manualshive.com logo in svg

Enterasys Security Information and Event Manager, Руководство по настройке

Enterasys Security Information and Event Manager - продукт, обеспечивающий безопасность вашей сети. Вы можете скачать бесплатный конфигурационный руководство на manualshive.com. Этот ресурс поможет вам настроить и использовать продукт для оптимальной защиты данных и событий в вашей сети.

Поделиться
Скачать
background image

Configuring DSMs

170

J

UNIPER

 N

ETWORKS

Where 

<IP address> 

is the IP address of the Event Collector you want to 

connect to the database. 

Step 4

Reload the Postgres service:

su - nsm -c "pg_ctl reload -D /var/netscreen/DevSvr/pgsql/data"

Step 5

As the Juniper Networks NSM user, create the view:

create view strm_avt_view as SELECT a.name, a.category, 

v.srcip,v.dstip,v.dstport, v."last", u.name as userinfo, v.id, 

v.device, v.vlan,v.sessionid, v.bytecnt,v.pktcnt, v."first" FROM 

avt_part v JOIN app a ON v.app =a.id JOIN userinfo u ON 

v.userinfo = u.id;

The view is created. 

Step 6

You are now ready to configure the log source in SIEM. 

To configure SIEM to receive events from a Juniper Networks AVT device:

Step 1

From the 

Log Source Type

 drop-down list box, select 

Juniper Networks AVT

.

Step 2

You must also configure the JDBC protocol for the log source. Use the following 
parameters to configure the JDBC protocol:

a    

Database Type

 - From the 

Database Type

 drop-down list box, select 

Postgres

.

b    

Database Name

 - Type 

profilerDb

.

c    

IP or Hostname

 - Type the IP address of the Juniper Networks NSM system.

d    

Port

 - Type 

5432

.

e    

Username

 - Type the username for the profilerDb database. 

f    

Password

 - Type the password for profilerDB database. 

g    

Table Name

 - Type 

strm_avt_view

.

h    

Select List

 - Type 

*

 for the select list.

i    

Compare Field

 - Type 

id

 for the Compare Field.

j    

Use Prepared Statements

 -The 

Use Prepared Statements

 check box must be 

clear. The Juniper Networks AVT DSM does not support prepared statements. 

k    

Polling Interval

 - Type 

10

 for the Polling interval.

NOTE

The Database Name and Table Name parameters are case sensitive. 

For more information on configuring log sources and protocols, see the 

Log 

Sources User Guide

For more information about the Juniper Networks AVT device, see your vendor 
documentation.

Содержание Security Information and Event Manager

Страница 1: ...Enterasys Security Information and Event Manager SIEM Configuring DSMs Release 7 7 0 P N 9034592 05...

Страница 2: ......

Страница 3: ...DAMAGES Enterasys Networks Inc 50 Minuteman Road Andover MA 01810 2011 Enterasys Networks Inc All rights reserved Part Number 9034592 04 October 2011 ENTERASYS ENTERASYS NETWORKS ENTERASYS DRAGON ENTE...

Страница 4: ...MATERIALS Except as expressly permitted in this Agreement You may not copy or otherwise reproduce the Licensed Materials In no event does the limited copying or reproduction permitted under this Agree...

Страница 5: ...closure thereof are harmful to Enterasys or its Affiliates and or its their software suppliers 6 MAINTENANCE AND UPDATES Updates and certain maintenance and support services if any shall be provided t...

Страница 6: ...TED TO THE DURATION OF THE LIMITED WARRANTY SET FORTH ABOVE YOU ASSUME ALL RISK AS TO THE QUALITY FUNCTION AND PERFORMANCE OF THE LICENSED MATERIALS IN NO EVENT WILL ENTERASYS OR ANY OTHER PARTY WHO H...

Страница 7: ...ts and undertakings oral or written are hereby expressly superseded and canceled No purchase order shall supersede this Agreement h Should You have any questions regarding this Agreement You may conta...

Страница 8: ......

Страница 9: ...NG DSMS 3 3COM 8800 SERIES SWITCH 4 AMBIRON TRUSTWAVE IPANGEL 5 APACHE HTTP SERVER Configuring Apache Using Syslog 11 Configuring Apache Using Syslog ng 12 6 APPLE MAC OS X 7 ARUBA MOBILITY CONTROLLER...

Страница 10: ...IDS IPS 62 Cisco IronPort 63 Cisco NAC 64 Cisco IOS 65 Cisco Pix 66 Cisco VPN 3000 Concentrator 67 Cisco Wireless Services Module 68 15 CITRIX NETSCALER 16 CRYPTOCARD CRYPTO SHIELD 17 CYBER ARK VAULT...

Страница 11: ...ASM 103 F5 Networks FirePass 104 23 FAIR WARNING 24 FIREEYE 25 FORESCOUT COUNTERACT 26 FORTINET FORTIGATE 27 FOUNDRY FASTIRON 28 GENERIC FIREWALL 29 GENERIC AUTHORIZATION SERVER 30 HP HP ProCurve 125...

Страница 12: ...Juniper Networks Firewall and VPN 177 Juniper Networks Network and Security Manager 178 Juniper JunOS 179 Juniper Steel Belted Radius 183 Juniper Networks vGW Virtual Gateway 185 37 LIEBERMAN RANDOM P...

Страница 13: ...Using Syslog 241 Integrating Nokia Firewall Using OPSEC 242 47 NORTEL NETWORKS Nortel Multiprotocol Router 245 Nortel Application Switch 248 Nortel Contivity 249 Nortel Ethernet Routing Switch 2500 4...

Страница 14: ...SE 56 RSA AUTHENTICATION MANAGER 57 SAMHAIN LABS Using Syslog 299 Using JDBC 300 58 SENTRIGO HEDGEHOG 59 SECURE COMPUTING SIDEWINDER 60 SONICWALL 61 SOPHOS Sophos Enterprise Console 309 Sophos PureMes...

Страница 15: ...SM 343 67 SYBASE ASE 68 SYMANTEC Symantec Endpoint Protection 353 Symantec SGS 354 Symantec System Center 354 Symantec Data Loss Prevention DLP 358 69 SYMARK 70 TIPPINGPOINT TippingPoint Intrusion Pre...

Страница 16: ...73 TRIPWIRE 74 TROPOS CONTROL 75 UNIVERSAL DSM 76 VERICEPT CONTENT 360 DSM 77 WEBSENSE V SERIES Websense V Series Data Security Suite 383 Websense V Series Content Gateway 384 78 SUPPORTED DSMS INDEX...

Страница 17: ...ollowing conventions are used throughout this guide Indicates that the procedure contains a single instruction NOTE Indicates that the information provided is supplemental to the associated feature or...

Страница 18: ...support related to the product or this document contact Enterasys Networks using one of the following methods World Wide Web http www enterasys com support Phone 1 800 872 8440 toll free in U S and Ca...

Страница 19: ...e events to the Event Processor All events are correlated and security and policy offenses are created based on correlation rules These offenses are displayed on the Offenses tab For more information...

Страница 20: ......

Страница 21: ...lowing steps Step 1 Download the file to your system hosting SIEM Step 2 Using SSH log in to SIEM as the root user Username root Password password Step 3 Navigate to the directory that includes the do...

Страница 22: ......

Страница 23: ...he loghost the severity level threshold value as informational and the output language to English info center loghost ip_address facility severity language english Where ip_address is the IP address o...

Страница 24: ......

Страница 25: ...your cache and access logs to your SIEM system For information on forwarding device logs to SIEM see your vendor documentation You are now ready to configure the log source in SIEM To configure SIEM...

Страница 26: ......

Страница 27: ...g Apache as the root user Step 2 Edit the Apache configuration file httpd conf Step 3 Add the following information in the Apache configuration file to specify the custom log format LogFormat h A l u...

Страница 28: ...ress of the SIEM Console or Event Collector Step 9 Save the syslog configuration file Step 10 Type the following command to restart the syslog service etc init d syslog restart Step 11 Restart Apache...

Страница 29: ...mat name must match the log format defined in Step 4 Step 6 Save the Apache configuration file Step 7 Edit the syslog ng configuration file etc syslog ng syslog ng conf Step 8 Add the following inform...

Страница 30: ...y detects syslog ng events from an Apache HTTP Server However if you want to manually configure SIEM to receive events from Apache From the Log Source Type drop down list box select Apache HTTP Server...

Страница 31: ...the file Make sure all other lines remain intact IP address Where IP address is the IP address of the SIEM system Step 4 Save and exit the file Step 5 Send a hang up signal to the syslog daemon to ma...

Страница 32: ......

Страница 33: ...s menu select Add Step 6 Type the IP address of the SIEM server that you want to collect logs Step 7 Click Add Step 8 Optional Change the logging level for a module a Select the check box next to the...

Страница 34: ......

Страница 35: ...nce you configure syslog to forward events to SIEM you are now ready to configure the log source in SIEM To configure SIEM to receive events from a Array Networks SSL VPN device From the Log Source Ty...

Страница 36: ......

Страница 37: ...ration window is displayed Step 3 Click Server Status The Server Status window is displayed Step 4 Click Edit Step 5 In the Syslog address field type the IP address of your SIEM system Step 6 From the...

Страница 38: ......

Страница 39: ...eportermain_v1 bcreporterssl_v1 p2p SSL bcreportercifs_v1 CIFS MAPI For more information about your Blue Coat SG Appliance see your vendor documentation Creating a Custom Format A SIEM Blue Coat SG DS...

Страница 40: ...from the drop down list box Step 8 Click OK Step 9 Click Apply NOTE The custom format for SIEM supports additional key value pairs using the Blue Coat ELFF format For more information see Custom Forma...

Страница 41: ...ing FTP and the Log File Protocol To configure the Blue Coat upload client for FTP Step 1 Select Configuration Access Logging Logs Upload Client Step 2 From the Log drop down list box select the log c...

Страница 42: ...sent at all If you are sending to multiple syslog destinations a disruption in availability in one syslog destination may interrupt the stream of events to other syslog destinations from your Blue Coa...

