Enterasys Security Information and Event Manager Configuration Manual Download Page 188

Page: 188 / 426

Configuring DSMs

172

UNIPER

ETWORKS

<IP address>

is the IP address of your SIEM system.

<level>

is info, error, warning, or any,

<option>

is one of the following options from

Table 36-5

For example:

set system syslog host 10.77.12.12 firewall info

Configures the Juniper EX-Series Ethernet Switch to send info messages from
firewall filtering systems to your SIEM system.

Step 4

Repeat

Step 3

to configure any additional syslog destinations and options. Each

additional option must be identified using a separate syslog destination
configuration.

Step 5

You are now ready to configure the Juniper EX-Series Ethernet Switch in SIEM.

To configure SIEM to receive events from a Juniper EX-Series Ethernet Switch:



From the

Log Source Type

drop-down list box. select

Juniper EX-Series

Ethernet Switch

option.

For more information on configuring log sources, see the

Log Sources User Guide

For more information about your Juniper switch, see your vendor documentation.

Table 36-5

Juniper Networks Ex-Series Switch Options

Option

Description

any

All facilities

authorization

Authorization system

change-log

Configuration change log

conflict-log

Configuration conflict log

daemon

Various system processes

dfc

Dynamic flow capture

explicit-priority

Include priority and facility in messages

external

Local external applications

facility-override

Alternate facility for logging to remote host

firewall

Firewall filtering system

ftp

FTP process

interactive-commands Commands executed by the UI

kernel

Kernel

log-prefix

Prefix for all logging to this host

match

Regular expression for lines to be logged

pfe

Packet Forwarding Engine

user

User processes

Summary of Contents for Security Information and Event Manager

Page 1: ...Enterasys Security Information and Event Manager SIEM Configuring DSMs Release 7 7 0 P N 9034592 05...

Page 2: ......

Page 3: ...DAMAGES Enterasys Networks Inc 50 Minuteman Road Andover MA 01810 2011 Enterasys Networks Inc All rights reserved Part Number 9034592 04 October 2011 ENTERASYS ENTERASYS NETWORKS ENTERASYS DRAGON ENTE...

Page 4: ...MATERIALS Except as expressly permitted in this Agreement You may not copy or otherwise reproduce the Licensed Materials In no event does the limited copying or reproduction permitted under this Agree...

Page 5: ...closure thereof are harmful to Enterasys or its Affiliates and or its their software suppliers 6 MAINTENANCE AND UPDATES Updates and certain maintenance and support services if any shall be provided t...

Page 6: ...TED TO THE DURATION OF THE LIMITED WARRANTY SET FORTH ABOVE YOU ASSUME ALL RISK AS TO THE QUALITY FUNCTION AND PERFORMANCE OF THE LICENSED MATERIALS IN NO EVENT WILL ENTERASYS OR ANY OTHER PARTY WHO H...

Page 7: ...ts and undertakings oral or written are hereby expressly superseded and canceled No purchase order shall supersede this Agreement h Should You have any questions regarding this Agreement You may conta...

Page 8: ......

Page 9: ...NG DSMS 3 3COM 8800 SERIES SWITCH 4 AMBIRON TRUSTWAVE IPANGEL 5 APACHE HTTP SERVER Configuring Apache Using Syslog 11 Configuring Apache Using Syslog ng 12 6 APPLE MAC OS X 7 ARUBA MOBILITY CONTROLLER...

Page 10: ...IDS IPS 62 Cisco IronPort 63 Cisco NAC 64 Cisco IOS 65 Cisco Pix 66 Cisco VPN 3000 Concentrator 67 Cisco Wireless Services Module 68 15 CITRIX NETSCALER 16 CRYPTOCARD CRYPTO SHIELD 17 CYBER ARK VAULT...

Page 11: ...ASM 103 F5 Networks FirePass 104 23 FAIR WARNING 24 FIREEYE 25 FORESCOUT COUNTERACT 26 FORTINET FORTIGATE 27 FOUNDRY FASTIRON 28 GENERIC FIREWALL 29 GENERIC AUTHORIZATION SERVER 30 HP HP ProCurve 125...

Page 12: ...Juniper Networks Firewall and VPN 177 Juniper Networks Network and Security Manager 178 Juniper JunOS 179 Juniper Steel Belted Radius 183 Juniper Networks vGW Virtual Gateway 185 37 LIEBERMAN RANDOM P...

Page 13: ...Using Syslog 241 Integrating Nokia Firewall Using OPSEC 242 47 NORTEL NETWORKS Nortel Multiprotocol Router 245 Nortel Application Switch 248 Nortel Contivity 249 Nortel Ethernet Routing Switch 2500 4...

Page 14: ...SE 56 RSA AUTHENTICATION MANAGER 57 SAMHAIN LABS Using Syslog 299 Using JDBC 300 58 SENTRIGO HEDGEHOG 59 SECURE COMPUTING SIDEWINDER 60 SONICWALL 61 SOPHOS Sophos Enterprise Console 309 Sophos PureMes...

Page 15: ...SM 343 67 SYBASE ASE 68 SYMANTEC Symantec Endpoint Protection 353 Symantec SGS 354 Symantec System Center 354 Symantec Data Loss Prevention DLP 358 69 SYMARK 70 TIPPINGPOINT TippingPoint Intrusion Pre...

Page 16: ...73 TRIPWIRE 74 TROPOS CONTROL 75 UNIVERSAL DSM 76 VERICEPT CONTENT 360 DSM 77 WEBSENSE V SERIES Websense V Series Data Security Suite 383 Websense V Series Content Gateway 384 78 SUPPORTED DSMS INDEX...

Page 17: ...ollowing conventions are used throughout this guide Indicates that the procedure contains a single instruction NOTE Indicates that the information provided is supplemental to the associated feature or...

Page 18: ...support related to the product or this document contact Enterasys Networks using one of the following methods World Wide Web http www enterasys com support Phone 1 800 872 8440 toll free in U S and Ca...

Page 19: ...e events to the Event Processor All events are correlated and security and policy offenses are created based on correlation rules These offenses are displayed on the Offenses tab For more information...

Page 20: ......

Page 21: ...lowing steps Step 1 Download the file to your system hosting SIEM Step 2 Using SSH log in to SIEM as the root user Username root Password password Step 3 Navigate to the directory that includes the do...

Page 22: ......

Page 23: ...he loghost the severity level threshold value as informational and the output language to English info center loghost ip_address facility severity language english Where ip_address is the IP address o...

Page 24: ......

Page 25: ...your cache and access logs to your SIEM system For information on forwarding device logs to SIEM see your vendor documentation You are now ready to configure the log source in SIEM To configure SIEM...

Page 26: ......

Page 27: ...g Apache as the root user Step 2 Edit the Apache configuration file httpd conf Step 3 Add the following information in the Apache configuration file to specify the custom log format LogFormat h A l u...

Page 28: ...ress of the SIEM Console or Event Collector Step 9 Save the syslog configuration file Step 10 Type the following command to restart the syslog service etc init d syslog restart Step 11 Restart Apache...

Page 29: ...mat name must match the log format defined in Step 4 Step 6 Save the Apache configuration file Step 7 Edit the syslog ng configuration file etc syslog ng syslog ng conf Step 8 Add the following inform...

Page 30: ...y detects syslog ng events from an Apache HTTP Server However if you want to manually configure SIEM to receive events from Apache From the Log Source Type drop down list box select Apache HTTP Server...

Page 31: ...the file Make sure all other lines remain intact IP address Where IP address is the IP address of the SIEM system Step 4 Save and exit the file Step 5 Send a hang up signal to the syslog daemon to ma...

Page 32: ......

Page 33: ...s menu select Add Step 6 Type the IP address of the SIEM server that you want to collect logs Step 7 Click Add Step 8 Optional Change the logging level for a module a Select the check box next to the...

Page 34: ......

Page 35: ...nce you configure syslog to forward events to SIEM you are now ready to configure the log source in SIEM To configure SIEM to receive events from a Array Networks SSL VPN device From the Log Source Ty...

Page 36: ......

Page 37: ...ration window is displayed Step 3 Click Server Status The Server Status window is displayed Step 4 Click Edit Step 5 In the Syslog address field type the IP address of your SIEM system Step 6 From the...

Page 38: ......

Page 39: ...eportermain_v1 bcreporterssl_v1 p2p SSL bcreportercifs_v1 CIFS MAPI For more information about your Blue Coat SG Appliance see your vendor documentation Creating a Custom Format A SIEM Blue Coat SG DS...

Page 40: ...from the drop down list box Step 8 Click OK Step 9 Click Apply NOTE The custom format for SIEM supports additional key value pairs using the Blue Coat ELFF format For more information see Custom Forma...

Page 41: ...ing FTP and the Log File Protocol To configure the Blue Coat upload client for FTP Step 1 Select Configuration Access Logging Logs Upload Client Step 2 From the Log drop down list box select the log c...

Page 42: ...sent at all If you are sending to multiple syslog destinations a disruption in availability in one syslog destination may interrupt the stream of events to other syslog destinations from your Blue Coa...

Page 43: ...tarting with Bluecoat and containing Blue Coat ELFF Parameter Custom format fields for SIEM must be separated by the pipe character For example Bluecoat src c ip srcport c port dst cs uri address ds t...

Page 44: ......

Page 45: ...n logs oplog Step 4 To log error messages only change the local1 info WideSpan logs oplog line to the following local1 err WideSpan logs oplog NOTE RADIUS and Diameter system messages are stored in th...

