eTrust Audit Reference Guide - CA Technologies

eTrust Audit 

Reference Guide 

1.5 

SP2

This documentation and related computer software program (hereinafter referred to as the “Documentation”) is for 

the end user’s informational purposes only and is subject to change or withdrawal by Computer Associates 

International, Inc. (“CA”) at any time. 

This documentation may not be copied, transferred, reproduced, disclosed or duplicated, in whole or in part, without 

the prior written consent of CA. This documentation is proprietary information of CA and protected by the copyright 

laws of the United States and international treaties. 

Notwithstanding the foregoing, licensed users may print a reasonable number of copies of this documentation for 

their own internal use, provided that all CA copyright notices and legends are affixed to each reproduced copy. Only 

authorized employees, consultants, or agents of the user who are bound by the confidentiality provisions of the 

license for the software are permitted to have access to such copies. 

This right to print copies is limited to the period during which the license for the product remains in full force and 

effect. Should the license terminate for any reason, it shall be the user’s responsibility to return to CA the reproduced 

copies or to certify to CA that same have been destroyed. 

To the extent permitted by applicable law, CA provides this documentation “as is” without warranty of any kind, 

including without limitation, any implied warranties of merchantability, fitness for a particular purpose or 

noninfringement. In no event will CA be liable to the end user or any third party for any loss or damage, direct or 

indirect, from the use of this documentation, including without limitation, lost profits, business interruption, 

goodwill, or lost data, even if CA is expressly advised of such loss or damage. 

The use of any product referenced in this documentation and this documentation is governed by the end user’s 

applicable license agreement. 

The manufacturer of this documentation is Computer Associates International, Inc. 

Provided with “Restricted Rights” as set forth in 48 C.F.R. Section 12.212, 48 C.F.R. Sections 52.227-19(c)(1) and (2) or 

DFARS Section 252.227-7013(c)(1)(ii) or applicable successor provisions. 

© 2003 Computer Associates International, Inc. 

All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.

Contents 

Chapter 1: Introduction 

Chapter 2: Windows Services 

Commands to Control the Services ............................................................. 2-2 

Action Manager Service (acactmgr) ............................................................. 2-5 

Distribution Agent Service (acdistagn) .......................................................... 2-6 

Distribution Server Service (acdistsrv) .......................................................... 2-7 

Log Router Service (aclogRd) .................................................................. 2-8 

Collector Service (SeLogRcd)................................................................... 2-8 

Recorder Service (SeLogRec) ................................................................... 2-9 

Redirector Service (SeLogRd) ................................................................. 2-10 

SNMP Recorder Service (SnmpRec)............................................................ 2-11 

Portmap Service ............................................................................. 2-12 

Chapter 3: UNIX Daemons 

Issuing Commands to Control the Daemons ..................................................... 3-2 

Action Manager Daemon (acactmgr)............................................................ 3-6 

Distribution Agent Daemon (acdistagn) ......................................................... 3-7 

Collector Daemon (aclogrcd)................................................................... 3-7 

Log Router Daemon (aclogrd).................................................................. 3-8 

Generic Recorder Daemon (acrecorderd) ........................................................ 3-8 

SNMP Recorder Daemon (snmprec) ............................................................ 3-9 

Contents 

iii

Chapter 4: Configuration Files 

About Queues ................................................................................ 4-1 

About Queue Rules............................................................................ 4-2 

Windows ................................................................................. 4-2 

UNIX..................................................................................... 4-2 

Example .................................................................................. 4-3 

About Actions ................................................................................ 4-3 

Recorder Configuration File .................................................................... 4-6 

Comment Lines ........................................................................... 4-7 

The Asterisk as Wildcard ................................................................... 4-7 

Redirector Configuration File................................................................... 4-7 

Router Configuration File ...................................................................... 4-8 

Chapter 5: Router Configuration File Rule Language 

Reference 

Location of the Router Configuration File ........................................................ 5-1 

File Structure ................................................................................. 5-1 

Variables ..................................................................................... 5-2 

Variable Expiration ........................................................................ 5-3 

Dynamic Variable Names .................................................................. 5-3 

Using Variables in Filter Rules .............................................................. 5-3 

Groups ....................................................................................... 5-4 

Loops .................................................................................... 5-4 

Command Syntax ............................................................................. 5-4 

action; target .............................................................................. 5-4 

action; remote ............................................................................. 5-5 

do........................................................................................ 5-6 

type: ..................................................................................... 5-7 

include ................................................................................... 5-8 

exclude ................................................................................... 5-8 

rule ...................................................................................... 5-9 

group .................................................................................... 5-9 

Regular Expressions .......................................................................... 5-10 

Supported Binary Operators................................................................... 5-10 

Including Additional Data Types .............................................................. 5-11 

Identifying Events using SAPI Tokens.......................................................... 5-12 

iv 

Reference Guide

Chapter 6: Windows Registry Entries 

Opening the Windows Registry ................................................................ 6-1 

Ports ........................................................................................ 6-2 

RPC ......................................................................................... 6-4 

Messages .................................................................................... 6-5 

Severity ...................................................................................... 6-5 

Fatal ..................................................................................... 6-5 

Critical ................................................................................... 6-6 

Error..................................................................................... 6-6 

Warning ................................................................................. 6-7 

Info ...................................................................................... 6-7 

Targets ...................................................................................... 6-8 

Monitor .................................................................................. 6-8 

Mail ......................................................................................... 6-9 

Client\SeOS\logmgr......................................................................... 6-10 

Recorders ................................................................................... 6-11 

NT Recorder............................................................................. 6-12 

SNMP Recorder.......................................................................... 6-14 

Redirector................................................................................... 6-14 

Router ...................................................................................... 6-17 

Queue Manager\Queues ................................................................. 6-18 

Queues\CollectionQueue................................................................. 6-22 

Queues\Default ......................................................................... 6-25 

Management Agent .......................................................................... 6-29 

Parameters .............................................................................. 6-29 

AN Types ............................................................................... 6-31 

Policy Manager .............................................................................. 6-35 

Database ................................................................................ 6-35 

Distribution Log ......................................................................... 6-36 

Distribution Server ....................................................................... 6-37 

Data Server ................................................................................. 6-44 

Database ................................................................................ 6-44 

Viewer .................................................................................. 6-46 

Reports ................................................................................. 6-46 

Security Monitor............................................................................. 6-48 

Contents 

v

Chapter 7: UNIX INI Files 

eAudit.ini .................................................................................... 7-1 

Ports ..................................................................................... 7-1 

Messages ................................................................................. 7-3 

Fatal ..................................................................................... 7-4 

Critical ................................................................................... 7-4 

Error ..................................................................................... 7-4 

Warning .................................................................................. 7-4 

Info ...................................................................................... 7-5 

Monitor .................................................................................. 7-5 

Recorders ................................................................................. 7-6 

Router.................................................................................... 7-6 

Management Agent....................................................................... 7-11 

Parameters............................................................................... 7-11 

AN Types................................................................................ 7-12 

recorder.ini .................................................................................. 7-14 

Recorder Modules ........................................................................ 7-14 

Definitions ............................................................................... 7-14 

Parameters............................................................................... 7-15 

Chapter 8: Encryption Options 

Changing Your Encryption Key................................................................. 8-1 

setkey Command Options...................................................................... 8-2 

Turning Off Encryption ........................................................................ 8-2 

Chapter 9: Firewall Considerations 

Chapter 10: Database Considerations 

Preparing eTrust Audit Database .............................................................. 10-1 

Oracle Databases ......................................................................... 10-1 

MS SQL Server Databases ................................................................. 10-2 

Configuring an Oracle Client .................................................................. 10-2 

Windows ................................................................................ 10-2 

UNIX.................................................................................... 10-2 

Windows NT Authentication with Microsoft SQL Server ......................................... 10-3 

vi 


Changing the Database Type.................................................................. 10-4 

Using a Remote MS Access Database .......................................................... 10-4 

Backing Up a Microsoft Access Database ....................................................... 10-4 

Chapter 11: Encup Utility 

Executing Encup............................................................................. 11-1 

Chapter 12: Security-related Event IDs 

Windows NT Event IDs ...................................................................... 12-1 

Windows 2000 Event IDs ..................................................................... 12-6 

UNIX Event IDs ............................................................................ 12-15 

Windows Event IDs ......................................................................... 12-15 

eTrust Access Control Event IDs ............................................................. 12-16 

Cisco PIX Event IDs ......................................................................... 12-16 

Chapter 13: The Submit API (SAPI) 

Mapping .................................................................................... 13-2 

Message Routing ............................................................................ 13-2 

Submitting a Message to the Router........................................................ 13-2 

Handling Submit Failures................................................................. 13-3 

Compiling and Linking....................................................................... 13-3 

Libraries .................................................................................... 13-3 

Sample SAPI Routine ........................................................................ 13-3 

SAPI Reference .............................................................................. 13-6 

SAPI_Init................................................................................ 13-6 

SAPI_NewMessage ...................................................................... 13-7 

SAPI_AddItem .......................................................................... 13-8 

SAPI_SubmitMsg ........................................................................ 13-9 

SAPI_RemoveMessage .................................................................. 13-10 

SAPI_DumpMessage .................................................................... 13-11 

SAPI_DestroyCTX ...................................................................... 13-12 

SAPI_SetRouter ......................................................................... 13-12 

SAPI_SetRouterPort ..................................................................... 13-13 

SAPI_SetRouterTimeout ................................................................. 13-13 

SAPI Return and Error Codes ................................................................ 13-14 

Fields for SAPI ............................................................................. 13-16 

Field Properties ......................................................................... 13-16 

Contents 

vii

Mapping Examples .......................................................................... 13-17 

Mandatory Fields for Event Identification.................................................. 13-17 

Common Predefined Fields for Event Identification ......................................... 13-19 

Optional Predefined Fields for Event Identification ......................................... 13-19 

Common Predefined Fields for Event Description .......................................... 13-20 

Mapping Events to Predefined Categories ................................................. 13-22 

System Access........................................................................... 13-23 

Account Management.................................................................... 13-24 

Object Access ........................................................................... 13-25 

Policy Management...................................................................... 13-26 

Security Systems ........................................................................ 13-27 

Physical Security ........................................................................ 13-28 

Network ................................................................................ 13-28 

Detailed Tracking ....................................................................... 13-30 

System/Application, Administration and General Events ................................... 13-31 

Fields Internal to eTrust Audit ............................................................ 13-32 

Reserved Keywords ......................................................................... 13-32 

Chapter 14: Recorder for Check Point FireWall-1 Reference 

Information Flow............................................................................. 14-1 

Preinstallation Considerations ................................................................. 14-3 

Configuring the Check Point FireWall-1 Servers ............................................. 14-3 

Information You Need to Collect ........................................................... 14-3 

Installing the Recorder for Check Point FireWall-1............................................... 14-4 

Installing in a Solaris Environment ............................................................. 14-4 

Installing the Recorder for Check Point FireWall-1 ........................................... 14-5 

Upgrading the Data Tools ................................................................. 14-6 

Configuration Values ......................................................................... 14-7 

Registry Keys and .ini File ................................................................. 14-7 

Windows Registry Entries ................................................................. 14-7 

Solaris eAudit.ini File Values ............................................................. 14-10 

Technical Information ....................................................................... 14-13 

OPSEC Connection Types ................................................................ 14-13 

Configuring Check Point FireWall-1 Servers ............................................... 14-14 

viii 


Chapter 15: Using the eTSAPISend Program 

eTSAPISend.exe ............................................................................. 15-1 

Example .................................................................................... 15-2 

Sample Batch File ............................................................................ 15-3 

Chapter 16: Inserting eTrust Access Control Records in Bulk 

to a Collector Database Using acloader 

Insert Records into an Oracle Database......................................................... 16-1 

Remove the Indexes from SEOSDATA ......................................................... 16-2 

Recreate the Indexes in SEOSDATA ........................................................... 16-2 

The acloader Utility .......................................................................... 16-3 

Examples ................................................................................... 16-5 

Chapter 17: Inserting eTrust Access Control Records in Bulk 

to a Collector Database Using selogrd and sqlldr 

Requirements ............................................................................... 17-1 

Converting the eTrust Access Control Audit Log to Oracle Import File Format..................... 17-1 

Insert the Data into an Oracle Database using the sqlldr Utility ................................... 17-3 

Create One Import File and Insert It into the Oracle Database ................................ 17-3 

Create Multiple Import Log Files and Insert Them Separately into the Oracle Database ......... 17-4 

Examples ................................................................................... 17-4 

Chapter 18: iRecorder Development Reference 

Overview of the iTechnology SDK............................................................. 18-2 

iRecorder Design and Architecture ............................................................ 18-3 

Components of iTechnology .............................................................. 18-3 

iRecorder................................................................................ 18-6 

iRouter.................................................................................. 18-7 

How to Create an iRecorder Development Environment ......................................... 18-7 

Development Environment ............................................................... 18-7 

Development Machine.................................................................... 18-8 

Test Environment ....................................................................... 18-10 

How To Develop an iRecorder ............................................................... 18-11 

Step 1: Identify Information about Required Fields for eTrust Audit.......................... 18-11 

Step 2: Establish a Method to Access Log Events ........................................... 18-13 

Contents 

ix

Step 3: Parse Log Event Data into Tokens .................................................. 18-13 

Step 4: Modify Files ...................................................................... 18-14 

Step 5: Build the Project .................................................................. 18-18 

Step 6: Test and Debug Your iRecorder .................................................... 18-18 

iRecorder API Functions ..................................................................... 18-19 

x 


Chapter 

1 Introduction 

This guide presents a variety of topics that describe technical features of eTrust 

Audit. While many users might never have reason to review the topics in this 

guide, others will need to consult it to perform additional configuration changes 

to their environments. 

Introduction 1–1

Chapter 

2 

Windows Services 

eTrust Audit installs several services on Windows systems. These services enable 

the information flow between eTrust Audit components by collecting, reading, 

and forwarding information from all sources in the system. This chapter 

describes the eTrust Audit services. 

The topics that follow describe the commands to control the eTrust Audit 

services on Windows, and the services: 

acactmgr 

The eTrust Audit Action Manager 

acdistagn 

The eTrust Audit Distribution Agent 

acdistsrv 

The eTrust Audit Distribution Server 

acfwrecd 

The eTrust Audit FW-1 Recorder 

aclogrd 

The eTrust Audit Log Router 

acrecorderd 

The eTrust Audit Generic Recorder 

portmap 

The eTrust Audit Portmap service 

selogrcd 

The eTrust Audit Collector 

selogrec 

The eTrust Audit Recorder 

selogrd 

The eTrust Audit Redirector 

snmprec 

The eTrust Audit SNMP Recorder 

Windows Services 2–1

Commands to Control the Services 


You can control the services using the Windows Control Panel or the Service 

Control Manager application. You can also control them from a command 

prompt. The eTrust Audit services for Windows reside in the following location: 

install_dir\bin 

where install_dir is the directory in which you installed eTrust Audit. Unless you 

add this directory to your PATH statement, you must issue the commands from 

this directory. 

Syntax 

The following command syntax applies to all eTrust Audit services, except 

portmap: 

servicename options 

where servicename is the name of the service. The options are described in the 

topic that follows. 

Options 

The following list described the available parameters: 

-help 

Displays these syntax options. 

-debug 

Starts the service in foreground mode; that is, it routes events the console 

(STDOUT). For example, the following command starts the service and 

routes the output to the console: 

servicename -debug 

You can use the following options: 

-trace options 

Starts a trace of the service. For example, the following command starts 

the service and routes debug messages to the console and a file named 

errors.txt: 

servicename -debug -trace dest1 STDOUT dest2 errors.txt 

See the description of the -trace option later in the list. 

2–2 Reference Guide


-install 

Installs the service. 


-user name 

Lets you specify the name of a user authorized to install a service on the 

system. You should combine the -user and -pwd options as follows: 

servicename -install -user user01 -pwd password 

-pwd password 

Lets you specify the password of a user authorized to install a service on 

the system. You should combine the -user and -pwd options as follows: 

servicename -install -user user01 -pwd password 


Starts a trace of the service after installing it. For example, the following 

command installs the service and routes debug messages to the console: 

servicename -install -trace dest1 STDOUT 


-remove 

Removes the service from the registry and from the Windows Service 

Control Manager. 

You can the following options: 


Starts a trace of the service while removing it. For example, the following 

command uninstalls the service and routes debug messages to a file 

named errors.txt: 

servicename -stop -trace dest1 errors.txt 

Additionally, you can use the redirect symbol, >, as follows to open a 

console an direct the output to a file: 

servicename -stop -trace dest1 STDOUT > errors.txt 


-start 

Starts the service in background mode; that is, without a console. 



Starts a trace of the service while starting it. For example, the following 

command starts the service and routes debug messages to a file named 

errors.txt: 

servicename -start -trace dest1 errors.txt 




-stop 

Stops the service. 



Starts a trace of the service while stopping it. For example, the following 

command stops the service and routes debug messages to a file named 

errors.txt: 

servicename -stop -trace dest1 errors.txt 


The -trace option applies to all parameters except, -help as follows: 


Turns on trace mode, which routes trace-level messages of a specified level 

to the destination. You can specify the following trace options: 

-dbglvl n 

Sets the debug level. n is the level from 1 to 5, 1 providing the least 

amount of debug information and 5 providing the most details. If you do 

not specify a value, 1 is the default. 

-dest1 dest 

Sets the primary output destination to display the debugging 

information to the console. dest can be one of the following: 

STDOUT 

Routes messages to the console. 

STDERR 

Routes messages to the console or to wherever you have redirected 

STDERR. 

filename 

The name of file where you want the service to write the debug 

output. 

-dest2 dest 

Sets a secondary output destination to display the debugging 

information. dest can be one of the following: 

STDOUT 


STDERR 


STDERR. 

filename 


output. 


Action Manager Service (acactmgr) 

Action Manager Service (acactmgr) 

The eTrust Audit Action Manager service, acactmgr.exe, reads events from 

queues where actions were placed by the Router and performs the specified 

actions defined for each event. The queues have parameters such as maximum 

action time, maximum file number and so on. These parameters affect the 

performance of the Action Manager. 

Tip: For information about the Action Manager, actions, and configuration 

files, see About Actions in the “Configuration Files” chapter. 

Registry Keys 

Several registry keys contain values that affect the functioning of the eTrust 

Audit Action Manager service. They are as follows: 

HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Client\Router\Queue 

Manager\Queues 


Manager\Queues\xxxQueue\Queue Parameters 

For information on the values in these keys, see the “Registry Keys” chapter. 


Distribution Agent Service (acdistagn) 

Distribution Agent Service (acdistagn) 

The eTrust Audit Distribution Agent service, acdistagn.exe, receives policy files 

from the Policy Manager through eTrust Audit Distribution Server service. The 

distribution agent service also removes old policy files if instructed by the eTrust 

Audit Distribution Server service. 

The distribution agent service changes auditing requirements according to the 

policy it receives. The service notifies the router to update the policy to get new 

rules. 

Registry Keys 

When you install eTrust Audit, you specify the name of the host where the Policy 

Manager will run. This is the only host recognized by the distribution agent 

service rejects attempts to update the policy from other hosts. However, you can 

add more servers to be recognized as trusted servers by editing the 

TrustedServers key of the Distribution Agent Service. This key is found in the 

following registry entry: 

HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Client\Management 

Agent. 

The distribution server service and the distribution agent service use TCP/IP 

port 8025. You can change that port by using the registry and adding a special 

port, for example: 

HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Ports\ 

DistributionPort 

See the “Registry Keys” chapter for more information. 


Distribution Server Service (acdistsrv) 

Distribution Server Service (acdistsrv) 

The eTrust Audit Distribution Server service, acdistsrv.exe, distributes the policy 

files among the clients. It must run on the same system where the Policy 

Manager is located. 

Registry Keys 

After you instruct the Policy Manager to distribute the policy, the relevant 

commands reach the distribution queue. The distribution server reads the 

distribution queue, selects from the compiled policy files, processes them, and 

sends them to the distribution agents according to the commands. 

The distribution server tries to connect to the distribution agent as follows: 

■ 

■ 

If the connection succeeds, the agent starts receiving configuration files. 

After the transmission operation terminates successfully, the distribution log 

of the Policy Manager is updated. 

If the connection trial fails (or in case the initial connection succeeds but 

afterwards a failure occurs), the transmission command is delayed. After a 

pre-defined period (by default: 24 hours) of failed connection trials, the 

distribution server terminates the transmission trials. In any case, the 

distribution log of the Policy Manager is updated. 

The key of the Distribution Server is found under: 

HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Policy 

Manager\Distribution Server 

The distribution server service and the distribution agent service use TCP/IP 

port 8025. You can change that port by using the registry and adding a special 

port, for example: 

HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Ports\ 


See the “Registry Keys” chapter for more information. 


Log Router Service (aclogRd) 

Log Router Service (aclogRd) 

The eTrust Audit Log Router service, aclogRd.exe receives events from a number 

of different sources. It handles received events according to the filters specified in 

the router configuration file and routes them to the queue files with the 

associated actions and targets. The Router service should be registered by the 

eTrust Audit Portmap service so that it can start only if the portmap is running. 

See Router Configuration File in the “Configuration Files” chapter for more 

information. 

Registry Keys 


Audit Log Router service. They are as follows: 

HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Client\Router 


Collector Service (SeLogRcd) 

The eTrust Audit Collector service, SeLogRcd.exe, receives information from the 

eTrust Audit Action Manager services on systems where eTrust Audit is 

running, and writes it to the event database. The Collector service should be 

registered by the eTrust Audit Portmap service so that it can start only if the 

portmap is running. 

Registry Keys 


Audit Collector. They are as follows: 

HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Data Server\Database 



Recorder Service (SeLogRec) 

Recorder Service (SeLogRec) 

The eTrust Audit Recorder service, SeLogRec.exe, harvests the Windows audit 

information on the client system into the local audit file for further handling by 

other eTrust Audit Client components. 

You can edit the recorder configuration file to specify which events are to be 

recorded. For details, see Recorder Configuration File in the “Configuration 

Files” chapter. 

Registry Keys 


Audit Recorder. They are as follows: 

HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Client\Recorders\NT 

Recorder 

HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Client\SeOS\logmgr 

Additionally, if eTrust Access Control is installed, the Recorder service uses 

the same local audit file as eTrust Access Control. To permit the recorder service 

to run when eTrust Access Control is stopped, set the emulate registry key to a 

value of 1. The emulate key is in the following location: 

HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrustAccessControl\eTrustAccessCo 

ntrol\Emulate 

Otherwise, the recorder service uses the value in the following eTrust Access 

Control key: 

HKEY_LOCAL_MACHINE\ SOFTWARE\MEMCO\SeOS\SeOS\Emulate 



Redirector Service (SeLogRd) 

Redirector Service (SeLogRd) 

The eTrust Audit Redirector service, SeLogRd.exe, reads the local audit file 

created by the eTrust Audit Recorder service (or by eTrust Access Control) and 

forwards it to the router. The local audit file contains Windows (and possibly 

eTrust Access Control) events originating on the local machine. 

You control Redirector service by editing the configuration file, logroute.cfg. For 

details, see Redirector Configuration File in the “Configuration Files” chapter. 

Registry Keys 


Audit Redirector. They are as follows: 

HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrustAudit\ 

Client\Redirector 


eTrust Audit limits the size of the audit files. As a result, when events are 

generated faster than they can be forwarded—for example, a router service is not 

running, or too many events are being generated during a peak situation—it is 

possible to lose data. 

You can guarantee delivery of records to the router by making changes to the 

values in the registry. You can permit the files to exceed their prescribed 

maximum size by setting the option to overwrite backup files to 0. 



SNMP Recorder Service (SnmpRec) 

SNMP Recorder Service (SnmpRec) 

The eTrust Audit SNMP Recorder service, SnmpRec.exe, traps SNMP messages 

sent to a Windows machine, and then passes them onto the default router. By 

default, the default router is the local host. 

Registry Keys 


Audit SNMP Recorder. They are as follows: 

HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Client\Recorders\SNMP 

recorder 

HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust 

Audit\Client\Recorders\DefaultRouter 

HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Client\Recorders\SNMP 

Recorder\cfg\snmptd_rec.mp 

For information on the values in these keys, see the Registry Keys chapter. 


Portmap Service 

Portmap Service 

The eTrust Audit Portmap service, portmap.exe, manages a table of 

correspondences between ports (logical communications channels) and the 

services registered at them. It provides a standard way for a client to look up the 

TCP/IP or UDP port number of an RPC program supported by the server. This 

service runs on any Windows host on which an eTrust Audit component is 

installed. 

Note: For Windows NT 4.0 and Windows 2000, note that eTrust Audit installs 

the Sun RPC portmapper. 

Syntax 

Using a command prompt session, enter the following commands to start or stop 

portmap: 

net start portmap 

net stop portmap 

To install portmap, use the following commands: 

install_dir\bin\inst_pm install_dir\bin\portmap.exe 

where install_dir is the directory where you installed eTrust Audit. 

To uninstall portmap, use the following command: 

install_dir\bin\inst_pm remove 


Chapter 

3 

UNIX Daemons 

eTrust Audit installs several daemons on UNIX systems. These daemons enable 

the information flow between eTrust Audit components by collecting, reading, 

and forwarding information from all sources in the system. This chapter 

describes the eTrust Audit daemons. 

This topic that follow describe the commands to control the eTrust Audit 

daemons on UNIX platforms, the daemons: 

acactmgt 


acdistagn 


aclogrcd 


aclogrd 


acfwrecd 


acrecorderd 


snmprec 


UNIX Daemons 3–1

Issuing Commands to Control the Daemons 


You can issue commands to control the eTrust Audit daemons as follows: 

1. Login as root. 

2. Using either the Bourne or Korn shells, use the steps in the topic for your 

UNIX platform. 

3. Depending on your UNIX platform, do the following: 

Solaris 

From the shell prompt, enter the following command: 

/etc/rc2.d/S77servicename 

AIX 

From the shell prompt, follow these steps: 

1. Enter the following command to set environment variables in 

preparation for starting the eTrust Audit daemons: 

. /usr/eaudit/bin/ac_set_env.sh 

2. Enter the a command as follows: 

/usr/eaudit/bin/servicename 

HP-UX 

From the shell prompt enter the following command: 

/sbin/rc2.d/S770servicename 

Tru64 and Linux 

From the shell prompt enter the following command: 

/sbin/rc2.d/S77servicename 

where servicename is one of the following: 

acactmgr 


acdistagn 


acfwrecd 

The eTrust Audit Recorder for Check Point Firewall-1 

aclogrcd 


aclogrd 


acfwrecd 




acrecorderd 


snmprec 


Syntax 

The following command syntax applies to all eTrust Audit daemons portmap: 

daemon options 

where servicename is the name of the service. The options are described in the 

topic that follows. 

Options 

The following list described the available parameters: 

-help 


-debug 

Starts the daemon in foreground mode; that is, it routes events the console 

(STDOUT). For example, the following command starts the daemon and 

routes the output to the console: 

daemon -debug 



Starts a trace of the daemon. For example, the following command starts 

the daemon and routes debug messages to the console and a file named 

errors.txt: 

daemon -debug -trace dest1 STDOUT dest2 errors.txt 


UNIX Daemons 3–3


-install 

Installs the daemon. 


-user name 

Lets you specify the name of a user authorized to install a daemon on the 

system. You should combine the -user and -pwd options as follows: 

daemon -install -user user01 -pwd password 

-pwd password 

Lets you specify the password of a user authorized to install a daemon 

on the system. You should combine the -user and -pwd options as 

follows: 

daemon -install -user user01 -pwd password 


Starts a trace of the daemon after installing it. For example, the following 

command installs the daemon and routes debug messages to the console: 

daemon -install -trace dest1 STDOUT 


-remove 

Removes the daemon. 



Starts a trace of the daemon while removing it. For example, the 

following command uninstalls the daemon and routes debug messages 

to a file named errors.txt: 

daemon -stop -trace dest1 errors.txt 


-start 

Starts the daemon in background mode; that is, without a console. 



Starts a trace of the daemon while starting it. For example, the following 

command starts the daemon and routes debug messages to a file named 

errors.txt: 

daemon -start -trace dest1 errors.txt 

Additionally, you can use the redirect symbol, >, as follows to open a 

console an direct the output to a file: 

servicename -stop -trace dest1 STDOUT > errors.txt 




-stop 

Stops the daemon. 



Starts a trace of the daemon while stopping it. For example, the 

following command stops the daemon and routes debug messages to a 

file named errors.txt: 

daemon -stop -trace dest1 errors.txt 


The -trace option applies to all parameters except, -help as follows: 


Turns on trace mode, which routes trace-level messages of a specified level 

to the destination. You can specify the following trace options: 

-dbglvl n 

Sets the debug level. n is the level from 1 to 5, 1 providing the least 

amount of debug information and 5 providing the most details. If you do 

not specify a value, 1 is the default. 

-dest1 dest 

Sets the primary output destination to display the debugging 

information to the console. dest can be one of the following: 

STDOUT 


STDERR 


STDERR. 

filename 


output. 