Страница 43: ...tarting with Bluecoat and containing Blue Coat ELFF Parameter Custom format fields for SIEM must be separated by the pipe character For example Bluecoat src c ip srcport c port dst cs uri address ds t...

Страница 44: ......

Страница 45: ...n logs oplog Step 4 To log error messages only change the local1 info WideSpan logs oplog line to the following local1 err WideSpan logs oplog NOTE RADIUS and Diameter system messages are stored in th...

Страница 46: ...eive events from a Bridgewater Systems device From the Log Source Type drop down list box select the Bridgewater Systems AAA Service Controller option For more information on configuring log sources s...

Страница 47: ...events and fields from the previous day in raw SMF format 3 The QexACF2 load trs program pulls data from the SMF formatted file The QexACF2 load trs program only pulls the relevant events and fields...

Страница 48: ...ata line by line QexACF2 adds a header to each record containing event information for example record descriptor the date and time The program places each field into the output record suppresses trail...

Страница 49: ...is a text file containing a sample JCL You must configure the job card to meet your configuration The QexACF2_jcl txt sample file includes QEXACF2 JOB T JXPO JKSD0093 DEV NOTIFY Q1JACK MSGCLASS P REG...

Страница 50: ...C PGM FTP REGION 3800K INPUT DD IPADDR USER PASSWORD PUT ACFOUT EARL_ THEIPOFTHEMAINFRAMEDEVICE ACFOUT QUIT OUTPUT DD SYSOUT SYSPRINT DD SYSOUT Step 8 After the output file is created you must choose...

Страница 51: ...e files through FTP SFTP or allow SCP then no interim FTP server is required and SIEM can pull the output file directly from the mainframe The following text must be commented out using or deleted fro...

Страница 52: ...Secret data is extracted from the live repository using the SMF dump utility The SMF file contains all of the events and fields from the previous day in raw SMF format 3 The qextopsloadlib program pul...

Страница 53: ...cter This output file is formatted for SIEM and the blank suppression reduces network traffic to SIEM This program does not consume CPU or I O disk resources Step 4 Customize the qextops_trsmain_JCL t...

Страница 54: ...Y Q1JACK MSGCLASS P REGION 0M QEXTOPS JCL version 1 0 September 2010 Change below dataset names to sites specific datasets names SET1 SET TSSOUT Q1JACK EARLOUT ALL EARLOUT Q1JACK QEXTOPS PROGRAM OUTPU...

Страница 55: ...INFRAMEDEVICE EARLOUT QUIT OUTPUT DD SYSOUT SYSPRINT DD SYSOUT Step 8 After the output file is created you must choose one of the following options a Schedule a job to a transfer the output file to an...

Страница 56: ...INPUT DD IPADDR USER PASSWORD PUT EARLOUT EARL_ THEIPOFTHEMAINFRAMEDEVICE EARLOUT QUIT OUTPUT DD SYSOUT SYSPRINT DD SYSOUT You are now ready to configure the Log File protocol See Pulling Data Using L...

Страница 57: ...Configuring DSMs CA Top Secret 41 For more information on configuring log sources and protocols see the Log Sources User Guide...

Страница 58: ......

Страница 59: ...form Operating system Integrating Check Point FireWall 1 Using Syslog This section describes how to ensure that the SIEM Check Point FireWall 1 DSMs accepts FireWall 1 events using syslog NOTE If Chec...

Страница 60: ...press the Tab key host indicates the SIEM managed host Step 8 Save and close the file Step 9 Depending on your operating system type the following command to restart syslog In Linux service syslog re...

Страница 61: ...See Adding a Check Point FireWall 1 Host Add an OPSEC application to Check Point Firewall 1 See Creating an OPSEC Application Object Locate the Log Source Secure Internal Communications DN See Locate...

Страница 62: ...d used to generate the SIC DN When you configure your Check Point log source in SIEM the activation key is typed into the Pull Certificate Password parameter f Click Initialize The window updates the...

Страница 63: ...ore information see your Check Point Command Line Interface Guide You must now install the Security Policy from the Check Point SmartDashboard user interface Step 5 Select Policy Install OK You are no...

Страница 64: ...application requesting a certificate For example If the value is CN SIEM OPSEC O cpmodule tdfaaz the OPSEC Application value is SIEM OPSEC For more information on the OPSEC LEA parameters see the Log...

Страница 65: ...nother port number Step 4 Remove the hash mark from that line For example lea_server auth_port 18888 lea_server port 0 Step 5 Save and close the file Step 6 Type the following command to start the fir...

Страница 66: ...configure SIEM to integrate with a Check Point Provider 1 device using one of the following methods Integrating Check Point Provider 1 Using Syslog Integrating Check Point Provider 1 Using OPSEC NOTE...

Страница 67: ...events using OPSEC To enable Check Point Provider 1 and SIEM integration you must 1 Configure Check Point Provider 1 SmartCenter For more information see Reconfiguring Check Point Provider 1 SmartCen...

Страница 68: ...al Communication SIC certificate click Communication and enter an activation key Step 11 Select OK and then Close Step 12 To install the Policy on your firewall select Policy Install OK Configuring th...

Страница 69: ...o ACE firewall DSM accepts events using syslog SIEM records all relevant events Before you configure SIEM to integrate with an ACE firewall you must forward all device logs to your SIEM system To forw...

Страница 70: ...ype drop down list box select the Cisco ACE Firewall option For more information on configuring log sources see the Log Sources User Guide For more information on forwarding logs to SIEM see your vend...

Страница 71: ...available information from the event You can integrate Cisco ACS with SIEM using one of the following methods Configure your Cisco ACS device to directly send syslog to SIEM Cisco ACS software versio...

Страница 72: ...ou want to manually configure SIEM to receive events from Cisco ACS From the Log Source Type drop down list box select the Cisco ACS option For more information on configuring log sources see the Log...

Страница 73: ...rter SIEM automatically detects the Cisco ACS events from the Adaptive Log Exporter However if you want to manually configure SIEM to receive events from Cisco ACS From the Log Source Type drop down l...

Страница 74: ...address Where interface is the name of the Cisco Adaptive Security Appliance interface IP address is the IP address of SIEM NOTE Using the command show interfaces displays all available interfaces for...

Страница 75: ...low collector ipv4 address or hostname is the IP address or host name of the Cisco ASA device with the NetFlow collector application udp port is the UDP port number to which NetFlow packets are sent N...

Страница 76: ...configure SIEM to receive events from a Cisco ASA device using NetFlow Step 1 From the Log Source Type drop down list box select Cisco Adaptive Security Appliance ASA Step 2 From the Protocol Configur...

Страница 77: ...Log Sources User Guide Cisco CSA You can integrate a Cisco Security Agent CSA server with SIEM The Cisco CSA DSM accepts events using syslog SNMPv1 and SNMPv2 SIEM records all configured Cisco CSA ale...

Страница 78: ...logging logging on Step 3 Change the logging level logging trap level 1 7 By default the logging level is set to 3 error Step 4 Designate SIEM as a host to receive the messages logging host interface...

Страница 79: ...m a Cisco IDS IPS device From the Log Source Type drop down list box select the Cisco Intrusion Prevention System IPS option For more information on configuring devices see the Log Sources User Guide...

Страница 80: ...te source using the log file protocol Your system must be running the latest version of log file protocol to integrate with a Cisco IronPort device To configure your Cisco IronPort device to push web...

Страница 81: ...from a Cisco NAC device From the Log Source Type drop down list box select Cisco NAC Appliance For more information on configuring log sources see the Log Sources User Guide Cisco IOS You can integrat...

Страница 82: ...ces Router The following devices are auto discovered by SIEM as Cisco IOS devices Cisco 12000 Series Routers Cisco 6500 Series Switches Cisco 7600 Series Routers Cisco Carrier Routing System Cisco Int...

Страница 83: ...sco PIX device From the Log Source Type drop down list box select the Cisco PIX Firewall option For more information on configuring log sources see the Log Sources User Guide For more information abou...

Страница 84: ...Configuration window is displayed Step 3 In the Syslog Server IP Address field type the IP address of the SIEM host to which you want to send the syslog messages Click Add Step 4 Using the Syslog Leve...

Страница 85: ...y level 19 Local Use 4 Facility level 20 Local Use 5 Facility level 21 Local Use 6 Facility level 22 Local Use 7 Facility level 23 Step 6 Click Apply Step 7 From the Buffered Log Level and the Console...

Страница 86: ...Step 10 Select the Trace Info check box if you want the message logs to include traceback information The default value is disabled Step 11 Click Apply to commit your changes Step 12 Click Save Config...

Страница 87: ...m For example add audit syslogAction action SIEM 10 10 10 10 serverPort 514 logLevel Info dateFormat DDMMYYYY Step 3 Type the following command to add an audit policy add audit syslogPolicy PolicyName...

Страница 88: ...licy is saved in your configuration sh system global NOTE For information on configuring syslog using the Citrix NetScaler user interface see http support citrix com article CTX121728 or your vendor d...

Страница 89: ...his parameter type the following org apache log4j net SyslogAppender log4j appender protocol SyslogHost IP address Type the IP address or hostname of the syslog server where protocol is the type of lo...

Страница 90: ......

Страница 91: ...MessageCodeFilter Configure which message codes are sent from the Cyber Ark Vault to SIEM You can define specific message numbers or a range of numbers By default all message codes are sent for user a...

Страница 92: ......

Страница 93: ...terface Step 2 Select the Advanced page Step 3 Under System Log select Enable Remote Logging Step 4 Type the IP address of SIEM Step 5 Click Apply Step 6 You are now ready to configure the log source...

Страница 94: ......

Страница 95: ...Step 1 Log in to your VMWare vSphere Client Step 2 Select the host managing your VMWare inventory Step 3 Click the Configuration tab Step 4 From the Software panel click Advanced Settings The Advanced...

Страница 96: ...account permissions for the SIEM user For more information see Configuring Account Permissions 3 Configure the VMWare protocol in SIEM For more information see Configuring SIEM CAUTION Creating a user...