Page 46: ...eive events from a Bridgewater Systems device From the Log Source Type drop down list box select the Bridgewater Systems AAA Service Controller option For more information on configuring log sources s...

Page 47: ...events and fields from the previous day in raw SMF format 3 The QexACF2 load trs program pulls data from the SMF formatted file The QexACF2 load trs program only pulls the relevant events and fields...

Page 48: ...ata line by line QexACF2 adds a header to each record containing event information for example record descriptor the date and time The program places each field into the output record suppresses trail...

Page 49: ...is a text file containing a sample JCL You must configure the job card to meet your configuration The QexACF2_jcl txt sample file includes QEXACF2 JOB T JXPO JKSD0093 DEV NOTIFY Q1JACK MSGCLASS P REG...

Page 50: ...C PGM FTP REGION 3800K INPUT DD IPADDR USER PASSWORD PUT ACFOUT EARL_ THEIPOFTHEMAINFRAMEDEVICE ACFOUT QUIT OUTPUT DD SYSOUT SYSPRINT DD SYSOUT Step 8 After the output file is created you must choose...

Page 51: ...e files through FTP SFTP or allow SCP then no interim FTP server is required and SIEM can pull the output file directly from the mainframe The following text must be commented out using or deleted fro...

Page 52: ...Secret data is extracted from the live repository using the SMF dump utility The SMF file contains all of the events and fields from the previous day in raw SMF format 3 The qextopsloadlib program pul...

Page 53: ...cter This output file is formatted for SIEM and the blank suppression reduces network traffic to SIEM This program does not consume CPU or I O disk resources Step 4 Customize the qextops_trsmain_JCL t...

Page 54: ...Y Q1JACK MSGCLASS P REGION 0M QEXTOPS JCL version 1 0 September 2010 Change below dataset names to sites specific datasets names SET1 SET TSSOUT Q1JACK EARLOUT ALL EARLOUT Q1JACK QEXTOPS PROGRAM OUTPU...

Page 55: ...INFRAMEDEVICE EARLOUT QUIT OUTPUT DD SYSOUT SYSPRINT DD SYSOUT Step 8 After the output file is created you must choose one of the following options a Schedule a job to a transfer the output file to an...

Page 56: ...INPUT DD IPADDR USER PASSWORD PUT EARLOUT EARL_ THEIPOFTHEMAINFRAMEDEVICE EARLOUT QUIT OUTPUT DD SYSOUT SYSPRINT DD SYSOUT You are now ready to configure the Log File protocol See Pulling Data Using L...

Page 57: ...Configuring DSMs CA Top Secret 41 For more information on configuring log sources and protocols see the Log Sources User Guide...

Page 58: ......

Page 59: ...form Operating system Integrating Check Point FireWall 1 Using Syslog This section describes how to ensure that the SIEM Check Point FireWall 1 DSMs accepts FireWall 1 events using syslog NOTE If Chec...

Page 60: ...press the Tab key host indicates the SIEM managed host Step 8 Save and close the file Step 9 Depending on your operating system type the following command to restart syslog In Linux service syslog re...

Page 61: ...See Adding a Check Point FireWall 1 Host Add an OPSEC application to Check Point Firewall 1 See Creating an OPSEC Application Object Locate the Log Source Secure Internal Communications DN See Locate...

Page 62: ...d used to generate the SIC DN When you configure your Check Point log source in SIEM the activation key is typed into the Pull Certificate Password parameter f Click Initialize The window updates the...

Page 63: ...ore information see your Check Point Command Line Interface Guide You must now install the Security Policy from the Check Point SmartDashboard user interface Step 5 Select Policy Install OK You are no...

Page 64: ...application requesting a certificate For example If the value is CN SIEM OPSEC O cpmodule tdfaaz the OPSEC Application value is SIEM OPSEC For more information on the OPSEC LEA parameters see the Log...

Page 65: ...nother port number Step 4 Remove the hash mark from that line For example lea_server auth_port 18888 lea_server port 0 Step 5 Save and close the file Step 6 Type the following command to start the fir...

Page 66: ...configure SIEM to integrate with a Check Point Provider 1 device using one of the following methods Integrating Check Point Provider 1 Using Syslog Integrating Check Point Provider 1 Using OPSEC NOTE...

Page 67: ...events using OPSEC To enable Check Point Provider 1 and SIEM integration you must 1 Configure Check Point Provider 1 SmartCenter For more information see Reconfiguring Check Point Provider 1 SmartCen...

Page 68: ...al Communication SIC certificate click Communication and enter an activation key Step 11 Select OK and then Close Step 12 To install the Policy on your firewall select Policy Install OK Configuring th...

Page 69: ...o ACE firewall DSM accepts events using syslog SIEM records all relevant events Before you configure SIEM to integrate with an ACE firewall you must forward all device logs to your SIEM system To forw...

Page 70: ...ype drop down list box select the Cisco ACE Firewall option For more information on configuring log sources see the Log Sources User Guide For more information on forwarding logs to SIEM see your vend...

Page 71: ...available information from the event You can integrate Cisco ACS with SIEM using one of the following methods Configure your Cisco ACS device to directly send syslog to SIEM Cisco ACS software versio...

Page 72: ...ou want to manually configure SIEM to receive events from Cisco ACS From the Log Source Type drop down list box select the Cisco ACS option For more information on configuring log sources see the Log...

Page 73: ...rter SIEM automatically detects the Cisco ACS events from the Adaptive Log Exporter However if you want to manually configure SIEM to receive events from Cisco ACS From the Log Source Type drop down l...

Page 74: ...address Where interface is the name of the Cisco Adaptive Security Appliance interface IP address is the IP address of SIEM NOTE Using the command show interfaces displays all available interfaces for...

Page 75: ...low collector ipv4 address or hostname is the IP address or host name of the Cisco ASA device with the NetFlow collector application udp port is the UDP port number to which NetFlow packets are sent N...

Page 76: ...configure SIEM to receive events from a Cisco ASA device using NetFlow Step 1 From the Log Source Type drop down list box select Cisco Adaptive Security Appliance ASA Step 2 From the Protocol Configur...

Page 77: ...Log Sources User Guide Cisco CSA You can integrate a Cisco Security Agent CSA server with SIEM The Cisco CSA DSM accepts events using syslog SNMPv1 and SNMPv2 SIEM records all configured Cisco CSA ale...

Page 78: ...logging logging on Step 3 Change the logging level logging trap level 1 7 By default the logging level is set to 3 error Step 4 Designate SIEM as a host to receive the messages logging host interface...

Page 79: ...m a Cisco IDS IPS device From the Log Source Type drop down list box select the Cisco Intrusion Prevention System IPS option For more information on configuring devices see the Log Sources User Guide...

Page 80: ...te source using the log file protocol Your system must be running the latest version of log file protocol to integrate with a Cisco IronPort device To configure your Cisco IronPort device to push web...

Page 81: ...from a Cisco NAC device From the Log Source Type drop down list box select Cisco NAC Appliance For more information on configuring log sources see the Log Sources User Guide Cisco IOS You can integrat...

Page 82: ...ces Router The following devices are auto discovered by SIEM as Cisco IOS devices Cisco 12000 Series Routers Cisco 6500 Series Switches Cisco 7600 Series Routers Cisco Carrier Routing System Cisco Int...

Page 83: ...sco PIX device From the Log Source Type drop down list box select the Cisco PIX Firewall option For more information on configuring log sources see the Log Sources User Guide For more information abou...

Page 84: ...Configuration window is displayed Step 3 In the Syslog Server IP Address field type the IP address of the SIEM host to which you want to send the syslog messages Click Add Step 4 Using the Syslog Leve...

Page 85: ...y level 19 Local Use 4 Facility level 20 Local Use 5 Facility level 21 Local Use 6 Facility level 22 Local Use 7 Facility level 23 Step 6 Click Apply Step 7 From the Buffered Log Level and the Console...

Page 86: ...Step 10 Select the Trace Info check box if you want the message logs to include traceback information The default value is disabled Step 11 Click Apply to commit your changes Step 12 Click Save Config...

Page 87: ...m For example add audit syslogAction action SIEM 10 10 10 10 serverPort 514 logLevel Info dateFormat DDMMYYYY Step 3 Type the following command to add an audit policy add audit syslogPolicy PolicyName...

Page 88: ...licy is saved in your configuration sh system global NOTE For information on configuring syslog using the Citrix NetScaler user interface see http support citrix com article CTX121728 or your vendor d...

Page 89: ...his parameter type the following org apache log4j net SyslogAppender log4j appender protocol SyslogHost IP address Type the IP address or hostname of the syslog server where protocol is the type of lo...

Page 90: ......

Page 91: ...MessageCodeFilter Configure which message codes are sent from the Cyber Ark Vault to SIEM You can define specific message numbers or a range of numbers By default all message codes are sent for user a...

Page 92: ......

Page 93: ...terface Step 2 Select the Advanced page Step 3 Under System Log select Enable Remote Logging Step 4 Type the IP address of SIEM Step 5 Click Apply Step 6 You are now ready to configure the log source...

Page 94: ......

Page 95: ...Step 1 Log in to your VMWare vSphere Client Step 2 Select the host managing your VMWare inventory Step 3 Click the Configuration tab Step 4 From the Software panel click Advanced Settings The Advanced...

Page 96: ...account permissions for the SIEM user For more information see Configuring Account Permissions 3 Configure the VMWare protocol in SIEM For more information see Configuring SIEM CAUTION Creating a user...