-dest2 dest 

Sets a secondary output destination to display the debugging 

information. dest can be one of the following: 

STDOUT 


STDERR 


STDERR. 

filename 


output. 

UNIX Daemons 3–5

Action Manager Daemon (acactmgr) 

Action Manager Daemon (acactmgr) 

The eTrust Audit Action Manager daemon, acactmgr, reads events from queues 

where actions were placed by the Router and performs the specified actions 

defined for each event. The queues have parameters such as maximum action 

time, maximum file number and so on. These parameters affect the performance 

of the Action Manager. 

Tip: For information about the Action Manager, actions, and configuration 

files, see About Actions in the “Configuration Files” chapter. 

For details, see eAudit.ini in the “UNIX INI Files” chapter. 

eAudit.ini File Entries 

The daemon running on UNIX is controlled by the following entries in 

eAudit.ini: 

Client\Router\Queue Manager\Queues 

Client\Router\Queue Manager\Queues\ xxxQueue\ Queue Parameters 

The file is located in install_dir/ini/, where install_dir is the directory where you 

installed eTrust Audit. 


Distribution Agent Daemon (acdistagn) 

Distribution Agent Daemon (acdistagn) 

The eTrust Audit Distribution Agent service, acdistagn, receives policy files from 

the Policy Manager through eTrust Audit Distribution Server service running on 

a Windows system. The distribution agent daemon also removes old policy files 

if instructed by the eTrust Audit Distribution Server service. 

The distribution agent daemon changes auditing requirements according to the 

policy it receives. The daemon notifies the router to update the policy to get new 

rules. 





Client\Management Agent 



Collector Daemon (aclogrcd) 

The eTrust Audit Collector daemon, aclogrcd, receives information from the 

eTrust Audit Action Manager daemons on systems where eTrust Audit is 

running, and writes it to the event database. 





Data Server\Database 

Data Server\Collector 



UNIX Daemons 3–7

Log Router Daemon (aclogrd) 

Log Router Daemon (aclogrd) 

The eTrust Audit Log Router daemon, aclogRd receives events from a number of 

different sources. It handles received events according to the filters specified in 

the router configuration file. 





Client\Router 



Generic Recorder Daemon (acrecorderd) 

The eTrust Audit Generic Recorder daemon, acrecorderd, reads the logs created 

by UNIX operating system, by third-party applications running on the UNIX 

station, or both, and sends them to the Audit Router daemon, aclogrd, for further 

handling by eTrust Audit. 

You can edit the recorder configuration file, recorder.ini, to specify which events 

are to be recorded. For details, see recorder.ini in the “UNIX INI Files” chapter. 

Recorder.ini File Entries 


recorder.ini: 

Recorder_Modules 




SNMP Recorder Daemon (snmprec) 

SNMP Recorder Daemon (snmprec) 

The eTrust Audit SNMP Recorder daemon, snmprec, traps SNMP messages sent 

to a UNIX machine, and then passes onto the default router. By default, the 

default router is the local host. 




Client\Recorders\SNMP Recorder 



UNIX Daemons 3–9

Chapter 

4 

Configuration Files 

The eTrust Audit Router reads the .cfg files that are found in the following 

directories: 

For Windows systems 

\eTrust Audit\cfg directory 

For UNIX systems 

/usr/eaudit/cfg 

These .cfg files contain filters that are made up of rules, and actions and targets. 

Using these rules the log router, aclogrd, filters the forwarded events and 

discards some of them. 

About Queues 

The events the log router receives from the recorders are written into queues. 

These queues are specified as follows: 

For Windows systems 

The queues are located in directories specified in the following registry key: 


Audit\Client\Router\Queue Manager\Queues\DirectoryName 

For UNIX systems 

The queues are located according to specifications in the following section of 

the .ini file: 

Client\Router\Queue Manager\Queues 

The three predefined queues are: 

■ 

■ 

■ 

Default 

AlertQueue 

CollectionQueue 

However, you can define your own queues. 

Configuration Files 4–1

About Queue Rules 

About Queue Rules 

The queue to which the router writes depend on the rules defined in the Queue 

Rules key: 


Manager\Queues\AlertQueue\Queue Rules 

The form of queue rules differs depending on the operating system. 

Windows 

The form of a queue rule is a follows: 

rule_name 

as registry value name and 

action; target name 

as value data (for a specific target) 

or 

rule_name 

action; 

as registry value name and 

as value data (for all targets) 

UNIX 

The form of a queue rule is a follows: 

rule_name = action\; target name (for a specific target) 

or 

rule_name = action\; 

(for all targets) 


About Actions 

Example 

For example, if the .cfg file contains a rule with the action, Collector, the records 

are written to the collection queue, because this queue, as defined by the Queue 

rules, includes the rule Collector. 

You can add rules in the registry, to customize your settings. By default, actions 

for which you have no defined rules are directed to the default queue. If you 

want actions to be directed to the alert or collection queue, you must add a rule. 

In the following example, the ‘file’ rule was add to define that actions of this type 

be directed to this queue, and not to Default directory. 

myrule = file\; 

Any event that has some attached actions may be placed in a several queues. 

About Actions 

The Action Manager uses the saved events to determine which action to take for 

a specific event. The following topics describe the available actions: 

collector 

The collector action tells the Action Manager to send the events received 

from the queue to a collector on a user-defined host, as shown in the 

following example: 

Action collector; systema 

In the example, the Action Manager sends the events to the collector on the 

host known as systema. 

monitor 

The monitor action tells the Action Manager to send the events received from 

the queue to the security monitor on a user-defined host, as shown in the 


Action monitor; localhost 

In the example, the Action Manager sends the events to the security monitor 

on the current system. 


About Actions 

screen 

The screen action tells the Action Manager to send the events received from 

the queue to the screen on a user-defined host, as shown in the following 

example: 

Action screen; systemb 

In the example, the Action Manager sends the events received from the 

queue to the screen on systemb. 

Note: The screen action is for Windows systems only. 

mail 

The mail action tells the Action Manager to send events received from the 

queue to a specific email address, as shown in the following example: 

Action mail; administrator@myorg.com 

In the example, the Action Manager sends the events received from the 

queue to the email address of the administrator. 

SNMP 

The SNMP action tells the Action Manager to send events received from the 

queue by the SNMP protocol to the user-defined host, as shown in the 


Action SNMP; systemc 

In this example, the Action Manager routes SNMP events to the host 

systemc. 

file 

The file action tells the Action Manager to write the events received from the 

queue to a file as shown in the following example: 

Action file; c:\events\myevents.txt 

In this example, the Action Manager writes events to the 

c:\events\myevents.txt file. 

route 

The route action tells the Action Manager to send router events to a remote 

host where the router of that host handles them as shown in the following 

example: 

Action route; systema 

In this example, the Action Manager sends router events to the router on 

systema. 

remote 

The remote action tells the Action Manager to move records from a queue to 

a remote router and performs any action on this remote host. For example: 

Action remote; systema; monitor;systemb 

In this example, the Action Manager moves the events to the remote router 

on the host, systema, where they will are sent to the security monitor on 

systemb. 


About Actions 

program 

The program action tells the Action Manager to run an executable or batch 

file when an event is received. When you define an action with the name 

program, the Action Manager writes the event to a file. The file name and the 

file location (the directory to which the file was written) are transferred as 

one string to the program you want to run as the first parameter. 

You can use either of the following methods to specify the program action: 

Action program;\path\progname.exe; additional_parameters; timeout 

Action program;\path\progname.bat; additional_parameters; timeout 

path 

You must specify name of the program or batch file as follows: 

■ 

■ 

Use the full path name 

Ensure that the program file is in the directory defined by the 

%path% environment variable 

If the program is located in the directory defined by the system 

environment variable, PATH, or in the directory install_dir\bin, you can 

omit the path. You cannot use quotation marks, so the path statement 

cannot include directories with spaces in their names. 

additional_parameters 

You can specify parameters for the command. When you run a batch file, 

it contains the same parameters as a program. It is the responsibility of 

the program to parse the additional parameters. 

timeout 

You can specify an optional timeout period in seconds. The default 

timeout is 30 seconds. If the program has not exited when the timeout 

expires, it is terminated. 

When you run a program or a batch file, the following occurs: 

■ 

■ 

The event is written into a file located in the TEMP directory 

(currently %TEMP%) 

The program itself gets the file name and the directory path. 

Note: Using your API, you can open the file, retrieve the appropriate 

information, and run your software accordingly. 


Recorder Configuration File 

unicenter 

The unicenter action tells the Action Manager to send events to the local 

Unicenter agent (installed on the eTrust Audit host that performs the action) 

for forwarding to the Unicenter Event Management Console on the specified 

host as shown in the following example: 

Action unicenter; systema 

In the example, the Action Manager sends events to the Unicenter Event 

Management Console on systema. 

Note: Status codes from eTrust Access Control are translated to their generic 

equivalents. In the Unicenter Event Management Console, events display 

color codes and status icons. The Unicenter Event Management Agent must 

be installed on the host where the Action Manager runs. 

Recorder Configuration File 

The recorder configuration file, each line (other than comment lines) provides 

criteria for bringing audit records into the local audit file from Windows. A 

record is admitted and handled by eTrust Audit if it matches the criteria of any 

line in the file. If the record does not match a line, then eTrust Audit will ignore 

the record. The file is selogrec.cfg in the audit\etc directory, where audit is the 

directory in which you installed eTrust Audit. This file defines which NT logs 

will be read, according to the client. 

The format is explained in the following example. Use commas as delimiters 

within the three-part resource specification, (source, event category, event ID), 

This is different that the semicolons that are used as delimiters elsewhere. The 

file is case-sensitive. 

You can select the way to filter the events that are recorded by using the 

following mask: 

;;; 

For example: 

NT-Security;Security,Detailed Tracking,593;jerry;S 

The default values, which can be selected during installation, are: 

■ 

■ 

■ 

NT-System;*;*;* 

NT-Security;*;*;* 

NT-Application;*;*;* 


Redirector Configuration File 

For more in-depth information regarding this issue, see the selogrec.cfg file in the 

install_dir\etc directory. 

The access results Success and Failure typically refer to logins, while Info reports 

on successful application startups. Warning refers to possible problems, while 

Error indicates a more severe problem. 

Comment Lines 

To create a comment line, begin it with a semicolon (;), pound sign (#), or 

exclamation point (!). For example, — 

! Here are four comment lines. If you wanted to 

! use the fourth one as a rule, you could simply 

! erase the "!" mark from its start. 

! NT-Security;Security,Detailed Tracking,593;jerry;S 

The Asterisk as Wildcard 

You can use an asterisk (*), signifying any number of wildcards, for any field 

except the event log name. If you wish, you can use a single asterisk for the 

three-part Resource field; for example, to indicate “all Windows NT security log 

events, regardless of resource, user, and result”: 

NT-Security;*;*;* 

The question mark (?) represents a single wildcard character. 

Here is another example, specifying all Windows NT Application log events that 

are Information events with the eTrust Audit Collector service as their source, 

regardless of event category, event ID, and user: 

NT-Application;eTrustAudit Col*,*,*;*;I 

Redirector Configuration File 

The redirector configuration file tells what should be sent where. By default, 

everything is sent to the router (local or remote). 

While running, the redirector periodically reconfigures itself according to the 

contents of the redirector configuration file. 

For SeLogRd, the configuration file is logroute.cfg, located in the install_dir\etc 

directory. 


Router Configuration File 


The router filters events and decides what action should be performed on these 

events according to configuration files. The table that follows provides a brief 

overview of the statements and some sample rule statements: 

Statements Example Description 

Rule 

select_NT 

(name of rule) 

Every rule must start with the word Rule 

and have at least one action or one Do 

group. 

Action Monitor;localhost (target name) Defines the action associated with the 

event. Possible actions include: monitor, 

file, Collector, and so on. 

Include int Log ~"^NT" Include int is the internal language 

command, Include. Log ~"^NT" is the 

condition for including the event. 

Exclude int Log ~"^Oracle" Exclude int is the internal language 

command, Exclude. Log ~"^Oracle" is the 

condition for excluding the event. 

Do group group_NT Can be used for activating another group 

of rules. The statement enables 

implementing a nesting of rules. 

Group group_NT Contains a list of rules. 

Do Int Define $Host_%Location%_Count Value(1) This defines an internal integer variable 

that has the value of 1. Whatever is 

between % (such as %location%) is 

replaced by embedded text. In this case, it 

would be whatever value location is. 

$Host_%Location%_Count exists 

Test for the existence of the variable 

$Host_%Location%_FailedCount 

Incr Host_%Location%_Count Increments the internally defined variable 

Decr Host_%Location%_Count Decrements the internally defined 

variable 

Integer: 

Do Int Define 

$Host_%Location%_FailedCount equal to 

3 

$AlertEvent Src("eTrust Policy Manager") 

Type("Alert") 

Declares that a variable or an SAPI field is 

an integer. 

Defines a variable. It can be used to 

generate a new event. 



Statements Example Description 

Do Int Set $AlertEvent.User User Sets the value of User in the generated 

event by copying the value contained in 

the token User, which is found in the 

event currently filtered. 

Do Int Delete $AlertEvent Deletes the generated events. 

Do Int 

NewEvent 

$AlertEvent 

Generates a new event. 


Chapter 

5 

Router Configuration File Rule 

Language Reference 

The router configuration files, router*.cfg, configures the eTrust Audit router 

(ACLogRd). This chapter describes how to enter rules directly into the file. 

You can also compose rules using Policy Manager’s Policies window. Policy 

Manager automates the writing of scripts (lines in the rules file consisting of 

conditions and subsequent actions). 

Location of the Router Configuration File 

The default extension of the router configuration file is .cfg. The full path to the 

file should be recorded: 

■ 

■ 

in UNIX, in the Router section of the .ini file, as the token RulesPath 

in Windows, as the value of RulesFile under the registry key 


Audit\Client\Router 

File Structure 

The file consists of rules. Each rule consists of a filter (conditions for including 

and excluding events) and actions (actions to be taken if an event matches the 

filter). 

Rules are arranged in groups. Each event is matched against all the rules in the 

default group. Rules inside a non-default group are tested only if a rule calls for 

performance of the group. 

Each rule is comprised of the following lines: 

Rule ruleName 

Action action 

Include Int condition 

Exclude Int condition 

Router Configuration File Rule Language Reference 5–1

Variables 

Each condition uses binary operators to check whether a field in the event record 

has a given value. 

For example: 

Rule Route_Oracle_From_Maneki 

Include Int Location equal to "maneki", Src equal to "Oracle" 

Action route; target_host; 

----------- 

Rule Mail_Frank_on_Create_Admin 

Include Int Integer: ID equal to 536, Object equal to "Administrator" 

Action mail; frank; Someone created an administrator! 

Variables 

In addition, rules can perform variable manipulation, adding flags and counters 

to audit records. You may wish to generate a suspicious event after a certain 

number of repetitions, within a specified time, of an event that is not in itself 

suspicious. Failed logons are a good example. 

Variable names begin with $. Because they are assigned only temporarily, you 

can choose any name you wish, such as $Flag or $counter. 

Do languageName operation $variablename 

Variables are defined in the Do statement of a rule. A variable can contain several 

properties. (The default property is Value.) For example: 

Do Int Define $Flag 1 

Do Int Define $Flag Value(1) User(“John”) 

After an event triggers initialization of a variable, the variable can be 

manipulated by further events in several ways: 

■ 

■ 

■ 

An event can set a new value for the variable, as follows: 

Do Int Set $User “John” 

Do Int Set $Flag.User “John” 

The event can increment or decrement the value, as follows: 

Do Int Incr $Count 

Do Int Decr $Count 

The event can add or subtract values from the variable, as follows: 

Do Int Add $Sum 3 

Do Int Subtract $Sum 2 


Variables 

Variable Expiration 

A variable is deleted automatically one hour after its initialization. 

You can delete the variable explicitly using the operation Delete, as follows: 

Do Int Delete $Flag 

You can specify a different span of time in seconds using the property ExpireIn 

in a variable definition. The following example sets the counter’s initial value to 

1, while specifying that the flag will cease to exist after two hours: 

Do Int Define $Counter Value(1) ExpireIn(7200) 

You can also set expiration to occur a certain number of seconds after the last 

modification of the variable, as follows: 

Do Int Define $Counter Value(1) ExpireSinceLastModified(900) 

Dynamic Variable Names 

You can define variables that incorporate data from the event record into the 

variable name. For example: 

Do Int Define $LoginCount%Location% Value (1) 

%Location% is translated only when an event triggers execution of the rule. 

Whatever value is contained in the SAPI field Location will be inserted in the 

place of %Location%. 

Dynamic variable names can include more than one token, as in the following 

case: 

Do Int Incr $Count_%User%_%Location%_FailedLogins 

Using Variables in Filter Rules 

You can use variables in Include and Exclude conditions just as you would use 

other tokens, using the same binary operators and regular expressions. 

For example: 

Include Int Integer: $Count equal to 3 

Include Int Integer: $Count.Value equal to 3 

You can also query whether a variable was defined, as follows: 

Include Int $Flag exists 

If the variable was defined, the condition is true. 


Groups 

Groups 

Groups are set off by the statement: 

group groupName 

Rules that follow such a statement are considered part of the group. A rule may 

be assigned to a given group simply by introducing it with the appropriate 

group groupName statement. Switch to other groups by introducing another 

groupName. 

Group names must be unique. 

Loops 

Loops are not permitted. Any rule or group that calls itself will be reported as an 

error. 

Command Syntax 

Each line in the rule begins with a command. Commands have the following 

syntax. 

action; target 

Syntax 

action action; target target 

Description 

Each action has its own appropriate target format. 

Action 

Argument Target Parameter Description 

collector hostname or IP address Sends the record to the collector 

service on the specified host. 

e-mail recipient@domain Sends e-mail to the specified account. 

file full pathname Appends event details to the file with 

the specified pathname. 



Action 

Argument Target Parameter Description 

route hostname or IP address Forwards the message, before 

filtering, to a router on another host. 

screen 

hostname or IP address or 

username 

Sends event details as a screen popup 

to a host or (if logged in) user. This 

action applies to Windows systems 

only. 

monitor hostname or IP address Sends event to the Security Monitor 

console running on the specified host. 

snmp hostname IP address Sends the event to the SNMP server 

on the specified host. 

unicenter hostname or IP address Sends the event to the Unicenter 

Event Management Console on the 

specified host. 

action; remote 

Syntax 

action remote hostname;action;target 

Description 

Whenever the client station is not configured to perform the action specified, it is 

necessary to use the action remote command to set up remote execution of the 

action. The action and target parameters are the same as in the action command. 

Parameter 

hostname 

action 

target 

Description 

The host where the action should take place (for 

example, a mail or fax server). 

See the action command. 

See the action command. Each action has appropriate 

formats for targets. 



do 

Syntax 

do Int operation 

Description 

The do command introduces each operation that a rule applies to an event. 

Unless you compose your own language for conditions, the value for 

languagename will be Int (internal language). 

Operation 

add $variablename value 

decrement $variablename 

define $variablename 

define $variablename ExpireIn seconds 

define $variablename 

ExpireSinceLastModified seconds 

delete $variablename 

group groupname 

increment $variablename 

rule rulename 

set $variablename value 

subtract $variablename value 

NewEvent $variablename 

Description 

Adds the given value to the variable. 

Subtracts one from the value of a 

variable used as a counter. 

Establishes the name of a variable. 

Gives the time at which the variable 

will be deleted, in seconds from 

creation (default is one hour). 

Gives the time at which the variable 

deleted, in seconds from the time of its 

last modification. 

Deletes the variable. 

Gives name of group of rules to be 

performed if the event matches the 

current rule. 

Adds one to the value of a variable 

used as a counter. 

Gives name of rule to be performed if 

the event matches the current rule. 

Sets the value of a variable that has 

already been defined. 

Subtracts the given value from the 

variable. 

Creates a new event. 



type: 

Syntax 

command Int type: datatype condition 

Description 

By default, the data type for conditions is string. If you wish to use another data 

type, specify it with the type: command. We recommend that you use non-string 

data types when evaluating numerical values. 

Datatype 

Permissible formats 

Integer 

Integer value 

Timestamp Jun 13, 1999 at 12:00 

Time 

11 pm 

11:23:00 

11:23:30 pm 

23:30 

Date Aug 2, 2000 

2 Aug, 2000 

2 Aug, 00 



include 

Syntax 


Description 

Any record that meets the condition will be subject to the rule in which it is 

contained. 

Each condition includes binary operators and regular expressions (in quotation 

marks). Conditions take one of the following forms: 

Include Int token “regularexpression” 

or 

Include Int token exists 

The data type will be string unless you add a type: command before the regular 

expression. For example: 

Include Int Integer: id equal to 536 

exclude 

Syntax 

Exclude Int condition 

Description 

The format for conditions is the same as for the include command. Any records 

meeting the condition will be excluded from treatment. 



rule 

Syntax 

rule rulename 

Description 

The name of the rule. 

Parameter 

rulename 

Description 

Name of the rule that follows. 

Each use of the rule command starts a new rule. 

group 

Syntax 

group groupname 

Description 

Each use of the group command starts a new group of rules. Groups can contain 

internal rules (rule rulename internal) that are only called from within the group. 

Parameter 

groupname 

Description 

Name of the group of rules that 

follows. 

To return to the default group, use the group command with no parameter. 


Regular Expressions 

For example, 

;============== 

group login 

Rule cont_login 

Include int $Login_%source% exists 

do rule increment 

do group cont_login_group 

;------------------------- 

Rule increment internal 

do int increment $Login_%source% 

;------------------ 

Rule tenth_login 

Include int integer: $Login_%source% == 10 

Do int Delete $Login_%source% 

Action mail; john; Tenth login 

‘================ 

Regular Expressions 

The router configuration file supports any pattern recognized as a regular 

expression. Put the regular expression in quotation marks. For example: 

Src MATCHES "NT*" 

Supported Binary Operators 

To match a field to a string, you can use binary operators. 

The supported binary operators are: 

■ EQUAL TO or == 

■ DIFFERENT THAN or != 

■ GREATER THAN or > 

■ GREATER OR EQUAL TO or >= 

■ LESS THAN or < 

■ LESS OR EQUAL TO or

Including Additional Data Types 

The following operators are for strings and regular expressions only. 

Note: By default, operators are case-sensitive. Operators that are case-insensitive 

are preceded by CI : or Case Insensitive. 

■ MATCHES or ~ 

■ 

■ 

■ 

■ 

■ 

CI: MATCHES 

CASE INSENSITIVE: EQUAL TO 

CI: DIFFERENT THAN 

PART OF 

CASE INSENSITIVE: PART OF 

To imply an AND between conditions: 

Include Int condition, condition, etc. 

To imply an OR between conditions: 



Including Additional Data Types 

By default, information is regarded as string. Especially when comparing 

integers, this can lead to problems. 

Other available types are Integer, Timestamp, Time, and Date. You can use the 

types by specifying them as follows: 

type: fieldName operator integerValue 

Time format can be 11 am, 11:23:00, 11:23:00 pm, or 23:00. 

Date format can be Aug 2, 2002 or 2 Aug, 2002. Two-digit year numbers are also 

supported. 

For example: 

Integer: id equal to 22 

Timestamp: field_when greater than Jun 13, 2002 at 12:00 

Date: field_when equal to 12 Jun, 2002 

Time: field_when equal to 11 pm 


Identifying Events using SAPI Tokens 


The following tables list events and the filters necessary to catch them. For more 

information on the eTrust Audit Submit Application Programming Interface 

(SAPI), see the “Submit API” chapter. 

Tokens (predefined values for SAPI fields) are defined in the file 

AC_SAPITokens.h. 

These are some filter examples. To see a filter for any predefined rule, open its 

Properties dialog on the tab “Filter” in the Policy Manager. 

Event 

Logon 

Logon - Failed 

Logon - Successful 

Logon - Admin - Successful 

Logon - Admin - Failed 

Logon - Failed - Bad Password 

Account Management 

Filter 

Category == “System Access” 

Oper == “Logon” 



Status == “F” 



Status == “S” 



SurrogateUser == "Administrator" 


NT only 




Info ~ "Logon Failure*User 

Name:?administrator*" 

NT only 




Info ~ "*Unknown user name or bad 

password*" 

NT only 

Category == “Account Management” 




Event 

System Error 

System - Security System 

Filter 

Src == "NT-System" 

Severity == “2” 

NT only 

Category == “System Status” 

Src == NT-Security 

NT only 


Chapter 

6 

Windows Registry Entries 

This chapter describes important entries in the Windows registry that belong to 

eTrust Audit, and are located under the following: 

HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit 

These registry control many facets of how eTrust Audit operates. 

Opening the Windows Registry 

The Windows registry contains key that control various features in eTrust Audit. 

The root level key is as follows: 


To open the Windows registry to view or modify its contents, follow these steps: 

1. Open a command prompt session. 

2. Enter the regedit or regedt32 command. 

3. Expand the tree items for the HKEY_LOCAL_MACHINE, SOFTWARE, 

ComputerAssociates, and finally the eTrust Audit branch to view the 

registry keys described in the topics that follow. 

Note: The topics that follow describe only those key values that you can modify. 

Windows Registry Entries 6–1

Ports 

Ports 

eTrust Audit maintains information about the ports it uses under the following 

key: 

HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Ports 

Normally, eTrust Audit uses one of its default ports or uses portmapper to 

dynamically assign a port. eTrust Audit uses the values of these keys under the 

following conditions: 

■ 

■ 

The default port is busy 

The service cannot get the dynamic port from the portmapper 

Under normal circumstances, you would not have any reason to modify these 

values. However, if a port is being used by another application or service or you 

need to route events through a firewall, you must modify the values for these 

keys. 

The key values are as follows: 

MonitorPort 

The data value specified for the MonitorPort key is used by the Action 

Manager to route events to the Security Monitor and by the Security Monitor 

to receive events. 

Type 

String Value 

Data 

Specify the number of the port to be used. 

By default, the port is dynamically assigned by portmapper. 

RouterPort 

The data value specified for the RouterPort key is used by the router and 

redirector. 

Type 

String Value 

Data 




Ports 

RouterSapiPort 

The data value specified for the RouterSapiPort key is used by the UNIX 

Recorder, the Recorder, the Generic NT Recorder, the Check Point Firewall-1 

Recorder, and applications that use SAPI, and is used by the router. 

Type 

String Value 

Data 



CollectorPort 

The data value specified for the CollectorPort key is used by the Action 

Manager to route events to the Collector and by the Collector to receive 

events. 

Type 

String Value 

Data 




The data value specified for the DistributionPort key is used by the 

distribution server and the distribution agent. 

Type 

String Value 

Data 

Specify the number of the port to be used. The default is 8025. 

SNMPRecorderPort 

The data value specified for the SNMPRecorderPort key is used by the 

SNMP recorder. 

Type 

String Value 

Data 


SNMPTrapPort 

The data value specified for the SNMPTrapPort key is used by the Action 

Manager to route actions defined as Action SNMP to the router. 

Type 

String Value 

Data 



RPC 

Note: The Windows SNMP service also uses port 162. If you need to use the 

SNMP recorder, you must disable the Windows SNMP service or assign another 

data value for the SNMPRecorderPort and SNMPTrapPort keys. 

RPC 

eTrust Audit maintains information about the name of the program used to map 

ports on the system. It uses under the following key: 

HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\RPC 


values. If you are using a different program to map ports other than portmap, 

you must change the data value. 


PortmapName 

The data value specified for the PortmapName key is used to identify the 

name of the program used to map RPC ports. 

Type 

String Value 

Data 

Specify the name of the RPC port map program. The default is 

portmap.exe. If you do not know the program name, leave this value 

empty. 


Messages 

Messages 

eTrust Audit maintains information about the name of the file where it stores 

messages under the following key: 

HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Messages 


values. 


MessageFile 

The data value specified for the MessageFile key is used to identify the name 

and location of the message file. 

Type 

String Value 

Data 

Specify the name of the message file, including its full path. The default 

is install_dir\Messages\message.txt. 

Severity 

eTrust Audit maintains information about the name of the targets where 

messages are to be sent under the following key: 

HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Messages\Severity 


values. 


Fatal 

Targets 

The data value specified for the Targets key is used to identify the targets 

where fatal messages are to be sent. 

Type 

String Value 

Data 

Specify the name of the targets, separated by commas. The default value 

is Monitor,Log. 


Severity 

SkipTimeout 

The data value specified for the SkipTimeout key is used to identify the 

minimum time interval between identical messages. If eTrust Audit receives 

two of the same message within the interval, it discards the second message. 

Type 

DWORD Value 

Data 

Specify the time interval in seconds. The default value is 0 seconds. 

Critical 

Targets 


where critical messages are to be sent. 

Type 

String Value 

Data 



SkipTimeout 




Type 

DWORD Value 

Data 


Error 

Targets 


where error messages are to be sent. 

