
Chapter 5. Compliance management solution design

5.2 Operational design and configuration

5.2.1 Monitoring, maintenance, and availability

In this section, we discuss general monitoring and maintenance procedures for Tivoli Security Information and Event Manager to verify the overall state of the environment on a daily, weekly, and monthly basis.

Daily checks

On a daily basis, all logons to the system and the status of the collected data must be verified.

Logon

You log in to the Tivoli Integrated Portal of Tivoli Security Information and Event Manager by entering one of the following URLs:

http://hostname/ibm/console or https://hostname/ibm/console

In the URL, hostname is the host name or the IP address of the system where the Tivoli Security Information and Event Manager Server is installed. The Tivoli Integrated Portal supports both HTTP (Hypertext Transfer Protocol) and HTTPS (Hypertext Transfer Protocol Secure) for transmitting data to the Web browser.

The Tivoli Integrated Portal is displayed, as shown in Figure 5-12.

To log on to the Tivoli Integrated Portal:

1. In the User ID field, enter your user ID.
2. In the Password field, type your password.
3. Click Log in.

If the logon was successful, the Tivoli Security Information and Event Manager Welcome Page is displayed. If logon was not successful, verify that you entered the correct user ID and password.

When you finish using Tivoli Security Information and Event Manager, log out and close your Web browser session to maintain the security of the information. Tivoli Security Information and Event Manager components and functions are protected by user roles, which govern the permissions that a user has. Specific user roles are required to view the user interfaces and perform administrative functions. If you do not have the appropriate user role, you cannot view certain Tivoli Security Information and Event Manager components or perform certain tasks.

Ask the administrator to verify that you have the necessary user roles. For more information about user roles, see the "Configuring Users" chapter in the IBM

Tivoli Security Information and Event Manager Administrators Guide Version 2.0,

SC23-9688.

The Tivoli Security Information and Event Manager user interface

The Tivoli Integrated Portal is organized into two sections:

- The navigation panel is on the left side of the window.
- The main part of the window, on the right side, displays the Welcome page when you first log in to Tivoli Security Information and Event Manager.

The navigation panel allows you to open separate tools and pages in Tivoli Security Information and Event Manager. You can expand topics that have a bold typeface by clicking the (+) icon. When a topic is expanded, the icon changes to a (-) icon.

You can collapse expanded topics by clicking the (-) icon. You can adjust the relative size of the navigation panel or the main panel by sliding the divider to the left or to the right.

You can close or open the navigation panel by clicking the arrow on the divider. Figure 5-13 on page 106 shows the Tivoli Security Information and Event Manager Welcome page.

Data collection

To verify the data collection, check the time stamp in the Last Collect column. Figure 5-14 shows how a possible list can look.

Figure 5-14 Tivoli Security Information and Event Manager data collection

The column shows the time of the oldest log record available in the last collected chunk. In normal conditions, the last collect time is a multiple of the collect schedule. Verify this information for each event source that has a collect schedule defined.

Database check

The database can be in one of the following four states, which you can check in the Management Console:

- Error
- Loaded
- Loading
- Cleared

The failure message and database contents are in the Tivoli Integrated Portal, as shown in Figure 5-15.

Figure 5-15 Tivoli Security Information and Event Manager database status

The End time for each platform shown in the Tivoli Integrated Portal is close to the latest scheduled collect that is relative to the Last Load time stamp in the Database View, as shown in Figure 5-16. If this is not the case, either the event source failed to collect the latest log records or no log records were produced between the end time and the collection time for that platform.

Compare the time in the Last Load column with the Load Schedule frequency. The last load time stamp is a multiple of the load frequency defined in the load schedule and as close as possible to the current time.

Figure 5-16 Tivoli Security Information and Event Manager database load
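The daily collect and load checks above (Last Collect against the collect schedule, Last Load against the load frequency) are easy to script once the values are exported from the console. The following is an added example, not IBM's code: the event source names, time stamps and schedule intervals are constructed sample data, and schedule boundaries are assumed to be anchored at midnight.

```python
from datetime import datetime, timedelta

# Added example, not IBM's code. Implements the daily check described on the
# page: the Last Collect (or Last Load) time stamp must be within one schedule
# interval of the current time and should fall on a schedule boundary.
# Schedule boundaries are assumed to be anchored at midnight (an assumption).
ANCHOR = datetime(2000, 1, 1)

# Constructed sample of what the Last Collect column might show; the collect
# interval per event source is an assumption for the example.
NOW = datetime(2024, 3, 5, 14, 10)
SOURCES = [
    # (event source, last collect time stamp, collect interval in minutes)
    ("winsrv01", datetime(2024, 3, 5, 14, 0), 60),    # current, on schedule
    ("aixdb02",  datetime(2024, 3, 4, 22, 0), 60),    # stale for about 16 hours
    ("fw-edge",  datetime(2024, 3, 5, 13, 37), 30),   # current, off schedule
]

def check_timestamp(last, interval_min, now, tolerance_min=10):
    """Classify one Last Collect / Last Load value against its schedule.

    Returns (status, missed_runs, on_schedule): status is "OK" or "STALE",
    missed_runs counts schedule intervals elapsed beyond the tolerance, and
    on_schedule tells whether the time stamp sits on a schedule boundary.
    """
    interval = timedelta(minutes=interval_min)
    tolerance = timedelta(minutes=tolerance_min)
    age = now - last
    stale = age > interval + tolerance
    missed = (age - tolerance) // interval if stale else 0
    on_schedule = (last - ANCHOR) % interval == timedelta(0)
    return ("STALE" if stale else "OK", missed, on_schedule)

def daily_report(sources, now):
    """Run the check over every event source that has a schedule defined."""
    findings = []
    for name, last, interval_min in sources:
        status, missed, on_schedule = check_timestamp(last, interval_min, now)
        findings.append({"source": name, "status": status,
                         "missed_runs": missed, "on_schedule": on_schedule})
    return findings

def needs_attention(findings):
    """Names of sources that are stale or whose time stamp is off schedule."""
    return [f["source"] for f in findings
            if f["status"] == "STALE" or not f["on_schedule"]]

if __name__ == "__main__":
    report = daily_report(SOURCES, NOW)
    for finding in report:
        print(finding)
    print("needs attention:", needs_attention(report))
```

The same function applies to the Last Load column when the load frequency from the load schedule is passed as the interval.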

Database load problems can occur during the three phases of preparing the reports in the GEM database:

- Mapping
- Loading

Weekly checks

On a weekly basis, you must check disk space, Depot, and Tivoli Security Information and Event Manager services.

Disk space

The device where the Tivoli Security Information and Event Manager server is installed must have at least 25 GB of free space.

Depot

The time stamps of the latest collected chunks should be as close to the current time as the defined collect schedules allow.

Services

All Tivoli Security Information and Event Manager services of startup type Automatic must be running. The Tivoli Security Information and Event Manager server service spawns additional tasks that you can see in the task manager. In very rare cases it might be necessary to stop and restart the Tivoli Security Information and Event Manager services. Refer to the IBM Tivoli Security Information and Event Manager Version 2.0 Troubleshooting Guide, SC23-9690, and the IBM Tivoli Security Information and Event Manager Version 2.0 Administrators Guide, SC23-9688, for further information about how to manage services.

Configuration tasks

There are several tasks to be considered in a Tivoli Security Information and Event Manager environment.

Some of the tasks relate to synchronization between the Enterprise and the Standard Servers and others relate to the collection of data and generation of reports. The Standard Servers in a Tivoli Security Information and Event Manager cluster are responsible for collecting the log files and generating reports and alerts. Both collection and report generation are normally scheduled and managed through the Tivoli Integrated Portal.

Before you can configure any of these tasks, you must, after the installation, register the Standard Servers with the Enterprise Server and configure the schedule for the Consolidation Server to aggregate data. By performing these tasks, you enable the Enterprise Server to consolidate the data from all the Standard Servers in the Tivoli Security Information and Event Manager cluster. You must register each Standard Server with the Enterprise Server so that the Enterprise Server can consolidate data from Standard Servers and perform centralized log management.

Before the Enterprise Server can consolidate data from the Standard Servers, the indexer and searcher processes in the Enterprise Server must have access to the depots of all Standard Servers in the cluster. Therefore, you must share the Depot of each Standard Server before you register that Standard Server with the Enterprise Server. Perform this step on the Enterprise Server for each Standard Server in the cluster.

Both the IBM Tivoli Security Information and Event Manager Version 2.0 Users Guide, SC23-9689, and the IBM Tivoli Security Information and Event Manager Version 2.0 Administrators Guide, SC23-9688, provide more details about how to configure tasks, collect data, and generate reports.

Logs

In certain cases, you might not be able to solve a problem by troubleshooting the symptoms. In such cases, you must collect more diagnostic data. Before you begin to collect data for a problem report, install and run the IBM Support Assistant for best results. This troubleshooting tool includes a console that you can use to gather the required data. Refer to the IBM Tivoli Security Information and Event Manager Version 2.0 Troubleshooting Guide, SC23-9690, on how to install the IBM Support Assistant. This guide also shows you how to configure log file settings.

We discuss the following three types of log files, which are available when log tracing is enabled:

- Installation logs
- Message logs
- Trace logs

Installation logs

When Tivoli Security Information and Event Manager components are installed, the installation process creates log files.

The installation program creates log files in three locations:

- The installation graphical user interface (GUI) logs are called TSIEM_install-*.log. These logs are in the home folder of the user who installs Tivoli Security Information and Event Manager (for example, C:\Documents and Settings\Administrator\TSIEM_install-00.log).
- The main log file of the installation engine is located in %TSIEM_HOME%\_uninst\TSIEMInstall\plan\install\MachinePlan_localhost\logs. The name of the main log file starts with MachinePlan_localhost_ and is followed by a time stamp.
- When the installation program calls a subprogram, the resulting logs are written to %TSIEM_HOME%\log (for example, C:\IBM\TSIEM2010\log).

These installation logs are helpful in resolving any problems that you encounter during installation.

Message logs

Message logs are text files in which the operations of the system are recorded. The following types of messages are recorded by default:

Informational messages: Indicate conditions that are worth noting but that do not require you to take any precautions or perform an action.

Warning messages: Indicate that a condition was detected that you must be aware of but that does not necessarily require you to take action.

Error messages: Indicate that a condition occurred that requires you to take action.

Using the Tivoli Integrated Portal, you can configure settings of the logs, such as the location, name, maximum size of the log files, and the levels of severity that you want to log.

By default, JVM message logs are located in the following directory, where install_location is the location where Tivoli Security Information and Event Manager is installed (by default, c:\IBM\TSIEM):

install_location\tip\profiles\TIPProfile\logs\server_name\SystemOut.log

IBM Service Log logs are written to the following default location, where install_location is the location where Tivoli Security Information and Event Manager is installed (by default, c:\IBM\TSIEM):

install_location\tip\profiles\TIPProfile\logs\server_name\activity.log

Console message logs are saved in the message log directories of the WebSphere Application Server node where the administrative console is installed.

Trace logs

Trace logging, or tracing, provides you with additional information relating to the condition of the system at the time a problem occurred. In contrast to message logs, where records are made of noteworthy events that occurred, trace logs capture transient information about the current operating environment when a component or application fails to operate as intended.

Trace logging is not enabled by default because in certain circumstances it can cause large amounts of data to be collected in a short amount of time and might result in significant performance degradation.

By default, the trace log is located in the following directory, where install_location is the location where Tivoli Security Information and Event Manager is installed (by default, c:\IBM\TSIEM):

install_location\tip\profiles\TIPProfile\logs\server_name\trace.log

Console trace logs are saved in the trace log directories of the WebSphere Application Server node where the administrative console is installed.

Viewing logs

The format of the logs determines how they can be viewed:

- JVM logs

To view the JVM logs, you can use the WebSphere Application Server administrative console, which supports viewing from a remote machine, or use a text editor on the machine where the log files are stored. For more information, search on "viewing JVM logs" in the WebSphere Application Server Information Center.

- IBM service logs

The service logs are written in binary format. To view the log, you can use tools that are part of WebSphere Application Server. For more information, search on "viewing the service log" in the WebSphere Application Server Information Center.

- Trace logs

Trace data is generated as plain text in basic, advanced, or log analyzer format. On an application server, trace data can be directed to a file or to an in-memory circular buffer. If the circular buffer is used, the data must be dumped to a file before you can view it.