Page 97: ...Groups window click Add The Select Users and Groups window is displayed Step 4 Select your SIEM user and click Add Step 5 Click OK The Add Permissions window is displayed Step 6 From the Assigned Rol...

Page 98: ...VMWare ESX server see your vendor documentation Table 19 3 VMWare Parameters Parameter Description Log Source Identifier Type the IP address or hostname for the log source This value must match the v...

Page 99: ...g either an SNMPv3 or Syslog notification rule To configure your SIEM Enterasys Dragon DSM you must 1 Choose one of the following a Create an Alarm Tool policy using an SNMPv3 notification rule See Cr...

Page 100: ...ct the policy name you entered from Step b Step 4 To configure the event group a Click the Events Group tab b Click New The Event Group Editor is displayed c Select the event group or individual event...

Page 101: ...the Main tab c Make sure that Concatenate Events is not selected Step 7 Configure the SNMP options a Click the Global Options tab b Click the SNMP tab c Type the IP address of the EMS server sending S...

Page 102: ...3 notification rules if you need to transfer PDATA which is a binary data element Do not use a Syslog notification rule To configure Enterasys Dragon with an Alarm Tool policy using a syslog notificat...

Page 103: ...ox select LEEF LEEF Version 1 0 Vendor Product ProductVersion eventID devTime proto src sensor dst srcPort dstPort direction eventData NOTE The LEEF message format delineates between fields using a pi...

Page 104: ...u can map a normalized or raw event to a high level and low level category or QID However you cannot map combination Dragon messages using the event mapping tool For more information see the SIEM User...

Page 105: ...1 and you want to use syslog port of 514 type destination siem tcp 10 10 1 1 port 514 Step 5 Add a log statement for the notification rule log source s_local filter filt_facility_local1 filter filt_le...

Page 106: ...g Configuration panel is displayed Step 3 In the System Integration Status section enable syslog integration This allows the management server to send messages to the configured syslog servers By defa...

Page 107: ...ents using syslog SIEM records all relevant events Before configuring the Enterasys HiPath Wireless Controller device in SIEM you must configure your device to send syslog events to SIEM To configure...

Page 108: ...IP address facility facility severity severity descr description port port state enable disable Where index is the server table index number 1 to 8 for this server ip address is the IP address of the...

Page 109: ...terasys B3 Series Enterasys C2 Series Enterasys C3 Series Enterasys D Series Enterasys G Series or Enterasys I Series For more information on configuring log sources see the Log Source Users Guide For...

Page 110: ...gging server server number description description facility facility ip_addr ip address port port severity severity Where server number is the server number 1 to 8 description is a description of the...

Page 111: ...If a rule is currently configured highlight the rule Click Edit b To create a new rule click Create Step 5 Select the Notifications check box Step 6 Click Edit The Edit Notifications window is display...

Page 112: ...el 8 set logging application System level 8 set logging application RtrFe level 8 set logging application Trace level 8 set logging application RtrLSNat level 8 set logging application FlowLimt level...

Page 113: ...C DSM accepts events using syslog SIEM records all relevant events For details on configuring your Enterasys NAC appliances for syslog consult your vendor documentation You are now ready to configure...

Page 114: ......

Page 115: ...n ExtremeWare device you must configure syslog within your Extreme device You are now ready to configure the log source in SIEM To configure SIEM to receive events from your ExtremeWare device From th...

Page 116: ......

Page 117: ...slog events choose your BIG IP LTM software version Configuring Remote Syslog for F5 BIG IP LTM 10 x and above Configuring Remote Syslog for F5 BIG IP LTM 9 4 2 to 9 4 8 For more information on adding...

Page 118: ...remote syslog sources see your F5 Networks BIG IP LTM product documentation Configuring Remote Syslog for F5 BIG IP LTM 9 4 2 to 9 4 8 To configure syslog for F5 BIG IP LTM 9 4 2 to 9 4 8 Step 1 Log...

Page 119: ...layed Step 6 Configure the following parameters a Type a Profile Name For example SIEM b Optional Type a Profile Description NOTE If you do not want data logged locally as well as remotely you must cl...

Page 120: ...r F5 BIG IP device Step 2 Type the following command to add a single remote syslog server bigpipe syslog remote server Name host IP Address Where Name is the name of the F5 BIG IP APM syslog source IP...

Page 121: ...he IP address or hostname of your SIEM Console or Event Collector Step 6 From the Log Level drop down list box select Information The Log Level parameter monitors application level system messages Ste...

Page 122: ......

Page 123: ...onfigured in the Remote Host parameter in the Log File Protocol configuration You are now ready to configure the log source and protocol in SIEM To configure SIEM to receive events from a Fair Warning...

Page 124: ......

Page 125: ...rsyslog notification consumer fenotify rsyslog trap sink SIEM Step 5 Type the IP address for the SIEM system receiving rsyslog trap sink notifications fenotify rsyslog trap sink SIEM address IP addre...

Page 126: ...Configuring DSMs 110 FIREEYE...

Page 127: ...st configure your device to send syslog to your SIEM installation For more information on configuring your CounterACT device consult your vendor documentation You are now ready to configure the log so...

Page 128: ......

Page 129: ...ure syslog within your FortiGate device For more information on configuring a Fortinet FortiGate device see your vendor documentation You are now ready to configure the log source in SIEM To configure...

Page 130: ......

Page 131: ...Emergencies Debugging are logged Up to 50 messages are retained in the local syslog buffer No syslog server is specified Step 3 Type the following command to define an IP address for the syslog serve...

Page 132: ......

Page 133: ...expressions are disabled For example regex_enabled false When you set the regex_enabled property to false the system generates regular expressions based on the tags you entered while attempting to re...

Page 134: ...5 2005 08 30 00 Packet denied Source IP 192 168 1 1 Source Port 21 Destination IP 192 168 1 2 Destination Port 21 Protocol tcp The pattern for denied packets is Packet denied Step 8 Add the following...

Page 135: ...ase insensitive and you can add multiple patterns For multiple patterns separate using a symbol Step 11 Save and exit the file Step 12 You are now ready to configure the log source inSIEM To configure...

Page 136: ......

Page 137: ...default regular expressions are disabled For example regex_enabled false When you set the regex_enabled property to false the system generates regular expressions regex based on the tags you entered w...

Page 138: ...led password for root from 10 100 100 109 port 1849 ssh2 The pattern for login failures is Failed password Step 8 Add the following to the file login_failed_pattern login failure pattern Where login f...

Page 139: ...or example source_ip_pattern from source_port_pattern port Step 13 Review the file to determine if a pattern exists for username For example Jun 27 12 11 21 expo sshd 19926 Accepted password for root...

Page 140: ......

Page 141: ...d to logging syslog ip addr Where syslog ip addr is the IP address of the SIEM host Step 4 To exit config mode press CTRL Z Step 5 Type write mem to save the current configuration to the startup confi...

Page 142: ...the log source and protocol in SIEM Step 1 From the Log Source Type drop down list box select HP Tandem Step 2 To configure the log file protocol from the Protocol Configuration drop down list box se...

Page 143: ...ve command is surrounded with back quotation marks Step 6 You are now ready to configure the log source in SIEM To configure SIEM to receive events from an HP UX device From the Log Source Type drop d...

Page 144: ......

Page 145: ...cepted failed password events If you are using syslog on a UNIX host we recommend that you upgrade the standard syslog to a more recent version such as syslog ng To configure the IBM AIX for syslog ev...

Page 146: ...rce in SIEM To configure SIEM to receive events from an IBM AIX server From the Log Source Type drop down list box select the IBM AIX Server option For more information on configuring log sources see...

Page 147: ...above using the LogAgent for System i software Once you have your LogAgent for System i software configured use the Log File protocol source to pull the syslog CEF messages For more information see yo...

Page 148: ...sis For more information on configuring log sources and protocols see Pulling Data Using Log File Protocol Configuring an IBM iSeries to Integrate with SIEM To integrate an IBM iSeries with SIEM Step...

Page 149: ...start time for AJLIB DATETIME to update the gather time and the end time is set to blank If the FTP transfer fails the export file is erased and no updates are made to the gather date or time Pulling...

Page 150: ...tep 5 Configure the following parameters a Send SYSLOG message Select Yes b Destination address Type the IP address of SIEM c Facility to use Type a facility level d Severity range to auto send Type a...

Page 151: ...t the Traps tab Step 6 In the Community name section type the following in the space available and click add to list public Step 7 In the Traps destinations section select Add and type the IP address...

Page 152: ...ult Filter Step 6 Apply the DDM Filter to enhanced and simple events Choose to log all event types Step 7 Depending on the environment you can choose to apply the filter to all servers in a domain or...

Page 153: ...to store SiteProtector events which is defined during protocol configuration Although creating this account is not required it is recommended for your protection Record the username and password for...

Page 154: ...Hostname Type the IP address or hostname of the database server Port Type the port number used by the database server The default that is displayed depends on the selected Database Type The valid rang...

Page 155: ...can be up to 255 alphanumeric characters in length Also the list may include the following special characters dollar sign number sign underscore _ en dash and period Compare Field Type SensorDataRowID...

Page 156: ...ll relevant events Before you configure SIEM to integrate with IBM Proventia you must Step 1 In the Proventia Manager user interface navigation pane expand the System node Step 2 Select System Polling...

Page 157: ...ows you to integrate with an IBM zOS mainframe using IBM RACF for auditing transactions SIEM records all relevant and available information from the event To integrate the IBM RACF events into SIEM 1...