Type 

String Value 

Data 




Severity 

SkipTimeout 




Type 

DWORD Value 

Data 


Warning 

Targets 


where warning messages are to be sent. 

Type 

String Value 

Data 



SkipTimeout 




Type 

DWORD Value 

Data 


Info 

Targets 


where info messages are to be sent. 

Type 

String Value 

Data 




Targets 

SkipTimeout 




Type 

DWORD Value 

Data 


Targets 

Monitor 

eTrust Audit maintains information about the self-monitor target to use to send 

its own notification messages under the following key: 


Audit\Messages\Targets\Monitor 

Host 

The data value specified for the Host key is used to identify the host where 

messages are to be sent. 

Type 

String Value 

Data 

Specify the name of the host. The default value is localhost. 

MonitorPort 

The data value specified for the MonitorPort key is used to identify the port 

used by the Security Monitor. 

Type 

String Value 

Data 

Specify the number of the port. 



Mail 

Mail 

eTrust Audit maintains information about the mail server to use to send email 

under the following key: 

HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Mail 

If you specify the name of the mail server at installation, you would not have any 

reason to modify these values, unless you wanted to change the name of the mail 

server or change the name of the user sending the mail. 


ServerType 

The data value specified for the ServerType key is used to identify the type 

of mail server. 

Type 

String Value 

Data 

Specify the name of the type of mail server. The default is SMTP. You 

cannot change this value. 

MailServer 

The data value specified for the MailServer key is used to identify the host 

name of the mail server. 

Type 

String Value 

Data 

Specify the name of the mail server. The default is mailsrv or the name 

you specified at installation time. 

Sender 

The data value specified for the Sender key is the mail address of the account 

from which mail is sent. 

Type 

String Value 

Data 

Specify the name of the sender from which mail is sent. The default value is 

Administrator. For certain SMTP servers, the value of Sender must represent 

an existing mail account, with the format name@domain. 


Client\SeOS\logmgr 

Client\SeOS\logmgr 

eTrust Audit maintains information about the audit and error log files for eTrust 

Audit under the following key: 



values. However, there might be times when you must increase the value of the 

audit_size parameter, such as during periods of peak use. 


audit_back 

The data value specified for the audit_back key is used to identify the name 

of the backup file for the local audit file. When the local audit file reaches the 

size specified by the audit_size parameter, it is given this name and the old 

file with this name is discarded. 

Type 

String Value 

Data 

Specify the name of the audit backup file, including path. The default is 

install_dir\dat\log\seos_audit.bak. 

audit_log 

The data value specified for the audit_log key is used to identify the name of 

the local audit file. The recorder service writes to the file named here, and the 

redirector service reads from it. 

Type 

String Value 

Data 

Specify the name of the local audit file, including path. The default is 

install_dir\dat\log\seos.audit. 

audit_size 

The data value specified for the audit_size key is used to identify the 

maximum size, in KB, for the local audit file. 

Type 

DWORD Value 

Data 

Specify the size of the local audit file. The default is 3000, for 3000 KB. 


Recorders 

error_back 

The data value specified for the error_back key is used to identify the name 

of a file used internally by eTrust Audit. 

Type 

String Value 

Data 

Specify the name of the error log backup file, including path. The default 

is install_dir\dat\log\seos_error.bak. 

error_log 

The data value specified for the error_log key is used to identify the name of 

a file used internally by eTrust Audit. 

Type 

String Value 

Data 

Specify the name of the error log file, including path. The default is 

install_dir\dat\log\seos.error. 

Recorders 

eTrust Audit maintains information about the audit and error log files for eTrust 

Audit under the following key: 

HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Recorders 

By default, the recorder sends messages to the router on the system where it is 

installed. However, as you begin to deploy eTrust Audit throughout your 

enterprise, you can change this value to send events to dedicated routers. You 

identify these dedicated router systems by changing the value of DefaultRouter 

from localhost to the host name or IP address of the dedicated router system. 


DefaultRouter 

The data value specified for the DefaultRouter key is used to identify the 

host name or IP address of the computer that runs the eTrust Audit Router. 

Type 

String Value 

Data 

Specify the name of the host that runs the eTrust Audit Router. The 

default is localhost. 


Recorders 

NT Recorder 

eTrust Audit maintains information about the files used by the recorder under 

the following key: 

HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Recorders\NT Recorder 


values. 


DataFile 

The data value specified for the DataFile key is used to identify the name of 

the file used by the recorder internally. 

Type 

String Value 

Data 

Specify the name of the file, including path. The default is 

install_dir\dat\recorders\selogrec.dat. You should not change this 

location. 

FilterFile 

The data value specified for the FilterFile key is used to identify the name of 

the recorder configuration file. 

Type 

String Value 

Data 

Specify the name of the recorder configuration file, including path. The 

default is install_dir\dat\recorders\selogrec.cfg. 

SearchStringsFile 

The data value specified for the SearchStringsFile key is used to identify the 

name of a file that the recorder service uses internally. 

Type 

String Value 

Data 

Specify the name of the search strings file, including path. The default is 

install_dir\dat\recorders\selogrec.str. You should not change this 

location. 


Recorders 

SkipImportLogs 

The data value specified for the SkipImportLogs key is used to identify 

whether to import earlier Windows NT audit logs. 

Type 

DWORD Value 

Data 

This value is generated during setup. Specify 1 or 0. When set to 1, the 

recorder will start to send only new events. 

Interval 

The data value specified for the Interval key is used to identify the time the 

recorder service suspends (sleeps) without writing any data from the event 

log. 

Type 

DWORD Value 

Data 

The sleep interval in seconds. The default value is 10 seconds. This value 

is optional. 

MaxSeqNoSleep 

The data value specified for the MaxSeqNoSleep key is used to identify the 

maximum number of records written before sleeping. 

Type 

DWORD Value 

Data 

The maximum number of records before sleeping. The default value is 

50. This value is optional. 


Redirector 

SNMP Recorder 

eTrust Audit maintains information about the mapping file used by the SNMP 

recorder to parse events under the following key: 

HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Recorders\SNMP 

Recorder 


values. 


MPFile 

The data value specified for the MPFile key is used to identify the name of 

the mapping file used by the SNMP recorder to parse events. 

Type 

String Value 

Data 

Specify the name of the mapping file, including path. The default is 

install_dir\cfg\snmptd_rec.mp. 

Redirector 

eTrust Audit maintains information used by the redirector under the following 

key: 

HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Client\Redirector 


values. 


DataFile 

The data value specified for the DataFile key is used to identify the name of a 

file used by the redirector internally. 

Type 

String Value 

Data 

Specify the name of the internal file used by the redirector, including 

path. The default is install_dir\dat\logroute.dat. You should not change 

this location. 


Redirector 

MailSubject 

The data value specified for the MailSubject key is used to identify the 

subject line for eTrust Audit outgoing email. 

Type 

String Value 

Data 

Specify the subject line of an email sent by eTrust Audit. The default is 

Notification from eTrust Audit. 

RouteFile 

The data value specified for the RouteFile key is used to identify the name of 

the redirector configuration file. 

Type 

String Value 

Data 

Specify the name of the redirector configuration file. The default value is 

install_dir\etc\ logroute.cfg. 

SendTimeout 

The data value specified for the SendTimeout key is used to identify the time 

the redirector waits for confirmation from the router before resending a 

message. If the timeout period is too short, the same message might appear 

in the database several times. 

Type 

DWORD Value 

Data 

Specify the time in seconds the redirector waits for confirmation from the 

router before sending a message. The default value is 25 seconds. Setting 

this value is optional. 

Interval 

The data value specified for the Interval key is used to identify the time the 

redirector service sleeps without writing any data from the event log. 

Type 

DWORD Value 

Data 

The sleep interval in seconds. The default value is 5 seconds. Setting this 

value is optional. 


Redirector 

MaxSeqNoSleep 

The data value specified for the MaxSeqNoSleep key is used to identify the 

maximum number of records sent before sleeping. 

Type 

DWORD Value 

Data 

The maximum number of records sent before sleeping. The default value 

is 50. Setting this value is optional. 

SpeedBackup 

The data value specified for the SpeedBackup key affects the values of 

Interval and MaxSeqNoSleep, previously mentioned. This value affects only 

if the Redirector reads from the eTrust Audit backup file. The value of 

MaxSeqNoSleep is multiplied by the value of SpeedBackup to give an 

effective value. The value of Interval is divided by the value of SpeedBackup 

to give an effective value. The effective value has a set minimum of 1 second. 

Type 

DWORD Value 

Data 

The default value is 2. Setting this value is optional. 

ChangeLogFactor 

The data value specified for the ChangeLogFactor key is used to identify the 

number of sleep periods before retrying failed targets. 

Type 

DWORD Value 

Data 

The number of sleep periods before the redirector retries failed targets. 

The default value is 3. Setting this value is optional. 

SavePeriod 

The data value specified for the SavePeriod key is used to identify the time 

before the current position of the redirector service in seos.audit is stored in 

logroute.dat. 

Type 

DWORD Value 

Data 

The time in minutes before the current position of the redirector service 

in seos_audit is stored in logroute.dat. The default value is 10 minutes. 

Setting this value is optional. 


Router 

OverWriteBackup 

The data value specified for the OverWriteBackup key is used to identify 

whether the redirector closes the backup file during sleep periods so that it 

can be erased. 

Type 

DWORD Value 

Data 

Specify 1 or 0. When set to 1, the redirector service closes the backup file 

during sleep periods, allowing it to be erased. 

Router 

eTrust Audit maintains information used by the router under the following key: 

HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Client\Router 


values. 


RulesDirectory 

The data value specified for the RulesDirectory key is used to identify the 

directory where routers configuration files are located. 

Type 

String Value 

Data 

Specify the name of the directory where the router configuration files are 

located. The default is install_dir\cfg\. 

RulesExtension 

The data value specified for the RulesExtension key is used to identify the 

extension for router configuration files. 

Type 

String Value 

Data 

Specify the extension for router configuration files. The default is .cfg. 

Setting this value is optional. 


Router 

Queue Manager\Queues 

eTrust Audit maintains information about the queues used by the router under 



Manager\Queues 


values. 


DirectoryName 

The data value specified for the DirectoryName key is used to identify the 

directory where queues are located. 

Type 

String Value 

Data 

Specify the name of the directory where the queues are located. The 

default is install_dir\dat\Queue\route. 

Queues\AlertQueue\Queue Rules 

eTrust Audit maintains information about the alert queue rules used by the 

router under the following key: 


Manager\Queues\AlertQueue\Queue Rules 

Note: The rule name (value name) is unimportant, so you can change it. The 

Data section indicates which action and which target the action reaches to be 

performed from this queue. In case the target is not indicated, it means that only 

the action is of importance. 


values. 


monitor 

The data value specified for the monitor key is used to identify the name of 

the action and target, separated by a semicolon. 

Type 

String Value 

Data 

Specify the name of the action and the target separated by a semicolon. 

The default value is “monitor; “ 


Router 

snmp 

The data value specified for the snmp key is used to identify the name of the 

action and target, separated by a semicolon. 

Type 

String Value 

Data 


The default value is “snmp; “ 

screen 

The data value specified for the screen key is used to identify the name of the 

action and target, separated by a semicolon. 

Type 

String Value 

Data 


The default value is “screen; “ 

Queues\AlertQueue\Queue Parameters 




Manager\Queues\AlertQueue\Queue Parameters 


values. 


MaxFileNum 

The data value specified for the MaxFileNum key is used to identify the 

maximum number of files in the queues. 

Type 

DWORD Value 

Data 

Specify the number of files in the queues. The default value is 10. 


Router 

MaxFileSize 

The data value specified for the MaxFileSize key is used to identify the size 

of the files in the queue. 

Type 

DWORD Value 

Data 

Specify the size of the file in the queue in KB. The default value is 500 

KB. 

MaxActionTime 

The data value specified for the MaxActionTime key is used to identify the 

maximum time the action manager operates in the queue before moving to 

another queue. 

Type 

DWORD Value 

Data 

Specify the maximum number of milliseconds the action manager 

operates in the queue before moving to another queue. The default value 

is 500 milliseconds. 

MinActionTime 

The data value specified for the MinActionTime key is used to identify the 

minimum time the action manager operates in the queue before moving to 


Type 

DWORD Value 

Data 

Specify the minimum number of milliseconds the action manager 



SleepTime 

The data value specified for the SleepTime key is used to identify the time 

the action manager service sleeps without writing any data from the queue. 

Type 

DWORD Value 

Data 

The sleep interval in seconds. The default value is 3 seconds. 


Router 

RetryDelay 

The data value specified for the RetryDelay key is used to identify the 

amount of time that passes before trying to transmit a message again 

Type 

DWORD Value 

Data 

The retry interval in seconds. The default value is 600 seconds (10 

minutes). 

MaxLifeTime 

The data value specified for the MaxLifeTime key is used to identify the 

maximal time a message can be in the queue before it is erased. 

Type 

DWORD Value 

Data 

The maximum time in seconds a message can be in the queue before it is 

erased. The default value is 86400 seconds (24 hours). 

DeleteOldFiles 

The data value specified for the DeleteOldFiles key is used to identify the 

whether the oldest queue file should be deleted if the number of 

MaxFileNum is reached. 

Type 

DWORD Value 

Data 

Specify either of the following: 

■ 

■ 

Specify 1 if you want to delete the oldest queue file when the 

number of files in the queue equals the number set in the 

MaxFileNum parameter. 

Specify 0, if you do not want to loose any record. 

Setting this value is optional. The default value is 1. 


Router 

Queues\CollectionQueue 

Queues\CollectionQueue\Queue Rules 

eTrust Audit maintains information about the collection queue rules used by the 



Manager\Queues\CollectionQueue\Queue Rules 


values. 


Name 

The data value specified for the Name key is used to identify the name of the 

collector. 

Type 

String Value 

Data 

Specify the name of the collector. The default value is “collector;”. There 

is no reason to change this value. 

Queues\CollectionQueue\Queue Parameters 




Manager\Queues\CollectionQueue\Queue Parameters 


values. 


MaxFileNum 


maximum number of files in the queue. 

Type 

DWORD Value 

Data 

Specify the number of files in the queue. The default value is 10. 


Router 

MaxFileSize 


of the file in the queue. 

Type 

DWORD Value 

Data 


KB. 

MaxActionTime 




Type 

DWORD Value 

Data 




MinActionTime 




Type 

DWORD Value 

Data 




SleepTime 



Type 

DWORD Value 

Data 



Router 

RetryDelay 



Type 

DWORD Value 

Data 


minutes). 

MaxLifeTime 



Type 

DWORD Value 

Data 







Type 

DWORD value 

Data 


■ 

■ 







Router 

Queues\Default 

Queues\Default\Queue Rules 




Manager\Queues\Default\Queue Rules 


values. 

The default key has no key rules; it gets all the rules of the other keys. 

Queues\Default\Queue Parameters 




Manager\Queues\Default\Queue Parameters 


values. 


MaxFileNum 



Type 

DWORD Value 

Data 


MaxFileSize 



Type 

DWORD Value 

Data 


KB. 


Router 

MaxActionTime 




Type 

DWORD Value 

Data 




MinActionTime 




Type 

DWORD Value 

Data 




SleepTime 



Type 

DWORD Value 

Data 


RetryDelay 



Type 

DWORD Value 

Data 


minutes). 


Router 

MaxLifeTime 



Type 

DWORD Value 

Data 







Type 

DWORD Value 

Data 


■ 

■ 






Actions 

eTrust Audit maintains information about the actions specified rules used by the 



Manager\Actions 


values. 


file 

The file action routes events to a file in ASCII text format. It has no 

parameters you should change. 

monitor 

The monitor action routes events to the security monitor. It has no 


collector 

The collector action routes events to the collector database. It has no 



Router 

mail 

The mail action routes messages to a designated SMTP mail server and onto 

an email address. 


Audit\Client\Router\Queue Manager\Actions\Mail\Parameters 


MailSubject 


subject line for eTrust Audit mail. 

Type 

String Value 

Data 

Specify the text you want to appear in the subject line of email sent 

by eTrust Audit. The default is “Notification from eTrust Audit.” 

screen 

The screen action routes events to an NT screen session. 

remote 

The remote action routes events to an action manager on the host named in 

the action where it is executed without filtering. 

route 

The route action sends events to the host named in the action where it 

reviewed by the router on that system and executed according to any filters 

that apply on that system. 

snmp 

The snmp action sends SNMP traps to the host named in the action. 

program 

The program action executes a command on the host named in the action on 

the local host. 

unicenter 

The unicenter action routes events to the Event Management Console on the 

host named in the action. The key values are as follows: 

UnicenterHome 

The data value specified for the UnicenterHome key is used to identify 

the location of the Unicenter installation. 

Type 

String Value 

Data 

Specify the location of the Unicenter installation. 


Management Agent 


eTrust Audit maintains information about the which systems are trusted policy 

servers and parameters related to policy distribution under the following key: 


Agent 

When you install eTrust Audit, you identify the name of a trusted policy server. 

By changing the value of the TrustedServers key, you can add more servers to 

identify other policy servers. 


values. 


TrustedServers 

The data value specified for the TrustedServers key is used to identify one or 

more policy servers. 

Type 

String Value 

Data 

Specify the host names or IP addresses of one or more policy servers, 

separated by commas. 

Parameters 

eTrust Audit maintains information about the how policy management under 



Agent\Parameters 


values. 

All the following keys are optional: 

TmpPolicyDir 

The data value specified for the TmpPolicyDir key is used to identify the 

directory where temporary policy files are stored. 

Type 

String Value 

Data 

Specify the directory name. The default value is 

install_dir\dat\tmp\agent_tmp_policies. 



ConnectionTimeout 

The data value specified for the ConnectionTimeout key is used to identify 

the number of seconds after which a connection between a policy server and 

distribution agent is closed. 

Type 

DWORD Value 

Data 

Specify the number of seconds after which the connection is broken. The 

default value is 600 seconds. 

ReceiveTimeout 

The data value specified for the ReceiveTimeout key is used to identify an 

internal parameter for the TCP session. 

Type 

DWORD Value 

Data 

Specify the number of seconds. The default value is 10 seconds. 

SendTimeout 

The data value specified for the SendTimeout key is used to identify an 

internal parameter for the TCP session. 

Type 

DWORD Value 

Data 


DistributionTimeout 

The data value specified for the DistributionTimeout key is used to identify 

the time from the start of the TCP session until the agent receives the policy. 

Type 

DWORD Value 

Data 




AN Types 

eTrust Audit maintains information about the types of event logs defined to it 



Agent\AN Types 


values through the registry. 

Note: All the following event log sources have a parameters section that contains 

no values. 

Apache 

eTrust Audit maintains information about the library used by the Apache AN 

type under the following key: 


Agent\AN Types\Apache 



LibraryName 

The data value specified for the LibraryName key is used to identify the 

library used to process Apache events. 

Type 

String Value 

Data 

Specify the name of the library. The default value is TGNR. 



Default 

eTrust Audit maintains information about the library used by the Default AN 



Agent\AN Types\Default 



LibraryName 


library used to process Default events. 

Type 

String Value 

Data 


eTrust Access Control 

eTrust Audit maintains information about the library used by the eTrust Access 

Control AN type under the following key: 


Agent\AN Types\eTrust Access Control 



LibraryName 


library used to process eTrust Access Control events. 

Type 

String Value 

Data 




Netscape 

eTrust Audit maintains information about the library used by the Netscape AN 



Agent\AN Types\Netscape 



LibraryName 


library used to process Netscape events. 

Type 

String Value 

Data 


NT 

eTrust Audit maintains information about the library used by the NT AN type 



Agent\AN Types\NT 



LibraryName 


library used to process NT events. 

Type 

String Value 

Data 

Specify the name of the library. The default value is TALR. 



Oracle 

eTrust Audit maintains information about the library used by the Oracle AN 



Agent\AN Types\Oracle 



LibraryName 


library used to process Oracle events. 

Type 

String Value 

Data 


UNIX 

eTrust Audit maintains information about the library used by the UNIX AN type 



Agent\AN Types\UNIX 


values through the registry. You define and modify these using the Policy 

Manager GUI. 

LibraryName 


library used to process UNIX events. 

Type 

String Value 

Data 



Policy Manager 


The keys in the topics that follow apply to the Policy Manager. 

Database 

eTrust Audit maintains information about the database used by the Policy 

Manager under the following key: 


Manager\Database 


values. 


DSN 

The data value specified for the DSN key is used to identify the name of the 

data source. 

Type 

String Value 

Data 

Specify the data source name. The default value is eAuditPMDB. 

UserName 

The data value specified for the UserName key is used to identify the name 

of the user under whose name changes can be made to the database. 

Type 

Binary Value 

Data 

Specify the user name. The value is encrypted. 

Password 

The data value specified for the Password key is used to identify the 

password of the user under whose name changes can be made to the 

database. 

Type 

Binary Value 

Data 

Specify the password. The value is encrypted. 



Distribution Log 

eTrust Audit maintains information about the log file used to store messages 

about the success or failure of policy distribution used by the Policy Manager 



Manager\Distribution Log 


values. 


MaxLogSize 

The data value specified for the MaxLogSize key is used to identify the 

number of records to be stored in the log. 

Type 

DWORD Value 

Data 

Specify the number of records. The default value is 10000. 

MaxTimeOut 

The data value specified for the MaxTimeOut key is used to identify the 

maximum time (in seconds) the distribution server waits to write to the 

database. After this period ends without success, an error is recorded in the 

machine event log. 

Type 

DWORD Value 

Data 

Specify the number of seconds. The default value is 60. 

DelPartSize 

The data value specified for the DelPartSize key is used to identify the 

number of records to erase when the value of MaxLogSize is reached. 

Type 

DWORD Value 

Data 

Specify the number of records to be erased. The default is 500. 



Distribution Server 

eTrust Audit maintains information about the output directory used by the 

distribution server under the following key: 


Manager\Distribution Server 


values. 


Queue Manager\Queues 

eTrust Audit maintains information about the queues used by the distribution 

server under the following key: 


Manager\Distribution Server\Queue Manager\Queues 

Under normal circumstances, you should not have any reason to modify these 

values. 


DirectoryName 

The data value specified for the DirectoryName key is used to identify the 

directory where queues are located. 

Type 

String Value 

Data 

Specify the name of the directory where the queues are located. The 

default is install_dir\dat\Queue\distrib. 



Queues\DistributionQueue\Queue Rules 

eTrust Audit maintains information about the queue rules used by the Policy 



Manager\Distribution Server\Queue Manager\Queues\DistributionQueue\Queue Rules 


values. 


distribute 

The data value specified for the distribute key is used to identify the name of 

the action. 

Type 

String Value 

Data 


The default value is “distribute; “ 

remove 

The data value specified for the remove key is used to identify the name of 

the action and target. 

Type 

String Value 

Data 


The default value is “remove; “ 



Queues\DistributionQueue\Queue Parameters 

eTrust Audit maintains information about the distribution queue rules used by 

the Policy Manager under the following key: 


Manager\Distribution Server\Queue Manager\Queues\DistributionQueue\Queue 

Parameters 


values. 


MaxFileNum 



Type 

DWORD Value 

Data 


MaxFileSize 



Type 

DWORD Value 

Data 


KB. 

MaxActionTime 


maximum time the distribution server operates in the queue before moving 

to another queue. 

Type 

DWORD Value 

Data 

Specify the maximum number of milliseconds the distribution server 





MinActionTime 


minimum time the distribution server operates in the queue before moving 


Type 

DWORD Value 

Data 

Specify the minimum number of milliseconds the distribution server 



SleepTime 


the distribution server service sleeps without writing any data from the 

queue. 

Type 

DWORD Value 

Data 


RetryDelay 


amount of time that passes before trying to transmit a policy again 

Type 

DWORD Value 

Data 


minutes). 

MaxLifeTime 


maximal time a policy can be in the queue before it is erased. 

Type 

DWORD Value 

Data 

The maximum time in seconds a policy can be in the queue before it is 








Type 

DWORD Value 

Data 


■ 

■ 






Queues\Default\Queue Rules 

eTrust Audit maintains information about the queue rules used by the Policy 



Manager\Distribution Server\Queue Manager\Queues\Default\Queue Rules 

This key has not rules. It is processed based on rules for other keys. 

Queues\Default\Queue Parameters 

eTrust Audit maintains information about the default queue rules used by the 

Policy Manager under the following key: 


Manager\Distribution Server\Queue Manager\Queues\Default\Queue Parameters 


values. 


MaxFileNum 



Type 

DWORD Value 

Data 




MaxFileSize 



Type 

DWORD Value 

Data 


KB. 

MaxActionTime 


maximum time the distribution server operates in the queue before moving 


Type 

DWORD Value 

Data 

Specify the maximum number of milliseconds the distribution server 



MinActionTime 


minimum time the distribution server operates in the queue before moving 


Type 

DWORD Value 

Data 

Specify the minimum number of milliseconds the distribution server 



SleepTime 


the distribution server service sleeps without writing any data from the 

queue. 

Type 

DWORD Value 

Data 




RetryDelay 


amount of time that passes before trying to transmit a policy again 

Type 

DWORD Value 

Data 


minutes). 

MaxLifeTime 


maximal time a policy can be in the queue before it is erased. 

Type 

DWORD Value 

Data 

The maximum time in seconds a policy can be in the queue before it is 






Type 

DWORD Value 

Data 


■ 

■ 







Data Server 

Queue Manager\Actions 

eTrust Audit maintains information about the actions specified rules used by the 



Manager\Distribution Server\Queue Manager\Actions 


values. 


distribute 

The distribute action routes policies to distribution agents. 

remove 

The remove action removes policies from the distribution agents. 

Data Server 

The keys in the topics that follow apply to the Data Server. 

Database 

eTrust Audit maintains information about the database used by the data server 


HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Data Server\Database 


values. 


AuditDSN 

The data value specified for the AuditDSN key is used to identify the name 

of the data source for the database used by the Data Tools components. This 

values is used by the Collector service and by the Viewer and Reporter as the 

default database. 

Type 

String Value 

Data 

Specify the data source name. The default value is eAudit_DSN. 


Data Server 

Note: To switch to a different database, the ODBC Data Sources applet in 

Windows NT Control Panel (or the Administrative Tools in the Control 

Panel, in Windows 2000) to set up a new database with the same DSN. If you 

want to start a new database with a new DSN, you need to match this value 

to it. 

DSNList 

The data value specified for the DSNList key is used to identify the another 

system DSNs for the databases used by the Viewer and the Reporter. 

Type 

String Value 

Data 

Specify the data source names, separated by commas. The default value 

is eAudit_DSN. 

UserName 

The data value specified for the UserName key is used to identify the name 

of the user under whose name connection can be made to the database. 

Type 

Binary Value 

Data 

Specify the user name. The value is encrypted. If no value is specified 

when the collector service or the Viewer starts, it is requested. 

Password 

The data value specified for the Password key is used to identify the 

password of the user under whose name connection can be made to the 

database. 

Type 

Binary Value 

Data 

Specify the password. The value is encrypted. If no value is specified 

when the collector service or the Viewer starts, it is requested. 

Note: You can change the user name and the password using the Encup 

utility. 


Data Server 

Viewer 

eTrust Audit maintains information about the Viewer under the following key: 

HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Data Server\Viewer 


values. 


FiltersDir 

The data value specified for the FiltersDir key is used to identify the location 

where the filter definition files are stored. 

Type 

String Value 

Data 

Specify the directory name. The default value is install_dir\dat\filters\. 

IniFile 

The data value specified for the IniFile key is used to identify the location 

where the ini file is stored. 

Type 

String Value 

Data 


install_dir\ini\SeAuditW.ini. 

Reports 

eTrust Audit maintains information about reports under the following key: 

HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Data Server\Reports 


values. 


ReportsDir 

The data value specified for the ReportsDir key is used to identify the 

location where reports are stored. 

Type 

String Value 

Data 

Specify the directory. The default value is install_dir\dat\reports. 


Data Server 

ReadyReportsDir 

The data value specified for the ReadyReportsDir key is used to identify the 

location where saved reports are stored. 

Type 

String Value 

Data 

Specify the directory. The default value is Saved\. 

TemplatesDir 

The data value specified for the TemplatesDir key is used to identify the 

location where the report templates are stored. 

Type 

String Value 

Data 

Specify the directory. The default value is Templates\. 

MailSubject 


subject line of email notifications about report completion. 

Type 

String Value 

Data 

Specify the text for the subject line. The default value is “Notification 

from eTrust Audit Report Generator.” 

MailBody 

The data value specified for the MailBody key is used to identify the body 

text in email notifications about report completion. 

Type 

String Value 

Data 

Specify the body text. The default value is “Report has been created 

successfully. You can view the report using the eTrust Audit Reporter.” 


Security Monitor 


eTrust Audit maintains information about the Security Monitor under the 

following key: 

HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Monitors\Security 

Monitor 


values. 


EventData 

The data value specified for the EventData key is used to identify the name 

of a file to which the currently displayed events are written each time you 

close the Security Monitor. When you next open the Security Monitor, the 

contents of the file are displayed and new events are added. 

