(1.0.D001) Manifest

[gnucomo.git] / doc / manifest.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE doc SYSTEM "/usr/local/xslt/doc.dtd">
<doc style="main.css" xmlns:xlink="http://www.w3.org/1999/xlink">
  <book>

<titlepage>
   <title>GNUCOMO</title>
   <subtitle>GNU COMPUTER MONITORING</subtitle>
   <subtitle>A system for interactive system monitoring.</subtitle>
   <subtitle>Development manifest</subtitle>

   <author>Brenno J.S.A.A.F. de Winter, De Winter Information Solutions</author>
   <author>Arjen Baart, Andromeda Technology &amp; Automation</author>
   <date>August 28, 2002.</date>
   <docinfo>
      <infoitem label="Version">0.19</infoitem>
   </docinfo>

</titlepage>

<toc/>

<chapter>
   <heading>About this document.</heading>

<para>This document describes the technical specifications for the Gnucomo project. It will describe the functionality achieved, design specifications and choices made. The document will be the manifest for the developers to work in the same direction and not run into unneeded disappointments.</para>

<section>
  <heading>History of the document.</heading>

<table cpos='lp{3cm}lp{4cm}'>
  <thead>
    <col> Version </col> <col> Author </col> <col> Date </col> <col> Remarks </col>
  </thead>
  <row>
    <col> 0.l </col> <col> Brenno de Winter </col> <col> July 11th 2002 </col>
    <col>
      Initial version
    </col>
  </row>
  <row>
    <col> 0.11 </col> <col> Arjen Baart </col> <col> July 12th 2002 </col>
    <col>
      Additional guidelines and dataflow diagram.
    </col>
  </row>
  <row>
    <col> 0.12 </col> <col> Brenno de Winter </col> <col> July 15th 2002 </col>
    <col>
      Database design added
    </col>
  </row>
  <row>
    <col> 0.13 </col> <col> Arjen Baart </col> <col> July 16th 2002 </col>
    <col>
      Entity-relationship model added.
    </col>
  </row>
  <row>
    <col> 0.14 </col> <col> Brenno de Winter </col> <col> July 17th 2002 </col>
    <col>
      Based on feedback. Small changes to the datamodel and finishing touches
      in lay-out of the tables. Added some examples.
    </col>
  </row>
  <row>
    <col> 0.15 </col> <col> Brenno de Winter, Arjen Baart </col> <col> July 21st 2002 </col>
    <col>
      Additional feedback processed, indexes added, ERD added and SQL-script created.
    </col>
  </row>
  <row>
    <col> 0.16 </col> <col> Brenno de Winter </col> <col> August 7th 2002 </col>
    <col>
      Communication handling added.
    </col>
  </row>
  <row>
    <col> 0.17 </col> <col> Brenno de Winter </col> <col> August 11th 2002 </col>
    <col>
      <para>* Description of the client-side for communications.</para>
      <para>* Several updates to the database descriptions, drawings added.</para>
      <para>* More work on the installation chapter.</para>
      <para>* Created an extra field to the unprocessed_log table and added
              a between the table service and unprocessed_log.</para>
    </col>
  </row>
  <row>
    <col> 0.18 </col> <col> Brenno de Winter, Peter Roozemaal </col> <col> August 15th 2002 </col>
    <col>
      <para>* Review done by Peter Roozemaal: adjusted intro and several clarifications made</para>
      <para>* Arjen Baart: Adjustments to database drawings</para>
      <para>* New installation recommendations</para>
    </col>
  </row>
  <row>
    <col> 0.19 </col> <col> Arjen Baart </col> <col> August 27 2002 </col>
    <col>
      Conversion to XMLDoc
    </col>
  </row>
</table>

</section>
</chapter>

<chapter>
<heading>Aim of the project.</heading>

<para>
The number of log-files in a system and the tools in general do not make
monitoring a system simple. Quite often there is so much information that
attention for logfiles seems to fade away. For that reason monitoring routers
and clients is often not an option. Instead of timely detection of problems,
logs more often are used to find out what went wrong. When a system is
under attack early signals can often easily be detected<footnote>Just as in
real life there a signals that things are not going in the right direction.
For the attacks on September 11th 2001 there were many signals available
that could to have led to early detection: warnings of several intelligence
agencies, warnings within the FBI, flight schools that report strange
customers that want to steer a plane and don't seem to care about take
off and landing, people opening accounts under fake names.</footnote>
and preventive measures could have been taken if the time was only available.
</para>

<para>
The Gnucomo project is meant to make pro-active monitoring of computers
and devices easier. It will contain a set of applications that will
retrieve all types of monitoring information from devices and place
it into a database. Devices can be server computers, desktop computers,
PBX'es or other systems. By running checks the manual process of
watching log files can be reduced. Also an intelligent script can
see things that a human being will easy overlook. Gnucomo won't
relieve an administrator of all manual work on log-files, but will
increase the changes on actual monitoring.
</para>
<para>
With all this data being available at one central location the gnucomo-server
acts as some kind of black box for computer systems. If something does
happen the evidence will be available at a remote location available
for exploration<footnote>This analogy is based on a remarkable anecdote:
One a trip to US I spoke to a 747-captain of Air France. While talking
over several subjects we touched security. When we went some deeper I
touched the subject gnucomo and he told me that Air France was doing
the very same with real black boxes. By sending all the data to Paris
errors can be detected earlier and be resolved. In any less fortunate
case the cause of the crash might be detected sooner (or fuller).
For me this was a signal there is a point in working gnucomo because
the analogy is valid.</footnote>. Forensics will be made easier.
Also the collected data is available from multiple locations make
it easier to found more about an attack. The change that you overlook
things will be reduced.
</para>
<para>
Based on the entered data all sorts of analysis will be performed to discover
abnormalities a normal maintenance tool or IDS wouldn't be looking at.
An example could be a website in Dutch that suddenly obtains a lot of
attention from Greek visitors (based on the location of their
IP<footnote>That IP could also warn for other things like: excessive
data traffic from wireless connections at times that you wouldn't be
expecting traffic at all, absence of traffic when you would be expecting
some traffic at least or even what article is liked in which part of the world,
what regions poses the highest threat to the security of the system (based
on the location of the IP address).</footnote>). These abnormalities will
be presented as user-friendly as possible to increase awareness of the
state of the system. By doing that the system can also be used for more
complex analysis. One than can look at long-term trends like hacking
attempts that take place, new exploits that are tried all of a sudden
or signs of distributed attacks or a certain pattern of attempts<footnote>A portscan
that last three days is hard to detect with a real-time IDS,
while gnucomo would discover this anyhow. With correct intelligence
one portscan from multiple IP-addresses can be related.</footnote>.
</para>
<para>
Also extra data will be gathered where ever possible to save time to
the administrator. If IP address attract attention of gnucomo the next
logical step would be to use tools like dig, whois and visiting arin-related
websites. This data will automatically be collected in an early stage and
stored in the database.
</para>
<para>
The results will be gathered in a warning system.
Those warnings will be presented to the administrative person
who is responsible for that particular machine or network.
Having multiple systems in the system can add to the intelligence that
can be gathered. The interface will be web-based and aimed at user-friendliness.
</para>
<para>
Since multiple systems can enter data into the Gnucomo database more
intelligent hardware and security detection can be done.
When things do go wrong Gnucomo contains as much information as
possible to figure out what happened and assist in the forensics.
Since research on the signals afterwards is broader more attention
will be given as much data as possible and do less filtering.
</para>
<para>
With the data in the database also policies can be checked automatically
retro-actively so that the security leaves some room to stretch some rules.
This may sound not logic, because one of the main functions of security is
to enforce rules. But some rules are made with the different meanings.
For instance: a rule may be that private browsing isn't allowed.
The background of such a rule might be to try and reduce the amount
of data traffic (too many people downloading mp3's, or people not
getting to work anymore). By monitoring that specific fact
(bandwidth spent on non-business related Internet use)
it's possible to be relaxed on that rule and enable many good-willing
users reading his/hers daily newspaper.
</para>
<para>
The scope of the project is clearly limited to monitoring and not to
offer automated maintenance or web-based maintenance.
There are other projects currently being able to provide that
functionality. We will focus on intelligence and user-friendliness
of representation of facts presented. A warning should trigger
an administrator to get up and do something using the tools he or she values the most.
</para>
<para>
Also we are not aiming to replace great tools like SNORT as a real-time IDS.
These tools can do thing, that in the beginning won't be a part of gnucomo
out of performance reasons. Also there is no need to duplicate what they
already did. If that energy is placed in intelligent we're very complimentary.
Gnucomo can however be a reality check on an existing NIDS (Network Intrusion
Detection System). For instance if warnings keep coming it may be time to
rethink the rules that have been set.
</para>

<para>
This evolves to the following list of functions gnucomo can provide:
</para>
<itemize>
  <item>
    Intrusion detection
  </item>
  <item>
    Detecting hacker attempts
  </item>
  <item>
    Early detection of system failures
  </item>
  <item>
    Exhaustion of system resources
  </item>
  <item>
    Capacity planning for future expansion
  </item>
  <item>
    Spotting bottlenecks in a system.
  </item>
  <item>
    Verifying system integrity
  </item>
  <item>
    Assistance with troubleshooting
  </item>
  <item>
    Perform post-mortem forensics
  </item>
  <item>
    Incident response system.
  </item>
</itemize>
</chapter>

<chapter>
   <heading>Decisions for the overall system.</heading>
<para>In order to get the project running we have to make some decisions before we can start. Of course are the decisions always open for review, but initially our main aim is to get a system running. This doesn't mean that we allow a lesser architecture, but more that we create an environment that will lead to results. </para>
    <para>The following decisions apply to the system in general:</para>
    <itemize>
      <item>
        The major part of the system will be used for security features.
        The solution itself has to be secure.
      </item>
      <item>
        <para>In general we strive to be as platform and application independent as possible. However to achieve software to get ready and to assure progress some selections will have to be made excluding options for applications<footnote>An example is in the database. By using stored procedures and triggers MySQL cannot be used. However the data integrity at that point is more important than the ability to use MySQL.</footnote>. Where possible we will enable ports to other applications and platforms.</para>
      </item>
      <item>
        The computers collecting the data will only be Linux machines, with future support for other Unices. However it is not aim our to port this part of the project to other platforms just now.
      </item>
      <item>
        The database system will make heavy use of stored procedures and triggers and thus lock out some less feature-full database.
      </item>
      <item>
        Although we're not married to a database system initially this will be PostgreSQL only so that we can build for results. The code however shouldn't be build to deliberately lock outer systems. Other database that might be interesting to add: DB2, Oracle (if the rainfall of security advisories seems to be over) and Informix.
      </item>
      <item>
        The interface for the user will be a web-interface written in PHP with PostgreSQL-database access. Despite the fact that initially this will be the preferred way to communicate with our system, other interfaces are welcome and should be supported.
      </item>
      <item>
        The technologies used for the daemons on the central site and remote site are open for discussion. A decision is made when it is clear what exactly will be needed to code.
      </item>
      <item>
        The original logfiles on systems will not be harmed in any way, but will be saved the way they presented to gnucomo.
      </item>
      <item>
        In the database processed data as well as raw data will be stored.
      </item>
      <item>
        Our main aim is to ease the life of the administrator when dealing with the symptoms of a machine so that he doesn't miss important notifications. The project will be made around detection. We won't focus on making a maintenance applications but solely on monitoring, because other applications like webmin or linuxconf do already deliver such functionality. We are complementary to those applications. This doesn't mean that the system cannot send SMS'es, e-mails or make alarms sound.
      </item>
      <item>
        Any output of the logbook will be stored and sent within a certain interval which can be set. By doing that the mechanism will not flood the total mechanism and overload machines.
      </item>
      <item>
        When applications for gnucomo we will try and do the non-server part as platform independent as possible. This in order to prevent writing a same application multiple times. For instance one for Unices, one for Macintosh and one for Microsoft.
      </item>
      <item>
        To ensure the quality of software and to prevent any unwanted functionality rolling into the project all code will be reviewed by one of the lead members before it is accepted. Since this project is aimed at throughput speed no formal procedures will be enforced, but we promise not to let software in that hasn't been checked.
      </item>
    </itemize>
    <para/>
</chapter>

<chapter>
  <heading>Overall system.</heading>

<para>The overall systems aims to make maintenance data better accessible and by doing that lowering the barrier to be on alert for intrusions, system failure and other misery that can happen to computer systems. Also more systems can be monitored and even focus can be placed on desktop computers, something that nowadays rarely happens. Since the solution is only aimed at monitoring (with some responses possible) other people can watch their system(s) without being Administrator<footnote>This can be interesting for people using this service and not doing their own maintenance (smaller companies). If technical action needs to be taken a warning can be send to an administrator. This saves costs and time.</footnote>.</para>
    <para>The main system will know to sides:</para>

    <itemize>
      <item> Central Application - server </item>
      <item> Monitored System - client </item>
    </itemize>

    <para>The project has been setup as a two sided system in order to be able to guard many computers at the same time. However it may be obvious that both sides of the application can very well be installed on a single system.</para>
    <para>When events<footnote>A signal can be the outcome of process that finished, logbook entries, warnings from intrusion detection systems, etc. </footnote> happen they will be stored in a file. When this file is delivered to a certain directory a daemon will detect this and start the transfer of the file. The file will be transferred to the central application or the client. This transfer will be triggered immediately after a process has finished or with a certain time-interval when it concerns a logbook. All output will be placed in a directory where the daemon detects it and ensures the transport. For transport currently only two mechanisms will be supported:</para>
    <itemize>
      <item>
        Encrypted file copy relying on the SSH protocol. On Unix-based systems this will scp (secure copy).
      </item>
      <item>
        E-Mail. The e-mail is encrypted and signed using gpg and then sent to the server. Since the file format will identify the type-of-output the Subject-field of the e-mail is not really needed.
      </item>
    </itemize>

    <section>
      <heading>Priority mechanism.</heading>
    <para>Each notification has a certain priority that requires a different handling of the issue. How each priority will be dealt with is something that can be set per server. The priority mechanism is a simple system of five categories (can be more or less). </para>
    <para/>
    </section>

    <section>
      <heading>The dataflow diagram.</heading>
    <para>The main dataflow will be as follows.</para>
    <para>
      <picture src="dataflow.png" eps="dataflow" scale="0.7"/>
    </para>
    <para/>
    </section>
</chapter>

<chapter>
  <heading>Central Application: signal handler.</heading>

<para>
    <para>

      <picture src="architecture.png" eps="architecture"/>
       Illustration 1 Basic overview of the processes on the server.
    </para>

On one machine signals from the network will come in. These signals can be logfiles, result files from applications, remarks entered by the administrator or whatever. Data delivery takes place into a certain directory. A daemon detects that data has come in and will enter it into the database. Once in the database stored procedures and triggers will recognize certain behavior and generate alerts. The user responsible for the server will be confronted with the alerts and can mark them, add comments to it or ignore them. Also it will be possible to do intelligent analysis on not so logical relations per computer or across computers<footnote>A good example could be a portscan on a system that takes place during a week. Normal a simple portscan takes place in a couple of minutes and will thus be easy to detect. By taking a longer period such a scan is harder to detect. </footnote>. Such scripts make detection possible, that is too time consuming to do during processing of the data. </para>

    <section>
      <heading>Data processing.</heading>
    <para>The data processing has four tasks:</para>
    <itemize>
      <item>
        <para>Extracting data from e-mail and store it in the input-buffer. This can be done by a daemon that checks the e-mail<footnote>It would be logical to place an e-mail server like sendmail or postfix on the server. In many cases the monitored computer will be featuring a SMTP daemon. If a system is comprimised no evidence that comes through will be really trustworthy. By sending it to another machine all evidence that is available will have left the system the moment a hack takes place.</footnote> with a certain interval extracts the e-mails and leave the content in a file in the input buffer. This daemon has only rights to write to the directory it has to write to. <emph>We may as well have the email captured directly by a program with a "gnucomo: |/usr/local/bin/gnucomo-input" - like alias.</emph></para>
      </item>
      <item>
        <para>Detect files in the input buffer decrypt the content and verify the signature. Another daemon will see the log-files and starts checking if the origin is correct (by verifying the signature) and decrypting the content. The legible files will be processed by entering the data into the database.</para>
      </item>
      <item>
        <para>The database will accept the data and perform a certain number of checks as the data comes in. During the processing of the data abnormalities will be detected and entered into a notification table. The database system will also carry out more complex tasks on given moments in time and enter them as well in the notification table.</para>
      </item>
      <item>
        <para>The database system must be able to undertake action when high alerts are being entered into the database. This can be a couple of things to begin with: send an e-mail or SMS. In a later stage other technologies may be added as well. In this scheme we also make a possibility to escalate problems when no action is taken in a certain amount of time.</para>
      </item>
    </itemize>
    </section>
    <section>
      <heading>Web interface.</heading>
    <para>The web interface will used to interact with the user. The interface should be intuitive and easy to understand. More important warnings should directly draw attention. The user must be able to perform settings so that warnings can be rated differently than the original settings. </para>
    <para>The interface will do the following things:</para>
    <itemize>
      <item>
        <para>Show a list of warnings that are currently open.</para>
      </item>
      <item>
        <para>It must be possible to sort the list on all the fields shown.</para>
      </item>
      <item>
        <para>Deliver detailed information (logbook entries) upon request that have led to the warning. </para>
      </item>
      <item>
        <para>Undertake certain actions like sending <reference href="mailto:abuse@internet-provider.net">abuse@internet-provider.net</reference> e-mails with information.</para>
      </item>
      <item>
        <para>Monitor actions on outstanding issues. </para>
      </item>
    </itemize>
    <para/>
    </section>
</chapter>