Page 158: ...trs file is a tersed file containing the executable the mainframe program QEXRACF When you upload the trs file from a workstation pre allocate a file on the mainframe with the following DCB attributes...

Page 159: ...ry that will contain the program Step 7 The qexracf_jcl txt file is a text file containing a sample JCL deck to provide you with the necessary JCL to run the IBM IRRADU00 utility This allows SIEM to o...

Page 160: ...SOUT SYSPRINT DD SYSOUT RACIN DD DISP SHR DSN SMFOUT RACOUT DD DISP SHR DSN QRACFOUT FTP Output file from C program Qexracf to an FTP server SIEM will go to that FTP Server to get file Note you need t...

Page 161: ...configure SIEM to receive events from an IBM mainframe RACF you must select the IBM RACF option from the Log Source Type drop down list box Step 2 To configure the log file protocol you must select t...

Page 162: ...semble the following AUD00001 Operation succeeded Step 3 Archive and move the active instance to a new location for future extraction db2audit archive For example an archive command response may resem...

Page 163: ...ded Step 4 Extract the data from the archived audit log and write the data to del files db2audit extract delasc For example an archive command response may resemble the following AUD00001 Operation su...

Page 164: ...configuring log sources and protocols see the Log Sources User Guide IBM WebSphere Application Server A SIEM IBM WebSphere Application Server DSM accepts events using the log file protocol source SIEM...

Page 165: ...n for the IBM WebSphere Application Server DSM see Customizing the Logging Option Customizing the Logging Option You must customize the logging option for each application server WebSphere uses and ch...

Page 166: ...ication Server option from the Log Source Type drop down list box Step 2 To configure the log file protocol you must select the Log File option from the Protocol Configuration drop down list box Your...

Page 167: ...nfiguration drop down list box Step 3 We recommend that you use a secure protocol for transferring files such as Secure File Transfer Protocol SFTP For more information on configuring log sources and...

Page 168: ...le the mainframe program QexIMS When you upload the trs file from a workstation pre allocate a file on the mainframe with the following DCB attributes DSORG PS RECFM FB LRECL 1024 BLKSIZE 6144 The fil...

Page 169: ...m as a member Step 5 You can STEPLIB to this library or choose to move the program to one of the LINKLIBs that are in LINKLST The program does not require authorization Step 6 The qexims_jcl txt file...

Page 170: ...he output file to an interim FTP server Each time the job completes the output file is forwarded to an intermin FTP server You must configure the following parameters in the sample JCL to successfully...

Page 171: ...SOUT You are now ready to configure the Log File protocol See Pulling Data Using Log File Protocol Pulling Data Using Log File Protocol A log file protocol source allows SIEM to retrieve archived log...

Page 172: ......

Page 173: ...device you must Step 1 Log in to the ISC BIND device Step 2 Open the following file to add a logging clause named conf logging channel channel_name syslog syslog_facility severity critical error warni...

Page 174: ...the syslog configuration to log to your SIEM system using the facility you selected in Step 2 syslog_facility IP Address Where IP Address is the IP address of your SIEM system For example local3 192 1...

Page 175: ...e events from an ISC BIND device From the Log Source Type drop down list box select the ISC BIND option For more information on configuring log sources see the Log Sources User Guide For more informat...

Page 176: ...Configuring DSMs 160 ISC BIND...

Page 177: ...and the System Log action group d In the Action Name field type q1labs_syslog_alerts e Configure the following parameters Syslog host Type the IP address of the SIEM system to which you want to send e...

Page 178: ...to which you want to send events Syslog log level Select INFO Message Type the following message as a pipe seperated continuous string DeviceType ImpervaSecuresphere Event et Event eventType d c Secu...

Page 179: ...M to receive events from a SecureSphere device From the Log Source Type drop down list box select the Imperva SecureSphere option For more information on configuring log sources see the Log Sources Us...

Page 180: ......

Page 181: ...x NIOS device to send syslog events to SIEM For more information on configuring logs on your Infoblox NIOS device see your Infoblox NIOS vendor documentation You are now ready to configure the Infoblo...

Page 182: ......

Page 183: ...r meter for syslog see your Itron Openway Smart Meter documentation You are now ready to configure the log source in SIEM SIEM automatically discovers events from an Itron Openway Smart Meter If you w...

Page 184: ......

Page 185: ...DBC protocol SIEM records all relevant events To integrate with Juniper Networks NSM AVT data you must create a view in the database on the Juniper Networks NSM server You must also configure the Post...

Page 186: ...configure the JDBC protocol for the log source Use the following parameters to configure the JDBC protocol a Database Type From the Database Type drop down list box select Postgres b Database Name Typ...

Page 187: ...Log Delimiter format SIEM supports comma delimited logs only Step 6 In the Log Host section type the IP address of your SIEM system Step 7 In the Log Port section type the UDP port on which you wish t...

Page 188: ...urce Type drop down list box select Juniper EX Series Ethernet Switch option For more information on configuring log sources see the Log Sources User Guide For more information about your Juniper swit...

Page 189: ...dress category subcategory src zone src intface src addr src port nat src addr nat src port dstzone dst intface dst addr dst port nat dst addr nat dst port protocol rule domain rule domainVersion poli...

Page 190: ...with SIEM NOTE If your Juniper device is running release 5 5R3 HF2 6 1 or above we recommend that you use the WELF WELF format for logging See your vendor documentation to determine if your device an...

Page 191: ...list box select the facility i From the Filter drop down list box select WELF WELF j Click Add and click Save Changes Step 4 Configure syslog server information for administrator access a If a WELF WE...

Page 192: ...rate a Juniper Networks Secure Access device with SIEM using syslog Step 1 Log in to your Juniper device administration user interface https 10 xx xx xx admin Step 2 Configure syslog server informatio...

Page 193: ...tegrate with a Juniper Networks Infranet Controller you must configure syslog within the server For more information on configuring your Juniper Networks Infranet Controller consult your vendor docume...

Page 194: ...Networks NSM logs see your Juniper Networks vendor documentation To integrate a Juniper Networks NSM device with SIEM you must Configuring Juniper Networks NSM to Export Logs to Syslog Configuring SIE...

Page 195: ...Platform DSM accepts events using syslog structured data syslog or PCAP SRX Series only SIEM records all valid syslog or structured data syslog events The SIEM Juniper JunOS Platform DSM supports the...

Page 196: ...or structured data syslog to SIEM Step 1 Log in to your Juniper platform command line interface CLI Step 2 Include the following syslog statements at the set system hierarchy level set system syslog...

Page 197: ...erity Define the severity of the messages that belong to the named facility with which it is paired Valid severity levels are any none emergency alert critical error warning notice info Messages with...

Page 198: ...og Source with PCAP Configuring a New Juniper Networks SRX Log Source with PCAP The Juniper Networks SRX series appliance is auto discovered by SIEM as a Juniper JunOS Platform SIEM detects the syslog...

Page 199: ...delete log source confirmation window is displayed Step 13 Click Yes The JunOS syslog log source is deleted from the log source list You should now have the PCAP Syslog Combination protocol in your l...

Page 200: ...fy the device in syslog messages forwarded to SIEM This is the IP address or hostname that will appear in SIEM d Root Log Directory Type the location where Juniper SBR stores log files Report log file...

Page 201: ...adius From the Log Source Type drop down list box select the Juniper Steel Belted Radius option For more information on configuring log sources see the Log Sources User Guide For more information on c...

Page 202: ...7 From the NetFlow Configuration panel select the enable check box NetFlow does not support central logging from a vGW management server From the External Logging section you must select the option Se...

Page 203: ...ocol to SIEM using Port 514 SIEM records all relevant password management events You are now ready to configure the log source in SIEM SIEM automatically detects the Lieberman Random Password Manager...

Page 204: ......

Page 205: ...Log Sources User Guide For more information on configuring your Linux DHCP Server consult the man pages or associated documentation for your DHCP daemon Linux IPtables A SIEM Linux IPtables DSM accep...

Page 206: ...nt behavior Set the log prefix parameter to Q1Target rule Where rule is one of fw_accept fw_drop or fw_reject For example if the rule being logged targets DENY the log prefix setting should be Q1Targe...

Page 207: ...a more recent version such as syslog ng To integrate Linux OS with SIEM select one of the following syslog configurations for event collection Configuring Linux OS Using Syslog Configuring Linux OS Us...

Page 208: ...address port 514 log source Sourcename filter auth_filter destination auth_destination Where IP address is the IP address of the SIEM system Source name is the name of the source defined in the config...

Page 209: ...rder Step 5 Type the Syslog Server details a The Enable Syslog Forwarder must be configured as Yes b The Port must be configured to 514 Step 6 Click Edit Step 7 Choose one of the following a If you ar...

Page 210: ...S Appliance For more information on configuring log sources see the Log Sources User Guide For more information on McAfee Intrushield see your vendor documentation McAfee ePolicy Orchestrator A SIEM M...

Page 211: ...he McAfee ePO Database and Database Server IP address or hostname from the ePO Management Console Database Type From the drop down list box select MSDE Database Name Type the exact name of the McAfee...

Page 212: ...field is used to identify new events added between queries to the table Start Date and Time Optional Type the start date and time for database polling The Start Date and Time parameter must be formatt...

Page 213: ...M Adding a Registered Server to McAfee ePO Step 1 Log in to your McAfee ePolicy Orchestrator console Step 2 Select Menu Configuration Registered Servers Step 3 Click New Server The Registered Server B...

