Hi, Rob,
I built an alert as you suggested, but it's not working. Am I missing something?
)DEFAULT )&?!¢}~
)CM
)CM Installation-defined alert skeleton: ISPF file tailoring control
)CM statements wrapped around CARLa statements. The )DEFAULT line
)CM above redefines the skeleton special characters. The first four
)CM keep their usual roles (control, variable, continuation, tab).
)CM The last three are remapped, presumably so that the vertical
)CM bar can be used as plain text in the message below - confirm.
)CM
)CM Alert identification. C2PXNAME, C2PXMSG and C2PXDES look like
)CM the alert name, the one-line message layout and the alert
)CM description - confirm against the product documentation.
)SETF C2PXNAME = &STR(Access_UNIX)
)CM NOTE(review): outside the quoted literals, the C2PXMSG value
)CM has one more closing parenthesis than opening ones. The bare
)CM one after the second vertical bar on the middle line may have
)CM been meant as a quoted literal that pairs with the quoted
)CM opening parenthesis - verify, because a malformed message
)CM layout could keep the alert from being generated.
)SETF C2PXMSG = &STR('UNIX Sensitive Access Files' ?
'('(V) |(V) unix_access_intent(0,V) |(V)) ?
'by'(V) user(0,V) 'on' /(WTO) unix_pathname(0))
)SETF C2PXDES = &STR('Sensitive UNIX file')
)CM Pass one query
)CM Selected when C2PEPASS is Y. The section is empty, so this
)CM alert contributes no statements of its own to that pass.
)SEL &C2PEPASS = Y
)ENDSEL
)CM Alert condition
)CM Selected when C2PEPASS is N. This )SEL stays open until the
)CM last )ENDSEL of the member and encloses the select statement,
)CM the three destination-specific sortlists and the action imbeds.
)SEL &C2PEPASS = N
)CM C2PSGNEW is imbedded from outside this member. Presumably it
)CM emits the newlist statement that the select belongs to -
)CM confirm.
)IM C2PSGNEW
)CM Selection criteria. Only records for a successful open are
)CM selected, so failed attempts and other operations on the file
)CM (for example delete, rename or permission changes) do not
)CM raise this alert. Add separate criteria if those matter.
)CM NOTE(review): the alert can only fire if the system writes
)CM audit records for successful access to this file. Successful
)CM access is commonly not audited by default - check the file
)CM audit settings (chaudit) and the logging options of the
)CM security product.
)CM NOTE(review): the criteria are presumably combined with AND.
)CM An exact match on the directory for Unix_pathname together
)CM with an exact match on the full path for Unix_filename looks
)CM contradictory - confirm which field carries the full path and
)CM test the select on its own against recent SMF data.
)CM likelist=recent refers to a likelist named recent that is not
)CM defined in this member.
select unix_function=(open) descriptor(success),
likelist=recent,
Unix_filename=('/u/A28192/pagent.conf'),
Unix_pathname=('/u/A28192/')
)CM EMAIL sortlist
)CM Generated when C2PERCTP is MAIL. C2PSFMSG is imbedded first,
)CM then one labelled line per field with an 18-character label
)CM column. recno(nd) presumably orders on record number without
)CM printing it. The ne modifier on the four source lines
)CM presumably suppresses a line whose field is empty - confirm.
)SEL &C2PERCTP = MAIL
sortlist,
recno(nd),
)IM C2PSFMSG
/ ' Alert id &c2pemem.',
/ ' Date and time'(18) date(9) time(11),
/ ' Path'(18,noretain) Unix_filename(0,wrap),
/ ' Access type'(18) event,
/ ' Intended access'(18) unix_access_intent(0) ,
/ ' User'(18) user(8) name,
/ ' Job name'(18) jobname,
/ ' System ID'(18) system,
/ ' Source terminal'(18,ne) terminal,
/ ' Source (IPv4)'(18,ne) terminal(0,hextoip),
/ ' Source user'(18,ne) utoken_source_userid,
/ ' Source node'(18,ne) utoken_source_system,
/ /
)ENDSEL
)CM SNMP sortlist
)CM Generated when C2PERCTP is SNMP. Each line pairs a quoted name
)CM with a field value. The quoted names are presumably the
)CM variable names expected by the SNMP receiver - confirm before
)CM renaming any of them. Unlike the mail layout, this one also
)CM reports unix_access_allowed.
)SEL &C2PERCTP = SNMP
sortlist,
recno(nd),
'&c2pemem.' /,
'eventIntegral',
)IM C2PSFMSG
'eventWhen' datetime(datetimezone,0) /,
'onWhatUNIX-PATHNAME' Unix_filename(0,hor) /,
'whatEVENT' event(0) /,
'onWhatUNIX-ACCESS-INTENT' unix_access_intent(0) /,
'onWhatUNIX-ACCESS-ALLOWED' unix_access_allowed(0) /,
'whoUSERID' userid(0) /,
'whoNAME' name(0) /,
'whatJOBNAME' jobname(0) /,
'fromWhereTERMINAL' terminal(0) /,
'fromWhereSRCIP' terminal(0,hextoip) /,
'fromWhereUSER' utoken_source_userid /,
'fromWhereSYSTEM' utoken_source_system /,
'whereSYSTEM' system(0)
)ENDSEL
)CM WTO sortlist
)CM Generated when C2PERCTP is WTO. Nothing is listed here besides
)CM the C2PSFMSG imbed, so the console text presumably comes from
)CM the C2PXMSG layout defined at the top - confirm.
)SEL &C2PERCTP = WTO
sortlist,
recno(nd),
)IM C2PSFMSG
)ENDSEL
)CM Action command
)CM C2PSACTX and C2PSACTS are imbedded from outside this member.
)CM Their content is not visible here. The final )ENDSEL closes
)CM the alert condition section.
)IM C2PSACTX
)IM C2PSACTS
)ENDSEL