Enterasys® Security Information and Event Manager (SIEM) Configuring DSMs, Release 7.7.1, P/N 9034720

Uploaded by jose-abraham-cabrera-andrade, posted 24-Sep-2015. Description: SIEM configuration.

Transcript:

    Enterasys

    Security Information and Event Manager (SIEM)

    Configuring DSMs
    Release 7.7.1

    P/N 9034720

    Notice

    Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such changes have been made.

    The hardware, firmware, or software described in this document is subject to change without notice.

    IN NO EVENT SHALL ENTERASYS NETWORKS BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO LOST PROFITS) ARISING OUT OF OR RELATED TO THIS DOCUMENT, WEB SITE, OR THE INFORMATION CONTAINED IN THEM, EVEN IF ENTERASYS NETWORKS HAS BEEN ADVISED OF, KNEW OF, OR SHOULD HAVE KNOWN OF, THE POSSIBILITY OF SUCH DAMAGES.

    Enterasys Networks, Inc., 50 Minuteman Road, Andover, MA 01810

    © 2012 Enterasys Networks, Inc. All rights reserved. Part Number: 9034720, October 2012

    ENTERASYS, ENTERASYS NETWORKS, ENTERASYS DRAGON, ENTERASYS NETSIGHT, and any logos associated therewith, are trademarks or registered trademarks of Enterasys Networks, Inc. in the United States and other countries. For a complete list of Enterasys trademarks, see http://www.enterasys.com/company/trademarks.aspx.

    Celeron, Intel, and Pentium II are trademarks or registered trademarks of Intel Corporation.

    Linux is a trademark of Linus Torvalds.

    UNIX is a registered trademark of The Open Group.

    Java and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

    Enterasys SIEM contains a proprietary operating system based on Linux.

    All other product names mentioned in this document may be trademarks or registered trademarks of their respective companies.

    Support Site URL: http://www.enterasys.com/support

    Documentation URL: http://extranet.enterasys.com/downloads/

    Enterasys Networks, Inc. Software License Agreement

    This document is an agreement ("Agreement") between You, the end user, and Enterasys Networks, Inc. on behalf of itself and its Affiliates ("Enterasys") that sets forth your rights and obligations with respect to the software contained in CD-ROM or other media. "Affiliates" means any person, partnership, corporation, limited liability company, or other form of enterprise that directly or indirectly through one or more intermediaries, controls, or is controlled by, or is under common control with the party specified. BY INSTALLING THE ENCLOSED PRODUCT, YOU ARE AGREEING TO BECOME BOUND BY THE TERMS OF THIS AGREEMENT, WHICH INCLUDES THE LICENSE AND THE LIMITATION OF WARRANTY AND DISCLAIMER OF LIABILITY. IF YOU DO NOT AGREE TO THE TERMS OF THIS AGREEMENT, RETURN THE UNOPENED PRODUCT TO ENTERASYS OR YOUR DEALER, IF ANY, WITHIN TEN (10) DAYS FOLLOWING THE DATE OF RECEIPT FOR A FULL REFUND.

    IF YOU HAVE ANY QUESTIONS ABOUT THIS AGREEMENT, CONTACT ENTERASYS NETWORKS, INC. (978) 684-1000. Attn: Legal Department.

    Enterasys will grant You a non-transferable, non-exclusive license to use the machine-readable form of software (the Licensed Software) and the accompanying documentation (the Licensed Software, the media embodying the Licensed Software, and the documentation are collectively referred to in this Agreement as the Licensed Materials) on one single computer if You agree to the following terms and conditions:

    1. TERM. This Agreement is effective from the date on which You open the package containing the Licensed Materials. You may terminate the Agreement at any time by destroying the Licensed Materials, together with all copies, modifications and merged portions in any form. The Agreement and your license to use the Licensed Materials will also terminate if You fail to comply with any term or condition herein.

    2. GRANT OF SOFTWARE LICENSE. The license granted to You by Enterasys when You open this sealed package authorizes You to use the Licensed Software on any one, single computer only, or any replacement for that computer, for internal use only. A separate license, under a separate Software License Agreement, is required for any other computer on which You or another individual or employee intend to use the Licensed Software. YOU MAY NOT USE, COPY, OR MODIFY THE LICENSED MATERIALS, IN WHOLE OR IN PART, EXCEPT AS EXPRESSLY PROVIDED IN THIS AGREEMENT.

    3. RESTRICTION AGAINST COPYING OR MODIFYING LICENSED MATERIALS. Except as expressly permitted in this Agreement, You may not copy or otherwise reproduce the Licensed Materials. In no event does the limited copying or reproduction permitted under this Agreement include the right to decompile, disassemble, electronically transfer, or reverse engineer the Licensed Software, or to translate the Licensed Software into another computer language.

    The media embodying the Licensed Software may be copied by You, in whole or in part, into printed or machine readable form, in sufficient numbers only for backup or archival purposes, or to replace a worn or defective copy. However, You agree not to have more than two (2) copies of the Licensed Software in whole or in part, including the original media, in your possession for said purposes without Enterasys prior written consent, and in no event shall You operate more than one copy of the Licensed Software. You may not copy or reproduce the documentation. You agree to maintain appropriate records of the location of the original media and all copies of the Licensed Software, in whole or in part, made by You. You may modify the machine-readable form of the Licensed Software for (1) your own internal use or (2) to merge the Licensed Software into other program material to form a modular work for your own use, provided that such work remains modular, but on termination of this Agreement, You are required to completely remove the Licensed Software from any such modular work. Any portion of the Licensed Software included in any such modular work shall be used only on a single computer for internal purposes and shall remain subject to all the terms and conditions of this Agreement.

    You agree to include any copyright or other proprietary notice set forth on the label of the media embodying the Licensed Software on any copy of the Licensed Software in any form, in whole or in part, or on any modification of the Licensed Software or any such modular work containing the Licensed Software or any part thereof.

    4. TITLE AND PROPRIETARY RIGHTS. (a) The Licensed Materials are copyrighted works and are the sole and exclusive property of Enterasys, any company or a division thereof which Enterasys controls or is controlled by, or which may result from the merger or consolidation with Enterasys (its "Affiliates"), and/or their suppliers. This Agreement conveys a limited right to operate the Licensed Materials and shall not be construed to convey title to the Licensed Materials to You. There are no implied rights. You shall not sell, lease, transfer, sublicense, dispose of, or otherwise make available the Licensed Materials or any portion thereof, to any other party.

    (b) You further acknowledge that in the event of a breach of this Agreement, Enterasys shall suffer severe and irreparable damages for which monetary compensation alone will be inadequate. You therefore agree that in the event of a breach of this Agreement, Enterasys shall be entitled to monetary damages and its reasonable attorneys' fees and costs in enforcing this Agreement, as well as injunctive relief to restrain such breach, in addition to any other remedies available to Enterasys.

    5. PROTECTION AND SECURITY. In the performance of this Agreement or in contemplation thereof, You and your employees and agents may have access to private or confidential information owned or controlled by Enterasys relating to the Licensed Materials supplied hereunder including, but not limited to, product specifications and schematics, and such information may contain proprietary details and disclosures. All information and data so acquired by You or your employees or agents under this Agreement or in contemplation hereof shall be and shall remain Enterasys exclusive property, and You shall use your best efforts (which in any event shall not be less than the efforts You take to ensure the confidentiality of your own proprietary and other confidential information) to keep, and have your employees and agents keep, any and all such information and data confidential, and shall not copy, publish, or disclose it to others, without Enterasys prior written approval, and shall return such information and data to Enterasys at its request. Nothing herein shall limit your use or dissemination of information not actually derived from Enterasys or of information which has been or subsequently is made public by Enterasys, or a third party having authority to do so.

    You agree not to deliver or otherwise make available the Licensed Materials or any part thereof, including without limitation the object or source code (if provided) of the Licensed Software, to any party other than Enterasys or its employees, except for purposes specifically related to your use of the Licensed Software on a single computer as expressly provided in this Agreement, without the prior written consent of Enterasys. You agree to use your best efforts and take all reasonable steps to safeguard the Licensed Materials to ensure that no unauthorized personnel shall have access thereto and that no unauthorized copy, publication, disclosure, or distribution, in whole or in part, in any form shall be made, and You agree to notify Enterasys of any unauthorized use thereof. You acknowledge that the Licensed Materials contain valuable confidential information and trade secrets, and that unauthorized use, copying and/or disclosure thereof are harmful to Enterasys or its Affiliates and/or its/their software suppliers.

    6. MAINTENANCE AND UPDATES. Updates and certain maintenance and support services, if any, shall be provided to You pursuant to the terms of an Enterasys Service and Maintenance Agreement, if Enterasys and You enter into such an agreement. Except as specifically set forth in such agreement, Enterasys shall not be under any obligation to provide Software Updates, modifications, or enhancements, or Software maintenance and support services to You.

    7. DEFAULT AND TERMINATION. In the event that You shall fail to keep, observe, or perform any obligation under this Agreement, including a failure to pay any sums due to Enterasys, or in the event that You become insolvent or seek protection, voluntarily or involuntarily, under any bankruptcy law, Enterasys may, in addition to any other remedies it may have under law, terminate the License and any other agreements between Enterasys and You.

    (a) Immediately after any termination of the Agreement or if You have for any reason discontinued use of Software, You shall return to Enterasys the original and any copies of the Licensed Materials and remove the Licensed Software from any modular works made pursuant to Section 3, and certify in writing that through your best efforts and to the best of your knowledge the original and all copies of the terminated or discontinued Licensed Materials have been returned to Enterasys.

    (b) Sections 4, 5, 7, 8, 9, 10, 11, and 12 shall survive termination of this Agreement for any reason.

    8. EXPORT REQUIREMENTS. You understand that Enterasys and its Affiliates are subject to regulation by agencies of the U.S. Government, including the U.S. Department of Commerce, which prohibit export or diversion of certain technical products to certain countries, unless a license to export the product is obtained from the U.S. Government or an exception from obtaining such license may be relied upon by the exporting party.

    If the Licensed Materials are exported from the United States pursuant to the License Exception CIV under the U.S. Export Administration Regulations, You agree that You are a civil end user of the Licensed Materials and agree that You will use the Licensed Materials for civil end uses only and not for military purposes.

    If the Licensed Materials are exported from the United States pursuant to the License Exception TSR under the U.S. Export Administration Regulations, in addition to the restriction on transfer set forth in Section 4 of this Agreement, You agree not to (i) reexport or release the Licensed Software, the source code for the Licensed Software or technology to a national of a country in Country Groups D:1 or E:2 (Albania, Armenia, Azerbaijan, Belarus, Cambodia, Cuba, Georgia, Iraq, Kazakhstan, Kyrgyzstan, Laos, Libya, Macau, Moldova, Mongolia, North Korea, the People's Republic of China, Russia, Tajikistan, Turkmenistan, Ukraine, Uzbekistan, Vietnam, or such other countries as may be designated by the United States Government), (ii) export to Country Groups D:1 or E:2 (as defined herein) the direct product of the Licensed Software or the technology, if such foreign produced direct product is subject to national security controls as identified on the U.S. Commerce Control List, or (iii) if the direct product of the technology is a complete plant or any major component of a plant, export to Country Groups D:1 or E:2 the direct product of the plant or a major component thereof, if such foreign produced direct product is subject to national security controls as identified on the U.S. Commerce Control List or is subject to State Department controls under the U.S. Munitions List.

    9. UNITED STATES GOVERNMENT RESTRICTED RIGHTS. The Licensed Materials (i) were developed solely at private expense; (ii) contain restricted computer software submitted with restricted rights in accordance with section 52.227-19 (a) through (d) of the Commercial Computer Software-Restricted Rights Clause and its successors, and (iii) in all respects are proprietary data belonging to Enterasys and/or its suppliers. For Department of Defense units, the Licensed Materials are considered commercial computer software in accordance with DFARS section 227.7202-3 and its successors, and use, duplication, or disclosure by the U.S. Government is subject to restrictions set forth herein.

    10. LIMITED WARRANTY AND LIMITATION OF LIABILITY. The only warranty Enterasys makes to You in connection with this license of the Licensed Materials is that if the media on which the Licensed Software is recorded is defective, it will be replaced without charge, if Enterasys in good faith determines that the media and proof of payment of the license fee are returned to Enterasys or the dealer from whom it was obtained within ninety (90) days of the date of payment of the license fee.

    NEITHER ENTERASYS NOR ITS AFFILIATES MAKE ANY OTHER WARRANTY OR REPRESENTATION, EXPRESS OR IMPLIED, WITH RESPECT TO THE LICENSED MATERIALS, WHICH ARE LICENSED "AS IS". THE LIMITED WARRANTY AND REMEDY PROVIDED ABOVE ARE EXCLUSIVE AND IN LIEU OF ALL OTHER WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, WHICH ARE EXPRESSLY DISCLAIMED, AND STATEMENTS OR REPRESENTATIONS MADE BY ANY OTHER PERSON OR FIRM ARE VOID. ONLY TO THE EXTENT SUCH EXCLUSION OF ANY IMPLIED WARRANTY IS NOT PERMITTED BY LAW, THE DURATION OF SUCH IMPLIED WARRANTY IS LIMITED TO THE DURATION OF THE LIMITED WARRANTY SET FORTH ABOVE. YOU ASSUME ALL RISK AS TO THE QUALITY, FUNCTION AND PERFORMANCE OF THE LICENSED MATERIALS. IN NO EVENT WILL ENTERASYS OR ANY OTHER PARTY WHO HAS BEEN INVOLVED IN THE CREATION, PRODUCTION OR DELIVERY OF THE LICENSED MATERIALS BE LIABLE FOR SPECIAL, DIRECT, INDIRECT, RELIANCE, INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING LOSS OF DATA OR PROFITS OR FOR INABILITY TO USE THE LICENSED MATERIALS, TO ANY PARTY EVEN IF ENTERASYS OR SUCH OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT SHALL ENTERASYS OR SUCH OTHER PARTY'S LIABILITY FOR ANY DAMAGES OR LOSS TO YOU OR ANY OTHER PARTY EXCEED THE LICENSE FEE YOU PAID FOR THE LICENSED MATERIALS.

    Some states do not allow limitations on how long an implied warranty lasts and some states do not allow the exclusion or limitation of incidental or consequential damages, so the above limitation and exclusion may not apply to You. This limited warranty gives You specific legal rights, and You may also have other rights which vary from state to state.

    11. JURISDICTION. The rights and obligations of the parties to this Agreement shall be governed and construed in accordance with the laws and in the State and Federal courts of the Commonwealth of Massachusetts, without regard to its rules with respect to choice of law. You waive any objections to the personal jurisdiction and venue of such courts. None of the 1980 United Nations Convention on the Limitation Period in the International Sale of Goods, and the Uniform Computer Information Transactions Act shall apply to this Agreement.

    12. GENERAL. (a) This Agreement is the entire agreement between Enterasys and You regarding the Licensed Materials, and all prior agreements, representations, statements, and undertakings, oral or written, are hereby expressly superseded and canceled.

    (b) This Agreement may not be changed or amended except in writing signed by both parties hereto.

    (c) You represent that You have full right and/or authorization to enter into this Agreement.

    (d) This Agreement shall not be assignable by You without the express written consent of Enterasys. The rights of Enterasys and Your obligations under this Agreement shall inure to the benefit of Enterasys' assignees, licensors, and licensees.

    (e) Section headings are for convenience only and shall not be considered in the interpretation of this Agreement.

    (f) The provisions of the Agreement are severable and if any one or more of the provisions hereof are judicially determined to be illegal or otherwise unenforceable, in whole or in part, the remaining provisions of this Agreement shall nevertheless be binding on and enforceable by and between the parties hereto.

    (g) Enterasys' waiver of any right shall not constitute waiver of that right in future. This Agreement constitutes the entire understanding between the parties with respect to the subject matter hereof, and all prior agreements, representations, statements and undertakings, oral or written, are hereby expressly superseded and canceled. No purchase order shall supersede this Agreement.

    (h) Should You have any questions regarding this Agreement, You may contact Enterasys at the address set forth below. Any notice or other communication to be sent to Enterasys must be mailed by certified mail to the following address: ENTERASYS NETWORKS, INC., 50 Minuteman Road, Andover, MA 01810 Attn: Manager - Legal Department.

    CONTENTS

    ABOUT THIS GUIDE
        Audience
        Conventions
        Related Documentation
        Contacting Customer Support

    1 OVERVIEW

    2 INSTALLING DSMS
        Scheduling Automatic Updates
        Viewing Pending Updates
        Installing a DSM Manually

    3 3COM 8800 SERIES SWITCH

    4 AMBIRON TRUSTWAVE IPANGEL

    5 APACHE HTTP SERVER
        Configuring Apache Using Syslog
        Configuring Apache Using Syslog-ng

    6 APC UPS

    7 APPLE MAC OS X

    8 APPLICATION SECURITY DBPROTECT

    9 ARUBA MOBILITY CONTROLLERS

    10 ARRAY NETWORKS SSL VPN

    11 BALABIT IT SECURITY
        Configuring BalaBit IT Security for Microsoft Windows Events
        Configuring BalaBit IT Security for Microsoft ISA or TMG Event Files

    12 BARRACUDA
        Barracuda Spam & Virus Firewall
        Barracuda Web Application Firewall

    13 BIT9 PARITY

    14 BLUE COAT SG
        Creating a Custom Format
        Custom Format Addition Key-Value Pairs

    15 BRIDGEWATER

    16 CA TECHNOLOGIES
        CA ACF2
        CA SiteMinder
        CA Top Secret

    17 CHECK POINT
        Check Point FireWall-1
        Check Point Provider-1

    18 CISCO
        Cisco ACE Firewall
        Cisco Aironet
        Cisco ACS
            Configuring Syslog for Cisco ACS v5.x
            Configuring Syslog for Cisco ACS v4.x
            Configuring Cisco ACS for the Adaptive Log Exporter
        Cisco ASA
        Cisco CallManager
        Cisco CatOS for Catalyst Switches
        Cisco CSA
        Cisco FWSM
        Cisco IDS/IPS
        Cisco IronPort
        Cisco NAC
        Cisco Nexus
        Cisco IOS
        Cisco Pix
        Cisco VPN 3000 Concentrator
        Cisco Wireless Services Module
        Cisco Wireless LAN Controllers

    19 CITRIX NETSCALER

    20 CRYPTOCARD CRYPTO-SHIELD

    21 CYBER-ARK VAULT

    22 CYBERGUARD FIREWALL/VPN APPLIANCE

    23 DAMBALLA FAILSAFE

    24 DIGITAL CHINA NETWORKS (DCN)

    25 EMC VMWARE
        Configuring Syslog for VMWare
        Configuring the VMWare Protocol

    26 ENTERASYS
        Enterasys Dragon
        Enterasys HiGuard Wireless IPS
        Enterasys HiPath Wireless Controller
        Enterasys Stackable and Standalone Switches
        Enterasys XSR Security Router
        Enterasys Matrix Router
        Enterasys NetSight Automatic Security Manager
        Enterasys Matrix K/N/S Series Switch
        Enterasys NAC

    27 EXTREME NETWORKS EXTREMEWARE

    28 F5 NETWORKS
        F5 Networks BIG-IP APM
        F5 Networks BIG-IP ASM
        F5 Networks BIG-IP LTM
        F5 Networks FirePass

    29 FAIR WARNING

    30 FIREEYE

    31 FORESCOUT COUNTERACT

    32 FORTINET FORTIGATE

    33 FOUNDRY FASTIRON

    34 GENERIC FIREWALL

    35 GENERIC AUTHORIZATION SERVER

    36 GREAT BAY BEACON

    37 HBGARY ACTIVE DEFENSE

    38 HP
        HP ProCurve
        HP Tandem
        Hewlett Packard UNIX (HP-UX)

    39 HUAWEI
        Huawei AR Series Router
        Huawei S Series Switch

    40 IBM
        IBM AIX
        IBM AS/400 iSeries
        IBM CICS
        IBM Lotus Domino
        IBM Proventia Management SiteProtector
        IBM ISS Proventia
        IBM RACF
        IBM DB2
        IBM WebSphere Application Server
        IBM Informix Audit
        IBM IMS
        IBM Guardium
        IBM Tivoli Access Manager for e-business
        IBM z/OS

    41 ISC BIND

    42 IMPERVA SECURESPHERE

    43 INFOBLOX NIOS

    44 IT-CUBE AGILESI
        Configuring agileSI
        Configuring an agileSI Log Source

    45 ITRON SMART METER

    46 JUNIPER NETWORKS
        Juniper Networks AVT
        Juniper DX Application Acceleration Platform
        Juniper EX-Series Ethernet Switch
        Juniper NetScreen IDP
        Juniper Networks Secure Access
        Juniper Infranet Controller
        Juniper Networks Firewall and VPN
        Juniper Networks Network and Security Manager
        Juniper JunOS
        Juniper Steel-Belted Radius
        Juniper Networks vGW Virtual Gateway
        Juniper Security Binary Log Collector

    47 LIEBERMAN RANDOM PASSWORD MANAGER

    48 LINUX
        Linux DHCP
        Linux IPtables
        Linux OS

    49 MCAFEE
        McAfee Intrushield
        McAfee ePolicy Orchestrator
        McAfee Application / Change Control
        McAfee Web Gateway

    50 METAINFO METAIP

    51 MICROSOFT
        Microsoft Exchange Server
        Microsoft IAS Server
        Microsoft DHCP Server
        Microsoft IIS Server
        Microsoft ISA
        Microsoft SQL Server
        Microsoft SharePoint
        Microsoft Windows Security Event Log
        Microsoft Operations Manager
        Microsoft System Center Operations Manager

    52 MOTOROLA SYMBOL AP

    53 NETAPP DATA ONTAP

    54 NAME VALUE PAIR
        NVP Log Format
        Examples

    55 NIKSUN

    56 NOKIA FIREWALL
        Integrating Nokia Firewall Using Syslog
        Integrating Nokia Firewall Using OPSEC

    57 NORTEL NETWORKS
        Nortel Multiprotocol Router
        Nortel Application Switch
        Nortel Contivity
        Nortel Ethernet Routing Switch 2500/4500/5500
        Nortel Ethernet Routing Switch 8300/8600
        Nortel Secure Router
        Nortel Secure Network Access Switch
        Nortel Switched Firewall 5100
        Nortel Switched Firewall 6000
        Nortel Threat Protection System
        Nortel VPN Gateway

    58 NOVELL EDIRECTORY

    59 OPENBSD

    60 OPEN LDAP

    61 OPEN SOURCE SNORT

    62 ORACLE
        Oracle Audit Records
        Oracle DB Listener
        Oracle Audit Vault
        Oracle OS Audit
        Oracle BEA WebLogic

    63 PALO ALTO NETWORKS

    64 PROFTPD

    65 RADWARE DEFENSEPRO

    66 REDBACK ASE

    67 RSA AUTHENTICATION MANAGER

    68 SAMHAIN LABSUsing Syslog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 441Using JDBC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442

  • 69 SENTRIGO HEDGEHOG

    70 SECURE COMPUTING SIDEWINDER

    71 SOLARWINDS ORION

    72 SONICWALL

    73 SOPHOSSophos Enterprise Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .453Sophos PureMessage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .459Sophos Astaro Security Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .466Sophos Web Security Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .467

    74 SOURCEFIRESourcefire Intrusion Sensor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .469Sourcefire Defense Center (DC) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .470

    75 SQUID WEB PROXY

    76 STARENT NETWORKS

    77 STONESOFT MANAGEMENT CENTER

    78 SUN SOLARISSun Solaris . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .487Sun Solaris DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .488Sun Solaris Sendmail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .488Sun Solaris Basic Security Mode (BSM) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .489

    79 SYBASE ASE

    80 SYMANTECSymantec Endpoint Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .499Symantec SGS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .500Symantec System Center. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .500Symantec Data Loss Prevention (DLP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .504

    81 SYMARKConfiguring Symark PowerBroker . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .507Manually Configuring a Symark Log Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .509

  • 82 TIPPINGPOINTTippingPoint Intrusion Prevention System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 511TippingPoint X505/X506 Device . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513

    83 TOP LAYER IPS

    84 TREND MICROTrend Micro InterScan VirusWall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517Trend Micro Control Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 517Trend Micro Office Scan . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518Trend Micro Deep Discovery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522

    85 TRIPWIRE

    86 TROPOS CONTROL

    87 UNIVERSAL DSM

    88 UNIVERSAL LEEFConfiguring a Universal LEEF Log Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533Sending Events to SIEM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537Creating a Universal LEEF Event Map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 538

    89 VERICEPT CONTENT 360 DSM

    90 WEBSENSE V-SERIESWebsense TRITON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543Websense V-Series Data Security Suite . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 545Websense V-Series Content Gateway. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 546

    91 SUPPORTED DSMS

    INDEX

  • Configuring DSMs

    ABOUT THIS GUIDE

    The Enterasys SIEM Configuring DSMs Guide provides you with information for managing SIEM functionality requiring administrative access.

    Note that Enterasys SIEM was previously referred to as Dragon Security Command Console under Dragon Network Defense.

Audience

This guide is intended for the system administrator responsible for setting up SIEM in your network. This guide assumes that you have SIEM administrative access and a knowledge of your corporate network and networking technologies.

Conventions

The following conventions are used throughout this guide:

Indicates that the procedure contains a single instruction.

NOTE: Indicates that the information provided is supplemental to the associated feature or instruction.

CAUTION: Indicates that the information is critical. A caution alerts you to potential loss of data or potential damage to an application, system, device, or network.

WARNING: Indicates that the information is critical. A warning alerts you to potential dangers, threats, or potential personal injury. Read any and all warnings carefully before proceeding.

    Related Documentation

For more information, refer to the Enterasys Extranet to obtain the latest Enterasys SIEM documentation including:

Installation Guide

    Hardware Installation Guide


    Administration Guide

    Users Guide

    Configuring DSMs

    Upgrading to SIEM 7.7.1

    Tuning Guide

    Adaptive Log Exporter

    SIEM 7.7.1 Release Notes

    Contacting Customer Support

    For additional support related to the product or this document, contact Enterasys Networks using one of the following methods:

World Wide Web: http://www.enterasys.com/support

Phone: 1-800-872-8440 (toll-free in U.S. and Canada) or 1-978-684-1000

For the Enterasys Networks Support toll-free number in your country: http://www.enterasys.com/support

Email: [email protected]

To expedite your message, please type [dragon] in the subject line.


    1 OVERVIEW

You can configure SIEM to log and correlate events received from external sources such as security equipment (for example, firewalls) and network equipment (for example, switches and routers). Device Support Modules (DSMs) allow you to integrate SIEM with these external devices.

    You can configure the Event Collector to collect security events from various types of security devices in your network. The Event Collector gathers events from local and remote devices. The Event Collector then normalizes and bundles the events and sends the events to the Event Processor.

    All events are correlated and security and policy offenses are created based on correlation rules. These offenses are displayed on the Offenses tab. For more information, see the SIEM Users Guide.

NOTE: Before you configure SIEM to collect security information from devices, you must set up your deployment, including off-site sources or targets, using the deployment editor. For more information on the deployment editor, see the SIEM Administration Guide.

NOTE: Information found in this documentation about configuring Device Support Modules (DSMs) is based on the latest RPM files located on the Enterasys Extranet at https://extranet.enterasys.com/downloads.

    To configure SIEM to receive events from devices, you must:

1 Configure the device to send events to SIEM.
2 Configure SIEM to receive events from specific devices. For more information, see the Log Sources User Guide.


    2 INSTALLING DSMS

    SIEM is preconfigured to perform weekly automatic software updates. This includes DSMs, protocols, and scanner module updates. If no updates are displayed in the Updates window, either your system has not been in operation long enough to retrieve the weekly updates or no updates have been issued. If this occurs, you can manually check for new updates. For more information on scheduling pending updates, see the SIEM Administration Guide.

    After Device Support Modules (DSMs) or protocols are installed, either through the auto update process or using the command-line, the SIEM Console provides the DSM and protocol updates to its managed hosts after the configuration changes are deployed. If you are using high availability (HA), DSMs, protocols, and scanners are installed during replication between the primary and secondary host. During this installation process, the secondary displays the status Upgrading. For more information, see Managing High Availability in the SIEM Administration Guide.

    This section includes the following topics:

    Scheduling Automatic Updates

    Viewing Pending Updates

    Installing a DSM Manually

CAUTION: Uninstalling a Device Support Module (DSM) is not supported in SIEM. If you need technical assistance, contact Customer Support. For more information, see Contacting Customer Support.

    Scheduling Automatic Updates

    SIEM performs automatic updates on a recurring schedule according to the settings on the Update Configuration page; however, if you want to schedule an update or a set of updates to run at a specific time, you can schedule an update using the Schedule the Updates window. This is useful when you want to schedule a large update to run during off-peak hours, thus reducing any performance impacts on your system.


    For detailed information on each update, select the update. A description and any error messages are displayed in the right pane of the window.

    To schedule an update:

Step 1 Click the Admin tab.
Step 2 On the navigation menu, click System Configuration.
The System Configuration pane is displayed.
Step 3 Click the Auto Update icon.
The Updates window is displayed.
Step 4 Optional. If you want to schedule specific updates, select the updates you want to schedule.
Step 5 From the Schedule list box, select the type of update you want to schedule. Options include:
    All Updates
    Selected Updates
    DSM, Scanner, Protocol Updates
    Minor Updates

NOTE: Protocol updates installed automatically require you to restart Tomcat. For more information on manually restarting Tomcat, see the Log Sources User Guide.

The Schedule the Updates window is displayed.
Step 6 Using the calendar, select the start date and time of when you want to start your scheduled updates.
Step 7 Click OK.
The selected updates are now scheduled.

    Viewing Pending Updates

If you are having issues with DSM events that are identified with the low-level category Stored in the Log Activity tab, the DSM parsing the event might need to be updated. You can view any pending software updates for SIEM through the Admin tab. You can select and install a pending update from the Auto Update window.

To view your pending updates:

Step 1 Click the Admin tab.
Step 2 On the navigation menu, click System Configuration.
The System Configuration pane is displayed.
Step 3 Click the Auto Update icon.
The Updates window is displayed. The window automatically displays the Check for Updates page, providing the following information:

Table 2-1 Check for Updates Window Parameters

Updates were installed: Specifies the date and time the last update was installed.

Next Update install is scheduled: Specifies the date and time the next update is scheduled to be installed. If there is no date and time indicated, the update is not scheduled to run.

Name: Specifies the name of the update.

Type: Specifies the type of update. Types include DSM, Scanner, Protocol Updates and Minor Updates.

Status: Specifies the status of the update. Status types include:
    New - The update is not yet scheduled to be installed.
    Scheduled - The update is scheduled to be installed.
    Installing - The update is currently installing.
    Failed - The update failed to install.

Date to Install: Specifies the date on which this update is scheduled to be installed.

The Check for Updates page toolbar provides the following functions:

Table 2-2 Check for Updates Page Toolbar Functions

Hide: Select one or more updates, and then click Hide to remove the selected updates from the Check for Updates page. You can view and restore the hidden updates on the Restore Hidden Updates page. For more information, see the SIEM Administration Guide.

Install: From this list box, you can manually install updates. When you manually install updates, the installation process starts within a minute. For more information, see the SIEM Administration Guide.

Schedule: From this list box, you can configure a specific date and time to manually install selected updates on your Console. This is useful when you want to schedule the update installation during off-peak hours. For more information, see the SIEM Administration Guide.

Unschedule: From this list box, you can remove preconfigured schedules for manually installing updates on your Console. For more information, see the SIEM Administration Guide.

Search By Name: In this text box, you can type a keyword and then press Enter to locate a specific update by name.

Next Refresh: This counter displays the amount of time until the next automatic refresh. The list of updates on the Check for Updates page automatically refreshes every 60 seconds. The timer is automatically paused when you select one or more updates.

Pause: Click this icon to pause the automatic refresh process. To resume automatic refresh, click the Play icon.

Refresh: Click this icon to manually refresh the list of updates.

Step 4 To view details on an update, select the update.
The description and any error messages are displayed in the right pane of the window.

Installing a DSM Manually

The Enterasys Extranet contains RPM files that allow you to install new or updated DSMs. Updated DSMs contain improved event parsing for network security products and enhancements for event categorization in the SIEM Identification Map (QIDmap).

This section includes the following topics:

Installing a Single DSM

Installing a DSM Bundle

CAUTION: Uninstalling a Device Support Module (DSM) is not supported in SIEM. If you need technical assistance, contact Customer Support. For more information, see Contacting Customer Support.

Installing a Single DSM

To install an RPM file for a DSM using the command-line:

Step 1 Download the DSM file to your system hosting SIEM.
Step 2 Using SSH, log in to SIEM as the root user.
Username: root
Password: <password>
Step 3 Navigate to the directory that includes the downloaded file.
Step 4 Type the following command:
rpm -Uvh <filename>
Where <filename> is the name of the downloaded file. For example:
rpm -Uvh DSM-CheckPointFirewall-7.0-209433.noarch.rpm

Step 5 Log in to SIEM:
https://<IP address>
Where <IP address> is the IP address of the SIEM Console or Event Collector.
Step 6 On the Admin tab, click Deploy Changes.

Installing a DSM Bundle

The Enterasys Extranet contains a DSM bundle that is updated daily with the latest DSM versions.

To install the DSM bundle using the command line:

Step 1 Download the DSM bundle from the Enterasys Extranet to your system hosting SIEM.
Step 2 Using SSH, log in to SIEM as the root user.
Username: root
Password: <password>
Step 3 Navigate to the directory that includes the downloaded file.
Step 4 Type the following command to extract the DSM bundle:
tar -zxvf SIEM_bundled-DSM-<version>.tar.gz
Where <version> is your version of SIEM.
Step 5 Type the following command:
for FILE in *Common*.rpm DSM-*.rpm; do rpm -Uvh "$FILE"; done
The installation of the DSM bundle can take several minutes to complete.
Step 6 Log in to SIEM:
https://<IP address>
Where <IP address> is the IP address of the SIEM system.
Step 7 On the Admin tab, click Deploy Changes.
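The shell loop in Step 5 installs whatever its two globs match, in glob order, and keeps going past any rpm failure. The following Python is an added example and is not part of the Enterasys manual: it reproduces that ordering from a list of extracted file names so the plan can be reviewed before rpm runs as root, listing Common packages first, then DSM packages, reporting any .rpm that matches neither glob (the loop never installs those), and listing a file that matches both globs only once. All file names in the sample are constructed for the example except the Check Point package name quoted on the page; a real bundle's contents may differ.

```python
"""Added example, not part of the Enterasys manual: plan the bundle install that
the page's shell loop performs (for FILE in *Common*.rpm DSM-*.rpm; do rpm -Uvh
"$FILE"; done) from a list of extracted file names, so the plan can be reviewed
before anything is installed as root."""
import fnmatch
import os
import re
from typing import Dict, List, Tuple

# RPM file names are <name>-<version>-<release>.<arch>.rpm; the name may contain
# hyphens, so version and release are matched from the right.
RPM_NAME_RE = re.compile(
    r'^(?P<name>.+)-(?P<version>[^-]+)-(?P<release>[^-]+)\.(?P<arch>[^.]+)\.rpm$')


def parse_rpm_filename(filename: str) -> Dict[str, str]:
    """Split an RPM file name into name, version, release and arch."""
    m = RPM_NAME_RE.match(filename)
    if not m:
        raise ValueError(f"not an RPM file name: {filename}")
    return m.groupdict()


def plan_bundle_install(filenames: List[str]) -> Tuple[List[str], List[str]]:
    """Return (install_order, skipped).

    install_order mirrors the manual's loop: every *Common*.rpm first (a glob
    expands in sorted order), then every DSM-*.rpm. A file matching both globs
    (a Common package whose name starts with DSM-) is listed once; the shell
    loop would hand it to rpm twice and the second rpm -Uvh would fail with
    "already installed". skipped lists .rpm files that match neither glob; the
    loop never installs those, so they need a separate decision."""
    commons = sorted(f for f in filenames if fnmatch.fnmatchcase(f, "*Common*.rpm"))
    dsms = sorted(f for f in filenames if fnmatch.fnmatchcase(f, "DSM-*.rpm"))
    order: List[str] = []
    for f in commons + dsms:
        if f not in order:
            order.append(f)
    skipped = sorted(f for f in filenames if f.endswith(".rpm") and f not in order)
    return order, skipped


def plan_from_directory(path: str) -> Tuple[List[str], List[str]]:
    """Plan from an extracted bundle directory (what the shell globs would see)."""
    return plan_bundle_install(os.listdir(path))


# Constructed file list: only the Check Point package name appears on the page;
# the others are made up to exercise the ordering, the double match and a file
# the loop would skip.
SAMPLE_BUNDLE = [
    "DSM-CheckPointFirewall-7.0-209433.noarch.rpm",
    "DSM-ExampleCommon-7.0-209400.noarch.rpm",
    "DSM-ApacheHTTPServer-7.0-209410.noarch.rpm",
    "PROTOCOL-Example-7.0-209401.noarch.rpm",
    "README.txt",
]

if __name__ == "__main__":
    order, skipped = plan_bundle_install(SAMPLE_BUNDLE)
    for f in order:
        info = parse_rpm_filename(f)
        print(f"rpm -Uvh {f}   # {info['name']} {info['version']}-{info['release']}")
    for f in skipped:
        print(f"# not matched by the loop: {f}")
```

Run plan_from_directory() on the directory the tar command extracted into and compare its output with what rpm -Uvh would receive. Two shell behaviours worth knowing here: if a glob matches nothing, bash passes the literal pattern (for example *Common*.rpm) to rpm, which fails on a nonexistent file; and because the loop does not check rpm's exit status, a failed Common package does not stop the DSM packages that depend on it from being attempted.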


    3 3COM 8800 SERIES SWITCH

    A SIEM 3Com 8800 Series Switch DSM accepts events using syslog. SIEM records all relevant status and network condition events. Before configuring a 3Com 8800 Series Switch device in SIEM, you must configure your device to send syslog events to SIEM.

    To configure the device to send syslog events to SIEM:

Step 1 Log in to the 3Com 8800 Series Switch user interface.
Step 2 Enable the information center:
info-center enable
Step 3 Configure the host with the IP address of your SIEM system as the loghost, the severity level threshold value as informational, and the output language to English:
info-center loghost <IP address> facility <facility> language english
Where:
<IP address> is the IP address of your SIEM system.
<facility> is the facility severity.
Step 4 Configure the ARP and IP information modules to log:
info-center source arp channel loghost log level informational
info-center source ip channel loghost log level informational
Step 5 You are now ready to configure the log source in SIEM.

    To configure SIEM to receive events from a 3Com 8800 Series Switch:

    From the Log Source Type list box, select the 3Com 8800 Series Switch option.

    For more information on configuring log sources, see the Log Sources User Guide.


    4 AMBIRON TRUSTWAVE ipANGEL

    A SIEM Ambiron TrustWave ipAngel DSM accepts events using syslog. SIEM records all Snort-based events from the ipAngel console.

    Before you configure SIEM to integrate with ipAngel, you must forward your cache and access logs to your SIEM system. For information on forwarding device logs to SIEM, see your vendor documentation.

    You are now ready to configure the log source in SIEM.

To configure SIEM to receive events from an ipAngel device:

    From the Log Source Type list box, select the Ambiron TrustWave ipAngel Intrusion Prevention System (IPS) option.

    For more information on configuring log sources, see the Log Sources User Guide.


    5 APACHE HTTP SERVER

    A SIEM Apache HTTP Server DSM accepts Apache events using syslog or syslog-ng. SIEM records all relevant HTTP status events. The procedure in this section applies to Apache DSMs operating on UNIX/Linux platforms only.

Select one of the following configuration methods:

Configuring Apache Using Syslog

Configuring Apache Using Syslog-ng

CAUTION: Do not run both syslog and syslog-ng at the same time.

    Configuring Apache Using Syslog

    To configure Apache using the syslog protocol:

Step 1 Log in to the server hosting Apache, as the root user.
Step 2 Edit the Apache configuration file httpd.conf.
Step 3 Add the following information in the Apache configuration file to specify the custom log format:
LogFormat "%h %A %l %u %t \"%r\" %>s %p %b" <name>
Where <name> is a variable name you provide to define the log format.
Step 4 Add the following information in the Apache configuration file to specify a custom path for the syslog events:
CustomLog "|/usr/bin/logger -t httpd -p <facility>.<priority>" <name>
Where:
<facility> is a syslog facility, for example, local0.
<priority> is a syslog priority, for example, info or notice.
<name> is the variable name you provided to define the custom log format. The log format name must match the log format defined in Step 3.
The pipe command must be enclosed in double quotation marks because it contains spaces; otherwise Apache reads the extra words as additional CustomLog arguments and fails to start. For example:
CustomLog "|/usr/bin/logger -t httpd -p local1.info" MyApacheLogs
Step 5 Add the following directive to disable hostname lookups:
HostnameLookups off

    Step 6 Save the Apache configuration file.

Step 7 Edit the syslog configuration file:
/etc/syslog.conf
Step 8 Add the following information to your syslog configuration file:
<facility>.<priority><TAB>@<IP address>
Where:
<facility> is the syslog facility, for example, local0. This value must match the value you typed in Step 4.
<priority> is the syslog priority, for example, info or notice. This value must match the value you typed in Step 4.
<TAB> indicates you must press the Tab key.
<IP address> is the IP address of the SIEM Console or Event Collector.
Step 9 Save the syslog configuration file.
Step 10 Type the following command to restart the syslog service:
/etc/init.d/syslog restart
Step 11 Restart Apache to complete the syslog configuration.

    Step 12 You are now ready to configure the log source in SIEM.

    For more information on Apache, see http://www.apache.org/.

    Configuring Apache Using Syslog-ng

    To configure Apache using the syslog-ng protocol:

    Step 1 Log in to the server hosting Apache, as the root user.

Step 2 Edit the Apache configuration file:
/etc/httpd/conf/httpd.conf
Step 3 Add the following information to the Apache configuration file to specify the LogLevel:
LogLevel info
The LogLevel might already be configured to the info level depending on your Apache installation.
Step 4 Add the following to the Apache configuration file to specify the custom log format:
LogFormat "%h %A %l %u %t \"%r\" %>s %p %b" <name>
Where <name> is a variable name you provide to define the custom log format.
Step 5 Add the following information to the Apache configuration file to specify a custom path for the syslog events:
CustomLog "|/usr/bin/logger -t 'httpd' -u /var/log/httpd/apache_log.socket" <name>
The log format name must match the log format defined in Step 4.
Step 6 Save the Apache configuration file.
Step 7 Edit the syslog-ng configuration file:
/etc/syslog-ng/syslog-ng.conf
Step 8 Add the following information to specify the source and destination in the syslog-ng configuration file:
source s_apache {
    unix-stream("/var/log/httpd/apache_log.socket"
        max-connections(512)
        keep-alive(yes));
};
destination auth_destination { <protocol>("<IP address>" port(514)); };
log {
    source(s_apache);
    destination(auth_destination);
};
Where:
<IP address> is the IP address of the SIEM Console or Event Collector.
<protocol> is the syslog-ng destination driver for the transport you select to forward the syslog events, udp or tcp.
Step 9 Save the syslog-ng configuration file.
Step 10 Type the following command to restart syslog-ng:
service syslog-ng restart
Step 11 You are now ready to configure the log source in SIEM.

    SIEM automatically detects syslog-ng events from an Apache HTTP Server. However, if you want to manually configure SIEM to receive events from Apache:

    From the Log Source Type list box, select Apache HTTP Server.


    For more information on Apache, see http://www.apache.org/.
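Both Apache procedures above define the same LogFormat, and the syslog variant also depends on the facility.priority given to logger matching the selector in /etc/syslog.conf. The following Python is an added example, not from the Enterasys manual or the Apache project: it parses a record in that LogFormat as it arrives at the Event Collector inside a BSD syslog frame, decodes the PRI back to facility.priority, and rejects a line whose PRI does not match what httpd.conf declared, which is the mismatch that makes the syslog.conf selector silently drop the events. The sample line is constructed; its host name, addresses and request are not from the page. It assumes logger(1) emits the BSD-style frame <PRI>timestamp host tag: message, with PRI computed as facility * 8 + severity.

```python
"""Added example (not from the Enterasys manual or Apache): parse Apache access
lines written with the page's LogFormat as they arrive over syslog, and check
that the facility.priority on the wire is the one declared in httpd.conf.
The sample line below is constructed, not captured from a real host."""
import re
from dataclasses import dataclass
from typing import Optional

# LogFormat "%h %A %l %u %t \"%r\" %>s %p %b" from the Apache procedure:
# client IP, local (server) IP, identd user, auth user, timestamp, request line,
# final status, server port, response bytes ("-" when nothing was sent).
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) (?P<server>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) (?P<port>\d+) (?P<bytes>\d+|-)$'
)

# BSD syslog frame as written by logger(1): <PRI>TIMESTAMP HOST TAG[pid]: MSG
SYSLOG_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) '
    r'(?P<host>\S+) (?P<tag>[^:\[ ]+)(?:\[\d+\])?: (?P<msg>.*)$'
)

FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
              "authpriv": 10, "ftp": 11,
              **{f"local{i}": 16 + i for i in range(8)}}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
              "notice": 5, "info": 6, "debug": 7}


def pri_value(selector: str) -> int:
    """Encode a syslog.conf-style 'facility.priority' (e.g. local1.info) as the
    numeric PRI that logger -p puts on the wire: facility * 8 + severity."""
    facility, severity = selector.split(".")
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_pri(pri: int) -> str:
    """Inverse of pri_value: numeric PRI back to 'facility.priority'."""
    facility = {v: k for k, v in FACILITIES.items()}[pri // 8]
    severity = {v: k for k, v in SEVERITIES.items()}[pri % 8]
    return f"{facility}.{severity}"


@dataclass
class ApacheEvent:
    selector: str
    host: str
    tag: str
    client: str
    server: str
    user: str
    time: str
    method: str
    path: str
    status: int
    port: int
    bytes: int


def parse_event(line: str, expected_selector: Optional[str] = None) -> ApacheEvent:
    """Parse one syslog line carrying an Apache access record. Raises ValueError
    when either layer does not match, or when the PRI disagrees with the
    facility.priority configured in httpd.conf (expected_selector)."""
    s = SYSLOG_RE.match(line)
    if not s:
        raise ValueError(f"not a syslog frame: {line!r}")
    selector = decode_pri(int(s["pri"]))
    if expected_selector and selector != expected_selector:
        raise ValueError(f"PRI {selector} != httpd.conf {expected_selector}; "
                         "the syslog.conf selector will not match these events")
    a = ACCESS_RE.match(s["msg"])
    if not a:
        raise ValueError(f"not in the page's LogFormat: {s['msg']!r}")
    method, path, _proto = (a["request"].split(" ", 2) + ["", ""])[:3]
    return ApacheEvent(selector, s["host"], s["tag"], a["client"], a["server"],
                       a["user"], a["time"], method, path, int(a["status"]),
                       int(a["port"]), 0 if a["bytes"] == "-" else int(a["bytes"]))


# Constructed sample: what SIEM receives with "-p local1.info" as on the page
# (local1 = 17, info = 6, so PRI = 17 * 8 + 6 = 142).
SAMPLE = ('<142>Oct 10 13:55:36 web01 httpd: 203.0.113.7 10.0.0.8 - alice '
          '[10/Oct/2012:13:55:36 -0700] "GET /admin/../etc/passwd HTTP/1.1" '
          '403 443 312')

if __name__ == "__main__":
    print(parse_event(SAMPLE, expected_selector="local1.info"))
```

Point parse_event() at a capture taken on the Event Collector (tcpdump on udp/514 is enough) with expected_selector set to the value used in httpd.conf; a ValueError on the PRI means the CustomLog and syslog.conf selectors have drifted apart, which is the usual reason Apache events never appear on the Log Activity tab even though logger is running.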


    6 APC UPS

    The APC UPS DSM accepts syslog events from the APC Smart-UPS family of products. Events from the RC-Series Smart-UPS are not supported. Before you can receive events in SIEM, you must configure a log source in SIEM, then configure your APC UPS to forward syslog events. SIEM can receive syslog events on port 514 for both TCP and UDP.

    This section includes the following topics:

    Configuring a Log Source in SIEM

    Configuring Syslog Event Forwarding for APC Smart-UPS

Configuring a Log Source in SIEM

    SIEM does not automatically discover or create log sources for syslog events from APC Smart-UPS series appliances. To integrate Smart-UPS events with SIEM, you must manually create a log source to receive syslog events.

    To configure a log source:

    Step 1 Log in to SIEM.

Step 2 Click the Admin tab.
Step 3 On the navigation menu, click Data Sources.

    The Data Sources panel is displayed.

    Step 4 Click the Log Sources icon. The Log Sources window is displayed.

    Step 5 Click Add. The Add a log source window is displayed.

Step 6 In the Log Source Name field, type a name for your log source.
Step 7 In the Log Source Description field, type a description for the log source.
Step 8 From the Log Source Type list box, select APC UPS.
Step 9 Using the Protocol Configuration list box, select Syslog.

    The syslog protocol configuration is displayed.

Step 10 Configure the following values:

Table 6-3 Syslog Parameters

Log Source Identifier: Type the IP address or host name for the log source as an identifier for events from your APC Smart-UPS series appliance.

Step 11 Click Save.
Step 12 On the Admin tab, click Deploy Changes.
The log source is added to SIEM. You are now ready to configure your APC Smart-UPS to forward syslog events to SIEM.

Configuring Syslog Event Forwarding for APC Smart-UPS

To configure syslog forwarding for your APC UPS:

Step 1 Log in to the APC Smart-UPS web interface.
Step 2 In the navigation menu, select Network > Syslog.
Step 3 From the Syslog list box, select Enable.
Step 4 From the Facility list box, select a facility level for your syslog messages.
Step 5 In the Syslog Server field, type the IP address of your SIEM Console or Event Collector.
Step 6 From the Severity list box, select Informational.
Step 7 Click Apply.
The syslog configuration is complete. Events forwarded to SIEM by your APC UPS are displayed on the Log Activity tab of SIEM.


    7 APPLE MAC OS X

    A SIEM Apple Mac OS X DSM accepts events using syslog. SIEM records all relevant firewall, web server access, web server error, privilege escalation, and informational events.

Before you configure SIEM to integrate with Mac OS X, you must:

Step 1 Log in to your Mac OS X device, as a root user.
Step 2 Open the /etc/syslog.conf file.
Step 3 Add the following line to the top of the file. Make sure all other lines remain intact:
*.* @<IP address>
Where <IP address> is the IP address of the SIEM system.
Step 4 Save and exit the file.
Step 5 Send a hang-up signal to the syslog daemon to make sure all changes are enforced:
sudo killall -HUP syslogd

    Step 6 You are now ready to configure the log source in SIEM.

    To configure SIEM to receive events from a Mac OS X server:

    From the Log Source Type list box, select the Mac OS X option. For more information on configuring log sources, see the Log Sources User Guide.

    For more information on Mac OS X, see your Mac OS X vendor documentation.


8 APPLICATION SECURITY DBPROTECT

The Application Security DbProtect DSM accepts syslog events from DbProtect devices installed with the Log Enhanced Event Format (LEEF) Service. The LEEF Relay module for DbProtect translates the default event messages to Log Enhanced Event Format (LEEF) messages for SIEM, enabling SIEM to record all relevant DbProtect events. Before you can receive events in SIEM, you must install and configure the LEEF Service for your DbProtect device to forward syslog events to SIEM.

    This section includes the following topics:

Installing the DbProtect LEEF Relay Module

Configuring the DbProtect LEEF Relay

    Configuring a Log Source in SIEM

Installing the DbProtect LEEF Relay Module

    The DbProtect LEEF Relay module for DbProtect must be installed on the same server as the DbProtect console. This allows the DbProtect LEEF Relay to work alongside an existing installation using the standard hardware and software prerequisites for a DbProtect console. The DbProtect LEEF Relay requires that you install the .NET 4.0 Framework, which is bundled with the LEEF Relay installation.

NOTE: Windows 2003 hosts require the Windows Imaging Components (wic_x86.exe). The Windows Imaging Components are located on the Windows Server Installation CD and must be installed before you continue. For more information, see your Windows 2003 Operating System documentation.

To install the DbProtect LEEF Relay module:

Step 1 Download the DbProtect LEEF Relay module for DbProtect from the Application Security, Inc. customer portal:
http://www.appsecinc.com
Step 2 Save the setup file to the same host as your DbProtect console.
Step 3 Double-click setup.exe to start the DbProtect LEEF Relay installation.
The Microsoft .NET Framework 4 Client Profile is displayed.


    Step 4 Click Accept, if you agree with the Microsoft .NET Framework 4 End User License Agreement.

    The Microsoft .NET Framework 4 is installed on your DbProtect console. After the installation is complete, the DbProtect LEEF Relay module installation Wizard is displayed.

Step 5 Click Next.
The Installation Folder window is displayed.
Step 6 To select the default installation path, click Next.
If you change the default installation directory, make note of the file location as it is required later. The Confirm Installation window is displayed.
Step 7 Click Next.
The DbProtect LEEF Relay module is installed.
Step 8 Click Close.
You are now ready to configure the DbProtect LEEF Relay module.

Configuring the DbProtect LEEF Relay

    After the installation of the DbProtect LEEF Relay is complete, you can configure the service to forward events to SIEM.

NOTE: The DbProtect LEEF Relay must be stopped before you edit any configuration values.

    To configure the DbProtect LEEF Relay:

Step 1 Navigate to the DbProtect LEEF Relay installation directory:

C:\Program Files (x86)\AppSecInc\AppSecLEEFConverter

Step 2 Edit the AppSec LEEF Converter configuration file:

AppSecLEEFConverter.exe.config

Step 3 Configure the following values:

Table 8-1 AppSec LEEF Converter Configuration Parameters

Parameter               Description
SyslogListenerPort      Optional. Type the port number on which the DbProtect LEEF Relay listens for syslog messages from the DbProtect console. By default, the DbProtect LEEF Relay listens on port 514. Because the relay runs on the same host as the DbProtect console, make sure that no other syslog listener on that host is bound to the port you choose.
SyslogDestinationHost   Type the IP address of your SIEM Console or Event Collector.
SyslogDestinationPort   Type 514 as the destination port for LEEF formatted syslog messages forwarded to SIEM.
LogFileName             Optional. Type a file name for the DbProtect LEEF Relay to write debug and log messages. The LocalSystem user account that runs the DbProtect LEEF Relay service must have write privileges to the file path you specify.

Step 4 Save the configuration changes to the file.

Step 5 On the desktop of the DbProtect console, select Start > Run.

The Run window is displayed.

Step 6 Type the following:

services.msc

Step 7 Click OK.

The Services window is displayed.

Step 8 In the details pane, verify that the DbProtect LEEF Relay is started and set to automatic startup.

Step 9 To change a service property, right-click the service name, and then click Properties.

Step 10 Using the Startup type list box, select Automatic.

Step 11 If the DbProtect LEEF Relay is not started, click Start.

You are now ready to configure alerts for your DbProtect console.

Configuring DbProtect Alerts

To configure alerts for your DbProtect console:

Step 1 Log in to your DbProtect console.

Step 2 Click the Activity Monitoring tab.

Step 3 Click the Sensors tab.

Step 4 Select a sensor and click Reconfigure.

Any database instances that are configured for your database are displayed.

Step 5 Select any database instances and click Reconfigure.

Step 6 Click Next until the Sensor Manager Policy window is displayed.

Step 7 Select the Syslog check box and click Next.

The Syslog Configuration window is displayed.

Step 8 In the Send Alerts to the following Syslog console field, type the IP address of your DbProtect console.

Step 9 In the Port field, type the port number you configured in the SyslogListenerPort field of the DbProtect LEEF Relay. By default, the DbProtect LEEF Relay listens for syslog on port 514. For more information, see Configuring the DbProtect LEEF Relay, Step 3.

Step 10 Click Add.

Step 11 Click Next until you reach the Deploy to Sensor window.

Step 12 Click Deploy to Sensor.

The configuration is complete.

    Events forwarded to SIEM by your DbProtect console are added as a log source to SIEM automatically and displayed on the Log Activity tab.

Configuring a Log Source in SIEM

    SIEM automatically discovers and creates a log source for syslog events in LEEF format from DbProtect devices. However, you can manually create a log source for SIEM to receive syslog events. These configuration steps are optional.

To manually configure a log source for DbProtect:

Step 1 Log in to SIEM.

Step 2 Click the Admin tab.

Step 3 On the navigation menu, click Data Sources.

The Data Sources panel is displayed.

Step 4 Click the Log Sources icon.

The Log Sources window is displayed.

Step 5 Click Add.

The Add a log source window is displayed.

Step 6 In the Log Source Name field, type a name for your log source.

Step 7 In the Log Source Description field, type a description for the log source.

Step 8 From the Log Source Type list box, select Application Security DbProtect.

Step 9 Using the Protocol Configuration list box, select Syslog.

The syslog protocol configuration is displayed.

Step 10 Configure the following values:

Table 8-2 Syslog Parameters

Parameter               Description
Log Source Identifier   Type the IP address or host name for the log source as an identifier for events from your Application Security DbProtect device.

Step 11 Click Save.

Step 12 On the Admin tab, click Deploy Changes.

The log source is added to SIEM.


    9 ARUBA MOBILITY CONTROLLERS

    The SIEM Aruba Mobility Controllers DSM accepts events using syslog. SIEM records all relevant events. Before configuring an Aruba Mobility Controller device in SIEM, you must configure your device to send syslog events to SIEM.

    To configure the Aruba Wireless Networks (Mobility Controller) device to forward syslog events to SIEM:

Step 1 Log in to the Aruba Mobility Controller user interface.

Step 2 From the top menu, select Configuration.

Step 3 From the Switch menu, select Management.

Step 4 Click the Logging tab.

Step 5 From the Logging Servers menu, select Add.

Step 6 Type the IP address of the SIEM server that is to receive the logs.

Step 7 Click Add.

Step 8 Optional. Change the logging level for a module:

a Select the check box next to the name of the logging module.

b Choose the logging level you want from the list box that is displayed at the bottom of the window.

Step 9 Click Done.

Step 10 Click Apply.

You are now ready to configure the log source in SIEM.

    To configure SIEM to receive events from an Aruba Mobility Controller device:

    From the Log Source Type list box, select the Aruba Mobility Controller option.

    For more information on configuring log sources, see the Log Sources User Guide.

    For more information about your Aruba Mobility Controller device, see your vendor documentation.


    10 ARRAY NETWORKS SSL VPN

The SIEM Array Networks SSL VPN DSM collects events from an ArrayVPN appliance using syslog. For details of configuring ArrayVPN appliances for remote syslog, consult the Array Networks documentation.

After you configure syslog to forward events to SIEM, you are ready to configure the log source in SIEM.

To configure SIEM to receive events from an Array Networks SSL VPN device:

    From the Log Source Type list box, select Array Networks SSL VPN Access Gateways.

    For more information on configuring log sources, see the Log Sources User Guide.

    For more information about configuring your Array Networks SSL VPN, see your vendor documentation.


    11 BALABIT IT SECURITY

The BalaBit Syslog-ng Agent application can collect and forward syslog events for the Microsoft Security Event Log DSM and the Microsoft ISA DSM in SIEM. Events forwarded by the Syslog-ng Agent use the Log Extended Event Format (LEEF). Before you can configure SIEM, you must configure your BalaBit IT Security agent to collect and forward the events to SIEM.

To configure a BalaBit IT Security agent, select a configuration:

Configuring BalaBit IT Security for Microsoft Windows Events

Configuring BalaBit IT Security for Microsoft ISA or TMG Event Files

Configuring BalaBit IT Security for Microsoft Windows Events

The Microsoft Windows Security Event Log DSM in SIEM can accept events from BalaBit's Syslog-ng Agent. The BalaBit Syslog-ng Agent reads Windows-based security, application, system, DNS, DHCP, and custom container event logs and forwards syslog events to SIEM using the Log Extended Event Format (LEEF).

    To configure the BalaBit Syslog-ng Agent, you must:

1 Install the BalaBit Syslog-ng Agent on your Windows host. For more information, see your BalaBit Syslog-ng Agent documentation.

    2 Configure Syslog-ng Agent Events. For more information, see Configuring the Syslog-ng Agent Event.

    3 Configure SIEM as a destination for the Syslog-ng Agent. For more information, see Configure a Syslog Destination.

    4 Restart the Syslog-ng Agent service. For more information, see Restarting the Syslog-ng Agent Service.

    5 Optional. Configure the log source in SIEM. For more information, see Configuring a Log Source for BalaBit Syslog-ng Events.

Configuring the Syslog-ng Agent Event

    Before you can forward events to SIEM, you must specify what Windows-based events the Syslog-ng Agent collects.


    To configure the event types collected:

Step 1 From the Start menu, select All Programs > syslog-ng Agent for Windows > Configure syslog-ng Agent for Windows.

The Syslog-ng Agent window is displayed.

Step 2 Expand the syslog-ng Agent Settings pane, and select Eventlog Sources.

Step 3 Double-click Event Containers.

The Event Containers Properties window is displayed.

Step 4 From the Event Containers pane, select the Enable radio button.

Step 5 Select a check box for each event type you want to collect:

    Application - Select this check box if you want the device to monitor the Windows application event log.

    Security - Select this check box if you want the device to monitor the Windows security event log.

    System - Select this check box if you want the device to monitor the Windows system event log.

NOTE: BalaBit's Syslog-ng Agent supports additional event types, such as DNS or DHCP events, using custom containers. For more information, see your BalaBit Syslog-ng Agent documentation.

Step 6 Click Apply, and then click OK.

The event configuration for your BalaBit Syslog-ng Agent is complete. You are now ready to configure SIEM as a destination for Syslog-ng Agent events.

Configure a Syslog Destination

    The Syslog-ng Agent allows you to configure multiple destinations for your Windows-based events. To configure SIEM as a destination, you must specify the IP address for SIEM, and then configure a message template for the LEEF format.

    To configure a destination for the Syslog-ng Agent:

Step 1 From the Start menu, select All Programs > syslog-ng Agent for Windows > Configure syslog-ng Agent for Windows.

The Syslog-ng Agent window is displayed.

Step 2 Expand the syslog-ng Agent Settings pane, and click Destinations.

Step 3 Double-click Add new server.

The Server Property window is displayed.

Step 4 On the Server tab, click Set Primary Server.

Step 5 Configure the following parameters:

a Server Name - Type the IP address of your SIEM Console or Event Collector.

b Server Port - Type 514 as the TCP port number for events forwarded to SIEM.

    Step 6 Click the Messages tab.


Step 7 From the Protocol list box, select Legacy BSD Syslog Protocol.

Step 8 In the Template field, define a custom template message for the protocol by typing:

${BSDDATE} ${HOST} LEEF:${MSG}

The information typed in this field is space delimited.

Step 9 From the Event Message Format pane, in the Message Template field, type the following to define the format for the LEEF events:

1.0|Microsoft|Windows|2k8r2|${EVENT_ID}|devTime=${R_YEAR}-${R_MONTH}-${R_DAY}T${R_HOUR}:${R_MIN}:${R_SEC}GMT${TZOFFSET} devTimeFormat=yyyy-MM-dd'T'HH:mm:ssz cat=${EVENT_TYPE} sev=${EVENT_LEVEL} resource=${HOST} usrName=${EVENT_USERNAME} application=${EVENT_SOURCE} message=${EVENT_MSG}

NOTE: The LEEF format uses a tab character as the delimiter between event attributes. The pipe characters separate only the header fields, up to and including ${EVENT_ID}; after that last pipe, each of the following attributes must be preceded by a tab, not a space: devTime, devTimeFormat, cat, sev, resource, usrName, application, and message. The tabs are not visible in the template as printed here, and a template in which spaces replace the tabs does not produce attributes that SIEM can parse.

You might need to use a text editor to copy and paste the LEEF message format into the Message Template field, since the Tab key may not insert a tab character in the field.

Step 10 Click OK.

The destination configuration is complete. You are now ready to restart the Syslog-ng Agent service.
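As an added example, not code from the Enterasys or BalaBit documentation, the following Python script renders the Message Template above from a constructed Windows Security event and then parses the result the way the SIEM must: the five header fields on pipes, the attributes on tabs. SAMPLE_EVENT, SAMPLE_TIME and the host name win2k8r2-dc01 are constructed stand-ins for the agent's ${EVENT_*}, ${HOST} and ${R_*} macros; the attribute names are those of the template. The check_delimiter function shows what the NOTE warns about: when the attributes are joined with spaces instead of tabs, the SIEM-side split recovers a single devTime attribute instead of eight.

```python
"""Render and parse LEEF 1.0 events shaped like the Syslog-ng Agent template.

Added example, not BalaBit or Enterasys code. SAMPLE_EVENT and SAMPLE_TIME are
constructed stand-ins for the agent's ${EVENT_*}, ${HOST} and ${R_*} macros.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: one Security-log event on an assumed host name.
SAMPLE_EVENT = {
    "EVENT_ID": "4624",
    "EVENT_TYPE": "Audit Success",
    "EVENT_LEVEL": "Information",
    "EVENT_USERNAME": "CORP\\alice",
    "EVENT_SOURCE": "Microsoft-Windows-Security-Auditing",
    "EVENT_MSG": "An account was successfully logged on.",
    "HOST": "win2k8r2-dc01",
}
SAMPLE_TIME = datetime(2012, 10, 24, 13, 5, 9,
                       tzinfo=timezone(timedelta(hours=-4)))

# LEEF header: "LEEF:" then five pipe-separated fields, then the attributes.
LEEF_HEADER = re.compile(
    r"LEEF:(?P<version>[^|]*)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)"
    r"\|(?P<product_version>[^|]*)\|(?P<event_id>[^|]*)\|(?P<attrs>.*)",
    re.S,
)


def tz_offset(ts: datetime) -> str:
    """Emulate syslog-ng's ${TZOFFSET} macro: -04:00 rather than -0400."""
    raw = ts.strftime("%z")
    return raw[:3] + ":" + raw[3:]


def dev_time(ts: datetime) -> str:
    """devTime exactly as the template writes it, so that the declared
    devTimeFormat yyyy-MM-dd'T'HH:mm:ssz can parse it back."""
    return ts.strftime("%Y-%m-%dT%H:%M:%S") + "GMT" + tz_offset(ts)


def build_leef(ev: dict, ts: datetime, delimiter: str = "\t") -> str:
    """Render ${MSG} from the page's Message Template.

    LEEF 1.0 separates attributes with a tab, and the NOTE on the page asks
    for a tab before each attribute, including the first. `delimiter` exists
    only so that the space-separated mistake can be demonstrated.
    """
    header = "|".join(["1.0", "Microsoft", "Windows", "2k8r2", ev["EVENT_ID"]])
    attrs = [
        "devTime=" + dev_time(ts),
        "devTimeFormat=yyyy-MM-dd'T'HH:mm:ssz",
        "cat=" + ev["EVENT_TYPE"],
        "sev=" + ev["EVENT_LEVEL"],
        "resource=" + ev["HOST"],
        "usrName=" + ev["EVENT_USERNAME"],
        "application=" + ev["EVENT_SOURCE"],
        "message=" + ev["EVENT_MSG"],
    ]
    return header + "|" + "".join(delimiter + a for a in attrs)


def wrap_bsd_syslog(ts: datetime, host: str, msg: str) -> str:
    """Apply the agent's Template field: ${BSDDATE} ${HOST} LEEF:${MSG}."""
    bsd_date = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"
    return f"{bsd_date} {host} LEEF:{msg}"


def parse_leef(line: str) -> dict:
    """Split a received line the way the SIEM must: pipes for the header,
    tabs for the attributes. Raises ValueError on a malformed message."""
    m = LEEF_HEADER.search(line)
    if not m:
        raise ValueError("no LEEF header in message")
    parsed = {k: m.group(k) for k in
              ("version", "vendor", "product", "product_version", "event_id")}
    attrs = {}
    for chunk in m.group("attrs").split("\t"):
        if not chunk:
            continue  # tolerate the tab that follows the last pipe
        key, sep, value = chunk.partition("=")
        if not sep:
            raise ValueError(f"attribute without '=': {chunk!r}")
        attrs[key] = value
    parsed["attrs"] = attrs
    return parsed


def check_delimiter(delimiter: str) -> int:
    """Number of attributes the parser recovers when the template joins them
    with `delimiter`: 8 for a tab, 1 when spaces were pasted instead."""
    msg = build_leef(SAMPLE_EVENT, SAMPLE_TIME, delimiter)
    line = wrap_bsd_syslog(SAMPLE_TIME, SAMPLE_EVENT["HOST"], msg)
    return len(parse_leef(line)["attrs"])


if __name__ == "__main__":
    line = wrap_bsd_syslog(SAMPLE_TIME, SAMPLE_EVENT["HOST"],
                           build_leef(SAMPLE_EVENT, SAMPLE_TIME))
    print(line.replace("\t", "<TAB>"))
    print(parse_leef(line)["attrs"])
    print("attributes with tab:", check_delimiter("\t"),
          "with space:", check_delimiter(" "))
```

Running the script prints the wire-format line with the tabs made visible, the attribute map the SIEM would extract, and the 8-versus-1 count. The same parse_leef function can be pointed at a line captured on the SIEM side (for example with tcpdump on port 514) to confirm that the agent's template, as pasted, actually carries tab characters.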

Restarting the Syslog-ng Agent Service

    Before the Syslog-ng Agent can forward LEEF formatted events, you must restart the Syslog-ng Agent service on the Windows host.

    To restart the Syslog-ng Agent:

Step 1 Select Start > Run.

The Run window is displayed.

Step 2 Type the following:

services.msc

Step 3 Click OK.

The Services window is displayed.

Step 4 In the Name column, right-click Syslog-ng Agent for Windows, and select Restart.

After the Syslog-ng Agent for Windows service restarts, the configuration is complete. Syslog events from the BalaBit Syslog-ng Agent are automatically discovered by SIEM. The Windows events that are automatically discovered are displayed as Microsoft Windows Security Event Logs on the Log Activity tab.


Configuring a Log Source for BalaBit Syslog-ng Events

    SIEM automatically discovers and creates a log source for syslog events from LEEF formatted messages. However, you can manually create a log source for SIEM to receive Windows events. These configuration steps for creating a log source are optional.

To manually create a log source for BalaBit:

Step 1 Log in to SIEM.

Step 2 Click the Admin tab.

Step 3 On the navigation menu, click Data Sources.

The Data Sources panel is displayed.

Step 4 Click the Log Sources icon.

The Log Sources window is displayed.

Step 5 Click Add.

The Add a log source window is displayed.

Step 6 In the Log Source Name field, type a name for your BalaBit Syslog-ng Agent log source.

Step 7 In the Log Source Description field, type a description for the log source.

Step 8 From the Log Source Type list box, select Microsoft Windows Security Event Log.

Step 9 Using the Protocol Configuration list box, select Syslog.

The syslog protocol configuration is displayed.

Step 10 Configure the following values:

Table 11-3 Syslog Parameters

Parameter               Description
Log Source Identifier   Type the IP address or hostname for the log source as an identifier for events from the BalaBit Syslog-ng Agent.

Step 11 Click Save.

Step 12 On the Admin tab, click Deploy Changes.

The configuration is complete.

Configuring BalaBit IT Security for Microsoft ISA or TMG Event Files

The BalaBit Syslog-ng Agent application can collect and forward syslog events for the Microsoft Security Event Log DSM and the Microsoft ISA DSM in SIEM. Events forwarded by the Syslog-ng Agent use the Log Extended Event Format (LEEF). Before you can configure SIEM, you must configure the Syslog-ng Agent to collect and forward the events to SIEM.

The SIEM Microsoft Internet Security and Acceleration (ISA) DSM accepts syslog events from Microsoft ISA and Microsoft Threat Management Gateway (TMG) using BalaBit's Syslog-ng Agent for Windows and BalaBit's Syslog-ng PE to parse and forward events to SIEM. The BalaBit Syslog-ng Agent reads Microsoft ISA or Microsoft TMG event logs and forwards syslog events using the Log Extended Event Format (LEEF).

    To configure the BalaBit Syslog-ng Agent, you must:

1 Install the BalaBit Syslog-ng Agent on your Windows host. For more information, see your BalaBit Syslog-ng Agent vendor documentation.

    2 Configure the BalaBit Syslog-ng Agent. For more information, see Configuring the BalaBit Syslog-ng Agent.

    3 Install a BalaBit Syslog-ng PE for Linux or Unix in relay mode to parse and forward events to SIEM. For more information, see your BalaBit Syslog-ng PE vendor documentation.

    4 Configure syslog for BalaBit Syslog-ng PE. For more information, see Configuring a BalaBit Syslog-ng PE Relay.

    5 Optional. Configure the log source in SIEM. For more information, see Configuring a Log Source for BalaBit Syslog-ng Events.

Configuring the BalaBit Syslog-ng Agent

    Before you can forward events to SIEM, you must specify what Microsoft ISA or Microsoft TMG event source the Syslog-ng Agent collects.

    This section includes the following topics:

Configuring File Sources

Configuring a Syslog Destination

Filtering the Log File for Comment Lines

Configuring File Sources

    File sources allow you to define the base log directory and files monitored by the Syslog-ng Agent. If your Microsoft ISA or Microsoft TMG appliance is generating event files for the Web Proxy Server and the Firewall Service, both files can be added.

To configure a File Source Property:

Step 1 From the Start menu, select All Programs > syslog-ng Agent for Windows > Configure syslog-ng Agent for Windows.

The Syslog-ng Agent window is displayed.

Step 2 Expand the syslog-ng Agent Settings pane, and select File Sources.

Step 3 Select the Enable radio button.

Step 4 Click Add to add your Microsoft ISA and TMG event files.

Step 5 From the Base Directory field, click Browse and select the folder for your Microsoft ISA or Microsoft TMG log files.

Step 6 From the File Name Filter field, click Browse and select a log file containing your Microsoft ISA or Microsoft TMG events.


NOTE: The File Name Filter field supports the wildcard (*) and question mark (?) characters, so that the agent keeps following log files that are rotated when they reach a specific file size or date.

Step 7 In the Application Name field, type a name to identify the application.

Step 8 From the Log Facility list box, select Use Global Settings.

Step 9 Click OK.

Step 10 To add additional file sources, click Add and repeat this process from Step 4. Microsoft ISA and TMG store Web Proxy Service events and Firewall Service events in individual files, so add a file source for each file you want forwarded.

Step 11 Click Apply, and then click OK.

The event configuration is complete. You are now ready to configure a syslog destination and formatting for your Microsoft TMG and ISA events.

Configuring a Syslog Destination

The Syslog-ng Agent allows you to configure multiple destinations for your Windows-based events. The event logs captured by Microsoft ISA or TMG cannot be parsed by the BalaBit Syslog-ng Agent for Windows, so you must forward your logs to a BalaBit Syslog-ng Premium Edition (PE) for Linux or Unix. To forward your TMG and ISA event logs, you must specify the IP address for your PE relay and configure a message template for the LEEF format. The BalaBit Syslog-ng PE acts as an intermediate syslog server that parses the events and forwards the information to SIEM.

To configure a syslog destination:

Step 1 From the Start menu, select All Programs > syslog-ng Agent for Windows > Configure syslog-ng Agent for Windows.

The Syslog-ng Agent window is displayed.

Step 2 Expand the syslog-ng Agent Settings pane, and click Destinations.

Step 3 Double-click Add new server.

The Server Property window is displayed.

Step 4 On the Server tab, click Set Primary Server.

Step 5 Configure the following parameters:

a Server Name - Type the IP address of your BalaBit Syslog-ng PE relay.

b Server Port - Type 514 as the TCP port number for events forwarded to your BalaBit Syslog-ng PE relay.

Step 6 Click the Messages tab.

Step 7 From the Protocol list box, select Legacy BSD Syslog Protocol.

Step 8 From the File Message Format pane, in the Message Template field, type the following format command:

${FILE_MESSAGE}${TZOFFSET}

Step 9 Click Apply, and then click OK.

    The destination configuration is complete. You are now ready to filter comment lines from the event log.

Filtering the Log File for Comment Lines

The event log file for Microsoft ISA or Microsoft TMG can contain comment lines that begin with the # marker; these comments must be filtered out of the event stream before it is forwarded.

    To filter comment lines from the event message:

Step 1 From the Start menu, select All Programs > syslog-ng Agent for Windows > Configure syslog-ng Agent for Windows.

The Syslog-ng Agent window is displayed.

Step 2 Expand the syslog-ng Agent Settings pane, and select Destinations.

Step 3 Right-click your syslog destination and select Event Filters > Properties.

The Global event filters Properties window is displayed.

Step 4 Configure the following values:

a From the Global file filters pane, select Enable.

b From the Filter Type pane, select Black List Filtering.

Step 5 Click OK.

Step 6 From the filter list menu, double-click Message Contents.

The Message Contents Properties window is displayed.

Step 7 From the Message Contents pane, select the Enable radio button.

Step 8 In the Regular Expression field, type the following regular expression:

^#

Step 9 Click Add.

Step 10 Click Apply, and then click OK.

Event messages that begin with the comment marker are no longer forwarded.

NOTE: You might need to restart the Syslog-ng Agent for Windows service to begin syslog forwarding. For more information, see your BalaBit Syslog-ng Agent documentation.

Configuring a BalaBit Syslog-ng PE Relay

The BalaBit Syslog-ng Agent for Windows sends Microsoft TMG and ISA event logs to a BalaBit Syslog-ng PE installation that is configured in relay mode. The relay mode installation is responsible for receiving the event logs from the BalaBit Syslog-ng Agent for Windows, parsing them into the LEEF format, and then forwarding the events to SIEM using syslog.


    To configure your BalaBit Syslog-ng PE Relay, you must:

1 Install BalaBit Syslog-ng PE for Linux or Unix in relay mode. For more information, see your BalaBit Syslog-ng PE vendor documentation.

    2 Configure syslog on your Syslog-ng PE relay. For more information, see Configuring Syslog-ng.

NOTE: For a sample syslog.conf file that you can use to configure Microsoft TMG and ISA logs on your BalaBit Syslog-ng PE relay, see https://extranet.enterasys.com/downloads/.

Configuring Syslog-ng

The BalaBit Syslog-ng PE formats the TMG and ISA events in the LEEF format based on the configuration of your syslog.conf file. The syslog.conf file is responsible for parsing the event logs and forwarding the events to SIEM.

    To edit the syslog configuration file for your BalaBit Syslog-ng PE relay:

    Step 1 Using SSH, log in to your BalaBit Syslog-ng PE relay command-line interface (CLI).

Step 2 Edit the following file:

/etc/syslog-ng/etc/syslog.conf

Step 3 From the destinations section, add an IP address and port number for each relay destination. For example:

####### destinations
destination d_messages { file("/var/log/messages"); };
destination d_remote_tmgfw { tcp("SIEM_IP" port(SIEM_PORT) log_disk_fifo_size(10000000) template(t_tmgfw)); };
destination d_remote_tmgweb { tcp("SIEM_IP" port(SIEM_PORT) log_disk_fifo_size(10000000) template(t_tmgweb)); };

Where:

SIEM_IP is the IP address of your SIEM Console or Event Collector.

SIEM_PORT is the port number required for SIEM to receive syslog events. By default, SIEM receives syslog events on port 514.

The t_tmgfw and t_tmgweb templates that these destinations reference must be defined in the same configuration file; they are the templates that render the event files in LEEF. See the sample syslog.conf file referenced in the NOTE above.

    Step 4 Save the syslog configuration changes.

    Step 5 Restart Syslog-ng PE to force the configuration file to be read.

    The BalaBit Syslog-ng PE configuration is complete. Syslog events forwarded from the BalaBit Syslog-ng relay are automatically discovered by SIEM as Microsoft Windows Security Event Log on the Log Activity tab. For more information, see the SIEM Users Guide.


NOTE: When using multiple syslog destinations, messages are considered delivered once they have arrived at the primary syslog destination.

Configuring a Log Source for BalaBit Syslog-ng Events

    SIEM automatically discovers and creates a log source for syslog events from LEEF formatted messages provided by your Ba