CLIP is delivered with a configuration file named SYSDAT.CLIP.<ver> and installed together with the CLIP subsystem. This file must be adapted to the respective configuration. Changes to the configuration only take effect after restarting the CLIP subsystem.
When the CLIP subsystem is loaded, the configuration file is read and evaluated. If errors are found in the configuration file, the loading process continues and default values are applied.
Exceptions to this are syntactically incorrect IP address entries or unreachable IP addresses. In these cases, meaningful operation of CLIP is not possible, and the subsystem startup is terminated with an error.
- If the IP address is syntactically incorrect, the message GLP1020 is output to the console and the CLIP subsystem is terminated:
% GLP1020 READING IP ADDRESS FROM CONFIG FILE FAILED
- If the configured IP address is unreachable, the CLIP subsystem will terminate after a timeout expires.
Original configuration file
The configuration file SYSDAT.CLIP.<ver> is delivered as a template with the following content:
**********************************************************************
* *
* Template file: SYSDAT.CLIP.210 *
* This file defines necessary parameters for the operation of *
* the CLIP subsystem. *
* Additionally, the events to be forwarded to the syslog server *
* can also be configured here. *
* More information about this file can be found in the CLIP manual *
* "Chapter 3.3.5: Parameter file". *
* *
**********************************************************************
***MANDATORY CONFIG PARAMETERS***
LOGSERVER xxx.xxx.xxx.xxx
***REST OF CONFIG PARAMETERS***
*PORT 514
*PROTOCOL TCP ONLY VALID OPTION
*HOSTNAME TESTPROC
*TIMEOUT 30
*OVERFLOW 0
***CONFIGURATION FOR LOGFILTER***
*SATT MODE BLOCK/ACCEPT
*SATT EVENTID FAIL/SUCC/BOTH
***CONFIGURATION FOR ACCOUNTING FILTER***
*ACCT MODE BLOCK/ACCEPT
*ACCT RECORDTYPE
Syntax of configuration file:
- Lines beginning with ‘*’ are interpreted as comment lines.
- Some parameters have default values and do not need to be specified. The only mandatory parameter is the server address (LOGSERVER), which must be provided by the system administrator.
- Parameters are interpreted regardless of their order.
- Parameter names and their values are case-insensitive and internally converted to uppercase.
- Related parameters must be specified on the same line, separated by at least one space.
- Anything appearing after the last required parameter on a line, separated by at least one space, is treated as a comment.
The JSON format for the base parameters of the configuration file is supported in this version for the last time, for compatibility reasons only.
Description of Base Parameters:
- "LOGSERVER" (mandatory)
Specifies the syslog server to which messages are sent. The value can be an IPv4/IPv6 address or a Fully Qualified Domain Name (FQDN).
- IPv4 must follow the format xxx.xxx.xxx.xxx (e.g., 192.168.1.99), where each segment is a number between 0 and 255.
- IPv6 supports both full and abbreviated notations (e.g., 2001:0db8:85a3:0000:0000:8a2e:0370:7334 and 2001:db8:85a3::8a2e:370:7334).
- If an invalid value is provided, the CLIP program issues an error message and terminates, since a valid server configuration is required.
- "PORT"
Specifies the port used for communication with the external Syslog server. This must be a valid open port in the range 1 – 65535 on the Syslog server, enabled for the BS2000 server. The parameter defaults to the standard Syslog port 514 (commented out in the template).
- "PROTOCOL"
Specifies the data transmission protocol between the BS2000 system and the Syslog server. Currently, only TCP is supported. If an incorrect value is entered or the parameter is omitted, the default value "TCP" applies.
- "HOSTNAME"
Optional; CLIP determines it automatically if it is not specified. This parameter defines the BS2000 system's name and is used to identify the BS2000 system when sending events to the Syslog server. Alphanumeric characters are supported.
- "TIMEOUT"
Optional; specifies how long CLIP tries to restore the connection after a disconnection. The value is given in seconds; the default is 30 seconds. If the connection cannot be restored within this period, the CLIP subsystem terminates and must be restarted manually if needed.
- "OVERFLOW"
Optional; specifies whether CLIP should discard messages if the buffer fills up during a connection loss. A value of 0 (default) causes the subsystem to terminate in this case. If set to 1, the oldest messages in the buffer are overwritten. In both cases, buffered messages are sent once the connection is restored. Whether the subsystem terminates (and thus messages are lost) depends solely on the TIMEOUT value.
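As an added illustration, not part of the CLIP documentation or the product's own code, the following Python script evaluates the base parameters of a constructed configuration file written in the syntax described above: comment lines starting with '*', case-insensitive names and values, order-independent parameters, trailing text treated as a comment, defaults for omitted or invalid optional values, and the one fatal case, an unusable LOGSERVER value (GLP1020). The sample file content, the FQDN pattern, the treatment of a non-positive TIMEOUT and the warning texts are assumptions made here.

```python
import ipaddress
import re

# Constructed sample configuration in the SYSDAT.CLIP.<ver> syntax (not the delivered template).
SAMPLE_CONFIG = """\
**********************************************************************
* Constructed sample for this example                               *
**********************************************************************
logserver 192.168.1.99    central syslog collector (trailing comment)
PORT 6514
*PROTOCOL TCP
hostname BS2PROD
TIMEOUT 60
OVERFLOW 1
"""

# Defaults the manual gives for the optional base parameters.
DEFAULTS = {"PORT": 514, "PROTOCOL": "TCP", "HOSTNAME": None,
            "TIMEOUT": 30, "OVERFLOW": 0}

# Hostname-style FQDN check; assumed here, the manual only says "FQDN".
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Z0-9](?:[A-Z0-9-]{0,61}[A-Z0-9])?\.)+[A-Z]{2,63}\.?$",
    re.IGNORECASE)


class ConfigError(Exception):
    """The one fatal case: LOGSERVER is missing or syntactically invalid."""


def config_lines(text):
    """Yield the upper-cased tokens of every non-comment line.
    Lines starting with '*' are comments; tokens are separated by blanks."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("*"):
            yield line.upper().split()


def valid_logserver(value):
    """LOGSERVER must be an IPv4/IPv6 literal or an FQDN."""
    if value is None:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return FQDN_RE.match(value) is not None


def load_base_parameters(text):
    """Evaluate the base parameters: an invalid optional value falls back to its
    default with a warning, an invalid LOGSERVER aborts the load (GLP1020)."""
    cfg = dict(DEFAULTS, LOGSERVER=None)
    warnings = []
    for tokens in config_lines(text):
        name = tokens[0]
        value = tokens[1] if len(tokens) > 1 else None   # later tokens are comment
        if name == "LOGSERVER":
            cfg["LOGSERVER"] = value
        elif name == "PORT":
            if value is not None and value.isdigit() and 1 <= int(value) <= 65535:
                cfg["PORT"] = int(value)
            else:
                warnings.append(f"PORT {value!r} invalid, default 514 applies")
        elif name == "PROTOCOL":
            if value != "TCP":   # TCP is the only supported protocol
                warnings.append(f"PROTOCOL {value!r} unsupported, TCP applies")
        elif name == "HOSTNAME":
            if value is not None and value.isalnum():
                cfg["HOSTNAME"] = value
            else:
                warnings.append(f"HOSTNAME {value!r} not alphanumeric, determined automatically")
        elif name == "TIMEOUT":
            # Assumption: a non-numeric or non-positive timeout keeps the 30 s default.
            if value is not None and value.isdigit() and int(value) > 0:
                cfg["TIMEOUT"] = int(value)
            else:
                warnings.append(f"TIMEOUT {value!r} invalid, default 30 applies")
        elif name == "OVERFLOW":
            if value in ("0", "1"):
                cfg["OVERFLOW"] = int(value)
            else:
                warnings.append(f"OVERFLOW {value!r} invalid, default 0 applies")
        elif name in ("SATT", "ACCT"):
            pass   # filter lines, evaluated separately
        else:
            warnings.append(f"unknown parameter {name} ignored")
    if not valid_logserver(cfg["LOGSERVER"]):
        raise ConfigError("GLP1020 READING IP ADDRESS FROM CONFIG FILE FAILED")
    return cfg, warnings


if __name__ == "__main__":
    settings, warns = load_base_parameters(SAMPLE_CONFIG)
    print(settings)
    for w in warns:
        print("warning:", w)
```

Running the script prints the effective settings for the sample file; replacing the LOGSERVER line with a malformed address makes the load fail with the GLP1020 text instead of silently applying a default, which mirrors the distinction the manual draws between the fatal and the non-fatal configuration errors.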
Description of Parameters for Filtering Functions
To improve performance and to supply the SIEM environment only with relevant information from the user's perspective, CLIP offers a filtering function. This filter applies independently to SATLOG and ACCOUNTING events.
Filter Function for SATLOG Events:
- "SATT MODE"
Configures whether the SATLOG events listed in this configuration file are not ("BLOCK") or only ("ACCEPT") forwarded to the Syslog server. If omitted or an invalid value is entered, for compatibility reasons the default "BLOCK" applies.
- SATT MODE BLOCK (default): All SATLOG events are forwarded to the rSyslog server. Only the SATLOG events listed in this file are filtered out and not forwarded.
- SATT MODE ACCEPT: SATLOG events are filtered out and not forwarded, except those explicitly listed in this configuration file, which are forwarded to the rSyslog server.
- "SATT <eventid> <result>"
Adds the event <eventid> to the list defined by "SATT MODE" depending on the result <result>. The event result is interpreted as success ("SUCC"), failure ("FAIL"), or both ("BOTH"). An overview of the SAT events can be found in the SECOS manual in the section "SAT - Logging and Evaluation of Security-Relevant Events".
Filter Function for ACCOUNTING Events:
- "ACCT MODE"
Configures whether the ACCOUNTING events listed in this configuration file are not ("BLOCK") or only ("ACCEPT") forwarded to the Syslog server. If omitted or an invalid value is entered, the default "BLOCK" applies.
- ACCT MODE BLOCK (default): All ACCOUNTING events are forwarded to the rSyslog server. Only the ACCOUNTING events listed in this file are filtered out and not forwarded.
- ACCT MODE ACCEPT: ACCOUNTING events are filtered out and not forwarded, except those explicitly listed here, which are forwarded.
- "ACCT <recordtype>"
Adds the accounting record <recordtype> to the list defined by "ACCT MODE". All accounting records of the specified type are considered. All event types are listed in the "Accounting-Logs" section.
Example Configuration for the Filter Function:
SATT MODE BLOCK
SATT JED SUCC
SATT UCK SUCC
SATT FRS BOTH
In this example, BLOCK mode for SATLOG events is enabled. The three subsequent entries specify SATLOG events to be filtered out and therefore not forwarded to the Syslog server:
The event "JED" is filtered only in the success case (SUCC); a failed JED event is still forwarded.
The event "UCK" is likewise filtered only in the success case.
The event "FRS" is filtered in both success and failure cases (BOTH) and therefore never forwarded.
All other events are forwarded without restriction.
If the mode were switched to ACCEPT (SATT MODE ACCEPT), only the events JED and UCK (in success cases only) and the event FRS (in all cases) would be forwarded; all others would be ignored.
Since no ACCOUNTING events are defined, ACCT MODE BLOCK is set automatically. However, because the block list is empty, no ACCOUNTING records are filtered, and all are forwarded to the Syslog server.
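To make the BLOCK/ACCEPT semantics of the example above concrete, the following Python script is added here (it is not part of the CLIP documentation or the product's own code). It reads the example filter section, builds the SATT and ACCT lists, and answers for any event and outcome whether it would be forwarded; run stand-alone it prints the decision table for both modes. The filter section reuses the manual's three SATT lines; the commented-out ACCT line, the unlisted event "XYZ" and the record type names used in the tests are constructed for this example.

```python
# Filter section in the SYSDAT.CLIP.<ver> syntax. The SATT lines are the manual's
# example; the commented-out ACCT line is constructed for this example.
FILTER_CONFIG = """\
***CONFIGURATION FOR LOGFILTER***
SATT MODE BLOCK
SATT JED SUCC
SATT UCK SUCC
SATT FRS BOTH
***CONFIGURATION FOR ACCOUNTING FILTER***
*ACCT MODE BLOCK        commented out: BLOCK applies by default
"""

MODES = ("BLOCK", "ACCEPT")
RESULTS = ("SUCC", "FAIL", "BOTH")


def load_filters(text):
    """Collect the filter mode and the filter list for SATLOG and ACCOUNTING.
    An omitted or invalid MODE falls back to BLOCK, as the manual specifies."""
    filters = {"SATT": {"mode": "BLOCK", "events": {}},
               "ACCT": {"mode": "BLOCK", "records": set()}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            continue                      # comment line
        tokens = line.upper().split()     # names and values are case-insensitive
        kind = tokens[0]
        if kind == "SATT" and len(tokens) >= 3:
            if tokens[1] == "MODE":
                if tokens[2] in MODES:
                    filters["SATT"]["mode"] = tokens[2]
            elif tokens[2] in RESULTS:    # SATT <eventid> <result>
                filters["SATT"]["events"][tokens[1]] = tokens[2]
        elif kind == "ACCT" and len(tokens) >= 2:
            if tokens[1] == "MODE":
                if len(tokens) >= 3 and tokens[2] in MODES:
                    filters["ACCT"]["mode"] = tokens[2]
            else:                         # ACCT <recordtype>
                filters["ACCT"]["records"].add(tokens[1])
    return filters


def satlog_listed(filters, eventid, success):
    """True if the event with this outcome is on the SATT list."""
    result = filters["SATT"]["events"].get(eventid.upper())
    if result is None:
        return False
    return (result == "BOTH"
            or (result == "SUCC" and success)
            or (result == "FAIL" and not success))


def forward_satlog(filters, eventid, success):
    """BLOCK: listed events are dropped, everything else is forwarded.
    ACCEPT: only listed events are forwarded."""
    listed = satlog_listed(filters, eventid, success)
    return not listed if filters["SATT"]["mode"] == "BLOCK" else listed


def forward_accounting(filters, recordtype):
    """Same rule for accounting records; their list has no success/failure axis."""
    listed = recordtype.upper() in filters["ACCT"]["records"]
    return not listed if filters["ACCT"]["mode"] == "BLOCK" else listed


if __name__ == "__main__":
    for mode in MODES:
        f = load_filters(FILTER_CONFIG.replace("SATT MODE BLOCK", f"SATT MODE {mode}"))
        print(f"SATT MODE {mode}:")
        for event in ("JED", "UCK", "FRS", "XYZ"):    # XYZ: a constructed, unlisted event
            ok = lambda success: "forward" if forward_satlog(f, event, success) else "drop"
            print(f"  {event}: success -> {ok(True)}, failure -> {ok(False)}")
```

The table printed for BLOCK mode shows JED and UCK dropped only on success and FRS always dropped, while for ACCEPT mode exactly those cases are the only ones forwarded, which is the inversion the text describes. With an empty ACCT list in BLOCK mode every accounting record passes; the same empty list in ACCEPT mode would suppress all of them, so the mode line should never be changed without reviewing the list beneath it.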