<chapter>
  <heading>Sending messages to the central gnucomo system.</heading>

<para>One of the main tasks is getting all the messages to the database. Ultimately gnucomo will support multiple ways of receiving the data. Basically anything goes, but two mechanisms will be supported in the project to begin with:</para>
<enumerate>
    <item>
      <para>E-mail. Messages and elements from logfiles will be sent through e-mail.</para>
    </item>
    <item>
      <para>File copy. Using technologies like scp or ftp (not preferred due to the insecure nature) can place files directly in the receiving directory. </para>
    </item>
</enumerate>

    <section>
      <heading>Ensuring data integrity.</heading>
    <para>&lt;TO BE DESCRIBED&gt;</para>
    </section>

    <section>
      <heading>Directories and filenames on the server.</heading>

<para>
Files will be dealt with as if gnucomo were a user (actually there will
be a user gnucomo). The files will be placed in the <code>/home/gnucomo/</code> directory.
Only <code>/home/gnucomo/incoming/dropbox/</code> can be used to save data in
from external systems. All other directories are only available for the user gnucomo.
The filename will represent the data that is received. The details are seperated with
underscores. When data is sent by e-mail the filename will be written in the first
line of the e-mail. A typical filename looks like this:
</para>

<para>
<strong>3_messages_20020807235208_1.asc</strong>
</para>

<para>
the logic behind this is following:
</para>

<para>
<emph>urgency_typeofmessage_timestamp_objectid.typeoffile.</emph>
</para>

<table cpos='lp{10cm}'>
  <thead>
    <col>
      <para>Part of filename</para>
    </col>
    <col>
      <para>Explanation</para>
    </col>
  </thead>
  <row>
    <col>
      <para>Urgency</para>
    </col>
    <col>
      <para>This indicates the urgency of the file. The lower the number the higher it will rank when an overview is given. Standard files are ranked value 3. The ranking works as follows:</para>
      <para>* 1 <strong>Urgent flash message.</strong> Something urgent needs to be reported. This is only used for emergencies like serious alarms.</para>
      <para>* 2 <strong>Rapid delivery.</strong> An important message has to get through that is more important than normal delivery, but is not top priority like an emergency.</para>
      <para>* 3 <strong>Normal.</strong> This is used in most case for normal messages.</para>
      <para>* 4 <strong>Low priority.</strong> This is data would be useful to place into the system as nice to have.</para>
    </col>
  </row>
  <row>
    <col>
      <para>TypeOfMessage</para>
    </col>
    <col>
      <para>This is an indicator what type of data is delivered to gnucomo. There are several categories:</para>
      <para>* <strong>cron.</strong> This data comes from the /var/log/cron-log (unix).</para>
      <para>* <strong>httpaccess.</strong> This data comes from the normal http-log (Apache).</para>
      <para>* <strong>httperror.</strong> This data comes from the http_error-log (Apache).</para>
      <para>* <strong>maillog.</strong> This data comes from the /var/log/maillog (unix).</para>
      <para>* <strong>messages.</strong> The data delivered here comes from the /var/log/messages file (unix)</para>
      <para>* <strong>text.</strong> This file contains a message in plaintext generated by a gnucomo-client and can be anything. It will be dealt with as plaintext.</para>
    </col>
  </row>
  <row>
    <col>
      <para>Timestamp</para>
    </col>
    <col>
      <para>The timestamp is made in war-log (YYYYMMDDHHMMSS) format. The timestamp is generated on the client in GMT (to discover discrepancies in timing).</para>
    </col>
  </row>
  <row>
    <col>
      <para>Objectid</para>
    </col>
    <col>
      <para>The objectid is the id that is used within the central gnucomo system to recognize the client. Based on this entry the database can link the data to the correct object. Also gpg can obtain the correct e-mail address (by running a query in the database) for verification of the signature of the crypted message.</para>
    </col>
  </row>
  <row>
    <col>
      <para>TypeOfFile</para>
    </col>
    <col>
      <para>Indicates the file type:</para>
      <para>* <strong>asc.</strong> Plaintext ASCII</para>
      <para>* <strong>gpg.</strong> gpg-crypted data.</para>
      <para>* <strong>und.</strong> Undertermined data. When files come in by e-mail it is not 100% sure if they are crypted or not. These data has first to be analyzed before it is moved to the correct queue. </para>
    </col>
  </row>
</table>

<subsection>
  <heading>Directory for incoming data.</heading>

<para>For incoming messages there will be separate directories (<code>/home/gnucomo/incoming/</code>)for:</para>
<enumerate>
    <item>
      <para>Dropbox. This directory is ready to receive data from all sorts of systems. This directory is world writeable (<strong><emph>but not deleteable!</emph></strong>): <code>/home/gnucomo/incoming/dropbox/</code></para>
    </item>
    <item>
      <para>Encrypted messages. In this directory messages will be placed that are still gpg-crypted. In this directory the files await decryption and verification of the signature. This directory is: <code>/home/gnucomo/incoming/crypted/</code></para>
    </item>
    <item>
      <para>Decrypted with errors. During the decryption exercise anything can go wrong. Decrypting can fail or the signature may show errors. If this happens the original message is moved to a different directory: <code>/home/gnucomo/incoming/cryptfail/</code></para>
    </item>
    <item>
      <para>Inbox. After successful decryption the decrypted message is moved to the inbox. Data that is not encrypted can be moved here from the dropbox after certain verifications. The directory is: <code>/home/gnucomo/incoming/inbox/</code></para>
    </item>
    <item>
      <para>Processed. After processing the data the file is stored in the directory processed for further reference for a certain amount of time. The directory is: <code>/home/gnucomo/incoming/processed/</code></para>
    </item>
    <item>
      <para>Archive. After a certain period the files will be archived. Since not every system will archive everything this directory may also be a symbolic link to <code>/dev/null</code>. The used directory is: <code>/home/gnucomo/archive/</code></para>
    </item>
</enumerate>
</subsection>

<subsection>
   <heading>Directory for outgoing data.</heading>

    <para>For outgoing messages the directory <code>/home/gnucomo/outgoing</code> will be used. This directory knows a couple of sub directories:</para>

<enumerate>
    <item>
      <para>Dropbox. This directory is used by the central gnucomo system to place outgoing messages in. The used directory is: <code>/home/gnucomo/outgoing/dropbox/</code></para>
    </item>
    <item>
      <para>Outbox. After processing the message (including signing and encrypting when applicable) the messages are placed in the outbox: <code>/home/gnucomo/outgoing/outbox/</code></para>
    </item>
    <item>
      <para>Processed. After processing the data the file is stored in the directory processed for further reference for a certain amount of time. After sending a message a confirmation will be made that is saved as an incoming message. The directory is: <code>/home/gnucomo/outgoing/processed/</code></para>
    </item>
    <item>
      <para>Archive. After a certain period the files will be archived. Since not every system will archive everything this directory may also be a symbolic link to <code>/dev/null</code>. The used directory is: <code>/home/gnucomo/archive/</code></para>
    </item>
</enumerate>

</subsection>

<subsection>
   <heading>Overview. </heading>

<para>The total directory-structure looks like this:</para>

<verbatim>
    /home/gnucomo/
    /home/gnucomo/archive
    /home/gnucomo/incoming
    /home/gnucomo/incoming/crypted
    /home/gnucomo/incoming/cryptfail
    /home/gnucomo/incoming/dropbox
    /home/gnucomo/incoming/inbox
    /home/gnucomo/incoming/processed
    /home/gnucomo/outgoing
    /home/gnucomo/outgoing/dropbox
    /home/gnucomo/outgoing/outbox
    /home/gnucomo/outgoing/processed
</verbatim>

</subsection>
</section>

<section>
  <heading>Directories on the client-side.</heading>

<para>On the client-side the files that need to be transmitted will be placed in a directory system as well. In the future this system may not be in use at all devices (routers, certain MS Windows-machine, IP Telephones, etc.). For those systems a different mechanism will become be described here. Initially we focus on Linux systems that will enter data into the database.</para>
    <para>The filename convention will be totally identical to the filename convention on the server, since this the same mechanism.</para>
    <para>To facilitate gnucomo client and server on one and the same machine the gnucomo-client should have a different default user. For this purpose the user <strong>gcm_client</strong> will be created. </para>

<subsection>
   <heading>Directory for incoming data.</heading>
    <para>For incoming messages there will be separate directories (<code>/home/gnucomo/incoming/</code>)for:</para>
<enumerate>
    <item>
      <para>Dropbox. This directory is ready to receive data from all sorts of systems. This directory is world writeable (<emph><strong>but not deleteable!</strong></emph>): <code>/home/gcm_client/incoming/dropbox/</code></para>
    </item>
    <item>
      <para>Encrypted messages. In this directory messages will be placed that are still gpg-crypted. In this directory the files await decryption and verification of the signature. This directory is: <code>/home/gcm_client/incoming/crypted/</code></para>
    </item>
    <item>
      <para>Decrypted with errors. During the decryption exercise anything can go wrong. Decrypting can fail or the signature may show errors. If this happens the original message is moved to a different directory: <code>/home/gcm_client/incoming/cryptfail/</code></para>
    </item>
    <item>
      <para>Inbox. After successful decryption the decrypted message is moved to the inbox. Data that is not encrypted can be moved here from the dropbox after certain verifications. The directory is: <code>/home/gcm_client/incoming/inbox/</code></para>
    </item>
    <item>
      <para>Processed. After processing the data the file is stored in the directory processed for further reference for a certain amount of time. The directory is: <code>/home/gcm_client/incoming/processed/</code></para>
    </item>
</enumerate>

</subsection>

<subsection>
   <heading>Directory for outgoing data.</heading>

    <para>For outgoing messages the directory <code>/home/gcm_client/outgoing</code> will be used. This directory knows a couple of sub directories:</para>
<enumerate>
    <item>
      <para>Dropbox. This directory is used by the central gnucomo system to place outgoing messages in. The used directory is: <code>/home/gcm_client/outgoing/dropbox/</code></para>
    </item>
    <item>
      <para>Outbox. After processing the message (including signing and encrypting when applicable) the messages are placed in the outbox: <code>/home/gcm_client/outgoing/outbox/</code></para>
    </item>
    <item>
      <para>Processed. After processing the data the file is stored in the directory processed for further reference for a certain amount of time. After sending a message a confirmation will be made that is saved as an incoming message. The directory is: <code>/home/gcm_client/outgoing/processed/</code></para>
    </item>
</enumerate>
</subsection>

<subsection>
  <heading>Overview. </heading>
    <para>The total directory-structure looks like this:</para>

<verbatim>
    /home/gcm_client/
    /home/gcm_client/archive
    /home/gcm_client /incoming
    /home/gcm_client/incoming/crypted
    /home/gcm_client/incoming/cryptfail
    /home/gcm_client/incoming/dropbox
    /home/gcm_client/incoming/inbox
    /home/gcm_client/incoming/processed
    /home/gcm_client/outgoing
    /home/gcm_client/outgoing/dropbox
    /home/gcm_client/outgoing/outbox
    /home/gcm_client/outgoing/processed
</verbatim>
</subsection>
</section>
</chapter>

<chapter>
      <heading>Getting data into the database.</heading>
    <para>The files in the /home/gnucomo/incoming/inbox/ should be stored in the database. For this purpose there is a table <emph>unprocessed_log</emph>. The data of the filename as well as the content of the file need to be placed in one record.</para>
    <para>There are some fields that have to be addressed immediately:</para>
<enumerate>
    <item>
      <para>Servicecode: The servicecode will be obtained out of the filename the is the type_of_message-field in the filename. </para>
    </item>
    <item>
      <para>Objectid: This data is given in the filename it can be found in the <emph>objectid</emph>-part of the filename.</para>
    </item>
    <item>
      <para>Logdata: The data is saved as follows: filename (unaltered) &lt;CR&gt;textual data of the file.</para>
    </item>
</enumerate>
    <para>The daemon application that delivers the data is called <strong>gcm-input</strong>. It performs the following steps with no extra functionality:</para>

<enumerate>
    <item>
      <para>Detect if a file is available.</para>
    </item>
    <item>
      <para>Write the data in the database.</para>
    </item>
</enumerate>

    <para>To write the data in the database a database user gcm_input exists. This user has only the right to enter data into the database. There are no deletion, update or select-permissions.</para>
    <para/>
</chapter>

<chapter>
  <heading>The database.</heading>

    <para>The database is the heart of the system. It will contain all event-data of multiple computers. The intelligence that can be performed on the database will be placed there. To do this as integrated as possible stored procedures and triggers will be used. To begin with we have selected checks to be performed that will be expanded throughout time.</para>
    <para>Since the gnucomo database and files contain sensitive data security measures have to be in place. Several database users will be exist that have limited rights to perform a certain task ensuring some protection against unauthorized access. However these mechanisms on it's own will work fine, bad maintenance may still screw-up good security. Good database maintenance is needed. For the gnucomo the protection of the valid authentic nature of the data in the database has our highest priority.</para>
    <para>A <emph>table-name</emph> in this chapter is written in cursive writing.</para>

<section>
  <heading>Database conventions.</heading>
    <para>The database will be built according the following conventions:</para>
    <itemize>
      <item>
        <para>All names for tables, indexes and fields will be written in lower case and will be singular. Spaces in names are not allowed.</para>
      </item>
      <item>
        <para>If a table contains field referring to other tables the mother-tables are mentioned in alphabetical order with an underscore between the table-names. So <emph>object</emph> and <emph>user</emph> will make a third table <emph>object_user</emph></para>
      </item>
      <item>
        <para>A data access user (being the interface) is not allowed to write to the log-entries and the warnings. To change the state of a warning a stored procedure will do so by having a different entry in a table. This should make it possible to discover who did what at which moment in time.</para>
      </item>
      <item>
        <para>The name of two related fields that make the relationship between two tables will be the same to avoid confusion.</para>
      </item>
    </itemize>
</section>

<section>
  <heading>Database design.</heading>

    <para>In the design we anticipate to deliver an as best as possible database performance. That means that data that needs to be entered occasionally can be heavily indexed to increase performance. However data that is mainly stored will only be indexed marginally to have the best possible performance on data entry. If during one of the checks on data-entry a notification is made, the information related to that notification will be indexed very well to increase retrieval performance. What we will try to avoid is that the user interface will cause full table scan and affect the performance of the overall system dramatically. One of the techniques to increase performance on display is to work with views. So where it is feasible we will use them.</para>
    <para>In general the database must also be maintained well. So daily maintenance scripts should keep the performance good<footnote>PostgreSQL seems to have very good features to do proper maintenance and they have to be exploited to the full extend.</footnote>. </para>

    <subsection>
      <heading>Actual design.</heading>

    <para>In this part of the chapter the tables will be explained and then described with all important elements. Per table a sub-chapter will be created. Each table will have a table design, indexes, relationships and the required data (for those tables where the data itself is relevant in the design or sample data (for those cases where no set data is needed). For the relationships beside a description the subset of the total schema has been incorporated in the document so that it is more clear what exactly is meant. Due to the complex nature of the design those drawings sometimes will seem funny.</para>
    <para>For the fieldtypes the types of PostgreSQL will be used. These values can be found in Chapter 3 of the PostgreSQL User Manual (<reference href="http://www.postgresql.org/">http://www.postgresql.org</reference>). </para>
    <para>For indexes primary keys are always <emph>unique</emph> and called primary key in the name. Since unique indexes within PostgreSQL only work on B-Tree indexes (which is default) we will use B-Tree for all indexes. In cases where an exception is made the used type of index will be indicated in the characteristics. A footnote will explain why a different type of index has been selected.</para>

<subsubsection>
<heading>action</heading>

<para>
In the table action all recognized actions that can be taken are stored. Several actions will lead to change in <emph>statuscode</emph>. However this doesn't apply to all actions<footnote>A status NEW of a notification that cannot be dealt with automatically will <strong>not</strong> change before a user looked at it.</footnote>. Actions take place through background processes and the interface. This table mainly is used for retrieval so indexing will be done as much as possible.
</para>

