To collect logs from IBM Informix Dynamic Server™ version 10.0 installed on a Linux platform, we first need to set up auditing, which enables the recording of selected user activities on the database server.
3.1.1 Auditing Setup
1. Log in as user informix.
2. Auditing is turned off by default when you install the database server. To turn it on, edit $INFORMIXDIR/aaodir/adtcfg as follows:
Change ADTMODE from 0 (the default) to 1. A value of 1 means that database server-managed auditing is on for all sessions.
Change ADTPATH to the full path of the directory in which the database server should save the audit files. The directory should be owned by user informix, with group informix and permissions 755, to prevent unauthorized access to the audit files.
For this example we will use /usr/informix/auditing for ADTPATH.
Note that the CRDB (create database), OPDB (open database) and DRDB (drop database) events appear for user pat, while user informix shows only OPDB.
Activate auditing so that it generates log files of the limited size listed above.
Create a cron job that copies the log files to a separate location dedicated to McAfee SIEM. This way the original log files are never deleted and we work only with a duplicate copy.
Install and enable SFTP on the Linux server so that SFTP can be used as the Data Retrieval method with McAfee SIEM.
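The cron-driven copy described in the two steps above, as an added example script that is not part of the original post. It uses the ADTPATH from this example as the source; the pickup directory /usr/informix/siem_pickup and the script name are assumptions. The script copies each rotated audit file exactly once, skips the newest file on the assumption that the server is still writing to it, and never removes anything from ADTPATH, so the SIEM only ever deletes its own copies.

```shell
#!/bin/sh
# Added example, not from the original post: a cron-driven copy of rotated
# Informix audit files into a pickup directory that the SIEM reads over SFTP.
# Originals in ADTPATH are never deleted; the SIEM deletes only the copies.
# AUDIT_SRC matches the ADTPATH used above; SIEM_DST is an assumed path.

AUDIT_SRC="${AUDIT_SRC:-/usr/informix/auditing}"
SIEM_DST="${SIEM_DST:-/usr/informix/siem_pickup}"

# sync_audit_logs SRC DST: copy each file in SRC to DST once. The newest file
# in SRC is assumed to be the audit file the server is still writing and is
# skipped, so the SIEM never receives a half-written file. Names already handed
# over are recorded in DST/.sent, so a copy the SIEM has processed and deleted
# is not copied (and ingested) a second time. Prints the number of files copied.
sync_audit_logs() {
    src=$1
    dst=$2
    sent="$dst/.sent"
    mkdir -p "$dst"
    chmod 755 "$dst"
    touch "$sent"
    active=$(ls -t "$src" 2>/dev/null | head -n 1)
    count=0
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        [ "$name" = "$active" ] && continue
        if grep -qxF "$name" "$sent"; then
            continue
        fi
        cp -p "$f" "$dst/$name" && echo "$name" >> "$sent"
        count=$((count + 1))
    done
    echo "$count"
}

# demo: run the sync against constructed audit files in a temporary directory
# and print "<copied on first run> <copied on second run> <originals left>".
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/adt"
    for n in 1 2 3; do
        echo "ONLN|constructed rotated audit file $n" > "$tmp/adt/dbsrv.$n"
        touch -t 202401010000 "$tmp/adt/dbsrv.$n"   # older: rotation finished
    done
    echo "ONLN|constructed active audit file" > "$tmp/adt/dbsrv.4"  # newest: still open
    first=$(sync_audit_logs "$tmp/adt" "$tmp/pickup")
    rm -f "$tmp/pickup/dbsrv.1"          # the SIEM deletes a copy it has processed
    second=$(sync_audit_logs "$tmp/adt" "$tmp/pickup")
    left=$(ls "$tmp/adt" | wc -l | tr -d ' ')
    rm -rf "$tmp"
    echo "$first $second $left"
}

case "${1:-}" in
    run)  sync_audit_logs "$AUDIT_SRC" "$SIEM_DST" ;;   # what the cron entry invokes
    demo) demo ;;
esac
```

A cron entry such as `*/5 * * * * /usr/local/bin/informix_audit_sync.sh run` (path assumed) running as user informix is enough; the SFTP account used by the SIEM only needs read and delete rights on the pickup directory, not on ADTPATH.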
3 McAfee Receiver Configuration
After successfully logging into the McAfee ESM console, the data source “Informix” needs to be added to a McAfee Receiver in the ESM hierarchy.
Configure McAfee SIEM to pull the log files using SFTP File Source as the Data Retrieval method over port 22. After a log file has been processed it is essential to delete it, so that McAfee SIEM does not pull the same log file repeatedly. Fill in the IP address of the Informix host, the path of the directory holding the log files and the required credentials, as shown in the picture below:
Picture 1: Data source Screen Settings
Support Generic Syslogs: Log “unknown syslog” event
After the log-collection phase, some events arrive as unknown because no regular expression in an ASP rule matches those packets, so we need to create an Advanced Syslog Parser (ASP) rule to handle them.
When creating the ASP rule, first copy one sample of each distinct packet format, so that similar packets are not parsed repeatedly.
Severity: if the packet contains a severity it is used; otherwise McAfee SIEM uses the Default Severity that you specify while building the parser.
Action: map this field to specific names.
Date format: parse the date/timestamp of the log message using the variables.
Tag: select a suitable tag, for example Informix.
Rule Assignment Type: set it to Group rules by vendor (for example: Informix).
Use the vendor (“Informix”) documentation to learn the meaning of each field in the packet; based on that you can parse it correctly in the Field Assignment tab and select the right Normalized ID.
If no field in the Field Assignment tab fits your purpose, you can define custom types from the ESM properties.
The field that maps to Signature Description in the Field Assignment tab is shown as the Rule Message in the Default Summary View of “Event Summary”.
After all unknown syslog events have been parsed, we can temporarily change Support Generic Syslogs to Parse as generic syslog for a short period, and once the rule matches all the logs, change it back to the default: Do nothing.
Support Generic Syslogs:
Do nothing: Ignore logs that cannot be parsed
Parse as generic syslog: Best effort “SYSLOG” parsing
Log “unknown syslog” event: Mark logs that cannot be parsed as “Unknown”
Activate the ASP rule and roll out the policy to distribute it to the Receiver.
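Before the rule is built, it helps to check a captured audit file the way the ASP steps above describe: reduce it to one sample per distinct packet format, then confirm that the field mapping (user, event code as Signature, database as object, Default Severity because the record carries none) extracts what is expected for each format. The script below is an added example, not part of the original post or of McAfee's ASP engine. The sample records are constructed and follow the pipe-delimited layout documented for Informix audit records (ONLN|date time|host|pid|server|user|errno:EVENT:event-specific fields); that layout is an assumption here and should be confirmed against the vendor documentation, as the text above advises.

```shell
#!/bin/sh
# Added example, not from the original post: shape-check a captured audit file
# before building the ASP rule. The records below are constructed and follow
# the pipe-delimited layout documented for Informix audit records
# (ONLN|date time|host|pid|server|user|errno:EVENT:event-specific fields);
# confirm the layout against the vendor documentation before relying on it.

SAMPLE=$(cat <<'EOF'
ONLN|2024-01-15 09:12:01.000|dbhost1|4711|ol_dbsrv|pat|0:CRDB:stores_demo
ONLN|2024-01-15 09:12:05.000|dbhost1|4711|ol_dbsrv|pat|0:OPDB:stores_demo:0:-
ONLN|2024-01-15 09:13:44.000|dbhost1|4712|ol_dbsrv|informix|0:OPDB:sysmaster:0:-
ONLN|2024-01-15 09:20:10.000|dbhost1|4711|ol_dbsrv|pat|0:DRDB:stores_demo
ONLN|2024-01-15 09:21:00.000|dbhost1|4713|ol_dbsrv|pat|-387:OPDB:stores_demo:0:-
EOF
)

# distinct_formats: read records on stdin and print one signature per record
# shape (event code plus number of colon-separated fields), so that only one
# sample of each shape needs to be pasted into the ASP rule editor.
distinct_formats() {
    awk -F'|' '{ n = split($7, e, ":"); print e[2] "/" n }' | sort -u
}

# extract_fields DEFAULT_SEVERITY: emulate the Field Assignment mapping on
# stdin records, printing user, event code (Signature), database (object),
# outcome derived from the error code, severity and the raw timestamp. The
# record carries no severity, so the rule's Default Severity is used throughout.
extract_fields() {
    awk -F'|' -v sev="$1" '{
        split($7, e, ":")
        outcome = (e[1] == "0") ? "success" : "failure"
        print $6, e[2], e[3], outcome, sev, $2
    }'
}

# format_count: number of distinct record shapes in the sample (5 records, 3 shapes).
format_count() {
    printf '%s\n' "$SAMPLE" | distinct_formats | wc -l | tr -d ' '
}

# events_for_user USER: sorted, space-separated event codes seen for USER,
# the per-user view described above (pat: CRDB DRDB OPDB; informix: OPDB).
events_for_user() {
    printf '%s\n' "$SAMPLE" | extract_fields 25 |
        awk -v u="$1" '$1 == u { print $2 }' | sort -u | paste -s -d ' ' -
}

if [ "${1:-}" = "run" ]; then
    printf '%s\n' "$SAMPLE" | distinct_formats
    printf '%s\n' "$SAMPLE" | extract_fields 25
fi
```

Run it with `sh script.sh run` to see the three format signatures and the mapped fields; the signature list is what you paste into the rule editor one sample at a time, and the timestamp column is the value the Date format step has to match.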