1 <?xml version="1.0" encoding="UTF-8"?>
2 <!DOCTYPE doc SYSTEM "/usr/local/xslt/doc.dtd">
3 <doc style="main.css" xmlns:xlink="http://www.w3.org/1999/xlink">
8 <subtitle>GNU COMPUTER MONITORING</subtitle>
9 <subtitle>A system for interactive system monitoring.</subtitle>
10 <subtitle>Development manifest</subtitle>
12 <author>Brenno J.S.A.A.F. de Winter, De Winter Information Solutions</author>
13 <author>Arjen Baart, Andromeda Technology & Automation</author>
14 <date>November 15, 2002.</date>
16 <infoitem label="Version">0.22</infoitem>
24 <heading>About this document.</heading>
27 This document describes the technical specifications for the Gnucomo project.
28 It will describe the functionality achieved, design specifications and choices made.
29 The document will be the manifest for the developers to work in the same direction
30 and not run into unneeded disappointments.
34 <heading>History of the document.</heading>
36 <table cpos='lp{3cm}lp{5cm}'>
38 <col>Version</col><col>Author</col><col>Date</col><col>Remarks</col>
41 <col>0.l</col><col>Brenno de Winter</col><col>Jul 11, 2002</col>
47 <col>0.11</col><col>Arjen Baart</col><col>Jul 12, 2002</col>
49 Additional guidelines and dataflow diagram.
53 <col>0.12</col><col>Brenno de Winter</col><col>Jul 15, 2002</col>
59 <col>0.13</col><col>Arjen Baart</col><col>Jul 16, 2002</col>
61 Entity-relationship model added.
65 <col>0.14</col><col>Brenno de Winter</col><col>Jul 17, 2002</col>
67 Based on feedback. Small changes to the datamodel and finishing touches
68 in lay-out of the tables. Added some examples.
72 <col>0.15</col><col>Brenno de Winter, Arjen Baart</col><col>Jul 21, 2002</col>
74 Additional feedback processed, indexes added, ERD added and SQL-script created.
78 <col>0.16</col><col>Brenno de Winter</col><col>Aug 7, 2002</col>
80 Communication handling added.
84 <col>0.17</col><col>Brenno de Winter</col><col>Aug 11, 2002</col>
86 <para>* Description of the client-side for communications.</para>
87 <para>* Several updates to the database descriptions, drawings added.</para>
88 <para>* More work on the installation chapter.</para>
89 <para>* Created an extra field to the unprocessed_log table and added
90 a between the table service and unprocessed_log.</para>
94 <col>0.18</col><col>Brenno de Winter, Peter Roozemaal</col><col>Aug 15, 2002</col>
96 <para>* Review done by Peter Roozemaal: adjusted intro and several clarifications made</para>
97 <para>* Arjen Baart: Adjustments to database drawings</para>
98 <para>* New installation recommendations</para>
102 <col>0.19</col><col>Arjen Baart</col><col>Aug 27, 2002</col>
108 <col>0.20</col><col>Arjen Baart</col><col>Oct 20, 2002</col>
110 Minor layout improvements
114 <col>0.21</col><col>Arjen Baart</col><col>Nov 07, 2002</col>
116 Installation instructions added.
117 Combined chapters 4 through 7 into one chapter (4).
121 <col>0.22</col><col>Arjen Baart</col><col>Nov 15, 2002</col>
123 Added parameters of monitored objects.
132 <heading>Aim of the project.</heading>
135 The number of log-files in a system and the tools in general do not make
136 monitoring a system simple. Quite often there is so much information that
137 attention for logfiles seems to fade away. For that reason monitoring routers
138 and clients is often not an option. Instead of timely detection of problems,
139 logs more often are used to find out what went wrong. When a system is
140 under attack early signals can often easily be detected<footnote>Just as in
141 real life there a signals that things are not going in the right direction.
142 For the attacks on September 11th 2001 there were many signals available
143 that could to have led to early detection: warnings of several intelligence
144 agencies, warnings within the FBI, flight schools that report strange
145 customers that want to steer a plane and don't seem to care about take
146 off and landing, people opening accounts under fake names.</footnote>
147 and preventive measures could have been taken if the time was only available.
151 The Gnucomo project is meant to make pro-active monitoring of computers
152 and devices easier. It will contain a set of applications that will
153 retrieve all types of monitoring information from devices and place
154 it into a database. Devices can be server computers, desktop computers,
155 PBX'es or other systems. By running checks the manual process of
156 watching log files can be reduced. Also an intelligent script can
157 see things that a human being will easy overlook. Gnucomo won't
158 relieve an administrator of all manual work on log-files, but will
159 increase the changes on actual monitoring.
162 With all this data being available at one central location the gnucomo-server
163 acts as some kind of black box for computer systems. If something does
164 happen the evidence will be available at a remote location available
165 for exploration<footnote>This analogy is based on a remarkable anecdote:
166 One a trip to US I spoke to a 747-captain of Air France. While talking
167 over several subjects we touched security. When we went some deeper I
168 touched the subject gnucomo and he told me that Air France was doing
169 the very same with real black boxes. By sending all the data to Paris
170 errors can be detected earlier and be resolved. In any less fortunate
171 case the cause of the crash might be detected sooner (or fuller).
172 For me this was a signal there is a point in working gnucomo because
173 the analogy is valid.</footnote>. Forensics will be made easier.
174 Also the collected data is available from multiple locations make
175 it easier to found more about an attack. The change that you overlook
176 things will be reduced.
179 Based on the entered data all sorts of analysis will be performed to discover
180 abnormalities a normal maintenance tool or IDS wouldn't be looking at.
181 An example could be a website in Dutch that suddenly obtains a lot of
182 attention from Greek visitors (based on the location of their
183 IP<footnote>That IP could also warn for other things like: excessive
184 data traffic from wireless connections at times that you wouldn't be
185 expecting traffic at all, absence of traffic when you would be expecting
186 some traffic at least or even what article is liked in which part of the world,
187 what regions poses the highest threat to the security of the system (based
188 on the location of the IP address).</footnote>). These abnormalities will
189 be presented as user-friendly as possible to increase awareness of the
190 state of the system. By doing that the system can also be used for more
191 complex analysis. One than can look at long-term trends like hacking
192 attempts that take place, new exploits that are tried all of a sudden
193 or signs of distributed attacks or a certain pattern of attempts<footnote>A portscan
194 that last three days is hard to detect with a real-time IDS,
195 while gnucomo would discover this anyhow. With correct intelligence
196 one portscan from multiple IP-addresses can be related.</footnote>.
199 Also extra data will be gathered where ever possible to save time to
200 the administrator. If IP address attract attention of gnucomo the next
201 logical step would be to use tools like dig, whois and visiting arin-related
202 websites. This data will automatically be collected in an early stage and
203 stored in the database.
206 The results will be gathered in a warning system.
207 Those warnings will be presented to the administrative person
208 who is responsible for that particular machine or network.
209 Having multiple systems in the system can add to the intelligence that
210 can be gathered. The interface will be web-based and aimed at user-friendliness.
213 Since multiple systems can enter data into the Gnucomo database more
214 intelligent hardware and security detection can be done.
215 When things do go wrong Gnucomo contains as much information as
216 possible to figure out what happened and assist in the forensics.
217 Since research on the signals afterwards is broader more attention
218 will be given as much data as possible and do less filtering.
221 With the data in the database also policies can be checked automatically
222 retro-actively so that the security leaves some room to stretch some rules.
223 This may sound not logic, because one of the main functions of security is
224 to enforce rules. But some rules are made with the different meanings.
225 For instance: a rule may be that private browsing isn't allowed.
226 The background of such a rule might be to try and reduce the amount
227 of data traffic (too many people downloading mp3's, or people not
228 getting to work anymore). By monitoring that specific fact
229 (bandwidth spent on non-business related Internet use)
230 it's possible to be relaxed on that rule and enable many good-willing
231 users reading his/hers daily newspaper.
234 The scope of the project is clearly limited to monitoring and not to
235 offer automated maintenance or web-based maintenance.
236 There are other projects currently being able to provide that
237 functionality. We will focus on intelligence and user-friendliness
238 of representation of facts presented. A warning should trigger
239 an administrator to get up and do something using the tools he or she values the most.
242 Also we are not aiming to replace great tools like SNORT as a real-time IDS.
243 These tools can do thing, that in the beginning won't be a part of gnucomo
244 out of performance reasons. Also there is no need to duplicate what they
245 already did. If that energy is placed in intelligent we're very complimentary.
246 Gnucomo can however be a reality check on an existing NIDS (Network Intrusion
247 Detection System). For instance if warnings keep coming it may be time to
248 rethink the rules that have been set.
252 This evolves to the following list of functions gnucomo can provide:
255 <item> Intrusion detection </item>
256 <item> Detecting hacker attempts </item>
257 <item> Early detection of system failures </item>
258 <item> Exhaustion of system resources </item>
259 <item> Capacity planning for future expansion </item>
260 <item> Spotting bottlenecks in a system. </item>
261 <item> Verifying system integrity </item>
262 <item> Assistance with troubleshooting </item>
263 <item> Perform post-mortem forensics </item>
264 <item> Incident response system. </item>
269 <heading>Decisions for the overall system.</heading>
272 In order to get the project running we have to make some decisions before
273 we can start. Of course are the decisions always open for review,
274 but initially our main aim is to get a system running. This doesn't
275 mean that we allow a lesser architecture, but more that we create an
276 environment that will lead to results.
279 The following decisions apply to the system in general:
283 The major part of the system will be used for security features.
284 The solution itself has to be secure.
287 In general we strive to be as platform and application independent as possible.
288 However to achieve software to get ready and to assure progress some selections
289 will have to be made excluding options for applications<footnote>An example is
290 in the database. By using stored procedures and triggers MySQL cannot be used.
291 However the data integrity at that point is more important than the ability to
292 use MySQL.</footnote>. Where possible we will enable ports to other applications
296 The computers collecting the data will only be Linux machines,
297 with future support for other Unices. However it is not aim our
298 to port this part of the project to other platforms just now.
301 The database system will make heavy use of stored procedures and
302 triggers and thus lock out some less feature-full database.
305 Although we're not married to a database system initially this will be
306 PostgreSQL only so that we can build for results. The code however
307 shouldn't be build to deliberately lock outer systems.
308 Other database that might be interesting to add: DB2, Oracle
309 (if the rainfall of security advisories seems to be over) and Informix.
312 The interface for the user will be a web-interface written in PHP
313 with PostgreSQL-database access. Despite the fact that initially
314 this will be the preferred way to communicate with our system,
315 other interfaces are welcome and should be supported.
318 The technologies used for the daemons on the central site and remote
319 site are open for discussion. A decision is made when it is clear what
320 exactly will be needed to code.
323 The original logfiles on systems will not be harmed in any way,
324 but will be saved the way they presented to gnucomo.
327 In the database processed data as well as raw data will be stored.
330 Our main aim is to ease the life of the administrator when dealing with
331 the symptoms of a machine so that he doesn't miss important notifications.
332 The project will be made around detection. We won't focus on making a
333 maintenance applications but solely on monitoring, because other applications
334 like webmin or linuxconf do already deliver such functionality.
335 We are complementary to those applications. This doesn't mean that
336 the system cannot send SMS'es, e-mails or make alarms sound.
339 Any output of the logbook will be stored and sent within a certain
340 interval which can be set. By doing that the mechanism will not flood
341 the total mechanism and overload machines.
344 When applications for gnucomo we will try and do the non-server part
345 as platform independent as possible. This in order to prevent writing
346 a same application multiple times. For instance one for Unices, one
347 for Macintosh and one for Microsoft.
350 To ensure the quality of software and to prevent any unwanted functionality
351 rolling into the project all code will be reviewed by one of the lead members
352 before it is accepted. Since this project is aimed at throughput speed no
353 formal procedures will be enforced, but we promise not to let software in
354 that hasn't been checked.
361 <heading>Overall system Architecture</heading>
364 The overall systems aims to make maintenance data better accessible and by
365 doing that lowering the barrier to be on alert for intrusions,
366 system failure and other misery that can happen to computer systems.
367 Also more systems can be monitored and even focus can be placed on desktop computers,
368 something that nowadays rarely happens. Since the solution is only aimed at
369 monitoring (with some responses possible) other people can watch their system(s)
370 without being Administrator<footnote>This can be interesting for people using
371 this service and not doing their own maintenance (smaller companies).
372 If technical action needs to be taken a warning can be send to an administrator.
373 This saves costs and time.</footnote>.
376 The main system will know to sides:
380 <item> Central Application - server </item>
381 <item> Monitored System - client </item>
385 The project has been setup as a two sided system in order to be able to
386 guard many computers at the same time.
387 However it may be obvious that both sides of the application can very
388 well be installed on a single system.
391 To monitor a system, Gnucomo uses two kinds of input: <emph>event</emph> and
392 <emph>parameters</emph>. Events occur on a system while it is running and reflect
393 the transient behaviour of the system.
394 Parameters reflect the current state of the system.
395 The most obvious way to gather events from a monitored system is to read
396 the system log files.
397 Examples of events are IP packets that are rejected by the firewall or clients
398 that access the http daemon.
399 Parameters are obtained for example by reading configuration files or kernel
401 Examples of parameters are the size and free space of a filesystem or
402 the users that are listed in the password file.
403 Both kinds of input are obtained actively or passively, i.e. by installing probe
404 agents in the system which regularly aquire the system's parameters or passively
405 by sending the output of programs to the Gnucomo server.
