LogLogic SIEM Partner Guide
Revision: H2CY10
Using this SIEM Partner Guide
This document is for the reader who:
• Has read the Cisco Security Information and Event Management Deployment Guide and the Internet Edge Deployment Guide
• Wants to connect Borderless Networks to a LogLogic SIEM solution
• Wants to gain a general understanding of the LogLogic SIEM solution
• Has a level of understanding equivalent to a CCNA® certification
• Wants to solve compliance and regulatory reporting problems
• Wants to enhance network security and operations
• Wants to improve IT operational efficiency
• Wants the assurance of a validated solution
Related Documents
Before reading this guide: Design Overview, Internet Edge Deployment Guide, Internet Edge Configuration Guide, SIEM Deployment Guide.
[Figure: document map of the SBA for Large Agencies document system (Design Guides, Deployment Guides including the Foundation Deployment Guides and Network Management Guides, and Supplemental Guides). "You are Here" marks the LogLogic SIEM Partner Guide.]
ALL DESIGNS, SPECIFICATIONS, STATEMENTS, INFORMATION, AND RECOMMENDATIONS (COLLECTIVELY, "DESIGNS") IN THIS MANUAL ARE PRESENTED "AS IS," WITH ALL FAULTS. CISCO AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THE DESIGNS, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE DESIGNS ARE SUBJECT TO CHANGE WITHOUT NOTICE. USERS ARE SOLELY RESPONSIBLE FOR THEIR APPLICATION OF THE DESIGNS. THE DESIGNS DO NOT CONSTITUTE THE TECHNICAL OR OTHER PROFESSIONAL ADVICE OF CISCO, ITS SUPPLIERS OR PARTNERS. USERS SHOULD CONSULT THEIR OWN TECHNICAL ADVISORS BEFORE IMPLEMENTING THE DESIGNS. RESULTS MAY VARY DEPENDING ON FACTORS NOT TESTED BY CISCO.
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2010 Cisco Systems, Inc. All rights reserved.
Table of Contents
Cisco SBA for Large Agencies—Borderless Networks
Agency Benefits
LogLogic Open Log Management Products
Deploying LogLogic MX Solution
Sending Logs from Cisco Devices to a LogLogic MX Appliance
Searching and Generating Reports
LogLogic Example
Products Verified with Cisco SBA
Appendix A: SBA for Large Agencies Document System
Cisco SBA for Large Agencies—Borderless Networks
The Cisco Smart Business Architecture (SBA) for Government Large Agencies—Borderless Networks offers partners and customers valuable network design and deployment best practices, helping agencies deliver superior end-user experience that includes switching, routing, security and wireless technologies combined with comprehensive management capabilities for the entire system. Customers can use the guidance provided in the architecture and deployment guides to maximize the value of their Cisco network in a simple, fast, affordable, scalable and flexible manner.
The modular design of the architecture means that technologies can be added when the agency is ready to deploy them. The architecture also provides Cisco-tested configurations and topologies, which CCNA-level engineers can use for design and installation, and to support agency needs.
Cisco offers a number of options to provide security management capabilities. This guide is focused on our partnership with LogLogic and their MX Series Security Information and Event Manager (SIEM) product.
Figure 1. LogLogic MX Series Appliance Integrated into SBA for Large Agencies—Borderless Networks
Agency Benefits
LogLogic offers a comprehensive suite of log and security management products that help large agencies to:
• Achieve regulatory compliance
• Protect valuable customer information
• Improve the efficiency of IT operations
The LogLogic logging, security, and IT search products shown in Figure 2 provide support for a broad range of Cisco networking, security, communication and infrastructure products.
Figure 2. Components of the LogLogic Log Management Platform
Compliance Reporting Benefits
LogLogic provides support for a number of compliance mandates, including PCI, SOX/COBIT, HIPAA, FISMA, ITIL, ISO, and NERC. LogLogic compliance reporting solutions are easily installed on top of the log management infrastructure, and immediately begin producing detailed compliance reports for key Cisco security and networking products.
Compliance Management Solutions & Benefits
LogLogic's Compliance Manager provides auditing and workflow solutions for PCI and SOX/COBIT compliance reports. This includes the following key benefits:
• Ensure and prove compliance review timeliness
• Access top-down executive views of compliance posture
• Dramatically improve audit speed and accuracy
• Reduce the cost of compliance
• Map data against agency policies
• Automate IT compliance functions
Security Benefits
Using LogLogic's extensive logging and IT Search capabilities, agencies can improve their security posture and provide detailed forensics support for security incidents. Security benefits of the LogLogic solution include the following:
• The LogLogic Open Log Management platform provides first-level alerting through pattern matching and log learning technology. LogLogic's Open Log Management platform also provides rapid searches against a complete record of user and system activity.
• LogLogic Security Event Manager adds sophisticated correlation and contextual analysis for advanced threat monitoring and fraud detection, helping to automate the incident management and response process.
• LogLogic Database Security Manager provides in-depth database threat and activity monitoring and can protect, amongst others, against SQL injection attacks. LogLogic Database Security Manager can also block suspicious activities in real time.
IT Operations and Performance Management Benefits
LogLogic's scalable log collection, indexing, searching, and behavioral analytics solutions allow IT organizations to gain visibility and control over their valuable assets and resources. This allows these organizations to increase network and application performance, availability, and accountability. Additional benefits include the following:
• The LogLogic Open Log Management platform monitors system behavior in real time. Advanced behavioral algorithms detect degradation in performance before it causes downtime. LogLogic's advanced alerting and search features also detect obscure error conditions as they happen, and help to identify the root cause.
• The LogLogic Open Log Management platform includes a free reporting package for the IT Infrastructure Library (ITIL), making it easier to implement best practices in the area of service desk management and change management.
• The LogLogic Open Log Management platform can monitor user and system activity of virtual applications and cross-correlate information from various applications.
LogLogic Open Log Management Products
The LogLogic product family includes the MX, LX, and ST Log Management Intelligence (LMI) appliances. These products all work in conjunction with Cisco products to provide advanced log collection, storage, archival, alerting, compliance and reporting solutions. The LogLogic product family is designed for scalability, performance, and to be quickly installed with rapid access to information and reports.
Figure 3. LogLogic LX and ST Appliances
The LogLogic MX solution is designed specifically for the mid-market, delivering comprehensive assurance for log data compliance mandates. Each LogLogic MX appliance includes a LogLogic Compliance and Control Suite with more than 100 customizable alerts and reports covering identity and access management, user activity, change, security, operational continuity and IT performance. The software platform on this single form factor appliance also incorporates one-year on-board log archival and storage capabilities, as well as indexed log data for fast Google-like search. In addition, each appliance includes one year of LogLogic maintenance and support.
LogLogic MX appliances integrate with the LogLogic Compliance Suite to cater to specific mid-market requirements. This mid-market, enterprise-grade functionality includes:
• Reporting, search, and collection performance—the ability to process custom log sources and easily customize reports previously reserved for enterprise customers.
• Chain of custody features for built-in raw log archives—enterprise-grade log data archival protection through checksum management.
• Open web services API and aftermarket applications—custom portal development and operational process automation through a fully featured SOA and web services API.
Figure 4. Comparison of LogLogic Appliances
LogLogic Compliance Suites
LogLogic Compliance Suites turn log data into automated reports and alerts for monitoring controls and requirements for PCI, SOX/COBIT, HIPAA, HITECH, FISMA, ITIL, ISO, and NERC. Each Compliance Suite is a field-installable option on MX product lines. Key features of the Compliance Suites include:
• Agile Log Reporting—Lets administrators create highly customized reports from easy-to-use templates. Lets administrators create reports for different mandates in seconds with no vendor intervention.
• Log Learning—Powerful and intelligent dynamic learning lets administrators set alerts based on changes to individual Cisco devices, groups of Cisco devices, or the network.
• Log Forensics—Indexing and Google-like search algorithms allow near-instant data retrieval: search terabytes of unaltered, unfiltered data in seconds.
• Open Log Routing—Routes raw data, reports and alerts to existing SIEM, network management, trouble ticket, and LogLogic Compliance Manager products.
• Log Process Audit—Enables network activity audits to provide proof of compliance or critical information for legal proceedings.
Table 1. Comparison of LogLogic MX, ST, and LX Appliances
MX Appliance
  Description: All-in-one log collection, reporting, management and compliance solution for SMB
  Number of Users (Admin): unlimited
  Events Per Second (eps): 1,000 eps
ST Appliance
  Description: Enterprise scalable log collection, storage, archive, search, and alerting
  Number of Users (Admin): unlimited
  Events Per Second (eps): 75,000–150,000 eps
LX Appliances
  Description: Enterprise scalable log analytics, reporting, and compliance reporting
  Number of Users (Admin): unlimited
  Events Per Second (eps): 5,000–10,000 eps
Deploying LogLogic MX Solution
This section outlines the steps required to configure the LogLogic appliances to process log data from Cisco devices.
Setting up the LogLogic Appliance
This section provides an overview on setting up the LogLogic appliance using the GUI. Specifically, this section goes over the following steps:
1. Connecting the appliance to a network
2. Logging into the appliance
3. Configuring log source auto-identification
4. Configuring network settings
5. Setting the time zone and time
Setting up the appliance is extremely fast and simple.
Step 1: Connecting the Appliance to a Network
The LogLogic appliance initially uses a default network address of 10.0.0.11 with a network mask of 255.255.255.0. Use a switch or an Ethernet crossover cable to make a direct connection between the appliance and a workstation configured with a 10.0.0.0/24 address.
Step 2: Logging into the Appliance
1. Open a web browser on your workstation and connect to the appliance by entering https://10.0.0.11 in the browser address line.
2. Click YES to accept the certificate. A login screen appears, as shown in Figure 5.
3. Enter the default username (admin) and password (admin). The Appliance displays the End User License Agreement (EULA).
4. Accept the EULA. The Appliance asks you to enter a new password, which must contain at least one number.
5. Enter a new password. The Appliance displays the navigation menu, and a warning that the time is not yet set on the Appliance. You can ignore this warning; it is addressed later in this procedure.
6. Create a secondary administrative account.
Figure 5. The Login Screen
Step 3: Configuring Log Source Auto-Identification
The auto-identification feature allows the appliance to quickly discover the actual Cisco product name and use this as the name of the device. Not all devices can be auto-identified, but for those that can, this feature is extremely handy in helping to easily identify the device.
1. Expand the Administration option in the left margin of the browser window.
2. Under Administration, select System Settings. The General tab appears.
3. Next to Auto-identify Log Sources, select Yes.
4. If you want to enable SSH connections to the appliance, next to Enable SSH Daemon at Startup, select Yes.
5. Click Update.
Step 4: Configuring Network Settings
1. Under Administration > System Settings, select the Network tab, shown in Figure 6.
2. Configure the IP address information for your network, then click Update.
3. Select Reboot Later. The following step, in which you configure time settings, will also prompt for a reboot, so both network and time settings can be applied at the same time.
Figure 6. The Network Settings Tab
Step 5: Setting the Time Zone and Time
1. Under Administration > System Settings, select the Time tab, shown in Figure 7.
2. Select the appropriate time zone from the Time Zone drop-down menu.
3. Select Update Time to define how to synchronize the appliance clock with your local time.
4. Cisco recommends using the Network Time Protocol (NTP) to ensure that information is logged with consistent timestamps. Select NTP Server and provide the address of a time source that is reachable from your network.
5. Click Update. When notified that the appliance will be rebooted to apply the settings, click OK.
Figure 7. Configuring System Time and Time Zone
Reader Tip
Time zone configuration is important to the operation of the appliance. If you select an incorrect time zone, your reports and CLI access might not function properly. To ensure consistency of log timestamps, make sure that the NTP time source used by your appliance is the same one used by your routers, firewalls, and other network devices.
Sending Logs from Cisco Devices to a LogLogic MX Appliance
Sending Syslog Messages from Cisco Routers and Firewalls to the LogLogic Appliance
This section describes the steps required to configure a Cisco ASA 5500 Series Adaptive Security Appliance or a Cisco Integrated Services Router (ISR) to send syslog messages to a LogLogic appliance.
Configuring a Cisco ASA 5500 to Generate Syslog Events
Enter the following global-configuration command:
logging host inside ip-address-of-loglogic
For example, if the LogLogic appliance has IP address 10.4.200.112, enter:
logging host inside 10.4.200.112
Press Ctrl + Z to exit config mode, and then type the following command to save the configuration changes:
copy running-config startup-config
Configuring a Cisco ISR to Generate Syslog Events
Enter the following global-configuration command:
logging ip-address-of-loglogic
For example, if the LogLogic appliance has IP address 10.4.200.112, enter:
logging 10.4.200.112
Press Ctrl + Z to exit config mode, and then type the following command to save the configuration changes:
copy running-config startup-config
Note that no special configuration steps are required on the LogLogic appliance in order to receive syslog messages.
Retrieving Event Records from Cisco Intrusion Prevention System (IPS) Sensors
This section describes the configuration steps on a Cisco IPS 4200 Series device to allow a LogLogic appliance to collect security events using the Security Device Event Exchange (SDEE) protocol.
Configuring a Cisco IPS 4200 for SDEE
To allow SDEE to function properly, the IPS must allow access to its HTTP or HTTPS service, and must also provide a username and password that the LogLogic appliance can use to authenticate its requests. The viewer privilege is sufficient to retrieve SDEE events, so a good security practice is to create a separate username for this purpose with the minimum privilege level required. For example, to create a user named "sensor", type the following configuration command on the IPS:
username sensor privilege viewer
The IPS will prompt you to choose the password for the user.
Setting Up a LogLogic Universal Collector to Retrieve SDEE Events from Cisco IPS 4200 Series Sensors
This section provides an overview on setting up the LogLogic Universal Collector (UC) and Universal Collector Manager (UCM) using the GUI in order to collect Cisco IPS events via SDEE.
Prior to configuring the UC, ensure that you meet the following prerequisites:
• Proper UCM and UC application up and running (please refer to the LogLogic UC documentation for details)
• User configured on the Cisco IPS sensor with at least viewer privilege
• HTTP or HTTPS server running on the Cisco IPS sensor
Step 1: Log Source Settings
In the UC GUI, go to Collector Management > Add a log source and select Cisco IDS/IPS through SDEE. Specify the address of the LogLogic LMI appliance to which the logs will be forwarded, and then create the Cisco IPS host entry, making sure to specify the IP address.
Step 2: Log Collector Settings
Select the collector you want to use (we recommend that you use a remote log collector), and then select the way the server is connecting to the log collector.
Step 3: Connection Settings
Specify the SDEE Connection Parameters of the Cisco IPS sensor, including IP address, login name, password, and port.
Step 4: Summary
Confirm the configuration as shown in Figure 8, and the UC configuration will be updated automatically.
Figure 8. Final Step of Configuring Universal Collector for SDEE
Sending Cisco IronPort Email Security Appliance Logs to an Intermediate Host
This section describes the configuration steps involved to send logs from a Cisco IronPort Email Security Appliance to an FTP server on your network, from which the LogLogic appliance will then retrieve them. There are numerous logs maintained by the Cisco IronPort Email Security Appliance; in the example below, we demonstrate how to export the IronPort Text Mail Logs.
Configuring a Log Subscription for Mail Logs
1. In the Email Security Appliance web management interface, go to System Administration > Log Subscriptions and click Add Log Subscription.
2. Select IronPort Text Mail Logs from the Log Type drop-down list.
3. Provide a Log Name, which will be used to name the directory created on the FTP server to hold the log files, and a File Name, which will be used as the basis for the individual log file names within that directory.
4. Next to Retrieval Method, select FTP on Remote Server and supply the FTP information for an intermediate host on your network, to which the Cisco IronPort Email Security Appliance will push the log files, as shown in Figure 9.
Figure 9. Log Subscription Configuration on the Cisco IronPort Email Security Appliance
Sending Cisco IronPort Web Security Appliance Logs to an Intermediate Host
This section describes the configuration steps involved to send logs from a Cisco IronPort Web Security Appliance to an FTP server on your network, from which the LogLogic appliance will then retrieve them. There are numerous logs maintained by the Cisco IronPort Web Security Appliance; in the example below, we demonstrate how to export Access Logs.
Configuring a Log Subscription for Access Logs
1. In the Web Security Appliance management interface, go to System Administration > Log Subscriptions and click Add Log Subscription.
2. Select Access Logs from the Log Type drop-down list. Leave Log Style set to the default value of Squid.
3. Provide a Log Name, which will be used to name the directory created on the FTP server to hold the log files, and a File Name, which will be used as the basis for the individual log file names within that directory.
4. Next to Retrieval Method, select FTP on Remote Server and supply the FTP information for an intermediate host on your network, to which the Cisco IronPort Web Security Appliance will push the log files, as shown in Figure 10.
Figure 10. Log Subscription Configuration on the Cisco IronPort Web Security Appliance
Configuring the LogLogic Appliance to Receive Logs from Cisco IronPort Web and Email Security Appliances
This section shows how to configure LogLogic to import the log files from the intermediate FTP server, configured in the previous procedure. Use the Add File Transfer tab to add a remote log source from which you intend to transfer files. After you have added all the remote log sources, you can specify rules using the File Transfer Rules feature.
Step 1: Add the FTP Server as a New Device
1. In the LogLogic web management interface, go to Administration > Manage Devices and select the Devices tab.
2. Click Add New.
3. In the Name field, type a name for the log source.
4. Type an optional description in the Description field.
5. From the Device Type drop-down menu, select the type of logs to be transferred; for example, for Access Logs from a Cisco IronPort Web Security Appliance, select Squid.
6. In the Host IP field, type the IP address of the FTP server from which you want to transfer files.
7. Set Enable Data Collection to Yes.
8. Click Add.
Figure 11. Adding a New Device
Step 2: Define a File Transfer Rule
1. Select the File Transfer Rule tab.
2. Ensure that the device you created in Step 1 is selected, and click Add Rule.
3. In the resulting Add File Transfer Rule tab, enter a name for this rule in the Rule Name field.
4. Leave Protocol set to FTP, and enter the FTP configuration information in the User ID, Password, and Verify Password fields.
5. In the Files field, enter the path and file name of the log files on the FTP server. Note that the file name will be the same as the log file name on the Cisco IronPort Email or Web Security Appliance.
6. Under Collection Time, select the desired file collection interval.
7. Set Enable to Yes.
8. Click Add.
Figure 12. Configuring a File Transfer Rule
Exporting Event Records from Cisco Security MARS to the LogLogic Appliance
This section describes the configuration steps involved to enable archive file export on Cisco Security MARS.
Configuring Cisco Security MARS to Export Archive Files
The Cisco Security MARS appliance can export archive copies of events, sessions, and raw messages (ES files). The archives can be saved to an external network-attached storage (NAS) system or other host using the Network File System (NFS) or Secure FTP (SFTP) protocols. Raw event records are exported at ten-minute intervals.
You can use the same server to archive the data for more than one Cisco Security MARS appliance; however, you must specify a unique directory in the path for each appliance that you want to archive. If you use the same base directory, the appliances overwrite each other's data, effectively corrupting the images.
For information on enabling archive file export, please see the "Backup, Recover, Restore, and Standby Server Options" chapter of the Cisco Security MARS Initial Configuration and Upgrade Guide at the following URL: http://www.cisco.com/en/US/docs/security/security_management/cs-mars/6.0/initial/configuration/bckRstrSby.html#wp1270005.
Adding Devices Monitored by the LogLogic Appliance
This guide assumes that you have already configured Cisco Security MARS to receive event logs from the other Cisco devices on your network. Those logs are passed along from Cisco Security MARS to the LogLogic appliance in the raw event records, exactly in the form they were received. To load the records into LogLogic, perform the following steps. Note that while Cisco Security MARS uses either NFS or SFTP to export its logs, the LogLogic appliance can use any supported transfer mechanism to import the files.
Step 1: Add the File Server as a New Device
1. In the LogLogic web management interface, go to Administration > Manage Devices and select the Devices tab.
2. Click Add New.
3. In the Name field, type a name for the log source.
4. Type an optional description in the Description field.
5. From the Device Type drop-down menu, select Other File Device.
6. In the Host IP field, type the IP address of the server from which you want to transfer files.
7. Set Enable Data Collection to Yes.
8. Click Add.
Step 2: Define a File Transfer Rule
1. Select the File Transfer Rule tab.
2. Ensure that the device you created in Step 1 is selected, and click Add Rule.
3. In the resulting Add File Transfer Rule tab, enter a name for this rule in the Rule Name field.
4. Select the appropriate Protocol, and enter the required configuration.
5. In the Files field, enter */ES/rm-* to collect all of the raw message files.
6. Under Collection Time, select the desired file collection interval. Remember that Cisco Security MARS exports archive files at ten-minute intervals, regardless of the LogLogic configuration.
7. Set Enable to Yes.
8. Click Add.
Figure 13. File Transfer Configuration for Cisco Security MARS
Searching and Generating Reports
LogLogic's searching and reporting capabilities enable users to search, analyze and make sense of log data from a wide variety of connected log sources quickly and effectively. Users can use LogLogic's reporting capabilities to create customizable real-time reports, send information to executives at regular intervals, and perform ad-hoc searches for troubleshooting or issue remediation. The LogLogic solution ships with built-in intelligence and report templates for access control, user accounting, network connectivity and policy, IDS and VPN activity, and web surfing activity. Report templates can easily be customized to suit the end-user's particular reporting requirements. Reports can be generated, emailed, and exported as PDF or CSV files on demand.
In addition, LogLogic also offers high-speed full-text indexed raw log data search capabilities. This combines keyword search features with data querying features into one overall search process. The keyword search for log messages uses Boolean expressions; AND, OR, and NOT are applied as logical operators to help users focus searches on the messages of interest. Data querying settings assure that all messages satisfying specified criteria (not just those assumed to be most relevant) are delivered, sorted by time. LogLogic's index search delivers only those messages which fully satisfy the Boolean search criteria. Finally, advanced regular expression searches add more power to searches.
Generating Reports
Report Configuration
Real-time reports can be configured and customized freely. LogLogic's dynamic report configuration page provides options for the users to customize everything pertaining to the summarization and presentation of the reports. For example, the following figure shows that users can choose the devices or device groups as well as the time frame in which the reports should be run. Users can choose to run reports for the last hour, or specify a time range, as illustrated in Figure 14.
Figure 14. Reporting Active Firewall Connections
Report Results
After the report configuration parameters are chosen, pressing the Run button on the lower right of the screen will cause the specified report to be executed. An example Denied Connections report is shown in Figure 15.
Figure 15. A Sample Report
In addition, by selecting the Chart tab, a chart of the associated report will be displayed.
Figure 16. A Sample Chart
Index Search
Index searches are accessed via the Search > Index Search navigation menu item. An example Index Search result is shown in Figure 17.
Figure 17. Index Search Example
Compliance Reports
LogLogic Compliance Suites deliver automated process validation, reporting and alerts based on infrastructure data to evidence, and enforce agency and IT policies related to compliance. By automating compliance reporting and alerting based on critical infrastructure data collected and stored by LogLogic Appliances, the LogLogic Compliance Suites reduce complexity and resource requirements for implementing control frameworks like PCI, COBIT/SOX, HIPAA, HITECH, FISMA, ITIL, ISO, and NERC. Each LogLogic Compliance Suite delivers 100+ reports and 75+ alerts—both easily customizable—specifically tuned to a particular control framework, for execution on LogLogic Appliances.
Figure 18. Customized Compliance Reports
LogLogic Example
The following example scenario shows how an Application Distribution report, using logs from an agency's Cisco ASA 5500 Series firewall, can reveal anomalous patterns in network usage, and help to detect malicious or other undesirable activity.
The Application Distribution report can be used to validate that corporate network policies, such as permissible network applications, network bandwidth QoS, and so on, are being followed. The report can be accessed in the web interface by going to Real-Time Reports > Connectivity > Application Distribution. An example report is shown in Figure 19. The example shows fairly common network traffic, including web browsing on ports 80 and 443, email traffic on ports 25 and 110, domain lookups, and management traffic. However, note the highlighted outbound TCP session on port 5190, associated with AOL Instant Messenger (AIM) traffic. In our example, this calls for closer investigation, possibly because the agency's network policies do not permit this chat client to be used.
Figure 19. Application Distribution Report Example
Clicking on the 5190 port number in the Application Distribution report shows details about the individual connections, and reveals that there are a number of internal users at IP address 45.200.x.y interacting with AOL servers. In this example scenario, this indicates widespread policy violations, suggesting the need to adjust outgoing firewall rules, and also to increase user awareness of the acceptable use policy on the network.
Figure 20. Detailed Investigation Example
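The Application Distribution and drill-down analysis described above, as an added example rather than part of the original guide: this Python code runs the same logic over constructed ASA "Built outbound" syslog lines, counts sessions per destination port, flags ports the agency policy does not permit (the permitted set and the log sample are constructed assumptions), and lists the internal hosts and remote servers behind a flagged port, as clicking the port in the report does.

```python
import re
from collections import Counter

# Constructed ASA syslog sample in the layout of %ASA-6-302013 (TCP) and
# %ASA-6-302015 (UDP) "Built outbound" messages; documentation address ranges,
# not real traffic.  For an outbound connection the "for" side is the remote
# destination and the "to" side is the internal client.
SAMPLE_ASA_LOGS = [
    "%ASA-6-302013: Built outbound TCP connection 1001 for outside:198.51.100.10/80 (198.51.100.10/80) to inside:10.4.1.15/50311 (10.4.200.1/1024)",
    "%ASA-6-302013: Built outbound TCP connection 1002 for outside:198.51.100.11/443 (198.51.100.11/443) to inside:10.4.1.16/50312 (10.4.200.1/1025)",
    "%ASA-6-302013: Built outbound TCP connection 1003 for outside:198.51.100.10/80 (198.51.100.10/80) to inside:10.4.1.17/50313 (10.4.200.1/1026)",
    "%ASA-6-302013: Built outbound TCP connection 1004 for outside:198.51.100.20/25 (198.51.100.20/25) to inside:10.4.1.30/50314 (10.4.200.1/1027)",
    "%ASA-6-302013: Built outbound TCP connection 1005 for outside:198.51.100.20/110 (198.51.100.20/110) to inside:10.4.1.30/50315 (10.4.200.1/1028)",
    "%ASA-6-302015: Built outbound UDP connection 1006 for outside:203.0.113.53/53 (203.0.113.53/53) to inside:10.4.1.15/50316 (10.4.200.1/1029)",
    "%ASA-6-302013: Built outbound TCP connection 1007 for outside:198.51.100.50/5190 (198.51.100.50/5190) to inside:10.4.1.15/50317 (10.4.200.1/1030)",
    "%ASA-6-302013: Built outbound TCP connection 1008 for outside:198.51.100.51/5190 (198.51.100.51/5190) to inside:10.4.1.22/50318 (10.4.200.1/1031)",
    "%ASA-6-302013: Built outbound TCP connection 1009 for outside:198.51.100.50/5190 (198.51.100.50/5190) to inside:10.4.1.41/50319 (10.4.200.1/1032)",
    "%ASA-6-302013: Built outbound TCP connection 1010 for outside:198.51.100.10/80 (198.51.100.10/80) to inside:10.4.1.15/50320 (10.4.200.1/1033)",
    "%ASA-6-302014: Teardown TCP connection 1001 for outside:198.51.100.10/80 to inside:10.4.1.15/50311 duration 0:00:12 bytes 3041 TCP FINs",
    "%ASA-4-106023: Deny tcp src outside:203.0.113.9/4455 dst inside:10.4.1.20/23 by access-group \"outside_in\"",
]

# Only "Built outbound" messages carry a new session; the optional parenthesised
# group is the NAT-mapped address/port that ASA appends after each endpoint.
_BUILT_RE = re.compile(
    r"%ASA-6-30201[35]: Built outbound (TCP|UDP) connection \d+ for "
    r"\w+:(\d+\.\d+\.\d+\.\d+)/(\d+)(?: \([^)]*\))? to "
    r"\w+:(\d+\.\d+\.\d+\.\d+)/\d+"
)

# Applications the agency policy permits outbound (constructed for this example).
PERMITTED = {("TCP", 80), ("TCP", 443), ("TCP", 25), ("TCP", 110), ("UDP", 53)}


def parse_built(line):
    """Return (proto, dst_ip, dst_port, src_ip) for a Built-outbound message, else None."""
    m = _BUILT_RE.search(line)
    if not m:
        return None
    proto, dst_ip, dst_port, src_ip = m.groups()
    return proto, dst_ip, int(dst_port), src_ip


def application_distribution(lines):
    """Sessions per (proto, destination port): the view the report summarizes."""
    dist = Counter()
    for line in lines:
        conn = parse_built(line)
        if conn:
            dist[(conn[0], conn[2])] += 1
    return dist


def policy_violations(dist, permitted=PERMITTED):
    """Applications seen that the policy does not permit, busiest first."""
    flagged = [(proto, port, n) for (proto, port), n in dist.items()
               if (proto, port) not in permitted]
    return sorted(flagged, key=lambda t: (-t[2], t[1]))


def drill_down(lines, port):
    """Detail for one port: sessions per internal client and the remote servers reached."""
    clients, servers = Counter(), set()
    for line in lines:
        conn = parse_built(line)
        if conn and conn[2] == port:
            clients[conn[3]] += 1
            servers.add(conn[1])
    return clients, servers


if __name__ == "__main__":
    dist = application_distribution(SAMPLE_ASA_LOGS)
    for proto, port, n in policy_violations(dist):
        clients, servers = drill_down(SAMPLE_ASA_LOGS, port)
        print(f"{proto}/{port}: {n} sessions from {len(clients)} internal hosts to {sorted(servers)}")
```

Because more than one internal host appears behind the flagged port, the same data supports both follow-ups the guide names: tightening the outbound firewall rule and addressing the acceptable use policy with users.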
Products Verified with Cisco SBA
LogLogic MX3020 Appliance version 4.9.0.1 has been verified with Cisco SBA using the following software versions:
• Cisco ASA 5500 Series 8.2(1)
• Cisco IOS Software Release 15.0(1)M2
• Cisco IOS XE Release 2.6.1
• Cisco Intrusion Prevention System 7.0(2)E3
• Cisco IronPort AsyncOS Version 7.1 for Email
• Cisco IronPort AsyncOS Version 6.3 for Web
• Cisco Security MARS 6.0.5
Contact Information
End Users
• Submit an inquiry about LogLogic Products and the Cisco SBA for Large Agencies—Borderless Networks
Resellers
• For more information on how to become a LogLogic reseller, please visit the Partner Section at http://www.loglogic.com
For more information on the LogLogic and Cisco Partnership, please visit http://www.cisco.com/go/securitypartners
Appendix A: SBA for Large Agencies Document System
[Figure: map of the SBA for Large Agencies document system, arranged as Design Guides, Deployment Guides (Foundation Deployment Guides and Network Management Guides), and Supplemental Guides. "You are Here" marks the LogLogic SIEM Partner Guide. Documents shown:]
Design Overview
IPv6 Addressing Guide
LAN Deployment Guide
LAN Configuration Guide
WAN Deployment Guide
WAN Configuration Guide
Internet Edge Deployment Guide
Internet Edge Configuration Guide
SolarWinds Deployment Guide
SIEM Deployment Guide
Wireless CleanAir Deployment Guide
Data Security Deployment Guide
Nexus 7000 Deployment Guide
ArcSight SIEM Partner Guide
LogLogic SIEM Partner Guide (You are Here)
nFx SIEM Partner Guide
RSA SIEM Partner Guide
Splunk SIEM Partner Guide
CREDANT Data Security Partner Guide
Lumension Data Security Partner Guide
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco Website at www.cisco.com/go/offices.
Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)
Americas Headquarters: Cisco Systems, Inc., San Jose, CA
Asia Pacific Headquarters: Cisco Systems (USA) Pte. Ltd., Singapore
Europe Headquarters: Cisco Systems International BV, Amsterdam, The Netherlands
SMART BUSINESS ARCHITECTURE
C07-641093-00 12/10