<paragraph>
  <heading>The fields.</heading>

<para>
The table below describes the fields:
</para>
<para/>
<para>
<table cpos='lllp{6cm}'>
  <thead>
    <col> Fieldname </col> <col> Fieldtype </col> <col> Size </col>
    <col>
      Remarks
    </col>
  </thead>
  <row>
    <col> actionid </col> <col> Bigserial </col> <col> 8 </col>
    <col>
      Autonumber bigint (eight bit)
    </col>
  </row>
  <row>
    <col> actionname </col> <col> Text </col> <col> <para/> </col>
    <col>
      Short descriptive name for the type of action
    </col>
  </row>
  <row>
    <col> statuscode </col> <col> Varchar </col> <col> 3 </col>
    <col>
      New status that will be given to a notification when this action takes place.
    </col>
  </row>
  <row>
    <col> description </col> <col> Text </col> <col> <para/> </col>
    <col>
      A longer description (without limit) on the action.
    </col>
  </row>
</table>
</para>

</paragraph>

<paragraph>
  <heading>The indexes.</heading>

<para>
Indices for this table are:
</para>
    <table cpos='lll'>
      <thead>
        <col> Indexname </col> <col> Field </col> <col> Characteristics </col>
      </thead>
      <row>
        <col> act_pk </col> <col> actionID </col> <col> Primary key </col>
      </row>
      <row>
        <col> act_actionname </col> <col> actionname </col> <col> Unique </col>
      </row>
      <row>
        <col> act_statuscode </col> <col> statuscode </col> <col> <para/> </col>
      </row>
    </table>
    <para/>

</paragraph>
<paragraph>
  <heading>The relationships.</heading>

<para>
Relationships with other tables:
</para>
    <table cpos='llp{7cm}'>
      <thead>
        <col> Fieldname </col> <col> Remote Table </col> <col> Remarks </col>
      </thead>
      <row>
        <col> actionid </col> <col> action_notification_user </col>
        <col>
          Each action that takes place will be log. The Actionid will bring
          classification to the individual records. This relationship has to be enforced.
        </col>
      </row>
    </table>
    <para>In the model this looks like this:</para>
    <para>
      <picture src="erd-action.png" eps="erd-action"/>
    </para>
</paragraph>

<paragraph>
  <heading>Default data in table.</heading>

<para>
The data in this table is standard for the system and part of the design.
The user cannot change this or add value to it.
</para>

<table cpos='llp{4cm}p{6cm}'>
  <thead>
    <col> Actionid </col> <col> Actionname </col> <col> Statuscode </col>
    <col>
      Description
    </col>
  </thead>
  <row>
    <col> 1 </col> <col> Entry in the system </col> <col> NEW </col>
    <col>
      This indicates that a notification is entered into the system. The status is a <strong>NEW</strong>.
    </col>
  </row>
  <row>
    <col> 2 </col> <col> Displayed to user </col> <col> OPN </col>
    <col>
      The notification has been displayed to the user. It is not guaranteed that the user has read the notification, but he/she should be aware of it. The status will now be changed to <strong>OPEN</strong> if the current status is <strong>NEW</strong>.
    </col>
  </row>
  <row>
    <col> 3 </col> <col> Remarks added </col> <col> PEN </col>
    <col>
      Remarks have been added to the notification. The status has now been changed to <strong>PENDING</strong>.
    </col>
  </row>
  <row>
    <col> 4 </col> <col> Priority changed manually </col> <col> PEN </col>
    <col>
      The priority of the notification has been changed by the user. The new status is now <strong>PENDING</strong>.
    </col>
  </row>
  <row>
    <col> 5 </col> <col> Priority changed automatically </col> <col> PEN </col>
    <col>
      The priority of the notification has been changed by the system. If the status is not <strong>OPEN</strong> or <strong>NEW</strong> the new status is become <strong>PENDING</strong>.
    </col>
  </row>
  <row>
    <col> 6 </col> <col> Action taken </col> <col> PEN </col>
    <col>
      A action has been taken. The status is now <strong>PENDING</strong>.
    </col>
  </row>
  <row>
    <col> 7 </col> <col> Assignment to user </col> <col> PEN </col>
    <col>
      A notification has been explicitly assigned to another user. The status is now <strong>PENDING</strong>.
    </col>
  </row>
  <row>
    <col> 8 </col> <col> More information or research needed.  </col> <col> INV </col>
    <col>
      The notification is relevant and will be handled, however more information or research will be needed. The status is <strong>UNDER INVESTIGATION</strong>.
    </col>
  </row>
  <row>
    <col> 9 </col> <col> Make output reference.  </col> <col> REF </col>
    <col>
      Automated output from an object has been sent to gnucomo. The input has been identified as a valid reference for future. Status is now <strong>REFERENCE</strong><footnote>A reference is used to find differences in output. This feature must reduce the number of wrongful alerts. Only if a change has taken place a notification is generated. First time reports will always generate a notification. By signing this off the system will be silent again.</footnote>.
    </col>
  </row>
  <row>
    <col> 10 </col> <col> Job output no longer reference.  </col> <col> CLS </col>
    <col>
  By making a newer job output reference this output has been obsoleted. Since once it was a reference the notification can be closed. The new status for the notification is now <strong>CLOSED</strong>.
    </col>
  </row>
  <row>
    <col> 11 </col> <col> Action taken please verify.  </col> <col> VRF </col>
    <col>
      An action has been taken and things should have been resolved. Before the notification can be closed a verification has to be done. New status is now <strong>VERIFY</strong>.
    </col>
  </row>
  <row>
    <col> 12 </col> <col> Action not accepted.  </col> <col> PEN </col>
    <col>
      A check has been done and the results were not good. New verification is needed. New status is now <strong>PENDING</strong>.
    </col>
  </row>
  <row>
    <col> 13 </col> <col> Action verified </col> <col> CLS </col>
    <col>
      The verification for the action has been done and the action is approved. The new status is now <strong>CLOSED</strong>.
    </col>
  </row>
  <row>
    <col> 14 </col> <col> E-mail sent </col> <col> OPN<footnote>Only if the status is <strong>NEW</strong>.</footnote> </col>
    <col>
      An e-mail has been sent.
    </col>
  </row>
  <row>
    <col> 15 </col> <col> SMS sent </col> <col> OPN<footnote>Only if the status is <strong>NEW</strong>.</footnote> </col>
    <col>
      A SMS has been sent.
    </col>
  </row>
  <row>
    <col> 16 </col> <col> Fax sent </col> <col> OPN<footnote>Only if the status is <strong>NEW</strong>.</footnote> </col>
    <col>
      A fax has been sent.
    </col>
  </row>
  <row>
    <col> 17 </col> <col> Log-entries shown </col> <col> XXXX </col>
    <col>
      The log entries have been shown. No changes to the status made.
    </col>
  </row>
  <row>
    <col> 18 </col> <col> Notification closed </col> <col> CLS </col>
    <col>
      Notification has been closed.
    </col>
  </row>
  <row>
    <col> 19 </col> <col> Notification reopened </col> <col> OPN </col>
    <col>
      Notification has been re-opened
    </col>
  </row>
</table>
</paragraph>

</subsubsection>

<subsubsection>
   <heading>Action_notification_user.</heading>

<para>
In the table action_notification_user each step that is taken regarding a
notification is logged. This table is very important for later use if
something goes wrong, but is also relevant for the interface.
All steps of a notification can be traced here.
There will be a lot of entries here, but retrieval is more crucial for
performance than data entry. So indexing on logic fields is very relevant.
Processing might be slower, but that's worth the price.
</para>

<paragraph>
  <heading>The fields.</heading>

<para>
The table below describes the fields:
</para>

<table cpos='lllp{6cm}'>
  <thead>
    <col> Fieldname </col> <col> Fieldtype </col> <col> Size </col>
    <col>
      Remarks
    </col>
  </thead>
  <row>
    <col> actionstepid </col> <col> Bigserial </col> <col> 8 </col>
    <col>
      Autonumber bigint (eight bit)
    </col>
  </row>
  <row>
    <col> actionid </col> <col> Bigint </col> <col> 8 </col>
    <col>
      Reference to the action that is being registered here.
    </col>
  </row>
  <row>
    <col> username </col> <col> Text </col> <col> <para/> </col>
    <col>
      The username of the user that is involved in the action.
    </col>
  </row>
  <row>
    <col> notificationid </col> <col> Bigint </col> <col> 8 </col>
    <col>
      Reference to the notification.
    </col>
  </row>
  <row>
    <col> timestamp </col> <col> Timestamp </col> <col> <para/> </col>
    <col>
      The time when the action has been entered into the system. This is the time without the timezone<footnote>The timestamp without time has been selected, since this is the system time. To have the system functioning without any physical borders one of the settings on the system is time in GMT (UTC). This ensures also the added value of the system log.</footnote>. This will be automatically added when the record is added into the database.
    </col>
  </row>
  <row>
    <col> statuscode </col> <col> Varchar </col> <col> 3 </col>
    <col>
      The status of the Notification
    </col>
  </row>
  <row>
    <col> remarks </col> <col> Text </col> <col> <para/> </col>
    <col>
      Remarks entered by the user if it concerns a manual action or the text of automatically generated warnings.
    </col>
  </row>
</table>

</paragraph>

<paragraph>
  <heading>The indexes.</heading>

<para>
The table is indexed on the following fields:
</para>

<table cpos='lll'>
  <thead>
    <col> Indexname </col> <col> Field </col> <col> Characteristics </col>
  </thead>
  <row>
    <col> anu_pk (action_user_actionstepid_key) </col> <col> actionstepid </col>
    <col> Primary key </col>
  </row>
  <row>
    <col> anu_actionid </col> <col> actionid </col> <col> <para/> </col>
  </row>
  <row>
    <col> anu_username </col> <col> username </col> <col> <para/> </col>
  </row>
  <row>
    <col> anu_notificationid </col> <col> notificationid </col> <col> <para/> </col>
  </row>
  <row>
    <col> anu_timestamp </col> <col> timestamp </col> <col> <para/> </col>
  </row>
  <row>
    <col> anu_statuscode </col> <col> statuscode </col> <col> <para/> </col>
  </row>
</table>
</paragraph>

<paragraph>
  <heading>The relationships.</heading>

<table cpos='llp{7cm}'>
  <thead>
    <col> Fieldname </col> <col> Remote Table </col>
    <col> Remarks </col>
  </thead>
  <row>
    <col> actionid </col> <col> action </col>
    <col>
      Indicates the action that has been taken. The relationship has to be enforced.
    </col>
  </row>
  <row>
    <col> notificationid </col> <col> notification </col>
    <col>
      Each action that takes place is registered in this table. By using the notification the relevant notification. The relationship has to be enforced.
    </col>
  </row>
  <row>
    <col> username </col> <col> user </col>
    <col>
      Each step in the process has to be related to the user. If the system itself generates an action the user will be <strong>gnucomo</strong><footnote>This implies that the system automatically has an username gnucomo.</footnote>.
    </col>
  </row>
</table>

<para>
In the model this looks like this:
</para>
<para>
<picture src="erd-anu.png" eps="erd-anu"/>
</para>

</paragraph>

<paragraph>
  <heading>Sample data.</heading>

<para>
Since no data is delivered automatically a couple of sample records are shown here.
</para>

    <table cpos='llllllp{4cm}'>
      <thead>
        <col> Actionstepid </col> <col> Actionid </col> <col> Notificationid </col>
        <col> Username </col> <col> Timestamp </col> <col> Status </col>
        <col> Remarks </col>
      </thead>
      <row>
        <col> 1 </col> <col> 1 </col> <col> 1 </col> <col> Gnucomo </col>
        <col> 2002-07-14 16:14:09 </col> <col> NEW </col>
        <col>
          Gnucomo detected a portscan
        </col>
      </row>
      <row>
        <col> 2 </col> <col> 5 </col> <col> 1 </col> <col> Gnucomo </col>
        <col> 2002-07-14 16:14:09 </col> <col> NEW </col>
        <col>
          Priority set to: 3
        </col>
      </row>
      <row>
        <col> 3 </col> <col> 5 </col> <col> 1 </col> <col> Gnucomo </col>
        <col> 2002-07-14 16:14:09 </col> <col> OPN </col>
        <col>
          <para>Automatic e-mail to user: <reference href="mailto:brenno@dewinter.com">brenno@dewinter.com</reference>:</para>
          <para>Gnucomo detected a portscan on system <reference href="http://gnucomo.dewinter.com/">gnucomo.dewinter.com</reference></para>
        </col>
      </row>
      <row>
        <col> 4 </col> <col> 2 </col> <col> 1 </col> <col> Brenno </col>
        <col> 2002-07-14 16:18:09 </col> <col> OPN </col>
        <col>
          Notification shown through webinterface.
        </col>
      </row>
      <row>
        <col> 5 </col> <col> 17 </col> <col> 1 </col> <col> Brenno </col>
        <col> 2002-07-14 16:18:12 </col> <col> PEN </col>
        <col>
          <para/>
        </col>
      </row>
      <row>
        <col> 6 </col> <col> 4 </col> <col> 1 </col> <col> Brenno </col>
        <col> 2002-07-14 16:20:37 </col> <col> PEN </col>
        <col>
          Priority set to: 1
        </col>
      </row>
      <row>
        <col> 7 </col> <col> 3 </col> <col> 1 </col> <col> Brenno </col>
        <col> 2002-07-1416:21:58 </col> <col> PEN </col>
        <col>
          After reviewing the logs I see a portscan. On very specific ports. More analysis needed.
        </col>
      </row>
      <row>
        <col> 8 </col> <col> 3 </col> <col> 1 </col> <col> Brenno </col>
        <col> 2002-07-14 16:24:59 </col> <col> PEN </col>
        <col>
          Services tables learns me that all services are aimed at Windows-based services. Attempts for platform specific expoits.
        </col>
      </row>
      <row>
        <col> 9 </col> <col> 4 </col> <col> 1 </col> <col> Brenno </col>
        <col> 2002-07-14 16:25:03 </col> <col> PEN </col>
        <col>
          Priority set to: 4
        </col>
      </row>
      <row>
        <col> 10 </col> <col> 2 </col> <col> 1 </col> <col> Brenno </col>
        <col> 2002-07-14 16:30:09 </col> <col> PEN </col>
        <col>
          Notification shown through webinterface.
        </col>
      </row>
      <row>
        <col> 11 </col> <col> 3 </col> <col> 1 </col> <col> Brenno </col>
        <col> 2002-07-14 16:31:48 </col> <col> PEN </col>
        <col>
          Portscan has finished and no other action seems to take place now.
        </col>
      </row>
      <row>
        <col> 12 </col> <col> 18 </col> <col> 1 </col> <col> Brenno </col>
        <col> 2002-07-14 16:43:03 </col> <col> CLS </col>
        <col>
          <para/>
        </col>
      </row>
    </table>
    </paragraph>
</subsubsection>

<subsubsection>
  <heading>log &amp; log_adv. </heading>

<para>
To store the log-data there are two tables in use that have a one-on-one relationship. The logic behind this is the difference between raw-always needed data and the somewhat processed data to support basic retrieval. The last category isn't always used and when it's used it is redundant. Also the raw log is very important to the integrity of the system. For these reasons the processed data has been physically separated in a second table called <emph>log_adv</emph>. If needed a view will be available that combines the two tables. Despite the load indexing on <emph>log_adv</emph> will be done thoroughly.
</para>
</subsubsection>

<subsubsection>
  <heading>log.</heading>

<paragraph>
  <heading>The fields of log.</heading>

<para>
The fields in log are focussed around the raw data and the data needed to link this to other tables in the system.
</para>

<table cpos='lllp{6cm}'>
  <thead>
    <col> Fieldname </col> <col> Fieldtype </col> <col> Size </col>
    <col>
      Remarks
    </col>
  </thead>
  <row>
    <col> logid </col> <col> Bigserial </col> <col> 8 </col>
    <col>
      Autonumber bigint (eight bit)
    </col>
  </row>
  <row>
    <col> objectid </col> <col> Bigint </col> <col> 8 </col>
    <col>
      Reference to the object that submitted this log entry
    </col>
  </row>
  <row>
    <col> original_filename </col> <col> Text </col> <col> <para/> </col>
    <col>
      This field refers to the filename that contained this entry. The original entries as received by the gnucomo-server (flat files). The files are sent in batches, which makes it very hard to find where the original logline is. This will enable to see the files to detect bugs in gnucomo if any occur. It may well be that in a later stage this functionality becomes obsolete.
    </col>
  </row>
  <row>
    <col> servicecode </col> <col> Text </col> <col> <para/> </col>
    <col>
      This field explains what service was recognized (for instance 'kernel, 'httpd' or 'smtp')
    </col>
  </row>
  <row>
    <col> type_of_logid </col> <col> Bigint </col> <col> 8 </col>
    <col>
      Reference to the table type_of_log that contains information on what type of log/report we have here (how gnucomo recognized it).
    </col>
  </row>
  <row>
    <col> object_timestamp </col> <col> Timestamp </col> <col> 8 </col>
    <col>
      Timestamp as has been written into the log.
    </col>
  </row>
  <row>
    <col> timestamp </col> <col> Timestamp </col> <col> <para/> </col>
    <col>
      The time when the action has been entered into the system. This is the time without the timezone<footnote>The timestamp without time has been selected, since this is the system time. To have the system functioning without any physical borders one of the settings on the system is time in GMT (UTC). This ensures also the added value of the system log.</footnote>. This will be generated upon entry into the database.
    </col>
  </row>
  <row>
    <col> rawdata </col> <col> TEXT </col> <col> <para/> </col>
    <col>
      The raw log data
    </col>
  </row>
</table>
</paragraph>

