Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 R2 - LOG MANAGEMENT ADMINISTRATION GUIDE REV 1 Administration Manual

Security Threat Response Manager
STRM Log Management Administration
Guide
Release 2008.2 R2
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089
USA
408-745-2000
www.juniper.net
Part Number: 530-027298-01, Revision 1


Summary of Contents for Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 R2 - LOG MANAGEMENT ADMINISTRATION GUIDE REV 1

  • Page 1 Security Threat Response Manager STRM Log Management Administration Guide Release 2008.2 R2 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 408-745-2000 www.juniper.net Part Number: 530-027298-01, Revision 1...
  • Page 2 Juniper Networks or their respective owners. All specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
  • Page 3: Table Of Contents

    CONTENTS
    ABOUT THIS GUIDE: Audience; Conventions; Technical Documentation; Contacting Customer Support
    OVERVIEW: About the Interface; Accessing the Administration Console; Using the Interface; Deploying Changes; Viewing STRM Log Management Audit Logs; Logged Actions; Viewing the Log File
    MANAGING USERS: Managing Roles; Creating a Role; Editing a Role; Managing User Accounts; Creating a User Account...
  • Page 4 Starting and Stopping STRM Log Management; Accessing the Embedded SNMP Agent; Configuring Access Settings; Configuring Firewall Access; Updating Your Host Set-up; Configuring Interface Roles; Changing Passwords; Updating System Time
    MANAGING BACKUP AND RECOVERY: Managing Backup Archives; Viewing Back Up Archives; Importing an Archive; Deleting a Backup Archive; Backing Up Your Information...
  • Page 5 Q1 LABS MIB; INDEX...
  • Page 7: About This Guide

    Documentation directly from the Juniper Networks support web site at https://juniper.net/support. Once you access the Juniper Networks support web site, locate the product and software release for which you require documentation. Your comments are important to us. Please send your e-mail comments about this guide or any of the Juniper Networks documentation to: documentation@juniper.net.
  • Page 8: Contacting Customer Support

    STRM Log Management, you can contact Customer Support as follows: • Log a support request 24/7: https://juniper.net/support/ • For access to the Juniper Networks support web site, please contact Customer Support. • Access Juniper Networks support and Self-Service support using e-mail: ...
  • Page 9: Overview

    OVERVIEW This chapter provides an overview of the STRM Log Management Administration Console and STRM Log Management administrative functionality including: • About the Interface • Accessing the Administration Console • Using the Interface • Deploying Changes • Viewing STRM Log Management Audit Logs • ...
  • Page 10: Accessing The Administration Console

    OVERVIEW Accessing the Administration Console: You can access the STRM Log Management Administration Console through the main STRM Log Management interface. Also, you can create a shortcut on your desktop that allows you to access the Administration Console directly. To access the Administration Console, click Config in the main STRM Log Management interface.
  • Page 11: Deploying Changes

    Deploying Changes Table 1-1 Administrative Console Menu Options (continued), Menu Option > Sub-Menu: Description. STRM > Stop: Stops the STRM Log Management application. STRM > Restart: Restarts the STRM Log Management application. Help > Help and Support: Opens user documentation. Help > About STRM: Displays version information. The Administration Console provides several toolbar options including: Table 1-2 Administration Console Toolbar Options, Icon...
  • Page 12: Logged Actions

    OVERVIEW Logged Actions STRM Log Management logs the following categories of actions in the audit log file: Table 1-3 Logged Actions, Category: Action. User Authentication: Log in to STRM Log Management. User Authentication: Log out of STRM Log Management. Administrator Authentication: Log in to the STRM Log Management Administration Console. Administrator Authentication: ...
  • Page 13: Viewing The Log File

    Viewing STRM Log Management Audit Logs Table 1-3 Logged Actions (continued), Category: Action. Sensor Device Extension: Adding a sensor device extension; Editing a sensor device extension; Deleting a sensor device extension; Uploading a sensor device extension; Uploading a sensor device extension successfully; Downloading a sensor device extension; Reporting a sensor device extension...
  • Page 14 OVERVIEW <date_time> is the date and time of the activity in the format: Month Date HH:MM:SS. <host name> is the host name of the Console where this activity was logged. <user> is the name of the user that performed the action. ...
  • Page 15: Managing Users