408 When signals<footnote>A signal can be the outcome of process that finished,
409 logbook entries, warnings from intrusion detection systems,
410 etc. </footnote> arrive they will be stored in a file.
411 When this file is delivered to a certain directory a daemon will detect
412 this and start the transfer of the file. The file will be transferred
413 to the central application or the client. This transfer will be triggered
414 immediately after a process has finished or with a certain time-interval
415 when it concerns a logbook. All output will be placed in a directory where
416 the daemon detects it and ensures the transport. For transport currently
417 only two mechanisms will be supported:
421 Encrypted file copy relying on the SSH protocol.
422 On Unix-based systems this will scp (secure copy).
425 E-Mail. The e-mail is encrypted and signed using gpg and then sent to the server.
426 Since the file format will identify the type-of-output the Subject-field of
427 the e-mail is not really needed.
432 <heading>Central Application: signal handler.</heading>
437 <picture src="architecture.png" eps="architecture"/>
440 Illustration 1 Basic overview of the processes on the server.
443 On one machine signals from the network will come in.
444 These signals can be logfiles, result files from applications,
445 remarks entered by the administrator or whatever.
446 Data delivery takes place into a certain directory.
447 A daemon detects that data has come in and will enter it into the database.
448 Once in the database stored procedures and triggers will recognize certain
449 behavior and generate alerts. The user responsible for the server will be
450 confronted with the alerts and can mark them, add comments to it or ignore them.
451 Also it will be possible to do intelligent analysis on not so logical relations
452 per computer or across computers<footnote>A good example could be a portscan
453 on a system that takes place during a week. Normal a simple portscan takes
454 place in a couple of minutes and will thus be easy to detect.
455 By taking a longer period such a scan is harder to detect. </footnote>. Such
456 scripts make detection possible, that is too time consuming to do during
457 processing of the data.
462 <heading>Data processing.</heading>
464 <para>The data processing has four tasks:</para>
467 Extracting data from e-mail and store it in the input-buffer.
468 This can be done by a daemon that checks the e-mail<footnote>It would be logical
469 to place an e-mail server like sendmail or postfix on the server.
470 In many cases the monitored computer will be featuring a SMTP daemon.
471 If a system is comprimised no evidence that comes through will be really
472 trustworthy. By sending it to another machine all evidence that is
473 available will have left the system the moment a hack takes place.</footnote>
474 with a certain interval extracts the e-mails and leave the content
475 in a file in the input buffer. This daemon has only rights to write
476 to the directory it has to write to. <emph>We may as well have the
477 email captured directly by a program with a
478 "gnucomo: |/usr/local/bin/gnucomo-input" - like alias.</emph>
481 Detect files in the input buffer decrypt the content and verify the signature.
482 Another daemon will see the log-files and starts checking if the origin is
483 correct (by verifying the signature) and decrypting the content.
484 The legible files will be processed by entering the data into the database.
487 The database will accept the data and perform a certain number of
488 checks as the data comes in. During the processing of the data
489 abnormalities will be detected and entered into a notification table.
490 The database system will also carry out more complex tasks on given
491 moments in time and enter them as well in the notification table.
494 The database system must be able to undertake action when high
495 alerts are being entered into the database.
496 This can be a couple of things to begin with:
497 send an e-mail or SMS. In a later stage other technologies may be added as well.
498 In this scheme we also make a possibility to escalate problems when no
499 action is taken in a certain amount of time.
504 <heading>System Parameters</heading>
507 Gnucomo maintains the operational parameters of a monitored system for a
509 The most important reason is to create notifications when somthing about a
510 parameter changes while the parameter is not supposed to change.
511 Such a change may be intended by the system administrator, e.g. when a
512 package is upgraded, or there may be something wrong.
513 In any case, you will want to know about a change in your system when it happens.
514 Furthermore, a change history of a parameter's values will come in
515 handy when you want to look back in time and figure out
516 what happened in the past.
517 Another usefull application of parameters concerns the maintenance of a
518 large number of similar systems.
519 When the parameters of each system are reported regularly to Gnucomo,
520 deviations from the 'standard' system configuration can be easily spotted.
523 Some properties of parameters are supposed to change regularly.
524 A changed value of such a property will of course not lead to any
526 On the other hand, the change history of these parameters may provide
527 interesting information about the monitored system.
528 This leads to the distiction between static and dynamic properties of parameters.
529 The difference between dynamic and static properties manifests itself mainly
530 in the change history of the parameter's property.
531 Dynamic properties typically have a change record once a day or even a couple
533 Change records for static properties are usually months apart.
536 The state of parameters is scanned or probed regularly on a client system
537 and reported to the Gnucomo server.
538 These reports can be created in a variety of ways.
539 For example, filesystems are reported with 'df', installled packages with 'rpm -qa',
540 users by reading /etc/passwd, etc.
541 Many other probing methods may be implemented.
542 Each report from a probe holds the current value of several parameters.
543 Gnucomo will check each property of these parameters against the stored knwon value.
544 If the property's value changed, the actual value in the database is updated
545 and a record is added to the change history of the parameter.
551 <heading>Web interface</heading>
554 The web interface will used to interact with the user.
555 The interface should be intuitive and easy to understand.
556 More important warnings should directly draw attention.
557 The user must be able to perform settings so that warnings
558 can be rated differently than the original settings.
561 The interface will do the following things:
565 Show a list of warnings that are currently open.
568 It must be possible to sort the list on all the fields shown.
571 Deliver detailed information (logbook entries) upon request that have led to the warning.
574 Undertake certain actions like sending
575 <reference href="mailto:abuse@internet-provider.net">abuse@internet-provider.net</reference>
576 e-mails with information.
579 Monitor actions on outstanding issues.
586 <heading>Priority mechanism.</heading>
588 Each notification has a certain priority that requires a different handling
589 of the issue. How each priority will be dealt with is something that can
590 be set per server. The priority mechanism is a simple system of five
591 categories (can be more or less).
596 <heading>The dataflow diagram.</heading>
597 <para>The main dataflow will be as follows.</para>
599 <picture src="dataflow.png" eps="dataflow" scale="0.7"/>
605 <heading>Sending messages to the central gnucomo system.</heading>
608 One of the main tasks is getting all the messages to the database.
609 Ultimately gnucomo will support multiple ways of receiving the data.
610 Basically anything goes, but two mechanisms will be supported in the project
615 E-mail. Messages and elements from logfiles will be sent through e-mail.
618 File copy. Using technologies like scp or ftp (not preferred due to
619 the insecure nature) can place files directly in the receiving directory.
624 <heading>Ensuring data integrity.</heading>
625 <para><TO BE DESCRIBED></para>
629 <heading>Directories and filenames on the server.</heading>
632 Files will be dealt with as if gnucomo were a user (actually there will
633 be a user gnucomo). The files will be placed in the <code>/home/gnucomo/</code> directory.
634 Only <code>/home/gnucomo/incoming/dropbox/</code> can be used to save data in
635 from external systems. All other directories are only available for the user gnucomo.
636 The filename will represent the data that is received. The details are seperated with
637 underscores. When data is sent by e-mail the filename will be written in the first
638 line of the e-mail. A typical filename looks like this:
642 <strong>3_messages_20020807235208_1.asc</strong>
646 the logic behind this is following:
650 <emph>urgency_typeofmessage_timestamp_objectid.typeoffile.</emph>
653 <table cpos='lp{10cm}'>
656 <para>Part of filename</para>
659 <para>Explanation</para>
667 <para>This indicates the urgency of the file. The lower the number the higher
668 it will rank when an overview is given. Standard files are ranked value 3.
669 The ranking works as follows:</para>
670 <para>* 1 <strong>Urgent flash message.</strong> Something urgent needs to
671 be reported. This is only used for emergencies like serious alarms.</para>
672 <para>* 2 <strong>Rapid delivery.</strong> An important message has to get
673 through that is more important than normal delivery, but is not top
674 priority like an emergency.</para>
675 <para>* 3 <strong>Normal.</strong> This is used in most
676 case for normal messages.</para>
677 <para>* 4 <strong>Low priority.</strong> This is data would be useful
678 to place into the system as nice to have.</para>
683 <para>TypeOfMessage</para>
686 <para>This is an indicator what type of data is delivered to gnucomo.
687 There are several categories:</para>
688 <para>* <strong>cron.</strong> This data comes from the /var/log/cron-log (unix).</para>
689 <para>* <strong>httpaccess.</strong> This data comes from the normal http-log (Apache).</para>
690 <para>* <strong>httperror.</strong> This data comes from the http_error-log (Apache).</para>
691 <para>* <strong>maillog.</strong> This data comes from the /var/log/maillog (unix).</para>
692 <para>* <strong>messages.</strong> The data delivered here comes from
693 the /var/log/messages file (unix)</para>
694 <para>* <strong>text.</strong> This file contains a message in plaintext
695 generated by a gnucomo-client and can be anything.
696 It will be dealt with as plaintext.</para>
701 <para>Timestamp</para>
704 <para>The timestamp is made in war-log (YYYYMMDDHHMMSS) format.
705 The timestamp is generated on the client in GMT (to discover
706 discrepancies in timing).</para>
711 <para>Objectid</para>
714 <para>The objectid is the id that is used within the central
715 gnucomo system to recognize the client.
716 Based on this entry the database can link the data to the correct object.
717 Also gpg can obtain the correct e-mail address (by running a query
718 in the database) for verification of the signature of the crypted message.</para>
723 <para>TypeOfFile</para>
726 <para>Indicates the file type:</para>
727 <para>* <strong>asc.</strong> Plaintext ASCII</para>
728 <para>* <strong>gpg.</strong> gpg-crypted data.</para>
729 <para>* <strong>und.</strong> Undertermined data. When files
730 come in by e-mail it is not 100% sure if they are crypted
731 or not. These data has first to be analyzed before it is
732 moved to the correct queue. </para>
738 <heading>Directory for incoming data.</heading>
741 For incoming messages there will be separate directories
742 (<code>/home/gnucomo/incoming/</code>)for:
746 Dropbox. This directory is ready to receive data from all sorts of systems.
747 This directory is world writeable (<strong><emph>but not deleteable!</emph></strong>):
748 <code>/home/gnucomo/incoming/dropbox/</code>
751 Encrypted messages. In this directory messages will be placed that are still
752 gpg-crypted. In this directory the files await decryption and verification of
753 the signature. This directory is: <code>/home/gnucomo/incoming/crypted/</code>
756 Decrypted with errors. During the decryption exercise anything can go wrong.
757 Decrypting can fail or the signature may show errors. If this happens the
758 original message is moved to a different directory:
759 <code>/home/gnucomo/incoming/cryptfail/</code>
762 Inbox. After successful decryption the decrypted message is moved to the inbox.
763 Data that is not encrypted can be moved here from the dropbox after certain
764 verifications. The directory is: <code>/home/gnucomo/incoming/inbox/</code>
767 Processed. After processing the data the file is stored in the directory
768 processed for further reference for a certain amount of time.
769 The directory is: <code>/home/gnucomo/incoming/processed/</code>
772 Archive. After a certain period the files will be archived.
773 Since not every system will archive everything this directory may
774 also be a symbolic link to <code>/dev/null</code>.
775 The used directory is: <code>/home/gnucomo/archive/</code>
781 <heading>Directory for outgoing data.</heading>
784 For outgoing messages the directory <code>/home/gnucomo/outgoing</code> will
785 be used. This directory knows a couple of sub directories:
790 Dropbox. This directory is used by the central gnucomo system to
791 place outgoing messages in.
792 The used directory is: <code>/home/gnucomo/outgoing/dropbox/</code>
795 Outbox. After processing the message (including signing and encrypting
796 when applicable) the messages are placed in the outbox:
797 <code>/home/gnucomo/outgoing/outbox/</code>
800 Processed. After processing the data the file is stored in the
801 directory processed for further reference for a certain amount
802 of time. After sending a message a confirmation will be made that
803 is saved as an incoming message.
804 The directory is: <code>/home/gnucomo/outgoing/processed/</code>
807 Archive. After a certain period the files will be archived.
808 Since not every system will archive everything this directory
809 may also be a symbolic link to <code>/dev/null</code>.
810 The used directory is: <code>/home/gnucomo/archive/</code>
817 <heading>Overview. </heading>
819 <para>The total directory-structure looks like this:</para>
823 /home/gnucomo/archive
824 /home/gnucomo/incoming
825 /home/gnucomo/incoming/crypted
826 /home/gnucomo/incoming/cryptfail
827 /home/gnucomo/incoming/dropbox
828 /home/gnucomo/incoming/inbox
829 /home/gnucomo/incoming/processed
830 /home/gnucomo/outgoing
831 /home/gnucomo/outgoing/dropbox
832 /home/gnucomo/outgoing/outbox
833 /home/gnucomo/outgoing/processed
840 <heading>Directories on the client-side.</heading>
843 On the client-side the files that need to be transmitted will be placed in a
844 directory system as well. In the future this system may not be in use at all
845 devices (routers, certain MS Windows-machine, IP Telephones, etc.). For those
846 systems a different mechanism will become be described here.
847 Initially we focus on Linux systems that will enter data into the database.
850 The filename convention will be totally identical to the filename
851 convention on the server, since this the same mechanism.
854 To facilitate gnucomo client and server on one and the same machine
855 the gnucomo-client should have a different default user.