<paragraph>
  <heading>The indexes.</heading>

<para>
The indices of the table:
</para>

<table cpos='lll'>
  <thead>
    <col> Indexname </col> <col> Field </col> <col> Characteristics </col>
  </thead>
  <row>
    <col> log_pk (log_logid_key) </col> <col> logid </col> <col> Primary key </col>
  </row>
  <row>
    <col> log_objectid </col> <col> objectid </col> <col> <para/> </col>
  </row>
  <row>
    <col> log_original_filename </col> <col> original_filename </col> <col> <para/> </col>
  </row>
  <row>
    <col> log_servicecode </col> <col> servicecode </col> <col> <para/> </col>
  </row>
  <row>
    <col> log_type_of_logid </col> <col> type_of_logid </col> <col> <para/> </col>
  </row>
  <row>
    <col> log_object_timestamp </col> <col> object_timestamp </col> <col> <para/> </col>
  </row>
  <row>
    <col> log_timestamp </col> <col> timestamp </col> <col> <para/> </col>
  </row>
</table>
</paragraph>

<paragraph>
  <heading>The relationships.</heading>

<para>
Relationships with other tables:
</para>

<table cpos='llp{6cm}'>
  <thead>
    <col> Fieldname </col> <col> Remote Table </col>
    <col>
      Remarks
    </col>
  </thead>
  <row>
    <col> objectid </col> <col> object </col>
    <col>
      This make the link from what object the logline came
    </col>
  </row>
  <row>
    <col> type_of_logid </col> <col> type_of_log </col>
    <col>
      Each logbook has a certain type of reporting. This explains what type of log was received (and thus which rules for detection was applied).
    </col>
  </row>
  <row>
    <col> systemuser </col> <col> user </col>
    <col>
      Links a registered user of an object to this log entry<footnote>Upon entry of an object most of the times the passwd-file (UNIX-systems) or the userlist will serve as the entrypoint of users. Non existing users will be added and will have to be verified by an administrator before this entry become definite.</footnote>.
    </col>
  </row>
</table>

<para>In the model this looks like this:</para>
    
<para>
  <picture src="erd-log.png" eps="erd-log"/>
</para>

    
</paragraph>
<paragraph>
  <heading>The fields of log_adv.</heading>

<para>
The fields of the table <emph>log_adv</emph> are shown below:
</para>

<table cpos='lllp{6cm}'>
  <thead>
    <col> Fieldname </col> <col> Fieldtype </col> <col> Size </col>
    <col>
      Remarks
    </col>
  </thead>
  <row>
    <col> logid </col> <col> Bigint </col> <col> 8 </col>
    <col>
      Bigint (eight bit) 1-to-1 relationship with log
    </col>
  </row>
  <row>
    <col> source_ip </col> <col> Inet </col> <col> <para/> </col>
    <col>
      This is the IP-address (V4) of the host that sended the data.
    </col>
  </row>
  <row>
    <col> destination_ip </col> <col> Inet </col> <col> <para/> </col>
    <col>
      This is the IP-address (V4) of the host that was targetted.
    </col>
  </row>
  <row>
    <col> mac_address </col> <col> Macaddr </col> <col> <para/> </col>
    <col>
      This is the MAC-address logged
    </col>
  </row>
  <row>
    <col> packetlength </col> <col> Int </col> <col> <para/> </col>
    <col>
      The length of the packet
    </col>
  </row>
  <row>
    <col> protocol </col> <col> Text </col> <col> <para/> </col>
    <col>
      The protocol used for transmission(mostly TCP/UDP/ICMP).
    </col>
  </row>
  <row>
    <col> source_port </col> <col> Int </col> <col> <para/> </col>
    <col>
      The portnumber used at origin.
    </col>
  </row>
  <row>
    <col> destination_port </col> <col> Int </col> <col> <para/> </col>
    <col>
      The portnumber for the target
    </col>
  </row>
  <row>
    <col> messageid </col> <col> Text </col> <col> <para/> </col>
    <col>
      Messageid for e-mails
    </col>
  </row>
  <row>
    <col> system_username </col> <col> Text </col> <col> <para/> </col>
    <col>
      Username on the object
    </col>
  </row>
  <row>
    <col> networkdevice </col> <col> Text </col> <col> <para/> </col>
    <col>
      When this is about network-traffic the device that worked the data
    </col>
  </row>
</table>
</paragraph>

<paragraph>
  <heading>The indexes.</heading>

<para>
The table is indexed on the following fields:
</para>

<table cpos='lll'>
  <thead>
    <col> Indexname </col> <col> Field </col> <col> Characteristics </col>
  </thead>
  <row>
    <col> loa_logid </col> <col> logid </col> <col> Primary key </col>
  </row>
  <row>
    <col> loa_source_ip </col> <col> source_ip </col> <col> <para/> </col>
  </row>
  <row>
    <col> loa_destination_ip </col> <col> destination_ip </col> <col> <para/> </col>
  </row>
  <row>
    <col> loa_mac_address </col> <col> mac_address </col> <col> <para/> </col>
  </row>
  <row>
    <col> loa_packetlength </col> <col> packetlength </col> <col> <para/> </col>
  </row>
  <row>
    <col> loa_protocol </col> <col> protocol </col> <col> <para/> </col>
  </row>
  <row>
    <col> loa_source_port </col> <col> source_port </col> <col> <para/> </col>
  </row>
  <row>
    <col> loa_destination_port </col> <col> destination_port </col> <col> <para/> </col>
  </row>
  <row>
    <col> loa_messageid </col> <col> messageid </col> <col> <para/> </col>
  </row>
  <row>
    <col> loa_system_username </col> <col> system_username </col> <col> <para/> </col>
  </row>
  <row>
    <col> networkdevice </col> <col> networkdevice </col> <col> <para/> </col>
  </row>
</table>
</paragraph>

<paragraph>
  <heading>The relationships.</heading>

<para>
There is only one relation with this table.
</para>

<table cpos='llp{6cm}'>
  <thead>
    <col> Fieldname </col> <col> Remote Table </col>
    <col>
      Remarks
    </col>
  </thead>
  <row>
    <col> Logid </col> <col> Log </col>
    <col>
      This will make a link to the table <emph>log</emph>. The relationship is a one-on-one relationship.
    </col>
  </row>
</table>
</paragraph>

<paragraph>
  <heading>Sample data combined from log and log_adv.</heading>

<para>
The sample data derrived here has been gathered in logs. Since the tablestructure is very long the representation is somewhat different:
</para>

<table cpos='lp{8cm}'>
  <thead>
    <col> Fieldname </col> <col> Value.  </col>
  </thead>
  <row>
    <col> Logid </col> <col> 1 </col>
  </row>
  <row>
    <col> Objectid </col> <col> 1 </col>
  </row>
  <row>
    <col> Original_filename </col> <col> 7f0100.messages.20020714231801 </col>
  </row>
  <row>
    <col> Rawdata </col>
    <col>
      Jul 14 18:16:42 webber kernel: IN=eth0 OUT= MAC=00:60:67:36:61:a5:00:90:69:60:c0:5d:08:00 SRC=193.79.237.146 DST=212.204.216.11 LEN=40 TOS=0x00 PREC=0x00 TTL=245 id=19308 DF PROTO=TCP SPT=36375 DPT=113 WINDOW=8760 RES=0x00 RST URGP=0
    </col>
  </row>
  <row>
    <col> Type_of_logid </col> <col> 1 </col>
  </row>
  <row>
    <col> Timestamp </col> <col> 2002-07-14 23:29:01 </col>
  </row>
  <row>
    <col> Object_timestamp </col> <col> 2002-07-14 18:16:42 </col>
  </row>
  <row>
    <col> Source_ip </col> <col> 193.79.237.146 </col>
  </row>
  <row>
    <col> Destination_ip </col> <col> 212.204.216.11 </col>
  </row>
  <row>
    <col> Mac_address </col> <col> 00:60:67:36:61:a5:00:90:69:60:c0:5d:08:00 </col>
  </row>
  <row>
    <col> Packetlength </col> <col> 40 </col>
  </row>
  <row>
    <col> Protocol </col> <col> TCP </col>
  </row>
  <row>
    <col> Source_port </col> <col> 36375 </col>
  </row>
  <row>
    <col> Destination_port </col> <col> 113 </col>
  </row>
  <row>
    <col> Messageid </col> <col> <para/> </col>
  </row>
  <row>
    <col> Systemuser </col> <col> <para/> </col>
  </row>
  <row>
    <col> Networkdevice </col> <col> eth0 </col>
  </row>
</table>
</paragraph>
</subsubsection>

<subsubsection>
  <heading>log_notification. </heading>

<para>
In the log_notification the logbook entries that have caused an alert to occur are saved. When this table is used something has been detected. As this is clearly an intermediate table we anticipate to design checks where multiple entries in a log-file can lead to one notification. For forensics indexing will be focussed on retrieval speed.
</para>

<paragraph>
  <heading>The fields.</heading>

<para>
The fields are listed below:
</para>

<table cpos='lllp{6cm}'>
  <thead>
    <col> Fieldname </col> <col> Fieldtype </col> <col> Size </col>
    <col>
      Remarks
    </col>
  </thead>
  <row>
    <col> notificationid </col> <col> Bigint </col> <col> 8 </col>
    <col>
      Reference to the notification
    </col>
  </row>
  <row>
    <col> logid </col> <col> Bigint </col> <col> 8 </col>
    <col>
      Reference to the logbook
    </col>
  </row>
</table>

</paragraph>
<paragraph>
  <heading>The indexes.</heading>

<para>
The table is indexed on the following fields:
</para>
<table cpos='lll'>
  <thead>
    <col> Indexname </col> <col> Field </col> <col> Characteristics </col>
  </thead>
  <row>
    <col> lon_pk </col> <col>notificationid </col> <col>Primary key </col>
  </row>
  <row>
    <col> <para/> </col> <col>logid </col> <col>Primary key (second field) </col>
  </row>
  <row>
    <col>lon_notificationid </col> <col> notificationid </col> <col> <para/> </col>
  </row>
  <row>
    <col> lon_logid </col> <col>logid </col> <col> <para/> </col>
  </row>
</table>
</paragraph>

<paragraph>
  <heading>The relationships.</heading>

<para>
Relationships with other tables:
</para>

<table cpos='llp{8cm}'>
  <thead>
    <col> Fieldname </col> <col> Remote Table </col>
    <col>
      Remarks
    </col>
  </thead>
  <row>
    <col> Logid </col> <col> Log </col>
    <col>
      Indicates the log-entry that was on of the triggers that led to the notification.
    </col>
  </row>
  <row>
    <col> NotificationID </col> <col> Notification </col>
    <col>
      Indicates the notification where the entry in the log was a trigger.
    </col>
  </row>
</table>

<para>In the model this look like this:</para>
<para>
  <picture src="erd-lognotif.png" eps="erd-lognotif"/>
</para>
</paragraph>

<paragraph>
  <heading>Sample data.</heading>
<para>
Some sample data:
</para>

<table cpos='ll'>
  <thead>
    <col> LogID </col> <col> NotificationID </col>
  </thead>
  <row>
    <col> 4 </col> <col> 1 </col>
  </row>
  <row>
    <col> 5 </col> <col> 1 </col>
  </row>
  <row>
    <col> 8 </col> <col> 1 </col>
  </row>
  <row>
    <col> 9 </col> <col> 1 </col>
  </row>
  <row>
    <col> 5 </col> <col> 2 </col>
  </row>
  <row>
    <col> 6 </col> <col> 2 </col>
  </row>
  <row>
    <col> 11 </col> <col> 2 </col>
  </row>
</table>
</paragraph>
</subsubsection>

<subsubsection>
  <heading>notification. </heading>

<para>
In this table all detected issues per object will be written. Issues are entered based on immediate detection, periodical detection or manually. Since this table is mostly used to work from in the interface being in control is crucial. When systems function properly more retrieval than data entry will take place. Also data retrieval will be done in all sorts of ways. Indexing must be huge to facilitate that.
</para>

<paragraph>
  <heading>The fields.</heading>

<para>
The fields of the <emph>notification</emph> table are:
</para>

<table cpos='lllp{6cm}'>
  <thead>
    <col> Fieldname </col> <col> Fieldtype </col> <col> Size </col>
    <col>
      Remarks
    </col>
  </thead>
  <row>
    <col> notificationid </col> <col> Bigserial </col> <col> 8 </col>
    <col>
      Autonumber
    </col>
  </row>
  <row>
    <col> objectid </col> <col> Bigint </col> <col> 8 </col>
    <col>
      Reference to the <emph>object</emph>
    </col>
  </row>
  <row>
    <col> type_of_notification_id </col> <col> Bigint </col> <col> 8 </col>
    <col>
      Reference to the <emph>type_of_notification</emph> indicating what type of notification we have here and what basic rules apply.
    </col>
  </row>
  <row>
    <col> timestamp </col> <col> Timestamp </col> <col> <para/> </col>
    <col>
      Timestamp that this notification was created.
    </col>
  </row>
  <row>
    <col> statuscode </col> <col> Varchar </col> <col> 3 </col>
    <col>
      The status the actual status a notification has.
    </col>
  </row>
  <row>
    <col> priority </col> <col> Int </col> <col> 4 </col>
    <col>
      The priority that is given to this issue<footnote>Basically there will be five priority levels. The rule is that the lower the number gets the more urgent the issue is. At the moment the priority level is set by the system pre-defined actions will take place.</footnote>.
    </col>
  </row>
  <row>
    <col> escalation_count_timestamp </col> <col> Timestamp </col> <col> <para/> </col>
    <col>
      Timestamp since the last escalation took place<footnote>The system offers the possibility to automatically escalate issue if no action has been taken within a certain amount of time. Based on the status and the type of notification escalation can take place.</footnote>.
    </col>
  </row>
  <row>
    <col> repeat_notification_timestamp </col> <col> Timestamp </col> <col> <para/> </col>
    <col>
      Timestamp at which moment in time a repeat notification should occur<footnote>After this time has passed a notification is being resent. After a resent automatically a new time is set for another resent. If any actions takes place (except automated entries of course) the time is emptied so that an administrator will no longer be bothered by the system.</footnote>.
    </col>
  </row>
  <row>
    <col> securitylevel_view </col> <col> Int </col> <col> 4 </col>
    <col>
      The securitylevel that is needed to view this entry.
    </col>
  </row>
  <row>
    <col> securitylevel_add </col> <col> Int </col> <col> 4 </col>
    <col>
      Securitylevel to add information to this item or to undertake action
    </col>
  </row>
  <row>
    <col> securitylevel_close </col> <col> Int </col> <col> 4 </col>
    <col>
      The securitylevel needed to be able to close this notification.
    </col>
  </row>
</table>
</paragraph>

<paragraph>
  <heading>The indexes.</heading>

<para>
The indices are:
</para>
<table cpos='lll'>
  <thead>
    <col> Indexname </col> <col> Field </col> <col> Characteristics </col>
  </thead>
  <row>
    <col> not_pk (notification_notificationid_key) </col> <col> notificationid </col>
    <col> Primary key </col>
  </row>
  <row>
    <col> not_objectid </col> <col> objectid </col> <col> <para/> </col>
  </row>
  <row>
    <col> not_type_of_notificationid </col> <col> type_of_notificationid </col>
    <col> <para/> </col>
  </row>
  <row>
    <col> not_timestamp </col> <col> timestamp </col> <col> <para/> </col>
  </row>
  <row>
    <col> not_statuscode </col> <col> statuscode </col> <col> <para/> </col>
  </row>
  <row>
    <col> not_priority </col> <col> priority </col> <col> <para/> </col>
  </row>
  <row>
    <col> not_escalation_count_timestamp </col> <col> escalation_count_timestamp </col>
    <col> <para/> </col>
  </row>
  <row>
    <col>
      <para>not_repeat_notification_timestamp</para>
      <para>(not_repeat_notification_timesta)</para>
    </col>
    <col> repeat_notification_timestamp </col> <col> <para/> </col>
  </row>
</table>
</paragraph>