Page 214: ...Automation Automatic Responses Step 2 Click New Responses The Response Builder wizard is displayed Step 3 Configure the following values a Name Type a name for the response b Description Type a descr...

Page 215: ...Available Types Selected Types ePO Version Detected UTC listOfDetectedUTC 4 5 Received UTC listOfReceivedUTC 4 5 Detecting Product IPv4 Address listOfAnalyzerIPV4 4 5 Detecting Product IPv6 Address l...

Page 216: ...SIEM McAfee Application Change Control DSM accepts change control events using Java Database Connectivity JDBC SIEM records all relevant McAfee Application Change Control events This document include...

Page 217: ...r The default port for MSDE is 1433 The JDBC configuration port must match the listener port of the McAfee Application Change Control database The McAfee Application Change Control database must have...

Page 218: ...s with different parameters For security and performance reasons we recommend that you use prepared statements Note Clearing this check box requires you to use an alternative method of querying that d...

Page 219: ...ebWasher Configuring McAfee Web Gateway for Syslog To integrated McAfee Web Gateway with SIEM Step 1 Log in to your McAfee Web Gateway console Step 2 Using the toolbar click Configuration Step 3 Click...

Page 220: ...you downloaded in Step 1 and select syslog_loghandler xml as the file to import NOTE If the McAfee Web Gateway appliance detects any conflicts with the rule set you must resolve the conflict For more...

Page 221: ...s Log Configuration already exists in the current configuration and a conflict solution is presented Step 10 If the McAfee Web Gateway appliance detects that the Access Log Configuration already exist...

Page 222: ...d protocol in SIEM Step 1 To configure SIEM to receive events from a McAfee Web Gateway appliance select McAfee Web Gateway from the Log Source Type drop down list box Step 2 To configure the protocol...

Page 223: ...must configure your device to send syslog to SIEM For more information about your MetaInfo MetaIP device see your vendor documentation You are now ready to configure the log source in SIEM To configur...

Page 224: ......

Page 225: ...nabled in the Microsoft Exchange System Manager and requires administrator access If event logging is already enabled for your Microsoft Exchange Server you can determine the log file type in use by c...

Page 226: ...0 Manager menu tree expand Local Computer Step 2 Expand Web Sites Step 3 Right click on Default Web Site and select Properties The Web Sites Properties window is displayed Step 4 From the Active Log F...

Page 227: ...ers Guide For information about the Microsoft Exchange Protocol see the Log Sources User Guide For more information about your Microsoft Exchange Server see your vendor documentation Integrating with...

Page 228: ...change System Manager menu tree expand Servers Protocols SMTP Step 2 Right click on Default SMTP Virtual Server and select Properties The Default SMTP Virtual Server Properties window is displayed Ste...

Page 229: ...EM to receive events from a Microsoft Windows IAS Server From the Log Source Type drop down list box select the Microsoft IAS Server option For more information on configuring devices see the Log Sour...

Page 230: ...EM Microsoft Internet Information Services IIS Server DSM accepts FTP HTTP NNTP and SMTP events using syslog You can integrate a Microsoft IIS Server with SIEM using one of the following methods Confi...

Page 231: ...tes Step 4 Right click on Default Web Sites and select Properties The Default Web Site Properties window is displayed Step 5 Select the Web Site tab Step 6 Select the Enable logging check box Step 7 F...

Page 232: ...User Name cs username Server IP Address s ip Server IP Address s ip Server Port s port Server Port s port Method cs method Method cs method URI Stem cs uri stem URI Stem cs uri stem URI Query cs uri...

Page 233: ...nformation For example you can use c LogFiles for an administrative share or LogFiles for a public share folder path but not c LogFiles If a log folder path contains an administrative share C users wi...

Page 234: ...Access the InterSect Alliance website http www intersectalliance com projects SnareIIS Step 2 Download open source Snare Agent for IIS version 1 2 SnareIISSetup 1 2 exe Step 3 Install the open source...

Page 235: ...e Agent you must configure a Microsoft IIS log source using syslog To manually configure a Microsoft IIS log source in SIEM perform the following steps Step 1 Log in to SIEM Step 2 Click the Admin tab...

Page 236: ...Step 7 Click the Advanced tab Step 8 From the list of properties select all event properties that you want to apply to the Microsoft IIS event log The selected properties must include the following a...

Page 237: ...Event Log with SIEM using one of the following methods Use the SIEM Adaptive Log Exporter For more information on the Adaptive Log Exporter see the Adaptive Log Exporter Users Guide Use the Microsoft...

Page 238: ...s index html Step 2 On the navigation menu select Network Configuration Step 3 Type the IP address of the SIEM system in the Destination Snare Server address field Step 4 Select the Enable SYSLOG Head...

Page 239: ...you configure SIEM to integrate with the Microsoft Operations Manager you must ensure a database user account is configured with appropriate permissions to access the MOM OnePoint SQL Server database...

Page 240: ...st have incoming TCP connections enabled to communicate with SIEM Note If you define a Database Instance when using MSDE as the database type you must leave the Port parameter blank in your SIEM confi...

Page 241: ...he SQL statement once and then execute the SQL statement many times with different parameters For security and performance reasons we recommend that you use prepared statements Clearing this check box...

Page 242: ...e Security settings of the SQL Server properties For more information please see your Microsoft SCOM documentation NOTE Ensure that no firewall rules are blocking the communication between SIEM and th...

Page 243: ...coming TCP connections enabled to communicate with SIEM Note If you define a Database Instance when using MSDE as the database type you must leave the Port parameter blank in your SIEM configuration U...

Page 244: ...tement once and then execute the SQL statement many times with different parameters For security and performance reasons we recommend that you use prepared statements Clearing this check box requires...

Page 245: ...figuring DSMs Microsoft System Center Operations Manager 229 Step 7 Click Save Step 8 On the Admin tab click Deploy Changes For more information on configuring log sources see the Log Sources User Gui...

Page 246: ......

Page 247: ...Level drop down list box select the desired log level for tracking system events The options are 0 Emergency 1 Alert 2 Critical 3 Errors 4 Warning 5 Notice 6 Info This is the default 7 Debug Step 4 T...

Page 248: ...configure SIEM to receive events from a Symbol AP device From the Log Source Type drop down list box select the Motorola SymbolAP option For more information on configuring log sources see the Log Sou...

Page 249: ...er only supports CIFS For information on configuring CIFS on your NetApp Data ONTAP device see your vendor documentation You are now ready to configure the log source in SIEM SIEM automatically detect...

Page 250: ......

Page 251: ...VP DSM is not automatically detected by SIEM The NVP DSM accepts events using syslog SIEM records all relevant events The log format for the NVP DSM must be a tab separated single line list of Name Pa...

Page 252: ...the destination IP address for the message DestinationPort Type the destination port for the message DestinationIpPreNAT Type the destination IP address for the message before NAT occurs DestinationI...

Page 253: ...OSName testbois DestinationMAC 00 41 C5 BF C4 9D EventCategory Accept DestinationPort 4444 GroupName testgroup SourceIpPreNAT 172 16 70 87UserName root DestinationIp 172 16 30 30 Example 2 The followi...

Page 254: ...5014 Identity TRUE IdentityUseSrcIp TRUE SourceMAC AA 15 C5 BF C4 9D SourceIp 172 15 210 113 DestinationIp 172 16 10 10 DestinationMAC 00 41 C5 BF C4 9D UserName root Example 4 The following example...

Page 255: ...rate with a Niksun device you must configure syslog within your Niksun device For more information on configuring Niksun consult your Niksun documentation You are now ready to configure the log source...

Page 256: ......

Page 257: ...guration pane click System Logging Step 4 In the Add new remote IP address to log to field type the IP address of your SIEM system Step 5 Click Apply Step 6 Click Save Step 7 Using SSH or a direct con...

Page 258: ...Guide 3 Configure the log source in SIEM To configure SIEM to receive events from an Check Point Provider 1 device using OPSEC you must select the Check Point FireWall 1 option from the Log Source Ty...

Page 259: ...ing OPSEC 243 Step 10 Select Communication and enter an activation key to configure the Secure Internal Communication SIC certificate Step 11 Select OK and then select Close Step 12 To install the pol...

Page 260: ......

Page 261: ...teway Nortel Multiprotocol Router A SIEM Nortel Multiprotocol Router DSM accepts Nortel Multiprotocol Router events using syslog SIEM records all relevant events Before you configure SIEM to integrate...

Page 262: ...lity local0 Step 9 Create a filter for the hardware slots to enable them to forward the syslog events Type the following command to create a filter with the name WILDCARD filter name WILDCARD entity a...

Page 263: ...gured syslog host information show syslog log host The host log is displayed with the number of packets being sent to the various syslog hosts For example syslog show syslog log host show syslog log h...

Page 264: ...configuring a Nortel Application Switch device in SIEM you must configure your device to send syslog events to SIEM To configure the device to send syslog events to SIEM Step 1 Log in to the Nortel Ap...

Page 265: ...ddress of the SIEM system Step 5 Type the following command to exit the command line exit Step 6 You are now ready to configure the log source in SIEM To configure SIEM to receive events from a Nortel...

Page 266: ...n For more information on configuring log sources see the Log Sources User Guide For more information about the Nortel ERS 2500 4500 5500 see http www nortel com support Nortel Ethernet Routing Switch...

Page 267: ...mapinfo info mapwarning warning maperror error mapfatal emergency severity info warning error fatal udp port 514 ERS 8606 5 config sys syslog host 1 Step 9 You are now ready to configure the log sourc...

