					Document: Security Information Manager Guide




                                        Prepared for

                              Central Bank of Cyprus

                          Saturday, 3 December 2011

                                    Version 2.0 Draft



                                        Prepared by

                                   Pavlos Demetriou

                         Presales Network Consultant

                             p.demetriou@lgcom.net
 SYMANTEC SECURITY INFORMATION MANAGER 4.7          SECURITY INFORMATION MANAGER GUIDE


         Change Record

         Date          Author              Version   Change Reference
         03/03/2011    Παύλος Δημητρίου    1.0       Final draft, submitted to HS-Data
         12/07/2011    Παύλος Δημητρίου    1.1       Updated, added as-built info and new
                                                     collector details
         16/07/2011    Παύλος Δημητρίου    2.0       Added Basic Administration Guide




 Logicom Solutions Ltd                                                                Page 1


         Contents

         PURPOSE ........................................................................ 4
         DESIGN REQUIREMENTS ............................................................ 4
         SYMANTEC SECURITY INFORMATION MANAGER SERVER INSTALLATION ...................... 5
         CENTRAL BANK SETUP – AS BUILT .................................................. 6
         DEVICES FROM WHICH LOGS ARE CURRENTLY COLLECTED ................................ 7
         SYMANTEC SECURITY INFORMATION MANAGER CONSOLE GUIDE ............................ 8
         REQUIREMENTS FOR SETTING UP COLLECTION SERVERS AND COLLECTION MACHINES ........ 10
         BASIC ADMINISTRATION GUIDE .................................................... 11
            SSIM ADMINISTRATION – BASIC TASKS .......................................... 11
               Adding valid license keys ............................................... 11
               Registering a Collector in the Information Manager ...................... 11
               Adding a User ........................................................... 12
               Adding a User Group ..................................................... 12
               Adding Roles ............................................................ 13
               Adding an Event Storage Rule ............................................ 13
               Adding an Event Collector configuration ................................. 15
               Distributing Event Collector Configuration .............................. 16
            SSIM AGENT ADMINISTRATION – BASIC TASKS .................................... 17
               Collector installation .................................................. 17
               Agent Management ........................................................ 17
         COLLECTORS USED, CONFIGURATION GUIDE .......................................... 18
            SYMANTEC™ EVENT COLLECTOR 4.3 FOR CISCO IOS (CISCOIOS) ..................... 18
            SYMANTEC™ EVENT COLLECTOR 4.4 FOR CISCO IPS (CISCOIPS) ..................... 21
            SYMANTEC™ EVENT COLLECTOR 4.4 FOR CISCO ASA (CISCOASA) ..................... 22
            SYMANTEC™ EVENT COLLECTOR 4.3 FOR SYMANTEC ENDPOINT PROTECTION 11.0
            (SYMCEP) ................................................................... 24
            SYMANTEC™ EVENT COLLECTOR 4.3 FOR SYMANTEC ENDPOINT PROTECTION STATE 11.0
            (SYMCEPSTATE) .............................................................. 26
            SYMANTEC™ EVENT COLLECTOR 4.4 FOR MICROSOFT® VISTA AND MICROSOFT WINDOWS
            SERVER 2008 (MSVISTA) ...................................................... 27
               SSIM Manager Sensor Configuration ....................................... 28
               Custom Security Descriptor .............................................. 28
            SYMANTEC™ EVENT COLLECTOR 4.3 FOR MICROSOFT WINDOWS (WINDOWSEVENTLOG) ...... 30
            SYMANTEC™ EVENT COLLECTOR 4.3 FOR MICROSOFT DHCP (MSDHCP) .................. 31
            SYMANTEC™ EVENT COLLECTOR 4.4 FOR RSA AUTHENTICATION MANAGER (RSAAM) ....... 32
            SYMANTEC™ EVENT COLLECTOR 4.4 FOR UNIX (UNIXSYSLOG) ........................ 33
            SYMANTEC™ EVENT COLLECTOR 4.3 FOR SNARE (SNAREWIN) ......................... 34


            SYMANTEC™ UNIVERSAL SYSLOG EVENT COLLECTOR 4.4 FOR SSIM 4.7 (USYSLOG) ...... 35
            SYMANTEC™ UNIVERSAL LOG FILE EVENT COLLECTOR 4.4 FOR SSIM 4.7 (ULOGFILE) ... 36
         APPENDIX ....................................................................... 1
            DASHBOARD ................................................................... 2
            INTELLIGENCE ................................................................ 3
            INCIDENTS ................................................................... 4
            EVENTS ...................................................................... 5
            TICKETS ..................................................................... 6
            ASSETS ...................................................................... 7
            REPORTS ..................................................................... 8
            RULES ....................................................................... 9
            SYSTEM ..................................................................... 10
            STATISTICS ................................................................. 12






         PURPOSE

         This document describes the basic installation steps for the Symantec Security
         Information Manager (SSIM) server and provides guidance on correctly installing
         and configuring the Log Collection Servers with the appropriate Collectors.

         A brief introduction to the Security Information Manager Console is also included.

         A more detailed and thorough explanation of the above can be found in Symantec's
         official manuals, which are also included in our documentation for the Bank.


         DESIGN REQUIREMENTS

         • High Availability – The current design does not include a High Availability
           mechanism, either on the SSIM appliance or at the Collection Servers.
         • Service Scope – The set of devices from which logs are collected was predefined
           at the tender.
         • Compatibility with Technologies – See the official Symantec Collector
           Compatibility list.






         SYMANTEC SECURITY INFORMATION MANAGER SERVER INSTALLATION

         Minimum System Requirements

         • Dual-core CPU or better
         • 4 GB RAM
         • 1 TB or more of available disk space
         • Hardware is Red Hat EL 4 certified

         Recommendations

         • RAID setup with two logical drives
         • RAID 1 or 0+1 for the first logical drive (boot)
         • RAID 5 for the second logical drive (data)






         CENTRAL BANK SETUP – AS BUILT

         SSIM Server Specifications

         • HP DL380 G6
         • Dual Intel Xeon E5520 quad-core CPUs
         • 18 GB RAM
         • 200 GB RAID 1 for the boot drive
         • 1 TB RAID 5 for the data drive
         • O/S: Hardened Red Hat ES4 U8

         Other Details

         SSIM Server Name: erebus
         SSIM Server Domain: siem.cbc

         Connectivity

         IP Address: 172.16.51.16
         Subnet Mask: 255.255.255.0
         Gateway: 172.16.51.254

         Collection Servers Used

         • Internal Collector Name: NYX
         • DMZ Collector Name: HERAKLION

         Collector Servers Domain: intranet.centralbank.gov.cy

         Collection Servers Specs

         • O/S: Windows 2008 R1 with SP2 x86
         • State: Virtual Machine
         • Host: Hyper-V
         • Memory: 4 GB RAM
         • CPU: 2 virtual cores assigned

         Collectors Used for this Project

         • Cisco IOS Event Collector
         • Cisco IPS Event Collector
         • Cisco ASA Event Collector
         • Symantec Endpoint Event Collector
         • Symantec Endpoint State Event Collector
         • Microsoft Windows Vista and Windows 2008 Event Collector
         • Microsoft Windows Event Collector
         • Microsoft DHCP Event Collector
         • RSA Authentication Manager Event Collector
         • Unix OS Event Collector
         • Snare for Windows Event Collector
         • Universal Syslog Event Collector
         • Universal LogFile Collector




         DEVICES FROM WHICH LOGS ARE CURRENTLY COLLECTED

                DNS Name                     Role                Operating System
         EUROPA                  SEP Manager                  Windows 2008 R2
         HYDRA1                  DHCP Server                  Windows 2008 R2
         SOLON                   Directory Controller         Windows 2008 R2
         ZENON                   Directory Controller         Windows 2008 R2
         PHILIMON                Directory Controller         Windows 2008 R2
         CERBERUS                CSM Manager                  Windows 2003 SP2
         AMALTHEA                LMS Manager                  Windows 2008 R1
         ARGO1                   TMG Server                   Windows 2008 R2
         CALLISTO                SCVMM Server                 Windows 2008 R2
         GANYMEDE                McAfee ePO server            Windows 2008 R1
         IASON                   FTP Server                   Windows 2008 R1
         CHANIA                  BBERY Server                 Windows 2008 R2
         IALYSOS                 BBERY Server                 Windows 2008 R2
         RETHYMNO                DNS Server                   Windows 2008 R2
         KAMEIROS                DNS Server                   Windows 2008 R2
         LASITHI                 UAG Server                   Windows 2008 R2
         LINDOS                  UAG Server                   Windows 2008 R2
         ESCB-MAIN1              HYPER-V Host                 Windows 2008 R2
         ESCB-MAIN2              HYPER-V Host                 Windows 2008 R2
         ESCB-DNS1               DNS Server                   Windows 2008 R2
         ESCB-DNS2               DNS Server                   Windows 2008 R2
         EXDI-GW                 EXDI Server                  Windows 2003
         A-EXDI-GW               EXDI Server                  Windows 2003
         SIEM_INTERNAL_FW        Firewall Internal Zone       CISCO IOS
         SIEM_ADMIN_FW           Firewall Admin Zone          CISCO IOS
         ESCB-FW-ACT             Firewall ESCB Zone           CISCO IOS
         ESCB-FW-STBY            Firewall ESCB Zone           CISCO IOS
         CSR-CORE                CORE Switch                  CISCO IOS
         CSR-D1                  L2 Switch                    CISCO IOS
         CSR-A1                  L2 Switch                    CISCO IOS
         CSR-A2                  L2 Switch                    CISCO IOS
         BCK-CORE                CORE Switch                  CISCO IOS
         COMM-A1                 L2 Switch                    CISCO IOS
         BCK-D1                  L2 Switch                    CISCO IOS
         COMM-A2                 L2 Switch                    CISCO IOS
         ESCB-SW-MAIN1           ESCB Switch                  CISCO IOS
         ESCB-SW-MAIN2           ESCB Switch                  CISCO IOS
         IDSM1                   IDS/IPS Module               CISCO IDS
         IDSM2                   IDS/IPS Module               CISCO IDS
         CASTOR                  RSA SecurID                  RedHat EL
         POLLUX                  RSA SecurID                  RedHat EL
         SIEM_External_FW        External Firewall            CISCO IOS
         IG_CABLENET             Internet Router              CISCO IOS
         IG_CYTA                 Internet Router              CISCO IOS
         SCYLLA1                 MAIL Gateway                 Hardened Linux
         SCYLLA2                 MAIL Gateway                 Hardened Linux
         CHARYBDIS1              WEB Gateway                  Hardened Linux
         CHARYBDIS2              WEB Gateway                  Hardened Linux
         NYX                     Intranet Collector           Windows 2008 R1
         HERAKLION               DMZ Collector                Windows 2008 R1






         SYMANTEC SECURITY INFORMATION MANAGER CONSOLE GUIDE

         The Symantec Security Information Manager Console consists of the following 10
         tabs (see the Appendix for the relevant screenshots). All 10 tabs are displayed
         only for the Global Administrator; the tabs shown can be customised or limited per
         user or per user group.

                 1. Dashboard – The main dashboard. Here you choose which information
                    (charts or graphs) a user sees on login, selected either from the
                    in-box queries or from customised queries.

                 2. Intelligence – Shows the latest information received from the Global
                    Intelligence Network (GIN), together with global statistics on the
                    vulnerabilities currently discovered.

                 3. Incidents – Shows the alerts raised from the devices you collect logs
                    from. Besides viewing an alert you can drill into it: display the
                    target and source of a possible attack where applicable, show an
                    attack diagram, display any relevant intelligence from the GIN, and
                    create a ticket and assign it to the appropriate user.

                 4. Events – Lists the pre-defined queries and the self-created custom
                    queries used to present the events gathered from all collected
                    devices. From this tab you can also create customised queries to sort
                    and filter the event results as you see fit.

                 5. Tickets – Displays the tickets assigned to each user. The administrator
                    can view all tickets, whereas a normal user sees only the tickets
                    assigned to him or her. (Ticketing is not in the scope of this
                    implementation.)

                 6. Assets – Used to set up your devices and categorise them accordingly.
                    This is not done automatically and must be done manually; assets can
                    also be imported from a CSV file if needed. Once the assets are in
                    place you can see the policies, services, incidents, tickets and
                    vulnerabilities that concern each specific asset.

                 7. Reports – By default, reports are generated from queries (in-box or
                    self-made). A report can be generated for viewing only when you log in
                    to the SSIM console, or published, which also allows it to be sent by
                    e-mail to the appropriate personnel. See the Reporting Guide for more
                    information on creating reports.

                 8. Rules – Rules are used to filter the information gathered from the
                    collection devices. You can use an existing rule or create a custom
                    rule. See the Rules Guide for more information. (Creation of customised
                    rules is not in the scope of this implementation.)

                 9. System – Administration of the SSIM server: everything from user
                    roles and groups to the SSIM server configuration and the collector
                    configurations.




                 10. Statistics – Displays information about the SSIM server itself, such
                     as its system status, the correlations currently made, the filters
                     and rules currently in place, and information about the Event
                     Service.






         REQUIREMENTS FOR SETTING UP COLLECTION SERVERS AND COLLECTION MACHINES

         Please note the following before setting up a Collection Server:

         • The Collection Server must not be a Windows Server 2008 R2 or Windows 7
           machine, as most of the Collector Engines are currently incompatible with
           those two versions of Windows. If you are to collect data from Windows 2008,
           Vista, 2003 etc., the collector machine should be a Windows 2008 R1 x86
           machine.
         • The following ports must be allowed in the Windows Firewall as well as on any
           other equipment filtering traffic:
               o TCP Port 80 (Outbound to SIM manager) – Communication with the SIM
                 manager server (heartbeat)
               o TCP Port 443 (Outbound to SIM manager) – Management from the SIM manager
                 server
               o TCP Port 5985 (Outbound to Collection Machines) – Collection of logs via
                 WinRM from Windows 2008 and 7 devices
               o TCP Port 8086 (Inbound to SIM manager) – Event log listening port on the
                 SIM server
               o TCP Port 5998 (Inbound to SIM manager) – Communication of the Event Agent
                 with the SIM manager server (configuration sync)
               o UDP Port 514 (Inbound from Collection Machines) – Syslog collection

         Also note that the following ports should be allowed on the Collection Machines:

               o CISCO devices: UDP port 514 (Outbound to Collection Server)
               o Linux, UNIX and RSA SecurID, if using syslog: UDP port 514 (Outbound to
                 Collection Server)
               o Windows 2008 and 7 machines: TCP Port 5985 (Inbound from Collection
                 Server)
               o Windows XP and 2003 machines: an account with Local Admin rights is
                 needed; no collector-specific ports need to be opened beyond the standard
                 Windows RPC/SMB ports used for remote event log access

         Syslog over UDP is neither authenticated nor acknowledged: anything that can reach
         UDP 514 on a Collection Server can inject events, and lost datagrams are not
         retransmitted. Restrict the inbound UDP 514 rule on the Collection Servers to the
         source addresses of the devices listed in this document rather than allowing it
         from any host.






         BASIC ADMINISTRATION GUIDE

         SSIM Administration – Basic Tasks

         Adding valid license keys

         Symantec Security Information Manager requires that a valid SIM license as well as
         a GIN license is installed on the box. The license keys purchased from Symantec
         are entered via the web interface, using either the IP address or the name of the
         SSIM server (https://172.16.51.16/ or https://erebus.siem.cbc/).

         The officially supported browsers are:

         • IE 6.x
         • IE 7.x
         • Firefox 3.x

         Registering a Collector in the Information Manager
         The Symantec Security Information Manager software comes with a number of prebuilt
         collectors already installed. To collect logs using a different collector, you
         first register that collector via the Information Manager Web Console and then
         install it on the Information Manager Event Agent or on an off-box Event Agent.
         Download the collector from https://fileconnect.symantec.com/, extract it, and
         register its SIP file (located under the /sip directory) via the Information
         Manager Web Console by clicking SETTINGS / COLLECTOR REGISTRATION / REGISTER, as
         shown below.






         Adding a User
         From the SSIM Manager Client click SYSTEM / USERS and then click the green plus
         sign (+) as shown below. The procedure from then on is straightforward: you just
         need to enter the relevant user details.




         Adding a User Group

         As above, navigate to SYSTEM / USER GROUPS and click the green plus (+) sign. A
         user group holds the user assignments. Note that a user group does not by itself
         enforce any policies; permissions come from roles.






         Adding Roles

         As above, navigate to SYSTEM / ROLES and click the green plus (+) sign. A role
         holds the specific permissions granted to a user. Please see the Administrator
         Guide for more information.




         Adding an Event Storage Rule

         Event storage rules let you group events into separate folders for easier
         management. Create an Event Storage Rule by selecting SYSTEM / SERVER
         CONFIGURATIONS / CBC / SIEM / EREBUS / EVENT STORAGE RULES and clicking the plus
         sign (+) in the top left corner. See below for an example Event Storage Rule. The
         rule below creates a new event folder that holds only the events coming from
         CISCO IOS devices. Note that you can also choose a retention strategy here and
         activate auto-purge for these logs; in the example, auto-purge is set to 365 days
         (12 months).






         Also note that for the above rule to work you need to add an exception rule to the
         existing Default Archive Storage, as shown below, because that store takes
         precedence over any other event store: without the exception, CISCO IOS events
         are matched by the Default Archive Storage first and never reach the new folder.






         Adding an Event Collector configuration

         Add an Event Collector configuration from SYSTEM / PRODUCT CONFIGURATIONS by
         expanding the relevant collector (e.g. CISCO IOS Event Collector) and clicking
         the plus sign (+) in the top left corner. Here you can:
         • Name the configuration (e.g. CISCO Routers)
         • Copy the configuration from an existing CISCO IOS configuration (if any)
         • Assign a Collection Computer/Server to the configuration
         After completing the steps above, click on the newly created configuration and
         you will be presented with the following information (note that the information
         shown below may vary according to the Event Collector selected).




         The most useful information here is in the Sensor tab, which is always the last
         tab in each event collector configuration. Here you set the parameters that are
         pushed to the Collection Computer and enable it to start collecting event logs.
         The selected event collector uses SYSLOG to receive events. Instructions for
         configuring each collector are given in the Collectors Used, Configuration Guide
         chapter.






         Note that you can create multiple sensors per collector by clicking the plus sign
         (+) in the bottom left corner of the Sensor tab.




         Distributing Event Collector Configuration

         After creating an Event Collector Configuration you have to distribute it to the
         affected Collector Computers so that they receive the configuration changes.

         You can do this in either of the following two ways:

         1. By clicking the Distribute button




         2. By right-clicking the Event Collector Configuration and clicking Distribute






         SSIM Agent Administration – Basic Tasks

         The SSIM Agent is installed on each and every Computer/Server on which you need
         to install a Collector. SSIM Agent management is done from the command prompt.


         Collector installation

         Please note that the Agent needs to be installed before installing a Collector.

         • Open an administrative command prompt and navigate to the install directory
           of the specified collector
         • Run install.exe on Windows, or sh install.sh as root on Unix/Linux/Solaris


         Agent Management

         As explained above, management of the SSIM Agent is done from the command prompt.
         Please see the steps below:

         • Open an administrative command prompt and navigate to the Event Agent folder
           (the default path is C:\Program Files\Symantec\Event Agent on Windows and
           /opt/Symantec/sesa/Agent on Unix/Linux/Solaris machines)
         • Run agentmgmt.bat on Windows, or sh agentmgmt.sh on Unix/Linux/Solaris
         • See below for the valid options






         COLLECTORS USED, CONFIGURATION GUIDE

         Symantec™ Event Collector 4.3 for Cisco IOS (ciscoios)

         This collector is fairly easy to configure, as the configuration needed in the SIM
         manager console and on the Cisco IOS device is minimal.

         The following fields, as shown in the image below, need to be filled in under Sensor
         Properties:
          •   Protocol: Choose between TCP and UDP. The default is UDP.
          •   Host Names: Enter either the DNS name or the IP address of the IOS device.
          •   Port Number: Enter the port that the IOS device was configured to send logs
              to. The default port is 10517. Most CISCO IOS devices send logs to port 514; this
              port can be changed via the CISCO configuration terminal.
          •   Time Offset: Here you can specify the time offset used to convert the timestamps of all
              logged events to the time zone of the collector computer. This value does not need to
              be changed if all equipment is located in the same time zone.




         See below for the CISCO IOS device commands needed to enable syslog.

         CISCO IOS Router

         Step    Command                              Purpose

         1       Router# configure terminal           Enters global configuration mode.

         2       Router(config)# service              Instructs the system to timestamp syslog messages;
                 timestamps type datetime [msec]      the options for the type keyword are debug and log.
                 [localtime] [show-timezone]

         3       Router(config)#logging host          Specifies the syslog server by IP address or host
                                                      name; you can specify multiple servers.

         4       Router(config)# logging trap level   Specifies the kind of messages, by severity level, to be
                                                      sent to the syslog server. The default is informational
                                                      and lower. The possible values for level are as follows:
                                                      Emergency: 0
                                                      Alert: 1
                                                      Critical: 2
                                                      Error: 3
                                                      Warning: 4
                                                      Notice: 5
                                                      Informational: 6
                                                      Debug: 7
                                                      Use the debug level with caution, because it can
                                                      generate a large amount of syslog traffic in a busy
                                                      network.

         5       Router(config)# logging facility     Specifies the facility level used by the syslog
                 facility-type                        messages; the default is local7. Possible values are
                                                      local0, local1, local2, local3, local4, local5, local6,
                                                      and local7.





         6       Router(config)# end                   Returns to privileged EXEC mode.

         7       Router# show logging                  Displays logging configuration.


         Example Configuration (Router)
         Router#config terminal
         Enter configuration commands, one per line. End with CNTL/Z.
         Router(config)#logging 192.168.0.30
         Router(config)#service timestamps debug datetime localtime show-timezone msec
         Router(config)#service timestamps log datetime localtime show-timezone msec
         Router(config)#logging facility local3
         Router(config)#logging trap warning
         Router(config)#end


         CISCO CatOS Switch

         Step    Command                     Purpose

         1       Switch>(enable) set         Configures the system to timestamp messages.
                 logging timestamp
                 {enable | disable}

         2       Switch>(enable) set         Specifies the IP address of the syslog server; a maximum of
                 logging server ip-          three servers can be specified.
                 address

         3       Switch>(enable) set         Limits messages that are logged to the syslog servers by
                 logging server severity     severity level.
                 server_severity_level

         4       Switch>(enable) set         Specifies the facility level that would be used in the message.
                 logging server facility     The default is local7. Apart from the standard facility names
                 server_facility_parameter   listed in Table 4-1, Cisco Catalyst switches use facility names
                                             that are specific to the switch. The following facility levels
                                             generate syslog messages with fixed severity levels:
                                             5: System, Dynamic-Trunking-Protocol, Port-Aggregation-
                                             Protocol, Management, Multilayer Switching
                                             4: CDP, UDLD
                                             2: Other facilities

         5       Switch>(enable) set         Enables the switch to send syslog messages to the syslog
                 logging server enable       servers.

         6       Switch>(enable) show        Displays the logging configuration.
                 logging


         Example Configuration (CatOS Switch)
         Console> (enable) set logging timestamp enable
         System logging messages timestamp will be enabled.
         Console> (enable) set logging server 192.168.0.30
         192.168.0.30 added to System logging server table.
         Console> (enable) set logging server facility local4
         System logging server facility set to <local4>
         Console> (enable) set logging server severity 4
         System logging server severity set to <4>
         Console> (enable) set logging server enable
         System logging messages will be sent to the configured syslog servers.


         CISCO PIX/ASA Firewall

         Step    Command                     Purpose





         1       firewall# config terminal   Enters global configuration mode.

         2       firewall(config)#logging    Specifies that each syslog message should have a timestamp
                 timestamp                   value.

         3       firewall(config)#logging    Specifies a syslog server that is to receive the messages sent
                 host [interface connected   from the Cisco PIX Firewall. You can use multiple logging host
                 to syslog server]           commands to specify additional servers that would all receive the
                 ip_address [protocol /      syslog messages. The protocol is UDP or TCP. However, a
                 port]                       server can only be specified to receive either UDP or TCP, not
                                             both. A Cisco PIX Firewall only sends TCP syslog messages to
                                             the Cisco PIX Firewall syslog server.

         4       firewall(config)#logging    Specifies the syslog facility number. Instead of specifying the
                 facility facility           name, the PIX uses a 2-digit number, as follows:
                                             local0 - 16
                                             local1 - 17
                                             local2 - 18
                                             local3 - 19
                                             local4 - 20
                                             local5 - 21
                                             local6 - 22
                                             local7 - 23
                                             The default is 20.

         5       firewall(config)#logging    Specifies the syslog message level as a number or string. The
                 trap level                  level that you specify means that you want that level and those
                                             values less than that level. For example, if level is 3, syslog
                                             displays 0, 1, 2, and 3 messages. Possible number and string
                                             level values are as follows:
                                             0: Emergency; System-unusable messages
                                             1: Alert; Take immediate action
                                             2: Critical; critical condition
                                             3: Error; error message
                                             4: Warning; warning message
                                             5: Notice; normal but significant condition
                                             6: Informational: information message
                                             7: Debug; debug messages and log FTP commands and WWW
                                             URLs

         6       firewall(config)#logging    Starts sending syslog messages to all output locations.
                 on

         7       firewall(config)#no         Specifies a message to be suppressed.
                 logging message
                 <message id>

         8       firewall(config)#exit       Exits global configuration mode.


         Example Configuration (PIX/ASA Firewall)

         Firewall#
         Firewall# config terminal
         Firewall(config)# logging timestamp
         Firewall(config)# logging host 192.168.0.30
         Firewall(config)# logging facility 21
         Firewall(config)# logging trap 7
         Firewall(config)# logging on
         Firewall(config)# no logging message 111005
         Firewall(config)# exit
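         The facility and severity tables for the IOS router, CatOS switch and PIX/ASA firewall above all describe the same encoding on the wire: every syslog message starts with a PRI value equal to facility × 8 + severity (so local3 = 19 and local5 = 21 give the numbers the PIX table lists), and "logging trap <level>" forwards only messages whose severity number is at or below the configured level. The Python script below is added here as an example; it is not part of this guide nor Symantec or Cisco software. It decodes the PRI of constructed sample lines that follow the router and firewall example configurations and reproduces the trap-level filter, so you can predict which messages the ciscoios/ciscoasa sensor will actually receive on its port.

```python
"""Decode the <PRI> field of syslog messages from Cisco IOS, CatOS and PIX/ASA
devices and reproduce the 'logging trap <level>' filter described in the
tables above.

Added example for this guide; it is not Symantec or Cisco code. The sample
messages in SAMPLE_LINES are constructed for illustration, not captured logs.
"""
import re

# Severity levels 0-7, in the order used by 'logging trap level' above.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]

# Facility names to numbers: local0-local7 = 16-23, as in the PIX 'logging facility' row.
LOCAL_FACILITIES = {f"local{n}": 16 + n for n in range(8)}
FACILITY_NAMES = {num: name for name, num in LOCAL_FACILITIES.items()}

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
# Cisco message mnemonic, e.g. %LINK-3-UPDOWN; the middle digit repeats the severity.
MNEMONIC_RE = re.compile(r"%([A-Z0-9_]+)-(\d)-([A-Z0-9_]+)")


def decode_pri(pri: int) -> tuple:
    """Split a PRI value into (facility, severity); PRI = facility * 8 + severity."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return divmod(pri, 8)


def expected_pri(facility_name: str, severity: int) -> int:
    """PRI value a device configured with 'logging facility <name>' puts on a message."""
    return LOCAL_FACILITIES[facility_name] * 8 + severity


def parse_cisco_syslog(line: str) -> dict:
    """Return facility, severity and mnemonic of one syslog line."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("line has no <PRI> prefix")
    facility, severity = decode_pri(int(m.group(1)))
    body = m.group(2).strip()
    mn = MNEMONIC_RE.search(body)
    return {
        "facility": facility,
        "facility_name": FACILITY_NAMES.get(facility, str(facility)),
        "severity": severity,
        "severity_name": SEVERITIES[severity],
        "mnemonic": "-".join(mn.groups()) if mn else None,
        # The collector trusts the PRI; a mismatch with the mnemonic is worth flagging.
        "mnemonic_severity_matches": (int(mn.group(2)) == severity) if mn else None,
        "message": body,
    }


def passes_trap_level(severity: int, trap_level) -> bool:
    """'logging trap <level>' forwards that level and all lower numbers (more severe)."""
    if isinstance(trap_level, str):
        trap_level = SEVERITIES.index(trap_level.lower())
    return severity <= trap_level


def forwarded(lines, trap_level) -> list:
    """Parsed messages a device with 'logging trap <trap_level>' would send to the collector."""
    return [rec for rec in map(parse_cisco_syslog, lines)
            if passes_trap_level(rec["severity"], trap_level)]


# Constructed samples. The first two follow the router example (facility local3 = 19):
# PRI 155 = 19*8 + 3 (error), PRI 158 = 19*8 + 6 (informational).
# The third follows the PIX example (facility 21 = local5): PRI 172 = 21*8 + 4 (warning).
SAMPLE_LINES = [
    "<155>Dec  3 10:15:01.123 EET: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, "
    "changed state to down",
    "<158>Dec  3 10:15:02.456 EET: %SEC-6-IPACCESSLOGP: list 101 denied tcp "
    "10.0.0.5(51512) -> 10.0.0.9(445), 1 packet",
    "<172>Dec 03 2011 10:15:03: %PIX-4-106023: Deny tcp src outside:203.0.113.7/51512 "
    "dst inside:10.0.0.9/445 by access-group outside_in",
]

if __name__ == "__main__":
    # With the router example's 'logging trap warning', only severities 0-4 arrive.
    for rec in forwarded(SAMPLE_LINES, "warning"):
        print(rec["facility_name"], rec["severity_name"], rec["mnemonic"])
```

         Two things the decoder makes visible: the router example's "logging trap warning" drops the informational (6) access-list message even though the firewall example's "logging trap 7" would have passed it, which is the first place to look when expected events never reach the collector; and the severity digit inside the Cisco mnemonic should agree with the PRI severity, so a mismatch (mnemonic_severity_matches is False) means something between the device and the collector has rewritten the PRI.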






         Symantec™ Event Collector 4.4 for Cisco IPS (ciscoips)

         This collector requires two steps to be completed in order to collect logs.

         Step 1 – Configure CISCO IPS to work with the collector

         1.  Open your browser and log in to the Cisco IPS sensor using the Cisco IPS
             Device Manager (IDM) application.
         2.  Click Configuration.
         3.  Under Sensor Setup, click Network.
         4.  Write down the displayed Web Server settings:
                 •   Transport protocol: if Enable TLS/SSL is checked (this is the default
                     setting), the transport protocol for the collector configuration is https.
                 •   Web Server port: The default is 443. This port number will be used in the
                     collector configuration.
         5.  Under Sensor Setup, click Allowed Hosts.
         6.  On the Add Allowed Host screen, type the IP address of the collector
             computer.
         7.  Click OK.
         8.  Under Sensor Setup, click Users.
         9.  Click Add.
         10. On the Add User screen, do the following:
                 •   Type a user name in the Username field. This user name will be used in
                     the collector configuration.
                 •   Set User Role to Viewer.
                 •   Type in and confirm a user password. This password will be used in the
                     collector configuration.
         11. Click OK.

         Step 2 – Configure CISCO IPS Sensor

         As shown below, the configuration needed is the following:

               •   Transport Protocol: Should be HTTPS, as it is the default setting for CISCO IPS.
               •   Server Address: IP address of the Cisco IPS device.
               •   Port Number: The default port is 443. This can be changed if needed.
               •   Auth User Name: The user name that was created previously on the IPS device.
               •   Auth Password: The password that was created for that user.
               •   Number of Days to Load History Events: The default is 11. This can be changed if needed.






         Symantec™ Event Collector 4.4 for Cisco ASA (ciscoasa)

         This collector is the same as the CISCO IOS collector (it uses syslog to collect logs),
         with the only difference that it can correlate more of the information gathered from ASA
         devices. Configuration is exactly the same as for the CISCO IOS collector indicated
         above.

         The following fields, as shown in the image below, need to be filled in under Sensor
         Properties:
          •   Protocol: Choose between TCP and UDP. The default is UDP.
          •   Host Names: Enter either the DNS name or the IP address of the IOS device.
          •   Port Number: Enter the port that the IOS device was configured to send logs
              to. The default port is 10517. Most CISCO IOS devices send logs to port 514; this
              port can be changed via the CISCO configuration terminal.
          •   Time Offset: Here you can specify the time offset used to convert the timestamps of all
              logged events to the time zone of the collector computer. This value does not need to
              be changed if all equipment is located in the same time zone.




         CISCO PIX/ASA Firewall

         Step    Command                     Purpose

         1       firewall# config terminal   Enters global configuration mode.

         2       firewall(config)#logging    Specifies that each syslog message should have a timestamp
                 timestamp                   value.

         3       firewall(config)#logging    Specifies a syslog server that is to receive the messages sent
                 host [interface connected   from the Cisco PIX Firewall. You can use multiple logging host
                 to syslog server]           commands to specify additional servers that would all receive the
                 ip_address [protocol /      syslog messages. The protocol is UDP or TCP. However, a
                 port]                       server can only be specified to receive either UDP or TCP, not
                                             both. A Cisco PIX Firewall only sends TCP syslog messages to
                                             the Cisco PIX Firewall syslog server.

         4       firewall(config)#logging    Specifies the syslog facility number. Instead of specifying the
                 facility facility           name, the PIX uses a 2-digit number, as follows:
                                             local0 - 16
                                             local1 - 17
                                             local2 - 18
                                             local3 - 19
                                             local4 - 20
                                             local5 - 21
                                             local6 - 22
                                             local7 - 23
                                             The default is 20.

         5       firewall(config)#logging    Specifies the syslog message level as a number or string. The
                 trap level                  level that you specify means that you want that level and those
                                             values less than that level. For example, if level is 3, syslog
                                             displays 0, 1, 2, and 3 messages. Possible number and string
                                             level values are as follows:
                                             0: Emergency; System-unusable messages




                                            1: Alert; Take immediate action
                                            2: Critical; critical condition
                                            3: Error; error message
                                            4: Warning; warning message
                                            5: Notice; normal but significant condition
                                            6: Informational: information message
                                            7: Debug; debug messages and log FTP commands and WWW
                                            URLs

         6       firewall(config)#logging   Starts sending syslog messages to all output locations.
                 on

         7       firewall(config)#no        Specifies a message to be suppressed.
                 logging message
                 <message id>

         8       firewall(config)#exit      Exits global configuration mode.


         Example Configuration (PIX/ASA Firewall)

         Firewall#
         Firewall# config terminal
         Firewall(config)# logging timestamp
         Firewall(config)# logging host 192.168.0.30
         Firewall(config)# logging facility 21
         Firewall(config)# logging trap 7
         Firewall(config)# logging on
         Firewall(config)# no logging message 111005
         Firewall(config)# exit






         Symantec™ Event Collector 4.3 for Symantec Endpoint Protection 11.0
         (symcep)

         For this collector to work, the following must take place:
            1. Download the Sybase JDBC driver from here and save it in a folder on the
               collector server (e.g. C:\JDBC).

            2. Copy the config.xml file from the following symcep collector directory:
               symcep\utils\SybaseMode to the collector directory located in the Event Agent
               on the collector server (this should be C:\Program Files\Symantec\Event
               Agent\Collectors\symcep).

            3. Connect to the SEP server, navigate to the directory C:\Program
               Files\Symantec\Symantec Endpoint Protection Manager\ASA\win32 and run
               the dbisqlc.exe file. This will open the following window.




               Enter DBA for User ID:, enter the database password, select the
               default Data Source name: and press Enter.
               We will now create a user called sepcollect with the password sepsiem that will
               have select-only permissions on the events in the SEP database. Enter the
               following commands in the Command box:

               GRANT CONNECT TO "sepcollect" IDENTIFIED BY "sepsiem"

               GRANT SELECT ON "DBA"."V_AGENT_BEHAVIOR_LOG" TO "sepcollect" FROM "DBA"
               GRANT SELECT ON "DBA"."V_AGENT_PACKET_LOG" TO "sepcollect" FROM "DBA"
               GRANT SELECT ON "DBA"."V_AGENT_SECURITY_LOG" TO "sepcollect" FROM "DBA"
               GRANT SELECT ON "DBA"."V_AGENT_TRAFFIC_LOG" TO "sepcollect" FROM "DBA"
               GRANT SELECT ON "DBA"."V_AGENT_SYSTEM_LOG" TO "sepcollect" FROM "DBA"
               GRANT SELECT ON "DBA"."V_ENFORCER_CLIENT_LOG" TO "sepcollect" FROM "DBA"
               GRANT SELECT ON "DBA"."V_ENFORCER_SYSTEM_LOG" TO "sepcollect" FROM "DBA"
               GRANT SELECT ON "DBA"."V_ENFORCER_TRAFFIC_LOG" TO "sepcollect" FROM "DBA"
               GRANT SELECT ON "DBA"."V_SERVER_ADMIN_LOG" TO "sepcollect" FROM "DBA"
               GRANT SELECT ON "DBA"."V_SERVER_SYSTEM_LOG" TO "sepcollect" FROM "DBA"




               GRANT SELECT ON "DBA"."V_LAN_DEVICE_DETECTED" TO "sepcollect" FROM "DBA"
               GRANT SELECT ON "DBA"."V_SERVER_CLIENT_LOG" TO "sepcollect" FROM "DBA"
               GRANT SELECT ON "DBA"."V_SERVER_ENFORCER_LOG" TO "sepcollect" FROM "DBA"
               GRANT SELECT ON "DBA"."V_SERVER_POLICY_LOG" TO "sepcollect" FROM "DBA"
               GRANT SELECT ON "DBA"."V_ALERTS" TO "sepcollect" FROM "DBA"
               GRANT SELECT ON "DBA"."V_SEM_COMPUTER" TO "sepcollect" FROM "DBA"
               GRANT SELECT ON "DBA"."IDENTITY_MAP" TO "sepcollect" FROM "DBA"
               GRANT SELECT ON "DBA"."VIRUS" TO "sepcollect" FROM "DBA"
               GRANT SELECT ON "DBA"."SEM_AGENT" TO "sepcollect" FROM "DBA"
               GRANT SELECT ON "DBA"."PATTERN" TO "sepcollect" FROM "DBA"

               GRANT GROUP to DBA
               go
               GRANT MEMBERSHIP IN GROUP "DBA" TO "sepcollect"

            4. Make the changes below in the symcep sensor.




               JDBC Drivers Directory: C:\JDBC\jConnect-6_05\jConnect-6_0\classes
               Database URL: jdbc:sybase:Tds:localhost:2638
               Username: sepcollect (the username created in step 3)
               Password: sepsiem (the password created in step 3)

         If the database resides on a different server, make sure that TCP port 2638 is open
         on the SEP server and replace localhost in the Database URL with the
         FQDN of the target SEP machine (e.g. europa.intranet.centralbank.gov.cy).






         Symantec™ Event Collector 4.3 for Symantec Endpoint Protection State 11.0
         (symcepstate)

         The procedure for configuring this collector is identical to the procedure for the
         previous collector (symcep). The steps are identical to the ones above, except for step
         2, which is altered as shown below:

                2. Copy the config.xml file from the following symcepstate collector directory:
                   symcepstate\utils\SybaseMode to the collector directory located in the Event
                   Agent on the collector server (this should be C:\Program Files\Symantec\Event
                   Agent\Collectors\symcepstate).






         Symantec™ Event Collector 4.4 for Microsoft® Vista and Microsoft Windows
         Server 2008 (msvista)

         The instructions that follow explain how to set up the msvista collector for use with
         Windows Vista, 7, 2008 and 2008 R2. The msvista collector uses the Windows Remote
         Management service (WinRM) to transfer the log data to the collector
         server.

         In order to collect Security logs from a target machine over HTTP, the following local
         ports, which are the default Windows Remote Management ports on the respective
         target machines, should be opened on the Windows firewall:

               •   Windows Vista, Windows Server 2008 R1 – TCP port 80
               •   Windows 7, Windows 2008 R2 – TCP port 5985


         If you are to use HTTPS, the following ports should be opened on the Windows
         firewall:

               •   Windows Vista, Windows Server 2008 R1 – TCP port 443
               •   Windows 7, Windows 2008 R2 – TCP port 5986 (can be changed to 443)

         Following the above, you must configure the Windows Remote Management service
         to:

               •   Start listening on the relevant port.
               •   Allow unencrypted communication (as we are not using a certificate, this must be
                   enabled).
               •   Allow Basic authentication (this enables local Admin accounts to be
                   used for gathering logs; it is not mandatory if we are using a Domain Admin
                   account). If you are to use a Domain user account, additional configuration must
                   take place on the target machine (see below).

         To do the above, use the following commands:

                1. winrm quickconfig -transport:http
                2. winrm set winrm/config/service @{AllowUnencrypted="true"}
                3. winrm set winrm/config/service/Auth @{Basic="true"}

         To verify that WinRM is listening, and on which port, use the following command:
                   winrm enumerate winrm/config/Listener

         If you want to add an additional listener on a custom port, use the following command:
                   winrm create winrm/config/listener?Address=*+Transport=HTTP @{Port="XXXX"}

         To delete all HTTP listeners, use the following command:
                   winrm delete winrm/config/listener?Address=*+Transport=HTTP
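         Before entering the connection port in the msvista sensor, it pays to confirm from the "winrm enumerate winrm/config/Listener" output that an enabled listener for the chosen transport really sits on the port the two lists above predict for that Windows version. The Python script below is added here as an example; it is not part of this guide nor Symantec or Microsoft software. SAMPLE_OUTPUT is constructed, and its layout (a "Listener" line followed by indented "Key = value" lines per listener) is assumed from the command's usual output rather than taken from the guide; the DEFAULT_PORTS table is the guide's own port lists.

```python
"""Parse the output of 'winrm enumerate winrm/config/Listener' and check that
an enabled listener exists on the port the guide expects for the target
Windows version and transport, i.e. the port to put in the msvista sensor.

Added example for this guide, not Symantec or Microsoft code. SAMPLE_OUTPUT is
constructed, and its layout (a 'Listener' line followed by indented
'Key = value' lines for each listener) is assumed from the command's usual
output rather than taken from the guide.
"""

# Default WinRM ports from the two lists above, keyed by (version, transport).
DEFAULT_PORTS = {
    ("Windows Vista", "HTTP"): 80,
    ("Windows Server 2008 R1", "HTTP"): 80,
    ("Windows 7", "HTTP"): 5985,
    ("Windows 2008 R2", "HTTP"): 5985,
    ("Windows Vista", "HTTPS"): 443,
    ("Windows Server 2008 R1", "HTTPS"): 443,
    ("Windows 7", "HTTPS"): 5986,
    ("Windows 2008 R2", "HTTPS"): 5986,
}

# Constructed sample: one enabled HTTP listener, one disabled HTTPS listener.
SAMPLE_OUTPUT = """\
Listener
    Address = *
    Transport = HTTP
    Port = 5985
    Hostname
    Enabled = true
    URLPrefix = wsman
    CertificateThumbprint
    ListeningOn = 10.0.0.5, 127.0.0.1, ::1

Listener
    Address = *
    Transport = HTTPS
    Port = 443
    Hostname = collector-target.example.invalid
    Enabled = false
    URLPrefix = wsman
    CertificateThumbprint = <thumbprint placeholder>
    ListeningOn = 10.0.0.5
"""


def parse_listeners(text: str) -> list:
    """Turn the enumerate output into one dict per listener."""
    listeners = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Listener":
            current = {}
            listeners.append(current)
            continue
        if current is None:
            continue  # anything printed before the first block
        key, sep, value = line.partition("=")
        current[key.strip()] = value.strip() if sep else ""
    for lst in listeners:
        port = lst.get("Port", "")
        lst["Port"] = int(port) if port.isdigit() else None
        lst["Enabled"] = lst.get("Enabled", "").lower() == "true"
        lst["Transport"] = lst.get("Transport", "").upper()
    return listeners


def active_ports(listeners: list, transport: str) -> list:
    """Ports of enabled listeners for the given transport."""
    return sorted(lst["Port"] for lst in listeners
                  if lst["Transport"] == transport.upper() and lst["Enabled"] and lst["Port"])


def check_listener(text: str, windows_version: str, transport: str = "HTTP",
                   port: int = None) -> tuple:
    """Return (ok, expected_port, ports_found).

    `port` overrides the default, e.g. 443 when the HTTPS listener of a
    Windows 7 / 2008 R2 host was moved from 5986 as the guide allows."""
    expected = port or DEFAULT_PORTS[(windows_version, transport.upper())]
    found = active_ports(parse_listeners(text), transport)
    return expected in found, expected, found


if __name__ == "__main__":
    ok, expected, found = check_listener(SAMPLE_OUTPUT, "Windows 7")
    print("HTTP listener on expected port" if ok else f"expected {expected}, found {found}")
```

         A disabled listener is deliberately not counted, so the sample's HTTPS entry on 443 does not satisfy an HTTPS check until it is enabled. Note also that with AllowUnencrypted and Basic both set, the account credentials and the collected log data cross the HTTP listener without transport encryption, so where a certificate is available the HTTPS ports listed above are the preferable choice for the sensor.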






         SSIM Manager Sensor Configuration

         The image below is extracted from the SSIM client msvista sensor properties for a
         Windows 7 PC. Notice the connection port, which is 5985. This is the default HTTP
         listening port for Windows 7 as well as Windows 2008 R2.




         The image below is extracted from the SSIM client msvista sensor properties for a
         Windows Vista PC. Notice the connection port, which is 80.




         Custom Security Descriptor

         The following applies in case you are using a Domain User account, which by default does not
         have the ability to read security logs. In order for this user to gain access to the security logs,
         the following must take place:

                1. Find the SID of the user to be used. If the user has logged in to the computer
                   you are using, then you can locate the SID of that user by using the Registry
                   Editor (regedit) and navigating to the following registry container:

                   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

                2. Expand this container and you should see some more containers
                   starting with S-1-xxx. Click on each of these containers and, in the right-hand
                   window, look at the ProfileImagePath value. When the ProfileImagePath
                   matches the Domain User to be used, the S-1-xx container name you are
                   currently on corresponds to the respective user's SID (e.g. S-1-5-21-
                   1602168410-835811666-1862565094-500 is a valid SID).

                3. Modify or create a Custom security descriptor on the target PC. To do that,
                   open the Registry Editor and navigate to the following container:

                   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Security

                In the right-hand window pane, check if there is a CustomSD string value.






                   If the CustomSD string exists, edit it and append the following
                   string: (A;;0x1;;;<SID extracted in the previous step>). The string should look
                   something like this:
                   (A;;0x1;;;S-1-5-21-1602168410-835811666-1862565094-500)
                   The above entry gives the specified Domain User read access to the Security event log
                   of the target machine.

                   If the CustomSD string does not exist, right-click on the right-hand window pane and
                   select New/String Value. Name it CustomSD, edit it and add the following
                   prior to the above string:
                   O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)
                   The complete string should look similar to the one below:
                   O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)(A;;0x1;;;S-1-5-21-1602168410-835811666-1862565094-500)

         Extracting Logs from a Windows Server 2008 Domain Controller using a
         Domain User account

                   In the case of extracting logs from a Domain Controller, the above gets more
                   complicated. It is recommended to use a Domain Admin account rather than
                   a Domain User account.

                   In the event you are using a Domain User account, the
                   (A;;0x1;;;<SID extracted>) entry should also be added to the CustomSD
                   strings located in the following containers:
                   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Directory Service

                   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\DNS Server

                   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\File Replication Service
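         The CustomSD edits in the Custom Security Descriptor steps and in the domain controller list above are easy to get wrong by hand (a mistyped SID, a missing parenthesis, or the same ACE pasted twice), so it helps to compute the final string and compare it with what is in the registry. The Python script below is added here as an example; it is not part of this guide nor Symantec or Microsoft software. It uses the guide's own sample SID and base descriptor, validates the SID format, appends the read ACE only once, and, for the domain controller logs, refuses to guess a base descriptor for a log whose CustomSD value is absent, because the guide only gives one for the Security log. It computes the strings only; writing them under the eventlog containers is still done in the Registry Editor as described.

```python
r"""Build or extend an event-log CustomSD value (an SDDL string) so that a
domain user can read the log, following the Custom Security Descriptor steps
and the domain-controller list above.

Added example for this guide; it is not Symantec or Microsoft code. The SID
and the base descriptor are the sample values quoted in the guide. The
functions only compute the string: writing it under
HKLM\SYSTEM\CurrentControlSet\services\eventlog\<log> is still done in the
Registry Editor as the guide describes.
"""
import re

# Base string the guide gives for a Security log that has no CustomSD value yet.
DEFAULT_SECURITY_CUSTOMSD = "O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)"

# Logs on a Windows Server 2008 domain controller listed above (Security first).
DOMAIN_CONTROLLER_LOGS = ["Security", "Directory Service", "DNS Server",
                          "File Replication Service"]

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
ACE_RE = re.compile(r"\(([^)]*)\)")


def is_valid_sid(sid: str) -> bool:
    """Accept only the S-1-<authority>-<subauthorities> form, e.g. S-1-5-21-...-500."""
    return bool(SID_RE.match(sid))


def read_ace(sid: str) -> str:
    """ACE granting read access (0x1) on the log to the given SID."""
    if not is_valid_sid(sid):
        raise ValueError(f"not a SID: {sid!r}")
    return f"(A;;0x1;;;{sid})"


def parse_aces(customsd: str) -> list:
    """The ACE bodies of a CustomSD value, e.g. ['A;;0xf0005;;;SY', 'A;;0x5;;;BA', ...]."""
    return ACE_RE.findall(customsd)


def grant_log_read(customsd, sid: str) -> str:
    """Append the read ACE for `sid` to `customsd`.

    An absent value (None or '') starts from the guide's default string, which
    is what the guide tells you to type when CustomSD does not exist. Adding a
    SID that is already present changes nothing, so re-running is harmless."""
    base = customsd or DEFAULT_SECURITY_CUSTOMSD
    ace = read_ace(sid)
    if ace[1:-1] in parse_aces(base):
        return base
    return base + ace


def plan_customsd_changes(existing: dict, sid: str, logs=DOMAIN_CONTROLLER_LOGS) -> dict:
    """Map each log name to the CustomSD value it should hold.

    `existing` holds the current values (None where the value is absent). The
    guide only gives a default descriptor for the Security log, so an absent
    value on any other log is returned as None for manual review rather than
    guessed."""
    plan = {}
    for log in logs:
        current = existing.get(log)
        if not current and log != "Security":
            plan[log] = None
        else:
            plan[log] = grant_log_read(current, sid)
    return plan


if __name__ == "__main__":
    sid = "S-1-5-21-1602168410-835811666-1862565094-500"   # sample SID from the guide
    print(grant_log_read(None, sid))
```

         The read ACE carries only the 0x1 (read) right, matching the least-privilege intent of the guide: the domain user can read the log but cannot clear it, unlike the 0x5 granted to BA in the base descriptor.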






         Symantec™ Event Collector 4.3 for Microsoft Windows (windowseventlog)

         This collector is to be used for collecting logs from all versions of Windows 2000,
         Windows XP and Windows 2003 machines. This collector is not compatible with
         Windows Vista or Windows 2008. Unlike the Microsoft® Vista and Microsoft Windows
         Server 2008 collector, this collector does not use WinRM to gather logs. Instead it uses a
         Windows logon account (local or domain) with local Admin rights. No additional
         configuration is needed on the host machine.

         Configuration is only on the SIM Sensor and is as follows:
          •   Monitored Host Name: Specify the hostname of the server that you are to collect logs
              from. IP addresses can also be used.
          •   Monitored Host Account Name: Account with local admin rights that is to be used
              for log collection. The valid format is the DLLN (Down-Level Logon
              Name) format, i.e. either Hostname\AccountName for local
              users or DomainName\AccountName for domain users.
          •   Account Password: Password of the user specified in the previous field.
          •   Number of Days to Load History Events: The default is 10 days. This can be changed
              if needed.
          •   Event Logs to Audit: Choose which event log types to read. The default option is
              Security, System and Application Log. Others can be selected from the pop-up
              screen (if this field is clicked with a mouse) or can be added manually.






         Symantec™ Event Collector 4.3 for Microsoft DHCP (msdhcp)

         This collector needs to be installed on the machine that is set up as the DHCP
         server. This collector is officially compatible with Windows 2000 SP4 and Windows
         2003 SP1+. This collector is based on the Log File Collector.

         Configuration is only on the SIM Sensor and is as follows:
         • Log File Directory: Specify the directory where the log files are located.
           The default directory is C:\WINDOWS\System32\Dhcp
         • Log File Name: Specify the log file names to be read.
         • Reading Mode: Choose between Dynamic log reading and Static log reading. If
           set to Static it will read only the exact log files specified in the Log File
           Name field; if set to Dynamic it will also read all similar files (i.e.
           DhcpSrvlog-Sun.log, DhcpSrvlog-Sun01012011.log, etc.).
         • Start Reading From: Choose whether to start reading from the beginning of the
           file or from the last position that was reached. Note that if the file is
           being read for the first time, the complete log file will be read. The default
           is to start reading from LastPosition. This is the recommended setting, since
           otherwise, if the collector is restarted, the log files will be read again
           from the beginning.
         • Time Offset: Here you can specify the time offset to convert timestamps of all
           logged events to the time zone of the collector computer. This value does not
           need to be changed if all equipment is located in the same time zone.






         Symantec™ Event Collector 4.4 for RSA Authentication Manager (rsaam)

         The RSA Authentication Manager collector is based on the Universal Syslog
         collector, its only difference being that it can correlate RSA events accordingly.
         Therefore its configuration is identical to that of the Universal Syslog and UNIX
         OS Event Collectors.

         See Universal Syslog Event Collector 4.4 for SSIM 4.7 for configuration parameters.






         Symantec™ Event Collector 4.4 for UNIX (unixsyslog)

         This collector is also based on the Universal Syslog collector, its difference
         being that it can correlate Unix events more effectively.

         See Universal Syslog Event Collector 4.4 for SSIM 4.7 for configuration parameters.






         Symantec™ Event Collector 4.3 for SNARE (snarewin)

         The Snare collector also uses syslog to forward events, but it requires that the
         SNARE Agent software is installed on the target machine you are to collect logs
         from. Snare Agents can be installed on numerous operating systems and application
         servers; however, for the purposes of this project we are using SNARE to collect
         logs from a Windows machine.

         Configuration for SIM is the same as for the Universal Syslog Event Collector 4.4
         for SSIM 4.7.

         For details on downloading the SNARE agent for Windows as well as installation
         manuals see the following link:

         http://www.intersectalliance.com/projects/SnareWindows/index.html






         Symantec™ Universal Syslog Event Collector 4.4 for SSIM 4.7 (usyslog)

         Configuration of this collector is the following:
         • Protocol: The default protocol is UDP. You can also select TCP, but this is
           not supported by the UNIX platform.
         • Host Names: Enter the name of the Unix syslog server. You can leave this as
           “*” if you want to accept events from any host.
         • Port Number: By default this is 10525. You can change this to any port
           needed. Usually the default port for syslog is port 514.
         • Time Offset: Here you can specify the time offset to convert timestamps of all
           logged events to the time zone of the collector computer. This value does not
           need to be changed if all equipment is located in the same time zone.






         Symantec™ Universal Log File Event Collector 4.4 for SSIM 4.7 (ulogfile)

         The Universal Log File Collector requires the installation of the Symantec Event
         Agent software, as well as the installation of the collector itself, on the target
         machine.

         Configuration is the following:
         • Log File Directory: Enter the directory where the log files are located.
         • Log File Name: Enter the log file name. If Dynamic Mode is selected in the
           Reading Mode below, you need only enter the first characters of the log file
           name. For example, if you are to read ten (10) log files with the same prefix
           (i.e. log_1_10may2011.log, log_2_10may2011.log, etc.) you could enter only
           the prefix log. If Single File Log is selected you must enter the exact name,
           including the extension, of the log file to be read.
         • Reading Mode: Choice between MonitorDynamicLog and MonitorSingleFileLog.
         • Start Reading From: Choice between LastPosition and End. LastPosition resumes
           from where it stopped last time; this is helpful when you are already
           collecting logs and want to continue from where collection stopped. End is
           helpful in the event that you re-install a collector where no LastPosition
           was set and you do not want to start reading the logs from the beginning.
         • End of Record Marker: Choice between ENDOFLINE, BLANKLINE and NULL. Please
           note that these markers are valid for logs generated by UNIX machines. If the
           logs are generated by Windows machines you need to amend accordingly; for
           example ENDOFLINE should be changed to 0x0D0A.
         • End of Data Marker: Choice between EOF and NULL.
         • File Encoding: Choice between several UTF formats including UTF-8, UTF-16,
           UTF-16BE and UTF-16LE.








                APPENDIX



Dashboard





Intelligence





Incidents





Events





Tickets





Assets





Reports





Rules





System





Statistics