    MANAGING USERS This chapter provides information on managing STRM Log Management users including: • Managing Roles • Managing User Accounts • Authenticating Users. You can add or remove user accounts for all users that you wish to access STRM Log Management. Each user is associated with a role, which determines the privileges the user has to functionality and information within STRM Log Management.
  • Page 16 MANAGING USERS Step 4 Enter values for the parameters. You must select at least one permission to proceed. Table 2-1 Create Roles Parameters, Parameter: Description. Role Name: Specify the name of the role. The name can be up to 15 characters in length and must only contain integers and letters.
  • Page 17: Editing A Role

    Managing Roles Table 2-1 Create Roles Parameters (continued), Parameter: Description. Reporting: Select the check box if you wish to grant this user access to Reporting functionality. Within the Reporting functionality, you can grant users additional access to the following: • Distribute Reports via Email - Select the check box if ...
  • Page 18: Managing User Accounts

    MANAGING USERS Managing User Accounts: You can create a STRM Log Management user account, which allows a user access to selected network components using the STRM Log Management interface. You can also create multiple accounts for your system that include administrative privileges.
  • Page 19: Editing A User Account

    Managing User Accounts Table 2-2 User Details Parameters (continued), Parameter: Description. Role: Using the drop-down list box, select the role you wish this user to assume. For information on roles, see Managing Roles. If you select Admin, this process is complete. Click Next.
  • Page 20: Disabling A User Account

    MANAGING USERS The Manage Users window appears. Step 3 In the Manage Users area, click the user account you wish to edit. The User Details window appears. Step 4 Update values (see Table 2-2), as necessary. Step 5 Click Next. If you are editing a non-administrative user account, the Selected Network Objects window appears.
  • Page 21: Authenticating Users

    Authenticating Users: You can configure authentication to validate STRM Log Management users and passwords. STRM Log Management supports the following user authentication types: • System Authentication - Users are authenticated locally by STRM Log Management. This is the default authentication type. • RADIUS Authentication - Users are authenticated by a Remote Authentication ...
  • Page 22 MANAGING USERS Step 3 From the Authentication Module drop-down list box, select the authentication type you wish to configure. Step 4 Configure the selected authentication type: If you selected System Authentication, go to Step 5. If you selected RADIUS Authentication, enter values for the following parameters: Table 2-3 RADIUS Parameters, Parameter...
  • Page 23 Authenticating Users Table 2-4 TACACS Parameters (continued), Parameter: Description. Authentication Type: Specify the type of authentication you wish to perform. The options are: • PAP (Password Authentication Protocol) - Sends clear text between the user and the server. • CHAP (Challenge Handshake Authentication Protocol) - ...
  • Page 25: Setting Up STRM Log Management

    SETTING UP STRM LOG MANAGEMENT This chapter provides information on setting up STRM Log Management including: • Managing Your License Keys • Creating Your Network Hierarchy • Scheduling Automatic Updates • Configuring System Settings • Configuring System Notifications • Configuring the Console Settings • ...
  • Page 26: Updating Your License Key

    SETTING UP STRM LOG MANAGEMENT Updating your License Key: For your STRM Log Management Console, a default license key provides you access to the interface for 5 weeks. Choose one of the following options for assistance with your license key: • For a new or updated license key, please contact your local sales ...
  • Page 27: Exporting Your License Key Information

    Managing Your License Keys Step 5 Once you locate and select the license key, click Open. The Current License Details window appears. Step 6 Click Save. A message appears indicating the license key was successfully updated. Note: If you wish to revert back to the previous license key, click Revert to Deployed.
  • Page 28: Creating Your Network Hierarchy

    SETTING UP STRM LOG MANAGEMENT Step 3 Click Export Licenses. The export window appears. Step 4 Select one of the following options: • Open - Opens the license key data in an Excel spreadsheet. • Save - Allows you to save the file to your desktop. • ...
  • Page 29: Defining Your Network Hierarchy

