
SiteProtector Technical Reference Guide - IBM

SiteProtector®
Technical Reference Guide
Version 2.0, Service Pack 4


Internet Security Systems, Inc.
6303 Barfield Road
Atlanta, Georgia 30328-4233
United States
(404) 236-2600
http://www.iss.net

© Internet Security Systems, Inc. 1994-2004. All rights reserved worldwide. Customers may make reasonable numbers of copies of this publication for internal use only. This publication may not otherwise be copied or reproduced, in whole or in part, by any other person or entity without the express prior written consent of Internet Security Systems, Inc.

SiteProtector Version 2.0, Service Pack 4, Patent pending.

Internet Security Systems, System Scanner, Wireless Scanner, SiteProtector, Proventia, ADDME, AlertCon, ActiveAlert, FireCell, FlexCheck, Secure Steps, SecurePartner, SecureU, and X-Press Update are trademarks and service marks, and the Internet Security Systems logo, X-Force, SAFEsuite, Internet Scanner, Database Scanner, Online Scanner, and RealSecure registered trademarks, of Internet Security Systems, Inc. Network ICE, ICEpac, and ICEcap are trademarks, and BlackICE is a licensed trademark, of Network ICE Corporation, a wholly owned subsidiary of Internet Security Systems, Inc. SilentRunner is a registered trademark of Raytheon Company. Acrobat and Adobe are registered trademarks of Adobe Systems Incorporated. Certicom is a trademark and Security Builder is a registered trademark of Certicom Corp. Check Point, FireWall-1, OPSEC, Provider-1, and VPN-1 are registered trademarks of Check Point Software Technologies Ltd. or its affiliates. Cisco and Cisco IOS are registered trademarks of Cisco Systems, Inc. HP-UX and OpenView are registered trademarks of Hewlett-Packard Company. IBM and AIX are registered trademarks of IBM Corporation. Intel and Pentium are registered trademarks of Intel. Lucent is a trademark of Lucent Technologies, Inc. ActiveX, Microsoft, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation. Net8, Oracle, Oracle8, SQL*Loader, and SQL*Plus are trademarks or registered trademarks of Oracle Corporation. Seagate Crystal Reports, Seagate Info, Seagate, Seagate Software, and the Seagate logo are trademarks or registered trademarks of Seagate Software Holdings, Inc. and/or Seagate Technology, Inc. Secure Shell and SSH are trademarks or registered trademarks of SSH Communications Security. iplanet, Sun, Sun Microsystems, the Sun Logo, Netra, SHIELD, Solaris, SPARC, and UltraSPARC are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. 
All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the United States and other countries. Adaptive Server, SQL, SQL Server, and Sybase are trademarks of Sybase, Inc., its affiliates and licensers. Tivoli is a registered trademark of Tivoli Systems Inc. UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company, Ltd. All other trademarks are the property of their respective owners and are used here in an editorial context without intent of infringement. Specifications are subject to change without notice.

Disclaimer: The information contained in this document may change without notice, and may have been altered or changed if you have received it from a source other than ISS or the X-Force. Use of this information constitutes acceptance for use in an “AS IS” condition, without warranties of any kind, and any use of this information is at the user’s own risk. ISS and the X-Force disclaim all warranties, either expressed or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall ISS or the X-Force be liable for any damages whatsoever, including direct, indirect, incidental, consequential or special damages, arising from the use or dissemination hereof, even if ISS or the X-Force has been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.

Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by Internet Security Systems, Inc. The views and opinions of authors expressed herein do not necessarily state or reflect those of Internet Security Systems, Inc., and shall not be used for advertising or product endorsement purposes.

Links and addresses to Internet resources are inspected thoroughly prior to release, but the ever-changing nature of the Internet prevents Internet Security Systems from guaranteeing the content or existence of the resource. When possible, the reference contains alternate sites or keywords that could be used to acquire the information by other methods. If you find a broken or inappropriate link, please send an email with the topic name, link, and its behavior to [email protected].

June 07, 2004


Contents

Preface ... v
  Overview ... v
  How to use SiteProtector Documentation ... vi
  Conventions Used in this Guide ... vii
  Getting Technical Support ... viii

Chapter 1: Improving Performance ... 1
  Overview ... 1

  Section A: Improving Database Performance ... 3
    Overview ... 3
    Improving Database Hardware ... 4
    Guidelines for Database Maintenance ... 5
    Optimizing SiteProtector Databases ... 7
    Disabling SiteProtector Database Disk Performance Counters ... 10

  Section B: Improving Event Collector Performance ... 11
    Overview ... 11
    Identifying Event Overload in the Event Collector ... 12
    Improving Event Collector Hardware and Configuration ... 14
    Modifying Agent Policies ... 15

Chapter 2: Log File Diagnostics ... 17
  Overview ... 17

  Section A: Miscellaneous Logging Information ... 19
    Overview ... 19
    Application Server Logs ... 20
    Database Logs ... 22
    Installation Logs ... 23
    X-Press Update Logs ... 25
    Active Directory Logs ... 26

  Section B: Log4j Logging Information ... 27
    Overview ... 27
    Log4j Application Server and Sensor Controller Logs ... 28
    Changing Log4j Logging Levels ... 29

  Section C: Sensor Controller Logging Information ... 31
    Overview ... 31
    Sensor Controller Logs ... 32
    Sensor Controller SiteProtector Database Logs ... 33
    Sensor Controller SiteProtector Core Logs ... 34
    Sensor Controller Event Collector Logs ... 35
    Sensor Controller Desktop Controller Logs ... 37
    Sensor Controller Internet Scanner Logs ... 39
    Sensor Controller Internet Scanner Databridge Logs ... 40
    Sensor Controller A-Series Appliance Logs ... 41
    Sensor Controller G-Series Appliance Logs ... 42

iii    Technical Reference Guide Version 2.0, SP4


    Sensor Controller RealSecure Network Logs ... 43
    Sensor Controller RealSecure Network Gigabit Logs ... 44
    Sensor Controller RealSecure Server Sensor Logs ... 45
    Sensor Controller SiteProtector Third Party Module Logs ... 46

  Section D: Desktop Controller Logging Information ... 47
    Overview ... 47
    Desktop Controller Desktop Protection Logs ... 48
    Desktop Controller M-Series Appliance Logs ... 50

Chapter 3: Diagnostic and Debugging Setup ... 51
  Overview ... 51
  Running the Sensor Controller as a Java Application ... 52
  Setting up Run-time Logging for the RealSecure SiteProtector Sensor Controller Service ... 53
  Setting up Run-Time Logging for the RealSecure SiteProtector Application Server Service ... 55

Chapter 4: Solutions to Some Common Issues ... 57
  Overview ... 57
  Issues Related to SiteProtector Installation ... 58
  Issues Related to SiteProtector Encryption Keys ... 60
  Issues Related to Operating SiteProtector ... 62
  Issues Related to Low Memory ... 70
  Issues Related to Updating SiteProtector ... 72
  Issues Related to SiteProtector Services ... 74
  Issues Related to Agents and Appliances ... 76

Appendix A: Database Schema ... 79
  Overview ... 79
  Application Security Schema ... 80
  Auditing and Diagnostics Schema ... 81
  Command and Control Schema ... 82
  Grouping Schema ... 83
  ITRSO Schema ... 84
  Metrics Schema ... 85
  Sensor Data Schema ... 86
  Site Analysis Schema ... 87
  Site Filters Schema ... 88
  Staging and Rejects Schema ... 89
  Statistics Schema ... 90
  X-Force Schema ... 91
  Complete Database Schema ... 92

Index ... 93


Preface

Overview

Introduction The SiteProtector Technical Reference Guide describes the diagnostic capabilities of SiteProtector, and also gives recommendations for some of the issues you may encounter as you use SiteProtector.

Audience This guide is for network administrators, security administrators, or any other individuals who are responsible for installing SiteProtector and managing network security.

Scope The following table lists and describes the purpose of each chapter in this manual:

Chapter/Appendix Purpose

Chapter 1: Improving Performance

Describes some of the causes of poor performance, and explains the process by which you can improve the performance of your SiteProtector system.

Chapter 2: Log File Diagnostics

Describes the log files that the SiteProtector components write (Application Server, database, installation, X-Press Update, Active Directory, Log4j, Sensor Controller, and Desktop Controller logs), where to find them, and how to change the Log4j logging levels.

Chapter 3: Diagnostic and Debugging Setup

Describes how to run the Sensor Controller as a Java application and how to set up run-time logging for the Sensor Controller and Application Server services.

Chapter 4: Solutions to Some Common Issues

Describes some of the issues that may occur when you install and use SiteProtector. This chapter also provides steps you can take to resolve certain issues.

Appendix A: Database Schema

Displays the SiteProtector Database schema.


How to use SiteProtector Documentation

Using this guide This guide includes some of the issues that you may encounter when working with SiteProtector, but it is not a troubleshooting guide.

Reference: For the most up-to-date list of SiteProtector issues, see the ISS Knowledgebase at http://www.iss.net/support/knowledgebase/. If the Knowledgebase does not help you resolve your issue, email ISS Customer Support at [email protected] or call ISS Customer Support at (1) (888) 447-4861.

Related publications Table 1 describes the publications included with SiteProtector.

Title: SiteProtector Installation and Configuration Guide
Description: Provides information about installing and setting up your SiteProtector system.

Title: SiteProtector Strategy Guide
Description: Provides best practice information for customizing SiteProtector to suit your specific needs.

Title: SiteProtector Help
Description: Provides procedures for using SiteProtector and all compatible ISS agents and appliances.

Title: SiteProtector System Requirements
Description: Provides the standards that your computer system must meet to run SiteProtector.

Title: SiteProtector Supported Agents and Appliances
Description: Provides a list of agents and appliances that are supported by SiteProtector.

Table 1: Related publications


Conventions Used in this Guide

Introduction This topic explains the typographic conventions used in this guide to make information in procedures and commands easier to recognize.

In procedures The typographic conventions used in procedures are shown in the following table:

Convention: Bold
What it indicates: An element on the graphical user interface.
Examples: Type the computer's address in the IP Address box. Select the Print check box. Click OK.

Convention: SMALL CAPS
What it indicates: A key on the keyboard.
Examples: Press ENTER. Press the PLUS SIGN (+).

Convention: Constant width
What it indicates: A file name, folder name, path name, or other information that you must type exactly as shown.
Examples: Save the User.txt file in the Addresses folder. Type IUSR__SMA in the Username box.

Convention: Constant width italic
What it indicates: A file name, folder name, path name, or other information that you must supply.
Examples: Type Version number in the Identification information box.

Convention: → (arrow)
What it indicates: A sequence of commands from the taskbar or menu bar.
Examples: From the taskbar, select Start → Run. On the File menu, select Utilities → Compare Documents.

Table 2: Typographic conventions for procedures

Command conventions The typographic conventions used for command lines are shown in the following table:

Convention: Constant width bold
What it indicates: Information to type in exactly as shown.
Examples: md ISS

Convention: Italic
What it indicates: Information that varies according to your circumstances.
Examples: md your_folder_name

Convention: [ ]
What it indicates: Optional information.
Examples: dir [drive:][path][filename] [/P][/W][/D]

Convention: |
What it indicates: Two mutually exclusive choices.
Examples: verify [ON|OFF]

Convention: { }
What it indicates: A set of choices from which you must choose one.
Examples: % chmod {u|g|o|a}=[r][w][x] file

Table 3: Typographic conventions for commands


Getting Technical Support

Introduction ISS provides technical support through its Web site and by email or telephone.

The ISS Web site The Internet Security Systems (ISS) Resource Center Web site (http://www.iss.net/support/) provides direct access to frequently asked questions (FAQs), white papers, online user documentation, current versions listings, detailed product literature, and the Technical Support Knowledgebase (http://www.iss.net/support/knowledgebase/).

Support levels ISS offers three levels of support:

• Standard

• Select

• Premium

Each level provides you with 24-7 telephone and electronic support. Select and Premium services provide more features and benefits than the Standard service. Contact Client Services at [email protected] if you do not know the level of support your organization has selected.

Hours of support The following table provides hours for Technical Support at the Americas and other locations:

Location: Americas
Hours: 24 hours a day

Location: All other locations
Hours: Monday through Friday, 9:00 A.M. to 6:00 P.M. local time, excluding ISS published holidays

Note: If your local support office is located outside the Americas, you may call or send an email to the Americas office for help during off-hours.

Table 4: Hours for technical support

Contact information The following table provides electronic support information and telephone numbers for technical support requests:

Regional Office: North America
Electronic Support: Connect to the MYISS section of our Web site: www.iss.net
Telephone Number: Standard: (1) (888) 447-4861 (toll free), (1) (404) 236-2700. Select and Premium: refer to your Welcome Kit or call your Primary Designated Contact for this information.

Regional Office: Latin America
Electronic Support: [email protected]
Telephone Number: (1) (888) 447-4861 (toll free), (1) (404) 236-2700

Regional Office: Europe, Middle East, and Africa
Electronic Support: [email protected]
Telephone Number: (44) (1753) 845105

Regional Office: Asia-Pacific, Australia, and the Philippines
Electronic Support: [email protected]
Telephone Number: (1) (888) 447-4861 (toll free), (1) (404) 236-2700

Regional Office: Japan
Electronic Support: [email protected]
Telephone Number: Domestic: (81) (3) 5740-4065

Table 5: Contact information for technical support


Chapter 1

Improving Performance

Overview

Introduction Slow performance can be caused by the following conditions:

• event overload

• insufficient application server capacity

This chapter discusses what you can do to improve SiteProtector system performance.

In this chapter This chapter contains the following sections:

Section Page

Improving Database Performance 3

Improving Event Collector Performance 11


SECTION A: Improving Database Performance

Overview

Introduction This section discusses how to correct SiteProtector database performance problems.

In this section This section contains the following topics:

Topic Page

Improving Database Hardware 4

Guidelines for Database Maintenance 5

Optimizing SiteProtector Databases 7

Disabling SiteProtector Database Disk Performance Counters 10


Improving Database Hardware

Introduction To improve database performance, consider doing the following:

• upgrade the SiteProtector database server to a larger drive

• install a high performance IDE or SCSI controller card

• install an additional CPU

Optimum database hardware

To ensure optimum database performance, ISS recommends that you use hardware that meets the specifications listed in the SiteProtector System Requirements. If you are using hardware that does not meet these specifications, the tasks recommended in this topic may not improve database performance significantly.

Installing a high performance controller card

High performance controller cards maximize the performance of the database server's hard drive by providing faster data transfers. The internal controller on the server motherboard generally does not perform as well as a separate plug-in card. To maximize the drive's performance, consider installing a high performance controller card that is compatible with the hard drive.

Installing an additional CPU

Multiple CPUs can improve database performance. Consider adding CPUs to the database server.


Guidelines for Database Maintenance

Introduction SiteProtector provides emergency purge options as part of automatic maintenance. If the maximum age values are not sufficient to prevent the database from reaching capacity, SiteProtector purges the oldest data from the following database tables:

• Observances

• SensorData

• Hosts

Guidelines for emergency purge options

Guidelines for configuring emergency purge options are as follows:

Emergency purge threshold—After a database exceeds 85 percent of its capacity, it can reach full capacity quickly, so ISS recommends that you avoid setting emergency purge threshold values that exceed the default.

Purge margin—The purge margin deletes a percentage of the oldest data stored in the database only when the maximum age values are not sufficient to reduce the size of the database to below the emergency purge threshold. Therefore, the purge margin may delete data that is newer than the maximum age values.

Guidelines for configuring maximum age values

To prevent emergency purges, consider the following guidelines when configuring maximum age values:

• Decrease values that correspond to data that is not important for evidence, troubleshooting, or trend analysis, such as message logs or unused hosts.

• Increase values that correspond to data you want to retain for evidence, troubleshooting, or trend analysis, such as observances or metrics.

Note: Consider retaining metrics data as long as needed because this data is valuable in establishing trends and uses minimal database space.
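The purge order described above, as an added Python model that is not part of the ISS documentation or the SiteProtector product: rows older than their table's maximum age are deleted first, and only if the database is still above the emergency purge threshold does the purge margin remove the oldest remaining rows, which is how an emergency purge can delete data that is newer than the maximum age values. The three table names are the ones listed above; the capacity, row sizes, maximum ages, the 85 percent threshold and the 10 percent margin are constructed values, and treating the margin as a share of the remaining rows (oldest first) is an assumption about the product's accounting.

```python
import math
from dataclasses import dataclass
from datetime import date, timedelta

TODAY = date(2004, 6, 7)   # constructed "now" for the sample data
# Assumed maximum age (days) per table; the real values are set in SiteProtector.
MAX_AGE_DAYS = {"Observances": 30, "SensorData": 14, "Hosts": 90}
DEFAULT_THRESHOLD = 0.85   # emergency purge threshold: 85 percent of capacity
DEFAULT_MARGIN = 0.10      # purge margin: share of remaining rows, oldest first (assumption)


@dataclass(frozen=True)
class Row:
    table: str   # Observances, SensorData or Hosts
    day: date    # the row's age is measured from this date
    kb: int      # constructed storage cost of the row


def age_days(row, today):
    return (today - row.day).days


def build_sample():
    """Constructed contents of the three tables that the emergency purge touches."""
    rows = [Row("Observances", TODAY - timedelta(days=i), 20) for i in range(60)]
    rows += [Row("SensorData", TODAY - timedelta(days=i), 10) for i in range(30)]
    rows += [Row("Hosts", TODAY - timedelta(days=i), 5) for i in (0, 5, 10)]
    return rows


def maintenance_purge(rows, today, capacity_kb, max_age_days,
                      threshold=DEFAULT_THRESHOLD, margin=DEFAULT_MARGIN):
    """Return (kept, deleted_by_age, deleted_by_margin).

    Pass 1 applies the maximum age values.  Pass 2 runs only if the database is
    still above threshold * capacity and deletes the oldest `margin` share of the
    remaining rows regardless of their age.
    """
    kept, by_age = [], []
    for r in rows:
        (by_age if age_days(r, today) > max_age_days[r.table] else kept).append(r)
    by_margin = []
    if sum(r.kb for r in kept) > threshold * capacity_kb:
        kept.sort(key=lambda r: r.day)            # oldest first
        n = math.ceil(margin * len(kept))
        by_margin, kept = kept[:n], kept[n:]
    return kept, by_age, by_margin


def report(capacity_kb):
    """Summarise one maintenance run against the sample data."""
    kept, by_age, by_margin = maintenance_purge(build_sample(), TODAY, capacity_kb, MAX_AGE_DAYS)
    return {
        "deleted_by_age": len(by_age),
        "deleted_by_margin": len(by_margin),
        # True when the emergency purge ran and every row it removed was still
        # inside its table's maximum age, i.e. data the age values would have kept
        "margin_deleted_newer_than_max_age": bool(by_margin) and all(
            age_days(r, TODAY) <= MAX_AGE_DAYS[r.table] for r in by_margin),
        "remaining_kb": sum(r.kb for r in kept),
    }


if __name__ == "__main__":
    print("database near capacity:", report(900))
    print("database with headroom:", report(2000))
```

With a 900 KB capacity the age pass removes 44 rows but leaves 785 KB, above the 765 KB threshold, so the margin pass removes five Observances rows that are all 30 days old or younger; with 2000 KB of capacity the margin pass never runs. Raising the maximum age values without adding capacity therefore does not protect recent evidence once the threshold is crossed.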

Daily and weekly maintenance schedules

Guidelines for scheduling automatic maintenance are as follows:

Daily database maintenance—By default, SiteProtector schedules daily database maintenance at midnight (UTC). You should schedule daily maintenance at a time when the event volume is the lowest. Depending on your hours of operation, midnight may not be the ideal time to schedule daily maintenance. For example, if you are monitoring sites that operate in several time zones, early morning or early evening may be more appropriate.

Weekly database maintenance—Schedule weekly maintenance at a time when the event volume is the lowest. By default, SiteProtector schedules weekly database maintenance on Sunday.
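One way to choose the daily maintenance hour when the monitored sites span time zones, as an added example that is not ISS code: each site is given a local business-hours window and an event rate inside and outside it, and the script sums the expected rate for every UTC hour and picks the lowest. The three sites, their June UTC offsets, the 08:00 to 18:00 business window and the event rates are constructed; with these inputs the default midnight UTC falls inside the Tokyo business day, and the quietest hour is 22:00 UTC.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    name: str
    utc_offset_hours: int      # local time = UTC + offset (constructed June values)
    busy_events_per_hour: int  # rate during local business hours
    idle_events_per_hour: int  # rate outside business hours


BUSINESS_START, BUSINESS_END = 8, 18   # assumed local business window, [start, end)

# Constructed sites; the rates are illustrative, not measured.
SITES = [
    Site("Atlanta", -4, 1000, 100),
    Site("London", 1, 600, 60),
    Site("Tokyo", 9, 800, 80),
]


def local_hour(utc_hour, site):
    return (utc_hour + site.utc_offset_hours) % 24


def is_business_hour(utc_hour, site):
    return BUSINESS_START <= local_hour(utc_hour, site) < BUSINESS_END


def expected_load(sites, utc_hour):
    """Events per hour the Event Collector is expected to see at this UTC hour."""
    return sum(
        s.busy_events_per_hour if is_business_hour(utc_hour, s) else s.idle_events_per_hour
        for s in sites
    )


def quietest_utc_hour(sites):
    """UTC hour with the lowest expected load; the earliest hour wins a tie."""
    return min(range(24), key=lambda h: expected_load(sites, h))


if __name__ == "__main__":
    best = quietest_utc_hour(SITES)
    for h in range(24):
        marker = " <- quietest" if h == best else ""
        print(f"{h:02d}:00 UTC  {expected_load(SITES, h):5d} events/h{marker}")
```

Replace the constructed rates with hourly event counts from your own Event Collector, and run the same check for the weekly maintenance window, which also defaults to a fixed day.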

Recovery models The recovery model you select determines which backups SiteProtector performs during maintenance. Consider the following when selecting a recovery model:

• If you select the full or bulk-logged recovery model, then SiteProtector performs differential backups during daily maintenance and full backups during weekly maintenance.


• If you select the simple recovery model, then SiteProtector performs full backups during daily and weekly maintenance.

Note: If you enable transaction log backups for the full or bulk-logged recovery models, SiteProtector backs up the transaction log when it reaches the specified Log backup threshold.

Autoshrink and autogrow

The autogrow option is enabled by default on the SiteProtector database, and the autoshrink option is disabled. If you enable the autoshrink option while autogrow is enabled, you may experience performance problems: the database repeatedly shrinks and then grows again as new events arrive, and every grow and shrink costs disk I/O. Consider selecting the Automatically shrink option only when you are purging a large volume of data and want to return the freed space to the drive so that enough space is available for future processing.


Optimizing SiteProtector Databases

Introduction This topic provides recommendations for optimizing SiteProtector databases and database servers.

When to optimize databases

The following table describes when to perform the procedures included in this topic:

Task: Format the database drives
When to perform: Before you install SiteProtector

Task: Allocate sufficient space for data and log files
When to perform: After you install SiteProtector

Task: Separate database files on servers that do not use RAID disk storage
When to perform: After you install SiteProtector

Task: Reconfigure database server properties

Task: Select the correct recovery model and options for your configuration

Task: Allocate sufficient space for the temporary database file

Table 6: When to optimize databases and database servers

Formatting the database drives

NTFS provides better database performance than the other Windows file systems. Before you install SiteProtector, format the database drives with NTFS using a 64 KB allocation unit (cluster) size, which matches the 64 KB extent that SQL Server reads and writes. For detailed information, refer to your Microsoft Windows Server documentation.

Allocating sufficient space for data and log files

After you install SiteProtector, allocate sufficient space to the SQL data and log files so that these files support database growth.

To allocate space to data and log files:

1. On the SiteProtector database server, open SQL Server Enterprise Manager, and then expand the server group that contains the Site database.

2. In the Tree tab, right-click the SiteProtector database you are configuring, and then select Properties.

3. Select the Data tab, and then select the Automatically grow file option.

4. In the File Growth section, select the Megabytes option, and then type or select the number of megabytes by which to grow the data file. (The recommended size is 256 megabytes.)

Important: If you select the Restrict file growth option, type or select a maximum file size that is based on the size of the physical drive and the size to which you expect the database to grow.

5. Select the Transaction Log tab, and then select the Automatically grow file option.

6. Are you using the simple recovery model?

• If yes, select the Unrestricted file growth option, and then go to Step 8.

• If no, then go to Step 7.

7. Type or select a maximum file size that is at least 50 percent larger than the maximum file size you specified for the data file.


Note: For information about SQL recovery models, refer to the procedure in this topic about selecting the right recovery model, or refer to your Microsoft SQL documentation.

8. Click OK.

Separating database files on servers that do not use RAID disk storage

To maximize performance on servers that do not use RAID disk storage, distribute database files on separate disks. The following table lists the recommended distribution of database files for each configuration:

Number of disks in configuration | Distribution of database files, from the largest to the smallest disk
2 | 1. Primary database; 2. Transaction log and OS drive
3 | 1. Primary database; 2. Transaction log; 3. OS drive
4 or more | 1. Primary database; 2. Transaction log; 3. OS drive. Note: Using the database properties window, consider creating additional data files on different disks and assigning them to the primary filegroup.

Table 7: Separating database files on servers that do not use RAID disk storage

Reconfiguring database server properties

SQL default server properties do not support optimum database performance for SiteProtector.

To reconfigure database server properties for optimum performance:

1. On the SiteProtector database server, open the Microsoft SQL Enterprise Manager.

2. Right-click the server (not the database) you are configuring in the Tree tab, and then select Properties.

3. Select the General tab, and then select the following options:

• Autostart SQL Server

• Autostart SQL Server Agent

4. Select the Memory tab, and then select the Dynamically configure SQL server memory option.

5. Select the Processor tab, and then select the Use all available processors option.

6. Click OK.

Selecting the correct recovery model and options for your configuration

The type of SQL recovery model you select when you are configuring the SiteProtector database can impact performance.

To select the right recovery model for your configuration:

1. On the SiteProtector database server, open the Microsoft SQL Enterprise Manager, and then expand the server group that contains the SiteProtector database.

2. Right-click the SiteProtector database you are configuring in the Tree tab, and then select Properties.

3. Select the Options tab.

4. Use the following table to determine which recovery model to select in the Recovery Model list:

If the database is... | Then select this option...
used for a production system | Full or Bulk-Logged
not used for a production system | Simple

5. Select only the following check boxes:

• Auto update statistics

• Torn page detection

• Auto create statistics

• Allow cross-database ownership chaining

6. Click OK.

Allocating sufficient space for the temporary database

Database performance suffers if you do not allocate sufficient space to the temporary database files.

To allocate space to temporary database files:

1. On the SiteProtector database server, open the Microsoft SQL Enterprise Manager, and then expand the server group that contains the SiteProtector database.

2. Right-click the temporary database (TempDB) you are configuring in the Tree tab, and then select Properties.

3. Select the Data tab.

4. Consider increasing the active values in the following fields:

• Megabytes

• By percent

5. Consider increasing the space allocated to the temporary database so that it can support growth.

Disabling SiteProtector Database Disk Performance Counters

Introduction Disk performance counters can impact database performance. Disable disk performance counters only if you are not using the data that is generated by them.

Definition: disk performance counters

Enabled by default, disk performance counters measure the performance of the physical and logical drives on Windows servers. You can improve database performance by disabling all disk performance counters on the SiteProtector database.

Procedure To disable disk performance counters:

1. On the taskbar, select Start > Run.

2. Type cmd in the Run window, and then click OK.

3. At the command prompt, type DISKPERF -N, and then press ENTER.

A message appears stating that disk performance counters are now disabled on logical and physical drives.

4. Restart the SiteProtector database server.


SECTION B: Improving Event Collector Performance

Overview

Introduction This section discusses how to identify and correct event collector performance problems.

In this section This section contains the following topics:

Topic | Page
Identifying Event Overload in the Event Collector | 12
Improving Event Collector Hardware and Configuration | 14
Modifying Agent Policies | 15

Identifying Event Overload in the Event Collector

Introduction When an overload occurs in the event collector, the event collector generates alerts, called throttle messages, which tell you when the overload started and when it stopped. Frequent throttle messages may indicate that you have a performance problem.

Important: The event collector may send throttle messages when you stop, and then restart the event collector. This condition is usually temporary because agents are unloading the backlog stored in their queues.

Task overview

Identifying event overload in the event collector is a two-task procedure:

Task | Description
1 | Verify that throttle messages are enabled.
2 | View throttle messages in the event collector log files.

Table 8: Identifying event overload task overview

Where throttle messages appear

Throttle messages appear in the following locations:

• on the SiteProtector Console, as warning events

• in the event collector log files, located on the computer where the event collector is installed

Note: The Microsoft Event Viewer on the computer where the event collector is installed also displays throttle messages, as application warnings.

Event collector log files

Event collector log files are on the computer where the event collector is installed. When configured properly, log files can indicate performance problems that have occurred over a specified period of time. To enable throttle messages to appear in the log files, you must set the event collector trace level to Warning or higher.

Note: Changes to the logging level do not take effect until you restart the event collector.

Example: throttle message

The following throttle message example shows a start message followed by a stop message:

2002/02/08 16:04:09.91 T:0ad0 CPluginEventDatabase Started throttling event rate (due to large backlog of events waiting to be stored in the database). If this happens often, this may be an indication that your Event Collector is overloaded. [ID=0xc734004c]

2002/02/08 16:04:13.32 T:0ad0 CPluginEventDatabase Stopped throttling event rate. [ID=0xc734004d]

Configuring throttle messages

To configure the event collector to send throttle messages to the SiteProtector Console and to the SiteProtector database:

1. In the grouping tree, select the folder that contains the event collector.

2. Select the Sensor tab in the Analysis pane.

3. Right-click the event collector, and then select Event Collector > Edit Properties from the list.

The Event Collector Properties window opens.

4. Select the Alerts tab.

5. In EventCollector_Warning, verify that the following boxes are selected:

• Enable

• Notify console

• Log to database

6. Click OK.

Sending throttle messages to event collector log files

To send the throttle messages to the Event Collector log files:

1. In the grouping tree, select the folder that contains the event collector.

2. Select the Sensor tab in the Analysis pane.

3. Right-click the event collector, and then select Event Collector > Edit Properties from the list.

The Event Collector Properties window opens.

4. Select the General tab, and then click Advanced.

5. Verify that the event collector trace level is set to the Warn level or higher.

6. Click OK.

Note: These changes do not take effect until you restart the event collector.

Viewing throttle messages in event collector log files

To view throttle messages in the event collector log files:

1. Go to the computer where the event collector is installed.

2. Open the following file:

\Program Files\ISS\RealSecureSiteProtector\EventCollector\Logs\emtrace.txt

The contents of the log file appear in a default text editor window.
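To judge from the log itself whether throttle messages are "frequent", the following Python script (an added example, not part of this guide or of the product) parses constructed emtrace.txt lines laid out like the example above, pairs each Started throttling message (ID 0xc734004c) with the Stopped throttling message that follows it (ID 0xc734004d), and reports how often and for how long the collector throttled, including a start with no stop and a stop with no start. The one-hour window and the threshold of three starts per window are assumptions chosen for the example, not values from the guide.

```python
import re
from datetime import datetime, timedelta

# Message IDs taken from the throttle example in this guide.
THROTTLE_START_ID = "0xc734004c"  # "Started throttling event rate"
THROTTLE_STOP_ID = "0xc734004d"   # "Stopped throttling event rate"

# Trace line layout: "YYYY/MM/DD HH:MM:SS.hh T:<thread> <component> <text> [ID=0x...]"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"T:(?P<thread>[0-9a-fA-F]+) .*\[ID=(?P<id>0x[0-9a-fA-F]+)\]\s*$"
)

# Constructed sample log. The first two lines reproduce the guide's example;
# the rest are made up to show several throttle intervals inside one hour.
SAMPLE_LOG = [
    "2002/02/08 16:04:09.91 T:0ad0 CPluginEventDatabase Started throttling event rate (due to "
    "large backlog of events waiting to be stored in the database). If this happens often, this "
    "may be an indication that your Event Collector is overloaded. [ID=0xc734004c]",
    "2002/02/08 16:04:13.32 T:0ad0 CPluginEventDatabase Stopped throttling event rate. [ID=0xc734004d]",
    "2002/02/08 16:10:00.00 T:0ad0 CPluginEventDatabase Constructed line with no message ID",
    "2002/02/08 16:30:00.00 T:0ad0 CPluginEventDatabase Started throttling event rate. [ID=0xc734004c]",
    "2002/02/08 16:30:02.50 T:0ad0 CPluginEventDatabase Stopped throttling event rate. [ID=0xc734004d]",
    "2002/02/08 16:45:00.00 T:0ad0 CPluginEventDatabase Started throttling event rate. [ID=0xc734004c]",
    "2002/02/08 16:45:01.00 T:0ad0 CPluginEventDatabase Stopped throttling event rate. [ID=0xc734004d]",
    "2002/02/08 16:55:00.00 T:0ad0 CPluginEventDatabase Started throttling event rate. [ID=0xc734004c]",
    "2002/02/08 16:55:10.00 T:0ad0 CPluginEventDatabase Stopped throttling event rate. [ID=0xc734004d]",
    # A start with no stop: the collector was still throttling when the log ended.
    "2002/02/08 18:00:00.00 T:0ad0 CPluginEventDatabase Started throttling event rate. [ID=0xc734004c]",
]


def parse_throttle_events(lines):
    """Return [(timestamp, 'start'|'stop'), ...] for throttle messages only.
    Lines with another layout or message ID are skipped, so a whole emtrace.txt can be fed in."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        msg_id = m.group("id").lower()
        if msg_id not in (THROTTLE_START_ID, THROTTLE_STOP_ID):
            continue
        ts = datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S.%f")
        events.append((ts, "start" if msg_id == THROTTLE_START_ID else "stop"))
    return events


def pair_throttle_intervals(events):
    """Pair each start with the next stop. Returns (intervals, orphan_stops).
    An interval's stop is None when the log ended, or a new start arrived, before the
    matching stop; orphan_stops counts stops with no preceding start (for example when a
    collector restart overwrote the log mid-interval)."""
    intervals, open_start, orphan_stops = [], None, 0
    for ts, kind in events:
        if kind == "start":
            if open_start is not None:
                intervals.append((open_start, None))
            open_start = ts
        elif open_start is None:
            orphan_stops += 1
        else:
            intervals.append((open_start, ts))
            open_start = None
    if open_start is not None:
        intervals.append((open_start, None))
    return intervals, orphan_stops


def summarise(lines, window=timedelta(hours=1), max_per_window=3):
    """Count intervals, total throttled seconds and the most throttle starts seen in any
    sliding window; 'overloaded' flags the "happens often" case the message warns about.
    max_per_window is an assumed, tunable threshold, not a value from the guide."""
    intervals, orphan_stops = pair_throttle_intervals(parse_throttle_events(lines))
    closed = [(s, e) for s, e in intervals if e is not None]
    throttled = sum((e - s for s, e in closed), timedelta())
    starts = sorted(s for s, _ in intervals)
    busiest, j = 0, 0
    for i, s in enumerate(starts):
        while s - starts[j] >= window:  # slide the window's left edge forward
            j += 1
        busiest = max(busiest, i - j + 1)
    return {
        "intervals": len(intervals),
        "open_intervals": len(intervals) - len(closed),
        "orphan_stops": orphan_stops,
        "throttled_seconds": round(throttled.total_seconds(), 2),
        "busiest_window": busiest,
        "overloaded": busiest > max_per_window,
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

To run it against a real collector, pass the lines of the emtrace.txt file named above to summarise() instead of SAMPLE_LOG.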


Improving Event Collector Hardware and Configuration

Introduction To improve event collector performance, consider doing the following:

• add another event collector to your configuration

• install the event collector and the SiteProtector database on separate computers

Adding an event collector

Using the custom installation option, add an event collector to your site configuration. You can install up to five event collectors per site.

Separating the event collector and the SiteProtector database

If you have installed both the event collector and the SiteProtector database on the same computer, consider installing them on separate computers.

Reference: For more information about separating components and installing additional SiteProtector components using the custom installation option, refer to the SiteProtector Installation and Configuration Guide.


Modifying Agent Policies

Introduction Modify agent policies to decrease the number of events the event collector and the SiteProtector database must process. The procedures for modifying policies vary according to the type of agent.

How to modify an agent policy

In most cases, when you modify agent policies, you either change the default policy or customize the policy. When you know there is a specific signature or check that is generating a significant number of extraneous events, consider turning off those checks in the policy.

Caution: Before you modify an agent policy, consider the impact of those policy changes on the security of your network. If turning off a check makes your network less secure, then consider other alternatives.

Advantages

The advantages of modifying policies are as follows:

• does not require additional hardware

• can be implemented easily and quickly

Disadvantages

The disadvantages of modifying policies are as follows:

• can impact security

• usually a short-term solution


Chapter 2

Log File Diagnostics

Overview

Introduction Log files can help you identify and correct problems with components or agents. This chapter provides the following types of information:

• the path of the file

• file contents

• how to change logging levels

• how to view the log

Viewing logs Most log files are text files that you can open with a standard text file editor. If a different method is needed for a particular log file, it is explained with the description of that log.

Important: Be sure to use a text editor that can handle large files.

In this chapter This chapter contains the following sections:

Topic | Page
Miscellaneous Logging Information | 19
Log4j Logging Information | 27
Sensor Controller Logging Information | 31
Desktop Controller Logging Information | 47

SECTION A: Miscellaneous Logging Information

Overview

Introduction This section gives logging information related to various SiteProtector processes and components.

In this section This section contains the following topics:

Topic | Page
Application Server Logs | 20
Database Logs | 22
Installation Logs | 23
X-Press Update Logs | 25
Active Directory Logs | 26

Application Server Logs

Introduction This topic describes the log and configuration files that the application server uses:

• application server log files

• issDaemon logs

How log files are created on the application server

When you issue a command that displays or modifies a property, response, or policy file for an agent or core component, your SiteProtector system sends log files to the computer where the application server is running.

Location of application server logs

The path of the application server log files is \Program Files\ISS\RealSecureSiteProtector\Application Server\temp\AppServer.

Setting logging levels

The logging level determines the type and amount of system information that SiteProtector stores. To set logging levels for the application server logs:

• In the Sensor Controller Diagnostics console, right-click the SiteProtector Core component in the Sensor window.

Important: The application server does not use dynamic logging, so changes to the logging levels do not take effect until you restart the RealSecure Application Server Service.

Characteristics of application server logs

The following characteristics apply to all application server log files:

• The system overwrites a log file each time you restart the sensor controller.

• The amount of detail collected depends on the current trace level.

Note: The log files can quickly become very large when the logging level is high.

Description of log files

Table 9 describes the application server logs:

File name | Description
Issdk.txt | Logs high-level activity detailing application server interaction with all issDaemons
IssdkComm.txt | Logs low-level communication activity between the application server and issDaemons
IssdkInterface.txt | Logs low-level application server activity

Table 9: Application Server logs

Location of issDaemon logs

Logging information is available for each issDaemon with which the application server communicates. The path is \Program Files\ISS\RealSecureSiteProtector\Application Server\temp\SensorController\<name>@<IP address>.

Note: The issDaemon log files are always available regardless of the trace level.

Description of log files

Table 10 describes the issDaemon log files:

File name | Description
iss.access@<IP address> | Copy of iss.access located at the specified IP address
common.policy@<IP address> | Copy of common.policy located at the specified IP address
issDaemon.policy@<IP address> | Copy of issDaemon.policy located at the specified IP address

Table 10: issDaemon and application server communication logs


Database Logs

Introduction Database log information, such as errors, number of rows loaded, number of rows rejected, and reasons for rows rejected, is logged to the messagelog table in the SiteProtector database.

Viewing database logs

Use Microsoft SQL Server Enterprise Manager or Query Analyzer to view the messagelog table.

Default logging level The default logging level is set to Warnings. This level logs a limited set of significant events.

Changing the logging level

You can use the Sensor Details feature in the SiteProtector Console to change the logging level.

Recommendations for increased logging detail

Increasing the logging levels for an extended period of time can quickly fill the database. Use the following recommendations when increasing logging detail:

• Increase the logging levels (for example, by setting the logging level to Full) for short intervals as needed to gather detailed information.

• Reset the trace level to Warnings after you finish collecting detailed information.

Truncate the messagelog table after extended debugging, and also during normal tracing if the table becomes too large.


Installation Logs

Introduction The SiteProtector installation process generates a log file for each SiteProtector component you install. It also creates a detailed log file for each bulk copy of data loaded into a particular table on the SiteProtector database. The log files contain a line of text for each action taking place.

Location of log files

Table 11 provides the path of the log files on the computer where each component is installed:

Log files | Folder
Component log files for installation | \temp\iss
SiteProtector database table bulk copy log files | \temp\iss\bulk copy logs

Table 11: Location of database log files

Log files created during installation

The log files created during installation depend on the type of installation (Basic or Custom). Table 12 contains the installation log files that may be generated during installation:

This log file... | Is created by...
Application_Server_Setup_Log.txt | Application Server installation
Console_Setup_Log.txt | Console installation
Site_Database_Setup_Log.txt | Database installation
Event_Collector_Setup_Log.txt | Event Collector installation
Desktop_Controller_Setup_Log.txt | Desktop Controller installation
Deployment_Manager_setup_log.txt | Deployment Manager installation
DMInstallAgent_<YYYYMMDD_HHMMSS>.txt | DMInstallAgent program for a Basic installation from CD
DMInstallAgent_<YYYYMMDD_HHMMSS>.txt | DMInstallAgent program for a Basic installation
DMInstallAgent_<YYYYMMDD_HHMMSS>.txt | DMInstallAgent program for installation of the Console
DMInstallAgent_<YYYYMMDD_HHMMSS>.txt | DMInstallAgent program for part 1 of the Custom installation
DMInstallAgent_<YYYYMMDD_HHMMSS>.txt | DMInstallAgent program for part 2 of the Custom installation
All_Components_Log.txt | User clicking Yes to the “Do you want to view the log file?” prompt on the message box

Table 12: Log files that may be created at installation


Component log files for uninstallation

Log files are always created when you uninstall SiteProtector. The names of the log files are the same as those created during installation, but the contents are overwritten with the uninstallation process information if the original log files still exist.

Note: If error or warning messages occur during the installation process, and you want to save these messages for troubleshooting purposes, then rename the log files before you uninstall the application.

Viewing the component log files

If an error or warning occurs during the installation or uninstallation process in normal mode, the View Log File check box on the Finish window at the end of the process will be checked by default. This enables you to easily view the log file contents to determine the reason for the error or warning.

To view the component installation logs:

1. Click OK on the Finish window.

The Finish window closes and Notepad opens, displaying the contents of the installation/uninstallation log file.

2. View the errors and/or warnings in the log file to determine how to resolve the problem.

SiteProtector database table bulk copy log files

Approximately 50 pairs of log files are generated for each bulk copy that is created and populated for the SiteProtector database. Table 13 describes those pairs of log files:

Note: Statistics for the number of rows copied for every bulk copy file that was installed or uninstalled are included in the Enterprise_Database_Setup_Log.txt file. This file provides a single source for you to quickly determine which error messages or warnings have occurred.

Table name | Description
<tablename>_Table_BulkCopy_Log.txt | Statistics related to the bulk copy process used to create the database table (e.g., source, destination, number of rows copied, duration)
<tablename>Table_BulkCopy_ErrorLog.txt | Empty unless errors have occurred

Table 13: SiteProtector database log descriptions


X-Press Update Logs

Introduction You can generate log files to track the details of X-Press Update (XPU) activities for the application server and the sensor controller.

Contents of the log The X-Press Update log file contains details of X-Press Update downloading activity and the overall X-Press Update status.

• This high-level log file contains details about XPU activity.

• The file is overwritten each time the application server or the sensor controller restarts.

• The amount of detail depends on the current trace level.

Note: This file can quickly become large when logging level is high.

Location of log files

Table 14 provides the paths of the X-Press Update log files:

Component | X-Press Update log file path and name
application server | \Program Files\ISS\RealSecureSiteProtector\ApplicationServer\temp\AppServer\Xpu.txt
sensor controller | \Program Files\ISS\RealSecureSiteProtector\Application Server\temp\SensorController\Xpu.txt

Table 14: X-Press Update log file locations

Setting the X-Press Update logging level

To change the logging level for the X-Press Update log file:

1. On the Options menu, select XPU Logging Level.

2. Select the logging level you want to use.


Active Directory Logs

Introduction The SiteProtector application generates Active Directory log files that can give you information about specific jobs and help you troubleshoot issues with your SiteProtector Active Directory listing.

Location of log files You can find the Active Directory log files in the following location:

\Program Files\ISS\RealSecure SiteProtector\ApplicationServer\temp\Sensor Controller\SP <name>@<IP address>\Job_<job number>

Note: If you are using the Custom Installation, the Active Directory log files are located on your application server.

Description of log files

Table 15 provides the names and descriptions of the Active Directory log files:

Log file name | Description
warnings.csv | Lists hosts that were not added to the SiteProtector Active Directory listing; provides information about why a host was not added to the listing; generated only when logging is set to Warn or higher
JobLog.txt | Lists system-related information; generated with any logging level except None; generated when a system error occurs

Table 15: Active Directory log file locations

Setting the Active Directory logging level

The Active Directory Update job sets its logging level from the SiteProtector Core logging level. To set the Active Directory logging level:

1. In the Sensors tab, right-click SiteProtector Core.

2. In the pop-up box, select SiteProtector Core > Edit Properties.

The SiteProtector Core Properties window opens.

3. Click Advanced.

The Advanced SiteProtector Core Properties window appears.

4. In the Set sensor controller trace level drop-down list, select the logging level you want.

5. Select OK.


SECTION B: Log4j Logging Information

Overview

Introduction This section provides log4j logging information, and also gives information about using the log4j tool to set logging levels.

In this section This section contains the following topics:

Topic | Page
Log4j Application Server and Sensor Controller Logs | 28
Changing Log4j Logging Levels | 29

Log4j Application Server and Sensor Controller Logs

Introduction You can view the application server and sensor controller log4j logs in the following ways:

• in a text file in a standard text editor

• in the Windows 2000 Event Viewer Application Log

• in a run-time debug log in a Command Prompt window

Location of log files

Table 16 provides the paths of the run-time logs on the computer that hosts the application server and sensor controller:

Component | Log file path and file name
application server | \Program Files\ISS\RealSecureSiteProtector\ApplicationServer\temp\app_server.<time stamp>.log
sensor controller | \Program Files\ISS\RealSecureSiteProtector\ApplicationServer\temp\sensor_ctl.<time stamp>.log

Table 16: Log4j log file locations

Viewing from a text file

To view the log:

• Open the log file for the application server (app_server.log) or the sensor controller (sensor_ctl.log) with any text file editor that can edit large files.

Viewing from the event viewer

Events generated by the application server and the sensor controller are logged to the Application Log in the Windows 2000 Event Viewer. The Source names for the events are issSPAppService and issSPSenCtlService.

To view the events from the Windows 2000 Event Viewer Application Log:

1. Click Start on the taskbar, and then select Programs > Administrative Tools.

2. Double-click the Event Viewer icon.

3. In the left pane, select the Application Log.

4. In the Source column of the right pane, look for issSPAppService and issSPSenCtlService.

Tip: Click the Source column to sort the list.

Viewing run-time debug logs

To view the run-time debug log:

• Locate the Command Prompt window that contains the debug log.

Important: You must first configure the application server and the sensor controller to enable run-time logging.

Changing Log4j Logging Levels

Introduction This topic describes logging levels for log4j logs. These logging levels are separate and distinct from the logging levels on the Sensor Controller Diagnostics console’s Set Logging Level menu.

Note: Methods for viewing the log4j logs are explained in “Log4j Application Server and Sensor Controller Logs” on page 28.

Logging levels The log4j tool provides five priority levels of logging detail. (See non-ISS documentation at http://jakarta.apache.org/log4j/docs/manual.html.) The default logging level is set to fatal, which only logs very serious errors.

Priority levels, in decreasing order of logging detail, are as follows:

• DEBUG

• INFO

• WARN

• ERROR

• FATAL

Recommendations for logging detail

Increasing the logging levels for an extended period of time can quickly fill the log file. Follow these recommendations when increasing logging detail:

• Increase the logging levels for short intervals as needed to gather detailed information.

• Delete the log files at any time, as they can quickly become large:

  • Delete the app_server.log, and then restart the application server.

  • Delete the sensor_ctl.log, and then restart the sensor controller.

• Check the log4j documentation for procedures that automatically roll the logs into manageable sizes.

Where the logging level is set

The logging level is set in a properties file for each component. The properties file path and file name for the application server are as follows:

\Program Files\ISS\RealSecure SiteProtector\ApplicationServer\config\log.properties

Important: The file must be present before any logging takes place.

Changing the logging level

To change the logging level:

1. In Notepad or an equivalent text editor, open the properties file for the application server (log.properties).

2. Find the line that contains the following:

log4j.rootLogger=logging_level

Note: The logging_level value is one of the five possible logging levels.


3. Replace the logging level with another available logging level.

Example: Change the logging level from FATAL to DEBUG.

4. Save the file.

Note: You must restart the application server before the logging change takes effect.
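The same change applied with a script, as an added example that is not part of the guide: it rewrites the log4j.rootLogger line, accepts only the five log4j priorities listed above, and locates the run-time logs named in Table 16 so the newest can be deleted before the restart. The time-stamp format of those file names is not given in the guide and is assumed here to sort correctly as a string.

```python
"""Added example, not code from the SiteProtector guide: apply the
"Changing the logging level" procedure to the text of log.properties.

set_root_logger_level() rewrites the log4j.rootLogger line and keeps any
appender names that follow the level.  runtime_logs() finds the
app_server.<time stamp>.log / sensor_ctl.<time stamp>.log files from
Table 16.  The time-stamp format is not specified in the guide; it is
treated as an opaque, string-sortable value (an assumption).
"""
import re
from typing import Iterable, List

# The five log4j priorities from the guide, most to least detailed.
LOG4J_LEVELS = ("DEBUG", "INFO", "WARN", "ERROR", "FATAL")

# Matches "log4j.rootLogger=LEVEL" and keeps whatever follows the level
# (log4j allows ", appenderName, ..." there; the guide shows only the level).
_ROOT_RE = re.compile(r"^(\s*log4j\.rootLogger\s*=\s*)([A-Za-z]+)(.*)$")

# Run-time debug log names from Table 16.
_RUNTIME_RE = re.compile(r"^(app_server|sensor_ctl)\.(.+)\.log$")


def more_detailed(level_a: str, level_b: str) -> bool:
    """True if level_a logs more detail than level_b (DEBUG > INFO > ...)."""
    return LOG4J_LEVELS.index(level_a.upper()) < LOG4J_LEVELS.index(level_b.upper())


def set_root_logger_level(properties_text: str, new_level: str) -> str:
    """Return properties_text with every log4j.rootLogger line set to new_level.

    Raises ValueError when new_level is not one of the five priorities or
    when the file has no log4j.rootLogger line (the guide notes that the
    properties file must already exist before any logging takes place).
    """
    level = new_level.strip().upper()
    if level not in LOG4J_LEVELS:
        raise ValueError(f"{new_level!r} is not a log4j level; use one of {LOG4J_LEVELS}")
    lines: List[str] = []
    found = False
    for line in properties_text.splitlines():
        m = _ROOT_RE.match(line)
        if m:
            line = f"{m.group(1)}{level}{m.group(3)}"  # appender list kept as-is
            found = True
        lines.append(line)
    if not found:
        raise ValueError("no log4j.rootLogger line found in properties file")
    return "\n".join(lines) + "\n"


def runtime_logs(file_names: Iterable[str], component: str) -> List[str]:
    """Return the <component>.<time stamp>.log names, oldest first.

    component is "app_server" or "sensor_ctl".  Names that do not follow the
    Table 16 pattern (for example log.properties) are ignored.
    """
    matches = []
    for name in file_names:
        m = _RUNTIME_RE.match(name)
        if m and m.group(1) == component:
            matches.append((m.group(2), name))
    return [name for _, name in sorted(matches)]


if __name__ == "__main__":
    # Constructed sample of a log.properties file; the appender line is
    # illustrative only.
    sample = ("log4j.rootLogger=FATAL, stdout\n"
              "log4j.appender.stdout=org.apache.log4j.ConsoleAppender\n")
    print(set_root_logger_level(sample, "DEBUG"), end="")
    # Constructed directory listing of ApplicationServer\temp.
    listing = ["app_server.20040311120000.log", "sensor_ctl.20040311120000.log",
               "app_server.20040312090000.log", "log.properties"]
    print("newest app_server log:", runtime_logs(listing, "app_server")[-1])
```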


SECTION C: Sensor Controller Logging Information

Overview

Introduction This section lists SiteProtector logging information for components that are managed with the sensor controller.

In this section This section contains the following topics:

Topic Page

Sensor Controller Logs 32

Sensor Controller SiteProtector Database Logs 33

Sensor Controller SiteProtector Core Logs 34

Sensor Controller Event Collector Logs 35

Sensor Controller Desktop Controller Logs 37

Sensor Controller Internet Scanner Logs 39

Sensor Controller Internet Scanner Databridge Logs 40

Sensor Controller A-Series Appliance Logs 41

Sensor Controller G-Series Appliance Logs 42

Sensor Controller RealSecure Network Logs 43

Sensor Controller RealSecure Network Gigabit Logs 44

Sensor Controller RealSecure Server Sensor Logs 45

Sensor Controller SiteProtector Third Party Module Logs 46


Chapter 2: Log File Diagnostics

Sensor Controller Logs

Introduction This topic introduces log and configuration files that the sensor controller uses:

• the log files for the sensor controller

• the configuration and log files for the agents and SiteProtector components with which the sensor controller communicates

How sensor controller logging works

When you issue a command that displays or modifies a property, response, or policy file for an agent or core component, your SiteProtector system sends log files to the computer where the sensor controller is running.

Location of log files The path of the files is as follows:

\Program Files\ISS\RealSecure SiteProtector\Application Server\temp

Dynamic logging levels

Changes to the logging levels are dynamic. You do not have to restart the RealSecure Sensor Controller Service for the changes to go into effect.

Common characteristics

The following common characteristics apply to all sensor controller log files:

• The log file is overwritten each time you restart the sensor controller, but only if the logging level is not full. If the logging level is full, the file is appended to instead.

• The amount of detail collected depends on the current trace level.

Note: The log files can quickly become large when the logging level is high.

Description of log files

Table 17 describes the log files for the sensor controller:

Log File Name Description

Issdk.txt logs high-level activity detailing sensor controller interaction with all agents and core components

IssdkComm.txt logs low-level communication activity between the sensor controller and agents

IssdkInterface.txt logs low-level sensor controller activity

Table 17: Sensor controller dynamic log files

Changing logging levels for agents

To change the logging levels:

1. In the Sensors window, right-click the agent.

2. Select Details in the pop-up menu.

3. Select the desired logging level in the Sets new sensor logging level drop-down list.

4. Click OK.


Sensor Controller SiteProtector Database Logs

Introduction The SiteProtector database files contain information related to the SiteProtector database located at the given IP address. The path of the log file is \Program Files\ISS\RealSecure SiteProtector\Application Server\temp\Sensor Controller\Site Protector [email protected].

Note: If the trace level is set to 0 and the job is completed, then the system deletes the Job folder. Otherwise, the default location of command job log files for the SiteProtector database is:

\Program Files\ISS\RealSecure SiteProtector\Application Server\temp\Sensor Controller\Site Protector [email protected]\Job_<jobnumber>

Description of log files

Table 18 describes the SiteProtector database log file:

Log File Name Description

Site [email protected]

• low-level log file detailing sensor controller interaction with SiteProtector database component (i.e. XPU activity)

• overwritten each time sensor controller restarts

• amount of detail depends on current logging level

Table 18: SiteProtector database log files


Sensor Controller SiteProtector Core Logs

Introduction The SiteProtector Core log files contain information related to the sensor controller located at the given IP address. The path of the log files is \Program Files\ISS\RealSecure SiteProtector\Application Server\temp.

Note: If the trace level is set to 0 and the job is completed, then the system deletes the Job folder. Otherwise, the default location of command job log files for the SiteProtector Core is:

\Program Files\ISS\RealSecure SiteProtector\Application Server\temp\sensor_ctl.<time stamp>.log

Description of log files

Table 19 describes the SiteProtector Core log files:

Log File Name Description

sensor_ctl.<time stamp>.log • generated file containing runtime debug information

• overwritten each time sensor controller service restarts

• amount of detail depends on current logging level

Table 19: SiteProtector Core log files


Sensor Controller Event Collector Logs

Introduction The default path of configuration files for the event collector at the given IP address is \Program Files\ISS\RealSecure SiteProtector\ApplicationServer\temp\Sensor Controller\EventCollector_<DNS>@xxx.xxx.xxx.xxx. The default installation path of the event collector is \Program Files\ISS\RealSecure SiteProtector\Event Collector.

Note: If the trace level is set to 0 and the job is completed, then the system deletes the Job folder. Otherwise, the default location of command job log files for the event collector is:

\Program Files\ISS\RealSecure SiteProtector\ApplicationServer\temp\Sensor Controller\EventCollector_<DNS>@xxx.xxx.xxx.xxx\Job_<job number>

Description of log files

Table 20 describes the event collector log files:

Log File Names Description

EventCollector_<DNS>@xxx.xxx.xxx.xxx.common

• copy of common.policy located at specified IP address

• always available

• independent of logging level

EventCollector_<DNS>@xxx.xxx.xxx.xxx.daemon

• copy of issDaemon.policy located at specified IP address

• always available

• independent of logging level

EventCollector_<DNS>@xxx.xxx.xxx.xxx.policy

• copy of current.policy located at specified IP address

• always available

• independent of logging level

EventCollector_<DNS>@xxx.xxx.xxx.xxx.status

• copy of ec_status.policy (located at specified IP address) that details the Event Collector control list and status information

• always available

• independent of logging level

EventCollector_<DNS>@xxx.xxx.xxx.xxx.prop

• generated file containing runtime configuration information

• overwritten each time sensor controller restarts but is independent of logging level

EventCollector_<DNS>@xxx.xxx.xxx.xxx.properties

• cached file of user modifications to properties

• overwritten each time sensor controller restarts but is independent of logging level


EventCollector_<DNS>@xxx.xxx.xxx.xxx.txt

• generated file containing runtime debug information detailing interaction between sensor controller and event collector

• overwritten each time sensor controller restarts

• amount of detail depends on current logging level

Table 20: Event collector log files


Sensor Controller Desktop Controller Logs

Introduction The default path of configuration files for the Desktop Controller at the given IP address is \Program Files\ISS\RealSecure SiteProtector\ApplicationServer\temp\Sensor Controller\DesktopController_<DNS>@xxx.xxx.xxx.xxx. The default installation path of the Desktop Controller is \Program Files\ISS\RealSecure SiteProtector\Desktop Controller.

Note: If the trace level is set to 0 and the job is completed, then the system deletes the Job folder. Otherwise, the default location of command job log files for the Desktop Controller is:

\Program Files\ISS\RealSecure SiteProtector\Desktop Controller\Job_<jobnumber>

Description of log files

Table 21 describes the Desktop Controller log files:

Log File Names Description

DesktopController_<DNS>@xxx.xxx.xxx.xxx.common

• copy of common.policy located at specified IP address

• always available

• independent of logging level

DesktopController_<DNS>@xxx.xxx.xxx.xxx.daemon

• copy of issDaemon.policy located at specified IP address

• always available

• independent of logging level

DesktopController_<DNS>@xxx.xxx.xxx.xxx.policy

• copy of current.policy located at specified IP address

• always available

• independent of logging level

DesktopController_<DNS>@xxx.xxx.xxx.xxx.status

• copy of the Desktop Controller status policy file (located at specified IP address) that details the Desktop Controller control list and status information

• always available

• independent of logging level

DesktopController_<DNS>@xxx.xxx.xxx.xxx.prop

• generated file containing runtime configuration information

• overwritten each time sensor controller restarts but is independent of logging level

DesktopController_<DNS>@xxx.xxx.xxx.xxx.properties

• cached file of user modifications to properties

• overwritten each time sensor controller restarts but is independent of logging level


DesktopController_<DNS>@xxx.xxx.xxx.xxx.txt

• generated file containing runtime debug information detailing interaction between sensor controller and Desktop Controller

• overwritten each time sensor controller restarts

• amount of detail depends on current logging level

Table 21: Desktop Controller log files


Sensor Controller Internet Scanner Logs

Introduction The path of the configuration and log files for the Internet Scanner located at the given IP address is \Program Files\ISS\RealSecure SiteProtector\ApplicationServer\temp\Sensor Controller\[email protected]. The default installation path for Internet Scanner 6.2.1 is \Program Files\ISS\Scanner6. The default installation path for Internet Scanner 7.0 is \Program Files\ISS\issSensors\Scanner_1.

Note: If the trace level is set to 0 and the job is completed, then the system deletes the Job folder. Otherwise, the default location of command job log files for the Internet Scanner is:

Version Path

6.2.1 \Program Files\ISS\Scanner6\Job_<job number>

7.0 \Program Files\ISS\Scanner_1\log\Job_<job number>

Table 22: Location of Internet Scanner logs

Location of Internet Scanner job-specific log files

The path of the log files related to specific jobs for Internet Scanner is \Program Files\ISS\RealSecure SiteProtector\Application Server\temp\Sensor Controller\[email protected]. The files are located in subfolders according to the job name. By default, the path for Internet Scanner 6.2.1 configuration files is \Program Files\ISS\Scanner6 on the computer that hosts the Internet Scanner. The general form of the subfolder name is as follows:

• Job_x – folder containing files related to job number “x”

Note: Internet Scanner 7.0 does not use files with the .cfg extension. However, Internet Scanner 7.0 log files are located by default in \Program Files\ISS\issSensors\scanner_1\log.

Description of Internet Scanner job-specific log files

Table 23 describes the job-specific log files:

Log File Name Description

hosts.hst IP range of hosts to be scanned

iss.key license key that limits the IP range that can be scanned

*.policy policy file used by Internet Scanner during the scan (e.g., L1 Inventory.policy)

Table 23: Internet Scanner job-specific log files


Sensor Controller Internet Scanner Databridge Logs

Introduction The path of the log files for the Internet Scanner Databridge at the given IP address is \Program Files\ISS\RealSecure SiteProtector\ApplicationServer\temp\Sensor Controller\[email protected]. The default installation path for the Internet Scanner Databridge is \Program Files\ISS\issSensors\Internet_Scanner_DataBridge.

Note: If the trace level is set to 0 and the job is completed, then the system deletes the Job folder. Otherwise, the default location of command job log files for the Internet Scanner Databridge is:

\Program Files\ISS\issSensors\Internet_Scanner_DataBridge\Job_<jobnumber>

Description of log files

Table 24 describes the Internet Scanner Databridge log files:

File Names Description

[email protected]

• copy of current.policy located at specified IP address

• always available

• independent of logging level

[email protected]

• generated file containing runtime configuration information

• overwritten each time sensor controller restarts but is independent of logging level

[email protected]

• cached file of user modifications to properties

• overwritten each time sensor controller restarts but is independent of logging level

[email protected]

• generated file containing runtime debug information detailing interaction between sensor controller and Internet Scanner Databridge

• overwritten each time sensor controller restarts

• amount of detail depends on current logging level

Table 24: Internet Scanner Databridge log files


Sensor Controller A-Series Appliance Logs

Introduction The A-Series appliance log files contain information related to the A-Series appliance located at the given IP address. The path of the log files is \Program Files\ISS\RealSecure SiteProtector\Application Server\temp\Sensor Controller\Proventia_A<model number>@xxx.xxx.xxx.xxx.

Note: If the trace level is set to 0 and the job is completed, then the system deletes the Job folder. Otherwise, the default location of command job log files for the A-Series appliance is:

\Program Files\ISS\RealSecure SiteProtector\ApplicationServer\temp\Sensor Controller\Proventia_A<model number>\Job_<job number>

Description of log files

Table 25 describes the A-Series appliance log files:

Log File Names Description

Proventia_A<modelnumber>@xxx.xxx.xxx.xxx.policy

• copy of current.policy located at specified IP address

• always available

• independent of logging level

Proventia_A<modelnumber>@xxx.xxx.xxx.xxx.prop

• generated file containing runtime configuration information

• overwritten each time sensor controller restarts but is independent of logging level

Proventia_A<modelnumber>@xxx.xxx.xxx.xxx.properties

• cached file of user modifications to properties

• overwritten each time sensor controller restarts but is independent of logging level

Proventia_A<modelnumber>@xxx.xxx.xxx.xxx.txt

• generated file containing runtime debug information

• overwritten each time sensor controller restarts

• amount of detail depends on current logging level

Table 25: A-Series appliance log files


Sensor Controller G-Series Appliance Logs

Introduction The G-Series appliance log files contain information related to the G-Series appliance located at the given IP address. The path of the log files is \Program Files\ISS\RealSecure SiteProtector\Application Server\temp\Sensor Controller\Proventia_G<model number>@xxx.xxx.xxx.xxx.

Note: If the trace level is set to 0 and the job is completed, then the system deletes the Job folder. Otherwise, the default location of command job log files for the G-Series appliance is:

\Program Files\ISS\RealSecure SiteProtector\Application Server\temp\Sensor Controller\Proventia_G<model number>\Job_<job number>

Description of log files

Table 26 describes the G-Series appliance log files:

Log File Names Description

Proventia_G<modelnumber>@xxx.xxx.xxx.xxx.policy

• copy of current.policy located at specified IP address

• always available

• independent of logging level

Proventia_G<modelnumber>@xxx.xxx.xxx.xxx.prop

• generated file containing runtime configuration information

• overwritten each time sensor controller restarts but is independent of logging level

Proventia_G<modelnumber>@xxx.xxx.xxx.xxx.properties

• cached file of user modifications to properties

• overwritten each time sensor controller restarts but is independent of logging level

Proventia_G<modelnumber>@xxx.xxx.xxx.xxx.txt

• generated file containing runtime debug information

• overwritten each time sensor controller restarts

• amount of detail depends on current logging level

Table 26: G-Series appliance log files


Sensor Controller RealSecure Network Logs

Introduction The RealSecure Network log files contain information related to the RealSecure Network agent located at the given IP address. The path of the log files is \Program Files\ISS\RealSecure SiteProtector\ApplicationServer\temp\Sensor Controller\[email protected].

Note: If the trace level is set to 0 and the job is completed, then the system deletes the Job folder. Otherwise, the default location of command job log files for the RealSecure Network agent is:

\Program Files\ISS\RealSecure SiteProtector\ApplicationServer\temp\Sensor Controller\[email protected]\Job_<jobnumber>

Description of log files

Table 27 describes the RealSecure Network agent log files:

Note: All logging is saved for successful jobs, unless the logging level is turned off.

Log File Names Description

[email protected]

• copy of current.policy located at specified IP address

• always available

• independent of logging level

[email protected]

• generated file containing runtime configuration information

• overwritten each time sensor controller restarts but is independent of logging level

[email protected]

• cached file of user modifications to properties

• overwritten each time sensor controller restarts but is independent of logging level

[email protected]

• generated file containing runtime debug information detailing interaction between sensor controller and network sensor

• overwritten each time sensor controller restarts

• amount of detail depends on current logging level

Table 27: RealSecure Network agent log files


Sensor Controller RealSecure Network Gigabit Logs

Introduction The RealSecure Network Gigabit log files contain information related to the RealSecure Network Gigabit agent located at the given IP address. The path of the log files is \Program Files\ISS\RealSecure SiteProtector\ApplicationServer\temp\Sensor Controller\[email protected].

Note: If the trace level is set to 0 and the job is completed, then the system deletes the Job folder. Otherwise, the default location of command job log files for the RealSecure Network Gigabit is:

\Program Files\ISS\RealSecure SiteProtector\Application Server\temp\Sensor Controller\[email protected]\Job_<job number>

Description of log files

Table 28 describes the RealSecure Network Gigabit log files:

Log File Names Description

[email protected]

• copy of current.policy located at specified IP address

• always available

• independent of logging level

[email protected]

• generated file containing runtime configuration information

• overwritten each time sensor controller restarts but is independent of logging level

[email protected]

• cached file of user modifications to properties

• overwritten each time sensor controller restarts but is independent of logging level

[email protected]

• generated file containing runtime debug information detailing interaction between sensor controller and network sensor

• overwritten each time sensor controller restarts

• amount of detail depends on current logging level

Table 28: RealSecure Network Gigabit log files


Sensor Controller RealSecure Server Sensor Logs

Introduction The RealSecure Server Sensor log files contain information related to the RealSecure Server Sensor located at the given IP address. The path of the log files is \Program Files\ISS\RealSecure SiteProtector\Application Server\temp\Sensor Controller\<server sensor name>@xxx.xxx.xxx.xxx.

Note: If the trace level is set to 0 and the job is completed, then the system deletes the Job folder. Otherwise, the default location of command job log files for the RealSecure Server Sensor is:

\Program Files\ISS\RealSecure SiteProtector\Application Server\temp\Sensor Controller\<server sensor name>@xxx.xxx.xxx.xxx\Job_<job number>

Description of log files

Table 29 describes the server sensor log files:

Log File Name Description

[email protected]

• copy of current.policy located at specified IP address

• always available

• independent of logging level

[email protected]

• generated file containing runtime configuration information

• overwritten each time sensor controller restarts but is independent of logging level

[email protected]

• cached file of user modifications to properties

• overwritten each time sensor controller restarts but is independent of logging level

[email protected]

• generated file containing runtime debug information detailing interaction between sensor controller and server sensor

• overwritten each time sensor controller restarts

• amount of detail depends on current logging level

Table 29: RealSecure Server Sensor log files


Sensor Controller SiteProtector Third Party Module Logs

Introduction The Third Party Module log files contain information related to the Third Party Module located at the given IP address. The paths to the log files are as follows:

Firewall Log file path

CheckPoint \ISS\issSensors\ThirdPartyModule_Checkpoint_1\Logs

Cisco PIX \ISS\issSensors\ThirdPartyModule_Cisco_1\Logs

CheckPoint log files Table 30 describes the CheckPoint Third Party Module log files:

Log File Name Description

sensor_health.policy • copy of current.policy located at specified IP address

• always available

• independent of logging level

LeaTraceLog.txt, TpmLog.txt, TPMTraceLog.txt • generated file containing runtime debug information

• overwritten each time sensor controller restarts

• amount of detail depends on current logging level

Table 30: CheckPoint Third Party Module log files

Cisco PIX log files Table 31 describes the Cisco PIX Third Party Module log files:

Log File Name Description

sensor_health.policy • copy of current.policy located at specified IP address

• always available

• independent of logging level

TpmLog.txt, TPMTraceLog.txt • generated file containing runtime debug information

• overwritten each time sensor controller restarts

• amount of detail depends on current logging level

Table 31: Cisco PIX Third Party Module log files


SECTION D: Desktop Controller Logging Information

Overview

Introduction This section lists SiteProtector logging information for components that are managed with the Desktop Controller.

In this section This section contains the following topics:

Topic Page

Desktop Controller Desktop Protection Logs 48

Desktop Controller M-Series Appliance Logs 50


Desktop Controller Desktop Protection Logs

Introduction The Desktop Protection log files contain information related to the Desktop Controller located at the given IP address. The path of the log files is \Program Files\ISS\RealSecure SiteProtector\Desktop Controller\Logs.

Logging levels If you are experiencing problems with your Desktop Controller applications, you should adjust logging levels to help troubleshoot the issues. You set logging levels in the rsspdc.ini file, which is located in the following directory on the Desktop Controller computer:

\Program Files\ISS\RealSecure SiteProtector\Desktop Controller

Setting and clearing logging levels

To set a logging level:

1. In the rsspdc.ini file, cut the logging level you want from the dcLog.clear line, and then paste it into the dcLog.set line.

To clear a logging level, cut it from the dcLog.set line, and then paste it into the dcLog.clear line.

2. Save, and then close the file.

3. From the SiteProtector Console, stop, and then start the Desktop Controller.

Important: ISS strongly recommends that you perform this procedure only with guidance from ISS Technical Support.
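The cut-and-paste step above, done on the text of rsspdc.ini by a script, as an added example that is not part of the guide. The guide does not show the two lines themselves, so the code assumes they have the form dcLog.set=LEVEL,LEVEL,... and dcLog.clear=LEVEL,LEVEL,... with comma-separated names; the level names are checked against the parameters listed in Table 32.

```python
"""Added example, not code from the SiteProtector guide: perform the
"Setting and clearing logging levels" procedure on the text of rsspdc.ini,
moving one level name between the dcLog.clear and dcLog.set lines.

Assumption (the guide does not show the two lines): each is written as
    dcLog.set=LEVEL,LEVEL,...
    dcLog.clear=LEVEL,LEVEL,...
with comma-separated, case-insensitive names.  Change SEP if the real file
uses another separator.  Level names are checked against Table 32 so a typo
cannot quietly add an unknown token to the file.
"""
from typing import Dict, List

# Desktop Protection logging level parameters from Table 32.
DC_LEVELS = (
    "EXCEPTION", "ASSERTION", "WARNING", "INFORMATION", "HTTPRESPONSE",
    "HTTPEVENT", "FIREWALL", "AGENTDOWNLOAD", "WEBSERVER", "SYSMON",
    "ALERT", "METRICS", "VERBOSE",
)
SEP = ","  # assumed separator between level names
SET_KEY, CLEAR_KEY = "dcLog.set", "dcLog.clear"


def _key_of(line: str) -> str:
    """Return the key part of an INI 'key=value' line, stripped."""
    return line.partition("=")[0].strip()


def parse_dclog(ini_text: str) -> Dict[str, List[str]]:
    """Return {"set": [...], "clear": [...]} with upper-cased level names.

    Raises ValueError if either dcLog line is missing, since the procedure
    needs both lines to exist.
    """
    state: Dict[str, List[str]] = {}
    for line in ini_text.splitlines():
        key = _key_of(line)
        if key in (SET_KEY, CLEAR_KEY):
            value = line.partition("=")[2]
            state[key] = [t.strip().upper() for t in value.split(SEP) if t.strip()]
    missing = [k for k in (SET_KEY, CLEAR_KEY) if k not in state]
    if missing:
        raise ValueError(f"rsspdc.ini is missing line(s): {', '.join(missing)}")
    return {"set": state[SET_KEY], "clear": state[CLEAR_KEY]}


def move_level(ini_text: str, level: str, enable: bool) -> str:
    """Return ini_text with `level` moved to dcLog.set (enable=True) or to
    dcLog.clear (enable=False).  Every other line is returned unchanged.

    Raises ValueError for a name not in Table 32 or for a level that is not
    on the line it should be cut from.
    """
    lvl = level.strip().upper()
    if lvl not in DC_LEVELS:
        raise ValueError(f"{level!r} is not a Desktop Controller logging level")
    state = parse_dclog(ini_text)
    src_name, dst_name = ("clear", "set") if enable else ("set", "clear")
    src, dst = state[src_name], state[dst_name]
    if lvl not in src:
        raise ValueError(f"{lvl} is not on the dcLog.{src_name} line")
    src.remove(lvl)
    if lvl not in dst:
        dst.append(lvl)
    out = []
    for line in ini_text.splitlines():
        key = _key_of(line)
        if key == SET_KEY:
            line = f"{SET_KEY}={SEP.join(state['set'])}"
        elif key == CLEAR_KEY:
            line = f"{CLEAR_KEY}={SEP.join(state['clear'])}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Constructed rsspdc.ini fragment; the section name is illustrative.
    sample = "[Logging]\ndcLog.set=EXCEPTION,ASSERTION\ndcLog.clear=WARNING,VERBOSE\n"
    enabled = move_level(sample, "verbose", enable=True)   # turn VERBOSE on
    print(enabled, end="")
    print(move_level(enabled, "VERBOSE", enable=False), end="")  # and off again
```

After writing the result back, the Desktop Controller still has to be stopped and started from the SiteProtector Console as in step 3 for the change to take effect.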

Logging level parameters

The following table lists the logging level parameters:

Logging level Description

EXCEPTION Error level logging, including both fatal and non-fatal errors. These errors may indicate expected failure situations (such as connectivity loss or out of memory errors) or unexpected problems from outside the Desktop Controller (such as malformed XML policies or unexpected events from agents).

ASSERTION Debug assertion logging that indicates a bug in the Desktop Controller code. These errors indicate abnormal conditions and, if seen, should be reported to ISS Technical Support.

WARNING Warning logging for non-critical, recoverable conditions in the Desktop Controller, such as database connectivity loss.

INFORMATION Information logging of general activity in the Desktop Controller.

HTTPRESPONSE Logging of HTTP response data to agents from the Desktop Controller.

HTTPEVENT Logging of incoming HTTP event/heartbeat data from agents.

FIREWALL Logging of firewall rule-setting during policy loading.

AGENTDOWNLOAD Logging of HTTP request information when agents download files from the Desktop Controller (including configuration files or upgrade packages).

WEBSERVER Logging of Web server activity in the Desktop Controller.


SYSMON General logging level for system type events like thread startup and shutdown.

ALERT Logging of alert/response information for SMTP, Pager, and SNMP alerts.

METRICS Traces incoming event counts.

VERBOSE Logging of repeated informational traces such as polling thread activity and policy/property file loading.

Table 32: Desktop Protection logging level parameters


Desktop Controller M-Series Appliance Logs

Introduction The M-Series log file contains information related to the M-Series appliance located at the given IP address. The path to the log file is /var/log/messages.

Local Management Interface

The easiest way to access the log file is by using the Local Management Interface (LMI) on the M-Series appliance. For information about how to access the log file using the LMI, see the Proventia M-Series Appliances User Guide.

Description of log file

Table 33 describes the M-Series log file:

Log file parameter Description

Date/Time The date and time that the event was detected.

Event Type The type of event that was detected. The event types are:

• anti-virus

• firewall

• intrusion protection module

• system

Other event details Besides Date, Time, and Event Type, the following event information can be included in the M-Series log file:

• generated error message

• source/destination IP address

• source/destination port

• host name

Table 33: M-Series log file


Chapter 3

Diagnostic and Debugging Setup

Overview

Introduction This chapter explains the options for setting up the Sensor Controller Diagnostics console and how to activate run-time debugging for the sensor controller and the application server.

Options for running the sensor controller

By default, the sensor controller runs as a service without the Sensor Controller Diagnostics console. When you run the Sensor Controller Diagnostics console, you can run the sensor controller either as a service or as a Java application.

• If you are only logging agent data, you can use either method.

• If you are unable to start the sensor controller as a service, you can start it as a Java application. Starting the sensor controller as a Java application is also quicker.

Log information For information about the debug logs for the sensor controller and the application server, see the following:

• “Log4j Application Server and Sensor Controller Logs” on page 28

• “Changing Log4j Logging Levels” on page 29

Where to find the Sensor Controller Diagnostics console

The Sensor Controller Diagnostics console is installed with the sensor controller and the application server. The instructions for setting up the Sensor Controller Diagnostics console reference the default installation paths. If you installed SiteProtector components to other paths, you must use those instead.

In this chapter This chapter contains the following topics:

Topic Page

Diagnostic and Debugging Setup 51

Setting up Run-time Logging for the RealSecure SiteProtector Sensor Controller Service 55

Setting up Run-Time Logging for the RealSecure SiteProtector Application Server Service 55


Running the Sensor Controller as a Java Application

Introduction When you run the sensor controller as a Java application, you start the Sensor Controller Diagnostics console and the run-time debug log together from a command prompt window.

Note: When you set up the Sensor Controller Diagnostics console, you also activate the run-time debug logs for the sensor controller.

Procedure To run the sensor controller as a Java application:

1. Access the Services utility on your computer.

2. Select the RealSecure SiteProtector Sensor Controller Service, and then click Stop.

3. Access the Command Prompt.

4. Change directories to \Program Files\ISS\RealSecureSiteProtector\Application Server\bin.

5. Type ccengine -debug, and then press ENTER.

Logging information is displayed, and the Sensor Controller Diagnostics console appears.


Setting up Run-time Logging for the RealSecure SiteProtector Sensor Controller Service

Introduction When you use the Sensor Controller Diagnostics console with the sensor controller as a service, the run-time debug log appears in a separate Command Prompt window.

Process overview Starting the Sensor Controller Diagnostics console with the RealSecure SiteProtector Sensor Controller service is a four-task process:

Task Description

Stop the RealSecure SiteProtector Sensor Controller service Use the Services Administrative Tool to stop the RealSecure SiteProtector Sensor Controller service.

Edit the properties of the service From the Log On tab, select the Allow service to interact with desktop check box.

Change the registry setting Change the setting of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\issSPSenCtlService\Parameters\ConsoleTrace registry key from N to Y.

Change directories From the Command Prompt, change directories to \Program Files\ISS\RealSecureSiteProtector\Application Server\bin, and then run the ccengine -debug command.

Table 34: Starting the Sensor Controller Diagnostics console

Procedure To start run-time logging with the sensor controller as a service:

1. Select Start on the taskbar, and then select Settings → Control Panel.

2. Double-click the Administrative Tools icon, and then double-click the Services icon.

3. Select RealSecure SiteProtector Sensor Controller Service, and then click Stop.

4. Right-click RealSecure SiteProtector Sensor Controller Service, and then select Properties from the pop-up menu.

5. Select the Log On tab, select the Allow service to interact with desktop check box, and then click OK.

Tip: Do not close the Services window.

6. Select Start on the taskbar, and then select Run.

7. Type regedit, and then press ENTER.

The Registry Editor appears.

8. In the left pane, select HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\issSPSenCtlService\Parameters.

9. In the right pane, double-click ConsoleTrace, type Y in the Value data box, and then click OK.

10. In Services, select RealSecure SiteProtector Sensor Controller Service, and then click Start.

11. Access the Command Prompt.

12. Change directories to \Program Files\ISS\RealSecureSiteProtector\Application Server\bin.

13. Type ccengine -debug, and then press ENTER.

Logging information is displayed, and the Sensor Controller Diagnostics console appears.


Setting up Run-Time Logging for the RealSecure SiteProtector Application Server Service

Introduction When you enable run-time logging for the application server, it continues to run as a service. The run-time logging information appears in a separate Command Prompt window.

Procedure To set up run-time logging for the application server:

1. Select Start on the taskbar, and then select Settings → Control Panel.

2. Double-click the Administrative Tools icon, and then double-click the Services icon.

3. Select RealSecure SiteProtector Application Server, and then click Stop.

4. Right-click RealSecure SiteProtector Application Server, and then select Properties from the pop-up menu.

5. Select the Log On tab, and select the Allow service to interact with desktop check box, and then click OK.

Tip: Do not close the Services window.

6. Select Start on the taskbar, and then select Run.

7. Type regedit, and then press ENTER.

The Registry Editor appears.

8. In the left pane, select HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\issSPAppService\Parameters.

9. In the right pane, double-click ConsoleTrace, type Y in the Value data box, and then click OK.

10. In Services, select RealSecure SiteProtector Application Server, and then click Start.
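The two run-time logging procedures above (sensor controller service and application server service) are the same sequence with a different service name: stop the service, allow it to interact with the desktop, set ConsoleTrace to Y, start it again. The following PowerShell is an added example for readers of this guide, not code from ISS/IBM or from the guide itself. The service names issSPSenCtlService and issSPAppService, the Parameters\ConsoleTrace value and its Y/N settings come from the procedures; the function names, the use of sc.exe to set the interactive flag, the -Value N restore path and the -WhatIf support are this example's own assumptions.

```powershell
# Added example, not code from the SiteProtector guide or from ISS/IBM.
# Service names, the Parameters\ConsoleTrace value and its Y/N settings are
# taken from the procedures above; everything else here is this example's own.

# Service name for each SiteProtector component (from the procedures).
$SiteProtectorServices = @{
    SensorController  = 'issSPSenCtlService'
    ApplicationServer = 'issSPAppService'
}

function Get-SiteProtectorConsoleTrace {
    # Reports the service state, whether "Allow service to interact with desktop"
    # is set, and the current ConsoleTrace value, without changing anything.
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('SensorController', 'ApplicationServer')]
        [string] $Component
    )
    $service = $SiteProtectorServices[$Component]
    $key     = "HKLM:\SYSTEM\CurrentControlSet\Services\$service"
    # "Allow service to interact with desktop" is the SERVICE_INTERACTIVE_PROCESS
    # bit (0x100) of the service's Type value.
    $type  = (Get-ItemProperty -Path $key -Name 'Type').Type
    $trace = (Get-ItemProperty -Path "$key\Parameters" -Name 'ConsoleTrace' `
                  -ErrorAction SilentlyContinue).ConsoleTrace
    [pscustomobject]@{
        Component    = $Component
        Service      = $service
        Status       = (Get-Service -Name $service).Status
        Interactive  = [bool]($type -band 0x100)
        ConsoleTrace = $trace
    }
}

function Set-SiteProtectorConsoleTrace {
    # Performs the documented procedure: stop the service, set the interactive
    # flag, write ConsoleTrace, start the service. -Value N restores the
    # documented default and clears the interactive flag again.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('SensorController', 'ApplicationServer')]
        [string] $Component,
        [ValidateSet('Y', 'N')]
        [string] $Value = 'Y'
    )
    $service = $SiteProtectorServices[$Component]
    $params  = "HKLM:\SYSTEM\CurrentControlSet\Services\$service\Parameters"
    if (-not (Test-Path -Path $params)) {
        throw "Registry key $params not found; is the $Component installed on this computer?"
    }
    if ($PSCmdlet.ShouldProcess($service, "Set ConsoleTrace=$Value and restart")) {
        Stop-Service -Name $service -ErrorAction Stop          # procedure steps 1-3
        if ($Value -eq 'Y') {                                  # steps 4-5 (Log On tab)
            & sc.exe config $service type= own type= interact | Out-Null
        } else {
            & sc.exe config $service type= own | Out-Null
        }
        Set-ItemProperty -Path $params -Name 'ConsoleTrace' -Value $Value   # steps 6-9 (regedit)
        Start-Service -Name $service -ErrorAction Stop         # step 10
    }
    Get-SiteProtectorConsoleTrace -Component $Component
}

# Example calls (from an elevated PowerShell on the SiteProtector computer):
# Set-SiteProtectorConsoleTrace -Component SensorController -Value Y -WhatIf
# Set-SiteProtectorConsoleTrace -Component ApplicationServer -Value N
```

Run it elevated. With -WhatIf the stop, configure and start actions are listed but not performed; Get-SiteProtectorConsoleTrace on its own shows the current Type bit and ConsoleTrace value, which is a quick way to confirm that ConsoleTrace is back at N and the interactive flag is cleared once the diagnostic session is over.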


Chapter 4

Solutions to Some Common Issues

Overview

Introduction This chapter provides descriptions and solutions for some of the issues you may encounter when working with SiteProtector. It is not intended to represent a complete list of potential SiteProtector issues.

Knowledgebase and ISS Customer Support

For the most complete and up-to-date list of SiteProtector issues, see the ISS Knowledgebase at http://www.iss.net/support/knowledgebase/. If the Knowledgebase does not help you resolve your issue, contact ISS Customer Support at (1) (888) 447-4861.

In this chapter This chapter contains the following topics:

Topic Page

Issues Related to SiteProtector Installation 58

Issues Related to SiteProtector Encryption Keys 60

Issues Related to Operating SiteProtector 62

Issues Related to Low Memory 70

Issues Related to Updating SiteProtector 72

Issues Related to SiteProtector Services 74

Issues Related to Agents and Appliances 76


Issues Related to SiteProtector Installation

Introduction This topic provides solutions to issues that you might encounter when you install or uninstall SiteProtector components.

Important: This topic is not intended to represent a complete list of potential issues. For an expanded list of SiteProtector issues, see the ISS Knowledgebase at the following location:

http://www.iss.net/support/knowledgebase/

Installing SiteProtector manually

Description: Installing SiteProtector manually.

Solution: You can install SiteProtector manually instead of using the Basic or Custom installation method. The individual packages for installation are found in the Setup folder, which is located at the root of the SiteProtector CD.

Install the packages in the following order:

• SiteProtector database

• event collector

• Desktop Controller

• application server

• SiteProtector Console

Not Found messages displayed

Why do the pages of my Deployment Manager display a “Not Found” message?

Description: The menu frames for your Deployment Manager appear, but the pages display “Not Found” messages. This can happen when the SiteProtector Web service is running, but the RealSecure SiteProtector Application Server service is stopped on the computer where the Deployment Manager is installed.

Solution: Start the RealSecure SiteProtector Application Server service on the computer where the Deployment Manager is installed.

issApp login already exists

Description: While installing the application server, an error states that the application server login issApp already exists, and then the installation process is terminated.

Explanation: This usually occurs when you attempt to install the application server over an unsuccessful uninstallation. If the RealSecure Application Server service or RealSecure Sensor Controller service cannot be stopped during the uninstallation process, the issApp login is still in use and cannot be deleted from the database.

Solution: Do the following:

1. Make sure both services (or applications, if running as such) are stopped.

2. Use SQL Server 2000 Enterprise Manager to manually delete the existing issApp login, which is located in the /Security/Logins folder for the SiteProtector database.


Event collector login cannot be deleted

Description: While uninstalling the event collector, an error states that the EventCollector_<machine> login cannot be deleted because the service is running, and then the uninstallation process terminates.

Solution: Do one of the following:

• If you are uninstalling the SiteProtector database, ignore this message and uninstall the database, and then repeat the uninstallation process for the event collector.

• If you are not uninstalling the SiteProtector database, stop the issDaemon service and repeat the event collector uninstallation process. If the uninstallation process proceeds, but you are warned that the login still exists, use the SQL Server 2000 Enterprise Manager to manually delete the existing EventCollector_<computer> login, located in the /Security/Logins folder for the SiteProtector database.

Additional event collector encryption

Description: When you install an additional event collector, the encryption is not initially set.

Solution: After installing an additional event collector, you must stop, and then restart it to set encryption.

To stop, and then restart an event collector:

1. Select the root group in the Site Manager group tree.

2. Select the Sensor tab.

3. Set the Show/Hide subtree button to Show if it is not already set.

4. Right-click the event collector you want to restart.

A pop-up menu appears.

5. Select Event Collector → Stop.

When the event collector is stopped, the value in the Status column reads Stopped.

6. Right-click the event collector after it stops.

A pop-up menu appears.

7. Select Event Collector → Start.

When the event collector starts, the value in the Status column reads Active.

Can’t stop the event collector

Description: You have removed the application server and the console, but can’t stop the event collector.

Solution: The two ways to handle this are as follows:

• Remove the SiteProtector database first.

• If you aren’t removing the SiteProtector database, contact ISS Technical Support for assistance with manually stopping the event collector.

Database in use error

Description: While uninstalling the SiteProtector database, an error states that the database is in use.

Solution: Use the SQL Server 2000 Enterprise Manager to manually stop all processes associated with the SiteProtector database, and then proceed with uninstalling the database.


Issues Related to SiteProtector Encryption Keys

Introduction This topic provides solutions to issues that you might encounter when working with SiteProtector encryption keys.

Important: This topic is not intended to represent a complete list of potential issues. For an expanded list of SiteProtector issues, see the ISS Knowledgebase at the following location:

http://www.iss.net/support/knowledgebase/

Keeping the private key directory

Description: You can avoid having to copy new public keys for the SiteProtector event collector and application server.

Solution: Public encryption keys from the SiteProtector event collector and application server are used to communicate with agents. To avoid having to issue new public key files when a SiteProtector event collector or application server is reinstalled, do not remove the private key directory, located, by default, in the following location:

\Program Files\ISS\KeyContainer

The uninstallation process does not remove private keys, but if you manually remove the private keys, you must issue a new public key after you reinstall an event collector or an application server. However, if you uninstall an event collector, you may need to manually copy the application server's public key back to that event collector. This is usually required only if another agent, such as a RealSecure Server Sensor, is installed on the same computer as the event collector.

To copy the application server's public key to the event collector:

1. Locate the application server's public keys on the application server computer:

\Program Files\ISS\RealSecure SiteProtector\Application Server\Keys

2. Copy the public encryption keys, called sp_con_<computername>_239.PubKey and sp_con_<computername>_1024.PubKey, from the CerticomNRA and RSA directories to their respective locations on the event collector computer:

\Program Files\ISS\RealSecure SiteProtector\Event Collector\Keys

Key exchange doesn’t work

Description: The following message appears under the EC Public Keys sent row when you click Details for Solaris RealSecure Network 7.0:

EC Public Keys sent : No - Error checking encryption algorithms on sensor, neither CerticomNRA nor RSA supported. No encryption key (include directory) found on sensor.

This message indicates that the encryption key exchange between SiteProtector and the Solaris RealSecure Network 7.0 is not functioning. This issue also causes the RealSecure Network to display a status of Offline. To fix the issue, you must manually send the keys from SiteProtector to the RealSecure Network agent.


Solution: To manually send keys:

1. Locate your event collector public keys. These keys reside on the event collector computer that communicates with your Solaris RealSecure Network.

The default names and directories for your public keys are:

• \Program Files\ISS\RealSecure SiteProtector\EventCollector\Keys\CerticomNRA\rs_eng_<computer_name>_239.PubKey

• \Program Files\ISS\RealSecure SiteProtector\EventCollector\Keys\RSA\rs_eng_<computer_name>_1024.PubKey

• \Program Files\ISS\RealSecure SiteProtector\EventCollector\Keys\RSA\rs_eng_<computer_name>_1536.PubKey

2. Using the file transfer protocol (FTP), send rs_eng_<computer_name>_239.PubKey to the following location on your Solaris RealSecure Network 7.0 computer:

/opt/ISS/issSensors/network_sensor_1/Keys/CerticomNRA

3. Using FTP, send rs_eng_<computer_name>_1024.PubKey and rs_eng_<computer_name>_1536.PubKey to the following location on your Solaris RealSecure Network 7.0 computer:

/opt/ISS/issSensors/network_sensor_1/Keys/RSA

Important: Be sure to change to binary mode before you FTP your keys.


Issues Related to Operating SiteProtector

Introduction This topic provides solutions to issues that you might encounter when operating SiteProtector.

Important: This topic is not intended to represent a complete list of potential issues. For an expanded list of SiteProtector issues, see the ISS Knowledgebase at the following location:

http://www.iss.net/support/knowledgebase/

Cannot log into SiteProtector

Description: When you attempt to log on to the console, SiteProtector displays a Certificate Incompatibility message.

Explanation: The Certificate Incompatibility message appears when you try to connect to the server, but the certificate validation process determines a discrepancy in the certificate assigned to the server.

Solution: Record the information displayed in the Certificate Incompatibility message and contact your System Administrator to determine if the certificates have been updated.

• If your System Administrator confirms that they have updated the certificates, click Valid. The newly updated certificate will replace the previous certificate in the key store for that server.

• If your System Administrator verifies that they have not updated certificates, then click Invalid. The System Administrator should then contact ISS Technical Support for assistance.

Note: The purpose of certificates is to alert you to attacks. Accepting an unknown certificate could make you vulnerable to attacks.

Cannot view a report

Description: SiteProtector displays the following error when you try to view a report:

The requested URL could not be retrieved.

This error can occur when you log on to the SiteProtector Console using a NetBIOS computer name, but your Internet Explorer application cannot resolve the NetBIOS name. Internet Explorer is probably set to use a proxy, and the proxy server is not configured to resolve the NetBIOS address.

Solution: Log out of the SiteProtector Console, and then log in using either the fully qualified domain name (FQDN) or the IP address of the SiteProtector application server.

Cannot view PDF documentation

Description: You are unable to view the PDF documentation from the SiteProtector Help menu when using Windows 2003.

The default Windows 2003 security settings prevent users from opening non-HTML files by clicking the associated link or menu item.

Solution: To open the SiteProtector PDF documentation, do one of the following:


• Configure your Windows 2003 security settings to allow you to open non-HTML files by clicking the associated link or menu item. For information about configuring your security settings, see the Windows 2003 system documentation.

Or

• Save the PDF documentation to your hard drive, and then access the PDF file directly.

Software query on host returns no entries

Description: After adding a host, querying the host for software returns no entries.

Solution: Check that signature verification for the agent is not failing. On the host where the agent is installed, look for the agent's issDaemon entries in the Application log of the Event Viewer.

Missing or invalid license key errors

Description: After you add a license key through the SiteProtector console, the features do not appear, but errors related to a missing or invalid license key appear.

Solution: The sensor controller polls for license changes every 60 seconds, so the change may not appear immediately.

You can press the F5 key to refresh the licensing information. You can also wait 60 seconds, and then re-open the Add License window to see if the feature columns are populated. If the feature columns are populated, the license key has been successfully imported.

Note: If you add license keys through the Sensor Controller Diagnostics console, the effect is immediately apparent.

Computer absent from Active Directory

Description: Your computer appears in a domain and the DNS, but it does not appear in the Active Directory grouping tree.

Solution: Your computer may not have an assigned DNS name in its Active Directory object. If this is the case, SiteProtector cannot resolve a name for your computer.

To verify that your computer has an assigned DNS name:

1. On the Domain Controller computer, access Administrative Tools.

2. Select Active Directory Users and Computers.

3. In the left pane, locate the computer that does not appear in the Active Directory listing.

4. Right-click the computer name, and then select Properties.

The <Computer Name> Properties window appears.

5. Does the full DNS name appear in the DNS name box?

• If yes, then call ISS Technical Support to help you with this issue.

• If no, then go to the next step.

6. Go to the computer that does not appear in the Active Directory listing.

7. Right-click My Computer, and then select Properties.

The System Properties window appears.

8. Manually change the Full computer name in System Properties to reflect the complete name of the computer.


Note: The procedure to change the name that appears in the Full computer name field depends on your operating system version. See your operating system documentation for information about how to change your computer name.

SiteProtector is not collecting Internet Scanner 6.2.1 data

Description: You re-installed Internet Scanner 6.2.1, and you are no longer collecting data.

Solution: The Internet Scanner Databridge registers some of the Internet Scanner DLL files, so you must reinstall the Internet Scanner Databridge after you reinstall Internet Scanner 6.2.1.

Your event collector password was deleted or has expired

Description: Your event collector username/password was accidentally deleted, changed, or has expired. The encryption authentication between the event collector and the SiteProtector database is no longer valid.

Solution: You must generate a new set of keys by re-generating the user account. Contact ISS Technical Support for assistance.

Agent status is “Unknown” or “Not Responding”

Description: The SiteProtector Console displays an “Unknown” or “Not Responding” status for one or more agents.

Under normal conditions, an agent's status should be “Active” or “Stopped” if the agent is not assigned to an event collector. If the agent is assigned to an event collector, the status should be “Active” (if the agent is currently connected to an event collector) or “Offline” (if the event collector is unable to connect to the agent).

Solution: This is probably the result of a missing or invalid SiteProtector authentication key on the agent computer. To verify that this is the problem, go to the Keys folder on the agent computer. Typical folders include the following:

Product Folder

Deployment Manager \Program Files\ISS\RealSecure SiteProtector\DeploymentManager\Keys

Desktop Controller \Program Files\ISS\Realsecure SiteProtector\DesktopController\Keys

RealSecure Network Gigabit (Linux) /opt/ISS/issSensors/network_sensor_1/Keys

RealSecure Network Gigabit (Windows) \Program Files\ISS\issSensors\Network_Sensor_1\Keys

ICEcap Databridge \Program Files\ISS\issSensors\ICEcap_Databridge\Keys

Internet Scanner 7.0 \Program Files\ISS\issSensors\Scanner_1\Keys

Internet Scanner 6.2.1 \Program Files\ISS\Scanner6\Keys

Internet Scanner Databridge 6.2.1 \Program Files\ISS\issSensors\Internet_Scanner_DataBridge\Keys

RealSecure Network \Program Files\ISS\issSensors\network_sensor_1\Keys

Proventia A-Series /opt/ISS/issSensors/network_sensor_1/Keys

Proventia G-Series /opt/ISS/issSensors/network_sensor_1/Keys

Proventia M-Series /var/spool/crm/leafcerts
Note: The Proventia M-Series has an SSL certificate instead of an encryption key.

SecurityFusion Module \Program Files\ISS\issSensors\Security Fusion\Keys

RealSecure Server Sensor \Program Files\ISS\issSensors\server_sensor_1\Keys

System Scanner Databridge \Program Files\ISS\issSensors\System_Scanner_Databridge\Keys

Third Party Module (for Check Point) \Program Files\ISS\issSensors\ThirdPartyModule_CheckPoint_1\Keys

Third Party Module (for Cisco) \Program Files\ISS\issSensors\ThirdPartyModule_Cisco_1\Keys

Table 35: Location of Keys folder

Important: You need to examine both the Internet Scanner and Internet Scanner Databridge folders for Internet Scanner 6.2.1 installations.

Each Keys folder can contain subfolders for each key provider present (e.g., \RSA or \CerticomNRA). At least one of these key provider subfolders should contain the SiteProtector authentication key, which looks like sp_con_<ApplicationServerDNS>_<####>.PubKey.

For example, if the SiteProtector application server is on a computer with the DNS name “bob”, then the computer containing a RealSecure Server Sensor installation should have a file called \Program Files\ISS\issSensors\server_sensor_1\Keys\RSA\sp_con_bob_239.PubKey (assuming RSA encryption). If this file is not present, or if the date does not match the date of the corresponding key on the RealSecure application server computer, then you must force the key to be pushed from the RealSecure application server to the local agent.

The SiteProtector authentication keys for SiteProtector are located in the \Program Files\ISS\RealSecure SiteProtector\Application Server\Keys\<keyprovider>\ folders.

Important: Make sure you compare keys in similar key provider subfolders. In the example above, compare the agent's RSA key folder to the Application Server's RSA key folder.

To send the application server’s authentication keys to the agent:

1. Locate, and then delete sp_con*.PubKey in the \Program Files\ISS folder and below.

2. From a command prompt, type net stop issdaemon.


3. Edit the \Program Files\ISS\issDaemon\crypt.policy file by changing the string “allowfirstconnection<tab> =L<tab>0;” to “allowfirstconnection<tab> =L<tab>1;”.

4. Save the file.

5. From a command prompt, type net start issdaemon.

6. From the SiteProtector console, issue a Start command to the agent so that it attempts to connect. This should change the agent status, though it may take a minute or so. Verify that the key was sent as described above.
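The six-step key push above is mostly file and service work on the agent computer, which is easy to get subtly wrong by hand (a missed stale key, or an edit that changes more than the single digit in crypt.policy). The following PowerShell is an added example for readers of this guide, not code from ISS/IBM or from the guide itself. The sp_con*.PubKey pattern, the \Program Files\ISS root, the issdaemon service and the crypt.policy line come from the procedure; the function name, its parameters, the backup copy of crypt.policy and the -WhatIf support are this example's own assumptions. Step 6, the Start command, is still issued from the SiteProtector console.

```powershell
# Added example, not code from the SiteProtector guide or from ISS/IBM.
# The key file pattern, the issdaemon service, the crypt.policy path and the
# allowfirstconnection setting come from the procedure above; the function
# name, parameters and backup behaviour are this example's own assumptions.

function Push-SiteProtectorAppServerKey {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Root below which stale sp_con*.PubKey files are removed (procedure step 1).
        [string] $IssRoot     = 'C:\Program Files\ISS',
        # Policy file edited in procedure step 3.
        [string] $CryptPolicy = 'C:\Program Files\ISS\issDaemon\crypt.policy'
    )
    if (-not (Test-Path -LiteralPath $CryptPolicy)) {
        throw "crypt.policy not found at $CryptPolicy"
    }

    # Step 1: locate and delete every sp_con*.PubKey under \Program Files\ISS.
    $stale = @(Get-ChildItem -Path $IssRoot -Recurse -Filter 'sp_con*.PubKey' -File -ErrorAction SilentlyContinue)
    foreach ($f in $stale) {
        if ($PSCmdlet.ShouldProcess($f.FullName, 'Delete stale application server key')) {
            Remove-Item -LiteralPath $f.FullName -Force
        }
    }

    # Step 2: stop issdaemon before touching the policy file.
    if ($PSCmdlet.ShouldProcess('issdaemon', 'Stop service')) {
        Stop-Service -Name 'issdaemon' -ErrorAction Stop
    }

    # Steps 3-4: change "allowfirstconnection<tab> =L<tab>0;" to "...1;".
    # \s* absorbs the tab/space mix so only the digit is rewritten; if the line
    # is absent or already 1, the file is reported and left alone rather than guessed at.
    $pattern = '(?m)^(allowfirstconnection\s*=L\s*)0;'
    $text    = Get-Content -LiteralPath $CryptPolicy -Raw
    $changed = $false
    if ($text -match $pattern) {
        if ($PSCmdlet.ShouldProcess($CryptPolicy, 'Set allowfirstconnection to 1')) {
            Copy-Item -LiteralPath $CryptPolicy -Destination "$CryptPolicy.bak" -Force
            $newText = [regex]::Replace($text, $pattern, '${1}1;')
            [System.IO.File]::WriteAllText($CryptPolicy, $newText)
            $changed = $true
        }
    } else {
        Write-Warning "No 'allowfirstconnection ... 0;' line found in $CryptPolicy; file left unchanged."
    }

    # Step 5: start issdaemon again. Step 6 (the Start command from the
    # SiteProtector console) is issued from the console, not from this script.
    if ($PSCmdlet.ShouldProcess('issdaemon', 'Start service')) {
        Start-Service -Name 'issdaemon' -ErrorAction Stop
    }

    [pscustomobject]@{
        StaleKeysRemoved = $stale.Count
        PolicyChanged    = $changed
        PolicyBackup     = if ($changed) { "$CryptPolicy.bak" } else { $null }
    }
}

# Example call: Push-SiteProtectorAppServerKey -WhatIf   (lists what would be deleted and changed)
```

Run it with -WhatIf first to see which key files it would remove. After the console Start command, confirm that the new sp_con_<ApplicationServerDNS>_<####>.PubKey has appeared in the agent's Keys\<provider> folder, which is the verification the procedure's last step asks for.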

Agent status is “Offline”

Description: The SiteProtector console displays the status for one or more agents as “Offline.”

Explanation: This could be the result of a missing or invalid event collector authentication key on the agent computer.

Solution: To verify that this is the problem, go to the Keys folder on the agent computer. For a list of typical folders, see Table 35, “Location of Keys folder” on page 64.

Each Keys folder can contain subfolders for each key provider present (e.g., \RSA or \CerticomNRA). At least one of these key provider subfolders should contain the event collector authentication key, which looks like rs_eng_<EventCollectorDNS>_<####>.PubKey.

For example, if the event collector is present on a computer with the DNS “bob”, then the computer containing a RealSecure Server Sensor installation should have a file called \Program Files\ISS\issSensors\server_sensor_1\Keys\RSA\rs_eng_bob_239.PubKey (assuming RSA encryption). If this file is not present, or if the date does not match the date of the corresponding key on the event collector host, then you must force the key to be pushed from the event collector to the local agent.

The event collector computer’s authentication keys are located in the \Program Files\ISS\RealSecure SiteProtector\Event Collector\Keys\<key provider>\ folders.

Important: Make sure you compare keys in similar key provider subfolders. In the example above, compare the agent’s RSA key folder to the event collector’s RSA key folder.

To apply the event collector’s authentication keys to the agent:

1. From the SiteProtector Console, issue a Stop command to the event collector, and wait until its status changes to “Stopped.”

2. Select the agent, right-click the agent, and then select View/Edit from the pop-up menu.

3. Change the Event Collector box to None, and then click OK.

4. Issue a Start command to the event collector, and then wait until its status changes to either “Offline” or “Active.”

5. Select the agent, right-click the agent, and then select View/Edit from the pop-up menu.

6. Change the Event Collector box from “None” to the appropriate event collector, and then click OK.


This should change the agent status to “Active.” Verify that the key was sent, as described previously.

Inaccessible file structure and application registry

Description: When you install the SiteProtector Console, the file structure and the application registry may not be accessible for some users and groups that have limited access privileges.

Solution: To change SiteProtector Console access permission on Windows 2000:

Note: You must be an administrator or a user with access privileges that allow modifications to the security settings for the SiteProtector Console installation. Specifically, you must be able to change the file system and registry settings that are described in the following procedure:

1. Open Windows Explorer.

2. Navigate to the location where the SiteProtector Console is installed.

The default location is:

\Program Files\ISS\RealSecure SiteProtector\Console

3. Right-click the Console folder, and then select Properties.

The folder’s properties window appears.

4. Select the Security tab.

5. Click Add.

The Select Users, Computers, or Groups window opens.

6. Select the users and/or groups for which you want to add permissions, and then click Add.

7. Click OK.

The Select Users, Computers, or Groups window closes.

8. Select each user and/or group you added, and then ensure that they have, at least, the following permissions:

For file folders:

• Write

• Read

• List & Execute

• Modify

For registry folders:

• Read

9. Click Apply, and then click OK.

10. Open the registry editor program, regedt32.exe.

Note: The registry editor program name is regedit.exe on Windows 2003.

11. Select the window titled HKEY_LOCAL_MACHINE on Local Machine, and then navigate the following path:

HKEY_LOCAL_MACHINE\Software\ISS\SiteProtector

12. Select the Console folder, and then select Security → Permissions on the menu bar.


Note: On Windows 2003, right-click the SiteProtector key, and then select Permissions.

The Permissions for Console window opens.

13. Click Add.

The Select Users, Computers, or Groups window opens.

14. Select the users and/or groups for which you want to add permissions, and then click Add.

15. Click OK.

The Select Users, Computers, or Groups window closes.

16. Click OK to complete the operation.

Desktop Protection agent not visible in the console

Description: The Desktop Protection agent is not visible in the SiteProtector Console.

Solution: On the target computer (the computer where your Desktop Protector agent is installed), verify that the executable, blackd.exe, is running. You can verify this on the Processes tab in Windows Task Manager.

You may have to limit the name of the final subdirectory in your Desktop Protection agent installation path to 17 characters or fewer. To limit the name of the final subdirectory in your Desktop Protector agent installation path to 17 characters or fewer:

1. Navigate to the root of the directory where the Desktop Protection agent is installed.

The default location is: \Program Files\ISS\issSensors\DesktopProtection

2. Double-click AgentRemove.exe.

3. In the Site Manager, select Sensor → Manage → Policy.

The Manage Policy window opens.

4. Select the appropriate policy.

This is the policy that was selected for the target computer.

5. Click View/Edit.

The Policy window opens.

6. Select Installation Configuration.

7. In the following fields, limit the name of the final subdirectory in your Desktop Protector agent installation path to 17 characters or fewer:

• WinNT/2000 Install Path

• Win 9x Install Path

8. Save the policy, right-click the group that contains the malfunctioning Desktop Protection agent, and then select Desktop Protection → Generate Desktop Protection Build.

The Generate Desktop Protection Build window opens.

9. In the drop-down list, select the desired Desktop Controller, and then type a description in the Description box.

10. Click OK.

11. After the Desktop Protection build is complete, navigate to the Desktop Protection Build page in the target computer’s Web browser.


By default, this page is located on port 8085 of the computer where the Desktop Controller resides.

12. Select the newly generated Desktop Protection build.

13. Select Open on the Download window.

14. The new agent build is installed.


Issues Related to Low Memory

Introduction This topic provides descriptions and solutions for some of the issues you may encounter due to a lack of memory on your SiteProtector system.

Important: This topic is not intended to represent a complete list of potential issues. For an expanded list of SiteProtector issues, see the ISS Knowledgebase at the following location:

http://www.iss.net/support/knowledgebase/

Importing a large application list

Description: If you import an application list containing more than 8000 entries into the global application list or into a policy, then an out of memory error can appear when you attempt to edit the global application list.

Solution: Perform the following procedure:

1. Select Start → Run.

The Run window appears.

2. Type regedit in the Open box.

The Registry Editor application opens.

3. In the left pane, navigate the following path:

HKEY_LOCAL_MACHINE\SOFTWARE\ISS\CPE\Parameters

4. Edit the string value for MaxHeap to reflect the following:

-Xmx<size in megabytes>M

Note: ISS recommends that you start with a value of 128, and then increase the value, if necessary, until the application runs. For example, type -Xmx128M to set the heap size to 128 megabytes.

Multiple console connections

Description: Your SiteProtector system may generate an "out of memory" error on the application server if both of the following occur:

• multiple consoles are simultaneously retrieving asset information from a Site

• you have increased the default value for the maximum number of rows that SiteProtector displays

Note: This is also applicable to the SiteProtector Web Portal.

Solution: Perform the following procedure:

1. On the application server, select Start → Run.

The Run window appears.

2. Type regedit in the Open box.

The Registry Editor application opens.

3. In the left pane, navigate the following path:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\issSPAppService\Parameters

4. Edit the string value for MaxHeap to reflect the following:


-Xmx<size in megabytes>M

Note: ISS recommends that you start with a value of 384, and then increase the value, if necessary, until the application runs. For example, type -Xmx384M to set the heap size to 384 megabytes.


Issues Related to Updating SiteProtector

Introduction This topic provides descriptions and solutions for some of the issues you may encounter when updating your SiteProtector system.

Important: This topic is not intended to represent a complete list of potential issues. For an expanded list of SiteProtector issues, see the ISS Knowledgebase at the following location:

http://www.iss.net/support/knowledgebase/

Cross-database ownership chaining

Description: Some users have found that they cannot apply database updates after they install Microsoft SQL Server SP3. There are several reasons why your database updates may fail.

Solution: You must enable cross-database ownership in MSSQL before you can apply database updates. You can do this using the Enterprise Manager or using the command prompt.

Note: You only need to perform one of the following procedures.

To enable cross-database ownership using the Enterprise Manager:

1. Open the Enterprise Manager.

2. Right-click on the database, and then click Properties.

3. Select the Options tab.

4. Select Allow Cross-database ownership chaining.

5. Click OK.

To enable cross-database ownership using the command prompt:

1. Type the following at the command prompt:

osql -E

2. Press ENTER.

The following prompt appears: 1>

3. Type the following at the prompt:

exec sp_dboption 'RealSecureDB', 'db chaining', 'true'

4. Press ENTER.

The following prompt appears: 2>

5. Type the following at the prompt:

go

6. Press ENTER.

SQL Agent not running

Description: If the SQL Server Agent is not running on the SQL server that hosts the SiteProtector database, the updates will fail.

Solution: Restart the SQL Server Agent, and then try applying the update again.


Database job missing

Description: Sometimes jobs in the SiteProtector database can be automatically deleted. This is a known SiteProtector issue.

Solution: Verify that certain jobs are present.

To verify the jobs:

1. In Enterprise Manager, select Management → SQL Server Agent → Jobs.

2. Verify that the following five jobs are present:

• Check Sensor Controller in RealSecureDB

• Job History Purge in RealSecureDB

• Load Sensor Data and Post Process in RealSecureDB

• Observances Purge in RealSecureDB

• SensorData Purge in RealSecureDB

Important: If one or more of these jobs is missing, contact ISS Technical Support for assistance.

Job ownership

Description: If SiteProtector jobs are not owned by the IssApp account, you may not be able to apply updates to your SiteProtector database.

Solution: Make IssApp the owner of these jobs, and then apply the update.

Non-English SQL

Description: SiteProtector is only supported on the English version of SQL Server. Localized versions of SQL Server have been known to cause problems when applying database updates.

Solution: Install an English version of SQL Server, and then apply the update.

Database update 1.18

Description: SiteProtector database update 1.18 contained many issues, and was subsequently re-released as database update 1.19.

Solution: If you need further assistance to resolve this issue, please contact ISS Technical Support.


Issues Related to SiteProtector Services

Introduction This topic provides solutions to issues that you might encounter when working with the SiteProtector Services.

Important: This topic is not intended to represent a complete list of potential issues. For an expanded list of SiteProtector issues, see the ISS Knowledgebase at the following location:

http://www.iss.net/support/knowledgebase/

Services failing to start

Description: Communication between your application server or sensor controller and the SiteProtector database requires a password. SiteProtector generates the original password at installation time. If this password is changed, your SiteProtector database and application server (and/or sensor controller) cannot communicate. The result is that the service will fail to start.

Solution: The Application Server password utility allows you to create a new password if the original password is accidentally changed, deleted, or if your company policy requires you to change your passwords periodically.

To change the password for your sensor controller and application server:

1. Select Start → Settings → Control Panel → Administrative Tools → Services.

The Component Services window appears.

2. Right-click RealSecure SiteProtector Application Service, and then click Stop on the pop-up menu.

3. Right-click RealSecure SiteProtector Sensor Controller Service, and then click Stop on the pop-up menu.

4. Select Start → Programs → Accessories → Command Prompt.

The Command Prompt window appears.

5. Change to the bin directory under the directory where the Application Server is installed.

For example, if the Application Server is installed in the default location, you should type the following, and then press ENTER:

cd "\Program Files\ISS\RealSecure SiteProtector\ApplicationServer\bin"

6. At the command prompt, type the following command:

instutil.bat -p <your new password>

7. Select Start → Settings → Control Panel → Administrative Tools → Services.

The Component Services window appears.

8. Right-click RealSecure SiteProtector Application Service, and then click Start on the pop-up menu.

9. Right-click RealSecure SiteProtector Sensor Controller Service, and then click Start on the pop-up menu.


Desktop Controller Server fails

Description: Communication between your Desktop Controller and the SiteProtector database requires a password. SiteProtector generates the original password at installation time. If this password is changed, your SiteProtector database and Desktop Controller will no longer be able to communicate. The result is that the service will fail to start.

Solution: The Desktop Controller password utility allows you to create a new password if the original password is accidentally changed, deleted, or if your company policy requires you to change your passwords periodically.

To change the password for your Desktop Controller:

1. Double-click DCLogin.exe.

DCLogin.exe resides on the computer where your Desktop Controller is installed, and it is usually in the following location: \Program Files\ISS\RealSecure SiteProtector\Desktop Controller

2. Type the login name into the Login box.

Note: This field already contains the current login name for the Desktop Controller. If you don't plan to change the login name with the password, you can leave this field as is.

3. Type the password into the Password box.

4. Type the password again into the Confirm box.

5. Click Save.

6. In the Site Manager, stop, and then restart the Desktop Controller.


Issues Related to Agents and Appliances

Introduction This topic provides solutions to issues that you might encounter when working with agents or appliances that are monitored and/or controlled by SiteProtector.

Important: This topic is not intended to represent a complete list of potential issues. For an expanded list of SiteProtector issues, see the ISS Knowledgebase at the following location:

http://www.iss.net/support/knowledgebase/

Agent/SiteProtector communication failure

Description: RealSecure Network 6.0/6.5 and RealSecure Server Sensor 6.0/6.0.1/6.5 will not communicate with SiteProtector if any of the SiteProtector Databridge agents/scanners are installed, so a failure of these sensors to communicate with SiteProtector may have this cause. The event log records the following message when SiteProtector attempts to communicate with these agents:

ns60_computername_w2k) - OnError from 172.16.3.69: The currently selected provider does not support the requested cryptographic algorithm at the selected strength/length. [ID=0xc7280003]

Solution: To avoid this issue, install RealSecure Network 6.0/6.5 and RealSecure Server Sensor 6.0/6.0.1/6.5 before you install Internet Scanner Databridge 6.2.1, ICEcap Databridge, or System Scanner Databridge.

Error when downloading agent logs

Description: SiteProtector issues the following error message when you attempt to download logs on a RealSecure Network that is running on a Unix operating system:

Get files failed on Sensor #<sensor number>. 0 of 1 files transferred. Get file <file name> failed. The current session user does not have permission to perform the specified operation on the specified path. Please edit the access control file on the remote server and add the necessary permissions for the session.

This problem is due to an incorrect permission contained in the iss.access file of the sensor’s daemon.

Note: The error message also appears for RealSecure Server Sensor.

Solution: Correct this issue as follows:

1. Access the iss.access file in the issDaemon folder, and then modify the following sections in the file:

Note: The following text is an example. The path on your computer may be slightly different.

Before edit:

[/opt/ISS/issSensors/network_sensor_1/Logs/];

ACL1 =S Role=Default FilePerms=RD DirPerms=R;

After edit:

[/opt/ISS/issSensors/network_sensor_1/Logs/];

ACL1 =S Role=Default FilePerms=RD DirPerms=R Recursive;

2. Stop, and then restart the issDaemon service.
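The edit above, as an added example that is not from the guide: a small Python transformer that adds the Recursive flag only to ACL entries in the section for the given path, leaving other sections and entries that are already recursive untouched, so it can be re-run safely. The iss.access layout assumed here (a [path]; header followed by ACLn =S ...; lines) is inferred from the excerpt, and SAMPLE_ISS_ACCESS is constructed.

```python
"""Add the Recursive flag to the ACL entries for one section of iss.access.
Added example; the file layout is inferred from the guide's excerpt and the
sample content below is constructed."""
import re

# Assumed layout: "[<path>];" starts a section; "ACLn =S ...;" lines follow it.
SECTION = re.compile(r"^\[(?P<path>[^\]]+)\];\s*$")
ACL = re.compile(r"^(?P<head>ACL\d+\s*=S\b.*?)(?P<flag>\s+Recursive)?\s*;\s*$")

# Constructed sample: a non-target section, then the Logs section from the guide,
# with one entry that is already recursive.
SAMPLE_ISS_ACCESS = """\
[/opt/ISS/issSensors/network_sensor_1/];
ACL1 =S Role=Default FilePerms=R DirPerms=R;
[/opt/ISS/issSensors/network_sensor_1/Logs/];
ACL1 =S Role=Default FilePerms=RD DirPerms=R;
ACL2 =S Role=Admin FilePerms=RD DirPerms=R Recursive;
"""


def add_recursive(text: str, target_path: str) -> tuple:
    """Return (new_text, number_of_ACL_lines_changed). Only ACL entries inside
    the section for target_path are touched; a trailing slash on either side
    is ignored when matching the section header."""
    out, changed, in_target = [], 0, False
    for line in text.splitlines():
        section = SECTION.match(line)
        if section:
            in_target = section.group("path").rstrip("/") == target_path.rstrip("/")
            out.append(line)
            continue
        entry = ACL.match(line) if in_target else None
        if entry and not entry.group("flag"):
            line = f"{entry.group('head')} Recursive;"
            changed += 1
        out.append(line)
    trailing = "\n" if text.endswith("\n") else ""
    return "\n".join(out) + trailing, changed


if __name__ == "__main__":
    fixed, count = add_recursive(SAMPLE_ISS_ACCESS,
                                 "/opt/ISS/issSensors/network_sensor_1/Logs/")
    print(f"{count} ACL line(s) changed:\n{fixed}")
```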


Appendix


Appendix A

Database Schema

Overview

Introduction This appendix provides the SiteProtector database schematics.

In this appendix This appendix contains the following topics:

Topic (page):

Application Security Schema (80)

Auditing and Diagnostics Schema (81)

Command and Control Schema (82)

Grouping Schema (83)

ITRSO Schema (84)

Metrics Schema (85)

Sensor Data Schema (86)

Site Analysis Schema (87)

Site Filters Schema (88)

Staging and Rejects Schema (89)

Statistics Schema (90)

X-Force Schema (91)

Complete Database Schema (92)


Application Security Schema

Schema The following diagram displays the Application security schema:

[Diagram not reproduced in this text extraction. Tables and columns recovered from the Application Security schema diagram:]

Groups: GroupID int NOT NULL (AK1.2); GroupName nvarchar(80) NOT NULL; GroupDesc nvarchar(255) NULL; RoleID int NULL (FK); ParentGroupID int NULL (AK1.1, IE1.1); GroupViewID int NULL (FK); Deleted tinyint NULL; SiteID int NULL (FK); GroupTypeID int NULL (FK); SPGroupID int NULL; RuleID int NULL (FK); GUID varchar(36) NULL

Sites: SiteID int NOT NULL; Name nvarchar(60) NOT NULL; Descr nvarchar(255) NULL; IpAddress varchar(47) NOT NULL; Port int NOT NULL; LastDataLoadAt datetime NULL; Deleted tinyint NULL

Audit: ID INTEGER NOT NULL; EntityID int NOT NULL (IE1.1); UserID INTEGER NULL (FK); EntityName varchar(60) NULL (IE1.2); Descr varchar(255) NULL; Action varchar(30) NULL; SourceIP varchar(47) NULL; Time datetime NULL

Users: UsersID int NOT NULL; Login nvarchar(50) NOT NULL; Domain nvarchar(255) NOT NULL; SID varchar(50) NOT NULL (AK2.1); LastLogin datetime NULL; LastLoginFailure datetime NULL; NTGroup nvarchar(30) NOT NULL

UsersGroups: UsersID int NOT NULL (FK); GroupID int NOT NULL (FK)

UsersSites: UsersID INTEGER NOT NULL (FK); SiteID int NOT NULL (FK)

Role: RoleID int NOT NULL; RoleName varchar(60) NOT NULL; ProductID int NULL (FK); ClassName varchar(255) NOT NULL (AK1.1); Namespace varchar(255) NULL; DefaultLoggingLevel tinyint NULL; DefaultStatus tinyint NULL; DefaultOptionFlags tinyint NULL; SupportsEC tinyint NOT NULL; SupportsGroupPolicy tinyint NOT NULL

GroupView: GroupViewID int NOT NULL (IE1.1); GroupViewName nvarchar(64) NOT NULL; Deleted tinyint NULL

GroupRule: RuleID int NOT NULL; RuleType tinyint NOT NULL (FK); RuleValue ntext NOT NULL; Description nvarchar(254) NULL; LastModifiedAt datetime NULL

GroupTypes: GroupTypeID int NOT NULL; Name nvarchar(64) NULL (AK1.1); Descr nvarchar(255) NULL


Auditing and Diagnostics Schema

Schema The following diagram displays the Auditing and Diagnostics schema:

[Diagram not reproduced in this text extraction. Tables and columns recovered from the Auditing and Diagnostics schema diagram:]

AuditInfo: AuditInfoID INTEGER NOT NULL; AuditTrailID INTEGER NULL (FK); ParamName nvarchar(100) NULL; ParamValue nvarchar(500) NULL; ParamDataType nvarchar(60) NULL; ParamDesignator nvarchar(10) NULL

AuditTrail: AuditTrailID INTEGER NOT NULL; AuditEventCMDID INTEGER NULL (FK); UserName nvarchar(75) NULL; AuditTime DATE NULL

AuditEventCMD: AuditEventCMDID INTEGER NOT NULL; EventDesc nvarchar(100) NULL

DBSubComponent: DBSubComponentID smallint NOT NULL; DBComponentID smallint NULL (FK); ProcName varchar(30) NULL; State tinyint NULL; StateDateTime DATE NULL; StateDescription varchar(100) NULL

DBComponent: DBComponentID smallint NOT NULL; Name varchar(30) NULL; State tinyint NULL; StateDescription varchar(100) NULL

ErrorMessage: ErrorNumber INTEGER NOT NULL; SeverityID smallint NULL (FK); MessageText nvarchar(300) NULL

Version: AttributeName nvarchar(40) NULL; AttributeValue nvarchar(100) NULL

ErrorSeverity: SeverityID smallint NOT NULL; Name nvarchar(20) NOT NULL; Description nvarchar(80) NULL; ReportToCaller tinyint NOT NULL; SQLSeverity char(2) NULL; LoggingLevel tinyint NULL

MessageLog: MessageLogID INTEGER NOT NULL; WhenOccurred DATE NOT NULL; SeverityID smallint NOT NULL (FK); ErrorNumber INTEGER NOT NULL; Message nvarchar(300) NULL; ProcedureName nvarchar(60) NULL; RelatesToErrorID INTEGER NULL

VersionUpdates: UpdateTag char(40) NULL; UpdateType tinyint NOT NULL; MajorVersion int NOT NULL; MinorVersion int NOT NULL; YearPointRelease int NOT NULL; BuildNumber int NOT NULL; UpdateCmdLine varchar(255) NULL; UpdateFile varchar(260) NULL; Deleted tinyint NOT NULL

UpdateStatus: UpdateStatusID int NOT NULL; Name varchar(100) NOT NULL; StartTime datetime NOT NULL; Status varchar(30) NULL; ActionJobID int NULL; TotalSteps int NULL

UpdateOperationStatus: UpdateOperationStatusID int NOT NULL; TargetName varchar(100) NOT NULL; Status varchar(30) NULL; UpdateStatusID int NULL (FK); Duration smalldatetime NULL; PctComplete smallint NULL

UpdateStepStatus: UpdateStepStatusID int NOT NULL; StepNbr int NULL; TaskName varchar(50) NULL; Description varchar(1000) NULL; PctComplete smallint NOT NULL; DBTime datetime NOT NULL; ComponentTime datetime NULL; Status varchar(30) NULL; UpdateOperationStatusID int NULL (FK)

MaintenanceLog: MaintenanceLogID bigint NOT NULL; WhenOccurred datetime NULL; Message nvarchar(1200) NULL; ProcedureName nvarchar(240) NULL

RSDBOptions: OptionName varchar(100) NOT NULL; ParamDesc varchar(50) NULL; Type varchar(16) NOT NULL; ParamValue nvarchar(100) NOT NULL; DefaultValue nvarchar(100) NOT NULL; LastModifiedBy nvarchar(60) NOT NULL; LastModifiedAt datetime NOT NULL; System_Usr nvarchar(60) NOT NULL

AnalysisLog: QueryID int NOT NULL; StartTime datetime NULL; Type char(1) NULL; SPID int NULL; Duration int NULL; UserID int NULL; SQLStmt text NULL; RPC text NULL; ErrorID int NULL


Command and Control Schema

Schema The following diagram displays the Command and Control schema:

[Diagram not reproduced in this text extraction. Tables and columns recovered from the Command and Control schema diagram:]

BinaryData: BinaryDataID int IDENTITY; BinaryDataType tinyint NULL (FK); Value image NULL; CheckSum int NULL (IE1.1); FileName nvarchar(255) NULL; LastModifiedAt datetime NULL; DeleteRefCount int NULL

Role: RoleID int NOT NULL; RoleName varchar(60) NOT NULL; ProductID int NULL (FK); ClassName varchar(255) NOT NULL (AK1.1); Namespace varchar(255) NULL; DefaultLoggingLevel tinyint NULL; DefaultStatus tinyint NULL; DefaultOptionFlags tinyint NULL; SupportsEC tinyint NOT NULL; SupportsGroupPolicy tinyint NOT NULL

Component: ComponentID int IDENTITY; RoleID int NULL (FK) (AK1.3); LastPushedPolicyID int NULL (FK); PropertyFileID int NULL (FK); HostID int NULL (FK) (AK1.1); Priority numeric NOT NULL; Status numeric NOT NULL; LastModifiedBy nvarchar(60) NULL; LastModifiedAt datetime NULL; Deleted numeric NOT NULL; EventSourcePort int NULL; EventPort int NULL; Version varchar(40) NULL; SensorName nvarchar(100) NULL (AK1.2); Policy nvarchar(434) NULL; Master varchar(30) NULL; AvailableXPU varchar(40) NULL; LastInstalledXPU varchar(40) NULL; LoggingLevel tinyint NULL; LicenseState smallint NULL; XPUState smallint NULL; StateDescription nvarchar(500) NULL; UnexpectedConfigChange tinyint NULL; ModifiedBySensorController tinyint NOT NULL; DaemonPort int NULL; EventLogOption tinyint NULL; SiteID int NULL (FK); LastPushedResponseID int NULL (FK); XPUDate datetime NULL; Response nvarchar(434) NULL; PolicyGroupID int NULL (FK); LastHeartBeat datetime NULL; GUID varchar(36) NULL (IE1.1); LicenseID int NULL (FK); PolicyChangedFlag tinyint NOT NULL; FCPEventPort int NULL; FCPEventSourcePort int NULL; ECStatus tinyint NULL; ECStateDescription nvarchar(500) NULL; OptionFlags int NULL; EventCollectorID int NULL (FK); AlertEventPort int NULL; AlertEventSourcePort int NULL

Groups: GroupID int IDENTITY (AK1.2); GroupName nvarchar(80) NOT NULL; GroupDesc nvarchar(255) NULL; RoleID int NULL (FK); ParentGroupID int NULL (AK1.1, IE1.1); GroupViewID int NULL (FK); Deleted tinyint NULL; SiteID int NULL (FK); GroupTypeID int NULL (FK); SPGroupID int NULL; RuleID int NULL (FK); GUID varchar(36) NULL

GroupHostLinks: GroupID int NOT NULL (FK); HostID int NOT NULL (FK)

Schedule: ScheduleID int IDENTITY; Description varchar(1000) NULL; Enabled numeric NOT NULL; FreqType numeric NOT NULL; FreqInterval numeric NOT NULL; FreqSubType numeric NULL; FreqSubInterval numeric NOT NULL; FreqRelativeInt numeric NOT NULL; FreqRecurFactor numeric NULL; ActiveStartDate numeric NULL; ActiveEndDate numeric NULL; ActiveStartTOD numeric NULL; ActiveEndTOD numeric NULL; NumSchedScans numeric NULL; Deleted numeric NOT NULL; TimeZone varchar(40) NULL

ActionJob: ActionJobID int IDENTITY; ActionDetailsID int NOT NULL (FK); ComponentID int NULL (FK); StartDateTime datetime NOT NULL; ActionState numeric NOT NULL; Result varchar(300) NULL; ActionJobInfo varchar(100) NULL; LastModifiedAt datetime NOT NULL

ActionDetails: ActionDetailsID int IDENTITY; ItemID int NULL; HostID int NULL (FK); ComponentID int NULL (FK); HostGroupID int NULL (IE1.1); ScheduleID int NULL (FK); ActionType numeric NOT NULL (IE2.1); RoleID int NULL (FK); ScheduledBy nvarchar(60) NOT NULL; LastModifiedBy nvarchar(60) NULL; LastModifiedAt datetime NULL; NextRunDate datetime NULL; Suspended numeric NOT NULL; Deleted numeric NOT NULL; ComponentGroupID int NULL (FK); Arguments ntext NULL; ControllerID int NULL

Policy: PolicyID int IDENTITY; Name nvarchar(150) NOT NULL; Description nvarchar(80) NULL; FileName nvarchar(255) NULL; Version varchar(100) NULL; RoleID int NULL (FK); BinaryDataID int NULL (FK); Deleted numeric NOT NULL; LastModifiedAt datetime NULL; LastModifiedBy nvarchar(60) NULL; ReadOnly tinyint NULL; EditorKey varchar(50) NOT NULL; Valid tinyint NOT NULL

Hosts: HostID int IDENTITY; HostIpAddress varchar(47) NULL; HostDNSName NVARCHAR(254) NULL; HostNBName NVARCHAR(16) NULL; HostNBDomain nvarchar(16) NULL; HostOSName nvarchar(64) NULL; HostOSVersion nvarchar(32) NULL; (remaining Hosts columns fall outside this section)

Ho

stO

SR

evis

ion

Le

ve

l: v

arc

ha

r(3

2)

NU

LL

Ho

stO

wn

er:

nva

rch

ar(

50

) N

UL

L

Da

teH

ostA

dd

ed

: d

ate

tim

e N

OT

NU

LL

GU

ID:

va

rch

ar(

36

) N

UL

L

Ho

stI

PN

br:

nu

me

ric(1

0)

NO

T N

UL

L (

IE1

.1)

Ma

cA

dd

ress:

ch

ar(

17

) N

UL

L

Da

teH

ostU

pd

ate

d:

da

tetim

e N

OT

NU

LL

(IE

1.2

)

OS

Gro

up

ID:

int

NU

LL

(F

K)

ISS

ca

nD

ate

: d

ate

tim

e N

UL

L (

IE2

.1)

Sta

tNa

me

ID:

int

NU

LL

(IE

2.2

)

Pro

du

cts

Pro

du

ctI

D:

int

NO

T N

UL

L

Pro

dN

am

e:

nva

rch

ar(

40

) N

UL

L

Re

sp

on

se

Re

sp

on

se

ID:

int

IDE

NT

ITY

Na

me

: n

va

rch

ar(

15

0)

NO

T N

UL

L

De

scrip

tio

n:

nva

rch

ar(

80

) N

UL

L

File

Na

me

: n

va

rch

ar(

25

5)

NU

LL

Ve

rsio

n:

va

rch

ar(

10

0)

NU

LL

Ro

leID

: in

t N

UL

L (

FK

)

Bin

ary

Da

taID

: in

t N

UL

L (

FK

)

De

lete

d:

nu

me

ric N

OT

NU

LL

La

stM

od

ifie

dA

t: d

ate

tim

e N

UL

L

La

stM

od

ifie

dB

y:

nva

rch

ar(

60

) N

UL

L

Re

ad

On

ly:

tin

yin

t N

UL

L

Ed

ito

rKe

y:

va

rch

ar(

50

) N

OT

NU

LL

Va

lid:

tin

yin

t N

OT

NU

LL

Lic

en

se

Lic

en

se

ID:

int

IDE

NT

ITY

Na

me

: n

va

rch

ar(

50

) N

UL

L

Bin

ary

Da

taID

: in

t N

UL

L (

FK

)

Fe

atu

res:

nva

rch

ar(

50

) N

UL

L

Fe

atu

reD

escrip

tio

n:

nva

rch

ar(

10

0)

NU

LL

De

vic

eC

ou

nt:

in

t N

UL

L

Ma

inte

na

nce

Da

te:

va

rch

ar(

40

) N

UL

L

Exp

ire

Da

te:

va

rch

ar(

40

) N

UL

L

Sta

te:

tin

yin

t N

UL

L

Sta

teD

escrip

tio

n:

va

rch

ar(

51

2)

NU

LL

Lic

en

se

Typ

e:

tin

yin

t N

OT

NU

LL

Ke

yS

trin

g:

va

rch

ar(

50

) N

UL

L

Sta

tNa

me

ID:

int

NU

LL

(F

K)

Lic

Co

nta

ctI

nfo

GU

ID:

nva

rch

ar(

40

) N

UL

L (

FK

)

Lic

GU

ID:

nva

rch

ar(

40

) N

UL

L

De

scrip

tio

n:

nva

rch

ar(

10

0)

NU

LL

Ne

wL

ice

nse

ID:

int

NU

LL

(F

K)

Site

s Site

ID:

int

IDE

NT

ITY

(2,1

)

Na

me

: n

va

rch

ar(

60

) N

OT

NU

LL

De

scr:

nva

rch

ar(

25

5)

NU

LL

IpA

dd

ress:

va

rch

ar(

47

) N

OT

NU

LL

Po

rt:

int

NO

T N

UL

L

La

stD

ata

Lo

ad

At:

da

tetim

e N

UL

L

De

lete

d:

tin

yin

t N

UL

L

GU

ID:

va

rch

ar(

51

2)

NU

LL

Jo

bT

yp

es

Jo

bT

yp

eID

: in

t ID

EN

TIT

Y

De

scr:

va

rch

ar(

80

) N

OT

NU

LL

Ta

sks Ta

skID

: in

t ID

EN

TIT

Y

Jo

bT

yp

eID

: in

t N

OT

NU

LL

(F

K)

Na

me

: va

rch

ar(

60

) N

UL

L

De

scr:

va

rch

ar(

25

5)

NU

LL

Lo

ad

Ta

ble

Na

me

: va

rch

ar(

60

) N

UL

L

Lo

ad

Sto

red

Pro

cN

am

e:

va

rch

ar(

60

) N

UL

L

Fo

rma

tFile

: te

xt

NO

T N

UL

L

Lo

ad

SQ

LS

tate

me

nt:

va

rch

ar(

40

00

) N

UL

L

Bin

ary

Da

taT

yp

e

Bin

ary

Da

taT

yp

e:

tin

yin

t N

OT

NU

LL

Bin

ary

Da

taT

yp

eD

esc:

nva

rch

ar(

60

) N

OT

NU

LL

De

skto

pA

ge

ntV

ers

ion

GU

ID:

va

rch

ar(

36

) N

OT

NU

LL

Ve

rsio

n:

va

rch

ar(

40

) N

OT

NU

LL

Re

ad

me

File

ID:

int

NU

LL

(F

K)

Ro

leID

: in

t N

UL

L (

FK

)

Po

licyV

ers

ion

Ro

leID

: in

t N

OT

NU

LL

(F

K)

Ve

rsio

n:

va

rch

ar(

10

0)

NO

T N

UL

L

Dis

pla

yV

ers

ion

: va

rch

ar(

10

0)

NU

LL

Re

sp

on

se

Ve

rsio

n

Ro

leID

: in

t N

OT

NU

LL

(F

K)

Ve

rsio

n:

va

rch

ar(

10

0)

NO

T N

UL

L

Dis

pla

yV

ers

ion

: va

rch

ar(

10

0)

NU

LL

Co

mp

on

en

tDo

cu

me

nt

Co

mp

on

en

tID

: in

t N

OT

NU

LL

(F

K)

Na

me

sp

ace

ID:

sm

alli

nt

NO

T N

UL

L (

FK

)

Bin

ary

Da

taID

: in

t N

OT

NU

LL

(F

K)

Ve

rsio

n:

va

rch

ar(

10

0)

NU

LL

En

ab

led

: b

it N

OT

NU

LL

Gro

up

Do

cu

me

nt

Gro

up

ID:

int

NO

T N

UL

L (

FK

)

Na

me

sp

ace

ID:

sm

alli

nt

NO

T N

UL

L (

FK

)

Ve

rsio

n:

va

rch

ar(

10

0)

NO

T N

UL

L

Bin

ary

Da

taID

: in

t N

OT

NU

LL

(F

K)

En

ab

led

: b

it N

OT

NU

LL

Re

po

rtIn

sta

nce

Re

po

rtIn

sta

nce

ID:

int

NO

T N

UL

L (

FK

)

Te

mp

late

File

Na

me

: n

va

rch

ar(

25

5)

NU

LL

(IE

1.2

)

Re

po

rtC

ate

go

ry:

nva

rch

ar(

25

5)

NU

LL

Re

po

rtN

am

e:

nva

rch

ar(

25

5)

NU

LL

Re

po

rtF

ileP

ath

: n

va

rch

ar(

10

00

) N

UL

L

Da

teC

rea

ted

: d

ate

tim

e N

OT

NU

LL

Use

rID

: in

t N

UL

L (

IE1

.3)

Sh

are

d:

tin

yin

t N

OT

NU

LL

Gro

up

ID:

int

NU

LL

(IE

1.1

)

Re

cu

rsio

n:

tin

yin

t N

OT

NU

LL

Arg

um

en

ts:

nte

xt

NU

LL

La

stM

od

ifie

dA

t: d

ate

tim

e N

OT

NU

LL

La

stM

od

ifie

dB

y:

nva

rch

ar(

25

5)

NU

LL


Grouping Schema

Schema The following diagram displays the Grouping schema:

SiteRange
  SiteRangeID: smallint NOT NULL
  StartIPNbr: numeric(10) NULL
  EndIPNbr: numeric(10) NULL
  Description: nvarchar(64) NULL
  Deleted: tinyint NOT NULL

Role
  RoleID: int NOT NULL
  RoleName: varchar(60) NOT NULL
  ProductID: int NULL (FK)
  ClassName: varchar(255) NOT NULL (AK1.1)
  Namespace: varchar(255) NULL
  DefaultLoggingLevel: tinyint NULL
  DefaultStatus: tinyint NULL
  DefaultOptionFlags: tinyint NULL
  SupportsEC: tinyint NOT NULL
  SupportsGroupPolicy: tinyint NOT NULL

Component
  ComponentID: int NOT NULL
  RoleID: int NULL (FK) (AK1.3)
  LastPushedPolicyID: int NULL (FK)
  PropertyFileID: INTEGER NULL (FK)
  HostID: int NULL (FK) (AK1.1)
  Priority: numeric NOT NULL
  Status: numeric NOT NULL
  LastModifiedBy: nvarchar(60) NULL
  LastModifiedAt: datetime NULL
  Deleted: numeric NOT NULL
  EventSourcePort: int NULL
  EventPort: int NULL
  Version: varchar(40) NULL
  SensorName: nvarchar(100) NULL (AK1.2)
  Policy: nvarchar(434) NULL
  Master: varchar(30) NULL
  AvailableXPU: varchar(40) NULL
  LastInstalledXPU: varchar(40) NULL
  LoggingLevel: tinyint NULL
  LicenseState: smallint NULL
  XPUState: smallint NULL
  StateDescription: nvarchar(500) NULL
  UnexpectedConfigChange: tinyint NULL
  ModifiedBySensorController: tinyint NOT NULL
  DaemonPort: int NULL
  EventLogOption: tinyint NULL
  SiteID: int NULL (FK)
  LastPushedResponseID: int NULL (FK)
  XPUDate: datetime NULL
  Response: nvarchar(434) NULL
  PolicyGroupID: int NULL (FK)
  LastHeartBeat: datetime NULL
  GUID: varchar(36) NULL (IE1.1)
  LicenseID: int NULL (FK)
  PolicyChangedFlag: tinyint NOT NULL
  FCPEventPort: int NULL
  FCPEventSourcePort: int NULL
  ECStatus: tinyint NULL
  ECStateDescription: nvarchar(500) NULL
  OptionFlags: int NULL
  EventCollectorID: int NULL (FK)
  AlertEventPort: int NULL
  AlertEventSourcePort: int NULL

GroupView
  GroupViewID: int NOT NULL (IE1.1)
  GroupViewName: nvarchar(64) NOT NULL
  Deleted: tinyint NULL

Groups
  GroupID: int NOT NULL (AK1.2)
  GroupName: nvarchar(80) NOT NULL
  GroupDesc: nvarchar(255) NULL
  RoleID: int NULL (FK)
  ParentGroupID: int NULL (AK1.1,IE1.1)
  GroupViewID: int NULL (FK)
  Deleted: tinyint NULL
  SiteID: int NULL (FK)
  GroupTypeID: int NULL (FK)
  SPGroupID: int NULL
  RuleID: int NULL (FK)
  GUID: varchar(36) NULL

GroupHostLinks
  GroupID: int NOT NULL (FK)
  HostID: int NOT NULL (FK)

Hosts
  HostID: int NOT NULL
  HostIpAddress: varchar(47) NULL
  HostDNSName: NVARCHAR(254) NULL
  HostNBName: NVARCHAR(16) NULL
  HostNBDomain: nvarchar(16) NULL
  HostOSName: nvarchar(64) NULL
  HostOSVersion: nvarchar(32) NULL
  HostOSRevisionLevel: varchar(32) NULL
  HostOwner: nvarchar(50) NULL
  DateHostAdded: datetime NOT NULL
  GUID: varchar(36) NULL
  HostIPNbr: numeric(10) NOT NULL (IE1.1)
  MacAddress: char(17) NULL
  DateHostUpdated: datetime NOT NULL (IE1.2)
  OSGroupID: int NULL (FK)
  ISScanDate: datetime NULL (IE2.1)
  StatNameID: int NULL (IE2.2)

Products
  ProductID: int NOT NULL
  ProdName: nvarchar(40) NULL

Sites
  SiteID: int NOT NULL
  Name: nvarchar(60) NOT NULL
  Descr: nvarchar(255) NULL
  IpAddress: varchar(47) NOT NULL
  Port: int NOT NULL
  LastDataLoadAt: datetime NULL
  Deleted: tinyint NULL

GroupTypes
  GroupTypeID: int NOT NULL
  Name: nvarchar(64) NULL (AK1.1)
  Descr: nvarchar(255) NULL

HostCounts
  CountDate: datetime NOT NULL
  GroupID: int NOT NULL (FK)
  HostCount: int NOT NULL

GroupsParentChild
  ParentID: int NULL (FK)
  ChildID: int NOT NULL (FK)

GroupRule
  RuleID: int NOT NULL
  RuleType: tinyint NOT NULL (FK)
  RuleValue: ntext NOT NULL
  Description: nvarchar(254) NULL
  LastModifiedAt: datetime NULL

GroupPolicy
  GroupID: int NOT NULL (FK)
  RoleID: int NOT NULL (FK)
  PolicyID: int NOT NULL (FK)

GroupRuleType
  RuleType: tinyint NOT NULL
  Description: nvarchar(60) NOT NULL

UnGroupedHosts
  HostID: int NOT NULL (FK)
  UnGroupedStatus: tinyint NULL (FK)
  UnGroupedDetails: nvarchar(254) NULL
  LastModifiedAt: datetime NULL

UnGroupedStatus
  UnGroupedStatus: tinyint NOT NULL
  UnGroupedStatusDesc: nvarchar(60) NULL


ITRSO Schema

Schema The following diagram displays the ITRSO schema:

RatingSet
  RatingID: int NOT NULL (FK)
  RatingAttributeID: int NOT NULL (FK)
  RatingOrder: int NOT NULL

RatingAttribute
  RatingAttributeID: int NOT NULL
  RatingAttributeCodeID: int NOT NULL (FK)
  AttributeValue: varchar(80) NULL

RatingAttributeCode
  RatingAttributeCodeID: int NOT NULL
  AttributeName: nvarchar(80) NOT NULL

CheckProducts
  CheckProductID: int NOT NULL
  SecChkID: int NOT NULL (FK)
  ProdVerID: int NOT NULL (FK)
  Comment: varchar(4000) NULL
  FalseNegative: ntext NULL
  FalsePositive: ntext NULL
  ProductCheckName: varchar(120) NULL
  AlgorithmID: int NULL (FK)
  VulnStatus: bit NULL

AlgorithmRating
  AlgorithmID: int NOT NULL (FK)
  RatingID: int NOT NULL (FK)

Algorithm
  AlgorithmID: int NOT NULL
  AlgorithmNum: int NOT NULL
  NameSpace: char(10) NULL

Rating
  RatingID: int NOT NULL

CorrelationInfoRS
  CheckProductID: int NOT NULL (FK)
  ScannerProductID: int NOT NULL (FK)
  RoleNumber: int NOT NULL

SecurityChecks
  SecChkID: int NOT NULL
  TagName: varchar(60) NOT NULL
  ChkName: varchar(40) NOT NULL
  ChkBriefDesc: NVARCHAR(255) NULL
  ChkDetailDesc: ntext NULL
  ChkDateReported: datetime NULL
  ChkDateEntered: datetime NULL
  ChkDateChanged: datetime NULL
  ItemAffected: nvarchar(255) NULL
  Discoverer: nvarchar(255) NULL
  ConseqName: varchar(20) NULL
  ConseqBriefDesc: nvarchar(255) NULL
  ConseqDetailDesc: ntext NULL
  Obsolete: bit NOT NULL
  ReplacedBy: int NULL
  VulnStatus: bit NOT NULL

Metrics Schema

Schema The following diagram displays the Metrics schema:

Groups
  GroupID: int NOT NULL (AK1.2)
  GroupName: nvarchar(80) NOT NULL
  GroupDesc: nvarchar(255) NULL
  RoleID: int NULL (FK)
  ParentGroupID: int NULL (AK1.1,IE1.1)
  GroupViewID: int NULL (FK)
  Deleted: tinyint NULL
  SiteID: int NULL (FK)
  GroupTypeID: int NULL (FK)
  SPGroupID: int NULL
  RuleID: int NULL (FK)
  GUID: varchar(36) NULL

VulnStatus
  VulnStatus: tinyint NOT NULL
  VulnStatusDesc: nvarchar(60) NULL
  SortID: int NOT NULL

Severity
  SeverityID: tinyint NOT NULL
  SeverityDesc: nvarchar(10) NULL

Metrics
  GroupID: int NOT NULL (FK)
  SeverityID: tinyint NOT NULL (FK)
  MetricsTypeID: int NOT NULL (FK)
  DayID: int NOT NULL (FK)
  VulnStatus: tinyint NOT NULL (FK)
  SecChkID: int NULL
  Counts: INTEGER NOT NULL

MetricsDay
  DayID: int NOT NULL
  CurrentDate: datetime NOT NULL (AK1.1)
  DayNbr: smallint NOT NULL
  DayOfWeek: nvarchar(20) NOT NULL
  Month: smallint NOT NULL
  Quarter: smallint NOT NULL
  Year: smallint NOT NULL
  WeekEndFlag: smallint NOT NULL

MetricsType
  MetricsTypeID: int NOT NULL
  Descr: nvarchar(30) NULL

HostCounts
  CountDate: datetime NOT NULL
  GroupID: int NOT NULL (FK)
  HostCount: int NOT NULL

RejectMetrics
  SiteID: INTEGER NULL
  SPGroupID: int NOT NULL
  SecChkID: int NOT NULL
  SeverityID: int NOT NULL
  MetricsTypeID: int NOT NULL
  MetricsDay: datetime NOT NULL
  VulnStatus: int NOT NULL
  Counts: int NOT NULL


Sensor Data Schema

Schema The following diagram displays the Sensor Data schema:

SensorData
  SensorDataID: bigint NOT NULL
  AlertDataID: int NOT NULL
  AlertFormatVersion: int NULL
  AlertNameType: int NULL
  AlertName: nvarchar(60) NULL
  AlertDateTime: datetime NULL (IE8.2)
  LocalTimezoneOffset: int NULL
  AlertTimePrecision: int NULL
  AlertTimeSeqID: int NULL
  AlertID: char(26) NULL
  SensorAddress: varchar(60) NULL
  SensorName: nvarchar(100) NULL
  ProductID: int NULL
  AlertTypeID: int NULL
  AlertPriority: int NULL
  AlertFlags: int NULL
  SensorAddressInt: numeric(10) NULL
  SrcAddressName: VARCHAR(60) NULL
  SrcAddressInt: numeric(10) NULL
  DestAddressName: VARCHAR(60) NULL
  DestAddressInt: numeric(10) NULL
  ProtocolID: INTEGER NULL
  SourcePort: int NULL
  ObjectName: nvarchar(2000) NULL
  ObjectType: tinyint NULL
  SourcePortName: nvarchar(60) NULL
  DestPortName: nvarchar(60) NULL
  AttackSuccessful: tinyint NULL
  AttackFragmented: tinyint NULL
  AttackOrigin: nvarchar(60) NULL
  ResourceID: int NULL
  ResourceSubID: varchar(60) NULL
  Application: nvarchar(60) NULL
  UserName: nvarchar(60) NULL
  ProcessingFlag: int NULL (IE7.1)
  Cleared: char(1) NULL (IE8.3)
  HostGUID: varchar(36) NULL
  StartTime: DATE NULL
  StopTime: DATE NULL
  HostDNSName: nvarchar(254) NULL
  HostNBName: nvarchar(20) NULL
  HostNBDomain: nvarchar(255) NULL
  HostOSName: nvarchar(64) NULL
  HostOSVersion: nvarchar(32) NULL
  HostOSRevisionLevel: varchar(32) NULL
  VulnStatus: tinyint NULL
  AlertCount: INTEGER NOT NULL
  ObservanceID: bigint NULL (IE8.1)
  OSGroupID: int NULL
  ComponentID: int NULL
  SensorGUID: varchar(36) NULL
  LicModule: varchar(100) NULL

SensorDataUpdates
  SensorDataID: bigint NOT NULL (FK)
  AlertUpdateName: nvarchar(50) NULL
  AlertUpdateOrder: int NULL
  AlertUpdateDataType: varchar(30) NULL
  AlertUpdateValue: nvarchar(2000) NULL
  AlertUpdateBlob: TEXT NULL
  AlertUpdateSection: INTEGER NULL

SensorDataAVP
  SensorDataID: bigint NOT NULL (FK)
  AttributeName: nvarchar(50) NULL
  AttributeOrder: int NULL
  AttributeDataType: varchar(30) NULL
  AttributeValue: nvarchar(2000) NULL
  AttributeBlob: TEXT NULL
  AttributeSection: INTEGER NULL

SensorDataResponse
  SensorDataID: bigint NOT NULL (FK)
  ResponseTypeName: varchar(32) NULL
  ResponseName: nvarchar(32) NULL
  Status: tinyint NULL

AlertType
  AlertTypeID: INTEGER NOT NULL
  AlertTypeName: varchar(30) NULL
  ObservanceType: tinyint NULL
  AlertCategoryID: INTEGER NULL (FK)
  Description: varchar(80) NULL

AlertCategory
  AlertCategoryID: int NOT NULL
  AlertCategoryName: varchar(20) NULL
  Description: varchar(80) NULL

AlertTypeView
  AlertTypeID: AlertType.AlertTypeID: INTEGER NOT NULL
  ObservanceType: AlertType.ObservanceType: tinyint NULL
  ObservanceTypeDesc: ObservanceType.ObservanceTypeDesc: nvarchar(30) NULL

wrk_SensorData
  SensorDataID: bigint NOT NULL
  SecChkID: INTEGER NULL
  AlertName: nvarchar(60) NULL
  AlertNameType: INTEGER NULL
  AlertTypeID: INTEGER NULL
  ProductID: int NULL
  AlertDateTime: DATE NULL
  AlertPriority: INTEGER NULL
  SrcAddressName: varchar(60) NULL
  SrcAddressInt: numeric(10) NULL
  DestAddressName: varchar(60) NULL
  DestAddressInt: numeric(10) NULL
  SensorAddress: varchar(100) NULL
  SensorName: nvarchar(100) NULL
  SensorAddressInt: numeric(10) NULL
  ProcessingFlag: INTEGER NULL
  ObjectID: int NULL
  SourcePort: INTEGER NULL
  DestPortName: nvarchar(60) NULL
  HostDNSName: nvarchar(254) NULL
  HostNBDomain: nvarchar(255) NULL
  HostNBName: nvarchar(20) NULL
  HostOSName: nvarchar(64) NULL
  HostOSVersion: nvarchar(32) NULL
  HostGUID: varchar(36) NULL
  SrcHostID: int NULL
  DstHostID: int NULL
  ComponentID: INTEGER NULL
  Cleared: char(1) NULL
  VulnStatus: tinyint NULL
  RejectReason: varchar(200) NULL
  AlertCount: INTEGER NULL
  ObjectType: tinyint NULL
  ObjectName: nvarchar(200) NULL
  AlertFlags: int NULL
  ObservanceID: bigint NULL
  OSGroupID: int NULL
  SensorGUID: varchar(36) NULL
  LicModule: varchar(100) NULL

stg_SensorData
  SensorDataID: bigint NOT NULL
  AlertDataID: int NULL
  WorkingSetNbr: tinyint NULL

Site Analysis Schema

Schema The following diagram displays the Site Analysis schema:

VulnStatus
  VulnStatus: tinyint NOT NULL
  VulnStatusDesc: nvarchar(60) NULL
  SortID: int NOT NULL

SensorHost
  SensorID: Component.ComponentID: int NOT NULL
  SensorHostID: Hosts.HostID: int NOT NULL
  SensorIPAddress: Hosts.HostIPNbr: numeric(10) NOT NULL
  SensorDNSName: Hosts.HostDNSName: NVARCHAR(254) NULL
  SensorOSName: Hosts.HostOSName: nvarchar(64) NULL
  SensorName: Component.SensorName: nvarchar(100) NULL

ObservanceType
  ObservanceType: tinyint NOT NULL
  ObservanceTypeDesc: nvarchar(30) NULL

Severity
  SeverityID: tinyint NOT NULL
  SeverityDesc: nvarchar(10) NULL

Observances
  ObservanceID: bigint NOT NULL
  ObservanceTime: datetime NOT NULL (IE10.1,IE8.1,IE9.1)
  SecChkID: INTEGER NULL (FK) (IE9.4)
  SensorID: int NOT NULL (IE4.1,IE9.5)
  SourceID: int NOT NULL (IE10.3,IE6.1,IE9.3)
  TargetID: int NOT NULL (IE10.2,IE5.1,IE9.2)
  ObservanceCount: int NULL
  ObjectID: int NULL (FK) (IE9.6)
  SeverityID: tinyint NULL (FK) (IE9.7)
  ClearedCount: INTEGER NULL
  VulnStatus: tinyint NULL (FK) (IE9.9)
  ObservanceType: tinyint NULL (FK) (IE9.8)
  LastModifiedAt: datetime NULL (IE11.1)

ObservanceColumn
  DisplayName: varchar(100) NOT NULL
  QualifiedColName: varchar(100) NULL
  TableName: varchar(100) NULL
  ColName: varchar(100) NULL
  PK_ColName: varchar(100) NULL
  FK_ColName: varchar(100) NULL
  FK_TableName: varchar(100) NULL
  ColType: char(1) NULL
  JoinType: varchar(15) NULL
  FilterColName: varchar(100) NULL
  IndexHint: varchar(100) NULL
  UniqueToDimension: tinyint NULL

Component
  ComponentID: int NOT NULL
  RoleID: int NULL (FK) (AK1.3)
  LastPushedPolicyID: int NULL (FK)
  PropertyFileID: INTEGER NULL (FK)
  HostID: int NULL (FK) (AK1.1)
  Priority: numeric NOT NULL
  Status: numeric NOT NULL
  LastModifiedBy: nvarchar(60) NULL
  LastModifiedAt: datetime NULL
  Deleted: numeric NOT NULL
  EventSourcePort: int NULL
  EventPort: int NULL
  Version: varchar(40) NULL
  SensorName: nvarchar(100) NULL (AK1.2)
  Policy: nvarchar(434) NULL
  Master: varchar(30) NULL
  AvailableXPU: varchar(40) NULL
  LastInstalledXPU: varchar(40) NULL
  LoggingLevel: tinyint NULL
  LicenseState: smallint NULL
  XPUState: smallint NULL
  StateDescription: nvarchar(500) NULL
  UnexpectedConfigChange: tinyint NULL
  ModifiedBySensorController: tinyint NOT NULL
  DaemonPort: int NULL
  EventLogOption: tinyint NULL
  SiteID: int NULL (FK)
  LastPushedResponseID: int NULL (FK)
  XPUDate: datetime NULL
  Response: nvarchar(434) NULL
  PolicyGroupID: int NULL (FK)
  LastHeartBeat: datetime NULL
  GUID: varchar(36) NULL (IE1.1)
  LicenseID: int NULL (FK)
  PolicyChangedFlag: tinyint NOT NULL
  FCPEventPort: int NULL
  FCPEventSourcePort: int NULL
  ECStatus: tinyint NULL
  ECStateDescription: nvarchar(500) NULL
  OptionFlags: int NULL
  EventCollectorID: int NULL (FK)
  AlertEventPort: int NULL
  AlertEventSourcePort: int NULL

SecurityChecks
  SecChkID: int NOT NULL
  TagName: varchar(60) NOT NULL (AK1.1)
  ChkName: varchar(40) NOT NULL
  ChkBriefDesc: NVARCHAR(255) NULL
  ChkDetailDesc: ntext NULL
  ChkDateReported: datetime NULL
  ChkDateEntered: datetime NULL
  ChkDateChanged: datetime NULL
  ItemAffected: nvarchar(255) NULL
  Discoverer: nvarchar(255) NULL
  ConseqName: varchar(20) NULL
  ConseqBriefDesc: nvarchar(255) NULL
  ConseqDetailDesc: ntext NULL
  Obsolete: bit NOT NULL
  ReplacedBy: int NULL
  VulnStatus: bit NOT NULL

Hosts
  HostID: int NOT NULL
  HostIpAddress: varchar(47) NULL
  HostDNSName: NVARCHAR(254) NULL
  HostNBName: NVARCHAR(16) NULL
  HostNBDomain: nvarchar(16) NULL
  HostOSName: nvarchar(64) NULL
  HostOSVersion: nvarchar(32) NULL
  HostOSRevisionLevel: varchar(32) NULL
  HostOwner: nvarchar(50) NULL
  DateHostAdded: datetime NOT NULL
  GUID: varchar(36) NULL
  HostIPNbr: numeric(10) NOT NULL (IE1.1)
  MacAddress: char(17) NULL
  DateHostUpdated: datetime NOT NULL (IE1.2)
  OSGroupID: int NULL (FK)
  ISScanDate: datetime NULL (IE2.1)
  StatNameID: int NULL (IE2.2)

SourceHost
  SourceID: <Hosts.HostID>
  SourceIpAddress: <Hosts.HostIpNbr>
  SourceDNSName: <Hosts.HostDNSName>
  SourceOSName: <Hosts.HostOSName>

TargetHost
  TargetID: <Hosts.HostID>
  TargetIpAddress: <Hosts.HostIpNbr>
  TargetDNSName: <Hosts.HostDNSName>
  TargetOSName: <Hosts.HostOSName>
  TargetIPDisplay: Hosts.HostIpAddress: varchar(47) NULL
  TargetOSRevisionLevel: Hosts.HostOSRevisionLevel: varchar(32) NULL
  TargetNBName: Hosts.HostNBName: NVARCHAR(16) NULL

SiteFilters
  SiteFilterID: int NOT NULL
  SiteFilterTypeID: int NULL (FK)
  SiteFilterName: nvarchar(60) NULL
  SiteFilterDesc: ntext NULL
  FusionIgnoreFlag: bit NOT NULL
  Deleted: tinyint NULL
  CreatedBy: varchar(60) NULL
  DateModified: datetime NULL

ObservanceSiteFilters
  ObservanceID: bigint NOT NULL (IE1.1)
  SiteFilterRuleID: int NOT NULL (FK)
  SiteFilterID: int NOT NULL (FK)

ObservanceSiteFiltersView
  ObservanceID: ObservanceSiteFilters.ObservanceID: bigint NOT NULL
  SiteFilterID: ObservanceSiteFilters.SiteFilterID: int NOT NULL
  SiteFilterType: SiteFilterType.SiteFilterType: char(2) NOT NULL
  SiteFilterName: SiteFilters.SiteFilterName: nvarchar(60) NULL
  SiteFilterDesc: <convert(varchar(4000...>
  CreatedBy: SiteFilters.CreatedBy: varchar(60) NULL

SiteFilterType
  SiteFilterTypeID: int NOT NULL
  SiteFilterType: char(2) NOT NULL (AK1.1)
  SiteFilterName: nvarchar(80) NOT NULL

ObjectType
  ObjectType: tinyint NOT NULL
  ObjectTypeDesc: nvarchar(30) NOT NULL

Object
  ObjectID: int NOT NULL
  ObjectType: tinyint NOT NULL (FK) (IE2.2)
  ObjectName: nvarchar(200) NOT NULL (IE1.1,IE2.1)

ObjectView
  ObjectID: Object.ObjectID: int NOT NULL
  ObjectType: Object.ObjectType: tinyint NOT NULL
  ObjectName: Object.ObjectName: nvarchar(200) NOT NULL
  ObjectTypeDesc: ObjectType.ObjectTypeDesc: nvarchar(30) NOT NULL

LastVulnStatus
  VulnStatusDesc: VulnStatus.VulnStatusDesc: nvarchar(60) NULL
  VulnStatus: VulnStatus.VulnStatus: tinyint NOT NULL

SiteFilterRules
  SiteFilterRuleID: int NOT NULL
  SiteFilterID: int NOT NULL (FK)
  SiteFilterStartDate: datetime NULL
  SiteFilterEndDate: datetime NULL
  BeginSrcAddressInt: numeric(10,0) NULL (IE1.1)
  EndSrcAddressInt: numeric(10,0) NULL (IE2.1)
  BeginDestAddressInt: numeric(10,0) NULL (IE3.1)
  EndDestAddressInt: numeric(10,0) NULL (IE4.1)
  TagNameIn: varchar(900) NULL (IE5.1)
  TagNameLike: varchar(60) NULL (IE6.1)
  TargetObjectNameLike: varchar(200) NULL (IE7.1)
  VulnStatusIn: varchar(900) NULL (IE8.1

)

Ta

rge

tOb

jectT

yp

e: tin

yin

t N

UL

L (

FK

)

Ob

se

rva

nce

Typ

e: tin

yin

t N

UL

L (

FK

)

87 Technical Reference Guide Version 2.0, SP4


Appendix A: Database Schema

Site Filters Schema

Schema The following diagram displays the Site Filters schema:

SiteFilterType
  SiteFilterTypeID: int
  SiteFilterType: char(2)
  SiteFilterName: nvarchar(80)

SiteFilters
  SiteFilterID: int
  SiteFilterTypeID: int (FK)
  SiteFilterName: nvarchar(60)
  SiteFilterDesc: ntext
  FusionIgnoreFlag: bit
  Deleted: tinyint
  CreatedBy: varchar(60)
  DateModified: datetime

Object
  ObjectID: int
  ObjectType: tinyint (FK)
  ObjectName: nvarchar(200)

ObjectType
  ObjectType: tinyint
  ObjectTypeDesc: nvarchar(30)

SiteFilterRules
  SiteFilterRuleID: int
  SiteFilterID: int (FK)
  SiteFilterStartDate: datetime
  SiteFilterEndDate: datetime
  BeginSrcAddressInt: numeric(10,0)
  EndSrcAddressInt: numeric(10,0)
  BeginDestAddressInt: numeric(10,0)
  EndDestAddressInt: numeric(10,0)
  TagNameIn: varchar(900)
  TagNameLike: varchar(60)
  TargetObjectNameLike: varchar(200)
  VulnStatusIn: varchar(900)
  TargetObjectType: tinyint (FK)
  ObservanceType: tinyint (FK)

ObservanceSiteFilters
  ObservanceID: bigint
  SiteFilterRuleID: int (FK)
  SiteFilterID: int (FK)

Observances
  ObservanceID: bigint
  ObservanceTime: datetime
  SecChkID: INTEGER (FK)
  SensorID: int
  SourceID: int
  TargetID: int
  ObservanceCount: int
  ObjectID: int (FK)
  SeverityID: tinyint (FK)
  ClearedCount: INTEGER
  VulnStatus: tinyint (FK)
  ObservanceType: tinyint (FK)
  LastModifiedAt: datetime

ObservanceSiteFiltersView
  ObservanceID: ObservanceSiteFilters.ObservanceID: bigint NOT NULL
  SiteFilterID: ObservanceSiteFilters.SiteFilterID: int NOT NULL
  SiteFilterType: SiteFilterType.SiteFilterType: char(2) NOT NULL
  SiteFilterName: SiteFilters.SiteFilterName: nvarchar(60) NULL
  SiteFilterDesc: <convert(varchar(4000...>
  CreatedBy: SiteFilters.CreatedBy: varchar(60) NULL

SiteFilterView
  SiteFilterID: SiteFilters.SiteFilterID: int NOT NULL
  SiteFilterRuleID: SiteFilterRules.SiteFilterRuleID: int NOT NULL
  SiteFilterTypeID: SiteFilters.SiteFilterTypeID: int NULL
  SiteFilterType: SiteFilterType.SiteFilterType: char(2) NOT NULL
  SiteFilterName: SiteFilters.SiteFilterName: nvarchar(60) NULL
  SiteFilterStartDate: SiteFilterRules.SiteFilterStartDate: datetime NULL
  SiteFilterEndDate: SiteFilterRules.SiteFilterEndDate: datetime NULL
  BeginSrcAddressInt: SiteFilterRules.BeginSrcAddressInt: numeric(10,0) NULL
  EndSrcAddressInt: SiteFilterRules.EndSrcAddressInt: numeric(10,0) NULL
  BeginDestAddressInt: SiteFilterRules.BeginDestAddressInt: numeric(10,0) NULL
  EndDestAddressInt: SiteFilterRules.EndDestAddressInt: numeric(10,0) NULL
  TagNameIn: SiteFilterRules.TagNameIn: varchar(900) NULL
  TagNameLike: SiteFilterRules.TagNameLike: varchar(60) NULL
  TargetObjectNameLike: SiteFilterRules.TargetObjectNameLike: varchar(200) NULL
  VulnStatusIn: SiteFilterRules.VulnStatusIn: varchar(900) NULL
  TargetObjectType: SiteFilterRules.TargetObjectType: tinyint NULL

88

Staging and Rejects Schema

Schema The following table displays the Staging and Rejects schema:

SensorDataRejected
  AlertDataID: bigint NOT NULL (IE1.1)
  AlertFormatVersion: int NULL
  AlertNameType: int NULL
  AlertName: nvarchar(60) NULL
  AlertDateTime: datetime NULL
  LocalTimezoneOffset: int NULL
  AlertTimePrecision: int NULL
  AlertTimeSeqID: int NULL
  AlertID: varchar(26) NULL
  SensorAddress: varchar(60) NULL
  SensorName: nvarchar(100) NULL
  ProductID: int NULL
  AlertTypeID: int NULL
  AlertPriority: int NULL
  AlertFlags: int NULL
  ProtocolID: int NULL
  SourcePort: int NULL
  SourcePortName: nvarchar(60) NULL
  DestPortName: nvarchar(60) NULL
  SrcAddressName: varchar(60) NULL
  SrcAddressInt: numeric(10) NULL
  DestAddressName: varchar(60) NULL
  DestAddressInt: numeric(10) NULL
  SensorAddressInt: numeric(10) NULL
  AttackSuccessful: tinyint NULL
  AttackFragmented: tinyint NULL
  AttackOrigin: nvarchar(60) NULL
  ResourceID: int NULL
  ResourceSubID: varchar(60) NULL
  Application: nvarchar(60) NULL
  UserName: nvarchar(60) NULL
  HostGUID: varchar(36) NULL
  StartTime: datetime NULL
  StopTime: datetime NULL
  HostDNSName: nvarchar(254) NULL
  HostNBName: nvarchar(20) NULL
  HostNBDomain: nvarchar(255) NULL
  HostOSName: nvarchar(64) NULL
  HostOSVersion: nvarchar(32) NULL
  HostOSRevisionLevel: varchar(32) NULL
  VulnStatus: tinyint NULL
  ProcessingFlag: smallint NULL
  SensorDataID: bigint NULL
  Cleared: char(1) NULL
  RejectReason: varchar(200) NULL
  AlertCount: INTEGER NULL
  ObjectType: tinyint NULL
  ObjectName: nvarchar(2000) NULL
  OSGroupID: int NULL
  ComponentID: int NULL
  SensorGUID: varchar(36) NULL

StgWorkingSet
  SetID: smallint NOT NULL
  EC_Host: varchar(60) NULL
  EC_GUID: varchar(60) NULL
  LastCount: int NULL
  RowsToLoad: int NULL
  Utilization: int NULL
  LoadDate: datetime NULL

stg_AlertUpdates
  AlertDataID: int NOT NULL
  AlertUpdateName: nvarchar(50) NULL
  AlertUpdateOrder: int NULL
  AlertUpdateDataType: varchar(30) NULL
  AlertUpdateValue: nvarchar(2000) NULL
  AlertUpdateBlob: text NULL
  AlertUpdateSection: INTEGER NULL

stg_AlertData
  AlertDataID: int NOT NULL
  AlertFormatVersion: int NULL
  AlertNameType: int NULL
  AlertName: nvarchar(60) NULL
  AlertDateTime: datetime NULL
  LocalTimezoneOffset: int NULL
  AlertTimePrecision: int NULL
  AlertTimeSeqID: int NULL
  AlertID: char(26) NULL
  SensorAddress: varchar(60) NULL
  SensorName: nvarchar(100) NULL
  ProductID: int NULL
  AlertTypeID: int NULL
  AlertPriority: int NULL
  AlertFlags: int NULL
  ProtocolID: int NULL
  SourcePort: int NULL
  ObjectName: nvarchar(2000) NULL
  SourcePortName: nvarchar(60) NULL
  DestPortName: nvarchar(60) NULL
  SrcAddressName: varchar(60) NULL
  SrcAddressInt: numeric(10) NULL
  DestAddressName: varchar(60) NULL
  DestAddressInt: numeric(10) NULL
  SensorAddressInt: numeric(10) NULL
  AttackSuccessful: tinyint NULL
  AttackFragmented: tinyint NULL
  AttackOrigin: nvarchar(60) NULL
  ResourceID: int NULL
  ResourceSubID: varchar(60) NULL
  Application: nvarchar(60) NULL
  UserName: nvarchar(60) NULL
  HostGUID: varchar(36) NULL
  StartTime: DATE NULL
  StopTime: DATE NULL
  HostDNSName: nvarchar(254) NULL
  HostNBName: nvarchar(20) NULL
  HostNBDomain: nvarchar(255) NULL
  HostOSName: nvarchar(64) NULL
  HostOSVersion: nvarchar(32) NULL
  HostOSRevisionLevel: varchar(32) NULL
  VulnStatus: tinyint NULL
  ProcessingFlag: smallint NULL
  SensorDataID: int NULL
  Cleared: char(1) NULL
  AlertCount: int NULL
  ObjectType: tinyint NULL
  OSGroupID: int NULL

stg_AlertAVP
  AlertDataID: int NOT NULL
  AttributeName: nvarchar(50) NULL
  AttributeOrder: int NULL
  AttributeDataType: varchar(30) NULL
  AttributeValue: nvarchar(2000) NULL
  AttributeBlob: TEXT NULL
  AttributeSection: INTEGER NULL

stg_AlertResponse
  AlertDataID: int NOT NULL
  ResponseTypeName: varchar(32) NULL
  ResponseName: nvarchar(32) NULL
  Status: tinyint NULL

SDAVPRejected
  AlertDataID: bigint NOT NULL (IE1.1)
  AlertID: varchar(26) NULL
  AttributeName: nvarchar(50) NULL
  AttributeOrder: int NULL
  AttributeDataType: varchar(30) NULL
  AttributeValue: nvarchar(2000) NULL
  AttributeBlob: TEXT NULL
  AttributeSection: INTEGER NULL

SDUpdatesRejected
  AlertDataID: bigint NOT NULL (IE1.1)
  AlertID: varchar(26) NULL
  AlertUpdateName: nvarchar(50) NULL
  AlertUpdateOrder: int NULL
  AlertUpdateDataType: varchar(30) NULL
  AlertUpdateValue: nvarchar(2000) NULL
  AlertUpdateBlob: text NULL
  AlertUpdateSection: INTEGER NULL

SDResponseRejected
  AlertDataID: bigint NOT NULL (IE1.1)
  AlertID: varchar(26) NULL
  ResponseTypeName: varchar(32) NULL
  ResponseName: nvarchar(32) NULL
  Status: tinyint NULL

RejectMetrics
  SiteID: INTEGER NULL
  SPGroupID: int NOT NULL
  SecChkID: int NOT NULL
  SeverityID: int NOT NULL
  MetricsTypeID: int NOT NULL
  MetricsDay: datetime NOT NULL
  VulnStatus: int NOT NULL
  Counts: int NOT NULL

wrk_SensorData
  SensorDataID: bigint NOT NULL
  SecChkID: INTEGER NULL
  AlertName: nvarchar(60) NULL
  AlertNameType: INTEGER NULL
  AlertTypeID: INTEGER NULL
  ProductID: int NULL
  AlertDateTime: DATE NULL
  AlertPriority: INTEGER NULL
  SrcAddressName: varchar(60) NULL
  SrcAddressInt: numeric(10) NULL
  DestAddressName: varchar(60) NULL
  DestAddressInt: numeric(10) NULL
  SensorAddress: varchar(100) NULL
  SensorName: nvarchar(100) NULL
  SensorAddressInt: numeric(10) NULL
  ProcessingFlag: INTEGER NULL
  ObjectID: int NULL
  SourcePort: INTEGER NULL
  DestPortName: nvarchar(60) NULL
  HostDNSName: nvarchar(254) NULL
  HostNBDomain: nvarchar(255) NULL
  HostNBName: nvarchar(20) NULL
  HostOSName: nvarchar(64) NULL
  HostOSVersion: nvarchar(32) NULL
  HostGUID: varchar(36) NULL
  SrcHostID: int NULL
  DstHostID: int NULL
  ComponentID: INTEGER NULL
  Cleared: char(1) NULL
  VulnStatus: tinyint NULL
  RejectReason: varchar(200) NULL
  AlertCount: INTEGER NULL
  ObjectType: tinyint NULL
  ObjectName: nvarchar(200) NULL
  AlertFlags: int NULL
  ObservanceID: bigint NULL
  OSGroupID: int NULL
  SensorGUID: varchar(36) NULL
  LicModule: varchar(100) NULL

stg_SensorData
  SensorDataID: bigint NOT NULL
  AlertDataID: int NULL
  WorkingSetNbr: tinyint NULL

wrk_Observances
  ObsID: bigint NULL
  ObsTime: datetime NULL
  ObsType: tinyint NULL
  ObsSecChkID: int NULL
  ObsSeverityID: tinyint NULL
  ObsSensorID: int NULL
  ObsSourceID: int NULL
  ObsTargetID: int NULL
  ObsObjectID: int NULL
  ObsVulnStatus: tinyint NULL
  Action: char(1) NULL
  ObsCount: int NULL
  ObsClearedCount: int NULL

89


Statistics Schema

Schema The following diagram displays the Statistics schema:

StatCategory
  StatCategoryID: int NOT NULL
  Name: nvarchar(200) NOT NULL

StatName
  StatNameID: int NOT NULL
  LMName: nvarchar(200) NOT NULL
  DisplayName: nvarchar(200) NOT NULL

StatCatAtt
  StatAttributeID: int NOT NULL (FK)
  StatCategoryID: int NOT NULL (FK)

Statistic
  StatCategoryID: int NOT NULL (FK)
  StatNameID: int NOT NULL (FK)
  StatAttributeID: int NOT NULL (FK)
  DateUpdated: datetime NULL
  Value: nvarchar(2000) NULL
  SiteID: int NULL

StatAttribute
  StatAttributeID: int NOT NULL
  DataType: varchar(20) NOT NULL
  Name: nvarchar(200) NOT NULL

License
  LicenseID: int NOT NULL
  Name: nvarchar(50) NULL
  BinaryDataID: INTEGER NULL (FK)
  Features: nvarchar(50) NULL
  FeatureDescription: nvarchar(100) NULL
  DeviceCount: int NULL
  MaintenanceDate: varchar(40) NULL
  ExpireDate: varchar(40) NULL
  State: tinyint NULL
  StateDescription: varchar(512) NULL
  LicenseType: tinyint NOT NULL
  KeyString: varchar(50) NULL
  StatNameID: int NULL (FK)
  LicContactInfoGUID: nvarchar(40) NULL (FK)
  LicGUID: nvarchar(40) NULL
  Description: nvarchar(100) NULL
  NewLicenseID: int NULL (FK)

LicContactInfo
  LicContactInfoGUID: nvarchar(40) NOT NULL
  SubjectName: nvarchar(255) NOT NULL
  Title: nvarchar(100) NULL
  CompanyName: nvarchar(255) NULL
  Address1: nvarchar(255) NULL
  Address2: nvarchar(255) NULL
  City: nvarchar(100) NULL
  State: nvarchar(50) NULL
  PostCode: nvarchar(40) NULL
  Country: nvarchar(60) NULL
  Email: nvarchar(255) NULL
  AdditionalInfo: nvarchar(255) NULL

LicConsqMessage
  StatNameID: int NOT NULL
  Phase: int NOT NULL
  Mode: char(10) NOT NULL
  Message: ntext NULL

Hosts
  HostID: int NOT NULL
  HostIpAddress: varchar(47) NULL
  HostDNSName: NVARCHAR(254) NULL
  HostNBName: NVARCHAR(16) NULL
  HostNBDomain: nvarchar(16) NULL
  HostOSName: nvarchar(64) NULL
  HostOSVersion: nvarchar(32) NULL
  HostOSRevisionLevel: varchar(32) NULL
  HostOwner: nvarchar(50) NULL
  DateHostAdded: datetime NOT NULL
  GUID: varchar(36) NULL
  HostIPNbr: numeric(10) NOT NULL
  MacAddress: char(17) NULL
  DateHostUpdated: datetime NOT NULL
  OSGroupID: int NULL (FK)
  ISScanDate: datetime NULL
  StatNameID: int NULL

90

X-Force Schema

Schema The following diagram displays the X-Force schema:

Protocols
  ProtocolID: int NOT NULL
  ProtocolName: varchar(40) NOT NULL
  ProtocolDesc: varchar(255) NULL

Services
  ServiceID: int NOT NULL
  ServiceName: nvarchar(64) NOT NULL (AK1.1)
  ServiceProtocol: varchar(20) NOT NULL (AK1.2)
  ServRFCPort: int NULL (AK1.3)
  ServBriefDesc: nvarchar(255) NULL

CheckServices
  SecChkID: int NOT NULL (FK)
  ServiceID: int NOT NULL (FK)

PlatformTypes
  PlatformTypeID: int NOT NULL
  PlatformTypeName: varchar(50) NULL (AK1.1)
  PlatformTypeDesc: nvarchar(255) NULL

Platforms
  PlatformID: int NOT NULL
  PlatformName: varchar(40) NOT NULL (IE1.1)
  PlatformVersion: varchar(20) NULL
  PlatformMfg: varchar(50) NULL
  PlatformTypeID: int NULL (FK)
  ReleaseDate: datetime NULL

CheckPlatforms
  SecChkID: int NOT NULL (FK)
  PlatformID: int NOT NULL (FK)
  ChkPlatformComment: nvarchar(255) NULL
  FmtRemedyDesc: ntext NULL
  RemedyDesc: ntext NULL

CheckCategories
  SecChkID: int NOT NULL (FK)
  CategoryID: int NOT NULL (FK)

CategoryGroup
  CatGroupID: int NOT NULL
  CatGroupName: varchar(40) NULL (AK1.1)
  CatGroupDesc: ntext NULL

Categories
  CategoryID: int NOT NULL
  CatGroupID: int NOT NULL (FK)
  CategoryName: varchar(40) NULL
  CategoryDesc: ntext NULL

SecurityChecks
  SecChkID: int NOT NULL
  TagName: varchar(60) NOT NULL (AK1.1)
  ChkName: varchar(40) NOT NULL
  ChkBriefDesc: NVARCHAR(255) NULL
  ChkDetailDesc: ntext NULL
  ChkDateReported: datetime NULL
  ChkDateEntered: datetime NULL
  ChkDateChanged: datetime NULL
  ItemAffected: nvarchar(255) NULL
  Discoverer: nvarchar(255) NULL
  ConseqName: varchar(20) NULL
  ConseqBriefDesc: nvarchar(255) NULL
  ConseqDetailDesc: ntext NULL
  Obsolete: bit NOT NULL
  ReplacedBy: int NULL
  VulnStatus: bit NOT NULL

ExternalReferences
  ExtRefID: int NOT NULL
  SecChkID: int NULL (FK)
  ExternalReference: nvarchar(255) NULL
  Title: varchar(255) NULL
  Source: varchar(100) NULL
  PreferredRef: bit NOT NULL

Remedies
  SecChkID: int NOT NULL (FK)
  RemedyDesc: ntext NULL
  RemedyLocation: varchar(50) NULL
  MoreInfo: varchar(50) NULL
  EffortInHours: int NULL
  LocalLocation: varchar(50) NULL
  FmtRemedyDesc: ntext NULL

UDSecurityChecks
  UDSecChkID: int IDENTITY(500000,1)
  TagName: varchar(60) NOT NULL (IE1.1)
  ChkName: varchar(40) NULL
  ChkBriefDesc: varchar(255) NULL
  ChkDetailDesc: text NULL
  ConseqDetailDesc: text NULL
  TargetString: varchar(60) NULL
  Context: varchar(60) NULL

Products
  ProductID: int NOT NULL
  ProdName: nvarchar(40) NULL

ProductVersions
  ProdVerID: int NOT NULL
  ProdID: int NOT NULL (FK)
  ProdVersion: nvarchar(15) NULL

CheckProducts
  CheckProductID: int NOT NULL
  SecChkID: int NOT NULL (FK) (IE1.2)
  ProdVerID: int NOT NULL (FK) (IE1.1)
  Comment: varchar(4000) NULL
  FalseNegative: ntext NULL
  FalsePositive: ntext NULL
  ProductCheckName: varchar(120) NULL
  AlgorithmID: int NULL (FK)
  VulnStatus: bit NULL

CheckOSGroup
  OSGroupID: int NOT NULL (FK)
  SecChkID: int NOT NULL (FK)

CorrelationInfo
  RSCheckProductID: int NOT NULL (FK)
  ScannerProductID: int NOT NULL (FK)
  RoleNumber: int NOT NULL

OSGroup
  OSGroupID: int NOT NULL
  OSGroupName: varchar(120) NOT NULL

CheckStd
  StdID: int NOT NULL (FK)
  SecChkID: int NOT NULL (FK)

IAVAChecks
  IAVAGroupName: varchar(60) NOT NULL (IE1.1)
  Priority: varchar(30) NOT NULL
  IAVAID: int NOT NULL
  IAVA: varchar(20) NOT NULL
  IAVADesc: varchar(800) NULL
  CVEID: int NULL
  CVE: varchar(20) NULL
  SecChkID: int NULL (IE2.1)
  GhostCheck: tinyint NULL

StdIndex
  StdID: int NOT NULL
  StdCode: varchar(20) NOT NULL (AK1.1)
  StdReplacedBy: int NULL (FK)
  StdGroupID: INTEGER NOT NULL (FK) (AK1.2,IE1.1)
  StdIndexDesc: varchar(800) NULL

StdGroups
  StdGroupID: int NOT NULL
  StdGroupName: varchar(60) NOT NULL
  StdGroupDesc: text NULL
  StdRevisionNo: varchar(255) NULL

91


Complete Database Schema

Schema The following diagram displays a high-level overview of the entire database schema:

Tables and views shown in the overview diagram: AuditInfo, AuditTrail, AuditEvent, CMDDBSubComponent, DBComponent, SiteRange, Protocols, Services, CheckServices, PlatformTypes, Platforms, CheckPlatforms, CheckCategories, CategoryGroup, Categories, VulnStatus, ErrorMessage, BinaryData, SensorHost, SensorDataRejected, StgWorkingSet, ObservanceType, Severity, Observances, ObservanceColumn, Role, Component, GroupView, Groups, GroupHostLinks, Schedule, ActionJob, ActionDetails, Policy, SecurityChecks, Hosts, ExternalReferences, Version, Remedies, UDSecurityChecks, stg_AlertUpdates, stg_AlertData, stg_AlertAVP, stg_AlertResponse, SensorData, SensorDataUpdates, SensorDataAVP, SensorDataResponse, SDAVPRejected, SDUpdatesRejected, SDResponseRejected, AlertType, AlertCategory, SourceHost, TargetHost, wrk_SensorData, SiteFilters, ErrorSeverity, MessageLog, Products, ProductVersions, CheckProducts, Response, License, stg_SensorData, wrk_Observances, Sites, Audit, Users, UsersGroups, UsersSites, GroupTypes, HostCounts, RejectMetrics, Metrics, MetricsDay, MetricsType, GroupsParentChild, JobTypes, Tasks, AlertTypeView, VersionUpdates, SiteFilterType, ObservanceSiteFilters, ObservanceSiteFiltersView, ObjectType, Object, ObjectView, LastVulnStatus, RatingSet, RatingAttribute, RatingAttributeCode, AlgorithmRating, Algorithm, SiteFilterRules, SiteFilterView, StatCategory, StatName, StatCatAtt, Statistic, StatAttribute, GroupRule, GroupPolicy, GroupRuleType, BinaryDataType, RatingUnGroupedHosts, UnGroupedStatus, CheckOSGroup, CorrelationInfo, LicContactInfo, DesktopAgentVersion, PolicyVersion, ResponseVersion, LicConsqMessage, UpdateStatus, UpdateOperationStatus, UpdateStepStatus, OSGroup, RSDBOptions, MaintenanceLog, AnalysisLog, ComponentDocument, Namespace, GroupDocument, stg_ROL, StdIndex, StdGroups, CheckStd, ReportInstance, IAVAChecks.

92


Index

A
Active Directory 26, 63
adding event collectors 14
application server
  debug logs 20–21

C
controller card for database 4
conventions, typographical
  in commands vii
  in procedures vii
  in this manual vii

D
debug logs
  application server 20–21
  application server, log4j 29
  installation 23
  issDaemon 20
  See also Sensor Controller Diagnostics console
  sensor controller 32–34
  sensor controller, log4j 29
  setting up 55
  SiteProtector database 22
  SiteProtector database, installation 24
  X-Press Update 25
Desktop Controller
  logs 48
disk performance counters, disabling 10
documentation
  online documentation (Help) vi
  SiteProtector Installation and Configuration Guide vi
  SiteProtector Strategy Guide vi
  SiteProtector Supported Agents and Appliances vi
  SiteProtector System Requirements vi

E
EC trace level 12
Event Collector
  debug logs 35
event collector
  adding to configuration 14
  throttle messages 12–13
  trace level 12

I
installation
  logs 23
Internet Scanner
  debug logs 39
Internet Scanner Databridge
  debug logs 40
Internet Security Systems
  technical support viii
  Web site viii

L
logging level
  application server 20
  Desktop Protection 48
  sensor controller 32
  X-Press Update 25
logs
  database 22
  Desktop Protection 48
  installation 23
  levels 29
  log4j application server 28
  log4j server sensor 28
  sensor controller 32
  A-Series Appliance 41
  Desktop Controller 37
  event collector 17
  Gigabit network sensor 44
  G-Series Appliance 42
  Internet Scanner 39

93

logs (continued)
  Internet Scanner Databridge 40
  network sensor 43
  server sensor 45
  SiteProtector core 34
  SiteProtector database 33
  SiteProtector Third Party Module 46
  viewing 17, 22, 24, 28
  X-Press Update 25
logs, debug
  See debug logs

O
online documentation (Help) vi

P
performance
  disabling disk performance counters 10

S
schema
  application security 80
  auditing and diagnostics 81
  command and control 82
  complete database schema 92
  grouping 82–83
  ITRSO 84
  metrics 85
  sensor data 86
  site analysis 87
  site filters 88
  staging and rejects 89
  statistics 90
  X-Force 91
sensor controller
  debug logs 32–34
Sensor Controller Diagnostics console
  starting 52
separating the event collector and the Site database 14
SiteProtector
  Third Party Module 46
SiteProtector database
  debug logs 22
  installation logs 24
SiteProtector Installation and Configuration Guide vi
SiteProtector Strategy Guide vi
SiteProtector Supported Agents and Appliances vi
SiteProtector System Requirements vi

T
technical support, Internet Security Systems viii
throttle messages 12–13
typographical conventions vii

W
Web site, Internet Security Systems viii

X
X-Press Updates
  debug logs 25

94


Internet Security Systems, Inc. Software License Agreement

THIS SOFTWARE PRODUCT IS PROVIDED IN OBJECT CODE AND IS LICENSED, NOT SOLD. BY INSTALLING, ACTIVATING, COPYING OR OTHERWISE USING THIS SOFTWARE PRODUCT, YOU AGREE TO ALL OF THE PROVISIONS OF THIS SOFTWARE LICENSE AGREEMENT (“LICENSE”). IF YOU ARE NOT WILLING TO BE BOUND BY THIS LICENSE, RETURN ALL COPIES OF THE SOFTWARE PRODUCT AND LICENSE KEYS TO ISS WITHIN FIFTEEN (15) DAYS OF RECEIPT FOR A FULL REFUND OF ANY PAID LICENSE FEE. IF THE SOFTWARE PRODUCT WAS OBTAINED BY DOWNLOAD, YOU MAY CERTIFY DESTRUCTION OF ALL COPIES AND LICENSE KEYS IN LIEU OF RETURN.

1. License - Upon payment of the applicable fees, Internet Security Systems, Inc. (“ISS”) grants to you as the only end user (“Licensee”) a nonexclusive and nontransferable, limited license for the accompanying ISS software product and the related documentation (“Software”) and the associated license key(s) for use only on the specific network configuration, for the number and type of devices, and for the time period (“Term”) that are specified in ISS’ quotation and Licensee’s purchase order, as accepted by ISS. ISS limits use of Software based upon the number of nodes, users and/or the number and type of devices upon which it may be installed, used, gather data from, or report on, depending upon the specific Software licensed. A device includes any network addressable device connected to Licensee’s network, including remotely, including but not limited to personal computers, workstations, servers, routers, hubs and printers. A device may also include ISS hardware delivered with pre-installed Software and the license associated with such shall be a non-exclusive, nontransferable, limited license to use such pre-installed Software only in conjunction with the ISS hardware with which it is originally supplied and only during the usable life of such hardware. Except as provided in the immediately preceding sentence, Licensee may reproduce, install and use the Software on multiple devices, provided that the total number and type are authorized by ISS. Licensee acknowledges that the license key provided by ISS may allow Licensee to reproduce, install and use the Software on devices that could exceed the number of devices licensed hereunder. Licensee shall implement appropriate safeguards and controls to prevent loss or disclosure of the license key and unauthorized or unlicensed use of the Software. Licensee may make a reasonable number of backup copies of the Software and the associated license key solely for archival and disaster recovery purposes.
In connection with certain Software products, ISS licenses security content on a subscription basis for a Term and provides Licensee with a license key for each such subscription. Content subscriptions are licensed pursuant to this License based upon the number of protected nodes or number of users. Security content is regularly updated and includes, but is not limited to, Internet content (URLs) and spam signatures that ISS classifies, security algorithms, checks, decodes, and ISS’ related analysis of such information, all of which ISS regards as its confidential information and intellectual property. Security content may only be used in conjunction with the applicable Software in accordance with this License. The use or re-use of such content for commercial purposes is prohibited. Licensee’s access to the security content is through an Internet update using the Software. In addition, unknown URLs may be automatically forwarded to ISS through the Software, analyzed, classified, entered into ISS’ URL database and provided to Licensee as security content updates at regular intervals. ISS’ URL database is located at an ISS facility or as a mirrored version on Licensee’s premises. Any access by Licensee to the URL database that is not in conformance with this License is prohibited. Upon expiration of the security content subscription Term, unless Licensee renews such content subscription, Licensee shall implement appropriate system configuration modifications to terminate its use of the content subscription. Upon expiration of the license Term, Licensee shall cease using the Software and certify return or destruction of it upon request.

2. Migration Utilities – For Software ISS markets or sells as a Migration Utility, the following shall apply. Provided Licensee holds a valid license to the ISS Software to which the Migration Utility relates (the “Original Software”), ISS grants to Licensee as the only end user a nonexclusive and nontransferable, limited license to the Migration Utility and the related documentation (“Migration Utility”) for use only in connection with Licensee’s migration of the Original Software to the replacement software, as recommended by ISS in the related documentation. The Term of this License is for as long as Licensee holds a valid license to the applicable Original Software. Licensee may reproduce, install and use the Migration Utility on multiple devices in connection with its migration from the Original Software to the replacement software. Licensee shall implement appropriate safeguards and controls to prevent unlicensed use of the Migration Utility. Licensee may make a reasonable number of backup copies of the Migration Utility solely for archival and disaster recovery purposes.

3. Third-party Products - Use of third party product(s) supplied hereunder, if any, will be subject solely to the manufacturer’s terms and conditions that will be provided to Licensee upon delivery. ISS will pass any third party product warranties through to Licensee to the extent authorized. If ISS supplies Licensee with Crystal Decisions Runtime Software, then the following additional terms apply: Licensee agrees not to alter, disassemble, decompile, translate, adapt or reverse-engineer the Runtime Software or the report file (.RPT) format, or to use, distribute or integrate the Runtime Software with any general-purpose report writing, data analysis or report delivery product or any other product that performs the same or similar functions as Crystal Decisions’ product offerings; Licensee agrees not to use the Software to create for distribution a product that converts the report file (.RPT) format to an alternative report file format used by any general-purpose report writing, data analysis or report delivery product that is not the property of Crystal Decisions; Licensee agrees not to use the Runtime Software on a rental or timesharing basis or to operate a service bureau facility for the benefit of third–parties unless Licensee first acquires an Application Service Provider License from Crystal Decisions; Licensee may not use the Software or Runtime Software by itself or as part of a system to regularly deliver, distribute or share Reports outside of the Runtime Software environment: (a) to more than fifty (50) end users directly, or (b) to a location that is accessible to more than 50 end users without obtaining an additional license from Crystal Decisions; CRYSTAL DECISIONS AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESS, OR IMPLIED, INCLUDING WITHOUT LIMITATION THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
CRYSTAL DECISIONS AND ITS SUPPLIERS SHALL HAVE NO LIABILITY WHATSOEVER UNDER THIS AGREEMENT OR IN CONNECTION WITH THE SOFTWARE. In this section 3 “Software” means the Crystal Reports software and associated documentation supplied by ISS and any updates, additional modules, or additional software provided by Crystal Decisions in connection therewith; it includes Crystal Decisions’ Design Tools, Report Application Server and Runtime Software, but does not include any promotional software or other software products provided in the same package, which shall be governed by the online software license agreements included with such promotional software or software product.

4. Beta License – If ISS is providing Licensee with the Software, security content and related documentation as a part of an alpha or beta test, the following terms of this Section 4 additionally apply and supercede any conflicting provisions herein or any other license agreement accompanying, contained or embedded in the subject Beta Software or any associated documentation. ISS grants to Licensee a nonexclusive, nontransferable, limited license to use the ISS alpha/prototype software program, security content, if any, and any related documentation furnished by ISS (“Beta Software”) for Licensee’s evaluation and comment (the “Beta License”) during the Test Period. ISS’ standard test cycle, which may be extended at ISS’ discretion, extends for sixty (60) days, commencing on the date of delivery of the Beta Software (the “Test Period”). Upon expiration of the Test Period or termination of the License, Licensee shall, within thirty (30) days, return to ISS or destroy all copies of the Beta Software, and shall furnish ISS written confirmation of such return or destruction upon request. Licensee will provide ISS information reasonably requested by ISS regarding Licensee’s experiences with the installation and operation of the Beta Software. Licensee agrees that ISS shall have the right to use, in any manner and for any purpose, any information gained as a result of Licensee’s use and evaluation of the Beta Software. Such information shall include but not be limited to changes, modifications and corrections to the Beta Software. Licensee grants to ISS a perpetual, royalty-free, non-exclusive, transferable, sublicensable right and license to use, copy, make derivative works of and distribute any report, test result, suggestion or other item resulting from Licensee’s evaluation of its installation and operation of the Beta Software. 
If Licensee is ever held or deemed to be the owner of any copyright rights in the Beta Software or any changes, modifications or corrections to the Beta Software, then Licensee hereby irrevocably assigns to ISS all such rights, title and interest and agrees to execute all documents necessary to implement and confirm the letter and intent of this Section. Licensee acknowledges and agrees that the Beta Software (including its existence, nature and specific features) constitute Confidential Information as defined in Section 18. Licensee further agrees to treat as Confidential Information all feedback, reports, test results, suggestions, and other items resulting from Licensee’s evaluation and testing of the Beta Software as contemplated in this Agreement. With regard to the Beta Software, ISS has no obligation to provide support, maintenance, upgrades, modifications, or new releases. However, ISS agrees to use its reasonable efforts to correct errors in the Beta Software and related documentation within a reasonable time, and will provide Licensee with any corrections it makes available to other evaluation participants. The documentation relating to the Beta Software may be in draft form and will, in many cases, be incomplete. Owing to the experimental nature of the Beta Software, Licensee is advised not to rely exclusively on the Beta Software for any reason. LICENSEE AGREES THAT THE BETA SOFTWARE AND RELATED DOCUMENTATION ARE BEING DELIVERED “AS IS” FOR TEST AND EVALUATION PURPOSES ONLY WITHOUT WARRANTIES OF ANY KIND, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTY OF NONINFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. LICENSEE ACKNOWLEDGES AND AGREES THAT THE BETA SOFTWARE MAY CONTAIN DEFECTS, PRODUCE ERRONEOUS AND UNINTENDED RESULTS AND MAY AFFECT DATA NETWORK SERVICES AND OTHER MATERIALS OF LICENSEE. LICENSEE’S USE OF THE BETA SOFTWARE IS AT THE SOLE RISK OF LICENSEE. 
IN NO EVENT WILL ISS BE LIABLE TO LICENSEE OR ANY OTHER PERSON FOR DAMAGES, DIRECT OR INDIRECT, OF ANY NATURE, OR EXPENSES INCURRED BY LICENSEE. LICENSEE’S SOLE AND EXCLUSIVE REMEDY SHALL BE TO TERMINATE THE BETA SOFTWARE LICENSE BY WRITTEN NOTICE TO ISS.

5. Evaluation License - If ISS is providing Licensee with the Software, security content and related documentation on an evaluation trial basis at no cost, such license Term is 30 days from installation, unless a longer period is agreed to in writing by ISS. ISS recommends using Software and security content for evaluation in a non-production, test environment. The following terms of this Section 5 additionally apply and supercede any conflicting provisions herein. Licensee agrees to remove or disable the Software and security content from the authorized platform and return the Software, security content and documentation to ISS upon expiration of the evaluation Term unless otherwise agreed by the parties in writing. ISS has no obligation to provide support, maintenance, upgrades, modifications, or new releases to the Software or security content under evaluation. LICENSEE AGREES THAT THE EVALUATION SOFTWARE, SECURITY CONTENT AND RELATED DOCUMENTATION ARE BEING DELIVERED “AS IS” FOR TEST AND EVALUATION PURPOSES ONLY WITHOUT WARRANTIES OF ANY KIND, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTY OF NONINFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT WILL ISS BE LIABLE TO LICENSEE OR ANY OTHER PERSON FOR DAMAGES, DIRECT OR INDIRECT, OF ANY NATURE, OR EXPENSES INCURRED BY LICENSEE. LICENSEE’S SOLE AND EXCLUSIVE REMEDY SHALL BE TO TERMINATE THE EVALUATION LICENSE BY WRITTEN NOTICE TO ISS.

6. Covenants - ISS reserves all intellectual property rights in the Software, security content and Beta Software. Licensee agrees: (i) the Software, security content or Beta Software is owned by ISS and/or its licensors, is a valuable trade secret of ISS, and is protected by copyright laws and international treaty provisions; (ii) to take all reasonable precautions to protect the Software, security content or Beta Software from unauthorized access, disclosure, copying or use; (iii) not to modify, adapt, translate, reverse engineer, decompile, disassemble, or otherwise attempt to discover the source code of the Software, security content or Beta Software; (iv) not to use ISS trademarks; (v) to reproduce all of ISS’ and its licensors’ copyright notices on any copies of the Software, security content or Beta Software; and (vi) not to transfer, lease, assign, sublicense, or distribute the Software, security content or Beta Software or make it available for time-sharing, service bureau, managed services offering, or on-line use.

7. Support and Maintenance – Depending upon what maintenance programs Licensee has purchased, ISS will provide maintenance, during the period for which Licensee has paid the applicable maintenance fees, in accordance with its prevailing Maintenance and Support Policy that is available at http://documents.iss.net/maintenance_policy.pdf. Any supplemental Software code or related materials that ISS provides to Licensee as part of any support and maintenance service are to be considered part of the Software and are subject to the terms and conditions of this License, unless otherwise specified.

8. Limited Warranty - The commencement date of this limited warranty is the date on which ISS furnishes to Licensee the license key for the Software. For a period of ninety (90) days after the commencement date or for the Term (whichever is less), ISS warrants that the Software or security content will conform to material operational specifications described in its then current documentation. However, this limited warranty shall not apply unless (i) the Software or security content is installed, implemented, and operated in accordance with all written instructions and documentation supplied by ISS, (ii) Licensee notifies ISS in writing of any nonconformity within the warranty period, and (iii) Licensee has promptly and properly installed all corrections, new versions, and updates made available by ISS to Licensee. Furthermore, this limited warranty shall not apply to nonconformities arising from any of the following: (i) misuse of the Software or security content, (ii) modification of the Software or security content, (iii) failure by Licensee to utilize compatible computer and networking hardware and software, or (iv) interaction with software or firmware not provided by ISS. If Licensee timely notifies ISS in writing of any such nonconformity, then ISS shall repair or replace the Software or security content or, if ISS determines that repair or replacement is impractical, ISS may terminate the applicable licenses and refund the applicable license fees, as the sole and exclusive remedies of Licensee for such nonconformity. THIS WARRANTY GIVES LICENSEE SPECIFIC LEGAL RIGHTS, AND LICENSEE MAY ALSO HAVE OTHER RIGHTS THAT VARY FROM JURISDICTION TO JURISDICTION. ISS DOES NOT WARRANT THAT THE SOFTWARE OR THE SECURITY CONTENT WILL MEET LICENSEE’S REQUIREMENTS, THAT THE OPERATION OF THE SOFTWARE OR SECURITY CONTENT WILL BE UNINTERRUPTED OR ERROR-FREE, OR THAT ALL SOFTWARE OR SECURITY CONTENT ERRORS WILL BE CORRECTED. 
LICENSEE UNDERSTANDS AND AGREES THAT THE SOFTWARE AND THE SECURITY CONTENT ARE NO GUARANTEE AGAINST UNSOLICITED E-MAILS, UNDESIRABLE INTERNET CONTENT, INTRUSIONS, VIRUSES, TROJAN HORSES, WORMS, TIME BOMBS, CANCELBOTS OR OTHER SIMILAR HARMFUL OR DELETERIOUS PROGRAMMING ROUTINES AFFECTING LICENSEE’S NETWORK, OR THAT ALL SECURITY THREATS AND VULNERABILITIES, UNSOLICITED E-MAILS OR UNDESIRABLE INTERNET CONTENT WILL BE DETECTED OR THAT THE PERFORMANCE OF THE SOFTWARE AND SECURITY CONTENT WILL RENDER LICENSEE’S SYSTEMS INVULNERABLE TO SECURITY BREACHES. THE REMEDIES SET OUT IN THIS SECTION 8 ARE THE SOLE AND EXCLUSIVE REMEDIES FOR BREACH OF THIS LIMITED WARRANTY.

9. Warranty Disclaimer - EXCEPT FOR THE LIMITED WARRANTY PROVIDED ABOVE, THE SOFTWARE AND SECURITY CONTENT ARE EACH PROVIDED “AS IS” AND ISS HEREBY DISCLAIMS ALL WARRANTIES, BOTH EXPRESS AND IMPLIED, INCLUDING IMPLIED WARRANTIES RESPECTING MERCHANTABILITY, TITLE, NONINFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE. LICENSEE EXPRESSLY ACKNOWLEDGES THAT NO REPRESENTATIONS OTHER THAN THOSE CONTAINED IN THIS LICENSE HAVE BEEN MADE REGARDING THE GOODS OR SERVICES TO BE PROVIDED HEREUNDER, AND THAT LICENSEE HAS NOT RELIED ON ANY REPRESENTATION NOT EXPRESSLY SET OUT IN THIS LICENSE.

10. Proprietary Rights - ISS represents and warrants that ISS has the authority to license the rights to the Software and security content that are granted herein. ISS shall defend and indemnify Licensee from any final award of costs and damages against Licensee for any actions based on infringement of any U.S. copyright, trade secret, or patent as a result of the use or distribution of a current, unmodified version of the Software and security content, but only if ISS is promptly notified in writing of any such suit or claim, and only if Licensee permits ISS to defend, compromise, or settle same, and only if Licensee provides all available information and reasonable assistance. The foregoing is the exclusive remedy of Licensee and states the entire liability of ISS with respect to claims of infringement or misappropriation relating to the Software and security content.

11. Limitation of Liability - ISS’ ENTIRE LIABILITY FOR MONETARY DAMAGES ARISING OUT OF THIS LICENSE SHALL BE LIMITED TO THE AMOUNT OF THE LICENSE FEES ACTUALLY PAID BY LICENSEE UNDER THIS LICENSE, PRORATED OVER A THREE-YEAR TERM FROM THE DATE LICENSEE RECEIVED THE SOFTWARE OR SECURITY CONTENT, AS APPLICABLE. IN NO EVENT SHALL ISS BE LIABLE TO LICENSEE UNDER ANY THEORY INCLUDING CONTRACT AND TORT (INCLUDING NEGLIGENCE AND STRICT PRODUCTS LIABILITY) FOR ANY SPECIAL, PUNITIVE, INDIRECT, INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, DAMAGES FOR LOST PROFITS, LOSS OF DATA, LOSS OF USE, OR COMPUTER HARDWARE MALFUNCTION, EVEN IF ISS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

12. Termination - Licensee may terminate this License at any time by notifying ISS in writing. All rights granted under this License will terminate immediately, without prior written notice from ISS, at the end of the term of the License, if not perpetual. If Licensee fails to comply with any provisions of this License, ISS may immediately terminate this License if such default has not been cured within ten (10) days following written notice of default to Licensee. Upon termination or expiration of a license for Software, Licensee shall cease all use of such Software, including Software pre-installed on ISS hardware, and destroy all copies of the Software and associated documentation. Termination of this License shall not relieve Licensee of its obligation to pay all fees incurred prior to such termination and shall not limit either party from pursuing any other remedies available to it.

13. General Provisions - This License, together with the identification of the Software and/or security content, pricing and payment terms stated in the applicable ISS quotation and Licensee purchase order (if applicable) as accepted by ISS, constitute the entire agreement between the parties respecting its subject matter. Standard and other additional terms or conditions contained in any purchase order or similar document are hereby expressly rejected and shall have no force or effect. ISS Software and security content are generally delivered to Customer by supplying Customer with license key data. If Customer has not already downloaded the Software, security content and documentation, then it is available for download at http://www.iss.net/download/. All ISS hardware with pre-installed Software and any other products not delivered by download are delivered f.o.b. origin. This License will be governed by the substantive laws of the State of Georgia, USA, excluding the application of its conflicts of law rules. This License will not be governed by the United Nations Convention on Contracts for the International Sale of Goods, the application of which is expressly excluded. If any part of this License is found void or unenforceable, it will not affect the validity of the balance of the License, which shall remain valid and enforceable according to its terms. This License may only be modified in writing signed by an authorized officer of ISS.

14. Notice to United States Government End Users - Licensee acknowledges that any Software and security content furnished under this License is commercial computer software and any documentation is commercial technical data developed at private expense and is provided with RESTRICTED RIGHTS. Any use, modification, reproduction, display, release, duplication or disclosure of this commercial computer software by the United States Government or its agencies is subject to the terms, conditions and restrictions of this License in accordance with the United States Federal Acquisition Regulations at 48 C.F.R. Section 12.212 and DFAR Subsection 227.7202-3 and Clause 252.227-7015 or applicable subsequent regulations. Contractor/manufacturer is Internet Security Systems, Inc., 6303 Barfield Road, Atlanta, GA 30328, USA.

15. Export and Import Controls; Use Restrictions - Licensee will not transfer, export, or reexport the Software, security content, any related technology, or any direct product of either except in full compliance with the export controls administered by the United States and other countries and any applicable import and use restrictions. Licensee agrees that it will not export or reexport such items to anyone on the U.S. Treasury Department’s list of Specially Designated Nationals or the U.S. Commerce Department’s Denied Persons List or Entity List or such additional lists as may be issued by the U.S. Government from time to time, or to any country to which the United States has embargoed the export of goods (currently Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria) or for use with chemical or biological weapons, sensitive nuclear end-uses, or missiles. Licensee represents and warrants that it is not located in, under control of, or a national or resident of any such country or on any such list. Many ISS software products include encryption and export outside of the United States or Canada is strictly controlled by U.S. laws and regulations. ISS makes its current export classification information available at http://www.iss.net/export. Please contact ISS’ Sourcing and Fulfillment for export questions relating to the Software or security content ([email protected]). Licensee understands that the foregoing obligations are U.S. legal requirements and agrees that they shall survive any term or termination of this License.

16. Authority - Because the Software is designed to test or monitor the security of computer network systems and may disclose or create problems in the operation of the systems tested, Licensee and the persons acting for Licensee represent and warrant that: (a) they are fully authorized by the Licensee and the owners of the computer network for which the Software is licensed to enter into this License and to obtain and operate the Software in order to test and monitor that computer network; (b) the Licensee and the owners of that computer network understand and accept the risks involved; and (c) the Licensee shall procure and use the Software in accordance with all applicable laws, regulations and rules.

17. Disclaimers - Licensee acknowledges that some of the Software and security content is designed to test the security of computer networks and may disclose or create problems in the operation of the systems tested. Licensee further acknowledges that neither the Software nor security content is fault tolerant or designed or intended for use in hazardous environments requiring fail-safe operation, including, but not limited to, aircraft navigation, air traffic control systems, weapon systems, life-support systems, nuclear facilities, or any other applications in which the failure of the Software and security content could lead to death or personal injury, or severe physical or property damage. ISS disclaims any implied warranty of fitness for High Risk Use. Licensee accepts the risk associated with the foregoing disclaimers and hereby waives all rights, remedies, and causes of action against ISS and releases ISS from all liabilities arising therefrom.

18. Confidentiality - “Confidential Information” means all information proprietary to a party or its suppliers that is marked as confidential. Each party acknowledges that during the term of this Agreement, it will be exposed to Confidential Information of the other party. The obligations of the party (“Receiving Party”) which receives Confidential Information of the other party (“Disclosing Party”) with respect to any particular portion of the Disclosing Party’s Confidential Information shall not attach or shall terminate when any of the following occurs: (i) it was in the public domain or generally available to the public at the time of disclosure to the Receiving Party, (ii) it entered the public domain or became generally available to the public through no fault of the Receiving Party subsequent to the time of disclosure to the Receiving Party, (iii) it was or is furnished to the Receiving Party by a third party having the right to furnish it with no obligation of confidentiality to the Disclosing Party, or (iv) it was independently developed by the Receiving Party by individuals not having access to the Confidential Information of the Disclosing Party. Each party acknowledges that the use or disclosure of Confidential Information of the Disclosing Party in violation of this License could severely and irreparably damage the economic interests of the Disclosing Party. The Receiving Party agrees not to disclose or use any Confidential Information of the Disclosing Party in violation of this License and to use Confidential Information of the Disclosing Party solely for the purposes of this License. Upon demand by the Disclosing Party and, in any event, upon expiration or termination of this License, the Receiving Party shall return to the Disclosing Party all copies of the Disclosing Party’s Confidential Information in the Receiving Party’s possession or control and destroy all derivatives and other vestiges of the Disclosing Party’s Confidential Information obtained or created by the Disclosing Party. All Confidential Information of the Disclosing Party shall remain the exclusive property of the Disclosing Party.

19. Compliance - From time to time, ISS may request Licensee to provide a certification that the Software and security content is being used in accordance with the terms of this License. If so requested, Licensee shall verify its compliance and deliver its certification within forty-five (45) days of the request. The certification shall state Licensee’s compliance or non-compliance, including the extent of any non-compliance. ISS may also, at any time, upon thirty (30) days prior written notice, at its own expense appoint a nationally recognized software use auditor, to whom Licensee has no reasonable objection, to audit and examine use and records at Licensee offices during normal business hours, solely for the purpose of confirming that Licensee’s use of the Software and security content is in compliance with the terms of this License. ISS will use commercially reasonable efforts to have such audit conducted in a manner such that it will not unreasonably interfere with the normal business operations of Licensee. If such audit should reveal that use of the Software or security content has been expanded beyond the scope of use and/or the number of Authorized Devices or Licensee certifies such non-compliance, ISS shall have the right to charge Licensee the applicable current list prices required to bring Licensee in compliance with its obligations hereunder with respect to its current use of the Software and security content. In addition to the foregoing, ISS may pursue any other rights and remedies it may have at law, in equity or under this License.

20. Data Protection - The data needed to process this transaction will be stored by ISS and may be forwarded to companies affiliated with ISS and possibly to Licensee’s vendor within the framework of processing Licensee’s order. All personal data will be treated confidentially.

Revised March 16, 2004.
