Log Types: VMSLog
Overview
OpenVMS (Virtual Memory System) is a multi-user, multiprocessing virtual memory-based operating system designed for use in time-sharing, batch processing, and transaction processing. It was first released by Digital Equipment Corporation in 1977 as VAX/VMS for its series of VAX minicomputers.
Collection
OpenVMS audit data is generally written to files in a structured, multi-line format, as shown below. The lines belonging to each event should be joined into a single line and prefixed with the hostname, the string “VMSLog” and a criticality value. If the result is sent to the Snare Central server on the default collection port (generally 6161), the VMS collection module will interpret the contents and integrate the fields into the Snare Central server event archive.
Sample Events
Security alarm (SECURITY) and security audit (SECURITY) on JAGUAR, system id: 1785
Auditable event: Local interactive breakin detection
Event time: 22-NOV-2004 16:12:07.50
PID: 000002E5
Process name: DECW$LOGINOUT
Username: E_SEC_TEST
Password: TEST5
Terminal name: _WSA1:
Status: %LOGIN-F-INVPWD, invalid password
MyVMSBox VMSLog 1 Security alarm (SECURITY) and security audit (SECURITY) on JAGUAR, system id: 1785 Auditable event: Local interactive breakin detection Event time: 22-NOV-2004 16:12:07.50 PID: 000002E5 Process name: DECW$LOGINOUT Username: E_SEC_TEST Password: TEST5 Terminal name: _WSA1: Status: %LOGIN-F-INVPWD, invalid password
MyVMSBox VMSLog 1 Security alarm (SECURITY) and security audit (SECURITY) on JAGUAR, system id Auditable event: Local interactive breakin detection Event time: 22-NOV-2004 16:12:07.50 PID: 000002E5 Process name: DECW$LOGINOUT Username: E_SEC_TEST Password: TEST5 Terminal name: _WSA1: Status: %LOGIN-F-INVPWD, invalid password
MyVMSBox VMSLog 1 Unknown packet: Type: !, !security alarm (SECURITY) and security audit (SECURITY) on JAGUAR, system id: 1785 Auditable event: System UAF record copied Event time: 22-NOV-2004 16:04:20.93 PID: 000002D7 Process name: _FTA85: Username: ADMINISTRATE Process owner: [SYSTEM] Terminal name: FTA85: Image name: $100$DKA0:[SYS0.SYSCOMMON.][SYSEXE]AUTHORIZE.EXE Object class name: FILE Object name: SYS$COMMON:[SYSEXE]SYSUAF.DAT;1 User record: New: E_SEC_TEST Original: E_VMS_JAGUAR Password Date: New: (pre-expired) Original: 8-NOV-2004 13:41
MyVMSBox VMSLog 1 Unknown packet: Type: !, !security alarm (SECURITY) and security audit (SECURITY) on JAGUAR, system id: 1785 Auditable event: System UAF record copied Event time: 22-NOV-2004 16:04:20.93 PID: 000002D7, Process name: _FTA85: Username: ADMINISTRATE Process owner: [SYSTEM] Terminal name: FTA85: Image name: $100$DKA0:[SYS0.SYSCOMMON.][SYSEXE]AUTHORIZE.EXE Object class name: FILE Object name: SYS$COMMON:[SYSEXE]SYSUAF.DAT;1 User record: New: E_SEC_TEST Original: E_VMS_JAGUAR New: (pre-expired) Original: 8-NOV-2004 13:41
Fields
| Field | Description |
|---|---|
| DATE | Event date, in the format YYYY-MM-DD |
| TIME | Event time, in the format HH:MM:SS |
| SYSTEM | The source system (the node name in the event header, e.g. JAGUAR) |
| TABLE | VMSLog |
| EVENTID | Event ID, taken from the “Auditable event” line, such as “Local interactive breakin detection” |
| EVENTTYPE | Event type, such as “Security alarm (SECURITY) and security audit (SECURITY)” |
| USERNAME | User name |
| SYSTEMID | Generally a numeric ID, such as 1785 |
| PID | Process ID, as 8 zero-padded hexadecimal characters, e.g. 000002E5 |
| TERMINALNAME | Terminal name, e.g. _WSA1: |
| PROCESSNAME | Process name, e.g. DECW$LOGINOUT |
| PROCESSOWNER | Process owner |
| REMOTEUSERNAME | Remote username, if provided |
| REMOTENODENAME | Remote node name, if provided |
| IMAGENAME | Image name, if provided |
| COMMANDLINE | Command line content, if provided |
| OBJECTCLASSNAME | Object class name, if provided |
| AUDITINGFLAGS | Auditing flags, if available |
| ALARMFLAGS | Alarm flags, if available |
| STATUS | Return status in text form, e.g. %LOGIN-F-INVPWD, invalid password |
| DATA | Any other elements of the event that do not fit into the fields above |
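As an added example (not Snare's own collection code), the following Python joins the sample breakin-detection event into the single-line form described under Collection and maps its lines onto the fields in the table above. The label spellings for Process owner, Image name and Object class name are assumed from the field descriptions; lines with no matching field, such as the Password line, are kept in DATA.

```python
import re
from datetime import datetime
# Constructed sample: the multi-line breakin-detection event shown above.
SAMPLE_EVENT = """Security alarm (SECURITY) and security audit (SECURITY) on JAGUAR, system id: 1785
Auditable event: Local interactive breakin detection
Event time: 22-NOV-2004 16:12:07.50
PID: 000002E5
Process name: DECW$LOGINOUT
Username: E_SEC_TEST
Password: TEST5
Terminal name: _WSA1:
Status: %LOGIN-F-INVPWD, invalid password"""

# First line of every event: "<EVENTTYPE> on <SYSTEM>, system id: <SYSTEMID>"
HEADER_RE = re.compile(r"^(?P<type>.+?) on (?P<system>\S+), system id: (?P<sysid>\d+)$")
# "Label:" lines -> VMSLog field names from the table above ("Process owner",
# "Image name" and "Object class name" are spellings assumed from the table).
FIELD_MAP = {
    "Auditable event": "EVENTID", "PID": "PID", "Process name": "PROCESSNAME",
    "Username": "USERNAME", "Terminal name": "TERMINALNAME", "Status": "STATUS",
    "Process owner": "PROCESSOWNER", "Image name": "IMAGENAME",
    "Object class name": "OBJECTCLASSNAME",
}

def _lines(text):
    return [l.strip() for l in text.strip().splitlines() if l.strip()]
def to_snare_line(hostname, criticality, event_text):
    """Join one multi-line event into the single line the collector expects."""
    return f"{hostname} VMSLog {criticality} " + " ".join(_lines(event_text))
def parse_vms_event(event_text):
    """Map a multi-line VMS audit event onto the VMSLog fields."""
    lines = _lines(event_text)
    rec, extra = {"TABLE": "VMSLog"}, []
    m = HEADER_RE.match(lines[0])
    if m:
        rec["EVENTTYPE"], rec["SYSTEM"], rec["SYSTEMID"] = m.group("type", "system", "sysid")
    else:
        extra.append(lines[0])        # unrecognised header is kept verbatim in DATA
    for line in lines[1:]:
        label, _, value = (s.strip() for s in line.partition(":"))
        if label == "Event time":     # 22-NOV-2004 16:12:07.50 -> DATE and TIME
            ts = datetime.strptime(value, "%d-%b-%Y %H:%M:%S.%f")
            rec["DATE"], rec["TIME"] = ts.strftime("%Y-%m-%d"), ts.strftime("%H:%M:%S")
        elif label in FIELD_MAP:
            rec[FIELD_MAP[label]] = value
        else:                         # e.g. "Password: ..." has no field of its own
            extra.append(line)
    rec["DATA"] = " ".join(extra)
    return rec
```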
Notes