SEC Integration Guide SSIM 46


7/31/2019 SEC Integration Guide SSIM 46

Symantec Event Collectors

Integration Guide for Symantec Security Information Manager 4.6


Symantec Event Collectors Integration Guide for Symantec Security Information Manager 4.6

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version 4.5

Legal Notice

Copyright 2008 Symantec Corporation.

Symantec, the Symantec logo, LiveUpdate, Symantec AntiVirus, and Symantec Security Response are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be "commercial computer software" and "commercial computer software documentation" as defined in FAR Sections 12.212 and DFARS Section 227.7202.

Symantec Corporation
20330 Stevens Creek Blvd.
Cupertino, CA 95014 USA

http://www.symantec.com


Technical Support

Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product feature and function, installation, and configuration. The Technical Support group also authors content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec's maintenance offerings include the following:

- A range of support options that give you the flexibility to select the right amount of service for any size organization
- A telephone and web-based support that provides rapid response and up-to-the-minute information
- Upgrade insurance that delivers automatic software upgrade protection
- Global support that is available 24 hours a day, 7 days a week worldwide. Support is provided in a variety of languages for those customers that are enrolled in the Platinum Support program
- Advanced features, including Technical Account Management

For information about Symantec's Maintenance Programs, you can visit our Web site at the following URL:

www.symantec.com/techsupp/ent/enterprise.html

Select your country or language under Global Support. The specific features that are available may vary based on the level of maintenance that was purchased and the specific product that you are using.

Contacting Technical Support

Customers with a current maintenance agreement may access Technical Support information at the following URL:

www.symantec.com/techsupp/ent/enterprise.html

Select your region or language under Global Support.

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to recreate the problem.


When you contact Technical Support, please have the following information available:

- Product release level
- Hardware information
  - Available memory, disk space, and NIC information
- Operating system
  - Version and patch level
- Network topology
  - Router, gateway, and IP address information
- Problem description:
  - Error messages and log files
  - Troubleshooting that was performed before contacting Symantec
  - Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:

www.symantec.com/techsupp/ent/enterprise.html

Select your region or language under Global Support, and then select the Licensing and Registration page.

Customer service

Customer service information is available at the following URL:

www.symantec.com/techsupp/ent/enterprise.html

Select your country or language under Global Support.

Customer Service is available to assist with the following types of issues:

- Questions regarding product licensing or serialization
- Product registration updates such as address or name changes
- General product information (features, language availability, local dealers)
- Latest information about product updates and upgrades
- Information about upgrade insurance and maintenance contracts
- Information about the Symantec Value License Program


- Advice about Symantec's technical support options
- Nontechnical presales questions
- Issues that are related to CD-ROMs or manuals

Maintenance agreement resources

If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows:

- Asia-Pacific and Japan: [email protected]
- Europe, Middle-East, and Africa: [email protected]
- North America and Latin America: [email protected]

Additional Enterprise services

Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively.

Enterprise services that are available include the following:

- Symantec Early Warning Solutions: These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur.
- Managed Security Services: These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.
- Consulting Services: Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring and management capabilities, each focused on establishing and maintaining the integrity and availability of your IT resources.
- Educational Services: Educational Services provide a full array of technical training, security education, security certification, and awareness communication programs.


To access more information about Enterprise services, please visit our Web site at the following URL:

www.symantec.com

Select your country or language from the site index.


Contents

Technical Support ... 3

Chapter 1 Introducing Symantec Event Collectors ... 11
  About the Symantec Event Collectors Integration Guide ... 11
  About Symantec Event Collectors and Symantec Security Information Manager ... 11
  Major components of collectors ... 12
  Where to find more information about Information Manager ... 13
  Accessing Help for the console ... 14

Chapter 2 Installing Symantec Event Collectors ... 15
  Before you install collectors ... 15
    Requirements for point products and the collectors ... 15
    Updating the hosts file ... 16
  Installation and configuration tasks for collectors ... 17
  Registering Collectors ... 18
  Installing Symantec Event Agents ... 19
    Verifying Symantec Event Agent installation ... 22
    Verifying Symantec Event Agent operation ... 23
    Starting and stopping Symantec Event Agent services or daemons ... 24
  Installing the collector on a remote computer ... 25
  Installing collectors on an Information Manager appliance ... 26
  Verifying collector installation ... 27

Chapter 3 Configuring point products ... 29
  About configuring the point product to work with the collector ... 29

Chapter 4 Configuring collectors ... 31
  Creating and configuring sensors ... 31
  Creating a new sensor configuration ... 32
  Configuring the collector sensor to receive security events ... 33
  Adding, renaming, deleting, and disabling sensors ... 33
  Importing and exporting sensor properties ... 34
  Globally updating sensor properties ... 35
  About sensor properties for common sensor types ... 36
    Sensor properties for the syslog sensor ... 36
    Sensor properties for the database sensor ... 38
    Sensor properties for the log and syslog file sensor ... 42
    Sensor properties for the log file sensor ... 43
    Sensor properties for the Windows Event Log sensor ... 44
    Sensor properties for the OPSEC LEA sensor ... 45
  Configuring collector raw event logging ... 49
  Verifying collector configuration ... 49

Chapter 5 Configuring collectors for event filtering and aggregation ... 51
  Configuring event filtering ... 51
  Configuring event aggregation ... 54

Chapter 6 Configuring Syslog Director ... 59
  About Syslog Director 4.3 ... 59
  Configuring Syslog Director with syslog collectors ... 61

Chapter 7 LiveUpdate for collectors ... 65
  Running LiveUpdate for collectors ... 65

Appendix A About installing collectors that use a database sensor ... 69
  Installing collectors that use a database sensor ... 69
  Setting the SQL Server security mode to mixed authentication ... 71
  Downloading database drivers ... 71
  Installing database drivers on an Information Manager appliance ... 72
  Installing database drivers on a remote computer ... 73
  Creating read-only database users ... 74
    Creating a read-only database user account for IBM DB2 ... 74
    Creating a read-only database user account for Microsoft SQL Server 2000 ... 75
    Creating a read-only database user account for Microsoft SQL Server 2005 ... 76
    Creating a read-only database user account for Microsoft SQL Server 2000 Desktop Engine (MSDE) ... 77
    Creating a read-only database user account for MySQL ... 78
    Creating a read-only database user for Oracle ... 79
  Importing sensor settings ... 81
  Configuring the SQL Server instance to listen on a non-dynamic port ... 83
  Configuring an SSL connection for the Microsoft SQL Server 2005 JDBC driver 1.2 ... 84

Appendix B About collector configurations ... 87
  Collector configuration scenarios ... 87
    Scenario 1 - One-for-All configuration ... 87
    Scenario 2 - One-to-Many configuration ... 88
    Scenario 3 - One-to-One configuration ... 91
    Scenario 4 - One-per-Type configuration ... 92

Appendix C Uninstalling collectors ... 95
  Uninstalling the collector and its components ... 95
  Unregistering the collector ... 96
  Uninstalling the Symantec Event Agent ... 96
  Uninstalling the collector component ... 97

Appendix D Deploying many collectors ... 99
  Deploying many collectors ... 99
  Sensor property names for common sensor types ... 101


Chapter 1 Introducing Symantec Event Collectors

This chapter includes the following topics:

- About the Symantec Event Collectors Integration Guide
- About Symantec Event Collectors and Symantec Security Information Manager
- Major components of collectors
- Where to find more information about Information Manager
- Accessing Help for the console

About the Symantec Event Collectors Integration Guide

The Symantec Event Collector Guide provides general information and procedures to aid in the installation and the troubleshooting of collectors.

For information specific to a particular collector, see the quick reference guide for that particular collector.

About Symantec Event Collectors and Symantec Security Information Manager

Security products and operating systems generate many kinds of events. Some events are informational, such as a user logging on, and others may indicate a security threat, such as antivirus software being disabled.


Symantec Event Collectors gather, filter, and aggregate these events and forward both the raw and the processed events to Symantec Security Information Manager.

Event collectors collect information from security devices, critical applications, and services, such as the following product types:

- Firewalls
- Routers, switches, and VPNs
- Enterprise Antivirus
- Intrusion detection and intrusion prevention
- Vulnerability scanners
- Authentication servers
- Windows and UNIX system logs

Information Manager stores the event data in event archives and correlates the events with threat and asset information. If a security event triggers a correlation rule, Information Manager creates a security incident.

Information Manager provides real-time event correlation and data archiving to protect against security threats and to preserve critical security data.

Major components of collectors

Table 1-1 Major components of collectors

Component: Description

Information Manager: Refers to the Symantec Security Information Manager where events are processed, filtered, and stored. Allows for the centralized collection, classification, and normalization of events to enable alerts and reports across managed security products.

Symantec Event Agent: Refers to the Java application that performs the communication functions for the Information Manager components on the system on which it is installed.

Collector: Refers to an application that collects events from security products, processes them, and passes them to the Agent.


Table 1-1 Major components of collectors (continued)

Component: Description

Sensor: Refers to the component that reads events from a file, database, syslog, Windows event log, or other medium. The sensor then passes the events to the remaining collector components. The information is then delivered to the Agent for transmission to Information Manager.

Security or Point product: Refers to the software product, such as a firewall, anti-virus software, or an operating system. The security product ensures that data is not vulnerable to unauthorized use or access and is the source of events to the collector.

Figure 1-1 Collector component overview

Where to find more information about Information Manager

For more information about Information Manager, a knowledge base is available on the Symantec Technical Support Web site at the following URL:

www.symantec.com/techsupp/enterprise

The knowledge base link is listed under Technical Support. You can find the Information Manager knowledge base that is listed under Security Management.


In the Downloads section of the site, you can obtain updated versions of the documentation, which includes the following guides:

- Symantec Security Information Manager Administrator's Guide
- Symantec Security Information Manager Installation Guide

Accessing Help for the console

Symantec Security Information Manager provides context-sensitive help for the console and for each of the views that are available in the View menu.

To access Help for the console

In any window, press F1.


Chapter 2 Installing Symantec Event Collectors

This chapter includes the following topics:

- Before you install collectors
- Installation and configuration tasks for collectors
- Registering Collectors
- Installing Symantec Event Agents
- Installing the collector on a remote computer
- Installing collectors on an Information Manager appliance
- Verifying collector installation

Before you install collectors

You must perform the following tasks before you install the collector:

- Meet requirements for both the point product and the collector
  See Requirements for point products and the collectors on page 15.
- Update the hosts file
  See Updating the hosts file on page 16.
- Run LiveUpdate before upgrading an earlier collector
  See Running LiveUpdate for collectors on page 65.

Requirements for point products and the collectors

Each collector is compatible with specific versions of a point product.


Depending on the collector, a collector can run on the following operating systems:

- Microsoft Windows 2000 with Service Pack 4 or later
- Microsoft Windows Advanced Server 2000 with Service Pack 4 or later
- Microsoft Windows Server 2003 Enterprise Edition with Service Pack 1 or later
- Microsoft Windows Server 2003 Enterprise Edition with Service Pack 2 or later
- Microsoft Windows Server 2003 Standard Edition with Service Pack 2 or later
- Windows XP with Service Pack 2 or later
- Red Hat Enterprise Linux AS 3.0
- Red Hat Enterprise Linux AS 4.0
- Red Hat Enterprise Linux AS 5.0
- Sun Solaris (SPARC) 8.0, 9.0, and 10.0

Note: You can install version 4.3 collectors on both 32-bit and 64-bit versions of Windows Server 2000/2003. You can install version 4.2 collectors only on the 32-bit version of Windows Server 2000/2003.

See the quick reference guide for the collector.

Minimum system requirements for a remote collector installation are as follows:

- Intel Pentium-compatible 133-MHz processor (up to and including Xeon-class), or SPARC IIIi or later
- 512 MB minimum, 1 GB of memory recommended for the Symantec Event Agent
- 35 MB of hard disk space for collector program files
- 95 MB of hard disk space to accommodate the Symantec Event Agent, the JRE, and the collector
- TCP/IP connection to a network from a static IP address

Updating the hosts file

The hosts file contains IP address and host name mapping information. You must manually update the hosts file if there is no fully-qualified domain name for the Information Manager appliance. You must also manually update the hosts file if you do not use a Domain Name System (DNS) server. You must add the IP address and host name information that is relevant to Information Manager and to the collectors that collect event data. Host names must be fully-qualified domain names.

See Before you install collectors on page 15.

To update the hosts file

1. Navigate to the directory of the hosts file as follows:
   - On Windows, the hosts file is located in the C:\WINDOWS\system32\drivers\etc folder.
   - On UNIX, the hosts file is located in the /etc directory.
2. Use a text editor, such as Notepad for Windows, or vi for UNIX, to open the hosts file.
3. Add the IP address and host name entries for the Information Manager appliance. Follow the instructions that are provided in the hosts file to add IP address and host name mapping information to the file. Use a tab between the IP address and host name.
4. After you have added the IP address and host name, save and close the file. You should ensure that the text editor that you use did not add a file extension.
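The hosts file rules above (one IP address, a tab, then a fully-qualified host name, in a file with no extension) can be checked by a script rather than by eye. The following is an added example and not Symantec's code; the appliance address 192.0.2.10, the name ssim.example.com and the sample hosts content are constructed values.

```python
"""Check and append Information Manager entries in a hosts file.

Added example, not Symantec's code. It applies the rules from this guide:
one IP address, a tab, then a fully-qualified host name, and the file must
be named exactly 'hosts' (no extension added by the editor).
"""
import ipaddress
import re
from pathlib import Path
from typing import Dict, Optional

# Constructed sample hosts file, as a fresh install might have it.
SAMPLE_HOSTS = "# constructed sample hosts file\n127.0.0.1\tlocalhost\n"

# Hypothetical appliance address and name; substitute your own.
SAMPLE_IP = "192.0.2.10"
SAMPLE_FQDN = "ssim.example.com"

# At least one dotted label; each label 1-63 chars, no leading/trailing hyphen.
_FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def is_fqdn(name: str) -> bool:
    """True only for a fully-qualified name (the guide requires FQDNs)."""
    return _FQDN_RE.match(name) is not None


def parse_hosts(text: str) -> Dict[str, str]:
    """Map every host name or alias to its IP, skipping comments and blanks."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()  # hosts files accept tabs or spaces as separators
        ip, names = fields[0], fields[1:]
        for name in names:
            mapping.setdefault(name.lower(), ip)  # first match wins, as a resolver does
    return mapping


def lookup(text: str, fqdn: str) -> Optional[str]:
    """IP mapped to fqdn in the given hosts text, or None if absent."""
    return parse_hosts(text).get(fqdn.lower())


def add_entry(text: str, ip: str, fqdn: str) -> str:
    """Return hosts text with 'ip<TAB>fqdn' appended.

    Validates the address and the name, does nothing when the mapping is
    already present, and refuses to shadow a different existing mapping.
    """
    ipaddress.ip_address(ip)  # raises ValueError for a malformed address
    if not is_fqdn(fqdn):
        raise ValueError(f"{fqdn!r} is not a fully-qualified domain name")
    existing = lookup(text, fqdn)
    if existing == ip:
        return text
    if existing is not None:
        raise ValueError(f"{fqdn} already maps to {existing}, not {ip}")
    if text and not text.endswith("\n"):
        text += "\n"
    return f"{text}{ip}\t{fqdn}\n"


def update_hosts_file(path: Path, ip: str, fqdn: str) -> bool:
    """Apply add_entry to a real file; returns True if the file was changed."""
    if path.suffix:  # e.g. 'hosts.txt' left behind by an editor
        raise ValueError(f"{path.name}: the hosts file must have no extension")
    old = path.read_text(encoding="utf-8") if path.exists() else ""
    new = add_entry(old, ip, fqdn)
    if new == old:
        return False
    path.write_text(new, encoding="utf-8")
    return True


def demo() -> str:
    """Add the constructed appliance entry to the constructed sample file."""
    return add_entry(SAMPLE_HOSTS, SAMPLE_IP, SAMPLE_FQDN)


if __name__ == "__main__":
    print(demo(), end="")
```

Run it against the real file with update_hosts_file(Path("/etc/hosts"), ip, fqdn) on UNIX, or the C:\WINDOWS\system32\drivers\etc\hosts path on Windows, once for the appliance and once for each collector host.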

Installation and configuration tasks for collectors

Collector installation and configuration includes the following major tasks:

- Completion of the preinstallation requirements
  See Requirements for point products and the collectors on page 15.
  See Updating the hosts file on page 16.
- Registration of the collector
  See Registering Collectors on page 18.
- Installation of the Symantec Event Agent
  See Installing Symantec Event Agents on page 19.
- Installation of the collector component
  See Installing the collector on a remote computer on page 25.
  See Installing collectors on an Information Manager appliance on page 26.
- Configuration of the point product
  See About configuring the point product to work with the collector on page 29.
- Configuration of the collector
  See Configuring collector raw event logging on page 49.
  See Configuring event filtering on page 51.
  See Configuring event aggregation on page 54.
  See Creating and configuring sensors on page 31.

The following tasks depend on various factors:

- A collector that uses a database sensor to collect events requires the completion of additional tasks.
  See Installing collectors that use a database sensor on page 69.
- A collector that uses a syslog sensor can possibly use Syslog Director.
  See About Syslog Director 4.3 on page 59.
- You can run LiveUpdate to receive collector updates such as support for new events and query updates.
  See Running LiveUpdate for collectors on page 65.
- If you need to configure many collectors at once, you can create a csv-formatted file.
  See Deploying many collectors on page 99.
- You can uninstall the collector and its components.
  See Uninstalling the collector and its components on page 95.

    Registering CollectorsThe Information Manager configuration Web site provides a page to register and

    to unregister the configuration settings and event schema. The Information

    Manager appliance requires these settings and schema to recognize and to log

    events from the point product.

    You must register the collector for all remote installations. If you use a collector

    that resides on the Information Manager appliance, you do not have to install the

    agent.

    See Installation and configuration tasks for collectors on page 17.

    To register a collector

    1Launch the Information Manager Web site at the following URL:

    https://Information_Manager_IP_address

    If you have the SSIM Client console open, you should close it.

    2 From the Information Manager configuration Web site, click Collector

    Registration.

    3 On the page that appears, click Register a collector.


4 In the box provided, type (or select) the path to the collector_name.SIP file that was provided with your collector.
  The default location for this file is the sip/ subdirectory of the collector install.

5 Click Begin Registration.

Installing Symantec Event Agents

The Symantec Event Agent sends the data that is collected by the collector to the Information Manager appliance. The Agent is always installed on the same computer as the collector component. You must sometimes install Agents on the same computer as the security product for which it collects events; in other cases you can install the collector on a separate computer from the security product for which it collects events. This computer must have network access to the Information Manager appliance.

See "Installation and configuration tasks for collectors" on page 17.

Note: When you install the Symantec Event Agent, you may receive the following error:

bootstrap- Symc_ConfigProvider: Server returned authorization error

This error generally occurs when Information Manager is under heavy load. The installation program continues to try to communicate with Information Manager until it succeeds. The installation may take several hours or more depending on the load conditions. No user action is required.

Note: Java Runtime Environment (JRE) 1.6 is automatically installed along with the Agent into a subdirectory of the installation directory that is specified at installation. By default, the directory is C:\Program Files\Symantec\Event Agent\jre on Windows and /opt/Symantec/sesa/Agent/jre on UNIX. Only the collector component and the Agent use the JRE; it does not interfere with any other JRE that is installed on the computer.

If you install more than one collector on the same computer, you only need to install the Symantec Event Agent once.

Before you install the Symantec Event Agent, you should complete the following steps in the order presented:

Uninstall any previous version of the agent.
See "Uninstalling the Symantec Event Agent" on page 96.


Ensure that there is network connectivity between the system where the agent will be installed and the Information Manager appliance.
If there is a firewall between the agent computer and the Information Manager appliance, ensure that the following ports are open:
TCP 5998
TCP 8086
TCP 443
TCP 80
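A quick way to confirm the firewall prerequisite from the agent computer, as an added example that is not part of the Symantec guide or the Agent installer: it attempts a TCP connection to each port listed above on the appliance address you supply; the `probe` parameter and the appliance address are this example's own (the address is a placeholder).

```python
"""Pre-installation connectivity check for the Symantec Event Agent.

Added example, not part of the Symantec guide: probes the TCP ports the guide
says must be open between the agent computer and the Information Manager
appliance, and reports any that a firewall appears to block.
"""
import socket
from typing import Callable, Dict, List

# Ports the guide lists as required between the agent and the appliance.
REQUIRED_TCP_PORTS = (5998, 8086, 443, 80)

# A probe returns True when a TCP connection to host:port succeeds.
Probe = Callable[[str, int], bool]


def tcp_connect_probe(host: str, port: int, timeout: float = 3.0) -> bool:
    """Real probe: attempt a TCP handshake and close the socket immediately."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_appliance_ports(appliance: str, probe: Probe = tcp_connect_probe,
                          ports=REQUIRED_TCP_PORTS) -> Dict[int, bool]:
    """Return {port: reachable} for every required port."""
    return {port: probe(appliance, port) for port in ports}


def blocked_ports(results: Dict[int, bool]) -> List[int]:
    """Ports that must be opened on the firewall before the agent is installed."""
    return sorted(port for port, ok in results.items() if not ok)


if __name__ == "__main__":
    import sys
    # Placeholder: pass your Information Manager appliance address as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "Information_Manager_IP_address"
    results = check_appliance_ports(target)
    for port in REQUIRED_TCP_PORTS:
        print(f"TCP {port}: {'open' if results[port] else 'BLOCKED'}")
    if blocked_ports(results):
        print("Open the blocked ports on the firewall before installing the agent.")
```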

When the Symantec Event Agent installation completes, you can verify it by completing the following procedures:

Verify Symantec Event Agent installation.
See "Verifying Symantec Event Agent installation" on page 22.

Verify Symantec Event Agent operation.
See "Verifying Symantec Event Agent operation" on page 23.

Start and stop Symantec Event Agent services and daemons.
See "Starting and stopping Symantec Event Agent services or daemons" on page 24.

To install the Symantec Event Agent on a computer that runs Windows

1 Launch the Information Manager Configuration Web site at the following URL:
  https://Information_Manager_IP_address

2 From the Information Manager Configuration Web site, click Downloads.

3 Click Download Symantec Event Agent Installer for Windows, and save the file to a directory on the computer where you want to install the Symantec Event Agent.
  This option downloads a file that is named install.exe.

4 To install the Symantec Event Agent, double-click the install.exe that you downloaded in step 3, and then follow the prompts.

To install the Symantec Event Agent on a computer that runs Linux

1 Launch the Information Manager Configuration Web site at the following URL:
  https://Information_Manager_IP_address

2 From the Information Manager Configuration Web site, click Downloads.

3 Click Download Symantec Event Agent Installer for Linux, and save the file to a directory on the computer where you want to install the Symantec Event Agent.
  This option downloads a file that is named symevtagent_4.5.0.12.tar.

4 Navigate to the directory where you downloaded the .tar file in step 3.

5 At the command prompt, type the following command:
  tar -xvf symevtagent_4.5.0.12.tar
  This command creates a subdirectory that is named Agent, and then unpacks the Event Agent installation files into that directory.

6 At the command prompt, to run the install script, type the following commands:
  cd Agent
  sh ./install.sh

7 At the prompts, enter the appropriate information.

To install the Symantec Event Agent on a computer that runs Solaris

1 Launch the Information Manager Configuration Web site at the following URL:
  https://Information_Manager_IP_address

2 From the Information Manager Configuration Web site, click Downloads.

3 Click Download Symantec Event Agent Installer for Solaris, and save the file to a directory on the computer where you want to install the Symantec Event Agent.
  This option downloads a file that is named symevtagent_4.5.0.13.tar.

4 Navigate to the directory where you downloaded the .tar file in step 3.

5 At the command prompt, type the following command:
  tar -xvf symevtagent_4.5.0.13.tar
  This command creates a subdirectory that is named Agent, and then unpacks the Event Agent installation files into that directory.

6 At the command prompt, to run the install script, type the following commands:
  cd Agent
  sh ./install.sh

7 At the prompts, enter the appropriate information.


Verifying Symantec Event Agent installation

To verify installation of the Symantec Event Agent, you can perform the following tasks in the order presented:

Verify Symantec Event Agent connectivity from Information Manager.
See "To verify Symantec Event Agent connectivity from Information Manager" on page 22.

Verify the Information Manager IP address and Symantec Event Agent port.
See "To verify the Information Manager IP address and the Symantec Event Agent port" on page 22.

To verify Symantec Event Agent connectivity from Information Manager

1 From a Windows computer that has the SSIM Client installed, log on with an Information Manager user account with sufficient rights to view events.
  The Information Manager user must belong to a role that has rights to the Information Manager-integrated collector.

2 In the Information Manager console, in the left pane, click System.

3 On the Administration tab, expand the tree until you see Organizational Units.

4 Expand Organizational Units > Default.

5 Verify that the name of the collector computer is listed.

6 Right-click the computer name, and then click Properties.

7 In the Computer Properties dialog box, on the Services tab, verify that the Agent Service displays Yes in the Started column.

To verify the Information Manager IP address and the Symantec Event Agent port

1 From the collector computer, navigate to the Symantec Event Agent installation folder.
  On Windows, the default location is C:\Program Files\Symantec\Event Agent
  On UNIX, the default location is /opt/Symantec/sesa/Agent
  On UNIX, you must become superuser.

2 In a text editor, such as Notepad on Windows or vi on UNIX, open the configprovider.cfg file.

3 Verify that the following options contain the correct settings for the collector product to which you want to send events:
  MgmtServer contains the correct Symantec Security Information Manager IP address.


  MgmtPort contains the correct Symantec Event Agent port number (default value is 443).

Verifying Symantec Event Agent operation

You can verify that the Symantec Event Agent is operating correctly by running the Show Agent Status script.

See "Verifying Symantec Event Agent installation" on page 22.

To run the Show Agent Status script

1 On the collector computer, navigate to the Agent directory as follows:
  On Windows, the default location is C:\Program Files\Symantec\Event Agent.
  On UNIX, the default location is /opt/Symantec/sesa/Agent.
  On UNIX, you must become superuser.

2 To access the Collector and Agent Management scripts, at the command prompt, do one of the following steps:
  On Windows, type the following command:
  agentmgmt.bat
  On UNIX, type the following command:
  ./agentmgmt.sh

3 At the SSIM Collector / Agent Management Scripts menu, select the following option:
  1. Show Agent Status

  If the Agent is not running, the following message appears:

  The agent command cannot be executed.
  Failed to make a connection to the agent.
  The Symantec Event Agent is possibly not running.

  If the Agent is running, something similar to the following message appears:

  Symantec Event Agent (v 4.5.0.12) - Copyright(c) - Symantec Corporat
  Symantec Event Agent status: running
  Listening on: 172.16.0.1:8086
  SSL: Off
  SESA Manager URL: https://172.16.0.1:443/sesa/servlet/
  Outbound Thread State: CONNECTED
  Java Version 1.6.0
  Queue Status
  Total events accepted: 502
  Total events forwarded: 502
  Entries waiting in queue: 0
  Direct events accepted: 0
  Queue File: .\agent.que
  Flush Size (KB): 2000
  Flush Count: 1000
  Flush Time (sec): 4
  Spool Size (KB): 20000
  Max Queue Size (KB): 80000
  Forwarding Provider: Symc_SESAEventForwardingProvider
  Post failures due to unexpected response code: 6
  Total number of post failures: 0
  Event Acceptor HTTP ThreadPool:
  Thread 0 state = IDLE
  Thread 1 state = IDLE
  Thread 2 state = IDLE
  Thread 3 state = IDLE
  Last state update time: Mon Apr 28 18:24:17 PDT 2008
  Last configuration download request time:
  Mon Apr 28 18:24:17 PDT 2008
  Last configuration update invocation time:
  Mon Apr 28 18:24:17 PDT 2008
  Last configuration update completion time:
  Mon Apr 28 18:24:17 PDT 2008
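The status output above can be checked mechanically rather than read by eye. The following is an added example, not part of the Symantec guide or the Agent's management scripts: it parses the "Show Agent Status" text into fields and reports the conditions an operator would want flagged; the sample text is constructed from the output shown above, and the pass/fail rules (including treating "SSL: Off" on the listener as a finding) are this example's own choices.

```python
"""Health check over the output of the "Show Agent Status" script.

Added example, not part of the Symantec guide: parses the status text into
key/value pairs and derives findings from it. The thresholds and rules are this
example's own choices, not values stated by the guide.
"""
import re
from typing import Dict, List

# Constructed sample, modelled on the running-agent output in the guide.
SAMPLE_RUNNING = """\
Symantec Event Agent (v 4.5.0.12) - Copyright(c) - Symantec Corporat
Symantec Event Agent status: running
Listening on: 172.16.0.1:8086
SSL: Off
SESA Manager URL: https://172.16.0.1:443/sesa/servlet/
Outbound Thread State: CONNECTED
Java Version 1.6.0
Queue Status
Total events accepted: 502
Total events forwarded: 502
Entries waiting in queue: 0
Direct events accepted: 0
Queue File: .\\agent.que
Flush Size (KB): 2000
Max Queue Size (KB): 80000
Forwarding Provider: Symc_SESAEventForwardingProvider
Post failures due to unexpected response code: 6
Total number of post failures: 0
Event Acceptor HTTP ThreadPool:
Thread 0 state = IDLE
Thread 1 state = IDLE
Last state update time: Mon Apr 28 18:24:17 PDT 2008
"""

# Constructed sample of the message shown when the agent is not running.
SAMPLE_DOWN = """\
The agent command cannot be executed.
Failed to make a connection to the agent.
The Symantec Event Agent is possibly not running.
"""

# 'Key: value' or 'Thread N state = X'; the key is everything before the first
# ':' or '=' so that URLs and host:port values keep their own colons.
_KV = re.compile(r"^(?P<key>[^:=]+?)\s*[:=]\s*(?P<value>.*)$")


def parse_agent_status(text: str) -> Dict[str, str]:
    """Turn the status lines into a dict; banner lines without a separator are skipped."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = _KV.match(line.strip())
        if m:
            fields[m.group("key").strip()] = m.group("value").strip()
    return fields


def _int(fields: Dict[str, str], key: str) -> int:
    """Counter value for key, or 0 when the field is missing or not numeric."""
    try:
        return int(fields.get(key, "0"))
    except ValueError:
        return 0


def agent_findings(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the agent looks healthy."""
    if "Failed to make a connection to the agent." in text:
        return ["agent not running: management script could not connect"]
    f = parse_agent_status(text)
    findings: List[str] = []
    if f.get("Symantec Event Agent status") != "running":
        findings.append("agent status is not 'running'")
    if f.get("Outbound Thread State") != "CONNECTED":
        findings.append("outbound thread is not CONNECTED to Information Manager")
    if f.get("SSL", "").lower() == "off":
        findings.append("agent event listener has SSL off")
    backlog = _int(f, "Entries waiting in queue")
    if backlog > 0:
        findings.append(f"{backlog} events waiting in queue (forwarding lagging?)")
    accepted = _int(f, "Total events accepted")
    forwarded = _int(f, "Total events forwarded")
    if forwarded < accepted - backlog:
        findings.append(f"accepted {accepted} events but forwarded only {forwarded}")
    for key in ("Post failures due to unexpected response code",
                "Total number of post failures"):
        if _int(f, key) > 0:
            findings.append(f"{key}: {_int(f, key)}")
    return findings
```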

Starting and stopping Symantec Event Agent services or daemons

If you install the collector on a Windows computer, the Symantec Event Agent runs as a service. If you install the collector on a UNIX computer, the Symantec Event Agent runs as a daemon. To start and stop the Symantec Event Agent, you start and stop the services or daemons as necessary.

To start and stop the Symantec Event Agent service

1 On the collector computer, navigate to the Agent directory as follows:
  On Windows, the default location is C:\Program Files\Symantec\Agent.
  On UNIX, the default location is /opt/Symantec/sesa/Agent.
  On UNIX, you must become superuser.

2 To access the Collector and Agent Management Scripts, do one of the following steps:
  On Windows, type the following command:
  agentmgmt.bat
  On UNIX, type the following command:
  ./agentmgmt.sh

3 At the SSIM Collector / Agent Management Scripts menu, select one of the following options:
  10. Start the Agent
  11. Stop the Agent

Installing the collector on a remote computer

The collector component reads the data from the security product, formats the data, and forwards it to the Symantec Event Agent. The collector computer must have access to the product that you want to monitor.

Before you install the collector component, you must complete the following tasks in the order shown:

Register the collector.
See "Registering Collectors" on page 18.

Install the Symantec Event Agent.
See "Installing Symantec Event Agents" on page 19.

Note: You must install the agent for all remote installations. If you use a collector that resides on the Information Manager appliance, you do not have to install the agent.

See "Installation and configuration tasks for collectors" on page 17.

When you have completed the installation of the collector on a remote computer, you should verify that the Symantec Event Agent and collector are running.

See "Verifying collector installation" on page 27.


To install the collector on a remote computer

1 On the collector computer, navigate to the install subdirectory of the collector installation files. The installation files are located in a temporary directory.
  You must install some collectors on the same computer as the product for which it collects events.
  See the quick reference guide for the specific collector for more information.

2 At a command prompt, do one of the following steps:
  On Windows, type the following command:
  install.bat
  On UNIX, type the following command:
  sh ./install.sh

3 Follow the installation wizard prompts.

Installing collectors on an Information Manager appliance

You can install most 4.3 collectors on the Information Manager 4.5 or 4.6 appliance. If you install the collector on the appliance, you do not need to register the collector nor install the Symantec Event Agent.

See "Installation and configuration tasks for collectors" on page 17.

To install a 4.3 collector on an Information Manager appliance

1 Contact Symantec for the collector 4.3 installation package.

2 Unzip the installation package onto your Information Manager client computer.
  The installation package includes a subdirectory that is named appliance. The appliance subdirectory contains a file that is named as follows:
  install-collector_namecollector.jar
  where collector_name represents the name of the collector.

3 From a Web browser, navigate to the Information Manager Administrator Web page, and then log in with administrator credentials.
  The URL is as follows:
  https://Information_Manager_IP_address

4 From the list on the left, click System Updates.


5 From Options, click Install, and then browse to the appliance directory where you unzipped the installation package (see step 2).

6 Select the install-collector_namecollector.jar file and click Upload and Install.

7 In the Confirm Installation page, click Continue.
  The status of the install process is displayed.

8 When done, close the Information Manager Administrator Web page.

Verifying collector installation

To verify the collector installation, you must complete the following procedures in the order presented:

On the collector computer, verify that the appropriate services or daemons are started.
On a Windows computer, you verify that services have started. On a UNIX computer, you verify that daemons have started.
See "To verify that the appropriate services have started on Windows" on page 27.
See "To verify that the appropriate daemons have started on UNIX" on page 27.

Verify that the Symantec Event Agent and collector are running.
See "To verify that the Symantec Event Agent and collector are running" on page 28.

To verify that the appropriate services have started on Windows

1 On the collector computer, from the Start menu, click Settings > Control Panel.

2 In the Control Panel window, select Administrative Tools.

3 In the Administrative Tools window, select Services.

4 In the Services dialog box, verify that the AgentStart Service is listed and is started.

To verify that the appropriate daemons have started on UNIX

1 On the collector computer, become superuser.

2 At the command prompt, type the following command:
  ps -ef | grep sesagentd

3 Verify that the sesagentd process exists.


To verify that the Symantec Event Agent and collector are running

1 On the collector computer, navigate to the Agent directory as follows:
  On Windows, the default location is C:\Program Files\Symantec\Agent
  On UNIX, the default location is /opt/Symantec/sesa/Agent
  On UNIX, you must become superuser.

2 To access the Collector and Agent Management scripts, at the command prompt, do one of the following steps:
  On Windows, type the following command:
  agentmgmt.bat
  On UNIX, type the following command:
  ./agentmgmt.sh

3 At the SSIM Collector / Agent Management Scripts menu, select the following option:
  1. Show Agent Status


Chapter 3  Configuring point products

This chapter includes the following topics:

About configuring the point product to work with the collector

About configuring the point product to work with the collector

After you have installed the necessary collector components, you may need to configure the point product to make the event information available to the collector.

For example, if the collector uses a syslog sensor, you must configure the point product to send syslog events to the collector.

For more information, see the quick reference guide for the specific collector.


Chapter 4  Configuring collectors

This chapter includes the following topics:

Creating and configuring sensors
Creating a new sensor configuration
Configuring the collector sensor to receive security events
Adding, renaming, deleting, and disabling sensors
Importing and exporting sensor properties
Globally updating sensor properties
About sensor properties for common sensor types
Configuring collector raw event logging
Verifying collector configuration

Creating and configuring sensors

You must create a new sensor configuration for each collector.

The creation of sensor configurations includes the following tasks:

Creating a new sensor configuration
See "Creating a new sensor configuration" on page 32.

Configuring the collector sensor to receive security events
See "Configuring the collector sensor to receive security events" on page 33.

Adding, renaming, deleting, and disabling sensors
See "Adding, renaming, deleting, and disabling sensors" on page 33.

Configuring sensor properties


See "About sensor properties for common sensor types" on page 36.

Importing and exporting sensor properties (optional)
See "Importing and exporting sensor properties" on page 34.

Globally updating sensor properties
See "Globally updating sensor properties" on page 35.

Creating a new sensor configuration

Collectors use sensors that you must configure to receive security events. Sensors are grouped by sensor configurations. Collectors include a sensor configuration named Default. You cannot use this configuration; you must create a new one.

See "Creating and configuring sensors" on page 31.
See "Configuring the collector sensor to receive security events" on page 33.

To create a new sensor configuration

1 In the Information Manager console, in the left pane, click System.

2 From the Product Configurations tab, expand the tree until you see the collector name.

3 Right-click the collector name, and then choose New.

4 On the Create a New Configuration wizard page, click Next.

5 On the General page, enter a name and a description for the new configuration, and then click Next.

6 On the Computers page, do the following steps in the order given:
  Click Add.
  Under the Available computers column, click a system from the list, then click Add.
  In order for a computer to be listed, the Symantec Event Agent must be installed on this computer.
  Click OK, then click Next.

7 On the Configuration summary panel, make changes to any of your previous selections.

8 Click Finish, and then click Close.


Configuring the collector sensor to receive security events

Before you configure a sensor, you must create a sensor configuration.

See "Creating a new sensor configuration" on page 32.

After you create a sensor configuration, you must configure its sensor or sensors to receive security events.

After the sensors are configured, or when a change is made to sensor properties, you must distribute the sensor properties to the collector computers.

See "Creating and configuring sensors" on page 31.

To configure the collector sensor to receive security events

1 In the Information Manager console, in the left pane, click System.

2 Select the Product Configurations tab, and then expand the tree until you see the collector name.

3 In the left pane, select the appropriate configuration.

4 In the right pane, on the sensor tab, under the list of sensors, click the sensor.
  You can rename the sensor, add new sensors, and delete sensors.
  See "Adding, renaming, deleting, and disabling sensors" on page 33.

5 In the sensor property table under the Value column, change any of the information.
  See "About sensor properties for common sensor types" on page 36.
  For specific sensor settings, see the quick reference guide for the collector.

6 Click Save.

7 In the left pane, right-click the appropriate configuration, and then click Distribute.

8 When you are prompted to distribute the configuration, click Yes.

9 In the Configuration Viewer window, click Close.

Adding, renaming, deleting, and disabling sensors

When you create a new sensor configuration, a sensor is automatically created for you. You may create additional sensors, rename the sensor, delete the sensor, or disable the sensor.

See "Creating a new sensor configuration" on page 32.


See "Creating and configuring sensors" on page 31.

To add, rename, delete, or disable a sensor

1 In the Information Manager console, in the left pane, click System.

2 Select the Product Configurations tab, and then expand the tree until you see the collector name.

3 In the left pane, select the appropriate configuration.

4 In the right pane, select the sensor tab, and then, under the list of sensors, do any of the following:
  To add a sensor, click the plus (+) button.
  By default, the sensors that you create are named Sensor 1, Sensor 2, Sensor 3, and so on.
  To rename a sensor, double-click in the sensor name box, and type in a new name.
  To delete a sensor, click the minus (-) button.
  You cannot delete the default sensor.
  To delete all sensors, click the trash can button.
  To disable a sensor, but not delete it, uncheck the sensor.

5 Click Save.

6 In the left pane, right-click the appropriate Default folder, and then click Distribute to update the collector on the target computer with new properties.

7 When you are prompted to distribute the configuration, click Yes.

Importing and exporting sensor properties

You can both import sensor properties from an XML file and export sensor properties to an XML file.

See "Creating and configuring sensors" on page 31.

An example XML file for syslog sensor properties is as follows:

UDP
*
514


To import and export sensor properties

1 In the Information Manager console, in the left pane, click System.

2 Select the Product Configurations tab, and then expand the tree until you see the collector name.

3 In the left pane, select the appropriate configuration.

4 In the right pane, on the sensor tab, do one of the following tasks:
  If you want to import a configuration from an XML file, click the Import Sensors button, and then, in the Import Configuration From File window that appears, specify the XML file from which you want to import the configuration.
  If you want to export the selected configuration to an XML file, click the Export Sensors button, and then, in the Export Configuration to File window that appears, specify a filename to which to export the configuration.

Globally updating sensor properties

You can copy selected sensor properties to other sensors that are within the same configuration. This feature is particularly useful if you have many sensors that you need to update.

See "Configuring the collector sensor to receive security events" on page 33.
See "Creating and configuring sensors" on page 31.

To globally update sensor properties

1 In the Information Manager console, in the left pane, click System.

2 Select the Product Configurations tab, and then expand the tree until you see the collector name.

3 In the left pane, select the appropriate configuration.

4 In the right pane, on the sensor tab, select a sensor so that it appears highlighted.

5 In the right pane, on the lower right, click Global Update.

6 In the Select Properties for Global Update window, place a checkmark next to the property whose value you want to propagate to all other sensors within the same configuration.


7 Click OK to complete the global update process.

8 Proceed to change the sensor properties as needed.
  For sensor properties, see the quick reference guide for the collector.

9 In the left pane, right-click the configuration, and then click Distribute.

10 When you are prompted to distribute the configuration, click Yes.

About sensor properties for common sensor types

The most common sensor types are as follows:

Syslog sensor
See "Sensor properties for the syslog sensor" on page 36.

Database sensor
See "Sensor properties for the database sensor" on page 38.

Log sensor
See "Sensor properties for the log and syslog file sensor" on page 42.

Syslog file sensor
See "Sensor properties for the log and syslog file sensor" on page 42.

Log file sensor
See "Sensor properties for the log file sensor" on page 43.

Windows Event Log sensor
See "Sensor properties for the Windows Event Log sensor" on page 44.

OPSEC LEA sensor
See "Sensor properties for the OPSEC LEA sensor" on page 45.

For properties of a custom sensor, or specific settings for a particular collector, see the quick reference guide for the collector.

Sensor properties for the syslog sensor

Table 4-1 Syslog sensor properties

Protocol
  Specify UDP or TCP. UDP is the syslog standard protocol and is faster than TCP; however, UDP provides few error recovery services, and there is no guarantee that events are delivered. TCP is slower than UDP, but it guarantees event delivery by establishing a connection.

Host Names
  Specify the IP addresses or names of the host computers that the collector monitors. Specify * (or any) to allow any host to send events to the collector, or specify multiple host names. Separate multiple host names with commas or semicolons.

Port Number
  Specify the port number to which you have configured the point product to send syslog messages.

Time Offset
  Specify a time offset to convert timestamps of all logged events to the time zone of the collector computer.
  You can use a time offset value if both of the following statements are true:
  The time zone of the collector computer and the point product are different.
  The timestamps in the point product data are not Coordinated Universal Time (UTC).
  You do not need to use this property if the collector and the point product computers are in the same time zone.
  Acceptable formats are: +HH, -HH, +HH:MM, -HH:MM, where HH is the number of hours (-99 to +99), and MM is the number of minutes (0 to 59). The default value is +00:00.
  For example, if Pacific Standard Time (PST) is the time zone of the collector computer, you can specify -3 to convert incoming events with an Eastern Standard Time (EST) to Pacific Standard Time. You can specify +3 to convert incoming events with a Hawaii-Aleutian Standard Time (HST) standard to Pacific Standard Time.
  If you enter and distribute an erroneous time zone offset, the collector automatically resets the offset value to the default value of +00:00. An error message is posted in the collector's log.
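Checking a syslog sensor's property values against the rules in Table 4-1 before distributing them, as an added example that is not part of the Symantec guide or the collector: the accepted offset formats and the reset to +00:00 follow the table, while the property dictionary shape, the advisory finding for a wildcard host list, and the wording of the messages are this example's own choices.

```python
"""Validation of syslog sensor properties (Table 4-1).

Added example, not part of the Symantec guide: checks Protocol, Host Names,
Port Number and Time Offset against the rules the table states, and applies
the offset the way the table describes (an invalid offset falls back to the
default +00:00 and is reported). The dict shape is this example's own.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

DEFAULT_OFFSET = "+00:00"
# +HH, -HH, +HH:MM, -HH:MM; a sign is mandatory, as in the table's formats.
_OFFSET_RE = re.compile(r"^([+-])(\d{1,2})(?::(\d{1,2}))?$")


def parse_time_offset(value: str) -> Optional[timedelta]:
    """Return the offset as a timedelta (HH 0..99, MM 0..59), or None if invalid."""
    m = _OFFSET_RE.match(value.strip())
    if not m:
        return None
    sign, hours, minutes = m.group(1), int(m.group(2)), int(m.group(3) or 0)
    if not (0 <= hours <= 99 and 0 <= minutes <= 59):
        return None
    delta = timedelta(hours=hours, minutes=minutes)
    return -delta if sign == "-" else delta


def effective_offset(value: str) -> Tuple[timedelta, Optional[str]]:
    """Offset actually applied, plus the error message when the value was reset."""
    delta = parse_time_offset(value)
    if delta is None:
        # Mirrors the table: an erroneous offset is reset to +00:00 and logged.
        return timedelta(0), f"invalid time offset {value!r}; reset to {DEFAULT_OFFSET}"
    return delta, None


def convert_timestamp(ts: datetime, offset: str) -> datetime:
    """Shift an event timestamp into the collector computer's time zone."""
    delta, _ = effective_offset(offset)
    return ts + delta


def parse_host_names(value: str) -> List[str]:
    """Split the comma- or semicolon-separated list; '*' or 'any' means any host."""
    hosts = [h.strip() for h in re.split(r"[,;]", value) if h.strip()]
    return ["*"] if any(h.lower() in ("*", "any") for h in hosts) else hosts


def validate_syslog_sensor(props: Dict[str, str]) -> List[str]:
    """Return findings for the sensor properties; an empty list means all checks passed."""
    findings: List[str] = []
    if props.get("Protocol", "").upper() not in ("UDP", "TCP"):
        findings.append("Protocol must be UDP or TCP")
    hosts = parse_host_names(props.get("Host Names", ""))
    if not hosts:
        findings.append("Host Names is empty")
    elif hosts == ["*"]:
        # Allowed by the table; reported so that the choice is deliberate.
        findings.append("Host Names is * (any host): events are accepted from any source")
    try:
        port = int(props.get("Port Number", ""))
        if not 1 <= port <= 65535:
            raise ValueError
    except ValueError:
        findings.append("Port Number must be an integer between 1 and 65535")
    _, err = effective_offset(props.get("Time Offset", DEFAULT_OFFSET))
    if err:
        findings.append(err)
    return findings
```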


Sensor properties for the database sensor

Table 4-2 Database sensor properties

JDBC Drivers Directory
  Specify the path where the database driver is installed.
  If the collector is installed on the Information Manager 4.6 appliance, the default directory is one of the following paths:
  For Sybase, the path is as follows:
  /opt/Symantec/simserver/collectors/drivers/jConnect-6_0
  For MS SQL Server, the paths are as follows:
  /opt/Symantec/simserver/collectors/drivers/mssqljdbc_2005/enu
  /opt/Symantec/simserver/collectors/drivers/mssqljdbc_2000/lib
  For MySQL, the path is as follows:
  /opt/Symantec/simserver/collectors/drivers/mysql-connector-java-5.0.7
  For PostgreSQL, the path is as follows:
  /opt/Symantec/simserver/collectors/drivers/postgresql-8.2-504
  For IBM DB2, the path is as follows:
  /opt/Symantec/simserver/collectors/drivers/v9fp2_db2driver_for_jdbc_sqlj


    Database URL
    The collector includes a default database URL that can include any of the following items:
    the type of database driver that is used, the instance name, the host name, the TCP port,
    and the database name.

    Example database URL formats are as follows:

    Microsoft SQL Server:
    jdbc:microsoft:sqlserver://host_name_or_IP_address_of_the_database_server:1433;DatabaseName=database_name
    For example, to connect to a Microsoft SQL Server database named MyDatabase on the server
    at 192.168.255.234, with SQL Server listening for connections on the default port number
    1433, you would use the following URL:
    jdbc:microsoft:sqlserver://192.168.255.234:1433;DatabaseName=MyDatabase
    The jdbc:microsoft:sqlserver:// prefix belongs to the SQL Server 2000 driver
    (mssqljdbc_2000). The SQL Server 2005 driver (mssqljdbc_2005) expects the prefix
    jdbc:sqlserver:// instead, so match the prefix to the driver directory you selected.

    MySQL:
    jdbc:mysql://ip_address:port_number/database_name
    The database name follows the slash directly; a MySQL Connector/J URL has no DatabaseName=
    keyword.
    For example, to connect to a MySQL database named MyDatabase on the server at
    192.168.255.234, with the MySQL server listening for connections on the default port
    number 3306, you would use the following URL:
    jdbc:mysql://192.168.255.234:3306/MyDatabase

    Sybase:
    jdbc:sybase:Tds:host:port
    For example, to connect to a Sybase database on the server at 192.168.255.234, with the
    Sybase server listening for connections on the default port number 2638, you would use
    the following URL:
    jdbc:sybase:Tds:192.168.255.234:2638

    Oracle:
    jdbc:oracle:thin:@ip_address:1521:System_Identifier_(SID)
    For example, to connect to an Oracle database whose SID is MyDatabase on the server at
    192.168.255.234, with the Oracle listener on the default port number 1521, you would use
    the following URL:
    jdbc:oracle:thin:@192.168.255.234:1521:MyDatabase

    Note: If you are not using the default port number, you must replace the default port number
    in the URL.

    User Name
    Specify the name of the database user account that the collector uses. The collector only
    reads the event tables, so create a dedicated read-only (SELECT-only) account for it rather
    than reusing an administrative login; the credentials are stored in the sensor
    configuration that is distributed to the agent.

    Password
    Specify the password for the database user account.


    Start Reading From
    Specify from where to start reading the database upon restart of the collector, as follows:
    BEGINNING: the database is read from the beginning.
    END: the database is read from the end. Only events that are written to the database after
    the collector starts are read.


    Execution Time
    Specify the scheduled time to send events to the Symantec Security Information Manager
    appliance, or leave this field blank if you want to collect events in real time.

    Time is entered in 24-hour clock time. You can schedule the collector to send events on a
    specific day, every day at a specified time, every week, or on a specified number of weeks.
    The time that is specified in the Execution Time field must use the same time zone and
    system clock as the collector computer.

    If the first batch has not finished before the second batch needs to start, the second
    batch is skipped.

    Execution Time syntax is as follows (the day and time placeholders did not survive
    extraction and are reconstructed here from the examples below; a time is written
    hours:minutes:seconds, days are three-letter abbreviations, and several values are
    separated by commas):
    [Every N days | Every N weeks] On day, day at time,time
    [Every N days] at time,time

    Examples are as follows:

    5:00:00
    Send events every day at 5:00 a.m.

    5:0:0,17:0:0
    Send events every day at 5:00 a.m. and 5:00 p.m.

    Every day at 7:0:0,19:0:0
    Send events every day at 7:00 a.m. and 7:00 p.m.

    Every 2 days at 0:0:0,12:0:0
    Send events every other day at midnight and noon.
    If a specified time has not passed, events are sent on the same day; if a specified time has
    already passed, events are sent in 2 days.

    On Sun, Wed at 8:30:0,20:30:0
    Send events on Sunday and Wednesday at 8:30 a.m. and 8:30 p.m.
    (This value is the same as Every week on Sun, Wed at 8:30:0,20:30:0.)

    Every week on Mon, Fri at 7:0:0,14:0:0
    Send events on Monday and Friday at 7:00 a.m. and 2:00 p.m.
    (This value is the same as On Mon, Fri at 7:0:0,14:0:0.)

    Every 2 weeks on Tue, Sat at 7:0:0,19:0:0
    Send events every 2 weeks on Tuesday and Saturday at 7:00 a.m. and 7:00 p.m.

    Every 3 weeks on Thu at 7:0:0, Tue at 7:0:0,14:0:0
    Send events every 3 weeks on Thursday at 7:00 a.m. and on Tuesday at both 7:00 a.m. and
    2:00 p.m.
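    The Execution Time grammar above is small, and a bad value only shows up after the
    configuration has been distributed, so it is worth validating first. The following parser
    and next-run calculator are an added example written for this guide, not code from the
    collector. The grammar they implement is reconstructed from the documented examples
    (three-letter day names, hours:minutes:seconds times, several times separated by commas,
    and an "On ..." schedule without "Every" treated as weekly, as the text states). The page
    does not say where a multi-week cycle starts, so next_run assumes it starts in the current
    week.

```python
"""Parse and evaluate Execution Time schedules such as
"Every 3 weeks on Thu at 7:0:0, Tue at 7:0:0,14:0:0" (added example; the grammar
is reconstructed from the documented examples, not taken from the collector)."""
import re
from datetime import datetime, time, timedelta

DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]   # datetime.weekday() order
_TIME_RE = re.compile(r"^(\d{1,2}):(\d{1,2}):(\d{1,2})$")
_AT_RE = re.compile(r"^(?:([a-z]{3})\s+)?at\s+(.+)$")      # "[day] at time"
_EVERY_RE = re.compile(r"^every (?:(\d+) )?(day|week)s?\b\s*")


def _parse_time(text):
    m = _TIME_RE.match(text)
    if not m:
        raise ValueError("bad time %r (expected H:M:S)" % text)
    h, mi, s = (int(x) for x in m.groups())
    if h > 23 or mi > 59 or s > 59:
        raise ValueError("time out of range %r" % text)
    return (h, mi, s)


def _parse_day(text):
    if text not in DAYS:
        raise ValueError("bad day name %r" % text)
    return DAYS.index(text)


def parse_execution_time(text):
    """Return {"unit": "day"|"week", "every": N, "groups": [{"days": [...]|None, "times": [...]}]}.
    Raises ValueError for anything the grammar does not allow."""
    s = " ".join(text.lower().split())          # collapse whitespace, case-insensitive
    unit, every = "day", 1
    m = _EVERY_RE.match(s)
    if m:
        every, unit = int(m.group(1) or 1), m.group(2)
        s = s[m.end():]
    if s.startswith("on "):
        s = s[3:]
    groups, pending = [], []                    # pending: day names seen before their "at"
    for piece in (p.strip() for p in s.split(",")):
        m = _AT_RE.match(piece)
        if m:                                   # "[day] at time" starts a new day group
            days = pending + ([_parse_day(m.group(1))] if m.group(1) else [])
            pending = []
            groups.append({"days": days or None, "times": [_parse_time(m.group(2))]})
        elif _TIME_RE.match(piece):             # an extra time for the current group
            if not groups:
                groups.append({"days": None, "times": []})
            groups[-1]["times"].append(_parse_time(piece))
        else:
            pending.append(_parse_day(piece))
    if pending or not groups or every < 1:
        raise ValueError("incomplete schedule %r" % text)
    if unit == "day" and any(g["days"] for g in groups):
        unit = "week"                           # "On Sun, Wed at ..." means every week
    return {"unit": unit, "every": every, "groups": groups}


def next_run(spec, now):
    """Earliest scheduled datetime strictly after `now`. Day schedules follow the rule in
    the text (a time still ahead today fires today, otherwise `every` days later). For week
    schedules the cycle is assumed to start in the current week (not specified on the page)."""
    horizon = spec["every"] if spec["unit"] == "day" else 7 * spec["every"]
    best = None
    for offset in range(horizon + 1):
        if spec["unit"] == "day" and offset % spec["every"]:
            continue
        day = (now + timedelta(days=offset)).date()
        for g in spec["groups"]:
            if g["days"] is not None and day.weekday() not in g["days"]:
                continue
            for h, mi, sec in g["times"]:
                cand = datetime.combine(day, time(h, mi, sec))
                if cand > now and (best is None or cand < best):
                    best = cand
    return best


def next_run_str(schedule_text, now_iso):
    """Convenience wrapper: schedule text and ISO timestamp in, ISO timestamp out."""
    nxt = next_run(parse_execution_time(schedule_text), datetime.fromisoformat(now_iso))
    return None if nxt is None else nxt.isoformat(sep=" ")


if __name__ == "__main__":
    for sched in ("5:0:0,17:0:0", "Every 2 days at 0:0:0,12:0:0",
                  "Every 3 weeks on Thu at 7:0:0, Tue at 7:0:0,14:0:0"):
        print(sched, "->", next_run_str(sched, "2024-01-01 13:00:00"))
```

    Reject a schedule before distributing it if parse_execution_time raises; the collector
    itself gives no feedback until the first batch is due.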


    Sensor properties for the log and syslog file sensor

    Table 4-3 Sensor properties

    Log File Directory
    Specify the path to the log file on the security product computer.

    Log File Name
    Specify the non-changing part of the log file name.

    File Name Dynamic
    Check this field if the point product creates dynamically named log files; otherwise, leave
    this field unchecked.

    File Encoding
    This value is either UTF-8 or UTF-16.

    End of File Marker
    Specify EOF or NULL (hexadecimal 00) as the end-of-file character.

    Start Reading From
    Specify from where to start reading the log file when the collector restarts, as follows:
    BEGINNING: the log file is read from the beginning of the most recent file in the
    directory.
    END: the log file is read from the end of the most recent file. Only events that are
    written to the log file after the collector starts are read.
    Last Position: the collector keeps track of which line it is reading from in the current
    log file, and continues reading from this position if it is interrupted and restarted.

    End of Record Marker
    Specify the delimiter that is used at the end of each message, as follows:
    ENDOFLINE: the end of a line is the message delimiter (CR/LF on a Windows platform; LF on a
    UNIX platform). ENDOFLINE is the default delimiter.
    BLANKLINE: a blank line is the message delimiter, that is, two successive ENDOFLINE
    sequences. Use it for multi-line messages.
    NULL: hexadecimal 00 is the message delimiter.

    Monitor in Real Time
    Leave this property enabled to monitor the log file in real time.
    You should not disable this property unless requested to do so by Symantec support.


    Time Offset
    Specify a time offset to convert timestamps of all logged events to the time zone of the
    collector computer.
    You can use a time offset value if both of the following statements are true:
    The time zone of the collector computer and the point product are different.
    The timestamps in the point product data are not Coordinated Universal Time (UTC).
    You can use this property when the log file does not contain time zone information and the
    collector and the point product computer are in different time zones.
    Acceptable formats are: +HH, -HH, +HH:MM, -HH:MM, where HH is the number of hours (-99
    to +99), and MM is the number of minutes (0 to 59). The default value is +00:00.
    The offset is added to each event timestamp, so it equals the collector's UTC offset minus
    the point product's UTC offset. For example, if Pacific Standard Time (PST, UTC-8) is the
    time zone of the collector computer, specify -3 to convert incoming events that are stamped
    in Eastern Standard Time (EST, UTC-5) to Pacific Standard Time, and specify +2 to convert
    incoming events that are stamped in Hawaii-Aleutian Standard Time (HST, UTC-10) to Pacific
    Standard Time.
    If you enter and distribute an erroneous time zone offset, the collector automatically
    resets the offset value to the default value of +00:00. An error message is posted in the
    collector's log.
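    The End of Record Marker and Start Reading From rows above (and the same Start Reading
    From options in Table 4-4 below) describe record splitting and restart behaviour that is
    easy to get subtly wrong: a record that the point product is still writing must not be
    consumed, and a saved position beyond the end of a rotated or truncated file must not be
    trusted. The following Python is an added example for this guide, not the collector's
    implementation; the sample log lines are constructed, and only UTF-8 input is handled
    because with UTF-16 the terminator itself is two bytes wide.

```python
"""Record splitting and restart positioning for a log file sensor (added example;
it illustrates the End of Record Marker and Start Reading From options, not the
collector's own implementation)."""
import re

# End of Record Marker values from the table, as byte patterns searched in the raw file.
_MARKERS = {
    "ENDOFLINE": re.compile(rb"\r?\n"),        # CR/LF on Windows, LF on UNIX
    "BLANKLINE": re.compile(rb"\r?\n\r?\n"),   # two successive ENDOFLINE sequences
    "NULL": re.compile(rb"\x00"),              # hexadecimal 00
}


def initial_position(file_size, start_from, saved_pos=None):
    """Byte offset to begin at when the sensor (re)starts.
    BEGINNING and END are the documented choices; LAST POSITION uses the checkpoint
    saved by the previous run and falls back to 0 when there is none or when the file
    shrank (rotated or truncated), so nothing is skipped silently."""
    if start_from == "BEGINNING":
        return 0
    if start_from == "END":
        return file_size
    if start_from == "LAST POSITION":
        return 0 if saved_pos is None or saved_pos > file_size else saved_pos
    raise ValueError("unknown Start Reading From value %r" % start_from)


def next_records(buf, pos, marker="ENDOFLINE"):
    """Return (records, new_pos) for all complete records in buf[pos:].
    A trailing partial record (no terminator yet, e.g. a line still being written by
    the point product) is left unconsumed, so resuming from new_pos neither splits
    nor duplicates it. UTF-8 only (see File Encoding)."""
    if marker not in _MARKERS:
        raise ValueError("unknown End of Record Marker %r" % marker)
    pattern = _MARKERS[marker]
    records = []
    while True:
        m = pattern.search(buf, pos)
        if m is None:
            break
        records.append(buf[pos:m.start()].decode("utf-8", errors="replace"))
        pos = m.end()
    return records, pos


# Constructed sample: two finished syslog-style lines and one line still being written.
SAMPLE_LOG = (
    b"Jun  1 10:00:01 fw1 sshd[123]: Accepted password for admin from 10.0.0.5\r\n"
    b"Jun  1 10:00:07 fw1 sshd[123]: Failed password for root from 10.0.0.9\r\n"
    b"Jun  1 10:00:09 fw1 sshd[123]: partial line still being writ"
)


def simulate_restart(marker="ENDOFLINE"):
    """First run from BEGINNING, then a restart with LAST POSITION after the point
    product has finished the third line. Returns the records seen by each run."""
    start = initial_position(len(SAMPLE_LOG), "BEGINNING")
    first, checkpoint = next_records(SAMPLE_LOG, start, marker)
    grown = SAMPLE_LOG + b"ten\r\n"
    resume = initial_position(len(grown), "LAST POSITION", checkpoint)
    second, _ = next_records(grown, resume, marker)
    return first, second


if __name__ == "__main__":
    for run in simulate_restart():
        print(run)
```

    The checkpoint that a restart resumes from is the offset after the last complete
    terminator, never the end of the buffer; that single detail is what keeps a partially
    written event from being emitted twice or cut in half.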

    Sensor properties for the log file sensor

    Table 4-4 shows the sensor properties for the log file sensor.

    Table 4-4 Log file sensor properties

    Log File Directory
    Specify the path to the log file on the security product computer.
    Your installation directory may differ from the default that is provided.

    Log File Name
    Specify the name of the log file.

    Reading Mode
    Specify whether the collector checks for new log files after reaching the end of the
    current log file or waits for new events to be added to the current log file.

    Start Reading From
    Specify Beginning to read the log file from the beginning of the file upon the restart of
    the collector.
    Specify End to read the log file from the end of the file upon the restart of the collector.
    Specify Last Position for the collector to keep track of which line the collector is
    reading in the log file. If the collector is interrupted and restarted, reading continues
    from this position.
    When the collector is started for the first time, the collector reads all events in all
    files.


    Time Offset
    Specify a time offset to convert timestamps of all logged events to the time zone of the
    collector computer.
    You can use a time offset value if both of the following statements are true:
    The time zone of the collector computer and the point product are different.
    The timestamps in the point product data are not Coordinated Universal Time (UTC).
    You can use this property when the log file does not contain time zone information and the
    collector and the point product computer are in different time zones.
    Acceptable formats are: +HH, -HH, +HH:MM, and -HH:MM, where HH is the number of hours
    (-99 to +99), and MM is the number of minutes (0 to 59). The default value is +00:00.
    The offset is added to each event timestamp, so it equals the collector's UTC offset minus
    the point product's UTC offset. For example, if Pacific Standard Time (PST, UTC-8) is the
    time zone of the collector computer, specify -3 to convert incoming events that are stamped
    in Eastern Standard Time (EST, UTC-5) to Pacific Standard Time, and specify +2 to convert
    incoming events that are stamped in Hawaii-Aleutian Standard Time (HST, UTC-10) to Pacific
    Standard Time.
    If you enter and distribute an erroneous time zone offset, the collector automatically
    resets the offset value to the default value of +00:00. An error message is posted in the
    collector's log.
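    The Time Offset rows in Tables 4-3 and 4-4 above, and the common-sensor row at the start
    of this section, specify the same syntax, sign convention, and failure mode. The following
    Python is an added example for this guide, not collector code: it parses the offset,
    applies it to a naive event timestamp, models the documented reset to +00:00 with a logged
    error, and computes the value to configure from the two zones' UTC offsets, which is the
    easiest way to avoid a sign mistake. The collector log is modelled as a plain list.

```python
"""Time Offset handling for the sensor tables above (added example, not collector
code): parse the +HH[:MM] / -HH[:MM] syntax, apply it to naive event timestamps, fall
back to +00:00 with a logged error on bad input, and compute the value to configure."""
import re
from datetime import datetime, timedelta

DEFAULT_OFFSET = "+00:00"
_OFFSET_RE = re.compile(r"^([+-])(\d{1,2})(?::(\d{1,2}))?$")   # +HH, -HH, +HH:MM, -HH:MM


def parse_time_offset(text):
    """timedelta for a valid offset (HH 0..99, MM 0..59), None for anything else."""
    m = _OFFSET_RE.match(text.strip())
    if m is None:
        return None
    sign, hh, mm = m.group(1), int(m.group(2)), int(m.group(3) or 0)
    if mm > 59:                       # HH cannot exceed 99 with two digits
        return None
    delta = timedelta(hours=hh, minutes=mm)
    return -delta if sign == "-" else delta


def effective_offset(configured, collector_log):
    """The documented failure mode: an invalid offset is reset to +00:00 and an error
    line is written to the collector log (a list here)."""
    delta = parse_time_offset(configured)
    if delta is None:
        collector_log.append("ERROR Time Offset %r is invalid; reset to %s"
                             % (configured, DEFAULT_OFFSET))
        return timedelta(0)
    return delta


def convert_event_time(event_time, configured, collector_log):
    """Shift a point-product timestamp (naive, in the product's zone) into the
    collector's zone by adding the configured offset."""
    return event_time + effective_offset(configured, collector_log)


def offset_for(source_utc_hours, collector_utc_hours):
    """Value to configure: collector UTC offset minus point-product UTC offset.
    EST (-5) events into a PST (-8) collector -> -03:00; HST (-10) into PST -> +02:00."""
    minutes = int(round((collector_utc_hours - source_utc_hours) * 60))
    sign = "-" if minutes < 0 else "+"
    hh, mm = divmod(abs(minutes), 60)
    return "%s%02d:%02d" % (sign, hh, mm)


def demo():
    """Worked example from the table: an EST event seen by a PST collector, then a
    mistyped offset that triggers the reset. Returns ISO strings and the log."""
    log = []
    est_event = datetime(2008, 6, 1, 12, 0, 0)                  # 12:00 as logged in EST
    pst_time = convert_event_time(est_event, "-3", log)         # 09:00 PST
    bad = convert_event_time(est_event, "-0300", log)           # bad syntax: +00:00, logged
    return pst_time.isoformat(sep=" "), bad.isoformat(sep=" "), log


if __name__ == "__main__":
    print(demo())
    print("EST -> PST:", offset_for(-5, -8), " HST -> PST:", offset_for(-10, -8))
```

    Note that "-0300" is rejected: the syntax requires a colon between hours and minutes,
    and a rejected value is silently replaced by +00:00 apart from the log line, which is why
    the collector log must be checked after every distribution.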

    Sensor properties for the Windows Event Log sensor

    Table 4-5 Windows Event Log sensor properties

    Monitored host name
    Specify the name of the computer from which the collector is to collect events. The IP
    address 127.0.0.1 or localhost are valid entries if events are collected from the same
    computer on which the collector is installed. If the computer is different, then the host
    name or IP address can be specified.

    Monitored host account name
    Specify the path to the account name; for example, DomainName\AccountName for a computer
    that is located in a Windows domain or HostName\AccountName for a computer that is not
    located in a Windows domain. The account that is used must have local administrator rights
    to read the event log from the remote computer in the domain.
    On Windows Vista and Windows Server 2008 or later, membership in the built-in Event Log
    Readers group also grants read access to the event logs, including the Security log,
    without administrator rights; test the sensor with such an account before granting local
    administrator rights, because an account that is a local administrator on every monitored
    host, with its password stored in the sensor configuration, is a high-value credential.
    If the Monitored host name is localhost or 127.0.0.1, leave this field blank; the
    credentials for the account that runs the Symantec Event Agent process will be used
    automatically.

    Account password
    Specify a password for the monitored host account.
    If the Monitored host name is localhost or 127.0.0.1, leave this field blank; the
    credentials for the account that runs the Symantec Event Agent process will be used
    automatically.


    Number of days to load history events
    Specify the number of days for which the sensor retrieves events. For example, if the
    sensor is configured for 30 days, the sensor goes back 30 days from the first sensor
    initialization to retrieve events.
    Note: This property is used only for the initial start of the sensor. If the sensor was
    correctly shut down and created the last position file, this property is ignored during
    subsequent runs.

    Event logs to audit
    Select which event logs to audit. You can select a number of options to audit through the
    pop-up screen. You can also add other options by selecting Add.

    Sensor properties for the OPSEC LEA sensor

    Table 4-6 OPSEC LEA sensor properties

    LEA opsec application name
    Name of the OPSEC Application that is created in the Check Point SmartDashboard Console.
    For Check Point FireWall-1 installations, set this field as follows:
    For a remote installation, specify the name of the OPSEC Application that is created for
    the collector computer.
    For a local installation, this property is not required.
    For a distributed installation, specify the name of the OPSEC Application that is created
    for the collector computer.
    For Check Point Provider-1 installations, set this field as follows:
    If a global OPSEC Application for all CMAs was created, specify the name of that
    Application.
    If multiple OPSEC Applications were created, that is, one for each CMA, specify the name
    of a CMA-level OPSEC Application. Note: You must specify the name of each CMA-level OPSEC
    Application for each sensor.
    If a Distributed Provider-1 exists with the MDS/CMA on one computer and the MLM/CLM on a
    separate computer (where clear text communication is the only option), this field must be
    BLANK.

    The password specified when creating the LEA opsec application
    The password that was specified when you created the OPSEC Application.
    If a Distributed Provider-1 exists with the MDS/CMA on one computer and the MLM/CLM on a
    separate computer (where clear text communication is the only option), you must set this
    field to BLANK.


    Initial Read Policy
    Location in the record file where the collector begins to collect data when the collector
    is first enabled. If you specify BEGINNING, reading starts from the beginning of the log
    file, so all data in the Check Point log is read by the collector. If you specify END,
    reading starts from the end of the log file and only records written afterwards are read.
    BEGINNING and END pertain only when the collector runs for the first time (that is, when
    no saved position exists). After the collector's initial start, the last position (the last
    log record read by the collector) is saved; when the Agent or the OPSEC LEA collector
    restarts, it resumes reading from the last position, and the Initial Read Policy value has
    no further effect.

    Monitor in Real Time
    Whether the collector should monitor the record file in real time. Specify True.

    LEA server IP-address
    For Check Point FireWall-1 collector installations, set this field as follows:
    For both remote installation and local installation, specify the IP address of the Check
    Point LEA server from which events are collected.
    For a distributed installation, specify the IP address of the Check Point Log Server.
    For Check Point Provider-1 installations with MDS/CMA/Log server all on one computer, set
    this field to the IP address of the CMA.
    For Distributed Provider-1 installations with MDS/CMA on one computer and the MLM/CLM on a
    separate computer (where clear text communication is the only option), set this field to
    the IP address of the CLM.

    LEA server auth port
    Authentication port on the Check Point LEA server on which the LEA application is running.
    For Check Point FireWall-1 collector installations, set this field as follows:
    For a remote installation, specify 18184 as the LEA server auth port.
    For a local installation, specify 0 (zero) as the LEA server auth port.
    For a distributed installation, specify 0 (zero) as the LEA server auth port.
    For Check Point Provider-1 installations with MDS/CMA/Log server all on one computer, set
    this field to 18184 as the LEA server auth port.
    For Distributed Provider-1 installations with MDS/CMA on one computer and the MLM/CLM on a
    separate computer (where clear text communication is the only option), set this field to
    0 (zero) as the LEA server auth port.
    In every profile above exactly one of LEA server auth port and LEA server port is
    non-zero: 18184 on the auth port with auth type sslca gives an authenticated session, and
    18184 on the plain port with auth type local gives a clear text session.


    LEA server auth type
    Authentication type that the Symantec Event Collector uses: sslca for an authenticated
    session, local for a clear text session.
    For Check Point FireWall-1 collector installations, set this field as follows:
    For a remote installation, specify sslca as the LEA server auth type. For sslca, both
    client and server must provide certificates that are created and signed by a trusted
    certificate authority; in a standard Check Point deployment these are the SIC certificates
    that the management server's Internal CA issues when the OPSEC Application is initialized.
    For a local installation, specify local as the LEA server auth type.
    For a distributed installation, specify local as the LEA server auth type.
    For Check Point Provider-1 installations with MDS/CMA/Log server all on one computer, set
    this field to sslca as the LEA server auth type.
    For Distributed Provider-1 installations with MDS/CMA on one computer and the MLM/CLM on a
    separate computer (where clear text communication is the only option), set this field to
    local as the LEA server auth type.

    LEA server port
    Communications port for the LEA server (the clear text port; it is 0 whenever the
    authenticated port is in use).
    For Check Point FireWall-1 collector installations, set this field as follows:
    For a remote installation, specify 0 (zero) as the LEA server port.
    For a local installation, specify 18184 as the LEA server port.
    For a distributed installation, specify 18184 as the LEA server port.
    For Check Point Provider-1 installations with MDS/CMA/Log server all on one computer, set
    this field to 0 (zero) as the LEA server port.
    For Distributed Provider-1 installations with MDS/CMA on one computer and the MLM/CLM on a
    separate computer (where clear text communication is the only option), set this field to
    18184 as the LEA server port.
    A session on the clear text port with auth type local is neither authenticated nor
    encrypted, so the log stream can be read or altered on the network path. Use it only where
    the collector and the log server share a host or a dedicated management network, and
    prefer sslca wherever the Check Point side allows it.


    LEA server opsec entity sic name
    Qualified name of the OPSEC management server, CMA, or CLM. Copy the name from the OPSEC
    Application on the Check Point SmartDashboard Console.
    For Check Point FireWall-1 collector installations, set this field as follows:
    For a remote installation, specify the sic name of the OPSEC management server.
    For a local installation, this property is not required.
    For a distributed installation, specify the sic name of the Check Point Log Server.
    For Check Point Provider-1 installations with MDS/CMA/Log server all on one computer, set
    this field to the sic name of the CMA.
    For Distributed Provider-1 installations with MDS/CMA on one computer and the MLM/CLM on a
    separate computer (where clear text communication is the only option), you must set this
    field to BLANK.

    opsec sic name
    Sic name of the OPSEC Application. Copy the name from the OPSEC Application on the Check
    Point SmartDashboard Console.
    For Check Point FireWall-1 collector installations, set this field as follows:
    For a remote installation, specify the sic name of the OPSEC Application.
    For a local installation, this property is not required.
    For a distributed installation, specify the sic name of the OPSEC Application that was
    created for the collector computer.
    For Check Point Provider-1 installations, set this field as follows:
    If a global OPSEC Application for all CMAs was created, specify the qualified sic name of
    that Application.
    If multiple OPSEC Applications were created (one for each CMA), then specify the sic name
    of a CMA-level OPSEC Application. Note: You must specify the name of each CMA-level OPSEC
    Application for each sensor.
    For Distributed Provider-1 installations with MDS/CMA on one computer and the MLM/CLM on a
    separate computer (where clear text communication is the only option), you must set this
    field to BLANK.

    Read audit log
    Set this property to True if you want to collect events from the Check Point Audit Log.
    These events include administrator logon and logoff events and any modifications to the
    Check Point rules and configuration.


    Configuring collector raw event logging

    You can enable the collector to collect the entire raw event message from the point
    product instead of the parsed fields. Raw event messages are useful for forensics, incident
    investigation, and log retention requirements. It also lets you preserve unaltered event
    messages.

    Note: Raw event logging substantially increases event sizes.

    To configure collector options
    1 In the Information Manager console, in the left pane, click System.
    2 On the Product Configurations tab, in the middle pane, expand the tree until you reach a
      sensor configuration of a collector.
    3 Select the appropriate configuration.
    4 In the right pane, on the Options tab, check or uncheck EnableRawEventLogging.
      Enabling this option increases the amount of disk space that is consumed on the
      Information Manager appliance because raw event data will be stored.
    5 In the middle pane, right-click the configuration, and click Distribute.

    Verifying collector configuration

    You verify collector configuration by performing the following procedures in the order
    shown:
    View audit events. The audit events display whether or not a successful connection was
    made to the data source. You can view audit events again to troubleshoot a problem.
    See "To view audit events" on page 49.
    Verify that the Symantec Event Agent and sensor are up.
    See "To verify that the Symantec Event Agent and sensor are up" on page 50.

    To view audit events
    1 On a Windows computer that has the SSIM Client installed, start the SSIM Client.
    2 Log on with an administrator account.
    3 In the Information Manager console, in the left pane, click Events.