Страница 97: ...Groups window click Add The Select Users and Groups window is displayed Step 4 Select your SIEM user and click Add Step 5 Click OK The Add Permissions window is displayed Step 6 From the Assigned Rol...

Страница 98: ...VMWare ESX server see your vendor documentation Table 19 3 VMWare Parameters Parameter Description Log Source Identifier Type the IP address or hostname for the log source This value must match the v...

Страница 99: ...g either an SNMPv3 or Syslog notification rule To configure your SIEM Enterasys Dragon DSM you must 1 Choose one of the following a Create an Alarm Tool policy using an SNMPv3 notification rule See Cr...

Страница 100: ...ct the policy name you entered from Step b Step 4 To configure the event group a Click the Events Group tab b Click New The Event Group Editor is displayed c Select the event group or individual event...

Страница 101: ...the Main tab c Make sure that Concatenate Events is not selected Step 7 Configure the SNMP options a Click the Global Options tab b Click the SNMP tab c Type the IP address of the EMS server sending S...

Страница 102: ...3 notification rules if you need to transfer PDATA which is a binary data element Do not use a Syslog notification rule To configure Enterasys Dragon with an Alarm Tool policy using a syslog notificat...

Страница 103: ...ox select LEEF LEEF Version 1 0 Vendor Product ProductVersion eventID devTime proto src sensor dst srcPort dstPort direction eventData NOTE The LEEF message format delineates between fields using a pi...

Страница 104: ...u can map a normalized or raw event to a high level and low level category or QID However you cannot map combination Dragon messages using the event mapping tool For more information see the SIEM User...

Страница 105: ...1 and you want to use syslog port of 514 type destination siem tcp 10 10 1 1 port 514 Step 5 Add a log statement for the notification rule log source s_local filter filt_facility_local1 filter filt_le...

Страница 106: ...g Configuration panel is displayed Step 3 In the System Integration Status section enable syslog integration This allows the management server to send messages to the configured syslog servers By defa...

Страница 107: ...ents using syslog SIEM records all relevant events Before configuring the Enterasys HiPath Wireless Controller device in SIEM you must configure your device to send syslog events to SIEM To configure...

Страница 108: ...IP address facility facility severity severity descr description port port state enable disable Where index is the server table index number 1 to 8 for this server ip address is the IP address of the...

Страница 109: ...terasys B3 Series Enterasys C2 Series Enterasys C3 Series Enterasys D Series Enterasys G Series or Enterasys I Series For more information on configuring log sources see the Log Source Users Guide For...

Страница 110: ...gging server server number description description facility facility ip_addr ip address port port severity severity Where server number is the server number 1 to 8 description is a description of the...

Страница 111: ...If a rule is currently configured highlight the rule Click Edit b To create a new rule click Create Step 5 Select the Notifications check box Step 6 Click Edit The Edit Notifications window is display...

Страница 112: ...el 8 set logging application System level 8 set logging application RtrFe level 8 set logging application Trace level 8 set logging application RtrLSNat level 8 set logging application FlowLimt level...

Страница 113: ...C DSM accepts events using syslog SIEM records all relevant events For details on configuring your Enterasys NAC appliances for syslog consult your vendor documentation You are now ready to configure...

Страница 114: ......

Страница 115: ...n ExtremeWare device you must configure syslog within your Extreme device You are now ready to configure the log source in SIEM To configure SIEM to receive events from your ExtremeWare device From th...

Страница 116: ......

Страница 117: ...slog events choose your BIG IP LTM software version Configuring Remote Syslog for F5 BIG IP LTM 10 x and above Configuring Remote Syslog for F5 BIG IP LTM 9 4 2 to 9 4 8 For more information on adding...

Страница 118: ...remote syslog sources see your F5 Networks BIG IP LTM product documentation Configuring Remote Syslog for F5 BIG IP LTM 9 4 2 to 9 4 8 To configure syslog for F5 BIG IP LTM 9 4 2 to 9 4 8 Step 1 Log...

Страница 119: ...layed Step 6 Configure the following parameters a Type a Profile Name For example SIEM b Optional Type a Profile Description NOTE If you do not want data logged locally as well as remotely you must cl...

Страница 120: ...r F5 BIG IP device Step 2 Type the following command to add a single remote syslog server bigpipe syslog remote server Name host IP Address Where Name is the name of the F5 BIG IP APM syslog source IP...

Страница 121: ...he IP address or hostname of your SIEM Console or Event Collector Step 6 From the Log Level drop down list box select Information The Log Level parameter monitors application level system messages Ste...

Страница 122: ......

Страница 123: ...onfigured in the Remote Host parameter in the Log File Protocol configuration You are now ready to configure the log source and protocol in SIEM To configure SIEM to receive events from a Fair Warning...

Страница 124: ......

Страница 125: ...rsyslog notification consumer fenotify rsyslog trap sink SIEM Step 5 Type the IP address for the SIEM system receiving rsyslog trap sink notifications fenotify rsyslog trap sink SIEM address IP addre...

Страница 126: ...Configuring DSMs 110 FIREEYE...

Страница 127: ...st configure your device to send syslog to your SIEM installation For more information on configuring your CounterACT device consult your vendor documentation You are now ready to configure the log so...

Страница 128: ......

Страница 129: ...ure syslog within your FortiGate device For more information on configuring a Fortinet FortiGate device see your vendor documentation You are now ready to configure the log source in SIEM To configure...

Страница 130: ......

Страница 131: ...Emergencies Debugging are logged Up to 50 messages are retained in the local syslog buffer No syslog server is specified Step 3 Type the following command to define an IP address for the syslog serve...

Страница 132: ......

Страница 133: ...expressions are disabled For example regex_enabled false When you set the regex_enabled property to false the system generates regular expressions based on the tags you entered while attempting to re...

Страница 134: ...5 2005 08 30 00 Packet denied Source IP 192 168 1 1 Source Port 21 Destination IP 192 168 1 2 Destination Port 21 Protocol tcp The pattern for denied packets is Packet denied Step 8 Add the following...

Страница 135: ...ase insensitive and you can add multiple patterns For multiple patterns separate using a symbol Step 11 Save and exit the file Step 12 You are now ready to configure the log source inSIEM To configure...

Страница 136: ......

Страница 137: ...default regular expressions are disabled For example regex_enabled false When you set the regex_enabled property to false the system generates regular expressions regex based on the tags you entered w...

Страница 138: ...led password for root from 10 100 100 109 port 1849 ssh2 The pattern for login failures is Failed password Step 8 Add the following to the file login_failed_pattern login failure pattern Where login f...

Страница 139: ...or example source_ip_pattern from source_port_pattern port Step 13 Review the file to determine if a pattern exists for username For example Jun 27 12 11 21 expo sshd 19926 Accepted password for root...

Страница 140: ......

Страница 141: ...d to logging syslog ip addr Where syslog ip addr is the IP address of the SIEM host Step 4 To exit config mode press CTRL Z Step 5 Type write mem to save the current configuration to the startup confi...

Страница 142: ...the log source and protocol in SIEM Step 1 From the Log Source Type drop down list box select HP Tandem Step 2 To configure the log file protocol from the Protocol Configuration drop down list box se...

Страница 143: ...ve command is surrounded with back quotation marks Step 6 You are now ready to configure the log source in SIEM To configure SIEM to receive events from an HP UX device From the Log Source Type drop d...

Страница 144: ......

Страница 145: ...cepted failed password events If you are using syslog on a UNIX host we recommend that you upgrade the standard syslog to a more recent version such as syslog ng To configure the IBM AIX for syslog ev...

Страница 146: ...rce in SIEM To configure SIEM to receive events from an IBM AIX server From the Log Source Type drop down list box select the IBM AIX Server option For more information on configuring log sources see...

Страница 147: ...above using the LogAgent for System i software Once you have your LogAgent for System i software configured use the Log File protocol source to pull the syslog CEF messages For more information see yo...

Страница 148: ...sis For more information on configuring log sources and protocols see Pulling Data Using Log File Protocol Configuring an IBM iSeries to Integrate with SIEM To integrate an IBM iSeries with SIEM Step...

Страница 149: ...start time for AJLIB DATETIME to update the gather time and the end time is set to blank If the FTP transfer fails the export file is erased and no updates are made to the gather date or time Pulling...

Страница 150: ...tep 5 Configure the following parameters a Send SYSLOG message Select Yes b Destination address Type the IP address of SIEM c Facility to use Type a facility level d Severity range to auto send Type a...

Страница 151: ...t the Traps tab Step 6 In the Community name section type the following in the space available and click add to list public Step 7 In the Traps destinations section select Add and type the IP address...

Страница 152: ...ult Filter Step 6 Apply the DDM Filter to enhanced and simple events Choose to log all event types Step 7 Depending on the environment you can choose to apply the filter to all servers in a domain or...

Страница 153: ...to store SiteProtector events which is defined during protocol configuration Although creating this account is not required it is recommended for your protection Record the username and password for...

Страница 154: ...Hostname Type the IP address or hostname of the database server Port Type the port number used by the database server The default that is displayed depends on the selected Database Type The valid rang...

Страница 155: ...can be up to 255 alphanumeric characters in length Also the list may include the following special characters dollar sign number sign underscore _ en dash and period Compare Field Type SensorDataRowID...

Страница 156: ...ll relevant events Before you configure SIEM to integrate with IBM Proventia you must Step 1 In the Proventia Manager user interface navigation pane expand the System node Step 2 Select System Polling...

Страница 157: ...ows you to integrate with an IBM zOS mainframe using IBM RACF for auditing transactions SIEM records all relevant and available information from the event To integrate the IBM RACF events into SIEM 1...

Страница 158: ...trs file is a tersed file containing the executable the mainframe program QEXRACF When you upload the trs file from a workstation pre allocate a file on the mainframe with the following DCB attributes...

Страница 159: ...ry that will contain the program Step 7 The qexracf_jcl txt file is a text file containing a sample JCL deck to provide you with the necessary JCL to run the IBM IRRADU00 utility This allows SIEM to o...