    Creating Your Network Hierarchy Note: We recommend that you do not configure a network group with more than 15 objects. This may cause you difficulty in viewing detailed information for each group. You may also wish to define an all-encompassing group so that when you define new networks, the appropriate policies and behavioral monitors are applied.
  • Page 30 SETTING UP STRM LOG MANAGEMENT Step 8 Click Re-Order. The Reorder Group window appears. Step 9 Order the network objects in the desired order. Step 10 Click Save. Note: We recommend that you consider adding key servers as individual objects and grouping other major but related servers into multi-CIDR objects. Accepted CIDR Values: Table 3-2 provides a list of the CIDR values that STRM Log Management accepts: ...
  • Page 31 Creating Your Network Hierarchy Table 3-2 Accepted CIDR Values (continued), columns CIDR Length / Mask / Number of Networks / Hosts. Mask 255.255.255.224: 8 subnets. Mask 255.255.255.240: 16 subnets. Mask 255.255.255.248: 32 subnets. Mask 255.255.255.252: 64 subnets. Mask 255.255.255.254: none / none. Mask 255.255.255.255: 1/256 C. For example, a network is called a supernet when the prefix boundary contains fewer bits than the network's natural (such as, classful) mask.
  • Page 32: Scheduling Automatic Updates

    STRM Log Management interface to make sure your configuration files contain the latest network security information. The updates, located on the Juniper Networks support web site, include threats, vulnerabilities, and geographic information from various security related web sites.
  • Page 33: Configuring System Settings

    Configuring System Settings Step 4 In the Frequency list box, select the frequency of the updates: • Daily - Updates are downloaded every day at 1 am. • Weekly - Updates are downloaded every Sunday at 1 am. • ...
  • Page 34 SETTING UP STRM LOG MANAGEMENT Table 3-3 System Settings Parameters (continued), Parameter: Description. Audit Log Enable: Enables or disables the ability to collect audit logs. You can view audit log information using the Event Viewer. The default is Yes. Coalescing Events: Enables or disables the ability for a sensor device to coalesce (bundle) events.
  • Page 35 Configuring System Settings Table 3-3 System Settings Parameters (continued), Parameter: Description. Reporting Execution Time Limit: Specify the maximum amount of time, in seconds, you wish a reporting query to process before a time out occurs. The default is 57600 seconds. Command Line Execution Time Limit: Specify the maximum amount of time, in seconds, you ...
  • Page 36 SETTING UP STRM LOG MANAGEMENT Table 3-3 System Settings Parameters (continued), Parameter: Description. Destination Port: Specify the port to which you wish to send SNMP notifications. The default is 162. Community (V2): Specify the SNMP community, such as public. This parameter only applies if you are using SNMPv2. User Name: Specify the name of the user you wish to access SNMP related properties.
  • Page 37: Configuring System Notifications

    Configuring System Notifications: You can configure global system performance alerts for thresholds using the STRM Log Management Administration Console. This section provides information for configuring your global system thresholds. To configure global system thresholds: Step 1 In the Administration Console, click the System Configuration tab. The System Configuration panel appears.
  • Page 38 SETTING UP STRM LOG MANAGEMENT Table 3-4 Global System Notifications Parameters (continued), Parameter: Description. Kilobytes of memory used: Specify the threshold amount, in kilobytes, of used memory. This does not consider memory used by the kernel. Percentage of memory used: Specify the threshold percentage of used memory. Kilobytes of cache swap: Specify the threshold amount of memory, in kilobytes, ...
  • Page 39: Configuring The Console Settings

    Configuring the Console Settings Table 3-4 Global System Notifications Parameters (continued), Parameter: Description. Dropped Transmit packets: Specify the threshold number of transmitted packets that are dropped per second due to a lack of space in the buffers. Transmit carrier errors: Specify the threshold number of carrier errors that occur per second while transmitting packets.
  • Page 40 SETTING UP STRM LOG MANAGEMENT Step 3 Enter values for the parameters: Table 3-5 STRM Log Management Console Management Parameters, Parameter: Description. Console Settings. Enable 3D graphs in the user interface: Using the drop-down list box, select one of the following: • Yes - Displays Dashboard graphics in 3-dimensional ...
  • Page 41: Starting And Stopping Strm Log Management

