IBM Tivoli Risk Manager, Version 4.1 Warehouse Enablement Pack, Version 1.1 Implementation Guide SC32-1301-01

IBM Tivoli Risk Manager, Version 4.1 Warehouse Enablement …publib.boulder.ibm.com/tividd/td/TRM/GC32-1301-01/en_US/... · 2006-11-10 · IBM Tivoli Risk Manager Warehouse Pack Implementation


IBM Tivoli Risk Manager, Version 4.1

Warehouse Enablement Pack, Version 1.1

Implementation Guide

SC32-1301-01


IBM Tivoli Risk Manager Warehouse Pack Implementation Guide


Note: Before using this information and the product it supports, read the information in "Notices" on page 39.

Second Edition (October 2003)

This edition applies to version 4, release 1 of IBM® Tivoli® Risk Manager and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright IBM Corporation 2003. All rights reserved. Note to U.S. Government Users Restricted Rights -- Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

ISO 9001 Certification

This product was developed using an ISO 9001 certified quality system.

Certification has been awarded by Bureau Veritas Quality International (BVQI) (Certification No. BVQI - 92086 / A).

BVQI is a world leader in quality certification and is currently recognized by more than 20 accreditation bodies.


Contents

IBM Tivoli Risk Manager, Version 4.1 .... 1
Warehouse Enablement Pack, Version 1.1 Implementation Guide .... 1
1 About this document .... 6
1.1 Related documentation .... 6
1.1.1 IBM Tivoli Risk Manager 4.1 .... 6
1.1.2 IBM Tivoli Risk Manager 4.2 .... 6
1.1.3 Tivoli Enterprise Data Warehouse .... 7
1.1.4 IBM DB2, DB2 Data Warehouse Center, and DB2 Warehouse Manager .... 8
2 Overview .... 9
2.1 Overview of Tivoli Enterprise Data Warehouse .... 9
2.2 Overview of IBM Tivoli Risk Manager warehouse enablement pack .... 10
2.2.1 Detailed mapping .... 11
3 Installing and configuring .... 12
3.1 Prerequisites .... 12
3.2 Supported hardware and software .... 12
3.3 Database sizing considerations .... 12
3.4 Data sources and targets .... 13
3.5 Pre-installation procedures .... 14
3.6 Installation procedure .... 14
3.7 Post-installation procedures .... 14
4 Maintaining .... 15
4.1 Backing up and restoring .... 15
4.2 Pruning .... 15
4.2.1 Central data warehouse .... 15
4.2.2 Data mart .... 15
4.3 Miscellaneous utilities .... 16
4.3.1 hrm_cdw_classcat_data.sql .... 16
4.3.2 hrm_cdw_reset_data.sql .... 16
4.3.3 hrm_mart_reset_data.sql and hrm_cdw_reset_etl2_extctl.sql .... 17
4.3.4 hrm_cdw_drop_data.sql .... 17
5 ETL processes .... 18
5.1 HRM_c05_Load_CDW_Process .... 18
5.1.1 HRM_c05_s010_Extract .... 18
5.1.2 HRM_c05_s020_Transform .... 18
5.1.3 HRM_c05_s030_Load_Comp .... 19
5.1.4 HRM_c05_s040_Load_Msmt .... 19
5.1.5 Exception handling .... 19
5.2 HRM_m05_Build_Mart_Process .... 20
5.2.1 HRM_m05_s010_Pre_Extract .... 20
5.2.2 HRM_m05_s020_Extract .... 20
5.2.3 HRM_m05_s030_Load .... 21
5.2.4 HRM_m05_s040_Rollup .... 22
5.2.5 HRM_m05_s050_Prune .... 22
5.2.6 HRM_m05_s060_Run_Report .... 22
6 Central data warehouse schema implementation .... 23
6.1 Component configuration .... 23
6.1.1 Component type (table CompTyp) .... 23
6.1.2 Component (table Comp) .... 23
6.1.3 Component relationship type (table RelnTyp) .... 24
6.1.4 Component relationship rule (table RelnRul) .... 24
6.1.5 Component relationship (table CompReln) .... 24
6.1.6 Attribute type (table AttrTyp) .... 25
6.1.7 Attribute rule (table AttrRul) .... 25
6.1.8 Attribute domain (table AttrDom) – This table is not used by Tivoli Risk Manager .... 25
6.1.9 Component attribute (table CompAttr) .... 26
6.2 Component measurement .... 27
6.2.1 Measurement group type (table MGrpTyp) .... 27
6.2.2 Measurement group (table MGrp) .... 27
6.2.3 Measurement group member (table MGrpMbr) .... 27
6.2.4 Measurement unit category (table MUnitCat) .... 27
6.2.5 Measurement unit (table MUnit) .... 27
6.2.6 Time summary (table TmSum) .... 28
6.2.7 Measurement source (table MSrc) .... 28
6.2.8 Measurement type (table MsmtTyp) .... 28
6.2.9 Component measurement rule (table MsmtRul) .... 28
6.2.10 Measurement (table Msmt) .... 28
6.3 Helper tables .... 29
6.3.1 Event category descriptions (table HRM.ClassCatDesc) .... 29
6.4 Exception tables .... 30
6.4.1 Exception log (table HRM.Exception_Log) .... 30
6.4.2 Error messages (table HRM.Error_Message) .... 30
6.5 Incremental extraction .... 31
7 Data mart schema information .... 32
7.1 Star schemas .... 32
7.1.1 HRM hourly Tivoli Risk Manager event star schema .... 32
7.1.1.1 Fact table HRM.F_Event_Hour .... 32
7.1.2 HRM daily Tivoli Risk Manager event star schema .... 32
7.1.2.1 Fact table HRM.F_Event_Day .... 33
7.1.3 HRM weekly Tivoli Risk Manager event star schema .... 33
7.1.3.1 Fact table HRM.F_Event_Week .... 33
7.1.4 HRM monthly Tivoli Risk Manager event star schema .... 33
7.1.4.1 Fact table HRM.F_Event_Month .... 34
7.2 Metric dimension tables .... 34
7.2.1 HRM.D_Event_Metric .... 34
7.3 Dimension tables .... 34
7.3.1 Dimension table HRM.D_CLASSCAT .... 34
7.3.2 Dimension table HRM.D_DST_HOST .... 34
7.3.3 Dimension table HRM.D_SRC_HOST .... 35
7.4 Data marts and reports .... 35
7.4.1 Tivoli Risk Manager data mart .... 35
7.4.1.1 Reports .... 35
7.4.1.1.1 Events by destination host – last 30 days .... 35
7.4.1.1.2 Events by destination and category – last 30 days .... 36
7.4.1.1.3 Access/authentication events – last 30 days .... 36
7.4.1.1.4 Service compromise events – last 30 days .... 37
7.4.1.1.5 Infection events – last 30 days .... 37
7.4.1.1.6 Policy/configuration events – last 30 days .... 37
7.4.1.1.7 Events by destination subnetwork – last 30 days .... 38
8 Notices .... 39
8.1 Trademarks .... 40

1 About this document

This document describes the warehouse enablement pack for IBM® Tivoli Risk Manager. It covers the following topics:

• Installing and configuring the warehouse pack

• The data flow and data structures used by the warehouse pack

With this warehouse pack, you can load Tivoli Risk Manager event data into the central data warehouse.

1.1 Related documentation

You can access many Tivoli® publications online using the Tivoli Information Center, which is available on the IBM Web site:

http://publib.boulder.ibm.com/tividd/td/tdprodlist.html

The following sets of documentation are available to help you understand, install, and manage this warehouse pack:

• IBM Tivoli Risk Manager (optional)

• Tivoli Enterprise™ Data Warehouse

• IBM DB2, DB2 Data Warehouse Center, and DB2 Warehouse Manager

The following sections list and briefly describe these libraries.

1.1.1 IBM Tivoli Risk Manager 4.1

The following Tivoli Risk Manager documents are useful for understanding the data that is generated and loaded into the Tivoli Enterprise Data Warehouse:

• IBM Tivoli Risk Manager Release Notes, GI11-0948

Provides the most up-to-date information about Tivoli Risk Manager, and lists hardware requirements and software prerequisites.

• IBM Tivoli Risk Manager User’s Guide, SC23-4822

Provides complete information about Tivoli Risk Manager administration and usage, including installation, configuration, operation, and database usage. Chapter 5, “Database”, describes in detail the database schema and database management used by Tivoli Risk Manager.

• IBM Tivoli Risk Manager Developer’s Guide, SC23-4821

Provides guidelines for developing new adapters that forward events to a Tivoli Risk Manager server, where the events are correlated and eventually stored in the database for future extraction to the warehouse.

• IBM Tivoli Risk Manager Adapters Guide, SC23-4823

Provides instructions to install, configure, and manage Tivoli Risk Manager adapters. Adapters are software programs that generate Risk Manager events that will eventually be stored in the Risk Manager archive and then loaded into the central data warehouse (CDW).

• IBM Tivoli Risk Manager Problem Determination Guide, SC23-4824

Provides problem determination processes and scenarios to assist in determining why Tivoli Risk Manager is malfunctioning.

1.1.2 IBM Tivoli Risk Manager 4.2

The following Tivoli Risk Manager documents are useful for understanding the data that is generated and loaded into the Tivoli Enterprise Data Warehouse:


• IBM Tivoli Risk Manager Release Notes, GI11-4214-00

Provides the most up-to-date information about Tivoli Risk Manager, and lists hardware requirements and software prerequisites.

• IBM Tivoli Risk Manager Administrator’s Guide, GC32-1323-00

Provides information on how to configure, and manage Tivoli Risk Manager. This guide also provides an overview for each Tivoli Risk Manager component.

• IBM Tivoli Risk Manager Installation Guide, GC32-1321-00

Provides information on planning your product deployment, including topics such as network topology and installing prerequisite software and describes how to install and configure the Tivoli Risk Manager product and components.

• IBM Tivoli Risk Manager Adapters Guide, GC32-1324-00

Provides instructions to install, configure, and manage Tivoli Risk Manager adapters. Adapters are software programs that generate Risk Manager events that will eventually be stored in the Risk Manager archive and then loaded into the central data warehouse (CDW).

• IBM Tivoli Risk Manager Problem Determination Guide, GC32-1322-00

Provides problem determination processes and scenarios to assist in determining why Tivoli Risk Manager is malfunctioning.

• IBM Tivoli Risk Manager Command Reference, GC32-1320-00

Provides information on the commands used to administer Tivoli Risk Manager.

1.1.3 Tivoli Enterprise Data Warehouse

The following Tivoli Enterprise Data Warehouse documents are available on the Tivoli Enterprise Data Warehouse Documentation CD:

• Tivoli Enterprise Data Warehouse Release Notes, GI11-0857

Provides late-breaking information about Tivoli Enterprise Data Warehouse and lists hardware requirements and software prerequisites.

• Installing and Configuring Tivoli Enterprise Data Warehouse, GC32-0744

Describes how Tivoli Enterprise Data Warehouse fits into your enterprise, explains how to plan for its deployment, and gives installation and configuration instructions. It provides an introduction to the built-in program for creating and running reports, and contains maintenance procedures and troubleshooting information.

• Enabling an Application for Tivoli Enterprise Data Warehouse, GC32-0745

Provides information about connecting an application to Tivoli Enterprise Data Warehouse. This book is for application programmers who use Tivoli Enterprise Data Warehouse to store and report on their application’s data, data warehousing experts who import Tivoli Enterprise Data Warehouse data into business intelligence applications, and customers who use their local data in the warehouse.

The following Tivoli Enterprise Data Warehouse Redbook is available from the IBM Redbooks Web site (http://www.redbooks.ibm.com):

• Introduction to Tivoli Enterprise Data Warehouse, SG24-6607

Provides a broad understanding of the Tivoli Enterprise Data Warehouse. Some of the topics that are covered in this redbook are: concepts, architecture, installation, tips for using the Reporting Interface, ETL, best practices in creating Data Marts, integration with major OLAP tools (such as Brio, Business Objects and Cognos PowerPlay), multi-customer (Service Provider) environments, operational considerations, and troubleshooting. Most of the topics are explained using real customer implementations.

1.1.4 IBM DB2, DB2 Data Warehouse Center, and DB2 Warehouse Manager

The DB2 library contains important information about the database and data warehousing technology provided by IBM DB2, DB2 Data Warehouse Center, and DB2 Warehouse Manager. Refer to the DB2 library for help in installing, configuring, administering, and troubleshooting DB2. The DB2 library is available on the IBM Web site:

http://www-3.ibm.com/software/data/db2/library/

After you install DB2, its library is also available on your system.

The following DB2 documents are particularly relevant for people working with Tivoli Enterprise Data Warehouse:

• IBM DB2 Universal Database for Windows Quick Beginnings, GC09-2971

Guides you through the planning, installation, migration (if necessary), and setup of a partitioned database system using the IBM DB2 product on Microsoft Windows.

• IBM DB2 Universal Database for UNIX Quick Beginnings, GC09-2970

Guides you through the planning, installation, migration (if necessary), and setup of a partitioned database system using the IBM DB2 product on UNIX.

• IBM DB2 Universal Database Administration Guide: Implementation, SC09-2944

Covers the details of implementing your database design. Topics include creating and altering a database, database security, database recovery, and administration using the Control Center, a DB2 graphical user interface.

• IBM DB2 Universal Database Data Warehouse Center Administration Guide, SC26-9993

Provides information on how to build and maintain a data warehouse using the Data Warehouse Center.

• IBM DB2 Warehouse Manager Installation Guide, GC26-9998

Provides the information to install the following Warehouse Manager components: Information Catalog Manager, warehouse agents, and warehouse transformers.

• IBM DB2 Universal Database and DB2 Connect Installation and Configuration Supplement, GC09-2957

Provides advanced installation considerations and guides you through the planning, installation, migration (if necessary), and setup of a platform-specific DB2 client. After the DB2 client is installed, you then configure communications for both the client and server, using the DB2 GUI tools or the Command Line Processor. This supplement also contains information on binding, setting up communications on the server, the DB2 GUI tools, DRDA™ AS, distributed installation, the configuration of distributed requests, and accessing heterogeneous data sources.

• IBM DB2 Universal Database Message Reference Volume 1, GC09-2978 and IBM DB2 Universal Database Message Reference Volume 2, GC09-2979

A list of the messages and codes issued by DB2, the Information Catalog Manager, and the Data Warehouse Center, and describes the actions you should take.

2 Overview

The following sections provide an overview of Tivoli Enterprise Data Warehouse and the IBM Tivoli Risk Manager warehouse pack.

2.1 Overview of Tivoli Enterprise Data Warehouse

Tivoli Enterprise Data Warehouse provides the infrastructure for the following:

• Extract, transform, and load (ETL) processes through the IBM DB2 Data Warehouse Center tool

• Schema generation of the central data warehouse

• Historical reporting

As shown in Figure 1, Tivoli Enterprise Data Warehouse consists of a centralized data store where historical data from many management applications can be stored, aggregated, and correlated.

Figure 1. Tivoli Enterprise Data Warehouse overview

The central data warehouse uses a generic schema that is the same for all applications. As new components or new applications are added, more data is added to the database; however, no new tables or columns are added in the schema.

A data mart is a subset of a data warehouse that contains data tailored and optimized for the specific reporting needs of a department or team.

The central data warehouse ETL reads the data from the operational data stores of the application that collects it, verifies the data, makes the data conform to the schema, and places the data into the central data warehouse.

The data mart ETL extracts a subset of data from the central data warehouse, transforms it, and loads it into one or more star schemas, which can be included in data marts to answer specific business questions.

A program that provides these ETLs is called a warehouse enablement pack, or warehouse pack.

The ETLs are typically scheduled to run periodically, usually during non-peak hours. If an ETL encounters data that it cannot correctly transform, it creates an entry in an exception table. Exception tables are described in “Exception tables” on page 30.

2.2 Overview of IBM Tivoli Risk Manager warehouse enablement pack

The IBM Tivoli Risk Manager warehouse pack aggregates event data from the Tivoli Risk Manager Archive Table (see the database chapter in the IBM Tivoli Risk Manager Administrator’s Guide). The warehouse pack aggregates events based on the same three key attributes (archive table column names in parentheses) used in Tivoli Risk Manager correlation:

• Event category (CLASS_CAT)

• Event source token (SRC_TOKEN), hostname (SRC_HOSTNAME) or IP address (SRC_IPADDR)

• Event target hostname (DST_HOSTNAME) or IP address (DST_IPADDR)

Every Tivoli Risk Manager event contains a value for the three attributes listed above. Each event is mapped to a host component in the central data warehouse, which has a parent-child relationship to an event component. Each event component has a measurement consisting of the number of events that occurred for that event against the parent host in a given hour.

The host component for an event is determined from the DST_HOSTNAME and DST_IPADDR archive columns. The event component is determined from the combination of CLASS_CAT and SRC_TOKEN. The event measurement is determined from the REPEAT_COUNT archive column, plus one, and then summed for all events matching on host component and event component over a full hour. In addition, host and event components are assigned attributes from the hostname and IP address values associated with each host and event.

The Tivoli Enterprise Data Warehouse data model for Tivoli Risk Manager events can be summarized as follows:

Host component (exactly one of the following three types, chosen as described in 2.2.1):

• IP_HOST, with attribute LAST_IP_ADDRESS

• IP_INTERFACE, with attribute HRM_DST_HOSTNAME

• HRM_HOST

Event component:

• HRM_EVENT, with attributes HRM_CLASSCAT, HRM_SRC_HOSTNAME and HRM_SRC_IPADDR

The host component is the parent of its event components through a PCHILD relationship.

2.2.1 Detailed mapping

Tivoli Risk Manager elements created in the central data warehouse tables are listed in Section 6, Central data warehouse schema implementation. Refer to that section while reading the following narrative description of how events are mapped into the central data warehouse:

1. If the target hostname is a fully qualified hostname, then it maps to a warehouse host component of type IP_HOST, with the component name coming from the archive column DST_HOSTNAME. Column DST_IPADDR, if not null, is assigned to attribute LAST_IP_ADDRESS.

a. If the above condition is not true, but the target IP address is a syntactically valid IP address, then the destination host maps to warehouse host component type IP_INTERFACE, with the component name coming from archive column DST_IPADDR. Column DST_HOSTNAME, if not null, is assigned to attribute HRM_DST_HOSTNAME.

b. If neither of the above conditions is true, but the target hostname is a syntactically valid short hostname, then it maps to warehouse host component type HRM_HOST, with component name coming from archive column DST_HOSTNAME.

2. For each unique host component in the warehouse, one or more event components of type HRM_EVENT are created, with the component name derived from the combination of CLASS_CAT and SRC_TOKEN columns in the archive table. SRC_TOKEN is simply the value of SRC_HOSTNAME, if not null; otherwise, the value of SRC_IPADDR. In addition, the columns CLASS_CAT, SRC_HOSTNAME and SRC_IPADDR, if not null, are assigned to HRM_EVENT attributes. The uniqueness of a HRM_EVENT component is determined from its component name (CLASS_CAT + SRC_TOKEN), and the parent host component ID in the Comp_Corr_ID column of the component record.

3. Finally, for each HRM_EVENT component, one or more measurements are created, which measure the number of times the event was targeted at a single host component in a single hour.


3 Installing and configuring

For detailed instructions to install this warehouse pack, see the installing data warehouse section of the IBM Tivoli Risk Manager 4.2 Installation Guide or the Tivoli Risk Manager Data Warehouse Readme file in this warehouse pack. Also, become familiar with the section “Installing warehouse packs” in Installing and Configuring Tivoli Enterprise Data Warehouse (GC32-0744).

3.1 Prerequisites

• IBM DB2 Universal Database 7.2, plus the following fixes:

  • IBM DB2 UDB 7.2 Fix Pack 6

  • Tivoli Enterprise Data Warehouse 1.1 Patch 2 (1.1-TDW-0002), which replaces DB2 files

• IBM Tivoli Risk Manager 4.1 or 4.2, Event Server component

• Tivoli Enterprise Data Warehouse 1.1, plus the following fixes and patches:

  • Tivoli Enterprise Data Warehouse 1.1 Fix Pack 2 (1.1-TDW-FP02)

3.2 Supported hardware and software

IBM Tivoli Risk Manager Warehouse Enablement Pack, Version 1.1, supports IBM Tivoli Risk Manager, Version 4.1 and 4.2. It supports specific versions of DB2, Microsoft SQL Server, Oracle, and Sybase database products as documented in the IBM Tivoli Risk Manager 4.2 Administrator’s Guide and IBM Tivoli Risk Manager 4.1 and 4.2 Release Notes.

For information about the hardware and software requirements of Tivoli Enterprise Data Warehouse, see the Tivoli Enterprise Data Warehouse Release Notes.

3.3 Database sizing considerations

Ensure that you have sufficient space in the central data warehouse (CDW) database for the historical data collected by this warehouse pack. The amount of data in the CDW database can vary greatly from one Tivoli Risk Manager installation to another. The greatest influence on how much data you will collect is the number and variety of Tivoli Risk Manager adapters feeding into your Tivoli Risk Manager server: more events from more adapters mean more measurements in the database.

To help determine database capacity requirements, first estimate the following parameters:

• The number of unique hosts in your enterprise, for example all the distinct dst_hostname and dst_ipaddr values in your archive table. These values will map to new or existing IP_HOST/IP_INTERFACE components in the CDW. The upper limit for this number should be the number of managed hosts in your enterprise, as in the number of hosts with Risk Manager adapters monitoring events.

• The number of unique combinations of class_cat + src_token, for each destination host/IP in your archive table. These values will map to HRM_EVENT components in the CDW. As an example, if all the adapters in your enterprise are antivirus adapters, then the event category (class_cat) for every event will be the same: VIRUS. The source host (src_token) for each VIRUS event will be the same as the destination host, which means that for each destination host in the archive table, there will be at most one unique combination of class_cat + src_token. If you have a Web server with a Web IDS adapter generating Tivoli Risk Manager events, then you would have an additional event category (WEB) to consider. In this case, the destination host would usually be the same for every event, but the number of unique source hosts for those Web events would depend on how many different hosts access this Web server. For a departmental Web server, the number would be relatively small (<20); for a public Internet server, the number is potentially very large (>1000). Therefore, you would need to add the number of estimated source hosts for this Web server to the HRM_EVENT parameter estimate.


• The number of hours in the day when an event combining a unique destination host, source host and event category occurs. These values will map to measurements in the CDW. The range for this number is between 0 and 24. For the antivirus adapter events, this number is likely to be small (1 or 2) because most viruses are detected in a single hour of the day when a virus scan is performed. For Web IDS events, the number would likely be higher because Web requests (and potential IDS events) occur throughout the day.

Use the values you found above in the table below to arrive at the total number of components and measurements stored in the database. The values given in the table below are sample values for an enterprise with six managed hosts, all with antivirus adapters, and one host with a Web IDS adapter.

Parameter                                                    | Value                 | Components                          | Measurements per Day
-------------------------------------------------------------|-----------------------|-------------------------------------|------------------------
Tivoli Risk Manager destination hosts                        | 6                     | 6 (IP_HOST, IP_INTERFACE, HRM_HOST) | N/A
Tivoli Risk Manager event category plus source host          | 6 (VIRUS) + 100 (WEB) | 106 (HRM_EVENT)                     | N/A
  combinations (one for each applicable destination host)    |                       |                                     |
Hours in the day (0-24) when a unique event occurs           | 2 (VIRUS), 22 (WEB)   | N/A                                 | 12 (VIRUS) + 2200 (WEB)
Totals                                                       |                       | 112                                 | 2212

To translate the above numbers to bytes of database storage, use the following multipliers:

• For each destination host: 150 bytes (Comp table) + 150 (CompAttr table)

• For each event category + source host combination: 150 bytes (Comp table) + 300 (CompAttr table) + 100 (CompReln table)

• For each daily measurement: 100 bytes (Msmt table) * Number of days of storage

Using the sample table above, the total storage required would be:

• Components (including attributes, relationships): 6 * 300 + 106 * 550 = 60 KB

• Measurements (for 6 months of data): 2212 * 100 * 6 * 30 = 39,816 KB

For practical purposes, the storage required for measurements far exceeds (several orders of magnitude) the storage required for components. The total database capacity required for the sample numbers given above would be approximately 40 MB.
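The sizing model above, written out as an added Python function so the same estimate can be rerun with your own parameters (this is not code from the guide or the warehouse pack). The byte multipliers and the sample values are the guide's; the parameter names are mine.

```python
# Byte multipliers from section 3.3 (storage per row written to the CDW tables).
COMP_BYTES = 150        # TWG.Comp row, one per component
HOST_ATTR_BYTES = 150   # TWG.CompAttr rows per destination host
EVENT_ATTR_BYTES = 300  # TWG.CompAttr rows per HRM_EVENT component
EVENT_RELN_BYTES = 100  # TWG.CompReln row per HRM_EVENT component
MSMT_BYTES = 100        # TWG.Msmt row, one per daily measurement


def estimate_cdw_storage(dst_hosts, event_combos, active_hours, days_retained):
    """Apply the section 3.3 sizing model.

    dst_hosts      distinct destination hosts (IP_HOST / IP_INTERFACE / HRM_HOST)
    event_combos   {category: class_cat + src_token combinations over all hosts}
    active_hours   {category: hours per day (0-24) in which such an event occurs}
    days_retained  days of measurements kept in the CDW
    """
    event_components = sum(event_combos.values())
    msmts_per_day = sum(n * active_hours[cat] for cat, n in event_combos.items())
    component_bytes = (dst_hosts * (COMP_BYTES + HOST_ATTR_BYTES)
                       + event_components * (COMP_BYTES + EVENT_ATTR_BYTES + EVENT_RELN_BYTES))
    msmt_bytes = msmts_per_day * MSMT_BYTES * days_retained
    return {
        "components": dst_hosts + event_components,
        "measurements_per_day": msmts_per_day,
        "component_bytes": component_bytes,
        "measurement_bytes": msmt_bytes,
        "total_mb": round((component_bytes + msmt_bytes) / 1_000_000, 1),
    }


# The guide's sample enterprise: six hosts with antivirus adapters, one of them
# also running a Web IDS adapter that sees about 100 distinct source hosts.
SAMPLE = dict(dst_hosts=6, event_combos={"VIRUS": 6, "WEB": 100},
              active_hours={"VIRUS": 2, "WEB": 22}, days_retained=6 * 30)

if __name__ == "__main__":
    for name, value in estimate_cdw_storage(**SAMPLE).items():
        print(f"{name:22} {value:>14,}")
```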

3.4 Data sources and targets

The data source for the Tivoli Risk Manager warehouse pack is the Tivoli Risk Manager Archive Table. The table is named rm_t_arc41 and is typically created in database tec. Note that the table and database name is in lowercase, which is significant only if the source database platform is Sybase. For the other database platforms, you may specify the table and database in uppercase or lowercase.

The Tivoli Risk Manager warehouse pack accesses the Tivoli Risk Manager Archive Table through an ODBC data source name (DSN). The pack requires that the DSN be named RMDB. If the Tivoli Risk Manager Reports (Crystal Reports) component is installed on the same system as the Tivoli Risk Manager warehouse pack, you may use the same RMDB DSN as that defined for the reports. If you need ODBC drivers, it is best to use the ones provided by the database vendor with the client software for the version of the database you are using.

3.5 Pre-installation procedures

1. Make sure that the Tivoli Enterprise Data Warehouse is installed. For instructions on installing the Tivoli Enterprise Data Warehouse, refer to Installing and Configuring Tivoli Enterprise Data Warehouse.

2. Make sure that all required product fix packs and patches are applied. See the IBM Tivoli Risk Manager 4.2 Installation Guide or the Tivoli Risk Manager Data Warehouse Readme file in this warehouse pack for details.

3. Make sure that IBM Tivoli Risk Manager is installed, and the RMDB data source is available.

3.6 Installation procedure

For general warehouse pack instructions, read the section “Installing warehouse packs” in Installing and Configuring Tivoli Enterprise Data Warehouse.

For deviations from the general instructions and more specific instructions to install the Tivoli Risk Manager Warehouse Enablement Pack, refer to the IBM Tivoli Risk Manager 4.2 Installation Guide or the Tivoli Risk Manager Data Warehouse Readme file in this warehouse pack.

3.7 Post-installation procedures

Read the section about getting started with Tivoli Enterprise Data Warehouse in the Installing and Configuring Tivoli Enterprise Data Warehouse guide to become familiar with the steps required to configure and schedule reports for a warehouse enablement pack. Before trying to run any warehouse pack processes, perform the following steps:

1. Change the database user ID and password for your source and target databases.

• From the Data Warehouse Center user interface, expand the Warehouse Sources and Warehouse Targets nodes in the left pane. You will see a list of HRM Source and Target databases. For each one:

  • Right-click the source or target, and select Change User ID and Password.

  • Change the user ID and password, if necessary, and then click OK.

2. Schedule the Tivoli Risk Manager ETL processes to run, by following the instructions in the IBM Tivoli Risk Manager 4.2 Installation Guide or the Tivoli Risk Manager Data Warehouse Readme file in this warehouse pack. Also see the section on scheduling your ETL steps in the Installing and Configuring Tivoli Enterprise Data Warehouse guide.

See the IBM Tivoli Risk Manager 4.2 Installation Guide or the Tivoli Risk Manager Data Warehouse Readme file in this warehouse pack for step-by-step post-installation procedures.


4 Maintaining

4.1 Backing up and restoring

When backing up the central data warehouse database (TWH_CDW), be sure to back up the following warehouse pack tables:

• HRM.ClassCatDesc

• HRM.Cust_Lookup

• HRM.Centr_Lookup

• HRM.Extract_Latency

• HRM.Error_Message

• HRM.Exception_Log

4.2 Pruning

For a complete discussion of pruning issues, see the section on removing old data from the central data warehouse in Installing and Configuring Tivoli Enterprise Data Warehouse.

4.2.1 Central data warehouse

Pruning of old measurements in the central data warehouse (TWH_CDW) is performed using the following enterprise data warehouse process:

• CDW_c05_PurgeMsmt_Process

You must schedule this process to run in order to prune old data. The process is not scheduled by default.

The age of Tivoli Risk Manager data to be pruned is determined by an entry in the TWG.Prune_Msmt_Control table in the TWH_CDW database. To display the current pruning threshold, execute the following SQL against the TWH_CDW database:

select pmsmtc_age_in_days from TWG.Prune_Msmt_Control where MSrc_Cd = 'HRM' and TmSum_Cd = 'H';

The value returned is a string that represents a date duration whose format is yyyymmdd. The default value for the Tivoli Risk Manager warehouse pack is ‘10000’, which represents one year.

To update the pruning threshold to 6 months, for example, execute the following SQL command:

update TWG.Prune_Msmt_Control set pmsmtc_age_in_days = '0600' where MSrc_Cd = 'HRM' and TmSum_Cd = 'H';

4.2.2 Data mart

Pruning of old measurements in the data mart (TWH_MART) is performed automatically during the Tivoli Risk Manager load data mart process:

• HRM_m05_Load_Mart_Process

The age of the Tivoli Risk Manager data to be pruned is determined by entries in the HRM.Prune_Mart_Control table in the TWH_MART database. The table contains one entry for each time-based fact table (hourly, daily, weekly, monthly). To display the current pruning thresholds, execute the following SQL against the TWH_MART database:

select * from HRM.Prune_Mart_Control;

The resulting output, with default values, should be similar to the following:


TABLE_NAME          PMARTC_DURATION
HRM.F_EVENT_HOUR    00000300
HRM.F_EVENT_DAY     00010000
HRM.F_EVENT_WEEK    00010000
HRM.F_EVENT_MONTH   00030000

The value returned in the PMARTC_DURATION column is a string that represents a date duration whose format is yyyymmdd.

The default prune control thresholds are: hourly – 3 months, daily – 1 year, weekly – 1 year, monthly – 3 years.

To update the pruning threshold for hourly data to 6 months, for example, execute the following SQL command:

update HRM.Prune_Mart_Control set PMartC_Duration = '0600' where Table_Name = 'HRM.F_EVENT_HOUR';

Table HRM.Prune_Mart_Log can be examined to see when and how many facts were pruned from each of the fact tables.
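An added Python example (not from the guide or the warehouse pack) that decodes the yyyymmdd duration strings held in TWG.Prune_Msmt_Control and HRM.Prune_Mart_Control and computes the cutoff date each threshold implies for a given run date, so an administrator can check what a change such as '0600' will actually prune. Modelling the subtraction on DB2 date arithmetic (years and months first, day clamped to month end, then days) is my assumption.

```python
import calendar
from datetime import date, timedelta

# Default data mart thresholds from HRM.Prune_Mart_Control (section 4.2.2). The CDW
# default in TWG.Prune_Msmt_Control for MSrc_Cd 'HRM' is '10000' (section 4.2.1).
DEFAULT_MART_THRESHOLDS = {
    "HRM.F_EVENT_HOUR": "00000300",
    "HRM.F_EVENT_DAY": "00010000",
    "HRM.F_EVENT_WEEK": "00010000",
    "HRM.F_EVENT_MONTH": "00030000",
}


def parse_duration(text):
    """Decode a yyyymmdd date duration string into (years, months, days).
    Leading zeros are optional: '10000' and '00010000' both mean one year."""
    years, rest = divmod(int(text), 10000)
    months, days = divmod(rest, 100)
    return years, months, days


def subtract_duration(day, text):
    """Return day minus the duration. Assumption: DB2 order of operations, i.e.
    years and months are subtracted first, the day-of-month is clamped to the
    end of the resulting month, and the days are subtracted last."""
    years, months, days = parse_duration(text)
    month_index = day.year * 12 + (day.month - 1) - years * 12 - months
    year, month0 = divmod(month_index, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return date(year, month0 + 1, min(day.day, last_day)) - timedelta(days=days)


def prune_cutoffs(run_date, thresholds=DEFAULT_MART_THRESHOLDS):
    """Oldest fact date each table keeps when the prune step runs on run_date."""
    return {table: subtract_duration(run_date, dur) for table, dur in thresholds.items()}


if __name__ == "__main__":
    for table, cutoff in prune_cutoffs(date.today()).items():
        print(f"{table:18} facts older than {cutoff} are pruned")
```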

4.3 Miscellaneous utilities

A set of miscellaneous database utilities is provided with this warehouse pack. These utilities are SQL command scripts that are located in the subdirectory <TWH_TOPDIR>/apps/hrm/v110/misc, where <TWH_TOPDIR> is the data warehouse installation directory. These utilities are not required for proper operation of the Tivoli Risk Manager warehouse enablement pack, but they are provided to help with database administration tasks.

Each script runs against either the central data warehouse (CDW) or the data mart database. To execute a script, you must first open a DB2 command window. From the Windows Start menu, select Programs -> IBM DB2 -> Command Window. Next, connect to the desired database (TWH_CDW or TWH_MART) using the following command (your user ID and password may be different):

db2 connect to TWH_CDW user db2admin using password

To execute the script, enter the following command from the DB2 command window:

db2 -tvf <script-file-name>

You will see each statement of the script displayed in the window, followed by a DB2 message indicating success or failure of the statement. If you see any errors, refer to IBM DB2 Universal Database Message Reference, Volume 1.

A description of each utility is contained in the following sections.

4.3.1 hrm_cdw_classcat_data.sql

This script initializes the event category description table (HRM.ClassCatDesc) in database TWH_CDW. It is not necessary to run this script during normal operations because the table will be populated as events are loaded into the CDW. However, normal operations will create entries only for event categories contained in the loaded events, which might not include all known categories. This script initializes the description table with all of the predefined Tivoli Risk Manager event categories.

You may also modify and run this script if you want to use non-English descriptions, or alternate English descriptions, for the event class categories. Do not modify the event category name field (CC_Name) in the script or you will encounter errors.

4.3.2 hrm_cdw_reset_data.sql

This script resets the central data warehouse database (TWH_CDW) by removing all Tivoli Risk Manager generated data, including measurements, component attributes, component relationships and HRM_EVENT and HRM_HOST components. Only the IP_HOST and IP_INTERFACE components that came from the Tivoli Risk Manager source database are not removed, as these cannot be uniquely associated with Tivoli Risk Manager and might have originated from another Tivoli Enterprise Data Warehouse application. This script also returns the extract control parameters for the CDW to the initial, post-installation state.

Use this script when you are testing the operation of the warehouse process HRM_c05_Load_CDW_Process.

4.3.3 hrm_mart_reset_data.sql and hrm_cdw_reset_etl2_extctl.sql

The first script resets the data mart database (TWH_MART) by removing all Tivoli Risk Manager generated data, including facts, dimension data, and all staging data. The second script resets the extract control parameters for the data mart ETL back to the initial, post-installation state. This script must be run against the CDW database (TWH_CDW) because that database is where the extract control parameters are stored. Running these two scripts returns the data mart database to the initial, post-installation state.

Use these two scripts when you are testing the operation of warehouse process HRM_m05_Build_Mart_Process.

4.3.4 hrm_cdw_drop_data.sql

This script removes all Tivoli Risk Manager static data from the central data warehouse (TWH_CDW). It puts the CDW into a state that existed before the Tivoli Risk Manager warehouse pack was installed. To reinitialize the Tivoli Risk Manager static data in the CDW, execute script hrm_cdw_data.sql in subdirectory <TWH_TOPDIR>/apps/hrm/v110/cdw/dml, where <TWH_TOPDIR> is the data warehouse installation directory.


5 ETL processes

This warehouse pack has the following processes:

• HRM_c05_Load_CDW_Process – loads the central data warehouse (CDW) with component and event data from the Tivoli Risk Manager archive table.

• HRM_m05_Build_Mart_Process – builds a data mart with four star schemas based on the Tivoli Risk Manager event counts aggregated hourly, daily, weekly and monthly.

5.1 HRM_c05_Load_CDW_Process

This process performs the complete central data warehouse ETL, loading all new Tivoli Risk Manager event data measurements into the central data warehouse. The process runs in four steps that are described below. The process is configured automatically to start with the first step and run each succeeding step if and only if the preceding step succeeds.

Run this process once after installing the warehouse pack and on a regular scheduled basis, typically once a day, during off-peak hours.

This process has the following steps:

5.1.1 HRM_c05_s010_Extract

Source: RMDB – archive table rm_t_arc41

Target: TWH_CDW – staging table HRM.Extract_Archive

This step transfers Tivoli Risk Manager event data from the Tivoli Risk Manager source database archive table (rm_t_arc41) to the central data warehouse (CDW) staging table, HRM.Extract_Archive. This step uses table TWG.Extract_Control to limit transfer of events to those events generated later than the time of the last extract. Table HRM.Extract_Latency is used to adjust the extract window so that the most recent events are not extracted if they fall within the latency value, in hours.

The archive table columns that are copied to the warehouse are: timestamp32, class_cat, class_cat_desc, src_token, src_hostname, src_ipaddr, dst_hostname, dst_ipaddr, repeat_count.

After events are transferred to the staging table, select columns are normalized:

• All leading and trailing blanks are removed from the event category, token, hostname and IP address fields

• All hostname and IP address fields are set to NULL if they contain an empty string or the value ‘N/A’

• Dst_IPAddr field is set to NULL if it contains the value ‘0.0.0.0’

• Src_Token field is assigned the value of Src_Hostname or Src_IPAddr, whichever is non-NULL

5.1.2 HRM_c05_s020_Transform

Source: TWH_CDW – staging table HRM.Extract_Archive

Targets: TWH_CDW – permanent table HRM.ClassCatDesc, staging tables HRM.Transform_Archive, HRM.Transform_Hosts, HRM.Transform_Events, HRM.Event_Msmts

This step converts staged Tivoli Risk Manager event data from HRM.Extract_Archive into several staging tables in preparation for loading into the CDW schema. The target staging tables are the following:


• HRM.Transform_Archive – contains one record for each raw Tivoli Risk Manager event, with new columns added to store the values of computed target and source component names, plus the date and hour of the event.

• HRM.Transform_Hosts – contains one record for each distinct destination host in all the processed Tivoli Risk Manager events. Each record maps to an IP_HOST, IP_INTERFACE or HRM_HOST component. Also stores the host component name and attributes as computed by this step.

• HRM.Transform_Events – contains one record for each distinct event category and source host in all the processed Tivoli Risk Manager events. Each record maps to a HRM_EVENT component. Also stores the source component name and attributes as computed by this step.

• HRM.Event_Msmts – contains one record for each new measurement to be added to the CDW. Measurements are aggregated by source and target components, as well as by hour.

In addition, this step updates the permanent event category description table (HRM.ClassCatDesc – see 6.3.1) with any new class categories that may have been received since the last time this step was executed.

During this step, events that contain insufficient data to store in the CDW are flagged and stored in the exception log table. Those same events are excluded from further processing and are output in the log file created by this step.

5.1.3 HRM_c05_s030_Load_Comp

Source: TWH_CDW – staging tables HRM.Transform_Hosts, HRM.Transform_Events

Target: TWH_CDW – tables TWG.Comp, TWG.CompReln, TWG.CompAttr

This step loads all staged component data into the CDW component tables. Each insert uses 'where not exists' logic to ensure that duplicate components or attributes are not inserted.

5.1.4 HRM_c05_s040_Load_Msmt

Source: TWH_CDW – staging table HRM.Event_Msmts

Target: TWH_CDW – table TWG.Msmt

This step loads all staged measurement data into the CDW measurement table: TWG.Msmt. If successful, it drops the staging table and updates the Extract Control table so that the next execution of this process will start with subsequently generated events.

5.1.5 Exception handling

Occasionally, Tivoli Risk Manager events might contain insufficient information in the DST_HOSTNAME or DST_IPADDR columns to classify the target host component of an event. In these cases, there is no way to assign a measurement, so these events are handled as exceptions. The ETL process writes key fields of the invalid events into the exception log, HRM.Exception_Log, and then removes the events from staging table, HRM.Extract_Archive.

Analyze the data in table HRM.Exception_Log and take corrective actions, if possible. Column Error_Code in the table indicates how the destination host attributes failed processing. One of 3 values is possible:

• NULL_DST_HOST – when the DST_HOSTNAME and DST_IPADDR columns are both NULL

• INV_DST_HOST – when the DST_IPADDR column is NULL and DST_HOSTNAME column does not begin with an alphabetic character

• INV_DST_IP – when the DST_HOSTNAME column is NULL and the DST_IPADDR column has an invalid IP address: ‘N/A’, ‘0.0.0.0’, non-numeric or not containing any decimal points.


The timestamp32 column in the exception table contains the latest value of timestamp32 in the Tivoli Risk Manager archive table for all invalid events that match the same event category, source, and destination host/IP parameters. There might be many source events that match these parameters, but they are not all stored in the exception table, although they are all deleted from the staging table, HRM.Extract_Archive.

If it is possible to modify the DST_HOSTNAME or DST_IPADDR columns in the source archive table, rm_t_arc41, then modify these columns so that they contain valid host component values. Contact your database administrator for assistance in performing this function. In the long run, it is advisable to correct the Tivoli Risk Manager adapter/sensor that is generating the invalid destination host data.
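The host mapping rules of section 2.2.1, the normalization of step 5.1.1 and the exception codes of section 5.1.5, brought together in an added Python model that is not part of this guide or of the warehouse pack (the pack itself implements them in SQL). The sample rows are constructed; the hostname patterns, treating timestamp32 as seconds since the epoch, and the error code chosen when both destination columns are present but unusable are my assumptions.

```python
import re
from collections import defaultdict

# Strings that the 5.1.1 step turns into NULL in hostname and IP address fields.
NULL_STRINGS = {"", "N/A"}
# Assumption: a short hostname begins with a letter (the INV_DST_HOST rule) and a
# fully qualified hostname additionally contains at least one dot between labels.
SHORT_HOST_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")
FQDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*(\.[A-Za-z0-9-]+)+$")


class HostException(Exception):
    """Destination host cannot be classified; carries the 5.1.5 Error_Code."""
    def __init__(self, code):
        super().__init__(code)
        self.code = code


def norm(value):
    """Strip blanks; an empty string or 'N/A' becomes NULL (None)."""
    if value is None:
        return None
    value = value.strip()
    return None if value in NULL_STRINGS else value


def normalize_row(row):
    """Apply the 5.1.1 rules to one archive row and return a normalized copy."""
    r = dict(row)
    for col in ("class_cat", "src_hostname", "src_ipaddr", "dst_hostname", "dst_ipaddr"):
        r[col] = norm(r.get(col))
    if r["dst_ipaddr"] == "0.0.0.0":
        r["dst_ipaddr"] = None
    r["src_token"] = r["src_hostname"] or r["src_ipaddr"]  # whichever is non-NULL
    return r


def is_valid_ip(text):
    """IP validity as 5.1.5 states it: not 'N/A' or '0.0.0.0', digits and dots
    only, and at least one decimal point."""
    return (text is not None and text not in ("N/A", "0.0.0.0")
            and "." in text and text.replace(".", "").isdigit())


def classify_host(dst_hostname, dst_ipaddr):
    """Rules 1, 1a and 1b of 2.2.1. Returns (component type, component name,
    attribute name, attribute value) or raises HostException with the error code."""
    if dst_hostname is None and dst_ipaddr is None:
        raise HostException("NULL_DST_HOST")
    if dst_hostname and FQDN_RE.match(dst_hostname):
        return "IP_HOST", dst_hostname, "LAST_IP_ADDRESS", dst_ipaddr
    if is_valid_ip(dst_ipaddr):
        return "IP_INTERFACE", dst_ipaddr, "HRM_DST_HOSTNAME", dst_hostname
    if dst_hostname and SHORT_HOST_RE.match(dst_hostname):
        return "HRM_HOST", dst_hostname, None, None
    # Assumption: if both columns are present but neither is usable, the IP is reported.
    raise HostException("INV_DST_HOST" if dst_ipaddr is None else "INV_DST_IP")


def load_cdw(rows):
    """Normalize, classify and aggregate archive rows as HRM_c05_Load_CDW_Process does.
    Assumption: timestamp32 is seconds since the epoch, so the hour is timestamp32 // 3600."""
    hosts, msmts, exceptions = {}, defaultdict(int), {}
    for raw in rows:
        r = normalize_row(raw)
        try:
            host_type, host_name, attr, attr_val = classify_host(r["dst_hostname"], r["dst_ipaddr"])
        except HostException as exc:
            # One exception row per (category, source, destination), keeping the latest timestamp32.
            key = (r["class_cat"], r["src_token"], r["dst_hostname"], r["dst_ipaddr"])
            latest = max(exceptions.get(key, (None, -1))[1], r["timestamp32"])
            exceptions[key] = (exc.code, latest)
            continue
        hosts[host_name] = (host_type, attr, attr_val)
        # Event component = CLASS_CAT + SRC_TOKEN; each event adds REPEAT_COUNT + 1 to its hour.
        event_name = (r["class_cat"], r["src_token"])
        msmts[(host_name, event_name, r["timestamp32"] // 3600)] += r["repeat_count"] + 1
    return {"hosts": hosts, "measurements": dict(msmts), "exceptions": exceptions}


# Constructed sample rows using rm_t_arc41 column names; not real archive data.
H10, H11 = 10 * 3600, 11 * 3600
SAMPLE_ARCHIVE_ROWS = [
    dict(timestamp32=H10 + 5, class_cat="VIRUS", src_hostname="ws01.example.com", src_ipaddr="10.0.0.5",
         dst_hostname="ws01.example.com", dst_ipaddr="10.0.0.5", repeat_count=0),
    dict(timestamp32=H10 + 900, class_cat="VIRUS ", src_hostname="ws01.example.com", src_ipaddr="10.0.0.5",
         dst_hostname=" ws01.example.com", dst_ipaddr="10.0.0.5", repeat_count=4),  # blanks stripped
    dict(timestamp32=H10 + 100, class_cat="WEB", src_hostname="N/A", src_ipaddr="192.0.2.44",
         dst_hostname=None, dst_ipaddr="10.0.0.80", repeat_count=0),  # target known only by IP
    dict(timestamp32=H11 + 100, class_cat="WEB", src_hostname="", src_ipaddr="192.0.2.44",
         dst_hostname="N/A", dst_ipaddr="10.0.0.80", repeat_count=1),  # next hour, new measurement
    dict(timestamp32=H10, class_cat="VIRUS", src_hostname="fileserv", src_ipaddr=None,
         dst_hostname="fileserv", dst_ipaddr="0.0.0.0", repeat_count=0),  # short name -> HRM_HOST
    dict(timestamp32=H10, class_cat="WEB", src_hostname=None, src_ipaddr="192.0.2.9",
         dst_hostname="N/A", dst_ipaddr="0.0.0.0", repeat_count=0),  # -> NULL_DST_HOST
    dict(timestamp32=H10, class_cat="WEB", src_hostname=None, src_ipaddr="192.0.2.9",
         dst_hostname="1badname", dst_ipaddr=None, repeat_count=0),  # -> INV_DST_HOST
    dict(timestamp32=H10, class_cat="WEB", src_hostname=None, src_ipaddr="192.0.2.9",
         dst_hostname=None, dst_ipaddr="1000", repeat_count=0),  # -> INV_DST_IP
]
```

Running load_cdw(SAMPLE_ARCHIVE_ROWS) yields three host components, four hourly measurements and three exception rows, one per error code.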

5.2 HRM_m05_Build_Mart_Process

This process performs the complete data mart ETL. It extracts new Tivoli Risk Manager measurements from the central data warehouse (CDW) and converts the measurements to facts in the Tivoli Risk Manager data mart database. The process also extracts new Tivoli Risk Manager host and event components, plus their attributes, from the CDW and converts the data to dimensions in the data mart. Finally, it prunes old facts from the data mart and runs any prepackaged reports that have been configured to run automatically. The process runs in six steps that are described below. The process is configured to start with the first step and run each succeeding step if and only if the preceding step succeeds.

This process is linked to the previous process (HRM_c05_Load_CDW_Process) through a warehouse shortcut, so that it starts automatically when the previous process completes successfully. Therefore, scheduling HRM_c05_Load_CDW_Process is sufficient to cause this process to run at the appropriate time.

This process has the following steps:

5.2.1 HRM_m05_s010_Pre_Extract

Source: TWH_CDW – tables TWG.MsmtTyp, TWG.MSrc

Target: TWH_CDW – staging table HRM.Event_Metric

This step reinitializes staging table HRM.Event_Metric in the CDW, creating a row for each Tivoli Risk Manager measurement type. The staging table has the same structure as the metric dimension table in the data mart database. This step by default enables minimum, maximum, average and total metrics for all measurements. In the hourly fact table, all measurement values for any hour are the same, but in the daily, weekly and monthly fact tables, the minimum, maximum and average values might be different from the total value.

5.2.2 HRM_m05_s020_Extract

Source: TWH_CDW – staging table HRM.Event_Metric, private table HRM.ClassCatDesc, warehouse tables TWG.Msmt, TWG.Comp, TWG.CompAttr

Target: TWH_MART – translation dimension tables HRM.T_Event_Metric, HRM.T_Dst_Host, HRM.T_Src_Host, and staging tables HRM.Stage_ClassCat, HRM.Stage_F_Event_Hour

This step adds new Tivoli Risk Manager event data from the central data warehouse (CDW) to staging tables and translation dimension tables in the Tivoli Risk Manager data mart. The staging tables are dropped and re-created each time this step is run. The translation dimension tables are permanent and have a structure exactly the same as their corresponding data mart dimension tables, but in addition contain information to identify the CDW (in a multi-CDW environment) where the data originated, as well as the original component and measurement IDs. Translation dimension tables are used to track IDs from the original CDW into the star schema so you can tell where the data actually came from when looking at a star schema.

The target staging and translation dimension tables are the following:


• HRM.Stage_ClassCat – contains all Tivoli Risk Manager event category descriptions defined in CDW table HRM.ClassCatDesc.

• HRM.T_Event_Metric – contains all Tivoli Risk Manager measurement types expressed as data mart metrics. Currently, Tivoli Risk Manager has only one metric – Event Count.

• HRM.T_Dst_Host – contains one record for each distinct destination host in all the processed Tivoli Risk Manager events. Each record maps from an IP_HOST, IP_INTERFACE or HRM_HOST component in the CDW. Each record also stores the hostname and IP address values from the LAST_IP_ADDRESS or HRM_DST_HOSTNAME attributes, if they exist. Finally, the table contains, for each host, the IP address represented as an integer, plus strings for the subnets represented by each portion of the dotted decimal IP address. Three source database (CDW) views and several staging/intermediate tables are used in this step to populate this table.

• HRM.T_Src_Host – contains one record for each distinct source host in all the processed Tivoli Risk Manager events. Each record maps from a HRM_EVENT component, and its corresponding HRM_SRC_HOSTNAME or HRM_SRC_IPADDR attribute, in the CDW.

• HRM.Stage_F_Event_Hour – contains one record for each new measurement added to the CDW. Each record contains foreign key integer fields pointing to the metric, event category, destination, and source host translation dimension tables.

Extract control is achieved by using the component and measurement IDs from the CDW tables. The ExtCtl_To_IntSeq value is set to the maximum ID currently in the CDW, as defined by an appropriate view. After the extraction is complete, this value is copied into ExtCtl_From_IntSeq to be used for the next extraction. The following table shows which tables and ID columns are used for extract control.

Target Tables (TWH_MART) | Source Tables (TWH_CDW)          | Source Table Views (TWH_CDW)                                   | Source Table Columns used for Extract Control (TWH_CDW) | Source Table Extract Control Views (TWH_CDW)
-------------------------|----------------------------------|----------------------------------------------------------------|---------------------------------------------------------|---------------------------------------------
HRM.T_Event_Metric       | HRM.Event_Metric                 | HRM.VD_Event_Metric                                            | Metric_ID                                               | HRM.VE_Event_Metric
HRM.T_Dst_Host           | TWG.Comp, TWG.CompAttr           | HRM.VD_Host_Dst_IP, HRM.VD_Host_Dst_NoIP, HRM.VD_Host_Dst_Name | Comp_ID                                                 | HRM.VE_Dst_Host
HRM.T_Src_Host           | TWG.Comp, TWG.CompAttr           | HRM.VD_Host_Src                                                | Comp_ID                                                 | HRM.VE_Src_Host
HRM.Stage_F_Event_Hour   | TWG.Msmt, TWG.Comp, TWG.CompAttr | HRM.VF_Stg_Evt_Hour                                            | Msmt_ID                                                 | HRM.VE_Event_Hour

5.2.3 HRM_m05_s030_Load

Source: TWH_MART – staging tables HRM.Stage_ClassCat, HRM.Stage_F_Event_Hour; translation dimension tables HRM.T_Event_Metric, HRM.T_Dst_Host, and HRM.T_Src_Host


Target: TWH_MART – fact table HRM.F_Event_Hour; dimension tables HRM.D_ClassCat, HRM.D_Event_Metric, HRM.D_Dst_Host, HRM.D_Src_Host

This step loads the dimension tables and the hourly fact table with Tivoli Risk Manager data from the translation dimension tables and the staging fact table. The translation dimension tables carry the IDs from the original CDW rows into the star schema, so that when you look at a star schema row you can tell where the data actually came from. Each insert uses 'where not exists' logic to ensure that duplicate dimension rows or facts are not inserted.

5.2.4 HRM_m05_s040_Rollup

Source: TWH_MART – tables HRM.Stage_F_Event_Hour, HRM.F_Event_Hour; TWH_MD – table IWH.STARSCHEMA

Target: TWH_MD – table RPI.SSUPDATED; TWH_MART – tables HRM.F_Event_Day, HRM.F_Event_Week, HRM.F_Event_Month

This step rolls up new hourly facts from the staging fact table into the daily, weekly, and monthly fact tables. Timestamps for daily/weekly/monthly facts are converted from GMT to local time to comply with the expectation of the Tivoli Enterprise Data Warehouse reporting interface (RPI). If new data is rolled up for any of the above tables, the appropriate star schema (hourly, daily, weekly, monthly) is indicated as updated in table RPI.SSUPDATED, which enables any prepackaged reports based on the updated schema to be automatically regenerated.
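The rollup described above, as an added example that is not the warehouse pack's own ETL code: hourly facts in the shape of HRM.F_Event_Hour are shifted from GMT to a local time zone, grouped by their dimension keys and local date, and aggregated into rows in the shape of HRM.F_Event_Day; a helper then reports which star schema should be flagged as updated in RPI.SSUPDATED. The local time zone (UTC-5), the sample rows and the rule for combining hourly averages are this example's assumptions, not something the page states.

```python
"""Roll hourly event facts up into daily facts, as HRM_m05_s040_Rollup does
for HRM.Stage_F_Event_Hour -> HRM.F_Event_Day. Added example, not the
warehouse pack's own ETL code; the fact row shapes follow the fact table
definitions in section 7.1. The local time zone and sample rows below are
constructed for the example."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone


@dataclass(frozen=True)
class HourFact:
    """One row in the shape of HRM.F_Event_Hour (meas_hour is GMT, naive)."""
    metric_id: int
    src_host_id: int
    dst_host_id: int
    classcat_id: int
    meas_hour: datetime
    min_value: float
    max_value: float
    avg_value: float
    total_value: float
    sample_count: float


@dataclass(frozen=True)
class DayFact:
    """One row in the shape of HRM.F_Event_Day (meas_date is local time)."""
    metric_id: int
    src_host_id: int
    dst_host_id: int
    classcat_id: int
    meas_date: date
    min_value: float
    max_value: float
    avg_value: float
    total_value: float
    sample_count: float


def to_local_date(meas_hour, local_tz):
    """Convert a naive GMT hour to the local calendar date the RPI expects."""
    return meas_hour.replace(tzinfo=timezone.utc).astimezone(local_tz).date()


def rollup_to_day(hour_facts, local_tz):
    """Aggregate hourly facts into one daily fact per dimension key and local date.

    Assumption (not stated on the page): the daily average is the
    sample-weighted mean of the hourly averages; min/max are the extremes of
    the hourly min/max; total and sample count are summed.
    """
    groups = defaultdict(list)
    for f in hour_facts:
        key = (f.metric_id, f.src_host_id, f.dst_host_id, f.classcat_id,
               to_local_date(f.meas_hour, local_tz))
        groups[key].append(f)

    day_facts = []
    for key, facts in sorted(groups.items()):
        samples = sum(f.sample_count for f in facts)
        weighted = sum(f.avg_value * f.sample_count for f in facts)
        day_facts.append(DayFact(
            *key,
            min_value=min(f.min_value for f in facts),
            max_value=max(f.max_value for f in facts),
            avg_value=weighted / samples if samples else 0.0,
            total_value=sum(f.total_value for f in facts),
            sample_count=samples,
        ))
    return day_facts


def updated_star_schemas(day_facts):
    """Schemas to flag in RPI.SSUPDATED: only those that received new rows."""
    return {"HRM Daily Risk Manager Event Star Schema"} if day_facts else set()


# Constructed sample: three hourly facts for one dimension key; the first two
# fall on the previous local day once GMT is shifted to UTC-5.
LOCAL_TZ = timezone(timedelta(hours=-5))
SAMPLE_HOURS = [
    HourFact(1, 7, 1, 3, datetime(2002, 11, 1, 3, 0), 2.0, 2.0, 2.0, 2.0, 1),
    HourFact(1, 7, 1, 3, datetime(2002, 11, 1, 4, 0), 1.0, 1.0, 1.0, 1.0, 1),
    HourFact(1, 7, 1, 3, datetime(2002, 11, 1, 12, 0), 4.0, 4.0, 4.0, 4.0, 1),
]

if __name__ == "__main__":
    for row in rollup_to_day(SAMPLE_HOURS, LOCAL_TZ):
        print(row)
```

The time zone conversion is done before grouping, which is the detail that matters: an hour at 03:00 GMT belongs to the previous local day at UTC-5, so grouping on the GMT date first and converting afterwards would put events in the wrong daily bucket.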

5.2.5 HRM_m05_s050_Prune

Source: TWH_MART – table HRM.Prune_Mart_Control

Target: TWH_MART – tables HRM.F_Event_Hour, HRM.F_Event_Day, HRM.F_Event_Week, HRM.F_Event_Month, HRM.Prune_Mart_Log

This step deletes facts from the hourly, daily, weekly, and monthly fact tables if the fact date is older than the prune control values. Prune control values are held in table HRM.Prune_Mart_Control and can be adjusted by the customer as desired. For the hourly fact table, adjustment is made for GMT but the other fact tables are in local time. The number of records deleted from each fact table is stored in permanent table HRM.Prune_Mart_Log.

5.2.6 HRM_m05_s060_Run_Report

Source: TWH_MART – table HRM.Stage_F_Event_Hour

Target: TWH_MD – table RPI.SSUPDATED

This step runs a user-defined program named runReport.sh, which is installed by Tivoli Enterprise Data Warehouse. The runReport.sh program looks for records inserted by the rollup step into the RPI.SSUPDATED table. If a record exists that identifies a star schema that has been updated, then the report execution engine runs all scheduled reports that have been created from that star schema. You can remove this step if you do not want the scheduled reports to run.


6 Central data warehouse schema implementation

Before reading this section, read about the generic schema for the Tivoli Enterprise Data Warehouse central data warehouse, which is described in Enabling an Application for Tivoli Enterprise Data Warehouse. That document defines the content of each table and explains the relationships between the tables in this document. Shaded columns in the following tables contain data that is translated. Installing and Configuring Tivoli Enterprise Data Warehouse contains instructions for installing support for additional languages.

6.1 Component configuration

6.1.1 Component type (table CompTyp)

CompTyp_Cd   | CompTyp_Parent_Cd | CompTyp_Nm *                         | CompTyp_Strt_DtTm          | CompTyp_End_DtTm
CHAR(17)     | CHAR(17)          | VARCHAR(120)                         | TIMESTAMP                  | TIMESTAMP
IP_HOST      | NULL              | IP Host                              | 2002-09-27-16.00.00.000000 | 9999-01-01-12.00.00.000000
IP_INTERFACE | NULL              | IP Interface                         | 2002-09-27-16.00.00.000000 | 9999-01-01-12.00.00.000000
HRM_HOST     | NULL              | Unqualified Tivoli Risk Manager Host | 2002-09-27-16.00.00.000000 | 9999-01-01-12.00.00.000000
HRM_EVENT    | NULL              | Tivoli Risk Manager Event            | 2002-09-27-16.00.00.000000 | 9999-01-01-12.00.00.000000

6.1.2 Component (table Comp)

Comp_ID | CompTyp_Cd   | Centr_Cd | Cust_ID | Comp_Corr_ID | Comp_Nm          | Comp_Corr_Val | Comp_Strt_DtTm             | Comp_End_DtTm              | Comp_Ds
INTEGER | CHAR(17)     | CHAR(6)  | INTEGER | INTEGER      | VARCHAR(254)     | VARCHAR(254)  | TIMESTAMP                  | TIMESTAMP                  | VARCHAR(254)
1       | IP_HOST      | CDW      | 1       |              | joe.ibm.com      |               | 2002-09-27-16.00.00.000000 | 9999-01-01-12.00.00.000000 |
2       | IP_INTERFACE | CDW      | 1       |              | 4.4.4.4          |               | 2002-09-27-16.00.00.000000 | 9999-01-01-12.00.00.000000 |
3       | HRM_HOST     | CDW      | 1       |              | ted              |               | 2002-09-27-16.00.00.000000 | 9999-01-01-12.00.00.000000 |
7       | HRM_EVENT    | CDW      | 1       | 1            | WEB-bob.ibm.com  |               | 2002-09-27-16.00.00.000000 | 9999-01-01-12.00.00.000000 |
9       | HRM_EVENT    | CDW      | 1       | 2            | DOS-bob.ibm.com  |               | 2002-09-27-16.00.00.000000 | 9999-01-01-12.00.00.000000 |
10      | HRM_EVENT    | CDW      | 1       | 2            | TROJ-jim         |               | 2002-09-27-16.00.00.000000 | 9999-01-01-12.00.00.000000 |
12      | HRM_EVENT    | CDW      | 1       | 2            | VIRUS-sally      |               | 2002-09-27-16.00.00.000000 | 9999-01-01-12.00.00.000000 |
17      | HRM_EVENT    | CDW      | 1       | 1            | DOS-fred.ibm.com |               | 2002-11-01-08.46.10.000000 | 9999-01-01-12.00.00.000000 |

6.1.3 Component relationship type (table RelnTyp)

RelnTyp_Cd | RelnTyp_Nm *
CHAR(6)    | VARCHAR(120)
PCHILD     | Parent Child Relation

6.1.4 Component relationship rule (table RelnRul)

CompTyp_Source_Cd | CompTyp_Target_Cd | RelnTyp_Cd | RelnRul_Strt_DtTm          | RelnRul_End_DtTm
CHAR(17)          | CHAR(17)          | CHAR(6)    | TIMESTAMP                  | TIMESTAMP
IP_HOST           | HRM_EVENT         | PCHILD     | 2002-09-27-16.00.00.000000 | 9999-01-01-12.00.00.000000
IP_INTERFACE      | HRM_EVENT         | PCHILD     | 2002-09-27-16.00.00.000000 | 9999-01-01-12.00.00.000000
HRM_HOST          | HRM_EVENT         | PCHILD     | 2002-09-27-16.00.00.000000 | 9999-01-01-12.00.00.000000

6.1.5 Component relationship (table CompReln)

CompReln_ID | Comp_Source_ID | Comp_Target_ID | RelnTyp_Cd | CompReln_Strt_DtTm         | CompReln_End_DtTm
INTEGER     | INTEGER        | INTEGER        | CHAR(6)    | TIMESTAMP                  | TIMESTAMP
1           | 1              | 7              | PCHILD     | 2002-11-01-08.46.10.000000 | 9999-01-01-12.00.00.000000
2           | 2              | 9              | PCHILD     | 2002-11-01-08.48.30.000000 | 9999-01-01-12.00.00.000000
3           | 2              | 10             | PCHILD     | 2002-11-01-08.49.30.000000 | 9999-01-01-12.00.00.000000
4           | 2              | 12             | PCHILD     | 2002-11-01-08.49.42.000000 | 9999-01-01-12.00.00.000000
5           | 1              | 17             | PCHILD     | 2002-11-01-08.46.42.000000 | 9999-01-01-12.00.00.000000

6.1.6 Attribute type (table AttrTyp)

AttrTyp_Cd       | AttrTyp_Nm *
CHAR(17)         | VARCHAR(120)
LAST_IP_ADDRESS  | Last IP Address
HRM_CLASSCAT     | Tivoli Risk Manager Event Category
HRM_SRC_HOSTNAME | Tivoli Risk Manager Event Source Hostname
HRM_SRC_IPADDR   | Tivoli Risk Manager Event Source IP Address
HRM_DST_HOSTNAME | Tivoli Risk Manager Event Destination Hostname

6.1.7 Attribute rule (table AttrRul)

CompTyp_Cd   | AttrTyp_Cd       | AttrRul_Strt_DtTm          | AttrRul_End_DtTm           | AttrRul_Dom_Ind
CHAR(17)     | CHAR(17)         | TIMESTAMP                  | TIMESTAMP                  | CHAR
IP_HOST      | LAST_IP_ADDRESS  | 2002-10-25-16.45.30.000000 | 9999-01-01-12.00.00.000000 | N
HRM_EVENT    | HRM_SRC_HOSTNAME | 2002-10-25-16.45.30.000000 | 9999-01-01-12.00.00.000000 | N
HRM_EVENT    | HRM_SRC_IPADDR   | 2002-10-25-16.45.30.000000 | 9999-01-01-12.00.00.000000 | N
HRM_EVENT    | HRM_CLASSCAT     | 2002-10-25-16.45.30.000000 | 9999-01-01-12.00.00.000000 | N
IP_INTERFACE | HRM_DST_HOSTNAME | 2002-10-25-16.45.30.000000 | 9999-01-01-12.00.00.000000 | N

6.1.8 Attribute domain (table AttrDom) – This table is not used by Tivoli Risk Manager

AttrDom_ID | CompTyp_Cd | AttrTyp_Cd | AttrDom_Strt_DtTm | AttrDom_End_DtTm | AttrDom_Val  | AttrDom_Ds
INTEGER    | CHAR(17)   | CHAR(17)   | TIMESTAMP         | TIMESTAMP        | VARCHAR(254) | VARCHAR(254)

6.1.9 Component attribute (table CompAttr)

CompAttr_ID | Comp_ID | AttrTyp_Cd       | CompAttr_Strt_DtTm         | CompAttr_End_DtTm          | CompAttr_Val
INTEGER     | INTEGER | CHAR(17)         | TIMESTAMP                  | TIMESTAMP                  | VARCHAR(254)
1           | 1       | LAST_IP_ADDRESS  | 2002-11-01-08.45.30.000000 | 9999-01-01-12.00.00.000000 | 1.1.1.1
2           | 2       | HRM_DST_HOSTNAME | 2002-11-01-08.45.40.000000 | 9999-01-01-12.00.00.000000 | sally
3           | 7       | HRM_SRC_IPADDR   | 2002-11-01-08.46.10.000000 | 9999-01-01-12.00.00.000000 | 2.2.2.2
4           | 7       | HRM_SRC_HOSTNAME | 2002-11-01-08.46.10.000000 | 9999-01-01-12.00.00.000000 | bob.ibm.com
5           | 7       | HRM_CLASSCAT     | 2002-11-01-08.46.10.000000 | 9999-01-01-12.00.00.000000 | WEB
6           | 9       | HRM_SRC_IPADDR   | 2002-11-01-08.48.30.000000 | 9999-01-01-12.00.00.000000 | 2.2.2.2
7           | 9       | HRM_SRC_HOSTNAME | 2002-11-01-08.48.30.000000 | 9999-01-01-12.00.00.000000 | bob.ibm.com
8           | 9       | HRM_CLASSCAT     | 2002-11-01-08.48.30.000000 | 9999-01-01-12.00.00.000000 | DOS
9           | 10      | HRM_SRC_HOSTNAME | 2002-11-01-08.49.30.000000 | 9999-01-01-12.00.00.000000 | Jim
10          | 10      | HRM_SRC_IPADDR   | 2002-11-01-08.49.30.000000 | 9999-01-01-12.00.00.000000 | 5.5.5.5
11          | 10      | HRM_CLASSCAT     | 2002-11-01-08.49.30.000000 | 9999-01-01-12.00.00.000000 | TROJ
12          | 12      | HRM_SRC_HOSTNAME | 2002-11-01-08.49.42.000000 | 9999-01-01-12.00.00.000000 | sally
13          | 12      | HRM_SRC_IPADDR   | 2002-11-01-08.49.42.000000 | 9999-01-01-12.00.00.000000 | 4.4.4.4
14          | 12      | HRM_CLASSCAT     | 2002-11-01-08.49.42.000000 | 9999-01-01-12.00.00.000000 | VIRUS

6.2 Component measurement

6.2.1 Measurement group type (table MGrpTyp)

MGrpTyp_Cd | MGrpTyp_Nm *
CHAR(6)    | VARCHAR(120)
CATEG      | Category
GROUP      | Aggregate Types or Group Functions
STATE      | State

6.2.2 Measurement group (table MGrp)

MGrp_Cd | MGrpTyp_Cd | MGrp_Parent_Cd | MGrp_Nm *
CHAR(6) | CHAR(6)    | CHAR(6)        | VARCHAR(120)
TOT_E   | GROUP      | NULL           | Total Value Exists

6.2.3 Measurement group member (table MGrpMbr)

MGrp_Cd | MGrpTyp_Cd | MsmtTyp_ID
CHAR(6) | CHAR(6)    | INTEGER
TOT_E   | GROUP      | 1

6.2.4 Measurement unit category (table MUnitCat)

MUnitCat_Cd | MUnitCat_Nm *
CHAR(6)     | VARCHAR(120)
QTY         | Quantity

6.2.5 Measurement unit (table MUnit)

MUnit_Cd | MUnitCat_Cd | MUnit_Nm *
CHAR(6)  | CHAR(6)     | VARCHAR(120)
QTY      | QTY         | Quantity

6.2.6 Time summary (table TmSum)

The period over which a measurement may be summarized.

TmSum_Cd | TmSum_Nm *
CHAR     | VARCHAR(120)
H        | Hourly
D        | Daily
W        | Weekly
M        | Monthly

6.2.7 Measurement source (table MSrc)

MSrc_Cd | MSrc_Parent_Cd | MSrc_Nm *
CHAR(6) | CHAR(6)        | VARCHAR(120)
Tivoli  | NULL           | Tivoli Application
HRM     | Tivoli         | IBM Tivoli Risk Manager

6.2.8 Measurement type (table MsmtTyp)

MsmtTyp_ID | MUnit_Cd | MSrc_Cd | MsmtTyp_Nm * | MsmtTyp_Ds *
INTEGER    | CHAR(6)  | CHAR(6) | VARCHAR(120) | VARCHAR(254)
1          | QTY      | HRM     | Event Count  | Number of Tivoli Risk Manager events.

6.2.9 Component measurement rule (table MsmtRul)

CompTyp_Cd | MsmtTyp_ID
CHAR(17)   | INTEGER
HRM_EVENT  | 1

6.2.10 Measurement (table Msmt)

Msmt_ID | Comp_ID | MsmtTyp_ID | TmSum_Cd | Msmt_Strt_Dt | Msmt_Strt_Tm | Msmt_Min_Val | Msmt_Max_Val | Msmt_Avg_Val | Msmt_Tot_Val | Msmt_Smpl_Cnt | Msmt_Err_Cnt
BIGINT  | INTEGER | INTEGER    | CHAR     | DATE         | TIME         | FLOAT        | FLOAT        | FLOAT        | FLOAT        | INTEGER       | INTEGER
1       | 7       | 1          | H        | 2002-11-01   | 12:00        |              |              |              | 2.0          |               |
2       | 9       | 1          | H        | 2002-11-01   | 12:00        |              |              |              | 1.0          |               |
3       | 10      | 1          | H        | 2002-11-01   | 12:00        |              |              |              | 2.0          |               |
4       | 12      | 1          | H        | 2002-11-01   | 12:00        |              |              |              | 1.0          |               |
5       | 17      | 1          | H        | 2002-11-01   | 12:00        |              |              |              | 1.0          |               |

6.3 Helper tables

6.3.1 Event category descriptions (table HRM.ClassCatDesc)

This table stores Event Category descriptions, mapped from the Event Category short name, which is an attribute of each HRM_EVENT component. This table will be useful to reporting applications to display a more descriptive string for each event class category.

ClassCat_Nm     | ClassCat_Ds
VARCHAR(16)     | VARCHAR(64)
WEB             | Web Attack
SERV            | Service Attack
VIRUS           | Virus Activity
SECACCESS       | Access Control
SECACCESS.ALLOW | Access Allowed
SECACCESS.DENY  | Access Denied
CONFIG          | Configuration Change
SECAUTH         | Authentication Activity
SECAUTH.ALLOW   | Authentication Allowed
SECAUTH.DENY    | Authentication Denied
SECPOLICY       | Security Policy
DOS             | Denial of Service
TROJ            | Trojan Horse
NETMAN          | Network Management Activity
EMAIL           | Email Activity
USER            | User-Level Activity
TDOS            | Targeted Denial of Service
SERVCMP         | Service Compromise
CMD             | Command Level Activity
IDSLEVEL        | IDS Level
NETLVL          | Network Level Attack
HOSTLVL         | Host-Level Activity
MISCLVL         | Miscellaneous Level
TOPLVL          | Category Top Level
STATECHG        | State Change
INSTALL         | Installation Activity
NOMAPPING       | Catchall Event, Uncategorized
RESOURCE        | Resource Alert
SYSERROR        | System Error

6.4 Exception tables

Events with insufficient destination host data are logged in the exception log (HRM.Exception_Log) and then removed from the event-staging table, HRM.Extract_Archive. Column Error_Code in the exception log is an identifier indicating how the destination host information was invalid. Error_Code is a foreign key into the error messages table (HRM.Error_Message), which contains a fuller description of the error, along with recommended recovery action. The description and recovery action are printed out in the log generated by the Transform step of the central data warehouse ETL Process.

6.4.1 Exception log (table HRM.Exception_Log)

The exception log stores key fields of extracted events that have insufficient destination host data to assign the event to one of the host component types: IP_HOST, IP_INTERFACE, HRM_HOST.

The following columns are defined in this table:

• Reported_DtTm TIMESTAMP – time when exception was logged in the process step log file

• Process_Nm VARCHAR(120) – ETL process that detected exception

• Step_Nm VARCHAR(120) – ETL process step that detected exception

• Table_Nm VARCHAR(120) – staging table containing invalid data

• Error_DtTm TIMESTAMP – time when exception was written to the exception log

• Error_Code VARCHAR (17) – type of exception; foreign key to Error Message table

• timestamp32 INTEGER – latest timestamp for all invalid source events from archive table matching on fields below

• class_cat VARCHAR (16) – event category value of invalid event from archive table

• src_hostname VARCHAR (128) – source hostname value of invalid event from archive table

• src_ipaddr VARCHAR (32) – source IP address value of invalid event from archive table

• dst_hostname VARCHAR (128) – destination hostname value of invalid event from archive table

• dst_ipaddr VARCHAR (32) – destination IP address value of invalid event from archive table

6.4.2 Error messages (table HRM.Error_Message)

The error message table stores exception conditions with descriptions and recovery actions.

Columns: Error_Cd VARCHAR(17), Error_Text VARCHAR(254), Error_Recovery VARCHAR(254)

NULL_DST_HOST
  Error_Text: Cannot resolve HOST component: NULL value in both dst_hostname and dst_ipaddr.
  Error_Recovery: Events are ignored. Examine archive table (RM_T_ARC41) in source database to look for NULL, empty string, N/A, or 0.0.0.0 values in DST_HOSTNAME and DST_IPADDR columns. Correct at source, if possible, and rerun ETL.

INV_DST_HOST
  Error_Text: Invalid host name value in dst_hostname.
  Error_Recovery: Events are ignored. Examine archive table (RM_T_ARC41) in source database to look for invalid values in DST_HOSTNAME column, such as an IP address, or name beginning with number. Correct at source, if possible, and rerun ETL.

INV_DST_IP
  Error_Text: Invalid IP address value in dst_ipaddr.
  Error_Recovery: Events are ignored. Examine archive table (RM_T_ARC41) in source database to look for invalid values in DST_IPADDR column. Only a dotted decimal string is permitted. Correct at source, if possible, and rerun ETL.
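The destination-host checks behind the three error codes above, as an added example that is not the warehouse pack's own Transform step: each extracted event's dst_hostname and dst_ipaddr are validated with the rules the Error_Recovery texts describe, accepted events are assigned a host component type, and rejects are collapsed into HRM.Exception_Log rows whose timestamp32 is the latest among events with the same key fields. Which valid name/address combination maps to IP_HOST, IP_INTERFACE or HRM_HOST is this example's assumption, modelled on the sample Comp rows in 6.1.2; the process and step names passed in, and the sample events, are constructed.

```python
"""Validate the destination host of an extracted event before it is mapped to
a CDW host component, mirroring the checks behind the HRM.Error_Message codes,
and build HRM.Exception_Log rows for the rejects. Added example, not the
warehouse pack's own Transform step.

Assumptions not stated on the page: qualified hostname -> IP_HOST, address with
no qualified name -> IP_INTERFACE, unqualified name only -> HRM_HOST (modelled
on the sample Comp rows in 6.1.2). The sample events below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

DOTTED_QUAD = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
NULL_LIKE = {"", "N/A", "0.0.0.0"}   # values the NULL_DST_HOST recovery text names


@dataclass(frozen=True)
class ArchiveEvent:
    """Key fields of one RM_T_ARC41 archive row."""
    timestamp32: int
    class_cat: str
    src_hostname: Optional[str]
    src_ipaddr: Optional[str]
    dst_hostname: Optional[str]
    dst_ipaddr: Optional[str]


def is_dotted_quad(text):
    """True only for a strict dotted-decimal IPv4 string with octets 0-255."""
    m = DOTTED_QUAD.match(text.strip())
    return bool(m) and all(int(o) <= 255 for o in m.groups())


def is_null_like(value):
    return value is None or value.strip().upper() in NULL_LIKE


def classify_dst_host(dst_hostname, dst_ipaddr):
    """Return ("OK", component type) or ("ERROR", Error_Cd)."""
    name_missing = is_null_like(dst_hostname)
    ip_missing = is_null_like(dst_ipaddr)
    if name_missing and ip_missing:
        return ("ERROR", "NULL_DST_HOST")
    if not ip_missing and not is_dotted_quad(dst_ipaddr):
        return ("ERROR", "INV_DST_IP")          # only a dotted decimal string is permitted
    if name_missing:
        return ("OK", "IP_INTERFACE")
    name = dst_hostname.strip()
    if is_dotted_quad(name) or name[0].isdigit():
        return ("ERROR", "INV_DST_HOST")        # an IP address, or a name beginning with a number
    if "." in name:
        return ("OK", "IP_HOST")
    return ("OK", "IP_INTERFACE") if not ip_missing else ("OK", "HRM_HOST")


def transform_batch(events, process_nm, step_nm, error_dttm):
    """Split events into accepted (event, component type) pairs and exception
    log rows. Rejects that share the same key fields and Error_Code collapse
    into one row whose timestamp32 is the latest of the group."""
    accepted, exceptions = [], {}
    for e in events:
        status, code = classify_dst_host(e.dst_hostname, e.dst_ipaddr)
        if status == "OK":
            accepted.append((e, code))
            continue
        key = (code, e.class_cat, e.src_hostname, e.src_ipaddr,
               e.dst_hostname, e.dst_ipaddr)
        row = exceptions.get(key)
        if row is None:
            exceptions[key] = {
                "Process_Nm": process_nm, "Step_Nm": step_nm,
                "Table_Nm": "HRM.Extract_Archive", "Error_DtTm": error_dttm,
                "Error_Code": code, "timestamp32": e.timestamp32,
                "class_cat": e.class_cat, "src_hostname": e.src_hostname,
                "src_ipaddr": e.src_ipaddr, "dst_hostname": e.dst_hostname,
                "dst_ipaddr": e.dst_ipaddr,
            }
        else:
            row["timestamp32"] = max(row["timestamp32"], e.timestamp32)
    return accepted, list(exceptions.values())


# Constructed sample events: two valid, two identical rejects that collapse
# into one NULL_DST_HOST row, one INV_DST_HOST and one INV_DST_IP.
SAMPLE_EVENTS = [
    ArchiveEvent(1036137970, "WEB", "bob.ibm.com", "2.2.2.2", "joe.ibm.com", "1.1.1.1"),
    ArchiveEvent(1036138110, "VIRUS", "sally", "4.4.4.4", "sally", "4.4.4.4"),
    ArchiveEvent(1036138200, "DOS", "bob.ibm.com", "2.2.2.2", None, "0.0.0.0"),
    ArchiveEvent(1036138260, "DOS", "bob.ibm.com", "2.2.2.2", None, "0.0.0.0"),
    ArchiveEvent(1036138300, "TROJ", "Jim", "5.5.5.5", "10.0.0.9", None),
    ArchiveEvent(1036138360, "SERV", "ted", None, "web01", "4.4.4"),
]

if __name__ == "__main__":
    ok, bad = transform_batch(SAMPLE_EVENTS, "cdw_process", "transform_step",
                              "2002-11-01-09.00.00.000000")
    print(len(ok), "accepted;", len(bad), "exception rows")
```

The validation is strict on purpose: an address such as 300.1.1.1 matches a loose dotted-decimal pattern but is rejected, and an empty or N/A field is treated the same as NULL, so the rows that reach the CDW host tables are the ones a report can safely group by.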

6.5 Incremental extraction

The Tivoli Risk Manager warehouse pack uses timestamps for extract control. The extract control parameters are stored in warehouse table TWG.Extract_Control, where ExtCtl_Source equals 'RM_T_ARC41' and ExtCtl_Target equals 'HRM.EXTRACT_ARCHIVE'. The timestamp of the last extract, stored in column ExtCtl_From_DtTm, is used to filter events for the next extract. The timestamp value is converted to an epoch time value (number of seconds since 1/1/1970) and stored in column ExtCtl_From_IntSeq. Column ExtCtl_From_IntSeq is copied to a temporary table in the source database. The ETL process extracts only events whose date_reception column – representing the time when the event was written to the archive – is equal to or later than this ExtCtl_From_IntSeq.

This warehouse pack uses one additional table for extract control, other than the default TWG.Extract_Control table. Table HRM.Extract_Latency contains a single record with a single column, Num_Hours, which defines the minimum age (in hours) of events that are extracted from the Tivoli Risk Manager source archive table. The default latency value is four hours. Customers can modify this value, but it is recommended not to set it to a value less than one hour. This latency value is subtracted from the current time, and the new value is converted to epoch time and stored in column ExtCtl_To_IntSeq of table TWG.Extract_Control. The ETL process extracts only events whose date_reception column is earlier than the ExtCtl_To_IntSeq value.

After the successful extraction, the old ExtCtl_To_DtTm and ExtCtl_To_IntSeq become the new ExtCtl_From_DtTm and ExtCtl_From_IntSeq, respectively.
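The extract-control cycle in both of its forms, as an added example that is not the warehouse pack's own ETL scripts: the timestamp window this section describes (ExtCtl_From_IntSeq from the last extract, ExtCtl_To_IntSeq from the current time minus HRM.Extract_Latency, the To values promoted to From after success) and the ID window the mart extract in 5.2.2 uses (ExtCtl_To_IntSeq set to the highest ID in the CDW). The clock value, archive rows and ID range are constructed; treating an ID window as exclusive of the previous To value is this example's assumption.

```python
"""Compute one incremental extract window: first in the timestamp form the
CDW extract uses (TWG.Extract_Control From/To DtTm and IntSeq, with the
HRM.Extract_Latency offset), then in the ID form the mart extract uses.
Added example; not the warehouse pack's own ETL scripts. The event rows,
clock value and ID range below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class ExtractControl:
    """The TWG.Extract_Control columns this example touches."""
    ext_ctl_source: str
    ext_ctl_target: str
    from_dttm: Optional[datetime] = None
    to_dttm: Optional[datetime] = None
    from_intseq: int = 0
    to_intseq: int = 0


def to_epoch(dt):
    """Seconds since 1970-01-01 for a naive timestamp taken to be GMT."""
    return int(dt.replace(tzinfo=timezone.utc).timestamp())


def open_timestamp_window(ctl, now, latency_hours):
    """Set ExtCtl_To_* to (now - latency); From_* stays at the last extract."""
    if latency_hours < 1:
        # The page recommends not going below one hour; this example refuses
        # lower values so late-arriving archive rows are not silently skipped.
        raise ValueError("Extract_Latency.Num_Hours below 1 is not recommended")
    ctl.to_dttm = now - timedelta(hours=latency_hours)
    ctl.to_intseq = to_epoch(ctl.to_dttm)
    return ctl


def select_by_reception(events, ctl):
    """Events whose date_reception lies in [From_IntSeq, To_IntSeq)."""
    return [e for e in events
            if ctl.from_intseq <= e["date_reception"] < ctl.to_intseq]


def commit_window(ctl):
    """After a successful extract the To values become the next From values."""
    ctl.from_dttm, ctl.from_intseq = ctl.to_dttm, ctl.to_intseq
    ctl.to_dttm = None
    return ctl


def open_id_window(ctl, max_id_in_cdw):
    """Mart extract control: the upper bound is the highest ID in the CDW view."""
    ctl.to_intseq = max_id_in_cdw
    return ctl


def select_by_id(rows, ctl):
    """Rows with From_IntSeq < id <= To_IntSeq. The From value was the top of
    the previous window and has already been extracted (assumption)."""
    return [r for r in rows if ctl.from_intseq < r["id"] <= ctl.to_intseq]


# Constructed sample data (all times GMT).
LAST_EXTRACT = datetime(2002, 11, 1, 8, 0, 0)
CLOCK_NOW = datetime(2002, 11, 1, 14, 0, 0)
ARCHIVE_EVENTS = [
    {"event_id": 1, "date_reception": to_epoch(LAST_EXTRACT) - 1},      # before From
    {"event_id": 2, "date_reception": to_epoch(LAST_EXTRACT)},          # equal to From: included
    {"event_id": 3, "date_reception": to_epoch(LAST_EXTRACT) + 3600},   # inside window
    {"event_id": 4, "date_reception": to_epoch(CLOCK_NOW) - 4 * 3600},  # equal to To: excluded
    {"event_id": 5, "date_reception": to_epoch(CLOCK_NOW) - 60},        # still inside the latency
]


def run_cdw_extract(latency_hours=4):
    """One CDW extract cycle: open the window, pick rows, commit the window."""
    ctl = ExtractControl("RM_T_ARC41", "HRM.EXTRACT_ARCHIVE",
                         from_dttm=LAST_EXTRACT, from_intseq=to_epoch(LAST_EXTRACT))
    open_timestamp_window(ctl, CLOCK_NOW, latency_hours)
    picked = [e["event_id"] for e in select_by_reception(ARCHIVE_EVENTS, ctl)]
    commit_window(ctl)
    return picked, ctl


if __name__ == "__main__":
    print(run_cdw_extract())
```

The window is half-open on the To side, which is what keeps the cycle gap-free: an event stamped exactly at To is left for the next run, whose From will equal that value and include it.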


7 Data mart schema information

The following sections contain the definition of star schemas, metric dimension tables, data marts, and reports provided with the IBM Tivoli Risk Manager warehouse pack.

Shaded columns in the following tables contain data that is translated. Installing and Configuring Tivoli Enterprise Data Warehouse contains instructions for installing support for additional languages.

7.1 Star schemas

Before using this section, read about the star schemas in Enabling an Application for Tivoli Enterprise Data Warehouse. That document defines the content of each table and explains the relationships between the tables in this document.

This warehouse pack provides the following star schemas.

7.1.1 HRM hourly Tivoli Risk Manager event star schema

The following table defines the star schema. The description of the star schema is translated.

Description of star schema (in IWH.STARSCHEMA): Tivoli Risk Manager Event Hourly Data
Name of fact table: HRM.F_Event_Hour
Name of metric dimension table: HRM.D_Event_Metric
Names of other dimension tables: HRM.D_Dst_Host, HRM.D_Src_Host, HRM.D_ClassCat

7.1.1.1 Fact table HRM.F_Event_Hour

Metric_ID INTEGER
Src_Host_ID INTEGER
Dst_Host_ID INTEGER
ClassCat_ID INTEGER
Meas_hour TIMESTAMP
Min_value DOUBLE
Max_value DOUBLE
Avg_value DOUBLE
Total_value DOUBLE
Sample_count DOUBLE

7.1.2 HRM daily Tivoli Risk Manager event star schema

The following table defines the star schema. The description of the star schema is translated.

Description of star schema (in IWH.STARSCHEMA): Tivoli Risk Manager Event Daily Data
Name of fact table: HRM.F_Event_Day
Name of metric dimension table: HRM.D_Event_Metric
Names of other dimension tables: HRM.D_Dst_Host, HRM.D_Src_Host, HRM.D_ClassCat

7.1.2.1 Fact table HRM.F_Event_Day

Metric_ID INTEGER
Src_Host_ID INTEGER
Dst_Host_ID INTEGER
ClassCat_ID INTEGER
Meas_date TIMESTAMP
Min_value DOUBLE
Max_value DOUBLE
Avg_value DOUBLE
Total_value DOUBLE
Sample_count DOUBLE

7.1.3 HRM weekly Tivoli Risk Manager event star schema

The following table defines the star schema. The description of the star schema is translated.

Description of star schema (in IWH.STARSCHEMA): Tivoli Risk Manager Event Weekly Data
Name of fact table: HRM.F_Event_Week
Name of metric dimension table: HRM.D_Event_Metric
Names of other dimension tables: HRM.D_Dst_Host, HRM.D_Src_Host, HRM.D_ClassCat

7.1.3.1 Fact table HRM.F_Event_Week

Metric_ID INTEGER
Src_Host_ID INTEGER
Dst_Host_ID INTEGER
ClassCat_ID INTEGER
Meas_date TIMESTAMP
Min_value DOUBLE
Max_value DOUBLE
Avg_value DOUBLE
Total_value DOUBLE
Sample_count DOUBLE

7.1.4 HRM monthly Tivoli Risk Manager event star schema

The following table defines the star schema. The description of the star schema is translated.

Description of star schema (in IWH.STARSCHEMA): Tivoli Risk Manager Event Monthly Data
Name of fact table: HRM.F_Event_Month
Name of metric dimension table: HRM.D_Event_Metric
Names of other dimension tables: HRM.D_Dst_Host, HRM.D_Src_Host, HRM.D_ClassCat

7.1.4.1 Fact table HRM.F_Event_Month

Metric_ID INTEGER
Src_Host_ID INTEGER
Dst_Host_ID INTEGER
ClassCat_ID INTEGER
Meas_date TIMESTAMP
Min_value DOUBLE
Max_value DOUBLE
Avg_value DOUBLE
Total_value DOUBLE
Sample_count DOUBLE

7.2 Metric dimension tables

This section describes the metric dimension tables used by the star schemas in this warehouse pack. Shaded columns in the following tables contain data that is translated. These column headings are also marked with an asterisk.

7.2.1 HRM.D_Event_Metric

Metric_ID | Met_category * | Met_desc *                                  | Met_name *   | Met_units *  | Min_exists | Max_exists | Avg_exists | Total_exists | Msrc_nm *
INTEGER   | VARCHAR(254)   | VARCHAR(254)                                | VARCHAR(254) | VARCHAR(254) | CHAR(1)    | CHAR(1)    | CHAR(1)    | CHAR(1)      | VARCHAR(254)
1         | N/A            | Number of Tivoli Risk Manager sensor events | Event Count  | QTY          | Y          | Y          | Y          | Y            | IBM Tivoli Risk Manager

7.3 Dimension tables

The following sections describe the dimension tables (other than metric dimension tables) used by the star schemas in this warehouse pack.

7.3.1 Dimension table HRM.D_CLASSCAT

The following columns are defined in this dimension table. This is the same information in CDW helper table HRM.ClassCatDesc.

• Class_Cat_ID INTEGER

• Class_Cat_Name VARCHAR(16)

• Class_Cat_Desc VARCHAR(64)

7.3.2 Dimension table HRM.D_DST_HOST

This dimension table contains attributes for each host identified as the target of a Tivoli Risk Manager event.

The following columns are defined in this dimension table.

• Comp_ID INTEGER not null – foreign key to component table

• Comp_Name VARCHAR(120)

• Customer_Name VARCHAR(120)

• Center_Name VARCHAR(120)

• Hostname VARCHAR(128)

• IP_Address VARCHAR(32)

• IP_Number BIGINT default 0 – for sorting by IP address

• IP_A_Subnet VARCHAR(32)

• IP_B_Subnet VARCHAR(32)

• IP_C_Subnet VARCHAR(32)
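How the IP_Number and IP_A/B/C_Subnet columns above are derived, as an added example that is not code from the warehouse pack: it covers both the HRM.T_Dst_Host translation step in 5.2.2 (the address "represented as an integer, plus strings for the subnets represented by each portion of the dotted decimal IP address") and this dimension table, and it sorts host rows the way the destination-subnetwork report in 7.4.1.1.7 orders them, by IP_Number rather than by the IP_Address string. The page does not state the exact format of the subnet strings; this example assumes the first one, two and three octets, and assumes a host with no usable address keeps the column default IP_Number 0 with empty subnet strings. The sample hosts are constructed.

```python
"""Derive the sortable IP_Number and the IP_A/B/C_Subnet strings that the
HRM.T_Dst_Host step computes and HRM.D_Dst_Host carries, and order host rows
as the "events by destination subnetwork" report does (by IP_Number, not by
the IP_Address string). Added example; not code from the warehouse pack.

Assumptions not stated on the page: IP_A/B/C_Subnet hold the first one, two
and three octets; a host with no usable address (missing, malformed, or
0.0.0.0) keeps IP_Number 0 and empty subnet strings. Sample hosts are
constructed."""
import re
from dataclasses import dataclass
from typing import Optional

DOTTED_QUAD = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


@dataclass(frozen=True)
class DstHostRow:
    """The address-related columns of one HRM.D_Dst_Host row."""
    comp_id: int
    hostname: Optional[str]
    ip_address: Optional[str]
    ip_number: int
    ip_a_subnet: str
    ip_b_subnet: str
    ip_c_subnet: str


def parse_octets(ip_address):
    """Return the four octets of a strict dotted-decimal IPv4 string, or None
    for anything else, including 0.0.0.0, which the transform treats as no
    address."""
    if ip_address is None:
        return None
    m = DOTTED_QUAD.match(ip_address.strip())
    if not m:
        return None
    octets = [int(o) for o in m.groups()]
    if any(o > 255 for o in octets) or not any(octets):
        return None
    return octets


def ip_to_number(ip_address):
    """Pack the octets big-endian into one integer (fits BIGINT; 0 if unusable)."""
    octets = parse_octets(ip_address)
    if octets is None:
        return 0
    number = 0
    for octet in octets:
        number = (number << 8) | octet
    return number


def subnet_strings(ip_address):
    """(IP_A_Subnet, IP_B_Subnet, IP_C_Subnet) for a usable address, else empty."""
    octets = parse_octets(ip_address)
    if octets is None:
        return ("", "", "")
    parts = [str(o) for o in octets]
    return (parts[0], ".".join(parts[:2]), ".".join(parts[:3]))


def build_dst_host_row(comp_id, hostname, ip_address):
    a, b, c = subnet_strings(ip_address)
    return DstHostRow(comp_id, hostname, ip_address, ip_to_number(ip_address), a, b, c)


def order_by_ip_number(rows):
    """Report ordering: numeric, so 9.x.x.x sorts before 10.x.x.x and hosts
    without an address (IP_Number 0) come first."""
    return sorted(rows, key=lambda r: r.ip_number)


# Constructed sample hosts; the first three mirror the Comp rows in 6.1.2.
SAMPLE_HOSTS = [
    build_dst_host_row(2, "sally", "4.4.4.4"),
    build_dst_host_row(1, "joe.ibm.com", "1.1.1.1"),
    build_dst_host_row(3, "ted", None),
    build_dst_host_row(4, None, "10.0.0.1"),
    build_dst_host_row(5, None, "9.0.0.1"),
]

if __name__ == "__main__":
    for row in order_by_ip_number(SAMPLE_HOSTS):
        print(row.ip_number, row.ip_address, row.ip_c_subnet)
```

Sorting on the string column would place 10.0.0.1 before 9.0.0.1; IP_Number exists precisely so the report's ORDER BY gives the numeric order a network operator expects.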

7.3.3 Dimension table HRM.D_SRC_HOST

This dimension table contains attributes for each host identified as the source of a Tivoli Risk Manager event.

The following columns are defined in this dimension table.

• Comp_ID INTEGER not null – foreign key to component table

• Comp_Name VARCHAR(120)

• Hostname VARCHAR(128)

• IP_Address VARCHAR(32)

7.4 Data marts and reports

This warehouse pack provides the following data marts.

7.4.1 Tivoli Risk Manager data mart

This data mart uses the following star schemas:

• HRM Hourly Risk Manager Event Star Schema

• HRM Daily Risk Manager Event Star Schema

• HRM Weekly Risk Manager Event Star Schema

• HRM Monthly Risk Manager Event Star Schema

7.4.1.1 Reports

This data mart provides the following prepackaged reports.

7.4.1.1.1 Events by destination host – last 30 days

This extreme case report ranks all hosts by the number of Tivoli Risk Manager events over the last 30 days.

Group By: Destination Host (HRM.D_Dst_Host.Comp_Name)

Aggregate Function: Total

Metric: Event Count

Star Schema: HRM Event Daily Star Schema

Start/End Time: Last 30 days from current date/time

Order By: Output of aggregation function

Order Type: Descending

SQL:
  SELECT sum(total_value), HRM.D_DST_HOST.COMP_NAME
  FROM HRM.D_CLASSCAT, HRM.D_DST_HOST, HRM.D_EVENT_METRIC, HRM.D_SRC_HOST, HRM.F_EVENT_DAY
  WHERE HRM.F_Event_Day.meas_date between (timestamp(current date - 30 days, '00.00.00')) and (timestamp(current date, '00.00.00'))
    AND HRM.D_SRC_HOST.COMP_ID = HRM.F_EVENT_DAY.SRC_HOST_ID
    AND HRM.D_CLASSCAT.CLASS_CAT_ID = HRM.F_EVENT_DAY.CLASSCAT_ID
    AND HRM.D_EVENT_METRIC.METRIC_ID = HRM.F_EVENT_DAY.METRIC_ID
    AND HRM.D_DST_HOST.COMP_ID = HRM.F_EVENT_DAY.DST_HOST_ID
  GROUP BY HRM.D_DST_HOST.COMP_NAME
  ORDER BY 1 desc
  fetch first 25 rows only

7.4.1.1.2 Events by destination and category – last 30 days

This extreme case report ranks all host/event categories by the number of Tivoli Risk Manager events over the last 30 days.

Group By: (1) Destination Host (HRM.D_DST_HOST.Comp_Name), (2) Event Category Description (HRM.D_CLASSCAT.Class_Cat_Desc)

Aggregate Function: Total

Metric: Event Count

Star Schema: HRM Event Daily Star Schema

Start/End Time: Last 30 days from current date/time

Order By: Output of aggregation function

Order Type: Descending

SQL:
  SELECT sum(total_value), HRM.D_DST_HOST.COMP_NAME, HRM.D_CLASSCAT.CLASS_CAT_DESC
  FROM HRM.D_CLASSCAT, HRM.D_DST_HOST, HRM.D_EVENT_METRIC, HRM.D_SRC_HOST, HRM.F_EVENT_DAY
  WHERE HRM.F_Event_Day.meas_date between (timestamp(current date - 30 days, '00.00.00')) and (timestamp(current date, '00.00.00'))
    AND HRM.D_SRC_HOST.COMP_ID = HRM.F_EVENT_DAY.SRC_HOST_ID
    AND HRM.D_CLASSCAT.CLASS_CAT_ID = HRM.F_EVENT_DAY.CLASSCAT_ID
    AND HRM.D_EVENT_METRIC.METRIC_ID = HRM.F_EVENT_DAY.METRIC_ID
    AND HRM.D_DST_HOST.COMP_ID = HRM.F_EVENT_DAY.DST_HOST_ID
  GROUP BY HRM.D_DST_HOST.COMP_NAME, HRM.D_CLASSCAT.CLASS_CAT_DESC
  ORDER BY 1 desc
  fetch first 25 rows only

7.4.1.1.3 Access/authentication events – last 30 days

This health check report compares the number of access and authentication events over the entire network, per day, over the last 30 days. There is one line (metric) in the graph for each of the following categories of events:

• SECAUTH.ALLOW

• SECACCESS.ALLOW

• SECAUTH.DENY

• SECACCESS.DENY

Group By: Event Category (HRM.D_CLASSCAT.Class_Cat_Name)

Aggregate Function: Total

Metric: Event Count

Star Schema: HRM Event Daily Star Schema

Start/End Time: Last 30 days from current date/time

SQL for Metric 1 (SECAUTH.ALLOW) (others are similar):
  select sum(total_value), meas_date
  from HRM.D_CLASSCAT, HRM.D_Event_Metric, HRM.F_Event_Day
  where HRM.F_Event_Day.Metric_ID = HRM.D_Event_Metric.Metric_ID
    and HRM.D_Event_Metric.met_name = 'Event Count'
    and HRM.F_Event_Day.ClassCat_ID = HRM.D_CLASSCAT.Class_Cat_ID
    and HRM.D_CLASSCAT.Class_Cat_Name = 'SECAUTH.ALLOW'
    and HRM.F_Event_Day.meas_date between (timestamp(current date - 30 days, '00.00.00')) and (timestamp(current date, '00.00.00'))
  group by meas_date
  order by meas_date ASC

7.4.1.1.4 Service compromise events – last 30 days

This health check report compares the number of service compromise events over the entire network, per day, over the last 30 days. There is one line for each of the following categories of events:

• WEB

• SERV

• SERVCMP

• DOS

• TDOS

Group By: Event Category (HRM.D_CLASSCAT.Class_Cat_Name)

Aggregate Function: Total

Metric: Event Count

Star Schema: HRM Event Daily Star Schema

Start/End Time: Last 30 days from current date/time

SQL: Similar to other health check reports for this data mart

7.4.1.1.5 Infection events – last 30 days

This health check report compares the number of infection events – viruses or “Trojan Horses” – over the entire network, per day, over the last 30 days. There is one line for each of the following categories of events:

• TROJ

• VIRUS

Group By: Event Category (HRM.D_CLASSCAT.Class_Cat_Name)

Aggregate Function: Total

Metric: Event Count

Star Schema: HRM Event Daily Star Schema

Start/End Time: Last 30 days from current date/time

SQL: Similar to other health check reports for this data mart

7.4.1.1.6 Policy/configuration events – last 30 days

This health check report compares the number of policy, configuration, and state change events over the entire network, per day, over the last 30 days. There is one line for each of the following categories of events:

• CONFIG

• SECADMIN

• SECPOLICY

• STATECHG


Group By: Event Category (HRM.D_CLASSCAT.Class_Cat_Name)

Aggregate Function: Total

Metric: Event Count

Star Schema: HRM Event Daily Star Schema

Start/End Time: Last 30 days from current date/time

SQL: Similar to other health check reports for this data mart

7.4.1.1.7 Events by destination subnetwork – last 30 days

This summary report breaks down all events by destination subnetworks and hosts, covering data from the last 30 days. The report shows both the total number of events within each grouping, as well as the peak (maximum) number of events for any hourly interval during the period covered by the report.

Group By:

• IP_A_Subnet

• IP_B_Subnet

• IP_C_Subnet

• IP_Number

• IP_Address

Aggregate Functions: total, max

Metric: Event Count

Star Schema: HRM Event Daily Star Schema

Start/End Time: Last 30 days from current date/time

Order By: IP_Number

Order Type: Ascending

SQL:

select max(max_value) as maxofmax_value, sum(total_value) as sumoftotal_value,
       HRM.D_Dst_Host.IP_A_Subnet, HRM.D_Dst_Host.IP_B_Subnet, HRM.D_Dst_Host.IP_C_Subnet,
       HRM.D_Dst_Host.IP_Number, HRM.D_Dst_Host.IP_Address, HRM.D_Event_Metric.met_name
from HRM.D_Dst_Host, HRM.D_Event_Metric, HRM.F_Event_Day
where HRM.F_Event_Day.Metric_ID = HRM.D_Event_Metric.Metric_ID
  and HRM.D_Event_Metric.met_name = 'Event Count'
  and HRM.F_Event_Day.Dst_Host_ID = HRM.D_Dst_Host.Comp_ID
  and HRM.F_Event_Day.meas_date between (timestamp(current date - 30 days, '00.00.00'))
                                    and (timestamp(current date, '00.00.00'))
group by HRM.D_Dst_Host.IP_A_Subnet, HRM.D_Dst_Host.IP_B_Subnet, HRM.D_Dst_Host.IP_C_Subnet,
         HRM.D_Dst_Host.IP_Number, HRM.D_Dst_Host.IP_Address, HRM.D_Event_Metric.met_name
order by HRM.D_Dst_Host.IP_Number, HRM.D_Event_Metric.met_name
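As an added example (not from the guide or the warehouse pack), the destination-host roll-up above run against a constructed in-memory SQLite model of the HRM Event Daily star schema: table and column names are taken from the query, while the sample rows and the SQLite date() window stand in for real mart data and the DB2 timestamp() expression. The optional extra_from argument makes a caveat concrete: a dimension listed in FROM without a join predicate multiplies every total by its row count, while max() is unaffected.

```python
import sqlite3

# Constructed sample data modelling the HRM Event Daily star schema (added
# example, not from the guide; table and column names follow the guide's
# 7.4.1.1.7 query, the hosts, dates and counts are made up).
SCHEMA = """
CREATE TABLE D_Event_Metric (Metric_ID INTEGER, met_name TEXT);
CREATE TABLE D_Dst_Host (Comp_ID INTEGER, IP_A_Subnet TEXT, IP_B_Subnet TEXT,
                         IP_C_Subnet TEXT, IP_Number INTEGER, IP_Address TEXT);
CREATE TABLE D_CLASSCAT (Class_Cat_Name TEXT);
CREATE TABLE F_Event_Day (meas_date TEXT, Metric_ID INTEGER, Dst_Host_ID INTEGER,
                          total_value INTEGER, max_value INTEGER);
INSERT INTO D_Event_Metric VALUES (1, 'Event Count'), (2, 'Other Metric');
INSERT INTO D_Dst_Host VALUES (10, '10', '10.1', '10.1.5', 167838981, '10.1.5.5'),
                              (11, '10', '10.1', '10.1.5', 167838982, '10.1.5.6');
INSERT INTO D_CLASSCAT VALUES ('TROJ'), ('VIRUS'), ('CONFIG');
-- One fact row per (day, metric, host): daily total and peak hourly value.
INSERT INTO F_Event_Day VALUES
  (date('now', '-2 days'),  1, 10, 40,  9),
  (date('now', '-1 days'),  1, 10, 60, 15),
  (date('now', '-1 days'),  1, 11,  5,  3),
  (date('now', '-45 days'), 1, 10, 999, 500),  -- outside the 30-day window
  (date('now', '-1 days'),  2, 10,  7,  7);    -- other metric, filtered out
"""


def build_mart():
    """Create the in-memory mart and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def events_by_dst_host(conn, extra_from=""):
    """Total and peak 'Event Count' per destination host over the last 30 days,
    following the guide's report query; DB2's timestamp(current date - 30 days,
    '00.00.00') is rendered with SQLite's date(). extra_from appends tables to
    the FROM list so the effect of an unjoined dimension can be observed."""
    sql = f"""
        SELECT MAX(f.max_value) AS maxofmax_value, SUM(f.total_value) AS sumoftotal_value,
               h.IP_A_Subnet, h.IP_B_Subnet, h.IP_C_Subnet, h.IP_Number, h.IP_Address
        FROM D_Dst_Host h, D_Event_Metric m, F_Event_Day f{extra_from}
        WHERE f.Metric_ID = m.Metric_ID AND m.met_name = 'Event Count'
          AND f.Dst_Host_ID = h.Comp_ID
          AND f.meas_date BETWEEN date('now', '-30 days') AND date('now')
        GROUP BY h.IP_A_Subnet, h.IP_B_Subnet, h.IP_C_Subnet, h.IP_Number, h.IP_Address
        ORDER BY h.IP_Number"""
    # Result shape: {IP_Address: (sumoftotal_value, maxofmax_value)}
    return {row[6]: (row[1], row[0]) for row in conn.execute(sql)}
```

Calling events_by_dst_host(conn, ", D_CLASSCAT") triples every total because the three category rows join to every fact row, which is the symptom to look for when a report's totals disagree with the fact table.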


8 Notices

This information was developed for products and services offered in the U.S.A.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, NY 10504-1785, U.S.A.

For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

IBM World Trade Asia Corporation Licensing 2-31 Roppongi 3-chome, Minato-ku Tokyo 106, Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions; therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact: IBM Corporation 2Z4A/101 11400 Burnet Road Austin, TX 78758 U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.


The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

All statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

8.1 Trademarks

IBM, the IBM logo, Tivoli, the Tivoli logo, DB2, Tivoli Enterprise, Tivoli Enterprise Console, Tivoli Ready, and TME are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both.

Lotus is a registered trademark of Lotus Development Corporation and International Business Machines Corporation in the United States or other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.

C-bus is a trademark of Corollary, Inc. in the United States, other countries, or both.

ActionMedia, LANDesk, MMX, Pentium, and ProShare are trademarks of Intel Corporation in the United States, other countries, or both. For a complete list of Intel trademarks, see http://www.intel.com/sites/corporate/tradmarx.htm.

SET and the SET Logo are trademarks owned by SET Secure Electronic Transaction LLC.

Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.

Other company, product, and service names may be trademarks or service marks of others.