Страница 160: ...SOUT SYSPRINT DD SYSOUT RACIN DD DISP SHR DSN SMFOUT RACOUT DD DISP SHR DSN QRACFOUT FTP Output file from C program Qexracf to an FTP server SIEM will go to that FTP Server to get file Note you need t...

Страница 161: ...configure SIEM to receive events from an IBM mainframe RACF you must select the IBM RACF option from the Log Source Type drop down list box Step 2 To configure the log file protocol you must select t...

Страница 162: ...semble the following AUD00001 Operation succeeded Step 3 Archive and move the active instance to a new location for future extraction db2audit archive For example an archive command response may resem...

Страница 163: ...ded Step 4 Extract the data from the archived audit log and write the data to del files db2audit extract delasc For example an archive command response may resemble the following AUD00001 Operation su...

Страница 164: ...configuring log sources and protocols see the Log Sources User Guide IBM WebSphere Application Server A SIEM IBM WebSphere Application Server DSM accepts events using the log file protocol source SIEM...

Страница 165: ...n for the IBM WebSphere Application Server DSM see Customizing the Logging Option Customizing the Logging Option You must customize the logging option for each application server WebSphere uses and ch...

Страница 166: ...ication Server option from the Log Source Type drop down list box Step 2 To configure the log file protocol you must select the Log File option from the Protocol Configuration drop down list box Your...

Страница 167: ...nfiguration drop down list box Step 3 We recommend that you use a secure protocol for transferring files such as Secure File Transfer Protocol SFTP For more information on configuring log sources and...

Страница 168: ...le the mainframe program QexIMS When you upload the trs file from a workstation pre allocate a file on the mainframe with the following DCB attributes DSORG PS RECFM FB LRECL 1024 BLKSIZE 6144 The fil...

Страница 169: ...m as a member Step 5 You can STEPLIB to this library or choose to move the program to one of the LINKLIBs that are in LINKLST The program does not require authorization Step 6 The qexims_jcl txt file...

Страница 170: ...he output file to an interim FTP server Each time the job completes the output file is forwarded to an intermin FTP server You must configure the following parameters in the sample JCL to successfully...

Страница 171: ...SOUT You are now ready to configure the Log File protocol See Pulling Data Using Log File Protocol Pulling Data Using Log File Protocol A log file protocol source allows SIEM to retrieve archived log...

Страница 172: ......

Страница 173: ...device you must Step 1 Log in to the ISC BIND device Step 2 Open the following file to add a logging clause named conf logging channel channel_name syslog syslog_facility severity critical error warni...

Страница 174: ...the syslog configuration to log to your SIEM system using the facility you selected in Step 2 syslog_facility IP Address Where IP Address is the IP address of your SIEM system For example local3 192 1...

Страница 175: ...e events from an ISC BIND device From the Log Source Type drop down list box select the ISC BIND option For more information on configuring log sources see the Log Sources User Guide For more informat...

Страница 176: ...Configuring DSMs 160 ISC BIND...

Страница 177: ...and the System Log action group d In the Action Name field type q1labs_syslog_alerts e Configure the following parameters Syslog host Type the IP address of the SIEM system to which you want to send e...

Страница 178: ...to which you want to send events Syslog log level Select INFO Message Type the following message as a pipe seperated continuous string DeviceType ImpervaSecuresphere Event et Event eventType d c Secu...

Страница 179: ...M to receive events from a SecureSphere device From the Log Source Type drop down list box select the Imperva SecureSphere option For more information on configuring log sources see the Log Sources Us...

Страница 180: ......

Страница 181: ...x NIOS device to send syslog events to SIEM For more information on configuring logs on your Infoblox NIOS device see your Infoblox NIOS vendor documentation You are now ready to configure the Infoblo...

Страница 182: ......

Страница 183: ...r meter for syslog see your Itron Openway Smart Meter documentation You are now ready to configure the log source in SIEM SIEM automatically discovers events from an Itron Openway Smart Meter If you w...

Страница 184: ......

Страница 185: ...DBC protocol SIEM records all relevant events To integrate with Juniper Networks NSM AVT data you must create a view in the database on the Juniper Networks NSM server You must also configure the Post...

Страница 186: ...configure the JDBC protocol for the log source Use the following parameters to configure the JDBC protocol a Database Type From the Database Type drop down list box select Postgres b Database Name Typ...

Страница 187: ...Log Delimiter format SIEM supports comma delimited logs only Step 6 In the Log Host section type the IP address of your SIEM system Step 7 In the Log Port section type the UDP port on which you wish t...

Страница 188: ...urce Type drop down list box select Juniper EX Series Ethernet Switch option For more information on configuring log sources see the Log Sources User Guide For more information about your Juniper swit...

Страница 189: ...dress category subcategory src zone src intface src addr src port nat src addr nat src port dstzone dst intface dst addr dst port nat dst addr nat dst port protocol rule domain rule domainVersion poli...

Страница 190: ...with SIEM NOTE If your Juniper device is running release 5 5R3 HF2 6 1 or above we recommend that you use the WELF WELF format for logging See your vendor documentation to determine if your device an...

Страница 191: ...list box select the facility i From the Filter drop down list box select WELF WELF j Click Add and click Save Changes Step 4 Configure syslog server information for administrator access a If a WELF WE...

Страница 192: ...rate a Juniper Networks Secure Access device with SIEM using syslog Step 1 Log in to your Juniper device administration user interface https 10 xx xx xx admin Step 2 Configure syslog server informatio...

Страница 193: ...tegrate with a Juniper Networks Infranet Controller you must configure syslog within the server For more information on configuring your Juniper Networks Infranet Controller consult your vendor docume...

Страница 194: ...Networks NSM logs see your Juniper Networks vendor documentation To integrate a Juniper Networks NSM device with SIEM you must Configuring Juniper Networks NSM to Export Logs to Syslog Configuring SIE...

Страница 195: ...Platform DSM accepts events using syslog structured data syslog or PCAP SRX Series only SIEM records all valid syslog or structured data syslog events The SIEM Juniper JunOS Platform DSM supports the...

Страница 196: ...or structured data syslog to SIEM Step 1 Log in to your Juniper platform command line interface CLI Step 2 Include the following syslog statements at the set system hierarchy level set system syslog...

Страница 197: ...erity Define the severity of the messages that belong to the named facility with which it is paired Valid severity levels are any none emergency alert critical error warning notice info Messages with...

Страница 198: ...og Source with PCAP Configuring a New Juniper Networks SRX Log Source with PCAP The Juniper Networks SRX series appliance is auto discovered by SIEM as a Juniper JunOS Platform SIEM detects the syslog...

Страница 199: ...delete log source confirmation window is displayed Step 13 Click Yes The JunOS syslog log source is deleted from the log source list You should now have the PCAP Syslog Combination protocol in your l...

Страница 200: ...fy the device in syslog messages forwarded to SIEM This is the IP address or hostname that will appear in SIEM d Root Log Directory Type the location where Juniper SBR stores log files Report log file...

Страница 201: ...adius From the Log Source Type drop down list box select the Juniper Steel Belted Radius option For more information on configuring log sources see the Log Sources User Guide For more information on c...

Страница 202: ...7 From the NetFlow Configuration panel select the enable check box NetFlow does not support central logging from a vGW management server From the External Logging section you must select the option Se...

Страница 203: ...ocol to SIEM using Port 514 SIEM records all relevant password management events You are now ready to configure the log source in SIEM SIEM automatically detects the Lieberman Random Password Manager...

Страница 204: ......

Страница 205: ...Log Sources User Guide For more information on configuring your Linux DHCP Server consult the man pages or associated documentation for your DHCP daemon Linux IPtables A SIEM Linux IPtables DSM accep...

Страница 206: ...nt behavior Set the log prefix parameter to Q1Target rule Where rule is one of fw_accept fw_drop or fw_reject For example if the rule being logged targets DENY the log prefix setting should be Q1Targe...

Страница 207: ...a more recent version such as syslog ng To integrate Linux OS with SIEM select one of the following syslog configurations for event collection Configuring Linux OS Using Syslog Configuring Linux OS Us...

Страница 208: ...address port 514 log source Sourcename filter auth_filter destination auth_destination Where IP address is the IP address of the SIEM system Source name is the name of the source defined in the config...

Страница 209: ...rder Step 5 Type the Syslog Server details a The Enable Syslog Forwarder must be configured as Yes b The Port must be configured to 514 Step 6 Click Edit Step 7 Choose one of the following a If you ar...

Страница 210: ...S Appliance For more information on configuring log sources see the Log Sources User Guide For more information on McAfee Intrushield see your vendor documentation McAfee ePolicy Orchestrator A SIEM M...

Страница 211: ...he McAfee ePO Database and Database Server IP address or hostname from the ePO Management Console Database Type From the drop down list box select MSDE Database Name Type the exact name of the McAfee...

Страница 212: ...field is used to identify new events added between queries to the table Start Date and Time Optional Type the start date and time for database polling The Start Date and Time parameter must be formatt...

Страница 213: ...M Adding a Registered Server to McAfee ePO Step 1 Log in to your McAfee ePolicy Orchestrator console Step 2 Select Menu Configuration Registered Servers Step 3 Click New Server The Registered Server B...

Страница 214: ...Automation Automatic Responses Step 2 Click New Responses The Response Builder wizard is displayed Step 3 Configure the following values a Name Type a name for the response b Description Type a descr...

Страница 215: ...Available Types Selected Types ePO Version Detected UTC listOfDetectedUTC 4 5 Received UTC listOfReceivedUTC 4 5 Detecting Product IPv4 Address listOfAnalyzerIPV4 4 5 Detecting Product IPv6 Address l...

Страница 216: ...SIEM McAfee Application Change Control DSM accepts change control events using Java Database Connectivity JDBC SIEM records all relevant McAfee Application Change Control events This document include...

Страница 217: ...r The default port for MSDE is 1433 The JDBC configuration port must match the listener port of the McAfee Application Change Control database The McAfee Application Change Control database must have...

