eTrust Audit iRecorder Reference Guide for CCURE
This documentation and related computer software program (hereinafter referred to as the “Documentation”) is for the end user’s informational purposes only and is subject to change or withdrawal by Computer Associates International, Inc. (“CA”) at any time.
This documentation may not be copied, transferred, reproduced, disclosed or duplicated, in whole or in part, without the prior written consent of CA. This documentation is proprietary information of CA and protected by the copyright laws of the United States and international treaties.
Notwithstanding the foregoing, licensed users may print a reasonable number of copies of this documentation for their own internal use, provided that all CA copyright notices and legends are affixed to each reproduced copy. Only authorized employees, consultants, or agents of the user who are bound by the confidentiality provisions of the license for the software are permitted to have access to such copies.
This right to print copies is limited to the period during which the license for the product remains in full force and effect. Should the license terminate for any reason, it shall be the user’s responsibility to return to CA the reproduced copies or to certify to CA that same have been destroyed.
To the extent permitted by applicable law, CA provides this documentation “as is” without warranty of any kind, including without limitation, any implied warranties of merchantability, fitness for a particular purpose or noninfringement. In no event will CA be liable to the end user or any third party for any loss or damage, direct or indirect, from the use of this documentation, including without limitation, lost profits, business interruption, goodwill, or lost data, even if CA is expressly advised of such loss or damage.
The use of any product referenced in this documentation and this documentation is governed by the end user’s applicable license agreement.
The manufacturer of this documentation is Computer Associates International, Inc.
Provided with “Restricted Rights” as set forth in 48 C.F.R. Section 12.212, 48 C.F.R. Sections 52.227-19(c)(1) and (2) or DFARS Section 252.227-7013(c)(1)(ii) or applicable successor provisions.
2003 Computer Associates International, Inc.
All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.
Contents
Chapter 1: Welcome to iRecorder for CCURE 800/8000
  What Is an iRecorder?
  iRecorder Architecture
Chapter 2: Installation and Configuration
  System Requirements
    Hardware Requirements
  Pre-Installation Steps
  Installing the iRecorder
    Installing the iRecorder from the eTrust Security Command Center CD
    Installing the iRecorder Downloaded from eSupport
    Installing the iRecorder
    Silent Installation
    Silent Uninstallation
    Generating a Response File for Custom Silent Installation
  Windows Packages
  Configuration and Use
    Starting the iRecorder
    Stopping the iRecorder
Chapter 3: Configuring the iRecorder
    Enabling Debugging
    Testing the iRecorder for CCURE 800/8000 (CCURE)
Chapter 4: Report Selection Criteria
Chapter 5: Adding the Default Policy Template for the iRecorder to the eTrust Audit Policy Manager
  Configuring the Default Policy in the eTrust Audit Policy Manager
  Sample Rules for CCURE 800/8000
Chapter 6: eTrust Audit Field Mapping
  Native Product Fields (CCURE)
  eTrust Audit Mandatory Fields (CCURE)
  eTrust Audit Normalized Fields
Chapter 1: Welcome to iRecorder for CCURE 800/8000
This guide describes how to install, configure, and use the eTrust Audit iRecorder for CCURE 800/8000. This iRecorder harvests log data from CCURE 800/8000 and forwards it to an eTrust Audit Client.
CCure 800/8000 is a security management system that controls and manages physical access to secure areas. All personnel accessing the secure areas are required to use a badge, which identifies the person and the associated privileges. The system is developed by Software House, and further technical information on the CCure 800/8000 system can be found at http://www.swhouse.com.
This iRecorder was developed using CCure 800/8000 version 7.
The CCure badge reader system consists of the following basic components:
■ Physical Tokens or badges issued to personnel
■ Badge readers mounted on various access points to the secure areas
■ Controller system that controls badge readers to allow, disallow, raise alarms, and so on when the badge is scanned by a badge reader.
■ Management system to configure and set up various authorization rules for badges and badge readers.
■ A repository for personnel and asset information created when badges are issued. This repository can be accessed through ODBC and is called the CF Database in the CCure technical documentation.
■ A repository for real-time events about badge accesses and other system activity. This repository can also be accessed through ODBC and is called the Journal database. During the life of the system, new Journals can be created as described in the CCure technical documentation. Each Journal is a separate database and is named JL_xxxxx.db, where xxxxx is a sequential number starting from 00001. The current Journal Database in use can be determined from the CF Database. After the current Journal Database is identified, all events created due to user or system activity can be accessed from the Journal Database.
What Is an iRecorder?
eTrust Audit 1.5 recorders can be deployed in two different ways:
Recorders
Recorders are one of the subcomponents packaged with eTrust Audit 1.5 Client components. These predefined recorders use the eTrust Audit Submit API (SAPI) to send log events to a Router and Action Manager for further processing as defined in the Policy Manager. This architecture leads to some restrictions in Recorder development and deployment:
■ SAPI uses remote procedure calls (RPC), which makes recorders difficult to deploy across firewalls
■ Deployments of new recorders that are not predefined require you to make manual changes to existing Routers and Action Managers
iRecorders
iRecorders are new to eTrust Audit. They are developed using the iRecorder SDK, which is based on the iTechnology SDK. iRecorders can be easily deployed in an existing eTrust Audit environment without making significant changes to that environment. iRecorders, just like recorders, send log events to a Router and Action Manager for event processing. They require an intermediate component, known as an iRouter, which is installed on an existing eTrust Audit Client. The iRouter provides a bridge between the iRecorder and the eTrust Audit Client. The iRouter converts tokens from XML format to SAPI format and submits them to the Router.
iRecorder Architecture
The iRecorder architecture allows easy deployment across firewalls, and new iRecorder development does not require changes in the existing eTrust Audit deployment.
The following diagram illustrates the flow of information from the iRecorder to the eTrust Audit Client components:
As you can see, an iRecorder really consists of several components that help capture, route, and convert the event data to SAPI format so that it can be processed by an eTrust Audit Client.
The components of iTechnology are as follows:
iGateway
iGateway is a service that dynamically loads iSponsors and communicates with the other iGateways and iSponsors. The main features and functions of an iGateway are as follows:
■ Load the iSponsor
■ Locate and read the .conf files associated with the various iSponsors in its local directory.
— Load the corresponding iSponsor DLLs (such as iControl or iRecorder) at iGateway start up or upon request from another iSponsor (local or remote).
■ Provide configuration data found in .conf file to the corresponding iSponsor
■ Support Data Communication
The iGateway uses the HTTP/HTTPS protocol on port 5250 to handle all data communication as follows:
■ The data format for iGateway communication is based on XML.
■ An iGateway receives XML formatted data from the local iSponsors and sends it to the specified iGateway for delivery to the appropriate iSponsor.
■ An iGateway receives XML formatted data from a remote iSponsor and delivers it to the appropriate local iSponsor.
Note: Each iGateway can be associated with a digital certificate used by iRecorders to sign all outgoing events. In addition, iRecorders include the digital certificate with its associated thumbprint for the first outgoing event. For all other events, only the thumbprint is included.
iControl
iControl is an iSponsor DLL that is automatically loaded by the iGateway and supports the following functions:
Store and Forward (SAF) for guaranteed delivery of events as follows: If the iGateway cannot deliver an event, it is passed onto the iControl component for SAF handling.
■ iControl stores the undelivered events in a file.
■ Periodically, iControl extracts events from the event file and attempts to deliver them using iGateway.
■ All events that are extracted successfully are marked as “old,” and periodically iControl deletes the “old” events.
Event validation
■ If it is the first event, save the digital certificate and the associated thumbprint.
■ For all events, use the thumbprint included in the event to retrieve the matching certificate. If the certificate is not found, generate an error.
■ Use the certificate to validate the signature of the event. If the signatures do not match, generate an error.
Routes events to a remote iControl
The iControl.conf file contains information related to routing and which Event plug-in should be loaded.
Note: iControl can load multiple Event plug-ins and sends every event to each plug-in.
Event Plug-in (EP)
The Event plug-in is a DLL used by iControl to handle specialized tasks such as converting formats, applying filters, sending events to a database, and so on.
EPAudit Plug-in
If the EPAudit plug-in is configured, all events received by iControl are sent to the EPAudit plug-in to be delivered to the Router. The primary functions of EPAudit are to:
■ Convert events from XML format to eTrust Audit SAPI format.
■ Submit events to the eTrust Audit Router component running on the localhost.
EPUnicenter Plug-in
If the EPUnicenter plug-in is configured, all events received by iControl are sent to the EPUnicenter to be delivered to the Event Management component of Unicenter. The primary functions of the EPUnicenter plug-in are to:
■ Convert events from XML format to Unicenter EM format.
■ Submit events to the Event Management component running on the localhost.
EPDebug Plug-in
If the EPDebug plug-in is configured, all events received by iControl are sent to the EPDebug to be delivered to any Debug Viewer running on the local host.
iRecorder
iRecorder is an iSponsor DLL loaded by the iGateway running on the device generating log events. Its primary functions are as follows:
■ Extract the log events from the device or from an event log repository using an API, ODBC, or file I/O.
■ Parse the event fields into tokens and create “Name–Value” pairs for each parsed token in XML format.
■ Submit XML strings containing the events to a local or remote iRouter. The iRouter sends the events to EPAudit plug-in, which in turn submits the events to eTrust Audit for further action.
■ For the first log event from the device, the iRecorder attaches the iGateway certificate as an attribute.
■ For all log events, iRecorder includes the iGateway certificate thumbprint (a unique ID for the certificate) and the signature (hash of the whole event signed by the certificate).
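The signing rules listed here for the iRecorder and the event validation steps listed earlier for iControl, modelled end to end as an added example (not CA code). Assumptions: the thumbprint is the SHA-1 of the certificate bytes, the "certificate" is a constructed stand-in holding only a public key, the signature is a toy textbook RSA over SHA-256, and events are dicts rather than the real XML.

```python
import hashlib

# Toy RSA key built from two Mersenne primes. Illustration only: far too
# small and unpadded to protect real events.
P, Q, E = 2**89 - 1, 2**107 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def make_cert(n, e):
    """Constructed stand-in for the iGateway certificate: the public key only."""
    return f"{n}:{e}".encode()


def thumbprint(cert):
    # Assumption: thumbprint = SHA-1 over the certificate bytes.
    return hashlib.sha1(cert).hexdigest()


def digest(body):
    return int.from_bytes(hashlib.sha256(body.encode()).digest(), "big")


class Recorder:
    """Sender: certificate on the first event, thumbprint and signature on all."""

    def __init__(self, n, d, cert):
        self.n, self.d, self.cert = n, d, cert
        self.sent_cert = False

    def emit(self, body):
        event = {
            "body": body,
            "thumbprint": thumbprint(self.cert),
            "signature": pow(digest(body) % self.n, self.d, self.n),
        }
        if not self.sent_cert:
            event["certificate"] = self.cert
            self.sent_cert = True
        return event


class ValidationError(Exception):
    pass


class Validator:
    """Receiver: the three validation steps the guide lists for iControl."""

    def __init__(self):
        self.certs = {}  # thumbprint -> certificate bytes

    def validate(self, event):
        cert = event.get("certificate")
        if cert is not None:
            # Added check (assumption, not stated in the guide): only store a
            # certificate under a thumbprint that really is its hash.
            if thumbprint(cert) != event["thumbprint"]:
                raise ValidationError("thumbprint does not match certificate")
            self.certs[event["thumbprint"]] = cert
        cert = self.certs.get(event["thumbprint"])
        if cert is None:
            raise ValidationError("no certificate for thumbprint")
        n, e = (int(part) for part in cert.decode().split(":"))
        if pow(event["signature"], e, n) != digest(event["body"]) % n:
            raise ValidationError("signature mismatch")
        return True


def demo():
    """Run four constructed events through validation and return the outcomes."""
    rec, seen_first = Recorder(N, D, make_cert(N, E)), Validator()
    first = rec.emit("Msg_Code=2 Card Admitted")    # constructed event body
    second = rec.emit("Msg_Code=3 Card Rejected")   # carries no certificate
    tampered = dict(second, body="Msg_Code=2 Card Admitted")
    missed_first = Validator()  # receiver that never saw the first event
    outcomes = []
    for validator, event in ((seen_first, first), (seen_first, second),
                             (seen_first, tampered), (missed_first, second)):
        try:
            validator.validate(event)
            outcomes.append("ok")
        except ValidationError as err:
            outcomes.append(str(err))
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The last case shows the consequence of sending the certificate only once: a receiver that did not store the first event has nothing to look up by thumbprint and rejects every later event from that recorder.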
iRouter
An iRouter is a collection of the following components installed on the eTrust Audit Client machine:
■ iGateway
■ iControl
■ EPAudit plug-in
The iRouter installation package is included with the iRecorder SDK and does not require any changes. It works with the existing and new iRecorders. The iRouter forwards all events to the eTrust Audit Client using SAPI.
Chapter 2: Installation and Configuration
This chapter describes how to install and configure the iRecorder for CCURE 800/8000.
System Requirements
The topics that follow describe the hardware and software requirements for the iRecorder, assuming that CCURE 800/8000 is already installed and operational on some host.
Hardware Requirements
The iRecorder for CCURE 800/8000 has the following minimum hardware requirements:
■ Approximately 10 MB of disk space for the iRecorder installation.
The iRecorder for CCURE 800/8000 has the following platform requirements:
■ x86 PC running Windows 2000 with Service Pack 2
■ Access to a CCURE 800/8000 system running version 7.1
■ CCURE 7.1 Client and ODBC driver (must be pre-installed)
Pre-Installation Steps
Install the CCURE Client and ODBC driver on the same machine where the iRecorder will be installed.
Before you install and set up an iRecorder, you need to install the iRouter component on a host where eTrust Audit Client components are installed. iRouter lets iRecorders communicate with eTrust Audit. During the iRecorder installation, you are prompted for the host where iRouter is installed.
For more details on how to install iRouter, see the iRouter Reference Guide.
The eTrust Audit Policy Manager must be installed somewhere on the network, along with the eTrust Audit Data Tools.
Installing the iRecorder
The following topics describe how to install the iRecorder for CCURE 800/8000 from the CD or from the web.
Installing the iRecorder from the eTrust Security Command Center CD
To install the iRecorder from the eTrust Security Command Center CD, insert CD 5 into the CD drive. The Product Explorer should automatically start and display the installation menu. If the Product Explorer does not automatically start, click Start, Run and enter the following command:
[CD-Drive]:\PE_I386.exe
where [CD-Drive] is your CD drive letter designation.
All iRecorders available on the eTrust Security Command Center CD are located as follows: eTrust, Audit, iRecorders.
To install an iRecorder, select the appropriate recorder from the list and follow the detailed install instructions provided in the following sections.
Installing the iRecorder Downloaded from eSupport
You can also download and install an iRecorder from the web. To install the downloaded package, you will need two components:
1. iRecorder installation package from http://esupport.ca.com
2. Appropriate (Windows, UNIX) iGateway package from ftp://ftp.ca.com/pub/itech/downloads
Download these packages into the same directory and run the iRecorder install package. The iRecorder install package automatically installs the iGateway package, if needed. Detailed installation instructions for the iRecorder are provided in the next topic.
Installing the iRecorder
If the install package for the iRecorder is not running already, run the package CCureODBC_<version number>.exe to start installation of the iRecorder. It starts a wizard that guides you through installation and configuration of the iRecorder.
Silent Installation
Enter the following command to silently install the CCure iRecorder using an InstallShield response file:
CCureODBC_<version>.exe /s /f1 "ccureodbc_setup.iss"
The above example demonstrates the silent install capability provided by the iRecorder package. The response file in the example should be changed to reflect the particular conditions of the target environment. See How to Generate a Response File for Custom Silent Installation.
Silent Uninstallation
Enter the following command to silently uninstall the CCure iRecorder using an InstallShield response file:
CCureODBC_<version>.exe /s /f1 "ccureodbc_uninstall.iss"
Generating a Response File for Custom Silent Installation
The response files provided with the package contain an example of a silent install session. It is often necessary to customize the silent installation to the particular needs of the enterprise.
The sections below provide instructions on how to customize silent installation. Choose a system that is similar if not identical to the target system.
Windows Packages
Note: The system must not contain the iRecorder for which you want to customize the silent installation. If the system has the iRecorder installed, uninstall the iRecorder using the Add/Remove Program option of the Control Panel.
Proceed as follows to generate a custom response file:
1. Open a DOS window
2. Change directory to the folder that contains the iRecorder package
3. On the CD labeled “eTrust Audit 1.5 SP2”, part of the eTrust Security Command Center package, the iRecorder package folder is:
<CD Drive>:\eTrust\Audit\iRecorder\Winnt
For instance, if G drive is the CD drive, the iRecorder package folder is:
G:\eTrust\Audit\iRecorder
Enter the following:
<iRecorder package>.exe /r /f1"<pathname of response file>"
For example:
CCureODBC_<version>.exe /r /f1"C:\Temp\irecorder_setup.iss"
4. Follow instructions given by the installation procedure and install the package as you would do on the target system.
5. Click Finish.
The response file is generated. It can be used for silent installation on similar target systems.
Configuration and Use
The following topics describe how to configure and use the iRecorder.
Starting the iRecorder
The iRecorder is run as a sub-component of the iTechnology-iGateway service.
To start the iRecorder on Windows 2000, start the iGateway service using either of the following methods:
■ Use the Services Management GUI (Start, Control Panel, Services or Administrative Tools, Services).
■ Issue the following command: net start igateway
Stopping the iRecorder
The iRecorder is run as a sub-component of the iTechnology-iGateway service.
To stop the iRecorder on Windows 2000, stop the iGateway service using either of the following methods:
■ Use the Services Management GUI (Start, Control Panel, Services or Administrative Tools, Services).
■ Issue the following command: net stop igateway
Chapter 3: Configuring the iRecorder
iRecorder configuration parameters are kept in a configuration file usually located in the iGateway installation directory. The iRecorder configuration parameters are automatically set during iRecorder installation and do not require any changes for the normal operation of the iRecorder. If any parameters need to be modified, you must stop the iTechnology iGateway service or daemon before making the changes. After making the changes, restart the service for the changes to take effect.
The iRecorder configuration file is named irecordername.conf and is found in the iGateway installation directory. For example: \Program Files\CA\iGateway on Windows and /opt/CA/igateway on UNIX/Linux.
Sample Configuration File (CCURE)
The following is a sample CCureODBC.conf configuration file:
<?xml version='1.0' encoding='UTF-8' standalone='no'?>
<iSponsor>
  <Name>CCureODBC</Name>
  <ISType>DSP</ISType>
  <ImageName>CCureODBC</ImageName>
  <DispatchEP>iDispatch</DispatchEP>
  <ClsPath></ClsPath>
  <LibPath></LibPath>
  <Version>@VERSION@</Version>
  <PreLoad>true</PreLoad>
  <DBHost def="localhost" prompt="Servername where the CCure Server is installed" type="text">localhost</DBHost>
  <CFUsername def="SYSPROGRESS" prompt="Username used to access the CF database on the CCure Server" type="text">SYSPROGRESS</CFUsername>
  <CFPassword prompt="User Password used to access the CF database on the CCure Server" type="password"></CFPassword>
  <JNUsername def="SYSPROGRESS" prompt="Username used to access the JOURNAL database on the CCure Server" type="text">SYSPROGRESS</JNUsername>
  <JNPassword prompt="User Password used to access the JOURNAL database on the CCure Server" type="password"></JNPassword>
</iSponsor>
Enabling Debugging
You can configure the iRecorder to output debugging information to a debugging application or to a file. A file containing debug information can be useful for technical support purposes.
To enable debugging and log debug information to a file, follow these steps:
1. Stop the iRecorder by stopping the iTechnology iGateway Service.
2. Edit the iRecorder configuration file by adding the following <DebugLevel> tag between the <iSponsor> tags:
<DebugLevel>{level}</DebugLevel>
where {level} is one of the following:
ISP_NOLEVEL
Disables debugging.
ISP_FILE
Prints all debug messages to a debug application and also writes them to a log file, irecordername.log, in the same directory as the iRecorder. The debug file may grow very quickly; to avoid a possible disk space shortage, we recommend turning off the debugging option as soon as possible by replacing ISP_FILE with ISP_NOLEVEL.
3. Save the configuration file.
4. Start the iRecorder by restarting the iTechnology iGateway Service.
5. Send the debug file to CA Technical Support for further analysis.
Testing the iRecorder for CCURE 800/8000 (CCURE)
Using the following steps, you can verify that the iRecorder is installed properly and sending events to eTrust Audit:
1. Install the iRecorder for CCURE on a Windows host.
2. Install iRouter component on a host where eTrust Audit Client components are installed.
3. Verify that the <windir>\System32\Driver\etc\services file contains the following entries:
CFSRV 2500/tcp # CCURE800: Progress CF database server
# JNSRV 2501/tcp # CCURE800: Progress JOURN database server, not used, see G#2718
JNSRV1 2502/tcp # CCURE800: Progress JOURN database server 1
JNSRV2 2503/tcp # CCURE800: Progress JOURN database server 2
JNSRV3 2504/tcp # CCURE800: Progress JOURN database server 3
JNSRV4 2505/tcp # CCURE800: Progress JOURN database server 4 (not yet used)
CCDRVR 2600/tcp # CCURE800: ApC Driver
4. Verify that <Program Files>\CA\iGateway contains the following files:
■ CCureODBC.dll
■ CCureODBC.conf
5. Run the eTrust Audit Policy Manager.
6. Copy the default policy for the CCURE Badge to a new one.
7. Choose the collection rule and add an action to it by right-clicking the rule, choosing Properties and then Actions (with a machine running the eTrust Audit Security Monitor as the target of the Security Monitor action).
8. Create a new group in the AN (Audit Node) window, then add the iRouter machine as a new CCURE Badge source.
9. Attach the newly created AN group to the policy you have just created.
10. Switch back to the Policy window.
11. Right-click the policy you created, and then select the Activate command to activate the policy.
12. On the CCURE server, log into the Administration or Monitoring Client.
You will see a Login event as soon as you open the eTrust Audit Security Monitor.
13. Verify that the generated events are displayed in the eTrust Audit Security Monitor.
iRecorders also support standard iTechnology SDK tools (like TestHarness and Spin interface) to query the iRecorder for current status and configuration information. For more details on these tools, see the iTechnology SDK Reference Guide.
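Two of the checks in this chapter can be scripted: the services entries from step 3 of the test procedure, and the recommendation under Enabling Debugging not to leave ISP_FILE set. The following is an added example, not part of the CA package; the sample file contents are constructed, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Entries the guide lists for the services file. The JNSRV 2501/tcp line is
# commented out in the guide's listing, so it is not required here.
REQUIRED = {"CFSRV": "2500/tcp", "JNSRV1": "2502/tcp", "JNSRV2": "2503/tcp",
            "JNSRV3": "2504/tcp", "JNSRV4": "2505/tcp", "CCDRVR": "2600/tcp"}

# Constructed services-file text: JNSRV3 is absent and CCDRVR has the wrong protocol.
SAMPLE_SERVICES = """\
CFSRV   2500/tcp   # CCURE800: Progress CF database server
# JNSRV 2501/tcp   # CCURE800: Progress JOURN database server, not used
JNSRV1  2502/tcp   # CCURE800: Progress JOURN database server 1
JNSRV2  2503/tcp
JNSRV4  2505/tcp
CCDRVR  2600/udp   # CCURE800: ApC Driver
"""

# Constructed CCureODBC.conf fragment with debugging left switched on.
SAMPLE_CONF = (b"<?xml version='1.0' encoding='UTF-8' standalone='no'?>\n"
               b"<iSponsor><Name>CCureODBC</Name>"
               b"<DebugLevel>ISP_FILE</DebugLevel></iSponsor>")


def parse_services(text):
    """Return {NAME: 'port/proto'} for the active (uncommented) entries."""
    entries = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and re.fullmatch(r"\d+/(tcp|udp)", parts[1].lower()):
            entries[parts[0].upper()] = parts[1].lower()
    return entries


def debug_level(conf_xml):
    """Return the <DebugLevel> value under <iSponsor>, or None if the tag is absent."""
    node = ET.fromstring(conf_xml).find("DebugLevel")
    return node.text.strip() if node is not None and node.text else None


def findings(services_text, conf_xml):
    """List every deviation from what the guide asks for."""
    found = parse_services(services_text)
    problems = []
    for name, want in REQUIRED.items():
        have = found.get(name)
        if have is None:
            problems.append(f"{name}: missing, expected {want}")
        elif have != want:
            problems.append(f"{name}: found {have}, expected {want}")
    if debug_level(conf_xml) == "ISP_FILE":
        problems.append("DebugLevel: ISP_FILE still set, guide recommends ISP_NOLEVEL")
    return problems


if __name__ == "__main__":
    for problem in findings(SAMPLE_SERVICES, SAMPLE_CONF):
        print(problem)
```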
Chapter 4: Report Selection Criteria
For events that are reported by the iRecorder and stored in the eTrust Audit Collector database, selected reports can be generated using a Report Generator.
The following table describes suggested selection criteria for reports of general interest.
The first column of the table is the Report Name. The second column is the Audit Logname that can be specified to include all events for this Logname in the report. The Additional Criteria column specifies one or more additional fields that may be used to further narrow the range of events to be included in the report. Finally, the Comment column specifies whether the field name is in the Audit MSGTEXT field or not. The distinction is important because the MSGTEXT field is a free-form text field that may contain several fields. Since the MSGTEXT column contains multiple field name and field value pairs, the MSGTEXT field must be searched using wildcard characters to select the specific field names and values.
Sample Report Selection Criteria for CCure Badge
Report | Logname | AND additional criteria (format field name : field value) | Comment
Login Failure | CCure Badge | Integer NID: 1, Integer OID: 1 | OID is in MSGTEXT field
Login Success | CCure Badge | Integer NID: 1, Integer OID: 2 | OID is in MSGTEXT field
Badge In | CCure Badge | Integer NID: 2, Subcat: “Badge In” | Subcat is in MSGTEXT field
Badge Out | CCure Badge | Integer NID: 2, Subcat: “Badge Out” | Subcat is in MSGTEXT field
Chapter 5: Adding the Default Policy Template for the iRecorder to the eTrust Audit Policy Manager
To be able to create policy for CCURE 800/8000, you must add the default policy template for the iRecorder to the Policy Manager.
To add the default template, follow these steps:
1. On the eTrust Audit Policy Manager server, open the following file: [eTrust Audit install]\bin\pmu_template_exchange.exe.
The following window appears:
2. Choose Import Policy Template from binary file, and then click Next.
3. Next, enter the path of eTrust Audit CCure iRecorder Policy.ptf. This file is in the iGateway installation directory. Click Next.
4. Select Next again. This dialog shows the description of the policy file.
5. The next dialog asks if you want to create the policy in the default policies section. Select Yes, and then click Next.
6. Enter CCure Badge as the name of the inserted subpolicy, and click Finish.
Configuring the Default Policy in the eTrust Audit Policy Manager
This topic is provided as a brief guide on how to configure the policy for the iRecorder. For further details, see the eTrust Audit Policy Management Guide.
1. Open the eTrust Audit Policy Manager.
2. On the left hand pane, click Audit Nodes.
3. Select the Targets node, right-click, and choose New Group from the pop-up menu.
4. Give the new group a descriptive name, such as CCure ODBC.
5. Right-click CCure ODBC, and select New AN from the pop-up menu.
6. Enter the host name of the iRouter that you have configured the iRecorder to communicate with.
7. Select the AN type as CCure ODBC.
8. Enter a description for the AN node.
9. Click OK. Repeat steps 5 through 8 for each iRouter in your network that a CCure iRecorder communicates with.
10. On the left hand pane, select Policies.
11. From the menu bar, select File, and choose New.
12. Select Policy Folder (this should be the only available option), and give the folder a name, such as CCure ODBC.
13. Right-click the CCure ODBC folder, and choose New Policy from the pop-up menu.
14. Select Policy by Template, and choose eTrust Audit CCure ODBC iRecorder Policy.
15. Enter a name, such as CCure ODBC Policy, and click Finish.
16. An action must be defined for each rule. For the purposes of this guide, we will define an action for the All Events rule.
17. Right-click the All Events rule, and choose Properties from the pop-up menu.
18. Click the Action tab.
19. Check the box for the Collector action.
20. Click Add, and enter the host name or IP address of the eTrust Audit Collector.
21. Repeat steps 19 and 20 for the Security Monitor action.
22. Click OK when finished.
This causes the icon for the All Events rule to turn from a white bell to a blue bell.
23. Click the bell to select the rule.
This turns the color of the bell to red.
24. Right-click the CCure ODBC folder, and choose Attach AN Group from the pop-up menu.
25. Select the CCure ODBC AN group, and click OK.
26. Right-click the CCure ODBC folder, and click Activate.
27. Click OK when the confirmation dialog box appears.
28. From the left pane, click Audit Nodes.
29. Select the CCure ODBC Group, and verify for each AN that there are no errors.
If there are no errors, then there will be a key icon in the Name of each AN.
Sample Rules for CCURE 800/8000
The Report Selection CCure iRecorder Policy.ptf file includes 3 sample rules:
Badge In
Detect all badge in events.
Badge Out
Detect all badge out events.
Login Failure
Detect login failure to CCure applications.
Chapter 6: eTrust Audit Field Mapping
The following topics describe how fields in CCURE 800/8000 events are captured by the eTrust Audit iRecorder and mapped to a standard set of normalized fields. eTrust Audit requires all iRecorders to follow a standard Data Model and Taxonomy. The following topics describe how the iRecorder for CCURE 800/8000 maps the native CCURE 800/8000 fields into eTrust Audit fields.
Native Product Fields (CCURE)
CCure Journal Event Data Structure
Field Name | Data Type | Description
Jnl_ID | Int | Unique ID for message (max of 2 billion)
Local_DT | Int | Encoded Date/Time activity actually occurred
Host_DT | Int | Encoded Date/Time message was received at host
TZ_Offset | Int | Time-zone offset in half-hours
Msg_Code | Int | Message Code for activity
User_PID | Int | PID of person associated with activity
Int_Data1 | Int | May only contain object IDs
Int_Data2 | Int | May contain either Object IDs, or codes < 1000
Int_Data3 | Int | May contain either personnel ID (PIDs), or codes < 1000
Int_Data4 | Int | May not contain object IDs or PIDs
Txt_Data1 | Char | A message specific text string
Txt_Data2 | Char | Another message specific text string
CCure Journal Event Data Format
Msg Code | Desc | User_PID Supplied | Int_Data1 | Int_Data2 | Int_Data3 | Int_Data4 | Txt_Data1 | Txt_Data2
001 | User Login/Logout | PID User | None | Program started - PRM$JPR_xxx | Login/out Code - PRM$JLO_xxx | None | Node | User name - if invalid
002 | Card Admitted | PID | DoorID | Admit Code | Sec Officer ID, if admitted manually | Card Number | None | None
003 | Card Rejected | PID | DoorID | Admit Code | Reject Code - PRM$JRE_xxx | Card Number | None | None
004 | Log Message | SO ID; PID User | Event Object ID | None | None | JNL ID of related activity | Text of Log Message | None
005 | Object Changed State (Event, Distributed, Manual) | PID | ID of Object Changing the state | None | State Code | StateChange Method Code/iStar Connection Code | None | None
006 | Manual Action | SO ID; PID User | ID of Object Acted On | Action Code | Manual Action Object ID | Manual Action - PRM$JMA_xxx | None | None
007 | System Activity (Normal) | No | None | None | Activity Code - PRM$JSM_xxx | None | Node Name | Mac Name
008 | System Error | No | None | None | System Error Code - PRM$JSE_xxx | API Error Code | Node Name | API Name
009 | Device Activity (Normal) | PID | ID of Unit or Component | Another Object ID | Activity Code - PRM$JDM_xxx | None | Firmware Version | None
010 | Device Error / Recovery | No | ID of Unit or Component | Another Object ID | Error Code - PRM$JDE_xxx | SubError Code (paging) | Firmware Version | None
011 | Asset Activity | Asset ID | None | Info Code - PRM$JAT_xxx | PersonID | Access Code | None | None
012 | Asset Movement Authorized | Asset ID | Reader ID | HHRId | PersonID | Access Code | Tag Number | AreaID
013 | Asset Movement Unauthorized | Asset ID | Reader ID | HHRId | PersonID | Access Code | Tag Number | AreaID
014 | Asset Movement Attempted | Asset ID | Reader ID | (none) | PersonID | Access Code | Tag Number | AreaID
015 | Asset Location Update | Asset ID | Area ID | HHRId | PersonID | Access Code | Tag Number | None
016 | Watchtour Action | PID | Action Code | ObjectID | TourGaurdID | ? | None | None
017 | Watchtour Activity | No | InfoCode | ObjectID | TourGaurdID | ReaderID | None | None
018 | Watchtour Error | No | InfoCode | ObjectID | TourGaurdID | ? | None | None
019 | Watchtour Stop Activity | No | InfoCode | ObjectID | TourGaurdID | TourStopID | None | None
020 | NetVideo Activity | PID | CameraID | NetVideoActionID | None | EventID | SegmentID | None
eTrust Audit Mandatory Fields (CCURE)
Mandatory fields are a fixed set of fields that are added to each event processed by any iRecorder. The following tables describe what values are assigned to the Mandatory Fields in the iRecorder for <irecorder>.
Required Fields
Field Name | Field Value | Description
Taxonomy | <Category>.<System>.<Action>.<Result>.<Severity> | See Table 2 for further breakdown of Taxonomy
Date | Timestamp | host_dt
TimeZone | timezone in +/- seconds format (calculated from GMT) | TimeZone of system where iRecorder is installed
Src | Variable | Journal Name
Log | CCure Badge |
Location | Variable | Location of CCure Database
Table 1: Mapping of eTrust Audit Required fields
The table provides Field Names, Descriptions as well as Values (or possible values). Additional information about the Taxonomy field is provided in Table 2 below.
Taxonomy
Taxonomy | Possible Values | Description
Category | Not defined yet |
System | Not defined yet |
Action | Not defined yet |
Result | Not defined yet |
Severity | Not defined yet |
Table 2: Details of Taxonomy Field
eTrust Audit Normalized Fields
Normalized Fields are eTrust Audit field names that are mapped or translated from the native event field names according to the classification of the iRecorder. Normalized fields are common across all products in the same classification. The Taxonomy field, one of the mandatory fields, defines the classification of this iRecorder.
Field Mapping for CCure Event: Message Code 001 – User Login/Logout
eTrust Audit Field Name CCure Event Field
“Taxonomy” Not defined yet
“Category” System Access
“Status” See Message Code List 1
“State” See Message Code List 1
“User” User_PID
Operation “Oper” See Message Code List 1
“ObjClass” See Message Code List 1
“ObjName” See Message Code List 1
Native “OID” Int_Data3
Native ID “NID” MsgCode
Secondary “SObjClass” Program
Secondary “SObjName” Program
Secondary “SObjID” Int_Data2
“Node” Txt_Data1
“Invalid User” See Message Code List 1
Info Info
Message Code List 1 | Status | State | Oper | Obj Class | Obj Name | Invalid User
1 PRM$JLO_User_Logged_In | S | Access | Login | Login | LoginCode |
2 PRM$JLO_Login_Attempt_Rejected | F | Fail | Login | Login | LoginCode | InvalidUser
3 PRM$JLO_User_Logged_Out | S | Normal | Logout | Logout | LogoutCode |
4 PRM$JLO_Disconected | F | Error | Logout | Login | LogoutCode |
Field Mapping for CCure Event: Message Code 002 – Card Admitted
eTrust Audit Field Name CCure Event Field
“Taxonomy” Not defined yet.
“User” User_PID
“Badge” CardNumber
“Category” Physical Security
“Location” Int_Data1
“Status” See Message Code List 1
“State” See Message Code List 1
Operation “Oper” Card Access
“ObjClass” Card
“ObjName” AdmitCode
Native “OID” Int_Data2
Native ID “NID” MsgCode
Info Info
Message Code List 1
Message Code List 1 Status State
1 PRM$JAD_Door_Unused F Admit
2 PRM$JAD_Noticed F Admit
3 PRM$JAD_Duress F Admit
4 PRM$JAD_Host F Admit
5 PRM$JAD_Manual F Admit
6 PRM$JAD_Deleted F Admit
7 PRM$JAD_Direction_IN S Admit
8 PRM$JAD_Direction_OUT S Admit
Field Mapping for CCure Event: Message Code 003 – Card Rejected
eTrust Audit Field Name CCure Event Field
“Taxonomy” Not defined yet
“User” User_PID
“Badge” CardNumber
“Category” Physical Security
“Location” Int_Data1
“Status” F
“State” Reject
Operation “Oper” Card Access
“ObjClass” Card
“ObjName” RejectCode
Native “OID” Int_Data3
Native ID “NID” MsgCode
“AdmitCode” Int_Data2
Info Info
Message Code List 1
1 PRM$JRE_Admit
2 PRM$JRE_Unknown_Card
3 PRM$JRE_Clearence
4 PRM$JRE_Facility_Code
5 PRM$JRE_Site_code
6 PRM$JRE_PIN
7 PRM$JRE_Issue_Code
8 PRM$JRE_Lost
9 PRM$JRE_Disabled
10 PRM$JRE_Expired
11 PRM$JRE_Not_Activated
12 PRM$JRE_Not_Downloaded
13 PRM$JRE_Illegal_Reject_Code
14 PRM$JRE_Misread
15 PRM$JRE_Tailgate
16 PRM$JRE_Passback
17 PRM$JRE_Timed_AP
18 PRM$JRE_Floor
19 PRM$JRE_Linked_Asset
20 PRM$JRE_RSRV1
21 PRM$JRE_RSRV2
22 PRM$JRE_Invalid_Escort
23 PRM$JRE_No_Escort
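The mappings for message codes 001 to 003 can be applied to journal rows as in the following added example, which is not part of the CA guide or the iRecorder's own code. It assumes rows are available as dictionaries keyed by the native journal field names, takes the card number from Int_Data4 as shown in the CCure Journal Event Data Format table, and uses a hypothetical helper key, CodeName, to carry the resolved PRM$ symbol.

```python
# Added example (not CA's code): normalize CCure journal rows for message
# codes 001-003 using the field-mapping tables in this guide.
# Assumptions: rows are dicts keyed by the native journal field names;
# "CodeName" is a hypothetical helper key, not an eTrust Audit field.

# Message Code List for 001:
# Int_Data3 -> (symbol, Status, State, Oper, ObjClass, ObjName), as printed.
LOGIN_CODES = {
    1: ("PRM$JLO_User_Logged_In", "S", "Access", "Login", "Login", "LoginCode"),
    2: ("PRM$JLO_Login_Attempt_Rejected", "F", "Fail", "Login", "Login", "LoginCode"),
    3: ("PRM$JLO_User_Logged_Out", "S", "Normal", "Logout", "Logout", "LogoutCode"),
    4: ("PRM$JLO_Disconected", "F", "Error", "Logout", "Login", "LogoutCode"),
}

# Message Code List for 002: Int_Data2 -> (symbol, Status); State is "Admit".
ADMIT_CODES = {
    1: ("PRM$JAD_Door_Unused", "F"), 2: ("PRM$JAD_Noticed", "F"),
    3: ("PRM$JAD_Duress", "F"), 4: ("PRM$JAD_Host", "F"),
    5: ("PRM$JAD_Manual", "F"), 6: ("PRM$JAD_Deleted", "F"),
    7: ("PRM$JAD_Direction_IN", "S"), 8: ("PRM$JAD_Direction_OUT", "S"),
}

# Message Code List for 003: Int_Data3 -> symbol, codes 1..23 in printed order.
_REJECT_NAMES = (
    "Admit Unknown_Card Clearence Facility_Code Site_code PIN Issue_Code Lost "
    "Disabled Expired Not_Activated Not_Downloaded Illegal_Reject_Code Misread "
    "Tailgate Passback Timed_AP Floor Linked_Asset RSRV1 RSRV2 Invalid_Escort "
    "No_Escort"
).split()
REJECT_CODES = {n: "PRM$JRE_" + name for n, name in enumerate(_REJECT_NAMES, 1)}


def normalize(row):
    """Map one journal row to normalized fields; None if Msg_Code is not 1-3."""
    code = row["Msg_Code"]
    ev = {"NID": code, "User": row["User_PID"]}
    if code == 1:    # User Login/Logout
        sub = row["Int_Data3"]
        # An unlisted sub-code leaves the list-derived fields as None.
        sym, status, state, oper, ocls, oname = LOGIN_CODES.get(sub, (None,) * 6)
        ev.update(Category="System Access", Status=status, State=state,
                  Oper=oper, ObjClass=ocls, ObjName=oname, OID=sub,
                  SObjClass="Program", SObjID=row["Int_Data2"],
                  Node=row["Txt_Data1"], CodeName=sym)
        if sub == 2:  # the list marks InvalidUser only for a rejected login
            ev["Invalid User"] = row["Txt_Data2"]
    elif code == 2:  # Card Admitted
        sub = row["Int_Data2"]
        sym, status = ADMIT_CODES.get(sub, (None, None))
        ev.update(Category="Physical Security", Badge=row["Int_Data4"],
                  Location=row["Int_Data1"], Status=status,
                  State="Admit" if sym else None, Oper="Card Access",
                  ObjClass="Card", ObjName="AdmitCode", OID=sub, CodeName=sym)
    elif code == 3:  # Card Rejected: Status and State are fixed by the mapping
        sub = row["Int_Data3"]
        ev.update(Category="Physical Security", Badge=row["Int_Data4"],
                  Location=row["Int_Data1"], Status="F", State="Reject",
                  Oper="Card Access", ObjClass="Card", ObjName="RejectCode",
                  OID=sub, AdmitCode=row["Int_Data2"],
                  CodeName=REJECT_CODES.get(sub))
    else:
        return None
    return ev


def login_failures(rows):
    """Normalized 001 events whose Status is F (rejected login or disconnect)."""
    events = (normalize(r) for r in rows)
    return [e for e in events if e and e["NID"] == 1 and e["Status"] == "F"]


# Constructed sample rows (not real journal data).
SAMPLE_ROWS = [
    {"Jnl_ID": 9001, "Msg_Code": 1, "User_PID": 0, "Int_Data1": 0, "Int_Data2": 3,
     "Int_Data3": 2, "Int_Data4": 0, "Txt_Data1": "WKS-07", "Txt_Data2": "jdoe"},
    {"Jnl_ID": 9002, "Msg_Code": 2, "User_PID": 4412, "Int_Data1": 17, "Int_Data2": 7,
     "Int_Data3": 0, "Int_Data4": 123456, "Txt_Data1": "", "Txt_Data2": ""},
    {"Jnl_ID": 9003, "Msg_Code": 3, "User_PID": 4412, "Int_Data1": 17, "Int_Data2": 0,
     "Int_Data3": 10, "Int_Data4": 123456, "Txt_Data1": "", "Txt_Data2": ""},
    {"Jnl_ID": 9004, "Msg_Code": 1, "User_PID": 4412, "Int_Data1": 0, "Int_Data2": 3,
     "Int_Data3": 99, "Int_Data4": 0, "Txt_Data1": "WKS-07", "Txt_Data2": ""},
    {"Jnl_ID": 9005, "Msg_Code": 7, "User_PID": 0, "Int_Data1": 0, "Int_Data2": 0,
     "Int_Data3": 1, "Int_Data4": 0, "Txt_Data1": "SRV-01", "Txt_Data2": ""},
]

if __name__ == "__main__":
    for event in login_failures(SAMPLE_ROWS):
        print(event)
```

Note that the admit list assigns Status F to admit codes 1 through 6, so filtering card events on Status alone does not separate admits from rejects; the State field does.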
Field Mapping for CCure Event: Message Code 004 – Log Message
eTrust Audit Field Name CCure Event Field
“Taxonomy” Not defined yet
“Category” Object Access
“Status” S
“State” Normal
“User” User_PID
“ObjClass” Log
“ObjName” EventID
Native “OID” Int_Data1
Native ID “NID” MsgCode
Info LogMessage:Txt_Data1
Field Mapping for CCure Event: Message Code 005 – Object Changed State (Event, Distributed, Manual)
eTrust Audit Field Name CCure Event Field
“Taxonomy” Not defined yet
“Category” Physical Security
“Status” See Message Code List 1
“State” See Message Code List 1
“User” User_PID
Operation “Oper” Obj State Change
“ObjClass” See Message Code List 1
“ObjName” ObjectID
Native “OID” Int_Data1
Native ID “NID” MsgCode
Secondary “SObjClass” State
Secondary “SObjName” StateCode
Secondary “SObjID” Int_Data3
“StateChange MethodCode” Int_Data4
Info Info
Message Code List 1
Message Code List 1 Status State Severity
1 PRM$OST_None S None Info Generic
2 PRM$OST_Active S Active Info Generic
3 PRM$OST_Inactive S Inactive Info Generic
4 PRM$OST_Mom_Active S Inactive Warning Generic
5 PRM$OST_On_Line S Online Info Generic
6 PRM$OST_Off_line S Offline Warning Generic
7 PRM$OST_Supervision F Error Warning Supervisor
8 PRM$OST_Grounded_Loop S Info Info Supervisor
9 PRM$OST_Shorted_Loop S Info Info Supervisor
10 PRM$OST_Open_Loop S Info Info Supervisor
11 PRM$OST_Fault S Info Info Supervisor
12 PRM$OST_Locked F Locked Info Generic
13 PRM$OST_Unlocked S Unlocked Info Generic
14 PRM$OST_Secure S Armed Info Generic
15 PRM$OST_Armed S Armed Info Generic
16 PRM$OST_Disarmed S Disarmed Info Generic
17 PRM$OST_Neutral S Undefined Info Generic
18 PRM$OST_Active_in_TimeSpec S Active Info Generic
19 PRM$OST_Active_Outside_TimeSpec S Active Info Generic
20 PRM$OST_ADA_Unlocked S Unlocked Info Generic
21 PRM$OST_Reader_1
22 PRM$OST_Reader_2
23 PRM$OST_Door_Switch_Monitor
24 PRM$OST_Door_Latch_Monitor
25 PRM$OST_Request_To_Exit
26 PRM$OST_Door_Forced S Forced Critical Door
27 PRM$OST_Door_Held F Held Warning Door
28 PRM$OST_Admit S Admit Info Card
29 PRM$OST_Reject F Reject Warning Card
30 PRM$OST_Visitor_Admit S Admit Info Visitor
31 PRM$OST_Visitor_Reject F Reject Warning Visitor
32 PRM$OST_Noticed_Admit S Admit Info Card
33 PRM$OST_Noticed_Reject F Reject Warning Card
34 PRM$OST_Map
35 PRM$OST_Duress F Duress Critical Card
36 PRM$OST_Comm_Port
37 PRM$OST_Tamper F Tamper Warning Generic
38 PRM$OST_Power_Failure F PowerFailure Critical Generic
39 PRM$OST_Communications_Failure F CommFailure Warning Generic
40 PRM$OST_Communications_Restored S Normal Info Generic
41 PRM$OST_Power_Restored S PowerRestored Info Generic
42 PRM$OST_Tamper_Cleared S Normal Info Generic
43 PRM$OST_Door_Closed S Close Info Door
44 PRM$OST_Door_Open S Open Warning Door
45 PRM$OST_Supervision_Cleared F Error Warning Supervisor
46 PRM$OST_Grounded_Loop_Cleared S Info Info Supervisor
47 PRM$OST_Shorted_Loop_Cleared S Info Info Supervisor
48 PRM$OST_Open_Loop_Cleared S Info Info Supervisor
49 PRM$OST_Fault_Cleared S Info Info Supervisor
50 PRM$OST_Acknowledge S Ack Info Generic
51 PRM$OST_Mom_Unlock S Locked Info Generic
52 PRM$OST_Reset_Actions
53 PRM$OST_Area_Enter_Event
54 PRM$OST_Area_Exit_Event
55 PRM$OST_Door_Enter_Area
56 PRM$OST_Door_Exit_Area
57 PRM$OST_Controlled Access S Access Info Generic
58 PRM$OST_Uncontrolled_Access S Access Warning Generic
59 PRM$OST_Elevator
60 PRM$OST_Elevator_Floor
61 PRM$OST_Connection_Failure F Error Warning Generic
62 PRM$OST_Asset_Overdue
63 PRM$OST_Event_Ack_Overdue
64 PRM$OST_In_Directional_Input
65 PRM$OST_Out_Directional_Input
66 PRM$OST_Stationary
67 PRM$OST_Portable
68 PRM$OST_Unauthorized_Portable
69 PRM$OST_Noticed
70 PRM$OST_Unauthorized_Noticed
71 PRM$OST_Asset_Reject F Denied Warning Card
72 PRM$OST_Asset_Area_Enter
73 PRM$OST_Asset_Area_Exit
74 PRM$OST_Reader_3
75 PRM$OST_Reader_4
76 PRM$OST_Reader_1_2
77 PRM$OST_Reader_3_4
78 PRM$OST_Reader_1_3
79 PRM$OST_Reader_2_4
80 PRM$OST_Reader_1_2_3_4
81 PRM$OST_Asset_Checkin S Info Info Generic
82 PRM$OST_Printer_Buffer_Overflow F Error Warning Printer
83 PRM$OST_Printer_Abnormal F Error Warning Printer
84 PRM$OST_Printer_Paper_Jam F Error Warning Printer
85 PRM$OST_Printer_Out_Of_Paper F Error Warning Printer
86 PRM$OST_Printer_Offline F Error Warning Printer
87 PRM$OST_Printer_General_Error
88 PRM$OST_Printer_Normal S Active Info Printer
89 PRM$OST_Printer_Overflow_Buffer_Cleared S Active Info Printer
90 PRM$OST_Printer_Paper_Jam_Cleared S Active Info Printer
91 PRM$OST_Printer_Out_of_Paper_Cleared S Active Info Printer
92 PRM$OST_Printer_Online S Active Info Printer
93 PRM$OST_Printer_General_Error_Cleared F Error Warning Printer
94 PRM$OST_PIN_Required F Error Warning Generic
95 PRM$OST_PIN_Disabled F Disabled Warning Generic
96 PRM$OST_Printer_Power_Off F Inactive Warning Printer
97 PRM$OST_Printer_Power_On S Active Info Printer
98 PRM$OST_Page_Fault F Error Warning Generic
99 PRM$OST_Email_Failed F Error Warning Generic
100 PRM$OST_Control_Zone_Mode_Secure S Secure Info Intrusion
101 PRM$OST_Control_Zone_Mode_Access S Access Warning Intrusion
102 PRM$OST_Control_Zone_Access_Input S Disarmed Warning Intrusion
103 PRM$OST_Control_Zone_Secure_Input S Armed Info Intrusion
104 PRM$OST_Control_Zone_Access_Tamper S Disarmed Warning Intrusion
105 PRM$OST_Control_Zone_Secure_Tamper S Armed Info Intrusion
106 PRM$OST_Control_Zone_Access_Output S Disarmed Warning Intrusion
107 PRM$OST_Control_Zone_Secure_Output S Armed Info Intrusion
108 PRM$OST_Control_Zone_Violated_Output F Error Warning Intrusion
109 PRM$OST_Control_Zone_Input_Off_Normal F Error Warning Intrusion
110 PRM$OST_Control_Zone_Input_Normal S Active Info Intrusion
111 PRM$OST_Control_Zone_Door_Open S Open Warning Intrusion
112 PRM$OST_Control_Zone_Door_Closed S Close Info Intrusion
113 PRM$OST_Control_Zone_General_Input S Active Info Intrusion
114 PRM$OST_Primary_Comm_Method_Fail F Error Warning Generic
115 PRM$OST_Secondary_Comm_Method_Fail F Error Warning Generic
116 PRM$OST_Control_Zone_State_Violated F Error Warning Intrusion
117 PRM$OST_Control_Zone_Not_Secure S Access Warning Intrusion
118 PRM$OST_Control_Zone_Access_Secure_Input S Access Warning Intrusion
119 PRM$OST_Primary_Comm_Method_Fail_Host F Error Warning Generic
120 PRM$OST_Secondary_Comm_Test_Restored S Active Info Generic
212 PRM$OST_Slave_Master_Comm_Fail F Error Warning Generic
122 PRM$OST_Secondary_Comm_Test_Fail F Error Warning Generic
123 PRM$OST_Low_Battery S Error Warning Generic
124 PRM$OST_Primary_Comm_Method_Restored_Host S Active Info Generic
125 PRM$OST_Secondary_Comm_Method_Restored_Host S Active Info Generic
126 PRM$OST_Cluster_Split S Active Info Generic
127 PRM$OST_Cluster_Not_Split S Normal Info Generic
128 PRM$OST_Secondary_Comm_Method_Fail_Host F Error Warning Generic
129 PRM$OST_Panel_Full S Error Warning Generic
130 PRM$OST_Panel_Nearly_Full S Warning Warning Generic
131 PRM$OST_Panel_Not_Full S Active Info Generic
132 PRM$OST_Panel_Not_Nearly_Full S Warning Warning Generic
133 PRM$OST_Admit_Reject_CCTV S Error Warning Generic
134 PRM$OST_Shunt_Expire_Warning S Normal Info Generic
135 PRM$OST_TourStop_Input S Normal Info Generic
136 PRM$OST_Tour_End_Early S Warning Warning Generic
137 PRM$OST_Tour_End_Late S Warning Warning Generic
138 PRM$OST_TourSTop_Reached_OutOfSeq S Warning Warning Generic
139 PRM$OST_TourAtop_Reached_Early S Warning Warning Generic
140 PRM$OST_Tour_Stop_Reached_Late S Warning Warning Generic
141 PRM$OST_RadReceiver_Battery_Fail F Error Warning Generic
142 PRM$OST_RadReceiver_Battery_Restored S Active Info Generic
143 PRM$OST_Door_Position_Sensor S Change Warning Door
144 PRM$OST_Lock_Status_Sensor S Change Warning Generic
145 PRM$OST_Set_Event S Info Generic
146 PRM$OST_Reset_Event S Info Generic
Field Mapping for CCure Event: Message Code 006 – Manual Action
eTrust Audit Field Name CCure Event Field
“Taxonomy” Not defined yet
“Category” Physical Security
“SubCat” Action
“Status” S
“State” Normal
“User” User_PID
Operation “Oper” Scheduled
“ObjClass” Generic
“ObjName” ObjectID
Native “OID” Int_Data1
Native ID “NID” MsgCode
Secondary “SObjClass” Action
Secondary “SObjName” ActionCode
Secondary “SObjID” Int_Data2
“ManualAction” Int_Data4
Info Info
Message Code List 2
Message Code List 2 Severity
1 PRM$JMA_Scheduled Info
2 PRM$JMA_Activated Info
3 PRM$JMA_Cancelled Warning
4 PRM$JMA_Deactivated Info
5 PRM$JMA_Momentary Info
6 PRM$JMA_Acknowledge Info
7 PRM$JMA_Reset_Actions Warning
Field Mapping for CCure Event: Message Code 007 – System Activity (Normal)
eTrust Audit Field Name CCure Event Field
“Taxonomy” Not defined yet
“Category” Security Systems
“SubCat” System
“Status” S
“State” Normal
Operation “Oper” See Message Code List 1
“ObjClass” SysActivity
“ObjName” ActivityCode
Native “OID” Int_Data3
Native ID “NID” MsgCode
Secondary “SObjClass” Node
Secondary “SObjName” NodeName
Secondary “SObjID” Txt_Data1
“Mac Name” Txt_Data2
Info Info
Message Code List 1
Message Code List 1 Severity Oper
1 PRM$JSM_System_Startup Info Startup
2 PRM$JSM_System_Shutdown Info Shutdown
3 PRM$JSM_Journal_File_Changed Info FileChange
4 PRM$JSM_System_Backup_Start Info Backup
5 PRM$JSM_Controller_Denied Warning Rejected
Field Mapping for CCure Event: Message Code 008 – System Error
eTrust Audit Field Name CCure Event Field
“Category” System Access
“SubCat” System
“Status” F
“State” Error
“Severity” Critical
“API Code” See Message Code List 1
“ObjClass” SysActivity
“ObjName” ActivityCode
Native “OID” Int_Data3
Native ID “NID” MsgCode
Secondary “SObjClass” Node
Secondary “SObjName” NodeName
Secondary “SObjID” Txt_Data1
Info System Error
Message Code List 1
Message Code List 1 API Code
1 PRM$JSE_Disk_error
2 PRM$JSE_Database_error
3 PRM$JSE_API_Call_Failed int_data4
4 PRM$JSE_Thread_Init_Failure
5 PRM$JSE_Using_Mouse_Port
6 PRM$JSE_Error_While_Allocating_Port
7 PRM$JSE_Disk_Space_Low
8 PRM$JSE_Site_Expired
9 PRM$JSE_Site_Will_Expire
10 PRM$JSE_SSA_Expired
11 PRM$JSE_SSA_Will_Expire
12 PRM$JSE_Badging_Expired
13 PRM$JSE_Badging_Will_Expire
14 PRM$JSE_Invalid_Sentinel
15 PRM$JSE_Unknown_Panel
16 PRM$JSE_NTEventLogError
17 PRM$JSE_Asset_Tracking_Will_Expire
18 PRM$JSE_Asset_Tracking_Expired
19 PRM$JSE_Paging_Will_Expire
20 PRM$JSE_Paging_Expired
Field Mapping for CCure Event: Message Code 009 – Device Activity (Normal)
eTrust Audit Field Name CCure Event Field
“Taxonomy” Not defined yet
“Category” General
“SubCat” System
“Status” S
“State” Normal
“Severity” Info
“User” User_PID
Operation “Oper” See Message Code List 1
“ObjClass” SysActivity
“ObjName” ActivityCode
Native “OID” Int_Data3
Native ID “NID” MsgCode
Secondary “SObjClass” Unit
Secondary “SObjName” UnitID
Secondary “SObjID” Int_Data1
“Another ObjectID” Int_Data2
Info Device Activity (Normal)
Message Code List 1
Message Code List 1 Oper
1 PRM$JDM_Memory_Erased Memory
2 PRM$JDM_Hardware_Reset Reset
3 PRM$JDM_Power_Recycle Recycle
4 PRM$JDM_Download_Started Download
5 PRM$JDM_Download_Completed Download
6 PRM$JDM_Host_Init_Connection_Started Init
7 PRM$JDM_Host_Init_Connection_Completed Init
8 PRM$JDM_Panel_Init_Connection_Started
9 PRM$JDM_Panel_Init_Connection_Completed
10 PRM$JDM_Flash_Started Flash
11 PRM$JDM_Flash_Completed Flash
12 PRM$JDM_Email_Sent Email
13 PRM$JDM_Page_Sent Page
14 PRM$JDM_Grace_All Grace
15 PRM$JDM_Grace_Card Grace
16 PRM$JDM_Download_UnitIsFull Download
17 PRM$JDM_iStar_Dialup_Connected Dialup
18 PRM$JDM_iStar_Dialup_Started Dialup
19 PRM$JDM_RAD_BUSY_SECOND
20 PRM$JDM_RAD_COMPUTER_ERROR
21 PRM$JDM_RAD_COMPUTER_RESTORED
22 PRM$JDM_RAD_PHONE_LINE_FAIL
23 PRM$JDM_RAD_PHONE_LINE_RESTORED
24 PRM$JDM_RAD_ACCOUNT_CLOSE
25 PRM$JDM_RAD_ACCOUNT_OPEN
26 PRM$JDM_RAD_UNKNOWN_MSG
27 PRM$JDM_RAD_CRC_ERROR
28 PRM$JDM_RAD_RECEIVER_NUM_WRONG
29 PRM$JDM_RAD_ACCOUNT_CLOSE_ZN
30 PRM$JDM_RAD_ACCOUNT_OPEN_ZN
31 PRM$JDM_RAD_ACCOUNT_CLOSE_ID
32 PRM$JDM_RAD_ACCOUNT_OPEN_ID
33 PRM$JDM_RAD_ACCOUNT_CLOSE_AREA
34 PRM$JDM_RAD_ACCOUNT_OPEN_AREA
35 PRM$JDM_RAD_ACCOUNT_CLOSE_AREA_ID
36 PRM$JDM_RAD_ACCOUNT_OPEN_AREA_ID
37 PRM$JDM_RAD_ACCOUNT_UNKNOWN_MSG
38 PRM$JDM_RAD_ALARM
39 PRM$JDM_RAD_ALARM_RESTORE
40 PRM$JDM_RAD_ALARM_ZONE
41 PRM$JDM_RAD_ALARM_RESTORE_ZONE
42 PRM$JDM_RAD_ALARM_AREA
43 PRM$JDM_RAD_ALARM_RESTORE_AREA
44 PRM$JDM_RAD_LINE_CARD_TROUBLE
45 PRM$JDM_RAD_LINE_CARD_RESTORE
46 PRM$JDM_RAD_PRINTER_TROUBLE
47 PRM$JDM_RAD_PRINTER_RESTORE
48 PRM$JDM_RAD_ACCOUNT_DIAGNOSTIC
49 PRM$JDM_RAD_ACCOUNT_DIAGNOSTIC_ZONE
50 PRM$JDM_RAD_ACCOUNT_BATTERY_FAIL
51 PRM$JDM_RAD_ACCOUNT_BATTERY_RESTORE
52 PRM$JDM_RAD_ACCOUNT_AC_FAIL
53 PRM$JDM_RAD_ACCOUNT_AC_RESTORE
54 PRM$JDM_RAD_ACCOUNT_REBOOT
55 PRM$JDM_RAD_ACCOUNT_POINT_BUS_FAIL
56 PRM$JDM_RAD_ACCOUNT_POINT_BUS_RESTORE
57 PRM$JDM_RAD_ACCOUNT_SDI_FAIL
58 PRM$JDM_RAD_ACCOUNT_SDI_RESTORE
59 PRM$JDM_RAD_FIRE_ALARM_POINT
60 PRM$JDM_RAD_FIRE_ALARM_RESTORE_POINT
61 PRM$JDM_RAD_FIRE_ALARM_AREA
62 PRM$JDM_RAD_FIRE_ALARM_RESTORE_AREA
63 PRM$JDM_RAD_ALARM_TROUBLE
64 PRM$JDM_RAD_ALARM_TROUBLE_POINT
65 PRM$JDM_RAD_ALARM_TROUBLE_AREA_POINT
66 PRM$JDM_RAD_FIRE_ALARM_TROUBLE
67 PRM$JDM_RAD_FIRE_ALARM_TROUBLE_POINT
68 PRM$JDM_RAD_FIRE_ALARM_TROUBLE_AREA_POINT
69 PRM$JDM_RAD_PRINTER_TEST
70 PRM$JDM_RAD_PRINTER_ONLINE
71 PRM$JDM_RAD_PRINTER_OFFLINE
72 PRM$JDM_RAD_CANCEL_ALARM_ID
73 PRM$JDM_RAD_CANCEL_ALARM_AREA_ID
74 PRM$JDM_RAD_CANCEL_FIRE_ALARM_AREA_ID
75 PRM$JDM_WatchFlash_Download_Started
76 PRM$JDM_WatchFlash_Download_Completed
77 PRM$JDM_WatchFlash_Swapped
78 PRM$JDM_WatchFlash_Upload_Started
79 PRM$JDM_WatchFlash_Upload_Completed
80 PRM$JDM_Watch_Flash_Loading_Canceled
81 PRM$JDM_NetVideo_Server_Comm_Error
82 PRM$JDM_NetVideo_Server_Comm_Restored
83 PRM$JDM_NetVideo_Status_Retry
84 PRM$JDM_NetVideo_Pipe_Server_Timeout
85 PRM$JDM_NetVideo_Server_Error
86 PRM$JDM_NetVideo_Camera_Error
87 PRM$JDM_NetVideo_Action_Error
88 PRM$JDM_NetVideo_Server_Comm_Success
89 PRM$JDM_BID_Receiver_JnlMsg
90 PRM$JDM_BID_Action_JnlMsg1
91 PRM$JDM_BID_Action_JnlMsg2
92 PRM$JDM_BID_Action_JnlMsg3
93 PRM$JDM_BID_Action_JnlMsg4
94 PRM$JDM_BID_Action_JnlMsg5
95 PRM$JDM_BID_Action_JnlMsg6
96 PRM$JDM_BID_Receiver_JnlMsg1
97 PRM$JDM_BID_Action_No_Command
98 PRM$JDM_BID_Action_Empty_Command
99 PRM$JDM_BID_Action_Set_Command_Err
101 PRM$JDM_BID_Action_Device_Comm_Err
102 PRM$JDM_Watch_Loading_Canceled
Field Mapping for CCure Event: Message Code 010 – Device Error/Recovery
eTrust Audit Field Name CCure Event Field
“Taxonomy” Not defined yet
“Category” General
“SubCat” System
“Status” F
“State” Error
“Severity” Critical
Operation “Oper” UnitAccess
“ObjClass” Error
“ObjName” ErrorCode
Native “OID” Int_Data3
Native ID “NID” MsgCode
Secondary “SObjClass” Unit
Secondary “SObjName” UnitID
Secondary “SObjID” Int_Data1
“Another ObjectID” Int_Data2
“SubErrorCode” Int_Data4
Info Info
Message Code List 1
1 PRM$JDE_Download_Aborted
2 PRM$JDE_Buffer_Full
3 PRM$JDE_Wrong_Firmware
4 PRM$JDE_Sequence_Error
5 PRM$JDE_Encryption_Error
6 PRM$JDE_Unable_To_Contact_Panel
7 PRM$JDE_Unable_To_Contact_Host
8 PRM$JDE_Host_Init_Connection_Failure
9 PRM$JDE_Panel_Init_Connection_Failure
10 PRM$JDE_Received_Call_Inuse_Panel
11 PRM$JDE_Manual_Connect_Failed
12 PRM$JDE_Password_Verification_Error
13 PRM$JDE_Panel_Reported_Password_Error
14 PRM$JDE_Panel_Reported_Modem_Error
15 PRM$JDE_Received_Call_Offline_Panel
16 PRM$JDE_Unable_To_Flash
17 PRM$JDE_Flash_Aborted
18 PRM$JDE_Flash_Too_Big
19 PRM$JDE_Flash_Error
20 PRM$JDE_Flash_Bad_Version
21 PRM$JDE_Unable_Cancel_Flash
22 PRM$JDE_No_Flash_Chip
23 PRM$JDE_Email_Failed
24 PRM$JDE_Page_Failed
25 PRM$JDE_Control_Zone_Violated
26 PRM$JDE_ControlZone_Secure_Failed
27 PRM$JDE_ControlZone_Access_Failed
28 PRM$JDE_Flash_CRC_Error
29 PRM$JDE_Flash_NoFlashMemory
30 PRM$JDE_Flash_NoDramMemory
31 PRM$JDE_Flash_FallbackImage
32 PRM$JDE_Event_Buffer_Full
33 PRM$JDE_Event_Buffer_HighWaterMark
34 PRM$JDE_Flash_NotRequestedFlashImage
35 PRM$JDE_iSTAR_Dialup_Disconnect
36 PRM$JDE_iSTAR_Dialup_Communication_failed
37 PRM$JDE_Need_KGI_Image
38 PRM$JDE_WatchFlash_Download_Error
39 PRM$JDE_WatchFlash_Swap_Error
40 PRM$JDE_WatchFlash_Upload_Error
41 PRM$JDE_Watch_Loading_Error
Field Mapping for CCure Event: Message Code 011 – Asset Activity
eTrust Audit Field Name CCure Event Field
“Taxonomy” Not defined yet
“Category” Physical Security
“SubCat” Asset
“Status” S
“State” Warning
“Severity” Info
“Asset” user_pid
“User” int_data3
Operation “Oper” AssetActivity
“ObjClass” AssetInfo
“ObjName” AssetInfoCode
Native “OID” Int_Data2
Native ID “NID” MsgCode
Secondary “SObjClass” AssetAccess
Secondary “SObjName” AccessCode
Secondary “SObjID” Int_Data4
Info Info
Message Code List 1
1 PRM$JAT_Overdue
2 PRM$JAT_Checkout
3 PRM$JAT_Checkin
Field Mapping for CCure Event: Message Code 012 – Asset Movement Authorized
eTrust Audit Field Name CCure Event Field
“Taxonomy” Not defined yet
“Category” Physical Security
“SubCat” Asset
“Status” S
“State” Normal
“Severity” Info
“Asset” user_pid
“User” int_data3
Operation “Oper” AssetMove
“ObjClass” AssetInfo
“ObjName” HHRID
Native “OID” Int_Data2
Native ID “NID” MsgCode
Secondary “SObjClass” AssetAccess
Secondary “SObjName” AccessCode
Secondary “SObjID” Int_Data4
“ReaderID” Int_Data1
“Tag Number” Txt_Data1
“AreaID” Txt_Data2
Info Info
Field Mapping for CCure Event: Message Code 013 – Asset Movement Unauthorized
eTrust Audit Field Name CCure Event Field
“Taxonomy” Not defined yet
“Category” Physical Security
“SubCat” Asset
“Status” F
“State” Reject
“Severity” Warning
“Asset” user_pid
“User” int_data3
Operation “Oper” AssetMove
“ObjClass” AssetInfo
“ObjName” HHRID
Native “OID” Int_Data2
Native ID “NID” MsgCode
Secondary “SObjClass” AssetAccess
Secondary “SObjName” AccessCode
Secondary “SObjID” Int_Data4
“ReaderID” Int_Data1
“Tag Number” Txt_Data1
“AreaID” Txt_Data2
Info Info
Field Mapping for CCure Event: Message Code 014 – Asset Movement Attempted
eTrust Audit Field Name CCure Event Field
“Taxonomy” Not defined yet
“Category” Physical Security
“SubCat” Asset
“Status” F
“State” Reject
“Severity” Warning
“Asset” user_pid
“User” int_data3
Operation “Oper” AssetMove
Native ID “NID” MsgCode
Secondary “SObjClass” AssetAccess
Secondary “SObjName” AccessCode
Secondary “SObjID” Int_Data4
“ReaderID” Int_Data1
“Tag Number” Txt_Data1
“AreaID” Txt_Data2
Info Info
Field Mapping for CCure Event: Message Code 015 – Asset Location Update
eTrust Audit Field Name CCure Event Field
“Taxonomy” Not defined yet
“Category” Physical Security
“SubCat” Asset
“Status” S
“State” Normal
“Severity” Info
“Asset” user_pid
“User” int_data3
Operation “Oper” AssetMove
“ObjClass” AssetInfo
“ObjName” HHRID
Native “OID” Int_Data2
Native ID “NID” MsgCode
Secondary “SObjClass” AssetAccess
Secondary “SObjName” AccessCode
Secondary “SObjID” Int_Data4
“Tag Number” Txt_Data1
“AreaID” Txt_Data2
Info Info
Field Mapping for CCure Event: Message Code 016 – Watchtour Action
eTrust Audit Field Name CCure Event Field
“Taxonomy” Not defined yet
“Category” Physical Security
“SubCat” WatchTour
“Status” S
“State” Normal
“Severity” Info
“User” user_pid
Operation “Oper” WatchTourAction
“ObjClass” WatchTourAction
“ObjName” WatchTourActionCode
Native “OID” Int_Data1
Native ID “NID” MsgCode
Secondary “SObjClass” Object
Secondary “SObjName” ObjectID
Secondary “SObjID” Int_Data2
“TourGaurdID” Int_Data3
Info Info
Field Mapping for CCure Event: Message Code 017 – Watchtour Activity
eTrust Audit Field Name CCure Event Field
“Taxonomy” Not defined yet
“Category” Physical Security
“SubCat” WatchTour
“Status” S
“State” Normal
“Severity” Info
Operation “Oper” WatchTourActivity
“ObjClass” WatchTourInfo
“ObjName” WatchTourInfoCode
Native “OID” Int_Data1
Native ID “NID” MsgCode
Secondary “SObjClass” Object
Secondary “SObjName” ObjectID
Secondary “SObjID” Int_Data2
“ReaderID” Int_Data4
“TourGaurdID” Int_Data3
Info Info
Field Mapping for CCure Event: Message Code 018 – Watchtour Error
eTrust Audit Field Name CCure Event Field
“Taxonomy” Not defined yet
“Category” Physical Security
“SubCat” WatchTour
“Status” F
“State” Error
“Severity” Warning
Operation “Oper” WatchTourAction
“ObjClass” WatchTourAction
“ObjName” WatchTourActionCode
Native “OID” Int_Data1
Native ID “NID” MsgCode
Secondary “SObjClass” Object
Secondary “SObjName” ObjectID
Secondary “SObjID” Int_Data2
“TourGaurdID” Int_Data3
Info Info
Field Mapping for CCure Event: Message Code 019 – Watchtour Stop Activity
eTrust Audit Field Name CCure Event Field
“Taxonomy” Not defined yet
“Category” Physical Security
“SubCat” WatchTour
“Status” S
“State” Normal
“Severity” Info
Operation “Oper” WatchTourAction
“ObjClass” WatchTourAction
“ObjName” WatchTourActionCode
Native “OID” Int_Data1
Native ID “NID” MsgCode
Secondary “SObjClass” Object
Secondary “SObjName” ObjectID
Secondary “SObjID” Int_Data2
“TourGaurdID” Int_Data3
Info Info
Field Mapping for CCure Event: Message Code 020 – NetVideo Activity
eTrust Audit Field Name CCure Event Field
“Taxonomy” Not defined yet
“Category” Physical Security
“SubCat” NetVideo
“Status” S
“State” Normal
“Severity” Info
“User” User_PID
Operation “Oper” NetVideoActivity
“ObjClass” Camera
“ObjName” CameraID
Native “OID” Int_Data1
Native ID “NID” MsgCode
Secondary “SObjClass” NetVideoAction
Secondary “SObjName” NetVideoActionID
Secondary “SObjID” Int_Data2
“EventID” Int_Data4
Info Info