To collect logs from IBM Informix Dynamic Server™ version 10.0 installed on a Linux platform, auditing must first be set up on the database server; auditing records the selected user activities that the SIEM will later ingest.
3.1.1 Auditing Setup
1. Log in as user informix.
2. Auditing is turned off by default when the database server is installed. To turn it on, edit $INFORMIXDIR/aaodir/adtcfg as follows:
- Change ADTMODE from 0 (the default) to 1. A value of 1 means that database server-managed auditing is on for all sessions.
- Change ADTPATH to the full path of the directory in which the database server should write its audit files. The directory should be owned by user informix, group informix, with permissions 755, so that only user informix can create or remove files there. Audit records name users, databases and objects; if other local accounts must not be able to read them, use 750 instead.
For this example, /usr/informix/auditing is used for ADTPATH.
The resulting adtcfg file therefore contains ADTMODE 1 and ADTPATH /usr/informix/auditing.
3. Stop and restart the engine so that the new settings take effect.
4. Run onaudit -c to confirm that the audit configuration parameters are correct. The output is displayed as follows:
ADTMODE = 1
ADTERR = 0
ADTPATH = /usr/informix/auditing
ADTSIZE = 50000
Audit file = 0
Auditing is now turned on.
5. Create the audit mask _require, which applies automatically to all users. In this example the _require mask is created with the events IBM recommends for Informix:
onaudit -a -u _require -e +OPDB,GRDB,RVDB,GRTB,RVTB,CRRL,STRL,STSA,STOM,GRRL,RVRL,GRFR,RVFR
3.1.2 Auditing Demonstration
1. Create an individual user mask. For this example the user mask is pat, and the events to be audited are creating and dropping databases:
onaudit -a -u pat -e +CRDB,DRDB
2. Run onaudit -o -y to show the audit events for all the defined users. The output is displayed as follows:
_require - GRDB,GRTB,OPDB,RVDB,RVTB,STOM,GRFR,RVFR,CRRL,GRRL,RVRL,STRL,STSA
pat - CRDB,DRDB
3. Execute the following SQL statements as user pat (for example in dbaccess):
CREATE DATABASE test;
CREATE TABLE tab1 (id INTEGER);  -- column list assumed here; the original omits it
CLOSE DATABASE;                  -- Informix refuses to drop the current database
DROP DATABASE test;
4. Run onshowaudit to display the tracked events for user pat.
5. Repeat step 3 as user informix.
6. Run onshowaudit to display the tracked events for user informix.
Note that the CRDB (create database), OPDB (open database) and DRDB (drop database) events are shown for user pat, but user informix shows only OPDB. This is expected: OPDB comes from the _require mask, which applies to every user, whereas CRDB and DRDB are only in pat's individual mask, and user informix has no individual mask. The CREATE TABLE statement is recorded for neither user, because no mask includes a table-creation event. If the activity of the administrative user informix must be audited with the same coverage, give it an individual mask as well.
On the Linux side, the following must be in place before the SIEM can collect the records:
- Auditing is active and the server starts a new audit file when the current one reaches ADTSIZE (50000 in the configuration listed above), so the files stay small enough to transfer.
- A cron job copies the audit files to a separate directory dedicated to McAfee SIEM. The original files under ADTPATH are never deleted or modified; the SIEM works only with the copies.
- An SSH server with the SFTP subsystem enabled (OpenSSH provides it) is running on the Linux server, so that SFTP can be used as the Data Retrieval method for McAfee SIEM. Use a dedicated account for the SIEM that can read and delete files only in the copy directory, not in ADTPATH.
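The cron job described above, as an added example (not code from the page, IBM or McAfee): a Python script that copies only completed audit files into a pickup directory and never touches the originals. Two assumptions are labelled in the code: audit files under ADTPATH are named servername.N with the highest N still being written (onaudit -c shows that counter as "Audit file = N"), and /var/siem/informix is a hypothetical pickup directory that the SIEM empties after each pull, which is why a state file, not the pickup directory, records what was already delivered.

```python
#!/usr/bin/env python3
"""Cron job: copy completed Informix audit files to a SIEM pickup directory.

Added example for this page, not IBM or McAfee code. Assumptions:
- audit files in ADTPATH are named <servername>.<N> (e.g. ol_demo.0); the
  highest N is the file the server is still writing and is skipped until
  the next rollover;
- /var/siem/informix is a hypothetical pickup directory that the SIEM pulls
  over SFTP and empties afterwards, so "already in the pickup dir" cannot
  tell us what was delivered; a state file records that instead.
Originals in ADTPATH are never modified or deleted.
"""
import os
import re
import shutil
import tempfile

AUDIT_FILE_RE = re.compile(r"^(?P<server>[A-Za-z0-9_]+)\.(?P<seq>\d+)$")


def list_audit_files(src_dir):
    """(seq, name) pairs for files named server.N in src_dir, ascending by N."""
    found = []
    for name in os.listdir(src_dir):
        m = AUDIT_FILE_RE.match(name)
        if m and os.path.isfile(os.path.join(src_dir, name)):
            found.append((int(m.group("seq")), name))
    return sorted(found)


def completed_files(entries):
    """Everything except the highest-numbered file, which is still active."""
    return [name for _seq, name in entries[:-1]]


def load_delivered(state_file):
    if not os.path.exists(state_file):
        return set()
    with open(state_file) as fh:
        return {ln.strip() for ln in fh if ln.strip()}


def sync_audit_files(src_dir, dst_dir, state_file):
    """Copy completed, not-yet-delivered audit files into dst_dir.

    Returns the names copied this run. Each file is written as name.part,
    set to 0640, then renamed into place, so an SFTP pull running at the
    same time never sees a half-written file. The directory is group
    writable so the SIEM account (as group) can delete what it has pulled.
    """
    os.makedirs(dst_dir, mode=0o770, exist_ok=True)
    delivered = load_delivered(state_file)
    copied = []
    for name in completed_files(list_audit_files(src_dir)):
        if name in delivered:
            continue
        tmp = os.path.join(dst_dir, name + ".part")
        shutil.copyfile(os.path.join(src_dir, name), tmp)
        os.chmod(tmp, 0o640)
        os.replace(tmp, os.path.join(dst_dir, name))
        copied.append(name)
    if copied:
        with open(state_file, "a") as fh:
            fh.write("".join(n + "\n" for n in copied))
    return copied


def demo():
    """Three runs against a constructed ADTPATH in temp dirs (not real data)."""
    root = tempfile.mkdtemp()
    src, dst = os.path.join(root, "auditing"), os.path.join(root, "pickup")
    state = os.path.join(root, "delivered.txt")
    os.makedirs(src)
    for n in range(3):  # ol_demo.0 and .1 are complete, .2 is being written
        with open(os.path.join(src, f"ol_demo.{n}"), "w") as fh:
            fh.write(f"ONLN|constructed record {n}\n")
    first = sync_audit_files(src, dst, state)
    mode = oct(os.stat(os.path.join(dst, "ol_demo.0")).st_mode & 0o777)
    for name in first:                              # the SIEM pulls and deletes
        os.remove(os.path.join(dst, name))
    second = sync_audit_files(src, dst, state)      # nothing new, no re-delivery
    open(os.path.join(src, "ol_demo.3"), "w").close()   # server rolled over
    third = sync_audit_files(src, dst, state)       # now ol_demo.2 is complete
    originals = sorted(os.listdir(src))
    shutil.rmtree(root)
    return first, mode, second, third, originals


if __name__ == "__main__":
    print(demo())
```

Run it from the informix crontab every few minutes with the real ADTPATH, pickup directory and a state file outside the pickup directory, and make the SIEM's SFTP account the group owner of the pickup directory. Because rollover is driven by ADTSIZE, a quiet server can keep the same active file for a long time; onaudit -n starts a new audit file on demand so the previous one becomes deliverable.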
3 McAfee Receiver Configuration
After logging in to the McAfee ESM console, add a data source named "Informix" to a McAfee Receiver in the ESM hierarchy.
Configure the data source to pull the log files with the SFTP File Source as the Data Retrieval method over port 22, and enable deletion of processed files so that the Receiver does not ingest the same log file repeatedly. This deletes only the copies in the directory dedicated to the SIEM, not the originals under ADTPATH. Enter the IP address of the Informix host, the path of the directory holding the log copies, and the credentials of the account used for the pull; see the picture below:
Picture 1: Data source Screen Settings
Set Support Generic Syslogs to Log "unknown syslog" event.
Once log collection is running, some events will be reported as unknown because no regular expression in an ASP rule matches those packets. Create an Advanced Syslog Parser (ASP) rule to handle them.
When creating the ASP rule, copy in one sample of each distinct packet format only; parsing several samples of the same format repeats the work without adding coverage.
Severity: if a severity is present in the packet it is used; otherwise McAfee SIEM applies the Default Severity you specify in the rule. Informix audit records carry no severity field, so the default always applies to them.
Action: map this field to specific action names.
Date format: parse the date/timestamp of the log message using the date variables.
Tag: select a suitable tag, for example Informix.
Rule Assignment Type: select Group rules by vendor (for example Informix).
Use the vendor documentation for Informix to learn the meaning of each field in the packet; with that you can map the fields correctly in the Field Assignment tab and select the right Normalized ID.
If no field in the Field Assignment tab fits your purpose, you can define custom types in the ESM properties.
The field mapped to Signature Description in the Field Assignment tab is shown as the Rule Message in the Default Summary View under Event Summary.
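To make the Field Assignment concrete, here is an added example (not McAfee's parser and not IBM code) that does in Python what an ASP rule does: one regular expression per record format with named capture groups as the assigned fields, a default severity because the records carry none, an action derived from the error number, and an Informix rule message per event mnemonic. The record layout is assumed from the onshowaudit format (pipe-separated header, then errno:EVENT:fields separated by colons, with the first event field taken as the database name); check it against a record from your own ADTPATH before copying the regex into a rule. The sample records are constructed for the example, not captured output.

```python
#!/usr/bin/env python3
"""Parse Informix server-managed audit records the way an ASP rule does.

Added example for this page, not McAfee's parser or IBM code. Assumed
layout (from the onshowaudit format, verify against your own files):
ONLN|YYYY-MM-DD HH:MM:SS.mmm|host|pid|servername|user|errno:EVENT:fields
where fields are colon separated and the first one is the database name
for the events audited on this page. SAMPLE below is constructed.
"""
import re
from datetime import datetime

# One regex per record format, as in the ASP rule; the named groups are
# the Field Assignment.
AUDIT_RE = re.compile(
    r"^ONLN\|(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+"
    r"\|(?P<host>[^|]+)\|(?P<pid>\d+)\|(?P<server>[^|]+)\|(?P<user>[^|]+)"
    r"\|(?P<errno>-?\d+):(?P<event>[A-Z]{4})(?::(?P<fields>.*))?$"
)

# Mnemonics used on this page with their documented meanings; this is the
# Signature Description that ESM shows as the Rule Message.
EVENT_DESC = {
    "CRDB": "Create Database", "DRDB": "Drop Database", "OPDB": "Open Database",
    "GRDB": "Grant Database Access", "RVDB": "Revoke Database Access",
    "GRTB": "Grant Table Access", "RVTB": "Revoke Table Access",
    "CRRL": "Create Role", "GRRL": "Grant Role", "RVRL": "Revoke Role",
    "STRL": "Set Role", "STSA": "Set Session Authorization",
    "STOM": "Set Object Mode",
    "GRFR": "Grant Fragment Access", "RVFR": "Revoke Fragment Access",
}

# The records carry no severity, so the rule's Default Severity is used.
# The two values are a policy chosen for this example, not a standard.
DEFAULT_SEVERITY = 25
FAILURE_SEVERITY = 60   # nonzero errno: the server refused the action


def parse_record(line):
    """Field assignment for one record, or None if the regex does not match."""
    m = AUDIT_RE.match(line.strip())
    if not m:
        return None
    f = m.groupdict()
    errno = int(f["errno"])
    fields = (f["fields"] or "").split(":")
    return {
        "first_time": datetime.strptime(f["ts"], "%Y-%m-%d %H:%M:%S"),
        "host": f["host"],
        "server": f["server"],
        "source_user": f["user"],
        "object": fields[0],         # database name (assumed first event field)
        "event": f["event"],
        "action": "success" if errno == 0 else "failure",   # Action mapping
        "errno": errno,
        "severity": DEFAULT_SEVERITY if errno == 0 else FAILURE_SEVERITY,
        "rule_message": "Informix " + EVENT_DESC.get(f["event"], f["event"]),
        "tag": "Informix",           # Tag / group rules by vendor
    }


def parse_lines(lines):
    """Split input into parsed events and the lines the rule did not match,
    i.e. the ones the Receiver would report as "unknown syslog" events."""
    parsed, unknown = [], []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec is None:
            unknown.append(line)
        else:
            parsed.append(rec)
    return parsed, unknown


# Constructed sample: pat's demo session, one refused GRANT, user informix
# opening the database, and one unrelated syslog line the rule must not eat.
SAMPLE = """\
ONLN|2008-05-12 10:15:03.000|dbhost1|21744|ol_demo|pat|0:CRDB:test
ONLN|2008-05-12 10:15:03.000|dbhost1|21744|ol_demo|pat|0:OPDB:test:0:-
ONLN|2008-05-12 10:15:09.000|dbhost1|21744|ol_demo|pat|0:DRDB:test
ONLN|2008-05-12 10:15:30.000|dbhost1|21744|ol_demo|pat|-387:GRDB:test:bob
ONLN|2008-05-12 10:16:40.000|dbhost1|21810|ol_demo|informix|0:OPDB:test:0:-
<13>May 12 10:17:00 dbhost1 sshd[4242]: constructed line not from Informix
"""

if __name__ == "__main__":
    events, leftovers = parse_lines(SAMPLE.splitlines())
    for e in events:
        print(e["first_time"], e["source_user"], e["event"], e["action"],
              e["severity"], e["rule_message"])
    print("unmatched:", leftovers)
```

The unmatched line shows why the Support Generic Syslogs setting matters: anything the rule's regex does not cover is either dropped, parsed on a best-effort basis, or flagged as unknown, depending on that setting. Mapping a nonzero error number to a failure action, and rating it higher, is what turns a list of audit records into something a detection rule can key on (repeated refused GRANT or CREATE DATABASE attempts by one user, for instance).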
Once all unknown syslog events have been given a rule, switch Support Generic Syslogs temporarily to Parse as generic syslog; when the rules match all the logs, change it back to the default, Do nothing.
Support Generic Syslogs:
- Do nothing: Ignore logs that cannot be parsed
- Parse as generic syslog: Best effort “SYSLOG” parsing
- Log “unknown syslog” event: Mark logs that cannot be parsed as “Unknown”
Activate the ASP rule and roll out the policy to distribute it to the Receiver.