Type 

String Value 

Data 

Specify the file name, including path. The default value is 

install_dir\etc\events.data. 

IniFile 

The data value specified for the IniFile key is used to identify the location 

where the ini file is stored. 

Type 

String Value 

Data 


install_dir\ini\SecMonW.ini. 


Chapter 

7 

UNIX INI Files 

The Client components running on UNIX are controlled by entries in the 

following .ini files: 

■ 

■ 

eAudit.ini 

recorder.ini 

The files are located in eTrustAudit_root/ini/, where eTrustAudit_root is the 

directory where you installed eTrust Audit. 


The following topics describe sections of the ini file that you might need to 

change. 

Ports 

Normally, eTrust Audit uses one of its default ports or uses portmapper to 

dynamically assign a port. eTrust Audit uses the values of these entries under the 

following conditions: 

■ 

■ 

The default port is busy 

The service cannot get the dynamic port from the portmapper 


values. However, if a port is being used by another application or service or you 

need to route events through a firewall, you must modify or set these values. 

UNIX INI Files 7–1


The entries and their default values are as follows: 

MonitorPort 

The data value specified for the MonitorPort is used by the Action Manager 

to route actions to the Security Monitor. 

Type 

String Value 

Data 



RouterPort 

The data value specified for the RouterPort is used by the router and 

redirector. 

Type 

String Value 

Data 



RouterSapiPort 

The data value specified for the RouterSapiPort key is used by the UNIX 

Recorder, the Recorder, the Generic NT Recorder, the Check Point Firewall-1 

Recorder, and applications that use SAPI, and is used by the router. 

Type 

String Value 

Data 



CollectorPort 

The data value specified for the CollectorPort is used by the Action Manager 

to route actions to the Collector and by the Collector to receive events. 

Type 

String Value 

Data 






The data value specified for the DistributionPort is used by the distribution 

server and the distribution agent. 

Type 

String Value 

Data 


SNMPRecorderPort 

The data value specified for the SNMPRecorderPort is used by the SNMP 

recorder. 

Type 

String Value 

Data 


SNMPTrapPort 

The data value specified for the SNMPTrapPort is used by the Action 

Manager to route actions defined as Action SNMP to the router. 

Type 

String Value 

Data 


Messages 

The Message section contains entries that describe the location of the message 

file: 

MessageFile 

Specify the name of the message file, including its full path. The default is 

eTrustAudit_root/Messages/message.txt. 

Severity 

Under this section, you specify values for the types of messages. There are 

several subsections with the same values: Targets (Mandatory) and SkipTimeout 

(Optional). Only the default SkipTimeout value differs. 



Fatal 

Targets 

Specify the name of the targets, separated by commas. The default value is 

Monitor,Log. 

SkipTimeout 

Specify the minimum time interval between identical messages. If eTrust 

Audit receives two of the same message within the interval it discards the 

second message. The default value is 0 seconds. 

Critical 

Targets 


Monitor,Log. 

SkipTimeout 




Error 

Targets 


Monitor,Log. 

SkipTimeout 




Warning 

Targets 


Monitor,Log. 

SkipTimeout 






Info 

Targets 


Monitor,Log. 

SkipTimeout 




Targets 

Monitor 

eTrust Audit maintains information about the self-monitor target to use to send 

its own notification messages under the following entries: 

Host 

The data value specified for the Host entry is used to identify the host where 

messages are to be sent. 

Type 

String Value 

Data 

Specify the name of the host. 

MonitorPort 

The data value specified for the MonitorPort key is used to identify the port 

used by the Security Monitor. 

Type 

String Value 

Data 

Specify the number of the port. 




Recorders 

By default, the recorder sends messages to the router on the system where it is 

installed. However, as you begin to deploy eTrust Audit throughout your 

enterprise, you can change this value to send events to dedicated routers. You 

identify these dedicated router systems by changing the value of DefaultRouter 

to the host name or IP address of the dedicated router system. 

The values are as follows: 

RecordersIniFile 

Specify the path to the recorder .ini file. The default value is ini/recorder.ini. 

DefaultRouter 

Specify the host name or IP address of the computer that runs the eTrust 

Audit router. An empty value means use the local host. 

SNMP Recorder 

eTrust Audit maintains information about the mapping file used by the SNMP 

recorder to parse events. The values are as follows: 

MPFile 

Specify the name of the mapping file used by the SNMP recorder to parse 

events. The default value is cfg/snmptd_rec.mp. 

Router 

eTrust Audit maintains information used by the router. The values are as 

follows: 

RulesDirectory 

Specify the directory where routers configuration files are located. The 

default is cfg/. 

RulesExtension 

Specify the extension for router configuration files. The default value is cfg. 

Queue MANAGER 

eTrust Audit maintains information about the queues used by the router. The 

values are as follows: 

DirectoryName 

Specify the directory where queues are located. The default value is 

eTrustAudit_root/dat/Queue/route. 



AlertQueue Queue Rules 

eTrust Audit maintains information about the alert queue rules. The values are 

as follows: 

monitor 

Specify the name of the action and target, separated by a semicolon. The 

default value is “monitor;” 

snmp 

Specify the name of the action and target, separated by a semicolon. The 

default value is “snmp;” 

AlertQueue Queue Parameters 


router. The values are as follows: 

MaxFileNum 

Specify the maximum number of files in the queue. The default value is 10. 

MaxFileSize 

Specify the size of the file in the queue. The default value is 500 KB. 

MaxActionTime 

Specify the maximum time the action manager operates in the queue before 

moving to another queue. The default is 500 milliseconds. 

MinActionTime 

Specify the minimum time the action manager operates in the queue before 

moving to another queue. The default value is 20 milliseconds. 

SleepTime 

Specify the time the action manager service sleeps without writing any data 

from the queue. The default value is 3 seconds. 

RetryDelay 

Specify the amount of time that passes before trying to transmit a message 

again. The default value is 600 seconds (10 minutes). 

MaxLifeTime 

Specify the maximal time a message can be in the queue before it is erased. 

The default value is 86400 seconds (24 hours). 




Specify whether the oldest queue file should be deleted if the number of 



■ 

■ 

Specify 1 if you want to delete the oldest queue file when the number of 

files in the queue equals the number set in the MaxFileNum parameter. 



CollectionQueue Queue Rules 



Collector 

Specify the name of the collector. The default value is “collector;” 

CollectionQueue Queue Parameters 



MaxFileNum 


MaxFileSize 


MaxActionTime 



MinActionTime 



SleepTime 



RetryDelay 





MaxLifeTime 







■ 

■ 





Default\Queue Rules 

The default section has no rules; it gets all the rules of the other subsections. 

Default Queue Parameters 

eTrust Audit maintains information about the default queue rules used by the 


MaxFileNum 


MaxFileSize 


MaxActionTime 



MinActionTime 



SleepTime 



RetryDelay 





MaxLifeTime 







■ 

■ 





Actions 

eTrust Audit maintains information about the actions used by the router. The 


file 

The file action routes events to a file in ASCII text format. It has no 


monitor 

The monitor action routes events to the security monitor. It has no 


collector 

The collector action routes events to the collector database. It has no 


mail 

The mail action routes messages to a designated SMTP mail server and onto 

an email address. 

The parameters are as follows: 

MailSubject 

Specify the subject line for eTrust Audit mail. The default is “Notification 

from eTrust Audit. 

remote 

The remote action routes events to an action manager on the host named in 

the action where it is executed without filtering. 

route 

The route action sends events to the host named in the action where it 

reviewed by the router on that system and executed according to any filters 

that apply on that system. 



snmp 

The snmp action sends SNMP traps to the host named in the action. 

program 

The program action executes a command named in the action on the local 

host. 

unicenter 

The unicenter action routes events to the Event Management Console on the 

host named in the action. 

The parameters are as follows: 

UnicenterHome 

Specify the location of the Event Management Console installation 

directory. 


eTrust Audit maintains information about which systems are trusted policy 

servers and parameters related to policy distribution. 

When you install eTrust Audit, you identify the name of a trust policy server. By 

changing the value of the TrustedServers, you can add more servers to identify 

other policy servers. 


TrustedServers 

Specify the host names or IP addresses of one or more policy servers, 

separated by commas. 

Parameters 

eTrust Audit maintains information about the how policy management runs. The 


TmpPolicyDir 

Specify the directory where temporary policy files are stored. The default 

value is eTrustAudit_root/dat/tmp/agent_tmp_policies. 

ConnectionTimeout 

Specify the number of seconds after which a connection between a policy 

server and distribution agent is closed. The default value is 600 seconds. 

ReceiveTimeout 

Specify an internal parameter for the TCP session. The default value is 10 

seconds. 



SendTimeout 

Specify an internal parameter for the TCP session. The default value is 10 

seconds. 

DistributionTimeout 

Specify the time from the start of the TCP session until the agent receives the 

policy. The default value is 800 seconds. 

AN Types 

eTrust Audit maintains information about the types of event logs defined to it. 


Apache 

eTrust Audit maintains information about the library used by the Apache AN 

type. 

LibraryName 

Specify the library used to process Apache events. The default value is 

TGNR. 

Default 

eTrust Audit maintains information about the library used by the Default AN 

type. 

LibraryName 

Specify the library used to process Default events. The default value is 

TGNR. 


eTrust Audit maintains information about the library used by the eTrust Access 

Control AN type. 

LibraryName 

Specify the library used to process eTrust Access Control events. The default 

value is TGNR. 



Netscape 

eTrust Audit maintains information about the library used by the Netscape AN 

type. 

LibraryName 

Specify the library used to process Netscape events. The default value is 

TGNR. 

NT 

eTrust Audit maintains information about the library used by the NT AN type. 

LibraryName 

Specify the library used to process NT events. The default value is TALR. 

Oracle 

eTrust Audit maintains information about the library used by the Oracle AN 

type. 

LibraryName 

Specify the library used to process Oracle events. The default value is TGNR. 

UNIX 

eTrust Audit maintains information about the library used by the UNIX AN 

type. 

LibraryName 

Specify the library used to process UNIX events. The default value is TGNR. 


ecorder.ini 

recorder.ini 

The following topics describe sections of the ini file that you might need to 

change. 

Recorder Modules 

The recorders supported by eTrust Audit in UNIX are: 

■ 

■ 

■ 

■ 

File Spooler (UNIX native recorder) 

Netscape 

Apache 

Oracle 

Each recorder has its own section in the recorder.ini file, which bears its name. 

The topics that follow describe entries found in sections for each recorder. 

Definitions 

The following definitions are found in all UNIX recorders supported by eTrust 

Audit, except for the last definition, ORACLE_HOME, which is found only in the 

Oracle recorder: 

ModuleName 

Specify the unique name for the recorder module. 

LibraryPrefix 

Specify the prefix for the name of the recorder module library. 

Active 

When specified, activates the recorder module. 

SleepInterval 

Specify the time, in seconds, that the service sleeps after each record. The 

default value is 1. 

SendInterval 

Specify the time, in seconds, that the service sleeps after the value of 

MaxSeqNoSleep is reached. The default value is 10. 

MaxSeqNoSleep 

Specify the maximum number of records sent before sleeping. The default 

value is 50. 

ORACLE_HOME 

Specify where Oracle is located on file system. 


ecorder.ini 

Parameters 

The Parameters section is found in all UNIX recorders supported by eTrust 

Audit. However, there is a significant difference between Oracle and other 

recorders as follows: 

■ 

■ 

In all recorders except Oracle, you can find two parameters under this 

section. 

DatFilePath 

A mandatory parameter, found in all UNIX recorders supported by 

eTrust Audit. 

MPDebug 

An optional parameter and is found in all recorders except Oracle. If you 

specify 1, debug information for the message parser is generated. 

Besides the DatFilePath parameter and MP file parameter (see the Log Data), 

Oracle has additional parameters, which are not found in the other recorders. 

These are the other parameters are as follows: 

DatFilePath 

Specify the relative path to the .dat file as follows: 

UNIX 

The default value is dat/recorders/syslog.dat. 

Netscape 

The default value is dat/recorders/netscape.dat. 

Apache 

The default value is dat/recorders/apache.dat. 

Oracle 

The default value is dat/recorders/oracle.dat. 

ORACLE_SID 

Specify the Oracle SID on the local host. 

TWO_TASK 

Specify the Oracle service name on the remote host. 

Password 

Specify the password for the user that can connect to the Oracle 

database. The value is encrypted. 

Username 

Specify the name of the user that can connect to the Oracle database. The 

value is encrypted. 


ecorder.ini 

Log Data 

The Log Data section describes parameters for the recorder logs. The file spooler 

has two logs: syslog and sulog. Other recorders have only one log that bears 

their name: Netscape or Apache. 

Notes: 

■ 

■ 

The only parameter here that is found also in Oracle is the MPfile parameter. 

The ConfigFile and Source parameters are found only in syslog. 


LogName 

Specify the recorder name: Unix, Netscape, or Apache. You should not 

change this value. 

StartOver 

If 1 is specified, eTrust Audit restarts reading the log files (ignores the .dat 

file). The default value is 0. 

SkipCurrentLogs 

Specify one of the following: 

0 

1 

Skips old records from the log files. 

Sends all records from the log files. 

Mpfile 

Specify the relative path to .mp file as follows: 

UNIX 

The default value is cfg/syslog.mp, or cfg/sulog.mp 

Netscape 

The default value is cfg/netscape.mp. 

Apache 

The default value is cfg/apache.mp. 

Oracle 

The default value is cfg/oracle.mp. 

ConfigFile 

Specify the relative path to syslog configuration file. The default value is 

/etc/syslog.conf. 


ecorder.ini 

Source 

Specify one of the following: 

0 

1 

Takes the log files defined in the default configuration file plus all log 

files found in the LogFiles section. 

Takes the log files defined in the configuration file under the ConfigFile 

parameter, plus all log files found in the LogFiles section. 

LogFiles 

Specify a list of paths to log files from which records are to be read as 

follows: 


Chapter 

8 

Encryption Options 

By default, the information eTrust Audit sends from station to station is encrypted 

using 56-bit DES encryption. You can change your encryption key, switch to a 

different encryption cipher, or turn off encryption. Whatever you do about 

encryption, you should do the same thing at every station where eTrust Audit is 

installed. 

Note: The unencrypted information is accepted from all sources, regardless of 

their encryption setting. 

Changing Your Encryption Key 

You can change the encryption key at any time, and you can change back to the 

default key at any time. But whenever you change the key at any station, you 

must make the same change at all stations. 

Note: You must make the encryption change manually at each station. There is 

no way to automatically distribute the change to each station in your eTrust 

Audit environment. 

eTrust Audit generates new keys using the MD5 hashing function. They can be 

based on a file or string of any size. 

To change the encryption key: 

1. Stop the eTrust Audit services and Security Monitor, if installed. 

2. From the command line, use the setkey utility. On Windows systems, setkey 

is located in the install_dir\bin directory (where install_dir is the directory in 

which you installed eTrust Audit). On UNIX systems, setkey is located in the 

install_dir/bin directory. 

3. Restart the services and Security Monitor. 

Encryption Options 8–1

setkey Command Options 

setkey Command Options 

You can use the following options for the setkey command: 

-c 

Clears the user key and sets a default key. 

-f[e] filename 

Specifies the contents of filename as the basis for the new encryption key. If 

the file is not in the current directory, you can include an absolute or relative 

pathname. 

If you use -fe, the file is then deleted. If you use -f, the file remains. 

-help 


-k newkey 

Installs newkey as the basis for the new encryption key. 

Turning Off Encryption 

To turn off encryption in Windows, delete the \winnt\system32\adcipher.dll 

file. 

To turn off encryption in UNIX, delete the /usr/lib/adcipher.so file. 

To turn encryption back on in Windows, copy the file, 

install_dir\bin\Des56bit.dll to \winnt\system32\adcipher.dll. 

To turn encryption back on in UNIX, create link/usr/lib/adcipher.si file to 

install_dir/bin/Des56bit library. 


Chapter 

9 

Firewall Considerations 

To enable communications between eTrust Audit components through a firewall, 

you must configure the eTrust Audit components on each side of the firewall to 

use the same open port in the firewall. For example, you might: 

■ 

■ 

Install the Security Monitor, the Router or the Collector service on one side of 

a firewall 

Install the recorder and router services on the opposite side 

However, if the firewall does not allow communication in the protected network, 

the client and the server (the redirector service, the router service and the 

Collector service) must be made to agree on a specific port. 

You can ensure agreement by setting the same value in the registry at the client 

and the server stations. 

1. At the client stations, edit the value Ports. On Windows systems, edit the 

following registry key: 

HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Ports 

For example: 

HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\ports\MonitorPort 

On UNIX systems, edit the value for MonitorPort in the eaudit.ini file. 

For more information on these parameters, see Ports in the “Windows 

Registry Entries” chapter or the “UNIX INI Files” chapter. 

2. Enter the same entry and value in the registry (or in the eaudit.ini file) at the 

target station. 

Firewall Considerations 9–1

Chapter 

10 

Database Considerations 

This chapter describes database considerations, including the following: 

■ 

■ 

■ 

■ 

Preparing an eTrust Audit database 

Configuring an Oracle Client 

Configuring Windows NT Authentication with Microsoft SQL Server 

Changing the Database Type after installation 

Preparing eTrust Audit Database 

You should prepare the dedicated database for eTrust Audit before you install 

the eTrust Audit Data Tools components. This task should be performed by the 

DBA. 

Oracle Databases 

Perform the following tasks: 

1. Create the new dedicated tablespace for the event database. 

2. Create the new Oracle user ID with DBA privileges and define the created 

tablespace as the default tablespace for this user. 

3. If the Collector will be run on the UNIX host, then you should a create table 

in the new tablespace. To perform that you must execute the Oracle utility, 

SQLPLUS, and run the script “oracle.sql”. The script is located in the 

directory: CDMOUNT/eTrust/Audit/DataTools/unix_platform/ 

Database Considerations 10–1


MS SQL Server Databases 


1. Create the new dedicated database. 

2. Create the new MS SQL Server user with DBA priviledges and define the 

created database as the default database for this user. 


At each station where you want to work with an Oracle Server database, you 

must configure an Oracle client. Ensure that you have the following information 

(if you are unsure, consult your Oracle Server DBA): 

■ 

The Oracle Server’s host name 

■ The Oracle Server’s port number (usually 1521) 

■ 

The username and password of the Oracle account where the eTrust 

Audit tables are defined 

Windows 


1. Start the Oracle configuration utility (Oracle Net8 Easy Config utility for 

Oracle 9 or Net8 Configuration Assistant for Oracle 8i and 9i), and then 

choose Add New Service. Any name is acceptable as the name of the new 

service, but we recommend you use the same name for all users. 

2. Select TCP/IP as the protocol for the connection to the service. 

3. Specify the name of the host on which the Oracle service runs. Unless you 

have a local reason to change the port number, leave 1521 selected. 

4. Specify the database SID name. 

5. Check the new connection by clicking the Test Service option. Enter the 

username and password, and then click Test. If the result is positive, the 

connection is properly defined. Otherwise, consult your Oracle Server DBA. 

UNIX 

Open file tnsnames.ora under the following path: 

ORACLE_HOME/network/administration/ 

and add a configuration section for the new Oracle service. 


Windows NT Authentication with Microsoft SQL Server 

Windows NT Authentication with Microsoft SQL Server 

When you configure the Collector service login to the event database, you have 

two options—Microsoft SQL Server authentication and Windows NT 

authentication with the network login ID. 

To use Windows NT authentication, you must perform several configuration 

tasks. If you have any questions, consult your DBA. 

■ 

■ 

■ 

■ 

The Collector must be in the same domain as the database, or in a trusted 

domain. 

The user account for the Collector service in Microsoft SQL Server should be 

preconfigured in Windows NT. We recommend that you create a new user 

with a single account name for use in both Windows NT and Microsoft SQL 

Server. In Microsoft SQL Server, make the event database the default 

database for the account. The Collector service will log in to the database 

under this account. 

You must configure the ODBC drivers appropriately, either during eTrust 

Audit setup or from the Control Panel in NT (or the Administrative Tools in 

the Control Panel, in Windows 2000). Select Windows NT authentication 

with the network login ID. 

After eTrust Audit installation, you must configure the Collector service to 

access the database as the new user you created. In the Control Panel’s 

Services dialog, select the “eAudit Collector” and click Startup, Log On As 

This Account. Then select the user you created for the Collector service. 

Database Considerations 10–3

Changing the Database Type 

Changing the Database Type 

At installation time, you specify the database type for the event database: 

Microsoft Access, Oracle Server, or Microsoft SQL Server. However, you might 

need to change the database type at some point after the initial installation. 

To change the database type, we recommend that you reinstall the Collector. In 

any case, the data stored in the old database will not be moved to the new 

database. 

1. Use the ODBC Data Sources applet in the Windows NT control panel (or the 

Administrative Tools in the Control Panel, in Windows 2000) to set up your 

new system DSN. 

2. If there is a difference in DSN between the old and new databases, update 

the AuditDSN value in the following Windows registry key: 

HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Data 

Server\Database 

You can also use this key to update the username and password by using the 

Encup utility. 

For more information about registry keys, see the “Windows Registry Entries” 

chapter. 

Using a Remote MS Access Database 

If you are using the Microsoft Access database type and you want to use Audit 

Viewer to access a database located on another computer, you must first map the 

remote drive to your machine, and then set up the System DSN. 

Backing Up a Microsoft Access Database 

Microsoft Access limits the size of the database to one gigabyte or approximately 

one million records. To back up the database, you should: 

1. Stop the Collector service and the Audit Viewer. 

2. Rename the event database (SeOSData.mdb) as you wish. 

3. Copy the file SeOSDataBak.mdb. 

4. Rename the copy of SeOSDataBak.mdb to SeOSData.mdb. 

5. Restart the Collector service and the Audit Viewers. 


Chapter 

11 

Encup Utility 

The Encup utility lets you change user names and passwords. Encup passes a 

buffer that contains a user name or a password associated with that user name. 

The source of the information is a file or standard input. 

The information is then encrypted and returned to a file or to standard output. 

Executing Encup 

The Encup utility is located in the install_dir/bin directory, where install_dir is 

the directory where you installed eTrust Audit. 

For more information about the Encup utility, follow these steps: 

1. Open a command prompt session. 

2. Enter the following command from the install_dir/bin directory: 

encup –help 

Encup Utility 11–1

Chapter 

12 

Security-related Event IDs 

Windows NT Event IDs 

The following events are among those directly involved in security. 

Event ID Type Description 

512 Success Audit Windows NT startup. 

513 Success Audit Windows NT shutdown. 

514 Success Audit Authentication package has been loaded. It will be used to 

authenticate logon attempts. 

515 Success Audit Trusted logon process has been registered. It will be trusted to 

submit logon requests. 

516 Success Audit Some audit messages have been discarded (full queue). 

517 Success Audit The event log was cleared. Indicates primary user name, 

primary domain, primary logon ID, client user name, client 

domain, client logon ID. 

518 Success Audit Notification package has been loaded. It will be notified of any 

account or password changes. 

528 Success Audit Successful logon. Indicates user name, domain, logon type, 

logon process, authentication package, and workstation name. 

529 Failure Audit Failed logon—unknown user name or bad password. Indicates 

user name, domain, logon type, logon process, authentication 

package, and workstation name. 

530 Failure Audit Failed logon—time restriction violation. Indicates user name, 

domain, logon type, logon process, authentication package, and 

workstation name. 

531 Failure Audit Failed logon—account disabled. Indicates user name, domain, 

logon type, logon process, authentication package, and 


Security-related Event IDs 12–1



532 Failure Audit Failed logon—account expired. Indicates user name, domain, 



533 Failure Audit Failed logon—user not permitted at this computer. Indicates 



534 Failure Audit Failed logon—logon type not permitted for this user. Indicates 



535 Failure Audit Failed logon—password expired. Indicates user name, domain, 



536 Failure Audit Failed logon—Netlogon component not active. Indicates user 

name, domain, logon type, logon process, authentication 


537 Failure Audit Failed logon—unexpected error. Indicates user name, domain, 



538 Success Audit Logoff. Indicates user name, domain, logon type, logon process, 

authentication package, and workstation name. 

539 Failure Audit Failed logon—account locked out. Indicates user name, domain, 



560 Success Audit Object open. Includes the following: Object server, object type, 

object name, new handle ID, operation ID, process ID, primary 

user name, primary domain, primary logon ID, client user 

name, client domain, client logon ID. 

561 Success Audit Handle allocated. Includes handle, ID, operation ID, and 

process ID. 

562 Success Audit Handle closed. Includes handle, ID, operation ID, and process 

ID. 

563 Success Audit Object open for delete. Includes the following: Object server, 

object type, object name, new handle ID, operation ID, process 

ID, primary user name, primary domain, primary logon ID, 

client user name, client domain, client logon ID. 

564 Success Audit Object deleted. Includes object server, handle ID, and process 

ID. 

576 Success Audit Special privileges assigned to new logon. Includes user name, 

domain, login ID, and assigned privilege. 




577 Success Audit Privilege service called. Includes the following: server, service, 

primary user name, primary domain, primary logon ID, client 

user name, client domain, client logon ID, and privileges. 

578 Failure Audit Privileged object operation. Includes the following: object 

server, object handle, process ID, primary user name, primary 

domain, primary logon ID, client user name, client domain, 

client logon ID, and privileges. 

592 Success Audit New process created. Includes the following: new process ID, 

image file name, creator process ID, user name, domain, logon 

ID. 

593 Success Audit Process exited. Includes the following: process ID, user name, 

domain, logon ID. 

594 Success Audit Handle duplicated. Includes the following: source handle ID, 

source process ID, target handle ID, target process ID. 

595 Success Audit Indirect access to an object. Includes the following: object type, 

object name, process ID, primary user name, primary domain, 

primary logon ID, client user name, client domain, client logon 

ID, and accesses. 

608 Success Audit User right assigned. Includes the following: user right, assigned 

to, assigned by, user name , and logon ID. 

609 Success Audit User right removed. Includes the following: user right, removed 

from, removed by, user name , and logon ID. 

610 Success Audit New trusted domain. Includes the following: domain name, 

domain ID, established by, user name , domain, and logon ID. 

611 Success Audit Removing trusted domain. Includes the following: domain 

name, domain ID, removed by, user name , domain, and logon 

ID. 

612 Success Audit Audit policy change. Includes the following: new policy name, 

and success and failure for System, Logon/Logoff, Object 

Access, Privilege Use, Detailed Tracking, Policy Change, and 

Account Management. It also includes changed by, user name, 

domain name, logon ID. 

624 Success Audit User account created. Includes the following: new account 

name, new domain, new account ID, caller user name, caller 

domain, caller logon ID, privileges. 

625 Success Audit Account type changed. Includes the following: target account 

name, target domain, target account ID, new type, caller user 

name, caller logon ID. 




626 Success Audit Account enabled. Includes the following: target account name, 

target domain, target account ID, caller user name, caller 

domain, caller logon ID. 

627 Success Audit Change password attempt. Includes the following: target 

account name, target domain, target account ID, caller user 

name, domain, caller logon ID, privileges. 

628 Success Audit Password set. Includes the following: target account name, 

target domain, target account ID, caller user name, domain, 

caller logon ID. 

629 Success Audit Account disabled. Includes the following: target account name, 



630 Success Audit Account deleted. Includes the following: target account name, 



631 Success Audit Global group created. Includes the following: new account 



632 Success Audit Global group member added. Includes the following: member, 

target account name, target domain, target account ID, caller 

user name, caller domain, caller logon ID, privileges. 

633 Success Audit Global group member removed. Includes the following: 

member, target account name, target domain, target account ID, 

caller user name, caller domain, caller logon ID, privileges. 

634 Success Audit Global group deleted. Includes the following: target account 

name, target domain, target account ID, caller user name, caller 


635 Success Audit Local group created. Includes the following: new account name, 

new domain, new account ID, caller user name, caller domain, 

caller logon ID, privileges. 

636 Success Audit Local group member added. Includes the following: member, 



637 Success Audit Local group member removed. Includes the following: member, 



638 Success Audit Local group deleted. Includes the following: target account 






639 Success Audit Local group changed. Includes the following: target account 



640 Success Audit General account database changed. Includes the following: type 

of change, object type, object name, object ID, caller user name, 

caller domain, caller logon ID. 

641 Success Audit Global group changed. Includes the following: target account 



642 Success Audit User account changed. Includes the following: target account 



643 Success Audit Domain policy changed. Includes the following: domain, 

domain ID, caller user name, caller domain, caller logon ID, 

privileges. 

644 Success Audit User account locked out. Includes the following: target account 

name, target account ID, caller machine name, caller user name, 



Windows 2000 Event IDs 


The following events are among those directly involved in security. 


512 Success Audit Windows NT startup. 

513 Success Audit Windows NT shutdown. 

514 Success Audit Authentication package has been loaded. It will be used to 

authenticate logon attempts. 

515 Success Audit Trusted logon process has been registered. It will be trusted to 

submit logon requests. 