<paragraph>
  <heading>The relationships.</heading>

<para>
Relationships with other tables:
</para>

<table cpos='llp{8cm}'>
  <thead>
    <col> Fieldname </col> <col> Remote Table </col> <col> Remarks </col>
  </thead>
  <row>
    <col> Logid </col> <col> Log </col>
    <col>
      Indicates the log-entry that was on of the triggers that led to the notification.
    </col>
  </row>
  <row>
    <col> NotificationID </col> <col> Notification </col>
    <col>
      Indicates the notification where the entry in the log was a trigger.
    </col>
  </row>
</table>

<para>In the model this look like this:</para>
<para>
  <picture src="erd-notif.png" eps="erd-notif"/>
</para>
</paragraph>

<paragraph>
  <heading>Sample data.</heading>

<para>
The following data is an example of a notification placed in the database.
</para>
<table cpos='ll'>
  <thead>
    <col> Fieldname </col> <col> Data </col>
  </thead>
  <row>
    <col> Notificationid </col> <col> 1 </col>
  </row>
  <row>
    <col> ObjectID </col> <col> 1 </col>
  </row>
  <row>
    <col> Type_of_notification_id </col> <col> 1 </col>
  </row>
  <row>
    <col> Timestamp </col> <col> 17-07-2002 16:07 </col>
  </row>
  <row>
    <col> Statuscode </col> <col> NEW </col>
  </row>
  <row>
    <col> Priority </col> <col> 3 </col>
  </row>
  <row>
    <col> Escalation_count_timestamp </col> <col> 17-07-2002 16:07 </col>
  </row>
  <row>
    <col> Repeat_notification_timestamp </col> <col> 17-07-2002 20:48PM </col>
  </row>
  <row>
    <col> Securitylevel_view </col> <col> 3 </col>
  </row>
  <row>
    <col> Securitylevel_add </col> <col> 3 </col>
  </row>
  <row>
    <col> Securitylevel_close </col> <col> 4 </col>
  </row>
</table>
</paragraph>
</subsubsection>

<subsubsection>
  <heading>object</heading>

<para>
The <emph>object</emph> table contains general information on the objects being monitored. The table object will more be used for retrieval, since adding objects will be an occasional process. Anything that for some reason can be indexed ought to be indexed.
</para>

<paragraph>
  <heading>The fields.</heading>

<para>
The fields are:
</para>
<table cpos='lllp{6cm}'>
  <thead>
    <col> Fieldname </col> <col> Fieldtype </col> <col> Size </col>
    <col>
      Remarks
    </col>
  </thead>
  <row>
    <col> objectid </col> <col> Bigserial </col> <col> 8 </col>
    <col>
      Autonumbering code for the computer or device.
    </col>
  </row>
  <row>
    <col> objectname </col> <col> Text </col> <col> <para/> </col>
    <col>
      The hostname of the object
    </col>
  </row>
  <row>
    <col> objectcode </col> <col> Text </col> <col> <para/> </col>
    <col>
      Unique identifier (if existent) on the system<footnote>In Linux this will typically be the <emph>hostid</emph>.</footnote>.
    </col>
  </row>
  <row>
    <col> scp_enabled </col> <col> Boolean </col> <col> <para/> </col>
    <col>
      Can communication occur through scp (T = Yes / F = No)
    </col>
  </row>
  <row>
    <col> scp_inet </col> <col> Inet </col> <col> <para/> </col>
    <col>
      IP Address of the object for scp-data transfer.
    </col>
  </row>
  <row>
    <col> mail_enabled </col> <col> Boolean </col> <col> <para/> </col>
    <col>
      Can communication occur through e-mail (T = Yes/F = No).
    </col>
  </row>
  <row>
    <col> mail_from </col> <col> Text </col> <col> <para/> </col>
    <col>
      The e-mail address where e-mail will come from.
    </col>
  </row>
  <row>
    <col> sms_enabled </col> <col> Boolean </col> <col> <para/> </col>
    <col>
      Can communication occur through SMS (T = Yes/F = No).
    </col>
  </row>
  <row>
    <col> sms_number </col> <col> Text </col> <col> <para/> </col>
    <col>
      The SMS-number to send a notification to.
    </col>
  </row>
  <row>
    <col> fax_enabled </col> <col> Boolean </col> <col> <para/> </col>
    <col>
      Can communication occur through Fax (T = Yes/F = No).
    </col>
  </row>
  <row>
    <col> fax_number </col> <col> Text </col> <col> <para/> </col>
    <col>
      The fax-number to send a notification to.
    </col>
  </row>
  <row>
    <col>
      object_description
    </col>
    <col>
      Text
    </col>
    <col>
      <para/>
    </col>
    <col>
      Description of the object. What type of system is it
    </col>
  </row>
  <row>
    <col> object_owner </col> <col> Text </col> <col> <para/> </col>
    <col>
      Owner-details
    </col>
  </row>
  <row>
    <col> physical_location </col> <col> Text </col> <col> <para/> </col>
    <col>
      Physical address and when applicable entry-details needed to get to the object.
    </col>
  </row>
  <row>
    <col> timezone </col> <col> Text </col> <col> <para/> </col>
    <col>
      The timezone where this object is located<footnote>For objects that move around like PDA's and laptops the timezone can be the place where a person is stationed or better GMT.</footnote>.
    </col>
  </row>
  <row>
    <col> remark </col> <col> Text </col> <col> <para/> </col>
    <col>
      Additional remarks that shouldn't be in the previous TEXT fields.
    </col>
  </row>
</table>
</paragraph>

<paragraph>
  <heading>The indexes.</heading>

<para>
The <emph>object</emph> table is indexed on the following fields:
</para>

<table cpos='lll'>
  <thead>
    <col> Indexname </col> <col> Field </col> <col> Characteristics </col>
  </thead>
  <row>
    <col> obj_pk (object_objectid_key) </col> <col> objectid </col> <col> Primary key </col>
  </row>
  <row>
    <col> obj_objectname </col> <col> objectname </col> <col> Unique </col>
  </row>
  <row>
    <col> obj_objectcode </col> <col> objectcode </col> <col> Unique </col>
  </row>
  <row>
    <col> obj_mail_from </col> <col> mail_from </col> <col> <para/> </col>
  </row>
</table>
</paragraph>

<paragraph>
  <heading>The relationships.</heading>

<para>
The relationships with other tables are listed below:
</para>

<table cpos='llp{8cm}'>
  <thead>
    <col> Fieldname </col> <col> Remote Table </col> <col> Remarks </col>
  </thead>
  <row>
    <col> ObjectID </col> <col> Log (adv) </col>
    <col> Reference to processed log-entries </col>
  </row>
  <row>
    <col> <para/> </col> <col> Notification </col>
    <col>
      Reference to the table <emph>notification</emph> that contains the notifications that have been created.
    </col>
  </row>
  <row>
    <col> <para/> </col> <col> Object_issue </col>
    <col>
      Reference to the <emph>object_issue</emph> that indicates how notifications have to be handled .
    </col>
  </row>
  <row>
    <col> <para/> </col> <col> Object_priority </col>
    <col>
      Reference to the <emph>object_priority</emph> table that indicates how a certain level of priority has to be dealt with.
    </col>
  </row>
  <row>
    <col> <para/> </col> <col> Object_system_user </col>
    <col>
      Reference to a list of system user to discover abnormalities in user behaviour.
    </col>
  </row>
  <row>
    <col> <para/> </col> <col> Object_user </col>
    <col> Reference to the <emph>object_user</emph> </col>
  </row>
  <row>
    <col> <para/> </col> <col> Unprocessed_log </col>
    <col>
      Reference to the entries that have not been processed at all.
    </col>
  </row>
</table>

<para>In the relationshipmodel this looks like this:</para>
<para>
  <picture src="erd-object.png" eps="erd-object"/>
</para>
</paragraph>

<paragraph>
  <heading>Sample data.</heading>
<para>
There is no preset data and therefor it's an example has been created. The table has quite some fields so the example has the fieldname in the left column and the data in the right column.
</para>
<table cpos='ll'>
      <thead>
        <col>
          <para>Fieldname</para>
        </col>
        <col>
          <para>Sample data</para>
        </col>
      </thead>
      <row>
        <col>
          <para>Objectid</para>
        </col>
        <col>
          <para>1</para>
        </col>
      </row>
      <row>
        <col>
          <para>Objectname</para>
        </col>
        <col>
          <para>webber.dewinter.com</para>
        </col>
      </row>
      <row>
        <col>
          <para>Objectcode</para>
        </col>
        <col>
          <para>7f0100</para>
        </col>
      </row>
      <row>
        <col>
          <para>Scp_enabled</para>
        </col>
        <col>
          <para>T</para>
        </col>
      </row>
      <row>
        <col>
          <para>Scp_inet</para>
        </col>
        <col>
          <para>192.168.221.212</para>
        </col>
      </row>
      <row>
        <col>
          <para>Mail_enabled</para>
        </col>
        <col>
          <para>T</para>
        </col>
      </row>
      <row>
        <col>
          <para>Mail_from</para>
        </col>
        <col>
          <para>
            <reference href="mailto:gnucomo@maintenance.dewinter.com">gnucomo@maintenance.dewinter.com</reference>
          </para>
        </col>
      </row>
      <row>
        <col>
          <para>Sms_enabled</para>
        </col>
        <col>
          <para>T</para>
        </col>
      </row>
      <row>
        <col>
          <para>Sms_number</para>
        </col>
        <col>
          <para>06-XXXXXXXX</para>
        </col>
      </row>
      <row>
        <col>
          <para>Fax_enabled</para>
        </col>
        <col>
          <para>T</para>
        </col>
      </row>
      <row>
        <col>
          <para>Fax_number</para>
        </col>
        <col>
          <para>0318-XXXXXX</para>
        </col>
      </row>
      <row>
        <col>
          <para>Object_description</para>
        </col>
        <col>
          <para>19 inch 4 units, AMD-300 with two 27Gb disks (RAID-0), 256Mb memory</para>
        </col>
      </row>
      <row>
        <col>
          <para>Object_owner</para>
        </col>
        <col>
          <para>Brenno de Winter</para>
          <para>De Winter Information Solutions</para>
          <para>Your street here 32</para>
          <para>9999 XX YOUR CITY</para>
          <para>THE NETHERLANDS</para>
          <para>Phone: +31 XXX XXX XXX</para>
        </col>
      </row>
      <row>
        <col>
          <para>Physical_location</para>
        </col>
        <col>
          <para>Internet Provider XYZ</para>
          <para>Your street here 38</para>
          <para>9999 XX YOUR CITY</para>
          <para>THE NETHERLANDS</para>
          <para>Phone: +31 XXX XXX XXX</para>
          <para/>
          <para>Dataroom. System: Q7845</para>
        </col>
      </row>
      <row>
        <col>
          <para>Remark</para>
        </col>
        <col>
          <para>A replacement system is available at the office location. The following persons have been authorized to enter the data room at the ISP:</para>
          <para>* Arjen Baart</para>
          <para>* Peter Busser</para>
          <para>* Brenno de Winter</para>
        </col>
      </row>
    </table>
    <para/>
</paragraph>
</subsubsection>

<subsubsection>
  <heading>object_issue. </heading>
<para>
This table will store the policy on a certain issue like the priority being recognized and special actions to take. Since policies are utilized by the systems continuously all other process will rely on this index, while users will change the values occasionally.
</para>

<paragraph>
  <heading>The fields.</heading>

<para>
The fields of <emph>object_issue</emph>:
</para>

<table cpos='lllp{6cm}'>
      <thead>
        <col>
          <para>Fieldname</para>
        </col>
        <col>
          <para>Fieldtype</para>
        </col>
        <col>
          <para>Size</para>
        </col>
        <col>
          <para>Remarks</para>
        </col>
      </thead>
      <row>
        <col>
          <para>objectid</para>
        </col>
        <col>
          <para>Bigint</para>
        </col>
        <col>
          <para>8</para>
        </col>
        <col>
          <para>Reference to the object</para>
        </col>
      </row>
      <row>
        <col>
          <para>type_of_notificationid</para>
        </col>
        <col>
          <para>Bigint</para>
        </col>
        <col>
          <para>8</para>
        </col>
        <col>
          <para>Reference to the <emph>type_of_notification</emph> indicating what type of notification we have here and what basic rules apply.</para>
        </col>
      </row>
      <row>
        <col>
          <para>default_priority</para>
        </col>
        <col>
          <para>Int</para>
        </col>
        <col>
          <para>4</para>
        </col>
        <col>
          <para>The priority that will be set automatically when this type of notification is entered into the system.</para>
        </col>
      </row>
      <row>
        <col>
          <para>escalation</para>
        </col>
        <col>
          <para>Boolean</para>
        </col>
        <col>
          <para/>
        </col>
        <col>
          <para>Will the system perform automatic escalation (T = Yes / F = No)</para>
        </col>
      </row>
      <row>
        <col>
          <para>escalation_time</para>
        </col>
        <col>
          <para>Time</para>
        </col>
        <col>
          <para/>
        </col>
        <col>
          <para>The time after which a higher priority is awarded to the notification.</para>
        </col>
      </row>
      <row>
        <col>
          <para>max_priority</para>
        </col>
        <col>
          <para>Int</para>
        </col>
        <col>
          <para/>
        </col>
        <col>
          <para>The maximum priority given to this type of notification.</para>
        </col>
      </row>
      <row>
        <col>
          <para>adjusted_setting</para>
        </col>
        <col>
          <para>Text</para>
        </col>
        <col>
          <para/>
        </col>
        <col>
          <para>Some checks can have a special settings (for instance alert after 5 failed login attempts instead of 3).</para>
        </col>
      </row>
</table>
</paragraph>

<paragraph>
  <heading>The indexes.</heading>

<para>
These are the indices:
</para>
<table cpos='lll'>
      <thead>
        <col>
          <para>Indexname</para>
        </col>
        <col>
          <para>Field</para>
        </col>
        <col>
          <para>Characteristics</para>
        </col>
      </thead>
      <row>
        <col>
          <para>obi_pk</para>
        </col>
        <col>
          <para>objectid</para>
        </col>
        <col>
          <para>Primary key</para>
        </col>
      </row>
      <row>
        <col>
          <para/>
        </col>
        <col>
          <para>type_of_notification_id</para>
        </col>
        <col>
          <para>Primary key</para>
        </col>
      </row>
      <row>
        <col>
          <para>obi_objectid</para>
        </col>
        <col>
          <para>Objectid</para>
        </col>
        <col>
          <para/>
        </col>
      </row>
      <row>
        <col>
          <para>obi_type_of_notificationid</para>
        </col>
        <col>
          <para>type_of_notification_id</para>
        </col>
        <col>
          <para/>
        </col>
      </row>
    </table>
    </paragraph>

<paragraph>
   <heading>The relationships.</heading>

<para>
Relationships with other tables:
</para>

<table cpos='llp{6cm}'>
      <thead>
        <col>
          <para>Fieldname</para>
        </col>
        <col>
          <para>Remote Table</para>
        </col>
        <col>
          <para>Remarks</para>
        </col>
      </thead>
      <row>
        <col>
          <para>ObjectID</para>
        </col>
        <col>
          <para>Object</para>
        </col>
        <col>
          <para>Reference to the <emph>object</emph> (which object does this apply to).</para>
        </col>
      </row>
      <row>
        <col>
          <para>Type_of_issueid</para>
        </col>
        <col>
          <para>Type_of_issue</para>
        </col>
        <col>
          <para>Reference to the type of issue.</para>
        </col>
      </row>
    </table>

<para>In the model this look like this:</para>
<para>
    <picture src="erd-objissue.png" eps="erd-objissue"/>
</para>

</paragraph>
<paragraph>
  <heading>Sample data.</heading>

<para>
Some sample data:
</para>
<table cpos='lllllll'>
      <thead>
        <col>
          <para>Objectid</para>
        </col>
        <col>
          <para>Type_of_notification_id</para>
        </col>
        <col>
          <para>Default Priority</para>
        </col>
        <col>
          <para>Escalation</para>
        </col>
        <col>
          <para>Escalation_time</para>
        </col>
        <col>
          <para>Max_priority</para>
        </col>
        <col>
          <para>Adjusted_setting</para>
        </col>
      </thead>
      <row>
        <col>
          <para>1</para>
        </col>
        <col>
          <para>1</para>
        </col>
        <col>
          <para>3</para>
        </col>
        <col>
          <para>T</para>
        </col>
        <col>
          <para>00:15:00</para>
        </col>
        <col>
          <para>1</para>
        </col>
        <col>
          <para/>
        </col>
      </row>
      <row>
        <col>
          <para>1</para>
        </col>
        <col>
          <para>2</para>
        </col>
        <col>
          <para>4</para>
        </col>
        <col>
          <para>T</para>
        </col>
        <col>
          <para>00:30:00</para>
        </col>
        <col>
          <para>2</para>
        </col>
        <col>
          <para/>
        </col>
      </row>
      <row>
        <col>
          <para>1</para>
        </col>
        <col>
          <para>3</para>
        </col>
        <col>
          <para>5</para>
        </col>
        <col>
          <para>F</para>
        </col>
        <col>
          <para/>
        </col>
        <col>
          <para/>
        </col>
        <col>
          <para>7</para>
        </col>
      </row>
      <row>
        <col>
          <para>2</para>
        </col>
        <col>
          <para>1</para>
        </col>
        <col>
          <para>4</para>
        </col>
        <col>
          <para>T</para>
        </col>
        <col>
          <para>00:45:00</para>
        </col>
        <col>
          <para>2</para>
        </col>
        <col>
          <para/>
        </col>
      </row>
      <row>
        <col>
          <para>2</para>
        </col>
        <col>
          <para>3</para>
        </col>
        <col>
          <para>5</para>
        </col>
        <col>
          <para>F</para>
        </col>
        <col>
          <para/>
        </col>
        <col>
          <para/>
        </col>
        <col>
          <para>8</para>
        </col>
      </row>
    </table>
</paragraph>
</subsubsection>