Page 268: ..._ipaddr IP address Where IP address is the IP address of the SIEM system Step 5 Ensure that remote logging is enabled enable Step 6 Verify that the logging levels are configured as appropriate show sy...

Page 269: ...IEM you must Step 1 Log in to the Nortel SNAS user interface Step 2 Select the Config tab Step 3 Select Secure Access Domain and Syslog from the Navigation pane The Secure Access Domain window is disp...

Page 270: ...line interface CLI Step 2 Type the following command cfg sys log syslog add Step 3 Type the IP address of your SIEM system at the following prompt Enter IP address of syslog server A prompt is display...

Page 271: ...M system The leapipe is the connection between the Check Point SmartCenter Server and SIEM To reconfigure the Check Point SmartCenter Server Step 1 To create a host object open the Check Point SmartDa...

Page 272: ...ring a Nortel Switched Firewall 6000 device with SIEM using one of the following methods Integrating Nortel Switched Firewall Using Syslog Integrating Nortel Switched Firewall Using OPSEC Integrating...

Page 273: ...receive events from a Check Point SmartCenter Server using OPSEC LEA you must select the LEA option from the Protocol Configuration drop down list box when configuring LEA For more information see th...

Page 274: ...rtel TPS device in SIEM you must Step 1 Log in to the Nortel TPS user interface Step 2 Select Policy Response Intrusion Sensor Detection Prevention The Detection Prevention window is displayed Step 3...

Page 275: ...1 Log in to the Nortel VPN Gateway command line interface CLI Step 2 Type the following command cfg sys syslog add Step 3 At the prompt type the IP address of your SIEM system Enter new syslog host I...

Page 276: ......

Page 277: ...Event Auditing Using Novell iManager 4 Configure SIEM For more information see Configuring SIEM with Novell eDirectory Configuring XDASv2 to Forward Events By default XDASv2 is configured to log event...

Page 278: ...for events Step 8 To set the facility for logging events remove the comment marker from the following line log4j appender S Facility USER The default value of USER is the correct facility value for e...

Page 279: ...ng System If you installed Novell eDirectory to a different directory then the correct path is required Step 4 Click OK The Novell Directory Service console displays a list of available modules Step 5...

Page 280: ...nt is truncated c On the XDAS Events Configuration select the check boxes of the events you want XDAS to capture and forward to SIEM d Click Apply Step 7 On the XDAS tab click XDASRoles The XDAS Roles...

Page 281: ...r if you want to manually configure SIEM to receive events from Novell eDirectory From the Log Source Type drop down list box select Novell eDirectory For more information on configuring log sources s...

Page 282: ......

Page 283: ...SIEM system Step 4 Save and exit the file Step 5 Send a hang up signal to the syslog daemon to ensure all changes are applied kill HUP cat var run syslog pid NOTE The command above uses the backquote...

Page 284: ......

Page 285: ...ust Step 1 Configure SNORT on a remote system Step 2 Open the snort conf file Step 3 Uncomment the following line output alert_syslog LOG_AUTH LOG_INFO Step 4 Save and exit the file Step 5 Open the fo...

Page 286: ...tart Step 13 You are now ready to configure the log source in SIEM To configure SIEM to receive events from a SNORT device from the Log Source Type drop down list box select the Snort Open Source IDS...

Page 287: ...t tables When using a Microsoft Windows host verify database audit tables are enabled These procedures should be considered guidelines only We recommend that you have experience with Oracle DBA before...

Page 288: ...udit trails type the following command audit_trail DB b For syslog type the following command audit_trail os audit_syslog_level local0 info You must make sure the syslog daemon on the Oracle host is c...

Page 289: ...e drop down list box select the Oracle RDBMS Audit Record option For more information on configuring log sources see the Log Sources User Guide Improving Performance With Large Audit Tables The size o...

Page 290: ...the following command oracle_9i_dba_audit_view sql b If you are using Oracle v10g Release 2 and v11g type the following command oracle_alt_dba_audit_view sql Step 6 Make sure the database user config...

Page 291: ...dentifier Type the IP address or hostname for the log source Server Address Type the IP address of the Oracle Database Listener Domain Type the domain required to access the Oracle Database Listener T...

Page 292: ...orward the Oracle DB Listener events oracle_dblistener_fwdr pl txt Step 3 Rename the file to a Perl script Force File Read Select the check box to force the protocol to read the log file when the timi...

Page 293: ...og file monitors any new output from the listener The log file may be different across versions of the Oracle database some examples are provided below Oracle 9i install_directory product 9 2 network...

Page 294: ...Configuration drop down list box select syslog Step 3 In the Log Source Identifier field type the IP address of the Oracle Database you specified using the H option in Step 6 The configuration of the...

Page 295: ...down list box select Oracle Audit Vault Step 7 Using the Protocol Configuration drop down list box select JDBC Step 8 Configure the following values a Database Type Oracle b Database Name Audit Vault...

Page 296: ...pts written for Oracle OS Audit work on Linux UNIX servers only Windows Perl script is not supported NOTE To avoid errors do not delete log files you are actively monitoring unless the script is stopp...

Page 297: ...location of the DDL and DML log files H The H parameter defines the host name or IP address for the syslog header We recommend that this be the IP address of the Oracle server on which the script is r...

Page 298: ...uring an Audit Provider 5 Configure SIEM to pull log files from Oracle BEA WebLogic For more information see Pulling Data Using the Log File Protocol Enabling Event Logs on Oracle BEA WebLogic By defa...

Page 299: ...e Providers Auditing Step 2 Click New Step 3 Configure an audit provider a Type a name for the audit provider you are creating b From the Type drop down list box select DefaultAuditor c Click OK The S...

Page 300: ...ve files Remote Port Type the TCP port on the remote host that is running the selected Service Type If you configure the Service Type as FTP the default is 21 If you configure the Service Type as SFTP...

Page 301: ...parameter when using ASCII as the FTP Transfer Mode SCP Remote File If you select SCP as the Service Type you must type the file name of the remote file Start Time Type the time of day you want the pr...

Page 302: ...Select the check box to define the local directory on your SIEM system that you want to use for storing downloaded files during processing We recommend that you leave the check box clear When the chec...

Page 303: ...5 Configure the following options in the New Syslog Setting page Name Type the name of the syslog server Server Type the IP address of your SIEM system Port Type the port number the SIEM system to rec...

Page 304: ...age to update your Palo Alto PA Series firewall with the active configuration Step 14 You are now ready to configure the log source in SIEM To configure SIEM to receive events from your Palo Alto Netw...

Page 305: ...ollowing options AUTH or AUTHPRIV CRON DAEMON KERN LPR MAIL NEWS USER UUCP LOCAL0 LOCAL1 LOCAL2 LOCAL3 LOCAL4 LOCAL5 LOCAL6 or LOCAL7 Step 3 Save the file and exit Step 4 Open the etc syslog conf file...

Page 306: ......

Page 307: ...er defined value indicating the type of device used by the sender This criteria is applied when the device sends syslog messages The default value is 21 meaning Local Use 6 Severity indicates the impo...

Page 308: ......

Page 309: ...4 In ASP security default configuration mode configure the IP address of the log server and the optional transport protocol log server IP address transport udp port 9345 Where IP address is the IP add...

Page 310: ...10 192 22 24 Step 7 You are now ready to configure the log sources SIEM To configure SIEM to receive events from a Redback ASE device From the Log Sources Type drop down list box select the Redback A...

Page 311: ...ureID 3 0 appliance If you are using RSA Authentication Manager on Linux see Configuring Syslog on RSA Authentication Manager for Linux If you are using RSA Authentication Manager on Windows see Confi...

Page 312: ...configuring syslog forwarding see your RSA Authentication Manager documentation Configuring Syslog on RSA Authentication Manager for Windows To configure RSA Authentication Manager for syslog using Mi...

Page 313: ...re your RSA Authentication Manager v7 x device Step 1 Log in to the RSA Security Console Step 2 Click Administration Log Management Recurring Log Archive Jobs Step 3 In the Schedule section configure...

Page 314: ...atabase Administration For complete information on using SecurID see your vendor documentation Step 3 From the Log drop down list box select Automate Log Maintenance The Automatic Log Maintenance wind...

Page 315: ...ur SIEM system NOTE The following procedure is based on the default samhainrc file If the samhainrc file has been modified some values such as syslog facility may be different To configure Samhain HID...

Page 316: ...DBC driver you must download and install the platform independent MySQL Connector J from http dev mysql com downloads connector j For instruction on installing MySQL Connector J for the JDBC protocol...

Page 317: ...ied in the samhainrc file Samhain SetDBHost is the database host specified in the samhainrc file Samhain SetDBUser is the database user specified in the samhainrc file Samhain SetDBPassword is the dat...

Page 318: ......

Page 319: ...ng log format entry sentrigo comm ListenAddress 1996 log format body custom usrName osUser 20 duser execUser 20 sev severity identHostName sourceHost src sourceIP dst a gent ip devTime logonTime devTi...

Page 320: ...ow ready to configure the log source in SIEM To configure SIEM to receive events from a Sentrigo Hedgehog device From the Log Source Type drop down list box select the Sentrigo Hedgehog option For mor...

Page 321: ...evice to forward syslog to SIEM make sure that the logs are exported in Sidewinder Export format SEF For more information on configuring Sidewinder see your vendor documentation Once you configure sys...

Page 322: ......