516 Success Audit Some audit messages have been discarded (full queue). 

517 Success Audit The event log was cleared. Indicates primary user name, 


domain, client logon ID. 

518 Success Audit Notification package has been loaded. It will be notified of any 

account or password changes. 

528 Success Audit Successful logon. Indicates user name, domain, logon type, 

logon process, authentication package, and workstation name. 

529 Failure Audit Failed logon—unknown user name or bad password. Indicates 



530 Failure Audit Failed logon—time restriction violation. Indicates user name, 

domain, logon type, logon process, authentication package, and 


531 Failure Audit Failed logon—account disabled. Indicates user name, domain, 



532 Failure Audit Failed logon—account expired. Indicates user name, domain, 



533 Failure Audit Failed logon—user not permitted at this computer. Indicates 



534 Failure Audit Failed logon—logon type not permitted for this user at this 

machine. Indicates user name, domain, logon type, logon 

process, authentication package, and workstation name. 




535 Failure Audit Failed logon—password expired. Indicates user name, domain, 



536 Failure Audit Failed logon—Netlogon component not active. Indicates user 

name, domain, logon type, logon process, authentication 


537 Failure Audit Failed logon—unexpected error. Indicates user name, domain, 



538 Success Audit Logoff. Indicates user name, domain, logon type, logon process, 

authentication package, and workstation name. 

539 Failure Audit Failed logon—account locked out. Indicates user name, domain, 



540 Success Audit Successful network logon. Includes the following: user name, 

domain, logon, ID, logon type, logon process, authentication 

package, workstation name. 

541 Success Audit IKE security association established. Includes the following: 

mode, peer identity, filter, parameters. 

542 Success Audit IKE security association ended. Includes the following: mode-- 

data protection, filter, inbound SPI, outbound SPI. 

543 Success Audit IKE security association ended. Includes the following: mode-- 

key exchange, filter. 

544 Failure Audit IKE security could not be established because the peer could not 

authenticate. The certificate trust could not be established. 

Includes the following: peer identity, and filter. 

545 Failure Audit IKE peer authentication failed. Includes the following: peer 

identity, and filter. 

546 Failure Audit IKE security could not be established because the peer sent and 

invalid proposal. Includes the following: mode, filter, attribute, 

expected value, received value. 

547 Failure Audit IKE security association negotiation failed. Includes the 

following: mode, filter, failure point, failure reason. 




name, client domain, client logon ID, accesses, privileges. 




561 Success Audit Handle allocated. Includes handle, ID, operation ID, and 

process ID. 

562 Success Audit Handle closed. Includes handle, ID, operation ID, and process 

ID. 

563 Success Audit Object open for delete. Includes the following: Object server, 

object type, object name, new handle ID, operation ID, process 

ID, primary user name, primary domain, primary logon ID, 

client user name, client domain, client logon ID, accesses, 

privileges. 

564 Success Audit Object deleted. Includes object server, handle ID, and process 

ID. 




name, client domain, client logon ID, accesses, privileges, 

properties. 

566 Success Audit Object operation. Includes the following: operation type, object 

type, object name, handle ID, operation ID, primary user name, 


domain, client logon ID, accesses, privileges. 

576 Success Audit Special privileges assigned to new logon. Includes user name, 

domain, login ID, and assigned privilege. 

577 Success Audit Privilege service called. Includes the following: server, service, 

primary user name, primary domain, primary logon ID, client 

user name, client domain, client logon ID, and privileges. 

578 Failure Audit Privileged object operation. Includes the following: object 

server, object handle, process ID, primary user name, primary 

domain, primary logon ID, client user name, client domain, 

client logon ID, and privileges. 

592 Success Audit New process created. Includes the following: new process ID, 

image file name, creator process ID, user name, domain, logon 

ID. 

593 Success Audit Process exited. Includes the following: process ID, user name, 

domain, logon ID. 

594 Success Audit Handle duplicated. Includes the following: source handle ID, 

source process ID, target handle ID, target process ID. 




595 Success Audit Indirect access to an object. Includes the following: object type, 

object name, process ID, primary user name, primary domain, 

primary logon ID, client user name, client domain, client logon 

ID, and accesses. 

608 Success Audit User right assigned. Includes the following: user right, assigned 

to, assigned by, user name , and logon ID. 

609 Success Audit User right removed. Includes the following: user right, removed 

from, removed by, user name , and logon ID. 

610 Success Audit New trusted domain. Includes the following: domain name, 

domain ID, established by, user name , domain, and logon ID. 

611 Success Audit Removing trusted domain. Includes the following: domain 

name, domain ID, removed by, user name , domain, and logon 

ID. 

612 Success Audit Audit policy change. Includes the following: new policy name, 

and success and failure for System, Logon/Logoff, Object 

Access, Privilege Use, Detailed Tracking, Policy Change, and 

Account Management. It also includes changed by, user name, 

domain name, logon ID. 

613 Success Audit IPSec policy agent started. Includes the following: IPSec policy 

agent, policy source, event data. 

614 Success Audit IPSec policy agent disabled. Includes the following: IPSec policy 

agent, event data. 

615 Success Audit IPSec Policy Agent service. Includes event data. 

616 Failure Audit IPSec policy agent encountered a potentially serious failure. 

Includes event data. 

617 Success Audit Kerberos policy changed. Includes changed by, user name, 

domain name, login ID, changes made, parameter name new 

and (old). 

618 Success Audit Encrypted data recovery policy changed. Includes the 

following: changed by, user name, domain name, logon ID, 

changes made parameter new and (old). 

619 Success Audit Quality of service policy changed. Includes the following: 

changed by, user name, domain name, logon ID, changes made 

parameter new and (old). 

620 Success Audit Trusted domain information modified. Includes the following: 

domain name, domain ID, modified by, user name, domain, 

logon ID. 




624 Success Audit User account created. Includes the following: new account 



625 Success Audit Account type changed. Includes the following: target account 

name, target domain, target account ID, new type, caller user 

name, caller logon ID. 

626 Success Audit Account enabled. Includes the following: target account name, 



627 Success Audit Change password attempt. Includes the following: target 


name, domain, caller logon ID, privileges. 

628 Success Audit User account password set. Includes the following: target 


name, domain, caller logon ID. 

630 Success Audit User account deleted. Includes the following: target account 



631 Success Audit Security enabled global group created. Includes the following: 

new account name, new domain, new account ID, caller user 

name, caller domain, caller logon ID, privileges. 

632 Success Audit Security enabled global group member added. Includes the 

following: member, target account name, target domain, target 

account ID, caller user name, caller domain, caller logon ID, 

privileges. 

633 Success Audit Security enabled global group member removed. Includes the 



privileges. 

634 Success Audit Security enabled global group deleted. Includes the following: 



635 Success Audit Security enabled local group created. Includes the following: 



636 Success Audit Security enabled local group member added. Includes the 



privileges. 




637 Success Audit Security enabled local group member removed. Includes the 



privileges. 

638 Success Audit Security enabled local group deleted. Includes the following: 



639 Success Audit Security enabled local group changed. Includes the following: 



640 Success Audit General account database changed. Includes the following: type 

of change, object type, object name, object ID, caller user name, 


641 Success Audit Security enabled global group changed. Includes the following: 



642 Success Audit User account changed. Includes the following: target account 



643 Success Audit Domain policy changed. Includes the following: domain, 

domain ID, caller user name, caller domain, caller logon ID, 

privileges. 

644 Success Audit User account locked out. Includes the following: target account 

name, target account ID, caller machine name, caller user name, 


645 Success Audit Computer account created. Includes the following: new account 



646 Success Audit Computer account changed. Includes the following: target 



647 Success Audit Computer account deleted. Includes the following: target 



648 Success Audit Security disabled local group created. Includes the following: 






649 Success Audit Security disabled local group changed. Includes the following: 



650 Success Audit Security disabled local group member added. Includes the 

following: member name, member ID, target account name, 



651 Success Audit Security disabled local group member removed. Includes the 




652 Success Audit Security disabled local group deleted. Includes the following: 



653 Success Audit Security disabled global group created. Includes the following: 



654 Success Audit Security disabled global group changed. Includes the following: 



655 Success Audit Security disabled global group member added. Includes the 




656 Success Audit Security disabled global group member removed. Includes the 




657 Success Audit Security disabled global group deleted. Includes the following: 



658 Success Audit Security enabled universal group created. Includes the 

following: new account name, new domain, new account ID, 


659 Success Audit Security enabled universal group changed. Includes the 

following: target account name, target domain, target account 

ID, caller user name, caller domain, caller logon ID, privileges. 




660 Success Audit Security enabled universal group member added. Includes the 




661 Success Audit Security enabled universal group member removed. Includes 

the following: member name, member ID, target account name, 



662 Success Audit Security enabled universal group deleted. Includes the 



663 Success Audit Security disabled universal group created. Includes the 

following: new account name, new domain, new account ID, 


664 Success Audit Security disabled universal group changed. Includes the 



665 Success Audit Security disabled universal group member added. Includes the 




666 Success Audit Security disabled universal group member removed. Includes 

the following: member name, member ID, target account name, 



667 Success Audit Security disabled universal group deleted. Includes the 



668 Success Audit Group type changed. Includes the following: target account 



669 Success Audit Add SID history. Includes the following: source account name, 

source account ID, target account name, target account ID, caller 


670 Success Audit Add SID history. Includes the following: source account name, 






672 Success Audit Authentication ticket granted. Includes the following: user 

name, supplied realm name, user ID, service name, service ID, 

ticket options, ticket encryption type, pre-authentication type, 

client address. 

673 Success Audit Service ticket granted. Includes the following: user name, user 

domain, user ID, service name, service ID, ticket options, ticket 

encryption type, client address. 

674 Success Audit Ticket granted renewed. Includes the following: user name, user 

domain, user ID, service name, service ID, ticket options, ticket 

encryption type, client address. 

675 Failure Audit Pre-authentication failed. Includes the following: user name, 

user ID, service name, pre-authentication type, failure code, 


676 Failure Audit Authentication ticket request failed. Includes the following: user 

name, supplied realm name, user ID, service name, ticket 

options, failure code, client address. 

677 Failure Audit Service ticket request failed. Includes the following: user name, 

supplied realm name, service name, ticket options, failure code, 


678 Success Audit Account mapped for logon by . Includes the following: client 

name, mapped name. 

679 Failure Audit The name could not be mapped for logon by . Includes the 

following: client name, mapped name. 

680 Success Audit Account used for logon by . Includes the following: account 

name, workstation. 

681 Failure Audit The login to account by from workstation failed. 

683 Success Audit Session reconnected to winstation. Includes the following: user 

name, domain, logon ID, session name, client name, client 

address. 

684 Success Audit Session disconnected to winstation. Includes the following: user 

name, domain, logon ID, session name, client name, client 

address. 


UNIX Event IDs 

UNIX Event IDs 

For the following sources, the various eTrust Audit recorders use an event ID of 

0: 

■ 

■ 

■ 

■ 

■ 

■ 

■ 

Syslog.conf 

Sylog 

Oracle 

Netsacpe 

IPlanet 

SNMP 

Check Point Firewall-1 

Windows Event IDs 

For the following sources, the various eTrust Audit recorders use an event ID of 

0: 

■ 

■ 

■ 

■ 

■ 

■ 

MS-IIS 

Microsoft Proxy 

Oracle 

Microsoft ISA 

SNMP 



eTrust Access Control Event IDs 

eTrust Access Control Event IDs 

The following event IDs are used for eTrust Access Control 5.1 SP1 and below. 

These events are generated by the seaudit -t command. This list also includes 

event IDs for eTrust Single Signon 6.5 and lower: 

Event ID 

Reason 

0 No request for LOG operation. 

1 User logged in out-of shift with LOGSHIFT property. 

2 User audit mode requires logging. 

3 Resource audit mode requires logging. 

4 Resource in WARNING mode. 

5 Serevu utility requested logging. 

6 Network attack protection. 

7 Incoming or outgoing connection (not from Log reason, but from 

stage code). 

8 PAM support 1 failed logon. 

10 A specific request to log operation. 

Cisco PIX Event IDs 

For events coming from Cisco PIX Firewalls, the eTrust Audit recorders use the 

message IDs as the event ID. For a description of the system log messages for 

Cisco PIX Firewalls, see your Cisco PIX Firewall documentation. 


Chapter 

13 

The Submit API (SAPI) 

eTrust Audit provides an API, the Submit API (SAPI), to submit audit events to 

the eTrust Audit router. The Submit API provides a simple means of adding new 

sources of audit information to eTrust Audit. Any third-party application 

intended to submit events to eTrust Audit should use the SAPI calls. 

Because the objective of eTrust Audit is to enable event analysis, both online and 

offline, it is important that events from different sources conform to a single 

concept. On the other hand, it is vital that native auditing information be 

preserved. The SAPI allows for both: 

■ 

■ 

■ 

If a submitted application’s events are to be analyzed by eTrust Audit, it 

must map events to the common format. The unified format simplifies 

management, reporting, and analysis. For example, Intrusion Detection rules 

for generic events such as logon/logoff can be easily administered crossplatform. 

Translators are functions that translate external data representation (such as 

UNIX time_t) to SAPI internal string format. Each translator is identified by 

name. Currently three translators are supported: string, timet and long. 

The client is free to add fields for native information. Auditors can report on 

events from a certain source by using the terms specific to the source. 

The Submit API (SAPI) 13–1

Mapping 

Mapping 

Messages are created by mapping to fields defined in the header file 

AC_SAPITokens.h. The SAPI format is completely free. However, some fields are 

mandatory and others are strongly recommended. 

Message Routing 

After mapping, the resulting message is submitted to a router. By default, events 

are submitted to the router resident on the local machine. You can configure the 

SAPI to submit to the router of your choice. 

Following a successful submit operation, eTrust Audit provides guaranteed 

delivery according to the filters and actions specified in the router’s filter rules 

file (router.cfg). 

Submitting a Message to the Router 

Tip: You must use SAPI_Init before any other SAPI function. 

Submitting events to the SAPI has a simple flow. Follow these steps: 

1. Create a SAPI context by using SAPI_Init. The context is helpful in the case 

of multiple threads. 

2. Create a message handle by using SAPI_NewMessage. 

3. By using the message handle, you add items (fields) to the message with 

SAPI_AddItem. 

4. With the same handle, submit the message to the router with 

SAPI_SubmitMsg. 

5. After a message has been successfully submitted, use SAPI_RemoveMessage 

to clear it from memory. 


Compiling and Linking 

Handling Submit Failures 

If the attempt to submit a message fails, you can remove it, or try to submit it 

again. If the message is not removed, it stays in memory. 

Note: After the first submit attempt, the message is locked and cannot be 

changed. 

Compiling and Linking 

To use the Submit API, you must include a header file with prototypes and 

structure definitions in your source code. The header file is etsapi.h 

For mapping, use AC_SAPITokens.h. 

Libraries 

On UNIX, SAPI includes two shared libraries: etsapi.so and etbase.so. In 

Windows, the corresponding files are etsapi.dll and etbase.dll. 

Sample SAPI Routine 

The following is a simple example of SAPI usage. The following application 

sends a single message containing five fields (category of event, native event ID, 

logname, source, and info). The field, timestamp, is added by default. 

Note: SAPI_Init and SAPI_Destroy should be used only once per application— 

not once per message as in this demonstration. 

#include "etsapi.h" 

#include "AC_SAPITokens.h" 

/* 

* Usage : test [host] 

*/ 

int main(int argc, char *argv[]) 

{ 

SAPI_CTX ctx; /* SAPI context */ 

SAPI_HANDLE_l h; /* handle for new message */ 

SMStatus rv; /* return value to check */ 

SMStatus remote_rv; /* return value from the receiver */ 

Char 

msg_buffer[1024]; 

long eventId = 123456; 

char 

category[] = "General"; 

char 

logname[] = "test_log"; 



char source[] = "test_recorder"; 

char info[] = "test_recorder information"; 

rv = SAPI_Init(&ctx, NULL); /* Create a new SAPI context */ 

if (rv != SAPI_SUCCESS) 

{ 

printf("SAPI_Init: failed code : 0x%X\n", rv); 

return 1; 

} 

/* set destination host, default - localhost */ 

if (argc > 1) 

{ 

rv = SAPI_SetRouter(ctx, argv[1]); 


{ 

printf("SAPI_SetRouter: host = '%s', failed code : 0x%X\n", 

argv[1], rv); 

return 1; 

} 

else 

printf("Set destination host %s\n", argv[1]); 

} 

rv = SAPI_NewMessage(ctx, &h); /* Create a new SAPI message */ 


{ 

printf("SAPI_NewMessage: failed code : 0x%X\n", rv); 

return 1; 

} 

/* Add a new items to a message */ 

rv = SAPI_AddItem(ctx, h, 

SAPI_TRANS_DATATYPE_STRING, 

SAPI_CATEGORY_FLD, 

category); 


{ 

printf("SAPI_AddItem: failed code : 0x%X\n", rv); 

return 1; 

} 


SAPI_TRANS_DATATYPE_LONG, 

SAPI_NATIVEID_FLD, 

&eventId); 


{ 


return 1; 

} 



SAPI_LOGNAME_FLD, 

logname); 


{ 


return 1; 

} 





SAPI_SOURCE_FLD, 

source); 


{ 


return 1; 

} 



SAPI_INFO_FLD, 

info); 


{ 


return 1; 

} 

/* Print the content of a message to a buffer */ 

rv = SAPI_DumpMessage(ctx, h, msg_buffer, sizeof(msg_buffer)); 


{ 

printf("SAPI_DumpMessage: failed code : 0x%X\n", rv); 

return 1; 

} 

else 

{ 

printf("SAPI message:\n %s\n", msg_buffer); 

} 

/*Submits the message to a SAPI router.*/ 

rv = SAPI_SubmitMsg(ctx, h, &remote_rv); 

if (rv == SAPI_SUCCESS) 

printf("SAPI_SubmitMsg OK, remote return code : 0x%X\n", remote_rv); 

else 

printf("SAPI_SubmitMsg: failed code :0x%X\n", rv); 

/*Remove a message from the given context.*/ 

rv = SAPI_RemoveMessage(ctx, h); 


{ 

printf("SAPI_RemoveMessage: failed code : 0x%X\n", rv); 

return 1; 

} 

/* destroy SAPI context and free all its allocations */ 

rv = SAPI_DestroyCTX(ctx); 


{ 

printf("SAPI_DestroyCTX: failed code :0x%X\n", rv); 

return 1; 

} 

} 

return 0; 


SAPI Reference 


SAPI functions use the following type definitions. 

SAPI_CTX 

SAPI context contains state information for all SAPI calls 

SAPI_HANDLE_l 

SAPI_HANDLE_lp 

SAPI message handles used for referring to specific messages 

The SAPI uses the functions on the following pages to pass messages to the 

eTrust Audit router. 

SAPI_Init 

This function must be called before any other SAPI functions can be used. 

Syntax 

SMStatus SAPI_Init( SAPI_CTX 

*ctx, 

char *config ); 

Parameters 

ctx 

The address of pointer to SAPI context. 

config 

The configuration (reserved for future use). 



SAPI_NewMessage 

The SAPI_NewMessage function creates a handle to new message in the given 

context. The message is also filled with automatic arguments for mandatory 

fields with their default values. 

Syntax 

SMStatus SAPI_NewMessage( SAPI_CTX 

* ctx, 

SAPI_HANDLE_lp Handle ); 

Parameters 

ctx 

The SAPI context. This parameter’s value originates with SAPI_Init. 

handle 

The address of the handle to return on success. 

Return Values 

The function returns SAPI_SUCCESS on success and SAPI_BADCTX_RC for an 

invalid SAPI context. 



SAPI_AddItem 

The SAPI_AddItem function adds a new Item to a message. If an Item by the 

given name already exists, it is replaced by the given Item. 

Syntax 

SMStatus SAPI_AddItem( SAPI_CTX 

ctx, 

SAPI_HANDLE_l 

handle, 

char 

*item_type, 

char 

*name, 

void *value ); 

Parameters 

ctx 


handle 

The handle to a message. This parameter’s value originates with 

SAPI_NewMessage. 

item_type 

The external raw data type. The available item types are as follows: 

long 

The value should point to address of long. 

string 

The value should point to a null terminated char string. 

timet 

The value should point to the address of a time_t. 

name 

The item name 

value 

The binary raw data. 

Return Values 





SAPI_SubmitMsg 

The SAPI_SubmitMsg functin submits the message to a SAPI router. 

Note: After the message has been submitted, you must free it with 

SAPI_RemoveMessage. 

Syntax 

SMStatus SAPI_SubmitMsg( SAPI_CTX 

ctx, 

SAPI_HANDLE_l 

handle, 

SMStatus *sapi_remote_rv ); 

Parameters 

ctx 


handle 



sapi_remote_rv 

The return value of the remote function. 

Return Values 

The function returns SAPI_SUCCESS on success. 



SAPI_RemoveMessage 

SAPI_RemoveMessage removes a message in the given context. Use the function 

to clear sent messages from memory. 

Syntax 

SMStatus SAPI_RemoveMessage( SAPI_CTX 

ctx, 

SAPI_HANDLE_l Handle ); 

Parameters 

ctx 


handle 



Return Values 





SAPI_DumpMessage 

The SAPI_DumpMessage function prints the content of a message in the given 

context to a buffer. Function prints the string values of the message fields. 

Syntax 

SMStatus SAPI_DumpMessage( SAPI_CTX 

ctx, 

SAPI_HANDLE_l 

handle, 

char 

* buffer, 

int Size ); 

Parameters 

ctx 


handle 



Buffer 

The buffer to output. 

Size 

The size of the buffer. 

Return Values 

The function returns SAPI_SUCCESS on success, SAPI_BADCTX_RC for an 

invalid SAPI context and SAPI_BADPARAM_RC for too small buffer size. 



SAPI_DestroyCTX 

The SAPI_DestroyCTX function frees current SAPI context and all unsent 

messages and gracefully shuts the client side of SAPI. 

Syntax 

SMStatus SAPI_DestroyCTX( SAPI_CTX ctx ); 

Parameters 

ctx 


Return Values 

The function returns SAPI_SUCCESS on success. 

SAPI_SetRouter 

The SAPI_SetRouter function registers the name of a new router host. 

Syntax 

SMStatus SAPI_SetRouter( SAPI_CTX 

Ctx, 

unsigned short hostname ); 

Parameters 

ctx 


Hostname 

The name of the host where the router resides. 

Return Values 

The function returns SAPI_SUCCESS on success and SAPI_BADPARAM_RC for 

an invalid context. 



SAPI_SetRouterPort 

The SAPI_SetRouterPort function changes the default SAPI router port number. 

Syntax 

SMStatus SAPI_SetRouterPort( SAPI_CTX 

Ctx, 

unsigned short Portnum ); 

Parameters 

ctx 


portnum 

The user-defined port number to be registered in portmap. If you specify 0, 

the port number will be set by portmap. 

Return Values 



SAPI_SetRouterTimeout 

The SAPI_SetRouterTimeout function changes the default SAPI router timeout 

period. 

Syntax 

SMStatus SAPI_SetRouterTimeout( SAPI_CTX 

Ctx, 

unsigned long Timeout ); 

Parameters 

ctx 


timeout 

The user-defined timeout period, in seconds. 

Return Values 




SAPI Return and Error Codes 


The following macros process return codes for all SAPI calls. 

Each return code is composed from (most to least): 

■ 

■ 

■ 

1 bit—success or failure code 

16 bits—software component ID number. In the case of the SAPI, the ID 

number is 11 (SAPI_RC_BASE). 

12 bits—meaningful portion of return code 

Macro 

_SM_IS_FAIL(rc) (rc>>31) 

_SM_RC_PKG(rc) ((rc>>12)&0xffff) 

_SM_RC_CODE(rc) (rc&0xfff) 

Purpose 

The macro checks whether the call failed. In case of failure, the 

macro returns TRUE or 1. 

The macro extracts and returns the software component ID 

number. 

The macro extracts and returns the meaningful portion of the 

return code. 



The following table describes the return and error codes defined in etsapi.h: 

Name Construction Meaning 

SAPI_SUCCESS 0 Function returned 

successfully. 

SAPI_MALLOC_RC _SM_RC_FAIL(SAPI_RC_BASE,1) SAPI could not allocate 

memory. 

SAPI_NOHANDLE_RC _SM_RC_FAIL(SAPI_RC_BASE,2) Requested SAPI message 

handle could not be found. 

SAPI_BADPARAM_RC _SM_RC_FAIL(SAPI_RC_BASE,3) Function received a bad 

parameter (most 

commonly a NULL 

pointer). 

SAPI_NOITEM_RC _SM_RC_FAIL(SAPI_RC_BASE,4) Low-level internal code, 

should not appear in 

normal operation. 

SAPI_ALRDYEXIST_RC _SM_RC_FAIL(SAPI_RC_BASE,5) A field by the same name 

already exists in the 

message. 

SAPI_UNSUPPORTED_RC _SM_RC_FAIL(SAPI_RC_BASE,6) Unsupported SAPI type. 

SAPI_NOAUTOARG_RC _SM_RC_SUCCESS(SAPI_RC_BASE,7) Low-level internal code, 



SAPI_BADCTX_RC _SM_RC_FAIL(SAPI_RC_BASE,8) Function got an invalid 

SAPI context for input. 

SAPI_MSGLOCKED_RC _SM_RC_FAIL(SAPI_RC_BASE,9) Low-level internal code, 



SAPI_NOTHINGTOSEND_RC _SM_RC_SUCCESS(SAPI_RC_BASE,10) 

Low-level internal code, 



SAPI_NOTREROUTING_RC _SM_RC_FAIL(SAPI_RC_BASE,11) Low-level internal code, 



SAPI_REROUTINGMODE_RC _SM_RC_FAIL(SAPI_RC_BASE,12) 

Low-level internal code, 




Fields for SAPI 

Fields for SAPI 

The SAPI format is completely free, except for certain mandatory fields, 

generally, those affecting intrusion detection and security auditing. If the 

submitting application does not provide values for such fields, the SAPI will 

provide a default value. 

Additional fields can be added as you choose. However, for security-related 

events it is strongly recommended to map to the predefined SAPI fields. Unless 

events map to the SAPI fields, they will be treated generically by the eTrust 

Audit viewers. 

Predefined fields are defined in the file AC_SAPITokens.h. User-defined field 

names should be unique. 

It is recommended to identify the log or source in all user-defined field names. 

For example, the first of these two macro definitions is specific to the SAPI and 

the second, to Oracle. 

#define SAPI_DATE_FLD 

#define ORA_AUDIT_OPTION 

”Date” 

“ORA_Audit_Option” 

Field Properties 

Each SAPI field has three properties: name, type, and value. Field types are 

assigned when submitting messages. Available types are date, string and long. 

The SAPI fields discussed below are organized by priority. 

• Mandatory fields must be present in every record. 

• Common predefined fields are important for event identification and 

description. 

• Optional, category-specific fields provide further characterization of events. 

Other fields are specific to event sources. 


Mapping Examples 


The following are examples of mapping of SAPI fields. 

Event User Category Subcategory ObjClass ObjName Oper 

User account 

was created 

Registry key 

was deleted 

Process was 

stopped (NT) 

Windows NT 

was shut 

down 

A file was 

opened for 

read 

“Administrator” 

Account 

Management 

Administration USER newuser Create 

“richard” Object Access Administration REGKEY “HKEY_USERS\ 

. . . “ 

“joan” Object Access Activation PROCESS “FINDFAST. 

EXE” 

“SYSTEM” 

Security 

Systems 

“joan” Object Access Usage FILE “c:\winnt\ 

system.ini” 

OS 

Delete 

Stop 

Stop 

Read 

Mandatory Fields for Event Identification 

The SAPI requires that certain fields be present in each message you submit. 

These fields contain data on the time, place, and status of events. For some fields, 

values are strictly predefined. 

SAPI_LOCATION_FLD “Location” 

The name of the host where the event was originated. Name format is UNIX 

qualified name or UNC (if DNS is not available). 

Examples 

host.mydomain.com (UNIX qualified name 

\\mydomain\host (UNC). 

Default Value 

The name of machine where submitter is resident. 

SAPI_LOGNAME_FLD “Log” 

The logical log name that uniquely identifies the native auditing type. That 

is, the logical name of the source of audit information. 

Examples 

NT-System, NT-Application 

UNIX for syslog and sulog files 

Oracle for Oracle logs 

Default Value 

The submitter must supply the contents for this field. 



SAPI_SOURCE_FLD “Src” 

The name of the software component that issued the event. 

Note: The audit mechanism may serve more than one process or application. 

When a native auditing environment has more than one instance on the same 

machine, this field will contain the instance identification. 

Examples 

Windows NT—Security, Disk, NETLOGON 

UNIX—telnetd, ftpd 

Default Value 

The submitter must supply the contents for this field. 

SAPI_DATE_FLD “Date” 

When the event was originated. Date contains both date and time in 

standard ISO format (text format that includes date, time and time zone). 

