SEC Integration Guide SSIM 46
7/31/2019 SEC Integration Guide SSIM 46
1/106
Symantec Event Collectors
Integration Guide for Symantec Security
Information Manager 4.6
Symantec Event Collectors Integration Guide for Symantec Security Information Manager 4.6
The software described in this book is furnished under a license agreement and may be used
only in accordance with the terms of the agreement.
Documentation version 4.5
Legal Notice
Copyright 2008 Symantec Corporation.
Symantec, the Symantec logo, LiveUpdate, Symantec AntiVirus, and Symantec Security
Response are trademarks or registered trademarks of Symantec Corporation or its affiliates
in the U.S. and other countries. Other names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use,
copying, distribution, and decompilation/reverse engineering. No part of this document
may be reproduced in any form by any means without prior written authorization of
Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT,
ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO
BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL
OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING,
PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED
IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be "commercial computer software"
and "commercial computer software documentation" as defined in FAR Sections 12.212 and
DFARS Section 227.7202.
Symantec Corporation
20330 Stevens Creek Blvd.
Cupertino, CA 95014 USA
http://www.symantec.com
Technical Support
Symantec Technical Support maintains support centers globally. Technical
Support's primary role is to respond to specific queries about product feature and
function, installation, and configuration. The Technical Support group also authors
content for our online Knowledge Base. The Technical Support group works
collaboratively with the other functional areas within Symantec to answer your
questions in a timely fashion. For example, the Technical Support group works
with Product Engineering and Symantec Security Response to provide alerting
services and virus definition updates.
Symantec's maintenance offerings include the following:
A range of support options that give you the flexibility to select the right
amount of service for any size organization
A telephone and web-based support that provides rapid response and
up-to-the-minute information
Upgrade insurance that delivers automatic software upgrade protection
Global support that is available 24 hours a day, 7 days a week worldwide.
Support is provided in a variety of languages for those customers that are
enrolled in the Platinum Support program
Advanced features, including Technical Account Management
For information about Symantec's Maintenance Programs, you can visit our Web
site at the following URL:
www.symantec.com/techsupp/ent/enterprise.html
Select your country or language under Global Support. The specific features that
are available may vary based on the level of maintenance that was purchased and
the specific product that you are using.
Contacting Technical Support
Customers with a current maintenance agreement may access Technical Support
information at the following URL:
www.symantec.com/techsupp/ent/enterprise.html
Select your region or language under Global Support.
Before contacting Technical Support, make sure you have satisfied the system
requirements that are listed in your product documentation. Also, you should be
at the computer on which the problem occurred, in case it is necessary to recreate
the problem.
When you contact Technical Support, please have the following information
available:
Product release level
Hardware information
Available memory, disk space, and NIC information
Operating system
Version and patch level
Network topology
Router, gateway, and IP address information
Problem description:
Error messages and log files
Troubleshooting that was performed before contacting Symantec
Recent software configuration changes and network changes
Licensing and registration
If your Symantec product requires registration or a license key, access our technical
support Web page at the following URL:
www.symantec.com/techsupp/ent/enterprise.html
Select your region or language under Global Support, and then select the Licensing and Registration page.
Customer service
Customer service information is available at the following URL:
www.symantec.com/techsupp/ent/enterprise.html
Select your country or language under Global Support.
Customer Service is available to assist with the following types of issues:
Questions regarding product licensing or serialization
Product registration updates such as address or name changes
General product information (features, language availability, local dealers)
Latest information about product updates and upgrades
Information about upgrade insurance and maintenance contracts
Information about the Symantec Value License Program
Advice about Symantec's technical support options
Nontechnical presales questions
Issues that are related to CD-ROMs or manuals
Maintenance agreement resources
If you want to contact Symantec regarding an existing maintenance agreement,
please contact the maintenance agreement administration team for your region
as follows:
Asia-Pacific and Japan: [email protected]
Europe, Middle-East, and Africa: [email protected]
North America and Latin America: [email protected]
Additional Enterprise services
Symantec offers a comprehensive set of services that allow you to maximize your
investment in Symantec products and to develop your knowledge, expertise, and
global insight, which enable you to manage your business risks proactively.
Enterprise services that are available include the following:
Symantec Early Warning Solutions: These solutions provide early warning of cyber
attacks, comprehensive threat analysis, and countermeasures to prevent attacks
before they occur.
Managed Security Services: These services remove the burden of managing and
monitoring security devices and events, ensuring rapid response to real threats.
Consulting Services: Symantec Consulting Services provide on-site technical
expertise from Symantec and its trusted partners. Symantec Consulting Services
offer a variety of prepackaged and customizable options that include assessment,
design, implementation, monitoring and management capabilities, each focused on
establishing and maintaining the integrity and availability of your IT resources.
Educational Services: Educational Services provide a full array of technical
training, security education, security certification, and awareness communication
programs.
To access more information about Enterprise services, please visit our Web site
at the following URL:
www.symantec.com
Select your country or language from the site index.
Contents
Technical Support ... 3
Chapter 1 Introducing Symantec Event Collectors ... 11
About the Symantec Event Collectors Integration Guide ... 11
About Symantec Event Collectors and Symantec Security Information Manager ... 11
Major components of collectors ... 12
Where to find more information about Information Manager ... 13
Accessing Help for the console ... 14
Chapter 2 Installing Symantec Event Collectors ... 15
Before you install collectors ... 15
Requirements for point products and the collectors ... 15
Updating the hosts file ... 16
Installation and configuration tasks for collectors ... 17
Registering Collectors ... 18
Installing Symantec Event Agents ... 19
Verifying Symantec Event Agent installation ... 22
Verifying Symantec Event Agent operation ... 23
Starting and stopping Symantec Event Agent services or daemons ... 24
Installing the collector on a remote computer ... 25
Installing collectors on an Information Manager appliance ... 26
Verifying collector installation ... 27
Chapter 3 Configuring point products ... 29
About configuring the point product to work with the collector ... 29
Chapter 4 Configuring collectors ... 31
Creating and configuring sensors ... 31
Creating a new sensor configuration ... 32
Configuring the collector sensor to receive security events ... 33
Adding, renaming, deleting, and disabling sensors ... 33
Importing and exporting sensor properties ... 34
Globally updating sensor properties ... 35
About sensor properties for common sensor types ... 36
Sensor properties for the syslog sensor ... 36
Sensor properties for the database sensor ... 38
Sensor properties for the log and syslog file sensor ... 42
Sensor properties for the log file sensor ... 43
Sensor properties for the Windows Event Log sensor ... 44
Sensor properties for the OPSEC LEA sensor ... 45
Configuring collector raw event logging ... 49
Verifying collector configuration ... 49
Chapter 5 Configuring collectors for event filtering and aggregation ... 51
Configuring event filtering ... 51
Configuring event aggregation ... 54
Chapter 6 Configuring Syslog Director ... 59
About Syslog Director 4.3 ... 59
Configuring Syslog Director with syslog collectors ... 61
Chapter 7 LiveUpdate for collectors ... 65
Running LiveUpdate for collectors ... 65
Appendix A About installing collectors that use a database sensor ... 69
Installing collectors that use a database sensor ... 69
Setting the SQL Server security mode to mixed authentication ... 71
Downloading database drivers ... 71
Installing database drivers on an Information Manager appliance ... 72
Installing database drivers on a remote computer ... 73
Creating read-only database users ... 74
Creating a read-only database user account for IBM DB2 ... 74
Creating a read-only database user account for Microsoft SQL Server 2000 ... 75
Creating a read-only database user account for Microsoft SQL Server 2005 ... 76
Creating a read-only database user account for Microsoft SQL Server 2000 Desktop Engine (MSDE) ... 77
Creating a read-only database user account for MySQL ... 78
Creating a read-only database user for Oracle ... 79
Importing sensor settings ... 81
Configuring the SQL Server instance to listen on a non-dynamic port ... 83
Configuring an SSL connection for the Microsoft SQL Server 2005 JDBC driver 1.2 ... 84
Appendix B About collector configurations ... 87
Collector configuration scenarios ... 87
Scenario 1 - One-for-All configuration ... 87
Scenario 2 - One-to-Many configuration ... 88
Scenario 3 - One-to-One configuration ... 91
Scenario 4 - One-per-Type configuration ... 92
Appendix C Uninstalling collectors ... 95
Uninstalling the collector and its components ... 95
Unregistering the collector ... 96
Uninstalling the Symantec Event Agent ... 96
Uninstalling the collector component ... 97
Appendix D Deploying many collectors ... 99
Deploying many collectors ... 99
Sensor property names for common sensor types ... 101
Chapter 1 Introducing Symantec Event Collectors
This chapter includes the following topics:
About the Symantec Event Collectors Integration Guide
About Symantec Event Collectors and Symantec Security Information Manager
Major components of collectors
Where to find more information about Information Manager
Accessing Help for the console
About the Symantec Event Collectors Integration Guide
The Symantec Event Collector Guide provides general information and procedures
to aid in the installation and the troubleshooting of collectors.
For information specific to a particular collector, see the quick reference guide
for that particular collector.
About Symantec Event Collectors and Symantec Security Information Manager
Security products and operating systems generate many kinds of events. Some
events are informational, such as a user logging on, and others may indicate a
security threat, such as antivirus software being disabled.
Symantec Event Collectors gather, filter, and aggregate these events and forward
both the raw and the processed events to Symantec Security Information
Manager.
Event collectors collect information from security devices, critical applications, and services, such as the following product types:
Firewalls
Routers, switches, and VPNs
Enterprise Antivirus
Intrusion detection and intrusion prevention
Vulnerability scanners
Authentication servers
Windows and UNIX system logs
Information Manager stores the event data in event archives and correlates the
events with threat and asset information. If a security event triggers a correlation
rule, Information Manager creates a security incident.
Information Manager provides real-time event correlation and data archiving to
protect against security threats and to preserve critical security data.
Major components of collectors
Table 1-1 Major components of collectors
Information Manager: Refers to the Symantec Security Information Manager where
events are processed, filtered, and stored. Allows for the centralized collection,
classification, and normalization of events to enable alerts and reports across
managed security products.
Symantec Event Agent: Refers to the Java application that performs the
communication functions for the Information Manager components on the system on
which it is installed.
Collector: Refers to an application that collects events from security products,
processes them, and passes them to the Agent.
Sensor: Refers to the component that reads events from a file, database, syslog,
Windows event log, or other medium. The sensor then passes the events to the
remaining collector components. The information is then delivered to the Agent
for transmission to Information Manager.
Security or Point product: Refers to the software product, such as a firewall,
anti-virus software, or an operating system. The security product ensures that data
is not vulnerable to unauthorized use or access and is the source of events to the
collector.
Figure 1-1 Collector component overview
Where to find more information about Information Manager
For more information about Information Manager, a knowledge base is available
on the Symantec Technical Support Web site at the following URL:
www.symantec.com/techsupp/enterprise
The knowledge base link is listed under Technical Support. You can find the
Information Manager knowledge base that is listed under Security Management.
In the Downloads section of the site, you can obtain updated versions of the
documentation, which includes the following guides:
Symantec Security Information Manager Administrator's Guide
Symantec Security Information Manager Installation Guide
Accessing Help for the console
Symantec Security Information Manager provides context-sensitive help for the
console and for each of the views that are available in the View menu.
To access Help for the console
In any window, press F1.
Chapter 2 Installing Symantec Event Collectors
This chapter includes the following topics:
Before you install collectors
Installation and configuration tasks for collectors
Registering Collectors
Installing Symantec Event Agents
Installing the collector on a remote computer
Installing collectors on an Information Manager appliance
Verifying collector installation
Before you install collectors
You must perform the following tasks before you install the collector:
Meet requirements for both the point product and the collector
See Requirements for point products and the collectors on page 15.
Update the hosts file
See Updating the hosts file on page 16.
Run LiveUpdate before upgrading an earlier collector
See Running LiveUpdate for collectors on page 65.
Requirements for point products and the collectors
Each collector is compatible with specific versions of a point product.
Depending on the collector, a collector can run on the following operating systems:
Microsoft Windows 2000 with Service Pack 4 or later
Microsoft Windows Advanced Server 2000 with Service Pack 4 or later
Microsoft Windows Server 2003 Enterprise Edition with Service Pack 1 or later
Microsoft Windows Server 2003 Enterprise Edition with Service Pack 2 or later
Microsoft Windows Server 2003 Standard Edition with Service Pack 2 or later
Windows XP with Service Pack 2 or later
Red Hat Enterprise Linux AS 3.0
Red Hat Enterprise Linux AS 4.0
Red Hat Enterprise Linux AS 5.0
Sun Solaris (SPARC) 8.0, 9.0, and 10.0
Note: You can install version 4.3 collectors on both 32-bit and 64-bit versions of
Windows Server 2000/2003. You can install version 4.2 collectors only on the
32-bit version of Windows Server 2000/2003.
See the quick reference guide for the collector.
Minimum system requirements for a remote collector installation are as follows:
Intel Pentium-compatible 133-MHz processor (up to and including Xeon-class), or
SPARC IIIi or later
512 MB minimum, 1 GB of memory recommended for the Symantec Event
Agent
35 MB of hard disk space for collector program files
95 MB of hard disk space to accommodate the Symantec Event Agent, the JRE,
and the collector
TCP/IP connection to a network from a static IP address
Updating the hosts file
The hosts file contains IP address and host name mapping information. You must
manually update the hosts file if there is no fully-qualified domain name for the
Information Manager appliance. You must also manually update the hosts file if
you do not use a Domain Name System (DNS) server. You must add the IP address
and host name information that is relevant to Information Manager and to the
collectors that collect event data. Host names must be fully-qualified domain
names.
See Before you install collectors on page 15.
To update the hosts file
1 Navigate to the directory of the hosts file as follows:
On Windows, the hosts file is located in the
C:\WINDOWS\system32\drivers\etc folder.
On UNIX, the hosts file is located in the /etc directory.
2 Use a text editor, such as Notepad for Windows, or vi for UNIX, to open the
hosts file.
3 Add the IP address and host name entries for the Information Manager
appliance. Follow the instructions that are provided in the hosts file to add
IP address and host name mapping information to the file.
Use a tab between the IP address and host name.
4 After you have added the IP address and host name, save and close the file.
You should ensure that the text editor that you use did not add a file extension.
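The procedure above requires an IP address, a tab, and a fully-qualified host name on each line. The following helper, added here as an example and not part of the Symantec guide, builds such entries, rejects short names, merges them into existing hosts-file text without duplicating or silently overriding a mapping, and checks that the editor did not rename the file; the addresses and host names in it are constructed.

```python
"""Build and merge hosts-file entries for Information Manager and collectors.

Added example, not part of the Symantec guide. The guide requires an
IP address, a tab, and a fully-qualified host name on each line; this
helper enforces that, refuses short names, and merges new entries into
existing hosts-file text without duplicating lines or silently changing
an existing mapping to a different address.
"""
import ipaddress
import os
import re

# RFC 1123 host label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(name: str) -> bool:
    """True if name is fully qualified: at least two valid labels, e.g. ssim.example.com."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def make_entry(ip: str, fqdn: str) -> str:
    """Return one hosts line in the form 'IP<TAB>FQDN', validating both parts."""
    addr = ipaddress.ip_address(ip)  # raises ValueError for a malformed address
    if not is_fqdn(fqdn):
        raise ValueError(f"{fqdn!r} is not a fully-qualified domain name")
    return f"{addr}\t{fqdn.lower().rstrip('.')}"


def parse_hosts(text: str) -> dict:
    """Map every host name found in hosts text to its address (comments ignored)."""
    mapping = {}
    for line in text.splitlines():
        body = line.split("#", 1)[0].strip()
        if not body:
            continue
        parts = body.split()
        for name in parts[1:]:
            mapping[name.lower().rstrip(".")] = parts[0]
    return mapping


def merge_entries(text: str, wanted: list) -> tuple:
    """Append missing (ip, fqdn) pairs to hosts text.

    Returns (new_text, added_lines). An FQDN already mapped to the same
    address is skipped; one mapped to a different address raises, because
    a stale entry would send the collector's events to the wrong host.
    """
    existing = parse_hosts(text)
    added = []
    for ip, fqdn in wanted:
        line = make_entry(ip, fqdn)
        addr, name = line.split("\t")
        current = existing.get(name)
        if current == addr:
            continue
        if current is not None:
            raise ValueError(f"{name} already maps to {current}, not {addr}")
        added.append(line)
        existing[name] = addr
    if not added:
        return text, added
    if text and not text.endswith("\n"):
        text += "\n"
    return text + "\n".join(added) + "\n", added


def hosts_filename_ok(path: str) -> bool:
    """True if the file is still named 'hosts' (no extension added by the editor)."""
    return os.path.basename(path) == "hosts"


if __name__ == "__main__":
    # Constructed sample hosts content and addresses; not from a real deployment.
    sample = "127.0.0.1\tlocalhost\n10.0.0.5\tssim.example.com  # appliance\n"
    new_text, added = merge_entries(
        sample,
        [("10.0.0.5", "ssim.example.com"), ("10.0.0.21", "collector01.example.com")],
    )
    print(new_text)
    print("added:", added)
```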
Installation and configuration tasks for collectors
Collector installation and configuration includes the following major tasks:
Completion of the preinstallation requirements
See Requirements for point products and the collectors on page 15.
See Updating the hosts file on page 16.
Registration of the collector
See Registering Collectors on page 18.
Installation of the Symantec Event Agent
See Installing Symantec Event Agents on page 19.
Installation of the collector component
See Installing the collector on a remote computer on page 25.
See Installing collectors on an Information Manager appliance on page 26.
Configuration of the point product
See About configuring the point product to work with the collector
on page 29.
Configuration of the collector
See Configuring collector raw event logging on page 49.
See Configuring event filtering on page 51.
See Configuring event aggregation on page 54.
See Creating and configuring sensors on page 31.
The following tasks depend on various factors:
A collector that uses a database sensor to collect events requires the completion
of additional tasks.
See Installing collectors that use a database sensor on page 69.
A collector that uses a syslog sensor can possibly use Syslog Director.
See About Syslog Director 4.3 on page 59.
You can run LiveUpdate to receive collector updates such as support for new
events and query updates.
See Running LiveUpdate for collectors on page 65.
If you need to configure many collectors at once, you can create a csv-formatted
file.
See Deploying many collectors on page 99.
You can uninstall the collector and its components
See Uninstalling the collector and its components on page 95.
Registering Collectors
The Information Manager configuration Web site provides a page to register and
to unregister the configuration settings and event schema. The Information
Manager appliance requires these settings and schema to recognize and to log
events from the point product.
You must register the collector for all remote installations. If you use a collector
that resides on the Information Manager appliance, you do not have to install the
agent.
See Installation and configuration tasks for collectors on page 17.
To register a collector
1 Launch the Information Manager Web site at the following URL:
https://Information_Manager_IP_address
If you have the SSIM Client console open, you should close it.
2 From the Information Manager configuration Web site, click Collector
Registration.
3 On the page that appears, click Register a collector.
4 In the box provided, type (or select) the path to the collector_name.SIP file
that was provided with your collector.
The default location for this file is the sip/ subdirectory of the collector install.
5 Click Begin Registration.
Installing Symantec Event Agents
The Symantec Event Agent sends the data that is collected by the collector to the
Information Manager appliance. The Agent is always installed on the same
computer as the collector component. You must sometimes install Agents on the
same computer as the security product for which it collects events; in other cases
you can install the collector on a separate computer from the security product
for which it collects events. This computer must have network access to the Information Manager appliance.
See Installation and configuration tasks for collectors on page 17.
Note: When you install the Symantec Event Agent, you may receive the following
error:
bootstrap- Symc_ConfigProvider: Server returned authorization error
This error generally occurs when Information Manager is under heavy load. The
installation program continues to try to communicate with Information Manager
until it succeeds. The installation may take several hours or more depending on the load conditions. No user action is required.
Note: Java Runtime Environment (JRE) 1.6 is automatically installed along with
the Agent into a subdirectory of the installation directory that is specified at
installation. By default, the directory is C:\Program Files\Symantec\Event
Agent\jre on Windows and /opt/Symantec/sesa/Agent/jre on UNIX. Only the
collector component and the Agent use the JRE; it does not interfere with any
other JRE that is installed on the computer.
If you install more than one collector on the same computer, you only need to install the Symantec Event Agent once.
Before you install the Symantec Event Agent, you should complete the following
steps in the order presented:
Uninstall any previous version of the agent
See Uninstalling the Symantec Event Agent on page 96.
Ensure that there is network connectivity between the system where the agent
will be installed and the Information Manager appliance
If there is a firewall between the agent computer and the Information Manager
appliance, ensure that the following ports are open:
TCP 5998
TCP 8086
TCP 443
TCP 80
When the Symantec Event Agent installation completes, you can verify it by
completing the following procedures:
Verify Symantec Event Agent installation
See Verifying Symantec Event Agent installation on page 22.
Verify Symantec Event Agent operation
See Verifying Symantec Event Agent operation on page 23.
Starting and stopping Symantec Event Agent services and daemons
See Starting and stopping Symantec Event Agent services or daemons
on page 24.
To install the Symantec Event Agent on a computer that runs Windows
1 Launch the Information Manager Configuration Web site at the following
URL: https://Information_Manager_IP_address
2 From the Information Manager Configuration Web site, click Downloads.
3 Click Download Symantec Event Agent Installer for Windows, and save the
file to a directory on the computer where you want to install the Symantec
Event Agent.
This option downloads a file that is named install.exe.
4 To install the Symantec Event Agent, double-click the install.exe that you
downloaded in step 3, and then follow the prompts.
To install the Symantec Event Agent on a computer that runs Linux
1 Launch the Information Manager Configuration Web site at the following
URL:
https://Information_Manager_IP_address
2 From the Information Manager Configuration Web site, click Downloads.
3 Click Download Symantec Event Agent Installer for Linux, and save the file
to a directory on the computer where you want to install the Symantec Event
Agent.
This option downloads a file that is named symevtagent_4.5.0.12.tar.
4 Navigate to the directory where you downloaded the .tar file in step 3.
5 At the command prompt, type the following command:
tar -xvf symevtagent_4.5.0.12.tar
This command creates a subdirectory that is named Agent, and then unpacks
the Event Agent installation files into that directory.
6 At the command prompt, to run the install script, type the following
commands:
cd Agent
sh ./install.sh
7 At the prompts, enter the appropriate information.
To install the Symantec Event Agent on a computer that runs Solaris
1 Launch the Information Manager Configuration Web site at the following
URL:
https://Information_Manager_IP_address
2 From the Information Manager Configuration Web site, click Downloads.
3 Click Download Symantec Event Agent Installer for Solaris, and save the
file to a directory on the computer where you want to install the Symantec
Event Agent.
This option downloads a file that is named symevtagent_4.5.0.13.tar.
4 Navigate to the directory where you downloaded the .tar file in step 3.
5 At the command prompt, type the following command:
tar -xvf symevtagent_4.5.0.13.tar
This command creates a subdirectory that is named Agent, and then unpacks
the Event Agent installation files into that directory.
6 At the command prompt, to run the install script, type the following
commands:
cd Agent
sh ./install.sh
7 At the prompts, enter the appropriate information.
Verifying Symantec Event Agent installation
To verify installation of the Symantec Event Agent, you can perform the following
tasks in the order presented:
Verify Symantec Event Agent connectivity from Information Manager.
See To verify Symantec Event Agent connectivity from Information Manager
on page 22.
Verify the Information Manager IP address and Symantec Event Agent port.
See To verify the Information Manager IP address and the Symantec Event
Agent port on page 22.
To verify Symantec Event Agent connectivity from Information Manager
1 From a Windows computer that has the SSIM Client installed, log on with an
Information Manager user account with sufficient rights to view events.
The Information Manager user must belong to a role that has rights to the
Information Manager-integrated collector.
2 In the Information Manager console, in the left pane, click System.
3 On the Administration tab, expand the tree until you see Organizational Units.
4 Expand Organizational Units > Default.
5 Verify that the name of the collector computer is listed.
6 Right-click the computer name, and then click Properties.
7 In the Computer Properties dialog box, on the Services tab, verify that the
Agent Service displays Yes in the Started column.
To verify the Information Manager IP address and the Symantec Event Agent port
1 From the collector computer, navigate to the Symantec Event Agent
installation folder.
On Windows, the default location is C:\Program Files\Symantec\Event Agent
On UNIX, the default location is /opt/Symantec/sesa/Agent
On UNIX, you must become superuser.
2 In a text editor, such as Notepad on Windows or vi on UNIX, open the
configprovider.cfg file.
3 Verify that the following options contain the correct settings for the collector
product to which you want to send events:
MgmtServer contains the correct Symantec Security Information Manager
IP address.
MgmtPort contains the port on which the Agent reaches Information Manager
(default value is 443).
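The following Python script is an added example, not part of the guide or of the Symantec Event Agent. It automates the two checks above: it reads MgmtServer and MgmtPort out of configprovider.cfg and then tests TCP reachability of the appliance on the ports listed in the firewall prerequisites (5998, 8086, 443, 80) plus the configured management port. The guide does not show the layout of configprovider.cfg, so the parser assumes one Key=Value setting per line; the function names and the local-listener demo are this example's own.

```python
import ipaddress
import socket

# TCP ports the guide lists as required between the agent computer and the appliance.
AGENT_PORTS = (5998, 8086, 443, 80)


def parse_configprovider(text):
    """Parse configprovider.cfg into a dict.

    Assumption (the guide does not show the file): one Key=Value setting per
    line; blank lines and lines starting with '#' are ignored.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def check_tcp(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within timeout seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(cfg_text, ports=AGENT_PORTS, expected_server=None, connect=check_tcp):
    """Validate MgmtServer/MgmtPort and probe every required port.

    Returns {"server", "port", "findings", "reachable"}; connect is injectable
    so the logic can be exercised without a network.
    """
    cfg = parse_configprovider(cfg_text)
    server = cfg.get("MgmtServer", "")
    port_text = cfg.get("MgmtPort", "")
    findings, server_ok = [], True
    try:
        ipaddress.ip_address(server)
    except ValueError:
        server_ok = False
        findings.append("MgmtServer is not an IP address: %r" % server)
    if expected_server and server != expected_server:
        findings.append("MgmtServer %r is not the appliance %r" % (server, expected_server))
    port = int(port_text) if port_text.isdigit() and 1 <= int(port_text) <= 65535 else None
    if port is None:
        findings.append("MgmtPort is not a valid TCP port: %r" % port_text)
    elif port != 443:
        findings.append("MgmtPort is %d; the guide's default is 443" % port)
    to_test = set(ports) | ({port} if port else set())
    reachable = {p: connect(server, p) for p in sorted(to_test)} if server_ok else {}
    for p, ok in reachable.items():
        if not ok:
            findings.append("TCP %d to %s is blocked or closed" % (p, server))
    return {"server": server, "port": port, "findings": findings, "reachable": reachable}


def demo():
    """Run preflight against a throwaway local listener so the example works offline."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()                                  # nothing listens on closed_port now
    # Constructed sample, not a real configprovider.cfg.
    cfg = "# sample\nMgmtServer=127.0.0.1\nMgmtPort=%d\n" % open_port
    try:
        result = preflight(cfg, ports=(open_port, closed_port), expected_server="127.0.0.1")
    finally:
        listener.close()
    return result, open_port, closed_port


if __name__ == "__main__":
    res, _, _ = demo()
    for line in res["findings"]:
        print(line)
```

Run it on the collector computer with the real file contents (`preflight(open(path).read(), expected_server=appliance_ip)`); an empty findings list means the configured manager address is sane and every required port answers a TCP handshake from this host.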
Verifying Symantec Event Agent operation
You can verify that the Symantec Event Agent is operating correctly by running
the Show Agent Status script.
See Verifying Symantec Event Agent installation on page 22.
To run the Show Agent Status script and verify Symantec Event Agent operation
1 On the collector computer, navigate to the Agent directory as follows:
On Windows, the default location is C:\Program Files\Symantec\Event
Agent.
On UNIX, the default location is /opt/Symantec/sesa/Agent.
On UNIX, you must become superuser.
2 To access the Collector and Agent Management scripts, at the command
prompt, do one of the following steps:
On Windows, type the following command:
agentmgmt.bat
On UNIX, type the following command:
./agentmgmt.sh
3 At the SSIM Collector / Agent Management Scripts menu, select the following
option:
1. Show Agent Status
If the Agent is not running, the following message appears:
The agent command cannot be executed.
Failed to make a connection to the agent.
The Symantec Event Agent is possibly not running.
If the Agent is running, something similar to the following message appears:
Symantec Event Agent (v 4.5.0.12) - Copyright(c) - Symantec Corporat
Symantec Event Agent status: running
Listening on: 172.16.0.1:8086
SSL: Off
SESA Manager URL: https://172.16.0.1:443/sesa/servlet/
Outbound Thread State: CONNECTED
Java Version 1.6.0
Queue Status
Total events accepted: 502
Total events forwarded: 502
Entries waiting in queue: 0
Direct events accepted: 0
Queue File: .\agent.que
Flush Size (KB): 2000
Flush Count: 1000
Flush Time (sec): 4
Spool Size (KB): 20000
Max Queue Size (KB): 80000
Forwarding Provider: Symc_SESAEventForwardingProvider
Post failures due to unexpected response code: 6
Total number of post failures: 0
Event Acceptor HTTP ThreadPool:
Thread 0 state = IDLE
Thread 1 state = IDLE
Thread 2 state = IDLE
Thread 3 state = IDLE
Last state update time: Mon Apr 28 18:24:17 PDT 2008
Last configuration download request time:
Mon Apr 28 18:24:17 PDT 2008
Last configuration update invocation time:
Mon Apr 28 18:24:17 PDT 2008
Last configuration update completion time:
Mon Apr 28 18:24:17 PDT 2008
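Reading the Show Agent Status output by eye does not scale to many collector computers. The following Python parser is an added example, not part of the guide or the Agent management scripts; it turns the listing into a dictionary and reports the conditions an operator acts on: the agent not reachable, status not running, outbound thread not CONNECTED, events waiting in the queue, accepted and forwarded counters that do not add up, non-zero post failures, and SSL off on the event acceptor (the listing above shows the acceptor on 8086 with SSL: Off, which is worth confirming is bound to a trusted interface). The sample text is constructed from the guide's listing; key names and thresholds are this example's own.

```python
import re

# Constructed from the guide's sample listing (first line completed); not live output.
SAMPLE_STATUS = """\
Symantec Event Agent (v 4.5.0.12) - Copyright(c) - Symantec Corporation
Symantec Event Agent status: running
Listening on: 172.16.0.1:8086
SSL: Off
SESA Manager URL: https://172.16.0.1:443/sesa/servlet/
Outbound Thread State: CONNECTED
Java Version 1.6.0
Queue Status
Total events accepted: 502
Total events forwarded: 502
Entries waiting in queue: 0
Direct events accepted: 0
Queue File: .\\agent.que
Max Queue Size (KB): 80000
Forwarding Provider: Symc_SESAEventForwardingProvider
Post failures due to unexpected response code: 6
Total number of post failures: 0
Event Acceptor HTTP ThreadPool:
Thread 0 state = IDLE
Thread 1 state = IDLE
Last state update time: Mon Apr 28 18:24:17 PDT 2008
"""

NOT_REACHABLE = "Failed to make a connection to the agent"


def parse_agent_status(text):
    """Turn the script's 'Key: value' lines into a dict; unknown lines are ignored."""
    info = {"reachable": NOT_REACHABLE not in text, "threads": {}, "counters": {}}
    version = re.search(r"\(v ([\d.]+)\)", text)
    if version:
        info["version"] = version.group(1)
    for line in text.splitlines():
        thread = re.match(r"Thread (\d+) state = (\w+)", line)
        if thread:
            info["threads"][int(thread.group(1))] = thread.group(2)
            continue
        if ": " not in line:
            continue
        key, _, value = line.partition(": ")
        key, value = key.strip(), value.strip()
        if key == "Symantec Event Agent status":
            info["status"] = value
        elif key == "Listening on":
            host, _, port = value.rpartition(":")
            info["listen"] = (host, int(port))
        elif key == "SSL":
            info["ssl"] = value.lower() == "on"
        elif key == "SESA Manager URL":
            info["manager_url"] = value
        elif key == "Outbound Thread State":
            info["outbound"] = value
        elif value.lstrip("-").isdigit():
            info["counters"][key] = int(value)
    return info


def assess(info, max_backlog=0):
    """Return the findings an operator would act on, in the order they matter."""
    if not info["reachable"]:
        return ["agent not reachable: it is probably not running (menu option 10 starts it)"]
    findings = []
    if info.get("status") != "running":
        findings.append("agent status is %r, not running" % info.get("status"))
    if info.get("outbound") != "CONNECTED":
        findings.append("outbound thread state is %r; events are not reaching Information Manager"
                        % info.get("outbound"))
    if info.get("ssl") is False:
        findings.append("SSL is off on the event acceptor at %s:%d; confirm it is bound to a trusted interface"
                        % info.get("listen", ("?", 0)))
    if not info.get("manager_url", "").startswith("https://"):
        findings.append("manager URL %r is not https" % info.get("manager_url"))
    c = info["counters"]
    backlog = c.get("Entries waiting in queue", 0)
    if backlog > max_backlog:
        findings.append("%d events waiting in queue" % backlog)
    if c.get("Total events accepted", 0) != c.get("Total events forwarded", 0) + backlog:
        findings.append("accepted != forwarded + queued; events were dropped or counters are stale")
    for key in ("Post failures due to unexpected response code", "Total number of post failures"):
        if c.get(key, 0):
            findings.append("%s: %d" % (key, c[key]))
    return findings


if __name__ == "__main__":
    for finding in assess(parse_agent_status(SAMPLE_STATUS)):
        print(finding)
```

Feed it the captured output of option 1 (for example via `agentmgmt.sh` run under a scheduler) and alert on a non-empty findings list; the queue and post-failure checks catch the case where the agent is running but has silently stopped delivering events.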
Starting and stopping Symantec Event Agent services or daemons
If you install the collector on a Windows computer, the Symantec Event Agent
runs as a service. If you install the collector on a UNIX computer, the Symantec
Event Agent runs as a daemon. To start and stop the Symantec Event Agent, you
start and stop the services or daemons as necessary.
To start and stop the Symantec Event Agent service
1 On the collector computer, navigate to the Agent directory as follows:
On Windows, the default location is C:\Program Files\Symantec\Event Agent.
On UNIX, the default location is /opt/Symantec/sesa/Agent.
On UNIX, you must become superuser.
2 To access the Collector and Agent Management Scripts, do one of the following
steps:
On Windows, type the following command:
agentmgmt.bat
On UNIX, type the following command:
./agentmgmt.sh
3 At the SSIM Collector / Agent Management Scripts menu, select one of the
following options:
10. Start the Agent
11. Stop the Agent
Installing the collector on a remote computer
The collector component reads the data from the security product, formats the
data, and forwards it to the Symantec Event Agent. The collector computer must
have access to the product that you want to monitor.
Before you install the collector component, you must complete the following tasks
in the order shown:
Register the collector
See Registering Collectors on page 18.
Install the Symantec Event Agent
See Installing Symantec Event Agents on page 19.
Note: You must install the agent for all remote installations. If you use a
collector that resides on the Information Manager appliance, you do not have
to install the agent.
See Installation and configuration tasks for collectors on page 17.
When you have completed the installation of the collector on a remote computer,
you should verify that the Symantec Event Agent and collector are running.
See Verifying collector installation on page 27.
To install the collector on a remote computer
1 On the collector computer, navigate to the install subdirectory of the collector
installation files. The installation files are located in a temporary directory.
You must install some collectors on the same computer as the product for
which it collects events.
See the quick reference guide for the specific collector for more information.
2 At a command prompt, do one of the following steps:
On Windows, type the following command:
install.bat
On UNIX, type the following command:
sh ./install.sh
3 Follow the installation wizard prompts.
Installing collectors on an Information Manager appliance
You can install most 4.3 collectors on the Information Manager 4.5 or 4.6 appliance.
If you install the collector on the appliance, you do not need to register the collector
nor install the Symantec Event Agent.
See Installation and configuration tasks for collectors on page 17.
To install a 4.3 collector on an Information Manager appliance
1 Contact Symantec for the collector 4.3 installation package.
2 Unzip the installation package onto your Information Manager client
computer.
The installation package includes a subdirectory that is named appliance.
The appliance subdirectory contains a file that is named as follows:
install-collector_namecollector.jar
where collector_name represents the name of the collector.
3 From a Web browser, navigate to the Information Manager Administrator
Web page, and then log in with administrator credentials.
The URL is as follows:
https://Information_Manager_IP_address
4 From the list on the left, click SystemUpdates.
5 From Options, click Install, and then browse to the appliance directory where
you unzipped the installation package (see step 2).
6 Select the install-collector_namecollector.jar file and click Upload and
Install.
7 In the Confirm Installation page, click Continue.
The status of the install process is displayed.
8 When done, close the Information Manager Administrator Web page.
Verifying collector installation
To verify the collector installation, you must complete the following procedures
in the order presented:
On the collector computer, verify that the appropriate services or daemons
are started.
On a Windows computer, you verify that services have started. On a UNIX
computer, you verify that daemons have started.
See To verify that the appropriate services have started on Windows
on page 27.
See To verify that the appropriate daemons have started on UNIX on page 27.
Verify that the Symantec Event Agent and collector are running.
See To verify that the Symantec Event Agent and collector are running
on page 28.
To verify that the appropriate services have started on Windows
1 On the collector computer, from the Start menu, click Settings> Control
Panel.
2 In the Control Panel window, select AdministrativeTools.
3 In the Administrative Tools window, select Services.
4 In the Services dialog box, verify that the AgentStart Service is listed and is
started.
To verify that the appropriate daemons have started on UNIX
1 On the collector computer, become superuser.
2 At the command prompt, type the following command:
ps -ef | grep sesagentd
3 Verify that the sesagentd process exists.
To verify that the Symantec Event Agent and collector are running
1 On the collector computer, navigate to the Agent directory as follows:
On Windows, the default location is C:\Program Files\Symantec\Event Agent
On UNIX, the default location is /opt/Symantec/sesa/Agent
On UNIX, you must become superuser.
2 To access the Collector and Agent Management scripts, at the command
prompt, do one of the following steps:
On Windows, type the following command:
agentmgmt.bat
On UNIX, type the following command:
./agentmgmt.sh
3 At the SSIM Collector / Agent Management Scripts menu, select the following
option:
1. Show Agent Status
Chapter 3 Configuring point products
This chapter includes the following topics:
About configuring the point product to work with the collector
About configuring the point product to work with thecollector
After you have installed the necessary collector components, you may need to
configure the point product to make the event information available to the
collector.
For example, if the collector uses a syslog sensor, you must configure the point
product to send syslog events to the collector.
For more information, see the quick reference guide for the specific collector.
Chapter 4 Configuring collectors
This chapter includes the following topics:
Creating and configuring sensors
Creating a new sensor configuration
Configuring the collector sensor to receive security events
Adding, renaming, deleting, and disabling sensors
Importing and exporting sensor properties
Globally updating sensor properties
About sensor properties for common sensor types
Configuring collector raw event logging
Verifying collector configuration
Creating and configuring sensors
You must create a new sensor configuration for each collector.
The creation of sensor configurations includes the following tasks:
Creating a new sensor configuration
See Creating a new sensor configuration on page 32.
Configuring the collector sensor to receive security events
See Configuring the collector sensor to receive security events on page 33.
Adding, renaming, deleting, and disabling sensors
See Adding, renaming, deleting, and disabling sensors on page 33.
Configuring sensor properties
See About sensor properties for common sensor types on page 36.
Importing and exporting sensor properties, optional
See Importing and exporting sensor properties on page 34.
Globally updating sensor properties
See Globally updating sensor properties on page 35.
Creating a new sensor configuration
Collectors use sensors that you must configure to receive security events. Sensors
are grouped by sensor configurations. Collectors include a sensor configuration
named Default. You cannot use this configuration; you must create a new one.
See Creating and configuring sensors on page 31.
See Configuring the collector sensor to receive security events on page 33.
To create a new sensor configuration
1 In the Information Manager console, in the left pane, click System.
2 From the Product Configurations tab, expand the tree until you see the
collector name.
3 Right-click the collector name, and then choose New.
4 On the Create a New Configuration wizard page, click Next.
5 On the General page, enter a name and a description for the new configuration,
and then click Next.
6 On the Computers page, do the following steps in the order given:
Click Add.
Under the Available computers column, click a system from the list, then
click Add.
In order for a computer to be listed, the Symantec Event Agent must be
installed on this computer.
Click OK, then click Next.
7 On the Configuration summary panel, make changes to any of your previous
selections.
8 Click Finish, and then click Close.
Configuring the collector sensor to receive security events
Before you configure a sensor, you must create a sensor configuration.
See Creating a new sensor configuration on page 32.
After you create a sensor configuration, you must configure its sensor or sensors
to receive security events.
After the sensors are configured, or when a change is made to sensor properties,
you must distribute the sensor properties to the collector computers.
See Creating and configuring sensors on page 31.
To configure the collector sensor to receive security events
1 In the Information Manager console, in the left pane, click System.
2 Select the Product Configurations tab, and then expand the tree until you see
the collector name.
3 In the left pane, select the appropriate configuration.
4 In the right pane, on the sensor tab, under the list of sensors, click the sensor.
You can rename the sensor, add new sensors, and delete sensors.
See Adding, renaming, deleting, and disabling sensors on page 33.
5 In the sensor property table under the Value column, change any of the
information.
See About sensor properties for common sensor types on page 36.
For specific sensor settings, see the quick reference guide for the collector.
6 Click Save.
7 In the left pane, right-click the appropriate configuration, and then click
Distribute.
8 When you are prompted to distribute the configuration, click Yes.
9 In the Configuration Viewer window, click Close.
Adding, renaming, deleting, and disabling sensors
When you create a new sensor configuration, a sensor is automatically created
for you. You may create additional sensors, rename the sensor, delete the sensor,
or disable the sensor.
See Creating a new sensor configuration on page 32.
See Creating and configuring sensors on page 31.
To add, rename, delete, or disable a sensor
1 In the Information Manager console, in the left pane, click System.
2 Select the Product Configurations tab, and then expand the tree until you see
the collector name.
3 In the left pane, select the appropriate configuration.
4 In the right pane, select the sensor tab, and then, under the list of sensors,
do any of the following:
To add a sensor, click the plus (+) button.
By default, the sensors that you create are named Sensor 1, Sensor 2,
Sensor 3, and so on.
To rename a sensor, double-click in the sensor name box, and type in a
new name.
To delete a sensor, click the minus (-) button.
You cannot delete the default sensor.
To delete all sensors, click the trash can button.
To disable a sensor, but not delete it, uncheck the sensor.
5 Click Save.
6 In the left pane, right-click the appropriate Default folder, and then click
Distribute to update the collector on the target computer with the new properties.
7 When you are prompted to distribute the configuration, click Yes.
Importing and exporting sensor properties
You can both import sensor properties from an XML file and export sensor
properties to an XML file.
See Creating and configuring sensors on page 31.
An example XML file for syslog sensor properties sets the Protocol, Host Names,
and Port Number properties to the following values:
UDP
*
514
To import and export sensor properties
1 In the Information Manager console, in the left pane, click System.
2 Select the Product Configurations tab, and then expand the tree until you see
the collector name.
3 In the left pane, select the appropriate configuration.
4 In the right pane, on the sensor tab, do one of the following tasks:
If you want to import a configuration from an XML file, click the Import
Sensors button, and then, in the Import Configuration From File window
that appears, specify the XML file from which you want to import the
configuration.
If you want to export the selected configuration to an XML file, click the
Export Sensors button, and then, in the Export Configuration to File
window that appears, specify a filename to which to export the
configuration.
Globally updating sensor properties
You can copy selected sensor properties to other sensors that are within the same
configuration. This feature is particularly useful if you have many sensors that
you need to update.
See Configuring the collector sensor to receive security events on page 33.
See Creating and configuring sensors on page 31.
To globally update sensor properties
1 In the Information Manager console, in the left pane, click System.
2 Select the Product Configurations tab, and then expand the tree until you see
the collector name.
3 In the left pane, select the appropriate configuration.
4 In the right pane, on the sensor tab, select a sensor so that it appears
highlighted.
5 In the right pane, on the lower right, click Global Update.
6 In the Select Properties for Global Update window, place a checkmark next
to the property whose value you want to propagate to all other sensors within
the same configuration.
7 ClickOK to complete the global update process.
8 Proceed to change the sensor properties as needed.
For sensor properties, see the quick reference guide for the collector.
9 In the left pane, right-click the configuration, and then click Distribute.
10 When you are prompted to distribute the configuration, click Yes.
About sensor properties for common sensor types
The most common sensor types are as follows:
Syslog sensor
See Sensor properties for the syslog sensor on page 36.
Database sensor
See Sensor properties for the database sensor on page 38.
Log sensor
See Sensor properties for the log and syslog file sensor on page 42.
Syslog file sensor
See Sensor properties for the log and syslog file sensor on page 42.
Log file sensor
See Sensor properties for the log file sensor on page 43.
Windows Event Log sensor
See Sensor properties for the Windows Event Log sensor on page 44.
OPSEC LEA sensor
See Sensor properties for the OPSEC LEA sensor on page 45.
For properties of a custom sensor, or specific settings for a particular collector,
see the quick reference guide for the collector.
Sensor properties for the syslog sensor
Table 4-1 Syslog sensor properties

Protocol
    Specify UDP or TCP. UDP is the syslog standard protocol and is faster than
    TCP; however, UDP provides few error recovery services, and there is no
    guarantee that events are delivered. TCP is slower than UDP, but it
    guarantees event delivery by establishing a connection.

Host Names
    Specify the IP addresses or names of the host computers that the collector
    monitors. Specify * (or any) to allow any host to send events to the
    collector, or specify multiple host names. Separate multiple host names with
    commas or semicolons.
    Prefer an explicit list of senders: with * the collector accepts events from
    any source address, and over UDP the source address is not authenticated, so
    any host that can reach the port can inject events.

Port Number
    Specify the port number to which you have configured the point product to
    send syslog messages.

Time Offset
    Specify a time offset to convert timestamps of all logged events to the time
    zone of the collector computer.
    You can use a time offset value if both of the following statements are true:
    The time zone of the collector computer and the point product are different
    The timestamps in the point product data are not Coordinated Universal Time (UTC).
    You do not need to use this property if the collector and the point product
    computers are in the same time zone.
    Acceptable formats are: +HH, -HH, +HH:MM, -HH:MM, where HH is the number of
    hours (-99 to +99), and MM is the number of minutes (0 to 59). The default
    value is +00:00.
    For example, if Pacific Standard Time (PST, UTC-8) is the time zone of the
    collector computer, you can specify -3 to convert incoming events with
    Eastern Standard Time (EST, UTC-5) timestamps to Pacific Standard Time, and
    +2 to convert incoming events with Hawaii-Aleutian Standard Time (HST, UTC-10)
    timestamps to Pacific Standard Time.
    If you enter and distribute an erroneous time zone offset, the collector
    automatically resets the offset value to the default value of +00:00. An
    error message is posted in the collector's log.
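The following Python code is an added example, not part of the guide or the collector, showing the rules of Table 4-1 in executable form: it validates a Time Offset against the +HH, -HH, +HH:MM, -HH:MM grammar (HH 0 to 99 with a mandatory sign, MM 0 to 59), falls back to +00:00 with a logged error the way the collector does on a bad value, shifts a point-product timestamp into the collector's time zone, and parses Host Names (* or any versus a comma- or semicolon-separated allowlist) into a sender check. The same Time Offset rules apply to the log file sensor in Table 4-3. Function names and the PST/EST/HST sample timestamps are this example's own.

```python
import re
from datetime import datetime, timedelta

_OFFSET_RE = re.compile(r"^([+-])(\d{1,2})(?::(\d{1,2}))?$")
DEFAULT_OFFSET = "+00:00"


def parse_time_offset(text):
    """Parse +HH, -HH, +HH:MM or -HH:MM (HH 0-99, MM 0-59) into a timedelta.
    Anything else raises ValueError, mirroring the collector's rejection."""
    m = _OFFSET_RE.match(text.strip())
    if not m:
        raise ValueError("time offset %r is not +HH, -HH, +HH:MM or -HH:MM" % text)
    sign = 1 if m.group(1) == "+" else -1
    hours, minutes = int(m.group(2)), int(m.group(3) or 0)
    if minutes > 59:
        raise ValueError("minutes out of range in %r" % text)
    return sign * timedelta(hours=hours, minutes=minutes)


def load_offset(text, log):
    """What distribute does with the property: keep a valid offset, or reset
    to +00:00 and post an error to the collector log (here, a list)."""
    try:
        return parse_time_offset(text)
    except ValueError as err:
        log.append("ERROR invalid Time Offset %r, reset to %s (%s)" % (text, DEFAULT_OFFSET, err))
        return parse_time_offset(DEFAULT_OFFSET)


def to_collector_time(event_ts, offset):
    """Shift a naive point-product timestamp into the collector computer's zone."""
    return event_ts + offset


def parse_host_names(text):
    """None for * or any (accept every sender); otherwise the set of allowed hosts."""
    value = text.strip()
    if value in ("*", "any"):
        return None
    hosts = {h.strip() for h in re.split(r"[,;]", value) if h.strip()}
    if not hosts:
        raise ValueError("Host Names is empty")
    return hosts


def host_allowed(sender, allowed):
    """Sender check as the sensor applies it; allowed=None means no restriction."""
    return allowed is None or sender in allowed


def demo():
    """Constructed scenario: collector in PST, one EST device and one HST device,
    plus a mistyped offset that the collector resets and logs."""
    log = []
    est_event = datetime(2008, 4, 28, 18, 24, 17)   # as written by the EST device
    hst_event = datetime(2008, 4, 28, 18, 24, 17)   # as written by the HST device
    return {
        "est_in_pst": to_collector_time(est_event, load_offset("-3", log)),
        "hst_in_pst": to_collector_time(hst_event, load_offset("+2", log)),
        "bad": load_offset("+3:60", log),
        "log": log,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The sender check is the part worth keeping in mind when you leave Host Names at *: parse_host_names returns None and host_allowed then accepts every source, which is exactly the unauthenticated-UDP exposure described in the table.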
Sensor properties for the database sensor
Table 4-2 Database sensor properties

JDBC Drivers Directory
    Specify the path where the database driver is installed.
    If the collector is installed on the Information Manager 4.6 appliance, the
    default directory is one of the following paths:
    For Sybase:
    /opt/Symantec/simserver/collectors/drivers/jConnect-6_0
    For MS SQL Server:
    /opt/Symantec/simserver/collectors/drivers/mssqljdbc_2005/enu
    /opt/Symantec/simserver/collectors/drivers/mssqljdbc_2000/lib
    For MySQL:
    /opt/Symantec/simserver/collectors/drivers/mysql-connector-java-5.0.7
    For PostgreSQL:
    /opt/Symantec/simserver/collectors/drivers/postgresql-8.2-504
    For IBM DB2:
    /opt/Symantec/simserver/collectors/drivers/v9fp2_db2driver_for_jdbc_sqlj

Database URL
    The collector includes a default database URL that can include any of the
    following items: the type of database driver that is used, the instance
    name, the host name, the TCP port, and the database name.
    Example database URL formats are as follows:
    Microsoft SQL Server:
    jdbc:microsoft:sqlserver://host_name_or_IP_address_of_the_database_server:1433;DatabaseName=database_name
    For example, to connect to a Microsoft SQL Server database named MyDatabase
    on the server at 192.168.255.234, with SQL Server listening for connections
    on the default port number 1433, you would use the following URL:
    jdbc:microsoft:sqlserver://192.168.255.234:1433;DatabaseName=MyDatabase
    The jdbc:microsoft:sqlserver: prefix belongs to the SQL Server 2000 driver
    (the mssqljdbc_2000 directory above). The SQL Server 2005 driver
    (mssqljdbc_2005) uses the following form instead:
    jdbc:sqlserver://host_name_or_IP_address:1433;DatabaseName=database_name
    MySQL:
    jdbc:mysql://ip_address:port_number/database_name
    For example, to connect to a MySQL database named MyDatabase on the server at
    192.168.255.234, with the MySQL server listening for connections on the
    default port number 3306, you would use the following URL:
    jdbc:mysql://192.168.255.234:3306/MyDatabase
    Sybase:
    jdbc:sybase:Tds:host:port
    For example, to connect to a Sybase database on the server at
    192.168.255.234, with the Sybase server listening for connections on the
    default port number 2638, you would use the following URL:
    jdbc:sybase:Tds:192.168.255.234:2638
    Oracle:
    jdbc:oracle:thin:@ip_address:1521:System_Identifier_(SID)
    For example, to connect to an Oracle database whose SID is MyDatabase on the
    server at 192.168.255.234, with the Oracle listener on the default port
    number 1521, you would use the following URL:
    jdbc:oracle:thin:@192.168.255.234:1521:MyDatabase
    Note: If you are not using the default port number, you must replace the
    default port number in the URL.

User Name
    Specify the read-only database user account name for the database. Use a
    dedicated account that has only SELECT rights on the tables the collector
    reads: the sensor configuration, credential included, is distributed to
    every collector computer in the configuration.

Password
    Specify the password for the database user account.

Start Reading From
    Specify from where to start reading the database upon restart of the
    collector, as follows:
    BEGINNING
    Specifies that the database is read from the beginning.
    END
    Specifies that the database is read from the end. Only events that are
    written to the database after the collector starts are read.

Execution Time
    Specify the scheduled time to send events to the Symantec Security
    Information Manager appliance, or leave this field blank if you want to
    collect events in real time.
    Time is entered in 24-hour clock time. You can schedule the collector to send
    events on a specific day, every day at a specified time, every week, or on a
    specified number of weeks.
    The time that is specified in the Execution Time field must use the same time
    zone and system clock as the collector computer.
    If the first batch has not finished before the second batch needs to start,
    the second batch is skipped.
    Execution Time syntax, as the examples below illustrate, is as follows:
    Every day at time[,time...]
    Every N days at time[,time...]
    On day[, day...] at time[,time...]
    Every week on day[, day...] at time[,time...]
    Every N weeks on day[, day...] at time[,time...][, day at time[,time...]]
    where time is H:M[:S] on a 24-hour clock and day is Sun, Mon, Tue, Wed, Thu,
    Fri, or Sat. A bare list of times means every day at those times.
    Examples are as follows:
    5:00:00
    Send events every day at 5:00 a.m.
    5:0:0,17:0:0
    Send events every day at 5:00 a.m. and 5:00 p.m.
    Every day at 7:0:0,19:0:0
    Send events every day at 7:00 a.m. and 7:00 p.m.
    Every 2 days at 0:0:0,12:0:0
    Send events every other day at midnight and noon.
    If a specified time has not passed, events are sent on the same day; if a
    specified time has already passed, events are sent in 2 days.
    On Sun, Wed at 8:30:0,20:30:0
    Send events on Sunday and Wednesday at 8:30 a.m. and 8:30 p.m.
    (This value is the same as Every Week on Sun, Wed at 8:30,20:30.)
    Every week on Mon, Fri at 7:0:0,14:0:0
    Send events on Monday and Friday at 7:00 a.m. and 2:00 p.m.
    (This value is the same as On Mon, Fri at 7:0:0,14:0:0.)
    Every 2 weeks on Tue, Sat at 7:0:0,19:0:0
    Send events every 2 weeks on Tuesday and Saturday at 7:00 a.m. and 7:00 p.m.
    Every 3 weeks on Thu at 7:0:0, Tue at 7:0:0,14:0:0
    Send events every 3 weeks on Thursday at 7:00 a.m. and on Tuesday at both
    7:00 a.m. and 2:00 p.m.
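The Execution Time grammar is easy to get wrong, and a bad value only shows up as a batch that never runs. The following Python parser is an added example, not part of the guide or the collector: it accepts every form shown in the examples above, including a different time list per day, rejects malformed values, and computes the next run according to the stated rule that a time not yet passed runs today and one already passed waits a full interval. For weekly schedules the example counts intervals from the current week, which is an assumption the guide does not state; the function names are this example's own.

```python
import re
from datetime import datetime, timedelta, time

DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]   # index == datetime.weekday()
_TIME_RE = re.compile(r"^(\d{1,2}):(\d{1,2})(?::(\d{1,2}))?$")
_EVERY_RE = re.compile(r"^every (?:(\d+) )?(day|days|week|weeks)\b\s*(.*)$")


def parse_time(tok):
    """H:M or H:M:S on a 24-hour clock, as in the guide's examples (5:0:0, 8:30)."""
    m = _TIME_RE.match(tok.strip())
    if not m:
        raise ValueError("bad time %r" % tok)
    h, mi, s = int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)
    if h > 23 or mi > 59 or s > 59:
        raise ValueError("time out of range %r" % tok)
    return time(h, mi, s)


def _weekday(name):
    name = name.strip()
    if name not in DAYS:
        raise ValueError("bad day name %r" % name)
    return DAYS.index(name)


def parse_execution_time(text):
    """Return (unit, interval, entries). unit is 'day' or 'week'; entries is a
    list of (weekday indexes or None, [times]) so that different days can carry
    different time lists ('Every 3 weeks on Thu at 7:0:0, Tue at 7:0:0,14:0:0')."""
    s = " ".join(text.lower().split())
    if not s:
        raise ValueError("blank Execution Time means real-time collection, not a schedule")
    unit, interval = "day", 1
    m = _EVERY_RE.match(s)
    if m:
        interval = int(m.group(1) or 1)
        unit = "week" if m.group(2).startswith("week") else "day"
        rest = m.group(3)
    elif s.startswith("on "):
        unit, rest = "week", s
    else:
        rest = "at " + s                       # bare time list: every day
    if unit == "day":
        if not rest.startswith("at "):
            raise ValueError("expected 'at' in %r" % text)
        return unit, interval, [(None, [parse_time(t) for t in rest[3:].split(",")])]
    if not rest.startswith("on "):
        raise ValueError("expected 'on' in %r" % text)
    entries, pending, current = [], [], None
    for tok in rest[3:].split(","):
        tok = tok.strip()
        if " at " in tok:                      # "wed at 8:30:0" closes a day group
            day, first = tok.split(" at ", 1)
            pending.append(_weekday(day))
            current = (pending, [parse_time(first)])
            entries.append(current)
            pending = []
        elif _TIME_RE.match(tok):              # an extra time for the current group
            if current is None:
                raise ValueError("time without a day in %r" % text)
            current[1].append(parse_time(tok))
        else:                                  # another day for the next group
            pending.append(_weekday(tok))
            current = None
    if pending:
        raise ValueError("day without a time in %r" % text)
    return unit, interval, entries


def next_run(schedule, now):
    """Earliest scheduled datetime after now, or None. A time not yet passed
    runs today; one already passed waits a full interval (the guide's rule).
    Assumption: day and week intervals are counted from today."""
    unit, interval, entries = schedule
    span = interval * (7 if unit == "week" else 1)
    for d in range(0, 2 * span + 7):
        if unit == "day" and d % interval:
            continue
        if unit == "week" and (d // 7) % interval:
            continue
        day = now.date() + timedelta(days=d)
        candidates = [datetime.combine(day, t) for days, times in entries
                      if days is None or day.weekday() in days for t in times]
        later = [c for c in candidates if c > now]
        if later:
            return min(later)
    return None


if __name__ == "__main__":
    sched = parse_execution_time("Every 2 days at 0:0:0,12:0:0")
    print(sched, next_run(sched, datetime(2008, 4, 28, 13, 0)))
```

Validate a value with parse_execution_time before you distribute the configuration; a ValueError here is the same mistake that would otherwise leave the sensor silently idle.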
Sensor properties for the log and syslog file sensor
Table 4-3 Log and syslog file sensor properties

Log File Directory
    Specify the path to the log file on the security product computer.

Log File Name
    Specify the non-changing part of the log file name.

File Name Dynamic
    Check this field if the point product creates dynamically named log files;
    otherwise, leave this field unchecked.

File Encoding
    This value is either UTF-8 or UTF-16.

End of File Marker
    Specify EOF or NULL (hexadecimal 00) as the end-of-file character.

Start Reading From
    Specify from where to start reading the log file when the collector
    restarts, as follows:
    BEGINNING
    Specifies that the log file is read from the beginning of the most recent
    file in the directory.
    END
    Specifies that the log file is read from the end of the most recent file.
    Only events that are written to the log file after the collector starts are
    read.
    Last Position
    Keeps track of which line the collector is reading from in the current log
    file, and then continues reading from this position if the collector is
    interrupted and restarted.

End of Record Marker
    Specify the delimiter that is used at the end of each message, as follows:
    ENDOFLINE
    Refers to the end of a line as a message delimiter (CR/LF on a Windows
    platform; LF on a UNIX platform). ENDOFLINE is the default delimiter.
    BLANKLINE
    Refers to a blank line as a message delimiter. You must specify two
    successive ENDOFLINE characters.
    NULL
    Refers to hexadecimal 00.

Monitor in Real Time
    Leave this property enabled to monitor the log file in real time.
    You should not disable this property unless requested to do so by Symantec
    support.
Time Offset
Specify a time offset to convert the timestamps of all logged events to the time zone of the collector computer.
Use a time offset when both of the following are true:
The collector computer and the point product are in different time zones.
The timestamps in the point product data are not Coordinated Universal Time (UTC).
This is typically the case when the log file contains no time zone information and the collector and the point product computer are in different time zones.
Acceptable formats are +HH, -HH, +HH:MM, and -HH:MM, where HH is the number of hours (-99 to +99) and MM is the number of minutes (0 to 59). The default value is +00:00. The offset is added to each event timestamp.
For example, if the collector computer is in Pacific Standard Time (PST, UTC-8), specify -3 to convert incoming events stamped in Eastern Standard Time (EST, UTC-5) to PST, and +2 to convert incoming events stamped in Hawaii-Aleutian Standard Time (HST, UTC-10) to PST. The value to enter is the collector zone's UTC offset minus the point product zone's UTC offset.
If you enter and distribute an erroneous time zone offset, the collector automatically resets the offset to the default value of +00:00 and posts an error message in the collector's log. Check the log after distributing a new offset; a silently reset offset leaves every event timestamped in the point product's local time.
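How the Start Reading From and End of Record Marker properties interact (only complete records are consumed, the position survives a restart, END skips everything already in the file) is easier to see in code than in the table. The following Python reader is an added example for this guide, not the sensor's implementation; the class name, the JSON state file, the handling of a truncated file (start again from offset 0) and the log lines it writes are this example's own assumptions and constructed data.

```python
"""Record reader modelling the log file sensors' Start Reading From and End of Record
Marker properties.  Added example for this guide, not the sensor's own code."""
import json
import os
import tempfile


class LogFileReader:
    """Returns complete, delimiter-terminated records and remembers its offset."""

    def __init__(self, path, state_path, start_from="Last Position",
                 end_of_record="ENDOFLINE", newline=b"\n", encoding="utf-8"):
        self.path, self.state_path, self.encoding = path, state_path, encoding
        self.marker = {
            "ENDOFLINE": newline,        # LF on UNIX; pass newline=b"\r\n" for Windows files
            "BLANKLINE": newline * 2,    # two successive end-of-line markers
            "NULL": b"\x00",             # hexadecimal 00
        }[end_of_record]
        if start_from == "BEGINNING":
            self.position = 0
        elif start_from == "END":
            self.position = os.path.getsize(path)   # only events written after start-up
        elif start_from == "Last Position":
            self.position = self._load_position()   # 0 on a first start: read everything
        else:
            raise ValueError(f"unknown Start Reading From value {start_from!r}")

    def _load_position(self):
        try:
            with open(self.state_path) as fh:
                saved = json.load(fh)
        except (FileNotFoundError, ValueError):
            return 0
        return saved["position"] if saved.get("path") == self.path else 0

    def save_position(self):
        """Persist the offset after each batch so an interrupted collector resumes here."""
        with open(self.state_path, "w") as fh:
            json.dump({"path": self.path, "position": self.position}, fh)

    def read_new_records(self):
        """Return records appended since the last call.  Bytes after the last marker
        belong to a record still being written and stay unread until the marker arrives."""
        if os.path.getsize(self.path) < self.position:
            self.position = 0           # file truncated or replaced: assumption, start over
        with open(self.path, "rb") as fh:
            fh.seek(self.position)
            chunk = fh.read()
        records = []
        while (cut := chunk.find(self.marker)) >= 0:
            raw, chunk = chunk[:cut], chunk[cut + len(self.marker):]
            self.position += cut + len(self.marker)
            text = raw.decode(self.encoding, errors="replace").rstrip("\r")
            if text.strip():            # ignore empty records such as a stray CR
                records.append(text)
        return records


def demo(tmpdir=None):
    """Constructed sample: read, save the position, simulate a restart, read the rest."""
    tmpdir = tmpdir or tempfile.mkdtemp()
    log = os.path.join(tmpdir, "app.log")
    state = os.path.join(tmpdir, "app.pos")
    with open(log, "wb") as fh:
        fh.write(b"Jan 1 10:00:00 host sshd[1]: Accepted password for alice\n"
                 b"Jan 1 10:00:05 host sshd[2]: Failed password for root\n"
                 b"Jan 1 10:00:07 host sshd[3]: partial line still being")  # no marker yet
    reader = LogFileReader(log, state)                    # first start: no state file
    first = reader.read_new_records()                     # the two complete records
    reader.save_position()
    from_end = LogFileReader(log, state, start_from="END").read_new_records()  # nothing old
    with open(log, "ab") as fh:
        fh.write(b" written\nJan 1 10:00:09 host sshd[4]: session opened\n")
    restarted = LogFileReader(log, state)                 # resumes at the saved offset
    second = restarted.read_new_records()                 # no replay of the first two
    return first, from_end, second


def demo_blankline(tmpdir=None):
    """Multi-line records separated by a blank line (BLANKLINE marker)."""
    tmpdir = tmpdir or tempfile.mkdtemp()
    log = os.path.join(tmpdir, "multi.log")
    with open(log, "wb") as fh:
        fh.write(b"event=1\nuser=alice\n\nevent=2\nuser=bob\n\nevent=3\nuser=")
    reader = LogFileReader(log, os.path.join(tmpdir, "multi.pos"),
                           start_from="BEGINNING", end_of_record="BLANKLINE")
    return reader.read_new_records()
```

The point of leaving the trailing partial record unread is that a restart between two writes never produces a half message, and the point of keying the state file on the path is that a renamed or rotated file is not resumed at an offset that belonged to a different file.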
Sensor properties for the log file sensor
Table 4-4 shows the sensor properties for the log file sensor.
Table 4-4 Log file sensor properties

Log file directory
Specify the path to the log file on the security product computer. Your installation directory may differ from the default that is provided.

Log File Name
Specify the name of the log file.

Reading Mode
Specify whether the collector checks for new log files after reaching the end of the current log file, or waits for new events to be added to the current log file.

Start Reading From
Specify Beginning to read the log file from the beginning of the file when the collector restarts.
Specify End to read the log file from the end of the file when the collector restarts.
Specify Last Position for the collector to keep track of which line it is reading in the log file; if the collector is interrupted and restarted, reading continues from this position.
When the collector is started for the first time, it reads all events in all files.
Time Offset
Specify a time offset to convert the timestamps of all logged events to the time zone of the collector computer.
Use a time offset when both of the following are true:
The collector computer and the point product are in different time zones.
The timestamps in the point product data are not Coordinated Universal Time (UTC).
This is typically the case when the log file contains no time zone information and the collector and the point product computer are in different time zones.
Acceptable formats are +HH, -HH, +HH:MM, and -HH:MM, where HH is the number of hours (-99 to +99) and MM is the number of minutes (0 to 59). The default value is +00:00. The offset is added to each event timestamp.
For example, if the collector computer is in Pacific Standard Time (PST, UTC-8), specify -3 to convert incoming events stamped in Eastern Standard Time (EST, UTC-5) to PST, and +2 to convert incoming events stamped in Hawaii-Aleutian Standard Time (HST, UTC-10) to PST. The value to enter is the collector zone's UTC offset minus the point product zone's UTC offset.
If you enter and distribute an erroneous time zone offset, the collector automatically resets the offset to the default value of +00:00 and posts an error message in the collector's log. Check the log after distributing a new offset; a silently reset offset leaves every event timestamped in the point product's local time.
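A short Python example, added here and not part of the collector, puts the Time Offset rules shared by Tables 4-3 and 4-4 into code: the accepted formats and ranges, the reset to +00:00 with an error log entry on a bad value, how the field value follows from the two zones' UTC offsets, and the shift applied to each event timestamp. The function names and the "YYYY-MM-DD HH:MM:SS" line format it parses are this example's own assumptions, not a real product's log format.

```python
"""Time Offset handling for the log file sensors: parse and validate +HH[:MM] / -HH[:MM],
fall back to +00:00 on a bad value as the collector does, and shift zone-less
point-product timestamps onto the collector's clock.  Added example, not collector code."""
import logging
import re
from datetime import datetime, timedelta

OFFSET_RE = re.compile(r"^([+-])(\d{1,2})(?::(\d{2}))?$")   # +HH, -HH, +HH:MM, -HH:MM
DEFAULT_OFFSET = "+00:00"
log = logging.getLogger("collector")


def parse_time_offset(value):
    """Return the offset as a timedelta; raise ValueError outside the documented ranges
    (HH -99..+99, MM 0..59).  The sign applies to the whole value, so -3:30 is -3h30m."""
    m = OFFSET_RE.match(value.strip())
    if not m:
        raise ValueError(f"malformed Time Offset {value!r}")
    sign, hh, mm = m.group(1), int(m.group(2)), int(m.group(3) or 0)
    if hh > 99 or mm > 59:
        raise ValueError(f"Time Offset out of range {value!r}")
    delta = timedelta(hours=hh, minutes=mm)
    return -delta if sign == "-" else delta


def effective_offset(value):
    """What the collector applies after a distribute: an erroneous value is replaced by
    +00:00 and an error goes to the collector log instead of stopping the sensor."""
    try:
        return parse_time_offset(value)
    except ValueError as exc:
        log.error("invalid Time Offset %r, resetting to %s (%s)", value, DEFAULT_OFFSET, exc)
        return timedelta(0)


def offset_field_for(collector_utc_hours, product_utc_hours):
    """Field value to enter: collector zone minus point-product zone.  PST (-8) and
    EST (-5) give '-03:00'; PST (-8) and HST (-10) give '+02:00'."""
    minutes = round((collector_utc_hours - product_utc_hours) * 60)
    sign = "-" if minutes < 0 else "+"
    hh, mm = divmod(abs(minutes), 60)
    return f"{sign}{hh:02d}:{mm:02d}"


def to_collector_time(event_ts, offset):
    """Point-product local time + offset = collector local time
    (10:00 EST with offset -3 becomes 07:00 PST)."""
    return event_ts + offset


def normalize_event(line, offset):
    """Split a constructed 'YYYY-MM-DD HH:MM:SS <message>' line (example format only)
    and return (collector-local timestamp, message).  Note the date rollover when the
    offset crosses midnight."""
    stamp, message = line[:19], line[20:]
    event_ts = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
    return to_collector_time(event_ts, offset), message
```

Because the field accepts any sign and up to 99 hours, a typo such as "+30" instead of "+3:00" is not rejected; compute the value with offset_field_for from the two UTC offsets rather than typing it, and compare one converted event against a known wall-clock time after distributing.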
Sensor properties for the Windows Event Log sensor
Table 4-5 Windows Event Log sensor properties

Monitored host name
Specify the name of the computer from which the collector collects events. The IP address 127.0.0.1 or localhost are valid entries if events are collected from the same computer on which the collector is installed. For a different computer, specify its host name or IP address.

Monitored host account name
Specify the account name, in the form DomainName\AccountName for a computer that is located in a Windows domain or HostName\AccountName for a computer that is not. The account that is used must have local administrator rights on the remote computer to read its event log.
If the Monitored host name is localhost or 127.0.0.1, leave this field blank; the credentials of the account that runs the Symantec Event Agent process are used automatically.

Account password
Specify the password for the monitored host account.
If the Monitored host name is localhost or 127.0.0.1, leave this field blank; the credentials of the account that runs the Symantec Event Agent process are used automatically.
Number of days to load history events
Specify the number of days of events that the sensor retrieves. For example, if the sensor is configured for 30 days, it goes back 30 days from the first sensor initialization to retrieve events.
Note: This property is used only for the initial start of the sensor. If the sensor was shut down correctly and created the last position file, this property is ignored on subsequent runs.

Event logs to audit
Select which event logs to audit. You can select a number of options through the pop-up screen, and add others by selecting Add.
Sensor properties for the OPSEC LEA sensor
Table 4-6 OPSEC LEA sensor properties

LEA opsec application name
Name of the OPSEC Application that is created in the Check Point SmartDashboard Console.
For Check Point FireWall-1 installations, set this field as follows:
For a remote installation, specify the name of the OPSEC Application that is created for the collector computer.
For a local installation, this property is not required.
For a distributed installation, specify the name of the OPSEC Application that is created for the collector computer.
For Check Point Provider-1 installations, set this field as follows:
If a global OPSEC Application for all CMAs was created, specify the name of that Application.
If a Distributed Provider-1 with MDS/CMA exists on one computer and the MLM/CLM exists on a separate computer (where clear text communication is the only option), this field must be BLANK.
If multiple OPSEC Applications were created, that is, one for each CMA, specify the name of a CMA-level OPSEC Application.
Note: You must specify the name of each CMA-level OPSEC Application for each sensor.

The password specified when creating the LEA opsec application
The password that was specified when you created the OPSEC Application.
If a Distributed Provider-1 with MDS/CMA exists on one computer and the MLM/CLM exists on a separate computer (where clear text communication is the only option), you must set this field to BLANK.
Initial Read Policy
Location in the record file where the collector begins to collect data when the collector is first enabled. If you specify BEGINNING, reading starts from the beginning of the log file, and all data in the Check Point database is reread by the collector when the Agent or OPSEC LEA server is restarted. If you specify END, reading starts from the end of the log file.
BEGINNING and END apply only when the collector is run for the first time. After the collector's initial start, the last position (the last log record read by the collector) is saved; when the collector restarts, it resumes reading from that position and the Initial Read Policy value has no effect.

Monitor in Real Time
Whether the collector monitors the record file in real time. Specify True.

LEA server IP-address
For Check Point FireWall-1 collector installations, set this field as follows:
For both remote and local installations, specify the IP address of the Check Point LEA server from which events are collected.
For a distributed installation, specify the IP address of the Check Point Log Server.
For Check Point Provider-1 installations with MDS/CMA/Log server all on one computer, set this field to the IP address of the CMA.
For Distributed Provider-1 installations with MDS/CMA on one computer and the MLM/CLM on a separate computer (where clear text communication is the only option), set this field to the IP address of the CLM.

LEA server auth port
Authentication port on the Check Point LEA server on which the LEA application is running. This port and the LEA server port below are mutually exclusive: the one that matches the LEA server auth type is 18184 and the other is 0.
For Check Point FireWall-1 collector installations, set this field as follows:
For a remote installation, specify 18184 as the LEA server auth port.
For a local installation, specify 0 (zero) as the LEA server auth port.
For a distributed installation, specify 0 (zero) as the LEA server auth port.
For Check Point Provider-1 installations with MDS/CMA/Log server all on one computer, set this field to 18184 as the LEA server auth port.
For Distributed Provider-1 installations with MDS/CMA on one computer and the MLM/CLM on a separate computer (where clear text communication is the only option), set this field to 0 (zero) as the LEA server auth port.
LEA server auth type
Authentication type that the Symantec Event Collector uses. Specify local for a local installation and sslca for a remote installation. With sslca, both client and server must present certificates that are created and signed by a trusted certificate authority (the SIC names below identify the two parties). With local, the LEA connection is clear text and carries no certificate authentication, so use it only in the cases listed below.
For Check Point FireWall-1 collector installations, set this field as follows:
For a remote installation, specify sslca as the LEA server auth type.
For a local installation, specify local as the LEA server auth type.
For a distributed installation, specify local as the LEA server auth type.
For Check Point Provider-1 installations with MDS/CMA/Log server all on one computer, set this field to sslca as the LEA server auth type.
For Distributed Provider-1 installations with MDS/CMA on one computer and the MLM/CLM on a separate computer (where clear text communication is the only option), set this field to local as the LEA server auth type.

LEA server port
Communications port for the LEA server. This port is 18184 when the auth type is local and 0 when the auth type is sslca (the authenticated port is then the LEA server auth port).
For Check Point FireWall-1 collector installations, set this field as follows:
For a remote installation, specify 0 (zero) as the LEA server port.
For a local installation, specify 18184 as the LEA server port.
For a distributed installation, specify 18184 as the LEA server port.
For Check Point Provider-1 installations with MDS/CMA/Log server all on one computer, set this field to 0 (zero) as the LEA server port.
For Distributed Provider-1 installations with MDS/CMA on one computer and the MLM/CLM on a separate computer (where clear text communication is the only option), set this field to 18184 as the LEA server port.
LEA server opsec entity sic name
Qualified name of the OPSEC management server, CMA, or CLM. Copy the name from the OPSEC Application on the Check Point SmartDashboard Console.
For Check Point FireWall-1 collector installations, set this field as follows:
For a remote installation, specify the SIC name of the OPSEC management server.
For a local installation, this property is not required.
For a distributed installation, specify the SIC name of the Check Point Log Server.
For Check Point Provider-1 installations with MDS/CMA/Log server all on one computer, set this field to the SIC name of the CMA.
For Distributed Provider-1 installations with MDS/CMA on one computer and the MLM/CLM on a separate computer (where clear text communication is the only option), you must set this field to BLANK.

opsec sic name
SIC name of the OPSEC Application. Copy the name from the OPSEC Application on the Check Point SmartDashboard Console.
For Check Point FireWall-1 collector installations, set this field as follows:
For a remote installation, specify the SIC name of the OPSEC Application.
For a local installation, this property is not required.
For a distributed installation, specify the SIC name of the OPSEC Application that was created for the collector computer.
For Check Point Provider-1 installations, set this field as follows:
If a global OPSEC Application for all CMAs was created, specify the qualified SIC name of that Application.
If multiple OPSEC Applications were created (one for each CMA), specify the SIC name of a CMA-level OPSEC Application.
Note: You must specify the name of each CMA-level OPSEC Application for each sensor.
For Distributed Provider-1 installations with MDS/CMA on one computer and the MLM/CLM on a separate computer (where clear text communication is the only option), you must set this field to BLANK.

Read audit log
Set this property to True to collect events from the Check Point Audit Log. These events include administrator logon and logoff events and any modifications to the Check Point rules and configuration.
Configuring collector raw event logging
You can enable the collector to collect the entire raw event message from the point product instead of only the parsed fields. Raw event messages are useful for forensics, incident investigation, and log retention requirements, and they preserve the event message unaltered.
Note: Raw event logging substantially increases event sizes.
To configure collector options
1 In the Information Manager console, in the left pane, click System.
2 On the Product Configurations tab, in the middle pane, expand the tree until you reach a sensor configuration of a collector.
3 Select the appropriate configuration.
4 In the right pane, on the Options tab, check or uncheck EnableRawEventLogging.
Enabling this option increases the amount of disk space that is consumed on the Information Manager appliance because raw event data is stored.
5 In the middle pane, right-click the configuration, and click Distribute.
Verifying collector configuration
You verify collector configuration by performing the following procedures in the order shown:
View audit events
The audit events show whether a successful connection was made to the data source. You can view audit events again to troubleshoot a problem.
See "To view audit events" on page 49.
Verify that the Symantec Event Agent and sensor are up
See "To verify that the Symantec Event Agent and sensor are up" on page 50.
To view audit events
1 On a Windows computer that has the SSIM Client installed, start the SSIM Client.
2 Log on with an administrator account.
3 In the Information Manager console, in the left pane, click Events.