I'm getting a permissions error when running a forensics query for iSeries. (NETIQKB71178)

  • 7771178
  • 31-Jul-2008
  • 28-Mar-2012

Environment

NetIQ Security Manager 6.x

Forensics Reports

Situation

I'm getting a permissions error when running a forensics query.

Resolution

You must have access to the LAS and the LogManagerConfiguration DB servers in order to resolve this issue.

  1. Using the Log Archive Data Viewer, find and open an iSeries event.
  2. Highlight and copy the value (guid) for Analyzer.Node.Ident.
  3. On the Database server, navigate down to the tables in the LogManagerConfiguration database.
  4. Open the HistoricalServerId table.
  5. Fill in the following fields:
     • ServerGuid - Paste the value from Analyzer.Node.Ident and remove any brackets and dashes.
     • ServerName - Enter the correct name of the server.
     • ServerModel - This will be: iSeries

A second method of getting all of the computer guids, computer names, and server models is to query the SMcubeDepot\dim_computer table.

E.g.: use smcubedepot; select * from dim_computer where an_model = 'Unix';

A query is needed to insert large numbers of guids into the HistoricalServerId table from the dim_computer table or from a spreadsheet.
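One way to handle the spreadsheet case, as an added example that is not NetIQ code: the script below turns a CSV export into INSERT statements for HistoricalServerId, strips brackets and dashes from each guid as step 5 requires, skips duplicates, and rejects values that are not guids. The CSV column names (guid, name, model), the sample rows, and the assumption that the three fields are string columns and the only ones that must be filled are all hypothetical; review the generated statements before running them.

```python
import csv
import io
import re

# Constructed sample export (not real data); the header names are assumptions.
SAMPLE_CSV = """guid,name,model
{3F2504E0-4F89-11D3-9A0C-0305E82C3301},AS400PROD,iSeries
3f2504e0-4f89-11d3-9a0c-0305e82c3301,AS400PROD,iSeries
{9B2C1D7E-0A4F-4C3B-8E21-5D6F7A8B9C0D},O'BRIEN-AIX,Unix
not-a-guid,BADROW,iSeries
"""

GUID_RE = re.compile(r"[0-9A-Fa-f]{32}")


def normalize_guid(raw):
    """Remove brackets and dashes; return None if the result is not 32 hex digits."""
    cleaned = re.sub(r"[{}()\-\s]", "", raw)
    return cleaned if GUID_RE.fullmatch(cleaned) else None


def sql_literal(value):
    """Quote a value as a T-SQL string literal, doubling embedded single quotes."""
    return "'" + value.replace("'", "''") + "'"


def build_inserts(csv_text):
    """Return (insert_statements, rejected_rows) for the HistoricalServerId table."""
    statements, rejected, seen = [], [], set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        guid = normalize_guid(row["guid"])
        if guid is None:
            rejected.append(row)      # report instead of inserting a bad guid
            continue
        if guid.lower() in seen:      # same guid listed twice in the sheet
            continue
        seen.add(guid.lower())
        values = ", ".join(sql_literal(v) for v in
                           (guid, row["name"].strip(), row["model"].strip()))
        statements.append("INSERT INTO HistoricalServerId "
                          f"(ServerGuid, ServerName, ServerModel) VALUES ({values});")
    return statements, rejected


if __name__ == "__main__":
    stmts, bad = build_inserts(SAMPLE_CSV)
    print("USE LogManagerConfiguration;")
    print("\n".join(stmts))
    for row in bad:
        print("-- skipped, not a guid:", row["guid"])
```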

Cause

This can be caused by reregistering your iSeries machine while the subsystem ZPSE is still running, which subsequently causes a guid mismatch in the LogManagerConfiguration database.

This can also be caused when removing and adding UNIX agents within SM. 

On Windows boxes, this issue can occur when agents are moved from one domain to another incorrectly.

When reregistering, re-adding, or moving agents, there is a chance that another agent guid will be created. If a single agent has multiple computer guids, typically only one guid will work correctly when running forensic reports. The other guid will appear to have no association with any computer groups, which in turn will cause permissions errors, because running forensic reports relies on computer group associations for all of the agent machines.

Additional Information

Formerly known as NETIQKB71178