<subsubsection>
  <heading>object_priority. </heading>

<para>
This table stores per object how a certain level of priority is being dealt with. What policies do apply. This table is mostly used for retrieval, so firm indexing is logic.
</para>

<paragraph>
  <heading>The fields.</heading>

<para>
The fields are listed below:
</para>
<table cpos='lllp{6cm}'>
      <thead>
        <col>
          <para>Fieldname</para>
        </col>
        <col>
          <para>Fieldtype</para>
        </col>
        <col>
          <para>Size</para>
        </col>
        <col>
          <para>Remarks</para>
        </col>
      </thead>
      <row>
        <col>
          <para>objectid</para>
        </col>
        <col>
          <para>Bigint</para>
        </col>
        <col>
          <para>8</para>
        </col>
        <col>
          <para>Reference to the object</para>
        </col>
      </row>
      <row>
        <col>
          <para>priorityid</para>
        </col>
        <col>
          <para>Int</para>
        </col>
        <col>
          <para>4</para>
        </col>
        <col>
          <para>Priority.</para>
        </col>
      </row>
      <row>
        <col>
          <para>send_mail</para>
        </col>
        <col>
          <para>Boolean</para>
        </col>
        <col>
          <para/>
        </col>
        <col>
          <para>Send an e-mail if this priority is set? Yes = T / No = F</para>
        </col>
      </row>
      <row>
        <col>
          <para>send_sms</para>
        </col>
        <col>
          <para>Boolean</para>
        </col>
        <col>
          <para/>
        </col>
        <col>
          <para>Send a sms message if this priority is set? Yes = T / No = F</para>
        </col>
      </row>
      <row>
        <col>
          <para>send_fax</para>
        </col>
        <col>
          <para>Boolean</para>
        </col>
        <col>
          <para/>
        </col>
        <col>
          <para>Send a fax if this priority is set? Yes = T / No = F</para>
        </col>
      </row>
      <row>
        <col>
          <para>repeat_notification</para>
        </col>
        <col>
          <para>Boolean</para>
        </col>
        <col>
          <para/>
        </col>
        <col>
          <para>Repeat this notification if no action occurs since the notification. Yes = T / No = F</para>
        </col>
      </row>
      <row>
        <col>
          <para>interval_for_repeat</para>
        </col>
        <col>
          <para>Time</para>
        </col>
        <col>
          <para/>
        </col>
        <col>
          <para>Time interval that is set to wait for a response.</para>
        </col>
      </row>
    </table>
    </paragraph>

<paragraph>
  <heading>The indexes.</heading>

<para>
Indices of the <emph>object_priority</emph> table:
</para>

<table cpos='lll'>
      <thead>
        <col>
          <para>Indexname</para>
        </col>
        <col>
          <para>Field</para>
        </col>
        <col>
          <para>Characteristics</para>
        </col>
      </thead>
      <row>
        <col>
          <para>obi_pk</para>
        </col>
        <col>
          <para>objectid</para>
        </col>
        <col>
          <para>Primary key</para>
        </col>
      </row>
      <row>
        <col>
          <para/>
        </col>
        <col>
          <para>priorityid</para>
        </col>
        <col>
          <para>Primary key</para>
        </col>
      </row>
      <row>
        <col>
          <para>obi_objectid</para>
        </col>
        <col>
          <para>Objectid</para>
        </col>
        <col>
          <para/>
        </col>
      </row>
      <row>
        <col>
          <para>obi_type_of_notification_id</para>
        </col>
        <col>
          <para>type_of_notification_id</para>
        </col>
        <col>
          <para/>
        </col>
      </row>
    </table>
</paragraph>

<paragraph>
  <heading>The relationships.</heading>

<para>
Relationships with other tables:
</para>

<table cpos='llp{6cm}'>
      <thead>
        <col>
          <para>Fieldname</para>
        </col>
        <col>
          <para>Remote Table</para>
        </col>
        <col>
          <para>Remarks</para>
        </col>
      </thead>
      <row>
        <col>
          <para>ObjectID</para>
        </col>
        <col>
          <para>Object</para>
        </col>
        <col>
          <para>Reference to the object (which object does this apply to).</para>
        </col>
      </row>
      <row>
        <col>
          <para>Priorityid</para>
        </col>
        <col>
          <para>Priority</para>
        </col>
        <col>
          <para>Reference to the priority.</para>
        </col>
      </row>
    </table>

<para>
In the model this look like this:
</para>
<para>
<picture src="erd-objprior.png" eps="erd-objprior"/>
</para>
</paragraph>
</subsubsection>

<subsubsection>
  <heading>object_service</heading>

<para>
The object service table indicates which services can be expected on the system If input fails to show up a notification can be generated.
</para>

<paragraph>
  <heading>The fields.</heading>

<para>
The fields are listed below:
</para>

<table cpos='lllp{6cm}'>
      <thead>
        <col>
          <para>Fieldname</para>
        </col>
        <col>
          <para>Fieldtype</para>
        </col>
        <col>
          <para>Size</para>
        </col>
        <col>
          <para>Remarks</para>
        </col>
      </thead>
      <row>
        <col>
          <para>objectid</para>
        </col>
        <col>
          <para>Bigint</para>
        </col>
        <col>
          <para>8</para>
        </col>
        <col>
          <para>Reference to the object</para>
        </col>
      </row>
      <row>
        <col>
          <para>servicecode</para>
        </col>
        <col>
          <para>Text</para>
        </col>
        <col>
          <para/>
        </col>
        <col>
          <para>Reference to service.</para>
        </col>
      </row>
      <row>
        <col>
          <para>expected_interval</para>
        </col>
        <col>
          <para>Bigint</para>
        </col>
        <col>
          <para>8</para>
        </col>
        <col>
          <para>The expected interval in minutes between two log entries. If this gives a time-out a notification is generated<footnote>To avoid many false positives it may be wise to give the system always 1 or 2 minutes extra time. If for some reason a connection is slow or a mail-daemon restarted the effect would generate tuns of notifications.</footnote>. The following values can be considered the most common:</para>
          <para>* 60 hourly entries</para>
          <para>* 120 two hourly entries</para>
          <para>* 240 four hourly entries</para>
          <para>* 480 eight hourly entries</para>
          <para>* 920 twelve hourly entries</para>
          <para>* 1840 daily entries</para>
          <para>* 12880 weekly entries</para>
        </col>
      </row>
      <row>
        <col>
          <para>last_entry</para>
        </col>
        <col>
          <para>Timestamp</para>
        </col>
        <col>
          <para/>
        </col>
        <col>
          <para>The timestamp of the last entry (for detecting exceeded interval). This field could be derived from the log-table as well, but the redundance gives a performance on detection that is useful, since a check should run every minute.</para>
        </col>
      </row>
      <row>
        <col>
          <para>default_priority</para>
        </col>
        <col>
          <para>Int</para>
        </col>
        <col>
          <para>4</para>
        </col>
        <col>
          <para>Priority given if this service didn't occur.</para>
        </col>
      </row>
      <row>
        <col>
          <para>maximum_priority</para>
        </col>
        <col>
          <para>Int</para>
        </col>
        <col>
          <para>4</para>
        </col>
        <col>
          <para>Maximum priority (in case of escalation)</para>
        </col>
      </row>
      <row>
        <col>
          <para>accepted</para>
        </col>
        <col>
          <para>Boolean</para>
        </col>
        <col>
          <para/>
        </col>
        <col>
          <para>If a service hasn't been set, the application user should indicate that this is valid (logs shouldn't just appear). New entries will be added automatically but still have to be verified.</para>
        </col>
      </row>
    </table>
</paragraph>

<paragraph>
  <heading>The indexes.</heading>

<para>
The table is indexed on the following fields:
</para>
<table cpos='lll'>
      <thead>
        <col>
          <para>Indexname</para>
        </col>
        <col>
          <para>Field</para>
        </col>
        <col>
          <para>Characteristics</para>
        </col>
      </thead>
      <row>
        <col>
          <para>obs_pk</para>
        </col>
        <col>
          <para>objectid</para>
        </col>
        <col>
          <para>Primary key</para>
        </col>
      </row>
      <row>
        <col>
          <para/>
        </col>
        <col>
          <para>servicecode</para>
        </col>
        <col>
          <para>Primary key</para>
        </col>
      </row>
      <row>
        <col>
          <para>obs_objectid</para>
        </col>
        <col>
          <para>objectid</para>
        </col>
        <col>
          <para/>
        </col>
      </row>
      <row>
        <col>
          <para>obs_servicecode</para>
        </col>
        <col>
          <para>servicecode</para>
        </col>
        <col>
          <para/>
        </col>
      </row>
      <row>
        <col>
          <para>obs_accepted</para>
        </col>
        <col>
          <para>accepted</para>
        </col>
        <col>
          <para/>
        </col>
      </row>
    </table>
</paragraph>

<paragraph>
   <heading>The relationships.</heading>

<para>
Relationships with other tables:
</para>

<table cpos='llp{8cm}'>
      <thead>
        <col>
          <para>Fieldname</para>
        </col>
        <col>
          <para>Remote Table</para>
        </col>
        <col>
          <para>Remarks</para>
        </col>
      </thead>
      <row>
        <col>
          <para>objectID</para>
        </col>
        <col>
          <para>Object</para>
        </col>
        <col>
          <para>Reference to the object (which object does this apply to).</para>
        </col>
      </row>
      <row>
        <col>
          <para>servicecode</para>
        </col>
        <col>
          <para>Service</para>
        </col>
        <col>
          <para>Reference to the service table. </para>
        </col>
      </row>
    </table>

<para>In the model this look like this:</para>
<para>
  <picture src="erd-objservice.png" eps="erd-objservice"/>
</para>
</paragraph>
</subsubsection>

<subsubsection>
  <heading>object_system_user</heading>

<para>
This table will derive a list of users that can be identified based on the log-files in the system. This table is filled during data entry. But the filling of the table is dependent on the fact if the user has been entered before. So during the processing the read will be done more than the data entry and that makes heavy indexing logic.
</para>
<paragraph>
  <heading>The fields.</heading>

<para>
The fields of <emph>object_system_user</emph> are listed below:
</para>

<table cpos='lllp{6cm}'>
      <thead>
        <col>
          <para>Fieldname</para>
        </col>
        <col>
          <para>Fieldtype</para>
        </col>
        <col>
          <para>Size</para>
        </col>
        <col>
          <para>Remarks</para>
        </col>
      </thead>
      <row>
        <col>
          <para>objectid</para>
        </col>
        <col>
          <para>Bigint</para>
        </col>
        <col>
          <para>8</para>
        </col>
        <col>
          <para>Reference to the object</para>
        </col>
      </row>
      <row>
        <col>
          <para>system_username</para>
        </col>
        <col>
          <para>Text</para>
        </col>
        <col>
          <para/>
        </col>
        <col>
          <para>Username on the object/system.</para>
        </col>
      </row>
      <row>
        <col>
          <para>can_login</para>
        </col>
        <col>
          <para>Boolean</para>
        </col>
        <col>
          <para/>
        </col>
        <col>
          <para>Can this user login (T = Yes / F = No)?</para>
        </col>
      </row>
      <row>
        <col>
          <para>can_be_root</para>
        </col>
        <col>
          <para>Boolean</para>
        </col>
        <col>
          <para/>
        </col>
        <col>
          <para>Can this user become root (T = Yes / F = No)?</para>
        </col>
      </row>
    </table>
    </paragraph>

<paragraph>
  <heading>The indexes.</heading>

<para>
The table is indexed on the following fields:
</para>
<table cpos='lll'>
      <thead>
        <col>
          <para>Indexname</para>
        </col>
        <col>
          <para>Field</para>
        </col>
        <col>
          <para>Characteristics</para>
        </col>
      </thead>
      <row>
        <col>
          <para>osu_pk</para>
        </col>
        <col>
          <para>objectid</para>
        </col>
        <col>
          <para>Primary key</para>
        </col>
      </row>
      <row>
        <col>
          <para/>
        </col>
        <col>
          <para>system_username</para>
        </col>
        <col>
          <para>Primary key</para>
        </col>
      </row>
      <row>
        <col>
          <para>osu_objectid</para>
        </col>
        <col>
          <para>objectid</para>
        </col>
        <col>
          <para/>
        </col>
      </row>
      <row>
        <col>
          <para>osu_system_username</para>
        </col>
        <col>
          <para>system_username</para>
        </col>
        <col>
          <para/>
        </col>
      </row>
    </table>
    </paragraph>

<paragraph>
  <heading>The relationships.</heading>

<para>
Relationships with other tables:
</para>
<table cpos='llp{8cm}'>
      <thead>
        <col>
          <para>Fieldname</para>
        </col>
        <col>
          <para>Remote Table</para>
        </col>
        <col>
          <para>Remarks</para>
        </col>
      </thead>
      <row>
        <col>
          <para>ObjectID</para>
        </col>
        <col>
          <para>Object</para>
        </col>
        <col>
          <para>Reference to the object (which object does this apply to).</para>
        </col>
      </row>
      <row>
        <col>
          <para>System_username</para>
        </col>
        <col>
          <para>Log</para>
        </col>
        <col>
          <para>Log entries can refer to the system username.</para>
        </col>
      </row>
    </table>
    <para>In the model this look like this:</para>
    <para/>

    <para>
      <picture src="erd-objsysusr.png" eps="erd-objsysusr"/>
    </para>
    </paragraph>
</subsubsection>

<subsubsection>
  <heading>object_user</heading>

<para>
This table will enable users to get access to the information belonging to an object. Also this table is mainly used for data retrieval and will rely on the indexes.
</para>
<paragraph>
  <heading>The fields.</heading>

<para>
The fields of <emph>object_user</emph> are listed below:
</para>

<table cpos='lllp{6cm}'>
      <thead>
        <col>
          <para>Fieldname</para>
        </col>
        <col>
          <para>Fieldtype</para>
        </col>
        <col>
          <para>Size</para>
        </col>
        <col>
          <para>Remarks</para>
        </col>
      </thead>
      <row>
        <col>
          <para>Objectid</para>
        </col>
        <col>
          <para>Bigint</para>
        </col>
        <col>
          <para>8</para>
        </col>
        <col>
          <para>Reference to the <emph>object</emph></para>
        </col>
      </row>
      <row>
        <col>
          <para>Username</para>
        </col>
        <col>
          <para>Text</para>
        </col>
        <col>
          <para/>
        </col>
        <col>
          <para>Username in gnucomo. A reference to <emph>user</emph>.</para>
        </col>
      </row>
      <row>
        <col>
          <para>Security_level</para>
        </col>
        <col>
          <para>Int</para>
        </col>
        <col>
          <para/>
        </col>
        <col>
          <para>The security-level granted to this user.</para>
        </col>
      </row>
    </table>
</paragraph>

<paragraph>
  <heading>The indexes.</heading>
<para>
The indices of the <emph>object_user</emph> table:
</para>
<table cpos='lll'>
      <thead>
        <col>
          <para>Indexname</para>
        </col>
        <col>
          <para>Field</para>
        </col>
        <col>
          <para>Characteristics</para>
        </col>
      </thead>
      <row>
        <col>
          <para>ous_pk</para>
        </col>
        <col>
          <para>objectid</para>
        </col>
        <col>
          <para>Primary key</para>
        </col>
      </row>
      <row>
        <col>
          <para/>
        </col>
        <col>
          <para>username</para>
        </col>
        <col>
          <para>Primary key</para>
        </col>
      </row>
      <row>
        <col>
          <para>ous_objectid</para>
        </col>
        <col>
          <para>objectid</para>
        </col>
        <col>
          <para/>
        </col>
      </row>
      <row>
        <col>
          <para>ous_username</para>
        </col>
        <col>
          <para>username</para>
        </col>
        <col>
          <para/>
        </col>
      </row>
      <row>
        <col>
          <para>ous_security_level</para>
        </col>
        <col>
          <para>ous_security_level</para>
        </col>
        <col>
          <para/>
        </col>
      </row>
    </table>
</paragraph>

