Solved

OpenVMS logs to be sent using syslog

Posted on 2010-08-20
Last Modified: 2014-11-15
I have a number of versions of OpenVMS, 5.5.2 - VAX, 8.3 - Alpha, and 8.3.1 - Integrity, and have been asked to send the key authentication log information via syslog to a SIEM. Is there an official way of doing this that would be acceptable to the business? Is there also a documented way to do this? I have found a few things via Google but there's no one 'validated' way.

Thanks
Question by:mozza2010
5 Comments
 

Expert Comment

by:noci
ID: 33486080
No.

What you can do is create a LAT port, enable it for OPCOM messages and then handle all broadcasts (through a BroadcastMailbox).
Then you will receive all messages in a mailbox that you can read and pass on to other sites using, e.g., the syslog protocol.

Some observations:
- Syslog uses one-liners as messages, most of them are quite terse
- OPCOM messages are spread around many lines and are rather verbose, most of the lines cannot be easily discarded. So you need to make a parser that will get all relevant bits and concatenate that to one line and handle that one.
- Many syslog post processing systems do expect an event to be ONE message.

If you are just interested in security violations you might be better off tapping the AUDIT_SERVER and handling its messages.

Expert Comment

by:BillPedersen
ID: 33486432
Which key authentication information are you looking to capture and send?

This might give us a better idea of what you are trying to do.

Also since OpenVMS does not use a syslog function we need to determine what the request really needs.

Bill.
 

Author Comment

by:mozza2010
ID: 33486547
I have been given a list of the events that need to be logged.
Successful and failed logins
Logon to and activity using privileged accounts
Creation, modification, and deletion of accounts
Unauthorised attempts to access restricted network locations
Changes to configuration on dedicated security devices
Changes to security configuration
Changes to access rights
Classification of sensitive data and logging of access and changes to such data
Use of shared or group accounts
Failed access attempts to data and resources

This is the information that I have found so far:

http://labs.hoffmanlabs.com/node/1257
http://labs.hoffmanlabs.com/node/1428
http://forums13.itrc.hp.com/service/forums/questionanswer.do?admit=109447627+1282305362644+28353475&threadId=532169
http://home.insightbb.com/~hemker/vms.html

Thanks


Accepted Solution

by:
BillPedersen earned 250 total points
ID: 33487031
Well, 5.5-2 is probably going to be a challenge since there have been significant changes and improvements in event logging since that version was released in the early 1990s - almost 20 years ago. There are newer versions if you can upgrade - 7.2 was the last version for VAX. If you have to stay with 5.5-2 a bit more research will be necessary to see what you need to do here. I suspect you can do something similar to the mailbox operation discussed below. You just might not get the ability to see as much information or details.

Let's look at the 8.3.x systems. Here you can create a listener mailbox, get the audit server security logs sent to it, and then have a program/command procedure read the mailbox and dispatch the messages that come as you desire/need. See the HP OpenVMS Guide to System Security/Security for the System Administrator/Security Auditing/Methods of Capturing Event Messages.

You can probably take care of most of your needs then with it being entirely based on software.

Some of your requirements might be a bit difficult unless you have certain procedures built into your process.

Use of shared/group accounts - well, if you do not let them have them you do not need to report, but the ability of a user to share their information may be beyond your control. You might need to add code to prevent multiple logins by a user, for instance, but that only prevents simultaneous use, not serial use.

Successful login versus login to privileged account - am not sure there exists any differentiation to this at present.  You might need to interface to the authentication database to figure out if a given account has privileges.

The audit server process has the following functionality:

    * Logins, logouts, or login failures

    * Changes to the authorization database

    * Access to a protected object, such as a file, device, or global section

    * Changes in privileges or the security attributes of protected objects

You will have to modify the default audit levels as well.  There are details of this earlier in the above referenced manual.

Bill.
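
The flattening step discussed in the answers above (multi-line audit alarm in, one syslog message out), as an added example that is not part of the original thread. The sample alarm text, the function names, the `key="value"` layout and the rule that field labels are padded with two or more spaces are assumptions made for this example; reading the listener mailbox and transmitting the line are left out.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: layout modelled on an OPCOM security alarm, values made up. */
static const char SAMPLE_ALARM[] =
    "%%%%%%%%%%%  OPCOM  20-AUG-2010 10:15:02.11  %%%%%%%%%%%\r\n"
    "Message from user AUDIT$SERVER on NODEA\r\n"
    "Security alarm (SECURITY) on NODEA, system id: 1025\r\n"
    "Auditable event:          Local interactive login failure\r\n"
    "Event time:               20-AUG-2010 10:15:02.09\r\n"
    "Username:                 SMITH\r\n"
    "Status:                   %LOGIN-F-INVPWD, invalid password\r\n";

/* Flatten "Label:   value" lines into Label="value" pairs on one line; lines without
 * ":" plus two spaces (assumed padding) are skipped. Returns field count, -1 if too small. */
int flatten_alarm(const char *msg, char *out, size_t outlen)
{
    size_t used = 0;
    int fields = 0;
    while (*msg) {
        size_t len = strcspn(msg, "\n");
        const char *colon = memchr(msg, ':', len);
        if (colon && (size_t)(colon - msg) + 2 < len && colon[1] == ' ' && colon[2] == ' ') {
            const char *val = colon + 1, *end = msg + len;
            while (val < end && *val == ' ') val++;
            while (end > val && isspace((unsigned char)end[-1])) end--;
            if (used + (size_t)(colon - msg) + (size_t)(end - val) + 5 > outlen) return -1;
            if (fields++) out[used++] = ' ';
            for (const char *p = msg; p < colon; p++) out[used++] = (*p == ' ') ? '_' : *p;
            out[used++] = '='; out[used++] = '"';
            for (const char *p = val; p < end; p++) out[used++] = (*p == '"') ? '\'' : *p;
            out[used++] = '"';
        }
        msg += len + (msg[len] == '\n');
    }
    if (used >= outlen) return -1;
    out[used] = '\0';
    return fields;
}

/* RFC 5424 layout: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG, with "-" as nil. */
int syslog_line(int facility, int severity, const char *host,
                const char *flat, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "<%d>1 - %s AUDIT$SERVER - - - %s",
                     facility * 8 + severity, host, flat);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}
```

The syslog timestamp is left nil because the original event time travels inside the message as `Event_time`, so the SIEM can parse it from there.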



 

Expert Comment

by:bonzothecat
ID: 40445098
I did just come up with something rather similar to what you requested using the OpenVMS Audit facility, as Bill suggested above, a freeware version of logger.c, and some C code borrowed from eight-cubed. But no, I would say there is not an 'official' way to do this.