Страница 218: ...s with different parameters For security and performance reasons we recommend that you use prepared statements Note Clearing this check box requires you to use an alternative method of querying that d...

Страница 219: ...ebWasher Configuring McAfee Web Gateway for Syslog To integrated McAfee Web Gateway with SIEM Step 1 Log in to your McAfee Web Gateway console Step 2 Using the toolbar click Configuration Step 3 Click...

Страница 220: ...you downloaded in Step 1 and select syslog_loghandler xml as the file to import NOTE If the McAfee Web Gateway appliance detects any conflicts with the rule set you must resolve the conflict For more...

Страница 221: ...s Log Configuration already exists in the current configuration and a conflict solution is presented Step 10 If the McAfee Web Gateway appliance detects that the Access Log Configuration already exist...

Страница 222: ...d protocol in SIEM Step 1 To configure SIEM to receive events from a McAfee Web Gateway appliance select McAfee Web Gateway from the Log Source Type drop down list box Step 2 To configure the protocol...

Страница 223: ...must configure your device to send syslog to SIEM For more information about your MetaInfo MetaIP device see your vendor documentation You are now ready to configure the log source in SIEM To configur...

Страница 224: ......

Страница 225: ...nabled in the Microsoft Exchange System Manager and requires administrator access If event logging is already enabled for your Microsoft Exchange Server you can determine the log file type in use by c...

Страница 226: ...0 Manager menu tree expand Local Computer Step 2 Expand Web Sites Step 3 Right click on Default Web Site and select Properties The Web Sites Properties window is displayed Step 4 From the Active Log F...

Страница 227: ...ers Guide For information about the Microsoft Exchange Protocol see the Log Sources User Guide For more information about your Microsoft Exchange Server see your vendor documentation Integrating with...

Страница 228: ...change System Manager menu tree expand Servers Protocols SMTP Step 2 Right click on Default SMTP Virtual Server and select Properties The Default SMTP Virtual Server Properties window is displayed Ste...

Страница 229: ...EM to receive events from a Microsoft Windows IAS Server From the Log Source Type drop down list box select the Microsoft IAS Server option For more information on configuring devices see the Log Sour...

Страница 230: ...EM Microsoft Internet Information Services IIS Server DSM accepts FTP HTTP NNTP and SMTP events using syslog You can integrate a Microsoft IIS Server with SIEM using one of the following methods Confi...

Страница 231: ...tes Step 4 Right click on Default Web Sites and select Properties The Default Web Site Properties window is displayed Step 5 Select the Web Site tab Step 6 Select the Enable logging check box Step 7 F...

Страница 232: ...User Name cs username Server IP Address s ip Server IP Address s ip Server Port s port Server Port s port Method cs method Method cs method URI Stem cs uri stem URI Stem cs uri stem URI Query cs uri...

Страница 233: ...nformation For example you can use c LogFiles for an administrative share or LogFiles for a public share folder path but not c LogFiles If a log folder path contains an administrative share C users wi...

Страница 234: ...Access the InterSect Alliance website http www intersectalliance com projects SnareIIS Step 2 Download open source Snare Agent for IIS version 1 2 SnareIISSetup 1 2 exe Step 3 Install the open source...

Страница 235: ...e Agent you must configure a Microsoft IIS log source using syslog To manually configure a Microsoft IIS log source in SIEM perform the following steps Step 1 Log in to SIEM Step 2 Click the Admin tab...

Страница 236: ...Step 7 Click the Advanced tab Step 8 From the list of properties select all event properties that you want to apply to the Microsoft IIS event log The selected properties must include the following a...

Страница 237: ...Event Log with SIEM using one of the following methods Use the SIEM Adaptive Log Exporter For more information on the Adaptive Log Exporter see the Adaptive Log Exporter Users Guide Use the Microsoft...

Страница 238: ...s index html Step 2 On the navigation menu select Network Configuration Step 3 Type the IP address of the SIEM system in the Destination Snare Server address field Step 4 Select the Enable SYSLOG Head...

Страница 239: ...you configure SIEM to integrate with the Microsoft Operations Manager you must ensure a database user account is configured with appropriate permissions to access the MOM OnePoint SQL Server database...

Страница 240: ...st have incoming TCP connections enabled to communicate with SIEM Note If you define a Database Instance when using MSDE as the database type you must leave the Port parameter blank in your SIEM confi...

Страница 241: ...he SQL statement once and then execute the SQL statement many times with different parameters For security and performance reasons we recommend that you use prepared statements Clearing this check box...

Страница 242: ...e Security settings of the SQL Server properties For more information please see your Microsoft SCOM documentation NOTE Ensure that no firewall rules are blocking the communication between SIEM and th...

Страница 243: ...coming TCP connections enabled to communicate with SIEM Note If you define a Database Instance when using MSDE as the database type you must leave the Port parameter blank in your SIEM configuration U...

Страница 244: ...tement once and then execute the SQL statement many times with different parameters For security and performance reasons we recommend that you use prepared statements Clearing this check box requires...

Страница 245: ...figuring DSMs Microsoft System Center Operations Manager 229 Step 7 Click Save Step 8 On the Admin tab click Deploy Changes For more information on configuring log sources see the Log Sources User Gui...

Страница 246: ......

Страница 247: ...Level drop down list box select the desired log level for tracking system events The options are 0 Emergency 1 Alert 2 Critical 3 Errors 4 Warning 5 Notice 6 Info This is the default 7 Debug Step 4 T...

Страница 248: ...configure SIEM to receive events from a Symbol AP device From the Log Source Type drop down list box select the Motorola SymbolAP option For more information on configuring log sources see the Log Sou...

Страница 249: ...er only supports CIFS For information on configuring CIFS on your NetApp Data ONTAP device see your vendor documentation You are now ready to configure the log source in SIEM SIEM automatically detect...

Страница 250: ......

Страница 251: ...VP DSM is not automatically detected by SIEM The NVP DSM accepts events using syslog SIEM records all relevant events The log format for the NVP DSM must be a tab separated single line list of Name Pa...

Страница 252: ...the destination IP address for the message DestinationPort Type the destination port for the message DestinationIpPreNAT Type the destination IP address for the message before NAT occurs DestinationI...

Страница 253: ...OSName testbois DestinationMAC 00 41 C5 BF C4 9D EventCategory Accept DestinationPort 4444 GroupName testgroup SourceIpPreNAT 172 16 70 87UserName root DestinationIp 172 16 30 30 Example 2 The followi...

Страница 254: ...5014 Identity TRUE IdentityUseSrcIp TRUE SourceMAC AA 15 C5 BF C4 9D SourceIp 172 15 210 113 DestinationIp 172 16 10 10 DestinationMAC 00 41 C5 BF C4 9D UserName root Example 4 The following example...

Страница 255: ...rate with a Niksun device you must configure syslog within your Niksun device For more information on configuring Niksun consult your Niksun documentation You are now ready to configure the log source...

Страница 256: ......

Страница 257: ...guration pane click System Logging Step 4 In the Add new remote IP address to log to field type the IP address of your SIEM system Step 5 Click Apply Step 6 Click Save Step 7 Using SSH or a direct con...

Страница 258: ...Guide 3 Configure the log source in SIEM To configure SIEM to receive events from an Check Point Provider 1 device using OPSEC you must select the Check Point FireWall 1 option from the Log Source Ty...

Страница 259: ...ing OPSEC 243 Step 10 Select Communication and enter an activation key to configure the Secure Internal Communication SIC certificate Step 11 Select OK and then select Close Step 12 To install the pol...

Страница 260: ......

Страница 261: ...teway Nortel Multiprotocol Router A SIEM Nortel Multiprotocol Router DSM accepts Nortel Multiprotocol Router events using syslog SIEM records all relevant events Before you configure SIEM to integrate...

Страница 262: ...lity local0 Step 9 Create a filter for the hardware slots to enable them to forward the syslog events Type the following command to create a filter with the name WILDCARD filter name WILDCARD entity a...

Страница 263: ...gured syslog host information show syslog log host The host log is displayed with the number of packets being sent to the various syslog hosts For example syslog show syslog log host show syslog log h...

Страница 264: ...configuring a Nortel Application Switch device in SIEM you must configure your device to send syslog events to SIEM To configure the device to send syslog events to SIEM Step 1 Log in to the Nortel Ap...

Страница 265: ...ddress of the SIEM system Step 5 Type the following command to exit the command line exit Step 6 You are now ready to configure the log source in SIEM To configure SIEM to receive events from a Nortel...

Страница 266: ...n For more information on configuring log sources see the Log Sources User Guide For more information about the Nortel ERS 2500 4500 5500 see http www nortel com support Nortel Ethernet Routing Switch...

Страница 267: ...mapinfo info mapwarning warning maperror error mapfatal emergency severity info warning error fatal udp port 514 ERS 8606 5 config sys syslog host 1 Step 9 You are now ready to configure the log sourc...

Страница 268: ..._ipaddr IP address Where IP address is the IP address of the SIEM system Step 5 Ensure that remote logging is enabled enable Step 6 Verify that the logging levels are configured as appropriate show sy...

Страница 269: ...IEM you must Step 1 Log in to the Nortel SNAS user interface Step 2 Select the Config tab Step 3 Select Secure Access Domain and Syslog from the Navigation pane The Secure Access Domain window is disp...

Страница 270: ...line interface CLI Step 2 Type the following command cfg sys log syslog add Step 3 Type the IP address of your SIEM system at the following prompt Enter IP address of syslog server A prompt is display...

Страница 271: ...M system The leapipe is the connection between the Check Point SmartCenter Server and SIEM To reconfigure the Check Point SmartCenter Server Step 1 To create a host object open the Check Point SmartDa...

Страница 272: ...ring a Nortel Switched Firewall 6000 device with SIEM using one of the following methods Integrating Nortel Switched Firewall Using Syslog Integrating Nortel Switched Firewall Using OPSEC Integrating...

Страница 273: ...receive events from a Check Point SmartCenter Server using OPSEC LEA you must select the LEA option from the Protocol Configuration drop down list box when configuring LEA For more information see th...

