Readme File for IBM® Spectrum Symphony RFE SPCS-I-868

Readme file for: IBM Spectrum Symphony

Product release: 7.2.0.2

Fix ID: sym-7.2.0.2-build600967

Publication date: January 24, 2022

This enhancement provides support for audit logging for EGO functions to be saved in ArcSight CEF (Common Event Format) standard, which is a format that provides a specific level of detail for the logs so that they can be analyzed with ArcSight tools. With this enhancement, you can enable CEF auditing logs for the service controller, and several IBM Spectrum Symphony services (repository (RS), service director (SD), and SYMREST services).

1.   Scope

Before you install this enhancement to your cluster, note the following requirements:

Operating system

RHEL 7.x 64-bit

Product version

IBM Spectrum Symphony 7.2.0.2

2. Installation

Follow these instructions to download and install this enhancement on hosts in your cluster.

Prerequisites

a.       Log on to the primary host as the cluster administrator, stop applications, and shut down all management hosts in the cluster:

> egosh user logon -u Admin -x Admin

> soamcontrol app disable all

> egosh service stop SD RS SYMREST

> egosh ego shutdown ${all_management_hosts}

b.       On each management host, back up and remove the following files:

$EGO_TOP/3.6/linux-x86_64/etc/rs

$EGO_TOP/3.6/linux-x86_64/etc/vemkd

$EGO_TOP/3.6/linux-x86_64/etc/egosc

$EGO_TOP/soam/7.2/linux-x86_64/etc/sd

$EGO_TOP/soam/7.2/linux-x86_64/etc/symrest

c.       On each management host, download the sym-7.2.0.2_x86_64_build600967.tar.gz package and decompress it to the $EGO_TOP installation directory:

> tar zxof sym-7.2.0.2_x86_64_build600967.tar.gz -C $EGO_TOP

d.       Run the sd -V and vemkd -V commands to verify the installation, for example:

$ sd -V
IBM Spectrum Symphony 7.2 build 600967, Jan 17 2022

$ vemkd -V
EGO 3.6.0 build 600967, Jan 17 2022

  binary type: linux-x86_64

  notes:

  fixes: support CEF format Audit logs

3.   Configuration and usage

a.       Enable CEF audit logging by editing the $EGO_CONFDIR/ego.conf file as follows:

EGO_AUDIT_LOG=Y

EGO_AUDIT_LOGDIR=$EGO_TOP/audits

EGO_AUDIT_LOG_CEF=Y

EGO_CEF_NO_SYSLOG=Y|N

Notes:

·       When EGO_AUDIT_LOG=Y, logging is enabled for EGO functions, and when EGO_AUDIT_LOG_CEF=Y, the system saves those audit logs in ArcSight CEF (Common Event Format) standard (a format that provides a specific level of detail for the logs so that they can be analyzed with ArcSight tools).

·       EGO_CEF_NO_SYSLOG controls the syslog (time, date, and host information) prefix usage for CEF standard auditing logs. If EGO_CEF_NO_SYSLOG=N, the logs show times, dates, and hosts; if EGO_CEF_NO_SYSLOG=Y, the logs hide times, dates, and hosts.

·       CEF logs should be encoded with UTF-8.

·       Logs in CEF standard use this format: 
MMM dd yyyy HH:mm:ss.SSS zzz host
CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|[Extension]


For example:
Jan 17 2022 23:32:10.324 EST ib15b08 CEF:0|Symphony|VEMKD|3.6|EGO_USER_DELETE|CONFIG Admin USER test deleted. |3


In this example:

§  The syslog prefix is Jan 17 2022 23:32:10.324 EST ib15b08

§  CEF:Version is CEF:0

§  Device Vendor is Symphony

§  Device Product is VEMKD

§  Device Version is 3.6

§  Device Event Class ID is EGO_USER_DELETE

§  Name is CONFIG Admin USER test deleted.

§  Severity is 3

§  The Extension is empty


The CEF standard defines ten levels of severity, and IBM Spectrum Symphony auditing logs define four levels of logs (DEBUG, INFO, WARN, and ERROR); therefore, use the following mapping:

CEF level of severity     IBM Spectrum Symphony log type
0 (Low)                   DEBUG
3 (Medium)                INFO
6 (Medium)                WARN
8 (High)                  ERROR

Currently, all auditing logs are at INFO level, so the CEF severity will always be 3.
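As an added example (not part of this readme or of the product), a small Python parser for audit lines in the format described above: it accepts records with and without the syslog prefix (EGO_CEF_NO_SYSLOG=N or Y), unescapes a backslash-escaped '|' inside header fields, and maps the CEF severity to the Symphony log type using the mapping above. The second sample line, the event class ID EGO_EXAMPLE_EVENT and the select_events helper are constructed for illustration and are not taken from the product.

```python
import re

# Severity mapping from the readme: CEF severity -> IBM Spectrum Symphony log type.
SEVERITY_TO_LOG_TYPE = {0: "DEBUG", 3: "INFO", 6: "WARN", 8: "ERROR"}
HEADER_KEYS = ("version", "vendor", "product", "device_version", "event_class_id", "name", "severity")
# Syslog prefix "MMM dd yyyy HH:mm:ss.SSS zzz host"; present only when EGO_CEF_NO_SYSLOG=N.
SYSLOG_PREFIX = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}\.\d{3} [A-Z]{3,4}) "
                           r"(?P<host>\S+) (?=CEF:)")
# One CEF header field: escaped chars ('\|', '\\') or non-'|' chars, ended by '|' or end of line.
HEADER_FIELD = re.compile(r"((?:\\.|[^|\\])*)(\||$)")

def split_cef_header(line):
    """Return the seven '|'-separated header fields (unescaped) and the raw extension text."""
    fields, pos = [], 0
    while len(fields) < 7:
        m = HEADER_FIELD.match(line, pos)
        if m is None:
            raise ValueError("bad escape sequence in CEF header: %r" % line)
        fields.append(re.sub(r"\\(.)", r"\1", m.group(1)))   # drop the escaping backslash
        pos = m.end()
        if m.group(2) == "":          # end of line reached before a seventh '|'
            break
    return fields, line[pos:]         # the extension has its own escaping, so it is left as-is

def parse_symphony_cef(line):
    """Parse one Symphony CEF audit line, with or without the syslog prefix, into a dict."""
    line = line.rstrip("\r\n")
    ev = {"timestamp": None, "host": None}
    m = SYSLOG_PREFIX.match(line)
    if m:
        ev["timestamp"], ev["host"], line = m.group("ts"), m.group("host"), line[m.end():]
    fields, ev["extension"] = split_cef_header(line)
    if len(fields) != 7 or not fields[0].startswith("CEF:"):
        raise ValueError("not a well-formed CEF record: %r" % line)
    ev.update(zip(HEADER_KEYS, (f.strip() for f in fields)))   # header fields, surrounding spaces trimmed
    ev["severity"] = int(ev["severity"])
    ev["log_type"] = SEVERITY_TO_LOG_TYPE.get(ev["severity"], "UNKNOWN")
    return ev

def select_events(lines, class_ids):
    """Parse every line and keep the events whose Device Event Class ID is in class_ids."""
    return [ev for ev in map(parse_symphony_cef, lines) if ev["event_class_id"] in class_ids]

# Constructed sample input: the readme's example line, then a line as it would be written with
# EGO_CEF_NO_SYSLOG=Y, using a placeholder event class ID (not a real Symphony ID) and an escaped '|'.
SAMPLE_LINES = [
    "Jan 17 2022 23:32:10.324 EST ib15b08 CEF:0|Symphony|VEMKD|3.6|EGO_USER_DELETE|CONFIG Admin USER test deleted. |3",
    "CEF:0|Symphony|VEMKD|3.6|EGO_EXAMPLE_EVENT|CONFIG Admin RESOURCE a\\|b changed. |6|src=10.0.0.5",
]
```

Feed the parser the files under EGO_AUDIT_LOGDIR line by line; a ValueError marks a line that is not a CEF record, which is worth alerting on when CEF auditing is expected to be enabled.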

b.       In the $EGO_ESRVDIR/esc/conf/egosc_conf.xml file, enable service controller auditing logs by adding this configuration:

<ESC_AUDIT_LOG>ON</ESC_AUDIT_LOG>

c.       In the $EGO_ESRVDIR/esc/conf/services/rs.xml file, enable repository server auditing logs by adding this configuration:

<ego:EnvironmentVariable name="RS_AUDIT_LOG">ON</ego:EnvironmentVariable>

d.       In the $EGO_ESRVDIR/esc/conf/services/sd.xml file, enable session director auditing logs by adding this configuration:

<ego:EnvironmentVariable name="SD_AUDIT_LOG">ON</ego:EnvironmentVariable>

e.       In the $EGO_ESRVDIR/esc/conf/services/symrest.xml file, enable SYMREST server auditing logs by adding this configuration:

<ego:EnvironmentVariable name="SYMREST_AUDIT_LOG">ON</ego:EnvironmentVariable>

f.        Start the cluster and enable your applications:

$ egosh ego start all

$ soamcontrol app enable application_name

4.   Uninstallation

If required, follow these instructions to uninstall this enhancement from hosts in your cluster.

a.       Log on to the primary host as the cluster administrator, stop applications, and shut down all the management hosts in the cluster:

> egosh user logon -u Admin -x Admin

> soamcontrol app disable all

> egosh service stop SD RS SYMREST

> egosh ego shutdown ${all_management_hosts}

b.       On each management host, restore the following files from your backup:

$EGO_TOP/3.6/linux-x86_64/etc/rs

$EGO_TOP/3.6/linux-x86_64/etc/vemkd

$EGO_TOP/3.6/linux-x86_64/etc/egosc

$EGO_TOP/soam/7.2/linux-x86_64/etc/sd

$EGO_TOP/soam/7.2/linux-x86_64/etc/symrest

c.       In the $EGO_CONFDIR/ego.conf file, set EGO_AUDIT_LOG_CEF to N to disable this enhancement, and set EGO_AUDIT_LOG to N if you want to disable EGO auditing logs.

d.       In the $EGO_ESRVDIR/esc/conf/egosc_conf.xml file, remove the following configuration, or set it to OFF if you want to disable service controller auditing logs:

<ESC_AUDIT_LOG>ON</ESC_AUDIT_LOG>

e.       In the $EGO_ESRVDIR/esc/conf/services/rs.xml file, remove the following configuration, or set it to OFF if you want to disable repository server auditing logs:

<ego:EnvironmentVariable name="RS_AUDIT_LOG">ON</ego:EnvironmentVariable>

f.        In the $EGO_ESRVDIR/esc/conf/services/sd.xml file, remove the following configuration, or set it to OFF if you want to disable session director auditing logs:

<ego:EnvironmentVariable name="SD_AUDIT_LOG">ON</ego:EnvironmentVariable>

g.       In the $EGO_ESRVDIR/esc/conf/services/symrest.xml file, remove the following configuration, or set it to OFF if you want to disable SYMREST server auditing logs:

<ego:EnvironmentVariable name="SYMREST_AUDIT_LOG">ON</ego:EnvironmentVariable>

h.       Start the cluster and enable your applications:

$ egosh ego start all

$ soamcontrol app enable application_name

5.   List of files

acd97ac15e4634b25b00c07cafe87069 sym-7.2.0.2_x86_64_build600967.tar.gz

9780cdc15aa9928cac349115b894ecd4 3.6/linux-x86_64/etc/vemkd

e3ce2501e28a984ac2d69dc681b7df6c 3.6/linux-x86_64/etc/egosc

598ef30ce677b349ddacd85707576adc 3.6/linux-x86_64/etc/rs

f991bef46cf9781f8a8a4687de278fa3 soam/7.2/linux-x86_64/etc/sd

5c91c88def9e4733ff8d90a34cd3542b soam/7.2/linux-x86_64/etc/symrest

6.   Product notifications

To receive information about product solution and patch updates automatically, subscribe to product notifications on the My Notifications page http://www.ibm.com/support/mynotifications/ on the IBM Support website (http://support.ibm.com). You can edit your subscription settings to choose the types of information you want to get notification about, for example, security bulletins, fixes, troubleshooting, and product enhancements or documentation changes.

7.   Copyright and trademark information

© Copyright IBM Corporation 2022

U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

IBM®, the IBM logo and ibm.com® are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.