Solved

OpenVMS logs to be sent using syslog

Posted on 2010-08-20
5
1,453 Views
Last Modified: 2014-11-15
I have a number of versions of OpenVMS, 5.5.2 - VAX, 8.3 - Alpha, and 8.3.1 - Integrity, and have been asked to send the key authentication log information via syslog to a SIEM. Is there an official way of doing this that would be acceptable to the business? Is there also a documented way to do this? I have found a few things via Google but there's no one 'validated' way.

Thanks
0
Question by:mozza2010
5 Comments
 
LVL 39

Expert Comment

by:noci
ID: 33486080
No.

What you can do is create a LAT port, enable it for OPCOM messages and then handle all broadcasts (through a broadcast mailbox).
Then you will receive all messages in a mailbox that you can read and pass on to other sites using e.g. the syslog protocol.

Some observations:
- Syslog uses one-liners as messages, most of them are quite terse
- OPCOM messages are spread around many lines and are rather verbose, and most of the lines cannot be easily discarded. So you need to make a parser that will get all relevant bits and concatenate them into one line and handle that one.
- Many syslog post-processing systems do expect an event to be ONE message.

If you are just interested in security violations you might be better off tapping the AUDIT_SERVER and handling its messages.
0
 
LVL 2

Expert Comment

by:BillPedersen
ID: 33486432
Which key authentication information are you looking to capture and send?

This might give us a better idea of what you are trying to do.

Also since OpenVMS does not use a syslog function we need to determine what the request really needs.

Bill.
0
 

Author Comment

by:mozza2010
ID: 33486547
I have been given a list of the events that need to be logged.
Successful and failed logins
Logon to and activity using privileged accounts
Creation, modification, and deletion of accounts
Unauthorised attempts to access restricted network locations
Changes to configuration on dedicated security devices
Changes to security configuration
Changes to access rights
Classification of sensitive data and logging of access and changes to such data
Use of shared or group accounts
Failed access attempts to data and resources

This is the information that I have found so far:

http://labs.hoffmanlabs.com/node/1257
http://labs.hoffmanlabs.com/node/1428
http://forums13.itrc.hp.com/service/forums/questionanswer.do?admit=109447627+1282305362644+28353475&threadId=532169
http://home.insightbb.com/~hemker/vms.html

Thanks

0
 
LVL 2

Accepted Solution

by:BillPedersen earned 250 total points
ID: 33487031
Well, 5.5-2 is probably going to be a challenge since there have been significant changes and improvements in event logging since that version was released in the early 1990s - almost 20 years ago. There are newer versions if you can upgrade - 7.2 was the last version for VAX. If you have to stay with 5.5-2 a bit more research will be necessary to see what you need to do here. I suspect you can do something similar to the mailbox operation discussed below. You just might not get the ability to see as much information or details.

Let's look at the 8.3.x systems. Here you can get the audit server security logs sent to a listener mailbox and then have a program/command procedure read the mailbox and dispatch the messages that come as you desire/need. See the HP OpenVMS Guide to System Security / Security for the System Administrator / Security Auditing / Methods of Capturing Event Messages.

You can probably take care of most of your needs then with it being entirely based on software.

Some of your requirements might be a bit difficult unless you have certain procedures built into your process.

Use of shared/group accounts - well, if you do not let them have them you do not need to report, but the ability of a user to share their information may be beyond your control. You might need to add code to prevent multiple logins by a user for instance, but that only prevents simultaneous use, not serial use.

Successful login versus login to privileged account - I am not sure there exists any differentiation to this at present. You might need to interface to the authentication database to figure out if a given account has privileges.

The audit server process has the following functionality:

    * Logins, logouts, or login failures

    * Changes to the authorization database

    * Access to a protected object, such as a file, device, or global section

    * Changes in privileges or the security attributes of protected objects

You will have to modify the default audit levels as well.  There are details of this earlier in the above referenced manual.

Bill.

0
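As an added example (not code from this thread, from OpenVMS or from HP), here is the collapse-and-forward step that noci and Bill describe: one multi-line AUDIT_SERVER message, as it would be read from a listener mailbox, is parsed into fields and emitted as a single RFC 3164 syslog line so that the SIEM sees one event per message. The sample message, its field names and status code, and the mailbox read that would precede this are assumptions.

```python
import re
import socket
from datetime import datetime

# RFC 3164: PRI = facility * 8 + severity; facility 4 is "auth".
FACILITY_AUTH, SEV_WARNING, SEV_NOTICE = 4, 4, 5

# Constructed sample modeled on an AUDIT_SERVER alarm delivered to a listener
# mailbox; field names and the status code are illustrative, not captured output.
SAMPLE_AUDIT_MESSAGE = """\
%%%%%%%%%%%  OPCOM  20-AUG-2010 10:15:22.10  %%%%%%%%%%%
Message from user AUDIT$SERVER on NODE1
Security alarm (SECURITY) and security audit (SECURITY) on NODE1, system id: 1025
Auditable event:          Local interactive login failure
Event time:               20-AUG-2010 10:15:22.05
PID:                      2020011E
Username:                 SMITH
Status:                   %LOGIN-F-INVPWD, invalid password
"""

_HOST = re.compile(r"^Message from user \S+ on (\S+)")
_FIELD = re.compile(r"^([A-Za-z ]+?):\s+(.*\S)\s*$")

def parse_audit_message(text):
    """Return (host, {field: value}); the OPCOM banner and summary lines are dropped."""
    host, fields = "unknown", {}
    for line in text.splitlines():
        hm, fm = _HOST.match(line), _FIELD.match(line)
        if hm:
            host = hm.group(1)
        elif fm:
            fields[fm.group(1)] = fm.group(2)
    return host, fields

def audit_to_syslog(text):
    """Build one RFC 3164 line: <PRI>Mmm dd hh:mm:ss host audit_server: k=v; ..."""
    host, fields = parse_audit_message(text)
    event = fields.get("Auditable event", "unknown event")
    pri = FACILITY_AUTH * 8 + (SEV_WARNING if "failure" in event.lower() else SEV_NOTICE)
    try:  # VMS "20-AUG-2010 10:15:22.05" -> syslog "Aug 20 10:15:22" (day space-padded)
        ts = datetime.strptime(fields["Event time"], "%d-%b-%Y %H:%M:%S.%f")
        stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"
    except (KeyError, ValueError):
        stamp = "-"
    body = "; ".join(f"{k.lower().replace(' ', '_')}={v}" for k, v in fields.items())
    return f"<{pri}>{stamp} {host} audit_server: {body}"

def send_syslog(line, collector, port=514):  # ship one event to the SIEM's UDP syslog port
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(line.encode("ascii", "replace"), (collector, port))
```

Login failures map to severity warning and everything else to notice; extend the keyword test if your SIEM wants finer classes.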
 

Expert Comment

by:bonzothecat
ID: 40445098
I did just come up with something rather similar to what you requested using the OpenVMS Audit facility, as Bill suggested above, a freeware version of logger.c, and some C code borrowed from eight-cubed. But no, I would say there is not an 'official' way to do this.
0