SiteProtector Technical Reference Guide
Version 2.0, Service Pack 4
Internet Security Systems, Inc.
6303 Barfield Road
Atlanta, Georgia 30328-4233
United States
(404) 236-2600
http://www.iss.net
© Internet Security Systems, Inc. 1994-2004. All rights reserved worldwide. Customers may make reasonable numbers of copies of this publication for internal use only. This publication may not otherwise be copied or reproduced, in whole or in part, by any other person or entity without the express prior written consent of Internet Security Systems, Inc.
SiteProtector Version 2.0, Service Pack 4, Patent pending.
June 07, 2004
Contents
Preface
  Overview
  How to use SiteProtector Documentation
  Conventions Used in this Guide
  Getting Technical Support
Chapter 1: Improving Performance
  Overview
  Section A: Improving Database Performance
    Overview
    Improving Database Hardware
    Guidelines for Database Maintenance
    Optimizing SiteProtector Databases
    Disabling SiteProtector Database Disk Performance Counters
  Section B: Improving Event Collector Performance
    Overview
    Identifying Event Overload in the Event Collector
    Improving Event Collector Hardware and Configuration
    Modifying Agent Policies
Chapter 2: Log File Diagnostics
  Overview
  Section A: Miscellaneous Logging Information
    Overview
    Application Server Logs
    Database Logs
    Installation Logs
    X-Press Update Logs
    Active Directory Logs
  Section B: Log4j Logging Information
    Overview
    Log4j Application Server and Sensor Controller Logs
    Changing Log4j Logging Levels
  Section C: Sensor Controller Logging Information
    Overview
    Sensor Controller Logs
    Sensor Controller SiteProtector Database Logs
    Sensor Controller SiteProtector Core Logs
    Sensor Controller Event Collector Logs
    Sensor Controller Desktop Controller Logs
    Sensor Controller Internet Scanner Logs
    Sensor Controller Internet Scanner Databridge Logs
    Sensor Controller A-Series Appliance Logs
    Sensor Controller G-Series Appliance Logs
    Sensor Controller RealSecure Network Logs
    Sensor Controller RealSecure Network Gigabit Logs
    Sensor Controller RealSecure Server Sensor Logs
    Sensor Controller SiteProtector Third Party Module Logs
  Section D: Desktop Controller Logging Information
    Overview
    Desktop Controller Desktop Protection Logs
    Desktop Controller M-Series Appliance Logs
Chapter 3: Diagnostic and Debugging Setup
  Overview
  Running the Sensor Controller as a Java Application
  Setting up Run-time Logging for the RealSecure SiteProtector Sensor Controller Service
  Setting up Run-Time Logging for the RealSecure SiteProtector Application Server Service
Chapter 4: Solutions to Some Common Issues
  Overview
  Issues Related to SiteProtector Installation
  Issues Related to SiteProtector Encryption Keys
  Issues Related to Operating SiteProtector
  Issues Related to Low Memory
  Issues Related to Updating SiteProtector
  Issues Related to SiteProtector Services
  Issues Related to Agents and Appliances
Appendix A: Database Schema
  Overview
  Application Security Schema
  Auditing and Diagnostics Schema
  Command and Control Schema
  Grouping Schema
  ITRSO Schema
  Metrics Schema
  Sensor Data Schema
  Site Analysis Schema
  Site Filters Schema
  Staging and Rejects Schema
  Statistics Schema
  X-Force Schema
  Complete Database Schema
Index
Preface
Overview
Introduction The SiteProtector Technical Reference Guide describes the diagnostic capabilities of SiteProtector, and also gives recommendations for some of the issues you may encounter as you use SiteProtector.
Scope The following table lists and describes the purpose of each chapter in this manual:
Chapter/Appendix | Purpose
Chapter 1: Improving Performance | Describes some of the causes of poor performance, and explains the process by which you can improve the performance of your SiteProtector system.
Chapter 2: Log File Diagnostics | Describes the options for setting up the Sensor Controller Diagnostics console and how to activate run-time debugging for the sensor controller and the application server.
Chapter 3: Diagnostic and Debugging Setup | Describes how to use the Sensor Controller Diagnostics console.
Chapter 4: Solutions to Common Issues | Describes some of the issues that may occur when you install and use SiteProtector. This chapter also provides steps you can take to resolve certain issues.
Appendix A: Database Schema | Displays the SiteProtector Database schema.
Audience This guide is for network administrators, security administrators, or any other individuals who are responsible for installing SiteProtector and managing network security.
How to use SiteProtector Documentation
Using this guide This guide includes some of the issues that you may encounter when working with SiteProtector, but it is not a troubleshooting guide.
Reference: For the most up-to-date list of SiteProtector issues, see the ISS Knowledgebase at http://www.iss.net/support/knowledgebase/. If the Knowledgebase does not help you resolve your issue, email ISS Customer Support at [email protected] or call ISS Customer Support at (1) (888) 447-4861.
Related publications Table 1 describes the publications included with SiteProtector.
Title or type of documentation | Description
SiteProtector Installation and Configuration Guide | Provides information about installing and setting up your SiteProtector system.
SiteProtector Strategy Guide | Provides best practice information for customizing SiteProtector to suit your specific needs.
SiteProtector Help | Provides procedures for using SiteProtector, and all compatible ISS agents/appliances.
SiteProtector System Requirements | Provides the standards that your computer system must meet to run SiteProtector.
SiteProtector Supported Agents and Appliances | Provides a list of agents and appliances that are supported by SiteProtector.
Table 1: Related publications
Conventions Used in this Guide
Introduction This topic explains the typographic conventions used in this guide to make information in procedures and commands easier to recognize.
In procedures The typographic conventions used in procedures are shown in the following table:
Convention | What it Indicates | Examples
Bold | An element on the graphical user interface. | Type the computer’s address in the IP Address box. Select the Print check box. Click OK.
SMALL CAPS | A key on the keyboard. | Press ENTER. Press the PLUS SIGN (+).
Constant width | A file name, folder name, path name, or other information that you must type exactly as shown. | Save the User.txt file in the Addresses folder. Type IUSR__SMA in the Username box.
Constant width italic | A file name, folder name, path name, or other information that you must supply. | Type Version number in the Identification information box.
→ | A sequence of commands from the taskbar or menu bar. | From the taskbar, select Start→Run. On the File menu, select Utilities→Compare Documents.
Table 2: Typographic conventions for procedures
Command conventions
The typographic conventions used for command lines are shown in the following table:
Convention | What it Indicates | Examples
Constant width bold | Information to type in exactly as shown. | md ISS
Italic | Information that varies according to your circumstances. | md your_folder_name
[ ] | Optional information. | dir [drive:][path][filename] [/P][/W][/D]
"|" | Two mutually exclusive choices. | verify [ON|OFF]
{ } | A set of choices from which you must choose one. | % chmod {u|g|o|a}=[r][w][x] file
Table 3: Typographic conventions for commands
Getting Technical Support
Introduction ISS provides technical support through its Web site and by email or telephone.
The ISS Web site The Internet Security Systems (ISS) Resource Center Web site (http://www.iss.net/support/) provides direct access to frequently asked questions (FAQs), white papers, online user documentation, current versions listings, detailed product literature, and the Technical Support Knowledgebase (http://www.iss.net/support/knowledgebase/).
Support levels ISS offers three levels of support:
• Standard
• Select
• Premium
Each level provides you with 24-7 telephone and electronic support. Select and Premium services provide more features and benefits than the Standard service. Contact Client Services at [email protected] if you do not know the level of support your organization has selected.
Hours of support The following table provides hours for Technical Support at the Americas and other locations:
Location | Hours
Americas | 24 hours a day
All other locations | Monday through Friday, 9:00 A.M. to 6:00 P.M. during their local time, excluding ISS published holidays. Note: If your local support office is located outside the Americas, you may call or send an email to the Americas office for help during off-hours.
Table 4: Hours for technical support
Contact information The following table provides electronic support information and telephone numbers for technical support requests:
Regional Office | Electronic Support | Telephone Number
North America | Connect to the MYISS section of our Web site: www.iss.net | Standard: (1) (888) 447-4861 (toll free), (1) (404) 236-2700. Select and Premium: Refer to your Welcome Kit or call your Primary Designated Contact for this information.
Latin America | [email protected] | (1) (888) 447-4861 (toll free), (1) (404) 236-2700
Europe, Middle East, and Africa | [email protected] | (44) (1753) 845105
Asia-Pacific, Australia, and the Philippines | [email protected] | (1) (888) 447-4861 (toll free), (1) (404) 236-2700
Japan | [email protected] | Domestic: (81) (3) 5740-4065
Table 5: Contact information for technical support
Chapter 1
Improving Performance
Overview
Introduction Slow performance can be caused by the following conditions:
• event overload
• insufficient application server capacity
This chapter discusses what you can do to improve SiteProtector system performance.
In this chapter This chapter contains the following sections:
• Improving Database Performance
• Improving Event Collector Performance
SECTION A: Improving Database Performance
Overview
Introduction This section discusses how to correct SiteProtector database performance problems.
In this section This section contains the following topics:
• Improving Database Hardware
• Guidelines for Database Maintenance
• Optimizing SiteProtector Databases
• Disabling SiteProtector Database Disk Performance Counters
Improving Database Hardware
Introduction To improve database performance, consider doing the following:
• upgrade the SiteProtector database server to a larger drive
• install a high performance IDE or SCSI controller card
• install an additional CPU
Optimum database hardware
To ensure optimum database performance, ISS recommends that you use hardware that meets the specifications listed in the SiteProtector System Requirements. If you are using hardware that does not meet these specifications, the tasks recommended in this topic may not improve database performance significantly.
Installing a high performance controller card
High performance controller cards maximize the performance of the database server’s hard drive by providing faster data transfers. The internal controller on the server motherboard generally does not perform as well as a separate plug-in card. To maximize the drive’s performance, consider installing a high performance controller card that is compatible with the hard drive.
Installing an additional CPU
Multiple CPUs can improve database performance. Consider adding CPUs to the database server.
Guidelines for Database Maintenance
Introduction SiteProtector allows emergency purge options as a part of automatic maintenance. If the maximum age values are not sufficient to prevent the database from reaching capacity, SiteProtector purges the oldest data from the following database tables:
• Observances
• SensorData
• Hosts
Guidelines for emergency purge options
Guidelines for configuring emergency purge options are as follows:
Emergency purge threshold—After a database exceeds 85 percent of its capacity, it can reach full capacity quickly, so ISS recommends that you avoid setting emergency purge threshold values that exceed the default.
Purge margin—The purge margin deletes a percentage of the oldest data stored in the database only when the maximum age values are not sufficient to reduce the size of the database to below the emergency purge threshold. Therefore, the purge margin may delete data that is newer than the maximum age values.
Guidelines for configuring maximum age values
To prevent emergency purges, consider the following guidelines when configuring maximum age values:
• Decrease values that correspond to data that is not important for evidence, troubleshooting, or trend analysis, such as message logs or unused hosts.
• Increase values that correspond to data you want to retain for evidence, troubleshooting, or trend analysis, such as observances or metrics.
Note: Consider retaining metrics data as long as needed because this data is valuable in establishing trends and uses minimal database space.
Daily and weekly maintenance schedules
Guidelines for scheduling automatic maintenance are as follows:
Daily database maintenance—By default, SiteProtector schedules daily database maintenance at midnight (UTC). You should schedule daily maintenance at a time when the event volume is the lowest. Depending on your hours of operation, midnight may not be the ideal time to schedule daily maintenance. For example, if you are monitoring sites that operate in several time zones, early morning or early evening may be more appropriate.
Weekly database maintenance—Schedule weekly maintenance at a time when the event volume is the lowest. By default, SiteProtector schedules weekly database maintenance on Sunday.
Recovery models The type of recovery model you select affects the frequency with which backups are performed. Consider the following when selecting a recovery model:
• If you select the full or bulk-logged recovery model, then SiteProtector performs differential backups during daily maintenance and performs full backups during weekly maintenance.
• If you select the simple recovery method, then SiteProtector performs full backups during daily and weekly maintenance.
Note: If you enable transaction log backups for full or bulk-logged recovery models, SiteProtector backs up transaction logs when the log reaches the specified Log backup threshold.
Autoshrink and autogrow
The autogrow option is enabled by default on the SiteProtector database, and the autoshrink option is disabled. If you enable the autoshrink option, you may experience performance problems due to the overhead that is created when both options are enabled. Consider selecting the Automatically shrink option only when you are purging a large volume of data so that you can leave enough space available for future processing.
Optimizing SiteProtector Databases
Introduction This topic provides recommendations for optimizing SiteProtector databases and database servers.
When to optimize databases
The following table describes when to perform the procedures included in this topic:
Task | When to Perform
Format the database drives | Before you install SiteProtector
Allocate sufficient space for data and log files | After you install SiteProtector
Separate database files on servers that do not use RAID disk storage | After you install SiteProtector
Reconfigure database server properties
Select the correct recovery model and options for your configuration
Allocate sufficient space for the temporary database file
Table 6: When to optimize databases and database servers
Formatting the database drives
NT file systems (NTFS) provide better database performance than other file systems. Format the database drives with NTFS, using 64KB extent sizes, before you install SiteProtector. For detailed information, refer to your Microsoft Windows Server documentation.
Allocating sufficient space for data and log files
After you install SiteProtector, allocate sufficient space to the SQL data and log files so that these files support database growth.
To allocate space to data and log files:
1. On the SiteProtector database server, open the Microsoft SQL Enterprise Manager, and then expand the server group that contains the Site database.
2. Right-click the SiteProtector database you are configuring in the Tree tab, and then select Properties.
3. Select the Data tab, and then select the Automatically grow file option.
4. In the File Growth section, select the Megabytes option and then type or select the number of megabytes to grow the data file. (The recommended size is 256 megabytes.)
Important: If you select the Restrict file growth option, type or select a maximum file size that is based on the size of the physical drive and the size into which you expect the database to grow.
5. Select the Transaction Log tab, and then select the Automatically grow file option.
6. Are you using the simple recovery method?
• If yes, select the Unrestricted file growth option, and then go to Step 8.
• If no, then go to Step 7.
7. Type or select a maximum file size that is at least 50 percent larger than the maximum file size you specified for the data file.
Note: For information about SQL recovery models, refer to the procedure in this topic about selecting the right recovery model, or refer to your Microsoft SQL documentation.
8. Click OK.
Separating database files on servers that do not use RAID disk storage
To maximize performance on servers that do not use RAID disk storage, distribute database files on separate disks. The following table lists the recommended distribution of database files for each configuration:
Number of disks in configuration | Distribution of database files from the largest to the smallest disk
2 | 1. Primary database; 2. Transaction log and OS drive
3 | 1. Primary database; 2. Transaction log; 3. OS drive
4 or more | 1. Primary database; 2. Transaction log; 3. OS drive. Note: Using the database properties window, consider creating additional data files on different disks and assigning them to the primary filegroup.
Table 7: Separating database files on servers that do not use RAID disk storage
Reconfiguring database server properties
SQL default server properties do not support optimum database performance for SiteProtector.
To reconfigure database server properties for optimum performance:
1. On the SiteProtector database server, open the Microsoft SQL Enterprise Manager.
2. Right-click the server (not the database) you are configuring in the Tree tab, and then select Properties.
3. Select the General tab, and then select the following options:
• Autostart SQL Server
• Autostart SQL Server Agent
4. Select the Memory tab, and then select the Dynamically configure SQL server memory option.
5. Select the Processor tab, and then select the Use all available processors option.
6. Click OK.
Selecting the correct recovery model and options for your configuration
The type of SQL recovery model you select when you are configuring the SiteProtector database can impact performance.
To select the right recovery model for your configuration:
1. On the SiteProtector database server, open the Microsoft SQL Enterprise Manager, and then expand the server group that contains the SiteProtector database.
2. Right-click the SiteProtector database you are configuring in the Tree tab, and then select Properties.
3. Select the Options tab.
4. Use the following table to determine which recovery model to select in the Recovery Model list:
If the database is... | Then select this option...
used for a production system | Full or Bulk-Logged
not used for a production system | Simple
5. Select only the following check boxes:
• Auto update statistics
• Torn page detection
• Auto create statistics
• Allow cross-database ownership chaining
6. Click OK.
Allocating sufficient space for the temporary database
Database performance can suffer if you do not allocate sufficient space to temporary database files.
To allocate space to temporary database files:
1. On the SiteProtector database server, open the Microsoft SQL Enterprise Manager, and then expand the server group that contains the SiteProtector database.
2. Right-click the temporary database (TempDB) you are configuring in the Tree tab, and then select Properties.
3. Select the Data tab.
4. Consider increasing the active values in the following fields:
• Megabytes
• By percent
5. Consider increasing the space allocated to the temporary database so that it can support growth.
Disabling SiteProtector Database Disk Performance Counters
Introduction
Disk performance counters can impact database performance. Disable disk performance counters only if you are not using the data that is generated by them.
Definition: disk performance counters
Enabled by default, disk performance counters measure the performance of the physical and logical drives on Windows servers. You can improve database performance by disabling all disk performance counters on the SiteProtector database.
Procedure
To disable disk performance counters:
1. On the taskbar, select Start→Run.
2. Type cmd in the Run window, and then click OK.
3. At the command prompt, type DISKPERF -N, and then press ENTER.
A message appears stating that disk performance counters are now disabled on logical and physical drives.
4. Restart the SiteProtector database server.
SECTION B: Improving Event Collector Performance
Overview
Introduction
This section discusses how to identify and correct event collector performance problems.
In this section
This section contains the following topics:
Topic
Identifying Event Overload in the Event Collector
Improving Event Collector Hardware and Configuration
Modifying Agent Policies
Identifying Event Overload in the Event Collector
Introduction
When an overload occurs in the event collector, the event collector generates alerts, called throttle messages, which tell you when the overload started and when it stopped. Frequent throttle messages may indicate that you have a performance problem.
Important: The event collector may send throttle messages when you stop and then restart the event collector. This condition is usually temporary because agents are unloading the backlog stored in their queues.
Task overview
Identifying event overload in the event collector is a two-task procedure:
Task | Description
1 | Verify that throttle messages are enabled.
2 | View throttle messages in the event collector log files.
Table 8: Identifying event overload task overview
Where throttle messages appear
Throttle messages appear in the following locations:
• on the SiteProtector Console, as warning events
• in the event collector log files, located on the computer where the event collector is installed
Note: The Microsoft Event Viewer also displays throttle messages as application warnings, which appear on the computer where the event collector is installed.
Event collector log files
Event collector log files are on the computer where the event collector is installed. When configured properly, log files can indicate performance problems that have occurred over a specified period of time. To enable throttle messages to appear in the log files, you must specify the EC trace level as Warning or greater.
Note: Changes to the logging level do not take effect until you restart the event collector.
Example: throttle message
The following throttle message example shows a start message followed by a stop message:
2002/02/08 16:04:09.91 T:0ad0 CPluginEventDatabase Started throttling event rate (due to large backlog of events waiting to be stored in the database). If this happens often, this may be an indication that your Event Collector is overloaded. [ID=0xc734004c]
2002/02/08 16:04:13.32 T:0ad0 CPluginEventDatabase Stopped throttling event rate. [ID=0xc734004d]
Configuring throttle messages
To configure the event collector to send throttle messages to the SiteProtector Console and to the SiteProtector database:
1. In the grouping tree, select the folder that contains the event collector.
2. Select the Sensor tab in the Analysis pane.
3. Right-click the event collector, and then select Event Collector→Edit Properties from the list.
The Event Collector Properties window opens.
4. Select the Alerts tab.
5. In EventCollector_Warning, verify that the following boxes are selected:
• Enable
• Notify console
• Log to database
6. Click OK.
Sending throttle messages to event collector log files
To send the throttle messages to the Event Collector log files:
1. In the grouping tree, select the folder that contains the event collector.
2. Select the Sensor tab in the Analysis pane.
3. Right-click the event collector, and then select Event Collector→Edit Properties from the list.
The Event Collector Properties window opens.
4. Select the General tab, and then click Advanced.
5. Verify that the event collector trace level is set to the Warn level or higher.
6. Click OK.
Note: These changes do not take effect until you restart the event collector.
Viewing throttle messages in event collector log files
To view throttle messages in the event collector log files:
1. Go to the computer where the event collector is installed.
2. Open the following file:
\Program Files\ISS\RealSecureSiteProtector\EventCollector\Logs\emtrace.txt
The contents of the log file appear in a default text editor window.
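Reading emtrace.txt by eye works for one or two messages; to judge whether throttling is frequent, the start and stop messages can be paired and counted. The following Python script is an added example, not part of the original guide or of SiteProtector. It assumes the line layout and the two message IDs shown in the throttle message example; the one-hour window and every sample line after the first two are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Message IDs copied from the throttle message example in this guide.
THROTTLE_START_ID = 0xC734004C
THROTTLE_STOP_ID = 0xC734004D

# Assumed layout of one log line: timestamp, thread, component, text, [ID=0x...].
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{1,6})\s+"
    r"T:(?P<thread>[0-9a-fA-F]+)\s+"
    r"(?P<component>\S+)\s+"
    r"(?P<message>.*?)\s*\[ID=0x(?P<id>[0-9a-fA-F]+)\]\s*$"
)

# Constructed sample input. The first two lines are the example from this
# guide; every other line is invented for the demonstration.
SAMPLE_LOG = """\
2002/02/08 16:04:09.91 T:0ad0 CPluginEventDatabase Started throttling event rate (due to large backlog of events waiting to be stored in the database). If this happens often, this may be an indication that your Event Collector is overloaded. [ID=0xc734004c]
2002/02/08 16:04:13.32 T:0ad0 CPluginEventDatabase Stopped throttling event rate. [ID=0xc734004d]
(constructed line that does not follow the log layout)
2002/02/08 16:20:00.00 T:0ad0 CPluginEventDatabase Started throttling event rate. [ID=0xc734004c]
2002/02/08 16:20:45.50 T:0ad0 CPluginEventDatabase Stopped throttling event rate. [ID=0xc734004d]
2002/02/08 16:50:10.00 T:0ad0 CPluginEventDatabase Started throttling event rate. [ID=0xc734004c]
2002/02/08 16:52:10.00 T:0ad0 CPluginEventDatabase Stopped throttling event rate. [ID=0xc734004d]
2002/02/08 18:30:00.00 T:0ad0 CPluginEventDatabase Started throttling event rate. [ID=0xc734004c]
"""


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    match = LINE_RE.match(line.strip())
    if match is None:
        return None
    return {
        "time": datetime.strptime(match["ts"], "%Y/%m/%d %H:%M:%S.%f"),
        "thread": match["thread"],
        "component": match["component"],
        "message": match["message"],
        "id": int(match["id"], 16),
    }


def throttle_episodes(lines):
    """Pair start and stop messages into (start, stop) episodes.

    Returns (episodes, anomalies). Anomalies are (description, time) tuples
    for throttle messages that could not be paired.
    """
    episodes, anomalies = [], []
    open_start = None
    for line in lines:
        record = parse_line(line)
        if record is None:
            continue
        if record["id"] == THROTTLE_START_ID:
            if open_start is not None:
                anomalies.append(("start without stop", open_start))
            open_start = record["time"]
        elif record["id"] == THROTTLE_STOP_ID:
            if open_start is None:
                anomalies.append(("stop without start", record["time"]))
            else:
                episodes.append((open_start, record["time"]))
                open_start = None
    if open_start is not None:
        anomalies.append(("still throttling at end of log", open_start))
    return episodes, anomalies


def busiest_window(episodes, window=timedelta(hours=1)):
    """Return (count, first_start) for the window holding the most episodes."""
    starts = sorted(start for start, _ in episodes)
    best = (0, None)
    low = 0
    for high, current in enumerate(starts):
        while current - starts[low] > window:
            low += 1
        count = high - low + 1
        if count > best[0]:
            best = (count, starts[low])
    return best


if __name__ == "__main__":
    episodes, anomalies = throttle_episodes(SAMPLE_LOG.splitlines())
    for start, stop in episodes:
        print(f"{start}  throttled for {(stop - start).total_seconds():.2f} s")
    for description, when in anomalies:
        print(f"{when}  {description}")
    count, first = busiest_window(episodes)
    print(f"busiest hour: {count} episodes, first at {first}")
```

Episodes that cluster around a stop and restart of the event collector are the temporary condition the guide describes, so compare the reported times with service restarts before treating them as overload.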
Improving Event Collector Hardware and Configuration
Introduction
To improve event collector performance, consider doing the following:
• add another event collector to your configuration
• install the event collector and the SiteProtector database on separate computers
Adding an event collector
Using the custom installation option, add an event collector to your site configuration. You can install up to five event collectors per site.
Separating the event collector and the SiteProtector database
If you have installed both the event collector and the SiteProtector database on the same computer, consider installing them on separate computers.
Reference: For more information about separating components and installing additional SiteProtector components using the custom installation option, refer to the SiteProtector Installation and Configuration Guide.
Modifying Agent Policies
Introduction
Modify agent policies to decrease the number of events the event collector and the SiteProtector database must process. The procedures for modifying policies vary according to the type of agent.
How to modify an agent policy
In most cases, when you modify agent policies, you either change the default policy or customize the policy. When you know there is a specific signature or check that is generating a significant number of extraneous events, consider turning off those checks in the policy.
Caution: Before you modify an agent policy, consider the impact of those policy changes on the security of your network. If turning off a check makes your network less secure, then consider other alternatives.
Advantages
The advantages of modifying policies are as follows:
• does not require additional hardware
• can be implemented easily and quickly
Disadvantages
The disadvantages of modifying policies are as follows:
• can impact security
• usually a short term solution
Chapter 2
Log File Diagnostics
Overview
Introduction
Log files can help you identify and correct problems with components or agents. This chapter provides the following types of information:
• the path of the file
• file contents
• how to change logging levels
• how to view the log
Viewing logs
Most log files are text files that you can open with a standard text file editor. If a different method is needed for a particular log file, it is explained with the description of that log.
Important: Be sure to use a text editor that can handle large files.
In this chapter
This chapter contains the following sections:
Topic
Miscellaneous Logging Information
Log4j Logging Information
Sensor Controller Logging Information
Desktop Controller Logging Information
SECTION A: Miscellaneous Logging Information
Overview
Introduction
This section gives logging information related to various SiteProtector processes and components.
In this section
This section contains the following topics:
Topic
Application Server Logs
Database Logs
Installation Logs
X-Press Update Logs
Active Directory Logs
Application Server Logs
Introduction
This topic describes the log and configuration files that the application server uses:
• application server log files
• issDaemon logs
How log files are created on the application server
When you issue a command that displays or modifies a property, response, or policy file for an agent or core component, your SiteProtector system sends log files to the computer where the application server is running.
Location of application server logs
The path of the application server log files is \Program Files\ISS\RealSecureSiteProtector\Application Server\temp\AppServer.
Setting logging levels
The logging level determines the type and amount of system information that SiteProtector stores. To set logging levels for the application server logs:
• In the Sensor Controller Diagnostics console, right-click the SiteProtector Core component in the Sensor window.
Important: The application server does not use dynamic logging, so changes to the logging levels do not take effect until you restart the RealSecure Application Server Service.
Characteristics of application server logs
The following characteristics apply to all application server log files:
� The system overwrites a log file each time you restart the sensor controller.
� The amount of detail collected depends on the current trace level.
Note: The log files can quickly become very large when the logging level is high.
Description of log files
Table 9 describes the application server logs:
File name | Description
Issdk.txt | Logs high-level activity detailing application server interaction with all issDaemons
IssdkComm.txt | Logs low-level communication activity between the application server and issDaemons
IssdkInterface.txt | Logs low-level application server activity
Table 9: Application Server logs
Location of issDaemon logs
Logging information is available for each issDaemon with which the application server communicates. The path is \Program Files\ISS\RealSecureSiteProtector\Application Server\temp\SensorController\[email protected].
Note: The issDaemon log files are always available regardless of the trace level.
Description of log files
Table 10 describes the issDaemon log files:
File Name | Description
[email protected] | Copy of iss.access located at specified IP address
[email protected] | Copy of common.policy located at specified IP address
[email protected] | Copy of issDaemon.policy located at specified IP address
Table 10: issDaemon and application server communication logs
Database Logs
Introduction
Database log information, such as errors, number of rows loaded, number of rows rejected, and reasons for rows rejected, is logged to the messagelog table in the SiteProtector database.
Viewing database logs
Use Microsoft SQL Server Enterprise Manager or Query Analyzer to view the messagelog table.
Default logging level
The default logging level is set to Warnings. This level logs a limited set of significant events.
Changing the logging level
You can use the Sensor Details feature in the SiteProtector Console to change the logging level.
Recommendations for increased logging detail
Increasing the logging levels for an extended period of time can quickly fill the database. Use the following recommendations when increasing logging detail:
• Increase the logging levels (i.e., setting the logging level to Full) for short intervals as needed to gather detailed information.
• Reset the trace level to Warnings after you finish collecting detailed information.
Truncate the messagelog table after extended debugging, as well as during normal tracing if the table becomes too large.
Installation Logs
Introduction
The SiteProtector installation process generates a log file for each SiteProtector component you install. It also creates a detailed log file for each bulk copy of data loaded into a particular table on the SiteProtector database. The log files contain a line of text for each action taking place.
Location of log files
Table 11 provides the path of the log files on the computer where each component is installed:
Log Files | Folder
Component log files for installation | \temp\iss
SiteProtector database table bulk copy log files | \temp\iss\bulk copy logs
Table 11: Location of database log files
Log files created during installation
The log files created during installation depend on the type of installation (Basic or Custom). Table 12 contains the installation log files that may be generated during installation:
This log file... | Is created by...
Application_Server_Setup_Log.txt | Application Server installation
Console_Setup_Log.txt | Console installation
Site_Database_Setup_Log.txt | Database installation
Event_Collector_Setup_Log.txt | Event Collector installation
Desktop_Controller_Setup_Log.txt | Desktop Controller installation
Deployment_Manager_setup_log.txt | Deployment Manager installation
DMInstallAgent_<YYYYMMDD_HHMMSS>.txt | DMInstallAgent program for a Basic installation from CD
DMInstallAgent_<YYYYMMDD_HHMMSS>.txt | DMInstallAgent program for a Basic installation
DMInstallAgent_<YYYYMMDD_HHMMSS>.txt | DMInstallAgent program for installation of the Console
DMInstallAgent_<YYYYMMDD_HHMMSS>.txt | DMInstallAgent program for part 1 of the Custom installation
DMInstallAgent_<YYYYMMDD_HHMMSS>.txt | DMInstallAgent program for part 2 of the Custom installation
All_Components_Log.txt | User clicking Yes to the “Do you want to view the log file?” prompt on the message box.
Table 12: Log files that may be created at installation
Component log files for uninstallation
Log files are always created when you uninstall SiteProtector. The names of the log files are the same as those created during installation, but the contents are overwritten with the uninstallation process information if the original log files still exist.
Note: If error or warning messages occur during the installation process, and you want to save these messages for troubleshooting purposes, then rename the log files before you uninstall the application.
Viewing the component log files
If an error or warning occurs during the installation or uninstallation process in normal mode, the View Log File check box on the Finish window at the end of the process will be checked by default. This enables you to easily view the log file contents to determine the reason for the error or warning.
To view the component installation logs:
1. Click OK on the Finish window.
The Finish window closes and Notepad opens, displaying the contents of the installation/uninstallation log file.
2. View the errors and/or warnings in the log file to determine how to resolve the problem.
SiteProtector database table bulk copy log files
Approximately 50 pairs of log files are generated for each bulk copy that is created and populated for the SiteProtector database. Table 13 describes those pairs of log files:
Note: Statistics for the number of rows copied for every bulk copy file that was installed or uninstalled are included in the Enterprise_Database_Setup_Log.txt file. This file provides a single source for you to quickly determine which error messages or warnings have occurred.
Table Name | Description
<tablename>_Table_BulkCopy_Log.txt | Statistics related to bulk copy process used to create the database table (e.g., source, destination, number of rows copied, duration)
<tablename>Table_BulkCopy_ErrorLog.txt | File is empty unless errors have occurred
Table 13: SiteProtector database log descriptions
X-Press Update Logs
Introduction
You can generate log files to track the details of X-Press Update (XPU) activities for the application server and the sensor controller.
Contents of the log
The X-Press Update log file contains details of X-Press Update downloading activity and the overall X-Press Update status.
• This high-level log file contains details about XPU activity.
• The file is overwritten each time the application server or the sensor controller restarts.
• The amount of detail depends on current trace level.
Note: This file can quickly become large when logging level is high.
Location of log files
Table 14 provides the paths of the X-Press Update log files:
Component | X-Press Update log file path and name
application server | \Program Files\ISS\RealSecureSiteProtector\ApplicationServer\temp\AppServer\Xpu.txt
sensor controller | \Program Files\ISS\RealSecureSiteProtector\Application Server\temp\SensorController\Xpu.txt
Table 14: X-Press Update log file locations
Setting the X-Press Update logging level
To change the logging level for the X-Press Update log file:
1. On the Options menu, select XPU Logging Level.
2. Select the logging level you want to use.
Active Directory Logs
Introduction
The SiteProtector application generates Active Directory log files that can give you information about specific jobs and help you troubleshoot issues with your SiteProtector Active Directory listing.
Location of log files
You can find the Active Directory log files in the following location:
\Program Files\ISS\RealSecure SiteProtector\ApplicationServer\temp\Sensor Controller\SP [email protected]\Job_<job number>
Note: If you are using the Custom Installation, the Active Directory log files are located on your application server.
Description of log files
Table 15 provides the names and descriptions of the Active Directory log files:
Log file name | Description
warnings.csv
• lists hosts that were not added to the SiteProtector Active Directory listing
• provides information about why a host was not added to the SiteProtector Active Directory listing
• generated only when logging is set to Warn or higher
JobLog.txt
• lists system-related information
• generated with any logging level, except None
• generated when a system error occurs
Table 15: Active Directory log file locations
Setting the Active Directory logging level
The Active Directory Update job sets its logging level from the SiteProtector Core logging level. To set the Active Directory logging level:
1. In the Sensors tab, right-click SiteProtector Core.
2. In the pop-up box, select SiteProtector Core→Edit Properties.
The SiteProtector Core Properties window opens.
3. Click Advanced.
The Advanced SiteProtector Core Properties window appears.
4. In the Set sensor controller trace level drop-down list, select the logging level you want.
5. Select OK.
SECTION B: Log4j Logging Information
Overview
Introduction
This section provides log4j logging information, and also gives information about using the log4j tool to set logging levels.
In this section
This section contains the following topics:
Topic
Log4j Application Server and Sensor Controller Logs
Changing Log4j Logging Levels
Log4j Application Server and Sensor Controller Logs
Introduction
You can view the application server and sensor controller log4j logs in the following ways:
• in a text file in a standard text editor
• in the Windows 2000 Event Viewer Application Log
• in a run-time debug log on a Command Prompt window
Location of log files
Table 16 provides the paths of the run-time logs on the computer that hosts the application server and sensor controller.
Component | Properties File Path and File Name
application server | \Program Files\ISS\RealSecureSiteProtector\ApplicationServer\temp\app_server.<time stamp>.log
sensor controller | \Program Files\ISS\RealSecureSiteProtector\ApplicationServer\temp\sensor_ctl.<time stamp>.log
Table 16: Log4j log file locations
Viewing from a text file
To view the log:
• Open the log file for the application server (app_server.log) or the sensor controller (sensor_ctl.log) with any text file editor that can edit large files.
Viewing from the event viewer
Events generated by the application server and the sensor controller are logged to the Application Log in the Windows 2000 Event Viewer. The Source names for the events are issSPAppService and issSPSenCtlService.
To view the events from the Windows 2000 Event Viewer Application Log:
1. Click Start on the taskbar, and then select Programs→Administrative Tools.
2. Double-click the Event Viewer icon.
3. In the left pane, select the application log.
4. In the right pane of the Source column, look for issSPAppService and issSPSenCtlService.
Tip: Click the Source column to sort the list.
Viewing run-time debug logs
To view the run-time debug log:
• Locate the Command Prompt window that contains the debug log.
Important: You must first configure the application server and the sensor controller to enable run-time logging.
Changing Log4j Logging Levels
Introduction
This topic describes logging levels for log4j logs. These logging levels are separate and distinct from the logging levels on the Sensor Controller Diagnostics console’s Set Logging Level menu.
Note: Methods for viewing the log4j logs are explained in “Log4j Application Server and Sensor Controller Logs.”
Logging levels
The log4j tool provides five priority levels of logging detail. (See non-ISS documentation at http://jakarta.apache.org/log4j/docs/manual.html.) The default logging level is set to fatal, which only logs very serious errors.
Priority levels, in decreasing order of logging detail, are as follows:
• DEBUG
• INFO
• WARN
• ERROR
• FATAL
Recommendations for logging detail
Increasing the logging levels for an extended period of time can quickly fill the log file. Follow these recommendations when increasing logging detail:
• Increase the logging levels for short intervals as needed to gather detailed information.
• Delete the log files at any time, as they can quickly become large.
• Delete the app_server.log, and then restart the application server.
• Delete the sensor_ctl.log, and then restart the sensor controller.
• Check the log4j documentation for procedures that automatically roll the logs into manageable sizes.
Where the logging level is set
The logging level is set in a properties file for each component. The properties file path and file name for the application server are as follows:
\Program Files\ISS\RealSecure SiteProtector\ApplicationServer\config\log.properties
Important: The file must be present before any logging takes place.
Changing the logging level
To change the logging level:
1. In Notepad or an equivalent text editor, open the properties file for the application server (log.properties).
2. Find the line that contains the following:
log4j.rootLogger=logging_level
Note: The logging_level value is one of the five possible logging levels.
3. Replace the logging level with another available logging level.
Example: Change the logging level from FATAL to DEBUG.
4. Save the file.
Note: You must restart the application server before the logging change takes effect.
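The same edit can be scripted so that the level is validated and the rest of the file is left untouched. The following Python script is an added example, not part of the original guide or of SiteProtector. It assumes the log4j 1.x properties syntax, in which the level on the rootLogger line may be followed by a comma-separated list of appender names; the sample file content and the appender names FILE and CONSOLE are constructed.

```python
import re
import shutil

# The five priority levels this guide lists, most to least detailed.
LEVELS = ("DEBUG", "INFO", "WARN", "ERROR", "FATAL")

# Matches an active (uncommented) rootLogger line. Group 2 is the level and
# group 3 is whatever follows it (appender names in log4j 1.x), kept as-is.
ROOT_RE = re.compile(r"^(\s*log4j\.rootLogger\s*[=:]\s*)([^,\s]*)(.*)$")

# Constructed sample, not the log.properties shipped with SiteProtector.
SAMPLE_PROPERTIES = (
    "# constructed sample\n"
    "#log4j.rootLogger=DEBUG, FILE\n"
    "log4j.rootLogger=FATAL, FILE, CONSOLE\n"
    "log4j.appender.FILE=org.apache.log4j.FileAppender\n"
)


def get_root_level(text):
    """Return the active root logging level, or None if no line sets it."""
    for line in text.splitlines():
        match = ROOT_RE.match(line)
        if match:
            return match.group(2).upper()
    return None


def set_root_level(text, new_level):
    """Return text with the root level replaced and everything else unchanged."""
    new_level = new_level.upper()
    if new_level not in LEVELS:
        raise ValueError(f"{new_level!r} is not one of {LEVELS}")
    out, changed = [], False
    for line in text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        match = ROOT_RE.match(body)
        if match and not changed:
            # Keep the key, the appender list and the original line ending.
            line = match.group(1) + new_level + match.group(3) + line[len(body):]
            changed = True
        out.append(line)
    if not changed:
        raise LookupError("no active log4j.rootLogger line found")
    return "".join(out)


def change_level_in_file(path, new_level):
    """Back up path to path + '.bak', rewrite it, and return (old, new) levels."""
    # Properties files are ISO-8859-1; newline="" preserves CRLF line endings.
    with open(path, "r", encoding="latin-1", newline="") as handle:
        original = handle.read()
    updated = set_root_level(original, new_level)
    shutil.copy2(path, path + ".bak")
    with open(path, "w", encoding="latin-1", newline="") as handle:
        handle.write(updated)
    return get_root_level(original), get_root_level(updated)


if __name__ == "__main__":
    print("current level:", get_root_level(SAMPLE_PROPERTIES))
    print(set_root_level(SAMPLE_PROPERTIES, "DEBUG"))
```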
SECTION C: Sensor Controller Logging Information
Overview
Introduction
This section lists SiteProtector logging information for components that are managed with the sensor controller.
In this section
This section contains the following topics:
Topic
Sensor Controller Logs
Sensor Controller SiteProtector Database Logs
Sensor Controller SiteProtector Core Logs
Sensor Controller Event Collector Logs
Sensor Controller Desktop Controller Logs
Sensor Controller Internet Scanner Logs
Sensor Controller Internet Scanner Databridge Logs
Sensor Controller A-Series Appliance Logs
Sensor Controller G-Series Appliance Logs
Sensor Controller RealSecure Network Logs
Sensor Controller RealSecure Network Gigabit Logs
Sensor Controller RealSecure Server Sensor Logs
Sensor Controller SiteProtector Third Party Module Logs
Sensor Controller Logs
Introduction
This topic introduces log and configuration files that the sensor controller uses:
• the log files for the sensor controller
• the configuration and log files for the agents and SiteProtector components with which the sensor controller communicates
How sensor controller logging works
When you issue a command that displays or modifies a property, response, or policy file for an agent or core component, your SiteProtector system sends log files to the computer where the sensor controller is running.
Location of log files
The path of the files is as follows:
Program Files\ISS\RealSecure SiteProtector\Application Server\temp
Dynamic logging levels
Changes to the logging levels are dynamic. You do not have to restart the RealSecure Sensor Controller Service for the changes to go into effect.
Common characteristics
The following common characteristics apply to all sensor controller log files:
• The log file is overwritten each time you restart the sensor controller, but only if the logging level is not full. If the logging level is full, the file is appended to.
• The amount of detail collected depends on the current trace level.
Note: The log files can quickly become large when the logging level is high.
Description of log files
Table 17 describes the log files for the sensor controller:
Log File Name | Description
Issdk.txt | logs high-level activity detailing sensor controller interaction with all agents and core components
IssdkComm.txt | logs low-level communication activity between the sensor controller and agents
IssdkInterface.txt | logs low-level sensor controller activity
Table 17: Sensor controller dynamic log files
Changing logging levels for agents
To change the logging levels:
1. In the Sensors window, right-click the agent.
2. Select Details in the pop-up menu.
3. Select the desired logging level in the Sets new sensor logging level drop-down list.
4. Click OK.
Sensor Controller SiteProtector Database Logs
Introduction
The SiteProtector database files contain information related to the SiteProtector database located at the given IP address. The path of the log file is \ProgramFiles\ISS\RealSecure SiteProtector\Application Server\temp\SensorController\Site Protector [email protected].
Note: If the trace level is set to 0 and the job is completed, then the system deletes the Job folder. Otherwise, the default location of command job log files for the SiteProtector database is:
\Program Files\ISS\RealSecure SiteProtector\Application Server\temp\Sensor Controller\Site Protector [email protected]\Job_<jobnumber>
Description of log files
Table 18 describes the SiteProtector database log file:
Log File Name | Description
Site [email protected]
• low-level log file detailing sensor controller interaction with SiteProtector database component (i.e. XPU activity)
• overwritten each time sensor controller restarts
• amount of detail depends on current logging level
Table 18: SiteProtector database log files
Sensor Controller SiteProtector Core Logs
Introduction
The SiteProtector Core log files contain information related to the sensor controller located at the given IP address. The path of the log files is \ProgramFiles\ISS\RealSecure SiteProtector\Application Server\temp.
Note: If the trace level is set to 0 and the job is completed, then the system deletes the Job folder. Otherwise, the default location of command job log files for the SiteProtector Core is:
\Program Files\ISS\RealSecure SiteProtector\Application Server\temp\sensor_ctl.<time stamp>.log
Description of log files
Table 19 describes the SiteProtector Core log files:
Log File Name | Description
sensor_ctl.<time stamp>.log
• generated file containing runtime debug information
• overwritten each time sensor controller service restarts
• amount of detail depends on current logging level
Table 19: SiteProtector Core log files
Sensor Controller Event Collector Logs
Introduction
The default path of configuration files for the event collector at the given IP address is \Program Files\ISS\RealSecure SiteProtector\ApplicationServer\temp\Sensor Controller\EventCollector_<DNS>@xxx.xxx.xxx.xxx. The default installation path of the event collector is \Program Files\ISS\RealSecureSiteProtector\Event Collector.
Note: If the trace level is set to 0 and the job is completed, then the system deletes the Job folder. Otherwise, the default location of command job log files for the event collector is:
\Program Files\ISS\RealSecure SiteProtector\ApplicationServer\temp\Sensor Controller\EventCollector_<DNS>@xxx.xxx.xxx.xxx\Job_<job number>
Description of log files
Table 20 describes the event collector log files:
Log File Names | Description
EventCollector_<DNS>@xxx.xxx.xxx.xxx.common
• copy of common.policy located at specified IP address
• always available
• independent of logging level
EventCollector_<DNS>@xxx.xxx.xxx.xxx.daemon
• copy of issDaemon.policy located at specified IP address
• always available
• independent of logging level
EventCollector_<DNS>@xxx.xxx.xxx.xxx.policy
• copy of current.policy located at specified IP address
• always available
• independent of logging level
EventCollector_<DNS>@xxx.xxx.xxx.xxx.status
• copy of ec_status.policy (located at specified IP address) that details the Event Collector control list and status information
• always available
• independent of logging level
EventCollector_<DNS>@xxx.xxx.xxx.xxx.prop
• generated file containing runtime configuration information
• overwritten each time sensor controller restarts but is independent of logging level
EventCollector_<DNS>@xxx.xxx.xxx.xxx.properties
• cached file of user modifications to properties
• overwritten each time sensor controller restarts but is independent of logging level
EventCollector_<DNS>@xxx.xxx.xxx.xxx.txt
• generated file containing runtime debug information detailing interaction between sensor controller and event collector
• overwritten each time sensor controller restarts
• amount of detail depends on current logging level
Table 20: Event collector log files
Sensor Controller Desktop Controller Logs
Introduction The default path of configuration files for the Desktop Controller at the given IP address is \Program Files\ISS\RealSecure SiteProtector\ApplicationServer\temp\Sensor Controller\DesktopController_<DNS>@xxx.xxx.xxx.xxx. The default installation path of the Desktop Controller is \Program Files\ISS\RealSecure SiteProtector\Desktop Controller.
Note: If the trace level is set to 0 and the job is completed, then the system deletes the Job folder. Otherwise, the default location of command job log files for the Desktop Controller is:
\Program Files\ISS\RealSecure SiteProtector\Desktop Controller\Job_<jobnumber>
Description of log files
Table 21 describes the Desktop Controller log files:
Log File Names Description
DesktopController_<DNS>@xxx.xxx.xxx.xxx.common
• copy of common.policy located at specified IP address
• always available
• independent of logging level
DesktopController_<DNS>@xxx.xxx.xxx.xxx.daemon
• copy of issDaemon.policy located at specified IP address
• always available
• independent of logging level
DesktopController_<DNS>@xxx.xxx.xxx.xxx.policy
• copy of current.policy located at specified IP address
• always available
• independent of logging level
DesktopController_<DNS>@xxx.xxx.xxx.xxx.status
• copy of the Desktop Controller status policy file (located at specified IP address) that details the Desktop Controller control list and status information
• always available
• independent of logging level
DesktopController_<DNS>@xxx.xxx.xxx.xxx.prop
• generated file containing runtime configuration information
• overwritten each time sensor controller restarts but is independent of logging level
DesktopController_<DNS>@xxx.xxx.xxx.xxx.properties
• cached file of user modifications to properties
• overwritten each time sensor controller restarts but is independent of logging level
DesktopController_<DNS>@xxx.xxx.xxx.xxx.txt
• generated file containing runtime debug information detailing interaction between sensor controller and Desktop Controller
• overwritten each time sensor controller restarts
• amount of detail depends on current logging level
Table 21: Desktop Controller log files
Sensor Controller Internet Scanner Logs
Introduction The path of the configuration and log files for the Internet Scanner located at the given IP address is \Program Files\ISS\RealSecure SiteProtector\ApplicationServer\temp\Sensor Controller\[email protected]. The default installation path for Internet Scanner 6.2.1 is \Program Files\ISS\Scanner6. The default installation path for Internet Scanner 7.0 is \Program Files\ISS\issSensors\Scanner_1.
Note: If the trace level is set to 0 and the job is completed, then the system deletes the Job folder. Otherwise, the default location of command job log files for the Internet Scanner is:
Version Path
6.2.1 \Program Files\ISS\Scanner6\Job_<job number>
7.0 \Program Files\ISS\Scanner_1\log\Job_<job number>
Table 22: Location of Internet Scanner logs
Location of Internet Scanner job-specific log files
The path of the log files related to specific jobs for Internet Scanner is \Program Files\ISS\RealSecure SiteProtector\Application Server\temp\SensorController\[email protected]. The files are located in subfolders according to the job name. By default, the path for Internet Scanner 6.2.1 configuration files is \Program Files\ISS\Scanner6 on the computer that hosts the Internet Scanner. The general form is as follows:
• Job_x – folder containing files related to job number “x”
Note: Internet Scanner 7.0 does not use files with the .cfg extension. However, Internet Scanner 7.0 log files are located by default in \Program Files\ISS\issSensors\scanner_1\log.
Description of Internet Scanner job-specific log files
Table 23 describes the job-specific log files:
Log File Name Description
hosts.hst IP range of hosts to be scanned
iss.key license key that limits IP range that can be scanned
*.policy policy file used by Internet Scanner during scan (e.g., L1 Inventory.policy)
Table 23: Internet Scanner job-specific log files
Sensor Controller Internet Scanner Databridge Logs
Introduction The path of the log files for the Internet Scanner Databridge at the given IP address is \Program Files\ISS\RealSecure SiteProtector\ApplicationServer\temp\SensorController\[email protected]. The default installation path for the Internet Scanner Databridge is \Program Files\ISS\issSensors\Internet_Scanner_DataBridge.
Note: If the trace level is set to 0 and the job is completed, then the system deletes the Job folder. Otherwise, the default location of command job log files for the Internet Scanner Databridge is:
\Program Files\ISS\issSensors\Internet_Scanner_DataBridge\Job_<jobnumber>
Description of log files
Table 24 describes the Internet Scanner Databridge log files:
File Names Description
• copy of current.policy located at specified IP address
• always available
• independent of logging level
• generated file containing runtime configuration information
• overwritten each time sensor controller restarts but is independent of logging level
• cached file of user modifications to properties
• overwritten each time sensor controller restarts but is independent of logging level
• generated file containing runtime debug information detailing interaction between sensor controller and Internet Scanner Databridge
• overwritten each time sensor controller restarts
• amount of detail depends on current logging level
Table 24: Internet Scanner Databridge log files
Sensor Controller A-Series Appliance Logs
Introduction The A-Series appliance log files contain information related to the A-Series appliance located at the given IP address. The path of the log files is \Program Files\ISS\RealSecure SiteProtector\Application Server\temp\SensorController\Proventia_A<model number>@xxx.xxx.xxx.xxx.
Note: If the trace level is set to 0 and the job is completed, then the system deletes the Job folder. Otherwise, the default location of command job log files for the A-Series appliance is:
\Program Files\ISS\RealSecure SiteProtector\ApplicationServer\temp\Sensor Controller\Proventia_A<model number>\Job_<job number>
Description of log files
Table 25 describes the A-Series appliance log files:
Log File Names Description
Proventia_A<modelnumber>@xxx.xxx.xxx.xxx.policy
• copy of current.policy located at specified IP address
• always available
• independent of logging level
Proventia_A<modelnumber>@xxx.xxx.xxx.xxx.prop
• generated file containing runtime configuration information
• overwritten each time sensor controller restarts but is independent of logging level
Proventia_A<modelnumber>@xxx.xxx.xxx.xxx.properties
• cached file of user modifications to properties
• overwritten each time sensor controller restarts but is independent of logging level
Proventia_A<modelnumber>@xxx.xxx.xxx.xxx.txt
• generated file containing runtime debug information
• overwritten each time sensor controller restarts
• amount of detail depends on current logging level
Table 25: A-Series appliance log files
Sensor Controller G-Series Appliance Logs
Introduction The G-Series appliance log files contain information related to the G-Series appliance located at the given IP address. The path of the log files is \Program Files\ISS\RealSecure SiteProtector\Application Server\temp\SensorController\Proventia_G<model number>@xxx.xxx.xxx.xxx.
Note: If the trace level is set to 0 and the job is completed, then the system deletes the Job folder. Otherwise, the default location of command job log files for the G-Series appliance is:
\Program Files\ISS\RealSecure SiteProtector\Application Server\temp\Sensor Controller\Proventia_G<model number>\Job_<job number>
Description of log files
Table 26 describes the G-Series appliance log files:
Log File Names Description
Proventia_G<modelnumber>@xxx.xxx.xxx.xxx.policy
• copy of current.policy located at specified IP address
• always available
• independent of logging level
Proventia_G<modelnumber>@xxx.xxx.xxx.xxx.prop
• generated file containing runtime configuration information
• overwritten each time sensor controller restarts but is independent of logging level
Proventia_G<modelnumber>@xxx.xxx.xxx.xxx.properties
• cached file of user modifications to properties
• overwritten each time sensor controller restarts but is independent of logging level
Proventia_G<modelnumber>@xxx.xxx.xxx.xxx.txt
• generated file containing runtime debug information
• overwritten each time sensor controller restarts
• amount of detail depends on current logging level
Table 26: G-Series appliance log files
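The file naming convention in Tables 20, 21, 25 and 26 (<component>@<IP address>.<extension>) can be used to sort a Sensor Controller temp folder into files that survive a restart and files that must be copied before the sensor controller is restarted. The PowerShell below is an added example, not part of the ISS guide; the function names are hypothetical, the dotted IPv4 form is assumed from the xxx.xxx.xxx.xxx placeholder, and the sample names are constructed.

```powershell
# Extension -> behaviour, transcribed from Tables 20, 21, 25 and 26.
# Volatile       = overwritten each time the sensor controller restarts
# LevelDependent = amount of detail depends on the current logging level
$SensorControllerFileKinds = @{
    common     = @{ Content = 'copy of common.policy';              Volatile = $false; LevelDependent = $false }
    daemon     = @{ Content = 'copy of issDaemon.policy';           Volatile = $false; LevelDependent = $false }
    policy     = @{ Content = 'copy of current.policy';             Volatile = $false; LevelDependent = $false }
    status     = @{ Content = 'copy of component status policy';    Volatile = $false; LevelDependent = $false }
    prop       = @{ Content = 'generated runtime configuration';    Volatile = $true;  LevelDependent = $false }
    properties = @{ Content = 'cached user property modifications'; Volatile = $true;  LevelDependent = $false }
    txt        = @{ Content = 'runtime debug information';          Volatile = $true;  LevelDependent = $true  }
}

function ConvertFrom-SensorControllerFileName {
    # Hypothetical helper: splits <component>@<IPv4>.<extension> and attaches the table data.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string]$Name
    )
    process {
        $pattern = '^(?<component>[^@\\/]+)@(?<ip>\d{1,3}(?:\.\d{1,3}){3})\.(?<ext>[A-Za-z]+)$'
        if ($Name -match $pattern) {
            $ext  = $Matches['ext'].ToLowerInvariant()
            $kind = $SensorControllerFileKinds[$ext]
            if ($null -eq $kind) {
                Write-Verbose "Skipping '$Name': extension '$ext' is not listed in the tables"
                return
            }
            [pscustomobject]@{
                Component            = $Matches['component']
                Address              = $Matches['ip']
                Extension            = $ext
                Content              = $kind.Content
                OverwrittenOnRestart = $kind.Volatile
                DependsOnLogLevel    = $kind.LevelDependent
            }
        }
        else {
            Write-Verbose "Skipping '$Name': not in <component>@<IP>.<extension> form"
        }
    }
}

function Get-SensorControllerCacheFile {
    # Walks a Sensor Controller temp folder and classifies every file that follows the convention.
    param([Parameter(Mandatory = $true)][string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -File | ForEach-Object {
        $file = $_
        $info = ConvertFrom-SensorControllerFileName -Name $file.Name
        if ($info) {
            $info |
                Add-Member -NotePropertyName LastWriteTime -NotePropertyValue $file.LastWriteTime -PassThru |
                Add-Member -NotePropertyName FullName -NotePropertyValue $file.FullName -PassThru
        }
    }
}

function Get-RemainingJobFolder {
    # Job folders are deleted when the trace level is 0 and the job completed,
    # so any Job_* folder still present is worth a look.
    param([Parameter(Mandatory = $true)][string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -Directory |
        Where-Object { $_.Name -like 'Job_*' } |
        Select-Object FullName, LastWriteTime
}

# Constructed sample names (documentation addresses, not from a real site).
$sampleNames = @(
    'EventCollector_ec01@192.0.2.10.policy'
    'EventCollector_ec01@192.0.2.10.status'
    'EventCollector_ec01@192.0.2.10.properties'
    'EventCollector_ec01@192.0.2.10.txt'
    'DesktopController_dc01@192.0.2.11.prop'
    'readme.txt'
)

$sampleNames |
    ConvertFrom-SensorControllerFileName |
    Sort-Object -Property OverwrittenOnRestart -Descending |
    Format-Table Component, Address, Extension, OverwrittenOnRestart, DependsOnLogLevel -AutoSize
```

Rows with OverwrittenOnRestart set to True are the ones to copy aside before stopping or restarting the sensor controller during an investigation.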
Sensor Controller RealSecure Network Logs
Introduction The RealSecure Network log files contain information related to the RealSecure Network agent located at the given IP address. The path of the log files is \Program Files\ISS\RealSecure SiteProtector\ApplicationServer\temp\Sensor Controller\[email protected].
Note: If the trace level is set to 0 and the job is completed, then the system deletes the Job folder. Otherwise, the default location of command job log files for the RealSecure Network agent is:
\Program Files\ISS\RealSecure SiteProtector\ApplicationServer\temp\Sensor Controller\[email protected]\Job_<jobnumber>
Description of log files
Table 27 describes the RealSecure Network agent log files:
Note: All logging is saved for successful jobs, unless the logging level is turned off.
Log File Names Description
• copy of current.policy located at specified IP address
• always available
• independent of logging level
• generated file containing runtime configuration information
• overwritten each time sensor controller restarts but is independent of logging level
• cached file of user modifications to properties
• overwritten each time sensor controller restarts but is independent of logging level
• generated file containing runtime debug information detailing interaction between sensor controller and network sensor
• overwritten each time sensor controller restarts
• amount of detail depends on current logging level
Table 27: RealSecure Network agent log files
Sensor Controller RealSecure Network Gigabit Logs
Introduction The RealSecure Network Gigabit log files contain information related to the RealSecure Network Gigabit agent located at the given IP address. The path of the log files is \Program Files\ISS\RealSecure SiteProtector\ApplicationServer\temp\Sensor Controller\[email protected].
Note: If the trace level is set to 0 and the job is completed, then the system deletes the Job folder. Otherwise, the default location of command job log files for the RealSecure Network Gigabit is:
\Program Files\ISS\RealSecure SiteProtector\Application Server\temp\Sensor Controller\[email protected]\Job_<job number>
Description of log files
Table 28 describes the RealSecure Network Gigabit log files:
Log File Names Description
• copy of current.policy located at specified IP address
• always available
• independent of logging level
• generated file containing runtime configuration information
• overwritten each time sensor controller restarts but is independent of logging level
• cached file of user modifications to properties
• overwritten each time sensor controller restarts but is independent of logging level
• generated file containing runtime debug information detailing interaction between sensor controller and network sensor
• overwritten each time sensor controller restarts
• amount of detail depends on current logging level
Table 28: RealSecure Network Gigabit log files
Sensor Controller RealSecure Server Sensor Logs
Introduction The RealSecure Server Sensor log files contain information related to the RealSecure Server Sensor located at the given IP address. The path of the log files is \Program Files\ISS\RealSecure SiteProtector\Application Server\temp\SensorController\<server sensor name>@xxx.xxx.xxx.xxx.
Note: If the trace level is set to 0 and the job is completed, then the system deletes the Job folder. Otherwise, the default location of command job log files for the RealSecure Server Sensor is:
\Program Files\ISS\RealSecure SiteProtector\Application Server\temp\Sensor Controller\<server sensor name>@xxx.xxx.xxx.xxx\Job_<job number>
Description of log files
Table 29 describes the server sensor log files:
Log File Name Description
• copy of current.policy located at specified IP address
• always available
• independent of logging level
• generated file containing runtime configuration information
• overwritten each time sensor controller restarts but is independent of logging level
• cached file of user modifications to properties
• overwritten each time sensor controller restarts but is independent of logging level
• generated file containing runtime debug information detailing interaction between sensor controller and server sensor
• overwritten each time sensor controller restarts
• amount of detail depends on current logging level
Table 29: RealSecure Server Sensor log files
Sensor Controller SiteProtector Third Party Module Logs
Introduction The Third Party Module log files contain information related to the Third Party Module located at the given IP address. The paths to the log files are as follows:
Firewall Log file path
CheckPoint \ISS\issSensors\ThirdPartyModule_Checkpoint_1\Logs
Cisco PIX \ISS\issSensors\ThirdPartyModule_Cisco_1\Logs
CheckPoint log files Table 30 describes the CheckPoint Third Party Module log files:
Log File Name Description
sensor_health.policy
• copy of current.policy located at specified IP address
• always available
• independent of logging level
LeaTraceLog.txt, TpmLog.txt, TPMTraceLog.txt
• generated file containing runtime debug information
• overwritten each time sensor controller restarts
• amount of detail depends on current logging level
Table 30: CheckPoint Third Party Module log files
Cisco PIX log files Table 31 describes the Cisco PIX Third Party Module log files:
Log File Name Description
sensor_health.policy
• copy of current.policy located at specified IP address
• always available
• independent of logging level
TpmLog.txt, TPMTraceLog.txt
• generated file containing runtime debug information
• overwritten each time sensor controller restarts
• amount of detail depends on current logging level
Table 31: Cisco PIX Third Party Module log files
SECTION D: Desktop Controller Logging Information
Overview
Introduction This section lists SiteProtector logging information for components that are managed with the Desktop Controller.
In this section This section contains the following topics:
Topic
Desktop Controller Desktop Protection Logs
Desktop Controller M-Series Appliance Logs
Desktop Controller Desktop Protection Logs
Introduction The Desktop Protection log files contain information related to the Desktop Controller located at the given IP address. The path of the log files is \Program Files\ISS\RealSecure SiteProtector\Desktop Controller\Logs.
Logging levels If you are experiencing problems with your Desktop Controller applications, you should adjust logging levels to help troubleshoot the issues. You set logging levels in the rsspdc.ini file, which is located in the following directory on the Desktop Controller computer:
\Program Files\ISS\RealSecure SiteProtector\Desktop Controller
Setting and clearing logging levels
To set a logging level:
1. In the rsspdc.ini file, cut the logging level you want from the dcLog.clear line, and then paste it into the dcLog.set line.
To clear a logging level, cut it from the dcLog.set line, and then paste it into the dcLog.clear line.
2. Save, and then close the files.
3. From the SiteProtector Console, stop, and then start the Desktop Controller.
Important: ISS strongly recommends that you perform this procedure only with guidance from ISS Technical Support.
Logging level parameters
The following table lists the logging level parameters:
Logging level Description
EXCEPTION Error level logging including both fatal and non-fatal. These errors may indicate expected failure situations (such as connectivity loss or out of memory errors) or unexpected problems from outside the Desktop Controller (such as malformed XML policies or unexpected events from agents).
ASSERTION Debug assertion logging that indicates a bug in the Desktop Controller code. These errors indicate abnormal conditions and if seen, they should be reported to ISS Technical Support.
WARNING Warning logging for non-critical/recoverable conditions in the Desktop Controller like DB connectivity loss.
INFORMATION Information logging of general activity in the Desktop Controller.
HTTPRESPONSE Logging of HTTP response data to agents from the Desktop Controller.
HTTPEVENT Logging of incoming HTTP event/heartbeat data from agents.
FIREWALL Logging of firewall rule-setting during policy loading.
AGENTDOWNLOAD Logging of HTTP request information when agents download files from the Desktop Controller (including configuration files or upgrade packages).
WEBSERVER Logging of Web server activity in the Desktop Controller.
SYSMON General logging level for system type events like thread startup and shutdown.
ALERT Logging of alert/response information for SMTP, Pager, and SNMP alerts.
METRICS Traces incoming event counts.
VERBOSE Logging of repeated informational traces such as polling thread activity and policy/property file loading.
Table 32: Desktop Protection logging level parameters
Desktop Controller M-Series Appliance Logs
Introduction The M-Series log file contains information related to the M-Series appliance located at the given IP address. The path to the log file is /var/log/messages.
Local Management Interface
The easiest way to access the log file is by using the Local Management Interface (LMI) on the M-Series appliance. For information about how to access the log file using the LMI, see the Proventia M-Series Appliances User Guide.
Description of log file
Table 33 describes the M-Series log file:
Log file parameter Description
Date/Time The date and time that the event was detected.
Event Type The type of event that was detected. The event types are:
• anti-virus
• firewall
• intrusion protection module
• system
Other event details Besides Date, Time, and Event Type, the following event information can be included in the M-Series log file:
• generated error message
• source/destination IP address
• source/destination port
• host name
Table 33: M-Series log file
Chapter 3
Diagnostic and Debugging Setup
Overview
Introduction This chapter explains the options for setting up the Sensor Controller Diagnostics console and how to activate run-time debugging for the sensor controller and the application server.
Options for running the sensor controller
By default, the sensor controller runs as a service without the Sensor Controller Diagnostics console. When you run the Sensor Controller Diagnostics console, you can run the sensor controller either as a service or as a Java application.
• If you are only logging agent data, you can use either method.
• If you are unable to start the sensor controller as a service, you can start it as a Java application. Starting the sensor controller as a Java application is also quicker.
Log information For information about the debug logs for the sensor controller and the application server, see the following:
• “Log4j Application Server and Sensor Controller Logs” on page 28
• “Changing Log4j Logging Levels” on page 29
Where to find the Sensor Controller Diagnostics console
The Sensor Controller Diagnostics console is installed with the sensor controller and the application server. The instructions for setting up the Sensor Controller Diagnostics console reference the default installation paths. If you installed SiteProtector components to other paths, you must use those instead.
In this chapter This chapter contains the following topics:
Topic
Diagnostic and Debugging Setup
Setting up Run-time Logging for the RealSecure SiteProtector Sensor Controller Service
Setting up Run-Time Logging for the RealSecure SiteProtector Application Server Service
Running the Sensor Controller as a Java Application
Introduction When you run the sensor controller as a Java application, you start the Sensor Controller Diagnostics console and the run-time debug log together from a command prompt window.
Note: When you set up the Sensor Controller Diagnostics console, you also activate the run-time debug logs for the sensor controller.
Procedure To run the sensor controller as a Java application:
1. Access the Services utility on your computer.
2. Select the RealSecure SiteProtector Sensor Controller Service, and then click Stop.
3. Access the Command Prompt.
4. Change directories to \Program Files\ISS\RealSecure SiteProtector\Application Server\bin.
5. Type ccengine -debug, and then press ENTER.
Logging information is displayed, and the Sensor Controller Diagnostics console appears.
Setting up Run-time Logging for the RealSecure SiteProtector Sensor Controller Service
Introduction When you use the Sensor Controller Diagnostics console with the sensor controller as a service, the run-time debug log appears in a separate Command Prompt window.
Process overview Starting the Sensor Controller Diagnostics console with the RealSecure SiteProtector Sensor Controller service is a four-task process:
Task Description
Stop the RealSecure SiteProtector Sensor Controller service
• Use the Services Administrative Tool to stop the RealSecure SiteProtector Sensor Controller service.
Edit the properties of the service
• From the Log On tab, select the Allow service to interact with desktop check box
Change the registry setting
• Change the setting of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\issSPSenCtlService\Parameters\ConsoleTrace registry key from N to Y
Change directories
• From the Command Prompt, change directories to \Program Files\ISS\RealSecure SiteProtector\Application Server\bin, and then run the ccengine -debug command.
Table 34: Starting the Sensor Controller Diagnostics console
Procedure To start run-time logging with the sensor controller as a service:
1. Select Start on the taskbar, and then select Settings→Control Panel.
2. Double-click the Administrative Tools icon, and then double-click the Services icon.
3. Select RealSecure SiteProtector Sensor Controller Service, and then click Stop.
4. Right-click RealSecure SiteProtector Sensor Controller Service, and then select Properties from the pop-up menu.
5. Select the Log On tab, and select the Allow service to interact with desktop check box, and then click OK.
Tip: Do not close the Services window.
6. Select Start on the taskbar, and then select Run.
7. Type regedit, and then press ENTER.
The Registry Editor appears.
8. In the left pane, select HKEY_LOCAL_MACHINE→SYSTEM→CurrentControlSet→Services→issSPSenCtlService→Parameters.
9. In the right pane, double-click ConsoleTrace, type Y in the Value data box, and then click OK.
10. In Services, select RealSecure SiteProtector Sensor Controller Service, and then click Start. Access the Services utility on your computer.
11. Select the RealSecure SiteProtector Sensor Controller Service, and then click Stop.
12. Access the Command Prompt.
13. Change directories to \Program Files\ISS\RealSecure SiteProtector\Application Server\bin.
14. Type ccengine -debug, and then press ENTER.
15. Logging information is displayed, and the Sensor Controller Diagnostics console appears.
Setting up Run-Time Logging for the RealSecure SiteProtector Application Server Service
Introduction When you enable run-time logging for the application server, it continues to run as a service. The run-time logging information appears in a separate Command Prompt window.
Procedure To set up run-time logging for the application server:
1. Select Start on the taskbar, and then select Settings→Control Panel.
2. Double-click the Administrative Tools icon, and then double-click the Services icon.
3. Select RealSecure SiteProtector Application Server, and then click Stop.
4. Right-click RealSecure SiteProtector Application Server, and then select Properties from the pop-up menu.
5. Select the Log On tab, and select the Allow service to interact with desktop check box, and then click OK.
Tip: Do not close the Services window.
6. Select Start on the taskbar, and then select Run.
7. Type regedit, and then press ENTER.
The Registry Editor appears.
8. In the left pane, select HKEY_LOCAL_MACHINE→SYSTEM→CurrentControlSet→Services→issSPAppService→Parameters.
9. In the right pane, double-click ConsoleTrace, type Y in the Value data box, and then click OK.
10. In Services, select RealSecure SiteProtector Application Server, and then click Start.
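The service and registry steps of the two run-time logging procedures above, scripted in PowerShell as an added example that is not part of the ISS guide. It sets ConsoleTrace and restarts the service, and it reports (but does not change) the Allow service to interact with desktop setting, so that debug settings left enabled after troubleshooting can be found and reverted. The function names are hypothetical, and treating ConsoleTrace as a string value is an assumption.

```powershell
# Run from an elevated PowerShell session on the SiteProtector server.

# Service key names as they appear in the registry paths in the procedures above.
$IssServices = @('issSPSenCtlService', 'issSPAppService')

# Win32 service-type flag that the "Allow service to interact with desktop" check box sets.
$ServiceInteractiveProcess = 0x100

function Get-IssConsoleTraceState {
    # Read-only report: service status, ConsoleTrace value, interactive flag.
    param([string[]]$ServiceName = $IssServices)

    foreach ($name in $ServiceName) {
        $svcKey   = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
        $paramKey = "$svcKey\Parameters"

        if (-not (Test-Path -LiteralPath $svcKey)) {
            Write-Warning "Service key for '$name' not found on this computer"
            continue
        }

        $type    = (Get-ItemProperty -LiteralPath $svcKey).Type
        $trace   = (Get-ItemProperty -LiteralPath $paramKey -ErrorAction SilentlyContinue).ConsoleTrace
        $service = Get-Service -Name $name -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Service              = $name
            Status               = if ($service) { $service.Status } else { 'Unknown' }
            ConsoleTrace         = $trace
            InteractsWithDesktop = [bool]($type -band $ServiceInteractiveProcess)
        }
    }
}

function Set-IssConsoleTrace {
    # Stop the service, write ConsoleTrace (Y = run-time logging on, N = off), start it again.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('issSPSenCtlService', 'issSPAppService')]
        [string]$ServiceName,

        [Parameter(Mandatory = $true)]
        [ValidateSet('Y', 'N')]
        [string]$Value
    )

    $paramKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName\Parameters"
    if (-not (Test-Path -LiteralPath $paramKey)) {
        throw "Registry key '$paramKey' not found; is the component installed on this computer?"
    }

    if ($PSCmdlet.ShouldProcess($ServiceName, "set ConsoleTrace=$Value and restart the service")) {
        Stop-Service -Name $ServiceName -Force
        # Assumption: ConsoleTrace is stored as a string value.
        Set-ItemProperty -LiteralPath $paramKey -Name 'ConsoleTrace' -Value $Value
        Start-Service -Name $ServiceName
    }

    Get-IssConsoleTraceState -ServiceName $ServiceName
}

# Audit both services without changing anything.
Get-IssConsoleTraceState | Format-Table -AutoSize

# Preview turning run-time logging off again for the application server:
# Set-IssConsoleTrace -ServiceName issSPAppService -Value N -WhatIf
```

A service that still shows ConsoleTrace set to Y or InteractsWithDesktop set to True after troubleshooting has finished has been left in its debug configuration.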
Chapter 4
Solutions to Some Common Issues
Overview
Introduction This chapter provides descriptions and solutions for some of the issues you may encounter when working with SiteProtector. It is not intended to represent a complete list of potential SiteProtector issues.
Knowledgebase and ISS Customer Support
For the most complete and up-to-date list of SiteProtector issues, see the ISS Knowledgebase at http://www.iss.net/support/knowledgebase/. If the Knowledgebase does not help you resolve your issue, contact ISS Customer Support at (1) (888) 447-4861.
In this chapter This chapter contains the following topics:
Topic
Issues Related to SiteProtector Installation
Issues Related to SiteProtector Encryption Keys
Issues Related to Operating SiteProtector
Issues Related to Low Memory
Issues Related to Updating SiteProtector
Issues Related to SiteProtector Services
Issues Related to Agents and Appliances
Issues Related to SiteProtector Installation
Introduction This topic provides solutions to issues that you might encounter when you install or uninstall SiteProtector components.
Important: This topic is not intended to represent a complete list of potential issues. For an expanded list of SiteProtector issues, see the ISS Knowledgebase at the following location:
http://www.iss.net/support/knowledgebase/
Installing SiteProtector manually
Description: Installing SiteProtector manually.
Solution: You can install SiteProtector manually instead of using the Basic or Custom installation method. The individual packages for installation are found in the Setup folder, which is located at the root of the SiteProtector CD.
Install the packages in the following order:
• SiteProtector database
• event collector
• Desktop Controller
• application server
• SiteProtector Console
Not Found messages displayed
Why do the pages of my Deployment Manager display a “Not Found” message?
Description: The menu frames for your Deployment Manager appear, but the pages display “Not Found” messages. This can happen when the SiteProtector Web service is running, but the RealSecure SiteProtector Application Server service is stopped on the computer where the Deployment Manager is installed.
Solution: Start the RealSecure SiteProtector Application Server service on the computer where the Deployment Manager is installed.
issApp login already exists
Description: While installing the application server, an error states that the application server login issApp already exists, and then the installation process is terminated.
Explanation: This usually occurs when you attempt to install the application server over an unsuccessful uninstallation. If the RealSecure Application Server service or RealSecure Sensor Controller service cannot be stopped during the uninstallation process, the issApp login is still in use and cannot be deleted from the database.
Solution: Do the following:
1. Make sure both services (or applications, if running as such) are stopped.
2. Use SQL Server 2000 Enterprise Manager to manually delete the existing issApp login, which is located in the /Security/Logins folder for the SiteProtector database.
Event collector login cannot be deleted
Description: While uninstalling the event collector, an error states that the EventCollector_<machine> login cannot be deleted because the service is running, and then the uninstallation process terminates.
Solution: Do one of the following:
• If you are uninstalling the SiteProtector database, ignore this message and uninstall the database, and then repeat the uninstallation process for the event collector.
• If you are not uninstalling the SiteProtector database, stop the issDaemon service and repeat the event collector uninstallation process. If the uninstallation process proceeds, but you are warned that the login still exists, use the SQL Server 2000 Enterprise Manager to manually delete the existing EventCollector_<computer> login, located in the /Security/Logins folder for the SiteProtector database.
Additional event collector encryption
Description: When you install an additional event collector, the encryption is not initially set.
Solution: After installing an additional event collector, you must stop, and then restart it to set encryption.
To stop, and then restart an event collector:
1. Select the root group in the Site Manager group tree.
2. Select the Sensor tab.
3. Set the Show/Hide subtree button to Show if it is not already set.
4. Right-click the event collector you want to restart.
A pop-up menu appears.
5. Select Event Collector→Stop.
When the event collector is stopped, the value in the Status column reads Stopped.
6. Right-click the event collector after it stops.
A pop-up menu appears.
7. Select Event Collector→Start.
When the event collector starts, the value in the Status column reads Active.
Can’t stop the event collector
Description: You have removed the application server and the console, but can’t stop the event collector.
Solution: The two ways to handle this are as follows:
• Remove the SiteProtector database first.
• If you aren’t removing the SiteProtector database, contact ISS Technical Support for assistance with manually stopping the event collector.
Database in use error
Description: While uninstalling the SiteProtector database, an error states that the database is in use.
Solution: Use the SQL Server 2000 Enterprise Manager to manually stop all processes associated with the SiteProtector database, and then proceed with uninstalling the database.
Chapter 4: Solutions to Some Common Issues
Issues Related to SiteProtector Encryption Keys
Introduction: This topic provides solutions to issues that you might encounter when working with SiteProtector encryption keys.
Important: This topic is not intended to represent a complete list of potential issues. For an expanded list of SiteProtector issues, see the ISS Knowledgebase at the following location:
http://www.iss.net/support/knowledgebase/
Keeping the private key directory
Description: You can avoid having to copy new public keys for the SiteProtector event collector and application server.
Solution: Public encryption keys from the SiteProtector event collector and application server are used to communicate with agents. To avoid having to issue new public key files when a SiteProtector event collector or application server is reinstalled, do not remove the private key directory, located, by default, in the following location:
\Program Files\ISS\KeyContainer
The uninstallation process does not remove private keys, but if you manually remove the private keys, you must issue a new public key after you reinstall an event collector or an application server. However, if you uninstall an event collector, you may need to manually copy the application server's public key back to that event collector. This is usually required only if another agent, such as a RealSecure Server Sensor, is installed on the same computer as the event collector.
To copy the application server's public key to the event collector:
1. Locate the application server's public keys on the application server computer:
\Program Files\ISS\RealSecure SiteProtector\Application Server\Keys
2. Copy the public encryption keys, called sp_con_<computername>_239.PubKey and sp_con_<computername>_1024.PubKey, from the CerticomNRA and RSA directories to their respective locations on the event collector computer:
\Program Files\ISS\RealSecure SiteProtector\Event Collector\Keys
Key exchange doesn’t work
Description: The following message appears under the EC Public Keys sent row when you click Details for Solaris RealSecure Network 7.0:
EC Public Keys sent : No - Error checking encryption algorithms on sensor, neither CerticomNRA nor RSA supported. No encryption key(include directory) found on sensor.
This message indicates that the encryption key exchange between SiteProtector and the Solaris RealSecure Network 7.0 is not functioning. This issue also causes the RealSecure Network to display a status of Offline. To fix the issue, you must manually send the keys from SiteProtector to the RealSecure Network agent.
Solution: To manually send keys:
1. Locate your event collector public keys. These keys reside on the event collector computer that communicates with your Solaris RealSecure Network.
The default names and directories for your public keys are:
• \Program Files\ISS\RealSecure SiteProtector\EventCollector\Keys\CerticomNRA\rs_eng_<computer_name>_239.PubKey
• \Program Files\ISS\RealSecure SiteProtector\EventCollector\Keys\RSA\rs_eng_<computer_name>_1024.PubKey
• \Program Files\ISS\RealSecure SiteProtector\EventCollector\Keys\RSA\rs_eng_<computer_name>_1536.PubKey
2. Using the file transfer protocol (FTP), send rs_eng_<computer_name>_239.PubKey to the following location on your Solaris RealSecure Network 7.0 computer:
/opt/ISS/issSensors/network_sensor_1/Keys/CerticomNRA
3. Using FTP, send rs_eng_<computer_name>_1024.PubKey and rs_eng_<computer_name>_1536.PubKey to the following location on your Solaris RealSecure Network 7.0 computer:
/opt/ISS/issSensors/network_sensor_1/Keys/RSA
Important: Be sure to change to binary mode before you FTP your keys.
Issues Related to Operating SiteProtector
Introduction: This topic provides solutions to issues that you might encounter when operating SiteProtector.
Important: This topic is not intended to represent a complete list of potential issues. For an expanded list of SiteProtector issues, see the ISS Knowledgebase at the following location:
http://www.iss.net/support/knowledgebase/
Cannot log into SiteProtector
Description: When you attempt to log on to the console, SiteProtector displays a Certificate Incompatibility message.
Explanation: The Certificate Incompatibility message appears when you try to connect to the server, but the certificate validation process determines a discrepancy in the certificate assigned to the server.
Solution: Record the information displayed in the Certificate Incompatibility message and contact your System Administrator to determine if the certificates have been updated.
• If your System Administrator confirms that they have updated the certificates, click Valid. The newly updated certificate will replace the previous certificate in the key store for that server.
• If your System Administrator verifies that they have not updated certificates, then click Invalid. The System Administrator should then contact ISS Technical Support for assistance.
Note: The purpose of certificates is to alert you to attacks. Accepting an unknown certificate could make you vulnerable to attacks.
Cannot view a report
Description: SiteProtector displays the following error when you try to view a report:
The requested URL could not be retrieved.
This error can occur when you log on to the SiteProtector Console using a NetBIOS computer name, but your Internet Explorer application cannot resolve by NetBIOS name. Your Internet Explorer application is probably set to use a proxy, but the proxy server is not configured to resolve the NetBIOS address.
Solution: Log out of the SiteProtector Console, and then log in using either the fully qualified domain name (FQDN) or the IP address of the SiteProtector application server.
Cannot view PDF documentation
Description: You are unable to view the PDF documentation from the SiteProtector Help menu when using Windows 2003.
The default Windows 2003 security settings prevent users from opening non-HTML files by clicking the associated link or menu item.
Solution: To open the SiteProtector PDF documentation, do one of the following:
• Configure your Windows 2003 security settings to allow you to open non-HTML files by clicking the associated link or menu item. For information about configuring your security settings, see the Windows 2003 system documentation.
Or
• Save the PDF documentation to your hard drive, and then access the PDF file directly.
Software query on host returns no entries
Description: After adding a host, querying the host for software returns no entries.
Solution: Check to make sure the signature verification for the agent is not failing. On the host where the agent is located, the agent should appear in the Application log portion of the Event Viewer for the issDaemon.
Missing or invalid license key errors
Description: After you add a license key through the SiteProtector console, the features do not appear, but errors related to a missing or invalid license key appear.
Solution: The sensor controller polls for license changes every 60 seconds, so the change may not appear immediately.
You can press the F5 key to refresh the licensing information. You can also wait 60 seconds, and then re-open the Add License window to see if the feature columns are populated. If the feature columns are populated, the license key has been successfully imported.
Note: If you add license keys through the Sensor Controller Diagnostics console, the effect is immediately apparent.
Computer absent from Active Directory
Description: Your computer appears in a domain and the DNS, but it does not appear in the Active Directory grouping tree.
Solution: Your computer may not have an assigned DNS name in the Active Directory object. If this is the case, then SiteProtector cannot resolve a name for your computer.
To verify that your computer has an assigned DNS name:
1. On the Domain Controller computer, access Administrative Tools.
2. Select Active Directory Users and Computers.
3. In the left pane, locate the computer that does not appear in the Active Directory listing.
4. Right-click the computer name, and then select Properties.
The <Computer Name> Properties window appears.
5. Does the full DNS name appear in the DNS name box?
• If yes, then call ISS Technical Support to help you with this issue.
• If no, then go to the next step.
6. Go to the computer that does not appear in the Active Directory listing.
7. Right-click My Computer, and then select Properties.
The System Properties window appears.
8. Manually change the Full computer name in System Properties to reflect the complete name of the computer.
Note: The procedure to change the name that appears in the Full computer name field depends on your operating system version. See your operating system documentation for information about how to change your computer name.
SiteProtector is not collecting Internet Scanner 6.2.1 data
Description: You re-installed Internet Scanner 6.2.1, and you are no longer collecting data.
Solution: The Internet Scanner Databridge registers some of the Internet Scanner DLL files, so you must reinstall the Internet Scanner Databridge after you reinstall Internet Scanner 6.2.1.
Your event collector password was deleted or has expired
Description: Your event collector username/password was accidentally deleted, changed, or has expired. The encryption authentication between the event collector and the SiteProtector database is no longer valid.
Solution: You must generate a new set of keys by re-generating the user account. Contact ISS Technical Support for assistance.
Agent status is “Unknown” or “Not Responding”
Description: The SiteProtector Console displays an “Unknown” or “Not Responding” status for one or more agents.
Under normal conditions, an agent's status should be “Active” or “Stopped” if the agent is not assigned to an event collector. If the agent is assigned to an event collector, the status should be “Active” (if the agent is currently connected to an event collector) or “Offline” (if the event collector is unable to connect to the agent).
Solution: This is probably the result of a missing or invalid SiteProtector authentication key on the agent computer. To verify that this is the problem, go to the Keys folder on the agent computer. Typical folders include the following:
| Product | Folder |
|---|---|
| Deployment Manager | \Program Files\ISS\RealSecure SiteProtector\DeploymentManager\Keys |
| Desktop controller | \Program Files\ISS\Realsecure SiteProtector\DesktopController\Keys |
| RealSecure Network Gigabit (Linux) | /opt/ISS/issSensors/network_sensor_1/Keys |
| RealSecure Network Gigabit (Windows) | \Program Files\ISS\issSensors\Network_Sensor_1\Keys |
| ICEcap Databridge | \Program Files\ISS\issSensors\ICEcap_Databridge\Keys |
| Internet Scanner 7.0 | \Program Files\ISS\issSensors\Scanner_1\Keys |
| Internet Scanner 6.2.1 | \Program Files\ISS\Scanner6\Keys |
| Internet Scanner Databridge 6.2.1 | \Program Files\ISS\issSensors\Internet_Scanner_DataBridge\Keys |
| RealSecure Network | \Program Files\ISS\issSensors\network_sensor_1\Keys |
| Proventia A-Series | /opt/ISS/issSensors/network_sensor_1/Keys |
| Proventia G-Series | /opt/ISS/issSensors/network_sensor_1/Keys |
| Proventia M-Series | /var/spool/crm/leafcerts (Note: The Proventia M Series has an SSL Cert key instead of an encryption key.) |
| SecurityFusion Module | \Program Files\ISS\issSensors\Security Fusion\Keys |
| RealSecure Server Sensor | \Program Files\ISS\issSensors\server_sensor_1\Keys |
| System Scanner Databridge | \Program Files\ISS\issSensors\System_Scanner_Databridge\Keys |
| Third Party Module (for Check Point) | \Program Files\ISS\issSensors\ThirdPartyModule_CheckPoint_1\Keys |
| Third Party Module (for Cisco) | \Program Files\ISS\issSensors\ThirdPartyModule_Cisco_1\Keys |

Table 35: Location of Keys folder
Important: You need to examine both the Internet Scanner and Internet Scanner Databridge folders for Internet Scanner 6.2.1 installations.
Each Keys folder can contain subfolders for each key provider present (e.g., \RSA or \CerticomNRA). At least one of these key provider subfolders should contain the SiteProtector authentication key, which looks like sp_con_<ApplicationServerDNS>_<####>.PubKey.
For example, if the SiteProtector is present on a computer with the DNS “bob”, then the computer containing a RealSecure Server Sensor installation should have a file called \Program Files\ISS\issSensors\server_sensor_1\Keys\RSA\sp_con_bob_239.PubKey (assuming RSA encryption). If this file is not present, or if the date does not match the date of the corresponding key on the RealSecure application server computer, then you must force the key to be pushed from the RealSecure application server to the local agent.
The SiteProtector authentication keys for SiteProtector are located in the \Program Files\ISS\RealSecure SiteProtector\Application Server\Keys\<keyprovider>\ folders.
Important: Make sure you compare keys in similar key provider subfolders. In the example above, compare the agent's RSA key folder to the Application Server's RSA key folder.
To send the application server’s authentication keys to the agent:
1. Locate, and then delete sp_con*.PubKey in the \Program Files\ISS folder and below.
2. From a command prompt, type net stop issdaemon.
3. Edit the \Program Files\ISS\issDaemon\crypt.policy file by changing the “allowfirstconnection<tab> =L<tab>0;” string to “allowfirstconnection<tab> =L<tab>1;”.
4. Save the file.
5. From a command prompt, type net start issdaemon.
6. From the SiteProtector console, issue a Start command to the agent so that it attempts to connect. This should change the agent status, though it may take a minute or so. Verify that the key was sent as described above.
Agent status is “Offline”
Description: The SiteProtector console displays the status for one or more agents as “Offline.”
Explanation: This could be the result of a missing or invalid event collector authentication key on the agent computer.
Solution: To verify that this is the problem, go to the Keys folder on the agent computer. For a list of typical folders, see Table 35, “Location of Keys folder” on page 64.
Each Keys folder can contain subfolders for each key provider present (e.g., \RSA or \CerticomNRA). At least one of these key provider subfolders should contain the event collector authentication key, which looks like rs_eng_<EventCollectorDNS>_<####>.PubKey.
For example, if the event collector is present on a computer with the DNS “bob”, then the computer containing a RealSecure Server Sensor installation should have a file called \Program Files\ISS\issSensors\server_sensor_1\Keys\RSA\rs_eng_bob_239.PubKey (assuming RSA encryption). If this file is not present, or if the date does not match the date of the corresponding key on the event collector host, then you must force the key to be pushed from the event collector to the local agent.
The event collector computer’s authentication keys are located in the \Program Files\ISS\RealSecure SiteProtector\Event Collector\Keys\<key provider>\ folders.
Important: Make sure you compare keys in similar key provider subfolders. In our example above, compare the agent’s RSA key folder to the event collector’s RSA key folder.
To apply the event collector’s authentication keys to the agent:
1. From the SiteProtector Console, issue a Stop command to the event collector, and wait until its status changes to “Stopped.”
2. Select the agent, right-click the agent, and then select View/Edit from the pop-up menu.
3. Change the Event Collector box to None, and then click OK.
4. Issue a Start command to the event collector, and then wait until its status changes to either “Offline” or “Active.”
5. Select the agent, right-click the agent, and then select View/Edit from the pop-up menu.
6. Change the Event Collector box from “None” to the appropriate event collector, and then click OK.
This should change the agent status to “Active.” Verify that the key was sent, as described previously.
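The key check from the two agent-status topics above (compare the agent's sp_con_* or rs_eng_* key with the copy in the same key provider subfolder on the application server or event collector), as an added example that is not part of the ISS guide. It compares file contents by SHA-256 instead of file date, which is a substitution made here; the function names and the sample tree, including a copy altered the way an ASCII-mode FTP transfer would alter it, are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# sp_con_<ApplicationServerDNS>_<####>.PubKey or rs_eng_<EventCollectorDNS>_<####>.PubKey
KEY_NAME = re.compile(r"^(sp_con|rs_eng)_.+_\d+\.PubKey$", re.IGNORECASE)


def index_keys(keys_dir):
    """Map (provider, filename), lowercased, to (provider, filename, sha256)."""
    index = {}
    root = Path(keys_dir)
    if not root.is_dir():
        return index
    for provider_dir in root.iterdir():
        if not provider_dir.is_dir():
            continue
        for key_file in provider_dir.iterdir():
            if key_file.is_file() and KEY_NAME.match(key_file.name):
                digest = hashlib.sha256(key_file.read_bytes()).hexdigest()
                lookup = (provider_dir.name.lower(), key_file.name.lower())
                index[lookup] = (provider_dir.name, key_file.name, digest)
    return index


def compare_keys(source_keys_dir, agent_keys_dir, prefix):
    """Compare every source key whose name starts with prefix against the
    agent copy in the same key provider subfolder (RSA with RSA, and so on)."""
    source = index_keys(source_keys_dir)
    agent = index_keys(agent_keys_dir)
    results = []
    for lookup, (provider, name, digest) in sorted(source.items()):
        if not name.lower().startswith(prefix.lower()):
            continue
        if lookup not in agent:
            status = "missing_on_agent"
        elif agent[lookup][2] == digest:
            status = "match"
        else:
            status = "mismatch"
        results.append((provider, name, status))
    return results


def needs_key_push(results):
    """At least one provider subfolder must hold a matching key, and no
    provider may hold a stale or altered copy."""
    statuses = [status for _, _, status in results]
    return "mismatch" in statuses or "match" not in statuses


def write_keys(base, layout):
    """Create constructed key files: {relative path: bytes}."""
    for relative, data in layout.items():
        target = Path(base) / relative
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def run_demo():
    # Constructed byte strings standing in for real key material.
    key_239 = b"constructed-certicom-239\x00\x0a\x01"
    key_1024 = b"constructed-rsa-1024\x0a\x00\xff\x0a"
    key_1536 = b"constructed-rsa-1536\x00\x02"
    with tempfile.TemporaryDirectory() as tmp:
        collector = Path(tmp) / "collector" / "Keys"
        agent = Path(tmp) / "agent" / "Keys"
        write_keys(collector, {
            "CerticomNRA/rs_eng_bob_239.PubKey": key_239,
            "RSA/rs_eng_bob_1024.PubKey": key_1024,
            "RSA/rs_eng_bob_1536.PubKey": key_1536,
        })
        write_keys(agent, {
            "CerticomNRA/rs_eng_bob_239.PubKey": key_239,
            # LF rewritten to CR LF, as a transfer outside binary mode would do.
            "RSA/rs_eng_bob_1024.PubKey": key_1024.replace(b"\x0a", b"\x0d\x0a"),
        })
        results = compare_keys(collector, agent, "rs_eng_")
    return results, needs_key_push(results)


if __name__ == "__main__":
    demo_results, push = run_demo()
    for provider, name, status in demo_results:
        print(f"{provider:12} {name:28} {status}")
    print("key push required:", push)
```

Run it with the prefix sp_con_ against the application server's Keys folder, or rs_eng_ against the event collector's.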
Inaccessible file structure and application registry
Description: When you install the SiteProtector Console, the file structure and the application registry may not be accessible for some users and groups that have limited access privileges.
Solution: To change SiteProtector Console access permission on Windows 2000:
Note: You must be an administrator or user with access privileges that allow modifications to the security settings for the SiteProtector Console installation. Specifically, you must be able to change the file systems and registry settings that are described in the following procedure:
1. Open Windows Explorer.
2. Navigate to the location where the SiteProtector Console is installed.
The default location is:
\Program Files\ISS\RealSecure SiteProtector\Console
3. Right-click the Console folder, and then select Properties.
The folder’s properties window appears.
4. Select the Security tab.
5. Click Add.
The Select Users, Computers, or Groups window opens.
6. Select the users and/or groups for which you want to add permissions, and then click Add.
7. Click OK.
The Select Users, Computers, or Groups window closes.
8. Select each user and/or group you added, and then ensure that they have, at least, the following permissions:
For file folders:
• Write
• Read
• List & Execute
• Modify
For registry folders:
• Read
9. Click Apply, and then click OK.
10. Open the registry editor program, regedt32.exe.
Note: The registry editor program name is regedit.exe on Windows 2003.
11. Select the window titled HKEY_LOCAL_MACHINE on Local Machine, and then navigate the following path:
HKEY_LOCAL_MACHINE\Software\ISS\SiteProtector
12. Select the Console folder, and then select Security→Permissions on the menu bar.
Note: On Windows 2003, right-click the SiteProtector key, and then select Permissions.
The Permissions for Console window opens.
13. Click Add.
The Select Users, Computers, or Groups window opens.
14. Select the users and/or groups for which you want to add permissions, and then click Add.
15. Click OK.
The Select Users, Computers, or Groups window closes.
16. Click OK to complete the operation.
Desktop Protection agent not visible in the console
Description: The Desktop Protection agent is not visible in the SiteProtector Console.
Solution: On the target computer (computer where your Desktop Protector agent is installed), verify that the executable, blackd.exe, is running. You verify this on the Processes tab in Windows Task Manager.
You may have to limit the name of the final subdirectory in your Desktop Protection agent installation path to 17 characters or fewer.
To limit the name of the final subdirectory in your Desktop Protector agent installation path to 17 characters or fewer:
1. Navigate to the root of the directory where the Desktop Protection agent is installed.
The default location is: \Program Files\ISS\issSensors\DesktopProtection
2. Double-click AgentRemove.exe.
3. In the Site Manager, select Sensor→Manage→Policy.
The Manage Policy window opens.
4. Select the appropriate policy.
This is the policy that was selected for the target computer.
5. Click View/Edit.
The Policy window opens.
6. Select Installation Configuration.
7. In the following fields, limit the name of the final subdirectory in your Desktop Protector agent installation path to 17 characters or fewer:
• WinNT/2000 Install Path
• Win 9x Install Path
8. Save the policy, and then right-click the group that contains the malfunctioning Desktop Protection agent, and then select Desktop Protection→Generate Desktop Protection Build.
The Generate Desktop Protection Build window opens.
9. In the drop-down list, select the desired Desktop Controller, and then type a description in the Description box.
10. Click OK.
11. After the Desktop Protection build is complete, navigate to the Desktop Protection Build page in the target computer’s Web browser.
By default, this page is located on port 8085 of the computer where the Desktop Controller resides.
12. Select the newly generated Desktop Protection build.
13. Select Open on the Download window.
14. The new agent build is installed.
Issues Related to Low Memory
Introduction: This topic provides descriptions and solutions for some of the issues you may encounter due to a lack of memory on your SiteProtector system.
Important: This topic is not intended to represent a complete list of potential issues. For an expanded list of SiteProtector issues, see the ISS Knowledgebase at the following location:
http://www.iss.net/support/knowledgebase/
Importing a large application list
Description: If you import an application list containing more than 8000 entries into the global application list or into a policy, then an out of memory error can appear when you attempt to edit the global application list.
Solution: Perform the following procedure:
1. Select Start→Run.
The Run window appears.
2. Type regedit in the Open box.
The Registry Editor application opens.
3. In the left pane, navigate the following path:
HKEY_LOCAL_MACHINE\SOFTWARE\ISS\CPE\Parameters
4. Edit the string value for MaxHeap to reflect the following:
-Xmx<size in megabytes>M
Note: ISS recommends that you start with a value of 128, and then increase the value, if necessary, until the application runs. For example, type -Xmx128M to set the heap size to 128 megabytes.
Multiple console connections
Description: Your SiteProtector system may generate an "out of memory" error on the application server if both of the following occur:
• multiple consoles are simultaneously retrieving asset information from a Site
• you have increased the default value for the maximum number of rows that SiteProtector displays
Note: This is also applicable to the SiteProtector Web Portal.
Solution: Perform the following procedure:
1. On the application server, select Start→Run.
The Run window appears.
2. Type regedit in the Open box.
The Registry Editor application opens.
3. In the left pane, navigate the following path:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\issSPAppService\Parameters
4. Edit the string value for MaxHeap to reflect the following:
-Xmx<size in megabytes>M
Note: ISS recommends that you start with a value of 384, and then increase the value, if necessary, until the application runs. For example, type -Xmx384M to set the heap size to 384 megabytes.
Issues Related to Updating SiteProtector
Introduction: This topic provides descriptions and solutions for some of the issues you may encounter when updating your SiteProtector system.
Important: This topic is not intended to represent a complete list of potential issues. For an expanded list of SiteProtector issues, see the ISS Knowledgebase at the following location:
http://www.iss.net/support/knowledgebase/
Cross-database ownership chaining
Description: Some users have found that they cannot apply database updates after they install Microsoft SQL Server SP3. There are several reasons why your database updates may fail.
Solution: You must enable cross-database ownership in MSSQL before you can apply database updates. You can do this using the Enterprise Manager or using the command prompt.
Note: You only need to perform one of the following procedures.
To enable cross-database ownership using the Enterprise Manager:
1. Open the Enterprise Manager.
2. Right-click on the database, and then click Properties.
3. Select the Options tab.
4. Select Allow Cross-database ownership chaining.
5. Click OK.
To enable cross-database ownership using the command prompt:
1. Type the following at the command prompt:
osql -E
2. Press ENTER.
The following prompt appears: 1>
3. Type the following at the prompt:
exec sp_dboption 'RealSecureDB', 'db chaining', 'true'
4. Press ENTER.
The following prompt appears: 2>
5. Type the following at the prompt:
go
6. Press ENTER.
SQL Agent not running
Description: If the SQL Server Agent is not running on the SQL server that hosts the SiteProtector database, the updates will fail.
Solution: Restart the SQL Server Agent, and then try applying the update again.
Database job missing
Description: Sometimes jobs in the SiteProtector database can be automatically deleted. This is a known SiteProtector issue.
Solution: Verify that certain jobs are present.
To verify the jobs:
1. In Enterprise Manager, select Management→SQL Server Agent→Jobs.
2. Verify that the following five jobs are present.
• Check Sensor Controller in RealSecureDB
• Job History Purge in RealSecureDB
• Load Sensor Data and Post Process in RealSecureDB
• Observances Purge in RealSecureDB
• SensorData Purge in RealSecureDB
Important: If one or more of these jobs is missing, contact ISS Technical Support for assistance.
Job ownership
Description: If SiteProtector jobs are not owned by the IssApp account, you may not be able to apply updates to your SiteProtector database.
Solution: Make IssApp the owner of these jobs, and then apply the update.
Non-English SQL
Description: SiteProtector is only supported on the English version of SQL Server. Localized versions of SQL Server have been known to cause problems when applying database updates.
Solution: Install an English version of SQL Server, and then apply the update.
Database update 1.18
Description: SiteProtector database update 1.18 contained many issues, and was subsequently re-released as database update 1.19.
Solution: You need further assistance to resolve this issue; please contact ISS Technical Support.
Issues Related to SiteProtector Services
Introduction: This topic provides solutions to issues that you might encounter when working with the SiteProtector Services.
Important: This topic is not intended to represent a complete list of potential issues. For an expanded list of SiteProtector issues, see the ISS Knowledgebase at the following location:
http://www.iss.net/support/knowledgebase/
Services failing to start
Description: Communication between your application server or sensor controller and the SiteProtector database requires a password. SiteProtector generates the original password at installation time. If this password is changed, your SiteProtector database and application server (and/or sensor controller) cannot communicate. The result is that the service will fail to start.
Solution: The Application Server password utility allows you to create a new password if the original password is accidentally changed, deleted, or if your company policy requires you to change your passwords periodically.
To change the password for your sensor controller and application server:
1. Select Start→Settings→Control Panel→Administrative tools→Services.
The Component Services window appears.
2. Right-click RealSecure SiteProtector Application Service, and then click Stop on the pop-up menu.
3. Right-click RealSecure SiteProtector Sensor Controller Service, and then click Stop on the pop-up menu.
4. Select Start→Programs→Accessories→Command Prompt.
The Command Prompt window appears.
5. Change to the bin directory under the directory where the Application Server is installed.
For example, if the Application Server is installed in the default location, you should type the following, and then press ENTER:
cd "\Program Files\ISS\RealSecure SiteProtector\ApplicationServer\bin"
6. At the command prompt, type the following command:
instutil.bat -p <your new password>
7. Select Start→Settings→Control Panel→Administrative tools→Services.
The Component Services window appears.
8. Right-click RealSecure SiteProtector Application Service, and then click Start on the pop-up menu.
9. Right-click RealSecure SiteProtector Sensor Controller Service, and then click Start on the pop-up menu.
Desktop Controller Server fails
Description: Communication between your Desktop Controller and the SiteProtector database requires a password. SiteProtector generates the original password at installation time. If this password is changed, your SiteProtector database and Desktop Controller will no longer be able to communicate. The result is that the service will fail to start.
Solution: The Desktop Controller password utility allows you to create a new password if the original password is accidentally changed, deleted, or if your company policy requires you to change your passwords periodically.
To change the password for your Desktop Controller:
1. Double-click DCLogin.exe.
DCLogin.exe resides on the computer where your Desktop Controller is installed, and it is usually in the following location:
\Program Files\ISS\RealSecure SiteProtector\Desktop Controller
2. Type the login name into the Login box.
Note: This field already contains the current login name for the Desktop Controller. If you don't plan to change the login name with the password, you can leave this field as is.
3. Type the password into the Password box.
4. Type the password again into the Confirm box.
5. Click Save.
6. In the Site Manager, stop, and then restart the Desktop Controller.
Issues Related to Agents and Appliances
Introduction: This topic provides solutions to issues that you might encounter when working with agents or appliances that are monitored and/or controlled by SiteProtector.
Important: This topic is not intended to represent a complete list of potential issues. For an expanded list of SiteProtector issues, see the ISS Knowledgebase at the following location:
http://www.iss.net/support/knowledgebase/
Agent/SiteProtector communication failure
Description: Failure for RealSecure Network or RealSecure Server Sensor to communicate with SiteProtector may be due to the fact that RealSecure Network 6.0/6.5 and RealSecure Server Sensor 6.0/6.0.1/6.5 will not communicate with SiteProtector if any of the SiteProtector Databridge agents/scanners are installed. The event log creates the following message when attempting to communicate with these agents:
ns60_computername_w2k) - OnError from 172.16.3.69: The currently selected provider does not support the requested cryptographic algorithm at the selected strength/length. [ID=0xc7280003]
Solution: To avoid this issue, install RealSecure Network 6.0/6.5 and RealSecure Server Sensor 6.0/6.0.1/6.5 before you install Internet Scanner Databridge 6.2.1, ICEcap Databridge, or System Scanner Databridge.
Error when downloading agent logs
Description: SiteProtector issues the following error message when you attempt to download logs on a RealSecure Network that is running on a Unix operating system:
Get files failed on Sensor #<sensor number>. 0 of 1 files transferred. Get file <file name> failed. The current session user does not have permission to perform the specified operation on the specified path. Please edit the access control file on the remote server and add the necessary permissions for the session.
This problem is due to an incorrect permission contained in the iss.access file of the sensor’s daemon.
Note: The error message also appears for RealSecure Server Sensor.
Solution: Correct this issue as follows:
1. Access the iss.access file in the issDaemon folder, and then modify the following sections in the file:
Note: The following text is an example. The path on your computer may be slightly different.
Before edit:
[/opt/ISS/issSensors/network_sensor_1/Logs/];
ACL1 =S Role=Default FilePerms=RD DirPerms=R;
After edit:
[/opt/ISS/issSensors/network_sensor_1/Logs/];
ACL1 =S Role=Default FilePerms=RD DirPerms=R Recursive;
2. Stop, and then restart the issDaemon service.
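One way to check an iss.access file for the condition described above, added here as an example and not taken from the guide or from any ISS tool. It assumes the file uses only the "[path];" header and "ACLn =...;" entry forms shown in the Before/After sample; the function names and sample inputs are hypothetical and constructed from that sample.

```shell
#!/bin/sh
# Added example (not from the SiteProtector guide): list ACL entries under
# .../Logs/ sections of an iss.access-style file that lack "Recursive".
# Assumption: the grammar is inferred only from the two-line sample in the
# guide: a "[path];" section header followed by "ACLn =... ;" entries.

# Constructed sample inputs, copied from the guide's Before/After text.
sample_before() {
    printf '%s\n' \
        '[/opt/ISS/issSensors/network_sensor_1/Logs/];' \
        'ACL1 =S Role=Default FilePerms=RD DirPerms=R;'
}
sample_after() {
    printf '%s\n' \
        '[/opt/ISS/issSensors/network_sensor_1/Logs/];' \
        'ACL1 =S Role=Default FilePerms=RD DirPerms=R Recursive;'
}

# check_logs_acl [file]: reads the file (or stdin), prints "section: entry"
# for each Logs ACL entry without Recursive, and returns 1 if any were found.
check_logs_acl() {
    awk '
        # Section header: remember the path between "[" and "]".
        /^[ \t]*\[.*\][ \t]*;?[ \t]*$/ {
            section = $0
            sub(/^[ \t]*\[/, "", section)
            sub(/\][ \t]*;?[ \t]*$/, "", section)
            next
        }
        # ACL entry inside a section whose path ends in /Logs/.
        /^[ \t]*ACL[0-9]+[ \t]*=/ && section ~ /\/Logs\/$/ {
            entry = $0
            sub(/;[ \t]*$/, "", entry)          # drop the terminator
            n = split(entry, tok, /[ \t]+/)
            found = 0
            for (i = 1; i <= n; i++)
                if (tok[i] == "Recursive") found = 1
            if (!found) { print section ": " $0; missing++ }
        }
        END { exit (missing > 0) }
    ' "$@"
}

# Demonstration on the constructed samples.
sample_before | check_logs_acl || echo "before edit: Recursive missing"
sample_after  | check_logs_acl && echo "after edit: ok"
```

Pass the path of the sensor's iss.access file as the first argument to check the real file instead of the samples.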
Appendix
Appendix A
Database Schema
Overview
Introduction This appendix provides the SiteProtector database schematics.
In this appendix This appendix contains the following topics:
Application Security Schema
Auditing and Diagnostics Schema
Command and Control Schema
Grouping Schema
ITRSO Schema
Metrics Schema
Sensor Data Schema
Site Analysis Schema
Site Filters Schema
Staging and Rejects Schema
Statistics Schema
X-Force Schema
Complete Database Schema
Appendix A: Database Schema
Application Security Schema
Schema The following diagram displays the Application security schema:
Groups
  GroupID: int NOT NULL (AK1.2)
  GroupName: nvarchar(80) NOT NULL
  GroupDesc: nvarchar(255) NULL
  RoleID: int NULL (FK)
  ParentGroupID: int NULL (AK1.1,IE1.1)
  GroupViewID: int NULL (FK)
  Deleted: tinyint NULL
  SiteID: int NULL (FK)
  GroupTypeID: int NULL (FK)
  SPGroupID: int NULL
  RuleID: int NULL (FK)
  GUID: varchar(36) NULL

Sites
  SiteID: int NOT NULL
  Name: nvarchar(60) NOT NULL
  Descr: nvarchar(255) NULL
  IpAddress: varchar(47) NOT NULL
  Port: int NOT NULL
  LastDataLoadAt: datetime NULL
  Deleted: tinyint NULL

Audit
  ID: INTEGER NOT NULL
  EntityID: int NOT NULL (IE1.1)
  UserID: INTEGER NULL (FK)
  EntityName: varchar(60) NULL (IE1.2)
  Descr: varchar(255) NULL
  Action: varchar(30) NULL
  SourceIP: varchar(47) NULL
  Time: datetime NULL

Users
  UsersID: int NOT NULL
  Login: nvarchar(50) NOT NULL
  Domain: nvarchar(255) NOT NULL
  SID: varchar(50) NOT NULL (AK2.1)
  LastLogin: datetime NULL
  LastLoginFailure: datetime NULL
  NTGroup: nvarchar(30) NOT NULL

UsersGroups
  UsersID: int NOT NULL (FK)
  GroupID: int NOT NULL (FK)

UsersSites
  UsersID: INTEGER NOT NULL (FK)
  SiteID: int NOT NULL (FK)

Role
  RoleID: int NOT NULL
  RoleName: varchar(60) NOT NULL
  ProductID: int NULL (FK)
  ClassName: varchar(255) NOT NULL (AK1.1)
  Namespace: varchar(255) NULL
  DefaultLoggingLevel: tinyint NULL
  DefaultStatus: tinyint NULL
  DefaultOptionFlags: tinyint NULL
  SupportsEC: tinyint NOT NULL
  SupportsGroupPolicy: tinyint NOT NULL

GroupView
  GroupViewID: int NOT NULL (IE1.1)
  GroupViewName: nvarchar(64) NOT NULL
  Deleted: tinyint NULL

GroupRule
  RuleID: int NOT NULL
  RuleType: tinyint NOT NULL (FK)
  RuleValue: ntext NOT NULL
  Description: nvarchar(254) NULL
  LastModifiedAt: datetime NULL

GroupTypes
  GroupTypeID: int NOT NULL
  Name: nvarchar(64) NULL (AK1.1)
  Descr: nvarchar(255) NULL
Auditing and Diagnostics Schema
Schema The following diagram displays the Auditing and Diagnostics schema:
AuditInfo
  AuditInfoID: INTEGER NOT NULL
  AuditTrailID: INTEGER NULL (FK)
  ParamName: nvarchar(100) NULL
  ParamValue: nvarchar(500) NULL
  ParamDataType: nvarchar(60) NULL
  ParamDesignator: nvarchar(10) NULL

AuditTrail
  AuditTrailID: INTEGER NOT NULL
  AuditEventCMDID: INTEGER NULL (FK)
  UserName: nvarchar(75) NULL
  AuditTime: DATE NULL

ditEventCMD
  AuditEventCMDID: INTEGER NOT NULL
  EventDesc: nvarchar(100) NULL

DBSubComponent
  DBSubComponentID: smallint NOT NULL
  DBComponentID: smallint NULL (FK)
  ProcName: varchar(30) NULL
  State: tinyint NULL
  StateDateTime: DATE NULL
  StateDescription: varchar(100) NULL

DBComponent
  DBComponentID: smallint NOT NULL
  Name: varchar(30) NULL
  State: tinyint NULL
  StateDescription: varchar(100) NULL

ErrorMessage
  ErrorNumber: INTEGER NOT NULL
  SeverityID: smallint NULL (FK)
  MessageText: nvarchar(300) NULL

Version
  AttributeName: nvarchar(40) NULL
  AttributeValue: nvarchar(100) NULL

ErrorSeverity
  SeverityID: smallint NOT NULL
  Name: nvarchar(20) NOT NULL
  Description: nvarchar(80) NULL
  ReportToCaller: tinyint NOT NULL
  SQLSeverity: char(2) NULL
  LoggingLevel: tinyint NULL

MessageLog
  MessageLogID: INTEGER NOT NULL
  WhenOccurred: DATE NOT NULL
  SeverityID: smallint NOT NULL (FK)
  ErrorNumber: INTEGER NOT NULL
  Message: nvarchar(300) NULL
  ProcedureName: nvarchar(60) NULL
  RelatesToErrorID: INTEGER NULL

VersionUpdates
  UpdateTag: char(40) NULL
  UpdateType: tinyint NOT NULL
  MajorVersion: int NOT NULL
  MinorVersion: int NOT NULL
  YearPointRelease: int NOT NULL
  BuildNumber: int NOT NULL
  UpdateCmdLine: varchar(255) NULL
  UpdateFile: varchar(260) NULL
  Deleted: tinyint NOT NULL

UpdateStatus
  UpdateStatusID: int NOT NULL
  Name: varchar(100) NOT NULL
  StartTime: datetime NOT NULL
  Status: varchar(30) NULL
  ActionJobID: int NULL
  TotalSteps: int NULL

UpdateOperationStatus
  UpdateOperationStatusID: int NOT NULL
  TargetName: varchar(100) NOT NULL
  Status: varchar(30) NULL
  UpdateStatusID: int NULL (FK)
  Duration: smalldatetime NULL
  PctComplete: smallint NULL

UpdateStepStatus
  UpdateStepStatusID: int NOT NULL
  StepNbr: int NULL
  TaskName: varchar(50) NULL
  Description: varchar(1000) NULL
  PctComplete: smallint NOT NULL
  DBTime: datetime NOT NULL
  ComponentTime: datetime NULL
  Status: varchar(30) NULL
  UpdateOperationStatusID: int NULL (FK)

MaintenanceLog
  MaintenanceLogID: bigint NOT NULL
  WhenOccurred: datetime NULL
  Message: nvarchar(1200) NULL
  ProcedureName: nvarchar(240) NULL

RSDBOptions
  OptionName: varchar(100) NOT NULL
  ParamDesc: varchar(50) NULL
  Type: varchar(16) NOT NULL
  ParamValue: nvarchar(100) NOT NULL
  DefaultValue: nvarchar(100) NOT NULL
  LastModifiedBy: nvarchar(60) NOT NULL
  LastModifiedAt: datetime NOT NULL
  System_Usr: nvarchar(60) NOT NULL

AnalysisLog
  QueryID: int NOT NULL
  StartTime: datetime NULL
  Type: char(1) NULL
  SPID: int NULL
  Duration: int NULL
  UserID: int NULL
  SQLStmt: text NULL
  RPC: text NULL
  ErrorID: int NULL
Command and Control Schema
Schema The following diagram displays the Command and Control schema:
BinaryData
  BinaryDataID: int IDENTITY
  BinaryDataType: tinyint NULL (FK)
  Value: image NULL
  CheckSum: int NULL (IE1.1)
  FileName: nvarchar(255) NULL
  LastModifiedAt: datetime NULL
  DeleteRefCount: int NULL

Role
  RoleID: int NOT NULL
  RoleName: varchar(60) NOT NULL
  ProductID: int NULL (FK)
  ClassName: varchar(255) NOT NULL (AK1.1)
  Namespace: varchar(255) NULL
  DefaultLoggingLevel: tinyint NULL
  DefaultStatus: tinyint NULL
  DefaultOptionFlags: tinyint NULL
  SupportsEC: tinyint NOT NULL
  SupportsGroupPolicy: tinyint NOT NULL

Component
  ComponentID: int IDENTITY
  RoleID: int NULL (FK) (AK1.3)
  LastPushedPolicyID: int NULL (FK)
  PropertyFileID: int NULL (FK)
  HostID: int NULL (FK) (AK1.1)
  Priority: numeric NOT NULL
  Status: numeric NOT NULL
  LastModifiedBy: nvarchar(60) NULL
  LastModifiedAt: datetime NULL
  Deleted: numeric NOT NULL
  EventSourcePort: int NULL
  EventPort: int NULL
  Version: varchar(40) NULL
  SensorName: nvarchar(100) NULL (AK1.2)
  Policy: nvarchar(434) NULL
  Master: varchar(30) NULL
  AvailableXPU: varchar(40) NULL
  LastInstalledXPU: varchar(40) NULL
  LoggingLevel: tinyint NULL
  LicenseState: smallint NULL
  XPUState: smallint NULL
  StateDescription: nvarchar(500) NULL
  UnexpectedConfigChange: tinyint NULL
  ModifiedBySensorController: tinyint NOT NULL
  DaemonPort: int NULL
  EventLogOption: tinyint NULL
  SiteID: int NULL (FK)
  LastPushedResponseID: int NULL (FK)
  XPUDate: datetime NULL
  Response: nvarchar(434) NULL
  PolicyGroupID: int NULL (FK)
  LastHeartBeat: datetime NULL
  GUID: varchar(36) NULL (IE1.1)
  LicenseID: int NULL (FK)
  PolicyChangedFlag: tinyint NOT NULL
  FCPEventPort: int NULL
  FCPEventSourcePort: int NULL
  ECStatus: tinyint NULL
  ECStateDescription: nvarchar(500) NULL
  OptionFlags: int NULL
  EventCollectorID: int NULL (FK)
  AlertEventPort: int NULL
  AlertEventSourcePort: int NULL

Groups
  GroupID: int IDENTITY (AK1.2)
  GroupName: nvarchar(80) NOT NULL
  GroupDesc: nvarchar(255) NULL
  RoleID: int NULL (FK)
  ParentGroupID: int NULL (AK1.1,IE1.1)
  GroupViewID: int NULL (FK)
  Deleted: tinyint NULL
  SiteID: int NULL (FK)
  GroupTypeID: int NULL (FK)
  SPGroupID: int NULL
  RuleID: int NULL (FK)
  GUID: varchar(36) NULL

GroupHostLinks
  GroupID: int NOT NULL (FK)
  HostID: int NOT NULL (FK)

Schedule
  ScheduleID: int IDENTITY
  Description: varchar(1000) NULL
  Enabled: numeric NOT NULL
  FreqType: numeric NOT NULL
  FreqInterval: numeric NOT NULL
  FreqSubType: numeric NULL
  FreqSubInterval: numeric NOT NULL
  FreqRelativeInt: numeric NOT NULL
  FreqRecurFactor: numeric NULL
  ActiveStartDate: numeric NULL
  ActiveEndDate: numeric NULL
  ActiveStartTOD: numeric NULL
  ActiveEndTOD: numeric NULL
  NumSchedScans: numeric NULL
  Deleted: numeric NOT NULL
  TimeZone: varchar(40) NULL

ActionJob
  ActionJobID: int IDENTITY
  ActionDetailsID: int NOT NULL (FK)
  ComponentID: int NULL (FK)
  StartDateTime: datetime NOT NULL
  ActionState: numeric NOT NULL
  Result: varchar(300) NULL
  ActionJobInfo: varchar(100) NULL
  LastModifiedAt: datetime NOT NULL

ActionDetails
  ActionDetailsID: int IDENTITY
  ItemID: int NULL
  HostID: int NULL (FK)
  ComponentID: int NULL (FK)
  HostGroupID: int NULL (IE1.1)
  ScheduleID: int NULL (FK)
  ActionType: numeric NOT NULL (IE2.1)
  RoleID: int NULL (FK)
  ScheduledBy: nvarchar(60) NOT NULL
  LastModifiedBy: nvarchar(60) NULL
  LastModifiedAt: datetime NULL
  NextRunDate: datetime NULL
  Suspended: numeric NOT NULL
  Deleted: numeric NOT NULL
  ComponentGroupID: int NULL (FK)
  Arguments: ntext NULL
  ControllerID: int NULL

Policy
  PolicyID: int IDENTITY
  Name: nvarchar(150) NOT NULL
  Description: nvarchar(80) NULL
  FileName: nvarchar(255) NULL
  Version: varchar(100) NULL
  RoleID: int NULL (FK)
  BinaryDataID: int NULL (FK)
  Deleted: numeric NOT NULL
  LastModifiedAt: datetime NULL
  LastModifiedBy: nvarchar(60) NULL
  ReadOnly: tinyint NULL
  EditorKey: varchar(50) NOT NULL
  Valid: tinyint NOT NULL

Hosts
  HostID: int IDENTITY
  HostIpAddress: varchar(47) NULL
  HostDNSName: NVARCHAR(254) NULL
  HostNBName: NVARCHAR(16) NULL
  HostNBDomain: nvarchar(16) NULL
  HostOSName: nvarchar(64) NULL
  HostOSVersion: nvarchar(32) NULL
  HostOSRevisionLevel: varchar(32) NULL
  HostOwner: nvarchar(50) NULL
  DateHostAdded: datetime NOT NULL
  GUID: varchar(36) NULL
  HostIPNbr: numeric(10) NOT NULL (IE1.1)
  MacAddress: char(17) NULL
  DateHostUpdated: datetime NOT NULL (IE1.2)
  OSGroupID: int NULL (FK)
  ISScanDate: datetime NULL (IE2.1)
  StatNameID: int NULL (IE2.2)

Products
  ProductID: int NOT NULL
  ProdName: nvarchar(40) NULL

Response
  ResponseID: int IDENTITY
  Name: nvarchar(150) NOT NULL
  Description: nvarchar(80) NULL
  FileName: nvarchar(255) NULL
  Version: varchar(100) NULL
  RoleID: int NULL (FK)
  BinaryDataID: int NULL (FK)
  Deleted: numeric NOT NULL
  LastModifiedAt: datetime NULL
  LastModifiedBy: nvarchar(60) NULL
  ReadOnly: tinyint NULL
  EditorKey: varchar(50) NOT NULL
  Valid: tinyint NOT NULL

License
  LicenseID: int IDENTITY
  Name: nvarchar(50) NULL
  BinaryDataID: int NULL (FK)
  Features: nvarchar(50) NULL
  FeatureDescription: nvarchar(100) NULL
  DeviceCount: int NULL
  MaintenanceDate: varchar(40) NULL
  ExpireDate: varchar(40) NULL
  State: tinyint NULL
  StateDescription: varchar(512) NULL
  LicenseType: tinyint NOT NULL
  KeyString: varchar(50) NULL
  StatNameID: int NULL (FK)

LicContactInfo
  GUID: nvarchar(40) NULL (FK)
  LicGUID: nvarchar(40) NULL
  Description: nvarchar(100) NULL
  NewLicenseID: int NULL (FK)

Sites
  SiteID: int IDENTITY(2,1)
  Name: nvarchar(60) NOT NULL
  Descr: nvarchar(255) NULL
  IpAddress: varchar(47) NOT NULL
  Port: int NOT NULL
  LastDataLoadAt: datetime NULL
  Deleted: tinyint NULL
  GUID: varchar(512) NULL

JobTypes
  JobTypeID: int IDENTITY
  Descr: varchar(80) NOT NULL

Tasks
  TaskID: int IDENTITY
  JobTypeID: int NOT NULL (FK)
  Name: varchar(60) NULL
  Descr: varchar(255) NULL
  LoadTableName: varchar(60) NULL
  LoadStoredProcName: varchar(60) NULL
  FormatFile: text NOT NULL
  LoadSQLStatement: varchar(4000) NULL

BinaryDataType
  BinaryDataType: tinyint NOT NULL
  BinaryDataTypeDesc: nvarchar(60) NOT NULL

DesktopAgentVersion
  GUID: varchar(36) NOT NULL
  Version: varchar(40) NOT NULL
  ReadmeFileID: int NULL (FK)
  RoleID: int NULL (FK)

PolicyVersion
  RoleID: int NOT NULL (FK)
  Version: varchar(100) NOT NULL
  DisplayVersion: varchar(100) NULL

ResponseVersion
  RoleID: int NOT NULL (FK)
  Version: varchar(100) NOT NULL
  DisplayVersion: varchar(100) NULL

ComponentDocument
  ComponentID: int NOT NULL (FK)
  NamespaceID: smallint NOT NULL (FK)
  BinaryDataID: int NOT NULL (FK)
  Version: varchar(100) NULL
  Enabled: bit NOT NULL

GroupDocument
  GroupID: int NOT NULL (FK)
  NamespaceID: smallint NOT NULL (FK)
  Version: varchar(100) NOT NULL
  BinaryDataID: int NOT NULL (FK)
  Enabled: bit NOT NULL

ReportInstance
  ReportInstanceID: int NOT NULL (FK)
  TemplateFileName: nvarchar(255) NULL (IE1.2)
  ReportCategory: nvarchar(255) NULL
  ReportName: nvarchar(255) NULL
  ReportFilePath: nvarchar(1000) NULL
  DateCreated: datetime NOT NULL
  UserID: int NULL (IE1.3)
  Shared: tinyint NOT NULL
  GroupID: int NULL (IE1.1)
  Recursion: tinyint NOT NULL
  Arguments: ntext NULL
  LastModifiedAt: datetime NOT NULL
  LastModifiedBy: nvarchar(255) NULL
Grouping Schema
Schema The following diagram displays the Grouping schema:
SiteRange
  SiteRangeID: smallint NOT NULL
  StartIPNbr: numeric(10) NULL
  EndIPNbr: numeric(10) NULL
  Description: nvarchar(64) NULL
  Deleted: tinyint NOT NULL

Role
  RoleID: int NOT NULL
  RoleName: varchar(60) NOT NULL
  ProductID: int NULL (FK)
  ClassName: varchar(255) NOT NULL (AK1.1)
  Namespace: varchar(255) NULL
  DefaultLoggingLevel: tinyint NULL
  DefaultStatus: tinyint NULL
  DefaultOptionFlags: tinyint NULL
  SupportsEC: tinyint NOT NULL
  SupportsGroupPolicy: tinyint NOT NULL

Component
  ComponentID: int NOT NULL
  RoleID: int NULL (FK) (AK1.3)
  LastPushedPolicyID: int NULL (FK)
  PropertyFileID: INTEGER NULL (FK)
  HostID: int NULL (FK) (AK1.1)
  Priority: numeric NOT NULL
  Status: numeric NOT NULL
  LastModifiedBy: nvarchar(60) NULL
  LastModifiedAt: datetime NULL
  Deleted: numeric NOT NULL
  EventSourcePort: int NULL
  EventPort: int NULL
  Version: varchar(40) NULL
  SensorName: nvarchar(100) NULL (AK1.2)
  Policy: nvarchar(434) NULL
  Master: varchar(30) NULL
  AvailableXPU: varchar(40) NULL
  LastInstalledXPU: varchar(40) NULL
  LoggingLevel: tinyint NULL
  LicenseState: smallint NULL
  XPUState: smallint NULL
  StateDescription: nvarchar(500) NULL
  UnexpectedConfigChange: tinyint NULL
  ModifiedBySensorController: tinyint NOT NULL
  DaemonPort: int NULL
  EventLogOption: tinyint NULL
  SiteID: int NULL (FK)
  LastPushedResponseID: int NULL (FK)
  XPUDate: datetime NULL
  Response: nvarchar(434) NULL
  PolicyGroupID: int NULL (FK)
  LastHeartBeat: datetime NULL
  GUID: varchar(36) NULL (IE1.1)
  LicenseID: int NULL (FK)
  PolicyChangedFlag: tinyint NOT NULL
  FCPEventPort: int NULL
  FCPEventSourcePort: int NULL
  ECStatus: tinyint NULL
  ECStateDescription: nvarchar(500) NULL
  OptionFlags: int NULL
  EventCollectorID: int NULL (FK)
  AlertEventPort: int NULL
  AlertEventSourcePort: int NULL

GroupView
  GroupViewID: int NOT NULL (IE1.1)
  GroupViewName: nvarchar(64) NOT NULL
  Deleted: tinyint NULL

Groups
  GroupID: int NOT NULL (AK1.2)
  GroupName: nvarchar(80) NOT NULL
  GroupDesc: nvarchar(255) NULL
  RoleID: int NULL (FK)
  ParentGroupID: int NULL (AK1.1,IE1.1)
  GroupViewID: int NULL (FK)
  Deleted: tinyint NULL
  SiteID: int NULL (FK)
  GroupTypeID: int NULL (FK)
  SPGroupID: int NULL
  RuleID: int NULL (FK)
  GUID: varchar(36) NULL

GroupHostLinks
  GroupID: int NOT NULL (FK)
  HostID: int NOT NULL (FK)

Hosts
  HostID: int NOT NULL
  HostIpAddress: varchar(47) NULL
  HostDNSName: NVARCHAR(254) NULL
  HostNBName: NVARCHAR(16) NULL
  HostNBDomain: nvarchar(16) NULL
  HostOSName: nvarchar(64) NULL
  HostOSVersion: nvarchar(32) NULL
  HostOSRevisionLevel: varchar(32) NULL
  HostOwner: nvarchar(50) NULL
  DateHostAdded: datetime NOT NULL
  GUID: varchar(36) NULL
  HostIPNbr: numeric(10) NOT NULL (IE1.1)
  MacAddress: char(17) NULL
  DateHostUpdated: datetime NOT NULL (IE1.2)
  OSGroupID: int NULL (FK)
  ISScanDate: datetime NULL (IE2.1)
  StatNameID: int NULL (IE2.2)

Products
  ProductID: int NOT NULL
  ProdName: nvarchar(40) NULL

Sites
  SiteID: int NOT NULL
  Name: nvarchar(60) NOT NULL
  Descr: nvarchar(255) NULL
  IpAddress: varchar(47) NOT NULL
  Port: int NOT NULL
  LastDataLoadAt: datetime NULL
  Deleted: tinyint NULL

GroupTypes
  GroupTypeID: int NOT NULL
  Name: nvarchar(64) NULL (AK1.1)
  Descr: nvarchar(255) NULL

HostCounts
  CountDate: datetime NOT NULL
  GroupID: int NOT NULL (FK)
  HostCount: int NOT NULL

GroupsParentChild
  ParentID: int NULL (FK)
  ChildID: int NOT NULL (FK)

GroupRule
  RuleID: int NOT NULL
  RuleType: tinyint NOT NULL (FK)
  RuleValue: ntext NOT NULL
  Description: nvarchar(254) NULL
  LastModifiedAt: datetime NULL

GroupPolicy
  GroupID: int NOT NULL (FK)
  RoleID: int NOT NULL (FK)
  PolicyID: int NOT NULL (FK)

GroupRuleType
  RuleType: tinyint NOT NULL
  Description: nvarchar(60) NOT NULL

UnGroupedHosts
  HostID: int NOT NULL (FK)
  UnGroupedStatus: tinyint NULL (FK)
  UnGroupedDetails: nvarchar(254) NULL
  LastModifiedAt: datetime NULL

UnGroupedStatus
  UnGroupedStatus: tinyint NOT NULL
  UnGroupedStatusDesc: nvarchar(60) NULL
ITRSO Schema
Schema The following diagram displays the ITRSO schema:
RatingSet
  RatingID: int NOT NULL (FK)
  RatingAttributeID: int NOT NULL (FK)
  RatingOrder: int NOT NULL

RatingAttribute
  RatingAttributeID: int NOT NULL
  RatingAttributeCodeID: int NOT NULL (FK)
  AttributeValue: varchar(80) NULL

RatingAttributeCode
  RatingAttributeCodeID: int NOT NULL
  AttributeName: nvarchar(80) NOT NULL

CheckProducts
  CheckProductID: int NOT NULL
  SecChkID: int NOT NULL (FK)
  ProdVerID: int NOT NULL (FK)
  Comment: varchar(4000) NULL
  FalseNegative: ntext NULL
  FalsePositive: ntext NULL
  ProductCheckName: varchar(120) NULL
  AlgorithmID: int NULL (FK)
  VulnStatus: bit NULL

AlgorithmRating
  AlgorithmID: int NOT NULL (FK)
  RatingID: int NOT NULL (FK)

Algorithm
  AlgorithmID: int NOT NULL
  AlgorithmNum: int NOT NULL
  NameSpace: char(10) NULL

Rating
  RatingID: int NOT NULL

CorrelationInfo
  RSCheckProductID: int NOT NULL (FK)
  ScannerProductID: int NOT NULL (FK)
  RoleNumber: int NOT NULL

SecurityChecks
  SecChkID: int NOT NULL
  TagName: varchar(60) NOT NULL
  ChkName: varchar(40) NOT NULL
  ChkBriefDesc: NVARCHAR(255) NULL
  ChkDetailDesc: ntext NULL
  ChkDateReported: datetime NULL
  ChkDateEntered: datetime NULL
  ChkDateChanged: datetime NULL
  ItemAffected: nvarchar(255) NULL
  Discoverer: nvarchar(255) NULL
  ConseqName: varchar(20) NULL
  ConseqBriefDesc: nvarchar(255) NULL
  ConseqDetailDesc: ntext NULL
  Obsolete: bit NOT NULL
  ReplacedBy: int NULL
  VulnStatus: bit NOT NULL
Metrics Schema
Schema The following diagram displays the Metrics schema:
Groups
  GroupID: int NOT NULL (AK1.2)
  GroupName: nvarchar(80) NOT NULL
  GroupDesc: nvarchar(255) NULL
  RoleID: int NULL (FK)
  ParentGroupID: int NULL (AK1.1,IE1.1)
  GroupViewID: int NULL (FK)
  Deleted: tinyint NULL
  SiteID: int NULL (FK)
  GroupTypeID: int NULL (FK)
  SPGroupID: int NULL
  RuleID: int NULL (FK)
  GUID: varchar(36) NULL

VulnStatus
  VulnStatus: tinyint NOT NULL
  VulnStatusDesc: nvarchar(60) NULL
  SortID: int NOT NULL

Severity
  SeverityID: tinyint NOT NULL
  SeverityDesc: nvarchar(10) NULL

Metrics
  GroupID: int NOT NULL (FK)
  SeverityID: tinyint NOT NULL (FK)
  MetricsTypeID: int NOT NULL (FK)
  DayID: int NOT NULL (FK)
  VulnStatus: tinyint NOT NULL (FK)
  SecChkID: int NULL
  Counts: INTEGER NOT NULL

MetricsDay
  DayID: int NOT NULL
  CurrentDate: datetime NOT NULL (AK1.1)
  DayNbr: smallint NOT NULL
  DayOfWeek: nvarchar(20) NOT NULL
  Month: smallint NOT NULL
  Quarter: smallint NOT NULL
  Year: smallint NOT NULL
  WeekEndFlag: smallint NOT NULL

MetricsType
  MetricsTypeID: int NOT NULL
  Descr: nvarchar(30) NULL

HostCounts
  CountDate: datetime NOT NULL
  GroupID: int NOT NULL (FK)
  HostCount: int NOT NULL

RejectMetrics
  SiteID: INTEGER NULL
  SPGroupID: int NOT NULL
  SecChkID: int NOT NULL
  SeverityID: int NOT NULL
  MetricsTypeID: int NOT NULL
  MetricsDay: datetime NOT NULL
  VulnStatus: int NOT NULL
  Counts: int NOT NULL
Sensor Data Schema
Schema The following diagram displays the Sensor Data schema:
SensorData
  SensorDataID: bigint NOT NULL
  AlertDataID: int NOT NULL
  AlertFormatVersion: int NULL
  AlertNameType: int NULL
  AlertName: nvarchar(60) NULL
  AlertDateTime: datetime NULL (IE8.2)
  LocalTimezoneOffset: int NULL
  AlertTimePrecision: int NULL
  AlertTimeSeqID: int NULL
  AlertID: char(26) NULL
  SensorAddress: varchar(60) NULL
  SensorName: nvarchar(100) NULL
  ProductID: int NULL
  AlertTypeID: int NULL
  AlertPriority: int NULL
  AlertFlags: int NULL
  SensorAddressInt: numeric(10) NULL
  SrcAddressName: VARCHAR(60) NULL
  SrcAddressInt: numeric(10) NULL
  DestAddressName: VARCHAR(60) NULL
  DestAddressInt: numeric(10) NULL
  ProtocolID: INTEGER NULL
  SourcePort: int NULL
  ObjectName: nvarchar(2000) NULL
  ObjectType: tinyint NULL
  SourcePortName: nvarchar(60) NULL
  DestPortName: nvarchar(60) NULL
  AttackSuccessful: tinyint NULL
  AttackFragmented: tinyint NULL
  AttackOrigin: nvarchar(60) NULL
  ResourceID: int NULL
  ResourceSubID: varchar(60) NULL
  Application: nvarchar(60) NULL
  UserName: nvarchar(60) NULL
  ProcessingFlag: int NULL (IE7.1)
  Cleared: char(1) NULL (IE8.3)
  HostGUID: varchar(36) NULL
  StartTime: DATE NULL
  StopTime: DATE NULL
  HostDNSName: nvarchar(254) NULL
  HostNBName: nvarchar(20) NULL
  HostNBDomain: nvarchar(255) NULL
  HostOSName: nvarchar(64) NULL
  HostOSVersion: nvarchar(32) NULL
  HostOSRevisionLevel: varchar(32) NULL
  VulnStatus: tinyint NULL
  AlertCount: INTEGER NOT NULL
  ObservanceID: bigint NULL (IE8.1)
  OSGroupID: int NULL
  ComponentID: int NULL
  SensorGUID: varchar(36) NULL
  LicModule: varchar(100) NULL

SensorDataUpdates
  SensorDataID: bigint NOT NULL (FK)
  AlertUpdateName: nvarchar(50) NULL
  AlertUpdateOrder: int NULL
  AlertUpdateDataType: varchar(30) NULL
  AlertUpdateValue: nvarchar(2000) NULL
  AlertUpdateBlob: TEXT NULL
  AlertUpdateSection: INTEGER NULL

SensorDataAVP
  SensorDataID: bigint NOT NULL (FK)
  AttributeName: nvarchar(50) NULL
  AttributeOrder: int NULL
  AttributeDataType: varchar(30) NULL
  AttributeValue: nvarchar(2000) NULL
  AttributeBlob: TEXT NULL
  AttributeSection: INTEGER NULL

SensorDataResponse
  SensorDataID: bigint NOT NULL (FK)
  ResponseTypeName: varchar(32) NULL
  ResponseName: nvarchar(32) NULL
  Status: tinyint NULL

AlertType
  AlertTypeID: INTEGER NOT NULL
  AlertTypeName: varchar(30) NULL
  ObservanceType: tinyint NULL
  AlertCategoryID: INTEGER NULL (FK)
  Description: varchar(80) NULL

AlertCategory
  AlertCategoryID: int NOT NULL
  AlertCategoryName: varchar(20) NULL
  Description: varchar(80) NULL

AlertTypeView
  AlertTypeID: AlertType.AlertTypeID: INTEGER NOT NULL
  ObservanceType: AlertType.ObservanceType: tinyint NULL
  ObservanceTypeDesc: ObservanceType.ObservanceTypeDesc: nvarchar(30) NUL

wrk_SensorData
  SensorDataID: bigint NOT NULL
  SecChkID: INTEGER NULL
  AlertName: nvarchar(60) NULL
  AlertNameType: INTEGER NULL
  AlertTypeID: INTEGER NULL
  ProductID: int NULL
  AlertDateTime: DATE NULL
  AlertPriority: INTEGER NULL
  SrcAddressName: varchar(60) NULL
  SrcAddressInt: numeric(10) NULL
  DestAddressName: varchar(60) NULL
  DestAddressInt: numeric(10) NULL
  SensorAddress: varchar(100) NULL
  SensorName: nvarchar(100) NULL
  SensorAddressInt: numeric(10) NULL
  ProcessingFlag: INTEGER NULL
  ObjectID: int NULL
  SourcePort: INTEGER NULL
  DestPortName: nvarchar(60) NULL
  HostDNSName: nvarchar(254) NULL
  HostNBDomain: nvarchar(255) NULL
  HostNBName: nvarchar(20) NULL
  HostOSName: nvarchar(64) NULL
  HostOSVersion: nvarchar(32) NULL
  HostGUID: varchar(36) NULL
  SrcHostID: int NULL
  DstHostID: int NULL
  ComponentID: INTEGER NULL
  Cleared: char(1) NULL
  VulnStatus: tinyint NULL
  RejectReason: varchar(200) NULL
  AlertCount: INTEGER NULL
  ObjectType: tinyint NULL
  ObjectName: nvarchar(200) NULL
  AlertFlags: int NULL
  ObservanceID: bigint NULL
  OSGroupID: int NULL
  SensorGUID: varchar(36) NULL
  LicModule: varchar(100) NULL

stg_SensorData
  SensorDataID: bigint NOT NULL
  AlertDataID: int NULL
  WorkingSetNbr: tinyint NULL
Site Analysis Schema
Schema The following diagram displays the Site Analysis schema:
VulnStatus
  VulnStatus: tinyint NOT NULL
  VulnStatusDesc: nvarchar(60) NULL
  SortID: int NOT NULL

SensorHost
  SensorID: Component.ComponentID: int NOT NULL
  SensorHostID: Hosts.HostID: int NOT NULL
  SensorIPAddress: Hosts.HostIPNbr: numeric(10) NOT NULL
  SensorDNSName: Hosts.HostDNSName: NVARCHAR(254) NULL
  SensorOSName: Hosts.HostOSName: nvarchar(64) NULL
  SensorName: Component.SensorName: nvarchar(100) NULL

ObservanceType
  ObservanceType: tinyint NOT NULL
  ObservanceTypeDesc: nvarchar(30) NULL

Severity
  SeverityID: tinyint NOT NULL
  SeverityDesc: nvarchar(10) NULL

Observances
  ObservanceID: bigint NOT NULL
  ObservanceTime: datetime NOT NULL (IE10.1,IE8.1,IE9.1)
  SecChkID: INTEGER NULL (FK) (IE9.4)
  SensorID: int NOT NULL (IE4.1,IE9.5)
  SourceID: int NOT NULL (IE10.3,IE6.1,IE9.3)
  TargetID: int NOT NULL (IE10.2,IE5.1,IE9.2)
  ObservanceCount: int NULL
  ObjectID: int NULL (FK) (IE9.6)
  SeverityID: tinyint NULL (FK) (IE9.7)
  ClearedCount: INTEGER NULL
  VulnStatus: tinyint NULL (FK) (IE9.9)
  ObservanceType: tinyint NULL (FK) (IE9.8)
  LastModifiedAt: datetime NULL (IE11.1)

ObservanceColumn
  DisplayName: varchar(100) NOT NULL
  QualifiedColName: varchar(100) NULL
  TableName: varchar(100) NULL
  ColName: varchar(100) NULL
  PK_ColName: varchar(100) NULL
  FK_ColName: varchar(100) NULL
  FK_TableName: varchar(100) NULL
  ColType: char(1) NULL
  JoinType: varchar(15) NULL
  FilterColName: varchar(100) NULL
  IndexHint: varchar(100) NULL
  UniqueToDimension: tinyint NULL

Component
  ComponentID: int NOT NULL
  RoleID: int NULL (FK) (AK1.3)
  LastPushedPolicyID: int NULL (FK)
  PropertyFileID: INTEGER NULL (FK)
  HostID: int NULL (FK) (AK1.1)
  Priority: numeric NOT NULL
  Status: numeric NOT NULL
  LastModifiedBy: nvarchar(60) NULL
  LastModifiedAt: datetime NULL
  Deleted: numeric NOT NULL
  EventSourcePort: int NULL
  EventPort: int NULL
  Version: varchar(40) NULL
  SensorName: nvarchar(100) NULL (AK1.2)
  Policy: nvarchar(434) NULL
  Master: varchar(30) NULL
  AvailableXPU: varchar(40) NULL
  LastInstalledXPU: varchar(40) NULL
  LoggingLevel: tinyint NULL
  LicenseState: smallint NULL
  XPUState: smallint NULL
  StateDescription: nvarchar(500) NULL
  UnexpectedConfigChange: tinyint NULL
  ModifiedBySensorController: tinyint NOT NULL
  DaemonPort: int NULL
  EventLogOption: tinyint NULL
  SiteID: int NULL (FK)
  LastPushedResponseID: int NULL (FK)
  XPUDate: datetime NULL
  Response: nvarchar(434) NULL
  PolicyGroupID: int NULL (FK)
  LastHeartBeat: datetime NULL
  GUID: varchar(36) NULL (IE1.1)
  LicenseID: int NULL (FK)
  PolicyChangedFlag: tinyint NOT NULL
  FCPEventPort: int NULL
  FCPEventSourcePort: int NULL
  ECStatus: tinyint NULL
  ECStateDescription: nvarchar(500) NULL
  OptionFlags: int NULL
  EventCollectorID: int NULL (FK)
  AlertEventPort: int NULL
  AlertEventSourcePort: int NULL

SecurityChecks
  SecChkID: int NOT NULL
  TagName: varchar(60) NOT NULL (AK1.1)
  ChkName: varchar(40) NOT NULL
  ChkBriefDesc: NVARCHAR(255) NULL
  ChkDetailDesc: ntext NULL
  ChkDateReported: datetime NULL
  ChkDateEntered: datetime NULL
  ChkDateChanged: datetime NULL
  ItemAffected: nvarchar(255) NULL
  Discoverer: nvarchar(255) NULL
  ConseqName: varchar(20) NULL
  ConseqBriefDesc: nvarchar(255) NULL
  ConseqDetailDesc: ntext NULL
  Obsolete: bit NOT NULL
  ReplacedBy: int NULL
  VulnStatus: bit NOT NULL

Hosts
  HostID: int NOT NULL
  HostIpAddress: varchar(47) NULL
  HostDNSName: NVARCHAR(254) NULL
  HostNBName: NVARCHAR(16) NULL
  HostNBDomain: nvarchar(16) NULL
  HostOSName: nvarchar(64) NULL
  HostOSVersion: nvarchar(32) NULL
  HostOSRevisionLevel: varchar(32) NULL
  HostOwner: nvarchar(50) NULL
  DateHostAdded: datetime NOT NULL
  GUID: varchar(36) NULL
  HostIPNbr: numeric(10) NOT NULL (IE1.1)
  MacAddress: char(17) NULL
  DateHostUpdated: datetime NOT NULL (IE1.2)
  OSGroupID: int NULL (FK)
  ISScanDate: datetime NULL (IE2.1)
  StatNameID: int NULL (IE2.2)
Sourc
eH
ost
So
urc
eID
: <
Ho
sts
.Ho
stID
>
So
urc
eIp
Ad
dre
ss: <
Ho
sts
.Ho
stIp
Nb
r>
Sourc
eD
NS
Nam
e: <
Hosts
.HostD
NS
Nam
e>
Sourc
eO
SN
am
e: <
Hosts
.HostO
SN
am
e>
Ta
rge
tHo
st
Ta
rge
tID
: <
Ho
sts
.Ho
stID
>
Ta
rge
tIp
Ad
dre
ss: <
Ho
sts
.Ho
stIp
Nb
r>
Targ
etD
NS
Nam
e: <
Hosts
.HostD
NS
Nam
e>
Targ
etO
SN
am
e: <
Hosts
.HostO
SN
am
e>
Ta
rge
tIP
Dis
pla
y: H
osts
.Ho
stIp
Ad
dre
ss: va
rch
ar(
47
) N
UL
L
Ta
rge
tOS
Re
vis
ion
Le
ve
l: H
osts
.Ho
stO
SR
evis
ion
Le
ve
l: v
arc
ha
r(3
2)
NU
LL
Targ
etN
BN
am
e: H
osts
.HostN
BN
am
e: N
VA
RC
HA
R(1
6)
NU
LL
Site
Filt
ers
Site
Filt
erI
D: in
t N
OT
NU
LL
Site
Filt
erT
yp
eID
: in
t N
UL
L (
FK
)
Site
Filt
erN
am
e: n
va
rch
ar(
60)
NU
LL
Site
Filt
erD
esc: n
text N
UL
L
Fusio
nIg
nore
Fla
g: bit N
OT
NU
LL
De
lete
d: tin
yin
t N
UL
L
Cre
ate
dB
y: va
rch
ar(
60)
NU
LL
Date
Modifie
d: date
tim
e N
ULL
Ob
se
rva
nce
Site
Filt
ers
Ob
se
rva
nce
ID: b
igin
t N
OT
NU
LL
(IE
1.1
)
Site
Filt
erR
ule
ID: in
t N
OT
NU
LL
(F
K)
Site
Filt
erI
D: in
t N
OT
NU
LL
(F
K)
Ob
se
rva
nce
Site
Filt
ers
Vie
w
Ob
se
rva
nce
ID: O
bse
rva
nce
Site
Filt
ers
.Ob
se
rva
nce
ID: b
igin
t N
OT
NU
LL
Site
Filt
erI
D: O
bse
rva
nce
Site
Filt
ers
.Site
Filt
erI
D: in
t N
OT
NU
LL
Site
Filt
erT
yp
e: S
ite
Filt
erT
yp
e.S
ite
Filt
erT
yp
e: ch
ar(
2)
NO
T N
UL
L
Site
Filt
erN
am
e: S
ite
Filt
ers
.Site
Filt
erN
am
e: n
va
rch
ar(
60)
NU
LL
Site
Filt
erD
esc: <
co
nve
rt(v
arc
ha
r(4
000...>
Cre
ate
dB
y: S
ite
Filt
ers
.Cre
ate
dB
y: va
rch
ar(
60)
NU
LL
Site
Filt
erT
yp
e
Site
Filt
erT
yp
eID
: in
t N
OT
NU
LL
Site
Filt
erT
yp
e: ch
ar(
2)
NO
T N
UL
L (
AK
1.1
)
Site
Filt
erN
am
e: n
va
rch
ar(
80)
NO
T N
UL
L
Obje
ctT
ype
Ob
jectT
yp
e: tin
yin
t N
OT
NU
LL
Ob
jectT
yp
eD
esc: n
va
rch
ar(
30)
NO
T N
UL
L
Ob
ject
Ob
jectID
: in
t N
OT
NU
LL
Ob
jectT
yp
e: tin
yin
t N
OT
NU
LL
(F
K)
(IE
2.2
)
Obje
ctN
am
e: nvarc
har(
200)
NO
T N
ULL (
IE1.1
,IE
2.1
)
Ob
jectV
iew
Ob
jectID
: O
bje
ct.O
bje
ctID
: in
t N
OT
NU
LL
Ob
jectT
yp
e: O
bje
ct.O
bje
ctT
yp
e: tin
yin
t N
OT
NU
LL
Ob
jectN
am
e: O
bje
ct.O
bje
ctN
am
e: n
va
rch
ar(
200)
NO
T N
UL
L
Ob
jectT
yp
eD
esc: O
bje
ctT
yp
e.O
bje
ctT
yp
eD
esc: n
va
rch
ar(
30)
NO
T N
UL
L
La
stV
uln
Sta
tus
Vu
lnS
tatu
sD
esc: V
uln
Sta
tus.V
uln
Sta
tusD
esc: n
va
rch
ar(
60)
NU
LL
Vu
lnS
tatu
s: V
uln
Sta
tus.V
uln
Sta
tus: tin
yin
t N
OT
NU
LL
Site
Filt
erR
ule
s
Site
Filt
erR
ule
ID: in
t N
OT
NU
LL
SiteF
ilterI
D: in
t N
OT
NU
LL (
FK
)
Site
Filt
erS
tart
Da
te: d
ate
tim
e N
UL
L
SiteF
ilterE
ndD
ate
: date
tim
e N
ULL
Be
gin
Src
Ad
dre
ssIn
t: n
um
eric(1
0,0
) N
UL
L (
IE1
.1)
En
dS
rcA
dd
ressIn
t: n
um
eric(1
0,0
) N
UL
L (
IE2
.1)
Be
gin
De
stA
dd
ressIn
t: n
um
eric(1
0,0
) N
UL
L (
IE3
.1)
En
dD
estA
dd
ressIn
t: n
um
eric(1
0,0
) N
UL
L (
IE4
.1)
Ta
gN
am
eIn
: va
rch
ar(
900)
NU
LL
(IE
5.1
)
TagN
am
eLik
e: varc
har(
60
) N
ULL (
IE6.1
)
Ta
rge
tOb
jectN
am
eL
ike
: va
rch
ar(
20
0)
NU
LL
(IE
7.1
)
Vu
lnS
tatu
sIn
: va
rch
ar(
90
0)
NU
LL
(IE
8.1
)
Ta
rge
tOb
jectT
yp
e: tin
yin
t N
UL
L (
FK
)
Ob
se
rva
nce
Typ
e: tin
yin
t N
UL
L (
FK
)
Site Filters Schema
Schema The following diagram displays the Site Filters schema:
SiteFilterType
  SiteFilterTypeID: int
  SiteFilterType: char(2)
  SiteFilterName: nvarchar(80)

SiteFilters
  SiteFilterID: int
  SiteFilterTypeID: int (FK)
  SiteFilterName: nvarchar(60)
  SiteFilterDesc: ntext
  FusionIgnoreFlag: bit
  Deleted: tinyint
  CreatedBy: varchar(60)
  DateModified: datetime

Object
  ObjectID: int
  ObjectType: tinyint (FK)
  ObjectName: nvarchar(200)

ObjectType
  ObjectType: tinyint
  ObjectTypeDesc: nvarchar(30)

SiteFilterRules
  SiteFilterRuleID: int
  SiteFilterID: int (FK)
  SiteFilterStartDate: datetime
  SiteFilterEndDate: datetime
  BeginSrcAddressInt: numeric(10,0)
  EndSrcAddressInt: numeric(10,0)
  BeginDestAddressInt: numeric(10,0)
  EndDestAddressInt: numeric(10,0)
  TagNameIn: varchar(900)
  TagNameLike: varchar(60)
  TargetObjectNameLike: varchar(200)
  VulnStatusIn: varchar(900)
  TargetObjectType: tinyint (FK)
  ObservanceType: tinyint (FK)

ObservanceSiteFilters
  ObservanceID: bigint
  SiteFilterRuleID: int (FK)
  SiteFilterID: int (FK)

Observances
  ObservanceID: bigint
  ObservanceTime: datetime
  SecChkID: INTEGER (FK)
  SensorID: int
  SourceID: int
  TargetID: int
  ObservanceCount: int
  ObjectID: int (FK)
  SeverityID: tinyint (FK)
  ClearedCount: INTEGER
  VulnStatus: tinyint (FK)
  ObservanceType: tinyint (FK)
  LastModifiedAt: datetime

ObservanceSiteFiltersView
  ObservanceID: ObservanceSiteFilters.ObservanceID: bigint NOT NULL
  SiteFilterID: ObservanceSiteFilters.SiteFilterID: int NOT NULL
  SiteFilterType: SiteFilterType.SiteFilterType: char(2) NOT NULL
  SiteFilterName: SiteFilters.SiteFilterName: nvarchar(60) NULL
  SiteFilterDesc: <convert(varchar(4000...>
  CreatedBy: SiteFilters.CreatedBy: varchar(60) NULL

SiteFilterView
  SiteFilterID: SiteFilters.SiteFilterID: int NOT NULL
  SiteFilterRuleID: SiteFilterRules.SiteFilterRuleID: int NOT NULL
  SiteFilterTypeID: SiteFilters.SiteFilterTypeID: int NULL
  SiteFilterType: SiteFilterType.SiteFilterType: char(2) NOT NULL
  SiteFilterName: SiteFilters.SiteFilterName: nvarchar(60) NULL
  SiteFilterStartDate: SiteFilterRules.SiteFilterStartDate: datetime NULL
  SiteFilterEndDate: SiteFilterRules.SiteFilterEndDate: datetime NULL
  BeginSrcAddressInt: SiteFilterRules.BeginSrcAddressInt: numeric(10,0) NULL
  EndSrcAddressInt: SiteFilterRules.EndSrcAddressInt: numeric(10,0) NULL
  BeginDestAddressInt: SiteFilterRules.BeginDestAddressInt: numeric(10,0) NULL
  EndDestAddressInt: SiteFilterRules.EndDestAddressInt: numeric(10,0) NULL
  TagNameIn: SiteFilterRules.TagNameIn: varchar(900) NULL
  TagNameLike: SiteFilterRules.TagNameLike: varchar(60) NULL
  TargetObjectNameLike: SiteFilterRules.TargetObjectNameLike: varchar(200) NULL
  VulnStatusIn: SiteFilterRules.VulnStatusIn: varchar(900) NULL
  TargetObjectType: SiteFilterRules.TargetObjectType: tinyint NULL
Staging and Rejects Schema
Schema The following table displays the Staging and Rejects schema:
SensorDataRejected
  AlertDataID: bigint NOT NULL (IE1.1)
  AlertFormatVersion: int NULL
  AlertNameType: int NULL
  AlertName: nvarchar(60) NULL
  AlertDateTime: datetime NULL
  LocalTimezoneOffset: int NULL
  AlertTimePrecision: int NULL
  AlertTimeSeqID: int NULL
  AlertID: varchar(26) NULL
  SensorAddress: varchar(60) NULL
  SensorName: nvarchar(100) NULL
  ProductID: int NULL
  AlertTypeID: int NULL
  AlertPriority: int NULL
  AlertFlags: int NULL
  ProtocolID: int NULL
  SourcePort: int NULL
  SourcePortName: nvarchar(60) NULL
  DestPortName: nvarchar(60) NULL
  SrcAddressName: varchar(60) NULL
  SrcAddressInt: numeric(10) NULL
  DestAddressName: varchar(60) NULL
  DestAddressInt: numeric(10) NULL
  SensorAddressInt: numeric(10) NULL
  AttackSuccessful: tinyint NULL
  AttackFragmented: tinyint NULL
  AttackOrigin: nvarchar(60) NULL
  ResourceID: int NULL
  ResourceSubID: varchar(60) NULL
  Application: nvarchar(60) NULL
  UserName: nvarchar(60) NULL
  HostGUID: varchar(36) NULL
  StartTime: datetime NULL
  StopTime: datetime NULL
  HostDNSName: nvarchar(254) NULL
  HostNBName: nvarchar(20) NULL
  HostNBDomain: nvarchar(255) NULL
  HostOSName: nvarchar(64) NULL
  HostOSVersion: nvarchar(32) NULL
  HostOSRevisionLevel: varchar(32) NULL
  VulnStatus: tinyint NULL
  ProcessingFlag: smallint NULL
  SensorDataID: bigint NULL
  Cleared: char(1) NULL
  RejectReason: varchar(200) NULL
  AlertCount: INTEGER NULL
  ObjectType: tinyint NULL
  ObjectName: nvarchar(2000) NULL
  OSGroupID: int NULL
  ComponentID: int NULL
  SensorGUID: varchar(36) NULL

StgWorkingSet
  SetID: smallint NOT NULL
  EC_Host: varchar(60) NULL
  EC_GUID: varchar(60) NULL
  LastCount: int NULL
  RowsToLoad: int NULL
  Utilization: int NULL
  LoadDate: datetime NULL

stg_AlertUpdates
  AlertDataID: int NOT NULL
  AlertUpdateName: nvarchar(50) NULL
  AlertUpdateOrder: int NULL
  AlertUpdateDataType: varchar(30) NULL
  AlertUpdateValue: nvarchar(2000) NULL
  AlertUpdateBlob: text NULL
  AlertUpdateSection: INTEGER NULL

stg_AlertData
  AlertDataID: int NOT NULL
  AlertFormatVersion: int NULL
  AlertNameType: int NULL
  AlertName: nvarchar(60) NULL
  AlertDateTime: datetime NULL
  LocalTimezoneOffset: int NULL
  AlertTimePrecision: int NULL
  AlertTimeSeqID: int NULL
  AlertID: char(26) NULL
  SensorAddress: varchar(60) NULL
  SensorName: nvarchar(100) NULL
  ProductID: int NULL
  AlertTypeID: int NULL
  AlertPriority: int NULL
  AlertFlags: int NULL
  ProtocolID: int NULL
  SourcePort: int NULL
  ObjectName: nvarchar(2000) NULL
  SourcePortName: nvarchar(60) NULL
  DestPortName: nvarchar(60) NULL
  SrcAddressName: varchar(60) NULL
  SrcAddressInt: numeric(10) NULL
  DestAddressName: varchar(60) NULL
  DestAddressInt: numeric(10) NULL
  SensorAddressInt: numeric(10) NULL
  AttackSuccessful: tinyint NULL
  AttackFragmented: tinyint NULL
  AttackOrigin: nvarchar(60) NULL
  ResourceID: int NULL
  ResourceSubID: varchar(60) NULL
  Application: nvarchar(60) NULL
  UserName: nvarchar(60) NULL
  HostGUID: varchar(36) NULL
  StartTime: DATE NULL
  StopTime: DATE NULL
  HostDNSName: nvarchar(254) NULL
  HostNBName: nvarchar(20) NULL
  HostNBDomain: nvarchar(255) NULL
  HostOSName: nvarchar(64) NULL
  HostOSVersion: nvarchar(32) NULL
  HostOSRevisionLevel: varchar(32) NULL
  VulnStatus: tinyint NULL
  ProcessingFlag: smallint NULL
  SensorDataID: int NULL
  Cleared: char(1) NULL
  AlertCount: int NULL
  ObjectType: tinyint NULL
  OSGroupID: int NULL

stg_AlertAVP
  AlertDataID: int NOT NULL
  AttributeName: nvarchar(50) NULL
  AttributeOrder: int NULL
  AttributeDataType: varchar(30) NULL
  AttributeValue: nvarchar(2000) NULL
  AttributeBlob: TEXT NULL
  AttributeSection: INTEGER NULL

stg_AlertResponse
  AlertDataID: int NOT NULL
  ResponseTypeName: varchar(32) NULL
  ResponseName: nvarchar(32) NULL
  Status: tinyint NULL

SDAVPRejected
  AlertDataID: bigint NOT NULL (IE1.1)
  AlertID: varchar(26) NULL
  AttributeName: nvarchar(50) NULL
  AttributeOrder: int NULL
  AttributeDataType: varchar(30) NULL
  AttributeValue: nvarchar(2000) NULL
  AttributeBlob: TEXT NULL
  AttributeSection: INTEGER NULL

SDUpdatesRejected
  AlertDataID: bigint NOT NULL (IE1.1)
  AlertID: varchar(26) NULL
  AlertUpdateName: nvarchar(50) NULL
  AlertUpdateOrder: int NULL
  AlertUpdateDataType: varchar(30) NULL
  AlertUpdateValue: nvarchar(2000) NULL
  AlertUpdateBlob: text NULL
  AlertUpdateSection: INTEGER NULL

SDResponseRejected
  AlertDataID: bigint NOT NULL (IE1.1)
  AlertID: varchar(26) NULL
  ResponseTypeName: varchar(32) NULL
  ResponseName: nvarchar(32) NULL
  Status: tinyint NULL

RejectMetrics
  SiteID: INTEGER NULL
  SPGroupID: int NOT NULL
  SecChkID: int NOT NULL
  SeverityID: int NOT NULL
  MetricsTypeID: int NOT NULL
  MetricsDay: datetime NOT NULL
  VulnStatus: int NOT NULL
  Counts: int NOT NULL

wrk_SensorData
  SensorDataID: bigint NOT NULL
  SecChkID: INTEGER NULL
  AlertName: nvarchar(60) NULL
  AlertNameType: INTEGER NULL
  AlertTypeID: INTEGER NULL
  ProductID: int NULL
  AlertDateTime: DATE NULL
  AlertPriority: INTEGER NULL
  SrcAddressName: varchar(60) NULL
  SrcAddressInt: numeric(10) NULL
  DestAddressName: varchar(60) NULL
  DestAddressInt: numeric(10) NULL
  SensorAddress: varchar(100) NULL
  SensorName: nvarchar(100) NULL
  SensorAddressInt: numeric(10) NULL
  ProcessingFlag: INTEGER NULL
  ObjectID: int NULL
  SourcePort: INTEGER NULL
  DestPortName: nvarchar(60) NULL
  HostDNSName: nvarchar(254) NULL
  HostNBDomain: nvarchar(255) NULL
  HostNBName: nvarchar(20) NULL
  HostOSName: nvarchar(64) NULL
  HostOSVersion: nvarchar(32) NULL
  HostGUID: varchar(36) NULL
  SrcHostID: int NULL
  DstHostID: int NULL
  ComponentID: INTEGER NULL
  Cleared: char(1) NULL
  VulnStatus: tinyint NULL
  RejectReason: varchar(200) NULL
  AlertCount: INTEGER NULL
  ObjectType: tinyint NULL
  ObjectName: nvarchar(200) NULL
  AlertFlags: int NULL
  ObservanceID: bigint NULL
  OSGroupID: int NULL
  SensorGUID: varchar(36) NULL
  LicModule: varchar(100) NULL

stg_SensorData
  SensorDataID: bigint NOT NULL
  AlertDataID: int NULL
  WorkingSetNbr: tinyint NULL

wrk_Observances
  ObsID: bigint NULL
  ObsTime: datetime NULL
  ObsType: tinyint NULL
  ObsSecChkID: int NULL
  ObsSeverityID: tinyint NULL
  ObsSensorID: int NULL
  ObsSourceID: int NULL
  ObsTargetID: int NULL
  ObsObjectID: int NULL
  ObsVulnStatus: tinyint NULL
  Action: char(1) NULL
  ObsCount: int NULL
  ObsClearedCount: int NULL
Statistics Schema
Schema The following diagram displays the Statistics schema:
StatCategory
  StatCategoryID: int NOT NULL
  Name: nvarchar(200) NOT NULL

StatName
  StatNameID: int NOT NULL
  LMName: nvarchar(200) NOT NULL
  DisplayName: nvarchar(200) NOT NULL

StatCatAtt
  StatAttributeID: int NOT NULL (FK)
  StatCategoryID: int NOT NULL (FK)

Statistic
  StatCategoryID: int NOT NULL (FK)
  StatNameID: int NOT NULL (FK)
  StatAttributeID: int NOT NULL (FK)
  DateUpdated: datetime NULL
  Value: nvarchar(2000) NULL
  SiteID: int NULL

StatAttribute
  StatAttributeID: int NOT NULL
  DataType: varchar(20) NOT NULL
  Name: nvarchar(200) NOT NULL

License
  LicenseID: int NOT NULL
  Name: nvarchar(50) NULL
  BinaryDataID: INTEGER NULL (FK)
  Features: nvarchar(50) NULL
  FeatureDescription: nvarchar(100) NULL
  DeviceCount: int NULL
  MaintenanceDate: varchar(40) NULL
  ExpireDate: varchar(40) NULL
  State: tinyint NULL
  StateDescription: varchar(512) NULL
  LicenseType: tinyint NOT NULL
  KeyString: varchar(50) NULL
  StatNameID: int NULL (FK)
  LicContactInfoGUID: nvarchar(40) NULL (FK)
  LicGUID: nvarchar(40) NULL
  Description: nvarchar(100) NULL
  NewLicenseID: int NULL (FK)

LicContactInfo
  LicContactInfoGUID: nvarchar(40) NOT NULL
  SubjectName: nvarchar(255) NOT NULL
  Title: nvarchar(100) NULL
  CompanyName: nvarchar(255) NULL
  Address1: nvarchar(255) NULL
  Address2: nvarchar(255) NULL
  City: nvarchar(100) NULL
  State: nvarchar(50) NULL
  PostCode: nvarchar(40) NULL
  Country: nvarchar(60) NULL
  Email: nvarchar(255) NULL
  AdditionalInfo: nvarchar(255) NULL

LicConsqMessage
  StatNameID: int NOT NULL
  Phase: int NOT NULL
  Mode: char(10) NOT NULL
  Message: ntext NULL

Hosts
  HostID: int NOT NULL
  HostIpAddress: varchar(47) NULL
  HostDNSName: NVARCHAR(254) NULL
  HostNBName: NVARCHAR(16) NULL
  HostNBDomain: nvarchar(16) NULL
  HostOSName: nvarchar(64) NULL
  HostOSVersion: nvarchar(32) NULL
  HostOSRevisionLevel: varchar(32) NULL
  HostOwner: nvarchar(50) NULL
  DateHostAdded: datetime NOT NULL
  GUID: varchar(36) NULL
  HostIPNbr: numeric(10) NOT NULL
  MacAddress: char(17) NULL
  DateHostUpdated: datetime NOT NULL
  OSGroupID: int NULL (FK)
  ISScanDate: datetime NULL
  StatNameID: int NULL
X-Force Schema
Schema The following diagram displays the X-Force schema:
Protocols
  ProtocolID: int NOT NULL
  ProtocolName: varchar(40) NOT NULL
  ProtocolDesc: varchar(255) NULL

Services
  ServiceID: int NOT NULL
  ServiceName: nvarchar(64) NOT NULL (AK1.1)
  ServiceProtocol: varchar(20) NOT NULL (AK1.2)
  ServRFCPort: int NULL (AK1.3)
  ServBriefDesc: nvarchar(255) NULL

CheckServices
  SecChkID: int NOT NULL (FK)
  ServiceID: int NOT NULL (FK)

PlatformTypes
  PlatformTypeID: int NOT NULL
  PlatformTypeName: varchar(50) NULL (AK1.1)
  PlatformTypeDesc: nvarchar(255) NULL

Platforms
  PlatformID: int NOT NULL
  PlatformName: varchar(40) NOT NULL (IE1.1)
  PlatformVersion: varchar(20) NULL
  PlatformMfg: varchar(50) NULL
  PlatformTypeID: int NULL (FK)
  ReleaseDate: datetime NULL

CheckPlatforms
  SecChkID: int NOT NULL (FK)
  PlatformID: int NOT NULL (FK)
  ChkPlatformComment: nvarchar(255) NULL
  FmtRemedyDesc: ntext NULL
  RemedyDesc: ntext NULL

CheckCategories
  SecChkID: int NOT NULL (FK)
  CategoryID: int NOT NULL (FK)

CategoryGroup
  CatGroupID: int NOT NULL
  CatGroupName: varchar(40) NULL (AK1.1)
  CatGroupDesc: ntext NULL

Categories
  CategoryID: int NOT NULL
  CatGroupID: int NOT NULL (FK)
  CategoryName: varchar(40) NULL
  CategoryDesc: ntext NULL

SecurityChecks
  SecChkID: int NOT NULL
  TagName: varchar(60) NOT NULL (AK1.1)
  ChkName: varchar(40) NOT NULL
  ChkBriefDesc: NVARCHAR(255) NULL
  ChkDetailDesc: ntext NULL
  ChkDateReported: datetime NULL
  ChkDateEntered: datetime NULL
  ChkDateChanged: datetime NULL
  ItemAffected: nvarchar(255) NULL
  Discoverer: nvarchar(255) NULL
  ConseqName: varchar(20) NULL
  ConseqBriefDesc: nvarchar(255) NULL
  ConseqDetailDesc: ntext NULL
  Obsolete: bit NOT NULL
  ReplacedBy: int NULL
  VulnStatus: bit NOT NULL

ExternalReferences
  ExtRefID: int NOT NULL
  SecChkID: int NULL (FK)
  ExternalReference: nvarchar(255) NULL
  Title: varchar(255) NULL
  Source: varchar(100) NULL
  PreferredRef: bit NOT NULL

Remedies
  SecChkID: int NOT NULL (FK)
  RemedyDesc: ntext NULL
  RemedyLocation: varchar(50) NULL
  MoreInfo: varchar(50) NULL
  EffortInHours: int NULL
  LocalLocation: varchar(50) NULL
  FmtRemedyDesc: ntext NULL

UDSecurityChecks
  UDSecChkID: int IDENTITY(500000,1)
  TagName: varchar(60) NOT NULL (IE1.1)
  ChkName: varchar(40) NULL
  ChkBriefDesc: varchar(255) NULL
  ChkDetailDesc: text NULL
  ConseqDetailDesc: text NULL
  TargetString: varchar(60) NULL
  Context: varchar(60) NULL

Products
  ProductID: int NOT NULL
  ProdName: nvarchar(40) NULL

ProductVersions
  ProdVerID: int NOT NULL
  ProdID: int NOT NULL (FK)
  ProdVersion: nvarchar(15) NULL

CheckProducts
  CheckProductID: int NOT NULL
  SecChkID: int NOT NULL (FK) (IE1.2)
  ProdVerID: int NOT NULL (FK) (IE1.1)
  Comment: varchar(4000) NULL
  FalseNegative: ntext NULL
  FalsePositive: ntext NULL
  ProductCheckName: varchar(120) NULL
  AlgorithmID: int NULL (FK)
  VulnStatus: bit NULL

CheckOSGroup
  OSGroupID: int NOT NULL (FK)
  SecChkID: int NOT NULL (FK)

CorrelationInfo
  RSCheckProductID: int NOT NULL (FK)
  ScannerProductID: int NOT NULL (FK)
  RoleNumber: int NOT NULL

OSGroup
  OSGroupID: int NOT NULL
  OSGroupName: varchar(120) NOT NULL

CheckStd
  StdID: int NOT NULL (FK)
  SecChkID: int NOT NULL (FK)

IAVAChecks
  IAVAGroupName: varchar(60) NOT NULL (IE1.1)
  Priority: varchar(30) NOT NULL
  IAVAID: int NOT NULL
  IAVA: varchar(20) NOT NULL
  IAVADesc: varchar(800) NULL
  CVEID: int NULL
  CVE: varchar(20) NULL
  SecChkID: int NULL (IE2.1)
  GhostCheck: tinyint NULL

StdIndex
  StdID: int NOT NULL
  StdCode: varchar(20) NOT NULL (AK1.1)
  StdReplacedBy: int NULL (FK)
  StdGroupID: INTEGER NOT NULL (FK) (AK1.2,IE1.1)
  StdIndexDesc: varchar(800) NULL

StdGroups
  StdGroupID: int NOT NULL
  StdGroupName: varchar(60) NOT NULL
  StdGroupDesc: text NULL
  StdRevisionNo: varchar(255) NULL
Complete Database Schema
Schema The following diagram displays a high-level overview of the entire database schema:
AuditInfo, AuditTrail, AuditEvent, CMD, DBSubComponent, DBComponent, SiteRange,
Protocols, Services, CheckServices, PlatformTypes, Platforms, CheckPlatforms,
CheckCategories, CategoryGroup, Categories, VulnStatus, ErrorMessage, BinaryData,
SensorHost, SensorDataRejected, StgWorkingSet, ObservanceType, Severity, Observances,
ObservanceColumn, Role, Component, GroupView, Groups, GroupHostLinks, Schedule,
ActionJob, ActionDetails, Policy, SecurityChecks, Hosts, ExternalReferences, Version,
Remedies, UDSecurityChecks, stg_AlertUpdates, stg_AlertData, stg_AlertAVP,
stg_AlertResponse, SensorData, SensorDataUpdates, SensorDataAVP, SensorDataResponse,
SDAVPRejected, SDUpdatesRejected, SDResponseRejected, AlertType, AlertCategory,
SourceHost, TargetHost, wrk_SensorData, SiteFilters, ErrorSeverity, MessageLog,
Products, ProductVersions, CheckProducts, Response, License, stg_SensorData,
wrk_Observances, Sites, Audit, Users, UsersGroups, UsersSites, GroupTypes, HostCounts,
RejectMetrics, Metrics, MetricsDay, MetricsType, GroupsParentChild, JobTypes, Tasks,
AlertTypeView, VersionUpdates, SiteFilterType, ObservanceSiteFilters,
ObservanceSiteFiltersView, ObjectType, Object, ObjectView, LastVulnStatus, RatingSet,
RatingAttribute, RatingAttributeCode, AlgorithmRating, Algorithm, SiteFilterRules,
SiteFilterView, StatCategory, StatName, StatCatAtt, Statistic, StatAttribute, GroupRule,
GroupPolicy, GroupRuleType, BinaryDataType, Rating, UnGroupedHosts, UnGroupedStatus,
CheckOSGroup, CorrelationInfo, LicContactInfo, DesktopAgentVersion, PolicyVersion,
ResponseVersion, LicConsqMessage, UpdateStatus, UpdateOperationStatus, UpdateStepStatus,
OSGroup, RSDBOptions, MaintenanceLog, AnalysisLog, ComponentDocument, Namespace,
GroupDocument, stg_ROL, StdIndex, StdGroups, CheckStd, ReportInstance, IAVAChecks
Internet Security Systems, Inc. Software License Agreement
THIS SOFTWARE PRODUCT IS PROVIDED IN OBJECT CODE AND IS LICENSED, NOT SOLD. BY INSTALLING, ACTIVATING, COPYING OR OTHERWISE USING THIS SOFTWARE PRODUCT, YOU AGREE TO ALL OF THE PROVISIONS OF THIS SOFTWARE LICENSE AGREEMENT (“LICENSE”). IF YOU ARE NOT WILLING TO BE BOUND BY THIS LICENSE, RETURN ALL COPIES OF THE SOFTWARE PRODUCT AND LICENSE KEYS TO ISS WITHIN FIFTEEN (15) DAYS OF RECEIPT FOR A FULL REFUND OF ANY PAID LICENSE FEE. IF THE SOFTWARE PRODUCT WAS OBTAINED BY DOWNLOAD, YOU MAY CERTIFY DESTRUCTION OF ALL COPIES AND LICENSE KEYS IN LIEU OF RETURN.
1. License - Upon payment of the applicable fees, Internet Security Systems, Inc. (“ISS”) grants to you as the only end user (“Licensee”) a nonexclusive and nontransferable, limited license for the accompanying ISS software product and the related documentation (“Software”) and the associated license key(s) for use only on the specific network configuration, for the number and type of devices, and for the time period (“Term”) that are specified in ISS’ quotation and Licensee’s purchase order, as accepted by ISS. ISS limits use of Software based upon the number of nodes, users and/or the number and type of devices upon which it may be installed, used, gather data from, or report on, depending upon the specific Software licensed. A device includes any network addressable device connected to Licensee’s network, including remotely, including but not limited to personal computers, workstations, servers, routers, hubs and printers. A device may also include ISS hardware delivered with pre-installed Software and the license associated with such shall be a non-exclusive, nontransferable, limited license to use such pre-installed Software only in conjunction with the ISS hardware with which it is originally supplied and only during the usable life of such hardware. Except as provided in the immediately preceding sentence, Licensee may reproduce, install and use the Software on multiple devices, provided that the total number and type are authorized by ISS. Licensee acknowledges that the license key provided by ISS may allow Licensee to reproduce, install and use the Software on devices that could exceed the number of devices licensed hereunder. Licensee shall implement appropriate safeguards and controls to prevent loss or disclosure of the license key and unauthorized or unlicensed use of the Software. Licensee may make a reasonable number of backup copies of the Software and the associated license key solely for archival and disaster recovery purposes.
In connection with certain Software products, ISS licenses security content on a subscription basis for a Term and provides Licensee with a license key for each such subscription. Content subscriptions are licensed pursuant to this License based upon the number of protected nodes or number of users. Security content is regularly updated and includes, but is not limited to, Internet content (URLs) and spam signatures that ISS classifies, security algorithms, checks, decodes, and ISS’ related analysis of such information, all of which ISS regards as its confidential information and intellectual property. Security content may only be used in conjunction with the applicable Software in accordance with this License. The use or re-use of such content for commercial purposes is prohibited. Licensee’s access to the security content is through an Internet update using the Software. In addition, unknown URLs may be automatically forwarded to ISS through the Software, analyzed, classified, entered in to ISS’ URL database and provided to Licensee as security content updates at regular intervals. ISS’ URL database is located at an ISS facility or as a mirrored version on Licensee’s premises. Any access by Licensee to the URL database that is not in conformance with this License is prohibited. Upon expiration of the security content subscription Term, unless Licensee renews such content subscription, Licensee shall implement appropriate system configuration modifications to terminate its use of the content subscription. Upon expiration of the license Term, Licensee shall cease using the Software and certify return or destruction of it upon request.
2. Migration Utilities – For Software ISS markets or sells as a Migration Utility, the following shall apply. Provided Licensee holds a valid license to the ISS Software to which the Migration Utility relates (the “Original Software”), ISS grants to Licensee as the only end user a nonexclusive and nontransferable, limited license to the Migration Utility and the related documentation (“Migration Utility”) for use only in connection with Licensee’s migration of the Original Software to the replacement software, as recommended by ISS in the related documentation. The Term of this License is for as long as Licensee holds a valid license to the applicable Original Software. Licensee may reproduce, install and use the Migration Utility on multiple devices in connection with its migration from the Original Software to the replacement software. Licensee shall implement appropriate safeguards and controls to prevent unlicensed use of the Migration Utility. Licensee may make a reasonable number of backup copies of the Migration Utility solely for archival and disaster recovery purposes.
3. Third-party Products - Use of third party product(s) supplied hereunder, if any, will be subject solely to the manufacturer’s terms and conditions that will be provided to Licensee upon delivery. ISS will pass any third party product warranties through to Licensee to the extent authorized. If ISS supplies Licensee with Crystal Decisions Runtime Software, then the following additional terms apply: Licensee agrees not to alter, disassemble, decompile, translate, adapt or reverse-engineer the Runtime Software or the report file (.RPT) format, or to use, distribute or integrate the Runtime Software with any general-purpose report writing, data analysis or report delivery product or any other product that performs the same or similar functions as Crystal Decisions’ product offerings; Licensee agrees not to use the Software to create for distribution a product that converts the report file (.RPT) format to an alternative report file format used by any general-purpose report writing, data analysis or report delivery product that is not the property of Crystal Decisions; Licensee agrees not to use the Runtime Software on a rental or timesharing basis or to operate a service bureau facility for the benefit of third parties unless Licensee first acquires an Application Service Provider License from Crystal Decisions; Licensee may not use the Software or Runtime Software by itself or as part of a system to regularly deliver, distribute or share Reports outside of the Runtime Software environment: (a) to more than fifty (50) end users directly, or (b) to a location that is accessible to more than 50 end users without obtaining an additional license from Crystal Decisions; CRYSTAL DECISIONS AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESS, OR IMPLIED, INCLUDING WITHOUT LIMITATION THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
CRYSTAL DECISIONS AND ITS SUPPLIERS SHALL HAVE NO LIABILITY WHATSOEVER UNDER THIS AGREEMENT OR IN CONNECTION WITH THE SOFTWARE. In this section 3 “Software” means the Crystal Reports software and associated documentation supplied by ISS and any updates, additional modules, or additional software provided by Crystal Decisions in connection therewith; it includes Crystal Decisions’ Design Tools, Report Application Server and Runtime Software, but does not include any promotional software or other software products provided in the same package, which shall be governed by the online software license agreements included with such promotional software or software product.
4. Beta License – If ISS is providing Licensee with the Software, security content and related documentation as a part of an alpha or beta test, the following terms of this Section 4 additionally apply and supersede any conflicting provisions herein or any other license agreement accompanying, contained or embedded in the subject Beta Software or any associated documentation. ISS grants to Licensee a nonexclusive, nontransferable, limited license to use the ISS alpha/prototype software program, security content, if any, and any related documentation furnished by ISS (“Beta Software”) for Licensee’s evaluation and comment (the “Beta License”) during the Test Period. ISS’ standard test cycle, which may be extended at ISS’ discretion, extends for sixty (60) days, commencing on the date of delivery of the Beta Software (the “Test Period”). Upon expiration of the Test Period or termination of the License, Licensee shall, within thirty (30) days, return to ISS or destroy all copies of the Beta Software, and shall furnish ISS written confirmation of such return or destruction upon request. Licensee will provide ISS information reasonably requested by ISS regarding Licensee’s experiences with the installation and operation of the Beta Software. Licensee agrees that ISS shall have the right to use, in any manner and for any purpose, any information gained as a result of Licensee’s use and evaluation of the Beta Software. Such information shall include but not be limited to changes, modifications and corrections to the Beta Software. Licensee grants to ISS a perpetual, royalty-free, non-exclusive, transferable, sublicensable right and license to use, copy, make derivative works of and distribute any report, test result, suggestion or other item resulting from Licensee’s evaluation of its installation and operation of the Beta Software.
If Licensee is ever held or deemed to be the owner of any copyright rights in the Beta Software or any changes, modifications or corrections to the Beta Software, then Licensee hereby irrevocably assigns to ISS all such rights, title and interest and agrees to execute all documents necessary to implement and confirm the letter and intent of this Section. Licensee acknowledges and agrees that the Beta Software (including its existence, nature and specific features) constitute Confidential Information as defined in Section 18. Licensee further agrees to treat as Confidential Information all feedback, reports, test results, suggestions, and other items resulting from Licensee’s evaluation and testing of the Beta Software as contemplated in this Agreement. With regard to the Beta Software, ISS has no obligation to provide support, maintenance, upgrades, modifications, or new releases. However, ISS agrees to use its reasonable efforts to correct errors in the Beta Software and related documentation within a reasonable time, and will provide Licensee with any corrections it makes available to other evaluation participants. The documentation relating to the Beta Software may be in draft form and will, in many cases, be incomplete. Owing to the experimental nature of the Beta Software, Licensee is advised not to rely exclusively on the Beta Software for any reason. LICENSEE AGREES THAT THE BETA SOFTWARE AND RELATED DOCUMENTATION ARE BEING DELIVERED “AS IS” FOR TEST AND EVALUATION PURPOSES ONLY WITHOUT WARRANTIES OF ANY KIND, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTY OF NONINFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. LICENSEE ACKNOWLEDGES AND AGREES THAT THE BETA SOFTWARE MAY CONTAIN DEFECTS, PRODUCE ERRONEOUS AND UNINTENDED RESULTS AND MAY AFFECT DATA NETWORK SERVICES AND OTHER MATERIALS OF LICENSEE. LICENSEE’S USE OF THE BETA SOFTWARE IS AT THE SOLE RISK OF LICENSEE. 
IN NO EVENT WILL ISS BE LIABLE TO LICENSEE OR ANY OTHER PERSON FOR DAMAGES, DIRECT OR INDIRECT, OF ANY NATURE, OR EXPENSES INCURRED BY LICENSEE. LICENSEE’S SOLE AND EXCLUSIVE REMEDY SHALL BE TO TERMINATE THE BETA SOFTWARE LICENSE BY WRITTEN NOTICE TO ISS.
5. Evaluation License - If ISS is providing Licensee with the Software, security content and related documentation on an evaluation trial basis at no cost, such license Term is 30 days from installation, unless a longer period is agreed to in writing by ISS. ISS recommends using Software and security content for evaluation in a non-production, test environment. The following terms of this Section 5 additionally apply and supersede any conflicting provisions herein. Licensee agrees to remove or disable the Software and security content from the authorized platform and return the Software, security content and documentation to ISS upon expiration of the evaluation Term unless otherwise agreed by the parties in writing. ISS has no obligation to provide support, maintenance, upgrades, modifications, or new releases to the Software or security content under evaluation. LICENSEE AGREES THAT THE EVALUATION SOFTWARE, SECURITY CONTENT AND RELATED DOCUMENTATION ARE BEING DELIVERED “AS IS” FOR TEST AND EVALUATION PURPOSES ONLY WITHOUT WARRANTIES OF ANY KIND, INCLUDING WITHOUT LIMITATION ANY IMPLIED WARRANTY OF NONINFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT WILL ISS BE LIABLE TO LICENSEE OR ANY OTHER PERSON FOR DAMAGES, DIRECT OR INDIRECT, OF ANY NATURE, OR EXPENSES INCURRED BY LICENSEE. LICENSEE’S SOLE AND EXCLUSIVE REMEDY SHALL BE TO TERMINATE THE EVALUATION LICENSE BY WRITTEN NOTICE TO ISS.
6. Covenants - ISS reserves all intellectual property rights in the Software, security content and Beta Software. Licensee agrees: (i) the Software, security content or Beta Software is owned by ISS and/or its licensors, is a valuable trade secret of ISS, and is protected by copyright laws and international treaty provisions; (ii) to take all reasonable precautions to protect the Software, security content or Beta Software from unauthorized access, disclosure, copying or use; (iii) not to modify, adapt, translate, reverse engineer, decompile, disassemble, or otherwise attempt to discover the source code of the Software, security content or Beta Software; (iv) not to use ISS trademarks; (v) to reproduce all of ISS’ and its licensors’ copyright notices on any copies of the Software, security content or Beta Software; and (vi) not to transfer, lease, assign, sublicense, or distribute the Software, security content or Beta Software or make it available for time-sharing, service bureau, managed services offering, or on-line use.
7. Support and Maintenance – Depending upon what maintenance programs Licensee has purchased, ISS will provide maintenance, during the period for which Licensee has paid the applicable maintenance fees, in accordance with its prevailing Maintenance and Support Policy that is available at http://documents.iss.net/maintenance_policy.pdf. Any supplemental Software code or related materials that ISS provides to Licensee as part of any support and maintenance service are to be considered part of the Software and are subject to the terms and conditions of this License, unless otherwise specified.
8. Limited Warranty - The commencement date of this limited warranty is the date on which ISS furnishes to Licensee the license key for the Software. For a period of ninety (90) days after the commencement date or for the Term (whichever is less), ISS warrants that the Software or security content will conform to material operational specifications described in its then current documentation. However, this limited warranty shall not apply unless (i) the Software or security content is installed, implemented, and operated in accordance with all written instructions and documentation supplied by ISS, (ii) Licensee notifies ISS in writing of any nonconformity within the warranty period, and (iii) Licensee has promptly and properly installed all corrections, new versions, and updates made available by ISS to Licensee. Furthermore, this limited warranty shall not apply to nonconformities arising from any of the following: (i) misuse of the Software or security content, (ii) modification of the Software or security content, (iii) failure by Licensee to utilize compatible computer and networking hardware and software, or (iv) interaction with software or firmware not provided by ISS. If Licensee timely notifies ISS in writing of any such nonconformity, then ISS shall repair or replace the Software or security content or, if ISS determines that repair or replacement is impractical, ISS may terminate the applicable licenses and refund the applicable license fees, as the sole and exclusive remedies of Licensee for such nonconformity. THIS WARRANTY GIVES LICENSEE SPECIFIC LEGAL RIGHTS, AND LICENSEE MAY ALSO HAVE OTHER RIGHTS THAT VARY FROM JURISDICTION TO JURISDICTION. ISS DOES NOT WARRANT THAT THE SOFTWARE OR THE SECURITY CONTENT WILL MEET LICENSEE’S REQUIREMENTS, THAT THE OPERATION OF THE SOFTWARE OR SECURITY CONTENT WILL BE UNINTERRUPTED OR ERROR-FREE, OR THAT ALL SOFTWARE OR SECURITY CONTENT ERRORS WILL BE CORRECTED. 
LICENSEE UNDERSTANDS AND AGREES THAT THE SOFTWARE AND THE SECURITY CONTENT ARE NO GUARANTEE AGAINST UNSOLICITED E-MAILS, UNDESIRABLE INTERNET CONTENT, INTRUSIONS, VIRUSES, TROJAN HORSES, WORMS, TIME BOMBS, CANCELBOTS OR OTHER SIMILAR HARMFUL OR DELETERIOUS PROGRAMMING ROUTINES AFFECTING LICENSEE’S NETWORK, OR THAT ALL SECURITY THREATS AND VULNERABILITIES, UNSOLICITED E-MAILS OR UNDESIRABLE INTERNET CONTENT WILL BE DETECTED OR THAT THE PERFORMANCE OF THE SOFTWARE AND SECURITY CONTENT WILL RENDER LICENSEE’S SYSTEMS INVULNERABLE TO SECURITY BREACHES. THE REMEDIES SET OUT IN THIS SECTION 8 ARE THE SOLE AND EXCLUSIVE REMEDIES FOR BREACH OF THIS LIMITED WARRANTY.
9. Warranty Disclaimer - EXCEPT FOR THE LIMITED WARRANTY PROVIDED ABOVE, THE SOFTWARE AND SECURITY CONTENT ARE EACH PROVIDED “AS IS” AND ISS HEREBY DISCLAIMS ALL WARRANTIES, BOTH EXPRESS AND IMPLIED, INCLUDING IMPLIED WARRANTIES RESPECTING MERCHANTABILITY, TITLE, NONINFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE. LICENSEE EXPRESSLY ACKNOWLEDGES THAT NO REPRESENTATIONS OTHER THAN THOSE CONTAINED IN THIS LICENSE HAVE BEEN MADE REGARDING THE GOODS OR SERVICES TO BE PROVIDED HEREUNDER, AND THAT LICENSEE HAS NOT RELIED ON ANY REPRESENTATION NOT EXPRESSLY SET OUT IN THIS LICENSE.
10. Proprietary Rights - ISS represents and warrants that ISS has the authority to license the rights to the Software and security content that are granted herein. ISS shall defend and indemnify Licensee from any final award of costs and damages against Licensee for any actions based on infringement of any U.S. copyright, trade secret, or patent as a result of the use or distribution of a current, unmodified version of the Software and security content, but only if ISS is promptly notified in writing of any such suit or claim, and only if Licensee permits ISS to defend, compromise, or settle same, and only if Licensee provides all available information and reasonable assistance. The foregoing is the exclusive remedy of Licensee and states the entire liability of ISS with respect to claims of infringement or misappropriation relating to the Software and security content.
11. Limitation of Liability - ISS’ ENTIRE LIABILITY FOR MONETARY DAMAGES ARISING OUT OF THIS LICENSE SHALL BE LIMITED TO THE AMOUNT OF THE LICENSE FEES ACTUALLY PAID BY LICENSEE UNDER THIS LICENSE, PRORATED OVER A THREE-YEAR TERM FROM THE DATE LICENSEE RECEIVED THE SOFTWARE OR SECURITY CONTENT, AS APPLICABLE. IN NO EVENT SHALL ISS BE LIABLE TO LICENSEE UNDER ANY THEORY INCLUDING CONTRACT AND TORT (INCLUDING NEGLIGENCE AND STRICT PRODUCTS LIABILITY) FOR ANY SPECIAL, PUNITIVE, INDIRECT, INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, DAMAGES FOR LOST PROFITS, LOSS OF DATA, LOSS OF USE, OR COMPUTER HARDWARE MALFUNCTION, EVEN IF ISS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
12. Termination - Licensee may terminate this License at any time by notifying ISS in writing. All rights granted under this License will terminate immediately, without prior written notice from ISS, at the end of the term of the License, if not perpetual. If Licensee fails to comply with any provisions of this License, ISS may immediately terminate this License if such default has not been cured within ten (10) days following written notice of default to Licensee. Upon termination or expiration of a license for Software, Licensee shall cease all use of such Software, including Software pre-installed on ISS hardware, and destroy all copies of the Software and associated documentation. Termination of this License shall not relieve Licensee of its obligation to pay all fees incurred prior to such termination and shall not limit either party from pursuing any other remedies available to it.
13. General Provisions - This License, together with the identification of the Software and/or security content, pricing and payment terms stated in the applicable ISS quotation and Licensee purchase order (if applicable) as accepted by ISS, constitute the entire agreement between the parties respecting its subject matter. Standard and other additional terms or conditions contained in any purchase order or similar document are hereby expressly rejected and shall have no force or effect. ISS Software and security content are generally delivered to Customer by supplying Customer with license key data. If Customer has not already downloaded the Software, security content and documentation, then it is available for download at http://www.iss.net/download/. All ISS hardware with pre-installed Software and any other products not delivered by download are delivered f.o.b. origin. This License will be governed by the substantive laws of the State of Georgia, USA, excluding the application of its conflicts of law rules. This License will not be governed by the United Nations Convention on Contracts for the International Sale of Goods, the application of which is expressly excluded. If any part of this License is found void or unenforceable, it will not affect the validity of the balance of the License, which shall remain valid and enforceable according to its terms. This License may only be modified in writing signed by an authorized officer of ISS.
14. Notice to United States Government End Users - Licensee acknowledges that any Software and security content furnished under this License is commercial computer software and any documentation is commercial technical data developed at private expense and is provided with RESTRICTED RIGHTS. Any use, modification, reproduction, display, release, duplication or disclosure of this commercial computer software by the United States Government or its agencies is subject to the terms, conditions and restrictions of this License in accordance with the United States Federal Acquisition Regulations at 48 C.F.R. Section 12.212 and DFAR Subsection 227.7202-3 and Clause 252.227-7015 or applicable subsequent regulations. Contractor/manufacturer is Internet Security Systems, Inc., 6303 Barfield Road, Atlanta, GA 30328, USA.
15. Export and Import Controls; Use Restrictions - Licensee will not transfer, export, or reexport the Software, security content, any related technology, or any direct product of either except in full compliance with the export controls administered by the United States and other countries and any applicable import and use restrictions. Licensee agrees that it will not export or reexport such items to anyone on the U.S. Treasury Department’s list of Specially Designated Nationals or the U.S. Commerce Department’s Denied Persons List or Entity List or such additional lists as may be issued by the U.S. Government from time to time, or to any country to which the United States has embargoed the export of goods (currently Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria) or for use with chemical or biological weapons, sensitive nuclear end-uses, or missiles. Licensee represents and warrants that it is not located in, under control of, or a national or resident of any such country or on any such list. Many ISS software products include encryption and export outside of the United States or Canada is strictly controlled by U.S. laws and regulations. ISS makes its current export classification information available at http://www.iss.net/export. Please contact ISS’ Sourcing and Fulfillment for export questions relating to the Software or security content ([email protected]). Licensee understands that the foregoing obligations are U.S. legal requirements and agrees that they shall survive any term or termination of this License.
16. Authority - Because the Software is designed to test or monitor the security of computer network systems and may disclose or create problems in the operation of the systems tested, Licensee and the persons acting for Licensee represent and warrant that: (a) they are fully authorized by the Licensee and the owners of the computer network for which the Software is licensed to enter into this License and to obtain and operate the Software in order to test and monitor that computer network; (b) the Licensee and the owners of that computer network understand and accept the risks involved; and (c) the Licensee shall procure and use the Software in accordance with all applicable laws, regulations and rules.
17. Disclaimers - Licensee acknowledges that some of the Software and security content is designed to test the security of computer networks and may disclose or create problems in the operation of the systems tested. Licensee further acknowledges that neither the Software nor security content is fault tolerant or designed or intended for use in hazardous environments requiring fail-safe operation, including, but not limited to, aircraft navigation, air traffic control systems, weapon systems, life-support systems, nuclear facilities, or any other applications in which the failure of the Software and security content could lead to death or personal injury, or severe physical or property damage. ISS disclaims any implied warranty of fitness for High Risk Use. Licensee accepts the risk associated with the foregoing disclaimers and hereby waives all rights, remedies, and causes of action against ISS and releases ISS from all liabilities arising therefrom.
18. Confidentiality - “Confidential Information” means all information proprietary to a party or its suppliers that is marked as confidential. Each party acknowledges that during the term of this Agreement, it will be exposed to Confidential Information of the other party. The obligations of the party (“Receiving Party”) which receives Confidential Information of the other party (“Disclosing Party”) with respect to any particular portion of the Disclosing Party’s Confidential Information shall not attach or shall terminate when any of the following occurs: (i) it was in the public domain or generally available to the public at the time of disclosure to the Receiving Party, (ii) it entered the public domain or became generally available to the public through no fault of the Receiving Party subsequent to the time of disclosure to the Receiving Party, (iii) it was or is furnished to the Receiving Party by a third party having the right to furnish it with no obligation of confidentiality to the Disclosing Party, or (iv) it was independently developed by the Receiving Party by individuals not having access to the Confidential Information of the Disclosing Party. Each party acknowledges that the use or disclosure of Confidential Information of the Disclosing Party in violation of this License could severely and irreparably damage the economic interests of the Disclosing Party. The Receiving Party agrees not to disclose or use any Confidential Information of the Disclosing Party in violation of this License and to use Confidential Information of the Disclosing Party solely for the purposes of this License. Upon demand by the Disclosing Party and, in any event, upon expiration or termination of this License, the Receiving Party shall return to the Disclosing Party all copies of the Disclosing Party’s Confidential Information in the Receiving Party’s possession or control and destroy all derivatives and other vestiges of the Disclosing Party’s Confidential Information obtained or created by the Disclosing Party. All Confidential Information of the Disclosing Party shall remain the exclusive property of the Disclosing Party.
19. Compliance - From time to time, ISS may request Licensee to provide a certification that the Software and security content is being used in accordance with the terms of this License. If so requested, Licensee shall verify its compliance and deliver its certification within forty-five (45) days of the request. The certification shall state Licensee’s compliance or non-compliance, including the extent of any non-compliance. ISS may also, at any time, upon thirty (30) days prior written notice, at its own expense appoint a nationally recognized software use auditor, to whom Licensee has no reasonable objection, to audit and examine use and records at Licensee offices during normal business hours, solely for the purpose of confirming that Licensee’s use of the Software and security content is in compliance with the terms of this License. ISS will use commercially reasonable efforts to have such audit conducted in a manner such that it will not unreasonably interfere with the normal business operations of Licensee. If such audit should reveal that use of the Software or security content has been expanded beyond the scope of use and/or the number of Authorized Devices or Licensee certifies such non-compliance, ISS shall have the right to charge Licensee the applicable current list prices required to bring Licensee in compliance with its obligations hereunder with respect to its current use of the Software and security content. In addition to the foregoing, ISS may pursue any other rights and remedies it may have at law, in equity or under this License.
20. Data Protection - The data needed to process this transaction will be stored by ISS and may be forwarded to companies affiliated with ISS and possibly to Licensee’s vendor within the framework of processing Licensee’s order. All personal data will be treated confidentially.
Revised March 16, 2004.