Страница 274: ...rtel TPS device in SIEM you must Step 1 Log in to the Nortel TPS user interface Step 2 Select Policy Response Intrusion Sensor Detection Prevention The Detection Prevention window is displayed Step 3...

Страница 275: ...1 Log in to the Nortel VPN Gateway command line interface CLI Step 2 Type the following command cfg sys syslog add Step 3 At the prompt type the IP address of your SIEM system Enter new syslog host I...

Страница 276: ......

Страница 277: ...Event Auditing Using Novell iManager 4 Configure SIEM For more information see Configuring SIEM with Novell eDirectory Configuring XDASv2 to Forward Events By default XDASv2 is configured to log event...

Страница 278: ...for events Step 8 To set the facility for logging events remove the comment marker from the following line log4j appender S Facility USER The default value of USER is the correct facility value for e...

Страница 279: ...ng System If you installed Novell eDirectory to a different directory then the correct path is required Step 4 Click OK The Novell Directory Service console displays a list of available modules Step 5...

Страница 280: ...nt is truncated c On the XDAS Events Configuration select the check boxes of the events you want XDAS to capture and forward to SIEM d Click Apply Step 7 On the XDAS tab click XDASRoles The XDAS Roles...

Страница 281: ...r if you want to manually configure SIEM to receive events from Novell eDirectory From the Log Source Type drop down list box select Novell eDirectory For more information on configuring log sources s...

Страница 282: ......

Страница 283: ...SIEM system Step 4 Save and exit the file Step 5 Send a hang up signal to the syslog daemon to ensure all changes are applied kill HUP cat var run syslog pid NOTE The command above uses the backquote...

Страница 284: ......

Страница 285: ...ust Step 1 Configure SNORT on a remote system Step 2 Open the snort conf file Step 3 Uncomment the following line output alert_syslog LOG_AUTH LOG_INFO Step 4 Save and exit the file Step 5 Open the fo...

Страница 286: ...tart Step 13 You are now ready to configure the log source in SIEM To configure SIEM to receive events from a SNORT device from the Log Source Type drop down list box select the Snort Open Source IDS...

Страница 287: ...t tables When using a Microsoft Windows host verify database audit tables are enabled These procedures should be considered guidelines only We recommend that you have experience with Oracle DBA before...

Страница 288: ...udit trails type the following command audit_trail DB b For syslog type the following command audit_trail os audit_syslog_level local0 info You must make sure the syslog daemon on the Oracle host is c...

Страница 289: ...e drop down list box select the Oracle RDBMS Audit Record option For more information on configuring log sources see the Log Sources User Guide Improving Performance With Large Audit Tables The size o...

Страница 290: ...the following command oracle_9i_dba_audit_view sql b If you are using Oracle v10g Release 2 and v11g type the following command oracle_alt_dba_audit_view sql Step 6 Make sure the database user config...

Страница 291: ...dentifier Type the IP address or hostname for the log source Server Address Type the IP address of the Oracle Database Listener Domain Type the domain required to access the Oracle Database Listener T...

Страница 292: ...orward the Oracle DB Listener events oracle_dblistener_fwdr pl txt Step 3 Rename the file to a Perl script Force File Read Select the check box to force the protocol to read the log file when the timi...

Страница 293: ...og file monitors any new output from the listener The log file may be different across versions of the Oracle database some examples are provided below Oracle 9i install_directory product 9 2 network...

Страница 294: ...Configuration drop down list box select syslog Step 3 In the Log Source Identifier field type the IP address of the Oracle Database you specified using the H option in Step 6 The configuration of the...

Страница 295: ...down list box select Oracle Audit Vault Step 7 Using the Protocol Configuration drop down list box select JDBC Step 8 Configure the following values a Database Type Oracle b Database Name Audit Vault...

Страница 296: ...pts written for Oracle OS Audit work on Linux UNIX servers only Windows Perl script is not supported NOTE To avoid errors do not delete log files you are actively monitoring unless the script is stopp...

Страница 297: ...location of the DDL and DML log files H The H parameter defines the host name or IP address for the syslog header We recommend that this be the IP address of the Oracle server on which the script is r...

Страница 298: ...uring an Audit Provider 5 Configure SIEM to pull log files from Oracle BEA WebLogic For more information see Pulling Data Using the Log File Protocol Enabling Event Logs on Oracle BEA WebLogic By defa...

Страница 299: ...e Providers Auditing Step 2 Click New Step 3 Configure an audit provider a Type a name for the audit provider you are creating b From the Type drop down list box select DefaultAuditor c Click OK The S...

Страница 300: ...ve files Remote Port Type the TCP port on the remote host that is running the selected Service Type If you configure the Service Type as FTP the default is 21 If you configure the Service Type as SFTP...

Страница 301: ...parameter when using ASCII as the FTP Transfer Mode SCP Remote File If you select SCP as the Service Type you must type the file name of the remote file Start Time Type the time of day you want the pr...

Страница 302: ...Select the check box to define the local directory on your SIEM system that you want to use for storing downloaded files during processing We recommend that you leave the check box clear When the chec...

Страница 303: ...5 Configure the following options in the New Syslog Setting page Name Type the name of the syslog server Server Type the IP address of your SIEM system Port Type the port number the SIEM system to rec...

Страница 304: ...age to update your Palo Alto PA Series firewall with the active configuration Step 14 You are now ready to configure the log source in SIEM To configure SIEM to receive events from your Palo Alto Netw...

Страница 305: ...ollowing options AUTH or AUTHPRIV CRON DAEMON KERN LPR MAIL NEWS USER UUCP LOCAL0 LOCAL1 LOCAL2 LOCAL3 LOCAL4 LOCAL5 LOCAL6 or LOCAL7 Step 3 Save the file and exit Step 4 Open the etc syslog conf file...

Страница 306: ......

Страница 307: ...er defined value indicating the type of device used by the sender This criteria is applied when the device sends syslog messages The default value is 21 meaning Local Use 6 Severity indicates the impo...

Страница 308: ......

Страница 309: ...4 In ASP security default configuration mode configure the IP address of the log server and the optional transport protocol log server IP address transport udp port 9345 Where IP address is the IP add...

Страница 310: ...10 192 22 24 Step 7 You are now ready to configure the log sources SIEM To configure SIEM to receive events from a Redback ASE device From the Log Sources Type drop down list box select the Redback A...

Страница 311: ...ureID 3 0 appliance If you are using RSA Authentication Manager on Linux see Configuring Syslog on RSA Authentication Manager for Linux If you are using RSA Authentication Manager on Windows see Confi...

Страница 312: ...configuring syslog forwarding see your RSA Authentication Manager documentation Configuring Syslog on RSA Authentication Manager for Windows To configure RSA Authentication Manager for syslog using Mi...

Страница 313: ...re your RSA Authentication Manager v7 x device Step 1 Log in to the RSA Security Console Step 2 Click Administration Log Management Recurring Log Archive Jobs Step 3 In the Schedule section configure...

Страница 314: ...atabase Administration For complete information on using SecurID see your vendor documentation Step 3 From the Log drop down list box select Automate Log Maintenance The Automatic Log Maintenance wind...

Страница 315: ...ur SIEM system NOTE The following procedure is based on the default samhainrc file If the samhainrc file has been modified some values such as syslog facility may be different To configure Samhain HID...

Страница 316: ...DBC driver you must download and install the platform independent MySQL Connector J from http dev mysql com downloads connector j For instruction on installing MySQL Connector J for the JDBC protocol...

Страница 317: ...ied in the samhainrc file Samhain SetDBHost is the database host specified in the samhainrc file Samhain SetDBUser is the database user specified in the samhainrc file Samhain SetDBPassword is the dat...

Страница 318: ......

Страница 319: ...ng log format entry sentrigo comm ListenAddress 1996 log format body custom usrName osUser 20 duser execUser 20 sev severity identHostName sourceHost src sourceIP dst a gent ip devTime logonTime devTi...

Страница 320: ...ow ready to configure the log source in SIEM To configure SIEM to receive events from a Sentrigo Hedgehog device From the Log Source Type drop down list box select the Sentrigo Hedgehog option For mor...

Страница 321: ...evice to forward syslog to SIEM make sure that the logs are exported in Sidewinder Export format SEF For more information on configuring Sidewinder see your vendor documentation Once you configure sys...

Страница 322: ......

Страница 323: ...igure syslog within the appliance Once you configure SonicWall to forward events to SIEM you are ready to configure the log source in SIEM To configure SIEM to receive events from your SonicWALL appli...

Страница 324: ......

Страница 325: ...EM using the JDBC protocol For information on installing the Sophos Reporting Interface see your Sophos Enterprise Console documentation Configure SIEM Using the Sophos Enterprise Console Protocol A S...

Страница 326: ...base name as entered in the Database Name parameter Sophos Database Server IP or Host Name is the hostname or IP address for this log source as entered in the IP or Hostname parameter Note When defini...

Страница 327: ...configuration The list must contain the field defined in the Compare Field parameter The comma separated list can be up to 255 alphanumeric characters in length Also the list may include the followin...

Страница 328: ...c IPAddress c DomainName c OperatingSystem c ServicePack t ThreatSubType t Priority t ThreatLocalID t ThreatLocalIDSource t ThreatName t FullFilePathCheckSum t FullFilePath t FileNameOffset t FileVer...

Страница 329: ...the Protocol Configuration drop down list box select JDBC NOTE You must refer to the Configure Database Settings on your Sophos Enterprise Console to define the parameters required to configure the So...

Страница 330: ...Type the database instance if you have multiple SQL server instances on your database server Note If you use a non standard port in your database configuration or have blocked access to port 1434 for...

Страница 331: ...e prepared statements Clearing this check box requires you to use an alternative method of querying that does not use pre compiled statements Polling Interval Type the polling interval which is the am...

Страница 332: ...siem_view as select Windows PureMessage as application id reason timecreated emailonly as sender filesize subject messageid filename from dbo quaritems dbo quaraddresses where ItemID ID and Field 76 G...

