This class of events relates to the use of services and applications. They typically map to the execution of a program or a procedure and manipulation of the processing environment.
Table 5-5 Service or Application Utilization Events Taxonomy
| Event Name | Event Identifier | Corresponding eDir Event | Description | Use |
|---|---|---|---|---|
| Invoke Service | 0.0.4.0 | DSE_START_UPDATE_SCHEMA | Invoke a service or application | This event is reported when a security-relevant service is invoked. |
| Terminate Service | 0.0.4.1 | DSE_END_UPDATE_SCHEMA | Terminate a service or application | This event is reported when a service is terminated. |
| Modify Process Context | 0.0.4.3 | DSE_CHANGE_TREE_NAME, DSE_LDAP_MODLDAPSERVER, DSE_MERGE_TREE, DSE_PART_STATE_CHG_REQ, DSE_REPAIR_TIME_STAMPS, DSE_RESET_DS_COUNTERS, DSE_SERVER_ADDRESS_CHANGE, DSE_SERVER_RENAME, DSE_SET_NEW_MASTER, DSE_SYNTHETIC_TIME | Modify processing context | This event is reported when any attributes of a process context are modified – this event is somewhat specific to operating systems, but some use can be found in other domain-specific applications. |

The following sections include examples for service or application utilization events.
Click Invoke Service to generate an event for invoking a service, as shown in the following example:
Jan 08 10:18:37 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "MYTREE","Name" : "CN=SRV1,O=mycom"},"Entity" : {"SysAddr" : "100.1.2.164","SysName" : "SLES11-SP2-164"}},"Initiator" : {"Account" : {"Domain" : "MYTREE"},"Entity" : {"SysAddr" : "0.0.0.0:0"}},"Target" : {"Data" : {"Name" : "dc=Events"}},"Action" : {"Event" : {"Id" : "0.0.4.0","Name" : "INVOKE_SERVICE","CorrelationID" : "eDirectory#0#a23fbaea-c482-4d6b-a98c-eaba3fa282c4","SubEvent" : "DSE_PURGE_START"},"Time" : {"Offset" : 1389847717},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}
Click Terminate Service to generate an event for terminating a service, as shown in the following example:
Jan 08 10:18:37 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "MYTREE","Name" : "CN=SRV1,O=mycom"},"Entity" : {"SysAddr" : "100.1.2.164","SysName" : "SLES11-SP2-164"}},"Initiator" : {"Account" : {"Domain" : "MYTREE"},"Entity" : {"SysAddr" : "0.0.0.0:0"}},"Target" : {"Data" : {"Name" : "CN=SLES11-SP2-164,O=mycom"}},"Action" : {"Event" : {"Id" : "0.0.4.1","Name" : "TERMINATE_SERVICE","CorrelationID" : "eDirectory#0#","SubEvent" : "DSE_SYNC_SVR_OUT_END"},"Time" : {"Offset" : 1389847717},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}
Click Modify Process Context to generate an event when any attributes of a process context are modified, as shown in the following example:
Jan 08 10:30:18 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Account" : {"Domain" : "MYTREE","Name" : "CN=SRV1,O=mycom"},"Entity" : {"SysAddr" : "100.1.2.164","SysName" : "SLES11-SP2-164"}},"Initiator" : {"Account" : {"Domain" : "MYTREE","Name" : "CN=SRV1,O=mycom"},"Entity" : {"SysAddr" : "0.0.0.0:0"}},"Action" : {"Event" : {"Id" : "0.0.4.3","Name" : "MODIFY_PROCESS_CONTEXT","CorrelationID" : "eDirectory#0#","SubEvent" : "DSE_SET_BINDERY_CONTEXT"},"Time" : {"Offset" : 1389848418},"Log" : {"Severity" : 7},"Outcome" : "0","ExtendedOutcome" : "0"}}
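
The following parser is an added example, not part of the product documentation: it extracts the JSON payload from log lines in the format shown above and keeps only the three event identifiers from Table 5-5. The function names and the abridged sample lines are constructed for illustration, and it assumes `Time.Offset` is seconds since the Unix epoch.

```python
import json
from datetime import datetime, timezone

# Event identifiers from Table 5-5.
TAXONOMY = {
    "0.0.4.0": "Invoke Service",
    "0.0.4.1": "Terminate Service",
    "0.0.4.3": "Modify Process Context",
}

# Constructed sample lines, abridged from the examples on this page,
# plus one truncated line to exercise the error path.
SAMPLE_LINES = [
    'Jan 08 10:18:37 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Entity" : {"SysName" : "SLES11-SP2-164"}},"Initiator" : {"Account" : {"Domain" : "MYTREE"}},"Target" : {"Data" : {"Name" : "dc=Events"}},"Action" : {"Event" : {"Id" : "0.0.4.0","Name" : "INVOKE_SERVICE","SubEvent" : "DSE_PURGE_START"},"Time" : {"Offset" : 1389847717},"Outcome" : "0"}}',
    'Jan 08 10:18:37 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Entity" : {"SysName" : "SLES11-SP2-164"}},"Initiator" : {"Account" : {"Domain" : "MYTREE"}},"Target" : {"Data" : {"Name" : "CN=SLES11-SP2-164,O=mycom"}},"Action" : {"Event" : {"Id" : "0.0.4.1","Name" : "TERMINATE_SERVICE","SubEvent" : "DSE_SYNC_SVR_OUT_END"},"Time" : {"Offset" : 1389847717},"Outcome" : "0"}}',
    'Jan 08 10:30:18 eDirectory : INFO {"Source" : "eDirectory#DS","Observer" : {"Entity" : {"SysName" : "SLES11-SP2-164"}},"Initiator" : {"Account" : {"Domain" : "MYTREE","Name" : "CN=SRV1,O=mycom"}},"Action" : {"Event" : {"Id" : "0.0.4.3","Name" : "MODIFY_PROCESS_CONTEXT","SubEvent" : "DSE_SET_BINDERY_CONTEXT"},"Time" : {"Offset" : 1389848418},"Outcome" : "0"}}',
    'Jan 08 10:31:00 eDirectory : INFO {"Source" : "eDirectory#DS","Action" : {"Event" : {"Id" : "0.0.4.0"',
]

def parse_line(line):
    """Return a flat record for a Table 5-5 event, or None for anything else."""
    start = line.find("{")  # JSON payload follows the syslog-style prefix
    if start < 0:
        return None
    try:
        doc = json.loads(line[start:])
    except json.JSONDecodeError:
        return None  # truncated or malformed payload
    action = doc.get("Action", {})
    event = action.get("Event", {})
    if event.get("Id") not in TAXONOMY:
        return None
    offset = action.get("Time", {}).get("Offset")
    when = None
    if isinstance(offset, (int, float)):  # assumption: Unix epoch seconds
        when = datetime.fromtimestamp(offset, tz=timezone.utc).isoformat()
    return {
        "class": TAXONOMY[event["Id"]],
        "sub_event": event.get("SubEvent"),
        # Initiator name and Target are absent in some events; keep None.
        "initiator": doc.get("Initiator", {}).get("Account", {}).get("Name"),
        "target": doc.get("Target", {}).get("Data", {}).get("Name"),
        "host": doc.get("Observer", {}).get("Entity", {}).get("SysName"),
        "time_utc": when,
        "outcome": action.get("Outcome"),
    }

def parse_lines(lines):
    return [rec for rec in map(parse_line, lines) if rec is not None]

if __name__ == "__main__":
    for rec in parse_lines(SAMPLE_LINES):
        print(rec)
```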