<paragraph>
  <heading>The relationships.</heading>

<para>
Relationshiips with other tables:
</para>

<table cpos='llp{8cm}'>
      <thead>
        <col>
          <para>Fieldname</para>
        </col>
        <col>
          <para>Remote Table</para>
        </col>
        <col>
          <para>Remarks</para>
        </col>
      </thead>
      <row>
        <col>
          <para>objectID</para>
        </col>
        <col>
          <para>object</para>
        </col>
        <col>
          <para>Reference to the object (which object does this apply to).</para>
        </col>
      </row>
      <row>
        <col>
          <para>username</para>
        </col>
        <col>
          <para>user</para>
        </col>
        <col>
          <para>Reference to the user.</para>
        </col>
      </row>
    </table>

    <para>In the model this look like this:</para>
    <picture src="erd-objusr.png" eps="erd-objusr"/>

</paragraph>
</subsubsection>

<subsubsection>
  <heading>priority</heading>

<para>
The priority table contains information on the levels that are recognized by the system. Mainly data retrieval so depending on indexing. It needs to be said that most likely only a couple of states will exist<footnote>By default we will use five states, but many states can be given to enable all types of differentiation.</footnote>.
</para>

<paragraph>
  <heading>The fields.</heading>

<para>
The fields of the <emph>priority</emph> table are listed below:
</para>

<table cpos='lllp{6cm}'>
      <thead>
        <col>
          <para>Fieldname</para>
        </col>
        <col>
          <para>Fieldtype</para>
        </col>
        <col>
          <para>Size</para>
        </col>
        <col>
          <para>Remarks</para>
        </col>
      </thead>
      <row>
        <col>
          <para>priority</para>
        </col>
        <col>
          <para>Int</para>
        </col>
        <col>
          <para>4</para>
        </col>
        <col>
          <para>Priority</para>
        </col>
      </row>
      <row>
        <col>
          <para>send_mail</para>
        </col>
        <col>
          <para>Boolean</para>
        </col>
        <col>
          <para/>
        </col>
        <col>
          <para>Send an e-mail if this priority is set? Yes = T / No = F</para>
        </col>
      </row>
      <row>
        <col>
          <para>send_sms</para>
        </col>
        <col>
          <para>Boolean</para>
        </col>
        <col>
          <para/>
        </col>
        <col>
          <para>Send a sms message if this priority is set? Yes = T / No = F</para>
        </col>
      </row>
      <row>
        <col>
          <para>send_fax</para>
        </col>
        <col>
          <para>Boolean</para>
        </col>
        <col>
          <para/>
        </col>
        <col>
          <para>Send a fax if this priority is set? Yes = T / No = F</para>
        </col>
      </row>
      <row>
        <col>
          <para>repeat_notification</para>
        </col>
        <col>
          <para>Boolean</para>
        </col>
        <col>
          <para/>
        </col>
        <col>
          <para>Repeat this notification if no action occurs since the notification. Yes = T / No = F</para>
        </col>
      </row>
      <row>
        <col>
          <para>interval_for_repeat</para>
        </col>
        <col>
          <para>Time</para>
        </col>
        <col>
          <para/>
        </col>
        <col>
          <para>Time interval that is set to wait for a response.</para>
        </col>
      </row>
    </table>
</paragraph>

<paragraph>
  <heading>The indexes.</heading>

<para>
The table is indexed on the following fields:
</para>

<table cpos='lll'>
      <thead>
        <col>
          <para>Indexname</para>
        </col>
        <col>
          <para>Field</para>
        </col>
        <col>
          <para>Characteristics</para>
        </col>
      </thead>
      <row>
        <col>
          <para>pri_pk</para>
        </col>
        <col>
          <para>priority</para>
        </col>
        <col>
          <para>Primary key</para>
        </col>
      </row>
    </table>
</paragraph>

<paragraph>
  <heading>The relationships.</heading>

<para>
Relationships with other tables:
</para>
<table cpos='llp{8cm}'>
      <thead>
        <col>
          <para>Fieldname</para>
        </col>
        <col>
          <para>Remote Table</para>
        </col>
        <col>
          <para>Remarks</para>
        </col>
      </thead>
      <row>
        <col>
          <para>priority</para>
        </col>
        <col>
          <para>object_priority</para>
        </col>
        <col>
          <para>Reference to the object (which object does this apply to). </para>
        </col>
      </row>
    </table>

    <para>In the model this look like this:</para>
    <para>
      <picture src="erd-prior.png" eps="erd-prior"/>
    </para>
</paragraph>
</subsubsection>

<subsubsection>
  <heading>service</heading>

<para>
The table <emph>service</emph> indicates the service that can be handled by the system. Out of the servicelist the administrator can indicate what services to expect.
</para>
<paragraph>
  <heading>The fields.</heading>

<para>
The fields are listed below:
</para>
<table cpos='lllp{6cm}'>
      <thead>
        <col>
          <para>Fieldname</para>
        </col>
        <col>
          <para>Fieldtype</para>
        </col>
        <col>
          <para>Size</para>
        </col>
        <col>
          <para>Remarks</para>
        </col>
      </thead>
      <row>
        <col>
          <para>servicecode</para>
        </col>
        <col>
          <para>Text</para>
        </col>
        <col>
          <para/>
        </col>
        <col>
          <para>The code that is written for the service</para>
        </col>
      </row>
      <row>
        <col>
          <para>servicename</para>
        </col>
        <col>
          <para>Text</para>
        </col>
        <col>
          <para/>
        </col>
        <col>
          <para>The expanded name for the service</para>
        </col>
      </row>
      <row>
        <col>
          <para>default_priority</para>
        </col>
        <col>
          <para>Int</para>
        </col>
        <col>
          <para>4</para>
        </col>
        <col>
          <para>The advised priority if these log-entries don't come in<footnote>Advised priorities can be changed in the object_service table per object. </footnote>.</para>
        </col>
      </row>
      <row>
        <col>
          <para>max_priority</para>
        </col>
        <col>
          <para>Int</para>
        </col>
        <col>
          <para>4</para>
        </col>
        <col>
          <para>The maximum priority advised for this service<footnote>Advised priorities can be changed in the object_service table per object.</footnote>.</para>
        </col>
      </row>
    </table>
</paragraph>

<paragraph>
  <heading>The indexes.</heading>

<para>
The table is indexed on the following fields:
</para>
<table cpos='lll'>
      <thead>
        <col>
          <para>Indexname</para>
        </col>
        <col>
          <para>Field</para>
        </col>
        <col>
          <para>Characteristics</para>
        </col>
      </thead>
      <row>
        <col>
          <para>ser_pk</para>
        </col>
        <col>
          <para>servicecode</para>
        </col>
        <col>
          <para>Primary key</para>
        </col>
      </row>
      <row>
        <col>
          <para>ser_servicename</para>
        </col>
        <col>
          <para>servicename</para>
        </col>
        <col>
          <para>Unique</para>
        </col>
      </row>
    </table>
</paragraph>

<paragraph>
  <heading>The relationships.</heading>
<para>
Relationships with other tables:
</para>
<table cpos='llp{8cm}'>
      <thead>
        <col>
          <para>Fieldname</para>
        </col>
        <col>
          <para>Remote Table</para>
        </col>
        <col>
          <para>Remarks</para>
        </col>
      </thead>
      <row>
        <col>
          <para>servicecode</para>
        </col>
        <col>
          <para>log</para>
        </col>
        <col>
          <para>What log entries have been tied to this type of service.</para>
        </col>
      </row>
      <row>
        <col>
          <para/>
        </col>
        <col>
          <para>object_service</para>
        </col>
        <col>
          <para>Settings for this service per object.</para>
        </col>
      </row>
      <row>
        <col>
          <para/>
        </col>
        <col>
          <para>unprocessed_log</para>
        </col>
        <col>
          <para>What unprocessed log entries have been tied to this type of service.</para>
        </col>
      </row>
    </table>
 
    <para>In the model this look like this:</para>
    <para>
      <picture src="erd-service.png" eps="erd-service"/>
    </para>
</paragraph>
</subsubsection>

<subsubsection>
  <heading>status.</heading>

<para>
The table <emph>status</emph> contains the possible states that a notification can have. As with the table <emph>priority</emph> these statuses are limited in number by default but can be expanded. Also here retrieval prevails above data entry and therefor indexing is important.
</para>

<paragraph>
  <heading>The fields.</heading>

<para>
The fields of the <emph>status</emph> table are listed below:
</para>

<table cpos='lllp{6cm}'>
      <thead>
        <col>
          <para>Fieldname</para>
        </col>
        <col>
          <para>Fieldtype</para>
        </col>
        <col>
          <para>Size</para>
        </col>
        <col>
          <para>Remarks</para>
        </col>
      </thead>
      <row>
        <col>
          <para>statuscode</para>
        </col>
        <col>
          <para>Varchar</para>
        </col>
        <col>
          <para>3</para>
        </col>
        <col>
          <para>The code for the status</para>
        </col>
      </row>
      <row>
        <col>
          <para>statusname</para>
        </col>
        <col>
          <para>Text</para>
        </col>
        <col>
          <para/>
        </col>
        <col>
          <para>What is the correct name for the status</para>
        </col>
      </row>
      <row>
        <col>
          <para>open_notification</para>
        </col>
        <col>
          <para>Boolean</para>
        </col>
        <col>
          <para/>
        </col>
        <col>
          <para>Is the notification still open when this status is set? Yes = T / No = F</para>
        </col>
      </row>
      <row>
        <col>
          <para>description</para>
        </col>
        <col>
          <para>Text</para>
        </col>
        <col>
          <para/>
        </col>
        <col>
          <para>Explanation of the code</para>
        </col>
      </row>
    </table>
</paragraph>

<paragraph>
  <heading>The indexes.</heading>
<para>
The table is indexed on the following fields:
</para>

<table cpos='lll'>
      <thead>
        <col>
          <para>Indexname</para>
        </col>
        <col>
          <para>Field</para>
        </col>
        <col>
          <para>Characteristics</para>
        </col>
      </thead>
      <row>
        <col>
          <para>sta_pk</para>
        </col>
        <col>
          <para>statuscode</para>
        </col>
        <col>
          <para>Primary key</para>
        </col>
      </row>
      <row>
        <col>
          <para>sta_statusname</para>
        </col>
        <col>
          <para>statusname</para>
        </col>
        <col>
          <para>Unique</para>
        </col>
      </row>
      <row>
        <col>
          <para>sta_open_notification</para>
        </col>
        <col>
          <para>open_notification</para>
        </col>
        <col>
          <para/>
        </col>
      </row>
    </table>
</paragraph>

<paragraph>
  <heading>The relationships.</heading>
<para>
Relationships with other tables
</para>

<table cpos='lll'>
      <thead>
        <col>
          <para>Fieldname</para>
        </col>
        <col>
          <para>Remote Table</para>
        </col>
        <col>
          <para>Remarks</para>
        </col>
      </thead>
      <row>
        <col>
          <para/>
        </col>
        <col>
          <para/>
        </col>
        <col>
          <para/>
        </col>
      </row>
    </table>
    <para>In the model this look like this:</para>
    <para>
      <picture src="erd-status.png" eps="erd-status"/>
    </para>
</paragraph>

<paragraph>
  <heading>Default values.</heading>
<para>The status values are default for the system and for that reason are predefined.</para>
<table cpos='lllp{6cm}'>
      <thead>
        <col>
          <para>Statuscode</para>
        </col>
        <col>
          <para>Statusname</para>
        </col>
        <col>
          <para>Open Notification</para>
        </col>
        <col>
          <para/>
        </col>
      </thead>
      <row>
        <col>
          <para>new</para>
        </col>
        <col>
          <para>New entry</para>
        </col>
        <col>
          <para>T</para>
        </col>
        <col>
          <para>Just detected nothing has been done yet.</para>
        </col>
      </row>
      <row>
        <col>
          <para>opn</para>
        </col>
        <col>
          <para>Open</para>
        </col>
        <col>
          <para>T</para>
        </col>
        <col>
          <para>The notification has been displayed, but nothing has been done yet.</para>
        </col>
      </row>
      <row>
        <col>
          <para>pen</para>
        </col>
        <col>
          <para>Pending</para>
        </col>
        <col>
          <para>T</para>
        </col>
        <col>
          <para>The notification is currently being worked on.</para>
        </col>
      </row>
      <row>
        <col>
          <para>ver</para>
        </col>
        <col>
          <para>Waiting for verification</para>
        </col>
        <col>
          <para>T</para>
        </col>
        <col>
          <para>The notification has been worked on. After it has been verified the notification can be closed.</para>
        </col>
      </row>
      <row>
        <col>
          <para>cls</para>
        </col>
        <col>
          <para>Closed</para>
        </col>
        <col>
          <para>F</para>
        </col>
        <col>
          <para>The notification has been closed</para>
        </col>
      </row>
      <row>
        <col>
          <para>rej</para>
        </col>
        <col>
          <para>Rejected</para>
        </col>
        <col>
          <para>F</para>
        </col>
        <col>
          <para>This was a false positive and has been rejected.</para>
        </col>
      </row>
      <row>
        <col>
          <para>inv</para>
        </col>
        <col>
          <para>Investigate</para>
        </col>
        <col>
          <para>T</para>
        </col>
        <col>
          <para>The notification is under investigation and awaiting additional details.</para>
        </col>
      </row>
    </table>
</paragraph>
</subsubsection>

<subsubsection>
  <heading>type_of_issue.</heading>

<para>This table will contain a list of all available issues that can be detected. All issues have a suggested priority setting. This is typically data retrieval and good indexing is needed.</para>

<paragraph>
  <heading>The fields.</heading>

<para>
Fields of <emph>type_of_issue</emph> are:
</para>

<table cpos='lllp{6cm}'>
      <thead>
        <col>
          <para>Fieldname</para>
        </col>
        <col>
          <para>Fieldtype</para>
        </col>
        <col>
          <para>Size</para>
        </col>
        <col>
          <para>Remarks</para>
        </col>
      </thead>
      <row>
        <col>
          <para>type_of_issueid</para>
        </col>
        <col>
          <para>Bigserial</para>
        </col>
        <col>
          <para>8</para>
        </col>
        <col>
          <para>The sequential code for the issue.</para>
        </col>
      </row>
      <row>
        <col>
          <para>name</para>
        </col>
        <col>
          <para>Text</para>
        </col>
        <col>
          <para/>
        </col>
        <col>
          <para>Name for the issue</para>
        </col>
      </row>
      <row>
        <col>
          <para>suggested_priority</para>
        </col>
        <col>
          <para>Int</para>
        </col>
        <col>
          <para>4</para>
        </col>
        <col>
          <para>The advised priority setting.</para>
        </col>
      </row>
      <row>
        <col>
          <para>description</para>
        </col>
        <col>
          <para>Text</para>
        </col>
        <col>
          <para/>
        </col>
        <col>
          <para>Description of the method and how this can be set.</para>
        </col>
      </row>
      <row>
        <col>
          <para>active</para>
        </col>
        <col>
          <para>Boolean</para>
        </col>
        <col>
          <para/>
        </col>
        <col>
          <para>Is this check currently being used in the system.</para>
        </col>
      </row>
    </table>
</paragraph>

<paragraph>
  <heading>The indexes.</heading>
<para>
The table is indexed on the following fields:
</para>

<table cpos='lll'>
      <thead>
        <col>
          <para>Indexname</para>
        </col>
        <col>
          <para>Field</para>
        </col>
        <col>
          <para>Characteristics</para>
        </col>
      </thead>
      <row>
        <col>
          <para>toi_pk</para>
          <para>(type_of_issue_type_of_issue_key)</para>
        </col>
        <col>
          <para>type_of_issueid</para>
        </col>
        <col>
          <para>Primary key</para>
        </col>
      </row>
      <row>
        <col>
          <para>toi_name</para>
        </col>
        <col>
          <para>name</para>
        </col>
        <col>
          <para>Unique</para>
        </col>
      </row>
      <row>
        <col>
          <para>toi_active</para>
        </col>
        <col>
          <para>active</para>
        </col>
        <col>
          <para/>
        </col>
      </row>
    </table>
</paragraph>

<paragraph>
  <heading>The relationships.</heading>
<table cpos='lll'>
      <thead>
        <col>
          <para>Fieldname</para>
        </col>
        <col>
          <para>Remote Table</para>
        </col>
        <col>
          <para>Remarks</para>
        </col>
      </thead>
      <row>
        <col>
          <para>type_of_issueid</para>
        </col>
        <col>
          <para>object_issue</para>
        </col>
        <col>
          <para/>
        </col>
      </row>
    </table>

    <para>In the model this look like this:</para>
    <para>
      <picture src="erd-toi.png" eps="erd-toi"/>
    </para>
</paragraph>

