eTrust Audit Reference Guide - CA Technologies

More documents

Recommendations

Info

Recorder Configuration File unicenter The unicenter action tells the Action Manager to send events to the local Unicenter agent (installed on the eTrust Audit host that performs the action) for forwarding to the Unicenter Event Management Console on the specified host as shown in the following example: Action unicenter; systema In the example, the Action Manager sends events to the Unicenter Event Management Console on systema. Note: Status codes from eTrust Access Control are translated to their generic equivalents. In the Unicenter Event Management Console, events display color codes and status icons. The Unicenter Event Management Agent must be installed on the host where the Action Manager runs. Recorder Configuration File The recorder configuration file, each line (other than comment lines) provides criteria for bringing audit records into the local audit file from Windows. A record is admitted and handled by eTrust Audit if it matches the criteria of any line in the file. If the record does not match a line, then eTrust Audit will ignore the record. The file is selogrec.cfg in the audit\etc directory, where audit is the directory in which you installed eTrust Audit. This file defines which NT logs will be read, according to the client. The format is explained in the following example. Use commas as delimiters within the three-part resource specification, (source, event category, event ID), This is different that the semicolons that are used as delimiters elsewhere. The file is case-sensitive. You can select the way to filter the events that are recorded by using the following mask: ;;; For example: NT-Security;Security,Detailed Tracking,593;jerry;S The default values, which can be selected during installation, are: ■ ■ ■ NT-System;*;*;* NT-Security;*;*;* NT-Application;*;*;* 4–6 Reference Guide
Redirector Configuration File For more in-depth information regarding this issue, see the selogrec.cfg file in the install_dir\etc directory. The access results Success and Failure typically refer to logins, while Info reports on successful application startups. Warning refers to possible problems, while Error indicates a more severe problem. Comment Lines To create a comment line, begin it with a semicolon (;), pound sign (#), or exclamation point (!). For example, — ! Here are four comment lines. If you wanted to ! use the fourth one as a rule, you could simply ! erase the "!" mark from its start. ! NT-Security;Security,Detailed Tracking,593;jerry;S The Asterisk as Wildcard You can use an asterisk (*), signifying any number of wildcards, for any field except the event log name. If you wish, you can use a single asterisk for the three-part Resource field; for example, to indicate “all Windows NT security log events, regardless of resource, user, and result”: NT-Security;*;*;* The question mark (?) represents a single wildcard character. Here is another example, specifying all Windows NT Application log events that are Information events with the eTrust Audit Collector service as their source, regardless of event category, event ID, and user: NT-Application;eTrustAudit Col*,*,*;*;I Redirector Configuration File The redirector configuration file tells what should be sent where. By default, everything is sent to the router (local or remote). While running, the redirector periodically reconfigures itself according to the contents of the redirector configuration file. For SeLogRd, the configuration file is logroute.cfg, located in the install_dir\etc directory. Configuration Files 4–7
Page 1 and 2: eTrust Audit Reference Guide 1.5 S
Page 3 and 4: Contents Chapter 1: Introduction Ch
Page 5 and 6: Chapter 6: Windows Registry Entries
Page 7 and 8: Changing the Database Type.........
Page 9 and 10: Chapter 15: Using the eTSAPISend Pr
Page 11: Chapter 1 Introduction This guide p
Page 14 and 15: Commands to Control the Services Co
Page 16 and 17: Commands to Control the Services -s
Page 18 and 19: Distribution Agent Service (acdista
Page 20 and 21: Log Router Service (aclogRd) Log Ro
Page 22 and 23: Redirector Service (SeLogRd) Redire
Page 24 and 25: Portmap Service Portmap Service The
Page 26 and 27: Issuing Commands to Control the Dae
Page 28 and 29: Issuing Commands to Control the Dae
Page 30 and 31: Action Manager Daemon (acactmgr) Ac
Page 32 and 33: Log Router Daemon (aclogrd) Log Rou
Page 35 and 36: Chapter 4 Configuration Files The e
Page 37 and 38: About Actions Example For example,
Page 39: About Actions program The program a
Page 43: Router Configuration File Statement
Page 46 and 47: Variables Each condition uses binar
Page 48 and 49: Groups Groups Groups are set off by
Page 50 and 51: Command Syntax do Syntax do Int ope
