How do I set up additional alert views for iSeries using Intrusion Manager for iSeries? (NETIQKB52363)

  • 7752363
  • 02-Feb-2007
  • 08-Oct-2007

Resolution

goal
How do I set up additional alert views for iSeries using Intrusion Manager for iSeries?

goal
How do I define views in Security Manager Intrusion Manager for CPF messages sent by PSDetect?

fact
NetIQ Security Solutions for iSeries 8.0

fact
Security Manager 5.1

fact
Security Manager 5.5

fact
PSDetect 8.0

fix

Alerts sent from PSDETECT to Security Manager Intrusion Manager are based upon the message ID. Intrusion Manager for iSeries has pre-defined views, such as:

  • Invalid Signon Attempts
  • QAUDCTL System Values Changed
  • QSECOFR Signon Successes
  • Rejected Remote Requests
  • Serious Storage Condition Detected
  • All other iSeries Alerts

You can add additional iSeries views to Intrusion Manager by adding a record to the PSECLASS file on the iSeries, an iSeries event processing rule in Security Manager, and a corresponding alert view in Security Manager.

To add a record to the PSECLASS file:

  1. On the iSeries system where PSDetect is installed, add a record to the PSECLASS file in library PSCOMMON with a unique classification ID. iSeries classifications are in the D.P.C.E format, where D is the domain (1 = Audit, 2 = Secure, and 3 = Detect), P is the platform (4 = AS/400), C is the category of the event, and E is the event identifier. Event Identifiers lower than 9000 are reserved for future use by NetIQ.

    For example, a classification in the PSECLASS file would read 3.4.1.9000 on the iSeries and 304019000 on Security Manager.

  2. Type ADDLIBLE PSCOMMON and press Enter.
  3. Type the following command and press Enter:

    PSRUNSQL REQUEST('insert into PSCOMMON/PSECLASS (PSEMSGID, PSECLASS, PSEUSRDTA) VALUES(''CPFXXXX'', ''D.P.C.E'', ''PSEUSRDTA'')')

    where CPFXXXX is the message ID you are monitoring for, D.P.C.E is the classification, and PSEUSRDTA is specific text in the message; the PSEUSRDTA value can be left blank.

  4. Type RMVLIBLE PSCOMMON and press Enter.

To add an iSeries event processing rule:

  1. Open the Security Manager Development console.
  2. Expand the Processing rules groups on the left-hand side of the screen and then expand Intrusion Manager for iSeries.
  3. Select Event processing rules.
  4. Copy and paste an existing rule.
  5. Double-click the pasted rule.
  6. Change the name in the General tab to reflect the message ID added for PSEWORK.
  7. Select the Alert tab and click Custom fields.
  8. Change the value in the CustomField1: field to the classification value used in the PSECLASS file on the iSeries. Enter this number without periods; as the example shows, the platform and category are zero-padded to two digits and the event identifier to four. For example, the classification 3.4.1.9000 in the PSECLASS file is 304019000 in Security Manager.
  9. Click OK.
  10. Click Apply.
  11. Click OK.

To add a new alert view:

  1. Open the Security Manager Monitor console.
  2. Expand Security Manager root console > Monitor > Security Views > Intrusion manager for iSeries.
  3. Right-click on the Intrusion manager for iSeries item and select New Alert View.
  4. On the Alert view properties window, specify Alerts that satisfy specified criteria and click Next.
  5. Select from specified source and click on the highlighted "specified" word in the View description window.
  6. In the Alert Source window, type VigilEntAgent.
  7. Click OK to close the Alert Source window.
  8. Select with specified string in CustomField 1.
  9. Click on the highlighted "specified string" word in the View Description window.
  10. Specify the classification value. For this example, the classification value is 304010015.
  11. Click OK to close the Custom Field window.
  12. Click Next.
  13. Specify an appropriate view name and description.
  14. Click Finish.
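The three procedures above share one detail that is easy to get wrong: the same classification is written as D.P.C.E in the PSECLASS file but as a single padded number in the CustomField1 of the processing rule and the alert view, and the PSRUNSQL statement nests an SQL literal inside a CL string. The following Python helper is an added example, not code from the NetIQ article or from the PSDetect product. It assumes, from the two conversions shown on the page (3.4.1.9000 to 304019000 and 304010015 for 3.4.1.15), that the platform and category are zero-padded to two digits and the event identifier to four; the message-ID pattern it checks, the sample message ID CPF1234 and all function names are likewise assumptions made for this example.

```python
import re

# Classification layout inferred from the two examples on the page
# (3.4.1.9000 -> 304019000, 304010015 -> 3.4.1.15): D is one digit,
# P and C are zero-padded to two digits, E to four. This padding is an
# assumption for this example, not a documented NetIQ rule.
DOMAINS = {1: "Audit", 2: "Secure", 3: "Detect"}
PLATFORM_AS400 = 4
FIRST_CUSTOM_EVENT = 9000  # identifiers below this are reserved by NetIQ

# Assumed shape of an iSeries message ID such as CPFXXXX: seven uppercase
# alphanumeric characters, the first one a letter.
_MSGID_RE = re.compile(r"^[A-Z][A-Z0-9]{6}$")


def parse_classification(text):
    """Split 'D.P.C.E' into four integers and check each against the page's ranges."""
    parts = text.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"classification must be D.P.C.E digits, got {text!r}")
    d, p, c, e = (int(x) for x in parts)
    if d not in DOMAINS:
        raise ValueError(f"domain {d} is not 1 (Audit), 2 (Secure) or 3 (Detect)")
    if p != PLATFORM_AS400:
        raise ValueError(f"platform {p} is not 4 (AS/400)")
    if not 0 <= c <= 99:
        raise ValueError(f"category {c} does not fit two digits")
    if not 0 <= e <= 9999:
        raise ValueError(f"event identifier {e} does not fit four digits")
    return d, p, c, e


def to_custom_field(text):
    """Render D.P.C.E as the CustomField1 value Security Manager expects."""
    d, p, c, e = parse_classification(text)
    return f"{d}{p:02d}{c:02d}{e:04d}"


def from_custom_field(value):
    """Reverse of to_custom_field: '304010015' -> '3.4.1.15', for checking a view."""
    if len(value) != 9 or not value.isdigit():
        raise ValueError(f"CustomField1 value must be nine digits, got {value!r}")
    d, p, c, e = int(value[0]), int(value[1:3]), int(value[3:5]), int(value[5:])
    return f"{d}.{p}.{c}.{e}"


def _sql_literal(text):
    """Quote a string for SQL, doubling any embedded single quote."""
    return "'" + text.replace("'", "''") + "'"


def build_psrunsql(msgid, classification, user_data=""):
    """Build the PSRUNSQL command that inserts one record into PSCOMMON/PSECLASS.

    Both the SQL statement and the CL REQUEST() parameter delimit strings with
    single quotes, so a quote inside user data is doubled twice: once for the
    SQL literal, then again because the whole statement sits in a CL string.
    """
    if not _MSGID_RE.match(msgid):
        raise ValueError(f"message ID {msgid!r} does not look like CPFXXXX")
    d, p, c, e = parse_classification(classification)
    if e < FIRST_CUSTOM_EVENT:
        raise ValueError(f"event identifier {e} is reserved for NetIQ; use 9000 or higher")
    normalized = f"{d}.{p}.{c}.{e}"
    sql = (
        "insert into PSCOMMON/PSECLASS (PSEMSGID, PSECLASS, PSEUSRDTA) "
        f"VALUES({_sql_literal(msgid)}, {_sql_literal(normalized)}, {_sql_literal(user_data)})"
    )
    return "PSRUNSQL REQUEST('" + sql.replace("'", "''") + "')"


if __name__ == "__main__":
    # CPF1234 is a constructed sample message ID, not one taken from the article.
    print(to_custom_field("3.4.1.9000"))          # value for CustomField1
    print(build_psrunsql("CPF1234", "3.4.1.9000"))  # command to type on the iSeries
    print(build_psrunsql("CPF1234", "3.4.1.9000", "user's profile"))
```

Running the block prints the CustomField1 value and the exact PSRUNSQL line to type after ADDLIBLE PSCOMMON. The double escaping is the security-relevant part: PSEUSRDTA is free text copied from the message, and an apostrophe in it that is escaped only once would end the SQL literal early and either break the insert or change the record that is written.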

Now that both the processing rule and the alert view have been set up, you should be able to see events from PSDETECT for the MSGID specified in the PSECLASS file in the Security Manager Incident console.


note
For more information on using the PSESNDALR command in PSDETECT, see NetIQ Knowledge Base article NETIQKB53988: How do I configure PSDetect to send alerts to Security Manager?

Additional Information

Formerly known as NETIQKB52363