BMC Defender Session Correlation Monitor plug-in

This section provides a detailed description of the BMC Defender Session Correlation Monitor plug-in software. It is an optional set of files and executables added to the BMC Defender Server to track user logins (and other sessions) that are delimited by well-defined start and stop messages, such as login and logout messages.

This section provides information on installing and using the software, a detailed description of its screens, and certain features not documented elsewhere in the BMC Defender documentation set.

The BMC Defender Session Correlation Monitor adds a new screen to the system, located in the Correlation > Sessions tab. This screen lets you configure match patterns that identify the start and stop points of a session, such as logging on to a platform and later logging off it. It also lets you see which sessions are active, which users are logged on, and which sessions were in progress during a security event.

This section is intended for BMC Defender users who operate the system, as well as for system administrators responsible for installing the software components. It is also of interest to developers and administrators who want to extend the BMC Defender system's role within an enterprise to include alerting on sessions, including logon management.

Background information

The BMC Defender Session Correlation Monitor operates on an abstract session, that is, a series of messages delimited by a start message and a stop message. This idea of a session maps directly to system logons, but it also applies to other abstractions, such as VPN sessions, maintenance sessions, or any other time interval with well-defined start and stop points. Two items identify each session:

  • Session IP Address—A session (as defined by BMC Defender) is always related to the IP address of the device that sends the start and stop messages. 

    Example

    This is the IP address of the device that you access with the login and logout operations. It can also be the address of a VPN gateway or another network-based device.

  • Session ID—A session (as defined by BMC Defender) has a session ID that is parsed from the start message and later used to identify the stop message. This session ID can be a user name, an IP address, or any single word or phrase that appears in both the start and stop messages.

Any two messages that meet the above criteria are sufficient to create and maintain a BMC Defender session. If necessary, the Session IP Address can be changed with the IP address override function (discussed elsewhere); the session ID is generally determined by simple inspection of the session start and stop messages, as discussed in Using BMC Defender Session Correlation Monitor Plug-in.

Session Monitor operation

The plug-in simplifies the analysis of sessions by recording their states, collecting data related to each running session, and maintaining a history of completed sessions. The Session Monitor therefore simplifies a common operator task: determining which users were on a set of network devices at the time of a particular event.

The BMC Defender operator creates one or more session monitors via the Correlation > Sessions tab, a standard BMC Defender dialog. Once created, each session monitor operates as follows:

  1. The BMC Defender program looks for a session start message matching a particular pattern, typically a login message but possibly another kind of startup message (such as a connection message).
  2. When the start message is received, the program parses a particular word from the message (such as a user name) and records this value as the session ID, along with the IP address of the start message. This value is available for use in the other fields through the special $sessid value.
  3. The program then looks for an end message containing a particular pattern together with the previously parsed session ID.
  4. While the program is awaiting the end message, the Session Monitor can tabulate other messages of interest (by default, all messages from the same IP address that contain the session ID, but potentially other messages as well).
  5. When the end message is received, the session information is recorded and stored in the history for later review, and a message is sent back to BMC Defender for further correlation and reporting.

Using this technique, the operator can see which sessions are currently active and can review the session history, providing an easy way to determine, for example, which users are currently logged in to a system, how long they have been logged in, and which users were logged in at a particular point in the past.
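The following Python sketch is an added example, not code from the BMC Defender plug-in (the internals of CO-sess.exe are not published here). It implements the five steps above over a few constructed syslog-style lines: a start pattern with a named group that is recorded as the session ID, an end pattern in which the literal $sessid is replaced by that ID, a default count of later messages from the same IP address that mention the ID, and optional extra count patterns. The SessionMonitor field names, the sample messages and the IP addresses are all assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Tuple


@dataclass
class SessionMonitor:
    """One monitor definition. Field names are assumptions, not the plug-in's own."""
    name: str
    start_pattern: str   # regex; the named group "sessid" is the word recorded as the session ID
    end_pattern: str     # regex; the literal "$sessid" is replaced by the parsed session ID
    count_patterns: Dict[str, str] = field(default_factory=dict)  # label -> regex tabulated while active


@dataclass
class Session:
    monitor: str
    ip: str
    sessid: str
    start: datetime
    end: Optional[datetime] = None
    messages: int = 0  # later messages from the same IP that mention the session ID
    counts: Dict[str, int] = field(default_factory=dict)

    def duration_seconds(self, now: Optional[datetime] = None) -> float:
        stop = self.end if self.end is not None else now
        if stop is None:
            raise ValueError("session is still active; pass the current time")
        return (stop - self.start).total_seconds()


class SessionCorrelator:
    def __init__(self, monitors: List[SessionMonitor]):
        self.monitors = {m.name: m for m in monitors}
        self.active: Dict[Tuple[str, str, str], Session] = {}  # (monitor, ip, sessid) -> session
        self.history: List[Session] = []
        self.emitted: List[str] = []  # summaries handed back for further correlation

    def feed(self, ts: datetime, ip: str, message: str) -> None:
        # Steps 3 and 5: does this line close a session that is active for this IP?
        for key, sess in list(self.active.items()):
            if key[1] != ip:
                continue
            # re.escape stops a hostile user name such as ".*" from becoming regex syntax
            end_re = self.monitors[sess.monitor].end_pattern.replace("$sessid", re.escape(sess.sessid))
            if re.search(end_re, message):
                sess.end = ts
                del self.active[key]
                self.history.append(sess)
                self.emitted.append(f"{sess.monitor}: session {sess.sessid} from {ip} ended after "
                                    f"{sess.duration_seconds():.0f}s, {sess.messages} messages, counts={sess.counts}")
                return
        # Steps 1 and 2: does this line open a new session?
        for mon in self.monitors.values():
            m = re.search(mon.start_pattern, message)
            if m and (mon.name, ip, m.group("sessid")) not in self.active:  # repeated start: keep the first
                self.active[(mon.name, ip, m.group("sessid"))] = Session(mon.name, ip, m.group("sessid"), ts)
                return
        # Step 4: tabulate messages for sessions still awaiting their end message.
        for key, sess in self.active.items():
            if key[1] != ip:
                continue
            if re.search(rf"\b{re.escape(sess.sessid)}\b", message):
                sess.messages += 1
            for label, pat in self.monitors[sess.monitor].count_patterns.items():
                if re.search(pat, message):
                    sess.counts[label] = sess.counts.get(label, 0) + 1


SSH_MONITOR = SessionMonitor(
    name="ssh-login",
    start_pattern=r"Accepted (?:password|publickey) for (?P<sessid>\S+) from",
    end_pattern=r"session closed for user $sessid\b",
    count_patterns={"sudo": r"\bsudo:", "failed_logins": r"Failed password"},
)

# Constructed sample log in the form "<ISO time> <device IP> <message>"; not from any real system.
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.1.1.20 sshd[1201]: Accepted password for alice from 192.0.2.10 port 51022 ssh2
2024-03-01T09:00:05 10.1.1.20 sshd[1201]: pam_unix(sshd:session): session opened for user alice
2024-03-01T09:02:10 10.1.1.20 sudo: alice : TTY=pts/0 ; COMMAND=/usr/bin/systemctl restart nginx
2024-03-01T09:03:00 10.1.1.21 sshd[877]: Accepted publickey for bob from 192.0.2.11 port 40010 ssh2
2024-03-01T09:04:00 10.1.1.20 sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 4000 ssh2
2024-03-01T09:10:30 10.1.1.20 sshd[1201]: pam_unix(sshd:session): session closed for user alice
2024-03-01T09:11:00 10.1.1.21 sshd[877]: pam_unix(sshd:session): session closed for user carol
"""


def run_demo(log: str = SAMPLE_LOG) -> SessionCorrelator:
    corr = SessionCorrelator([SSH_MONITOR])
    for line in log.strip().splitlines():
        ts, ip, msg = line.split(" ", 2)
        corr.feed(datetime.fromisoformat(ts), ip, msg)
    return corr
```

Calling run_demo() returns the correlator: alice's session on 10.1.1.20 is closed after 630 seconds with two messages mentioning her and one hit each on the sudo and failed_logins counters, while bob's session on 10.1.1.21 stays in the active list because the "session closed for user carol" line does not carry his session ID. Two points worth carrying over to a real deployment: the session ID comes from untrusted log text, so it is regex-escaped before being substituted into the end pattern, and a session whose end message is never received stays active indefinitely (the page describes no timeout), so a missed logout message is indistinguishable from a live session in the active list.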

Process overview

The Session Monitor consists of a single background process that operates independently of the other standard processes. This is the CO-sess.exe process, which appears in the Windows Task Manager of the BMC Defender Server once the plug-in is installed. This process must be running for session monitoring to work, and it is normally started from the System > Schedule screen, as described in Installing BMC Defender Session Correlation Monitor plug-in.

  • The CO-sess.exe process monitors the received logs (in a fashion similar to the standard CO-catlog.exe and CO-devlog.exe processes). 
  • The process parses each message looking for a start message that matches a particular pattern. 
  • When a message containing the start pattern is detected, the message is parsed to obtain the Session ID.
  • The process records the start message time and begins looking for an end message that matches the end pattern and contains the Session ID, indicating the end of the session. 
  • When the end message is found, the session is recorded and added to the session history.
  • While the CO-sess.exe program is waiting for the end message, additional messages can be tabulated, providing a degree of statistical awareness about the session, such as the number of messages that match other patterns.
  • The list of current and historical sessions can be viewed using the new screen added as part of this plug-in.

    Note

    Click the Correlation > Sessions tab to view the active and historical sessions, and drill down into a session to view the actual keywords and counts.

  • The session data is stored in textual format in the stat/sess.stt file on the BMC Defender Server system. 
  • This file is updated within a few seconds of any change to the session data and is available for further scripting, such as with the Custom Alerts facility or other custom processes.

Note

The only required component of the system is the Configuration screen. Other information on the BMC Defender Server can be found in the standard user manual, including operating and application notes that can assist in processing the alerts and tickets generated by the program and received by the BMC Defender Server receiver process.
