Enterasys Security Information and Event Manager (SIEM) Configuration Manual

Enterasys
®
Security Information and Event Manager (SIEM)
Configuring DSMs
Release 7.7.0
P/N 9034592-05


Summary of Contents for Enterasys Security Information and Event Manager (SIEM)

  • Page 3 Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such changes have been made.
  • Page 4 (2) copies of the Licensed Software in whole or in part, including the original media, in your possession for said purposes without Enterasys’ prior written consent, and in no event shall You operate more than one copy of the Licensed Software.
  • Page 5 Licensed Materials to ensure that no unauthorized personnel shall have access thereto and that no unauthorized copy, publication, disclosure, or distribution, in whole or in part, in any form shall be made, and You agree to notify Enterasys of any unauthorized use thereof.
  • Page 6 Enterasys in good faith determines that the media and proof of payment of the license fee are returned to Enterasys or the dealer from whom it was obtained within ninety (90) days of the date of payment of the license fee.
  • Page 7 (g) Enterasys’ waiver of any right shall not constitute waiver of that right in future. This Agreement constitutes the entire understanding between the parties with respect to the subject matter hereof, and all prior agreements, representations, statements and undertakings, oral or written, are hereby expressly superseded and canceled. No purchase order shall supersede this Agreement.
  • Page 9: Table Of Contents

    Contents. About This Guide: Audience ............1 Conventions .
  • Page 10 Enterasys HiPath Wireless Controller ........91...
  • Page 11 Enterasys Matrix K/N/S Series Switch ........
  • Page 12 IBM IMS ............151; ISC BIND; Imperva SecureSphere...
  • Page 13 Microsoft IIS Server ..........214 Microsoft ISA .
  • Page 14 Oracle DB Listener ..........274 Oracle Audit Vault.
  • Page 15 Squid Proxy; Starent Networks; Stonesoft Management Center; Solaris: Sun Solaris............341 Sun Solaris DHCP .
  • Page 16 Tripwire; Tropos Control; Universal DSM; Vericept Content 360; Websense V-Series: Websense V-Series Data Security Suite ....... . .383 Websense V-Series Content Gateway .
  • Page 17: About This Guide

    Indicates that the information is critical. A warning alerts you to potential dangers, threats, or potential personal injury. Read any and all warnings carefully before proceeding. Related Documentation: For more information, refer to the Enterasys Extranet to obtain the latest Enterasys SIEM documentation, including: Installation Guide •...
  • Page 18: Contacting Customer Support

    Enterasys Networks using one of the following methods: World Wide Web http://www.enterasys.com/support Phone 1-800-872-8440 (toll-free in U.S. and Canada) or 1-978-684-1000 For the Enterasys Networks Support toll-free number in your country: http://www.enterasys.com/support Email support@enterasys.com To expedite your message, please type [dragon] in the subject line.
  • Page 19: Overview

    Administration Guide. NOTE Information found in this documentation about configuring Device Support Modules (DSMs) is based on the latest RPM files located on the Enterasys Extranet, located at http://extranet.enterasys.com/downloads. To configure SIEM to receive events from devices, you must: Configure the device to send events to SIEM.
  • Page 21: Installing Dsms

    Installing DSMs. The Enterasys Extranet contains RPM files that allow you to install new or update existing DSMs. Updated DSMs contain improved event parsing for network security products and enhancements for event categorization in the SIEM Identification Map (QIDmap). To install a DSM, perform the following steps: Download the file to your system hosting SIEM.
  • Page 23: 3Com 8800 Series Switch

    3Com 8800 Series Switch. A SIEM 3Com 8800 Series Switch DSM accepts events using syslog. SIEM records all relevant status and network condition events. Before configuring a 3Com 8800 Series Switch device in SIEM, you must configure your device to send syslog events to SIEM.
  • Page 25: Ambiron TrustWave ipAngel

    Ambiron TrustWave ipAngel. A SIEM Ambiron TrustWave ipAngel DSM accepts events using syslog. SIEM records all Snort-based events from the ipAngel console. Before you configure SIEM to integrate with ipAngel, you must forward your cache and access logs to your SIEM system. For information on forwarding device logs to SIEM, see your vendor documentation.
  • Page 27: Apache HTTP Server

    Apache HTTP Server. A SIEM Apache HTTP Server DSM accepts Apache events using syslog or syslog-ng. SIEM records all relevant HTTP status events. The procedure in this section applies to Apache DSMs operating on UNIX/Linux platforms only. Select one of the following configuration methods: •...
  • Page 28: Configuring Apache Using Syslog-Ng

    Apache HTTP Server. For example: CustomLog "|/usr/bin/logger -t httpd -p local1.info" MyApacheLogs. Step 5 Type the following to disable hostname lookup: HostnameLookups off. Step 6 Save the Apache configuration file. Step 7 Edit the syslog configuration file, /etc/syslog.conf. Step 8 Add the following information to your syslog configuration file: <facility>.<priority>...
  • Page 29 Configuring Apache Using Syslog-ng. LogLevel info (the LogLevel may already be configured to the info level, depending on your Apache installation). Step 4 Add the following to the Apache configuration file to specify the custom log format: LogFormat "%h %A %l %u %t \"%r\" %>s %p %b" <log format name>, where <log format name> is a variable name you provide to define the custom...
  • Page 30 Apache HTTP Server. SIEM automatically detects syslog-ng events from an Apache HTTP Server. However, if you want to manually configure SIEM to receive events from Apache:  From the Log Source Type drop-down list box, select Apache HTTP Server. For more information on Apache, see http://www.apache.org/.
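The Apache procedure above pipes a custom LogFormat through logger -t httpd -p local1.info, so what reaches the SIEM is a syslog line wrapping the LogFormat body. The following is an added example, not code from the Enterasys manual, that unwraps that framing and parses the body back into typed fields so you can confirm what the collector will see before pointing it at SIEM. The sample lines, host names and addresses are constructed; the PRI value 142 is what local1.info encodes to.

```python
# Added example (not from the Enterasys manual): unwrap syslog framing and
# parse the Apache custom LogFormat  %h %A %l %u %t "%r" %>s %p %b
# as emitted through  CustomLog "|/usr/bin/logger -t httpd -p local1.info" <name>
import re
from datetime import datetime

# RFC 3164-style line as logger produces it: "<PRI>Mon dd HH:MM:SS host tag[pid]: msg"
SYSLOG_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) '
    r'(?P<host>\S+) (?P<tag>[^:\[ ]+)(?:\[\d+\])?: (?P<msg>.*)$'
)

# One group per directive of the custom LogFormat. With HostnameLookups off,
# %h is the client IP rather than a reverse-resolved name.
APACHE_RE = re.compile(
    r'^(?P<client>\S+) (?P<server>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
    r'(?P<port>\d+) (?P<bytes>\d+|-)$'
)


def parse_syslog(line):
    """Return (facility, severity, tag, message) or None. PRI = facility*8 + severity."""
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    pri = int(m.group("pri"))
    return pri // 8, pri % 8, m.group("tag"), m.group("msg")


def parse_apache(msg):
    """Return the LogFormat fields as a dict with typed values, or None."""
    m = APACHE_RE.match(msg)
    if m is None:
        return None
    d = m.groupdict()
    d["status"] = int(d["status"])
    d["port"] = int(d["port"])
    d["bytes"] = 0 if d["bytes"] == "-" else int(d["bytes"])   # "-" means no body sent
    d["time"] = datetime.strptime(d["time"], "%d/%b/%Y:%H:%M:%S %z")
    # %r is "METHOD PATH PROTOCOL"; pad so a malformed request line does not raise
    parts = d["request"].split(" ")
    d["method"], d["path"], d["protocol"] = (parts + ["", "", ""])[:3]
    return d


def ingest(lines, expected_tag="httpd"):
    """Keep only messages carrying the logger tag and a well-formed LogFormat body."""
    events = []
    for line in lines:
        hdr = parse_syslog(line)
        if hdr is None or hdr[2] != expected_tag:
            continue
        ev = parse_apache(hdr[3])
        if ev is not None:
            events.append(ev)
    return events


# Constructed sample input (not real captured traffic); <142> is local1.info.
SAMPLE = [
    '<142>Mar  4 10:15:01 web1 httpd: 203.0.113.9 192.0.2.10 - - '
    '[04/Mar/2013:10:15:01 +0000] "GET /index.html HTTP/1.1" 200 80 5120',
    '<142>Mar  4 10:15:02 web1 httpd: 203.0.113.9 192.0.2.10 - alice '
    '[04/Mar/2013:10:15:02 +0000] "POST /login HTTP/1.1" 401 443 -',
    '<38>Mar  4 10:15:03 web1 sshd[2201]: Accepted publickey for alice',
]

if __name__ == "__main__":
    for ev in ingest(SAMPLE):
        print(ev["client"], ev["method"], ev["path"], ev["status"], ev["bytes"])
```

Running this against a few lines taken from the real collector is a quick way to catch the two usual mistakes: a LogFormat that does not match the string in Step 4, and a syslog.conf selector whose facility or priority does not match the -p argument, in which case the lines never arrive at all.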
  • Page 31: Apple Mac Os

    Apple Mac OS X. A SIEM Apple Mac OS X DSM accepts events using syslog. SIEM records all relevant firewall, web server access, web server error, privilege escalation, and informational events. Before you configure SIEM to integrate with Mac OS X, you must: Log in to your Mac OS X device as a root user.
  • Page 33: Aruba Mobility Controllers

    Aruba Mobility Controllers. The SIEM Aruba Mobility Controllers DSM accepts events using syslog. SIEM records all relevant events. Before configuring an Aruba Mobility Controller device in SIEM, you must configure your device to send syslog events to SIEM. To configure the Aruba Wireless Networks (Mobility Controller) device to forward syslog events to SIEM: Log in to the Aruba Mobility Controller user interface.
  • Page 35: Array Networks SSL VPN

    Array Networks SSL VPN. The SIEM Array Networks SSL VPN DSM collects events from an ArrayVPN appliance using syslog. For details of configuring ArrayVPN appliances for remote syslog, consult Array Networks documentation. Once you configure syslog to forward events to SIEM, you are ready to configure the log source in SIEM.
  • Page 37: Bit9 Parity

    Bit9 Parity. The SIEM Bit9 Parity DSM accepts events using the Log Event Extended Format (LEEF), enabling SIEM to record all relevant events. Before configuring a Bit9 Parity DSM in SIEM, you must configure your Bit9 Parity device to send events to SIEM.
  • Page 39: Blue Coat Sg

    A Blue Coat SG DSM allows you to integrate SIEM with a Blue Coat SG appliance. SIEM records all relevant and available information from the event. The Blue Coat SG DSM supports the following formats: Custom Format • SQUID • NCSA •...
  • Page 40 Step 4 Type a format name for the custom format. Step 5 Select Custom format string. Step 6 Type the following custom format for SIEM, on one line with no spaces: Bluecoat|src=$(c-ip)|srcport=$(c-port)|dst=$(cs-uri-address)|dstport=$(cs-uri-port)|username=$(cs-username)|devicetime=$(gmttime)|s-action=$(s-action)|sc-status=$(sc-status)|cs-method=$(cs-method)|time-taken=$(time-taken)|sc-bytes=$(sc-bytes)|cs-bytes=$(cs-bytes)|cs-uri-scheme=$(cs-uri-scheme)|cs-host=$(cs-host)|cs-uri-path=$(cs-uri-path)|cs-uri-query=$(cs-uri-query)|cs-uri-extension=$(cs-uri-extension)|cs-auth-group=$(cs-auth-group)|s-hierarchy=$(s-hierarchy)|rs(Content-Type)=$(rs(Content-Type))|cs(User-Agent)=$(cs(User-Agent))|cs(Referer)=$(cs(Referer))|sc-filter-result=$(sc-filter-result)|filter-category=$(sc-filter-category)|cs-uri=$(cs-uri) Step 7 Select Log Last Header from the drop-down list box. Click OK.
  • Page 41 Creating a Custom Format Enabling Access To enable access logging on your Blue Coat SG device: Logging Select Configuration > Access Logging > General. Step 1 The Default Logging tab is displayed. Select the Enable Access Logging check box. Step 2 If the Enable Access Logging check box is not selected, logging is disabled globally for all of the formats listed.
  • Page 42 To configure SIEM to receive events from a Blue Coat SG device: From the Log Source Type drop-down list box, select the Bluecoat SG Step 1 Appliance option. From the Protocol Configuration drop-down list box, select the Log File option. Step 2 When configuring your BlueCoat device to use the Log File protocol configuration, make sure the hostname or IP address configured in the BlueCoat device is the...
  • Page 43: Custom Format Addition Key-Value Pairs

    For more information about configuring syslog, see your Bluecoat SG vendor documentation. Custom Format Addition Key-Value Pairs: The custom format allows you to forward specific Blue Coat data or events to SIEM using the Extended Log File Format (ELFF). The custom format is a series of pipe-delimited fields starting with and containing...
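The custom format above is a pipe-delimited series of key=value fields with no escaping, so a value that itself contains a pipe (a query string, a User-Agent) splits the record. As an added example that is not part of the manual, the following parser reads such records, glues a stray segment back onto the preceding value, checks that every field the format defines is present, and types the numeric fields. The sample record and the assumed rendering of $(gmttime) as "[dd/Mon/yyyy:HH:MM:SS GMT]" are constructed.

```python
# Added example (not from the Enterasys manual): parse and sanity-check the
# pipe-delimited custom format defined for the Blue Coat SG DSM above.
# The sample record and the assumed rendering of $(gmttime) are constructed.
from datetime import datetime, timezone

# Keys in the order the custom format string emits them.
EXPECTED_KEYS = [
    "src", "srcport", "dst", "dstport", "username", "devicetime",
    "s-action", "sc-status", "cs-method", "time-taken", "sc-bytes", "cs-bytes",
    "cs-uri-scheme", "cs-host", "cs-uri-path", "cs-uri-query",
    "cs-uri-extension", "cs-auth-group", "s-hierarchy", "rs(Content-Type)",
    "cs(User-Agent)", "cs(Referer)", "sc-filter-result", "filter-category",
    "cs-uri",
]
NUMERIC_KEYS = ("srcport", "dstport", "sc-status", "time-taken", "sc-bytes", "cs-bytes")


def parse_bluecoat(record):
    """Return {key: raw value} for one record, or raise ValueError.

    The format has no escaping, so a '|' inside a value (a URL query string,
    a User-Agent) would otherwise split the record. A segment that does not
    start with an expected key is glued back onto the preceding value.
    """
    segments = record.rstrip("\r\n").split("|")
    if segments[0] != "Bluecoat":
        raise ValueError("record does not start with the 'Bluecoat' leader")
    fields, current = {}, None
    for seg in segments[1:]:
        key, sep, value = seg.partition("=")
        if sep and key in EXPECTED_KEYS and key not in fields:
            fields[key] = value
            current = key
        elif current is not None:
            fields[current] += "|" + seg
        else:
            raise ValueError("unexpected segment %r" % seg)
    missing = [k for k in EXPECTED_KEYS if k not in fields]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    return fields


def normalise(fields):
    """Type the numeric fields, parse devicetime and flag blocked requests.
    ELFF writes '-' for an empty field; that becomes None."""
    out = dict(fields)
    for key in NUMERIC_KEYS:
        out[key] = None if fields[key] == "-" else int(fields[key])
    # Assumption: $(gmttime) renders as "[dd/Mon/yyyy:HH:MM:SS GMT]".
    out["devicetime"] = datetime.strptime(
        fields["devicetime"], "[%d/%b/%Y:%H:%M:%S GMT]").replace(tzinfo=timezone.utc)
    out["blocked"] = fields["sc-filter-result"].upper() == "DENIED"
    return out


# Constructed sample record; note the '|' inside cs-uri-query and cs-uri.
SAMPLE = (
    "Bluecoat|src=10.1.2.3|srcport=51234|dst=198.51.100.7|dstport=443"
    "|username=alice|devicetime=[04/Mar/2013:10:15:01 GMT]|s-action=TCP_DENIED"
    "|sc-status=403|cs-method=GET|time-taken=12|sc-bytes=1024|cs-bytes=512"
    "|cs-uri-scheme=https|cs-host=example.net|cs-uri-path=/dl|cs-uri-query=?id=1|x=2"
    "|cs-uri-extension=-|cs-auth-group=staff|s-hierarchy=-"
    "|rs(Content-Type)=text/html|cs(User-Agent)=Mozilla/5.0|cs(Referer)=-"
    "|sc-filter-result=DENIED|filter-category=Malware"
    "|cs-uri=https://example.net/dl?id=1|x=2"
)

if __name__ == "__main__":
    ev = normalise(parse_bluecoat(SAMPLE))
    print(ev["src"], ev["cs-uri"], ev["sc-status"], ev["blocked"])
```

The missing-field check is the useful part when rolling this out: if the format string typed into the appliance differs from the one above (a dropped field, a space inside a token), every record fails with the list of absent keys rather than silently shifting columns.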
  • Page 45: Bridgewater

    Bridgewater. The SIEM Bridgewater System DSM accepts events using syslog. SIEM records all relevant events. Before configuring a Bridgewater Systems device in SIEM, you must configure your device to send syslog events to SIEM. To configure the device to send syslog events to SIEM: Log in to your Bridgewater Systems device command line interface (CLI).
  • Page 46 Bridgewater. Step 9 You are now ready to configure the log source in SIEM. To configure SIEM to receive events from a Bridgewater Systems device:  From the Log Source Type drop-down list box, select the Bridgewater Systems AAA Service Controller option. For more information on configuring log sources, see the Log Sources User Guide.
  • Page 47: Ca Technologies

    Pulling Data Using Log File Protocol. Configuring CA ACF2 to Integrate with SIEM: To integrate CA ACF2 with SIEM: Step 1 From the Enterasys Extranet website, download the following compressed file: qexacf2_bundled.tar.gz. Step 2 On a Linux-based operating system, extract the file:...
  • Page 48 CA Technologies. tar -zxvf qexacf2_bundled.tar.gz. The following files are contained in the archive: QexACF2.JCL.txt - Job Control Language file; QexACF2.load.trs - Compressed program library (requires IBM TRSMAIN); trsmain sample JCL.txt - Job Control Language for TRSMAIN to decompress the .trs file. Step 3 Load the files onto the IBM mainframe using the following methods:...
  • Page 49 CA ACF2. The .trs input file is an IBM TERSE formatted library and is extracted by running the JCL, which calls TRSMAIN. This tersed file, when extracted, creates a PDS linklib with the QexACF2 program as a member. Step 5 You can STEPLIB to this library or choose to move the program to one of the LINKLIBs that are in LINKLST.
  • Page 50 CA Technologies. Sample JCL:

    //PRESCAN EXEC PGM=ACFRPTPP
    //SYSPRINT DD SYSOUT=*
    //SYSUDUMP DD SYSOUT=*
    //RECMAN1 DD DISP=SHR,DSN=&SMFIN
    //SMFFLT DD DSN=&SMFOUT,SPACE=(CYL,(100,100)),DISP=(,CATLG),
    // DCB=(RECFM=FB,LRECL=8192,BLKSIZE=40960),
    // UNIT=SYSALLDA
    //************************************************************
    //* execute QEXACF2
    //************************************************************
    //EXTRACT EXEC PGM=QEXACF2,DYNAMNBR=10,
    // TIME=1440
    //STEPLIB DD DISP=SHR,DSN=Q1JACK.C.LOAD
    //SYSTSIN DD DUMMY
    //SYSTSPRT DD SYSOUT=*
    //SYSPRINT DD SYSOUT=*
    //CFG DD DUMMY
    //ACFIN DD DISP=SHR,DSN=&SMFOUT...
  • Page 51 CA ACF2. Where: <IPADDR> is the IP address or host name of the interim FTP server to receive the output file. <USER> is the user name required to access the interim FTP server. <PASSWORD> is the password required to access the interim FTP server. Note that these credentials sit in clear text in the job and FTP transmits them unencrypted, so restrict read access to the job library and keep the interim FTP server on a trusted network segment....
  • Page 52: Ca Top Secret

    Configuring CA Top Secret to Integrate with SIEM: To integrate CA Top Secret with SIEM: Step 1 From the Enterasys Extranet website, download the following compressed file: qextops_bundled.tar.gz. Step 2 On a Linux-based operating system, extract the file: tar -zxvf qextops_bundled.tar.gz. The following files are contained in the archive: qextops_jcl.txt...
  • Page 53 CA Top Secret. qextopsloadlib.trs; qextops_trsmain_JCL.txt. Step 3 Load the files onto the IBM mainframe using any terminal emulator file transfer method. Upload the sample files qextops_trsmain_JCL.txt and qextops_jcl.txt using the TEXT protocol. Upload the qextopsloadlib.trs file using a BINARY mode transfer. The qextopsloadlib.trs file is a tersed file containing the executable (the...
  • Page 54 CA Technologies. Step 5 You can STEPLIB to this library or choose to move the program to one of the LINKLIBs that are in the LINKLST. The program does not require authorization. Step 6 After uploading, copy the program to an existing link listed library or add a STEPLIB DD statement with the correct dataset name of the library that will contain the program.
  • Page 55 CA Top Secret. Sample JCL:

    //EARLOUT DD DSN=&TSSOUT,
    // DISP=(NEW,CATLG),UNIT=SYSDA,
    // SPACE=(CYL,(200,100),RLSE),
    // DCB=(RECFM=VB,LRECL=456,BLKSIZE=27816)
    //UTILIN DD *
    NOLEGEND REPORT EVENT(ALL)
    //************************************************************
    //EXTRACT EXEC PGM=QEXTOPS,DYNAMNBR=10,
    // TIME=1440
    //STEPLIB DD DISP=SHR,DSN=Q1JACK.C.LOAD
    //SYSTSIN DD DUMMY
    //SYSTSPRT DD SYSOUT=*
    //SYSPRINT DD SYSOUT=*
    //CFG DD DUMMY
    //EARLIN DD DISP=SHR,DSN=&TSSOUT
    //EARLOUT DD DISP=SHR,DSN=&EARLOUT
    //************************************************************
    //FTP EXEC PGM=FTP,REGION=3800K
    //INPUT DD *
    <IPADDR>...
  • Page 56 CA Technologies. <USER> is the user name required to access the interim FTP server. <PASSWORD> is the password required to access the interim FTP server. <THEIPOFTHEMAINFRAMEDEVICE> is the destination of the mainframe or interim FTP server receiving the output. For example: PUT 'Q1JACK.QEXTOPS.OUTPUT.C320' /192.168.1.101/CA/QEXTOPS.OUTPUT.C320...
  • Page 57 CA Top Secret. For more information on configuring log sources and protocols, see the Log Sources User Guide.
  • Page 59: Check Point

    Check Point. This section provides information on the following DSMs: Check Point FireWall-1; Check Point Provider-1. Check Point FireWall-1: You can configure SIEM to integrate with a Check Point FireWall-1 device using one of the following methods: Integrating Check Point FireWall-1 Using Syslog; ...
  • Page 60 Check Point. $FWDIR/bin/fw log -ftn | /usr/bin/logger -p <facility>.<priority> > /dev/null 2>&1 & Where <facility> is a syslog facility, for example, local3, and <priority> is a syslog priority, for example, info. For example: $FWDIR/bin/fw log -ftn | /usr/bin/logger -p local3.info > /dev/null 2>&1 &...
  • Page 61 Check Point FireWall-1. For more information on configuring log sources, see the Log Sources User Guide. For more information about Check Point FireWall-1, see the Check Point FireWall-1 documentation. Integrating Check Point FireWall-1 Using OPSEC/LEA: This section describes how to ensure that the SIEM Check Point FireWall-1 DSM accepts events using Open Platform for Security (OPSEC/LEA).
  • Page 62 Check Point. Creating an OPSEC Application Object. To create the OPSEC Application Object: Step 1 Open the Check Point SmartDashboard user interface. Step 2 Select Manage > Servers and OPSEC applications > New > OPSEC Application Properties. Step 3 Assign a name to the OPSEC Application Object. For example: SIEM-OPSEC...
  • Page 63 Check Point FireWall-1. NOTE You must know if the Check Point Log Host is a separate object in your configuration from the Check Point Management Server. In most cases, the Check Point Log Host is the same object as the Check Point Management Server. Click Edit.
  • Page 64 Check Point. Server IP - Type the IP address of the Check Point host or Check Point Management Server IP. Server Port - Type the port used for OPSEC/LEA. The default is 18184. You must ensure the existing firewall policy permits the LEA/OPSEC connection from your SIEM host or SIEM Event Processor.
  • Page 65 Check Point FireWall-1. Step 2 Depending on your Check Point SmartCenter Server's operating system, open the following file: in Linux, $FWDIR/conf/fwopsec.conf; in Windows, %FWDIR%\conf\fwopsec.conf. The default contents of this file are as follows: # The VPN-1/FireWall-1 default settings are: sam_server auth_port sam_server port...
  • Page 66: Check Point FireWall-1

    Check Point. Step 5 Remove the hash (#) marks from both lines. For example: lea_server auth_port; lea_server port 18184. Step 6 Save and close the file. Step 7 Type the following command to start the firewall services: cpstart. Step 8 You are now ready to configure the log source in SIEM. To configure SIEM to receive events from a Check Point FireWall-1 device: From the Log Source Type drop-down list box, select Check Point FireWall-1.
  • Page 67 Check Point Provider-1. mdsenv <customer name>. Step 5 Type the following command: # nohup $FWDIR/bin/fw log -ftn | /usr/bin/logger -p <facility>.<priority> 2>&1 & Where <facility> is a syslog facility, for example, local3, and <priority> is a syslog priority, for example, info. You are now ready to configure the log source in SIEM.
  • Page 68 Check Point. The name you type must be different from the name used in the earlier step. Step 7 From the Host drop-down menu, select the SIEM host object that you just created. Step 8 From Application Properties, select User Defined as the Vendor type. From Client Entries, select LEA.
  • Page 69: Cisco

    Cisco. This section provides information on the following DSMs: Cisco ACE Firewall; Cisco Aironet; Cisco ACS; Cisco ASA; Cisco CatOS for Catalyst Switches; Cisco CSA; Cisco FWSM; Cisco IDS/IPS; Cisco IronPort; ...
  • Page 70: Cisco Aironet

    Cisco. Step 4 Type the hostname or IP address of the destination host and port in the First Syslog Server field. Click OK. The system restarts with new settings. When finished, the Syslog server window displays the host you have configured. Click OK.
  • Page 71: Cisco ACS

    Step 7 Enable timestamps on log messages: service timestamps log datetime. Step 8 Return to privileged EXEC mode. Step 9 View your entries: show running-config. Step 10 Save your entries in the configuration file: copy running-config startup-config. Step 11 You are now ready to configure the log source in SIEM. To configure SIEM to receive events from a Cisco ACS device: ...
  • Page 72 Cisco. Nas-IP-Address; Authen-Failure-Code; Caller-ID; NAS-Port; Author-Data; Group-Name; Filter Information; Logged Remotely. Step 7 Configure the following syslog parameters: IP - Type the IP address of SIEM. Port - Type the syslog port number of SIEM. The default is port 514. Max message length (Bytes) - Type 1024 as the maximum syslog message...
  • Page 73: Cisco Asa

    Cisco ASA. Step 6 Add the following Logged Attributes: Message-Type; User-Name; Nas-IP-Address; Authen-Failure-Code; Caller-ID; NAS-Port; Author-Data; Group-Name; Filter Information; Logged Remotely. Step 7 Configure a time frame for Cisco ACS to generate a new csv file. Click Submit.
  • Page 74 Cisco. Integrating Cisco ASA Using Syslog: This section describes how to configure Cisco ASA to forward syslog events. Step 1 Log in to the Cisco ASA device. Step 2 Type the following command to access privileged EXEC mode: enable. Step 3 Type the following command to access global configuration mode: conf t. Enable logging:...
  • Page 75 Cisco ASA. For more information on forwarding NetFlow to SIEM, see your vendor documentation. Integrating Cisco ASA for NetFlow using NSEL: This section describes how to configure Cisco ASA to forward NetFlow events using NSEL. Step 1 Log in to the Cisco ASA device command line interface (CLI). Step 2 Type the following command to access privileged EXEC mode:...
  • Page 76: Cisco CatOS for Catalyst Switches

    Cisco. Step 9 Type the following command to define a class for the flow-export action: class flow_export_class. Step 10 Type the following command to configure the flow-export action: flow-export event-type all destination <IP address>, where <IP address> is the IP address of SIEM. NOTE If you are using a version of Cisco ASA prior to v8.3 you may skip Step 10...
  • Page 77: Cisco CSA

    Cisco CSA. set logging timestamp enable. Step 4 Type the IP address of the SIEM server: set logging server <IP address>. Step 5 Limit messages that are logged by selecting a severity level: set logging server severity <server severity level>. Configure the facility level that should be used in the message.
  • Page 78: Cisco Fwsm

    Cisco. Step 9 Click Save. For more information on forwarding logs to SIEM, see your vendor documentation. Step 10 You are now ready to configure the log source in SIEM. To configure SIEM to receive events from a Cisco CSA device: ...
  • Page 79: Cisco IronPort

    Cisco IDS/IPS: SIEM only supports direct SDEE connections to the device, not to the management software that controls the device. NOTE You must have security access or web authentication on the device before connecting to SIEM. Once you configure your Cisco IDS/IPS device, you must configure the SDEE protocol in SIEM.
  • Page 80: Cisco NAC

    Cisco. Log Name - Type a log name. File Name - Use the default configuration value. Maximum File Size - Use the default configuration value. Log Level - Select Information (Default). Retrieval Method - Select Syslog Push. ...
  • Page 81: Cisco IOS

    Before configuring a Cisco NAC device in SIEM, you must configure your device to send syslog events to SIEM. To configure the device to send syslog events to SIEM: Step 1 Log in to the Cisco NAC user interface. In the Monitoring section, select Event Logs.
  • Page 82: Cisco PIX

    Cisco. logging trap warning; logging console warning, where warning is the priority setting for the logs. Step 5 Configure the syslog facility: logging facility syslog. Step 6 Save and exit the file. Step 7 Copy running-config to startup-config: copy running-config startup-config. You are now ready to configure the log source in SIEM.
  • Page 83: Cisco Vpn 3000 Concentrator

    To integrate Cisco PIX: Step 1 Log in to the Cisco PIX using a console connection, telnet, or SSH. Step 2 Type the following command to access Privileged mode: enable. Step 3 Type the following command to access Configuration mode: conf t. Enable logging and timestamp the logs:...
  • Page 84: Cisco Wireless Services Module

    Cisco. set logging server facility server_facility_parameter; set logging server severity server_severity_level. Step 5 You are now ready to configure the log source in SIEM. To configure SIEM to receive events from a Cisco VPN Concentrator device:  From the Log Source Type drop-down list box, select Cisco VPN 3000 Series Concentrator.
  • Page 85 Cisco Wireless Services Module. Mail - Facility level 2; System Daemons - Facility level 3; Authorization - Facility level 4; Syslog - Facility level 5 (default value); Line Printer - Facility level 6; USENET - Facility level 7; ...
  • Page 86 Cisco. ...to Warnings (severity level 4), only those messages whose severity is between 0 and 4 are logged. Step 8 Select the File Info check box if you want the message logs to include information about the source file. The default value is enabled. Step 9 Select the Proc Info check box if you want the message logs to include process information.
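Several procedures on this page set a syslog facility and a severity: the Check Point "logger -p <facility>.<priority>" commands (local3.info), the Cisco "logging trap warning" threshold, and the facility numbers listed for the Wireless Services Module. The following is an added example, not from the manual, showing the arithmetic that ties them together: the PRI in a syslog header is facility * 8 + severity, and a trap level forwards only messages whose severity number is at or below it (lower numbers are more severe, so "warning" keeps 0 through 4). The Cisco-style messages are constructed.

```python
# Added example (not from the Enterasys manual): the syslog PRI arithmetic
# behind "logger -p <facility>.<priority>" and the Cisco "logging trap <level>"
# threshold. PRI = facility * 8 + severity (RFC 3164 / RFC 5424).
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
              "syslog": 5, "lpr": 6, "news": 7, "uucp": 8, "cron": 9,
              "authpriv": 10, "ftp": 11}
FACILITIES.update({"local%d" % i: 16 + i for i in range(8)})
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
FAC_BY_NUM = {v: k for k, v in FACILITIES.items()}
SEV_BY_NUM = {v: k for k, v in SEVERITIES.items()}


def pri(spec):
    """'local3.info' -> 158, the PRI that `logger -p local3.info` puts in <158>."""
    facility, _, severity = spec.partition(".")
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode(pri_value):
    """158 -> ('local3', 'info'). Facilities 12-15 have no portable name."""
    facility, severity = divmod(pri_value, 8)
    return FAC_BY_NUM.get(facility, "facility%d" % facility), SEV_BY_NUM[severity]


def wrap(spec, text):
    """Prefix a message the way a syslog client would: '<PRI>' + text."""
    return "<%d>%s" % (pri(spec), text)


def forwarded(messages, trap_level):
    """Apply a Cisco-style `logging trap <level>` filter.

    Lower severity numbers are more severe, so a threshold of 'warning' (4)
    forwards everything numbered 0..4 and drops notice/info/debug.
    messages: iterable of (severity_name, text).
    """
    limit = SEVERITIES[trap_level]
    return [text for severity, text in messages if SEVERITIES[severity] <= limit]


# Constructed sample (severity, message) pairs in Cisco style.
SAMPLE = [
    ("crit", "%SYS-2-MALLOCFAIL: Memory allocation failed"),
    ("warning", "%SEC-4-TOOMANY: too many login failures"),
    ("notice", "%LINK-5-CHANGED: Interface GigabitEthernet0/1 changed state to up"),
    ("info", "%SEC_LOGIN-6-LOGIN_SUCCESS: Login Success from 10.0.0.9"),
]

if __name__ == "__main__":
    print(wrap("local3.info", "fw log line"))        # <158>fw log line
    for text in forwarded(SAMPLE, "warning"):
        print(text)
```

One practical consequence of the threshold direction: a device set to "logging trap warning" will never deliver the level-6 login-success messages a SIEM authentication rule usually keys on, so the severity chosen on the device must be at least as permissive as the lowest-priority event you expect the DSM to parse.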
  • Page 87: Citrix NetScaler

    Citrix NetScaler. A SIEM Citrix NetScaler DSM accepts events using syslog. SIEM records all relevant audit log events from Citrix NetScaler. Before you configure SIEM to integrate with Citrix NetScaler, you must: Step 1 Log in to your Citrix NetScaler device as a root user. Step 2 Type the following command to add a remote syslog server:...
  • Page 88 Citrix NetScaler. For example: bind system global policy-SIEM -priority 30. When multiple policies have a numeric priority assigned, the lower value is evaluated before the higher value. Step 5 Type the following command to save the Citrix NetScaler configuration: save config. Type the following command to verify the policy is saved in your configuration:...
  • Page 89: CRYPTOCard CRYPTO-Shield

    CRYPTOCard CRYPTO-Shield. The SIEM CRYPTOCard CRYPTO-Shield DSM accepts events using syslog. SIEM records all relevant events. Before configuring a CRYPTOCard CRYPTO-Shield device in SIEM, you must configure your device to send syslog events to SIEM. To configure the device to send syslog events to SIEM, you must: Step 1 Configure the following System Configuration parameters: NOTE...
  • Page 91: Cyber-Ark Vault

    Cyber-Ark Vault. The SIEM Cyber-Ark Vault DSM accepts events using the Log Event Extended Format (LEEF). SIEM records both user activities and safe activities from the Cyber-Ark Vault in the audit log events. Cyber-Ark Vault integrates with SIEM to forward audit logs using syslog to create a complete audit picture of privileged account activities in SIEM.
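Both the Bit9 Parity DSM earlier on this page and the Cyber-Ark Vault DSM here consume LEEF over syslog, but the page does not show what a LEEF record looks like. The following is an added example, not from the manual and not real Bit9 or Cyber-Ark output, that parses a LEEF 1.0 record: a pipe-delimited header (version, vendor, product, version, event ID) followed by tab-separated key=value attributes, with "\|" and "\=" as the escapes for a literal pipe or equals sign. The vendor and product names in the sample are placeholders.

```python
# Added example (not from the Enterasys manual): parse a LEEF 1.0 record of the
# kind the Bit9 Parity and Cyber-Ark Vault DSMs consume. The record is
# constructed and is not real Bit9 or Cyber-Ark output.
#
# LEEF 1.0 layout, optionally behind a syslog header:
#   LEEF:1.0|Vendor|Product|Version|EventID|key=value<TAB>key=value...
# A literal '|' in a header field is escaped as '\|', a literal '=' in an
# attribute value as '\='.
import re

HEADER_RE = re.compile(
    r'^(?:<\d{1,3}>)?'                                   # optional syslog PRI
    r'(?:\w{3} [ \d]\d \d\d:\d\d:\d\d \S+ )?'            # optional timestamp + host
    r'LEEF:(?P<ver>\d\.\d)\|'
)


def parse_leef(line):
    """Return a dict with the header fields and an 'attrs' dict, or raise ValueError."""
    m = HEADER_RE.match(line)
    if m is None:
        raise ValueError("not a LEEF record")
    if m.group("ver") != "1.0":
        raise ValueError("only LEEF 1.0 is handled here (got %s)" % m.group("ver"))
    body = line[m.end():]
    # Split on unescaped pipes only; the fifth part is the whole attribute string.
    parts = re.split(r'(?<!\\)\|', body, maxsplit=4)
    if len(parts) != 5:
        raise ValueError("truncated LEEF header")
    vendor, product, version, event_id, attr_text = [p.replace("\\|", "|") for p in parts]
    attrs = {}
    for item in attr_text.split("\t"):
        if not item:
            continue
        key, sep, value = item.partition("=")
        if not sep:
            raise ValueError("attribute without '=': %r" % item)
        attrs[key] = value.replace("\\=", "=")
    return {"leef": m.group("ver"), "vendor": vendor, "product": product,
            "version": version, "event_id": event_id, "attrs": attrs}


def actor_and_target(event):
    """Pull the fields a SIEM normally maps: who did what, from where, to which host."""
    a = event["attrs"]
    return a.get("usr", "-"), a.get("src", "-"), a.get("dst", "-"), a.get("cat", "-")


# Constructed sample record (vendor/product names are placeholders).
SAMPLE = (
    "<134>Mar  4 10:15:01 vault01 LEEF:1.0|ExampleVendor|ExampleVault|7.2|28|"
    "src=10.0.0.5\tdst=10.0.0.20\tusr=alice\tcat=Retrieve password\tsev=3\t"
    "devTime=Mar 04 2013 10:15:01"
)

if __name__ == "__main__":
    ev = parse_leef(SAMPLE)
    print(ev["vendor"], ev["event_id"], actor_and_target(ev))
```

The event ID in the header is what a DSM maps to a QID category, so when a new vault or Parity event type shows up as "unknown" in SIEM, the first thing to check is that this field is populated and that the attributes really are tab-separated rather than space-separated; a sender that substitutes spaces collapses every attribute into one key.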
  • Page 93: CyberGuard Firewall/VPN Appliance

    CyberGuard Firewall/VPN Appliance. A SIEM CyberGuard Firewall VPN Appliance DSM accepts CyberGuard events using syslog. SIEM records all relevant CyberGuard events. SIEM supports the CyberGuard KS series of appliances. Before you configure SIEM to integrate with a CyberGuard device, you must: Log in to the CyberGuard user interface.
  • Page 95: EMC VMWare

    EMC VMWare. The SIEM EMC VMWare DSM accepts events from virtual environments using either the VMWare protocol or syslog. SIEM records all relevant events from the VMWare Web service. Select one of the following configuration methods: Configuring Syslog for VMWare; Configuring the VMWare Protocol.
  • Page 96 You are now ready to configure the log source in SIEM. SIEM automatically detects syslog events from your EMC VMWare server. However, if you want to manually configure SIEM to receive events from your VMWare ESX server:  From the Log Source Type drop-down list box, select EMC VMWare. Configuring the VMWare Protocol: When configuring the EMC VMWare DSM to use the VMWare protocol, we...
  • Page 97 Configuring the VMWare Protocol. Step 6 Click Add. Step 7 Click OK. You are now ready to set the account permission for the user you created. Configuring Account Permissions: For security reasons, we recommend you configure your SIEM user account as a member of your root or admin group, but select an assigned role with read-only permissions.
  • Page 98 EMC VMWare. Table 19-3 VMWare Parameters: Log Source Identifier - Type the IP address or hostname for the log source. This value must match the value configured in the ESX IP field. ESX IP - Type the IP address of the VMWare server. User Name - Type the username required to access the VMWare server.
  • Page 99: Enterasys

    A SIEM Enterasys Dragon DSM accepts Enterasys events using either syslog or SNMPv3. SIEM records all relevant Enterasys Dragon events. Before you configure SIEM to integrate with Enterasys Dragon, you must create an Alarm Tool policy using either an SNMPv3 or Syslog notification rule.
  • Page 100 Enterasys. To configure Enterasys Dragon with an Alarm Tool policy using an SNMPv3 notification rule: Step 1 Log in to the Enterasys Dragon EMS. Step 2 Click the Alarm Tool icon. Step 3 Configure the Alarm Tool Policy: In the Alarm Tool Policy View > Custom Policies menu tree, right-click and select Add Alarm Tool Policy.
  • Page 101 Type values for the following parameters: - Name - Type Enterasys Networks-Alarm - Type - Select Real Time. - Event Group - Select Dragon-Events. - Notification Rule - Select the Enterasys Networks-Rule check box. Click OK. Click Commit. Navigate to the Enterprise View. Step 9 Right-click on the Alarm Tool and select Associate Alarm Tool Policy.
  • Page 102 Dragon Network Defense when the notification rate is very high or when IPv6 addresses are displayed. If you prefer not to use syslog notifications in LEEF format, refer to your Enterasys IPS documentation for more information. NOTE Use SNMPv3 notification rules if you need to transfer PDATA, which is a binary data element.
  • Page 103 Click the Notification Rules tab. Click New. In the name field, type Enterasys Networks-RuleSys Click OK. In the Notification Rules panel, select the newly created Enterasys Networks-RuleSys item. Click the Syslog tab. Click New. The Syslog Editor is displayed. Update the following values: - Facility - Using the Facility drop-down list box, select a facility.
  • Page 104 Configuring SIEM You are now ready to configure the log source within SIEM: To configure SIEM to receive events from the Enterasys Dragon device, you must Step 1 select the Enterasys Dragon Network IPS from the Log Source Type drop-down list box.
  • Page 105 The Enterasys Dragon EMS configuration is complete. Step 7 Configuring syslogd Using Enterasys Dragon EMS v7.4.0 and below If your Dragon Enterprise Management Server (EMS) is using a version earlier than v7.4.0 on the appliance, you must use syslogd for forwarding events to a Security and Information Manager such as SIEM.
  • Page 106 Step 4 The Enterasys Dragon EMS configuration is complete. Enterasys HiGuard Wireless IPS: The Enterasys HiGuard Wireless IPS DSM accepts events using syslog. SIEM records all relevant events. Before configuring the Enterasys HiGuard Wireless IPS device in SIEM, you must configure your device to send syslog events to SIEM.
  • Page 107 Step 6 You are now ready to configure the log source in SIEM. Step 7 To configure SIEM to receive events from the Enterasys HiGuard Wireless IPS device:  From the Log Source Type drop-down list box, select the Enterasys HiGuard option.
  • Page 108 To configure SIEM to receive events from the Enterasys HiPath Wireless Controller device:  From the Log Source Type drop-down list box, select the Enterasys HiPath option. For more information on configuring log sources, see the Log Sources User Guide.
  • Page 109 You are now ready to configure the log source in SIEM. Step 3 To configure SIEM to receive events from an Enterasys Stackable and Standalone Switch device:  From the Log Source Type drop-down list box, select one of the following...
  • Page 110 Step 3 To configure SIEM to receive events from an Enterasys Matrix device:  From the Log Source Type drop-down list box, select Enterasys Matrix E1 Switch. For more information on configuring log sources, see the Log Sources User Guide.
  • Page 111 Step 13 You are now ready to configure the log source in SIEM. Step 14 To configure SIEM to receive events from an Enterasys NetSight Automatic Security Manager device:  From the Log Source Type drop-down list box, select Enterasys NetsightASM.
  • Page 112 Enterasys Matrix K/N/S Series Switch: A SIEM Enterasys Matrix Series DSM accepts events using syslog. SIEM records all relevant Matrix K-Series, N-Series, or S-Series standalone device events. Before you configure SIEM to integrate with a Matrix K-Series, N-Series, or S-Series, you must: Log in to your Enterasys Matrix device command line interface (CLI).
  • Page 113: Enterasys NAC

    Enterasys NAC: To configure SIEM to receive events from an Enterasys Matrix Series device, from the Log Source Type drop-down list box, select Enterasys Matrix K/N/S Series Switch. For information on configuring log sources, see the Log Sources User Guide.
  • Page 115: Extreme Networks ExtremeWare

    Extreme Networks ExtremeWare: A SIEM ExtremeWare DSM accepts Extreme events using syslog. SIEM records all relevant events from Extreme Networks ExtremeWare and ExtremeWare XOS devices. Before you configure SIEM to integrate with an ExtremeWare device, you must configure syslog within your Extreme device. You are now ready to configure the log source in SIEM.
  • Page 117: F5 Networks

    F5 Networks: This section provides information on the following DSMs: F5 Networks BIG-IP LTM, F5 Networks BIG-IP ASM, F5 Networks BIG-IP APM, and F5 Networks FirePass. F5 Networks BIG-IP LTM: The SIEM F5 Networks BIG-IP Local Traffic Manager (LTM) DSM collects network security events from a BIG-IP device using syslog.
  • Page 118 F5 Networks: bigpipe syslog remote server {BIGIPsyslog {host 10.100.100.100}} Step 3: Save the configuration changes: bigpipe save NOTE: F5 Networks modified the syslog output format in BIG-IP v10.x to include the use of local/ before the hostname in the syslog header. The syslog header format containing local/ is not supported in SIEM, but a workaround is available to...
  • Page 119 F5 Networks BIG-IP ASM: The SIEM F5 Networks BIG-IP Application Security Manager (ASM) DSM collects web application security events from a BIG-IP ASM device using syslog. Before receiving events in SIEM, you must configure your F5 Networks ASM device with a logging profile to forward application events to SIEM.
  • Page 120 F5 Networks: You are now ready to configure the log sources and protocol in SIEM. Step 7: To configure SIEM to receive events from an F5 Networks BIG-IP ASM device, from the Log Source Type drop-down list box, select the F5 Networks BIG-IP ASM option. For more information on configuring log sources, see the Log Sources User Guide.
  • Page 121 F5 Networks FirePass: You must configure your F5 Networks FirePass device to forward system events to SIEM as a remote syslog server. To configure a remote syslog server: Step 1: Log in to the F5 Networks FirePass Admin Console. Step 2: In the navigation pane, select Device Management > Maintenance > Logs. The Logging Option is displayed.
  • Page 123: Fair Warning

    Fair Warning: A SIEM Fair Warning DSM retrieves event files from a remote source using the log file protocol source. SIEM records event categories from the Fair Warning log files about user activity related to patient privacy and security threats to medical records.
  • Page 125: FireEye

    The SIEM FireEye DSM accepts rsyslog events in Log Event Extended Format (LEEF). This DSM applies to FireEye MPS, eMPS and MA appliances. SIEM records all relevant notification alerts sent by FireEye appliances. Before configuring a FireEye appliance in SIEM, you must configure your device to send events to SIEM.
  • Page 127: ForeScout CounterACT

    ForeScout CounterACT: A SIEM ForeScout CounterACT DSM accepts CounterACT events using syslog. SIEM records all relevant and available information from the event. Before configuring a CounterACT device in SIEM, you must configure your device to send syslog to your SIEM installation. For more information on configuring your CounterACT device, consult your vendor documentation.
  • Page 129: Fortinet FortiGate

    Fortinet FortiGate: A SIEM Fortinet FortiGate DSM accepts FortiGate IPS/Firewall events using syslog. SIEM records all relevant events. Before you configure SIEM to integrate with the device, you must configure syslog within your FortiGate device. For more information on configuring a Fortinet FortiGate device, see your vendor documentation.
  • Page 131: Foundry FastIron

    Foundry FastIron: You can integrate a Foundry FastIron device with SIEM. A Foundry FastIron device accepts events using syslog. Before you configure SIEM to integrate with a Foundry FastIron RX device, you must: Step 1: Log in to the Foundry FastIron device command line interface (CLI). Step 2: Type the following command to enable logging:...
  • Page 133: Generic Firewall

    Generic Firewall: A SIEM generic firewall server DSM accepts events using syslog. SIEM records all relevant events. Before you configure SIEM to integrate with a generic firewall, you must: Step 1: Forward all firewall logs to your SIEM system. For information on forwarding firewall logs from your generic firewall to SIEM, see your firewall vendor documentation.
  • Page 134 Generic Firewall: For example, if your device generates the following log messages for accepted packets: Aug. 5, 2005 08:30:00 Packet accepted. Source IP: 192.168.1.1 Source Port: 80 Destination IP: 192.168.1.2 Destination Port: 80 Protocol: tcp The pattern for accepted packets is Packet accepted. Step 6: Add the following to the file:...
  • Page 135 destination_port_pattern=<destination port pattern> protocol_pattern=<protocol pattern> Where <source ip pattern>, <source port pattern>, <destination ip pattern>, <destination port pattern>, and <protocol pattern> are the corresponding patterns identified in Step NOTE: Patterns are case insensitive and you can add multiple patterns. For multiple patterns, separate them using a # symbol.
  • Page 137: Generic Authorization Server

    Generic Authorization Server: A SIEM generic authorization server DSM accepts events using syslog. SIEM records all relevant events. Before you configure SIEM to integrate with a generic authorization server, you must: Step 1: Forward all authentication server logs to your SIEM system. For information on forwarding authentication server logs to SIEM, see your generic authorization server vendor documentation.
  • Page 138 Generic Authorization Server: For example, if your authentication server generates the following log message for accepted packets: Jun 27 12:11:21 expo sshd[19926]: Accepted password for root from 10.100.100.109 port 1727 ssh2 The pattern for successful login is Accepted password. Step 6: Add the following entry to the file: login_success_pattern=<login success pattern>...
  • Page 139 For example, if your authentication server generates the following log message: Jun 27 12:11:21 expo sshd[19926]: Accepted password for root from 10.100.100.109 port 1727 ssh2 The pattern for source IP address is from and the pattern for source port is port. Step 12: Add an entry to the file for source IP address and source port:...
  • Page 141: HP ProCurve

    HP: This section provides information on the following DSMs: HP ProCurve, HP Tandem, and Hewlett Packard UNIX (HP-UX). HP ProCurve: You can integrate an HP ProCurve device with SIEM. An HP ProCurve switch DSM accepts events using syslog. Before you configure SIEM to integrate with an HP ProCurve device, you must: Log into the HP ProCurve device.
  • Page 142: Hewlett Packard UNIX (HP-UX)

    A log file protocol source allows SIEM to retrieve archived log files from a remote host. The HP Tandem DSM supports the bulk loading of log files using the log file protocol source. When configuring your HP Tandem device to use the log file protocol, make sure the hostname or IP address configured in the HP Tandem device is the same as configured in the Remote Host parameter in the Log File Protocol configuration.
  • Page 143 Hewlett Packard UNIX (HP-UX): Step 5: Type the following command to ensure that syslogd enforces the changes to the syslog.conf file: kill -HUP `cat /var/run/syslog.pid` NOTE: The above command is surrounded with back quotation marks. Step 6: You are now ready to configure the log source in SIEM. To configure SIEM to receive events from an HP-UX device: ...
  • Page 145: IBM

    IBM: This section provides information on the following DSMs: IBM AIX, IBM AS/400 iSeries, IBM Lotus Domino, IBM Proventia Management SiteProtector, IBM ISS Proventia, IBM RACF, IBM DB2, IBM WebSphere Application Server, IBM Informix Audit, ...
  • Page 146 Where <IP address> is the IP address of the SIEM system. Step 4: Save and exit the file. Step 5: Restart syslog: refresh -s syslogd For example, a typical /etc/syslog.conf file can resemble the following:
    ##### begin /etc/syslog.conf
    mail.debug /var/adm/maillog
    mail.none /var/adm/maillog
    auth.notice /var/adm/authlog
    lpr.debug /var/adm/lpd-errs
    ...
  • Page 147: IBM AS/400 iSeries

    IBM AS/400 iSeries: Step 4: Type the path to the Remote Directory. This is the default directory path storing your IBM AIX log files. Step 5: Type the FTP File Pattern. The FTP File Pattern parameter must use a regular expression that matches the log files of your IBM AIX server.
  • Page 148 Pulling Data Using Log File Protocol. Configuring an IBM iSeries to Integrate with SIEM: To integrate an IBM iSeries with SIEM: Step 1: From the Enterasys Extranet website, download the following file: AJLIB.SAVF Step 2: Copy the AJLIB.SAVF file onto a computer or terminal that has FTP access to the...
  • Page 149 IBM AS/400 iSeries: The execution of the setup function sets a default start date and time for data collection from the Audit Journal to 08:00:00 of the current day. NOTE: To preserve your previous start date and time information from a previous installation, you must run AJLIB/DATETIME. Record the previous start date and...
  • Page 150: IBM Lotus Domino

    SIEM to read iSecurity events using the Log Enhanced Event Protocol (LEEF). Before configuring your device in SIEM, you must: Configure the Raz-Lee iSecurity user interface to forward syslog events to SIEM. For more information, see Configuring iSecurity to Forward Syslog Events.
  • Page 151 IBM Lotus Domino: Set up the SNMP servers (see Setting Up SNMP Services). Start the Domino Server add-in tasks (see Starting the Domino Server Add-in Tasks). Configure the SNMP services (see Configuring SNMP Services). Setting Up SNMP Services: To set up the SNMP services on the IBM Lotus Domino server: Install the Lotus Domino SNMP Agent as a service.
  • Page 152 Configuring SNMP Services: To configure SNMP services: NOTE: Configurations may vary depending on your environment. See your vendor documentation for more information. Step 1: Open the Domino Administrator utility and authenticate with administrative credentials. Step 2: Click on the Files tab, and the Monitoring Configuration (events4.nsf) document. Expand the DDM Configuration Tree and select DDM Probes By Type.
  • Page 153: IBM Proventia Management SiteProtector

    IBM Proventia Management SiteProtector: To configure SIEM to receive events from an IBM Lotus Domino device, from the Log Source Type drop-down list box, select the IBM Lotus Domino option. For more information on configuring log sources, see the Log Sources User Guide. For more information about IBM Lotus Domino, see your vendor documentation.
  • Page 154 Table 31-4 JDBC Parameters (Parameter: Description). Log Source Identifier: Type the identifier for the log source. Type the log source identifier in the following format: <database>@<hostname> Where: <database> is the database name, as defined in the Database Name parameter. The database name is a required parameter. <hostname>...
  • Page 155 IBM Proventia Management SiteProtector: Table 31-4 JDBC Parameters (continued). Database Instance: If you select MSDE as the Database Type and you have multiple SQL server instances on one server, define the instance to which you want to connect. Note: If you use a non-standard port in your database configuration, or have blocked access to port 1434 for SQL database resolution, you must leave the Database Instance...
  • Page 156 Table 31-4 JDBC Parameters (continued). Polling Interval: Type the polling interval, which is the amount of time between queries to the event table. The default polling interval is 10 seconds. You may define a longer polling interval by appending H for hours or M for minutes to the numeric value.
  • Page 157: IBM RACF

    IBM RACF: Step 3: Select Services. The Service Configuration page is displayed. Step 4: Click the SNMP tab. Step 5: Select SNMP Traps Enabled. Step 6: In the Trap Receiver field, type the IP address of the SIEM system that you want to monitor incoming SNMP traps.
  • Page 158 Configuring IBM RACF to Integrate with SIEM: To integrate an IBM mainframe RACF with SIEM: Step 1: From the Enterasys Extranet website, download the following compressed file: qexracf_bundled.tar.gz Step 2: On a Linux-based operating system, extract the file: tar -zxvf qexracf_bundled.tar.gz The following files are contained in the archive: qexracf_jcl.txt...
  • Page 159 IBM RACF: You must update the file with your installation-specific information for parameters such as jobcard, data set naming conventions, output destinations, retention periods, and space requirements. The .trs input file is an IBM TERSE formatted library and is extracted by running the JCL, which calls TRSMAIN.
  • Page 160
    //*************************************************************
    //IRRADU00 EXEC PGM=IFASMFDP
    //SYSPRINT DD SYSOUT=*
    //ADUPRINT DD SYSOUT=*
    //OUTDD    DD DSN=&SMFOUT,SPACE=(CYL,(100,100)),DISP=(,CATLG),
    //         DCB=(RECFM=FB,LRECL=8192,BLKSIZE=40960),
    //         UNIT=SYSALLDA
    //SMFDATA  DD DISP=SHR,DSN=&SMFIN
    //SMFOUT   DD DUMMY
    //SYSIN    DD *
      INDD(SMFDATA,OPTIONS(DUMP))
      OUTDD(SMFOUT,TYPE(30:83))
      ABEND(NORETRY)
      USER2(IRRADU00)
      USER3(IRRADU86)
    //EXTRACT  EXEC PGM=QEXRACF,DYNAMNBR=10,
    //         TIME=1440
    //*STEPLIB DD DISP=SHR,DSN=<the loadlib containing the QEXRACF program if not in LINKLST>
    //SYSTSIN  DD DUMMY
    //SYSTSPRT ...
  • Page 161: IBM DB2

    IBM DB2 configured to serve files through FTP or SFTP, or allow SCP, then no interim server is required and SIEM can pull those files directly from the mainframe. If an interim FTP server is needed, SIEM requires a unique IP address for each IBM RACF log source or they will be joined as one system.
  • Page 162 If you are using DB2 v9.5 and above, see Extracting Audit Data: DB2 v9.5 and Above. If you are using DB2 v8.x to v9.4, see Extracting Audit Data: DB2 v8.x to v9.4. Step 3: Use the log file protocol source to pull the output instance log file and send that information back to SIEM on a scheduled basis.
  • Page 163 IBM DB2: Step 5: Move the .del files to a storage location where SIEM can pull the file. The movement of the comma-delimited (.del) files should be synchronized with the file pull interval in SIEM. You are now ready to configure SIEM to receive DB2 log files. See Pulling Data Using Log File Protocol.
  • Page 164: IBM WebSphere Application Server

    ...configured in the Remote Host parameter in the Log File protocol configuration. For more information, see the Log Sources User Guide. You are now ready to configure the log source and protocol within SIEM. Step 1: To configure SIEM to receive events from an IBM DB2, you must select the IBM DB2 option from the Log Source Type drop-down list box.
  • Page 165 IBM WebSphere Application Server: Description - Type a description for the variable (optional). Value - Type a directory path for the log files. For example: {SIEM_LOG_ROOT} = /opt/IBM/WebSphere/AppServer/profiles/Custom01/logs/SIEM NOTE: You must create the target directory specified in Step 5 before proceeding.
  • Page 166 NOTE: If the JVM Logs changes affect the cell, you must restart all of the WebSphere Application Servers in the cell before you continue. You are now ready to import the file into SIEM using the Log File Protocol; see Pulling Data Using Log File Protocol.
  • Page 167: IBM Informix Audit

    IBM Informix Audit: The IBM Informix Audit DSM allows you to integrate IBM Informix audit logs into SIEM for analysis. SIEM retrieves the IBM Informix archived audit log files from a remote host using the Log File protocol configuration. SIEM records all configured IBM Informix Audit events.
  • Page 168 Pulling Data Using Log File Protocol. Configuring IBM IMS to Integrate with SIEM: To integrate IBM IMS with SIEM: Step 1: From the Enterasys Extranet, download the following compressed file: QexIMS_bundled.tar.gz Step 2: On a Linux-based operating system, extract the file: tar -zxvf qexims_bundled.tar.gz...
  • Page 169 IBM IMS
    //TRSMAIN JOB (yourvalidjobcard),Q1labs,
    //         MSGCLASS=V
    //DEL      EXEC PGM=IEFBR14
    //D1       DD DISP=(MOD,DELETE),DSN=<yourhlq>.QEXIMS.TRS,
    //         UNIT=SYSDA,
    //         SPACE=(CYL,(10,10))
    //TRSMAIN  EXEC PGM=TRSMAIN,PARM='UNPACK'
    //SYSPRINT DD SYSOUT=*,DCB=(LRECL=133,BLKSIZE=12901,RECFM=FBA)
    //INFILE   DD DISP=SHR,DSN=<yourhlq>.QEXIMS.TRS
    //OUTFILE  DD DISP=(NEW,CATLG,DELETE),
    //         DSN=<yourhlq>.LOAD,
    //         SPACE=(CYL,(1,1,5),RLSE),UNIT=SYSDA
    The .trs input file is an IBM TERSE formatted library and is extracted by running the JCL, which calls TRSMAIN.
  • Page 170
    //         DCB=(RECFM=VB,LRECL=1028,BLKSIZE=6144)
    //EXTRACT  EXEC PGM=QEXIMS,DYNAMNBR=10,
    //         TIME=1440
    //STEPLIB  DD DISP=SHR,DSN=Q1JACK.C.LOAD
    //SYSTSIN  DD DUMMY
    //SYSTSPRT DD SYSOUT=*
    //SYSPRINT DD SYSOUT=*
    //IMSIN    DD DISP=SHR,DSN=&IMSIN
    //IMSOUT   DD DISP=SHR,DSN=&IMSOUT
    //*FTP     EXEC PGM=FTP,REGION=3800K
    //*INPUT   DD *
    //*<target server>
    //*<USER>
    //*<PASSWORD>
    //*ASCII
    //*PUT '<IMSOUT>' /<TARGET DIRECTORY>/<IMSOUT>
    //*QUIT
    //*OUTPUT  DD SYSOUT=*
    //*SYSPRINT DD SYSOUT=*
    Step 7: After the output file is created, you must choose one of the following options: Schedule a job to transfer the output file to an interim FTP server.
  • Page 171 IBM IMS: PUT 'Q1JACK.QEXIMS.OUTPUT.C320' /192.168.1.101/IMS/QEXIMS.OUTPUT.C320 NOTE: You must remove the commented lines beginning with //* for the script to properly forward the output file to the interim FTP server. You are now ready to configure the Log File protocol. See Pulling Data Using Log File Protocol.
  • Page 173: ISC BIND

    ISC BIND: You can integrate an Internet Systems Consortium (ISC) BIND device with SIEM. An ISC BIND device accepts events using syslog. Before you configure SIEM to integrate with an ISC BIND device, you must: Step 1: Log in to the ISC BIND device. Step 2: Open the following file to add a logging clause:...
  • Page 174 ISC BIND: For example:
    logging {
        channel SIEM {
            syslog local3;
            severity info;
        };
        category queries { SIEM; };
        category notify { SIEM; };
        category network { SIEM; };
        category client { SIEM; };
    };
    Step 3: Save and exit the file. Step 4: Edit the syslog configuration to log to your SIEM system using the facility you selected in Step...
  • Page 175 To configure SIEM to receive events from an ISC BIND device, from the Log Source Type drop-down list box, select the ISC BIND option. For more information on configuring log sources, see the Log Sources User Guide. For more information about ISC BIND, see your vendor documentation.
  • Page 177: Imperva SecureSphere

    Imperva SecureSphere: The SIEM Imperva SecureSphere DSM accepts events using syslog. SIEM records all relevant events. Before configuring an Imperva SecureSphere device in SIEM, you must configure your device to send syslog events to SIEM. To configure the device to send syslog events to SIEM: Log in to your SecureSphere device user interface using administrative privileges.
  • Page 178 Imperva SecureSphere: Go to Policies > Security > Firewall Policy. Select the policy you want to edit to use the alert action. Click the Policy tab. From the Followed Action drop-down list box, select your new action. Ensure your policy is configured as enabled and is applied to the appropriate server groups.
  • Page 179 Step 8: You are now ready to configure the log source in SIEM. To configure SIEM to receive events from a SecureSphere device, from the Log Source Type drop-down list box, select the Imperva SecureSphere option. For more information on configuring log sources, see the Log Sources User Guide. For more information about your Imperva SecureSphere device, see your vendor documentation.
  • Page 181: Infoblox NIOS

    Infoblox NIOS: The SIEM Infoblox NIOS DSM accepts events using syslog, enabling SIEM to record all relevant events from an Infoblox NIOS device. Before configuring SIEM, you must configure your Infoblox NIOS device to send syslog events to SIEM. For more information on configuring logs on your Infoblox NIOS device, see your Infoblox NIOS vendor documentation.
  • Page 183: Itron Smart Meter

    Itron Smart Meter: The SIEM Itron Smart Meter DSM collects events from an Itron Openway Smart Meter using syslog. The Itron Openway Smart Meter sends syslog events to SIEM using Port 514. For details of configuring your meter for syslog, see your Itron Openway Smart Meter documentation.
  • Page 185: Juniper Networks

    Juniper Networks: This section provides information on the following DSMs: Juniper Networks AVT, Juniper DX Application Acceleration Platform, Juniper EX-Series Ethernet Switch, Juniper NetScreen IDP, Juniper Networks Secure Access, Juniper Infranet Controller, Juniper Networks Firewall and VPN, ...
  • Page 186 Juniper Networks: Where <IP address> is the IP address of the Event Collector you want to connect to the database. Step 4: Reload the Postgres service: su - nsm -c "pg_ctl reload -D /var/netscreen/DevSvr/pgsql/data" Step 5: As the Juniper Networks NSM user, create the view: create view strm_avt_view as SELECT a.name, a.category, v.srcip, v.dstip, v.dstport, v."last", u.name as userinfo, v.id, ...
  • Page 187: Juniper EX-Series Ethernet Switch

    Juniper DX Application Acceleration Platform: The Juniper DX Application Acceleration Platforms off-load core networking and I/O responsibilities from web and application servers to improve the performance of web-based applications, increasing productivity of local, remote, and mobile users.
  • Page 188 Juniper Networks: <IP address> is the IP address of your SIEM system. <level> is info, error, warning, or any. <option> is one of the following options from Table 36-5. Table 36-5 Juniper Networks EX-Series Switch Options (Option: Description): All facilities; authorization: Authorization system; change-log...
  • Page 189: Juniper NetScreen IDP

    Juniper NetScreen IDP: A SIEM NetScreen IDP DSM accepts NetScreen IDP events using syslog. SIEM records all relevant NetScreen IDP events. To integrate SIEM with a Juniper NetScreen IDP device, you must: Configure the IDP Sensor (see Configuring the IDP Sensor); Configure SIEM to Collect IDP Events (see Configuring SIEM to Collect IDP Events)...
  • Page 190 Juniper Networks: Configuring SIEM to Collect IDP Events: Juniper NSM is a central management server for Juniper IDP. You can configure SIEM to collect and represent the Juniper IDP alerts as coming from a central NSM, or SIEM can collect syslog from the individual Juniper IDP device. To configure SIEM to receive events from a Juniper Networks Secure Access device: ...
  • Page 191: Juniper Networks Secure Access

    Juniper Networks Secure Access: In the Server name/IP field, type the name or IP address of the syslog server. From the Facility drop-down list box, select the facility. From the Filter drop-down list box, select WELF:WELF. Click Add, then click Save Changes. Step 3: Configure syslog server information for user access: If a WELF:WELF file is configured, go to Step e.
  • Page 192 Juniper Networks: Click New Filter. Select WELF. Click Save Changes. From the left pane, select System > Log/Monitoring > Client Logs > Settings. From the Select Events to Log pane, select the events that you wish to log. In the Server name/IP field, type the name or IP address of the syslog server. From the Facility drop-down list box, select the facility.
  • Page 193: Juniper Infranet Controller

    Juniper Infranet Controller: From the left pane, select System > Log/Monitoring > Client Logs > Settings. From the Select Events to Log section, select the events that you wish to log. In the Server name/IP field, type the name or IP address of the syslog server. You are now ready to configure the log source in SIEM.
  • Page 194: Juniper Networks Network and Security Manager

    Juniper Networks: Step 4: Type the IP address of your SIEM system hosting the Event Collector. Step 5: Click Apply. Step 6: You are now ready to configure the log source in SIEM. To configure SIEM to receive events from a Juniper Networks Firewall and VPN device: ...
  • Page 195: Juniper JunOS

    Juniper JunOS: Configuring Juniper Networks NSM in SIEM: To configure SIEM to integrate with a Juniper Networks NSM device: Step 1: From the Log Source Type drop-down list box, select Juniper Networks Network and Security Manager. Step 2: From the Protocol Configuration drop-down list box, select Juniper NSM. Step 3: Configure the following values for the Juniper NSM protocol:...
  • Page 196 Juniper Networks: For information on configuring PCAP data using a Juniper Networks SRX-series appliance, see Configuring Juniper Networks SRX-series PCAP Protocol. NOTE: For more information about structured-data syslog, see RFC 5424 at the Internet Engineering Task Force: http://www.ietf.org/ Before you configure SIEM to integrate with a Juniper device, you must forward data to SIEM using syslog or structured-data syslog.
  • Page 197 Juniper JunOS: Table 36-1 List of Syslog Configuration Setting Variables (continued) (Parameter: Description). Facility <severity>: Define the severity of the messages that belong to the named facility with which it is paired. Valid severity levels are: none, emergency, ...
  • Page 198 Step 4: The Log Sources window is displayed. NOTE: You must install the latest PCAP Protocol from the Enterasys Extranet before configuring the PCAP log source. For information on installing a protocol, see the Log Sources User Guide. Click Add.
  • Page 199: Juniper Steel-Belted Radius

    Juniper Steel-Belted Radius: The Add a log source window is displayed. Step 6: From the Log Source Type drop-down list box, select Juniper SRX-series Services Gateway. Step 7: From the Protocol Configuration drop-down list box, select PCAP Syslog Combination. Step 8: Type the Log Source Identifier. Type the Incoming PCAP Port.
  • Page 200 Juniper Networks: Configuring Juniper Steel-Belted Radius for the Adaptive Log Exporter: To integrate a Juniper Steel-Belted Radius DSM with SIEM using the Adaptive Log Exporter: Step 1: From the Start menu, select Start > Programs > Adaptive Log Exporter > Configure Adapter Log Exporter.
  • Page 201: Juniper Networks vGW Virtual Gateway

    Juniper Networks vGW Virtual Gateway: Configuring Juniper Steel-Belted Radius for Syslog: To integrate a Juniper Steel-Belted Radius DSM with SIEM using syslog on a Linux-based operating system: Step 1: Using SSH, log in to your Juniper Steel-Belted Radius device as a root user. Step 2: Edit the following file:...
  • Page 202 Juniper Networks: If you select the option Send Syslog from vGW management server, all events forwarded to SIEM contain the IP address of the vGW management server. Send Syslog from Firewalls - Distribute logging with each Firewall Security VM providing syslog events. Step 5: Type values for the following parameters: Syslog Server - Type the IP address of your vGW management server if you...
  • Page 203: Lieberman Random Password Manager

    Lieberman Random Password Manager: The SIEM Lieberman Random Password Manager DSM allows you to integrate SIEM with Lieberman Enterprise Random Password Manager and Lieberman Random Password Manager software using the LEEF protocol. The Lieberman Random Password Manager sends syslog events in the LEEF protocol to SIEM using Port 514.
  • Page 205: Linux

    Linux: This section provides information on the following DSMs: Linux DHCP, Linux IPtables, and Linux OS. Linux DHCP: A SIEM Linux DHCP Server DSM accepts DHCP events using syslog. SIEM records all relevant events from a Linux DHCP Server. Before you configure SIEM to integrate with a Linux DHCP Server, you must configure syslog within the server.
  • Page 206 Linux:
    -A INPUT -i eth0 --dport 31337 -j DENY
    Step 3: Insert a matching rule immediately before each rule you want to log:
    -A INPUT -i eth0 --dport 31337 -j DENY
    -A INPUT -i eth0 --dport 31337 -j DENY
    Step 4: Update the target of the new rule to LOG for each rule you want to log. For example:
    -A INPUT -i eth0 --dport 31337 -j LOG...
  • Page 207 Linux OS: To configure SIEM to receive events from Linux IPtables, from the Log Source Type drop-down list box, select Linux iptables Firewall. For more information on configuring log sources, see the Log Sources User Guide. For more information on Linux IPtables, see the IPtables documentation. Linux OS: A SIEM Linux OS DSM records Linux operating system events and forwards the events to SIEM using syslog or syslog-ng.
  • Page 208 Linux: For more information on syslog, see your Linux operating system documentation. Configuring Linux OS Using Syslog-ng: To configure Linux OS using the syslog-ng protocol: Step 1: Log in to your Linux OS device as a root user. Open the file.
  • Page 209: McAfee

    McAfee: This section provides information on the following DSMs: McAfee Intrushield, McAfee ePolicy Orchestrator, McAfee Application / Change Control, and McAfee Web Gateway. McAfee Intrushield: A SIEM McAfee Intrushield DSM accepts events using syslog. SIEM records all relevant events. Before you configure SIEM to integrate with a McAfee Intrushield device, you must: Log in to the McAfee Intrushield Manager user interface.
  • Page 210 If you are using a version of McAfee Intrushield that has patches applied from 3.x and above, type the following to customize the message string:
    |$IV_ALERT_ID$|$IV_ALERT_TYPE$|$IV_ATTACK_TIME$|"$IV_ATTACK_NAME$"|$IV_ATTACK_ID$|$IV_ATTACK_SEVERITY$|$IV_ATTACK_SIGNATURE$|$IV_ATTACK_CONFIDENCE$|$IV_ADMIN_DOMAIN$|$IV_SENSOR_NAME$|$IV_INTERFACE$|$IV_SOURCE_IP$|$IV_SOURCE_PORT$|$IV_DESTINATION_IP$|$IV_DESTINATION_PORT$|
    The custom message string must be entered as a single line, with no carriage returns.
  • Page 211 McAfee ePolicy Orchestrator: Step 6: Using the Protocol Configuration drop-down list box, select JDBC. The JDBC protocol parameters are displayed. NOTE: You must refer to the Configure Database Settings on your ePO Management Console to configure the McAfee ePolicy Orchestrator DSM in SIEM. Step 7: Configure the following values: Table 39-2 McAfee ePO JDBC Parameters...
  • Page 212 Table 39-2 McAfee ePO JDBC Parameters (continued) (Parameter: Description). Authentication Domain: If you select MSDE as the Database Type and the database is configured for Windows, you must define the Windows Authentication Domain. Otherwise, leave this parameter blank. Database Instance: Optional. Type the database instance, if you have multiple SQL server instances on your database server.
  • Page 213 McAfee ePolicy Orchestrator: Table 39-2 McAfee ePO JDBC Parameters (continued). Use Named Pipe Communication: Clear the Use Named Pipe Communications check box. When using a Named Pipe connection, the username and password must be the appropriate Windows authentication username and password and not the database username and password.
  • Page 214 DNS Name - Type the DNS name of SIEM. IPv4 - Type the IPv4 address of SIEM. IPv6 - Type the IPv6 address of SIEM. Step 7: From the SNMP Version drop-down list box, select the SNMP version to use with SIEM.
  • Page 215 McAfee ePolicy Orchestrator: From the list of SNMP servers, select the SNMP server you registered in Step From the Available Types drop-down list box, select List of All Values. Click >> to add the following to the Select Types window from Table 39-3, based on your McAfee ePolicy Orchestrator version.
  • Page 216 Configuring the Log Source in SIEM: You are now ready to configure the log source and protocol in SIEM. Step 1: To configure SIEM to receive events from a McAfee ePO device, you must select the McAfee ePolicy Orchestrator option from the Log Source Type drop-down list box.
  • Page 217 McAfee Application / Change Control Table 39-4 McAfee Application / Change Control JDBC Parameters Parameter Description Log Source Type the identifier for the log source. Type the log source identifier Identifier in the following format: <McAfee Change Control Database>@<Change Control Database Server IP or Host Name>...
  • Page 218 Table 39-4 McAfee Application / Change Control JDBC Parameters (continued) Parameter Description Table Name Type SCOR_EVENTS as the name of the table or view that includes the event records. Select List Type * for all fields from the table or view. You may use a comma-separated list to define specific fields from tables or views, if required for your configuration.
  • Page 219 McAfee Web Gateway NOTE Selecting a value for the Credibility parameter greater than 5 will weight your McAfee Application / Change Control log source with a higher importance compared to other log sources in SIEM. Click Save. Step 9 On the Admin tab, click Deploy Changes. Step 10 For more information on configuring log sources, see the Log Sources User Guide.
  • Page 220 Importing the Syslog Log Handler To Import a policy rule set for the syslog handler: From the Enterasys Extranet, download the following compressed file: Step 1 log_handlers.tar.gz Extract the file. Step 2 This will give you the syslog handler file required to configure your McAfee Web Gateway appliance.
  • Page 221 McAfee Web Gateway This will give you the access handler file required to configure your McAfee Web Gateway appliance. access_log_file_loghandler.xml Log in to your McAfee Web Gateway console. Step 3 Using the menu toolbar, click Policy. Step 4 NOTE If there is an existing access log configuration in your McAfee Web Gateway appliance, you must delete the existing access log from the Rule Set Library before adding access_log_file_loghandler.xml.
  • Page 222 Pulling Data Using the Log File Protocol A log file protocol source allows SIEM to retrieve archived log files from a remote host. The McAfee Web Gateway DSM supports the bulk loading of access.log files using the log file protocol source. The default directory for the McAfee Web Gateway access logs are You are now ready to configure the log source and protocol in SIEM: To configure SIEM to receive events from a McAfee Web Gateway appliance,...
  • Page 223: MetaInfo MetaIP

    A SIEM MetaInfo MetaIP DSM accepts MetaIP events using syslog. SIEM records all relevant and available information from the event. Before configuring a MetaIP device in SIEM, you must configure your device to send syslog to SIEM. For more information about your MetaInfo MetaIP device, see your vendor documentation. You are now ready to configure the log source in SIEM.
  • Page 225: Microsoft

    Microsoft This section provides information on the following DSMs: • Microsoft Exchange Server • Microsoft IAS Server • Microsoft DHCP Server • Microsoft IIS Server • Microsoft ISA • Microsoft SQL Server • Microsoft Windows Security Event Log • Microsoft Operations Manager •...
  • Page 226 Microsoft Table 41-1 Microsoft Exchange Format and Method of Configuration (Version / Mail Protocol / Method of Import): Microsoft Exchange 2003 / Outlook Web Access (OWA) / Adaptive Log Exporter; Microsoft Exchange 2003 / SMTP / Adaptive Log Exporter; Microsoft Exchange 2007 / Adaptive Log Exporter or Windows Exchange Protocol; Microsoft Exchange 2007 / SMTP / Windows Exchange Protocol; Microsoft Exchange 2010...
  • Page 227 Microsoft Exchange Server Step 7 From the list of properties, select all properties that you want to apply to the Microsoft Exchange Server DSM. The selected properties must include the following: Select the Method (cs-method) check box. Select the Protocol Version (cs-version) check box. Click OK.
  • Page 228 Microsoft Step 7 You are now ready to configure SIEM to receive events from a Microsoft Exchange Server. To configure SIEM to receive events from the Microsoft Exchange Server: • From the Log Source Type drop-down list box, select the Microsoft Exchange Server option, or configure the Adaptive Log Exporter.
  • Page 229 Microsoft IAS Server • From the Log Source Type drop-down list box, select the Microsoft Exchange Server option, or configure the Adaptive Log Exporter. For information about the Adaptive Log Exporter, see the Adaptive Log Exporter Users Guide. For information about the Microsoft Exchange Protocol, see the Log Sources User Guide.
  • Page 230: Microsoft IIS Server

    Microsoft Table 41-2 Microsoft DHCP Log File Examples (Log Type / Example): IPv4 / DhcpSrvLog-Mon.log; IPv6 / DhcpV6SrvLog-Wed.log. By default Microsoft DHCP is configured to write audit logs to the %WINDIR%\system32\dhcp\ directory. Step 5 Restart the DHCP service. You are now ready to configure the log source and protocol in SIEM: Step 1 To configure SIEM to receive events from a Microsoft DHCP Server, you must select the Microsoft DHCP Server option from the Log Source Type drop-down...
  • Page 231 Microsoft IIS Server Table 41-1 Microsoft IIS Supported Log Types (continued) (Supported Version / Log Type / Method of Import for SIEM): Microsoft IIS 6.0 / SMTP, NNTP, FTP, HTTP / Adaptive Log Exporter or Snare; Microsoft IIS 7.0 / HTTP / IIS Protocol; Microsoft IIS 7.0 / SMTP, NNTP, FTP, HTTP / Adaptive Log Exporter or Snare...
  • Page 232 Microsoft Table 41-2 Required Properties for IIS Event Logs. IIS 6.0 Required Properties: User Name (cs-username), Server IP Address (s-ip), Server Port (s-port), Method (cs-method), URI Stem (cs-uri-stem), URI Query (cs-uri-query), ... IIS 7.0 Required Properties: User Name (cs-username), Server IP Address (s-ip), Server Port (s-port), Method (cs-method), URI Stem (cs-uri-stem), ...
  • Page 233 Microsoft IIS Server Table 41-3 Microsoft IIS Protocol Parameters (continued) Parameter / Description: Domain: Type the domain required to access the Microsoft IIS server. Folder Path: Type the directory path to access the IIS log files. The default is /WINDOWS/system32/LogFiles/W3SVC1/ Parameters that support file paths allow you to define a drive letter with the path information.
  • Page 234 Microsoft Step 4 Right-click on Default Web Sites and select Properties. The Default Web Site Properties window is displayed. Step 5 Select the Web Site tab. Step 6 Select the Enable logging check box. Step 7 From the Active Log Format drop-down list box, select W3C Extended Log File Format.
  • Page 235 Microsoft IIS Server Step 5 In the Target Host field, type the IP address of your SIEM installation. Step 6 In the Log Directory field, type the IIS file location: \%SystemRoot%\System32\LogFiles\ By default Snare for IIS is configured to look for logs in C:\WINNT\System32\LogFiles\ For Destination, select Syslog.
  • Page 236: Microsoft ISA

    Microsoft Configuring Microsoft IIS Using the Adaptive Log Exporter The Adaptive Log Exporter is a stand-alone application that allows you to integrate device logs or application event data with SIEM. The Adaptive Log Exporter supports the NCSA, IIS, and W3C active log formats. To integrate the Adaptive Log Exporter with Microsoft IIS, perform the following steps:...
  • Page 237: Microsoft SQL Server

    Microsoft SQL Server For more information about your server, see your vendor documentation. Microsoft SQL Server A SIEM Microsoft SQL Server DSM accepts SQL audit events using syslog. You can integrate Microsoft SQL Server with SIEM using the Adaptive Log Exporter. For more information on the Adaptive Log Exporter, see the Adaptive Log Exporter Users Guide.
  • Page 238 Microsoft you must configure the firewall to allow DCOM communication. This includes configuring the firewall to permit port 135 to be accessible on the host, as well as permitting the DCOM ports (generally random ports above 1024). If necessary, you can also configure specific ports to be accessible to DCOM; the method depends on the version of Windows. Scope any such firewall rule to the address of the SIEM host that performs the collection rather than opening port 135 and the dynamic DCOM port range to all sources.
  • Page 239: Microsoft Operations Manager

    Microsoft Operations Manager You are now ready to configure the log source in SIEM: Step 1 To configure SIEM to receive events from Windows security event logs, you must select the Microsoft Windows Security Event Log option from the Log Source Type drop-down list box.
  • Page 240 Microsoft Table 41-6 Microsoft Operations Manager JDBC Parameters Parameter / Description: Log Source Identifier: Type the identifier for the log source, in the following format: <MOM Database>@<MOM Database Server IP or Host Name> Where: <MOM Database> is the database name, as entered in the Database Name parameter.
  • Page 241 Microsoft Operations Manager Table 41-6 Microsoft Operations Manager JDBC Parameters (continued) Parameter / Description: Select List: Type * for all fields from the table or view. You may use a comma-separated list to define specific fields from tables or views, if required for your configuration. The list must contain the field defined in the Compare Field parameter.
  • Page 242: Microsoft System Center Operations Manager

    Microsoft Step 7 Click Save. Step 8 On the Admin tab, click Deploy Changes. For more information on configuring log sources, see the Log Sources User Guide. Microsoft System Center Operations Manager A SIEM Microsoft System Center Operations Manager (SCOM) DSM accepts SCOM events by polling the OperationsManager database, allowing SIEM to record the relevant events.
  • Page 243 Microsoft System Center Operations Manager Table 41-7 Microsoft SCOM JDBC Parameters Parameter / Description: Log Source Identifier: Type the identifier for the log source, in the following format: <SCOM Database>@<SCOM Database Server IP or Host Name> Where: <SCOM Database>...
  • Page 244 Microsoft Table 41-7 Microsoft SCOM JDBC Parameters (continued) Parameter / Description: Select List: Type * for all fields from the table or view. You may use a comma-separated list to define specific fields from tables or views, if required for your configuration. The list must contain the field defined in the Compare Field parameter.
  • Page 245 Microsoft System Center Operations Manager Step 7 Click Save. Step 8 On the Admin tab, click Deploy Changes. For more information on configuring log sources, see the Log Sources User Guide. Configuring DSMs...
  • Page 247: Motorola Symbol AP

    Motorola Symbol AP The SIEM Symbol AP DSM accepts events using syslog. SIEM records all relevant events. Before configuring a Symbol AP device in SIEM, you must configure your device to send syslog events to SIEM. To configure the device to send syslog events to SIEM, perform the following steps: Log in to your Symbol AP device user interface.
  • Page 248 Motorola Symbol AP Step 9 You are now ready to configure the log source in SIEM. To configure SIEM to receive events from a Symbol AP device: • From the Log Source Type drop-down list box, select the Motorola SymbolAP option. For more information on configuring log sources, see the Log Sources User Guide.
  • Page 249: NetApp Data ONTAP

    NetApp Data ONTAP A SIEM NetApp Data ONTAP DSM accepts syslog events from a client running the SIEM Adaptive Log Exporter utility. The Adaptive Log Exporter NetApp Data ONTAP plug-in reads and processes event log messages generated from Common Internet File System (CIFS) auditing on the NetApp Data ONTAP device. The NetApp Data ONTAP plug-in for the Adaptive Log Exporter only supports CIFS.
  • Page 251: Name Value Pair

    Name Value Pair The Name Value Pair (NVP) DSM allows you to integrate SIEM with devices that may not natively send logs using syslog. The NVP DSM provides a log format that allows you to send logs to SIEM. For example, for a device that does not export logs natively with syslog, you can create a script to export the logs from a device that SIEM does not support, format the logs in the NVP log format, and send the logs to SIEM using syslog.
  • Page 252 Name Value Pair Table 44-1 NVP Log Format Tags (continued) Tag / Description: EventName: Type the event name that you want to use to identify the event in the Events interface when using the Event Mapping functionality. For more information on mapping events, see the SIEM Users Guide. This is a required parameter.
  • Page 253: Examples

    Examples Table 44-1 NVP Log Format Tags (continued) Tag / Description: Identity: Type TRUE or FALSE to indicate whether you wish this event to generate an identity event. An identity event is generated if the log message contains the SourceIp (if the IdentityUseSrcIp parameter is set to TRUE) or DestinationIp (if the IdentityUseSrcIp parameter is set to FALSE) and one of the following parameters: UserName,...
  • Page 254 Name Value Pair SourceIp=172.15.210.113 DestinationIp=172.16.10.10 UserName=root Example 3 The following example provides identity using the source IP address: DeviceType=NVP EventName=Test EventCategory=Accept DeviceTime=2007/12/14 09:53:49 SourcePort=5014 Identity=TRUE IdentityUseSrcIp=TRUE SourceMAC=AA:15:C5:BF:C4:9D SourceIp=172.15.210.113 DestinationIp=172.16.10.10 DestinationMAC=00:41:C5:BF:C4:9D UserName=root Example 4 The following example provides an entry with no identity: DeviceType=NVP EventName=Test EventCategory=Accept...
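    The script below is an added example for the NVP scenario described on the previous pages (a device SIEM does not support, whose events are reformatted as NVP and forwarded over syslog); it is not code from the manual. It builds an NVP line from the tags used in Example 3, applies the page's identity rule (Identity=TRUE plus the IP tag chosen by IdentityUseSrcIp plus UserName; the rest of the page's list of user tags is cut off here, so only UserName is checked) and sends the line as BSD syslog over UDP. The tab separator between pairs, the EXAMPLE_4 dictionary (Example 3 with the identity tags removed) and the 192.0.2.10 destination are this example's assumptions.

```python
import socket
from datetime import datetime

# DeviceType=NVP and EventName are the tags the page marks as required.
REQUIRED_TAGS = ("DeviceType", "EventName")

# Example 3 from the page: identity taken from the source IP address.
EXAMPLE_3 = {
    "DeviceType": "NVP",
    "EventName": "Test",
    "EventCategory": "Accept",
    "DeviceTime": "2007/12/14 09:53:49",
    "SourcePort": "5014",
    "Identity": "TRUE",
    "IdentityUseSrcIp": "TRUE",
    "SourceMAC": "AA:15:C5:BF:C4:9D",
    "SourceIp": "172.15.210.113",
    "DestinationIp": "172.16.10.10",
    "DestinationMAC": "00:41:C5:BF:C4:9D",
    "UserName": "root",
}

# Constructed stand-in for the page's (truncated) Example 4: the same event
# with every identity-related tag removed.
EXAMPLE_4 = {k: v for k, v in EXAMPLE_3.items()
             if k not in ("Identity", "IdentityUseSrcIp", "UserName")}


def build_nvp_event(fields, separator="\t"):
    """Serialise an event as name=value pairs on one line.

    The page shows one pair per line and does not state the separator; the
    tab used here is an assumption. Whatever separator is used, it must not
    occur inside a value (DeviceTime contains a space, so a space separator
    would split it), so values containing it are refused.
    """
    for tag in REQUIRED_TAGS:
        if tag not in fields:
            raise ValueError(f"missing required tag {tag}")
    if fields["DeviceType"] != "NVP":
        raise ValueError("DeviceType must be NVP")
    parts = []
    for name, value in fields.items():
        value = str(value)
        if separator in value or "\n" in value or "=" in name:
            raise ValueError(f"tag {name} cannot be encoded with this separator")
        parts.append(f"{name}={value}")
    return separator.join(parts)


def generates_identity(fields):
    """Apply the page's rule for when an NVP message yields an identity event."""
    if str(fields.get("Identity", "FALSE")).upper() != "TRUE":
        return False
    use_src = str(fields.get("IdentityUseSrcIp", "FALSE")).upper() == "TRUE"
    ip_tag = "SourceIp" if use_src else "DestinationIp"
    return ip_tag in fields and "UserName" in fields


def send_nvp_syslog(message, host, port=514, facility=1, severity=6):
    """Wrap the NVP line in a BSD syslog header (PRI, timestamp, tag) and
    send it to SIEM over UDP."""
    now = datetime.now()
    header = (f"<{facility * 8 + severity}>{now:%b} {now.day:2d} "
              f"{now:%H:%M:%S} nvp-script")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(f"{header} {message}".encode(), (host, port))


if __name__ == "__main__":
    # 192.0.2.10 is a documentation address; replace it with the SIEM address.
    send_nvp_syslog(build_nvp_event(EXAMPLE_3), "192.0.2.10")
```

    Checking generates_identity() before sending is the useful part: a message with Identity=TRUE but IdentityUseSrcIp=FALSE and no DestinationIp silently produces no identity event, which is easy to miss when the only feedback is the SIEM's event list.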
  • Page 255: Niksun

    Niksun A SIEM Niksun DSM accepts Niksun events using syslog. SIEM records all relevant Niksun events. You can integrate NetDetector/NetVCR2005, version 3.2.1sp1_2 with SIEM. Before you configure SIEM to integrate with a Niksun device, you must configure syslog within your Niksun device. For more information on configuring Niksun, consult your Niksun documentation.
  • Page 257: Nokia Firewall

    Nokia Firewall A SIEM Nokia Firewall DSM accepts events using the following methods: • Integrating Nokia Firewall Using Syslog • Integrating Nokia Firewall Using OPSEC You can integrate Nokia Firewall version NG AI R55 with SIEM. Integrating Nokia Firewall Using Syslog This method ensures the SIEM Nokia Firewall DSM accepts Nokia events using syslog.
  • Page 258 Nokia Firewall To configure SIEM to receive events from a Nokia Firewall device using syslog: • From the Log Source Type drop-down list box, select Check Point FireWall-1. For more information on configuring log sources, see the Log Sources User Guide. Integrating Nokia Firewall Using OPSEC This method ensures the SIEM Check Point FireWall-1 DSM accepts FireWall-1...
  • Page 259 Integrating Nokia Firewall Using OPSEC Step 10 Select Communication and enter an activation key to configure the Secure Internal Communication (SIC) certificate. Step 11 Select OK and then select Close. Step 12 To install the policy on your firewall, select Policy > Install > OK. Configuring DSMs...
  • Page 261: Nortel Networks

    Nortel Networks This section provides information on the following DSMs: • Nortel Multiprotocol Router • Nortel Application Switch • Nortel Contivity • Nortel Ethernet Routing Switch 2500/4500/5500 • Nortel Ethernet Routing Switch 8300/8600 • Nortel Secure Router • Nortel Secure Network Access Switch •...
  • Page 262 Nortel Networks Step 4 Type the following command to access syslog configuration: syslog Step 5 Type the following commands: log-host address <IP address> Where <IP address> is the IP address of your SIEM system. Step 6 View current default settings for your SIEM system: info For example:...
  • Page 263 Nortel Multiprotocol Router fault-map critical info-map info name WILDCARD severity-mask {fault warning info trace debug} slot-lower-bound 0 slot-upper-bound 1 state enabled trace-map debug warning-map warning Step 13 View the currently configured settings for the syslog filters: show syslog filters When the syslog and filter parameters are correctly configured, the Operational State indicates For example: syslog# show syslog filters...
  • Page 264 Nortel Networks exit Exit the command line session: logout Step 16 You are now ready to configure the log source in SIEM. To configure SIEM to receive events from a Nortel Multiprotocol Router device: • From the Log Source Type drop-down list box, select the Nortel Multiprotocol Router option.
  • Page 265 Nortel Contivity For more information on configuring log sources, see the Log Sources User Guide. For more information about the Nortel Application Switch, see http://www.nortel.com/support. Nortel Contivity A SIEM Nortel Contivity DSM accepts Nortel Contivity events using syslog. SIEM records all relevant events. Before you configure SIEM to integrate with a Nortel Contivity device, you must: Log in to the Nortel Contivity command line interface (CLI).
  • Page 266 Nortel Networks config term Step 3 Type informational as the severity level for the logs you wish to send to the remote server: logging remote level {critical|informational|serious|none} Where informational sends all logs to the syslog server. Step 4 Enable the host: host enable Step 5 Type the remote logging address:...
  • Page 267: Nortel Secure Router

    Nortel Secure Router host <ID> facility local0 Where <ID> is the ID specified in the earlier step. Step 5 Enable the host: host enable Step 6 Type the severity level for which syslog messages are sent: host <ID> severity info Where <ID> is the ID specified in the earlier step...
  • Page 268 Nortel Networks To configure the device to send syslog events to SIEM: Step 1 Log in to the Nortel Secure Router command line interface (CLI). Step 2 Type the following to access global configuration mode: config term Step 3 Type the following command: system logging syslog Type the IP address of the syslog server (SIEM system):...
  • Page 269: Nortel Secure Network Access Switch

    Nortel Secure Network Access Switch qos: warning hdlc: warning local7: warning vpn: warning firewall: warning Step 7 You are now ready to configure the log source in SIEM. To configure SIEM to receive events from a Nortel Secure Router device: •...
  • Page 270: Nortel Switched Firewall 5100

    Nortel Networks Nortel Switched Firewall 5100 A SIEM Nortel Switched Firewall 5100 DSM accepts events using either syslog or OPSEC. SIEM records all relevant events. Before configuring a Nortel Switched Firewall device in SIEM, you must configure your device to send events to SIEM. This section provides information on configuring a Nortel Switched Firewall using one of the following methods: Integrating Nortel Switched Firewall Using Syslog...
  • Page 271 Nortel Switched Firewall 5100 Integrating Nortel Switched Firewall Using OPSEC This method ensures the SIEM Nortel Switched Firewall 5100 DSM accepts Check Point FireWall-1 events using OPSEC. NOTE Depending on your operating system, the procedures for the Check Point SmartCenter Server may vary. The following procedures are based on the Check Point SecurePlatform operating system.
  • Page 272: Nortel Switched Firewall 6000

    Nortel Networks Configure the Log Source within SIEM You are now ready to configure the log source in SIEM. Step 1 To configure SIEM to receive events from a Nortel Switched Firewall 5100 device using OPSEC, you must select the Nortel Switched Firewall 5100 option from the Log Source Type drop-down list box.
  • Page 273 Nortel Switched Firewall 6000 To configure SIEM to receive events from a Nortel Switched Firewall 6000 using syslog: • From the Log Source Type drop-down list box, select the Nortel Switched Firewall 6000 option. For more information on configuring log sources, see the Log Sources User Guide. For more information, see http://www.nortel.com/support.
  • Page 274: Nortel Threat Protection System

    Nortel Networks Step 4 Select Close. Step 5 To create the OPSEC connection, select Manage > Servers and OPSEC applications > New > OPSEC Application Properties. Step 6 Type the Name and optional Comment. The name you type must be different than the name in Step From the Host drop-down menu, select the host object you have created in Step...
  • Page 275: Nortel Vpn Gateway

    Nortel VPN Gateway For more information on configuring log sources, see the Log Sources User Guide. For more information about Nortel TPS, see http://www.nortel.com/support. Nortel VPN Gateway A SIEM Nortel VPN Gateway DSM accepts events using syslog. SIEM records all relevant operating system (OS), system control, traffic processing, startup, configuration reload, AAA, and IPsec events.
  • Page 277: Novell eDirectory

    Novell eDirectory A SIEM Novell eDirectory DSM accepts audit events from Novell eDirectory using syslog. To use the Novell eDirectory DSM, you must have the following components installed: • Novell eDirectory v8.8 with service pack 6 (sp6) • Novell iManager v2.7 •...
  • Page 278 Novell eDirectory log4j.appender.S=org.apache.log4j.net.SyslogAppender Step 5 To configure the IP address for the syslog destination, remove the comment marker (#) and edit the following lines: log4j.appender.S.Host=<IP address> log4j.appender.S.Port=<Port> Where <IP address> is the IP address or hostname of SIEM, and <Port> is the port number for the UDP or TCP protocol. The default port for syslog...
  • Page 279 auditing. For information on configuring event auditing, see Configuring Event Auditing Using Novell iManager. Loading the XDASv2 on a Linux Operating System Step 1 Log in to your Linux server hosting Novell eDirectory, as a root user. Step 2 Type the following command: ndstrace -c "load xdasauditds"...
  • Page 280 Novell eDirectory The Audit Configuration panel is displayed. Step 4 In the NPC Server name field, type the name of your NPC Server. Step 5 Click OK. The Audit Configuration for the NPC Server is displayed. Step 6 Configure the following parameters: On the Components panel, select one or both of the following: - DS - Select this check box to audit XDASv2 events for an eDirectory object.
  • Page 281 Configuring SIEM with Novell eDirectory SIEM automatically detects syslog events from Novell eDirectory. However, if you want to manually configure SIEM to receive events from Novell eDirectory: • From the Log Source Type drop-down list box, select Novell eDirectory. For more information on configuring log sources, see the Log Sources User Guide. For more information about Novell eDirectory, Novell iManager, or XDASv2, see your vendor documentation.
  • Page 283: OpenBSD

    A SIEM OpenBSD DSM accepts events using syslog. SIEM records all relevant informational, authentication, and system level events. Before you configure SIEM to integrate with OpenBSD, you must: Step 1 Log in to your OpenBSD device, as a root user. Open the file.
  • Page 285: Open Source Snort

    Open Source SNORT A SIEM Open Source SNORT DSM accepts SNORT events using syslog. SIEM records all relevant SNORT events. Sourcefire's VRT certified rules for registered SNORT users are supported; however, Bleeding Edge, Emerging Threats, and other third-party rule sets may not be fully supported by the Open Source SNORT DSM.
  • Page 286 Open Source SNORT Where <IP Address> is the system to which you want logs sent. Step 11 Save and exit the file. Step 12 Restart syslog: /etc/init.d/syslog restart Step 13 You are now ready to configure the log source in SIEM. To configure SIEM to receive events from a SNORT device: •...
  • Page 287: Oracle

    Oracle This section provides information on configuring the following DSMs: • Oracle Audit Records • Oracle DB Listener • Oracle Audit Vault • Oracle OS Audit • Oracle BEA WebLogic Oracle Audit Records Oracle databases track auditing events, such as user logins and logouts, permission changes, table creation and deletion, and database inserts.
  • Page 288 Oracle To configure an Oracle Audit device to write audit logs to SIEM, see Integrating Oracle Audit Device with SIEM. If your system includes a large Oracle audit table (greater than 1 GB), see Improving Performance With Large Audit Tables. Integrating Oracle Audit Device with SIEM To configure the device to write audit logs:...
  • Page 289 Oracle Audit Records Step 7 If you are using Oracle v9i or Oracle v10g Release 1, you must create a view using SQL*Plus to enable the SIEM integration. If you are using Oracle 10g Release 2 or later, you may skip this step: CREATE VIEW SIEM_audit_view AS SELECT CAST(dba_audit_trail.timestamp AS TIMESTAMP) AS SIEM_time, dba_audit_trail.* FROM dba_audit_trail;...
  • Page 290: Oracle DB Listener

    Oracle To create an index and a new view: Step 1 From the Enterasys Extranet, download the appropriate file for your version of Oracle: If you are using Oracle 9i or 10g Release 1, download the following file: oracle_9i_dba_audit_view.sql If you are using Oracle v10g Release 2 or v11g, download the following file: oracle_alt_dba_audit_view.sql...
  • Page 291 Oracle DB Listener Collecting Events Using the Oracle Database Listener Protocol The Oracle Database Listener protocol source allows SIEM to monitor log files generated from an Oracle Listener database. Before you configure the Oracle Database Listener protocol to monitor log files for processing, you must obtain the directory path to the Oracle Listener database log files.
  • Page 292 Perl scripts written for the Oracle DB listener work on Linux/UNIX servers only. A Windows Perl script is not supported. To install and configure the Perl script: Step 1 Access the Enterasys Extranet: http://extranet.enterasys.com/downloads/ Download the script to forward the Oracle DB Listener events.
  • Page 293 Oracle DB Listener Step 4 Copy the Perl script to the server that hosts the Oracle server. NOTE Perl 5.8 must be installed on the device that hosts the Oracle server. Step 5 Log in to the Oracle server using an account that has read/write permissions for the file and the directory.
  • Page 294: Oracle Audit Vault

    Oracle Table 51-1 Command Parameters (continued) Parameter / Description: -I: The -I parameter defines the directory name where you wish to create the lock file. The default is /var/lock. This parameter is ignored if -D is specified. For example, to monitor the listener log on an Oracle 9i server with an IP address of 182.168.12.44 and forward events to SIEM with the IP address of 192.168.1.100, type the following: oracle_dblistener_fwdr.pl -t "tail -f...
  • Page 295 Oracle Audit Vault event can be mapped to a high-level and low-level category (or QID). Using the Oracle Audit Vault DSM, category mapping can be done by mapping your high or low category alerts directly to an alert name (ALERT_NAME field) in the payload. For information about the Events interface, see the SIEM Users Guide.
  • Page 296: Oracle OS Audit

    To avoid errors, do not delete log files you are actively monitoring unless the script is stopped, or processing is complete. To integrate the Oracle OS Audit DSM with SIEM: Step 1 Access the Enterasys Extranet: http://extranet.enterasys.com/downloads/ Step 2 Download the following Oracle OS Audit DSM files: oracle_osauditlog_fwdr.pl.gz...
  • Page 297 Oracle OS Audit /var/lock/ /var/run/ Step 10 Restart the Oracle database instance. Step 11 Start the OS Audit DSM script: oracle_osauditlog_fwdr.pl -t target_host -d logs_directory Table 51-2 Oracle OS Audit Command Parameters Parameter / Description: -t: The -t parameter defines the remote host that receives the audit log files.
  • Page 298: Oracle BEA WebLogic

    Oracle For more information about your Oracle Audit Record, see your vendor documentation. Oracle BEA WebLogic The Oracle BEA WebLogic DSM allows SIEM to retrieve archived server logs and audit logs from any remote host, such as your Oracle BEA WebLogic server. SIEM uses the log file protocol to retrieve events from your Oracle BEA WebLogic server and provide information on application events that occur in your domain or on a single server.
  • Page 299 Oracle BEA WebLogic Step 4 Click Save. You are now ready to configure application logging for the server. Configuring Application Logging To configure application logging for Oracle BEA WebLogic: Step 1 From your Oracle WebLogic console, select Server > Logging > General. Step 2 From the Log file name parameter, type the directory path and file name for the...
  • Page 300 Oracle Step 4 Click the Log Sources icon. The Log Sources window is displayed. Step 5 From the Log Source Type drop-down list box, select Oracle BEA WebLogic. Step 6 Using the Protocol Configuration drop-down list box, select Log File. Step 7 Configure the following parameters: Table 51-3 Log File Parameters...
  • Page 301 Oracle BEA WebLogic Table 51-3 Log File Parameters (continued) Parameter / Description: FTP File Pattern: If you select SFTP or FTP as the Service Type, this option allows you to configure the regular expression (regex) required to filter the list of files specified in the Remote Directory.
  • Page 302 Oracle Table 51-3 Log File Parameters (continued) Parameter / Description: Ignore Previously Processed File(s): Select the check box to track files that have already been processed and you do not want the files to be processed a second time. This only applies to FTP and SFTP Service Types.
  • Page 303: Palo Alto Networks

    Palo Alto Networks The SIEM Palo Alto PA Series DSM accepts events using syslog. SIEM records syslog threat events forwarded from Palo Alto PA Series firewalls that have been classified into critical, high, medium, low and informational event categories. Before you configure SIEM to integrate with a Palo Alto PA Series firewall, you must: Log in to the Palo Alto Networks user interface.
  • Page 304 Palo Alto Networks Step 11 Click OK. This saves the candidate configuration, but you must commit your changes to the active configuration. Step 12 Click the Device tab. The Device options menu is displayed. Step 13 Click Commit from the top of the page to update your Palo Alto PA Series firewall with the active configuration.
  • Page 305: ProFTPd

    ProFTPd SIEM can collect events from a ProFTPd server through syslog. By default, ProFTPd logs authentication related messages to the local syslog using the auth (or authpriv) facility. All other logging is done using the daemon facility. To log ProFTPd messages to SIEM, use the SyslogFacility directive to change the default facility.
  • Page 307: Radware DefensePro

    Radware DefensePro A SIEM Radware DefensePro DSM accepts events using syslog. Event traps can also be mirrored to a syslog server. Before you configure SIEM to integrate with a Radware DefensePro device, you must configure your Radware DefensePro device to integrate with SIEM. You must configure the appropriate information using the Device >...
  • Page 309: Redback ASE

    Redback ASE The SIEM Redback ASE DSM accepts events using syslog. The Redback ASE device can send log messages to the Redback device console or to a log server that is integrated with SIEM to generate deployment specific reports. Before configuring a Redback ASE device in SIEM, you must configure your device to send syslog events to SIEM.
  • Page 310 Redback ASE asp security default log server 10.172.55.55 log source 10.192.22.24 Step 7 You are now ready to configure the log sources in SIEM. To configure SIEM to receive events from a Redback ASE device: • From the Log Source Type drop-down list box, select the Redback ASE option.
  • Page 311: Rsa Authentication Manager

    RSA Authentication Manager An RSA Authentication Manager DSM allows you to integrate SIEM with an RSA Authentication Manager using syslog, or using the log file protocol. Before you configure SIEM to integrate with RSA Authentication Manager, select your configuration preference: • Configuring RSA Using Syslog •...
  • Page 312 RSA Authentication Manager Where <IP address> is the IP address or hostname of SIEM. Step 4 Save the ims.properties file. Step 5 Open the following file for editing: /etc/syslog.conf Step 6 Type the following line to add SIEM as a syslog entry: *.* @<IP address>... Note that the *.* selector forwards every facility and priority logged on the Authentication Manager host, not only the RSA messages, and that the @ form sends them over unencrypted UDP; narrow the selector if the SIEM should receive only the authentication events.
  • Page 313 To configure SIEM to receive events from your RSA Authentication Manager: • From the Log Source Type drop-down list box, select the RSA Authentication Manager option. For more information, see the Log Sources User Guide. For more information on configuring syslog forwarding, see your RSA Authentication Manager documentation.
  • Page 314 RSA Authentication Manager You are now ready to configure the log sources and protocol within SIEM: Step 1 To configure SIEM to receive events from an RSA device, you must select the RSA Authentication Manager option from the Log Source Type drop-down list box. Step 2 To configure the log file protocol, you must select the Log File option from the Protocol Configuration drop-down list box.
  • Page 315: Samhain Labs

    SAMHAIN The Samhain Labs Host-Based Intrusion Detection System (HIDS) monitors changes to files on the system. The Samhain HIDS DSM supports Samhain version 2.4 when used for File Integrity Monitoring (FIM). You can configure the Samhain HIDS DSM to accept one of the following log types: •...
  • Page 316 Step 8 Restart syslog: /etc/init.d/syslog restart Samhain sends logs using syslog to SIEM. Step 9 You are now ready to configure the Samhain HIDS DSM in SIEM. To configure SIEM to receive events from Samhain: From the Log Source Type drop-down list box, select the Samhain HIDS option.
  • Page 317 Using JDBC Compare Field: log_index IP or Hostname: <Samhain SetDBHost> Port: <Default Port> Username: <Samhain SetDBUser> Password: <Samhain SetDBPassword> Polling Interval: <Default Interval> Where: <Samhain Database Type> is the database type used by Samhain (see your Samhain system administrator). is the database name specified in the samhainrc file.
  • Page 319: Sentrigo Hedgehog

    SENTRIGO HEDGEHOG You can integrate a Sentrigo Hedgehog device with SIEM. A Sentrigo Hedgehog device accepts LEEF events using syslog. Before you configure SIEM to integrate with a Sentrigo Hedgehog device, you must: Step 1 Log in to the Sentrigo Hedgehog command line interface (CLI). Step 2 Open the following file for editing:...
  • Page 320 Step 5 Stop and restart your Sentrigo Hedgehog service to implement the log.format changes. Step 6 You are now ready to configure the log source in SIEM. To configure SIEM to receive events from a Sentrigo Hedgehog device: ...
  • Page 321: Secure Computing Sidewinder

    SECURE COMPUTING SIDEWINDER A SIEM Sidewinder DSM accepts Sidewinder events using syslog. SIEM records and processes all Sidewinder events. Before you configure SIEM to integrate with a Sidewinder device, you must configure syslog within your Sidewinder device. When configuring the Sidewinder device to forward syslog to SIEM, make sure that the logs are exported in Sidewinder Export Format (SEF).
  • Page 323: SonicWALL

    SONICWALL A SIEM SonicWALL UTM/Firewall/VPN Appliance DSM accepts events using syslog. SIEM records all relevant events from SonicOS software. Before you configure SIEM to integrate with a SonicWALL UTM/Firewall/VPN device, you must configure syslog within the appliance. Once you configure SonicWALL to forward events to SIEM, you are ready to configure the log source in SIEM.
  • Page 325: Sophos

    SOPHOS This section provides information on the following: • Sophos Enterprise Console • Sophos PureMessage • Sophos Astaro Security Gateway • Sophos Web Security Appliance Sophos Enterprise Console SIEM has two options for gathering events from a Sophos Enterprise Console using JDBC.
  • Page 326 Step 4 Click the Log Sources icon. The Log Sources window is displayed. Step 5 Click Add. The Add a log source window is displayed. Step 6 From the Log Source Type drop-down list box, select Sophos Enterprise Console. Step 7 From the Protocol Configuration drop-down list box, select Sophos Enterprise Console JDBC.
  • Page 327 Table 61-4 Sophos Enterprise Console JDBC Parameters (continued) Parameter Description Password Type the password required to access the database. The password can be up to 255 characters in length. Confirm Password Confirm the password required to access the database. The confirmation password must be identical to the password entered in the Password parameter.
  • Page 328 Table 61-4 Sophos Enterprise Console JDBC Parameters (continued) Parameter Description Use Named Pipe Communication Clear the Use Named Pipe Communications check box. When using a Named Pipe connection, the username and password must be the appropriate Windows authentication username and password and not the database username and password.
  • Page 329 Once you have created your custom view, you must configure SIEM to receive event information using the JDBC protocol. To configure the Sophos Enterprise Console DSM with SIEM, see Configure SIEM to Receive Events. Configure SIEM to Receive Events To configure SIEM to access the Sophos database using the JDBC protocol: Log in to SIEM.
  • Page 330 Table 61-5 Sophos Enterprise Console JDBC Parameters (continued) Parameter Description Database Type From the drop-down list box, select MSDE. Database Name Type the exact name of the Sophos database. IP or Hostname Type the IP address or host name of the Sophos SQL Server. Port Type the port number used by the database server.
  • Page 331: Sophos PureMessage

    Table 61-5 Sophos Enterprise Console JDBC Parameters (continued) Parameter Description Use Prepared Statements Select the check box to use prepared statements. Prepared statements allow the JDBC protocol source to set up the SQL statement once, and then execute the SQL statement many times with different parameters.
  • Page 332 • Sophos PureMessage for Linux - Stores events in a PostgreSQL database specified as pmx_quarantine. This section provides information on the following: • Integrating SIEM with Sophos PureMessage for Microsoft Exchange • Integrating SIEM with Sophos PureMessage for Linux Integrating SIEM with Sophos... To integrate SIEM with Sophos PureMessage for Microsoft Exchange:
  • Page 333 Step 6 From the Log Source Type drop-down list box, select Sophos PureMessage. Step 7 From the Protocol Configuration drop-down list box, select JDBC. NOTE You must refer to the database configuration settings on your Sophos PureMessage device to define the parameters required to configure the Sophos PureMessage DSM in SIEM.
  • Page 334 Table 61-1 Sophos PureMessage JDBC Parameters (continued) Parameter Description Confirm Password Confirm the password required to access the database. The confirmation password must be identical to the password entered in the Password parameter. Authentication Domain If you select MSDE as the Database Type and the database is configured for Windows, you must define a Windows Authentication Domain.
  • Page 335 Table 61-1 Sophos PureMessage JDBC Parameters (continued) Parameter Description Use Named Pipe Communication Clear the Use Named Pipe Communications check box. When using a Named Pipe connection, the username and password must be the appropriate Windows authentication username and password and not the database username and password.
  • Page 336 Configure SIEM to Receive Events From Sophos PureMessage for Microsoft Exchange To configure SIEM to access the Sophos PureMessage database using the JDBC protocol: Step 1 Log in to SIEM. Step 2 Click the Admin tab. Step 3 In the navigation menu, click Data Sources. The Data Sources panel is displayed.
  • Page 337 Table 61-2 Sophos PureMessage JDBC Parameters (continued) Parameter Description Port Type the port number used by the database server. The default port is 1532. The JDBC configuration port must match the listener port of the Sophos database. The Sophos database must have incoming TCP connections enabled to communicate with SIEM.
  • Page 338: Sophos Astaro Security Gateway

    Table 61-2 Sophos PureMessage JDBC Parameters (continued) Parameter Description Polling Interval Type the polling interval, which is the amount of time between queries to the event table. The default polling interval is 10 seconds. You may define a longer polling interval by appending H for hours or M for minutes to the numeric value.
  • Page 339: Sophos Web Security Appliance

    • POP3 Proxy - Select this check box. • Packet Filter - Select this check box. • Intrusion Prevention System - Select this check box. • Content Filter (HTTPS) - Select this check box. • High availability - Select this check box. • FTP Proxy - Select this check box.
  • Page 340 • TCP - Encrypted - TCP Encrypted is an unsupported protocol for SIEM. Step 8 Click Apply. Step 9 You are now ready to configure the Sophos Web Security Appliance DSM in SIEM. SIEM automatically detects syslog data from a Sophos Web Security Appliance. To manually configure SIEM to receive events from Sophos Web Security Appliance: ...
  • Page 341: Sourcefire

    SOURCEFIRE This section provides information on the following DSMs: • Sourcefire Intrusion Sensor • Sourcefire Defense Center (DC) Sourcefire Intrusion Sensor A SIEM Sourcefire Intrusion Sensor DSM accepts Snort-based intrusion and prevention syslog events from Sourcefire devices. SIEM records all relevant Sourcefire events.
  • Page 342 Sourcefire Defense Center. Before You Begin Before you can integrate SIEM with Sourcefire Defense Center, you must download and install the latest rpm files from the Enterasys Extranet: • Sourcefire Defense Center DSM For more information about installing DSMs, see Installing DSMs.
  • Page 343 - If you are using a remote Event Collector to collect eStreamer events, type the IP address or hostname for the remote Event Collector. - If you are using HA, type the virtual IP address. Leave the password field blank. Click Save.
  • Page 344 Table 62-3 Sourcefire Defense Center Import Script Parameters (continued) Parameter Description -o The -o parameter allows you to override the default estreamer name for the keystore and truststore files. The -o parameter is required when using multiple Sourcefire Defense Center devices, as unique key file names are required.
  • Page 345 Table 62-4 Sourcefire Defense Center Estreamer Parameters Parameter Description Log Source Identifier Type the IP address or hostname to identify the log source. The information in the Log Source Identifier field must be unique to the log source type. Server Address Type the IP address or hostname of the Sourcefire Defense Center device.
  • Page 347: Squid Web Proxy

    SQUID WEB PROXY A SIEM Squid Web Proxy DSM accepts events using syslog. SIEM records all cache and access log events. Before you configure SIEM to integrate with Squid Web Proxy, you must forward your cache and access logs to SIEM. To configure Squid to forward your logs using syslog: Log into the Squid device command line interface (CLI).
  • Page 348 <SIEM_IP_address> is the IP address or hostname of your SIEM system. For example: info.local4 @172.16.210.50 Step 8 Squid httpd log emulation must be turned off in syslog.conf. For example: emulate_httpd_log off Step 9 Save and close the file. Step 10 Type the following command to restart the syslog daemon: /etc/init.d/syslog restart...
  • Page 349 STARENT NETWORKS The SIEM Starent Networks DSM accepts Event, Trace, Active, and Monitor events. SIEM records all relevant events. Before configuring a Starent Networks device in SIEM, you must configure your device to send syslog events to SIEM. To configure the device to send syslog events to SIEM: Log in to your Starent Networks device.
  • Page 350: Starent Networks

    Table 64-1 Syslog Server Parameters (continued) Parameter Description pdu-data <format> Type the output format for the PDU when logged as one of the following formats: • none - Displays results in raw or unformatted text. • hex - Displays results in hexadecimal format. •...
  • Page 351 The following table provides the necessary parameters: Table 64-3 Active Log Parameters Parameter Description facility <facility> Type the facility message level. A facility is a protocol or task that is in use by the system. The local facility defines which logging options shall be applied for processes running locally.
  • Page 352 Step 6 Configure the monitor log targets: logging monitor {msid <ms_id>|username <username>} The following table provides the necessary parameters: Table 64-4 Monitor Log Parameters Parameter Description msid <ms_id> Type an msid to define that a monitor log is generated for a session identified using the Mobile Station Identification (MSID) number.
  • Page 353: Stonesoft Management Center

    STONESOFT MANAGEMENT CENTER The SIEM Stonesoft Management Center DSM accepts events using syslog. SIEM records all relevant LEEF-formatted syslog events. Before configuring SIEM, you must configure your Stonesoft Management Center to export LEEF-formatted syslog events. This document includes the steps required to edit the LogServerConfiguration.txt file. Configuring the text file allows Stonesoft Management Center to export event data in LEEF format using syslog to SIEM.
  • Page 354 Table 65-1 Log Server Configuration Options Parameter Value Description SYSLOG_EXPORT_FORMAT LEEF Type LEEF as the export format to use for syslog. SYSLOG_EXPORT_ALERT YES | NO Type one of the following values: • Yes - Exports alert entries to SIEM using syslog. •...
  • Page 355 Step 2 Select the type of policy to modify: • Firewall - Select Firewall Policies > Edit Firewall Policy. • IPS - Select IPS Policies > Edit Firewall Policy. Step 3 Add an IPv4 Access rule with the following values to the firewall policy: Source - Type the IPv4 address of your Stonesoft Management Center Log Server.
  • Page 357: Sun Solaris

    SUN SOLARIS This section provides DSM configuration information on the following: • Sun Solaris • Sun Solaris DHCP • Sun Solaris Sendmail • Sun Solaris Basic Security Mode (BSM) Sun Solaris A SIEM Sun Solaris DSM accepts Solaris authentication events using syslog. SIEM records all relevant events.
  • Page 358: Sun Solaris Sendmail

    Sun Solaris DHCP A SIEM Sun Solaris DHCP DSM accepts Solaris DHCP events using syslog. SIEM records all relevant events. Before you configure SIEM to integrate with Solaris DHCP, you must: Step 1 Log in to the Sun Solaris command line interface. Open the file.
  • Page 359: Sun Solaris Basic Security Mode (BSM)

    mail.*; @<IP address> Where <IP address> is the IP address of the SIEM system. Use tabs instead of spaces to format the line. NOTE Depending on the version of Solaris you are running, you may need to add additional log types to the file.
  • Page 360 The bsmconv script enables Solaris Basic Security Mode and starts the auditing service auditd. Step 4 Type the following command to open the audit control file for editing: vi /etc/security/audit_control Step 5 Edit the audit control file to contain the following information: dir:/var/audit flags:lo,ad,ex,-fw,-fc,-fd,-fr...
  • Page 361 FILES=$(ls -lrt | tr -s " " | cut -d" " -f9 | grep -v "not_terminated") # We just created a new audit log by doing 'audit -n', so we can # be sure that the last file in the list will be the latest # archived binary log file.
  • Page 362 vi cronfile Step 3 Add the following information to your cronfile: 0 0 * * * /etc/security/newauditlog.sh Step 4 Save the change to the cronfile. Step 5 Type the following command to add the cronfile to crontab: crontab cronfile Step 6 You are now ready to configure the log source in SIEM to retrieve the Sun Solaris BSM audit log files.
  • Page 363 Table 66-2 Log File Parameters (continued) Parameter Description Remote Port Type the TCP port on the remote host that is running the selected Service Type. If you configure the Service Type as FTP, the default is 21. If you configure the Service Type as SFTP or SCP, the default is 22.
  • Page 364 Table 66-2 Log File Parameters (continued) Parameter Description FTP Transfer Mode This option only appears if you select FTP as the Service Type. The FTP Transfer Mode parameter allows you to define the file transfer mode when retrieving log files over FTP. From the drop-down list box, select the transfer mode you want to apply to this log source: Binary - Select Binary for log sources that require binary...
  • Page 365 Table 66-2 Log File Parameters (continued) Parameter Description Event Generator From the Event Generator drop-down list box, select LINEBYLINE. Step 8 Click Save. Configuring DSMs...
  • Page 367: Sybase ASE

    SYBASE ASE You can integrate a Sybase Adaptive Server Enterprise (ASE) device with SIEM. A Sybase ASE accepts events using JDBC. Before you configure SIEM to integrate with a Sybase ASE device, you must: Step 1 Configure Sybase auditing. For information about configuring Sybase auditing, see your Sybase documentation.
  • Page 368 union select audit_event_name(event) as event_name, * from sysaudits_03 union select audit_event_name(event) as event_name, * from sysaudits_04 Step 6 You are now ready to configure the log source in SIEM. To configure SIEM to receive events from a Sybase ASE device: Log in to SIEM.
  • Page 369: Symantec

    SYMANTEC This section provides information on the following DSMs: • Symantec Endpoint Protection • Symantec SGS • Symantec System Center • Symantec Data Loss Prevention (DLP) Symantec Endpoint Protection A SIEM Symantec Endpoint Protection DSM accepts events using syslog. SIEM records all Audit and Security log events.
  • Page 370: Symantec SGS

    Step 8 Click OK. Step 9 You are now ready to configure the log source in SIEM. To configure SIEM to receive events from a Symantec Endpoint Protection device: From the Log Source Type drop-down list box, select the Symantec Endpoint Protection option.
  • Page 371 dbo.actualaction.Actualaction AS [action], dbo.alerts.Alertdatetime AS [date], dbo.clientuser.Clientuser AS user_name FROM dbo.alerts INNER JOIN dbo.virus ON dbo.alerts.Virusname_Idx = dbo.virus.Virusname_Idx INNER JOIN dbo.inventory ON dbo.alerts.Computer_Idx = dbo.inventory.Computer_Idx INNER JOIN dbo.actualaction ON dbo.alerts.Actualaction_Idx = dbo.actualaction.Actualaction_Idx INNER JOIN dbo.clientuser ON dbo.alerts.Clientuser_Idx = dbo.clientuser.Clientuser_Idx Once you have created your custom view, you must configure SIEM to receive event information using the JDBC protocol.
  • Page 372 Table 68-3 Symantec System Center JDBC Parameters Parameter Description Log Source Identifier Type the identifier for the log source. Type the log source identifier in the following format: <SSC Database>@<SSC Database Server IP or Host Name> Where: <SSC Database> is the database name, as entered in the Database Name parameter.
  • Page 373 Table 68-3 Symantec System Center JDBC Parameters (continued) Parameter Description Select List Type * for all fields from the table or view. You may use a comma-separated list to define specific tables or views, if required for your configuration. The comma-separated list can be up to 255 alphanumeric characters in length.
  • Page 374: Symantec Data Loss Prevention (DLP)

    Step 10 On the Admin tab, click Deploy Changes. For information on configuring the JDBC protocol, see the Log Sources User Guide. Symantec Data Loss Prevention (DLP) A SIEM Symantec Data Loss Prevention (DLP) DSM accepts events from a Symantec DLP appliance using syslog. Before configuring SIEM, you must configure response rules on your Symantec DLP.
  • Page 375 Step 8 On the Conditions panel, select the following conditions: • From the first drop-down list box, select Protocol or Endpoint Monitoring. • From the second drop-down list box, select Is Any Of. • From the third drop-down list box, select SMTP. On the Actions panel, click Add Action.
  • Page 376 Step 6 Click Add Condition. Step 7 On the Conditions panel, select the following conditions: • From the first drop-down list box, select Protocol or Endpoint Monitoring. • From the second drop-down list box, select Is Any Of. • From the third drop-down list box, select None Of SMTP.
  • Page 377: Symark

    (TCP) logs to SIEM before you configure SIEM to integrate with PowerBroker. To configure Symark PowerBroker to forward syslog to SIEM: Step 1 Access the Enterasys Extranet: http://extranet.enterasys.com/downloads/ Step 2 Download the Perl script for the Symark PowerBroker DSM: pbforwarder.pl.gz...
  • Page 378 Table 69-1 Command Parameters (continued) Parameters Description -h The -h parameter defines the receiving syslog host (the Event Collector host name or IP address being used to receive the logs). -p The -p parameter defines the TCP port to be used for sending events. If nothing is specified, 514 is used.
  • Page 379: Tipping Point

    TIPPING POINT This section provides information on the following DSMs: • TippingPoint Intrusion Prevention System • TippingPoint X505/X506 Device TippingPoint Intrusion Prevention System The SIEM TippingPoint Intrusion Prevention System (IPS) DSM accepts TippingPoint events using syslog. SIEM records all relevant events from either a Local Security Management (LSM) device or multiple devices with a Security Management System (SMS).
  • Page 380 Log Type - Select SMS 2.0 / 2.1 Syslog format from the drop-down list box. Facility - Select Log Audit from the drop-down list box. Severity - Select Severity in Event from the drop-down list box. Delimiter - Select TAB as the delimiter for the generated logs. Include Timestamp in Header - Select Use original event timestamp.
  • Page 381: TippingPoint X505/X506 Device

    NOTE If SIEM resides in a different subnet than your TippingPoint device, you may have to add static routes. For more information, see your vendor documentation. Step 8 Click Save. You are now ready to configure the action set for your LSM; see Configuring an Action Set for LSM.
  • Page 382 TippingPoint X505/X506 device in SIEM, you must configure your TippingPoint device to send syslog events to SIEM. To configure the device to send system, audit, VPN, and firewall session log events to SIEM: Step 1 Log in to the TippingPoint X505/X506 device. From the LSM menu, select System >...
  • Page 383: Top Layer IPS

    TOP LAYER A SIEM Top Layer IPS DSM accepts Top Layer IPS events using syslog. SIEM records and processes Top Layer events. Before you configure SIEM to integrate with a Top Layer device, you must configure syslog within your Top Layer IPS device.
  • Page 385: Trend Micro

    TREND MICRO This section provides information on the following DSMs: • Trend Micro InterScan VirusWall • Trend Micro Control Manager • Trend Micro Office Scan Trend Micro InterScan VirusWall A SIEM Trend Micro InterScan VirusWall DSM accepts events using syslog. You can integrate InterScan VirusWall logs with SIEM using the SIEM Adaptive Log Exporter.
  • Page 386: Trend Micro Office Scan

    You are now ready to configure events in the Event Center. Step 1 Select Administration > Event Center. Step 2 From the Event Category list, expand Alert. Step 3 Click Recipients for an alert. Step 4 In Notification methods, select the SNMP Trap Notification check box. Click Save.
  • Page 387 Select Standard Notifications. Click the SNMP Trap tab. Select the Enable notification via SNMP Trap for Virus/Malware Detections check box. Type the following message in the field (this should be the default): Virus/Malware: %v Computer: %s Domain: %m File: %p Date/Time: %y...
  • Page 388 Click Save. Step 7 You are now ready to configure the log sources in SIEM. To configure the Trend Micro Office Scan device: Step 1 From the Log Source Type drop-down list box, select the Trend Micro Office Scan option.
  • Page 389 Type the following message in the field: Virus/Malware: %v Spyware/Grayware: %T Computer: %s IP address: %i Domain: %m File: %p Date/Time: %y Result: %a User name: %n Step 4 Click Save. You must now configure Outbreak Notifications. See Configuring Outbreak Criteria and Alert Notifications.
  • Page 390 To configure the Trend Micro Office Scan device: Step 1 From the Log Source Type drop-down list box, select the Trend Micro Office Scan option. Step 2 From the Protocol Configuration drop-down list box, select the SNMPv2 option. For more information on configuring log sources, see the Log Sources User Guide.
  • Page 391 TRIPWIRE A SIEM Tripwire DSM accepts resource addition, removal, and modification events using syslog. Before you configure SIEM to integrate with Tripwire, you must: Step 1 Log in to the Tripwire interface. Step 2 In the left-hand navigation, click Actions. Click New Action.
  • Page 393 TROPOS CONTROL The SIEM Tropos Control DSM accepts events using syslog, enabling SIEM to record all fault management, login and logout events, provisioning events, and device image upload events. Before configuring SIEM, you must configure your Tropos Control to send syslog events to SIEM. To configure Tropos Control to forward logs using syslog to SIEM: Using SSH, log in to your Tropos Control device as a root user.
  • Page 395 UNIVERSAL SIEM collects and correlates events from network infrastructure and security devices. Once the events are collected and before the correlation can begin, the individual events from these devices must be properly parsed to determine the event name, IP addresses, protocol, and ports. For common network devices (such as NetScreen firewalls), predefined DSMs have been engineered into SIEM to properly parse all event messages from the respective devices.
  • Page 397 VERICEPT CONTENT 360 DSM A SIEM Vericept Content 360 DSM accepts Vericept events using syslog. SIEM records all relevant and available information from the event. Before configuring a Vericept device in SIEM, you must configure your device to send syslog to SIEM. For more information on configuring your Vericept device, consult your vendor documentation.
  • Page 399 WEBSENSE V-SERIES This section provides information on the following DSMs: • Websense V-Series Data Security Suite • Websense V-Series Content Gateway Websense V-Series Data Security Suite The SIEM Websense V-Series Data Security Suite DSM supports Websense V-Series appliances and the Data Security Suite (DSS) software. The SIEM Websense V-Series Data Security Suite DSM accepts events using syslog.
  • Page 400 To configure SIEM to receive events from a Websense V-Series appliance: From the Log Source Type drop-down list box, select Websense V Series. For more information on configuring log sources, see the Log Sources User Guide. For more information on configuring your Websense V-Series appliance, consult your vendor documentation.
  • Page 401 Step 6 Click the Custom tab. Step 7 In the Custom Log File Definitions window, type the following text for the LEEF format. <LogFormat> <Name = "leef"/> <Format = "LEEF:1.0|Websense|WCG|7.6|%<wsds>|cat=%<wc> src=%<chi> devTime=%<cqtn> devTimeFormat=dd/MMM/yyyy:HH:mm:ss http-username=%<caun> url=%<cquc> method=%<cqhm>...
  • Page 402 nohup /bin/bash -c "while [ 1 ] ; do tail -F /opt/WCG/logs/leef.log | nc <IP Address> 514; sleep 1; done" & NOTE You may need to type the logging command in Step 3 or copy the command to a text editor to interpret the quotation marks.
  • Page 403 You are now ready to enable event logging for your Websense V-Series Content Gateway. For more information, see Pulling Data Using Log File Protocol. Pulling Data Using Log File Protocol When configuring your Websense V-Series DSM to use the log file protocol, make sure the hostname or IP address configured in the Websense V-Series is the same as configured in the Remote Host parameter in the Log File Protocol configuration.
  • Page 405 SUPPORTED DSMs Table 78-1 provides information on the DSMs SIEM supports. SIEM integrates with many manufacturers and vendors of security products. Our list of supported DSMs and documentation is constantly growing. If your DSM does not appear in this document, contact your sales representative. Table 78-1 Supported DSMs Events SIEM Recorded...
  • Page 406 Table 78-1 Supported DSMs (Continued). Columns: Manufacturer | DSM | Version | Events Accepted | Recorded Events | Option in SIEM | Auto Discovered | Includes Identity | For More Information. Rows: Bridgewater Systems | AAA Service Controller | v8.2c1 | Syslog | All relevant events | Bridgewater Systems AAA Service Controller | http://www.bridgewatersystems.com. CA Access Control... | v1.4 | Log File | All relevant events | CA ACF2 | http://www.ca.com...
  • Page 407 Table 78-1 Supported DSMs (Continued), rows: | v7.x and above | Syslog | All relevant events | Cisco Adaptive Security Appliance (ASA) | http://www.cisco.com. | v7.x and above | NSEL Protocol | All relevant events | Cisco Adaptive Security Appliance (ASA) | http://www.cisco.com...
  • Page 408 Table 78-1 Supported DSMs (Continued), rows: | IOS | 12.2, 12.5, and above | Syslog | All relevant events | Cisco IOS or select your specific device type: • Cisco 12000 Series •... | Yes* | http://www.cisco.com
  • Page 409 Table 78-1 Supported DSMs (Continued), rows: Enterasys | Matrix K-Series, N-Series and S-Series Switch | | | All relevant device events | Enterasys K/N/S Series Switch | http://www.enterasys.co. Enterasys | Stackable and Standalone Switches | | Syslog | All relevant events | Enterasys Stackable and Standalone Switches or select your specific device type: • Enterasys A-Series • Enterasys B2-Series •... | http://www.enterasys.co
  • Page 410 Table 78-1 Supported DSMs (Continued), rows: Enterasys | HiPath Wireless Controller | V2R2.0.30 | Syslog | All relevant events | Enterasys HiPath Wireless Controller | http://www.enterasys.co. Enterasys | NAC | v3.2 and v3.3 | Syslog | All relevant events | Enterasys NAC | http://www.enterasys.co. Extreme | Extreme... | v7.7 and...
  • Page 411 Table 78-1 Supported DSMs (Continued), rows: HP | Tandem | | Log File Protocol | Safe Guard Audit file events | HP Tandem | http://www.HP.com. HP | ProCurve | K.14.52 | Syslog | All relevant events | HP ProCurve | http://www.HP.com. | | v11.x and... | Syslog...
  • Page 412 Table 78-1 Supported DSMs (Continued), rows: IBM | DB2 | v8.x and above | Log File Protocol | All relevant events | IBM DB2 | http://www.ibm.com. IBM | WebSphere Application... | 5.0.x to... | Log File | All relevant events | IBM WebSphere | http://www.ibm.com...
  • Page 413 Table 78-1 Supported DSMs (Continued), rows: Juniper Networks | Secure Access | Juniper Secure Access version 6.1R2 and Juniper IC... | Syslog | All relevant events | Juniper Networks Secure Access (SA) SSL VPN | http://www.juniper.net
  • Page 414 Table 78-1 Supported DSMs (Continued), rows: | JunOS | v7.x to v10.x | Syslog or PCAP Syslog*** | All relevant events | Juniper JunOS Platform or select your specific device type: Ex-Series... | Yes** | http://www.juniper.net
  • Page 415 Table 78-1 Supported DSMs (Continued), rows: McAfee | Intrushield Network IPS Appliance | v2.1.x and above | Syslog | All relevant events | McAfee IntruShield | http://www.mcafee.com. | ePolicy... | v3.5 to... | JDBC | All relevant... | McAfee ePolicy...
  • Page 416 Table 78-1 Supported DSMs (Continued), rows: Microsoft 2000, Syslog or All relevant events Microsoft Windows http://www.microsoft.com Windows 2003, Microsoft Security Event Log Event 2008, XP, Windows Security Log...
  • Page 417 Table 78-1 Supported DSMs (Continued), rows: Nokia | Firewall | NG FP1, FP2, FP3, AI R54, AI R55, NGX on IPSO v3.8 and... | Syslog or OPSEC | All relevant events | Check Point Firewall-1 | http://www.nokia.com
  • Page 418 Table 78-1 Supported DSMs (Continued) Events SIEM Recorded Auto Includes Manufacturer DSM Version Accepted Events Option in SIEM Discovered Identity For More Information Ethernet v4.1 Syslog All relevant events Nortel Ethernet Routing http://www.nortel.com Routing Switch 8300/8600 Switch 8300 Ethernet v5.0 Syslog All relevant events Nortel Ethernet Routing http://www.nortel.com...
  • Page 419 Table 78-1 Supported DSMs (Continued) Events SIEM Recorded Auto Includes Manufacturer DSM Version Accepted Events Option in SIEM Discovered Identity For More Information Oracle Audit Records v9i, v10g, Syslog All relevant Oracle Oracle RDBMS Audit http://www.oracle.com and v11g JDBC events Record Database v9i, v10g,...
  • Page 420 Table 78-1 Supported DSMs (Continued) Events SIEM Recorded Auto Includes Manufacturer DSM Version Accepted Events Option in SIEM Discovered Identity For More Information Sophos Astaro v8.x Syslog All relevant events Sophos Astaro Security http://www.sophos.com Gateway Enterprise v4.5.1 Sophos All relevant events Sophos Enterprise http://www.sophos.com Console Enterprise...
  • Page 421 Table 78-1 Supported DSMs (Continued) Events SIEM Recorded Auto Includes Manufacturer DSM Version Accepted Events Option in SIEM Discovered Identity For More Information Solaris v5.8, v5.9, Syslog All relevant events Solaris Operating System http://www.sun.com Sun OS Authentication Messages v5.8, v5.9 Solaris DHCP v2.8 Syslog All relevant events Solaris Operating System...
  • Page 422 Table 78-1 Supported DSMs (Continued) Events SIEM Recorded Auto Includes Manufacturer DSM Version Accepted Events Option in SIEM Discovered Identity For More Information Trend Micro InterScan v6.0 and Syslog All relevant events Trend InterScan VirusWall Yes http://www.trendmicro.co VirusWall above Control v5.0 SNMPv1, All relevant events Trend Micro Control...
  • Page 423 INDEX (Numerics) 3Com 8800 Series Switch 7; Ambiron TrustWave ipAngel 9; Enterasys Matrix Router 94; Enterasys Matrix Series 96; Enterasys NAC 97; Enterasys NetSight Automatic Security Manager 95; Enterasys Stackable and Standalone Switches 92; Enterasys XSR Security Router 93; Extreme Networks ExtremeWare 99...
  • Page 424 INDEX Juniper JUNOS 179; Juniper NetScreen IDP 173; Juniper Networks AVT 169; Juniper Networks Firewall and VPN 177; Juniper Networks NSM 178; Juniper Networks Secure Access 174; Juniper Networks vGW 185; Open Source SNORT 269; OpenBSD 267; Oracle Audit Records 271; Oracle Audit Vault 278; Oracle BEA WebLogic 282; Oracle DB Listener 274...
  • Page 425 INDEX Authentication Server 394; Firewall 394; Syslog and SNMP 394; Vericept Content 360 381; Websense Content Gateway 384; Websense Data Security Suite 383; Configuring DSMs...