Accenture MDR Quick Start Guide for Sybase®

This quick start guide will help Accenture MDR customers configure Sybase® to allow log collection from the Log Collection Platform (LCP).

 

The document includes the following topics:

Supported Versions
Port Requirements
Configuring Sybase
LCP Configuration Parameters

Supported Versions

A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx), which can be found on the Accenture MDR Portal.

Port Requirements

Table 1-1: Port requirements for LCP communication.

Source    Destination    Port                                  Description
LCP       Sybase         Windows: 5000 (TCP)                   Default port, which depends on the
                         Linux and UNIX: 4112 (TCP)            operating system of the database host
                         Microsoft SQL Server DB: 1433 (TCP)   (or on the database product)

Configuring Sybase

1. Create a read-only database user account for Sybase.

The installation script 4_create_symc_audit.sql creates a read-only user in the symc_audit_db database and grants it SELECT rights on the symc_audit_t table only. Do not create any other read-only user accounts while this script is running.

2. Configure the Sybase audit system.

Sybase restricts direct use of the sybsecurity database, where audit records are written. The collector therefore reads from a separate database, symc_audit_db, which a stored procedure populates by copying rows out of the audit table. Creating and populating this database requires running the scripts supplied with the collector. They are located in the utils/scripts sub-directory of the collector installation files: utils/scripts/win32 contains the scripts for Sybase running on Windows, and utils/scripts/linux contains the scripts for Sybase running on Linux and UNIX. Examine each script before running it and edit it so that the device names, paths, and threshold settings match your environment.

 

Note: Audit data is deleted from the Sybase audit table after it is copied to symc_audit_db. Data in symc_audit_db is in turn deleted periodically by the sp_droprows procedure, which removes the first 5,000 rows from the symc_audit_db.dbo.symc_audit_t table each time it runs.

The threshold values in the scripts assume a Sybase server page size (@@pagesize) of 2K. If your server uses a different page size, recalculate the threshold values before running the scripts; otherwise audit data can be lost. The default size of the tempdb database is sometimes too small for the sensor query, which then fails; in that case the DBA must manually increase the size of tempdb.

If the audit event rate is very high (above 500 events per second), the Sybase threshold mechanism can occasionally skip execution of the threshold procedure. If this happens, reduce the audit volume or register the symc_audit_thresh threshold procedure at two or more threshold values. Change the device paths in the scripts if necessary.

 

To configure the Sybase audit system, follow the steps below.

1. In Sybase Central, select Tools > Adaptive Server Enterprise > Open Interactive SQL. A text editor opens.

2. In the text editor, enter the following commands. Each go must be on its own line.

    use master
    go
    sp_configure 'number of devices', 20
    go

Note: After these commands have run, run the live update for the collector.

3. Execute the 1_create_audit_subsystem.sql script.

4. Execute the 2_run_script_and_restart_server.sql script.

5. Execute the 3_setup_audit_options.sql script.

6. Execute the 4_create_symc_audit.sql script.

7. Execute the 5_backup_trigger.sql script.

8. Execute the 6_determining_thresholds.sql script.

9. Execute the 7_setup_audit_events.sql script.
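The following Transact-SQL is an added set of post-configuration checks for the procedure above; it is not one of the collector's scripts. It verifies the items the guide tells you to get right (device limit, page size, tempdb size, thresholds) and, from a least-privilege standpoint, that the collector account can do nothing beyond SELECT on symc_audit_t. The login name mdr_reader is a placeholder (use the account named in the PIQ), and it is assumed that the audit thresholds were registered in sybsecurity, as Sybase audit thresholds normally are.

```sql
-- Added verification queries (assumed ASE Transact-SQL; not part of the MDR scripts).
-- 'mdr_reader' is a placeholder for the read-only login created by 4_create_symc_audit.sql.

use master
go
-- 1. The device limit raised in step 2 must show Run Value = 20.
sp_configure 'number of devices'
go
-- 2. The threshold values in 6_determining_thresholds.sql assume 2048-byte pages.
--    Any other value means the thresholds must be recalculated before trusting them.
select @@pagesize as page_size_bytes
go
-- 3. tempdb must be large enough for the sensor query; note the db_size column.
sp_helpdb tempdb
go
-- 4. Least privilege: the collector login should hold no server roles (no sa_role,
--    sso_role, oper_role) and a non-default password expiry policy if your site sets one.
sp_displaylogin mdr_reader
go

use symc_audit_db
go
-- 5. The account should hold SELECT on symc_audit_t and nothing else; any INSERT,
--    UPDATE, DELETE or EXECUTE grant here is a finding.
sp_helprotect mdr_reader
go
-- 6. Confirm audit rows are arriving. Re-run after a few minutes: the count should
--    change, and it is normal for it to drop by 5,000 when sp_droprows fires.
select count(*) as audit_rows from dbo.symc_audit_t
go

use sybsecurity
go
-- 7. List the audit-segment thresholds and the procedure each fires; at event rates
--    above 500 EPS the guide recommends symc_audit_thresh at two or more values.
sp_helpthreshold
go
```

Run this as a DBA (not as the collector account), and treat any privilege beyond SELECT on symc_audit_t, or any role on the login, as something to remove before the LCP is pointed at the database.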

LCP Configuration Parameters

Table 1-2: Properties of the Sybase event collector (Database – 3372) that MDR configures.

Property: Database URL
Default Value:
    Windows: jdbc:sybase:Tds:<server>:5000/symc_audit_db
    Linux and UNIX: jdbc:sybase:Tds:<server>:4112/symc_audit_db
    Microsoft SQL Server database: jdbc:sqlserver://<hostname>:1433;DatabaseName=<databasename>
Description: The database URL string that MDR configures on the collector. Its parts are:
    IP address or hostname - Hostname or IP address of the database host.
    Database name - The name of the database in which the Sybase events are stored.
    5000 / 4112 / 1433 (TCP port) - The default port for DB connectivity, which depends on the operating system (or on the database product).
    Note: If the database is configured to use a different port number, advise the Accenture MDR onboarding team.

Property: User Name
Default Value: Custom value
Description: The username of the database account specified in the Pre-Installation Questionnaire (PIQ).

Property: Password
Default Value: Custom value
Description: The password of the database account specified in the PIQ.


Legal Notice

Copyright © 2021 Accenture. All rights reserved.

Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.