Examples 

20010201T080001-0500 means Feb. 1, 2001at 8:00:01 EST 

20010202T080001+0000 means Feb. 2, 2001 at 8:00:01 GMT 

Default Value 

The date and time at machine where the event is submitted. 

SAPI_STATUS_FLD “Status” 

The status, which the event describes. Values for Status are strictly 

predefined: 

“S” SAPI_STATUS_SUCCESS 

Event for a successful operation. 

“F” SAPI_STATUS_FAILURE 

Event for a failure operation. 

“D” SAPI_STATUS_DENIED 

Event for a failure operation where the reason is insufficient privileges. 

We recommend that you use “F” SAPI_STATUS_FAILURE even for failure 

operations that is caused by insufficient privileges. 

Note: All source specific statues should be converted into one of SAPI 

statuses. To keep the original value put it into specific field: 

_Status, where is an unique identifies the source of audit 

information. 

Default Value 

“S” 



Common Predefined Fields for Event Identification 

The following fields are used by most events. They are not mandatory, but they 

are strongly recommended for each SAPI message. 

SAPI_USER_FLD “User” 

The name of the user (or principal as some systems define) who performed 

the audited operation. 

Example 

Windows NT—Administrator, my_domain\john 

UNIX—“root,” “john” 

Default Value 

None. 

SAPI_USERID_FLD “UID” 

The native user ID. 

Example 

Windows NT—S-1-5-21-1793529420-1590284213-401-284377-1208 

UNIX—0 (root user) 

Optional Predefined Fields for Event Identification 

Certain fields providing event identification are optional. 

SAPI_LOCATIONIP_FLD “LocationIP” 

The IP address where the event was originated. 

Example 

112.111.248.116 

SAPI_LOGFILENAME_FLD “LogF” 

The physical file name (full path name), if available, in cases where the audit 

does not reside in a fixed file. 

Example 

UNIX—/usr/logs/trace1.log 

SAPI_RECORDERVER_FLD “RecVer” 

The version of the submitter for the native auditing environment. 



Common Predefined Fields for Event Description 

The following fields provide general information about events. They are not 

mandatory, but it is recommended to set their values (if available) for each SAPI 

message. 

Reserved fields specific to predefined security event categories are listed later in 

this chapter. 

SAPI_CATEGORY_FLD “Category” 

The security-related events fall into predefined categories. If the event 

belongs to one of the categories, it is highly recommended to set the field’s 

value. The field can be left empty, or it can have a user-defined category if 

the predefined values are not matched. 

Example 

“System Access” SAPI_CATEGORY_SYSACC for any logon or logoff 

operation 

“Account Management” SAPI_CATEGORY_ACCOUNT for user 

account definition 

SAPI_SUBCAT_FLD “Subcat” 

Enables subdivision of events within a category. You can fill this field by 

using either a pre-defined value or any other string value. 

SAPI_SEVERITY_FLD “Severity” 

The logical severity of the event set by eTrust Audit policies (not by 

application severity). 

Values for Severity are strictly predefined. 

“0” SAPI_SEVERITY_INFO 

“1” SAPI_SEVERITY_WARNING 

“2” SAPI_SEVERITY_CRITICAL 

“3” SAPI_SEVERITY_FATAL 

SAPI_OPERATION_FLD “Oper” 

The operation performed on an object. Values are chosen from a list of 

predefined values. In cases where the predefined values are not suitable, 

native auditing values may be used. 

Example 

“Write” SAPI_OPER_WRITE—edited a file or registry key 

“Start” SAPI_OPER_START—started a service 



SAPI_OBJCLASS_FLD “ObjClass” 

The class of the object of the operation. Values are chosen from a list of 

predefined values. In cases where the predefined values are not suitable, 

native auditing values may be used. 

Example 

“FILE,” “REGKEY” 

SAPI_OBJNAME_FLD “ObjName” 

The name of the object on which the operation is performed. 

Example 

“C:\WINNT\system.ini”—a file name 

“notepad.exe”—a process name 

SAPI_OBJCLASS2_FLD “SecObjClass” 

The class of the second object that participated in the event (if it exists). 

Example 

“Group”—in case of joining a user to a group 

SAPI_OBJNAME2_FLD “SecObjName” 

The name of the second object that participated in the event (if it exists). 

Example 

“Administrators”—as the name of the group a user was added to 

SAPI_NATIVEOID_FLD “OID” 

The native object ID (handle) from auditing or operating system. 

Example 

Windows NT—“24” 

SAPI_PID_FLD “PID” 

The Process ID of the process that performed the operation, if available. 

Example 

WINDOWS NT—“2309196368” 

SAPI_NATIVEID_FLD “NID” 

The native ID of the event, in native auditing environments that enumerate 

events. 

Example 

Windows NT—“562” for closed handle event, “592” for process creation. 



SAPI_INFO_FLD “Info” 

The free-text event information. 

Example 

Windows NT—A process has exited. 

Process ID: 215487040 

User Name: user_john 

Domain: 

Logon ID: 

My_Domain 

(0x0,0x3ED6) 

UNIX—printer/tcp: “Print services stopped” 

Mapping Events to Predefined Categories 

For each security event category, records can be built from a certain set of SAPI 

fields, in addition to the mandatory identifying fields. 

Predefined security-related categories are: 

■ 

■ 

■ 

■ 

■ 

■ 

■ 

■ 

System Access 


Object Access 

Policy Management 

Security Systems 

Network 

Detailed Tracking 

Physical Security 

Other events (generally, start and stop notifications for applications) fall into the 

one of the following categories: 

■ 

■ 

■ 

System \ Application 

Administration 

General 



System Access 

System access events include logon, logoff, and change of user identity 

(impersonation). 


“System Access” SAPI_CATEGORY_SYSACC 

SAPI_SOURCE_FLD “Src” 

The software component that generated the message. 

Example 

Windows NT—“Security” 

UNIX—“login,” “telnetd,” in.telnetd,” rshd,” “in.rshd,” “Xsession” 

(XDMCP), “ftpd,” “in.ftpd,” “rlogind,” “in.rlogind,” “fingerd,” ffingerd” 


”Logon” SAPI_OPER_LOGON 

”Logoff” SAPI_OPER_LOGOFF 


The name of the logged-on user. 

SAPI_SURROGATEUSER NAME_FLD “SurrogateUser” 

The name of the new user when logging on from another user. For example, 

the UNIX command su root generates a SurrogateUser value of “root.” 


May contain reason for failed logon. 

SAPI_LOGONTYPE_FLD “LogonType” 

For logon operations, the type of logon. Values for LogonType are strictly 

predefined. 

Example 

“Interactive” SAPI_LOGONTYPE_INTERACTIVE—local user logon 

“Server” SAPI_LOGONTYPE_SERVER—logon to server, domain or 

shared drive 

SAPI_TERMINAL_FLD “Term” 

The terminal name or ID from which the operation is initiated. 

Example 

“pts/7” 

SAPI_REMOTEHOST_FLD “RemHost” 

The name or address of the remote host for operations that are performed 

remotely (name should follow Location field format). 




Account management events include the creation, changing, and deletion of 

users, groups, profiles and roles, as well as the granting of permissions. 

For security purposes, special care should be taken to audit the addition of users 

to the administrators group, and the addition of significant authorizations. 

The management of permissions on the system level is mapped to “Account 

Management,” and the management of auditing is mapped to “Policy 

Management.” For individual objects, both permissions and auditing setups are 

mapped to “Object Access.” 


“Account Management” SAPI_CATEGORY_ACCOUNT 


“Permission” SAPI_SUBCAT_PERMISSION 

“Audit” SAPI_SUBCAT_AUDIT 

“Password” SAPI_SUBCAT_PASSWORD 


Some possible values are predefined. 

For example: 

“Create” SAPI_OPER_CREATE 

“Delete” SAPI_OPER_DELETE 

“ChangeProperty” SAPI_OPER_CHANGEPROPERTY 

“Lock” SAPI_OPER_LOCK 

“Unlock SAPI_OPER_UNLOCK 


“USER” SAPI_OBJCLASS_USER 

“GROUP” SAPI_OBJCLASS_GROUP 


The nName of user or group. 

SAPI_OBJCLASS2_FLD “SecObjClass” 

The class of the secondary object. 

Example 

When adding a user to a group, “USER” is the primary object and 

“GROUP” is the secondary object. 

When changing permissions, the secondary object is “PRIVILEGE” 

SAPI_OBJCLASS_PRIVILEGE. 

SAPI_OBJNAME2_FLD “SecObjName” 

The name of the secondary object. 


The free-text description of the operation. 



Object Access 

Object access events include any access to resources such as files and the registry. 

Usually these accesses are audited only for critical objects. 

For individual objects, both permissions and auditing setups are mapped to 

“Object Access.” The management of permissions on the system level is mapped 

to “Account Management.” 


“Object Access” SAPI_CATEGORY_OBJACC 


“Password” SAPI_SUBCAT_PASSWORD 

“Usage” SAPI_SUBCAT_USAGE 


“Activation” SAPI_SUBCAT_ACTIVATION 



The name of the object on which the operation is performed. In cases where 

the predefined values are not suitable, native auditing values may be used. 

Example 

“REGKEY” — for registry key 

“FILE” – for file or folder 


The name of the accessed object. 


For example: 

“Execute” SAPI_OPER_EXECUTE“Start” SAPI_OPER_START_RL 

“Stop” SAPI_OPER_STOP 

“Kill” SAPI_OPER_KILL 



“ChangeProperty” SAPI_OPER_CHANGEPROPERTY 

“Rename” SAPI_OPER_RENAME 

“TakeOwnership” SAPI_OPER_TAKEOWNERSHIP 

“ChangePermission” SAPI_OPER_CHANGEPERMISSION 


“Unlock” SAPI_OPER_UNLOCK 

“Open” SAPI_OPER_OPEN 

“Read” SAPI_OPER_READ_RL 



“Write” SAPI_OPER_WRITE 

“Edit” SAPI_OPER_EDIT 

SAPI_NATIVEOID_FLD (optional) 

The object ID used by the native environment. 

SAPI_PID_FLD (optional) 

The ID of the process that accesses the object. 

SAPI_COMMAND_FLD “Command” (optional) 

The original command that caused the event (in case of a command line 

interface usage). 

Example 

eTrust Access Control Definition of new resource “new user(john)” 



Policy Management 

Policy management events include changes in audit policy, changes in password 

policy, and other events on the system level. This category usually includes very 

few events. 

For individual objects, permissions and auditing setups are mapped to “Object 

Access.” 


“Policy Management” SAPI_CATEGORY_POLICY 



“Activation” SAPI_SUBCAT_ACTIVATION 



For example: 




“POLICY” SAPI_OBJCLASS_POLICY 

Orace—map “Audit_Option” to this field 


The object name. 





Security Systems 

Security system status events include events related to the change in the status of 

security systems. For example, the stopping and starting of operating systems 

and the clearing of audit logs. 


“Security Systems” 

SAPI_CATEGORY_SECURITYSYS 


For example: 

“Restart” SAPI_OPER_RESTART 

“Startup” SAPI_OPER_STARTUP 

“Shutdown” SAPI_OPER_SHUTDOWN 

“Clear” SAPI_OPER_CLEAR 


For example: 

“Service” (or daemon) SAPI_OBJCLASS_SERVICE 

“Log” SAPI_OBJCLASS_LOG 

“Process” SAPI_OBJCLASS_PROCESS 

“OS” SAPI_OBJCLASS_OS 


The name of started or stopped program. 





Physical Security 

Physical security system events include events related to the change in the status 

of physical security systems, for example, the switching of cameras, opening, 

closing, and locking doors, and so on. 


“Physical Security” 

SAPI_CATEGORY_SECURITYPH 


For example: 

“Restart” SAPI_OPER_RESTART 

“Open” SAPI_OPER_OPEN 


“Unlock” SAPI_OPER_UNLOCK 


The class of the audited objects. 


The name of the audited objects. 



Network 

Network events include: 

■ 

■ 

■ 

Incoming and outgoing communication events from eTrust Access Control 

eTrust Intrusion Detection (former SessionWall) 

Events from other network products to be integrated with eTrust Audit 

Network events should map to identification fields. 


“Network” SAPI_CATEGORY_NETWORK 


“Connect” SAPI_OPER_CONNECT 

”Disconnect” SAPI_OPER_DISCONNECT 


For example: 

“PORT” SAPI_OBJCLASS_PORT PORT 



“HOST" SAPI_OBJCLASS_HOST 

“TERMINAL” SAPI_OBJCLASS_TERMINAL 

“DOMAIN" SAPI_OBJCLASS_DOMAIN 

“PROCESS" SAPI_OBJCLASS_PROCESS 

“PRINTER” API_OBJCLASS_PRINTER_RL 


The object name, name of host, terminal, domain and so on. 



The following additional fields contain network objects. 

SAPI_REMOTEIP_FLD “RemIP” 

The remote IP address. 

SAPI_AFTYPE_FLD “AddressFamily” 

The address family. 

SAPI_NETSERVICENAME_FL “NetServiceName” 

The service or daemon 

Example 

“FTP” 

SAPI_PORT_FLD “Port” 

The local port number 

Example 

“7890” 

SAPI_REMOTEPORT_FLD “RemotePort” 

The remote port number. 

Example 

“8765” 

SAPI_PROTOCOL_FLD “Protocol” 

The protocol. 

Example 

“TCP,” “UDP” 

SAPI_URL_FLD “URL” 

URL 

Example 

“www.ca.com” 



SAPI_DIRECTION_FLD “Direction” 

The event direction: inbound or outbound. 

Example 

“IN” 

“OUT” 

SAPI_EVENT_COUNT_FLD “EventCount” 

The count of events, if the event is aggregated. 

SAPI_SENDER_HOSTNAME_FLD “SenderHostName” 

Host sending the message. 

SAPI_SENDER_IP_FLD “SenderIP” 

IP of host sending the message. 

SAPI_SENDER_PORT_FLD “SenderPort” 

Port number of the message sender. 

Example 

“9876” 

SAPI_RECEIVER_HOSTNAME_FLD “ReceiverHostName” 

Host receiving the message. 

SAPI_RECEIVER_IP_FLD “ReceiverIP” 

IP of host receiving the message. 

SAPI_RECEIVER_PORT_FLD “ReceiverPort” 

Port number of the message receiver. 

Example 

“8765” 

Detailed Tracking 

Both Windows NT and eTrust Access Control offer detailed tracking—in 

Windows NT, for processes (by PID). In eTrust Access Control, tracking can be 

activated for other fields as well. 


“Detailed Tracking” SAPI_CATEGORY_TRACKING 


For example: 

“Start” SAPI_OPER_START 

“Stop” SAPI_OPER_STOP 


For example: “PROCESS” SAPI_OBJCLASS_PROCESS 

SAPI_PID_FLD “PID” 

The process ID. 




The object name, name of started or stopped program 


The event description. 


The user name. 

SAPI_USERID_FLD “UID” 

The user ID. 

SAPI_SURROGATEUSER NAME_FLD “SurrogateUser” 

The name of new identity of a user who changed his identity via set user etc. 

(available on systems that retain the original identity). 

Example 

UNIX—for set user operation, UserName may be “john” and 

SurrogateUser may be “root” 

SAPI_SURROGATEUSERID _FLD “SurrogateUId” 

The ID of the SurrogateUser, as explained above. 

SAPI_EUSERNAME_FLD “EffectiveUser” 

The effective user name. The effective user is the user whose rights are in 

effect for the described event. 

SAPI_EUSERID_FLD “EffectiveUserId” 

The ID of the effective user, as explained above. 

System/Application, Administration and General Events 

These events include start and stop notifications for applications not directly 

involved in security auditing (that is, not mapped to another category). Fields 

will be application-specific. Identification fields are mandatory. 


“System and Application” SAPI_CATEGORY_STATUS 

“Administration” SAPI_CATEGORY_ADMIN 

“General” SAPI_CATEGORY_GENERAL 




Reserved Keywords 

Fields Internal to eTrust Audit 

Internal fields may be filled for each event by eTrust Audit. These fields may be 

present in each record, but need not be filled by third-party submitters. 

SAPI_ROUTINGINFO_FLD “RoutInfo” 

For debug purposes only—a concatenation of the names of all the routers 

that have handled the event. 

SAPI_RULENAME_FLD “Rule” 

For debug purposes only—name of the eTrust Audit policy that originated 

the event. 


The following words may not be used as field names, since they have specific 

meanings in the filter language. 

ADD 

AM 

AT 

CASE 

CI 

CS 

DATE_YACC 

DAY 

DECR 

DECREMENT 

DEFINE 

DELETE 

DELETE_YACC 

DIFFERENT 

DY 

EQUAL 

EXISTS 

FATAL_ERROR 

GREATER 

INCR 

INCREMENT 

INSENSITIVE 

INTEGER 

LESS 

MATCHES 

MONTH 

NAME 

NEWEVENT 

NOT 

NUMBER 

OF 

OR 

PART 

PM 

REL_OP 

SCAN_ERROR 

SENSITIVE 

SET 

STRING 

STRING_CONST 



SUB 

SUBTRACT 

THAN 

TIME 

TIMESTAMP 

TO 

VARIABLE 

YR 

The names of months (JAN, FEB, MAR, APR, MAY, JUN, JUL, AUG, SEP, OCT, 

NOV, and DEC) are also reserved. 


Chapter 

14 

Recorder for 

Check Point FireWall-1 Reference 

The eTrust Audit Recorder for Check Point FireWall-1 is a component of the 

eTrust Audit Client. It runs on Windows, Solaris, and Linux systems only. The 

Recorder for Check Point FireWall-1 receives events from Check Point FireWall-1 

using the Check Point OPSEC (Open Platform for Security) application 

programming interface (API) protocol, and sends the events to the eTrust Audit 

Router using the SAPI protocol. 

Information Flow 

The Recorder for Check Point FireWall-1 for Windows or Solaris can be installed 

on the same host where the Check Point FireWall-1 server runs, or on another 

host. To receive data from Check Point FireWall-1 servers, the Recorder for 

Check Point FireWall-1 connects to the Check Point LEA server using the OPSEC 

protocol. After message parsing, the Recorder for Check Point FireWall-1 sends 

the messages to the Audit Router using the SAPI protocol. The information flow 

from here onward is like the one in the eTrust Audit Client. 

Recorder for 

Check Point FireWall-1 Reference 14–1

Information Flow 

The following diagram shows the basic information flow between the Recorder 

for Check Point FireWall-1 and the various components of eTrust Audit: 

The eTrust Audit Viewer has specific SQL queries for Check Point FireWall-1 

provided as ASCII files. 


Preinstallation Considerations 

Preinstallation Considerations 

You should take into consideration the following: 

■ 

■ 

The Recorder for Check Point FireWall-1 supports Check Point FireWall-1 

version 4.1.2. 

The Recorder for Check Point FireWall-1 values that have no direct matching 

to database or Security Monitor fields are concatenated in the message text 

field as details. The maximum size of the information field is 512 bytes. 

Configuring the Check Point FireWall-1 Servers 

You need to configure the Check Point FireWall-1 server or servers that you want 

to audit. For information about configuration, see Technical Information later in 

this chapter. 

Information You Need to Collect 

Before you install the Recorder for Check Point FireWall-1, we recommend you 

collect useful information about the Check Point FireWall-1 server or servers you 

want to audit. The following topics will help you get organized. 

Server Details 

Have the following information for each Check Point FireWall-1 server you want 

to audit: 

■ 

■ 

■ 

Logical name 

Host name or IP address 

OPSEC port number 

Tip: Look for the OPSEC port number in the fwopsec.conf file, which is 

located in the installation path under FW1\conf. 

Recorder for 


Installing the Recorder for Check Point FireWall-1 

Connection Types 

Choose the OPSEC connection type to use between the Recorder for Check Point 

FireWall-1 and each of the Check Point FireWall-1 servers. Define for each server 

you want to audit the connection type you will assign it during installation. For 

information about connection types, see Technical Information later in this 

chapter. 

Log Types 

Choose the log types for the Check Point FireWall-1 servers you want to audit: 

secure to audit system-related events, and account to audit user-related events. 

You can choose one type, both, or none. If you choose none, that server will not 

audit events. 


For information on installing the Recorder for Check Point Firewall-1, see the 

“Performing a Custom Installation of the Client Components” appendix in 

Getting Started. 

Installing in a Solaris Environment 

The installation process detects the eTrust Audit components installed on the 

host where it is running, and presents options accordingly. During installation, 

you can perform one of these actions on each host: 

■ 

■ 

To install the Recorder for Check Point FireWall-1 when the eTrust Audit 

Client is found on the host (residing alone or with the eTrust Audit Data 

Tools) 

To upgrade the eTrust Audit Data Tools when the eTrust Audit Client is not 

found on the host. 

Note: You can install the Recorder for Check Point FireWall-1 only on a host 

where the eTrust Audit Client 1.5 is installed. You must have root authority to 

invoke the installation script. 




This section describes the installation process for a host with an eTrust Audit 

Client. 

1. From the installation directory, run the following script: 

.\install_eAuditFW1Rec 

When only the eTrust Audit Client resides on the host, or both the eTrust 

Audit Client and the eTrust Audit Data Tools, you are prompted to upgrade: 

Looking for previous installations of eTrust Audit … 

Found eTrust Audit Client. 

Do you want to upgrade it? [y/n] 

or: 

Looking for previous installations of eTrust Audit … 

Found both eTrust Audit Client and eTrust Audit Data Tools. 

Select the components you want to upgrade: 

1 - Data Tools 

2 - Client and Data Tools 

: 

2. Choose the upgrade you need for the host. After several messages about 

calculations and configuration, you are prompted to enter information about 

the servers: 

Enter the Check Point FireWall-1 servers information one by one, terminating 

with CTRL-D or your EOF. 

Server logical name: 

Host name or IP address: 

Connection port: 

Select OPSEC connection type: 

1 - Clear connection 

2 - Authenticated and encrypted connection using SSL 

3 - Authenticated connection using SSL 

4 - Authenticated connection (Check Point proprietary) 

: 

Secure log [y/n]: 

Account log [y/n]: 

Server logical name: 

3. Enter the information for the first server. You are immediately prompted to 

enter information for another server. If you need to configure additional 

servers, continue entering information. Otherwise, press Enter to exit the 

prompt and to continue with the installation process. Several messages 

appear on screen informing about the status of the installation process. You 

are prompted with the following message: 

Would you like to start the eTrust Audit Recorder for Check Point Firewall-1 

daemons right now? [y/n]: (y) 

4. Choose whether to start the program. You are now prompted: 

Do you want to view the eTrust Audit Recorder for Check Point FireWall-1 

Readme.txt file? [y/n]: (y) 

Recorder for 



5. Choose whether to view the readme file. You are prompted as follows: 

Do you want to copy the PDF guide to the installation directory? [y/n] (y) 

6. Choose whether to copy the PDF file. 

A message informs you that the installation is completed. 

Tip: If you need to configure additional servers after the installation, you can 

either edit the eaudit.ini file, which is updated during the installation, or edit 

the Registry. 

Upgrading the Data Tools 

This section describes the upgrade procedure for a host without an eTrust Audit 

Client. 

When the installation process finds only the eTrust Audit Data Tools on the host, 

you can upgrade them so that the Audit Collector receives Check Point FireWall- 

1 events. 

1. From the installation directory, run the following script: 

.\install_eAuditFW1Rec 

You are prompted to upgrade the eTrust Audit Data Tools as follows: 

Found eTrust Audit Data Tools. 

Do you want to upgrade them? [y/n] 

2. Choose whether to upgrade. If you choose yes, you are prompted: 

Do you want to view the eTrust Audit Recorder for Check Point FireWall-1 

Readme.txt file? [y/n]: (y) 

3. Choose whether to display the readme file. You are now prompted: 

Do you want to copy the PDF guide to the installation directory? [y/n] (y) 

4. Choose whether to copy the PDF file. 

A message informs you that the upgrade is completed. 


Configuration Values 


After installation, the configuration values of the Recorder for Check Point 

FireWall-1 are kept in the registry on Windows , or in a configuration file on a 

Solaris environment. Check Point FW-1 is the name of the new Registry key or 

the new configuration file section. 

Registry Keys and .ini File 

In a Windows environment, the Registry keys are located under: 


In a Solaris environment, the configuration file eaudit.ini is located in the 

directory: 

/usr/eaudit/ini 

Windows Registry Entries 

The following list shows the specific configuration parameters of the Recorder 

for Check Point FireWall-1. The words in italic indicate data entered during 

installation: 

The registry keys are found under the following key for eTrust Audit: 

HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\ 

Client\Recorders\Check Point FW-1 

The new key for the Recorder for Check Point FireWall-1 

Data Type 

Key 

Default Value 

N/A 

Client\Recorders\Check Point FW-1\ DatFilePath 

The Recorder for Check Point FireWall-1 uses this file internally. This 

location must not be changed. 

Data Type 

String 

Default Value 

dat\recorders\fw.dat 

Recorder for 



Client\Recorders\Check Point FW-1\ MPFile 

The name of the mapping file used for parsing received messages. 

Data Type 

String 

Default Value 

cfg\fw.mp 

Client\Recorders\Check Point FW-1\ SendInterval 

The time, in seconds, that the service sleeps after MaxSeqNoSleep records. 

Data Type 

DWORD 

Default Value 

10 

Client\Recorders\Check Point FW-1\ MaxSeqNoSleep 

The maximum number of records sent before sleeping. 

Data Type 

DWORD 

Default Value 

50 

Client\Recorders\Check Point FW-1\ LEA Servers 

New subkey 

Data Type 

Key 

Default Value 

N/A 

Client\Recorders\Check Point FW-1\ LEA Servers\ServerName 

It must be a unique name. 

Data Type 

Key 

Default Value 

N/A 

Client\Recorders\Check Point FW-1\ LEA Servers\ServerName\Active 

Whether the server is active. 

Data Type 

DWORD 

Default Value 

1 as follows: 

0=server inactive 

1=server active 



Client\Recorders\Check Point FW-1\ LEA Servers\ServerName\Host 

The server host name can be a logical name or an IP address. 

Data Type 

String 

Default Value 

N/A 

Client\Recorders\Check Point FW-1\ LEA Servers\ServerName\Port 

The OPSEC port number of the server. 

Data Type 

String 

Default Value 

N/A 

Client\Recorders\Check Point FW-1\ LEA Servers\ServerName\AuthType 

Empty means clear connection. For a description of connection types, see 

Technical Information later in this chapter. 

Data Type 

String 

Default Value 

Empty 

Client\Recorders\Check Point FW-1\ LEA 

Servers\ServerName\Logs\Secure 

Whether secure log events is activated. 

Data Type 

DWORD 

Default Value 

0 as follows: 

0=deactivate secure log events 

1=activate secure log events 

Client\Recorders\Check Point FW-1\ LEA Servers\ServerName\Account 

Whether deactivate account log events is activated. 

Data Type 

DWORD 

Default Value 

0 as follows: 

0=deactivate account log events 

1=activate account log events 

Recorder for 



Client\Recorders\Check Point FW-1\ LEA Servers\ServerName\Logs\logn 

The Recorder receives records from this list of log files. 

Data Type 

String 

Default Value 

N/A 

Client\Recorders\Check Point FW-1\ LEA Servers\ServerName\LoadType 

Whether read according to offset is activated. 

Data Type 

DWORD 

Default Value 

0 as follows: 

0=read according to offset 

1=read from the beginning ignoring offset 

Solaris eAudit.ini File Values 

The following list shows the specific configuration parameters of the Recorder 

for Check Point FireWall-1. The words in italics indicate data entered during 

installation: 

These values are found in the following section of the ini file: 

Client 

Recorders 

Check Point FW-1 

DatFilePath 

The Recorder for Check Point FireWall-1 uses this file internally. This 

location must not be changed. 

Default Value 

dat\recorders\fw.dat 

MPFile 

The name of the mapping file used for parsing received messages. 

Default Value 

cfg\fw.mp 

SendInterval 

The time, in seconds, that the service sleeps after MaxSeqNoSleep records. 

Default Value 

10 



MaxSeqNoSleep 

The maximum number of records sent before sleeping. 

Default Value 

50 

LEA Servers 

New subsection 

Default Value 

N/A 

LEA Servers ServerName 

It must be a unique name. 

Default Value 

N/A 

LEA Servers ServerName Active 

Whether the server is active. 

Default Value 

1 as follows: 

0=server inactive 

1=server active 

LEA Servers ServerName Host 

The server host name can be a logical name or an IP address. 

Default Value 

N/A 

LEA Servers ServerName Port 

The OPSEC port number of the server. 

Default Value 

N/A 

LEA Servers ServerName AuthType 

Empty means clear connection. For a description of connection types, see 

Technical Information later in this chapter. 

Default Value 

Empty 

LEA Servers ServerName Logs Secure 

Whether secure log events is activated. 

Default Value 

0 as follows: 

0=deactivate secure log events 

1=activate secure log events 

Recorder for 



LEA Servers ServerName Account 

Whether deactivate account log events is activated. 

