eTrust Audit iRecorder Reference Guide for CCURE 800/8000

eTrust Audit™ 1.5 SP2
This documentation and related computer software program (hereinafter referred to as the “Documentation”) is for
the end user’s informational purposes only and is subject to change or withdrawal by Computer Associates
International, Inc. (“CA”) at any time.
This documentation may not be copied, transferred, reproduced, disclosed or duplicated, in whole or in part, without
the prior written consent of CA. This documentation is proprietary information of CA and protected by the copyright
laws of the United States and international treaties.
Notwithstanding the foregoing, licensed users may print a reasonable number of copies of this documentation for
their own internal use, provided that all CA copyright notices and legends are affixed to each reproduced copy. Only
authorized employees, consultants, or agents of the user who are bound by the confidentiality provisions of the
license for the software are permitted to have access to such copies.
This right to print copies is limited to the period during which the license for the product remains in full force and
effect. Should the license terminate for any reason, it shall be the user’s responsibility to return to CA the reproduced
copies or to certify to CA that same have been destroyed.
To the extent permitted by applicable law, CA provides this documentation “as is” without warranty of any kind,
including without limitation, any implied warranties of merchantability, fitness for a particular purpose or
noninfringement. In no event will CA be liable to the end user or any third party for any loss or damage, direct or
indirect, from the use of this documentation, including without limitation, lost profits, business interruption,
goodwill, or lost data, even if CA is expressly advised of such loss or damage.
The use of any product referenced in this documentation and this documentation is governed by the end user’s
applicable license agreement.
The manufacturer of this documentation is Computer Associates International, Inc.
Provided with “Restricted Rights” as set forth in 48 C.F.R. Section 12.212, 48 C.F.R. Sections 52.227-19(c)(1) and (2) or
DFARS Section 252.227-7013(c)(1)(ii) or applicable successor provisions.
© 2003 Computer Associates International, Inc.
All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.
Contents
Chapter 1: Welcome to iRecorder for CCURE 800/8000
  What Is an iRecorder?
  iRecorder Architecture
Chapter 2: Installation and Configuration
  System Requirements
    Hardware Requirements
  Pre-Installation Steps
  Installing the iRecorder
    Installing the iRecorder from the eTrust Security Command Center CD
    Installing the iRecorder Downloaded from eSupport
    Installing the iRecorder
    Silent Installation
    Silent Uninstallation
    Generating a Response File for Custom Silent Installation
  Windows Packages
  Configuration and Use
    Starting the iRecorder
    Stopping the iRecorder
Chapter 3: Configuring the iRecorder
    Enabling Debugging
    Testing the iRecorder for CCURE 800/8000 (CCURE)
Chapter 4: Report Selection Criteria
Chapter 5: Adding the Default Policy Template for the iRecorder to the eTrust Audit Policy Manager
  Configuring the Default Policy in the eTrust Audit Policy Manager
  Sample Rules for CCURE 800/8000
Chapter 6: eTrust Audit Field Mapping
  Native Product Fields (CCURE)
  eTrust Audit Mandatory Fields (CCURE)
  eTrust Audit Normalized Fields
Chapter 1: Welcome to iRecorder for CCURE 800/8000
This guide describes how to install, configure, and use the eTrust Audit
iRecorder for CCURE 800/8000. This iRecorder harvests log data from CCURE
800/8000 and forwards it to an eTrust Audit Client.
CCure 800/8000 is a security management system to control and manage physical
access to secure areas. All personnel accessing the secure areas are required to
use a badge to identify the person and associated privileges. The system is
developed by Software House and further technical information on the CCure
800/8000 system can be found at http://www.swhouse.com.
This iRecorder was developed using CCure 800/8000 version 7.
The CCure badge reader system consists of the following basic components:
■ Physical tokens or badges issued to personnel
■ Badge readers mounted on various access points to the secure areas
■ Controller system that controls badge readers to allow, disallow, raise
  alarms, and so on when the badge is scanned by a badge reader.
■ Management system to configure and set up various authorization rules for
  badges and badge readers.
■ A repository for personnel and asset information created when badges are
  issued. This repository can be accessed through ODBC and is called the CF
  Database in the CCure technical documentation.
■ A repository for real-time events about badge accesses and other system
  activity. This repository can also be accessed through ODBC and is called
  the Journal database. During the life of the system, new Journals can be
  created as described in the CCure technical documentation. Each Journal is a
  separate database and is named JL_xxxxx.db, where xxxxx is a sequential
  number starting from 00001. Information on the current Journal Database in
  use can be determined from the CF Database. After the current Journal
  Database is identified, all events created due to user or system activity can be
  accessed from the Journal Database.
What Is an iRecorder?
eTrust Audit 1.5 recorders can be deployed in two different ways:
Recorders
Recorders are one of the subcomponents packaged with eTrust Audit 1.5
Client components. These predefined recorders use the eTrust Audit Submit
API (SAPI) to send log events to a Router and Action Manager for further
processing as defined in the Policy Manager. This architecture leads to some
restrictions in the Recorder development and deployment:
■ SAPI uses remote procedure calls (RPC), which makes recorders difficult
  to deploy across firewalls
■ Deployments of new recorders that are not predefined require you to
  make manual changes to existing Routers and Action Managers
iRecorders
iRecorders are new to eTrust Audit. They are developed using the iRecorder
SDK, which is based on the iTechnology SDK. iRecorders can be easily
deployed in an existing eTrust Audit environment without making
significant changes to that environment.
iRecorders, just like recorders, send log events to a Router and Action
Manager for event processing. They require an intermediate component,
known as an iRouter, which is installed on an existing eTrust Audit Client.
The iRouter provides a bridge between the iRecorder and the eTrust Audit
Client. The iRouter converts tokens from XML format to SAPI format and
submits them to the Router.
iRecorder Architecture
The iRecorder architecture allows easy deployment across firewalls and new
iRecorder development does not require changes in the existing eTrust Audit
deployment.
The following diagram illustrates the flow of information from the iRecorder to
the eTrust Audit Client components:
As you can see, an iRecorder really consists of several components that help
capture, route, and convert the event data to SAPI format so that it can be
processed by an eTrust Audit Client.
The components of iTechnology are as follows:
iGateway
iGateway is a service that dynamically loads iSponsors and communicates
with the other iGateways and iSponsors. The main features and functions of
an iGateway are as follows:
■ Load the iSponsor
  ■ Locate and read the .conf files associated with the various iSponsors in
    its local directory.
  ■ Load the corresponding iSponsor DLLs (such as iControl or iRecorder) at
    iGateway startup or upon request from another iSponsor (local or remote).
  ■ Provide the configuration data found in the .conf file to the
    corresponding iSponsor.
■ Support Data Communication
  The iGateway uses the HTTP/HTTPS protocol on port 5250 to handle all data
  communication as follows:
  ■ The data format for iGateway communication is based on XML.
  ■ An iGateway receives XML formatted data from the local iSponsors and
    sends it to the specified iGateway for delivery to the appropriate
    iSponsor.
  ■ An iGateway receives XML formatted data from a remote iSponsor and
    delivers it to the appropriate local iSponsor.
Note: Each iGateway can be associated with a digital certificate used by
iRecorders to sign all outgoing events. In addition, iRecorders include the
digital certificate with its associated thumbprint for the first outgoing event.
For all other events, only the thumbprint is included.
iControl
iControl is an iSponsor DLL that is automatically loaded by the iGateway
and supports the following functions:
Store and Forward (SAF) for guaranteed delivery of events as follows:
If the iGateway cannot deliver an event, it is passed on to the iControl
component for SAF handling.
■ iControl stores the undelivered events in a file.
■ Periodically, iControl extracts events from the event file and attempts to
  deliver them using iGateway.
■ All events that are extracted successfully are marked as “old,” and
  periodically iControl deletes the “old” events.
Event validation
■ If it is the first event, save the digital certificate and the associated
  thumbprint.
■ For all events, use the thumbprint included in the event to retrieve the
  matching certificate. If the certificate is not found, generate an error.
■ Use the certificate to validate the signature of the event. If the signatures
  do not match, generate an error.
Routes events to a remote iControl
The iControl.conf file contains information related to routing and which
Event plug-in should be loaded.
Note: iControl can load multiple Event plug-ins and sends every event
to each plug-in.
Event Plug-in (EP)
The Event plug-in is a DLL used by iControl to handle specialized tasks such
as converting formats, applying filters, sending events to a database, and so
on.
EPAudit Plug-in
If the EPAudit plug-in is configured, all events received by iControl are sent
to the EPAudit plug-in to be delivered to the Router. The primary functions
of EPAudit are to:
■ Convert events from XML format to eTrust Audit SAPI format.
■ Submit events to the eTrust Audit Router component running on the
  localhost.
EPUnicenter Plug-in
If the EPUnicenter plug-in is configured, all events received by iControl are
sent to the EPUnicenter to be delivered to the Event Management component
of Unicenter. The primary functions of the EPUnicenter plug-in are to:
■ Convert events from XML format to Unicenter EM format.
■ Submit events to the Event Management component running on the
  localhost.
EPDebug Plug-in
If the EPDebug plug-in is configured, all events received by iControl are sent
to the EPDebug to be delivered to any Debug Viewer running on the local
host.
iRecorder
iRecorder is an iSponsor DLL loaded by the iGateway running on the device
generating log events. Its primary functions are as follows:
■ Extract the log events from the device or from an event log repository
  using an API, ODBC, or file I/O.
■ Parse the event fields into tokens and create “Name–Value” pairs for
  each parsed token in XML format.
■ Submit XML strings containing the events to a local or remote iRouter.
  The iRouter sends the events to EPAudit plug-in, which in turn submits
  the events to eTrust Audit for further action.
■ For the first log event from the device, the iRecorder attaches the
  iGateway certificate as an attribute.
■ For all log events, iRecorder includes the iGateway certificate
  thumbprint (a unique ID for the certificate) and the signature (hash of
  the whole event signed by the certificate).
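The signing behaviour in the last two items and the Event validation steps listed under iControl, as an added Go example that is not CA code: the first event carries the certificate, later events carry only its thumbprint, and the receiver finds the certificate by thumbprint before checking the signature. ECDSA P-256 with SHA-256, the SHA-256 thumbprint, the `Event` struct, the sample event bodies and all function names are assumptions, because the guide does not name the algorithms or the wire format iTechnology uses.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Event is a constructed stand-in for one signed iRecorder event.
type Event struct {
	Body       string // XML payload (constructed sample)
	Thumbprint string // hex SHA-256 of the DER certificate (assumed form)
	CertDER    []byte // attached to the first event only
	Signature  []byte // ECDSA over SHA-256(Body) (assumed scheme)
}

var (
	ErrUnknownCert  = errors.New("no stored certificate matches the thumbprint")
	ErrThumbprint   = errors.New("attached certificate does not hash to the thumbprint")
	ErrBadSignature = errors.New("event signature does not verify")
)

func thumbprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// NewSender plays the iRecorder side with a throwaway self-signed certificate.
func NewSender(cn string) (func(body string) (Event, error), error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	first := true
	return func(body string) (Event, error) {
		digest := sha256.Sum256([]byte(body))
		sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
		ev := Event{Body: body, Thumbprint: thumbprint(der), Signature: sig}
		if first { // the certificate travels with the first event only
			ev.CertDER, first = der, false
		}
		return ev, err
	}, nil
}

// Validator plays the receiving side and keeps certificates keyed by thumbprint.
type Validator struct{ certs map[string]*x509.Certificate }

func NewValidator() *Validator { return &Validator{certs: map[string]*x509.Certificate{}} }

// Validate saves a first-event certificate, looks it up by thumbprint, verifies the signature.
func (v *Validator) Validate(ev Event) error {
	cert, known := v.certs[ev.Thumbprint]
	if len(ev.CertDER) > 0 {
		if thumbprint(ev.CertDER) != ev.Thumbprint {
			return ErrThumbprint
		}
		parsed, err := x509.ParseCertificate(ev.CertDER)
		if err != nil {
			return fmt.Errorf("parse certificate: %w", err)
		}
		cert = parsed
	} else if !known {
		return ErrUnknownCert
	}
	digest := sha256.Sum256([]byte(ev.Body))
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], ev.Signature) {
		return ErrBadSignature
	}
	v.certs[ev.Thumbprint] = cert // stored only once a signature has verified
	return nil
}

func main() {
	sign, err := NewSender("constructed-igateway")
	if err != nil {
		panic(err)
	}
	v := NewValidator()
	for _, body := range []string{"<Event>login</Event>", "<Event>badge in</Event>"} {
		ev, _ := sign(body)
		fmt.Printf("cert attached=%v result=%v\n", len(ev.CertDER) > 0, v.Validate(ev))
	}
}
```

The sketch stores whatever certificate a correctly signed first event carries; the guide does not say whether iControl also checks that certificate against a trust store, so sender identity is a separate control.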
iRouter
An iRouter is a collection of following components installed on the eTrust
Audit Client machine:
■ iGateway
■ iControl
■ EPAudit plug-in
The iRouter installation package is included with the iRecorder SDK and does
not require any changes. It works with the existing and new iRecorders. The
iRouter forwards all events to the eTrust Audit Client using SAPI.
Chapter 2: Installation and Configuration
This chapter describes how to install and configure the iRecorder for CCURE
800/8000.
System Requirements
The topics that follow describe the hardware and software requirements for the
iRecorder assuming that CCURE 800/8000 is already installed and operational
on some host.
Hardware Requirements
The iRecorder for CCURE 800/8000 has the following minimum hardware
requirements:
■ Approximately 10 MB of disk space for the iRecorder installation.
The iRecorder for CCURE 800/8000 has the following platform requirements:
■ x86 PC running Windows 2000 with Service Pack 2
■ Access to a CCURE 800/8000 system running version 7.1
■ CCURE 7.1 Client and ODBC driver (must be pre-installed)
Pre-Installation Steps
Install the CCURE Client and ODBC driver on the same machine where the
iRecorder will be installed.
Before you install and set up an iRecorder, you need to install the iRouter
component on a host where eTrust Audit Client components are installed.
iRouter lets iRecorders communicate with eTrust Audit. During the iRecorder
installation, you are prompted for the host where iRouter is installed.
For more details on how to install iRouter, see the iRouter Reference Guide.
The eTrust Audit Policy Manager must be installed somewhere on the network,
along with the eTrust Audit Data Tools.
Installing the iRecorder
The following topics describe how to install the iRecorder for CCURE 800/8000
from the CD or from the web.
Installing the iRecorder from the eTrust Security Command Center CD
To install the iRecorder from the eTrust Security Command Center CD, insert CD
5 into the CD drive. The Product Explorer should automatically start and display
the installation menu. If the Product Explorer does not automatically start, click
Start, Run and enter the following command:
[CD-Drive]:\PE_I386.exe
where [CD-Drive] is your CD drive letter designation.
All iRecorders available on the eTrust Security Command Center CD are located
as follows: eTrust, Audit, iRecorders.
To install an iRecorder, select the appropriate recorder from the list and follow
the detailed install instructions provided in the following sections.
Installing the iRecorder Downloaded from eSupport
You can also download and install an iRecorder from the web. To install the
downloaded package, you will need two components:
1. iRecorder installation package from http://esupport.ca.com
2. Appropriate (Windows, UNIX) iGateway package from
   ftp://ftp.ca.com/pub/itech/downloads
Download these packages into the same directory and run the iRecorder install
package. The iRecorder install package automatically installs the iGateway
package, if needed. Detailed installation instructions for the iRecorder are
provided in the next topic.
Installing the iRecorder
If the install package for the iRecorder is not running already, run the package
CCureODBC_<version number>.exe to start installation of the iRecorder. It
starts a wizard that guides you through installation and configuration of the
iRecorder.
Silent Installation
Enter the following command to silently install the CCure iRecorder using an
InstallShield response file:
CCureODBC_<version>.exe /s /f1"ccureodbc_setup.iss"
The above example demonstrates the silent install capability provided by the
iRecorder package. The response file in the example should be changed to reflect
the particular conditions of the target environment. See How to Generate a
Response File for Custom Silent Installation.
Silent Uninstallation
Enter the following command to silently uninstall the CCure iRecorder using an
InstallShield response file:
CCureODBC_<version>.exe /s /f1"ccureodbc_uninstall.iss"
Generating a Response File for Custom Silent Installation
The response files provided with the package contain an example of a silent
install session. It is often necessary to customize the silent installation to the
particular needs of the enterprise.
The sections below provide instructions on how to customize silent installation.
Choose a system that is similar if not identical to the target system.
Windows Packages
Note: The system must not contain the iRecorder for which you want to
customize the silent installation. If the system has the iRecorder installed,
uninstall the iRecorder using the Add/Remove Program option of the Control
Panel.
Proceed as follows to generate a custom response file:
1. Open a DOS window.
2. Change directory to the folder that contains the iRecorder package.
   On the CD labeled “eTrust Audit 1.5 SP2”, part of the eTrust Security
   Command Center package, the iRecorder package folder is:
   <CD Drive>:\eTrust\Audit\iRecorder\Winnt
   For instance, if G drive is the CD drive, the iRecorder package folder is:
   G:\eTrust\Audit\iRecorder
3. Enter the following:
   <iRecorder package>.exe /r /f1"<pathname of response file>"
   For example:
   CCureODBC_<version>.exe /r /f1"C:\Temp\irecorder_setup.iss"
4. Follow the instructions given by the installation procedure and install the
   package as you would do on the target system.
5. Click Finish.
The response file is generated. It can be used for silent installation on similar
target systems.
Configuration and Use
The following topics describe how to configure and use the iRecorder.
Starting the iRecorder
The iRecorder is run as a sub-component of the iTechnology-iGateway service.
To start the iRecorder on Windows 2000, start the iGateway service using either
of the following methods:
■ Use the Services Management GUI (Start, Control Panel, Services or
  Administrative Tools, Services).
■ Issue the following command:
  net start igateway
Stopping the iRecorder
The iRecorder is run as a sub-component of the iTechnology-iGateway service.
To stop the iRecorder on Windows 2000, stop the iGateway service using either
of the following methods:
■ Use the Services Management GUI (Start, Control Panel, Services or
  Administrative Tools, Services).
■ Issue the following command:
  net stop igateway
Chapter 3: Configuring the iRecorder
iRecorder configuration parameters are kept in a configuration file usually
located in the iGateway installation directory. The iRecorder configuration
parameters are automatically set during iRecorder installation and do not require
any changes for the normal operation of the iRecorder. If any parameters need to
be modified, you must stop the iTechnology iGateway service or daemon before
making the changes. After making the changes, restart the service for changes to
take effect.
The iRecorder configuration file is named irecordername.conf and is found in the
iGateway installation directory. For example: \Program Files\CA\iGateway on
Windows and /opt/CA/igateway on UNIX/Linux.
Sample Configuration File (CCURE)
The following is a sample CCureODBC.conf configuration file:
<?xml version='1.0' encoding='UTF-8' standalone='no'?>
<iSponsor>
  <Name>CCureODBC</Name>
  <ISType>DSP</ISType>
  <ImageName>CCureODBC</ImageName>
  <DispatchEP>iDispatch</DispatchEP>
  <ClsPath></ClsPath>
  <LibPath></LibPath>
  <Version>@VERSION@</Version>
  <PreLoad>true</PreLoad>
  <DBHost def="localhost" prompt="Servername where the CCure Server is installed" type="text">localhost</DBHost>
  <CFUsername def="SYSPROGRESS" prompt="Username used to access the CF database on the CCure Server" type="text">SYSPROGRESS</CFUsername>
  <CFPassword prompt="User Password used to access the CF database on the CCure Server" type="password"></CFPassword>
  <JNUsername def="SYSPROGRESS" prompt="Username used to access the JOURNAL database on the CCure Server" type="text">SYSPROGRESS</JNUsername>
  <JNPassword prompt="User Password used to access the JOURNAL database on the CCure Server" type="password"></JNPassword>
</iSponsor>
Enabling Debugging
You can configure the iRecorder to output debugging information to a
debugging application or to a file. A file containing debug information can be
useful for technical support purposes.
To enable debugging and log debug information to a file, follow these steps:
1. Stop the iRecorder by stopping the iTechnology iGateway Service.
2. Edit the iRecorder configuration file by adding the following <DebugLevel>
   tag between the <iSponsor> tags:
   <DebugLevel>{level}</DebugLevel>
   where {level} is one of the following:
   ISP_NOLEVEL
     Disables debugging.
   ISP_FILE
     Prints all debug messages to a debug application and also writes them to a
     log file, irecordername.log, in the same directory as the iRecorder. The
     debug file may grow very quickly; to avoid a possible disk space shortage,
     we recommend turning off the debugging option as soon as possible by
     replacing ISP_FILE with ISP_NOLEVEL.
3. Save the configuration file.
4. Start the iRecorder by restarting the iTechnology iGateway Service.
5. Send the debug file to CA Technical Support for further analysis.
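A check for the debugging procedure above, as an added Go example that is not part of the CA guide: it reads an iSponsor configuration file and reports a DebugLevel left at ISP_FILE, a value the guide does not list, or a repeated tag. The function name `AuditDebugLevel`, the two inline sample files and the use of `<Name>` to derive the log file name are assumptions.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// sponsorConf maps the parts of an iSponsor .conf file this check reads.
// DebugLevel is a slice so that repeated tags can be detected.
type sponsorConf struct {
	XMLName    xml.Name `xml:"iSponsor"`
	Name       string   `xml:"Name"`
	DebugLevel []string `xml:"DebugLevel"`
}

// Constructed sample: debugging was enabled and never switched off.
const debugLeftOn = `<?xml version='1.0' encoding='UTF-8' standalone='no'?>
<iSponsor>
  <Name>CCureODBC</Name>
  <PreLoad>true</PreLoad>
  <DebugLevel>ISP_FILE</DebugLevel>
</iSponsor>`

// Constructed sample: debugging explicitly disabled.
const debugOff = `<?xml version='1.0' encoding='UTF-8' standalone='no'?>
<iSponsor>
  <Name>CCureODBC</Name>
  <PreLoad>true</PreLoad>
  <DebugLevel>ISP_NOLEVEL</DebugLevel>
</iSponsor>`

// AuditDebugLevel returns findings for one configuration file. An empty
// result means debugging is off (tag absent or set to ISP_NOLEVEL).
func AuditDebugLevel(conf []byte) ([]string, error) {
	var c sponsorConf
	if err := xml.Unmarshal(conf, &c); err != nil {
		return nil, fmt.Errorf("not a readable iSponsor file: %w", err)
	}
	var findings []string
	if len(c.DebugLevel) > 1 {
		findings = append(findings,
			fmt.Sprintf("%s: %d DebugLevel tags, keep exactly one", c.Name, len(c.DebugLevel)))
	}
	for _, raw := range c.DebugLevel {
		switch lvl := strings.TrimSpace(raw); lvl {
		case "ISP_NOLEVEL":
			// debugging disabled, nothing to report
		case "ISP_FILE":
			findings = append(findings,
				fmt.Sprintf("%s: ISP_FILE is set, %s.log grows until it is set back to ISP_NOLEVEL", c.Name, c.Name))
		default:
			findings = append(findings,
				fmt.Sprintf("%s: DebugLevel %q is not a value listed in the guide", c.Name, lvl))
		}
	}
	return findings, nil
}

func main() {
	for label, conf := range map[string]string{"left on": debugLeftOn, "off": debugOff} {
		findings, err := AuditDebugLevel([]byte(conf))
		fmt.Printf("%s: findings=%v err=%v\n", label, findings, err)
	}
}
```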
Testing the iRecorder for CCURE 800/8000 (CCURE)
Using the following steps, you can verify that the iRecorder is installed properly
and sending events to eTrust Audit:
1. Install the iRecorder for CCURE on a Windows host.
2. Install iRouter component on a host where eTrust Audit Client components
   are installed.
3. Verify that the <windir>\System32\drivers\etc\services file contains the
   following entries:
   CFSRV     2500/tcp   # CCURE800: Progress CF database server
   # JNSRV   2501/tcp   # CCURE800: Progress JOURN database server, not used, see G#2718
   JNSRV1    2502/tcp   # CCURE800: Progress JOURN database server 1
   JNSRV2    2503/tcp   # CCURE800: Progress JOURN database server 2
   JNSRV3    2504/tcp   # CCURE800: Progress JOURN database server 3
   JNSRV4    2505/tcp   # CCURE800: Progress JOURN database server 4 (not yet used)
   CCDRVR    2600/tcp   # CCURE800: ApC Driver
4. Verify that <Program Files>\CA\iGateway contains the following files:
   ■ CCureODBC.dll
   ■ CCureODBC.conf
5. Run the eTrust Audit Policy Manager.
6. Copy the default policy for the CCURE Badge to a new one.
7. Choose the collection rule and add an action to it by right clicking on the
   rule, choosing properties and then actions (with a machine running the
   eTrust Audit Security Monitor as the target of the Security Monitor action).
8. Create a new group in the AN (Audit Node) window, then add the iRouter
   machine as a new CCURE Badge source.
9. Attach the newly created AN group to the policy you have just created.
10. Switch back to the Policy window.
11. Right-click the policy you created, and then select the Activate command to
    activate the policy.
12. On the CCURE server, log into the Administration or Monitoring Client.
    You will see a Login event as soon as you open the eTrust Audit Security
    Monitor.
13. Verify that the generated events are displayed in the eTrust Audit Security
    Monitor.
iRecorders also support standard iTechnology SDK tools (like TestHarness and
Spin interface) to query the iRecorder for current status and configuration
information. For more details on these tools, see the iTechnology SDK Reference Guide.
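Step 3 of the test procedure, scripted as an added Go example that is not part of the CA guide: it parses the text of a services file, ignores comments (so the commented-out JNSRV line is not expected), and reports each required CCURE entry that is missing or bound to a different port. The function name `CheckServices` and the inline sample file are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
)

// required holds the active entries from step 3; the commented-out JNSRV
// line (2501/tcp) is marked "not used" in the guide and is not required.
var required = map[string]string{
	"CFSRV": "2500/tcp", "JNSRV1": "2502/tcp", "JNSRV2": "2503/tcp",
	"JNSRV3": "2504/tcp", "JNSRV4": "2505/tcp", "CCDRVR": "2600/tcp",
}

// Constructed sample: JNSRV2 is missing (its port is taken by another
// entry) and JNSRV3 is bound to the wrong port.
const sampleServices = `# constructed sample of a services file
echo        7/tcp
CFSRV       2500/tcp    # CCURE800: Progress CF database server
# JNSRV     2501/tcp    # not used
JNSRV1      2502/tcp
othersvc    2503/tcp    # constructed conflicting entry
JNSRV3      2514/tcp
JNSRV4      2505/TCP
CCDRVR      2600/tcp
`

// CheckServices returns one sorted line per missing or mismatched entry.
func CheckServices(text string) []string {
	found := map[string]string{} // service name -> port/protocol
	owner := map[string]string{} // port/protocol -> first service name seen
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := sc.Text()
		if i := strings.IndexByte(line, '#'); i >= 0 {
			line = line[:i] // drop comments, including commented-out entries
		}
		f := strings.Fields(line)
		if len(f) < 2 {
			continue
		}
		name, port := f[0], strings.ToLower(f[1])
		found[name] = port
		if _, seen := owner[port]; !seen {
			owner[port] = name
		}
	}
	var problems []string
	for name, want := range required {
		got, ok := found[name]
		switch {
		case !ok && owner[want] != "":
			problems = append(problems,
				fmt.Sprintf("%s: missing, expected %s (port already assigned to %s)", name, want, owner[want]))
		case !ok:
			problems = append(problems, fmt.Sprintf("%s: missing, expected %s", name, want))
		case got != want:
			problems = append(problems, fmt.Sprintf("%s: is %s, expected %s", name, got, want))
		}
	}
	sort.Strings(problems)
	return problems
}

func main() {
	for _, p := range CheckServices(sampleServices) {
		fmt.Println(p)
	}
}
```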
Chapter 4: Report Selection Criteria
For events that are reported by the iRecorder and stored in the eTrust Audit
Collector database, selected reports can be generated using a Report Generator.
The following table describes suggested selection criteria for reports of general
interest.
The first column of the table is the Report Name. The second column is the Audit
Logname that can be specified to include all events for this Logname in the
report. The Additional Criteria column specifies one or more additional fields that
may be used to further narrow the range of events to be included in the report.
Finally, the Comment column specifies whether the field name is in the Audit
MSGTEXT field or not. The distinction is important because the MSGTEXT field
is a free-form text field that may contain several fields. Since the MSGTEXT
column contains multiple field name and field value pairs, the MSGTEXT field
must be searched using wildcard characters to select the specific field names and
values.
Sample Report Selection Criteria for CCure Badge
Report         Logname      AND additional criteria (format field name : field value)  Comment
Login Failure  CCure Badge  Integer NID: 1, Integer OID: 1                              OID is in MSGTEXT field
Login Success  CCure Badge  Integer NID: 1, Integer OID: 2                              OID is in MSGTEXT field
Badge In       CCure Badge  Integer NID: 2, Subcat: “Badge In”                          Subcat is in MSGTEXT field
Badge Out      CCure Badge  Integer NID: 2, Subcat: “Badge Out”                         Subcat is in MSGTEXT field
Chapter 5: Adding the Default Policy Template for the iRecorder to the eTrust Audit Policy Manager
To be able to create policy for CCURE 800/8000, you must add the default policy
template for the iRecorder to the Policy Manager.
To add the default template, follow these steps:
1. On the eTrust Audit Policy Manager server, open the following file:
   [eTrust Audit install]\bin\pmu_template_exchange.exe.
   The following window appears:
2. Choose Import Policy Template from binary file, and then click Next.
3. Next, enter the path of eTrust Audit CCure iRecorder Policy.ptf. This file is in
   the iGateway installation directory. Click Next.
4. Select Next again. This dialog explains the description of the policy file.
5. The next dialog asks if you want to create the policy in the default policies
   section. Select Yes, and then click Next.
6. Enter CCure Badge as the name of the inserted subpolicy, and click Finish.
Configuring the Default Policy in the eTrust Audit Policy Manager
This topic is provided as a brief guide on how to configure the policy for the
iRecorder. For further details, see the eTrust Audit Policy Management Guide.
1. Open the eTrust Audit Policy Manager.
2. On the left hand pane, click Audit Nodes.
3. Select the Targets node, right-click, and choose New Group from the pop-up
   menu.
4. Give the new group a descriptive name, such as CCure ODBC.
5. Right-click CCure ODBC, and select New AN from the pop-up menu.
6. Enter the host name of the iRouter that you have configured the iRecorder to
   communicate with.
7. Select the AN type as CCure ODBC.
8. Enter a description for the AN node.
9. Click OK. Repeat steps 5 through 8 for each iRouter in your network that a
   CCure iRecorder communicates with.
10. On the left hand pane, select Policies.
11. From the menu bar, select File, and choose New.
12. Select Policy Folder, this should be the only available option, and give the
folder a name, such as CCure ODBC.
13. Right-click the CCure ODBC folder, and choose New Policy from the pop-up
menu.
14. Select Policy by Template, and choose eTrust Audit CCure ODBC iRecorder
Policy.
15. Enter a name, such as CCure ODBC Policy, and click Finish.
16. An action must be defined for each rule. For the purposes of this guide, we
will define an action for the All Events rule.
17. Right-click the All Events rule, and choose Properties from the pop-up
menu.
18. Click the Action tab.
19. Check the box, for the Collector action.
20. Click Add, and enter the host name or IP address of the eTrust Audit
Collector.
21. Repeat steps 19 and 20 for the Security Monitor action.
22. Click OK when finished.
    This causes the icon for the All Events rule to turn from a white bell to a
    blue bell.
23. Click the bell to select the rule.
    This turns the color of the bell to red.
24. Right-click the CCure ODBC folder, and choose Attach AN Group from the
pop-up menu.
25. Select the CCure ODBC AN group, and click OK.
26. Right-click the CCure ODBC folder, and click Activate.
27. Click OK, when the confirmation dialog box appears.
28. From the left pane click Audit Nodes.
29. Select the CCure ODBC Group, and verify for each AN, that there are no
errors.
If there are no errors, then there will be a key icon in the Name of each AN.
Sample Rules for CCURE 800/8000
The Report Selection CCure iRecorder Policy.ptf file includes 3 sample rules:
Badge In
Detect all badge in events.
Badge Out
Detect all badge out events.
Login Failure
Detect login failure to CCure applications.
Chapter 6: eTrust Audit Field Mapping
The following topics describe how fields in CCURE 800/8000 events are
captured by the eTrust Audit iRecorder and mapped to a standard set of
normalized fields. eTrust Audit requires all iRecorders to follow a standard Data
Model and Taxonomy. The following topics describe how the iRecorder for
CCURE 800/8000 maps the native CCURE 800/8000 fields into eTrust Audit
fields.
Native Product Fields (CCURE)
CCure Journal Event Data Structure
| Field Name | Data Type | Description |
|---|---|---|
| Jnl_ID | Int | Unique ID for message (max of 2 billion) |
| Local_DT | Int | Encoded Date/Time activity actually occurred |
| Host_DT | Int | Encoded Date/Time message was received at host |
| TZ_Offset | Int | Time-zone offset in half-hours |
| Msg_Code | Int | Message Code for activity |
| User_PID | Int | PID of person associated with activity |
| Int_Data1 | Int | May only contain object IDs |
| Int_Data2 | Int | May contain either Object IDs, or codes < 1000 |
| Int_Data3 | Int | May contain either personnel ID (PIDs), or codes < 1000 |
| Int_Data4 | Int | May not contain object IDs or PIDs |
| Txt_Data1 | Char | A message specific text string |
| Txt_Data2 | Char | Another message specific text string |
CCure Journal Event Data Format
Msg
Code
Desc
001
User
Login/
Logout
002
Card
Admitt
ed
003
Card
Rejecte
d
004
Log
Messag
e
005
Object
Change
d State
(Event,
Distrib
utd,
Manual
)
006
Manual
Action
007
System
Activity
(Norma
l)
008
System
Error
User_PID
Supplied
PID User
Int_
Data1
Int_
Data2
Int_
Data3
None
Program
started PRM$JP
R_ xxx
Login/out
Code PRM$JLO_
xxx
Int_
Data4
Txt_
Data1
Txt_
Data2
None
Node
User
name - if
invalid
Card
Number
None
None
PID
DoorI
D
Admit
Code
Sec Officer
ID, if
admitted
manually
PID
DoorI
D
Admit
Code
Reject Code PRM$JRE_xx
x
Card
Number
None
None
SO ID; PID
User
Event
Object
ID
None
JNL ID
of related
activity
Text
of Log
Messa
ge
None
PID
ID of
Object
Chang
ing
the
state
None
State Code
StateCha
nge
Method
Code/iSt
ar
Connecti
on Code
None
None
SO ID; PID
User
ID of
Object
Acted
On
Action
Code
Manual
Action Object
ID
Manual
Action PRM$JM
A_xxx
None
None
None
Activity
Code PRM$JSM_x
xx
None
Node
Name
Mac
Name
None
System Error
Code PRM$JSE_xx
x
API
Error
Code
Node
Name
API
Name
No
No
None
None
None
Msg
Code
Desc
009
Device
Activity
(Norma
l)
010
Device
Error /
Recover
y
User_PID
Supplied
Int_
Data1
PID
ID of
Unit
or
Comp
onent
No
Int_
Data2
Int_
Data3
Int_
Data4
Txt_
Data1
Txt_
Data2
Another
Object ID
Activity
Code PRM$JDM_x
xx
None
Firmw
are
Versio
n
None
ID of
Unit
or
Comp
onent
Another
Object ID
Error Code PRM$JDE_xx
x
SubError
Code
(paging)
Firmw
are
Versio
n
None
Asset ID
None
Info
Code PRM$JA
T_xxx
PersonID
Access
Code
None
None
Asset ID
Reade
r ID
PersonID
Access
Code
Tag
Numb
er
AreaID
Asset ID
Reade
r ID
PersonID
Access
Code
Tag
Numb
er
AreaID
Asset ID
Reade
r ID
PersonID
Access
Code
Tag
Numb
er
AreaID
HHRId
PersonID
Access
Code
Tag
Numb
er
None
011
Asset
Activity
012
Asset
Movem
ent
Authori
zed
013
Asset
Movem
ent
Unauth
orized
014
Asset
Movem
ent
Attemp
ted
015
Asset
Locatio
n
Update
Asset ID
Area
ID
016
Watcht
our
Action
PID
Action
Code
ObjectID
TourGaurdI
D
?
None
None
017
Watcht
our
Activity
No
InfoC
ode
ObjectID
TourGaurdI
D
ReaderID
None
None
HHRId
HHRId
(none)
Msg
Code
Desc
User_PID
Supplied
Int_
Data1
Int_
Data2
Int_
Data3
Int_
Data4
Txt_
Data1
Txt_
Data2
018
Watcht
our
Error
No
InfoC
ode
ObjectID
TourGaurdI
D
?
None
None
019
Watcht
our
Stop
Activity
No
InfoC
ode
ObjectID
TourGaurdI
D
TourStop
ID
None
None
020
NetVid
eo
Activity
PID
Camer
aID
NetVide
oActionI
D
None
EventID
Segme
ntID
None
eTrust Audit Mandatory Fields (CCURE)
Mandatory fields are a fixed set of fields that are added to each event processed
by any iRecorder. The following tables describe what values are assigned to the
Mandatory Fields in the iRecorder for CCURE 800/8000.
Required Fields
| Field Name | Field Value | Description |
|---|---|---|
| Taxonomy | <Category>.<System>.<Action>.<Result>.<Severity> | See Table 2 for further breakdown of Taxonomy |
| Date | Timestamp | host_dt |
| TimeZone | timezone in +/- seconds format (calculated from GMT) | TimeZone of system where iRecorder is installed |
| Src | Variable | Journal Name |
| Log | CCure Badge | |
| Location | Variable | Location of CCure Database |
Table 1: Mapping of eTrust Audit Required fields
The table provides Field Names, Descriptions as well as Values (or possible
values). Additional information about the Taxonomy field is provided in Table 2
below.
Taxonomy
| Taxonomy | Possible Values | Description |
|---|---|---|
| Category | Not defined yet | |
| System | Not defined yet | |
| Action | Not defined yet | |
| Result | Not defined yet | |
| Severity | Not defined yet | |
Table 2: Details of Taxonomy Field
eTrust Audit Normalized Fields
Normalized Fields are eTrust Audit field names that are mapped or translated
from the native event field names according to the classification of the iRecorder.
Normalized fields are common across all products in the same classification. The
Taxonomy field, one of the mandatory fields, defines the classification of this
iRecorder.
Field Mapping for CCure Event:
Message Code 001 – User Login/Logout
| eTrust Audit Field Name | CCure Event Field |
|---|---|
| “Taxonomy” | Not defined yet |
| “Category” | System Access |
| “Status” | See Message Code List 1 |
| “State” | See Message Code List 1 |
| “User” | User_PID |
| Operation “Oper” | See Message Code List 1 |
| “ObjClass” | See Message Code List 1 |
| “ObjName” | See Message Code List 1 |
| Native “OID” | Int_Data3 |
| Native ID “NID” | MsgCode |
| Secondary “SObjClass” | Program |
| Secondary “SObjName” | Program |
| Secondary “SObjID” | Int_Data2 |
| “Node” | Txt_Data1 |
| “Invalid User” | See Message Code List 1 |
| Info | Info |
Message Code List 1
| Code | Name | Status | State | Oper | Obj Class | Obj Name |
|---|---|---|---|---|---|---|
| 1 | PRM$JLO_User_Logged_In | S | Access | Login | Login | LoginCode |
| 2 | PRM$JLO_Login_Attempt_Rejected | F | Fail | Login | Login | LoginCode |
| 3 | PRM$JLO_User_Logged_Out | S | Normal | Logout | Logout | LogoutCode |
| 4 | PRM$JLO_Disconected | F | Error | Logout | Login | LogoutCode |
Invalid
User
Invalid
User
Message Code List 1
Field Mapping for CCure Event:
Message Code 002 – Card Admitted
| eTrust Audit Field Name | CCure Event Field |
|---|---|
| “Taxonomy” | Not defined yet |
| “User” | User_PID |
| “Badge” | CardNumber |
| “Category” | Physical Security |
| “Location” | Int_Data1 |
| “Status” | See Message Code List 1 |
| “State” | See Message Code List 1 |
| Operation “Oper” | Card Access |
| “ObjClass” | Card |
| “ObjName” | AdmitCode |
| Native “OID” | Int_Data2 |
| Native ID “NID” | MsgCode |
| Info | Info |
Message Code List 1
| Code | Name | Status | State |
|---|---|---|---|
| 1 | PRM$JAD_Door_Unused | F | Admit |
| 2 | PRM$JAD_Noticed | F | Admit |
| 3 | PRM$JAD_Duress | F | Admit |
| 4 | PRM$JAD_Host | F | Admit |
| 5 | PRM$JAD_Manual | F | Admit |
| 6 | PRM$JAD_Deleted | F | Admit |
| 7 | PRM$JAD_Direction_IN | S | Admit |
| 8 | PRM$JAD_Direction_OUT | S | Admit |
Field Mapping for CCure Event:
Message Code 003 – Card Rejected
| eTrust Audit Field Name | CCure Event Field |
|---|---|
| “Taxonomy” | Not defined yet |
| “User” | User_PID |
| “Badge” | CardNumber |
| “Category” | Physical Security |
| “Location” | Int_Data1 |
| “Status” | F |
| “State” | Reject |
| Operation “Oper” | Card Access |
| “ObjClass” | Card |
| “ObjName” | RejectCode |
| Native “OID” | Int_Data3 |
| Native ID “NID” | MsgCode |
| “AdmitCode” | Int_Data2 |
| Info | Info |
Message Code List 1
| Code | Name |
|---|---|
| 1 | PRM$JRE_Admit |
| 2 | PRM$JRE_Unknown_Card |
| 3 | PRM$JRE_Clearence |
| 4 | PRM$JRE_Facility_Code |
| 5 | PRM$JRE_Site_code |
| 6 | PRM$JRE_PIN |
| 7 | PRM$JRE_Issue_Code |
| 8 | PRM$JRE_Lost |
| 9 | PRM$JRE_Disabled |
| 10 | PRM$JRE_Expired |
| 11 | PRM$JRE_Not_Activated |
| 12 | PRM$JRE_Not_Downloaded |
| 13 | PRM$JRE_Illegal_Reject_Code |
| 14 | PRM$JRE_Misread |
| 15 | PRM$JRE_Tailgate |
| 16 | PRM$JRE_Passback |
| 17 | PRM$JRE_Timed_AP |
| 18 | PRM$JRE_Floor |
| 19 | PRM$JRE_Linked_Asset |
| 20 | PRM$JRE_RSRV1 |
| 21 | PRM$JRE_RSRV2 |
| 22 | PRM$JRE_Invalid_Escort |
| 23 | PRM$JRE_No_Escort |
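The mappings for message codes 001 to 003, applied to journal rows and bucketed the way the Badge In, Badge Out and Login Failure sample rules are described. This is an added example, not code from the iRecorder or from this guide. It assumes that each list's row number is the integer stored in the journal and that the card number and invalid user name arrive in Txt_Data1 and Txt_Data2; the function names and the rule filters are hypothetical.

```python
# Added example, not the iRecorder's own code. Code lists are copied from this page.
# Assumption: a list's row number is the integer stored in the journal field.
JLO = {  # Msg_Code 001: login/out code (Int_Data3) -> (name, Status, State, Oper)
    1: ("PRM$JLO_User_Logged_In", "S", "Access", "Login"),
    2: ("PRM$JLO_Login_Attempt_Rejected", "F", "Fail", "Login"),
    3: ("PRM$JLO_User_Logged_Out", "S", "Normal", "Logout"),
    4: ("PRM$JLO_Disconected", "F", "Error", "Logout"),
}
JAD = {  # Msg_Code 002: admit code (Int_Data2) -> (name, Status); State is always Admit
    i: ("PRM$JAD_" + n, "S" if n.startswith("Direction") else "F")
    for i, n in enumerate(
        "Door_Unused Noticed Duress Host Manual Deleted Direction_IN Direction_OUT".split(), 1)
}
JRE = {  # Msg_Code 003: reject code (Int_Data3) -> name; Status F / State Reject are fixed
    i: "PRM$JRE_" + n
    for i, n in enumerate((
        "Admit Unknown_Card Clearence Facility_Code Site_code PIN Issue_Code Lost "
        "Disabled Expired Not_Activated Not_Downloaded Illegal_Reject_Code Misread "
        "Tailgate Passback Timed_AP Floor Linked_Asset RSRV1 RSRV2 Invalid_Escort "
        "No_Escort").split(), 1)
}


def normalize(row):
    """Map one journal row (dict keyed by native field names) to normalized fields."""
    code = row["Msg_Code"]
    # Jnl_ID is carried along for traceability; it is not a normalized field on this page.
    ev = {"Jnl_ID": row["Jnl_ID"], "NID": code, "User": row["User_PID"], "CodeName": None}
    if code == 1:
        name, status, state, oper = JLO.get(row["Int_Data3"], (None, None, None, None))
        ev.update(Category="System Access", Status=status, State=state, Oper=oper,
                  OID=row["Int_Data3"], SObjClass="Program", SObjID=row["Int_Data2"],
                  Node=row["Txt_Data1"], CodeName=name)
        if row["Txt_Data2"]:
            # Assumption from the journal format table: Txt_Data2 = user name, if invalid.
            ev["Invalid User"] = row["Txt_Data2"]
    elif code == 2:
        name, status = JAD.get(row["Int_Data2"], (None, None))
        ev.update(Category="Physical Security", Status=status, State="Admit",
                  Oper="Card Access", ObjClass="Card", Location=row["Int_Data1"],
                  OID=row["Int_Data2"], CodeName=name,
                  Badge=row["Txt_Data1"])  # assumption: card number is in Txt_Data1
    elif code == 3:
        ev.update(Category="Physical Security", Status="F", State="Reject",
                  Oper="Card Access", ObjClass="Card", Location=row["Int_Data1"],
                  OID=row["Int_Data3"], AdmitCode=row["Int_Data2"],
                  CodeName=JRE.get(row["Int_Data3"]),
                  Badge=row["Txt_Data1"])  # assumption: card number is in Txt_Data1
    # Codes missing from the lists are flagged, not dropped, so they can be reviewed.
    ev["Unmapped"] = ev["CodeName"] is None
    return ev


def sample_rule_hits(rows):
    """Bucket events like the three sample rules; the rule filters are assumptions."""
    hits = {"Badge In": [], "Badge Out": [], "Login Failure": [], "Unmapped": []}
    for ev in map(normalize, rows):
        if ev["Unmapped"]:
            hits["Unmapped"].append(ev)
        elif ev["CodeName"] == "PRM$JAD_Direction_IN":
            hits["Badge In"].append(ev)
        elif ev["CodeName"] == "PRM$JAD_Direction_OUT":
            hits["Badge Out"].append(ev)
        elif ev["CodeName"] == "PRM$JLO_Login_Attempt_Rejected":
            hits["Login Failure"].append(ev)
    return hits


def journal_row(jnl, msg, pid, i1=0, i2=0, i3=0, i4=0, t1="", t2=""):
    """Build a journal row dict with the native field names."""
    return {"Jnl_ID": jnl, "Msg_Code": msg, "User_PID": pid, "Int_Data1": i1,
            "Int_Data2": i2, "Int_Data3": i3, "Int_Data4": i4,
            "Txt_Data1": t1, "Txt_Data2": t2}


SAMPLE_ROWS = [  # constructed rows, not real journal data
    journal_row(101, 1, 0, i2=12, i3=2, t1="GUARD-PC1", t2="jdoe"),  # login rejected
    journal_row(102, 2, 5001, i1=77, i2=7, t1="0004417"),            # badge in
    journal_row(103, 2, 5001, i1=77, i2=8, t1="0004417"),            # badge out
    journal_row(104, 3, 5002, i1=78, i3=16, t1="0004418"),           # passback reject
    journal_row(105, 2, 5003, i1=77, i2=3, t1="0004419"),            # duress admit
    journal_row(106, 3, 5004, i1=78, i3=99, t1="0004420"),           # code not in list
]

if __name__ == "__main__":
    for rule, events in sample_rule_hits(SAMPLE_ROWS).items():
        print(rule, [e["Jnl_ID"] for e in events])
```

A duress admit (row 105) falls into none of the three sample buckets even though its Status is F, which is why a policy built only from the sample rules needs an additional rule for it.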
Field Mapping for CCure Event:
Message Code 004 – Log Message
| eTrust Audit Field Name | CCure Event Field |
|---|---|
| “Taxonomy” | Not defined yet |
| “Category” | Object Access |
| “Status” | S |
| “State” | Normal |
| “User” | User_PID |
| “ObjClass” | Log |
| “ObjName” | EventID |
| Native “OID” | Int_Data1 |
| Native ID “NID” | MsgCode |
| Info | LogMessage:Txt_Data1 |
Field Mapping for CCure Event:
Message Code 005 – Object Changed State (Event, Distributed, Manual)
| eTrust Audit Field Name | CCure Event Field |
|---|---|
| “Taxonomy” | Not defined yet |
| “Category” | Physical Security |
| “Status” | See Message Code List 1 |
| “State” | See Message Code List 1 |
| “User” | User_PID |
| Operation “Oper” | Obj State Change |
| “ObjClass” | See Message Code List 1 |
| “ObjName” | ObjectID |
| Native “OID” | Int_Data1 |
| Native ID “NID” | MsgCode |
| Secondary “SObjClass” | State |
| Secondary “SObjName” | StateCode |
| Secondary “SObjID” | Int_Data3 |
| “StateChange MethodCode” | Int_Data4 |
| Info | Info |
Message Code List 1
| Code | Name | Status | State | Severity | ObjClass |
|---|---|---|---|---|---|
| 1 | PRM$OST_None | S | None | Info | Generic |
| 2 | PRM$OST_Active | S | Active | Info | Generic |
| 3 | PRM$OST_Inactive | S | Inactive | Info | Generic |
| 4 | PRM$OST_Mom_Active | S | Inactive | Warning | Generic |
| 5 | PRM$OST_On_Line | S | Online | Info | Generic |
| 6 | PRM$OST_Off_line | S | Offline | Warning | Generic |
| 7 | PRM$OST_Supervision | F | Error | Warning | Supervisor |
| 8 | PRM$OST_Grounded_Loop | S | Info | Info | Supervisor |
| 9 | PRM$OST_Shorted_Loop | S | Info | Info | Supervisor |
| 10 | PRM$OST_Open_Loop | S | Info | Info | Supervisor |
| 11 | PRM$OST_Fault | S | Info | Info | Supervisor |
| 12 | PRM$OST_Locked | F | Locked | Info | Generic |
| 13 | PRM$OST_Unlocked | S | Unlocked | Info | Generic |
| 14 | PRM$OST_Secure | S | Armed | Info | Generic |
| 15 | PRM$OST_Armed | S | Armed | Info | Generic |
| 16 | PRM$OST_Disarmed | S | Disarmed | Info | Generic |
| 17 | PRM$OST_Neutral | S | Undefined | Info | Generic |
| 18 | PRM$OST_Active_in_TimeSpec | S | Active | Info | Generic |
| 19 | PRM$OST_Active_Outside_TimeSpec | S | Active | Info | Generic |
| 20 | PRM$OST_ADA_Unlocked | S | Unlocked | Info | Generic |
| 21 | PRM$OST_Reader_1 | | | | |
| 22 | PRM$OST_Reader_2 | | | | |
| 23 | PRM$OST_Door_Switch_Monitor | | | | |
| 24 | PRM$OST_Door_Latch_Monitor | | | | |
| 25 | PRM$OST_Request_To_Exit | | | | |
| 26 | PRM$OST_Door_Forced | S | Forced | Critical | Door |
| 27 | PRM$OST_Door_Held | F | Held | Warning | Door |
| 28 | PRM$OST_Admit | S | Admit | Info | Card |
| 29 | PRM$OST_Reject | F | Reject | Warning | Card |
| 30 | PRM$OST_Visitor_Admit | S | Admit | Info | Visitor |
| 31 | PRM$OST_Visitor_Reject | F | Reject | Warning | Visitor |
| 32 | PRM$OST_Noticed_Admit | S | Admit | Info | Card |
| 33 | PRM$OST_Noticed_Reject | F | Reject | Warning | Card |
| 34 | PRM$OST_Map | | | | |
| 35 | PRM$OST_Duress | F | Duress | Critical | Card |
| 36 | PRM$OST_Comm_Port | | | | |
| 37 | PRM$OST_Tamper | F | Tamper | Warning | Generic |
| 38 | PRM$OST_Power_Failure | F | PowerFailure | Critical | Generic |
| 39 | PRM$OST_Communications_Failure | F | CommFailure | Warning | Generic |
| 40 | PRM$OST_Communications_Restored | S | Normal | Info | Generic |
| 41 | PRM$OST_Power_Restored | S | PowerRestored | Info | Generic |
| 42 | PRM$OST_Tamper_Cleared | S | Normal | Info | Generic |
| 43 | PRM$OST_Door_Closed | S | Close | Info | Door |
| 44 | PRM$OST_Door_Open | S | Open | Warning | Door |
| 45 | PRM$OST_Supervision_Cleared | F | Error | Warning | Supervisor |
| 46 | PRM$OST_Grounded_Loop_Cleared | S | Info | Info | Supervisor |
| 47 | PRM$OST_Shorted_Loop_Cleared | S | Info | Info | Supervisor |
| 48 | PRM$OST_Open_Loop_Cleared | S | Info | Info | Supervisor |
| 49 | PRM$OST_Fault_Cleared | S | Info | Info | Supervisor |
| 50 | PRM$OST_Acknowledge | S | Ack | Info | Generic |
| 51 | PRM$OST_Mom_Unlock | S | Locked | Info | Generic |
| 52 | PRM$OST_Reset_Actions | | | | |
| 53 | PRM$OST_Area_Enter_Event | | | | |
| 54 | PRM$OST_Area_Exit_Event | | | | |
| 55 | PRM$OST_Door_Enter_Area | | | | |
| 56 | PRM$OST_Door_Exit_Area | | | | |
| 57 | PRM$OST_Controlled Access | S | Access | Info | Generic |
| 58 | PRM$OST_Uncontrolled_Access | S | Access | Warning | Generic |
| 59 | PRM$OST_Elevator | | | | |
| 60 | PRM$OST_Elevator_Floor | | | | |
| 61 | PRM$OST_Connection_Failure | F | Error | Warning | Generic |
| 62 | PRM$OST_Asset_Overdue | | | | |
| 63 | PRM$OST_Event_Ack_Overdue | | | | |
| 64 | PRM$OST_In_Directional_Input | | | | |
| 65 | PRM$OST_Out_Directional_Input | | | | |
| 66 | PRM$OST_Stationary | | | | |
| 67 | PRM$OST_Portable | | | | |
| 68 | PRM$OST_Unauthorized_Portable | | | | |
| 69 | PRM$OST_Noticed | | | | |
| 70 | PRM$OST_Unauthorized_Noticed | | | | |
| 71 | PRM$OST_Asset_Reject | F | Denied | Warning | Card |
| 72 | PRM$OST_Asset_Area_Enter | | | | |
| 73 | PRM$OST_Asset_Area_Exit | | | | |
| 74 | PRM$OST_Reader_3 | | | | |
| 75 | PRM$OST_Reader_4 | | | | |
| 76 | PRM$OST_Reader_1_2 | | | | |
| 77 | PRM$OST_Reader_3_4 | | | | |
| 78 | PRM$OST_Reader_1_3 | | | | |
| 79 | PRM$OST_Reader_2_4 | | | | |
| 80 | PRM$OST_Reader_1_2_3_4 | | | | |
| 81 | PRM$OST_Asset_Checkin | S | Info | Info | Generic |
| 82 | PRM$OST_Printer_Buffer_Overflow | F | Error | Warning | Printer |
| 83 | PRM$OST_Printer_Abnormal | F | Error | Warning | Printer |
| 84 | PRM$OST_Printer_Paper_Jam | F | Error | Warning | Printer |
| 85 | PRM$OST_Printer_Out_Of_Paper | F | Error | Warning | Printer |
| 86 | PRM$OST_Printer_Offline | F | Error | Warning | Printer |
| 87 | PRM$OST_Printer_General_Error | | | | |
| 88 | PRM$OST_Printer_Normal | S | Active | Info | Printer |
| 89 | PRM$OST_Printer_Overflow_Buffer_Cleared | S | Active | Info | Printer |
| 90 | PRM$OST_Printer_Paper_Jam_Cleared | S | Active | Info | Printer |
| 91 | PRM$OST_Printer_Out_of_Paper_Cleared | S | Active | Info | Printer |
| 92 | PRM$OST_Printer_Online | S | Active | Info | Printer |
| 93 | PRM$OST_Printer_General_Error_Cleared | F | Error | Warning | Printer |
| 94 | PRM$OST_PIN_Required | F | Error | Warning | Generic |
| 95 | PRM$OST_PIN_Disabled | F | Disabled | Warning | Generic |
| 96 | PRM$OST_Printer_Power_Off | F | Inactive | Warning | Printer |
| 97 | PRM$OST_Printer_Power_On | S | Active | Info | Printer |
| 98 | PRM$OST_Page_Fault | F | Error | Warning | Generic |
| 99 | PRM$OST_Email_Failed | F | Error | Warning | Generic |
| 100 | PRM$OST_Control_Zone_Mode_Secure | S | Secure | Info | Intrusion |
| 101 | PRM$OST_Control_Zone_Mode_Access | S | Access | Warning | Intrusion |
| 102 | PRM$OST_Control_Zone_Access_Input | S | Disarmed | Warning | Intrusion |
| 103 | PRM$OST_Control_Zone_Secure_Input | S | Armed | Info | Intrusion |
| 104 | PRM$OST_Control_Zone_Access_Tamper | S | Disarmed | Warning | Intrusion |
| 105 | PRM$OST_Control_Zone_Secure_Tamper | S | Armed | Info | Intrusion |
| 106 | PRM$OST_Control_Zone_Access_Output | S | Disarmed | Warning | Intrusion |
| 107 | PRM$OST_Control_Zone_Secure_Output | S | Armed | Info | Intrusion |
| 108 | PRM$OST_Control_Zone_Violated_Output | F | Error | Warning | Intrusion |
| 109 | PRM$OST_Control_Zone_Input_Off_Normal | F | Error | Warning | Intrusion |
| 110 | PRM$OST_Control_Zone_Input_Normal | S | Active | Info | Intrusion |
| 111 | PRM$OST_Control_Zone_Door_Open | S | Open | Warning | Intrusion |
| 112 | PRM$OST_Control_Zone_Door_Closed | S | Close | Info | Intrusion |
| 113 | PRM$OST_Control_Zone_General_Input | S | Active | Info | Intrusion |
| 114 | PRM$OST_Primary_Comm_Method_Fail | F | Error | Warning | Generic |
| 115 | PRM$OST_Secondary_Comm_Method_Fail | F | Error | Warning | Generic |
| 116 | PRM$OST_Control_Zone_State_Violated | F | Error | Warning | Intrusion |
| 117 | PRM$OST_Control_Zone_Not_Secure | S | Access | Warning | Intrusion |
| 118 | PRM$OST_Control_Zone_Access_Secure_Input | S | Access | Warning | Intrusion |
| 119 | PRM$OST_Primary_Comm_Method_Fail_Host | F | Error | Warning | Generic |
| 120 | PRM$OST_Secondary_Comm_Test_Restored | S | Active | Info | Generic |
| 212 | PRM$OST_Slave_Master_Comm_Fail | F | Error | Warning | Generic |
| 122 | PRM$OST_Secondary_Comm_Test_Fail | F | Error | Warning | Generic |
| 123 | PRM$OST_Low_Battery | S | Error | Warning | Generic |
| 124 | PRM$OST_Primary_Comm_Method_Restored_Host | S | Active | Info | Generic |
| 125 | PRM$OST_Secondary_Comm_Method_Restored_Host | S | Active | Info | Generic |
| 126 | PRM$OST_Cluster_Split | S | Active | Info | Generic |
| 127 | PRM$OST_Cluster_Not_Split | S | Normal | Info | Generic |
| 128 | PRM$OST_Secondary_Comm_Method_Fail_Host | F | Error | Warning | Generic |
| 129 | PRM$OST_Panel_Full | S | Error | Warning | Generic |
| 130 | PRM$OST_Panel_Nearly_Full | S | Warning | Warning | Generic |
| 131 | PRM$OST_Panel_Not_Full | S | Active | Info | Generic |
| 132 | PRM$OST_Panel_Not_Nearly_Full | S | Warning | Warning | Generic |
| 133 | PRM$OST_Admit_Reject_CCTV | S | Error | Warning | Generic |
| 134 | PRM$OST_Shunt_Expire_Warning | S | Normal | Info | Generic |
| 135 | PRM$OST_TourStop_Input | S | Normal | Info | Generic |
| 136 | PRM$OST_Tour_End_Early | S | Warning | Warning | Generic |
| 137 | PRM$OST_Tour_End_Late | S | Warning | Warning | Generic |
| 138 | PRM$OST_TourSTop_Reached_OutOfSeq | S | Warning | Warning | Generic |
| 139 | PRM$OST_TourAtop_Reached_Early | S | Warning | Warning | Generic |
| 140 | PRM$OST_Tour_Stop_Reached_Late | S | Warning | Warning | Generic |
| 141 | PRM$OST_RadReceiver_Battery_Fail | F | Error | Warning | Generic |
| 142 | PRM$OST_RadReceiver_Battery_Restored | S | Active | Info | Generic |
| 143 | PRM$OST_Door_Position_Sensor | S | Change | Warning | Door |
| 144 | PRM$OST_Lock_Status_Sensor | S | Change | Warning | Generic |
145
PRM$OST_Set_Event
S
Info
Generic
146
PRM$OST_Reset_Event
S
Info
Generic
Field Mapping for CCure Event:
Message Code 006 – Manual Action
| eTrust Audit Field Name | CCure Event Field |
|---|---|
| “Taxonomy” | Not defined yet |
| “Category” | Physical Security |
| “SubCat” | Action |
| “Status” | S |
| “State” | Normal |
| “User” | User_PID |
| Operation “Oper” | Scheduled |
| “ObjClass” | Generic |
| “ObjName” | ObjectID |
| Native “OID” | Int_Data1 |
| Native ID “NID” | MsgCode |
| Secondary “SObjClass” | Action |
| Secondary “SObjName” | ActionCode |
| Secondary “SObjID” | Int_Data2 |
| “ManualAction” | Int_Data4 |
| Info | Info |
Message Code List 2
| Code | Name | Severity |
|---|---|---|
| 1 | PRM$JMA_Scheduled | Info |
| 2 | PRM$JMA_Activated | Info |
| 3 | PRM$JMA_Cancelled | Warning |
| 4 | PRM$JMA_Deactivated | Info |
| 5 | PRM$JMA_Momentary | Info |
| 6 | PRM$JMA_Acknowledge | Info |
| 7 | PRM$JMA_Reset_Actions | Warning |
Field Mapping for CCure Event:
Message Code 007 – System Activity (Normal)
| eTrust Audit Field Name | CCure Event Field |
|---|---|
| “Taxonomy” | Not defined yet |
| “Category” | Security Systems |
| “SubCat” | System |
| “Status” | S |
| “State” | Normal |
| Operation “Oper” | See Message Code List 1 |
| “ObjClass” | SysActivity |
| “ObjName” | ActivityCode |
| Native “OID” | Int_Data3 |
| Native ID “NID” | MsgCode |
| Secondary “SObjClass” | Node |
| Secondary “SObjName” | NodeName |
| Secondary “SObjID” | Txt_Data1 |
| “Mac Name” | Txt_Data2 |
| Info | Info |
Message Code List 1
| Code | Name | Severity | Oper |
|---|---|---|---|
| 1 | PRM$JSM_System_Startup | Info | Startup |
| 2 | PRM$JSM_System_Shutdown | Info | Shutdown |
| 3 | PRM$JSM_Journal_File_Changed | Info | FileChange |
| 4 | PRM$JSM_System_Backup_Start | Info | Backup |
| 5 | PRM$JSM_Controller_Denied | Warning | Rejected |
Field Mapping for CCure Event:
Message Code 008 – System Error
| eTrust Audit Field Name | CCure Event Field |
|---|---|
| “Category” | System Access |
| “SubCat” | System |
| “Status” | F |
| “State” | Error |
| “Severity” | Critical |
| “API Code” | See Message Code List 1 |
| “ObjClass” | SysActivity |
| “ObjName” | ActivityCode |
| Native “OID” | Int_Data3 |
| Native ID “NID” | MsgCode |
| Secondary “SObjClass” | Node |
| Secondary “SObjName” | NodeName |
| Secondary “SObjID” | Txt_Data1 |
| Info | System Error |
Message Code List 1
| Code | Name |
|---|---|
| 1 | PRM$JSE_Disk_error |
| 2 | PRM$JSE_Database_error |
| 3 | PRM$JSE_API_Call_Failed |
| 4 | PRM$JSE_Thread_Init_Failure |
| 5 | PRM$JSE_Using_Mouse_Port |
| 6 | PRM$JSE_Error_While_Allocating_Port |
| 7 | PRM$JSE_Disk_Space_Low |
| 8 | PRM$JSE_Site_Expired |
| 9 | PRM$JSE_Site_Will_Expire |
| 10 | PRM$JSE_SSA_Expired |
| 11 | PRM$JSE_SSA_Will_Expire |
| 12 | PRM$JSE_Badging_Expired |
| 13 | PRM$JSE_Badging_Will_Expire |
| 14 | PRM$JSE_Invalid_Sentinel |
| 15 | PRM$JSE_Unknown_Panel |
| 16 | PRM$JSE_NTEventLogError |
| 17 | PRM$JSE_Asset_Tracking_Will_Expire |
| 18 | PRM$JSE_Asset_Tracking_Expired |
| 19 | PRM$JSE_Paging_Will_Expire |
| 20 | PRM$JSE_Paging_Expired |
API Code
int_data4
Field Mapping for CCure Event:
Message Code 009 – Device Activity (Normal)
| eTrust Audit Field Name | CCure Event Field |
|---|---|
| “Taxonomy” | Not defined yet |
| “Category” | General |
| “SubCat” | System |
| “Status” | S |
| “State” | Normal |
| “Severity” | Info |
| “User” | User_PID |
| Operation “Oper” | See Message Code List 1 |
| “ObjClass” | SysActivity |
| “ObjName” | ActivityCode |
| Native “OID” | Int_Data3 |
| Native ID “NID” | MsgCode |
| Secondary “SObjClass” | Unit |
| Secondary “SObjName” | UnitID |
| Secondary “SObjID” | Int_Data1 |
| “Another ObjectID” | Int_Data2 |
| Info | Device Activity (Normal) |
Message Code List 1
| Code | Name | Oper |
|---|---|---|
| 1 | PRM$JDM_Memory_Erased | Memory |
| 2 | PRM$JDM_Hardware_Reset | Reset |
| 3 | PRM$JDM_Power_Recycle | Recycle |
| 4 | PRM$JDM_Download_Started | Download |
| 5 | PRM$JDM_Download_Completed | Download |
| 6 | PRM$JDM_Host_Init_Connection_Started | Init |
| 7 | PRM$JDM_Host_Init_Connection_Completed | Init |
| 8 | PRM$JDM_Panel_Init_Connection_Started | |
| 9 | PRM$JDM_Panel_Init_Connection_Completed | |
| 10 | PRM$JDM_Flash_Started | Flash |
| 11 | PRM$JDM_Flash_Completed | Flash |
| 12 | PRM$JDM_Email_Sent | Email |
| 13 | PRM$JDM_Page_Sent | Page |
| 14 | PRM$JDM_Grace_All | Grace |
| 15 | PRM$JDM_Grace_Card | Grace |
| 16 | PRM$JDM_Download_UnitIsFull | Download |
| 17 | PRM$JDM_iStar_Dialup_Connected | Dialup |
| 18 | PRM$JDM_iStar_Dialup_Started | Dialup |
| 19 | PRM$JDM_RAD_BUSY_SECOND | |
| 20 | PRM$JDM_RAD_COMPUTER_ERROR | |
| 21 | PRM$JDM_RAD_COMPUTER_RESTORED | |
| 22 | PRM$JDM_RAD_PHONE_LINE_FAIL | |
| 23 | PRM$JDM_RAD_PHONE_LINE_RESTORED | |
| 24 | PRM$JDM_RAD_ACCOUNT_CLOSE | |
| 25 | PRM$JDM_RAD_ACCOUNT_OPEN | |
| 26 | PRM$JDM_RAD_UNKNOWN_MSG | |
| 27 | PRM$JDM_RAD_CRC_ERROR | |
| 28 | PRM$JDM_RAD_RECEIVER_NUM_WRONG | |
| 29 | PRM$JDM_RAD_ACCOUNT_CLOSE_ZN | |
| 30 | PRM$JDM_RAD_ACCOUNT_OPEN_ZN | |
| 31 | PRM$JDM_RAD_ACCOUNT_CLOSE_ID | |
| 32 | PRM$JDM_RAD_ACCOUNT_OPEN_ID | |
| 33 | PRM$JDM_RAD_ACCOUNT_CLOSE_AREA | |
| 34 | PRM$JDM_RAD_ACCOUNT_OPEN_AREA | |
| 35 | PRM$JDM_RAD_ACCOUNT_CLOSE_AREA_ID | |
| 36 | PRM$JDM_RAD_ACCOUNT_OPEN_AREA_ID | |
| 37 | PRM$JDM_RAD_ACCOUNT_UNKNOWN_MSG | |
| 38 | PRM$JDM_RAD_ALARM | |
| 39 | PRM$JDM_RAD_ALARM_RESTORE | |
| 40 | PRM$JDM_RAD_ALARM_ZONE | |
| 41 | PRM$JDM_RAD_ALARM_RESTORE_ZONE | |
| 42 | PRM$JDM_RAD_ALARM_AREA | |
| 43 | PRM$JDM_RAD_ALARM_RESTORE_AREA | |
| 44 | PRM$JDM_RAD_LINE_CARD_TROUBLE | |
| 45 | PRM$JDM_RAD_LINE_CARD_RESTORE | |
| 46 | PRM$JDM_RAD_PRINTER_TROUBLE | |
| 47 | PRM$JDM_RAD_PRINTER_RESTORE | |
| 48 | PRM$JDM_RAD_ACCOUNT_DIAGNOSTIC | |
| 49 | PRM$JDM_RAD_ACCOUNT_DIAGNOSTIC_ZONE | |
| 50 | PRM$JDM_RAD_ACCOUNT_BATTERY_FAIL | |
| 51 | PRM$JDM_RAD_ACCOUNT_BATTERY_RESTORE | |
| 52 | PRM$JDM_RAD_ACCOUNT_AC_FAIL | |
| 53 | PRM$JDM_RAD_ACCOUNT_AC_RESTORE | |
| 54 | PRM$JDM_RAD_ACCOUNT_REBOOT | |
| 55 | PRM$JDM_RAD_ACCOUNT_POINT_BUS_FAIL | |
| 56 | PRM$JDM_RAD_ACCOUNT_POINT_BUS_RESTORE | |
| 57 | PRM$JDM_RAD_ACCOUNT_SDI_FAIL | |
| 58 | PRM$JDM_RAD_ACCOUNT_SDI_RESTORE | |
| 59 | PRM$JDM_RAD_FIRE_ALARM_POINT | |
| 60 | PRM$JDM_RAD_FIRE_ALARM_RESTORE_POINT | |
| 61 | PRM$JDM_RAD_FIRE_ALARM_AREA | |
| 62 | PRM$JDM_RAD_FIRE_ALARM_RESTORE_AREA | |
| 63 | PRM$JDM_RAD_ALARM_TROUBLE | |
| 64 | PRM$JDM_RAD_ALARM_TROUBLE_POINT | |
| 65 | PRM$JDM_RAD_ALARM_TROUBLE_AREA_POINT | |
| 66 | PRM$JDM_RAD_FIRE_ALARM_TROUBLE | |
| 67 | PRM$JDM_RAD_FIRE_ALARM_TROUBLE_POINT | |
| 68 | PRM$JDM_RAD_FIRE_ALARM_TROUBLE_AREA_POINT | |
| 69 | PRM$JDM_RAD_PRINTER_TEST | |
| 70 | PRM$JDM_RAD_PRINTER_ONLINE | |
| 71 | PRM$JDM_RAD_PRINTER_OFFLINE | |
| 72 | PRM$JDM_RAD_CANCEL_ALARM_ID | |
| 73 | PRM$JDM_RAD_CANCEL_ALARM_AREA_ID | |
| 74 | PRM$JDM_RAD_CANCEL_FIRE_ALARM_AREA_ID | |
| 75 | PRM$JDM_WatchFlash_Download_Started | |
| 76 | PRM$JDM_WatchFlash_Download_Completed | |
| 77 | PRM$JDM_WatchFlash_Swapped | |
| 78 | PRM$JDM_WatchFlash_Upload_Started | |
| 79 | PRM$JDM_WatchFlash_Upload_Completed | |
| 80 | PRM$JDM_Watch_Flash_Loading_Canceled | |
| 81 | PRM$JDM_NetVideo_Server_Comm_Error | |
| 82 | PRM$JDM_NetVideo_Server_Comm_Restored | |
| 83 | PRM$JDM_NetVideo_Status_Retry | |
| 84 | PRM$JDM_NetVideo_Pipe_Server_Timeout | |
| 85 | PRM$JDM_NetVideo_Server_Error | |
| 86 | PRM$JDM_NetVideo_Camera_Error | |
| 87 | PRM$JDM_NetVideo_Action_Error | |
| 88 | PRM$JDM_NetVideo_Server_Comm_Success | |
| 89 | PRM$JDM_BID_Receiver_JnlMsg | |
| 90 | PRM$JDM_BID_Action_JnlMsg1 | |
| 91 | PRM$JDM_BID_Action_JnlMsg2 | |
| 92 | PRM$JDM_BID_Action_JnlMsg3 | |
| 93 | PRM$JDM_BID_Action_JnlMsg4 | |
| 94 | PRM$JDM_BID_Action_JnlMsg5 | |
| 95 | PRM$JDM_BID_Action_JnlMsg6 | |
| 96 | PRM$JDM_BID_Receiver_JnlMsg1 | |
| 97 | PRM$JDM_BID_Action_No_Command | |
| 98 | PRM$JDM_BID_Action_Empty_Command | |
| 99 | PRM$JDM_BID_Action_Set_Command_Err | |
| 101 | PRM$JDM_BID_Action_Device_Comm_Err | |
| 102 | PRM$JDM_Watch_Loading_Canceled | |
Field Mapping for CCure Event:
Message Code 010 – Device Error/Recovery
| eTrust Audit Field Name | CCure Event Field |
|---|---|
| “Taxonomy” | Not defined yet |
| “Category” | General |
| “SubCat” | System |
| “Status” | F |
| “State” | Error |
| “Severity” | Critical |
| Operation “Oper” | UnitAccess |
| “ObjClass” | Error |
| “ObjName” | ErrorCode |
| Native “OID” | Int_Data3 |
| Native ID “NID” | MsgCode |
| Secondary “SObjClass” | Unit |
| Secondary “SObjName” | UnitID |
| Secondary “SObjID” | Int_Data1 |
| “Another ObjectID” | Int_Data2 |
| “SubErrorCode” | Int_Data4 |
| Info | Info |
Message Code List 1
| Code | Name |
|---|---|
| 1 | PRM$JDE_Download_Aborted |
| 2 | PRM$JDE_Buffer_Full |
| 3 | PRM$JDE_Wrong_Firmware |
| 4 | PRM$JDE_Sequence_Error |
| 5 | PRM$JDE_Encryption_Error |
| 6 | PRM$JDE_Unable_To_Contact_Panel |
| 7 | PRM$JDE_Unable_To_Contact_Host |
| 8 | PRM$JDE_Host_Init_Connection_Failure |
| 9 | PRM$JDE_Panel_Init_Connection_Failure |
| 10 | PRM$JDE_Received_Call_Inuse_Panel |
| 11 | PRM$JDE_Manual_Connect_Failed |
| 12 | PRM$JDE_Password_Verification_Error |
| 13 | PRM$JDE_Panel_Reported_Password_Error |
| 14 | PRM$JDE_Panel_Reported_Modem_Error |
| 15 | PRM$JDE_Received_Call_Offline_Panel |
| 16 | PRM$JDE_Unable_To_Flash |
| 17 | PRM$JDE_Flash_Aborted |
| 18 | PRM$JDE_Flash_Too_Big |
| 19 | PRM$JDE_Flash_Error |
| 20 | PRM$JDE_Flash_Bad_Version |
| 21 | PRM$JDE_Unable_Cancel_Flash |
| 22 | PRM$JDE_No_Flash_Chip |
| 23 | PRM$JDE_Email_Failed |
| 24 | PRM$JDE_Page_Failed |
| 25 | PRM$JDE_Control_Zone_Violated |
| 26 | PRM$JDE_ControlZone_Secure_Failed |
| 27 | PRM$JDE_ControlZone_Access_Failed |
| 28 | PRM$JDE_Flash_CRC_Error |
| 29 | PRM$JDE_Flash_NoFlashMemory |
| 30 | PRM$JDE_Flash_NoDramMemory |
| 31 | PRM$JDE_Flash_FallbackImage |
| 32 | PRM$JDE_Event_Buffer_Full |
| 33 | PRM$JDE_Event_Buffer_HighWaterMark |
| 34 | PRM$JDE_Flash_NotRequestedFlashImage |
| 35 | PRM$JDE_iSTAR_Dialup_Disconnect |
| 36 | PRM$JDE_iSTAR_Dialup_Communication_failed |
| 37 | PRM$JDE_Need_KGI_Image |
| 38 | PRM$JDE_WatchFlash_Download_Error |
| 39 | PRM$JDE_WatchFlash_Swap_Error |
| 40 | PRM$JDE_WatchFlash_Upload_Error |
| 41 | PRM$JDE_Watch_Loading_Error |
Field Mapping for CCure Event:
Message Code 011 – Asset Activity
| eTrust Audit Field Name | CCure Event Field |
|---|---|
| “Taxonomy” | Not defined yet |
| “Category” | Physical Security |
| “SubCat” | Asset |
| “Status” | S |
| “State” | Warning |
| “Severity” | Info |
| “Asset” | user_pid |
| User | int_data3 |
| Operation “Oper” | AssetActivity |
| “ObjClass” | AssetInfo |
| “ObjName” | AssetInfoCode |
| Native “OID” | Int_Data2 |
| Native ID “NID” | MsgCode |
| Secondary “SObjClass” | AssetAccess |
| Secondary “SObjName” | AccessCode |
| Secondary “SObjID” | Int_Data4 |
| Info | Info |
Message Code List 1
| Code | Name |
|---|---|
| 1 | PRM$JAT_Overdue |
| 2 | PRM$JAT_Checkout |
| 3 | PRM$JAT_Checkin |
Field Mapping for CCure Event:
Message Code 012 – Asset Movement Authorized
| eTrust Audit Field Name | CCure Event Field |
|---|---|
| “Taxonomy” | Not defined yet |
| “Category” | Physical Security |
| “SubCat” | Asset |
| “Status” | S |
| “State” | Normal |
| “Severity” | Info |
| “Asset” | user_pid |
| “User” | int_data3 |
| Operation “Oper” | AssetMove |
| “ObjClass” | AssetInfo |
| “ObjName” | HHRID |
| Native “OID” | Int_Data2 |
| Native ID “NID” | MsgCode |
| Secondary “SObjClass” | AssetAccess |
| Secondary “SObjName” | AccessCode |
| Secondary “SObjID” | Int_Data4 |
| “ReaderID” | Int_Data1 |
| “Tag Number” | Txt_Data1 |
| “AreaID” | Txt_Data2 |
| Info | Info |
Field Mapping for CCure Event:
Message Code 013 – Asset Movement Unauthorized
| eTrust Audit Field Name | CCure Event Field |
|---|---|
| “Taxonomy” | Not defined yet |
| “Category” | Physical Security |
| “SubCat” | Asset |
| “Status” | F |
| “State” | Reject |
| “Severity” | Warning |
| “Asset” | user_pid |
| “User” | int_data3 |
| Operation “Oper” | AssetMove |
| “ObjClass” | AssetInfo |
| “ObjName” | HHRID |
| Native “OID” | Int_Data2 |
| Native ID “NID” | MsgCode |
| Secondary “SObjClass” | AssetAccess |
| Secondary “SObjName” | AccessCode |
| Secondary “SObjID” | Int_Data4 |
| “ReaderID” | Int_Data1 |
| “Tag Number” | Txt_Data1 |
| “AreaID” | Txt_Data2 |
| Info | Info |
Field Mapping for CCure Event:
Message Code 014 – Asset Movement Attempted
| eTrust Audit Field Name | CCure Event Field |
|---|---|
| “Taxonomy” | Not defined yet |
| “Category” | Physical Security |
| “SubCat” | Asset |
| “Status” | F |
| “State” | Reject |
| “Severity” | Warning |
| “Asset” | user_pid |
| “User” | int_data3 |
| Operation “Oper” | AssetMove |
| Native ID “NID” | MsgCode |
| Secondary “SObjClass” | AssetAccess |
| Secondary “SObjName” | AccessCode |
| Secondary “SObjID” | Int_Data4 |
| “ReaderID” | Int_Data1 |
| “Tag Number” | Txt_Data1 |
| “AreaID” | Txt_Data2 |
| Info | Info |
Field Mapping for CCure Event:
Message Code 015 – Asset Location Update
| eTrust Audit Field Name | CCure Event Field |
|---|---|
| “Taxonomy” | Not defined yet |
| “Category” | Physical Security |
| “SubCat” | Asset |
| “Status” | S |
| “State” | Normal |
| “Severity” | Info |
| “Asset” | user_pid |
| “User” | int_data3 |
| Operation “Oper” | AssetMove |
| “ObjClass” | AssetInfo |
| “ObjName” | HHRID |
| Native “OID” | Int_Data2 |
| Native ID “NID” | MsgCode |
| Secondary “SObjClass” | AssetAccess |
| Secondary “SObjName” | AccessCode |
| Secondary “SObjID” | Int_Data4 |
| “Tag Number” | Txt_Data1 |
| “AreaID” | Txt_Data2 |
| Info | Info |
Field Mapping for CCure Event:
Message Code 016 – Watchtour Action
| eTrust Audit Field Name | CCure Event Field |
|---|---|
| “Taxonomy” | Not defined yet |
| “Category” | Physical Security |
| “SubCat” | WatchTour |
| “Status” | S |
| “State” | Normal |
| “Severity” | Info |
| “User” | user_pid |
| Operation “Oper” | WatchTourAction |
| “ObjClass” | WatchTourAction |
| “ObjName” | WatchTourActionCode |
| Native “OID” | Int_Data1 |
| Native ID “NID” | MsgCode |
| Secondary “SObjClass” | Object |
| Secondary “SObjName” | ObjectID |
| Secondary “SObjID” | Int_Data2 |
| “TourGaurdID” | Int_Data3 |
| Info | Info |
Field Mapping for CCure Event:
Message Code 017 – Watchtour Activity
| eTrust Audit Field Name | CCure Event Field |
|---|---|
| “Taxonomy” | Not defined yet |
| “Category” | Physical Security |
| “SubCat” | WatchTour |
| “Status” | S |
| “State” | Normal |
| “Severity” | Info |
| Operation “Oper” | WatchTourActivity |
| “ObjClass” | WatchTourInfo |
| “ObjName” | WatchTourInfoCode |
| Native “OID” | Int_Data1 |
| Native ID “NID” | MsgCode |
| Secondary “SObjClass” | Object |
| Secondary “SObjName” | ObjectID |
| Secondary “SObjID” | Int_Data2 |
| “ReaderID” | Int_Data4 |
| “TourGaurdID” | Int_Data3 |
| Info | Info |
Field Mapping for CCure Event:
Message Code 018 – Watchtour Error
| eTrust Audit Field Name | CCure Event Field |
|---|---|
| “Taxonomy” | Not defined yet |
| “Category” | Physical Security |
| “SubCat” | WatchTour |
| “Status” | F |
| “State” | Error |
| “Severity” | Warning |
| Operation “Oper” | WatchTourAction |
| “ObjClass” | WatchTourAction |
| “ObjName” | WatchTourActionCode |
| Native “OID” | Int_Data1 |
| Native ID “NID” | MsgCode |
| Secondary “SObjClass” | Object |
| Secondary “SObjName” | ObjectID |
| Secondary “SObjID” | Int_Data2 |
| “TourGaurdID” | Int_Data3 |
| Info | Info |
Field Mapping for CCure Event:
Message Code 019 – Watchtour Stop Activity
| eTrust Audit Field Name | CCure Event Field |
|---|---|
| “Taxonomy” | Not defined yet |
| “Category” | Physical Security |
| “SubCat” | WatchTour |
| “Status” | S |
| “State” | Normal |
| “Severity” | Info |
| Operation “Oper” | WatchTourAction |
| “ObjClass” | WatchTourAction |
| “ObjName” | WatchTourActionCode |
| Native “OID” | Int_Data1 |
| Native ID “NID” | MsgCode |
| Secondary “SObjClass” | Object |
| Secondary “SObjName” | ObjectID |
| Secondary “SObjID” | Int_Data2 |
| “TourGaurdID” | Int_Data3 |
| Info | Info |
Field Mapping for CCure Event:
Message Code 020 – NetVideo Activity
| eTrust Audit Field Name | CCure Event Field |
|---|---|
| “Taxonomy” | Not defined yet |
| “Category” | Physical Security |
| “SubCat” | NetVideo |
| “Status” | S |
| “State” | Normal |
| “Severity” | Info |
| “User” | User_PID |
| Operation “Oper” | NetVideoActivity |
| “ObjClass” | Camera |
| “ObjName” | CameraID |
| Native “OID” | Int_Data1 |
| Native ID “NID” | MsgCode |
| Secondary “SObjClass” | NetVideoAction |
| Secondary “SObjName” | NetVideoActionID |
| Secondary “SObjID” | Int_Data2 |
| “EventID” | Int_Data4 |
| Info | Info |