Environment
Situation
Resolution
Log archival:
iSeries: The psgetlogs job runs on the iSeries box to gather the logs --> the Central computer requests log data from the iSeries box --> the data goes to the Qreport folder (program files\netiq security manager\onepoint\qreport) --> the files inside the Qreport folder are parsed by Security Manager rules and sent to the Central computer's MSMQ --> the MSMQ on the LAS (log archival server) receives and processes the data into the LAS database (current partition for that day).
UNIX: The Uvservd process runs on the UNIX box --> the Central computer requests log data from the UNIX boxes --> the data goes to the Qreport folder (program files\netiq security manager\onepoint\qreport) --> the files inside the Qreport folder are parsed by Security Manager rules and sent to the Central computer's MSMQ --> the MSMQ on the LAS (log archival server) receives and processes the data into the LAS database (current partition for that day).
Windows: Data is sent from the agent to the queue and cache files on the Central computer (all user\application data\NetIQ\Security Manager\Config_group_name\) --> the data then goes to the MSMQ on the Central computer --> the MSMQ on the LAS (log archival server) receives and processes the data into the LAS database (current partition for that day).
Real-Time:
iSeries: The psdect job runs on the iSeries box for real-time collection --> the data goes to the Vigilent folder on the Central computer (program files\netiq security manager\onepoint\vigilent\event.##) --> the files inside the Vigilent folder are parsed by Security Manager rules and sent to the OnePoint database.
UNIX: The detectd process runs on the UNIX box for real-time collection --> the data goes to the Vigilent folder on the Central computer (program files\netiq security manager\onepoint\vigilent\event.##) --> the files inside the Vigilent folder are parsed by Security Manager rules and sent to the OnePoint database.
Windows: Data is sent from the agent to the queue and cache files on the Central computer (all user\application data\NetIQ\Security Manager\Config_group_name\) --> the data is then processed directly into the OnePoint database.
Additional Information
The UNIX and iSeries boxes have their own set of rules and processes\jobs that get the data ready for transfer to Security Manager. Security Manager rules are not applied until the data arrives at the Central computer.
The Windows agents get their rules directly from Security Manager, and those rules are processed on the agent box.