Support Informix version 10.0 as a data source

To collect logs from IBM Informix Dynamic Server™ version 10.0 installed on a Linux platform, we first need to set up auditing, which enables the recording of selected user activities on the database server.

3.1.1 Auditing Setup

  1. Log in as user informix.

  2. Auditing is turned off by default when you install the database server. To turn it on, edit $INFORMIXDIR/aaodir/adtcfg as follows:
     • Change ADTMODE from 0 (the default) to 1. A value of 1 means that database server-managed auditing is on for all sessions.
     • Change ADTPATH to the full path to which you want the database server to save audit files. Ownership of the directory should be informix, the group ID should be informix and the permissions 755, to prevent unauthorized use of the audit files.

     For this example we will use /usr/informix/auditing for ADTPATH.

     This is the resulting adtcfg file contents:

ADTMODE         1
ADTPATH /usr/informix/auditing
ADTSIZE 50000
ADTERR 0

  3. Stop and restart the engine so that the new settings take effect.

  4. Run onaudit -c to confirm that the audit configuration parameters are correct:

ADTMODE    = 1
ADTERR     = 0
ADTPATH    = /usr/informix/auditing
ADTSIZE    = 50000
Audit file = 0

     Auditing is now turned on.

  5. Create the audit mask _require, which applies automatically to all users. In this example, the _require mask is created using the Informix-recommended events.

     onaudit -a -u _require -e +OPDB,GRDB,RVDB,GRTB,RVTB,CRRL,STRL,STSA,STOM,GRRL,RVRL,GRFR,RVFR

3.1.2 Auditing Demonstration

  1. Create an individual user mask. For this example, the user mask is pat and the events to be audited are creating and dropping databases.

     onaudit -a -u pat -e +CRDB,DRDB

  2. Run onaudit -o -y to show the audit events for all the defined users. The output is displayed as follows:

     _require    - GRDB,GRTB,OPDB,RVDB,RVTB,STOM,GRFR,RVFR,CRRL,GRRL,RVRL,STRL,STSA
     pat         - CRDB,DRDB

  3. Execute the following SQL commands as user pat:

     CREATE DATABASE test;
     CREATE TABLE tab1
     (
     col1 INT
     );

     DATABASE sysmaster;
     DROP DATABASE test;

  4. Run onshowaudit to display the tracked events for user pat. The events are displayed here:

     > onshowaudit
     ONLN|2002-10-31 14:25:10.000|digger2|2684|pat|pat|0:CRDB:test:-
     ONLN|2002-10-31 14:25:28.000|digger2|2684|pat|pat|0:OPDB:sysmaster:0:-
     ONLN|2002-10-31 14:25:28.000|digger2|2684|pat|pat|0:DRDB:test:-

  5. Repeat step 3 as user informix.

  6. Run onshowaudit to display the tracked events for user informix. The events are displayed here:

     > onshowaudit
     ONLN|2002-10-31 14:38:35.000|digger2|2711|informix|informix|0:OPDB:sysmaster:0:-

     Note that the CRDB (create database), OPDB (open database) and DRDB (drop database) events are shown for user pat, but user informix only shows OPDB.

  • Activate the audit to generate log files with a limited size, as listed above.
  • Create a cron job.
  • By creating a cron job that copies the log files to another location dedicated only to McAfee SIEM, we do not delete the original log files and work only with a duplicate copy.
  • Install SFTP on the Linux server so that SFTP can be used as the Data Retrieval method with McAfee SIEM.

3 McAfee Receiver Configuration

After successfully logging into the McAfee ESM console, the data source “Informix” needs to be added to a McAfee Receiver in the ESM hierarchy.

So we need to configure McAfee SIEM to pull the log files using SFTP File Source as the Data Retrieval method over port 22, and after processing a log file it is necessary to delete the processed file so that McAfee SIEM does not pull the same log file many times. We need to fill in the IP address of the Informix host, the path to the log files and the necessary credentials; see the picture below:


[Picture 1: Data source Screen Settings]

Support Generic Syslogs: Log “unknown syslog” event

After finishing the phase of collecting the logs, we receive some unknown events because there is no regular expression in the ASP rules that matches those packets, so we need to create an Advanced Syslog Parser (ASP) rule to deal with these events.

During the creation of the ASP rule, you first need to copy only the different packet formats, so that similar packets are not parsed many times.

Severity: if the severity is in the packet it will be used; if not, McAfee SIEM will use the default severity that you specify during parsing.

Action: map this field to specific names.

Date format: parse the date/timestamp of the log message using the variables.

Tag: select the suitable tag, for example Informix.

Rule Assignment Type: set it to group rules by vendor (for example: Informix).

Use the documentation of the vendor (“Informix”) to learn the meaning of each field in the packet; based on that you can parse correctly in the Field Assignment tab as well as select the right Normalized ID.

If you do not find a field that fits your purpose in the Field Assignment tab, you can define custom types from the ESM properties.

Note:

The field that maps to Signature Description in the Field Assignment tab will be shown as Rule Message in the Default Summary View in “Event Summary”.

After parsing all unknown syslog events we can temporarily change Support Generic Syslogs for a short period to “Parse as generic syslog”, and when the rule matches all the logs, change it back to the default: Do nothing.

Support Generic Syslogs:

  • Do nothing: ignore logs that cannot be parsed
  • Parse as generic syslog: best-effort “SYSLOG” parsing
  • Log “unknown syslog” event: mark logs that cannot be parsed as “Unknown”

Activate the ASP rule and roll out the policy to distribute it to the Receiver.
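As an added example (not part of the original post, and not IBM's or McAfee's code): the Python script below parses the pipe-delimited records that onshowaudit prints into the fields an ASP rule would assign (timestamp, host, session, user, error number, event code and its arguments), and copies audit files from ADTPATH to a dedicated SIEM pickup directory the way the cron step above describes, leaving the originals in place. The record field names, the descriptions of the event codes the post does not explain, and the sample file name are assumptions; the sample records are constructed from the output shown above, including one record wrapped over two lines.

```python
"""Added example, not from the original post: parse onshowaudit records into
the fields an ASP rule would assign, and copy audit files out of ADTPATH to a
SIEM pickup directory without deleting the originals (the cron step above).
Sample lines are constructed from the post; field names are assumptions."""
import os
import shutil
import tempfile
from datetime import datetime

# The three codes the post explains plus the rest of its _require mask; the
# descriptions of the mask codes are assumed from the Informix manuals.
EVENT_NAMES = {
    "CRDB": "create database", "OPDB": "open database", "DRDB": "drop database",
    "GRDB": "grant database access", "RVDB": "revoke database access",
    "GRTB": "grant table access", "RVTB": "revoke table access",
    "CRRL": "create role", "GRRL": "grant role", "RVRL": "revoke role",
    "STRL": "set role", "STSA": "set session authorization",
    "STOM": "set object mode", "GRFR": "grant fragment access",
    "RVFR": "revoke fragment access",
}

# Constructed from the onshowaudit output in the post, including the record
# that wrapped onto a second line and a blank line between records.
SAMPLE_OUTPUT = """\
ONLN|2002-10-31 14:25:10.000|digger2|2684|pat|pat|0:CRDB:test:-

ONLN|2002-10-31 14:25:28.000|digger2|2684|pat|pat|0:OPDB:sysmaster:0:-
ONLN|2002-10-31 14:25:28.000|digger2|2684|pat|pat|0:DRDB:test:-
ONLN|2002-10-31 14:38:35.000|digger2|2711|informix|informix|
           0:OPDB:sysmaster:0:-
"""

def parse_audit_record(line, default_severity=25):
    """One ONLN record -> dict. Assumed layout (from the page's records):
    tag|timestamp|host|pid|server|user|errno:EVENT:arg1:arg2...
    The record carries no severity, so the SIEM default is applied."""
    parts = line.split("|", 6)
    if len(parts) != 7 or parts[0] != "ONLN":
        raise ValueError("not an ONLN audit record: %r" % line)
    tag, ts, host, pid, server, user, detail = parts
    errno, event, *args = detail.split(":")
    return {
        "tag": tag,
        "timestamp": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f"),
        "host": host, "session": int(pid), "server": server, "user": user,
        "errno": int(errno), "event": event,
        "event_name": EVENT_NAMES.get(event, "unknown event " + event),
        "object": args[0] if args else "",  # database, table, role ...
        "args": args,
        "severity": default_severity,
    }

def parse_onshowaudit(text, default_severity=25):
    """Parse a whole onshowaudit dump, rejoining records wrapped over lines."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("ONLN|"):
            if current is not None:
                records.append(current)
            current = line
        elif current is not None:
            current += line  # continuation of a wrapped record
    if current is not None:
        records.append(current)
    return [parse_audit_record(r, default_severity) for r in records]

def events_by_user(records):
    """Event codes per user, in the order they were logged."""
    out = {}
    for rec in records:
        out.setdefault(rec["user"], []).append(rec["event"])
    return out

def sync_audit_files(adtpath, pickup_dir):
    """Copy audit files from ADTPATH to the pickup directory. Files already
    present with the same size are skipped, so repeated cron runs are
    idempotent, and nothing under ADTPATH is ever removed."""
    os.makedirs(pickup_dir, exist_ok=True)
    copied = []
    for name in sorted(os.listdir(adtpath)):
        src, dst = os.path.join(adtpath, name), os.path.join(pickup_dir, name)
        if not os.path.isfile(src):
            continue
        if os.path.exists(dst) and os.path.getsize(dst) == os.path.getsize(src):
            continue
        shutil.copy2(src, dst)
        copied.append(name)
    return copied

def demo_sync():
    """Two sync runs against a temporary ADTPATH holding one constructed file;
    returns (first-run copies, second-run copies, original still present)."""
    with tempfile.TemporaryDirectory() as tmp:
        adtpath, pickup = os.path.join(tmp, "auditing"), os.path.join(tmp, "siem")
        os.makedirs(adtpath)
        audit_file = os.path.join(adtpath, "audit_file.0")  # assumed file name
        with open(audit_file, "w") as fh:
            fh.write(SAMPLE_OUTPUT)
        first = sync_audit_files(adtpath, pickup)
        second = sync_audit_files(adtpath, pickup)
        return first, second, os.path.exists(audit_file)

if __name__ == "__main__":
    for rec in parse_onshowaudit(SAMPLE_OUTPUT):
        print(rec["timestamp"], rec["user"], rec["event"], rec["event_name"], rec["object"])
    print(events_by_user(parse_onshowaudit(SAMPLE_OUTPUT)), demo_sync())
```

Run from cron against the real ADTPATH, sync_audit_files only ever adds files to the pickup directory, so the Receiver's "delete processed files" setting removes copies, never the audit trail the database server wrote; parse_onshowaudit gives the same per-field split the Field Assignment tab needs, and events_by_user reproduces the observation above that pat shows CRDB, OPDB and DRDB while informix shows only OPDB.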

Re: Support Informix version 10.0 as a data source

Hello,

Interesting article and some additional information about Informix:

https://kc.mcafee.com/corporate/index?page=content&id=KB74120

In case the above information was useful or answered your question, please select "Accept as Solution" in my reply, or give a Kudo. Thanks!
Nino