eTrust Audit Reference Guide - CA Technologies
<strong>eTrust</strong> <strong>Audit</strong><br />
<strong>Reference</strong> <strong>Guide</strong><br />
1.5<br />
SP2
This documentation and related computer software program (hereinafter referred to as the “Documentation”) is for<br />
the end user’s informational purposes only and is subject to change or withdrawal by Computer Associates<br />
International, Inc. (“<strong>CA</strong>”) at any time.<br />
This documentation may not be copied, transferred, reproduced, disclosed or duplicated, in whole or in part, without<br />
the prior written consent of <strong>CA</strong>. This documentation is proprietary information of <strong>CA</strong> and protected by the copyright<br />
laws of the United States and international treaties.<br />
Notwithstanding the foregoing, licensed users may print a reasonable number of copies of this documentation for<br />
their own internal use, provided that all <strong>CA</strong> copyright notices and legends are affixed to each reproduced copy. Only<br />
authorized employees, consultants, or agents of the user who are bound by the confidentiality provisions of the<br />
license for the software are permitted to have access to such copies.<br />
This right to print copies is limited to the period during which the license for the product remains in full force and<br />
effect. Should the license terminate for any reason, it shall be the user’s responsibility to return to <strong>CA</strong> the reproduced<br />
copies or to certify to <strong>CA</strong> that same have been destroyed.<br />
To the extent permitted by applicable law, <strong>CA</strong> provides this documentation “as is” without warranty of any kind,<br />
including without limitation, any implied warranties of merchantability, fitness for a particular purpose or<br />
noninfringement. In no event will <strong>CA</strong> be liable to the end user or any third party for any loss or damage, direct or<br />
indirect, from the use of this documentation, including without limitation, lost profits, business interruption,<br />
goodwill, or lost data, even if <strong>CA</strong> is expressly advised of such loss or damage.<br />
The use of any product referenced in this documentation and this documentation is governed by the end user’s<br />
applicable license agreement.<br />
The manufacturer of this documentation is Computer Associates International, Inc.<br />
Provided with “Restricted Rights” as set forth in 48 C.F.R. Section 12.212, 48 C.F.R. Sections 52.227-19(c)(1) and (2) or<br />
DFARS Section 252.227-7013(c)(1)(ii) or applicable successor provisions.<br />
© 2003 Computer Associates International, Inc.<br />
All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.
Contents<br />
Chapter 1: Introduction<br />
Chapter 2: Windows Services<br />
Commands to Control the Services ............................................................. 2-2<br />
Action Manager Service (acactmgr) ............................................................. 2-5<br />
Distribution Agent Service (acdistagn) .......................................................... 2-6<br />
Distribution Server Service (acdistsrv) .......................................................... 2-7<br />
Log Router Service (aclogRd) .................................................................. 2-8<br />
Collector Service (SeLogRcd)................................................................... 2-8<br />
Recorder Service (SeLogRec) ................................................................... 2-9<br />
Redirector Service (SeLogRd) ................................................................. 2-10<br />
SNMP Recorder Service (SnmpRec)............................................................ 2-11<br />
Portmap Service ............................................................................. 2-12<br />
Chapter 3: UNIX Daemons<br />
Issuing Commands to Control the Daemons ..................................................... 3-2<br />
Action Manager Daemon (acactmgr)............................................................ 3-6<br />
Distribution Agent Daemon (acdistagn) ......................................................... 3-7<br />
Collector Daemon (aclogrcd)................................................................... 3-7<br />
Log Router Daemon (aclogrd).................................................................. 3-8<br />
Generic Recorder Daemon (acrecorderd) ........................................................ 3-8<br />
SNMP Recorder Daemon (snmprec) ............................................................ 3-9<br />
Contents<br />
iii
Chapter 4: Configuration Files<br />
About Queues ................................................................................ 4-1<br />
About Queue Rules............................................................................ 4-2<br />
Windows ................................................................................. 4-2<br />
UNIX..................................................................................... 4-2<br />
Example .................................................................................. 4-3<br />
About Actions ................................................................................ 4-3<br />
Recorder Configuration File .................................................................... 4-6<br />
Comment Lines ........................................................................... 4-7<br />
The Asterisk as Wildcard ................................................................... 4-7<br />
Redirector Configuration File................................................................... 4-7<br />
Router Configuration File ...................................................................... 4-8<br />
Chapter 5: Router Configuration File Rule Language <strong>Reference</strong><br />
Location of the Router Configuration File ........................................................ 5-1<br />
File Structure ................................................................................. 5-1<br />
Variables ..................................................................................... 5-2<br />
Variable Expiration ........................................................................ 5-3<br />
Dynamic Variable Names .................................................................. 5-3<br />
Using Variables in Filter Rules .............................................................. 5-3<br />
Groups ....................................................................................... 5-4<br />
Loops .................................................................................... 5-4<br />
Command Syntax ............................................................................. 5-4<br />
action; target .............................................................................. 5-4<br />
action; remote ............................................................................. 5-5<br />
do........................................................................................ 5-6<br />
type: ..................................................................................... 5-7<br />
include ................................................................................... 5-8<br />
exclude ................................................................................... 5-8<br />
rule ...................................................................................... 5-9<br />
group .................................................................................... 5-9<br />
Regular Expressions .......................................................................... 5-10<br />
Supported Binary Operators................................................................... 5-10<br />
Including Additional Data Types .............................................................. 5-11<br />
Identifying Events using SAPI Tokens.......................................................... 5-12<br />
Chapter 6: Windows Registry Entries<br />
Opening the Windows Registry ................................................................ 6-1<br />
Ports ........................................................................................ 6-2<br />
RPC ......................................................................................... 6-4<br />
Messages .................................................................................... 6-5<br />
Severity ...................................................................................... 6-5<br />
Fatal ..................................................................................... 6-5<br />
Critical ................................................................................... 6-6<br />
Error..................................................................................... 6-6<br />
Warning ................................................................................. 6-7<br />
Info ...................................................................................... 6-7<br />
Targets ...................................................................................... 6-8<br />
Monitor .................................................................................. 6-8<br />
Mail ......................................................................................... 6-9<br />
Client\SeOS\logmgr......................................................................... 6-10<br />
Recorders ................................................................................... 6-11<br />
NT Recorder............................................................................. 6-12<br />
SNMP Recorder.......................................................................... 6-14<br />
Redirector................................................................................... 6-14<br />
Router ...................................................................................... 6-17<br />
Queue Manager\Queues ................................................................. 6-18<br />
Queues\CollectionQueue................................................................. 6-22<br />
Queues\Default ......................................................................... 6-25<br />
Management Agent .......................................................................... 6-29<br />
Parameters .............................................................................. 6-29<br />
AN Types ............................................................................... 6-31<br />
Policy Manager .............................................................................. 6-35<br />
Database ................................................................................ 6-35<br />
Distribution Log ......................................................................... 6-36<br />
Distribution Server ....................................................................... 6-37<br />
Data Server ................................................................................. 6-44<br />
Database ................................................................................ 6-44<br />
Viewer .................................................................................. 6-46<br />
Reports ................................................................................. 6-46<br />
Security Monitor............................................................................. 6-48<br />
Chapter 7: UNIX INI Files<br />
eAudit.ini .................................................................................... 7-1<br />
Ports ..................................................................................... 7-1<br />
Messages ................................................................................. 7-3<br />
Fatal ..................................................................................... 7-4<br />
Critical ................................................................................... 7-4<br />
Error ..................................................................................... 7-4<br />
Warning .................................................................................. 7-4<br />
Info ...................................................................................... 7-5<br />
Monitor .................................................................................. 7-5<br />
Recorders ................................................................................. 7-6<br />
Router.................................................................................... 7-6<br />
Management Agent....................................................................... 7-11<br />
Parameters............................................................................... 7-11<br />
AN Types................................................................................ 7-12<br />
recorder.ini .................................................................................. 7-14<br />
Recorder Modules ........................................................................ 7-14<br />
Definitions ............................................................................... 7-14<br />
Parameters............................................................................... 7-15<br />
Chapter 8: Encryption Options<br />
Changing Your Encryption Key................................................................. 8-1<br />
setkey Command Options...................................................................... 8-2<br />
Turning Off Encryption ........................................................................ 8-2<br />
Chapter 9: Firewall Considerations<br />
Chapter 10: Database Considerations<br />
Preparing <strong>eTrust</strong> <strong>Audit</strong> Database .............................................................. 10-1<br />
Oracle Databases ......................................................................... 10-1<br />
MS SQL Server Databases ................................................................. 10-2<br />
Configuring an Oracle Client .................................................................. 10-2<br />
Windows ................................................................................ 10-2<br />
UNIX.................................................................................... 10-2<br />
Windows NT Authentication with Microsoft SQL Server ......................................... 10-3<br />
Changing the Database Type.................................................................. 10-4<br />
Using a Remote MS Access Database .......................................................... 10-4<br />
Backing Up a Microsoft Access Database ....................................................... 10-4<br />
Chapter 11: Encup Utility<br />
Executing Encup............................................................................. 11-1<br />
Chapter 12: Security-related Event IDs<br />
Windows NT Event IDs ...................................................................... 12-1<br />
Windows 2000 Event IDs ..................................................................... 12-6<br />
UNIX Event IDs ............................................................................ 12-15<br />
Windows Event IDs ......................................................................... 12-15<br />
<strong>eTrust</strong> Access Control Event IDs ............................................................. 12-16<br />
Cisco PIX Event IDs ......................................................................... 12-16<br />
Chapter 13: The Submit API (SAPI)<br />
Mapping .................................................................................... 13-2<br />
Message Routing ............................................................................ 13-2<br />
Submitting a Message to the Router........................................................ 13-2<br />
Handling Submit Failures................................................................. 13-3<br />
Compiling and Linking....................................................................... 13-3<br />
Libraries .................................................................................... 13-3<br />
Sample SAPI Routine ........................................................................ 13-3<br />
SAPI <strong>Reference</strong> .............................................................................. 13-6<br />
SAPI_Init................................................................................ 13-6<br />
SAPI_NewMessage ...................................................................... 13-7<br />
SAPI_AddItem .......................................................................... 13-8<br />
SAPI_SubmitMsg ........................................................................ 13-9<br />
SAPI_RemoveMessage .................................................................. 13-10<br />
SAPI_DumpMessage .................................................................... 13-11<br />
SAPI_DestroyCTX ...................................................................... 13-12<br />
SAPI_SetRouter ......................................................................... 13-12<br />
SAPI_SetRouterPort ..................................................................... 13-13<br />
SAPI_SetRouterTimeout ................................................................. 13-13<br />
SAPI Return and Error Codes ................................................................ 13-14<br />
Fields for SAPI ............................................................................. 13-16<br />
Field Properties ......................................................................... 13-16<br />
Mapping Examples .......................................................................... 13-17<br />
Mandatory Fields for Event Identification.................................................. 13-17<br />
Common Predefined Fields for Event Identification ......................................... 13-19<br />
Optional Predefined Fields for Event Identification ......................................... 13-19<br />
Common Predefined Fields for Event Description .......................................... 13-20<br />
Mapping Events to Predefined Categories ................................................. 13-22<br />
System Access........................................................................... 13-23<br />
Account Management.................................................................... 13-24<br />
Object Access ........................................................................... 13-25<br />
Policy Management...................................................................... 13-26<br />
Security Systems ........................................................................ 13-27<br />
Physical Security ........................................................................ 13-28<br />
Network ................................................................................ 13-28<br />
Detailed Tracking ....................................................................... 13-30<br />
System/Application, Administration and General Events ................................... 13-31<br />
Fields Internal to <strong>eTrust</strong> <strong>Audit</strong> ............................................................ 13-32<br />
Reserved Keywords ......................................................................... 13-32<br />
Chapter 14: Recorder for Check Point FireWall-1 <strong>Reference</strong><br />
Information Flow............................................................................. 14-1<br />
Preinstallation Considerations ................................................................. 14-3<br />
Configuring the Check Point FireWall-1 Servers ............................................. 14-3<br />
Information You Need to Collect ........................................................... 14-3<br />
Installing the Recorder for Check Point FireWall-1............................................... 14-4<br />
Installing in a Solaris Environment ............................................................. 14-4<br />
Installing the Recorder for Check Point FireWall-1 ........................................... 14-5<br />
Upgrading the Data Tools ................................................................. 14-6<br />
Configuration Values ......................................................................... 14-7<br />
Registry Keys and .ini File ................................................................. 14-7<br />
Windows Registry Entries ................................................................. 14-7<br />
Solaris eAudit.ini File Values ............................................................. 14-10<br />
Technical Information ....................................................................... 14-13<br />
OPSEC Connection Types ................................................................ 14-13<br />
Configuring Check Point FireWall-1 Servers ............................................... 14-14<br />
Chapter 15: Using the eTSAPISend Program<br />
eTSAPISend.exe ............................................................................. 15-1<br />
Example .................................................................................... 15-2<br />
Sample Batch File ............................................................................ 15-3<br />
Chapter 16: Inserting <strong>eTrust</strong> Access Control Records in Bulk to a Collector Database Using acloader<br />
Insert Records into an Oracle Database......................................................... 16-1<br />
Remove the Indexes from SEOSDATA ......................................................... 16-2<br />
Recreate the Indexes in SEOSDATA ........................................................... 16-2<br />
The acloader Utility .......................................................................... 16-3<br />
Examples ................................................................................... 16-5<br />
Chapter 17: Inserting <strong>eTrust</strong> Access Control Records in Bulk to a Collector Database Using selogrd and sqlldr<br />
Requirements ............................................................................... 17-1<br />
Converting the <strong>eTrust</strong> Access Control <strong>Audit</strong> Log to Oracle Import File Format..................... 17-1<br />
Insert the Data into an Oracle Database using the sqlldr Utility ................................... 17-3<br />
Create One Import File and Insert It into the Oracle Database ................................ 17-3<br />
Create Multiple Import Log Files and Insert Them Separately into the Oracle Database ......... 17-4<br />
Examples ................................................................................... 17-4<br />
Chapter 18: iRecorder Development <strong>Reference</strong><br />
Overview of the iTechnology SDK............................................................. 18-2<br />
iRecorder Design and Architecture ............................................................ 18-3<br />
Components of iTechnology .............................................................. 18-3<br />
iRecorder................................................................................ 18-6<br />
iRouter.................................................................................. 18-7<br />
How to Create an iRecorder Development Environment ......................................... 18-7<br />
Development Environment ............................................................... 18-7<br />
Development Machine.................................................................... 18-8<br />
Test Environment ....................................................................... 18-10<br />
How To Develop an iRecorder ............................................................... 18-11<br />
Step 1: Identify Information about Required Fields for <strong>eTrust</strong> <strong>Audit</strong>.......................... 18-11<br />
Step 2: Establish a Method to Access Log Events ........................................... 18-13<br />
Step 3: Parse Log Event Data into Tokens .................................................. 18-13<br />
Step 4: Modify Files ...................................................................... 18-14<br />
Step 5: Build the Project .................................................................. 18-18<br />
Step 6: Test and Debug Your iRecorder .................................................... 18-18<br />
iRecorder API Functions ..................................................................... 18-19<br />
Chapter 1: Introduction<br />
This guide presents a variety of topics that describe technical features of <strong>eTrust</strong><br />
<strong>Audit</strong>. While many users might never have reason to review the topics in this<br />
guide, others will need to consult it to perform additional configuration changes<br />
to their environments.<br />
Chapter 2: Windows Services<br />
<strong>eTrust</strong> <strong>Audit</strong> installs several services on Windows systems. These services enable<br />
the information flow between <strong>eTrust</strong> <strong>Audit</strong> components by collecting, reading,<br />
and forwarding information from all sources in the system. This chapter<br />
describes the <strong>eTrust</strong> <strong>Audit</strong> services.<br />
The topics that follow describe the commands to control the <strong>eTrust</strong> <strong>Audit</strong><br />
services on Windows, and the services:<br />
acactmgr<br />
The <strong>eTrust</strong> <strong>Audit</strong> Action Manager<br />
acdistagn<br />
The <strong>eTrust</strong> <strong>Audit</strong> Distribution Agent<br />
acdistsrv<br />
The <strong>eTrust</strong> <strong>Audit</strong> Distribution Server<br />
acfwrecd<br />
The <strong>eTrust</strong> <strong>Audit</strong> FW-1 Recorder<br />
aclogrd<br />
The <strong>eTrust</strong> <strong>Audit</strong> Log Router<br />
acrecorderd<br />
The <strong>eTrust</strong> <strong>Audit</strong> Generic Recorder<br />
portmap<br />
The <strong>eTrust</strong> <strong>Audit</strong> Portmap service<br />
selogrcd<br />
The <strong>eTrust</strong> <strong>Audit</strong> Collector<br />
selogrec<br />
The <strong>eTrust</strong> <strong>Audit</strong> Recorder<br />
selogrd<br />
The <strong>eTrust</strong> <strong>Audit</strong> Redirector<br />
snmprec<br />
The <strong>eTrust</strong> <strong>Audit</strong> SNMP Recorder<br />
Commands to Control the Services<br />
You can control the services using the Windows Control Panel or the Service<br />
Control Manager application. You can also control them from a command<br />
prompt. The <strong>eTrust</strong> <strong>Audit</strong> services for Windows reside in the following location:<br />
install_dir\bin<br />
where install_dir is the directory in which you installed <strong>eTrust</strong> <strong>Audit</strong>. Unless you<br />
add this directory to your PATH statement, you must issue the commands from<br />
this directory.<br />
Syntax<br />
The following command syntax applies to all <strong>eTrust</strong> <strong>Audit</strong> services, except<br />
portmap:<br />
servicename options<br />
where servicename is the name of the service. The options are described in the<br />
topic that follows.<br />
Options<br />
The following list describes the available parameters:<br />
-help<br />
Displays these syntax options.<br />
-debug<br />
Starts the service in foreground mode; that is, it routes events to the console<br />
(STDOUT). For example, the following command starts the service and<br />
routes the output to the console:<br />
servicename -debug<br />
You can use the following options:<br />
-trace options<br />
Starts a trace of the service. For example, the following command starts<br />
the service and routes debug messages to the console and a file named<br />
errors.txt:<br />
servicename -debug -trace dest1 STDOUT dest2 errors.txt<br />
See the description of the -trace option later in the list.<br />
-install<br />
Installs the service.<br />
You can use the following options:<br />
-user name<br />
Lets you specify the name of a user authorized to install a service on the<br />
system. You should combine the -user and -pwd options as follows:<br />
servicename -install -user user01 -pwd password<br />
-pwd password<br />
Lets you specify the password of a user authorized to install a service on<br />
the system. You should combine the -user and -pwd options as follows:<br />
servicename -install -user user01 -pwd password<br />
-trace options<br />
Starts a trace of the service after installing it. For example, the following<br />
command installs the service and routes debug messages to the console:<br />
servicename -install -trace dest1 STDOUT<br />
See the description of the -trace option later in the list.<br />
-remove<br />
Removes the service from the registry and from the Windows Service<br />
Control Manager.<br />
You can use the following options:<br />
-trace options<br />
Starts a trace of the service while removing it. For example, the following<br />
command uninstalls the service and routes debug messages to a file<br />
named errors.txt:<br />
servicename -remove -trace dest1 errors.txt<br />
Additionally, you can use the redirect symbol, >, as follows to open a<br />
console and direct the output to a file:<br />
servicename -remove -trace dest1 STDOUT > errors.txt<br />
See the description of the -trace option later in the list.<br />
-start<br />
Starts the service in background mode; that is, without a console.<br />
You can use the following options:<br />
-trace options<br />
Starts a trace of the service while starting it. For example, the following<br />
command starts the service and routes debug messages to a file named<br />
errors.txt:<br />
servicename -start -trace dest1 errors.txt<br />
See the description of the -trace option later in the list.<br />
-stop<br />
Stops the service.<br />
You can use the following options:<br />
-trace options<br />
Starts a trace of the service while stopping it. For example, the following<br />
command stops the service and routes debug messages to a file named<br />
errors.txt:<br />
servicename -stop -trace dest1 errors.txt<br />
See the description of the -trace option later in the list.<br />
The -trace option applies to all parameters except -help, as follows:<br />
-trace options<br />
Turns on trace mode, which routes trace-level messages of a specified level<br />
to the destination. You can specify the following trace options:<br />
-dbglvl n<br />
Sets the debug level. n is the level from 1 to 5, 1 providing the least<br />
amount of debug information and 5 providing the most details. If you do<br />
not specify a value, 1 is the default.<br />
-dest1 dest<br />
Sets the primary output destination for the debugging information.<br />
dest can be one of the following:<br />
STDOUT<br />
Routes messages to the console.<br />
STDERR<br />
Routes messages to the console or to wherever you have redirected<br />
STDERR.<br />
filename<br />
The name of the file where you want the service to write the debug<br />
output.<br />
-dest2 dest<br />
Sets a secondary output destination to display the debugging<br />
information. dest can be one of the following:<br />
STDOUT<br />
Routes messages to the console.<br />
STDERR<br />
Routes messages to the console or to wherever you have redirected<br />
STDERR.<br />
filename<br />
The name of the file where you want the service to write the debug<br />
output.<br />
2–4 <strong>Reference</strong> <strong>Guide</strong>
Action Manager Service (acactmgr)<br />
The <strong>eTrust</strong> <strong>Audit</strong> Action Manager service, acactmgr.exe, reads events from<br />
queues where actions were placed by the Router and performs the specified<br />
actions defined for each event. The queues have parameters such as maximum<br />
action time, maximum file number and so on. These parameters affect the<br />
performance of the Action Manager.<br />
Tip: For information about the Action Manager, actions, and configuration<br />
files, see About Actions in the “Configuration Files” chapter.<br />
Registry Keys<br />
Several registry keys contain values that affect the functioning of the <strong>eTrust</strong><br />
<strong>Audit</strong> Action Manager service. They are as follows:<br />
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\<strong>eTrust</strong> <strong>Audit</strong>\Client\Router\Queue Manager\Queues<br />
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\<strong>eTrust</strong> <strong>Audit</strong>\Client\Router\Queue Manager\Queues\xxxQueue\Queue Parameters<br />
For information on the values in these keys, see the “Registry Keys” chapter.<br />
Distribution Agent Service (acdistagn)<br />
The <strong>eTrust</strong> <strong>Audit</strong> Distribution Agent service, acdistagn.exe, receives policy files<br />
from the Policy Manager through <strong>eTrust</strong> <strong>Audit</strong> Distribution Server service. The<br />
distribution agent service also removes old policy files if instructed by the <strong>eTrust</strong><br />
<strong>Audit</strong> Distribution Server service.<br />
The distribution agent service changes auditing requirements according to the<br />
policy it receives. The service notifies the router to update the policy to get new<br />
rules.<br />
Registry Keys<br />
When you install <strong>eTrust</strong> <strong>Audit</strong>, you specify the name of the host where the Policy<br />
Manager will run. This is the only host recognized by the distribution agent<br />
service; the service rejects attempts to update the policy from other hosts. However, you can<br />
add more servers to be recognized as trusted servers by editing the<br />
TrustedServers key of the Distribution Agent Service. This key is found in the<br />
following registry entry:<br />
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\<strong>eTrust</strong> <strong>Audit</strong>\Client\Management Agent<br />
The distribution server service and the distribution agent service use TCP/IP<br />
port 8025. You can change that port by using the registry and adding a special<br />
port, for example:<br />
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\<strong>eTrust</strong> <strong>Audit</strong>\Ports\DistributionPort<br />
See the “Registry Keys” chapter for more information.<br />
Distribution Server Service (acdistsrv)<br />
The <strong>eTrust</strong> <strong>Audit</strong> Distribution Server service, acdistsrv.exe, distributes the policy<br />
files among the clients. It must run on the same system where the Policy<br />
Manager is located.<br />
Registry Keys<br />
After you instruct the Policy Manager to distribute the policy, the relevant<br />
commands reach the distribution queue. The distribution server reads the<br />
distribution queue, selects from the compiled policy files, processes them, and<br />
sends them to the distribution agents according to the commands.<br />
The distribution server tries to connect to the distribution agent as follows:<br />
■ If the connection succeeds, the agent starts receiving configuration files.<br />
After the transmission operation terminates successfully, the distribution log<br />
of the Policy Manager is updated.<br />
■ If the connection trial fails (or in case the initial connection succeeds but<br />
afterwards a failure occurs), the transmission command is delayed. After a<br />
pre-defined period (by default: 24 hours) of failed connection trials, the<br />
distribution server terminates the transmission trials. In any case, the<br />
distribution log of the Policy Manager is updated.<br />
The key of the Distribution Server is found under:<br />
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\<strong>eTrust</strong> <strong>Audit</strong>\Policy Manager\Distribution Server<br />
The distribution server service and the distribution agent service use TCP/IP<br />
port 8025. You can change that port by using the registry and adding a special<br />
port, for example:<br />
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\<strong>eTrust</strong> <strong>Audit</strong>\Ports\DistributionPort<br />
See the “Registry Keys” chapter for more information.<br />
Log Router Service (aclogRd)<br />
The <strong>eTrust</strong> <strong>Audit</strong> Log Router service, aclogRd.exe, receives events from a number<br />
of different sources. It handles received events according to the filters specified in<br />
the router configuration file and routes them to the queue files with the<br />
associated actions and targets. The Router service should be registered by the<br />
<strong>eTrust</strong> <strong>Audit</strong> Portmap service so that it can start only if the portmap is running.<br />
See Router Configuration File in the “Configuration Files” chapter for more<br />
information.<br />
Registry Keys<br />
Several registry keys contain values that affect the functioning of the <strong>eTrust</strong><br />
<strong>Audit</strong> Log Router service. They are as follows:<br />
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\<strong>eTrust</strong> <strong>Audit</strong>\Client\Router<br />
For information on the values in these keys, see the “Registry Keys” chapter.<br />
Collector Service (SeLogRcd)<br />
The <strong>eTrust</strong> <strong>Audit</strong> Collector service, SeLogRcd.exe, receives information from the<br />
<strong>eTrust</strong> <strong>Audit</strong> Action Manager services on systems where <strong>eTrust</strong> <strong>Audit</strong> is<br />
running, and writes it to the event database. The Collector service should be<br />
registered by the <strong>eTrust</strong> <strong>Audit</strong> Portmap service so that it can start only if the<br />
portmap is running.<br />
Registry Keys<br />
Several registry keys contain values that affect the functioning of the <strong>eTrust</strong><br />
<strong>Audit</strong> Collector. They are as follows:<br />
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\<strong>eTrust</strong> <strong>Audit</strong>\Data Server\Database<br />
For information on the values in these keys, see the “Registry Keys” chapter.<br />
Recorder Service (SeLogRec)<br />
The <strong>eTrust</strong> <strong>Audit</strong> Recorder service, SeLogRec.exe, harvests the Windows audit<br />
information on the client system into the local audit file for further handling by<br />
other <strong>eTrust</strong> <strong>Audit</strong> Client components.<br />
You can edit the recorder configuration file to specify which events are to be<br />
recorded. For details, see Recorder Configuration File in the “Configuration<br />
Files” chapter.<br />
Registry Keys<br />
Several registry keys contain values that affect the functioning of the <strong>eTrust</strong><br />
<strong>Audit</strong> Recorder. They are as follows:<br />
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\<strong>eTrust</strong> <strong>Audit</strong>\Client\Recorders\NT Recorder<br />
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\<strong>eTrust</strong> <strong>Audit</strong>\Client\SeOS\logmgr<br />
Additionally, if <strong>eTrust</strong> Access Control is installed, the Recorder service uses<br />
the same local audit file as <strong>eTrust</strong> Access Control. To permit the recorder service<br />
to run when <strong>eTrust</strong> Access Control is stopped, set the emulate registry key to a<br />
value of 1. The emulate key is in the following location:<br />
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\<strong>eTrust</strong>AccessControl\<strong>eTrust</strong>AccessControl\Emulate<br />
Otherwise, the recorder service uses the value in the following <strong>eTrust</strong> Access<br />
Control key:<br />
HKEY_LOCAL_MACHINE\SOFTWARE\MEMCO\SeOS\SeOS\Emulate<br />
For information on the values in these keys, see the “Registry Keys” chapter.<br />
Redirector Service (SeLogRd)<br />
The <strong>eTrust</strong> <strong>Audit</strong> Redirector service, SeLogRd.exe, reads the local audit file<br />
created by the <strong>eTrust</strong> <strong>Audit</strong> Recorder service (or by <strong>eTrust</strong> Access Control) and<br />
forwards it to the router. The local audit file contains Windows (and possibly<br />
<strong>eTrust</strong> Access Control) events originating on the local machine.<br />
You control Redirector service by editing the configuration file, logroute.cfg. For<br />
details, see Redirector Configuration File in the “Configuration Files” chapter.<br />
Registry Keys<br />
Several registry keys contain values that affect the functioning of the <strong>eTrust</strong><br />
<strong>Audit</strong> Redirector. They are as follows:<br />
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\<strong>eTrust</strong> <strong>Audit</strong>\Client\Redirector<br />
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\<strong>eTrust</strong> <strong>Audit</strong>\Client\SeOS\logmgr<br />
<strong>eTrust</strong> <strong>Audit</strong> limits the size of the audit files. As a result, when events are<br />
generated faster than they can be forwarded—for example, a router service is not<br />
running, or too many events are being generated during a peak situation—it is<br />
possible to lose data.<br />
You can guarantee delivery of records to the router by making changes to the<br />
values in the registry. You can permit the files to exceed their prescribed<br />
maximum size by setting the option to overwrite backup files to 0.<br />
For information on the values in these keys, see the “Registry Keys” chapter.<br />
SNMP Recorder Service (SnmpRec)<br />
The <strong>eTrust</strong> <strong>Audit</strong> SNMP Recorder service, SnmpRec.exe, traps SNMP messages<br />
sent to a Windows machine, and then passes them onto the default router. By<br />
default, the default router is the local host.<br />
Registry Keys<br />
Several registry keys contain values that affect the functioning of the <strong>eTrust</strong><br />
<strong>Audit</strong> SNMP Recorder. They are as follows:<br />
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\<strong>eTrust</strong> <strong>Audit</strong>\Client\Recorders\SNMP recorder<br />
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\<strong>eTrust</strong> <strong>Audit</strong>\Client\Recorders\DefaultRouter<br />
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\<strong>eTrust</strong> <strong>Audit</strong>\Client\Recorders\SNMP Recorder\cfg\snmptd_rec.mp<br />
For information on the values in these keys, see the “Registry Keys” chapter.<br />
Portmap Service<br />
The <strong>eTrust</strong> <strong>Audit</strong> Portmap service, portmap.exe, manages a table of<br />
correspondences between ports (logical communications channels) and the<br />
services registered at them. It provides a standard way for a client to look up the<br />
TCP/IP or UDP port number of an RPC program supported by the server. This<br />
service runs on any Windows host on which an <strong>eTrust</strong> <strong>Audit</strong> component is<br />
installed.<br />
Note: For Windows NT 4.0 and Windows 2000, note that <strong>eTrust</strong> <strong>Audit</strong> installs<br />
the Sun RPC portmapper.<br />
Syntax<br />
Using a command prompt session, enter the following commands to start or stop<br />
portmap:<br />
net start portmap<br />
net stop portmap<br />
To install portmap, use the following commands:<br />
install_dir\bin\inst_pm install_dir\bin\portmap.exe<br />
where install_dir is the directory where you installed <strong>eTrust</strong> <strong>Audit</strong>.<br />
To uninstall portmap, use the following command:<br />
install_dir\bin\inst_pm remove<br />
Chapter 3<br />
UNIX Daemons<br />
<strong>eTrust</strong> <strong>Audit</strong> installs several daemons on UNIX systems. These daemons enable<br />
the information flow between <strong>eTrust</strong> <strong>Audit</strong> components by collecting, reading,<br />
and forwarding information from all sources in the system. This chapter<br />
describes the <strong>eTrust</strong> <strong>Audit</strong> daemons.<br />
The topics that follow describe the commands to control the <strong>eTrust</strong> <strong>Audit</strong><br />
daemons on UNIX platforms, and then the daemons themselves:<br />
acactmgr<br />
The <strong>eTrust</strong> <strong>Audit</strong> Action Manager<br />
acdistagn<br />
The <strong>eTrust</strong> <strong>Audit</strong> Distribution Agent<br />
aclogrcd<br />
The <strong>eTrust</strong> <strong>Audit</strong> Collector<br />
aclogrd<br />
The <strong>eTrust</strong> <strong>Audit</strong> Log Router<br />
acfwrecd<br />
The <strong>eTrust</strong> <strong>Audit</strong> FW-1 Recorder<br />
acrecorderd<br />
The <strong>eTrust</strong> <strong>Audit</strong> Generic Recorder<br />
snmprec<br />
The <strong>eTrust</strong> <strong>Audit</strong> SNMP Recorder<br />
Issuing Commands to Control the Daemons<br />
You can issue commands to control the <strong>eTrust</strong> <strong>Audit</strong> daemons as follows:<br />
1. Log in as root.<br />
2. Using either the Bourne or Korn shells, use the steps in the topic for your<br />
UNIX platform.<br />
3. Depending on your UNIX platform, do the following:<br />
Solaris<br />
From the shell prompt, enter the following command:<br />
/etc/rc2.d/S77servicename<br />
AIX<br />
From the shell prompt, follow these steps:<br />
1. Enter the following command to set environment variables in<br />
preparation for starting the <strong>eTrust</strong> <strong>Audit</strong> daemons:<br />
. /usr/eaudit/bin/ac_set_env.sh<br />
2. Enter the command as follows:<br />
/usr/eaudit/bin/servicename<br />
HP-UX<br />
From the shell prompt enter the following command:<br />
/sbin/rc2.d/S770servicename<br />
Tru64 and Linux<br />
From the shell prompt enter the following command:<br />
/sbin/rc2.d/S77servicename<br />
where servicename is one of the following:<br />
acactmgr<br />
The <strong>eTrust</strong> <strong>Audit</strong> Action Manager<br />
acdistagn<br />
The <strong>eTrust</strong> <strong>Audit</strong> Distribution Agent<br />
acfwrecd<br />
The <strong>eTrust</strong> <strong>Audit</strong> Recorder for Check Point Firewall-1<br />
aclogrcd<br />
The <strong>eTrust</strong> <strong>Audit</strong> Collector<br />
aclogrd<br />
The <strong>eTrust</strong> <strong>Audit</strong> Log Router<br />
acrecorderd<br />
The <strong>eTrust</strong> <strong>Audit</strong> Generic Recorder<br />
snmprec<br />
The <strong>eTrust</strong> <strong>Audit</strong> SNMP Recorder<br />
Syntax<br />
The following command syntax applies to all <strong>eTrust</strong> <strong>Audit</strong> daemons portmap:<br />
daemon options<br />
where daemon is the name of the daemon. The options are described in the<br />
topic that follows.<br />
Options<br />
The following list describes the available parameters:<br />
-help<br />
Displays these syntax options.<br />
-debug<br />
Starts the daemon in foreground mode; that is, it routes events to the console<br />
(STDOUT). For example, the following command starts the daemon and<br />
routes the output to the console:<br />
daemon -debug<br />
You can use the following options:<br />
-trace options<br />
Starts a trace of the daemon. For example, the following command starts<br />
the daemon and routes debug messages to the console and a file named<br />
errors.txt:<br />
daemon -debug -trace dest1 STDOUT dest2 errors.txt<br />
See the description of the -trace option later in the list.<br />
-install<br />
Installs the daemon.<br />
You can use the following options:<br />
-user name<br />
Lets you specify the name of a user authorized to install a daemon on the<br />
system. You should combine the -user and -pwd options as follows:<br />
daemon -install -user user01 -pwd password<br />
-pwd password<br />
Lets you specify the password of a user authorized to install a daemon<br />
on the system. You should combine the -user and -pwd options as<br />
follows:<br />
daemon -install -user user01 -pwd password<br />
-trace options<br />
Starts a trace of the daemon after installing it. For example, the following<br />
command installs the daemon and routes debug messages to the console:<br />
daemon -install -trace dest1 STDOUT<br />
See the description of the -trace option later in the list.<br />
-remove<br />
Removes the daemon.<br />
You can use the following options:<br />
-trace options<br />
Starts a trace of the daemon while removing it. For example, the<br />
following command uninstalls the daemon and routes debug messages<br />
to a file named errors.txt:<br />
daemon -remove -trace dest1 errors.txt<br />
See the description of the -trace option later in the list.<br />
-start<br />
Starts the daemon in background mode; that is, without a console.<br />
You can use the following options:<br />
-trace options<br />
Starts a trace of the daemon while starting it. For example, the following<br />
command starts the daemon and routes debug messages to a file named<br />
errors.txt:<br />
daemon -start -trace dest1 errors.txt<br />
Additionally, you can use the redirect symbol, >, as follows to open a<br />
console and direct the output to a file:<br />
daemon -start -trace dest1 STDOUT > errors.txt<br />
See the description of the -trace option later in the list.<br />
-stop<br />
Stops the daemon.<br />
You can use the following options:<br />
-trace options<br />
Starts a trace of the daemon while stopping it. For example, the<br />
following command stops the daemon and routes debug messages to a<br />
file named errors.txt:<br />
daemon -stop -trace dest1 errors.txt<br />
See the description of the -trace option later in the list.<br />
The -trace option applies to all parameters except -help, as follows:<br />
-trace options<br />
Turns on trace mode, which routes trace-level messages of a specified level<br />
to the destination. You can specify the following trace options:<br />
-dbglvl n<br />
Sets the debug level. n is the level from 1 to 5, 1 providing the least<br />
amount of debug information and 5 providing the most details. If you do<br />
not specify a value, 1 is the default.<br />
-dest1 dest<br />
Sets the primary output destination for the debugging information.<br />
dest can be one of the following:<br />
STDOUT<br />
Routes messages to the console.<br />
STDERR<br />
Routes messages to the console or to wherever you have redirected<br />
STDERR.<br />
filename<br />
The name of the file where you want the daemon to write the debug<br />
output.<br />
-dest2 dest<br />
Sets a secondary output destination to display the debugging<br />
information. dest can be one of the following:<br />
STDOUT<br />
Routes messages to the console.<br />
STDERR<br />
Routes messages to the console or to wherever you have redirected<br />
STDERR.<br />
filename<br />
The name of the file where you want the daemon to write the debug<br />
output.<br />
Action Manager Daemon (acactmgr)<br />
The <strong>eTrust</strong> <strong>Audit</strong> Action Manager daemon, acactmgr, reads events from queues<br />
where actions were placed by the Router and performs the specified actions<br />
defined for each event. The queues have parameters such as maximum action<br />
time, maximum file number and so on. These parameters affect the performance<br />
of the Action Manager.<br />
Tip: For information about the Action Manager, actions, and configuration<br />
files, see About Actions in the “Configuration Files” chapter.<br />
For details, see e<strong>Audit</strong>.ini in the “UNIX INI Files” chapter.<br />
e<strong>Audit</strong>.ini File Entries<br />
The daemon running on UNIX is controlled by the following entries in<br />
e<strong>Audit</strong>.ini:<br />
Client\Router\Queue Manager\Queues<br />
Client\Router\Queue Manager\Queues\xxxQueue\Queue Parameters<br />
The file is located in install_dir/ini/, where install_dir is the directory where you<br />
installed <strong>eTrust</strong> <strong>Audit</strong>.<br />
Distribution Agent Daemon (acdistagn)<br />
The <strong>eTrust</strong> <strong>Audit</strong> Distribution Agent daemon, acdistagn, receives policy files from<br />
the Policy Manager through the <strong>eTrust</strong> <strong>Audit</strong> Distribution Server service running on<br />
a Windows system. The distribution agent daemon also removes old policy files<br />
if instructed by the <strong>eTrust</strong> <strong>Audit</strong> Distribution Server service.<br />
The distribution agent daemon changes auditing requirements according to the<br />
policy it receives. The daemon notifies the router to update the policy to get new<br />
rules.<br />
For details, see e<strong>Audit</strong>.ini in the “UNIX INI Files” chapter.<br />
e<strong>Audit</strong>.ini File Entries<br />
The daemon running on UNIX is controlled by the following entries in<br />
e<strong>Audit</strong>.ini:<br />
Client\Management Agent<br />
The file is located in install_dir/ini/, where install_dir is the directory where you<br />
installed <strong>eTrust</strong> <strong>Audit</strong>.<br />
Collector Daemon (aclogrcd)<br />
The <strong>eTrust</strong> <strong>Audit</strong> Collector daemon, aclogrcd, receives information from the<br />
<strong>eTrust</strong> <strong>Audit</strong> Action Manager daemons on systems where <strong>eTrust</strong> <strong>Audit</strong> is<br />
running, and writes it to the event database.<br />
For details, see e<strong>Audit</strong>.ini in the “UNIX INI Files” chapter.<br />
e<strong>Audit</strong>.ini File Entries<br />
The daemon running on UNIX is controlled by the following entries in<br />
e<strong>Audit</strong>.ini:<br />
Data Server\Database<br />
Data Server\Collector<br />
The file is located in install_dir/ini/, where install_dir is the directory where you<br />
installed <strong>eTrust</strong> <strong>Audit</strong>.<br />
Log Router Daemon (aclogrd)<br />
The <strong>eTrust</strong> <strong>Audit</strong> Log Router daemon, aclogrd, receives events from a number of<br />
different sources. It handles received events according to the filters specified in<br />
the router configuration file.<br />
For details, see e<strong>Audit</strong>.ini in the “UNIX INI Files” chapter.<br />
e<strong>Audit</strong>.ini File Entries<br />
The daemon running on UNIX is controlled by the following entries in<br />
e<strong>Audit</strong>.ini:<br />
Client\Router<br />
The file is located in install_dir/ini/, where install_dir is the directory where you<br />
installed <strong>eTrust</strong> <strong>Audit</strong>.<br />
Generic Recorder Daemon (acrecorderd)<br />
The <strong>eTrust</strong> <strong>Audit</strong> Generic Recorder daemon, acrecorderd, reads the logs created<br />
by the UNIX operating system, by third-party applications running on the UNIX<br />
station, or both, and sends them to the <strong>Audit</strong> Router daemon, aclogrd, for further<br />
handling by <strong>eTrust</strong> <strong>Audit</strong>.<br />
You can edit the recorder configuration file, recorder.ini, to specify which events<br />
are to be recorded. For details, see recorder.ini in the “UNIX INI Files” chapter.<br />
Recorder.ini File Entries<br />
The daemon running on UNIX is controlled by the following entries in<br />
recorder.ini:<br />
Recorder_Modules<br />
The file is located in install_dir/ini/, where install_dir is the directory where you<br />
installed <strong>eTrust</strong> <strong>Audit</strong>.<br />
SNMP Recorder Daemon (snmprec)<br />
The <strong>eTrust</strong> <strong>Audit</strong> SNMP Recorder daemon, snmprec, traps SNMP messages sent<br />
to a UNIX machine, and then passes them on to the default router. By default, the<br />
default router is the local host.<br />
e<strong>Audit</strong>.ini File Entries<br />
The daemon running on UNIX is controlled by the following entries in<br />
e<strong>Audit</strong>.ini:<br />
Client\Recorders\SNMP Recorder<br />
The file is located in install_dir/ini/, where install_dir is the directory where you<br />
installed <strong>eTrust</strong> <strong>Audit</strong>.<br />
Chapter 4<br />
Configuration Files<br />
The <strong>eTrust</strong> <strong>Audit</strong> Router reads the .cfg files that are found in the following<br />
directories:<br />
For Windows systems<br />
\<strong>eTrust</strong> <strong>Audit</strong>\cfg directory<br />
For UNIX systems<br />
/usr/eaudit/cfg<br />
These .cfg files contain filters that are made up of rules, and actions and targets.<br />
Using these rules the log router, aclogrd, filters the forwarded events and<br />
discards some of them.<br />
About Queues<br />
The events the log router receives from the recorders are written into queues.<br />
These queues are specified as follows:<br />
For Windows systems<br />
The queues are located in directories specified in the following registry key:<br />
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\<strong>eTrust</strong> <strong>Audit</strong>\Client\Router\Queue Manager\Queues\DirectoryName<br />
For UNIX systems<br />
The queues are located according to specifications in the following section of<br />
the .ini file:<br />
Client\Router\Queue Manager\Queues<br />
The three predefined queues are:<br />
■ Default<br />
■ AlertQueue<br />
■ CollectionQueue<br />
However, you can define your own queues.<br />
About Queue Rules<br />
The queue to which the router writes depends on the rules defined in the Queue<br />
Rules key:<br />
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\<strong>eTrust</strong> <strong>Audit</strong>\Client\Router\Queue Manager\Queues\AlertQueue\Queue Rules<br />
The form of queue rules differs depending on the operating system.<br />
Windows<br />
The form of a queue rule is as follows:<br />
rule_name as the registry value name and action; target name as the value data (for a specific target)<br />
or<br />
rule_name as the registry value name and action; as the value data (for all targets)<br />
UNIX<br />
The form of a queue rule is as follows:<br />
rule_name = action\; target name (for a specific target)<br />
or<br />
rule_name = action\;<br />
(for all targets)<br />
Example<br />
For example, if the .cfg file contains a rule with the action, Collector, the records<br />
are written to the collection queue, because this queue, as defined by the Queue<br />
rules, includes the rule Collector.<br />
You can add rules in the registry, to customize your settings. By default, actions<br />
for which you have no defined rules are directed to the default queue. If you<br />
want actions to be directed to the alert or collection queue, you must add a rule.<br />
In the following example, the ‘file’ rule was added to specify that actions of this type<br />
be directed to this queue, and not to the Default directory.<br />
myrule = file\;<br />
Any event that has several attached actions may be placed in several queues.<br />
About Actions<br />
The Action Manager uses the saved events to determine which action to take for<br />
a specific event. The following topics describe the available actions:<br />
collector<br />
The collector action tells the Action Manager to send the events received<br />
from the queue to a collector on a user-defined host, as shown in the<br />
following example:<br />
Action collector; systema<br />
In the example, the Action Manager sends the events to the collector on the<br />
host known as systema.<br />
monitor<br />
The monitor action tells the Action Manager to send the events received from<br />
the queue to the security monitor on a user-defined host, as shown in the<br />
following example:<br />
Action monitor; localhost<br />
In the example, the Action Manager sends the events to the security monitor<br />
on the current system.<br />
screen<br />
The screen action tells the Action Manager to send the events received from<br />
the queue to the screen on a user-defined host, as shown in the following<br />
example:<br />
Action screen; systemb<br />
In the example, the Action Manager sends the events received from the<br />
queue to the screen on systemb.<br />
Note: The screen action is for Windows systems only.<br />
mail<br />
The mail action tells the Action Manager to send events received from the<br />
queue to a specific email address, as shown in the following example:<br />
Action mail; administrator@myorg.com<br />
In the example, the Action Manager sends the events received from the<br />
queue to the email address of the administrator.<br />
SNMP<br />
The SNMP action tells the Action Manager to send events received from the<br />
queue by the SNMP protocol to the user-defined host, as shown in the<br />
following example:<br />
Action SNMP; systemc<br />
In this example, the Action Manager routes SNMP events to the host<br />
systemc.<br />
file<br />
The file action tells the Action Manager to write the events received from the<br />
queue to a file as shown in the following example:<br />
Action file; c:\events\myevents.txt<br />
In this example, the Action Manager writes events to the<br />
c:\events\myevents.txt file.<br />
route<br />
The route action tells the Action Manager to send router events to a remote<br />
host where the router of that host handles them as shown in the following<br />
example:<br />
Action route; systema<br />
In this example, the Action Manager sends router events to the router on<br />
systema.<br />
remote<br />
The remote action tells the Action Manager to move records from a queue to<br />
a remote router and performs any action on this remote host. For example:<br />
Action remote; systema; monitor;systemb<br />
In this example, the Action Manager moves the events to the remote router<br />
on the host, systema, where they will are sent to the security monitor on<br />
systemb.<br />
4–4 <strong>Reference</strong> <strong>Guide</strong>
About Actions<br />
program<br />
The program action tells the Action Manager to run an executable or batch<br />
file when an event is received. When you define an action with the name<br />
program, the Action Manager writes the event to a file. The file name and the<br />
file location (the directory to which the file was written) are transferred as<br />
one string to the program you want to run as the first parameter.<br />
You can use either of the following methods to specify the program action:<br />
Action program;\path\progname.exe; additional_parameters; timeout<br />
Action program;\path\progname.bat; additional_parameters; timeout<br />
path<br />
You must specify name of the program or batch file as follows:<br />
■<br />
■<br />
Use the full path name<br />
Ensure that the program file is in the directory defined by the<br />
%path% environment variable<br />
If the program is located in the directory defined by the system<br />
environment variable, PATH, or in the directory install_dir\bin, you can<br />
omit the path. You cannot use quotation marks, so the path statement<br />
cannot include directories with spaces in their names.<br />
additional_parameters<br />
You can specify parameters for the command. When you run a batch file,<br />
it contains the same parameters as a program. It is the responsibility of<br />
the program to parse the additional parameters.<br />
timeout<br />
You can specify an optional timeout period in seconds. The default<br />
timeout is 30 seconds. If the program has not exited when the timeout<br />
expires, it is terminated.<br />
When you run a program or a batch file, the following occurs:<br />
■<br />
■<br />
The event is written into a file located in the TEMP directory<br />
(currently %TEMP%)<br />
The program itself gets the file name and the directory path.<br />
Note: Using your API, you can open the file, retrieve the appropriate<br />
information, and run your software accordingly.<br />
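The following is an added example, not eTrust Audit code, that reproduces the dispatch behaviour the program action describes: the event is written to a file in the TEMP directory, the program receives that file's full path as its first parameter followed by the additional parameters, and the program is terminated when the timeout expires. The key=value event layout and the two stand-in programs (small Python scripts run with the current interpreter in place of a real executable or batch file) are constructed for the example; the guide does not document the real file format.

```python
"""Simulation of how the 'program' action dispatches an event to a program.

Added example; this is not eTrust Audit code. The event text layout below is
constructed for the example (the guide does not document the real format).
"""
import os
import subprocess
import sys
import tempfile

DEFAULT_TIMEOUT = 30  # seconds; the default the guide states


def run_program_action(event_text, program, additional_parameters=(), timeout=DEFAULT_TIMEOUT):
    """Write event_text to a temporary file, run `program` (a list: executable
    plus fixed arguments) with the file path as its first parameter, and
    return a dict describing the outcome."""
    # mkstemp creates the file readable only by the current user (0600 on
    # POSIX), so other local accounts cannot read the event while it waits.
    fd, path = tempfile.mkstemp(prefix="etrust_event_", suffix=".txt",
                                dir=tempfile.gettempdir())
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(event_text)
    # Arguments are passed as a list, never as a shell string, so nothing
    # taken from the event can be interpreted by a shell.
    argv = [*program, path, *additional_parameters]
    try:
        done = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
        outcome = {"terminated": False, "returncode": done.returncode, "stdout": done.stdout}
    except subprocess.TimeoutExpired:
        # subprocess.run kills the child before raising, which mirrors the
        # Action Manager terminating a program that outlives its timeout.
        outcome = {"terminated": True, "returncode": None, "stdout": ""}
    finally:
        os.unlink(path)  # do not leave audit data lying around in TEMP
    return outcome


# Constructed sample event in a simple key=value layout (an assumption).
SAMPLE_EVENT = "Src=NT-Security\nOper=Logon\nStatus=F\nUser=jerry\n"

# Stand-ins for a real executable or batch file: small Python programs run
# with the current interpreter. The first reads the event file it is handed
# and prints the Status field; the second never finishes in time.
READ_STATUS = (
    "import sys\n"
    "fields = dict(line.rstrip('\\n').split('=', 1) for line in open(sys.argv[1]) if '=' in line)\n"
    "print(fields['Status'])\n"
)
HANG = "import time; time.sleep(60)\n"


def demo_completes():
    """The normal path: the program exits within the timeout."""
    return run_program_action(SAMPLE_EVENT, [sys.executable, "-c", READ_STATUS],
                              additional_parameters=["extra_param"], timeout=DEFAULT_TIMEOUT)


def demo_times_out():
    """The failure path: a one-second timeout terminates a hung program."""
    return run_program_action(SAMPLE_EVENT, [sys.executable, "-c", HANG], timeout=1)


if __name__ == "__main__":
    print(demo_completes())
    print(demo_times_out())
```

The temporary file is created with owner-only permissions and removed once the program has exited or been terminated, and the program is started from an argument list rather than a shell command line; both points matter because the file carries audit data and the program receives a path it did not choose.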
unicenter
The unicenter action tells the Action Manager to send events to the local
Unicenter agent (installed on the eTrust Audit host that performs the action)
for forwarding to the Unicenter Event Management Console on the specified
host, as shown in the following example:
Action unicenter; systema
In the example, the Action Manager sends events to the Unicenter Event
Management Console on systema.
Note: Status codes from eTrust Access Control are translated to their generic
equivalents. In the Unicenter Event Management Console, events display
color codes and status icons. The Unicenter Event Management Agent must
be installed on the host where the Action Manager runs.
Recorder Configuration File
In the recorder configuration file, each line (other than comment lines) provides
criteria for bringing audit records into the local audit file from Windows. A
record is admitted and handled by eTrust Audit if it matches the criteria of any
line in the file. If the record does not match a line, then eTrust Audit ignores
the record. The file is selogrec.cfg in the audit\etc directory, where audit is the
directory in which you installed eTrust Audit. This file defines which NT logs
will be read, according to the client.
The format is explained in the following example. Use commas as delimiters
within the three-part resource specification (source, event category, event ID).
This differs from the semicolons that are used as delimiters elsewhere. The
file is case-sensitive.
You can select the way to filter the events that are recorded by using the
following mask (event log name; resource; user; result):
log_name;source,event_category,event_ID;user;result
For example:
NT-Security;Security,Detailed Tracking,593;jerry;S
The default values, which can be selected during installation, are:
■ NT-System;*;*;*
■ NT-Security;*;*;*
■ NT-Application;*;*;*
For more in-depth information regarding this issue, see the selogrec.cfg file in the
install_dir\etc directory.
The access results Success and Failure typically refer to logins, while Info reports
on successful application startups. Warning refers to possible problems, while
Error indicates a more severe problem.

Comment Lines
To create a comment line, begin it with a semicolon (;), pound sign (#), or
exclamation point (!). For example:
! Here are four comment lines. If you wanted to
! use the fourth one as a rule, you could simply
! erase the "!" mark from its start.
! NT-Security;Security,Detailed Tracking,593;jerry;S

The Asterisk as Wildcard
You can use an asterisk (*), signifying any number of wildcard characters, for any
field except the event log name. If you wish, you can use a single asterisk for the
three-part Resource field; for example, to indicate "all Windows NT security log
events, regardless of resource, user, and result":
NT-Security;*;*;*
The question mark (?) represents a single wildcard character.
Here is another example, specifying all Windows NT Application log events that
are Information events with the eTrust Audit Collector service as their source,
regardless of event category, event ID, and user:
NT-Application;eTrust Audit Col*,*,*;*;I
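As an added example (not the eTrust Audit recorder's own code), the following Python parser reads selogrec.cfg-style lines using the layout described above (event log name; source,event category,event ID; user; result), honours the three comment characters, treats * and ? as wildcards in every field except the log name, accepts a single * for the whole resource field, and compares case-sensitively. The configuration text and the event records it is checked against are constructed for the example; the event dictionary keys are an assumption about how a recorder would present the fields.

```python
"""Parser and matcher for selogrec.cfg-style recorder rules.

Added example, not the eTrust Audit recorder's own code. Field layout,
comment characters and wildcard rules follow the guide; the sample
configuration and events are constructed.
"""
import re


def _wildcard_to_regex(pattern):
    """Translate the '*' / '?' wildcards into an anchored regular expression.
    Everything else is escaped so that characters such as '.' or '(' in an
    event source name are matched literally."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")  # case-sensitive, as the file is


def parse_recorder_config(text):
    """Return a list of (log_name, resource_regexes, user_regex, result_regex)
    tuples, one per rule line. A single '*' for the resource field selects
    every resource, as the guide allows."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#!":
            continue
        fields = line.split(";")
        if len(fields) != 4:
            raise ValueError("expected 4 semicolon-separated fields: %r" % raw)
        log_name, resource, user, result = fields
        parts = ["*", "*", "*"] if resource == "*" else resource.split(",")
        if len(parts) != 3:
            raise ValueError("resource must be source,category,eventID: %r" % raw)
        rules.append((log_name, [_wildcard_to_regex(p) for p in parts],
                      _wildcard_to_regex(user), _wildcard_to_regex(result)))
    return rules


def is_admitted(event, rules):
    """An event is admitted if it matches any rule line. The event is a dict
    with keys log, source, category, event_id, user, result (an assumption)."""
    for log_name, res_regexes, user_rx, result_rx in rules:
        if event["log"] != log_name:  # the log name takes no wildcards
            continue
        resource_values = (event["source"], event["category"], str(event["event_id"]))
        if all(rx.match(v) for rx, v in zip(res_regexes, resource_values)) \
                and user_rx.match(event["user"]) and result_rx.match(event["result"]):
            return True
    return False


# Constructed configuration: the guide's examples plus a commented-out rule.
SAMPLE_CONFIG = """\
! comment lines are ignored
NT-Security;Security,Detailed Tracking,593;jerry;S
NT-Application;eTrust Audit Col*,*,*;*;I
; NT-System;*;*;*
"""

# Constructed events in the shape the matcher expects.
SAMPLE_EVENTS = [
    {"log": "NT-Security", "source": "Security", "category": "Detailed Tracking",
     "event_id": 593, "user": "jerry", "result": "S"},
    {"log": "NT-Security", "source": "Security", "category": "Detailed Tracking",
     "event_id": 593, "user": "Jerry", "result": "S"},   # case differs: not admitted
    {"log": "NT-Application", "source": "eTrust Audit Collector", "category": "None",
     "event_id": 100, "user": "SYSTEM", "result": "I"},
    {"log": "NT-System", "source": "Service Control Manager", "category": "None",
     "event_id": 7036, "user": "SYSTEM", "result": "I"},  # its rule is commented out
]


def admitted_events(config=SAMPLE_CONFIG, events=SAMPLE_EVENTS):
    """Indexes of the sample events that the configuration admits."""
    rules = parse_recorder_config(config)
    return [i for i, ev in enumerate(events) if is_admitted(ev, rules)]
```

Running admitted_events() on the constructed data admits only the first and third events: the second fails because the user field is compared case-sensitively, and the fourth fails because the NT-System line is commented out, so nothing from that log reaches the audit file.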
Redirector Configuration File
The redirector configuration file tells what should be sent where. By default,
everything is sent to the router (local or remote).
While running, the redirector periodically reconfigures itself according to the
contents of the redirector configuration file.
For SeLogRd, the configuration file is logroute.cfg, located in the install_dir\etc
directory.
Router Configuration File
The router filters events and decides what action should be performed on these
events according to configuration files. The table that follows provides a brief
overview of the statements and some sample rule statements:

Statement: Rule
Example: select_NT (name of rule)
Description: Every rule must start with the word Rule and have at least one
action or one Do group.

Statement: Action
Example: Monitor;localhost (target name)
Description: Defines the action associated with the event. Possible actions
include monitor, file, Collector, and so on.

Statement: Include int
Example: Log ~"^NT"
Description: Include int is the internal language command, Include. Log ~"^NT"
is the condition for including the event.

Statement: Exclude int
Example: Log ~"^Oracle"
Description: Exclude int is the internal language command, Exclude.
Log ~"^Oracle" is the condition for excluding the event.

Statement: Do group
Example: group_NT
Description: Can be used for activating another group of rules. The statement
enables implementing a nesting of rules.

Statement: Group
Example: group_NT
Description: Contains a list of rules.

Statement: Do Int Define
Example: $Host_%Location%_Count Value(1)
Description: Defines an internal integer variable that has the value 1.
Whatever is between % signs (such as %Location%) is replaced by embedded text;
in this case, it is replaced by whatever value Location has.

Statement: exists
Example: $Host_%Location%_Count exists
Description: Tests for the existence of the variable.

Statement: Incr
Example: Host_%Location%_Count
Description: Increments the internally defined variable.

Statement: Decr
Example: Host_%Location%_Count
Description: Decrements the internally defined variable.

Statement: Integer:
Example: $Host_%Location%_FailedCount equal to 3
Description: Declares that a variable or an SAPI field is an integer.

Statement: Do Int Define
Example: $AlertEvent Src("eTrust Policy Manager") Type("Alert")
Description: Defines a variable. It can be used to generate a new event.

Statement: Do Int Set
Example: $AlertEvent.User User
Description: Sets the value of User in the generated event by copying the value
contained in the token User, which is found in the event currently filtered.

Statement: Do Int Delete
Example: $AlertEvent
Description: Deletes the generated event.

Statement: Do Int NewEvent
Example: $AlertEvent
Description: Generates a new event.
Chapter 5
Router Configuration File Rule Language Reference
The router configuration files, router*.cfg, configure the eTrust Audit router
(ACLogRd). This chapter describes how to enter rules directly into the file.
You can also compose rules using Policy Manager's Policies window. Policy
Manager automates the writing of scripts (lines in the rules file consisting of
conditions and subsequent actions).

Location of the Router Configuration File
The default extension of the router configuration file is .cfg. The full path to the
file should be recorded:
■ in UNIX, in the Router section of the .ini file, as the token RulesPath
■ in Windows, as the value of RulesFile under the registry key
  HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Client\Router

File Structure
The file consists of rules. Each rule consists of a filter (conditions for including
and excluding events) and actions (actions to be taken if an event matches the
filter).
Rules are arranged in groups. Each event is matched against all the rules in the
default group. Rules inside a non-default group are tested only if a rule calls for
performance of the group.
Each rule is comprised of the following lines:
Rule ruleName
Action action
Include Int condition
Exclude Int condition
Each condition uses binary operators to check whether a field in the event record
has a given value.
For example:
Rule Route_Oracle_From_Maneki
Include Int Location equal to "maneki", Src equal to "Oracle"
Action route; target_host;
-----------
Rule Mail_Frank_on_Create_Admin
Include Int Integer: ID equal to 536, Object equal to "Administrator"
Action mail; frank; Someone created an administrator!
Variables
In addition, rules can perform variable manipulation, adding flags and counters
to audit records. You may wish to generate a suspicious event after a certain
number of repetitions, within a specified time, of an event that is not in itself
suspicious. Failed logons are a good example.
Variable names begin with $. Because they are assigned only temporarily, you
can choose any name you wish, such as $Flag or $counter.
Do languageName operation $variablename
Variables are defined in the Do statement of a rule. A variable can contain several
properties. (The default property is Value.) For example:
Do Int Define $Flag 1
Do Int Define $Flag Value(1) User("John")
After an event triggers initialization of a variable, the variable can be
manipulated by further events in several ways:
■ An event can set a new value for the variable, as follows:
  Do Int Set $User "John"
  Do Int Set $Flag.User "John"
■ The event can increment or decrement the value, as follows:
  Do Int Incr $Count
  Do Int Decr $Count
■ The event can add or subtract values from the variable, as follows:
  Do Int Add $Sum 3
  Do Int Subtract $Sum 2

Variable Expiration
A variable is deleted automatically one hour after its initialization.
You can delete the variable explicitly using the operation Delete, as follows:
Do Int Delete $Flag
You can specify a different span of time in seconds using the property ExpireIn
in a variable definition. The following example sets the counter's initial value to
1, while specifying that the variable will cease to exist after two hours:
Do Int Define $Counter Value(1) ExpireIn(7200)
You can also set expiration to occur a certain number of seconds after the last
modification of the variable, as follows:
Do Int Define $Counter Value(1) ExpireSinceLastModified(900)

Dynamic Variable Names
You can define variables that incorporate data from the event record into the
variable name. For example:
Do Int Define $LoginCount%Location% Value (1)
%Location% is translated only when an event triggers execution of the rule.
Whatever value is contained in the SAPI field Location will be inserted in the
place of %Location%.
Dynamic variable names can include more than one token, as in the following
case:
Do Int Incr $Count_%User%_%Location%_FailedLogins

Using Variables in Filter Rules
You can use variables in Include and Exclude conditions just as you would use
other tokens, using the same binary operators and regular expressions.
For example:
Include Int Integer: $Count equal to 3
Include Int Integer: $Count.Value equal to 3
You can also query whether a variable was defined, as follows:
Include Int $Flag exists
If the variable was defined, the condition is true.
Groups
Groups are set off by the statement:
group groupName
Rules that follow such a statement are considered part of the group. A rule may
be assigned to a given group simply by introducing it with the appropriate
group groupName statement. Switch to other groups by introducing another
groupName.
Group names must be unique.

Loops
Loops are not permitted. Any rule or group that calls itself will be reported as an
error.

Command Syntax
Each line in the rule begins with a command. Commands have the following
syntax.

action; target
Syntax
action action; target
Description
Each action has its own appropriate target format. The action argument is one
of the following; target is its target parameter:
collector
  Target parameter: hostname or IP address. Sends the record to the collector
  service on the specified host.
e-mail
  Target parameter: recipient@domain. Sends e-mail to the specified account.
file
  Target parameter: full pathname. Appends event details to the file with the
  specified pathname.
route
  Target parameter: hostname or IP address. Forwards the message, before
  filtering, to a router on another host.
screen
  Target parameter: hostname, IP address, or username. Sends event details as a
  screen popup to a host or (if logged in) user. This action applies to Windows
  systems only.
monitor
  Target parameter: hostname or IP address. Sends the event to the Security
  Monitor console running on the specified host.
snmp
  Target parameter: hostname or IP address. Sends the event to the SNMP server
  on the specified host.
unicenter
  Target parameter: hostname or IP address. Sends the event to the Unicenter
  Event Management Console on the specified host.

action; remote
Syntax
action remote; hostname; action; target
Description
Whenever the client station is not configured to perform the action specified, it is
necessary to use the action remote command to set up remote execution of the
action. The action and target parameters are the same as in the action command.
Parameters
hostname
  The host where the action should take place (for example, a mail or fax server).
action
  See the action command.
target
  See the action command. Each action has appropriate formats for targets.
do
Syntax
do Int operation
Description
The do command introduces each operation that a rule applies to an event.
Unless you compose your own language for conditions, the value for the
language name will be Int (internal language).
Operations
add $variablename value
  Adds the given value to the variable.
decrement $variablename
  Subtracts one from the value of a variable used as a counter.
define $variablename
  Establishes the name of a variable.
define $variablename ExpireIn seconds
  Gives the time at which the variable will be deleted, in seconds from
  creation (default is one hour).
define $variablename ExpireSinceLastModified seconds
  Gives the time at which the variable will be deleted, in seconds from the
  time of its last modification.
delete $variablename
  Deletes the variable.
group groupname
  Gives the name of the group of rules to be performed if the event matches
  the current rule.
increment $variablename
  Adds one to the value of a variable used as a counter.
rule rulename
  Gives the name of the rule to be performed if the event matches the current
  rule.
set $variablename value
  Sets the value of a variable that has already been defined.
subtract $variablename value
  Subtracts the given value from the variable.
NewEvent $variablename
  Creates a new event.

type:
Syntax
command Int type: datatype condition
Description
By default, the data type for conditions is string. If you wish to use another data
type, specify it with the type: command. We recommend that you use non-string
data types when evaluating numerical values.
Datatype and permissible formats
Integer
  Integer value
Timestamp
  Jun 13, 1999 at 12:00
Time
  11 pm
  11:23:00
  11:23:30 pm
  23:30
Date
  Aug 2, 2000
  2 Aug, 2000
  2 Aug, 00

include
Syntax
Include Int condition
Description
Any record that meets the condition will be subject to the rule in which it is
contained.
Each condition includes binary operators and regular expressions (in quotation
marks). Conditions take one of the following forms:
Include Int token "regularexpression"
or
Include Int token exists
The data type will be string unless you add a type: command before the regular
expression. For example:
Include Int Integer: id equal to 536

exclude
Syntax
Exclude Int condition
Description
The format for conditions is the same as for the include command. Any records
meeting the condition will be excluded from treatment.

rule
Syntax
rule rulename
Description
Each use of the rule command starts a new rule.
Parameter
rulename
  Name of the rule that follows.

group
Syntax
group groupname
Description
Each use of the group command starts a new group of rules. Groups can contain
internal rules (rule rulename internal) that are only called from within the group.
Parameter
groupname
  Name of the group of rules that follows.
To return to the default group, use the group command with no parameter.
For example:
;==============
group login
Rule cont_login
Include int $Login_%source% exists
do rule increment
do group cont_login_group
;-------------------------
Rule increment internal
do int increment $Login_%source%
;------------------
Rule tenth_login
Include int integer: $Login_%source% == 10
Do int Delete $Login_%source%
Action mail; john; Tenth login
;================
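The following is an added example, not the eTrust Audit router's code: a small Python interpreter for the subset of the rule language used in the example above and in the Variables section (default and named groups, internal rules reached through do rule, Include and Exclude conditions of the form [integer:] field-or-$variable exists or == value, Do Int define, increment and delete, ExpireIn with the one-hour default expiry, and %Token% expansion in dynamic variable names). The rule file inside it is constructed: it completes the login-counting example above with a default-group rule that enters the login group on failed logons and a rule that starts the per-source counter, because rules in a non-default group run only when a rule calls for the group. The simulate() function feeds failed logons from one source through the engine and counts the mail actions, which shows that the counter reaches ten only when the failures fall inside the counter's ExpireIn window; the clock is injected so the expiry behaviour can be exercised without waiting.

```python
"""Miniature interpreter for the router rule constructs described above. Added
example, not the eTrust Audit router (ACLogRd); the rule text and events are constructed."""
import re

DEFAULT_EXPIRE = 3600  # seconds; the guide's default lifetime of a variable
COND = re.compile(r'^(integer:\s*)?(\$?\S+)\s+(exists|==)\s*(?:"([^"]*)"|(\S+))?$', re.I)


class RuleEngine:
    def __init__(self, clock):
        self.clock = clock   # injected time source, so expiry can be tested without waiting
        self.vars = {}       # variable name -> {"value": ..., "expires": clock reading}
        self.groups = {}     # group name -> list of rules; "" is the default group
        self.fired = []      # (action, target, ...) tuples from rules that matched

    def load(self, text):
        group, rule = "", None
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line[0] in ";#!":
                continue
            cmd, _, arg = line.partition(" ")
            cmd, arg = cmd.lower(), arg.strip()
            if cmd == "group":
                group = arg                              # bare 'group' returns to default
            elif cmd == "rule":
                name, _, flag = arg.partition(" ")
                rule = {"name": name, "internal": flag.strip().lower() == "internal",
                        "include": [], "exclude": [], "do": [], "actions": []}
                self.groups.setdefault(group, []).append(rule)
            elif cmd in ("include", "exclude"):
                rule[cmd].append(arg.partition(" ")[2])   # drop the 'int' language name
            elif cmd == "do":
                rule["do"].append(arg)
            elif cmd == "action":
                rule["actions"].append(tuple(p.strip() for p in arg.split(";")))

    def _name(self, name, event):  # %Token% -> value of that field in the current event
        return re.sub(r"%(\w+)%", lambda m: str(event.get(m.group(1), "")), name)

    def _lookup(self, name):
        entry = self.vars.get(name)
        if entry and entry["expires"] <= self.clock():
            del self.vars[name]                           # expired: as if never defined
            return None
        return entry

    def _holds(self, cond, event):
        m = COND.match(cond.strip())
        if not m:
            raise ValueError("unsupported condition: %r" % cond)
        as_int, lhs, op, quoted, bare = m.groups()
        if lhs.startswith("$"):
            entry = self._lookup(self._name(lhs, event))
            value = entry["value"] if entry else None
        else:
            value = event.get(lhs)
        if op.lower() == "exists":
            return value is not None
        rhs = quoted if quoted is not None else bare
        return value is not None and (int(value) == int(rhs) if as_int else str(value) == rhs)

    def _do(self, op, event):
        words = op.split()
        if words[0].lower() == "rule":                    # do rule <name>: run that rule now
            self._apply(next(r for rs in self.groups.values() for r in rs if r["name"] == words[1]), event)
        elif words[0].lower() == "group":                 # do group <name>: run that group's rules
            self.process(event, words[1])
        else:                                             # do int <operation> $var ...
            verb, name = words[1].lower(), self._name(words[2], event)
            if verb == "define":
                val = re.search(r"Value\s*\((\d+)\)", op)
                exp = re.search(r"ExpireIn\((\d+)\)", op)
                self.vars[name] = {"value": int(val.group(1)) if val else 0,
                                   "expires": self.clock() + (int(exp.group(1)) if exp else DEFAULT_EXPIRE)}
            elif verb in ("increment", "incr") and self._lookup(name):
                self.vars[name]["value"] += 1
            elif verb == "delete":
                self.vars.pop(name, None)

    def _apply(self, rule, event):
        if all(self._holds(c, event) for c in rule["include"]) and \
                not any(self._holds(c, event) for c in rule["exclude"]):
            for op in rule["do"]:
                self._do(op, event)
            self.fired.extend(rule["actions"])

    def process(self, event, group=""):
        """Match one event against a group's non-internal rules (the default group if none given)."""
        for rule in self.groups.get(group, []):
            if not rule["internal"]:
                self._apply(rule, event)


# Constructed rule file: the guide's login-counting example, completed with a default-group
# rule that enters the 'login' group on failed logons and a rule that starts the counter.
RULES = """\
Rule failed_logon
Include int Status == "F"
do group login
group login
Rule cont_login
Include int $Login_%Src% exists
do rule increment
Rule increment internal
do int increment $Login_%Src%
Rule first_failure
Exclude int $Login_%Src% exists
do int define $Login_%Src% Value(1) ExpireIn(900)
Rule tenth_login
Include int integer: $Login_%Src% == 10
Do int Delete $Login_%Src%
Action mail; john; Tenth login
"""


def simulate(failures, gap_seconds):
    """Feed `failures` failed logons from one source, `gap_seconds` apart; count the mails sent."""
    now = [0.0]
    engine = RuleEngine(clock=lambda: now[0])
    engine.load(RULES)
    for _ in range(failures):
        engine.process({"Src": "NT-Security", "Oper": "Logon", "Status": "F"})
        now[0] += gap_seconds
    return sum(1 for action in engine.fired if action[0].lower() == "mail")
```

With ten failures 30 seconds apart the counter reaches 10 inside its 900-second lifetime and one mail action fires (the tenth_login rule then deletes the counter, so a further ten failures start a fresh count); with the same ten failures 120 seconds apart the counter expires after the eighth and is redefined at 1, so no mail is ever sent. Rule order inside the group matters: cont_login must precede first_failure, or a freshly defined counter would be incremented in the same pass.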
Regular Expressions
The router configuration file supports any pattern recognized as a regular
expression. Put the regular expression in quotation marks. For example:
Src MATCHES "NT*"

Supported Binary Operators
To match a field to a string, you can use binary operators.
The supported binary operators are:
■ EQUAL TO or ==
■ DIFFERENT THAN or !=
■ GREATER THAN or >
■ GREATER OR EQUAL TO or >=
■ LESS THAN or <
■ LESS OR EQUAL TO or <=
The following operators are for strings and regular expressions only.
Note: By default, operators are case-sensitive. Operators that are case-insensitive
are preceded by CI: or Case Insensitive:.
■ MATCHES or ~
■ CI: MATCHES
■ CASE INSENSITIVE: EQUAL TO
■ CI: DIFFERENT THAN
■ PART OF
■ CASE INSENSITIVE: PART OF
To imply an AND between conditions:
Include Int condition, condition, etc.
To imply an OR between conditions:
Include Int condition
Include Int condition

Including Additional Data Types
By default, information is regarded as string. Especially when comparing
integers, this can lead to problems.
Other available types are Integer, Timestamp, Time, and Date. You can use the
types by specifying them as follows:
type: fieldName operator integerValue
Time format can be 11 am, 11:23:00, 11:23:00 pm, or 23:00.
Date format can be Aug 2, 2002 or 2 Aug, 2002. Two-digit year numbers are also
supported.
For example:
Integer: id equal to 22
Timestamp: field_when greater than Jun 13, 2002 at 12:00
Date: field_when equal to 12 Jun, 2002
Time: field_when equal to 11 pm
Identifying Events using SAPI Tokens
The following tables list events and the filters necessary to catch them. For more
information on the eTrust Audit Submit Application Programming Interface
(SAPI), see the "Submit API" chapter.
Tokens (predefined values for SAPI fields) are defined in the file
AC_SAPITokens.h.
These are some filter examples. To see a filter for any predefined rule, open its
Properties dialog on the "Filter" tab in the Policy Manager.

Event: Logon
Filter:
  Category == "System Access"
  Oper == "Logon"

Event: Logon - Failed
Filter:
  Category == "System Access"
  Oper == "Logon"
  Status == "F"

Event: Logon - Successful
Filter:
  Category == "System Access"
  Oper == "Logon"
  Status == "S"

Event: Logon - Admin - Successful (NT only)
Filter:
  Category == "System Access"
  Oper == "Logon"
  SurrogateUser == "Administrator"
  Status == "S"

Event: Logon - Admin - Failed (NT only)
Filter:
  Category == "System Access"
  Oper == "Logon"
  Status == "F"
  Info ~ "Logon Failure*User Name:?administrator*"

Event: Logon - Failed - Bad Password (NT only)
Filter:
  Category == "System Access"
  Oper == "Logon"
  Status == "F"
  Info ~ "*Unknown user name or bad password*"

Event: Account Management
Filter:
  Category == "Account Management"
  Status == "S"

Event: System Error (NT only)
Filter:
  Src == "NT-System"
  Severity == "2"

Event: System - Security System (NT only)
Filter:
  Category == "System Status"
  Src == NT-Security
Chapter 6
Windows Registry Entries
This chapter describes important entries in the Windows registry that belong to
eTrust Audit and are located under the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit
These registry entries control many facets of how eTrust Audit operates.

Opening the Windows Registry
The Windows registry contains keys that control various features in eTrust Audit.
The root level key is as follows:
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit
To open the Windows registry to view or modify its contents, follow these steps:
1. Open a command prompt session.
2. Enter the regedit or regedt32 command.
3. Expand the tree items for HKEY_LOCAL_MACHINE, SOFTWARE,
   ComputerAssociates, and finally the eTrust Audit branch to view the
   registry keys described in the topics that follow.
Note: The topics that follow describe only those key values that you can modify.
Ports
eTrust Audit maintains information about the ports it uses under the following
key:
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Ports
Normally, eTrust Audit uses one of its default ports or uses portmapper to
dynamically assign a port. eTrust Audit uses the values of these keys under the
following conditions:
■ The default port is busy
■ The service cannot get the dynamic port from the portmapper
Under normal circumstances, you would not have any reason to modify these
values. However, if a port is being used by another application or service, or you
need to route events through a firewall, you must modify the values for these
keys.
The key values are as follows:

MonitorPort
The data value specified for the MonitorPort key is used by the Action
Manager to route events to the Security Monitor and by the Security Monitor
to receive events.
Type: String Value
Data: Specify the number of the port to be used. By default, the port is
dynamically assigned by portmapper.

RouterPort
The data value specified for the RouterPort key is used by the router and
redirector.
Type: String Value
Data: Specify the number of the port to be used. By default, the port is
dynamically assigned by portmapper.

RouterSapiPort
The data value specified for the RouterSapiPort key is used by the UNIX
Recorder, the Recorder, the Generic NT Recorder, the Check Point Firewall-1
Recorder, and applications that use SAPI, and by the router.
Type: String Value
Data: Specify the number of the port to be used. By default, the port is
dynamically assigned by portmapper.

CollectorPort
The data value specified for the CollectorPort key is used by the Action
Manager to route events to the Collector and by the Collector to receive
events.
Type: String Value
Data: Specify the number of the port to be used. By default, the port is
dynamically assigned by portmapper.

DistributionPort
The data value specified for the DistributionPort key is used by the
distribution server and the distribution agent.
Type: String Value
Data: Specify the number of the port to be used. The default is 8025.

SNMPRecorderPort
The data value specified for the SNMPRecorderPort key is used by the
SNMP recorder.
Type: String Value
Data: Specify the number of the port to be used. The default is 162.

SNMPTrapPort
The data value specified for the SNMPTrapPort key is used by the Action
Manager to route actions defined as Action SNMP to the router.
Type: String Value
Data: Specify the number of the port to be used. The default is 162.
RPC<br />
Note: The Windows SNMP service also uses port 162. If you need to use the<br />
SNMP recorder, you must disable the Windows SNMP service or assign another<br />
data value for the SNMPRecorderPort and SNMPTrapPort keys.<br />
RPC<br />
<strong>eTrust</strong> <strong>Audit</strong> maintains information about the name of the program used to map<br />
ports on the system. It uses under the following key:<br />
HKEY_LO<strong>CA</strong>L_MACHINE\SOFTWARE\ComputerAssociates\<strong>eTrust</strong> <strong>Audit</strong>\RPC<br />
Under normal circumstances, you would not have any reason to modify these<br />
values. If you are using a different program to map ports other than portmap,<br />
you must change the data value.<br />
The key values are as follows:<br />
PortmapName<br />
The data value specified for the PortmapName key is used to identify the<br />
name of the program used to map RPC ports.<br />
Type<br />
String Value<br />
Data<br />
Specify the name of the RPC port map program. The default is<br />
portmap.exe. If you do not know the program name, leave this value<br />
empty.<br />
Messages
eTrust Audit maintains information about the name of the file where it stores messages under the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Messages
Under normal circumstances, you would not have any reason to modify these values.
The key values are as follows:
MessageFile
    The data value specified for the MessageFile key is used to identify the name and location of the message file.
    Type: String Value
    Data: Specify the name of the message file, including its full path. The default is install_dir\Messages\message.txt.
Severity
eTrust Audit maintains information about the name of the targets where messages are to be sent under the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Messages\Severity
Under normal circumstances, you would not have any reason to modify these values.
The key values are as follows:
Fatal
  Targets
    The data value specified for the Targets key is used to identify the targets where fatal messages are to be sent.
    Type: String Value
    Data: Specify the name of the targets, separated by commas. The default value is Monitor,Log.
  SkipTimeout
    The data value specified for the SkipTimeout key is used to identify the minimum time interval between identical messages. If eTrust Audit receives two of the same message within the interval, it discards the second message.
    Type: DWORD Value
    Data: Specify the time interval in seconds. The default value is 0 seconds.
Critical
  Targets
    The data value specified for the Targets key is used to identify the targets where critical messages are to be sent.
    Type: String Value
    Data: Specify the name of the targets, separated by commas. The default value is Monitor,Log.
  SkipTimeout
    The data value specified for the SkipTimeout key is used to identify the minimum time interval between identical messages. If eTrust Audit receives two of the same message within the interval, it discards the second message.
    Type: DWORD Value
    Data: Specify the time interval in seconds. The default value is 0 seconds.
Error
  Targets
    The data value specified for the Targets key is used to identify the targets where error messages are to be sent.
    Type: String Value
    Data: Specify the name of the targets, separated by commas. The default value is Monitor,Log.
  SkipTimeout
    The data value specified for the SkipTimeout key is used to identify the minimum time interval between identical messages. If eTrust Audit receives two of the same message within the interval, it discards the second message.
    Type: DWORD Value
    Data: Specify the time interval in seconds. The default value is 60 seconds.
Warning
  Targets
    The data value specified for the Targets key is used to identify the targets where warning messages are to be sent.
    Type: String Value
    Data: Specify the name of the targets, separated by commas. The default value is Monitor,Log.
  SkipTimeout
    The data value specified for the SkipTimeout key is used to identify the minimum time interval between identical messages. If eTrust Audit receives two of the same message within the interval, it discards the second message.
    Type: DWORD Value
    Data: Specify the time interval in seconds. The default value is 60 seconds.
Info
  Targets
    The data value specified for the Targets key is used to identify the targets where info messages are to be sent.
    Type: String Value
    Data: Specify the name of the targets, separated by commas. The default value is Monitor,Log.
  SkipTimeout
    The data value specified for the SkipTimeout key is used to identify the minimum time interval between identical messages. If eTrust Audit receives two of the same message within the interval, it discards the second message.
    Type: DWORD Value
    Data: Specify the time interval in seconds. The default value is 60 seconds.
Targets
Monitor
eTrust Audit maintains information about the self-monitor target to use to send its own notification messages under the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Messages\Targets\Monitor
Host
    The data value specified for the Host key is used to identify the host where messages are to be sent.
    Type: String Value
    Data: Specify the name of the host. The default value is localhost.
MonitorPort
    The data value specified for the MonitorPort key is used to identify the port used by the Security Monitor.
    Type: String Value
    Data: Specify the number of the port. By default, the port is dynamically assigned by portmapper.
Mail
eTrust Audit maintains information about the mail server to use to send email under the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Mail
If you specified the name of the mail server at installation, you would not have any reason to modify these values, unless you want to change the name of the mail server or the name of the user sending the mail.
The key values are as follows:
ServerType
    The data value specified for the ServerType key is used to identify the type of mail server.
    Type: String Value
    Data: Specify the type of mail server. The default is SMTP. You cannot change this value.
MailServer
    The data value specified for the MailServer key is used to identify the host name of the mail server.
    Type: String Value
    Data: Specify the name of the mail server. The default is mailsrv or the name you specified at installation time.
Sender
    The data value specified for the Sender key is the mail address of the account from which mail is sent.
    Type: String Value
    Data: Specify the name of the sender from which mail is sent. The default value is Administrator. For certain SMTP servers, the value of Sender must represent an existing mail account, in the format name@domain.
Client\SeOS\logmgr
eTrust Audit maintains information about the audit and error log files for eTrust Audit under the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Client\SeOS\logmgr
Under normal circumstances, you would not have any reason to modify these values. However, there might be times when you must increase the value of the audit_size parameter, such as during periods of peak use.
The key values are as follows:
audit_back
    The data value specified for the audit_back key is used to identify the name of the backup file for the local audit file. When the local audit file reaches the size specified by the audit_size parameter, it is renamed to this name, and the old file with this name is discarded.
    Type: String Value
    Data: Specify the name of the audit backup file, including path. The default is install_dir\dat\log\seos_audit.bak.
audit_log
    The data value specified for the audit_log key is used to identify the name of the local audit file. The recorder service writes to the file named here, and the redirector service reads from it.
    Type: String Value
    Data: Specify the name of the local audit file, including path. The default is install_dir\dat\log\seos.audit.
audit_size
    The data value specified for the audit_size key is used to identify the maximum size, in KB, of the local audit file.
    Type: DWORD Value
    Data: Specify the size of the local audit file in KB. The default is 3000, for 3000 KB.
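The rotation described under audit_back keeps exactly one backup generation: every rotation overwrites the previous seos_audit.bak, so at peak load a generation can be gone before anyone reads it. Retention beyond one generation has to be arranged outside the product. The following PowerShell is an added example, not code from the eTrust Audit guide or from CA; it reads the logmgr values, falls back to the defaults documented above where a value is absent, archives the current backup generation under a timestamped name, and reports how close the live audit file is to the audit_size threshold. The install directory and the retention directory are placeholders.

```powershell
# Added example, not from the eTrust Audit guide: archive the single audit
# backup generation before the next rotation overwrites it.

function Get-ETrustLogmgrSettings {
    param(
        [string]$Key = 'HKLM:\SOFTWARE\ComputerAssociates\eTrust Audit\Client\SeOS\logmgr',
        # ASSUMPTION: install_dir placeholder; use the real installation directory.
        [string]$InstallDir = 'C:\eTrustAudit'
    )
    # Defaults as documented in the guide (audit_size is in KB).
    $cfg = @{
        audit_log  = Join-Path $InstallDir 'dat\log\seos.audit'
        audit_back = Join-Path $InstallDir 'dat\log\seos_audit.bak'
        audit_size = 3000
    }
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    foreach ($name in @($cfg.Keys)) {
        if ($props -and $props.PSObject.Properties[$name]) { $cfg[$name] = $props.$name }
    }
    $cfg.audit_size = [int]$cfg.audit_size
    return $cfg
}

function Invoke-ETrustAuditBackupArchive {
    param(
        # ASSUMPTION: an existing folder with write access restricted to the archiving account.
        [Parameter(Mandatory)][string]$RetentionDir,
        [hashtable]$Cfg = (Get-ETrustLogmgrSettings)
    )
    $result = [ordered]@{ Archived = $null; LivePercentOfLimit = $null }

    # 1. Archive the backup generation. The last write time identifies the
    #    generation, so re-running the job does not copy the same rotation twice.
    $back = Get-Item -LiteralPath $Cfg.audit_back -ErrorAction SilentlyContinue
    if ($back) {
        $stamp = $back.LastWriteTimeUtc.ToString('yyyyMMddTHHmmssZ')
        $dest  = Join-Path $RetentionDir ('seos_audit.{0}.bak' -f $stamp)
        if (-not (Test-Path -LiteralPath $dest)) {
            Copy-Item -LiteralPath $back.FullName -Destination $dest
            $result.Archived = $dest
        }
    }

    # 2. How full is the live file? Rotation happens when it reaches audit_size KB.
    $live = Get-Item -LiteralPath $Cfg.audit_log -ErrorAction SilentlyContinue
    if ($live -and $Cfg.audit_size -gt 0) {
        $result.LivePercentOfLimit = [math]::Round(100 * $live.Length / (1024 * $Cfg.audit_size), 1)
    }
    return [pscustomobject]$result
}

# Usage: run from a scheduled task more often than one rotation takes at peak
# load, so no generation is overwritten between two runs.
Invoke-ETrustAuditBackupArchive -RetentionDir 'D:\AuditRetention'
```

If LivePercentOfLimit climbs toward 100 between runs faster than the task interval, either shorten the interval or, as the guide suggests for peak periods, raise audit_size.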
error_back
    The data value specified for the error_back key is used to identify the name of a file used internally by eTrust Audit.
    Type: String Value
    Data: Specify the name of the error log backup file, including path. The default is install_dir\dat\log\seos_error.bak.
error_log
    The data value specified for the error_log key is used to identify the name of a file used internally by eTrust Audit.
    Type: String Value
    Data: Specify the name of the error log file, including path. The default is install_dir\dat\log\seos.error.
Recorders
eTrust Audit maintains information about the router used by the recorders under the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Recorders
By default, the recorder sends messages to the router on the system where it is installed. However, as you begin to deploy eTrust Audit throughout your enterprise, you can change this value to send events to dedicated routers. You identify these dedicated router systems by changing the value of DefaultRouter from localhost to the host name or IP address of the dedicated router system.
The key values are as follows:
DefaultRouter
    The data value specified for the DefaultRouter key is used to identify the host name or IP address of the computer that runs the eTrust Audit Router.
    Type: String Value
    Data: Specify the name of the host that runs the eTrust Audit Router. The default is localhost.
NT Recorder
eTrust Audit maintains information about the files used by the recorder under the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Recorders\NT Recorder
Under normal circumstances, you would not have any reason to modify these values.
The key values are as follows:
DataFile
    The data value specified for the DataFile key is used to identify the name of the file used by the recorder internally.
    Type: String Value
    Data: Specify the name of the file, including path. The default is install_dir\dat\recorders\selogrec.dat. You should not change this location.
FilterFile
    The data value specified for the FilterFile key is used to identify the name of the recorder configuration file.
    Type: String Value
    Data: Specify the name of the recorder configuration file, including path. The default is install_dir\dat\recorders\selogrec.cfg.
SearchStringsFile
    The data value specified for the SearchStringsFile key is used to identify the name of a file that the recorder service uses internally.
    Type: String Value
    Data: Specify the name of the search strings file, including path. The default is install_dir\dat\recorders\selogrec.str. You should not change this location.
SkipImportLogs
    The data value specified for the SkipImportLogs key is used to identify whether to import earlier Windows NT audit logs.
    Type: DWORD Value
    Data: This value is generated during setup. Specify 1 or 0. When set to 1, the recorder starts by sending only new events.
Interval
    The data value specified for the Interval key is used to identify the time the recorder service suspends (sleeps) without writing any data from the event log.
    Type: DWORD Value
    Data: The sleep interval in seconds. The default value is 10 seconds. This value is optional.
MaxSeqNoSleep
    The data value specified for the MaxSeqNoSleep key is used to identify the maximum number of records written before sleeping.
    Type: DWORD Value
    Data: The maximum number of records before sleeping. The default value is 50. This value is optional.
SNMP Recorder
eTrust Audit maintains information about the mapping file used by the SNMP recorder to parse events under the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Recorders\SNMP Recorder
Under normal circumstances, you would not have any reason to modify these values.
The key values are as follows:
MPFile
    The data value specified for the MPFile key is used to identify the name of the mapping file used by the SNMP recorder to parse events.
    Type: String Value
    Data: Specify the name of the mapping file, including path. The default is install_dir\cfg\snmptd_rec.mp.
Redirector
eTrust Audit maintains information used by the redirector under the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Client\Redirector
Under normal circumstances, you would not have any reason to modify these values.
The key values are as follows:
DataFile
    The data value specified for the DataFile key is used to identify the name of a file used by the redirector internally.
    Type: String Value
    Data: Specify the name of the internal file used by the redirector, including path. The default is install_dir\dat\logroute.dat. You should not change this location.
MailSubject
    The data value specified for the MailSubject key is used to identify the subject line for eTrust Audit outgoing email.
    Type: String Value
    Data: Specify the subject line of an email sent by eTrust Audit. The default is Notification from eTrust Audit.
RouteFile
    The data value specified for the RouteFile key is used to identify the name of the redirector configuration file.
    Type: String Value
    Data: Specify the name of the redirector configuration file. The default value is install_dir\etc\logroute.cfg.
SendTimeout
    The data value specified for the SendTimeout key is used to identify the time the redirector waits for confirmation from the router before resending a message. If the timeout period is too short, the same message might appear in the database several times.
    Type: DWORD Value
    Data: Specify the time in seconds the redirector waits for confirmation from the router before resending a message. The default value is 25 seconds. Setting this value is optional.
Interval
    The data value specified for the Interval key is used to identify the time the redirector service sleeps without writing any data from the event log.
    Type: DWORD Value
    Data: The sleep interval in seconds. The default value is 5 seconds. Setting this value is optional.
MaxSeqNoSleep
    The data value specified for the MaxSeqNoSleep key is used to identify the maximum number of records sent before sleeping.
    Type: DWORD Value
    Data: The maximum number of records sent before sleeping. The default value is 50. Setting this value is optional.
SpeedBackup
    The data value specified for the SpeedBackup key modifies the values of Interval and MaxSeqNoSleep, described above. It takes effect only while the redirector reads from the eTrust Audit backup file. The value of MaxSeqNoSleep is multiplied by the value of SpeedBackup to give an effective value, and the value of Interval is divided by the value of SpeedBackup to give an effective value. The effective interval has a fixed minimum of 1 second.
    Type: DWORD Value
    Data: The default value is 2. Setting this value is optional.
ChangeLogFactor
    The data value specified for the ChangeLogFactor key is used to identify the number of sleep periods before retrying failed targets.
    Type: DWORD Value
    Data: The number of sleep periods before the redirector retries failed targets. The default value is 3. Setting this value is optional.
SavePeriod
    The data value specified for the SavePeriod key is used to identify the time before the current position of the redirector service in seos.audit is stored in logroute.dat.
    Type: DWORD Value
    Data: The time in minutes before the current position of the redirector service in seos.audit is stored in logroute.dat. The default value is 10 minutes. Setting this value is optional.
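Every redirector value from SendTimeout to SavePeriod is optional, so an audit of what the redirector actually does has to apply the documented defaults wherever a value is absent and then work out the effective figures under SpeedBackup. The following PowerShell is an added example, not code from the eTrust Audit guide or from CA. It reads the Redirector key, applies the defaults listed above, and derives the burst size and sleep interval the redirector uses while draining the backup file, as the SpeedBackup entry describes them; the guide does not say how a fractional interval is rounded, so the division is left unrounded, and the 1-second floor is applied as stated.

```powershell
# Added example, not from the eTrust Audit guide: read the optional redirector
# throttling values, apply the documented defaults, and derive the effective
# behaviour while the redirector reads the backup file.

function Get-ETrustRedirectorThrottle {
    param(
        [string]$Key = 'HKLM:\SOFTWARE\ComputerAssociates\eTrust Audit\Client\Redirector'
    )
    # Defaults as documented in the guide; each of these values is optional.
    $cfg = @{
        SendTimeout     = 25   # seconds before a message is resent
        Interval        = 5    # seconds the service sleeps between batches
        MaxSeqNoSleep   = 50   # records sent per batch
        SpeedBackup     = 2    # multiplier/divisor while reading the backup file
        ChangeLogFactor = 3    # sleep periods before failed targets are retried
        SavePeriod      = 10   # minutes between saves of the read position
    }
    $props = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    foreach ($name in @($cfg.Keys)) {
        if ($props -and $props.PSObject.Properties[$name]) { $cfg[$name] = [int]$props.$name }
    }

    # Guard against zero values so the derived rates stay finite.
    $interval = [math]::Max(1, $cfg.Interval)
    $sb       = [math]::Max(1, $cfg.SpeedBackup)

    # Effective values while reading the backup file, per the SpeedBackup entry:
    # burst is multiplied, sleep is divided, and the sleep never drops below 1 s.
    $backupBurst    = $cfg.MaxSeqNoSleep * $sb
    $backupInterval = [math]::Max(1, $interval / $sb)

    [pscustomobject]@{
        Configured                = $cfg
        LiveRecordsPerSecondMax   = [math]::Round($cfg.MaxSeqNoSleep / $interval, 2)
        BackupBurst               = $backupBurst
        BackupIntervalSeconds     = $backupInterval
        BackupRecordsPerSecondMax = [math]::Round($backupBurst / $backupInterval, 2)
        # ChangeLogFactor counts sleep periods; the live interval is used here.
        FailedTargetRetrySeconds  = $cfg.ChangeLogFactor * $interval
        # On a crash the redirector resumes from the last saved position, so up to
        # SavePeriod minutes of events may be re-sent.
        MaxReplayOnCrashMinutes   = $cfg.SavePeriod
        # Below the documented default the guide warns of duplicate database rows.
        DuplicateRisk             = ($cfg.SendTimeout -lt 25)
    }
}

Get-ETrustRedirectorThrottle | Format-List
```

The two records-per-second figures are upper bounds (they ignore the time spent sending each batch); their ratio is what matters when estimating how long a backlog in seos_audit.bak takes to drain after an outage of the router.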
OverWriteBackup
    The data value specified for the OverWriteBackup key is used to identify whether the redirector closes the backup file during sleep periods so that it can be erased.
    Type: DWORD Value
    Data: Specify 1 or 0. When set to 1, the redirector service closes the backup file during sleep periods, allowing it to be erased.
Router
eTrust Audit maintains information used by the router under the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Client\Router
Under normal circumstances, you would not have any reason to modify these values.
The key values are as follows:
RulesDirectory
    The data value specified for the RulesDirectory key is used to identify the directory where the router configuration files are located.
    Type: String Value
    Data: Specify the name of the directory where the router configuration files are located. The default is install_dir\cfg\.
RulesExtension
    The data value specified for the RulesExtension key is used to identify the extension for router configuration files.
    Type: String Value
    Data: Specify the extension for router configuration files. The default is .cfg. Setting this value is optional.
Queue Manager\Queues
eTrust Audit maintains information about the queues used by the router under the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Client\Router\Queue Manager\Queues
Under normal circumstances, you would not have any reason to modify these values.
The key values are as follows:
DirectoryName
    The data value specified for the DirectoryName key is used to identify the directory where queues are located.
    Type: String Value
    Data: Specify the name of the directory where the queues are located. The default is install_dir\dat\Queue\route.
Queues\AlertQueue\Queue Rules
eTrust Audit maintains information about the alert queue rules used by the router under the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Client\Router\Queue Manager\Queues\AlertQueue\Queue Rules
Note: The rule name (value name) is unimportant, so you can change it. The Data value identifies the action to be performed from this queue and the target the action is sent to. If no target is indicated, only the action is significant.
Under normal circumstances, you would not have any reason to modify these values.
The key values are as follows:
monitor
    The data value specified for the monitor key is used to identify the name of the action and target, separated by a semicolon.
    Type: String Value
    Data: Specify the name of the action and the target, separated by a semicolon. The default value is “monitor; ”.
snmp
    The data value specified for the snmp key is used to identify the name of the action and target, separated by a semicolon.
    Type: String Value
    Data: Specify the name of the action and the target, separated by a semicolon. The default value is “snmp; ”.
screen
    The data value specified for the screen key is used to identify the name of the action and target, separated by a semicolon.
    Type: String Value
    Data: Specify the name of the action and the target, separated by a semicolon. The default value is “screen; ”.
Queues\AlertQueue\Queue Parameters
eTrust Audit maintains information about the alert queue parameters used by the router under the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Client\Router\Queue Manager\Queues\AlertQueue\Queue Parameters
Under normal circumstances, you would not have any reason to modify these values.
The key values are as follows:
MaxFileNum
    The data value specified for the MaxFileNum key is used to identify the maximum number of files in the queue.
    Type: DWORD Value
    Data: Specify the maximum number of files in the queue. The default value is 10.
MaxFileSize
    The data value specified for the MaxFileSize key is used to identify the size of the files in the queue.
    Type: DWORD Value
    Data: Specify the size of the files in the queue, in KB. The default value is 500 KB.
MaxActionTime
    The data value specified for the MaxActionTime key is used to identify the maximum time the action manager operates in the queue before moving to another queue.
    Type: DWORD Value
    Data: Specify the maximum number of milliseconds the action manager operates in the queue before moving to another queue. The default value is 500 milliseconds.
MinActionTime
    The data value specified for the MinActionTime key is used to identify the minimum time the action manager operates in the queue before moving to another queue.
    Type: DWORD Value
    Data: Specify the minimum number of milliseconds the action manager operates in the queue before moving to another queue. The default value is 20 milliseconds.
SleepTime
    The data value specified for the SleepTime key is used to identify the time the action manager service sleeps without writing any data from the queue.
    Type: DWORD Value
    Data: The sleep interval in seconds. The default value is 3 seconds.
RetryDelay
    The data value specified for the RetryDelay key is used to identify the amount of time that passes before trying to transmit a message again.
    Type: DWORD Value
    Data: The retry interval in seconds. The default value is 600 seconds (10 minutes).
MaxLifeTime
    The data value specified for the MaxLifeTime key is used to identify the maximum time a message can remain in the queue before it is erased.
    Type: DWORD Value
    Data: The maximum time in seconds a message can remain in the queue before it is erased. The default value is 86400 seconds (24 hours).
DeleteOldFiles
    The data value specified for the DeleteOldFiles key is used to identify whether the oldest queue file should be deleted when the number set in MaxFileNum is reached.
    Type: DWORD Value
    Data: Specify either of the following:
    ■ 1 if you want to delete the oldest queue file when the number of files in the queue equals the number set in the MaxFileNum parameter.
    ■ 0 if you do not want to lose any records.
    Setting this value is optional. The default value is 1.
Queues\CollectionQueue
Queues\CollectionQueue\Queue Rules
eTrust Audit maintains information about the collection queue rules used by the router under the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Client\Router\Queue Manager\Queues\CollectionQueue\Queue Rules
Under normal circumstances, you would not have any reason to modify these values.
The key values are as follows:
Name
    The data value specified for the Name key is used to identify the name of the collector.
    Type: String Value
    Data: Specify the name of the collector. The default value is “collector;”. There is no reason to change this value.
Queues\CollectionQueue\Queue Parameters
eTrust Audit maintains information about the collection queue parameters used by the router under the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Client\Router\Queue Manager\Queues\CollectionQueue\Queue Parameters
Under normal circumstances, you would not have any reason to modify these values.
The key values are as follows:
MaxFileNum
    The data value specified for the MaxFileNum key is used to identify the maximum number of files in the queue.
    Type: DWORD Value
    Data: Specify the maximum number of files in the queue. The default value is 10.
MaxFileSize
    The data value specified for the MaxFileSize key is used to identify the size of the files in the queue.
    Type: DWORD Value
    Data: Specify the size of the files in the queue, in KB. The default value is 500 KB.
MaxActionTime
    The data value specified for the MaxActionTime key is used to identify the maximum time the action manager operates in the queue before moving to another queue.
    Type: DWORD Value
    Data: Specify the maximum number of milliseconds the action manager operates in the queue before moving to another queue. The default value is 500 milliseconds.
MinActionTime
    The data value specified for the MinActionTime key is used to identify the minimum time the action manager operates in the queue before moving to another queue.
    Type: DWORD Value
    Data: Specify the minimum number of milliseconds the action manager operates in the queue before moving to another queue. The default value is 10 milliseconds.
SleepTime
    The data value specified for the SleepTime key is used to identify the time the action manager service sleeps without writing any data from the queue.
    Type: DWORD Value
    Data: The sleep interval in seconds. The default value is 3 seconds.
RetryDelay
    The data value specified for the RetryDelay key is used to identify the amount of time that passes before trying to transmit a message again.
    Type: DWORD Value
    Data: The retry interval in seconds. The default value is 900 seconds (15 minutes).
MaxLifeTime
    The data value specified for the MaxLifeTime key is used to identify the maximum time a message can remain in the queue before it is erased.
    Type: DWORD Value
    Data: The maximum time in seconds a message can remain in the queue before it is erased. The default value is 259200 seconds (72 hours).
DeleteOldFiles
    The data value specified for the DeleteOldFiles key is used to identify whether the oldest queue file should be deleted when the number set in MaxFileNum is reached.
    Type: DWORD Value
    Data: Specify either of the following:
    ■ 1 if you want to delete the oldest queue file when the number of files in the queue equals the number set in the MaxFileNum parameter.
    ■ 0 if you do not want to lose any records.
    Setting this value is optional. The default value is 1.
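The AlertQueue and CollectionQueue (and the Default queue that follows) share one parameter set, but the guide gives each queue its own RetryDelay and MaxLifeTime defaults. Together those two decide how many delivery attempts an undeliverable message gets before MaxLifeTime erases it, and DeleteOldFiles decides whether a full queue drops records, which is the figure a defender wants when sizing the queues for a router outage. The following PowerShell is an added example, not code from the eTrust Audit guide or from CA; it reads the Queue Parameters key of each queue, applies the per-queue defaults documented in this chapter, and reports capacity, retry budget and loss behaviour.

```powershell
# Added example, not from the eTrust Audit guide: summarise each router queue's
# buffering and loss behaviour from its Queue Parameters key.

# Per-queue defaults as documented in the guide (KB, seconds, counts).
$ETrustQueueDefaults = @{
    AlertQueue      = @{ MaxFileNum = 10; MaxFileSize = 500; RetryDelay = 600;  MaxLifeTime = 86400;  DeleteOldFiles = 1 }
    CollectionQueue = @{ MaxFileNum = 10; MaxFileSize = 500; RetryDelay = 900;  MaxLifeTime = 259200; DeleteOldFiles = 1 }
    Default         = @{ MaxFileNum = 10; MaxFileSize = 500; RetryDelay = 1800; MaxLifeTime = 86400;  DeleteOldFiles = 1 }
}

function Get-ETrustQueueSummary {
    param(
        [string]$Base = 'HKLM:\SOFTWARE\ComputerAssociates\eTrust Audit\Client\Router\Queue Manager\Queues',
        [string[]]$Queues = @('AlertQueue', 'CollectionQueue', 'Default')
    )
    foreach ($q in $Queues) {
        $defaults = $ETrustQueueDefaults[$q]
        if (-not $defaults) { throw "No documented defaults for queue '$q'" }
        $cfg = @{} + $defaults   # copy, so the defaults table is not modified

        $props = Get-ItemProperty -Path (Join-Path $Base "$q\Queue Parameters") -ErrorAction SilentlyContinue
        foreach ($name in @($cfg.Keys)) {
            if ($props -and $props.PSObject.Properties[$name]) { $cfg[$name] = [int]$props.$name }
        }

        # A message is retried every RetryDelay seconds until MaxLifeTime expires,
        # so this is the number of delivery attempts an undeliverable message gets.
        $attempts = [math]::Floor($cfg.MaxLifeTime / [math]::Max(1, $cfg.RetryDelay))

        $onFull = if ($cfg.DeleteOldFiles -eq 1) {
            'oldest queue file deleted when MaxFileNum is reached (records lost)'
        } else {
            'DeleteOldFiles=0: records are retained'
        }

        [pscustomobject]@{
            Queue             = $q
            CapacityKB        = $cfg.MaxFileNum * $cfg.MaxFileSize
            RetryDelaySeconds = $cfg.RetryDelay
            MaxLifeTimeHours  = [math]::Round($cfg.MaxLifeTime / 3600, 1)
            RetryAttempts     = $attempts
            OnQueueFull       = $onFull
        }
    }
}

# Usage: with the documented defaults the AlertQueue gets 86400/600 = 144
# attempts, the CollectionQueue 259200/900 = 288 and the Default queue
# 86400/1800 = 48, each with a 5000 KB on-disk buffer.
Get-ETrustQueueSummary | Format-Table -AutoSize
```

For the CollectionQueue, whose messages end up in the database, DeleteOldFiles=0 is the setting that matches the guide's "do not want to lose any records"; the summary makes the queues where it is still 1 stand out.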
Queues\Default
Queues\Default\Queue Rules
eTrust Audit maintains information about the default queue rules used by the router under the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Client\Router\Queue Manager\Queues\Default\Queue Rules
Under normal circumstances, you would not have any reason to modify these values.
The Default queue has no rules of its own; it receives all the rules of the other queue keys.
Queues\Default\Queue Parameters
eTrust Audit maintains information about the default queue parameters used by the router under the following key:
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Client\Router\Queue Manager\Queues\Default\Queue Parameters
Under normal circumstances, you would not have any reason to modify these values.
The key values are as follows:
MaxFileNum
    The data value specified for the MaxFileNum key is used to identify the maximum number of files in the queue.
    Type: DWORD Value
    Data: Specify the maximum number of files in the queue. The default value is 10.
MaxFileSize
    The data value specified for the MaxFileSize key is used to identify the size of the files in the queue.
    Type: DWORD Value
    Data: Specify the size of the files in the queue, in KB. The default value is 500 KB.
Windows Registry Entries 6–25
Router<br />
MaxActionTime<br />
The data value specified for the MaxActionTime key is used to identify the<br />
maximum time the action manager operates in the queue before moving to<br />
another queue.<br />
Type<br />
DWORD Value<br />
Data<br />
Specify the maximum number of milliseconds the action manager<br />
operates in the queue before moving to another queue. The default value<br />
is 500 milliseconds.<br />
MinActionTime<br />
The data value specified for the MinActionTime key is used to identify the<br />
minimum time the action manager operates in the queue before moving to<br />
another queue.<br />
Type<br />
DWORD Value<br />
Data<br />
Specify the minimum number of milliseconds the action manager<br />
operates in the queue before moving to another queue. The default value<br />
is 10 milliseconds.<br />
SleepTime<br />
The data value specified for the SleepTime key is used to identify the time<br />
the action manager service sleeps without writing any data from the queue.<br />
Type<br />
DWORD Value<br />
Data<br />
The sleep interval in seconds. The default value is 3 seconds.<br />
RetryDelay<br />
The data value specified for the RetryDelay key is used to identify the<br />
amount of time that passes before trying to transmit a message again.<br />
Type<br />
DWORD Value<br />
Data<br />
The retry interval in seconds. The default value is 1800 seconds (30<br />
minutes).<br />
MaxLifeTime<br />
The data value specified for the MaxLifeTime key is used to identify the<br />
maximum time a message can be in the queue before it is erased.<br />
Type<br />
DWORD Value<br />
Data<br />
The maximum time in seconds a message can be in the queue before it is<br />
erased. The default value is 86400 seconds (24 hours).<br />
DeleteOldFiles<br />
The data value specified for the DeleteOldFiles key is used to identify<br />
whether the oldest queue file should be deleted when the number of files<br />
set in MaxFileNum is reached.<br />
Type<br />
DWORD Value<br />
Data<br />
Specify either of the following:<br />
■ Specify 1 if you want to delete the oldest queue file when the number of files in the queue equals the number set in the MaxFileNum parameter. With this setting, the oldest queued records are discarded silently once the queue is full.<br />
■ Specify 0 if you do not want to lose any records.<br />
Setting this value is optional. The default value is 1.<br />
Actions<br />
<strong>eTrust</strong> <strong>Audit</strong> maintains information about the actions that rules executed by the<br />
router can specify under the following key:<br />
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\<strong>eTrust</strong> <strong>Audit</strong>\Client\Router\Queue Manager\Actions<br />
Under normal circumstances, you would not have any reason to modify these<br />
values.<br />
The key values are as follows:<br />
file<br />
The file action routes events to a file in ASCII text format. It has no<br />
parameters you should change.<br />
monitor<br />
The monitor action routes events to the security monitor. It has no<br />
parameters you should change.<br />
collector<br />
The collector action routes events to the collector database. It has no<br />
parameters you should change.<br />
mail<br />
The mail action routes messages to a designated SMTP mail server and onto<br />
an email address.<br />
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\<strong>eTrust</strong> <strong>Audit</strong>\Client\Router\Queue Manager\Actions\Mail\Parameters<br />
The key values are as follows:<br />
MailSubject<br />
The data value specified for the MailSubject key is used to identify the<br />
subject line for <strong>eTrust</strong> <strong>Audit</strong> mail.<br />
Type<br />
String Value<br />
Data<br />
Specify the text you want to appear in the subject line of email sent<br />
by <strong>eTrust</strong> <strong>Audit</strong>. The default is “Notification from <strong>eTrust</strong> <strong>Audit</strong>.”<br />
screen<br />
The screen action routes events to an NT screen session.<br />
remote<br />
The remote action routes events to an action manager on the host named in<br />
the action, where they are executed without filtering.<br />
route<br />
The route action sends events to the host named in the action, where they are<br />
reviewed by the router on that system and executed according to any filters<br />
that apply on that system.<br />
snmp<br />
The snmp action sends SNMP traps to the host named in the action.<br />
program<br />
The program action executes, on the local host, the command named in the<br />
action.<br />
unicenter<br />
The unicenter action routes events to the Event Management Console on the<br />
host named in the action. The key values are as follows:<br />
UnicenterHome<br />
The data value specified for the UnicenterHome key is used to identify<br />
the location of the Unicenter installation.<br />
Type<br />
String Value<br />
Data<br />
Specify the location of the Unicenter installation.<br />
Management Agent<br />
<strong>eTrust</strong> <strong>Audit</strong> maintains information about which systems are trusted policy<br />
servers, and parameters related to policy distribution, under the following key:<br />
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\<strong>eTrust</strong> <strong>Audit</strong>\Client\Management Agent<br />
When you install <strong>eTrust</strong> <strong>Audit</strong>, you identify the name of a trusted policy server.<br />
By changing the value of the TrustedServers key, you can identify additional<br />
policy servers.<br />
Under normal circumstances, you would not have any reason to modify these<br />
values.<br />
The key values are as follows:<br />
TrustedServers<br />
The data value specified for the TrustedServers key is used to identify one or<br />
more policy servers.<br />
Type<br />
String Value<br />
Data<br />
Specify the host names or IP addresses of one or more policy servers,<br />
separated by commas.<br />
Parameters<br />
<strong>eTrust</strong> <strong>Audit</strong> maintains the parameters that control policy distribution to this<br />
agent under the following key:<br />
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\<strong>eTrust</strong> <strong>Audit</strong>\Client\Management Agent\Parameters<br />
Under normal circumstances, you would not have any reason to modify these<br />
values.<br />
All the following keys are optional:<br />
TmpPolicyDir<br />
The data value specified for the TmpPolicyDir key is used to identify the<br />
directory where temporary policy files are stored.<br />
Type<br />
String Value<br />
Data<br />
Specify the directory name. The default value is<br />
install_dir\dat\tmp\agent_tmp_policies.<br />
ConnectionTimeout<br />
The data value specified for the ConnectionTimeout key is used to identify<br />
the number of seconds after which a connection between a policy server and<br />
distribution agent is closed.<br />
Type<br />
DWORD Value<br />
Data<br />
Specify the number of seconds after which the connection is broken. The<br />
default value is 600 seconds.<br />
ReceiveTimeout<br />
The data value specified for the ReceiveTimeout key is used to identify an<br />
internal parameter for the TCP session.<br />
Type<br />
DWORD Value<br />
Data<br />
Specify the number of seconds. The default value is 10 seconds.<br />
SendTimeout<br />
The data value specified for the SendTimeout key is used to identify an<br />
internal parameter for the TCP session.<br />
Type<br />
DWORD Value<br />
Data<br />
Specify the number of seconds. The default value is 10 seconds.<br />
DistributionTimeout<br />
The data value specified for the DistributionTimeout key is used to identify<br />
the time from the start of the TCP session until the agent receives the policy.<br />
Type<br />
DWORD Value<br />
Data<br />
Specify the number of seconds. The default value is 800 seconds.<br />
AN Types<br />
<strong>eTrust</strong> <strong>Audit</strong> maintains information about the types of event logs defined to it<br />
under the following key:<br />
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\<strong>eTrust</strong> <strong>Audit</strong>\Client\Management Agent\AN Types<br />
Under normal circumstances, you would not have any reason to modify these<br />
values through the registry.<br />
Note: All the following event log sources have a parameters section that contains<br />
no values.<br />
Apache<br />
<strong>eTrust</strong> <strong>Audit</strong> maintains information about the library used by the Apache AN<br />
type under the following key:<br />
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\<strong>eTrust</strong> <strong>Audit</strong>\Client\Management Agent\AN Types\Apache<br />
Under normal circumstances, you would not have any reason to modify these<br />
values through the registry.<br />
LibraryName<br />
The data value specified for the LibraryName key is used to identify the<br />
library used to process Apache events.<br />
Type<br />
String Value<br />
Data<br />
Specify the name of the library. The default value is TGNR.<br />
Default<br />
<strong>eTrust</strong> <strong>Audit</strong> maintains information about the library used by the Default AN<br />
type under the following key:<br />
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\<strong>eTrust</strong> <strong>Audit</strong>\Client\Management Agent\AN Types\Default<br />
Under normal circumstances, you would not have any reason to modify these<br />
values through the registry.<br />
LibraryName<br />
The data value specified for the LibraryName key is used to identify the<br />
library used to process Default events.<br />
Type<br />
String Value<br />
Data<br />
Specify the name of the library. The default value is TGNR.<br />
<strong>eTrust</strong> Access Control<br />
<strong>eTrust</strong> <strong>Audit</strong> maintains information about the library used by the <strong>eTrust</strong> Access<br />
Control AN type under the following key:<br />
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\<strong>eTrust</strong> <strong>Audit</strong>\Client\Management Agent\AN Types\<strong>eTrust</strong> Access Control<br />
Under normal circumstances, you would not have any reason to modify these<br />
values through the registry.<br />
LibraryName<br />
The data value specified for the LibraryName key is used to identify the<br />
library used to process <strong>eTrust</strong> Access Control events.<br />
Type<br />
String Value<br />
Data<br />
Specify the name of the library. The default value is TGNR.<br />
Netscape<br />
<strong>eTrust</strong> <strong>Audit</strong> maintains information about the library used by the Netscape AN<br />
type under the following key:<br />
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\<strong>eTrust</strong> <strong>Audit</strong>\Client\Management Agent\AN Types\Netscape<br />
Under normal circumstances, you would not have any reason to modify these<br />
values through the registry.<br />
LibraryName<br />
The data value specified for the LibraryName key is used to identify the<br />
library used to process Netscape events.<br />
Type<br />
String Value<br />
Data<br />
Specify the name of the library. The default value is TGNR.<br />
NT<br />
<strong>eTrust</strong> <strong>Audit</strong> maintains information about the library used by the NT AN type<br />
under the following key:<br />
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\<strong>eTrust</strong> <strong>Audit</strong>\Client\Management Agent\AN Types\NT<br />
Under normal circumstances, you would not have any reason to modify these<br />
values through the registry.<br />
LibraryName<br />
The data value specified for the LibraryName key is used to identify the<br />
library used to process NT events.<br />
Type<br />
String Value<br />
Data<br />
Specify the name of the library. The default value is TALR.<br />
Oracle<br />
<strong>eTrust</strong> <strong>Audit</strong> maintains information about the library used by the Oracle AN<br />
type under the following key:<br />
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\<strong>eTrust</strong> <strong>Audit</strong>\Client\Management Agent\AN Types\Oracle<br />
Under normal circumstances, you would not have any reason to modify these<br />
values through the registry.<br />
LibraryName<br />
The data value specified for the LibraryName key is used to identify the<br />
library used to process Oracle events.<br />
Type<br />
String Value<br />
Data<br />
Specify the name of the library. The default value is TGNR.<br />
UNIX<br />
<strong>eTrust</strong> <strong>Audit</strong> maintains information about the library used by the UNIX AN type<br />
under the following key:<br />
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\<strong>eTrust</strong> <strong>Audit</strong>\Client\Management Agent\AN Types\UNIX<br />
Under normal circumstances, you would not have any reason to modify these<br />
values through the registry. You define and modify these using the Policy<br />
Manager GUI.<br />
LibraryName<br />
The data value specified for the LibraryName key is used to identify the<br />
library used to process UNIX events.<br />
Type<br />
String Value<br />
Data<br />
Specify the name of the library. The default value is TGNR.<br />
Policy Manager<br />
The keys in the topics that follow apply to the Policy Manager.<br />
Database<br />
<strong>eTrust</strong> <strong>Audit</strong> maintains information about the database used by the Policy<br />
Manager under the following key:<br />
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\<strong>eTrust</strong> <strong>Audit</strong>\Policy Manager\Database<br />
Under normal circumstances, you would not have any reason to modify these<br />
values.<br />
The key values are as follows:<br />
DSN<br />
The data value specified for the DSN key is used to identify the name of the<br />
data source.<br />
Type<br />
String Value<br />
Data<br />
Specify the data source name. The default value is eAuditPMDB.<br />
UserName<br />
The data value specified for the UserName key is used to identify the name<br />
of the user under whose name changes can be made to the database.<br />
Type<br />
Binary Value<br />
Data<br />
Specify the user name. The value is encrypted.<br />
Password<br />
The data value specified for the Password key is used to identify the<br />
password of the user under whose name changes can be made to the<br />
database.<br />
Type<br />
Binary Value<br />
Data<br />
Specify the password. The value is encrypted.<br />
Distribution Log<br />
<strong>eTrust</strong> <strong>Audit</strong> maintains information about the log file used to store messages<br />
about the success or failure of policy distribution used by the Policy Manager<br />
under the following key:<br />
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\<strong>eTrust</strong> <strong>Audit</strong>\Policy Manager\Distribution Log<br />
Under normal circumstances, you would not have any reason to modify these<br />
values.<br />
The key values are as follows:<br />
MaxLogSize<br />
The data value specified for the MaxLogSize key is used to identify the<br />
number of records to be stored in the log.<br />
Type<br />
DWORD Value<br />
Data<br />
Specify the number of records. The default value is 10000.<br />
MaxTimeOut<br />
The data value specified for the MaxTimeOut key is used to identify the<br />
maximum time (in seconds) the distribution server waits to write to the<br />
database. After this period ends without success, an error is recorded in the<br />
machine event log.<br />
Type<br />
DWORD Value<br />
Data<br />
Specify the number of seconds. The default value is 60.<br />
DelPartSize<br />
The data value specified for the DelPartSize key is used to identify the<br />
number of records to erase when the value of MaxLogSize is reached.<br />
Type<br />
DWORD Value<br />
Data<br />
Specify the number of records to be erased. The default is 500.<br />
Distribution Server<br />
<strong>eTrust</strong> <strong>Audit</strong> maintains information about the output directory used by the<br />
distribution server under the following key:<br />
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\<strong>eTrust</strong> <strong>Audit</strong>\Policy Manager\Distribution Server<br />
Under normal circumstances, you would not have any reason to modify these<br />
values.<br />
The subkeys are described in the topics that follow.<br />
Queue Manager\Queues<br />
<strong>eTrust</strong> <strong>Audit</strong> maintains information about the queues used by the distribution<br />
server under the following key:<br />
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\<strong>eTrust</strong> <strong>Audit</strong>\Policy Manager\Distribution Server\Queue Manager\Queues<br />
Under normal circumstances, you should not have any reason to modify these<br />
values.<br />
The key values are as follows:<br />
DirectoryName<br />
The data value specified for the DirectoryName key is used to identify the<br />
directory where queues are located.<br />
Type<br />
String Value<br />
Data<br />
Specify the name of the directory where the queues are located. The<br />
default is install_dir\dat\Queue\distrib.<br />
Queues\DistributionQueue\Queue Rules<br />
<strong>eTrust</strong> <strong>Audit</strong> maintains information about the queue rules used by the Policy<br />
Manager under the following key:<br />
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\<strong>eTrust</strong> <strong>Audit</strong>\Policy Manager\Distribution Server\Queue Manager\Queues\DistributionQueue\Queue Rules<br />
Under normal circumstances, you would not have any reason to modify these<br />
values.<br />
The key values are as follows:<br />
distribute<br />
The data value specified for the distribute key is used to identify the name of<br />
the action.<br />
Type<br />
String Value<br />
Data<br />
Specify the name of the action and the target separated by a semicolon.<br />
The default value is “distribute; “<br />
remove<br />
The data value specified for the remove key is used to identify the name of<br />
the action and target.<br />
Type<br />
String Value<br />
Data<br />
Specify the name of the action and the target separated by a semicolon.<br />
The default value is “remove; “<br />
Queues\DistributionQueue\Queue Parameters<br />
<strong>eTrust</strong> <strong>Audit</strong> maintains information about the distribution queue parameters used by<br />
the Policy Manager under the following key:<br />
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\<strong>eTrust</strong> <strong>Audit</strong>\Policy Manager\Distribution Server\Queue Manager\Queues\DistributionQueue\Queue Parameters<br />
Under normal circumstances, you would not have any reason to modify these<br />
values.<br />
The key values are as follows:<br />
MaxFileNum<br />
The data value specified for the MaxFileNum key is used to identify the<br />
maximum number of files in the queues.<br />
Type<br />
DWORD Value<br />
Data<br />
Specify the number of files in the queues. The default value is 10.<br />
MaxFileSize<br />
The data value specified for the MaxFileSize key is used to identify the size<br />
of the file in the queue.<br />
Type<br />
DWORD Value<br />
Data<br />
Specify the size of the file in the queue in KB. The default value is 100<br />
KB.<br />
MaxActionTime<br />
The data value specified for the MaxActionTime key is used to identify the<br />
maximum time the distribution server operates in the queue before moving<br />
to another queue.<br />
Type<br />
DWORD Value<br />
Data<br />
Specify the maximum number of milliseconds the distribution server<br />
operates in the queue before moving to another queue. The default value<br />
is 500 milliseconds.<br />
MinActionTime<br />
The data value specified for the MinActionTime key is used to identify the<br />
minimum time the distribution server operates in the queue before moving<br />
to another queue.<br />
Type<br />
DWORD Value<br />
Data<br />
Specify the minimum number of milliseconds the distribution server<br />
operates in the queue before moving to another queue. The default value<br />
is 50 milliseconds.<br />
SleepTime<br />
The data value specified for the SleepTime key is used to identify the time<br />
the distribution server service sleeps without writing any data from the<br />
queue.<br />
Type<br />
DWORD Value<br />
Data<br />
The sleep interval in seconds. The default value is 10 seconds.<br />
RetryDelay<br />
The data value specified for the RetryDelay key is used to identify the<br />
amount of time that passes before trying to transmit a policy again.<br />
Type<br />
DWORD Value<br />
Data<br />
The retry interval in seconds. The default value is 1800 seconds (30<br />
minutes).<br />
MaxLifeTime<br />
The data value specified for the MaxLifeTime key is used to identify the<br />
maximum time a policy can be in the queue before it is erased.<br />
Type<br />
DWORD Value<br />
Data<br />
The maximum time in seconds a policy can be in the queue before it is<br />
erased. The default value is 86400 seconds (24 hours).<br />
DeleteOldFiles<br />
The data value specified for the DeleteOldFiles key is used to identify<br />
whether the oldest queue file should be deleted when the number of files<br />
set in MaxFileNum is reached.<br />
Type<br />
DWORD Value<br />
Data<br />
Specify either of the following:<br />
■ Specify 1 if you want to delete the oldest queue file when the number of files in the queue equals the number set in the MaxFileNum parameter.<br />
■ Specify 0 if you do not want to lose any records.<br />
Setting this value is optional. The default value is 1.<br />
Queues\Default\Queue Rules<br />
<strong>eTrust</strong> <strong>Audit</strong> maintains information about the queue rules used by the Policy<br />
Manager under the following key:<br />
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\<strong>eTrust</strong> <strong>Audit</strong>\Policy Manager\Distribution Server\Queue Manager\Queues\Default\Queue Rules<br />
This key has no rules of its own; it is processed according to the rules defined for the other queues.<br />
Queues\Default\Queue Parameters<br />
<strong>eTrust</strong> <strong>Audit</strong> maintains information about the default queue parameters used by the<br />
Policy Manager under the following key:<br />
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\<strong>eTrust</strong> <strong>Audit</strong>\Policy Manager\Distribution Server\Queue Manager\Queues\Default\Queue Parameters<br />
Under normal circumstances, you would not have any reason to modify these<br />
values.<br />
The key values are as follows:<br />
MaxFileNum<br />
The data value specified for the MaxFileNum key is used to identify the<br />
maximum number of files in the queues.<br />
Type<br />
DWORD Value<br />
Data<br />
Specify the number of files in the queues. The default value is 10.<br />
MaxFileSize<br />
The data value specified for the MaxFileSize key is used to identify the size<br />
of the file in the queue.<br />
Type<br />
DWORD Value<br />
Data<br />
Specify the size of the file in the queue in KB. The default value is 100<br />
KB.<br />
MaxActionTime<br />
The data value specified for the MaxActionTime key is used to identify the<br />
maximum time the distribution server operates in the queue before moving<br />
to another queue.<br />
Type<br />
DWORD Value<br />
Data<br />
Specify the maximum number of milliseconds the distribution server<br />
operates in the queue before moving to another queue. The default value<br />
is 500 milliseconds.<br />
MinActionTime<br />
The data value specified for the MinActionTime key is used to identify the<br />
minimum time the distribution server operates in the queue before moving<br />
to another queue.<br />
Type<br />
DWORD Value<br />
Data<br />
Specify the minimum number of milliseconds the distribution server<br />
operates in the queue before moving to another queue. The default value<br />
is 50 milliseconds.<br />
SleepTime<br />
The data value specified for the SleepTime key is used to identify the time<br />
the distribution server service sleeps without writing any data from the<br />
queue.<br />
Type<br />
DWORD Value<br />
Data<br />
The sleep interval in seconds. The default value is 10 seconds.<br />
RetryDelay<br />
The data value specified for the RetryDelay key is used to identify the<br />
amount of time that passes before trying to transmit a policy again.<br />
Type<br />
DWORD Value<br />
Data<br />
The retry interval in seconds. The default value is 1800 seconds (30<br />
minutes).<br />
MaxLifeTime<br />
The data value specified for the MaxLifeTime key is used to identify the<br />
maximum time a policy can be in the queue before it is erased.<br />
Type<br />
DWORD Value<br />
Data<br />
The maximum time in seconds a policy can be in the queue before it is<br />
erased. The default value is 86400 seconds (24 hours).<br />
DeleteOldFiles<br />
The data value specified for the DeleteOldFiles key is used to identify<br />
whether the oldest queue file should be deleted when the number of files<br />
set in MaxFileNum is reached.<br />
Type<br />
DWORD Value<br />
Data<br />
Specify either of the following:<br />
■ Specify 1 if you want to delete the oldest queue file when the number of files in the queue equals the number set in the MaxFileNum parameter.<br />
■ Specify 0 if you do not want to lose any records.<br />
Setting this value is optional. The default value is 1.<br />
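The Queue Parameters described for the router (Client\Router\Queue Manager\Queues\Default) and for the two Policy Manager distribution queues share the same value names and the same DeleteOldFiles, RetryDelay and MaxLifeTime semantics, and the Management Agent TrustedServers value is the list of hosts allowed to push policy to an agent. The following Python script is an added example, not CA code and not a tool shipped with <strong>eTrust</strong> <strong>Audit</strong>. It parses a .reg export of the <strong>eTrust</strong> <strong>Audit</strong> subtree (as produced by reg export on the key) and reports a queue left at DeleteOldFiles=1, a MaxLifeTime shorter than RetryDelay, and empty or malformed TrustedServers entries, applying the documented defaults for any value that is absent. The embedded sample export is constructed; the host name pattern and the wording of the findings are this example's own assumptions.<br />

```python
"""Offline review of an eTrust Audit .reg export (added example, not CA code)."""
import ipaddress
import re

# Constructed sample export (not from a real system); value names and defaults follow the guide.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Client\Management Agent]
"TrustedServers"="polsrv01, 10.0.5.20,,polsrv-*"
[HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Client\Router\Queue Manager\Queues\Default\Queue Parameters]
"MaxFileNum"=dword:0000000a
"MaxFileSize"=dword:000001f4
"RetryDelay"=dword:00000708
"MaxLifeTime"=dword:00015180
"DeleteOldFiles"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Policy Manager\Distribution Server\Queue Manager\Queues\DistributionQueue\Queue Parameters]
"MaxFileNum"=dword:00000014
"MaxFileSize"=dword:00000064
"RetryDelay"=dword:00000708
"MaxLifeTime"=dword:00000384
"DeleteOldFiles"=dword:00000000
"""
ETRUST = r"HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit"
ROUTER_QUEUE_KEY = ETRUST + r"\Client\Router\Queue Manager\Queues\Default\Queue Parameters"
DIST_QUEUE_KEY = ETRUST + r"\Policy Manager\Distribution Server\Queue Manager\Queues\DistributionQueue\Queue Parameters"
# Documented defaults; the router and distribution queues differ only in MaxFileSize.
ROUTER_DEFAULTS = {"MaxFileNum": 10, "MaxFileSize": 500, "RetryDelay": 1800, "MaxLifeTime": 86400, "DeleteOldFiles": 1}
DIST_DEFAULTS = dict(ROUTER_DEFAULTS, MaxFileSize=100)

_SECTION = re.compile(r"^\[(.+)\]$")
_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
# Host name labels of 1-63 alphanumerics or hyphens, not starting or ending with a hyphen (assumption).
_HOSTNAME = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")

def _decode(data):
    """Decode one .reg data field: a quoted string, dword:hex, or hex:aa,bb,... (binary)."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    if data.startswith("hex"):  # covers both hex: and hex(N):
        return bytes(int(b, 16) for b in data.split(":", 1)[1].split(",") if b.strip())
    return data

def parse_reg(text):
    """Return {key_path: {value_name: decoded_data}} for a .reg export."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):  # binary data continued on the next line
            pending = line[:-1]
            continue
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if m := _SECTION.match(line):
            current = m.group(1)
            keys.setdefault(current, {})
        elif (m := _VALUE.match(line)) and current is not None:
            keys[current][m.group("name")] = _decode(m.group("data"))
    return keys

def check_trusted_servers(value):
    """Validate the comma-separated TrustedServers list; every host on it may push policy."""
    accepted, findings = [], []
    for entry in (e.strip() for e in value.split(",")):
        if not entry:
            findings.append("empty entry in TrustedServers")
            continue
        try:
            ipaddress.ip_address(entry)
        except ValueError:
            if not _HOSTNAME.match(entry):
                findings.append(f"{entry!r} is not a valid host name or IP address")
                continue
        accepted.append(entry)
    return {"servers": accepted, "findings": findings}

def check_queue(values, defaults):
    """Evaluate one Queue Parameters key; unset values take the documented defaults."""
    v = {name: values.get(name, default) for name, default in defaults.items()}
    capacity_kb, findings = v["MaxFileNum"] * v["MaxFileSize"], []
    if v["DeleteOldFiles"] == 1:
        findings.append(f"DeleteOldFiles=1: once {v['MaxFileNum']} files ({capacity_kb} KB) are queued "
                        "the oldest file is deleted and whatever it held is lost")
    if v["MaxLifeTime"] < v["RetryDelay"]:
        findings.append("MaxLifeTime is shorter than RetryDelay: a failed item expires before it is retried")
    retries = v["MaxLifeTime"] // v["RetryDelay"] if v["RetryDelay"] else None
    return {"capacity_kb": capacity_kb, "retries_before_expiry": retries, "findings": findings}

def review(reg_text):
    """Run the applicable checks for each key in the export; results are keyed by registry path."""
    report = {}
    for path, values in parse_reg(reg_text).items():
        if path.endswith("\\Management Agent") and "TrustedServers" in values:
            report["TrustedServers"] = check_trusted_servers(values["TrustedServers"])
        elif path.endswith("\\Queue Parameters"):
            defaults = ROUTER_DEFAULTS if "\\Client\\Router\\" in path else DIST_DEFAULTS
            report[path] = check_queue(values, defaults)
    return report
```

To run it against a real system, export the key with reg export and pass the file contents to review(); the result is keyed by registry path, so the same findings can be fed into whatever reporting you already use. With the documented router defaults the script reports 48 retries before a queued message expires and flags the DeleteOldFiles=1 default as a point where audit records can disappear without an error.<br />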
Queue Manager\Actions<br />
<strong>eTrust</strong> <strong>Audit</strong> maintains information about the actions that rules executed by the<br />
distribution server can specify under the following key:<br />
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\<strong>eTrust</strong> <strong>Audit</strong>\Policy Manager\Distribution Server\Queue Manager\Actions<br />
Under normal circumstances, you would not have any reason to modify these<br />
values.<br />
The key values are as follows:<br />
distribute<br />
The distribute action routes policies to distribution agents.<br />
remove<br />
The remove action removes policies from the distribution agents.<br />
Data Server<br />
The keys in the topics that follow apply to the Data Server.<br />
Database<br />
<strong>eTrust</strong> <strong>Audit</strong> maintains information about the database used by the data server<br />
under the following key:<br />
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\<strong>eTrust</strong> <strong>Audit</strong>\Data Server\Database<br />
Under normal circumstances, you would not have any reason to modify these<br />
values.<br />
The key values are as follows:<br />
<strong>Audit</strong>DSN<br />
The data value specified for the AuditDSN key is used to identify the name<br />
of the data source for the database used by the Data Tools components. This<br />
value is used by the Collector service and by the Viewer and Reporter as the<br />
default database.<br />
Type<br />
String Value<br />
Data<br />
Specify the data source name. The default value is eAudit_DSN.<br />
Note: To switch to a different database, use the ODBC Data Sources applet in<br />
the Windows NT Control Panel (or Administrative Tools in the Control Panel on<br />
Windows 2000) to set up the new database under the same DSN. If you want to<br />
start a new database with a new DSN, you need to set this value to match it.<br />
DSNList<br />
The data value specified for the DSNList key is used to identify additional<br />
system DSNs for the databases used by the Viewer and the Reporter.<br />
Type<br />
String Value<br />
Data<br />
Specify the data source names, separated by commas. The default value<br />
is eAudit_DSN.<br />
UserName<br />
The data value specified for the UserName key is used to identify the name<br />
of the user under whose name connection can be made to the database.<br />
Type<br />
Binary Value<br />
Data<br />
Specify the user name. The value is encrypted. If no value is specified<br />
when the collector service or the Viewer starts, it is requested.<br />
Password<br />
The data value specified for the Password key is used to identify the<br />
password of the user under whose name connection can be made to the<br />
database.<br />
Type<br />
Binary Value<br />
Data<br />
Specify the password. The value is encrypted. If no value is specified<br />
when the collector service or the Viewer starts, it is requested.<br />
Note: You can change the user name and the password using the Encup<br />
utility.<br />
Viewer<br />
<strong>eTrust</strong> <strong>Audit</strong> maintains information about the Viewer under the following key:<br />
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\<strong>eTrust</strong> <strong>Audit</strong>\Data Server\Viewer<br />
Under normal circumstances, you would not have any reason to modify these<br />
values.<br />
The key values are as follows:<br />
FiltersDir<br />
The data value specified for the FiltersDir key is used to identify the location<br />
where the filter definition files are stored.<br />
Type<br />
String Value<br />
Data<br />
Specify the directory name. The default value is install_dir\dat\filters\.<br />
IniFile<br />
The data value specified for the IniFile key is used to identify the location<br />
where the ini file is stored.<br />
Type<br />
String Value<br />
Data<br />
Specify the path of the ini file. The default value is<br />
install_dir\ini\SeAuditW.ini.<br />
Reports<br />
<strong>eTrust</strong> <strong>Audit</strong> maintains information about reports under the following key:<br />
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\<strong>eTrust</strong> <strong>Audit</strong>\Data Server\Reports<br />
Under normal circumstances, you would not have any reason to modify these<br />
values.<br />
The key values are as follows:<br />
ReportsDir<br />
The data value specified for the ReportsDir key is used to identify the<br />
location where reports are stored.<br />
Type<br />
String Value<br />
Data<br />
Specify the directory. The default value is install_dir\dat\reports.<br />
ReadyReportsDir<br />
The data value specified for the ReadyReportsDir key is used to identify the<br />
location where saved reports are stored.<br />
Type<br />
String Value<br />
Data<br />
Specify the directory. The default value is Saved\.<br />
TemplatesDir<br />
The data value specified for the TemplatesDir key is used to identify the<br />
location where the report templates are stored.<br />
Type<br />
String Value<br />
Data<br />
Specify the directory. The default value is Templates\.<br />
MailSubject<br />
The data value specified for the MailSubject key is used to identify the<br />
subject line of email notifications about report completion.<br />
Type<br />
String Value<br />
Data<br />
Specify the text for the subject line. The default value is “Notification<br />
from eTrust Audit Report Generator.”<br />
MailBody<br />
The data value specified for the MailBody key is used to identify the body<br />
text in email notifications about report completion.<br />
Type<br />
String Value<br />
Data<br />
Specify the body text. The default value is “Report has been created<br />
successfully. You can view the report using the eTrust Audit Reporter.”<br />
Security Monitor<br />
eTrust Audit maintains information about the Security Monitor under the<br />
following key:<br />
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Monitors\Security Monitor<br />
Under normal circumstances, you would not have any reason to modify these<br />
values.<br />
The key values are as follows:<br />
EventData<br />
The data value specified for the EventData key is used to identify the name<br />
of a file to which the currently displayed events are written each time you<br />
close the Security Monitor. When you next open the Security Monitor, the<br />
contents of the file are displayed and new events are added.<br />
Type<br />
String Value<br />
Data<br />
Specify the file name, including path. The default value is<br />
install_dir\etc\events.data.<br />
IniFile<br />
The data value specified for the IniFile key is used to identify the location<br />
of the ini file.<br />
Type<br />
String Value<br />
Data<br />
Specify the file name, including path. The default value is<br />
install_dir\ini\SecMonW.ini.<br />
Chapter 7<br />
UNIX INI Files<br />
The Client components running on UNIX are controlled by entries in the<br />
following .ini files:<br />
■ eAudit.ini<br />
■ recorder.ini<br />
The files are located in eTrustAudit_root/ini/, where eTrustAudit_root is the<br />
directory where you installed eTrust Audit.<br />
eAudit.ini<br />
The following topics describe sections of the ini file that you might need to<br />
change.<br />
Ports<br />
Normally, eTrust Audit uses one of its default ports or uses portmapper to<br />
dynamically assign a port. eTrust Audit uses the values of these entries under the<br />
following conditions:<br />
■ The default port is busy<br />
■ The service cannot get the dynamic port from the portmapper<br />
Under normal circumstances, you would not have any reason to modify these<br />
values. However, if a port is being used by another application or service, or you<br />
need to route events through a firewall, you must modify or set these values.<br />
The entries and their default values are as follows:<br />
MonitorPort<br />
The data value specified for the MonitorPort entry is used by the Action Manager<br />
to route actions to the Security Monitor.<br />
Type<br />
String Value<br />
Data<br />
Specify the number of the port to be used.<br />
By default, the port is dynamically assigned by portmapper.<br />
RouterPort<br />
The data value specified for the RouterPort entry is used by the router and<br />
redirector.<br />
Type<br />
String Value<br />
Data<br />
Specify the number of the port to be used.<br />
By default, the port is dynamically assigned by portmapper.<br />
RouterSapiPort<br />
The data value specified for the RouterSapiPort entry is used by the router and<br />
by the UNIX Recorder, the Recorder, the Generic NT Recorder, the Check Point<br />
Firewall-1 Recorder, and applications that use SAPI.<br />
Type<br />
String Value<br />
Data<br />
Specify the number of the port to be used.<br />
By default, the port is dynamically assigned by portmapper.<br />
CollectorPort<br />
The data value specified for the CollectorPort entry is used by the Action Manager<br />
to route actions to the Collector and by the Collector to receive events.<br />
Type<br />
String Value<br />
Data<br />
Specify the number of the port to be used.<br />
By default, the port is dynamically assigned by portmapper.<br />
DistributionPort<br />
The data value specified for the DistributionPort entry is used by the distribution<br />
server and the distribution agent.<br />
Type<br />
String Value<br />
Data<br />
Specify the number of the port to be used. The default is 8025.<br />
SNMPRecorderPort<br />
The data value specified for the SNMPRecorderPort entry is used by the SNMP<br />
recorder.<br />
Type<br />
String Value<br />
Data<br />
Specify the number of the port to be used. The default is 162.<br />
SNMPTrapPort<br />
The data value specified for the SNMPTrapPort entry is used by the Action<br />
Manager to route actions defined as Action SNMP to the router.<br />
Type<br />
String Value<br />
Data<br />
Specify the number of the port to be used. The default is 162.<br />
Messages<br />
The Messages section contains entries that describe the location of the message<br />
file:<br />
MessageFile<br />
Specify the name of the message file, including its full path. The default is<br />
eTrustAudit_root/Messages/message.txt.<br />
Severity<br />
Under this section, you specify values for each type (severity) of message. There<br />
is one subsection per severity, each with the same two entries: Targets<br />
(mandatory) and SkipTimeout (optional). Only the default SkipTimeout value<br />
differs between the subsections.<br />
Fatal<br />
Targets<br />
Specify the names of the targets, separated by commas. The default value is<br />
Monitor,Log.<br />
SkipTimeout<br />
Specify the minimum time interval between identical messages. If eTrust<br />
Audit receives two of the same message within the interval, it discards the<br />
second message. The default value is 0 seconds.<br />
Critical<br />
Targets<br />
Specify the names of the targets, separated by commas. The default value is<br />
Monitor,Log.<br />
SkipTimeout<br />
Specify the minimum time interval between identical messages. If eTrust<br />
Audit receives two of the same message within the interval, it discards the<br />
second message. The default value is 0 seconds.<br />
Error<br />
Targets<br />
Specify the names of the targets, separated by commas. The default value is<br />
Monitor,Log.<br />
SkipTimeout<br />
Specify the minimum time interval between identical messages. If eTrust<br />
Audit receives two of the same message within the interval, it discards the<br />
second message. The default value is 60 seconds.<br />
Warning<br />
Targets<br />
Specify the names of the targets, separated by commas. The default value is<br />
Monitor,Log.<br />
SkipTimeout<br />
Specify the minimum time interval between identical messages. If eTrust<br />
Audit receives two of the same message within the interval, it discards the<br />
second message. The default value is 60 seconds.<br />
Info<br />
Targets<br />
Specify the names of the targets, separated by commas. The default value is<br />
Monitor,Log.<br />
SkipTimeout<br />
Specify the minimum time interval between identical messages. If eTrust<br />
Audit receives two of the same message within the interval, it discards the<br />
second message. The default value is 60 seconds.<br />
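The SkipTimeout rule described in the Severity subsections above, as an added example (Python, not code from this guide or from the product): it parses a constructed eaudit.ini fragment with one section per severity, then applies the suppression rule to a constructed stream of self-monitoring messages. The section layout of the fragment is an assumption, as is measuring the interval from the last delivered copy of a message rather than from the last received one.<br />

```python
import configparser

# Constructed eaudit.ini fragment (sample, not the product's own file). One section per
# severity, each carrying the Targets and SkipTimeout entries with the defaults the
# guide lists. The exact section layout of the real file is an assumption.
SAMPLE_EAUDIT_INI = """\
[Fatal]
Targets=Monitor,Log
SkipTimeout=0

[Critical]
Targets=Monitor,Log
SkipTimeout=0

[Error]
Targets=Monitor,Log
SkipTimeout=60

[Warning]
Targets=Monitor,Log
SkipTimeout=60

[Info]
Targets=Monitor,Log
SkipTimeout=60
"""


def load_severity_config(ini_text):
    """Return {severity: (targets, skip_timeout_seconds)} from the ini text.
    Targets is mandatory; SkipTimeout is optional and defaults to 0 (no suppression)."""
    cp = configparser.ConfigParser()
    cp.optionxform = str  # keep entry names exactly as written
    cp.read_string(ini_text)
    cfg = {}
    for sev in cp.sections():
        targets = [t.strip() for t in cp[sev]["Targets"].split(",") if t.strip()]
        cfg[sev] = (targets, int(cp[sev].get("SkipTimeout", "0")))
    return cfg


class MessageFilter:
    """Applies the SkipTimeout rule: an identical message at the same severity is
    discarded if it arrives less than SkipTimeout seconds after the last copy that was
    delivered. SkipTimeout=0 disables suppression (Fatal and Critical by default)."""

    def __init__(self, cfg):
        self.cfg = cfg
        self.last_sent = {}  # (severity, text) -> time of the last delivered copy

    def deliver(self, severity, text, now):
        """Return the list of targets to send to, or [] if the message is suppressed."""
        targets, skip = self.cfg[severity]
        key = (severity, text)
        last = self.last_sent.get(key)
        if skip > 0 and last is not None and now - last < skip:
            return []
        self.last_sent[key] = now
        return list(targets)


def run_sample():
    """Feed a constructed stream of (seconds, severity, text) through the filter and
    return, per message, the targets it was delivered to ([] means suppressed)."""
    f = MessageFilter(load_severity_config(SAMPLE_EAUDIT_INI))
    stream = [
        (0, "Error", "collector unreachable"),
        (0, "Fatal", "disk full"),
        (1, "Fatal", "disk full"),                # SkipTimeout=0: never suppressed
        (5, "Error", "queue file rotated"),       # different text: tracked separately
        (30, "Error", "collector unreachable"),   # 30 s after delivery, inside 60 s: dropped
        (61, "Error", "collector unreachable"),   # 61 s after delivery: sent again
        (62, "Error", "collector unreachable"),   # 1 s after that delivery: dropped
    ]
    return [f.deliver(sev, text, t) for t, sev, text in stream]


if __name__ == "__main__":
    for targets in run_sample():
        print(targets or "suppressed")
```

The suppression key includes the severity, so the same text logged as Warning and as Error is counted separately; this matches the guide's placement of SkipTimeout inside each severity subsection.<br />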
Targets<br />
Monitor<br />
eTrust Audit maintains information about the self-monitor target used to send<br />
its own notification messages under the following entries:<br />
Host<br />
The data value specified for the Host entry is used to identify the host where<br />
messages are to be sent.<br />
Type<br />
String Value<br />
Data<br />
Specify the name of the host.<br />
MonitorPort<br />
The data value specified for the MonitorPort entry is used to identify the port<br />
used by the Security Monitor.<br />
Type<br />
String Value<br />
Data<br />
Specify the number of the port.<br />
By default, the port is dynamically assigned by portmapper.<br />
Recorders<br />
By default, the recorder sends messages to the router on the system where it is<br />
installed. However, as you deploy eTrust Audit throughout your enterprise, you<br />
can change this value to send events to dedicated routers. You identify a<br />
dedicated router system by changing the value of DefaultRouter to the host name<br />
or IP address of that system.<br />
The values are as follows:<br />
RecordersIniFile<br />
Specify the path to the recorder .ini file. The default value is ini/recorder.ini.<br />
DefaultRouter<br />
Specify the host name or IP address of the computer that runs the eTrust<br />
Audit router. An empty value means use the local host.<br />
SNMP Recorder<br />
eTrust Audit maintains information about the mapping file used by the SNMP<br />
recorder to parse events. The values are as follows:<br />
MPFile<br />
Specify the name of the mapping file used by the SNMP recorder to parse<br />
events. The default value is cfg/snmptd_rec.mp.<br />
Router<br />
eTrust Audit maintains information used by the router. The values are as<br />
follows:<br />
RulesDirectory<br />
Specify the directory where the router configuration files are located. The<br />
default is cfg/.<br />
RulesExtension<br />
Specify the extension for router configuration files. The default value is cfg.<br />
Queue Manager<br />
eTrust Audit maintains information about the queues used by the router. The<br />
values are as follows:<br />
DirectoryName<br />
Specify the directory where queues are located. The default value is<br />
eTrustAudit_root/dat/Queue/route.<br />
AlertQueue Queue Rules<br />
eTrust Audit maintains information about the alert queue rules. The values are<br />
as follows:<br />
monitor<br />
Specify the name of the action and target, separated by a semicolon. The<br />
default value is “monitor;”<br />
snmp<br />
Specify the name of the action and target, separated by a semicolon. The<br />
default value is “snmp;”<br />
AlertQueue Queue Parameters<br />
eTrust Audit maintains information about the parameters of the alert queue used<br />
by the router. The values are as follows:<br />
MaxFileNum<br />
Specify the maximum number of files in the queue. The default value is 10.<br />
MaxFileSize<br />
Specify the maximum size of each file in the queue. The default value is 500 KB.<br />
MaxActionTime<br />
Specify the maximum time the action manager operates on this queue before<br />
moving to another queue. The default is 500 milliseconds.<br />
MinActionTime<br />
Specify the minimum time the action manager operates on this queue before<br />
moving to another queue. The default value is 20 milliseconds.<br />
SleepTime<br />
Specify the time the action manager service sleeps when it has no data to write<br />
from the queue. The default value is 3 seconds.<br />
RetryDelay<br />
Specify the amount of time that passes before trying to transmit a message<br />
again. The default value is 600 seconds (10 minutes).<br />
MaxLifeTime<br />
Specify the maximum time a message can stay in the queue before it is erased.<br />
The default value is 86400 seconds (24 hours).<br />
DeleteOldFiles<br />
Specify whether the oldest queue file should be deleted when the number of<br />
files reaches MaxFileNum.<br />
Specify either of the following:<br />
■ Specify 1 if you want to delete the oldest queue file when the number of<br />
files in the queue equals the number set in the MaxFileNum parameter.<br />
■ Specify 0 if you do not want to lose any record.<br />
Setting this value is optional. The default value is 1.<br />
CollectionQueue Queue Rules<br />
eTrust Audit maintains information about the collection queue rules used by the<br />
router. The values are as follows:<br />
Collector<br />
Specify the name of the collector. The default value is “collector;”<br />
CollectionQueue Queue Parameters<br />
eTrust Audit maintains information about the parameters of the collection queue<br />
used by the router. The values are as follows:<br />
MaxFileNum<br />
Specify the maximum number of files in the queue. The default value is 10.<br />
MaxFileSize<br />
Specify the maximum size of each file in the queue. The default value is 500 KB.<br />
MaxActionTime<br />
Specify the maximum time the action manager operates on this queue before<br />
moving to another queue. The default is 500 milliseconds.<br />
MinActionTime<br />
Specify the minimum time the action manager operates on this queue before<br />
moving to another queue. The default value is 10 milliseconds.<br />
SleepTime<br />
Specify the time the action manager service sleeps when it has no data to write<br />
from the queue. The default value is 3 seconds.<br />
RetryDelay<br />
Specify the amount of time that passes before trying to transmit a message<br />
again. The default value is 900 seconds (15 minutes).<br />
MaxLifeTime<br />
Specify the maximum time a message can stay in the queue before it is erased.<br />
The default value is 259200 seconds (72 hours).<br />
DeleteOldFiles<br />
Specify whether the oldest queue file should be deleted when the number of<br />
files reaches MaxFileNum.<br />
Specify either of the following:<br />
■ Specify 1 if you want to delete the oldest queue file when the number of<br />
files in the queue equals the number set in the MaxFileNum parameter.<br />
■ Specify 0 if you do not want to lose any record.<br />
Setting this value is optional. The default value is 1.<br />
Default Queue Rules<br />
The default section has no rules of its own; it gets all the rules of the other<br />
subsections.<br />
Default Queue Parameters<br />
eTrust Audit maintains information about the parameters of the default queue<br />
used by the router. The values are as follows:<br />
MaxFileNum<br />
Specify the maximum number of files in the queue. The default value is 10.<br />
MaxFileSize<br />
Specify the maximum size of each file in the queue. The default value is 500 KB.<br />
MaxActionTime<br />
Specify the maximum time the action manager operates on this queue before<br />
moving to another queue. The default is 500 milliseconds.<br />
MinActionTime<br />
Specify the minimum time the action manager operates on this queue before<br />
moving to another queue. The default value is 10 milliseconds.<br />
SleepTime<br />
Specify the time the action manager service sleeps when it has no data to write<br />
from the queue. The default value is 3 seconds.<br />
RetryDelay<br />
Specify the amount of time that passes before trying to transmit a message<br />
again. The default value is 1800 seconds (30 minutes).<br />
MaxLifeTime<br />
Specify the maximum time a message can stay in the queue before it is erased.<br />
The default value is 86400 seconds (24 hours).<br />
DeleteOldFiles<br />
Specify whether the oldest queue file should be deleted when the number of<br />
files reaches MaxFileNum.<br />
Specify either of the following:<br />
■ Specify 1 if you want to delete the oldest queue file when the number of<br />
files in the queue equals the number set in the MaxFileNum parameter.<br />
■ Specify 0 if you do not want to lose any record.<br />
Setting this value is optional. The default value is 1.<br />
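The queue rotation and expiry parameters listed for the AlertQueue, CollectionQueue and Default queues, as an added example (Python, not the router's own code): an in-memory model of one queue directory that rotates to a new file at MaxFileSize, enforces MaxFileNum with DeleteOldFiles set to 1 (the oldest file is deleted) or 0 (no record is lost; the queue refuses new data instead), and erases records older than MaxLifeTime. The file layout and the small sizes used in the scenario are constructed for illustration; the guide does not describe the on-disk format.<br />

```python
class QueueFull(Exception):
    """Raised when DeleteOldFiles=0 and the queue already holds MaxFileNum files."""


class RouterQueue:
    """In-memory model of one router queue directory. The file layout is constructed for
    illustration; the guide does not describe the on-disk format. Parameter names follow
    the ini entries: MaxFileNum, MaxFileSize (bytes here), MaxLifeTime (seconds) and
    DeleteOldFiles (1 or 0)."""

    def __init__(self, max_file_num=10, max_file_size=500 * 1024,
                 max_life_time=86400, delete_old_files=1):
        self.max_file_num = max_file_num
        self.max_file_size = max_file_size
        self.max_life_time = max_life_time
        self.delete_old_files = delete_old_files
        self.files = []    # oldest first; each file is a list of (timestamp, payload)
        self.sizes = []    # bytes per file, parallel to self.files
        self.dropped = 0   # records lost because DeleteOldFiles=1 removed their file

    def _open_new_file(self):
        if len(self.files) >= self.max_file_num:
            if not self.delete_old_files:
                raise QueueFull("%d files present and DeleteOldFiles=0" % self.max_file_num)
            self.dropped += len(self.files.pop(0))   # DeleteOldFiles=1: oldest file goes
            self.sizes.pop(0)
        self.files.append([])
        self.sizes.append(0)

    def put(self, payload, now):
        """Append one record, rotating to a new file when the current one would exceed
        MaxFileSize. Raises QueueFull instead of dropping anything when DeleteOldFiles=0."""
        if not self.files or self.sizes[-1] + len(payload) > self.max_file_size:
            self._open_new_file()
        self.files[-1].append((now, payload))
        self.sizes[-1] += len(payload)

    def expire(self, now):
        """Erase records that have been queued for MaxLifeTime seconds or more.
        Returns the number of records erased."""
        erased = 0
        for i, records in enumerate(self.files):
            keep = [(ts, p) for ts, p in records if now - ts < self.max_life_time]
            erased += len(records) - len(keep)
            self.files[i] = keep
            self.sizes[i] = sum(len(p) for _, p in keep)
        return erased

    def pending(self):
        return sum(len(f) for f in self.files)


def run_sample():
    """Constructed scenario: 1 KB files, at most 3 of them, 24 h MaxLifeTime, 256-byte
    records, so four records fill a file and 16 records need one file too many."""
    results = {}
    record = b"x" * 256

    keep_newest = RouterQueue(max_file_num=3, max_file_size=1024, delete_old_files=1)
    for i in range(16):
        keep_newest.put(record, now=float(i))
    results["files_after_rotation"] = len(keep_newest.files)   # capped at MaxFileNum
    results["dropped_by_rotation"] = keep_newest.dropped        # the oldest file's records
    results["pending"] = keep_newest.pending()

    keep_all = RouterQueue(max_file_num=3, max_file_size=1024, delete_old_files=0)
    accepted = 0
    try:
        for i in range(16):
            keep_all.put(record, now=float(i))
            accepted += 1
    except QueueFull:
        pass
    results["accepted_with_delete_off"] = accepted              # stops at 3 full files

    # MaxLifeTime: at 24 h + 6 s, the records stamped 4, 5 and 6 s are 86400 s or older
    results["erased_by_lifetime"] = keep_newest.expire(now=86400.0 + 6.0)
    results["pending_after_expire"] = keep_newest.pending()
    return results


if __name__ == "__main__":
    for name, value in run_sample().items():
        print(name, value)
```

With DeleteOldFiles=0 the caller sees a QueueFull error rather than silent loss, which is the trade-off the parameter describes: nothing is erased, but new events back up until the action manager drains the queue. MaxLifeTime bounds how long a message can wait for a target that stays unreachable through repeated RetryDelay cycles.<br />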
Actions<br />
eTrust Audit maintains information about the actions used by the router. The<br />
values are as follows:<br />
file<br />
The file action routes events to a file in ASCII text format. It has no<br />
parameters you should change.<br />
monitor<br />
The monitor action routes events to the security monitor. It has no<br />
parameters you should change.<br />
collector<br />
The collector action routes events to the collector database. It has no<br />
parameters you should change.<br />
mail<br />
The mail action routes messages to a designated SMTP mail server and on to<br />
an email address.<br />
The parameters are as follows:<br />
MailSubject<br />
Specify the subject line for eTrust Audit mail. The default is “Notification<br />
from eTrust Audit.”<br />
remote<br />
The remote action routes events, without filtering, to an action manager on the<br />
host named in the action, where they are executed.<br />
route<br />
The route action sends events to the host named in the action, where they are<br />
reviewed by the router on that system and executed according to any filters<br />
that apply on that system.<br />
snmp<br />
The snmp action sends SNMP traps to the host named in the action.<br />
program<br />
The program action executes a command named in the action on the local<br />
host.<br />
unicenter<br />
The unicenter action routes events to the Event Management Console on the<br />
host named in the action.<br />
The parameters are as follows:<br />
UnicenterHome<br />
Specify the location of the Event Management Console installation<br />
directory.<br />
Management Agent<br />
eTrust Audit maintains information about which systems are trusted policy<br />
servers and parameters related to policy distribution.<br />
When you install eTrust Audit, you identify the name of a trusted policy server. By<br />
changing the value of TrustedServers, you can identify additional policy servers.<br />
The values are as follows:<br />
TrustedServers<br />
Specify the host names or IP addresses of one or more policy servers,<br />
separated by commas.<br />
Parameters<br />
eTrust Audit maintains information about how policy management runs. The<br />
values are as follows:<br />
TmpPolicyDir<br />
Specify the directory where temporary policy files are stored. The default<br />
value is eTrustAudit_root/dat/tmp/agent_tmp_policies.<br />
ConnectionTimeout<br />
Specify the number of seconds after which a connection between a policy<br />
server and distribution agent is closed. The default value is 600 seconds.<br />
ReceiveTimeout<br />
Specify an internal parameter for the TCP session. The default value is 10<br />
seconds.<br />
SendTimeout<br />
Specify an internal parameter for the TCP session. The default value is 10<br />
seconds.<br />
DistributionTimeout<br />
Specify the time from the start of the TCP session until the agent receives the<br />
policy. The default value is 800 seconds.<br />
AN Types<br />
eTrust Audit maintains information about the types of event logs defined to it.<br />
The values are as follows:<br />
Apache<br />
eTrust Audit maintains information about the library used by the Apache AN<br />
type.<br />
LibraryName<br />
Specify the library used to process Apache events. The default value is<br />
TGNR.<br />
Default<br />
eTrust Audit maintains information about the library used by the Default AN<br />
type.<br />
LibraryName<br />
Specify the library used to process Default events. The default value is<br />
TGNR.<br />
eTrust Access Control<br />
eTrust Audit maintains information about the library used by the eTrust Access<br />
Control AN type.<br />
LibraryName<br />
Specify the library used to process eTrust Access Control events. The default<br />
value is TGNR.<br />
Netscape<br />
eTrust Audit maintains information about the library used by the Netscape AN<br />
type.<br />
LibraryName<br />
Specify the library used to process Netscape events. The default value is<br />
TGNR.<br />
NT<br />
eTrust Audit maintains information about the library used by the NT AN type.<br />
LibraryName<br />
Specify the library used to process NT events. The default value is TALR.<br />
Oracle<br />
eTrust Audit maintains information about the library used by the Oracle AN<br />
type.<br />
LibraryName<br />
Specify the library used to process Oracle events. The default value is TGNR.<br />
UNIX<br />
eTrust Audit maintains information about the library used by the UNIX AN<br />
type.<br />
LibraryName<br />
Specify the library used to process UNIX events. The default value is TGNR.<br />
recorder.ini<br />
The following topics describe sections of the ini file that you might need to<br />
change.<br />
Recorder Modules<br />
The recorders supported by eTrust Audit in UNIX are:<br />
■ File Spooler (UNIX native recorder)<br />
■ Netscape<br />
■ Apache<br />
■ Oracle<br />
Each recorder has its own section in the recorder.ini file, which bears its name.<br />
The topics that follow describe the entries found in the section for each recorder.<br />
Definitions<br />
The following definitions are found in all UNIX recorders supported by eTrust<br />
Audit, except for the last definition, ORACLE_HOME, which is found only in the<br />
Oracle recorder:<br />
ModuleName<br />
Specify the unique name for the recorder module.<br />
LibraryPrefix<br />
Specify the prefix for the name of the recorder module library.<br />
Active<br />
When specified, activates the recorder module.<br />
SleepInterval<br />
Specify the time, in seconds, that the service sleeps after each record. The<br />
default value is 1.<br />
SendInterval<br />
Specify the time, in seconds, that the service sleeps after the value of<br />
MaxSeqNoSleep is reached. The default value is 10.<br />
MaxSeqNoSleep<br />
Specify the maximum number of records sent before sleeping. The default<br />
value is 50.<br />
ORACLE_HOME<br />
Specify where Oracle is located on the file system.<br />
Parameters<br />
The Parameters section is found in all UNIX recorders supported by eTrust<br />
Audit. However, the Oracle recorder differs significantly from the others:<br />
■ In all recorders except Oracle, this section holds two parameters: DatFilePath,<br />
a mandatory parameter found in all UNIX recorders supported by eTrust Audit,<br />
and MPDebug, an optional parameter found in all recorders except Oracle. If<br />
you specify MPDebug=1, debug information for the message parser is<br />
generated.<br />
■ Besides the DatFilePath parameter and the MP file parameter (see Log Data),<br />
the Oracle recorder has additional parameters that are not found in the other<br />
recorders.<br />
The parameters are as follows:<br />
DatFilePath<br />
Specify the relative path to the .dat file as follows:<br />
UNIX<br />
The default value is dat/recorders/syslog.dat.<br />
Netscape<br />
The default value is dat/recorders/netscape.dat.<br />
Apache<br />
The default value is dat/recorders/apache.dat.<br />
Oracle<br />
The default value is dat/recorders/oracle.dat.<br />
ORACLE_SID<br />
Specify the Oracle SID on the local host.<br />
TWO_TASK<br />
Specify the Oracle service name on the remote host.<br />
Password<br />
Specify the password for the user that can connect to the Oracle<br />
database. The value is encrypted.<br />
Username<br />
Specify the name of the user that can connect to the Oracle database. The<br />
value is encrypted.<br />
Log Data<br />
The Log Data section describes parameters for the recorder logs. The file spooler<br />
has two logs: syslog and sulog. Other recorders have only one log, which bears<br />
their name: Netscape or Apache.<br />
Notes:<br />
■ The only parameter here that is also found in Oracle is the Mpfile parameter.<br />
■ The ConfigFile and Source parameters are found only in syslog.<br />
The values are as follows:<br />
LogName<br />
Specify the recorder name: Unix, Netscape, or Apache. You should not<br />
change this value.<br />
StartOver<br />
If 1 is specified, eTrust Audit restarts reading the log files from the beginning<br />
(ignores the .dat file). The default value is 0.<br />
SkipCurrentLogs<br />
Specify one of the following:<br />
0 Skips old records from the log files.<br />
1 Sends all records from the log files.<br />
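The StartOver and SkipCurrentLogs behaviour described above, as an added example (Python, not the recorder's own code): a minimal file spooler that keeps the position it has read up to in a .dat checkpoint, so that a restart resumes where it left off, StartOver=1 ignores the checkpoint, and SkipCurrentLogs decides whether records already in the log are sent or skipped when there is no checkpoint to resume from. The checkpoint format (a JSON offset) and the handling of a log that has shrunk since the last poll are assumptions made for illustration; the guide does not describe the real .dat layout.<br />

```python
import json
import os
import shutil
import tempfile


class LogSpooler:
    """Reads new lines from one log file and records the position reached in a .dat
    checkpoint file (constructed JSON layout; the real .dat format is not described).

    start_over=1        ignore the checkpoint at start-up and read from the beginning
    skip_current_logs=0 with no usable checkpoint, skip the records already in the log
    skip_current_logs=1 with no usable checkpoint, send every record already in the log"""

    def __init__(self, log_path, dat_path, start_over=0, skip_current_logs=1):
        self.log_path = log_path
        self.dat_path = dat_path
        self.skip_current_logs = skip_current_logs
        self._ignore_checkpoint = bool(start_over)   # StartOver applies to the first poll

    def _load_offset(self):
        try:
            with open(self.dat_path) as fh:
                return int(json.load(fh)["offset"])
        except (OSError, ValueError, KeyError):
            return None                               # missing or unreadable .dat

    def _save_offset(self, offset):
        with open(self.dat_path, "w") as fh:
            json.dump({"offset": offset}, fh)

    def poll(self):
        """Return the complete lines added since the checkpoint and advance it."""
        restart = self._ignore_checkpoint
        self._ignore_checkpoint = False
        offset = None if restart else self._load_offset()
        size = os.path.getsize(self.log_path)
        if offset is None:
            offset = 0 if (restart or self.skip_current_logs) else size
        elif offset > size:
            offset = 0                                # log truncated or rotated: start again
        with open(self.log_path, "rb") as fh:
            fh.seek(offset)
            data = fh.read()
        lines = data.split(b"\n")
        complete, partial = lines[:-1], lines[-1]     # a partial last line waits for next poll
        self._save_offset(offset + len(data) - len(partial))
        return [line.decode("utf-8", "replace") for line in complete]


def run_sample():
    """Constructed scenario: three existing records, then two appended ones, polled with
    each setting; the log text and file names are made up for the example."""
    results = {}
    tmp = tempfile.mkdtemp()
    try:
        log = os.path.join(tmp, "messages")
        with open(log, "wb") as fh:
            fh.write(b"old 1\nold 2\nold 3\n")
        # SkipCurrentLogs=0: records already in the log are skipped
        skip = LogSpooler(log, os.path.join(tmp, "skip.dat"), skip_current_logs=0)
        results["skip_first"] = skip.poll()
        # SkipCurrentLogs=1: records already in the log are all sent
        full = LogSpooler(log, os.path.join(tmp, "full.dat"), skip_current_logs=1)
        results["full_first"] = full.poll()
        with open(log, "ab") as fh:
            fh.write(b"new 4\nnew 5\n")
        results["skip_second"] = skip.poll()          # both now see only the new records
        results["full_second"] = full.poll()
        # StartOver=1 on a restart: the saved checkpoint is ignored, everything is re-read
        again = LogSpooler(log, os.path.join(tmp, "full.dat"), start_over=1)
        results["start_over"] = again.poll()
        # a restart without StartOver honours the checkpoint the previous run saved
        resumed = LogSpooler(log, os.path.join(tmp, "full.dat"))
        results["resumed"] = resumed.poll()
    finally:
        shutil.rmtree(tmp)
    return results


if __name__ == "__main__":
    for name, lines in run_sample().items():
        print(name, lines)
```

Note that StartOver=1 left in the file permanently would re-send the whole log on every start; the example applies it once per process start, which is the reading of the entry's description that keeps the .dat checkpoint meaningful.<br />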
Mpfile<br />
Specify the relative path to the .mp file as follows:<br />
UNIX<br />
The default value is cfg/syslog.mp or cfg/sulog.mp.<br />
Netscape<br />
The default value is cfg/netscape.mp.<br />
Apache<br />
The default value is cfg/apache.mp.<br />
Oracle<br />
The default value is cfg/oracle.mp.<br />
ConfigFile<br />
Specify the path to the syslog configuration file. The default value is<br />
/etc/syslog.conf.<br />
Source<br />
Specify one of the following:<br />
0 Takes the log files defined in the default configuration file plus all log<br />
files found in the LogFiles section.<br />
1 Takes the log files defined in the configuration file named by the ConfigFile<br />
parameter, plus all log files found in the LogFiles section.<br />
LogFiles<br />
Specify a list of paths to log files from which records are to be read as<br />
follows:<br />
Chapter 8<br />
Encryption Options<br />
By default, the information eTrust Audit sends from station to station is encrypted<br />
using 56-bit DES encryption. You can change your encryption key, switch to a<br />
different encryption cipher, or turn off encryption. Whatever you do about<br />
encryption, you should do the same thing at every station where eTrust Audit is<br />
installed.<br />
Note: Unencrypted information is accepted from all sources, regardless of their<br />
encryption setting.<br />
Changing Your Encryption Key<br />
You can change the encryption key at any time, and you can change back to the<br />
default key at any time. But whenever you change the key at any station, you<br />
must make the same change at all stations.<br />
Note: You must make the encryption change manually at each station. There is<br />
no way to automatically distribute the change to each station in your eTrust<br />
Audit environment.<br />
eTrust Audit generates new keys using the MD5 hashing function. They can be<br />
based on a file or string of any size.<br />
To change the encryption key:<br />
1. Stop the eTrust Audit services and Security Monitor, if installed.<br />
2. From the command line, use the setkey utility. On Windows systems, setkey<br />
is located in the install_dir\bin directory (where install_dir is the directory in<br />
which you installed eTrust Audit). On UNIX systems, setkey is located in the<br />
install_dir/bin directory.<br />
3. Restart the services and Security Monitor.<br />
setkey Command Options<br />
You can use the following options for the setkey command:<br />
-c<br />
Clears the user key and sets a default key.<br />
-f[e] filename<br />
Specifies the contents of filename as the basis for the new encryption key. If<br />
the file is not in the current directory, you can include an absolute or relative<br />
pathname.<br />
If you use -fe, the file is then deleted. If you use -f, the file remains.<br />
-help<br />
Displays these syntax options.<br />
-k newkey<br />
Installs newkey as the basis for the new encryption key.<br />
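How an MD5-based key can be derived from the string given with -k or the file given with -f, and why the result must match at every station, as an added example (Python, not the setkey utility's own code): the digest step follows the chapter's statement that keys are generated with MD5 from a file or string of any size; the mapping of the digest onto a 56-bit DES key (first 8 digest bytes with DES odd parity) is an assumption made for illustration, since the guide does not describe it. Both MD5 and 56-bit DES are weak by current standards, which bears on the chapter's option of switching to a different cipher.<br />

```python
import hashlib
import os
import tempfile


def key_material_from_string(newkey):
    """MD5 of the string given to setkey -k (the guide says keys are MD5-generated)."""
    return hashlib.md5(newkey.encode("utf-8")).digest()


def key_material_from_file(path):
    """MD5 of the contents of the file given to setkey -f, streamed so that a file of
    any size can be used."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.digest()


def des56_key_from_digest(digest):
    """ASSUMPTION for illustration: take the first 8 digest bytes and set DES odd parity
    on each, so the key carries the 56 effective bits DES uses. The guide does not
    say how eTrust Audit maps the digest onto its DES key."""
    out = bytearray()
    for b in digest[:8]:
        b &= 0xFE                          # clear the parity (least significant) bit
        if bin(b).count("1") % 2 == 0:     # even number of ones: set the parity bit
            b |= 0x01
        out.append(b)
    return bytes(out)


def stations_agree(keys):
    """The chapter's operational rule: every station must hold the same key."""
    return len(set(keys)) == 1


def run_sample():
    """Constructed check: the same passphrase given as -k text or as a -f file yields
    the same key, while a station keyed from a different passphrase breaks agreement."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(b"abc")               # constructed key file contents
        from_string = des56_key_from_digest(key_material_from_string("abc"))
        from_file = des56_key_from_digest(key_material_from_file(path))
    finally:
        os.remove(path)
    odd_one = des56_key_from_digest(key_material_from_string("abd"))
    return {
        "key_hex": from_string.hex(),
        "string_and_file_match": from_string == from_file,
        "three_stations_agree": stations_agree([from_string, from_file, odd_one]),
    }


if __name__ == "__main__":
    for name, value in run_sample().items():
        print(name, value)
```

Comparing key fingerprints rather than the keys themselves is the practical way to confirm the "same change at all stations" rule after running setkey on each host; -fe, which deletes the key file afterwards, is the option to prefer once the fingerprint has been recorded.<br />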
Turning Off Encryption<br />
To turn off encryption in Windows, delete the \winnt\system32\adcipher.dll<br />
file.<br />
To turn off encryption in UNIX, delete the /usr/lib/adcipher.so file.<br />
To turn encryption back on in Windows, copy the file<br />
install_dir\bin\Des56bit.dll to \winnt\system32\adcipher.dll.<br />
To turn encryption back on in UNIX, create a link /usr/lib/adcipher.so to the<br />
install_dir/bin/Des56bit library.<br />
Chapter 9<br />
Firewall Considerations<br />
To enable communications between eTrust Audit components through a firewall,<br />
you must configure the eTrust Audit components on each side of the firewall to<br />
use the same open port in the firewall. For example, you might:<br />
■ Install the Security Monitor, the Router or the Collector service on one side of<br />
a firewall<br />
■ Install the recorder and router services on the opposite side<br />
However, if the firewall does not allow communication in the protected network,<br />
the client and the server (the redirector service, the router service and the<br />
Collector service) must be made to agree on a specific port.<br />
You can ensure agreement by setting the same value in the registry at the client<br />
and the server stations.<br />
1. At the client stations, edit the Ports values. On Windows systems, edit the<br />
following registry key:<br />
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Ports<br />
For example:<br />
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Ports\MonitorPort<br />
On UNIX systems, edit the value for MonitorPort in the eaudit.ini file.<br />
For more information on these parameters, see Ports in the “Windows<br />
Registry Entries” chapter or the “UNIX INI Files” chapter.<br />
2. Enter the same entry and value in the registry (or in the eaudit.ini file) at the<br />
target station.<br />
Firewall Considerations 9–1
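The agreement between the two stations can be checked before the firewall change is requested. The following Python script is an added example and not part of eTrust Audit: it parses a regedit export of the Ports key taken on the Windows client and the eaudit.ini copied from the UNIX target, and reports every port value that is missing on one side or differs. It assumes that the registry values are stored as REG_DWORD and that eaudit.ini keeps the ports in a [Ports] section; both sample inputs are constructed for the demonstration.

```python
"""Compare eTrust Audit port settings between a Windows client (registry
export) and a UNIX target (eaudit.ini) so that both sides use the port that
is open in the firewall.

Added example, not part of the eTrust Audit product.  Assumptions: the
.reg file was exported from the Ports key named below, the port values are
REG_DWORD, and eaudit.ini keeps them in a [Ports] section.  Both inputs
below are constructed samples.
"""
import configparser
import re

PORTS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Ports"

# Constructed sample: regedit export of the Ports key on the client station.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Ports]
"MonitorPort"=dword:00000feb
"RouterPort"=dword:00000fec
"""

# Constructed sample: eaudit.ini on the UNIX target station.
SAMPLE_INI = """[Ports]
MonitorPort=4075
RouterPort=4077
"""


def parse_reg_ports(reg_text):
    """Return {value name: port} for the REG_DWORD values under PORTS_KEY."""
    ports = {}
    in_ports_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # Key names are case-insensitive in the registry.
            in_ports_key = line[1:-1].lower() == PORTS_KEY.lower()
            continue
        m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
        if in_ports_key and m:
            ports[m.group(1)] = int(m.group(2), 16)   # dword values are hex
    return ports


def parse_ini_ports(ini_text, section="Ports"):
    """Return {value name: port} from the [Ports] section of eaudit.ini."""
    cp = configparser.ConfigParser()
    cp.optionxform = str            # keep MonitorPort etc. in their original case
    cp.read_string(ini_text)
    if not cp.has_section(section):
        return {}
    return {name: int(value) for name, value in cp.items(section)}


def compare_ports(client, server, names=("MonitorPort",)):
    """Return [(name, client_port, server_port)] for every name that is
    missing on one side or set to different values; empty means agreement."""
    mismatches = []
    for name in names:
        c, s = client.get(name), server.get(name)
        if c is None or s is None or c != s:
            mismatches.append((name, c, s))
    return mismatches


if __name__ == "__main__":
    client_ports = parse_reg_ports(SAMPLE_REG)
    server_ports = parse_ini_ports(SAMPLE_INI)
    for name, c, s in compare_ports(client_ports, server_ports,
                                    names=("MonitorPort", "RouterPort")):
        print(f"MISMATCH {name}: client={c} server={s}")
```

Run it with the real export and INI file in place of the samples; every line it prints is a port that the firewall rule and one of the two stations disagree on.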
Chapter 10
Database Considerations
This chapter describes database considerations, including the following:
■ Preparing an eTrust Audit database
■ Configuring an Oracle client
■ Configuring Windows NT authentication with Microsoft SQL Server
■ Changing the database type after installation
Preparing the eTrust Audit Database
You should prepare the dedicated database for eTrust Audit before you install the eTrust Audit Data Tools components. This task should be performed by the DBA.
Oracle Databases
Perform the following tasks:
1. Create a new dedicated tablespace for the event database.
2. Create a new Oracle user ID with DBA privileges and define the created tablespace as the default tablespace for this user.
3. If the Collector will run on a UNIX host, create the tables in the new tablespace by running the script oracle.sql with the Oracle SQL*Plus utility. The script is located in the directory CDMOUNT/eTrust/Audit/DataTools/unix_platform/ on the product CD.
The DBA privilege that the installation requires is far broader than the Collector needs to write events into its own tablespace. Treat this account as a privileged one: give it a strong password, do not use it interactively, and have the DBA review its privileges once installation is complete.
MS SQL Server Databases
Perform the following tasks:
1. Create a new dedicated database.
2. Create a new MS SQL Server user with DBA privileges and define the created database as the default database for this user.
Configuring an Oracle Client
At each station where you want to work with an Oracle Server database, you must configure an Oracle client. Ensure that you have the following information (if you are unsure, consult your Oracle Server DBA):
■ The Oracle Server's host name
■ The Oracle Server's port number (usually 1521)
■ The username and password of the Oracle account where the eTrust Audit tables are defined
Windows
Perform the following tasks:
1. Start the Oracle configuration utility (Oracle Net8 Easy Config utility for Oracle 9 or Net8 Configuration Assistant for Oracle 8i and 9i), and then choose Add New Service. Any name is acceptable as the name of the new service, but we recommend you use the same name for all users.
2. Select TCP/IP as the protocol for the connection to the service.
3. Specify the name of the host on which the Oracle service runs. Unless you have a local reason to change the port number, leave 1521 selected.
4. Specify the database SID name.
5. Check the new connection by clicking the Test Service option. Enter the username and password, and then click Test. If the result is positive, the connection is properly defined. Otherwise, consult your Oracle Server DBA.
UNIX
Open the file tnsnames.ora under the following path:
ORACLE_HOME/network/admin/
and add a configuration section for the new Oracle service, using the same protocol (TCP), host, port and SID that you would enter on Windows.
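The UNIX step has no equivalent of the Windows "Test Service" button, so the entry is easy to get wrong silently. The following Python script is an added example, not product code: it renders the tnsnames.ora entry for the service, parses a tnsnames.ora file with a small recursive parser for its parenthesised syntax, and checks that the named entry uses TCP and the expected host, port and SID. The service name AUDITDB, the host oradb01.example.net and the SID AUDIT are assumptions for the demonstration; the sample file is constructed.

```python
"""Render and verify a tnsnames.ora entry for the Oracle service that the
eTrust Audit Collector and Audit Viewer will use.

Added example, not part of the eTrust Audit product.  The service name,
host name and SID used below are assumptions; 1521 is the default listener
port named in the guide.
"""
import re


def tns_entry(service, host, sid, port=1521):
    """Return a tnsnames.ora entry for a TCP connection to host:port/SID."""
    return (
        f"{service} =\n"
        f"  (DESCRIPTION =\n"
        f"    (ADDRESS = (PROTOCOL = TCP)(HOST = {host})(PORT = {port}))\n"
        f"    (CONNECT_DATA = (SID = {sid}))\n"
        f"  )\n"
    )


def _parse_group(text, i):
    """Parse one parenthesised 'KEY = ...' group starting at text[i] == '('.
    Returns ((KEY, value), index just past the closing parenthesis), where
    value is a string for a leaf or a list of child groups."""
    eq = text.index("=", i)
    key = text[i + 1:eq].strip().upper()
    j = eq + 1
    while text[j].isspace():
        j += 1
    if text[j] != "(":                      # leaf: KEY = scalar
        end = text.index(")", j)
        return (key, text[j:end].strip()), end + 1
    children = []
    while text[j] == "(":                   # nested groups until our ')'
        child, j = _parse_group(text, j)
        children.append(child)
        while text[j].isspace():
            j += 1
    if text[j] != ")":
        raise ValueError(f"expected ')' at offset {j}")
    return (key, children), j + 1


def parse_tnsnames(text):
    """Return {SERVICE: group tree} for every entry in a tnsnames.ora text."""
    text = "\n".join(line for line in text.splitlines()
                     if not line.lstrip().startswith("#"))   # drop comments
    entries = {}
    for m in re.finditer(r"^[ \t]*([\w.]+)[ \t]*=\s*", text, re.M):
        if m.end() < len(text) and text[m.end()] == "(":
            entries[m.group(1).upper()], _ = _parse_group(text, m.end())
    return entries


def find(node, key):
    """Depth-first lookup of the first leaf value stored under KEY."""
    name, value = node
    if isinstance(value, str):
        return value if name == key else None
    for child in value:
        found = find(child, key)
        if found is not None:
            return found
    return None


def check_entry(text, service, host, sid, port=1521):
    """Return a list of problems with the named entry (empty list = OK)."""
    node = parse_tnsnames(text).get(service.upper())
    if node is None:
        return [f"no entry named {service}"]
    expected = {"PROTOCOL": "TCP", "HOST": host, "PORT": str(port), "SID": sid}
    return [f"{key} is {find(node, key)!r}, expected {want!r}"
            for key, want in expected.items() if find(node, key) != want]


# Constructed sample: a tnsnames.ora with a correct entry and one whose
# listener port was left at a non-default value.
SAMPLE_TNSNAMES = (
    "# tnsnames.ora on the Collector host\n"
    + tns_entry("AUDITDB", "oradb01.example.net", "AUDIT")
    + tns_entry("AUDITDB_OLD", "oradb01.example.net", "AUDIT", port=1522)
)

if __name__ == "__main__":
    print(check_entry(SAMPLE_TNSNAMES, "AUDITDB", "oradb01.example.net", "AUDIT"))
    print(check_entry(SAMPLE_TNSNAMES, "AUDITDB_OLD", "oradb01.example.net", "AUDIT"))
```

Point check_entry at the real ORACLE_HOME/network/admin/tnsnames.ora and the values your DBA gave you; an empty list means the entry matches, and anything else names the field that differs.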
Windows NT Authentication with Microsoft SQL Server
When you configure the Collector service login to the event database, you have two options: Microsoft SQL Server authentication, or Windows NT authentication with the network login ID.
To use Windows NT authentication, you must perform several configuration tasks. If you have any questions, consult your DBA.
■ The Collector must be in the same domain as the database, or in a trusted domain.
■ The user account for the Collector service in Microsoft SQL Server should be preconfigured in Windows NT. We recommend that you create a new user with a single account name for use in both Windows NT and Microsoft SQL Server. In Microsoft SQL Server, make the event database the default database for the account. The Collector service will log in to the database under this account.
■ You must configure the ODBC drivers appropriately, either during eTrust Audit setup or from the Control Panel in NT (or the Administrative Tools in the Control Panel, in Windows 2000). Select Windows NT authentication with the network login ID.
■ After eTrust Audit installation, you must configure the Collector service to access the database as the new user you created. In the Control Panel's Services dialog, select "eAudit Collector" and click Startup, Log On As This Account. Then select the user you created for the Collector service.
Because this account runs a service, grant it only what the Collector needs: the "Log on as a service" right on the Collector station and access to the event database. It does not need to be a member of the local Administrators group.
Changing the Database Type
At installation time, you specify the database type for the event database: Microsoft Access, Oracle Server, or Microsoft SQL Server. However, you might need to change the database type at some point after the initial installation.
To change the database type, we recommend that you reinstall the Collector. In any case, the data stored in the old database is not moved to the new database, so archive the old database first if you must retain its events.
1. Use the ODBC Data Sources applet in the Windows NT Control Panel (or the Administrative Tools in the Control Panel, in Windows 2000) to set up your new system DSN.
2. If the DSN of the new database differs from that of the old one, update the AuditDSN value in the following Windows registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\eTrust Audit\Data Server\Database
You can also update the username and password stored under this key by using the Encup utility.
For more information about registry keys, see the "Windows Registry Entries" chapter.
Using a Remote MS Access Database
If you are using the Microsoft Access database type and you want to use Audit Viewer to access a database located on another computer, you must first map the remote drive to your machine, and then set up the System DSN.
Backing Up a Microsoft Access Database
Microsoft Access limits the size of the database to one gigabyte, or approximately one million records. To back up the database:
1. Stop the Collector service and the Audit Viewer.
2. Rename the event database (SeOSData.mdb) as you wish.
3. Copy the file SeOSDataBak.mdb.
4. Rename the copy of SeOSDataBak.mdb to SeOSData.mdb.
5. Restart the Collector service and the Audit Viewers.
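Steps 2 to 4 are the part of this procedure that is easy to get wrong under time pressure (overwriting a previous backup, or starting a fresh database without the template in place). The following Python script is an added example and not part of eTrust Audit: it checks how close SeOSData.mdb is to the one-gigabyte limit, sets the live file aside under a timestamped name, installs a fresh copy of SeOSDataBak.mdb as SeOSData.mdb, and refuses to run if the template is missing or the archive name is already taken. Stopping and restarting the Collector service and the Audit Viewer (steps 1 and 5) is left to the operator. The 80 percent threshold and the archive naming are assumptions, and the demo files are constructed placeholders, not real Access databases.

```python
"""Rotate the eTrust Audit Microsoft Access event database (SeOSData.mdb)
before it reaches the 1 GB limit, following the backup steps in the guide:
set the live file aside and start a fresh copy from SeOSDataBak.mdb.

Added example, not part of the eTrust Audit product.  It does not stop or
restart the Collector service and the Audit Viewer (do that around the call,
as the guide's steps 1 and 5 require).  The 80 % rotation threshold and the
archive naming are assumptions.
"""
import os
import shutil
import tempfile
import time

LIVE_DB = "SeOSData.mdb"           # event database the Collector writes to
TEMPLATE_DB = "SeOSDataBak.mdb"    # empty database shipped with the product
ACCESS_LIMIT = 1 << 30             # 1 GB hard limit of an Access database
DEFAULT_THRESHOLD = int(ACCESS_LIMIT * 0.8)   # assumption: rotate at 80 %


def needs_rotation(db_dir, threshold=DEFAULT_THRESHOLD):
    """True when the live database has grown to the rotation threshold."""
    return os.path.getsize(os.path.join(db_dir, LIVE_DB)) >= threshold


def rotate_event_db(db_dir, stamp=None):
    """Rename SeOSData.mdb to SeOSData-<stamp>.mdb and install a fresh copy of
    SeOSDataBak.mdb as SeOSData.mdb.  Returns the archive path.  Refuses to
    proceed if the template is missing or the archive name is already taken,
    so a double run cannot overwrite an earlier backup."""
    live = os.path.join(db_dir, LIVE_DB)
    template = os.path.join(db_dir, TEMPLATE_DB)
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    archive = os.path.join(db_dir, f"SeOSData-{stamp}.mdb")
    if not os.path.isfile(template):
        raise FileNotFoundError(f"template database missing: {template}")
    if os.path.exists(archive):
        raise FileExistsError(f"archive already exists: {archive}")
    os.rename(live, archive)        # step 2: set the full database aside
    shutil.copy2(template, live)    # steps 3 and 4: fresh copy becomes the live DB
    return archive


def demo(threshold=64):
    """Build a throwaway directory with constructed placeholder files, rotate
    when the live file exceeds `threshold` bytes, and return what happened."""
    db_dir = tempfile.mkdtemp(prefix="eaudit-")
    try:
        with open(os.path.join(db_dir, TEMPLATE_DB), "wb") as f:
            f.write(b"EMPTY-TEMPLATE")            # constructed, not a real .mdb
        with open(os.path.join(db_dir, LIVE_DB), "wb") as f:
            f.write(b"E" * 100)                   # constructed 100-byte "full" DB
        rotated = needs_rotation(db_dir, threshold)
        archive = rotate_event_db(db_dir, stamp="demo") if rotated else None
        live_size = os.path.getsize(os.path.join(db_dir, LIVE_DB))
        archive_size = os.path.getsize(archive) if archive else 0
        try:                                       # a second run must not clobber
            rotate_event_db(db_dir, stamp="demo")
            second_run_refused = False
        except FileExistsError:
            second_run_refused = True
        return {"rotated": rotated,
                "archive": os.path.basename(archive) if archive else None,
                "live_size": live_size, "archive_size": archive_size,
                "second_run_refused": second_run_refused}
    finally:
        shutil.rmtree(db_dir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

In production, call needs_rotation from a scheduled job and, when it returns true, stop the Collector and Audit Viewer, call rotate_event_db on the real database directory, and restart them.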
Chapter 11
Encup Utility
The Encup utility lets you change user names and passwords. Encup accepts a buffer that contains a user name, or a password associated with that user name, from a file or from standard input. The information is then encrypted and written to a file or to standard output. Supplying the password through a file or standard input rather than as a command-line argument keeps it out of process listings and shell history.
Executing Encup
The Encup utility is located in the install_dir/bin directory, where install_dir is the directory where you installed eTrust Audit.
For more information about the Encup utility, follow these steps:
1. Open a command prompt session.
2. Enter the following command from the install_dir/bin directory:
encup -help
Chapter 12
Security-related Event IDs
Windows NT Event IDs
The following events are among those directly involved in security. Logon events 528 to 539 all indicate user name, domain, logon type, logon process, authentication package, and workstation name.
Event ID  Type           Description
512       Success Audit  Windows NT startup.
513       Success Audit  Windows NT shutdown.
514       Success Audit  Authentication package has been loaded. It will be used to authenticate logon attempts.
515       Success Audit  Trusted logon process has been registered. It will be trusted to submit logon requests.
516       Success Audit  Some audit messages have been discarded (full queue).
517       Success Audit  The event log was cleared. Indicates primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID.
518       Success Audit  Notification package has been loaded. It will be notified of any account or password changes.
528       Success Audit  Successful logon.
529       Failure Audit  Failed logon: unknown user name or bad password.
530       Failure Audit  Failed logon: time restriction violation.
531       Failure Audit  Failed logon: account disabled.
532       Failure Audit  Failed logon: account expired.
533       Failure Audit  Failed logon: user not permitted at this computer.
534       Failure Audit  Failed logon: logon type not permitted for this user.
535       Failure Audit  Failed logon: password expired.
536       Failure Audit  Failed logon: Netlogon component not active.
537       Failure Audit  Failed logon: unexpected error.
538       Success Audit  Logoff.
539       Failure Audit  Failed logon: account locked out.
560       Success Audit  Object open. Includes object server, object type, object name, new handle ID, operation ID, process ID, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID.
561       Success Audit  Handle allocated. Includes handle ID, operation ID, and process ID.
562       Success Audit  Handle closed. Includes handle ID, operation ID, and process ID.
563       Success Audit  Object open for delete. Includes object server, object type, object name, new handle ID, operation ID, process ID, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID.
564       Success Audit  Object deleted. Includes object server, handle ID, and process ID.
576       Success Audit  Special privileges assigned to new logon. Includes user name, domain, logon ID, and assigned privilege.
577       Success Audit  Privilege service called. Includes server, service, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID, and privileges.
578       Failure Audit  Privileged object operation. Includes object server, object handle, process ID, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID, and privileges.
592       Success Audit  New process created. Includes new process ID, image file name, creator process ID, user name, domain, logon ID.
593       Success Audit  Process exited. Includes process ID, user name, domain, logon ID.
594       Success Audit  Handle duplicated. Includes source handle ID, source process ID, target handle ID, target process ID.
595       Success Audit  Indirect access to an object. Includes object type, object name, process ID, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID, and accesses.
608       Success Audit  User right assigned. Includes user right, assigned to, assigned by, user name, and logon ID.
609       Success Audit  User right removed. Includes user right, removed from, removed by, user name, and logon ID.
610       Success Audit  New trusted domain. Includes domain name, domain ID, established by, user name, domain, and logon ID.
611       Success Audit  Removing trusted domain. Includes domain name, domain ID, removed by, user name, domain, and logon ID.
612       Success Audit  Audit policy change. Includes new policy name, and success and failure settings for System, Logon/Logoff, Object Access, Privilege Use, Detailed Tracking, Policy Change, and Account Management. Also includes changed by, user name, domain name, logon ID.
624       Success Audit  User account created. Includes new account name, new domain, new account ID, caller user name, caller domain, caller logon ID, privileges.
625       Success Audit  Account type changed. Includes target account name, target domain, target account ID, new type, caller user name, caller logon ID.
626       Success Audit  Account enabled. Includes target account name, target domain, target account ID, caller user name, caller domain, caller logon ID.
627       Success Audit  Change password attempt. Includes target account name, target domain, target account ID, caller user name, domain, caller logon ID, privileges.
628       Success Audit  Password set. Includes target account name, target domain, target account ID, caller user name, domain, caller logon ID.
629       Success Audit  Account disabled. Includes target account name, target domain, target account ID, caller user name, caller domain, caller logon ID.
630       Success Audit  Account deleted. Includes target account name, target domain, target account ID, caller user name, caller domain, caller logon ID, privileges.
631       Success Audit  Global group created. Includes new account name, new domain, new account ID, caller user name, caller domain, caller logon ID, privileges.
632       Success Audit  Global group member added. Includes member, target account name, target domain, target account ID, caller user name, caller domain, caller logon ID, privileges.
633       Success Audit  Global group member removed. Includes member, target account name, target domain, target account ID, caller user name, caller domain, caller logon ID, privileges.
634       Success Audit  Global group deleted. Includes target account name, target domain, target account ID, caller user name, caller domain, caller logon ID, privileges.
635       Success Audit  Local group created. Includes new account name, new domain, new account ID, caller user name, caller domain, caller logon ID, privileges.
636       Success Audit  Local group member added. Includes member, target account name, target domain, target account ID, caller user name, caller domain, caller logon ID, privileges.
637       Success Audit  Local group member removed. Includes member, target account name, target domain, target account ID, caller user name, caller domain, caller logon ID, privileges.
638       Success Audit  Local group deleted. Includes target account name, target domain, target account ID, caller user name, caller domain, caller logon ID, privileges.
639       Success Audit  Local group changed. Includes target account name, target domain, target account ID, caller user name, caller domain, caller logon ID, privileges.
640       Success Audit  General account database changed. Includes type of change, object type, object name, object ID, caller user name, caller domain, caller logon ID.
641       Success Audit  Global group changed. Includes target account name, target domain, target account ID, caller user name, caller domain, caller logon ID, privileges.
642       Success Audit  User account changed. Includes target account name, target domain, target account ID, caller user name, caller domain, caller logon ID, privileges.
643       Success Audit  Domain policy changed. Includes domain, domain ID, caller user name, caller domain, caller logon ID, privileges.
644       Success Audit  User account locked out. Includes target account name, target account ID, caller machine name, caller user name, caller domain, caller logon ID.
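A table of event IDs is only useful once it is turned into triage rules. The following Python script is an added example and not part of eTrust Audit: it groups the IDs from the Windows NT table above and the Windows 2000 table that follows (including the IKE and IPSec events that only Windows 2000 records) into categories, and runs a few detections over sample records: repeated logon failures against one account, an account that is created and then added to a group by its creator within a short time, an audit policy change (612), a cleared event log (517), and IKE negotiation failures. The record format (CSV with time, event ID, target account, caller account and workstation), the thresholds and the sample records are constructed for the demonstration; eTrust Audit's own event format is not shown on this page.

```python
"""Triage Windows NT / 2000 security events by the IDs listed in this chapter
and run a few detections over sample records.

Added example, not part of eTrust Audit.  The record format (CSV: time,
event_id, target account, caller account, workstation), the thresholds and
the sample records are constructed for the demonstration; the event IDs and
their meanings are the ones tabulated in the chapter.
"""
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Event IDs from the chapter tables, grouped the way an analyst triages them.
LOG_CLEARED = {517}
AUDIT_DROPPED = {516}
LOGON_SUCCESS = {528, 540}
LOGON_FAILURE = {529, 530, 531, 532, 533, 534, 535, 536, 537, 539}
ACCOUNT_CREATED = {624}
GROUP_MEMBER_ADDED = {632, 636}              # global / local group member added
ACCOUNT_MGMT = set(range(624, 643)) | {644}  # account and group management
POLICY_CHANGE = {608, 609, 610, 611, 612, 617, 618, 619, 620, 643}
IKE_FAILURE = {544, 545, 546, 547}           # Windows 2000 IPSec negotiation failures
IPSEC_AGENT = {613, 614, 615, 616}

CATEGORIES = [
    ("log_cleared", LOG_CLEARED), ("audit_dropped", AUDIT_DROPPED),
    ("logon_success", LOGON_SUCCESS), ("logon_failure", LOGON_FAILURE),
    ("account_mgmt", ACCOUNT_MGMT), ("policy_change", POLICY_CHANGE),
    ("ike_failure", IKE_FAILURE), ("ipsec_agent", IPSEC_AGENT),
]


def category(event_id):
    """Coarse triage category for an event ID; 'other' if not in the tables."""
    for name, ids in CATEGORIES:
        if event_id in ids:
            return name
    return "other"


# Constructed sample records (not real log data).
SAMPLE = """time,event_id,target,caller,workstation
2003-05-01 08:00:01,528,jsmith,,WS01
2003-05-01 08:05:10,529,admin,,WS09
2003-05-01 08:05:12,529,admin,,WS09
2003-05-01 08:05:15,529,admin,,WS09
2003-05-01 08:05:19,529,admin,,WS09
2003-05-01 08:05:23,539,admin,,WS09
2003-05-01 09:10:00,624,svc_backup,jsmith,WS01
2003-05-01 09:10:30,636,svc_backup,jsmith,WS01
2003-05-01 09:30:00,612,,jsmith,WS01
2003-05-01 09:31:00,517,,jsmith,WS01
2003-05-01 10:00:00,545,,,GW01
"""


def parse_records(text):
    """Parse CSV records; 'target' is the account the event is about (for
    632/636 the member being added), 'caller' the account performing it."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        row["event_id"] = int(row["event_id"])
        rows.append(row)
    return rows


def detect(records, fail_threshold=5, window=timedelta(minutes=5)):
    """Return findings, in time order, for: repeated logon failures against
    one account, an account created and then added to a group by its creator,
    audit policy changes, a cleared event log, and IKE negotiation failures."""
    findings = []
    failures = defaultdict(deque)   # target account -> recent failure times
    flagged = set()
    created = {}                    # new account -> (creator, creation time)
    for r in sorted(records, key=lambda r: r["time"]):
        eid, t = r["event_id"], r["time"]
        if eid in LOGON_FAILURE:
            q = failures[r["target"]]
            q.append(t)
            while t - q[0] > window:              # keep only the sliding window
                q.popleft()
            if len(q) >= fail_threshold and r["target"] not in flagged:
                flagged.add(r["target"])
                findings.append({"kind": "brute_force", "subject": r["target"], "time": t,
                                 "detail": f"{len(q)} failed logons within {window}, last from {r['workstation']}"})
        elif eid in ACCOUNT_CREATED:
            created[r["target"]] = (r["caller"], t)
        elif eid in GROUP_MEMBER_ADDED and r["target"] in created:
            creator, t0 = created[r["target"]]
            if creator == r["caller"] and t - t0 <= window:
                findings.append({"kind": "new_account_grouped", "subject": r["target"], "time": t,
                                 "detail": f"created and added to a group by {creator} within {t - t0}"})
        elif eid == 612:
            findings.append({"kind": "audit_policy_change", "subject": r["caller"], "time": t,
                             "detail": "audit policy changed (612); verify against change control"})
        elif eid in LOG_CLEARED:
            findings.append({"kind": "log_cleared", "subject": r["caller"], "time": t,
                             "detail": "security event log cleared (517)"})
        elif eid in IKE_FAILURE:
            findings.append({"kind": "ike_failure", "subject": r["workstation"], "time": t,
                             "detail": f"IKE negotiation failure ({eid})"})
    return findings


if __name__ == "__main__":
    for f in detect(parse_records(SAMPLE)):
        print(f"{f['time']}  {f['kind']:<22}{f['subject']:<12}{f['detail']}")
```

The two stateful rules are the ones worth copying: a failure counter keyed by target account over a sliding window catches password guessing regardless of which failure code (529, 539 and so on) the attempt produced, and remembering 624 creations lets a later 632 or 636 by the same caller be raised as a possible backdoor account rather than routine administration.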
Windows 2000 Event IDs
The following events are among those directly involved in security. Logon events 528 to 540 all indicate user name, domain, logon type, logon process, authentication package, and workstation name; 540 also indicates the logon ID.
Event ID  Type           Description
512       Success Audit  Windows NT startup.
513       Success Audit  Windows NT shutdown.
514       Success Audit  Authentication package has been loaded. It will be used to authenticate logon attempts.
515       Success Audit  Trusted logon process has been registered. It will be trusted to submit logon requests.
516       Success Audit  Some audit messages have been discarded (full queue).
517       Success Audit  The event log was cleared. Indicates primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID.
518       Success Audit  Notification package has been loaded. It will be notified of any account or password changes.
528       Success Audit  Successful logon.
529       Failure Audit  Failed logon: unknown user name or bad password.
530       Failure Audit  Failed logon: time restriction violation.
531       Failure Audit  Failed logon: account disabled.
532       Failure Audit  Failed logon: account expired.
533       Failure Audit  Failed logon: user not permitted at this computer.
534       Failure Audit  Failed logon: logon type not permitted for this user at this machine.
535       Failure Audit  Failed logon: password expired.
536       Failure Audit  Failed logon: Netlogon component not active.
537       Failure Audit  Failed logon: unexpected error.
538       Success Audit  Logoff.
539       Failure Audit  Failed logon: account locked out.
540       Success Audit  Successful network logon.
541       Success Audit  IKE security association established. Includes mode, peer identity, filter, parameters.
542       Success Audit  IKE security association ended (mode: data protection). Includes filter, inbound SPI, outbound SPI.
543       Success Audit  IKE security association ended (mode: key exchange). Includes filter.
544       Failure Audit  IKE security association could not be established because the peer could not authenticate; the certificate trust could not be established. Includes peer identity and filter.
545       Failure Audit  IKE peer authentication failed. Includes peer identity and filter.
546       Failure Audit  IKE security association could not be established because the peer sent an invalid proposal. Includes mode, filter, attribute, expected value, received value.
547       Failure Audit  IKE security association negotiation failed. Includes mode, filter, failure point, failure reason.
560       Success Audit  Object open. Includes object server, object type, object name, new handle ID, operation ID, process ID, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID, accesses, privileges.
561       Success Audit  Handle allocated. Includes handle ID, operation ID, and process ID.
562       Success Audit  Handle closed. Includes handle ID, operation ID, and process ID.
563       Success Audit  Object open for delete. Includes object server, object type, object name, new handle ID, operation ID, process ID, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID, accesses, privileges.
564       Success Audit  Object deleted. Includes object server, handle ID, and process ID.
565       Success Audit  Object open. Includes object server, object type, object name, new handle ID, operation ID, process ID, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID, accesses, privileges, properties.
566       Success Audit  Object operation. Includes operation type, object type, object name, handle ID, operation ID, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID, accesses, privileges.
576       Success Audit  Special privileges assigned to new logon. Includes user name, domain, logon ID, and assigned privilege.
577       Success Audit  Privilege service called. Includes server, service, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID, and privileges.
578       Failure Audit  Privileged object operation. Includes object server, object handle, process ID, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID, and privileges.
592       Success Audit  New process created. Includes new process ID, image file name, creator process ID, user name, domain, logon ID.
593       Success Audit  Process exited. Includes process ID, user name, domain, logon ID.
594       Success Audit  Handle duplicated. Includes source handle ID, source process ID, target handle ID, target process ID.
595       Success Audit  Indirect access to an object. Includes object type, object name, process ID, primary user name, primary domain, primary logon ID, client user name, client domain, client logon ID, and accesses.
608       Success Audit  User right assigned. Includes user right, assigned to, assigned by, user name, and logon ID.
609       Success Audit  User right removed. Includes user right, removed from, removed by, user name, and logon ID.
610       Success Audit  New trusted domain. Includes domain name, domain ID, established by, user name, domain, and logon ID.
611       Success Audit  Removing trusted domain. Includes domain name, domain ID, removed by, user name, domain, and logon ID.
612       Success Audit  Audit policy change. Includes new policy name, and success and failure settings for System, Logon/Logoff, Object Access, Privilege Use, Detailed Tracking, Policy Change, and Account Management. Also includes changed by, user name, domain name, logon ID.
613       Success Audit  IPSec policy agent started. Includes IPSec policy agent, policy source, event data.
614       Success Audit  IPSec policy agent disabled. Includes IPSec policy agent, event data.
615       Success Audit  IPSec Policy Agent service. Includes event data.
616       Failure Audit  IPSec policy agent encountered a potentially serious failure. Includes event data.
617       Success Audit  Kerberos policy changed. Includes changed by, user name, domain name, logon ID, changes made, and the new and (old) value of each parameter.
618       Success Audit  Encrypted data recovery policy changed. Includes changed by, user name, domain name, logon ID, changes made, and the new and (old) value of each parameter.
619       Success Audit  Quality of service policy changed. Includes changed by, user name, domain name, logon ID, changes made, and the new and (old) value of each parameter.
620       Success Audit  Trusted domain information modified. Includes domain name, domain ID, modified by, user name, domain, logon ID.
624       Success Audit  User account created. Includes new account name, new domain, new account ID, caller user name, caller domain, caller logon ID, privileges.
625       Success Audit  Account type changed. Includes target account name, target domain, target account ID, new type, caller user name, caller logon ID.
626       Success Audit  Account enabled. Includes target account name, target domain, target account ID, caller user name, caller domain, caller logon ID.
627       Success Audit  Change password attempt. Includes target account name, target domain, target account ID, caller user name, domain, caller logon ID, privileges.
628       Success Audit  User account password set. Includes target account name, target domain, target account ID, caller user name, domain, caller logon ID.
630       Success Audit  User account deleted. Includes target account name, target domain, target account ID, caller user name, caller domain, caller logon ID, privileges.
631       Success Audit  Security enabled global group created. Includes new account name, new domain, new account ID, caller user name, caller domain, caller logon ID, privileges.
632       Success Audit  Security enabled global group member added. Includes member, target account name, target domain, target account ID, caller user name, caller domain, caller logon ID, privileges.
633       Success Audit  Security enabled global group member removed. Includes member, target account name, target domain, target account ID, caller user name, caller domain, caller logon ID, privileges.
634       Success Audit  Security enabled global group deleted. Includes target account name, target domain, target account ID, caller user name, caller domain, caller logon ID, privileges.
635       Success Audit  Security enabled local group created. Includes new account name, new domain, new account ID, caller user name, caller domain, caller logon ID, privileges.
636       Success Audit  Security enabled local group member added. Includes member, target account name, target domain, target account ID, caller user name, caller domain, caller logon ID, privileges.
637       Success Audit  Security enabled local group member removed. Includes member, target account name, target domain, target account ID, caller user name, caller domain, caller logon ID, privileges.
638       Success Audit  Security enabled local group deleted. Includes target account name, target domain, target account ID, caller user name, caller domain, caller logon ID, privileges.
639       Success Audit  Security enabled local group changed. Includes target account name, target domain, target account ID, caller user name, caller domain, caller logon ID, privileges.
640       Success Audit  General account database changed. Includes type of change, object type, object name, object ID, caller user name, caller domain, caller logon ID.
641       Success Audit  Security enabled global group changed. Includes target account name, target domain, target account ID, caller user name, caller domain, caller logon ID, privileges.
642       Success Audit  User account changed. Includes target account name, target domain, target account ID, caller user name, caller domain, caller logon ID, privileges.
643       Success Audit  Domain policy changed. Includes domain, domain ID, caller user name, caller domain, caller logon ID, privileges.
644       Success Audit  User account locked out. Includes the following: target account
name, target account ID, caller machine name, caller user name,<br />
caller domain, caller logon ID.<br />
645 Success <strong>Audit</strong> Computer account created. Includes the following: new account<br />
name, new domain, new account ID, caller user name, caller<br />
domain, caller logon ID, privileges.<br />
646 Success <strong>Audit</strong> Computer account changed. Includes the following: target<br />
account name, target domain, target account ID, caller user<br />
name, caller domain, caller logon ID, privileges.<br />
647 Success <strong>Audit</strong> Computer account deleted. Includes the following: target<br />
account name, target domain, target account ID, caller user<br />
name, caller domain, caller logon ID, privileges.<br />
648 Success <strong>Audit</strong> Security disabled local group created. Includes the following:<br />
target account name, target domain, target account ID, caller<br />
user name, caller domain, caller logon ID, privileges.<br />
649 Success <strong>Audit</strong> Security disabled local group changed. Includes the following:<br />
target account name, target domain, target account ID, caller<br />
user name, caller domain, caller logon ID, privileges.<br />
650 Success <strong>Audit</strong> Security disabled local group member added. Includes the<br />
following: member name, member ID, target account name,<br />
target domain, target account ID, caller user name, caller<br />
domain, caller logon ID, privileges.<br />
651 Success <strong>Audit</strong> Security disabled local group member removed. Includes the<br />
following: member name, member ID, target account name,<br />
target domain, target account ID, caller user name, caller<br />
domain, caller logon ID, privileges.<br />
652 Success <strong>Audit</strong> Security disabled local group deleted. Includes the following:<br />
target account name, target domain, target account ID, caller<br />
user name, caller domain, caller logon ID, privileges.<br />
653 Success <strong>Audit</strong> Security disabled global group created. Includes the following:<br />
new account name, new domain, new account ID, caller user<br />
name, caller domain, caller logon ID, privileges.<br />
654 Success <strong>Audit</strong> Security disabled global group changed. Includes the following:<br />
target account name, target domain, target account ID, caller<br />
user name, caller domain, caller logon ID, privileges.<br />
655 Success <strong>Audit</strong> Security disabled global group member added. Includes the<br />
following: member name, member ID, target account name,<br />
target domain, target account ID, caller user name, caller<br />
domain, caller logon ID, privileges.<br />
656 Success <strong>Audit</strong> Security disabled global group member removed. Includes the<br />
following: member name, member ID, target account name,<br />
target domain, target account ID, caller user name, caller<br />
domain, caller logon ID, privileges.<br />
657 Success <strong>Audit</strong> Security disabled global group deleted. Includes the following:<br />
target account name, target domain, target account ID, caller<br />
user name, caller domain, caller logon ID, privileges.<br />
658 Success <strong>Audit</strong> Security enabled universal group created. Includes the<br />
following: new account name, new domain, new account ID,<br />
caller user name, caller domain, caller logon ID, privileges.<br />
659 Success <strong>Audit</strong> Security enabled universal group changed. Includes the<br />
following: target account name, target domain, target account<br />
ID, caller user name, caller domain, caller logon ID, privileges.<br />
660 Success <strong>Audit</strong> Security enabled universal group member added. Includes the<br />
following: member name, member ID, target account name,<br />
target domain, target account ID, caller user name, caller<br />
domain, caller logon ID, privileges.<br />
661 Success <strong>Audit</strong> Security enabled universal group member removed. Includes<br />
the following: member name, member ID, target account name,<br />
target domain, target account ID, caller user name, caller<br />
domain, caller logon ID, privileges.<br />
662 Success <strong>Audit</strong> Security enabled universal group deleted. Includes the<br />
following: target account name, target domain, target account<br />
ID, caller user name, caller domain, caller logon ID, privileges.<br />
663 Success <strong>Audit</strong> Security disabled universal group created. Includes the<br />
following: new account name, new domain, new account ID,<br />
caller user name, caller domain, caller logon ID, privileges.<br />
664 Success <strong>Audit</strong> Security disabled universal group changed. Includes the<br />
following: target account name, target domain, target account<br />
ID, caller user name, caller domain, caller logon ID, privileges.<br />
665 Success <strong>Audit</strong> Security disabled universal group member added. Includes the<br />
following: member name, member ID, target account name,<br />
target domain, target account ID, caller user name, caller<br />
domain, caller logon ID, privileges.<br />
666 Success <strong>Audit</strong> Security disabled universal group member removed. Includes<br />
the following: member name, member ID, target account name,<br />
target domain, target account ID, caller user name, caller<br />
domain, caller logon ID, privileges.<br />
667 Success <strong>Audit</strong> Security disabled universal group deleted. Includes the<br />
following: target account name, target domain, target account<br />
ID, caller user name, caller domain, caller logon ID, privileges.<br />
668 Success <strong>Audit</strong> Group type changed. Includes the following: target account<br />
name, target domain, target account ID, caller user name, caller<br />
domain, caller logon ID, privileges.<br />
669 Success <strong>Audit</strong> Add SID history. Includes the following: source account name,<br />
source account ID, target account name, target account ID, caller<br />
user name, caller domain, caller logon ID, privileges.<br />
670 Success <strong>Audit</strong> Add SID history. Includes the following: source account name,<br />
target account name, target domain, target account ID, caller<br />
user name, caller domain, caller logon ID, privileges.<br />
672 Success <strong>Audit</strong> Authentication ticket granted. Includes the following: user<br />
name, supplied realm name, user ID, service name, service ID,<br />
ticket options, ticket encryption type, pre-authentication type,<br />
client address.<br />
673 Success <strong>Audit</strong> Service ticket granted. Includes the following: user name, user<br />
domain, user ID, service name, service ID, ticket options, ticket<br />
encryption type, client address.<br />
674 Success <strong>Audit</strong> Ticket granted renewed. Includes the following: user name, user<br />
domain, user ID, service name, service ID, ticket options, ticket<br />
encryption type, client address.<br />
675 Failure <strong>Audit</strong> Pre-authentication failed. Includes the following: user name,<br />
user ID, service name, pre-authentication type, failure code,<br />
client address.<br />
676 Failure <strong>Audit</strong> Authentication ticket request failed. Includes the following: user<br />
name, supplied realm name, user ID, service name, ticket<br />
options, failure code, client address.<br />
677 Failure <strong>Audit</strong> Service ticket request failed. Includes the following: user name,<br />
supplied realm name, service name, ticket options, failure code,<br />
client address.<br />
678 Success <strong>Audit</strong> Account mapped for logon by . Includes the following: client<br />
name, mapped name.<br />
679 Failure <strong>Audit</strong> The name could not be mapped for logon by . Includes the<br />
following: client name, mapped name.<br />
680 Success <strong>Audit</strong> Account used for logon by . Includes the following: account<br />
name, workstation.<br />
681 Failure <strong>Audit</strong> The login to account by from workstation failed.<br />
683 Success <strong>Audit</strong> Session reconnected to winstation. Includes the following: user<br />
name, domain, logon ID, session name, client name, client<br />
address.<br />
684 Success <strong>Audit</strong> Session disconnected to winstation. Includes the following: user<br />
name, domain, logon ID, session name, client name, client<br />
address.<br />
UNIX Event IDs<br />
For the following sources, the various <strong>eTrust</strong> <strong>Audit</strong> recorders use an event ID of 0:<br />
■ Syslog.conf<br />
■ Syslog<br />
■ Oracle<br />
■ Netscape<br />
■ iPlanet<br />
■ SNMP<br />
■ Check Point Firewall-1<br />
Windows Event IDs<br />
For the following sources, the various <strong>eTrust</strong> <strong>Audit</strong> recorders use an event ID of 0:<br />
■ MS-IIS<br />
■ Microsoft Proxy<br />
■ Oracle<br />
■ Microsoft ISA<br />
■ SNMP<br />
■ Check Point Firewall-1<br />
<strong>eTrust</strong> Access Control Event IDs<br />
The following event IDs are used for <strong>eTrust</strong> Access Control 5.1 SP1 and below.<br />
These events are generated by the seaudit -t command. This list also includes<br />
event IDs for <strong>eTrust</strong> Single Signon 6.5 and lower:<br />
Event ID Reason<br />
0 No request for LOG operation.<br />
1 User logged in out-of shift with LOGSHIFT property.<br />
2 User audit mode requires logging.<br />
3 Resource audit mode requires logging.<br />
4 Resource in WARNING mode.<br />
5 Serevu utility requested logging.<br />
6 Network attack protection.<br />
7 Incoming or outgoing connection (not from Log reason, but from stage code).<br />
8 PAM support 1 failed logon.<br />
10 A specific request to log operation.<br />
Cisco PIX Event IDs<br />
For events coming from Cisco PIX Firewalls, the <strong>eTrust</strong> <strong>Audit</strong> recorders use the<br />
message IDs as the event ID. For a description of the system log messages for<br />
Cisco PIX Firewalls, see your Cisco PIX Firewall documentation.<br />
Chapter 13<br />
The Submit API (SAPI)<br />
<strong>eTrust</strong> <strong>Audit</strong> provides an API, the Submit API (SAPI), to submit audit events to<br />
the <strong>eTrust</strong> <strong>Audit</strong> router. The Submit API provides a simple means of adding new<br />
sources of audit information to <strong>eTrust</strong> <strong>Audit</strong>. Any third-party application<br />
intended to submit events to <strong>eTrust</strong> <strong>Audit</strong> should use the SAPI calls.<br />
Because the objective of <strong>eTrust</strong> <strong>Audit</strong> is to enable event analysis, both online and<br />
offline, it is important that events from different sources conform to a single<br />
concept. On the other hand, it is vital that native auditing information be<br />
preserved. The SAPI allows for both:<br />
■ If a submitting application’s events are to be analyzed by <strong>eTrust</strong> <strong>Audit</strong>, it<br />
must map events to the common format. The unified format simplifies<br />
management, reporting, and analysis. For example, Intrusion Detection rules<br />
for generic events such as logon/logoff can be easily administered cross-platform.<br />
■ Translators are functions that translate an external data representation (such as<br />
UNIX time_t) to the SAPI internal string format. Each translator is identified by<br />
name. Currently three translators are supported: string, timet and long.<br />
■ The client is free to add fields for native information. <strong>Audit</strong>ors can report on<br />
events from a certain source by using the terms specific to the source.<br />
Mapping<br />
Messages are created by mapping to fields defined in the header file<br />
AC_SAPITokens.h. The SAPI format is completely free. However, some fields are<br />
mandatory and others are strongly recommended.<br />
Message Routing<br />
After mapping, the resulting message is submitted to a router. By default, events<br />
are submitted to the router resident on the local machine. You can configure the<br />
SAPI to submit to the router of your choice.<br />
Following a successful submit operation, <strong>eTrust</strong> <strong>Audit</strong> provides guaranteed<br />
delivery according to the filters and actions specified in the router’s filter rules<br />
file (router.cfg).<br />
Submitting a Message to the Router<br />
Tip: You must use SAPI_Init before any other SAPI function.<br />
Submitting events to the SAPI has a simple flow. Follow these steps:<br />
1. Create a SAPI context by using SAPI_Init. The context is helpful in the case<br />
of multiple threads.<br />
2. Create a message handle by using SAPI_NewMessage.<br />
3. By using the message handle, you add items (fields) to the message with<br />
SAPI_AddItem.<br />
4. With the same handle, submit the message to the router with<br />
SAPI_SubmitMsg.<br />
5. After a message has been successfully submitted, use SAPI_RemoveMessage<br />
to clear it from memory.<br />
Handling Submit Failures<br />
If the attempt to submit a message fails, you can remove it, or try to submit it<br />
again. If the message is not removed, it stays in memory.<br />
Note: After the first submit attempt, the message is locked and cannot be<br />
changed.<br />
Compiling and Linking<br />
To use the Submit API, you must include a header file with prototypes and<br />
structure definitions in your source code. The header file is etsapi.h.<br />
For mapping, use AC_SAPITokens.h.<br />
Libraries<br />
On UNIX, SAPI includes two shared libraries: etsapi.so and etbase.so. In<br />
Windows, the corresponding files are etsapi.dll and etbase.dll.<br />
Sample SAPI Routine<br />
The following is a simple example of SAPI usage. The following application<br />
sends a single message containing five fields (category of event, native event ID,<br />
logname, source, and info). The field, timestamp, is added by default.<br />
Note: SAPI_Init and SAPI_Destroy should be used only once per application—<br />
not once per message as in this demonstration.<br />
#include <stdio.h><br />
#include "etsapi.h"<br />
#include "AC_SAPITokens.h"<br />
/*<br />
 * Usage : test [host]<br />
 */<br />
int main(int argc, char *argv[])<br />
{<br />
    SAPI_CTX ctx;             /* SAPI context */<br />
    SAPI_HANDLE_l h;          /* handle for new message */<br />
    SMStatus rv;              /* return value to check */<br />
    SMStatus remote_rv;       /* return value from the receiver */<br />
    char msg_buffer[1024];    /* buffer for SAPI_DumpMessage output */<br />
    long eventId = 123456;<br />
    char category[] = "General";<br />
    char logname[] = "test_log";<br />
    char source[] = "test_recorder";<br />
    char info[] = "test_recorder information";<br />
    rv = SAPI_Init(&ctx, NULL); /* Create a new SAPI context */<br />
    if (rv != SAPI_SUCCESS)<br />
    {<br />
        printf("SAPI_Init: failed code : 0x%X\n", rv);<br />
        return 1;<br />
    }<br />
    /* set destination host, default - localhost */<br />
    if (argc > 1)<br />
    {<br />
        rv = SAPI_SetRouter(ctx, argv[1]);<br />
        if (rv != SAPI_SUCCESS)<br />
        {<br />
            printf("SAPI_SetRouter: host = '%s', failed code : 0x%X\n",<br />
                   argv[1], rv);<br />
            return 1;<br />
        }<br />
        else<br />
            printf("Set destination host %s\n", argv[1]);<br />
    }<br />
    rv = SAPI_NewMessage(ctx, &h); /* Create a new SAPI message */<br />
    if (rv != SAPI_SUCCESS)<br />
    {<br />
        printf("SAPI_NewMessage: failed code : 0x%X\n", rv);<br />
        return 1;<br />
    }<br />
    /* Add new items (fields) to the message */<br />
    rv = SAPI_AddItem(ctx, h,<br />
                      SAPI_TRANS_DATATYPE_STRING,<br />
                      SAPI_CATEGORY_FLD,<br />
                      category);<br />
    if (rv != SAPI_SUCCESS)<br />
    {<br />
        printf("SAPI_AddItem: failed code : 0x%X\n", rv);<br />
        return 1;<br />
    }<br />
    rv = SAPI_AddItem(ctx, h,<br />
                      SAPI_TRANS_DATATYPE_LONG,<br />
                      SAPI_NATIVEID_FLD,<br />
                      &eventId);<br />
    if (rv != SAPI_SUCCESS)<br />
    {<br />
        printf("SAPI_AddItem: failed code : 0x%X\n", rv);<br />
        return 1;<br />
    }<br />
    rv = SAPI_AddItem(ctx, h,<br />
                      SAPI_TRANS_DATATYPE_STRING,<br />
                      SAPI_LOGNAME_FLD,<br />
                      logname);<br />
    if (rv != SAPI_SUCCESS)<br />
    {<br />
        printf("SAPI_AddItem: failed code : 0x%X\n", rv);<br />
        return 1;<br />
    }<br />
    rv = SAPI_AddItem(ctx, h,<br />
                      SAPI_TRANS_DATATYPE_STRING,<br />
                      SAPI_SOURCE_FLD,<br />
                      source);<br />
    if (rv != SAPI_SUCCESS)<br />
    {<br />
        printf("SAPI_AddItem: failed code : 0x%X\n", rv);<br />
        return 1;<br />
    }<br />
    rv = SAPI_AddItem(ctx, h,<br />
                      SAPI_TRANS_DATATYPE_STRING,<br />
                      SAPI_INFO_FLD,<br />
                      info);<br />
    if (rv != SAPI_SUCCESS)<br />
    {<br />
        printf("SAPI_AddItem: failed code : 0x%X\n", rv);<br />
        return 1;<br />
    }<br />
    /* Print the content of the message to a buffer */<br />
    rv = SAPI_DumpMessage(ctx, h, msg_buffer, sizeof(msg_buffer));<br />
    if (rv != SAPI_SUCCESS)<br />
    {<br />
        printf("SAPI_DumpMessage: failed code : 0x%X\n", rv);<br />
        return 1;<br />
    }<br />
    else<br />
    {<br />
        printf("SAPI message:\n %s\n", msg_buffer);<br />
    }<br />
    /* Submit the message to a SAPI router. */<br />
    rv = SAPI_SubmitMsg(ctx, h, &remote_rv);<br />
    if (rv == SAPI_SUCCESS)<br />
        printf("SAPI_SubmitMsg OK, remote return code : 0x%X\n", remote_rv);<br />
    else<br />
        printf("SAPI_SubmitMsg: failed code :0x%X\n", rv);<br />
    /* Remove the message from the given context. */<br />
    rv = SAPI_RemoveMessage(ctx, h);<br />
    if (rv != SAPI_SUCCESS)<br />
    {<br />
        printf("SAPI_RemoveMessage: failed code : 0x%X\n", rv);<br />
        return 1;<br />
    }<br />
    /* destroy SAPI context and free all its allocations */<br />
    rv = SAPI_DestroyCTX(ctx);<br />
    if (rv != SAPI_SUCCESS)<br />
    {<br />
        printf("SAPI_DestroyCTX: failed code :0x%X\n", rv);<br />
        return 1;<br />
    }<br />
    return 0;<br />
}<br />
SAPI <strong>Reference</strong><br />
SAPI functions use the following type definitions.<br />
SAPI_CTX<br />
SAPI context contains state information for all SAPI calls<br />
SAPI_HANDLE_l<br />
SAPI_HANDLE_lp<br />
SAPI message handles used for referring to specific messages<br />
The SAPI uses the functions on the following pages to pass messages to the<br />
<strong>eTrust</strong> <strong>Audit</strong> router.<br />
SAPI_Init<br />
This function must be called before any other SAPI functions can be used.<br />
Syntax<br />
SMStatus SAPI_Init( SAPI_CTX *ctx, char *config );<br />
Parameters<br />
ctx<br />
The address of pointer to SAPI context.<br />
config<br />
The configuration (reserved for future use).<br />
SAPI_NewMessage<br />
The SAPI_NewMessage function creates a handle to new message in the given<br />
context. The message is also filled with automatic arguments for mandatory<br />
fields with their default values.<br />
Syntax<br />
SMStatus SAPI_NewMessage( SAPI_CTX ctx, SAPI_HANDLE_lp handle );<br />
Parameters<br />
ctx<br />
The SAPI context. This parameter’s value originates with SAPI_Init.<br />
handle<br />
The address of the handle to return on success.<br />
Return Values<br />
The function returns SAPI_SUCCESS on success and SAPI_BADCTX_RC for an<br />
invalid SAPI context.<br />
SAPI_AddItem<br />
The SAPI_AddItem function adds a new Item to a message. If an Item by the<br />
given name already exists, it is replaced by the given Item.<br />
Syntax<br />
SMStatus SAPI_AddItem( SAPI_CTX ctx, SAPI_HANDLE_l handle, char *item_type, char *name, void *value );<br />
Parameters<br />
ctx<br />
The SAPI context. This parameter’s value originates with SAPI_Init.<br />
handle<br />
The handle to a message. This parameter’s value originates with<br />
SAPI_NewMessage.<br />
item_type<br />
The external raw data type. The available item types are as follows:<br />
long<br />
The value should point to address of long.<br />
string<br />
The value should point to a null terminated char string.<br />
timet<br />
The value should point to the address of a time_t.<br />
name<br />
The item name<br />
value<br />
The binary raw data.<br />
Return Values<br />
The function returns SAPI_SUCCESS on success and SAPI_BADCTX_RC for an<br />
invalid SAPI context.<br />
SAPI_SubmitMsg<br />
The SAPI_SubmitMsg function submits the message to a SAPI router.<br />
Note: After the message has been submitted, you must free it with<br />
SAPI_RemoveMessage.<br />
Syntax<br />
SMStatus SAPI_SubmitMsg( SAPI_CTX ctx, SAPI_HANDLE_l handle, SMStatus *sapi_remote_rv );<br />
Parameters<br />
ctx<br />
The SAPI context. This parameter’s value originates with SAPI_Init.<br />
handle<br />
The handle to a message. This parameter’s value originates with<br />
SAPI_NewMessage.<br />
sapi_remote_rv<br />
The return value of the remote function.<br />
Return Values<br />
The function returns SAPI_SUCCESS on success.<br />
SAPI_RemoveMessage<br />
SAPI_RemoveMessage removes a message in the given context. Use the function<br />
to clear sent messages from memory.<br />
Syntax<br />
SMStatus SAPI_RemoveMessage( SAPI_CTX ctx, SAPI_HANDLE_l handle );<br />
Parameters<br />
ctx<br />
The SAPI context. This parameter’s value originates with SAPI_Init.<br />
handle<br />
The handle to a message. This parameter’s value originates with<br />
SAPI_NewMessage.<br />
Return Values<br />
The function returns SAPI_SUCCESS on success and SAPI_BADCTX_RC for an<br />
invalid SAPI context.<br />
SAPI_DumpMessage<br />
The SAPI_DumpMessage function prints the content of a message in the given<br />
context to a buffer. Function prints the string values of the message fields.<br />
Syntax<br />
SMStatus SAPI_DumpMessage( SAPI_CTX ctx, SAPI_HANDLE_l handle, char *buffer, int size );<br />
Parameters<br />
ctx<br />
The SAPI context. This parameter’s value originates with SAPI_Init.<br />
handle<br />
The handle to a message. This parameter’s value originates with<br />
SAPI_NewMessage.<br />
buffer<br />
The buffer to output to.<br />
size<br />
The size of the buffer.<br />
Return Values<br />
The function returns SAPI_SUCCESS on success, SAPI_BADCTX_RC for an<br />
invalid SAPI context and SAPI_BADPARAM_RC for too small buffer size.<br />
SAPI_DestroyCTX<br />
The SAPI_DestroyCTX function frees current SAPI context and all unsent<br />
messages and gracefully shuts the client side of SAPI.<br />
Syntax<br />
SMStatus SAPI_DestroyCTX( SAPI_CTX ctx );<br />
Parameters<br />
ctx<br />
The SAPI context. This parameter’s value originates with SAPI_Init.<br />
Return Values<br />
The function returns SAPI_SUCCESS on success.<br />
SAPI_SetRouter<br />
The SAPI_SetRouter function registers the name of a new router host.<br />
Syntax<br />
SMStatus SAPI_SetRouter( SAPI_CTX ctx, char *hostname );<br />
Parameters<br />
ctx<br />
The SAPI context. This parameter’s value originates with SAPI_Init.<br />
hostname<br />
The name of the host where the router resides, as a null-terminated string (the sample routine passes argv[1]).<br />
Return Values<br />
The function returns SAPI_SUCCESS on success and SAPI_BADPARAM_RC for<br />
an invalid context.<br />
SAPI_SetRouterPort<br />
The SAPI_SetRouterPort function changes the default SAPI router port number.<br />
Syntax<br />
SMStatus SAPI_SetRouterPort( SAPI_CTX ctx, unsigned short portnum );<br />
Parameters<br />
ctx<br />
The SAPI context. This parameter’s value originates with SAPI_Init.<br />
portnum<br />
The user-defined port number to be registered in portmap. If you specify 0,<br />
the port number will be set by portmap.<br />
Return Values<br />
The function returns SAPI_SUCCESS on success and SAPI_BADCTX_RC for an<br />
invalid SAPI context.<br />
SAPI_SetRouterTimeout<br />
The SAPI_SetRouterTimeout function changes the default SAPI router timeout<br />
period.<br />
Syntax<br />
SMStatus SAPI_SetRouterTimeout( SAPI_CTX ctx, unsigned long timeout );<br />
Parameters<br />
ctx<br />
The SAPI context. This parameter’s value originates with SAPI_Init.<br />
timeout<br />
The user-defined timeout period, in seconds.<br />
Return Values<br />
The function returns SAPI_SUCCESS on success and SAPI_BADCTX_RC for an<br />
invalid SAPI context.<br />
SAPI Return and Error Codes<br />
The following macros process return codes for all SAPI calls.<br />
Each return code is composed from (most to least significant):<br />
■ 1 bit—success or failure code<br />
■ 16 bits—software component ID number. In the case of the SAPI, the ID number is 11 (SAPI_RC_BASE).<br />
■ 12 bits—meaningful portion of return code<br />
Macro Purpose<br />
_SM_IS_FAIL(rc) (rc>>31) Checks whether the call failed. In case of failure, the macro returns TRUE or 1.<br />
_SM_RC_PKG(rc) ((rc>>12)&0xffff) Extracts and returns the software component ID number.<br />
_SM_RC_CODE(rc) (rc&0xfff) Extracts and returns the meaningful portion of the return code.<br />
The following table describes the return and error codes defined in etsapi.h:<br />
Name Construction Meaning<br />
SAPI_SUCCESS 0 Function returned successfully.<br />
SAPI_MALLOC_RC _SM_RC_FAIL(SAPI_RC_BASE,1) SAPI could not allocate memory.<br />
SAPI_NOHANDLE_RC _SM_RC_FAIL(SAPI_RC_BASE,2) Requested SAPI message handle could not be found.<br />
SAPI_BADPARAM_RC _SM_RC_FAIL(SAPI_RC_BASE,3) Function received a bad parameter (most commonly a NULL pointer).<br />
SAPI_NOITEM_RC _SM_RC_FAIL(SAPI_RC_BASE,4) Low-level internal code, should not appear in normal operation.<br />
SAPI_ALRDYEXIST_RC _SM_RC_FAIL(SAPI_RC_BASE,5) A field by the same name already exists in the message.<br />
SAPI_UNSUPPORTED_RC _SM_RC_FAIL(SAPI_RC_BASE,6) Unsupported SAPI type.<br />
SAPI_NOAUTOARG_RC _SM_RC_SUCCESS(SAPI_RC_BASE,7) Low-level internal code, should not appear in normal operation.<br />
SAPI_BADCTX_RC _SM_RC_FAIL(SAPI_RC_BASE,8) Function got an invalid SAPI context for input.<br />
SAPI_MSGLOCKED_RC _SM_RC_FAIL(SAPI_RC_BASE,9) Low-level internal code, should not appear in normal operation.<br />
SAPI_NOTHINGTOSEND_RC _SM_RC_SUCCESS(SAPI_RC_BASE,10) Low-level internal code, should not appear in normal operation.<br />
SAPI_NOTREROUTING_RC _SM_RC_FAIL(SAPI_RC_BASE,11) Low-level internal code, should not appear in normal operation.<br />
SAPI_REROUTINGMODE_RC _SM_RC_FAIL(SAPI_RC_BASE,12) Low-level internal code, should not appear in normal operation.<br />
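The bit layout and the three macros above, worked through in an added example (this is illustration code written for this section, not the contents of etsapi.h). The decoding macros are the documented ones; the constructor macros _SM_RC_SUCCESS and _SM_RC_FAIL and the 32-bit width of SMStatus are assumed from the documented layout, and the component number 11 and the code numbers are those in the table. The helper functions show how a submitter can tell a SAPI failure apart from a success code or from a failure raised by another component before deciding to retry or drop a message.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from etsapi.h: the documented SAPI return-code
 * layout (bit 31 failure flag, bits 12..27 component ID, bits 0..11 code)
 * with the three decoding macros from the text and two constructor macros
 * assumed from that layout. */

typedef uint32_t SMStatus;   /* assumed width; the real typedef is in etsapi.h */

#define SAPI_RC_BASE 11u

/* Decoding macros as documented; the cast keeps the shift logical even if
 * a caller has stored the code in a signed int. */
#define _SM_IS_FAIL(rc)  (((uint32_t)(rc)) >> 31)
#define _SM_RC_PKG(rc)   ((((uint32_t)(rc)) >> 12) & 0xffffu)
#define _SM_RC_CODE(rc)  (((uint32_t)(rc)) & 0xfffu)

/* Constructors (assumed): success codes leave bit 31 clear, failures set it. */
#define _SM_RC_SUCCESS(pkg, code) \
    (((((uint32_t)(pkg)) & 0xffffu) << 12) | (((uint32_t)(code)) & 0xfffu))
#define _SM_RC_FAIL(pkg, code) (0x80000000u | _SM_RC_SUCCESS(pkg, code))

/* Codes from the table above. */
#define SAPI_SUCCESS          0u
#define SAPI_MALLOC_RC        _SM_RC_FAIL(SAPI_RC_BASE, 1)
#define SAPI_NOHANDLE_RC      _SM_RC_FAIL(SAPI_RC_BASE, 2)
#define SAPI_BADPARAM_RC      _SM_RC_FAIL(SAPI_RC_BASE, 3)
#define SAPI_ALRDYEXIST_RC    _SM_RC_FAIL(SAPI_RC_BASE, 5)
#define SAPI_UNSUPPORTED_RC   _SM_RC_FAIL(SAPI_RC_BASE, 6)
#define SAPI_BADCTX_RC        _SM_RC_FAIL(SAPI_RC_BASE, 8)
#define SAPI_NOTHINGTOSEND_RC _SM_RC_SUCCESS(SAPI_RC_BASE, 10)

/* 1 when rc is a failure raised by the SAPI component itself, 0 for a
 * success code or for a failure belonging to another component. */
int sapi_is_sapi_failure(SMStatus rc)
{
    return _SM_IS_FAIL(rc) && _SM_RC_PKG(rc) == SAPI_RC_BASE;
}

/* Name of a documented code, for log lines; unknown codes are reported by
 * component and number rather than guessed. */
const char *sapi_rc_name(SMStatus rc)
{
    if (rc == SAPI_SUCCESS)
        return "SAPI_SUCCESS";
    if (_SM_RC_PKG(rc) != SAPI_RC_BASE)
        return "code from another component";
    switch (_SM_RC_CODE(rc)) {
    case 1:  return "SAPI_MALLOC_RC";
    case 2:  return "SAPI_NOHANDLE_RC";
    case 3:  return "SAPI_BADPARAM_RC";
    case 5:  return "SAPI_ALRDYEXIST_RC";
    case 6:  return "SAPI_UNSUPPORTED_RC";
    case 8:  return "SAPI_BADCTX_RC";
    case 10: return "SAPI_NOTHINGTOSEND_RC";
    default: return "undocumented SAPI code";
    }
}

/* Format e.g. "0x8000B008 fail pkg=11 code=8 SAPI_BADCTX_RC" into buf. */
void sapi_rc_describe(SMStatus rc, char *buf, size_t size)
{
    snprintf(buf, size, "0x%08X %s pkg=%u code=%u %s", (unsigned)rc,
             _SM_IS_FAIL(rc) ? "fail" : "ok",
             (unsigned)_SM_RC_PKG(rc), (unsigned)_SM_RC_CODE(rc),
             sapi_rc_name(rc));
}

int main(void)
{
    /* Constructed sample codes, including one from a non-SAPI component. */
    SMStatus samples[] = { SAPI_SUCCESS, SAPI_BADCTX_RC,
                           SAPI_NOTHINGTOSEND_RC, _SM_RC_FAIL(7, 3) };
    char line[96];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        sapi_rc_describe(samples[i], line, sizeof line);
        puts(line);
    }
    return 0;
}
```

Two points worth noticing: SAPI_NOTHINGTOSEND_RC is built with _SM_RC_SUCCESS, so _SM_IS_FAIL reports 0 for it even though it is not SAPI_SUCCESS, which is why a submitter should test `rv != SAPI_SUCCESS` (as the sample routine does) rather than only the failure bit; and a failure code whose component ID is not 11 did not come from the SAPI, so its code number must not be interpreted with the SAPI table.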
Fields for SAPI<br />
The SAPI format is completely free, except for certain mandatory fields,<br />
generally, those affecting intrusion detection and security auditing. If the<br />
submitting application does not provide values for such fields, the SAPI will<br />
provide a default value.<br />
Additional fields can be added as you choose. However, for security-related<br />
events it is strongly recommended to map to the predefined SAPI fields. Unless<br />
events map to the SAPI fields, they will be treated generically by the <strong>eTrust</strong><br />
<strong>Audit</strong> viewers.<br />
Predefined fields are defined in the file AC_SAPITokens.h. User-defined field<br />
names should be unique.<br />
It is recommended to identify the log or source in all user-defined field names.<br />
For example, the first of these two macro definitions is specific to the SAPI and<br />
the second, to Oracle.<br />
#define SAPI_DATE_FLD "Date"<br />
#define ORA_AUDIT_OPTION "ORA_Audit_Option"<br />
Field Properties<br />
Each SAPI field has three properties: name, type, and value. Field types are<br />
assigned when submitting messages. Available types are date, string and long.<br />
The SAPI fields discussed below are organized by priority.<br />
• Mandatory fields must be present in every record.<br />
• Common predefined fields are important for event identification and<br />
description.<br />
• Optional, category-specific fields provide further characterization of events.<br />
Other fields are specific to event sources.<br />
13–16 <strong>Reference</strong> <strong>Guide</strong>
Mapping Examples<br />
The following are examples of mapping of SAPI fields (one row per event, columns separated by “|”):<br />
Event | User | Category | Subcategory | ObjClass | ObjName | Oper<br />
User account was created | “Administrator” | Account Management | Administration | USER | newuser | Create<br />
Registry key was deleted | “richard” | Object Access | Administration | REGKEY | “HKEY_USERS\. . .” | Delete<br />
Process was stopped (NT) | “joan” | Object Access | Activation | PROCESS | “FINDFAST.EXE” | Stop<br />
Windows NT was shut down | “SYSTEM” | Security Systems | (none) | OS | (none) | Stop<br />
A file was opened for read | “joan” | Object Access | Usage | FILE | “c:\winnt\system.ini” | Read<br />
Mandatory Fields for Event Identification<br />
The SAPI requires that certain fields be present in each message you submit.<br />
These fields contain data on the time, place, and status of events. For some fields,<br />
values are strictly predefined.<br />
SAPI_LOCATION_FLD “Location”<br />
The name of the host where the event originated. The name format is a UNIX qualified name, or UNC if DNS is not available.<br />
Examples<br />
host.mydomain.com (UNIX qualified name)<br />
\\mydomain\host (UNC)<br />
Default Value<br />
The name of the machine where the submitter is resident.<br />
SAPI_LOGNAME_FLD “Log”<br />
The logical log name that uniquely identifies the native auditing type. That<br />
is, the logical name of the source of audit information.<br />
Examples<br />
NT-System, NT-Application<br />
UNIX for syslog and sulog files<br />
Oracle for Oracle logs<br />
Default Value<br />
The submitter must supply the contents for this field.<br />
SAPI_SOURCE_FLD “Src”<br />
The name of the software component that issued the event.<br />
Note: The audit mechanism may serve more than one process or application.<br />
When a native auditing environment has more than one instance on the same<br />
machine, this field will contain the instance identification.<br />
Examples<br />
Windows NT—Security, Disk, NETLOGON<br />
UNIX—telnetd, ftpd<br />
Default Value<br />
The submitter must supply the contents for this field.<br />
SAPI_DATE_FLD “Date”<br />
When the event was originated. Date contains both date and time in<br />
standard ISO format (text format that includes date, time and time zone).<br />
Examples<br />
20010201T080001-0500 means Feb. 1, 2001 at 8:00:01 EST<br />
20010202T080001+0000 means Feb. 2, 2001 at 8:00:01 GMT<br />
Default Value<br />
The date and time at machine where the event is submitted.<br />
SAPI_STATUS_FLD “Status”<br />
The status that the event describes. Values for Status are strictly predefined:<br />
“S” SAPI_STATUS_SUCCESS<br />
Event for a successful operation.<br />
“F” SAPI_STATUS_FAILURE<br />
Event for a failed operation.<br />
“D” SAPI_STATUS_DENIED<br />
Event for a failed operation where the reason is insufficient privileges.<br />
We recommend that you use “F” SAPI_STATUS_FAILURE even for failed operations that are caused by insufficient privileges.<br />
Note: All source-specific statuses should be converted into one of the SAPI statuses. To keep the original value, put it into a source-specific field named in the form prefix_Status, where prefix uniquely identifies the source of audit information.<br />
Default Value<br />
“S”<br />
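The defaults and value constraints above, worked through as an added example that is not code from the guide or from CA: the SAPI submit functions themselves are not shown on this page, so the record is a plain struct, and the local host name and submission time are passed in by the caller (an assumption that also keeps the behaviour testable). The block formats the Date field in the 20010201T080001-0500 form, rejects Status values outside “S”, “F” and “D”, supplies the defaults for Location, Date and Status, and refuses a record that lacks Log or Src, for which the guide gives no default. The SAPI_EX_* result codes are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* The five mandatory SAPI fields, in the order "Location", "Log", "Src",
   "Date", "Status". An empty string means "not supplied by the submitter". */
typedef struct {
    char location[256];
    char log[64];
    char src[64];
    char date[32];
    char status[2];
} SapiMandatory;

/* Result codes of sapi_fill_mandatory (constructed for this example). */
enum { SAPI_EX_OK = 0, SAPI_EX_MISSING_LOG, SAPI_EX_MISSING_SRC, SAPI_EX_BAD_STATUS };

/* Format a broken-down time plus its UTC offset (minutes east of UTC) in the
   SAPI "Date" form YYYYMMDDThhmmss+hhmm, e.g. 20010201T080001-0500 for
   Feb. 1, 2001, 08:00:01 EST. Returns 1 on success, 0 if out is too small. */
int sapi_format_date(const struct tm *t, int utc_offset_min, char *out, size_t outsz)
{
    int off = utc_offset_min < 0 ? -utc_offset_min : utc_offset_min;
    int n = snprintf(out, outsz, "%04d%02d%02dT%02d%02d%02d%c%02d%02d",
                     t->tm_year + 1900, t->tm_mon + 1, t->tm_mday,
                     t->tm_hour, t->tm_min, t->tm_sec,
                     utc_offset_min < 0 ? '-' : '+', off / 60, off % 60);
    return n > 0 && (size_t)n < outsz;
}

/* "Status" is strictly predefined: "S" success, "F" failure, "D" denied. */
int sapi_status_valid(const char *status)
{
    return status != NULL && status[1] == '\0' &&
           (status[0] == 'S' || status[0] == 'F' || status[0] == 'D');
}

/* Local UTC offset in minutes at `now`, computed with standard C only:
   interpret the UTC wall-clock time as local and take the difference. */
static int local_utc_offset_min(time_t now)
{
    struct tm g = *gmtime(&now);
    g.tm_isdst = -1;                  /* let mktime resolve DST for the local zone */
    return (int)(difftime(now, mktime(&g)) / 60);
}

/* Apply the defaults the guide specifies: Location -> host where the submitter
   runs (passed in as local_host), Date -> submission time, Status -> "S".
   Log and Src have no default, so a missing value is rejected, not guessed. */
int sapi_fill_mandatory(SapiMandatory *out, const SapiMandatory *in,
                        const char *local_host, time_t now)
{
    if (in->log[0] == '\0') return SAPI_EX_MISSING_LOG;
    if (in->src[0] == '\0') return SAPI_EX_MISSING_SRC;
    if (in->status[0] != '\0' && !sapi_status_valid(in->status)) return SAPI_EX_BAD_STATUS;

    *out = *in;
    if (out->location[0] == '\0')
        snprintf(out->location, sizeof out->location, "%s", local_host);
    if (out->date[0] == '\0') {
        struct tm lt = *localtime(&now);
        sapi_format_date(&lt, local_utc_offset_min(now), out->date, sizeof out->date);
    }
    if (out->status[0] == '\0')
        strcpy(out->status, "S");
    return SAPI_EX_OK;
}

int main(void)
{
    SapiMandatory in = { "", "UNIX", "telnetd", "", "" }, out;
    if (sapi_fill_mandatory(&out, &in, "host.mydomain.com", time(NULL)) == SAPI_EX_OK)
        printf("Location=%s Log=%s Src=%s Date=%s Status=%s\n",
               out.location, out.log, out.src, out.date, out.status);
    return 0;
}
```

Rejecting an unknown Status rather than silently defaulting it to “S” is deliberate: a submitter that maps a native failure code badly would otherwise report every failed operation as a success in the viewers.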
Common Predefined Fields for Event Identification<br />
The following fields are used by most events. They are not mandatory, but they<br />
are strongly recommended for each SAPI message.<br />
SAPI_USER_FLD “User”<br />
The name of the user (or principal as some systems define) who performed<br />
the audited operation.<br />
Example<br />
Windows NT—Administrator, my_domain\john<br />
UNIX—“root,” “john”<br />
Default Value<br />
None.<br />
SAPI_USERID_FLD “UID”<br />
The native user ID.<br />
Example<br />
Windows NT—S-1-5-21-1793529420-1590284213-401-284377-1208<br />
UNIX—0 (root user)<br />
Optional Predefined Fields for Event Identification<br />
Certain fields providing event identification are optional.<br />
SAPI_LOCATIONIP_FLD “LocationIP”<br />
The IP address where the event was originated.<br />
Example<br />
112.111.248.116<br />
SAPI_LOGFILENAME_FLD “LogF”<br />
The physical file name (full path name), if available, in cases where the audit<br />
does not reside in a fixed file.<br />
Example<br />
UNIX—/usr/logs/trace1.log<br />
SAPI_RECORDERVER_FLD “RecVer”<br />
The version of the submitter for the native auditing environment.<br />
Common Predefined Fields for Event Description<br />
The following fields provide general information about events. They are not<br />
mandatory, but it is recommended to set their values (if available) for each SAPI<br />
message.<br />
Reserved fields specific to predefined security event categories are listed later in<br />
this chapter.<br />
SAPI_CATEGORY_FLD “Category”<br />
Security-related events fall into predefined categories. If the event belongs to one of them, it is highly recommended to set this field. The field can be left empty, or given a user-defined category when none of the predefined values matches.<br />
Example<br />
“System Access” SAPI_CATEGORY_SYSACC for any logon or logoff operation<br />
“Account Management” SAPI_CATEGORY_ACCOUNT for user account definition<br />
SAPI_SUBCAT_FLD “Subcat”<br />
Enables subdivision of events within a category. You can fill this field with either a predefined value or any other string value.<br />
SAPI_SEVERITY_FLD “Severity”<br />
The logical severity of the event, set by eTrust Audit policies (not by the application’s own severity).<br />
Values for Severity are strictly predefined.<br />
“0” SAPI_SEVERITY_INFO<br />
“1” SAPI_SEVERITY_WARNING<br />
“2” SAPI_SEVERITY_CRITICAL<br />
“3” SAPI_SEVERITY_FATAL<br />
SAPI_OPERATION_FLD “Oper”<br />
The operation performed on an object. Values are chosen from a list of<br />
predefined values. In cases where the predefined values are not suitable,<br />
native auditing values may be used.<br />
Example<br />
“Write” SAPI_OPER_WRITE—edited a file or registry key<br />
“Start” SAPI_OPER_START—started a service<br />
SAPI_OBJCLASS_FLD “ObjClass”<br />
The class of the object of the operation. Values are chosen from a list of<br />
predefined values. In cases where the predefined values are not suitable,<br />
native auditing values may be used.<br />
Example<br />
“FILE,” “REGKEY”<br />
SAPI_OBJNAME_FLD “ObjName”<br />
The name of the object on which the operation is performed.<br />
Example<br />
“C:\WINNT\system.ini”—a file name<br />
“notepad.exe”—a process name<br />
SAPI_OBJCLASS2_FLD “SecObjClass”<br />
The class of the second object that participated in the event (if it exists).<br />
Example<br />
“Group”—in case of joining a user to a group<br />
SAPI_OBJNAME2_FLD “SecObjName”<br />
The name of the second object that participated in the event (if it exists).<br />
Example<br />
“Administrators”—as the name of the group a user was added to<br />
SAPI_NATIVEOID_FLD “OID”<br />
The native object ID (handle) from auditing or operating system.<br />
Example<br />
Windows NT—“24”<br />
SAPI_PID_FLD “PID”<br />
The Process ID of the process that performed the operation, if available.<br />
Example<br />
WINDOWS NT—“2309196368”<br />
SAPI_NATIVEID_FLD “NID”<br />
The native ID of the event, in native auditing environments that enumerate<br />
events.<br />
Example<br />
Windows NT—“562” for closed handle event, “592” for process creation.<br />
SAPI_INFO_FLD “Info”<br />
The free-text event information.<br />
Example<br />
Windows NT—A process has exited.<br />
Process ID: 215487040<br />
User Name: user_john<br />
Domain: My_Domain<br />
Logon ID: (0x0,0x3ED6)<br />
UNIX—printer/tcp: “Print services stopped”<br />
Mapping Events to Predefined Categories<br />
For each security event category, records can be built from a certain set of SAPI<br />
fields, in addition to the mandatory identifying fields.<br />
Predefined security-related categories are:<br />
■ System Access<br />
■ Account Management<br />
■ Object Access<br />
■ Policy Management<br />
■ Security Systems<br />
■ Network<br />
■ Detailed Tracking<br />
■ Physical Security<br />
Other events (generally, start and stop notifications for applications) fall into one of the following categories:<br />
■ System \ Application<br />
■ Administration<br />
■ General<br />
System Access<br />
System access events include logon, logoff, and change of user identity<br />
(impersonation).<br />
SAPI_CATEGORY_FLD “Category”<br />
“System Access” SAPI_CATEGORY_SYSACC<br />
SAPI_SOURCE_FLD “Src”<br />
The software component that generated the message.<br />
Example<br />
Windows NT—“Security”<br />
UNIX—“login,” “telnetd,” “in.telnetd,” “rshd,” “in.rshd,” “Xsession” (XDMCP), “ftpd,” “in.ftpd,” “rlogind,” “in.rlogind,” “fingerd,” “ffingerd”<br />
SAPI_OPERATION_FLD “Oper”<br />
“Logon” SAPI_OPER_LOGON<br />
“Logoff” SAPI_OPER_LOGOFF<br />
SAPI_USER_FLD “User”<br />
The name of the logged-on user.<br />
SAPI_SURROGATEUSERNAME_FLD “SurrogateUser”<br />
The name of the new user when logging on from another user. For example, the UNIX command su root generates a SurrogateUser value of “root.”<br />
SAPI_INFO_FLD “Info”<br />
May contain reason for failed logon.<br />
SAPI_LOGONTYPE_FLD “LogonType”<br />
For logon operations, the type of logon. Values for LogonType are strictly<br />
predefined.<br />
Example<br />
“Interactive” SAPI_LOGONTYPE_INTERACTIVE—local user logon<br />
“Server” SAPI_LOGONTYPE_SERVER—logon to server, domain or<br />
shared drive<br />
SAPI_TERMINAL_FLD “Term”<br />
The terminal name or ID from which the operation is initiated.<br />
Example<br />
“pts/7”<br />
SAPI_REMOTEHOST_FLD “RemHost”<br />
The name or address of the remote host for operations that are performed<br />
remotely (name should follow Location field format).<br />
Account Management<br />
Account management events include the creation, changing, and deletion of<br />
users, groups, profiles and roles, as well as the granting of permissions.<br />
For security purposes, special care should be taken to audit the addition of users<br />
to the administrators group, and the addition of significant authorizations.<br />
The management of permissions on the system level is mapped to “Account<br />
Management,” and the management of auditing is mapped to “Policy<br />
Management.” For individual objects, both permissions and auditing setups are<br />
mapped to “Object Access.”<br />
SAPI_CATEGORY_FLD “Category”<br />
“Account Management” SAPI_CATEGORY_ACCOUNT<br />
SAPI_SUBCAT_FLD “Subcat”<br />
“Permission” SAPI_SUBCAT_PERMISSION<br />
“Audit” SAPI_SUBCAT_AUDIT<br />
“Password” SAPI_SUBCAT_PASSWORD<br />
SAPI_OPERATION_FLD “Oper”<br />
Some possible values are predefined.<br />
For example:<br />
“Create” SAPI_OPER_CREATE<br />
“Delete” SAPI_OPER_DELETE<br />
“ChangeProperty” SAPI_OPER_CHANGEPROPERTY<br />
“Lock” SAPI_OPER_LOCK<br />
“Unlock” SAPI_OPER_UNLOCK<br />
SAPI_OBJCLASS_FLD “ObjClass”<br />
“USER” SAPI_OBJCLASS_USER<br />
“GROUP” SAPI_OBJCLASS_GROUP<br />
SAPI_OBJNAME_FLD “ObjName”<br />
The name of the user or group.<br />
SAPI_OBJCLASS2_FLD “SecObjClass”<br />
The class of the secondary object.<br />
Example<br />
When adding a user to a group, “USER” is the primary object and<br />
“GROUP” is the secondary object.<br />
When changing permissions, the secondary object is “PRIVILEGE”<br />
SAPI_OBJCLASS_PRIVILEGE.<br />
SAPI_OBJNAME2_FLD “SecObjName”<br />
The name of the secondary object.<br />
SAPI_INFO_FLD “Info”<br />
The free-text description of the operation.<br />
Object Access<br />
Object access events include any access to resources such as files and the registry.<br />
Usually these accesses are audited only for critical objects.<br />
For individual objects, both permissions and auditing setups are mapped to<br />
“Object Access.” The management of permissions on the system level is mapped<br />
to “Account Management.”<br />
SAPI_CATEGORY_FLD “Category”<br />
“Object Access” SAPI_CATEGORY_OBJACC<br />
SAPI_SUBCAT_FLD “Subcat”<br />
“Password” SAPI_SUBCAT_PASSWORD<br />
“Usage” SAPI_SUBCAT_USAGE<br />
“Audit” SAPI_SUBCAT_AUDIT<br />
“Activation” SAPI_SUBCAT_ACTIVATION<br />
“Permission” SAPI_SUBCAT_PERMISSION<br />
SAPI_OBJCLASS_FLD “ObjClass”<br />
The class of the object on which the operation is performed. In cases where the predefined values are not suitable, native auditing values may be used.<br />
Example<br />
“REGKEY”—for a registry key<br />
“FILE”—for a file or folder<br />
SAPI_OBJNAME_FLD “ObjName”<br />
The name of the accessed object.<br />
SAPI_OPERATION_FLD “Oper”<br />
For example:<br />
“Execute” SAPI_OPER_EXECUTE<br />
“Start” SAPI_OPER_START<br />
“Stop” SAPI_OPER_STOP<br />
“Kill” SAPI_OPER_KILL<br />
“Create” SAPI_OPER_CREATE<br />
“Delete” SAPI_OPER_DELETE<br />
“ChangeProperty” SAPI_OPER_CHANGEPROPERTY<br />
“Rename” SAPI_OPER_RENAME<br />
“TakeOwnership” SAPI_OPER_TAKEOWNERSHIP<br />
“ChangePermission” SAPI_OPER_CHANGEPERMISSION<br />
“Lock” SAPI_OPER_LOCK<br />
“Unlock” SAPI_OPER_UNLOCK<br />
“Open” SAPI_OPER_OPEN<br />
“Read” SAPI_OPER_READ<br />
“Write” SAPI_OPER_WRITE<br />
“Edit” SAPI_OPER_EDIT<br />
SAPI_NATIVEOID_FLD (optional)<br />
The object ID used by the native environment.<br />
SAPI_PID_FLD (optional)<br />
The ID of the process that accesses the object.<br />
SAPI_COMMAND_FLD “Command” (optional)<br />
The original command that caused the event (in case of a command line<br />
interface usage).<br />
Example<br />
eTrust Access Control—definition of a new resource “new user(john)”<br />
SAPI_INFO_FLD “Info”<br />
The free-text event information.<br />
Policy Management<br />
Policy management events include changes in audit policy, changes in password<br />
policy, and other events on the system level. This category usually includes very<br />
few events.<br />
For individual objects, permissions and auditing setups are mapped to “Object<br />
Access.”<br />
SAPI_CATEGORY_FLD “Category”<br />
“Policy Management” SAPI_CATEGORY_POLICY<br />
SAPI_SUBCAT_FLD “Subcat”<br />
“Audit” SAPI_SUBCAT_AUDIT<br />
“Activation” SAPI_SUBCAT_ACTIVATION<br />
“Permission” SAPI_SUBCAT_PERMISSION<br />
SAPI_OPERATION_FLD “Oper”<br />
For example:<br />
“Create” SAPI_OPER_CREATE<br />
“Delete” SAPI_OPER_DELETE<br />
SAPI_OBJCLASS_FLD “ObjClass”<br />
“POLICY” SAPI_OBJCLASS_POLICY<br />
Oracle—map “Audit_Option” to this field<br />
SAPI_OBJNAME_FLD “ObjName”<br />
The object name.<br />
SAPI_INFO_FLD “Info”<br />
The free-text event information.<br />
Security Systems<br />
Security system status events include events related to the change in the status of<br />
security systems. For example, the stopping and starting of operating systems<br />
and the clearing of audit logs.<br />
SAPI_CATEGORY_FLD “Category”<br />
“Security Systems” SAPI_CATEGORY_SECURITYSYS<br />
SAPI_OPERATION_FLD “Oper”<br />
For example:<br />
“Restart” SAPI_OPER_RESTART<br />
“Startup” SAPI_OPER_STARTUP<br />
“Shutdown” SAPI_OPER_SHUTDOWN<br />
“Clear” SAPI_OPER_CLEAR<br />
SAPI_OBJCLASS_FLD “ObjClass”<br />
For example:<br />
“Service” (or daemon) SAPI_OBJCLASS_SERVICE<br />
“Log” SAPI_OBJCLASS_LOG<br />
“Process” SAPI_OBJCLASS_PROCESS<br />
“OS” SAPI_OBJCLASS_OS<br />
SAPI_OBJNAME_FLD “ObjName”<br />
The name of started or stopped program.<br />
SAPI_INFO_FLD “Info”<br />
The free-text event information.<br />
Physical Security<br />
Physical security system events include events related to the change in the status<br />
of physical security systems, for example, the switching of cameras, opening,<br />
closing, and locking doors, and so on.<br />
SAPI_CATEGORY_FLD “Category”<br />
“Physical Security” SAPI_CATEGORY_SECURITYPH<br />
SAPI_OPERATION_FLD “Oper”<br />
For example:<br />
“Restart” SAPI_OPER_RESTART<br />
“Open” SAPI_OPER_OPEN<br />
“Lock” SAPI_OPER_LOCK<br />
“Unlock” SAPI_OPER_UNLOCK<br />
SAPI_OBJCLASS_FLD “ObjClass”<br />
The class of the audited objects.<br />
SAPI_OBJNAME_FLD “ObjName”<br />
The name of the audited objects.<br />
SAPI_INFO_FLD “Info”<br />
The free-text event information.<br />
Network<br />
Network events include:<br />
■ Incoming and outgoing communication events from eTrust Access Control<br />
■ eTrust Intrusion Detection (former SessionWall)<br />
■ Events from other network products to be integrated with eTrust Audit<br />
Network events should map to identification fields.<br />
SAPI_CATEGORY_FLD “Category”<br />
“Network” SAPI_CATEGORY_NETWORK<br />
SAPI_OPERATION_FLD “Oper”<br />
“Connect” SAPI_OPER_CONNECT<br />
“Disconnect” SAPI_OPER_DISCONNECT<br />
SAPI_OBJCLASS_FLD “ObjClass”<br />
For example:<br />
“PORT” SAPI_OBJCLASS_PORT<br />
“HOST” SAPI_OBJCLASS_HOST<br />
“TERMINAL” SAPI_OBJCLASS_TERMINAL<br />
“DOMAIN” SAPI_OBJCLASS_DOMAIN<br />
“PROCESS” SAPI_OBJCLASS_PROCESS<br />
“PRINTER” SAPI_OBJCLASS_PRINTER<br />
SAPI_OBJNAME_FLD “ObjName”<br />
The object name, name of host, terminal, domain and so on.<br />
SAPI_INFO_FLD “Info”<br />
The free-text event information.<br />
The following additional fields contain network objects.<br />
SAPI_REMOTEIP_FLD “RemIP”<br />
The remote IP address.<br />
SAPI_AFTYPE_FLD “AddressFamily”<br />
The address family.<br />
SAPI_NETSERVICENAME_FLD “NetServiceName”<br />
The service or daemon.<br />
Example<br />
“FTP”<br />
SAPI_PORT_FLD “Port”<br />
The local port number.<br />
Example<br />
“7890”<br />
SAPI_REMOTEPORT_FLD “RemotePort”<br />
The remote port number.<br />
Example<br />
“8765”<br />
SAPI_PROTOCOL_FLD “Protocol”<br />
The protocol.<br />
Example<br />
“TCP,” “UDP”<br />
SAPI_URL_FLD “URL”<br />
The URL.<br />
Example<br />
“www.ca.com”<br />
SAPI_DIRECTION_FLD “Direction”<br />
The event direction: inbound or outbound.<br />
Example<br />
“IN”<br />
“OUT”<br />
SAPI_EVENT_COUNT_FLD “EventCount”<br />
The count of events, if the event is aggregated.<br />
SAPI_SENDER_HOSTNAME_FLD “SenderHostName”<br />
Host sending the message.<br />
SAPI_SENDER_IP_FLD “SenderIP”<br />
IP of host sending the message.<br />
SAPI_SENDER_PORT_FLD “SenderPort”<br />
Port number of the message sender.<br />
Example<br />
“9876”<br />
SAPI_RECEIVER_HOSTNAME_FLD “ReceiverHostName”<br />
Host receiving the message.<br />
SAPI_RECEIVER_IP_FLD “ReceiverIP”<br />
IP of host receiving the message.<br />
SAPI_RECEIVER_PORT_FLD “ReceiverPort”<br />
Port number of the message receiver.<br />
Example<br />
“8765”<br />
Detailed Tracking<br />
Both Windows NT and eTrust Access Control offer detailed tracking—in Windows NT, for processes (by PID). In eTrust Access Control, tracking can be activated for other fields as well.<br />
SAPI_CATEGORY_FLD “Category”<br />
“Detailed Tracking” SAPI_CATEGORY_TRACKING<br />
SAPI_OPERATION_FLD “Oper”<br />
For example:<br />
“Start” SAPI_OPER_START<br />
“Stop” SAPI_OPER_STOP<br />
SAPI_OBJCLASS_FLD “ObjClass”<br />
For example: “PROCESS” SAPI_OBJCLASS_PROCESS<br />
SAPI_PID_FLD “PID”<br />
The process ID.<br />
SAPI_OBJNAME_FLD “ObjName”<br />
The object name, name of started or stopped program<br />
SAPI_INFO_FLD “Info”<br />
The event description.<br />
SAPI_USER_FLD “User”<br />
The user name.<br />
SAPI_USERID_FLD “UID”<br />
The user ID.<br />
SAPI_SURROGATEUSERNAME_FLD “SurrogateUser”<br />
The new identity of a user who changed identity, for example via set user (available on systems that retain the original identity).<br />
Example<br />
UNIX—for a set user operation, UserName may be “john” and SurrogateUser may be “root”<br />
SAPI_SURROGATEUSERID_FLD “SurrogateUId”<br />
The ID of the SurrogateUser, as explained above.<br />
SAPI_EUSERNAME_FLD “EffectiveUser”<br />
The effective user name. The effective user is the user whose rights are in<br />
effect for the described event.<br />
SAPI_EUSERID_FLD “EffectiveUserId”<br />
The ID of the effective user, as explained above.<br />
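To show how a native record lands in the Detailed Tracking fields, here is an added example that is not the guide's or CA's code: it takes the Windows NT “A process has exited” text shown under the Info field earlier in this chapter, recognises a process start or stop message, and fills Category, ObjClass, Oper, PID, User and Info as the section above prescribes. The creation-message wording “A new process has been created”, the plain struct in place of the SAPI submit calls, and the sample text itself are assumptions of this example; the SAPI_* token macros from AC_SAPITokens.h are not used, the predefined string values are written directly.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: the NT Security-log text shown under "Info" above. */
static const char *const SAMPLE_NT_PROCESS_EXIT =
    "A process has exited.\n"
    "Process ID: 215487040\n"
    "User Name: user_john\n"
    "Domain: My_Domain\n"
    "Logon ID: (0x0,0x3ED6)";

/* Detailed Tracking record. Category/ObjClass/Oper/Status hold the predefined
   string values; PID, User and Info are copied from the native text. */
typedef struct {
    const char *category;   /* "Category" */
    const char *objclass;   /* "ObjClass" */
    const char *oper;       /* "Oper"     */
    const char *status;     /* "Status"   */
    char pid[32];           /* "PID"      */
    char user[64];          /* "User"     */
    char info[512];         /* "Info"     */
} SapiTrackingRecord;

/* Copy the whitespace-delimited token that follows `label` in `text` into out.
   Returns 1 if a token was found, 0 otherwise (out is then empty). */
static int token_after(const char *text, const char *label, char *out, size_t outsz)
{
    const char *p = strstr(text, label);
    size_t n = 0;
    out[0] = '\0';
    if (p == NULL) return 0;
    p += strlen(label);
    while (*p == ' ' || *p == '\t') p++;
    while (*p != '\0' && *p != ' ' && *p != '\t' && *p != '\r' && *p != '\n' && n + 1 < outsz)
        out[n++] = *p++;
    out[n] = '\0';
    return n > 0;
}

/* Map an NT process-tracking message onto the Detailed Tracking category.
   Returns 1 when the text is a process start/stop message and rec is filled,
   0 when it is not (the caller then maps it to another category). */
int map_nt_process_event(const char *native_text, SapiTrackingRecord *rec)
{
    memset(rec, 0, sizeof *rec);
    if (strstr(native_text, "A new process has been created") != NULL)
        rec->oper = "Start";             /* SAPI_OPER_START */
    else if (strstr(native_text, "A process has exited") != NULL)
        rec->oper = "Stop";              /* SAPI_OPER_STOP */
    else
        return 0;
    rec->category = "Detailed Tracking"; /* SAPI_CATEGORY_TRACKING */
    rec->objclass = "PROCESS";           /* SAPI_OBJCLASS_PROCESS */
    rec->status   = "S";                 /* SAPI_STATUS_SUCCESS: a tracking notice, not a failure */
    token_after(native_text, "Process ID:", rec->pid, sizeof rec->pid);
    token_after(native_text, "User Name:", rec->user, sizeof rec->user);
    /* The whole native text is kept as free-text Info. The sample carries no
       program name, so ObjName is left to sources that supply one. */
    snprintf(rec->info, sizeof rec->info, "%s", native_text);
    return 1;
}

int main(void)
{
    SapiTrackingRecord rec;
    if (map_nt_process_event(SAMPLE_NT_PROCESS_EXIT, &rec))
        printf("Category=%s ObjClass=%s Oper=%s PID=%s User=%s Status=%s\n",
               rec.category, rec.objclass, rec.oper, rec.pid, rec.user, rec.status);
    return 0;
}
```

The mandatory identification fields (Location, Log, Src, Date, Status) still have to be added to such a record before submission; only Status is set here because the tracking message implies it.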
System/Application, Administration and General Events<br />
These events include start and stop notifications for applications not directly<br />
involved in security auditing (that is, not mapped to another category). Fields<br />
will be application-specific. Identification fields are mandatory.<br />
SAPI_CATEGORY_FLD “Category”<br />
“System and Application” SAPI_CATEGORY_STATUS<br />
“Administration” SAPI_CATEGORY_ADMIN<br />
“General” SAPI_CATEGORY_GENERAL<br />
SAPI_INFO_FLD “Info”<br />
The free-text event information.<br />
Fields Internal to eTrust Audit<br />
Internal fields may be filled for each event by eTrust Audit. These fields may be present in each record, but need not be filled by third-party submitters.<br />
SAPI_ROUTINGINFO_FLD “RoutInfo”<br />
For debug purposes only—a concatenation of the names of all the routers that have handled the event.<br />
SAPI_RULENAME_FLD “Rule”<br />
For debug purposes only—name of the eTrust Audit policy that originated the event.<br />
Reserved Keywords<br />
The following words may not be used as field names, since they have specific<br />
meanings in the filter language.<br />
ADD<br />
AM<br />
AT<br />
CASE<br />
CI<br />
CS<br />
DATE_YACC<br />
DAY<br />
DECR<br />
DECREMENT<br />
DEFINE<br />
DELETE<br />
DELETE_YACC<br />
DIFFERENT<br />
DY<br />
EQUAL<br />
EXISTS<br />
FATAL_ERROR<br />
GREATER<br />
INCR<br />
INCREMENT<br />
INSENSITIVE<br />
INTEGER<br />
LESS<br />
MATCHES<br />
MONTH<br />
NAME<br />
NEWEVENT<br />
NOT<br />
NUMBER<br />
OF<br />
OR<br />
PART<br />
PM<br />
REL_OP<br />
SCAN_ERROR<br />
SENSITIVE<br />
SET<br />
STRING<br />
STRING_CONST<br />
SUB<br />
SUBTRACT<br />
THAN<br />
TIME<br />
TIMESTAMP<br />
TO<br />
VARIABLE<br />
YR<br />
The names of months (JAN, FEB, MAR, APR, MAY, JUN, JUL, AUG, SEP, OCT,<br />
NOV, and DEC) are also reserved.<br />
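As an added example that is not from the guide or from CA, here is a check a submitter can run over its user-defined field names before building records. It applies the three rules this chapter gives: the name must not be one of the reserved words or month abbreviations listed above, it must be unique within the record, and it should carry a source prefix such as ORA_ (detected here as an underscore-separated prefix, and reported with its own code because the guide calls it a recommendation). Comparing names case-insensitively is an assumption, since the guide does not say whether the filter language distinguishes case; the FLD_* result codes are constructed for this example.

```c
#include <ctype.h>
#include <string.h>

/* Reserved words of the filter language as listed in the guide, plus the
   month abbreviations the guide also reserves. */
static const char *const SAPI_RESERVED_WORDS[] = {
    "ADD", "AM", "AT", "CASE", "CI", "CS", "DATE_YACC", "DAY", "DECR",
    "DECREMENT", "DEFINE", "DELETE", "DELETE_YACC", "DIFFERENT", "DY", "EQUAL",
    "EXISTS", "FATAL_ERROR", "GREATER", "INCR", "INCREMENT", "INSENSITIVE",
    "INTEGER", "LESS", "MATCHES", "MONTH", "NAME", "NEWEVENT", "NOT", "NUMBER",
    "OF", "OR", "PART", "PM", "REL_OP", "SCAN_ERROR", "SENSITIVE", "SET",
    "STRING", "STRING_CONST", "SUB", "SUBTRACT", "THAN", "TIME", "TIMESTAMP",
    "TO", "VARIABLE", "YR",
    "JAN", "FEB", "MAR", "APR", "MAY", "JUN", "JUL", "AUG", "SEP", "OCT", "NOV", "DEC"
};

/* Result codes (constructed for this example). */
enum { FLD_OK = 0, FLD_EMPTY, FLD_RESERVED, FLD_DUPLICATE, FLD_NO_SOURCE_PREFIX };

/* Case-insensitive equality. The guide does not state whether the filter
   language is case sensitive, so the check is conservative (assumption). */
static int eq_nocase(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++)
        if (toupper((unsigned char)*a) != toupper((unsigned char)*b)) return 0;
    return *a == '\0' && *b == '\0';
}

/* Check a user-defined field name against the names already in the record.
   `existing` may be NULL when n_existing is 0. */
int sapi_fieldname_check(const char *name, const char *const *existing, size_t n_existing)
{
    size_t i;
    const char *us;
    if (name == NULL || name[0] == '\0') return FLD_EMPTY;
    for (i = 0; i < sizeof SAPI_RESERVED_WORDS / sizeof SAPI_RESERVED_WORDS[0]; i++)
        if (eq_nocase(name, SAPI_RESERVED_WORDS[i])) return FLD_RESERVED;
    for (i = 0; i < n_existing; i++)
        if (eq_nocase(name, existing[i])) return FLD_DUPLICATE;
    /* A source prefix such as "ORA_" is recommended: require a non-empty
       prefix before an underscore and a non-empty remainder after it. */
    us = strchr(name, '_');
    if (us == NULL || us == name || us[1] == '\0') return FLD_NO_SOURCE_PREFIX;
    return FLD_OK;
}
```

A name that fails with FLD_RESERVED cannot simply be uppercased or lowercased around the problem; rename it with the source prefix instead, which also resolves most duplicates between sources.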
Chapter 14<br />
Recorder for Check Point FireWall-1 Reference<br />
The eTrust Audit Recorder for Check Point FireWall-1 is a component of the eTrust Audit Client. It runs on Windows, Solaris, and Linux systems only. The Recorder for Check Point FireWall-1 receives events from Check Point FireWall-1 using the Check Point OPSEC (Open Platform for Security) application programming interface (API) protocol, and sends the events to the eTrust Audit Router using the SAPI protocol.<br />
Information Flow<br />
The Recorder for Check Point FireWall-1 for Windows or Solaris can be installed<br />
on the same host where the Check Point FireWall-1 server runs, or on another<br />
host. To receive data from Check Point FireWall-1 servers, the Recorder for<br />
Check Point FireWall-1 connects to the Check Point LEA server using the OPSEC<br />
protocol. After message parsing, the Recorder for Check Point FireWall-1 sends<br />
the messages to the Audit Router using the SAPI protocol. The information flow from here onward is like the one in the eTrust Audit Client.<br />
Recorder for Check Point FireWall-1 Reference 14–1<br />
The following diagram shows the basic information flow between the Recorder for Check Point FireWall-1 and the various components of eTrust Audit:<br />
The eTrust Audit Viewer has specific SQL queries for Check Point FireWall-1 provided as ASCII files.<br />
Preinstallation Considerations<br />
You should take into consideration the following:<br />
■ The Recorder for Check Point FireWall-1 supports Check Point FireWall-1 version 4.1.2.<br />
■ Recorder for Check Point FireWall-1 values that have no direct match to database or Security Monitor fields are concatenated into the message text field as details. The maximum size of the information field is 512 bytes.<br />
Configuring the Check Point FireWall-1 Servers<br />
You need to configure the Check Point FireWall-1 server or servers that you want<br />
to audit. For information about configuration, see Technical Information later in<br />
this chapter.<br />
Information You Need to Collect<br />
Before you install the Recorder for Check Point FireWall-1, we recommend you<br />
collect useful information about the Check Point FireWall-1 server or servers you<br />
want to audit. The following topics will help you get organized.<br />
Server Details<br />
Have the following information for each Check Point FireWall-1 server you want to audit:<br />
■ Logical name<br />
■ Host name or IP address<br />
■ OPSEC port number<br />
Tip: Look for the OPSEC port number in the fwopsec.conf file, which is<br />
located in the installation path under FW1\conf.<br />
Connection Types<br />
Choose the OPSEC connection type to use between the Recorder for Check Point<br />
FireWall-1 and each of the Check Point FireWall-1 servers. Define for each server<br />
you want to audit the connection type you will assign it during installation. For<br />
information about connection types, see Technical Information later in this<br />
chapter.<br />
Log Types<br />
Choose the log types for the Check Point FireWall-1 servers you want to audit:<br />
secure to audit system-related events, and account to audit user-related events.<br />
You can choose one type, both, or none. If you choose none, that server will not<br />
audit events.<br />
Installing the Recorder for Check Point FireWall-1<br />
For information on installing the Recorder for Check Point Firewall-1, see the<br />
“Performing a Custom Installation of the Client Components” appendix in<br />
Getting Started.<br />
Installing in a Solaris Environment<br />
The installation process detects the eTrust Audit components installed on the host where it is running, and presents options accordingly. During installation, you can perform one of these actions on each host:<br />
■ Install the Recorder for Check Point FireWall-1 when the eTrust Audit Client is found on the host (residing alone or with the eTrust Audit Data Tools)<br />
■ Upgrade the eTrust Audit Data Tools when the eTrust Audit Client is not found on the host.<br />
Note: You can install the Recorder for Check Point FireWall-1 only on a host where the eTrust Audit Client 1.5 is installed. You must have root authority to invoke the installation script.<br />
Installing the Recorder for Check Point FireWall-1<br />
This section describes the installation process for a host with an eTrust Audit Client.<br />
1. From the installation directory, run the following script:<br />
./install_eAuditFW1Rec<br />
When only the eTrust Audit Client resides on the host, or both the eTrust Audit Client and the eTrust Audit Data Tools, you are prompted to upgrade:<br />
Looking for previous installations of eTrust Audit …<br />
Found eTrust Audit Client.<br />
Do you want to upgrade it? [y/n]<br />
or:<br />
Looking for previous installations of eTrust Audit …<br />
Found both eTrust Audit Client and eTrust Audit Data Tools.<br />
Select the components you want to upgrade:<br />
1 - Data Tools<br />
2 - Client and Data Tools<br />
:<br />
2. Choose the upgrade you need for the host. After several messages about<br />
calculations and configuration, you are prompted to enter information about<br />
the servers:<br />
Enter the Check Point FireWall-1 servers information one by one, terminating<br />
with CTRL-D or your EOF.<br />
Server logical name:<br />
Host name or IP address:<br />
Connection port:<br />
Select OPSEC connection type:<br />
1 - Clear connection<br />
2 - Authenticated and encrypted connection using SSL<br />
3 - Authenticated connection using SSL<br />
4 - Authenticated connection (Check Point proprietary)<br />
:<br />
Secure log [y/n]:<br />
Account log [y/n]:<br />
Server logical name:<br />
3. Enter the information for the first server. You are immediately prompted to<br />
enter information for another server. If you need to configure additional<br />
servers, continue entering information. Otherwise, press Enter to exit the<br />
prompt and to continue with the installation process. Several messages<br />
appear on screen informing about the status of the installation process. You<br />
are prompted with the following message:<br />
Would you like to start the eTrust Audit Recorder for Check Point Firewall-1 daemons right now? [y/n]: (y)<br />
4. Choose whether to start the program. You are now prompted:<br />
Do you want to view the eTrust Audit Recorder for Check Point FireWall-1 Readme.txt file? [y/n]: (y)<br />
Recorder for<br />
Check Point FireWall-1 <strong>Reference</strong> 14–5
5. Choose whether to view the readme file. You are prompted as follows:<br />
Do you want to copy the PDF guide to the installation directory? [y/n] (y)<br />
6. Choose whether to copy the PDF file.<br />
A message informs you that the installation is completed.<br />
Tip: If you need to configure additional servers after the installation, you can<br />
either edit the eaudit.ini file, which is updated during the installation, or edit<br />
the Registry.<br />
Upgrading the Data Tools<br />
This section describes the upgrade procedure for a host without an <strong>eTrust</strong> <strong>Audit</strong><br />
Client.<br />
When the installation process finds only the <strong>eTrust</strong> <strong>Audit</strong> Data Tools on the host,<br />
you can upgrade them so that the <strong>Audit</strong> Collector receives Check Point FireWall-1<br />
events.<br />
1. From the installation directory, run the following script:<br />
./install_eAuditFW1Rec<br />
You are prompted to upgrade the <strong>eTrust</strong> <strong>Audit</strong> Data Tools as follows:<br />
Found <strong>eTrust</strong> <strong>Audit</strong> Data Tools.<br />
Do you want to upgrade them? [y/n]<br />
2. Choose whether to upgrade. If you choose yes, you are prompted:<br />
Do you want to view the <strong>eTrust</strong> <strong>Audit</strong> Recorder for Check Point FireWall-1<br />
Readme.txt file? [y/n]: (y)<br />
3. Choose whether to display the readme file. You are now prompted:<br />
Do you want to copy the PDF guide to the installation directory? [y/n] (y)<br />
4. Choose whether to copy the PDF file.<br />
A message informs you that the upgrade is completed.<br />
Configuration Values<br />
After installation, the configuration values of the Recorder for Check Point<br />
FireWall-1 are kept in the registry on Windows, or in a configuration file in a<br />
Solaris environment. Check Point FW-1 is the name of the new Registry key or<br />
of the new configuration file section.<br />
Registry Keys and .ini File<br />
In a Windows environment, the Registry keys are located under:<br />
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\<strong>eTrust</strong> <strong>Audit</strong><br />
In a Solaris environment, the configuration file eaudit.ini is located in the<br />
directory:<br />
/usr/eaudit/ini<br />
Windows Registry Entries<br />
The following list shows the specific configuration parameters of the Recorder<br />
for Check Point FireWall-1. The words in italic indicate data entered during<br />
installation.<br />
The registry keys are found under the following key for <strong>eTrust</strong> <strong>Audit</strong>:<br />
HKEY_LOCAL_MACHINE\SOFTWARE\ComputerAssociates\<strong>eTrust</strong> <strong>Audit</strong>\Client\Recorders\Check Point FW-1<br />
The new key for the Recorder for Check Point FireWall-1.<br />
Data Type: Key<br />
Default Value: N/A<br />
Client\Recorders\Check Point FW-1\DatFilePath<br />
The Recorder for Check Point FireWall-1 uses this file internally. This<br />
location must not be changed.<br />
Data Type: String<br />
Default Value: dat\recorders\fw.dat<br />
Client\Recorders\Check Point FW-1\MPFile<br />
The name of the mapping file used for parsing received messages.<br />
Data Type: String<br />
Default Value: cfg\fw.mp<br />
Client\Recorders\Check Point FW-1\SendInterval<br />
The time, in seconds, that the service sleeps after sending MaxSeqNoSleep records.<br />
Data Type: DWORD<br />
Default Value: 10<br />
Client\Recorders\Check Point FW-1\MaxSeqNoSleep<br />
The maximum number of records sent before sleeping.<br />
Data Type: DWORD<br />
Default Value: 50<br />
Client\Recorders\Check Point FW-1\LEA Servers<br />
New subkey.<br />
Data Type: Key<br />
Default Value: N/A<br />
Client\Recorders\Check Point FW-1\LEA Servers\ServerName<br />
It must be a unique name.<br />
Data Type: Key<br />
Default Value: N/A<br />
Client\Recorders\Check Point FW-1\LEA Servers\ServerName\Active<br />
Whether the server is active.<br />
Data Type: DWORD<br />
Default Value: 1 (0=server inactive, 1=server active)<br />
Client\Recorders\Check Point FW-1\LEA Servers\ServerName\Host<br />
The server host name can be a logical name or an IP address.<br />
Data Type: String<br />
Default Value: N/A<br />
Client\Recorders\Check Point FW-1\LEA Servers\ServerName\Port<br />
The OPSEC port number of the server.<br />
Data Type: String<br />
Default Value: N/A<br />
Client\Recorders\Check Point FW-1\LEA Servers\ServerName\AuthType<br />
Empty means clear connection. For a description of connection types, see<br />
Technical Information later in this chapter.<br />
Data Type: String<br />
Default Value: Empty<br />
Client\Recorders\Check Point FW-1\LEA Servers\ServerName\Logs\Secure<br />
Whether collection of secure log events is activated.<br />
Data Type: DWORD<br />
Default Value: 0 (0=deactivate secure log events, 1=activate secure log events)<br />
Client\Recorders\Check Point FW-1\LEA Servers\ServerName\Account<br />
Whether collection of account log events is activated.<br />
Data Type: DWORD<br />
Default Value: 0 (0=deactivate account log events, 1=activate account log events)<br />
Client\Recorders\Check Point FW-1\LEA Servers\ServerName\Logs\logn<br />
The Recorder receives records from this list of log files.<br />
Data Type: String<br />
Default Value: N/A<br />
Client\Recorders\Check Point FW-1\LEA Servers\ServerName\LoadType<br />
Whether the log is read from the stored offset or from the beginning.<br />
Data Type: DWORD<br />
Default Value: 0 (0=read according to offset, 1=read from the beginning ignoring offset)<br />
Solaris eAudit.ini File Values<br />
The following list shows the specific configuration parameters of the Recorder<br />
for Check Point FireWall-1. The words in italics indicate data entered during<br />
installation.<br />
These values are found in the following section of the ini file:<br />
Client<br />
Recorders<br />
Check Point FW-1<br />
DatFilePath<br />
The Recorder for Check Point FireWall-1 uses this file internally. This<br />
location must not be changed.<br />
Default Value: dat\recorders\fw.dat<br />
MPFile<br />
The name of the mapping file used for parsing received messages.<br />
Default Value: cfg\fw.mp<br />
SendInterval<br />
The time, in seconds, that the service sleeps after sending MaxSeqNoSleep records.<br />
Default Value: 10<br />
MaxSeqNoSleep<br />
The maximum number of records sent before sleeping.<br />
Default Value: 50<br />
LEA Servers<br />
New subsection.<br />
Default Value: N/A<br />
LEA Servers ServerName<br />
It must be a unique name.<br />
Default Value: N/A<br />
LEA Servers ServerName Active<br />
Whether the server is active.<br />
Default Value: 1 (0=server inactive, 1=server active)<br />
LEA Servers ServerName Host<br />
The server host name can be a logical name or an IP address.<br />
Default Value: N/A<br />
LEA Servers ServerName Port<br />
The OPSEC port number of the server.<br />
Default Value: N/A<br />
LEA Servers ServerName AuthType<br />
Empty means clear connection. For a description of connection types, see<br />
Technical Information later in this chapter.<br />
Default Value: Empty<br />
LEA Servers ServerName Logs Secure<br />
Whether collection of secure log events is activated.<br />
Default Value: 0 (0=deactivate secure log events, 1=activate secure log events)<br />
LEA Servers ServerName Account<br />
Whether collection of account log events is activated.<br />
Default Value: 0 (0=deactivate account log events, 1=activate account log events)<br />
LEA Servers ServerName Logs logn<br />
The Recorder receives records from this list of log files.<br />
Default Value: N/A<br />
LEA Servers ServerName LoadType<br />
Whether the log is read from the stored offset or from the beginning.<br />
Default Value: 0 (0=read according to offset, 1=read from the beginning ignoring offset)<br />
Technical Information<br />
To help you configure your system, this appendix provides basic technical<br />
information about various Check Point FireWall-1 configuration settings, as<br />
follows:<br />
■ OPSEC connection types<br />
■ Configuring Check Point FireWall-1 servers<br />
For detailed information about these topics, see the Check Point documentation.<br />
OPSEC Connection Types<br />
The following information will help you choose the most suitable OPSEC<br />
connection type between the Recorder for Check Point FireWall-1 and the Check<br />
Point FireWall-1 servers you want to audit.<br />
The OPSEC application can make one of the following types of connections:<br />
Authenticated and encrypted connection using SSL (Secure Socket Layer)<br />
The data transferred is encrypted using a 3DES key. An authenticated and<br />
encrypted connection is the most secure. This type of connection is<br />
supported by Check Point VPN-1/FireWall-1 starting from version 4.1.<br />
Authenticated connection using SSL<br />
When data encryption is not required, this is the recommended method for<br />
authenticating the host running the OPSEC application before the Check<br />
Point FireWall-1 servers. This type of authentication is supported by Check<br />
Point VPN-1/FireWall-1 starting from version 4.1 SP2.<br />
Authenticated connection (Check Point proprietary)<br />
This type of authentication is done at the transport layer using Check Point’s<br />
proprietary authentication algorithm. Use this method for backward<br />
compatibility with Check Point VPN-1/FireWall-1 version 4.1 SP1 and<br />
earlier.<br />
Clear connection<br />
Data is transferred in the clear, with neither authentication nor encryption.<br />
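The connection type chosen at installation ends up in the AuthType value described under Configuration Values, where an empty value means a clear connection. The following Python script is an added example, not part of the <strong>eTrust</strong> <strong>Audit</strong> guide or product: it reads LEA server settings laid out as a plain INI file and flags servers that would talk to the firewall in the clear, servers that are defined but inactive, servers with neither the Secure nor the Account log enabled, and servers set to ignore the stored offset; it also computes the throughput ceiling implied by SendInterval and MaxSeqNoSleep. The section layout ([LEA Servers\name] with one key per parameter), the sample hosts and the non-empty AuthType value ssl are constructed for the example; the real eaudit.ini nesting and the AuthType values accepted by OPSEC are not shown in this guide.<br />

```python
"""Added example: review Recorder for Check Point FireWall-1 LEA settings.

Not part of the eTrust Audit guide. Parameter names (Active, Host, Port,
AuthType, Secure, Account, LoadType, SendInterval, MaxSeqNoSleep) are the
ones the guide documents; the flat INI layout, the hosts and the AuthType
value "ssl" below are constructed for this example.
"""
import configparser

# Constructed sample configuration in the layout assumed by this example.
SAMPLE_INI = r"""
[Check Point FW-1]
SendInterval = 10
MaxSeqNoSleep = 50

[LEA Servers\fw-edge]
Active = 1
Host = 192.0.2.10
Port = 18184
AuthType = ssl
Secure = 1
Account = 1
LoadType = 0

[LEA Servers\fw-lab]
Active = 1
Host = fw-lab.example.net
Port = 18184
AuthType =
Secure = 0
Account = 0
LoadType = 1

[LEA Servers\fw-old]
Active = 0
Host = 192.0.2.11
Port = 18184
AuthType = ssl
Secure = 1
Account = 1
LoadType = 0
"""

SERVER_PREFIX = "LEA Servers\\"


def load(ini_text):
    """Parse the INI text; interpolation is off so a '%' in a value is harmless."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    return cp


def audit_servers(ini_text):
    """Return one finding string per questionable LEA server setting."""
    cp = load(ini_text)
    findings = []
    for section in cp.sections():
        if not section.startswith(SERVER_PREFIX):
            continue
        name = section[len(SERVER_PREFIX):]
        s = cp[section]
        # Defaults follow the guide: Active=1, Secure=0, Account=0, LoadType=0.
        if s.get("Active", "1").strip() != "1":
            findings.append(f"{name}: Active=0, server is defined but not collected from")
            continue
        if s.get("AuthType", "").strip() == "":
            findings.append(f"{name}: AuthType empty, clear connection (no authentication, no encryption)")
        if s.get("Secure", "0").strip() != "1" and s.get("Account", "0").strip() != "1":
            findings.append(f"{name}: neither Secure nor Account log enabled, nothing will be received")
        if s.get("LoadType", "0").strip() == "1":
            findings.append(f"{name}: LoadType=1 ignores the stored offset and re-reads the log from the beginning")
    return findings


def records_per_second_ceiling(ini_text, section="Check Point FW-1"):
    """Upper bound on the sustained rate implied by the throttle: the service
    sends MaxSeqNoSleep records, then sleeps SendInterval seconds (the time
    spent sending is ignored, so the real rate is lower)."""
    cp = load(ini_text)
    interval = int(cp.get(section, "SendInterval", fallback="10"))
    burst = int(cp.get(section, "MaxSeqNoSleep", fallback="50"))
    if interval <= 0:
        raise ValueError("SendInterval must be positive")
    return burst / interval


if __name__ == "__main__":
    for finding in audit_servers(SAMPLE_INI):
        print(finding)
    print(f"throttle ceiling: {records_per_second_ceiling(SAMPLE_INI):.1f} records/s")
```

With the guide's defaults (SendInterval 10, MaxSeqNoSleep 50) the ceiling is 5 records per second; compare that with the firewall's actual log rate before deciding to lower SendInterval or raise MaxSeqNoSleep.<br />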
Configuring Check Point FireWall-1 Servers<br />
Any machine in your system that works with Check Point FireWall-1 version<br />
4.1.2 needs to be configured to establish an authenticated connection. This<br />
section explains how to establish an authenticated connection between an <strong>eTrust</strong><br />
<strong>Audit</strong> Client host where the Recorder for Check Point FireWall-1 runs, and a<br />
Check Point FireWall-1 version 4.1.2 server.<br />
The following scenario illustrates how an authenticated connection is established<br />
between two machines: comp1 and comp2. The machine comp1 runs the Check<br />
Point FireWall-1 server, and the machine comp2 runs the Recorder for Check<br />
Point FireWall-1.<br />
Important! You need to run the executable opsec_putkey, which is part of the<br />
OPSEC SDK.<br />
To configure comp1 and comp2:<br />
1. On comp1, enter one of the following commands on the command line,<br />
depending on the connection type desired:<br />
■ For an SSL based connection (authenticated or authenticated and<br />
encrypted), enter:<br />
fw putkey -opsec -ssl comp2<br />
■ For a backward compatible authenticated connection, enter:<br />
fw putkey -opsec comp2<br />
2. Enter the authentication key at the prompt. The authentication key must be<br />
at least six characters long.<br />
3. On comp2, enter one of the following commands on the command line,<br />
depending on the connection type desired:<br />
■ For an SSL based connection (authenticated or authenticated and<br />
encrypted), enter:<br />
opsec_putkey -ssl -port fw comp1<br />
■ For a backward compatible authenticated connection, enter:<br />
opsec_putkey -port fw comp1<br />
4. Enter the authentication key you entered in step 2.<br />
Note: If the Recorder for Check Point FireWall-1 will be communicating with<br />
several Check Point FireWall-1 servers, follow the previous procedure for each<br />
pair of client and server machines, for example, comp2 and comp3, comp2 and<br />
comp4, and so on.<br />
Chapter 15<br />
Using the eTSAPISend Program<br />
eTSAPISend.exe is a program that lets you send messages and events to an<br />
<strong>eTrust</strong> <strong>Audit</strong> router. This executable does not depend on <strong>eTrust</strong> Common<br />
Services, so you can run it even if <strong>eTrust</strong> Common Services is not installed.<br />
eTSAPISend.exe<br />
The topics that follow describe eTSAPISend.<br />
Syntax<br />
Enter the command as follows:<br />
eTSAPISend options<br />
You specify the message fields as command line options. The fields can be<br />
predefined or user-defined.<br />
Note: On Solaris platforms, add /usr/ucblib to the LD_LIBRARY_PATH<br />
variable.<br />
Options<br />
For predefined fields, you can specify the field values by using the command line<br />
options as described in the following list:<br />
-cat<br />
The event category. Enclose the category in double quotes.<br />
-dat<br />
The date and time, in the format MM/DD/YYYY or MM/DD/YYYY<br />
HH:MM:SS. Enclose the date value in double quotes. If you do not specify<br />
this optional parameter, the local system time is automatically applied to the<br />
message or event.<br />
-evt<br />
The event type, which should be empty unless it is an Alert type.<br />
-inf<br />
Detailed information in the message. Enclose the details in double quotes.<br />
-loc<br />
The location (\\Domain\Computer) where the event originated. Enclose the<br />
location name in double quotes.<br />
-nam<br />
The logical log name.<br />
-nid<br />
The native ID (Event ID). This is a number.<br />
-nod<br />
The target <strong>eTrust</strong> <strong>Audit</strong> router. If you do not specify this option, the message<br />
or event is sent to the <strong>eTrust</strong> <strong>Audit</strong> router on the local host.<br />
-opr<br />
The operation that was performed.<br />
-src<br />
The submitter, such as the OS, process name, or application that issued the<br />
event.<br />
-sta<br />
The event status.<br />
-usr<br />
The user name associated with the event or message.<br />
User-defined Options<br />
For each user-defined field, add the field name followed by the field value as<br />
command line arguments. You can include any number of predefined and user-defined<br />
fields in a message or event.<br />
Example<br />
Consider the following sample command:<br />
eTSAPISend -nod systema -cat "System Access" -opr Logon -sta F -nam NT-Security -loc "\\MYDOMAIN\SYSTEMA" -usr SYSTEM -evt 70 -src Security -nid 529 -inf "Logon Failure" -dat "08/06/2002 16:00:30" User-defined SomeValue<br />
This command does the following:<br />
■ Sends the message to the <strong>eTrust</strong> <strong>Audit</strong> router on systema.<br />
■ The category of the message is System Access.<br />
■ The operation performed is a Logon.<br />
■ The status of the message is F, for failed.<br />
■ The logical name of the log file from which the message was sent is NT-Security.<br />
■ The location of the source where the message originated is the SYSTEMA<br />
machine in the MYDOMAIN domain.<br />
■ The user is SYSTEM.<br />
■ The event type is 70.<br />
■ The submitter of the event is Security.<br />
■ The event id is 529.<br />
■ The text of the message is Logon Failure.<br />
■ The date on which the event occurred is 08/06/2002 at 16:00:30.<br />
■ There is a user-defined value of SomeValue.<br />
Sample Batch File<br />
The following is an example of how to issue eTSAPISend in batch:<br />
REM Failed Logon<br />
eTSAPISend -nod systemb -cat "System Access" -opr Logon -sta F -nam NT-Security -loc "\\mydomain\systema" -usr SYSTEM -evt 70 -src Security -nid 529 User-defined1 SomeValue1 -inf "Logon Failure" User-defined2 SomeValue2<br />
eTSAPISend -nod systemb -cat "System Access" -opr Logon -sta F -nam NT-Security -loc "\\mydomain\systema" -usr SYSTEM -evt 70 -src Security -nid 529 -inf "Logon Failure" -dat "08/06/2002 16:00:30" User-defined SomeValue<br />
REM User Account Changed<br />
eTSAPISend -nod systemb -cat "Account Management" -sta S -nam NT-Security -nid 642 -inf "User Account Changed" -loc "\\mydomain\systema" -usr SYSTEM -src Security<br />
REM Critical File Access Failure<br />
eTSAPISend -nod systemb -nam NT-Security -cat "Object Access" -nid 560 -inf "Object Type: File" -sta F -loc "\\mydomain\systema" -usr SYSTEM -src Security<br />
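Scripts that forward events from another source into <strong>eTrust</strong> <strong>Audit</strong> usually assemble the eTSAPISend command line from data they did not produce themselves, and the -inf, -loc and user-defined values are where free text ends up. The following Python code is an added example, not part of the guide or of the eTSAPISend program: it maps named fields onto the options documented above, validates the -dat format and the numeric -nid before anything is run, rejects a user-defined field name that would be mistaken for an option, and builds an argument vector that is passed to the program without a shell, so a quote or semicolon inside a message can never become extra arguments. The option names and the sample values are the guide's; the field names used as dictionary keys and the function names are this example's own.<br />

```python
"""Added example: build an eTSAPISend argument vector from named fields.

Not part of the eTrust Audit guide or product. The option names and the -dat
formats come from the guide's Options section; the field names used as
dictionary keys and the function names are this example's own.
"""
import re
import shlex
import subprocess

# Predefined fields and the eTSAPISend option that carries each one.
PREDEFINED = {
    "node": "-nod", "category": "-cat", "operation": "-opr", "status": "-sta",
    "log_name": "-nam", "location": "-loc", "user": "-usr", "event_type": "-evt",
    "source": "-src", "native_id": "-nid", "info": "-inf", "date": "-dat",
}
# MM/DD/YYYY or MM/DD/YYYY HH:MM:SS, as the guide specifies for -dat.
_DATE_RE = re.compile(r"^\d{2}/\d{2}/\d{4}( \d{2}:\d{2}:\d{2})?$")


def field_errors(fields, user_defined=None):
    """Return a list of problems; an empty list means the message can be built."""
    errors = []
    for name, value in fields.items():
        value = str(value)
        if name not in PREDEFINED:
            errors.append(f"unknown predefined field {name!r}")
        elif name == "date" and not _DATE_RE.match(value):
            errors.append("-dat must be MM/DD/YYYY or MM/DD/YYYY HH:MM:SS")
        elif name == "native_id" and not value.isdigit():
            errors.append("-nid must be a number")
    for name in (user_defined or {}):
        # A user-defined name is passed bare on the command line; one that
        # starts with '-' would be read as a switch rather than a field name.
        if name.startswith("-"):
            errors.append(f"user-defined field {name!r} must not start with '-'")
    return errors


def build_argv(fields, user_defined=None, exe="eTSAPISend"):
    """Return argv for eTSAPISend. Each value is its own list item, so text
    taken from an untrusted log line cannot be parsed as further options or
    as shell syntax when the list is run with subprocess.run (no shell)."""
    errors = field_errors(fields, user_defined)
    if errors:
        raise ValueError("; ".join(errors))
    argv = [exe]
    for name, value in fields.items():
        argv += [PREDEFINED[name], str(value)]
    for name, value in (user_defined or {}).items():
        argv += [name, str(value)]
    return argv


def as_shell_line(argv):
    """POSIX-quoted rendering for logging or a Solaris script; on Windows use
    the double quotes shown in the guide's batch sample instead."""
    return shlex.join(argv)


def send(argv):
    """Invoke eTSAPISend without a shell and return its exit status."""
    return subprocess.run(argv, check=False).returncode


# The guide's own example, expressed as fields (values taken from the guide).
EXAMPLE_FIELDS = {
    "node": "systema", "category": "System Access", "operation": "Logon",
    "status": "F", "log_name": "NT-Security", "location": r"\\MYDOMAIN\SYSTEMA",
    "user": "SYSTEM", "event_type": "70", "source": "Security",
    "native_id": "529", "info": "Logon Failure", "date": "08/06/2002 16:00:30",
}
EXAMPLE_USER_DEFINED = {"User-defined": "SomeValue"}

if __name__ == "__main__":
    print(as_shell_line(build_argv(EXAMPLE_FIELDS, EXAMPLE_USER_DEFINED)))
```

Call send(build_argv(...)) to submit the event; on Solaris remember the LD_LIBRARY_PATH note above applies to the environment the subprocess inherits.<br />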
Chapter 16<br />
Inserting <strong>eTrust</strong> Access Control Records in Bulk to a Collector Database Using acloader<br />
If you have been using <strong>eTrust</strong> Access Control for a while and now want to insert<br />
all the records from the <strong>eTrust</strong> Access Control logs into your <strong>eTrust</strong> <strong>Audit</strong><br />
Collector database, you can use the acloader utility. This chapter provides steps<br />
on how to use acloader, describes the command syntax, and lists some sample<br />
commands.<br />
Insert Records into an Oracle Database<br />
Use the following steps to insert <strong>eTrust</strong> Access Control records in bulk into an<br />
<strong>eTrust</strong> <strong>Audit</strong> Collector database running on Oracle:<br />
1. Stop the <strong>eTrust</strong> Access Control daemons in UNIX or services in Windows.<br />
2. Rename current logroute.dat and selogrd.cfg files so that you can recover<br />
from any possible errors.<br />
3. Create a new selogrd.cfg file, and add the following lines:<br />
rule insertion<br />
host localhost<br />
where localhost is the name of the remote host on which the acloader utility<br />
runs.<br />
4. To ensure the best performance of selogrd, decrease the interval parameter in<br />
the [selogrd] section of the file /usr/seos/seos.ini.<br />
5. Stop the <strong>eTrust</strong> <strong>Audit</strong> Router, aclogrd, on the host where you will run<br />
acloader.<br />
Tip: Before you run acloader, you should remove the indexes from the<br />
SEOSDATA table as this significantly improves performance. Oracle<br />
commands to remove the indexes and recreate them are provided after this<br />
procedure.<br />
6. Run acloader. The following commands are samples:<br />
■ UNIX<br />
./acloader -user test_audit -pwd test_audit -oh /oracle/Oracle8 -tt audit-ora-service -nrec 80 -plib /usr/lib/ -tm 100 -psem /opt/seos/dat/log/seos.msg<br />
■ Windows<br />
acloader -dsn auditdb -user test_audit -pwd test_audit -plib "d:\Program Files\<strong>eTrust</strong> <strong>Audit</strong>\bin\" -nrec 100 -psem "d:\Program Files\<strong>eTrust</strong> <strong>Audit</strong>\etc\seos.msg" -host mymachine<br />
7. After you receive the prompt, "acloader is ready to receive records...", run the<br />
<strong>eTrust</strong> Access Control Redirector, selogrd.<br />
8. After the insertion completes, stop selogrd.<br />
9. Press Ctrl+C to stop acloader.<br />
Note: When acloader is stopped, it first inserts any records still held in its<br />
buffer that have not yet been written to the target database.<br />
10. Rename the files logroute.dat and selogrd.cfg back, if necessary.<br />
11. Restart the <strong>eTrust</strong> Access Control and <strong>eTrust</strong> <strong>Audit</strong> daemons or services.<br />
Remove the Indexes from SEOSDATA<br />
To remove the indexes, start sqlplus and issue the following commands:<br />
drop index IX_TIMESTAMP;<br />
drop index IX_USERNAME;<br />
drop index IX_COMPUTERNAME;<br />
drop index IX_EVENTID;<br />
Recreate the Indexes in SEOSDATA<br />
To recreate the indexes, start sqlplus and issue the following commands:<br />
create index IX_TIMESTAMP ON SEOSDATA(TIMSTAMP DESC);<br />
create index IX_USERNAME ON SEOSDATA(USERNAME ASC);<br />
create index IX_COMPUTERNAME ON SEOSDATA(COMPUTERNAME ASC);<br />
create index IX_EVENTID ON SEOSDATA(EVENTID ASC);<br />
The acloader Utility<br />
The acloader utility lets you perform a bulk insert of records sent by the <strong>eTrust</strong><br />
<strong>Audit</strong> Redirector (eAC Redirector) into the <strong>eTrust</strong> <strong>Audit</strong> Collector database table<br />
named SEOSDATA of an Oracle database in UNIX and Oracle or MS-SQL Server<br />
databases in Windows.<br />
acloader stores a predefined number of records in a buffer before it executes an<br />
INSERT statement. Every time this buffer fills with this number of records,<br />
acloader writes the contents to the database. You specify the number of records<br />
to store using the -nrec option. The default is 50 records, and the<br />
maximum number of records you can specify is 100.<br />
Since acloader registers itself in portmap as the <strong>eTrust</strong> <strong>Audit</strong> Router (aclogrd),<br />
the appropriate token “host” should be placed in the rule at the sender side.<br />
Because of this registration, you must stop the aclogrd service before you start<br />
acloader. You specify all the information acloader needs to run, including the<br />
user ID and password required to establish a connection to the database, using<br />
command line options.<br />
Requirements<br />
The following requirements must be met to use acloader:<br />
■ <strong>eTrust</strong> Access Control version 5.0 SP2 or higher must be installed on the<br />
machine.<br />
■ The SEOSDATA table of the <strong>eTrust</strong> <strong>Audit</strong> database (Oracle for UNIX and Oracle<br />
or SQL Server in Windows) must be created.<br />
■ In Windows, create a System DSN for the given database using the ODBC Data<br />
Source Administrator.<br />
■ In Windows ODBC 3.0, use the “Oracle ODBC Driver” instead of the “Microsoft<br />
ODBC for Oracle” driver.<br />
■ In Windows, adcipher.dll must be placed in the ..WinNT\system32<br />
directory.<br />
■ In UNIX, in the /usr/lib directory, create a symbolic link named adcipher.so to<br />
the existing shared library Des.so.<br />
Syntax<br />
Enter the command as follows:<br />
acloader -user username|-pwd password|-nrec number|-dsn name|-oh path|-osid OracleSID|-tt OracleTwoTask|-tm|-plib|-psem|-host|-h<br />
Note: On UNIX systems, you must log in as root to run acloader.<br />
Options<br />
You can specify the command line options described in the following list in any<br />
order:<br />
-user username<br />
Specifies the user ID for Oracle or SQL Server database access authorization.<br />
-pwd password<br />
Specifies the password for Oracle or SQL Server database access<br />
authorization.<br />
-nrec number<br />
Specifies the number of records to store in the buffer before insertion. The<br />
default is 50. The maximum number of records you can specify is 100.<br />
-dsn name<br />
Specifies the ODBC data source name. This option is for use on Windows<br />
systems only.<br />
-oh path<br />
Specifies the Oracle home directory. This option is for use on UNIX systems<br />
only.<br />
-osid OracleSID<br />
Specifies the Oracle SID. This option is for use on UNIX systems only.<br />
Specify either -osid (if the Oracle database is local) or -tt (if the Oracle<br />
database is remote).<br />
-tt OracleTwoTask<br />
Specifies the Oracle service name. This option is for use on UNIX systems<br />
only. Specify either -osid (if the Oracle database is local) or -tt (if the Oracle<br />
database is remote).<br />
-tm seconds<br />
Specifies the timeout period to wait for the Oracle server to respond. The<br />
default is 30 seconds. This option is for use on UNIX systems only.<br />
-plib path<br />
Specifies the directory where the <strong>eTrust</strong> <strong>Audit</strong> library SCMPcomm is placed.<br />
On UNIX the default is /usr/eaudit/lib. On Windows it specifies the<br />
directory where CMPcomm.dll and SUTL.dll are located. The default value<br />
is the current working directory.<br />
-psem pathname<br />
Specifies the path name of the <strong>eTrust</strong> Access Control messages file, seos.msg.<br />
On UNIX systems, the default is /usr/eaudit/dat/log/seos.msg. On Windows<br />
systems this file has no default location. If the seos.msg file is not there, you must<br />
copy seos.msg from the <strong>eTrust</strong> Access Control directory.<br />
-host name<br />
Specifies the name of the host that is placed in the ComputerName field of the<br />
SEOSDATA table in the database. This field is used when working with<br />
seos.collect.file.<br />
-h<br />
Prints brief help information for this utility.<br />
Examples<br />
The following topics provide sample commands:<br />
UNIX<br />
./acloader -user test_audit -pwd test_audit -oh /oracle/Oracle816 -osid test816 -plib /opt/eaudit/lib/ -host mylocalhost<br />
./acloader -user test_audit -pwd test_audit -oh /oracle/Oracle816 -tt test816-onapollo -nrec 40 -tm 20 -plib /usr/lib/ -psem /opt/seos/dat/log/seos.msg<br />
Windows<br />
acloader -dsn auditdb -user test_audit -pwd test_audit -plib "d:\Program Files\<strong>eTrust</strong> <strong>Audit</strong>\bin\" -nrec 100 -psem "d:\Program Files\<strong>eTrust</strong> <strong>Audit</strong>\etc\seos.msg" -host mymachine<br />
Chapter 17<br />
Inserting <strong>eTrust</strong> Access Control Records in Bulk to a Collector Database Using selogrd and sqlldr<br />
If you have been using <strong>eTrust</strong> Access Control for a while and now want to insert<br />
all the records from the <strong>eTrust</strong> Access Control logs into your <strong>eTrust</strong> <strong>Audit</strong><br />
Collector database, you can use the <strong>eTrust</strong> Access Control extension, fex, and the<br />
Oracle sqlldr program. This chapter provides steps on how to use these tools,<br />
describes the command syntax, and lists some sample commands.<br />
Requirements<br />
The following requirements must be met to use the steps described in the topics<br />
that follow:<br />
■ <strong>eTrust</strong> Access Control version 5.0 SP2 or higher must be installed on the<br />
machine.<br />
■ Prepare the <strong>eTrust</strong> <strong>Audit</strong> Oracle DB according to the steps described in the<br />
Preinstallation Tasks topic in the “Installing <strong>eTrust</strong> <strong>Audit</strong> Data Tools<br />
Components on UNIX” appendix in Getting Started.<br />
■ Create the SEOSDATA table in the <strong>eTrust</strong> <strong>Audit</strong> Collector database in<br />
Oracle.<br />
■ Specify the path for the import file (file.dat) that the Oracle SQL Loader<br />
(sqlldr) should use in the control file, fex.ctl.<br />
Converting the <strong>eTrust</strong> Access Control <strong>Audit</strong> Log to Oracle<br />
Import File Format<br />
Follow these steps to convert the <strong>eTrust</strong> Access Control audit log to the required<br />
Oracle import format:<br />
1. Stop the <strong>eTrust</strong> Access Control selogrd daemon using the following<br />
command:<br />
kill -TERM pid<br />
2. Rename current logroute.dat. If you do not know the path value, look in<br />
/usr/seos/seos.ini in the [selogrd] section in the DataFile token.<br />
3. Rename the current /usr/seos/etc/selogrd.ext file.<br />
4. Create a new /usr/seos/etc/selogrd.ext file and add the following line:<br />
fex path/fex.ext<br />
where:<br />
path<br />
Is the directory where the fex shared library was copied.<br />
ext<br />
Is the file extension of the shared library.<br />
5. Rename selogrd.cfg. If you do not know the path value, look in<br />
/usr/seos/seos.ini in the [selogrd] section in the RouteFile token.<br />
6. Create a new selogrd.cfg file and add the following lines:<br />
rule audit<br />
fex file.dat<br />
where file.dat is the import data file for Oracle database.<br />
5. Add the [fex] section to the seos.ini file. In this section, set the following<br />
parameters:<br />
computer_name<br />
The name of the computer where the audit log file was created. This<br />
value is assigned to the ComputerName field in the SEOSDATA<br />
table if the <strong>eTrust</strong> Access Control record does not contain a host name;<br />
otherwise it is ignored.<br />
field_terminator<br />
The field delimiter. The default value is a comma (,).<br />
field_encloser<br />
The delimiter that encloses each field value. The default value is the unprintable<br />
character '±' (Alt+241). It should be a value that does not appear anywhere in the<br />
text of the message.<br />
Note: If you change the default values of the field_terminator and<br />
field_encloser tokens in the [fex] section of /usr/seos/seos.ini, you should make the<br />
same changes to the corresponding values in the control file for the Oracle sqlldr<br />
utility.<br />
7. To improve the performance of selogrd, decrease the value of the Interval<br />
parameter in the [selogrd] section of /usr/seos/seos.ini. The default value is<br />
five seconds. Decreasing this value reduces the amount of time selogrd waits<br />
between polls.<br />
8. Run selogrd as follows:<br />
ssu selogrd<br />
If the location of your audit log is different than the standard location,<br />
/usr/seos/log/seos.audit, use the following command:<br />
ssu selogrd -audit audit_log_file<br />
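The [fex] parameters above define a delimited record that sqlldr reads back, and the note warns both that the encloser must never occur inside a message and that fex and the sqlldr control file must agree. The following Python code is an added example, not part of <strong>eTrust</strong> Access Control, <strong>eTrust</strong> <strong>Audit</strong> or this guide: it writes and parses records in that style, rejects a field that contains the encloser (such a field would end early and shift every following column, which is how a crafted log message could corrupt the import), shows what happens when the two sides use different delimiters, and generates the matching SQL*Loader FIELDS clause from the same settings. The column set (TIMSTAMP, USERNAME, COMPUTERNAME, EVENTID plus a message column) is assumed from the SEOSDATA index definitions in the previous chapter, not the real fex layout, and the sample record is constructed.<br />

```python
"""Added example: the delimited import-record format that fex writes for
Oracle sqlldr, with the delimiter-collision check the guide's note calls for.

Not part of the eTrust Access Control or eTrust Audit guides. The default
delimiters (',' and the '±' character) are the guide's [fex] defaults; the
column set below is assumed from the SEOSDATA indexes shown in the acloader
chapter and is not the real fex layout.
"""

DEFAULT_TERMINATOR = ","
DEFAULT_ENCLOSER = "\u00b1"  # '±', Alt+241 in the guide

# Assumed column order, for this example only.
COLUMNS = ["TIMSTAMP", "USERNAME", "COMPUTERNAME", "EVENTID", "MESSAGE"]


def collisions(values, encloser=DEFAULT_ENCLOSER):
    """Indices of fields whose text contains the encloser. Such a field would
    be cut short on import and shift every following column, so it is rejected."""
    return [i for i, v in enumerate(values) if encloser in v]


def encode_record(values, terminator=DEFAULT_TERMINATOR, encloser=DEFAULT_ENCLOSER):
    """Build one import line: every field enclosed, fields joined by the
    terminator. The terminator may appear inside a field because the
    enclosers, not the terminator, mark where the field ends."""
    bad = collisions(values, encloser)
    if bad:
        raise ValueError(f"fields {bad} contain the encloser {encloser!r}")
    return terminator.join(f"{encloser}{v}{encloser}" for v in values)


def decode_record(line, terminator=DEFAULT_TERMINATOR, encloser=DEFAULT_ENCLOSER):
    """Parse one import line the way a loader with matching settings would.
    Raises ValueError when the delimiters do not match the line."""
    fields, i, n = [], 0, len(line)
    while True:
        if i >= n or line[i] != encloser:
            raise ValueError(f"expected encloser at offset {i}")
        j = line.find(encloser, i + 1)
        if j < 0:
            raise ValueError("unterminated field")
        fields.append(line[i + 1:j])
        i = j + 1
        if i == n:
            return fields
        if line[i] != terminator:
            raise ValueError(f"expected terminator at offset {i}")
        i += 1


def sqlldr_fields_clause(terminator=DEFAULT_TERMINATOR, encloser=DEFAULT_ENCLOSER):
    """The SQL*Loader control-file clause that must agree with the [fex]
    settings; generate fex.ctl from the same values rather than editing it
    by hand when the tokens change."""
    return f"FIELDS TERMINATED BY '{terminator}' ENCLOSED BY '{encloser}'"


# Constructed sample record; the message contains the terminator on purpose.
SAMPLE = ["08/06/2002 16:00:30", "root", "host1", "529",
          "Logon failure, bad password"]

if __name__ == "__main__":
    line = encode_record(SAMPLE)
    print(line)
    print(dict(zip(COLUMNS, decode_record(line))))
    print(sqlldr_fields_clause())
```

Run the collision check over the export before invoking sqlldr; a record that trips it should be quarantined and inspected rather than loaded with the encloser replaced.<br />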
Insert the Data into an Oracle Database using the sqlldr<br />
Utility<br />
Tip: Before you run sqlldr, you should remove the indexes from the<br />
SEOSDATA table as this significantly improves performance. Oracle<br />
commands to remove the indexes and recreate them are provided in the<br />
topic Remove the Indexes from SEOSDATA in the “Inserting <strong>eTrust</strong> Access<br />
Control Records in Bulk to a Collector Database Using acloader” appendix.<br />
Follow these steps to use sqlldr to insert the content of the import data file<br />
(file.dat):<br />
■<br />
Run the following command:<br />
sqlldr control=path/fex.ctl log=path/fex.log<br />
If you have more than one audit log file that you want to import into the Oracle<br />
database, use the steps in one of the following topics:<br />
■ Create one import log file and insert it<br />
■ Create multiple import log files and insert them separately<br />
Create One Import File and Insert It into the Oracle Database<br />
Follow these steps to convert several audit log files into one Oracle import file<br />
and insert this file into the Oracle database:<br />
1. Perform steps 1 through 7 in the topic entitled, “Converting the <strong>eTrust</strong> Access<br />
Control <strong>Audit</strong> Log to Oracle Import File Format.”<br />
2. For each audit log that you want to import, repeat the following steps:<br />
a. Perform step 8 in the topic entitled, “Converting the <strong>eTrust</strong> Access<br />
Control <strong>Audit</strong> Log to Oracle Import File Format.”<br />
b. Delete logroute.dat.<br />
c. Change the computer_name token in the [fex] section of /usr/seos/seos.ini,<br />
if needed.<br />
3. Run the sqlldr command.<br />
4. Check the log file (path/fex.log) for possible errors.<br />
5. Remove file.dat.<br />
6. Restore (if necessary) the old logroute.dat, selogrd.cfg, selogrd.ext, and<br />
seos.ini files, and then restart <strong>eTrust</strong> selogrd.<br />
Create Multiple Import Log Files and Insert Them Separately into the Oracle<br />
Database<br />
Follow these steps to convert each audit log file into an Oracle import file and<br />
insert each one separately into the Oracle database:<br />
1. Perform steps 1 through 7 in the topic entitled, “Converting the <strong>eTrust</strong> Access<br />
Control <strong>Audit</strong> Log to Oracle Import File Format.”<br />
2. Perform step 8 in the topic entitled, “Converting the <strong>eTrust</strong> Access Control<br />
<strong>Audit</strong> Log to Oracle Import File Format.”<br />
3. Run sqlldr.<br />
4. Delete logroute.dat.<br />
5. Change the computer_name token in the [fex] section of /usr/seos/seos.ini, if<br />
needed.<br />
6. Check the log file (path/fex.log) for possible errors.<br />
7. Remove file.dat.<br />
8. Restore (if necessary) the old logroute.dat, selogrd.cfg, selogrd.ext, and<br />
seos.ini files, and then restart <strong>eTrust</strong> selogrd.<br />
Examples<br />
Examples of the files fex.ctl, selogrd.cfg, selogrd.ext, and seos.ini are included in<br />
the installation package. The fex.ctl file is configured to append records from the<br />
import file, file.dat, to a new or existing SEOSDATA table.<br />
Chapter 18<br />
iRecorder Development <strong>Reference</strong><br />
<strong>eTrust</strong> <strong>Audit</strong> provides a new type of recorder known as an iRecorder.<br />
Functionally, iRecorders work the same way as traditional <strong>eTrust</strong> <strong>Audit</strong><br />
recorders discussed earlier in this guide. Internally, iRecorders are developed<br />
with a new paradigm known as instrumentation technology, based on the<br />
Computer Associates iTechnology SDK. The following list describes the<br />
differences between iRecorders and the traditional recorders:<br />
■ Traditional recorders are packaged with <strong>eTrust</strong> <strong>Audit</strong> Client. These<br />
predefined recorders use <strong>eTrust</strong> <strong>Audit</strong> SAPI to send events to an <strong>eTrust</strong><br />
<strong>Audit</strong> Router and Action Manager for further processing as defined by the<br />
Policy Manager. This architecture leads to some restrictions in <strong>eTrust</strong><br />
<strong>Audit</strong> recorder development and deployment:<br />
– Since SAPI uses RPC, the recorders cannot be easily deployed across<br />
firewalls.<br />
■ iRecorders are developed using the iTechnology SDK and can be deployed<br />
in an existing <strong>eTrust</strong> <strong>Audit</strong> environment. iRecorders, just like traditional<br />
recorders, send events to an <strong>eTrust</strong> <strong>Audit</strong> Router and Action Manager for<br />
event processing. An iRecorder package consists of two components:<br />
– An iRecorder component installed on the device where events are<br />
generated or on the event repository. The iRecorder receives each event,<br />
tokenizes the event, and sends an XML string of tokens to an iRouter<br />
using HTTPS.<br />
– An iRouter component installed on an existing <strong>eTrust</strong> <strong>Audit</strong> Client. The<br />
iRouter provides a bridge between the iRecorder and the <strong>eTrust</strong> <strong>Audit</strong><br />
Client. Tokens are converted from XML format to <strong>eTrust</strong> <strong>Audit</strong> SAPI<br />
format and submitted to the <strong>eTrust</strong> <strong>Audit</strong> Router.<br />
The iRecorder architecture provides easy deployment across firewalls and new<br />
iRecorder development does not require changes to your existing <strong>eTrust</strong> <strong>Audit</strong><br />
deployment.<br />
This chapter provides information on how to develop a new iRecorder using the<br />
iTechnology SDK. It covers the following topics:<br />
■ Overview of the iTechnology SDK<br />
■ iRecorder design and architecture<br />
■ How to create an iRecorder development environment<br />
■ How to develop an iRecorder<br />
■ iRecorder API functions<br />
Overview of the iTechnology SDK<br />
iTechnology is a framework created by Computer Associates to facilitate rapid<br />
development of agents, known as iSponsors, to manage various instruments. An<br />
instrument can be just about anything: applications, databases, network devices,<br />
hardware devices, and so on. The letter ‘i’ in iTechnology stands for ‘instrument’.<br />
In addition, iTechnology provides an architecture in which iSponsors can<br />
efficiently and securely communicate with each other. The communication<br />
architecture of iTechnology relies on one of its fundamental components, called<br />
iGateway.<br />
Using the rich set of APIs provided by the iTechnology SDK, iSponsors can be<br />
developed to manage and control the instruments and handle specific tasks like:<br />
■ Set or change the configuration<br />
■ Set or get the current status<br />
■ Get log events<br />
For communication with the outside world, an iSponsor uses the iGateway<br />
service to send and receive XML formatted instructions to and from another<br />
iSponsor or Web application. Technically, iGateway is a service that can<br />
dynamically load one or more iSponsor plug-ins.<br />
To leverage iTechnology and enhance <strong>eTrust</strong> <strong>Audit</strong> flexibility in deployment and<br />
scalability, new <strong>eTrust</strong> <strong>Audit</strong> recorders will be built using the iTechnology SDK.<br />
The new <strong>eTrust</strong> <strong>Audit</strong> recorders based on iTechnology are called iRecorders.<br />
iRecorder Design and Architecture<br />
The following illustration (not reproduced here) describes the iRecorder architecture.<br />
Its labelled elements are: <strong>eTrust</strong> <strong>Audit</strong> iRecorder; <strong>eTrust</strong> <strong>Audit</strong> Client; iGateway;<br />
Https - XML; iControl iSponsor DLL; iRecorder iSponsor DLL; Device Log Events;<br />
<strong>Audit</strong> SAPI; Localhost; Event Plug-in EP <strong>Audit</strong>; Event Plug-in EP iCollector; iCollector;<br />
<strong>Audit</strong> Router; Policy Manager; Action Manager; <strong>Audit</strong> Collector; Security Monitor.<br />
Components of iTechnology<br />
The components of iTechnology are as follows:<br />
■ iGateway<br />
■ iControl<br />
■ iRecorder<br />
■ iRouter<br />
The iGateway Component<br />
iGateway is a service that dynamically loads iSponsors and communicates with<br />
other iGateways and iSponsors. The main features and functions of an<br />
iGateway are as follows:<br />
■ Load iSponsors<br />
– Locate and read the .conf files associated with the various iSponsors in its local<br />
directory.<br />
– Load the corresponding iSponsor DLLs (such as iControl or iRecorder) at<br />
iGateway start up or upon request from another iSponsor (local or<br />
remote).<br />
■ Provide the configuration data found in the .conf file to the corresponding iSponsor<br />
■ Support data communication<br />
iGateway uses the HTTP/HTTPS protocol on port 5250 to handle all data<br />
communication as follows:<br />
– The data format for iGateway communication is based on XML.<br />
– An iGateway receives XML formatted data from the local iSponsors and<br />
sends it to the specified iGateway for delivery to the appropriate<br />
iSponsor.<br />
– An iGateway receives XML formatted data from a remote iSponsor and<br />
delivers it to the appropriate local iSponsor.<br />
Note: Each iGateway can be associated with a digital certificate used by<br />
iRecorders to sign all outgoing events. In addition, iRecorders include the digital<br />
certificate with its associated thumbprint for the first outgoing event. For all<br />
other events, only the thumbprint is included.<br />
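The certificate and thumbprint scheme in the Note above, together with the event validation that iControl performs on receipt (described in the iControl topic that follows), as an added example that is not code from the iTechnology SDK: a sender that attaches its certificate only on the first event, and a validator that stores the certificate by thumbprint, rejects events whose thumbprint it has never seen with a certificate, and rejects events whose signature does not verify. Certificate, EventEnvelope, Sender and EventValidator are assumed names, and the keyed FNV-1a hash only stands in for a real certificate signature.<br />

```cpp
// Added example, not code from the iTechnology SDK, iControl or an iRecorder.
#include <cstdint>
#include <iostream>
#include <map>
#include <string>

// Stand-in for the iGateway certificate: a thumbprint (unique ID) plus key
// material. A real certificate signs with a private key; this toy uses a
// shared secret so the example runs without a crypto library.
struct Certificate {
    std::string thumbprint;
    std::string key;
};

// What goes on the wire: the thumbprint on every event, the certificate only
// on the first one, and a signature over the event body.
struct EventEnvelope {
    std::string thumbprint;
    std::string certificate_key;  // empty unless this is the sender's first event
    std::string body;             // XML token string
    uint64_t signature;
};

// Toy signature: 64-bit FNV-1a over key and body. Not cryptographic; only the
// validation control flow is the point of the example.
uint64_t toySign(const std::string& key, const std::string& body)
{
    uint64_t h = 1469598103934665603ULL;
    std::string data = key + "\n" + body;
    for (std::string::size_type i = 0; i < data.size(); ++i) {
        h ^= static_cast<unsigned char>(data[i]);
        h *= 1099511628211ULL;
    }
    return h;
}

enum ValidationResult { VALID, UNKNOWN_CERTIFICATE, BAD_SIGNATURE };

// Receiving side: the three rules the guide lists for iControl.
class EventValidator {
public:
    ValidationResult validate(const EventEnvelope& ev)
    {
        // First event from a sender: save its certificate under the thumbprint.
        // A later "first" event for a known thumbprint does not replace the
        // stored certificate, so the binding cannot be silently swapped.
        if (!ev.certificate_key.empty() && store_.find(ev.thumbprint) == store_.end()) {
            Certificate c = { ev.thumbprint, ev.certificate_key };
            store_[ev.thumbprint] = c;
        }
        std::map<std::string, Certificate>::const_iterator it = store_.find(ev.thumbprint);
        if (it == store_.end()) return UNKNOWN_CERTIFICATE;           // no matching certificate
        if (toySign(it->second.key, ev.body) != ev.signature) return BAD_SIGNATURE;
        return VALID;
    }
    size_t knownCertificates() const { return store_.size(); }
private:
    std::map<std::string, Certificate> store_;
};

// Sending side: the iRecorder attaches the certificate only once.
class Sender {
public:
    explicit Sender(const Certificate& c) : cert_(c), first_(true) {}
    EventEnvelope send(const std::string& body)
    {
        EventEnvelope ev;
        ev.thumbprint = cert_.thumbprint;
        ev.certificate_key = first_ ? cert_.key : std::string();
        ev.body = body;
        ev.signature = toySign(cert_.key, body);
        first_ = false;
        return ev;
    }
private:
    Certificate cert_;
    bool first_;
};

int main()
{
    Certificate c = { "tp-01", "constructed-secret" };  // constructed values
    Sender sender(c);
    EventValidator validator;
    std::cout << validator.validate(sender.send("<e>1</e>")) << " "
              << validator.validate(sender.send("<e>2</e>")) << "\n";  // 0 0
    return 0;
}
```

The guide does not say whether the certificate saved on the first event is checked against a trusted issuer, so the example does not check it either; in a deployment, that first-contact step is where a certificate should be pinned or verified, since every later event is judged only against what was saved then.<br />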
The iControl Component<br />
iControl is an iSponsor DLL that is automatically loaded by the iGateway and<br />
supports the following functions:<br />
■ Store and Forward (SAF) for guaranteed delivery of events<br />
– If the iGateway cannot deliver an event, it is passed to the iControl<br />
component for SAF handling.<br />
– iControl stores the undelivered events in a file.<br />
– Periodically, iControl extracts events from the event file and attempts to<br />
deliver them using iGateway.<br />
– All events that are extracted successfully are marked as “old,” and<br />
periodically iControl deletes the “old” events.<br />
■ Event validation<br />
– If it is the first event, save the digital certificate and the associated<br />
thumbprint.<br />
– For all events, use the thumbprint included in the event to retrieve the<br />
matching certificate.<br />
♦ If the certificate is not found, generate an error.<br />
– Use the certificate to validate the signature of the event.<br />
♦ If the signatures do not match, generate an error.<br />
■ Routing of events to a remote iControl<br />
The iControl.conf file contains information related to routing and which Event<br />
plug-in should be loaded.<br />
Note: iControl can load multiple Event plug-ins and sends every event to each<br />
plug-in.<br />
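The Store and Forward behaviour listed above, as an added example that is not iControl's code: an in-memory queue standing in for the event file, a retry pass that re-offers each unsent event to a caller-supplied delivery function (standing in for iGateway) and marks delivered ones “old”, and a separate cleanup pass that removes the old ones. StoreAndForward, SafEntry and the delivery callback are assumed names.<br />

```cpp
// Added example, not code from iControl or the iTechnology SDK.
#include <functional>
#include <iostream>
#include <string>
#include <vector>

// One entry of the SAF event file: the event text and the "old" mark.
struct SafEntry {
    std::string event;
    bool old;
};

class StoreAndForward {
public:
    typedef std::function<bool(const std::string&)> DeliverFn;

    // deliver stands in for handing the event back to iGateway; it returns
    // true when delivery succeeded.
    explicit StoreAndForward(DeliverFn deliver) : deliver_(deliver) {}

    // iGateway passes an event here when it could not deliver it.
    void store(const std::string& event)
    {
        SafEntry e = { event, false };
        file_.push_back(e);
    }

    // Periodic retry pass: every entry not yet old is offered again;
    // delivered ones are marked old, the rest wait for the next pass.
    // Returns how many were delivered in this pass.
    size_t retry()
    {
        size_t delivered = 0;
        for (size_t i = 0; i < file_.size(); ++i) {
            if (!file_[i].old && deliver_(file_[i].event)) {
                file_[i].old = true;
                ++delivered;
            }
        }
        return delivered;
    }

    // Periodic cleanup pass: removes entries already marked old. Keeping
    // delivered events until this pass is what lets a retry pass and a
    // cleanup pass run on independent schedules. Returns how many were removed.
    size_t purgeOld()
    {
        std::vector<SafEntry> kept;
        for (size_t i = 0; i < file_.size(); ++i)
            if (!file_[i].old) kept.push_back(file_[i]);
        size_t removed = file_.size() - kept.size();
        file_.swap(kept);
        return removed;
    }

    // Events still awaiting delivery.
    size_t pending() const
    {
        size_t n = 0;
        for (size_t i = 0; i < file_.size(); ++i)
            if (!file_[i].old) ++n;
        return n;
    }
    size_t size() const { return file_.size(); }

private:
    DeliverFn deliver_;
    std::vector<SafEntry> file_;   // stands in for iControl's on-disk event file
};

int main()
{
    // Constructed delivery function: the first two attempts fail, later ones succeed.
    int attempts = 0;
    StoreAndForward saf([&attempts](const std::string&) { return ++attempts > 2; });
    saf.store("<event>1</event>");
    saf.store("<event>2</event>");
    std::cout << saf.retry() << " delivered, " << saf.pending() << " pending\n";  // 0, 2
    std::cout << saf.retry() << " delivered, " << saf.pending() << " pending\n";  // 2, 0
    std::cout << saf.purgeOld() << " purged\n";                                    // 2
    return 0;
}
```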
Event Plug-in (EP)<br />
The Event plug-in is a DLL used by iControl to handle specialized tasks such as<br />
converting formats, applying filters, sending events to a database, and so on.<br />
EP<strong>Audit</strong> Plug-in<br />
If the EP<strong>Audit</strong> plug-in is configured, all events received by iControl are sent to<br />
the EP<strong>Audit</strong> plug-in to be delivered to the <strong>eTrust</strong> <strong>Audit</strong> Router. The primary<br />
functions of EP<strong>Audit</strong> are to:<br />
■ Convert events from XML format to <strong>eTrust</strong> <strong>Audit</strong> SAPI format.<br />
■ Submit events to the <strong>eTrust</strong> <strong>Audit</strong> Router component running on the<br />
localhost.<br />
EPUnicenter Plug-in<br />
If the EPUnicenter plug-in is configured, all events received by iControl are sent<br />
to the EPUnicenter plug-in to be delivered to the Event Management component of<br />
Unicenter. The primary functions of the EPUnicenter plug-in are to:<br />
■ Convert events from XML format to Unicenter EM format.<br />
■ Submit events to the Event Management component running on the<br />
localhost.<br />
EPDebug Plug-in<br />
If the EPDebug plug-in is configured, all events received by iControl are sent to<br />
the EPDebug plug-in to be delivered to any Debug Viewer running on the local host.<br />
iRecorder<br />
iRecorder is an iSponsor DLL loaded by the iGateway running on the device<br />
generating log events. Its primary functions are as follows:<br />
■ Extract the log events from the device or from an event log repository using<br />
an API, ODBC, or file I/O.<br />
■ Parse the event fields into tokens and create “Name–Value” pairs for each<br />
parsed token in XML format.<br />
■ Submit XML strings containing the events to a local or remote iRouter. The<br />
iRouter sends the events to the EP<strong>Audit</strong> plug-in, which in turn submits the<br />
events to <strong>eTrust</strong> <strong>Audit</strong> for further action.<br />
■ For the first log event from the device, the iRecorder attaches the iGateway<br />
certificate as an attribute.<br />
■ For all log events, the iRecorder includes the iGateway certificate thumbprint (a<br />
unique ID for the certificate) and the signature (hash of the whole event<br />
signed by the certificate).<br />
iRouter<br />
iRouter is a collection of the following components installed on the <strong>eTrust</strong> <strong>Audit</strong><br />
Client machine:<br />
■ iGateway<br />
■ iControl<br />
■ EP<strong>Audit</strong> plug-in<br />
The iRouter installation package is included with the iRecorder SDK and does<br />
not require any changes. It should work with the existing and new iRecorders.<br />
iRouter is responsible for forwarding all events to the <strong>eTrust</strong> <strong>Audit</strong> Client using<br />
the <strong>eTrust</strong> <strong>Audit</strong> SAPI.<br />
How to Create an iRecorder Development Environment<br />
An iRecorder development environment consists of a development system<br />
and a test environment, as described in the topics that follow.<br />
Development Environment<br />
The following are software requirements for each supported operating system:<br />
AIX<br />
■ AIX C Compiler<br />
■ GNU Make<br />
FreeBSD<br />
■ GCC included in FreeBSD 4.7<br />
HP-UX<br />
■ HP-UX C compiler<br />
■ GNU Make<br />
Linux<br />
■ RH 7.x<br />
■ GCC included in RH 7.x<br />
Solaris<br />
■ Solaris C++ 5.3<br />
■ GNU Make<br />
Windows<br />
■ MS VC 7.0<br />
■ Cygwin Make<br />
Development Machine<br />
To set up a development machine on Windows platforms, follow these steps:<br />
1. Install the iTechnology SDK on your development machine, for example<br />
[Default installation path: \Program File\<strong>CA</strong>\iTeckSDK20 ]<br />
2. Install Visual Studio .NET.<br />
3. Install Cygwin:<br />
a. Run \iTechnology SDK\Tools\Cygwin\Setup.exe<br />
b. Select Install from Internet.<br />
c. Select Root Install Directory.<br />
d. Select Packages and expand Devel, and then select Make. Leave all other<br />
selections to default.<br />
e. Select Next to install the Cygwin components that are needed for<br />
iRecorder development.<br />
f. Finally, you need to make a change in \cygwin\cygwin.bat. Add a line<br />
to this file that calls vcvars32.bat from the Visual Studio install path, as in the<br />
following sample cygwin.bat file:<br />
@echo off<br />
call "C:\Program Files\Microsoft Visual Studio .NET\Vc7\bin\vcvars32.bat"<br />
C:<br />
chdir C:\cygwin\bin<br />
bash --login -i<br />
4. Create a development directory [iDev] on your local disk.<br />
5. Run \Program File\<strong>CA</strong>\iTeckSDK20\Wizard\QuickStart.html to start<br />
iTechnology Component Factory, and complete the fields as follows:<br />
Component Name [iRec]<br />
The name you provide becomes your project name and the iSponsor<br />
name.<br />
Component Type C++ <strong>eTrust</strong> <strong>Audit</strong> Recorder<br />
Select C++ <strong>eTrust</strong> <strong>Audit</strong> Recorder from the drop-down list.<br />
Recorder Name [LOGNAME]<br />
<strong>eTrust</strong> <strong>Audit</strong> recognizes many recorders and each recorder or class of<br />
recorders known to <strong>eTrust</strong> <strong>Audit</strong> is identified by a unique name. In<br />
<strong>eTrust</strong> <strong>Audit</strong> terminology, this name is called the LOGNAME. For<br />
example, the LOGNAME for the Recorder for Check Point Firewall-1 is<br />
Check Point FW-1.<br />
You can see a complete list of LOGNAMEs known to <strong>eTrust</strong> <strong>Audit</strong> in the<br />
Policy Manager. Click <strong>Audit</strong> Nodes, and then select from the menu: File,<br />
AN types.<br />
Note: It is possible that a LOGNAME is known to <strong>eTrust</strong> <strong>Audit</strong> but no<br />
one has developed a recorder for it yet. Since you are developing a new<br />
recorder, look at the list of LOGNAMEs and, if possible, select a<br />
predefined name. If no matching LOGNAME is available, you can create<br />
a new one. See the Policy Management <strong>Guide</strong>.<br />
Source Location: [iDev]<br />
This is the location where the project source files will be created.<br />
6. Click the Create button. The Wizard creates the following files in the [iDev]<br />
directory:<br />
iRec.conf<br />
Configuration file for the iSponsor/iRecorder<br />
iRec.cpp<br />
cpp source for the iSponsor<br />
iRec.h<br />
Header file for the iSponsor<br />
iRec_recorder.cpp<br />
cpp source for the new iRecorder<br />
iRec_recorder.h<br />
Header file for the new iRecorder<br />
GNUmakefile<br />
Make file for the project<br />
7. Modify the iRec_recorder.cpp, iRec_recorder.h, and iRec.conf file and build<br />
iRec.dll. See Step 4: Modify Files, later in this chapter.<br />
8. Create an install package for the new iRecorder using the iGateway merge<br />
module (provided in the iRecorder SDK).<br />
Test Environment<br />
To create a test environment, follow these steps:<br />
1. Install <strong>eTrust</strong> <strong>Audit</strong> components (Client, Policy Manager, and Data Tools) as<br />
described in Getting Started.<br />
2. Install the iRouter component on the host where <strong>eTrust</strong> <strong>Audit</strong> Client is<br />
installed.<br />
3. Install the iRec_recorder on the host from which the recorder can access the<br />
log events generated by the device or system. The iRecorder installation will:<br />
■ Create a new directory, \Program Files\<strong>CA</strong>\iGateway.<br />
■ Copy several files and DLLs into the \Program Files\<strong>CA</strong>\iGateway<br />
directory.<br />
■ Run the iGateway service.<br />
4. If the new iRecorder is not one of the predefined <strong>Audit</strong> Node types (AN<br />
types), you must create a new AN Type using the <strong>eTrust</strong> <strong>Audit</strong> Policy<br />
Manager as described in the Policy Management <strong>Guide</strong>.<br />
5. Using the appropriate AN type for your new iRecorder, define the new AN,<br />
rules, and filters as described in the Policy Management <strong>Guide</strong>.<br />
6. To test the newly developed iRecorder [iRec]:<br />
■ Install and set up the environment necessary for accessing the log events<br />
from the new iRecorder [iRec]. This can include special APIs, libraries,<br />
ODBC drivers, and so on distributed by the manufacturer of the device or<br />
system.<br />
■ Stop and restart the iGateway service after bug fixes.<br />
■ If the new iRecorder is bug-free, all log events generated after the start of<br />
the iGateway service should go to the <strong>eTrust</strong> <strong>Audit</strong> Client where the iRouter<br />
component was installed. These events should get routed according to<br />
the <strong>Audit</strong> Policy defined in the <strong>eTrust</strong> <strong>Audit</strong> Policy Manager.<br />
How To Develop an iRecorder<br />
Follow these steps to develop an iRecorder:<br />
1. Identify information about required fields for <strong>eTrust</strong> <strong>Audit</strong><br />
2. Establish a method to access log events<br />
3. Parse log event data into tokens<br />
4. Modify files<br />
5. Build the project<br />
6. Test and debug<br />
Step 1: Identify Information about Required Fields for <strong>eTrust</strong> <strong>Audit</strong><br />
Any event sent to <strong>eTrust</strong> <strong>Audit</strong> must have the following fields filled in<br />
appropriately. Some of the fields can be derived from the original event (such as<br />
Date, Status, Source, Event’s location). Some fields have to be defined up front<br />
(such as Logname).<br />
Gather information about the following fields:<br />
Source<br />
This is essentially the application that generates the log events you are interested<br />
in routing to <strong>eTrust</strong> <strong>Audit</strong>. It also gives some idea of how you are going to<br />
capture and process the events. For example, a firewall, VPN, or router type of<br />
device could send all events to a log file; for each event, your recorder would<br />
set the source to Firewall, VPN, or Router depending on the source of the<br />
event. This is a required field and is mapped into the Source field in <strong>eTrust</strong><br />
<strong>Audit</strong>.<br />
Logname<br />
The Logname of a recorder defines the type or class of the recorder as defined in<br />
<strong>eTrust</strong> <strong>Audit</strong>. To identify an appropriate logname for your new iRecorder,<br />
review the list of all predefined lognames in Section dddd.<br />
If you cannot find a logname that matches the device or system for which you<br />
are writing the iRecorder, you must take the following steps to define a new<br />
Logname in <strong>eTrust</strong> <strong>Audit</strong>:<br />
1. Define a new AN Type in the <strong>eTrust</strong> <strong>Audit</strong> Policy Manager. From the <strong>Audit</strong> Nodes<br />
window, select the File menu and choose AN Types to enter a name for the<br />
new AN Type. This name is your new logname for the iRecorder. Make sure<br />
to click the Add button after you enter the new AN Type.<br />
2. The new logname must also be added to a text file: lognames.txt. This file is<br />
in the <strong>eTrust</strong> <strong>Audit</strong> installation directory for <strong>eTrust</strong> <strong>Audit</strong> Client and Data<br />
Tools. Use a text editor and add the new logname using the following<br />
format:<br />
nnnn LOGNAME<br />
where nnnn is a number.<br />
Location of Events<br />
Location identifies the host that issued the events. For example, if you want to<br />
develop an iRecorder for a firewall, the hostname of the firewall is the location.<br />
This is also a required field and is mapped into the Location field in <strong>eTrust</strong><br />
<strong>Audit</strong>.<br />
Other Required Fields<br />
Two other fields, Date and Status, are also required and must be<br />
mapped to the Date and Status fields in <strong>eTrust</strong> <strong>Audit</strong>. Because these fields vary<br />
from event to event, they must be mapped during event processing.<br />
Step 2: Establish a Method to Access Log Events<br />
You must be able to access the log events in your iRecorder. There are essentially<br />
two ways to do it:<br />
1. Use an API, provided by the device, system, or application vendor, to get<br />
events as they are generated. This requires the API documentation, and the<br />
API software and libraries needed to access the device or system generating<br />
the events. Through the API, events are delivered to your iRecorder in<br />
almost real-time with various fields already set to the fields of some data<br />
structure. Because almost no parsing of an event is needed, your recorder<br />
code can be pretty simple.<br />
2. Access the events after they are saved in an event repository (log file,<br />
database, and so on) by the device, system, or application. Because the<br />
events are already in the repository, you need to continuously scan the<br />
repository for any new events generated. Also, you need to define a parsing<br />
method to tokenize the fields and map them to <strong>eTrust</strong> <strong>Audit</strong> names.<br />
Note: iRecorder works as a device, which means that it will start processing<br />
new events that are generated after the recorder service is started. Events that<br />
were generated while the recorder was not running are lost. iRecorders do not<br />
process historical events.<br />
Step 3: Parse Log Event Data into Tokens<br />
Each log event data received by the iRecorder must be parsed into individual<br />
tokens. Each token must have two components: Name and Value. Name<br />
identifies the data and Value determines the content of the field. Use the<br />
technical documentation of the device, system, or application to create a map of:<br />
■ Required fields as explained in Step 1: Identify Information about Required<br />
Fields for <strong>eTrust</strong> <strong>Audit</strong>. For example, for the Check Point Firewall iRecorder:<br />
Required <strong>Audit</strong> Field Name: Mapped Field or Value<br />
LOCATION: hostname.domain.com<br />
LOGNAME: Check Point FW-1<br />
SOURCE: Firewall/VPN<br />
DATE: Date and time from event in ISO format<br />
STATUS: Event dependent: (S)uccess, (F)ailure, (D)enied.<br />
■ All other fields as Name–Value pairs.<br />
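Step 3 carried through in code, as an added example that is not code from the guide or the iTechnology SDK: a tokenizer for a constructed key=value log line, the required-field mapping from the table above, and an XML rendering of the Name–Value pairs that escapes the characters a log value could otherwise use to alter the XML string sent to the iRouter. The key=value layout, the device field names (host, app, time, result, msg), the STATUS word mapping, the element layout and all function names are assumptions; the real SDK builds its XML from the AddStringField calls shown in Step 4.<br />

```cpp
// Added example, not code from the eTrust Audit guide or the iTechnology SDK.
#include <iostream>
#include <map>
#include <string>

typedef std::map<std::string, std::string> TokenMap;

// Splits a constructed line of the form  name=value name2="value with spaces"
// into Name-Value tokens. The layout is an assumption about the device.
TokenMap tokenize(const std::string& line)
{
    TokenMap tokens;
    std::string::size_type i = 0;
    while (i < line.size()) {
        while (i < line.size() && line[i] == ' ') ++i;
        std::string::size_type eq = line.find('=', i);
        if (eq == std::string::npos) break;
        std::string name = line.substr(i, eq - i);
        std::string value;
        i = eq + 1;
        if (i < line.size() && line[i] == '"') {            // quoted value, may hold spaces
            std::string::size_type end = line.find('"', i + 1);
            if (end == std::string::npos) end = line.size();
            value = line.substr(i + 1, end - i - 1);
            i = end + 1;
        } else {                                              // bare value, ends at a space
            std::string::size_type end = line.find(' ', i);
            if (end == std::string::npos) end = line.size();
            value = line.substr(i, end - i);
            i = end;
        }
        tokens[name] = value;
    }
    return tokens;
}

static std::string get(const TokenMap& t, const char* name)
{
    TokenMap::const_iterator it = t.find(name);
    return it == t.end() ? std::string() : it->second;
}

// STATUS as the table lists it: (S)uccess, (F)ailure, (D)enied. The device
// words on the left are constructed; anything unknown is reported as failure.
std::string mapStatus(const std::string& result)
{
    if (result == "accept") return "S";
    if (result == "drop" || result == "reject") return "D";
    return "F";
}

// Required fields for one event. LOGNAME is fixed up front (Step 1); the
// others are taken from the event itself.
TokenMap mapRequiredFields(const TokenMap& raw, const std::string& logname)
{
    TokenMap req;
    req["LOCATION"] = get(raw, "host");
    req["LOGNAME"]  = logname;
    req["SOURCE"]   = get(raw, "app");
    req["DATE"]     = get(raw, "time");
    req["STATUS"]   = mapStatus(get(raw, "result"));
    return req;
}

// Escapes the XML special characters so a value copied from a log line can
// neither close the enclosing element nor open a new one.
std::string xmlEscape(const std::string& s)
{
    std::string out;
    for (std::string::size_type i = 0; i < s.size(); ++i) {
        switch (s[i]) {
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '&':  out += "&amp;";  break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&apos;"; break;
            default:   out += s[i];
        }
    }
    return out;
}

// Renders the required fields first, then every raw token. Element layout is assumed.
std::string toXml(const TokenMap& required, const TokenMap& raw)
{
    std::string xml = "<event>";
    for (TokenMap::const_iterator it = required.begin(); it != required.end(); ++it)
        xml += "<token name=\"" + xmlEscape(it->first) + "\">" + xmlEscape(it->second) + "</token>";
    for (TokenMap::const_iterator it = raw.begin(); it != raw.end(); ++it)
        xml += "<token name=\"" + xmlEscape(it->first) + "\">" + xmlEscape(it->second) + "</token>";
    return xml + "</event>";
}

// Constructed sample line; not a real device's log format.
const char* kSampleLine =
    "time=2004-03-01T10:15:00 host=fw1.example.com app=Firewall/VPN "
    "result=drop msg=\"src=10.0.0.5 <probe> & scan\"";

int main()
{
    TokenMap raw = tokenize(kSampleLine);
    std::cout << toXml(mapRequiredFields(raw, "Check Point FW-1"), raw) << "\n";
    return 0;
}
```

The msg value in the sample contains both an angle-bracketed word and an ampersand; without xmlEscape those would reach the iRouter as markup rather than as data, which is the kind of defect that shows up only once a device logs attacker-chosen text.<br />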
Step 4: Modify Files<br />
You must modify the following files:<br />
■ iRec_recorder.cpp<br />
■ iRec.conf<br />
■ iControl.conf<br />
iRecorder Source File (iRec_recorder.cpp)<br />
The following is a sample iRec_recorder.cpp file. It is commented to provide<br />
additional information:<br />
// iRec_recorcer.CPP - Implementation of Recorder<br />
/* This file contains all the functions necessary to process<br />
* and send records/events to an iRouter.<br />
*/<br />
#include "MyRec_recorder.h"<br />
#include <br />
char *remove_none_priority (char *);<br />
void<br />
*RecorderMainLoop (void *lgp);<br />
// CTOR<br />
// DONT USE - WE NEED TO HAVE ACCESS TO THE ISPONSOR OBJECT<br />
Recorder::Recorder()<br />
{<br />
ispUtil::Debug(ISP_TRACE, "Recorder::Recorder *not used*\n");<br />
}<br />
Recorder::Recorder(iSponsor *isp)<br />
{<br />
ispUtil::Debug(ISP_TRACE, "Recorder::Recorder\n");<br />
/* Get config data that is passed to the iSponsor by the iGateway.<br />
* It is passed through<br />
* in a queue of configpairs (sPair - see iTech.h)<br />
* Note the matching configuration values in the iRec.conf file<br />
*/<br />
ispUtil::Debug(ISP_TRACE,<br />
"Recorder::Recorder: %d config params found\n",<br />
isp->m_configpairq.size());<br />
for(int i = 0; i < (int) isp->m_configpairq.size(); i++)<br />
{<br />
sPair *sp = isp->m_configpairq[i];<br />
if(!sp->name.compare("MyConf1"))<br />
{<br />
myconf1 = sp->value;<br />
ispUtil::Debug(ISP_TRACE,<br />
"Recorder::Recorder: set myconf1 to %s\n", myconf1.c_str());<br />
}<br />
if(!sp->name.compare("MyConf2"))<br />
{<br />
myconf2 = sp->value;<br />
18–14 <strong>Reference</strong> <strong>Guide</strong>
How To Develop an iRecorder<br />
ispUtil::Debug(ISP_TRACE,<br />
"Recorder::Recorder: set myconf2 to %s\n", myconf2.c_str());<br />
}<br />
}<br />
/* This is the one and only ispEvent object for this iRecorder.<br />
*<br />
* NOTE: if this recorder uses an API to collect data by registering<br />
* callbacks, either create an event object every time the<br />
* callback gets called, or use a mutex to protect it.<br />
*/<br />
evt = new ispEvent(isp);<br />
/* Create mutex to be used in callback or main loop and spawn of<br />
* the main thread that will do all the work.<br />
*/<br />
ispUtil::MutexCreate(&m_mutex);<br />
ispUtil::ThreadCreate(RecorderMainLoop, this);<br />
}<br />
// DTOR<br />
Recorder::~Recorder()<br />
{<br />
}<br />
ispUtil::Debug(ISP_TRACE, "Recorder::~Recorder\n");<br />
ispUtil::MutexDestroy(m_mutex);<br />
if(evt)<br />
{<br />
delete evt;<br />
evt = NULL;<br />
}<br />
// The main thread<br />
void *<br />
RecorderMainLoop(void *arg)<br />
{<br />
ispUtil::Debug(ISP_TRACE, "RecorderMainLoop\n");<br />
Recorder *lgp = (Recorder *)arg;<br />
#ifdef USING_API<br />
/* If the recorder will be using an API to receive events,<br />
* register with the API and create a main window loop<br />
* to receive the events.<br />
*/<br />
BOOL bRet;<br />
while(alive && (bRet = GetMessage( &msg, NULL, 0, 0 )) != 0)<br />
{<br />
if (bRet == -1)<br />
{<br />
// handle the error and possibly exit<br />
}<br />
else<br />
{<br />
TranslateMessage(&msg);<br />
DispatchMessage(&msg);<br />
}<br />
}<br />
iRecorder Development <strong>Reference</strong> 18–15
How To Develop an iRecorder<br />
#else // USING_API<br />
  /* If reading a log file or connecting via ODBC,<br />
   * open the file or initialize the connection now and<br />
   * periodically process new events as they come in.<br />
   */<br />
  while(alive)<br />
  {<br />
    ispUtil::MutexLock(lgp->m_mutex);<br />
    ispUtil::Debug(ISP_TRACE, "RecorderMainLoop: Doing work.\n");<br />
    lgp->ProcessEvent();<br />
    ispUtil::MutexUnlock(lgp->m_mutex);<br />
    ispUtil::iSleep(10);<br />
  }<br />
#endif // USING_API<br />
  ispUtil::Debug(ISP_TRACE, "RecorderMainLoop shutting down.\n");<br />
  return NULL;<br />
}<br />
<br />
void Recorder::ProcessEvent()<br />
{<br />
  /* Check if new events have arrived. If there are any, tokenize them<br />
   * and add the entries to member variables, then call SendEvent for<br />
   * every event<br />
   */<br />
  ispUtil::Debug(ISP_TRACE, "Recorder::ProcessEvent\n");<br />
  SendEvent();<br />
}<br />
<br />
void Recorder::SendEvent()<br />
{<br />
  /* For every event received, pass the correct fields to the iRouter<br />
   * in name/value pairs. This is done by calling one of the following<br />
   * member functions of the event (as defined in ispEvent.h):<br />
   *   AddStringField(const char* field, const char* value);<br />
   *   AddDateField(const char* field, const time_t value);<br />
   *   AddLongField(const char* field, const long value);<br />
   *<br />
   * The following fields will be filled in automatically by the SDK:<br />
   *   Location - will default to the local hostname<br />
   *              can be overwritten by calling:<br />
   *              SetHostname(char *hostname);<br />
   *   Status   - will default to ISP_STATUS_SUCCESS<br />
   *              can be overwritten by calling:<br />
   *              SetStatus(sStatus status);<br />
   *   Severity - will default to ISP_SEVERITY_NONE<br />
   *              can be overwritten by calling:<br />
   *              SetSeverity(sSeverity severity);<br />
   *   Date     - will default to the date when the event object was<br />
   *              created; can be overwritten by calling:<br />
   *              SetDate(time_t date);<br />
   *   OS       - will default to the OS where the iRecorder is running<br />
   *              can be overwritten by calling:<br />
   *              SetOS(char* OS);<br />
   *<br />
   * NOTE: All eTrust Audit iRecorders MUST add the following field:<br />
   *   AddStringField("EventLog", )<br />
   *   where the value argument is replaced with the AN Type<br />
   *   of the iRecorder as defined in the eTrust Audit<br />
   *   Policy Manager.<br />
   *<br />
   * NOTE: To map to the Source(Src) field in eTrust Audit, add<br />
   *   the following field:<br />
   *   AddStringField("EventSource", )<br />
   *   where the value argument is replaced with the original source<br />
   *   of the event.<br />
   *<br />
   * All other fields should be added, when possible, using the<br />
   * recommended field names as defined in the eTrust Audit<br />
   * Administrators Guide in the chapter about the Submit API.<br />
   */<br />
  ispUtil::Debug(ISP_TRACE, "Recorder::SendEvent\n");<br />
  // If the original event did not contain a timestamp, add the timestamp<br />
  // when the iRecorder processed the event<br />
  time_t now = time(NULL);<br />
  evt->SetDate(now);<br />
  // Required for Audit iRecorders<br />
  evt->AddStringField("EventLog", "LOGNAME");<br />
  // Recommended for Audit iRecorders<br />
  evt->AddStringField("EventSource", "MySource");<br />
  evt->SetSeverity(ISP_SEVERITY_INFO);<br />
  evt->Submit();<br />
  /* Call this to clear out all but the fields that are inserted<br />
   * automatically */<br />
  evt->ReuseEvent();<br />
}<br />
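The sample above calls into the SDK's ispEvent class, whose headers are not on this page. The following is an added example, not code from the SDK or from this guide: a small stand-alone model of the event contract the SendEvent comment describes (automatically filled Location, Status, Severity, Date and OS; per-event name/value fields; the mandatory EventLog field; ReuseEvent keeping only the automatic fields). The class AuditEvent, the helpers xmlEscape, sendSample and reuseKeepsDefaults, and the outbox vector standing in for the iRouter are this example's own names and assumptions. Whether the real SDK escapes XML metacharacters in field values is not stated on the page; this model escapes them, because an iRecorder feeds untrusted log text into an XML representation, and it makes Submit refuse an event that lacks EventLog so the omission is caught in the iRecorder rather than downstream.

```cpp
#include <ctime>
#include <string>
#include <utility>
#include <vector>

// Constant names as used on the page; the numeric values are this model's own.
enum sStatus { ISP_STATUS_SUCCESS = 0 };
enum sSeverity { ISP_SEVERITY_NONE = 0, ISP_SEVERITY_INFO = 1 };

// Escape the XML metacharacters so a log line containing '<' or '&'
// cannot alter the structure of the event's XML representation.
static std::string xmlEscape(const std::string& in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&apos;"; break;
            default:   out += c;
        }
    }
    return out;
}

// Hypothetical stand-in for the SDK's event object (not the ispEvent API).
class AuditEvent {
public:
    // The SDK fills Location, Status, Severity, Date and OS itself; here the
    // caller passes the defaults in so the example runs deterministically.
    AuditEvent(const std::string& hostname, const std::string& os, time_t created)
        : host_(hostname), os_(os), status_(ISP_STATUS_SUCCESS),
          sev_(ISP_SEVERITY_NONE), date_(created) {}

    void AddStringField(const std::string& f, const std::string& v) { fields_.emplace_back(f, v); }
    void AddLongField(const std::string& f, long v) { fields_.emplace_back(f, std::to_string(v)); }
    void AddDateField(const std::string& f, time_t v) {
        fields_.emplace_back(f, std::to_string(static_cast<long long>(v)));
    }
    void SetHostname(const std::string& h) { host_ = h; }
    void SetStatus(sStatus s) { status_ = s; }
    void SetSeverity(sSeverity s) { sev_ = s; }
    void SetDate(time_t d) { date_ = d; }
    void SetOS(const std::string& o) { os_ = o; }
    std::string GetHostname() const { return host_; }
    sSeverity GetSeverity() const { return sev_; }

    bool HasField(const std::string& name) const {
        for (const auto& kv : fields_) if (kv.first == name) return true;
        return false;
    }

    // Serialise to the event's XML representation with every value escaped.
    std::string ToXml() const {
        std::string x = "<event location=\"" + xmlEscape(host_) + "\" os=\"" + xmlEscape(os_) +
                        "\" status=\"" + std::to_string(static_cast<int>(status_)) +
                        "\" severity=\"" + std::to_string(static_cast<int>(sev_)) +
                        "\" date=\"" + std::to_string(static_cast<long long>(date_)) + "\">";
        for (const auto& kv : fields_)
            x += "<field name=\"" + xmlEscape(kv.first) + "\">" + xmlEscape(kv.second) + "</field>";
        return x + "</event>";
    }

    // Submit refuses an event that lacks the EventLog field the guide marks as
    // mandatory; the outbox vector stands in for the iRouter connection.
    bool Submit(std::vector<std::string>& outbox) const {
        if (!HasField("EventLog")) return false;
        outbox.push_back(ToXml());
        return true;
    }

    // Clear the per-event fields only; the automatically filled ones survive.
    void ReuseEvent() { fields_.clear(); }

private:
    std::string host_, os_;
    sStatus status_;
    sSeverity sev_;
    time_t date_;
    std::vector<std::pair<std::string, std::string>> fields_;
};

// Mirrors the SendEvent sequence above for one constructed log line. Returns
// the XML that would go to the iRouter, or "" if Submit refused the event.
std::string sendSample(const std::string& rawLogLine, bool includeEventLog) {
    std::vector<std::string> outbox;
    AuditEvent evt("host1", "Linux", 1700000000);   // constructed defaults
    evt.SetDate(1700000001);                          // time the iRecorder processed it
    if (includeEventLog) evt.AddStringField("EventLog", "LOGNAME");
    evt.AddStringField("EventSource", "MySource");
    evt.AddStringField("Message", rawLogLine);       // untrusted text from the log
    evt.SetSeverity(ISP_SEVERITY_INFO);
    if (!evt.Submit(outbox)) return "";
    evt.ReuseEvent();
    return outbox.front();
}

// Checks the ReuseEvent contract: per-event fields go, defaults stay, and the
// reused object cannot be submitted again until EventLog is added once more.
bool reuseKeepsDefaults() {
    std::vector<std::string> outbox;
    AuditEvent evt("host1", "Linux", 1700000000);
    evt.AddStringField("EventLog", "LOGNAME");
    evt.ReuseEvent();
    return !evt.HasField("EventLog") && evt.GetHostname() == "host1" &&
           !evt.Submit(outbox) && outbox.empty();
}
```

Calling sendSample("user=<admin> & co", true) yields a document in which the message reads user=&lt;admin&gt; &amp; co, while sendSample with includeEventLog set to false returns an empty string because the mandatory field is absent.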
iRecorder Configuration File (iRec.conf)<br />
The iRecorder configuration file contains iRecorder specific parameters (see<br />
MyConfig1 and MyConfig2). You can add any number of parameters in this file<br />
and the specified parameters are passed to the iRecorder at iGateway startup<br />
time. If the iRecorder needs any runtime configuration parameters, you can add<br />
parameters such as and .<br />
The following is a sample iRec.conf file:<br />
<br />
iRec<br />
DSP<br />
iRec<br />
iDispatch<br />
<br />
<br />
true<br />
value1<br />
value2<br />
defaultvalue<br />
mysecret<br />
<br />
iControl Configuration File (iControl.conf)<br />
The iControl configuration file contains parameters that specify control and<br />
routing relation information. In general, the parameters contained in the iControl<br />
file are needed at iRecorder installation time.<br />
If the parameter is set to true, the iControl component will use the<br />
parameter to determine the remote host [REMOTEHOST] to<br />
which the events should be sent.<br />
A sample iControl.conf file for this scenario is as follows:<br />
<br />
iControl<br />
iControl<br />
iDispatch<br />
DSP<br />
true<br />
true<br />
REMOTEHOST<br />
<br />
If the parameter is false, the iControl component will not route<br />
events to another host but would expect a such as EP<strong>Audit</strong> for<br />
event delivery. This is how iControl is set up on iRouter.<br />
A sample iControl.conf file for this scenario is as follows:<br />
<br />
iControl<br />
iControl<br />
iDispatch<br />
DSP<br />
true<br />
false<br />
localhost<br />
ep<strong>Audit</strong><br />
<br />
Step 5: Build the Project<br />
From your Cygwin environment, run make install to:<br />
■ Compile and build your iRecorder project files.<br />
■ Stop iGateway service, if running.<br />
■ Copy the project files to the iGateway install directory.<br />
■ Start iGateway service.<br />
Step 6: Test and Debug Your iRecorder<br />
Using the test environment, you can proceed with testing your new iRecorder.<br />
iRecorder API Functions<br />
The iRecorder includes the following functions:<br />
Function Parameters Return Values Description<br />
AddBinaryField ( const char* field, const char* bvalue, const int bsize ) void Add a binary field to the event’s xml representation.<br />
AddDateField ( const char* field, const time_t value ) void Add a time date field to the event’s xml representation.<br />
AddIntField ( const char* field, const int value ) void Add an Int field to the event’s xml representation.<br />
AddLongField ( const char* field, const long value ) void Add a long field to the event’s xml representation.<br />
AddShortField ( const char* field, const short value ) void Add a short field to the event’s xml representation.<br />
AddStringField ( const char* field, const char* value ) void Add a string field to the event’s xml representation.<br />
GetDate () const time_t Access to event’s date.<br />
GetHostname () const char* Access to event’s location.<br />
GetOS () const Access to event’s OS.<br />
GetSeverity () const sSeverity Access to event’s severity.<br />
GetSeverityName () const char* Access to event’s severity name.<br />
GetStatus () const sStatus Access to event’s status.<br />
GetStatusName () const char* Access to event’s status name.<br />
ReuseEvent () void Clear out iSponsor and reuse fields.<br />
SetDate ( time_t date ) void Set event’s date. This field is required for an eTrust Audit event.<br />
SetHostname ( char* hostname ) void Set the location where the event is generated.<br />
SetOS ( char* OS ) void Set event’s OS. This field is not required for an eTrust Audit event.<br />
SetSeverity ( sSeverity severity ) void Set event’s severity. This field is required for an eTrust Audit event.<br />
SetStatus ( sStatus status ) void Set event’s status. This field is required for an eTrust Audit event.<br />
Submit () bool Submit is called when you want to send the event, formatted as an xml string, out either to an iRouter or an iCollect.<br />
Index<br />
A<br />
acactmgr daemon, 3-6<br />
acactmgr service, 2-5<br />
account management events<br />
for SAPI, 13-24<br />
acdistagn daemon, 3-7<br />
acdistagn service, 2-6<br />
acdistsrv service, 2-7<br />
acloader<br />
described, 16-3<br />
aclogrcd daemon, 3-7<br />
aclogrd<br />
and configuration files, 4-1<br />
aclogrd daemon, 3-8<br />
aclogrd service, 2-8<br />
acrecorderd daemon, 3-8<br />
action manager daemon, 3-6<br />
action manager service, 2-5<br />
action queue<br />
and registry keys, 6-27<br />
actions<br />
collector, 4-3<br />
described, 4-3<br />
file, 4-4<br />
mail, 4-4<br />
monitor, 4-3<br />
program, 4-5<br />
remote, 4-4<br />
route, 4-4<br />
screen, 4-4<br />
SNMP, 4-4<br />
unicenter, 4-6<br />
actions parameter<br />
e<strong>Audit</strong>.ini file, 7-10<br />
alert queue<br />
and registry keys, 6-18, 6-19<br />
alert queue parameter<br />
e<strong>Audit</strong>.ini file, 7-7<br />
AN types<br />
and registry keys, 6-31<br />
Apache, 6-31<br />
Default, 6-32, 7-12<br />
<strong>eTrust</strong> Access Control, 6-32<br />
Netscape, 6-33<br />
NT, 6-33<br />
Oracle, 6-34<br />
UNIX, 6-34<br />
AN types parameter<br />
e<strong>Audit</strong>.ini file, 7-12<br />
B<br />
binary operators<br />
in router configuration files, 5-10<br />
C<br />
Check Point Firewall-1<br />
configuration values, 14-7<br />
configuring servers, 14-3, 14-14<br />
connection types, 14-4<br />
e<strong>Audit</strong>.ini, 14-7, 14-10<br />
installation, 14-4<br />
log types, 14-4<br />
preinstallation considerations, 14-3<br />
registry keys, 14-7<br />
UNIX installation, 14-4, 14-5<br />
upgrading the Data Tools, 14-6<br />
collection queue<br />
and registry keys, 6-22<br />
collection queue parameter<br />
e<strong>Audit</strong>.ini file, 7-8<br />
collector action, 4-3<br />
collector daemon, 3-7<br />
collector service, 2-8<br />
configuration files<br />
locations, 4-1<br />
recorder, 4-6<br />
redirector, 4-7<br />
router, 4-8<br />
configuration values<br />
Recorder Check Point Firewall-1, 14-7<br />
connection types<br />
OPSEC, 14-13<br />
Recorder Check Point Firewall-1, 14-4<br />
D<br />
daemon<br />
action manager, 3-6<br />
daemons<br />
collector, 3-7<br />
commands to control, 3-2<br />
distribution agent, 3-7<br />
list of, 3-1<br />
log router, 3-8<br />
recorder, 3-8<br />
SNMP recorder, 3-9<br />
data server<br />
and registry keys, 6-44<br />
data server reports<br />
and registry keys, 6-46<br />
data server viewer<br />
and registry keys, 6-46<br />
Data Tools<br />
Recorder Check Point Firewall-1, 14-6<br />
data types<br />
in router configuration files, 5-11<br />
databases<br />
and registry keys, 6-44<br />
default queue<br />
and registry keys, 6-25<br />
default queue parameter<br />
e<strong>Audit</strong>.ini file, 7-9<br />
detailed tracking events<br />
for SAPI, 13-30<br />
distribution agent daemon, 3-7<br />
distribution agent service, 2-6<br />
distribution server<br />
and registry keys, 6-37<br />
distribution server service, 2-7<br />
do command, 5-6<br />
E<br />
eaudit.ini file<br />
actions parameters, 7-10<br />
alert queue parameters, 7-7<br />
AN types parameters, 7-12<br />
collection queue parameters, 7-8<br />
default queue parameters, 7-9<br />
management agent parameters, 7-11<br />
messages parameters, 7-3<br />
parameters, 7-1<br />
ports parameters, 7-1<br />
queue manager parameters, 7-6<br />
recorders parameters, 7-6<br />
router parameters, 7-6<br />
SNMP recorder parameters, 7-6<br />
e<strong>Audit</strong>.ini file<br />
and firewalls, 9-1<br />
Security Monitor, 7-5<br />
targets, 7-5<br />
eAudit.ini<br />
Recorder Check Point Firewall-1, 14-7, 14-10<br />
email<br />
and registry keys, 6-9<br />
encryption<br />
and setkey command, 8-2<br />
basic support, 8-1<br />
turning off, 8-2<br />
encryption keys<br />
changing, 8-1<br />
encup utility, 11-1<br />
EP<strong>Audit</strong> plug-in<br />
described, 18-6<br />
EPDebug plug-in<br />
described, 18-6<br />
EPUnicenter plug-in<br />
described, 18-6<br />
error and return codes<br />
for SAPI, 13-14<br />
<strong>eTrust</strong> Access Control<br />
bulk migration of log records to <strong>eTrust</strong> <strong>Audit</strong>, 16-<br />
1, 17-1<br />
steps to migrate log records to <strong>eTrust</strong> <strong>Audit</strong>, 16-1<br />
Event database<br />
Renaming before backing up Access database,<br />
10-4<br />
event IDs<br />
2000, 12-6<br />
NT, 12-1<br />
Event plug-in<br />
described, 18-5<br />
exclude command, 5-8<br />
F<br />
fex<br />
and using selogrd to convert audit log files, 17-1<br />
fields<br />
for event description, 13-20<br />
for event notification, 13-17, 13-19<br />
SAPI, 13-16<br />
file action, 4-4<br />
files<br />
logroute.cfg, 4-7<br />
router.cfg, 4-8<br />
selogrec.cfg, 4-6<br />
firewalls<br />
and e<strong>Audit</strong>.ini file, 9-1<br />
and registry keys, 6-2, 9-1<br />
configuration requirements, 9-1<br />
functions<br />
for SAPI, 13-6<br />
SAPI_AddItem, 13-8<br />
SAPI_DestroyCTX, 13-12<br />
SAPI_DumpMessage, 13-11<br />
SAPI_Init, 13-6<br />
SAPI_NewMessage, 13-7<br />
SAPI_RemoveMessage, 13-10<br />
SAPI_SetRouter, 13-12<br />
SAPI_SetRouterPort, 13-13<br />
SAPI_SetRouterTimeout, 13-13<br />
SAPI_SubmitMsg, 13-9<br />
G<br />
general events<br />
for SAPI, 13-31<br />
group command, 5-9<br />
groups<br />
in router configuration files, 5-4<br />
H<br />
header file for SAPI<br />
etsapi.h, 13-3<br />
I<br />
iControl<br />
described, 18-5<br />
iControl configuration file, 18-18<br />
iGateway<br />
described, 18-4<br />
include command, 5-8<br />
ini files<br />
described, 7-1<br />
installation<br />
Recorder Check Point Firewall-1, 14-4<br />
internal events<br />
for SAPI, 13-32<br />
iRecorder<br />
accessing events, 18-13<br />
building the project, 18-18<br />
described, 18-6<br />
design, 18-3<br />
developing, 18-11<br />
function reference, 18-19<br />
modifying files, 18-14<br />
parsing tokens, 18-13<br />
required fields, 18-11<br />
requirements, 18-7, 18-8, 18-10<br />
testing, 18-18<br />
iRecorder configuration file, 18-17<br />
iRecorder source file, 18-14<br />
iRouter<br />
described, 18-7<br />
iTechnology<br />
components, 18-3<br />
described, 18-2<br />
L<br />
libraries<br />
for SAPI, 13-3<br />
log files<br />
and registry keys, 6-10<br />
log router daemon, 3-8<br />
log router service, 2-8<br />
log types<br />
Recorder Check Point Firewall-1, 14-4<br />
M<br />
mail action, 4-4<br />
management agent<br />
and registry keys, 6-29<br />
management agent queue parameter<br />
e<strong>Audit</strong>.ini file, 7-11<br />
mapping events<br />
for SAPI, 13-22<br />
mapping examples<br />
for SAPI, 13-17<br />
mappings<br />
AC_SAPITokens.h, 13-2<br />
SAPI, 13-2<br />
message routing<br />
SAPI, 13-2<br />
messages<br />
location of, 7-3<br />
location of stored, 6-5<br />
using SAPI to handle submit failures, 13-3<br />
using SAPI to submit a messages to a router, 13-2<br />
messages parameter<br />
e<strong>Audit</strong>.ini file, 7-3<br />
monitor action, 4-3<br />
N<br />
network events<br />
for SAPI, 13-28<br />
O<br />
object access events<br />
for SAPI, 13-25<br />
OPSEC connection type, 14-4<br />
OPSEC connection types, 14-13<br />
P<br />
passwords<br />
changing, 11-1<br />
path action, 4-5<br />
policy management events<br />
for SAPI, 13-26<br />
Policy Manager<br />
and eaudit.ini file, 7-11<br />
and registry keys, 6-29<br />
changing the password for the administrator<br />
user, 11-1<br />
Policy Manager action queues<br />
and registry keys, 6-44<br />
Policy Manager database<br />
and registry keys, 6-35<br />
Policy Manager default queues<br />
and registry keys, 6-41<br />
Policy Manager distribution log<br />
and registry keys, 6-36<br />
Policy Manager distribution server<br />
and registry keys, 6-37<br />
Policy Manager distribution server parameters<br />
and registry keys, 6-39<br />
Policy Manager distribution server queues<br />
and registry keys, 6-37<br />
Policy Manager distribution server rules<br />
and registry keys, 6-38<br />
portmap service, 2-12<br />
portmapper, 6-2, 7-1<br />
ports, 2-12<br />
and registry keys, 6-2<br />
ports parameter<br />
e<strong>Audit</strong>.ini file, 7-1<br />
preinstallation considerations<br />
Recorder Check Point Firewall-1, 14-3<br />
properties of fields<br />
SAPI, 13-16<br />
Q<br />
queue files<br />
defined, 4-1<br />
queue manager parameter<br />
e<strong>Audit</strong>.ini file, 7-6<br />
queues<br />
and registry keys, 6-18<br />
R<br />
recorder<br />
and registry keys, 6-12<br />
recorder configuration files, 4-6<br />
recorder daemon, 3-8<br />
Recorder for Check Point Firewall-1. See Check Point<br />
Firewall-1<br />
recorder service, 2-9<br />
recorder.ini file<br />
definitions section, 7-14<br />
log data section, 7-16<br />
parameters, 7-14<br />
parameters section, 7-15<br />
supported recorders, 7-14<br />
recorders<br />
and registry keys, 6-11<br />
Check Point Firewall-1, 14-1<br />
recorders parameter<br />
e<strong>Audit</strong>.ini file, 7-6<br />
redirector<br />
and registry keys, 6-14<br />
redirector configuration files, 4-7<br />
redirector service, 2-10<br />
registry<br />
editing, 6-1<br />
registry keys<br />
action queue, 6-27<br />
alert queue, 6-18, 6-19<br />
AN types, 6-31, 6-32, 6-33, 6-34, 7-12<br />
and action manager service, 2-5<br />
and collector service, 2-8<br />
and distribution agent service, 2-6<br />
and distribution server service, 2-7<br />
and log router service, 2-8<br />
and recorder service, 2-9<br />
and rules, 4-2<br />
collection queue, 6-22<br />
data server, 6-44<br />
data server reports, 6-46<br />
data server viewer, 6-46<br />
default queue, 6-25<br />
described, 6-1<br />
for log files, 6-10<br />
mail, 6-9<br />
management agent, 6-29<br />
messages, 6-5<br />
NT recorder, 6-12<br />
Policy Manager action queues, 6-44<br />
Policy Manager database, 6-35<br />
Policy Manager default queues, 6-41<br />
Policy Manager distribution log, 6-36<br />
Policy Manager distribution server, 6-37<br />
Policy Manager distribution server parameters,<br />
6-39<br />
Policy Manager distribution server queues, 6-37<br />
Policy Manager distribution server rules, 6-38<br />
ports, 6-2<br />
queue manager, 6-18<br />
Recorder Check Point Firewall-1, 14-7<br />
recorders, 6-11<br />
redirector, 6-14<br />
redirector service, 2-10<br />
router, 6-11, 6-17<br />
RPC, 6-4<br />
Security Monitor, 6-8, 6-48<br />
severity, 6-5<br />
SNMP recorder, 6-14<br />
SNMP recorder service, 2-11<br />
targets, 6-8<br />
regular expressions<br />
in router configuration files, 5-10<br />
remote action, 4-4<br />
action, 5-5<br />
remote procedure calls, 6-4<br />
reports<br />
location of, 6-46<br />
reserved words<br />
for SAPI, 13-32<br />
route action, 4-4<br />
router<br />
and configuration files, 4-1<br />
and registry keys, 6-11, 6-17<br />
router configuration file<br />
groups, 5-4<br />
variables, 5-2<br />
router configuration files, 4-8<br />
location, 5-1<br />
rules, 5-1<br />
router parameter<br />
e<strong>Audit</strong>.ini file, 7-6<br />
rule command, 5-9<br />
rules<br />
and configuration files, 4-2<br />
described, 4-2<br />
in router configuration files, 5-1<br />
S<br />
sample program<br />
using SAPI, 13-3<br />
SAPI<br />
compiling and linking, 13-3<br />
described, 13-1<br />
error and return codes, 13-14<br />
event description fields, 13-20<br />
event notification fields, 13-17, 13-19<br />
fields, 13-16<br />
function reference, 13-6<br />
handling submit failures, 13-3<br />
libraries, 13-3<br />
mapping, 13-2<br />
mapping account management events, 13-24<br />
mapping detailed tracking events, 13-30<br />
mapping events, 13-22<br />
mapping examples, 13-17<br />
mapping general events, 13-31<br />
mapping internal events, 13-32<br />
mapping network events, 13-28<br />
mapping object access events, 13-25<br />
mapping policy management events, 13-26<br />
mapping security system status events, 13-27<br />
mapping system access events, 13-23<br />
message routing, 13-2<br />
reserved words, 13-32<br />
sample routine, 13-3<br />
submitting a message, 13-2<br />
SAPI field properties, 13-16<br />
SAPI tokens<br />
in router configuration files, 5-12<br />
SAPI_AddItem function, 13-8<br />
SAPI_DestroyCTX function, 13-12<br />
SAPI_DumpMessage function, 13-11<br />
SAPI_Init function, 13-6<br />
SAPI_NewMessage function, 13-7<br />
SAPI_RemoveMessage function, 13-10<br />
SAPI_SetRouter function, 13-12<br />
SAPI_SetRouterPort function, 13-13<br />
SAPI_SetRouterTimeout function, 13-13<br />
SAPI_SubmitMsg function, 13-9<br />
screen action, 4-4<br />
Security Monitor<br />
and registry keys, 6-8, 6-48<br />
e<strong>Audit</strong>.ini file, 7-5<br />
Security Monitor key, 6-48<br />
security system status events<br />
for SAPI, 13-27<br />
selogrcd service, 2-8<br />
selogrd<br />
and configuration files, 4-7<br />
and fex, 17-1<br />
selogrd service, 2-10<br />
selogrec<br />
and configuration files, 4-6<br />
selogrec service, 2-9<br />
servers<br />
Recorder Check Point Firewall-1, 14-3, 14-14<br />
services<br />
action manager, 2-5<br />
collector, 2-8<br />
distribution agent, 2-6<br />
distribution server, 2-7<br />
list of, 2-1<br />
log router, 2-8<br />
portmap, 2-12<br />
recorder, 2-9<br />
redirector, 2-10<br />
SNMP recorder, 2-11<br />
Services, 2-1<br />
setkey command, 8-2<br />
SMTP Mail Server<br />
identifying, 6-9<br />
SNMP, 2-11, 3-9<br />
SNMP action, 4-4<br />
SNMP recorder and registry keys, 6-14<br />
SNMP recorder daemon, 3-9<br />
SNMP recorder parameter<br />
e<strong>Audit</strong>.ini file, 7-6<br />
SNMP recorder service, 2-11<br />
SNMP Service<br />
and registry keys, 6-2<br />
snmprec daemon, 3-9<br />
snmprec service, 2-11<br />
sqlldr<br />
using to import <strong>eTrust</strong> Access Control Records,<br />
17-3<br />
Submit API. See SAPI<br />
system access events<br />
for SAPI, 13-23<br />
T<br />
action, 5-4<br />
type command, 5-7<br />
U<br />
unicenter action, 4-6<br />
UNIX installation<br />
Recorder Check Point Firewall-1, 14-4, 14-5<br />
V<br />
variables<br />
in router configuration files, 5-2<br />
Viewer<br />
and registry keys, 6-46<br />
W<br />
Windows 2000 event IDs, 12-6<br />
Windows NT event IDs, 12-1<br />