Troubleshooting Guide
Version 2.0
Internet Security Systems, Inc.
6303 Barfield Road
Atlanta, Georgia 30328-4233
United States
(404) 236-2600
http://www.iss.net
© Internet Security Systems, Inc. 1994-2003. All rights reserved worldwide. Customers may make reasonable numbers of copies
of this publication for internal use only. This publication may not otherwise be copied or reproduced, in whole or in part, by any
other person or entity without the express prior written consent of Internet Security Systems, Inc.

SiteProtector Version 2.0, Patent pending.

Internet Security Systems, the Internet Security Systems logo, The Power To Protect, X-Force, ADDME, Internet Scanner, System
Scanner, Database Scanner, ActiveAlert, X-Press Update, FlexCheck, SecurePartner, SecureU, Secure Steps, SiteProtector, and
RealSecure are trademarks and service marks, and SAFEsuite a registered trademark, of Internet Security Systems, Inc.
Network ICE, ICEpac, and ICEcap are trademarks, and BlackICE is a licensed trademark, of Network ICE Corporation, a
wholly owned subsidiary of Internet Security Systems, Inc. SilentRunner is a registered trademark of Raytheon Company.
Acrobat and Adobe are registered trademarks of Adobe Systems Incorporated. Certicom is a trademark and Security Builder is
a registered trademark of Certicom Corp. Check Point, FireWall-1, OPSEC, Provider-1, and VPN-1 are registered trademarks of
Check Point Software Technologies Ltd. or its affiliates. Cisco and Cisco IOS are registered trademarks of Cisco Systems, Inc.
HP-UX and OpenView are registered trademarks of Hewlett-Packard Company. IBM and AIX are registered trademarks of IBM
Corporation. Intel and Pentium are registered trademarks of Intel. Lucent is a trademark of Lucent Technologies, Inc. ActiveX,
Microsoft, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation. Net8, Oracle,
Oracle8, SQL*Loader, and SQL*Plus are trademarks or registered trademarks of Oracle Corporation. Seagate Crystal Reports,
Seagate Info, Seagate, Seagate Software, and the Seagate logo are trademarks or registered trademarks of Seagate Software
Holdings, Inc. and/or Seagate Technology, Inc. Secure Shell and SSH are trademarks or registered trademarks of SSH
Communications Security. iplanet, Sun, Sun Microsystems, the Sun Logo, Netra, SHIELD, Solaris, SPARC, and UltraSPARC are
trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries. All SPARC trademarks
are used under license and are trademarks or registered trademarks of SPARC International, Inc. in the United States and other
countries. Adaptive Server, SQL, SQL Server, and Sybase are trademarks of Sybase, Inc., its affiliates and licensers. Tivoli is a
registered trademark of Tivoli Systems Inc. UNIX is a registered trademark in the United States and other countries, licensed
exclusively through X/Open Company, Ltd. All other trademarks are the property of their respective owners and are used here
in an editorial context without intent of infringement. Specifications are subject to change without notice.

Copyright © Sax Software (terminal emulation only).

Disclaimer: The information contained in this document may change without notice, and may have been altered or changed if
you have received it from a source other than ISS or the X-Force. Use of this information constitutes acceptance for use in an
“AS IS” condition, without warranties of any kind, and any use of this information is at the user’s own risk. ISS and the X-Force
disclaim all warranties, either expressed or implied, including the warranties of merchantability and fitness for a particular
purpose. In no event shall ISS or the X-Force be liable for any damages whatsoever, including direct, indirect, incidental,
consequential or special damages, arising from the use or dissemination hereof, even if ISS or the X-Force has been advised of
the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental
damages, so the foregoing limitation may not apply.

Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by Internet Security Systems,
Inc. The views and opinions of authors expressed herein do not necessarily state or reflect those of Internet Security Systems,
Inc., and shall not be used for advertising or product endorsement purposes.

Links and addresses to Internet resources are inspected thoroughly prior to release, but the ever-changing nature of the Internet
prevents Internet Security Systems from guaranteeing the content or existence of the resource. When possible, the reference
contains alternate sites or keywords that could be used to acquire the information by other methods. If you find a broken or
inappropriate link, please send an email with the topic name, link, and its behavior to support@iss.net.

January 2003
Contents

Why Should I Read This Manual?
    Overview
    How to use RealSecure SiteProtector Documentation

Chapter 1: Solutions to Common Issues
    Overview
    Common Questions and Issues
    Installation/Uninstallation Issues
    Operational Issues

Chapter 2: Log File Diagnostics
    Overview
    Installation Logs
    Database Logs
    X-Press Update Logs
    Setting Logging Levels
    Viewing log4j RealSecure Application Server and RealSecure Sensor Controller Logs
    RealSecure Application Server Logs
    RealSecure Sensor Controller Logs
    RealSecure Sensor Controller Event Collector Log Files
    RealSecure Sensor Controller Internet Scanner Log Files
    RealSecure Sensor Controller Internet Scanner Databridge Log Files
    RealSecure Sensor Controller Network Sensor Log Files
    RealSecure Sensor Controller Server Sensor Log Files
    RealSecure Sensor Controller RealSecure Site Database Log File
    RealSecure Sensor Controller SiteProtector Core Log Files

Chapter 3: Diagnostic and Debugging Setup
    Overview
    Starting as a Java Application
    Setting up Runtime Logging for the SiteProtector Sensor Controller Service
    Setting up Run-Time Logging for the SiteProtector Application Server Service

Chapter 4: Database Schema
    Overview
    Grouping Schema
    Command and Control Schema
    Site Analysis Schema
    X-Force Schema
    Metrics Schema
    ITSRO Schema
    Statistics Schema
    Sensor Data Schema
    Site Filters Schema
    Staging Schema
    Auditing Schema
    Application Security Schema
    Complete Database Schema

Index

Why Should I Read This Manual?

Overview
Introduction This manual describes the diagnostic capabilities of SiteProtector. The diagnostic
capabilities are provided by the Sensor Controller Diagnostics console and the debug logs
for each component. The Sensor Controller Diagnostics console uses the log files
generated by the SiteProtector components.

Scope The following table lists and describes the purpose of each chapter in this manual:

Chapter                                     Purpose
Chapter 1: Solutions to Common Issues       Explains ways of responding to specific problems that you might encounter
Chapter 2: Log File Diagnostics             Explains the options for setting up the Sensor Controller Diagnostics console and how to activate run-time debugging for the RealSecure sensor controller and the RealSecure application server
Chapter 3: Diagnostic and Debugging Setup   Explains how to use the Sensor Controller Diagnostics console
Chapter 4: Database Schema                  Displays the SiteProtector Database schema

Audience This Guide is for network or security administrators or any other individuals responsible
for installing SiteProtector and managing network security.

How to use RealSecure SiteProtector Documentation


Related publications RealSecure SiteProtector relies on ISS’ proven technology, such as the Internet Scanner
application and RealSecure network and server sensors, to detect vulnerabilities and
intrusion events.

If you do not already have these products installed, you can install them after you have
installed SiteProtector. The installation and user guides for the products are either in the
SiteProtector box and on the SiteProtector CD, or they are also available for download as
.pdf files from ISS’ Web site at http://www.iss.net/customer_care/resource_center/online_doc.

The following is a list of the publications included with SiteProtector.

Title or type of documentation                                  Description
RealSecure SiteProtector Installation and Configuration Guide   Provides information about installing SiteProtector.
RealSecure Network Sensor Installation Guide                    Provides information about installing RealSecure network sensors.
RealSecure Server Sensor Installation Guide                     Provides information about installing RealSecure server sensors.
RealSecure Network Sensor Policy Guide                          Discusses policies available for RealSecure network sensors.
RealSecure Server Sensor Policy Guide                           Discusses policies available for RealSecure server sensors.
Internet Scanner Installation Guide                             Provides installation procedures and information for the Internet Scanner application.
Internet Scanner User Guide                                     Explains how to configure and use the Internet Scanner application to detect security vulnerabilities on your network.
Online documentation                                            SiteProtector documentation includes the System Requirements. Other online documentation describes specific tasks and procedures for SiteProtector, the Internet Scanner application, and RealSecure network and server sensors.

Chapter 1

Solutions to Common Issues

Overview
Introduction This chapter provides descriptions and solutions for some of the issues you may
encounter when working with SiteProtector. If the solutions provided in this chapter do
not address your issue, contact ISS Technical Support at support@iss.net or (1) (888)
447-4861.

In this chapter This chapter contains the following topics:

● Common Questions and Issues
● Installation/Uninstallation Issues
● Operational Issues


Common Questions and Issues


Introduction This topic provides descriptions and fixes for some common issues reported by
RealSecure SiteProtector customers. There can be a number of reasons why your system
malfunctions in a certain way. This section provides only some of the reasons, and
corresponding solutions.

Reference: For a detailed list of issues that SiteProtector customers have reported, see the
ISS Knowledgebase: http://iss.custhelp.com/cgi-bin/iss/login

Issue #1 Description: Why does the following error message appear?

Get files failed on Sensor #<sensor number>. 0 of 1 files transferred.
Get file <file name> failed. The current session user does not have
permission to perform the specified operation on the specified path.
Please edit the access control file on the remote server and add the
necessary permissions for the session.

This problem is due to an incorrect permission contained in the iss.access file of the
sensor’s daemon. SiteProtector issues the error message when you attempt to download
logs on a network sensor that is running on a Unix operating system. The error message
also appears for server sensors running on various operating systems.

Solution: To correct this issue:

1. Access the iss.access file in the issDaemon folder, and then modify the following
section in the file:
Note: The following text is only an example. The path on your computer may be
slightly different.

Before Edit:
[\Paths\opt\ISS\issSensors\network_sensor_1\Logs\];
ACL1 =S Role=Default FilePerms=RD DirPerms=R;

After Edit:
[\Paths\opt\ISS\issSensors\network_sensor_1\Logs\];
ACL1 =S Role=Default FilePerms=RD DirPerms=R Recursive;

2. Stop, and then restart the issDaemon service.
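
The following check is an added example, not part of the ISS guide or product: it parses an iss.access file and reports Logs path sections whose ACL entries lack the Recursive flag described in Issue #1, and lists where Recursive is already granted so the change can be kept to the Logs directories. The file grammar is assumed from the single excerpt above (bracketed path sections and ACL entries, each ended by a semicolon); the sample text and all function names are constructed for illustration.

```python
import re
import sys
from typing import NamedTuple

# Constructed sample in the layout of the excerpt above; not taken from a real sensor.
SAMPLE_ACCESS = r"""
[\Paths\opt\ISS\issSensors\network_sensor_1\Logs\];
ACL1 =S Role=Default FilePerms=RD
DirPerms=R;
[\Paths\opt\ISS\issSensors\server_sensor_1\Logs\];
ACL1 =S Role=Default FilePerms=RD DirPerms=R Recursive;
[\Paths\opt\ISS\issSensors\network_sensor_1\];
ACL1 =S Role=Default FilePerms=R DirPerms=R;
"""


class AclEntry(NamedTuple):
    section: str     # path section the entry belongs to
    name: str        # entry name, for example "ACL1"
    attrs: dict      # key=value attributes such as Role, FilePerms, DirPerms
    recursive: bool  # True when the bare "Recursive" flag is present


# Assumed entry shape: ACL<n> =<type> key=value ... [Recursive]
ACL_RE = re.compile(r"^(ACL\d+)\s*=\s*(\S*)\s*(.*)$", re.S)


def parse_access(text):
    """Split the file into ';'-terminated statements and collect ACL entries."""
    entries = []
    section = None
    for raw in text.split(";"):
        stmt = " ".join(raw.split())  # rejoin entries wrapped over several lines
        if not stmt:
            continue
        if stmt.startswith("[") and stmt.endswith("]"):
            section = stmt[1:-1]
            continue
        match = ACL_RE.match(stmt)
        if match and section is not None:
            tokens = match.group(3).split()
            attrs = dict(t.split("=", 1) for t in tokens if "=" in t)
            entries.append(
                AclEntry(section, match.group(1), attrs, "Recursive" in tokens)
            )
    return entries


def logs_missing_recursive(entries):
    """Entries on a Logs section that lack Recursive (the Issue #1 condition)."""
    return [
        e for e in entries
        if e.section.rstrip("\\").lower().endswith("\\logs") and not e.recursive
    ]


def recursive_grants(entries):
    """Sections where Recursive is granted, so its scope can be reviewed."""
    return sorted({e.section for e in entries if e.recursive})


if __name__ == "__main__":
    # Pass the path to iss.access as the first argument; without one the
    # constructed sample is checked instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as handle:
            text = handle.read()
    else:
        text = SAMPLE_ACCESS
    parsed = parse_access(text)
    for entry in logs_missing_recursive(parsed):
        print(f"{entry.section}: {entry.name} has no Recursive flag {entry.attrs}")
    for path in recursive_grants(parsed):
        print(f"Recursive access granted on {path}")
```

Run it against a copy of the file before and after the edit; the issDaemon service still has to be restarted for the change to take effect.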

Issue #2 Why do I get an “Out of Memory” error when I try to edit the global application list?

Description: If you import an application list with more than 8000-10000 entries into the
global application list or a policy, then an out of memory error can appear when you
attempt to edit the global application list.

Solution: Perform the following procedure:

1. Select Start → Run.
The Run window appears.
2. Type regedit in the Open box.
The Registry Editor application opens.

3. In the left pane, navigate the following path:
HKEY_LOCAL_MACHINE\SOFTWARE\ISS\CPE\Parameters
4. Edit the string value for MaxHeap to reflect the following:
-Xmx<size in megabytes>M
Note: ISS recommends that you start with a value of 128, and then increase if
necessary until the application runs. For example, type -Xmx128M to set the heap size
to 128 megabytes.

Issue #3 Why do my updates fail when I attempt to update policies?

Description: Using Named Instances within SQL Server 2000 can cause some updates to
fail if you are running a Custom Installation of SiteProtector. (Policy updates for Internet
Scanner, network sensor, and server sensor are most susceptible to this type of failure.)
When this happens, SiteProtector produces error messages, which state that the database
could not be reached or that the login failed.

Solution: To avoid this issue:

1. On the Application Server computer, open the Control Panel, and then double-click
Administrative Tools → Data Sources (ODBC).
The ODBC Data Source Administrator window opens.
2. Select the System DSN tab.
3. Click Add.
The Create New Data Source window opens.
4. Select SQL Server, and then click Finish.
The Create a New Data Source to SQL Server window opens.
5. In the Name field, type the following:
SiteProtectorAppServer
6. In the Server field, type your DNS Server name and instance using the following
format:
DBSERVER\InstanceName
7. Click Next.
8. Select With SQL Server authentication using a login ID and password entered by
user.
9. Type your user name in the Login ID field, and then type your password in the
Password field.
10. Click Next.
11. Select the Change Default Database to: check box, and then select RealSecureDB
from the drop down list.
12. Click Next, and then click Finish.
13. Click Test Connection to verify that the selected DSN works.
14. Click OK to complete the procedure.

Issue #4 How do I retrieve vulnerability information from a Deployment Manager that is located
outside my site?

Description: You can change the location from which the SiteProtector Console retrieves
vulnerability information by editing the Console preferences.

Solution: Perform the following steps to retrieve vulnerability information from a
Deployment Manager that is located outside your site:

1. On the menu bar of the SiteProtector Console, select Connection → Preferences →
Documentation.
2. Select Remote URL, and then type the following in the text box:
http://<server name>/ISS/rsspvuln/
3. Click OK.

Issue #5 Why won’t my network and/or server sensor communicate with SiteProtector?

Description: Although there can be many reasons for this, it may be because
network sensor 6.0/6.5 and server sensor 6.0/6.0.1/6.5 will not communicate with
SiteProtector if any of the SiteProtector Databridge sensors/scanners are installed. The
event log creates the following message when attempting to communicate with these
sensors:

ns60_ivysaur_w2k) - OnError from 172.16.3.69: The currently selected
provider does not support the requested cryptographic algorithm at the
selected strength/length. [ID=0xc7280003]

Solution: To avoid this issue, install network sensor 6.0/6.5 and server sensor 6.0/6.0.1/6.5
before you install Internet Scanner Databridge, ICEcap Databridge, or System Scanner
Databridge.

Issue #6 Why won’t my Desktop Controller Service start?

Description: Communication between your Desktop Controller and the SiteProtector
database requires a password. SiteProtector generates the original password at installation
time. If this password is changed, your SiteProtector database and Desktop Controller will
no longer be able to communicate.

Solution: The Desktop Controller password utility allows you to create a new password if
the original password is accidentally changed, deleted, or if your company policy requires
you to change your passwords periodically.

To change the password for your Desktop Controller:

1. Double-click DCLogin.exe.
DCLogin.exe resides on the computer where your Desktop Controller is installed,
and it is usually in the following location: C:\Program Files\ISS\RealSecure
SiteProtector\Desktop Controller
2. Type the login name into the Login box.
Note: This field already contains the current login name for the Desktop Controller. If
you don't plan to change the login name with the password, you can leave this field as
is.
3. Type the password into the Password box.
4. Type the password again into the Confirm box.

5. Click Save.
6. In the Site Manager, stop, and then restart the Desktop Controller.

Issue #7 Why won’t my Application Server Service and/or my Sensor Controller Service start?

Description: Communication between your Application Server/Sensor Controller and the
SiteProtector database requires a password. SiteProtector generates the original password
at installation time. If this password is changed, your SiteProtector database and
Application Server (and/or Sensor Controller) cannot communicate.

Solution: The Application Server password utility allows you to create a new password if
the original password is accidentally changed, deleted, or if your company policy requires
you to change your passwords periodically.

To change the password for your Sensor Controller and Application Server:

1. Select Start → Settings → Control Panel → Administrative tools → Services.
The Component Services window appears.
2. Right-click RealSecure SiteProtector Application Service, and then click Stop on the
pop-up menu.
3. Right-click RealSecure SiteProtector Sensor Controller Service, and then click Stop
on the pop-up menu.
4. Select Start → Programs → Accessories → Command Prompt.
The Command Prompt window appears.
5. Change to the "bin" directory under the directory where the Application Server is
installed.
For example, if the Application Server is installed in the default location, you should
type the following, and then press ENTER:
cd "C:\Program Files\ISS\RealSecure SiteProtector\Application Server\bin"
6. At the command prompt, type the following command:
instutil.bat -p <your new password>
7. Select Start → Settings → Control Panel → Administrative tools → Services.
The Component Services window appears.
8. Right-click RealSecure SiteProtector Application Service, and then click Start on the
pop-up menu.
9. Right-click RealSecure SiteProtector Sensor Controller Service, and then click Start
on the pop-up menu.

Issue #8 Why can’t I see my Desktop Protection agent in the SiteProtector Console?

Description: On the target computer (the computer where your Desktop Protector agent is
installed), verify that the executable, blackd.exe, is running. You can verify this on the
Processes tab in Windows Task Manager. If this process is not listed, you may need to limit
the final subdirectory in your Desktop Protection agent installation path to 17 characters
or less.

Solution: To limit the final subdirectory in your Desktop Protector agent installation path
to 17 characters or less:

1. Navigate to the root of the directory where the Desktop Protection agent is installed.
The default location is: \Program Files\ISS\issSensors\DesktopProtection
2. Double-click AgentRemove.exe.
3. In the Site Manager, select Sensor → Manage → Policy.
The Manage Policy window opens.
4. Select the appropriate policy.
This is the policy that was selected for the target computer.
5. Click View/Edit.
The Policy window opens.
6. Select Installation Configuration.
7. In the following fields, limit the final subdirectory in your Desktop Protector agent
installation path to 17 characters or less:
■ WinNT/2000 Install Path
■ Win 9x Install Path
8. Close the Policy window, saving the policy.
9. Right-click the group that contains the malfunctioning Desktop Protection agent, and
then select Desktop Protection → Generate Desktop Protection Build.
The Generate Desktop Protection Build window opens.
10. In the drop down menu, select the desired Desktop Controller, and then type a
description in the Description box.
11. Click OK.
12. After the Desktop Protection build is completed, navigate to the Desktop Protection
Build page in the target computer’s Web browser.
By default, this page is located on port 8085 of the computer where the Desktop
Controller resides.
13. Select the newly generated Desktop Protection build.
14. Select Open on the Download window.
The new agent build is installed.

Issue #9 How do I edit access permissions for the SiteProtector Console?

Description: When you install the SiteProtector Console, the file structure and the
application registry may not be accessible for some users and groups that have limited
access privileges.

Solution: To change SiteProtector Console access permissions (Windows 2000):

Note: You must be an administrator or user with access privileges that allow
modifications to the security settings for the SiteProtector Console installation.
Specifically, you must be able to change the file systems and registry settings that are
described in the following procedure:

1. Open Windows Explorer.
2. Navigate to the location where the SiteProtector Console is installed.
The default location is:
<drive letter>:\Program Files\ISS\RealSecure SiteProtector\Console
3. Right-click the Console folder, and then select Properties.
The folder’s properties window appears.
4. Select the Security tab.
5. Click Add.
The Select Users, Computers, or Groups window opens.
6. Select the users and/or groups for which you want to add permissions, and then click
Add.
7. Click OK.
The Select Users, Computers, or Groups window closes.
8. Select each user and/or group you added, and then ensure that they have, at least, the
following permissions:
For file folders:
■ Write
■ Read
■ List & Execute
■ Modify
For registry folders:
■ Read
9. Click Apply, and then click OK.
10. Open the registry editor program, regedt32.exe.
11. Select the window titled HKEY_LOCAL_MACHINE on Local Machine, and then
navigate the following path:
HKEY_LOCAL_MACHINE\Software\ISS\SiteProtector
12. Select the Console folder, and then select Security → Permissions on the menu bar.
The Permissions for Console window opens.
13. Click Add.
The Select Users, Computers, or Groups window opens.
14. Select the users and/or groups for which you want to add permissions, and then click
Add.
15. Click OK.
16. The Select Users, Computers, or Groups window closes.
17. Click OK to complete the operation.

Installation/Uninstallation Issues
Introduction This topic provides solutions to issues that you might encounter when installing or
uninstalling RealSecure SiteProtector components.

Installing SiteProtector manually
Description: Installing SiteProtector manually.

Solution: You can install SiteProtector manually rather than installing SiteProtector with
the Basic or Custom installation method. The individual packages for install are found in
the Setup folder, which is located at the root of the RealSecure SiteProtector CD.

Install the packages in the following order:

● EnterpriseDatabase
● EventCollector
● ApplicationServer
● Console

issApp login already exists
Description: While installing the RealSecure application server, an error states that the
Application Server login issApp already exists; then, the installation process is
terminated.

Explanation: This usually occurs when you attempt to install the RealSecure application
server over an unsuccessful uninstallation. If the RealSecure application server or
RealSecure sensor controller services cannot be stopped during the uninstallation process,
the issApp login is still in use and cannot be deleted from the database.

Solution: To fix this problem, do the following:

1. Make sure both services (or applications, if running as such) are stopped.
2. Use SQL Server 2000 Enterprise Manager to manually delete the existing issApp
login, which is located in the /Security folder for the RealSecure Site database.

Event collector login cannot be deleted
Description: While uninstalling the event collector, an error states that the
EventCollector_<machine> login cannot be deleted because the service is running; then,
the uninstallation process terminates.

Solution: The two ways to handle this are as follows:

● If you are uninstalling the RealSecure Site database, ignore this message and uninstall
the database; then, repeat the uninstallation process for the event collector.
● If you are not uninstalling the RealSecure Site database, stop the issDaemon service
and repeat the event collector uninstallation process. If the uninstallation process
proceeds, but you are warned that the login still exists, use the SQL Server 2000
Enterprise Manager to manually delete the existing EventCollector_<machine>
login, located in the Security folder for the RealSecure Site database.

Additional event collector encryption
Description: When you install an additional event collector, the encryption is not initially
set.

Solution: After installing an additional event collector, you must stop, and then restart it to
set encryption.

To stop, and then restart an event collector:

1. Select the root group in the Site Manager group tree.
2. Select the Sensor tab.
3. Set the Show/Hide subtree button to Show if it is not already set.
4. Right-click the event collector you want to restart.
A pop-up menu appears.
5. Select Event Collector → Stop.
When the event collector is stopped, the value in the Status column reads Stopped.
6. Right-click the event collector after it stops.
A pop-up menu appears.
7. Select Event Collector → Start.
When the event collector starts, the value in the Status column reads Active.

Can’t stop the event collector
Description: You have removed the application server and the console, but can’t stop the
event collector.

Solution: The two ways to handle this are as follows:

■ Remove the RealSecure database first.
■ If you aren’t removing the RealSecure database, contact ISS Technical Support for
assistance with manually stopping the event collector.

Database in use error
Description: While uninstalling the RealSecure Site database, an error states that the
database is in use.

Solution: Use the SQL Server 2000 Enterprise Manager to manually kill all processes
associated with the RealSecure Site database; then, proceed with uninstalling the
database.

Operational Issues
Introduction This topic provides solutions to issues that you might encounter when operating
RealSecure SiteProtector.

Cannot log into SiteProtector
Description: When I try to log on to SiteProtector, the following Certificate
Incompatibility window appears before I am prompted for my username and password.
What should I do?

Explanation: The Certificate Incompatibility window appears when a user attempts to
connect to the server and the certificate validation process determines a discrepancy in the
certificate assigned to the server.

Solution: Record the information displayed in the Certificate Incompatibility window
and contact your System Administrator to determine if the certificates have been updated.

● If your System Administrator confirms that they have updated the certificates, click
Valid. The newly-updated certificate will replace the previous certificate in the key
store for that server.
● If your System Administrator verifies that they have not updated certificates, then
click Invalid. The System Administrator should then contact ISS Technical Support
for assistance.

Warning: The purpose of certificates is to alert you to attacks. Accepting an unknown


certificate could make you vulnerable to attacks.

Software query on host returns no entries
Description: After adding a host, querying the host for software returns no entries.

Solution: Check to make sure the signature verification for the sensor is not failing. The
sensor should appear in the Application log portion of the Event Viewer for the
issDaemon on the host where the sensor is located.

Missing or invalid license key errors
Description: After you add a license key through the SiteProtector console, the features do
not appear, but errors related to a missing or invalid license key do.

Explanation: The RealSecure sensor controller polls for license changes every 60 seconds,
so the change may not appear immediately.

Solution: Wait 60 seconds and then open the Add License window again to see if the
feature columns are populated. If the feature columns are populated, the license key has
been successfully imported.

Note: If you add license keys through the Sensor Controller Diagnostics console, the
effect is immediately apparent.

SiteProtector is not collecting scanner data
Description: You reinstalled Internet Scanner, and you are no longer collecting data.

Solution: You must also reinstall the Internet Scanner Databridge because the Internet
Scanner Databridge registers some of the Internet Scanner DLLs.

Your Event Collector password was deleted or has expired
Description: Your event collector username/password was accidentally deleted, changed,
or has expired. The encryption authentication between the event collector and the site
database is no longer valid.

Solution: You must generate a new set of keys by re-generating the user account. Contact
ISS Technical Support for assistance.

Sensor status is “Unknown” or “Not Responding”
Description: The SiteProtector console displays an “Unknown” or “Not Responding”
status for one or more sensors.

Under normal conditions, a sensor's status should be “Active” or “Stopped” if the sensor
is not assigned to an event collector. If the sensor is assigned to an event collector, the
status should be “Active” (if the sensor is currently connected to an event collector) or
“Offline” (if the event collector is unable to connect to the sensor).

Solution: This is probably the result of a missing or invalid SiteProtector authentication
key on the sensor computer. To verify that this is the problem, go to the Keys folder on the
sensor computer. Typical folders include the following:

Product                      Folder
Internet Scanner             C:\Program Files\ISS\Scanner6\Keys
Internet Scanner Databridge  C:\Program Files\ISS\issSensors\Internet_Scanner_DataBridge\Keys
Network sensor               C:\Program Files\ISS\issSensors\network_sensor_1\Keys
Server sensor                C:\Program Files\ISS\issSensors\server_sensor_1\Keys
Desktop controller           C:\Program Files\ISS\Realsecure Siteprotector\Desktop Controller\Keys
ICEcap Databridge            C:\Program Files\ISS\issSensors\ICEcap_Databridge\Keys
System Scanner Databridge    C:\Program Files\ISS\issSensors\System_Scanner_Databridge\Keys
Deployment Manager           C:\Program Files\ISS\RealSecure SiteProtector\Deployment Manager\Keys


Important: You need to examine both the Internet Scanner and Internet Scanner
Databridge folders for Internet Scanner installations.

Each Keys folder can contain subfolders for each key provider present (e.g. \RSA or
\CerticomNRA). At least one of these key provider subfolders should contain the
SiteProtector authentication key, which looks like
sp_con_<ApplicationServerDNS>_<####>.PubKey.

For example, if the RealSecure application server is present on a computer with the DNS
“bob”, then the computer containing a network sensor installation should have a file
called C:\Program Files\ISS\issSensors\server_sensor_1\Keys\RSA\sp_con_bob_239.PubKey
(assuming RSA encryption). If this file is not present, or if the date does not match the date
of the corresponding key on the RealSecure application server computer, then you must
force the key to be pushed from the RealSecure application server to the local sensor.

The RealSecure application server authentication keys for SiteProtector are located in the
C:\Program Files\ISS\RealSecure SiteProtector\Application
Server\Keys\<key provider>\ folders.

Important: Make sure you compare keys in similar key provider subfolders. In the
example above, compare the sensor's RSA key folder to the Application Server's RSA key
folder.

To push the RealSecure application server’s authentication keys to the sensor:

1. Search for, and then delete, sp_con*.PubKey in the C:\Program Files\ISS folder and
below.
2. From a command prompt, type net stop issdaemon.
3. Edit the C:\Program Files\ISS\issDaemon\crypt.policy file by changing the
“allowfirstconnection=<tab>L<tab>0;” string to
“allowfirstconnection<tab> =L<tab>1;”.
4. Save the file.
5. From a command prompt, type net start issdaemon.
6. From the SiteProtector console, issue a Start command to the sensor so that it will
attempt to connect. This should change the sensor status, though it may take a minute
or so. Verify that the key was pushed as described above.

Sensor status is “Offline”
Description: The SiteProtector console displays the status for one or more sensors as
“Offline.”

Explanation: This could be the result of a missing or invalid event collector authentication
key on the sensor computer.

Solution: To verify that this is the problem, go to the Keys folder on the sensor computer.
Typical folders include the following:

Product                      Folder
Internet Scanner             C:\Program Files\ISS\Scanner6\Keys
Internet Scanner Databridge  C:\Program Files\ISS\issSensors\Internet_Scanner_DataBridge\Keys
Network sensor               C:\Program Files\ISS\issSensors\network_sensor_1\Keys
Server sensor                C:\Program Files\ISS\issSensors\server_sensor_1\Keys
Desktop controller           C:\Program Files\ISS\Realsecure Siteprotector\Desktop Controller\Keys
ICEcap Databridge            C:\Program Files\ISS\issSensors\ICEcap_Databridge\Keys
System Scanner Databridge    C:\Program Files\ISS\issSensors\System_Scanner_Databridge\Keys
Deployment Manager           C:\Program Files\ISS\RealSecure SiteProtector\Deployment Manager\Keys

Important: You only need to examine the Internet Scanner Databridge folder for Internet
Scanner installations.

Each Keys folder can contain subfolders for each key provider present (e.g., \RSA or
\CerticomNRA). At least one of these key provider subfolders should contain the event
collector authentication key, which looks like
rs_eng_<EventCollectorDNS>_<####>.PubKey.

For example, if the event collector is present on a computer with the DNS “bob”, then the
computer containing a network sensor installation should have a file called C:\Program
Files\ISS\issSensors\server_sensor_1\Keys\RSA\rs_eng_bob_239.PubKey
(assuming RSA encryption). If this file is not present, or if the date does not match the date
of the corresponding key on the event collector host, then you must force the key to be
pushed from the event collector to the local sensor.

The event collector computer’s authentication keys are located in the C:\Program
Files\ISS\RealSecure SiteProtector\Event Collector\Keys\<key provider>\
folders.

Important: Make sure you compare keys in similar key provider subfolders. In our
example above, compare the sensor’s RSA key folder to the event collector’s RSA key
folder.

To push the event collector’s authentication keys to the sensor:

1. From the SiteProtector console, issue a Stop command to the event collector, and wait
until its status changes to Stopped.
2. Select the sensor, right-click the sensor, and then select View/Edit from the pop-up
menu.
3. Change the Event Collector box to None, and then click OK.
4. Issue a Start command to the event collector, and then wait until its status changes to
either “Offline” or “Online.”
5. Select the sensor, right-click the sensor, and then select View/Edit from the pop-up
menu.
6. Change the Event Collector box from None to the appropriate event collector, and
then click OK.
This should change the sensor status to “Online” though it may take a minute or so.
Verify that the key was pushed as described previously.
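
The key check that both sensor-status solutions above describe (is the key present in a matching key provider subfolder, and does its date match the copy on the application server or event collector), as an added example that is not ISS code. It assumes Python is available, that the source Keys folder is reachable or was copied with timestamps preserved, and a 2-second date tolerance; the function names and status labels are hypothetical, and the sample tree is constructed.

```python
import os
import re
import tempfile
from pathlib import Path

# File-name patterns from the guide:
#   sp_con_<ApplicationServerDNS>_<####>.PubKey  (application server key)
#   rs_eng_<EventCollectorDNS>_<####>.PubKey     (event collector key)
KEY_NAME = re.compile(r"^(?P<prefix>sp_con|rs_eng)_.+_\d+\.PubKey$", re.IGNORECASE)


def list_keys(keys_dir, prefix):
    """Index the keys under each key provider subfolder (for example RSA).

    Returns {(provider, file name) lower-cased: (provider, file name, mtime)}.
    Lower-casing mirrors Windows' case-insensitive file names.
    """
    found = {}
    root = Path(keys_dir)
    if not root.is_dir():
        return found
    for provider in root.iterdir():
        if not provider.is_dir():
            continue
        for entry in provider.iterdir():
            match = KEY_NAME.match(entry.name)
            if entry.is_file() and match and match.group("prefix").lower() == prefix:
                found[(provider.name.lower(), entry.name.lower())] = (
                    provider.name, entry.name, entry.stat().st_mtime)
    return found


def audit_keys(sensor_keys_dir, source_keys_dir, prefix, tolerance_s=2.0):
    """Compare like-for-like provider subfolders; return (provider, file, status)."""
    sensor = list_keys(sensor_keys_dir, prefix)
    source = list_keys(source_keys_dir, prefix)
    results = []
    for key, (provider, name, source_mtime) in sorted(source.items()):
        if key not in sensor:
            status = "missing"
        elif abs(sensor[key][2] - source_mtime) > tolerance_s:
            status = "date_mismatch"
        else:
            status = "ok"
        results.append((provider, name, status))
    # Keys the sensor still holds that the source no longer has.
    for key, (provider, name, _) in sorted(sensor.items()):
        if key not in source:
            results.append((provider, name, "not_on_source"))
    return results


def needs_push(results):
    """True unless at least one provider subfolder holds a key with a matching date."""
    return not any(status == "ok" for _, _, status in results)


def build_demo_tree(base):
    """Constructed sample: a sensor Keys folder and an application server Keys folder."""
    sensor, source = Path(base, "sensor", "Keys"), Path(base, "appserver", "Keys")
    pushed = 1_050_000_000  # constructed timestamp
    for root, provider, name, mtime in [
        (source, "RSA", "sp_con_bob_239.PubKey", pushed),
        (source, "CerticomNRA", "sp_con_bob_239.PubKey", pushed),
        (sensor, "RSA", "sp_con_bob_239.PubKey", pushed - 86_400),  # a day older
        (sensor, "RSA", "sp_con_alice_17.PubKey", pushed),          # unknown to source
    ]:
        folder = root / provider
        folder.mkdir(parents=True, exist_ok=True)
        (folder / name).write_bytes(b"constructed placeholder, not a real key")
        os.utime(folder / name, (mtime, mtime))
    return sensor, source


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        sensor_dir, source_dir = build_demo_tree(tmp)
        report = audit_keys(sensor_dir, source_dir, "sp_con")
        for provider, name, status in report:
            print(f"{provider:12} {name:28} {status}")
        print("push required:", needs_push(report))
```

Pass "rs_eng" as the prefix and the event collector's Keys folder as the source to run the same check for the “Offline” case.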

Chapter 2

Log File Diagnostics

Overview
Introduction
This chapter describes the extensive logging features that SiteProtector provides for each
component. These logs can help you identify problems with components or sensors.

For each type of log and configuration file, the following information is provided:

● the path of the file
● what the file contains
● how to change logging levels
● how to view the log

Viewing logs
Most log files are text files that you can open with a standard text file editor. If a different
method is needed for a particular log file, it is explained with the description of that log.

Important: Be sure to use a text editor that can handle large files.

In this chapter
This chapter contains the following topics:

Topic                                                                              Page
Installation Logs                                                                  17
Database Logs                                                                      19
X-Press Update Logs                                                                20
Setting Logging Levels                                                             21
Viewing log4j RealSecure Application Server and RealSecure Sensor Controller Logs  23
RealSecure Application Server Logs                                                 24
RealSecure Sensor Controller Logs                                                  26
RealSecure Sensor Controller Event Collector Log Files                             28
RealSecure Sensor Controller Internet Scanner Log Files                            29
RealSecure Sensor Controller Internet Scanner Databridge Log Files                 31
RealSecure Sensor Controller Network Sensor Log Files                              32
RealSecure Sensor Controller Server Sensor Log Files                               33
RealSecure Sensor Controller RealSecure Site Database Log File                     34
RealSecure Sensor Controller SiteProtector Core Log Files                          35


Installation Logs
Introduction
The SiteProtector installation process generates a log file for each SiteProtector component
installed. It also creates a detailed log file for each bulk copy of data loaded into a
particular table on the RealSecure Site database. The log files contain a line of text for each
action taking place.

Location of log files
Table 1 provides the path of the log files on the computer where each component is
installed:

Log Files                                           Folder
Component log files for installation                <system drive>\temp\iss
RealSecure Site database table bulk copy log files  <system drive>\temp\iss\bulk copy logs

Table 1: Location of general and RealSecure Site database log files

Component log files for installation
The log files created during installation depend on the type of installation (Basic or
Custom). Table 2 contains the installation log files that may be generated during
installation, depending on the type of installation:

This Log File...                                Created by...
Application_Server_Setup_Log.txt                Application Server installation
Console_Setup_Log.txt                           Console installation
Site_Database_Setup_Log.txt                     Database installation
Event_Collector_Setup_Log.txt                   Event Collector installation
SiteProtector_Deployment_Manager_setup_log.txt  Deployment Manager installation
Group_Setup_Controller_ALL_Log.txt              Group Setup Control (GCS) program for a Basic installation from CD
Group_Setup_Controller_BASIC_Log.txt            Group Setup Control (GCS) program for a Basic installation
Group_Setup_Controller_UI_Log.txt               Group Setup Control (GCS) program for installation of the Console
Group_Setup_Controller_CUSTOM1_Log.txt          Group Setup Control (GCS) program for part 1 of the Custom installation
Group_Setup_Controller_Custom2_Log.txt          Group Setup Control (GCS) program for part 2 of the Custom installation
All_Components_Log.txt                          User clicking Yes to the “Do you want to view the log file?” prompt on the message box.

Table 2: Log files that may be created at installation


Component log files for uninstallation
Log files are always created when you uninstall SiteProtector. The names of the log files
are the same as those created during installation, but the contents are overwritten with the
uninstall process information if the original log files still exist.

Note: If errors or warnings occur during the installation process and you want to save the
exact messages for troubleshooting, rename the log files before invoking the uninstall
process.

Viewing the component log files
If an error or warning occurs during the installation or uninstallation process in normal
mode, the View Log File check box on the Finish window at the end of the process will be
checked by default. This enables you to easily view the log file contents to determine the
reason for the error or warning.

To view the component installation logs:

1. Click the OK button on the Finish window.
The Finish window closes and Notepad launches, displaying the contents of the
installation/uninstallation log file.
2. View the errors and/or warnings in the log file to determine how to resolve the
problem.

RealSecure Site database table bulk copy log files
Approximately 50 pairs of log files are generated for each bulk copy that is created and
populated for the RealSecure Site database. Table 3 describes those pairs of log files:

Log File Name                           Description
<tablename>_Table_BulkCopy_Log.txt      statistics related to bulk copy process used to create the database table (e.g., source, destination, number of rows copied, duration)
<tablename>Table_BulkCopy_ErrorLog.txt  file will be empty unless errors occurred

Table 3: RealSecure Site database log descriptions

Note: Statistics for the number of rows copied for every bulk copy file that was installed/
uninstalled are included in the Enterprise_Database_Setup_Log.txt file. This file enables
you to go to one source to quickly determine which error messages/warnings occurred.


Database Logs
Introduction
Database log information, such as errors, number of rows loaded, number of rows
rejected, and reason for row rejected, is logged to the messagelog table in the RealSecure
Site database.

Viewing database logs
Use Microsoft SQL Server Enterprise Manager or Query Analyzer to view the
messagelog table.

Default logging level
The default logging level is set to Warn Trace, which logs a limited set of significant
events.

Changing the logging level
You can change the logging level detail using the Sensor Controller Diagnostics console.
See “Running commands on sensors” on page 52 for more information.

Recommendations for increased logging detail
Increasing the logging levels for an extended period of time can quickly fill the database.
Use the following recommendations when increasing logging detail:

● Increase the logging levels (i.e., setting the logging level to Full Trace) for short
intervals as needed to gather detailed information.
● Reset the trace level to Warn Trace after you finish collecting detailed information.
● Truncate this table after extended debugging, as well as during normal tracing if the
table becomes too large.


X-Press Update Logs


Introduction
You can generate log files to track the details of X-Press Update activities for the
RealSecure application server and the RealSecure sensor controller.

Contents of the log
The X-Press Update log file contains details of X-Press Update download activity and the
overall X-Press Update status. The log file includes the following:

● This high-level log file contains details about XPU activity.
● The file is overwritten each time the RealSecure application server or the RealSecure
sensor controller restarts.
● The amount of detail depends on current trace level.
Note: This file can quickly become large when logging level is high.

Location of log files
Table 4 provides the paths of the X-Press update log files:

Component                      X-Press Update Log File Path and Name
RealSecure application server  C:\Program Files\ISS\RealSecure SiteProtector\Application Server\temp\AppServer\Xpu.txt
RealSecure sensor controller   C:\Program Files\ISS\RealSecure SiteProtector\Application Server\temp\Sensor Controller\Xpu.txt

Table 4: X-Press Update log file locations

Changing the X-Press Update logging level
To change the logging level for the X-Press Update log file:

1. On the Options menu, select XPU Logging Level.
2. Select the logging level you want.


Setting Logging Levels


Introduction
The RealSecure application server generates logs using the log4j logging tool. This topic
explains how to change logging levels for log4j logs. These logging levels are separate and
distinct from the logging levels available in the Sensor Controller Diagnostics console’s
Set Logging Level menu.

Note: Methods for viewing the log4j logs are explained in “Viewing log4j RealSecure
Application Server and RealSecure Sensor Controller Logs” on page 23.

Logging levels
The log4j tool provides five priority levels of logging detail. (See documentation at
http://jakarta.apache.org/log4j/docs/manual.html.) The default logging level is set to
fatal, which only logs very serious errors.

The priority levels, in decreasing order of logging detail, consist of the following:

● DEBUG
● INFO
● WARN
● ERROR
● FATAL

Recommendations for logging detail
Increasing the logging levels for an extended period of time can quickly fill the log file.
Follow these recommendations when increasing logging detail:

● Increase the logging levels for short intervals as needed to gather detailed
information.
● Delete the log files at any time, as they can quickly become large when logging details.
■ Delete the app_server.log, and then restart the RealSecure application server.
■ Delete the sensor_ctl.log, and then restart the RealSecure sensor controller.
● Read the log4j documentation for procedures for automatically rolling up the logs
into manageable sizes.

Where the logging level is set
The logging level is set in a properties file for each component. The properties file path
and file name for the RealSecure application server are:

C:\Program Files\ISS\RealSecure SiteProtector\Application Server\config\log.properties

Important: The file must be present before any logging takes place.

Changing the logging level
To change the logging level:

1. In Notepad or an equivalent text editor, open the properties file for the RealSecure
application server (log.properties).
2. Look for the line that contains the following:
log4j.rootCategory=logging_level
where logging_level is one of the five possible logging level values.
3. Replace the logging level with one of the five available logging levels.
Example: Change the logging level from FATAL to DEBUG.
4. Save the file.
Important: You must restart the RealSecure application server before the logging
change takes effect.
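
The edit in steps 2 and 3, as an added example that is not part of the product: in log4j 1.x the value of log4j.rootCategory is the level followed by optional comma-separated appender names, so only the level token should change and the rest of the line must be kept. The sample file contents, the appender name FILE and the function name are assumptions; the rolling appender settings in the sample are the log4j mechanism the recommendations above refer to for keeping logs at a manageable size.

```python
import re

# The five log4j priority levels listed in the guide.
LEVELS = ("DEBUG", "INFO", "WARN", "ERROR", "FATAL")

# An active (uncommented) rootCategory line: the level, then optional ", appender" names.
ROOT_LINE = re.compile(
    r"^(?P<key>[ \t]*log4j\.rootCategory[ \t]*=[ \t]*)(?P<level>[^,\r\n]*)(?P<rest>.*)$",
    re.MULTILINE,
)

# Constructed sample; the appender name FILE and its settings are assumptions,
# not the contents of the product's shipped log.properties.
SAMPLE = """\
#log4j.rootCategory=DEBUG, FILE
log4j.rootCategory=FATAL, FILE
log4j.appender.FILE=org.apache.log4j.RollingFileAppender
log4j.appender.FILE.File=log/app_server.log
log4j.appender.FILE.MaxFileSize=10MB
log4j.appender.FILE.MaxBackupIndex=5
"""


def set_root_level(properties_text, new_level):
    """Return (updated text, previous level), changing only the level token."""
    level = new_level.strip().upper()
    if level not in LEVELS:
        raise ValueError(f"{new_level!r} is not one of {', '.join(LEVELS)}")
    match = ROOT_LINE.search(properties_text)
    if match is None:
        raise ValueError("no active log4j.rootCategory line found")
    previous = match.group("level").strip()
    updated = (properties_text[:match.start()] + match.group("key") + level
               + match.group("rest") + properties_text[match.end():])
    return updated, previous


if __name__ == "__main__":
    text, old = set_root_level(SAMPLE, "DEBUG")
    print("previous level:", old)
    print(text)
```

Keeping the returned previous level makes it straightforward to set the file back once the detailed information has been collected.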


Viewing log4j RealSecure Application Server and RealSecure Sensor Controller Logs
Introduction
You can view the RealSecure application server and RealSecure sensor controller log4j
logs in the following ways:

● a text file in a standard text editor
● Windows 2000 Event Viewer Application Log
● run-time debug log in a Command Prompt window

Location of log files
Table 5 provides the paths of the run-time logs on the computer that hosts the RealSecure
application server and RealSecure sensor controller.

Component                      Log File Path and File Name
RealSecure application server  C:\Program Files\ISS\RealSecure SiteProtector\Application Server\log\app_server.log
RealSecure sensor controller   C:\Program Files\ISS\RealSecure SiteProtector\Application Server\log\sensor_ctl.log

Table 5: log4j log file locations

Viewing from a text file
To view the log:

● Open the log file for RealSecure application server (app_server.log) or the
RealSecure sensor controller (sensor_ctl.log) with any standard text file editor that
is capable of editing large files.

Viewing from the Event Viewer
Events generated by the RealSecure application server and the RealSecure sensor
controller are logged to the Application Log in the Windows 2000 Event Viewer. The
Source names for the events are issSPAppService and issSPSenCtlService.

To view the events from the Windows 2000 Event Viewer Application Log:

1. Click Start on the taskbar, and then select Programs → Administrative Tools.
2. Double-click the Event Viewer icon.
3. In the left pane, select the application log.
4. In the right pane in the Source column, look for issSPAppService and
issSPSenCtlService.
Tip: Click the Source column to sort the list.

Viewing run-time debug logs
To view the run-time debug log:

● Locate the Command Prompt window that contains the debug log.
Important: You must first set up the RealSecure application server and the RealSecure
sensor controller to enable run-time logging.


RealSecure Application Server Logs


Introduction
This topic introduces log and configuration files that the RealSecure application server
uses:

● RealSecure application server log files
● issDaemon logs (See page 26.)

How it works
When you issue a command that involves displaying or modifying a property, response,
or policy file for an ISS Sensor or SiteProtector core component, copies of the remote
configuration and log files are placed on the computer where the RealSecure application
server is running.

Location of log files
The path of the log files is C:\Program Files\ISS\RealSecure
SiteProtector\Application Server\temp\AppServer.

Changing logging levels
To change logging levels for the RealSecure application server logs:

● In the Sensor Controller Diagnostics console, right-click the SP Core component in the
Sensor window.
Important: The RealSecure application server does not use dynamic logging, so
changes to the logging levels are not in effect until you restart the RealSecure
application server service.

RealSecure application server logs
The following common characteristics apply to all the RealSecure application server log
files:

● The log file is overwritten each time RealSecure sensor controller restarts.
● The amount of detail collected depends on the current trace level.

Note: The log files can quickly become very large when the logging level is high.

Description of log files
Table 6 describes the RealSecure application server logs:

Log File Name       Description
Issdk.txt           logs high-level activity detailing RealSecure application server interaction with all issDaemons
IssdkComm.txt       logs low-level communication activity between RealSecure application server and issDaemons
IssdkInterface.txt  logs low-level RealSecure application server activity

Table 6: RealSecure application server logs

Location of log files
Additional logging for each issDaemon that the RealSecure application server
communicates with is also available. The path of the configuration files pertinent to the
issDaemon located at the given IP address is C:\Program Files\ISS\RealSecure
SiteProtector\Application Server\temp\Sensor
Controller\daemon@xxx.xxx.xxx.xxx.


Note: The issDaemon log files are always available regardless of the trace level.

Description of log files
Table 7 describes the issDaemon log files:

File Name                      Description
daemon@xxx.xxx.xxx.xxx.access  copy of iss.access located at specified IP address
daemon@xxx.xxx.xxx.xxx.common  copy of common.policy located at specified IP address
daemon@xxx.xxx.xxx.xxx.daemon  copy of issDaemon.policy located at specified IP address

Table 7: issDaemon and RealSecure application server communication logs


RealSecure Sensor Controller Logs


Introduction
This topic introduces log and configuration files that the RealSecure sensor controller
uses:

● the log files for the RealSecure sensor controller
● the configuration and log files of sensors and SiteProtector components that the
RealSecure sensor controller communicates with:
■ Event Collector (See page 28)
■ Internet Scanner (See page 29)
■ Internet Scanner jobs (See page 29)
■ Internet Scanner Databridge (See page 31)
■ Network sensor (See page 32)
■ Server sensor (See page 33)
■ RealSecure Site database (See page 34)
■ SiteProtector core (See page 35)

How it works
When you issue a command that involves displaying or modifying a property, response,
or policy file for an ISS Sensor or SiteProtector core components, copies of the remote
configuration and log files are placed on the computer where the RealSecure sensor
controller is running.

Location of log files
The path of the files is C:\Program Files\ISS\RealSecure
SiteProtector\Application Server\temp\Sensor Controller.

Dynamic logging levels
Dynamic logging is in effect for the RealSecure sensor controller. That is, changes to the
logging levels go into effect immediately without restarting the RealSecure sensor
controller service.

RealSecure sensor controller log files
The following common characteristics apply to all RealSecure sensor controller log files:

● The log file is overwritten each time the RealSecure sensor controller restarts. This is
true only if the logging level is less than full. If the logging level is full then it will
append.
● The amount of detail collected depends on current trace level.

Note: The log files can quickly become large when the logging level is high.

Description of log files
Table 8 describes the log files for the RealSecure sensor controller.

Log File Name       Description
Issdk.txt           logs high-level activity detailing RealSecure sensor controller interaction with all sensors and core components
IssdkComm.txt       logs low-level communication activity between RealSecure sensor controller and sensors
IssdkInterface.txt  logs low-level RealSecure sensor controller activity

Table 8: RealSecure sensor controller dynamic log files

Changing logging levels for sensors
To change the log levels:

1. In the Sensors window, right-click the sensor.
2. Select Details.
3. Select a desired logging level.
Note: To retrieve the current log, select Get Sensor Controller Log.


RealSecure Sensor Controller Event Collector Log Files


Location of log files
The path of configuration files for the event collector at the given IP address is
C:\Program Files\ISS\RealSecure SiteProtector\Application
Server\temp\Sensor Controller\EventCollector_<DNS>@xxx.xxx.xxx.xxx. The
default installation path of the event collector is C:\Program Files\ISS\RealSecure
SiteProtector\Event Collector.

Description of log files
Table 9 describes the event collector log files:

Log File Names (each followed by its Description)

EventCollector_<DNS>@xxx.xxx.xxx.xxx.common
• copy of common.policy located at specified IP address
• always available
• independent of logging level

EventCollector_<DNS>@xxx.xxx.xxx.xxx.daemon
• copy of issDaemon.policy located at specified IP address
• always available
• independent of logging level

EventCollector_<DNS>@xxx.xxx.xxx.xxx.policy
• copy of current.policy located at specified IP address
• always available
• independent of logging level

EventCollector_<DNS>@xxx.xxx.xxx.xxx.status
• copy of ec_status.policy located at specified IP address that details the Event Collector
control list and status info
• always available
• independent of logging level

EventCollector_<DNS>@xxx.xxx.xxx.xxx.prop
• generated file containing runtime configuration information
• overwritten each time RealSecure sensor controller restarts but is independent of logging
level

EventCollector_<DNS>@xxx.xxx.xxx.xxx.properties
• cached file of user modifications to properties
• overwritten each time RealSecure sensor controller restarts but is independent of logging
level

EventCollector_<DNS>@xxx.xxx.xxx.xxx.txt
• generated file containing runtime debug information detailing interaction between
RealSecure sensor controller and event collector
• overwritten each time RealSecure sensor controller restarts
• amount of detail depends on current logging level

Table 9: Event Collector log files


RealSecure Sensor Controller Internet Scanner Log Files


Introduction
You can see log files for Internet Scanner and for specific Internet Scanner jobs.

Location of log files
The path of the configuration and log files for the Internet Scanner located at the given IP
address is C:\Program Files\ISS\RealSecure SiteProtector\Application
Server\temp\Sensor Controller\Internet_Scanner@xxx.xxx.xxx.xxx. The default
installation path of Internet Scanner is C:\Program Files\ISS\Scanner6.

Description of configuration and log files
Table 10 describes the Internet Scanner configuration and log files:

File Names (each followed by its Description)

Internet_Scanner@xxx.xxx.xxx.xxx.policy
• located at specified IP address
• always available
• independent of logging level

Internet_Scanner@xxx.xxx.xxx.xxx.prop
• generated file containing runtime configuration information
• overwritten each time RealSecure sensor controller restarts but is independent of logging
level

Internet_Scanner@xxx.xxx.xxx.xxx.properties
• cached file of user modifications to properties
• overwritten each time RealSecure sensor controller restarts but is independent of logging
level

Internet_Scanner@xxx.xxx.xxx.xxx.txt
• generated file containing runtime debug information detailing interaction between
RealSecure sensor controller and Internet Scanner
• overwritten each time RealSecure sensor controller restarts
• amount of detail depends on current logging level

Table 10: Internet Scanner log files

Location of Internet Scanner job-specific log files
The path of the log files related to specific jobs (launched scans) for Internet Scanner is
C:\Program Files\ISS\RealSecure SiteProtector\Application
Server\temp\Sensor Controller\Internet_Scanner@xxx.xxx.xxx.xxx. The files
are located in subfolders according to the job name. By default, the path of configuration
files is C:\Program Files\ISS\Scanner6 on the computer where Internet Scanner is
hosted. The general form is as follows:

● Job_x – folder containing files related to job number “x”


Description of Internet Scanner job-specific log files
Table 11 describes the job-specific log files:

Log File Name  Description
hosts.hst      IP range of hosts to be scanned
iss.key        license key that limits IP range that can be scanned
*.policy       policy file used by Internet Scanner during scan (e.g., L1 Inventory.policy)

Table 11: Internet Scanner job-specific log files


RealSecure Sensor Controller Internet Scanner Databridge Log Files

Location of log files
The path of the log files for the Internet Scanner Databridge at the given IP address is
C:\Program Files\ISS\RealSecure SiteProtector\Application
Server\temp\Sensor
Controller\Internet_Scanner_DataBridge@xxx.xxx.xxx.xxx. The default
installation path for the Internet Scanner Databridge is C:\Program
Files\ISS\issSensors\Internet_Scanner_DataBridge.

Description of log files
Table 12 describes the Internet Scanner Databridge log files:

File Names (each followed by its Description)

Internet_Scanner_DataBridge@xxx.xxx.xxx.xxx.policy
• copy of current.policy located at specified IP address
• always available
• independent of logging level

Internet_Scanner_DataBridge@xxx.xxx.xxx.xxx.prop
• generated file containing runtime configuration information
• overwritten each time RealSecure sensor controller restarts but is independent of logging
level

Internet_Scanner_DataBridge@xxx.xxx.xxx.xxx.properties
• cached file of user modifications to properties
• overwritten each time RealSecure sensor controller restarts but is independent of logging
level

Internet_Scanner_DataBridge@xxx.xxx.xxx.xxx.txt
• generated file containing runtime debug information detailing interaction between
RealSecure sensor controller and Internet Scanner Databridge
• overwritten each time RealSecure sensor controller restarts
• amount of detail depends on current logging level

Table 12: Internet Scanner Databridge log files


RealSecure Sensor Controller Network Sensor Log Files


Location of log files

The RealSecure network sensor log files contain information pertinent to the RealSecure network sensor located at the given IP address. The path of the log files is <system drive>\Program Files\ISS\RealSecure SiteProtector\Application Server\temp\Sensor Controller\network_sensor_1@xxx.xxx.xxx.xxx.

If a job is successful, the following files are removed from the path list above:

● \<job #>\x.policy
● \<job #>\x.prop
● \<job #>\x.properties
● \<job #>\x.txt

Description of log files

Table 13 describes the RealSecure network sensor log files:

Log File Names
    Description

network_sensor_1@xxx.xxx.xxx.xxx.policy
    • copy of current.policy located at specified IP address
    • always available
    • independent of logging level

network_sensor_1@xxx.xxx.xxx.xxx.prop
    • generated file containing runtime configuration information
    • overwritten each time RealSecure sensor controller restarts but is independent of logging level

network_sensor_1@xxx.xxx.xxx.xxx.properties
    • cached file of user modifications to properties
    • overwritten each time RealSecure sensor controller restarts but is independent of logging level

network_sensor_1@xxx.xxx.xxx.xxx.txt
    • generated file containing runtime debug information detailing interaction between RealSecure sensor controller and network sensor
    • overwritten each time RealSecure sensor controller restarts
    • amount of detail depends on current logging level

Table 13: Network sensor log files

Note: All logging is saved for successful jobs, unless the logging level is turned off.

RealSecure Sensor Controller Server Sensor Log Files

Location of log files

The RealSecure server sensor log files contain information pertinent to the RealSecure server sensor located at the given IP address. The path of the log files is C:\Program Files\ISS\RealSecure SiteProtector\Application Server\temp\Sensor Controller\server_sensor_1@xxx.xxx.xxx.xxx.

Description of log files

Table 14 describes the RealSecure server sensor log files:

Log File Name
    Description

server_sensor_1@xxx.xxx.xxx.xxx.policy
    • copy of current.policy located at specified IP address
    • always available
    • independent of logging level

server_sensor_1@xxx.xxx.xxx.xxx.prop
    • generated file containing runtime configuration information
    • overwritten each time RealSecure sensor controller restarts but is independent of logging level

server_sensor_1@xxx.xxx.xxx.xxx.properties
    • cached file of user modifications to properties
    • overwritten each time RealSecure sensor controller restarts but is independent of logging level

server_sensor_1@xxx.xxx.xxx.xxx.txt
    • generated file containing runtime debug information detailing interaction between RealSecure sensor controller and server sensor
    • overwritten each time RealSecure sensor controller restarts
    • amount of detail depends on current logging level

Table 14: Server sensor log files

RealSecure Sensor Controller RealSecure Site Database Log File

Location of log files

The RealSecure Site database files contain information pertinent to the RealSecure Site database located at the given IP address. The path of the log file is C:\Program Files\ISS\RealSecure SiteProtector\Application Server\temp\Sensor Controller\Site Protector Database@xxx.xxx.xxx.xxx.

Description of log files

Table 15 describes the RealSecure server sensor log file:

Log File Name
    Description

Site Protector Database@127.0.0.1.txt
    • low-level log file detailing RealSecure sensor controller interaction with RealSecure Site database component (i.e. XPU activity)
    • overwritten each time RealSecure sensor controller restarts
    • amount of detail depends on current logging level

Table 15: RealSecure Site database log files

RealSecure Sensor Controller SiteProtector Core Log Files

Location of log files

The SiteProtector core log files contain information pertinent to the RealSecure sensor controller located at the given IP address. The path of the log files is C:\Program Files\ISS\RealSecure SiteProtector\Application Server\temp\Sensor Controller\server_sensor_1@xxx.xxx.xxx.xxx.

Description of log files

Table 16 describes the SiteProtector core log files:

Log File Name
    Description

server_sensor_1@xxx.xxx.xxx.xxx.prop
    • generated file containing runtime configuration information
    • overwritten each time RealSecure sensor controller service restarts but is independent of logging level

server_sensor_1@xxx.xxx.xxx.xxx.txt
    • generated file containing runtime debug information detailing interaction between RealSecure sensor controller and server sensor
    • overwritten each time RealSecure sensor controller service restarts
    • amount of detail depends on current logging level

Table 16: SiteProtector core log files
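
Because Tables 12 through 16 state that the .prop, .properties and .txt files are overwritten each time the sensor controller restarts, it helps to copy them aside before a restart. The PowerShell function below is an added example, not part of this guide or of ISS software; the function name and the Destination folder are hypothetical, and it assumes the default log path shown above.

```powershell
# Added example (not ISS code). Suffix meanings are taken from Tables 12-16.
$SuffixNotes = [ordered]@{
    '.policy'     = 'copy of current.policy; always available'
    '.prop'       = 'runtime configuration; overwritten when the sensor controller restarts'
    '.properties' = 'cached user property changes; overwritten when the sensor controller restarts'
    '.txt'        = 'runtime debug log; overwritten on restart; detail depends on logging level'
}

function Save-SensorControllerLogs {
    [CmdletBinding()]
    param(
        # Default path as given in this guide; change it for a non-default install.
        [string]$LogRoot = 'C:\Program Files\ISS\RealSecure SiteProtector\Application Server\temp\Sensor Controller',
        # Hypothetical archive location chosen by the operator.
        [Parameter(Mandatory)][string]$Destination
    )

    if (-not (Test-Path -LiteralPath $LogRoot -PathType Container)) {
        throw "Log root not found: $LogRoot"
    }
    $root   = (Resolve-Path -LiteralPath $LogRoot).ProviderPath.TrimEnd('\')
    $target = Join-Path $Destination ('SensorControllerLogs-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
    New-Item -ItemType Directory -Path $target -Force | Out-Null

    $manifest = @(foreach ($file in Get-ChildItem -LiteralPath $root -Recurse -File) {
        $ext = $file.Extension.ToLowerInvariant()
        # Only the four per-component file types are copied; hosts.hst and
        # iss.key (the license key) in Internet Scanner job folders are skipped.
        if (-not $SuffixNotes.Contains($ext)) { continue }

        $relative = $file.FullName.Substring($root.Length + 1)

        # Folder and file names have the form <component>@<IPv4 address>.
        $component = $null
        $address   = $null
        if ($relative -match '(?<component>[^\\@]+)@(?<address>\d{1,3}(?:\.\d{1,3}){3})') {
            $component = $Matches['component']
            $address   = $Matches['address']
        }

        # Preserve the folder layout (including Job_x subfolders) in the copy.
        $copy = Join-Path $target $relative
        New-Item -ItemType Directory -Path (Split-Path -Path $copy -Parent) -Force | Out-Null
        Copy-Item -LiteralPath $file.FullName -Destination $copy

        [pscustomobject]@{
            Component     = $component
            Address       = $address
            RelativePath  = $relative
            Note          = $SuffixNotes[$ext]
            LastWriteTime = $file.LastWriteTime
            Length        = $file.Length
            SHA256        = (Get-FileHash -LiteralPath $copy -Algorithm SHA256).Hash
        }
    })

    # The manifest records what was captured and a hash of each copy.
    if ($manifest.Count -gt 0) {
        $manifest | Export-Csv -Path (Join-Path $target 'manifest.csv') -NoTypeInformation
    }
    $manifest
}

# Example call before restarting the sensor controller service:
# Save-SensorControllerLogs -Destination 'D:\Support\SiteProtector'
```

The .txt debug logs and the .policy copies can describe sensor configuration in detail, so keep the archive folder restricted to the people doing the troubleshooting.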

Chapter 3

Diagnostic and Debugging Setup

Overview
Introduction

This chapter explains the options for setting up the Sensor Controller Diagnostics console and how to activate run-time debugging for the RealSecure sensor controller and the RealSecure application server.

Options for the RealSecure sensor controller

By default, the RealSecure sensor controller runs as a service without the Sensor Controller Diagnostics console. When you run the Sensor Controller Diagnostics console, you can run the RealSecure sensor controller either as a service or as a Java application.

● If you are only interested in logging data for sensors, you can use either method.
● If you are unable to start the RealSecure sensor controller as a service, you may start it as a Java application. Starting it as a Java application is also the quicker way of setting up run-time logging.

Log information

For information about the debug logs for the RealSecure sensor controller and the RealSecure application server, see the following:

● “Setting Logging Levels” on page 21
● “Viewing log4j RealSecure Application Server and RealSecure Sensor Controller Logs” on page 23

Where to find the Sensor Controller Diagnostics console

The Sensor Controller Diagnostics console is installed along with the RealSecure sensor controller and the RealSecure application server. The instructions for setting up the Sensor Controller Diagnostics console reference the default installation paths. If you installed SiteProtector components to other paths, you must use those instead.

In this section

This section contains the following topics:

● Starting as a Java Application
● Setting up Runtime Logging for the SiteProtector Sensor Controller Service
● Setting up Run-Time Logging for the SiteProtector Application Server Service

Starting as a Java Application


Introduction

When you run the RealSecure sensor controller as a Java application, you start the Sensor Controller Diagnostics console and the run-time debug log together from a command prompt window.

Note: When you set up the Sensor Controller Diagnostics console, you also activate the run-time debug logs for the RealSecure sensor controller.

Starting the RealSecure Sensor Controller from a command prompt

To start the RealSecure sensor controller from a command prompt window:

1. Click Start on the taskbar, and then select Settings→Control Panel.
2. Double-click the Administrative Tools icon, and then double-click the Services icon.
3. Select the RealSecure SiteProtector Sensor Controller Service, and then click the Stop button.
4. Click Start on the taskbar, and then select Programs→Accessories→Command prompt.
5. Change directories to C:\Program Files\ISS\RealSecure SiteProtector\Application Server\bin.
6. Type ccengine -debug, and then press ENTER.
   A command prompt window appears, displaying logging information, and the Sensor Controller Diagnostics console appears.

Setting up Runtime Logging for the SiteProtector Sensor Controller Service

Introduction

When you use the Sensor Controller Diagnostics console with the RealSecure sensor controller as a service, the run-time debug log appears in a separate Command Prompt window.

Task overview

Starting the Sensor Controller Diagnostics console with the RealSecure sensor controller as a service is a four-task procedure:

● Stop the RealSecure SiteProtector sensor controller service using the Services Administrative Tool.
● Edit the properties of the service (on the Log On tab) to enable the Allow service to interact with desktop check box.
● Change the setting of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\issSPSenCtlService\Parameters\ConsoleTrace registry key from N to Y.
● From a Command Prompt window, change directories to C:\Program Files\ISS\RealSecure SiteProtector\Application Server\bin, and then run the ccengine -debug command.

Procedure

To start run-time logging with the RealSecure sensor controller as a service:

1. Click Start on the taskbar, and then select Settings→Control Panel.
2. Double-click the Administrative Tools icon, and then double-click the Services icon.
3. Select the RealSecure SiteProtector Sensor Controller Service, and then click the Stop button.
4. Right-click the RealSecure SiteProtector Sensor Controller Service, and then select Properties from the pop-up menu.
5. Select the Log On tab, and select the Allow service to interact with desktop check box, and then click OK.
   Tip: Do not close the Services window.
6. Click Start on the taskbar, and then select Run.
7. Type regedit, and then press ENTER.
   The Registry Editor appears.
8. In the left pane, select HKEY_LOCAL_MACHINE→SYSTEM→CurrentControlSet→Services→issSPAppService→Parameters.
9. In the right pane, double-click ConsoleTrace, type Y in the Value data box, and then click OK.
10. In Services, select the RealSecure SiteProtector Sensor Controller Service, and then click the Start button.

Setting up Run-Time Logging for the SiteProtector Application Server Service

Introduction

When you enable run-time logging for the RealSecure application server, the RealSecure application server still runs as a service. The run-time logging information appears in a separate Command Prompt window.

Procedure

To set up run-time logging for the RealSecure application server:

1. Click Start on the taskbar, and then select Settings→Control Panel.
2. Double-click the Administrative Tools icon, and then double-click the Services icon.
3. Select the RealSecure SiteProtector Application Service service, and then click the Stop button.
4. Right-click the RealSecure SiteProtector Application Service service, and then select Properties from the pop-up menu.
5. Select the Log On tab, and select the Allow service to interact with desktop check box, and then click OK.
   Tip: Do not close the Services window.
6. Click Start on the taskbar, and then select Run.
7. Type regedit, and then press ENTER.
   The Registry Editor appears.
8. In the left pane, select HKEY_LOCAL_MACHINE→SYSTEM→CurrentControlSet→Services→issSPAppService→Parameters.
9. In the right pane, double-click ConsoleTrace, type Y in the Value data box, and then click OK.
10. In Services, select the RealSecure SiteProtector Application Service service, and then click the Start button.
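
One way to check and script the ConsoleTrace steps of the two service procedures above, as an added PowerShell example that is not from this guide or from ISS. The two key names are the ones printed on this page (the task overview names issSPSenCtlService, while both step lists name issSPAppService), so the check reads both. It relies on the Services subkey name being the service name and assumes ConsoleTrace is a string value, as the Y/N setting suggests.

```powershell
# Added example (not ISS code). Key names are the two that appear in this guide.
$ServicesRoot    = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$InteractiveFlag = 0x100   # SERVICE_INTERACTIVE_PROCESS bit in the service Type value

# Report, per service key, whether the service exists, whether the
# "Allow service to interact with desktop" flag is set, and the ConsoleTrace value.
function Get-ConsoleTraceState {
    param([string[]]$ServiceKey = @('issSPSenCtlService', 'issSPAppService'))

    foreach ($name in $ServiceKey) {
        $svcProps   = Get-ItemProperty -Path "$ServicesRoot\$name" -ErrorAction SilentlyContinue
        $paramProps = Get-ItemProperty -Path "$ServicesRoot\$name\Parameters" -ErrorAction SilentlyContinue
        $service    = Get-Service -Name $name -ErrorAction SilentlyContinue

        [pscustomobject]@{
            ServiceKey   = $name
            DisplayName  = if ($service) { $service.DisplayName } else { $null }
            Status       = if ($service) { $service.Status } else { 'not installed' }
            Interactive  = if ($svcProps) { [bool]($svcProps.Type -band $InteractiveFlag) } else { $null }
            ConsoleTrace = if ($paramProps) { $paramProps.ConsoleTrace } else { $null }
        }
    }
}

# Stop the service, set ConsoleTrace to Y or N, start the service again,
# then return the resulting state. Use -WhatIf to preview.
function Set-ConsoleTrace {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ServiceKey,
        [Parameter(Mandatory)][ValidateSet('Y', 'N')][string]$Value
    )

    $paramPath = "$ServicesRoot\$ServiceKey\Parameters"
    if (-not (Test-Path -Path $paramPath)) {
        throw "Registry key not found: $paramPath"
    }

    if ($PSCmdlet.ShouldProcess($ServiceKey, "set ConsoleTrace=$Value and restart the service")) {
        Stop-Service -Name $ServiceKey -Force
        Set-ItemProperty -Path $paramPath -Name 'ConsoleTrace' -Value $Value
        Start-Service -Name $ServiceKey
    }
    Get-ConsoleTraceState -ServiceKey $ServiceKey
}

# Show the current state of both keys named in this guide:
# Get-ConsoleTraceState | Format-Table -AutoSize
# Turn tracing back off once troubleshooting is finished:
# Set-ConsoleTrace -ServiceKey 'issSPAppService' -Value N
```

Run it from an elevated prompt. The Allow service to interact with desktop check box is only reported (the Interactive column), not changed, so step 5 is still done in the Services window.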

Chapter 4

Database Schema

Overview
Introduction This chapter contains the SiteProtector database schema.

In this chapter

This chapter contains the following topics:

● Grouping Schema
● Command and Control Schema
● Site Analysis Schema
● X-Force Schema
● Metrics Schema
● ITSRO Schema
● Statistics Schema
● Sensor Data Schema
● Site Filters Schema
● Staging Schema
● Auditing Schema
● Application Security Schema
● Complete Database Schema
Grouping Schema

The following diagram displays the Grouping schema:

Hosts
UnGroupedHosts
HostID: int IDENTITY
HostID: int NOT NULL (FK)
HostIpAddress: varchar(47) NULL
UnGroupedStatus: tinyint NULL (FK)
GroupsParentChild GroupPolicy HostDNSName: NVARCHAR(254) NULL
UnGroupedDetails: nvarchar(254) NULL
GroupID: int NOT NULL (FK) HostNBName: NVARCHAR(16) NULL
LastModifiedAt: datetime NULL
RoleID: int NOT NULL (FK) HostNBDomain: nvarchar(16) NULL
ParentID: int NULL (FK) HostOSName: nvarchar(64) NULL
ChildID: int NOT NULL (FK) PolicyID: int NOT NULL (FK) HostOSVersion: nvarchar(32) NULL
HostOSRevisionLevel: varchar(32) NULL
HostOwner: nvarchar(50) NULL
DateHostAdded: datetime NOT NULL
GroupHostLinks GUID: varchar(36) NULL UnGroupedStatus
GroupID: int NOT NULL (FK) HostIPNbr: numeric(10) NOT NULL (IE1.1) UnGroupedStatus: tinyint NOT NULL
HostID: int NOT NULL (FK) MacAddress: char(17) NULL
DateHostUpdated: datetime NOT NULL (IE1.2) UnGroupedStatusDesc: nvarchar(60) NULL
Groups OSGroupID: int NULL (FK)
GroupID: int IDENTITY (AK1.2) ISScanDate: datetime NULL (IE2.1)
StatNameID: int NULL (IE2.2)
GroupName: nvarchar(64) NOT NULL
HostCounts
GroupDesc: nvarchar(255) NULL
RoleID: int NULL (FK) CountDate: datetime NOT NULL
GroupViewID: int NULL (FK) GroupID: int NOT NULL (FK) GroupRuleType
Deleted: tinyint NULL HostCount: int NOT NULL RuleType: tinyint NOT NULL
SiteID: int NULL (FK) Description: nvarchar(60) NOT NULL
GroupTypeID: int NULL (FK)
SPGroupID: int NULL
ParentGroupID: int NULL (FK) (AK1.1) Component
RuleID: int NULL (FK) GroupRule ComponentID: int IDENTITY
RuleID: int IDENTITY RoleID: int NULL (FK) (AK1.3)
RuleType: tinyint NOT NULL (FK) LastPushedPolicyID: int NULL (FK)
RuleValue: ntext NOT NULL PropertyFileID: int NULL (FK)
Description: nvarchar(254) NULL HostID: int NULL (FK) (AK1.1)
LastModifiedAt: datetime NULL Priority: numeric NOT NULL
GroupTypes
Status: numeric NOT NULL
GroupTypeID: int IDENTITY LastModifiedBy: nvarchar(60) NULL
Name: nvarchar(64) NULL (AK1.1) LastModifiedAt: datetime NULL
Descr: nvarchar(255) NULL Deleted: numeric NOT NULL
Role EventSourcePort: int NULL
RoleID: int NOT NULL EventPort: int NULL
Version: varchar(20) NULL
RoleName: varchar(20) NOT NULL
SensorName: nvarchar(100) NULL (AK1.2)
Sites ProductID: int NULL (FK)
Policy: nvarchar(434) NULL
SiteID: int IDENTITY(2,1) ClassName: varchar(255) NOT NULL (AK1.1)
Master: varchar(30) NULL
Namespace: varchar(255) NULL
AvailableXPU: varchar(40) NULL
Name: nvarchar(60) NOT NULL
Descr: nvarchar(255) NULL LastInstalledXPU: varchar(40) NULL
IpAddress: varchar(47) NOT NULL LoggingLevel: tinyint NULL
Port: int NOT NULL LicenseState: smallint NULL
LastDataLoadAt: datetime NULL XPUState: smallint NULL
Deleted: tinyint NULL StateDescription: nvarchar(500) NULL
UnexpectedConfigChange: tinyint NULL
ModifiedBySensorController: tinyint NOT NULL
Products DaemonPort: int NULL
GroupView ProductID: int NOT NULL EventLogOption: tinyint NULL
GroupViewID: int IDENTITY (IE1.1) SiteID: int NULL (FK)
ProdName: nvarchar(40) NULL LastPushedResponseID: int NULL (FK)
GroupViewName: nvarchar(64) NOT NULL XPUDate: datetime NULL
Deleted: tinyint NULL SiteRange Response: nvarchar(434) NULL
SiteRangeID: smallint IDENTITY PolicyGroupID: int NULL (FK)
LastHeartBeat: datetime NULL
StartIPNbr: numeric(10) NULL GUID: varchar(36) NULL (IE1.1)
EndIPNbr: numeric(10) NULL LicenseID: int NULL (FK)
Description: nvarchar(64) NULL PolicyChangedFlag: tinyint NOT NULL
Deleted: tinyint NOT NULL FCPEventPort: int NULL
FCPEventSourcePort: int NULL
ECStatus: tinyint NULL
ECStateDescription: nvarchar(500) NULL
OptionFlags: int NULL
EventCollectorID: int NULL (FK)
Command and Control Schema

The following diagram displays the Command and Control schema:

Component
Policy ComponentID: int IDENTITY
PolicyVersion PolicyID: int IDENTITY RoleID: int NULL (FK) (AK1.3)
RoleID: int NOT NULL (FK)
Name: nvarchar(150) NOT NULL LastPushedPolicyID: int NULL (FK) Hosts
Version: varchar(100) NOT NULL
Description: nvarchar(80) NULL PropertyFileID: int NULL (FK)
HostID: int IDENTITY
DisplayVersion: varchar(100) NULL FileName: nvarchar(255) NULL HostID: int NULL (FK) (AK1.1)
Version: varchar(100) NULL Priority: numeric NOT NULL HostIpAddress: varchar(47) NULL
RoleID: int NULL (FK) Status: numeric NOT NULL HostDNSName: NVARCHAR(254) NULL
BinaryDataID: int NULL (FK) LastModifiedBy: nvarchar(60) NULL HostNBName: NVARCHAR(16) NULL
ResponseVersion
Deleted: numeric NOT NULL LastModifiedAt: datetime NULL HostNBDomain: nvarchar(16) NULL
RoleID: int NOT NULL (FK) Deleted: numeric NOT NULL HostOSName: nvarchar(64) NULL
LastModifiedAt: datetime NULL
Version: varchar(100) NOT NULL EventSourcePort: int NULL HostOSVersion: nvarchar(32) NULL
LastModifiedBy: nvarchar(60) NULL
DisplayVersion: varchar(100) NULL ReadOnly: tinyint NULL EventPort: int NULL HostOSRevisionLevel: varchar(32) NULL
EditorKey: varchar(50) NOT NULL Version: varchar(20) NULL HostOwner: nvarchar(50) NULL
Valid: tinyint NOT NULL SensorName: nvarchar(100) NULL (AK1.2) DateHostAdded: datetime NOT NULL
Policy: nvarchar(434) NULL GUID: varchar(36) NULL
Master: varchar(30) NULL HostIPNbr: numeric(10) NOT NULL (IE1.1)
AvailableXPU: varchar(40) NULL MacAddress: char(17) NULL
LastInstalledXPU: varchar(40) NULL DateHostUpdated: datetime NOT NULL (IE1.2)
Role LoggingLevel: tinyint NULL OSGroupID: int NULL (FK)
RoleID: int NOT NULL LicenseState: smallint NULL ISScanDate: datetime NULL (IE2.1)
RoleName: varchar(20) NOT NULL XPUState: smallint NULL StatNameID: int NULL (IE2.2)
ProductID: int NULL (FK) StateDescription: nvarchar(500) NULL
ClassName: varchar(255) NOT NULL (AK1.1) UnexpectedConfigChange: tinyint NULL
Namespace: varchar(255) NULL ModifiedBySensorController: tinyint NOT NULL
DaemonPort: int NULL
EventLogOption: tinyint NULL
Products SiteID: int NULL (FK)
ProductID: int NOT NULL LastPushedResponseID: int NULL (FK)
XPUDate: datetime NULL Sites
ProdName: nvarchar(40) NULL Response: nvarchar(434) NULL SiteID: int IDENTITY(2,1)
PolicyGroupID: int NULL (FK)
LastHeartBeat: datetime NULL Name: nvarchar(60) NOT NULL
GUID: varchar(36) NULL (IE1.1) Descr: nvarchar(255) NULL
Response IpAddress: varchar(47) NOT NULL
LicenseID: int NULL (FK)
ResponseID: int IDENTITY Port: int NOT NULL
PolicyChangedFlag: tinyint NOT NULL
Name: nvarchar(150) NOT NULL FCPEventPort: int NULL LastDataLoadAt: datetime NULL
Description: nvarchar(80) NULL FCPEventSourcePort: int NULL Deleted: tinyint NULL
FileName: nvarchar(255) NULL ECStatus: tinyint NULL GUID: varchar(512) NULL
Version: varchar(100) NULL ECStateDescription: nvarchar(500) NULL
RoleID: int NULL (FK) OptionFlags: int NULL
BinaryDataID: int NULL (FK) EventCollectorID: int NULL (FK)
Deleted: numeric NOT NULL Schedule
LastModifiedAt: datetime NULL ActionJob ScheduleID: int IDENTITY
LastModifiedBy: nvarchar(60) NULL ActionJobID: int IDENTITY
ReadOnly: tinyint NULL Description: varchar(1000) NULL
EditorKey: varchar(50) NOT NULL ActionDetailsID: int NOT NULL (FK) Enabled: numeric NOT NULL
Valid: tinyint NOT NULL ComponentID: int NULL (FK) FreqType: numeric NOT NULL
StartDateTime: datetime NOT NULL FreqInterval: numeric NOT NULL
License ActionState: numeric NOT NULL FreqSubType: numeric NULL
LicenseID: int IDENTITY Result: varchar(300) NULL FreqSubInterval: numeric NOT NULL
FreqRelativeInt: numeric NOT NULL
Name: nvarchar(50) NULL ActionDetails FreqRecurFactor: numeric NULL
BinaryDataID: int NULL (FK) ActionDetailsID: int IDENTITY ActiveStartDate: numeric NULL
Features: nvarchar(50) NULL
ItemID: int NULL ActiveEndDate: numeric NULL
FeatureDescription: nvarchar(100) NULL
HostID: int NULL (FK) ActiveStartTOD: numeric NULL
DeviceCount: int NULL
ComponentID: int NULL (FK) ActiveEndTOD: numeric NULL
MaintenanceDate: varchar(40) NULL
HostGroupID: int NULL (IE1.1) NumSchedScans: numeric NULL
ExpireDate: varchar(40) NULL
ScheduleID: int NULL (FK) Deleted: numeric NOT NULL
State: tinyint NULL
ActionType: numeric NOT NULL TimeZone: varchar(40) NULL
StateDescription: varchar(512) NULL
LicenseType: tinyint NOT NULL RoleID: int NULL (FK)
KeyString: varchar(50) NULL ScheduledBy: nvarchar(60) NOT NULL
LastModifiedBy: nvarchar(60) NULL GroupHostLinks
StatNameID: int NULL (FK)
LicContactInfoGUID: nvarchar(40) NULL (FK) LastModifiedAt: datetime NULL GroupID: int NOT NULL (FK)
LicGUID: nvarchar(40) NULL NextRunDate: datetime NULL HostID: int NOT NULL (FK)
Description: nvarchar(100) NULL Suspended: numeric NOT NULL
NewLicenseID: int NULL (FK) Deleted: numeric NOT NULL
ComponentGroupID: int NULL (FK)
Arguments: ntext NULL

Tasks
ControllerID: int NULL
BinaryData TaskID: int IDENTITY
BinaryDataID: int IDENTITY Groups JobTypeID: int NOT NULL (FK)
BinaryDataType: tinyint NULL (FK) GroupID: int IDENTITY (AK1.2) Name: varchar(60) NULL
Value: image NULL Descr: varchar(255) NULL
GroupName: nvarchar(64) NOT NULL LoadTableName: varchar(60) NULL
CheckSum: int NULL (IE1.1)
GroupDesc: nvarchar(255) NULL LoadStoredProcName: varchar(60) NULL
FileName: nvarchar(255) NULL DesktopAgentVersion RoleID: int NULL (FK) FormatFile: text NOT NULL
LastModifiedAt: datetime NULL GUID: varchar(36) NOT NULL GroupViewID: int NULL (FK) LoadSQLStatement: varchar(4000) NULL
Version: varchar(20) NOT NULL Deleted: tinyint NULL
ReadmeFileID: int NULL (FK) SiteID: int NULL (FK)
GroupTypeID: int NULL (FK) JobTypes
SPGroupID: int NULL JobTypeID: int IDENTITY
ParentGroupID: int NULL (FK) (AK1.1)
BinaryDataType RuleID: int NULL (FK) Descr: varchar(80) NOT NULL
BinaryDataType: tinyint NOT NULL
BinaryDataTypeDesc: nvarchar(60) NOT NULL

Site Analysis Schema

The following diagram displays the Site Analysis schema:

SecurityChecks
SourceHost SecChkID: int NOT NULL
TargetHost
SourceID: <Hosts.HostID> TagName: varchar(60) NOT NULL (AK1.1)
TargetID: <Hosts.HostID> SourceIpAddress: <Hosts.HostIpNbr> ChkName: varchar(40) NOT NULL
TargetIpAddress: <Hosts.HostIpNbr> SourceDNSName: <Hosts.HostDNSName> ChkBriefDesc: NVARCHAR(255) NULL
TargetDNSName: <Hosts.HostDNSName> SourceOSName: <Hosts.HostOSName> ChkDetailDesc: ntext NULL
TargetOSName: <Hosts.HostOSName> ChkDateReported: datetime NULL
ChkDateEntered: datetime NULL
Hosts ChkDateChanged: datetime NULL
HostID: int IDENTITY ItemAffected: nvarchar(255) NULL
ObservanceColumn Discoverer: nvarchar(255) NULL
HostIpAddress: varchar(47) NULL
ConseqName: varchar(20) NULL
HostDNSName: NVARCHAR(254) NULL
DisplayName: varchar(100) NOT NULL ConseqBriefDesc: nvarchar(255) NULL
HostNBName: NVARCHAR(16) NULL
QualifiedColName: varchar(100) NULL ConseqDetailDesc: ntext NULL
HostNBDomain: nvarchar(16) NULL
TableName: varchar(100) NULL Obsolete: bit NOT NULL
HostOSName: nvarchar(64) NULL
ColName: varchar(100) NULL ReplacedBy: int NULL
HostOSVersion: nvarchar(32) NULL
PK_ColName: varchar(100) NULL VulnStatus: bit NOT NULL
HostOSRevisionLevel: varchar(32) NULL
HostOwner: nvarchar(50) NULL FK_ColName: varchar(100) NULL
DateHostAdded: datetime NOT NULL FK_TableName: varchar(100) NULL
GUID: varchar(36) NULL ColType: char(1) NULL
HostIPNbr: numeric(10) NOT NULL (IE1.1) JoinType: varchar(15) NULL
MacAddress: char(17) NULL FilterColName: varchar(100) NULL
DateHostUpdated: datetime NOT NULL (IE1.2)
ObservancesPurge
OSGroupID: int NULL (FK)
ISScanDate: datetime NULL (IE2.1) Observances ObservanceID: bigint NOT NULL
StatNameID: int NULL (IE2.2) ObservanceID: bigint NOT NULL
ObservanceTime: datetime NOT NULL (IE10.1,IE8.1,IE9.1)
SensorHost SecChkID: int NULL (FK) (IE9.4)
ObservanceType SensorID: int NOT NULL (IE4.1,IE9.5)
SensorID: Component.ComponentID: int IDENTITY SourceID: int NOT NULL (IE10.3,IE6.1,IE9.3)
SensorHostID: Hosts.HostID: int IDENTITY ObservanceType: tinyint NOT NULL
TargetID: int NOT NULL (IE10.2,IE5.1,IE9.2) Object
SensorIPAddress: Hosts.HostIPNbr: numeric(10) NOT NULL ObservanceTypeDesc: nvarchar(30) NULL ObservanceCount: int NULL
SensorDNSName: Hosts.HostDNSName: NVARCHAR(254) NULL ObjectID: int IDENTITY
ObjectID: int NULL (FK) (IE9.6)
SensorOSName: Hosts.HostOSName: nvarchar(64) NULL SeverityID: tinyint NULL (FK) (IE9.7) ObjectType: tinyint NOT NULL (FK) (IE2.2)
SensorName: Component.SensorName: nvarchar(100) NULL ClearedCount: int NULL ObjectName: nvarchar(200) NOT NULL (IE1.1,IE2.1)
VulnStatus VulnStatus: tinyint NULL (FK) (IE9.9)
VulnStatus: tinyint NOT NULL ObservanceType: tinyint NULL (FK) (IE9.8)
LastModifiedAt: datetime NULL (IE11.1)
Component VulnStatusDesc: nvarchar(60) NULL
ComponentID: int IDENTITY SortID: int NOT NULL ObjectView
RoleID: int NULL (FK) (AK1.3) ObjectID: Object.ObjectID: int IDENTITY
LastPushedPolicyID: int NULL (FK) ObjectType: Object.ObjectType: tinyint NOT NULL
PropertyFileID: int NULL (FK) LastVulnStatus Severity ObjectName: Object.ObjectName: nvarchar(200) NOT NULL
HostID: int NULL (FK) (AK1.1) SeverityID: tinyint NOT NULL ObjectTypeDesc: ObjectType.ObjectTypeDesc: nvarchar(30) NOT NULL
Priority: numeric NOT NULL VulnStatusDesc: VulnStatus.VulnStatusDesc: nvarchar(60) NULL
VulnStatus: VulnStatus.VulnStatus: tinyint NOT NULL SeverityDesc: nvarchar(10) NULL
Status: numeric NOT NULL
LastModifiedBy: nvarchar(60) NULL
LastModifiedAt: datetime NULL
Deleted: numeric NOT NULL
EventSourcePort: int NULL ObjectType
EventPort: int NULL ObjectType: tinyint NOT NULL
Version: varchar(20) NULL
ObjectTypeDesc: nvarchar(30) NOT NULL
SensorName: nvarchar(100) NULL (AK1.2)
Policy: nvarchar(434) NULL

Master: varchar(30) NULL


AvailableXPU: varchar(40) NULL
SiteFilterRules
LastInstalledXPU: varchar(40) NULL
LoggingLevel: tinyint NULL SiteFilterRuleID: int IDENTITY SiteFilterType
SiteFilterID: int NOT NULL (FK) SiteFilters
LicenseState: smallint NULL SiteFilterTypeID: int NOT NULL
SiteFilterID: int IDENTITY
XPUState: smallint NULL SiteFilterStartDate: datetime NULL SiteFilterType: char(2) NOT NULL (AK1.1)
StateDescription: nvarchar(500) NULL SiteFilterEndDate: datetime NULL SiteFilterTypeID: int NULL (FK) SiteFilterName: nvarchar(80) NOT NULL
UnexpectedConfigChange: tinyint NULL BeginSrcAddressInt: numeric(10,0) NULL (IE1.1) SiteFilterName: nvarchar(60) NULL
ModifiedBySensorController: tinyint NOT NULL EndSrcAddressInt: numeric(10,0) NULL (IE2.1) SiteFilterDesc: ntext NULL
DaemonPort: int NULL BeginDestAddressInt: numeric(10,0) NULL (IE3.1) FusionIgnoreFlag: bit NOT NULL
EventLogOption: tinyint NULL EndDestAddressInt: numeric(10,0) NULL (IE4.1) Deleted: tinyint NULL
SiteID: int NULL (FK) TagNameIn: varchar(900) NULL (IE5.1) CreatedBy: varchar(60) NULL
LastPushedResponseID: int NULL (FK) TagNameLike: varchar(60) NULL (IE6.1) DateModified: datetime NULL
XPUDate: datetime NULL TargetObjectNameLike: varchar(200) NULL (IE7.1)
Response: nvarchar(434) NULL VulnStatusIn: varchar(900) NULL (IE8.1)
PolicyGroupID: int NULL (FK) TargetObjectType: tinyint NULL (FK)
LastHeartBeat: datetime NULL
GUID: varchar(36) NULL (IE1.1)
LicenseID: int NULL (FK)
PolicyChangedFlag: tinyint NOT NULL
FCPEventPort: int NULL ObservanceSiteFiltersView
FCPEventSourcePort: int NULL
ObservanceSiteFilters ObservanceID: ObservanceSiteFilters.ObservanceID: bigint NOT NULL
ECStatus: tinyint NULL
ECStateDescription: nvarchar(500) NULL ObservanceID: bigint NOT NULL (IE1.1) SiteFilterID: ObservanceSiteFilters.SiteFilterID: int NOT NULL
OptionFlags: int NULL SiteFilterRuleID: int NOT NULL (FK) SiteFilterType: SiteFilterType.SiteFilterType: char(2) NOT NULL
EventCollectorID: int NULL (FK) SiteFilterID: int NOT NULL (FK) SiteFilterName: SiteFilters.SiteFilterName: nvarchar(60) NULL
SiteFilterDesc: <convert(varchar(4000...>
CreatedBy: SiteFilters.CreatedBy: varchar(60) NULL
X-Force Schema

The following diagram displays the X-Force schema:

SecurityChecks
SourceHost SecChkID: int NOT NULL
TargetHost
SourceID: <Hosts.HostID> TagName: varchar(60) NOT NULL (AK1.1)
TargetID: <Hosts.HostID> SourceIpAddress: <Hosts.HostIpNbr> ChkName: varchar(40) NOT NULL
TargetIpAddress: <Hosts.HostIpNbr> SourceDNSName: <Hosts.HostDNSName> ChkBriefDesc: NVARCHAR(255) NULL
TargetDNSName: <Hosts.HostDNSName> SourceOSName: <Hosts.HostOSName> ChkDetailDesc: ntext NULL
TargetOSName: <Hosts.HostOSName> ChkDateReported: datetime NULL
ChkDateEntered: datetime NULL
Hosts ChkDateChanged: datetime NULL
HostID: int IDENTITY ItemAffected: nvarchar(255) NULL
ObservanceColumn Discoverer: nvarchar(255) NULL
HostIpAddress: varchar(47) NULL
ConseqName: varchar(20) NULL
HostDNSName: NVARCHAR(254) NULL
DisplayName: varchar(100) NOT NULL ConseqBriefDesc: nvarchar(255) NULL
HostNBName: NVARCHAR(16) NULL
QualifiedColName: varchar(100) NULL ConseqDetailDesc: ntext NULL
HostNBDomain: nvarchar(16) NULL
TableName: varchar(100) NULL Obsolete: bit NOT NULL
HostOSName: nvarchar(64) NULL
ColName: varchar(100) NULL ReplacedBy: int NULL
HostOSVersion: nvarchar(32) NULL
PK_ColName: varchar(100) NULL VulnStatus: bit NOT NULL
HostOSRevisionLevel: varchar(32) NULL
HostOwner: nvarchar(50) NULL FK_ColName: varchar(100) NULL
DateHostAdded: datetime NOT NULL FK_TableName: varchar(100) NULL
GUID: varchar(36) NULL ColType: char(1) NULL
HostIPNbr: numeric(10) NOT NULL (IE1.1) JoinType: varchar(15) NULL
MacAddress: char(17) NULL FilterColName: varchar(100) NULL
DateHostUpdated: datetime NOT NULL (IE1.2)
ObservancesPurge
OSGroupID: int NULL (FK)
ISScanDate: datetime NULL (IE2.1) Observances ObservanceID: bigint NOT NULL
StatNameID: int NULL (IE2.2) ObservanceID: bigint NOT NULL
ObservanceTime: datetime NOT NULL (IE10.1,IE8.1,IE9.1)
SensorHost SecChkID: int NULL (FK) (IE9.4)
ObservanceType SensorID: int NOT NULL (IE4.1,IE9.5)
SensorID: Component.ComponentID: int IDENTITY SourceID: int NOT NULL (IE10.3,IE6.1,IE9.3)
SensorHostID: Hosts.HostID: int IDENTITY ObservanceType: tinyint NOT NULL
TargetID: int NOT NULL (IE10.2,IE5.1,IE9.2) Object
SensorIPAddress: Hosts.HostIPNbr: numeric(10) NOT NULL ObservanceTypeDesc: nvarchar(30) NULL ObservanceCount: int NULL
SensorDNSName: Hosts.HostDNSName: NVARCHAR(254) NULL ObjectID: int IDENTITY
ObjectID: int NULL (FK) (IE9.6)
SensorOSName: Hosts.HostOSName: nvarchar(64) NULL SeverityID: tinyint NULL (FK) (IE9.7) ObjectType: tinyint NOT NULL (FK) (IE2.2)
SensorName: Component.SensorName: nvarchar(100) NULL ClearedCount: int NULL ObjectName: nvarchar(200) NOT NULL (IE1.1,IE2.1)
VulnStatus VulnStatus: tinyint NULL (FK) (IE9.9)
VulnStatus: tinyint NOT NULL ObservanceType: tinyint NULL (FK) (IE9.8)
LastModifiedAt: datetime NULL (IE11.1)
Component VulnStatusDesc: nvarchar(60) NULL
ComponentID: int IDENTITY SortID: int NOT NULL ObjectView
RoleID: int NULL (FK) (AK1.3) ObjectID: Object.ObjectID: int IDENTITY
LastPushedPolicyID: int NULL (FK) ObjectType: Object.ObjectType: tinyint NOT NULL
PropertyFileID: int NULL (FK) LastVulnStatus Severity ObjectName: Object.ObjectName: nvarchar(200) NOT NULL
HostID: int NULL (FK) (AK1.1) SeverityID: tinyint NOT NULL ObjectTypeDesc: ObjectType.ObjectTypeDesc: nvarchar(30) NOT NULL
Priority: numeric NOT NULL VulnStatusDesc: VulnStatus.VulnStatusDesc: nvarchar(60) NULL
VulnStatus: VulnStatus.VulnStatus: tinyint NOT NULL SeverityDesc: nvarchar(10) NULL
Status: numeric NOT NULL
LastModifiedBy: nvarchar(60) NULL
LastModifiedAt: datetime NULL

Deleted: numeric NOT NULL


EventSourcePort: int NULL ObjectType
EventPort: int NULL ObjectType: tinyint NOT NULL
Version: varchar(20) NULL
ObjectTypeDesc: nvarchar(30) NOT NULL
SensorName: nvarchar(100) NULL (AK1.2)
Policy: nvarchar(434) NULL
Master: varchar(30) NULL
AvailableXPU: varchar(40) NULL
SiteFilterRules
LastInstalledXPU: varchar(40) NULL
LoggingLevel: tinyint NULL SiteFilterRuleID: int IDENTITY SiteFilterType
SiteFilterID: int NOT NULL (FK) SiteFilters
LicenseState: smallint NULL SiteFilterTypeID: int NOT NULL
SiteFilterID: int IDENTITY
XPUState: smallint NULL SiteFilterStartDate: datetime NULL SiteFilterType: char(2) NOT NULL (AK1.1)
StateDescription: nvarchar(500) NULL SiteFilterEndDate: datetime NULL SiteFilterTypeID: int NULL (FK) SiteFilterName: nvarchar(80) NOT NULL
UnexpectedConfigChange: tinyint NULL BeginSrcAddressInt: numeric(10,0) NULL (IE1.1) SiteFilterName: nvarchar(60) NULL
ModifiedBySensorController: tinyint NOT NULL EndSrcAddressInt: numeric(10,0) NULL (IE2.1) SiteFilterDesc: ntext NULL
DaemonPort: int NULL BeginDestAddressInt: numeric(10,0) NULL (IE3.1) FusionIgnoreFlag: bit NOT NULL
EventLogOption: tinyint NULL EndDestAddressInt: numeric(10,0) NULL (IE4.1) Deleted: tinyint NULL
SiteID: int NULL (FK) TagNameIn: varchar(900) NULL (IE5.1) CreatedBy: varchar(60) NULL
LastPushedResponseID: int NULL (FK) TagNameLike: varchar(60) NULL (IE6.1) DateModified: datetime NULL
XPUDate: datetime NULL TargetObjectNameLike: varchar(200) NULL (IE7.1)
Response: nvarchar(434) NULL VulnStatusIn: varchar(900) NULL (IE8.1)
PolicyGroupID: int NULL (FK) TargetObjectType: tinyint NULL (FK)
LastHeartBeat: datetime NULL
GUID: varchar(36) NULL (IE1.1)
LicenseID: int NULL (FK)
PolicyChangedFlag: tinyint NOT NULL
FCPEventPort: int NULL ObservanceSiteFiltersView
FCPEventSourcePort: int NULL
ObservanceSiteFilters ObservanceID: ObservanceSiteFilters.ObservanceID: bigint NOT NULL
ECStatus: tinyint NULL
ECStateDescription: nvarchar(500) NULL ObservanceID: bigint NOT NULL (IE1.1) SiteFilterID: ObservanceSiteFilters.SiteFilterID: int NOT NULL
OptionFlags: int NULL SiteFilterRuleID: int NOT NULL (FK) SiteFilterType: SiteFilterType.SiteFilterType: char(2) NOT NULL
EventCollectorID: int NULL (FK) SiteFilterID: int NOT NULL (FK) SiteFilterName: SiteFilters.SiteFilterName: nvarchar(60) NULL
SiteFilterDesc: <convert(varchar(4000...>
CreatedBy: SiteFilters.CreatedBy: varchar(60) NULL

Chapter 4: Database Schema

Metrics Schema

The following diagram displays the Metrics schema:

Severity
SeverityID: tinyint NOT NULL
SeverityDesc: nvarchar(10) NULL

HostCounts
CountDate: datetime NOT NULL
GroupID: int NOT NULL (FK)
HostCount: int NOT NULL

MetricsType
MetricsTypeID: int NOT NULL
Descr: nvarchar(30) NULL

Metrics
GroupID: int NOT NULL (FK)
SeverityID: tinyint NOT NULL (FK)
MetricsTypeID: int NOT NULL (FK)
DayID: int NOT NULL (FK)
VulnStatus: tinyint NOT NULL (FK)
SecChkID: int NULL
Counts: int NOT NULL

Groups
GroupID: int IDENTITY (AK1.2)
GroupName: nvarchar(64) NOT NULL
GroupDesc: nvarchar(255) NULL
RoleID: int NULL (FK)
GroupViewID: int NULL (FK)
Deleted: tinyint NULL
SiteID: int NULL (FK)
GroupTypeID: int NULL (FK)
SPGroupID: int NULL
ParentGroupID: int NULL (FK) (AK1.1)
RuleID: int NULL (FK)

MetricsDay
DayID: int NOT NULL
CurrentDate: datetime NOT NULL (AK1.1)
DayNbr: smallint NOT NULL
DayOfWeek: nvarchar(20) NOT NULL
Month: smallint NOT NULL
Quarter: smallint NOT NULL
Year: smallint NOT NULL
WeekEndFlag: smallint NOT NULL

RejectMetrics
SiteID: int NULL
SPGroupID: int NOT NULL
SecChkID: int NOT NULL
SeverityID: int NOT NULL
MetricsTypeID: int NOT NULL
MetricsDay: datetime NOT NULL
VulnStatus: int NOT NULL
Counts: int NOT NULL

VulnStatus
VulnStatus: tinyint NOT NULL
VulnStatusDesc: nvarchar(60) NULL
SortID: int NOT NULL
ITSRO Schema

The following diagram displays the ITSRO schema:

CheckProducts
CheckProductID: int NOT NULL
SecChkID: int NOT NULL (FK)
ProdVerID: int NOT NULL (FK)
Comment: varchar(4000) NULL
FalseNegative: ntext NULL
FalsePositive: ntext NULL
ProductCheckName: varchar(120) NULL
AlgorithmID: int NULL (FK)

Algorithm
AlgorithmID: int NOT NULL
AlgorithmNum: int NOT NULL
NameSpace: char(10) NULL

AlgorithmRating
AlgorithmID: int NOT NULL (FK)
RatingID: int NOT NULL (FK)

Rating
RatingID: int NOT NULL

RatingSet
RatingID: int NOT NULL (FK)
RatingAttributeID: int NOT NULL (FK)
RatingOrder: int NOT NULL

RatingAttribute
RatingAttributeID: int NOT NULL
RatingAttributeCodeID: int NOT NULL (FK)
AttributeValue: varchar(80) NULL

RatingAttributeCode
RatingAttributeCodeID: int NOT NULL
AttributeName: nvarchar(80) NOT NULL


Statistics Schema

StatAttribute
LicContactInfo
StatAttributeID: int NOT NULL
LicContactInfoGUID: nvarchar(40) NOT NULL
DataType: varchar(20) NOT NULL
Name: nvarchar(200) NOT NULL SubjectName: nvarchar(255) NOT NULL
Title: nvarchar(100) NULL
CompanyName: nvarchar(255) NULL
StatCatAtt Address1: nvarchar(255) NULL
StatAttributeID: int NOT NULL (FK) Address2: nvarchar(255) NULL
StatCategoryID: int NOT NULL (FK) City: nvarchar(100) NULL
State: nvarchar(50) NULL
PostCode: nvarchar(40) NULL
Country: nvarchar(60) NULL
Email: nvarchar(255) NULL
AdditionalInfo: nvarchar(255) NULL
StatCategory
StatCategoryID: int NOT NULL
LicConsqMessage
Name: nvarchar(200) NOT NULL

StatNameID: int NOT NULL


Phase: int NOT NULL
Mode: char(10) NOT NULL License
Message: ntext NULL
LicenseID: int IDENTITY
Name: nvarchar(50) NULL
The following diagram displays the Statistics schema:

BinaryDataID: int NULL (FK)


Statistic Features: nvarchar(50) NULL
StatName FeatureDescription: nvarchar(100) NULL
StatCategoryID: int NOT NULL (FK)
StatNameID: int NOT NULL DeviceCount: int NULL
StatNameID: int NOT NULL (FK)
LMName: nvarchar(200) NOT NULL MaintenanceDate: varchar(40) NULL
StatAttributeID: int NOT NULL (FK)
DisplayName: nvarchar(200) NOT NULL ExpireDate: varchar(40) NULL
DateUpdated: datetime NULL State: tinyint NULL
Value: nvarchar(2000) NULL StateDescription: varchar(512) NULL
SiteID: int NULL LicenseType: tinyint NOT NULL
KeyString: varchar(50) NULL
StatNameID: int NULL (FK)
LicContactInfoGUID: nvarchar(40) NULL (FK)
LicGUID: nvarchar(40) NULL
Description: nvarchar(100) NULL
NewLicenseID: int NULL (FK)

SensorData
SensorDataResponse
SensorDataID: bigint NOT NULL
SensorDataUpdates
AlertDataID: int NOT NULL
SensorDataID: bigint NOT NULL (FK)
AlertFormatVersion: int NULL wrk_SensorData
SensorDataID: bigint NOT NULL (FK) ResponseTypeName: varchar(32) NULL
AlertNameType: int NULL
AlertUpdateName: nvarchar(50) NULL ResponseName: nvarchar(32) NULL
AlertName: nvarchar(60) NULL
AlertUpdateOrder: int NULL Status: tinyint NULL
AlertDateTime: datetime NULL (IE8.2) SensorDataID: bigint NOT NULL
Sensor Data Schema

AlertUpdateDataType: varchar(30) NULL LocalTimezoneOffset: int NULL SecChkID: int NULL


AlertUpdateValue: nvarchar(2000) NULL AlertTimePrecision: int NULL AlertName: nvarchar(60) NULL
AlertUpdateBlob: TEXT NULL AlertTimeSeqID: int NULL AlertNameType: int NULL
AlertUpdateSection: int NULL AlertID: char(26) NULL AlertTypeID: int NULL
AlertCategory
SensorAddress: varchar(60) NULL ProductID: int NULL
SensorName: nvarchar(100) NULL AlertCategoryID: int NOT NULL AlertDateTime: datetime NULL
ProductID: int NULL AlertCategoryName: varchar(20) NULL AlertPriority: int NULL
AlertTypeID: int NULL Description: varchar(80) NULL SrcAddressName: varchar(60) NULL
AlertPriority: int NULL SrcAddressInt: numeric(10) NULL
AlertFlags: int NULL DestAddressName: varchar(60) NULL
SensorAddressInt: numeric(10) NULL DestAddressInt: numeric(10) NULL
SrcAddressName: VARCHAR(60) NULL SensorAddress: varchar(100) NULL
SensorDataAVP SrcAddressInt: numeric(10) NULL SensorName: nvarchar(100) NULL
DestAddressName: VARCHAR(60) NULL SensorAddressInt: numeric(10) NULL
DestAddressInt: numeric(10) NULL AlertType ProcessingFlag: int NULL
SensorDataID: bigint NOT NULL (FK) ProtocolID: int NULL AlertTypeID: int NOT NULL ObjectID: int NULL
AttributeName: nvarchar(50) NULL SourcePort: int NULL SourcePort: int NULL
AttributeOrder: int NULL AlertTypeName: varchar(30) NULL
ObjectName: nvarchar(2000) NULL DestPortName: nvarchar(60) NULL
AttributeDataType: varchar(30) NULL ObservanceType: tinyint NULL
ObjectType: tinyint NULL HostDNSName: nvarchar(254) NULL
AttributeValue: nvarchar(2000) NULL AlertCategoryID: int NULL (FK)
SourcePortName: nvarchar(60) NULL HostNBDomain: nvarchar(255) NULL
AttributeBlob: TEXT NULL Description: varchar(80) NULL
DestPortName: nvarchar(60) NULL HostNBName: nvarchar(20) NULL
AttributeSection: int NULL AttackSuccessful: tinyint NULL HostOSName: nvarchar(64) NULL
AttackFragmented: tinyint NULL HostOSVersion: nvarchar(32) NULL
AttackOrigin: nvarchar(60) NULL HostGUID: varchar(36) NULL
ResourceID: int NULL SrcHostID: int NULL
ResourceSubID: varchar(60) NULL DstHostID: int NULL
Application: nvarchar(60) NULL AlertTypeView ComponentID: int NULL
SensorDataPurge UserName: nvarchar(60) NULL Cleared: char(1) NULL
ProcessingFlag: int NULL (IE7.1) AlertTypeID: AlertType.AlertTypeID: int NOT NULL VulnStatus: tinyint NULL
SensorDataID: bigint NOT NULL ObservanceType: AlertType.ObservanceType: tinyint NULL
Cleared: char(1) NULL (IE8.3) RejectReason: varchar(200) NULL
HostGUID: varchar(36) NULL ObservanceTypeDesc: ObservanceType.ObservanceTypeDesc: nvarchar(30) NU AlertCount: int NULL
StartTime: datetime NULL ObjectType: tinyint NULL
StopTime: datetime NULL ObjectName: nvarchar(200) NULL
HostDNSName: nvarchar(254) NULL AlertFlags: int NULL
HostNBName: nvarchar(20) NULL ObservanceID: bigint NULL
HostNBDomain: nvarchar(255) NULL OSGroupID: int NULL
HostOSName: nvarchar(64) NULL SensorGUID: varchar(36) NULL
The following diagram displays the Sensor Data schema:

HostOSVersion: nvarchar(32) NULL LicModule: varchar(100) NULL


HostOSRevisionLevel: varchar(32) NULL stg_SensorData
ConsolidatedAlerts
VulnStatus: tinyint NULL
AlertCount: int NOT NULL SensorDataID: bigint IDENTITY
SensorDataID: bigint NULL ObservanceID: bigint NULL (IE8.1) AlertDataID: int NULL
AlertID: nvarchar(2000) NULL OSGroupID: int NULL WorkingSetNbr: tinyint NULL
ComponentID: int NULL
SensorGUID: varchar(36) NULL
LicModule: varchar(100) NULL


Site Filters Schema

The following diagram displays the Site Filters schema:

SiteFilters
SiteFilterID: int
SiteFilterTypeID: int (FK)
SiteFilterName: nvarchar(60)
SiteFilterDesc: ntext
FusionIgnoreFlag: bit
Deleted: tinyint
CreatedBy: varchar(60)
DateModified: datetime

SiteFilterType
SiteFilterTypeID: int
SiteFilterType: char(2)
SiteFilterName: nvarchar(80)

SiteFilterRules
SiteFilterRuleID: int
SiteFilterID: int (FK)
SiteFilterStartDate: datetime
SiteFilterEndDate: datetime
BeginSrcAddressInt: numeric(10,0)
EndSrcAddressInt: numeric(10,0)
BeginDestAddressInt: numeric(10,0)
EndDestAddressInt: numeric(10,0)
TagNameIn: varchar(900)
TagNameLike: varchar(60)
TargetObjectNameLike: varchar(200)
VulnStatusIn: varchar(900)
TargetObjectType: tinyint (FK)

Observances
ObservanceID: bigint
ObservanceTime: datetime
SecChkID: int (FK)
SensorID: int
SourceID: int
TargetID: int
ObservanceCount: int
ObjectID: int (FK)
SeverityID: tinyint (FK)
ClearedCount: int
VulnStatus: tinyint (FK)
ObservanceType: tinyint (FK)
LastModifiedAt: datetime

ObservanceSiteFilters
ObservanceID: bigint
SiteFilterRuleID: int (FK)
SiteFilterID: int (FK)

Object
ObjectID: int
ObjectType: tinyint (FK)
ObjectName: nvarchar(200)

ObjectType
ObjectType: tinyint
ObjectTypeDesc: nvarchar(30)

ObservanceSiteFiltersView
ObservanceID: ObservanceSiteFilters.ObservanceID: bigint NOT NULL
SiteFilterID: ObservanceSiteFilters.SiteFilterID: int NOT NULL
SiteFilterType: SiteFilterType.SiteFilterType: char(2) NOT NULL
SiteFilterName: SiteFilters.SiteFilterName: nvarchar(60) NULL
SiteFilterDesc: <convert(varchar(4000...>
CreatedBy: SiteFilters.CreatedBy: varchar(60) NULL

SiteFilterView
SiteFilterID: SiteFilters.SiteFilterID: int IDENTITY
SiteFilterRuleID: SiteFilterRules.SiteFilterRuleID: int IDENTITY
SiteFilterTypeID: SiteFilters.SiteFilterTypeID: int NULL
SiteFilterType: SiteFilterType.SiteFilterType: char(2) NOT NULL
SiteFilterName: SiteFilters.SiteFilterName: nvarchar(60) NULL
SiteFilterStartDate: SiteFilterRules.SiteFilterStartDate: datetime NULL
SiteFilterEndDate: SiteFilterRules.SiteFilterEndDate: datetime NULL
BeginSrcAddressInt: SiteFilterRules.BeginSrcAddressInt: numeric(10,0) NULL
EndSrcAddressInt: SiteFilterRules.EndSrcAddressInt: numeric(10,0) NULL
BeginDestAddressInt: SiteFilterRules.BeginDestAddressInt: numeric(10,0) NULL
EndDestAddressInt: SiteFilterRules.EndDestAddressInt: numeric(10,0) NULL
TagNameIn: SiteFilterRules.TagNameIn: varchar(900) NULL
TagNameLike: SiteFilterRules.TagNameLike: varchar(60) NULL
TargetObjectNameLike: SiteFilterRules.TargetObjectNameLike: varchar(200) NULL
VulnStatusIn: SiteFilterRules.VulnStatusIn: varchar(900) NULL
TargetObjectType: SiteFilterRules.TargetObjectType: tinyint NULL
Staging Schema

SensorDataRejected wrk_SensorData
stg_AlertData SDAVPRejected
stg_AlertAVP SensorDataID: bigint NOT NULL
AlertDataID: bigint NOT NULL (IE1.1)
AlertFormatVersion: int NULL SecChkID: int NULL
AlertDataID: int NOT NULL AlertDataID: bigint NOT NULL (IE1.1)
AlertNameType: int NULL AlertDataID: int NOT NULL AlertName: nvarchar(60) NULL
AlertFormatVersion: int NULL AlertID: varchar(26) NULL
AlertName: nvarchar(60) NULL AttributeName: nvarchar(50) NULL AlertNameType: int NULL
AlertNameType: int NULL AttributeName: nvarchar(50) NULL
AlertDateTime: datetime NULL AttributeOrder: int NULL AlertTypeID: int NULL
AlertName: nvarchar(60) NULL AttributeOrder: int NULL
LocalTimezoneOffset: int NULL AttributeDataType: varchar(30) NULL ProductID: int NULL
AlertDateTime: datetime NULL AttributeDataType: varchar(30) NULL
AlertTimePrecision: int NULL AttributeValue: nvarchar(2000) NULL AlertDateTime: datetime NULL
LocalTimezoneOffset: int NULL AttributeValue: nvarchar(2000) NULL
AlertTimeSeqID: int NULL AttributeBlob: TEXT NULL AlertPriority: int NULL
AlertTimePrecision: int NULL AttributeBlob: TEXT NULL
AlertID: varchar(26) NULL AttributeSection: int NULL SrcAddressName: varchar(60) NULL
AlertTimeSeqID: int NULL AttributeSection: int NULL
SensorAddress: varchar(60) NULL SrcAddressInt: numeric(10) NULL
AlertID: char(26) NULL
SensorName: nvarchar(100) NULL DestAddressName: varchar(60) NULL
SensorAddress: varchar(60) NULL
ProductID: int NULL DestAddressInt: numeric(10) NULL
SensorName: nvarchar(100) NULL stg_AlertUpdates SDUpdatesRejected
AlertTypeID: int NULL SensorAddress: varchar(100) NULL
ProductID: int NULL
AlertPriority: int NULL SensorName: nvarchar(100) NULL
AlertTypeID: int NULL
AlertFlags: int NULL AlertDataID: int NOT NULL AlertDataID: bigint NOT NULL (IE1.1) SensorAddressInt: numeric(10) NULL
AlertPriority: int NULL
ProtocolID: int NULL AlertUpdateName: nvarchar(50) NULL AlertID: varchar(26) NULL ProcessingFlag: int NULL
AlertFlags: int NULL
SourcePort: int NULL AlertUpdateOrder: int NULL AlertUpdateName: nvarchar(50) NULL ObjectID: int NULL
ProtocolID: int NULL
SourcePortName: nvarchar(60) NULL AlertUpdateDataType: varchar(30) NULL AlertUpdateOrder: int NULL SourcePort: int NULL
SourcePort: int NULL
DestPortName: nvarchar(60) NULL AlertUpdateValue: nvarchar(2000) NULL AlertUpdateDataType: varchar(30) NULL DestPortName: nvarchar(60) NULL
ObjectName: nvarchar(2000) NULL
SrcAddressName: varchar(60) NULL AlertUpdateBlob: text NULL AlertUpdateValue: nvarchar(2000) NULL HostDNSName: nvarchar(254) NULL
SourcePortName: nvarchar(60) NULL
SrcAddressInt: numeric(10) NULL AlertUpdateSection: int NULL AlertUpdateBlob: text NULL HostNBDomain: nvarchar(255) NULL
DestPortName: nvarchar(60) NULL
DestAddressName: varchar(60) NULL AlertUpdateSection: int NULL HostNBName: nvarchar(20) NULL
SrcAddressName: varchar(60) NULL
DestAddressInt: numeric(10) NULL HostOSName: nvarchar(64) NULL
SrcAddressInt: numeric(10) NULL
SensorAddressInt: numeric(10) NULL HostOSVersion: nvarchar(32) NULL
DestAddressName: varchar(60) NULL stg_AlertResponse
AttackSuccessful: tinyint NULL HostGUID: varchar(36) NULL
DestAddressInt: numeric(10) NULL SDResponseRejected
AttackFragmented: tinyint NULL SrcHostID: int NULL
SensorAddressInt: numeric(10) NULL
AttackOrigin: nvarchar(60) NULL AlertDataID: int NOT NULL DstHostID: int NULL
AttackSuccessful: tinyint NULL
ResourceID: int NULL ResponseTypeName: varchar(32) NULL AlertDataID: bigint NOT NULL (IE1.1) ComponentID: int NULL
AttackFragmented: tinyint NULL
ResourceSubID: varchar(60) NULL ResponseName: nvarchar(32) NULL AlertID: varchar(26) NULL Cleared: char(1) NULL
AttackOrigin: nvarchar(60) NULL
Application: nvarchar(60) NULL Status: tinyint NULL ResponseTypeName: varchar(32) NULL VulnStatus: tinyint NULL
ResourceID: int NULL
UserName: nvarchar(60) NULL ResponseName: nvarchar(32) NULL RejectReason: varchar(200) NULL
ResourceSubID: varchar(60) NULL
HostGUID: varchar(36) NULL Status: tinyint NULL AlertCount: int NULL
Application: nvarchar(60) NULL RejectMetrics
The following table displays the Staging schema:

StartTime: datetime NULL ObjectType: tinyint NULL


UserName: nvarchar(60) NULL
StopTime: datetime NULL ObjectName: nvarchar(200) NULL
HostGUID: varchar(36) NULL
HostDNSName: nvarchar(254) NULL SiteID: int NULL AlertFlags: int NULL
StartTime: datetime NULL
HostNBName: nvarchar(20) NULL SPGroupID: int NOT NULL wrk_Observances ObservanceID: bigint NULL
StopTime: datetime NULL
HostNBDomain: nvarchar(255) NULL SecChkID: int NOT NULL OSGroupID: int NULL
HostDNSName: nvarchar(254) NULL
HostOSName: nvarchar(64) NULL SeverityID: int NOT NULL SensorGUID: varchar(36) NULL
HostNBName: nvarchar(20) NULL ObsID: bigint NULL
HostOSVersion: nvarchar(32) NULL MetricsTypeID: int NOT NULL LicModule: varchar(100) NULL
HostNBDomain: nvarchar(255) NULL ObsTime: datetime NULL
HostOSRevisionLevel: varchar(32) NULL MetricsDay: datetime NOT NULL
HostOSName: nvarchar(64) NULL ObsType: tinyint NULL
VulnStatus: tinyint NULL VulnStatus: int NOT NULL
HostOSVersion: nvarchar(32) NULL ObsSecChkID: int NULL
ProcessingFlag: smallint NULL Counts: int NOT NULL StgWorkingSet
HostOSRevisionLevel: varchar(32) NULL ObsSeverityID: tinyint NULL
SensorDataID: bigint NULL
VulnStatus: tinyint NULL ObsSensorID: int NULL SetID: smallint NOT NULL
Cleared: char(1) NULL
ProcessingFlag: smallint NULL ObsSourceID: int NULL
RejectReason: varchar(200) NULL StageObservances EC_Host: varchar(60) NULL
SensorDataID: int NULL ObsTargetID: int NULL
AlertCount: int NULL EC_GUID: varchar(60) NULL
Cleared: char(1) NULL ObsObjectID: int NULL
ObjectType: tinyint NULL LastCount: int NULL
AlertCount: int NULL ObsVulnStatus: tinyint NULL
ObjectName: nvarchar(2000) NULL SiteID: int NULL RowsToLoad: int NULL
ObjectType: tinyint NULL Action: char(1) NULL
OSGroupID: int NULL RootGroupID: int NULL Utilization: int NULL
OSGroupID: int NULL ObsCount: int NULL
ComponentID: int NULL GroupID: int NULL
SensorGUID: varchar(36) NULL GroupName: nvarchar(40) NULL ObsClearedCount: int NULL
SecChkID: int NULL stg_SensorData
SeverityID: int NULL
ObservanceType: int NULL
SensorDataID: bigint IDENTITY
ObservanceTime: varchar(47) NULL
AlertDataID: int NULL
Counts: int NULL
WorkingSetNbr: tinyint NULL


Auditing Schema

ErrorMessage
AuditEventCMD DBComponent
ErrorNumber: int NOT NULL
AuditEventCMDID: int IDENTITY DBComponentID: smallint IDENTITY
SeverityID: smallint NULL (FK)
EventDesc: nvarchar(100) NULL Name: varchar(30) NULL
MessageText: nvarchar(300) NULL
State: tinyint NULL
StateDescription: varchar(100) NULL

DBSubComponent
DBSubComponentID: smallint IDENTITY
DBComponentID: smallint NULL (FK) ErrorSeverity
AuditTrail ProcName: varchar(30) NULL SeverityID: smallint NOT NULL
AuditTrailID: int IDENTITY State: tinyint NULL
StateDateTime: datetime NULL Name: nvarchar(20) NOT NULL
AuditEventCMDID: int NULL (FK) StateDescription: varchar(100) NULL Description: nvarchar(80) NULL
UserName: nvarchar(75) NULL ReportToCaller: tinyint NOT NULL
AuditTime: datetime NULL SQLSeverity: char(2) NULL
LoggingLevel: tinyint NULL
Version

AttributeName: nvarchar(40) NULL


AttributeValue: nvarchar(100) NULL

AuditInfo
AuditInfoID: int IDENTITY
VersionUpdates
AuditTrailID: int NULL (FK) MessageLog
ParamName: nvarchar(100) NULL MessageLogID: int IDENTITY
UpdateTag: char(40) NULL
The following diagram displays the Auditing schema:

ParamValue: nvarchar(500) NULL


UpdateType: tinyint NOT NULL WhenOccurred: datetime NOT NULL
ParamDataType: nvarchar(60) NULL
MajorVersion: int NOT NULL SeverityID: smallint NOT NULL (FK)
ParamDesignator: nvarchar(10) NULL
MinorVersion: int NOT NULL ErrorNumber: int NOT NULL
YearPointRelease: int NOT NULL Message: nvarchar(300) NULL
BuildNumber: int NOT NULL ProcedureName: nvarchar(60) NULL
UpdateCmdLine: varchar(255) NULL RelatesToErrorID: int NULL
UpdateFile: varchar(260) NULL
Deleted: tinyint NOT NULL

UpdateStatus UpdateStepStatus
UpdateStatusID: int IDENTITY UpdateOperationStatus UpdateStepStatusID: int IDENTITY
Name: varchar(100) NOT NULL UpdateOperationStatusID: int IDENTITY
StepNbr: int NULL
StartTime: datetime NOT NULL TargetName: varchar(100) NOT NULL TaskName: varchar(50) NULL
Status: varchar(30) NULL Status: varchar(30) NULL Description: varchar(1000) NULL
ActionJobID: int NULL UpdateStatusID: int NULL (FK) PctComplete: smallint NOT NULL
TotalSteps: int NULL Duration: smalldatetime NULL DBTime: datetime NOT NULL
PctComplete: smallint NULL ComponentTime: datetime NULL
Status: varchar(30) NULL
UpdateOperationStatusID: int NULL (FK)

Application Security Schema

The following diagram displays the Application Security schema:

Groups
GroupID: int IDENTITY (AK1.2)
GroupName: nvarchar(64) NOT NULL
GroupDesc: nvarchar(255) NULL
RoleID: int NULL (FK)
GroupViewID: int NULL (FK)
Deleted: tinyint NULL
SiteID: int NULL (FK)
GroupTypeID: int NULL (FK)
SPGroupID: int NULL
ParentGroupID: int NULL (FK) (AK1.1)
RuleID: int NULL (FK)

Sites
SiteID: int IDENTITY(2,1)
Name: nvarchar(60) NOT NULL
Descr: nvarchar(255) NULL
IpAddress: varchar(47) NOT NULL
Port: int NOT NULL
LastDataLoadAt: datetime NULL
Deleted: tinyint NULL

UsersGroups
UsersID: int NOT NULL (FK)
GroupID: int NOT NULL (FK)

UsersSites
UsersID: int NOT NULL (FK)
SiteID: int NOT NULL (FK)

Users
UsersID: int IDENTITY
Login: nvarchar(50) NOT NULL (AK1.1)
Domain: nvarchar(255) NOT NULL (AK1.2)
SID: varchar(50) NOT NULL (AK2.1)
LastLogin: datetime NULL
LastLoginFailure: datetime NULL
NTGroup: nvarchar(30) NOT NULL

Audit
ID: int IDENTITY
EntityID: int NOT NULL (IE1.1)
UserID: int NULL (FK)
EntityName: varchar(60) NULL (IE1.2)
Descr: varchar(255) NULL
Action: varchar(30) NULL
SourceIP: varchar(47) NULL
Time: datetime NULL


Complete Database Schema

The following diagram displays a high-level representation of the entire database schema:

Tables shown in the diagram:
DesktopAgentVersion, ObjectType, BinaryDataType, LicContactInfo, GroupsParentChild, ObjectView,
BinaryData, License, HostCounts, Users, GroupPolicy, PolicyVersion, Response, UsersGroups, Audit,
ObservanceType, Object, UsersSites, Severity, Policy, Sites, Role, GroupView, Observances,
LastVulnStatus, PlatformTypes, VulnStatus, Groups, UnGroupedStatus, ResponseVersion, CheckPlatforms,
GroupTypes, Platforms, UnGroupedHosts, Remedies, GroupHostLinks, Services, Metrics, SecurityChecks,
CheckServices, TagTranslation, UDSecurityChecks, Hosts, ActionDetails, MetricsDay, CheckCategories,
AlertTypeView, TargetHost, SourceHost, Protocols, ExternalReferences, GroupRule, MetricsType,
Component, Categories, GroupRuleType, SensorData, AlertType, CorrelationInfo, Schedule, ActionJob,
SensorHost, OSGroup, CategoryGroup, CheckProducts, AlertCategory, CheckOSGroup, Products,
ProductVersions, SensorDataResponse, SensorDataAVP, SensorDataUpdates, ConsolidatedAlerts,
ObservancesPurge, StatName, LicConsqMessage, SiteFilterRules, stg_AlertResponse, DBComponent,
ObservanceSiteFilters, wrk_SensorData, StatAttribute, SDResponseRejected, ObservanceColumn,
SiteFilterView, stg_SensorData, SDUpdatesRejected, stg_AlertUpdates, SiteRange, DBSubComponent,
StatCatAtt, StgWorkingSet, SensorDataRejected, stg_AlertAVP, SiteFilters, SiteFilterType, Tasks,
Statistic, StatCategory, wrk_Observances, SDAVPRejected, Version, stg_AlertData, StageObservances,
RejectMetrics, ObservanceSiteFiltersView, VersionUpdates, JobTypes, SensorDataPurge, UpdateStatus,
Algorithm, RatingAttribute, ErrorMessage, UpdateOperationStatus, AlgorithmRating, ErrorSeverity,
MessageLog, AuditEventCMD, AuditTrail, Rating, RatingSet, RatingAttributeCode, AuditInfo,
UpdateStepStatus
Internet Security Systems, Inc. Software License Agreement
THIS SOFTWARE IS LICENSED, NOT SOLD. BY INSTALLING THIS SOFTWARE, YOU AGREE TO ALL OF THE
PROVISIONS OF THIS SOFTWARE LICENSE AGREEMENT (“LICENSE”). IF YOU ARE NOT WILLING TO BE
BOUND BY THIS LICENSE, RETURN ALL COPIES OF THE SOFTWARE AND LICENSE KEYS TO ISS WITHIN FIFTEEN
(15) DAYS OF RECEIPT FOR A FULL REFUND OF ANY PAID LICENSE FEE. IF THE SOFTWARE WAS
OBTAINED BY DOWNLOAD, YOU MAY CERTIFY DESTRUCTION OF ALL COPIES AND LICENSE KEYS IN LIEU OF
RETURN.
1. License - Upon payment of the applicable fees, Internet Security Systems, Inc. (“ISS”) grants to you as the only end user (“Licensee”) a
nonexclusive and nontransferable, limited license for the accompanying ISS software product in machine-readable form and the related
documentation (“Software”) and the associated license key for use only on the specific network configuration, for the number and type of
devices, and for the time period (“Term”) that are specified in Licensee’s purchase order, as accepted and invoiced by ISS. ISS limits use
of Software based upon the number and type of devices upon which it may be installed, used, gather data from, or report on, depending
upon the specific Software licensed. A device includes any network addressable device connected to Licensee’s network, including
remotely, including but not limited to personal computers, workstations, servers, routers, hubs and printers. Licensee may reproduce,
install and use the Software on multiple devices, provided that the total number and type are authorized in Licensee’s purchase order, as
accepted by ISS. Licensee acknowledges that the license key provided by ISS may allow Licensee to reproduce, install and use the Software
on devices that could exceed the number of devices licensed hereunder. Licensee shall implement appropriate safeguards and
controls to prevent loss or disclosure of the license key and unauthorized or unlicensed use of the Software. Licensee may make a reasonable
number of backup copies of the Software and the associated license key solely for archival and disaster recovery purposes.
2. Evaluation License - If ISS is providing Licensee with the Software and related documentation on an evaluation trial basis at no cost, such license Term is 30
days from installation, unless a longer period is agreed to in writing by ISS. ISS recommends using Software for evaluation in a non-production, test environment.
The following terms of this Section 2 additionally apply and supersede any conflicting provisions herein. Licensee agrees to remove the Software from the
authorized platform and return the Software and documentation to ISS upon expiration of the evaluation Term unless otherwise agreed by the parties in writing.
ISS has no obligation to provide support, maintenance, upgrades, modifications, or new releases to the Software under evaluation. LICENSEE AGREES THAT
THIS SOFTWARE AND RELATED DOCUMENTATION ARE BEING DELIVERED “AS IS” WITHOUT WARRANTIES OF ANY KIND, INCLUDING WITHOUT
LIMITATION ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, TITLE OR NON-INFRINGEMENT.
IN NO EVENT WILL ISS BE LIABLE TO LICENSEE OR ANY OTHER PERSON FOR DAMAGES, DIRECT OR INDIRECT, OF ANY NATURE, OR
EXPENSES INCURRED BY LICENSEE IN CONNECTION WITH THE SOFTWARE LICENSED HEREUNDER. LICENSEE’S SOLE AND EXCLUSIVE REMEDY
SHALL BE TO TERMINATE THIS EVALUATION LICENSE BY WRITTEN NOTICE TO ISS.
3. Covenants - ISS reserves all intellectual property rights in the Software. Licensee agrees: (i) the Software is owned by ISS and/or its licensors, is a valuable
trade secret of ISS, and is protected by copyright laws and international treaty provisions; (ii) to take all reasonable precautions to protect the Software from
unauthorized access, disclosure, copying or use; (iii) not to modify, adapt, translate, reverse engineer, decompile, disassemble, or otherwise attempt to discover
the source code of the Software; (iv) not to use ISS trademarks; (v) to reproduce all of ISS’ and its licensors’ copyright notices on any copies of the Software;
and (vi) not to transfer, lease, assign, sublicense, or distribute the Software or make it available for timesharing, service bureau, managed services offering, or
on-line use.
4. Support and Maintenance - During the term for which Licensee has paid the applicable support and maintenance fees, ISS will provide software maintenance
and support services that it makes generally available under its then current Maintenance and Support Policy. Support and maintenance include telephone support
and electronic delivery to Licensee of error corrections and updates to the Software and documentation. The foregoing updates do not include new releases
or products that substantially increase functionality and are marketed separately by ISS to its customers in general.
5. Limited Warranty - The commencement date of this limited warranty is the date on which ISS furnishes to Licensee the license key for the Software. For a period
of ninety (90) days after the commencement date or for the Term (whichever is less), ISS warrants that the Licensed Software will conform to material opera-
tional specifications described in its then current documentation. However, this limited warranty shall not apply unless (i) the Software is installed, implemented,
and operated in accordance with all written instructions and documentation supplied by ISS, (ii) Licensee notifies ISS in writing of any nonconformity within the
warranty period, and (iii) Licensee has promptly and properly installed all corrections, new versions, and updates made available by ISS to Licensee. Further-
more, this limited warranty shall not apply to nonconformities arising from any of the following: (i) misuse of the Software, (ii) modification of the Software, (iii)
failure by Licensee to utilize compatible computer and networking hardware and software, or (iv) interaction with software or firmware not provided by ISS. If Lic-
ensee timely notifies ISS in writing of any such nonconformity, then ISS shall repair or replace the Software or, if ISS determines that repair or replacement is
impractical, ISS may terminate the applicable licenses and refund the applicable license fees, as the sole and exclusive remedies of Licensee for such nonconformity.
THIS WARRANTY GIVES LICENSEE SPECIFIC LEGAL RIGHTS, AND LICENSEE MAY ALSO HAVE OTHER RIGHTS THAT VARY FROM JURISDICTION
TO JURISDICTION. ISS DOES NOT WARRANT THAT THE SOFTWARE WILL MEET LICENSEE’S REQUIREMENTS, THAT THE OPERATION
OF THE SOFTWARE WILL BE UNINTERRUPTED OR ERROR-FREE, OR THAT ALL SOFTWARE ERRORS WILL BE CORRECTED. LICENSEE UNDERSTANDS
AND AGREES THAT LICENSED SOFTWARE IS NO GUARANTEE AGAINST INTRUSIONS, VIRUSES, TROJAN HORSES, WORMS, TIME
BOMBS, CANCELBOTS OR OTHER SIMILAR HARMFUL OR DELETERIOUS PROGRAMMING ROUTINES AFFECTING LICENSEE’S NETWORK, OR
THAT ALL SECURITY THREATS AND VULNERABILITIES WILL BE DETECTED OR THAT THE PERFORMANCE OF THE LICENSED SOFTWARE WILL
RENDER LICENSEE’S SYSTEMS INVULNERABLE TO SECURITY BREACHES. THE REMEDIES SET OUT IN THIS SECTION 5 ARE THE SOLE AND
EXCLUSIVE REMEDIES FOR BREACH OF THIS LIMITED WARRANTY.
6. Warranty Disclaimer - EXCEPT FOR THE LIMITED WARRANTY PROVIDED ABOVE, THE SOFTWARE IS PROVIDED “AS IS” AND ISS HEREBY DISCLAIMS
ALL WARRANTIES, BOTH EXPRESS AND IMPLIED, INCLUDING IMPLIED WARRANTIES RESPECTING MERCHANTABILITY, TITLE, NONINFRINGEMENT,
AND FITNESS FOR A PARTICULAR PURPOSE. SOME JURISDICTIONS DO NOT ALLOW DISCLAIMERS OF IMPLIED WARRANTIES,
SO THE ABOVE LIMITATION MAY NOT APPLY TO LICENSEE. LICENSEE EXPRESSLY ACKNOWLEDGES THAT NO REPRESENTATIONS OTHER
THAN THOSE CONTAINED IN THIS LICENSE HAVE BEEN MADE REGARDING THE GOODS OR SERVICES TO BE PROVIDED HEREUNDER, AND
THAT LICENSEE HAS NOT RELIED ON ANY REPRESENTATION NOT EXPRESSLY SET OUT IN THIS LICENSE.
7. Proprietary Rights - ISS represents and warrants that ISS has the authority to license the rights to the Software that are granted herein. ISS shall defend and
indemnify Licensee from any final award of costs and damages against Licensee for any actions based on infringement of any U.S. copyright, trade secret, or
patent as a result of the use or distribution of a current, unmodified version of the Software; but only if ISS is promptly notified in writing of any such suit or claim,
and only if Licensee permits ISS to defend, compromise, or settle same, and only if Licensee provides all available information and reasonable assistance. The
foregoing is the exclusive remedy of Licensee and states the entire liability of ISS with respect to claims of infringement or misappropriation relating to the Software.
8. Limitation of Liability - ISS’ ENTIRE LIABILITY FOR MONETARY DAMAGES ARISING OUT OF THIS LICENSE SHALL BE LIMITED TO THE AMOUNT OF
THE LICENSE FEES ACTUALLY PAID BY LICENSEE UNDER THIS LICENSE, PRORATED OVER A THREE-YEAR TERM FROM THE DATE LICENSEE
RECEIVED THE SOFTWARE. IN NO EVENT SHALL ISS BE LIABLE TO LICENSEE UNDER ANY THEORY INCLUDING CONTRACT AND TORT
(INCLUDING NEGLIGENCE AND STRICT PRODUCTS LIABILITY) FOR ANY SPECIAL, PUNITIVE, INDIRECT, INCIDENTAL OR CONSEQUENTIAL DAMAGES,
INCLUDING, BUT NOT LIMITED TO, COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, DAMAGES FOR LOST PROFITS,
LOSS OF DATA, LOSS OF USE, OR COMPUTER HARDWARE MALFUNCTION, EVEN IF ISS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
DAMAGES.
9. Termination - Licensee may terminate this License at any time by notifying ISS in writing. All rights granted under this License will terminate immediately, without
prior written notice from ISS, at the end of the term of the license, if not perpetual. If Licensee fails to comply with any provisions of this License, ISS may
immediately terminate this License if such default has not been cured within ten (10) days following written notice of default to Licensee. Upon termination or
expiration of the License, Licensee shall cease all use of the Software and destroy all copies of the Software and associated documentation. Termination of this
License shall not relieve Licensee of its obligation to pay all fees incurred prior to such termination and shall not limit either party from pursuing any other remedies
available to it.
10. General Provisions - This License, together with the identification of the Software, pricing and payment terms stated in the applicable Licensee purchase order
as accepted by ISS constitute the entire agreement between the parties respecting its subject matter. Standard and other additional terms or conditions contained
in any purchase order or similar document are hereby expressly rejected and shall have no force or effect. This License will be governed by the substantive
laws of the State of Georgia, USA, excluding the application of its conflicts of law rules. This License will not be governed by the United Nations Convention
on Contracts for the International Sale of Goods, the application of which is expressly excluded. If any part of this License is found void or unenforceable, it will
not affect the validity of the balance of the License, which shall remain valid and enforceable according to its terms. This License may only be modified in writing
signed by an authorized officer of ISS.
11. Notice to United States Government End Users - Licensee acknowledges that any Software furnished under this License is commercial computer software and
any documentation is commercial technical data developed at private expense and is provided with RESTRICTED RIGHTS. Any use, modification, reproduction,
display, release, duplication or disclosure of this commercial computer software by the United States Government or its agencies is subject to the terms,
conditions and restrictions of this License in accordance with the United States Federal Acquisition Regulations at 48 C.F.R. Section 12.212 and DFAR Subsection
227.7202-3 and Clause 252.227-7015 or applicable subsequent regulations. Contractor/manufacturer is Internet Security Systems, Inc., 6303 Barfield
Road, Atlanta, GA 30328, USA.
12. Export and Import Controls; Use Restrictions - Licensee will not transfer, export, or reexport the Software, any related technology, or any direct product of either
except in full compliance with the export controls administered by the United States and other countries and any applicable import and use restrictions. Licensee
agrees that it will not export or reexport such items to anyone on the U.S. Treasury Department’s list of Specially Designated Nationals or the U.S. Commerce
Department’s Denied Persons List or Entity List or such additional lists as may be issued by the U.S. Government from time to time, or to any country to
which the United States has embargoed the export of goods, or for use with chemical or biological weapons, sensitive nuclear end-uses, or missiles. Licensee
represents and warrants that it is not located in, under control of, or a national or resident of any such country or on any such list. Many ISS software products
include encryption and export outside of the United States or Canada is strictly controlled by U.S. laws and regulations. Please contact ISS’ Customer Operations
for export classification information relating to the Software (customer_ops@iss.net). Licensee understands that the foregoing obligations are U.S. legal
requirements and agrees that they shall survive any term or termination of this License.
13. Authority - Because the Software is designed to test or monitor the security of computer network systems and may disclose or create problems in the operation
of the systems tested, Licensee and the persons acting for Licensee represent and warrant that: (a) they are fully authorized by the Licensee and the owners of
the computer network for which the Software is licensed to enter into this License and to obtain and operate the Software in order to test and monitor that computer
network; (b) the Licensee and the owners of that computer network understand and accept the risks involved; and (c) the Licensee shall procure and use
the Software in accordance with all applicable laws, regulations and rules.
14. Disclaimers - Licensee acknowledges that some of the Software is designed to test the security of computer networks and may disclose or create problems in
the operation of the systems tested. Licensee further acknowledges that the Software is not fault tolerant and is not designed or intended for use in hazardous
environments requiring fail-safe operation, including, but not limited to, aircraft navigation, air traffic control systems, weapon systems, life-support systems,
nuclear facilities, or any other applications in which the failure of the Licensed Software could lead to death or personal injury, or severe physical or property
damage. ISS disclaims any implied warranty of fitness for High Risk Use. Licensee accepts the risk associated with the foregoing disclaimers and hereby
waives all rights, remedies, and causes of action against ISS and releases ISS from all liabilities arising therefrom.
15. Confidentiality - “Confidential Information” means all information proprietary to a party or its suppliers that is marked as confidential. Each party acknowledges
that during the term of this Agreement, it will be exposed to Confidential Information of the other party. The obligations of the party (“Receiving Party”) which
receives Confidential Information of the other party (“Disclosing Party”) with respect to any particular portion of the Disclosing Party’s Confidential Information
shall not attach or shall terminate when any of the following occurs: (i) it was in the public domain or generally available to the public at the time of disclosure to
the Receiving Party, (ii) it entered the public domain or became generally available to the public through no fault of the Receiving Party subsequent to the time
of disclosure to the Receiving Party, (iii) it was or is furnished to the Receiving Party by a third party having the right to furnish it with no obligation of confidentiality
to the Disclosing Party, or (iv) it was independently developed by the Receiving Party by individuals not having access to the Confidential Information of
the Disclosing Party. Each party acknowledges that the use or disclosure of Confidential Information of the Disclosing Party in violation of this License could
severely and irreparably damage the economic interests of the Disclosing Party. The Receiving Party agrees not to disclose or use any Confidential Information
of the Disclosing Party in violation of this License and to use Confidential Information of the Disclosing Party solely for the purposes of this License. Upon
demand by the Disclosing Party and, in any event, upon expiration or termination of this License, the Receiving Party shall return to the Disclosing Party all copies
of the Disclosing Party’s Confidential Information in the Receiving Party’s possession or control and destroy all derivatives and other vestiges of the Disclosing
Party’s Confidential Information obtained or created by the Disclosing Party. All Confidential Information of the Disclosing Party shall remain the exclusive
property of the Disclosing Party.
16. Compliance - From time to time, ISS may request Licensee to provide a certification that the Licensed Software is being used in accordance with the terms of
this License. If so requested, Licensee shall verify its compliance and deliver its certification within forty-five (45) days of the request. The certification shall state
Licensee’s compliance or non-compliance, including the extent of any non-compliance. ISS may also, at any time, upon thirty (30) days prior written notice, at its
own expense appoint a nationally recognized independent auditor, to whom Licensee has no reasonable objection, to audit and examine records at Licensee
offices during normal business hours, solely for the purpose of confirming that Licensee’s use of the Licensed Software is in compliance with the terms of this
License. ISS will use commercially reasonable efforts to have such audit conducted in a manner such that it will not unreasonably interfere with the normal business
operations of Licensee. If such audit should reveal that use of the Licensed Software has been expanded beyond the scope of use and/or the number of
Authorized Devices or Licensee certifies such non-compliance, ISS shall have the right to charge Licensee the applicable current list prices required to bring Licensee
in compliance with its obligations hereunder with respect to its current use of the Licensed Software. In addition to the foregoing, ISS may pursue any
other rights and remedies it may have at law, in equity or under this License.
Revised December 20, 2002