Default Value 

0 as follows: 

0=deactivate account log events 

1=activate account log events 

LEA Servers ServerName Logs logn 

The Recorder receives records from this list of log files. 

Default Value 

N/A 

LEA Servers ServerName LoadType 

Whether read according to offset is activated. 

Default Value 

0 as follows: 

0=read according to offset 

1=read from the beginning ignoring offset 


Technical Information 


To help you configure your system, this appendix provides basic technical 

information about various Check Point FireWall-1 configuration settings, as 

follows: 

■ 

■ 

OPSEC connection types 

Configuring Check Point FireWall-1 servers 

For detailed information about these topics, see the Check Point documentation. 

OPSEC Connection Types 

The following information will help you choose the most suitable OPSEC 

connection type between the Recorder for Check Point FireWall-1 and the Check 

Point FireWall-1 servers you want to audit. 

The OPSEC application can make one of the following types of connections: 

Authenticated and encrypted connection using SSL (Secure Socket Layer) 

The data transferred is encrypted using a 3DES key. An authenticated and 

encrypted connection is the most secure. This type of connection is 

supported by Check Point VPN-1/FireWall-1 starting from version 4.1. 

Authenticated connection using SSL 

When data encryption is not required, this is the recommended method for 

authenticating the host running the OPSEC application before the Check 

Point FireWall-1 servers. This type of authentication is supported by Check 

Point VPN-1/FireWall-1 starting from version 4.1 SP2. 

Authenticated connection (Check Point proprietary) 

This type of authentication is done at the transport layer using Check Point’s 

proprietary authentication algorithm. Use this method for backward 

compatibility with Check Point VPN-1/FireWall-1 version 4.1 SP1 and 

earlier. 

Clear connection 

The data transference is made without restrictions. 

Recorder for 



Configuring Check Point FireWall-1 Servers 

Any machine in your system that works with Check Point FireWall-1 version 

4.1.2 needs to be configured to establish an authenticated connection. This 

section explains how to establish an authentication connection between an eTrust 

Audit Client host where the Recorder for Check Point FireWall-1 runs, and a 

Check Point FireWall-1 version 4.1.2 server. 

The following scenario illustrates how an authenticated connection is established 

between two machines: comp1 and comp2. The machine comp1 runs the Check 

Point FireWall-1 server, and the machine comp2 runs the Recorder for Check 

Point FireWall-1. 

Important! You need to run the executable opsec_putkey, which is part of the 

OPSEC SDK. 

To configure comp1 and comp2: 

1. On comp1, enter one of the following commands on the command line, 

depending on the connection type desired: 

■ 

For an SSL based connection (authenticated or authenticated and 

encrypted), enter: 

■ 

fw putkey -opsec -ssl comp2 

For a backward compatible authenticated connection, enter: 

fw putkey -opsec comp2 

2. Enter the authentication key at the prompt. The authentication key must be 

at least six characters long. 

3. On comp2 enter one of the following commands in the command line, 

depending on the connection type desired: 

■ 

■ 

For an SSL based connection (authenticated or authenticated and 

encrypted), enter: 

opsec_putkey –ssl –port fw comp1 

For a backward compatible authenticated connection, enter: 

opsec_putkey –port fw comp1 

4. Enter the authentication key you entered in step 2. 

Note: If the Recorder for Check Point FireWall-1 will be communicating with 

several Check Point FireWall-1 servers, follow the previous procedure for each 

pair of client and server machines, for example, comp2 and comp3, comp2 and 

comp4, and so on. 


Chapter 

15 

Using the eTSAPISend Program 

eTSAPISend.exe is a program that lets you send messages and events to an 

eTrust Audit router. This executable does not depend on eTrust Common 

Services, so you can run it even if eTrust Common Services is not installed. 

eTSAPISend.exe 

The topics that follow describe eTSAPISend. 

Syntax 

Enter the command as follows: 

eTSAPISend options 

You specify the message fields as command line options. The fields can be 

predefined or user-defined. 

Note: On Solaris platforms, add /usr/ucblib to the LD_LIBRARY_PATH 

variable. 

Options 

For predefined fields, you can specify the field values by using the command line 

options as described in the following list: 

-cat 

The event category. Enclose the category in double quotes. 

-dat 

The date and time whose value is either MM/DD/YYYY or MM/DD/YYYY 

HH:MM:SS. Enclose the date value in double quotes. If you do not specify 

this optional parameter, the local system time is automatically applied to the 

message or event. 

-evt 

The event type, which should be empty unless it is an Alert type. 

Using the eTSAPISend Program 15–1

Example 

-inf 

Detailed information in the message. Enclose the details in double quotes. 

-loc 

The location (\\Domain\Computer) where the event originated. Enclose the 

location name in double quotes. 

-nam 

The logical log name. 

-nid 

The native ID (Event ID). This is a number. 

-nod 

The target eTrust Audit router. If you do not specify this option, the message 

or event is sent to the eTrust Audit router on the local host. 

-opr 

The operation that was performed. 

-src 

The submitter, such as the OS, process name, or application that issued the 

event. 

-sta 

The event status. 

-usr 

The user name associated with the event or message. 

User-defined Options 

For each user-defined field, add the field name followed by the field value as 

command line arguments. You can include any number of predefined and userdefined 

fields in a message or event. 

Example 

Consider the following sample command: 

eTSAPISend -nod systema -cat "System Access" -opr Logon -sta F 

-nam NT-Security -loc "\\MYDOMAIN\SYSTEMA" -usr SYSTEM -evt 70 -src Security 

-nid 529 -inf "Logon Failure" -dat "08/06/2002 16:00:30" User-defined SomeValue 

This command does the following: 

■ 

■ 

■ 

Sends the message to the eTrust Audit router on systema. 

The category of the message is System Access. 

The operation performed is a Logon. 


Sample Batch File 

■ 

■ 

■ 

■ 

The status of the message is F, for failed. 

The logical name of the log file from which the message was sent is NT- 

Security. 

The location of the source where the message originated is SYSTEMA 

machine on the MYDOMAIN domain. 

The user is SYSTEM. 

■ The event type is 70. 

■ 

The submitter of the event is Security. 

■ The event id is 529. 

■ 

The text of the message is Logon Failure. 

■ The date on which the event occurred is 08/06/2002 at 16:00:30. 

■ 

There is a user-defined value of SomeValue. 

Sample Batch File 

The following is an example of how to issue eTSAISend in batch: 

REM Failed Logon 

eTSAPISend -nod systemb -cat "System Access" -opr Logon -sta F -nam NT-Security - 

loc "\\mydomain\systema" -usr SYSTEM -evt 70 -src Security -nid 529 User-defined1 

SomeValue1 -inf "Logon Failure" User-defined2 SomeValue2 

eTSAPISend -nod systemb -cat "System Access" -opr Logon -sta F -nam NT-Security - 

loc "\\mydomain\systema" -usr SYSTEM -evt 70 -src Security -nid 529 -inf "Logon 

Failure" -dat "08/06/2002 16:00:30" User-defined SomeValue 

REM User Account Changed 

eTSAPISend -nod systemb -cat "Account Management" -sta S -nam NT-Security -nid 

642 -inf "User Account Changed" -loc "\\mydomain\systema" -usr SYSTEM -src 

Security 

REM Critical File Access Failure 

eTSAPISend -nod systemb -nam NT-Security -cat "Object Access" -nid 560 -inf 

"Object Type: File" -sta F -loc "\\mydomain\systema" -usr SYSTEM -src Security 

Using the eTSAPISend Program 15–3

Chapter 

16 

Inserting eTrust Access Control 

Records in Bulk to a Collector 

Database Using acloader 

If you have been using eTrust Access Control for awhile and now want to insert 

all the records from the eTrust Access Control logs into your eTrust Audit 

Collector database, you can use the acloader utility. This chapter provides steps 

on how to use acloader, describes the command syntax, and lists some sample 

commands. 

Insert Records into an Oracle Database 

Use the following steps to insert eTrust Access Control records in bulk into an 

eTrust Audit Collector database running on Oracle: 

1. Stop the eTrust Access Control daemons in UNIX or services in Windows. 

2. Rename current logroute.dat and selogrd.cfg files so that you can recover 

from any possible errors. 

3. Create a new selogrd.cfg file, and add the following lines: 

rule insertion 

host localhost 

where localhost is the name of remote host on which utility acloader is 

supposed to run. 

4. To ensure the best performance of selogrd, decrease the parameter interval in 

section [selogrd] of the file /usr/seos/seos.ini. 

5. Stop the eTrust Audit Router, aclogrd on the host where you will run 

acloader. 

Tip: Before you run acloader, you should remove the indexes from the 

SEOSDATA table as this significantly improves performance. Oracle 

commands to remove the indexes and recreate them are provided after this 

procedure. 

Inserting eTrust Access Control Records in Bulk to a Collector Database Using acloader 16–1

Remove the Indexes from SEOSDATA 

6. Run acloader. The following commands are samples: 

■ 

UNIX 

■ 

./acloader -user test_audit -pwd test_audit -oh /oracle/Oracle8 -tt 

audit-ora-service -nrec 80 -plib /usr/lib/ -tm 100 -psem 

/opt/seos/dat/log/seos.msg 

Windows 

acloader -dsm auditdb -user test_audit -pwd test_audit -plib "d:\Program 

Files\eTrust Audit\bin\" -nrec 100 -psem "d:\Program Files\eTrust 

Audit\etc\seos.msg" -host mymachine 

7. After you receive the prompt, "acloader is ready to receive records...", run the 

eTrust Access Control Redirector, selogrd. 

8. After the insertion completes, stop selogrd. 

9. Press Ctrl+C to stop acloader. 

Note: When acloader is stopped it inserts all records stored in its buffer, but 

not written yet to the target database. 

10. Renamed the files logrout.dat and selogrd.cfg, if necessary. 

11. Restart the eTrust Access Control and eTrust Audit daemons or services. 

Remove the Indexes from SEOSDATA 

To remove the indexes, start sqlplus and issue the following commands: 

drop index IX_TIMESTAMP; 

drop index IX_USERNAME; 

drop index IX_COMPUTERNAME; 

drop index IX_EVENTID; 

Recreate the Indexes in SEOSDATA 

To recreate the indexes, start sqlplus and issue the following commands: 

create index IX_TIMESTAMP ON SEOSDATA(TIMSTAMP DESC); 

create index IX_USERNAME ON SEOSDATA(USERNAME ASC); 

create index IX_COMPUTERNAME ON SEOSDATA(COMPUTERNAME ASC); 

create index IX_EVENTID ON SEOSDATA(EVENTID ASC); 


The acloader Utility 


The acloader utility lets you perform a bulk insert of records sent by the eTrust 

Audit Redirector (eAC Redirector) into the eTrust Audit Collector database table 

named SEOSDATA of an Oracle database in UNIX and Oracle or MS-SQL Server 

databases in Windows. 

acloader stores a predefined number of records in a buffer before it executes an 

INSERT statement. Every time this buffer fills with this number of records, 

acloader writes the contents to the database. You specify the number of records 

to stored using the -nrec option. The default is set to 50 records, and the 

maximum number of records you can specify is 100. 

Since acloader registers itself in portmap as the eTrust Audit Router (aclogrd), 

the appropriate token “host” should be placed in the rule at the sender side. 

Therefore you must stop the aclogrd service before you start acloader. You 

specify all the information acloader needs to run, including the user ID and 

password required to establish connection to the database using command line 

options. 

Requirements 

The following requirements must be met to use acloader: 

■ 

■ 

■ 

■ 

■ 

■ 

eTrust Access Control version 5.0 SP2 or higher must be installed on the 

machine. 

Table SEOSDATA for of eTrust Audit database (Oracle for UNIX and Oracle 

or SQL Server in Windows) must be created. 

In Windows, create System DSN for given database using ODBC Data 

Source Administrator. 

In Windows ODBC 3.0 use the “Oracle ODBC Driver” instead the “Microsoft 

ODBC for Oracle” driver. 

In Windows, adcipher.dll must be placed in the ..WinNT\system32 

directory. 

In UNIX in the /usr/lib directory, create a symbolic link in adcipher.so to 

the existing shared library Des.so. 

Syntax 

Enter the command as follows: 

Acloader -user username|-pwd password|-nrec number|-dsn name|-oh path|-osid 

OracleSID|-tt OracleTwoTask|-tm|-plib|-psem|-host|-h 

Note: On UNIX systems, you must log in as root to run acloader. 



Options 

You can specify the command line options described in the following list in any 

order: 

-user username 

Specifies the user ID for Oracle or SQL Server database access authorization. 

-pwd password 

Specifies the password for Oracle or SQL Server database access 

authorization. 

-nrec number 

Specifies the number of records to store in the buffer before insertion. The 

default is 50. The maximum number of records you can specify is 100. 

-dsn name 

Specifies the ODBC data source name. This option is for use on Windows 

systems only. 

-oh path 

Specifies the Oracle home directory. This option is for use on UNIX systems 

only. 

-osid OracleSID 

Specifies the Oracle SID. This option is for use on UNIX systems only. 

Specify either -osid (if the Oracle database is local) or -tt (if the Oracle 

database is remote). 

-tt OracleTwoTask 

Specified the Oracle service name This option is for use on UNIX systems 

only. Specify either -osid (if the Oracle database is local) or -tt (if the Oracle 

database is remote). 

-tm seconds 

Specifies the timeout period to wait for the Oracle server to respond. The 

default is 30 seconds. This option is for use on UNIX systems only. 

-plib path 

Specifies the directory where the eTrust Audit library SCMPcomm is placed. 

On UNIX the default is /usr/eaudit/lib). On Windows it specifies the 

directory where CMPcomm.dll and SUTL.dll are located. The default value 

is the current working directory. 

-psem pathname 

Specifies the path name of the eTrust Access Control messages file, seos.msg. 

On UNIX systems, the default /usr/eaudit/dat/log/seos.msg. On Windows 

systems this file is not defined. If the seos.msg file is not there, you must 

copy seos.msg from eTrust Access Control directory. 


Examples 

-host name 

Specifies the name of host that will be placed in field ComputerName of the 

table SEOSDATA in the database. This field is used when working with 

seos.collect.file. 

-h 

Prints brief help information for this utility 

Examples 

The following topics provide sample commands: 

UNIX 

./acloader -user test_audit -pwd test_audit -oh /oracle/Oracle816 -osid test816 - 

plib /opt/eaudit/lib/ -host mylocalhost 

./acloader -user test_audit -pwd test_audit -oh /oracle/Oracle816 -tt test816-onapollo 

-nrec 40 -tm 20 -plib /usr/lib/ -psem 

/opt/seos/dat/log/seos.msg 

Windows 

acloader -dsm auditdb -user test_audit -pwd test_audit -plib "d:\Program 

Files\eTrust Audit\bin\" -nrec 100 -psem "d:\Program Files\eTrust 

Audit\etc\seos.msg" -host mymachine 


Chapter 

17 

Inserting eTrust Access Control 

Records in Bulk to a Collector 

Database Using selogrd and sqlldr 

If you have been using eTrust Access Control for a while and now want to insert 

all the records from the eTrust Access Control logs into your eTrust Audit 

Collector database, you can use the eTrust Access Control extension, fex, and the 

Oracle sqlldr program. This chapter provides steps on how to use these tools, 

describes the command syntax, and lists some sample commands. 

Requirements 

The following requirements must be met to use the steps described in the topics 

that follow: 

■ 

■ 

■ 

■ 

eTrust Access Control version 5.0 SP2 or higher must be installed on 

machine. 

Prepare the eTrust Audit Oracle DB according to steps described in the Preinstallation 

Tasks topic in the “Installing eTrust Audit Data Tools 

Components on UNIX” appendix in Getting Started. 

Create the SEOSDATA table in the eTrust Audit Collector database in 

Oracle. 

Specify the path for the import file (file.dat) that the Oracle SQL Loader 

(sqlldr) should use in control file, fex.ctl. 

Converting the eTrust Access Control Audit Log to Oracle 

Import File Format 

Follow these steps to convert the eTrust Access Control audit log to the required 

Oracle import format 

1. Stop the eTrust Access Control selogrd daemon using the following 

command: 

kill -TERM pid 

2. Rename current logroute.dat. If you do not know the path value, look in 

/usr/seos/seos.ini in the [selogrd] section in the DataFile token. 

Inserting eTrust Access Control Records in Bulk to a Collector Database Using selogrd and sqlldr 17–1

Converting the eTrust Access Control Audit Log to Oracle Import File Format 

3. Rename current /usr/seos/etc/selogrd.ext . 

4. Create a new /usr/seos/etc/selogrd.ext file and add the following line: 

fex 

path/fex.ext 

where: 

path 

Is the path where shared library was copied from. 

ext 

Is the extension of shared library. 

5. Rename selogrd.cfg. If you do not know the path value look in 

/usr/seos/seos.ini in the [selogrd] section in the RouteFile token 

6. Create a new selogrd.cfg file and add the following lines: 

rule audit 

fex file.dat 

where file.dat is the import data file for Oracle database. 

5. Add the fex section to the seos.ini file as follows: 

In this section you should set the following parameters: 

computer_name 

The name of the computer where the audit log file was created. This 

value will be assigned to the field, ComputerName, in the SEOSDATA 

table if the eTrust Access Control record does not contains host name; 

otherwise it will be ignored. 

field_terminator 

The field delimiter. The default value is a comma (,). 

field_encloser 

The field values’ delimiter. The default value is unprinted character '±' 

(Alt+241 ). It should be a unique value that does not appear in the 

context of the message. 

Note: If you change the default values of tokens field_terminator and 

field_encloser in the [fex] section of /usr/ses/seos.ini, you should make the 

same changes to the corresponding values in control file for Oracle sqlldr 

utility. 

7. To improve the performance of selogrd, decrease the value of the Interval 

parameter in the [selogrd] section of /usr/seos/seos.ini. The default value is 

five seconds. Decreasing this value reduces the amount of time selogrd waits 

between polls. 

8. Run selogrd as follows: 

ssu selogrd 

If the location of your audit log is different than the standard location, 

/usr/seos/log/seos.audit, use the following command: 

ssu selogrd -audit audit_log_file 


Insert the Data into an Oracle Database using the sqlldr Utility 

Insert the Data into an Oracle Database using the sqlldr 

Utility 

Tip: Before you run sqlldr, you should remove the indexes from the 

SEOSDATA table as this significantly improves performance. Oracle 

commands to remove the indexes and recreate them are provided in the 

topic Remove the Indexes from SEOSDATA in the “Inserting eTrust Access 

Control Records in Bulk to a Collector Database Using acloader” appendix. 

Follow these steps to use sqlldr to insert the content of the import data file 

(file.dat): 

■ 

Run the following command: 

sqlldr control=path/fex.ctl log=path/fex.log 

If you have more than one audit log files that you want to import to Oracle 

database, use the steps in one of the following topics: 

■ 

■ 

Create one import log file and insert it 

Create multitple import log files and insert them separately 

Create One Import File and Insert It into the Oracle Database 

Follow these steps to convert some of audit log files into one Oracle import file 

and insert this file into the Oracle database: 

1. Perform steps 1- 7 in the topic entitled, “Converting the eTrust Access 

Control Audit Log to Oracle Import File Format.” 

2. For each audit log that you want to import, repeat the following steps: 

a. Perform step 8 in the topic entitled, “Converting the eTrust Access 


b. Delete logroute.dat. 

c. Change computer_name token in the [fex] section of /usr/seos/seos.ini, 

if needed. 

3. Run sqlldr command. 

4. Check the log file (path/fex.log) for possible errors. 

5. Remove file.dat 

6. Restore (if necessary) the old logrout.dat, selogrd.cfg, selogrd.ext, and 

seos.ini files, and then restart eTrust selogrd. 

Inserting eTrust Access Control Records in Bulk to a Collector Database Using selogrd and sqlldr 17–3

Examples 

Create Multiple Import Log Files and Insert Them Separately into the Oracle 

Database 

Follow these steps to convert each audit log file into Oracle import file and insert 

each audit log file separately into the Oracle database: 

1. Perform steps 1- 7 in the topic entitled, “Converting the eTrust Access 


2. Perform step 8 in the topic entitled, “Converting the eTrust Access Control 

Audit Log to Oracle Import File Format.” 

3. Run sqlldr. 

4. Delete logroute.dat. 

5. Change computer_name token in the [fex] section of /usr/seos/seos.ini, if 

needed. 

6. Check the log file (path/fex.log) for possible errors. 

7. Remove file.dat 

8. Restore (if necessary) the old logrout.dat, selogrd.cfg, selogrd.ext, and 

seos.ini files, and then restart eTrust selogrd. 

Examples 

Examples of the files fex.ctl, selogrd.cfg, selogrd.ext, and seos.ini are included in 

the installation package. The file, fex.ctl, is configured to append records from 

import file, file.dat, for new or existing SEOSDATA table. 


Chapter 

18 

iRecorder Development 

Reference 

eTrust Audit provides a new type of recorder known as an iRecorder. 

Functionally, iRecorders work the same way as traditional eTrust Audit 

recorders discussed earlier in this guide. Internally, iRecorders are developed 

with a new paradigm known as instrumentation technology, based on the 

Computer Associates iTechnology SDK. The following list describes the 

differences between iRecorders and the traditional recorders: 

■ 

Traditional recorders are packaged with eTrust Audit Client. These 

predefined recorders use eTrust Audit SAPI to send events to an eTrust 

Audit Router and Action Manager for further processing as defined by the 

Policy Manager. This architecture leads to some restrictions in the eTrust 

Audit Recorder development and deployment: 

– Since SAPI uses RPC, the recorders cannot be easily deployed across 

firewalls. 

■ 

iRecorders are developed using the iTechnololgy SDK and can be deployed 

in an existing eTrust Audit environment. iRecorders, just like traditional 

recorders, send events to an eTrust Audit Router and Action Manager for 

event processing. An iRecorder package consists of two components: 

– An iRecorder component installed on the device where events are 

generated or on the event repository. The iRecorder receives each event, 

tokenizes the event, and sends an XML string of tokens to an iRouter 

using HTTPS. 

– An iRouter component installed on an existing eTrust Audit Client. The 

iRouter provides a bridge between the iRecorder and the eTrust Audit 

Client. Tokens are converted from XML format to eTrust Audit SAPI 

format and submitted to the eTrust Audit Router. 

The iRecorder architecture provides easy deployment across firewalls and new 

iRecorder development does not require changes to your existing eTrust Audit 

deployment. 

iRecorder Development Reference 18–1

Overview of the iTechnology SDK 

This chapter provides information on how to develop a new iRecorder using the 

iTechnology SDK. Highlights of the information included in this chapter include: 

■ 

■ 

■ 

■ 

■ 


iRecorder design and architecture 

How to create an iRecorder development environment 

How to develop an iRecorder 

iRecorder API Functions 


iTechnology is a framework created by Computer Associates to facilitate rapid 

development of agents, known as iSponsors, to manage various instruments. An 

instrument can be just about anything: applications, databases, network devices, 

hardware devices, and so on. The letter ‘i’ in iTechnology stands for ‘instrument’. 

In addition, iTechnology provides an architecture in which iSponsors can 

efficiently and securely communicate with each other. The communication 

architecture of iTechnology relies on one of its fundamental components, called 

iGateway. 

Using the rich set of APIs provided by the iTechnology SDK, iSponsors can be 

developed to manage and control the instruments and handle specific tasks like: 

■ 

■ 

■ 

Set or change the configuration 

Set or get current status 

Get log events 

For communication with the outside world, an iSponsor uses the iGateway 

service to send and receive XML formatted instructions to and from another 

iSponsor or Web application. Technically, iGateway is a service that can 

dynamically load one or more iSponsor plug-ins. 

To leverage iTechnology and enhance eTrust Audit flexibility in deployment and 

scalability, new eTrust Audit recorders will be built using the iTechnology SDK. 

The new eTrust Audit recorders based on iTechnology are called iRecorders. 


iRecorder Design and Architecture 


The following illustration describes the iRecorder architecture: 

eTrust Audit iRecorder 

eTrust Audit Client 

iGateway 

Https - XML 

iGateway 

iControl 

iSponsor DLL 

iRecorder 

iSponsor DLL 

iControl 

iSponsor DLL 

Device 

Log Events 

Audit SAPI 

Localhost 

Event Plug-in 

EP Audit 

Event Plug-in 

EP iCollector 

iCollector 

Audit Router 


Action Manager 

Audit Collector 


Components of iTechnology 

The components of iTechnology are as follows: 

■ 

■ 

■ 

■ 

iGateway 

iControl 

iRecorder 

iRouter 



The iGateway Component 

iGateway is a service that dynamically loads iSponsors and communicates with 

the other iGateways and iSponsors. The main features and functions of an 

iGateway are as follows: 

■ 

Load iSponsor 

– Locate and read .conf files associated for various iSponsors in its local 

directory. 

– Load the corresponding iSponsor DLLs (such as iControl or iRecorder) at 

iGateway start up or upon request from another iSponsor (local or 

remote). 

■ 

■ 

Provide configuration data found in .conf file to the corresponding iSponsor 

Support Data Communication 

iGateway uses the HTTP/HTTPS protocol on port 5250 to handle all data 

communication as follows: 

– The data format for iGateway communication is based on XML. 

– An iGateway receives XML formatted data from the local iSponsors and 

sends it to the specified iGateway for delivery to the appropriate 

iSponsor. 

– An iGateway receives XML formatted data from a remote iSponsor and 

delivers it to the appropriate local iSponsor. 

Note: Each iGateway can be associated with a digital certificate used by 

iRecorders to sign all outgoing events. In addition, iRecorders include the digital 

certificate with its associated thumbprint for the first outgoing event. For all 

other events, only the thumbprint is included. 



The iControl Component 

iControl is an iSponsor DLL that is automatically loaded by the iGateway and 

supports the following functions: 

■ 

Store and Forward (SAF) for guaranteed delivery of events 

- If the iGateway cannot deliver an event, it is passed onto the iControl 

component for SAF handling. 

- iControl stores the undelivered events in a file. 

- Periodically, iControl extracts events from the event file and attempts to 

deliver them using iGateway. 

- All events that are extracted successfully are marked as “old,” and 

periodically iControl deletes the “old” events. 

■ 

Event validation 

– If it is the first event, save the digital certificate and the associated 

thumbprint 

– For all events, use the thumbprint included in the event to retrieve the 

matching certificate. 

■ 

♦ If the certificate is not found, generate an error. 

– Use the certificate to validate signature of the event. 

♦ If the signatures do not match, generate error. 

Routes events to a remote iControl 

The iControl.conf file contains information related to routing and which Event 

plug-in should be loaded. 

Note: iControl can load multiple Event plug-ins and sends every event to each 

plug-in. 

Event Plug-in (EP) 

The Event plug-in is a DLL used by iControl to handle specialized tasks such as 

converting formats, applying filters, sending events to a database, and so on. 



EPAudit Plug-in 

If the EPAudit plug-in is configured, all events received by iControl are sent to 

the EPAudit plug-in to be delivered to the eTrust Audit Router. The primary 

functions of EPAudit are to: 

■ 

■ 

Convert events from XML format to eTrust Audit SAPI format. 

Submit events to the eTrust Audit Router component running on the 

localhost. 

EPUnicenter Plug-in 

If the EPUnicenter plug-in is configured, all events received by iControl are sent 

to the EPUnicenter to be delivered to the Event Management component of 

Unicenter. The primary functions of the EPUnicenter plug-in are to: 

■ 

■ 

Convert events from XML format to Unicenter EM format. 

Submit events to the Event Management component running on the 

localhost. 

EPDebug Plug-in 

If the EPDebug plug-in is configured, all events received by iControl are sent to 

the EPDebug to be delivered to any Debug Viewer running on the local host. 

iRecorder 

iRecorder is an iSponsor DLL loaded by the iGateway running on the device 

generating log events. Its primary functions are as follows: 

■ 

■ 

■ 

■ 

Extract the log events from the device or from an event log repository using 

an API, ODBC, or file I/O. 

Parse the event fields into tokens and create “Name–Value” pairs for each 

parsed token in XML format. 

Submit XML strings containing the events to a local or remote iRouter. The 

iRouter sends the events to EPAudit plug-in, which in turn submits the 

events to eTrust Audit for further action. 

For the first log event from the device, the iRecorder attaches the iGateway 

certificate as an attribute. 

■ For all log events, iRecorder includes the iGateway certificate thumbprint (a 

unique ID for the certificate) and the signature (hash of the whole event 

signed by the certificate). 


How to Create an iRecorder Development Environment 

iRouter 

iRouter is a collection of following components installed on the eTrust Audit 

Client machine: 

■ 

■ 

■ 

iGateway 

iControl 

EPAudit plug-in 

The iRouter installation package is included with the iRecorder SDK and does 

not require any changes. It should work with the existing and new iRecorders. 

iRouter is responsible for forwarding all events to the eTrust Audit Client using 

the eTrust Audit SAPI. 


An iRecorder development environment is comprised of a development system 

and a test environment as described in the topics that follow. 