Страница 333: ...ce identifier you must use the values of the Database and Database Server IP address or hostname of the Sophos PureMessage device Database Type From the drop down list box select MSDE Database Name Ty...

Страница 334: ...dollar sign number sign underscore _ en dash and period Compare Field Type ID The Compare Field parameter is used to identify new events added between queries to the table Use Prepared Statements Sel...

Страница 335: ...from_local h_from_domain m_global_id m_message_size outbound h_to c_subject_utf8 from message a m_reason b where a reason_id b reason_id Once you have created your SIEM view you must configure SIEM to...

Страница 336: ...igure the Sophos PureMessage DSM in SIEM Step 8 Configure the following values Table 61 2 Sophos PureMessage JDBC Parameters Parameter Description Log Source Identifier Type the identifier for the log...

Страница 337: ...se a comma separated list to define specific fields from tables or views if required for your configuration The list must contain the field defined in the Compare Field parameter The comma separated l...

Страница 338: ...tatus window is displayed Step 4 From Syslog Servers panel click the icon The Add Syslog Server window is displayed Step 5 Configure the following parameters a Name Type a name for the syslog server b...

Страница 339: ...aro Security Gateway For more information on configuring log sources see Log Sources User Guide Sophos Web Security Appliance The SIEM Sophos Web Security Appliance WSA DSM accepts events using syslog...

Страница 340: ...phos Web Security Appliance DSM in SIEM SIEM automatically detects syslog data from a Sophos Web Security Appliance To manually configure SIEM to receive events from Sophos Web Security Appliance From...

Страница 341: ...ion Step 3 Under Policy click Edit Step 4 In the list select your active policy Click Edit Step 5 Click Alerting The selected policy settings appear Step 6 For the State parameter select the On option...

Страница 342: ...rce NOTE The Sourcefire Defense Center DSM uses the same SIEM identifiers QID information as the Snort DSM We recommend you download and install the latest Snort DSM from the Enterasys Extranet at htt...

Страница 343: ...and any additional option parameters to import your pkcs12 file opt qradar bin estreamer cert import pl f file name options Where file name is the file name of the pkcs12 file created by your Sourcefi...

Страница 344: ...errides the default estreamer name for the keystore and truststore files The o parameter is required when using multiple Sourcefire Defense Center devices as unique key file names are required For exa...

Страница 345: ...e Sourcefire Defense Center device Server Port Type the port number SIEM uses to receive Sourcefire Defense Center Estreamer events The default is 8302 Keystore Filename Type the directory path and fi...

Страница 346: ......

Страница 347: ...is any valid syslog facility such as authpriv daemon local0 to local7 or user written in lowercase priority is any valid priority such as err warning notice info debug written in lowercase Step 4 Sav...

Страница 348: ...following command to restart the syslog daemon etc init d syslog restart For more information on configuring Squid Web Proxy consult your vender documentation Step 11 Once you forward your cache and a...

Страница 349: ...following table provides the necessary parameters Table 64 1 Syslog Server Parameters Parameter Description syslog IP address Type the IP address of the SIEM system facility facilities Type the local...

Страница 350: ...luding min Provides minimal information about the event such as event name facility event ID severity level data and time concise Provides detailed information about the event but does not provide the...

Страница 351: ...rate in a degraded date This level also logs events with a higher severity level warning Logs events that may indicate a potential problem This level also logs events with a higher severity level unus...

Страница 352: ...or more information on configuring log sources see the Log Sources User Guide For more information about the device see your vendor documentation Table 64 4 Monitor Log Parameters Parameter Descriptio...

Страница 353: ...Center with SIEM 1 Configuring the Log Server 2 Configuring a Traffic Rule for Syslog 3 Configuring the Log Source in SIEM Configuring the Log Server To configure Stonesoft Management Center perform...

Страница 354: ...perform the following steps Step 1 From the Stonesoft Management Center select one of the following methods for modifying a traffic rule Firewall policies Select Configuration Configuration Firewall...

Страница 355: ...end setting the logging value to None Logging syslog connections without configuring a syslog filter can create a loop For more information see the StoneGate Management Center Administrator s Guide St...

Страница 356: ......

Страница 357: ...g the following line to the file err auth notice auth info IP address Where IP address is the IP address of the SIEM system Use tabs instead of spaces to format the line NOTE Depending on the version...

Страница 358: ...ess is the IP address of the SIEM system Use tabs instead of spaces to format the line Step 7 Save and exit the file Step 8 Type the following command kill HUP cat etc syslog pid Step 9 You are now re...

Страница 359: ...l for system administrator to retrieve detailed auditing events from Sun Solaris systems SIEM retrieves Sun Solaris BSM events using the Log File protocol Before you configure SIEM to integrate with S...

Страница 360: ...the binary Solaris Basic Security Mode logs to a human readable log format Converting Sun Solaris BSM Audit Logs SIEM cannot process binary files directly from Sun Solaris BSM and must convert the au...

Страница 361: ...hange the default directory for the log files a AUDIT_DIR var audit The Audit directory must match the location specified by the audit control file you configured in Step 5 b LOG_DIR var log The log d...

Страница 362: ...is displayed Step 4 Click the Log Sources icon The Log Sources window is displayed Step 5 From the Log Source Type drop down list box select Solaris BSM Step 6 Using the Protocol Configuration drop d...

Страница 363: ...Directory Type the directory location on the remote host from which the files are retrieved By default the newauditlog sh script writes the human readable logs files to the var log directory Recursive...

Страница 364: ...ple type 2H if you want the directory to be scanned every 2 hours The default is 1H Run On Save Select the check box if you want the log file protocol to run immediately after you click Save After the...

Страница 365: ...ing DSMs Sun Solaris Basic Security Mode BSM 349 Step 8 Click Save Event Generator From the Event Generator drop down list box select LINEBYLINE Table 66 2 Log File Parameters continued Parameter Desc...

Страница 366: ......

Страница 367: ...to the security database use sybsecurity go Step 4 Create a view for SIEM create view audit_view as select audit_event_name event as event_name from audit_table_1 union select audit_event_name event...

Страница 368: ...displayed Step 5 Click Add The Add a log source window is displayed Step 1 From the Log Source Type drop down list box select the Sybase ASE option Step 2 Using the Protocol Configuration drop down l...

Страница 369: ...tion Manager Step 2 On the left panel click the Admin icon The View Servers option is displayed Step 3 From the bottom of the View Servers panel click Servers Step 4 From the View Servers panel click...

Страница 370: ...ents from your SGS appliance From the Log Source Type drop down list box select the Symantec Gateway Security SGS Appliance option For more information on configuring devices see the Log Sources User...

Страница 371: ...ustom view you must configure SIEM to receive event information using the JDBC protocol To configure Symantec System Center SSC DSM with SIEM see Configuring SIEM to Receive Events Configuring SIEM to...

Страница 372: ...ming TCP connections enabled to communicate with SIEM Note If you define a Database Instance when using MSDE as the database type you must leave the Port parameter blank in your SIEM configuration Use...

Страница 373: ...the SQL statement many times with different parameters For security and performance reasons we recommend that you use prepared statements Clearing this check box requires you to use an alternative met...

Страница 374: ...MTP response rule For more information see Creating a None Of SMTP Response Rule 3 Configure SIEM For more information see Configuring SIEM with Symantec DLP Creating an SMTP Response Rule To configur...

Страница 375: ...TH path PATH quarantineParentPath QUARANTINE_PAR ENT_PATH scan SCAN target TARGET d Level From this drop down list box select 6 Informational Step 12 Click Save You are now ready to configure your Non...

Страница 376: ...um POLICY src SENDER dst REC IPIENTS rules RULES matchCount MATCH_COUNT blocked BLOC KED incidentID INCIDENT_ID incidentSnapshot INCIDENT_SNAP SHOT subject SUBJECT fileName FILE_NAME parentPath PARE N...

Страница 377: ...ymark PowerBroker NOTE Perl 5 8 must be installed on the device that hosts Symark PowerBroker Step 5 Log in to the device that hosts Symark PowerBroker using an account that has read write execute per...

Страница 378: ...Log Sources User Guide For more information about your Symark PowerBroker device see your vendor documentation h The h parameter defines the receiving syslog host the Event Collector host name or IP...

Страница 379: ...for Events If you are using an LSM see Configuring the Notification Contacts for LSM Configuring SMS Remote Syslog for Events The SIEM TippingPoint DSM accepts remote events using syslog with all info...

Страница 380: ...vice see your vendor documentation Configuring the Notification Contacts for LSM To configure LSM notification contacts Step 1 Log in to the TippingPoint system Step 2 From the LSM menu select IPS Act...

Страница 381: ...must also select the desired rate Block Does not permit traffic TCP Reset When used with the Block action resets the source destination or both IP addresses of an attack This option resets blocked TC...

Страница 382: ...r Tipping Point device you may have to add static routes For more information see your vendor documentation Step 4 You are now ready to configure the log source in SIEM To configure SIEM to receive ev...

Страница 383: ...on on configuring Top Layer see your Top Layer documentation Once you configure syslog to forward events to SIEM you are ready to configure the log source SIEM To configure SIEM to receive events from...

Страница 384: ......

Страница 385: ...om the Log Source Type drop down list box select the Trend InterScan VirusWall option For more information on configuring devices see the Log Sources User Guide For more information about your Trend M...

Страница 386: ...r Guide For more information on Trend Micro Control Manager see your vendor documentation Trend Micro Office Scan A Trend Micro Office Scan DSM accepts events using SNMPv2 SIEM records events relevant...

Страница 387: ...tep 5 Click Save Step 6 Configure Outbreak Alert Notifications a Select Out Notifications b Click the SNMP Trap tab c Select the Enable notification via SNMP Trap for Virus Malware Outbreaks check box...

Страница 388: ...d Alert Notifications Configuring General Settings To integrate a Trend Micro Office Scan 10 x device with SIEM Step 1 Log in to the Office Scan Administration interface Step 2 Select Notifications Ad...

