computers / comp.os.vms / Audit journal to MySQL database to PDF report

Re: Audit journal to MySQL database to PDF report

 by: plugh - Sun, 16 Apr 2023 22:01 UTC

On Sunday, April 16, 2023 at 7:30:21 AM UTC-7, Arne Vajhøj wrote:
> https://www.vajhoej.dk/arne/articles/vmstd7.html
>
> has some examples showing how audit journal to MySQL database
> to PDF report can be done on VMS.
>
> Arne

I take it that's follow-up on ossec? Very interesting. I will have to look at it more closely, thanks!

I don't want to hijack this thread, so I'm posting a related message.

Re: Audit journal to MySQL database to PDF report

 by: plugh - Sun, 16 Apr 2023 22:29 UTC

On Sunday, April 16, 2023 at 7:30:21 AM UTC-7, Arne Vajhøj wrote:
> https://www.vajhoej.dk/arne/articles/vmstd7.html
>
> has some examples showing how audit journal to MySQL database
> to PDF report can be done on VMS.
>
> Arne

It looks like all audit records are based on the DECnet architecture; which means there will have to be a way to get an IP address from the DECnet node.
Beyond that, the audit journal has what's necessary to generate a response for many ossec event handling services such as file and process monitoring, integrity checking.

Re: Audit journal to MySQL database to PDF report

 by: plugh - Sun, 16 Apr 2023 22:43 UTC

On Sunday, April 16, 2023 at 3:29:05 PM UTC-7, plugh wrote:

> It looks like all audit records are based on the DECnet architecture; which means there will have to be a way to get an IP address from the DECnet node.
> Beyond that, the audit journal has what's necessary to generate a response for many ossec event handling services such as file and process monitoring, integrity checking.

Thinking about it further, any such translation would be coddling ossec in that I'm /pretty/ sure it wants objects to block identified either by IP V4 or V6 addresses. DECnet demonstrates a faulty ossec architectural design in that respect. After all, the response will run only on the ossec agent generating the event; there's no need for the ossec server to grok the network id that the agent transmits. It's up to the agent to handle the response if it's warranted; which decision occurs on the server. There's no reason the server event management logic should impose an IP address domain requirement. The upshot of this observation is that the XML ossec rule definition DTD contains tags whose interpretation (ossec actions at runtime) can't be a DECnet node name. I'll have to follow up on this, but I'm pretty sure that's the case.

Additionally, ossec relies a lot on regular expressions to trigger rule selection. DECnet object ids and IP V6 addresses both contain the ":::" string
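
Added example, not part of any post in this thread and not ossec or VMS code: a Python classifier that tells DECnet node specifications apart from IP literals before a regex-driven rule sees them, including the case where a node name made only of hex letters also parses as IPv6. The DECnet Phase IV syntax used here (a node name of 1 to 6 alphanumerics with at least one letter, or area.node with area 1-63 and node 1-1023, followed by "::"), the function names and the sample values are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumed DECnet Phase IV forms (see lead-in); not taken from the thread.
_DECNET_NAME = re.compile(r"(?=.*[A-Z])[A-Z0-9]{1,6}", re.I)
_DECNET_ADDR = re.compile(r"(\d{1,2})\.(\d{1,4})")
# A colon-run pattern of the kind a regex-only rule might rely on.
NAIVE_COLON_RUN = re.compile(r":{2,}")

# Constructed sample values for a "remote source" field.
SAMPLE = ["VAX1::", "1.5::", "fe80::1", "192.0.2.10", "FACE::", "2001:db8::"]


def naive_colon_hits(fields):
    """Fields a colon-run regex alone would flag, whatever the address family."""
    return [f for f in fields if NAIVE_COLON_RUN.search(f)]


def classify_source(field):
    """Return (kind, normalized); kind is ipv4, ipv6, decnet, ambiguous or unknown."""
    value = field.strip()
    ip = None
    try:
        ip = ipaddress.ip_address(value)  # accepts only complete IP literals
    except ValueError:
        pass
    decnet = None
    if value.endswith("::"):  # DECnet node spec: NODE:: or area.node::
        node = value[:-2]
        m = _DECNET_ADDR.fullmatch(node)
        if _DECNET_NAME.fullmatch(node):
            decnet = node.upper()
        elif m and 1 <= int(m[1]) <= 63 and 1 <= int(m[2]) <= 1023:
            decnet = node
    if ip is not None and decnet is not None:
        # e.g. "FACE::" is both a legal node name and the IPv6 address face::
        return ("ambiguous", value)
    if ip is not None:
        return ("ipv4" if ip.version == 4 else "ipv6", ip.compressed)
    if decnet is not None:
        return ("decnet", decnet)
    return ("unknown", value)


if __name__ == "__main__":
    print("colon-run regex flags:", naive_colon_hits(SAMPLE))
    for item in SAMPLE:
        print(f"{item:12} -> {classify_source(item)}")
```

An "ambiguous" result has to be resolved from context, such as which audit record field the value came from, rather than from the string alone.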

Re: Audit journal to MySQL database to PDF report

 by: Arne Vajhøj - Sun, 16 Apr 2023 22:48 UTC

On 4/16/2023 6:01 PM, plugh wrote:
> On Sunday, April 16, 2023 at 7:30:21 AM UTC-7, Arne Vajhøj wrote:
>> https://www.vajhoej.dk/arne/articles/vmstd7.html
>>
>> has some examples showing how audit journal to MySQL database
>> to PDF report can be done on VMS.
>
> I take it that's follow-up on ossec?

Actually it was triggered by this one:

https://forum.vmssoftware.com/viewtopic.php?f=8&p=18184

> Very interesting. I will have to look at it more closely, thanks!

Thanks.

Arne

Audit journal to MySQL database to PDF report

 by: Arne Vajhøj - Sun, 16 Apr 2023 14:30 UTC

https://www.vajhoej.dk/arne/articles/vmstd7.html

has some examples showing how audit journal to MySQL database
to PDF report can be done on VMS.

Arne

Re: Audit journal to MySQL database to PDF report

 by: Arne Vajhøj - Wed, 3 May 2023 17:13 UTC

On 4/16/2023 10:30 AM, Arne Vajhøj wrote:
> https://www.vajhoej.dk/arne/articles/vmstd7.html
>
> has some examples showing how audit journal to MySQL database
> to PDF report can be done on VMS.

https://www.vajhoej.dk/arne/articles/vmstd8.html

similar stuff for accounting data.

Actually less code, but the PDF report contains graphics
this time.

:-)

Arne