Development Environment 

The following are software requirements for each supported operating system: 

AIX 

■ 

■ 

AIX C Compiler 

GNU Make 

Free BSD 

■ GCC included in Free BSD 4.7 

HP-UX 

■ 

■ 

HP-UX C compiler 

GNU Make 

Linux 

■ RH 7.x 

■ GCC included in RH 7.x 



Solaris 

■ Solaris C++ 5.3 

■ 

GNU Make 

Windows 

■ MS VC 7.0 

■ 

Cygwin Make 

Development Machine 

To setup a development machine on Windows platforms, follow these steps: 

1. Install iTechnology SDK on your development machine, for example 

[Default installation path: \Program File\CA\iTeckSDK20 ] 

2. Install Visual Studio .Net 

3. Install Cygwin: 

a. Run \iTechnlogy SDK\Tools\Cygwin\Setup.exe 

b. Select Install from Internet. 

c. Select Root Install Directory. 

d. Select Packages and expand Devel, and then select Make. Leave all other 

selections to default. 

e. Select Next to install the Cygwin components that are needed for 

iRecorder development. 

f. Finally, you need to make a change in \cygwin\cygwin.bat. Add a line 

in this file to provide the Visual Studio install path as highlighted in the 

following sample cygwin.bat file: 

@echo off 

call "C:\Program Files\Microsoft Visual Studio .NET\Vc7\bin\vcvars32.bat" 

C: 

chdir C:\cygwin\bin 

bash --login -i 

4. Create a development directory [iDev] on your local disk. 



5. Run \Program File\CA\iTeckSDK20\Wizard\QuickStart.html to start 

iTechnology Component Factory, and complete the fields as follows: 

Component Name [iRec] 

The name you provide becomes your project name and the iSponsor 

name. 

Component Type C++ eTrust Audit Recorder 

Select C++ eTrust Audit Recorder from the drop down list. 

Recorder Name [LOGNAME] 

eTrust Audit recognizes many recorders and each recorder or class of 

recorders known to eTrust Audit is identified by a unique name. In 

eTrust Audit terminology, this name is called the LOGNAME. For 

example, the LOGNAME for the Recorder for Check Point Firewall-1 is 

Check Point FW-1. 

You can see a complete list of LOGNAMEs known to eTrust Audit in the 

Policy Manager. Click Audit Nodes, and then select from the menu: File, 

AN types. 

Note: It is possible that a LOGNAME is known to eTrust Audit but no 

one has developed a recorder yet. Since you are developing a new 

recorder, look at the list of LOGNAMEs and, if possible, select a 

predefined name. If no matching LOGNAME is available, you can create 

a new. See the Policy Management Guide. 

Source Location: [iDev] 

This is the location where the project source files will be created. 

6. Hit the Create button. The Wizard creates the following files in the [iDev] 

directory: 

iRec.conf 

Configuration file for the iSponsor/iRecorder 

iRec.cpp 

cpp source for the iSponsor 

iRec.h 

Header file for the iSponsor 

iRec_recorder.cpp 

cpp source for the new iRecorder 

iRec_recorder.h 

Header file for the new iRecorder 

GNUmakefile 

Make file for the project 

7. Modify the iRec_recorder.cpp, iRec_recorder.h, and iRec.conf file and build 

iRec.dll. See Step 4: Modify Files, later in this chapter. 

8. Create an install package for the new iRecorder using the iGateway merge 

module (provided in the iRecorder SDK). 



Test Environment 

To create a test environment, follow these steps: 

1. Install eTrust Audit components (Client, Policy Manager, and Data Tools) as 

described in Getting Started. 

2. Install the iRouter component on the host where eTrust Audit Client is 

installed. 

3. Install the iRec_recorder on the host from where the recorder can access the 

log events generated by the device or system. iRecorder installation will: 

■ 

■ 

■ 

Create a new directory \Program Files\CA\iGateway. 

Copy several files and DLLs into the \Program Files\CA\iGateway 

directory. 

Run iGateway service. 

4. If the new iRecorder is not one of the predefined Audit Node types (AN 

types), you must create a new AN Type using the eTrust Audit Policy 

Manager as described in the Policy Management Guide. 

5. Using the appropriate AN type for your new iRecorder, define the new AN, 

rules, and filters as described in the Policy Management Guide. 

6. To test the newly developed iRecorder [iRec]: 

■ 

■ 

■ 

Install and setup the environment necessary for accessing the log events 

from the new iRecorder [iRec]. This can include special API, libraries, 

ODBC, and so on distributed by the manufacturer of the device or 

system. 

Stop and restart the iGateway service after bug fixes. 

If the new iRecorder is bug-free, all log events generated after the start of 

iGateway service should go to the eTrust Audit Client where the iRouter 

component was installed. These events should get routed according to 

the Audit Policy defined in the eTrust Audit Policy Manager. 


How To Develop an iRecorder 


Follow these steps to develop an iRecorder: 

1. Identify information about required fields for eTrust Audit 

2. Establish a method to access log events 

3. Parse log event data into tokens 

4. Modify files 

5. Build the project 

6. Test and debug 

Step 1: Identify Information about Required Fields for eTrust Audit 

Any event sent to eTrust Audit must have the following fields filled in 

appropriately. Some of the fields can be derived from the original event (such as 

Date, Status, Source, Event’s location). Some fields have to be defined up front 

(such as Logname). 

Gather information about the following fields: 

Source 

This is essentially the application that generates the log events you are interested 

in routing to eTrust Audit. This will also give some idea of how you are going to 

capture and process the events. For example, a firewall, VPN, and router type of 

device could send all events to a log file and for each event; your recorder would 

set the source to be Firewall, VPN, or Router depending on the source of the 

event. This is a required field and is mapped into the Source field in eTrust 

Audit. 



Logname 

The Logname of a recorder defines the type or class of the recorder as defined in 

eTrust Audit. To identify an appropriate logname for your new iRecorder, 

review the list of all predefined lognames in Section dddd. 

If you cannot find a logname that matches the device or system for which you 

are writing the iRecorder, you must take the following steps to define a new 

Logname in eTrust Audit: 

1. Define a new AN Type in eTrust Audit Policy Manager. From Audit Nodes 

window, select the File menu and choose AN Types to enter a name for the 

new AN Type. This name is your new logname for the iRecorder. Make sure 

to click the Add button after you enter the New AN Type. 

2. The new logname must also be added to a text file: lognames.txt. This file is 

in the eTrust Audit installation directory for eTrust Audit Client and Data 

Tools. Use a text editor and add the new logname using the following 

format: 

nnnn LOGNAME 

where nnnn is a number. 

Location of Events 

Location identifies the host that issued the events. For example, if you want to 

develop an iRecorder for a firewall, the hostname of the firewall is the location. 

This is also a required field and is mapped into the Location field in eTrust 

Audit. 

Other Required Fields 

Two other fields: Date and Status of events are also required and must be 

mapped to the Date and Status fields in eTrust Audit. Because these fields vary 

from event to event, they must be mapped during event processing. 



Step 2: Establish a Method to Access Log Events 

You must be able to access the log events in your iRecorder. There are essentially 

two ways to do it: 

1. Use an API, provided by the device, system, or application vendor, to get 

events as they are generated. This requires the API documentation, and the 

API software and libraries needed to access the device or system generating 

the events. Through the API, events are delivered to your iRecorder in 

almost real-time with various fields already set to the fields of some data 

structure. Because almost no parsing of an event is needed, your recorder 

code can be pretty simple. 

2. Access the events after they are saved in an event repository (log file, 

database, and so on.) by the device, system, or application. Because the 

events are already in the repository, you need to continuously scan the 

repository for any new events generated. Also, you need to define a parsing 

method to tokenize the fields and map them to eTrust Audit names. 

Note: iRecorder works as a device, which means that it will start processing 

new events that are generated after the recorder service is started. Events that 

were generated while the recorder was not running are lost. iRecorders do not 

process historical events. 

Step 3: Parse Log Event Data into Tokens 

Each log event data received by the iRecorder must be parsed into individual 

tokens. Each token must have two components: Name and Value. Name 

identifies the data and Value determines the content of the field. Use the 

technical documentation of the device, system, or application to create a map of: 

■ 

Required Fields as explained in Step 1: Identify Information about Required 

Fields for eTrust Audit. For example, for the Check Point Firewall iRecorder: 

Required Audit Field Name 

LOCATION 

LOGNAME 

SOURCE 

DATE 

STATUS 

Mapped Field or Value 

hostname.domain.com 

Check Point FW-1 

Firewall/VPN 

Date and time from event in ISO format 

Event dependent: (S)uccess, (F)ailure, 

(D)enied. 

■ 

All other fields as Name–Value pairs. 



Step 4: Modify Files 

You must modify the following files: 

■ 

■ 

■ 

iRec_recorder.cpp 

iRec.conf 

iControl.conf 

iRecorder Source File (iRec_recorder.cpp) 

The following is a sample iRec-recorder.cpp file. It is commented to provide 

additional information: 

// iRec_recorcer.CPP - Implementation of Recorder 

/* This file contains all the functions necessary to process 

* and send records/events to an iRouter. 

*/ 

#include "MyRec_recorder.h" 

#include 

char *remove_none_priority (char *); 

void 

*RecorderMainLoop (void *lgp); 

// CTOR 

// DONT USE - WE NEED TO HAVE ACCESS TO THE ISPONSOR OBJECT 

Recorder::Recorder() 

{ 

ispUtil::Debug(ISP_TRACE, "Recorder::Recorder *not used*\n"); 

} 

Recorder::Recorder(iSponsor *isp) 

{ 

ispUtil::Debug(ISP_TRACE, "Recorder::Recorder\n"); 

/* Get config data that is passed to the iSponsor by the iGateway. 

* It is passed through 

* in a queue of configpairs (sPair - see iTech.h) 

* Note the matching configuration values in the iRec.conf file 

*/ 

ispUtil::Debug(ISP_TRACE, 

"Recorder::Recorder: %d config params found\n", 

isp->m_configpairq.size()); 

for(int i = 0; i < (int) isp->m_configpairq.size(); i++) 

{ 

sPair *sp = isp->m_configpairq[i]; 

if(!sp->name.compare("MyConf1")) 

{ 

myconf1 = sp->value; 


"Recorder::Recorder: set myconf1 to %s\n", myconf1.c_str()); 

} 

if(!sp->name.compare("MyConf2")) 

{ 

myconf2 = sp->value; 




"Recorder::Recorder: set myconf2 to %s\n", myconf2.c_str()); 

} 

} 

/* This is the one and only ispEvent object for this iRecorder. 

* 

* NOTE: if this recorder uses an API to collect data by registering 

* callbacks, either create an event object every time the 

* callback gets called, or use a mutex to protect it. 

*/ 

evt = new ispEvent(isp); 

/* Create mutex to be used in callback or main loop and spawn of 

* the main thread that will do all the work. 

*/ 

ispUtil::MutexCreate(&m_mutex); 

ispUtil::ThreadCreate(RecorderMainLoop, this); 

} 

// DTOR 

Recorder::~Recorder() 

{ 

} 

ispUtil::Debug(ISP_TRACE, "Recorder::~Recorder\n"); 

ispUtil::MutexDestroy(m_mutex); 

if(evt) 

{ 

delete evt; 

evt = NULL; 

} 

// The main thread 

void * 

RecorderMainLoop(void *arg) 

{ 

ispUtil::Debug(ISP_TRACE, "RecorderMainLoop\n"); 

Recorder *lgp = (Recorder *)arg; 

#ifdef USING_API 

/* If the recorder will be using an API to receive events, 

* register with the API and create a main window loop 

* to receive the events. 

*/ 

BOOL bRet; 

while(alive && (bRet = GetMessage( &msg, NULL, 0, 0 )) != 0) 

{ 

if (bRet == -1) 

{ 

// handle the error and possibly exit 

} 

else 

{ 

TranslateMessage(&msg); 

DispatchMessage(&msg); 

} 

} 



#else // USING_API 

/* If reading a log file or connecting via ODBC, 

* open the file or initialize the connection now and 

* periodically process new events as they come in. 

*/ 

while(alive) 

{ 

ispUtil::MutexLock(lgp->m_mutex); 

ispUtil::Debug(ISP_TRACE, "RecorderMainLoop: Doing work.\n"); 

#endif // USING_API 

} 

lgp->ProcessEvent(); 

ispUtil::MutexUnlock(lgp->m_mutex); 

ispUtil::iSleep(10); 

ispUtil::Debug(ISP_TRACE, "RecorderMainLoop shutting down.\n"); 

} 

return NULL; 

void Recorder::ProcessEvent() 

{ 

/* Check if new events have arrived. If there are any, tokenize them 

* and add the entries to member variables, then call SendEvent for 

* every event 

*/ 

ispUtil::Debug(ISP_TRACE, "Recorder::ProcessEvent\n"); 

SendEvent(); 

} 

void Recorder::SendEvent() 

{ 

/* For every event received, pass the correct fields to the iRouter 

* in name/value pairs. This is done by calling one of the following 

* member functions of the event (as defined in ispEvent.h): 

* AddStringField(const char* field, const char* value); 

* AddDateField(const char* field, const time_t value); 

* AddLongField(const char* field, const long value); 

* 

* The following fields will be filled in automatically by the SDK: 

* Location - will default to the local hostname 

* can be overwrtiien by calling: 

* SetHostname(char *hostname); 

* Status - will default to ISP_STATUS_SUCCESS 


* SetStatus(sStatus status); 

* Severity - will default to ISP_SEVERITY_NONE 


* SetSeverity(sSeverity severity); 

* Date - will default to the date when the event object was 

* created can be overwrtiien by calling: 

* SetDate(time_t date); 

* OS - will default to the OS where the iRecorder is running 


* SetOS(char* OS); 

* 

* NOTE: All eTrust Audit iRecorders MUST add the following field: 

* AddStringField("EventLog", ) 

* where should be replaced with the AN Type 

* of the iRecorder as defined in the eTrust Audit 

* Policy Manager. 

* 

* NOTE: To map to the Source(Src) field in eTust Audit, add the 

* the following field: 



* AddStringField("EventSource", ) 

* where is replaced with the original source 

* of the event. 

* 

* All other fields should be added, when possible, using the 

* recommended field names as defined in the eTrust Audit 

* Administrators Guide in the chapter about the Submit API. 

*/ 

ispUtil::Debug(ISP_TRACE, "Recorder::SendEvent\n"); 

// If the original event did not contain a timestamp, add the timestamp 

// when the iRecorder processed the event 

time_t now = time(NULL); 

evt->SetDate(now); 

// Required for Audit iRecorders 

evt->AddStringField("EventLog", "LOGNAME"); 

// Recommended for Audit iRecorders 

evt->AddStringField("EventSource", "MySource"); 

evt->SetSeverity(ISP_SEVERITY_INFO); 

evt->Submit(); 

*/ automatically 

} 

/* Call this to clear out all but the fields that are inserted 

evt->ReuseEvent(); 

iRecorder Configuration File (iRec.conf) 

The iRecorder configuration file contains iRecorder specific parameters (see 

MyConfig1 and MyConfig2). You can add any number of parameters in this file 

and the specified parameters are passed to the iRecorder at iGateway startup 

time. If the iRecorder needs any runtime configuration parameters, you can add 

parameters such as and . 

The following is a sample iRec.conf file: 

 

iRec 

DSP 

iRec 

iDispatch 

 

 

true 

value1 

value2 

defaultvalue 

mysecret 

 



iControl Configuration File (iControl.conf) 

The iControl configuration file contains parameters that specify control and 

routing relation information. In general, the parameters contained in the iControl 

file are needed at iRecorder installation time. 

If the parameter is set to true, the iControl component will use the 

parameter to determine the remote host [REMOTEHOST] to 

which the events should be sent. 

A sample iControl.conf file for this scenario is as follows: 

 

iControl 

iControl 

iDispatch 

DSP 

true 

true 

REMOTEHOST 

 

If the parameter is false, the iControl component will not route 

events to another host but would expect a such as EPAudit for 

event delivery. This is how iControl is set up on iRouter. 

A sample iControl.conf file for this scenario is as follows: 

 

iControl 

iControl 

iDispatch 

DSP 

true 

false 

localhost 

epAudit 

 

Step 5: Build the Project 

From your Cygwin environment, run make install to 

■ 

■ 

■ 

■ 

Compile and build your iRecorder project files. 

Stop iGateway service, if running. 

Copy the project files to the iGateway install directory. 

Start iGateway service. 

Step 6: Test and Debug Your iRecorder 

Using the test environment, you can proceed with testing your new iRecorder. 




The iRecorder includes the following functions: 

Function Parameters Return Values Description 

AddBinaryField 

AddDateField 

(const char* field, const char* 

bvalue, const int bsize ) 

( const char* field, const time_t 

value ) 

void 

void 

Add a binary field to the event’s 

xml representation. 

Add a time date field to the 

event’s xml representation. 

AddIntField ( const char* field, const int value ) void Add an Int field to the event’s 


AddLongField ( const char* field, const long value) void Add a long field to the event’s 


AddShortField 

AddStringField 

( const char* field, const short value 

) 

( const char* field, const char* value 

) 

void 

void 

Add a short field to the event’s 


Add a string field to the event’s 


GetDate () const time_t Access to event’s date. 

GetHostname () const char* access to event’s location. 

GetOS () const Access to event’s OS. 

GetSeverity () const sSeverity Access to event’s severity. 

GetSeverityName () const char* Access to event’s severity 

GetStatus () const sStatus Access to event’s status. 

GetStatusName () const char* Access to event’s status. 

ReuseEvent () void Clear out iSponsor and reuse 

fields. 

SetDate ( time_t date ) void Set event’s date This field is 

required for an eTrust Audit 

event. 

SetHostname ( char* hostname ) void Set the location where the event 

is generated. 

SetOS ( char* OS ) void Set even’s OS This field is not 


event. 

SetSeverity ( sSeverity severity ) void Set event’s severity This field is 


event. 



Function Parameters Return Values Description 

SetStatus ( sStatus status ) void Set event’s status This field is 


event. 

Submit () bool Submit is called when you want 

to send the event formatted in a 

xml string out either to an 

iRouter or an iCollect. 


Index 

A 

acactmgr daemon, 3-6 

acactmgr service, 2-5 

account management events 

for SAPI, 13-24 

acdistagn daemon, 3-7 

acdistagn service, 2-6 

acdistsrv service, 2-7 

acloader 

described, 16-3 

aclogrcd daemon, 3-7 

aclogrd 

and configuration files, 4-1 

aclogrd daemon, 3-8 

aclogrd service, 2-8 

acrecorderd daemon, 3-8 

action manager daemon, 3-6 

action manager service, 2-5 

action queue 

and registry keys, 6-27 

actions 

collector, 4-3 


file, 4-4 

mail, 4-4 

monitor, 4-3 

program, 4-5 

remote, 4-4 

route, 4-4 

screen, 4-4 

SNMP, 4-4 

unicenter, 4-6 

actions parameter 

eAudit.ini file, 7-10 

alert queue 

and registry keys, 6-18, 6-19 

alert queue parameter 


AN types 


Apache, 6-31 

Default, 6-32, 7-12 

eTrust Access Control, 6-32 

Netscape, 6-33 

NT, 6-33 

Oracle, 6-34 

UNIX, 6-34 

AN types parameter 


B 

binary operators 

in router configuration files, 5-10 

C 


configuration values, 14-7 

configuring servers, 14-3, 14-14 

connection types, 14-4 

eAudit.ini, 14-7, 14-10 

installation, 14-4 

log types, 14-4 

preinstallation considerations, 14-3 

registry keys, 14-7 

Index–21

UNIX installation, 14-4, 14-5 

upgrading the Data Tools, 14-6 

collection queue 


collection queue parameter 


collector action, 4-3 

collector daemon, 3-7 

collector service, 2-8 

configuration files 

locations, 4-1 

recorder, 4-6 

redirector, 4-7 

router, 4-8 

configuration values 

Recorder Check Point Firewall-1, 14-7 

connection types 

OPSEC, 14-13 


D 

daemon 

action manager, 3-6 

daemons 


commmands to control, 3-2 

distribution agent, 3-7 

list of, 3-1 

log router, 3-8 

recorder, 3-8 

SNMP recorder, 3-9 

data server 


data server reports 


data server viewer 


Data Tools 


data types 


databases 


default queue 


default queue parameter 


detailed tracking events 


distribution agent daemon, 3-7 

distribution agent service, 2-6 

distribution server 


distribution server service, 2-7 

do command, 5-6 

E 

eaudit.ini file 

actions parameters, 7-10 

alert queue parameters, 7-7 

AN types parameters, 7-12 

collection queue parameters, 7-8 

default queue parameters, 7-9 

management agent parameters, 7-11 

messages parameters, 7-3 

parameters, 7-1 

ports parameters, 7-1 

queue manager parameters, 7-6 

recorders parameters, 7-6 

router parameters, 7-6 

SNMP recorder parameters, 7-6 

eAudit.ini file 

and firewalls, 9-1 

Security Monitor, 7-5 

targets, 7-5 

eAudti.ini 

Recorder Check Point Firewall-1, 14-7, 14-10 

email 


encryption 

and setkey command, 8-2 

basic support, 8-1 

turning off, 8-2 

Index–2 


encryption keys 

changing, 8-1 

encup utility, 11-1 

EPAudit plug-in 


EPDebug plug-in 


EPUnicenter plug-in 


error and return codes 



bulk migration of log records to eTrust Audit, 16- 

1, 17-1 

steps to migrate log records to eTrust Audit, 16-1 

Event database 

Renaming before backing up Access database, 

10-4 

event IDs 

2000, 12-6 

NT, 12-1 

Event plug-in 


exclude command, 5-8 

F 

fex 

and using selogrd to convert audit log files, 17-1 

fields 

for event description, 13-20 

for event notification, 13-17, 13-19 

SAPI, 13-16 

file action, 4-4 

files 

logroute.cfg, 4-7 

router.cfg, 4-8 

selogrec.cfg, 4-6 

firewalls 

and eAudit.ini file, 9-1 


configuration requirements, 9-1 

functions 


SAPI_AddItem, 13-8 

SAPI_DestroyCTX, 13-12 

SAPI_DumpMessage, 13-11 

SAPI_Init, 13-6 

SAPI_New Message, 13-7 

SAPI_RemoveMessage, 13-10 

SAPI_SetRouter, 13-12 

SAPI_SetRouterPort, 13-13 

SAPI_SetRouterTimeout, 13-13 

SAPI_SubmitMsg, 13-9 

G 

general events 


group command, 5-9 

groups 


H 

header file for SAPI 

etsapi.h, 13-3 

I 

iControl 


iControl configuration file, 18-18 

iGateway 


include command, 5-8 

ini files 


installation 


internal events 


Index–3

iRecorder 

accessing events, 18-13 

building the project, 18-18 


design, 18-3 

developing, 18-11 

function reference, 18-19 

modifying files, 18-14 

parsing tokens, 18-13 

required fields, 18-11 

requirements, 18-7, 18-8, 18-10 

testing, 18-18 

iRecorder configuration file, 18-17 

iRecorder source file, 18-14 

iRouter 


iTechnology 

components, 18-3 


L 

libraries 


log files 


log router daemon, 3-8 

log router service, 2-8 

log types 


M 

mail action, 4-4 

management agent 


management agent queue parameter 


mapping events 


mapping examples 


mappings 

AC_SAPITokens.h, 13-2 

SAPI, 13-2 

message routing 

SAPI, 13-2 

messages 

location of, 7-3 

location of stored, 6-5 

using SAPI to handle submit failures, 13-3 

using SAPI to submit a messages to a router, 13-2 

messages parameter 


monitor action, 4-3 

N 

network events 


O 

object access events 


OPSEC connection type, 14-4 

OPSEC connection types, 14-13 

P 

passwords 

changing, 11-1 

path action, 4-5 

policy management events 



and eaudit.ini file, 7-11 


changing the password for the administrator 

user, 11-1 

Policy Manager action queues 


Index–4 


Policy Manager database 


Policy Manager default queues 


Policy Manager distribution log 


Policy Manager distribution server 


Policy Manager distribution server parameters 


Policy Manager distribution server queues 


Policy Manager distribution server rules 


portmap service, 2-12 

portmapper, 6-2, 7-1 

ports, 2-12 


ports parameter 


preinstallation considerations 


properties of fields 

SAPI, 13-16 

Q 

queue files 

defined, 4-1 

queue manager parameter 


queues 


R 

recorder 


recorder configuration files, 4-6 

recorder daemon, 3-8 

Recorder for CheckPoint Firewall-1. See Checkpoint 

Firewall-1 

recorder service, 2-9 

recorder.ini file 

definitions section, 7-14 

log data section, 7-16 

parameters, 7-14 

parameters section, 7-15 

supported recorders, 7-14 

recorders 


Check Point Firewall-1, 14-1 

recorders parameter 


redirector 


redirector configuration files, 4-7 

redirector service, 2-10 

registry 

editing, 6-1 

registry keys 

action queue, 6-27 

alert queue, 6-18, 6-19 

AN types, 6-31, 6-32, 6-33, 6-34, 7-12 

and action manager service, 2-5 

and collector service, 2-8 

and distribution agent service, 2-6 

and distribution server service, 2-7 

and log router service, 2-8 

and recorder service, 2-9 

and rules, 4-2 

collection queue, 6-22 

data server, 6-44 

data server reports, 6-46 

data server viewer, 6-46 

default queue, 6-25 


for log files, 6-10 

mail, 6-9 

management agent, 6-29 

messages, 6-5 

NT recorder, 6-12 

Policy Manager action queues, 6-44 

Policy Manager database, 6-35 

Policy Manager default queues, 6-41 

Policy Manager distribution log, 6-36 

Policy Manager distribution server, 6-37 

Index–5

Policy Manager distribution server parameters, 

6-39 

Policy Manager distribution server queues, 6-37 

Policy Manager distribution server rules, 6-38 

ports, 6-2 

queue manager, 6-18 


recorders, 6-11 


redirector service, 2-10 

router, 6-11, 6-17 

RPC, 6-4 

Security Monitor, 6-8, 6-48 

severity, 6-5 


SNMP recorder service, 2-11 

targets, 6-8 

regular expressions 


remote action, 4-4 

action, 5-5 

remote procedure calls, 6-4 

reports 

location of, 6-46 

reserved words 


route action, 4-4 

router 



router configuration file 

groups, 5-4 

variables, 5-2 

router configuration files, 4-8 

location, 5-1 

rules, 5-1 

router parameter 


rule command, 5-9 

rules 




S 

sample program 

using SAPI, 13-3 

SAPI 

compiling an linking, 13-3 


error and return codes, 13-14 

event description fields, 13-20 

event notification fields, 13-17, 13-19 

fields, 13-16 

function reference, 13-6 

handling submit failures, 13-3 

libraries, 13-3 

mapping, 13-2 

mapping account management events, 13-24 

mapping detailed tracking events, 13-30 

mapping events, 13-22 

mapping examples, 13-17 

mapping general events, 13-31 

mapping internal events, 13-32 

mapping network events, 13-28 

mapping object access events, 13-25 

mapping policy management events, 13-26 

mapping security system status events, 13-27 

mapping system access events, 13-23 

message routing, 13-2 

reserved words, 13-32 

sample routine, 13-3 

submitting a message, 13-2 

SAPI field properties, 13-16 

SAPI tokens 


SAPI_AddItemfunction, 13-8 

SAPI_DestroyCTX function, 13-12 

SAPI_DumpMessage function, 13-11 

SAPI_Init function, 13-6 

SAPI_NewMessagefunction, 13-7 

SAPI_RemoveMessage function, 13-10 

SAPI_SetRouter function, 13-12 

SAPI_SetRouterPort function, 13-13 

SAPI_SetRouterTimeout function, 13-13 

SAPI_SubmitMsg function, 13-9 

screen action, 4-4 

Index–6 





Security Monitor key, 6-48 

security system status events 


selogrcd service, 2-8 

selogrd 


and fex, 17-1 

selogrd service, 2-10 

selogrec 


selogrec service, 2-9 

servers 


services 

action manager, 2-5 


distribution agent, 2-6 

distribution server, 2-7 

list of, 2-1 

log router, 2-8 

portmap, 2-12 

recorder, 2-9 



Services, 2-1 

setkey command, 8-2 

SMTP Mail Server 

identifying, 6-9 

SNMP, 2-11, 3-9 

SNMP action, 4-4 

SNMP recorder and registry keys, 6-14 

SNMP recorder daemon, 3-9 

SNMP recorder parameter 


SNMP recorder service, 2-11 

SNMP Service 


snmprec daemon, 3-9 

snmprec service, 2-11 

sqlldr 

using to import eTrust Access Control Records, 

17-3 

Submit API. See SAPI 

system access events 


T 

action, 5-4 

type command, 5-7 

U 

unicenter action, 4-6 

UNIX installation 


V 

variables 


Viewer 


W 

Windows 2000 event IDs, 12-6 

Windows NT event IDs, 12-1 

Index–7

eTrust Audit Reference Guide - CA Technologies

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?