856 For this purpose the user <strong>gcm_client</strong> will be created.
860 <heading>Directory for incoming data.</heading>
862 For incoming messages there will be separate directories
863 (<code>/home/gnucomo/incoming/</code>)for:
867 Dropbox. This directory is ready to receive data from all sorts of systems.
868 This directory is world writeable (<emph><strong>but not deleteable!</strong></emph>):
869 <code>/home/gcm_client/incoming/dropbox/</code>
872 Encrypted messages. In this directory messages will be placed that
873 are still gpg-crypted. In this directory the files await decryption
874 and verification of the signature.
875 This directory is: <code>/home/gcm_client/incoming/crypted/</code>
878 Decrypted with errors. During the decryption exercise anything can go wrong.
879 Decrypting can fail or the signature may show errors.
880 If this happens the original message is moved to a different directory:
881 <code>/home/gcm_client/incoming/cryptfail/</code>
884 Inbox. After successful decryption the decrypted message is moved
885 to the inbox. Data that is not encrypted can be moved here from
886 the dropbox after certain verifications. The directory is:
887 <code>/home/gcm_client/incoming/inbox/</code>
890 Processed. After processing the data the file is stored
891 in the directory processed for further reference for a
892 certain amount of time. The directory is:
893 <code>/home/gcm_client/incoming/processed/</code>
900 <heading>Directory for outgoing data.</heading>
903 For outgoing messages the directory <code>/home/gcm_client/outgoing</code> will be used.
904 This directory knows a couple of sub directories:
908 Dropbox. This directory is used by the central gnucomo system to place
909 outgoing messages in.
910 The used directory is: <code>/home/gcm_client/outgoing/dropbox/</code>
913 Outbox. After processing the message (including signing and
914 encrypting when applicable) the messages are placed in the outbox:
915 <code>/home/gcm_client/outgoing/outbox/</code>
918 Processed. After processing the data the file is stored in the
919 directory processed for further reference for a certain amount
920 of time. After sending a message a confirmation will be made
921 that is saved as an incoming message.
922 The directory is: <code>/home/gcm_client/outgoing/processed/</code>
928 <heading>Overview. </heading>
929 <para>The total directory-structure looks like this:</para>
933 /home/gcm_client/archive
934 /home/gcm_client /incoming
935 /home/gcm_client/incoming/crypted
936 /home/gcm_client/incoming/cryptfail
937 /home/gcm_client/incoming/dropbox
938 /home/gcm_client/incoming/inbox
939 /home/gcm_client/incoming/processed
940 /home/gcm_client/outgoing
941 /home/gcm_client/outgoing/dropbox
942 /home/gcm_client/outgoing/outbox
943 /home/gcm_client/outgoing/processed
950 <heading>Getting data into the database.</heading>
953 The files in the /home/gnucomo/incoming/inbox/ should be stored in the database.
954 For this purpose there is a table <emph>unprocessed_log</emph>.
955 The data of the filename as well as the content of the file need
956 to be placed in one record.
959 There are some fields that have to be addressed immediately:
963 Servicecode: The servicecode will be obtained out of the filename the
964 is the type_of_message-field in the filename.
967 Objectid: This data is given in the filename it can be found
968 in the <emph>objectid</emph>-part of the filename.
971 Logdata: The data is saved as follows: filename (unaltered)
972 <CR>textual data of the file.
976 The daemon application that delivers the data is called <strong>gcm-input</strong>.
977 It performs the following steps with no extra functionality:
982 <para>Detect if a file is available.</para>
985 <para>Write the data in the database.</para>
990 To write the data in the database a database user gcm_input exists.
991 This user has only the right to enter data into the database.
992 There are no deletion, update or select-permissions.
999 <heading><label name='database'/>The database.</heading>
1002 The database is the heart of the system.
1003 It will contain all event-data of multiple computers.
1004 The intelligence that can be performed on the database will be placed there.
1005 To do this as integratedly as possible stored procedures and triggers will be used.
1006 To begin with we have selected checks to be performed that will be
1007 expanded throughout time.
1010 Since the gnucomo database and files contain sensitive data
1011 security measures have to be in place. Several database users
1012 will exist that have limited rights to perform a certain task
1013 ensuring some protection against unauthorized access.
1014 However these mechanisms on it's own will work fine, bad maintenance may still
1015 screw-up good security. Good database maintenance is needed.
1016 For the gnucomo the protection of the valid authentic nature of
1017 the data in the database has our highest priority.
1020 A <emph>table-name</emph> in this chapter is written in cursive writing.
1024 <heading>Database conventions.</heading>
1027 The database will be built according the following conventions:
1031 All names for tables, indexes and fields will be written in lower
1032 case and will be singular. Spaces in names are not allowed.
1035 If a table contains field referring to other tables the mother-tables are
1036 mentioned in alphabetical order with an underscore between the table-names.
1037 So <emph>object</emph> and <emph>user</emph>
1038 will make a third table <emph>object_user</emph>
1041 A data access user (being the interface) is not allowed to write to
1042 the log-entries and the warnings. To change the state of a warning
1043 a stored procedure will do so by having a different entry in a table.
1044 This should make it possible to discover who did what at which moment in time.
1047 The name of two related fields that make the relationship between two
1048 tables will be the same to avoid confusion.
1054 <heading>Database design.</heading>
1057 In the design we anticipate to deliver an as best as possible database performance.
1058 That means that data that needs to be entered occasionally can be heavily indexed
1059 to increase performance. However data that is mainly stored will only be indexed
1060 marginally to have the best possible performance on data entry. If during one of
1061 the checks on data-entry a notification is made, the information related to that
1062 notification will be indexed very well to increase retrieval performance.
1063 What we will try to avoid is that the user interface will cause full table
1064 scan and affect the performance of the overall system dramatically.
1065 One of the techniques to increase performance on display is to work with views.
1066 So where it is feasible we will use them.
1070 The following model pictures the database as described in the remainder
1074 <picture src="erd.png" eps="erd" scale="0.7"/>
1078 In general the database must also be maintained well.
1079 So daily maintenance scripts should keep the performance good<footnote>PostgreSQL seems
1080 to have very good features to do proper maintenance and they have to be exploited to
1081 the full extend.</footnote>.
1086 <heading>Actual design.</heading>
1089 In this part of the chapter the tables will be explained and then described
1090 with all important elements. Per table a sub-chapter will be created.
1091 Each table will have a table design, indexes, relationships and the required data
1092 (for those tables where the data itself is relevant in the design or sample data
1093 (for those cases where no set data is needed). For the relationships beside a
1094 description the subset of the total schema has been incorporated in
1095 the document so that it is more clear what exactly is meant.
1096 Due to the complex nature of the design those drawings sometimes will seem funny.
1099 For the fieldtypes the types of PostgreSQL will be used.
1100 These values can be found in Chapter 3 of the PostgreSQL User Manual
1101 (<reference href="http://www.postgresql.org/">http://www.postgresql.org</reference>).
1104 For indexes primary keys are always <emph>unique</emph> and called
1105 primary key in the name. Since unique indexes within PostgreSQL only
1106 work on B-Tree indexes (which is default) we will use B-Tree for all indexes.
1107 In cases where an exception is made the used type of index will be indicated
1108 in the characteristics. A footnote will explain why a different type of
1109 index has been selected.
1113 <heading>action</heading>
1116 In the table action all recognized actions that can be taken are stored.
1117 Several actions will lead to change in <emph>statuscode</emph>.
1118 However this doesn't apply to all actions<footnote>A status NEW
1119 of a notification that cannot be dealt with automatically will
1120 <strong>not</strong> change before a user looked at it.</footnote>.
1121 Actions take place through background processes and the interface.
1122 This table mainly is used for retrieval so indexing will be done as much as possible.
1126 <heading>The fields.</heading>
1129 The table below describes the fields:
1133 <table cpos='lllp{6cm}'>
1135 <col> Fieldname </col> <col> Fieldtype </col> <col> Size </col>
1141 <col> actionid </col> <col> Bigserial </col> <col> 8 </col>
1143 Autonumber bigint (eight bit)
1147 <col> actionname </col> <col> Text </col> <col> <para/> </col>
1149 Short descriptive name for the type of action
1153 <col> statuscode </col> <col> Varchar </col> <col> 3 </col>
1155 New status that will be given to a notification when this action takes place.
1159 <col> description </col> <col> Text </col> <col> <para/> </col>
1161 A longer description (without limit) on the action.
1170 <heading>The indexes.</heading>
1173 Indices for this table are:
1177 <col> Indexname </col> <col> Field </col> <col> Characteristics </col>
1180 <col> act_pk </col> <col> actionID </col> <col> Primary key </col>
1183 <col> act_actionname </col> <col> actionname </col> <col> Unique </col>
1186 <col> act_statuscode </col> <col> statuscode </col> <col> <para/> </col>
1193 <heading>The relationships.</heading>
1196 Relationships with other tables:
1198 <table cpos='llp{7cm}'>
1200 <col> Fieldname </col> <col> Remote Table </col> <col> Remarks </col>
1203 <col> actionid </col> <col> action_notification_user </col>
1205 Each action that takes place will be log. The Actionid will bring
1206 classification to the individual records. This relationship has to be enforced.
1210 <para>In the model this looks like this:</para>
1212 <picture src="erd-action.png" eps="erd-action"/>
1217 <heading>Default data in table.</heading>
1220 The data in this table is standard for the system and part of the design.
1221 The user cannot change this or add value to it.
1224 <table cpos='p{1cm}p{2cm}p{1.5cm}p{6cm}'>
1226 <col>Actionid</col><col>Actionname</col><col>Statuscode</col>
1232 <col>1</col><col>Entry in the system</col><col>NEW</col>
1234 This indicates that a notification is entered into the system. The status is a <strong>NEW</strong>.
1238 <col>2</col><col>Displayed to user</col><col>OPN</col>
1240 The notification has been displayed to the user.
1241 It is not guaranteed that the user has read the notification,
1242 but he/she should be aware of it.
1243 The status will now be changed to <strong>OPEN</strong> if the current
1244 status is <strong>NEW</strong>.
1248 <col>3</col><col>Remarks added</col><col>PEN</col>
1250 Remarks have been added to the notification. The status has now been
1251 changed to <strong>PENDING</strong>.
1255 <col>4</col><col>Priority changed manually</col><col>PEN</col>
1257 The priority of the notification has been changed by the user.
1258 The new status is now <strong>PENDING</strong>.
1262 <col>5</col><col>Priority changed automatically</col><col>PEN</col>
1264 The priority of the notification has been changed by the system.
1265 If the status is not <strong>OPEN</strong> or <strong>NEW</strong> the new
1266 status is become <strong>PENDING</strong>.
1270 <col>6</col><col>Action taken</col><col>PEN</col>
1272 A action has been taken. The status is now <strong>PENDING</strong>.
1276 <col>7</col><col>Assignment to user</col><col>PEN</col>
1278 A notification has been explicitly assigned to another user.
1279 The status is now <strong>PENDING</strong>.
1283 <col>8</col><col>More information or research needed.</col><col>INV</col>
1285 The notification is relevant and will be handled, however more information
1286 or research will be needed. The status is <strong>UNDER INVESTIGATION</strong>.
1290 <col>9</col><col>Make output reference.</col><col>REF</col>
1292 Automated output from an object has been sent to gnucomo.
1293 The input has been identified as a valid reference for future.
1294 Status is now <strong>REFERENCE</strong><footnote>A reference is used to
1295 find differences in output. This feature must reduce the number of wrongful alerts.
1296 Only if a change has taken place a notification is generated.
1297 First time reports will always generate a notification.
1298 By signing this off the system will be silent again.</footnote>.
1302 <col>10</col><col>Job output no longer reference.</col><col>CLS</col>
1304 By making a newer job output reference this output has been obsoleted.
1305 Since once it was a reference the notification can be closed.
1306 The new status for the notification is now <strong>CLOSED</strong>.
1310 <col>11</col><col>Action taken please verify.</col><col>VRF</col>
1312 An action has been taken and things should have been resolved.
1313 Before the notification can be closed a verification has to be done.
1314 New status is now <strong>VERIFY</strong>.
1318 <col>12</col><col>Action not accepted.</col><col>PEN</col>
1320 A check has been done and the results were not good.
1321 New verification is needed.
1322 New status is now <strong>PENDING</strong>.
1326 <col>13</col><col>Action verified</col><col>CLS</col>
1328 The verification for the action has been done and the action is approved.
1329 The new status is now <strong>CLOSED</strong>.
1333 <col>14</col><col>E-mail sent</col>
1334 <col>OPN<footnote>Only if the status is <strong>NEW</strong>.</footnote></col>
1336 An e-mail has been sent.
1340 <col>15</col><col> SMS sent </col>
1341 <col>OPN<footnote>Only if the status is <strong>NEW</strong>.</footnote></col>
1343 A SMS has been sent.
1347 <col>16</col><col>Fax sent</col>
1348 <col>OPN<footnote>Only if the status is <strong>NEW</strong>.</footnote></col>
1350 A fax has been sent.
1354 <col>17</col><col>Log-entries shown</col><col>XXXX</col>
1356 The log entries have been shown. No changes to the status made.
1360 <col>18</col><col>Notification closed</col><col>CLS</col>
1362 Notification has been closed.
1366 <col>19</col><col>Notification reopened</col><col>OPN</col>
1368 Notification has been re-opened
1377 <heading>Action_notification_user.</heading>
1380 In the table action_notification_user each step that is taken regarding a
1381 notification is logged. This table is very important for later use if
1382 something goes wrong, but is also relevant for the interface.
1383 All steps of a notification can be traced here.
1384 There will be a lot of entries here, but retrieval is more crucial for
1385 performance than data entry. So indexing on logic fields is very relevant.