Page 52 and 53: Command Syntax include Syntax Inclu
Page 54 and 55: Regular Expressions For example, ;=
Page 56 and 57: Identifying Events using SAPI Token
Page 59 and 60: Chapter 6 Windows Registry Entries
Page 61 and 62: Ports RouterSapiPort The data value
Page 63 and 64: Messages Messages eTrust Audit main
Page 65 and 66: Severity SkipTimeout The data value
Page 67 and 68: Mail Mail eTrust Audit maintains in
Page 69 and 70: Recorders error_back The data value
Page 71 and 72: Recorders SkipImportLogs The data v
Page 73 and 74: Redirector MailSubject The data val
Page 75 and 76: Router OverWriteBackup The data val
Page 77 and 78: Router snmp The data value specifie
Page 79 and 80: Router RetryDelay The data value sp
Page 81 and 82: Router MaxFileSize The data value s
Page 83 and 84: Router Queues\Default Queues\Defaul
Page 85 and 86: Router MaxLifeTime The data value s
Page 87 and 88: Management Agent Management Agent e
Page 89 and 90: Management Agent AN Types eTrust Au
Page 91 and 92:
Management Agent Netscape eTrust Au
Page 93 and 94:
Policy Manager Policy Manager The k
Page 95 and 96:
Policy Manager Distribution Server
Page 97 and 98:
Policy Manager Queues\DistributionQ
Page 99 and 100:
Policy Manager DeleteOldFiles The d
Page 101 and 102:
Policy Manager RetryDelay The data
Page 103 and 104:
Data Server Note: To switch to a di
Page 105 and 106:
Data Server ReadyReportsDir The dat
Page 107 and 108:
Chapter 7 UNIX INI Files The Client
Page 109 and 110:
eAudit.ini DistributionPort The dat
Page 111 and 112:
eAudit.ini Info Targets Specify the
Page 113 and 114:
eAudit.ini AlertQueue Queue Rules e
Page 115 and 116:
eAudit.ini MaxLifeTime Specify the
Page 117 and 118:
eAudit.ini snmp The snmp action sen
Page 119 and 120:
eAudit.ini Netscape eTrust Audit ma
Page 121 and 122:
ecorder.ini Parameters The Paramete
Page 123:
ecorder.ini Source Specify one of t
Page 126 and 127:
setkey Command Options setkey Comma
Page 129 and 130:
Chapter 10 Database Considerations
Page 131 and 132:
Windows NT Authentication with Micr
Page 133:
Chapter 11 Encup Utility The Encup
Page 136 and 137:
Windows NT Event IDs Event ID Type
Page 138 and 139:
Windows NT Event IDs Event ID Type
Page 140 and 141:
Windows 2000 Event IDs Windows 2000
Page 142 and 143:
Windows 2000 Event IDs Event ID Typ
Page 144 and 145:
Page 146 and 147:
Page 148 and 149:
Page 150 and 151:
eTrust Access Control Event IDs eTr
Page 152 and 153:
Mapping Mapping Messages are create
Page 154 and 155:
Sample SAPI Routine char source[] =
Page 156 and 157:
SAPI Reference SAPI Reference SAPI
Page 158 and 159:
SAPI Reference SAPI_AddItem The SAP
Page 160 and 161:
SAPI Reference SAPI_RemoveMessage S
Page 162 and 163:
SAPI Reference SAPI_DestroyCTX The
Page 164 and 165:
SAPI Return and Error Codes SAPI Re
Page 166 and 167:
Fields for SAPI Fields for SAPI The
Page 168 and 169:
Mapping Examples SAPI_SOURCE_FLD
Page 170 and 171:
Mapping Examples Common Predefined
Page 172 and 173:
Mapping Examples SAPI_INFO_FLD “I
Page 174 and 175:
Mapping Examples Account Management
Page 176 and 177:
Mapping Examples “Write” SAPI_O
Page 178 and 179:
Mapping Examples Physical Security
Page 180 and 181:
Mapping Examples SAPI_DIRECTION_FLD
Page 182 and 183:
Reserved Keywords Fields Internal t
Page 185 and 186:
Chapter 14 Recorder for Check Point
Page 187 and 188:
Preinstallation Considerations Prei
Page 189 and 190:
Installing in a Solaris Environment
Page 191 and 192:
Configuration Values Configuration
Page 193 and 194:
Configuration Values Client\Recorde
Page 195 and 196:
Configuration Values MaxSeqNoSleep
Page 197 and 198:
Technical Information Technical Inf
Page 199 and 200:
Chapter 15 Using the eTSAPISend Pro
Page 201:
Sample Batch File ■ ■ ■ ■ T
Page 204 and 205:
Remove the Indexes from SEOSDATA 6.
Page 206 and 207:
The acloader Utility Options You ca
Page 209 and 210:
Chapter 17 Inserting eTrust Access
Page 211 and 212:
Insert the Data into an Oracle Data
Page 213 and 214:
Chapter 18 iRecorder Development Re
Page 215 and 216:
iRecorder Design and Architecture i
Page 217 and 218:
iRecorder Design and Architecture T
Page 219 and 220:
How to Create an iRecorder Developm
Page 221 and 222:
How to Create an iRecorder Developm
Page 223 and 224:
How To Develop an iRecorder How To
Page 225 and 226:
How To Develop an iRecorder Step 2:
Page 227 and 228:
How To Develop an iRecorder ispUtil
Page 229 and 230:
How To Develop an iRecorder * AddSt
Page 231 and 232:
iRecorder API Functions iRecorder A
Page 233 and 234:
Index A acactmgr daemon, 3-6 acactm
Page 235 and 236:
encryption keys changing, 8-1 encup
Page 237 and 238:
Policy Manager database and registr
Page 239:
Security Monitor and registry keys,
show all

eTrust Audit Reference Guide - CA Technologies

Create successful ePaper yourself

Delete template?

Save as template?