Страница 389: ...ages are sent to an administrator when the criteria exceeds the specified detection limit NOTE Trend Micro recommends using the default values for the detection number and detection period Step 4 Sele...

Страница 390: ...Scan device Step 1 From the Log Source Type drop down list box select the Trend Micro Office Scan option Step 2 From the Protocol Configuration drop down list box select the SNMPv2 option For more in...

Страница 391: ...tion Step 5 Select Rules and click on the desired rule you wish to monitor Step 6 Select the Actions tab Step 7 Make sure the new action is selected Step 8 Click OK Step 9 Repeat Step 5 to Step 8 for...

Страница 392: ......

Страница 393: ...log remove the comment marker from the following line log4j category syslog INFO syslog Step 4 To configure the IP address for the syslog destination edit the following line log4j appender syslog Sysl...

Страница 394: ......

Страница 395: ...s into offenses If an enterprise network has one or more network or security devices that are not officially supported no specific DSM for the device exists you can use the Universal DSM The Universal...

Страница 396: ......

Страница 397: ...e your device to send syslog to SIEM For more information on configuring your Vericept device consult your vendor documentation Once you configure syslog to forward events to SIEM you are ready to con...

Страница 398: ......

Страница 399: ...g Notification Template or create a new template Step 3 Click the General tab Step 4 Click Send Syslog Message Step 5 Select Options Settings Syslog to access the Syslog window The syslog window enabl...

Страница 400: ...Log File Protocol for the Websense V Series Content Gateway Configuring Syslog for the Websense V Series Content Gateway The Websense V Series DSM supports Websense V Series appliances running the Web...

Страница 401: ...and then cut and paste it into your web browser to retain the tab separations The definitions file ignores extra white space blank lines and all comments Step 8 Select Enabled to enable the custom log...

Страница 402: ...a remote host The Websense V Series DSM supports the bulk loading of log files using the log file protocol to provide events on a scheduled interval To configure your Websense V Series Content Gatewa...

Страница 403: ...IEM Step 1 To configure SIEM to receive events from the Websense V Series you must select the Websense V Series option from the Log Source Type drop down list box Step 2 To configure the log file prot...

Страница 404: ......

Страница 405: ...g Snort based events Ambiron TrustWave ipAngel Intrusion Prevention System IPS No No http www atwcorp com Apache HTTP Server v1 3 and above Syslog HTTP status Apache HTTP Server Yes No http www apache...

Страница 406: ...I R55 R65 R70 NGX Syslog or OPSEC LEA All relevant events Check Point FireWall 1 Yes Yes http www checkpoint co m Provider 1 NG FP1 FP2 FP3 AI R54 AI R55 R65 R70 NGX Syslog or OPSEC LEA All relevant e...

Страница 407: ...com IronPort v5 5 and v6 5 Syslog Log File Protocol All relevant events Cisco IronPort No No http www cisco com Firewall Service Module FWSM v2 1 and above Syslog All relevant events Cisco Firewall S...

Страница 408: ...caler v9 3 Syslog All relevant events Citrix NetScaler Yes Yes http www citrix com CRYPTOCard CRYPTO Shield v6 3 Syslog All relevant events CRYPTOCard CRYPTO Shield No No http www cryptocard co m Cybe...

Страница 409: ...rasys K N S Series Switch Yes No http www enterasys co m Stackable and Standalone Switches Syslog All relevant events Enterasys Stackable and Standalone Switches or select your specific device type En...

Страница 410: ...arning FairWarning v2 9 2 Log File Protocol All relevant events Fair Warning No No http www fairwarningau dit com FireEye MPS eMPS and MA v5 1 patch level 5 Syslog All relevant events FireEye No No ht...

Страница 411: ...wertech Interact V5R1 and above Syslog All CEF formatted messages IBM AS 400 iSeries Yes Yes http www ibm com http www powertech co m Raz Lee iSecurity Firewall 15 7 and Audit 11 7 Syslog All relevant...

Страница 412: ...m com Imperva SecureSphere v6 2 and v7 x Release Enterprise Edition Syslog All relevant events Imperva SecureSphere Yes No http www imperva com Infoblox NIOS v6 x Syslog All relevant events Infoblox N...

Страница 413: ...ntroller No Yes http www juniper net Firewall and VPN v5 5r3 and later Syslog All relevant NetScreen Firewall events Juniper Networks Firewall and VPN Yes Yes http www juniper net NetScreen IDP v4 0 v...

Страница 414: ...al Gateway v4 5 Syslog All relevant firewall admin policy and IDS Log events Juniper vGW Yes No http www juniper net Lieberman Random Password Manager v4 8x Syslog All relevant events Lieberman Random...

Страница 415: ...60 59 and above Syslog All relevant events Metainfo MetaIP Yes Yes http www metainfo com Microsoft IIS 6 0 and 7 0 Syslog HTTP status code events Microsoft IIS Webserver Logs Yes No http www microsof...

Страница 416: ...ons Manager 2005 JDBC All relevant events Microsoft Operations Manager No No http www microsoft com System Center Operations Manager 2007 JDBC All relevant events Microsoft SCOM No No http www microso...

Страница 417: ...vents Nortel Application Switch No Yes http www nortel com ARN v15 5 Syslog All relevant events Nortel Multiprotocol Router Yes No http www nortel com Ethernet Routing Switch 2500 v4 1 Syslog All rele...

Страница 418: ...wall 5100 v2 4 Syslog or OPSEC All relevant events Nortel Switched Firewall 5100 Yes Yes http www nortel com Switched Firewall 6000 v4 2 Syslog or OPSEC All relevant events Nortel Switched Firewall 60...

Страница 419: ...s http www proftpd org Radware DefensePro v4 23 and 5 01 Syslog All relevant events Radware DefensePro Yes No http www radware com Redback Networks ASE v6 1 5 Syslog All relevant events Redback ASE Ye...

Страница 420: ...x Syslog All relevant Sourcefire events Snort Open Source IDS Yes No http www sourcefire co m Defense Center v4 8 0 2 and above Sourcefire Defense Center All relevant Sourcefire events Sourcefire Defe...

Страница 421: ...events Symantec Gateway Security SGS Appliance Yes No http www symantec co m SSC v10 1 JDBC All relevant events Symantec System Center Yes No http www symantec co m Data Loss Prevention DLP v8 x and a...

Страница 422: ...v5 2 and above Syslog Resource additions removal and modification events Tripwire Enterprise Yes No http www tripwire com Tropos Networks Tropos Control v7 7 Syslog All relevant fault management logi...

Страница 423: ...reless Controller 91 394 Enterasys Matrix K N S Series Switch 96 393 Enterasys Matrix Router 94 393 Enterasys Matrix Series 96 Enterasys NAC 97 394 Enterasys NetSight Automatic Security Manager 95 393...

Страница 424: ...Nortel Secure Network Access Switch 253 402 Nortel Secure Router 251 402 Nortel Switched Firewall 5100 254 402 Nortel Switched Firewall 6000 256 402 Nortel Threat Protection System 402 Nortel VPN Gat...

Страница 425: ...Configuring DSMs INDEX 409 Authentication Server 394 Firewall 394 Syslog and SNMP 394 V Vericept Content 360 381 406 W Websense Content Gateway 384 406 Websense Data Security Suite 383 406...

Страница 426: ......

Отзывы:

Нет отзывов

Похожие инструкции для Security Information and Event Manager

IBM Nways 8260 Installation Instructions Manual preview
Nways 8260
Бренд: IBM Страницы: 25
Xerox Phaser 6115 Getting Started preview
Phaser 6115
Бренд: Xerox Страницы: 28
Avaya CPSEE_TSP500 User Manual preview
CPSEE_TSP500
Бренд: Avaya Страницы: 216
AVG ANTI-VIRUS 9 FREE - REV 90.15 User Manual preview
ANTI-VIRUS 9 FREE - REV 90.15
Бренд: AVG Страницы: 146
Waves Trans-X User Manual preview
Trans-X
Бренд: Waves Страницы: 8
Pfaff FILES AND FOLDERS Manual preview
FILES AND FOLDERS
Бренд: Pfaff Страницы: 8
VBrick Systems Portal Server ETV v4.1 Admin Manual preview
Portal Server ETV v4.1
Бренд: VBrick Systems Страницы: 140
MACROMEDIA DIRECTOR MX 2004-DIRECTOR SCRIPTING Reference preview
DIRECTOR MX 2004-DIRECTOR SCRIPTING
Бренд: MACROMEDIA Страницы: 1130
IBM PERFORMANCE MANAGEMENT FOR POWER SYSTEMS - GRAPH REFERENCE DOCUMENT... Reference preview
PERFORMANCE MANAGEMENT FOR POWER SYSTEMS - GRAPH REFERENCE DOCUMENT...
Бренд: IBM Страницы: 109
Tandberg Data B DLTSAGE INTEGRATION Integration Manual preview
B DLTSAGE INTEGRATION
Бренд: Tandberg Data Страницы: 36
Xerox FreeFlow 701P45570 Integration Manual preview
FreeFlow 701P45570
Бренд: Xerox Страницы: 12
Canon FS 2710 User Manual preview
FS 2710
Бренд: Canon Страницы: 80
Seagate 10K.3 - Savvio 300 GB Hard Drive Product Manual preview
10K.3 - Savvio 300 GB Hard Drive
Бренд: Seagate Страницы: 78
Garmin nRoute Quick Reference Manual preview
nRoute
Бренд: Garmin Страницы: 4
Quantum GoVault Software Manual preview
GoVault
Бренд: Quantum Страницы: 142
Cowon iAUDIO X5 20GB Supplementary Manual preview
iAUDIO X5 20GB
Бренд: Cowon Страницы: 10
ScanSoft PaperPort SE Getting Started Manual preview
PaperPort SE
Бренд: ScanSoft Страницы: 25
Sharp Display Manager Operation Manual preview
Display Manager
Бренд: Sharp Страницы: 28

Бренды по названию

Популярные бренды

Загрузить еще бренды