    Starting and Stopping STRM Log Management Table 3-5 STRM Log Management Console Management Parameters (continued), Parameter: Description. Login Message File: Specify the location and name of a file that includes content you wish to appear on the STRM Log Management log in window. This file may be in text or HTML format and the contents of the file appear below the current log in window.
  • Page 42: Configuring Access Settings

    SETTING UP STRM LOG MANAGEMENT Step 3 In the View Agent column, click View Agent for the SNMP agent you wish to access. The SNMP Agent appears. Configuring Access Settings: The System Configuration tab provides access to the web-based system administration interface, which allows you to configure firewall rules, interface roles, passwords, and system time.
  • Page 43 Configuring Access Settings Step 6 In the Device Access box, you must include any STRM Log Management systems you wish to have access to this managed host. Only managed hosts listed will have access. For example, if you enter one IP address, only that one IP address will be granted access to the managed host.
  • Page 44: Updating Your Host Set-Up

    SETTING UP STRM LOG MANAGEMENT Step 8 Click Apply Access Controls. Step 9 Wait for the interface to refresh before continuing. Updating Your Host Set-up: You can use the web-based system administration interface to configure the mail server you wish STRM Log Management to use, the global password for STRM Log Management configuration, and the IP address for the STRM Log Management Console. To configure your host set-up: ...
  • Page 45: Configuring Interface Roles

    Configuring Access Settings ... distribute alerts and event messages. To use the mail server provided with STRM Log Management, enter localhost. Step 8 In the Enter the global configuration password box, enter the password you wish to use to access the host. Confirm the entered password. Note: The global configuration password must be the same throughout your deployment.
  • Page 46: Changing Passwords

    SETTING UP STRM LOG MANAGEMENT Step 6 For each interface listed, select the role you wish to assign to the interface using the Role list box. Step 7 Click Save Configuration. Step 8 Wait for the interface to refresh before continuing. Changing Passwords: To change the passwords: In the Administration Console, click the System Configuration tab.
  • Page 47 Configuring Access Settings Step 6 Update the passwords and confirm: Note: Make sure you record the entered values. • New Root Password - Specify the root password necessary to access the web-based system administration interface. • Confirm New Root Password - Re-enter the password for confirmation. ...
  • Page 48 SETTING UP STRM LOG MANAGEMENT Step 6 In the Time Zone box, select the time zone in which this managed host is located using the Change timezone to list box. Click Save. Step 7 In the Time Server box, you must specify the following options: • Timeserver hostnames or addresses - Specify the time server hostname or ...
  • Page 49 Configuring Access Settings Configuring Time Settings For Your System: To update the time settings for your system: Step 1 From the System View, use the right mouse button (right-click) on the managed host for which you wish to update the time settings and select Config Management. The web-based system administration interface login appears.
  • Page 50 SETTING UP STRM LOG MANAGEMENT Step 4 In the Time Zone box, select the time zone in which this managed host is located using the Change timezone to list box. Click Save. Step 5 In the System Time box, you must specify the current date and time you wish to assign to the managed host.
  • Page 51: Managing Backup And Recovery

    MANAGING BACKUP AND RECOVERY Using the Administration Console, you can back up and recover configuration information and data for STRM Log Management. You can back up and recover the following information for your system: • License key information • Configuration database information • User profile information • ...
  • Page 52: Importing An Archive

    MANAGING BACKUP AND RECOVERY The list of archives includes backup files that exist in the database. If a backup file is deleted, it is removed from the disk and from the database. Also, the entry is removed from this list and an audit event is generated to indicate the removal. If a backup is in progress, a status window appears to indicate the duration of the current backup, which user/process initiated the backup, and provides you with the option to cancel the backup.
  • Page 53: Deleting A Backup Archive