Page 323: ...igure syslog within the appliance Once you configure SonicWall to forward events to SIEM you are ready to configure the log source in SIEM To configure SIEM to receive events from your SonicWALL appli...

Page 324: ......

Page 325: ...EM using the JDBC protocol For information on installing the Sophos Reporting Interface see your Sophos Enterprise Console documentation Configure SIEM Using the Sophos Enterprise Console Protocol A S...

Page 326: ...base name as entered in the Database Name parameter Sophos Database Server IP or Host Name is the hostname or IP address for this log source as entered in the IP or Hostname parameter Note When defini...

Page 327: ...configuration The list must contain the field defined in the Compare Field parameter The comma separated list can be up to 255 alphanumeric characters in length Also the list may include the followin...

Page 328: ...c IPAddress c DomainName c OperatingSystem c ServicePack t ThreatSubType t Priority t ThreatLocalID t ThreatLocalIDSource t ThreatName t FullFilePathCheckSum t FullFilePath t FileNameOffset t FileVer...

Page 329: ...the Protocol Configuration drop down list box select JDBC NOTE You must refer to the Configure Database Settings on your Sophos Enterprise Console to define the parameters required to configure the So...

Page 330: ...Type the database instance if you have multiple SQL server instances on your database server Note If you use a non standard port in your database configuration or have blocked access to port 1434 for...

Page 331: ...e prepared statements Clearing this check box requires you to use an alternative method of querying that does not use pre compiled statements Polling Interval Type the polling interval which is the am...

Page 332: ...siem_view as select Windows PureMessage as application id reason timecreated emailonly as sender filesize subject messageid filename from dbo quaritems dbo quaraddresses where ItemID ID and Field 76 G...

Page 333: ...ce identifier you must use the values of the Database and Database Server IP address or hostname of the Sophos PureMessage device Database Type From the drop down list box select MSDE Database Name Ty...

Page 334: ...dollar sign number sign underscore _ en dash and period Compare Field Type ID The Compare Field parameter is used to identify new events added between queries to the table Use Prepared Statements Sel...

Page 335: ...from_local h_from_domain m_global_id m_message_size outbound h_to c_subject_utf8 from message a m_reason b where a reason_id b reason_id Once you have created your SIEM view you must configure SIEM to...

Page 336: ...igure the Sophos PureMessage DSM in SIEM Step 8 Configure the following values Table 61 2 Sophos PureMessage JDBC Parameters Parameter Description Log Source Identifier Type the identifier for the log...

Page 337: ...se a comma separated list to define specific fields from tables or views if required for your configuration The list must contain the field defined in the Compare Field parameter The comma separated l...

Page 338: ...tatus window is displayed Step 4 From Syslog Servers panel click the icon The Add Syslog Server window is displayed Step 5 Configure the following parameters a Name Type a name for the syslog server b...

Page 339: ...aro Security Gateway For more information on configuring log sources see Log Sources User Guide Sophos Web Security Appliance The SIEM Sophos Web Security Appliance WSA DSM accepts events using syslog...

Page 340: ...phos Web Security Appliance DSM in SIEM SIEM automatically detects syslog data from a Sophos Web Security Appliance To manually configure SIEM to receive events from Sophos Web Security Appliance From...

Page 341: ...ion Step 3 Under Policy click Edit Step 4 In the list select your active policy Click Edit Step 5 Click Alerting The selected policy settings appear Step 6 For the State parameter select the On option...

Page 342: ...rce NOTE The Sourcefire Defense Center DSM uses the same SIEM identifiers QID information as the Snort DSM We recommend you download and install the latest Snort DSM from the Enterasys Extranet at htt...

Page 343: ...and any additional option parameters to import your pkcs12 file opt qradar bin estreamer cert import pl f file name options Where file name is the file name of the pkcs12 file created by your Sourcefi...

Page 344: ...errides the default estreamer name for the keystore and truststore files The o parameter is required when using multiple Sourcefire Defense Center devices as unique key file names are required For exa...

Page 345: ...e Sourcefire Defense Center device Server Port Type the port number SIEM uses to receive Sourcefire Defense Center Estreamer events The default is 8302 Keystore Filename Type the directory path and fi...

Page 346: ......

Page 347: ...is any valid syslog facility such as authpriv daemon local0 to local7 or user written in lowercase priority is any valid priority such as err warning notice info debug written in lowercase Step 4 Sav...

Page 348: ...following command to restart the syslog daemon etc init d syslog restart For more information on configuring Squid Web Proxy consult your vender documentation Step 11 Once you forward your cache and a...

Page 349: ...following table provides the necessary parameters Table 64 1 Syslog Server Parameters Parameter Description syslog IP address Type the IP address of the SIEM system facility facilities Type the local...

Page 350: ...luding min Provides minimal information about the event such as event name facility event ID severity level data and time concise Provides detailed information about the event but does not provide the...

Page 351: ...rate in a degraded date This level also logs events with a higher severity level warning Logs events that may indicate a potential problem This level also logs events with a higher severity level unus...

Page 352: ...or more information on configuring log sources see the Log Sources User Guide For more information about the device see your vendor documentation Table 64 4 Monitor Log Parameters Parameter Descriptio...

Page 353: ...Center with SIEM 1 Configuring the Log Server 2 Configuring a Traffic Rule for Syslog 3 Configuring the Log Source in SIEM Configuring the Log Server To configure Stonesoft Management Center perform...

Page 354: ...perform the following steps Step 1 From the Stonesoft Management Center select one of the following methods for modifying a traffic rule Firewall policies Select Configuration Configuration Firewall...

Page 355: ...end setting the logging value to None Logging syslog connections without configuring a syslog filter can create a loop For more information see the StoneGate Management Center Administrator s Guide St...

Page 356: ......

Page 357: ...g the following line to the file err auth notice auth info IP address Where IP address is the IP address of the SIEM system Use tabs instead of spaces to format the line NOTE Depending on the version...

Page 358: ...ess is the IP address of the SIEM system Use tabs instead of spaces to format the line Step 7 Save and exit the file Step 8 Type the following command kill HUP cat etc syslog pid Step 9 You are now re...

Page 359: ...l for system administrator to retrieve detailed auditing events from Sun Solaris systems SIEM retrieves Sun Solaris BSM events using the Log File protocol Before you configure SIEM to integrate with S...

Page 360: ...the binary Solaris Basic Security Mode logs to a human readable log format Converting Sun Solaris BSM Audit Logs SIEM cannot process binary files directly from Sun Solaris BSM and must convert the au...

Page 361: ...hange the default directory for the log files a AUDIT_DIR var audit The Audit directory must match the location specified by the audit control file you configured in Step 5 b LOG_DIR var log The log d...

Page 362: ...is displayed Step 4 Click the Log Sources icon The Log Sources window is displayed Step 5 From the Log Source Type drop down list box select Solaris BSM Step 6 Using the Protocol Configuration drop d...

Page 363: ...Directory Type the directory location on the remote host from which the files are retrieved By default the newauditlog sh script writes the human readable logs files to the var log directory Recursive...

Page 364: ...ple type 2H if you want the directory to be scanned every 2 hours The default is 1H Run On Save Select the check box if you want the log file protocol to run immediately after you click Save After the...

Page 365: ...ing DSMs Sun Solaris Basic Security Mode BSM 349 Step 8 Click Save Event Generator From the Event Generator drop down list box select LINEBYLINE Table 66 2 Log File Parameters continued Parameter Desc...

Page 366: ......

Page 367: ...to the security database use sybsecurity go Step 4 Create a view for SIEM create view audit_view as select audit_event_name event as event_name from audit_table_1 union select audit_event_name event...

Page 368: ...displayed Step 5 Click Add The Add a log source window is displayed Step 1 From the Log Source Type drop down list box select the Sybase ASE option Step 2 Using the Protocol Configuration drop down l...

Page 369: ...tion Manager Step 2 On the left panel click the Admin icon The View Servers option is displayed Step 3 From the bottom of the View Servers panel click Servers Step 4 From the View Servers panel click...

Page 370: ...ents from your SGS appliance From the Log Source Type drop down list box select the Symantec Gateway Security SGS Appliance option For more information on configuring devices see the Log Sources User...

Page 371: ...ustom view you must configure SIEM to receive event information using the JDBC protocol To configure Symantec System Center SSC DSM with SIEM see Configuring SIEM to Receive Events Configuring SIEM to...

Page 372: ...ming TCP connections enabled to communicate with SIEM Note If you define a Database Instance when using MSDE as the database type you must leave the Port parameter blank in your SIEM configuration Use...

Page 373: ...the SQL statement many times with different parameters For security and performance reasons we recommend that you use prepared statements Clearing this check box requires you to use an alternative met...

Page 374: ...MTP response rule For more information see Creating a None Of SMTP Response Rule 3 Configure SIEM For more information see Configuring SIEM with Symantec DLP Creating an SMTP Response Rule To configur...

Page 375: ...TH path PATH quarantineParentPath QUARANTINE_PAR ENT_PATH scan SCAN target TARGET d Level From this drop down list box select 6 Informational Step 12 Click Save You are now ready to configure your Non...

Page 376: ...um POLICY src SENDER dst REC IPIENTS rules RULES matchCount MATCH_COUNT blocked BLOC KED incidentID INCIDENT_ID incidentSnapshot INCIDENT_SNAP SHOT subject SUBJECT fileName FILE_NAME parentPath PARE N...

Page 377: ...ymark PowerBroker NOTE Perl 5 8 must be installed on the device that hosts Symark PowerBroker Step 5 Log in to the device that hosts Symark PowerBroker using an account that has read write execute per...