<paragraph>
  <heading>Default values.</heading>

<para>
All checks are entered as code into the system. This table only works for the application only. The user can set specifics in the application only.
</para>
<table cpos='lllll'>
      <thead>
        <col>
          <para>Type_of_issueid</para>
        </col>
        <col>
          <para>Name</para>
        </col>
        <col>
          <para>Suggested_priority</para>
        </col>
        <col>
          <para>Description</para>
        </col>
        <col>
          <para>Active</para>
        </col>
      </thead>
      <row>
        <col>
          <para>1</para>
        </col>
        <col>
          <para>Manual entry</para>
        </col>
        <col>
          <para>4</para>
        </col>
        <col>
          <para>A manual entry of a notification.</para>
        </col>
        <col>
          <para>T</para>
        </col>
      </row>
</table>
</paragraph>
</subsubsection>

<subsubsection>
  <heading>unprocessed_log</heading>

<para>
The <emph>user</emph> table contains the users that can login the monitoring application. It will also store if the users maintains the system. Mainly used for retrieval so properly indexed.
</para>

<paragraph>
  <heading>The fields.</heading>

<para>
The fields are listed below:
</para>

<table cpos='lllp{6cm}'>
      <thead>
        <col>
          <para>Fieldname</para>
        </col>
        <col>
          <para>Fieldtype</para>
        </col>
        <col>
          <para>Size</para>
        </col>
        <col>
          <para>Remarks</para>
        </col>
      </thead>
      <row>
        <col>
          <para>unprocessedid</para>
        </col>
        <col>
          <para>Bigserial</para>
        </col>
        <col>
          <para/>
        </col>
        <col>
          <para>Autonumber entry</para>
        </col>
      </row>
      <row>
        <col>
          <para>objectid</para>
        </col>
        <col>
          <para>Bigint</para>
        </col>
        <col>
          <para/>
        </col>
        <col>
          <para>Reference to the object</para>
        </col>
      </row>
      <row>
        <col>
          <para>servicecode</para>
        </col>
        <col>
          <para>Text</para>
        </col>
        <col>
          <para/>
        </col>
        <col>
          <para>The service that entered this data.</para>
        </col>
      </row>
      <row>
        <col>
          <para>logdata</para>
        </col>
        <col>
          <para>Text</para>
        </col>
        <col>
          <para/>
        </col>
        <col>
          <para>The data that comes from the file.</para>
        </col>
      </row>
    </table>
</paragraph>

<paragraph>
  <heading>The indexes.</heading>
<para>
The indices of the table:
</para>

<table cpos='lll'>
      <thead>
        <col>
          <para>Indexname</para>
        </col>
        <col>
          <para>Field</para>
        </col>
        <col>
          <para>Characteristics</para>
        </col>
      </thead>
      <row>
        <col>
          <para>unl_pk</para>
          <para>(unprocessed_l_unprocessedid_key)</para>
        </col>
        <col>
          <para>unprocessedid</para>
        </col>
        <col>
          <para>Primary key</para>
        </col>
      </row>
    </table>
</paragraph>

<paragraph>
  <heading>The relationships.</heading>
<para>
Relationships with other tables:
</para>

<table cpos='llp{8cm}'>
      <thead>
        <col>
          <para>Fieldname</para>
        </col>
        <col>
          <para>Remote Table</para>
        </col>
        <col>
          <para>Remarks</para>
        </col>
      </thead>
      <row>
        <col>
          <para>objectid</para>
        </col>
        <col>
          <para>object</para>
        </col>
        <col>
          <para>Reference to the object that is reporting the data</para>
        </col>
      </row>
      <row>
        <col>
          <para>servicecode</para>
        </col>
        <col>
          <para>service</para>
        </col>
        <col>
          <para>Reference to the servicecode that is mentioned in the filename.</para>
        </col>
      </row>
    </table>
    <para>In the model this look like this:</para>
    <para>
      <picture src="erd-unplog.png" eps="erd-unplog"/>
    </para>
</paragraph>

<paragraph>
  <heading>Sample values.</heading>
    <para>To do</para>
</paragraph>
</subsubsection>

<subsubsection>
  <heading>user_gnucomo</heading>

<para>The <emph>user</emph> table contains the users that can login the monitoring application. It will also store if the users maintains the system. Mainly used for retrieval so properly indexed.</para>
<paragraph>
  <heading>The fields.</heading>
<para>
The fields are listed in the table below:
</para>

<table cpos='lllp{6cm}'>
      <thead>
        <col>
          <para>Fieldname</para>
        </col>
        <col>
          <para>Fieldtype</para>
        </col>
        <col>
          <para>Size</para>
        </col>
        <col>
          <para>Remarks</para>
        </col>
      </thead>
      <row>
        <col>
          <para>username</para>
        </col>
        <col>
          <para>Text</para>
        </col>
        <col>
          <para/>
        </col>
        <col>
          <para>Name the user is known by</para>
        </col>
      </row>
      <row>
        <col>
          <para>password</para>
        </col>
        <col>
          <para>Text</para>
        </col>
        <col>
          <para/>
        </col>
        <col>
          <para>Password</para>
        </col>
      </row>
      <row>
        <col>
          <para>active_sessionid</para>
        </col>
        <col>
          <para>Bigint</para>
        </col>
        <col>
          <para/>
        </col>
        <col>
          <para>Sessionnumber currently used by user. If this is set to 0 a user is not present on the system. Only one session can be open at a time.</para>
        </col>
      </row>
      <row>
        <col>
          <para>account_active</para>
        </col>
        <col>
          <para>Boolean</para>
        </col>
        <col>
          <para/>
        </col>
        <col>
          <para>Is the account currently active?</para>
        </col>
      </row>
      <row>
        <col>
          <para>security_level</para>
        </col>
        <col>
          <para>Int</para>
        </col>
        <col>
          <para/>
        </col>
        <col>
          <para>Given securitylevel to this user</para>
        </col>
      </row>
    </table>
</paragraph>

<paragraph>
  <heading>The indexes</heading>
<para>
The table is indexed on the following fields:
</para>
<table cpos='lll'>
      <thead>
        <col>
          <para>Indexname</para>
        </col>
        <col>
          <para>Field</para>
        </col>
        <col>
          <para>Characteristics</para>
        </col>
      </thead>
      <row>
        <col>
          <para>usr_pk</para>
        </col>
        <col>
          <para>username</para>
        </col>
        <col>
          <para>Primary key</para>
        </col>
      </row>
      <row>
        <col>
          <para>usr_active_sessionid</para>
        </col>
        <col>
          <para>active_sessionid</para>
        </col>
        <col>
          <para>Unique</para>
        </col>
      </row>
    </table>
</paragraph>

<paragraph>
  <heading>The relationships.</heading>
<para>
Relationships with other tables
</para>
<table cpos='lll'>
      <thead>
        <col>
          <para>Fieldname</para>
        </col>
        <col>
          <para>Remote Table</para>
        </col>
        <col>
          <para>Remarks</para>
        </col>
      </thead>
      <row>
        <col>
          <para>ObjectID</para>
        </col>
        <col>
          <para>Object</para>
        </col>
        <col>
          <para>Link to the object</para>
        </col>
      </row>
    </table>
    <para>In the model this look like this:</para>
    <para>
      <picture src="erd-usr.png" eps="erd-usr"/>
    </para>
</paragraph>
</subsubsection>
</subsection>
</section>

<section>
  <heading>Model of table-relations.</heading>

<para>The following model pictures the database as it has been described before.</para>
<para>
      <picture src="erd.png" eps="erd" scale="0.7"/>
</para>

</section>
</chapter>

<chapter>
  <heading>Warnings that can be detected.</heading>
</chapter>

    <chapter>
      <heading>User Interface.</heading>

    <para>To be determined in the near future.</para>
    </chapter>

    <chapter>
      <heading>The installation process.</heading>

    <para>Since the system must make maintenance and security easier to use, the burden of installation should as easy as possible. Where possible the installation script should take away as much work as possible. Where settings need to be done, this should be done through an interface. However at no point we take the user's right to understand and work with system. Configuration-files should be easy to understand and the choice must be there to do installation manually. </para>

    <section>
      <heading>Supported platforms.</heading>

    <para>The following two Linux distributions have been selected to be actively supported:</para>
    <itemize>
      <item>
        <para>Debian GNU/Linux (.deb packages)</para>
      </item>
      <item>
        <para>RedHat Linux (.rpm packages)</para>
      </item>
    </itemize>
    <para>We will try and facilitate as many operating systems client-side and as many unices server-side, but efforts on testing out of the projects will be very minimalistic to ensure that the project keeps delivering new version and new features. </para>
    </section>

    <section>
      <heading>Installation on the server.</heading>

    <para>The following steps will be part of a script, that can automatically perform these steps:</para>

<enumerate>
    <item>
      <para>Create the user <emph>gnucomo</emph>.</para>
    </item>
    <item>
      <para>Make the directory as described in the chapter <emph>Sending messages to the central gnucomo system</emph> in the subchapter <emph>directories</emph>.(server-side).</para>
    </item>
</enumerate>
    </section>

    <section>
      <heading>Installation on a UNIX-client.</heading>

    <para>The following steps will be part of a script, that can automatically perform these steps:</para>
<enumerate>
    <item>
      <para>Create the user <emph>gcm_client</emph>.</para>
    </item>
    <item>
      <para>Make the directory as described in the chapter <emph>Sending messages to the central gnucomo system</emph> in the subchapter <emph>directories</emph> (client-side).</para>
    </item>
    <item>
      <para>Creation of the database user gcm_input. This user has only the right to enter data into the database. There are no deletion, update or select-permissions.</para>
    </item>
</enumerate>

    </section>
    </chapter>

    <chapter>
      <heading>Dependency on other free software.</heading>
    <para>The following list is a set of applications that will be used on to make our application work:</para>
    <table cpos='lp{8cm}l'>
      <thead>
        <col>
          <para>Application</para>
        </col>
        <col>
          <para>Needed for</para>
        </col>
        <col>
          <para>Client/Server</para>
        </col>
      </thead>
      <row>
        <col>
          <para>gpg</para>
        </col>
        <col>
          <para>The encryption of the information being transferred between the two systems.</para>
        </col>
        <col>
          <para>Client</para>
          <para>Server</para>
        </col>
      </row>
      <row>
        <col>
          <para>GNU/Linux</para>
        </col>
        <col>
          <para>The basic operating system. Allthough the system might work very well on all types on versions of Linux, FreeBSD, OpenBSD or any unices the main focus for distribution is given to: Debian GNU/Linux and RedHat Linux (the downloadable iso-version). </para>
        </col>
        <col>
          <para>Server</para>
        </col>
      </row>
      <row>
        <col>
          <para>mail</para>
        </col>
        <col>
          <para>The application enabling the sending of messages.</para>
        </col>
        <col>
          <para>Client</para>
          <para>Server</para>
        </col>
      </row>
      <row>
        <col>
          <para>openssh</para>
        </col>
        <col>
          <para>If e-mail is not used this application will deliver the file-copy</para>
        </col>
        <col>
          <para>Client</para>
          <para>Server</para>
        </col>
      </row>
      <row>
        <col>
          <para>PostgreSQL</para>
        </col>
        <col>
          <para>The database where all the signals from client will be stored.</para>
        </col>
        <col>
          <para>Client</para>
        </col>
      </row>
    </table>
    <para/>
    </chapter>

    <chapter>
      <heading>Settings on the server machine.</heading>

    <section>
      <heading>Required.</heading>

    <para>The following settings are required to ensure that the functionality is as much as expected.</para>

    <subsection>
      <heading>Timezone in GMT (UTC).</heading>

    <para>Since all international traffic registers all entries in UTC (Universal Time Coordinate) this system will do so as well. Therefore the clock has to be adjusted to that as well as the system settings.</para>
    <para>These settings can found on a RedHat computer in the <code>/etc/sysconfig/clock-file</code>. On Debian this stored in the file <code>/etc/timezone</code>.</para>
    </subsection>
    </section>

    <section>
      <heading>Suggested.</heading>

    <subsection>
      <heading>Use NTP.</heading>

    <para>If a computer is running for some time the clocks tend to be off the correct time. This makes it harder to detect what exactly happened exactly at what moment in time and reduce value of log-entries. Especially considering that ultimately all data is gathered in one central system. To overcome this Network Time Protocol (NTP RFC 13025 March 1992) has been created that explains a protocol to synchronize clocks through the Internet. Many operating systems like Microsoft Windows 2000 Server and FreeBSD, OpenBSD and Linux  support this. A ntp-server (or ntpd) can be found at: http://www.eecis.udel.edu/~ntp/ It is strongly recommended that you use this.</para>

    </subsection>
    </section>
    </chapter>

    <chapter>
      <heading>Settings on the client machine.</heading>

    <section>
      <heading>Required.</heading>
    </section>

    <section>
      <heading>Suggested.</heading>

    <subsection>
      <heading>Use NTP.</heading>

    <para>If a computer is running for some time the clocks tend to be off the correct time. This makes it harder to detect what exactly happened exactly at what moment in time and reduce value of log-entries. Especially considering that ultimately all data is gathered in one central system. To overcome this Network Time Protocol (NTP RFC 13025 March 1992) has been created that explains a protocol to synchronize clocks through the Internet. Many operating systems like Microsoft Windows 2000 Server and FreeBSD, OpenBSD and Linux  support this. A ntp-server (or ntpd) can be found at: http://www.eecis.udel.edu/~ntp/ It is strongly recommended that you use this.</para>

    </subsection>
    </section>
    </chapter>

    <chapter>
      <heading>Appendices.</heading>

    <section>
      <heading>Appendix A. GNU Public License Version 2, June 1991.</heading>

    <para>Copyright (C) 1989, 1991 Free Software Foundation, Inc.</para>
    <para>59 Temple Place, Suite 330, Boston, MA 02111-1307 USA</para>
    <para>Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.</para>

    <subsection>
      <heading>Preamble</heading>
    <para>The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too. </para>
    <para>When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.</para>
    <para>To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it.</para>
    <para>For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.</para>
    <para>We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. </para>
    <para>Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations.</para>
    <para>Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all.</para>
    <para>The precise terms and conditions for copying, distribution and modification follow.</para>
    <para>GNU GENERAL PUBLIC LICENSE</para>
    </subsection>

    <subsection>
      <heading>TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION</heading>

<enumerate>
    <item>
      <para>This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The &quot;Program&quot;, below, refers to any such program or work, and a &quot;work based on the Program&quot; means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term &quot;modification&quot;.) Each licensee is addressed as &quot;you&quot;.</para>
    <para>Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. </para>
    </item>
    <item>
      <para>You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.</para>
    <para>You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.</para>
    </item>
    <item>
      <para>You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:</para>
    <para>a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.</para>
    <para>b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.</para>
    <para>c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)</para>
    <para>These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.</para>
    <para>Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.</para>
    <para>In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.</para>
    </item>
    <item>
      <para>You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:</para>
    <para>a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, </para>
    <para>b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,</para>
    <para>c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)</para>
    <para>The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.</para>
    <para>If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.</para>
    </item>
    <item>
      <para>You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.</para>
    </item>
    <item>
      <para>You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.</para>
    </item>
    <item>
      <para>Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein.</para>
    <para>You are not responsible for enforcing compliance by third parties to this License.</para>
    </item>
    <item>
      <para>If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.</para>
    <para>If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.</para>
    <para>It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.</para>
    <para>This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.</para>
    </item>
    <item>
      <para>If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.</para>
    </item>
    <item>
      <para>The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.</para>
    <para>Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and &quot;any later version&quot;, you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.</para>
    </item>
    <item>
      <para>If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.</para>
    </item>
</enumerate>
    </subsection>
    <subsection>
      <heading>NO WARRANTY</heading>
<enumerate>
    <item>
      <para>BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVidE THE PROGRAM &quot;AS IS&quot; WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.</para>
    </item>
    <item>
      <para>IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.</para>
    </item>
</enumerate>
    <para>END OF TERMS AND CONDITIONS</para>
    </subsection>
    <subsection>
      <heading>How to Apply These Terms to Your New Programs</heading>
    <para>If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. </para>
    <para>To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the &quot;copyright&quot; line and a pointer to where the full notice is found.</para>
    <para>&lt;one line to give the program's name and a brief idea of what it does.&gt; Copyright (C) &lt;year&gt; &lt;name of author&gt; This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.</para>
    <para>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.</para>
    <para>You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA</para>
    <para>Also add information on how to contact you by electronic and paper mail.</para>
    <para>If the program is interactive, make it output a short notice like this when it starts in an interactive mode:</para>
    <para>Gnomovision version 69, Copyright (C) year name of author</para>
    <para>Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.</para>
    <para>This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details.</para>
    <para/>
    <para>The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program.</para>
    <para>You should also get your employer (if you work as a programmer) or your school, if any, to sign a &quot;copyright disclaimer&quot; for the program, if necessary. Here is a sample; alter the names:</para>
    <para>Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. </para>
    <para>&lt;signature of Ty Coon&gt;, 1 April 1989 Ty Coon, President of Vice</para>
    <para>This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License.</para>
    </subsection>
    </section>
    </chapter>
  </book>
</doc>