README

IBM Tivoli Security Operations Manager(TM) Version 4.1.1 Fix Pack 013
for IBM AIX, Solaris Operating Environments, Red Hat Linux ES and
Windows Server 2003

© Copyright International Business Machines Corporation 2011.
All rights reserved.

Contents
--------------------------------------------------------------------------------
1.0 About this release
    1.1 Supported products and components by platform
    1.2 PTF and VRMF information
2.0 Installation and configuration
    2.1 Supported languages for Tivoli Security Operations Manager
        available from the FTP site
    2.2 Prerequisites
    2.3 Before installation
    2.4 Installing the Tivoli Security Operations Manager 4.1.1 Fix Pack 013
    2.5 After installation
    2.6 Uninstalling / rollback
3.0 Documentation Updates
    3.1 New handling of Check Point conduit
    3.2 Cleanup of event_data table causing application downtime in Oracle
    3.3 Starting with 4.1.1-TIV-TSOM-FP007 logging level can be changed
        dynamically
    3.4 Password encryption
    3.5 New Device Rules installation tool
    3.6 Additional indexes for historical data searches in DB2
    3.7 Changing TSOM encryption ciphers
    3.8 New config file for device rules
    3.9 New configuration parameters
    3.10 License agreement needed when installing a Fix Pack
    3.11 TCIM and TSOM integration
    3.12 Host names interpretation update
    3.13 Messages forwarded by KIWI Syslog
    3.14 Under heavy load TSOM GUI may not display all processed events
    3.15 Easy filtering of erroneous event types
    3.16 Configuring UCM to monitor Windows Event Log
    3.17 Restoring events from 'data' directory after database connection
         was broken
4.0 Resolved Problems
5.0 Contacting customer support
6.0 Notices and trademarks

1.0 About this release
--------------------------------------------------------------------------------
Set the font to monospace to better view this file.

The information in this readme file should be read by Tivoli Security
Operations Manager administrators who plan to install Tivoli Security
Operations Manager(R) 4.1.1 Fix Pack 013.
This readme file contains platform-specific information about the latest
changes and known problems and workarounds for TSOM. This readme file
contains TSOM 4.1.1 Fix Pack 013 information for all UNIX(R) operating
systems supported by Tivoli Security Operations Manager. Specific
information for each supported UNIX operating system is described in
separate sections of this readme. However, unless otherwise specified, the
instructions are applicable to all supported UNIX operating systems.

1.1 Supported products and components by platform

This readme file contains information for the following products and
components for each operating system:

IBM AIX
  Product list:
  * Tivoli Security Operations Manager Central Management System (CMS)
    Version 4.1.1 Fix Pack 013
  * Tivoli Security Operations Manager Event Aggregation Module (EAM)
    Version 4.1.1 Fix Pack 013

Linux(TM) (RedHat(R)) 32-bit
  Product list:
  * Tivoli Security Operations Manager Central Management System (CMS)
    Version 4.1.1 Fix Pack 013
  * Tivoli Security Operations Manager Event Aggregation Module (EAM)
    Version 4.1.1 Fix Pack 013

Solaris(R) Operating Environments (32-bit)
  Product list:
  * Tivoli Security Operations Manager Central Management System (CMS)
    Version 4.1.1 Fix Pack 013
  * Tivoli Security Operations Manager Event Aggregation Module (EAM)
    Version 4.1.1 Fix Pack 013

Windows(TM) Server 2003 Enterprise Edition R2 SP2 (64-bit)
  Product list:
  * Tivoli Security Operations Manager Central Management System (CMS)
    Version 4.1.1 Fix Pack 013
  * Tivoli Security Operations Manager Event Aggregation Module (EAM)
    Version 4.1.1 Fix Pack 013

1.2 PTF and VRMF information

+-----------------------+---------------------------------------+-------------+
| Operating system      | PTF                                   | VRMF        |
+-----------------------+---------------------------------------+-------------+
| AIX 5L                | 4.1.1-TIV-TSOM-AIXPPC32-FP013.bin     | 4.1.1-FP013 |
+-----------------------+---------------------------------------+-------------+
| Solaris Operating     | 4.1.1-TIV-TSOM-SolarisSparc-FP013.bin | 4.1.1-FP013 |
| Environment           |                                       |             |
+-----------------------+---------------------------------------+-------------+
| Linux (RedHat)        | 4.1.1-TIV-TSOM-LinuxIA32-FP013.bin    | 4.1.1-FP013 |
+-----------------------+---------------------------------------+-------------+
| Windows (Server 2003) | 4.1.1-TIV-TSOM-WinX64-FP013.exe       | 4.1.1-FP013 |
+-----------------------+---------------------------------------+-------------+

2.0 Installation and configuration
--------------------------------------------------------------------------------
The package names for each specific operating system are:

+-------------------------------+-----------------------------------------+
| AIX                           | 4.1.1-TIV-TSOM-AIXPPC32-FP013.bin       |
+-------------------------------+-----------------------------------------+
| Linux (RedHat)                | 4.1.1-TIV-TSOM-LinuxIA32-FP013.bin      |
+-------------------------------+-----------------------------------------+
| Solaris Operating Environment | 4.1.1-TIV-TSOM-SolarisSparc-FP013.bin   |
| (32-bit)                      |                                         |
+-------------------------------+-----------------------------------------+
| Windows Operating Environment | 4.1.1-TIV-TSOM-WinX64-FP013.exe         |
| (64-bit)                      |                                         |
+-------------------------------+-----------------------------------------+

The packages are self-extracting executables.
2.1 Supported languages for Tivoli Security Operations Manager available
    from the FTP site

The following table details the supported languages that are available
from the FTP site:

+---------------------------+---------------------------+
| Operating System          | Central Management System |
+---------------------------+---------------------------+
| AIX                       | English only              |
+---------------------------+---------------------------+
| RedHat Linux Intel        | English only              |
| (32-bit)                  |                           |
+---------------------------+---------------------------+
| Solaris Operating System  | English only              |
+---------------------------+---------------------------+
| Windows Operating System  | English only              |
| (64-bit)                  |                           |
+---------------------------+---------------------------+

2.2 Prerequisites

a) You must have a supported operating system installed. The supported
   operating systems are:
   * AIX 5L Version 5.3 (5.3.x)
   * Solaris Version 10 (10.x)
   * RedHat Version 5 (5.x)
   * Microsoft Windows Server 2003 Enterprise Edition R2 SP2 (64-bit)

b) You must have a supported database installed and a schema and user
   created and available. The supported databases are:
   * IBM DB2 Enterprise 9 (9.x)
   * Oracle 10g Release 2 (10.2.x)

c) This Fix Pack must be installed on the Central Management System (CMS)
   and on all Event Aggregation Modules (EAM).

d) Ensure that you have read the entire contents of this readme.
e) This Fix Pack can be installed on systems with:
   * Tivoli Security Operations Manager 4.1.1 GA release, or
   * Tivoli Security Operations Manager 4.1.1 Interim Fix 001, or
   * Tivoli Security Operations Manager 4.1.1 Interim Fix 002, or
   * Tivoli Security Operations Manager 4.1.1 Interim Fix 003, or
   * Tivoli Security Operations Manager 4.1.1 Fix Pack 004, or
   * Tivoli Security Operations Manager 4.1.1 Interim Fix 006, or
   * Tivoli Security Operations Manager 4.1.1 Interim Fix 007, or
   * Tivoli Security Operations Manager 4.1.1 Fix Pack 008, or
   * Tivoli Security Operations Manager 4.1.1 LA Fix Pack 009, or
   * Tivoli Security Operations Manager 4.1.1 Fix Pack 010, or
   * Tivoli Security Operations Manager 4.1.1 Fix Pack 011

2.3 Before installation

a) You must install this Fix Pack using the same method that you used to
   install the product initially.
   * If you installed Tivoli Security Operations Manager 4.1.1 using an
     X Windows install, you must use an X Windows installation to install
     this Fix Pack.
   * If you used a console install to install Tivoli Security Operations
     Manager, you must use the console installation to install this
     Fix Pack.

2.4 Installing Tivoli Security Operations Manager 4.1.1 Fix Pack 013:
    Procedures

To install Tivoli Security Operations Manager Fix Pack 013:

a) Log in to the server hosting the Tivoli Security Operations Manager
   component as the root user or as a user that has privileges to sudo to
   root, or on Windows as the same user originally used to install Tivoli
   Security Operations Manager.

b) STOP all TSOM components, preferably in the following order:
   GUI client(s), CMS, EAM(s), UCM(s).

   *WARNING*: GUI clients left running during a CMS upgrade will reconnect,
   but they will NOT download the upgraded client-side code. This causes a
   code mismatch between client and server which can yield unexpected
   results. To avoid this, close all GUI clients before upgrading a CMS.
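   The following shell script is an added example for this pre-upgrade
   check; it is not part of the IBM readme or of the TSOM product. It
   scans "netstat -an" output for ESTABLISHED connections to the CMS
   client port tcp/9997 named in this readme and refuses to proceed while
   any GUI client is still attached. The netstat column layout assumed is
   the Linux one (Proto, Recv-Q, Send-Q, Local Address, Foreign Address,
   State); the sample output embedded in the script is constructed, not
   captured from a real CMS.

```shell
#!/bin/sh
# Added example (not from the IBM readme): find GUI clients still attached
# to a CMS before stopping it for a Fix Pack upgrade.
# Assumption: "netstat -an" prints Linux-style columns
#   Proto Recv-Q Send-Q Local-Address Foreign-Address State
# with addresses written as host:port (host.port, as on Solaris, is also
# accepted by the port-stripping below).

CMS_CLIENT_PORT=9997   # GUI-to-CMS port named in the readme

# gui_clients: read "netstat -an" output on stdin and print one remote IP
# per ESTABLISHED TCP connection whose local port is $CMS_CLIENT_PORT.
gui_clients() {
    awk -v port="$CMS_CLIENT_PORT" '
        $1 ~ /^tcp/ && $NF == "ESTABLISHED" {
            local = $4; remote = $5
            # the local port is the text after the last ":" or "."
            n = split(local, lp, /[:.]/)
            if (lp[n] != port) next
            # drop the client-side port, keep the client address
            sub(/[:.][0-9]+$/, "", remote)
            print remote
        }' | sort -u
}

# count_gui_clients: number of distinct client addresses on stdin's netstat
# output (awk instead of "grep -c" so an empty result still exits 0).
count_gui_clients() {
    gui_clients | awk 'END { print NR }'
}

# Constructed "netstat -an" sample for demonstration: two GUI clients
# (one of them with two sockets), one browser session on 8443 and one
# half-closed client socket that must not be counted.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:9997            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.10:9997          10.0.0.21:51234         ESTABLISHED
tcp        0      0 10.0.0.10:9997          10.0.0.22:50211         ESTABLISHED
tcp        0      0 10.0.0.10:9997          10.0.0.21:51240         ESTABLISHED
tcp        0      0 10.0.0.10:8443          10.0.0.30:44122         ESTABLISHED
tcp        0      0 10.0.0.10:9997          10.0.0.40:60001         TIME_WAIT
EOF
}

# With --check, inspect the live CMS; otherwise show the sample run.
if [ "${1:-}" = "--check" ]; then
    clients=$(netstat -an | gui_clients)
    if [ -n "$clients" ]; then
        echo "GUI clients still connected to tcp/$CMS_CLIENT_PORT:" >&2
        echo "$clients" >&2
        exit 1
    fi
    echo "No GUI clients connected; safe to stop the CMS."
else
    echo "Sample run: $(sample_netstat | count_gui_clients) GUI client(s):"
    sample_netstat | gui_clients
fi
```

   Run it as "sh check_gui_clients.sh --check" on the CMS host before
   step b); a non-zero exit means clients are still attached. Only
   ESTABLISHED sockets count, so a client that has already disconnected
   but whose socket is in TIME_WAIT does not block the upgrade.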
   To find all open GUI clients, use netstat on the CMS to list any IP
   addresses connected to the CMS on port tcp/9997.

   To stop | start TSOM on UNIX/Linux use:
     ./bin/tsom_server.sh stop | start
     ./bin/tsom_tomcat.sh stop | start
   On Windows, stop | start the relevant service.

c) Change directories to the directory where you downloaded the
   self-extracting binary.

d) Run the self-extracting binary (use -i console for a text-based
   install):

   On UNIX/Linux:
     If you have X Windows installed:
       ./4.1.1-TIV-TSOM-<platform>-FP013.bin
     If you do not have X Windows installed:
       ./4.1.1-TIV-TSOM-<platform>-FP013.bin -i console
     where <platform> is the platform token of the server (AIXPPC32,
     LinuxIA32 or SolarisSparc, as listed in section 2.0). The Install
     Anywhere installer will launch.

   On Windows:
     Using Windows Explorer, locate the downloaded file
     4.1.1-TIV-TSOM-WinX64-FP013.exe and double-click it.

e) On the Locale screen, select the locale in which the install utility
   will run and click OK.

f) On the Introduction screen, click Next.

g) Review the installation on the Pre-Installation Summary screen, and
   click Install.

h) When the installation has completed, click Done on the Install Complete
   screen.

General reminder: the Fix Pack installer does not upgrade Device Rules. To
resolve all APARs mentioned in this document, install TSOM 4.1/4.1.1 Device
Rules Update Package 2011/01 or newer.

2.5 After installation

Ensure the installed components are running by logging into the UI using
the admin user (username: admin, password: password):

  https://<CMS_IP>:8443

where <CMS_IP> is the IP address of the server hosting the CMS. If the
admin account still has this default password, change it.

*** Important Note ***
This Fix Pack includes an updated UCM that runs as a service on Windows.
After installing the fix, the UCM file that should be installed on a
Windows system is <install_dir>/misc/install_ucm.exe. This file can also be
obtained from the downloads link on the TSOM Portal at:

  https://<CMS_IP>:8443   -or-   http://<CMS_IP>:8080

where <CMS_IP> is the IP address of the server hosting the CMS.

Known issue: The default configuration does not include the necessary
library ITSOM_LogParser.dll in the Java library path.
There are two ways to get ITSOM_LogParser.dll into the Java library path
(assuming the default install directory of C:\Program Files\IBM\TSOM):

1) Copy the file ITSOM_LogParser.dll from
   C:\Program Files\IBM\TSOM\lib\ITSOM_LogParser.dll to
   C:\Program Files\IBM\TSOM\ITSOM_LogParser.dll. For example:

     >cd C:\Program Files\IBM\TSOM\
     >copy lib\ITSOM_LogParser.dll ITSOM_LogParser.dll

   -or-

2) Alter the C:\Program Files\IBM\TSOM\UCM.lax file. Add this block of
   text:

     # LAX.NL.JAVA.OPTION.ADDITIONAL
     # -----------------------------
     # -Dargument=value args to JAVA
     lax.nl.java.option.additional= -Djava.net.preferIPv4Stack=true \
         -Djava.net.preferIPv6Addresses=false \
         -Djava.library.path=lib

General reminder: the UCM needs Microsoft Log Parser installed. This is a
free tool from Microsoft that is used to safely communicate with the Event
Log system.

2.6 Uninstall

*** Warning ***
Uninstalling a cumulative fix (such as this one) will uninstall the
complete product.

a) Log in to the server hosting the Tivoli Security Operations Manager
   component as the root user or as a user that has privileges to sudo to
   root.

b) Change directories to the directory
   <install_dir>/Uninstall_Tivoli Security Operations Manager
   where <install_dir> is the directory where you installed Tivoli
   Security Operations Manager.

c) Execute the uninstaller (use -i console for a text-based uninstall):
   * If you have X Windows installed:
       ./Uninstall_Tivoli_Security_Operations_Manager
   * If you do not have X Windows installed:
       ./Uninstall_Tivoli_Security_Operations_Manager -i console
   The Install Anywhere uninstaller will launch.

d) On the Summary screen, click Uninstall.

e) When the uninstallation has completed, click Done on the Uninstall
   Complete screen.

3.0 Documentation Updates
--------------------------------------------------------------------------------

3.1 New handling of Check Point conduit
Starting from 4.1.1-TIV-TSOM-FP004, a native conduit that communicates with
the Check Point server runs as a separate service on all supported
platforms.

a) Solaris and Linux: on each EAM server which collects Check Point data,
   start the tsom_leads.sh service by issuing:

     ./bin/tsom_leads.sh start

   The service stops automatically at the moment the EAM process stops.

b) Windows: a new service named TSOMLEADS is created by the Fix Pack
   installer. You may want to stop it manually when the Check Point
   conduit is not needed.

3.2 Cleanup of event_data table causing application downtime in Oracle

In order to efficiently clean up the EVENT_DATA tables, DROP PARTITION is
used in the Oracle install. To achieve this, all indexes that are created
must be partitioned by NORMALIZATION_TIME as well. This is already done;
however, as EVENT_DATA_ID is the primary key of the event data table, it
creates an implicit index. After issuing DROP PARTITION statements this
index becomes invalid and must be manually rebuilt, which takes
approximately 3-4 hours. During this time the CMS is unavailable.

This was resolved by issuing two schema change SQL statements:

1. Remove the primary key constraint from the table:

     ALTER TABLE EVENT_DATA DROP PRIMARY KEY DROP INDEX;

2. Create an index on EVENT_DATA_ID and NORMALIZATION_TIME such that
   partitioning by NORMALIZATION_TIME is possible:

     ALTER TABLE EVENT_DATA
       ADD CONSTRAINT UNIQ_EVTDATA_NORMTIME
       UNIQUE (EVENT_DATA_ID, NORMALIZATION_TIME);

The above two statements can be provided to customers (on Oracle) on a
need basis if they encounter a similar problem. After applying them, check
that the index backing the new constraint is a local (partitioned) index;
a global index would again become unusable after each DROP PARTITION.

3.3 Starting with 4.1.1-TIV-TSOM-FP007 logging level can be changed
    dynamically

Fix Pack 4.1.1-TIV-TSOM-FP007 introduces a mechanism for dynamic logging
level changes. See the technote for details:

  http://www-01.ibm.com/support/docview.wss?rs=3125&context=SSGNRH&q1=log4j&uid=swg21404702&loc=en_US&cs=utf-8&lang=en

3.4 Password encryption

a) Database passwords

   The database password is not hashed in the configuration file and is
   stored in clear text.
   This was resolved by providing a tool to encrypt existing clear-text
   passwords. The encryption tool can be run in the following modes:
   * cms
   * vuln
   * migration

   Syntax:
     >bin/encrypt.sh -c cms|vuln|migration

   In cms mode, passwords are removed from the following files:
   * conf/db/repository_database.xml
   * tomcat/webapps/TSOM-Reports/WEB-INF/classes/conf/db/repository_database.xml
   * Tivoli_Security_Operations_Manager_InstallLog.xml
   * Uninstall_Tivoli Security Operations Manager/installvariables.properties
   * maint/*/installvariables.properties

   In vuln mode, passwords in conf/scanner.conf are encrypted.

   In migration mode, passwords in conf/Migration/migration.xml are
   encrypted.

b) Tomcat passwords

   To encrypt the password in the Tomcat configuration file
   tomcat/conf/server.xml, use the tool specific to it:

     >bin/encrypt_tomcat_pass.sh

   Syntax:
     >./bin/encrypt_tomcat_pass.sh DBPassword

   The generated encrypted password must be stored in the server.xml
   configuration file under tsom/tomcat. The procedure is:

   1) Run the encryption tool as above.
   2) In tomcat/conf/server.xml:
      * replace the clear-text password with the encrypted one;
      * if it does not already exist, set the "digest" attribute on the
        element that holds the password to the value "md5". From then on
        Tomcat compares an MD5 digest instead of the clear-text password.
   3) Restart Tomcat.

   Note that an unsalted MD5 digest is no longer regarded as a strong
   password hash; it is still an improvement over a clear-text password in
   server.xml, so apply it, and keep file permissions on server.xml
   restricted to the TSOM service user.

c) UCM passwords

   The encryption tool for UCM can be invoked by script:
     UNIX systems:     > encrypt.sh
     Windows systems:  > encrypt.bat

   All passwords in the ucm.cfg file will be encrypted. Comment lines in
   ucm.cfg are ignored. The encryption tool for UCM can be executed
   multiple times as new passwords are added to the ucm.cfg file.

3.5 New Device Rules installation tool

As part of Fix Pack 010, a new installer for Device Rules packages is
introduced that replaces the bin/dev_support.sh script.
The new installer installs, uninstalls and displays the installation
history for both the Central Management System (CMS) and the Event
Aggregation Module (EAM) on all Windows and UNIX platforms supported by
TSOM components. The installer works with existing and future Device Rules
packages.

Starting from Fix Pack 010, the most recent Device Rules package is
provided (but not installed) as part of a Fix Pack installation, in the
'devicerules_repository' sub-directory of the TSOM installation directory.
The installer is aware of this default location and uses it when
installing without an explicit path to a Device Rules package. Customers
are encouraged to store manually downloaded Device Rules packages in the
'devicerules_repository' sub-directory of the TSOM installation directory.

The following examples show how to use the new installer for Device Rules
packages:

a) To display information about the installer invocation, go to the TSOM
   installation directory and invoke:
     UNIX systems:  >./bin/devicerules_install.sh help
     Windows:       >bin\devicerules_install.bat help

b) To install the most recent Device Rules package stored in
   'devicerules_repository', invoke:
     UNIX systems:  >./bin/devicerules_install.sh install
     Windows:       >bin\devicerules_install.bat install

c) To install a Device Rules package from an arbitrary location, invoke:
     UNIX systems:
       >./bin/devicerules_install.sh install -file "/home/DeviceRules-20100326.jar"
     Windows:
       >bin\devicerules_install.bat install -file "c:\Program Files\DeviceRules-20100326.jar"

d) To display the installation history and the version of the most
   recently installed Device Rules package, invoke:
     UNIX systems:  >./bin/devicerules_install.sh version
     Windows:       >bin\devicerules_install.bat version

Note: The installer 'version' command does not list Device Rules packages
which were installed manually or were installed incorrectly using the
dev_support.sh script.

3.6 Additional indexes for historical data searches in DB2

To improve historical data searches on large DB2 databases, add additional
indexes on EVENT_DATA_SECURITY_DOMAIN_MAP and EVENT_DATA:

a) Shut down TSOM and the DB2 instance.
b) Start DB2 and log in as the owner of the TSOM database.
c) Connect to the TSOM database (e.g. db2 connect to tsom).
d) Execute the following commands (e.g. db2 -tf <file>). The commands below
   assume that DB2INST1 was used:

     CREATE INDEX DB2INST1.EDSDM_NORM
       ON DB2INST1.EVENT_DATA_SECURITY_DOMAIN_MAP
       ("NORMALIZATION_TIME" ASC, "SECURITY_DOMAIN_ID_FK" ASC,
        "EVENT_DATA_ID_FK" ASC)
       ALLOW REVERSE SCANS;
     COMMIT WORK;
     RUNSTATS ON TABLE DB2INST1.EVENT_DATA_SECURITY_DOMAIN_MAP
       FOR INDEX DB2INST1.EDSDM_NORM;
     COMMIT WORK;
     CREATE INDEX DB2INST1.ED_NORM
       ON DB2INST1.EVENT_DATA
       ("NORMALIZATION_TIME" ASC, "EVENT_DATA_ID" ASC)
       ALLOW REVERSE SCANS;
     COMMIT WORK;
     RUNSTATS ON TABLE DB2INST1.EVENT_DATA FOR INDEX DB2INST1.ED_NORM;
     COMMIT WORK;

e) Start all TSOM services.

Note: The procedure can take hours (depending on the amount of data and
the hardware); plan it for a convenient time.

3.7 Changing TSOM encryption ciphers

To change the cipher suites used by TSOM, add to GenericStageStarter.config
on the CMS, inside the Configuration element, an additional section that
lists the cipher suite names to enable, for example:

  SSL_RSA_WITH_DES_CBC_SHA
  SSL_RSA_FIPS_WITH_DES_CBC_SHA
  ...
  SSL_RSA_WITH_3DES_EDE_CBC_SHA
  SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
  ...

After that, restart the CMS. To debug the cipher suite negotiated by TSOM,
add "-Djavax.net.debug=all" to the Java parameters. For the complete list
of available cipher suites, see the Java Secure Socket Extension (JSSE)
documentation.

The suite names above only illustrate the format: single-DES and
export-grade (DES40) suites are weak and should not be enabled on a
production CMS. Enable only suites that the GUI clients, EAMs and UCMs
connecting to the CMS also support, or they will fail to connect after the
restart.

3.8 New config file for device rules

TSOM 4.1.1 Fix Pack 010 added a configuration file that allows
specification of the Java rules detection/execution order, easy
enabling/disabling of rules and passing of (optional) initialization
parameters.
For that initialization, starting from TSOM 4.1.1 FP010 the ARulesFile API
has been extended by adding the method:

  public void init(String parameterStr)

The method is called right after rule instantiation (e.g. every time the
conduit is restarted/reinitialized). On EAM startup, the rules and
rules/system directories are searched for a rules.conf file. If no such
file is found, all *.java files existing in the directory are used (for
backward compatibility). TSOM 4.1.1 FP010 is required for this config file
support.

Note: For more details see the rules.conf files in the respective conduit
directories.

3.9 New configuration parameters

Starting from TSOM 4.1.1 Fix Pack 010 there are a few new configuration
parameters. All can be changed by updating the TSOM_CONFIGURATION table,
followed by a TSOM CMS restart.

+-----------------------------------+--------------------------------------+
| Parameter                         | Description                          |
+-----------------------------------+--------------------------------------+
| EVENT_TYPE_PAGINATION_FLAG        | Flag to turn on event type           |
|                                   | pagination.                          |
+-----------------------------------+--------------------------------------+
| EVENT_TYPE_PAGINATION_BATCH_LIMIT | Event type pagination batch limit.   |
|                                   | Use both of the above on             |
|                                   | environments with a large number of  |
|                                   | event types (e.g. more than 200      |
|                                   | thousand). By default event type     |
|                                   | pagination is disabled.              |
+-----------------------------------+--------------------------------------+
| DEVICE_RULES_FALLBACK_IP_ADDRESS  | Fallback IP address used when the    |
|                                   | real address does not exist, is not  |
|                                   | defined or is invalid. The default   |
|                                   | is "0.0.0.0"; it can be switched to  |
|                                   | any other address not in real use in |
|                                   | the current installation.            |
+-----------------------------------+--------------------------------------+

3.10 License agreement needed when installing a Fix Pack
Starting from TSOM 4.1.1 Fix Pack 011, the installation requires agreement
to the product license. When installing in graphical or console mode, the
user accepts the license manually. When installing in silent mode, in order
to agree to the product license a response file location needs to be
provided as the Fix Pack installer argument:

  -i silent -f <response_file>

The response file must contain the following line:

  $LICENSE_ACCEPTED$=true

3.11 TCIM and TSOM integration

Starting from TSOM 4.1.1 Fix Pack 011, a new script was added to forward a
portion of events from TSOM to TCIM. The script 'TcimLogger.java', located
in the '<install_dir>/action' directory, creates a file that is constantly
filled with event data in a format that can be read by TCIM. The location
of the output file can be altered by manual modification of the script; by
default it is '/var/log/tcim/audit.log'.

In order to use the script, do the following:

a) Create a condition that filters the events which should be forwarded
   to TCIM.
b) Under the condition, create a script action.
c) Fill in the script contents with the following text (one line):

     TcimLogger.java "--when=$EVENT.TIME" "--where=$EVENT.SENSOR.NAME,$EVENT.SENSOR.TYPE" "--who=-,$EVENT.USER.NAME" "--wherefrom=$EVENT.SRC.NB.NAME,$EVENT.SRC.IP" "--whereto=$EVENT.DEST.NB.NAME,$EVENT.DEST.IP" "--what=$EVENT.TYPE.NAME,user,success" "--onwhat=$EVENT.PROTOCOL.NAME,$EVENT.DEST.IP,$EVENT.DEST.PORT" "--info=$EVENT.INFO.UNQUOTED"

d) Save the configuration.

Note: The script is designed for a basic, low event rate integration with
TCIM. Depending on the TSOM configuration, it can forward only up to 100
events per second. Be sure to use appropriate filters to restrict the
amount of forwarded events.

Note: Starting with TSOM 4.1.1 Fix Pack 013, the action definitions for the
TcimLogger.java and tcimlogger.pl scripts are modified: instead of the
'$EVENT.INFO' token, use the '$EVENT.INFO.UNQUOTED' token.
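The shell script below is an added illustration of why that change was
needed; it is not part of the IBM readme or of TSOM. Its resolve_tokens
function is a stand-in for TSOM's own token resolution, written only from
the rule this readme states (the '$EVENT.INFO' token is replaced by the
info text already wrapped in double quotes, '$EVENT.INFO.UNQUOTED' by the
raw text), and shell_words is a minimal tokenizer that treats an unquoted
parenthesis as the syntax error a real shell reports. The info text is
constructed and mirrors the case of APAR IZ81391 (parentheses in the info
field).

```shell
#!/bin/sh
# Added example (not from the IBM readme): what a script action line looks
# like after token resolution, and how a shell would then split it.
# resolve_tokens is an assumed, simplified model of TSOM's token
# resolution built from the readme's description of the two tokens.

# resolve_tokens TEMPLATE INFO: substitute the two info tokens in TEMPLATE.
# Plain index/substr replacement, so "&", "\" or quotes in INFO are copied
# literally (no regex replacement semantics).
resolve_tokens() {
    TSOM_TEMPLATE="$1" TSOM_INFO="$2" awk '
        function replace_all(s, tok, rep,    out, i) {
            out = ""
            while ((i = index(s, tok)) > 0) {
                out = out substr(s, 1, i - 1) rep
                s = substr(s, i + length(tok))
            }
            return out s
        }
        BEGIN {
            line = ENVIRON["TSOM_TEMPLATE"]; info = ENVIRON["TSOM_INFO"]
            # longer token first, so $EVENT.INFO does not eat its own prefix
            line = replace_all(line, "$EVENT.INFO.UNQUOTED", info)
            line = replace_all(line, "$EVENT.INFO", "\"" info "\"")
            print line
        }'
}

# shell_words LINE: number of words a POSIX shell would make of LINE,
# honouring double quotes only (the quoting used in action definitions),
# or "syntax-error" for an unquoted "(" / ")" or an unbalanced quote.
# Nothing is executed: this is a tokenizer, not an eval.
shell_words() {
    printf '%s\n' "$1" | awk '
        {
            n = 0; inq = 0; inword = 0
            for (i = 1; i <= length($0); i++) {
                c = substr($0, i, 1)
                if (c == "\"") { inq = !inq; inword = 1; continue }
                if (!inq && (c == "(" || c == ")")) { print "syntax-error"; exit }
                if (!inq && c == " ") { if (inword) n++; inword = 0; continue }
                inword = 1
            }
            if (inq) { print "syntax-error"; exit }
            if (inword) n++
            print n
        }'
}

# Constructed info field with parentheses, as a parsed log line might carry.
INFO='login failed (bad password) for bob'

# The recommended definition, the one it replaces, and the bare token.
for tmpl in \
    'TcimLogger.java "--info=$EVENT.INFO.UNQUOTED"' \
    'TcimLogger.java "--info=$EVENT.INFO"' \
    'TcimLogger.java $EVENT.INFO'
do
    line=$(resolve_tokens "$tmpl" "$INFO")
    printf '%-46s -> %s\n' "$tmpl" "$line"
    printf '%-46s    shell words: %s\n' "" "$(shell_words "$line")"
done
```

The second template resolves to TcimLogger.java "--info="login failed (bad
password) for bob"", where the inner quotes close the argument early and
the bare parenthesis is a shell syntax error; the first and third resolve
to two clean words. Because the resolved line is interpreted by a shell, a
double quote inside the info text would still end the quoted argument, so
an action script should treat every argument it receives as untrusted
input.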
The '$EVENT.INFO.UNQUOTED' token is intended for use in bash scripts
whenever it is part of a double-quoted string, e.g.:

  test.sh "Quoted content $EVENT.INFO.UNQUOTED"

The behavior of the '$EVENT.INFO' token remains unchanged: when resolved in
a script action it is already double-quoted by TSOM. Neither token is
quoted in non-script actions, such as ticket creation.

3.12 Host names interpretation update

Fix Pack 012 enhances the interpretation of event source and destination
IPs and names. The following scenarios now lead to consistent behavior:
- when there is a manually (non-auto) defined host and an event contains
  its IP, the host name will be correctly resolved and attached to the
  event;
- the reverse scenario is also true: when the host name is known in the
  event, the correct IP will be resolved and attached to the event;
- when an $EVENT.SRC.HOST.NAME or $EVENT.DEST.HOST.NAME tag is used in an
  action definition, it will be correctly resolved based on any of the
  source/destination IP or host name information that the event contains.

3.13 Messages forwarded by KIWI Syslog

Fix Pack 012 extends the capabilities of Java-based device rules. It is now
possible to pre-process events via a new API and react to event messages
that are altered on the way from their source to TSOM.

The API for Java-based device rules now contains additional file(s) that
are executed before any Java detection and parsing. Each conduit type has
its own file for that purpose, placed in the conduit's rules directory and
named <Conduit>Processing.java. For example, for syslog it is
<install_dir>/conduits/syslog/SyslogProcessing.java. For a more detailed
description see the example file for the syslog conduit. It contains code
commentary with some guidelines and already working preprocessing code that
deals with messages forwarded by the KIWI syslog daemon.
KIWI syslog has a different header format than regular syslog, so to enable
proper detection and parsing of its messages by TSOM device rules, input
messages have to be reformatted to plain syslog. Before Fix Pack 012 this
was possible only in Perl rules.

To use the functionality, ensure that along with Fix Pack 012 you have at
least DRP 2010/09 installed.

3.14 Under heavy load TSOM GUI may not display all processed events

Fix Pack 012 solves the problem where, under a heavy load of events, some
events were not displayed in the TSOM GUI even though all events were
correctly processed and saved by the CMS.

However, other conditions not related to TSOM may result in events not
being displayed in the Event Console or Power Grid of the TSOM GUI. This
happens, for example, when the connection between the CMS and the TSOM GUI
is slow and the CMS cannot deliver all events at the expected speed, or
when the machine where the TSOM GUI is running is slow or does not have
enough resources (CPU, memory) to let the TSOM GUI work at the required
speed.

In such cases, FP012 reports the described conditions both in the CMS log
'tsom_server.log' and in the Java console of the TSOM GUI. The following
messages are displayed:

a) When the CMS buffer used to send event data to the TSOM GUI is full and
   the CMS cannot buffer any more events to be sent to the TSOM GUI, the
   following message appears at 'warning' level:

     "Subscriber [IP Address/Hostname:Port]: receiver can't read events
      fast enough. Dropping started..."

   At the same time (delayed by network transmission) a similar message is
   displayed at 'warning' level in the TSOM GUI's Java console:

     "CMS started dropping events to this GUI."

b) 5 seconds after the CMS buffer is full, the CMS again writes a summary
   message at 'warning' level:

     "Subscriber [IPAddress/Hostname:Port]: X events dropped during last
      5 seconds."

   At the same time (delayed by network transmission) a similar summary is
   displayed at 'warning' level in the GUI's Java console:

     "CMS dropped X events during last 5 seconds."
c) If the GUI still cannot receive events fast enough and the CMS again has
   to start the procedure of reducing the event flow described above, the
   above sequence of messages repeats (both on the CMS and in the GUI).

To ensure that all events are delivered to and displayed by the TSOM GUI,
it is recommended that you use filters on all event-related views (Event
Console and Power Grid). This reduces the expected load of events and
allows all filtered events to be delivered to the GUI. It is also
recommended that you connect the TSOM GUI to the CMS via a high-speed
network and that the machine where the TSOM GUI is launched has enough
resources to let the TSOM GUI run at full speed.

3.15 Easy filtering of erroneous event types

Starting from TSOM 4.1.1 FP013, TSOM provides functionality to filter out
erroneous event types. The 'EVENT_TYPE' table in the TSOM DB now contains
an additional column 'enable'. By default all event types are enabled and
have the value '1' in this column. To filter erroneous event types, do the
following:
- Locate the erroneous event types in the 'EVENT_TYPE' table of the TSOM
  DB.
- Set the 'enable' column of the 'EVENT_TYPE' table to '0' for the
  erroneous event types.
- Restart all components of TSOM (including the CMS, all EAMs and the TSOM
  GUI). This is necessary to rebuild the event type caches stored in TSOM
  components.
- Upon restart, the CMS will not load the erroneous event types, which
  improves CMS performance; however, they will reappear in the system if
  corresponding events arrive. It is therefore crucial to eliminate the
  reason for the creation of erroneous event types.

Note: This is a fail-over functionality intended for use when too many
(over 200,000) event types are accidentally created, which impacts TSOM
performance. After the reason behind the creation of erroneous event types
is identified and eliminated, the erroneous event types should be removed
from the TSOM DB, filtering of event types must be disabled, and the TSOM
infrastructure needs to be restarted again. For details, contact IBM
support.
3.16 Configuring UCM to monitor Windows Event Log

Starting from Fix Pack 013, TSOM UCM supports the following configurations
when monitoring the Windows Event Log:
a. Local Event Log on Windows 2003.
b. Remote Event Log from Windows 2003.
c. Local Event Log on Windows 2008.
d. Remote Event Log from Windows 2008.

Below you can find details on how to set up each configuration:

a. Local Event Log on Windows 2003.
   - Install UCM on the Windows 2003 machine whose logs you want to
     capture.
   - Install Microsoft Log Parser 2.2.
   - Ensure 32-bit IBM Java is used by UCM: check the 'lax.nl.current.vm'
     option in the UCM.lax file located in the UCM installation directory.
   - Ensure UCM.lax contains the path to Microsoft Log Parser in the
     'lax.nl.java.option.additional' option.
   - Enable the 'logparser' tailer (ucm.tailer.logparser.eventlog).
     Examples can be found in ucm.cfg.
   - As 'ucm.tailer.logparser.eventlog.hostname' use the name or IP of the
     local host.
   - Start the 'TSOMUCM' service; UCM will read the required event log.

b. Remote Event Log from Windows 2003.
   - Install UCM on a Windows 2003 or Windows 2008 machine (#1) which has
     access to the Windows 2003 machine that will be monitored remotely
     (#2).
   - On machine #1 install Microsoft Log Parser 2.2.
   - Ensure 32-bit IBM Java is used by UCM: check the 'lax.nl.current.vm'
     option in the UCM.lax file located in the UCM installation directory.
   - Ensure UCM.lax contains the path to Microsoft Log Parser in the
     'lax.nl.java.option.additional' option.
   - Enable the 'logparser' tailer (ucm.tailer.logparser.eventlog).
     Examples can be found in ucm.cfg.
   - As 'ucm.tailer.logparser.eventlog.hostname' use the name or IP of the
     remote host #2.
   - Start the 'TSOMUCM' service; UCM will read the required event log.

c. Local Event Log on Windows 2008.
   - Install UCM on the Windows 2008 machine which needs to be monitored.
   - Ensure IBM Java is used by UCM (it can be 32-bit or 64-bit): check the
     'lax.nl.current.vm' option in the UCM.lax file located in the UCM
     installation directory.
   - Enable the 'wevtutil' tailer (ucm.tailer.wevtutil). Examples can be
     found in ucm.cfg.
   - As 'ucm.tailer.wevtutil.hostname' use the name or IP of the local
     host, or leave it empty.
   - Start the 'TSOMUCM' service; UCM will read the required event log.

d. Remote Event Log from Windows 2008.
   - Install UCM on a Windows 2008 machine (#1) which has access to the
     Windows 2008 machine that will be monitored remotely (#2).
   - Ensure IBM Java is used by UCM (it can be 32-bit or 64-bit): check the
     'lax.nl.current.vm' option in the UCM.lax file located in the UCM
     installation directory.
   - Enable the 'wevtutil' tailer (ucm.tailer.wevtutil). Examples can be
     found in ucm.cfg.
   - As 'ucm.tailer.wevtutil.hostname' use the name or IP of the remote
     host #2.
   - As 'ucm.tailer.wevtutil.remote.user' and
     'ucm.tailer.wevtutil.remote.password' set the credentials of a user
     that can access the Event Log of the remote machine #2. Use a
     dedicated account that only has read access to the event logs rather
     than an administrator account, and run the UCM encryption tool from
     section 3.4 c) after adding the password, since it is otherwise stored
     in ucm.cfg in clear text.
   - In case the machines are members of a Windows domain, update the
     field 'ucm.tailer.wevtutil.remote.domain'; otherwise leave the field
     blank or remove it.
   - Start the 'TSOMUCM' service; UCM will read the required event log.

Note: Remote Windows Event Logs from Windows 2008 cannot be captured if UCM
is installed on Windows 2003. Also, if UCM is intended to monitor both
Windows 2003 and Windows 2008 machines remotely, it needs to be installed
on Windows 2008 and must be launched using 32-bit IBM Java.

3.17 Restoring events from the 'data' directory after the database
     connection was broken

Starting from TSOM 4.1.1 FP013, a new general-purpose tool is provided. It
can be launched using <install_dir>/bin/tsom_cli.sh on UNIX/Linux or
<install_dir>/bin/tsom_cli.bat on Windows. In Fix Pack 013 the tool
provides functionality to investigate the contents of the
<install_dir>/data directory, where events are stored in SQL-like files if
TSOM loses its database connection.
Additionally the tool allows restoring events from the /data directory back
to the TSOM database.

To get help about tsom_cli.sh|bat usage, launch it without arguments or with
the 'help' option:

   > bin/tsom_cli.sh help

To list information about the contents of the 'data' directory, execute:

   > bin\tsom_cli.bat db list stored events

To restore events stored in the 'data' directory back to the TSOM DB without
making a backup of them, use:

   > bin/tsom_cli.sh db restore events

To restore events stored in the 'data' directory back to the TSOM DB and copy
them to a backup directory located in /data_backup, use:

   > bin/tsom_cli.sh db restore events with backup

Note that upon restoration files are removed from the 'data' directory. It is
recommended to make a backup of the 'data' directory before using the tool to
restore events back to the TSOM DB.

4.0 Resolved Problems
--------------------------------------------------------------------------------

Problems fixed by 4.1.1-TIV-TSOM-FP013

APAR IZ91367 (devices)
    PARSING ISSUE WITH AIRMAGNET EVENTS USING SNMP CONDUIT.
APAR IZ90490
    ESTIMATED TOTAL EVENT COUNT AS SEEN FROM TSOM GUI REMAINS UNCHANGED AFTER
    EVENT ARCHIVAL.
APAR IZ88212 (devices)
    TIPPINGPOINT IPS PARSER MAY CREATE RANDOM EVENT_TYPES.
APAR IZ85911 (devices)
    PARSING ISSUE WITH WINDOWS SNARE EVENTS.
APAR IZ85742
    CMS IGNORES SNMP ENGINE ID IN CONF/SNMP.CONF.
APAR IZ83409
    UCM NOT ABLE TO COLLECT EVENTS FROM REMOTE WINDOWS 2008 MACHINES.
APAR IZ81397 (devices)
    PARSING ISSUE WITH AIX AUDIT EVENTS.
APAR IZ81391
    TCIMLOGGER.PL SCRIPT BREAKS WHEN PARENTHESIS ARE IN THE INFO FIELD.
APAR IZ80477
    EVENT DESCRIPTION CAN BE TRUNCATED AFTER INSERTION INTO THE TSOM DATABASE.
APAR IZ79770
    CUSTOMER RUNNING TSOM ON A 'HEADLESS' SOLARIS SERVER CANNOT USE JREPORTS.
INTERNAL DEFECT 3755
    TICKET DIALOG SHOWS EMPTY 'SUMMARY' FIELD IF THE SUMMARY TEXT IS LONGER
    THAN 512 CHARACTERS, WHILE THE 'SUMMARY' COLUMN OF THE TICKETS VIEW
    DISPLAYS CORRECT TEXT.
INTERNAL DEFECT 3748
    ENABLE EASY FILTERING OF ERRONEOUS EVENT TYPES.
INTERNAL DEFECT 3736
    TSOM_CLI: TOOL TO AUTOMATICALLY RESTORE EVENTS STORED IN 'DATA' DIRECTORY
    AFTER THE CONNECTION BETWEEN TSOM CMS AND TSOM DATABASE BREAKS.
INTERNAL DEFECT 3686
    DISALLOW 00:00:00:00:00:00 AS MAC WHEN DEFINING A HOST.
INTERNAL DEFECT 3678
    UCM CONSUMES DISK SPACE EXCESSIVELY WHEN SSL CONNECTION TO UCM IS
    CONFIGURED INCORRECTLY.
INTERNAL DEFECT 3463
    HISTORICAL QUERY PERFORMANCE IMPROVEMENT.

Problems fixed by 4.1.1-TIV-TSOM-FP013

APAR IZ85105 (devices)
    WINDOWS 2008 WEVTUTILPARSER.JAVA PARSER IS NOT SETTING THE CORRECT SENSOR
    TIME.
APAR IZ83505 (devices)
    CHECK POINT CONTROL EVENTS (ACTION=CTL) ARE NOT PARSED PROPERLY.
APAR IZ83035 (devices)
    IP ADDRESSES FOR SOURCE IP SET TO 0.0.0.0 IF THE IPV4 ADDRESS IS
    ENCAPSULATED IN THE IPV6 FORMAT.
APAR IZ81197
    CODE CHANGE REQUIRED FOR NESSUS 4.2 FORMAT.
APAR IZ79282
    PROBLEM WHEN PARSING SYSLOG EVENTS FROM CISCO FORWARDED BY KIWI SYSLOG.
APAR IZ77106
    $EVENT.DEST.HOST.NAME LEFT BLANK IN GENERATED E-MAIL.
APAR IZ77098
    HOST WINDOW DOES NOT POPULATE WITH HOST DATA.
APAR IZ76767
    UNDER HEAVY LOAD TSOM GUI MAY NOT DISPLAY ALL PROCESSED EVENTS.
APAR IZ76755
    EAM FILTER FOR EVENT_TYPE DOES NOT WORK.
INTERNAL DEFECT 3613
    THE MAXIMUM ATTACHMENT SIZE VALUE OF SYSTEM CONFIGURATION/KNOWLEDGEBASE
    DIALOG WAS NOT SAVED.

Problems fixed by 4.1.1-TIV-TSOM-FP011

APAR IZ77865
    "SEVERE: DID NOT FIND THE USER PREFERENCES FILE" MESSAGE IS NORMAL IF NO
    CONFIG HAS BEEN SAVED. LOWER MESSAGE PRIORITY.
APAR IZ75856
    FP 10 INSTALLATION ISSUE WHEN INSTALLER UI MODE DIFFERS BETWEEN GA
    INSTALLATION AND FIX PACK INSTALLATION.
APAR IZ75528
    INTERNATIONALIZATION ISSUE WITH TOP SOURCES/DESTINATIONS GUI.
APAR IZ75170 (devices)
    PROVENTIA G TRAPS ARE NOT BEING PARSED. NO EVENT TYPE, SOURCE OR
    DESTINATION IP ARE PARSED.
APAR IZ75048 (devices)
    FORTIGATE 60 FIREWALL EVENTS NOT PARSING PROPERLY DUE TO A MISSING
    CHARACTER IN CODE.
APAR IZ74908
    TSOM SDEE CONDUIT CRASHED AFTER APPLYING TSOM FP10.
APAR IZ74136
    FOR SOME SRC/DST IP'S IN THE EC OR PG, THE HOST INFORMATION SCREEN IS
    EMPTY.
APAR IZ74075
    ADDING A DESCRIPTION TO AN EVENT TYPE CHANGES ITS SEVERITY TO 0.
APAR IZ73693 (devices)
    WINDOWS EVENTS ARE NOT GETTING PARSED PROPERLY.
APAR IZ72299 (devices)
    TIPPING POINT IPS EVENT CONTAINS UNIX TIME IN MILLISECONDS. THIS VALUE IS
    NOT BEING CONVERTED PROPERLY (TAKEN AS SECONDS).
ER MR0316104716
    TCIM AND TSOM INTEGRATION VIA JAVA ACTION.
INTERNAL DEFECT 3601
    DROPPING EVENTS FROM DEVICE RULES DOES NOT WORK PROPERLY.
INTERNAL DEFECT 3600
    ERROR MESSAGE WHILE INSTALLING ON SOLARIS.
INTERNAL DEFECT 3596
    NUMEROUS CHECKS IN FIX PACK INSTALLER, TO PREVENT ITS EXECUTION WHEN
    PREREQUISITES ARE NOT MET (LIKE MISSING TSOM GA INSTALLATION, MISSING
    INSTALLATION REGISTRY).
INTERNAL DEFECT 3569
    LICENSE AGREEMENT NEEDED WHEN INSTALLING FIX PACK.
INTERNAL DEFECT 3567 (devices)
    AIRDEFENCE7 JAVA PARSER AUTODETECTION UPDATE.

Problems fixed by 4.1.1-TIV-TSOM-FP010

APAR IZ73534
    NO WAY TO KNOW IF DEVICE SUPPORT PACKAGE HAS BEEN UPDATED PROPERLY.
APAR IZ60799
    MAPPING REQUESTED FOR BLUECOAT, AND 0.0.0.0 IP ADDRESSED WITH THE MOST
    LIKELY TO INVESTIGATE AN ORIGIN.
APAR IZ71314
    NEW INDEXES PROPOSED TO IMPROVE HISTORICAL SEARCH PERFORMANCE ON TSOM
    DATABASES WITH LARGE AMOUNTS OF EVENT DATA.
APAR IZ68504
    REPORTS CONSOLE STOPS WORKING AFTER INSTALLING FIX PACK.
APAR IZ70115
    WHEN SCHEDULING REPORTS TO RUN PERIODICALLY EVERY DAY, BEGIN AND END DATE
    FOR EACH EXECUTION IS CALCULATED INCORRECTLY.
APAR IZ70766 (devices)
    SAP 7 EVENTS ARE NOT PARSED BY TSOM.
APAR IZ70403
    KB ARTICLES NOT ASSOCIATED TO EVENT CLASSES AND TYPE.
APAR IZ70880
    MODIFY EXISTING DEVICE RULES PARSING CODE FOR SECURIFY EVENTS.
APAR IZ72465
    CUSTOMER WANTS TO CUSTOMIZE THE ENCRYPTION BETWEEN EAM AND CMS, AND HAS
    REQUESTED A HOW TO DOCUMENT.
APAR IZ72673
    UCM NOT GETTING INSTALLED ON WINDOWS 2003 SERVER WITH SUN JAVA 6.
APAR IZ72979
    ISSUE WITH EVENT CLASS RULE DERAILS THE EVENT CLASSIFICATION.
APAR IZ53255
    SUPPORT FOR ISS PROVENTIA M SERIES THROUGH SNMP.
APAR IZ61671
    TOP SOURCES/TOP DESTINATION VIEW MAY NOT WORK PROPERLY.
APAR IZ66580
    CMS STOPS PROCESSING EVENTS.
APAR IZ65973
    ARBOR PEAK FLOW - SP EVENTS SHOW UP AS X.
APAR IZ69816 (devices)
    SSHD EVENTS ARE NOT GETTING PARSED PROPERLY.
APAR IZ70322
    IF TICKETS ARE SORTED BY TIME IN DESCENDING ORDER, NEWLY CREATED TICKETS
    ARE INSERTED AT THE BOTTOM OF THE LIST, NOT THE TOP.
APAR IZ68797
    FORMAT CLIENT USED IS NOT WORKING FOR BLUECOAT PROXY.
APAR IZ49799 (FIN)
    TSOM 3.X CHECKPOINT CONDUIT CORE DUMP. THIS PROBLEM HAS BEEN RECTIFIED IN
    TSOM 4.1.1 AND THIS APAR WILL CLOSE WITHOUT A CODE CHANGE IN 3.1 RELEASE.
APAR IZ50743 (UR3)
    TSOM PROCESSES NEED TO RUN AS A NON-PRIVILEGED USER. THIS PROBLEM WILL BE
    FIXED WHEN A NEW RELEASE OF TSOM IS PUBLISHED. APAR WILL CLOSE WITHOUT A
    CODE CHANGE IN 4.1.1 RELEASE.
APAR IZ67305 (devices)
    TSOM NOT CORRECTLY PARSING CERTAIN EVENTS FROM PIX/ASA.
APAR IZ67584 (doc)
    HOW TO UPGRADE TO LATEST VERSION OF TOMCAT FOR TSOM 4.1.1.
    http://www-01.ibm.com/support/docview.wss?rs=3125&context=SSGNRH&uid=swg21416941&loc=en_US&cs=UTF-8&lang=en
APAR IZ68019 (doc)
    FAIL-SAFE FOR REMOTE AUTHENTICATION FAILURE NOT DOCUMENTED. CUSTOMER IS
    UNAWARE OF HOW TO RECOVER FROM LDAP FAILURE.
    http://www-01.ibm.com/support/docview.wss?rs=3125&context=SSGNRH&uid=swg21417142&loc=en_US&cs=utf-8&lang=en
APAR IZ67486
    ORDER IN WHICH THE DATA IS DISPLAYED FOR "TOP N EVENTS FOR EVENT CLASS"
    WITH DB2 AS BACK-END DATABASE IS NOT CORRECT.
APAR IZ67484 (devices)
    WINDOWS EVENTS THROUGH SNMP DO NOT HAVE SOURCE/DESTINATION IP ADDRESS
    PARSED.
APAR IZ67330 (devices)
    MCAFEE EPO 4 EVENTS DO NOT HAVE PROPER EVENT TYPE.
APAR IZ66646
    ALTERING COLUMN ORDER AND SORT ORDER IN TICKET WINDOW DOES NOT SAVE WHEN
    TSOM CLIENT IS CLOSED.
APAR IZ59820
    NETSCREEN IDP 100 EVENTS COMING IN WITH GENERIC SYSLOG AS SENSOR TYPE.

Problems fixed by 4.1.1-TIV-TSOM-LA009

APAR IZ66457
    EAM DOES NOT CONNECT TO THE CMS.
Problems fixed by 4.1.1-TIV-TSOM-FP008

APAR IZ65378
    TSOM NOT CORRECTLY PARSING CERTAIN EVENTS FROM PIX/ASA.
APAR IZ65441
    TSOM NOT CORRECTLY PARSING CERTAIN EVENTS FROM WEBSEAL.
APAR IZ65435 (devices)
    TSOM NOT CORRECTLY PARSING CERTAIN EVENTS FROM PIX.
APAR IZ51558
    EVENT CONSOLE AND POWER GRID NETBLOCK BASED FILTERS NOT WORKING PROPERLY.
APAR IZ62954
    CONNECTION OF THE CMS BREAKS WITH THE DATABASE.
APAR IZ62983
    PERFORMANCE HIT FOR SYSTEMS WITH A VERY HIGH NUMBER OF WATCHLISTS.
APAR IZ64149
    PASSWORD DISPLAYED IN CLEAR TEXT IN ALL CONFIG FILES.
APAR IZ65152
    WEBSEAL LOGS DON'T ROLLOVER WHEN UCM IS CONFIGURED TO TAIL THEM.
APAR IZ66172
    THE DEFAULT UCM.CFG FILE HAS A TYPO WHICH COULD CAUSE CONFIGURATION
    CONFUSION AND ERRORS.
APAR IZ62495
    LOCAL WATCHLISTS WINDOW SIZE FIXED. ADD/CHANGE/DELETE BUTTONS CAN BECOME
    HIDDEN UNDER PARENT WINDOW EDGE.
APAR IZ60100
    RESIDENT APPLICATION VIEW UNDER THE PROPERTIES TAB FOR ANY HOST DOES NOT
    WORK PROPERLY.
APAR IZ63943
    PROBLEM WITH PARSING CHINESE CHARACTERS IN SYSLOG.
APAR IZ63762 (devices)
    LDAP CONNECTION ID DETAILS OF IPLANET EVENTS ARE NOT BEING DISPLAYED.
APAR IZ63569
    WHEN A NEW SENSOR IS CONFIGURED VIA AUTOCONFIGURE (ONLY) THE SENSOR
    CANNOT BE ACCEPTED (ACCEPT & REJECT GRAYED OUT).
APAR IZ64704 (devices)
    RSA/ACE MANAGEMENT SERVER EVENTS DO NOT PARSE DUE TO ITS SET UP IN
    NS_SYSLOG.RULES AS THE ANTIQUATED ETYPE EVENT.
APAR IZ61686
    POWERGRID FILTERS DO NOT WORK CORRECTLY.
APAR IZ59596
    UNABLE TO CONFIGURE SSL FOR UCM ON SOLARIS.
APAR IZ58393
    EAM GIVES MALFORMEDINPUTEXCEPTION ERRORS.
APAR IZ63560 (devices)
    CISCO ACS EVENTS ARE IMPROPERLY PARSED.
APAR IZ60526
    SNMP CONDUIT NOT CORRECTLY POPULATING $TRAPID WITH THE OID VALUE.
APAR IZ61965
    IIS PARSER DOES NOT REMOVE IIS HEADER. BATCH INSERT FAILS.
APAR IZ63356 (devices)
    TSOM IS NOT PROVIDING PIX SYSLOG SRC, DST, AND UID INFORMATION.
APAR IZ55591
    NESSUS 3.X AND 4.X SCAN RESULTS FILE DOES NOT WORK WITH VULNIMPORT
    UTILITY.
APAR IZ55577
    TSOM 4.1.1 VULNIMPORT UTIL WOULD NOT WORK WITH FOUNDSTONE 6.5/7.X.
APAR IZ58730
    SENSOR SELECTION FOR REPORTS CREATION DOES NOT RETURN THE CORRECT RESULT.
APAR IZ60394
    TICKETS VIEW GIVES A TIME-OUT ERROR.

Problems fixed by 4.1.1-TIV-TSOM-FP007

APAR IZ58989
    TSOM/TOMCAT FAILS TO INSTALL WHEN NOT USING THE DEFAULT DIRECTORY.
    http://www-01.ibm.com/support/docview.wss?rs=3125&context=SSGNRH&q1=C+drive&uid=swg21403929&loc=en_US&cs=utf-8&lang=en
APAR IZ60123
    ADD/REMOVE PROGRAMS CANNOT UNINSTALL TSOM UCM. ERROR: AN ERROR OCCURRED
    WHILE TRYING TO REMOVE. MAY ALREADY BE UNINSTALLED.
APAR IZ60117
    TICKETS SHOW UP TWICE FOR NON ADMIN USERS.
APAR IZ59821
    COPY/PASTE FUNCTION OF RULES DOES NOT WORK.
APAR IZ52607
    CONFIGURING MULTIPLE CHECKPOINTS ONTO A SINGLE EAM WITH IF 03 ON TSOM
    4.1.1 NEEDS A RESTART OF THE CMS.
APAR IZ52882
    CUSTOMER IS GETTING "DUPLICATE SENSOR NAME" ERROR WHILE CREATING EAM.
APAR IZ50915
    INTERIM FIX 03 GETS INSTALLED IN C:\PROGRAM FILES\IBM\TSOM\ IRRESPECTIVE
    OF TSOM BEING INSTALLED ON A DIFFERENT DRIVE.
APAR IZ53747
    EXTENSIVE CMS-DATABASE COMMUNICATION UNDER LOAD WITH RELATIVELY HIGH
    'NEW' HOSTS FRACTION.
APAR IZ52884
    "CONNECTION TIMED OUT" POPUP ERROR WHEN OPENING PUBLIC_MASTER_NETBLOCK.
    NETBLOCK CONTAINS 3 MILLION HOSTS.
APAR IZ59902 (devices)
    EVENTS FROM MICROSOFT EXCHANGE SERVER 2003 DO NOT HAVE THE OBJECT NAME.
APAR IZ54879 (devices)
    CISCO ASA EVENTS HAVE THE SENSOR CLASS SET TO OS, BUT SHOULD BE SET TO
    FIREWALL.
APAR IZ55996 (devices)
    IP ADDRESS DOES NOT GET PARSED FROM CISCO IOS 12X TCP-6-BADAUTH EVENTS.
APAR IZ55215
    CISCO NIDS EVENTS NEED TO HAVE THE SIGNATURE ID PARSED.
APAR IZ49811
    WEBSEAL LOG FILES NOT BEING READ.
APAR IZ54255 (devices)
    THE USERNAME IS NOT PARSED OUT OF A CISCO IOS EVENT BY THE SYSLOG
    CONDUIT.

Problems fixed by 4.1.1-TIV-TSOM-IF006

APAR IZ54449
    WITH FP 04 ON TSOM 4.1.1, THE CMS MAY START FACING A MEMORY LEAK ISSUE.
APAR IZ53550
    VULNIMPORT FAILS TO CONNECT TO QUALYS DUE TO UNKNOWN PROTOCOL "HTTPS",
    RUNNING ON THE SOLARIS PLATFORM.
APAR IZ54448
    WITH FP 04 ON TSOM 4.1.1, THE SAME CHECKPOINT EVENT MAY COME IN MORE THAN
    ONCE INTO TSOM.
APAR IZ57753
    SDEE CONDUIT STOPS WORKING AFTER RUNNING FINE FOR SOME TIME.
APAR IZ58261
    IP ADDRESS FILTERS ON EAM NOT FUNCTIONING.

Problems fixed by 4.1.1-TIV-TSOM-FP004

APAR IZ46175
    PARSING ISSUE WITH CISCO ASA DEVICE.
APAR IZ53012
    PARSING ISSUE WITH CISCO IPS USING THE SDEE CONDUIT.
APAR IZ48223
    CHECKPOINT CONDUIT[S] STOPS SENDING EVENTS TO EAM.
INTERNAL DEFECT 3239
    NO PAUSE WHEN INVESTIGATING EVENTS. THE EVENT CONSOLE/TOP SOURCES/TOP
    DESTINATIONS DOES NOT PAUSE INCOMING EVENTS WHEN YOU CLICK ON A ROW ITEM
    AS IT DID IN THE PAST. NOW, IF AN EVENT OF CONCERN SCROLLS BY IT IS
    NECESSARY TO EXPLICITLY CLICK ON THE PAUSE/PLAY BUTTON, WHEREAS IN
    PREVIOUS VERSIONS SIMPLY CLICKING ON A ROW ITEM WOULD INVOKE THE PAUSE
    ACTION.
INTERNAL DEFECT 3240
    INVESTIGATION WINDOW DISAPPEARS. AS NEW EVENTS ARE DRAWN THE RIGHT-CLICK
    MENU DATA IS TERMINATED. THIS MEANS AN EXPLICIT PAUSE MUST BE ISSUED
    BEFORE THERE IS ANY CHANCE OF SUCCESSFULLY EXECUTING THE 'SHOW EVENT
    DETAILS' RIGHT-CLICK POP-UP MENU.
INTERNAL DEFECT 3296
    FILTERING BASED ON 'HOST NAME' COLUMN DOESN'T WORK IN 'TOP SOURCES' AND
    'TOP DESTINATIONS' VIEWS.
INTERNAL DEFECT 3295
    FILTERING BASED ON 'WATCHLIST' COLUMN DOESN'T WORK IN 'TOP SOURCES' AND
    'TOP DESTINATIONS' VIEWS.
INTERNAL DEFECT 3245
    TEXT SEARCH CASE SENSITIVITY. THE 'CONTAINS' SEARCH ENTITY WAS CASE
    SENSITIVE; NOW THE USER CAN CHOOSE AN OPTION REGARDING CASE SENSITIVITY.
APAR IZ52955
    CAN CREATE AND DELETE BUT CANNOT MODIFY EXISTING ROLES. RECEIVE "CAN NOT
    UPDATE ROLE" ERROR MESSAGE.
APAR IZ47012
    ONCE EVERY 2-3 DAYS CMS WOULD CORE DUMP.
APAR IZ47026
    SYSLOG AND UCM EVENTS WOULD STOP FLOWING FROM EAM TO CMS.
APAR IZ51121
    ERRORS RELATED TO THE CHECK POINT CODE ADDITION.
APAR IZ50903
    SOME FIELDS IN THE TSOM GUI ARE NOT UPDATABLE IF THE OS LANGUAGE IS SET
    TO PORTUGUESE (BRAZIL).
APAR IZ51191
    LARGE NUMBER OF TICKETS CAUSES A DB2 QUERY ERROR WITH SQLSTATE:54001
    STATEMENT TOO LONG OR TOO COMPLEX.
APAR IZ50828
    A '$' IN THE INFO FIELD CAUSES THE STRING '$EVENT.INFO' TO POPULATE A
    TICKET'S SUMMARY OR E-MAIL BODY CREATED BY AN ACTION.

Problems fixed by 4.1.1-TIV-TSOM-IF003

APAR IZ27430
    EAMS & SENSORS: UI FAILING TO LOAD SENSOR IDENTIFIER LIST ON START-UP AND
    EAMS & SENSORS VIEW FAILS TO LOAD AS WELL.
APAR IZ38257
    LEA_X.CONF GETTING OVERWRITTEN WHEN CHECKPOINT CONDUIT IS STARTED.
APAR IZ32568
    EXTREMELY HIGH CPU LOAD THEN GUI LOCKUP ON LARGE THREAT VIEW.
APAR IZ40155
    USERNAME AND USERCONTEXT BEING DROPPED BY SNMP CONDUIT.
APAR IZ40118
    WATCHLISTS ARE 'UNATTACHED' WHEN DUPLICATE ADDRESSES ARE CONFIGURED.
APAR IZ45708
    ALLOW OPSEC TO CONNECT TO MULTIPLE CHECKPOINT DEVICES.
INTERNAL DEFECT 3220
    FLAW IN LOGIC IN UCMPARSER WOULD ONLY ALLOW ONE JAVA RULES FILE TO BE
    CHECKED FOR EVENT COMPATIBILITY.
INTERNAL DEFECT 3199
    ADDED CLEAR CHANNEL HANDLING.
INTERNAL DEFECT 3198
    ADDED THE FUNCTIONALITY TO MATCH THE LANGUAGE SELECTED IN REPORTS
    ADVANCED FORMAT TO THE BROWSER LOCALE.
INTERNAL DEFECT 3224
    BREAKING SUPPORT FOR WINDOWS 2003 IN INSTALLER. PROBLEMS CAUSED BY JVM ON
    LINUX: JAVA OUT OF MEMORY AND SNMP PROBLEM.

Problems fixed by 4.1.1-TIV-TSOM-IF002

APAR IZ25896
    PERFORMANCE DEGRADATION WITH MULTIPLE CLIENTS CONNECTED.
APAR IZ29743
    IF TOKEN REF $EVENT.INFO CONTAINS DOUBLE QUOTES TSOM RETURNS BLANK.
APAR IZ31058
    WINDOWS SYSLOG ADDS DEBUG TO MESSAGES.
APAR IZ33559
    EAM FILTER: DUPLICATE FILTER ISSUE.
APAR IZ34660
    SNMP V3 ENGINE ID NEEDS TO BE STORED IN OCTET STRING FORMAT.
APAR IZ33759
    SYSLOG BINDING TO PORT 514.
APAR IZ37268
    TSOM 4.1.1 CMS CORE DUMP / HEAP DUMP.
APAR IZ38624
    SNMP MESSAGES LOST ON HEAVILY LOADED EAM.
APAR IZ39499
    PERFORMANCE FIX FOR HOST CREATION QUEUE.
APAR IZ39500
    EAM MEMORY LEAK FROM APACHE COMMONS POOL.
Problems fixed by 4.1.1-TIV-TSOM-IF001

APAR IZ32566
    EAM CRASHES OR HANGS AFTER EVERY FEW HOURS WITH PERL ERRORS.
APAR IZ27248
    TSOM 4.1.1 INIT SCRIPT POINTING TO WRONG TOMCAT SCRIPTS.
APAR IZ27280
    4.1.1 UCM INSTALLER FOR WINDOWS BROKE.
APAR IZ29081
    A NEW SENSOR IS CREATED FOR EVERY EVENT THAT THE JAVA RULE PROCESSES.
APAR IZ29719
    CMS RUNS OUT OF MEMORY ON SYSTEMS WITH OVER 300'000 HOSTS.
APAR IZ29739
    GUI HELP --> ABOUT STILL SHOWS 4.1.0 AFTER UPGRADE.

5.0 Contacting customer support
--------------------------------------------------------------------------------

Support for Tivoli Security Operations Manager products, including
documentation, FixPaks, and APAR information is provided at:

http://www-306.ibm.com/software/sysmgmt/products/support/IBMTivoliSecurityOperationsManager.html?S_CMP=rnav

IBM hardware, software, and systems support
* 1-800-IBM-SERV (1-800-426-7378)

6.0 Notices and trademarks
--------------------------------------------------------------------------------

IBM may not offer the products, services, or features discussed in this
document in all countries. Consult your local IBM representative for
information on the products and services currently available in your area.
Any reference to an IBM product, program, or service is not intended to
state or imply that only that IBM product, program, or service may be used.
Any functionally equivalent product, program, or service that does not
infringe any IBM intellectual property right may be used instead. However,
it is the user's responsibility to evaluate and verify the operation of any
non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter
described in this document. The furnishing of this document does not give
you any license to these patents. You can send license inquiries, in
writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the
IBM Intellectual Property Department in your country/region or send
inquiries, in writing, to:

IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106, Japan

The following paragraph does not apply to the United Kingdom or any other
country/region where such provisions are inconsistent with local law:
INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS
IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT
NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY,
OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of
express or implied warranties in certain transactions; therefore, this
statement may not apply to you.

This information could include technical inaccuracies or typographical
errors. Changes are periodically made to the information herein; these
changes will be incorporated in new editions of the publication. IBM may
make improvements and/or changes in the product(s) and/or the program(s)
described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for
convenience only and do not in any manner serve as an endorsement of those
Web sites. The materials at those Web sites are not part of the materials
for this IBM product, and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it
believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the
purpose of enabling: (i) the exchange of information between independently
created programs and other programs (including this one) and (ii) the mutual
use of the information that has been exchanged, should contact:

IBM Canada Limited
Office of the Lab Director
8200 Warden Avenue
Markham, Ontario
L6G 1C7
CANADA

Such information may be available, subject to appropriate terms and
conditions, including in some cases payment of a fee.

The licensed program described in this document and all licensed material
available for it are provided by IBM under terms of the IBM Customer
Agreement, IBM International Program License Agreement, or any equivalent
agreement between us.

Any performance data contained herein was determined in a controlled
environment. Therefore, the results obtained in other operating environments
may vary significantly. Some measurements may have been made on
development-level systems, and there is no guarantee that these measurements
will be the same on generally available systems. Furthermore, some
measurements may have been estimated through extrapolation. Actual results
may vary. Users of this document should verify the applicable data for their
specific environment.

Information concerning non-IBM products was obtained from the suppliers of
those products, their published announcements, or other publicly available
sources. IBM has not tested those products and cannot confirm the accuracy
of performance, compatibility, or any other claims related to non-IBM
products. Questions on the capabilities of non-IBM products should be
addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to
change or withdrawal without notice, and represent goals and objectives
only.

This information may contain examples of data and reports used in daily
business operations.
To illustrate them as completely as possible, the examples include the names
of individuals, companies, brands, and products. All of these names are
fictitious, and any similarity to the names and addresses used by an actual
business enterprise is entirely coincidental.

This information may contain sample application programs, in source
language, which illustrate programming techniques on various operating
platforms. You may copy, modify, and distribute these sample programs in any
form without payment to IBM for the purposes of developing, using,
marketing, or distributing application programs conforming to the
application programming interface for the operating platform for which the
sample programs are written. These examples have not been thoroughly tested
under all conditions. IBM, therefore, cannot guarantee or imply reliability,
serviceability, or function of these programs.

Trademarks

IBM, Tivoli Security Operations Manager, DB2, and AIX are trademarks of
International Business Machines Corporation in the United States, other
countries, or both.

Check Point FireWall-1, the Check Point logo, OPSEC, Site-Manager-1,
SmartCenter Pro are trademarks or registered trademarks of Check Point
Software Technologies Ltd. or its affiliates.

Red Hat and Red Hat Linux are registered trademarks of Red Hat Incorporated.

Oracle and Oracle 10g are registered trademarks of Oracle Incorporated.

Solaris and Solaris 10 are registered trademarks of Sun Microsystems
Incorporated.

Windows is a registered trademark of Microsoft Corporation in the United
States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and
other countries.

Other company, product, or service names may be trademarks or service marks
of others.