IBM® Tivoli® Compliance Insight Manager, Fix Pack 8.0.0-TIV-TCIM-FP003 README

©Copyright International Business Machines Corporation 2008. All rights reserved. U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

NOTE: Before using this information and the product it supports, read the general information under Notices in this document.

Date: 2008 March 28


About the Fix Pack

This Fix Pack corrects problems in IBM Tivoli Compliance Insight Manager, Version 8.0.0.0. It requires that IBM Tivoli Compliance Insight Manager, Version 8.0.0.0, is installed. After installing this Fix Pack, your Tivoli Compliance Insight Manager installation will be at level 8.0.0.3.


Patch contents and distribution

This Fix Pack package contains:

This Fix Pack is distributed as an electronic download from the IBM Support Web Site.


Architectures

This Fix Pack package supports the same operating system releases as the Tivoli Compliance Insight Manager release that are listed in the Hardware and software requirements document.


Fix Packs superseded by this Fix Pack

This Fix Pack supersedes the IBM AIX, Microsoft Windows, Sun Solaris and HP-UX parts of Fix Packs 8.0.0-TIV-TCIM-FP001 and 8.0.0-TIV-TCIM-FP002. The most recent Fix Pack for the z/OS actuators is 8.0.0-TIV-TCIM-FP002.


Fix Pack structure

Tivoli Compliance Insight Manager supports multiple platforms; for each platform that requires updates, a separate package is installed. That package contains the updates for all components installed on that platform.


APARs and defects fixed

Problems fixed by Fix Pack 8.0.0-TIV-TCIM-FP003

The following problems are corrected by this Fix Pack. For more information about the APARs listed here, refer to the Tivoli Compliance Insight Manager Support site.

APAR IZ03660
SYMPTOM: Some Windows events are not mapped or there are some inaccuracies on the mapping.

APAR IZ02804
SYMPTOM: When the User Information Source contains real names with a length exceeding 64 characters, the load fails.

APAR IZ03058
SYMPTOM: The version of Java that is installed on the Tivoli Compliance Insight Manager systems is not aware of the new daylight saving switches that are defined in the New Zealand time zone.

Internal defect PE05390
SYMPTOM: Several issues for the Tivoli Access Manager for Operating Systems Event Source (ES): the non-initial collect on AIX and HP-UX fails if the day of the month is between 1 and 9, the active audit log file is missed in the original sublog, the "Add User Information Source" button in the Management Console is disabled for remotely audited machines, and the "successclass" is based on the wrong data field.

Internal defect PE05410
SYMPTOM: For the Oracle Event Source (ES) the event order is incorrect. This may result in 'unavailable' data fields for logoff events, when the logon and logoff occur in the same second.

Internal defect PE05470
SYMPTOM: When trying to edit a custom report with multiple "or" conditions, only one of those conditions will appear in the report editor. When the report is then saved in this state, the other (not shown) conditions are removed from the definition.

Internal defect PE05540
SYMPTOM: Spaces in the TIM UIS "Organization Name" event source field value cause a grouping collection failure.

Internal defect PE05440
SYMPTOM: The Novell UIS event source fails to collect.

APAR IZ07020
SYMPTOM: Some z/OS events show UNINIT values.

Internal defect PE05600
SYMPTOM: The iView session always expires after approximately 30 minutes, regardless of whether there is any activity in iView.

APAR IZ05031
SYMPTOM: For the OpenVMS Event Source, deletion events are always registered as "failure".

APAR IZ07140
SYMPTOM: In iView column filter editor, some characters are not escaped properly.

Internal defect PE05650
SYMPTOM: CCRG does not generate LogManagerReportGenerator.log and LogManagerReportGenerator_AuditTrail.log.

Internal defect PE05680
SYMPTOM: In some environments, TAM-OS collection fails from the second collect onward.

Internal defect PE05690
SYMPTOM: MSSQL event source reports incomplete data, including some UNINIT and Unavailable values.

APAR IZ06758
SYMPTOM: The GEM database permanently fails to load after an out-of-memory error.

Internal defect PE05730
SYMPTOM: Database may become inconsistent after sliding failure.

APAR IZ05070
SYMPTOM: SYSDBA events are not supported in Oracle event source.

APAR IZ05990
SYMPTOM: The Syslog NG event source attempts to use the audited machine's host name in uppercase and fails to collect.

APAR IZ08467
SYMPTOM: AD Event source is not stripping the @domain from the logonname and name.

APAR IZ04597
SYMPTOM: The "sudo" command "Who" and "OnWhat" dimensions are not correctly mapped in the Syslog event source.

APAR IZ05689
SYMPTOM: GEM Load failures caused by a Bulk Load and/or Postprocessing failures are not reported by the IBM TCIM Server Activity event source.

APAR IZ12128
SYMPTOM: The UDB Mapper does not present the correct information in the "Where from" dimension.

APAR IZ09917
SYMPTOM: Clicking on the LogManager link in the portal throws a SQL exception due to primary key violation on EpriseDb.USERPREFERENCES table.

APAR IZ09982
SYMPTOM: The title and description of two SOX reports are missing (FFIEC 1.1.1.4 Security Policy and FFIEC 1.3.1.1 Classification).

APAR IZ10918
SYMPTOM: When exporting the dashboard to PDF, the axis labels are not displaying correctly.

Internal defect PE05850
SYMPTOM: The 'Save grouping file' action does not work in the Grouping Wizard; some conditions with a placeholder cause an error instead of a report page in iView; event source information is displayed incorrectly on Log Manager's Investigate page when using Internet Explorer 7.0; and the 'Save as' dialog of the 'Export to CSV' function displays non-English characters incorrectly and offers only the HTML format.

APAR IZ13138
SYMPTOM: Additional rows are shown in custom report when using Aspect columns.

APAR IZ13133
SYMPTOM: Event ID 567 (Write File) maps the incorrect OnWhat object for the Windows event source.

APAR IZ13776
SYMPTOM: When creating a Summary report, a filter cannot be added with Event:Aspect field.

APAR IZ14060
SYMPTOM: Actuators run out of memory because of a memory leak.

APAR IZ16064
SYMPTOM: Distribution report fails with a "NullPointerException" error.

APAR IZ05654
SYMPTOM: An HTTP error 500 happens when attempting to move a large number of groups in the scoping policy.

APAR IZ03868
SYMPTOM: Platform plug-ins cannot be applied due to "timeout" errors.

APAR IZ14745
SYMPTOM: Informational header is missing in distributed reports.

APAR IZ14947
SYMPTOM: The run time for the distribution tasks is wrong when the TCIM server time zone is between GMT-5 and GMT+1.

APAR IZ15528
SYMPTOM: Compress function (which is applied during daily restart) corrupts idx/val database files.

Before installing the Fix Pack

Please be aware of the following considerations before installing this Fix Pack:

Prerequisites

This Fix Pack requires that you have Tivoli Compliance Insight Manager 8.0.0 and its prerequisites installed.

Fix Pack package

The Fix Pack package is provided as an executable file for the Microsoft Windows platform and as an archive file for each supported non-Windows platform.

Installing the Fix Pack

Installing the Fix Pack on Microsoft Windows

Before installing the Fix Pack on a Microsoft Windows system:

To install the Fix Pack, run 8.0.0-TIV-TCIM-Win32-FP003.exe.

The Fix Pack installation program determines which Tivoli Compliance Insight Manager components are installed on the system and applies the necessary updates to those components. If you have previously installed one or more interim fixes to the system, the Fix Pack automatically detects them and applies the necessary fixes.

Installing the Fix Pack on AIX

To apply the Fix Pack for Tivoli Compliance Insight Manager Actuator for AIX, follow these steps:

  1. Transfer the 8.0.0-TIV-TCIM-AIXPPC32-FP003.tar.gz to a temporary directory on the AIX system by using FTP in binary mode.
  2. Decompress the upgrade package:
    # gzip -dc 8.0.0-TIV-TCIM-AIXPPC32-FP003.tar.gz | tar xvf -
  3. Apply the correct executable permissions to the "apply.sh" file. For example:
    # chmod 755 ./apply.sh
  4. Apply the Fix Pack package (the default installation directory is assumed):
    # ./apply.sh /usr/lpp/IBM/TCIM/actuator
  5. Verify that the Actuator agent has started by inspecting the list of active processes:
    # ps -ef | grep agent

    Note: Only one instance of the Actuator agent should be active.

Installing the Fix Pack on Solaris

To apply the Fix Pack for Tivoli Compliance Insight Manager Actuator for Solaris, follow these steps:

  1. Transfer the 8.0.0-TIV-TCIM-SolarisSparc-FP003.tar.gz to a temporary directory on the Solaris system by using FTP in binary mode.
  2. Decompress the upgrade package:
    # gzip -dc 8.0.0-TIV-TCIM-SolarisSparc-FP003.tar.gz | tar xvf -
  3. Apply the correct executable permissions to the "apply.sh" file. For example:
    # chmod 755 ./apply.sh
  4. Apply the Fix Pack package (the default installation directory is assumed):
    # ./apply.sh /opt/IBM/TCIM/actuator
  5. Verify that the Actuator agent has started by inspecting the list of active processes:
    # ps -ef | grep agent

    Note: Only one instance of the Actuator agent should be active.

Installing the Fix Pack on HP-UX

To apply the Fix Pack for Tivoli Compliance Insight Manager Actuator for HP-UX, follow these steps:

  1. Transfer the 8.0.0-TIV-TCIM-HPUXPARISC-FP003.tar.gz to a temporary directory on the HP-UX system by using FTP in binary mode.
  2. Decompress the upgrade package:
    # gzip -dc 8.0.0-TIV-TCIM-HPUXPARISC-FP003.tar.gz | tar xvf -
  3. Apply the correct executable permissions to the "apply.sh" file. For example:
    # chmod 755 ./apply.sh
  4. Apply the Fix Pack package (the default installation directory is assumed):
    # ./apply.sh /opt/IBM/TCIM/actuator
  5. Verify that the Actuator agent has started by inspecting the list of active processes:
    # ps -ef | grep agent

    Note: Only one instance of the Actuator agent should be active.


Documentation updates

Depot investigation tool usage

This document contains some additional information which is missing in the IBM Tivoli Compliance Insight Manager (TCIM) version 8.0 and 8.5 user manuals.

The depot investigation tool works in 2 steps:

  1. In the first step, the "Search summary" will list all the blocks of events (maximum 10000 events) which contain the search value, regardless of the specified search field.
  2. The second step will list in the "Search results" only those events which contain the search value in the specified search field.

Therefore it is possible that the "Search summary" lists some blocks of events while the "Search results" contains no results at all.

This is illustrated by the following example:

This is explained by the fact that "Cleve400" is contained in the block of events, but NOT in the field "result".

Precedence of logical operators

The search query is not case sensitive regarding the logical operators (for example, "or" is the same as "OR").

The query parser evaluates the search query from right to left and builds a (binary) tree of nodes, so the leftmost operator becomes the root of the tree and the operators to its right bind more tightly.

Attention: This is not in line with some other logical parsers, where the AND operator takes precedence over the OR operator.

Therefore it is recommended to always use parentheses in a search query that contains more than one logical operator.

The tree contains compound nodes (OR nodes and AND nodes) and single nodes that signify simple expressions.

For example the search query:
a OR b AND C

gets interpreted in the query parser as
OR[a, AND [b,c]]

Some additional examples:

  Search query                 | Equivalent to                  | Interpreted by parser
  -----------------------------+--------------------------------+-----------------------------------
  a                            | a                              | a
  A                            | a                              | a
  (a)                          | a                              | a
  a or b                       | a OR b                         | OR[a, b]
  a OR b OR c                  | a OR (b OR c)                  | OR[a, OR[b, c]]
  a AND b                      | a AND b                        | AND[a, b]
  a OR b AND c                 | a OR (b AND c)                 | OR[a, AND[b, c]]
  (a OR b) AND c               | (a OR b) AND c                 | OR[a, AND[b, c]]
  (a OR b) AND (c OR d)        | (a OR b) AND (c OR d)          | AND[OR[a, b], OR[c, d]]
  (a OR b) AND (c OR d OR e)   | (a OR b) AND (c OR (d OR e))   | AND[OR[a, b], OR[c, OR[d, e]]]
  a OR b AND c OR d OR e       | a OR (b AND (c OR (d OR e)))   | OR[a, AND[b, OR[c, OR[d, e]]]]
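The following Python is an added illustration of the right-to-left interpretation described above; it is not the product's own query parser. It splits a query at the leftmost top-level operator, parses everything to the right of it as one subtree, matches operators case-insensitively and honours explicit parentheses, then prints the tree in the OR[a, AND[b, c]] notation used in the table. The function names are assumptions of this example.

```python
import re

# Operators are matched case-insensitively ("or" == "OR"), as the README states.
OPERATORS = {"AND", "OR"}


def tokenize(query):
    """Split a query into terms, parentheses and (upper-cased) operators."""
    tokens = re.findall(r"\(|\)|[^\s()]+", query)
    return [t.upper() if t.upper() in OPERATORS else t for t in tokens]


def _strip_outer_parens(tokens):
    """Remove parentheses that enclose the whole token list, so '(a)' becomes 'a'."""
    while len(tokens) >= 2 and tokens[0] == "(" and tokens[-1] == ")":
        depth = 0
        for i, tok in enumerate(tokens):
            if tok == "(":
                depth += 1
            elif tok == ")":
                depth -= 1
            if depth == 0 and i < len(tokens) - 1:
                return tokens  # the first "(" closes early: not an outer pair
        tokens = tokens[1:-1]
    return tokens


def parse(tokens):
    """Build the tree: a leaf is a string, a compound node is (op, left, right)."""
    tokens = _strip_outer_parens(tokens)
    if not tokens:
        raise ValueError("empty expression")
    depth = 0
    for i, tok in enumerate(tokens):
        if tok == "(":
            depth += 1
        elif tok == ")":
            depth -= 1
        elif depth == 0 and tok in OPERATORS:
            # Leftmost top-level operator becomes the root; everything to the
            # right is parsed as a single subtree, so AND gets no precedence.
            return (tok, parse(tokens[:i]), parse(tokens[i + 1:]))
    if len(tokens) != 1:
        raise ValueError("expected an operator between terms: %r" % (tokens,))
    return tokens[0]


def render(node):
    """Render a tree in the README's notation, e.g. OR[a, AND[b, c]]."""
    if isinstance(node, str):
        return node
    op, left, right = node
    return "%s[%s, %s]" % (op, render(left), render(right))


def interpret(query):
    return render(parse(tokenize(query)))


if __name__ == "__main__":
    for q in ("a OR b AND c", "(a OR b) AND (c OR d)", "a OR b AND c OR d OR e"):
        print(q, "->", interpret(q))
```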

Special characters and wildcards in search query

The Depot Investigation Tool also handles special characters such as "@_&#$%/\:" in the search query.

Please note that special characters do not work in combination with the wildcard character "*".

Collecting events from Linux Syslog NG

Prerequisites

Follow the steps described in the installation manual for remote SSH collection ("Chapter 9. Enabling collect using SSH event sources").

Installing Syslog NG

Many distributions offer packages that automatically install Syslog NG on a Linux system. For instance in Fedora Core, the following command can be used:
yum install syslog-ng

In Debian based distributions:
apt-get install syslog-ng

Use the automated method whenever it is available, as the necessary configuration is applied automatically. A source code distribution is also offered by the Syslog NG vendor on its Web site (http://www.balabit.com/downloads/files/syslog-ng/sources/stable/src/); it should build on most Linux distributions.

To use host names (and a DNS server is not set in the network), the "/etc/hosts" file needs to be modified to add any remote machine IP address. For instance, if we want to assign the host name "redhat" to the "192.168.116.40" IP address, we should add the following line:
192.168.116.40 redhat redhat

The Syslog NG configuration file (located at "/etc/syslog-ng/syslog-ng.conf") needs to be modified in order to place the produced logs in the right location and with the right format. The following configuration data can be used:

  source s_udp {
      udp(ip(0.0.0.0) port(514));
  };

  filter f_ism_hosts { host("999.999.999.999"); };

  destination d_ism {
      file("/var/log/tcim/$HOST/syslog-$YEAR-$MONTH-$DAY.log"
           template("<$PRI>$DATE $HOST $MSG\n")
           create_dirs(yes)
           owner(insight)
           group(insight)
           perm(0600)
           dir_owner(insight)
           dir_group(insight)
           dir_perm(0700)
      );
  };

  log { source(s_udp); filter(f_ism_hosts); destination(d_ism); };

Make sure to substitute "999.999.999.999" with the appropriate IP address if DNS is not used, or with the host name if it is. It is assumed that the TCIM user created for SSH collection is named "insight" (change it if yours differs). The default folder where logs are stored is "/var/log/tcim", but any other folder may be used as long as the event source "Log dir" property in TCIM's Management Console is updated to reflect the right location.

In case that host names are preferred over IP addresses, change the value of the "use_dns" option to "yes" in the "options" section of the Syslog NG configuration file. It's important to keep in mind that host names are case sensitive in Linux, and it's recommended to always use lowercase.

In most cases, Linux will have an "iptables" firewall that will prevent the exchange of syslog messages. In order to allow it, add the following line to "/etc/sysconfig/iptables" (just before the line with "-j REJECT" on it):
-A RH-Firewall-1-INPUT -p udp -m udp --dport 514 -j ACCEPT

After the modifications are made, make sure to restart the modified services. To restart the network services:
/etc/rc.d/init.d/network restart

To restart Syslog NG:
/etc/rc.d/init.d/syslog-ng restart

To restart the iptables firewall:
service iptables restart
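Once Syslog NG is running with the destination above, the log tree it writes must match what the SSH collector expects: one directory per host with mode 0700, files named syslog-YYYY-MM-DD.log with mode 0600, all owned by the collection user. The following Python check is an added example, not part of the product; the root directory and the expected uid/gid are parameters so it can be pointed at any "Log dir" location.

```python
import os
import re
import stat

# File name produced by "syslog-$YEAR-$MONTH-$DAY.log" in the destination template.
LOG_NAME = re.compile(r"^syslog-\d{4}-\d{2}-\d{2}\.log$")


def audit_log_tree(root, expected_uid, expected_gid):
    """Return a list of (path, problem) tuples for entries that deviate from the
    perm(0600)/dir_perm(0700)/owner settings of the d_ism destination.
    An empty list means the tree looks the way the collector expects."""
    findings = []
    for host in sorted(os.listdir(root)):
        host_dir = os.path.join(root, host)
        st = os.lstat(host_dir)
        if not stat.S_ISDIR(st.st_mode):
            findings.append((host_dir, "not a directory"))
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode != 0o700:
            findings.append((host_dir, "dir mode %o, expected 0700" % mode))
        if (st.st_uid, st.st_gid) != (expected_uid, expected_gid):
            findings.append((host_dir, "unexpected owner uid=%d gid=%d" % (st.st_uid, st.st_gid)))
        for name in sorted(os.listdir(host_dir)):
            path = os.path.join(host_dir, name)
            fst = os.lstat(path)
            if not stat.S_ISREG(fst.st_mode):
                findings.append((path, "not a regular file"))
                continue
            if not LOG_NAME.match(name):
                findings.append((path, "name does not match syslog-YYYY-MM-DD.log"))
            fmode = stat.S_IMODE(fst.st_mode)
            if fmode != 0o600:
                findings.append((path, "file mode %o, expected 0600" % fmode))
            if (fst.st_uid, fst.st_gid) != (expected_uid, expected_gid):
                findings.append((path, "unexpected owner uid=%d gid=%d" % (fst.st_uid, fst.st_gid)))
    return findings


if __name__ == "__main__":
    import pwd
    import sys
    # Assumed defaults from the README: log dir /var/log/tcim, collection user "insight".
    log_dir = sys.argv[1] if len(sys.argv) > 1 else "/var/log/tcim"
    pw = pwd.getpwnam(sys.argv[2] if len(sys.argv) > 2 else "insight")
    for path, problem in audit_log_tree(log_dir, pw.pw_uid, pw.pw_gid):
        print("%s: %s" % (path, problem))
```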


Software limitations

Installing a component after installing the Fix Pack

If you install a Tivoli Compliance Insight Manager component to the system, such as the consolidation component, after the Fix Pack has been applied, you must reinstall the Fix Pack on that system, so that all components are at the same level.


Known problems and workarounds

After applying the fix for APAR IZ08467 (which strips the @domain from the logonname and name), there might be some duplicates in the mapping due to an unrelated mapper issue (this is being handled in internal defect QE070C006).


Notices

This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service. IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions; therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information that has been exchanged, should contact:

IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.


Trademarks

The following terms are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both:

AIX
IBM
IBM logo
iSeries
pSeries
OS/390
Tivoli
Tivoli logo
xSeries
zSeries
z/OS

Adobe, Acrobat, Portable Document Format (PDF), and PostScript are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, other countries, or both.

Java and all Java-based trademarks and logos are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

Other company, product, and service names may be trademarks or service marks of others.