# Multiple emitters can be used by separating them using commas on
# the "dest" line and including both emitter configurations in this file.
#
# e.g.
#   mfaudit.dest = auditfile,snmp
#
#   mfaudit.emitter.auditfile#collectionsize = 5
#   mfaudit.emitter.auditfile#location = c:\logs
#   mfaudit.emitter.auditfile#maxfilesize = 1
#
# NOTE(review): the line below is read as the active destination setting,
# not as part of the example above - confirm against the shipped sample.
mfaudit.dest = snmp

# The primary SNMP emitter module is snmpaudit.dll (or .so on UNIX/Linux)
mfaudit.emitter.snmp = snmpaudit

# Tell the SNMP emitter which SNMP agent to use, either Windows or Net-SNMP.
# To switch between SNMP V2 providers simply switch this line.
# NOTE: SNMP V3 is only supported by Net-SNMP installations.
#   Windows SNMP: mfaudit.emitter.snmp#agent = mf_audit_win_snmp
#   Net-SNMP:     mfaudit.emitter.snmp#agent = mf_audit_net_snmp
mfaudit.emitter.snmp#agent = mf_audit_net_snmp

# Emitters cannot use Micro Focus CTF trace facilities, so
# a basic alternative logging method has been provided.
#
# Logging can go to file and screen, or just to file.
#
# mfaudit.emitter.snmp#agent.log_emitter options
#
#   on                  - enable all logging options
#   off                 - do not log anything
#   errors              - log only errors
#   flow                - log module process flow
#   content             - log audit message (partial) content
#   errors_flow         - log errors and logic flow
#   errors_flow_content - log errors and logic flow and content
#
# SECURITY: the "content" levels copy partial audit message content into the
# emitter log, so the log destination then needs the same access control as
# the audit trail itself.
mfaudit.emitter.snmp#agent.log_emitter = errors

# mfaudit.emitter.snmp#agent.log_to_screen options
#   on  - log to console screen
#   off - do not log to screen, log to file
mfaudit.emitter.snmp#agent.log_to_screen = on

# mfaudit.emitter.snmp#agent.logfilename options
#   if screen logging is disabled log to file name given here
# NOTE: the sample path is the root of C:. Point it at a directory that only
# administrators and the emitter's account can write to.
mfaudit.emitter.snmp#agent.logfilename = c:\snmpemitter.log

# Generic SNMP configuration
# hostname is the target system that will receive our Trap messages
# the hostname can be textual (DNS name) or dotted decimal format
# only one target destination may be specified.
# NOTE: target_name.domain.location is a placeholder; replace it with the
# trap receiver's address.
mfaudit.emitter.snmp#agent.hostname = target_name.domain.location

# SNMP Traps default port is 162
mfaudit.emitter.snmp#agent.port = 162

# snmp_version can be either "2" or "3". If "3", extra parameters are also
# required; see below.
# snmp_version default is "2"
# SECURITY: SNMP v2c has no per-user authentication and no encryption, so the
# community string and the trap content cross the network in clear text and
# the receiver cannot verify the sender. For audit events prefer version 3
# with AuthPriv (Net-SNMP agent only, per the note above).
mfaudit.emitter.snmp#agent.snmp_version = 2

# Transport options are UDP or TCP. The default is UDP.
# NOTE: traps are unacknowledged; over UDP a dropped trap is not retransmitted
# by the protocol, so audit events can be lost in transit.
mfaudit.emitter.snmp#agent.transport = UDP

# SNMP community in which to send Trap events.
# SECURITY: "public" is the well-known default community string. Replace it
# with a site-specific value and handle that value as a credential.
mfaudit.emitter.snmp#agent.community = public

# default event level is to exclude the events 0,2,3,4,5,6, the example below excludes
# events with a category >9
mfaudit.emitter.snmp#agent.exclude.events=>9

# SNMP v3 configuration options are as follows:-
#   Privilege
#   Context Engine ID
#   Context string
#   Username
#   Security Engine ID
#   Hash method (MD5 or SHA1)
#   authentication password
#   Cipher (DES or AES128)
#   cipher password

# privilege determines authentication and privacy (cipher usage) settings
# Options are :-
#   "AuthPriv"   Authenticate and use private (encrypted) data
#   "AuthNoPriv" Authenticate user with no encryption of data
#   "NoAuth"     No authentication or encryption of data.
# SECURITY: NoAuth sends v3 traps with neither authentication nor encryption.
# Use AuthPriv when snmp_version = 3.
mfaudit.emitter.snmp#agent.privilege = NoAuth

# Each context is identified by a text name and hex EngineID in a similar
# pairing to that of the Security EngineID and Security Username options.
# You must configure either a context_engineID, or a security_engineID, or both
# Context Engine ID.
# Context engine ID is a hex string of the format "0x0102030405"
# NOTE(review): context_engineID and context_name are listed with no "=" and
# no value; presumably this leaves them unset - confirm how the emitter
# parses a key without a value.
mfaudit.emitter.snmp#agent.context_engineID