1386 Processing might be slower, but that's worth the price.
1390 <heading>The fields.</heading>
1393 The table below describes the fields:
1396 <table cpos='lllp{6cm}'>
1398 <col> Fieldname </col> <col> Fieldtype </col> <col> Size </col>
1404 <col> actionstepid </col> <col> Bigserial </col> <col> 8 </col>
1406 Autonumber bigint (eight bit)
1410 <col> actionid </col> <col> Bigint </col> <col> 8 </col>
1412 Reference to the action that is being registered here.
1416 <col> username </col> <col> Text </col> <col> <para/> </col>
1418 The username of the user that is involved in the action.
1422 <col> notificationid </col> <col> Bigint </col> <col> 8 </col>
1424 Reference to the notification.
1428 <col> timestamp </col> <col> Timestamp </col> <col> <para/> </col>
1430 The time when the action has been entered into the system.
1431 This is the time without the timezone<footnote>The timestamp without
1432 time has been selected, since this is the system time.
1433 To have the system functioning without any physical borders one
1434 of the settings on the system is time in GMT (UTC).
1435 This ensures also the added value of the system log.</footnote>.
1436 This will be automatically added when the record is added into the database.
1440 <col> statuscode </col> <col> Varchar </col> <col> 3 </col>
1442 The status of the Notification
1446 <col> remarks </col> <col> Text </col> <col> <para/> </col>
1448 Remarks entered by the user if it concerns a manual action
1449 or the text of automatically generated warnings.
1457 <heading>The indexes.</heading>
1460 The table is indexed on the following fields:
1465 <col> Indexname </col> <col> Field </col> <col> Characteristics </col>
1468 <col> anu_pk (action_user_actionstepid_key) </col> <col> actionstepid </col>
1469 <col> Primary key </col>
1472 <col> anu_actionid </col> <col> actionid </col> <col> <para/> </col>
1475 <col> anu_username </col> <col> username </col> <col> <para/> </col>
1478 <col> anu_notificationid </col> <col> notificationid </col> <col> <para/> </col>
1481 <col> anu_timestamp </col> <col> timestamp </col> <col> <para/> </col>
1484 <col> anu_statuscode </col> <col> statuscode </col> <col> <para/> </col>
1490 <heading>The relationships.</heading>
1493 Relationships with other tables:
1495 <table cpos='llp{7cm}'>
1497 <col> Fieldname </col> <col> Remote Table </col>
1498 <col> Remarks </col>
1501 <col> actionid </col> <col> action </col>
1503 Indicates the action that has been taken. The relationship has to be enforced.
1507 <col> notificationid </col> <col> notification </col>
1509 Each action that takes place is registered in this table.
1510 By using the notification the relevant notification. The relationship has to be enforced.
1514 <col> username </col> <col> user </col>
1516 Each step in the process has to be related to the user.
1517 If the system itself generates an action the user will be
1518 <strong>gnucomo</strong><footnote>This implies that the system
1519 automatically has an username gnucomo.</footnote>.
1525 In the model this looks like this:
1528 <picture src="erd-anu.png" eps="erd-anu"/>
1534 <heading>Sample data.</heading>
1537 Since no data is delivered automatically a couple of sample records are shown here.
1540 <table cpos='p{1cm}p{1cm}p{1cm}lllp{4cm}'>
1542 <col> Actionstepid </col> <col> Actionid </col> <col> Notificationid </col>
1543 <col> Username </col> <col> Timestamp </col> <col> Status </col>
1544 <col> Remarks </col>
1547 <col> 1 </col> <col> 1 </col> <col> 1 </col> <col> Gnucomo </col>
1548 <col> 2002-07-14 16:14:09 </col> <col> NEW </col>
1550 Gnucomo detected a portscan
1554 <col> 2 </col> <col> 5 </col> <col> 1 </col> <col> Gnucomo </col>
1555 <col> 2002-07-14 16:14:09 </col> <col> NEW </col>
1561 <col> 3 </col> <col> 5 </col> <col> 1 </col> <col> Gnucomo </col>
1562 <col> 2002-07-14 16:14:09 </col> <col> OPN </col>
1564 <para>Automatic e-mail to user:
1565 <reference href="mailto:brenno@dewinter.com">brenno@dewinter.com</reference>:</para>
1566 <para>Gnucomo detected a portscan on system
1567 <reference href="http://gnucomo.dewinter.com/">gnucomo.dewinter.com</reference></para>
1571 <col> 4 </col> <col> 2 </col> <col> 1 </col> <col> Brenno </col>
1572 <col> 2002-07-14 16:18:09 </col> <col> OPN </col>
1574 Notification shown through webinterface.
1578 <col> 5 </col> <col> 17 </col> <col> 1 </col> <col> Brenno </col>
1579 <col> 2002-07-14 16:18:12 </col> <col> PEN </col>
1585 <col> 6 </col> <col> 4 </col> <col> 1 </col> <col> Brenno </col>
1586 <col> 2002-07-14 16:20:37 </col> <col> PEN </col>
1592 <col> 7 </col> <col> 3 </col> <col> 1 </col> <col> Brenno </col>
1593 <col> 2002-07-1416:21:58 </col> <col> PEN </col>
1595 After reviewing the logs I see a portscan. On very specific ports. More analysis needed.
1599 <col> 8 </col> <col> 3 </col> <col> 1 </col> <col> Brenno </col>
1600 <col> 2002-07-14 16:24:59 </col> <col> PEN </col>
1602 Services tables learns me that all services are aimed at Windows-based services.
1603 Attempts for platform specific expoits.
1607 <col> 9 </col> <col> 4 </col> <col> 1 </col> <col> Brenno </col>
1608 <col> 2002-07-14 16:25:03 </col> <col> PEN </col>
1614 <col> 10 </col> <col> 2 </col> <col> 1 </col> <col> Brenno </col>
1615 <col> 2002-07-14 16:30:09 </col> <col> PEN </col>
1617 Notification shown through webinterface.
1621 <col> 11 </col> <col> 3 </col> <col> 1 </col> <col> Brenno </col>
1622 <col> 2002-07-14 16:31:48 </col> <col> PEN </col>
1624 Portscan has finished and no other action seems to take place now.
1628 <col> 12 </col> <col> 18 </col> <col> 1 </col> <col> Brenno </col>
1629 <col> 2002-07-14 16:43:03 </col> <col> CLS </col>
1639 <heading>history</heading>
1641 The history table records all changes to properties of parameters.
1645 <heading>The fields</heading>
1647 The fields of the <emph>history</emph> table are listed below:
1649 <table cpos='lllp{6cm}'>
1651 <col> Fieldname </col> <col> Fieldtype </col> <col> Size </col>
1652 <col> Remarks </col>
1655 <col>paramid</col><col>bigint</col><col>8</col>
1656 <col>The parameter to which this history belongs. Refers to the parameter table</col>
1659 <col>modified</col><col>timestamp</col><col> </col>
1660 <col>Time at which the property value or parameter changed</col>
1663 <col>change_nature</col><col>enum</col><col> </col>
1664 <col>Parameter created to destroyed; property value changed</col>
1667 <col>changed_property</col><col>text</col><col> </col>
1668 <col>Name of the parameter's property that changed.</col>
1671 <col>new_value</col><col>text</col><col> </col>
1672 <col>The new actual value of the property at the time of modification</col>
1675 <col>remark</col><col>text</col><col> </col>
1676 <col>A short explanation of why the property changed</col>
1681 Each time something about a parameter changes, this is recorded in the
1682 change history of the paraneter.
1683 When such a change happens, one of three things may occur to a parameter,
1684 as stated in the 'change_nature' field:
1687 <item>A new parameter is created.</item>
1688 <item>The value of one of the properties was altered.</item>
1689 <item>The parameter is removed.</item>
1692 When a parameter is created or destroyed, the fields 'changed_property' and
1693 'new_value' are irrelevant.
1700 <heading>log & log_adv. </heading>
1703 To store the log-data there are two tables in use that have a one-on-one relationship.
1704 The logic behind this is the difference between raw-always needed data and the somewhat
1705 processed data to support basic retrieval.
1706 The last category isn't always used and when it's used it is redundant.
1707 Also the raw log is very important to the integrity of the system.
1708 For these reasons the processed data has been physically separated in a
1709 second table called <emph>log_adv</emph>.
1710 If needed a view will be available that combines the two tables.
1711 Despite the load indexing on <emph>log_adv</emph> will be done thoroughly.
1716 <heading>log.</heading>
1719 <heading>The fields of log.</heading>
1722 The fields in log are focussed around the raw data and the data needed
1723 to link this to other tables in the system.
1726 <table cpos='lllp{6cm}'>
1728 <col> Fieldname </col> <col> Fieldtype </col> <col> Size </col>
1734 <col> logid </col> <col> Bigserial </col> <col> 8 </col>
1736 Autonumber bigint (eight bit)
1740 <col> objectid </col> <col> Bigint </col> <col> 8 </col>
1742 Reference to the object that submitted this log entry
1746 <col> original_filename </col> <col> Text </col> <col> <para/> </col>
1748 This field refers to the filename that contained this entry.
1749 The original entries as received by the gnucomo-server (flat files).
1750 The files are sent in batches, which makes it very hard to find where the
1751 original logline is. This will enable to see the files to detect
1752 bugs in gnucomo if any occur.
1753 It may well be that in a later stage this functionality becomes obsolete.
1757 <col> servicecode </col> <col> Text </col> <col> <para/> </col>
1759 This field explains what service was recognized (for instance 'kernel, 'httpd' or 'smtp')
1763 <col> type_of_logid </col> <col> Bigint </col> <col> 8 </col>
1765 Reference to the table type_of_log that contains information on what
1766 type of log/report we have here (how gnucomo recognized it).
1770 <col> object_timestamp </col> <col> Timestamp </col> <col> 8 </col>
1772 Timestamp as has been written into the log.
1776 <col> timestamp </col> <col> Timestamp </col> <col> <para/> </col>
1778 The time when the action has been entered into the system.
1779 This is the time without the timezone<footnote>The timestamp without time
1780 has been selected, since this is the system time.
1781 To have the system functioning without any physical borders one of
1782 the settings on the system is time in GMT (UTC).
1783 This ensures also the added value of the system log.</footnote>.
1784 This will be generated upon entry into the database.
1788 <col> rawdata </col> <col> TEXT </col> <col> <para/> </col>
1797 <heading>The indexes.</heading>
1800 The indices of the table:
1805 <col> Indexname </col> <col> Field </col> <col> Characteristics </col>
1808 <col> log_pk (log_logid_key) </col> <col> logid </col> <col> Primary key </col>
1811 <col> log_objectid </col> <col> objectid </col> <col> <para/> </col>
1814 <col> log_original_filename </col> <col> original_filename </col> <col> <para/> </col>
1817 <col> log_servicecode </col> <col> servicecode </col> <col> <para/> </col>
1820 <col> log_type_of_logid </col> <col> type_of_logid </col> <col> <para/> </col>
1823 <col> log_object_timestamp </col> <col> object_timestamp </col> <col> <para/> </col>
1826 <col> log_timestamp </col> <col> timestamp </col> <col> <para/> </col>
1832 <heading>The relationships.</heading>
1835 Relationships with other tables:
1838 <table cpos='llp{6cm}'>
1840 <col> Fieldname </col> <col> Remote Table </col>
1846 <col> objectid </col> <col> object </col>
1848 This make the link from what object the logline came
1852 <col> type_of_logid </col> <col> type_of_log </col>
1854 Each logbook has a certain type of reporting.
1855 This explains what type of log was received (and thus which rules for detection was applied).
1859 <col> systemuser </col> <col> user </col>
1861 Links a registered user of an object to this log
1862 entry<footnote>Upon entry of an object most of the times the
1863 passwd-file (UNIX-systems) or the userlist will serve as the entrypoint of users.
1864 Non existing users will be added and will have to be verified by an
1865 administrator before this entry become definite.</footnote>.
