Note: Before using this information and the product it supports, read the information in “Notices,” on page 45.

First Edition (October 2003)

This edition applies to version 4, release 2, of Tivoli Risk Manager and to all subsequent releases and modifications until otherwise indicated in new editions.

© Copyright International Business Machines Corporation 2003. All rights reserved.
US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
Contents

Preface . . . v
    Who Should Read This Book . . . v
    What This Book Contains . . . v
    Publications . . . v
        IBM Tivoli Risk Manager Library . . . v
        Prerequisite Publications . . . vi
        Related Publications . . . vi
        Accessing Publications Online . . . vii
        IBM Tivoli Risk Manager Product Information . . . vii
    Accessibility . . . vii
    Contacting Software Support . . . viii
    Conventions Used in This Book . . . viii
        Typeface Conventions . . . viii
        Naming Conventions . . . viii
        Operating System Differences . . . ix

Tivoli Risk Manager Commands . . . 1
    Command Syntax Conventions . . . 1
    checkrules . . . 3
    getpdinfo . . . 5
    nids . . . 7
    rma_webids . . . 10
    rmagent . . . 12
    rmcorr_cfg . . . 13
    rmt_corrstatus . . . 16
    rmt_corrupdate . . . 17
    rmt_corruninstall . . . 18
    startnids . . . 19
    stopnids . . . 20
    validateAdvisorRules . . . 21
    viewer . . . 23
    webids . . . 25
    wlsesvrcfg . . . 26
    wrmadmin . . . 27
    wrmdbclear . . . 29
    wrmdbclose . . . 31
    wrmdns . . . 33
    wrmfmt2xml . . . 35
    wrmikeyman . . . 37
    wrmqueue . . . 38
    wrmsendmsg . . . 40
    wrmstashpw . . . 42

Appendix. Notices . . . 45
    Trademarks . . . 46

Index . . . 49
Preface

This book describes commands used in IBM® Tivoli® Risk Manager.

Who Should Read This Book

You should have prior knowledge of the Tivoli Management Framework and the Tivoli Enterprise Console, and of installing and using third-party intrusion-detection applications. IBM Tivoli Risk Manager is an implementer of network security policies, specifically intrusion-detection systems (IDS). You need a working knowledge of network security and a solid grasp of Transmission Control Protocol/Internet Protocol (TCP/IP), fundamental networking concepts, and routed networks.

What This Book Contains

See the IBM Tivoli Risk Manager Release Notes for changes to the product and this guide.

• “Tivoli Risk Manager Commands,” on page 1 lists Tivoli Risk Manager commands.

Publications

This section includes the following publication information:
• Tivoli Risk Manager Library
• Prerequisite Publications
• Related Publications
• Accessing Publications Online
• Tivoli Risk Manager Online Information

Read the descriptions of the Tivoli Risk Manager library, the prerequisite publications, and the related publications to determine which publications you might find helpful. After you determine the publications you need, refer to the instructions for accessing publications online.

IBM Tivoli Risk Manager Library

The publications in the Tivoli Risk Manager library are:
• The IBM Tivoli Risk Manager Command Reference Version 4.2 describes commands used to administer Tivoli Risk Manager.
• The IBM Tivoli Risk Manager Administrator’s Guide Version 4.2 describes how to configure and manage Tivoli Risk Manager. This guide also provides an overview for each Tivoli Risk Manager component.
• The IBM Tivoli Risk Manager Adapters Guide Version 4.2 provides detailed descriptions for the currently available IBM Tivoli Risk Manager adapters.
• The IBM Tivoli Risk Manager Installation Guide Version 4.2 contains information on planning your product deployment, including topics such as network topology and installing prerequisite software, and describes how to install and configure the Tivoli Risk Manager product and components.
• The IBM Tivoli Risk Manager Problem Determination Guide Version 4.2 contains consistent, complete, and clear problem determination processes and examples to assist in determining why Tivoli Risk Manager is malfunctioning.
• The IBM Tivoli Risk Manager Read Me First Card Version 4.2 directs you on how to access, and the intended purpose and audience of, the Tivoli Risk Manager documentation.
• The IBM Tivoli Risk Manager Release Notes Version 4.2 contains last-minute information on the installation and administration of the Tivoli Risk Manager product.

Prerequisite Publications

To use the information in this book effectively, you must have some prerequisite knowledge, which you can obtain from the following publications:
• Tivoli Management Framework Planning for Deployment Guide, Tivoli Management Framework Enterprise Installation Guide, Tivoli Management Framework User’s Guide, and Tivoli Management Framework Reference Manual
  These books provide detailed information about the desktop, managed nodes, administrators, policy regions, profiles, notices, tasks, scheduling, and command-line interface (CLI) commands.
• IBM Tivoli Enterprise Console User’s Guide
  This guide provides detailed information about using the Tivoli Enterprise Console.

Related Publications

Information related to Tivoli Risk Manager is available in the following publications:
• IBM Tivoli Enterprise Console Rule Builder’s Guide
  This guide provides detailed information about how to write and integrate new rules.
• Tivoli Event Integration Facility User’s Guide
  This guide discusses how to develop your own event adapters using the Event Integration Facility (EIF). These event adapters are tailored to your network environment and your specific needs.
• IBM Tivoli Enterprise Console Reference Manual
  This book provides details on the command-line commands.
• IBM Tivoli Enterprise Console Adapters Guide
  This guide provides detailed descriptions for the currently available Tivoli Enterprise Console adapters.
• Tivoli Management Framework 4.1 Task Library Language Developer’s Guide
  This guide provides detailed information on how to create and customize tasks.
• The Tivoli Software Library provides a variety of Tivoli publications such as white papers, datasheets, demonstrations, redbooks, and announcement letters. The Tivoli Software Library is available on the Web at:
  http://www.ibm.com/software/tivoli/library/
• The Tivoli Software Glossary includes definitions for many of the technical terms related to Tivoli software. The Tivoli Software Glossary is available, in English only, from the Glossary link on the left side of the Tivoli Software Library Web page:
  http://www.ibm.com/software/tivoli/library/

vi IBM Tivoli Risk Manager: Command Reference
Accessing Publications Online

The publications for this product are available online in Portable Document Format (PDF) or Hypertext Markup Language (HTML) format, or both, in the Tivoli software library:
http://www.ibm.com/software/tivoli/library

To locate product publications in the library, click the Product manuals link on the left side of the Library page. Then, locate and click the name of the product on the Tivoli software information center page. Product publications include release notes, installation guides, user’s guides, administrator’s guides, and developer’s references.

Note: To ensure proper printing of publications, select the Fit to page check box in the Adobe Acrobat window (which is available when you click File → Print).

IBM Tivoli Risk Manager Product Information

IBM® Tivoli® customers can find online information for Tivoli security products and for Tivoli Risk Manager.

Tivoli Risk Manager Adapters are now available to customers through the Tivoli Risk Manager Support Website and are no longer included on the product CD. This allows new and improved adapters to be distributed independently from new releases of Tivoli Risk Manager and allows customers to download only the adapters they require.

For Tivoli Risk Manager Adapters, up-to-date product updates including sensor signatures, and service information about Tivoli Risk Manager, go to:
http://www.ibm.com/software/sysmgmt/products/support/IBMTivoliRiskManager.html

For information about the Tivoli Risk Manager product, go to:
http://www.ibm.com/software/sysmgmt/products/risk-mgr.html

For information about other Tivoli security management products, go to:
http://www.ibm.com/software/sysmgmt/

Accessibility

Accessibility features help a user who has a physical disability, such as restricted mobility or limited vision, to use software products successfully. The major accessibility features in this product enable users to do the following:
• Use assistive technologies, such as screen-reader software and a digital speech synthesizer, to hear what is displayed on the screen. Consult the product documentation of the assistive technology for details on using those technologies with this product.
• Magnify what is displayed on the screen.

In addition, the product documentation has been modified to include features to aid accessibility:
• All documentation is available in both HTML and convertible formats to give the maximum opportunity for users to apply screen-reader software.
• All images in the documentation are provided with alternative text so that users with vision impairments can understand the contents of the images.

Contacting Software Support

Before contacting IBM Tivoli Software support with a problem, refer to the IBM Tivoli Software support Web site at:
http://www.ibm.com/software/sysmgmt/products/support/

If you need additional help, contact software support by using the methods described in the IBM Software Support Guide at the following Web site:
http://techsupport.services.ibm.com/guides/handbook.html

The guide provides the following information:
• Registration and eligibility requirements for receiving support
• Telephone numbers, depending on the country in which you are located
• A list of information you should gather before contacting customer support

Conventions Used in This Book

In this book, a Windows® system is a computer system that uses the Windows NT®, Windows 2000, or the Windows XP operating systems. A UNIX system is a computer system that uses a UNIX™ operating system such as the AIX®, Linux, HP-UX, or the Solaris Operating Environment (hereinafter referred to as Solaris) operating systems.

Typeface Conventions

The following typeface conventions are used in this reference:

Bold
    Lowercase commands or mixed case commands that are difficult to distinguish from surrounding text, keywords, parameters, options, and objects are in bold.

Italics
    Variables, titles of publications, and special words or phrases that are emphasized are in italic.

Monospace
    Code examples, command lines, screen output, file and directory names that are difficult to distinguish from surrounding text, system messages, text that the user must type, and values for arguments or command options are in monospace.

Naming Conventions

The following naming conventions are used in this book:

Linux for PowerPC
    Term used when you are running Linux on iSeries and pSeries hardware systems.

RMINSTDIR
    The Tivoli Risk Manager installation location that includes the RISKMGR subdirectory on your system. For example, on a Solaris system, the default installation directory would be /opt/RISKMGR.

Solaris Operating Environment
    Referred to as Solaris.
UNIX-based
    Term used when referring to AIX, HP-UX, and Solaris systems.

Tivoli Risk Manager Agent
    Referred to as the agent.

Tivoli Risk Manager Client
    Referred to as the client.

Tivoli Risk Manager Distributed Correlation Server
    Referred to as the distributed correlation server.

Tivoli Risk Manager Gateway
    Referred to as the gateway.

Tivoli Risk Manager Event Server
    Referred to as the event server.

Tivoli Risk Manager Event Monitor
    Referred to as the event monitor.

Tivoli Enterprise Console user interface
    Referred to as the event console.

Operating System Differences

This book uses the UNIX convention for specifying environment variables and for directory notation. When using the Windows command line, replace $variable with %variable% for environment variables and replace each forward slash (/) with a backslash (\) in directory paths. If you are using the bash shell on a Windows system, you can use the UNIX conventions.
Tivoli Risk Manager Commands

The following lists Tivoli Risk Manager commands.

Command Syntax Conventions

Table 1 shows the command syntax conventions used in this appendix.

Table 1. Command Syntax Conventions

Name of command
    Description: The first word or set of consecutive characters.
    Example: wrmadmin

Brackets ([ ])
    Description: The information enclosed in brackets ([ ]) is optional. Anything not enclosed in brackets must be specified.
    Example: [-h host_location]

Braces ({ })
    Description: Braces ({ }) identify a set of mutually exclusive options, when one option is required.
    Example: {-i IP_address | –n host_name}

Underscore ( _ )
    Description: An underscore ( _ ) connects multiple words in a variable.
    Example: config_filename

Vertical bar ( | )
    Description: Mutually exclusive options are separated by a vertical bar ( | ). You can enter one of the options separated by the vertical bar, but you cannot enter multiple options in a single use of the command. A vertical bar can be used to separate optional or required options.
    Example: {-i IP_address | –n host_name}

Bold
    Description: Bold text designates literal information that must be entered on the command line exactly as shown. This applies to command names and non-variable options.
    Example: nids –c config_filename

Italic
    Description: Italic text is variable and must be replaced by whatever it represents. In the example to the right, the user would replace file_name with the name of the specific file.
    Example: file_name
Ellipsis (...)
    Description: An ellipsis (...) indicates that the previous option can be repeated multiple times with different values. It can be used inside or outside of brackets.
    Example: [–x files]...
        Ellipsis outside brackets indicates that –x file is optional and may be repeated as follows: –x file1 –x file2 –x file3
    Example: [–x file...]
        Ellipsis inside brackets indicates –x file is optional, and the file variable can be repeated as follows: –x file1 file2 file3
    Example: –x file [–x file]...
        Indicates that you must specify –x file at least once.

Double straight quotes (″ ″)
    Description: Double straight quotation marks (″ ″) around an option ensure that it is read as a single option. These allow variable substitution.
    Example: –L ″–p 9495″

Single straight quotes (’ ’)
    Description: Single straight quotation marks (’ ’) around an option ensure that it is read as a single option. Single quotation marks do not allow variable substitution.
    Example: The command ls ’part 1’ is read as the ls command followed by the single option ’part 1’. Without the straight quotation marks, the command would be interpreted to list the file part and then the file 1.
checkrules

Used to validate the contents of a customized rule file.

Syntax

Linux and UNIX-based systems:
checkrules filename ...

Windows system:
checkrules.cmd filename ...

Description

This command validates the contents of a customized rules file, for example, incident rules and summarization rules. Validate the rules file syntax before activating changes.

Options

filename
    The file name of the file containing the rules to validate. Up to nine rule files can be specified.

Notes

The checkrules utility is a shell script on Linux and UNIX-based systems and a command file on a Windows system. You can specify as many as nine rule files when using the checkrules utility.

The checkrules utility creates an instance of the correlation engine and passes the rule file to the correlation engine for parsing. Any error messages that are displayed are generated by the correlation engine, which is a component of Tivoli Enterprise Console EIF. For details of the syntax of the rules file, see the Tivoli Event Integration Facility User’s Guide.

Examples

1. The following command is used to show a usage statement for the command.
   checkrules
   USAGE: checkrules rule_file_name

2. The following command is used to show the output when the input file contains valid syntax.
   checkrules test
   Checking syntax of rules in file, C:\rmadhome\bin\test.
   No problems found.

3. The following command is used to show some of the possible syntax error messages.
   checkrules test
   Checking syntax of rules in file, C:\rmadhome\bin\test.
   An error has been found at or near line 5.
   Details: ECOZC1016E There was an error when reading the State Correlation XML Configuration file. The following specified predicate is not valid trueMispelled.
   Encountered "trueMispelled <EOF>" at line 1, column 1.
   checkrules test
   Checking syntax of rules in file, C:\rmadhome\bin\test.
   An error has been found at or near line 5.
   Details: ECOZC1010E There was a syntax error when reading the State Correlation XML Configuration file.
   ECOZC1006E There was an internal error when State Correlation was initializing an action. The following action class com.tivoli.zce.actions.libs.RMSummaryDoesNotExist and function RMSummaryDoesNotExist are invalid.

See Also

validateAdvisorRules
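A wrapper, added here as an example and not part of the IBM manual, that enforces the rule above: every customized rule file is passed through checkrules (in batches of at most nine, the per-invocation limit) and an activation step runs only when every batch reports success. Assumptions: checkrules is on PATH (CHECKRULES_CMD overrides it, for instance with a stub), success is recognised by the "No problems found." line the examples show because the manual documents no exit status, and the activation command is supplied by the caller since the manual does not name one here.

```shell
#!/bin/sh
# Added example, not part of the IBM manual. Gate activation of customized
# rule files on a clean checkrules pass.
#
# Assumptions: checkrules is on PATH (override with CHECKRULES_CMD, e.g. a
# stub); success is recognised by the "No problems found." line shown in the
# manual's examples, because the exit status of checkrules is not documented.

# _check_batch CHK FILE... : run one checkrules invocation, echo its output
# and succeed only if the success line is present.
_check_batch() {
    chk=$1
    shift
    out=$("$chk" "$@" 2>&1) || true   # exit status undocumented: ignore it
    printf '%s\n' "$out"
    printf '%s\n' "$out" | grep -q '^No problems found\.$'
}

# validate_rule_files FILE... : split the list into batches of at most nine
# files (the limit stated under Options) and check each batch.
# Returns 0 only if every batch passes, 2 if no files were given.
validate_rule_files() {
    cmd=${CHECKRULES_CMD:-checkrules}
    if [ "$#" -eq 0 ]; then
        echo "validate_rule_files: no rule files given" >&2
        return 2
    fi
    failed=0
    while [ "$#" -gt 0 ]; do
        if [ "$#" -gt 9 ]; then
            _check_batch "$cmd" "$1" "$2" "$3" "$4" "$5" "$6" "$7" "$8" "$9" \
                || failed=$((failed + 1))
            shift 9
        else
            _check_batch "$cmd" "$@" || failed=$((failed + 1))
            shift "$#"
        fi
    done
    if [ "$failed" -ne 0 ]; then
        echo "validate_rule_files: $failed batch(es) failed validation" >&2
        return 1
    fi
    return 0
}

# activate_rules ACTIVATE_CMD FILE... : validate first, and only then run the
# caller-supplied activation command (the manual does not name one here).
activate_rules() {
    activate=$1
    shift
    if ! validate_rule_files "$@"; then
        echo "activate_rules: activation aborted, fix the rule files first" >&2
        return 1
    fi
    "$activate"
}
```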
getpdinfo

Used to gather Problem Determination data.

Syntax

getpdinfo [–a] [–c] [–d] [–e] [–f] [–i] [–j] [–m] [–n] [–p] [–s] [–t] [–T] [–w] [–v]

Description

Used to gather data (configuration files, log files, tracing information, and so on) from various locations and add them to one central location for easy collection, packaging, retrieval, and analysis.

Options

–a
    Agent – retrieves all agent configuration files.

–c
    Core – collects all core files (Linux and UNIX-based systems only).

–d
    Database utilities – gathers configuration and log files.

–e
    Environment – displays information such as disk usage, memory statistics, and so on.

–f
    Web Application – gathers configuration and log files.

–i
    Install – gathers log and history files related to the installation.

–j
    Java – displays the version of Java you are using.

–m
    Message – collects message logs.

–n
    Network IDS – collects all configuration and rules files for Network IDS.

–p
    Perl – displays the version of Perl you are using.

–s
    Security – gathers secure password and stash files.

–t
    Trace – collects trace logs.
–T
    Tivoli Enterprise Console – collects rules and tasks, and dumps the event reception log.

–w
    Web IDS – collects all configuration and rules files.

–v
    Verbose – gathers all information by running all options with the exception of –s.

Authorization

Administrator authorization required.

Notes

If no parameters are given, the command usage is displayed.

The –v option will retrieve problem determination data for every component with the exception of the password and stash files, which must be requested separately with the –s option specified last.

Environment Variables

To run the getpdinfo command you must have your PATH environment variable set to /usr/ibm/tivoli/common/HRM/scripts for Linux and UNIX-based systems and %systemdrive%\Program Files\ibm\tivoli\common\HRM\scripts for a Windows system.

Files

The results are deposited in /usr/ibm/tivoli/common/HRM/service for Linux and UNIX-based systems and %systemdrive%\Program Files\ibm\tivoli\common\HRM\service for a Windows system. Along with collecting files, the getpdinfo command also generates a SUMMARY.doc file in the service directory.

Examples

1. The following command is used to gather all Problem Determination data including the secure password and stash files.
   getpdinfo -v -s

2. The following command is used to gather all Problem Determination data including the agent configuration files.
   getpdinfo -a

See Also

None
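Added here as an example, not from the IBM manual: a wrapper that applies two points above, moving –s to the end of the option list when it is requested (as the Notes require) and treating the service directory as secret-bearing, since with –s it holds the password and stash files, by making every collected file owner-readable only before the bundle is handed to support. Assumptions: getpdinfo is on PATH (GETPDINFO_CMD overrides it, for instance with a stub) and writes to the default service directory /usr/ibm/tivoli/common/HRM/service (PD_SERVICE_DIR overrides it).

```shell
#!/bin/sh
# Added example, not part of the IBM manual. Collect problem determination
# data with getpdinfo and lock down the output directory afterwards.
#
# Assumptions: getpdinfo is on PATH (override with GETPDINFO_CMD, e.g. a stub
# for testing) and writes into /usr/ibm/tivoli/common/HRM/service (override
# with PD_SERVICE_DIR). Options use the plain "-" form of the manual's examples.

# order_pd_options OPT... : print the options with -s, if present, moved to
# the end, as the Notes section requires. Repeated -s collapse to one.
order_pd_options() {
    want_s=0
    rest=""
    for opt in "$@"; do
        if [ "$opt" = "-s" ]; then
            want_s=1
        else
            rest="$rest $opt"
        fi
    done
    if [ "$want_s" -eq 1 ]; then
        rest="$rest -s"
    fi
    printf '%s\n' "${rest# }"
}

# lock_down_dir DIR : the bundle may contain password and stash files, so
# make the directory and everything in it accessible to the owner only.
# Returns 1 if anything is still group- or world-readable afterwards.
lock_down_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "lock_down_dir: $dir is not a directory" >&2
        return 2
    fi
    chmod 700 "$dir"
    find "$dir" -type d -exec chmod 700 {} +
    find "$dir" -type f -exec chmod 600 {} +
    leaked=$(find "$dir" \( -perm -040 -o -perm -004 \) | wc -l | tr -d ' ')
    [ "$leaked" -eq 0 ]
}

# collect_pd_bundle OPT... : run getpdinfo with the options in the required
# order, then lock down the service directory. Returns getpdinfo's status if
# it fails, otherwise the lock-down result.
collect_pd_bundle() {
    tool=${GETPDINFO_CMD:-getpdinfo}
    service_dir=${PD_SERVICE_DIR:-/usr/ibm/tivoli/common/HRM/service}
    opts=$(order_pd_options "$@")
    # word splitting of $opts is intended: it holds single-letter options only
    "$tool" $opts || return $?
    lock_down_dir "$service_dir"
}
```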
nids

Used to manually start Network IDS.

Syntax

nids [–a] [–c config_filename] [–d] [–e] [–f filename] [–i interface] [–m msgfile] [–o outfile] [–q] [–y] [–r sigfile] [–s char] [–v value] [–M size] [–K] [–P] [–S num_packets] [–R] [–T] [–V]

Description

This command is used to manually start Network IDS with any of the available command options.

Options

–a
    Displays the medium access control (MAC) address for Ethernet or Token Ring traffic. The default value is OFF. Typically, Network IDS prints out the source and destination Internet Protocol (IP) level address. This option adds printing of the MAC (physical level) addresses.

–c config_filename
    Specifies an alternate configuration file name. The default name is ./ids.cfg.

–d
    Specifies that the process should not run as a daemon. By not running as a daemon, the process will not have automatic restart capability when the process dies or is stopped.

–e
    Specifies EIF mode, where alerts are sent to the Tivoli Risk
    Manager EIF. For normal use with Tivoli Risk Manager EIF, the ids.cfg file is set to specify that alerts are to be sent to the Tivoli Risk Manager EIF.

–f filename
    Enables Network IDS to read data from a file instead of by sniffing the network. Network IDS can read standard tcpdump output files, or packets that are dumped when you use the nids –o option. It then processes them for intrusion signatures.

–i interface
    Specifies the interface that you want to use. The default is the first non-loopback interface. Network IDS can listen on the loopback as well as any Ethernet or Token Ring interface. If a host has multiple interfaces, you can run multiple copies of Network IDS, one for each network interface that you want to monitor.

–m msgfile
    Specifies an alternate alert messages file. The default message file is ./ids.msg. The ids.msg file provides the output message strings for the built-in alerts. Network IDS specifies the message strings for signature-based alerts in the ids.rules file; however, you cannot edit the ids.rules file.

–o outfile
    Specifies a packet logging file name. The default is not to do any packet logging. You can process a packet log file later by using the nids –f option.

–q
    Specifies the quiet mode, where no alerts are sent to standard out (STDOUT). The default mode is to send alerts to standard out.

–y
    Specifies the syslog mode, where alerts are sent to syslog. The default is not to send alerts to syslog. For use with the Tivoli Enterprise Console adapter, use the ids.cfg file to specify that alerts are to be sent to the syslog. The behavior specified in ids.cfg overrides the default action.

–r sigfile
    Specifies an alternate rules file name. The default rules file is ids.rules, or the file that is specified in the ids.cfg file. The rules file specifies the variable signature-based alert rules and also specifies the output messages.

–s char
    Specifies the alert field separator (for example: \n, \t, \0x0a, and so on). The default separator is \n.

–v value
    Prints to console alerts (>= value). The default value is 0, meaning that Network IDS prints the alerts. For sensors in networks under frequent scanning, this number can be set higher to reduce the volume of low risk alerts.

–M size
    Specifies the maximum transfer unit (MTU) of the interface. The default value is 1500 MTU.

–K
    Kills or stops Network IDS from running the daemon process and then exits.

–P
    Runs in nonpromiscuous mode. The default is to run in promiscuous mode. Normally you run Network IDS on a dedicated machine to scan the network traffic in promiscuous mode. You can also run Network IDS on a production server in nonpromiscuous mode. In this case, Network IDS examines only packets to or from the local host. By running in nonpromiscuous mode, Network IDS greatly reduces the load on the local host.
–S num_packets
    Displays the device statistics when running. The default is not to have statistics run.

–R
    Restarts the Network IDS daemon process. If a Network IDS process is running as a daemon, running the nids –R command again will cause the Network IDS daemon process to restart and the second nids command will then exit.

–T
    Use to force Token Ring processing because the default value is not to force Token Ring mode. Normally Network IDS automatically determines whether an interface is Token Ring. In some cases, this detection might not work. Therefore, this option allows you to force the processing.

–V
    Use to display the Network IDS version and date information.

Authorization

Administrator authorization required.

Examples

1. The following command is used to restart the Network IDS daemon process.
   nids -R

2. The following command is used to kill or stop the Network IDS from running the daemon process and then exit.
   nids -K

3. The following is used to specify an alternate alert message file.
   nids -m msgfile

4. The following is used to specify an alternate rules file name.
   nids -r sigfile

See Also

startnids, stopnids
rma_webids

Used to install the Web IDS Service Stub on a Windows system.

Syntax

rma_webids [-h | -v | -c STRING | -i service_name | -r service_name]

Description

After installing Tivoli Risk Manager, the Web IDS Service Stub must be installed as a Windows Service and configured to use the Web IDS configuration file. First, install the Tivoli Risk Manager EIF and verify that the RMADHOME variable is set in the Windows registry. Also, Tivoli Risk Manager’s version of Perl, the Web IDS Perl script and the Web IDS configuration must be installed in their default locations.

Options

–h or --help
    Usage and help text.

–v or --version
    Reports the current version and build.

–c STRING or --config=STRING
    Specifies the complete path and file name of the Web IDS configuration file.
    where:
    STRING will be the path and filename, for example "f:\Program Files\My Web Server\Config\webids.cfg".
    Note: This option is not needed if the Web IDS configuration file is in the Tivoli Risk Manager /etc/ directory.

–i service_name
    Installs the adapter as a Windows NT service.

–r service_name
    Removes the adapter as a Windows NT service.
    where:
    service_name will be the service name, for example webids, web1, web2.

Authorization

Administrator authorization required.

Notes

The service_name is associated with the Windows service that is used to start, stop, and remove the Web IDS Service Stub.

Return Values

The command string returned from rma_webids –i can be used to debug runtime problems.
"e:\IBM\RISKMGR\perl\bin\perl.exe" "e:\IBM\RISKMGR\bin\webids.bat" -c "e:\IBM\RISKMGR\etc\webids.cfg" -t -e syslog
Files

The following changes must be applied to the Web IDS configuration file. The Rollover logfile mechanism must be used to specify the location of the Web Server’s HTTP access logs. Also, it must be configured to use the Tivoli Risk Manager EIF to send events.

# For example, the following are common values
# to support Apache on Linux:
#
filePattern_value = log.*
filePath_value = f:\Web Server Logs\
fileMatch_value = 1

# Provides the fully qualified path to the   #
# Risk Manager Event Integration Facility    #
# library files.                             #
#                                            #
##############################################
librmad_value = 1
librmadPath_value = path to rmad.dll

Examples

1. The following command is used to install the Web IDS Service Stub as a Windows Service.
   f:\>rma_webids -i webids
   HRMWS0007I: Attempting to install service: webids
   HRMWS0008I: Service installed: webids
   HRMWS0030I: WebIDS service commands: "e:\IBM\RISKMGR\perl\bin\perl.exe" "e:\IBM\RISKMGR\bin\webids.bat" -c "e:\IBM\RISKMGR\etc\webids.cfg" -t -e syslog
   HRMWS0002I: Exiting...

2. The following command is used to remove the Web IDS Service Stub.
   rma_webids –r webids
   f:\>rma_webids -r webids
   HRMWS0008I: Attempting to remove service: webids
   HRMWS0011I: Service removed: webids
   HRMWS0002I: Exiting...

See Also

webids
rmagent

Used to run the agent from the command line.

Syntax

rmagent [-i | -r]

Description

This command is used to run the agent from the command line.

Options

–i
    Used to install the agent as a service on a Windows system.

–r
    Used to remove the agent as a service on a Windows system.

Authorization

Administrator authorization required.

Environment Variables

On Linux and UNIX-based systems, you must set up the Tivoli Risk Manager environment by running:
. /etc/Tivoli/rma_eif_env.sh

Examples

1. The following command is used to install an agent as a service on a Windows system:
   rmagent -i

2. The following command is used to remove an agent as a service on a Windows system:
   rmagent -r

See Also

wrmadmin
rmcorr_cfg

Used to configure the Tivoli Enterprise Console Server to process Tivoli Risk Manager events and to load the Tivoli Risk Manager Task Library. Note: if your Tivoli Enterprise Console Server is running on a Windows system, you will need to invoke the script using bash.

Syntax

Linux and UNIX-based systems:
rmcorr_cfg [-delete | -install | -reconfig | -status | -tasklib | -uninstall]

Windows system:
bash rmcorr_cfg [-delete | -install | -reconfig | -status | -tasklib | -uninstall]

Description

The Tivoli Risk Manager configuration script, rmcorr_cfg, configures the Tivoli Enterprise Console Server to process Tivoli Risk Manager events. The script also loads the Tivoli Risk Manager Task Library.

Options

–delete
    Removes Tivoli Risk Manager components from the current rule base. Reloads the default Tivoli Enterprise Console rule base.

–install
    Installs Tivoli Risk Manager components in the rule base.

–reconfig
    Activates configuration file changes and restarts the event server.

–status
    Shows the status of Tivoli Risk Manager components.

–tasklib
    Compiles the Tivoli Risk Manager task library and creates default jobs.

–uninstall
    Removes the Tivoli Risk Manager components from the rule base and the Tivoli Risk Manager task library.

–update
    Updates the current rule base. Use this option after changing or adding BAROC files.

If you specify the –install option, the following options can be specified:

–exist rulebase
    Specifies adding Tivoli Risk Manager components to the existing rule base.

–new rulebase
    Specifies that the rule base is to be created.

–dir directory
    Specifies the directory where you want to create the rule base.
    Note: If your directory name contains a space character, be sure to escape the space.
    For example, if your directory is C:\Program Files\abc, specify C:\\Program\ Files\abc

–trace
    Specifies to enable tracing of the Tivoli Risk Manager rules. This option can also be specified with –update.

Authorization

Administrator authorization required.

Notes

You can configure Tivoli Enterprise Console correlation to load the Tivoli Risk Manager correlation components into an existing rule base or to create a new rule base that contains the Tivoli Risk Manager correlation components. If you are creating a new rule base, you can specify an optional existing rule base by using the rmcorr_cfg –exist option. In this case, Tivoli Risk Manager bases the new rule base on the existing rule base instead of the Tivoli Risk Manager default rule base named Default.

After you create or load a rule base, assign the Tivoli Risk Manager-specific event groups to an administrator. Refer to the IBM Tivoli Enterprise Console User’s Guide for more information about administration roles.

Examples

1. The following command is used to create a new rule base that contains the Tivoli Risk Manager processing.
   rmcorr_cfg -install -new testrulebase -dir /myrskmgrrulebases
   where:
   directory
       Specifies the directory where you want to place the new rule base file.
       Note: If your directory name contains a space character, be sure to escape the space. For example, if your directory is C:\Program Files\abc, specify C:\\Program\ Files\abc.
   rulebase_name
       Specifies the name of the newly created rule base.

2. The following command is used to activate Tivoli Risk Manager processing in an existing rule base.
   rmcorr_cfg -install -dir /myrskmgrrulebases -exist testrulebase
   where:
   directory
       Specifies the rule base directory.
       Note: If your directory name contains a space character, be sure to escape the space.
       For example, if your directory is C:\Program Files\abc, specify C:\\Program\ Files\abc.
   existing_rulebase
       Specifies the name of the existing rule base.

3. The following command is used to display the status of the event server.

   rmcorr_cfg –status

4. The following command is used to activate changes you made on the event server.

   rmcorr_cfg –reconfig

See Also
rmt_corrstatus, rmt_corrupdate, rmt_corruninstall
rmt_corrstatus

Used to show the status of the Tivoli Risk Manager event server components. This command invokes rmcorr_cfg –status.

Syntax
rmt_corrstatus

Description
This command is used to check the event server component status.

Authorization
Administrator authorization required.

Notes
This command wraps rmcorr_cfg –status.

See Also
rmcorr_cfg
rmt_corrupdate

Used to update Tivoli Risk Manager event server components in the current rule base. This command invokes rmcorr_cfg –update.

Syntax
rmt_corrupdate

Description
This command is used to update the Tivoli Risk Manager event server components in the current rule base.

Authorization
Administrator authorization required.

Notes
This command wraps rmcorr_cfg –update.

See Also
rmcorr_cfg
rmt_corruninstall

Used to uninstall Tivoli Risk Manager event server components from the current rule base. This command invokes rmcorr_cfg –uninstall.

Syntax
rmt_corruninstall

Description
This command is used to remove the Tivoli Risk Manager event server components from the current rule base.

Authorization
Administrator authorization required.

Notes
This command wraps rmcorr_cfg –uninstall.

See Also
rmcorr_cfg
startnids

Used to start the Network IDS daemon.

Syntax
startnids

Description
Network IDS provides a startup script, startnids, that writes a line to the /etc/inittab file so Network IDS will start automatically even if it dies or the system is rebooted. This automatic startup capability provides some level of security to the user in knowing that Network IDS is always running even after a reboot.

Authorization
Administrator authorization required.

Files
Adds an entry for the Network IDS daemon into the /etc/inittab file to provide an automatic respawn capability.

Examples
1. The following command is used to start the Network IDS daemon.

   startnids

See Also
stopnids, nids
stopnids

Used to stop the Network IDS daemon.

Syntax
stopnids

Description
Used to stop the Network IDS daemon.

Authorization
Administrator authorization required.

Files
Removes the entry for the Network IDS daemon from the /etc/inittab file.

Examples
1. The following command is used to stop the Network IDS daemon.

   stopnids

See Also
startnids, nids
validateAdvisorRules

Used to validate the contents of customized Advisor Web application rule files.

Syntax
Linux and UNIX-based systems:
   validateAdvisorRules directory_of_jars [-h] -r filename ...
Windows system:
   validateAdvisorRules.cmd directory_of_jars [-h] -r filename ...

Description
The validateAdvisorRules command validates the contents of a customized rules file, for example, AdvisorRules.xml. The rules file syntax should be validated before deploying the rules in the Advisor Web application.

Options
directory_of_jars
    The directory which contains the rmwebapp.jar, rmwebapp_msg.jar, xerces.jar, xmlParserAPIs.jar, and wcl.jar files.

–h or --help
    Displays the help files.

–r or --rules
    The file names containing the XML rules.

filename
    The file name of the file containing the rules to validate. Up to eight rule files can be specified.

Authorization
Administrator authorization required.

Notes
The validateAdvisorRules utility is a shell script on Linux and UNIX-based systems and a command file on a Windows system.

The validateAdvisorRules utility creates an instance of the SAX parser, and passes the rule file to the SAX parser for parsing. Any error messages that are displayed are generated by the SAX parser.

Examples
1. The following command is used to validate the AdvisorRules.xml file. Run this command from the directory where you have installed the Web Application.

   C:\Program Files\WebSphere\AppServer\installedApps\hostname\IBMTivoliRiskManagerWebApp42.ear\rmwebapp42.war\WEB-INF
   validateAdvisorRules .\lib -r AdvisorRules.xml

   where the .\lib directory is a sub-directory of the Web Application installation directory.

2. The following command is used to show syntax error messages when the keyword ″classname″ is misspelled as ″classnam″ in the rules file. Run this command from the directory where you have installed the Web Application.
   C:\Program Files\WebSphere\AppServer\installedApps\hostname\IBMTivoliRiskManagerWebApp42.ear\rmwebapp42.war\WEB-INF
   validateAdvisorRules .\lib -r AdvisorRules.xml

   HRMWAG0973E The SAX parser encountered a syntax error in file AdvisorRules.xml (line 104, column 64): org.xml.sax.SAXParseException: Element type "classnam" must be declared.
   HRMWAG0973E The SAX parser encountered a syntax error in file AdvisorRules.xml (line 105, column 12): org.xml.sax.SAXParseException: The content of element type "AND" must match "(AND|OR|NOT|XOR|classname|attribute|login|eventtime)+".
   HRMWAG0973E The SAX parser encountered a syntax error in file AdvisorRules.xml (line 392, column 29): org.xml.sax.SAXParseException: Attribute "id" is required and must be specified for element type "rule".
See Also
checkrules
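As an added example (not the validateAdvisorRules script or the product's DTD), the Python below reproduces the three checks behind the messages in example 2 over a small constructed rules file and reports them in the same HRMWAG0973E line/column shape; the element names come from those messages, while the rules/rule container names and the sample file are assumptions.

```python
"""Structural checks modelled on the validateAdvisorRules error output.

Added example: not the product's script, which hands the file to a SAX
parser that validates against the Advisor rules DTD. This stand-in runs
Python's SAX parser and reimplements the three checks seen in the page's
error messages (undeclared element, disallowed child of AND/OR/NOT/XOR,
<rule> without an "id" attribute). The "rules" and "rule" container
names and the layout of SAMPLE_RULES are assumptions for the example."""
import xml.sax
from xml.sax.handler import ContentHandler

LOGICAL = {"AND", "OR", "NOT", "XOR"}
LEAVES = {"classname", "attribute", "login", "eventtime"}
# Content model quoted in the page's second error message.
LOGICAL_CONTENT = "(AND|OR|NOT|XOR|classname|attribute|login|eventtime)+"
ALLOWED_IN_LOGICAL = LOGICAL | LEAVES
DECLARED = ALLOWED_IN_LOGICAL | {"rules", "rule"}   # assumed container names


class RuleChecker(ContentHandler):
    """Collects error lines in the HRMWAG0973E shape shown on the page."""

    def __init__(self, filename):
        super().__init__()
        self.filename = filename
        self.stack = []      # open element names, innermost last
        self.errors = []

    def _error(self, detail):
        loc = self._locator  # set by the parser via setDocumentLocator()
        self.errors.append(
            f"HRMWAG0973E The SAX parser encountered a syntax error in file "
            f"{self.filename} (line {loc.getLineNumber()}, column "
            f"{loc.getColumnNumber()}): {detail}")

    def startElement(self, name, attrs):
        parent = self.stack[-1] if self.stack else None
        if name not in DECLARED:
            self._error(f'Element type "{name}" must be declared.')
        if parent in LOGICAL and name not in ALLOWED_IN_LOGICAL:
            self._error(f'The content of element type "{parent}" must match '
                        f'"{LOGICAL_CONTENT}".')
        if name == "rule" and "id" not in attrs.getNames():
            self._error('Attribute "id" is required and must be specified '
                        'for element type "rule".')
        self.stack.append(name)

    def endElement(self, name):
        self.stack.pop()


def validate_rules(xml_text, filename="AdvisorRules.xml"):
    """Return the list of error messages for one rules document (empty = clean)."""
    handler = RuleChecker(filename)
    try:
        xml.sax.parseString(xml_text.encode("utf-8"), handler)
    except xml.sax.SAXParseException as exc:
        # Not well-formed XML: the parser stops, so report and return what we have.
        handler.errors.append(f"HRMWAG0973E The SAX parser encountered a syntax error "
                              f"in file {filename}: {exc.getMessage()}")
    return handler.errors


# Constructed sample: the second rule misspells classname (as in the page's
# example 2) and has no id attribute.
SAMPLE_RULES = """<?xml version="1.0"?>
<rules>
  <rule id="dos-from-known-host">
    <AND>
      <classname>NIDS_DOS</classname>
      <attribute>rm_SourceHostname</attribute>
    </AND>
  </rule>
  <rule>
    <OR>
      <classnam>NIDS_Scan</classnam>
    </OR>
  </rule>
</rules>
"""

if __name__ == "__main__":
    for line in validate_rules(SAMPLE_RULES):
        print(line)
```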
viewer

Used to run the Log XML Viewer.

Syntax
Linux and UNIX-based systems:
   viewer.sh [(-q Query_String) | (-f filename)] [-s (ascii | html)] [-h] input.xml [input.xml*]
Windows system:
   viewer.bat [(-q Query_String) | (-f filename)] [-s (ascii | html)] [-h] input.xml [input.xml*]

Description
Tivoli applications support a common XML format in which they log messages and traces. This common format is called LOG XML. This viewer processes logs in that format. The viewer can filter messages and traces by time, severity, thread ID, component, and so on. It also correlates messages and traces produced by different products, and converts logged messages into ASCII or HTML for presentation. Visual cues are associated with error and warning messages.

The viewer is a Java program that is installed with the Tivoli Risk Manager base files during installation. The viewer.sh or viewer.bat file will be in the RMINSTDIR/logviewer directory.

Options
–f
    Specifies a file that contains a query string.

–h
    Prints the usage statement.

–q
    Specifies a query string.

–s
    Allows either ASCII or HTML output. The default is HTML.

Authorization
Administrator authorization required.

Notes
Only one of –q or –f can be specified.

Files
All other arguments are interpreted as log XML input files. When multiple input files are given, the log and trace records will be merged based on the timestamp.

Examples
1. The following command is used to show the default field list of all message and trace records in HTML, to sample.html.

   viewer sample.xml > sample.html
2. The following command is used to select for display all fields with a correlation ID of 12, and send output to STDOUT.

   viewer -q"select all where CorrelationId = 12" -sascii sample.xml

3. The following command is used to display all fields with a timestamp less than 1007067881373.

   viewer -q"select all where Millis < 1007067881373" -sascii sample.xml

   where timestamp is the only column name that takes a numeric argument instead of a string. Output is in ASCII format and written to STDOUT.

See Also
None
webids

Used to start Web IDS on Linux and UNIX-based systems or Windows system.

Syntax
webids [-d | -e | -h | -t | -v | -i input_file | -c configuration_file]

Description
Unlike the other Tivoli Risk Manager adapters that must be launched as a daemon or as a Windows NT service, you launch Web IDS by running a Perl script file.

Options
–d
    Prints debug information. The program writes to standard output (STDOUT), which you can then redirect to a file.

–e
    Prints information to syslog or Tivoli Risk Manager EIF depending on the value of librmad_value in the configuration file. If this option is not used, Web IDS parsing results and alerts are printed to STDOUT.

–h
    Displays help information about Web IDS.

–t
    Used to continuously monitor the Web server log.

–v
    Prints version information.

–i input_file
    Specifies the fully qualified path and name of the access log file.

–c configuration_file
    Specifies the fully qualified path and name of the configuration file. The default is:
    $RMADHOME/etc/webids.cfg

Authorization
Administrator authorization required.

Environment Variables
On Linux and UNIX-based systems, you must set up the Tivoli Risk Manager environment by running:

   . /etc/Tivoli/rma_eif_env.sh

Examples
1. The following command is used to start Web IDS on Linux and UNIX-based systems, have it read from the Web server’s access log (webserver.accesslog), and then send the output to the Tivoli Enterprise Console event log adapter.

   webids -e -i webserver.accesslog

2. The following command is used to start Web IDS on Windows 2000, have it read from the Web server’s access log (webserver.accesslog), and then send the output to the Tivoli Enterprise Console event log adapter.

   webids.bat -e -i webserver.accesslog

See Also
rma_webids
wlsesvrcfg

Used to list the configuration parameters for a running Tivoli Enterprise Console server. The command is described here primarily for determining the server’s cache size. See the IBM Tivoli Enterprise Console Reference Manual for more information.

Syntax
wlsesvrcfg -c

Description
In the Tivoli Enterprise Console environment, rules are applied to events that are stored in an event cache. When the cache fills up, events are purged or they are no longer processed by the rules. A full event cache affects correlation results, so check the size of the event cache.

Authorization
User authorization required.

Notes
The recommended value for the size of the Tivoli Enterprise Console event cache is 3000 entries. To change the size of the event cache, type the following:

   wsetesvrcfg -c 3000

If your event cache size is not configured properly, the Tivoli Enterprise Console Server may clean the cache to allow Tivoli Risk Manager to process the events it is receiving. When Tivoli Risk Manager cleans the cache in this situation, the Tivoli Enterprise Console Server issues a TEC_Notice event with the message field set to ″Rule Cache full: forced cleaning.″

When a forced cache cleaning happens, existing Tivoli Risk Manager situation events may:
• Appear to stop being processed by the rules. This occurs if an existing incident group does not receive additional events to contribute to the process. Because the existing event is no longer in the cache, the decay rules will not be applied to the event.
• Be duplicated in your event repository. Duplication takes place if additional events that contribute to the incident group fact base arrive at the server. This duplication happens because the original instance of the situation event has been removed from the cache and is no longer being processed by the rules. The original incident group will not be updated (see the previous bullet).

Examples
1. The following command is used to display current settings.

   wlsesvrcfg

2. The following command is used to change the size of the event cache.

   wsetesvrcfg -c 3000

See Also
None
wrmadmin

Used to manage the agent.

Syntax
wrmadmin [-i] [-r component name ...] [-s component name ...] [-k]

Description
Use this command to manage the agent. It provides the capability of obtaining status, starting and stopping individual components, and terminating and restarting the agent. See the rmagent.xml file for specific component names. For more information on this file, see the Agent chapter in the IBM Tivoli Risk Manager User’s Guide.

Options
–i or –info
    Displays version information and status of individual agent components (active or inactive). For example, when using the –i option you might see the following status information displayed for a running agent:

    Tivoli Risk Manager Component Status
    ==========================================
    Receivers
        eif_receiver:    Running
        heartbeat:       Stopped
    Engines
        correlation:     Unknown
    Destinations
        db_sender:       Failed Retrying
        eif_sender:
            Instance 1 of 3: Running
            Instance 2 of 3: Failed Retrying
            Instance 3 of 3: Running

    where:
    Running
        The specified Tivoli Risk Manager component is running.
    Stopped
        The specified Tivoli Risk Manager component has stopped.
    Failed Retrying
        The specified Tivoli Risk Manager component has encountered an error in processing and is retrying.
    Unknown
        The status of the specified Tivoli Risk Manager component is unknown.
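Scripted health checks need this report as data rather than text. The following is an added example, not part of the product: it parses the status report above (re-typed with an assumed column layout) and lists every component or instance that is not Running.

```python
"""Parse the wrmadmin -i component status report into structured data.

Added example, not part of the product. The sample report is the one
printed on the page, re-typed with an assumed layout (one component per
line under its section, instance lines indented beneath a bare
"name:" line). Section and status vocabulary is the page's: Receivers,
Engines, Destinations; Running, Stopped, Failed Retrying, Unknown."""
import re

SECTIONS = {"Receivers", "Engines", "Destinations"}
STATUSES = {"Running", "Stopped", "Failed Retrying", "Unknown"}

# Constructed from the sample on the page (exact column layout assumed).
SAMPLE_REPORT = """\
Tivoli Risk Manager Component Status
==========================================
Receivers
  eif_receiver:    Running
  heartbeat:       Stopped
Engines
  correlation:     Unknown
Destinations
  db_sender:       Failed Retrying
  eif_sender:
    Instance 1 of 3: Running
    Instance 2 of 3: Failed Retrying
    Instance 3 of 3: Running
"""

INSTANCE_RE = re.compile(r"^\s*Instance (\d+) of (\d+):\s*(.+?)\s*$")
COMPONENT_RE = re.compile(r"^\s*([A-Za-z0-9_]+):\s*(.*?)\s*$")


def parse_status(report):
    """Return {section: {component: status or {instance_no: status}}}."""
    result, section, component = {}, None, None
    for line in report.splitlines():
        text = line.strip()
        if not text or text.startswith("=") or text == "Tivoli Risk Manager Component Status":
            continue
        if text in SECTIONS:
            section, component = text, None
            result[section] = {}
            continue
        if section is None:
            raise ValueError(f"component line before any section: {line!r}")
        m = INSTANCE_RE.match(line)
        if m:
            if component is None or not isinstance(result[section][component], dict):
                raise ValueError(f"instance line without a multi-instance component: {line!r}")
            status = m.group(3)
            if status not in STATUSES:
                raise ValueError(f"unknown status {status!r} on line {line!r}")
            result[section][component][int(m.group(1))] = status
            continue
        m = COMPONENT_RE.match(line)
        if m:
            component, status = m.group(1), m.group(2)
            if status == "":
                result[section][component] = {}   # instance lines follow
            elif status in STATUSES:
                result[section][component] = status
            else:
                raise ValueError(f"unknown status {status!r} on line {line!r}")
            continue
        raise ValueError(f"unrecognised line: {line!r}")
    return result


def unhealthy(parsed):
    """(section, component, instance or None, status) for everything not Running."""
    found = []
    for section, components in parsed.items():
        for name, status in components.items():
            if isinstance(status, dict):
                found.extend((section, name, n, st) for n, st in sorted(status.items())
                             if st != "Running")
            elif status != "Running":
                found.append((section, name, None, status))
    return found


if __name__ == "__main__":
    for item in unhealthy(parse_status(SAMPLE_REPORT)):
        print(item)
```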
–r component name or –restart component name
    Stops and then restarts one or more of the agent components. If there is no component name specified, the agent will be stopped and restarted. This option is used to activate agent configuration changes. The –i option will automatically run when using the –r option.
–s component name or –stop component name
    Stops one or more of the agent components. The –i option will automatically run when using the –s option.

–k or –kill
    Terminates the agent daemon. Use this option for a shutdown.

Authorization
Administrator authorization required.

Notes
1. See the rmagent.xml file for specific component names. For more information on this file, see the Agent chapter in the IBM Tivoli Risk Manager User’s Guide.
2. Component name refers to the sources, destination, or engine name defined in the rmagent.xml configuration file.
3. When the rmcorr_cfg command is used to update the Tivoli Risk Manager event server on the Tivoli Enterprise Console server, the agent will be automatically restarted. Both the Tivoli Enterprise Console server and the agent are stopped and restarted when the –install, –update and –reconfig options are used with the rmcorr_cfg command.

Return Values
This command returns these values:
0
    Successful completion.
non-zero
    An error has occurred.

Environment Variables
On Linux and UNIX-based systems, you must set up the Tivoli Risk Manager environment by running:

   . /etc/Tivoli/rma_eif_env.sh

Examples
1. The following command is used to display version information and status of the agent (active or inactive).

   wrmadmin -i

2. The following command is used to stop and restart the eif_sender and heartbeat components.

   wrmadmin –r eif_sender heartbeat

3. The following command is used to stop the eif_sender and heartbeat components.

   wrmadmin –s eif_sender heartbeat

4. The following command is used to terminate the agent daemon.

   wrmadmin -k

See Also
wrmqueue, rmagent
wrmdbclear

Used to remove all closed Tivoli Risk Manager events from the Tivoli Enterprise Console and Tivoli Risk Manager databases.

Syntax
wrmdbclear -t hours [-D] [ -a | -e ] [-b records] [-f] [-c configfile] [RIM_object]

Description
The wrmdbclear command is used to remove Tivoli Risk Manager events older than a user-specified time threshold, specified in hours. You are prompted for confirmation before the delete operation is carried out. The command can be used to remove events from both the Tivoli Enterprise Console event repository as well as the Tivoli Risk Manager archive table, but not at the same time. It is necessary for the program to be invoked separately to remove events from the Tivoli Enterprise Console event repository and from the Tivoli Risk Manager archive table.

Options
–t hours
    Age threshold; events must be older than the number of hours specified. No default. Minimum value is 0 (hours). For events in the archive table or the event repository, the time comparison is made against the reception time of the event. If 0 (zero) is specified, all events older than the current time when you run the command are removed.

–D
    Debug; outputs debug and trace information to STDOUT. The default value is no debugging.

–a
    Only events in the Tivoli Risk Manager archive table are removed. The default value is off.

–e
    Only Tivoli Risk Manager events in the Tivoli Enterprise Console event repository are removed. The default value is on.

–b records
    Deprecated: A database commit is performed after every n number of records are deleted. The default value is 100 records. Specifying this option has no effect on the operation of the command.

–f
    Forces removal; does not display the ″Are you sure?″ prompt. The default value is off.

–c configfile
    Allows you to optionally specify a configuration file that contains database configuration data for a database that is different from the one installed and configured with Tivoli Risk Manager. The data in the file must be in the same format as the db_sender.conf file. The fully specified filename must be entered as a parameter. If this parameter is not specified, the version of the db_sender.conf file in the RMADHOME/etc directory is used to acquire the database configuration information.

RIM_object
    Deprecated: RIM database where events are stored. The default value is tec. Specifying this option has no effect on the operation of the command.
Return Values
Returns 0 if successful. An informational message is also displayed:

   HRMDB0020I – No events to remove.
   HRMDB0021I – <Number> events removed.

If an error is encountered, the value –1 is returned. An error message will be displayed.

Authorization
Administrator authorization required.

Notes
Option –t hours must be specified. Options –a and –e cannot both be specified in the same invocation of the program.

Environment Variables
RMADHOME
    Directory where Tivoli Risk Manager is installed.
RMJDBCPATH
    Directory where the JDBC driver used by Tivoli Risk Manager is installed.

Examples
1. The following command is used to remove all of the closed Tivoli Risk Manager events older than 24 hours from the Tivoli Enterprise Console database. User confirmation is required.

   wrmdbclear -t 24

2. The following command is used to remove all of the Tivoli Risk Manager sensor events older than 72 hours from the Tivoli Risk Manager archive table. It uses the force option to bypass user confirmation.

   wrmdbclear -t 72 -a -f

3. The following command is used to remove all of the Tivoli Risk Manager sensor events older than 96 hours from the Tivoli Risk Manager archive table. The testdb.conf file is an alternate JDBC configuration file. User confirmation is required.

   wrmdbclear -t 96 -a -c testdb.conf

See Also
wrmdbclose
wrmdbclose

Used to close Tivoli Risk Manager events in the Tivoli Enterprise Console database.

Syntax
wrmdbclose -t hours [-D] [-e | -g | -h | -i | -r | -s] [-c configfile] [RIM_object]

Description
The wrmdbclose command can be used to close all Tivoli Risk Manager events older than a user-specified threshold. When used to close incident group events, the program also closes all contributing incident events. In addition, it sends a special event, for example, RM_CloseIncidentGroups, to the event server so that any existing correlation facts pertaining to the incident groups are purged from the Tivoli Enterprise Console cache. One of the attributes included in this special event is a shared secret key that is obtained from the RMINSTDIR/etc/tec/rules/riskmgr_flush.dat file. Run this command only from the Tivoli Enterprise Console server because it must have access to the file containing a shared secret.

Options
–t hours
    Age threshold; incidents and events must be older than the number of hours specified. No default. Minimum value is 0 (hours), which means close all events. For incidents and incident groups, the time comparison is made against the time of the last contributing event or incident, respectively. For sensor events, the time comparison is made against the reception time of the event.

–D
    Debug; outputs debug and trace information to STDOUT. The default value is no debugging.

–e
    Only internal error events (class RM_Error) are closed.

–g
    Only incident group events (class RM_IncidentGroup) and their contributing incidents (class RM_Incident) are closed.

–h
    Only trusted host events (class RM_TrustedHost) are closed.

–i
    Only incident events (class RM_Incident) are closed.

–r
    Only detected sensor host events (class RM_Sensor) are closed.

–s
    Only sensor events (class RM_SensorEvent) are closed.

–c configfile
    Allows you to optionally specify a configuration file that contains database configuration data for a different database than the one installed and configured with Tivoli Risk Manager. The data in the file must be in the same format as the db_sender.conf file. The fully specified filename must be entered as a parameter. If this parameter is not specified, the version of the db_sender.conf file in the RMADHOME/etc directory is used to acquire the database configuration information.

RIM_object
    Deprecated: RIM database where events are stored. The default value is tec. Specifying this option has no effect on the operation of the command.
Authorization
Administrator authorization required.

Notes
Option –t hours must be specified. At least one of the following options must be specified: –e, –g, –h, –i, –r, –s.

Return Values
Returns 0 if successful. If an error is encountered, the value –1 is returned. An error message will also be displayed.

Environment Variables
RMADHOME
    Directory where Tivoli Risk Manager is installed.
RMJDBCPATH
    Directory where the JDBC driver used by Tivoli Risk Manager is installed.

Files
The wrmdbclose command requires read-only access to the RMINSTDIR/etc/tec/rules/riskmgr_flush.dat file.

Examples
1. The following command is used to close all Tivoli Risk Manager events older than 24 hours.

   wrmdbclose -t 24 -gierhs

2. The following command is used to close Tivoli Risk Manager incident group events and corresponding incident events that have not been updated within the last 72 hours.

   wrmdbclose -t 72 -g

3. The following command is used to close Tivoli Risk Manager sensor events older than 96 hours.

   wrmdbclose -t 96 -s
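The selection rules that wrmdbclear and wrmdbclose describe (reception time versus the last contributing event or incident, the -t minimum of 0, and the cascade from incident groups to their incidents) are worked through below as an added example over constructed in-memory events; it is not the product's code, and the Event fields and the class-letter table are assumptions.

```python
"""Age-threshold selection as wrmdbclear and wrmdbclose describe it.

Added example, not the product's code; it runs over an in-memory list of
constructed events instead of the RIM database. It implements what the two
command descriptions state: -t hours with minimum 0; wrmdbclear compares the
reception time and removes only CLOSED events; wrmdbclose compares incident
groups against their last contributing incident, incidents against their
last contributing event and other classes against reception time, and
closing a group also closes its contributing incidents. The Event record
fields and the class-letter table are assumptions of this example."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Option letter -> event class, from the wrmdbclose options list.
CLOSE_CLASSES = {"e": "RM_Error", "g": "RM_IncidentGroup", "h": "RM_TrustedHost",
                 "i": "RM_Incident", "r": "RM_Sensor", "s": "RM_SensorEvent"}

SAMPLE_NOW = datetime(2003, 10, 1, 12, 0)   # constructed "current time" for the sample


@dataclass
class Event:
    id: str
    klass: str                  # one of the RM_* classes above
    received: datetime          # reception time at the event server
    status: str = "OPEN"        # OPEN or CLOSED
    contributors: list = field(default_factory=list)   # ids of contributing events


def _check_hours(hours):
    if hours < 0:
        raise ValueError("-t hours: minimum value is 0")


def _activity_time(ev, by_id):
    """Time the threshold is compared against for one event."""
    if ev.klass in ("RM_IncidentGroup", "RM_Incident") and ev.contributors:
        return max(by_id[c].received for c in ev.contributors)
    return ev.received


def db_close(events, hours, flags, now):
    """wrmdbclose: mark matching OPEN events CLOSED and return their ids (sorted)."""
    _check_hours(hours)
    classes = set()
    for letter in flags.lstrip("-"):
        if letter not in CLOSE_CLASSES:
            raise ValueError(f"unknown option -{letter}")
        classes.add(CLOSE_CLASSES[letter])
    if not classes:
        raise ValueError("at least one of -e, -g, -h, -i, -r, -s must be specified")
    cutoff = now - timedelta(hours=hours)
    by_id = {e.id: e for e in events}
    closed = set()
    for ev in events:
        if ev.status != "OPEN" or ev.klass not in classes:
            continue
        if _activity_time(ev, by_id) < cutoff:
            closed.add(ev.id)
            if ev.klass == "RM_IncidentGroup":      # -g also closes contributing incidents
                closed.update(c for c in ev.contributors
                              if by_id[c].klass == "RM_Incident" and by_id[c].status == "OPEN")
    for cid in closed:
        by_id[cid].status = "CLOSED"
    return sorted(closed)


def db_clear(events, hours, now):
    """wrmdbclear: ids of CLOSED events whose reception time is older than the threshold."""
    _check_hours(hours)
    cutoff = now - timedelta(hours=hours)
    return sorted(e.id for e in events if e.status == "CLOSED" and e.received < cutoff)


def sample_events(now):
    """Constructed data: an old incident chain, a recently updated one, an error event."""
    old, recent = now - timedelta(hours=100), now - timedelta(hours=10)
    return [
        Event("s1", "RM_SensorEvent", old),
        Event("i1", "RM_Incident", old, contributors=["s1"]),
        Event("g1", "RM_IncidentGroup", old, contributors=["i1"]),
        Event("s2", "RM_SensorEvent", recent),
        Event("i2", "RM_Incident", recent, contributors=["s2"]),
        Event("g2", "RM_IncidentGroup", old, contributors=["i2"]),   # last incident 10h ago
        Event("err1", "RM_Error", old),
    ]


if __name__ == "__main__":
    evs = sample_events(SAMPLE_NOW)
    print("wrmdbclose -t 72 -g closes:", db_close(evs, 72, "g", SAMPLE_NOW))
    print("wrmdbclear -t 24 removes:", db_clear(evs, 24, SAMPLE_NOW))
```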
See Also
wrmdbclear
wrmdns

Used to make temporary changes to the Tivoli Risk Manager DNS state (on or off) as well as display current settings and statistics.

Syntax
wrmdns [-listcache | -clearcache | -statistics | -resolve ipaddr | -on | -off]

Description
The wrmdns command provides the user administration capabilities over optional reverse DNS resolution performed by the agent. The command is configured in the incident_engine.conf and summary_engine.conf configuration files. Performing reverse DNS resolution enhances the correlation capabilities for Tivoli Risk Manager and satisfies an IBM Tivoli Enterprise Data Warehouse reporting tool requirement that system names be expressed as fully qualified host names in order for the various reporting mechanisms to aggregate and match properly on system names.

Options
-listcache
    Lists the contents of the DNS cache.

-statistics
    Displays performance statistics from the DNS cache.

-clearcache
    Clears the DNS cache.

-resolve ipaddr
    Provides DNS resolution on a single IP address.

-on
    Turns on DNS resolution. The default value is off.

-off
    Turns off DNS resolution.

Authorization
Administrator authorization required.

Examples
1. The following command is used to dump the cache contents to standard out.

   wrmdns -listcache
   testmachine.test.ibm.com
   testingone.test.ibm.com
   testingtwo.test.ibm.com
   testingthree.test.ibm.com
   testingfour.test.ibm.com
   testingfive.test.ibm.com

2. The following command is used to display cache statistics to standard out.

   wrmdns -statistics
   DNS Resolution :
       Status           : on
       Object TTL       : 300000 ms
       Max Cache Size   : 10000 count
   Performance Statistics:
       Filter Hits      : 10
       Cache Hits       : 594
       Server Hits      : 6
       Efficiency Ratio : 99.0
       Failed Lookups   : 0
       Total Requests   : 610

3. The following command is used to display the interactive DNS resolution.

   wrmdns -resolve 198.35.25.227
   testmachine.test.ibm.com
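The counters in example 2 fall out of a small cache model. The following added example (not the agent's implementation) builds a TTL-bounded reverse-DNS cache with an injected resolver and drives it to the same 610-request figures; the filter rule, LRU eviction and the efficiency formula are assumptions stated in the code.

```python
"""Reverse-DNS cache with the counters reported by wrmdns -statistics.

Added example, not the agent's implementation. It models what the page
states: resolution is off by default and switched with on/off, entries
carry an object TTL in milliseconds, the cache has a maximum size, and the
statistics are filter hits, cache hits, server hits, failed lookups and
total requests. Assumptions of this example: the resolver is an injected
callable so it runs offline, the "filter" is "never look up non-global
addresses", eviction is least-recently-used, failed lookups are also
counted as server hits, and the efficiency ratio is the percentage of
requests answered without a server lookup (which reproduces the page's
99.0 for 610 requests with 6 server hits)."""
import ipaddress
from collections import OrderedDict


class ReverseDnsCache:
    def __init__(self, resolver, ttl_ms=300000, max_size=10000):
        self.resolver = resolver      # ip string -> host name, or None on failure
        self.ttl_ms = ttl_ms
        self.max_size = max_size
        self.enabled = False          # -on / -off; default value is off
        self.now_ms = 0               # simulated clock, advanced by the caller
        self.cache = OrderedDict()    # ip -> (host name or None, expiry in ms)
        self.stats = {"filter_hits": 0, "cache_hits": 0, "server_hits": 0,
                      "failed_lookups": 0, "total_requests": 0}

    def on(self):
        self.enabled = True

    def off(self):
        self.enabled = False

    def clearcache(self):
        self.cache.clear()

    def listcache(self):
        """Host names currently cached and unexpired, as -listcache prints them."""
        return [host for host, expiry in self.cache.values()
                if host is not None and expiry > self.now_ms]

    @staticmethod
    def _filtered(ip):
        # Assumed filter rule: private, loopback and link-local addresses never go to DNS.
        return not ipaddress.ip_address(ip).is_global

    def resolve(self, ip):
        """Return the fully qualified host name for ip, or ip itself when none is available."""
        if not self.enabled:
            return ip
        self.stats["total_requests"] += 1
        if self._filtered(ip):
            self.stats["filter_hits"] += 1
            return ip
        entry = self.cache.get(ip)
        if entry is not None and entry[1] > self.now_ms:
            self.stats["cache_hits"] += 1
            self.cache.move_to_end(ip)
            return entry[0] or ip
        self.stats["server_hits"] += 1
        host = self.resolver(ip)
        if host is None:
            self.stats["failed_lookups"] += 1
        self._store(ip, host)         # negative results are cached for the TTL too
        return host or ip

    def _store(self, ip, host):
        self.cache[ip] = (host, self.now_ms + self.ttl_ms)
        self.cache.move_to_end(ip)
        while len(self.cache) > self.max_size:
            self.cache.popitem(last=False)

    def statistics(self):
        """The figures -statistics prints, as a dict."""
        s = dict(self.stats)
        total = s["total_requests"]
        answered_locally = total - s["server_hits"]
        s["efficiency_ratio"] = round(100.0 * answered_locally / total, 1) if total else 0.0
        s.update(status="on" if self.enabled else "off",
                 object_ttl_ms=self.ttl_ms, max_cache_size=self.max_size)
        return s


# Constructed resolver table. The host names are the ones the page's
# -listcache output shows and 198.35.25.227 is the address the page resolves;
# the other addresses are made up for the example.
SAMPLE_TABLE = {
    "198.35.25.227": "testmachine.test.ibm.com",
    "198.35.25.11": "testingone.test.ibm.com",
    "198.35.25.12": "testingtwo.test.ibm.com",
    "198.35.25.13": "testingthree.test.ibm.com",
    "198.35.25.14": "testingfour.test.ibm.com",
    "198.35.25.15": "testingfive.test.ibm.com",
}


def run_sample():
    """Drive the cache so its counters match the page's -statistics output."""
    cache = ReverseDnsCache(SAMPLE_TABLE.get, ttl_ms=300000, max_size=10000)
    cache.on()
    ips = list(SAMPLE_TABLE)
    for ip in ips:                       # 6 first lookups -> 6 server hits
        cache.resolve(ip)
    for n in range(594):                 # repeats inside the TTL -> 594 cache hits
        cache.resolve(ips[n % len(ips)])
    for _ in range(10):                  # private address from the page -> 10 filter hits
        cache.resolve("10.0.0.3")
    return cache


if __name__ == "__main__":
    for key, value in run_sample().statistics().items():
        print(f"{key:>18}: {value}")
```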
See Also
wrmqueue
wrmfmt2xml

Used to convert existing Tivoli Enterprise Console logfile adapter format files (.fmt file) into a new XML-based format.

Syntax
wrmfmt2xml fmt filename [xml filename]

Description
The wrmfmt2xml command does a line-for-line translation of a format file (.fmt file). Comments are preserved and are automatically converted to XML-style comments. The resulting XML file will generate the same results as the original .fmt file. That is, if a log entry maps to a certain event using an .fmt file, it will map to the exact same event when processed using the XML file. Advanced features that are available only with the XML format, such as prefiltering and indexing, can be manually added to the XML file after the conversion takes place.

Options
fmt filename
    Specifies the name of a single .fmt file to convert. This file name can be either absolute or relative.

xml filename
    Specifies the name of the file that wrmfmt2xml will write the resulting XML information to. If this parameter is not used, wrmfmt2xml will output the XML to STDOUT.

Authorization
Administrator authorization required.

Notes
On a Windows system, the command is wrmfmt2xml.cmd, and on Linux and UNIX-based systems the command is wrmfmt2xml. The scripts are located in the /bin directory of a Tivoli Risk Manager installation.

This command assumes that the .fmt file to be converted is valid and syntactically correct. Incorrect .fmt files could result in incorrect XML files.

Environment Variables
On Linux and UNIX-based systems, you must set up the Tivoli Risk Manager environment by running:

   . /etc/Tivoli/rma_eif_env.sh

RMADHOME
    Directory where Tivoli Risk Manager is installed.
RMJREHOME
    Directory where your Java Runtime Environment is installed.

Examples
1. This command is used to convert the .fmt file to an XML file written to STDOUT.

   wrmfmt2xml webids.fmt

2. This command is used to convert the webids.fmt file to a defined XML file.

   wrmfmt2xml webids.fmt webids.xml
wrmikeyman

Used to run the iKeyman utility.

Syntax
Linux and UNIX-based systems:
   wrmikeyman
Windows system:
   wrmikeyman.cmd

Description
The iKeyman utility is a tool you can use to manage your digital certificates. With iKeyman, you can create a new key database or a test digital certificate, add CA roots to your database, copy certificates from one database to another, request and receive a digital certificate from a CA, set default keys, and change passwords. The iKeyman utility is a part of the IBM Java Secure Socket Extension package and is located in the RMINSTDIR/etc/bin directory.

Authorization
Administrator authorization required.

See Also
See the Secure Socket Layer Introduction and iKeyman chapter in the IBM Tivoli Risk Manager Administrator’s Guide for more information on Secure Socket Layer and digital certificates.
wrmqueue

Used to manage the agent queues.

Syntax
wrmqueue [-h | -l | -p | -x] queue_name

Description
Use the wrmqueue command to monitor and manage the agent queues. Each subcomponent of the agent that is referenced in the rmagent.xml file as a to setting in a connector has a queue associated with its processing. Events that the subcomponent needs to process are put on the associated queue by the subcomponent specified as the from setting in the connector. The processing subcomponent removes the events from the queue when it is ready to process events. If the processing subcomponent is not able to keep up with the event flow, the number of events in the queue will grow.

Queue information is maintained in the following directories:
• RMINSTDIR/persistence/engines (queues for any engines)
• RMINSTDIR/persistence/senders (queues for any sender destinations)

Options
–h or –help
    Displays the help messages.

–l or –list
    Lists the name, number of events, and types of all queues.

–p or –purge
    Clears one specific queue (specified on the command line).

–x or –purgeall
    Clears the queue.

Authorization
Administrator authorization required.

Notes
At least one option must be specified. If the –p option is specified, it must be accompanied by a queue name.

When using the –p and –x options, note that events in the purged queues will be lost. Purging a queue removes all unprocessed events from the queue. Purged events will no longer be processed.

Return Values
Returns a simple text-based table detailing the results of the request. If listing queues, the table consists of queue names, the number of events in each queue, and the type of each queue. If purging queues, the table consists of queue names, the number of events purged, and the amount of time it took to purge each queue.
Environment Variables
On Linux and UNIX-based systems, you must set up the Tivoli Risk Manager environment by running:

   . /etc/Tivoli/rma_eif_env.sh

Files
The command connects to a running agent on the command port specified by RmagentPort in the rmad.conf file. It determines the location of this file and other necessary files by using the environment variable RMADHOME as a base.

See Also
wrmadmin, wrmdns
wrmsendmsg

Used to forward events from an end point to the Tivoli Enterprise Console event server.

Syntax
wrmsendmsg [-f] [message_data]

Description
Use the wrmsendmsg command to forward an event to the Tivoli Enterprise Console event server. This command accepts event message information in two formats:
• A formatted string that includes one or more attribute=value pairs.
• A string of raw data that must be formatted based on definitions in the XML files used for formatting. The agent formats the data into sets of attribute=value pairs prior to sending the event to the Tivoli Enterprise Console event server.

Options
–f
    Specifies that the message data is in an attribute=value pair.

message_data
    Specifies the event data to be sent to the common library and then to the event server. If the message data is not specified with the command, it is expected to come from standard input.

Authorization
Administrator authorization required.

Return Values
This command returns these values:
0
    Successful completion.
non-zero
    An error has occurred.

Environment Variables
On Linux and UNIX-based systems, you must set up the Tivoli Risk Manager environment by running:

   . /etc/Tivoli/rma_eif_env.sh

Examples
1. The following command is used to show a string of attribute=value pairs. Note that the –f option indicates that the string is formatted and the first value in the string is the Tivoli Enterprise Console event object class name.

   wrmsendmsg -f "NIDS_DOS;rm_SensorIPAddr=11.34.65.99;rm_SourceHostname=hacker;\
   rm_DestinationIPAddr=10.0.0.3;"

   This string was formatted to fit the page. The string must be entered as one continuous line.
2. The following is an example of an unformatted string. The agent formats the string by parsing the string, assigning an object class name, and assigning values to the appropriate attributes before sending the event to the Tivoli Enterprise Console.
wrmsendmsg "Oct 3 12:22:23 2000 syslog NIDS mycompany.com 0x39d8e8ff 10.0.0.3;"
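The layout of the -f message in example 1 (event class name first, then attribute=value fields, each terminated by a semicolon), as an added example that is not part of the Tivoli Risk Manager product: a small Python parser and builder for that string. The identifier pattern for names and the refusal of ';' inside values are assumptions, since the page defines no escaping for the delimiters.

```python
"""Added example, not Tivoli Risk Manager code: parse/build the message string
wrmsendmsg -f accepts (class name first, then attribute=value fields, ';'-terminated)."""
import re

# Assumption: class and attribute names are identifiers like those on the page.
_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# The page's own example, joined into the single line the command expects.
PAGE_EXAMPLE = ("NIDS_DOS;rm_SensorIPAddr=11.34.65.99;rm_SourceHostname=hacker;"
                "rm_DestinationIPAddr=10.0.0.3;")


def parse_formatted_message(message):
    """Return (class_name, {attribute: value}); raise ValueError if malformed."""
    fields = message.split(";")
    if fields[-1] == "":  # a trailing ';' (as on the page) leaves one empty field
        fields.pop()
    if not fields or not _NAME.match(fields[0]):
        raise ValueError("first field must be the event class name")
    class_name, attrs = fields[0], {}
    for field in fields[1:]:
        name, sep, value = field.partition("=")
        if not sep or not _NAME.match(name):
            raise ValueError("malformed attribute field: %r" % field)
        if name in attrs:
            raise ValueError("duplicate attribute: %s" % name)
        attrs[name] = value
    return class_name, attrs


def is_well_formed(message):
    """True when parse_formatted_message accepts the message."""
    try:
        parse_formatted_message(message)
        return True
    except ValueError:
        return False


def build_formatted_message(class_name, attrs):
    """Inverse of parse_formatted_message. The page defines no escaping for ';',
    so a value containing it (or a line break: the string must be one continuous
    line) is refused rather than silently turning one attribute into several."""
    if not _NAME.match(class_name):
        raise ValueError("invalid class name: %r" % class_name)
    parts = [class_name]
    for name, value in attrs.items():
        if not _NAME.match(name) or ";" in value or "\n" in value:
            raise ValueError("bad attribute name or value: %r" % name)
        parts.append("%s=%s" % (name, value))
    return ";".join(parts) + ";"
```

Round-tripping PAGE_EXAMPLE through parse_formatted_message and build_formatted_message reproduces the page's string exactly.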
See Also
wrmadmin, wrmqueue
wrmstashpw
Used to convert a clear-text password into an obfuscated form and to store it in a file.
Syntax
wrmstashpw filename [password]
Description
Used to convert a clear-text password into an obfuscated form and store it in a file. It is also used to stash passwords for SSL, JDBC, the Web Application, and the event server.
Options
filename
    Filename where the obfuscated password is stored.
password
    A clear-text password. If not supplied, enter a new password at the prompt.
Authorization
Administrator authorization required.
Notes
Use the wrmstashpw command to store an obfuscated representation of a password in a stash file. The agent and Web Application extract the obfuscated form of the password when needed. The following agent components support the use of a stash file for maintaining a password:
• SSL - The SSLKeystorePWFile parameter is used in the SSL configuration files (eif_sender.conf and eif_receiver.conf) to reference the stash file for accessing the SSL keystore file.
• Database Pusher - The ArchiveDBPasswordFile parameter is used in the Database Pusher configuration file (db_sender.conf) to reference the stash file for creating a JDBC connection.
• Tivoli Management Framework Sender - The TMEPasswordFile parameter is used in the sender configuration files (incident_sender.conf and nonincident_sender.conf) to reference the stash file that is located on the event server for sending events from the agent into the Tivoli Enterprise Console server, using the Tivoli Management Framework protocol.
The Web Application extracts the obfuscated form of the password when needed. The RmWeb.properties file references the stash file for one or more of the following databases:
• Tivoli Enterprise Console database
• Tivoli Risk Manager archive database
• Tivoli Configuration Manager database
Examples
1. The following command is used to convert your clear-text password into an obfuscated form and add this information to the storepwd file.
wrmstashpw storepwd testpassword
Appendix. Notices
This information was developed for products and services offered in the U.S.A. IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user’s responsibility to evaluate and verify the operation of any non-IBM product, program, or service.
IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to:
IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.
For license inquiries regarding double-byte (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:
IBM World Trade Asia Corporation
Licensing
2-31 Roppongi 3-chome, Minato-ku
Tokyo 106, Japan
The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.
IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.
© Copyright IBM Corp. 2003 45
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:
IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758
USA
Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.
The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.
Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurement may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.
Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.
All statements regarding IBM’s future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.
Trademarks
The following terms are trademarks of International Business Machines Corporation in the United States, other countries, or both:
AIX
DB2
IBM
Tivoli
Tivoli Enterprise
Tivoli Enterprise Console
Tivoli Management Framework
Tivoli Management Environment
TME
Tivoli logo
Tivoli Ready
zSeries
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
Java and all Java-based trademarks and logos are trademarks or registered trademarks of Sun Microsystems, Inc. in the United States and other countries.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Intel, Intel Inside (logos), MMX and Pentium are trademarks of Intel Corporation in the United States, other countries, or both.
SET and the SET logo are trademarks owned by SET Secure Electronic Transaction LLC.
Crystal Reports is the technology of Crystal Decisions, Inc.
Check Point is a trademark and VPN-1 and FireWall-1 are registered trademarks of Check Point Software Technologies Ltd.
Other company, product, and service names may be trademarks or service marks of others.
Index
A
about this guide v
access log files
    updating in real time 25
accessibility vii
analyzing Web server access logs 25
C
checkrules 3
command reference 1
commands
    checkrules 3
    getpdinfo 5
    nids 7
    rma_webids 10
    rmagent 12
    rmcorr_cfg 13
    rmt_corrstatus 16
    rmt_corruninstall 18
    rmt_corrupdate 17
    startnids 19
    stopnids 20
    viewer 23
    webids 25
    wlsesvrcfg 26
    wrmadmin 27
    wrmdbclear 29
    wrmdbclose 31
    wrmdns 33
    wrmikeyman 37
    wrmqueue 38
    wrmsendmsg 40
    wrmstashpw 42
contents of this book v
conventions
    naming viii
    typeface viii
D
disability vii
documentation
    documents related to this guide vi
    online information vii
    Tivoli Enterprise Console prerequisites vi
    Tivoli Framework prerequisites vi
    Tivoli Risk Manager v
G
getpdinfo 5
guide organization v
I
iKeyman overview 37
N
naming conventions viii
nids 7
P
preface information v
prerequisites
    documents for using this guide vi
product updates for Tivoli Risk Manager vii
publication
    Tivoli Risk Manager v
R
reference, command 1
related documents of this guide vi
rma_webids 10
rmagent 12
rmcorr_cfg 13
rmt_corrstatus 16
rmt_corruninstall 18
rmt_corrupdate 17
S
security management products from Tivoli vii
software support viii
software, customer viii
startnids 19
stopnids 20
syntax
    commands 1
T
typeface conventions viii
U
updates for Tivoli Risk Manager vii
URLs
    software support viii
    Tivoli Risk Manager product vii
    Tivoli Risk Manager updates and service vii
    Tivoli security management products vii
V
viewer 23
W
Web publications
    Tivoli Risk Manager vii
webids 25
wlsesvrcfg 26
wrmadmin 27
wrmdbclear 29
wrmdbclose 31
wrmdns 33
wrmikeyman 37
wrmqueue 38
wrmsendmsg 40
wrmstashpw 42