Readme File for IBM® Spectrum Symphony RFE SPCS-I-868
Readme file for: IBM Spectrum Symphony
Product release: 7.2.0.2
Fix ID: sym-7.2.0.2-build600967
Publication date: January 24, 2022
This enhancement adds support for saving the audit logs of EGO functions in the ArcSight CEF (Common Event Format) standard, a format that provides a specific level of detail so that the logs can be analyzed with ArcSight tools. With this enhancement, you can enable CEF audit logs for the service controller and for several IBM Spectrum Symphony services: the repository (RS), service director (SD), and SYMREST services.
Before you install this enhancement to your cluster, note the following requirements:
Operating system: RHEL 7.x 64-bit
Product version:  IBM Spectrum Symphony 7.2.0.2
Follow these instructions to download and install this enhancement on hosts in your cluster.
a. Log on to the primary host as the cluster administrator, stop applications, and shut down all management hosts in the cluster:
> egosh user logon -u Admin -x Admin
> soamcontrol app disable all
> egosh service stop SD RS SYMREST
> egosh ego shutdown ${all_management_hosts}
b. On each management host, back up and remove the following files:
$EGO_TOP/3.6/linux-x86_64/etc/rs
$EGO_TOP/3.6/linux-x86_64/etc/vemkd
$EGO_TOP/3.6/linux-x86_64/etc/egosc
$EGO_TOP/soam/7.2/linux-x86_64/etc/sd
$EGO_TOP/soam/7.2/linux-x86_64/etc/symrest
c. On each management host, download the sym-7.2.0.2_x86_64_build600967.tar.gz package and decompress it to the $EGO_TOP installation directory:
> tar zxof sym-7.2.0.2_x86_64_build600967.tar.gz -C $EGO_TOP
d. Run the sd -V and vemkd -V commands to verify the installation, for example:
$ sd -V
IBM Spectrum Symphony 7.2 build 600967, Jan 17 2022
$ vemkd -V
EGO 3.6.0 build 600967, Jan 17 2022
binary type: linux-x86_64
notes:
fixes: support for CEF format audit logs
a. Enable CEF audit logging by editing the $EGO_CONFDIR/ego.conf file as follows:
EGO_AUDIT_LOG=Y
EGO_AUDIT_LOGDIR=$EGO_TOP/audits
EGO_AUDIT_LOG_CEF=Y
EGO_CEF_NO_SYSLOG=Y|N
Notes:
· When EGO_AUDIT_LOG=Y, audit logging is enabled for EGO functions; when EGO_AUDIT_LOG_CEF=Y as well, the system saves those audit logs in the ArcSight CEF (Common Event Format) standard, a format that provides a specific level of detail so that the logs can be analyzed with ArcSight tools.
· EGO_CEF_NO_SYSLOG controls whether the syslog prefix (time, date, and host information) is written in front of each CEF audit record. If EGO_CEF_NO_SYSLOG=N, the logs show times, dates, and hosts; if EGO_CEF_NO_SYSLOG=Y, the logs omit them.
· CEF logs should be encoded in UTF-8.
· Logs in CEF standard use this format:
MMM dd yyyy HH:mm:ss.SSS zzz host CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|[Extension]
For example:
Jan 17 2022 23:32:10.324 EST ib15b08 CEF:0|Symphony|VEMKD|3.6|EGO_USER_DELETE|CONFIG Admin USER test deleted. |3
In this example:
§ The syslog prefix is Jan 17 2022 23:32:10.324 EST ib15b08
§ CEF:Version is CEF:0
§ Device Vendor is Symphony
§ Device Product is VEMKD
§ Device Version is 3.6
§ Device Event Class ID is EGO_USER_DELETE
§ Name is CONFIG Admin USER test deleted.
§ Severity is 3
§ The Extension is empty
The CEF standard defines ten levels of severity, and IBM Spectrum Symphony audit logs define four log types (DEBUG, INFO, WARN, and ERROR); therefore, the following mapping is used:
CEF level of severity   IBM Spectrum Symphony log type
0 (Low)                 DEBUG
3 (Medium)              INFO
6 (Medium)              WARN
8 (High)                ERROR
Currently, all audit logs are written at INFO level, so the CEF severity is always 3.
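As an added illustration (not part of the IBM readme), a Python parser for these audit records that handles both EGO_CEF_NO_SYSLOG settings, the CEF header escapes (`\|` for a literal pipe, `\\` for a backslash), and the severity-to-log-type mapping above. The dict key names and the find_events watch list are my own choices, not part of Symphony; the sample record is the readme's own example.

```python
import re
# CEF severity -> IBM Spectrum Symphony log type, per the mapping table above.
SEVERITY_TO_LOG_TYPE = {0: "DEBUG", 3: "INFO", 6: "WARN", 8: "ERROR"}
# The example record from the readme (syslog prefix present, i.e. EGO_CEF_NO_SYSLOG=N).
SAMPLE_LINE = "Jan 17 2022 23:32:10.324 EST ib15b08 CEF:0|Symphony|VEMKD|3.6|EGO_USER_DELETE|CONFIG Admin USER test deleted. |3"
# Syslog prefix "MMM dd yyyy HH:mm:ss.SSS zzz host" that precedes the record when EGO_CEF_NO_SYSLOG=N.
_SYSLOG_PREFIX = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}\.\d{3} \S+) (?P<host>\S+) (?=CEF:)")
# Dict keys for the seven CEF header fields, in the order the readme lists them (my naming, not Symphony's).
_HEADER = ("version", "vendor", "product", "device_version", "event_class_id", "name", "severity")

def _split_header(text):
    """Split on unescaped '|'; CEF writes '\\|' for a literal pipe and '\\\\' for a backslash."""
    fields, cur, i = [], "", 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):  # escaped character: take the next one literally
            cur += text[i + 1]
            i += 1
        elif ch == "|":
            fields.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    fields.append(cur)
    return fields

def parse_cef_line(line):
    """Parse one audit record, with or without the syslog prefix, into a dict."""
    line = line.rstrip("\r\n")
    event = {"timestamp": None, "host": None}  # both stay None when EGO_CEF_NO_SYSLOG=Y
    m = _SYSLOG_PREFIX.match(line)
    if m:
        event["timestamp"], event["host"] = m.group("ts"), m.group("host")
        line = line[m.end():]
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record: %r" % line[:40])
    parts = _split_header(line[len("CEF:"):])
    if len(parts) < len(_HEADER):
        raise ValueError("CEF header has %d of %d required fields" % (len(parts), len(_HEADER)))
    event.update(zip(_HEADER, parts))
    event["version"], event["severity"] = int(event["version"]), int(event["severity"])
    event["log_type"] = SEVERITY_TO_LOG_TYPE.get(event["severity"], "UNKNOWN")
    event["extension"] = "|".join(parts[len(_HEADER):])  # everything past the 7th pipe; unescaped there
    return event

def find_events(lines, watch_ids):
    """Return parsed records whose Device Event Class ID is in watch_ids, e.g. {"EGO_USER_DELETE"}."""
    return [ev for ev in map(parse_cef_line, lines) if ev["event_class_id"] in watch_ids]
```

Feeding the files under EGO_AUDIT_LOGDIR through find_events with a watch set of the event class IDs you care about (user deletions, configuration changes) gives a simple offline check that the CEF records are well-formed before they reach ArcSight.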
b. In the $EGO_ESRVDIR/esc/conf/egosc_conf.xml file, enable service controller auditing logs by adding this configuration:
<ESC_AUDIT_LOG>ON</ESC_AUDIT_LOG>
c. In the $EGO_ESRVDIR/esc/conf/services/rs.xml file, enable repository server auditing logs by adding this configuration:
<ego:EnvironmentVariable name="RS_AUDIT_LOG">ON</ego:EnvironmentVariable>
d. In the $EGO_ESRVDIR/esc/conf/services/sd.xml file, enable session director auditing logs by adding this configuration:
<ego:EnvironmentVariable name="SD_AUDIT_LOG">ON</ego:EnvironmentVariable>
e. In the $EGO_ESRVDIR/esc/conf/services/symrest.xml file, enable SYMREST server auditing logs by adding this configuration:
<ego:EnvironmentVariable name="SYMREST_AUDIT_LOG">ON</ego:EnvironmentVariable>
f. Start the cluster and enable your applications:
$ egosh ego start all
$ soamcontrol app enable application_name
If required, follow these instructions to uninstall this enhancement from hosts in your cluster.
a. Log on to the primary host as the cluster administrator, stop applications, and shut down all the management hosts in the cluster:
> egosh user logon -u Admin -x Admin
> soamcontrol app disable all
> egosh service stop SD RS SYMREST
> egosh ego shutdown ${all_management_hosts}
b. On each management host, restore the following files from your backup:
$EGO_TOP/3.6/linux-x86_64/etc/rs
$EGO_TOP/3.6/linux-x86_64/etc/vemkd
$EGO_TOP/3.6/linux-x86_64/etc/egosc
$EGO_TOP/soam/7.2/linux-x86_64/etc/sd
$EGO_TOP/soam/7.2/linux-x86_64/etc/symrest
c. In the $EGO_CONFDIR/ego.conf file, set EGO_AUDIT_LOG_CEF to N to disable this enhancement, and set EGO_AUDIT_LOG to N if you want to disable EGO auditing logs.
d. In the $EGO_ESRVDIR/esc/conf/egosc_conf.xml file, remove the following configuration, or set it to OFF if you want to disable service controller auditing logs:
<ESC_AUDIT_LOG>ON</ESC_AUDIT_LOG>
e. In the $EGO_ESRVDIR/esc/conf/services/rs.xml file, remove the following configuration, or set it to OFF if you want to disable repository server auditing logs:
<ego:EnvironmentVariable name="RS_AUDIT_LOG">ON</ego:EnvironmentVariable>
f. In the $EGO_ESRVDIR/esc/conf/services/sd.xml file, remove the following configuration, or set it to OFF if you want to disable session director auditing logs:
<ego:EnvironmentVariable name="SD_AUDIT_LOG">ON</ego:EnvironmentVariable>
g. In the $EGO_ESRVDIR/esc/conf/services/symrest.xml file, remove the following configuration, or set it to OFF if you want to disable SYMREST server auditing logs:
<ego:EnvironmentVariable name="SYMREST_AUDIT_LOG">ON</ego:EnvironmentVariable>
h. Start the cluster and enable your applications:
$ egosh ego start all
$ soamcontrol app enable application_name
acd97ac15e4634b25b00c07cafe87069 sym-7.2.0.2_x86_64_build600967.tar.gz
9780cdc15aa9928cac349115b894ecd4 3.6/linux-x86_64/etc/vemkd
e3ce2501e28a984ac2d69dc681b7df6c 3.6/linux-x86_64/etc/egosc
598ef30ce677b349ddacd85707576adc 3.6/linux-x86_64/etc/rs
f991bef46cf9781f8a8a4687de278fa3 soam/7.2/linux-x86_64/etc/sd
5c91c88def9e4733ff8d90a34cd3542b soam/7.2/linux-x86_64/etc/symrest
To receive information about product solution and patch updates automatically, subscribe to product notifications on the My Notifications page http://www.ibm.com/support/mynotifications/ on the IBM Support website (http://support.ibm.com). You can edit your subscription settings to choose the types of information you want to get notifications about, for example, security bulletins, fixes, troubleshooting, and product enhancements or documentation changes.
© Copyright IBM Corporation 2022
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
IBM®, the IBM logo and ibm.com® are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.