1870 <para>In the model this looks like this:</para>
1873 <picture src="erd-log.png" eps="erd-log"/>
1879 <heading>The fields of log_adv.</heading>
1882 The fields of the table <emph>log_adv</emph> are shown below:
1885 <table cpos='lllp{6cm}'>
1887 <col> Fieldname </col> <col> Fieldtype </col> <col> Size </col>
1893 <col> logid </col> <col> Bigint </col> <col> 8 </col>
1895 Bigint (eight bit) 1-to-1 relationship with log
1899 <col> source_ip </col> <col> Inet </col> <col> <para/> </col>
1901 This is the IP-address (V4) of the host that sended the data.
1905 <col> destination_ip </col> <col> Inet </col> <col> <para/> </col>
1907 This is the IP-address (V4) of the host that was targetted.
1911 <col> mac_address </col> <col> Macaddr </col> <col> <para/> </col>
1913 This is the MAC-address logged
1917 <col> packetlength </col> <col> Int </col> <col> <para/> </col>
1919 The length of the packet
1923 <col> protocol </col> <col> Text </col> <col> <para/> </col>
1925 The protocol used for transmission(mostly TCP/UDP/ICMP).
1929 <col> source_port </col> <col> Int </col> <col> <para/> </col>
1931 The portnumber used at origin.
1935 <col> destination_port </col> <col> Int </col> <col> <para/> </col>
1937 The portnumber for the target
1941 <col> messageid </col> <col> Text </col> <col> <para/> </col>
1943 Messageid for e-mails
1947 <col> system_username </col> <col> Text </col> <col> <para/> </col>
1949 Username on the object
1953 <col> networkdevice </col> <col> Text </col> <col> <para/> </col>
1955 When this is about network-traffic the device that worked the data
1962 <heading>The indexes.</heading>
1965 The table is indexed on the following fields:
1970 <col> Indexname </col> <col> Field </col> <col> Characteristics </col>
1973 <col> loa_logid </col> <col> logid </col> <col> Primary key </col>
1976 <col> loa_source_ip </col> <col> source_ip </col> <col> <para/> </col>
1979 <col> loa_destination_ip </col> <col> destination_ip </col> <col> <para/> </col>
1982 <col> loa_mac_address </col> <col> mac_address </col> <col> <para/> </col>
1985 <col> loa_packetlength </col> <col> packetlength </col> <col> <para/> </col>
1988 <col> loa_protocol </col> <col> protocol </col> <col> <para/> </col>
1991 <col> loa_source_port </col> <col> source_port </col> <col> <para/> </col>
1994 <col> loa_destination_port </col> <col> destination_port </col> <col> <para/> </col>
1997 <col> loa_messageid </col> <col> messageid </col> <col> <para/> </col>
2000 <col> loa_system_username </col> <col> system_username </col> <col> <para/> </col>
2003 <col> networkdevice </col> <col> networkdevice </col> <col> <para/> </col>
2009 <heading>The relationships.</heading>
2012 There is only one relation with this table.
2015 <table cpos='llp{6cm}'>
2017 <col> Fieldname </col> <col> Remote Table </col>
2023 <col> Logid </col> <col> Log </col>
2025 This will make a link to the table <emph>log</emph>. The relationship is a one-on-one relationship.
2032 <heading>Sample data combined from log and log_adv.</heading>
2035 The sample data derrived here has been gathered in logs.
2036 Since the tablestructure is very long the representation is somewhat different:
2039 <table cpos='lp{8cm}'>
2041 <col> Fieldname </col> <col> Value. </col>
2044 <col> Logid </col> <col> 1 </col>
2047 <col> Objectid </col> <col> 1 </col>
2050 <col> Original_filename </col> <col> 7f0100.messages.20020714231801 </col>
2053 <col> Rawdata </col>
2055 Jul 14 18:16:42 webber kernel: IN=eth0 OUT= MAC=00:60:67:36:61:a5:00:90:69:60:c0:5d:08:00 SRC=193.79.237.146 DST=212.204.216.11 LEN=40 TOS=0x00 PREC=0x00 TTL=245 id=19308 DF PROTO=TCP SPT=36375 DPT=113 WINDOW=8760 RES=0x00 RST URGP=0
2059 <col> Type_of_logid </col> <col> 1 </col>
2062 <col> Timestamp </col> <col> 2002-07-14 23:29:01 </col>
2065 <col> Object_timestamp </col> <col> 2002-07-14 18:16:42 </col>
2068 <col> Source_ip </col> <col> 193.79.237.146 </col>
2071 <col> Destination_ip </col> <col> 212.204.216.11 </col>
2074 <col> Mac_address </col> <col> 00:60:67:36:61:a5:00:90:69:60:c0:5d:08:00 </col>
2077 <col> Packetlength </col> <col> 40 </col>
2080 <col> Protocol </col> <col> TCP </col>
2083 <col> Source_port </col> <col> 36375 </col>
2086 <col> Destination_port </col> <col> 113 </col>
2089 <col> Messageid </col> <col> <para/> </col>
2092 <col> Systemuser </col> <col> <para/> </col>
2095 <col> Networkdevice </col> <col> eth0 </col>
2102 <heading>log_notification. </heading>
2105 In the log_notification the logbook entries that have caused an alert to occur are saved.
2106 When this table is used something has been detected.
2107 As this is clearly an intermediate table we anticipate to design checks where
2108 multiple entries in a log-file can lead to one notification.
2109 For forensics indexing will be focussed on retrieval speed.
2113 <heading>The fields.</heading>
2116 The fields are listed below:
2119 <table cpos='lllp{6cm}'>
2121 <col> Fieldname </col> <col> Fieldtype </col> <col> Size </col>
2127 <col> notificationid </col> <col> Bigint </col> <col> 8 </col>
2129 Reference to the notification
2133 <col> logid </col> <col> Bigint </col> <col> 8 </col>
2135 Reference to the logbook
2142 <heading>The indexes.</heading>
2145 The table is indexed on the following fields:
2149 <col> Indexname </col> <col> Field </col> <col> Characteristics </col>
2152 <col> lon_pk </col> <col>notificationid </col> <col>Primary key </col>
2155 <col> <para/> </col> <col>logid </col> <col>Primary key (second field) </col>
2158 <col>lon_notificationid </col> <col> notificationid </col> <col> <para/> </col>
2161 <col> lon_logid </col> <col>logid </col> <col> <para/> </col>
2167 <heading>The relationships.</heading>
2170 Relationships with other tables:
2173 <table cpos='llp{8cm}'>
2175 <col> Fieldname </col> <col> Remote Table </col>
2181 <col> Logid </col> <col> Log </col>
2183 Indicates the log-entry that was on of the triggers that led to the notification.
2187 <col> NotificationID </col> <col> Notification </col>
2189 Indicates the notification where the entry in the log was a trigger.
2194 <para>In the model this look like this:</para>
2196 <picture src="erd-lognotif.png" eps="erd-lognotif"/>
2201 <heading>Sample data.</heading>
2208 <col> LogID </col> <col> NotificationID </col>
2211 <col> 4 </col> <col> 1 </col>
2214 <col> 5 </col> <col> 1 </col>
2217 <col> 8 </col> <col> 1 </col>
2220 <col> 9 </col> <col> 1 </col>
2223 <col> 5 </col> <col> 2 </col>
2226 <col> 6 </col> <col> 2 </col>
2229 <col> 11 </col> <col> 2 </col>
2236 <heading>notification. </heading>
2239 In this table all detected issues per object will be written.
2240 Issues are entered based on immediate detection, periodical detection or manually.
2241 Since this table is mostly used to work from in the interface being in control is crucial.
2242 When systems function properly more retrieval than data entry will take place.
2243 Also data retrieval will be done in all sorts of ways. Indexing must be huge to facilitate that.
2247 <heading>The fields.</heading>
2250 The fields of the <emph>notification</emph> table are:
2253 <table cpos='lllp{6cm}'>
2255 <col> Fieldname </col> <col> Fieldtype </col> <col> Size </col>
2261 <col> notificationid </col> <col> Bigserial </col> <col> 8 </col>
2267 <col> objectid </col> <col> Bigint </col> <col> 8 </col>
2269 Reference to the <emph>object</emph>
2273 <col> type_of_notification_id </col> <col> Bigint </col> <col> 8 </col>
2275 Reference to the <emph>type_of_notification</emph> indicating what
2276 type of notification we have here and what basic rules apply.
2280 <col> timestamp </col> <col> Timestamp </col> <col> <para/> </col>
2282 Timestamp that this notification was created.
2286 <col> statuscode </col> <col> Varchar </col> <col> 3 </col>
2288 The status the actual status a notification has.
2292 <col> priority </col> <col> Int </col> <col> 4 </col>
2294 The priority that is given to this issue<footnote>Basically there will be
2295 five priority levels. The rule is that the lower the number gets the more
2296 urgent the issue is. At the moment the priority level is set by the system
2297 pre-defined actions will take place.</footnote>.
2301 <col> escalation_count_timestamp </col> <col> Timestamp </col> <col> <para/> </col>
2303 Timestamp since the last escalation took place<footnote>The system offers
2304 the possibility to automatically escalate issue if no action has been
2305 taken within a certain amount of time.
2306 Based on the status and the type of notification escalation can take place.</footnote>.
2310 <col> repeat_notification_timestamp </col> <col> Timestamp </col> <col> <para/> </col>
2312 Timestamp at which moment in time a repeat notification should occur<footnote>After
2313 this time has passed a notification is being resent.
2314 After a resent automatically a new time is set for another resent.
2315 If any actions takes place (except automated entries of course)
2316 the time is emptied so that an administrator will no longer be bothered by the system.</footnote>.
2320 <col> securitylevel_view </col> <col> Int </col> <col> 4 </col>
2322 The securitylevel that is needed to view this entry.
2326 <col> securitylevel_add </col> <col> Int </col> <col> 4 </col>
2328 Securitylevel to add information to this item or to undertake action
2332 <col> securitylevel_close </col> <col> Int </col> <col> 4 </col>
2334 The securitylevel needed to be able to close this notification.
2341 <heading>The indexes.</heading>
2348 <col> Indexname </col> <col> Field </col> <col> Characteristics </col>
2351 <col> not_pk (notification_notificationid_key) </col> <col> notificationid </col>
2352 <col> Primary key </col>
2355 <col> not_objectid </col> <col> objectid </col> <col> <para/> </col>
2358 <col> not_type_of_notificationid </col> <col> type_of_notificationid </col>
2359 <col> <para/> </col>
2362 <col> not_timestamp </col> <col> timestamp </col> <col> <para/> </col>
2365 <col> not_statuscode </col> <col> statuscode </col> <col> <para/> </col>
2368 <col> not_priority </col> <col> priority </col> <col> <para/> </col>
2371 <col> not_escalation_count_timestamp </col> <col> escalation_count_timestamp </col>
2372 <col> <para/> </col>
2376 <para>not_repeat_notification_timestamp</para>
2377 <para>(not_repeat_notification_timesta)</para>
2379 <col> repeat_notification_timestamp </col> <col> <para/> </col>
2385 <heading>The relationships.</heading>
2388 Relationships with other tables:
2391 <table cpos='llp{8cm}'>
2393 <col> Fieldname </col> <col> Remote Table </col> <col> Remarks </col>
2396 <col> Logid </col> <col> Log </col>
2398 Indicates the log-entry that was on of the triggers that led to the notification.
2402 <col> NotificationID </col> <col> Notification </col>
2404 Indicates the notification where the entry in the log was a trigger.
2409 <para>In the model this look like this:</para>
2411 <picture src="erd-notif.png" eps="erd-notif"/>
2416 <heading>Sample data.</heading>
2419 The following data is an example of a notification placed in the database.
2423 <col> Fieldname </col> <col> Data </col>
2426 <col> Notificationid </col> <col> 1 </col>
2429 <col> ObjectID </col> <col> 1 </col>
2432 <col> Type_of_notification_id </col> <col> 1 </col>
2435 <col> Timestamp </col> <col> 17-07-2002 16:07 </col>
2438 <col> Statuscode </col> <col> NEW </col>
2441 <col> Priority </col> <col> 3 </col>
2444 <col> Escalation_count_timestamp </col> <col> 17-07-2002 16:07 </col>
2447 <col> Repeat_notification_timestamp </col> <col> 17-07-2002 20:48PM </col>
2450 <col> Securitylevel_view </col> <col> 3 </col>
2453 <col> Securitylevel_add </col> <col> 3 </col>
2456 <col> Securitylevel_close </col> <col> 4 </col>
2463 <heading>object</heading>
2466 The <emph>object</emph> table contains general information on the objects being monitored.
2467 The table object will more be used for retrieval, since adding objects will be an
2468 occasional process. Anything that for some reason can be indexed ought to be indexed.
2472 <heading>The fields.</heading>
2477 <table cpos='lllp{6cm}'>
2479 <col> Fieldname </col> <col> Fieldtype </col> <col> Size </col>
2485 <col> objectid </col> <col> Bigserial </col> <col> 8 </col>
2487 Autonumbering code for the computer or device.
2491 <col> objectname </col> <col> Text </col> <col> <para/> </col>
2493 The hostname of the object
2497 <col> objectcode </col> <col> Text </col> <col> <para/> </col>
2499 Unique identifier (if existent) on the system<footnote>In Linux this will
2500 typically be the <emph>hostid</emph>.</footnote>.
2504 <col> scp_enabled </col> <col> Boolean </col> <col> <para/> </col>
2506 Can communication occur through scp (T = Yes / F = No)
2510 <col> scp_inet </col> <col> Inet </col> <col> <para/> </col>
2512 IP Address of the object for scp-data transfer.
2516 <col> mail_enabled </col> <col> Boolean </col> <col> <para/> </col>
2518 Can communication occur through e-mail (T = Yes/F = No).
2522 <col> mail_from </col> <col> Text </col> <col> <para/> </col>
2524 The e-mail address where e-mail will come from.
2528 <col> sms_enabled </col> <col> Boolean </col> <col> <para/> </col>
2530 Can communication occur through SMS (T = Yes/F = No).
2534 <col> sms_number </col> <col> Text </col> <col> <para/> </col>
2536 The SMS-number to send a notification to.
2540 <col> fax_enabled </col> <col> Boolean </col> <col> <para/> </col>
2542 Can communication occur through Fax (T = Yes/F = No).
2546 <col> fax_number </col> <col> Text </col> <col> <para/> </col>
2548 The fax-number to send a notification to.
2562 Description of the object. What type of system is it
2566 <col> object_owner </col> <col> Text </col> <col> <para/> </col>
2572 <col> physical_location </col> <col> Text </col> <col> <para/> </col>
2574 Physical address and when applicable entry-details needed to get to the object.
2578 <col> timezone </col> <col> Text </col> <col> <para/> </col>
2580 The timezone where this object is located<footnote>For objects that
2581 move around like PDA's and laptops the timezone can be the place where
2582 a person is stationed or better GMT.</footnote>.
