OpenVMS logs to be sent using syslog

I have a number of versions of OpenVMS, 5.5-2 - VAX, 8.3 - Alpha, and 8.3.1 - Integrity, and have been asked to send the key authentication log information via syslog to a SIEM. Is there an official way of doing this that would be acceptable to the business? Is there also a documented way to do this? I have found a few things via Google, but there's no one 'validated' way.

Thanks
Asked by: mozza2010

noci (Software Engineer) commented:
No.

What you can do is create a LAT port, enable it for OPCOM messages, and then handle all broadcasts (through a broadcast mailbox).
Then you will receive all messages in a mailbox that you can read and pass on to other sites using, for example, the syslog protocol.

Some observations:
- Syslog uses one-liners as messages; most of them are quite terse.
- OPCOM messages are spread over many lines and are rather verbose; most of the lines cannot be easily discarded. So you need to make a parser that will get all relevant bits, concatenate them into one line, and handle that one.
- Many syslog post-processing systems expect an event to be ONE message.

If you are just interested in security violations, you might be better off tapping the AUDIT_SERVER and handling its messages.
BillPedersen commented:
Which key authentication information are you looking to capture and send?

This might give us a better idea of what you are trying to do.

Also, since OpenVMS does not have a syslog function, we need to determine what the request really needs.

Bill.
mozza2010 (Author) commented:
I have been given a list of the events that need to be logged:
- Successful and failed logins
- Logon to and activity using privileged accounts
- Creation, modification, and deletion of accounts
- Unauthorised attempts to access restricted network locations
- Changes to configuration on dedicated security devices
- Changes to security configuration
- Changes to access rights
- Classification of sensitive data and logging of access and changes to such data
- Use of shared or group accounts
- Failed access attempts to data and resources

This is the information that I have found so far:

http://labs.hoffmanlabs.com/node/1257
http://labs.hoffmanlabs.com/node/1428
http://forums13.itrc.hp.com/service/forums/questionanswer.do?admit=109447627+1282305362644+28353475&threadId=532169
http://home.insightbb.com/~hemker/vms.html

Thanks

BillPedersen commented:
Well, 5.5-2 is probably going to be a challenge, since there have been significant changes and improvements in event logging since that version was released in the early 1990s, almost 20 years ago. There are newer versions if you can upgrade; 7.2 was the last version for VAX. If you have to stay with 5.5-2, a bit more research will be necessary to see what you need to do here. I suspect you can do something similar to the mailbox operation discussed below. You just might not get the ability to see as much information or detail.

Let's look at the 8.3.x systems. Here you can get the audit server security logs sent to a listener mailbox and then have a program/command procedure read the mailbox and dispatch the messages that come in as you desire/need. See the HP OpenVMS Guide to System Security / Security for the System Administrator / Security Auditing / Methods of Capturing Event Messages.

You can probably take care of most of your needs then with it being entirely based on software.

Some of your requirements might be a bit difficult unless you have certain procedures built into your process.

Use of shared/group accounts - well, if you do not let them have them, you do not need to report, but the ability of a user to share their information may be beyond your control. You might need to add code to prevent multiple logins by a user, for instance, but that only prevents simultaneous use, not serial use.

Successful login versus login to a privileged account - I am not sure there exists any differentiation for this at present. You might need to interface to the authentication database to figure out if a given account has privileges.

The audit server process has the following functionality:

    * Logins, logouts, or login failures
    * Changes to the authorization database
    * Access to a protected object, such as a file, device, or global section
    * Changes in privileges or the security attributes of protected objects

You will have to modify the default audit levels as well. There are details of this earlier in the above-referenced manual.

Bill.
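The two answers above describe the same pipeline from different ends: noci's point that every multi-line OPCOM/audit record has to be collapsed into exactly one syslog message, and Bill's suggestion of reading the audit server's output from a listener mailbox and dispatching it. The following is an added example written for this thread; it is not code from any poster, from HP, or from the OpenVMS documentation. It assumes the records have already been read out of the mailbox into a text buffer (the mailbox I/O itself is OpenVMS-specific and not shown), that the VMS clock runs on UTC, and that the `PRIVILEGED_USERS` set stands in for the SYSUAF lookup Bill says you would need to tell a privileged login from an ordinary one. The sample records are constructed and only loosely modelled on the documented audit message layout.

```python
import re
import socket
from datetime import datetime

# Constructed sample of two records as they would arrive from AUDIT_SERVER. Layout loosely
# follows the documented audit message format; every value (node, PID, users, times) is invented.
SAMPLE_MAILBOX_TEXT = """\
%%%%%%%%%%%  OPCOM  12-JUL-2010 09:30:15.07  %%%%%%%%%%%
Message from user AUDIT$SERVER on NODE01
Security alarm (SECURITY) and security audit (SECURITY) on NODE01, system id: 19821
Auditable event:          Local interactive login failure
Event time:               12-JUL-2010 09:30:15.05
PID:                      2020012B
Username:                 SMITH
Status:                   %LOGIN-F-INVPWD, invalid password

%%%%%%%%%%%  OPCOM  12-JUL-2010 09:31:02.11  %%%%%%%%%%%
Message from user AUDIT$SERVER on NODE01
Security audit (SECURITY) on NODE01, system id: 19821
Auditable event:          Network login
Event time:               12-JUL-2010 09:31:02.09
PID:                      2020012C
Username:                 SYSTEM
Remote node fullname:     NODE02
"""

FACILITY_AUTH = 4                     # syslog facility 4: security/authorization
SEV_WARNING, SEV_NOTICE, SEV_INFO = 4, 5, 6
ENTERPRISE_ID = "32473"               # RFC 5424's documentation-only enterprise number

# Stand-in for a SYSUAF lookup: the audit record does not say whether an account is
# privileged, so that must come from the authorization database (assumption here).
PRIVILEGED_USERS = {"SYSTEM", "FIELD"}

# (substring of "Auditable event", category, severity); first match wins
CATEGORIES = [
    ("login failure", "failed_login", SEV_WARNING),
    ("login", "login", SEV_INFO),
    ("authorization", "account_change", SEV_NOTICE),
    ("privilege", "privilege_change", SEV_NOTICE),
]

BANNER = re.compile(r"^%+\s+OPCOM\s+\S+ \S+\s+%+\s*$", re.MULTILINE)
FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s+(.*)$")   # "Key:     value" lines
ORIGIN = re.compile(r"^Message from user \S+ on (\S+)\s*$", re.MULTILINE)

def split_messages(text):
    """One block per OPCOM banner, so a verbose multi-line record stays together."""
    starts = [m.start() for m in BANNER.finditer(text)]
    return [text[s:e].strip() for s, e in zip(starts, starts[1:] + [len(text)])]

def parse_audit_message(block):
    """Flatten one record into a dict keyed by its 'Key:' labels (lower_snake_case)."""
    origin = ORIGIN.search(block)
    fields = {"node": origin.group(1)} if origin else {}
    for line in block.splitlines()[1:]:
        m = FIELD.match(line)
        if m:
            fields[m.group(1).strip().lower().replace(" ", "_")] = m.group(2).strip()
    return fields

def classify(fields):
    """Map the event to one of the requester's categories plus a syslog severity."""
    event = fields.get("auditable_event", "").lower()
    category, severity = "other", SEV_INFO
    for needle, cat, sev in CATEGORIES:
        if needle in event:
            category, severity = cat, sev
            break
    if category == "login" and fields.get("username") in PRIVILEGED_USERS:
        category, severity = "privileged_login", SEV_NOTICE
    return severity, category

def vms_time_to_rfc3339(vms_time):
    """'12-JUL-2010 09:30:15.05' -> '2010-07-12T09:30:15.05Z' (assumes the VMS clock is UTC)."""
    dt = datetime.strptime(vms_time, "%d-%b-%Y %H:%M:%S.%f")
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 10000:02d}Z"

def sd_escape(value):
    """Escape the three characters RFC 5424 forbids unescaped in an SD-PARAM value."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")

def to_syslog(fields):
    """Exactly one RFC 5424 line per audit event, with the fields as structured data."""
    severity, category = classify(fields)
    pri = FACILITY_AUTH * 8 + severity
    ts = vms_time_to_rfc3339(fields["event_time"]) if "event_time" in fields else "-"
    params = " ".join(f'{k}="{sd_escape(v)}"' for k, v in sorted(fields.items())
                      if k not in ("event_time", "node"))
    sd = f'[vmsaudit@{ENTERPRISE_ID} category="{category}" {params}]'
    return (f"<{pri}>1 {ts} {fields.get('node', '-')} vms_audit {fields.get('pid', '-')} "
            f"{category} {sd} {fields.get('auditable_event', '-')}")

def mailbox_to_syslog_lines(text):
    return [to_syslog(parse_audit_message(b)) for b in split_messages(text)]

def forward(text, host="siem.example.invalid", port=514):
    """Ship each line as one UDP datagram (RFC 5426); host and port are placeholders."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for line in mailbox_to_syslog_lines(text):
            sock.sendto(line.encode("utf-8"), (host, port))
```

Running `mailbox_to_syslog_lines(SAMPLE_MAILBOX_TEXT)` yields two single-line messages, one per audit record: the failed login lands at facility auth/severity warning (`<36>`), and the SYSTEM login is promoted to `privileged_login` at severity notice (`<37>`) purely because of the stand-in privileged-account set, which is exactly the gap Bill describes. Keeping every field in RFC 5424 structured data rather than in free text is what lets the SIEM filter on `username` or `status` without re-parsing the verbose OPCOM layout.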

bonzothecat commented:
I did just come up with something rather similar to what you requested using the OpenVMS Audit facility, as Bill suggested above, a freeware version of logger.c, and some C code borrowed from eight-cubed. But no, I would say there is not an 'official' way to do this.