Page 378: ...Log Sources User Guide For more information about your Symark PowerBroker device see your vendor documentation h The h parameter defines the receiving syslog host the Event Collector host name or IP...

Page 379: ...for Events If you are using an LSM see Configuring the Notification Contacts for LSM Configuring SMS Remote Syslog for Events The SIEM TippingPoint DSM accepts remote events using syslog with all info...

Page 380: ...vice see your vendor documentation Configuring the Notification Contacts for LSM To configure LSM notification contacts Step 1 Log in to the TippingPoint system Step 2 From the LSM menu select IPS Act...

Page 381: ...must also select the desired rate Block Does not permit traffic TCP Reset When used with the Block action resets the source destination or both IP addresses of an attack This option resets blocked TC...

Page 382: ...r Tipping Point device you may have to add static routes For more information see your vendor documentation Step 4 You are now ready to configure the log source in SIEM To configure SIEM to receive ev...

Page 383: ...on on configuring Top Layer see your Top Layer documentation Once you configure syslog to forward events to SIEM you are ready to configure the log source SIEM To configure SIEM to receive events from...

Page 384: ......

Page 385: ...om the Log Source Type drop down list box select the Trend InterScan VirusWall option For more information on configuring devices see the Log Sources User Guide For more information about your Trend M...

Page 386: ...r Guide For more information on Trend Micro Control Manager see your vendor documentation Trend Micro Office Scan A Trend Micro Office Scan DSM accepts events using SNMPv2 SIEM records events relevant...

Page 387: ...tep 5 Click Save Step 6 Configure Outbreak Alert Notifications a Select Out Notifications b Click the SNMP Trap tab c Select the Enable notification via SNMP Trap for Virus Malware Outbreaks check box...

Page 388: ...d Alert Notifications Configuring General Settings To integrate a Trend Micro Office Scan 10 x device with SIEM Step 1 Log in to the Office Scan Administration interface Step 2 Select Notifications Ad...

Page 389: ...ages are sent to an administrator when the criteria exceeds the specified detection limit NOTE Trend Micro recommends using the default values for the detection number and detection period Step 4 Sele...

Page 390: ...Scan device Step 1 From the Log Source Type drop down list box select the Trend Micro Office Scan option Step 2 From the Protocol Configuration drop down list box select the SNMPv2 option For more in...

Page 391: ...tion Step 5 Select Rules and click on the desired rule you wish to monitor Step 6 Select the Actions tab Step 7 Make sure the new action is selected Step 8 Click OK Step 9 Repeat Step 5 to Step 8 for...

Page 392: ......

Page 393: ...log remove the comment marker from the following line log4j category syslog INFO syslog Step 4 To configure the IP address for the syslog destination edit the following line log4j appender syslog Sysl...

Page 394: ......

Page 395: ...s into offenses If an enterprise network has one or more network or security devices that are not officially supported no specific DSM for the device exists you can use the Universal DSM The Universal...

Page 396: ......

Page 397: ...e your device to send syslog to SIEM For more information on configuring your Vericept device consult your vendor documentation Once you configure syslog to forward events to SIEM you are ready to con...

Page 398: ......

Page 399: ...g Notification Template or create a new template Step 3 Click the General tab Step 4 Click Send Syslog Message Step 5 Select Options Settings Syslog to access the Syslog window The syslog window enabl...

Page 400: ...Log File Protocol for the Websense V Series Content Gateway Configuring Syslog for the Websense V Series Content Gateway The Websense V Series DSM supports Websense V Series appliances running the Web...

Page 401: ...and then cut and paste it into your web browser to retain the tab separations The definitions file ignores extra white space blank lines and all comments Step 8 Select Enabled to enable the custom log...

Page 402: ...a remote host The Websense V Series DSM supports the bulk loading of log files using the log file protocol to provide events on a scheduled interval To configure your Websense V Series Content Gatewa...

Page 403: ...IEM Step 1 To configure SIEM to receive events from the Websense V Series you must select the Websense V Series option from the Log Source Type drop down list box Step 2 To configure the log file prot...

Page 404: ......

Page 405: ...g Snort based events Ambiron TrustWave ipAngel Intrusion Prevention System IPS No No http www atwcorp com Apache HTTP Server v1 3 and above Syslog HTTP status Apache HTTP Server Yes No http www apache...

Page 406: ...I R55 R65 R70 NGX Syslog or OPSEC LEA All relevant events Check Point FireWall 1 Yes Yes http www checkpoint co m Provider 1 NG FP1 FP2 FP3 AI R54 AI R55 R65 R70 NGX Syslog or OPSEC LEA All relevant e...

Page 407: ...com IronPort v5 5 and v6 5 Syslog Log File Protocol All relevant events Cisco IronPort No No http www cisco com Firewall Service Module FWSM v2 1 and above Syslog All relevant events Cisco Firewall S...

Page 408: ...caler v9 3 Syslog All relevant events Citrix NetScaler Yes Yes http www citrix com CRYPTOCard CRYPTO Shield v6 3 Syslog All relevant events CRYPTOCard CRYPTO Shield No No http www cryptocard co m Cybe...

Page 409: ...rasys K N S Series Switch Yes No http www enterasys co m Stackable and Standalone Switches Syslog All relevant events Enterasys Stackable and Standalone Switches or select your specific device type En...

Page 410: ...arning FairWarning v2 9 2 Log File Protocol All relevant events Fair Warning No No http www fairwarningau dit com FireEye MPS eMPS and MA v5 1 patch level 5 Syslog All relevant events FireEye No No ht...

Page 411: ...wertech Interact V5R1 and above Syslog All CEF formatted messages IBM AS 400 iSeries Yes Yes http www ibm com http www powertech co m Raz Lee iSecurity Firewall 15 7 and Audit 11 7 Syslog All relevant...

Page 412: ...m com Imperva SecureSphere v6 2 and v7 x Release Enterprise Edition Syslog All relevant events Imperva SecureSphere Yes No http www imperva com Infoblox NIOS v6 x Syslog All relevant events Infoblox N...

Page 413: ...ntroller No Yes http www juniper net Firewall and VPN v5 5r3 and later Syslog All relevant NetScreen Firewall events Juniper Networks Firewall and VPN Yes Yes http www juniper net NetScreen IDP v4 0 v...

Page 414: ...al Gateway v4 5 Syslog All relevant firewall admin policy and IDS Log events Juniper vGW Yes No http www juniper net Lieberman Random Password Manager v4 8x Syslog All relevant events Lieberman Random...

Page 415: ...60 59 and above Syslog All relevant events Metainfo MetaIP Yes Yes http www metainfo com Microsoft IIS 6 0 and 7 0 Syslog HTTP status code events Microsoft IIS Webserver Logs Yes No http www microsof...

Page 416: ...ons Manager 2005 JDBC All relevant events Microsoft Operations Manager No No http www microsoft com System Center Operations Manager 2007 JDBC All relevant events Microsoft SCOM No No http www microso...

Page 417: ...vents Nortel Application Switch No Yes http www nortel com ARN v15 5 Syslog All relevant events Nortel Multiprotocol Router Yes No http www nortel com Ethernet Routing Switch 2500 v4 1 Syslog All rele...

Page 418: ...wall 5100 v2 4 Syslog or OPSEC All relevant events Nortel Switched Firewall 5100 Yes Yes http www nortel com Switched Firewall 6000 v4 2 Syslog or OPSEC All relevant events Nortel Switched Firewall 60...

Page 419: ...s http www proftpd org Radware DefensePro v4 23 and 5 01 Syslog All relevant events Radware DefensePro Yes No http www radware com Redback Networks ASE v6 1 5 Syslog All relevant events Redback ASE Ye...

Page 420: ...x Syslog All relevant Sourcefire events Snort Open Source IDS Yes No http www sourcefire co m Defense Center v4 8 0 2 and above Sourcefire Defense Center All relevant Sourcefire events Sourcefire Defe...

Page 421: ...events Symantec Gateway Security SGS Appliance Yes No http www symantec co m SSC v10 1 JDBC All relevant events Symantec System Center Yes No http www symantec co m Data Loss Prevention DLP v8 x and a...

Page 422: ...v5 2 and above Syslog Resource additions removal and modification events Tripwire Enterprise Yes No http www tripwire com Tropos Networks Tropos Control v7 7 Syslog All relevant fault management logi...

Page 423: ...reless Controller 91 394 Enterasys Matrix K N S Series Switch 96 393 Enterasys Matrix Router 94 393 Enterasys Matrix Series 96 Enterasys NAC 97 394 Enterasys NetSight Automatic Security Manager 95 393...

Page 424: ...Nortel Secure Network Access Switch 253 402 Nortel Secure Router 251 402 Nortel Switched Firewall 5100 254 402 Nortel Switched Firewall 6000 256 402 Nortel Threat Protection System 402 Nortel VPN Gat...

Page 425: ...Configuring DSMs INDEX 409 Authentication Server 394 Firewall 394 Syslog and SNMP 394 V Vericept Content 360 381 406 W Websense Content Gateway 384 406 Websense Data Security Suite 383 406...

Page 426: ......

Search results

Summary of Contents for Security Information and Event Manager

Reviews:

Related manuals for Security Information and Event Manager

Brands by name

Popular brands

Enterasys Security Information and Event Manager, Configuration Manual

Search results

Summary of Contents for Security Information and Event Manager

Reviews:

Related manuals for Security Information and Event Manager

Brands by name

Popular brands