# Context name is a text string.
mfaudit.emitter.snmp#agent.context_name

# An engine ID is a hex string of the format "0x0102030405" - see
# below for further details.
# NOTE: 0x0102030405 is the format example; set the engineID that the trap
# receiver's user database expects.
mfaudit.emitter.snmp#agent.security_engineID= 0x0102030405

# All V3 Traps must be sent by a known user
mfaudit.emitter.snmp#agent.security_username = username

# The two passphrases must be at least 8 characters in length
# spacey pass phrases may be used, they must be enclosed in quotes.
# Non-spacey pass phrases may omit the quotes.
# Both passwords are independently specified. For greater security
# both passwords should be different in live installations.
# SECURITY: the two values below are placeholders and are stored in clear
# text. Replace both, and restrict read access on this file to administrators
# and the account that runs the audit emitter.
mfaudit.emitter.snmp#agent.auth_passphrase = "auth password"
mfaudit.emitter.snmp#agent.cipher_passphrase = "crypt password"

# hmac can be MD5 or SHA1; Default is MD5
# SECURITY: MD5 is a legacy hash; choose SHA1 where the trap receiver
# supports it.
mfaudit.emitter.snmp#agent.hmac = MD5

# cipher can be DES or AES (AES128): Default is DES
# AES ciphers may not be supported in all systems.
# DES is the default cipher for SNMP v3
# SECURITY: DES is a legacy cipher with a 56-bit key; choose AES where both
# ends support it.
mfaudit.emitter.snmp#agent.cipher = DES

# NOTES: SNMPv3, users and engineIDs
# TRAPs and INFORMs get a little more complex with respect to SNMPv3. The reason
# behind it is how the user database is maintained. SNMPv1 and SNMPv2c community
# based messages merely always display the message to the end user that shares the
# same community ID. SNMPv3 mandates that the message is rejected unless the SNMPv3
# user sending the trap already exists in the user database.
# This sounds simple enough, except for one small problem: The user database in a
# SNMPv3 application is referenced by a combination of the user's name
# (called a "security Name") and an identifier for the given SNMP application you're
# talking to (called an "engineID").
# Sometimes, when you use other snmp applications (snmpget, snmpwalk, ...)
# the application "discovers" the remote engineID for you and then inserts the
# username, engineID and passwords into the user database based on this remote engineID.
# Makes things all nice and simple when talking to a remote agent.
# However the Micro Focus Audit Manager sits outside the general SNMP agent framework
# and so the configuration of the security EngineID is held in this configuration
# file. It is left to the user of the SNMP auditing engine to configure the
# correct engineID and name in this file.
# Here's what Net-SNMP have to say about the definitions of an EngineID:
# (NOTE(review): the quoted text appears to be the SnmpEngineID definition from
# the SNMP-FRAMEWORK-MIB, RFC 3411 - confirm the reference.)
# An SNMP engine's administratively-unique identifier.
# Objects of this type are for identification, not for addressing, even though it
# is possible that an address may have been used in the generation of a specific
# value.
# The value for this object may not be all zeros or all 'ff'H or the empty (zero
# length) string.
# The initial value for this object may be configured via an operator console entry
# or via an algorithmic function. In the latter case, the following example
# algorithm is recommended.
# In cases where there are multiple engines on the same system, the use of this
# algorithm is NOT appropriate, as it would result in all of those engines ending
# up with the same ID value.
#
# 1) The very first bit is used to indicate how the rest of the data is composed.
#      0 - as defined by enterprise using former methods that existed before SNMPv3.
#          See item 2 below.
#      1 - as defined by this architecture, see item 3 below.
#    Note that this allows existing uses of the engineID (also known as AgentID
#    [RFC1910]) to co-exist with any new uses.
#
# 2) The snmpEngineID has a length of 12 octets.
#    The first four octets are set to the binary equivalent of the agent's SNMP
#    management private enterprise number as assigned by the Internet Assigned
#    Numbers Authority (IANA).
#    For example, if Acme Networks has been assigned { enterprises 696 }, the first
#    four octets would be assigned '000002b8'H.
#    The remaining eight octets are determined via one or more enterprise-specific
#    methods. Such methods must be designed so as to maximize the possibility that
#    the value of this object will be unique in the agent's administrative domain.
#    For example, it may be the IP address of the SNMP entity, or the MAC address of
#    one of the interfaces, with each address suitably padded with random octets.
#    If multiple methods are defined, then it is recommended that the first
#    octet indicate the method being used and the remaining octets be a function of
#    the method.
#
# 3) The length of the octet string varies.
#    The first four octets are set to the binary equivalent of the agent's SNMP
#    management private enterprise number as assigned by the Internet Assigned Numbers
#    Authority (IANA).
#    For example, if Acme Networks has been assigned { enterprises 696 }, the first
#    four octets would be assigned '000002b8'H.
#    The very first bit is set to 1. For example, the above value for Acme Networks
#    now changes to be '800002b8'H.
#    The fifth octet indicates how the rest (6th and following octets) are formatted.
#    The values for the fifth octet are:
#      0 - reserved, unused.
#      1 - IPv4 address (4 octets) lowest non-special IP address
#      2 - IPv6 address (16 octets) lowest non-special IP address
#      3 - MAC address (6 octets) lowest IEEE MAC address, canonical order
#      4 - Text, administratively a string