

How to configure the Intrusion Detection Monitor

You can detect a possible intrusion or malicious event on your Domino server by using the Intrusion Detection Monitor feature in SecurTrac™. The Intrusion Detection Monitor scans the Domino Server console for text that matches a configured string of keywords. To configure the Intrusion Detection Monitor, open the SecurTrac Configuration Database (SCTCFG.NSF).

To create an Intrusion Detection Monitor:
  1. Open the SecurTrac Configuration Database (SCTCFG.NSF).
  2. In the left pane, select .
  3. Click the button on the action bar.
  4. Specify the preferred configuration settings and click the button.
  5. Below is a table describing each of the available configurations within the Intrusion Detection Monitor.


Basics Tab:

| Section | Field | Description |
|---|---|---|
| Server To Monitor | Server(s) | Select either "All in the Domain" or "Only the following" servers. If you select "All in the Domain", intrusion detection events on all servers in the current domain will be monitored by SecurTrac™. If you select "Only the following", a list box will be shown for you to select the specific server(s) in the current domain to be monitored. Click on the button to choose the server(s) you want to monitor. |
| Log Database | File name | Select one of: "Log to the default database" (the corresponding log will be stored in a Central Log Database, SctLog.nsf) or "Log to the specified database" (the corresponding log will be stored in the database you specified). |
| | Server name | Select one of: "Log to the server where the event occurred" (the corresponding log will be created on the same server where the event occurred) or "Log to the specified server" (the corresponding log will be created on the server you specified). If you select "Log to the specified server", make sure the originating server has sufficient access to the remote log database on this specified server. |
| Multiple Monitors Matched Handling | Single log entry | This is the default option. Select this option if you want SecurTrac™ to generate only one log entry for all monitor(s) matched. |
| | Multiple log entries | Select this option if you want SecurTrac™ to generate a new log entry for each monitor matched. |
| Enablement | Disable this Intrusion Detection Monitor | If this field is checked, SecurTrac™ will temporarily disable the monitoring of any intrusion detection events. |


Monitor Tab:

| Section | Field | Description |
|---|---|---|
| Event to match | Pre-defined Event | Click on the button next to 'Pre-defined Event' and a list of pre-defined events will be shown. Select the specific event that you want to monitor. |
| | Event Description | When a pre-defined event is selected, the event description will be automatically populated. If you decide to specify a custom event to monitor (wording(s) to be matched), you can manually specify the related event description. |
| | Wording(s) to be matched | When a pre-defined event is selected, this field will automatically be populated. If the event that you want to monitor is not listed in the pre-defined event list, SecurTrac™ will allow you to type a keyword string in the "Wording(s) to be matched" field in order to log a specific event that appears on the Domino Server console. For example, you can add "* WAS GRANTED FULL ADMINISTRATOR ACCESS" to detect every time someone invokes the "Full Access Administration" privilege. |
| Notification List | Mailing Address | Select the person who will receive an e-mail notification immediately when the configured Intrusion Detection event occurs. |
| | Importance | You can set the importance of the e-mail notification. |
| | Delivery Priority | You can set the delivery priority of the e-mail notification. |
| | Customize E-Mail Notification Message | Select this option if you want to customize the subject and content of the e-mail notification message. |
| | Add field | Allows you to select predefined reserved fields. |
| Bulk Action Detection | Enable Bulk Action Detection | Select this option to generate a Bulk Action Log if the defined events occur a defined number of times within a defined period. |
| | Send e-mail notification to | Select the person(s) who will receive an e-mail notification immediately when there are events that match the defined bulk action criteria. |
| | Importance | You can set the importance of the e-mail notification. |
| | Delivery Priority | You can set the delivery priority of the e-mail notification. |
| | Customize E-Mail Notification Message | Select this option if you want to customize the subject and content of the e-mail notification message. |
| | Add field | Allows you to select predefined reserved fields. |
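
The following sketch is an added example, not SecurTrac code: it shows how a "Wording(s) to be matched" string and a Bulk Action Detection threshold behave when run over console output, which helps when choosing a wording and threshold before saving the monitor. It assumes glob-style, case-insensitive matching for `*` and a sliding time window; the console lines, their timestamp layout and all function names are constructed for illustration.

```python
import fnmatch
from collections import deque
from datetime import datetime, timedelta

# Constructed console lines (timestamp, then message); not captured from a real server.
SAMPLE_CONSOLE = [
    "2024-03-14 10:15:02 Jane Admin/Acme was granted full administrator access.",
    "2024-03-14 10:15:40 Router: No messages transferred to MAIL2/Acme",
    "2024-03-14 10:16:10 Bob Ops/Acme was granted full administrator access.",
    "2024-03-14 10:17:55 Jane Admin/Acme was granted full administrator access.",
    "2024-03-14 11:40:00 Bob Ops/Acme was granted full administrator access.",
]

def parse_line(line):
    """Split a constructed console line into (datetime, message)."""
    stamp, message = line[:19], line[20:]
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), message

def matches(wording, message):
    """Assumed semantics: '*' matches any run of characters, case-insensitive,
    and the wording may end before the line does (a trailing '*' is implied)."""
    return fnmatch.fnmatchcase(message.upper(), wording.upper() + "*")

def scan(lines, wording, bulk_count, bulk_window):
    """Return (matched events, bulk alerts) for one hypothetical monitor definition."""
    events, bulk_alerts, recent = [], [], deque()
    for line in lines:
        when, message = parse_line(line)
        if not matches(wording, message):
            continue
        events.append((when, message))
        recent.append(when)
        # Drop matches that have fallen out of the sliding window.
        while when - recent[0] > bulk_window:
            recent.popleft()
        if len(recent) >= bulk_count:
            bulk_alerts.append((when, len(recent)))
            recent.clear()  # start counting afresh after a bulk alert
    return events, bulk_alerts

if __name__ == "__main__":
    wording = "* WAS GRANTED FULL ADMINISTRATOR ACCESS"
    events, bulk = scan(SAMPLE_CONSOLE, wording, 3, timedelta(minutes=5))
    for when, message in events:
        print("MATCH", when, message)
    for when, count in bulk:
        print("BULK ", when, f"{count} matches within window")
```

Under these assumed semantics the same wording without the leading `*` matches nothing in the sample, because every line begins with the name of the user who was granted access.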


Report Tab:

| Section | Field | Description |
|---|---|---|
| Schedule | Run Frequency | Select how frequently the report is run: Daily, Weekly, or Monthly. |
| | Run at time | Specify the time at which the report should be run. |
| | Days of week | Specify the days of the week that the report should run on. |
| Notification List | Mailing Address | Specify the mailing addresses of the people who should be notified of the reports. |
| | Importance | Specify the importance of the message. |
| | Delivery Priority | Specify the delivery priority of the message. |
| | Customize E-mail Notification Message | Option to customize the e-mail notification. |
| Enablement | Disable sending report | If this field is checked, SecurTrac™ will temporarily disable the sending of any reports. |


Administration Tab:

| Section | Field | Description |
|---|---|---|
| Administration | Owner | Specify the owner of the monitor document. |
| | Administrators | Specify person(s) who can modify the current monitor document. |
| Settings Modification History | Date | Shows the date of modification for the current monitor document. |
| | Updated by | Shows the persons who have modified the current monitor document. |