2586 <col> remark </col> <col> Text </col> <col> <para/> </col>
2588 Additional remarks that shouldn't be in the previous TEXT fields.
2595 <heading>The indexes.</heading>
2598 The <emph>object</emph> table is indexed on the following fields:
2603 <col> Indexname </col> <col> Field </col> <col> Characteristics </col>
2606 <col> obj_pk (object_objectid_key) </col> <col> objectid </col> <col> Primary key </col>
2609 <col> obj_objectname </col> <col> objectname </col> <col> Unique </col>
2612 <col> obj_objectcode </col> <col> objectcode </col> <col> Unique </col>
2615 <col> obj_mail_from </col> <col> mail_from </col> <col> <para/> </col>
2621 <heading>The relationships.</heading>
2624 The relationships with other tables are listed below:
2627 <table cpos='llp{8cm}'>
2629 <col> Fieldname </col> <col> Remote Table </col> <col> Remarks </col>
2632 <col> ObjectID </col> <col> Log (adv) </col>
2633 <col> Reference to processed log-entries </col>
2636 <col> <para/> </col> <col> Notification </col>
2638 Reference to the table <emph>notification</emph> that contains the notifications
2639 that have been created.
2643 <col> <para/> </col> <col> Object_issue </col>
2645 Reference to the <emph>object_issue</emph> that indicates how notifications have to be handled .
2649 <col> <para/> </col> <col> Object_priority </col>
2651 Reference to the <emph>object_priority</emph> table that indicates how a
2652 certain level of priority has to be dealt with.
2656 <col> <para/> </col> <col> Object_system_user </col>
2658 Reference to a list of system user to discover abnormalities in user behaviour.
2662 <col> <para/> </col> <col> Object_user </col>
2663 <col> Reference to the <emph>object_user</emph> </col>
2666 <col> <para/> </col> <col> Unprocessed_log </col>
2668 Reference to the entries that have not been processed at all.
2673 <para>In the relationshipmodel this looks like this:</para>
2675 <picture src="erd-object.png" eps="erd-object"/>
2680 <heading>Sample data.</heading>
2682 There is no preset data and therefor it's an example has been created.
2683 The table has quite some fields so the example has the fieldname in the
2684 left column and the data in the right column.
2686 <table cpos='lp{6cm}'>
2688 <col> Fieldname </col>
2689 <col> Sample data </col>
2692 <col> Objectid </col>
2696 <col> Objectname </col>
2697 <col> webber.dewinter.com </col>
2700 <col> Objectcode </col>
2704 <col> Scp_enabled </col>
2708 <col> Scp_inet </col>
2709 <col> 192.168.221.212 </col>
2712 <col> Mail_enabled </col>
2716 <col> Mail_from </col>
2717 <col> <reference href="mailto:gnucomo@maintenance.dewinter.com">gnucomo@maintenance.dewinter.com</reference> </col>
2720 <col> Sms_enabled </col>
2724 <col> Sms_number </col>
2725 <col> 06-XXXXXXXX </col>
2728 <col> Fax_enabled </col>
2732 <col> Fax_number </col>
2733 <col> 0318-XXXXXX </col>
2736 <col> Object_description </col>
2737 <col> 19 inch 4 units, AMD-300 with two 27Gb disks (RAID-0), 256Mb memory </col>
2740 <col> Object_owner </col>
2742 <para>Brenno de Winter</para>
2743 <para>De Winter Information Solutions</para>
2744 <para>Your street here 32</para>
2745 <para>9999 XX YOUR CITY</para>
2746 <para>THE NETHERLANDS</para>
2747 <para>Phone: +31 XXX XXX XXX</para>
2751 <col> Physical_location </col>
2753 <para>Internet Provider XYZ</para>
2754 <para>Your street here 38</para>
2755 <para>9999 XX YOUR CITY</para>
2756 <para>THE NETHERLANDS</para>
2757 <para>Phone: +31 XXX XXX XXX</para>
2759 <para>Dataroom. System: Q7845</para>
2765 <para>A replacement system is available at the office location. The following persons have been authorized to enter the data room at the ISP:</para>
2766 <para>* Arjen Baart</para>
2767 <para>* Peter Busser</para>
2768 <para>* Brenno de Winter</para>
2777 <heading>object_issue. </heading>
2779 This table will store the policy on a certain issue like the priority being
2780 recognized and special actions to take.
2781 Since policies are utilized by the systems continuously all other process will rely on this index,
2782 while users will change the values occasionally.
2786 <heading>The fields.</heading>
2789 The fields of <emph>object_issue</emph>:
2792 <table cpos='lllp{6cm}'>
2795 <para>Fieldname</para>
2798 <para>Fieldtype</para>
2804 <para>Remarks</para>
2809 <para>objectid</para>
2818 <para>Reference to the object</para>
2823 <para>type_of_notificationid</para>
2832 <para>Reference to the <emph>type_of_notification</emph> indicating
2833 what type of notification we have here and what basic rules apply.</para>
2838 <para>default_priority</para>
2847 <para>The priority that will be set automatically when this type of
2848 notification is entered into the system.</para>
2853 <para>escalation</para>
2856 <para>Boolean</para>
2862 <para>Will the system perform automatic escalation (T = Yes / F = No)</para>
2867 <para>escalation_time</para>
2876 <para>The time after which a higher priority is awarded to the notification.</para>
2881 <para>max_priority</para>
2890 <para>The maximum priority given to this type of notification.</para>
2895 <para>adjusted_setting</para>
2904 <para>Some checks can have a special settings (for instance alert
2905 after 5 failed login attempts instead of 3).</para>
2912 <heading>The indexes.</heading>
2915 These are the indices:
2920 <para>Indexname</para>
2926 <para>Characteristics</para>
2934 <para>objectid</para>
2937 <para>Primary key</para>
2945 <para>type_of_notification_id</para>
2948 <para>Primary key</para>
2953 <para>obi_objectid</para>
2956 <para>Objectid</para>
2964 <para>obi_type_of_notificationid</para>
2967 <para>type_of_notification_id</para>
2977 <heading>The relationships.</heading>
2980 Relationships with other tables:
2983 <table cpos='llp{6cm}'>
2986 <para>Fieldname</para>
2989 <para>Remote Table</para>
2992 <para>Remarks</para>
2997 <para>ObjectID</para>
3003 <para>Reference to the <emph>object</emph> (which object does this apply to).</para>
3008 <para>Type_of_issueid</para>
3011 <para>Type_of_issue</para>
3014 <para>Reference to the type of issue.</para>
3019 <para>In the model this look like this:</para>
3021 <picture src="erd-objissue.png" eps="erd-objissue"/>
3026 <heading>Sample data.</heading>
3031 <table cpos='lllllll'>
3034 <para>Objectid</para>
3037 <para>Type_of_notification_id</para>
3040 <para>Default Priority</para>
3043 <para>Escalation</para>
3046 <para>Escalation_time</para>
3049 <para>Max_priority</para>
3052 <para>Adjusted_setting</para>
3069 <para>00:15:00</para>
3092 <para>00:30:00</para>
3138 <para>00:45:00</para>
3175 <heading>object_priority.</heading>
3178 This table stores per object how a certain level of priority is being dealt with.
3179 What policies do apply. This table is mostly used for retrieval, so firm indexing is logic.
3183 <heading>The fields.</heading>
3186 The fields are listed below:
3188 <table cpos='lllp{6cm}'>
3191 <para>Fieldname</para>
3194 <para>Fieldtype</para>
3200 <para>Remarks</para>
3205 <para>objectid</para>
3214 <para>Reference to the object</para>
3219 <para>priorityid</para>
3228 <para>Priority.</para>
3233 <para>send_mail</para>
3236 <para>Boolean</para>
3242 <para>Send an e-mail if this priority is set? Yes = T / No = F</para>
3247 <para>send_sms</para>
3250 <para>Boolean</para>
3256 <para>Send a sms message if this priority is set? Yes = T / No = F</para>
3261 <para>send_fax</para>
3264 <para>Boolean</para>
3270 <para>Send a fax if this priority is set? Yes = T / No = F</para>
3275 <para>repeat_notification</para>
3278 <para>Boolean</para>
3284 <para>Repeat this notification if no action occurs since the notification. Yes = T / No = F</para>
3289 <para>interval_for_repeat</para>
3298 <para>Time interval that is set to wait for a response.</para>
3305 <heading>The indexes.</heading>
3308 Indices of the <emph>object_priority</emph> table:
3314 <para>Indexname</para>
3320 <para>Characteristics</para>
3328 <para>objectid</para>
3331 <para>Primary key</para>
3339 <para>priorityid</para>
3342 <para>Primary key</para>
3347 <para>obi_objectid</para>
3350 <para>Objectid</para>
3358 <para>obi_type_of_notification_id</para>
3361 <para>type_of_notification_id</para>
3371 <heading>The relationships.</heading>
3374 Relationships with other tables:
3377 <table cpos='llp{6cm}'>
3380 <para>Fieldname</para>
3383 <para>Remote Table</para>
3386 <para>Remarks</para>
3391 <para>ObjectID</para>
3397 <para>Reference to the object (which object does this apply to).</para>
3402 <para>Priorityid</para>
3405 <para>Priority</para>
3408 <para>Reference to the priority.</para>
3414 In the model this look like this:
3417 <picture src="erd-objprior.png" eps="erd-objprior"/>
3423 <heading>object_service</heading>
3426 The object service table indicates which services can be expected on the system.
3427 If input fails to show up a notification can be generated.
3431 <heading>The fields.</heading>
3434 The fields are listed below:
3437 <table cpos='lllp{6cm}'>
3440 <para>Fieldname</para>
3443 <para>Fieldtype</para>
3449 <para>Remarks</para>
3454 <para>objectid</para>
3463 <para>Reference to the object</para>
3468 <para>servicecode</para>
3477 <para>Reference to service.</para>
3482 <para>expected_interval</para>
3491 <para>The expected interval in minutes between two log entries.
3492 If this gives a time-out a notification is generated<footnote>To avoid many
3493 false positives it may be wise to give the system always 1 or 2 minutes extra time.
3494 If for some reason a connection is slow or a mail-daemon restarted
3495 the effect would generate tuns of notifications.</footnote>.
3496 The following values can be considered the most common:</para>
3497 <para>* 60 hourly entries</para>
3498 <para>* 120 two hourly entries</para>
3499 <para>* 240 four hourly entries</para>
3500 <para>* 480 eight hourly entries</para>
3501 <para>* 920 twelve hourly entries</para>
3502 <para>* 1840 daily entries</para>
3503 <para>* 12880 weekly entries</para>
3508 <para>last_entry</para>
3511 <para>Timestamp</para>
3517 <para>The timestamp of the last entry (for detecting exceeded interval).
3518 This field could be derived from the log-table as well, but the
3519 redundance gives a performance on detection that is useful, since a
3520 check should run every minute.</para>
3525 <para>default_priority</para>
3534 <para>Priority given if this service didn't occur.</para>
3539 <para>maximum_priority</para>
3548 <para>Maximum priority (in case of escalation)</para>
3553 <para>accepted</para>
3556 <para>Boolean</para>
3562 <para>If a service hasn't been set, the application user should
3563 indicate that this is valid (logs shouldn't just appear).
3564 New entries will be added automatically but still have to be verified.</para>
3571 <heading>The indexes.</heading>
3574 The table is indexed on the following fields:
3579 <para>Indexname</para>
3585 <para>Characteristics</para>
3593 <para>objectid</para>
3596 <para>Primary key</para>
3604 <para>servicecode</para>
3607 <para>Primary key</para>
3612 <para>obs_objectid</para>
3615 <para>objectid</para>
3623 <para>obs_servicecode</para>
3626 <para>servicecode</para>
3634 <para>obs_accepted</para>
3637 <para>accepted</para>
3647 <heading>The relationships.</heading>
3650 Relationships with other tables:
3653 <table cpos='llp{8cm}'>
3656 <para>Fieldname</para>
3659 <para>Remote Table</para>
3662 <para>Remarks</para>
3667 <para>objectID</para>
3673 <para>Reference to the object (which object does this apply to).</para>
3678 <para>servicecode</para>
3681 <para>Service</para>
3684 <para>Reference to the service table. </para>
3689 <para>In the model this look like this:</para>
3691 <picture src="erd-objservice.png" eps="erd-objservice"/>
3697 <heading>object_system_user</heading>
3700 This table will derive a list of users that can be identified based
3701 on the log-files in the system. This table is filled during data entry.
3702 But the filling of the table is dependent on the fact if the user has been entered before.
3703 So during the processing the read will be done more than the data entry and
3704 that makes heavy indexing logic.