    Managing Backup Archives Step 3 In the Upload Archive field, click Browse. The File Upload window appears. Step 4 Select the archive file you wish to upload. Click Open. Step 5 Click Upload. Deleting a Backup Archive: To delete a backup archive: Note: To delete a backup archive file, the backup archive file and the Host Context component must reside on the same system.
  • Page 54: Backing Up Your Information

    MANAGING BACKUP AND RECOVERY Backing Up Your Information: You can back up your configuration information and data using the Backup Recovery Configuration window. You can back up your configuration information using a manual process. You can also back up your configuration information and data using a scheduled process.
  • Page 55: Initiating A Backup

    Backing Up Your Information Table 4-7 Backup Recovery Configuration Parameters (continued), Parameter: Description. Backup Repository Path: Specifies the location you wish to store your backup file. This path must exist before the backup process is initiated. If this path does not exist, the backup process aborts. The default is /store/backup.
  • Page 56: Restoring Your Configuration Information

    MANAGING BACKUP AND RECOVERY Step 3 Click On Demand Backup. The Create a Backup window appears. Step 4 Enter values for the following parameters: • Name - Specify a unique name you wish to assign to this backup file. The name must be a maximum of 100 alphanumeric characters.
  • Page 57 Restoring Your Configuration Information Note: The restore process only restores your configuration information. For assistance in restoring your data, contact Q1 Labs Customer Support. Step 1 In the Administration Console, click the System Configuration tab. The System Configuration panel appears. Click the Backup Recovery icon.
  • Page 59: Using The Deployment Editor

    USING THE DEPLOYMENT EDITOR The deployment editor allows you to manage the individual components of your STRM Log Management deployment. Once you configure your Event and System Views, you can access and configure the individual components of each managed host. Note: The Deployment Editor requires Java Runtime Environment.
  • Page 60: About The Deployment Editor

    USING THE DEPLOYMENT EDITOR About the Deployment Editor: You can access the deployment editor using the STRM Log Management Administration Console. You can use the deployment editor to create your deployment, assign connections, and configure each component. The deployment editor provides the following views of your deployment: • System View - Allows you to assign software components to systems ...
  • Page 61: Accessing The Deployment Editor

    About the Deployment Editor Accessing the Deployment Editor: In the Administration Console, click the deployment editor icon. The deployment editor appears. Once you update your configuration settings using the deployment editor, you must save those changes to the staging area. You must either manually deploy all changes using the Administration Console Deploy menu option or, upon exiting the Administration Console, a window appears prompting you to deploy changes before you exit.
  • Page 62 USING THE DEPLOYMENT EDITOR Table 5-1 Deployment Editor Menu Options (continued), Menu Option > Sub Menu Option: Description. Configure: Configures a STRM Log Management component. This option is only available when Event Collector or Event Processor is selected. Assign: Assigns a component to a managed host. This option is only available when Event Collector or Event Processor is selected.
  • Page 63: Creating Your Deployment

    About the Deployment Editor Table 5-2 Toolbar Options (continued), Icon: Description. Zoom in. Zoom out. Creating Your Deployment: To create your deployment, you must: Step 1 Build your System View. See Managing Your System View. Step 2 Configure added components. See Configuring STRM Log Management Components.
  • Page 64: Editing Deployment Editor Preferences

    USING THE DEPLOYMENT EDITOR Editing Deployment Editor Preferences: To edit the deployment editor preferences: Step 1 From the deployment editor main menu, select File > Edit Preferences. The Deployment Editor Setting window appears. Step 2 Enter values for the following parameters: • Presence Poll Frequency - Specify how often, in milliseconds, that the ...
  • Page 65: Adding Components

    Building Your Event View Step 4 Rename the components so each component has a unique name. See Renaming Components. Adding Components: To add components to your Event View: Step 1 In the deployment editor, click the Event View tab. The Event View appears. In the Event Tools panel, select a component you wish to add to your deployment.
  • Page 66: Connecting Components

    USING THE DEPLOYMENT EDITOR Step 4 From the Select a host to assign to list box, select a managed host to which you wish to assign the new component. Click Next. Step 5 Click Finish. Step 6 Repeat for each component you wish to add to your view. From the main menu, select File > ...
  • Page 67: Forwarding Normalized Events

