Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 - ADAPTIVE LOG EXPORTER REV1 Manual
Security Threat Response Manager
STRM Adaptive Log Exporter
Release 2008.2
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089
USA
408-745-2000
www.juniper.net
Part Number: 530-023497-01, Revision 1


Summary of Contents for Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 - ADAPTIVE LOG EXPORTER REV1

  • Page 1 Security Threat Response Manager STRM Adaptive Log Exporter Release 2008.2 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 408-745-2000 www.juniper.net Part Number: 530-023497-01, Revision 1...
  • Page 2 Juniper Networks or their respective owners. All specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
  • Page 3: Table Of Contents

    About This Guide ... 3
    Conventions ... 3
    Technical Documentation ... 3
    Documentation Feedback ... 3
    Requesting Support ... 4
    Overview ... 5
    Integrating Device Support Modules (DSMs) with STRM ... 5
    Using the Adaptive Log Exporter ... 6
    Using the Menu ... 6
    Using the Toolbar ... 6
    Deploying Changes ... 7
    Installing the Adaptive Log Exporter ... 9
    Before You Begin ... 9
    Installing the Adaptive Log Exporter ... 9
    ...
  • Page 4 (Table of Contents, continued)
    Configuring the Cisco CSA Device ... 45
    Configuring the File Forwarder Device ... 47
    Configuring the Juniper SBR Device ... 49
    Configuring the Windows Event Log Device ... 51
    Configuring the Microsoft DHCP Device ... 53
    Configuring the Trend Micro InterScan VirusWall Device ... 55
    Configuring the Microsoft Exchange Server Device ... 57
    Forwarding OWA Logs ... 57
    Forwarding SMTP Logs ... 58
    Configuring the Microsoft SQL Server Device ... 59
    ...
  • Page 5: About This Guide

    Information that alerts you to potential personal injury. Technical Documentation: You can access technical documentation, technical notes, and release notes directly from the Juniper Networks Support Web site at http://www.juniper.net/support. Documentation Feedback: We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation.
  • Page 6: Requesting Support

    ABOUT THIS GUIDE. Requesting Support: Open a support case using the Case Management link at http://www.juniper.net/support/ or call 1-888-314-JTAC (from the United States, Canada, or Mexico) or 1-408-745-9500 (from elsewhere). STRM Adaptive Log Exporter...
  • Page 7: Overview

    OVERVIEW. The Adaptive Log Exporter is a stand-alone application that allows you to integrate devices/applications with STRM or STRM Log-Only. This chapter includes: Integrating Device Support Modules (DSMs) with STRM; Using the Adaptive Log Exporter; Deploying Changes. Note: Unless otherwise noted, all references to STRM refer to both STRM and STRM Log-Only.
  • Page 8: Using The Adaptive Log Exporter

    OVERVIEW. Using the Adaptive Log Exporter: The Adaptive Log Exporter provides menu and toolbar options. This section provides information on the available options, including: Using the Menu; Using the Toolbar. Using the Menu: The menu options include: Table 1-1 Adaptive Log Exporter Menu Options (Menu, Sub-Menu, ...)
  • Page 9: Deploying Changes

    Deploying Changes. Table 1-2 Toolbar Options (continued), Icon / Description: Allows you to edit the settings for a currently saved device. Allows you to edit the mapping destination for a device. Allows you to deploy all changes made during the current session. Allows you to install all available devices.
  • Page 11: Installing The Adaptive Log Exporter

    INSTALLING THE ADAPTIVE LOG EXPORTER. This chapter provides information on installing and uninstalling your Adaptive Log Exporter, including: Before You Begin; Installing the Adaptive Log Exporter; Un-installing the Adaptive Log Exporter. Before You Begin: Before you install the Adaptive Log Exporter, make sure you have the following: Windows 2000 or Windows 2003 software installed.
  • Page 12 INSTALLING THE ADAPTIVE LOG EXPORTER. Step 4: Click Next. The Select Destination Location window appears. Step 5: Specify the location where you wish to install the Adaptive Log Exporter. To browse your system for a particular location, click Browse. Step 6: Click Next. The Start Menu Folder window appears.
  • Page 13 Installing the Adaptive Log Exporter. Step 7: Specify the name of the menu option in your Start menu. If you do not wish to include a menu option in your Start menu, select the Don't create a Start Menu folder check box. Click Next.
  • Page 14 INSTALLING THE ADAPTIVE LOG EXPORTER. Run service now: If you wish to run the Adaptive Log Exporter immediately after installation, select the Run service now check box. Click Next. Step 10: The Ready to Install window appears. Click Install. Step 11: The Completing the Setup Wizard window appears when the installation is complete.
  • Page 15: Un-Installing The Adaptive Log Exporter

    Un-installing the Adaptive Log Exporter. To un-install the Adaptive Log Exporter: Step 1: From your desktop, select Start > Programs > AdaptiveLogExporter > Utility > Uninstall AdapterLogExporter. A confirmation message appears. Step 2: Click Yes to continue. A message appears when the uninstall is complete.
  • Page 17: Using The Preferences Window

    SETTING UP THE ADAPTIVE LOG EXPORTER. This chapter provides information on setting up your Adaptive Log Exporter, including: Using the Preferences Window; Managing Updates. Using the Preferences Window: The Preferences window provides the following options: Table 3-1 Preference Options (Menu, Sub-Menu, Description, ...)
  • Page 18: Managing Updates

    SETTING UP THE ADAPTIVE LOG EXPORTER. Managing Updates: This section provides information on managing updates for your Adaptive Log Exporter, including: Configuring Adaptive Log Exporter Updates; Scheduling Automatic Updates; Configuring the Update Site. Configuring Adaptive Log Exporter Updates: To configure the preferences for updates: Step 1: From the Start menu, select Start >...
  • Page 19 Managing Updates. Step 3: Click Install/Update. The Install/Update parameters appear. Step 4: In the Maximum number of History configurations field, enter the number of configuration changes you wish the system to maintain. The default is 100. Step 5: To ensure greater security for your downloaded archives, select the Check digital signatures of downloaded archives check box. Keep this selected: the update site can be served over plain http (see Configuring the Update Site), which authenticates neither the server nor the archive, so the signature check is what stops a tampered or substituted archive from being installed.
  • Page 20 SETTING UP THE ADAPTIVE LOG EXPORTER. equivalent: Includes updates that are equivalent to the currently running version of the Adaptive Log Exporter. Typically, this includes plug-ins and updates. compatible: Includes updates that are available and include a new version of the application.
  • Page 21: Scheduling Automatic Updates

    Managing Updates. Scheduling Automatic Updates: You can configure the Adaptive Log Exporter to automatically search for updates. To schedule updates: Step 1: From the Start menu, select Start > Programs > AdaptiveLogExporter > Configure Adapter Log Exporter. The Adaptive Log Exporter appears. From the menu, select File >...
  • Page 22 SETTING UP THE ADAPTIVE LOG EXPORTER. The Automatic Updates parameters appear. Step 5: Select the Automatically find new updates and notify me check box. Additional options become active. When updates are available, a message appears indicating the available updates. Step 6: Select one of the following options to schedule automatic updates: Look for updates each time platform is started...
  • Page 23: Configuring The Update Site

    Managing Updates. Configuring the Update Site: To specify a specific location for the Adaptive Log Exporter to search for updates: Step 1: From the Start menu, select Start > Programs > AdaptiveLogExporter > Configure Adapter Log Exporter. The Adaptive Log Exporter appears. From the menu, select File >...
  • Page 24: Configuring Updates For Off-Line Sites

    SETTING UP THE ADAPTIVE LOG EXPORTER. The Update Site parameters appear. Step 5: In the Update Site URL field, enter the location you wish the Adaptive Log Exporter to use when searching for updates. Note: The Adaptive Log Exporter supports both http and file protocols. For example, the following are valid locations: http://<update.server.com>/UpdateSite; On a Windows server:...
  • Page 25 Managing Updates. c:\updatesite. Step 5: Configure the update site using the Adaptive Log Exporter interface. See Configuring the Update Site. Make sure you configure the update site to reflect the value entered in Step...
  • Page 27: Managing Devices

    MANAGING DEVICES. This chapter provides information on adding and managing devices using your Adaptive Log Exporter, including: Installing Device Types; Updating Devices; Configuring Devices. Installing Device Types: To install device types, such as a Cisco ACS, on your Adaptive Log Exporter: Step 1: From the Start menu, select Start >...
  • Page 28 MANAGING DEVICES. Step 3: Click the + sign to expand the menu tree. The available devices appear. Step 4: Choose one of the following options: If you wish to install all available devices, select the check box of the top level menu option.
  • Page 29: Updating Devices

    Updating Devices. Note: You must install your devices to the default location. Therefore, do not change the Install Location for your devices. Step 8: Click Finish. The Feature Verification window appears. Step 9: Click Install All to install all chosen devices. Updating Devices: To update your device configuration in the Adaptive Log Exporter: Step 1: From the Start menu, select Start >...
  • Page 30 MANAGING DEVICES. Step 2: From the menu, select Help > Software Updates > Update Agent. If any updates are available, the Updates window appears. If no updates are available, a message appears. Step 3: Click the + sign to expand the menu tree. The available devices appear.
  • Page 31: Configuring Devices

    Configuring Devices. Step 7: Click Next. The Installation window appears. Step 8: If you wish to change the location to which the devices will be installed: Click Change Location. Click Add Location. Using the menu tree, select the location where you wish to install the devices. Click OK.
  • Page 32 MANAGING DEVICES. Step 2: Click the Devices tab. Step 3: For the device type to which you wish to add a device, right-click the device name and select Add Device. A new device appears below the main device name and configuration options appear.
  • Page 33: Editing A Device

    Configuring Devices. Description: Specify a description for this device. The description can be up to 100 characters in length. Device Address: Specify the IP address for this device. This is the IP address this DSM uses to communicate with STRM. Step 5: Click the arrow next to Advanced Configuration to reveal the configuration parameters.
  • Page 34: Deleting A Device

    MANAGING DEVICES. Step 4: For the device you wish to edit, right-click the device name and select Edit Device. The configuration parameters for that device appear. Step 5: Update the Basic Configuration, as necessary: Name: Specify the name you wish to assign this device. The name can be up...
  • Page 35 Configuring Devices. Step 2: Click the Devices tab. Step 3: For the device type that includes the device you wish to delete, click + to expand the menu tree. Step 4: For the device you wish to delete, right-click the device name and select Delete Device.
  • Page 37: Managing Destinations

    MANAGING DESTINATIONS. This chapter provides information on adding and managing your device destinations using your Adaptive Log Exporter, including: Configuring Destinations; Mapping to a Destination. Configuring Destinations: Using the Adaptive Log Exporter, you can perform the following: Adding a Destination; Editing a Destination;...
  • Page 38 MANAGING DESTINATIONS. Step 3: For the destination type to which you wish to add a new destination, right-click the destination name and select Add Destination. A new destination appears below the main destination name and configuration options appear.
  • Page 39: Editing A Destination

    Configuring Destinations. Step 10: From the menu, select File > Save All. Step 11: From the menu, select File > Deploy. Editing a Destination: To edit a destination: Step 1: From the Start menu, select Start > Programs > AdaptiveLogExporter > Configure Adapter Log Exporter.
  • Page 40 MANAGING DESTINATIONS. Step 5: In the Basic Configuration area, update the values, as necessary: Name: Specify the name you wish to assign this destination, composed only of alphanumeric characters and the underscore (_). Description: Specify a description for this destination. Step 6: Click the arrow next to Advanced Configuration to reveal the configuration parameters.
  • Page 41: Deleting A Destination

    Configuring Destinations. Deleting a Destination: To delete a destination: Step 1: From the Start menu, select Start > Programs > AdaptiveLogExporter > Configure Adapter Log Exporter. The Adaptive Log Exporter appears. Step 2: Click the Destination tab. Step 3: For the destination type that includes the destination that you wish to delete, click + to expand the menu tree.
  • Page 42: Mapping To A Destination

    MANAGING DESTINATIONS. Mapping to a Destination: Once you have configured your devices and destinations, you must map each device to a destination. This section provides information on mapping a device to a destination, including: Creating a Mapping; Removing a Mapping...
  • Page 43: Removing A Mapping

    Mapping to a Destination. Removing a Mapping: To delete a mapping between a device and a destination: Step 1: From the Start menu, select Start > Programs > AdaptiveLogExporter > Configure Adapter Log Exporter. The Adaptive Log Exporter appears. Step 2: Click the Destination tab. Step 3: For the destination type that includes the mapping you wish to remove, click + to...
  • Page 45: Configuring The Cisco Acs Device

    CONFIGURING THE CISCO ACS DEVICE. This chapter provides information on configuring your Cisco ACS device. For information on adding or managing a device, see Chapter 4 Managing Devices. Configure the Cisco ACS device parameter to specify the Root Log Directory, which is the location where Cisco ACS stores its log files. STRM Adaptive Log Exporter...
  • Page 47: Configuring The Cisco Csa Device

    CONFIGURING THE CISCO CSA DEVICE. Cisco Security Agent (CSA) provides security to your deployment to defend against the spread of attacks across networks and systems. These CSA devices enforce a set of policies provided by the Management Center (MC) for CSA devices and selectively applied to system nodes by the network administrator.
  • Page 48 CONFIGURING THE CISCO CSA DEVICE. ...with a time stamp. A new file, using the same file name entered in the CSA MC Alerts Log file field, is then created. Events continue to be written to this new file until it reaches 1 MB. STRM Adaptive Log Exporter...
  • Page 49: Configuring The File Forwarder Device

    CONFIGURING THE FILE FORWARDER DEVICE. This chapter provides information on configuring your File Forwarder device. For information on adding or managing a device, see Chapter 4 Managing Devices. Enter values for the following parameters: Root Log Directory: Specify the location where the File Forwarder device stores...
  • Page 51: Configuring The Juniper Sbr Device

    CONFIGURING THE JUNIPER SBR DEVICE. This chapter provides information on configuring your Juniper SBR device. For information on adding or managing a device, see Chapter 4 Managing Devices. Configure the Juniper SBR parameter to specify the Root Log Directory, which is the location where Juniper SBR stores its log files.
  • Page 53: Configuring The Windows Event Log Device

    CONFIGURING THE WINDOWS EVENT LOG DEVICE. In Microsoft Windows, an event is any significant occurrence in the system or in a program that requires users to be notified, or an entry added to a log. The event log device records the application, security, and system events that appear in the Event Viewer.
  • Page 54 CONFIGURING THE WINDOWS EVENT LOG DEVICE. ...or as a member of the Administrators group to enable, use, and specify which events you wish to record in the security log. System Log: Select the check box if you wish the device to monitor the system log.
  • Page 55: Configuring The Microsoft Dhcp Device

    CONFIGURING THE MICROSOFT DHCP DEVICE. In the Microsoft Windows Server family, DHCP server log files use audit logging so that log files can remain enabled without additional monitoring or administration. This allows you to manage log file growth or conserve disk resources. This chapter provides information on configuring your Microsoft DHCP device using the Adaptive Log Exporter.
  • Page 57: Configuring The Trend Micro Interscan Viruswall Device

    CONFIGURING THE TREND MICRO INTERSCAN VIRUSWALL DEVICE. InterScan VirusWall (ISVW) 6 for Windows provides an all-in-one gateway antivirus, anti-spam, and content management solution for your network. VirusWall's real-time scanning services (SMTP VirusWall, POP3 VirusWall, FTP VirusWall, and HTTP VirusWall) monitor for security threats in e-mail, on the Internet, and in file transfers to and from the local area network (LAN).
  • Page 59: Configuring The Microsoft Exchange Server Device

    CONFIGURING THE MICROSOFT EXCHANGE SERVER DEVICE. Microsoft Exchange Server provides electronic mail, calendaring, contacts and tasks, support for mobile and web-based access to information, and data storage. The Microsoft Exchange Server device allows you to forward Outlook Web Access (OWA) or SMTP logs to the Adaptive Log Exporter.
  • Page 60: Forwarding Smtp Logs

    CONFIGURING THE MICROSOFT EXCHANGE SERVER DEVICE. Forwarding SMTP Logs: To forward SMTP logs to the Adaptive Log Exporter, select the Microsoft Exchange Server SMTP device. For information on adding or managing a device, see Chapter 4 Managing Devices. Configure the Root Log Directory parameter, which is the location of the Microsoft Exchange Server SMTP log files.
  • Page 61: Configuring The Microsoft Sql Server Device

    CONFIGURING THE MICROSOFT SQL SERVER DEVICE. Microsoft SQL Server is a comprehensive, integrated, end-to-end data solution that provides a platform for enterprise data and BI applications. This chapter provides information on configuring your Microsoft SQL Server device using the Adaptive Log Exporter. For information on adding or managing a device, see Chapter 4 Managing Devices.
  • Page 62 CONFIGURING THE MICROSOFT SQL SERVER DEVICE. ...retains backups of the previous six logs and gives each backup a sequence number appended to the end of the name. For example, the most recent log backup is saved with the extension .1 and the second most recent with the extension .2.
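The Root Log Directory parameter used by the File Forwarder, SQL Server and the other file-based devices above points the exporter at files that the application rotates underneath it, and the SQL Server scheme just described (current log renamed to .1, six numbered backups kept) is the case a forwarder most often gets wrong: it either re-sends the whole new file or drops the lines written between its last read and the rename. The following is an added example, not Juniper's code and not a description of how the Adaptive Log Exporter itself tracks files; the ERRORLOG file name, the temporary directory and the log lines are constructed for the demonstration. It tracks the forwarded byte offset together with the file's identity, drains the rotated .1 file before moving on to the new one, holds back a partial trailing line so nothing is sent twice, and records a gap when it finds that rotations happened faster than it polled.

```python
import os
import tempfile


class RootLogDirectoryForwarder:
    """Tail <root_dir>/<log_name>; survive the rotation described for SQL Server
    (current file renamed to .1, backups shifted to .2 .. .6, fresh file created)."""
    def __init__(self, root_dir, log_name):
        self.root_dir = root_dir
        self.log_name = log_name
        self.offset = 0       # bytes of the tracked file already forwarded
        self.inode = None     # st_ino of the file the offset belongs to
        self.forwarded = []   # delivered lines, in order (stands in for the destination)
        self.gaps = 0         # rotations where the old file could not be drained

    def path(self, n=0):
        name = self.log_name if n == 0 else f"{self.log_name}.{n}"
        return os.path.join(self.root_dir, name)

    def _read_lines(self, path, offset, final):
        """Return (lines, new_offset). A trailing partial line is held back
        unless final=True, meaning the file will receive no more writes."""
        with open(path, "rb") as fh:
            fh.seek(offset)
            data = fh.read()
        parts = data.split(b"\n")
        tail = parts.pop()    # b"" when data ends with a newline
        lines = [p.decode("utf-8", "replace") for p in parts]
        consumed = len(data) - len(tail)
        if final and tail:
            lines.append(tail.decode("utf-8", "replace"))
            consumed = len(data)
        return lines, offset + consumed

    def poll(self):
        """Forward whatever is new; return the number of lines forwarded."""
        current = self.path()
        try:
            st = os.stat(current)
        except FileNotFoundError:
            return 0
        before = len(self.forwarded)
        rotated = self.inode is not None and (
            st.st_ino != self.inode or st.st_size < self.offset)
        if rotated:
            # Drain the unread rest of the file that is now ".1", but only
            # if it really is the file we were following.
            old = self.path(1)
            try:
                if os.stat(old).st_ino == self.inode:
                    lines, _ = self._read_lines(old, self.offset, final=True)
                    self.forwarded.extend(lines)
                else:
                    self.gaps += 1
            except FileNotFoundError:
                self.gaps += 1
            self.offset = 0
        self.inode = st.st_ino
        lines, self.offset = self._read_lines(current, self.offset, final=False)
        self.forwarded.extend(lines)
        return len(self.forwarded) - before


def rotate(root_dir, log_name, max_backups=6):
    """Simulate the server's rotation (drop .6, shift .n to .n+1, current to .1)
    and return the backup numbers that exist afterwards."""
    def p(n):
        return os.path.join(root_dir, log_name if n == 0 else f"{log_name}.{n}")
    if os.path.exists(p(max_backups)):
        os.remove(p(max_backups))
    for n in range(max_backups - 1, -1, -1):
        if os.path.exists(p(n)):
            os.replace(p(n), p(n + 1))
    open(p(0), "wb").close()
    return [n for n in range(1, max_backups + 2) if os.path.exists(p(n))]


def demo():
    """Constructed scenario: two lines, a partial line, a rotation, one more line,
    then six unobserved rotations so the oldest backup is discarded."""
    root = tempfile.mkdtemp()
    fwd = RootLogDirectoryForwarder(root, "ERRORLOG")   # file name is an assumption
    with open(fwd.path(), "ab") as fh:
        fh.write(b"2008-06-01 10:00:00.00 Server SQL Server is starting\n"
                 b"2008-06-01 10:00:01.00 Logon Login failed for user 'sa'\n")
    fwd.poll()
    with open(fwd.path(), "ab") as fh:
        fh.write(b"2008-06-01 10:00:02.00 spid5 Recovery is complete")  # no newline yet
    held = fwd.poll()          # 0: the partial line is held back
    with open(fwd.path(), "ab") as fh:
        fh.write(b"\n")
    rotate(root, "ERRORLOG")   # ERRORLOG -> ERRORLOG.1, new empty ERRORLOG
    with open(fwd.path(), "ab") as fh:
        fh.write(b"2008-06-01 11:00:00.00 Server SQL Server is starting\n")
    fwd.poll()
    for _ in range(6): backups = rotate(root, "ERRORLOG")
    fwd.poll()                 # our file is no longer at .1: counted as a gap
    return fwd, held, backups
```

Running demo() delivers exactly four lines in order, with the line that straddled the rotation sent once and only after its newline arrived, and reports one gap for the six rotations it did not observe; a real forwarder would raise an alert on that counter rather than silently continue. Tracking identity by st_ino is what makes the rename detectable; a forwarder that keys only on the path would happily start the new empty file from offset zero and never notice the remainder left in .1.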
  • Page 63: Configuring The Microsoft Iis Device

    CONFIGURING THE MICROSOFT IIS DEVICE. Microsoft Internet Information Services (IIS) includes a broad range of administrative features for managing web sites. You can monitor attempts to access your sites, virtual folders, or files and determine whether attempts were made to read or write to your files. IIS log file formats allow you to record events independently for any site, virtual folder, or file.
  • Page 65: Collecting Windows Event Logs

    COLLECTING WINDOWS EVENT LOGS. This appendix provides information about monitoring event logs from Windows-based servers and hosts. Typically, you can monitor your event logs with or without an agent. The Adaptive Log Exporter is an independent application that runs on a Windows host, commonly referred to as an agent. The Adaptive Log Exporter collects local and remote Windows logs, supporting each method of monitoring event logs.
  • Page 66: Collecting Logs Without An Agent

    COLLECTING WINDOWS EVENT LOGS. Collecting Logs Without an Agent: To collect logs without an agent, you must install the Adaptive Log Exporter in your network. The Adaptive Log Exporter allows you to connect to remote Windows systems to return logs to STRM. Note: For more information on the Adaptive Log Exporter, see the Adaptive Log Exporter Users Guide.
  • Page 67: Configuring The Adaptive Log Exporter

    Collecting Logs Without an Agent. Configuring the Adaptive Log Exporter: To configure the Adaptive Log Exporter to support a network without an agent: Step 1: Download and install the Adaptive Log Exporter on the system you wish to host the Adaptive Log Exporter.
  • Page 68 COLLECTING WINDOWS EVENT LOGS. Click the + sign to expand the menu tree. The available devices appear. Select the Windows Event Log plug-in. Click Next. The Feature License window appears. Read the license associated with the selected device. To continue, you must select the I accept the terms of the license agreement option.
  • Page 69: Collecting Logs With An Agent

    Collecting Logs With an Agent. Step 6: In the Windows Event Log Configuration area, enter values for the parameters: Application Log: Select the check box if you wish the device to monitor the application log. Security Log: Select the check box if you wish the device to monitor the...
  • Page 70: Configuring The Adaptive Log Exporter

    COLLECTING WINDOWS EVENT LOGS. Figure A-2 shows an example of a network collecting logs using an agent. [Figure A-2: Agent based Windows Log Collection. Labels recoverable from the figure: QRadar Appliance; Monitored Windows systems; the Adaptive Log Exporter communicates events from the Windows machines back to the QRadar server via syslog.]
  • Page 71 Collecting Logs With an Agent. From the menu, select Help > Software Updates > Add Extensions/Devices. Click the + sign to expand the menu tree. The available devices appear. Select the Windows Event Log plug-in. Click Next. The Feature License window appears. Read the license associated with the selected device.
  • Page 72 COLLECTING WINDOWS EVENT LOGS. Note: You must install your devices to the default location. Therefore, do not change the Install Location for your devices. Click Finish. The Feature Verification window appears. Click Install All to install all chosen devices. Step 3: In the Adaptive Log Exporter, click the Devices tab. Step 4: Right-click the Windows Event Log and select Add...
  • Page 73: Configuring Strm To Accept Logs

    Configuring STRM To Accept Logs. Both methods of collecting logs (with or without an agent) result in information being transmitted to STRM using syslog. By default, STRM collects information forwarded using syslog through the device discovery function. STRM automatically recognizes and normalizes Windows event logs.
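Because both collection methods end in a syslog stream that STRM auto-discovers and normalizes, the one thing a forwarder must get right is that each Windows event becomes exactly one well-formed syslog record. The following is an added example, not Juniper's code and not the Adaptive Log Exporter's wire format: the key=value body layout, the event-type-to-severity mapping, the ws01 host name, the UDP port and the event record are assumptions constructed for the demonstration. It renders a Windows Security event as an RFC 3164 line (PRI = facility * 8 + severity, space-padded day), strips CR/LF from the event text so attacker-influenced message content cannot smuggle a second, forged record past a receiver that splits on newlines, and parses the result the way a collector would.

```python
import re
import socket
from datetime import datetime

# RFC 3164 facility/severity numbers.
FACILITY_USER = 1
SEVERITY_FOR_EVENT_TYPE = {      # Windows event type -> syslog severity (assumed mapping)
    "Error": 3, "Warning": 4, "Information": 6,
    "Audit Success": 6, "Audit Failure": 4,
}
MAX_MSG_BYTES = 1024             # RFC 3164 packet size limit

_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<body>.*)$", re.S)


def build_syslog(host, event, facility=FACILITY_USER):
    """Render one Windows event record as a single RFC 3164 line.

    `event` keys (constructed for the example): time, log, source, id, type, message.
    The key=value body layout is an assumption, not the exporter's real format."""
    pri = facility * 8 + SEVERITY_FOR_EVENT_TYPE[event["type"]]
    t = event["time"]
    ts = f"{t:%b} {t.day:2d} {t:%H:%M:%S}"   # day is space padded, e.g. "Jun  1"
    # A syslog record is one line. Event text the sender does not control
    # (user names, process arguments) must not carry CR/LF, or a receiver
    # that splits on newline would treat the remainder as a second record.
    message = re.sub(r"[\r\n]+", " ", event["message"]).strip()
    body = (f"AgentDevice=WindowsLog AgentLogFile={event['log']} "
            f"Source={event['source']} EventID={event['id']} "
            f"EventType={event['type']} Message={message}")
    raw = f"<{pri}>{ts} {host} {body}".encode("utf-8")
    if len(raw) > MAX_MSG_BYTES:
        raw = raw[:MAX_MSG_BYTES]            # truncate rather than fragment
    return raw.decode("utf-8", "ignore")


def parse_syslog(line):
    """Receiver side: split PRI into facility/severity, pull out host and body."""
    m = _SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                            # 23 facilities * 8 + severity 7 is the maximum
        return None
    return {"facility": pri // 8, "severity": pri % 8,
            "timestamp": m.group("ts"), "host": m.group("host"),
            "body": m.group("body")}


def send_udp(line, dest=("127.0.0.1", 514)):
    """Ship a rendered record to a syslog listener over UDP (port 514 assumed)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line.encode("utf-8"), dest)


def demo():
    """Constructed failed-logon event whose text tries to smuggle a second record."""
    event = {
        "time": datetime(2008, 6, 1, 10, 0, 0),
        "log": "Security", "source": "Security", "id": 529, "type": "Audit Failure",
        "message": "Logon Failure: Unknown user name or bad password. User Name: jsmith\r\n"
                   "<14>Jun  1 10:00:01 dc01 AgentDevice=WindowsLog Message=forged success",
    }
    line = build_syslog("ws01", event)
    return line, parse_syslog(line)
```

In demo() the user-supplied portion of the event contains a CR/LF followed by what looks like a complete syslog record from another host; after rendering, the whole thing is one line attributed to ws01 with PRI 12 (user facility, warning severity), and the would-be forged record is just text inside the Message field. The receiver-side parser also rejects PRI values above 191, which a hand-crafted packet could otherwise use to land in an out-of-range facility bucket.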
