Decoding USERDATA Log Entries

<29f8c047-bcff-46a1-8a50-6c26a7fad827n@googlegroups.com>

https://www.novabbs.com/computers/article-flat.php?id=326&group=comp.sys.unisys#326

Newsgroups: comp.sys.unisys
X-Received: by 2002:a05:622a:180c:b0:3f9:b63d:1bd8 with SMTP id t12-20020a05622a180c00b003f9b63d1bd8mr2243056qtc.13.1686259416126;
Thu, 08 Jun 2023 14:23:36 -0700 (PDT)
X-Received: by 2002:a25:3444:0:b0:bba:d78c:3318 with SMTP id
b65-20020a253444000000b00bbad78c3318mr273783yba.11.1686259415876; Thu, 08 Jun
2023 14:23:35 -0700 (PDT)
Path: i2pn2.org!i2pn.org!usenet.blueworldhosting.com!diablo1.usenet.blueworldhosting.com!peer01.iad!feed-me.highwinds-media.com!news.highwinds-media.com!news-out.google.com!nntp.google.com!postnews.google.com!google-groups.googlegroups.com!not-for-mail
Newsgroups: comp.sys.unisys
Date: Thu, 8 Jun 2023 14:23:35 -0700 (PDT)
Injection-Info: google-groups.googlegroups.com; posting-host=2603:8000:5800:5400:3587:791c:9fa2:1cfb;
posting-account=V-JxhAoAAAA7K1REWiT1YEYM1aal3G4q
NNTP-Posting-Host: 2603:8000:5800:5400:3587:791c:9fa2:1cfb
User-Agent: G2/1.0
MIME-Version: 1.0
Message-ID: <29f8c047-bcff-46a1-8a50-6c26a7fad827n@googlegroups.com>
Subject: Decoding USERDATA Log Entries
From: mpe...@gmail.com (mpe...@gmail.com)
Injection-Date: Thu, 08 Jun 2023 21:23:36 +0000
Content-Type: text/plain; charset="UTF-8"
X-Received-Bytes: 2394
 by: mpe...@gmail.com - Thu, 8 Jun 2023 21:23 UTC

I'm having a heck of a time decoding a USERDATA entry in the SUMLOG. LOG_GET_ENTRY in SDASUPPORT is returning the Major 6, Minor 9 USERDATA Change entries that need to be decoded. Here's a snippet of the returned array row:

0(00000) 0 580000 010001 0 006000 91E117 ...... .-.j..
2(00002) 0 B0B4E8 431741 0 000A49 000BC1 ..Y... .....A
4(00004) 0 000000 000507 0 000000 50000B ...... ...&..
6(00006) 0 000000 00047C THRU 7(00007) .....@
8(00008) 0 000000 00001C 0 000000 000000 ...... ......
10(0000A) 0 000000 000000 0 000001 202030 ...... ......
12(0000C) 0 08C4E4 D4D4E8 0 E4C300 000000 .DUMMY UC....
14(0000E) 0 1B0000 20011F 0 000000 00000A ...... ......
16(00010) 0 000000 000000 THRU 23(00017) ......

Word 0-3 are the usual log entry words.
Word 4 has the expected data as documented in the System Log Programming Guide.
Word 5 is pointing at word 11 (hex b) for 5 words.
But, what the heck is in word 11?

I'm looking in the Security Administration Guide under USERDATAREBUILD, but the documentation is very opaque.

Does anyone out there have any familiarity with decoding these log entries?

Thanks.

Re: Decoding USERDATA Log Entries

<53eb4ced-7563-4345-a253-1c31d7c1beeen@googlegroups.com>

https://www.novabbs.com/computers/article-flat.php?id=327&group=comp.sys.unisys#327

Newsgroups: comp.sys.unisys
X-Received: by 2002:a05:6214:162e:b0:626:1d5f:359e with SMTP id e14-20020a056214162e00b006261d5f359emr407316qvw.3.1686330226357;
Fri, 09 Jun 2023 10:03:46 -0700 (PDT)
X-Received: by 2002:a25:7385:0:b0:bb3:c4c2:5d2a with SMTP id
o127-20020a257385000000b00bb3c4c25d2amr1025530ybc.7.1686330226078; Fri, 09
Jun 2023 10:03:46 -0700 (PDT)
Path: i2pn2.org!i2pn.org!usenet.blueworldhosting.com!diablo1.usenet.blueworldhosting.com!peer01.iad!feed-me.highwinds-media.com!news.highwinds-media.com!news-out.google.com!nntp.google.com!postnews.google.com!google-groups.googlegroups.com!not-for-mail
Newsgroups: comp.sys.unisys
Date: Fri, 9 Jun 2023 10:03:45 -0700 (PDT)
In-Reply-To: <29f8c047-bcff-46a1-8a50-6c26a7fad827n@googlegroups.com>
Injection-Info: google-groups.googlegroups.com; posting-host=31.94.33.246; posting-account=1JkF5goAAACasrFsThTAi4a3jlSS1Dli
NNTP-Posting-Host: 31.94.33.246
References: <29f8c047-bcff-46a1-8a50-6c26a7fad827n@googlegroups.com>
User-Agent: G2/1.0
MIME-Version: 1.0
Message-ID: <53eb4ced-7563-4345-a253-1c31d7c1beeen@googlegroups.com>
Subject: Re: Decoding USERDATA Log Entries
From: barry.wh...@gmail.com (barry....@gmail.com)
Injection-Date: Fri, 09 Jun 2023 17:03:46 +0000
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Received-Bytes: 3188
 by: barry....@gmail.com - Fri, 9 Jun 2023 17:03 UTC

On Thursday, June 8, 2023 at 10:23:44 PM UTC+1, mpe...@gmail.com wrote:
> I'm having a heck of a time decoding a USERDATA entry in the SUMLOG. LOG_GET_ENTRY in SDASUPPORT is returning the Major 6, Minor 9 USERDATA Change entries that need to be decoded. Here's a snippet of the returned array row:
>
> 0(00000) 0 580000 010001 0 006000 91E117 ...... .-.j..
> 2(00002) 0 B0B4E8 431741 0 000A49 000BC1 ..Y... .....A
> 4(00004) 0 000000 000507 0 000000 50000B ...... ...&..
> 6(00006) 0 000000 00047C THRU 7(00007) .....@
> 8(00008) 0 000000 00001C 0 000000 000000 ...... ......
> 10(0000A) 0 000000 000000 0 000001 202030 ...... ......
> 12(0000C) 0 08C4E4 D4D4E8 0 E4C300 000000 .DUMMY UC....
> 14(0000E) 0 1B0000 20011F 0 000000 00000A ...... ......
> 16(00010) 0 000000 000000 THRU 23(00017) ......
>
> Word 0-3 are the usual log entry words.
> Word 4 has the expected data as documented in the System Log Programming Guide.
> Word 5 is pointing at word 11 (hex b) for 5 words.
> But, what the heck is in word 11?
>
> I'm looking in the Security Administration Guide under USERDATAREBUILD, but the documentation is very opaque.
>
> Does anyone out there have any familiarity with decoding these log entries?
>
> Thanks.

In a previous life (nearly 10 years ago!) I wrote a SIEM agent (I can't even remember what that acronym stands for now), which extracted important security-related stuff from the logfile and sent it to a third-party monitoring program which ran elsewhere. The data I extracted definitely included Major 6 / Minor 9 records (and specifically function 7 usercode Modify entries, which is what you have here).

I still have the source code, but it resides on an MCP Express environment which is currently turned off (and is no longer supported). It might take me a while to locate it, but I'd be happy to try if you think it might help?

Barry.

Re: Decoding USERDATA Log Entries

<04127845-25b8-4e8d-896f-5a137ee099ffn@googlegroups.com>

https://www.novabbs.com/computers/article-flat.php?id=328&group=comp.sys.unisys#328

Newsgroups: comp.sys.unisys
X-Received: by 2002:ac8:7f81:0:b0:3f6:c5c7:fc4a with SMTP id z1-20020ac87f81000000b003f6c5c7fc4amr780794qtj.5.1686331384732;
Fri, 09 Jun 2023 10:23:04 -0700 (PDT)
X-Received: by 2002:a81:8d06:0:b0:565:b269:5ef7 with SMTP id
d6-20020a818d06000000b00565b2695ef7mr1237285ywg.1.1686331384429; Fri, 09 Jun
2023 10:23:04 -0700 (PDT)
Path: i2pn2.org!i2pn.org!usenet.blueworldhosting.com!diablo1.usenet.blueworldhosting.com!peer01.iad!feed-me.highwinds-media.com!news.highwinds-media.com!news-out.google.com!nntp.google.com!postnews.google.com!google-groups.googlegroups.com!not-for-mail
Newsgroups: comp.sys.unisys
Date: Fri, 9 Jun 2023 10:23:04 -0700 (PDT)
In-Reply-To: <53eb4ced-7563-4345-a253-1c31d7c1beeen@googlegroups.com>
Injection-Info: google-groups.googlegroups.com; posting-host=2603:8000:5800:5400:5062:15d6:262a:512e;
posting-account=V-JxhAoAAAA7K1REWiT1YEYM1aal3G4q
NNTP-Posting-Host: 2603:8000:5800:5400:5062:15d6:262a:512e
References: <29f8c047-bcff-46a1-8a50-6c26a7fad827n@googlegroups.com> <53eb4ced-7563-4345-a253-1c31d7c1beeen@googlegroups.com>
User-Agent: G2/1.0
MIME-Version: 1.0
Message-ID: <04127845-25b8-4e8d-896f-5a137ee099ffn@googlegroups.com>
Subject: Re: Decoding USERDATA Log Entries
From: mpe...@gmail.com (mpe...@gmail.com)
Injection-Date: Fri, 09 Jun 2023 17:23:04 +0000
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Received-Bytes: 3590
 by: mpe...@gmail.com - Fri, 9 Jun 2023 17:23 UTC

On Friday, June 9, 2023 at 10:03:47 AM UTC-7, barry....@gmail.com wrote:
> On Thursday, June 8, 2023 at 10:23:44 PM UTC+1, mpe...@gmail.com wrote:
> > I'm having a heck of a time decoding a USERDATA entry in the SUMLOG. LOG_GET_ENTRY in SDASUPPORT is returning the Major 6, Minor 9 USERDATA Change entries that need to be decoded. Here's a snippet of the returned array row:
> >
> > 0(00000) 0 580000 010001 0 006000 91E117 ...... .-.j..
> > 2(00002) 0 B0B4E8 431741 0 000A49 000BC1 ..Y... .....A
> > 4(00004) 0 000000 000507 0 000000 50000B ...... ...&..
> > 6(00006) 0 000000 00047C THRU 7(00007) .....@
> > 8(00008) 0 000000 00001C 0 000000 000000 ...... ......
> > 10(0000A) 0 000000 000000 0 000001 202030 ...... ......
> > 12(0000C) 0 08C4E4 D4D4E8 0 E4C300 000000 .DUMMY UC....
> > 14(0000E) 0 1B0000 20011F 0 000000 00000A ...... ......
> > 16(00010) 0 000000 000000 THRU 23(00017) ......
> >
> > Word 0-3 are the usual log entry words.
> > Word 4 has the expected data as documented in the System Log Programming Guide.
> > Word 5 is pointing at word 11 (hex b) for 5 words.
> > But, what the heck is in word 11?
> >
> > I'm looking in the Security Administration Guide under USERDATAREBUILD, but the documentation is very opaque.
> >
> > Does anyone out there have any familiarity with decoding these log entries?
> >
> > Thanks.
> In a previous life (nearly 10 years ago!) I wrote a SIEM agent (I can't even remember what that acronym stands for now), which extracted important security-related stuff from the logfile and sent it to a third-party monitoring program which ran elsewhere. The data I extracted definitely included Major 6 / Minor 9 records (and specifically function 7 usercode Modify entries, which is what you have here).
>
> I still have the source code, but it resides on an MCP Express environment which is currently turned off (and is no longer supported). It might take me a while to locate it, but I'd be happy to try if you think it might help?
>
> Barry.

Barry -

That sounds very much on target. If you can pull that up, it would be very much appreciated.

SIEM is Security Incident Event Manager.

Re: Decoding USERDATA Log Entries

<u5vp84$1vepl$1@dont-email.me>

https://www.novabbs.com/computers/article-flat.php?id=329&group=comp.sys.unisys#329

Newsgroups: comp.sys.unisys
Path: i2pn2.org!i2pn.org!eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: paul.kim...@digm.com (Paul Kimpel)
Newsgroups: comp.sys.unisys
Subject: Re: Decoding USERDATA Log Entries
Date: Fri, 9 Jun 2023 10:58:28 -0700
Organization: A noiseless patient Spider
Lines: 44
Message-ID: <u5vp84$1vepl$1@dont-email.me>
References: <29f8c047-bcff-46a1-8a50-6c26a7fad827n@googlegroups.com>
<53eb4ced-7563-4345-a253-1c31d7c1beeen@googlegroups.com>
<04127845-25b8-4e8d-896f-5a137ee099ffn@googlegroups.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Fri, 9 Jun 2023 17:58:29 -0000 (UTC)
Injection-Info: dont-email.me; posting-host="b976d3b2fd0765e1350422a56b460ea7";
logging-data="2079541"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX18mRUk5J1hnwW1pqCWrI+g7BisVJlBI/sg="
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101
Thunderbird/102.11.2
Cancel-Lock: sha1:yIvA12Clv5+SSddXsM1ipJT8za4=
In-Reply-To: <04127845-25b8-4e8d-896f-5a137ee099ffn@googlegroups.com>
Content-Language: en-US
 by: Paul Kimpel - Fri, 9 Jun 2023 17:58 UTC

On 6/9/2023 10:23 AM, mpe...@gmail.com wrote:
> On Friday, June 9, 2023 at 10:03:47 AM UTC-7, barry....@gmail.com wrote:
>> On Thursday, June 8, 2023 at 10:23:44 PM UTC+1, mpe...@gmail.com wrote:
>>> I'm having a heck of a time decoding a USERDATA entry in the SUMLOG. LOG_GET_ENTRY in SDASUPPORT is returning the Major 6, Minor 9 USERDATA Change entries that need to be decoded. Here's a snippet of the returned array row:
>>>
>>> 0(00000) 0 580000 010001 0 006000 91E117 ...... .-.j..
>>> 2(00002) 0 B0B4E8 431741 0 000A49 000BC1 ..Y... .....A
>>> 4(00004) 0 000000 000507 0 000000 50000B ...... ...&..
>>> 6(00006) 0 000000 00047C THRU 7(00007) .....@
>>> 8(00008) 0 000000 00001C 0 000000 000000 ...... ......
>>> 10(0000A) 0 000000 000000 0 000001 202030 ...... ......
>>> 12(0000C) 0 08C4E4 D4D4E8 0 E4C300 000000 .DUMMY UC....
>>> 14(0000E) 0 1B0000 20011F 0 000000 00000A ...... ......
>>> 16(00010) 0 000000 000000 THRU 23(00017) ......
>>>
>>> Word 0-3 are the usual log entry words.
>>> Word 4 has the expected data as documented in the System Log Programming Guide.
>>> Word 5 is pointing at word 11 (hex b) for 5 words.
>>> But, what the heck is in word 11?
>>>
>>> I'm looking in the Security Administration Guide under USERDATAREBUILD, but the documentation is very opaque.
>>>
>>> Does anyone out there have any familiarity with decoding these log entries?
>>>
>>> Thanks.
>> In a previous life (nearly 10 years ago!) I wrote a SIEM agent (I can't even remember what that acronym stands for now), which extracted important security-related stuff from the logfile and sent it to a third-party monitoring program which ran elsewhere. The data I extracted definitely included Major 6 / Minor 9 records (and specifically function 7 usercode Modify entries, which is what you have here).
>>
>> I still have the source code, but it resides on an MCP Express environment which is currently turned off (and is no longer supported). It might take me a while to locate it, but I'd be happy to try if you think it might help?
>>
>> Barry.
>
> Barry -
>
> That sounds very much on target. If you can pull that up, it would be very much appreciated.
>
> SIEM is Security Incident Event Manager.

Metalogic CopyWriteNT can extract and convert files from a number of MCP
media types, including Logical Disk .asd files. See:

http://www.metalogic.eu.com/Main/Products/CopyWrite.html

Paul

Re: Decoding USERDATA Log Entries

<58f15404-96f0-47cb-8dcd-2efc84445541n@googlegroups.com>

https://www.novabbs.com/computers/article-flat.php?id=330&group=comp.sys.unisys#330

Newsgroups: comp.sys.unisys
X-Received: by 2002:ac8:59ce:0:b0:3f3:9062:4a72 with SMTP id f14-20020ac859ce000000b003f390624a72mr1498339qtf.4.1686402957792;
Sat, 10 Jun 2023 06:15:57 -0700 (PDT)
X-Received: by 2002:a0d:ec51:0:b0:552:abfa:1e77 with SMTP id
r17-20020a0dec51000000b00552abfa1e77mr2130647ywn.5.1686402957435; Sat, 10 Jun
2023 06:15:57 -0700 (PDT)
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!1.us.feeder.erje.net!feeder.erje.net!usenet.blueworldhosting.com!diablo1.usenet.blueworldhosting.com!peer03.iad!feed-me.highwinds-media.com!news.highwinds-media.com!news-out.google.com!nntp.google.com!postnews.google.com!google-groups.googlegroups.com!not-for-mail
Newsgroups: comp.sys.unisys
Date: Sat, 10 Jun 2023 06:15:57 -0700 (PDT)
In-Reply-To: <u5vp84$1vepl$1@dont-email.me>
Injection-Info: google-groups.googlegroups.com; posting-host=31.94.33.246; posting-account=1JkF5goAAACasrFsThTAi4a3jlSS1Dli
NNTP-Posting-Host: 31.94.33.246
References: <29f8c047-bcff-46a1-8a50-6c26a7fad827n@googlegroups.com>
<53eb4ced-7563-4345-a253-1c31d7c1beeen@googlegroups.com> <04127845-25b8-4e8d-896f-5a137ee099ffn@googlegroups.com>
<u5vp84$1vepl$1@dont-email.me>
User-Agent: G2/1.0
MIME-Version: 1.0
Message-ID: <58f15404-96f0-47cb-8dcd-2efc84445541n@googlegroups.com>
Subject: Re: Decoding USERDATA Log Entries
From: barry.wh...@gmail.com (barry....@gmail.com)
Injection-Date: Sat, 10 Jun 2023 13:15:57 +0000
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Received-Bytes: 4545
 by: barry....@gmail.com - Sat, 10 Jun 2023 13:15 UTC

On Friday, June 9, 2023 at 6:58:30 PM UTC+1, Paul Kimpel wrote:
> On 6/9/2023 10:23 AM, mpe...@gmail.com wrote:
> > On Friday, June 9, 2023 at 10:03:47 AM UTC-7, barry....@gmail.com wrote:
> >> On Thursday, June 8, 2023 at 10:23:44 PM UTC+1, mpe...@gmail.com wrote:
> >>> I'm having a heck of a time decoding a USERDATA entry in the SUMLOG. LOG_GET_ENTRY in SDASUPPORT is returning the Major 6, Minor 9 USERDATA Change entries that need to be decoded. Here's a snippet of the returned array row:
> >>>
> >>> 0(00000) 0 580000 010001 0 006000 91E117 ...... .-.j..
> >>> 2(00002) 0 B0B4E8 431741 0 000A49 000BC1 ..Y... .....A
> >>> 4(00004) 0 000000 000507 0 000000 50000B ...... ...&..
> >>> 6(00006) 0 000000 00047C THRU 7(00007) .....@
> >>> 8(00008) 0 000000 00001C 0 000000 000000 ...... ......
> >>> 10(0000A) 0 000000 000000 0 000001 202030 ...... ......
> >>> 12(0000C) 0 08C4E4 D4D4E8 0 E4C300 000000 .DUMMY UC....
> >>> 14(0000E) 0 1B0000 20011F 0 000000 00000A ...... ......
> >>> 16(00010) 0 000000 000000 THRU 23(00017) ......
> >>>
> >>> Word 0-3 are the usual log entry words.
> >>> Word 4 has the expected data as documented in the System Log Programming Guide.
> >>> Word 5 is pointing at word 11 (hex b) for 5 words.
> >>> But, what the heck is in word 11?
> >>>
> >>> I'm looking in the Security Administration Guide under USERDATAREBUILD, but the documentation is very opaque.
> >>>
> >>> Does anyone out there have any familiarity with decoding these log entries?
> >>>
> >>> Thanks.
> >> In a previous life (nearly 10 years ago!) I wrote a SIEM agent (I can't even remember what that acronym stands for now), which extracted important security-related stuff from the logfile and sent it to a third-party monitoring program which ran elsewhere. The data I extracted definitely included Major 6 / Minor 9 records (and specifically function 7 usercode Modify entries, which is what you have here).
> >>
> >> I still have the source code, but it resides on an MCP Express environment which is currently turned off (and is no longer supported). It might take me a while to locate it, but I'd be happy to try if you think it might help?
> >>
> >> Barry.
> >
> > Barry -
> >
> > That sounds very much on target. If you can pull that up, it would be very much appreciated.
> >
> > SIEM is Security Incident Event Manager.
> Metalogic CopyWriteNT can extract and convert files from a number of MCP
> media types, including Logical Disk .asd files. See:
>
> http://www.metalogic.eu.com/Main/Products/CopyWrite.html
>
> Paul

Thanks Paul -- Copywrite is indeed a very useful tool. But I remembered that I also have a working (and more recent) Dev Studio environment, which also happens to contain a copy of the code (albeit version 1.0.0).
I'm just working out the best way to get that from there to here, and then I'll post some snippets. I have been a little lazy in my decoding, in that I only seem to extract the usercode, and not the detail; but at least it's a start...

Re: Decoding USERDATA Log Entries

<98434c0c-914c-4651-ad85-a4a74697ca43n@googlegroups.com>

https://www.novabbs.com/computers/article-flat.php?id=331&group=comp.sys.unisys#331

Newsgroups: comp.sys.unisys
X-Received: by 2002:a37:41ce:0:b0:75b:d836:19c8 with SMTP id o197-20020a3741ce000000b0075bd83619c8mr305301qka.3.1686404667181;
Sat, 10 Jun 2023 06:44:27 -0700 (PDT)
X-Received: by 2002:a25:e049:0:b0:bc4:8939:e1f5 with SMTP id
x70-20020a25e049000000b00bc48939e1f5mr846046ybg.4.1686404666977; Sat, 10 Jun
2023 06:44:26 -0700 (PDT)
Path: i2pn2.org!i2pn.org!usenet.blueworldhosting.com!diablo1.usenet.blueworldhosting.com!peer03.iad!feed-me.highwinds-media.com!news.highwinds-media.com!news-out.google.com!nntp.google.com!postnews.google.com!google-groups.googlegroups.com!not-for-mail
Newsgroups: comp.sys.unisys
Date: Sat, 10 Jun 2023 06:44:26 -0700 (PDT)
In-Reply-To: <58f15404-96f0-47cb-8dcd-2efc84445541n@googlegroups.com>
Injection-Info: google-groups.googlegroups.com; posting-host=31.94.33.246; posting-account=1JkF5goAAACasrFsThTAi4a3jlSS1Dli
NNTP-Posting-Host: 31.94.33.246
References: <29f8c047-bcff-46a1-8a50-6c26a7fad827n@googlegroups.com>
<53eb4ced-7563-4345-a253-1c31d7c1beeen@googlegroups.com> <04127845-25b8-4e8d-896f-5a137ee099ffn@googlegroups.com>
<u5vp84$1vepl$1@dont-email.me> <58f15404-96f0-47cb-8dcd-2efc84445541n@googlegroups.com>
User-Agent: G2/1.0
MIME-Version: 1.0
Message-ID: <98434c0c-914c-4651-ad85-a4a74697ca43n@googlegroups.com>
Subject: Re: Decoding USERDATA Log Entries
From: barry.wh...@gmail.com (barry....@gmail.com)
Injection-Date: Sat, 10 Jun 2023 13:44:27 +0000
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Received-Bytes: 6706
 by: barry....@gmail.com - Sat, 10 Jun 2023 13:44 UTC

On Saturday, June 10, 2023 at 2:15:58 PM UTC+1, barry....@gmail.com wrote:
> On Friday, June 9, 2023 at 6:58:30 PM UTC+1, Paul Kimpel wrote:
> > On 6/9/2023 10:23 AM, mpe...@gmail.com wrote:
> > > On Friday, June 9, 2023 at 10:03:47 AM UTC-7, barry....@gmail.com wrote:
> > >> On Thursday, June 8, 2023 at 10:23:44 PM UTC+1, mpe...@gmail.com wrote:
> > >>> I'm having a heck of a time decoding a USERDATA entry in the SUMLOG. LOG_GET_ENTRY in SDASUPPORT is returning the Major 6, Minor 9 USERDATA Change entries that need to be decoded. Here's a snippet of the returned array row:
> > >>>
> > >>> 0(00000) 0 580000 010001 0 006000 91E117 ...... .-.j..
> > >>> 2(00002) 0 B0B4E8 431741 0 000A49 000BC1 ..Y... .....A
> > >>> 4(00004) 0 000000 000507 0 000000 50000B ...... ...&..
> > >>> 6(00006) 0 000000 00047C THRU 7(00007) .....@
> > >>> 8(00008) 0 000000 00001C 0 000000 000000 ...... ......
> > >>> 10(0000A) 0 000000 000000 0 000001 202030 ...... ......
> > >>> 12(0000C) 0 08C4E4 D4D4E8 0 E4C300 000000 .DUMMY UC....
> > >>> 14(0000E) 0 1B0000 20011F 0 000000 00000A ...... ......
> > >>> 16(00010) 0 000000 000000 THRU 23(00017) ......
> > >>>
> > >>> Word 0-3 are the usual log entry words.
> > >>> Word 4 has the expected data as documented in the System Log Programming Guide.
> > >>> Word 5 is pointing at word 11 (hex b) for 5 words.
> > >>> But, what the heck is in word 11?
> > >>>
> > >>> I'm looking in the Security Administration Guide under USERDATAREBUILD, but the documentation is very opaque.
> > >>>
> > >>> Does anyone out there have any familiarity with decoding these log entries?
> > >>>
> > >>> Thanks.
> > >> In a previous life (nearly 10 years ago!) I wrote a SIEM agent (I can't even remember what that acronym stands for now), which extracted important security-related stuff from the logfile and sent it to a third-party monitoring program which ran elsewhere. The data I extracted definitely included Major 6 / Minor 9 records (and specifically function 7 usercode Modify entries, which is what you have here).
> > >>
> > >> I still have the source code, but it resides on an MCP Express environment which is currently turned off (and is no longer supported). It might take me a while to locate it, but I'd be happy to try if you think it might help?
> > >>
> > >> Barry.
> > >
> > > Barry -
> > >
> > > That sounds very much on target. If you can pull that up, it would be very much appreciated.
> > >
> > > SIEM is Security Incident Event Manager.
> > Metalogic CopyWriteNT can extract and convert files from a number of MCP
> > media types, including Logical Disk .asd files. See:
> >
> > http://www.metalogic.eu.com/Main/Products/CopyWrite.html
> >
> > Paul
> Thanks Paul -- Copywrite is indeed a very useful tool. But I remembered that I also have a working (and more recent) Dev Studio environment, which also happens to contain a copy of the code (albeit version 1.0.0).
> I'm just working out the best way to get that from there to here, and then I'll post some snippets. I have been a little lazy in my decoding, in that I only seem to extract the usercode, and not the detail; but at least it's a start...

OK - this is what I have. I'm using Report_Log_Entries to get the log records that I'm interested in, and then writing them to a remote Windows server.
There is a big Case statement on Major type, then similar case statements on Minor type within each.
For Maj 6, Min 9 I have:

9: Begin % Userdata Change
     Pu := Pointer(U);
     % Convert the variable-length field that entry word 5 links to
     % (Log_0609_UPtr) into display form in the temporary array U
     StandardtoDisplay(Log_0609_UPtr, Pu);
     Replace P:P by
       Log_06_UDfunc for * digits, comma,      % function code, entry word 4 [3:4]
       Log_06_UDop for * digits, comma,        % operation, entry word 4 [11:4]
       Pointer(U[0]) + 4 until = Nul, comma;   % the converted text, skipping a 4-character prefix
   End Min 9;

U is just a temporary array for the result of the StandardtoDisplay call; Pu is a pointer to it. P is a pointer to the output record.
Defines are as follows:
RLE_Pfx       = 5 #,                                    % queue-message prefix words before log-entry word 0
LinkIxF       = [19:20] #,                              % partial word: 20 bits ending at bit 19
LengthF       = [23:08] #,                              % partial word: 8 bits ending at bit 23
Log_06_UDfunc = Qmsg[RLE_Pfx + 4].[3:4] #,              % entry word 4, bits 3..0
Log_06_UDcopy = Qmsg[RLE_Pfx + 6].[15:16] #,            % entry word 6, bits 15..0
Log_06_UDop   = Qmsg[RLE_Pfx + 4].[11:4] #,             % entry word 4, bits 11..8
Log_0609_UInx = Qmsg[RLE_Pfx + 5].LinkIxF + RLE_Pfx #,  % link in entry word 5, as a Qmsg index
Log_0609_ULen = Qmsg[Log_0609_UInx].LengthF #,          % length field of the linked word
Log_0609_UPtr = Pointer(Qmsg[Log_0609_UInx]) #,         % pointer to the linked words
Qmsg is a large array for the messages received on the Queue used by Report_Log_Entries.

Hope that might be of some use...
Barry.
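
An added worked example (not code from any poster, nor from the SIEM agent Barry describes): a Python decoder for the dump text in the original post. It parses the 48-bit word layout including the THRU shorthand, implements the ALGOL partial-word [start:length] notation that Barry's defines use, applies those defines to the entry, and renders the linked words as EBCDIC text. Assumptions: the LOG_GET_ENTRY row starts at entry word 0, so Barry's Qmsg[RLE_Pfx + n] corresponds to words[n] here; the character data is EBCDIC as mapped by Python's cp037 codec; and the linked field spans the 5 words that the original post reads from word 5.

```python
"""Decode the Major 6 / Minor 9 (USERDATA change) dump posted in this thread.

Added example, not code from any poster. Assumptions: the dump row starts at
log-entry word 0 (Barry's Qmsg[RLE_Pfx + n] is words[n] here), text words are
EBCDIC (Python's cp037 codec), and the linked field spans 5 words as the
original post reads word 5.
"""
import re

# Constructed input: the dump lines exactly as they appear in the original post.
DUMP = """\
0(00000) 0 580000 010001 0 006000 91E117 ...... .-.j..
2(00002) 0 B0B4E8 431741 0 000A49 000BC1 ..Y... .....A
4(00004) 0 000000 000507 0 000000 50000B ...... ...&..
6(00006) 0 000000 00047C THRU 7(00007) .....@
8(00008) 0 000000 00001C 0 000000 000000 ...... ......
10(0000A) 0 000000 000000 0 000001 202030 ...... ......
12(0000C) 0 08C4E4 D4D4E8 0 E4C300 000000 .DUMMY UC....
14(0000E) 0 1B0000 20011F 0 000000 00000A ...... ......
16(00010) 0 000000 000000 THRU 23(00017) ......
"""

_INDEX = re.compile(r'^(\d+)\([0-9A-Fa-f]+\)$')   # word index, e.g. 10(0000A)
_TAG = re.compile(r'^[0-7]$')                     # memory tag printed before each word
_HALF = re.compile(r'^[0-9A-Fa-f]{6}$')           # 24-bit half of a 48-bit word


def parse_dump(text):
    """Return the dump as a list of 48-bit ints indexed by word number.

    A line holds '<dec>(<hex>)' followed by one or two words written as
    '<tag> <hi6> <lo6>'; 'THRU <dec>(<hex>)' repeats the word just read up to
    and including that index. The trailing character column is ignored.
    """
    words = {}
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        m = _INDEX.match(tok[0])
        if not m:
            raise ValueError(f"bad index token {tok[0]!r}")
        index = int(m.group(1))
        i = 1
        while i < len(tok):
            if tok[i] == 'THRU':
                m = _INDEX.match(tok[i + 1]) if i + 1 < len(tok) else None
                if not m or (index - 1) not in words:
                    raise ValueError(f"bad THRU in {line!r}")
                last = int(m.group(1))
                for k in range(index, last + 1):
                    words[k] = words[index - 1]
                index, i = last + 1, i + 2
            elif (i + 2 < len(tok) and _TAG.match(tok[i])
                  and _HALF.match(tok[i + 1]) and _HALF.match(tok[i + 2])):
                words[index] = int(tok[i + 1] + tok[i + 2], 16)
                index, i = index + 1, i + 3
            else:
                break  # character-rendering column reached
    if not words:
        return []
    missing = [k for k in range(max(words) + 1) if k not in words]
    if missing:
        raise ValueError(f"dump has gaps at words {missing}")
    return [words[k] for k in range(max(words) + 1)]


def field(word, start, length):
    """ALGOL partial word [start:length]: `length` bits whose top bit is `start` (bit 0 = LSB)."""
    if not 1 <= length <= start + 1 <= 48:
        raise ValueError("field outside a 48-bit word")
    return (word >> (start - length + 1)) & ((1 << length) - 1)


def ebcdic_render(words):
    """Render words as EBCDIC text, with '.' for anything not an ASCII letter or digit."""
    out = []
    for w in words:
        for b in w.to_bytes(6, 'big'):
            ch = bytes([b]).decode('cp037')
            out.append(ch if ch.isascii() and ch.isalnum() else '.')
    return ''.join(out)


def decode_0609(words):
    """Apply Barry's DEFINEs to an entry whose words[0] is log-entry word 0."""
    if len(words) < 7:
        raise ValueError("too short for a 06/09 entry")
    link = field(words[5], 19, 20)              # Log_0609_UInx: LinkIxF of entry word 5
    if link >= len(words):
        raise ValueError(f"link index {link} beyond entry")
    text = ebcdic_render(words[link:link + 5])  # 5 words, as the original post reads word 5
    return {
        'function': field(words[4], 3, 4),          # Log_06_UDfunc
        'operation': field(words[4], 11, 4),        # Log_06_UDop
        'copy': field(words[6], 15, 16),            # Log_06_UDcopy
        'link_index': link,
        'length_field': field(words[link], 23, 8),  # Log_0609_ULen: LengthF of the linked word
        'text': text,
        'identifiers': re.findall(r'[A-Za-z0-9]+', text),
    }


if __name__ == '__main__':
    for k, v in decode_0609(parse_dump(DUMP)).items():
        print(f"{k:13}: {v}")
```

Run as a script it prints each decoded field. The link index comes out as 11, agreeing with the original post's own reading of word 5, and word 4 yields function 7 / operation 5, which lines up with Barry's "function 7 usercode Modify"; the EBCDIC rendering of the linked words recovers the identifier the dump's right-hand column shows as "DUMMY UC".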

Re: Decoding USERDATA Log Entries

<7e44281b-7079-434c-b902-07173e36bdben@googlegroups.com>

https://www.novabbs.com/computers/article-flat.php?id=332&group=comp.sys.unisys#332

Newsgroups: comp.sys.unisys
X-Received: by 2002:a37:41d4:0:b0:759:5e3e:2867 with SMTP id o203-20020a3741d4000000b007595e3e2867mr1658631qka.12.1686605969686;
Mon, 12 Jun 2023 14:39:29 -0700 (PDT)
X-Received: by 2002:a25:d215:0:b0:bc7:f6af:8cff with SMTP id
j21-20020a25d215000000b00bc7f6af8cffmr3208045ybg.2.1686605969440; Mon, 12 Jun
2023 14:39:29 -0700 (PDT)
Path: i2pn2.org!i2pn.org!usenet.blueworldhosting.com!diablo1.usenet.blueworldhosting.com!peer01.iad!feed-me.highwinds-media.com!news.highwinds-media.com!news-out.google.com!nntp.google.com!postnews.google.com!google-groups.googlegroups.com!not-for-mail
Newsgroups: comp.sys.unisys
Date: Mon, 12 Jun 2023 14:39:29 -0700 (PDT)
In-Reply-To: <u5vp84$1vepl$1@dont-email.me>
Injection-Info: google-groups.googlegroups.com; posting-host=2603:8000:5800:5400:5062:15d6:262a:512e;
posting-account=V-JxhAoAAAA7K1REWiT1YEYM1aal3G4q
NNTP-Posting-Host: 2603:8000:5800:5400:5062:15d6:262a:512e
References: <29f8c047-bcff-46a1-8a50-6c26a7fad827n@googlegroups.com>
<53eb4ced-7563-4345-a253-1c31d7c1beeen@googlegroups.com> <04127845-25b8-4e8d-896f-5a137ee099ffn@googlegroups.com>
<u5vp84$1vepl$1@dont-email.me>
User-Agent: G2/1.0
MIME-Version: 1.0
Message-ID: <7e44281b-7079-434c-b902-07173e36bdben@googlegroups.com>
Subject: Re: Decoding USERDATA Log Entries
From: mpe...@gmail.com (mpe...@gmail.com)
Injection-Date: Mon, 12 Jun 2023 21:39:29 +0000
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Received-Bytes: 4198
 by: mpe...@gmail.com - Mon, 12 Jun 2023 21:39 UTC

On Friday, June 9, 2023 at 10:58:30 AM UTC-7, Paul Kimpel wrote:
> On 6/9/2023 10:23 AM, mpe...@gmail.com wrote:
> > On Friday, June 9, 2023 at 10:03:47 AM UTC-7, barry....@gmail.com wrote:
> >> On Thursday, June 8, 2023 at 10:23:44 PM UTC+1, mpe...@gmail.com wrote:
> >>> I'm having a heck of a time decoding a USERDATA entry in the SUMLOG. LOG_GET_ENTRY in SDASUPPORT is returning the Major 6, Minor 9 USERDATA Change entries that need to be decoded. Here's a snippet of the returned array row:
> >>>
> >>> 0(00000) 0 580000 010001 0 006000 91E117 ...... .-.j..
> >>> 2(00002) 0 B0B4E8 431741 0 000A49 000BC1 ..Y... .....A
> >>> 4(00004) 0 000000 000507 0 000000 50000B ...... ...&..
> >>> 6(00006) 0 000000 00047C THRU 7(00007) .....@
> >>> 8(00008) 0 000000 00001C 0 000000 000000 ...... ......
> >>> 10(0000A) 0 000000 000000 0 000001 202030 ...... ......
> >>> 12(0000C) 0 08C4E4 D4D4E8 0 E4C300 000000 .DUMMY UC....
> >>> 14(0000E) 0 1B0000 20011F 0 000000 00000A ...... ......
> >>> 16(00010) 0 000000 000000 THRU 23(00017) ......
> >>>
> >>> Word 0-3 are the usual log entry words.
> >>> Word 4 has the expected data as documented in the System Log Programming Guide.
> >>> Word 5 is pointing at word 11 (hex b) for 5 words.
> >>> But, what the heck is in word 11?
> >>>
> >>> I'm looking in the Security Administration Guide under USERDATAREBUILD, but the documentation is very opaque.
> >>>
> >>> Does anyone out there have any familiarity with decoding these log entries?
> >>>
> >>> Thanks.
> >> In a previous life (nearly 10 years ago!) I wrote a SIEM agent (I can't even remember what that acronym stands for now), which extracted important security-related stuff from the logfile and sent it to a third-party monitoring program which ran elsewhere. The data I extracted definitely included Major 6 / Minor 9 records (and specifically function 7 usercode Modify entries, which is what you have here).
> >>
> >> I still have the source code, but it resides on an MCP Express environment which is currently turned off (and is no longer supported). It might take me a while to locate it, but I'd be happy to try if you think it might help?
> >>
> >> Barry.
> >
> > Barry -
> >
> > That sounds very much on target. If you can pull that up, it would be very much appreciated.
> >
> > SIEM is Security Incident Event Manager.
> Metalogic CopyWriteNT can extract and convert files from a number of MCP
> media types, including Logical Disk .asd files. See:
>
> http://www.metalogic.eu.com/Main/Products/CopyWrite.html
>
> Paul

Paul -

Thanks for the reference. However, we need to do this on-box.

Re: Decoding USERDATA Log Entries

<0e6f6360-42fa-4dc8-a21b-763147ed9b37n@googlegroups.com>

https://www.novabbs.com/computers/article-flat.php?id=333&group=comp.sys.unisys#333

Newsgroups: comp.sys.unisys
X-Received: by 2002:a37:a88a:0:b0:75d:2dd7:a343 with SMTP id r132-20020a37a88a000000b0075d2dd7a343mr1613306qke.0.1686606186272;
Mon, 12 Jun 2023 14:43:06 -0700 (PDT)
X-Received: by 2002:a25:25c9:0:b0:ba8:4b22:4e8a with SMTP id
l192-20020a2525c9000000b00ba84b224e8amr8366ybl.0.1686606185942; Mon, 12 Jun
2023 14:43:05 -0700 (PDT)
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!1.us.feeder.erje.net!feeder.erje.net!usenet.blueworldhosting.com!diablo1.usenet.blueworldhosting.com!peer01.iad!feed-me.highwinds-media.com!news.highwinds-media.com!news-out.google.com!nntp.google.com!postnews.google.com!google-groups.googlegroups.com!not-for-mail
Newsgroups: comp.sys.unisys
Date: Mon, 12 Jun 2023 14:43:05 -0700 (PDT)
In-Reply-To: <98434c0c-914c-4651-ad85-a4a74697ca43n@googlegroups.com>
Injection-Info: google-groups.googlegroups.com; posting-host=2603:8000:5800:5400:5062:15d6:262a:512e;
posting-account=V-JxhAoAAAA7K1REWiT1YEYM1aal3G4q
NNTP-Posting-Host: 2603:8000:5800:5400:5062:15d6:262a:512e
References: <29f8c047-bcff-46a1-8a50-6c26a7fad827n@googlegroups.com>
<53eb4ced-7563-4345-a253-1c31d7c1beeen@googlegroups.com> <04127845-25b8-4e8d-896f-5a137ee099ffn@googlegroups.com>
<u5vp84$1vepl$1@dont-email.me> <58f15404-96f0-47cb-8dcd-2efc84445541n@googlegroups.com>
<98434c0c-914c-4651-ad85-a4a74697ca43n@googlegroups.com>
User-Agent: G2/1.0
MIME-Version: 1.0
Message-ID: <0e6f6360-42fa-4dc8-a21b-763147ed9b37n@googlegroups.com>
Subject: Re: Decoding USERDATA Log Entries
From: mpe...@gmail.com (mpe...@gmail.com)
Injection-Date: Mon, 12 Jun 2023 21:43:06 +0000
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Received-Bytes: 6563
 by: mpe...@gmail.com - Mon, 12 Jun 2023 21:43 UTC

On Saturday, June 10, 2023 at 6:44:27 AM UTC-7, barry....@gmail.com wrote:
> On Saturday, June 10, 2023 at 2:15:58 PM UTC+1, barry....@gmail.com wrote:
> > On Friday, June 9, 2023 at 6:58:30 PM UTC+1, Paul Kimpel wrote:
> > > On 6/9/2023 10:23 AM, mpe...@gmail.com wrote:
> > > > On Friday, June 9, 2023 at 10:03:47 AM UTC-7, barry....@gmail.com wrote:
> > > >> On Thursday, June 8, 2023 at 10:23:44 PM UTC+1, mpe...@gmail.com wrote:
> > > >>> I'm having a heck of a time decoding a USERDATA entry in the SUMLOG. LOG_GET_ENTRY in SDASUPPORT is returning the Major 6, Minor 9 USERDATA Change entries that need to be decoded. Here's a snippet of the returned array row:
> > > >>>
> > > >>> 0(00000) 0 580000 010001 0 006000 91E117 ...... .-.j..
> > > >>> 2(00002) 0 B0B4E8 431741 0 000A49 000BC1 ..Y... .....A
> > > >>> 4(00004) 0 000000 000507 0 000000 50000B ...... ...&..
> > > >>> 6(00006) 0 000000 00047C THRU 7(00007) .....@
> > > >>> 8(00008) 0 000000 00001C 0 000000 000000 ...... ......
> > > >>> 10(0000A) 0 000000 000000 0 000001 202030 ...... ......
> > > >>> 12(0000C) 0 08C4E4 D4D4E8 0 E4C300 000000 .DUMMY UC....
> > > >>> 14(0000E) 0 1B0000 20011F 0 000000 00000A ...... ......
> > > >>> 16(00010) 0 000000 000000 THRU 23(00017) ......
> > > >>>
> > > >>> Word 0-3 are the usual log entry words.
> > > >>> Word 4 has the expected data as documented in the System Log Programming Guide.
> > > >>> Word 5 is pointing at word 11 (hex b) for 5 words.
> > > >>> But, what the heck is in word 11?
> > > >>>
> > > >>> I'm looking in the Security Administration Guide under USERDATAREBUILD, but the documentation is very opaque.
> > > >>>
> > > >>> Does anyone out there have any familiarity with decoding these log entries?
> > > >>>
> > > >>> Thanks.
> > > >> In a previous life (nearly 10 years ago!) I wrote a SIEM agent (I can't even remember what that acronym stands for now), which extracted important security-related stuff from the logfile and sent it to a third-party monitoring program which ran elsewhere. The data I extracted definitely included Major 6 / Minor 9 records (and specifically function 7 usercode Modify entries, which is what you have here).
> > > >>
> > > >> I still have the source code, but it resides on an MCP Express environment which is currently turned off (and is no longer supported). It might take me a while to locate it, but I'd be happy to try if you think it might help?
> > > >>
> > > >> Barry.
> > > >
> > > > Barry -
> > > >
> > > > That sounds very much on target. If you can pull that up, it would be very much appreciated.
> > > >
> > > > SIEM is Security Incident Event Manager.
> > > Metalogic CopyWriteNT can extract and convert files from a number of MCP
> > > media types, including Logical Disk .asd files. See:
> > >
> > > http://www.metalogic.eu.com/Main/Products/CopyWrite.html
> > >
> > > Paul
> > Thanks Paul -- Copywrite is indeed a very useful tool. But I remembered that I also have a working (and more recent) Dev Studio environment, which also happens to contain a copy of the code (albeit version 1.0.0).
> > I'm just working out the best way to get that from there to here, and then I'll post some snippets. I have been a little lazy in my decoding, in that I only seem to extract the usercode, and not the detail; but at least it's a start...
> OK - this is what I have. I'm using Report_Log_Entries to get the log records that I'm interested in, and then writing them to a remote Windows server.
> There is a big Case statement on Major type, then similar case statements on Minor type within each.
> For Maj 6, Min 9 I have:
>
> 9: Begin % Userdata Change
>     Pu := Pointer(U);
>     StandardtoDisplay(Log_0609_UPtr, Pu);
>     Replace P:P by
>         Log_06_UDfunc for * digits, comma,
>         Log_06_UDop for * digits, comma,
>         Pointer(U[0]) + 4 until = Nul, comma;
> End Min 9;
>
> U is just a temporary array for the result of the StandardtoDisplay call; Pu is a pointer to it. P is a pointer to the output record.
> Defines are as follows:
> RLE_Pfx = 5 #,
> LinkIxF = [19:20] #,
> LengthF = [23:08] #,
> Log_06_UDfunc = Qmsg[RLE_Pfx + 4].[3:4] #,
> Log_06_UDcopy = Qmsg[RLE_Pfx + 6].[15:16] #,
> Log_06_UDop = Qmsg[RLE_Pfx + 4].[11:4] #,
> Log_0609_UInx = Qmsg[RLE_Pfx + 5].LinkIxF + RLE_Pfx #,
> Log_0609_ULen = Qmsg[Log_0609_UInx].LengthF #,
> Log_0609_UPtr = Pointer(Qmsg[Log_0609_UInx]) #,
> Qmsg is a large array for the messages received on the Queue used by Report_Log_Entries.
>
> Hope that might be of some use...
> Barry.

Barry -

If I'm reading your code right, the only place you're looking at word 11 is via Log_06_UDcopy. Do you use that value anywhere?

Re: Decoding USERDATA Log Entries

<9b17d896-fd5c-f839-0c72-5c6cb30deae0@digm.com>

https://www.novabbs.com/computers/article-flat.php?id=334&group=comp.sys.unisys#334

From: paul.kim...@digm.com (Paul Kimpel)
Newsgroups: comp.sys.unisys
Subject: Re: Decoding USERDATA Log Entries
Date: Mon, 12 Jun 2023 16:16:21 -0700
Message-ID: <9b17d896-fd5c-f839-0c72-5c6cb30deae0@digm.com>
References: <29f8c047-bcff-46a1-8a50-6c26a7fad827n@googlegroups.com>
<53eb4ced-7563-4345-a253-1c31d7c1beeen@googlegroups.com>
<04127845-25b8-4e8d-896f-5a137ee099ffn@googlegroups.com>
<u5vp84$1vepl$1@dont-email.me>
<7e44281b-7079-434c-b902-07173e36bdben@googlegroups.com>
In-Reply-To: <7e44281b-7079-434c-b902-07173e36bdben@googlegroups.com>
 by: Paul Kimpel - Mon, 12 Jun 2023 23:16 UTC

-------- Original Message --------
Subject: Re: Decoding USERDATA Log Entries
From: mpe...@gmail.com <mperew@gmail.com>
To:
Date: Mon Jun 12 2023 14:39:29 GMT-0700 (Pacific Daylight Time)

> On Friday, June 9, 2023 at 10:58:30 AM UTC-7, Paul Kimpel wrote:
>> On 6/9/2023 10:23 AM, mpe...@gmail.com wrote:
>>> On Friday, June 9, 2023 at 10:03:47 AM UTC-7, barry....@gmail.com wrote:
>>>> On Thursday, June 8, 2023 at 10:23:44 PM UTC+1, mpe...@gmail.com wrote:
>>>>> I'm having a heck of a time decoding a USERDATA entry in the SUMLOG. LOG_GET_ENTRY in SDASUPPORT is returning the Major 6, Minor 9 USERDATA Change entries that need to be decoded. Here's a snippet of the returned array row:
>>>>>
>>>>> 0(00000) 0 580000 010001 0 006000 91E117 ...... .-.j..
>>>>> 2(00002) 0 B0B4E8 431741 0 000A49 000BC1 ..Y... .....A
>>>>> 4(00004) 0 000000 000507 0 000000 50000B ...... ...&..
>>>>> 6(00006) 0 000000 00047C THRU 7(00007) .....@
>>>>> 8(00008) 0 000000 00001C 0 000000 000000 ...... ......
>>>>> 10(0000A) 0 000000 000000 0 000001 202030 ...... ......
>>>>> 12(0000C) 0 08C4E4 D4D4E8 0 E4C300 000000 .DUMMY UC....
>>>>> 14(0000E) 0 1B0000 20011F 0 000000 00000A ...... ......
>>>>> 16(00010) 0 000000 000000 THRU 23(00017) ......
>>>>>
>>>>> Word 0-3 are the usual log entry words.
>>>>> Word 4 has the expected data as documented in the System Log Programming Guide.
>>>>> Word 5 is pointing at word 11 (hex b) for 5 words.
>>>>> But, what the heck is in word 11?
>>>>>
>>>>> I'm looking in the Security Administration Guide under USERDATAREBUILD, but the documentation is very opaque.
>>>>>
>>>>> Does anyone out there have any familiarity with decoding these log entries?
>>>>>
>>>>> Thanks.
>>>> In a previous life (nearly 10 years ago!) I wrote a SIEM agent (I can't even remember what that acronym stands for now), which extracted important security-related stuff from the logfile and sent it to a third-party monitoring program which ran elsewhere. The data I extracted definitely included Major 6 / Minor 9 records (and specifically function 7 usercode Modify entries, which is what you have here).
>>>>
>>>> I still have the source code, but it resides on an MCP Express environment which is currently turned off (and is no longer supported). It might take me a while to locate it, but I'd be happy to try if you think it might help?
>>>>
>>>> Barry.
>>>
>>> Barry -
>>>
>>> That sounds very much on target. If you can pull that up, it would be very much appreciated.
>>>
>>> SIEM is Security Incident Event Manager.
>> Metalogic CopyWriteNT can extract and convert files from a number of MCP
>> media types, including Logical Disk .asd files. See:
>>
>> http://www.metalogic.eu.com/Main/Products/CopyWrite.html
>>
>> Paul
>
> Paul -
>
> Thanks for the reference. However, we need to do this on-box.

That reference was intended to help Barry extract his code from the
inactive MCP Express environment, not process log records. As far as I
know, CopyWriteNT doesn't have anything to do with MCP system logs.
Sorry for the confusion.

Paul

Re: Decoding USERDATA Log Entries

<84131788-c8af-41f6-bb05-3485fffcfdefn@googlegroups.com>

https://www.novabbs.com/computers/article-flat.php?id=339&group=comp.sys.unisys#339

Newsgroups: comp.sys.unisys
Date: Wed, 21 Jun 2023 23:20:42 -0700 (PDT)
In-Reply-To: <0e6f6360-42fa-4dc8-a21b-763147ed9b37n@googlegroups.com>
References: <29f8c047-bcff-46a1-8a50-6c26a7fad827n@googlegroups.com>
<53eb4ced-7563-4345-a253-1c31d7c1beeen@googlegroups.com> <04127845-25b8-4e8d-896f-5a137ee099ffn@googlegroups.com>
<u5vp84$1vepl$1@dont-email.me> <58f15404-96f0-47cb-8dcd-2efc84445541n@googlegroups.com>
<98434c0c-914c-4651-ad85-a4a74697ca43n@googlegroups.com> <0e6f6360-42fa-4dc8-a21b-763147ed9b37n@googlegroups.com>
Message-ID: <84131788-c8af-41f6-bb05-3485fffcfdefn@googlegroups.com>
Subject: Re: Decoding USERDATA Log Entries
From: barry.wh...@gmail.com (barry....@gmail.com)
 by: barry....@gmail.com - Thu, 22 Jun 2023 06:20 UTC

> If I'm reading your code right, the only place you're looking at word 11 is via Log_06_UDcopy. Do you use that value anywhere?

Sorry for the delay in replying - I forgot to check back.
I just did a search, and no - I don't use this value anywhere. It was a "quick & dirty" implementation to get something working to appease the security folks. The planned enhancements to provide more complete decoding never happened before the kit was scheduled for decommissioning. :(
Barry.

Re: Decoding USERDATA Log Entries

<3fe59925-6070-49bd-b365-b2911fed21b5n@googlegroups.com>

https://www.novabbs.com/computers/article-flat.php?id=352&group=comp.sys.unisys#352

Newsgroups: comp.sys.unisys
Date: Thu, 6 Jul 2023 11:29:01 -0700 (PDT)
In-Reply-To: <29f8c047-bcff-46a1-8a50-6c26a7fad827n@googlegroups.com>
References: <29f8c047-bcff-46a1-8a50-6c26a7fad827n@googlegroups.com>
Message-ID: <3fe59925-6070-49bd-b365-b2911fed21b5n@googlegroups.com>
Subject: Re: Decoding USERDATA Log Entries
From: dob...@gmail.com (Doug Dobson)
 by: Doug Dobson - Thu, 6 Jul 2023 18:29 UTC

On Thursday, June 8, 2023 at 4:23:44 PM UTC-5, mpe...@gmail.com wrote:
> I'm having a heck of a time decoding a USERDATA entry in the SUMLOG. LOG_GET_ENTRY in SDASUPPORT is returning the Major 6, Minor 9 USERDATA Change entries that need to be decoded. Here's a snippet of the returned array row:
>
> 0(00000) 0 580000 010001 0 006000 91E117 ...... .-.j..
> 2(00002) 0 B0B4E8 431741 0 000A49 000BC1 ..Y... .....A
> 4(00004) 0 000000 000507 0 000000 50000B ...... ...&..
> 6(00006) 0 000000 00047C THRU 7(00007) .....@
> 8(00008) 0 000000 00001C 0 000000 000000 ...... ......
> 10(0000A) 0 000000 000000 0 000001 202030 ...... ......
> 12(0000C) 0 08C4E4 D4D4E8 0 E4C300 000000 .DUMMY UC....
> 14(0000E) 0 1B0000 20011F 0 000000 00000A ...... ......
> 16(00010) 0 000000 000000 THRU 23(00017) ......
>
> Word 0-3 are the usual log entry words.
> Word 4 has the expected data as documented in the System Log Programming Guide.
> Word 5 is pointing at word 11 (hex b) for 5 words.
> But, what the heck is in word 11?
>
> I'm looking in the Security Administration Guide under USERDATAREBUILD, but the documentation is very opaque.
>
> Does anyone out there have any familiarity with decoding these log entries?
>
> Thanks.

There is a procedure exported by JOBFORMATTER called ANALYZETHELOG that will format most SUMLOG records.

Doug Dobson

Re: Decoding USERDATA Log Entries

<97f9579a-d4ed-4a97-a6b3-0af37ccd4365n@googlegroups.com>

https://www.novabbs.com/computers/article-flat.php?id=353&group=comp.sys.unisys#353

Newsgroups: comp.sys.unisys
Date: Fri, 7 Jul 2023 08:56:40 -0700 (PDT)
In-Reply-To: <3fe59925-6070-49bd-b365-b2911fed21b5n@googlegroups.com>
References: <29f8c047-bcff-46a1-8a50-6c26a7fad827n@googlegroups.com> <3fe59925-6070-49bd-b365-b2911fed21b5n@googlegroups.com>
Message-ID: <97f9579a-d4ed-4a97-a6b3-0af37ccd4365n@googlegroups.com>
Subject: Re: Decoding USERDATA Log Entries
From: mpe...@gmail.com (mpe...@gmail.com)
 by: mpe...@gmail.com - Fri, 7 Jul 2023 15:56 UTC

On Thursday, July 6, 2023 at 11:29:03 AM UTC-7, Doug Dobson wrote:
> On Thursday, June 8, 2023 at 4:23:44 PM UTC-5, mpe...@gmail.com wrote:
> > I'm having a heck of a time decoding a USERDATA entry in the SUMLOG. LOG_GET_ENTRY in SDASUPPORT is returning the Major 6, Minor 9 USERDATA Change entries that need to be decoded. Here's a snippet of the returned array row:
> >
> > 0(00000) 0 580000 010001 0 006000 91E117 ...... .-.j..
> > 2(00002) 0 B0B4E8 431741 0 000A49 000BC1 ..Y... .....A
> > 4(00004) 0 000000 000507 0 000000 50000B ...... ...&..
> > 6(00006) 0 000000 00047C THRU 7(00007) .....@
> > 8(00008) 0 000000 00001C 0 000000 000000 ...... ......
> > 10(0000A) 0 000000 000000 0 000001 202030 ...... ......
> > 12(0000C) 0 08C4E4 D4D4E8 0 E4C300 000000 .DUMMY UC....
> > 14(0000E) 0 1B0000 20011F 0 000000 00000A ...... ......
> > 16(00010) 0 000000 000000 THRU 23(00017) ......
> >
> > Word 0-3 are the usual log entry words.
> > Word 4 has the expected data as documented in the System Log Programming Guide.
> > Word 5 is pointing at word 11 (hex b) for 5 words.
> > But, what the heck is in word 11?
> >
> > I'm looking in the Security Administration Guide under USERDATAREBUILD, but the documentation is very opaque.
> >
> > Does anyone out there have any familiarity with decoding these log entries?
> >
> > Thanks.
> There is a procedure exported by JOBFORMATTER called ANALYZETHELOG that will format most SUMLOG records.
>
> Doug Dobson

I'm trying to dial out some specific user code change activities. I'd rather not convert the log into text to be scanned. The information is there, but there's no documentation on how to decode it.

The JOBFORMATTER code is a bit arcane. There are very few comments. The only comments in that area have 59 MarkIDs. At least someone figured out that a few breadcrumbs are helpful. Also, there are multiple defines that reference other defines. There are even GO TO statements inside a CASE block. It is headache inducing.

Re: Decoding USERDATA Log Entries

<57a06e75-5a6a-475e-87dc-57af844f57ean@googlegroups.com>

https://www.novabbs.com/computers/article-flat.php?id=354&group=comp.sys.unisys#354

Newsgroups: comp.sys.unisys
Date: Fri, 7 Jul 2023 10:46:29 -0700 (PDT)
In-Reply-To: <97f9579a-d4ed-4a97-a6b3-0af37ccd4365n@googlegroups.com>
References: <29f8c047-bcff-46a1-8a50-6c26a7fad827n@googlegroups.com>
<3fe59925-6070-49bd-b365-b2911fed21b5n@googlegroups.com> <97f9579a-d4ed-4a97-a6b3-0af37ccd4365n@googlegroups.com>
Message-ID: <57a06e75-5a6a-475e-87dc-57af844f57ean@googlegroups.com>
Subject: Re: Decoding USERDATA Log Entries
From: tkosf...@gmail.com (Thomas Kosfeld)
 by: Thomas Kosfeld - Fri, 7 Jul 2023 17:46 UTC

On Friday, July 7, 2023 at 12:56:42 PM UTC-3, mpe...@gmail.com wrote:
> On Thursday, July 6, 2023 at 11:29:03 AM UTC-7, Doug Dobson wrote:
> > On Thursday, June 8, 2023 at 4:23:44 PM UTC-5, mpe...@gmail.com wrote:
> > > I'm having a heck of a time decoding a USERDATA entry in the SUMLOG. LOG_GET_ENTRY in SDASUPPORT is returning the Major 6, Minor 9 USERDATA Change entries that need to be decoded. Here's a snippet of the returned array row:
> > >
> > > 0(00000) 0 580000 010001 0 006000 91E117 ...... .-.j..
> > > 2(00002) 0 B0B4E8 431741 0 000A49 000BC1 ..Y... .....A
> > > 4(00004) 0 000000 000507 0 000000 50000B ...... ...&..
> > > 6(00006) 0 000000 00047C THRU 7(00007) .....@
> > > 8(00008) 0 000000 00001C 0 000000 000000 ...... ......
> > > 10(0000A) 0 000000 000000 0 000001 202030 ...... ......
> > > 12(0000C) 0 08C4E4 D4D4E8 0 E4C300 000000 .DUMMY UC....
> > > 14(0000E) 0 1B0000 20011F 0 000000 00000A ...... ......
> > > 16(00010) 0 000000 000000 THRU 23(00017) ......
> > >
> > > Word 0-3 are the usual log entry words.
> > > Word 4 has the expected data as documented in the System Log Programming Guide.
> > > Word 5 is pointing at word 11 (hex b) for 5 words.
> > > But, what the heck is in word 11?
> > >
> > > I'm looking in the Security Administration Guide under USERDATAREBUILD, but the documentation is very opaque.
> > >
> > > Does anyone out there have any familiarity with decoding these log entries?
> > >
> > > Thanks.
> > There is a procedure exported by JOBFORMATTER called ANALYZETHELOG that will format most SUMLOG records.
> >
> > Doug Dobson
> I'm trying to dial out some specific user code change activities. I'd rather not convert the log into text to be scanned. The information is there, but there's no documentation on how to decode it.
>
> The JOBFORMATTER code is a bit arcane. There are very few comments. The only comments in that area have 59 MarkIDs. At least someone figured out that a few breadcrumbs are helpful. Also, there are multiple defines that reference other defines. There are even GO TO statements inside a CASE block. It is headache inducing.

Looks like a list of userdata locators and the values of the different attributes between.

Re: Decoding USERDATA Log Entries

<fbe7eb10-ffc3-46e9-959b-d46c436c913bn@googlegroups.com>

https://www.novabbs.com/computers/article-flat.php?id=367&group=comp.sys.unisys#367

Newsgroups: comp.sys.unisys
Date: Sat, 15 Jul 2023 21:58:03 -0700 (PDT)
In-Reply-To: <29f8c047-bcff-46a1-8a50-6c26a7fad827n@googlegroups.com>
References: <29f8c047-bcff-46a1-8a50-6c26a7fad827n@googlegroups.com>
Message-ID: <fbe7eb10-ffc3-46e9-959b-d46c436c913bn@googlegroups.com>
Subject: Re: Decoding USERDATA Log Entries
From: thomasms...@gmail.com (Tom Schaefer)
 by: Tom Schaefer - Sun, 16 Jul 2023 04:58 UTC

On Thursday, June 8, 2023 at 5:23:44 PM UTC-4, mpe...@gmail.com wrote:
> I'm having a heck of a time decoding a USERDATA entry in the SUMLOG. LOG_GET_ENTRY in SDASUPPORT is returning the Major 6, Minor 9 USERDATA Change entries that need to be decoded. Here's a snippet of the returned array row:
>
> 0(00000) 0 580000 010001 0 006000 91E117 ...... .-.j..
> 2(00002) 0 B0B4E8 431741 0 000A49 000BC1 ..Y... .....A
> 4(00004) 0 000000 000507 0 000000 50000B ...... ...&..
> 6(00006) 0 000000 00047C THRU 7(00007) .....@
> 8(00008) 0 000000 00001C 0 000000 000000 ...... ......
> 10(0000A) 0 000000 000000 0 000001 202030 ...... ......
> 12(0000C) 0 08C4E4 D4D4E8 0 E4C300 000000 .DUMMY UC....
> 14(0000E) 0 1B0000 20011F 0 000000 00000A ...... ......
> 16(00010) 0 000000 000000 THRU 23(00017) ......
>
> Word 0-3 are the usual log entry words.
> Word 4 has the expected data as documented in the System Log Programming Guide.
> Word 5 is pointing at word 11 (hex b) for 5 words.
> But, what the heck is in word 11?
>
> I'm looking in the Security Administration Guide under USERDATAREBUILD, but the documentation is very opaque.
>
> Does anyone out there have any familiarity with decoding these log entries?
>
> Thanks.

This is from the System Log Programming Reference

Word[4].[03:04] = the USERDATA function that triggered the CHANGE record. In this case, that is a Create, modify, or delete entry.
Since that Word[4].[03:04] = 7, then the value in Word[4].[11:04] indicates which one of the three (Create, Modify or Delete). Here it is 5 so this is a Modify record.

Again according to the book, since the function is 7, the link will point to the Doings parameter passed to USERDATAREBUILD.

Info about USERDATAREBUILD can be found in the newly created HTML file for the Security SDK here: https://public.support.unisys.com/aseries/docs/ClearPath-MCP-21.0/26211060-015/WebHelp%20files/USERDATAREBUILD.htm but that does not show the DOINGS parameter so I cannot tell further without looking at the MCP source to see when it would pass DUMMYUC as the usercode which to act upon.

It is late so I could be reading this all wrong.

I do have an active program that dumps security-related SUMLOG records into SYSLOG records to send to our enterprise logging platform (ELP). If you have not found an answer yet, I can check to see if I handle Major 6, minor 9.

If you do a LOG SECURITY at the time of this record (pulled from the header words), JOBFORMATTER does a good job of telling you what is in the records too for comparison.

Tom Schaefer
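Decoding the quoted record in Python, as an added example that is not code from the thread (Barry's defines are ALGOL) or from Unisys: it parses the OP's dump into 48-bit words, applies MCP [left:length] partial-word selection at the bit positions Barry's defines and Tom's reading give, and pulls out the function (7), op (5 = Modify), link index (11) and the EBCDIC text of the linked words. The function names (parse_dump, field, ebcdic_text, decode_0609), the 5-word length read from word 5 [23:04], and the usercode heuristic are assumptions, labelled in the comments.

```python
"""Decode the Major 6 / Minor 9 USERDATA Change record quoted in this thread.
Added example (not thread or Unisys code) using Barry's field positions
(UDfunc = word 4 [3:4], UDop = word 4 [11:4], LinkIxF = [19:20]) and Tom's
reading (function 7 = change record, op 5 = Modify) on the OP's word dump."""
import re

# Constructed copy of the dump quoted in the thread: word index, then per word
# a one-digit tag and two 24-bit halves; a THRU row repeats one word through
# the given index. The right-hand column is an EBCDIC rendering.
DUMP = """\
0(00000) 0 580000 010001 0 006000 91E117 ...... .-.j..
2(00002) 0 B0B4E8 431741 0 000A49 000BC1 ..Y... .....A
4(00004) 0 000000 000507 0 000000 50000B ...... ...&..
6(00006) 0 000000 00047C THRU 7(00007) .....@
8(00008) 0 000000 00001C 0 000000 000000 ...... ......
10(0000A) 0 000000 000000 0 000001 202030 ...... ......
12(0000C) 0 08C4E4 D4D4E8 0 E4C300 000000 .DUMMY UC....
14(0000E) 0 1B0000 20011F 0 000000 00000A ...... ......
16(00010) 0 000000 000000 THRU 23(00017) ......
"""

ROW_RE = re.compile(r"^(\d+)\([0-9A-F]+\)\s+(.*)$")
WORD_RE = re.compile(r"(?<![0-9A-F])[0-9A-F] ([0-9A-F]{6}) ([0-9A-F]{6})(?![0-9A-F])")
THRU_RE = re.compile(r"THRU (\d+)\(")
OP_NAMES = {5: "Modify"}  # the only op value the thread identifies


def parse_dump(text):
    """Map word index -> 48-bit data word (the tag digit is dropped)."""
    words = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        idx, rest = int(m.group(1)), m.group(2)
        vals = [int(hi + lo, 16) for hi, lo in WORD_RE.findall(rest)]
        thru = THRU_RE.search(rest)
        last = int(thru.group(1)) if thru else idx + len(vals) - 1
        for i in range(idx, last + 1):
            words[i] = vals[0] if thru else vals[i - idx]
    return words


def field(word, left, length):
    """MCP partial word [left:length]: bit 47 is the MSB, bit 0 the LSB."""
    if not (0 <= left <= 47 and 1 <= length <= left + 1):
        raise ValueError("field outside a 48-bit word")
    return (word >> (left - length + 1)) & ((1 << length) - 1)


def ebcdic_text(words):
    """Render words as the dump's right-hand column does: EBCDIC (cp037),
    with '.' for anything that is not a printable ASCII character."""
    out = []
    for b in b"".join(w.to_bytes(6, "big") for w in words):
        ch = bytes([b]).decode("cp037")
        out.append(ch if ch.isascii() and ch.isprintable() and ch != " " else ".")
    return "".join(out)


def decode_0609(words):
    """Pull the fields named in the thread out of a Major 6 / Minor 9 record."""
    w4, w5 = words[4], words[5]
    link = field(w5, 19, 20)  # LinkIxF: index of the linked data words
    # The OP reads word 5 as "pointing at word 11 for 5 words". The width of
    # the length field is not settled in the thread (Barry's LengthF is
    # [23:08]), so taking [23:04] here is an assumption matching that reading.
    count = field(w5, 23, 4)
    text = ebcdic_text([words[i] for i in range(link, link + count)])
    # Heuristic, not a documented rule: the usercode is the longest run of
    # letters/digits in the linked words ("DUMMY" + "UC" in this dump).
    runs = re.findall(r"[A-Z0-9]+", text)
    op = field(w4, 11, 4)
    return {
        "function": field(w4, 3, 4),  # 7 = USERDATA change record
        "op": op,
        "op_name": OP_NAMES.get(op, "unknown (not identified in thread)"),
        "link": link,
        "count": count,
        "linked_text": text,
        "usercode": max(runs, key=len) if runs else "",
    }
```

Running decode_0609(parse_dump(DUMP)) yields function 7, op 5 (Modify), link 11 and usercode DUMMYUC, which matches what the thread reads off the dump by hand.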
