How do I set up additional alert views for iSeries using Intrusion Manager for iSeries?
How do I define views in Security Manager Intrusion Manager for CPF messages sent by PSDetect?
NetIQ Security Solutions for iSeries 8.0
Security Manager 5.1
Security Manager 5.5
Alerts sent from PSDETECT to Security Manager Intrusion Manager are based upon the message ID. Intrusion Manager for iSeries has pre-defined views, such as:
- Invalid Signon Attempts
- QAUDCTL System Values Changed
- QSECOFR Signon Successes
- Rejected Remote Requests
- Serious Storage Condition Detected
- All other iSeries Alerts
You can add additional iSeries views to Intrusion Manager by adding a record to the PSECLASS file on the iSeries, an iSeries event processing rule in Security Manager, and a corresponding alert view in Security Manager.
To add a record to the PSECLASS file:
- On the iSeries system where PSDetect is installed, add a record to the PSECLASS file in library PSCOMMON with a unique classification ID. iSeries classifications are in the
D is the domain (1 = Audit, 2 = Secure, and 3 = Detect),
P is the platform (4 = AS/400),
C is the category of the event, and
E is the event identifier. Event identifiers lower than 9000 are reserved for future use by NetIQ.
For example, a classification in the PSECLASS file would read 18.104.22.16800 on the iSeries and 304019000 on Security Manager.
- Type ADDLIBLE PSCOMMON and press Enter.
- Type the following command and press Enter:
PSRUNSQL REQUEST('insert into PSCOMMON/PSECLASS (PSEMSGID, PSECLASS, PSEUSRDTA) VALUES(''
CPFXXXX is the message ID for which you are monitoring,
D.P.C.E is the classification, and
PSEUSRDTA is specific text in the message. This value can be left blank.
- Type RMVLIBLE PSCOMMON and press Enter.
To add an iSeries event processing rule:
- Open the Security Manager Development console.
- Expand the Processing rules groups on the left-hand side of the screen and then expand Intrusion Manager for iSeries.
- Select Event processing rules.
- Copy and paste an existing rule.
- Double-click the pasted rule.
- Change the name in the General tab to reflect the message ID added for PSEWORK.
- Select the Alert tab and click Custom fields.
- Change the value in the CustomField1: field to the classification value used in the PSECLASS file on the iSeries. Enter this number without periods. For example, the classification 22.214.171.12400 in the PSECLASS file is 304019000 in Security Manager.
- Click OK.
- Click Apply.
- Click OK.
To add a new alert view:
- Open the Security Manager Monitor console.
- Expand Security Manager root console > Monitor > Security Views > Intrusion Manager for iSeries.
- Right-click the Intrusion Manager for iSeries item and select New Alert View.
- On the Alert view properties window, specify Alerts that satisfy specified criteria and click Next.
- Select from specified source and click on the highlighted "specified" word in the View description window.
- In the Alert Source window, type
- Click OK to close the Alert Source window.
- Select with specified string in CustomField 1.
- Click on the highlighted "specified string" word in the View Description window.
- Specify the classification value. For this example, the classification value is
- Click OK to close the Custom Field window.
- Click Next.
- Specify an appropriate view name and description.
- Click Finish.
Now that both the processing rule and the alert view have been set up, you should be able to receive events from PSDETECT, using the MSGID specified in the PSECLASS file, on the Security Manager Incident console.
For more information on using the PSESNDALR command in PSDETECT, see NetIQ Knowledge Base article NETIQKB53988: How do I configure PSDetect to send alerts to Security Manager?