OpenVMS logs to be sent using syslog

I have a number of versions of openVMS, 5.5.2 - vax, 8.3 - Alpha,  and 8.3.1 -Integrity, and have been asked to send the key authentication log information via syslog to a SIEM.   Is there an official way of doing this that would be acceptable to the business?   Is there also a documented way to do this?   I have found a few things via google but there's no one 'validated' way.

Thanks
mozza2010 asked:
noci (Software Engineer) commented:
No.

What you can do is Create a LAT port, enable it for OPCOM messages and then handle all Broadcasts (through a BroadcastMailbox).
Then you will receive all messages in a mailbox that you can read and pass on to other sites using f.e. the syslog protocol.

Some observations:
- Syslog uses one-liners as message, most of them are quite terse
- OPCOM messages are spread around many lines and are rather verbose, most of the lines cannot be easily discarded. So you need to make a parser that will get all relevant bits and concatenate that to one line and handle that one.
- Many syslog post processing systems do expect an event to be ONE message.

If you are just interested in security violations you might be better off with tapping the AUDIT_SERVER and handle its messages.
BillPedersen commented:
Which key authentication information are you looking to capture and send?

This might give us a better idea of what you are trying to do.

Also since OpenVMS does not use a syslog function we need to determine what the request really needs.

Bill.
mozza2010 (Author) commented:
I have been given a list of the events that need to be logged.
Successful and failed logins
Logon to and activity using privileged accounts
Creation, modification, and deletion of accounts
Unauthorised attempts to access restricted network locations
Changes to configuration on dedicated security devices
Changes to security configuration
Changes to access rights
Classification of sensitive data and logging of access and changes to such data
Use of shared or group accounts
Failed access attempts to data and resources

This is the information that I have found so far:

http://labs.hoffmanlabs.com/node/1257
http://labs.hoffmanlabs.com/node/1428
http://forums13.itrc.hp.com/service/forums/questionanswer.do?admit=109447627+1282305362644+28353475&threadId=532169
http://home.insightbb.com/~hemker/vms.html

Thanks

BillPedersen commented:
Well, 5.5-2 is probably going to be a challenge since there have been significant changes and improvements in event logging since that version was released in the early 1990s - almost 20 years ago.  There are newer versions if you can upgrade - 7.2 was the last version for VAX.  If you have to stay with 5.5-2 a bit more research will be necessary to see what you need to do here.  I suspect you can do something similar to the mailbox operation discussed below.  You just might not get the ability to see as much information or details.

Let's look at the 8.3.x systems.  Here you can create and get the audit server security logs sent to a listener mailbox and then have a program/command procedure read the mailbox and dispatch the messages that come as you desire/need.  See the HP OpenVMS Guide to System Security/Security for the System Administrator/Security Auditing/Methods of Capturing Event Messages.

You can probably take care of most of your needs then with it being entirely based on software.

Some of your requirements might be a bit difficult unless you have certain procedures built into your process.

Use of shared/group accounts - well, if you do not let them have them you do not need to report, but the ability of a user to share their information may be beyond your control.  You might need to add code to prevent multiple log in by a user for instance but that only prevents simultaneous use, not serial use.

Successful login versus login to privileged account - am not sure there exists any differentiation to this at present.  You might need to interface to the authentication database to figure out if a given account has privileges.

The audit server process has the following functionality:

    * Logins, logouts, or login failures

    * Changes to the authorization database

    * Access to a protected object, such as a file, device, or global section

    * Changes in privileges or the security attributes of protected objects

You will have to modify the default audit levels as well.  There are details of this earlier in the above referenced manual.

Bill.
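The forwarder that both noci (one OPCOM/audit message spread over many lines must become ONE syslog event) and Bill (a program reads the audit server's listener mailbox and dispatches the messages) describe, as an added example that is not part of this thread or of OpenVMS itself. It takes the text already drained from the mailbox (the SYS$QIO mailbox read on the OpenVMS side is not shown), splits it into whole messages at the OPCOM banner, collects the "Label: value" lines of each message into one RFC 3164 line, and ships it to a UDP syslog collector. The sample alarm is constructed to resemble the layout of an OpenVMS security alarm and is not a captured message; the event-to-severity mapping, the `audit_server` tag and the `send_udp` target are the author's own choices, not anything the manual prescribes.

```python
"""Added example: one multi-line OpenVMS audit-server/OPCOM message -> one
RFC 3164 syslog line.  Not code from the thread or from OpenVMS."""
import re
import socket
from datetime import datetime

# Constructed sample, modelled on the layout of an OpenVMS security alarm as
# delivered by AUDIT$SERVER through OPCOM.  It is not a captured message.
SAMPLE_ALARM = """\
%%%%%%%%%%%  OPCOM  12-AUG-2010 10:14:22.17  %%%%%%%%%%%
Message from user AUDIT$SERVER on NODE1
Security alarm (SECURITY) and security audit (SECURITY) on NODE1, system id: 1025
Auditable event:          Local interactive login failure
Event time:               12-AUG-2010 10:14:22.16
PID:                      00000123
Process name:             _TTA1:
Username:                 SMITH
Process owner:            [USERS,SMITH]
Terminal name:            _TTA1:
Status:                   %LOGIN-F-INVPWD, invalid password
"""

FACILITY_AUTH = 4                  # RFC 3164 facility 4: security/authorization
SEV_NOTICE, SEV_WARNING = 5, 4     # RFC 3164 severities

OPCOM_BANNER = re.compile(r"^%{5,}\s+OPCOM\s")
FIELD_LINE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s{2,}(.*)$")


def split_messages(stream):
    """Split text drained from the listener mailbox into whole OPCOM messages,
    so that each audit event becomes exactly one syslog record."""
    messages, current = [], []
    for line in stream.splitlines():
        if OPCOM_BANNER.match(line) and current:
            messages.append("\n".join(current))
            current = []
        if line.strip():
            current.append(line)
    if current:
        messages.append("\n".join(current))
    return messages


def parse_alarm(message):
    """Collect the 'Label:   value' lines of one alarm into a dict, plus the
    node name from the 'Security alarm ... on NODE, system id' line."""
    fields = {}
    for line in message.splitlines():
        m = FIELD_LINE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    m = re.search(r"\bon (\S+), system id", message)
    if m:
        fields["Node"] = m.group(1)
    return fields


def severity_for(event):
    """Map the audit event class to a syslog severity (author's choice)."""
    e = event.lower()
    return SEV_WARNING if ("failure" in e or "breakin" in e) else SEV_NOTICE


def to_syslog_line(message, facility=FACILITY_AUTH):
    """Render one alarm as a single RFC 3164 line:
    <PRI>TIMESTAMP HOST TAG: key="value" key="value" ..."""
    f = parse_alarm(message)
    event = f.get("Auditable event", "unknown event")
    pri = facility * 8 + severity_for(event)
    ts = datetime.strptime(f["Event time"], "%d-%b-%Y %H:%M:%S.%f")
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"   # RFC 3164: space-padded day
    host = f.get("Node", "unknown")
    skip = {"Event time", "Node"}
    body = " ".join(f'{k.lower().replace(" ", "_")}="{v}"'
                    for k, v in f.items() if k not in skip)
    # No newline survives into the result: the SIEM treats one line as one event.
    return f"<{pri}>{stamp} {host} audit_server: {body}"


def send_udp(line, host, port=514):
    """Ship one line to the SIEM's UDP syslog collector (hypothetical target)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode("ascii", "replace"), (host, port))


if __name__ == "__main__":
    for msg in split_messages(SAMPLE_ALARM):
        print(to_syslog_line(msg))   # in use: send_udp(line, "siem.example")
```

The split on the OPCOM banner is what keeps one audit event from arriving at the SIEM as ten separate messages; if the mailbox reader hands over partial messages, buffer until the next banner before calling `to_syslog_line`. Bill's point about privileged accounts still stands: nothing in the alarm text says whether SMITH holds privileges, so that lookup would have to come from the authorization database, not from this parser.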
bonzothecat commented:
I did just come up with something rather similar to what you requested using the OpenVMS Audit facility, as Bill suggested above, a freeware version of logger.c, and some C code borrowed from eight-cubed. But no, I would say there is not an 'official' way to do this.