    Building Your Event View Forwarding Normalized Events: To forward normalized events, you must configure an off-site Event Collector (target) in your current deployment and the associated off-site Event Collector in the receiving deployment (source). You can add the following components to your Event View: • Off-site Source - Indicates an off-site Event Collector from which you wish to ...
  • Page 68 USING THE DEPLOYMENT EDITOR Step 2 In the Components panel, select either Add Off-site Source or Add Off-site Target. The Adding a New Component Wizard appears. Step 3 Specify a unique name for the source or target. The name can be up to 15 characters in length and may include underscores or hyphens.
  • Page 69: Renaming Components

    Managing Your System View • Encrypt traffic from off-site source - Select the check box if you wish to encrypt traffic from an off-site source. To enable encryption, you must select this check box on the associated off-site source and target. Click Next.
  • Page 70: Setting Up Managed Hosts

    USING THE DEPLOYMENT EDITOR • Update the managed host port configuration. See Configuring a Managed Host. • Assign a component to a managed host. See Assigning a Component to a Host. • Configure Host Context. See Configuring Host Context. Setting Up Managed Hosts: Using the deployment editor you can manage all hosts in your deployment including: ...
  • Page 71 Managing Your System View Adding a Managed Host: To add a managed host: Step 1 From the menu, select Actions > Add a managed host. The Add new host wizard appears. Step 2 Click Next. The Enter the host's IP window appears. Step 3 Enter values for the parameters: • Enter the IP of the server or appliance to add - Specify the IP address of the ...
  • Page 72 USING THE DEPLOYMENT EDITOR • Confirm the root password of the host - Specify the password again, for confirmation. • Host is NATed - Select the check box if you wish to use an existing Network Address Translation (NAT) on this managed host. For more information on NAT, see Using NAT with STRM Log Management.
  • Page 73 Managing Your System View Step 3 Click Next. The attributes window appears. Step 4 Edit the following values, as necessary: • Host is NATed - Select the check box if you wish to use existing Network Address Translation (NAT) on this managed host. For more information on NAT, see Using NAT with STRM Log Management.
  • Page 74: Using Nat With Strm Log Management

    USING THE DEPLOYMENT EDITOR If you selected the Host is NATed check box, the Configure NAT settings window appears. Go to Step 5. Otherwise, go to Step . Step 5 To select a NATed network, enter values for the following parameters: • Enter public IP of the server or appliance to add - Specify the public IP ...
  • Page 75 Managing Your System View You can add a non-NATed managed host that uses inbound NAT for the public IP address and dynamic outbound NAT but is located on the same switch as the Console or managed host. However, you must configure the managed host to use the same IP address for the public and private IP addresses.
  • Page 76 USING THE DEPLOYMENT EDITOR Editing a NATed Network: To edit a NATed network: Step 1 In the deployment editor, click the NATed networks icon. Note: You can also use the Actions > Managed NATed Networks menu option to access the Managed NATed Networks window. The Manage NATed Networks window appears.
  • Page 77 Managing Your System View Changing the NAT Status for a Managed Host: To change your NAT status for a managed host, make sure you update the managed host configuration within STRM Log Management before you update the device. This prevents the host from becoming unreachable and allows you to deploy changes to that host.
  • Page 78: Configuring A Managed Host

    USING THE DEPLOYMENT EDITOR Configuring a Managed Host: To configure a managed host: Step 1 From the System View, use the right mouse button (right-click) on the managed host you wish to configure and select Configure. The Configure host window appears. Step 2 Enter values for the parameters: • Minimum port allowed - Specify the minimum port for which you wish to ...
  • Page 79: Configuring Host Context

