• Decoding USERDATA Log Entries

    From mpe...@gmail.com@mperew@gmail.com to comp.sys.unisys on Thu Jun 8 14:23:35 2023
    From Newsgroup: comp.sys.unisys

    I'm having a heck of a time decoding a USERDATA entry in the SUMLOG. LOG_GET_ENTRY in SDASUPPORT is returning the Major 6, Minor 9 USERDATA Change entries that need to be decoded. Here's a snippet of the returned array row:

    0(00000) 0 580000 010001 0 006000 91E117 ...... .-.j..
    2(00002) 0 B0B4E8 431741 0 000A49 000BC1 ..Y... .....A
    4(00004) 0 000000 000507 0 000000 50000B ...... ...&..
    6(00006) 0 000000 00047C THRU 7(00007) .....@
    8(00008) 0 000000 00001C 0 000000 000000 ...... ......
    10(0000A) 0 000000 000000 0 000001 202030 ...... ......
    12(0000C) 0 08C4E4 D4D4E8 0 E4C300 000000 .DUMMY UC....
    14(0000E) 0 1B0000 20011F 0 000000 00000A ...... ......
    16(00010) 0 000000 000000 THRU 23(00017) ......

    Words 0-3 are the usual log entry words.
    Word 4 has the expected data as documented in the System Log Programming Guide. Word 5 is pointing at word 11 (hex b) for 5 words.
    But, what the heck is in word 11?

    I'm looking in the Security Administration Guide under USERDATAREBUILD, but the documentation is very opaque.

    Does anyone out there have any familiarity with decoding these log entries?

    Thanks.
    --- Synchronet 3.21d-Linux NewsLink 1.2
  • From barry....@gmail.com@barry.whenman@gmail.com to comp.sys.unisys on Fri Jun 9 10:03:45 2023
    From Newsgroup: comp.sys.unisys

    > On Thursday, June 8, 2023 at 10:23:44 PM UTC+1, mpe...@gmail.com wrote:
    > [...]
    In a previous life (nearly 10 years ago!) I wrote a SIEM agent (I can't even remember what that acronym stands for now), which extracted important security-related stuff from the logfile and sent it to a third-party monitoring program which ran elsewhere. The data I extracted definitely included Major 6 / Minor 9 records (and specifically function 7 usercode Modify entries, which is what you have here).
    I still have the source code, but it resides on an MCP Express environment which is currently turned off (and is no longer supported). It might take me a while to locate it, but I'd be happy to try if you think it might help?
    Barry.
  • From mpe...@gmail.com@mperew@gmail.com to comp.sys.unisys on Fri Jun 9 10:23:04 2023
    From Newsgroup: comp.sys.unisys

    > On Friday, June 9, 2023 at 10:03:47 AM UTC-7, barry....@gmail.com wrote:
    > [...]
    > I still have the source code, but it resides on an MCP Express environment which is currently turned off (and is no longer supported). It might take me a while to locate it, but I'd be happy to try if you think it might help?
    Barry -
    That sounds very much on target. If you can pull that up, it would be very much appreciated.
    SIEM is Security Incident Event Manager.
  • From Paul Kimpel@paul.kimpel@digm.com to comp.sys.unisys on Fri Jun 9 10:58:28 2023
    From Newsgroup: comp.sys.unisys

    > On 6/9/2023 10:23 AM, mpe...@gmail.com wrote:
    > > On Friday, June 9, 2023 at 10:03:47 AM UTC-7, barry....@gmail.com wrote:
    > > > I still have the source code, but it resides on an MCP Express environment which is currently turned off (and is no longer supported). It might take me a while to locate it, but I'd be happy to try if you think it might help?
    > [...]

    Metalogic CopyWriteNT can extract and convert files from a number of MCP
    media types, including Logical Disk .asd files. See:

    http://www.metalogic.eu.com/Main/Products/CopyWrite.html

    Paul

  • From barry....@gmail.com@barry.whenman@gmail.com to comp.sys.unisys on Sat Jun 10 06:15:57 2023
    From Newsgroup: comp.sys.unisys

    > On Friday, June 9, 2023 at 6:58:30 PM UTC+1, Paul Kimpel wrote:
    > [...]
    > Metalogic CopyWriteNT can extract and convert files from a number of MCP media types, including Logical Disk .asd files. See:
    > http://www.metalogic.eu.com/Main/Products/CopyWrite.html
    Thanks Paul -- Copywrite is indeed a very useful tool. But I remembered that I also have a working (and more recent) Dev Studio environment, which also happens to contain a copy of the code (albeit version 1.0.0).
    I'm just working out the best way to get that from there to here, and then I'll post some snippets. I have been a little lazy in my decoding, in that I only seem to extract the usercode, and not the detail; but at least it's a start...
  • From barry....@gmail.com@barry.whenman@gmail.com to comp.sys.unisys on Sat Jun 10 06:44:26 2023
    From Newsgroup: comp.sys.unisys

    > On Saturday, June 10, 2023 at 2:15:58 PM UTC+1, barry....@gmail.com wrote:
    > [...]
    > I'm just working out the best way to get that from there to here, and then I'll post some snippets.
    OK - this is what I have. I'm using Report_Log_Entries to get the log records that I'm interested in, and then writing them to a remote Windows server.
    There is a big Case statement on Major type, then similar case statements on Minor type within each.
    For Maj 6, Min 9 I have:
    9: Begin % Userdata Change
         Pu := Pointer(U);
         StandardtoDisplay(Log_0609_UPtr, Pu);   % display form of the linked usercode, into U
         Replace P:P by
           Log_06_UDfunc for * digits, comma,    % Word[4].[3:4]
           Log_06_UDop for * digits, comma,      % Word[4].[11:4]
           Pointer(U[0]) + 4 until = Nul, comma; % usercode text from U, skipping 4 characters
       End Min 9;
    U is just a temporary array for the result of the StandardtoDisplay call; Pu is a pointer to it. P is a pointer to the output record.
    Defines are as follows:
    RLE_Pfx = 5 #,                                % Report_Log_Entries prefix words before the entry
    LinkIxF = [19:20] #,                          % link word: index field
    LengthF = [23:08] #,                          % length field
    Log_06_UDfunc = Qmsg[RLE_Pfx + 4].[3:4] #,    % Word[4].[3:4]: USERDATA function
    Log_06_UDcopy = Qmsg[RLE_Pfx + 6].[15:16] #,
    Log_06_UDop = Qmsg[RLE_Pfx + 4].[11:4] #,     % Word[4].[11:4]: operation within the function
    Log_0609_UInx = Qmsg[RLE_Pfx + 5].LinkIxF + RLE_Pfx #,  % Qmsg index the Word[5] link points at
    Log_0609_ULen = Qmsg[Log_0609_UInx].LengthF #,          % length taken from the linked word
    Log_0609_UPtr = Pointer(Qmsg[Log_0609_UInx]) #,
    Qmsg is a large array for the messages received on the Queue used by Report_Log_Entries.
    Hope that might be of some use...
    Barry.
  • From mpe...@gmail.com@mperew@gmail.com to comp.sys.unisys on Mon Jun 12 14:39:29 2023
    From Newsgroup: comp.sys.unisys

    > On Friday, June 9, 2023 at 10:58:30 AM UTC-7, Paul Kimpel wrote:
    > [...]
    > Metalogic CopyWriteNT can extract and convert files from a number of MCP media types, including Logical Disk .asd files.
    Paul -
    Thanks for the reference. However, we need to do this on-box.
  • From mpe...@gmail.com@mperew@gmail.com to comp.sys.unisys on Mon Jun 12 14:43:05 2023
    From Newsgroup: comp.sys.unisys

    > On Saturday, June 10, 2023 at 6:44:27 AM UTC-7, barry....@gmail.com wrote:
    > [...]
    Barry -
    If I'm reading your code right, the only place you're looking at word 11 is via Log_06_UDcopy. Do you use that value anywhere?
  • From Paul Kimpel@paul.kimpel@digm.com to comp.sys.unisys on Mon Jun 12 16:16:21 2023
    From Newsgroup: comp.sys.unisys

    -------- Original Message --------
    Subject: Re: Decoding USERDATA Log Entries
    From: mpe...@gmail.com <mperew@gmail.com>
    Date: Mon Jun 12 2023 14:39:29 GMT-0700 (Pacific Daylight Time)

    > [...]
    > Paul -
    > Thanks for the reference. However, we need to do this on-box.

    That reference was intended to help Barry extract his code from the
    inactive MCP Express environment, not process log records. As far as I
    know, CopyWriteNT doesn't have anything to do with MCP system logs.
    Sorry for the confusion.

    Paul

  • From barry....@gmail.com@barry.whenman@gmail.com to comp.sys.unisys on Wed Jun 21 23:20:42 2023
    From Newsgroup: comp.sys.unisys

    > If I'm reading your code right, the only place you're looking at word 11 is via Log_06_UDcopy. Do you use that value anywhere?
    Sorry for the delay in replying - I forgot to check back.
    I just did a search, and no - I don't use this value anywhere. It was a "quick & dirty" implementation to get something working to appease the security folks. The planned enhancements to provide more complete decoding never happened before the kit was scheduled for decommissioning. :(
    Barry.
  • From Doug Dobson@dobsod@gmail.com to comp.sys.unisys on Thu Jul 6 11:29:01 2023
    From Newsgroup: comp.sys.unisys

    > On Thursday, June 8, 2023 at 4:23:44 PM UTC-5, mpe...@gmail.com wrote:
    > [...]
    There is a procedure exported by JOBFORMATTER called ANALYZETHELOG that will format most SUMLOG records.
    Doug Dobson
  • From mpe...@gmail.com@mperew@gmail.com to comp.sys.unisys on Fri Jul 7 08:56:40 2023
    From Newsgroup: comp.sys.unisys

    > On Thursday, July 6, 2023 at 11:29:03 AM UTC-7, Doug Dobson wrote:
    > [...]
    > There is a procedure exported by JOBFORMATTER called ANALYZETHELOG that will format most SUMLOG records.
    I'm trying to dial out some specific user code change activities. I'd rather not convert the log into text to be scanned. The information is there, but there's no documentation on how to decode it.
    The JOBFORMATTER code is a bit arcane. There are very few comments. The only comments in that area have 59 MarkIDs. At least someone figured out that a few breadcrumbs are helpful. Also, there are multiple defines that reference other defines. There are even GO TO statements inside a CASE block. It is headache inducing.
  • From Thomas Kosfeld@tkosfeld@gmail.com to comp.sys.unisys on Fri Jul 7 10:46:29 2023
    From Newsgroup: comp.sys.unisys

    > On Friday, July 7, 2023 at 12:56:42 PM UTC-3, mpe...@gmail.com wrote:
    > [...]
    Looks like a list of userdata locators and the values of the different attributes between.
  • From Tom Schaefer@thomasmschaefer@gmail.com to comp.sys.unisys on Sat Jul 15 21:58:03 2023
    From Newsgroup: comp.sys.unisys

    > On Thursday, June 8, 2023 at 5:23:44 PM UTC-4, mpe...@gmail.com wrote:
    > [...]
    This is from the System Log Programming Reference
    Word[4].[03:04] = the USERDATA function that triggered the CHANGE record. In this case, that is a Create, modify, or delete entry.
    Since that Word[4].[03:04] = 7, then the value in Word[4].[11:04] indicates which one of the three (Create, Modify or Delete). Here it is 5 so this is a Modify record.
    Again according to the book, since the function is 7, the link will point to the Doings parameter passed to USERDATAREBUILD.
    Info about USERDATAREBUILD can be found in the newly created HTML file for the Security SDK here: https://public.support.unisys.com/aseries/docs/ClearPath-MCP-21.0/26211060-015/WebHelp%20files/USERDATAREBUILD.htm but that does not show the DOINGS parameter so I cannot tell further without looking at the MCP source to see when it would pass DUMMYUC as the usercode which to act upon.
    It is late so I could be reading this all wrong.
    I do have an active program that dumps security-related SUMLOG records into SYSLOG records to send to our enterprise logging platform (ELP). If you have not found an answer yet, I can check to see if I handle Major 6, minor 9.
    If you do a LOG SECURITY at the time of this record (pulled from the header words), JOBFORMATTER does a good job of telling you what is in the records too for comparison.
    Tom Schaefer
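    As an added example (not code from the thread, nor from Barry's or Tom's programs), the following Python decoder applies the field positions given in Barry's defines and in Tom Schaefer's reading of the System Log Programming Reference to the dump from the original post: it parses the dump rows into 48-bit words, reads Word[4].[03:04] (USERDATA function) and Word[4].[11:04] (operation), follows the Word[5].[19:20] link, and scans the linked words for EBCDIC text. The dump-row parser and the EBCDIC scan (cp037) are this example's own construction. One labelled assumption: the "for 5 words" the poster reads out of word 5 (0x50000B) sits in bits 23..20, so the length is taken as Word[5].[23:04]; Barry's code instead reads a LengthF of [23:08] from the first linked word, which this example does not reproduce. Only the function 7 / value 5 = Modify pairing the thread confirms is given a name.

```python
"""Decode a SUMLOG Major 6 / Minor 9 (USERDATA change) record from a word dump.

Added example, not code from the thread. Field positions follow the defines
Barry posted and Tom Schaefer's reading of the System Log Programming
Reference; the dump parser and the EBCDIC scan are this example's own.
"""
import re

# Constructed copy of the LOG_GET_ENTRY row from the original post.
SAMPLE_DUMP = """\
0(00000) 0 580000 010001 0 006000 91E117 ...... .-.j..
2(00002) 0 B0B4E8 431741 0 000A49 000BC1 ..Y... .....A
4(00004) 0 000000 000507 0 000000 50000B ...... ...&..
6(00006) 0 000000 00047C THRU 7(00007) .....@
8(00008) 0 000000 00001C 0 000000 000000 ...... ......
10(0000A) 0 000000 000000 0 000001 202030 ...... ......
12(0000C) 0 08C4E4 D4D4E8 0 E4C300 000000 .DUMMY UC....
14(0000E) 0 1B0000 20011F 0 000000 00000A ...... ......
16(00010) 0 000000 000000 THRU 23(00017) ......
"""

# Row layout: "N(hex)" then, per word, a tag digit and two groups of six hex
# digits (48 bits); "THRU M(hex)" means words N..M all hold the same value.
ROW_RE = re.compile(r"^\s*(\d+)\([0-9A-Fa-f]+\)\s+(.*)$")
WORD_RE = re.compile(r"\b([0-9A-F])\s+([0-9A-F]{6})\s+([0-9A-F]{6})")
THRU_RE = re.compile(r"\bTHRU\s+(\d+)\(")


def parse_dump(text):
    """Return {word_index: 48-bit value} for a dump in the format above."""
    words = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        start, rest = int(m.group(1)), m.group(2)
        values = [int(hi + lo, 16) for _tag, hi, lo in WORD_RE.findall(rest)]
        thru = THRU_RE.search(rest)
        if thru and values:
            for i in range(start, int(thru.group(1)) + 1):
                words[i] = values[0]
        else:
            for offset, value in enumerate(values):
                words[start + offset] = value
    return words


def field(word, leading_bit, nbits):
    """ALGOL partial-word selector W.[leading_bit:nbits] (bit 0 is the LSB)."""
    return (word >> (leading_bit - nbits + 1)) & ((1 << nbits) - 1)


def ebcdic_runs(words, start, length):
    """Printable ASCII-range EBCDIC (cp037) runs of 2+ chars in words start..start+length-1."""
    raw = b"".join(words.get(i, 0).to_bytes(6, "big") for i in range(start, start + length))
    runs, current = [], ""
    for b in raw:
        ch = bytes([b]).decode("cp037")
        if ch.isascii() and ch.isprintable() and ch != " ":
            current += ch
            continue
        if len(current) >= 2:
            runs.append(current)
        current = ""
    if len(current) >= 2:
        runs.append(current)
    return runs


def decode_userdata_change(words, prefix=0):
    """Extract the fields the thread identifies from a Major 6 / Minor 9 record.

    prefix = words in front of the entry: 0 for a LOG_GET_ENTRY row, 5 for a
    Report_Log_Entries queue message (Barry's RLE_Pfx).
    """
    w4, w5 = words[prefix + 4], words[prefix + 5]
    function = field(w4, 3, 4)       # Word[4].[03:04]: USERDATA function
    operation = field(w4, 11, 4)     # Word[4].[11:04]: operation within that function
    link_index = field(w5, 19, 20)   # Word[5].[19:20]: index of the linked area (Barry's LinkIxF)
    # ASSUMPTION: the "for 5 words" the poster reads out of 0x50000B sits in
    # bits 23..20, so the length is taken as Word[5].[23:04] here.
    link_length = field(w5, 23, 4)
    # Only the pairing the thread confirms (function 7, value 5 = Modify) is named.
    op_name = "Modify" if (function, operation) == (7, 5) else "unknown"
    return {
        "function": function,
        "operation": operation,
        "operation_name": op_name,
        "link_index": link_index,
        "link_length": link_length,
        "linked_text": ebcdic_runs(words, prefix + link_index, link_length),
    }


if __name__ == "__main__":
    for key, value in decode_userdata_change(parse_dump(SAMPLE_DUMP)).items():
        print(f"{key:15} {value}")
```

    On the posted dump this yields function 7, operation 5 (Modify), a link to word 11 for 5 words, and the EBCDIC text DUMMYUC inside the linked area, which matches the poster's reading and Tom's description. For records arriving through Report_Log_Entries, pass prefix=5 so the word indices line up with Barry's Qmsg defines.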