VitalQIP DNS/DHCP & IP Management Software
Audit Manager Release 1.7
User's Guide
190-409-034R7.1, Issue 1, August 2007

This document contains proprietary information of Alcatel-Lucent and is not to be disclosed or used except in accordance with applicable agreements. Copyright 2007 Alcatel-Lucent. Unpublished and not for publication. All rights reserved.
Contents

About this document

1 Audit Manager overview
   Introduction to Audit Manager
   Audit Manager product description

2 To prepare an Audit Manager installation
   Installation preparation
   Disk space estimation
   Planning
   Preliminary steps for the installation of Audit Manager and Sybase
   Preliminary steps for the installation of Audit Manager and Oracle
   Oracle installation recommendations for Audit Manager

3 Audit Manager UNIX installation
   Standard and template installation
   To install Audit Manager on UNIX
   To install the Audit Manager server
   To install Audit Manager server on Sybase
   To install Audit Manager server on Oracle
   To install the Audit Manager Command Line Interface
   To install Audit Manager Command Line Interface on Sybase
   To install Audit Manager Command Line Interface on Oracle
   To configure VitalQIP to use Audit Manager
   To start and stop the Audit Manager database on UNIX

4 Audit Manager Windows installation
   To install Audit Manager on Windows
   To install the Audit Manager server package
   To install the Audit Manager server on Sybase
   To install the Audit Manager server on Oracle
   To install the Audit Manager Client
   To install the Domain Control Package
   To uninstall Audit Manager

5 Getting started
   Additional Sybase configuration for UNIX users
   Start and stop the Audit Manager database
   Start and stop the services
   The Audit Manager system
   To log in
   To change your password
   To exit Audit Manager

6 Audit Manager administration
   To configure the Audit Manager database
   To load archived data
   Alert configuration
   To add alerts
   To delete alerts
   User management
   To add a user
   To modify a user
   To delete a user
   To set up Audit Manager organization IDs
   LAMsync

7 Audit Manager data search
   Data search
   To search for current data and archived data
   To save search criteria
   To open saved search criteria
   To import and export search results
   To send search criteria or search results to another user

8 Audit Manager reports
   Reports in Audit Manager
   To use Audit Manager reports
   To produce a DHCP Server Audit report
   To produce a Login ID Audit report
   To produce a General Audit report
   To produce an Alert Audit report
   To produce a Domain Controller Audit report

9 Services
   Audit Manager policy files
   VitalQIP Audit Schedule Service - qip-auditsched
   VitalQIP Audit Update Service - qip-auditupdated
   Audit Alert user exit
   VitalQIP Domain Controller Logon Audit Service
   VitalQIP Kerberos Domain Controller Logon Audit Service

10 Command Line Interface
   Audit Manager commands
   enterlamobj
   enterlamorg
   enterlamuser
   exportqipobj4lam
   LAMarchive-concatenate
   lam-changepassword
   lam-getalerts
   lam-getarchiveset
   lam-getaudithistorydata
   lam-getuser
   lam-getuserlst
   lam-setalerts
   lam-setarchiveset
   LAMsync
   qip-crypt
   lam-export
   lam-import

A Database administration
   To find version numbers with vercheck
   To back up the Sybase and Audit Manager databases
   To change the procedure cache size and total memory size
   To encrypt your password
   To reinitialize your database
   To perform database administrative tasks with lam-util
   To track stored procedures and triggers
   To manage the Audit Manager data space
   To modify user password
   To manage the Audit Manager Transaction Log Space
   To recover the Sybase version 15 database recovery
   To maintain index statistics
   To join archived files

Index
About this document

Purpose

Welcome to Audit Manager, a powerful IP address management tool. With Audit Manager, a valuable enhancement to the base VitalQIP product, you can capture, collect, and report on dynamic and static address activity. You can also access the history of all IP addresses and leases given by the Dynamic Host Configuration Protocol (DHCP) servers. This application is purchased separately and requires a license key.

Refer to this preface for the audience, organization, and typographical conventions used in this manual. The preface also describes the package contents, how to order additional manuals, and how to obtain technical support.

Reason for reissue

This manual was reissued because of a company name change and revisions to the installation program, as described in Chapters 3 and 4. Additionally, several documentation ARs were resolved.

Audit Manager User's Guide changes

Feature Name: Preliminary steps for installation
   Description: Added a new sub-section on modifying a Sybase configuration file.
   Feature Impact: Refer to UNIX: Modify the Sybase/ASE-15_0 directory configuration file (p. 2-11)

Feature Name: Additional Sybase configuration
   Description: Added a new section to Getting Started to describe additional Sybase configuration for UNIX users.
   Feature Impact: Refer to Additional Sybase configuration for UNIX users (p. 5-2)

Feature Name: Domain Controller Audit report
   Description: Addresses AR LAM00000115: Domain Controller Login Audit Service does not forward logoff events immediately to the Audit Update Service and AR LAM00000117: Displaying domain login/logout information does not display correct IP address
   Feature Impact: Refer to To produce a Domain Controller Audit report (p. 8-21)

Feature Name: lam-setarchiveset
   Description: Fixes AR LAM00000464. Clarified the boolean descriptions.
   Feature Impact: Refer to lam-setarchiveset (p. 10-32)

Feature Name: enterlamorg
   Description: Fixes AR LAM00000490. Corrected the data file format example.
   Feature Impact: Refer to enterlamorg (p. 10-9)

Feature Name: lam-getuser
   Description: Fixes AR LAM00000490. Added note on multiple organization associations per user.
   Feature Impact: Refer to lam-getuser (p. 10-28)

Feature Name: lam-getaudithistorydata
   Description: Fixes AR LAM00000490. Added note to clarify organization defaults.
   Feature Impact: Refer to lam-getaudithistorydata (p. 10-22)

Feature Name: LAM database size
   Description: Fixes AR LAM00000561. More realistic sizes used in examples on pages 2-4 and 2-5.
   Feature Impact: Refer to Disk space estimation (p. 2-3)

Feature Name: Audit Manager data space
   Description: Fixes AR LAM00000613. Provides instructions for extending temp_db space.
   Feature Impact: Refer to To manage the Audit Manager data space (p. A-16)

Feature Name: lam-export
   Description: Fixes AR LAM00000648. Added note on filesize limitation.
   Feature Impact: Refer to lam-export (p. 10-38)

Intended audience

This manual is intended for Audit Manager users who plan to manage and administer an IP network address infrastructure. The reader is expected to understand basic networking concepts and have a working knowledge of the operating system on which Audit Manager is running. The following groups interact with Audit Manager:
- Audit Manager administrators: The Information Technology (IT) professionals who install, configure, and administer the Audit Manager product.
- Audit Manager users: The IT professionals who use VitalQIP as an IP address monitoring and reporting tool.

How to use this document

This manual is organized as follows:

Chapter 1: Overview
   This chapter provides you with overview information about Audit Manager and what it is used for.
Chapter 2: Preparing an Audit Manager Installation
   This chapter describes the steps you need to take for a successful installation with both Sybase and Oracle databases.
Chapter 3: Installing Audit Manager on UNIX
   This chapter provides the detailed instructions required to install Audit Manager and its related components on a UNIX system.
Chapter 4: Installing Audit Manager on Windows
   This chapter provides the detailed instructions required to install Audit Manager and its related components on a Windows system.
Chapter 5: Getting Started
   This chapter describes how to start and stop the Audit Manager database and services. It also describes how to use the Audit Manager management system, including information about how to log in and change your password.
Chapter 6: Audit Manager Administration
   This chapter describes how to configure the database and alerts, manage users, and load archived data into the database.
Chapter 7: Using Audit Manager
   This chapter describes the Audit Manager Graphical User Interface (GUI), including information about searching for data.
Chapter 8: Audit Manager Reports
   This chapter describes how to use and generate reports.
Chapter 9: Services
   This chapter describes the Audit Manager policy file and the services associated with Audit Manager.
Chapter 10: Command Line Interface
   This chapter describes the command line interface (CLI) and its commands.
Appendix A: Database Administration
   This appendix provides information only for experienced Sybase database users. It describes how to administer the database, including how to back up and reinitialize the database and how to recover data. It also describes how to find the program's version number, encrypt and modify the password, track stored procedures and triggers, maintain index statistics, join archived files, and manage your data and transaction log space.

Conventions used

The following table lists the typographical conventions used throughout this manual.

Typographical conventions

Convention: boldface
   Meaning: Names of items on screens. Names of commands and routines. Names of buttons you should click. Uniform Resource Locators (URLs).
   Example: Select the Client check box. The qip_getappllst routine returns the entire list of existing applications. Click OK. The VitalQIP product site can be found at http://www.alcatellucent.com/wps/portal/products.

Convention: Helvetica bold
   Meaning: Names of keys on the keyboard to be pressed.
   Example: Press Enter to continue.

Convention: Letter Gothic
   Meaning: Output from commands, code listings, and log files.
   Example: # Name: Share shared-network _200_200_200_0

Convention: Letter Gothic bold
   Meaning: Input that you should enter from your keyboard.
   Example: Run the following command: c:\setup.exe

Convention: <angle brackets>
   Meaning: Variables that you must substitute another value for.
   Example: <debugfile>.bak.log

Convention: italics
   Meaning: Manual and book titles. Directories, paths, file names, and e-mail addresses.
   Example: See the VitalQIP User's Guide for more information. A symbolic link must be created from /etc/named.conf that points to named.conf.

Convention: bold italic
   Meaning: Emphasis.
   Example: Read-only. The name of the service element.
Convention: click
   Meaning: Click the left button on your mouse once.
   Example: To delete the object, click Delete.

Convention: right-click
   Meaning: Click the right button on your mouse.
   Example: Right-click on a service.

Convention: double-click
   Meaning: Double-click the left button on your mouse.
   Example: Double-click the book icon.

Related information

The following documents describe the VitalQIP product:

- VitalQIP Administrator Reference Manual (part number: 190-409-042R7.1)
  This guide describes planning and configuring your network, information about the VitalQIP interface, advanced DNS and DHCP configurations, and troubleshooting.
- VitalQIP Installation Guide (part number: 190-409-043R7.1)
  This guide describes how to install the VitalQIP product.
- VitalQIP Command Line Interface User's Guide (part number: 190-409-044R7.1)
  This guide discusses and describes how to use the VitalQIP Command Line Interface.
- VitalQIP User's Guide (part number: 190-409-068R7.1)
  This guide describes how to set up and use the VitalQIP user interface.
- VitalQIP Web Client User's Guide (part number: 190-409-079R7.1)
  This guide describes how to use the VitalQIP web client.

Product Training Support

Alcatel-Lucent University offers cost-effective educational programs that support the VitalQIP product. Our offerings also include courses on the underlying technology for the VitalQIP products (for example, DNS and DHCP). Our classes blend presentation, discussion, and hands-on exercises to reinforce learning. Students acquire in-depth knowledge and gain expertise by practicing with our products in a controlled, instructor-facilitated setting. If you have any questions, please contact us at 1-888-LUCENT8, Option 2, Option 2.

Technical support

If you need assistance with VitalQIP, you can contact the Technical Assistance Center for your region. Contact information is provided in the following table.

Technical support information

Region: North America
   Address: Alcatel-Lucent, 400 Lapp Road, Malvern, PA 19355, USA
   Contact information:
      Phone: 1-866-LUCENT8 (582-3688) Option 1, Option 2
      Web: https://support.lucent.com

Region: Europe, Middle East, Africa, and China
   Address: Alcatel-Lucent, Chiltern House, Sterling Court, Broad Lane, Bracknell, RG12 9GU, UK
   Contact information:
      Phone: 00 800 00 LUCENT or +353 1 692 4579
      E-mail: emeacallcenter@alcatel-lucent.com
      Web: https://support.lucent.com

Region: Central and South America
   Address: Alcatel-Lucent, Calle 10, No. 145, San Pedro de los Pinos, 01180 Ciudad de Mexico, Mexico
   Contact information:
      Mexico: 01 800 123 8705 or (52) 55 5278 7235
      Brazil: 0800 89 19325 or (55) 193707 7900
      Argentina: 0800 666 1687
      Venezuela: 0 800 1004136
      Costa Rica: 0800-012-2222 or 1800 58 58877
      For other local CALA numbers, consult the web site https://support.lucent.com or contact your local sales representative.

Region: Asia Pacific
   Address: Alcatel-Lucent Australia, 68 Waterloo Rd, North Ryde NSW 2113, Australia
   Contact information:
      Phone: 1800-458-236 (toll free from within Australia)
      (IDD) 800-5823-6888 (toll free from Asia Pacific - Hong Kong, Indonesia, South Korea, Malaysia, New Zealand, Philippines, Singapore, Taiwan, and Thailand)
      (613) 9614-8530 (toll call from any country)
      E-mail: apactss@alcatel-lucent.com

How to order

Customers can order additional VitalQIP manuals online at http://www.lucentdocs.com/cgi-bin/cic_store.cgi. Select VitalQIP from the Product Line list and click Go.

How to comment

To comment on this document, go to the Online Comment Form (http://www.lucentinfo.com/comments/) or e-mail your comments to the Comments Hotline (comments@alcatel-lucent.com).
1 Audit Manager overview

Overview

Purpose

This chapter contains an overview of the Audit Manager add-on and describes its interaction with VitalQIP services.

Contents

This chapter contains the following topics.

- Introduction to Audit Manager
- Audit Manager product description
Introduction to Audit Manager

Audit Manager is an application that tracks DHCP lease information, VitalQIP static and dynamic object definitions, and Windows Domain Controller login/logout information. The information captured and collected can be audited using the graphical user interface. Audit Manager also has the capability to generate alerts when an IP address, Media Access Control (MAC) address, and/or hostname have been used.

Although Audit Manager is not dependent upon VitalQIP, it relies on VitalQIP for information about static and dynamic objects. It can also be used with other DHCP Servers and messaging devices, such as the Windows Primary Domain Controller (refer to Microsoft's web site, http://www.microsoft.com/, for more information).

Components of Audit Manager can run on both UNIX and Windows platforms, with the exception of the Audit Manager graphical user interface and the VitalQIP Domain Controller Logon Audit Service, which only run on Windows 2000/2003.
Audit Manager product description

Audit Manager collects, accesses, and manages data from VitalQIP, DHCP Servers, and Domain Controllers by:

- Collecting and auditing DHCP lease information, such as an IP address a DHCP lease has given.
- Collecting and auditing VitalQIP static and dynamic object definitions. Object definitions include user information, billing information, and other types of information associated with an object.
- Collecting and auditing Domain Controller login/logout information.
- Generating alerts when an IP address, hostname, or MAC address has been used.
- Searching a database for data that has been collected and/or archived.
- Generating audit reports.

These capabilities are carried out through the following Audit Manager components:

- Audit Manager GUI
- Audit Manager database
- Command Line Interface
- VitalQIP Audit Schedule Service
- VitalQIP Audit Update Service
- VitalQIP Domain Controller Logon Audit Service
- VitalQIP Kerberos Domain Controller Logon Audit Service

Audit Manager GUI

The Audit Manager Graphical User Interface (GUI) is a stand-alone GUI that is not dependent upon VitalQIP. This interface performs administrative tasks, such as configuring the Audit Manager database and alerts, loading archive data, querying the Audit Manager database, and generating pre-defined auditing reports. This GUI is only available on Windows XP and Windows 2000/2003.

The reporting characteristics of Audit Manager are also initiated through the GUI. The information aids in the tracking of addresses and leases. Reports include the following records:

- History of a user's login
- History of leases granted by a DHCP server
- History of an IP address
- History of a MAC address
- History of generated alerts
- History of Domain Controller user login/logouts

Audit Manager database

The Audit Manager database is a centralized database that contains the DHCP information, VitalQIP static and dynamic object definitions, and Domain Controller logout/login information. The Audit Manager database collects:

- Audit Manager user and administrator information
- Audit data statistics including the number of audit records stored
- Audit Manager database configuration settings
- Alert filters and information on triggered events
- User information, such as Login ID
- DHCP Lease grant, renew, decline, and release date and time
- VitalQIP dynamic and static object additions, modifications, and deletions
- Domain Controller login/logout date and time

Command Line Interface

The Command Line Interface allows users to import/export data into the database, retrieve data, configure archiving of database records, and set up alert messaging. For more information, refer to Command Line Interface (p. 10-1).

VitalQIP Audit Schedule Service

The VitalQIP Audit Schedule Service controls and maintains the contents of the Audit Manager database. The VitalQIP Audit Schedule Service does this by archiving audit information at scheduled intervals. This service also updates license information and obtains Audit Manager database connection information from the VitalQIP Login Service. It resides only on the Audit Manager enterprise server. Refer to VitalQIP Audit Schedule Service - qip-auditsched (p. 9-4) for information on this service.

VitalQIP Audit Update Service

The VitalQIP Audit Update Service monitors events, such as Domain Controller login/logout information from the VitalQIP Message Service, and places the events into the Audit Manager database. This service also generates any alerts that a System Administrator has configured through the Audit Manager client. Such alerts are recorded in the syslog (UNIX) or Event log (Windows).

The VitalQIP Audit Update Service also retrieves Audit Manager database connection information from the VitalQIP Login Service. This service can reside on the Audit Manager enterprise server. Refer to VitalQIP Audit Update Service - qip-auditupdated (p. 9-9) for information on this service.

VitalQIP Domain Controller Logon Audit Service

The VitalQIP Domain Controller Logon Audit Service correlates authenticated users in a Windows domain to IP addresses. The VitalQIP Domain Controller Logon Audit Service is an authentication filter DLL called by the Windows netlogon service each time a user logs in. It sends notifications of user logins and user logouts to the local VitalQIP Message Service. The VitalQIP Domain Controller Logon Audit Service resides only on a Windows Domain Controller. Refer to VitalQIP Domain Controller Logon Audit Service (p. 9-22) for information on this service.

VitalQIP Kerberos Domain Controller Logon Audit Service

The VitalQIP Kerberos Domain Controller Logon Audit Service correlates authenticated users in a Windows 2000/2003 domain to IP addresses. The VitalQIP Kerberos Domain Controller Logon Audit Service is an authentication filter DLL called by the Windows netlogon service each time a user logs in. It sends notifications of user logins and user logouts to the local VitalQIP Message Service. The VitalQIP Kerberos Domain Controller Logon Audit Service resides only on a Windows Domain Controller. Refer to VitalQIP Kerberos Domain Controller Logon Audit Service (p. 9-25) for information on this service.

Audit Manager Component Interaction

Figure 1-1 shows how Audit Manager components interact with each other on a system where VitalQIP and Audit Manager reside on separate machines. The arrows indicate the directional flow of the DHCP lease information, VitalQIP static and dynamic object definitions, or Domain Controller login/logout information that is being sent. The illustration includes the interactions with VitalQIP.

Important! If you would like information on the VitalQIP QIP Update Service shown in Figure 1-1, refer to the VitalQIP Administrator Reference Manual.

Figure 1-1 Component interaction with VitalQIP and Audit Manager on separate servers
2 To prepare an Audit Manager installation

Overview

Purpose

This chapter describes the steps you need to take to prepare for an Audit Manager installation.

Contents

This chapter covers these topics.

- Installation preparation
- Disk space estimation
- Planning
- Preliminary steps for the installation of Audit Manager and Sybase
- Preliminary steps for the installation of Audit Manager and Oracle
- Oracle installation recommendations for Audit Manager
Installation preparation

The Audit Manager product components are available on different platforms and can be organized in a variety of ways to best suit your system needs. The Audit Manager product consists of the following components:

- Audit Manager enterprise server
- Audit Manager graphical user interface
- Audit Manager command line interface
- VitalQIP Domain Controller Logon Audit Service
- Audit Manager help screens

The Audit Manager server can be installed on UNIX or Windows. It is common to combine UNIX and Windows components in different ways, providing you with a product you can tailor to your network's needs.

Refer to Chapter 3 for instructions on installing Audit Manager on UNIX platforms. Refer to Chapter 4 for instructions on installing Audit Manager on Windows platforms.

If you have any problems installing Audit Manager, call the Technical Assistance Center at 1-866-Lucent8 (582-3688). For Oracle or Sybase database issues, contact your database administrator.
Disk space estimation

Before beginning the installation of the Audit Manager components, determine the size of your Audit Manager database tables. During the installation of Audit Manager, you are prompted for the following information:

- Number of objects obtaining DHCP leases
- Number of Static Objects that are assigned IP addresses within VitalQIP
- Number of Windows Domain Controller Objects within one domain

This information is used to size the following Audit Manager database tables:

   Alert_triggered            33 bytes per record
   Archive_audit_data        324 bytes per record
   Archive_alert_triggered    40 bytes per record
   Current_audit_data        317 bytes per record
   Search_current_data       125 bytes per record
   Search_archive_data       132 bytes per record
   Temp_search_data          132 bytes per record
   Temp_audit_data           324 bytes per record
   Temp_alert_triggered       40 bytes per record

To help calculate your database table sizes, an algorithm has been created (described later on). Before this calculation is discussed, you need to know the assumptions on which the calculation is based. Keep in mind that your circumstances may vary. The following assumptions are made to accommodate Alcatel-Lucent's diverse customer base:

- Alcatel-Lucent recommends only keeping 3 months or 92 days worth of audit data active in your database before archiving. This is for performance reasons.
- Your organization will grant 24-hour DHCP lease times for all DHCP clients. Based on a 24 hour DHCP lease time, each DHCP object follows a standard grant and renew cycle on a daily basis. The number of DHCP objects is doubled to account for the daily grant and renew cycles.
- An educated guess is made as to the percentage of VitalQIP-managed static objects you will be manipulating on a daily basis. Alcatel-Lucent estimates approximately 10% of your total number of static objects will be changed or added on a regular basis.
- The Windows Domain Controller will be managing the activity of one domain, although it is possible that your network is configured to have multiple domains.
- Each workstation within the domain will be logging on and off on a daily basis. Based on this assumption, the number of Domain Controller objects is doubled to estimate Windows daily activity.

Based on these assumptions, the calculation is as follows:

   # of Days * [(D * 2) + (S * .10) + (C * 2)] = # of Records

The variables represent the following:

   D = The number of objects obtaining DHCP leases
   S = The number of static objects that are assigned IP addresses within VitalQIP
   C = The number of Windows Domain Controller objects within one domain

The following sample calculation is based on a medium network configuration with 20,000 objects obtaining DHCP leases, 5,000 static objects that are assigned IP addresses within VitalQIP, and 100 Windows Domain Controller objects within one domain.

   [(20000 * 2) + (5000 * .10) + (100 * 2)] * 92 = 3744400 records for 3 months

   Alert_triggered            Active       = 124 MB
   Archive_audit_data         Not active   = 1 MB (default)
   Archive_alert_triggered    Not active   = 1 MB (default)
   Current_audit_data         Active       = 1200 MB
   Search_current_data        Active       = 468 MB
   Search_archive_data        Not active   = 1 MB (default)
   Temp_search_data           Not active   = 1 MB (default)
   Temp_audit_data            Not active   = 1 MB (default)
   Temp_alert_triggered       Not active   = 1 MB (default)

   Total for tables                                                   1.798 GB
   Total for Indexes                                                  1.798 GB
   Static defined tables & other tables in Audit Manager database     10 MB
   Total Size for tables and Indexes in this example:                 3.606 GB or 3606 MB

Important! The temp_audit_data, temp_search_data, temp_alert_triggered, archive_audit_data, search_archive_data, and archive_alert_triggered variables are used for importing and searching on audit archive data. If you do not intend to load archive data, these tables can be sized extremely small (default 1024K), which affects the total database size.
Default database datafile sizes

The Audit Manager database datafile sizes default to the values listed in the following sections:

Sybase

The datafile is sized to the sum of the nine largest database tables, which are listed in the Estimated Disk Space section of this chapter, plus 10 MB for the remainder of the Audit Database static tables. Since Sybase data and indexes are stored in this file, LAM_DATA contains sizes for both the tables and the indexes.

   LAM_DATA = (Total Size of Defined Large Tables + Total Size for Indexes) + 10 MB = X MB

Example using data above:

   LAM_DATA = (1.798 GB + 1.798 GB) + 10 MB = 3.606 GB

The log file is sized similar to the datafile and is used as the Sybase transaction log.

   LAM_LOG = (LAM_DATA)
   LAM_LOG = 3.606 GB

The temp file is sized to be 50% of the data file to support temporary database functions and data sorting within the Audit Manager search utility.

   LAM_TEMP = (LAM_DATA * .5)
   LAM_TEMP = 1.7 GB

Oracle

The data tablespace is sized to the sum of the nine largest tables, which are listed in Disk space estimation (p. 2-3), plus 10 MB for the remainder of the Audit Database static tables.

   LAM_DATA tablespace = (Total of Defined Large Tables + 10 MB)

The index tablespace is sized 10% larger than the data tablespace to support numerous index definitions for maximum search performance within the Audit Manager search utility.

   LAM_INDEX tablespace = (LAM_DATA tablespace * .10) + LAM_DATA tablespace

The temp tablespace is sized 50% smaller than the data tablespace to support sorting and other temporary database functions.

   LAM_TEMP tablespace = (LAM_DATA tablespace * .5)
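
The record calculation and the Sybase and Oracle default sizes above, carried through in Python as an added example that is not part of the guide or the product. The function names are hypothetical, sizes are decimal MB, fractional results are rounded up, and Sybase index space is assumed equal to table space as in the guide's sample. The per-record arithmetic gives 1187 MB for Current_audit_data where the guide's sample lists 1200 MB, so the table total here is 1785 MB rather than 1.798 GB.

```python
"""Sizing for the Audit Manager database (added example, not vendor code)."""

# Bytes per record for the nine sized tables, as listed in the guide.
BYTES_PER_RECORD = {
    "alert_triggered": 33,
    "archive_audit_data": 324,
    "archive_alert_triggered": 40,
    "current_audit_data": 317,
    "search_current_data": 125,
    "search_archive_data": 132,
    "temp_search_data": 132,
    "temp_audit_data": 324,
    "temp_alert_triggered": 40,
}

# Tables the guide's sample marks "Active" when no archive data is loaded.
ACTIVE_TABLES = ("alert_triggered", "current_audit_data", "search_current_data")
INACTIVE_DEFAULT_MB = 1   # guide: inactive tables default to 1 MB
STATIC_TABLES_MB = 10     # guide: remainder of the static tables
MB = 1_000_000            # assumption: decimal MB, which reproduces 124 MB and 468 MB


def ceil_div(a, b):
    """Integer division rounded up, so disk is never under-provisioned."""
    return -(-a // b)


def estimate_records(dhcp_objects, static_objects, dc_objects, days=92):
    """# of Days * [(D * 2) + (S * .10) + (C * 2)] from the guide."""
    daily = dhcp_objects * 2 + ceil_div(static_objects, 10) + dc_objects * 2
    return days * daily


def table_sizes_mb(records):
    """Size each table in MB; inactive (archive/temp) tables keep the default."""
    sizes = {}
    for table, width in BYTES_PER_RECORD.items():
        if table in ACTIVE_TABLES:
            sizes[table] = (records * width + MB // 2) // MB  # round to nearest MB
        else:
            sizes[table] = INACTIVE_DEFAULT_MB
    return sizes


def sybase_devices_mb(tables_mb, indexes_mb=None):
    """LAM_DATA = tables + indexes + 10 MB; LAM_LOG = LAM_DATA; LAM_TEMP = half."""
    if indexes_mb is None:
        indexes_mb = tables_mb  # assumption taken from the guide's sample figures
    lam_data = tables_mb + indexes_mb + STATIC_TABLES_MB
    return {
        "LAM_DATA": lam_data,
        "LAM_LOG": lam_data,
        "LAM_TEMP": ceil_div(lam_data, 2),
    }


def oracle_tablespaces_mb(tables_mb):
    """LAM_DATA = tables + 10 MB; LAM_INDEX = 110% of it; LAM_TEMP = 50% of it."""
    lam_data = tables_mb + STATIC_TABLES_MB
    return {
        "LAM_DATA": lam_data,
        "LAM_INDEX": lam_data + ceil_div(lam_data, 10),
        "LAM_TEMP": ceil_div(lam_data, 2),
    }


if __name__ == "__main__":
    # The guide's medium network: 20,000 DHCP, 5,000 static, 100 DC objects.
    records = estimate_records(20000, 5000, 100)
    sizes = table_sizes_mb(records)
    total = sum(sizes.values())
    print(f"records for 92 days: {records}")
    for table, size in sizes.items():
        print(f"  {table:<26}{size:>6} MB")
    print(f"total for tables: {total} MB")
    print("Sybase:", sybase_devices_mb(total))
    print("Oracle:", oracle_tablespaces_mb(total))
```
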
Planning

Make sure you meet all system requirements described in the Audit Manager 1.7 Release Notes and perform the necessary steps described in this chapter before installing Audit Manager. The following checklist has been provided to help smooth the installation process. Answer the questions and have your answers handy as you install the Audit Manager components.

Table 2-1 Preinstallation checklist

Question (record your answer to each):

- What is your license key?
- What is your serial number?
- Is your Audit Manager database Oracle or Sybase?
- Have you calculated the size of your Audit Manager database? (Audit Manager enterprise server installation only)
- What is the name of your Audit Manager database server?
- What is the IP address of your Audit Manager database server?
- Are you using VitalQIP with Audit Manager?
- Does the VitalQIP enterprise server reside on a separate machine from the Audit Manager enterprise server?

Important! If you are installing Audit Manager enterprise server on a separate enterprise server from VitalQIP, you must use the VitalQIP installer to install Message Service (Distributed Service) first. Then install Audit Manager.

Important! If you are installing Audit Manager client on a platform that does not have a VitalQIP Message Service running locally, you need to add (or set) the QIPMESSAGESERVICE environment variable. The IP address of the platform where the VitalQIP Message Service is installed should be the value of the QIPMESSAGESERVICE variable.
To prepare an Audit Manager installation Preliminary steps for the installation of Audit Manager and Sybase Preliminary steps for the installation of Audit Manager and Sybase Obtain a license key Minimum disk space Shared memory (Solaris) Specific preliminary steps must be addressed before starting your installation. Use the following checklist to assist in accomplishing these preliminary steps. You must obtain a license key for the Audit Manager enterprise server and know the serial number for each system on which Audit Manager is installed. If the VitalQIP enterprise server and the Audit Manager server reside on the same machine, make sure the license key is for VitalQIP and Audit Manager. If the VitalQIP enterprise server does not reside on the same machine as the Audit Manager enterprise server, you must update the VitalQIP license to support Audit Manager before continuing. Important! Obtain a license key only for the machines on which you are installing the Audit Manager enterprise server. To obtain a license key, call Technical Support at 1-866-582-3688 with your Host ID (or IP address on Windows and Linux). The Host ID (or IP address) can be obtained by executing one of the following commands: For Solaris: usr/ucb/hostid For Windows: ipconfig <IPaddress> For Linux, the IP Address can be obtained from the first column of the /etc/hosts file, where the server is defined. Important! Obtain a license key only for the machines where you are installing the Audit Manager enterprise server. You must have a minimum of 10 MB of disk space allocated for Audit Manager under /opt or on the file system you choose to use. For the relational database to start correctly on Solaris 9 or 10, you must modify your operating system kernel to adjust the system shared memory parameter. You must be the root user to execute these procedures: 1 Before modifying your kernel file, copy your existing system file to a backup file, for example, cd/ 2-7
    mkdir oldkernel
    cp -R /kernel* /oldkernel/.

2. Add the following line into the /etc/system file (if it is not already present):

    set shmsys:shminfo_shmmax=134217728

Important! 134217728 (128 MB) is a minimal value. You can enter a larger value if needed, but it cannot be more than the computer's physical memory.

3. Sybase requires that the ASCII character set be used when the operating system is being installed. If the ASCII character set is not present, an error appears when installing Sybase, indicating the LANG value is invalid. To accommodate the installation of Sybase, modify the TIMEZONE file located in the /etc directory. Access the TIMEZONE file and remove all entries in the file except the TZ entry. Back up the TIMEZONE file before making any changes.

4. Reboot the system.

END OF STEPS

Determine SQL server device sizes and locations

You must determine your SQL server device sizes and locations. Table 2-2 outlines defaults for the Sybase 15.0 device sizes and database configuration. These defaults must only be used for a demonstration or test environment. For a production environment, the calculations in Disk space estimation (p. 2-3) must be used to determine Sybase device sizes and data configuration. The creation routine/script listed in the first column is the actual script that is configuring and creating the device and/or database.

Table 2-2 Defaults for the Sybase 15.0 device sizes and database configuration

| Creation routine/script | Device | Device size (MB) | Database | Default database size (MB) | Notes |
| --- | --- | --- | --- | --- | --- |
| Sybase setup.exe (Windows and UNIX) | master | (master database size + tempdb database size) | master | 125 | Holds system catalog information. |
| Sybase setup.exe (Windows and UNIX) | SYSPROCS | 16 | sybsystemprocs | 100 | Holds Sybase system stored procedures that start with sp_. |
| Audit Manager setup.exe (Windows) or lam-load (UNIX) | LAM_DATA | 50 (Windows), 54 (UNIX) | Audit Manager | 50 (Windows), 54 (UNIX) | Holds the Audit Manager database. Use the calculation in Disk space estimation (p. 2-3) to calculate your database size for a production environment. |
| Audit Manager setup.exe (Windows) or lam-load (UNIX) | LAM_LOG | 15 (Windows), 16 (UNIX) | Audit Manager Transaction Log | 15 (Windows), 16 (UNIX) | Holds the Audit Manager Transaction Log. Calculation is 1/3 of the lam database size. Use the calculation in Disk space estimation (p. 2-3) to calculate your database size for a production environment. |
| Audit Manager setup.exe (Windows) or lam-load (UNIX) | LAM_TEMP | 15 (Windows), 27 (UNIX) | Audit Manager Temporary Space | 15 (Windows), 27 (UNIX) | Holds temporary calculations and data sorting prior to returning results to client. Calculation is half the size of the Audit Manager database. Performance problems usually can be attributed to having LAM_TEMP defined too small. Use the calculation in Disk space estimation (p. 2-3) to calculate your database size for a production environment. |
Define Sybase environment variables

For the installation of Audit Manager to operate correctly, you must define the following environment variables before starting the installation routine or running Audit Manager:

- SYBASE
- SYBASE_ASE
- SYBASE_OCS

Ensure that these variables are set in your .profile or .cshrc file. If they are not set, the installation temporarily sets them based on your menu entries, and removes them after the installation. Audit Manager is installed using the Bourne shell. When you perform the installation, these variables and their values are automatically stored in $QIPHOME/AuditManager/etc/lam_shrc or lam_cshrc. Reference this file under $QIPHOME/AuditManager/etc after you complete the installation.

To set your environment variables, follow these steps:

    # cd <QIP_directory>/AuditManager/etc
    # . ./lam_shrc or source ./lam_cshrc
    SYBASE=your_target_Sybase_directory (default: /opt/sybase12)
    export SYBASE
    QIPHOME=your_target_QIP_directory (default: /opt/qip)
    export QIPHOME
    DSQUERY=your_Sybase_server_name (default: QIPSYBASE)
    export DSQUERY
    PATH=$PATH:$QIPHOME/usr/bin:$QIPHOME/AuditManager/usr/bin:$SYBASE/bin:..:/usr/bin/x12
    export PATH
    QIPDBASE=SYBASE
    export QIPDBASE
    SYBASE_ASE=ASE-12_5
    SYBASE_OCS=OCS-12_5
    QIPLOGIN=IP_address_of_the_machine_where_QIP_Login_Service_resides.
    QIPAUDIT=IP_address_of_the_machine_where_QIP_Audit_Service_resides.
    [Set the Library Path as shown below.]
    LD_LIBRARY_PATH=$QIPHOME/usr/lib:$SYBASE/lib:$LD_LIBRARY_PATH
    export LD_LIBRARY_PATH
    export LIBPATH

Important! The DSQUERY variable is the name that references the Sybase database server instance that contains/manages the Audit Manager database. By default, LAMSYBASE is used. LAMSYBASE is commonly referred to as the SQL server name.

Important! For PATH, add /usr/bin/x12 or the directory where your Motif/x-window binaries are installed (for example, x-term).
UNIX: Modify the Sybase/ASE-15_0 directory configuration file

There is a configuration file, <name of Sybase server>.cfg, located in the $SYBASE/ASE-15_0 directory. This configuration file is not modified during the Audit Manager installation and contains all default values for the configuration parameters. The Sybase startup script located in the $SYBASE/ASE-15_0/install directory uses the Sybase configuration file located in the $SYBASE/ASE-15_0 directory, which does not contain the Audit Manager modifications. The following are the available workarounds:

1. Modify the $SYBASE/ASE-15_0/install/RUN_<sybase server name> script to use the Sybase configuration file in the $SYBASE home directory and not the configuration file located in the $SYBASE/ASE-15_0 directory. It is recommended you do this prior to the Audit Manager install. If the name of the database server is LAMSYBASE, the RUN script name is RUN_LAMSYBASE. The contents of the script would be similar to this example:

    /opt/sybase/ase-15_0/bin/dataserver \
    -slamsybase \
    -d/opt/sybase/data/master.dat \
    -e/opt/sybase/ase-15_0/install/lamsybase.log \
    -c/opt/sybase/lamsybase.cfg \
    -M/opt/sybase/ASE-15_0 \

Important! /opt/sybase is an example of the $SYBASE variable value. The script will contain the value $SYBASE is set to.

2. Create a symbolic link from the $SYBASE/ASE-15_0 configuration file to the $SYBASE home configuration file. It is recommended you do this prior to the VitalQIP installation. If the name of the database server is LAMSYBASE, the UNIX command would be the following:

    ln -f -s $SYBASE/LAMSYBASE.cfg $SYBASE/ASE-15_0/LAMSYBASE.cfg
Preliminary steps for the installation of Audit Manager and Oracle

Specific preliminary steps must be addressed before starting your installation. Use the following checklist to assist in accomplishing these preliminary steps.

Important! Because Alcatel-Lucent does not supply the Oracle database or runtime, it is the responsibility of the customer to obtain, install, and configure the Oracle database. Alcatel-Lucent is not responsible for your Oracle database or runtime installation. The information listed in this section must be completed prior to installing Audit Manager.

Obtaining a license key

You must obtain a license key for the Audit Manager enterprise server and serial number for each system on which Audit Manager is installed. If the VitalQIP enterprise server and the Audit Manager enterprise server reside on the same machine, make sure the license key is for VitalQIP and Audit Manager. If the VitalQIP enterprise server does not reside on the same machine as the Audit Manager enterprise server, you must update the VitalQIP license to support Audit Manager before continuing.

To obtain a license key, call Technical Support at 1-866-582-3688 with your Host ID (or IP address on Windows and Linux). The Host ID (or IP address) can be obtained by executing one of the following commands:

For Solaris: /usr/ucb/hostid
For Windows: ipconfig <IPaddress>

For Linux, the IP address can be obtained from the first column of the /etc/hosts file, where the server is defined.

Important! Obtain a license key only for the machines where you are installing the Audit Manager enterprise server.

Minimum disk space

You must have a minimum of 10 MB of disk space allocated for Audit Manager under /opt or on the file system you choose to use.
Define Oracle environment variables

For the installation of Audit Manager to operate correctly, you must define the following environment variables prior to starting the installation routine or running Audit Manager:

- ORACLE_HOME
- ORACLE_SID

Ensure that these environment variables are set in your .profile or .cshrc file. If they are not set, the installation temporarily sets them based on your menu entries, then removes them after the installation. Audit Manager is installed using the Bourne shell. When you perform the install, these variables and their values are automatically stored in $QIPHOME/AuditManager/etc/lam_shrc or lam_cshrc. Reference this file under $QIPHOME/AuditManager/etc after you complete the installation.

For a new installation of Audit Manager on UNIX platforms, the environment variables with an Oracle database are set as follows:

    # cd <QIP_directory>/AuditManager/etc
    # . ./lam_shrc or source ./lam_cshrc
    ORACLE_HOME=your_target_Oracle_directory
    export ORACLE_HOME
    QIPHOME=your_target_QIP_directory (default: /opt/qip)
    export QIPHOME
    PATH=$PATH:$QIPHOME/usr/bin:$QIPHOME/AuditManager/usr/bin:$ORACLE_HOME/bin:.:/usr/bin/x12
    ORACLE_SID=Oracle database name
    export ORACLE_SID
    export PATH
    QIPDBASE=ORACLE
    export QIPDBASE
    QIPLOGIN=IP_address_of_the_machine_where_VitalQIP_Login_Service_resides.
    QIPAUDIT=IP_address_of_the_machine_where_VitalQIP_Audit_Service_resides.
    LD_LIBRARY_PATH=$QIPHOME/usr/lib:$ORACLE_HOME/lib:$LD_LIBRARY_PATH
    export LD_LIBRARY_PATH

Oracle database setup

An Oracle database administrator (DBA) must perform the following steps before continuing with the installation:

Important! The following steps must be performed by an Oracle database administrator. There are no exceptions.

1. Install Oracle by doing the following:

   a. Ensure the operating system kernel is configured with enough memory.

   b. At a minimum, you need to install the following modules:

      - Oracle Server 10gR2 (10.2.0.1)
      - PL/SQL
      - SQL*NET
      - SQL*PLUS
      - A Protocol Adapter
      - Configure SQL*NET

Important! If the Audit Manager enterprise server resides on a different server than the VitalQIP enterprise server, but the Audit Manager and VitalQIP databases reside on the VitalQIP enterprise server, you will need to install the client component on the Audit Manager enterprise server, Oracle Database Utilities containing sqlldr.

2. Since VitalQIP supports a database that stores multiple languages, Audit Manager's Oracle database character set must be set to AL32UTF8 and the Oracle National Character to AL16UTF16. These settings can be configured in the Oracle Database Creation Assistant (DBCA) when creating an Oracle database instance.

3. Create tablespaces in Oracle using the given tablespace names. Use the following calculation to determine the tablespace sizes:

    [(D * 2) + (S * .10) + (C * 2)] * 92 = # records for 3 months

   The variable definitions are as follows:

   D = The number of objects obtaining DHCP leases
   S = The number of static objects being assigned IP addresses within VitalQIP
   C = The number of Windows Domain Controller Objects on one domain

   For more information about this calculation, refer to Disk space estimation (p. 2-3).

   The following tablespaces are created based on the following calculations:

   a. LAM_DATA tablespace contains the Audit Manager tables. It is the default tablespace for all Audit Manager administrators.

    LAM_DATA tablespace = (Total of Defined Large Tables + 8 MB)

   b. LAM_INDEX tablespace contains the Audit Manager indexes.

    LAM_INDEX tablespace = (LAM_DATA tablespace * .10) + LAM_DATA tablespace

   c. LAM_TEMP tablespace is used as the temporary tablespace for the Audit Manager administrator. The Audit Manager administrator references LAM_TEMP for sorting and other temporary database functions. During the Audit Manager installation, the tablespace is called LAM_TEMP.

    LAM_TEMP tablespace = (LAM_DATA tablespace * .5)

4. Ensure Oracle's UndoTablespace parameter is properly configured.
5. During the installation, a database schema owner name lamadmin is created. The following database permissions are given to lamadmin:

   - Create sessions
   - Create snapshot
   - Create table
   - Create trigger
   - Create procedure
   - Create view
   - Select any table
   - Select on dba_role_privs
   - Select any dictionary
   - Query rewrite

   Another administrator named updateservice also is created during the installation. This administrator supports the Update Service with connection to the database and inserts audit data into the database. The updateservice administrator cannot be deleted.

   The administrator scheduleservice supports the Audit Schedule Service connection to the database and updates scheduling information in the database. The scheduleservice administrator cannot be deleted.

6. Depending upon the size of your network, some Audit Manager tables could be large. The script used to create tables does not specify initial or next extents due to varying customer database sizes. Alcatel-Lucent recommends that you calculate the potential size of the tables and add initial/next extent specifications to create table statements if necessary, or utilize the tab_storage.conf file to specify initial and next extent segments, as described in step 6. (For more information about the calculation, refer to Disk space estimation (p. 2-3).)

   Refer to the following table for the Data Tables and the number of bytes per record. These tables and their size per record in bytes are located in $QIPHOME/AuditManager/script/tab_storage.conf.

Table 2-3 Audit Manager data tables and bytes per record

| Data table | Bytes per record |
| --- | --- |
| Alert_triggered | 33 bytes per record |
| Archive_audit_data | 324 bytes per record |
| Current_audit_data | 317 bytes per record |
| Search_current_data | 125 bytes per record |
| Search_archive_data | 132 bytes per record |
| Temp_search_data | 132 bytes per record |
| Temp_audit_data | 324 bytes per record |
| Temp_alert_triggered | 40 bytes per record |

   Because one row is written to the appropriate Audit Table during a dml statement to its Data Table, these tables can become very large if left unattended. Refer to the following table for the Audit Tables and the number of rows per dml.

Table 2-4 Audit Manager audit tables and rows per dml

| Audit table | Rows per dml |
| --- | --- |
| administrators_aud | 1 row per dml performed on an administrator |
| alert_filters_aud | 1 row per dml performed on an alert |
| archive_settings_aud | 1 row per dml performed on an archive setting |
| organization_aud | 1 row per dml performed on an organization |

7. The $QIPHOME/AuditManager/script/tab_storage.conf file is used to specify the storage parameters such as extent sizes for Audit Manager Tables. During the Audit Manager enterprise server installation, you are informed when it is appropriate to modify this file. You may modify the $QIPHOME/AuditManager/script/tab_storage.conf script to change the necessary extent specifications.

8. During the Audit Manager installation, the user is prompted for the Oracle sys password. This password must be obtained from your Oracle DBA.

END OF STEPS
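The PATH lines in the Sybase and Oracle environment listings earlier in this chapter contain relative entries (`..` and `.`), and the LD_LIBRARY_PATH lines end in `:$LD_LIBRARY_PATH`, which leaves an empty element when that variable was unset; shells and common dynamic linkers resolve such elements against the current directory. The check below is an added example, not part of the Audit Manager distribution; the function names and the sample install paths (/opt/qip, /opt/oracle) are assumptions.

```sh
#!/bin/sh
# Added example: flag search-path elements that resolve against the current
# directory. Not part of the Audit Manager distribution.

# list_unsafe_entries VALUE
#   VALUE is a colon-separated search path (PATH, LD_LIBRARY_PATH, ...).
#   Prints one line per risky element: "<position>:<kind>:<entry>".
#   kind is "empty" (leading, trailing or doubled colon) or "relative"
#   (anything that does not start with "/", including "." and "..").
list_unsafe_entries() {
    lue_rest=$1
    [ -n "$lue_rest" ] || return 0      # variable not set: nothing to report
    lue_rest=$lue_rest:                 # sentinel so the last element is consumed
    lue_pos=0
    while [ -n "$lue_rest" ]; do
        lue_entry=${lue_rest%%:*}
        lue_rest=${lue_rest#*:}
        lue_pos=$((lue_pos + 1))
        case $lue_entry in
            '') echo "$lue_pos:empty:" ;;
            /*) ;;
            *)  echo "$lue_pos:relative:$lue_entry" ;;
        esac
    done
}

# absolute_only VALUE
#   Prints VALUE with every empty or relative element removed.
absolute_only() {
    ao_rest=$1:
    ao_out=
    while [ -n "$ao_rest" ]; do
        ao_entry=${ao_rest%%:*}
        ao_rest=${ao_rest#*:}
        case $ao_entry in
            /*) ao_out=${ao_out:+$ao_out:}$ao_entry ;;
        esac
    done
    printf '%s\n' "$ao_out"
}

# join_path PART...
#   Joins the non-empty arguments with ":" so that an unset variable never
#   leaves an empty element behind.
join_path() {
    jp_result=
    for jp_part in "$@"; do
        [ -n "$jp_part" ] || continue
        jp_result=${jp_result:+$jp_result:}$jp_part
    done
    printf '%s\n' "$jp_result"
}

# Constructed sample values modelled on the Oracle listing (paths are assumptions).
QIP=/opt/qip
ORA=/opt/oracle
sample_path="/usr/bin:$QIP/usr/bin:$QIP/AuditManager/usr/bin:$ORA/bin:.:/usr/bin/x12"
sample_lib="$QIP/usr/lib:$ORA/lib:"   # what the listing yields when LD_LIBRARY_PATH was unset

echo "PATH findings:"
list_unsafe_entries "$sample_path"
echo "LD_LIBRARY_PATH findings:"
list_unsafe_entries "$sample_lib"
echo "PATH without relative entries: $(absolute_only "$sample_path")"
echo "Library path built safely:     $(join_path "$QIP/usr/lib" "$ORA/lib" "")"
```

Run the check against the values that lam_shrc actually exports for the service account, since those are the ones the Audit Manager programs inherit.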
Oracle installation recommendations for Audit Manager

There are several Oracle parameters that need to be modified for your database and operational environment. Increasing these parameters within Oracle can result in better performance within Oracle and VitalQIP. These parameter settings represent minimum requirements for an Oracle and VitalQIP configuration:

    cursor_sharing = force
    db_file_multiblock_read_count = 16
    shared_pool_size = 14000000
    processes = 50
    dml_locks = 200
    log_buffer = 32768

Important! It is recommended that the settings for sga_max_size and sga_target parameters be set to the maximum allowed based on available memory to Oracle. See Oracle installation documentation for more details on how to set the sga_max_size and sga_target parameters.

Important! The compatible parameter must be set to at least 9.2.0.0 (for example, compatible=9.2.0.0) to support the MAXEXTENTS UNLIMITED parameter. This storage parameter is used when creating temporary tables, and the indexes are used to move the database design. These tables and indexes are dropped at the end of the migration. Following the upgrade, export and import data into the Oracle database to defragment the disk space that was fragmented by temporary tables and indexes.
3 Audit Manager UNIX installation

Overview

Purpose

This chapter describes how to install the Audit Manager components on UNIX. Before beginning the installation, take the time to read Chapter 1 of this manual, since it assists you in determining how to set up your Audit Manager system. After you have determined how to set up the Audit Manager system, make sure you have met the system requirements described in the Audit Manager 1.7 Release Notes and then follow the planning instructions in Chapter 2.

Contents

This chapter covers these topics.

- Standard and template installation
- To install Audit Manager on UNIX
- To install the Audit Manager server
- To install Audit Manager server on Sybase
- To install Audit Manager server on Oracle
- To install the Audit Manager Command Line Interface
- To install Audit Manager Command Line Interface on Sybase
- To install Audit Manager Command Line Interface on Oracle
- To configure VitalQIP to use Audit Manager
- To start and stop the Audit Manager database on UNIX
Standard and template installation

Standard Installation

The standard installation command is lam-load. The installation process is a series of questions to which you supply valid responses. The process occurs in sections, one for each component of the Audit Manager software. Thus, separate sections in this chapter describe each part of the installation.

Once you have answered all the questions and completed the installation, the following file is created with all your values in field=value pairs:

    lam-load.template.yyyymmdd.hhmm

where yyyy=year, mm=month, dd=day, hh=hour, and mm=minute. In addition, the following log file is also created:

    lam-load.log.yyyymmdd.hhmm

Both files are located in the $QIPHOME/AuditManager/log directory. If this directory cannot be found, it is created in the current directory (wherever you are currently working from). When the current working directory is read-only, the lam-load.log and lam-load.template files are written to /tmp.

If for some reason you need to re-run the installation, you can recall all information you entered via the prompts supplied by the installation process. The information is stored in this file by running the lam-load command.

lam-load command

Once you have entered all the necessary field=value pairs into the lam-load.template file, run the following command:

    lam-load [-t template_file | -w create_template_file] [-l log_file]

Parameters

-t template_file
    The name of the template installation file (for example, mytemplate). If you use this parameter, the -w parameter cannot be used.

-w create_template_file
    The -w parameter creates a template file in the directory you are currently working in. This parameter can only be used when the -t parameter is not used.

-l log_file
    The name of the log file (for example, mytemplatelog).
Template installation

Another way to install Audit Manager is to create a template by placing the field=value pairs in the lam-load.template file and running the lam-load command (the program that installs Audit Manager) with specific parameters as described in the following paragraphs. The template installation can also be used to re-install or install another server with predetermined option values.

Important! The database administrator password written to the template file is the default, and for security reasons cannot be changed.

In each Step section of this chapter, there is a table providing the prompt, its default value, a description of the option, and a column specifying the Installation Template field. Match this field name with your value and enter it into the template file using a text editor (for example, vi). For example, instead of responding to the Company Name prompt in the Product License Setup menu, you would input the following field=value pair in the template file:

    license.company=your Company, Inc.

Your lam-load.template file looks similar to the following:

    #
    # Version : Version 1.7
    #
    # If you want to use the default value, please type "item.field=use_default"
    #
    # LOAD_MENU:
    # ---------------------------
    # 1) QIP directory; Default=`pwd`/qip
    load.qiphome=/opt/qip
    # 2) Load Device (file or cdrom); Default=cdrom
    load.devicetype=cdrom
    # 3) Load Path; Default=`pwd`
    load.loadpath=/cdrom
    # 4) Load Audit Manager Server (yes or no); Default=no
    # if yes, please set values in the LICENSE_MENU & LAM_SERVER_MENU
    load.auditserver=no
    # 5) Load Audit Manager Coommand Line Interface (yes or no); Default=no
    load.auditcli=no
    # 6) Change the QIP Configuration (yes or no); Default=no
    # if yes, please set values in the QIP_CONFIG_MENU
    load.qipconfig=no
    # 7) Login Service; Default=no
    #load.slogin=no
    # LICENSE_MENU:
    # ---------------------------
    # 1) Company Name
    license.company=$company_name
    # 2) Serial Number
    license.serialno=12345
    # 3) License Key
    license.licensekey=1234567901234567890
    # LAM_SERVER_MENU:
    # ---------------------------
    # 1) Do you want to export data from the existing database? (yes or no); Default=no; use EXPORT_MENU
    # if yes, please set values in the EXPORT_MENU
    lamserver.exportdata=yes
    # 2) Audit Manager Server Image; Default=$LOADPATH/$OSTYPE_PATH/lamsrv.z
    lamserver.lamserverimage=/cdrom/solaris.2x/lamsrv.z
    # 3) LAM Database Type; Default=SYBASE
    lamserver.qipdbase=sybase
    # 4) Sybase Directory; Default=`pwd`/sybase11
    lamserver.sybasedirectory=/opt/sybase11
    # 4) Oracle Home Directory; Default=`pwd`/oracle
    lamserver.oracledirectory=/opt/oracle
    # 5) Sybase Server Name or Oracle Database Alias Name; Default=QIPSYBASE or QIPORACLE
    lamserver.qipdataserver=qipsybase
    # 6) sa's password for Sybase Server; Default=
    lamserver.sapassword=
    # 6) SYS's password for Oracle Database; Default=manager
    lamserver.syspassword=manager
    # 7) lamadmin's password; Default=lamadmin
    lamserver.lamadminpassword=lamadmin
    # 8) Audit Manager Update Service Address; Default=127.0.0.1
    lamserver.updateserviceip=127.0.0.1
    # 9) Audit Manager Login Service Address; Default=
    lamserver.loginserviceip=
    # 10) Prepared Export Data; Default=$SYBASE/script/export_lam_data
    lamserver.datadirectory=/opt/qip/script/export_lam_data
    # 11) Sybase OCS Subdirectory; Default=$SYBASE_OCS
    lamserver.ocssub=ocs-12_5
    # 12) Sybase ASE Subdirectory; Default=$SYBASE_ASE
    lamserver.asesub=ase-12_5
    # LAM_CLI_MENU:
    # ---------------------------
    # 1) Audit Manager CLI Image; Default=$LOADPATH/$OSTYPE_PATH/lamclt.z
    lamcli.lamcliimage=/cdrom/solaris.2x/lamclt.z
    # 2) LAM Database Type; Default=SYBASE
    lamcli.qipdbase=sybase
    # 3) Sybase Directory; Default=`pwd`/sybase11
    lamcli.sybasedirectory=/opt/sybase11
    # 3) Oracle Home Directory; Default=`pwd`/oracle
    lamcli.oracledirectory=/opt/oracle
    # 4) Sybase Server Name or Oracle Database Alias Name; Default=QIPSYBASE or QIPORACLE
    lamcli.qipdataserver=qipsybase
    # 5) Audit Manager Update Service Address; Default=127.0.0.1
    lamcli.updateserviceip=127.0.0.1
    # 6) Audit Manager Login Service Address; Default=127.0.0.1
    lamcli.loginserviceip=127.0.0.1
    # LAM_SYBASE_MENU:
    # ---------------------------
    # 1) Do you want to calculate LAM sizes automatically? (yes or no); Default=no; use AUTO_SIZE_MENU
    # if yes, please set values in the AUTO_SIZE_MENU
    sybaselam.autosize=no
    # 2) LAM Data Device Type (file or raw-partition); Default=file
    sybaselam.lamdatadevicetype=file
    # 3) LAM Data Device Name; Default=$SYBASE/devs/lam_dat
    sybaselam.lamdatadevicename=/opt/sybase/devs/lam_dat
    # 4) LAM Data Device Size; Default=54
    sybaselam.lamdatadevicesize=54
    # 5) LAM Log Device Type (file or raw-partition); Default=file
    sybaselam.lamlogdevicetype=file
    # 6) LAM Log Device Name; Default=$SYBASE/devs/lam_log
    sybaselam.lamlogdevicename=/opt/sybase/devs/lam_log
    # 7) LAM Log Device Size; Default=16
    sybaselam.lamlogdevicesize=16
    # 8) LAM Tempdb Device Type (file or raw-partition); Default=file
    sybaselam.tempdbdevicetype=file
    # 9) LAM Tempdb Device Name; Default=$SYBASE/devs/lam_tempdb
    sybaselam.tempdbdevicename=/opt/sybase/devs/lam_tempdb
    # 10) LAM Tempdb Device Size; Default=27
    sybaselam.tempdbdevicesize=27
    # AUTO_SIZE_MENU:
    # ---------------------------
    # 1) Number of Clients Obtaining DHCP Leases; Default=5000
    autosize.numberofdhcpclients=use_default
    # 2) Number of Static Objects Being Assigned IP Addresses within QIP; Default=5000
    autosize.numberofstaticobjects=use_default
    # 3) Number of NT Domain Controller Object Login/Logouts per Day; Default=5000
    autosize.numberofntdomainobjects=use_default
    # QIP_CONFIG_MENU:
    # ---------------------------
    # 1) Company Name
    qipconfig.company=$company_name
    # 2) Serial Number
    qipconfig.serialno=12345
    # 3) License Key
    qipconfig.licensekey=1234567901234567890
    # 4) Audit Manager Update Service Address; Default=127.0.0.1
    qipconfig.updateserviceip=127.0.0.1
    # 5) Audit Manager Server Image; Default=$LOADPATH/$OSTYPE_PATH/lamsrv.z
    qipconfig.lamserverimage=/cdrom/solaris.2x/lamsrv.z
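The template above keeps the sa, SYS and lamadmin password fields as plain field=value lines, and its sample values are the documented defaults (blank, manager, lamadmin). The script below is an added example, not part of the Audit Manager distribution, that reports those conditions and loose file permissions for a template file without printing any password; the function names and finding labels are assumptions.

```sh
#!/bin/sh
# Added example: review a lam-load template for credential hygiene before it
# is stored or reused. Not part of the Audit Manager distribution.

# template_value FILE FIELD
#   Prints the value of the last active (uncommented) FIELD=value line.
#   Returns 1 when the field is absent or commented out.
template_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                 # comments, including "#load.slogin=no"
        {
            pos = index($0, "=")
            if (pos == 0) next
            name = substr($0, 1, pos - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            if (name == key) {
                val = substr($0, pos + 1)
                sub(/[ \t\r]+$/, "", val)   # drop trailing blanks and CR
                found = 1
            }
        }
        END { if (found) print val; exit !found }
    ' "$1"
}

# audit_template FILE
#   Prints one finding per line:
#     PERMS <mode>     file is accessible to group or other
#     BLANK <field>    password field is empty
#     DEFAULT <field>  password field holds the documented default or use_default
#     SECRET <field>   password field holds a site-specific value in clear text
audit_template() {
    at_file=$1
    at_mode=$(ls -ld "$at_file" | cut -c1-10)
    case $at_mode in
        ????------) ;;                      # owner-only access
        *) echo "PERMS $at_mode" ;;
    esac
    # field:documented_default pairs, taken from the template listing
    for at_pair in lamserver.sapassword: \
                   lamserver.syspassword:manager \
                   lamserver.lamadminpassword:lamadmin; do
        at_field=${at_pair%%:*}
        at_default=${at_pair#*:}
        if at_value=$(template_value "$at_file" "$at_field"); then
            if [ -z "$at_value" ]; then
                echo "BLANK $at_field"
            elif [ "$at_value" = "$at_default" ] || [ "$at_value" = use_default ]; then
                echo "DEFAULT $at_field"
            else
                echo "SECRET $at_field"
            fi
        fi
    done
}

# Constructed sample: the three password lines as they appear in the listing,
# written to a world-readable temporary file.
demo() {
    demo_file=$(mktemp) || return 1
    cat > "$demo_file" <<'EOF'
# 6) sa's password for Sybase Server; Default=
lamserver.sapassword=
# 6) SYS's password for Oracle Database; Default=manager
lamserver.syspassword=manager
# 7) lamadmin's password; Default=lamadmin
lamserver.lamadminpassword=lamadmin
EOF
    chmod 644 "$demo_file"
    audit_template "$demo_file"
    rm -f "$demo_file"
}
demo
```

The same check applies to the dated lam-load.template.yyyymmdd.hhmm copies under $QIPHOME/AuditManager/log and to any copy that fell back to /tmp.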
To install Audit Manager on UNIX

Purpose

Follow the instructions for each component after retrieving the files from the LED site. Instructions on downloading files from the LED site are located in the Audit Manager 1.7 Release Notes.

To begin the installation

To start the installation, follow these steps:

1. Download the appropriate LAM file from the LED site to a temporary directory and untar the files.

2. Make sure that all the environmental variables are set. Refer to Define Sybase environment variables (p. 2-10) and Define Oracle environment variables (p. 2-12).

3. Run the following command from the temporary directory:

    ./lam-load

4. Proceed to the appropriate section for further installation procedures.

END OF STEPS
To install the Audit Manager server

Purpose

This section is an installation guide for the Audit Manager server only. If you intend to install the Audit Manager server on a different machine than the VitalQIP enterprise server, the VitalQIP enterprise server needs to be configured after this installation. For details on configuring the VitalQIP enterprise server, refer to To configure VitalQIP to use Audit Manager (p. 3-31).

Important! Do not kill or close the Sybase server or console screens during installation. Terminating these screens results in suspension of the Audit Manager installation process and requires a complete re-installation.

Procedure

To install the Audit Manager server, follow these steps:

1. Follow the instructions in To begin the installation (p. 3-7).

2. After running ./lam-load (Linux and Solaris), the Product Component Load Menu opens.

    ############################################################################
    Alcatel-Lucent Copyright (c) 2007, All Rights Reserved
    Audit Manager Version 1.7
    ############################################################################
    Product Component Load
    ############################################################################
    1) VitalQIP Directory = /opt/qip
    2) Media to load from = file
    3) Load Path = /download/lam
    4) Audit Manager Server = no
    5) Audit Manager Command Line Interface = no
    6) VitalQIP Configuration Changes for Audit Manager = no
    x) Exit
    Are these options correct?
    Enter the option number you want to change or enter y to install:

3. Refer to the following table for descriptions of the options to be configured and then make changes to these options, as necessary. Enter yes for option 4, Audit Manager Server, to install the Audit Manager on your enterprise server.
Table 3-1 Product Component Load menu options

| Option | Prompt | Default | Description | Installation template field |
| --- | --- | --- | --- | --- |
| 1 | VitalQIP Directory | /opt/qip | Enter the directory specification (path) where Audit Manager is to be loaded. | load.qiphome |
| 2 | Media to load from | file | Enter file when loading the Audit Manager software from the FTP site or cdrom when loading from the cdrom. | load.devicetype |
| 3 | Load Path | /download/lam | Enter the current directory location (path) of the installation files. Specify /cdrom or the directory (path) to load the files from. | load.loadpath |
| 4 | Audit Manager Server | no | Enter yes if you want to install the run-time version of the Audit Manager enterprise server on this machine. | load.auditserver |
| 5 | Audit Manager Command Line Interface | no | Enter yes if you want to install the Audit Manager command line interface. Enter no if you do not want to install the Audit Manager command line interface. The Audit Manager CLI commands are installed by default during the Audit Manager enterprise server installation. | load.auditcli |
| 6 | VitalQIP Configuration Changes for Audit Manager | no | Enter yes if you want to configure the VitalQIP policy file on the VitalQIP enterprise server to send updates to Audit Manager. This is only required when VitalQIP resides on a separate machine from Audit Manager. | load.qipconf |

4. When the options have been configured, enter y at the Are these options correct? prompt. The Product License Setup menu appears.

    ################################################################
    Alcatel-Lucent Copyright (c) 2007, All Rights Reserved
    Audit Manager Version 1.7
    ################################################################
    Product License Setup
    ################################################################
    1) Company Name = Alcatel-Lucent
    2) LAM Serial No. = 12345
    3) LAM License Key = 12345678901234567890
    x) Go back to the main menu
    Are these options correct?
    Enter the option number you want to change or enter y to install:

5. Refer to the following table for descriptions of the options to be configured and make changes to these options, as necessary. All options are required.

Table 3-2 Product License Setup menu options

| Option | Prompt | Default | Description | Installation template field |
| --- | --- | --- | --- | --- |
| 1 | Company Name | (none) | Enter the name of your company. | license.company |
| 2 | LAM Serial No. | (none) | Enter the Audit Manager serial number that you obtained from the IP Services Product Group Service Center. Refer to Preliminary steps for the installation of Audit Manager and Sybase (p. 2-7) or Preliminary steps for the installation of Audit Manager and Oracle (p. 2-12) for additional information. | license.serialno |
| 3 | LAM License Key | (none) | Enter the Audit Manager license key that you obtained from IP Services Product Group Service Center. Refer to Preliminary steps for the installation of Audit Manager and Sybase (p. 2-7) or Preliminary steps for the installation of Audit Manager and Oracle (p. 2-12) for additional information. | license.licensekey |

6. When all options have been configured, enter y in response to the Are these options correct? prompt at the end of the menu. The menu that displays is determined by the database located on your machine.

7. If you are installing Audit Manager on Sybase, refer to To install Audit Manager server on Sybase (p. 3-12). If you are installing on Oracle, go to To install Audit Manager server on Oracle (p. 3-21).

END OF STEPS
To install Audit Manager server on Sybase

Purpose
To install the Audit Manager server on Sybase.

Procedure
To install the Audit Manager server on Sybase, follow these steps:

1. Configure the options in the Audit Manager Server menu.

    #############################################################################
    Alcatel-Lucent Copyright (c) 2007, All Rights Reserved
    Audit Manager Version 1.7
    #############################################################################
    Audit Manager Server
    #############################################################################
    1) Keep the Existing Data = no
    2) LAM Server Distribution Image = <directory>/<op_system>/lamsrv.z
    3) Database Server Type = SYBASE
    4) Sybase Directory = /opt/sybase
    5) Sybase Server Name = LAMSYBASE
    6) Password of sa =
    7) Password of lamadmin = lamadmin
    8) Audit Manager Update Service Address = 127.0.0.1
    9) Audit Manager Login Service Address = 127.0.0.1
    10) Import Data from Prepared Export Data = /opt/qip/export_lam_data
    11) Sybase OCS SubDirectory = OCS-12_5
    12) Sybase ASE SubDirectory = ASE-12_5
    x) Go back to the main menu
    Are these options correct?
    Enter the option number you want to change or enter y to install:

2. Refer to the following table for descriptions of the options to be configured. Enter yes for option 1, Keep the Existing Data.
Table 3-3 Audit Manager Server menu options

| Option | Prompt | Default | Description | Installation template field |
|---|---|---|---|---|
| 1 | Keep the Existing Data | no | Enter yes if you want to export data from your existing system before installing the new Audit Server software. | lamserver.exportdata |
| 2 | LAM server Distribution Image | <directory>/<operating_system>/lamsrv.z | Enter the location and file name of the Audit Manager enterprise server distribution image lamsrv.z. | lamserver.lamserverimage |
| 3 | Database Server Type | SYBASE | Enter SYBASE if you are using Sybase database server. | lamserver.qipdbase |
| 4 | Sybase Directory | /opt/sybase | Enter the directory specification (path) where Sybase is to be loaded. | lamserver.sybasedirectory |
| 5 | Sybase Server Name | LAMSYBASE | Enter the name that references the Sybase database server instance that contains and manages the Audit Manager database. | lamserver.qipdataserver |
| 6 | Password of sa | (none) | Enter the Sybase system administrator's (sa's) password. | lamserver.sapassword |
| 7 | Password of lamadmin | lamadmin | Enter the Sybase lamadmin's password. | lamserver.lamadminpassword |
| Option | Prompt | Default | Description | Installation template field |
|---|---|---|---|---|
| 8 | Audit Manager Update Service Address | 127.0.0.1 | Enter the IP address of the Audit Manager Update Service. The service resides on the Audit Manager server. This can be different from the address of the server where the Audit Login Service resides. | lamserver.lupdateserviceip |
| 9 | Audit Manager Login Service Address | 127.0.0.1 | Enter the IP address of the Audit Manager Login Service. The Login Service resides on a primary domain controller. This can be different from the address of the server where the Audit Update Service resides. | lamserver.loginserviceip |
| 10 | Import Data from Prepared Export Data | /opt/qip/export_lam_data | Enter the directory specification (path) where you want the installation to import your data from. | lamserver.datadirectory |
| 11 | Sybase OCS Subdirectory | OCS-12_5 | Sets up the load library path to the Sybase client executable and library files. Type the directory name where the Sybase client executable and library files are installed. | sybaseserver.ocssub |
| 12 | Sybase ASE Subdirectory | ASE-12_5 | Sets up the load library path to the Sybase server files. Type the directory name where the Sybase server is installed. | sybaseserver.asesub |
3. When the options have been configured, enter y in response to the "Are these options correct?" prompt. If you answered yes in response to option 1, the Audit Manager Data Export Setup menu appears.

    #############################################################################
    Alcatel-Lucent Copyright (c) 2007, All Rights Reserved
    Audit Manager Version 1.7
    #############################################################################
    Audit Manager Data Export Setup
    #############################################################################
    1) Database Server Type = SYBASE
    2) Sybase Directory = /opt/sybase
    3) Sybase Server Name = LAMSYBASE
    4) Password of lamadmin = lamadmin
    5) Data Directory = /opt/qip/export_lam_data
    x) Go back to the main menu
    Are these options correct?
    Enter the option number you want to change or enter y to install:

4. Refer to the following table for descriptions of the options to be configured and then make changes to these options, as necessary.

Table 3-4 Audit Manager Data Export Setup menu options

| Option | Prompt | Default | Description | Installation template field |
|---|---|---|---|---|
| 1 | Database Server Type | SYBASE | Enter SYBASE if you are using Sybase database server. | lamexport.qipdbase |
| 2 | Sybase Directory | /opt/sybase | Enter the directory specification (path) where Sybase is to be loaded. | lamexport.sybasedirectory |
| 3 | Sybase Server Name | LAMSYBASE | Enter the name that references the Sybase database server instance that contains and manages the Audit Manager database. | lamexport.qipdataserver |
| 4 | Password of lamadmin | lamadmin | Enter the password of the Audit Manager administrator. | lamexport.lamadminpassword |
| Option | Prompt | Default | Description | Installation template field |
|---|---|---|---|---|
| 5 | Data Directory | /opt/qip/export_lam_data | Enter the directory specification (path) where you want the installation to export your data to. | lamexport.datadirectory |

5. When the options have been configured, enter y in response to the "Are these options correct?" prompt. If the database type is Sybase and the Audit Manager database does not exist, the LAM Database Setup menu appears.

    ################################################################
    Alcatel-Lucent Copyright (c) 2007, All Rights Reserved
    Audit Manager Version 1.7
    ################################################################
    LAM Database Setup
    ################################################################
    1) Auto-Calculate LAM Sizes = no
    2) LAM Data Device Type = file
    3) LAM Data Device/File Name = opt/sybase/ase-12_5/devs/lam_dat
    4) LAM Data Size = 54 MB
    5) LAM Log Device Type = file
    6) LAM Log Device/File Name = opt/sybase/ase-12_5/devs/lam_log
    7) LAM Log Size = 16 MB
    8) Additional Tempdb Device Type = file
    9) Additional Tempdb Device/File Name = opt/sybase/ase-12_5/devs/lam_tempdb
    10) Additional Tempdb Size = 27 MB
    x) Go back to the main menu
    Are these options correct?
    Enter the option number you want to change or enter y to install:

6. Refer to the following table for descriptions of the options to be configured and then make changes to these options, as necessary. Refer to "Disk space estimation" (p. 2-3) to determine the values to enter in options 4, 7, and 10. Enter yes for option 1, Auto-Calculate LAM Sizes.
Table 3-5 LAM Database Setup menu options

| Option | Prompt | Default | Description | Installation template field |
|---|---|---|---|---|
| 1 | Auto-Calculate LAM Sizes | no | Answer yes or no. If you respond with yes, the Calculate LAM Device Sizes menu appears. If you answer no, the installation accepts the entries in numbers 4, 7, and 10. | sybaselam.autosize |
| 2 | LAM Data Device Type | file | Enter file or raw-partition. For additional information on each option, refer to the checklist at the beginning of the installation procedure. If you select file, you must enter the location and file name of your database devices. If you select raw-partition, you must enter the partition names for your database devices. | sybaselam.lamdatadevicetype |
| 3 | LAM Data Device/File Name | opt/sybase/devs/lam_dat | Enter the location and file name of the LAM Data device. This device contains the LAM Data database, which contains all LAM data. | sybaselam.lamdatadevicename |
| 4 | LAM Data Size | 54 MB | Enter the size, in megabytes, of the LAM Data device. Refer to "Preliminary steps for the installation of Audit Manager and Sybase" (p. 2-7) for additional information. | sybaselam.lamdatadevicesize |
| Option | Prompt | Default | Description | Installation template field |
|---|---|---|---|---|
| 5 | LAM Log Device Type | file | Select file or raw-partition. For additional information on each option, refer to the checklist at the beginning of the installation procedure. If you select file, you must enter the location and file name of your log devices. If you select raw-partition, you must enter the partition names for your log devices. | sybaselam.lamlogdevicetype |
| 6 | LAM Log Device/File Name | opt/sybase/devs/lam_log | Enter the location and file name of the LAM Log device. An example for database device type of Raw Partition is /dev/rdsk/c0t1d0s2. | sybaselam.lamlogdevicename |
| 7 | LAM Log Size | 16 MB | Enter the size, in megabytes, of the LAM Log device. Refer to "Preliminary steps for the installation of Audit Manager and Sybase" (p. 2-7) for additional information. | sybaselam.lamlogdevicesize |
| 8 | Additional Tempdb Device Type | file | Select file or raw-partition. For additional information on each option, refer to the checklist at the beginning of the installation procedure. If you select file, you must enter the location and file name of your log devices. If you select raw-partition, you must enter the partition names for your log devices. | sybaselam.tempdbdevicetype |
| 9 | Additional Tempdb Device/File Name | opt/sybase/devs/lam_tempdb | Enter the location and file name of the Audit Manager tempdb device. An example for tempdb device type of Raw Partition is /dev/rdsk/c0t1d0s2. | sybaselam.tempdbdevicename |
| Option | Prompt | Default | Description | Installation template field |
|---|---|---|---|---|
| 10 | Additional Tempdb Size | 27 MB | Enter the size, in megabytes, of the lam_tempdb device. Refer to "Preliminary steps for the installation of Audit Manager and Sybase" (p. 2-7) for additional information. | sybaselam.tempdbdevicesize |

7. When the options have been configured, enter y in response to the "Are these options correct?" prompt. If you answered yes in response to option 1, the Calculate LAM Device Sizes menu appears. If you have not answered yes, you have completed the installation of the Audit Manager server.

    ############################################################################
    Alcatel-Lucent Copyright (c) 2007, All Rights Reserved
    Audit Manager Version 1.7
    ############################################################################
    Calculate LAM Device Sizes
    ############################################################################
    1) Number of Clients Obtaining DHCP Leases = 100
    2) Number of Static Objects Being Assigned IP Addresses within VitalQIP = 100
    3) Number of NT Domain Controller Object Login/Logouts per Day = 100
    x) Go back to the previous menu
    Assumptions:
    Size to store enough data for 3 months (92 days).
    24 Hour DHCP lease times for workstations.
    DHCP objects will be multiplied by 2 to handle Grant/Renew on a daily basis.
    VitalQIP Static objects will be multiplied by 10% to define rough VitalQIP daily activity.
    NT Domain Controller workstations for 1 domain.
    NT Domain Controller workstations will be powered on/off daily.
    NT Domain Controller objects will be doubled to define rough NT daily activity.
    Are these options correct?
    Enter the option number you want to change or enter y to install:

8. Refer to the following table for descriptions of the options in the Calculate LAM Device Sizes menu and make changes to these options, based on the information in this table and in the text following it.
Table 3-6 Calculate LAM Device Sizes menu options

| Option | Prompt | Default | Description | Installation template field name |
|---|---|---|---|---|
| 1 | Number of Clients Obtaining DHCP Leases | 100 | Enter the number of clients obtaining DHCP leases. | autosize.numberofdhcpclients |
| 2 | Number of Static Objects Being Assigned IP Addresses within VitalQIP | 100 | Enter the number of static objects being assigned IP addresses within VitalQIP. | autosize.numberofstaticobjects |
| 3 | Number of NT Domain Controller Object Login/Logouts per Day | 100 | Enter the number of NT domain controller object login and logouts per day. | autosize.numberofntdomainobjects |

The sizes of the LAM database and log devices vary depending on several conditions:

- The number of defined static objects in VitalQIP
- The number of defined DHCP objects in VitalQIP that are being granted leases
- The number of Domain Controllers being audited over a period of time

To determine the space you need, refer to "Disk space estimation" (p. 2-3). This section gives instructions for determining the total size needed for the database device. The LAM log device size must be approximately one-third of the database device size. The size of the tempdb device must be approximately one-half of the database device size.

9. When the options have been configured, enter y in response to the "Are these options correct?" prompt. The installation takes you back to the Product Component Load menu. You can continue installation of other components or exit the program.

10. You are asked if you would like to start the Audit Manager and VitalQIP daemons/services. If you answer yes, all daemons/services that were loaded during the installation will attempt to automatically start. If you answer no, you are responsible for starting the daemons/services manually.

END OF STEPS
To install Audit Manager server on Oracle

Purpose
To install the Audit Manager server on Oracle.

Procedure
To install the Audit Manager server on Oracle, follow these steps:

1. Configure the options in the Audit Manager Server menu.

    #############################################################################
    Alcatel-Lucent Copyright (c) 2007, All Rights Reserved
    Audit Manager Version 1.7
    #############################################################################
    Audit Manager Server
    #############################################################################
    1) Keep the Existing Data = no
    2) LAM Server Distribution Image = <directory>/<operating_system>/lamsrv.z
    3) Database Server Type = ORACLE
    4) Oracle Home Directory = /opt/oracle
    5) Oracle Database Alias Name = LAMORACLE
    6) Password of SYS = manager
    7) Password of lamadmin = lamadmin
    8) Audit Manager Update Service Address = 127.0.0.1
    9) Audit Manager Login Service Address = 127.0.0.1
    10) Import Data from Prepared Export Data = /opt/qip/export_lam_data
    x) Go back to the main menu
    Are these options correct?
    Enter the option number you want to change or enter y to install:

2. Refer to the following table for descriptions of the options to be configured. Enter yes for option 1, Keep the Existing Data.

Table 3-7 Audit Manager Server menu options

| Option | Prompt | Default | Description | Installation template field |
|---|---|---|---|---|
| 1 | Keep the Existing Data | no | Enter yes if you want to export data from your existing system before installing the new Audit Server software. | lamserver.exportdata |
| Option | Prompt | Default | Description | Installation template field |
|---|---|---|---|---|
| 2 | LAM server Distribution Image | <directory>/<operating_system>/lamsrv.z | Enter the location and file name of the Audit Manager server distribution image lamsrv.z. | lamserver.lamserverimage |
| 3 | Database Server Type | ORACLE | Enter ORACLE if you are using Oracle database server. | lamserver.qipdbase |
| 4 | Oracle Home Directory | /opt/oracle | Enter the directory specification (path) where Oracle will be loaded. | lamserver.oracledirectory |
| 5 | Oracle Database Alias Name | LAMORACLE | Enter the name that references the Oracle database server instance that contains and manages the LAM database. | lamserver.qipdataserver |
| 6 | Password of SYS | (none) | Enter the Oracle SYS's password. | lamserver.syspassword |
| 7 | Password of lamadmin | lamadmin | Enter the Oracle lamadmin's password. | lamserver.lamadminpassword |
| 8 | Audit Manager Update Service Address | 127.0.0.1 | Enter the IP address of the Audit Manager Update Service. This can be different from the address of the server where the Audit Login Service resides. | lamserver.updateserviceip |
| 9 | Audit Manager Login Service Address | 127.0.0.1 | Enter the IP address of the Audit Manager Login Service. The Login Service resides on the Audit Manager enterprise server. This can be different from the address of the server where the Audit Update Service resides. | lamserver.loginserviceip |
| Option | Prompt | Default | Description | Installation template field |
|---|---|---|---|---|
| 10 | Import Data from Prepared Export Data | /opt/qip/export_lam_data | Enter the directory specification (path) where you want the installation to import your data from. | lamserver.datadirectory |

3. When the options have been configured, enter y in response to the "Are these options correct?" prompt. If you answered yes in response to option 1, you are asked which version of Oracle is installed on the system. Answering no to option 1 completes the installation.

4. Enter 10 if your system has Oracle 10gR2 server/client installed. The Audit Manager Data Export Setup menu appears.

    #############################################################################
    Alcatel-Lucent Copyright (c) 2007, All Rights Reserved
    Audit Manager 1.7
    #############################################################################
    Audit Manager Data Export Setup
    #############################################################################
    1) Database Server Type = ORACLE
    2) Oracle Home Directory = /opt/oracle
    3) Oracle Database Alias Name = LAMORACLE
    4) Password of lamadmin = lamadmin
    5) Data Directory = /opt/qip/export_lam_data
    x) Go back to the main menu
    Are these options correct?
    Enter the option number you want to change or enter y to install:

5. Refer to the following table for descriptions of the options to be configured and then make changes to these options, as necessary.

Table 3-8 Audit Manager Data Export Setup menu

| Step | Prompt | Default | Description | Installation template field |
|---|---|---|---|---|
| 1 | Database Server Type | ORACLE | Enter Oracle if you are using Oracle database server. | lamexport.qipdbase |
| Step | Prompt | Default | Description | Installation template field |
|---|---|---|---|---|
| 2 | Oracle Directory | /opt/oracle | Enter the directory specification (path) where Oracle is to be loaded. | lamexport.oracledirectory |
| 3 | Oracle Database Alias Name | LAMORACLE | Enter the name that references the Oracle database server instance that contains and manages the LAM database. | lamexport.qipdataserver |
| 4 | Password of lamadmin | lamadmin | Enter the password of the Audit Manager administrator. | lamexport.lamadminpassword |
| 5 | Data Directory | /opt/qip/export_lam_data | Enter the directory specification (path) where you want the installation to export your data to. | lamexport.datadirectory |

6. When the options have been configured, enter y in response to the "Are these options correct?" prompt. Your setup of the Audit Manager server is complete. You can continue installation of other components or exit the program.

7. You are asked if you would like to start Audit Manager and the VitalQIP daemons/services. If you answer yes, all daemons/services that were loaded during the installation attempt to automatically start. If you answer no, you are responsible for starting the daemons/services manually.

END OF STEPS
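The Sybase and Oracle server menus above show lamadmin with the password lamadmin, SYS as manager, and a blank sa password, and the tables give the installation template field that carries each value. The following added example, which is not part of the Alcatel-Lucent guide, flags those values in a template file before it is used or archived; the one `field=value` pair per line syntax, the function names and the sample values are assumptions.

```shell
#!/bin/sh
# Added example: flag installer-default credentials in an Audit Manager
# installation template. ASSUMPTION: the template holds one "field=value"
# pair per line; adjust template_value() if your template syntax differs.

# Password fields from the tables on this page, each paired with the value
# the installer menus show for it. Format: field|default (empty = blank).
DEFAULTS='lamserver.lamadminpassword|lamadmin
lamexport.lamadminpassword|lamadmin
lamserver.syspassword|manager
lamserver.sapassword|'

# Print the value of field $2 in template file $1; fail if the field is absent.
template_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                       # skip comment lines
        {
            pos = index($0, "=")
            if (pos == 0) next
            k = substr($0, 1, pos - 1)
            v = substr($0, pos + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            if (k == key) { print v; found = 1; exit }
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Succeed if file $1 is readable by group or others.
template_exposed() {
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \) -print)" ]
}

# Report every weak setting in template $1 without echoing any password.
# Returns 0 only when nothing was flagged.
audit_template() {
    file=$1
    findings=0
    # A here-document keeps the loop in this shell so the counter survives.
    while IFS='|' read -r field default; do
        value=$(template_value "$file" "$field") || continue   # field not set
        if [ "$value" = "$default" ]; then
            if [ -z "$default" ]; then
                echo "WEAK $field: blank password"
            else
                echo "WEAK $field: vendor default still set"
            fi
            findings=$((findings + 1))
        fi
    done <<EOF
$DEFAULTS
EOF
    # A template that others can read exposes every password stored in it.
    if template_exposed "$file"; then
        echo "WEAK $file: readable by group or others"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample template (not taken from a real installation).
sample_template() {
    cat <<'EOF'
# constructed sample
lamserver.qipdbase=SYBASE
lamserver.sapassword=
lamserver.lamadminpassword=lamadmin
lamexport.lamadminpassword=Xk3-rotated-value
EOF
}

if [ "$#" -gt 0 ]; then
    audit_template "$1"
else
    demo=$(mktemp) && sample_template > "$demo" && chmod 600 "$demo"
    audit_template "$demo" || echo "template needs attention"
    rm -f "$demo"
fi
```

Run it with the template path as the only argument; with no argument it audits the constructed sample.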
To install the Audit Manager Command Line Interface

Purpose
The Audit Manager Command Line Interface (CLI) is a series of commands providing access to the Audit Manager database. Unlike the Audit Manager GUI on Windows, the Audit Manager CLI commands are not a graphical user interface. However, these Audit Manager CLI commands provide most of the same functionality as the Audit Manager GUI (there are no reporting CLI commands, for example). As with the Audit Manager GUI, the Audit Manager CLI commands require a Sybase or Oracle client to be present on the same machine.

Important! For information on using the Audit Manager CLI, consult Chapter 10.

A Sybase client component is included in the installation. If you are using Sybase as your relational database, the Sybase client can be installed along with the Audit Manager command line interface, so that it is able to connect to the Sybase database on the Audit Manager enterprise server. If Oracle is your relational database, an Oracle client must be installed before the Audit Manager CLI installation.

A Sybase client does not need to be installed when the Audit Manager enterprise server and VitalQIP enterprise server coexist on the same machine. A Sybase client is included in the Sybase server portion of the Audit Manager enterprise server installation.

Procedure
To install the Audit Manager Command Line Interface, follow these steps:

1. Follow the instructions in "To begin the installation" (p. 3-7).

2. The Product Component Load menu appears.

3. Refer to the Product Component Load menu options table on page 9 for descriptions of the options to be configured and then make changes to these options, as necessary. Enter yes for option 5, Audit Manager Command Line Interface.

4. When the options have been configured, enter y in response to the "Are these options correct?" prompt. The menu that displays is determined by the database that is located on your machine.
5. If you are installing on Sybase, go to "To install Audit Manager Command Line Interface on Sybase", following. If you are installing on Oracle, go to "To install Audit Manager Command Line Interface on Oracle" (p. 3-29).

END OF STEPS
To install Audit Manager Command Line Interface on Sybase

Purpose
To install the Audit Manager Command Line Interface on Sybase.

Procedure
To install the Audit Manager Command Line Interface on Sybase, follow these steps:

1. Configure the options in the Audit Manager Command Line Interface Setup menu.

    ################################################################
    Alcatel-Lucent Copyright (c) 2007, All Rights Reserved
    Audit Manager Version 1.7
    ################################################################
    Audit Manager Command Line Interface Setup
    ################################################################
    1) LAM CLI Distribution Image = <directory>/<operating_system>/lamclt.z
    2) Database Server Type = SYBASE
    3) Sybase Directory = /opt/sybase125
    4) Sybase Server Name = LAMSYBASE
    5) Audit Manager Update Service Address = 127.0.0.1
    6) Audit Manager Login Service Address = 127.0.0.1
    x) Go back to the main menu
    Are these options correct?
    Enter the option number you want to change or enter y to install:

2. Refer to the following table for descriptions of the options to be configured.

Table 3-9 Audit Manager Command Line Interface Setup menu options

| Option | Prompt | Default | Description | Installation template field |
|---|---|---|---|---|
| 1 | LAM CLI Distribution Image | <directory>/<operating_system>/lamsrv.z | Enter the location and file name of the Audit Manager CLI distribution image, lamclt.z. | lamcli.lamcliimage |
| 2 | Database Server Type | SYBASE | Enter SYBASE if you are using Sybase database server. | lamcli.qipdbase |
| Option | Prompt | Default | Description | Installation template field |
|---|---|---|---|---|
| 3 | Sybase Directory | /opt/sybase125 | Enter the directory specification (path) where Sybase is to be loaded. | lamcli.sybasedirectory |
| 4 | Sybase Server Name | LAMSYBASE | Enter the name that references the Sybase database server instance that contains and manages the Audit Manager database. | lamcli.qipdataserver |
| 5 | Audit Manager Update Service Address | 127.0.0.1 | Enter the IP address of the Audit Manager Update Service. This can be different from the address of the server where the Audit Login Service resides. | lamcli.lupdateserviceip |
| 6 | Audit Manager Login Service Address | 127.0.0.1 | Enter the IP address of the Audit Manager Login Service. The Login Service resides on the Audit Manager enterprise server. This can be different from the address of the server where the Audit Update Service resides. | lamcli.loginserviceip |

3. When the options have been configured, enter y in response to the "Are these options correct?" prompt. Your setup of the Audit Manager command line interface is complete. You can continue installation of other components or exit the program.

END OF STEPS
To install Audit Manager Command Line Interface on Oracle

Purpose
To install the Audit Manager Command Line Interface on Oracle.

Procedure
To install the Audit Manager Command Line Interface on Oracle, follow these steps:

1. Configure the options in the Audit Manager Command Line Interface Setup menu.

    #############################################################################
    Alcatel-Lucent Copyright (c) 2007, All Rights Reserved
    Audit Manager Version 1.7
    #############################################################################
    Audit Manager Command Line Interface Setup
    #############################################################################
    1) LAM CLI Distribution Image = <directory>/<operating_system>/lamclt.z
    2) Database Server Type = ORACLE
    3) Oracle Home Directory = /opt/oracle
    4) Oracle Database Alias Name = LAMORACLE
    5) Audit Manager Update Service Address = 127.0.0.1
    6) Audit Manager Login Service Address = 127.0.0.1
    x) Go back to the main menu
    Are these options correct?
    Enter the option number you want to change or enter y to install:

2. Refer to the following table for descriptions of the options to be configured.

Table 3-10 Audit Manager Command Line Interface Setup menu options

| Option | Prompt | Default | Description | Installation template field |
|---|---|---|---|---|
| 1 | LAM CLI Distribution Image | <directory>/<operating_system>/lamsrv.z | Enter the location and file name of the Audit Manager CLI distribution image, lamclt.z. | lamcli.lamcliimage |
| 2 | Database Server Type | ORACLE | Enter ORACLE if you are using Oracle database server. | lamcli.qipdbase |
| Option | Prompt | Default | Description | Installation template field |
|---|---|---|---|---|
| 3 | Oracle Home Directory | /opt/oracle | Enter the directory specification (path) where Oracle is to be loaded. | lamcli.oracledirectory |
| 4 | Oracle Database Alias Name | LAMORACLE | Enter the name that references the Oracle database server instance that contains and manages the Audit Manager database. | lamcli.qipdataserver |
| 5 | Audit Manager Update Service Address | 127.0.0.1 | Enter the IP address of the Audit Manager Update Service. This can be different from the address of the server where the Audit Login Service resides. | lamcli.lupdateserviceip |
| 6 | Audit Manager Login Service Address | 127.0.0.1 | Enter the IP address of the Audit Manager Login Service. The Audit Manager Login Service resides on the Audit Manager enterprise server. This can be different from the address of the server where the Audit Update Service resides. | lamcli.loginserviceip |

3. When the options have been configured, enter y in response to the "Are these options correct?" prompt. Your setup of the Audit Manager command line interface is complete. You can continue installation of other components or exit the program.

END OF STEPS
To configure VitalQIP to use Audit Manager

Purpose
The VitalQIP enterprise server needs to be configured if the VitalQIP enterprise server resides on a separate machine from Audit Manager. This step can be skipped if the Audit Manager enterprise server is on the same machine as the VitalQIP enterprise server. During this portion of the installation, the Lucent Message Service is installed and the VitalQIP policy file is configured. For more information about the service and policy files, refer to the VitalQIP Administrator Reference Manual.

Procedure
To configure VitalQIP to use Audit Manager, follow these steps:

1. Follow the instructions in "To begin the installation" (p. 3-7).

2. The Product Component Load menu appears. Refer to the Product Component Load menu options on page 9 for descriptions of the options to be configured and then make changes to these options, as necessary. Enter yes for option 6, VitalQIP Configuration Changes for Audit Manager.

3. When the options have been configured, enter y in response to the "Are these options correct?" prompt. If you answered yes in response to option 6, the VitalQIP Enterprise Configuration Setup for Audit Manager menu appears.

    #############################################################################
    Alcatel-Lucent Copyright (c) 2007, All Rights Reserved
    Audit Manager 1.7
    #############################################################################
    VitalQIP Configuration Setup for Audit Manager
    #############################################################################
    1) Company Name = Alcatel-Lucent
    2) VitalQIP Serial No. = 12345
    3) VitalQIP License Key = 12345678901234567890
    4) Audit Manager Update Service Address = 127.0.0.1
    5) LAM Server Distribution Image = <directory>/<operating_system>/lamsrv.z
    x) Go back to the previous menu
    Are these options correct?
    Enter the option number you want to change or enter y to install:
4. Refer to the following table for descriptions of the options to be configured and make changes to these options, as necessary.

Table 3-11 VitalQIP Configuration Setup for Audit Manager menu options

| Option | Prompt | Default | Description | Installation template field |
|---|---|---|---|---|
| 1 | Company Name | (none) | Enter the name of your company. | qipconfig.company |
| 2 | LAM Serial No. | (none) | Enter the Audit Manager serial number that you obtained from the IP Services Product Group Service Center. Refer to "Preliminary steps for the installation of Audit Manager and Sybase" (p. 2-7) or "Preliminary steps for the installation of Audit Manager and Oracle" (p. 2-12) for additional information. | qipconfig.serialno |
| 3 | LAM License Key | (none) | Enter the Audit Manager license key that you obtained from IP Services Product Group Service Center. Refer to "Preliminary steps for the installation of Audit Manager and Sybase" (p. 2-7) or "Preliminary steps for the installation of Audit Manager and Oracle" (p. 2-12) for additional information. | qipconfig.licensekey |
| 4 | Audit Manager Update Server Service | 127.0.0.1 | Enter the IP address of the Audit Manager Audit Update Service. This service resides on the Audit Manager enterprise server. | qipconfig.updateserviceip |
| 5 | LAM Server Distribution Image | <directory>/<operating_system>/lamsrv.z | Enter the location and file name of the Audit Manager server distribution image lamsrv.z. | qipconfig.lamserverimage |
5. When the options have been configured, enter y in response to the "Are these options correct?" prompt. Your setup of the VitalQIP enterprise server is complete. You can continue installation of other components or exit the program from the Product Component Load menu.

END OF STEPS
To start and stop the Audit Manager database on UNIX

Purpose
Before you can use the Audit Manager system for any purpose, you must first start your relational database system (Oracle or Sybase) and all the required services before beginning the installation.

Before you begin
Set up the Sybase environment before either starting or stopping Sybase.

1. Go to the Sybase home directory.
2. Enter . ./SYBASE.sh

Starting and Stopping Sybase on UNIX
Before you begin to use the Audit Manager system, you must start the Sybase SQL Manager. To start Sybase, type the following at a command line:

    # cd $SYBASE/$SYBASE_ASE/install
    # RUN_[SQL_Server_Name] &

To stop Sybase, type the following at a command line:

    # isql -U <sa_login> -P <sa_password> -S <Database_Name>
    1> shutdown
    2> go

Starting and Stopping Oracle on UNIX
Before you begin to use the Audit Manager system, Oracle must be started. See your Oracle DBA to start or stop the Oracle database.
4 Audit Manager Windows installation

Overview

Purpose
This chapter describes how to install the Audit Manager components on Windows systems. Before beginning the installation, take the time to read Chapter 1 of this manual, since it assists you in determining how to set up your Audit Manager system. After you have determined how to set up the Audit Manager system, make sure you have met the system requirements described in the Audit Manager 1.7 Release Notes and then follow the planning instructions in Chapter 2.

Contents
This chapter covers these topics.

To install Audit Manager on Windows
To install the Audit Manager server package
To install the Audit Manager server on Sybase
To install the Audit Manager server on Oracle
To install the Audit Manager Client
To install the Domain Control Package
To uninstall Audit Manager
To install Audit Manager on Windows

Purpose
Read the Preliminary steps for the installation of Audit Manager and Sybase (p. 2-7), and Preliminary steps for the installation of Audit Manager and Oracle (p. 2-12) before you begin the installation.

Procedure
To start the installation, follow these steps:

1 Ensure no programs are running. Exit all Windows programs you are currently running.

2 Make sure that all the environmental variables are set. Refer to Preliminary steps for the installation of Audit Manager and Sybase (p. 2-7), or Preliminary steps for the installation of Audit Manager and Oracle (p. 2-12).

3 Download the appropriate LAM file from the LED site to a temporary directory and execute the setup.exe file in the zip file to extract the Audit Manager installation set and start the installation process.

4 After a few seconds, the Audit Manager Software License Agreement screen opens.

5 Read the software license agreement; click Yes to accept it. The Welcome screen appears.

6 Read the Welcome screen and click Next.
Result: The Choose Destination Location screen opens.

7 The Choose Destination Location screen shows the directory where the files will be stored. If necessary, click Browse to change the destination directory for the Audit Manager software, and click Next.

Result: The Audit Manager 1.7 Installation Components and Sub-components screen opens.
The left side of the Components list box shows the packages available with the Audit Manager product or components. The list box on the right side contains the subcomponents belonging to each component. You must select the components and then select the subcomponents. For example, after you select the Audit Client Package, you select the subcomponents you want to install from the list box on the right.

Important! The Audit Manager files are installed only in the AuditManager subdirectory under the existing QIPHOME directory (for example, c:\qip). If the QIPHOME directory does not exist, it is created during the installation.

8 If you want to install only one component of Audit Manager, click in front of the component's name. A check mark appears indicating the component has been selected. For example, if you want to install only the Audit Server Package, click in front of the Audit Server Package. Then go to the appropriate section in this chapter that provides instructions on how to install the component. In this case, you would go to To install the Audit Manager server package.

END OF STEPS
To install the Audit Manager server package

Purpose
This procedure describes how to install the Audit Manager enterprise server within a multi-server environment. If you have problems installing the software, call the Technical Assistance Center at 1-866-Lucent8 (582-3688).

Hard disk and memory requirements may have to be increased based on the number of IP addresses you want to audit. Refer to Disk space estimation (p. 2-3).

Important! If you are planning to use Sybase as your database, it must be installed before installing the Audit Manager enterprise server. Follow the procedures in Appendix A of the VitalQIP Installation Guide.

Important! If you are installing Audit Manager enterprise server on a separate enterprise server from VitalQIP, you must use the VitalQIP installer to install Message Service (Distributed Service) first. Then install Audit Manager.

Procedure
To install the Audit Manager enterprise server, follow these steps:

1 Follow the instructions in To install Audit Manager on Windows (p. 4-2).

Result: The Audit Manager 1.7 Installation Components and Sub-components screen should be displayed.

2 In the Components list box, click beside Audit Server Package.

Result: A check mark appears indicating the component has been selected.

3 From the list box on the right, select the subcomponents to be installed. Refer to Table 4-1 for descriptions of these subcomponents.

Table 4-1 Audit Manager Server Package subcomponents

Subcomponent: GUI
  Description: Required. Installs the Audit Manager Graphical User Interface.

Subcomponent: Help Files
  Description: Optional. Installs the Help files for the Audit Manager GUI.
Subcomponent: CLIs
  Description: Optional. Installs the Command Line Interface programs.

4 Click Next when all subcomponents have been selected.

Result: The Get License Key screen opens.

Important! You must obtain a license key from the Technical Assistance Center at 1-866-Lucent8 (582-3688) before continuing with the installation.

5 Fill in your company name, the serial number, and the license key, and click Next.

Result: A message opens asking you to confirm that you have Administrator privileges.

6 Click Yes to continue.
Result: The Determine Database Type screen opens.

7 Click the Sybase or Oracle option button for the type of database that is to be used by the Audit Manager server and click Next.

Result: The SYBASE or ORACLE Home Directory Selection screen opens.

8 If you clicked Sybase in the previous step, refer to To install the Audit Manager server on Sybase (p. 4-8). If you clicked Oracle, go to To install the Audit Manager server on Oracle (p. 4-16).

END OF STEPS
To install the Audit Manager server on Sybase

Purpose
To install Audit Manager server on Sybase.

Procedure
To install Audit Manager on Sybase, follow these steps:

1 Refer to step 6 in the previous section. When Sybase is the selected database type, the SYBASE Home Directory Selection screen opens.

2 This screen shows the destination directory for the Sybase database. If necessary, click Browse to change the destination directory and then click Next.

Result: The Sybase Data & Log Directory screen opens.

3 The Sybase Data & Log Directory screen shows the directory where the data is to be stored. If necessary, click Browse to change the destination directory. Click Next.
Result: The Obtain AUDIT DATASERVER Value screen opens.

4 In the Obtain AUDIT DATASERVER Value screen, enter the name of the Audit Manager database server (for example, LAMSYBASE). This identifies the type of database on which you are installing Audit Manager. Click Next.
Result: The Service Controller dialog appears with a Question dialog box superimposed.

Important! As a default, the service for Sybase is not listed. You may need to configure the Service Controller to display the service. Refer to Configure the Service Controller, in Chapter 2 of the VitalQIP Administrator Reference Manual.

5 Drag the Question dialog out of the way and confirm that the Sybase server you selected in the previous step has a status of Started. If not, select the database entry and click Start. After you have confirmed that the Audit Manager enterprise server database has started, click Yes in the Question dialog box.

6 The installation checks to see if a version of the Audit Manager database is installed.

If there is a current version of the Audit Manager database, a dialog box opens asking if you want to keep your old data. Click Yes to keep your old data or No to delete the old data.
If you choose to keep the old data, a dialog box opens requesting the Audit Manager export directory location. Change the destination, if necessary, and then click Next. The default destination is c:\qip\auditmanager\export.

If there is an out-of-date version of the Audit Manager database, a dialog box opens asking if you want to upgrade it.

If there is an out-of-date version of the Audit Manager database that requires a patch, a dialog box opens asking if you want to apply the patch.

When Sybase is the selected database type, the installation checks to see if there is an Audit Manager database installed. If the Audit Manager database is not installed, a message box appears asking if you want to calculate the database size. Go to the next step if the Audit Manager database is not installed. Otherwise, you may skip the Audit Manager calculation steps.

If an Audit Manager database does not exist, a dialog box opens. Click Yes to calculate the database size or click No, if you do not want to calculate the size. If you clicked Yes, the Auto Calculate screen opens.
7 The Auto Calculate screen automatically calculates the size of your Audit Manager database. Enter the number of DHCP leases, static objects, and NT logins/logouts that Audit Manager can manage. Click Next.

Result: The Audit Manager Data & Log Size Specification screen opens.

8 The sizes of the Data, Log, and TempDB files are automatically calculated. Change the values in the Data (MB), Log (MB), and TempDB (MB) fields, if necessary. However, Alcatel-Lucent recommends that you accept the calculated values if you do not have proficient knowledge of Sybase. If you choose to change the values, you must calculate the amount of disk space you need (refer to Disk space estimation (p. 2-3)). Click Next.
Result: The Audit Server IP Address screen opens.

9 Verify that the IP address in the Audit Manager Server field is correct. If necessary, change the default Audit Manager IP address. Click Next.

Result: The Login Server IP Address screen opens.

10 Verify that the Login Server IP Address field is correct and click Next.
Result: The Obtain SMTP Server screen opens.

11 The Obtain SMTP Server screen requires that you enter the host name or IP address of your e-mail server if you plan on sending e-mail alerts. For information on configuring alerts, refer to Alert configuration (p. 6-9). Enter your e-mail server host name or IP address and click Next.

Important! The SMTP server can be set up (or changed) after the installation. For more information on setting up or changing these values, refer to VitalQIP Audit Update Service - qip-auditupdated (p. 9-9).

12 The Start Copying Files screen opens. Verify that the settings displayed in the Current Settings list box are correct and click Next.

13 When the question screen appears, check that VitalQIP and Service Controller windows are closed and click OK.

Result: The installation begins.
14 When the installation is complete, the Setup Complete screen opens. Click Finish and reboot your server.

END OF STEPS
To install the Audit Manager server on Oracle

Purpose
To install Audit Manager on Oracle.

Procedure
To install Audit Manager on Oracle, follow these steps:

1 Refer to step 6 in To install Audit Manager on Windows (p. 4-2). When Oracle is the selected database type, the ORACLE Home Directory Selection screen opens.

2 The above illustration shows the destination directory for the Oracle database. If necessary, click Browse to change the destination directory and click Next.
Result: The Obtain AUDIT DATASERVER Value screen opens.

3 In the Obtain AUDIT DATASERVER Value screen, enter the name of the Audit Manager database server (for example, LAMORACLE). This identifies the type of database on which you are installing Audit Manager. Click Next.

4 The installation procedure checks to see if an existing Audit Manager database version is installed:

If there is a current version of the Audit Manager database, a dialog box opens asking if you want to keep your old data. Click Yes to keep your old data or No to delete the old data.

If you choose to keep the old data, a dialog box opens requesting the Audit Manager export directory location. Change the destination if necessary. The default destination is c:\qip\export.

If there is an out-of-date version of the Audit Manager database, a dialog box opens asking if you want to upgrade it.

If there is an out-of-date version of the Audit Manager database that requires a patch, a dialog box opens asking if you want to apply the patch.

Click Next.

Result: A message asking whether you have edited the tab_storage.conf file to modify the necessary extent specifications appears.
5 Before responding to the question, modify the following file using a text editor:

    QIP\AuditManager\script\tab_storage.conf

For more information about this file, refer to Preliminary steps for the installation of Audit Manager and Oracle (p. 2-12). After you have modified the file, click Yes or click No to return to the previous screen.

Result: If you clicked Yes, the Audit Server IP Address screen opens.

6 Verify that the address in the IP Address field is correct. If necessary, change the default Audit Server IP address. Click Next.
Result: The Login Server IP Address screen opens.

7 Verify that the Login Server IP Address field is correct and click Next.

Result: The Obtain SMTP Server screen opens.

8 The Obtain SMTP Server screen requires that you enter the host name or IP address of your e-mail server if you plan on sending e-mail alerts. (For information on alerts, refer to
Alert configuration (p. 6-9).) Enter your e-mail server host name or IP address and click Next.

Important! The SMTP server can be set up or changed after the installation. For more information on setting up or changing these values, refer to VitalQIP Audit Update Service - qip-auditupdated (p. 9-9).

9 The Start Copying Files screen opens. Verify that the settings displayed in the Current Settings list box are correct and click Next.

10 When the question dialog box appears, check that VitalQIP and Service Controller windows are closed and click OK.

Result: The installation begins.

11 When the installation is complete, the Setup Complete screen opens. Click Finish and reboot your server if you want.

END OF STEPS
To install the Audit Manager Client

Purpose
The Audit Manager client provides access to the Audit Manager database. The client can be installed on any machine that has a QIPHOME directory. The Sybase client must be installed before the Audit Manager client so that it is able to connect to the Sybase database on the Audit Manager server. If Oracle is your relational database, you must install an Oracle client.

Before you begin
Important! Sybase client does not need to be installed on an Audit Manager server when the Audit Manager server and VitalQIP server coexist on the same machine.

If you are installing Audit Manager client on a platform that does not have a VitalQIP Message Service running locally, you need to add (or set) the QIPMESSAGESERVICE environment variable. The IP address of the platform where the VitalQIP Message Service is installed should be the value of the QIPMESSAGESERVICE variable.

Procedure
To install the Audit Manager client, follow these steps:

1 Follow the instructions in To install Audit Manager on Windows (p. 4-2).

Result: The Audit Manager 1.7 Installation Components and Sub-components screen is displayed.

2 In the Components list box, click beside Audit Client Package.

Result: A check mark appears indicating this component has been selected.

3 From the list box on the right, select the subcomponents to be installed. Refer to the following table for descriptions of these subcomponents.

Table 4-2 Audit Client Package subcomponents

Subcomponent: GUI Client
  Description: Required. This installs the user interface for Audit Manager.
Subcomponent: CLIs
  Description: Optional. Installs the Command Line Interface programs.

4 Click Next when all subcomponents have been selected.

Result: The Determine Database Type screen opens. If you select Sybase as your database type, go to the next step. If you select Oracle as your database type, you can skip to step 7.

5 SYBASE ONLY. Click Next.
Result: The SYBASE Home Directory Selection screen opens.

6 The SYBASE Home Directory Selection screen shows the destination directory for the Sybase client files. If necessary, click Browse to change this directory.

7 SYBASE and ORACLE. Click Next.

Result: The Obtain AUDIT DATASERVER Value screen opens.
8 Enter the name of the Audit Manager database server to identify the type of database on which you are installing Audit Manager (for example, LAMSYBASE for Sybase or LAMORACLE for Oracle).

Important! If Sybase is the selected database type, the name must match the adaptive server name (Step 3 in the To install the Audit Manager server package section of this chapter). Otherwise, the installation will fail.

Click Next.

Result: The Audit Server IP Address screen opens.

9 In the IP Address field, enter the IP address of the Audit Manager enterprise server and click Next.
Result: The Login Server IP Address screen opens.

10 Enter the Login Server IP Address and click Next.

Result: SYBASE ONLY. The Obtain Database Port Number screen opens. Enter the port number of the database server.

11 Click Next.

Result: The Start Copying Files screen opens.

12 After verifying that the settings in the Current Settings list box are correct, click Next. When the question dialog box appears, check that VitalQIP and Service Controller windows are closed and click OK.

Result: The installation begins.

13 When the installation is complete, the Setup Complete screen opens. Click Finish and reboot your server.

END OF STEPS
To install the Domain Control Package

Purpose
The Domain Control Package is installed on a Domain Controller. This package permits a Domain Controller (a machine dedicated to processing user authentication for Windows Domain) to access the Audit Manager database where Audit Manager can audit logins to the Domain Controller. (For more information about this service, refer to VitalQIP Domain Controller Logon Audit Service (p. 9-22) and VitalQIP Kerberos Domain Controller Logon Audit Service (p. 9-25).)

During the installation, you are presented with the option to install the Domain Controller Service only if the installation has identified that the machine is a Domain Controller. If your machine is not a Domain Controller, you are not presented with the option to install the package.

Before you begin
Prior to installing the Domain Control package on a Windows 2000/2003 DC, you must use the VitalQIP installer to install Message Service (Distributed Service) first. Then follow the instructions for installing the Domain Control package.

Procedure
To install the Domain Control Package, follow these steps:

1 Follow the instructions in To install Audit Manager on Windows (p. 4-2).

Result: The Audit Manager 1.7 Installation Components and Sub-components screen is displayed.

2 In the Components list box, click beside Domain Control Package.

Result: A check mark appears indicating this component has been selected.

3 From the list box on the right, select the subcomponents to be installed. Refer to Table 4-3 for a description of this subcomponent.
Table 4-3 Domain Control Package subcomponent

Subcomponent: Library
  Description: Required. Install the library needed to operate the Domain Controller Server.

4 Click Next when the subcomponent has been selected.

Result: The Start Copying Files screen opens.

5 Verify that the settings in the Current Settings list box are correct and click Next. After a few moments, the Setup Complete screen opens.

6 The Setup Complete screen indicates the installation is complete. Click Finish and reboot your server if you want.

END OF STEPS
To uninstall Audit Manager

Purpose
If you need to re-install Audit Manager, it is recommended that you uninstall it first.

Procedure
To uninstall Audit Manager, follow these steps:

1 Select Uninstall Audit Manager from the Start > All Programs > Lucent Audit Manager menu.

Result: The Choose Destination Location screen opens.

2 The Choose Destination Location screen displays the directory where the Audit Manager software is stored. If necessary, click Browse to change the destination directory for the Audit Manager software. Click Next.

Result: The Select Products to Remove screen opens.

3 The Select Products to Remove screen shows a list of installed components. You may see more items than shown above. Select the component that you want to uninstall by clicking in front of the component.

Result: A check mark appears to indicate the component to be uninstalled.

4 Click Next.

Result: Depending on the component you selected to uninstall, you could be required to name the location of the files.

5 Proceed with the instructions shown on the screen.

END OF STEPS
5 Getting started

Overview

Purpose
This chapter describes how to get started with Audit Manager.

Contents
This chapter contains the following topics.

Additional Sybase configuration for UNIX users
Start and stop the Audit Manager database
Start and stop the services
The Audit Manager system
To log in
To change your password
To exit Audit Manager
Additional Sybase configuration for UNIX users

Introduction
The VitalQIP installation makes changes to the Sybase database. Because of these changes, UNIX users need to perform additional configuration tasks after Sybase and the Audit Manager server have been installed.

Configure the Sybase directory configuration file
The Audit Manager server installation modifies the Sybase configuration file located in the Sybase home directory in order to change and/or increase certain Sybase configuration parameters. Audit Manager requires these modifications. The parameters that are modified by Audit Manager are:

    max memory = 50000
    procedure cache size = 12500
    number of locks = 100000
    lock scheme = datarows

Table 5-1 describes the parameters.

Table 5-1 Description of Sybase parameters

Parameter: Max memory
  Description: Specifies the maximum amount of total physical memory that you can configure the Adaptive server to allocate. The default value is platform-dependent. The Audit Manager installation sets it to 50000, which is roughly 100MB for a minimum setting. Tune this value to obtain maximum performance within Sybase and the Audit Manager application.

Parameter: Procedure Cache Size
  Description: Specifies the size of the procedure cache in 2K pages. The Adaptive server uses the procedure cache while running stored procedures. If the Adaptive server finds a copy of a procedure already in the cache, it does not need to read it from the disk. The Adaptive server also uses space in the procedure cache to compile queries while creating stored procedures. The default value is 3271. The Audit Manager installation sets it to 12500, which is roughly 25MB for a minimum setting. Tune this value to obtain maximum performance within Sybase and the Audit Manager application. The procedure cache size cannot exceed the setting of max memory.
Parameter: Number of locks
  Description: The number of locks parameter sets the total number of available locks for all users on the Adaptive server. The total number of locks needed by the Adaptive server depends on the number and nature of the queries that are running. The number of locks required by a query can vary widely, depending on the number of concurrent and parallel processes and the types of actions performed by the transactions. The default value is 5000. The Audit Manager server sets this to 100000 due to possible large transactions within Audit Manager. This can be increased based on the amount of data that is being operated on in the Audit Manager database.

Parameter: Lock scheme
  Description: Lock scheme sets the default locking scheme to be used by create table and select into commands when a lock scheme is not specified in the command. The default value is allpages. The Audit Manager application requires this to be set to datarows to avoid contention and deadlocks.

Configure the server.properties file
For Linux and Solaris platforms, you must edit the <server>.properties file so Sybase finds the permanent license file installed by Audit Manager. To edit the file, perform the following steps:

1 Edit the file /SYBASEHOME/ASE-15_0/sysam/<Server Name>.properties.

2 Change the line that reads LT to LT=AR

END OF STEPS
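A drift check for the four parameters listed under Configure the Sybase directory configuration file, added here as an example; it is not part of the Alcatel-Lucent guide or the Audit Manager product. It assumes the Adaptive Server configuration file holds name = value lines under bracketed section headers and may contain the literal DEFAULT; the function names, section names and both sample files are constructed for illustration.

```python
"""Check a Sybase configuration file against the values the Audit Manager
server installation sets, as listed in the guide."""

# Numeric values are treated as minimums because the guide says they may be
# tuned upward; the lock scheme must match exactly.
REQUIRED_MINIMUMS = {
    "max memory": 50000,            # guide: roughly 100MB
    "procedure cache size": 12500,  # guide: 2K pages, roughly 25MB
    "number of locks": 100000,
}
REQUIRED_LOCK_SCHEME = "datarows"

# Constructed sample: the state right after the Audit Manager installation.
SAMPLE_AS_INSTALLED = """
[Physical Memory]
    max memory = 50000
[SQL Server Administration]
    procedure cache size = 12500
[Lock Manager]
    number of locks = 100000
    lock scheme = datarows
"""

# Constructed sample: a file that was edited or regenerated afterwards.
SAMPLE_DRIFTED = """
[Physical Memory]
    max memory = 50000
[SQL Server Administration]
    procedure cache size = 60000
[Lock Manager]
    number of locks = DEFAULT
    lock scheme = allpages
"""


def parse_config(text):
    """Return {parameter name: raw value} for every 'name = value' line.

    Assumption: comments start with '#' and sections look like '[Name]'.
    """
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("["):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip().lower()] = value.strip()
    return params


def as_int(value):
    """Return the value as an int, or None for DEFAULT, missing or non-numeric."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def audit_config(text):
    """Return a list of findings; an empty list means the file is compliant."""
    params = parse_config(text)
    findings = []
    for name, minimum in REQUIRED_MINIMUMS.items():
        raw = params.get(name)
        number = as_int(raw)
        if raw is None:
            findings.append(f"{name}: not present")
        elif number is None:
            findings.append(f"{name}: '{raw}' is not an explicit value "
                            f"(installation sets {minimum})")
        elif number < minimum:
            findings.append(f"{name}: {number} is below {minimum}")

    scheme = params.get("lock scheme")
    if scheme is None:
        findings.append("lock scheme: not present")
    elif scheme.lower() != REQUIRED_LOCK_SCHEME:
        findings.append(f"lock scheme: '{scheme}', expected {REQUIRED_LOCK_SCHEME}")

    # The guide states the procedure cache size cannot exceed max memory.
    cache = as_int(params.get("procedure cache size"))
    memory = as_int(params.get("max memory"))
    if cache is not None and memory is not None and cache > memory:
        findings.append(f"procedure cache size {cache} exceeds max memory {memory}")
    return findings


if __name__ == "__main__":
    for label, sample in (("as installed", SAMPLE_AS_INSTALLED),
                          ("drifted", SAMPLE_DRIFTED)):
        print(label, "->", audit_config(sample) or "compliant")
```

Running the check after Sybase upgrades or manual tuning catches a lock scheme that has fallen back to allpages, which the guide ties to contention and deadlocks.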
Start and stop the Audit Manager database

Start and stop Sybase
A few basic start-up rules must be followed before you can navigate the Audit Manager system for any purpose. You must start your relational database system (Oracle or Sybase) and all the required services.

Before you begin to use the Audit Manager system, you must start the Sybase SQL Manager. To start or stop the Sybase SQL Manager on UNIX or Windows, follow these instructions.

For UNIX
To start Sybase, type the following at the command line:

    # cd $SYBASE/install
    # RUN_[SQL Server Name] &

To stop Sybase, type the following at the command line:

    # isql -U <sa_login> -P <sa_password> -S <database_name>
    1> shutdown
    2> go

For Windows
The Sybase SQL Manager may be started from the Windows Services utility. The instructions provided are for Sybase database users only. To start Sybase SQL Manager from Services, follow these steps:

1. Access Sybase Central from Start > All Programs > Administrative Tools > Services. The Services window opens.
2. From Services, select the name of the Sybase server (for example, Sybase SQL Server_<server_name>).
3. Use the Start Service icon to start the Sybase server or use the Stop Service icon to stop the Sybase server. Alternatively, you can start and stop the server by selecting and then right-clicking the server name and then selecting Start or Stop from the pop-up menu.

Start and stop Oracle
Before you begin to use the Audit Manager system, Oracle must be started. Refer to your Oracle database administrator (DBA) to start or stop your Oracle database for UNIX and Windows.
Start and stop the services

Audit Manager services run on different types of systems. The Audit Manager Schedule Service runs on the Audit Manager enterprise server. Other services can run on different machines, depending on your configuration needs. The VitalQIP Domain Controller Logon Audit Service and VitalQIP Kerberos Domain Controller Logon Audit Service run only on a Domain Controller. Audit Manager uses the VitalQIP Message Service, which can be found on a Domain Controller, Audit Manager enterprise server, DHCP server, VitalQIP Graphical User Interface, and/or the VitalQIP enterprise server (if used with Audit Manager).

The following table gives a brief summary of the services used by Audit Manager, the daemons associated with the services, the machines they run on, and the supported platforms.

Table 5-2 Audit Manager services

Service: VitalQIP Audit Schedule Service
  Daemon: qip-auditsched
  Function: Controls and maintains the Audit Manager database by archiving DHCP lease information, VitalQIP static/dynamic object definitions, and Domain Controller login/logout information in the Audit Manager database.
  Runs on: Audit Manager enterprise server
  Platforms: UNIX and Windows

Service: VitalQIP Audit Update Service
  Daemon: qip-auditupdated
  Function: Updates the Audit Manager database with information received from the Message Service. Applies alerts that are configured through the Audit Manager GUI. Retrieves connection information for the Audit Manager database from the Login Service.
  Runs on: Typically on Audit Manager enterprise server or VitalQIP enterprise server but could be installed on remote server or client
  Platforms: UNIX and Windows

Service: VitalQIP Domain Controller Logon Audit Service
  Daemon: None
  Function: Sends login and logout information to the Message Service.
  Runs on: Domain Controller
  Platforms: Windows only
Service: VitalQIP Kerberos Domain Controller Logon Audit Service
  Daemon: None
  Function: Sends login and logout information to the Message Service.
  Runs on: Domain Controller
  Platforms: Windows 2000/2003

Services on UNIX
Audit Manager includes daemons/services that run on the Audit Manager server. They are installed during the installation process. Before you start the daemons/services, Sybase or Oracle must be running. To start the daemons/services, run the lam-es-startup script. All daemons are started from a command line or via the startup script.

Important! Ensure that qip-es-startup has already been run.

Services on Windows
Audit Manager services can be run on all supported Windows platforms in two ways: through the VitalQIP Service Controller (if VitalQIP is also installed on the same platform) or through the Windows Services window (accessed via Start > All Programs > Administrative Tools > Services). The Services window opens.

You can run Audit Manager services on Windows by using the VitalQIP Service Controller (Start > All Programs > Lucent VitalQIP > VitalQIP Service Controller). The Service Controller allows you to start and stop Audit Manager services.

Important! If VitalQIP is not installed on the Audit Manager enterprise server, the VitalQIP Services Controller is not available. Either use Windows Services (Start > All Programs > Administrative Tools > Services), or install a VitalQIP service (which will automatically install the VitalQIP Services Controller). Add the Audit Schedule Service and Audit Update Service manually, as described in Chapter 3 of the VitalQIP Administrator Reference Manual.

The VitalQIP Service Controller displays messages about the events that occur related to Audit Manager services. It also allows you to save the Audit Manager service log as a text or comma-delimited file.
The VitalQIP Service Controller can be configured to start, stop, and view events for any Windows services, in addition to Audit Manager services. For example, the Apache and SQL server can be added to the VitalQIP Service Controller to monitor their operability. For further information on using the Service Controller, refer to Chapter 2 of the VitalQIP Administrator Reference Manual.
The Audit Manager system

The following are a few shortcuts for using the Audit Manager system:

Enter a date and time
The standard format for entering a date and time is mm/dd/yyyy hh:mm (month/day/year hours:minutes). The mmddyy format is rejected.

Get help
Open the Help menu to access a table of contents. Context-sensitive help can also be accessed by clicking the Help button.

Cancel a function
At times, you may need to cancel a function. Clicking Cancel cancels a function and exits the screen without saving data.

Exit a screen
Click Close to exit a screen and return to the previously opened screen (if the previous screen is available).

Menus
The Audit Manager GUI has six menus that can be accessed from the main Audit Manager screen. These menus provide access to major functions, such as generating reports and configuring the Audit Manager database. The menus and options available for each menu are described in the following table.
Table 5-3 Audit Manager GUI menus

Menu: File
Description: The File menu provides options for saving search criteria, loading saved search criteria, changing your password, sending search criteria to another user, and exiting the Audit Manager GUI.
Options:
- Open: This option loads previously saved search criteria.
- Save: Current search criteria can be saved using this option. By saving search criteria into a file, the file can be loaded at another time and the search criteria reused.
- Send To: Saved search criteria can be sent through email to another user.
- Change Password: Provides the ability to change the password for the current user.
- Exit: This option exits the Audit Manager GUI.

Menu: Results
Description: The Results menu is used in conjunction with the Audit Manager screen. Search results can be exported to a flat file outside the Audit Manager GUI. They can be imported back into the Audit Manager screen.
Options:
- Import: This option imports data results into the Audit Manager screen of Audit Manager.
- Export: This option exports search results obtained by searching the Audit Manager database to a flat file.
- Send to: Search results can be sent to another user using this option.

Menu: Reports
Description: The Reports menu gives access to audit reports to aid in the management and maintenance of Audit Manager.
Options:
- DHCP Server Audit: A report that tracks lease activities of a DHCP Server.
- General Audit: A report can be generated for an IP address, MAC address, hostname, domain, type, and/or Login ID.
- Login ID Audit: This option can generate audit reports for a user.
- Alert Audit: Audit reports can be generated for configured alerts, which occurred in the Audit Manager database.
- Domain Controller Audit: A report can be generated for specific logon/logout activity of a Domain Controller.

Menu: Administration
Description: The Administration menu is only available for administrators. The menu is enabled when the Administrator option is enabled in the Users screen. (Refer to User management (p. 6-13) for more details.) When the Administration menu is enabled, administrators and users can be added, modified, or deleted. The Audit Manager database can also be configured, archive data can be saved or restored, and alerts can be added or deleted.
Options:
- Users: With this option, users and administrators can be added, deleted, or modified.
- Database Configuration: This option provides you with the ability to configure the Audit Manager database for archiving. The message types to be audited are also configured through this option.
- Load Archive Data: This option allows the administrator to load archived data into Audit Manager.
- Alerts: This option enables you to configure alert filters for hostnames, IP addresses, and MAC addresses. The actions to take place when an alert is triggered are also defined through this screen.

Menu: View
Description: The View Menu allows you to specify which columns should be displayed in the Search Results table at the bottom of the Audit Manager main GUI window. Audit Manager defaults to all columns selected except the Relay Agent Information columns.
Options: The following column selections are available:
- Audit Date
- Type
- IP Address
- MAC Address
- Hostname
- Domain
- Login ID
- Grant Date
- Expiration Date
- NT Domain
- Data Source
- Relay Agent Information Sub-options Circuit ID
- Relay Agent Information Sub-options Remote ID
- Relay Agent Information Sub-options Device Class
- Relay Agent Information Sub-options Subnet Selection
- Relay Agent Information Option (raw Option 82 data)
- Save on Exit
To remove a column in the Search Results table, uncheck the view you no longer require. To save the layout for future use, check Save on Exit.

Menu: Help
Description: The Help menu has options to access help regarding the operation of the Audit Manager System.
Options:
- Contents: This option accesses online help documentation using standard help features, such as Contents, Index, and hyperlinks.
- Technical Support: This option accesses technical support information, such as the telephone number and web site address.
- About: This option provides access to information about the installed version of Audit Manager.
To log in

Before you begin
Before you can access the GUI, the Audit Manager database and services must be running. Refer to Start and stop the services (p. 5-5) for more information.

Procedure
To access the GUI, follow these steps:

1 Select Start Programs Lucent Audit Manager Audit Manager.
  Result: The Audit Manager login screen opens.
2 In the Database field, select the database.
3 In the User Name field, enter the user name.
4 In the Password field, enter your password and press Enter.
  Important! For the initial login, you can use lamman for the user name and password. After logging onto the GUI, change the lamman password to prevent access by unauthorized users. This user name has administrative privileges, such as configuring the Audit Manager database and adding, modifying, and deleting users. When additional administrators are added, the lamman user name can be deleted by another administrator. Refer to User management (p. 6-13) for more information on changing privileges.
  Result: If you have more than one organization assigned to you, the Organization Selection screen is displayed.
5 Select the organization you wish to use and click Continue.

END OF STEPS
To change your password

Purpose
For security reasons, you should change your password after logging in for the first time.

Procedure
To change your password, follow these steps.

1 Select the Change Password option from the File menu.
  Result: The Change Password screen opens.
2 In the Old Password field, enter your original password.
3 In the New Password field, enter a new password.
  Important! The password must be at least six alphanumeric characters long.
4 In the Confirm Password field, re-enter the new password and click OK.
  Result: A confirmation message appears.
5 Click OK. The new password becomes effective with your next login.

END OF STEPS
To exit Audit Manager

Purpose
This section describes how to exit Audit Manager.

Procedure
To exit the Audit Manager GUI, follow these steps:

1 Select the Exit option from the File menu.
  Result: A message appears asking you if you want to exit.
2 Click Yes to exit, or click No if you do not want to exit.

END OF STEPS
6 Audit Manager administration

Overview

Purpose
The Audit Manager Administration menu allows you to perform the following functions:
- Configure operational characteristics of Audit Manager.
- Configure alert messaging characteristics.
- Add, modify, or delete administrators and users.

Contents
This chapter contains the following topics.
- To configure the Audit Manager database
- To load archived data
- Alert configuration
- To add alerts
- To delete alerts
- User management
- To add a user
- To modify a user
- To delete a user
- To set up Audit Manager organization IDs
- LAMsync
To configure the Audit Manager database

Purpose
After you have installed the Audit Manager database, the database needs to be configured. Configuring the database assists in maintaining the size of the database and includes:
- Limiting the database to the number of records that can remain in the database before archiving
- Choosing to archive and/or delete old records
- Selecting the time of day that records are to be archived and/or deleted
- Choosing what types of records are audited

Important! Only users with administrative status can configure the Audit Manager database.

Before you begin
When audit data is stored, the date used in the filename is converted to Greenwich Mean Time (GMT), whereas the date in the archive data is stored in local time. In the Eastern Time Zone, this results in archive data content displaying a date that is GMT-05:00 (or GMT-4:00 when Daylight Saving Time (DST) is in effect) versus the date in the filename. For example, the first archive data entry in a LAMar_audit_comb file containing the date string 20050405203933 reads 04/05/2005 16:39:33, and the last archive data entry in a LAMar_audit_comb file containing the date string 20050422170259 reads 04/22/2005 13:02:59.

Procedure
To configure the Audit Manager database, follow these steps:

1 In the Audit Manager main screen, select the Database Configuration option from the Administration menu.
  Result: The Database Configuration screen opens.
2 In the Audit Types drop-down list, select one or more of the following message types:
  - DHCP Lease Decline
  - DHCP Lease Grant
  - DHCP Lease Renew
  - DHCP Lease Release
  - Domain Controller Login
  - Domain Controller Logout
  - Kerberos Domain Control Login
  - Kerberos Domain Control Logout
  - VitalQIP Dynamic Address Add
  - VitalQIP Dynamic Address Delete
  - VitalQIP Dynamic Address Modify
  - VitalQIP External Add
  - VitalQIP External Modify
  - VitalQIP External Delete
  - VitalQIP Static Address Add
  - VitalQIP Static Address Delete
  - VitalQIP Static Address Modify
  Important! Audit Manager only tracks VitalQIP static and dynamic object modifications for the MAC Address field, IP Address field, Hostname (Object Name) field, and usage billing fields. The usage billing fields (Billing Location, Billing User Group, and Billing Class) do not appear in the GUI or reports. You can only access billing information using the lam-getaudithistorydata command, described on page 10-22.
3 In the Data Options box, check the Store Relay Agent Information Option data check box if you wish to store Option 82 (Relay Agent Information Option) data in the Audit Manager database. When checked, Audit Manager will store the Agent Circuit ID and Agent Remote ID sub-options (defined in RFC 3046), the DOCSIS Device Class sub-option (defined in RFC 3256), the Link Selection sub-option (defined in RFC 3527; this field is also identified as Subnet Selection when entering Search Criteria), as well as the raw Option 82 data.
4 In the Database Limits box, select the number of days or the number of records that are to remain in the database after archiving.
  To keep a designated number of days worth of records after archiving, do the following:
  - Click the Number of Days radio button.
  - In the Number of Days field, enter the number of days that the records are to be kept after the archiving process has occurred. For example, if the number of days specified is 90, then records for the past 90 days are kept in the database after the archiving process has occurred. The number of days specified must be between 1 and 32,000. (The default number of days is 90.) The records are archived and/or deleted after the specified number of days has been reached.
  To keep a designated number of records after archiving, do the following:
  - Click the Number of Records radio button.
  - In the Number of Records field, enter the number of records that are to be kept after the archiving process has occurred. For example, if the number of records specified is 5000, then 5000 records are kept in the database after the archiving process has occurred. The number of records specified must be between 1 and 4,000,000,000. (The default number of records is 5000.) The records are archived and/or deleted after the specified number of audit records has been reached.
5 From the Archive Options box, click one of the archive option radio buttons described in the following table.

  Table 6-1 Archive Options

  Archive option: Delete Records
  Action: Removes records from the Audit Manager database.

  Archive option: Archive then Delete Records
  Action: Records are archived to an ASCII file and then removed from the Audit Manager database at the specified date and time. You must specify the directory in the Directory field where the records are to be archived.

  Archive option: Do Not Delete Records
  Action: Records are not archived or deleted. All records are kept in the Audit Manager database.

6 In the Time of Day to Delete and/or Archive Records field, enter the time the archive function is to be performed in one of the following ways:
  - Use the arrows to change the hour, minutes, seconds, or AM/PM.
  - Type the hour, minutes, seconds, or AM/PM directly into the field.
  Important! The archiving process runs once a day. If the archive time is changed and an archiving process has already occurred for that day, the next archiving process is not executed until the specified time on the following day.
7 Click OK to save the settings.

During the archiving process, archiving utilities produce the following files that can be used for troubleshooting:
- LAMar_triggered.yyyymmddHHMMSS.yyyymmddHHMMSS.qef
- LAMar_audit.yyyymmddHHMMSS.yyyymmddHHMMSS.qef
- LAMar_search.yyyymmddHHMMSS.yyyymmddHHMMSS.qef

These files are named according to the start date and end date of the date range, where
- yyyy = year
- mm = month (01-12)
- dd = day (01-31)
- HH = hour (00-23)
- MM = minutes (00-59)
- SS = seconds (00-59)

END OF STEPS
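The Relay Agent Information sub-options named in step 3 can be decoded from the raw Option 82 data with a bounds-checked parser like the one below. This is an added example, not Audit Manager code: the sub-option codes (1, 2, 4, 5) come from the RFCs the guide cites, the function and field names are hypothetical, the sample bytes are constructed, and the input is assumed to be the option value without the leading option code and length bytes.

```python
import ipaddress

# Sub-option codes, taken from the RFCs the guide cites (not from Audit Manager).
CIRCUIT_ID = 1       # RFC 3046, Agent Circuit ID
REMOTE_ID = 2        # RFC 3046, Agent Remote ID
DEVICE_CLASS = 4     # RFC 3256, DOCSIS Device Class
LINK_SELECTION = 5   # RFC 3527, Link Selection ("Subnet Selection" in the GUI)

CCCM_BIT = 0x00000001  # bit #0: CPE Controlled Cable Modem (CCCM)


class Option82Error(ValueError):
    """Raised when the raw bytes are not a well-formed sub-option list."""


def parse_option82(raw: bytes) -> dict:
    """Decode an Option 82 value into the fields the guide lists.

    Assumption: `raw` is the option value only (no option code 82, no length).
    Relay agents supply this data, so every length is checked before use.
    """
    fields = {
        "circuit_id": None, "remote_id": None, "device_class": None,
        "cccm": None, "reserved_bits_set": None,
        "subnet_selection": None, "other": {}, "raw": raw.hex(),
    }
    pos = 0
    while pos < len(raw):
        if len(raw) - pos < 2:
            raise Option82Error(f"dangling byte at offset {pos}")
        code, length = raw[pos], raw[pos + 1]
        value = raw[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise Option82Error(
                f"sub-option {code} claims {length} bytes, {len(value)} present")
        pos += 2 + length

        if code == CIRCUIT_ID:
            fields["circuit_id"] = value.hex()      # opaque, agent-local
        elif code == REMOTE_ID:
            fields["remote_id"] = value.hex()       # opaque to the server
        elif code == DEVICE_CLASS:
            if length != 4:
                raise Option82Error("Device Class must be a 32-bit field")
            bits = int.from_bytes(value, "big")
            fields["device_class"] = bits
            fields["cccm"] = bool(bits & CCCM_BIT)
            # Bits 1-31 are reserved and should be zero; report if they are not.
            fields["reserved_bits_set"] = bool(bits & ~CCCM_BIT)
        elif code == LINK_SELECTION:
            if length != 4:
                raise Option82Error("Link Selection must be an IPv4 address")
            fields["subnet_selection"] = str(ipaddress.IPv4Address(value))
        else:
            fields["other"][code] = value.hex()     # keep unknown codes visible
    return fields


# Constructed sample value (not captured from a real relay agent).
SAMPLE = bytes.fromhex(
    "0104" "00040001"          # Circuit ID, 4 bytes
    "0206" "001122334455"      # Remote ID, 6 bytes
    "0404" "00000001"          # Device Class, CCCM bit set
    "0504" "c60b0b00"          # Link Selection 198.11.11.0
)

if __name__ == "__main__":
    for key, val in parse_option82(SAMPLE).items():
        print(f"{key:18} {val}")
```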
To load archived data

Purpose
Archived files can be loaded into the Audit Manager database for troubleshooting and administrative purposes. Loading archived files can be useful for running reports on old data or searching old data.

Important! Letter cases in archived file names sometimes change when using an FTP method to transfer archived files from another system. Be aware of the correct letter casing and change the file names as appropriate. Audit Manager looks for the files in LAMar_audit.*.qef, LAMar_search.*.qef, and LAMar_triggered.*.qef file format (* indicates a time/date stamp).

Procedure
To load archived files into the database, follow these steps:

1 From the Audit Manager main screen, select the Load Archive Data option from the Administration menu.
  Result: The Archive screen opens.
2 Click List Archive Files.
  Result: The archived files appear in the Archive Files list box.
3 Select an archived file from the Archive Files list box. You can only select one file at a time. (The selected file must be loaded before selecting a new file.)
4 Load the archive file by clicking Load.
  Result: A message appears asking if you want to load the archived data.
  Important! Once you have loaded the archive file, it can only be removed from the database by clearing all archived files.
5 Click Yes to load the archived file or click No to return to the Archive screen without loading any files.
  Result: If you choose to load the archived files, the archived files appear in the Loaded Archived list box. The status for the archived files is shown in the Status column.
6 If you want to clear all loaded archive files from the database, click Clear Archive.

END OF STEPS
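The archive file naming scheme, the GMT-versus-local-time difference described under "Before you begin", and the letter-case problem after FTP transfers can all be checked before a file is offered for loading. The following is an added example, not part of Audit Manager: the function names are hypothetical, the file names in the listing are constructed from the two date strings the guide quotes, and the local offset is passed in as a fixed number of hours (an assumption that sidesteps time zone database lookups).

```python
import re
from datetime import datetime, timedelta, timezone
from typing import NamedTuple

# LAMar_<kind>.<start>.<end>.qef, matched case-insensitively so that names
# whose case was altered in transfer can be recognised and corrected.
_NAME = re.compile(
    r"lamar_(audit|search|triggered)\.([0-9]{14})\.([0-9]{14})\.qef",
    re.IGNORECASE)


class ArchiveName(NamedTuple):
    canonical: str       # name with the letter case Audit Manager looks for
    kind: str            # audit, search or triggered
    start_gmt: datetime  # filename stamps are GMT
    end_gmt: datetime
    case_ok: bool        # False if the file must be renamed before loading


def _gmt(stamp: str) -> datetime:
    # Fixed-width yyyymmddHHMMSS; datetime() rejects month 13, hour 24, etc.
    cuts = ((0, 4), (4, 6), (6, 8), (8, 10), (10, 12), (12, 14))
    return datetime(*(int(stamp[a:b]) for a, b in cuts), tzinfo=timezone.utc)


def parse_archive_name(name: str) -> ArchiveName:
    m = _NAME.fullmatch(name)
    if m is None:
        raise ValueError("not a LAMar_*.qef archive name")
    kind = m.group(1).lower()
    start, end = _gmt(m.group(2)), _gmt(m.group(3))
    if start > end:
        raise ValueError("start of date range is after its end")
    canonical = f"LAMar_{kind}.{m.group(2)}.{m.group(3)}.qef"
    return ArchiveName(canonical, kind, start, end, name == canonical)


def local_record_time(stamp_gmt: datetime, utc_offset_hours: int) -> str:
    """Render a filename stamp the way the archive data shows it (local time)."""
    local = stamp_gmt.astimezone(timezone(timedelta(hours=utc_offset_hours)))
    return local.strftime("%m/%d/%Y %H:%M:%S")


def triage(names):
    """Sort a directory listing into loadable, needs-rename and rejected."""
    out = {"load": [], "rename": [], "reject": []}
    for name in names:
        try:
            info = parse_archive_name(name)
        except ValueError as exc:
            out["reject"].append((name, str(exc)))
            continue
        if info.case_ok:
            out["load"].append(name)
        else:
            out["rename"].append((name, info.canonical))
    return out


# Constructed listing: one good name, one with altered case, three malformed.
SAMPLE_LISTING = [
    "LAMar_audit.20050405203933.20050422170259.qef",
    "lamar_search.20050405203933.20050422170259.QEF",
    "LAMar_triggered.20050422170259.20050405203933.qef",   # end before start
    "LAMar_audit.20051305203933.20050422170259.qef",       # month 13
    "../LAMar_audit.20050405203933.20050422170259.qef",    # path component
]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LISTING).items():
        print(bucket, items)
```

With an offset of -4 (Eastern Daylight Time), the two stamps reproduce the 16:39:33 and 13:02:59 readings given in the guide's example.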
Alert configuration

Audit Manager features a central alert capability that is instrumental in tracking IP address usage and in tightening network-wide security. You can define alerts to monitor activity of IP addresses, Media Access Control (MAC) addresses, or hostnames across your network. Audit Manager can email alerts to managers automatically so you can detect login or lease grants for specific users.

Important! Audit Manager can be configured to send email alerts. On Windows platforms, you set this up during the Audit Manager enterprise server installation. For more information on configuring this feature, refer to VitalQIP Audit Update Service - qip-auditupdated (p. 9-9).

Alerts can only be added or deleted by a user with administrator status. A user with administrative status sees only the alerts that the administrator has set up and not all of the alerts configured in the database. For more information, refer to User management (p. 6-13).
To add alerts

Purpose
This section describes how to add an alert.

Procedure
To add an alert, follow these steps:

1 Select the Alerts option from the Administration menu. The Alerts screen opens.
2 Refer to the following table to complete the fields in this screen. All fields are required unless specified otherwise.

  Table 6-2 Alerts fields

  Field: MAC Address
  Description: The MAC Address field triggers an alert when the defined MAC address is used.

  Field: Hostname
  Description: The Hostname field triggers an alert when the defined Hostname is used.

  Field: IP Address
  Description: The IP Address field triggers an alert when the defined IP address is used.

  Field: Additional Text
  Description: The Additional Text field is a free text field that appears in each of the alerts. All text entered in this field is applied to alert criteria currently defined in the screen.
  Important! If you intend to have an alert emailed to a System Administrator, you must enter the administrator's email address in this field. For more information about this feature, refer to VitalQIP Audit Update Service - qip-auditupdated (p. 9-9).

3 Once you have entered the alert criteria, click Add. The alert criteria appear in the Alert Criteria list box along with any additional text. All Alert Criteria fields are cleared except for the Additional Text field. Remove the remaining text manually by deleting it from the fields.
4 Click OK.

END OF STEPS
To delete alerts

Purpose
This section describes how to delete an alert.

Procedure
To delete alerts, follow these steps:

1 From the Audit Manager main screen, select the Alerts option from the Administration menu. The Alerts screen opens.
2 Select the Alert Criteria to be deleted from the Alert Criteria list box.
3 Click Delete. A confirmation dialog box appears. Click Yes to confirm and the selected alert criteria are deleted.
4 Click OK.

END OF STEPS
User management

Audit Manager permits two levels of users: Administrator and User. These user levels have been provided to add a layer of security. Individuals are added to the system as Users. A check box allows you to identify certain Users as Administrators.

A User who has been designated as an Administrator can add, modify, or delete other administrators and users. Permission is also given for configuring the database, setting alerts, and loading archived data into the database.

Users who are not designated as Administrators are restricted from using the Administration menu. They are prevented from adding, changing, or deleting administrators and users, configuring the database, configuring alerts, and loading archived data. These Users are given access only to the Audit Manager screen and report functions.
To add a user

Purpose
This section describes how to add a user.

Procedure
To add a user, follow these steps:

1 From the Audit Manager main screen, select the Users option from the Administration menu.
  Result: The Users screen opens.
2 Complete the fields in this screen using the information in the following table. All fields are required.

  Table 6-3 Users fields

  Field: Login ID
  Description: Enter the login ID of the new user.

  Field: Password
  Description: Enter the password for the new user.
  Important! The password must be at least six alphanumeric characters in length.

  Field: Organizations
  Description: Select the Organizations that the new user will be able to access.
  Important! Only one organization (VitalQIP Organization) is defined after Audit Manager is installed. Several CLIs need to be run to establish other organizations in the Audit Manager database. Refer to To set up Audit Manager organization IDs (p. 6-18) for more information.

3 If the user is to have access to the Administration menu, select the Administrator check box. When the Administrator option is enabled, the user has access to administrative functions.
  Important! Selecting Administrator assigns the administrator user to all available organizations. Only a normal user (that is, a user for whom the Administrator check box is not checked) can be assigned to selected organizations.
4 Click Add. The user is added to the User list box.

END OF STEPS
To modify a user

Purpose
This section describes how to modify a user.

Before you begin
- A password must be at least six alphanumeric characters long.
- Administrators who are logged in under their own Login IDs will not see their IDs. If administrators want to change their passwords, their passwords must be changed using the File > Change Password option (refer to To change your password (p. 5-13) for information about changing your password).

Procedure
To modify a user, follow these steps:

1 From the Audit Manager main screen, select Users from the Administration menu.
  Result: The Users screen opens.
2 Select the user you want to modify from the Users list box. The user's Login ID and password appear in the Login ID and Password fields, and the user's Organization is selected. The password is masked.
3 Make the necessary modifications.
4 Click Modify.
  Result: A message appears asking if you want to modify the user.
5 Click Yes to accept the changes. Click No to cancel the change.

END OF STEPS
To delete a user

Purpose
This section describes how to delete a user.

Important! Only administrators can delete other administrators and users.

Procedure
To delete a user, follow these steps:

1 From the Audit Manager main screen, select Users from the Administration menu.
  Result: The Users screen opens.
2 From the User list box, select the user you want to delete. The user's Login ID and password appear in the Login ID and Password fields, and the user's Organization is selected. (The password is masked.)
3 Click Delete.
  Result: A message appears asking if you want to delete the user.
4 Click Yes to accept the deletion or click No to cancel the deletion.

END OF STEPS
To set up Audit Manager organization IDs

Purpose
When Audit Manager is first installed, there is only one administrator (lamman) and one organization (VitalQIP Organization) defined in the Audit Manager database. This section describes how to set up additional organization data in Audit Manager.

Procedure
To work with other organizations, follow these steps.

1 Export organizations from the VitalQIP database using the exportorganization CLI (described in the VitalQIP Command Line Interface User's Guide), and store the output in a file.
2 Run the enterlamorg CLI, specifying the same file saved in step 1.
3 Run the LAMsync utility (described on page 6-19 and page 10-34) if errors or warnings occur while running enterlamorg.
4 Log into Audit Manager using the default administrator for a specific imported organization.
5 Select Users from the Administration menu.
6 Add users and assign them to an organization by selecting the organization they will be assigned to from the Organization field.
  Important! You can also use the enterlamuser CLI to create users and assign them to specific organizations. Refer to enterlamuser (p. 10-12) for further information.

END OF STEPS
LAMsync

LAMsync synchronizes Organization IDs between Audit Manager and VitalQIP for customers with existing data. Because the VitalQIP and LAM databases can be deployed on different servers and platforms, the utility relies on the exportorganization CLI to provide the reference data. For further information on the exportorganization CLI, refer to the VitalQIP Command Line Reference User's Guide.

Synopsis
LAMsync [-g loginserver] -s server -u username[/password[@server]] -p password -f import_file [-t O[racle] S[ybase]]

Parameters
LAMsync recognizes the following options:

-g loginserver
  The VitalQIP login server's IP address.
-s server
  The Audit Manager database server name.
-u username
  An Audit Manager user name.
-p password
  An Audit Manager password for the user name.
-f import_file
  A directory and filename of the input data.
-t O[racle] S[ybase]
  Specifies whether the VitalQIP and LAM databases are using Sybase or Oracle.
7 Audit Manager data search

Overview

Purpose
This chapter describes how to search, save, load, and send search criteria or search results from the Audit Manager screen.

Contents
This chapter covers these topics.
- Data search
- To search for current data and archived data
- To save search criteria
- To open saved search criteria
- To import and export search results
- To send search criteria or search results to another user
Data search

Audit Manager makes it possible to search for current or archived data using the Audit Manager screen. This screen is useful for obtaining information that can be used for troubleshooting and administrative purposes. Search criteria are limited to MAC address, hostname, domain, IP address, login ID, data source, type, and Option 82 data. Search criteria can be combined to create a more limiting or flexible search. All search criteria can be saved for use at another time. Previously saved search criteria can be loaded and reused as needed.

Database status
The status of the database is displayed in the upper-left corner of the Audit Manager screen. The status includes the server date and time, the number of records currently stored in the database, and the data range for the records in the database. If no archived information has been loaded, the Audit Manager screen displays the fields described in.
Archived information
If archived information has been loaded into the database (refer to To load archived data (p. 6-7) for more information), the Loaded Archive Files list box appears in the upper right corner of the Audit Manager screen, as shown in the following illustration. The Current and Archive check boxes also appear. The Loaded Archive Files list box shows the files that are loaded and the status of each file. This list box is for informational purposes only.
To search for current data and archived data

Purpose
To search for current and archived data.

Procedure
To search the Audit Manager database for records, follow these steps:

1 Decide which data source you wish to search. Check Current Data and/or Archive Data, depending on whether you want to search either data set or both.
2 From the Audit Manager screen, enter the appropriate criteria in the search criteria fields. You do not need to enter search criteria in all fields.
  Important! The use of a wildcard (*) is permitted.

  Table 7-1 Search criteria fields

  Field: MAC Address
  Description: Enter the MAC address in this field. The MAC address can be 12 or 16 characters long. A wildcard search character (*) can be used. For example, enter 12:23:33:*, 11:*, or * (for all MAC addresses).

  Field: Hostname
  Description: Enter the Hostname. A wildcard search character (*) can be located anywhere within the Hostname. For example, enter QAWIN*, QA*, or * (for all Hostnames).

  Field: Domain
  Description: Enter the domain. A wildcard search character (*) can be located anywhere within the domain. For example, enter luc*, lucent.*, or * (for all domains).

  Field: IP Address
  Description: Enter the IP address. A wildcard search character (*) is not permitted in the first octet but can be located in the next three octets. For example, enter 198.11.11.*, 198.11.*, or 198.*.

  Field: Login ID
  Description: Enter the login ID. The login ID is the assigned login value for the user. The login ID is assigned in VitalQIP through the User Profile. (For more information about User Profiles, refer to the VitalQIP User's Guide.) A wildcard search character (*) can be located anywhere within the login ID. For example, enter AUDUSER*, AUD*, or * (for all Login IDs).

  Field: Data Source
  Description: Enter the IP address of the data source. The data source is the IP address of the DHCP server granting and renewing leases or a workstation's IP address assigned to perform a task within VitalQIP. A wildcard search character (*) is not permitted in the first octet but can be located in the next three octets. For example, enter 198.11.11.*, 198.11.*, or 198.*.

  Field: Type
  Description: From the Type drop-down list, select one of the following message types:
  - All
  - DHCP Lease Decline
  - DHCP Lease Grant
  - DHCP Lease Renew
  - DHCP Lease Release
  - Domain Controller Login
  - Domain Controller Logout
  - Kerberos Domain Control Login
  - Kerberos Domain Control Logout
  - VitalQIP Dynamic Address Add
  - VitalQIP Dynamic Address Delete
  - VitalQIP Dynamic Address Modify
  - VitalQIP External Address Add
  - VitalQIP External Address Delete
  - VitalQIP External Address Modify
  - VitalQIP Static Address Add
  - VitalQIP Static Address Delete
  - VitalQIP Static Address Modify

  Field: Circuit ID
  Description: Optional. Enter the agent-local identifier of the circuit from which a DHCP client-to-server packet was received. It is intended for use by relay agents in forwarding DHCP responses back to the proper circuit. Possible uses of this field include:
  - Router interface number
  - Switching Hub port number
  - Remote Access Server port number
  - Frame Relay DLCI
  - ATM virtual circuit number
  - Cable Data virtual circuit number
  Refer to RFC 3046 for further information.

  Field: Remote ID
  Description: Optional. Enter the ID that identifies the remote host end of the circuit to a DHCP relay agent that terminates a switched or permanent circuit. The Remote ID field may be used to encode, for instance:
  - A caller ID telephone number for dial-up connection
  - A username prompted for by a Remote Access Server
  - A remote caller ATM address
  - A modem ID of a cable data modem
  - The remote IP address of a point-to-point link
  - A remote X.25 address for X.25 connections
  DHCP servers may use this option to select parameters specific to particular users, hosts, or subscriber modems. The relay agent may use this field in addition to or instead of the Circuit ID field to select the circuit on which to forward the DHCP reply (for example, Offer, Ack, or Nak). Refer to RFC 3046 for further information.

  Field: Device Class
  Description: Optional. Enter the device class to which the DOCSIS (Data-Over-Cable Service Interface Specifications) cable modem belongs. Possible uses of this field include:
  - Host endpoint information
  - Host hardware capabilities
  - Host software capabilities
  - Host options information
  DOCSIS defines the Device Class to be a 32-bit field where individual bits represent individual attributes of the cable modem. Bit #0 is the least significant bit of the field. Bits are set to 1 to select the following attributes.
  - Bit #0 (0x00000001): CPE Controlled Cable Modem (CCCM).
  - Bit #1-31: Reserved and set to zero.
  Refer to RFC 3256 for further information.

  Field: Subnet Selection
  Description: Optional. Enter the subnet/link IP address requested by a DHCP relay agent, as the subnet from which an IP address lease will be offered when forwarding a DHCP client request to the server. Refer to RFC 3527 for further information.

  Important! Audit Manager only tracks VitalQIP static and dynamic object modifications for the MAC Address field, IP Address field, Hostname (Object Name) field, and usage billing fields. The usage billing fields (Billing Location, Billing User Group, and Billing Class) do not appear in the GUI or reports. You can only access billing information using the lam-getaudithistorydata command.
3 Once all search criteria have been entered, click Add. The search criteria are then added to the Search Type list box.

You may look for two of the same search criteria at the same time only when the OR radio button is selected. For example, you can enter a MAC address in the search criteria field and click Add. Another MAC address can then be entered in the MAC Address field and added to the Search Type list box. The Search Type list box contains both MAC addresses.

To delete search criteria from the list box, highlight the search criteria to be deleted and click Delete. You can delete multiple search criteria by holding down the Ctrl key while you make your selections and then clicking Delete. If you want to remove all the search criteria from the Search Type list box, click Clear.

4 Click the AND radio button or the OR radio button.

If the AND radio button is selected, only data matching the search criteria is returned. For example, if the Search Type list box contains a MAC address and a hostname, then the search returns only those audit records that match both the MAC address and hostname.

If the OR radio button is selected, data matching any of the defined search criteria is returned. For example, a MAC address and hostname are the defined search criteria and the OR radio button is selected. Data that matches either the hostname or the MAC address is returned.

5 Enter the dates that the search is to encompass.

In the Start Date field, enter the beginning date for the search range. The default is no start date and time. If a start date is not entered, all data matching the search criteria is returned. The Start Date field is optional.

In the End Date field, enter the ending date for the search range. The field defaults to the current date and time when no date is entered. The End Date field is required.
If you are typing the date and time into the field, enter the date in the mm/dd/yyyy HH:MM format (for example, enter 01/02/1999 13:20).

You can enter the date by clicking the arrow in the Start Date and End Date fields. A calendar appears. To change the year, click << to go back one year or click >> to go forward one year. To go back one month, click <. To go forward one month, click >. Click a day to select the day.
You can use the left and right arrow keys on the keyboard to navigate within the date time control. To increase or decrease the values, use the up and down arrow keys.

Important! If you perform a search with no Start date and an End date that is prior to the earliest date in the database, an Invalid date range error message is displayed because the Start date defaults to the earliest date in the database.

6 Click the Search button.

Result: The results are displayed at the bottom of the screen. The following illustration shows how the Audit Manager screen looks after results are displayed (archived data is not loaded).

You can use the vertical scroll bar to move up and down the list and the horizontal scroll bar to move the list from side to side.
7 The Clear Results button appears after a successful search. When you no longer need the audit data, click the Clear Results button to clear the Audit Data list box.

Result: A message appears asking if you want to clear the search results.

8 Click Yes to clear the results or click No if you do not want to clear the results.

END OF STEPS

Change columns in the Search Results table

The View menu allows you to specify which columns you wish to display in the Search Results table. Initially, all columns except the Relay Agent Information Option 82 suboptions are selected. To check or uncheck a column, select the View menu and click beside a column heading in the menu. If you select Relay Agent Information Option, a raw hex blob of Option 82 data is displayed. If you wish to save your column selection for the next time you log into Audit Manager, check the Save on Exit option.
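The Relay Agent Information Option column shows Option 82 as raw hex, while the Circuit ID, Remote ID, Device Class, and Subnet Selection search fields correspond to its suboptions. The following decoder is an added example, not part of Audit Manager: the suboption codes come from the RFCs cited in the field descriptions, while the sample blob, the function names, and the optional 82/length header handling are assumptions about how the hex is presented.

```python
import ipaddress
import struct

# Suboption codes from the RFCs cited in the field descriptions.
SUBOPTIONS = {
    1: "Circuit ID",        # RFC 3046
    2: "Remote ID",         # RFC 3046
    4: "Device Class",      # RFC 3256
    5: "Subnet Selection",  # RFC 3527 (link selection)
}
CCCM_BIT = 0x00000001       # Device Class bit #0: CPE Controlled Cable Modem

# Constructed sample: Circuit ID "eth0/1", a 6-byte Remote ID,
# Device Class with only bit #0 set, Subnet Selection 198.11.11.0.
SAMPLE_BLOB = "01 06 65 74 68 30 2f 31 02 06 00 1a 2b 3c 4d 5e 04 04 00 00 00 01 05 04 c6 0b 0b 00"


def printable(data):
    """Render an opaque identifier as text if it is plain ASCII, else as hex."""
    if data and all(0x20 <= b < 0x7F for b in data):
        return data.decode("ascii")
    return data.hex()


def decode_option82(hex_blob, has_header=False):
    """Split an Option 82 value into its suboptions.

    has_header=True means the blob still begins with the option code (82)
    and its length byte. Whether the GUI includes that header is not stated
    in the guide, so the caller chooses.
    """
    cleaned = "".join(ch for ch in hex_blob if ch not in " :-\t\r\n")
    raw = bytes.fromhex(cleaned)  # raises ValueError on non-hex input

    if has_header:
        if len(raw) < 2 or raw[0] != 82:
            raise ValueError("blob does not start with option code 82")
        if raw[1] != len(raw) - 2:
            raise ValueError("option length byte does not match payload size")
        raw = raw[2:]

    decoded, pos = [], 0
    while pos < len(raw):
        if pos + 2 > len(raw):
            raise ValueError("truncated suboption header at offset %d" % pos)
        code, length = raw[pos], raw[pos + 1]
        value = raw[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("suboption %d overruns the blob" % code)

        entry = {"code": code, "name": SUBOPTIONS.get(code, "unknown"), "raw": value.hex()}
        if code in (1, 2):
            entry["value"] = printable(value)
        elif code == 4:
            if length != 4:
                raise ValueError("Device Class must be a 32-bit field")
            (bits,) = struct.unpack("!I", value)  # network byte order assumed
            entry["value"] = {
                "cccm": bool(bits & CCCM_BIT),
                # Bits 1-31 are reserved and should be zero.
                "reserved_bits_set": bool(bits & ~CCCM_BIT & 0xFFFFFFFF),
            }
        elif code == 5:
            if length != 4:
                raise ValueError("Subnet Selection must be an IPv4 address")
            entry["value"] = str(ipaddress.IPv4Address(value))
        else:
            entry["value"] = value.hex()
        decoded.append(entry)
        pos += 2 + length
    return decoded


if __name__ == "__main__":
    for sub in decode_option82(SAMPLE_BLOB):
        print(sub["code"], sub["name"], sub["value"])
```

A suboption whose length byte runs past the end of the blob raises ValueError rather than being silently truncated, which makes a clipped or corrupted column value visible.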
To save search criteria

Purpose

Once you have defined your search criteria, you can save it to use at another time or send it to another user.

Procedure

To save your search criteria, follow these steps:

1 From the Audit Manager main screen, select the Save option from the File menu.

Result: The Save Search Criteria screen opens.

2 Navigate to the directory in which you want to save the file.

3 Enter the name of the file in the File Name field. Give the file a name that is descriptive of the search criteria.

4 Click Save.

Result: The file is saved to the specified location with a .lam extension.

END OF STEPS
To open saved search criteria

Purpose

This section describes how to open and load saved search criteria.

Important! Loading saved search criteria overrides any information currently displayed in the Audit Manager screen.

Procedure

To open saved search criteria, follow these steps:

1 From the Audit Manager main screen, select the Open option from the File menu.

Result: The Open Search Criteria screen opens.

2 Navigate to where the .lam file is stored.

3 Select the .lam file.

4 Click Open.

Result: The search criteria and/or search results are loaded in the Audit Manager screen.

5 Once you have loaded the search criteria, additional search criteria may be added.

END OF STEPS
To import and export search results

Purpose

Search results obtained from searching the Audit Manager database can be imported or exported. Imported and exported search results can be reused for troubleshooting or administrative purposes. All information is imported or exported to a specified location.

Export search results

Before you can export search results, the search results must be loaded into the Audit Manager screen. Refer to To search for current data and archived data (p. 7-4) for more information.

To export search results, follow these steps:

1 Select Export from the Results menu.

Result: The Export Result Set screen opens.

2 Navigate to the directory in which you want to store the exported file.

3 Enter a name for the exported file in the File name field.

4 From the Save as type drop-down list, select Text Files (*.txt) or .csv.

5 Click Save. The data is saved to a .txt or .csv file in the specified location.

END OF STEPS
Import search results

Only files formatted as .txt or .csv files can be imported as search results.

To import search results, follow these steps:

1 From the Audit Manager main screen, select the Import option from the Results menu.

Result: The Import Result Set screen opens.

2 Navigate to the directory in which the file to be imported is stored.

3 Select the file to be imported.

4 Click Open.

Result: The data is loaded into the Audit Manager screen.

END OF STEPS
To send search criteria or search results to another user

Purpose

You can send search criteria and search results to another user. The receiving user can use the criteria or results for searching the database, troubleshooting problems, or administrative purposes.

Procedure

Search criteria and results use different options to send email. To send search criteria by email, access the e-mail feature using the File > Send To option. To send search results by email, use the Results > Send To option. Both options function in the same manner.

Search criteria and search results do not need to be saved to a file in order to be sent to another user. As long as the search criteria or results appear in Audit Manager, you can send them to another user. A temporary file is created and automatically attached to an email. After the email is sent, the temporary file is deleted.

To send search criteria or results, follow these steps.

1 To send search criteria or results, select Send To from the File menu (for sending search criteria) or the Results menu (for sending search results).

If mail information is found
The e-mail screen is displayed and the user can send the results using email, as follows.

1 To email information to a user, enter at least one email address in the To: field. To send the email to multiple recipients, separate their addresses with a comma or semi-colon.

2 You can add one or more attachments by clicking Attach.

Result: The Attach File screen opens.

3 Navigate to where the files are stored and highlight the file you want to send. Click Attach. Repeat this step as needed. To delete attachments, click an attachment and press Delete.

4 Click Send when you have completed the e-mail.

END OF STEPS
If mail information is not found

The Registry Email Information screen opens.

1 Enter your name, mail server, email address, and reply-to address. Your reply-to address is only needed if it is different from your email address.

2 To save this data to the registry, click OK.

You can change mail information at any time by clicking Configure in the email screen. Clicking Configure opens the Registry Email Information screen.

Important! This program does not keep track of sent mail.
8 Audit Manager reports

Overview

Purpose

This chapter describes the reports that are available in Audit Manager.

Contents

This chapter covers these topics.
  - Reports in Audit Manager
  - To use Audit Manager reports
  - To produce a DHCP Server Audit report
  - To produce a Login ID Audit report
  - To produce a General Audit report
  - To produce an Alert Audit report
  - To produce a Domain Controller Audit report
Reports in Audit Manager

Overview

Audit Manager provides several types of reports that are useful for auditing DHCP servers, users, alert messages, domain controller, and general information. Reports can be used for troubleshooting and administrative purposes.

Following is a list of Audit Manager reports:
  - DHCP Server Audit
  - Login ID Audit
  - General Audit
  - Alert Audit
  - Domain Controller Audit
To use Audit Manager reports

Purpose

All reports have common functions. You can do the following with the Audit Manager reports:
  - Search reports
  - View reports on a screen
  - Save reports to a .txt or .csv file
  - Send reports to another user
  - Print reports

The functions can be accessed by filling in the fields in the following reports and then clicking Screen to display the report.

Important! Audit Manager only tracks VitalQIP static and dynamic object modifications for the MAC Address field, IP Address field, Hostname (Object Name) field, and usage billing fields. The usage billing fields (Billing Location, Billing User Group, and Billing Class) do not appear in the GUI or reports. You can only access billing information using the lam-getaudithistorydata command.

The following illustration displays the results of a requested report in Text format.
Search for a text string

Once the report has been generated to the screen, you can search the report, save it to a file, print it, or e-mail it.

To search a report, follow these steps:

1 Type the string to be searched in the Search Pattern field and press Enter.

2 To find the same string again, press Enter again.

END OF STEPS

Save the report to a file

To save a report to a file, follow these steps:

1 Click the disk icon (at the top left of the screen). The Save As screen opens.

2 In the File name field, enter the name to be assigned to the file and click OK.

END OF STEPS

Print a report

To print a report, follow these steps:

1 Click the printer icon (at the top left of the screen).

2 Enter the name of your printer and click OK.

Important! To have the report print correctly on a page, you must set your printer setting to print landscape. To do this, click the printer icon and then click Properties. Click the Landscape radio button and click OK.

END OF STEPS
E-mail a report

To e-mail a report, follow these steps:

1 Click the e-mail icon (at the top left of the screen). Audit Manager searches for mail information in the registry. If mail information is not found, enter your name, mail server, e-mail address, and reply-to address in the Registry Email Information screen. Your reply-to address is only needed if it is different from the email address. Click OK to save data in the registry.

Result: The Email screen is displayed, and you can send an e-mail.

2 Enter at least one e-mail address in the To: field. To send the e-mail to multiple recipients, separate their addresses with a comma or semi-colon.

3 You can add one or more attachments by clicking Attach.

Result: The Attach File screen opens.

4 Navigate to where the files are stored and highlight the file you want to send. Click Attach. Repeat this step as needed.

5 To delete attachments, click an attachment and press Delete.

6 Click Send when you have completed the e-mail.

END OF STEPS

You can change mail information at any time: click Configure in the email screen to open the Registry Email Information screen.

Important! This program does not keep track of sent mail.

Enter date ranges

Many of the reports have fields in which the range of information to be reported is defined. Configure the Start Date and End Date fields as described following:
1 In the Start Date field, enter the beginning date for the search range. The default is no start date and time. If a start date is not entered, all data matching the search criteria is returned. This field is optional.

2 In the End Date field, enter the ending date for the search range. The field defaults to the current date and time when no date is entered. The End Date field is required.

If you are typing the date and time into the field, enter the date in mm/dd/yyyy HH:MM format (for example, enter 01/02/2007 13:20).

You can also enter the date by clicking the down-arrow in the Start Date and End Date fields. A calendar appears. To change the year, click << to go back one year or click >> to go forward one year. To go back one month, click <. To go forward one month, click >. Click a day to select the day.

END OF STEPS
To produce a DHCP Server Audit report

Purpose

The DHCP Server Audit report produces a report detailing DHCP lease information for a specified DHCP server. This report is useful for troubleshooting and administrative purposes.

Procedure

To produce a DHCP Server Audit report, follow these steps:

1 From the Audit Manager screen, select DHCP Server Audit from the Reports menu.

Result: The DHCP Server Audit Report screen opens.

2 Complete the fields in this screen using the following information. All fields are required unless specified otherwise.

Table 8-1 DHCP Server Audit report fields

Field: Description

IP Address: Enter the IP address of the DHCP server for which you want to generate a report.
Field: Description

Start Date: Optional. Enter the beginning date for the search range. The default is no start date and time. If a start date is not entered, all data matching the search criteria is returned. Refer to Enter date ranges (p. 8-5) for more information.

End Date: Enter the ending date for the search range in mm/dd/yyyy HH:MM format (for example, enter 01/02/2007 13:20). The field defaults to the current date and time when no date is entered. Refer to Enter date ranges (p. 8-5) for more information.

Type: Select one of the following message types:
  - All
  - DHCP Lease Decline
  - DHCP Lease Grant
  - DHCP Lease Renew
  - DHCP Lease Release

3 In the Sort by Date/Time box, choose the date and time sorting order by clicking the Ascending or Descending radio button.

4 To display the report, click Screen.

5 From the displayed report, you can print the report, save it, or send it to other users. Refer to To use Audit Manager reports (p. 8-3) for more information.

6 To exit, click Close.

END OF STEPS
Sample DHCP Server Audit report

A sample DHCP Server Audit Report is shown following.

Audit Manager DHCP Server Audit Report
Date: 06/02/2007 12:39:34
DHCP Server: 198.200.138.21
Report Date Range: 12/31/2006 12:30:00 to 01/01/2007 12:10:00
DHCP Messages: ALL

Date/Time            Message Type  MAC Address        IP Address     Hostname  LoginID
01/01/2007 12:30:01  DHCP GRANT    11-11-11-99-11-11  198.100.100.1  QAWI95    mylogin
01/02/2007 11:30:12  DHCP GRANT    10-11-11-99-11-11  198.100.100.2  QAWI98    dunno
01/03/2007 11:30:23  DHCP RELEASE  19-11-11-99-11-11  198.100.100.3  QAWI99    jram
01/04/2007 11:30:08  DHCP RENEW    13-11-11-99-11-11  198.100.100.4  QAWI90    john
01/05/2007 11:30:45  DHCP GRANT    14-11-11-99-11-11  198.100.100.5  QAWI91    whisler
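A common use of this report in troubleshooting and incident response is answering which client held an IP address at a given time. The following is an added example, not part of Audit Manager: it assumes a report saved as text keeps the column layout of the sample above, uses constructed rows in that layout, and treats the "DHCP DECLINE" label as an assumption because the sample shows only GRANT, RENEW, and RELEASE.

```python
import re
from datetime import datetime

# One report row: Date/Time, Message Type, MAC Address, IP Address,
# Hostname, LoginID (LoginID may be blank). Layout follows the sample report.
ROW = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<type>DHCP [A-Z]+)\s+"
    r"(?P<mac>[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5,7})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<host>\S+)(?:\s+(?P<login>\S+))?\s*$"
)
HOLDS = {"DHCP GRANT", "DHCP RENEW"}     # client holds the address afterwards
ENDS = {"DHCP RELEASE", "DHCP DECLINE"}  # "DHCP DECLINE" label is assumed

# Constructed rows in the sample report's layout: one address handed to
# three different clients over five days.
SAMPLE_REPORT = """\
Audit Manager DHCP Server Audit Report
Date: 06/02/2007 12:39:34
DHCP Server: 198.200.138.21
DHCP Messages: ALL
Date/Time            Message Type  MAC Address        IP Address     Hostname  LoginID
01/01/2007 12:30:01  DHCP GRANT    11-11-11-99-11-11  198.100.100.1  QAWI95    mylogin
01/02/2007 11:30:12  DHCP RENEW    11-11-11-99-11-11  198.100.100.1  QAWI95    mylogin
01/03/2007 11:30:23  DHCP RELEASE  11-11-11-99-11-11  198.100.100.1  QAWI95    mylogin
01/04/2007 11:30:08  DHCP GRANT    13-11-11-99-11-11  198.100.100.1  QAWI90    john
01/05/2007 11:30:45  DHCP GRANT    14-11-11-99-11-11  198.100.100.1  QAWI91    whisler
"""


def parse_report(text):
    """Return the report's data rows as dicts, oldest first; headers are skipped."""
    events = []
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if not match:
            continue
        event = match.groupdict()
        event["when"] = datetime.strptime(event["ts"], "%m/%d/%Y %H:%M:%S")
        events.append(event)
    return sorted(events, key=lambda e: e["when"])


def holder_at(events, ip, when_text):
    """Last client recorded as holding `ip` at `when_text` (mm/dd/yyyy HH:MM).

    Returns None if no grant precedes that time or the holder released it.
    """
    when = datetime.strptime(when_text, "%m/%d/%Y %H:%M")
    holder = None
    for event in events:
        if event["ip"] != ip or event["when"] > when:
            continue
        if event["type"] in HOLDS:
            holder = event
        elif event["type"] in ENDS and holder and holder["mac"] == event["mac"]:
            holder = None
    return holder


def mac_changes(events):
    """List (ip, old_mac, new_mac, timestamp) where an address moved to a new
    MAC with no release recorded from the previous holder."""
    current, changes = {}, []
    for event in events:
        ip = event["ip"]
        if event["type"] in HOLDS:
            previous = current.get(ip)
            if previous and previous["mac"] != event["mac"]:
                changes.append((ip, previous["mac"], event["mac"], event["ts"]))
            current[ip] = event
        elif event["type"] in ENDS:
            if ip in current and current[ip]["mac"] == event["mac"]:
                del current[ip]
    return changes


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    print(holder_at(rows, "198.100.100.1", "01/04/2007 12:00"))
    print(mac_changes(rows))
```

The report records lease messages, not lease expiry, so a result from `holder_at` is the last recorded holder rather than proof the lease was still active; a handover reported by `mac_changes` is usually an expired lease and is worth a second look only when the earlier client was still in use.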
To produce a Login ID Audit report

Purpose

The Login ID Audit report produces an audit report that can be used for troubleshooting and administrative purposes. This report can only be generated when VitalQIP is used with Audit Manager.

Procedure

To produce a Login ID Audit report, follow these steps:

1 Select Login ID Audit from the Reports menu.

Result: The Login ID Audit Report screen opens.

2 Complete the fields in this screen using the following information. All fields are required unless specified otherwise.

Table 8-2 Login ID Audit Report fields

Field: Description

Login ID: Enter the login ID. This is the login value for the user that was assigned in VitalQIP through the user profile. For more information about user profiles, refer to the VitalQIP User's Guide.
Field: Description

Start Date: Optional. Enter the beginning date for the search range. The default is no start date and time. If a start date is not entered, all data matching the search criteria is returned. Refer to Enter date ranges (p. 8-5) for more information.

End Date: Enter the ending date for the search range in mm/dd/yyyy HH:MM format (for example, enter 01/02/2007 13:20). The field defaults to the current date and time when no date is entered. Refer to Enter date ranges (p. 8-5) for more information.

Type: From the Type drop-down list, select one of the following message types:
  - All
  - DHCP Lease Decline
  - DHCP Lease Grant
  - DHCP Lease Renew
  - DHCP Lease Release
  - Domain Controller Login
  - Domain Controller Logout
  - Kerberos Domain Control Login
  - Kerberos Domain Control Logout
  - VitalQIP Dynamic Address Add
  - VitalQIP Dynamic Address Delete
  - VitalQIP Dynamic Address Modify
  - VitalQIP External Address Add
  - VitalQIP External Address Delete
  - VitalQIP External Address Modify
  - VitalQIP Static Address Add
  - VitalQIP Static Address Delete
  - VitalQIP Static Address Modify

Important! Audit Manager only tracks VitalQIP Static and Dynamic object modifications for the MAC Address field, IP Address field, Hostname (Object Name) field, and usage billing fields. The usage billing fields (Billing Location, Billing User Group, and Billing Class) do not appear in the GUI or reports. You can only access billing information using the lam-getaudithistorydata command.

3 In the Sort by Date/Time box, choose the date and time sorting order by clicking the Ascending or Descending radio button.
4 To display the report, click Screen.

5 From the displayed report, you can print the report, save it, or send it to other users. Refer to To use Audit Manager reports (p. 8-3) for more information.

6 To exit, click Close.

END OF STEPS

Sample Audit Manager Login ID Audit report

A sample Login ID Audit report is shown following.

Audit Manager Login ID Audit Report
Date: 06/20/2007 12:39:44
LoginID: drooly
Report Date Range: 01/01/2007 12:29:00 to 01/15/2007 12:10:00
DHCP Messages: ALL

Date/Time            Message Type  MAC Address        IP Address     Hostname  Source
01/01/2007 12:30:10  DHCP GRANT    11-11-11-99-11-11  198.100.100.1  drooly    199.200.199.1
01/02/2007 11:30:13  DHCP GRANT    10-11-11-99-11-11  198.100.100.2  drooly    199.200.198.2
01/03/2007 11:30:34  QIP Add       19-11-11-99-11-11  198.100.100.3  QAIN95    198.200.200.1
01/04/2007 11:30:55  DHCP RENEW    13-11-11-99-11-11  198.100.100.4  drooly    199.200.198.2
01/05/2007 11:30:24  QIP Delete    14-11-11-99-11-11  198.100.100.5  QAWIN99   199.200.198.2
01/06/2007 11:30:14  DHCP GRANT    15-11-11-99-11-11  198.100.100.6  cli1988   199.200.198.2
To produce a General Audit report

Purpose

The General Audit report produces a generalized audit report for an IP address, domain, MAC address, hostname, message type, or login ID. This report can be used for troubleshooting and administrative purposes.

Procedure

To produce a General Audit report, follow these steps:

1 From the Audit Manager main screen, select General Audit from the Reports menu.

Result: The General Audit Report screen opens.

2 Complete the fields in the Search Criteria box using the following information. Enter at least one value to search, although you do not need to enter search criteria in all the fields. All fields are optional unless indicated otherwise.

Important! You can use a wildcard (*).
Table 8-3 General Audit Report fields

Field: Description

MAC Address: Enter the MAC address. The MAC address can be 12 or 16 characters long. A wildcard search character (*) can be located anywhere within a MAC address. For example, enter 11:22:33:*, 11:*:, or * (for all MAC addresses).

Hostname: Enter the hostname. A wildcard search character (*) can be located anywhere within the hostname. For example, enter QAWIN*, QA*, or * (for all hostnames).

Domain: Enter the domain. A wildcard search character (*) can be located anywhere within the domain. For example, enter luc*, lucent.*, or * (for all domains).

IP Address: Enter the IP address. A wildcard search character (*) can be located anywhere but in the first octet. For example, enter 198.11.11.*, 198.11.*, or 198.*.

Login ID: Enter the login ID. The login ID is the login value of the user assigned in VitalQIP through the user profile. (For more information about user profiles, refer to the VitalQIP User's Guide.) A wildcard search character (*) can be located anywhere within the Login ID. For example, enter AUDUSER*, AUD*, or * (for all Login IDs).
Field: Description

Type: From the Type drop-down list, select one of the following message types:
  - All
  - DHCP Lease Decline
  - DHCP Lease Grant
  - DHCP Lease Renew
  - DHCP Lease Release
  - Domain Controller Login
  - Domain Controller Logout
  - Kerberos Domain Control Login
  - Kerberos Domain Control Logout
  - VitalQIP Dynamic Address Add
  - VitalQIP Dynamic Address Delete
  - VitalQIP Dynamic Address Modify
  - VitalQIP External Address Add
  - VitalQIP External Address Delete
  - VitalQIP External Address Modify
  - VitalQIP Static Address Add
  - VitalQIP Static Address Delete
  - VitalQIP Static Address Modify

Important! Audit Manager only tracks VitalQIP Static and Dynamic object modifications for the MAC Address field, IP Address field, Hostname (Object Name) field, and the usage billing fields. The usage billing fields (Billing Location, Billing User Group, and Billing Class) do not appear in the GUI or reports. You can only access billing information using the lam-getaudithistorydata command. For details about the lam-getaudithistorydata command, refer to lam-getaudithistorydata (p. 10-22).

3 When all search criteria have been entered, click Add.

Result: The search criteria are added to the Search Type list box.

You can look for two of the same search criteria at the same time only when the OR radio button is selected. For example, you can enter a MAC address in the search criteria field and click Add. Another MAC address can then be entered in the MAC Address field and added to the Search Type list box. The Search Type list box contains both MAC addresses.
To delete search criteria from the list box, highlight the search criteria to be deleted and click Delete. You can delete multiple search criteria by holding down the Ctrl key while you make your selections and then clicking Delete. If you want to remove all the search criteria from the list box, click Clear.

4 Click the And radio button or the OR radio button. You can add multiple search criteria only when the OR radio button is selected.

If the And radio button is selected, only data matching the search criteria is returned. For example, if the Search Type list box contains a MAC address and a hostname, then the search returns only those audit records that match both the MAC address and hostname.

If the OR radio button is selected, data matching any of the defined search criteria is returned. For example, a MAC address and hostname are the defined search criteria and the OR radio button is selected. Data that matches either the hostname or the MAC address is returned.

5 Enter the dates that the search is to encompass in the Start Date and End Date fields. Refer to Enter date ranges (p. 8-5) for more information.

6 In the Sort by Date/Time box, select the date and time sorting order by clicking the Ascending or Descending radio button.

7 To display the report, click Screen. From the displayed report, you can print the report, save it, or send it to other users. Refer to To use Audit Manager reports (p. 8-3) for more information.

8 To exit, click Close.

END OF STEPS
Sample General Audit report

A sample General Audit report is shown following.

Audit Manager General Audit Report
Date: 06/20/2007 12:39:45
Mac Address: ANY
IP Address : ANY
Hostname : ANY
LoginID : ANY
Report Date Range: 01/01/2007 12:29:00 to 01/10/2007 12:10:00
Messages: ALL

Date/Time            Message Type  MAC Address        IP Address     Hostname  LoginID  Source
01/01/2007 12:30:15  DHCP GRANT    11-11-11-99-11-11  198.100.100.1  drooly    ---      199.200.199.1
01/02/2007 11:30:25  DHCP GRANT    10-11-11-99-11-11  198.100.100.2  drooly    drooly   199.200.198.2
01/03/2007 11:30:32  QIP Add       19-11-11-99-11-11  198.100.100.3  QA95      ---      198.200.200.1
01/04/2007 11:30:14  DHCP RENEW    13-11-11-99-11-11  198.100.100.4  drooly    ---      199.200.198.2
01/05/2007 11:30:45  QIP Delete    14-11-11-99-11-11  198.100.100.5  QA99      drooly   199.200.198.2
01/06/2007 11:30:52  DHCP GRANT    15-11-11-99-11-11  198.100.100.6  cli1988   ---      199.200.198.2
To produce an Alert Audit report

Purpose

The Alert Audit report produces a report for alerts that have been generated based on events occurring in the Audit Manager database. This report displays the MAC address, hostname, and/or IP address for each alert. This report can be used for troubleshooting and administrative purposes.

Before you begin

Users with administrative status are the only users that have access to the Alert Audit report. Each user only sees the alerts that he or she has configured.

Procedure

To produce an Alert Audit report, follow these steps:

1 Select Alert Audit from the Reports menu.

Result: The Alert Audit Report screen opens.

2 Complete the fields in this screen using the following information. All fields are required unless specified otherwise.

Important! Audit Manager only tracks VitalQIP static and dynamic object modifications for the MAC Address field, IP Address field, Hostname (Object Name) field, and usage billing fields. The usage billing fields (Billing Location, Billing User Group, and Billing Class) do not appear in the GUI or reports. You can only access billing information using the lam-getaudithistorydata command.

Table 8-4 Alert Audit Report fields

Field: Description

Type: From the Type drop-down list, select one of the following message types:
  - All
  - Hostname
  - IP Address
  - MAC Address

Start Date: Optional. Enter the beginning date for the search range. The default is no start date and time. If a start date is not entered, all data matching the search criteria is returned. Refer to Enter date ranges (p. 8-5) for more information.

End Date: Enter the ending date for the search range in mm/dd/yyyy HH:MM format (for example, enter 01/02/2007 13:20). The field defaults to the current date and time when no date is entered. Refer to Enter date ranges (p. 8-5) for more information.

3 In the Sort by Date/Time box, select the date and time sorting order by clicking the Ascending or Descending radio button.

4 To display the report, click Screen. From the displayed report, you can print the report, save it, or send it to other users. Refer to To use Audit Manager reports (p. 8-3) for more information.

5 To exit, click Close.

END OF STEPS
Sample Alert Audit report

A sample Alert Audit report is shown following.

Audit Manager Alert Audit Report
Date: 04/02/2004 19:45:40
Alert Type: ALL
Report Date Range: 04/02/2004 19:22:00 to 04/02/2004 23:59:00
Administrator: lamman

Date/Time            Alert Type  Action               MAC Address        IP Address      Hostname      LoginID     Source
=========================================================================================================================
04/02/2004 19:41:46  IP          bschear@example.com                     135.114.106.41  wsp000019wss  jentwistle  10.100.25.151
04/02/2004 19:40:25  MAC         bschear@example.com  ea:00:ac:1e:dd:fa  135.114.106.11  udp000015uds              10.100.25.151
04/02/2004 19:27:00  MAC         bschear@example.com  ac:dc:15:73:de:a3  135.114.106.10  udp000014uds              10.100.25.151
04/02/2004 19:24:18  IP          bschear@example.com                     135.114.106.38  wsp000016wss              10.100.25.151
04/02/2004 19:24:18  HOSTNAME    bschear@example.com                     135.114.106.38  wsp000016wss              10.100.25.151
To produce a Domain Controller Audit report

Purpose

The Domain Controller Audit report produces a report about the user logins and logouts received by a domain controller. This report can be used for troubleshooting and administrative purposes.

Before you begin

You can only use this report if Audit Manager is tracking domain controller logins and logouts.

The Domain Controller Login Audit Service does not forward logoff events immediately to the Audit Update Service. The Domain Controller does not invoke the callout when a user logs out. This is due to the vendor's assumption (Microsoft) that the box is not being used until someone else logs in. When the second login occurs, the callout is invoked and the Domain Controller Login Audit Service sends the logout of the previous user, followed by the login of the new user. Since the callout is not invoked on user logout, there is nothing else the Domain Controller Login Audit Service can do.

When reporting on domain login information to Audit Manager, the client address may be displayed as 255.255.255.255. The IP address and MAC address are resolved via calls into the Operating System (OS). An IP address of 255.255.255.255 indicates that the OS does not yet know the IP address of the requested host. The OS call timed out. The IP Address will not be known until all DC replication and DNS replication has completed (unknown timeframe).

Procedure

To produce a Domain Controller Audit report, follow these steps:
1 From the Audit Manager main screen, select Domain Controller Audit from the Reports menu. The Domain Controller Audit Report screen opens.

2 Complete the fields in this screen using the following information. All fields are required unless specified otherwise.

Table 8-5 Domain Controller Audit Report fields

Field: NT Domain
Description: Enter the domain of the domain controller. This field is required. Wildcard search characters can be located anywhere within the domain name. For example, enter QAWIN*, QA*, or * (for all Domain Controllers).

Field: Start Date
Description: Optional. Enter the beginning date for the search range. The default is no start date and time. If a start date is not entered, all data matching the search criteria is returned. Refer to Enter date ranges (p. 8-5) for more information.

Field: End Date
Description: Enter the ending date for the search range in mm/dd/yyyy HH:MM format (for example, enter 01/02/2007 13:20). The field defaults to the current date and time when no date is entered. Refer to Enter date ranges (p. 8-5) for more information.

3 In the Sort by Date/Time box, select the date and time sorting order by clicking the Ascending or Descending radio button.

4 To display the report, click Screen.
5 From the displayed report, you can print the report, save it, or send it to other users. Refer to To use Audit Manager reports (p. 8-3) for more information.

6 To exit, click Close.

END OF STEPS

Sample Domain Controller Audit report

A sample Domain Controller Audit report is shown following.

Domain Controller Audit Report
Date: 08/10/1999 09:52:34
NT Domain: MYSERVER-NT
Report Date Range: 01/01/2007 10:46:00 to 08/10/2007 09:52:27

Date/Time            Message Type              NT Domain    IP Address     Hostname  LoginID  Source
01/01/2007 12:30:15  Domain Controller Logout  MYSERVER-NT  198.100.100.1  drooly    Wahoo    199.200.199.1
01/02/2007 11:30:25  Domain Controller Login   MYSERVER-NT  198.100.100.2  drooly    Wahoo    199.200.198.2
9 Services

Overview

Purpose
This chapter describes the policies that Audit Manager uses in the qip.pcy file.

Contents
This chapter covers these topics.
  Audit Manager policy files
  VitalQIP Audit Schedule Service - qip-auditsched
  VitalQIP Audit Update Service - qip-auditupdated
  Audit Alert user exit
  VitalQIP Domain Controller Logon Audit Service
  VitalQIP Kerberos Domain Controller Logon Audit Service
Audit Manager policy files

Overview
When the Audit Manager server is installed, the qip.pcy policy file is created (or updated if VitalQIP resides on the same system). It contains sections for the following services that affect the functionality of Audit Manager:
  VitalQIP Message Service
  VitalQIP Login Service
  VitalQIP Audit Schedule Service
  VitalQIP Audit Update Service
  VitalQIP Domain Controller Logon Audit Service
  VitalQIP Kerberos Domain Controller Logon Audit Service

The VitalQIP Message Service and the VitalQIP Login Service are used by other components of VitalQIP and are described in detail in Chapters 7 and 8 of the VitalQIP Administrator Reference Manual. The remaining services in the list above are used only by Audit Manager and are described in this chapter.

Policy file format
All daemons/services defined in the qip.pcy file are located in %QIPHOME% (Windows) or $QIPHOME (UNIX) by default. You can move .pcy files to a different directory, but you must then specify an optional environment variable, QIP_POLICYPATH. The value of this environment variable is set up like that of your PATH environment variable.

Each section is separated by section headers (for example, [VitalQIP Audit Schedule Service]). Any option specified in the [Global Section] of the policy file that appears before the section headers is treated as global (that is, affecting all services) and is passed to every service.

The general format of the entries in the policy file is Policy=Value. Policy and values are case insensitive, and all blank lines and lines beginning with a semicolon (;) are ignored. For example, if you are establishing a policy in the Schedule Service to identify the license interval as 1 hour (in seconds), the entry in the policy file is LicenseInterval=3600. You can use a text editor such as Notepad (Windows) or vi (UNIX) to create or edit the file.

Rather than use the qip.pcy file, you can opt to use individual policy files. In an upgrade, a qip.pcy file is installed but the smaller existing files override the qip.pcy file. The required name for the file is contained in the description of each service.
Important! Alcatel-Lucent recommends the use of qip.pcy rather than individual policy files because it simplifies troubleshooting.

Change lamadmin password
If you change your encrypted lamadmin password, the new password must be encrypted using the qip-crypt utility and entered into the qip.pcy file. The location of the password in the qip.pcy file appears as follows:

[VitalQIP Login Service]
audit.<database_name>.lamadmin.password=<encrypted_password>
AuditServer=<name_of_server>

Debug policy
For all Audit Manager services, each service has a debug policy that can be specified in the policy file. Most clients and the Command Line Interface read the policy file as services do and adhere to the value specified for the debug policy.

Important! When diagnosing a potential problem, access the Event Viewer in Windows or syslog in UNIX first to determine the problem.

CLIDebug policy
VitalQIP has a debugging feature for the Command Line Interface, which can be optimized by Audit Manager. Debugging can be implemented on a global or individual basis. To enable debugging for all commands, set the CLIDebug policy in the Global Section of the qip.pcy file. The CLIDebug policy uses the same values and modifiers as the Debug policy described in Chapter 3 of the VitalQIP Administrator Reference Manual. All debug information defaults to individual log files named <command_name>.log, which are located in the QIPHOME/log directory.

Debugging can also be enabled for most individual commands. A section named after a command (for example, [qip-syncexternal]) can be added to the qip.pcy file. The CLIDebug and DebugFile policies are the only two policies that can be used in this section. If the DebugFile policy is used, debug information pertaining to the command is written to the specified file and overrides the default, QIPHOME/log/<command_name>.log. The CLIDebug policy set in the individual command section overrides the CLIDebug policy in the Global Section.

The following is a sample command section in the qip.pcy file:

[qip-syncexternal]
CLIDebug = None
DebugFile = QIP/log/qipsyncexternal.log
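The following Python sketch is an added example, not code shipped with Audit Manager. It reads the policy file layout described above, resolves which CLIDebug level and log file apply to a command, and lists the entries that hold credential material so their file permissions can be reviewed. The sample file, the database name lamdb, the user lamsched, the server auditsrv1 and the command name example-command are constructed, and treating a missing CLIDebug as None is an assumption.

```python
GLOBAL = "global section"  # key used for entries that precede the first [header]

# Constructed sample, not a real configuration.
SAMPLE = """\
; entries before the first section header are global
CLIDebug = LevelError

[VitalQIP Login Service]
audit.lamdb.lamadmin.password=<encrypted_password>
AuditServer=auditsrv1

[VitalQIP Audit Schedule Service]
AuditScheduleUser=lamsched
AuditSchedulePassword=<encrypted_password>
LicenseInterval=3600

[VitalQIP Audit Update Service]
AlertArgs = SMTPServer=smtphost.mydomain.com
AlertArgs = SMTPFrom=AuditManager

[qip-syncexternal]
CLIDebug = None
DebugFile = QIP/log/qipsyncexternal.log
"""


def parse_policy(text):
    """Return {section: {policy: [values]}} with lower-cased section and policy names.

    A policy can occur more than once (AlertArgs does), so values are kept as lists.
    """
    sections = {GLOBAL: {}}
    current = GLOBAL
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank lines and comments are ignored
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()  # "[Global Section]" maps onto GLOBAL
            sections.setdefault(current, {})
            continue
        name, sep, value = line.partition("=")    # split at the first "=" only
        if not sep:
            continue                              # not a Policy=Value entry
        sections[current].setdefault(name.strip().lower(), []).append(value.strip())
    return sections


def cli_debug_settings(sections, command):
    """Return (level, logfile) in effect for one command line utility.

    The command's own section overrides the Global Section. Falling back to
    "None" when CLIDebug is absent everywhere is an assumption of this example.
    """
    own = sections.get(command.lower(), {})
    level = (own.get("clidebug") or sections[GLOBAL].get("clidebug") or ["None"])[-1]
    logfile = (own.get("debugfile") or ["QIPHOME/log/%s.log" % command])[-1]
    return level, logfile


def credential_entries(sections):
    """List (section, policy) pairs whose name marks them as password entries."""
    return [(sec, pol) for sec, pols in sections.items()
            for pol in pols if "password" in pol]


if __name__ == "__main__":
    parsed = parse_policy(SAMPLE)
    print(cli_debug_settings(parsed, "qip-syncexternal"))
    print(cli_debug_settings(parsed, "example-command"))
    print(credential_entries(parsed))
```
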
VitalQIP Audit Schedule Service - qip-auditsched

The VitalQIP Audit Schedule Service (qip-auditsched) handles all scheduled events, such as updating the Audit Manager license key and archiving old data. By default, the license is updated every 30 minutes. Each license has a 15 minute grace period.

Behavior of the VitalQIP Audit Schedule Service is controlled by policies in the qip-auditsched.pcy file or, if it is not found, the qip.pcy file, located in the %QIPHOME% (Windows) or $QIPHOME (UNIX) directory. Only one policy file is processed.

The following policies can be part of the qip-auditsched.pcy file or the [VitalQIP Audit Schedule Service] section of the qip.pcy file.

AuditServer
Values: Up to 30 alphanumeric characters
Default value: None
Description: The name of the Audit Manager database server to use if the VitalQIP Login Service is not available.

AuditScheduleUser
Values: Alphanumeric
Default value: None
Description: The name of the Audit Manager user that the service uses to connect to the Audit Manager database.

AuditSchedulePassword
Values: Alphanumeric
Default value: None
Description: Specifies the encrypted password of the Audit Manager Schedule Service administrator.
Debug
Values: The following values can be used for the debug level:
  All - The maximum level of debugging; all levels.
  LevelCritical - A critical error is one that shuts down the program. Only critical messages are logged.
  LevelError - An error has occurred, but the program should continue. Critical messages are included.
  LevelWarning - The program has encountered an unexpected issue but continues. Errors and critical messages are included with these warnings.
  LevelInfo - These are informational messages about the program events and flow. These messages include critical messages, errors, and warnings.
  LevelDebug - Indicates that all levels should be logged.
  None - No debugging. This is the default.
Default value: None
Description: Sets the debug level. Refer to The debug policy section in Chapter 3 of the VitalQIP Administrator Reference Manual.

DebugFile
Values: Relative or absolute filename
Default value: qip-auditsched.log
Description: The filename where the debug output is sent.

LoginServer
Values: Up to 30 alphanumeric characters
Default value: 127.0.0.1
Description: The IP address of the servers running the Login Service. More than one IP address can be specified to minimize VitalQIP's downtime in the event connectivity is lost with the Login Service. Each IP address must be separated by a comma.

DumpStatsOnExit
Values: True/False
Default value: False
Description: If this is set to True, statistics are dumped to the event log when the service exits.
ProcessInterval
Values: Numeric
Default value: 60 seconds
Description: Specifies the interval (in seconds) at which the scheduled events are performed. This value specifies the process interval rather than the sleep time between each event.

LicenseInterval
Values: Numeric
Default value: 1800 seconds (30 minutes)
Description: Specifies the interval (in seconds) at which the License Key is updated. This value must be greater than the ProcessInterval. Any value greater than 1 day is reset to 1 day.

Signal Handling
Signal handling is applicable to UNIX applications only. Signals that are not specified have the default behavior for the applicable OS. To send a signal to a process, run:

kill <signal_type> <pid>

Refer to the following table for the actions associated with each signal.

Table 9-1 Signal types

Signal type  Action
SIGTERM      Used to shutdown the daemon.
SIGUSR1      Dumps statistical information to SYSLOG.
SIGBUS       ***Critical Program Error*** logged to SYSLOG followed by default action.
SIGSEGV      ***Critical Program Error*** logged to SYSLOG followed by default action.
SIGINT       If debugging was enabled on the command line, this signal terminates the application (Ctrl-C). Otherwise, this signal is ignored.
SIGQUIT      Ignored.
SIGHUP       Ignored.

SYSLOG

Important! Refer to the man page for SYSLOG on your respective UNIX OS before reading this section.
This section is only applicable to UNIX. Informational, warning and error messages are logged by this service. The /etc/syslog.conf file must be properly configured for user.info messages. For example, in the syslog.conf, you will have an entry for user.info:

user.info /var/log/mylog

user.warning and user.error messages are logged in the /var/log/mylog file because they provide more severe messages than type info. This file must exist before the daemon (syslogd) is started and writes to the specified log file. After you have edited the file, execute a kill -1 on the process ID of syslogd. This restarts the syslogd daemon. If you configured the syslog.conf correctly, your SYSLOG file looks similar to the following example:

Jul 08:16:25 enterprise1 qip-auditsched[21819]: Started
Jul 08:16:25 enterprise1 qip-auditsched[21819]: Accepting connections
Jul 08:16:25 enterprise1 qip-auditsched[21819]: Established Connection to remote1

The number following the service name (qip-auditsched) is the process ID (pid). For example, the service shown in the previous example can be killed by issuing the command kill 21819. Statistics may be examined by issuing the command kill -USR1 21819. Statistics are sent to the SYSLOG.

Refer to the following table for descriptions of a subset of messages generated by the VitalQIP Audit Schedule Service. Other messages could be logged.

Table 9-2 VitalQIP Audit Schedule Service messages

Message: Service is already running as PID #
Severity: ERROR
Description: According to the file $QIPHOME/etc/qip-auditsched.pid, the process is already running.

Message: ***Critical Program Error***
Severity: ERROR
Description: Program received a SIGSEGV or a SIGBUS. A stack trace is generated on Solaris.

Message: Archiving...
Severity: INFO
Description: The command line utility LAMarchive-export is being called to archive audit data.

Message: Initialization complete
Severity: INFO
Description: The service is running and can log messages.

Message: Stopped
Severity: INFO
Description: A shutdown of the service is imminent.

Message: Using DB Connect information from Login Service.
Severity: INFO
Description: The VitalQIP Login Server was available to supply database connection credentials.

Message: Using DB Connect information from policy file.
Severity: INFO
Description: The VitalQIP Login Server was not available to supply database connection credentials. The credentials from the policy file are being used.

Message: Miscellaneous Stats
Severity: INFO
Description: A SIGUSR1 was sent. Refer to Statistics following.
Statistics
Statistics are a useful tool for troubleshooting problems. For this service, the following statistics are available:
  Total Cycles Completed
  Minimum Cycle Time
  Maximum Cycle Time
  Average Cycle Time

These statistics are dumped to the SYSLOG file when the process receives a SIGUSR1 signal.
VitalQIP Audit Update Service - qip-auditupdated

The default policy file for the VitalQIP Audit Update Service that is processed is qip-auditupdated.pcy, or if it is not found, qip.pcy. This file is found in the %QIPHOME% directory (Windows) or $QIPHOME directory (UNIX). Only one policy file is processed. When creating this file, the [QIP Audit Update Service] section name must precede all policy entries in the file if it is part of qip.pcy. The format of entries in the policy file is Policy=Value. Policies and values are not case-sensitive, and all blank lines and lines beginning with a semicolon (;) are ignored.

[VitalQIP Audit Update Service]

The following policies can be part of the qip-auditupdated.pcy file or the [VitalQIP Audit Schedule Service] section of the qip.pcy file.

Debug
Values: The following values can be used for the debug level:
  All - The maximum level of debugging; all levels.
  LevelCritical - A critical error is one that shuts down the program. Only critical messages are logged.
  LevelError - An error has occurred, but the program should continue. Critical messages are included.
  LevelWarning - The program has encountered an unexpected issue but continues. Errors and critical messages are included with these warnings.
  LevelInfo - These are informational messages about the program events and flow. These messages include critical messages, errors, and warnings.
  LevelDebug - Indicates that all levels should be logged.
  None - No debugging. This is the default.
Default value: None
Description: Sets the debug level. Refer to The debug policy section in Chapter 3 of the VitalQIP Administrator Reference Manual.

DebugFile
Values: Relative or absolute filename
Default value: qip-auditupdated.log
Description: The filename where the debug output is sent.
ListenPort
Values: Ephemeral; any valid port number; any service name in /etc/services
Default value: Ephemeral
Description: This policy specifies the port on which the service listens for messages. Ephemeral indicates that the service will use a port that is dynamically allocated by the operating system. It will register this port with the local message service. To accept messages from previous releases of VitalQIP, set this policy to the service name qip-audup, or the port number 2765. Ports are usually less than 32,000. For more information on message tunneling, refer to Chapter 6 of the VitalQIP Administrator Reference Manual.

Master
Values: True/False
Default value: False
Description: When this tag is set to True, qip-auditupdated runs in Master mode. Under UNIX, a new Audit Update Service is forked for each new connection to a Message Service. This option is case sensitive.

DumpStatsOnExit
Values: True/False
Default value: False
Description: If this is set to True, statistics are dumped to the event log when the service exits.

ConnectQueueDepth
Values: A number between 5 and 1000.
Default value: 5
Description: This option specifies how large to make the pending connection queue. If the queue is too small and the Audit Update Service is busy in a database request, connecting services will start to send error messages.

MaxConnections
Values: A number between 1 and 1014
Default value: 60
Description: This specifies the number of message services that may connect. For Solaris, the number of connections can be changed. Windows cannot have the number of connections changed.
DenyConnectionList
Values: A comma delimited list of IP addresses and CIDR-style IP address ranges; All
Default value: None
Description: This policy does not allow connections from listed IP addresses and networks. An example of listed IP addresses would be:

DenyConnectionList=127.0.0.1,10.0.0.0/8

In this example, connections from the loopback address and the Class A 10 network are not allowed. If this policy is set to All, connections from all IP addresses and networks are not allowed. If AllowConnectionList and DenyConnectionList are set at the same time, AllowConnectionList takes precedence over the DenyConnectionList.

AllowConnectionList
Values: A comma delimited list of IP addresses and CIDR-style IP address ranges; All
Default value: None
Description: This policy allows connections from all listed IP addresses and networks. An example of a list of IP addresses would be:

AllowConnectionList=127.0.0.1,10.0.0.0/8

In this example, connections from the loopback address and the Class A 10 network are allowed. If this policy is set to All, connections from all IP addresses and networks are allowed. If AllowConnectionList and DenyConnectionList are set at the same time, AllowConnectionList takes precedence over the DenyConnectionList.

LoginServer
Values: Up to 30 alphanumeric characters
Default value: 127.0.0.1
Description: The name or address of the server running the VitalQIP Login Service.

AuditUpdatePassword
Values: Alphanumeric
Default value: None
Description: Specifies the encrypted password of the Audit Manager Update Service administrator.
AuditUpdateUser
Values: Alphanumeric
Default value: None
Description: The name of the Audit Manager user that the service uses to connect to the Audit Manager database.

AuditServer
Values: Up to 30 alphanumeric characters
Default value: None
Description: The name of the Audit Manager database server to use if the VitalQIP Login Service is not available.

AlertArgs=SMTPServer
Values: Alphanumeric
Default value: Hostname of the SMTP server
Description: Windows only. The hostname or IP address of the e-mail server to which alerts are to be e-mailed. The value is passed to qip-auditalertuserexit. This is usually defined during the installation of the Audit Manager server.

AlertArgs=SMTPFrom
Values: Alphanumeric
Default value: AuditManager
Description: Windows only. The destination defined by the qip-auditalertuserexit where alerts are passed. The value provides the "From" address for alert e-mail generated by qip-auditalertuserexit.

Signal handling
Signal handling is applicable to UNIX applications only. Signals that are not specified have the default behavior for the applicable OS. To send a signal to a process, run:

kill <signal_type> <pid>

Refer to the following table for the actions associated with each signal.
Table 9-3 Signal types

Signal type  Action
SIGTERM      Used to shutdown the daemon.
SIGUSR1      Dumps statistical information to SYSLOG.
SIGPIPE      Handled.
SIGBUS       ***Critical Program Error*** logged to SYSLOG followed by default action.
SIGSEGV      ***Critical Program Error*** logged to SYSLOG followed by default action.
SIGINT       If debugging was enabled on the command line, this signal terminates the application (Ctrl-C). Otherwise, this signal is ignored.
SIGQUIT      Ignored.
SIGHUP       Rereads the alert configuration from the LAM database.

SYSLOG

Important! Refer to the man page for SYSLOG on your respective UNIX OS before reading this section.

This section is only applicable to UNIX. Informational, warning and error messages are logged by this service. The /etc/syslog.conf file must be properly configured for user.info messages. For example, in the syslog.conf, you have an entry for user.info:

user.info /var/log/mylog

user.warning and user.error messages can be logged to a separate file because they provide more severe messages than type info. This file must exist before the daemon (syslogd) will write to it. After you have edited the file, execute a kill -1 on the process ID of syslogd. This restarts the syslogd daemon. If you configured the syslog.conf correctly, your SYSLOG file will look similar to the following example:

Jul 08:16:25 enterprise1 qip-auditupdated[21407]: Started
Jul 08:16:25 enterprise1 qip-auditupdated[21407]: Accepting connections
Jul 08:16:25 enterprise1 qip-auditupdated[21407]: Established Connection to remote1

The number following the service name (qip-auditupdated) is the process ID (pid). For example, the service shown in the previous example can be killed by issuing the command kill 21407. Statistics may be examined by issuing the command kill -USR1 21407. Statistics are sent to the SYSLOG.

Refer to the following table for descriptions of a subset of messages generated by the VitalQIP Audit Update Service. Other messages may be logged. For more information on stopping services, refer to Start and stop the services (p. 5-5).

Table 9-4 VitalQIP Audit Update Service messages

Message: Service is already running as PID #
Severity: ERROR
Description: According to the file $QIPHOME/etc/qip-auditupdated.pid, the process is already running.

Message: ***Critical Program Error***
Severity: ERROR
Description: Program received a SIGSEGV or a SIGBUS. A stack trace is generated on Solaris.

Message: Could not determine <service> port number
Severity: ERROR
Description: There was no entry for the service in /etc/services.

Message: Failed to load alert filter
Severity: ERROR
Description: There was an internal database error.

Message: Set Socket Option Failure
Severity: ERROR
Description: There was an internal socket error.

Message: Accepting connections
Severity: INFO
Description: The service has initialized and is accepting connections.

Message: Database update failed: Status = <error code>
Severity: INFO
Description: There was an internal database error.

Message: <hostname> <ip address> QIP Audit AlertType=<alert type> MsgType=<message type> Value=<key> Data=<data>
Severity: INFO
Description: The message has triggered an administrative alert.

Message: Stopped
Severity: INFO
Description: A shutdown of the service is imminent.

Message: Using DB Connect information from policy file
Severity: INFO
Description: The VitalQIP Login Server was not available to supply database connection credentials. The credentials from the policy file are being used.

Message: Miscellaneous Stats
Severity: INFO
Description: A SIGUSR1 was sent. Refer to Statistics.

Statistics
Statistics are a useful tool for troubleshooting problems. For this service, the following statistics are available:
  Connected Message Services
  Total Number of Messages Received
  Database Connection Failures
  Database Update Failures

These statistics are dumped to the SYSLOG file when the process receives a SIGUSR1 signal.
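The DenyConnectionList and AllowConnectionList policies of this service interact, so a reviewer checking a proposed pair of values may want to see the outcome for a given source address. The Python sketch below is an added example, not the service's own logic. It assumes "takes precedence" means an address matching both lists is allowed, and it reports an address on neither list as "unlisted" because this guide does not describe that case. It also reports deny entries that can never take effect because an allow entry covers them.

```python
import ipaddress


def parse_connection_list(value):
    """Turn a policy value into 'all', or a list of networks ([] when unset/None)."""
    text = (value or "").strip()
    if not text or text.lower() == "none":
        return []
    if text.lower() == "all":
        return "all"
    # strict=False lets a host address with a prefix (10.1.2.3/8) stand for its network
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in text.split(",") if item.strip()]


def _matches(addr, entries):
    if entries == "all":
        return True
    return any(addr.version == net.version and addr in net for net in entries)


def decide(source_ip, allow_value, deny_value):
    """Return 'allow', 'deny' or 'unlisted' for one source address."""
    addr = ipaddress.ip_address(source_ip)
    if _matches(addr, parse_connection_list(allow_value)):
        return "allow"          # AllowConnectionList takes precedence
    if _matches(addr, parse_connection_list(deny_value)):
        return "deny"
    return "unlisted"           # behaviour for this case is not stated in the guide


def shadowed_denies(allow_value, deny_value):
    """Deny entries that are fully covered by an allow entry and so never apply."""
    allow = parse_connection_list(allow_value)
    deny = parse_connection_list(deny_value)
    if not allow or not deny:
        return []
    if allow == "all":
        return ["All"] if deny == "all" else [str(net) for net in deny]
    if deny == "all":
        return []               # Deny=All still applies to everything not allowed
    return [str(d) for d in deny
            if any(d.version == a.version and d.subnet_of(a) for a in allow)]


if __name__ == "__main__":
    # Constructed values: deny everything except one subnet of message services.
    print(decide("10.100.25.151", "10.100.25.0/24", "All"))
    print(decide("192.0.2.7", "10.100.25.0/24", "All"))
    # A single denied host inside an allowed network is silently ineffective.
    print(shadowed_denies("10.0.0.0/8", "127.0.0.1,10.1.2.3"))
```
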
Audit Alert user exit

The Audit Alert user exit enables an action to be taken when an alert is generated. The Audit Alert user exit emails alerts to a specified email address, which is defined through the GUI (refer to Alert configuration (p. 6-9) for more information).

The VitalQIP Audit Update Service (qip-auditupdated) determines which alert matches alert criteria. The service then:
  Sends a message to the SYSLOG/event log
  Indicates that the event caused an alert in the Audit Manager database
  Calls a user exit for additional processing

During the installation of Audit Manager, a sample Audit Alert user exit, called qip-auditalertuserexit, is installed. The sample user exit sends an email to the specified address when an event occurs. To send an email alert to a particular administrator, the administrator's email address must be configured through the GUI.

In UNIX, qip-auditalertuserexit is a Bourne shell script that calls the local mailer. In Windows, qip-auditalertuserexit.exe is an executable file that composes and sends an e-mail alert.

The command line arguments for qip-auditalertuserexit are a list of attribute value pairs characterizing the event, the alert that it triggered, and any additional data specified by the Audit Update Service. The following table describes the attribute value pairs (each attribute pair is in policy=keyword format) that are understood by both the Windows and UNIX qip-auditalertuserexit.

Important! If you are planning to use your own script, your script should understand the attribute value pairs, as described below.

AlertType
Value: The following alphanumeric values are valid values:
  Hostname
  IP_Address
  MAC_Address
Description: The type of audit alert that this event has triggered.
Trigger
Value: A double quoted string of arbitrary length
Description: The hostname, IP address or MAC address that triggered this event.

Data
Value: A double quoted string of arbitrary length
Description: The user supplied value entered at the Additional text prompt. The example user exit expects this to be an email address.

Sequence
Value: Numeric
Description: The internal number used to sequence audit messages.

MessageType
Value: The following are valid values:
  DHCP_Grant
  DHCP_Renew
  DHCP_Release
  DHCP_Decline
  QIP_Static_Add
  QIP_Static_Delete
  QIP_Static_Modify
  QIP_Dynamic_Add
  QIP_Dynamic_Delete
  QIP_Dynamic_Modify
  NT_Login
  NT_Logout
  Kerberos_Login
  Kerberos_Logout
  QIP_External_Add
  QIP_External_Modify
  QIP_External_Delete
Description: The message type that generated this audit alert.
OrgID
Value: Numeric
Description: Optional. The number of the VitalQIP organization that generated this event.

MacAddr
Value: A double quoted string of 16 hexadecimal digits without colons
Description: Optional. The hardware address of the device that generated this event.

GrantDate
Value: A double quoted string with dates formatted like Fri Sep 13 00:00:00 1986
Description: Optional. The date that the DHCP lease was granted, the VitalQIP object was added, or the Windows login occurred.

ExpirationDate
Value: A double quoted string with dates formatted like Fri Sep 13 00:00:00 1986
Description: Optional. The date that the DHCP lease expired, the VitalQIP object was deleted, or the Windows logout occurred.

Hostname
Value: A double quoted string of arbitrary length
Description: Optional. The host name of the object that generated this event.

Domain
Value: A double quoted string of arbitrary length
Description: Optional. The domain name of the object that generated this event.

ObjIpAddr
Value: An IP address in dotted decimal notation
Description: Optional. The IP address of the object that generated this event.
SrcIPAddr
Value: An IP address in dotted decimal notation
Description: Optional. The IP address of the system that generated this event. This can be the IP address of a DHCP server, Windows Domain Controller, or VitalQIP client.

LoginName
Value: A double quoted string of arbitrary length
Description: Optional. The login name associated with an object in VitalQIP, or the login name of a user logging onto a Windows domain.

FirstName
Value: A double quoted string of arbitrary length
Description: Optional. The first name associated with an object in VitalQIP, or the full name of a user logging onto a Windows domain.

LastName
Value: A double quoted string of arbitrary length
Description: Optional. The last name associated with an object in VitalQIP.

GenStorage
Value: A double quoted string of arbitrary length
Description: Optional. The name of a Windows domain where a Windows logon or a Windows logout has occurred.

BillingLocation
Value: A double quoted string of arbitrary length
Description: The location name of the Usage Billing Service. For additional information on Usage Billing Service, refer to the VitalQIP Help Screens.

BillingObjectClass
Value: A double quoted string of arbitrary length
Description: The object class of the Usage Billing Service. For additional information on Usage Billing Service, refer to the VitalQIP Help Screens.
BillingGroup
Value: A double quoted string of arbitrary length
Description: The user group of the Usage Billing Service. For additional information on Usage Billing Service, refer to the VitalQIP Help Screens.

IPXNumber
Value: Numeric
Description: The IPX network number of an object. For additional information on Usage Billing Service, refer to the VitalQIP Help Screens.

IPXNode
Value: A double quoted string of arbitrary length
Description: The IPX node of an object. For additional information on Usage Billing Service, refer to the VitalQIP Help Screens.

Option82
Value: Hexadecimal blob
Description: Optional. The raw data comprising the Option 82 data (Circuit ID, Remote ID, Device Class, and Link Selection).

The qip-auditalertuserexit for Windows also understands the following entries.

SMTPServer
Value: A fully qualified domain name or IP address
Description: Optional and Windows only. The hostname or address of the mail server used to deliver messages.

SMTPFrom
Value: An e-mail address
Description: Optional and Windows only. The name to use as the SMTP From address.

These additional entries can be added to the qip.pcy file in the [VitalQIP Audit Update Service] using the AlertArgs policy. For example:

AlertArgs = SMTPServer=smtphost.mydomain.com
AlertArgs = SMTPFrom=AuditManager

These entries are defined during the installation process of the Audit Manager enterprise server, but may be changed if the SMTP server has changed since the installation of the Audit Manager enterprise server.
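A replacement user exit receives values that originate from audited hosts and from the Additional text prompt, so it should check each attribute before using it in a mail header. The Python sketch below is an added example, not the sample exit shipped with Audit Manager. It assumes each pair arrives as one argument of the form Name=Value with optional surrounding double quotes, treats the five attributes not marked Optional in the first entries of the table (AlertType, Trigger, Data, Sequence, MessageType) as required, and builds the message without sending it. The sample arguments and the subject wording are constructed.

```python
import ipaddress
import re
from email.message import EmailMessage

ALERT_TYPES = {"Hostname", "IP_Address", "MAC_Address"}
MESSAGE_TYPES = {
    "DHCP_Grant", "DHCP_Renew", "DHCP_Release", "DHCP_Decline",
    "QIP_Static_Add", "QIP_Static_Delete", "QIP_Static_Modify",
    "QIP_Dynamic_Add", "QIP_Dynamic_Delete", "QIP_Dynamic_Modify",
    "NT_Login", "NT_Logout", "Kerberos_Login", "Kerberos_Logout",
    "QIP_External_Add", "QIP_External_Modify", "QIP_External_Delete",
}
REQUIRED = ("AlertType", "Trigger", "Data", "Sequence", "MessageType")  # assumption
IP_FIELDS = ("ObjIpAddr", "SrcIPAddr")
EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")

# Constructed arguments, reusing values from the sample Alert Audit report.
SAMPLE_ARGV = [
    "AlertType=IP_Address", 'Trigger="135.114.106.41"',
    'Data="bschear@example.com"', "Sequence=1042", "MessageType=DHCP_Grant",
    "ObjIpAddr=135.114.106.41", "SrcIPAddr=10.100.25.151",
    'Hostname="wsp000019wss"',
]


def parse_pairs(argv):
    """Split Name=Value arguments at the first '=' and strip one pair of quotes."""
    attrs = {}
    for arg in argv:
        name, sep, value = arg.partition("=")
        if not sep or not name:
            raise ValueError("not an attribute=value pair: %r" % arg)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        attrs[name] = value
    return attrs


def validate(attrs):
    """Return a list of problems; an empty list means the alert can be mailed."""
    problems = ["missing " + name for name in REQUIRED if name not in attrs]
    for name, value in attrs.items():
        # CR, LF and other control characters must never reach a mail header
        if any(ord(ch) < 32 or ord(ch) == 127 for ch in value):
            problems.append(name + " contains a control character")
    if "AlertType" in attrs and attrs["AlertType"] not in ALERT_TYPES:
        problems.append("unknown AlertType")
    if "MessageType" in attrs and attrs["MessageType"] not in MESSAGE_TYPES:
        problems.append("unknown MessageType")
    if "Sequence" in attrs and not attrs["Sequence"].isdigit():
        problems.append("Sequence is not numeric")
    for name in IP_FIELDS:
        if name in attrs:
            try:
                ipaddress.IPv4Address(attrs[name])
            except ValueError:
                problems.append(name + " is not a dotted decimal IP address")
    if "Data" in attrs and not EMAIL.fullmatch(attrs["Data"]):
        problems.append("Data is not a single e-mail address")
    return problems


def build_alert(argv, sender="AuditManager"):
    """Validate the arguments and return the e-mail message; nothing is sent."""
    attrs = parse_pairs(argv)
    problems = validate(attrs)
    if problems:
        raise ValueError("; ".join(problems))
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = attrs["Data"]
    msg["Subject"] = "QIP Audit alert %s: %s %s" % (
        attrs["Sequence"], attrs["AlertType"], attrs["Trigger"])
    msg.set_content("\n".join("%s=%s" % pair for pair in sorted(attrs.items())))
    return msg


if __name__ == "__main__":
    print(build_alert(SAMPLE_ARGV))
```
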
VitalQIP Domain Controller Logon Audit Service

The default policy file for the VitalQIP Domain Controller Logon Service is qip-dclas.pcy, or if it is not found, qip.pcy. This file is found in the %QIPHOME% (Windows) directory. Only one policy file is processed. The following policies are available.

Debug
Values: The following values can be used for the debug level:
  All - The maximum level of debugging; all levels.
  LevelCritical - A critical error is one that shuts down the program. Only critical messages are logged.
  LevelError - An error has occurred, but the program should continue. Critical messages are included.
  LevelWarning - The program has encountered an unexpected issue but continues. Errors and critical messages are included with these warnings.
  LevelInfo - These are informational messages about the program events and flow. These messages include critical messages, errors, and warnings.
  LevelDebug - Indicates that all levels should be logged.
  None - No debugging. This is the default.
Default value: None
Description: Sets the debug level. Refer to The debug policy section in Chapter 3 of the VitalQIP Administrator Reference Manual.

DebugFile
Values: Relative or absolute filename
Default value: qip-dclas.log
Description: The filename where the debug output is sent.

Message_Server_Address
Values: Numeric
Default value: 127.0.0.1
Description: The address of the machine that contains the Message Service for the Domain Controller.
Message_Server_Port
  Values: Numeric
  Default value: Value determined by entry in WINNT/system32/drivers/etc/services on Windows NT or etc/services on UNIX for this policy.
  Description: Specifies on what port the service will send audit updates.

OrgID
  Values: Numeric
  Default value: 1
  Description: ID number of an organization.

SendLogon
  Values: True or False
  Default value: True
  Description: Sends login audit packets to the Message Service.

SendLogout
  Values: True or False
  Default value: True
  Description: Sends login audit packets to the Message Service.

Domain_Controller_Address
  Values: IP address in dotted decimal notation
  Default value: None
  Description: The address that the Domain Controller identifies itself by default. The name is determined by gethostname.

Resolve_Client_MAC
  Values: True or False
  Default value: True
  Description: Determines whether the lamdclas.dll (VitalQIP Domain Controller Logon Audit Service) attempts to resolve the client's MAC address through WINS.
Resolve_Client_IP
  Values: True or False
  Default value: True
  Description: Determines whether the lamdclas.dll (VitalQIP Domain Controller Logon Audit Service) attempts to resolve the client's IP address through winsock2.

The VitalQIP Domain Controller Logon Audit Service can be reconfigured by changing the qip.pcy file and restarting the machine. When restarted, the Domain Controller Logon Audit Service overwrites the current log file.

To create a user that will trigger the restart of the service, run the User Manager for Domains (Start > Programs > Administrative Tools (Common) > User Manager For Domains). Create a user (User > New User) with the Description field set to QIPDCLASRestart. When this user logs into the Windows Domain, the Domain Controller Logon Audit Service restarts.

Logins from users with the QIPDCLASRestart directive restart the VitalQIP Domain Controller Logon Audit Service from anywhere in the Windows Domain. When logging onto a Windows Domain with multiple Domain Controllers, it is best to log onto the Domain Controller's console. This ensures that the specific Domain Controller's service will restart when the logon request is serviced locally.

To uninstall the service, follow these steps:
1. From the Windows Start menu, select Run.
2. In the Open field, enter regedt32 and click OK.
3. Expand the HKEY_LOCAL_MACHINE.
4. Select the following registry key directory: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\Auth0
5. From the Edit menu, select Delete.
6. In the Warning screen, click Yes.
7. Restart the domain controller.
VitalQIP Kerberos Domain Controller Logon Audit Service

The default policy file for the VitalQIP Kerberos Domain Controller Logon Service is qipkdclas.pcy, or if it is not found, qip.pcy. This file is found in the %QIPHOME% (Windows) directory. Only one policy file is processed. The following policies are available.

Debug
  Values: The following values can be used for the debug level:
    All - The maximum level of debugging; all levels.
    LevelCritical - A critical error is one that shuts down the program. Only critical messages are logged.
    LevelError - An error has occurred, but the program should continue. Critical messages are included.
    LevelWarning - The program has encountered an unexpected issue but continues. Errors and critical messages are included with these warnings.
    LevelInfo - These are informational messages about the program events and flow. These messages include critical messages, errors, and warnings.
    LevelDebug - Indicates that all levels should be logged.
    None - No debugging. This is the default.
  Default value: None
  Description: Sets the debug level. Refer to "The debug policy" section in Chapter 3 of the VitalQIP Administrator Reference Manual.

DebugFile
  Values: Relative or absolute filename
  Default value: qip-kdclas.log
  Description: The filename where the debug output is sent.

Message_Server_Address
  Values: Numeric
  Default value: 127.0.0.1
  Description: The address of the machine that contains the Message Service for the Domain Controller.
Message_Server_Port
  Values: Numeric
  Default value: Value determined by entry in WINNT/system32/drivers/etc/services on Windows NT or etc/services on UNIX for this policy.
  Description: Specifies on what port the service will send audit updates.

OrgID
  Values: Numeric
  Default value: 1
  Description: ID number of an organization.

SendLogon
  Values: True or False
  Default value: True
  Description: Sends login audit packets to the Message Service.

SendLogout
  Values: True or False
  Default value: True
  Description: Sends login audit packets to the Message Service.

Domain_Controller_Address
  Values: IP address in dotted decimal notation
  Default value: None
  Description: The address that the Domain Controller identifies itself by default. The name is determined by gethostname.

Resolve_Client_MAC
  Values: True or False
  Default value: True
  Description: Determines whether the lamdclas.dll (VitalQIP Domain Controller Logon Audit Service) attempts to resolve the client's MAC address through WINS.
Resolve_Client_IP
  Values: True or False
  Default value: True
  Description: Determines whether the lamdclas.dll (VitalQIP Domain Controller Logon Audit Service) attempts to resolve the client's IP address through winsock2.

The VitalQIP Kerberos Domain Controller Logon Audit Service can be reconfigured by changing the qip.pcy file and restarting the machine. When restarted, the Domain Controller Logon Audit Service overwrites the current log file.

To create a user that will trigger the restart of the service, run the User Manager for Domains (Start > Programs > Administrative Tools (Common) > User Manager For Domains). Create a user (User > New User) with the Description field set to QIPDCLASRestart. When this user logs into the Windows Domain, the Domain Controller Logon Audit Service restarts.

Logins from users with the QIPDCLASRestart directive restart the VitalQIP Domain Controller Logon Audit Service from anywhere in the Windows Domain. When logging onto a Windows Domain with multiple Domain Controllers, it is best to log onto the Domain Controller's console. This ensures that the specific Domain Controller's service will restart when the logon request is serviced locally.

To uninstall the service, follow these steps:
1. From the Windows Start menu, select Run.
2. In the Open field, enter regedt32 and click OK.
3. Expand the HKEY_LOCAL_MACHINE.
4. Select the following registry key directory: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0\Auth0
5. From the Edit menu, select Delete.
6. In the Warning screen, click Yes.
7. Restart the domain controller.
10 Command Line Interface

Overview

Purpose
The command line interface (CLI) provides an alternative process to using the Audit Manager GUI. Commands provide the ease of using a prompt to carry out functions. The commands provide the following capabilities:
  Importing organizations
  Retrieving and importing administrator or user information
  Importing data from VitalQIP
  Changing passwords
  Retrieving and setting the alert options
  Retrieving and setting archive options

Contents
This information presents the following topics.
  Audit Manager commands
  enterlamobj
  enterlamorg
  enterlamuser
  exportqipobj4lam
  LAMarchive-concatenate
  lam-changepassword
  lam-getalerts
  lam-getarchiveset
  lam-getaudithistorydata
  lam-getuser
  lam-getuserlst
  lam-setalerts
  lam-setarchiveset
  LAMsync
  qip-crypt
  lam-export
  lam-import
Audit Manager commands

Overview
The command line interface (CLI) provides an alternative process to using the Audit Manager GUI. Commands provide the ease of using a prompt to carry out functions. The commands provide the following capabilities:
  Importing organizations
  Retrieving and importing administrator or user information
  Importing data from VitalQIP
  Changing passwords
  Retrieving and setting the alert options
  Retrieving and setting archive options

Command execution location
Commands are executable from various places depending on the platform and command. Refer to the following table to determine from where you should be executing the commands.

Table 10-1 Command execution location by platform
  Platform: Windows Audit Manager enterprise server
  Command: lam-dbinit lam-export lam-import LAMarchive-concatenate LAMsync
  Execute from: %QIPHOME%\AuditManager %QIPHOME%\AuditManager\utils
  Platform: UNIX Audit Manager enterprise server
  Command: exportqipobj4lam enterlamobj enterlamorg enterlamuser lam-changepassword lam-getalerts lamgetaudithistorydata lam-getarchiveset lam-getuser lam-getuserlst lam-setalerts lam-setarchiveset qip-crypt LAMarchive-concatenate LAMsync lam-dbinit lam-export lam-import All commands
  Execute from: %QIPHOME%\cli %QIPHOME%\AuditManager\cli $QIPHOME/AuditManager/utils $QIPHOME/AuditManager/scripts $QIPHOME/AuditManager/usr/bin $QIPHOME/usr/bin

Common arguments/parameters

Important! All data lines must end in a carriage return, or they are not imported.

For all commands, the date and year format must be mm/dd/yyyy. If you do not use mm/dd/yyyy, the command is rejected and an error message is displayed.

The [-o organization] parameter is case sensitive for all commands.

The parameters described in the following table are valid for all CLI commands.

Table 10-2 Valid CLI command parameters
  -g loginserver  Specifies the VitalQIP login server's IP address. This value is the equivalent of the LOGIN environment variable.
  -s servername  Specifies the server to operate on.
  -u username  Specifies the user ID for the database.
  -p password  Specifies the user password for the database.
  -o organization  Specifies the organization on which to operate.
  -? or -h  Displays the parameter syntax (to assist you in coding the command).
  -v  Displays version information for the CLI command.

  Important note:
    Optional if the appropriate value is defined in your policy file (qip.pcy).*
    Optional if the appropriate value is defined in your policy file (qip.pcy).*
    Optional if the appropriate value is defined in your policy file (qip.pcy).*
    Enter -? or -h to display the syntax without processing the command.

Important! * A value must be provided. If the appropriate value is not defined in your policy file (qip.pcy), specify it in this parameter. If this parameter is omitted, the CLI command looks for the value in the qip.pcy file.

Notation key
To make it easier for you to code the parameters, this manual uses the notations described in Table 10-3 when explaining the synopsis of each CLI command.

Table 10-3 Synopsis notation conventions
  Bold
    Used for directories, filenames, commands, and parameters. Type the boldface term as it appears in the Synopsis.
    Example: Type qip-dbinit as: qip-dbinit
  Italics
    Used to show generic arguments and options; replace these with your own values.
    Example: Type -i input_filename as: -i input1.txt
    Note: Italics are also used to highlight comments in input and output examples.
  [ ]
    Used to surround optional elements in a description of syntax. (Do not type the brackets themselves.)
    Example: Type [-m] as: -m
  |
    Used in syntax descriptions to separate items for which only one alternative can be chosen at a time.
    Example: Type -t active | expired | all as: -t active or -t expired or -t all
  Constant width
    Used to show the contents of files or the output from commands.
enterlamobj

enterlamobj is used for the initial import of object information to the Audit Manager database. All objects are entered as VitalQIP Static Address Adds and VitalQIP Dynamic Address Adds. The exportqipobj4lam command provides the VitalQIP format file to use with this command. Refer to exportqipobj4lam (p. 10-14) for more information.

Synopsis
enterlamobj [-g loginserver] [-s servername] -u username -p password -f input_file [-r reject_file] [-e errmsg_file]

Parameters
enterlamobj recognizes the following options:
  -g loginserver  The VitalQIP login server's IP address.
  -s servername  The Audit Manager database server name.
  -u username  An Audit Manager user name.
  -p password  An Audit Manager password for the user name.
  -f input_file  A directory and filename of the input data.
  -r reject_file  A directory and file name of the rejected records. The default is STDERR.
  -e errmsg_file  The filename to which this command will write error messages if they occur. The default is STDERR.

Refer to the following table for the format of the LAM Object data file.

Table 10-4 LAM Object data file format

Message Type ID
  Value type: [M] numeric (1 char)
  Description: The message type of the process (the valid value for this process is 5 or 8).

Organization Name
  Value type: [M] text (up to 32 char)
  Description: Enter the organization name.

MAC Address
  Value type: [O] 12 or 16 hex
  Description: The MAC address of the object.

Object IP address
  Value type: [M] dotted decimals (up to 15 digits)
  Description: The object's IP address.

Object Name
  Value type: [O] text (up to 32)
  Description: The name of the object.

Domain Name
  Value type: [O] text (up to 60)
  Description: Domain name of the object.

Source IP address
  Value type: [O] dotted decimals (up to 15 digits)
  Description: The IP address of object data source.
Login Name
  Value type: [O] text (up to 31)
  Description: Login name of the responsible user.

Lease grant time
  Value type: [M] mm/dd/yyyy HH:MM:SS
  Description: The date/time the lease was granted.

Lease expire time
  Value type: [M] mm/dd/yyyy HH:MM:SS
  Description: The date/time that the lease will expire (enter unlimited for unlimited leases).

Billing Status
  Value type: [O] 1/0 or On/Off
  Description: Determines if the Usage Billing Service is turned on or off.

Billing Location
  Value type: [O] up to 16 char
  Description: Billing location the object is assigned to.

Billing user group
  Value type: [O] up to 16 char
  Description: Billing user group the object is assigned to.

Billing object class
  Value type: [O] up to 32 char
  Description: Billing object class the object is assigned to.

Important! All data lines must end in a carriage return or they will not be imported.

Data file format example
5,QIPOrg,001122334455,144.144.144.1,,qtek.com,144.144.100.0,psl1,05/22/1999 12:00,unlimited

Command line input example
enterlamobj -f c:\data\home\input.txt -u lamman -p lamman
enterlamorg

enterlamorg imports organization information into the Audit Manager database. The VitalQIP command exportorganization creates a format file that can be used with the enterlamorg command. For more information about the exportorganization command, refer to the VitalQIP Command Line Interface User's Guide.

Synopsis
enterlamorg [-g loginserver] [-s servername] -u username -p password -f input_file [-r reject_file] [-e errmsg_file]

Parameters
enterlamorg recognizes the following options:
  -g loginserver  The VitalQIP login server's IP address.
  -s servername  The Audit Manager database server name.
  -u username  An Audit Manager user name.
  -p password  An Audit Manager password.
  -f input_file  A directory and filename of the input data.
  -r reject_file  A directory and filename of the rejected records.
  -e errmsg_file  The filename to which this command will write error messages if they occur. The default is STDERR.

Refer to the following table for the format of the organization data file.
Table 10-5 Organization data file format

Organization ID
  Value type: [M] numeric
  Description: exportorganization and enterlamorg have been updated to handle the Organization ID in order to keep the Organization IDs in sync between VitalQIP and Audit Manager. There are four possible scenarios for the organization name and ID data contained in the input file:
    1. New ID and new name - The name and ID get inserted into the Audit Manager database.
    2. New ID and existing name - A duplicate name error is given which directs the user to run LAMsync.
    3. Existing ID and new name - The organization name in the Audit Manager database is replaced with the organization name from the input file. A warning is given.
    4. Existing ID and existing name - If the name/id pair matches up with a name/id pair in the Audit Manager database, the name/id pair is saved (in case the Description has changed). If there is an existing name and ID in the LAM database but they are in separate records (that is, not a pair), an error is generated.
  A utility called LAMsync can be run if problems arise with synchronizing an existing LAM database. Refer to LAMsync (p. 10-34) for more information.

Organization Name
  Value type: [M] text (32 char)
  Description: The Organization name.

Description
  Value type: [O] text (255 char)
  Description: The description of the organization.
Maximum Objects
  Value type: [M] numeric
  Description: Defines the number of objects that can exist for the organization. An entry of zero indicates that there is no limit. If an administrator tries to add more objects than the limit, an error message is displayed.
  Important! The objects that are counted are static and dynamic objects. Reserved, planned to use, selected and unused objects are not counted.

Important! All data lines must end in a carriage return or they will not be imported.

Data file format example for input.txt
1,Example, the Example Corporation,0
2, QIP Org, the QIP Organization,0

Command line input example
enterlamorg -u lamman -p lamman -f c:\data\home\input.txt
enterlamuser

enterlamuser imports administrator or user information to the Audit Manager database. You do not need to specify an organization for type admin since Administrators are automatically associated with all organizations.

Important! Only users with administrative status may use this command. Refer to User management (p. 6-13) for more information.

Synopsis
enterlamuser [-g loginserver] [-s servername] -u username -p password -f input_filename [-r reject_file] [-e errmsg_file]

Parameters
enterlamuser recognizes the following options:
  -g loginserver  The VitalQIP login server's IP address.
  -s servername  The Audit Manager database server name.
  -u username  An Audit Manager user name.
  -p password  An Audit Manager password.
  -f input_file  A directory and filename of the input data.
  -r reject_file  A directory and filename of the rejected records.
  -e errmsg_file  The filename where error messages are written if they occur. The default is STDERR.

Refer to Table 10-6 for the format of the User data file.

Table 10-6 User data file format

Login Name
  Value type: [M] text (30 char)
  Description: The name the user uses to log in.

Password
  Value type: [M] text (10 char)
  Description: The password the user uses to log in.

User Type
  Value type: [M] text (30 char)
  Description: Type of user (admin or user).

Organization Name
  Value type: [M] text (32 char)
  Description: The organization name.

Important! All data lines must end in a carriage return, or they will not be imported.

Data file format example for lamobj.csv
lamadmin1,lamadmin1,user, QIP Organization, org2, org3, Test Org
lamuser2,lamuser2,user, LAM Organization, org2
admin3,admin3,user, org2
admin4,admin4,admin

Command line input example
enterlamuser -f /home/qip/lam/lamobj.csv -u lamman -p lamman
exportqipobj4lam

exportqipobj4lam is the command for exporting VitalQIP object information into LAM CSV format. Static objects exported from VitalQIP database into the Audit Manager database are entered into the database as VitalQIP Static Address Add. Dynamic objects exported from VitalQIP database into the Audit Manager database are entered into the database as VitalQIP Dynamic Address Add. GAP (Global Allocation Policy), reserved, and planned moved objects, along with any dynamic objects that do not have a MAC address assigned to them, will not be exported.

Synopsis
exportqipobj4lam [-g loginserver] [-s servername] [-u username] [-p password] [-f filename] [-o organization]

Parameters
exportqipobj4lam recognizes the following options:
  -g loginserver  The VitalQIP login server's IP address.
  -s servername  VitalQIP database server name.
  -u username  A VitalQIP user name.
  -p password  A VitalQIP password.
  -f filename  A directory and filename of the output data.
  -o organization  An organization name.

Refer to the following table for the format of the VitalQIP Object data file.

Table 10-7 VitalQIP Object data file format

Message Type ID
  Value type: [M] numeric (1 char)
  Description: The message type of the process (the valid value for this process is 5 or 8).

Organization Name
  Value type: [M] text (up to 32 char)
  Description: Enter the organization name.

MAC Address
  Value type: [O] 12 or 16 hex
  Description: The MAC address of the object.

Object IP address
  Value type: [M] dotted decimals (up to 15 digits)
  Description: The object IP address.

Object Name
  Value type: [O] text (up to 32)
  Description: The name of the object.

Domain Name
  Value type: [O] text (up to 60)
  Description: Domain name of the object.
Source IP address
  Value type: [O] dotted decimals (up to 15 digits)
  Description: The IP address of object data source. When exporting from a VitalQIP database, the source IP address field always contains a local host value of 127.0.0.1. This information is not stored in the VitalQIP database.

Login Name
  Value type: [O] text (up to 31)
  Description: Log in name of the responsible user.

Lease grant time
  Value type: [M] mm/dd/yyyy HH:MM:SS
  Description: The date/time the lease was granted.

Lease expire time
  Value type: [M] mm/dd/yyyy HH:MM:SS
  Description: The date/time the lease will expire (enter unlimited for unlimited leases).

Billing Status
  Value type: [O] 1/0 or On/Off
  Description: Determines if the Usage Billing Service is turned on or off.

Billing Location
  Value type: [O] up to 16 char
  Description: Billing location the object is assigned to.

Billing user group
  Value type: [O] up to 16 char
  Description: Billing user group the object is assigned to.

Billing object class
  Value type: [O] up to 32 char
  Description: Billing object class the object is assigned to.

Important! All data lines must end in a carriage return, or they will not be imported.

Output example
5,QIPOrg,001122334455,144.144.144.1,,qtek.com,0,psl1,05/22/1999 12:00,unlimited

Command line input example
exportqipobj4lam -s qipserver -f /home/qip/lam/lamobj.csv
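Added example (not part of the guide and not Alcatel-Lucent code): a pre-import check for the object data file described in Table 10-4 and Table 10-7, so that malformed lines are found before enterlamobj writes them to its reject file. The function names are hypothetical. It assumes that the trailing billing fields may be left off, as in the guide's sample line, that either a CR or LF terminator satisfies the carriage-return rule, and that HH:MM is accepted as well as HH:MM:SS because the guide's sample uses it.

```python
import csv
import re
from datetime import datetime

# (name, mandatory, maximum length or None), in the order given by Table 10-4.
FIELDS = [
    ("Message Type ID", True, 1), ("Organization Name", True, 32),
    ("MAC Address", False, 16), ("Object IP address", True, 15),
    ("Object Name", False, 32), ("Domain Name", False, 60),
    ("Source IP address", False, 15), ("Login Name", False, 31),
    ("Lease grant time", True, None), ("Lease expire time", True, None),
    ("Billing Status", False, None), ("Billing Location", False, 16),
    ("Billing user group", False, 16), ("Billing object class", False, 32),
]
MIN_FIELDS = 10  # assumption: the guide's sample line stops after the lease fields
STAMP = re.compile(r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}(:\d{2})?")


def parse_stamp(text):
    """Return a datetime for mm/dd/yyyy HH:MM[:SS], or None if malformed."""
    if not STAMP.fullmatch(text):
        return None
    fmt = "%m/%d/%Y %H:%M:%S" if text.count(":") == 2 else "%m/%d/%Y %H:%M"
    try:
        return datetime.strptime(text, fmt)
    except ValueError:  # right shape, impossible date (month 13, day 32, ...)
        return None


def is_dotted_decimal(text):
    parts = text.split(".")
    return len(parts) == 4 and all(
        p.isdigit() and len(p) <= 3 and int(p) <= 255 for p in parts)


def validate_line(raw):
    """Return the problems found in one raw data line (terminator included)."""
    problems = []
    if not raw.endswith(("\r", "\n")):
        problems.append("line has no terminator and would not be imported")
    row = next(csv.reader([raw.rstrip("\r\n")]), [])
    if not MIN_FIELDS <= len(row) <= len(FIELDS):
        return problems + [
            f"expected {MIN_FIELDS}-{len(FIELDS)} fields, found {len(row)}"]
    row += [""] * (len(FIELDS) - len(row))
    for (name, mandatory, limit), value in zip(FIELDS, row):
        if mandatory and not value:
            problems.append(f"{name}: mandatory field is empty")
        if limit and len(value) > limit:
            problems.append(f"{name}: longer than {limit} characters")
    msg_type, _, mac, obj_ip, _, _, src_ip, _, grant, expire, billing = row[:11]
    if msg_type and msg_type not in ("5", "8"):
        problems.append("Message Type ID: must be 5 or 8")
    if mac and not re.fullmatch(r"[0-9A-Fa-f]{12}|[0-9A-Fa-f]{16}", mac):
        problems.append("MAC Address: must be 12 or 16 hex digits")
    for name, value in (("Object IP address", obj_ip),
                        ("Source IP address", src_ip)):
        if value and not is_dotted_decimal(value):
            problems.append(f"{name}: not a dotted-decimal address")
    granted = parse_stamp(grant)
    if grant and granted is None:
        problems.append("Lease grant time: not mm/dd/yyyy HH:MM:SS")
    if expire and expire != "unlimited":
        expires = parse_stamp(expire)
        if expires is None:
            problems.append("Lease expire time: not mm/dd/yyyy HH:MM:SS")
        elif granted and expires < granted:
            problems.append("Lease expire time: earlier than the grant time")
    if billing and billing.lower() not in ("1", "0", "on", "off"):
        problems.append("Billing Status: must be 1/0 or On/Off")
    return problems


def validate_file(text):
    """Map 1-based line numbers to their problems; clean lines are omitted."""
    report = {}
    for number, raw in enumerate(text.splitlines(keepends=True), start=1):
        found = validate_line(raw)
        if found:
            report[number] = found
    return report


# Line 1 is the guide's sample; lines 2 and 3 are constructed for this example.
SAMPLE = (
    "5,QIPOrg,001122334455,144.144.144.1,,qtek.com,144.144.100.0,psl1,"
    "05/22/1999 12:00,unlimited\r\n"
    "8,QIPOrg,,10.0.0.5,host1,example.test,,,05/22/1999 12:00:00,"
    "05/21/1999 12:00:00,On\n"
    "7,QIPOrg,00112233445,144.144.144.300,,qtek.com,,psl1,"
    "5/22/1999 12:00,05/21/1999 12:00"
)

if __name__ == "__main__":
    for number, found in validate_file(SAMPLE).items():
        print(number, found)
```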
LAMarchive-concatenate

LAMarchive-concatenate joins together two or more archive tables into one table. After the tables are combined, the following three default output files are created:
  LAMar_triggered_comb.yyyymmddHHMMSS.yyyymmddHHMMSS.qef
  LAMar_audit_comb.yyyymmddHHMMSS.yyyymmddHHMMSS.qef
  LAMar_search_comb.yyyymmddHHMMSS.yyyymmddHHMMSS.qef

The time stamps included in these file names specify the overall start and end dates of the record set contained within the file, where
  yyyy = year
  mm = month (01-12)
  dd = day (01-31)
  HH = hour (00-23)
  MM = minutes (00-59)
  SS = seconds (00-59)

Synopsis
LAMarchive-concatenate [-d directory] [-y year] [-m month] [-f from_datetime] [-t to_datetime] [-i {datetime[, ]}] [-o output_file]

Parameters
  -d directory  The archive directory. If not specified, the current directory is used.
  -y year  The year the combined files summarize. The year must be entered in yyyy format (for example, 1999). If the -y parameter is not specified, the current year is used.
  -m month  The month the combined files summarize. The month must be entered in mm format (for example, 01). If the -m parameter is not specified, the current month is used.
  -f from_datetime  The starting date and time of the combined file set. The date and time must be entered in yyyymmhhmmss format (for example, 20040301201644). If the -t parameter is not specified, all the files after the specified date and time are joined. The -y, -m, and -i parameters should not be used with this parameter.
  -t to_datetime  The ending date and time of the combined file set. The date and time must be entered in yyyymmhhmmss format (for example, 20040331210922). The -y, -m, and -i parameters should not be used with this parameter.
  -i datetime1[, ]  The date[time] of archive files that are to be joined. Each specified date[time] should be separated by a comma. If time is not provided, all archive files in that date are concatenated. The -y, -m, -f, and -t parameters should not be used with this parameter.
  -o filename  Enter the data output file name. If the -o option is used, the files created are given the prefix LAMar_audit, LAMar_search, and LAMar_triggered with the extension .qef. The created files follow the following format:
    LAMar_audit.[specified file name].qef
    LAMar_search.[specified file name].qef
    LAMar_triggered.[specified file name].qef

Important! The search options in this utility operate on the starting date component of the file name.

Command line input example
LAMarchive-concatenate -d /home/usr/tmp/ -i 1999071245,1999072337,1999081620 -o AuditManageArchive

Output example
The following is an output example for LAMar_triggered.AManageArchive.qef:
AUDIT_NUM,ALERT_TYPE,ALERT_VALUE,ARCHIVE_DATE
303,2,"10.58.206.12",04/09/2004 12:53:41

The following is an output example for LAMar_audit.AManageArchive.qef:
AUDIT_NUM,MESSAGE_TYPE_ID,ORG_ID,MAC_ADDR,OBJ_IP_ADDR,OBJ_NAME,DOMN_NAME,SRC_IP_ADDR,LOGIN_NAME,GRANT_DATE,EXPIRATION_DATE,GENERIC_VALUE,UBI_FLAG,UBI_LOC,UBI_USRGRP,UBI_OBJCLASS,IPX_NAME,NETWORK_NUM,FIRST_NAME,LAST_NAME,AUDIT_DATE,OP82_CIRCUIT_ID,OP82_REMOTE_ID,OP82_DEVICE_CLASS,OP82_LINK_SELECT,OP82_RAW_DATA,ARCHIVE_DATE
303,1,2,"0006000000aa",171626079,"dhcp-client-00aa","qa.quadritek.com",180899850,,04/05/2004 20:50:56,04/05/2004 23:50:56,,0,,,,,0,,,04/05/2004 20:50:57,"abcdef","00aa00060000","1","10.58.164.5","0103abcdef020600aa0006000004040000000105040a3aa405",04/09/2004 12:53:41

The following is an output example for LAMar_search.AManageArchive.qef:
AUDIT_NUM,SEARCH_OBJ_NAME,SEARCH_DOMN_NAME,SEARCH_LOGIN_NAME,SEARCH_OP82_CIRCUIT_ID,SEARCH_OP82_REMOTE_ID,ARCHIVE_DATE
303,"DHCP-CLIENT-00AA","QA.QUADRITEK.COM",,"ABCDEF","00AA00060000",04/09/2004 12:53:41
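Added example (not part of the guide and not Alcatel-Lucent code): the OP82_RAW_DATA column of the LAMar_audit archive row above is a sequence of code/length/value sub-options, and decoding it reproduces the four parsed OP82 columns, which gives a consistency check for archived records. Sub-option codes 1 and 2 come from RFC 3046, 4 from RFC 3256 and 5 from RFC 3527. The function names are hypothetical, and the rendering (hex for the IDs, decimal for the device class, dotted decimal for link selection) is inferred from the guide's sample row.

```python
import csv
import ipaddress

# Sub-option code -> archive column that should hold its parsed value.
COLUMNS = {1: "OP82_CIRCUIT_ID", 2: "OP82_REMOTE_ID",
           4: "OP82_DEVICE_CLASS", 5: "OP82_LINK_SELECT"}


def parse_option82(raw_hex):
    """Split raw Option 82 hex into {sub-option code: value bytes}."""
    data = bytes.fromhex(raw_hex)  # raises ValueError on non-hex input
    subopts, pos = {}, 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError(f"truncated sub-option header at byte {pos}")
        code, length = data[pos], data[pos + 1]
        value = data[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError(
                f"sub-option {code} claims {length} bytes, {len(value)} present")
        if code in subopts:
            raise ValueError(f"sub-option {code} appears twice")
        subopts[code] = value
        pos += 2 + length
    return subopts


def render(code, value):
    """Render a value the way the sample archive row shows it (inferred)."""
    if code == 4:  # device class: unsigned integer
        return str(int.from_bytes(value, "big"))
    if code == 5:  # link selection: IPv4 address
        if len(value) != 4:
            raise ValueError("link selection must be 4 bytes")
        return str(ipaddress.IPv4Address(value))
    return value.hex()  # circuit ID and remote ID: plain hex


def check_row(header_line, row_line):
    """Return the parsed OP82 columns that disagree with OP82_RAW_DATA."""
    header = next(csv.reader([header_line]))
    row = dict(zip(header, next(csv.reader([row_line]))))
    subopts = parse_option82(row["OP82_RAW_DATA"])
    mismatches = []
    for code, column in COLUMNS.items():
        expected = render(code, subopts[code]) if code in subopts else ""
        if row.get(column, "").strip().lower() != expected:
            mismatches.append(column)
    return mismatches


# Header and row taken from the guide's LAMar_audit output example.
HEADER = ",".join([
    "AUDIT_NUM", "MESSAGE_TYPE_ID", "ORG_ID", "MAC_ADDR", "OBJ_IP_ADDR",
    "OBJ_NAME", "DOMN_NAME", "SRC_IP_ADDR", "LOGIN_NAME", "GRANT_DATE",
    "EXPIRATION_DATE", "GENERIC_VALUE", "UBI_FLAG", "UBI_LOC", "UBI_USRGRP",
    "UBI_OBJCLASS", "IPX_NAME", "NETWORK_NUM", "FIRST_NAME", "LAST_NAME",
    "AUDIT_DATE", "OP82_CIRCUIT_ID", "OP82_REMOTE_ID", "OP82_DEVICE_CLASS",
    "OP82_LINK_SELECT", "OP82_RAW_DATA", "ARCHIVE_DATE"])
ROW = ('303,1,2,"0006000000aa",171626079,"dhcp-client-00aa","qa.quadritek.com",'
       '180899850,,04/05/2004 20:50:56,04/05/2004 23:50:56,,0,,,,,0,,,'
       '04/05/2004 20:50:57,"abcdef","00aa00060000","1","10.58.164.5",'
       '"0103abcdef020600aa0006000004040000000105040a3aa405",04/09/2004 12:53:41')
# Constructed for this example: the parsed remote ID no longer matches the raw data.
ALTERED_ROW = ROW.replace('"00aa00060000"', '"00aa00060001"')

if __name__ == "__main__":
    print(check_row(HEADER, ROW))
    print(check_row(HEADER, ALTERED_ROW))
```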
lam-changepassword

lam-changepassword changes a user's password.

Synopsis
lam-changepassword -s server_name -u login_name -p password -n new_password

Parameters
lam-changepassword recognizes the following options:
  -s server_name  The Audit Manager database server name.
  -u login_name  The Audit Manager login name of the user for whom you are changing the password.
  -p password  The Audit Manager user password for this username.
  -n new_password  The new password to replace the old password.

Command line input example
lam-changepassword -u lamman -p lamman -n lammanxyz
lam-getalerts

lam-getalerts retrieves alert settings for the Audit Manager system. Only alert settings you have configured are returned. Refer to Alert configuration (p. 6-9) for more information.

Important! Only users with administrative status may use this command. Refer to User management (p. 6-13) for more information.

Synopsis
lam-getalerts [-g loginserver] [-s servername] -u username -p password [-f filename]

Parameters
lam-getalerts recognizes the following options:
  -g loginserver  The VitalQIP login server's IP address.
  -s servername  The Audit Manager database server name.
  -u username  An Audit Manager user name.
  -p password  An Audit Manager password.
  -f filename  The directory and filename for the output data. The default is to STDOUT.

Command line input example
lam-getalerts -u lamman -p lamman

Output example
AlertType=IpAddress
AlertValue=198.200.138.40
AlertAdmin=lamman
AlertAction=manley@qtek.com
lam-getarchiveset

lam-getarchiveset retrieves archive settings of the Audit Manager system.

Important! Only users with administrative status may use this command. Refer to User management (p. 6-13) for more information.

Synopsis
lam-getarchiveset [-g loginserver] [-s servername] -u username -p password [-f filename]

Parameters
lam-getarchiveset recognizes the following options:
  -g loginserver  The VitalQIP login server's IP address.
  -s servername  The Audit Manager database server name.
  -u username  An Audit Manager user name.
  -p password  An Audit Manager password.
  -f filename  The directory and filename for the output data. The default is STDOUT.

Command line input example
lam-getarchiveset -u lamman -p lamman

Output example
StoreOption82=1
DeleteRecordFlag=1
ArchiveRecordFlag=0
CurrentValueRecords=0
CurrentValueDays=1
KeptDays=30
KeptRecords=500
ArchiveTime=13:00:00
ArchiveDir=/opt/qip50/AuditManager/archive

Refer to the following table for descriptions of the fields in the output example.

Table 10-8 Output file field definitions

StoreOption82
  Description: Specifies that Relay Agent Information raw data will be stored as part of the archive dataset. If StoreOption82=0, such data will not be stored.
DeleteRecordFlag
  Description: Specifies deletion of records from the Audit Manager database. If DeleteRecordFlag=0, audit records will not be deleted. They will remain in the Audit Manager database. If DeleteRecordFlag=1, audit records are deleted from Audit Manager database.

ArchiveRecordFlag
  Description: Specifies archival of records to an ASCII file at the specified date and time. If ArchiveRecordFlag=0, audit records will not be archived. If ArchiveRecordFlag=1, audit records are archived to an ASCII file. Refer to To configure the Audit Manager database (p. 6-2) for more information.

CurrentValueRecords
  Description: Reflects status of the Number of Records radio button (accessed through the GUI via Database Configuration option from the Administration menu). If CurrentValueRecords=0, this radio button is not selected. If CurrentValueRecords=1, this radio button is selected. Refer to To configure the Audit Manager database (p. 6-2) for more information.

CurrentValueDays
  Description: Reflects status of the Number of Days radio button (accessed through the GUI via Database Configuration option from the Administration menu). If CurrentValueDays=0, this radio button is not selected. If CurrentValueDays=1, this radio button is selected.

KeptDays
  Description: The number of days of audit records to be kept in the database.

KeptRecords
  Description: The number of audit records to be kept in the database.

ArchiveTime
  Description: The time of day to archive or delete the audit records.

ArchiveDir
  Description: The location of the archive records.
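Added example (not part of the guide and not Alcatel-Lucent code): a review of lam-getarchiveset output against the field definitions in Table 10-8, flagging settings under which audit records leave the database without an archived copy or sooner than a retention requirement allows. The function names and the 90-day minimum are hypothetical, and the output is assumed to hold one name=value setting per line.

```python
NUMERIC = ("StoreOption82", "DeleteRecordFlag", "ArchiveRecordFlag",
           "CurrentValueRecords", "CurrentValueDays", "KeptDays", "KeptRecords")


def parse_settings(text):
    """Parse name=value lines as printed by lam-getarchiveset."""
    settings = {}
    for line in text.splitlines():
        name, sep, value = line.strip().partition("=")
        if sep:
            settings[name] = value
    return settings


def audit_archive_settings(text, min_days=90):
    """Return (code, message) findings; min_days is a hypothetical local policy."""
    settings = parse_settings(text)
    missing = [name for name in NUMERIC if name not in settings]
    if missing:
        return [("INCOMPLETE", "settings not present: " + ", ".join(missing))]
    try:
        value = {name: int(settings[name]) for name in NUMERIC}
    except ValueError:
        return [("MALFORMED", "a numeric setting holds a non-numeric value")]

    findings = []
    if not value["StoreOption82"]:
        findings.append(("NO_OPTION82",
                         "relay agent raw data is left out of the archive dataset"))
    if not value["DeleteRecordFlag"]:
        return findings  # records are never deleted, so retention is unbounded
    if not value["ArchiveRecordFlag"]:
        findings.append(("DELETE_WITHOUT_ARCHIVE",
                         "records are deleted and never written to an archive file"))
    if value["CurrentValueDays"]:
        if value["KeptDays"] < min_days:
            findings.append(("SHORT_RETENTION",
                             f"KeptDays={value['KeptDays']} is below {min_days}"))
    elif value["CurrentValueRecords"]:
        findings.append(("COUNT_BASED_RETENTION",
                         f"only the newest {value['KeptRecords']} records are kept, "
                         "so the time window shrinks as audit volume grows"))
    else:
        findings.append(("NO_CRITERION",
                         "neither retention radio button is selected"))
    return findings


# The guide's output example, one setting per line.
SAMPLE = """StoreOption82=1
DeleteRecordFlag=1
ArchiveRecordFlag=0
CurrentValueRecords=0
CurrentValueDays=1
KeptDays=30
KeptRecords=500
ArchiveTime=13:00:00
ArchiveDir=/opt/qip50/AuditManager/archive
"""

if __name__ == "__main__":
    for code, message in audit_archive_settings(SAMPLE):
        print(code, "-", message)
```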
lam-getaudithistorydata

Before you begin
lam-getaudithistorydata extracts audit history information from the Audit Manager database. This information can then be used for billing, reporting, and so on. The data is returned in ASCII text format with each Audit Manager record on a separate line and data fields separated by commas.

This command reports the data; it does not remove the data from the Audit Manager database.

If no organization is specified, the default organization of the issuer (admin running the command specified after the "-u" option) is used. The default is usually VitalQIP Organization or the organization assigned with the lowest ID number.

Synopsis
lam-getaudithistorydata [-g loginserver] [-s servername] -u username -p password [-d start_date] [-e end_date] [-f report_file] [-m format_file] [-o organization] [-r option82] [-t datasource]

Parameters
lam-getaudithistorydata recognizes the following parameters:
  -g loginserver  Specifies the VitalQIP login server's IP address.
  -s servername  The Audit Manager database server name.
  -u username  An Audit Manager user name. This field is required.
  -p password  An Audit Manager password. This field is required.
  -d start_date  The starting date and time when the record was entered into the Audit Manager database (format is mm/dd/yyyy HH:MM). If specified, only data that has been logged to the Audit Manager database on or after the start datetime is returned. If not specified then all data contained in the Audit Manager database up to the end datetime is returned. This must be in the format mm/dd/yyyy HH:MM, where mm is the month, dd is the day, yyyy is the year, HH is the hour (24 hour clock) and MM is the minute (0-59).
  -e end_date  The ending date and time format is mm/dd/yyyy HH:MM. If specified, only data that has been logged to the Audit Manager database prior to and including the end datetime is returned.
If not specified then all data on and after the start-datetime is returned. This MUST be in the format mm/dd/yyyy HH:MM where mm is the month, dd is the day, yyyy is the year, HH is the hour (24 hour clock) and MM is the minute (0-59). 10-22
-f report_file
    The directory and file name for the output data. If not specified, the output is written to the screen (STDOUT). If the report_file already exists then the data is appended to the current file. Output field values are separated by commas. If the data value contains a comma, that field is enclosed in quotation marks.

-m format_file
    A file that contains a list of fields separated by commas. Refer to Table 10-9 for descriptions of these fields. If this parameter is specified, only the fields associated with the keywords are returned. The data is returned in the order of the fields. If this parameter is not specified, all audit information matching the fields is returned.

-o organization
    An organization name.

-r option82
    Specifies which Option 82 data is displayed, as follows:
    P  Displays the Option 82 sub-options (separate columns for Circuit ID, Remote ID, Device Class, and Subnet Selection)
    U  Displays the unparsed raw Option 82 hex data
    B  Displays both the Option 82 sub-options and the unparsed Option 82 data

-t datasource
    Specifies which data source to query, as follows.
    C  Queries current audit data only
    A  Queries archive audit data only
    B  Queries current and archive audit data concurrently
    If the data source switch is not specified, the data source defaults to the current data.

The -m format_file consists of one or more fields separated by a comma. If you do not specify the fields in a format_file, all information matching the fields is returned.
Table 10-9 format_file fields

TYPE
    Description: Audit Type text string (for example, DHCP Grant).
    Notes: Audit Types are as follows:
        0   All
        1   DHCP Lease Grant
        2   DHCP Lease Renew
        3   DHCP Lease Release
        4   DHCP Lease Decline
        5   VitalQIP Static Address Add
        6   VitalQIP Static Address Modify
        7   VitalQIP Static Address Delete
        8   VitalQIP Dynamic Address Add
        9   VitalQIP Dynamic Address Modify
        10  VitalQIP Dynamic Address Delete
        11  Domain Controller Login
        12  Domain Controller Logout
        13  Kerberos Domain Control Login
        14  Kerberos Domain Control Logout
        15  VitalQIP External Address Add
        16  VitalQIP External Address Modify
        17  VitalQIP External Address Delete

TYPECODE
    Description: Audit type code (numeric representation of TYPE field, as shown in TYPE field notes above).
    Notes: 1-17 corresponds to the order in the Audit Types shown above.

AUDITDATE
    Description: Date/time stamp that the entry was recorded by Audit Manager (format mm/dd/yyyy HH:MM).

IPADDRESS
    Description: IP address or primary domain controller workstation IP address.

MACADDRESS
    Description: Hardware (MAC) address.

HOSTNAME
    Description: Hostname or primary domain controller workstation name.
DOMAIN
    Description: Domain name.

LEASEGRANT
    Description: Lease grant time stamp (format mm/dd/yyyy HH:MM) or primary domain controller login time stamp.

LEASEEXPIRE
    Description: Lease expiration time stamp (format mm/dd/yyyy HH:MM) or primary domain controller logout time stamp.

LOGINID
    Description: Administrator ID or primary domain controller login name.

FIRSTNAME
    Description: User's first name or primary domain controller full name of Windows user.

LASTNAME
    Description: User's last name.

SOURCE
    Description: DHCP server IP address or primary domain controller address.

MISC
    Description: Miscellaneous data or primary domain controller NT domain.

IPX
    Description: IPX node and number (format Node/Number).

BILLSTATUS
    Description: 0 = billing disabled, 1 = billing enabled.

BILLLOCATION
    Description: Billing location.

BILLGROUP
    Description: Billing user group.

BILLOBJECT
    Description: Billing object class.

CIRCUITID
    Description: Relay Information Agent Option 82 Circuit ID sub-option.

REMOTEID
    Description: Relay Information Agent Option 82 Remote ID sub-option.

DEVICECLASS
    Description: Relay Information Agent Option 82 Device Class sub-option.
LINKSELECT
    Description: Relay Information Agent Option 82 Subnet/Link Selection suboption.

OP82RAWDATA
    Description: Relay Information Agent Option 82 raw hex blob of Circuit ID, Remote ID, Device Class, and Link Selection.

The -m format_file for test.txt in the third input example would look like the following:

TYPE, AUDITDATE, IPADDRESS, HOSTNAME, DOMAIN, FIRSTNAME, LASTNAME, BILLSTATUS, BILLINGLOCATION, BILLGROUP, BILLOBJECT

Refer to the Output Example for an example of the returned audit information.

Command line input examples

The following command line input example returns all Audit Manager data that occurred on 01/01/1999.

lam-getaudithistorydata -u lamman -p lamman -d 01/01/1999 00:00 -e 01/01/1999 23:59

The following command line input example returns all Audit Manager data from the first available record up to 01/31/1999 at 23:59.

lam-getaudithistorydata -u lamman -p lamman -e 01/31/1999 23:59

The following command line input example returns all of the current audit data in the database.

lam-getaudithistorydata -u lamman -p lamman -t C

The following command line input example returns all of the loaded archive data.

lam-getaudithistorydata -u lamman -p lamman -t a

The following command line input example returns all of the data in the database and displays the Option 82 data (if any exists) in its sub-option format, and the raw unparsed Option 82 hex string.

lam-getaudithistorydata -u lamman -p lamman -r b

The output returned is shown in the following output example.

Output example

DHCP Lease Grant,1,03/12/2004 17:08:00,135.114.106.4,0fffffff0001,dhcp-client-0001,quadritek.com,03/12/2004 17:07:59,06/10/2004 18:07:59,,,,10.100.25.101,,,1,,,Undefined,00feacdc1179,00010fffffff,CCCM,125.100.107.0,010600feacdc1179020600010fffffff04040000000105047d646b00
DHCP Lease Grant,1,03/12/2004 17:12:35,135.114.106.4,0fffffff0001,dhcp-client-0001,quadritek.com,03/12/2004 17:12:35,06/10/2004 18:12:35,,,,10.100.25.101,,,1,,,Undefined,00fe03dc11ad,00010fffffff,CCCM,125.100.107.0,010600fe03dc11ad020600010fffffff04040000000105047d646b00
DHCP Lease Grant,1,03/12/2004 17:16:49,135.114.106.4,0fffffff0001,dhcp-client-0001,quadritek.com,03/12/2004 17:16:49,06/10/2004 18:16:49,,,,10.100.25.101,,,1,,,Undefined,ac12dea0b0dc,00010fffffff,CCCM,10.100.25.0,0106ac12dea0b0dc020600010fffffff05040a641900
DHCP Lease Grant,1,03/12/2004 18:25:47,135.114.106.4,0fffffff0001,dhcp-client-0001,quadritek.com,03/12/2004 18:25:47,06/10/2004 19:25:47,,,,10.100.25.101,,,1,,,Undefined,ff020a4dd0c9,00010fffffff,CCCM,135.124.100.0,0106ff020a4dd0c9020600010fffffff0504877c6400
VitalQIP Dynamic Address Delete,10,03/12/2004 18:26:19,135.114.106.4,,udp000005uds,quadritek.com,03/12/2004 18:26:19,03/12/2004 18:26:19,,,,10.100.25.101,,,1,,,Undefined,,,,,
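The records above can be checked mechanically when they are used as audit evidence. The following Python code is an added example, not part of the original guide or of the product: it parses full records as returned with -r B and reports any record whose Circuit ID, Remote ID or Link Selection column disagrees with its raw Option 82 blob. The column order and the sub-option codes 1, 2 and 5 are assumptions read off the output example; three sample records come from that example and the fourth is constructed.

```python
import csv
import io
import ipaddress

# Column order of a full record (no -m format_file, -r B).
# Assumption: inferred from the output example and Table 10-9.
FIELDS = [
    "TYPE", "TYPECODE", "AUDITDATE", "IPADDRESS", "MACADDRESS", "HOSTNAME",
    "DOMAIN", "LEASEGRANT", "LEASEEXPIRE", "LOGINID", "FIRSTNAME", "LASTNAME",
    "SOURCE", "MISC", "IPX", "BILLSTATUS", "BILLLOCATION", "BILLGROUP",
    "BILLOBJECT", "CIRCUITID", "REMOTEID", "DEVICECLASS", "LINKSELECT",
    "OP82RAWDATA",
]
PARSED_COLUMNS = ("CIRCUITID", "REMOTEID", "LINKSELECT")


def parse_option82(raw_hex):
    """Split a raw Option 82 hex blob into {sub-option code: value bytes}."""
    data = bytes.fromhex(raw_hex)  # ValueError on non-hex or odd-length input
    subopts, pos = {}, 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated sub-option header at offset %d" % pos)
        code, length = data[pos], data[pos + 1]
        value = data[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("sub-option %d overruns the blob" % code)
        subopts[code] = value
        pos += 2 + length
    return subopts


def parse_records(text):
    """Parse command output into dicts; csv copes with quoted fields that contain commas."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        if len(row) != len(FIELDS):
            raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(row)))
        records.append(dict(zip(FIELDS, row)))
    return records


def check_option82(record):
    """Return the names of the columns that do not match the raw blob."""
    raw = record["OP82RAWDATA"].strip()
    if not raw:
        # No raw data: a populated sub-option column has nothing backing it.
        return [c for c in PARSED_COLUMNS if record[c]]
    try:
        sub = parse_option82(raw)
    except ValueError:
        return ["OP82RAWDATA"]
    link = sub.get(5, b"")
    expected = {
        "CIRCUITID": sub.get(1, b"").hex(),
        "REMOTEID": sub.get(2, b"").hex(),
        "LINKSELECT": str(ipaddress.IPv4Address(link)) if len(link) == 4 else link.hex(),
    }
    # DEVICECLASS is skipped: the guide does not document how the text value
    # (for example CCCM) is derived from sub-option 4.
    return [c for c in PARSED_COLUMNS if record[c].strip().lower() != expected[c]]


def audit(text):
    """Map record index -> mismatching columns, for records that fail the check."""
    result = {}
    for index, record in enumerate(parse_records(text)):
        mismatches = check_option82(record)
        if mismatches:
            result[index] = mismatches
    return result


# Records 0-2 are taken from the output example (line wraps rejoined).
PAGE_RECORDS = [
    "DHCP Lease Grant,1,03/12/2004 17:08:00,135.114.106.4,0fffffff0001,dhcp-client-0001,quadritek.com,03/12/2004 17:07:59,06/10/2004 18:07:59,,,,10.100.25.101,,,1,,,Undefined,00feacdc1179,00010fffffff,CCCM,125.100.107.0,010600feacdc1179020600010fffffff04040000000105047d646b00",
    "DHCP Lease Grant,1,03/12/2004 17:16:49,135.114.106.4,0fffffff0001,dhcp-client-0001,quadritek.com,03/12/2004 17:16:49,06/10/2004 18:16:49,,,,10.100.25.101,,,1,,,Undefined,ac12dea0b0dc,00010fffffff,CCCM,10.100.25.0,0106ac12dea0b0dc020600010fffffff05040a641900",
    "VitalQIP Dynamic Address Delete,10,03/12/2004 18:26:19,135.114.106.4,,udp000005uds,quadritek.com,03/12/2004 18:26:19,03/12/2004 18:26:19,,,,10.100.25.101,,,1,,,Undefined,,,,,",
]
# Constructed record: the first record with its CIRCUITID column altered
# while the raw blob is left untouched.
CONSTRUCTED_RECORD = PAGE_RECORDS[0].replace(",00feacdc1179,", ",00feacdc1180,")
SAMPLE = "\n".join(PAGE_RECORDS + [CONSTRUCTED_RECORD])

if __name__ == "__main__":
    for index, columns in audit(SAMPLE).items():
        print("record %d: mismatch in %s" % (index, ", ".join(columns)))
```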
lam-getuser

lam-getuser retrieves Audit Manager user information. The output is stored in an output file. Only users with administrative status may use this command. Refer to User management (p. 6-13) for more information.

Important! Users can be associated with more than one organization. For example, in the output example below user pal3 is associated with four organizations.

Synopsis

lam-getuser [-g loginserver] [-s servername] [-o organization] -u username -p password -l login_name [-f filename]

Parameters

lam-getuser recognizes the following parameters:

-g loginserver
    The VitalQIP login server's IP address.

-s servername
    The Audit Manager database server name.

-o organization
    Specifies the organization from which to retrieve user data.

-u username
    An Audit Manager user name.

-p password
    An Audit Manager user password for username.

-l login_name
    The login ID of the Audit Manager user whose information is being retrieved.

-f filename
    The directory and filename for the output data. The default is STDOUT.

Command line input example

lam-getuser -u lamman -p lamman -l pal3

Output example

AdminName=lamman
AdminType=Administrator
Organization=VitalQIP Organization
Organization=org2
Organization=org3
Organization=Test
lam-getuserlst

lam-getuserlst retrieves and lists Audit Manager users. The output is stored in an output file if specified. Only users with administrative status may use this command. Refer to User management (p. 6-13) for more information.

Important! If an organization is specified, lam-getuserlst returns all the Administrators (since administrator users are assigned to all organizations), and only the users that have been assigned to the specified organization.

Synopsis

lam-getuserlst [-g loginserver] [-s servername] [-o organization] -u username -p password [-f filename]

Parameters

lam-getuserlst recognizes the following parameters:

-g loginserver
    The VitalQIP login server's IP address.

-s servername
    The Audit Manager database server name.

-o organization
    Specifies the organization from which to retrieve user data.

-u username
    An Audit Manager user name.

-p password
    An Audit Manager user password for username.

-f filename
    The directory and filename for the output data. The default is STDOUT.

Command line input example

lam-getuserlst -u lamman -p lamman

Output example

Admin1
User2
lam-setalerts

lam-setalerts sets the Audit Manager alert settings from a specified input file. For additional information on alerts, refer to Alert configuration (p. 6-9).

Important! Only users with administrative status may use this command. Refer to User management (p. 6-13) for more information.

Synopsis

lam-setalerts [-g loginserver] [-s servername] -u username -p password -f input_filename -r [reject_file] -e [errmsg_file]

Parameters

lam-setalerts recognizes the following options:

-g loginserver
    The VitalQIP login server's IP address.

-s servername
    The Audit Manager database server name.

-u username
    An Audit Manager user name.

-p password
    An Audit Manager password.

-f input_filename
    A directory and filename of the input data.

-r reject_file
    A directory and filename of the rejected records.

-e errmsg_file
    The filename where error messages are written if they occur. The default is STDERR.

Alert setting data file format

The input file format consists of name/value pairs separated with an equal sign (=). These pairs must be preceded by the appropriate prefix. Name keys are described in the following table.

Table 10-10 Name keys for alert setting data file

AlertType [M]
    Value type: Text
    Description: The type of alert that indicates the AlertValue: IPAddress, MACAddress, Host Name.

AlertValue [M]
    Value type: Alphanumeric (32 characters)
    Description: IP address, MAC address, or host name, which causes an alert to be sent.

AlertAction [O]
    Value type: Alphanumeric (128 characters)
    Description: The action to be taken which could be an email address, phone number, message, and so on. There is no default for this field.

AlertAdmin [O]
    Value type: Alphanumeric (minimum of 6 characters)
    Description: The login name of an existing administrator. When this field is not used, the user that is specified in the command line is used.

Alert setting data file format example for input.txt

AlertType=IpAddress
AlertValue=198.200.138.40
AlertAction=mdooley@quadritek.com
AlertAdmin=lamman

Command line input example

lam-setalerts -u lamman -p lamman -f input.txt

Important! When setting multiple alerts in an input file, the AlertType and AlertValue fields must always be set for each alert. The AlertAdmin and AlertAction fields do not need to be specified for each alert, however, if you want to set multiple instances of the same alert action. For example, in the following input file five new alerts will be created for five different host names:

AlertAdmin=lamman
AlertAction=lamadmin@example.com
AlertType=HostName
AlertValue=lamobj1
AlertType=HostName
AlertValue=lamobj2
AlertType=HostName
AlertValue=lamobj3
AlertType=HostName
AlertValue=lamobj4
AlertType=HostName
AlertValue=lamobj5
lam-setarchiveset

lam-setarchiveset sets the Audit Manager archive setting.

Important! Only users with administrative status may use this command. Refer to User management (p. 6-13) for more information.

Synopsis

lam-setarchiveset [-g loginserver] [-s servername] -u username -p password -f input_filename -r [reject_file] -e [errmsg_file]

Parameters

lam-setarchiveset recognizes the following options:

-g loginserver
    The VitalQIP login server's IP address.

-s servername
    The Audit Manager database server name.

-u username
    An Audit Manager user name.

-p password
    An Audit Manager password.

-f input_filename
    A directory and filename of the input data.

-r reject_file
    A directory and filename of the rejected records.

-e errmsg_file
    The filename where error messages are written if they occur. The default is STDERR.

Archive setting data file

The input file format consists of name/value pairs separated with an equal sign (=). These pairs must be preceded by the appropriate prefix. Name keys are described in the following table.

Table 10-11 Name keys for the archive setting data file

StoreOption82 [M]
    Value type: numeric
    Description: A Boolean value that enables (1) or disables (0) the storage of Relay Agent Information in the archived records.

DeleteRecordFlag [M]
    Value type: numeric
    Description: A Boolean value that enables (1) or disables (0) the delete records function from the LAM database after records are archived.

ArchiveRecordFlag [M]
    Value type: numeric
    Description: A Boolean value that enables (1) or disables (0) the archive records function.

CurrentValueRecords [M]
    Value type: numeric
    Description: A Boolean value that enables (1) or disables (0) the archive records for the specified number of records (KeptRecords). This must be set to 0 if CurrentValueDays is set to 1.

CurrentValueDays [M]
    Value type: numeric
    Description: A Boolean value that enables (1) or disables (0) the archive records for the specified number of days (KeptDays). This must be set to 0 if CurrentValueRecords is set to 1.

KeptDays [M]
    Value type: numeric
    Description: The number of days that are to be kept after records are archived.

KeptRecords [M]
    Value type: numeric
    Description: The number of records that are to be kept after records are archived.

ArchiveTime [M]
    Value type: numeric
    Description: The time (HH24:MM:SS) records are to be archived.

ArchiveDir [M]
    Value type: alphanumeric
    Description: The directory where archived records are to be stored.

Archive setting data file format for input.txt

StoreOption82=0
DeleteRecordFlag=0
ArchiveRecordFlag=0
CurrentValueRecords=0
CurrentValueDays=1
KeptDays=1
KeptRecords=5000
ArchiveTime=05/07/1999 13:45
ArchiveDir=

Command line input example

lam-setarchiveset -u lamman -p lamman -f c:\data\input.txt
LAMsync

LAMsync synchronizes Organization IDs between Audit Manager and VitalQIP for customers with existing data. Because the VitalQIP and LAM databases can be deployed on different servers and platforms, the utility relies on the exportorganization CLI to provide the reference data. For further information on the exportorganization CLI, refer to the VitalQIP Command Line Reference User's Guide.

Synopsis

LAMsync [-g loginserver] -s server -u username[/password[@server]] [-p password] -f import_file [-t O[racle] S[ybase]]

Parameters

LAMsync recognizes the following options:

-g loginserver
    The VitalQIP login server's IP address.

-s server
    The Audit Manager database server name.

-u username
    An Audit Manager user name.

-p password
    An Audit Manager password for the user name.

-f import_file
    A directory and filename of the input data.

-t O[racle] S[ybase]
    Specifies whether the VitalQIP and LAM databases are using Sybase or Oracle.

Sample log file

A sample log file produced by the LAMsync utility is shown following.

[2004-03-02 14:50:41] #
[2004-03-02 14:50:41] # LAMsync STARTED
[2004-03-02 14:50:41] #
[2004-03-02 14:50:41] Login Server not specified, using QIPLOGIN
[2004-03-02 14:50:41] USER - 'lamman', PASSWORD - '********', SERVER - 'labsun01', Login Server - '10.100.30.50'
[2004-03-02 14:50:42] Database connected
[2004-03-02 14:50:42] ---------------------------------------------
A potential record collision has been detected in this dataset that if left unchecked, could associate multiple organization names with the same organization ID. To avoid this situation, the offending ID will be set to max(org_id) + 1 to prevent the lost of legacy data.
[2004-03-02 14:50:42] Setting ORG_ID from 400 to 401 in...
[2004-03-02 14:50:42] Table ADMINS
[2004-03-02 14:50:42] Table ARCHIVE_AUDIT_DATA
[2004-03-02 14:50:43] Table CURRENT_AUDIT_DATA
[2004-03-02 14:50:43] Table OBJ_PROF
[2004-03-02 14:50:43] Table ORGANIZATIONS
[2004-03-02 14:50:43] Table PERSON_PROF
[2004-03-02 14:50:43] Table SCHED_PROF
[2004-03-02 14:50:43] Table TEMP_AUDIT_DATA
[2004-03-02 14:50:43] Table USER_HIER_ROOTS
[2004-03-02 14:50:43] ---------------------------------------------
[2004-03-02 14:50:43] Setting ORG_ID from 200 to 400 in...
[2004-03-02 14:50:43] Table ADMINS
[2004-03-02 14:50:43] Table ARCHIVE_AUDIT_DATA
[2004-03-02 14:50:43] Table CURRENT_AUDIT_DATA
[2004-03-02 14:50:43] Table OBJ_PROF
[2004-03-02 14:50:43] Table ORGANIZATIONS
[2004-03-02 14:50:43] Table PERSON_PROF
[2004-03-02 14:50:43] Table SCHED_PROF
[2004-03-02 14:50:43] Table TEMP_AUDIT_DATA
[2004-03-02 14:50:43] Table USER_HIER_ROOTS
[2004-03-02 14:50:43] ---------------------------------------------
[2004-03-02 14:50:43] Setting ORG_ID from 300 to 500 in...
[2004-03-02 14:50:43] Table ADMINS
[2004-03-02 14:50:43] Table ARCHIVE_AUDIT_DATA
[2004-03-02 14:50:43] Table CURRENT_AUDIT_DATA
[2004-03-02 14:50:43] Table OBJ_PROF
[2004-03-02 14:50:43] Table ORGANIZATIONS
[2004-03-02 14:50:43] Table PERSON_PROF
[2004-03-02 14:50:43] Table SCHED_PROF
[2004-03-02 14:50:43] Table TEMP_AUDIT_DATA
[2004-03-02 14:50:43] Table USER_HIER_ROOTS
[2004-03-02 14:50:43] ---------------------------------------------
[2004-03-02 14:50:43] Setting ORG_ID from 401 to 600 in...
[2004-03-02 14:50:43] Table ADMINS
[2004-03-02 14:50:43] Table ARCHIVE_AUDIT_DATA
[2004-03-02 14:50:43] Table CURRENT_AUDIT_DATA
[2004-03-02 14:50:43] Table OBJ_PROF
[2004-03-02 14:50:43] Table ORGANIZATIONS
[2004-03-02 14:50:43] Table PERSON_PROF
[2004-03-02 14:50:43] Table SCHED_PROF
[2004-03-02 14:50:43] Table TEMP_AUDIT_DATA
[2004-03-02 14:50:43] Table USER_HIER_ROOTS
[2004-03-02 14:50:43] #
[2004-03-02 14:50:43] # LAMsync SUCCESS
[2004-03-02 14:50:43] #
qip-crypt

qip-crypt allows you to encrypt your password. qip-crypt takes the password as the first argument and sends a hex-string encrypted password to STDOUT. The qip-crypt CLI command must be run again and the new password placed in the qip.pcy file if the qipman password, the qipadmin password, the Schedule Password, or the Update Password is changed.

Important! qip-crypt is only intended for use with a password in the qip.pcy file. It should not be used to encrypt the database login. Database logins can be encrypted using third-party tools; refer to your system administrator for more information relevant to your database.

Synopsis

qip-crypt [password]

Parameters

qip-crypt recognizes the following parameters:

password
    Specifies your current password.
lam-export

lam-export exports all data from the Audit Manager database for use with Sybase and Oracle. This can be performed on either a UNIX or Windows platform. It does not change the data in the database. Error data is output to the QIPHOME/log/lam-export.log file.

Important! Files created by lam-export will be corrupted and unusable if they reach 2 GB. Please contact VitalQIP Support for assistance if you have more than 2 GB of data in your Audit Manager database.

Synopsis

lam-export [-t qip_dbase] [-s qip_dataserver] -u username -p password [-l log_file] [-q output_file] [-i script_path] [-d export_path] [-a]

Parameters

lam-export recognizes the following parameters:

-t qip_dbase
    Specifies the type of database - either SYBASE or ORACLE. This parameter is optional if the $QIPDBASE environment variable is set. The command line argument overrides the environment variable.

-s qip_dataserver
    Specifies the name of the database server. The database server name must match the Sybase server name or the Oracle database alias name. This parameter is optional if the $QIPDATASERVER environment variable is set. The command line argument overrides the environment variable. For Audit Manager, the Audit Manager database server name must be specified.

-u username
    Specifies the VitalQIP administrator account to be used in establishing the database connection.

-p password
    Specifies the password for the associated administrator account.

-l log_file
    Specifies the file name of the log file.

-q output_file
    Quiet Mode. If this parameter is omitted, the output is sent to STDOUT.

-i script_path
    Specifies the directory where the SQL scripts reside.

-d export_path
    Specifies the path and directory of the export data file.

-a
    Appends to the log file. The default is to overwrite the log file.

Command line input example

lam-export -u lamadmin -p password -d /tmp/lamexport -b LAM
lam-import

lam-import imports all Audit Manager data from an earlier database export into the database for use with Sybase and Oracle. It overwrites the entire database. Error data is output to the file $QIPHOME/log/lam-import.log.

Part of the lam-import CLI command synchronizes the VitalQIP user IDs and passwords between the VitalQIP part of the database and the master/sys database automatically. To obtain a list of all users who can access VitalQIP, issue the following commands.

Oracle:

$ORACLE_HOME/bin/sqlplus qipman/<password>@<dataserver>
SQL> select * from sys.dba_users;

Sybase:

$SYBASE/bin/isql -U qipman -P <password>
1> select name
2> from sysusers
3> where uid <> gid
4> and name <> 'dbo'
5> go

Synopsis

lam-import [-t qip_dbase] [-s qip_dataserver] -u username -p password [-l log_file] [-q output_file] [-i script_path] [-d import_directory] [-h] [-a] [-v] [-k]

Parameters

lam-import recognizes the following parameters:

-t qip_dbase
    Specifies the type of database - either SYBASE or ORACLE. This parameter is optional if the $QIPDBASE environment variable is set. The command line argument overrides the environment variable.

-s qip_dataserver
    Specifies the name of the database server. Note the following:
    - The database server name must match the Sybase server name or the Oracle database alias name.
    - This parameter is optional if the $QIPDATASERVER environment variable is set. The command line argument overrides the environment variable.
    - For Audit Manager, the Audit Manager database server name must be specified.

-u username
    Specifies the VitalQIP administrator account to be used in establishing the database connection. If the administrator is not specified, it will use the information in the qip.pcy file.

-p password
    Specifies the password for the associated administrator account. If the administrator is not specified, it will use the information in the qip.pcy file.

-l log_file
    Specifies the file name of the log file.

-q output_file
    Specifies Quiet Mode. If this parameter is omitted, the output is sent to STDOUT.

-i script_path
    Specifies the directory where the SQL scripts reside.

-d import_path
    Specifies the path (directory) of the input data.

-a
    Appends to the log file. The default is to overwrite the log file.

-k
    Skips the prompt.

Command line input example

lam-import -b LAM -u lamadmin -p lamadmin -d /tmp/lamdata
Appendix A: Database administration

Overview

Purpose

This appendix applies to Audit Manager on a Sybase database only and should be used only by experienced Sybase users. It does not refer to Audit Manager on an Oracle database. For Oracle database administration, refer to your Oracle DBA.

This information presents the following topics.

To find version numbers with vercheck
To back up the Sybase and Audit Manager databases
To change the procedure cache size and total memory size
To encrypt your password
To reinitialize your database
To perform database administrative tasks with lam-util
To track stored procedures and triggers
To manage the Audit Manager data space
To modify user password
To manage the Audit Manager Transaction Log Space
To recover the Sybase version 15 database recovery
To maintain index statistics
To join archived files
To find version numbers with vercheck

To produce a version number for every Audit Manager program under a specified directory, you can run the utility, vercheck. You can print this version number to a screen or out to the file of your choice. This utility helps you maintain consistency between upgrades. To run the utility, on a command line, type:

vercheck [-d directory] [-m field_mask] [-h] [-v] [-c] [-e] [-z] [filename]

Parameters

-d directory
    Specifies the directory for which version information is to be obtained. The default is the current working directory.

-m field_mask
    Identifies the fields that are to be displayed by vercheck. The fields are identified using a field mask consisting of zeros (0) and ones (1). A 1 indicates that the field should be displayed, and a 0 indicates that the field should not be displayed. The fields, in order of specification, are as follows.
    - File Name
    - File Size
    - File Owner
    - File Permissions
    - File Creation Date
    - File Modification Date
    - File Type
    - File Version
    - File Checksum
    If this parameter is omitted, all of the fields are displayed.

-c
    Outputs the information in comma separated value (CSV) format.

-e
    Provides VitalQIP environment information.

-z
    Provides only the filenames and product version numbers.

filename
    Provides information about the specified file. If this parameter is omitted, all files in the current directory or directory specified by the -d option are processed. The subdirectories are also processed.
To back up the Sybase and Audit Manager databases

Purpose

Before upgrading, back up all Sybase and Audit Manager data files from MS-DOS or the graphical user interface, as described in the following sections.

Using MS-DOS

To back up the Sybase and Audit Manager databases using MS-DOS, follow these steps:

1  Start up the backup server in SYBASE Services Manager. Click Services, select Backup Server, and click Start. The DOS prompt appears.

2  At the DOS prompt, enter:

   c:\sybase\bin\isql -U sa -P
   >sp_addumpdevice "disk","lam_dump_dat","\lam\backup\lam_dump_dat",2
   >dump database LAM to lam_dump_dat
   >go

3  The backup is completed.

4  To restore, run isql from DOS prompt:

   c:\sybase\bin\isql -U sa -P
   >load database LAM from lam_dump_dat
   >go

END OF STEPS

Using the GUI

Complete these steps first, and then perform the functions that follow:

1  Start the Services Manager provided with the Audit Manager product. Ensure the green light is on.

2  From the Services field, select Backup Server. Ensure the green light is on.

3  Access the Sybase Central option in the Sybase for Windows program.

END OF STEPS

Create three dump devices

To create three dump devices, one for the Audit Manager database, one for the Transaction Log and one for the Master Database, follow these steps:

1  In the Sybase for Windows program folder, access the Sybase Central option.

2  Double click LAM Sybase database.

3  Double click the Dump Devices folder and then select Add Dump Device.

4  In the New Device field, enter lam_dump_dat.

5  In the Physical Name field, enter c:\backup\lam_dump_dat and click Next.

6  Select the type of device to create (Disk or Tape) and click Next.

7  Click Finish to create a new device.

8  Repeat steps 3 through 7 to create two more devices, one each for the Transaction Log and the Master database. Enter a different name for each device, such as lam_backup_master and lam_backup_log.

END OF STEPS

Turn off Truncate Log on Checkpoint

To turn off the Truncate Log on Checkpoint option, follow these steps:

1  Select LAMSYBASE Databases LAM.

2  Right-click on the Audit Manager database and select Properties from the pop-up menu, then select the Options tab.

3  Clear the Truncate Log on Checkpoint check box.

4  Click OK to exit.

END OF STEPS

Perform backup of the databases

To perform the database backup, follow these steps:

1  In the Sybase for Windows program folder, access the Sybase Central option.

2  Double click a server name, and enter the login as sa. Click OK.

3  Double click the Databases icon, and then double-click the QIP icon.

4  Right-click the Audit Manager database and select Backup.

5  Highlight the Audit Manager database and click Next.

6  Select the type of backup, either database or transaction log. Click Next.

7  In the Select dump devices screen, click Add and select the Audit Manager database dump device. Click OK, and then click Next.

8  In the Select Backup Name screen, answer the questions for which you want to change the values. Click Next if there are no changes.

9  Click Finish to start the database dump.

10  Repeat steps 5 through 8 for the Master Database and the Transaction Log. From the Select Dump Devices screen, add the appropriate dump device.

END OF STEPS
To change the procedure cache size and total memory size

The following scripts show how to change the procedure cache size and the total memory size of your Sybase database:

sp_configure "total memory", 7500            -- the default is 2k block
sp_configure "procedure cache percent", 20   -- the default is 20% of memory
To encrypt your password

You can encrypt your lamman password by running the qip-crypt utility. qip-crypt takes the password as the first argument and sends a hex-string encrypted password to STDOUT unless you specify a file name in the command. To run qip-crypt, enter on the command line:

qip-crypt <your_password>

This newly encrypted password must be placed in the qip.pcy file. To find what the password is, access the filename you defined in the utility or refer to STDOUT.
To reinitialize your database

Audit Manager has a command, lam-dbinit, which can be used to reinitialize your database under specific circumstances. The command can be used for Oracle and Sybase. Once your Audit Manager database is in place, you can begin collecting information on changes within VitalQIP via updates to Audit Manager. However, if at any point you need to scratch the collection of data, and begin again from a clean slate so to speak, the lam-dbinit procedure can be used.

Important! The lam-dbinit process is automatically run during an upgrade of Audit Manager. An import of previously saved data typically follows.

lam-dbinit

The lam-dbinit command clears the data from the database, re-initializes the database, and re-installs the triggers, stored procedures, tables, and indexes. It is run as part of a new installation of Audit Manager. It can also be run to re-initialize your Audit Manager database (for example, erase a test system). This command can be used for both Sybase and Oracle databases.

Synopsis

lam-dbinit [-t qip_dbase] [-s servername] -u username -p password [-l log_file] [-q output_file] [-i script_path] [-a] [-k]

Parameters

lam-dbinit recognizes the following parameters:

-t qip_dbase
    Specifies the database server type, either Oracle or Sybase. This parameter is optional if the QIPDBASE environment variable is set.

-s servername
    Specifies the name of the database server. Note the following:
    - The database server name must match the Sybase server name or the Oracle database alias name.
    - This parameter is optional if the QIPDATASERVER environment variable is set. The command line argument overrides the environment variable.

-u username
    Specifies the Audit Manager database user to be used in establishing the database connection.

-p password
    Specifies the Audit Manager database password.

-l log_file
    Specifies the name of the log file. If it is not supplied the default lam-dbinit.log filename and Audit Manager log directory will be used.

-q output_file
    Quiet Mode. If this parameter is omitted, the output is sent to STDOUT.

-i script_path
    Specifies the directory where the SQL scripts reside. If it is not supplied, the default Audit Manager script directory is used.

-a
    Appends to the log file. The default is to overwrite the log file.

-k
    Skips the prompt.
To perform database administrative tasks with lam-util

lam-util

lam-util is a command used to perform specific database functions that can be helpful for a database administrator. Examples include determining where data is written and which administrator connects to the database. This command can be used on a Sybase or Oracle Audit Manager database.

The following sections provide a synopsis and descriptions for the parameters used by lam-util.

Synopsis

    lam-util [-t QIPDBASE] [-s QIPDATASERVER] -u user -p password [-l log_file] [-q output_file] [-i script_path] [-a] FUNCTION VALUES

Parameters

lam-util recognizes the following parameters:

-t QIPDBASE
    Specifies the database server type: Oracle or Sybase. This parameter is optional if the QIPDBASE environment variable is set.

-s QIPDATASERVER
    Specifies the name of the database server. Note the following:
    - The database server name must match the Sybase server name or the Oracle database alias name.
    - This parameter is optional if the $QIPDATASERVER environment variable is set. The command line argument overrides the environment variable.

-u user
    Specifies the Audit Manager database user to be used in establishing the database connection.

-p password
    Specifies the Audit Manager database password.

-l log_file
    Specifies the name of the log file. If it is not supplied, the default lam-util.log filename and Audit Manager log directory will be used.

-q output_file
    Specifies Quiet Mode. If this parameter is omitted, the output is sent to STDOUT.

-i script_path
    Specifies the directory where the SQL scripts are located. If it is not supplied, the default Audit Manager script directory is used.

-a
    Appends function values discussed in Table A-1 to the log file. The default is to overwrite the log file.

The following table shows the values that can be passed as parameters to lam-util.

Table A-1 Function values

| Function value name | Description | Database |
|---|---|---|
| CalculateLAMSize | Estimates the size of the LAM (Audit Manager) database, based on the following: <number_of_dhcp_clients> <number_of_static_objects> <number_of_nt_objects> | Sybase/Oracle |
| CheckDatabaseLogin | Checks to see if the connection to Sybase/Oracle is okay. | Sybase/Oracle |
| CheckDBProcesses | Shows the number of processes that are currently connected to the Sybase/Oracle database by using: <database_name>. | Sybase/Oracle |
| CheckVersionFromDatabase | Checks the version information from the qip_version table in the Sybase/Oracle database by using: <database_name>. | Sybase/Oracle |
| CheckVersionFromData | Checks the version information from the qip_version (qef) file by using: <export_path>. | N/A |
| CheckVersionFromScript | Checks the version information from the table.sql script. | Sybase/Oracle |
| CheckSybaseDevice | Checks to see if a Sybase device exists by using: <logical_device_name>. | Sybase |
| CheckSybaseDatabase | Checks to see if a Sybase database exists by using: <database_name>. | Sybase |
| CheckUserExists | Checks to see if the database login user exists by using: <login_name>. | Oracle |
| ClearAdmin | Removes all logins and users assigned to the database with the related roles or groups by using: <database_name>. | Sybase/Oracle |
| ClearData | Truncates all data from all user tables by using: <database_name>. For Sybase, drops all tables with type equal to U (user tables -- not system tables). For Oracle, drops all tables owned by the user running lam-util. | Sybase/Oracle |
| CreateAccess | Calls create_access.sql. This function should only be called by the installation. | Sybase/Oracle |
| CreateSybaseDatabase | Creates a Sybase database by using: <data_device_name><data_size> <log_device_name><log_size> <database_name> | Sybase |
| CreateSybaseDevice | Creates a Sybase device by using: <logical_device_name physical_name size device_size> | Sybase |
| DropIndex | Drops all indexes on all user tables in the database by using: <database_name>. For Sybase, drops all indexes on all user tables. For Oracle, drops all indexes owned by the user running lam-util. | Sybase/Oracle |
| DropSP | Drops all stored procedures in the database by using: <database_name>. For Sybase, drops all stored procedures in the database. For Oracle, drops all stored procedures owned by the user running lam-util. | Sybase/Oracle |
| DropTable | Drops all user tables in the database by using: <database_name>. For Sybase, drops all user tables in the database. For Oracle, drops all tables owned by the user running lam-util. | Sybase/Oracle |
| DropTrigger | Drops all triggers on all user tables in the database by using: <database_name>. For Sybase, drops all triggers on all user tables in the database. For Oracle, drops all triggers on all user tables owned by the user running lam-util. | Sybase/Oracle |
| EditTextFile | Finds the text file name and the first line containing the text you want to delete. You can then establish what you would like to add in its place with the add_line (optional). Use: <text_file_name><delete_line> <add_line>. | N/A |
| EstimateRequiredSpace | Estimates the minimum disk space used during qip-import using: <database_name>. | Sybase/Oracle |
| GetAndSetSybaseDBOption | Gets and sets the value of the Sybase dboption trunc.log on chkpt by using <option_value><database_name>. | Sybase |
| GetDatabaseSize | Gets and sets the size of the database by using: <database_name>. | Sybase |
| OracleReCompile | Recompiles all stored procedures and triggers owned by the user running lam-util by using: <database_name>. | Oracle |
| RemoveInvalidChars | Removes all invalid (unprintable) characters from all files in the specified directory by using: <export_path file_name> | N/A |
| RemoveSpaceFields | Goes through all the string fields on all user tables and removes all space-only fields by using: <table_name> | Sybase |
| SearchReplace | Searches for some special characters, and replaces them with proper characters by using: <search_char> <replace_char>. By default, changes \n to a single space; a double quote to a single quote; and ^ to a single space. | Sybase |
| SetSybaseConfigure | Sets Sybase configuration values based on the file <config_file>. The Audit Manager database requires the following settings: Procedure cache percent=22, Total memory=21577, Number of locks=100000 | Sybase |
| SybaseUpdateStatistics | Runs update statistics on all tables by using: <database_name> | Sybase |
| OracleUpdateStatistics | Runs an analysis on all objects within the database. | Oracle |

To track stored procedures and triggers

At times, Alcatel-Lucent Technical Support may ask you to identify the version of a component. A tracking system maintains the current version of all Audit Manager stored procedures and triggers. It is maintained in the Audit Manager database. To display this table, issue the following commands:

    $SYBASE/bin/isql -U lamadmin -P <lamadmin_password>
    1> select * from qip_version
    2> go

The resulting display gives a version string for all stored procedures and triggers in the system.

To manage the Audit Manager data space

Procedure

To manage the Audit Manager data space, follow these steps:

1 Enter the following commands to determine the total allocation of the Audit Manager database:

    # isql -U sa -P <sa_password>
    1> sp_helpdb LAM
    2> go

  Output looks like this:

    device_fragments  size     usage      free kbytes
    ----------------  -----    ------     -------------
    lam_dat           50.0 MB  data only  20752
    lam_log           15.0 MB  log only   15344

2 If there are multiple device_fragments with a usage of data only, add up the sizes to come up with the total data allocation of the Audit Manager database.

3 To determine the amount of free space in the data allocation portion of the Audit Manager database, enter the following commands:

    # isql -U sa -P <sa_password>
    1> use LAM
    2> go
    1> sp_spaceused
    2> go

  Output looks like this:

    database_name   database_size
    --------------  ------------------
    LAM             65.0 MB

    reserved   data        index_size       unused
    ---------  ----------  ---------------  ----------
    30330 KB   27420 KB    456 KB           2454 KB

4 To determine the amount of free space, subtract the reserved space from total data allocation space (in the preceding example, 50 MB - 30330 KB = 20.3 MB).
5 If you have less than 1 MB of free space (1 MB is recommended by Sybase for reliable operation), you must enlarge your data space:

    # isql -U sa -P sa_password
    1> sp_helpdevice    //*to check the vdevno number used*
    2> go
    1> use master
    2> go
    1> disk init    // create a device for Audit Manager data
    2> name="newlam_log or dat", physname="<full_path_to_physical_location_of_new_device>",    // The path must contain newlam_log or dat in the path
    3> vdevno=9, size=4096    // Assumes 9 is the next unused device number and 4096 2-KB blocks = 8 MB
    4> go
    1> alter database LAM    // This will add an additional 8 MB of space for data
    2> on newlam_dat=8    // Assumes 8 MB is how much you want to add to the database. Use only as much space from the new device as needed since it can be extended later.
    3> go
    1> quit

6 If you also need to enlarge your temp_db space, follow these steps:

    # isql -U sa -P sa_password
    1> sp_helpdevice    //*to check the vdevno number used*
    2> go
    1> use master
    2> go
    1> disk init    // create a device for Audit Manager data
    2> name="newlam_tempdb", physname="<full_path_to_physical_location_of_new_device>",    // The path must contain newlam_tempdb in the path
    3> vdevno=9, size=4096    // Assumes 9 is the next unused device number and 4096 2-KB blocks = 8 MB
    4> go
    1> alter database tempdb    // This will add an additional 8 MB of space for data
    2> on newlam_tempdb=8    // Assumes 8 MB is how much you want to add to the database. Use only as much space from the new device as needed since it can be extended later.
    3> go
    1> quit

END OF STEPS

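The calculation in steps 1 to 4 of the data space procedure above, as an added shell example that is not part of the original guide: it parses saved sp_helpdb and sp_spaceused output, sums the "data only" fragments, and subtracts the reserved space. The function and variable names and the second sample are constructed for illustration, and sizes are assumed to be reported in MB and KB as in the output shown in the procedure.

```shell
#!/bin/sh
# Added example (not from the guide): steps 1-4 of the data space procedure,
# applied to saved isql output. Function and variable names are hypothetical.

# sp_helpdb LAM output as printed in step 1 of the procedure.
PAGE_HELPDB='device_fragments size    usage     free kbytes
---------------- ------- --------- -----------
lam_dat          50.0 MB data only 20752
lam_log          15.0 MB log only  15344'

# sp_spaceused output as printed in step 3 of the procedure.
PAGE_SPACEUSED='database_name database_size
-------------- ------------------
LAM            65.0 MB
reserved  data     index_size unused
--------- -------- ---------- ----------
30330 KB  27420 KB 456 KB     2454 KB'

# Constructed sample: a second "data only" fragment and an almost full database.
TWO_FRAG_HELPDB='device_fragments size    usage     free kbytes
---------------- ------- --------- -----------
lam_dat          50.0 MB data only 480
lam_log          15.0 MB log only  15344
newlam_dat       8.0 MB  data only 12'

FULL_SPACEUSED='database_name database_size
-------------- ------------------
LAM            73.0 MB
reserved  data     index_size unused
--------- -------- ---------- ----------
58900 KB  57000 KB 1500 KB    400 KB'

# Step 2: add up every fragment whose usage is "data only"; print the total in KB.
# Assumes sizes are reported in MB, as in the output shown in the procedure.
data_alloc_kb() {
    awk '
        $4 == "data" && $5 == "only" {
            if ($3 != "MB" || $2 !~ /^[0-9]+(\.[0-9]+)?$/) { bad = 1; exit }
            total += $2 * 1024; seen = 1
        }
        END { if (bad || !seen) exit 1; printf "%d\n", total }
    '
}

# Step 3: print the "reserved" figure (KB) from the second sp_spaceused result set.
reserved_kb() {
    awk '
        $1 == "reserved" { header = 1; next }
        header && $1 ~ /^[0-9]+$/ && $2 == "KB" { print $1; found = 1; exit }
        END { if (!found) exit 1 }
    '
}

# Step 4: free data space = total data allocation - reserved, in KB.
# Returns 2 when either output cannot be parsed.
lam_data_free_kb() {
    alloc=$(printf '%s\n' "$1" | data_alloc_kb) || return 2
    reserved=$(printf '%s\n' "$2" | reserved_kb) || return 2
    echo $((alloc - reserved))
}

# Step 5 trigger: succeeds (exit 0) when less than 1 MB of data space is free.
lam_data_low() {
    free=$(lam_data_free_kb "$1" "$2") || return 2
    [ "$free" -lt 1024 ]
}

echo "guide output:       $(lam_data_free_kb "$PAGE_HELPDB" "$PAGE_SPACEUSED") KB free"
echo "constructed sample: $(lam_data_free_kb "$TWO_FRAG_HELPDB" "$FULL_SPACEUSED") KB free"
if lam_data_low "$TWO_FRAG_HELPDB" "$FULL_SPACEUSED"; then
    echo "constructed sample is below 1 MB free: enlarge the data space (step 5)"
fi
```

The result is reported in KB so that no rounding is involved; for the guide's own output it is 51200 KB - 30330 KB.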
To modify user password

The password of the owner of the Audit Manager database, lamadmin, can be modified using the isql command. To use the isql command, you must first log in as sa (system administrator):

    # isql -U sa -P <sa_password>

To change the password, enter the following commands:

    1> sp_password <sa_password>,<user's_new_password>,<user's_login_name>
    2> go

Important! To change the system administrator (sa) password, the <sa_password> should be equal to null. If the default sa password has not been changed, this value (null) must be entered when changing the password.

To manage the Audit Manager Transaction Log Space

Managing Audit Manager transaction log space involves monitoring disk space utilization, dumping the transaction log, and enlarging the transaction log. Instructions are given in this section to monitor, dump, and enlarge the transaction log.

Monitoring the Transaction Log Disk Space Utilization

To monitor the transaction log disk space utilization, enter the following commands:

    # isql -U sa -P <sa_password>
    1> use LAM
    2> go
    1> dbcc checktable (syslogs)
    2> go

The system displays the percentage of the transaction log currently in use.

Dumping the Transaction Log Without Uninstalling Sybase

To dump the transaction log without uninstalling your Sybase database (when your log disk space is full and there is no space for the truncate-only option), enter the following commands:

    # isql -U sa -P <sa_password>
    1> dump tran LAM with no_log
    2> go

Once you complete this process, all the log information in the SYSLOGs is destroyed. Hence, a dump database process has to be done immediately. Otherwise, the database cannot be recovered with the previous database dump since all logs were destroyed.

After you dump your transaction log, it is recommended that you make one (or both) of the following changes:

1. Enlarge the log device.
2. Reduce the time between transaction log backups.

Enlarging the Transaction Log Space

To enlarge the transaction log space:

    # isql -U sa -P <sa_password>
    1> sp_helpdevice    //*to check the vdevno number used*
    2> go
    1> disk init    // create a device for Audit Manager log
    2> name="newlam_log or dat", physname="<full_path_to_physical_location>",    // device name, database file name (Note that the path must contain "newlam_log or dat" in the path.)
    3> vdevno=8, size=1024    // assume 8 is the next unused device number and 1024 2-KB blocks = 2 MB (for example, 20MB=10240, 1MB=512, and so on)
    4> go
    1> alter database LAM    // This will add additional 2 MB space for Audit Manager log
    2> on newlam_log=2    // use only as much from the new device as needed, it can be extended later using the first approach
    3> go
    1> sp_logdevice LAM, newlam_log
    2> go
    1> quit

Important! If you need to add a new device, make the device big enough for future use. Device numbers are limited.

To recover the Sybase version 15 database

In the event that your system should crash, use the following procedure to recover your Audit Manager database.

Important! To provide up-to-the-minute recovery, the database option trunc must be off.

Dump the Current Transaction Log

To dump the current transaction log, follow these steps:

1 If you have chosen to log transactions in your database, you might need to dump the current transaction log. Run the following command to determine whether you need to dump the transaction log:

    1> sp_helpdb LAM
    2> go

  If the status is set to trunc. log on chkpt., then you have not been logging transactions and do not need to dump the transaction log. Otherwise, you are logging transactions and you do need to dump the transaction log.

2 To dump the current transaction log, run the following script:

    $SYBASE/bin/isql -U sa -P <sa_password>
    1> dump tran LAM to lam_dump_log with no_truncate    // if running in log mode, dump the log file
    2> go

END OF STEPS

Drop the Existing Database

To drop the existing database, run one of the following scripts:

    1> dbcc dbrepair (LAM, dropdb )    // delete the current database
    2> go

or

    1> drop database LAM
    2> go

Drop the existing devices

To drop the existing devices, run the following script:

    1> sp_helpdevice
    2> go

Make note of the size, location and vdevno of LAM_DAT and LAM_LOG. The database and device sizes are used later and are important because the devices must be at least the same size as they were prior to the failure.

To delete existing devices, run the following script:

    1> sp_dropdevice lam_dat    // delete the devices for Audit Manager
    2> go
    1> sp_dropdevice lam_log
    2> go

Shut down and restart the Sybase database

Shut down and restart the server and Sybase database in the following order:

1 Shut down and restart the backup server.

2 Shut down and restart the Sybase database.

END OF STEPS

Delete LAM_DAT and LAM_LOG from the operating system

To delete LAM_DAT and LAM_LOG from the operating system, follow these steps:

1 Locate LAM_DAT and LAM_LOG using sp_helpdevice as specified in Step 3.

2 Delete LAM_DAT and LAM_LOG from the operating system.

END OF STEPS

Recreate the database

Recreate the Audit Manager database, as follows:

    $SYBASE/bin/isql -U sa -P <sa_password>
    1> disk init    // recreate the device for Audit Manager data
    2> name="lam_dat", physname="<full_path_to_physical_location>",
    3> vdevno=<lam_dat's vdevno>, size=<number_of_blocks>
    4> go

Important! The vdevno, location, and size were located in Step 3 using sp_helpdevice. The number of blocks = the size of LAM_DAT (in MB) x 512 (for example, if LAM_DAT = 30 MB, the number of blocks = 30 x 512 = 15360).

    1> disk init    // create a device for Audit Manager log
    2> name="lam_log", physname="<full_path_to_physical_location>",
    3> vdevno=<lam_log's_vdevno>, size=<number_of_blocks>
    4> go

Important! The vdevno, location, and size were determined in Step 3 using sp_helpdevice. The number of blocks = the size of LAM_LOG (in MB) x 512 (for example, if LAM_LOG = 10 MB, the number of blocks = 10 x 512 = 5120).

Create the Audit Manager database

Create the Audit Manager database, as follows:

    1> create database LAM    // create a database for Audit Manager
    2> on lam_dat = <size_in_mb>    // size = 30 in above example
    3> log on lam_log = <size_in_mb>    // size = 10 in above example
    4> for load
    5> go

Reload the Audit Manager database

After you have recreated the database, you can reload the database from the dumped database, as follows:

    1> load database LAM from lam_dump_dat    // for the recent database dump
    2> go

If you had been logging transactions (this was determined in Step 1), you will need to reload the transaction log. Reloading the Audit Manager transaction log must follow first_out/first_in order. In other words, the first file that you dumped needs to be the first file that you reapply, the second file you dumped needs to be the second file that you reapply, and so on.

    1> load tran LAM from lam_dump_log    // for all recent log dumps
    2> go    // after the recent database dump

Ensure a successful recovery

To run the checkdb and checkalloc commands, follow these steps:

1 To set the server to single-user mode, enter the following:

    > sp_dboption LAM, 'single user',true
    > go
    > use LAM
    > go
    > checkpoint
    > go

2 Run the following command that checks whether the data loaded correctly:

    $SYBASE/bin/isql -U sa -P <password> -i dbcc > dbcc.out

3 Create the dbcc file. It should contain the following:

    dbcc checkdb(lam)
    go
    dbcc checkalloc(lam)
    go
    exit

4 Review the dbcc.out file for errors. If errors are displayed, call Technical Support.

END OF STEPS

Bringing the LAM database online

Bring the LAM database online, as follows:

    $SYBASE/bin/isql -U sa -P <sa_password>
    1> online database LAM
    2> go

To maintain index statistics

When you create an index after a table is loaded, a data distribution table is created for that index. The distribution page is not automatically maintained. The database owner must issue an update statistics command to ensure that statistics are current. In Audit Manager, you would need to do this whenever you import a great deal of data. Failure to update statistics can severely hurt performance.

Run the lam-util (p. A-11) command with the SybaseUpdateStatistics or OracleUpdateStatistics function.

Important! qip-import runs this script automatically. Refer to lam-import (p. 10-40) for more information.

To join archived files

Periodically, you may want to join archived files. You join files by running the LAMarchive-concatenate utility. This combines data from the tables into three output files:

    LAMar_triggered_comb.yyyymmddHHMMSS.yyyymmddHHMMSS.qef
    LAMar_audit_comb.yyyymmddHHMMSS.yyyymmddHHMMSS.qef
    LAMar_search_comb.yyyymmddHHMMSS.yyyymmddHHMMSS.qef

Refer to LAMarchive-concatenate (p. 10-16) for more information on archiving and the output files.