    Managing Your System View Step 5 From the Select a host drop-down list box, select the host that you wish to assign to this component. Click Next. Note: The drop-down list box only displays managed hosts that are running a compatible version of STRM Log Management software.
  • Page 80 USING THE DEPLOYMENT EDITOR Step 5 Enter values for the parameters: Table 5-3 Host Context Parameters, Parameter: Description. Disk Usage Sentinal Settings. Warning Threshold: When the configured threshold of disk usage is exceeded, an e-mail is sent to the administrator indicating the current state of disk usage.
  • Page 81 Managing Your System View Table 5-3 Host Context Parameters (continued), Parameter: Description. Recovery Threshold: Once the system has exceeded the shutdown threshold, disk usage must fall below the recovery threshold before STRM Log Management processes are restarted. The default is 0.90; therefore, processes will not be restarted until the disk usage is below 90%.
  • Page 82: Configuring Strm Log Management Components

    USING THE DEPLOYMENT EDITOR Configuring STRM Log Management Components: This section provides information on configuring STRM Log Management components and includes: • Configuring an Event Collector • Configuring an Event Processor. Configuring an Event Collector: The Event Collector collects security events from various types of security devices in your network.
  • Page 83: Configuring An Event Processor

    Configuring STRM Log Management Components Step 4 In the toolbar, click Advanced to display the advanced parameters. The advanced configuration parameters appear. Step 5 Enter values for the parameters: Table 5-5 Event Collector Advanced Parameters, Parameter: Description. Receives Flow Context: Specifies the first Event Collector installed in your deployment.
  • Page 84 USING THE DEPLOYMENT EDITOR Step 3 Enter values for the parameters: Table 5-6 Event Processor Parameters, Parameter: Description. Event Processor Server Listen Port: Specify the port that the Event Processor monitors for incoming connections. The default range is from 32000 to 65535.
  • Page 85: Forwarding Syslog Data

    FORWARDING SYSLOG DATA STRM Log Management allows you to forward received log data to other products. You can forward syslog data (raw log data) received from devices as well as STRM Log Management normalized event data. You can forward data on a per Event Collector/Event Processor basis and you can configure multiple forwarding destinations.
  • Page 86: Editing A Syslog Destination

    FORWARDING SYSLOG DATA Step 4 Enter values for the parameters: • Forwarding Event Collector - Using the drop-down list box, select the deployed Event Collector from which you wish to forward log data. • IP - Enter the IP address of the system to which you wish to forward log data. • Port - Enter the port number on the system to which you wish to forward log ...
  • Page 87: Delete A Syslog Destination

    Delete a Syslog Destination: To delete a syslog forwarding destination: Step 1 In the Administration Console, click the SIM Configuration tab. The SIM Configuration panel appears. Step 2 Click the Syslog Forwarding Destinations icon. The Syslog Forwarding Destinations window appears. Select the entry you wish to delete.
  • Page 89 Q1 LABS MIB This appendix provides information on the Q1 Labs Management Information Base (MIB). The Q1 Labs MIB allows you to send SNMP traps to other network management systems. The Q1 Labs OID is 1.3.6.1.4.1.20212. Note: For assistance with the Q1 Labs MIB, please contact Q1 Labs Customer Support.
  • Page 90 Q1 LABS MIB
    SYNTAX DisplayString
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "Notification Data"
    ::= { q1Labs 100 }
    q1Notifications OBJECT IDENTIFIER ::= { q1Labs 200 }
    q1CRENotification NOTIFICATION-TYPE
    STATUS current
    DESCRIPTION "QRADAR Custom Rule Engine Notification"
    ::= { q1Notifications 0 }
    q1EventRuleNotification NOTIFICATION-TYPE
    STATUS current
    DESCRIPTION "Notification Triggered by an Custom Event Rule"...
  • Page 91 INDEX ... using 55; administration console: about 3, accessing 4, using 4; administrator role 10; Ariel database 78; audience 1; audit log: viewing 7; audit logs 5; authentication ...; device access 36; device management 39; encryption 60; Event Collector: about 58, configuring 76; Event Processor: about 58, configuring 77...
  • Page 92 INDEX removing 68 system settings 27 set-up 38 configuring 27 maximum real-time results 28 system thresholds 31 MIB 83 system time 41 system view about 54 assigning components 72 Host Context 73 managed host 72 editing 70 managing 63 enabling 68 removing 70 using with STRM Log Management 68 Network Address Translation.