3707 <heading>The fields.</heading>
3710 The fields of <emph>object_system_user</emph> are listed below:
3713 <table cpos='lllp{6cm}'>
3716 <para>Fieldname</para>
3719 <para>Fieldtype</para>
3725 <para>Remarks</para>
3730 <para>objectid</para>
3739 <para>Reference to the object</para>
3744 <para>system_username</para>
3753 <para>Username on the object/system.</para>
3758 <para>can_login</para>
3761 <para>Boolean</para>
3767 <para>Can this user login (T = Yes / F = No)?</para>
3772 <para>can_be_root</para>
3775 <para>Boolean</para>
3781 <para>Can this user become root (T = Yes / F = No)?</para>
3788 <heading>The indexes.</heading>
3791 The table is indexed on the following fields:
3796 <para>Indexname</para>
3802 <para>Characteristics</para>
3810 <para>objectid</para>
3813 <para>Primary key</para>
3821 <para>system_username</para>
3824 <para>Primary key</para>
3829 <para>osu_objectid</para>
3832 <para>objectid</para>
3840 <para>osu_system_username</para>
3843 <para>system_username</para>
3853 <heading>The relationships.</heading>
3856 Relationships with other tables:
3858 <table cpos='llp{8cm}'>
3861 <para>Fieldname</para>
3864 <para>Remote Table</para>
3867 <para>Remarks</para>
3872 <para>ObjectID</para>
3878 <para>Reference to the object (which object does this apply to).</para>
3883 <para>System_username</para>
3889 <para>Log entries can refer to the system username.</para>
3893 <para>In the model this look like this:</para>
3897 <picture src="erd-objsysusr.png" eps="erd-objsysusr"/>
3903 <heading>object_user</heading>
3906 This table will enable users to get access to the information belonging to an object.
3907 Also this table is mainly used for data retrieval and will rely on the indexes.
3910 <heading>The fields.</heading>
3913 The fields of <emph>object_user</emph> are listed below:
3916 <table cpos='lllp{6cm}'>
3919 <para>Fieldname</para>
3922 <para>Fieldtype</para>
3928 <para>Remarks</para>
3933 <para>Objectid</para>
3942 <para>Reference to the <emph>object</emph></para>
3947 <para>Username</para>
3956 <para>Username in gnucomo. A reference to <emph>user</emph>.</para>
3961 <para>Security_level</para>
3970 <para>The security-level granted to this user.</para>
3977 <heading>The indexes.</heading>
3979 The indices of the <emph>object_user</emph> table:
3984 <para>Indexname</para>
3990 <para>Characteristics</para>
3998 <para>objectid</para>
4001 <para>Primary key</para>
4009 <para>username</para>
4012 <para>Primary key</para>
4017 <para>ous_objectid</para>
4020 <para>objectid</para>
4028 <para>ous_username</para>
4031 <para>username</para>
4039 <para>ous_security_level</para>
4042 <para>ous_security_level</para>
4052 <heading>The relationships.</heading>
4055 Relationships with other tables:
4058 <table cpos='llp{8cm}'>
4061 <para>Fieldname</para>
4064 <para>Remote Table</para>
4067 <para>Remarks</para>
4072 <para>objectID</para>
4078 <para>Reference to the object (which object does this apply to).</para>
4083 <para>username</para>
4089 <para>Reference to the user.</para>
4094 <para>In the model this look like this:</para>
4095 <picture src="erd-objusr.png" eps="erd-objusr"/>
4101 <heading>parameter</heading>
4103 The parameter table stores the operational parameters of a monitored object.
4104 The parameters of an object describe the object's resources and configurations.
4105 For each object, a large set of parameters can be defined. They range from
4106 anything like file systems and installed packages to the system's users.
4110 <heading>The fields</heading>
4112 The fields of the <emph>parameter</emph> table are listed below:
4114 <table cpos='lllp{6cm}'>
4116 <col> Fieldname </col> <col> Fieldtype </col> <col> Size </col>
4117 <col> Remarks </col>
4120 <col>paramid</col><col>bigserial</col><col>8</col>
4121 <col>Uniquely identifies the parameter. Used in property and history tables.</col>
4124 <col>objectid</col><col>bigint</col><col>8</col>
4125 <col>The object of which this is a parameter. Refers to the object table.</col>
4128 <col>name</col><col>text</col><col> </col>
4129 <col>Name of the parameter to identify the resource</col>
4132 <col>class</col><col>text</col><col> </col>
4133 <col>Similar parameters are in the same class</col>
4136 <col>description</col><col>text</col><col> </col>
4137 <col>A verbose description of the parameter</col>
4143 The combination of objectid, name and class must be unique.
4148 <heading>Sample data</heading>
4151 The table below lists a few examples of parameters
4153 <table cpos='lllll'>
4155 <col>paramid</col><col>objectid</col><col>name</col><col>class</col><col>description</col>
4158 <col>1</col><col>1</col><col>/</col><col>filesystem</col><col>The root filesystem</col>
4161 <col>2</col><col>1</col><col>/home</col><col>filesystem</col><col>Our users' homedirs</col>
4164 <col>3</col><col>1</col><col>glibc</col><col>package</col><col>The standard C library</col>
4167 <col>4</col><col>1</col><col>arjen</col><col>user</col><col>Arjen Baart</col>
4174 <heading>priority</heading>
4177 The priority table contains information on the levels that are recognized by the system.
4178 Mainly data retrieval so depending on indexing.
4179 It needs to be said that most likely only a couple of states will exist<footnote>By default
4180 we will use five states, but many states can be given to enable all
4181 types of differentiation.</footnote>.
4185 <heading>The fields.</heading>
4188 The fields of the <emph>priority</emph> table are listed below:
4191 <table cpos='lllp{6cm}'>
4194 <para>Fieldname</para>
4197 <para>Fieldtype</para>
4203 <para>Remarks</para>
4208 <para>priority</para>
4217 <para>Priority</para>
4222 <para>send_mail</para>
4225 <para>Boolean</para>
4231 <para>Send an e-mail if this priority is set? Yes = T / No = F</para>
4236 <para>send_sms</para>
4239 <para>Boolean</para>
4245 <para>Send a sms message if this priority is set? Yes = T / No = F</para>
4250 <para>send_fax</para>
4253 <para>Boolean</para>
4259 <para>Send a fax if this priority is set? Yes = T / No = F</para>
4264 <para>repeat_notification</para>
4267 <para>Boolean</para>
4273 <para>Repeat this notification if no action occurs since the notification. Yes = T / No = F</para>
4278 <para>interval_for_repeat</para>
4287 <para>Time interval that is set to wait for a response.</para>
4294 <heading>The indexes.</heading>
4297 The table is indexed on the following fields:
4303 <para>Indexname</para>
4309 <para>Characteristics</para>
4317 <para>priority</para>
4320 <para>Primary key</para>
4327 <heading>The relationships.</heading>
4330 Relationships with other tables:
4332 <table cpos='llp{8cm}'>
4335 <para>Fieldname</para>
4338 <para>Remote Table</para>
4341 <para>Remarks</para>
4346 <para>priority</para>
4349 <para>object_priority</para>
4352 <para>Reference to the object (which object does this apply to). </para>
4357 <para>In the model this look like this:</para>
4359 <picture src="erd-prior.png" eps="erd-prior"/>
4365 <heading>property</heading>
4367 The property table stores the actual values of the properties of
4368 operational parameters of a monitored object.
4372 <heading>The fields</heading>
4374 The fields of the <emph>property</emph> table are listed below:
4376 <table cpos='lllp{6cm}'>
4378 <col> Fieldname </col> <col> Fieldtype </col> <col> Size </col>
4379 <col> Remarks </col>
4382 <col>paramid</col><col>bigint</col><col>8</col>
4383 <col>The parameter to which this property belongs. Refers to the parameter table</col>
4386 <col>name</col><col>text</col><col> </col>
4387 <col>Name of the property</col>
4390 <col>value</col><col>text</col><col> </col>
4391 <col>The current value of the property</col>
4394 <col>type</col><col>enum</col><col> </col>
4395 <col>Dynamic or Static</col>
4398 <col>minimum</col><col>float</col><col>8</col>
4399 <col>The minimum value of the property (for numerical properties only)</col>
4402 <col>maximum</col><col>float</col><col>8</col>
4403 <col>The maximum value of the property (for numerical properties only)</col>
4410 <heading>Sample data</heading>
4413 The table below lists a few examples of properties
4415 <table cpos='llllll'>
4417 <col>paramid</col><col>name</col><col>value</col>
4418 <col>type</col><col>minimum</col><col>maximum</col>
4421 <col>1</col><col>size</col><col>400000</col>
4422 <col>STATIC</col><col>100000</col><col>999999999</col>
4425 <col>1</col><col>used</col><col>200000</col>
4426 <col>DYNAMIC</col><col>50000</col><col>400000</col>
4429 <col>2</col><col>size</col><col>3000000</col>
4430 <col>STATIC</col><col>100000</col><col>999999999</col>
4433 <col>2</col><col>used</col><col>2000000</col>
4434 <col>DYNAMIC</col><col>50000</col><col>2700000</col>
4437 <col>3</col><col>version</col><col>2.2.5-39</col>
4438 <col>STATIC</col><col>0</col><col>0</col>
4445 <heading>service</heading>
4448 The table <emph>service</emph> indicates the service that can be handled by the system.
4449 Out of the servicelist the administrator can indicate what services to expect.
4452 <heading>The fields.</heading>
4455 The fields are listed below:
4457 <table cpos='lllp{6cm}'>
4460 <para>Fieldname</para>
4463 <para>Fieldtype</para>
4469 <para>Remarks</para>
4474 <para>servicecode</para>
4483 <para>The code that is written for the service</para>
4488 <para>servicename</para>
4497 <para>The expanded name for the service</para>
4502 <para>default_priority</para>
4511 <para>The advised priority if these log-entries don't
4512 come in<footnote>Advised priorities can be changed in the object_service
4513 table per object. </footnote>.</para>
4518 <para>max_priority</para>
4527 <para>The maximum priority advised for this
4528 service<footnote>Advised priorities can be changed in the
4529 object_service table per object.</footnote>.</para>
4536 <heading>The indexes.</heading>
4539 The table is indexed on the following fields:
4544 <para>Indexname</para>
4550 <para>Characteristics</para>
4558 <para>servicecode</para>
4561 <para>Primary key</para>
4566 <para>ser_servicename</para>
4569 <para>servicename</para>
4579 <heading>The relationships.</heading>
4581 Relationships with other tables:
4583 <table cpos='llp{8cm}'>
4586 <para>Fieldname</para>
4589 <para>Remote Table</para>
4592 <para>Remarks</para>
4597 <para>servicecode</para>
4603 <para>What log entries have been tied to this type of service.</para>
4611 <para>object_service</para>
4614 <para>Settings for this service per object.</para>
4622 <para>unprocessed_log</para>
4625 <para>What unprocessed log entries have been tied to this type of service.</para>
4630 <para>In the model this look like this:</para>
4632 <picture src="erd-service.png" eps="erd-service"/>
4638 <heading>status.</heading>
4641 The table <emph>status</emph> contains the possible states that a notification can have.
4642 As with the table <emph>priority</emph> these statuses are limited in number by
4643 default but can be expanded. Also here retrieval prevails above data entry and
4644 therefor indexing is important.
4648 <heading>The fields.</heading>
4651 The fields of the <emph>status</emph> table are listed below:
4654 <table cpos='lllp{6cm}'>
4657 <para>Fieldname</para>
4660 <para>Fieldtype</para>
4666 <para>Remarks</para>
4671 <para>statuscode</para>
4674 <para>Varchar</para>
4680 <para>The code for the status</para>
4685 <para>statusname</para>
4694 <para>What is the correct name for the status</para>
4699 <para>open_notification</para>
4702 <para>Boolean</para>
4708 <para>Is the notification still open when this status is set? Yes = T / No = F</para>
4713 <para>description</para>
4722 <para>Explanation of the code</para>
4729 <heading>The indexes.</heading>
4731 The table is indexed on the following fields:
4737 <para>Indexname</para>
4743 <para>Characteristics</para>
4751 <para>statuscode</para>
4754 <para>Primary key</para>
4759 <para>sta_statusname</para>
4762 <para>statusname</para>
4770 <para>sta_open_notification</para>
4773 <para>open_notification</para>
4783 <heading>The relationships.</heading>
4785 Relationships with other tables
4791 <para>Fieldname</para>
4794 <para>Remote Table</para>
4797 <para>Remarks</para>
4812 <para>In the model this look like this:</para>
4814 <picture src="erd-status.png" eps="erd-status"/>
4819 <heading>Default values.</heading>
4820 <para>The status values are default for the system and for that reason are predefined.</para>
4821 <table cpos='p{2cm}lp{1cm}p{6cm}'>
4824 <para>Statuscode</para>
4827 <para>Statusname</para>
4830 <para>Open Notification</para>
4841 <para>New entry</para>
4847 <para>Just detected nothing has been done yet.</para>
4861 <para>The notification has been displayed, but nothing has been done yet.</para>
4869 <para>Pending</para>
4875 <para>The notification is currently being worked on.</para>
4883 <para>Waiting for verification</para>
4889 <para>The notification has been worked on.
4890 After it has been verified the notification can be closed.</para>
4904 <para>The notification has been closed</para>
4912 <para>Rejected</para>
4918 <para>This was a false positive and has been rejected.</para>
4926 <para>Investigate</para>
4932 <para>The notification is under investigation and awaiting additional details.</para>
4940 <heading>type_of_issue.</heading>
4943 This table will contain a list of all available issues that can be detected.
4944 All issues have a suggested priority setting.
4945 This is typically data retrieval and good indexing is needed.</para>
4948 <heading>The fields.</heading>
4951 Fields of <emph>type_of_issue</emph> are:
4954 <table cpos='lllp{6cm}'>
4957 <para>Fieldname</para>
4960 <para>Fieldtype</para>
4966 <para>Remarks</para>
4971 <para>type_of_issueid</para>
4974 <para>Bigserial</para>
4980 <para>The sequential code for the issue.</para>
4994 <para>Name for the issue</para>
4999 <para>suggested_priority</para>
5008 <para>The advised priority setting.</para>
5013 <para>description</para>
5022 <para>Description of the method and how this can be set.</para>
5030 <para>Boolean</para>
5036 <para>Is this check currently being used in the system.</para>
5043 <heading>The indexes.</heading>
5045 The table is indexed on the following fields:
5051 <para>Indexname</para>
5057 <para>Characteristics</para>
5063 <para>(type_of_issue_type_of_issue_key)</para>
5066 <para>type_of_issueid</para>
5069 <para>Primary key</para>
5074 <para>toi_name</para>
5085 <para>toi_active</para>
5098 <heading>The relationships.</heading>
5102 <para>Fieldname</para>
5105 <para>Remote Table</para>
5108 <para>Remarks</para>
5113 <para>type_of_issueid</para>
5116 <para>object_issue</para>
5124 <para>In the model this look like this:</para>
5126 <picture src="erd-toi.png" eps="erd-toi"/>
5131 <heading>Default values.</heading>
5134 All checks are entered as code into the system.
5135 This table only works for the application only.
5136 The user can set specifics in the application only.
5138 <table cpos='lllll'>
5141 <para>Type_of_issueid</para>
5147 <para>Suggested_priority</para>
5150 <para>Description</para>
5161 <para>Manual entry</para>
5167 <para>A manual entry of a notification.</para>
5178 <heading>unprocessed_log</heading>
5181 The <emph>user</emph> table contains the users that can login the monitoring application.
5182 It will also store if the users maintains the system.
5183 Mainly used for retrieval so properly indexed.
5187 <heading>The fields.</heading>
5190 The fields are listed below:
5193 <table cpos='lllp{6cm}'>
5196 <para>Fieldname</para>
5199 <para>Fieldtype</para>
5205 <para>Remarks</para>
5210 <para>unprocessedid</para>
5213 <para>Bigserial</para>
5219 <para>Autonumber entry</para>
5224 <para>objectid</para>
5233 <para>Reference to the object</para>
5238 <para>servicecode</para>
5247 <para>The service that entered this data.</para>
5252 <para>logdata</para>
5261 <para>The data that comes from the file.</para>
5268 <heading>The indexes.</heading>
5270 The indices of the table:
5276 <para>Indexname</para>
5282 <para>Characteristics</para>
5288 <para>(unprocessed_l_unprocessedid_key)</para>
5291 <para>unprocessedid</para>
5294 <para>Primary key</para>
5301 <heading>The relationships.</heading>
5303 Relationships with other tables:
5306 <table cpos='llp{8cm}'>
5309 <para>Fieldname</para>
5312 <para>Remote Table</para>
5315 <para>Remarks</para>
5320 <para>objectid</para>
5326 <para>Reference to the object that is reporting the data</para>
5331 <para>servicecode</para>
5334 <para>service</para>
5337 <para>Reference to the servicecode that is mentioned in the filename.</para>
5341 <para>In the model this look like this:</para>
5343 <picture src="erd-unplog.png" eps="erd-unplog"/>
5348 <heading>Sample values.</heading>
5354 <heading>user_gnucomo</heading>
5357 The <emph>user</emph> table contains the users that can login the monitoring application.
5358 It will also store if the users maintains the system.
5359 Mainly used for retrieval so properly indexed.
5363 <heading>The fields.</heading>
5366 The fields are listed in the table below:
5369 <table cpos='lllp{6cm}'>
5372 <para>Fieldname</para>
5375 <para>Fieldtype</para>
5381 <para>Remarks</para>
5386 <para>username</para>
5395 <para>Name the user is known by</para>
5400 <para>password</para>
5409 <para>Password</para>
5414 <para>active_sessionid</para>
5423 <para>Sessionnumber currently used by user.
5424 If this is set to 0 a user is not present on the system.
5425 Only one session can be open at a time.</para>
5430 <para>account_active</para>
5433 <para>Boolean</para>
5439 <para>Is the account currently active?</para>
5444 <para>security_level</para>
5453 <para>Given securitylevel to this user</para>
5460 <heading>The indexes</heading>
5462 The table is indexed on the following fields:
5467 <para>Indexname</para>
5473 <para>Characteristics</para>
5481 <para>username</para>
5484 <para>Primary key</para>
5489 <para>usr_active_sessionid</para>
5492 <para>active_sessionid</para>
5502 <heading>The relationships.</heading>
5504 Relationships with other tables
5509 <para>Fieldname</para>
5512 <para>Remote Table</para>
5515 <para>Remarks</para>
5520 <para>ObjectID</para>
5526 <para>Link to the object</para>
5530 <para>In the model this look like this:</para>
5532 <picture src="erd-usr.png" eps="erd-usr"/>
5541 <heading>Warnings that can be detected.</heading>
5545 <heading>User Interface.</heading>
5547 <para>To be determined in the near future.</para>
5551 <heading>The installation process.</heading>
5554 Since the system must make maintenance and security easier to use,
5555 the burden of installation should as easy as possible.
5556 Where possible the installation script should take away as much work as possible.
5557 Where settings need to be done, this should be done through an interface.
5558 However at no point we take the user's right to understand and work with system.
5559 Configuration-files should be easy to understand and the choice must be there to do installation manually.
5560 For the time being, we will use the manual installation procedure outlined below:
5564 Since there is no binary package available for Gnucomo yet, you will need
5565 to compile and install Gnucomo from the source code.
5566 Before making the Gnucomo binaries, make sure you have the following
5569 <item>postgresql, postgresql-server, postgresql-develop</item>
5571 <item>libxml2, libxml2-develop</item>
5574 Make sure your PostgreSQL database server is up and running.
5575 If you also want to use the web interface, you will need Apache with PHP.
5576 The PHP module needs Postgresql and DOM-XML support.
5577 With all required packages installed, you should be able to go into
5578 the <emph>src</emph> directory and type <code>make</code> to create
5579 a binary <code>gcm_input</code>.
5583 To use gnucomo, you need to create a database and a configuration file.
5584 To make the database in your PostgreSQL server, log in as a DBA (DataBase
5585 Administrator, usually the user 'postgres') and create the database and a
5586 user who can use the database.
5596 If you also want to be able to use the test scripts, you will need to
5597 create the <code>gnucomo_test</code> database as well.
5598 The configuration file for Gnucomo is a rather simple XML file that
5599 states at least what database Gnucomo uses and the userid with which
5600 Gnucomo will log in to the database server.
5601 These parameters should be the same as the database and user you just
5602 created in your role of DBA.
5603 There is an example configuration file, <code>gnucomo.conf</code> in the
5604 <emph>src</emph> directory.
5605 You should copy this config file to one of the following places:
5607 <item><code>/etc/gnucomo.conf</code></item>
5608 <item><code>/usr/local/etc/gnucomo.conf</code></item>
5610 With the database and the configuration file in place, you should
5611 be able to run <code>gcm_input</code> to read log files and store
5612 log entries in the database.
5615 <heading>Supported platforms.</heading>
5617 <para>The following two Linux distributions have been selected to be actively supported:</para>
5620 <para>Debian GNU/Linux (.deb packages)</para>
5623 <para>RedHat Linux (.rpm packages)</para>
5626 <para>We will try and facilitate as many operating systems client-side and as many unices server-side, but efforts on testing out of the projects will be very minimalistic to ensure that the project keeps delivering new version and new features. </para>
5630 <heading>Installation on the server.</heading>
5632 <para>The following steps will be part of a script, that can automatically perform these steps:</para>
5636 <para>Create the user <emph>gnucomo</emph>.</para>
5639 <para>Make the directory as described in the chapter <emph>Sending messages to the central gnucomo system</emph> in the subchapter <emph>directories</emph>.(server-side).</para>
5645 <heading>Installation on a UNIX-client.</heading>
5647 <para>The following steps will be part of a script, that can automatically perform these steps:</para>
5650 <para>Create the user <emph>gcm_client</emph>.</para>
5653 <para>Make the directory as described in the chapter <emph>Sending messages to the central gnucomo system</emph> in the subchapter <emph>directories</emph> (client-side).</para>
5656 <para>Creation of the database user gcm_input. This user has only the right to enter data into the database. There are no deletion, update or select-permissions.</para>
5664 <heading>Dependency on other free software.</heading>
5666 <para>The following list is a set of applications that will be used on to make our application work:</para>
5667 <table cpos='lp{8cm}l'>
5670 <para>Application</para>
5673 <para>Needed for</para>
5676 <para>Client/Server</para>
5684 <para>The encryption of the information being transferred between the two systems.</para>
5693 <para>GNU/Linux</para>
5696 <para>The basic operating system. Allthough the system might work very well on all types on versions of Linux, FreeBSD, OpenBSD or any unices the main focus for distribution is given to: Debian GNU/Linux and RedHat Linux (the downloadable iso-version). </para>
5707 <para>The application enabling the sending of messages.</para>
5716 <para>openssh</para>
5719 <para>If e-mail is not used this application will deliver the file-copy</para>
5728 <para>PostgreSQL</para>
5731 <para>The database where all the signals from client will be stored.</para>
5739 <heading>Related projects</heading>
5742 There are a number of projects that can help <strong>Gnucomo</strong> or perform
5747 <reference href='http://crm114.sourceforge.net/'>CRM114</reference> - The Controllable
5756 <heading>Settings on the server machine.</heading>
5759 <heading>Required.</heading>
5761 <para>The following settings are required to ensure that the functionality is as much as expected.</para>
5764 <heading>Timezone in GMT (UTC).</heading>
5766 <para>Since all international traffic registers all entries in UTC (Universal Time Coordinate) this system will do so as well. Therefore the clock has to be adjusted to that as well as the system settings.</para>
5767 <para>These settings can found on a RedHat computer in the <code>/etc/sysconfig/clock-file</code>. On Debian this stored in the file <code>/etc/timezone</code>.</para>
5772 <heading>Suggested.</heading>
5775 <heading>Use NTP.</heading>
5777 <para>If a computer is running for some time the clocks tend to be off the correct time. This makes it harder to detect what exactly happened exactly at what moment in time and reduce value of log-entries. Especially considering that ultimately all data is gathered in one central system. To overcome this Network Time Protocol (NTP RFC 13025 March 1992) has been created that explains a protocol to synchronize clocks through the Internet. Many operating systems like Microsoft Windows 2000 Server and FreeBSD, OpenBSD and Linux support this. A ntp-server (or ntpd) can be found at: http://www.eecis.udel.edu/~ntp/ It is strongly recommended that you use this.</para>
5784 <heading>Settings on the client machine.</heading>
5787 <heading>Required.</heading>
5791 <heading>Suggested.</heading>
5794 <heading>Use NTP.</heading>
5796 <para>If a computer is running for some time the clocks tend to be off the correct time. This makes it harder to detect what exactly happened exactly at what moment in time and reduce value of log-entries. Especially considering that ultimately all data is gathered in one central system. To overcome this Network Time Protocol (NTP RFC 13025 March 1992) has been created that explains a protocol to synchronize clocks through the Internet. Many operating systems like Microsoft Windows 2000 Server and FreeBSD, OpenBSD and Linux support this. A ntp-server (or ntpd) can be found at: http://www.eecis.udel.edu/~ntp/ It is strongly recommended that you use this.</para>
5803 <heading>Appendices.</heading>
5806 <heading>Appendix A. GNU Public License Version 2, June 1991.</heading>
5808 <para>Copyright (C) 1989, 1991 Free Software Foundation, Inc.</para>
5809 <para>59 Temple Place, Suite 330, Boston, MA 02111-1307 USA</para>
5810 <para>Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.</para>
5813 <heading>Preamble</heading>
5814 <para>The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too. </para>
5815 <para>When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things.</para>
5816 <para>To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it.</para>
5817 <para>For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.</para>
5818 <para>We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. </para>
5819 <para>Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations.</para>
5820 <para>Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all.</para>
5821 <para>The precise terms and conditions for copying, distribution and modification follow.</para>
5822 <para>GNU GENERAL PUBLIC LICENSE</para>
5826 <heading>TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION</heading>
5830 <para>This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you".</para>
5831 <para>Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. </para>
5834 <para>You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program.</para>
5835 <para>You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.</para>
5838 <para>You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:</para>
5839 <para>a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.</para>
5840 <para>b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License.</para>
5841 <para>c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.)</para>
5842 <para>These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.</para>
5843 <para>Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program.</para>
5844 <para>In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.</para>
5847 <para>You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following:</para>
5848 <para>a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, </para>
5849 <para>b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or,</para>
5850 <para>c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.)</para>
5851 <para>The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.</para>
5852 <para>If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code.</para>
5855 <para>You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.</para>
5858 <para>You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it.</para>
5861 <para>Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein.</para>
5862 <para>You are not responsible for enforcing compliance by third parties to this License.</para>
5865 <para>If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program.</para>
5866 <para>If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances.</para>
5867 <para>It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.</para>
5868 <para>This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.</para>
5871 <para>If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.</para>
5874 <para>The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.</para>
5875 <para>Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation.</para>
5878 <para>If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.</para>
5883 <heading>NO WARRANTY</heading>
5886 <para>BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVidE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.</para>
5889 <para>IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.</para>
5892 <para>END OF TERMS AND CONDITIONS</para>
5895 <heading>How to Apply These Terms to Your New Programs</heading>
5896 <para>If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. </para>
5897 <para>To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found.</para>
5898 <para><one line to give the program's name and a brief idea of what it does.> Copyright (C) <year> <name of author> This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.</para>
5899 <para>This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.</para>
5900 <para>You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA</para>
5901 <para>Also add information on how to contact you by electronic and paper mail.</para>
5902 <para>If the program is interactive, make it output a short notice like this when it starts in an interactive mode:</para>
5903 <para>Gnomovision version 69, Copyright (C) year name of author</para>
5904 <para>Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.</para>
5905 <para>This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details.</para>
5907 <para>The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program.</para>
5908 <para>You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names:</para>
5909 <para>Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. </para>
5910 <para><signature of Ty Coon>, 1 April 1989 Ty Coon, President of Vice</para>
5911 <para>This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License.</para>
projects / gnucomo.git / blob