HP IMC User Behavior Auditor


HP IMC User Behavior Auditor Administrator Guide

Abstract

This guide describes the User Behavior Auditor (UBA), an add-on service module of the HP Intelligent Management Center. UBA is designed for IMC administrators and other networking specialists who collect and analyze network user behaviors.

HP Part Number:
Published: May 2012
Edition: 1

Copyright 2012, Hewlett-Packard Development Company, L.P.

Confidential computer software. Valid license from HP required for possession, use or copying. Consistent with FAR and , Commercial Computer Software, Computer Software Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor's standard commercial license.

The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Acknowledgments

Intel, Itanium, Pentium, Intel Inside, and the Intel Inside logo are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries. Microsoft, Windows, Windows XP, and Windows NT are U.S. registered trademarks of Microsoft Corporation. Adobe and Acrobat are trademarks of Adobe Systems Incorporated. Java and Oracle are registered trademarks of Oracle and/or its affiliates. UNIX is a registered trademark of The Open Group.

Contents

User Behavior Auditor overview
- Introduction
- UBA workflow
- Network flow record collection
- Device management
- Probe management
- Server management
- Network flow record processing
- User behavior audit task management
- Filter strategy management
- Application management

UBA menus and commands
- User Behavior Audit
- Database Space
- Data Export
- Settings
- Device Management
- Probe Management
- Server Management
- User Behavior Audit Management
- Application Management
- Parameters
- Filter Strategy

Configuring UBA for a traffic audit
- Managing UBA data sources
- Managing the UBA device list
- Adding a device into the UBA devices list
- Managing probes
- Managing the UBA probe list
- Adding a new probe
- Managing UBA servers
- Managing the UBA server list
- Modifying a UBA server
- Managing a filter strategy
- Viewing the Filter Strategy List
- Adding a new filter strategy
- Managing applications
- Managing the application list
- Adding a user-defined application
- Batch importing user-defined applications
- Modifying an application
- Setting parameters
- Managing database storage space
- Viewing the Database File Usage and Disk Usage
- Viewing a target server database details

Monitoring user behavior
- User behavior audit conditions
- Quick auditing
- Task-oriented auditing
- Managing the audit task list
- Managing audit tasks
- Viewing the audit result
- Querying an audit result
- Viewing audit results by group
- Customizing the audit result list
- Viewing additional audit result records
- Exporting audit results

Exporting UBA log files
- Log file report overview
- Data export workflow
- Data export settings
- Setting log lifetime
- Setting trigger space alarm conditions
- Checking log files
- Configuring the log file audit

UBA example
- Scenario description
- Task analysis
- UBA deployment
- UBA configuration
- Auditing user behavior
- Creating general audit tasks
- Creating an NAT audit task
- Creating an FTP audit task

Troubleshooting
- Prerequisites
- Verify the UBA installation
- Fail to add a new probe
- No target log files are available
- No audit task displays in the navigation tree
- Database space usage color bar
- Alarms

Support and other resources
- Contacting HP
- Related information
- Websites
- Typographic conventions
- Product feedback

Documentation feedback

Glossary

Index

1 User Behavior Auditor overview

Introduction

The following topics provide an overview of the User Behavior Auditor (UBA) service module, including features and workflow, network flow record collection, and the UBA processing mechanism.

UBA (Figure 1) is an add-on service module of HP Intelligent Management Center (IMC). By integrating network Layer 4 to 7 monitoring into the IMC base platform, UBA provides a tool set for administrators to collect and analyze the information related to network user behaviors.

Figure 1 User Behavior Auditor

Network user behaviors are resolved as network flow data in network Layer 4 (transport layer). Generally, devices use logs to record the network flow during a certain time interval. UBA integrates the functions of a network log collector and a data analyzer, which enable UBA to extract network flow records from logs forwarded by the monitored devices. A network flow record at least includes the source and destination IP address, source and destination ports, and Layer-4 protocol (TCP, UDP or ICMP). UBA identifies and classifies the network user behaviors through log analysis, and presents the user behavior audit report in the IMC platform.

UBA provides a strong basis for regulating network users and identifying each user's requirements to optimize network resources. For example, to improve network usage efficiency, a network administrator can create a UBA audit task to identify the current network usage features, such as frequently used applications (FTP, , and so on), and which users have accessed online games or visited banned websites.

In UBA, you can define the strategies for retrieving logs and presenting user behavior records, that is, from which devices the logs are retrieved, how the data is analyzed and what data is presented. In addition, UBA provides a number of built-in settings for managing the UBA server, monitored device, and probe, as well as the ability to define filter strategy and applications, which help you customize audit tasks that meet your requirements.

UBA workflow

HP recommends that you use the following workflow (Figure 2) to perform a user behavior audit.

Figure 2 UBA workflow

1. Add a device or a network flow probe.
   Configure the source of network flow records, which can be a device or a network flow probe.
2. Create a filter strategy.
   A filter strategy defines which logs should be processed or discarded by UBA. You can skip this step if you want to use an existing strategy or not filter any data records.
   NOTE: Using a filter strategy, UBA can focus on the logs that you want to process, discarding unneeded or redundant data, which can improve the efficiency of the UBA server. HP recommends that you create a filter strategy based on your audit purpose, unless you want to process all network flow records.
3. Configure the UBA server.
   Establish communication paths between the UBA server and the devices or probe servers added in step 1. Assign a filter strategy to the UBA server.
4. Configure the audit task.
   Set the audit conditions according to your audit purpose.
5. View the UBA report.

Network flow record collection

To perform a user behavior audit, you first need to develop a log collection plan to identify the following information:

1. Areas of interest for which you want to capture network flow data. This can include business services, applications, or systems, and the underlying technologies that deliver these services, as well as network devices, interfaces, servers, storage, or other network resources.
2. Devices that act as the log resources for the UBA task purpose.
3. Whether the devices you chose in step 2 are capable of generating network flow records.

UBA can analyze the following types of logs forwarded by devices:

- Flow log: Supports protocols Flow 1.0/3.0
- NAT (Network Address Translation) log: Supports protocol NAT 1.0
- NetStream log: Supports protocol NetStream v5/v9
- sFlow log: Supports protocol sFlow v5
- NetFlow log: Supports protocol NetFlow v5/v9

For devices that are unable to generate the logs mentioned above, you can use probes to analyze the network flow data, and forward DIG logs to a UBA server.

Based on a collection plan, you can configure the devices, probes, and the UBA server in the built-in UBA configuration modules, which are described in the following sections.

Device management

Device management enables you to manage the device, such as a switch, router, or gateway, which supports at least one of the following protocols:

- Flow 1.0/3.0
- NAT 1.0
- NetStream v5/v9
- sFlow v5
- NetFlow v5/v9

In device management, adding a device as a source of network flow records is the first step in creating a communication path between the device and the UBA server. This enables the device to regularly send the network logs to the UBA server. In addition, device management provides you the ability to view and modify the information of existing devices, or directly remove them.

Probe management

A network flow probe is an alternative solution for collecting network flow records from devices that do not support the Flow 1.0/3.0, NAT 1.0, NetStream v5/v9, sFlow v5, or NetFlow v5/v9 protocols. As shown in Figure 3, a UBA DIG server, which is also called a probe in UBA, is deployed to analyze the network flow mirrored from a router or switch, and then forward the DIG logs to a UBA server via FTP. During DIG log forwarding, the UBA server acts as an FTP server, and the probe acts as an FTP client that regularly sends the DIG logs to the UBA server.

Figure 3 Collect network flow records from a probe

Probe management enables you to add a probe as a source of network flow records. You can also view and modify probe information, or directly remove a probe. Probe configuration sets the probe information, including probe name, IP address, probe password, and so forth, in Probe Management.

Server management

The UBA server integrates the features of a network log collector and a data analyzer. The UBA server can collect and analyze the Flow logs, NAT logs, NetStream logs, sFlow logs, and NetFlow logs sent from devices, as well as DIG logs sent from a probe via FTP. All the logs are aggregated and analyzed in the UBA server based on the audit task requirements, and finally are presented as a user behavior audit report.

As an add-on service module, the UBA server can be installed on the IMC base platform server, or on a remote server in a master/subordinate relationship to the base platform server. Based on the actual IMC deployment, you can install one or more UBA servers to perform a user behavior audit.

Each UBA server is added to the server list when the UBA server is installed. When installing the UBA service module, you need to set its IP address, which cannot be modified in Server Management.

Server Management provides the following configurations:

- Server configuration: Set the basic information about the UBA server, such as server name, listening ports, FTP settings, filter policy.
- User behavior audit configuration:
  - Create communication paths between devices/probes and the UBA server
  - Configure the intranet network segment information for network flow monitoring and license control

For more information, see Configuring UBA for a traffic audit.

Network flow record processing

UBA provides multiple configurations for defining how to process the logs and present an audit report, including:

- User behavior audit tasks management
- Filter strategy management
- Application management

User behavior audit task management

A user behavior audit task defines the purpose of network flow records processing. That is, UBA enables you to define the audit conditions according to your purpose. The general audit conditions include source and destination IP addresses and ports, protocol, application, and device. UBA extracts the data from the collected logs according to audit conditions. Then, UBA analyzes the extracted data packets and summarizes user behavior features in an audit report.

UBA provides multiple audit types to address various user behavior audit demands. Besides the general audit, you can use the following special audits to audit different types of user behaviors:

- NAT audit: Query the information about users who access the Internet.
- Web visiting audit: Query the information about users who access the specified website.
- FTP audit: Query the information about users who use the FTP service.
- Mail audit: Query the information about users who use the mail service.

For more information, see Monitoring user behavior.

Filter strategy management

A filter strategy defines whether the logs that UBA receives are processed or directly discarded by UBA. Usually, devices generate many logs for recording the network flow. Excessive data greatly affects UBA processing efficiency. In a filter strategy, you can choose to process or discard logs based on the source/destination IP address or source/destination Layer 4 port number of data packets. You can also choose to process or discard TCP, UDP, ICMP, or IPv6 ICMP data packets.

Only after you assign a filter strategy to a UBA server can a UBA server use it to collect or discard logs. If you use a DIG logs probe to collect network flow records, the UBA server delivers the filter strategy to the probe, which filters the DIG logs before forwarding them to the UBA server.

For more information, see Configuring UBA for a traffic audit.

Application management

UBA can use the applications previously defined to identify user behaviors. In UBA, an application is defined with the used protocol and port. When configuring a UBA task, you can select an application as an audit condition. In this way, UBA queries the network flow consistent with the definition of the specified application, and identifies the IP address and other information about the users of the specified application.

UBA includes many pre-defined applications for you to configure audit tasks. You also can customize a user-defined application. Application management provides the ability to view and modify the definition of an application. You can remove user-defined applications only. You cannot remove pre-defined applications.

For more information, see Configuring UBA for a traffic audit.

2 UBA menus and commands

This section describes menus and commands in the UBA module. To open the UBA navigation tree (Figure 4), and display UBA options, click Service > Traffic Analysis and Audit.

Figure 4 UBA navigation tree

User Behavior Audit

The User Behavior Audit menu (Figure 5) displays audit conditions, which you can use for log flow processing. It is applicable to any audit condition you need.

Figure 5 User Behavior Audit

Table 1 lists available commands in the User Behavior Audit menu and information for using them.

Table 1 User Behavior Audit menu options

| Command | Options | Description |
|---|---|---|
| Server | | Select the target server from the drop list. |
| Start/End Time | | Specify audit starting/ending time. |
| Audit Condition | Source | Specify the source IP address that you want to audit. It can be a single IP address or IP segment. |
| | Destination | Specify the destination IP address that you want to audit. It can be a single IP address or IP segment. |
| | Source Port | Specify one or more source port numbers that you want to audit. |
| | Destination Port | Specify one or more destination port numbers that you want to audit. |
| | Protocol | UBA supports four types of protocol: TCP, UDP, ICMP, IPV6-ICMP |
| | Application | Select one or more applications from the list as an audit condition. |
| | Device | Specify IP address for target device. |
| Special Audit | NAT Condition | Specify NAT audit conditions: NAT IP NAT Port Operator |
| | Web Visiting Audit | Specify Web visiting audit conditions: Web Site Title URL |
| | FTP Audit | Specify FTP audit conditions: FTP User File Transfer Mode |
| | Mail Audit | Specify mail audit conditions: Sender Receiver Title |

Database Space

In the Database Space Usage menu (Figure 6), you can check current database disk usage and usage trend statistics over a specified time period.

Figure 6 Database Space

Table 2 lists the available commands in the Database Space Usage menu and a description for using each command.

Table 2 Database Space Usage menu

| Command | Options | Description |
|---|---|---|
| Refresh | n/a | Click to refresh the server list. |
| | | Click to view space usage details. |

When you select the specific server name, the Database Space Details page displays, as shown in Figure 7. Table 3 lists the available commands in the menu.

Figure 7 Database Space details menu

Table 3 menu

| Command | Options | Description |
|---|---|---|
| Query Database Space Usages | Time | Select a query time period. |
| | Start Time, End Time | Specify the query starting and ending time if you select Customer in the Time drop list. |
| | Query | Start query process according to the conditions. |
| | Reset | Reset query condition. |
| Database Space Usage Trend | n/a | Display database storage space trends by a diagram. |
| Details | n/a | Display database storage statistics. |

Data Export

After the UBA module receives log files, you can export them by using the Data Export function. Figure 8 shows the Data Export Management menu. Table 4 lists the available commands in the Data Export Management menu and a description for using each command.

Figure 8 Data Export Management

Table 4 Data Export Management menu

| Command | Options | Description |
|---|---|---|
| Log File Audit | n/a | Click to open the Log File Audit window. |
| Data Export Log | Date of Exported Data | Set the time period of data export. |
| | Custom | Open column list to choose the specific display item in the Date of Export Data table. |
| Modify | Enable Data Export | Select to enable the data export function. |
| | Trigger Data Export by Data Space Alarm | Select to enable the data export when the received log packets overflow space limitation and cause a data space alarm. |
| | Path of Exported File | Specify data export path. |

Settings

The Settings page (Figure 9) displays a typical UBA workflow as an example of a traffic analysis and audit configuration.

Figure 9 Settings

Available menus:

- Guide to Quick Traffic Analysis And Audit Configuration
- Device Management
- Probe Management
- Server Management
- User Behavior Audit Management
- Settings
- Database Space
- Application Management
- Parameters
- Filter Strategy

Device Management

The Device Management page provides optional commands to perform routine operations on each device. Figure 10 shows how to add a new device to UBA. The Modify Device menu has the same options. Click Device Resource Info to open the device details page for checking detail parameters of the target device. Table 5 lists the available commands in the Add Device menu and a description for using each command.

Figure 10 The Add Device page

Table 5 Add a Device description

| Page | Command | Options | Description |
|---|---|---|---|
| Device Management | Basic Information | Device IP | Select the target device from the pop-up device list. |
| | | Name | Specify a name for the device. |
| | | Description | Describe the device. |
| | | SNMP Community | Align SNMP community with the device. NOTE: If you specify an incorrect community, a log file collection failure may occur. |
| | | SNMP Port | Specify the SNMP port value. |
| | | Log Source IP | Specify the source IP address of log. |
| | | NetStream Statistics Identifier | Validate the NetStream statistics identifier. |
| | | NetStream New Feature | Enable the NetStream function. |

Probe Management

The Probe Management page provides the Layer 7 application traffic collection function for auditing purposes. In this page, you can add, modify, and delete a probe. Figure 11 shows how to add a new probe. Table 6 lists the available commands in the Add Probe menu and a description for using each command.

Figure 11 Add Probe

Table 6 Probe Management menu

| Command | Options | Description |
|---|---|---|
| Basic Information | Name | Specify a name for probe. |
| | IP | Specify an IP address for probe. |
| | Description | Describe the probe. |
| | Enable Layer 7 Application Identification | Select whether or not to enable the layer 7 application identifier, which can be used to analyze seven-layer traffic in each log file. |
| | Probe Password | Input the password, which is configured in advance in the device probe. |

Server Management

The UBA module collects log files and sends management messages through local servers. Server Management allows you to configure server parameters for traffic analysis and user behavior audits. Figure 12 shows how to modify server configurations. Table 7 lists the available commands in the Server Configuration menu and a description for using each command.

Figure 12 Server Configuration

Table 7 Server Configuration using the Server Management menu

| Command | Options | Description |
|---|---|---|
| Basic Information | Server Name | Specify a name for the server. |
| | Server Description | Describe the server. |
| | Server IP | Specify the IP address of the server. |
| | Listening Port | Specify the port number, which is used for receiving log packets from the device. |
| | FTP Main Directory | Specify the FTP main directory. NOTE: When the configured probe collects log packets, it uses FTP to share them with the UBA server. |
| | FTP Username | Specify an FTP username. |
| | FTP Password | Specify an FTP password. |
| Traffic Analysis | Log Aggregation Policy | Select a proper strategy for analyzing received log files. Available options: Aggregation (Rough Granularity), Aggregation (Standard), No Aggregation (Best Report Timeliness). NOTE: When No Aggregation is selected, source log packets are not processed by UBA. As a result, the unfiltered log size can grow to a point where the UBA server can fail. |
| | Filter Policy | Specify whether to enable a filter policy. |
| | Usage Threshold of the Database Disk (1-95%) | Specify a usage threshold for the database disk. |
| | When Database Disk Usage Reaches Threshold | Select a proper strategy for dealing with the overflowing data. Available options: Stop Receiving Logs, Delete Logs to Release Space. NOTE: For more information, see Configuring UBA for a traffic audit. |
| | Device Information | Select the target device that you want to monitor. |
| | Probe Information | Select the proper probe to use. |
| | Intranet Monitor Information | Specify an intranet IP address. |

User Behavior Audit Management

User Behavior Audit Management provides five typical audit models for setting corresponding conditions. Figure 13 shows five audit types. Table 8 lists the available commands in the Select Audit Type menu and a description of each command.

Figure 13 Select Audit type

Table 8 User Behavior Audit Management menu

| Command | Options | Description |
|---|---|---|
| General Audit | Add Custom General Audit | Specify general information for the audit. Available options: Name, Server, Reader |
| | Audit Condition | Specify the audit conditions. Available options: Source, Destination, Source Port, Destination Port, Protocol, Application, Device. NOTE: For more information, see Configuring UBA for a traffic audit. |
| NAT Audit | NAT Condition | Specify the NAT audit conditions. Available options: NAT IP NAT Port Operator |
| Web Visiting Audit | Web Visiting Condition | Specify the web audit conditions. Available options: Web Site Title URL |
| FTP Audit | FTP Condition | Specify the FTP audit conditions. Available options: FTP User File Transfer |
| Mail Audit | Mail Condition | Specify the mail audit conditions. Available options: Sender Receiver Title |

Application Management

The Application Management page (Figure 14) provides the capability to add an application model for auditing. The system provides five types of applications by default. You can also define applications according to your requirements. Table 9 lists available commands in the Application Management menu and a description of each command.

Figure 14 Application Management

Table 9 Application Management menu

| Command | Options | Description |
|---|---|---|
| Application | Application | Specify an application name. |
| | Protocol | Select a protocol which is used in the application. |
| | Port | Specify the port value. |
| | Application Type | Select to which layer the application belongs. |
| | Pre-defined | Specify if the application is a pre-defined one. |
| Application List | Add | Add a new application for UBA. |
| | Import | Import an existing application. |
| | Refresh | Refresh the application list. |

Parameters

You can set parameters for traffic analysis and audit in the Parameters menu. The two available options are:

- Log Lifetime: The number of days that you want to retain UBA logs.
- Max Displayed Entries for Audit: The maximum number of logs to display in the log list.

Filter Strategy

Filter strategy in UBA (Figure 15) enables you to define whether the logs that UBA receives are processed or discarded in the next step. You can process, analyze, or discard the logs at your option. Table 10 describes the commands in the Filter Strategy menu.

Figure 15 Add Filter Strategy

Table 10 Add Filter Strategy menu

| Command | Options | Description |
|---|---|---|
| Basic Information | Name | Specify a filter strategy name. |
| | Description | Describe the filter strategy. |
| | Default Policy | Discard or receive log flow. |
| Filter Condition List | Add | Add a new strategy by completing the conditions below: Policy, Source Host, Source Port, Destination Host, Destination Port, Protocol |
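A filter strategy decides which logs ever reach an audit, so a discard rule that is too broad removes users from every later report. The following Python model is an added example, not HP code: it applies a Table 10 style strategy (Default Policy plus conditions) to flow records and lists the users an application audit would no longer see. The first-match evaluation order, all class and function names, the application definitions and the sample flows are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

RECEIVE, DISCARD = "receive", "discard"


@dataclass(frozen=True)
class Flow:
    """Minimum flow record the guide describes: the Layer 4 five-tuple."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "TCP", "UDP", "ICMP" or "IPV6-ICMP"


def _host_matches(spec: Optional[str], addr: str) -> bool:
    """spec is a single IP address or an IP segment in CIDR form; None means any."""
    if spec is None:
        return True
    net, ip = ip_network(spec, strict=False), ip_address(addr)
    return ip.version == net.version and ip in net


@dataclass(frozen=True)
class Condition:
    """One entry of the Filter Condition List (field names follow Table 10)."""
    policy: str
    src_host: Optional[str] = None
    src_port: Optional[int] = None
    dst_host: Optional[str] = None
    dst_port: Optional[int] = None
    protocol: Optional[str] = None

    def matches(self, f: Flow) -> bool:
        return (_host_matches(self.src_host, f.src)
                and _host_matches(self.dst_host, f.dst)
                and self.src_port in (None, f.sport)
                and self.dst_port in (None, f.dport)
                and self.protocol in (None, f.proto))


@dataclass(frozen=True)
class FilterStrategy:
    name: str
    default_policy: str
    conditions: tuple = ()

    def decide(self, f: Flow) -> str:
        # ASSUMPTION: the first matching condition wins; the guide does not
        # state how UBA orders conditions. Unmatched flows get the default.
        for c in self.conditions:
            if c.matches(f):
                return c.policy
        return self.default_policy


# Constructed application definitions: an application is a protocol plus a port.
APPLICATIONS = {"FTP": ("TCP", 21), "HTTP": ("TCP", 80), "DNS": ("UDP", 53)}


def audit_users(flows, application, strategy=None):
    """Source IPs using `application` among the flows the strategy receives."""
    proto, port = APPLICATIONS[application]
    users = {f.src for f in flows
             if f.proto == proto and f.dport == port
             and (strategy is None or strategy.decide(f) == RECEIVE)}
    return sorted(users, key=lambda a: int(ip_address(a)))


def hidden_users(flows, application, strategy):
    """Users present in the raw flows but absent from the filtered audit."""
    seen = set(audit_users(flows, application, strategy))
    return [u for u in audit_users(flows, application) if u not in seen]


# Constructed sample flows (documentation address ranges as destinations).
FLOWS = [
    Flow("10.1.1.10", 50001, "192.0.2.20", 21, "TCP"),
    Flow("10.1.1.11", 50002, "192.0.2.20", 21, "TCP"),
    Flow("10.1.2.5", 40000, "198.51.100.53", 53, "UDP"),
    Flow("10.1.9.9", 50003, "192.0.2.20", 21, "TCP"),
    Flow("10.1.9.20", 50005, "192.0.2.20", 21, "TCP"),
    Flow("10.1.1.10", 50004, "203.0.113.80", 80, "TCP"),
]

# Constructed strategy: keep FTP from one host, drop the rest of its subnet and DNS.
STRATEGY = FilterStrategy(
    name="audit-focus",
    default_policy=RECEIVE,
    conditions=(
        Condition(RECEIVE, src_host="10.1.9.9", dst_port=21, protocol="TCP"),
        Condition(DISCARD, src_host="10.1.9.0/24"),
        Condition(DISCARD, dst_port=53, protocol="UDP"),
    ),
)

if __name__ == "__main__":
    print("FTP users in audit:", audit_users(FLOWS, "FTP", STRATEGY))
    print("FTP users hidden by filter:", hidden_users(FLOWS, "FTP", STRATEGY))
    print("DNS users hidden by filter:", hidden_users(FLOWS, "DNS", STRATEGY))
```

Running the same comparison against a sample of real flow records before assigning a strategy to a UBA server shows which audit tasks the strategy would leave without data.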

3 Configuring UBA for a traffic audit

This section provides instructions on how to set up effective UBA monitoring, which includes configuring devices and probes to forward network source log flow to the UBA module. UBA filters log packets according to user-defined strategies. In addition, UBA allows you to specifically tune UBA log analysis and presentation. You can configure the UBA module by following this configuration order:

- Managing UBA data sources
- Managing probes
- Managing UBA servers
- Managing filter strategy
- Managing applications
- Setting parameters
- Managing database storage space

Managing UBA data sources

The two types of data source logs are:

- Basic source logs: Record key information of Layer 4, and collected by devices.
- Application source logs: Take Layer 7 datagram information, and collected by probes.

Using Device Management, you can view, add, modify, or remove devices that serve as network flow data sources in UBA. Devices that support Flow 1.0/3.0, NAT 1.0, NetFlow v5/v9, sFlow, and NetStream v5/v9 can be data sources in UBA.

Managing the UBA device list

The UBA Device List contains all devices that could be added to UBA as a potential source of network log packets. Adding a device to UBA establishes communication between UBA as the network log packets collector and the devices that generate log packets.

To view the device list:

1. Click Service > Traffic Analysis and Audit > Settings.
2. Click the Device Management icon in the settings portion of the Traffic Analysis and Audit page to open the Device Management page. The available devices appear in the Device List pane.

To view Device Resource Info: Click the Details icon to open the Device Details page and set the device parameters. For more information, see HP Intelligent Management Center Base Platform Administrator Guide.

To modify a device: Click the Modify icon to open the Modify Device page. Then specify the parameters, as described in Adding a device into the UBA devices list.

To delete a device: Click the Delete icon.

Adding a device into the UBA devices list

To add a new device:

21 1. In the Device Management page, click Add to open the Add Device page. 2. Complete the following information: Device IP Click Select to open the device resource lists, and select the target device through IP View, Device View, or Custom View. Name After you select the Device IP, the IP address displays automatically in the Name field. Specify a name for the device. Description Describe the device. SNMP Community Align the SNMP community value with the device. SNMP Port Input the port number that is used to communicate and receive data from the device. Log Source IP Input the IP address of the device that sends logs. NetStream Statistics Identifier Make the NetStream statistics identifier valid. NetStream New Feature Enable the NetStream function. This feature is only for HP A series/h3c devices with Comware V5. 3. Click OK. Managing probes Using Probe Management, you can collect and analyze DIG flows. Using the DIG log probe, you can mirror traffic flow from a router or switch port to a dedicated UBA DIG sever that collects and analyzes the traffic before forwarding as network flow records to a UBA server. Managing the UBA probe list The UBA Probe List contains all probes that could be added to UBA as a potential DIG log source. Adding a probe to UBA establishes communication between the UBA server and DIG log server. To view the probe list: 1. Click Service > Traffic Analysis and Audit > Settings. 2. To open the Probe Management page, in the settings portion of the Traffic Analysis and Audit page click the Probe Management icon. The available probes appear in the Probe List page. To modify a probe: Click the Modify icon to open the Modify Probe page, and specify the parameters, which are described in Adding a new probe. To delete a probe: Click the Delete icon. Adding a new probe To add a new probe: 1. In the Probe Management page, click Add to open the Add Probe page. 2. 
Complete the information for the following parameters in this page: Name Specify a name for the probe. IP Specify the probe IP address. Description Describe the probe. Managing probes 21

22 Enable Layer 7 Application Identification Select whether or not to enable Layer 7 application identification. If yes, it is applicable for the probe to identify the Layer 7 application logs. Probe Password Input the password that is deployed in the probe device. 3. Click OK. Managing UBA servers As the core component of the UBA service module, the UBA server collects and analyzes the logs forwarded from devices or probes, and presents the user behavior audit result. UBA provides you with the facilities for viewing and modifying the UBA server configuration, including the following information: Basic information Specify the basic information about the UBA server, such as server name, listening ports, and filter strategy. User behavior audit Specify from which devices or probes the UBA server can collect logs, and configure the intranet network segment for network flow monitoring and license control. Managing the UBA server list The UBA server list contains all servers you deployed in the UBA service module. In the Server Management page, you can view the server list and UBA details as shown in the following operations. To view the UBA server list: 1. Click Service > Traffic Analysis and Audit > Settings. 2. To open the Server Management page, in the settings portion of the Traffic Analysis and Audit page, click the Server Management icon. The available servers display in the Server List menu. To view the UBA server details: Click the server name of a UBA server to open the Server Details page, and then view the current configuration of the specified UBA server. To refresh the UBA server list: Click Refresh. To open the Configuration Deployment Result page and check the deployment result: Click the Deploy Configuration icon. Check whether the UBA server configurations are deployed in processor and receiver servers and whether the probes are deployed successfully. NOTE: You cannot remove a UBA server from the server list. 

Modifying a UBA server

With UBA Server Management, you can modify the parameters of the specified UBA server.

To modify a UBA server:
1. In the Server Management page, click the Modify icon in the Modify field of the UBA server that you want to modify. This opens the Server Configuration page.
2. In the Basic Information pane, specify the following parameters:
Server Name: Specify a name for the UBA server. By default, this parameter is set to the IP address of the UBA server when the UBA service module is installed.
Server Description: Input a brief description of the UBA server.
Listening Port: Specify the ports that the UBA server uses to listen for logs forwarded by devices or probes. If you want to set multiple listening ports for the UBA server, separate the port numbers with a comma, for example, 1020, 1021, or
FTP Main Directory: Specify the root directory for the FTP service running on the UBA server.
FTP Username: Specify the username of the FTP account used by probes to upload data to the UBA server.
FTP Password: Specify the logon password of the FTP account used by probes to upload data to the UBA server.
Traffic Analysis Log Aggregation Policy: Specify the aggregation policy you want to apply to all logs processed by the UBA server. Select one of the following aggregation policies:
   No Aggregation (Best Report Timeliness): Indicates the UBA server does not aggregate data. This option suits only environments that prioritize report timeliness, and it requires the most disk space because of the huge number of logs that are generated. HP recommends that you select this option only when you have a critical requirement.
   Aggregation (Standard): Indicates that the UBA server aggregates data at short intervals (five minutes by default). This option is suitable for environments that have a medium number of logs generated. It requires less disk space than the No Aggregation mode and more disk space than the Aggregation (Rough Granularity) mode.
   Aggregation (Rough Granularity): Indicates that the UBA server aggregates data at long intervals (twenty minutes by default). This option is suitable for environments that have a small number of logs generated and requires the least disk space.
Filter Policy: Specify whether or not to apply a filtering policy to logs directed to the UBA server. Select No Filter or a defined filter strategy from the Filter Policy list.
Usage Threshold of the Database Disk (1-95%): Specify a threshold for the percent of the UBA database disk utilization. The range for the usage threshold is 1% to 95%. Input a number from 1 to 95. The percent sign (%) is not required.
When Database Disk Usage Reaches Threshold: Select an action to be taken if the disk that the UBA database resides on reaches the threshold specified in the parameter Usage Threshold of the Database Disk (1-95%). Available options are as follows:
   Stop receiving logs: UBA no longer processes and stores logs until additional disk space is released or added to the database disk or volume.
   Delete logs to Release Space: UBA deletes the existing logs, starting with the oldest, until the disk space usage drops below the threshold.
3. Configure device information. After you add a device to UBA using the steps described in Adding a device into the UBA devices list, select the device on the Server Management page. This enables UBA to collect and analyze the logs forwarded by the device. To specify this, click the check box to the left of the specified device in the Device Information pane.
NOTE: You can also disable a device that has worked as a data source for a UBA server. To disable a device, click the check box to the left of the specified device.

4. Configure probe information. After you add a probe to UBA using the steps described in Managing probes, select it on the Server Management page to enable it and to forward the DIG logs to UBA. In addition, DIG logs forwarded by probes can provide information about Layer 7, which allows UBA to identify the applications or services that a network user accessed. With probe information configured, you can enable special audits for typical services, such as FTP, mail, and web. After you enable one or more special audits, you can create a special audit task to identify which users access a specified service.
NOTE: Only the probe with Layer 7 application identification enabled can support the special audits described above. For more information, see Managing probes.
To configure probe information:
   a. In the Probe Information pane to the left of the specified probe, click the check box.
   b. In the Probe Information pane, to enable special audit items, click the check box in the Enable Special Audit field. After you enable a special audit, UBA provides the corresponding special audit for you to create an audit task. For example, if you select Web in the Enable Special Audit field, after the probe is deployed successfully, you can create a web visiting audit task to query which users have accessed the specified website or content. For more information, see Monitoring user behavior.
NOTE: You can also disable a probe or a special audit. To disable a probe, click the check box to the left of the specified probe. To disable a special audit, click the check box to the left of a special audit in the Enable Special Audit field.
5. Configure intranet monitor information. Specify the intranet segment for flow data monitoring and license control. Input the IP segment of the intranet with standard IPv4 and IPv6 format (for example, a001:410:0:1::1/64, /24, or / ); then click Add. The IP segment appears in the Intranet Information list.
NOTE: To remove an intranet segment from the Intranet Information list, click the Delete icon in the Delete field of the intranet segment you want to remove.
6. To open the Configuration Deployment Result page, click Deploy. In this page, you can check whether the UBA server configurations you modified are deployed in processor and receiver servers, and whether probes are successfully deployed.

Managing a filter strategy

After log packets are collected by the devices and probes, the UBA server processes them according to the user-defined filter strategy. Filtering takes effect at the start of the data-processing procedure. With specific filter strategies, the server discards target log packets without analyzing them, so that the server is protected from excessive log packet overload. UBA lets you combine IP address, port, and protocol to filter log packets.

Viewing the Filter Strategy List

The filter strategy list contains all filter strategies that are defined by users. In this page, you can view, modify, and delete the target filter strategy.

To view the Filter Strategy list:
1. Click Service > Traffic Analysis and Audit > Settings.
2. Click the Filter Strategy icon in the settings portion of the Traffic Analysis and Audit page.

The available filter strategies appear in the Filter Strategy List page.

To view filter strategy details:
1. To open the Filter Strategy Details page, click the filter name.
2. To quit, click Back.

To modify a filter strategy: Click the Modify icon to open the Modify Filter Strategy page, and then specify the parameters, as described in Adding a new filter strategy.

To delete a filter strategy: Click the Delete icon.

Adding a new filter strategy

To add a new filter strategy:
1. In the Filter Strategy List page, click Add to open the Add Filter Strategy page.
2. Complete the information for the following parameters:
Name: Specify a name for a filter strategy.
Description: Describe the filter strategy.
Default Policy: Select Discard or Receive as the UBA default action.
3. In the Filter Condition List pane, click Add to open the Filter Condition Configuration page.
4. Complete the information for the following parameters:
Policy: Select the filter policy. Discard means that if received logs meet the filter strategy conditions, UBA discards those logs without analysis. Receive means that if received logs meet the filter strategy conditions, UBA processes and audits them.
Source Host: Specify the source host IP address for a filter condition. It can be one or more IP addresses, or an IP segment.
Source Port: Specify the source port number for a filter condition. It can be one or more port numbers.
Destination Host: Specify the destination host IP address for a filter condition. It can be one or more IP addresses, or an IP segment.
Destination Port: Specify the destination port number for a filter condition. It can be one or more port numbers.
Protocol: Select the protocol type from TCP, UDP, ICMP, and IPv6-ICMP.
5. To return to the Add Filter Strategy page, click OK.

NOTE: After adding a new filter strategy by following the steps above, you must go to the Server Configuration page and select this strategy in order to implement it. For more information, see Managing UBA servers.
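Because a Discard condition removes logs before any analysis, it helps to dry-run a strategy against known traffic before selecting it on a server. The model below is an added example, not HP code: it assumes conditions are checked in list order with the first match deciding, that an empty field matches anything, and that the Default Policy applies when nothing matches (the guide does not spell out these semantics), and all addresses and log records are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


def hosts(spec=""):
    """'' matches any host; otherwise comma-separated IPs or IP segments (CIDR)."""
    return tuple(ipaddress.ip_network(part.strip(), strict=False)
                 for part in spec.split(",") if part.strip())


def ports(spec=""):
    """'' matches any port; otherwise comma-separated port numbers."""
    values = tuple(int(part) for part in spec.split(",") if part.strip())
    if any(not 0 <= p <= 65535 for p in values):
        raise ValueError(f"port out of range in {spec!r}")
    return values


@dataclass(frozen=True)
class Condition:
    policy: str                      # "Discard" or "Receive"
    src_hosts: tuple = ()
    src_ports: tuple = ()
    dst_hosts: tuple = ()
    dst_ports: tuple = ()
    protocol: Optional[str] = None   # TCP, UDP, ICMP, IPv6-ICMP, or None for any

    def matches(self, log):
        def host_ok(nets, addr):
            ip = ipaddress.ip_address(addr)
            return not nets or any(ip in net for net in nets)
        return (host_ok(self.src_hosts, log["src"])
                and (not self.src_ports or log["sport"] in self.src_ports)
                and host_ok(self.dst_hosts, log["dst"])
                and (not self.dst_ports or log["dport"] in self.dst_ports)
                and self.protocol in (None, log["proto"]))


@dataclass
class FilterStrategy:
    name: str
    default_policy: str              # applied when no condition matches
    conditions: list                 # assumed order: highest priority first

    def decide(self, log):
        """Return (policy, index of the deciding condition, or None for the default)."""
        for index, condition in enumerate(self.conditions):
            if condition.matches(log):
                return condition.policy, index
        return self.default_policy, None


def dry_run(strategy, logs):
    """Map log id -> (policy, deciding condition) for every sample log."""
    return {log["id"]: strategy.decide(log) for log in logs}


def discarded_ids(strategy, logs):
    """Ids of the logs the server would drop without analysing them."""
    return [i for i, (policy, _) in dry_run(strategy, logs).items()
            if policy == "Discard"]


# Constructed sample data (documentation address ranges, not from the guide).
DNS_NOISE = Condition("Discard", dst_hosts=hosts("192.0.2.53"),
                      dst_ports=ports("53"), protocol="UDP")
WATCHED_SEGMENT = Condition("Receive", src_hosts=hosts("198.51.100.0/24"))
SAMPLE_LOGS = [
    {"id": 1, "src": "198.51.100.10", "sport": 40000, "dst": "192.0.2.53", "dport": 53, "proto": "UDP"},
    {"id": 2, "src": "203.0.113.7", "sport": 40001, "dst": "192.0.2.53", "dport": 53, "proto": "UDP"},
    {"id": 3, "src": "198.51.100.10", "sport": 51000, "dst": "203.0.113.80", "dport": 443, "proto": "TCP"},
    {"id": 4, "src": "2001:db8::5", "sport": 52000, "dst": "2001:db8::80", "dport": 80, "proto": "TCP"},
]
NOISE_FIRST = FilterStrategy("noise-first", "Receive", [DNS_NOISE, WATCHED_SEGMENT])
SEGMENT_FIRST = FilterStrategy("segment-first", "Receive", [WATCHED_SEGMENT, DNS_NOISE])
DEFAULT_DISCARD = FilterStrategy("default-discard", "Discard", [WATCHED_SEGMENT, DNS_NOISE])

if __name__ == "__main__":
    for strategy in (NOISE_FIRST, SEGMENT_FIRST, DEFAULT_DISCARD):
        print(strategy.name, "discards log ids", discarded_ids(strategy, SAMPLE_LOGS))
```

With the noise condition ranked first, the watched segment's own DNS lookup (log 1) is dropped even though a Receive condition covers that segment; a Discard default additionally drops the unmatched IPv6 flow (log 4).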

To sort the filter strategy priority:
1. In the Add Filter Strategy or Modify Filter Strategy page, in the Filter Condition List pane, locate the Sort column.
2. Click the Up or Down icon to move the target filter condition priority up or down.
3. Click OK.

Managing applications

Using UBA, you can view, add, modify, or remove any user-defined application. Likewise, you can view or modify pre-defined (default) applications; however, you cannot remove them.

Managing the application list

The application list contains all default and user-defined applications. In the Application Management page, you can perform the following operations.

To view the application list:
1. Click Service > Traffic Analysis and Audit > Settings.
2. To open the Application Management page, in the settings portion of the Traffic Analysis and Audit page, click Application Management. You can now see all applications as listed in the Application List page.

To query applications:
1. Set the following criteria to query the applications you want to view:
Application: Input the partial or full name of the application you want to view.
Protocol: Select the Layer 4 transfer protocol, TCP, UDP, or TCP/UDP (both protocols) for the application.
Port: Input the TCP or UDP port number for the specified Layer 4 application.
Application Type: Specify the layer of the seven-layer OSI Reference model in which this application operates. If the application is a Layer 4 application, select Layer 4. Otherwise, select Layer 7.
Pre-defined: Specify whether or not the specified application is pre-defined.
2. Click the Query button.

To refresh the application list: Click the Refresh button.

To view the application details: Click the Application field of an application.

To remove a user-defined application: Click the Delete icon for the target application.

Adding a user-defined application

With Application Management, you can customize the following two types of user-defined applications:
Layer 4 applications: To create a Layer 4 application, you need to specify the port, or port and host IP address that UBA uses to compare the port and host IP address of every packet, thus identifying the application.
Layer 7 applications: To create a Layer 7 application, you need to specify a regular expression string that UBA uses to compare the information of every packet, such as IP header, thus identifying the application.

To add a user-defined application:
1. In the Application Management page, click Add to open the Add Application page.
2. Complete the information for the following parameters:
Application: Input a name for the application.
Description: Input a brief description for the application.
Protocol: Specify the Layer 4 transfer protocol the application uses. Select TCP, UDP, or TCP/UDP (both protocols) from the Protocol list.

NOTE: If you select TCP/UDP, the system automatically creates two applications, one for the TCP protocol and one for the UDP protocol. After the application is added successfully, the Application List shows two applications that have the same name but different transfer protocols.
3. Select Layer 4 or Layer 7 from the Application Type list.
If you select Layer 4, complete the information for the following parameters:
Port: Specify the TCP or UDP port number that the application uses. You can input a single port number (for example, 10) or a range of port numbers (for example, 10-20).
Host IP: Specify the host IP address that the application uses. Input a single IP address (for example, ) or IP segment (for example, *, a001:410:0:1::1/64) with standard IPv4 or IPv6 format, and then click Add to the right of Host IP. The IP segment displays in the Host IP List.
NOTE: The IP addresses or address ranges you add to the host IP list cannot overlap. You can remove an IP address or segment from the Host IP list. To do this, select the IP address or IP segment you want to remove, and click the Delete icon to the right of Host IP List.
If you select Layer 7, complete the information for the following parameters:
Regular Expression: Specify the regular expression string that UBA uses to identify the applications in the Layer 7 portion of each IP packet examined.
Enable: Specify whether or not to enable regular expression matching for the application. Select Yes if you want to enable UBA to compare the content of the IP header of every packet with the regular expression configured in this field. Otherwise, select No. For more information, see HP Intelligent Management Center Network Traffic Analyzer Administrator Guide.
4. Click OK to add the application.

Batch importing user-defined applications

With Application Management, you can import user-defined applications from CSV (Comma-Separated Values) files in batches. A CSV file records application information in plain text, with fields separated by commas. Each line of the file defines one application, including the application name, description, protocol, and port number.

To batch import user-defined applications:
1. In the Application Management page, click Import to open the Import Application page.
2. Click Browser. The Choose File to Upload dialog box displays.
3. Locate the application definition (CSV) file to import, and then click Open.
4. Click Upload File. UBA starts to resolve the file contents. The Import Application page is refreshed to display the resolution result in the Application List.
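A definition file can be checked before upload so that malformed lines are caught locally instead of in the resolution result. The checker below is an added example, not part of UBA: it assumes the four fields appear in the order the guide lists them (name, description, protocol, port) with no header row, applies the port and TCP/UDP rules from Adding a user-defined application, and adds two hygiene warnings (duplicate name per protocol, overlapping ports per protocol) that are not UBA rules. The sample file is constructed.

```python
import csv
import io
import re

PROTOCOLS = {"TCP", "UDP", "TCP/UDP"}          # values offered in the Protocol list
PORT_RE = re.compile(r"([0-9]{1,5})(?:\s*-\s*([0-9]{1,5}))?")


def parse_port_spec(spec):
    """Accept a single port ('10') or a range ('10-20'); return (low, high)."""
    match = PORT_RE.fullmatch(spec.strip())
    if not match:
        raise ValueError(f"port must be N or N-M, got {spec!r}")
    low = int(match.group(1))
    high = int(match.group(2) or low)
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"port range {low}-{high} is reversed or outside 1-65535")
    return low, high


def check_import(text):
    """Return (applications, errors, warnings) for a CSV of application definitions.

    errors reject the line; warnings flag definitions that would make
    port-based identification ambiguous but are still accepted.
    """
    apps, errors, warnings = [], [], []
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not any(cell.strip() for cell in row):
            continue                                        # skip blank lines
        if len(row) != 4:
            errors.append((lineno, f"expected 4 fields, found {len(row)}"))
            continue
        name, description, protocol, port_spec = (cell.strip() for cell in row)
        protocol = protocol.upper()
        if not name:
            errors.append((lineno, "empty application name"))
            continue
        if protocol not in PROTOCOLS:
            errors.append((lineno, f"protocol must be TCP, UDP or TCP/UDP, got {protocol!r}"))
            continue
        try:
            low, high = parse_port_spec(port_spec)
        except ValueError as exc:
            errors.append((lineno, str(exc)))
            continue
        # TCP/UDP yields two applications with the same name, one per protocol.
        for proto in (["TCP", "UDP"] if protocol == "TCP/UDP" else [protocol]):
            for other in apps:
                if other["protocol"] != proto:
                    continue
                if other["name"].lower() == name.lower():
                    warnings.append((lineno, f"{name}/{proto} already defined on line {other['line']}"))
                elif low <= other["ports"][1] and other["ports"][0] <= high:
                    warnings.append((lineno, f"{name}/{proto} ports overlap {other['name']} (line {other['line']})"))
            apps.append({"name": name, "description": description,
                         "protocol": proto, "ports": (low, high), "line": lineno})
    return apps, errors, warnings


# Constructed sample file; names and ports are illustrative only.
SAMPLE_CSV = (
    "backup-agent,Nightly backup traffic,TCP,10-20\n"
    'syslog-relay,"Relay, site A",TCP/UDP,514\n'
    "bad-proto,Unknown transport,SCTP,9000\n"
    "bad-range,Reversed range,UDP,2000-1000\n"
    "backup-agent,Second definition,TCP,30\n"
    "metrics,Overlaps backup-agent,TCP,15\n"
    "short,row\n"
)

if __name__ == "__main__":
    applications, problems, notes = check_import(SAMPLE_CSV)
    for app in applications:
        print("ok     ", app["line"], app["name"], app["protocol"], app["ports"])
    for lineno, message in problems:
        print("reject ", lineno, message)
    for lineno, message in notes:
        print("warning", lineno, message)
```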

Modifying an application

With Application Management, you can modify different information for pre-defined and user-defined applications. For both types of applications, you cannot modify the protocol and application type.

To modify a pre-defined application:
1. In the Application List, click the Modify icon in the Modify field of the target application. The Modify Application page displays.
2. If the application is a Layer 4 application, you can modify the following parameters:
Application: Input a name for the application.
Description: Input a brief description for the application.
3. If the application is a Layer 7 application, in addition to the parameters for Layer 4 application, you can also modify the following parameter:
Enable: Specify whether or not to enable regular expression matching for the application. Select Yes if you want to enable UBA to compare the content of the IP header of every packet with the regular expression configured in this field. Otherwise, select No.
4. Click OK.

To modify a user-defined application:

1. In the Application List, click the Modify icon in the Modify field of the target application. The Modify Application page displays.
If the application is a Layer 4 application, you can modify the following parameters:
Application: Input a name for the application.
Description: Input a brief description for the application.
Port: Specify the TCP or UDP port number that the application uses. You can input a single port number (for example, 10) or a range of port numbers (for example, 10-20).
Host IP: Specify the host IP address that the application uses. Input a single IP address (for example, ) or IP segment (for example, *, a001:410:0:1::1/64) with standard IPv4 or IPv6 format, and then click Add to the right of Host IP. The IP segment displays in the Host IP List.
NOTE: The IP addresses or address ranges you add in the Host IP list cannot overlap. You can remove an IP address or segment from the Host IP list. To do this, select an IP address or IP segment you want to remove, and then click the Delete icon to the right of the Host IP List.
If it is a Layer 7 application, you can modify the following parameters:
Application: Input a name for the application.
Description: Input a brief description for the application.
Regular Expression: Specify the regular expression string that UBA uses to identify the application in the Layer 7 portion of each IP packet examined.
Enable: Specify whether or not to enable regular expression matching for the application. Select Yes if you want to enable UBA to compare the content of the IP header of every packet with the regular expression configured in this field. Otherwise, select No.
2. Click OK.

Setting parameters

UBA provides you with the ability to configure and tune system parameters that define how the logs are preserved and presented in UBA.

To configure system parameters:
1. Click Service > Traffic Analysis and Audit > Settings.
2. Click the Parameter Management icon in the settings portion of the Traffic Analysis and Audit page to open the Parameter Management page.
3. In the Basic Settings pane, configure the Log Lifetime parameter. Log lifetime indicates for how many days UBA retains the collected logs before sending them to an export file. The logs directed to UBA are saved in the UBA database. This parameter is associated with the Data Export function. If the Data Export is enabled in the data export management, the UBA database sends the logs that have been saved longer than the log lifetime defined here to an export file. Then the database deletes the logs to release storage space. The range for log lifetime is 1 to 1,825 days (5 years). For more information, see Exporting UBA log files.
4. After configuring the Log Lifetime parameter, click OK.

5. In the Advanced Settings pane, configure the Max. Displayed Entries for Audit parameter. This parameter indicates how many results UBA displays for a given search or audit. The range for maximum displayed entries is 1 to 100,
After configuring the Max. Displayed Entries for Audit parameter, click OK.

Managing database storage space

The database space function displays UBA database disk usage and usage trend statistics in a specific time range. You can select different time ranges as a condition to complete the query requirement. UBA provides a configurable database usage threshold in Server Management to trigger the database disk usage alarm. For more information, see Managing UBA servers.

Viewing the Database File Usage and Disk Usage

To view the Database File Usage and Disk Usage:
1. Click Service > Traffic Analysis and Audit > Settings.
2. Click the Database Space Usage icon in the settings portion of the Traffic Analysis and Audit page to open the Database Space Usage page. Data File Usage and Disk Usage data display in the Database Space Usage page.

Viewing a target server database details

To view a target server database details:
1. In the Database Space Usage page, click the server name to open its database space usage detail page.
2. Select the time period that you want to query. Available options are as follows:
Last 24 hours: Query the database space usage trend for the past 24 hours.
Last 7 hours: Query the database space usage trend for the past 7 hours.
Last 30 hours: Query the database space usage trend for the past 30 hours.
Last 3 months: Query the database space usage trend for the past 3 months.
Custom: Query the database space usage trend for a user-defined time period. If you select this option, the Start Time and End Time are activated for time span setting.
3. Click Query. The results display in the Database Space Usage Trend pane. You can also check usage detail information in the Details pane.
4. Click Reset to go back to default for the next query.

4 Monitoring user behavior

This information describes how to configure user behavior audit conditions according to your requirements and to view the audit result. For auditing purposes, UBA provides the following modes:

Quick auditing: Allows you to configure audit conditions and display results in the same page without retaining the audit record. If you want to perform a quick audit without the requirements that go with retaining the audit record, including the audit conditions and results, HP recommends that you select this mode. For more information, see Quick auditing.

Task-oriented auditing: Based on task management. Before you start an audit, you need to create an audit task used to define the audit conditions. UBA analyzes the network flow data according to the audit task, and then displays the audit result. Task-oriented auditing records the audit conditions and results in an audit task. Task management provides you with the ability to view, add, modify, or remove audit tasks. If you want to retain the condition configurations and result of a user behavior audit, select this mode. HP recommends that you create some typical audit tasks as templates in order to increase your efficiency in configuring audit conditions for the same types of audit tasks. For more information, see Task-oriented auditing.

User behavior audit conditions

For both auditing modes, UBA provides the following audits:
General audit: Analyze the basic information of flow data, such as source/destination IP address, ports, and transfer protocols. You also can specify one or more applications to identify which users accessed the specified applications.
NAT audit: Analyze the information about network address translation of flow data to identify which intranet users accessed the external applications.
If you deploy a probe for network flow records collection and enable one or more special audits described below for the probe, you can use the enabled special audits to monitor the corresponding user behaviors:
Web visiting audit: Specify a website address or content to identify which users accessed the specified website or content.
FTP audit: Specify the related information about the FTP application, such as user, files, or transfer mode, to identify which users used the FTP service or transferred the specified files.
Mail audit: Specify the related information of a mail service, such as sender, receiver, or title, to identify which users used the mail service or who transferred the specified mail.
For more information, see Configuring UBA for a traffic audit.

Table 11 describes all audit conditions that you can use in a user behavior audit.

Table 11 User behavior audit conditions

Type: General

Condition: Source
Description: Specify the source IP address of the data flow that is analyzed by the UBA server for user behavior reporting.
Value: Input a single IP address or IP segment. Format: IPv4 and IPv6. Examples: * a001:410:0:1::1 a001:410:0:1::1/64 a001:410:0:1::1-a001:410:0:1::100

Condition: Destination
Description: Specify the destination IP address of the data flow that is analyzed by the UBA server for user behavior reporting.
Value: Input a single IP address or IP segment. Format: IPv4 and IPv6

Condition: Source port
Description: Specify the source port number of the data flow that is analyzed by the UBA server for user behavior reporting.
Value: Input a port number or the range of port numbers. Examples:

Condition: Destination port
Description: Specify the destination port number of the data flow that is analyzed by the UBA server for user behavior reporting.
Value: Input a port number or the range of port numbers.

Condition: Protocol
Description: Specify the protocol used for transferring data flow that is analyzed by the UBA server.
Value: Select a transfer protocol from the Protocol list. Value range: TCP, UDP, ICMP, or IPv6 ICMP

Condition: Application
Description: Specify the applications with which UBA can analyze data flow to identify which users accessed the specified applications.
Value: Click Select to open the Query Applications pane. Input one or more of the following search criteria:
   Application: Input a partial or complete name for the application(s) you want to search for.
   Pre-defined: Select Yes from the Pre-defined list to search the pre-defined applications; select No to search the user-defined applications. To search from all the applications, select Not limited.
   Click Query, and then view the applications that meet your search criteria in the Application List pane. Select the applications you want to add to the audit task, and click OK.
   NOTE: You can select up to five applications for an audit.

Condition: Device
Description: Specify the IP address of the devices from which the flow data analyzed by the UBA server are forwarded.
Value: Input an IP address or IP segment with the standard protocol format of IPv4 or IPv6.

Type: NAT

Condition: NAT IP
Description: Specify the IP address of the device for which the NAT is performed.
Value: Input an IP address or IP segment with the standard protocol format of IPv4 or IPv6.

Condition: NAT Port
Description: Specify the port number of the device for which the NAT is performed.
Value: Input a port number or the range of port numbers. Examples:

Condition: Operator
Description: Specify the operator used to identify the cause of terminating a network flow.
Value: Select an operator from the Operator list:
   Reserved
   Ended Normally: Indicates the flow ends normally.
   Aged upon Timeout: Indicates the flow is aged due to timeout.
   Aged upon Configuration Change: Indicates the flow aged due to changing CLEAR/Configuration.
   Aged for Resource Insufficiency: Indicates the flow aged due to the insufficient resource.
   NAT Mapping: Indicates one-on-one NAT mapping. Only the source IP address, transferred IP address, and time fields are valid in the flow records.
   Long-lasting: Indicates the intermediate forwarding records last a long time.
   Removed Due to Substitution: Indicates the flow is removed due to substitution operation.
   Creation Records: Indicates the records of creating a flow.
   Undefined Flows: Indicates a flow that is not defined in the system.
   Others: Other reasons that cause flow termination.

Type: Web visiting

Condition: Web Site
Description: Specify an address or name of a website to identify who accessed the specified website.
Value: Input a partial or full address of a website. Example:

Condition: Title
Description: Specify a title of a network resource to identify who accessed the specified resource.
Value: Input a partial or full title of a network resource. Example: news

Condition: URI
Description: Specify the uniform resource identifier of a network resource to identify who accessed the specified resource.
Value: Input a URI of a network resource. Example: mc/style/top.css

Type: FTP

Condition: FTP User
Description: Specify a user name of an FTP service to identify whether the specified user accessed an FTP service.
Value: Input a partial or full user name for FTP logon.

Condition: File
Description: Specify a file to identify who uploaded or downloaded the specified file via FTP.
Value: Input a partial or full file name.

Condition: Transfer mode
Description: Specify the transfer mode of the FTP service.
Value: Select Upload or Download from the Transfer Mode list.

Type: Mail

Condition: Sender
Description: Specify the e-mail address of the sender to query the details of the e-mails sent from the specified address.
Value: Input partial or full address of an e-mail.

Condition: Receiver
Description: Specify the e-mail address of the receiver to query the details of the e-mails received by the specified address.
Value: Input partial or full address of an e-mail.

Condition: Title
Description: Specify an e-mail title to query details of the corresponding e-mail, including sender, receiver, and so forth.
Value: Input partial or full title of an e-mail.

Quick auditing

You can use both general and special audit conditions to configure a user behavior audit that meets your requirements.

To configure audit conditions:
1. Click Service > Traffic Analysis and Audit > User Behavior Audit. The User Behavior Audit page displays.

2. Select the IP address or name of the UBA server from the Server list. If more than one UBA server is installed in your network environment, select the one collecting the logs from the devices you want to monitor.
3. Set the start and end times for the audit task. You can specify the start and end times by clicking the Select Date and Time icon. A pop-up calendar displays. Select the time from the calendar.
4. If you want to query all the data that meets any one of the audit conditions you configure, click Meet Any. Otherwise, leave the default setting as is.
5. Set the general audit conditions. Select the check box to the left of the parameter that you want to set as an audit condition, and then specify a value or the value range for the condition you select. For the descriptions and value ranges of the general conditions, see the general conditions listed in Table 11.
6. If you want to set special audit conditions, select the check box next to Special Audit to activate the special audit conditions.
7. Set the special audit conditions. Select the check box next to the special audit name to open the special audit configuration pane. Select the check box to the left of the parameter that you want to set as an audit condition, and then specify a value or the value range for the parameters you select. For more information, see Table 11.
8. Click Audit. The audit result displays in the Audit Result pane. For more information, see Viewing the audit result.

Task-oriented auditing

UBA uses an audit task to record the audit conditions and results. A typical audit task can be an audit template that enables you to perform the same types of audits without configuring the corresponding conditions. You can manage user behavior audit tasks and task lists.

Managing the audit task list

UBA classifies audit tasks in terms of audit type and purpose. In User Behavior Audit Management, you can view the audit task list and audit task details.

To view the audit task list:
1. Click Service > Traffic Analysis and Audit > Settings.
2. Click the User Behavior Audit icon in the settings portion of the Traffic Analysis and Audit page. This opens the User Behavior Audit Management page.
3. View all created audit tasks listed in the Custom Audit List page.
4. Click the Refresh button to update the audit task list. This enables you to view audit tasks of a corresponding type so you can specify an audit type.
5. Click Service > Traffic Analysis and Audit.
6. From the navigation tree in the left pane, click one of the following type names:
General Audit
NAT Audit
Web Visiting Audit

FTP Audit
Mail Audit

IMPORTANT: The Web Visiting Audit, FTP Audit, and Mail Audit are special audits used to monitor Layer 7 applications. These special audit types display in the navigation tree only after you deploy a probe for DIG logs collection and enable the corresponding special audits for the probe. For more information, see Configuring UBA for a traffic audit.

7. View the audit task list of the specified type in the Custom Audit List page.

To view audit task details: In the Custom Audit List page, click the Name field of an audit task to view details such as condition configurations and other information.

Managing audit tasks

To add an audit task:
1. In the Custom Audit List page, click the Add button to open the Select Audit Type page.
2. Click the radio button next to the type of audit task you want to create, and then click Next.
3. Configure the basic information for the audit task:
Name: Input a name for the audit task.
Server: Select the IP address or name of the UBA server from the Server list. If more than one UBA server is installed in your network environment, select the one collecting the logs from the devices you want to monitor.
Reader: Specify the group in which the operators have permission to view the audit task and its result. Click Select to display the Operator Group List. Select the check box of the operator group to which you want to assign the reader authority, and then click OK.
NOTE: You can delete one or more operator groups from the Reader list. Select the operator groups you want to delete from the Reader list, and then click Delete to cancel the reading permission of the users in the specified groups. For more information, see HP Intelligent Management Center Base Platform Administrator Guide.
4. Set the audit conditions. Select the check box to the left of the parameter that you want to set as an audit condition, and then specify a value or the value range for the conditions you select; see Table 11. For the general audit conditions, if you want to query all the data that meets any one of the audit conditions you configure, click Meet Any. Otherwise, leave the default setting as is.
5. After configuring audit conditions, click OK to add the audit task.

To modify an audit task:
1. In the Custom Audit List page, click the Modify icon to open the Modify Custom Audit page.
2. Modify the basic information and audit conditions of the audit task. Select the check box to the left of the parameter that you want to set as an audit condition, and then specify a value or the value range for the conditions you select; see Table 11. For the general audit conditions, if you want to query all the data that meets any one of the audit conditions you have configured, click Meet Any. Otherwise, leave the default setting.
3. Click OK.

To remove an audit task: In the Custom Audit List page, click the Delete icon to delete the desired audit task.

Viewing the audit result

The methods for viewing an audit result are different for a summary (quick) audit and a task-oriented audit.

To view the result of a quick audit: Set the audit condition, and then click Audit to see the audit result records listed in the Audit Result pane.

To view the result of a task-oriented audit, use either of the following methods:
- In the Custom Audit List page, click the Audit icon to open the Audit Result page for the specified audit task.
- Click Service > Traffic Analysis and Audit > Settings. From the navigation tree in the left pane, click the Details icon next to the type name of the audit task that you want to view. The corresponding audit tasks are listed under the type name you clicked. Select the audit task you want to view, and then click the name of the audit task to open the Audit Result page for the specified audit task.

Querying an audit result

The audit result records of the last one hour display in the Audit Result page. You can set the audit time to query the audit result records generated in a specified period of time, as follows:
1. In the Audit Result pane, select a period of time for the audit result query.
   - Last 1 hour: View the audit result records generated in the last one hour.
   - Last 2 hours: View the audit result records generated in the last two hours.
   - Custom: Customize a period of time to query the audit result records. To do this, click Custom, and then populate the start and end times by clicking the Select Date and Time icon. In the pop-up calendar, select the time.
2. Click Audit to view the audit result records generated in the period of time you specify.

Viewing audit results by group

In the Audit Result pane, from the Group list, select the parameters that you want to use to group the audit result records. The grouped audit result records display in the Audit Result pane.

Customizing the audit result list

1. In the Audit Result pane, click Custom to open the Column List pane.
2. Select the check boxes of the columns that you want to display in the audit result list.
3. (Optional) Reorganize the sequence of the columns displayed in the audit result list. To change the position of a column, click the Up or Down icon for that column. To apply the default sequence to the columns, click Default.
4. Click OK. The selected columns display in the sequence that you specified.

Viewing additional audit result records

The Max.Displayed Entries for Audit parameter defines the maximum entries that can be displayed for a given search or audit. If the amount of audit result records for an audit exceeds the value of the system parameter, for example, 100,000, the system displays only 100,000 audit result records in the Audit Result pane.

If you want to view more audit result records, click Continue, and the system displays the records beyond the first 100,000 that were not previously displayed. For more information, see Configuring UBA for a traffic audit.

Exporting audit results

1. Click the Save button in the bottom of the Audit Result pane. The UBA server creates a CSV file to save the logs displayed in the Audit Result pane.
2. The system prompts for the number of logs to save and the path for the directory for the CSV file. If you want to view the CSV file or save it to a directory you specify, click the Download icon at the end of the prompt to open a file download dialog box.
3. In the download dialog box, click Open to view the CSV file, or Save to specify a directory in which to save the CSV file.

5 Exporting UBA log files

Using the UBA log file exporting function, you can check and manage log files. In addition, log file export frees up server database storage space. Among the export policy settings available are those that allow you to configure UBA to export target log files automatically. This section provides an introduction to log file types and the export mechanism, and instructions for configuring data exports.

Log file report overview

The log files record users' access information to the external network, such as source IP address, destination IP address, source port, destination port, and protocol number. The UBA server receives various log files and analyzes them, then generates an audit report. By using log records, UBA can track and report accesses to the network, facilitating the availability and security of the network.

UBA supports the following six types of log files:
- Flow 1.0/3.0
- NAT 1.0
- NetStream v5/v9
- sFlow v5
- NetFlow v5/v9
- DIG

Data export workflow

The following three prerequisites can trigger a data export procedure:
- The data export function is enabled.
- Log existing time exceeds log lifetime.
- Log files exceed the server storage space threshold.

For information about configuring these conditions, see Data export settings.

When data export is enabled, if the Data Space Alarm is triggered by overflowing data, UBA exports the log files automatically, and then deletes old logs to free up disk space. The data export process does not stop until Data Space Alarm is closed. For more information, see Troubleshooting.

Every midnight, the system exports log files that exceed the log lifetime. Figure 16 shows an overview of the data export workflow.

Figure 16 Data Export Workflow

To export log files, follow these steps:
1. Enable the data export.
2. Set the log lifetime.
3. Set the export trigger conditions.

The exported log files are saved as .zip files at the destination path on the server disk that is configured by the user. The exported files are kept in the path for 90 days by default, and then UBA deletes them automatically. If you want to keep them longer, you should move these log files to local storage space. UBA also provides the log file audit function to read and audit exported log files. For more information, see Configuring the log file audit.

NOTE: When the Network Behavior Analyzer Server program and database are installed separately, data export is not available, and log files with IPv6 address format cannot be exported using UBA.

Data export settings

To activate the data export function, first enable it as follows:
1. Click Service > Traffic Analysis and Audit > Data Export to open the Data Export Management page, as shown in Figure 17.
   Figure 17 Data Export Management

2. Click the Modify icon to open the Modify page.
3. Select Enable Data Export and Trigger Data Export by Data Space Alarm, and enter the Path of Exported File. The exported path must be a server disk, not a local disk.
4. Click OK.

Setting log lifetime

To set log lifetime:
1. Click Service > Traffic Analysis and Audit > Settings > Parameters to open the Parameter Management page.
2. Specify the Log Lifetime value, and then click OK.

NOTE: If Enable Data Export is unavailable and received log files exceed server storage space, the system deletes the log files that exceed the log lifetime.

Setting trigger space alarm conditions

To set trigger space alarm conditions:
1. Click Service > Traffic Analysis and Audit > Settings > Server Management to open the Server Management page.
2. Click the Modify icon to open the Server Configuration page.
3. Specify the following items:
   - Usage Threshold of the Database Disk (1-95%): Define a threshold for database storage usage of the server disk. When database disk usage exceeds this threshold, the data space alarm alerts the user.
   - When Database Disk Usage Reaches Threshold: When database disk usage reaches the threshold, select one of the following policies for managing the exceeded log files:
     - Stop Receiving Logs
     - Delete Logs to Release Space
4. Click Deploy.

Checking log files

To check log files:
1. Click Service > Traffic Analysis and Audit > Data Export to open the Data Export page.
2. Click the Details icon to open the Data Export Log page.
3. Select the exported log time period, and then click Query. The query results appear in the Data Export Log pane.
4. To reorder the log file sequence, click Custom to open the Column List page. In this page, you can reorganize the column sequences by clicking the Up or Down icon, and enable or disable a column display in the column list.
5. To keep default sequences, click Default.

Configuring the log file audit

After log files are exported to the specific path, you can read and audit the logs by using the Log File Audit function.

To open the Log File Audit page:

1. Click Service > Traffic Analysis and Audit > Data Export > Log File Audit to open the Log File Audit page, as shown in Figure 18.
   NOTE: HP recommends that you install the latest Java components in order to open the program successfully.
   Figure 18 Log File Audit
2. Click File Path to load the exported log files.
3. Specify the Max Displayed Entries For Audit value to define the total number of logs to display.
4. Click Set.
5. Select the Query Time and Query Conditions from the Basic Conditions pane. For more information, see Monitoring user behavior.
6. Select a special condition from the Special Conditions pane, and specify the special condition details.
   NOTE: Make sure you correctly enter audit conditions for each type of special audit. An incorrectly inserted audit condition causes audit failure.
7. Click Query. The Audit Results page appears.
8. Click Save to save the audit results.
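An added example, not part of the HP guide: because UBA deletes exported .zip files from the export path after 90 days by default, a scheduled job can copy them to longer-term storage beforehand and record a SHA-256 manifest so the archived audit logs can be verified later. The directory arguments, the 14-day safety margin, the use of file modification time as the export age, and the manifest format are assumptions; the script copies rather than moves, leaving deletion to UBA.

```python
import hashlib
import json
import shutil
import sys
import time
import zipfile
from pathlib import Path

RETENTION_DAYS = 90       # default retention of exported files stated in the guide
SAFETY_MARGIN_DAYS = 14   # assumption: archive two weeks before automatic deletion


def sha256_of(path, chunk_size=1 << 20):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_valid_zip(path):
    """True if the file opens as a zip archive and every member passes its CRC check."""
    try:
        with zipfile.ZipFile(path) as archive:
            return archive.testzip() is None
    except zipfile.BadZipFile:
        return False


def archive_exports(export_dir, archive_dir, now=None,
                    min_age_days=RETENTION_DAYS - SAFETY_MARGIN_DAYS):
    """Copy exported .zip files older than min_age_days into archive_dir.

    Each copy is verified against the source digest and recorded in
    manifest.json. Returns the file names archived, skipped, and corrupt.
    """
    now = time.time() if now is None else now
    export_dir, archive_dir = Path(export_dir), Path(archive_dir)
    archive_dir.mkdir(parents=True, exist_ok=True)
    manifest_path = archive_dir / "manifest.json"
    manifest = json.loads(manifest_path.read_text()) if manifest_path.exists() else {}
    report = {"archived": [], "skipped": [], "corrupt": []}

    for src in sorted(export_dir.glob("*.zip")):
        age_days = (now - src.stat().st_mtime) / 86400
        if age_days < min_age_days:
            report["skipped"].append(src.name)      # not yet close to deletion
            continue
        if not is_valid_zip(src):
            report["corrupt"].append(src.name)      # flag it, do not archive garbage
            continue
        digest = sha256_of(src)
        if manifest.get(src.name, {}).get("sha256") == digest:
            report["skipped"].append(src.name)      # already archived, unchanged
            continue
        dst = archive_dir / src.name
        shutil.copy2(src, dst)
        if sha256_of(dst) != digest:                # copy damaged in transit
            dst.unlink()
            report["corrupt"].append(src.name)
            continue
        manifest[src.name] = {
            "sha256": digest,
            "exported_mtime": src.stat().st_mtime,
            "archived_at": now,
        }
        report["archived"].append(src.name)

    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return report


if __name__ == "__main__":
    # Usage: python archive_exports.py <export path> <archive path>
    print(json.dumps(archive_exports(sys.argv[1], sys.argv[2]), indent=2))
```

Files reported as corrupt deserve a look before the 90-day window closes, since an unreadable export cannot be loaded into the Log File Audit page later.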

6 UBA example

This section provides a typical example of how to deploy and use the UBA service module to analyze the behaviors of network users.

Scenario description

As a network administrator of a corporation, you are assigned to investigate the behavior features of intranet users, especially the users in the finance department, to ensure network security and optimize network resources. To achieve the investigation goal, you can deploy the IMC base platform with the UBA service module in your network infrastructure, and use UBA to:
- Identify the following behavior features of intranet users:
  - Identify the applications or services that intranet users access most frequently.
  - Check whether or not users accessed specified online games.
  - Query the Internet access related information.
- Check the potential security risks in the finance department:
  - Check whether or not users transfer sensitive files via FTP in the finance department.

Figure 19 shows the corporate network architecture diagram.

Figure 19 Network architecture diagram

Task analysis

In this scenario, you can deploy an IMC base platform with the UBA service module to collect the logs from the main switches, and then identify the user behavior features through log analysis. HP recommends that you use the following workflow:
1. Deploy UBA. Deploy the UBA service module to collect logs from the core switch and Switch A.

2. Configure UBA:
   a. Create the communication path between the core switch/Switch A and the UBA server.
   b. Create the filter strategy to filter the logs collected by UBA.
   c. Define applications based on your network environment.
3. Audit user behavior. Create audit tasks according to your investigation goal, and then analyze the audit results to identify the user behavior features.

UBA deployment

Figure 20 shows a typical UBA deployment for this scenario.

Figure 20 UBA deployment diagram

As shown, you can create the following paths to collect logs:
- Communication path between the core switch and the UBA server: If the core switch supports the Flow 1.0/3.0, NAT 1.0, NetStream v5/v9, sFlow v5, or NetFlow v5/v9 protocols, you can import the core switch as a data source device to UBA.
- Communication path between Switch A and the UBA server: You can use a probe to analyze the data flow and forward DIG logs to UBA if:
  - You want to analyze the Layer 7 applications for the data flow transferred by the intranet users in the finance department.
  - Switch A does not support the Flow 1.0/3.0, NAT 1.0, NetStream v5/v9, sFlow v5, or NetFlow v5/v9 protocols.

NOTE: Using a probe, you can perform special audits to identify the specific user behaviors, such as accessing the FTP service, mail service, or specified websites.

UBA configuration

According to the above deployment, you need to complete the following configuration to define log sources, analyze logs, and create audit tasks to audit user behaviors. For more information, see Configuring UBA for a traffic audit.

To complete the UBA configuration:
1. Add the core switch as a device. In device management, import the core switch to UBA as a device, as shown in Figure 21.
   Figure 21 Import a device to UBA
2. Add a probe to collect logs from Switch A. After deploying a probe for analyzing the network flow mirrored from Switch A, add the probe to UBA. Figure 22 provides an example.
   Figure 22 Add Probe dialog box
3. Customize a filter strategy. A filter strategy defines whether the logs that UBA receives are processed or directly discarded. HP recommends that you customize a filter strategy according to the practical network environment, which reduces the useless logs and improves UBA efficiency. In this scenario, you can customize a filter strategy based on the following principles:
   - If you want to arrange a large-scale investigation throughout the corporation, you can set the default policy to Receive, and then add a filter condition to discard the logs from the IP addresses or IP segment of the users or departments that are not involved in the user behavior investigation.
   - If you want to direct the investigation to specific departments or users, you can set the default policy to Discard, and then add a filter condition to receive the logs from the IP addresses or IP segment of the users or departments that are involved in the user behavior investigation.
   Figure 23 shows a filter strategy example for discarding the logs from IP segment /24.
   Figure 23 Filter strategy example
4. Configure the UBA server. Modify the UBA server configuration to:
   - Enable a filter strategy. In the Basic Information pane, select the filter strategy you want to customize for the investigation.
   - Create the communication path between the core switch and the UBA server. In the Device Information pane, select the core device imported in step 1.
   - Create the communication path between Switch A and the UBA server. In the Probe Information pane, select the probe imported in step 2. In addition, you need to enable the special audits according to the investigation goal. In this scenario, you want to identify whether or not the intranet users in the finance department transferred sensitive files via FTP. Therefore, you should enable the FTP Audit.
   - Set the intranet information. To identify the intranet users, you should set the intranet IP segment.
   Figure 24 shows an example for the UBA server configuration.

   Figure 24 UBA server configuration example
5. Configure applications. To identify whether or not users access specified online games through the intranet, create an application to define the protocol and port by which an intranet user can access the specified games. Assuming the host IP address and port used to access a game, for example, farm game, is and 16112, you can set the application farm game, as shown in Figure 25.
   Figure 25 Application example

Auditing user behavior

In this scenario, you can create general, NAT, and FTP audit tasks to achieve the investigation goal described in Scenario description.

NOTE: This section introduces how to use different types of audit tasks to meet your requirements. For more information, see Monitoring user behavior.

Creating general audit tasks

In this scenario, you can use general audit tasks (Figure 26) to:
- Identify the applications or services that intranet users access most frequently.
  Figure 26 General audit task example 1
  To query the applications used by intranet users, you can view the result by grouping applications, as shown in Figure 27. The most frequently used application is HTTP.
  Figure 27 Group review audit result of general audit A

- Check whether or not intranet users access a specified online game. To query which users accessed the online game farm game, which has been defined in UBA configuration, create the general audit task, as shown in Figure 28.
  Figure 28 General audit task example 2
  In the audit result (Figure 29), the Source field provides the IP address of the intranet users who accessed the farm game.
  Figure 29 Audit result of audit for game

Creating an NAT audit task

Using an NAT audit task, you can query the Internet access information, which helps you identify which websites or online services intranet users access. In this scenario, set the NAT IP to be the IP address ( ) of the core switch that performs the NAT for the data flow transferred to the Internet, as shown in Figure

Figure 30 NAT audit task example

To view the audit result: In the audit result (Figure 31), the Destination field provides the IP addresses of the Internet applications or services that the intranet users access.

Figure 31 Audit result of the NAT audit task

Creating an FTP audit task

Using an FTP audit task, you can check whether or not users in the finance department transferred sensitive files via FTP. In this scenario, you can set some keywords, such as accounts or finance, to query the information about sensitive file transfers. Set the Device to be the IP address of the probe that is deployed for monitoring the data flow from the finance department, as shown in Figure 32.

Figure 32 FTP audit task example

In the audit result (Figure 33), the Source field provides the IP addresses of intranet users who transferred the related files via FTP.

Figure 33 Audit result of the FTP audit task
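The scenario above, modeled as an added example (not HP code and not how UBA is implemented): a filter strategy decides which records are kept, and the general and FTP audits then run only over what was kept, so anything the filter discards is invisible to every later audit. The record fields, the addresses, the first-match filter order, and the reading of the default audit setting as "every condition must match" are assumptions; the farm game host address is a constructed placeholder.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One log record; the field set is an assumption, not UBA's log format."""
    src: str
    dst: str
    proto: str
    dport: int
    ftp_file: str = ""   # file name reported by the probe for FTP transfers


# Constructed addressing plan and sample records (not taken from the guide).
FINANCE = ip_network("10.1.20.0/24")
GUEST = ip_network("10.1.99.0/24")
FLOWS = [
    Flow("10.1.10.5", "198.51.100.7", "TCP", 80),
    Flow("10.1.10.6", "198.51.100.7", "TCP", 80),
    Flow("10.1.20.8", "198.51.100.7", "TCP", 80),
    Flow("10.1.10.5", "203.0.113.10", "TCP", 16112),
    Flow("10.1.20.8", "198.51.100.21", "TCP", 21, "Q3-accounts.xls"),
    Flow("10.1.20.9", "198.51.100.21", "TCP", 21, "lunch-menu.txt"),
    Flow("10.1.99.4", "203.0.113.10", "TCP", 16112),
    Flow("10.1.99.4", "198.51.100.21", "TCP", 21, "finance-plan.doc"),
]

# Applications as (name, protocol, port, host or None). "farm game" is the
# user-defined application from the scenario; its host is a placeholder.
APPLICATIONS = [
    ("farm game", "TCP", 16112, "203.0.113.10"),
    ("HTTP", "TCP", 80, None),
    ("FTP", "TCP", 21, None),
]


def apply_filter(flows, default_policy, conditions):
    """Keep the flows a filter strategy receives.

    conditions is a list of (action, segment); the first segment containing
    the source address decides, otherwise the default policy applies.
    """
    kept = []
    for flow in flows:
        action = default_policy
        for cond_action, segment in conditions:
            if ip_address(flow.src) in segment:
                action = cond_action
                break
        if action == "receive":
            kept.append(flow)
    return kept


def application_of(flow):
    """Map a flow to an application name by protocol, port, and optional host."""
    for name, proto, port, host in APPLICATIONS:
        if (flow.proto, flow.dport) == (proto, port) and host in (None, flow.dst):
            return name
    return "unknown"


def general_audit(flows, conditions, meet_any=False):
    """Return flows matching every condition, or any one of them with Meet Any."""
    combine = any if meet_any else all
    return [f for f in flows if combine(cond(f) for cond in conditions)]


def group_by_application(flows):
    """Audit result grouped by application, most frequent first."""
    return Counter(application_of(f) for f in flows).most_common()


def game_users(flows, game="farm game"):
    """Source addresses that accessed the user-defined game application."""
    hits = general_audit(flows, [lambda f: application_of(f) == game])
    return sorted({f.src for f in hits})


def ftp_audit(flows, keywords, segment):
    """Sources in a segment whose FTP file names contain a keyword.

    The segment stands in for the Device (probe) condition of the FTP audit.
    """
    hits = general_audit(flows, [
        lambda f: application_of(f) == "FTP",
        lambda f: ip_address(f.src) in segment,
        lambda f: any(k in f.ftp_file.lower() for k in keywords),
    ])
    return sorted({f.src for f in hits})


# Corporation-wide investigation: receive by default, discard the guest segment.
BROAD = apply_filter(FLOWS, "receive", [("discard", GUEST)])
# Targeted investigation: discard by default, receive only the finance segment.
TARGETED = apply_filter(FLOWS, "discard", [("receive", FINANCE)])

if __name__ == "__main__":
    print("applications (broad):", group_by_application(BROAD))
    print("game users, unfiltered vs broad:", game_users(FLOWS), game_users(BROAD))
    print("FTP keyword hits in finance:", ftp_audit(TARGETED, ["accounts", "finance"], FINANCE))
```

The guest host's game and FTP activity appears only in the unfiltered data, which is the trade-off to weigh before discarding a segment in the filter strategy.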

7 Troubleshooting

This section provides troubleshooting information for isolating and correcting common issues encountered during the operation and maintenance of UBA. The purpose is to define the most common issues and their corresponding corrective procedures.

Prerequisites

Before starting any procedure, make sure that the following conditions are met:
- Personnel working on the IMC platform must have the necessary education, training, competence, and authority.
- All related modules must be installed and deployed.

Verify the UBA installation

If the UBA module does not appear in the navigation tree in its initial use, check the following:
- Ensure that the UBA module has been installed correctly.
- Check the license status by left-clicking the About link to open the About window, as shown in Figure 34. Check if the license has expired.
  Figure 34 About window
- Check whether UBA has been deployed correctly. Log on to the server and use Intelligent Deployment Monitoring Agent (Figure 35).

  Figure 35 Intelligent Deployment Monitoring Agent

Fail to add a new probe

When the new probe fails to be added to the UBA server, check the following:
- Ensure you installed a probe correctly in the remote server.
- Ensure the probe password is activated in the remote server.
- Ensure you entered a correct probe password.

No target log files are available

After receiving log files for a while, you can audit them by using the user behavior audit function. If you cannot find the target log audit results, check the following:
- Ensure the network connection works normally.
- Ensure enough idle storage space remains for the server to receive log files. For this purpose, go to the Database Space page to check the database space usage.
- Go to the Server Management page to make sure that the correct device and probe have been selected and deployed.
- Ensure the intranet user license has not expired; if it has, contact HP support to purchase new licenses.

No audit task displays in the navigation tree

The configured audit tasks should appear in the navigation tree, as shown in Figure 36. After you add a corresponding audit task, the audit task group is displayed in the navigation tree. For more information, see Monitoring user behavior.

Figure 36 Audit tasks in the navigation tree

Database space usage color bar

To visually display the database space usage, UBA provides a color bar, as shown in Figure 37. The bar displays three colors: green, red, and white, each of which indicates a different status of server database space:
- Green Bar: Means the server database space is sufficient.
- Red Bar: Means that the database space usage is greater than the threshold. To solve this problem, export log files periodically and delete old log files to release server storage space.
- White Bar: Means the server cannot get available data yet. You should check the network connection to determine if the device and probe have been deployed correctly. For more information, see Configuring UBA for a traffic audit.

Figure 37 Database Space Usage

Alarms

UBA provides different levels of alarms to indicate UBA module work status. Table 12 lists the varying UBA levels and related alarm information.

Table 12 UBA alarms

| Name | Level | Description | Cause |
|---|---|---|---|
| Probe failed to send a log file | Major | The probe of UBA server failed to send log files. | Possible causes: FTP server is unavailable; Server is not activated; Network connection problem |
| Load new config on probe | Event | The probe of UBA server uses a new configuration. | N/A |
| Probe loading config failed | Major | Failed to load a new configuration on the probe. | Probe is busy and does not respond to load a new configuration. |


More information

HP Real User Monitor. Release Notes. For the Windows and Linux operating systems Software Version: 9.21. Document Release Date: November 2012

HP Real User Monitor. Release Notes. For the Windows and Linux operating systems Software Version: 9.21. Document Release Date: November 2012 HP Real User Monitor For the Windows and Linux operating systems Software Version: 9.21 Release Notes Document Release Date: November 2012 Software Release Date: November 2012 Legal Notices Warranty The

More information

HP LaserJet MFP Analog Fax Accessory 300 Send Fax Driver Guide

HP LaserJet MFP Analog Fax Accessory 300 Send Fax Driver Guide HP LaserJet MFP Analog Fax Accessory 300 Send Fax Driver Guide Copyright and License 2008 Copyright Hewlett-Packard Development Company, L.P. Reproduction, adaptation, or translation without prior written

More information

WhatsUpGold. v12.3.1. NetFlow Monitor User Guide

WhatsUpGold. v12.3.1. NetFlow Monitor User Guide WhatsUpGold v12.3.1 NetFlow Monitor User Guide Contents CHAPTER 1 WhatsUp Gold NetFlow Monitor Overview What is NetFlow?... 1 How does NetFlow Monitor work?... 2 Supported versions... 2 System requirements...

More information

HP 3PAR Recovery Manager 4.5.0 Software for Microsoft Exchange Server 2007, 2010, and 2013

HP 3PAR Recovery Manager 4.5.0 Software for Microsoft Exchange Server 2007, 2010, and 2013 HP 3PAR Recovery Manager 4.5.0 Software for Microsoft Exchange Server 2007, 2010, and 2013 Release Notes Abstract This release notes document is for HP 3PAR Recovery Manager 4.5.0 Software for Microsoft

More information

HP Device Manager 4.6

HP Device Manager 4.6 Technical white paper HP Device Manager 4.6 Installation and Update Guide Table of contents Overview... 3 HPDM Server preparation... 3 FTP server configuration... 3 Windows Firewall settings... 3 Firewall

More information

Tracking Network Changes Using Change Audit

Tracking Network Changes Using Change Audit CHAPTER 14 Change Audit tracks and reports changes made in the network. Change Audit allows other RME applications to log change information to a central repository. Device Configuration, Inventory, and

More information

How to configure remote and intelligent mirroring on ProCurve switches

How to configure remote and intelligent mirroring on ProCurve switches An HP ProCurve Networking Application Note How to configure remote and intelligent mirroring on ProCurve switches Contents 1. Introduction... 2 2. Prerequisites... 2 3. Network diagram... 2 4. Configuring

More information

Integrating HP Insight Management WBEM (WMI) Providers for Windows with HP System Insight Manager

Integrating HP Insight Management WBEM (WMI) Providers for Windows with HP System Insight Manager Integrating HP Insight Management WBEM (WMI) Providers for Windows with HP System Insight Manager Integration note, 4 th edition Introduction... 2 Utilizing HP WBEM Providers for Windows... 2 Security...

More information

Send to Network Folder. Embedded Digital Sending

Send to Network Folder. Embedded Digital Sending Send to Network Folder Embedded Digital Sending Embedded Digital Sending Legal Notice Copyright 2005 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without

More information

HP Application Lifecycle Management

HP Application Lifecycle Management HP Application Lifecycle Management Software Version: 11.00 Microsoft Word Add-in Guide Document Release Date: November 2010 Software Release Date: October 2010 Legal Notices Warranty The only warranties

More information

WatchDox Administrator's Guide. Application Version 3.7.5

WatchDox Administrator's Guide. Application Version 3.7.5 Application Version 3.7.5 Confidentiality This document contains confidential material that is proprietary WatchDox. The information and ideas herein may not be disclosed to any unauthorized individuals

More information

HP Service Manager. Software Version: 9.40 For the supported Windows and Linux operating systems. Collaboration Guide

HP Service Manager. Software Version: 9.40 For the supported Windows and Linux operating systems. Collaboration Guide HP Service Manager Software Version: 9.40 For the supported Windows and Linux operating systems Collaboration Guide Document Release Date: December 2014 Software Release Date: December 2014 Legal Notices

More information

Configuring NetFlow Secure Event Logging (NSEL)

Configuring NetFlow Secure Event Logging (NSEL) 73 CHAPTER This chapter describes how to configure NSEL, a security logging mechanism that is built on NetFlow Version 9 technology, and how to handle events and syslog messages through NSEL. The chapter

More information

HP Project and Portfolio Management Center

HP Project and Portfolio Management Center HP Project and Portfolio Management Center Software Version: 9.20 RESTful Web Services Guide Document Release Date: February 2013 Software Release Date: February 2013 Legal Notices Warranty The only warranties

More information

HP BladeSystem Management Pack version 1.0 for Microsoft System Center Essentials Troubleshooting Assistant

HP BladeSystem Management Pack version 1.0 for Microsoft System Center Essentials Troubleshooting Assistant HP BladeSystem Management Pack version 1.0 for Microsoft System Center Essentials Troubleshooting Assistant Part Number 465399-001 November 2007 (First Edition) Copyright 2007 Hewlett-Packard Development

More information

Avaya Network Configuration Manager User Guide

Avaya Network Configuration Manager User Guide Avaya Network Configuration Manager User Guide May 2004 Avaya Network Configuration Manager User Guide Copyright Avaya Inc. 2004 ALL RIGHTS RESERVED The products, specifications, and other technical information

More information

HP Data Protector Integration with Autonomy IDOL Server

HP Data Protector Integration with Autonomy IDOL Server HP Data Protector Integration with Autonomy IDOL Server Introducing e-discovery for HP Data Protector environments Technical white paper Table of contents Summary... 2 Introduction... 2 Integration concepts...

More information

HP Service Manager. Collaboration Guide. For the Supported Windows and UNIX operating systems. Software Version: 9.31

HP Service Manager. Collaboration Guide. For the Supported Windows and UNIX operating systems. Software Version: 9.31 HP Service Manager For the Supported Windows and UNIX operating systems Software Version: 9.31 Collaboration Guide Document Release Date: October 2012 Software Release Date: October 2012 Legal Notices

More information

RSA Security Analytics Netflow Collection Configuration Guide

RSA Security Analytics Netflow Collection Configuration Guide RSA Security Analytics Netflow Collection Configuration Guide Copyright 2010-2015 RSA, the Security Division of EMC. All rights reserved. Trademarks RSA, the RSA Logo and EMC are either registered trademarks

More information

CA Nimsoft Monitor. Probe Guide for IIS Server Monitoring. iis v1.5 series

CA Nimsoft Monitor. Probe Guide for IIS Server Monitoring. iis v1.5 series CA Nimsoft Monitor Probe Guide for IIS Server Monitoring iis v1.5 series Legal Notices Copyright 2013, CA. All rights reserved. Warranty The material contained in this document is provided "as is," and

More information

NetFlow Auditor Manual Getting Started

NetFlow Auditor Manual Getting Started NetFlow Auditor Manual Getting Started Setting up NetFlow Check if your Routers or Switches Supports NetFlow. Almost all Cisco devices support NetFlow since its introduction in the 11.1 train of Cisco

More information

USING MANAGED PRINTER LISTS

USING MANAGED PRINTER LISTS USING MANAGED PRINTER LISTS for the HP Universal Print Driver with HP Web Jetadmin CONTENTS Introduction... 2 Operation overview... 2 Assumptions... 2 Exporting device Groups as XML Managed Printer Lists...

More information

RUNNING A HELPDESK CONTENTS. using HP Web Jetadmin

RUNNING A HELPDESK CONTENTS. using HP Web Jetadmin RUNNING A HELPDESK using HP Web Jetadmin CONTENTS Overview... 2 Helpdesk examples... 2 Viewing devices... 2 Quick Device Discovery... 3 Search... 3 Filters... 3 Columns... 4 Device Groups... 4 Troubleshooting

More information

Lab - Using Wireshark to Observe the TCP 3-Way Handshake

Lab - Using Wireshark to Observe the TCP 3-Way Handshake Topology Objectives Part 1: Prepare Wireshark to Capture Packets Select an appropriate NIC interface to capture packets. Part 2: Capture, Locate, and Examine Packets Capture a web session to www.google.com.

More information

Quick Start for Network Agent. 5-Step Quick Start. What is Network Agent?

Quick Start for Network Agent. 5-Step Quick Start. What is Network Agent? What is Network Agent? The Websense Network Agent software component uses sniffer technology to monitor all of the internet traffic on the network machines that you assign to it. Network Agent filters

More information

HP Service Manager. Software Version: 9.34 For the supported Windows and UNIX operating systems. Incident Management help topics for printing

HP Service Manager. Software Version: 9.34 For the supported Windows and UNIX operating systems. Incident Management help topics for printing HP Service Manager Software Version: 9.34 For the supported Windows and UNIX operating systems Incident Management help topics for printing Document Release Date: July 2014 Software Release Date: July

More information

Emerald. Network Collector Version 4.0. Emerald Management Suite IEA Software, Inc.

Emerald. Network Collector Version 4.0. Emerald Management Suite IEA Software, Inc. Emerald Network Collector Version 4.0 Emerald Management Suite IEA Software, Inc. Table Of Contents Purpose... 3 Overview... 3 Modules... 3 Installation... 3 Configuration... 3 Filter Definitions... 4

More information

HP Easy Tools. Administrator's Guide

HP Easy Tools. Administrator's Guide HP Easy Tools Administrator's Guide Copyright 2010 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. Microsoft and Windows are trademarks

More information

SAP BusinessObjects Business Intelligence platform Document Version: 4.0 Support Package Live Office User Guide

SAP BusinessObjects Business Intelligence platform Document Version: 4.0 Support Package Live Office User Guide SAP BusinessObjects Business Intelligence platform Document Version: 4.0 Support Package 8-2013-10-31 Table of Contents 1 About this document...5 1.1 Who should read this document....5 1.2 Document history....5

More information

HP Service Manager. Software Version: 9.40 For the supported Windows and Linux operating systems. Application Setup help topics for printing

HP Service Manager. Software Version: 9.40 For the supported Windows and Linux operating systems. Application Setup help topics for printing HP Service Manager Software Version: 9.40 For the supported Windows and Linux operating systems Application Setup help topics for printing Document Release Date: December 2014 Software Release Date: December

More information

HDA Integration Guide. Help Desk Authority 9.0

HDA Integration Guide. Help Desk Authority 9.0 HDA Integration Guide Help Desk Authority 9.0 2011ScriptLogic Corporation ALL RIGHTS RESERVED. ScriptLogic, the ScriptLogic logo and Point,Click,Done! are trademarks and registered trademarks of ScriptLogic

More information

HP Load Balancing Module

HP Load Balancing Module HP Load Balancing Module Load Balancing Configuration Guide Part number: 5998-2685 Document version: 6PW101-20120217 Legal and notice information Copyright 2012 Hewlett-Packard Development Company, L.P.

More information

Sample Configuration: Cisco UCS, LDAP and Active Directory

Sample Configuration: Cisco UCS, LDAP and Active Directory First Published: March 24, 2011 Last Modified: March 27, 2014 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS

More information

NMS300 Network Management System

NMS300 Network Management System NMS300 Network Management System User Manual June 2013 202-11289-01 350 East Plumeria Drive San Jose, CA 95134 USA Support Thank you for purchasing this NETGEAR product. After installing your device, locate

More information

BusinessObjects Enterprise XI Release 2 Publishing Guide

BusinessObjects Enterprise XI Release 2 Publishing Guide BusinessObjects Enterprise XI Release 2 Publishing Guide BusinessObjects Enterprise XI Release 2 Publishing Guide Patents Trademarks Copyright Third-party contributors Business Objects owns the following

More information

HP INTEGRATED ARCHIVE PLATFORM

HP INTEGRATED ARCHIVE PLATFORM You can read the recommendations in the user guide, the technical guide or the installation guide for HP INTEGRATED ARCHIVE PLATFORM. You'll find the answers to all your questions on the HP INTEGRATED

More information

TippingPoint Deployment Note: Threat Digital Vaccine (ThreatDV)

TippingPoint Deployment Note: Threat Digital Vaccine (ThreatDV) TippingPoint Deployment Note: Threat Digital Vaccine (ThreatDV) Reputation Digital Vaccine (RepDV) is now the Threat Digital Vaccine (ThreatDV), a premium subscription service that includes both the reputation

More information

Orientation Course - Lab Manual

Orientation Course - Lab Manual Orientation Course - Lab Manual Using the Virtual Managed Workplace site for the lab exercises Your instructor will provide the following information before the first lab exercise begins: Your numerical

More information

HP Enterprise Integration module for SAP applications

HP Enterprise Integration module for SAP applications HP Enterprise Integration module for SAP applications Software Version: 2.50 User Guide Document Release Date: May 2009 Software Release Date: May 2009 Legal Notices Warranty The only warranties for HP

More information

HP OpenView AssetCenter

HP OpenView AssetCenter HP OpenView AssetCenter Software version: 5.0 Integration with software distribution tools Build number: 50 Legal Notices Warranty The only warranties for HP products and services are set forth in the

More information

HP TippingPoint Security Management System User Guide

HP TippingPoint Security Management System User Guide HP TippingPoint Security Management System User Guide Version 4.0 Abstract This information describes the HP TippingPoint Security Management System (SMS) client user interface, and includes configuration

More information

CA Nimsoft Monitor Snap

CA Nimsoft Monitor Snap CA Nimsoft Monitor Snap Configuration Guide for Email Gateway emailgtw v2.7 series Legal Notices Copyright 2013, CA. All rights reserved. Warranty The material contained in this document is provided "as

More information

HP Service Manager. Software Version: 9.40 For the supported Windows and Linux operating systems. Request Management help topics for printing

HP Service Manager. Software Version: 9.40 For the supported Windows and Linux operating systems. Request Management help topics for printing HP Service Manager Software Version: 9.40 For the supported Windows and Linux operating systems Request Management help topics for printing Document Release Date: December 2014 Software Release Date: December

More information

CHAPTER 1 WhatsUp Flow Monitor Overview. CHAPTER 2 Configuring WhatsUp Flow Monitor. CHAPTER 3 Navigating WhatsUp Flow Monitor

CHAPTER 1 WhatsUp Flow Monitor Overview. CHAPTER 2 Configuring WhatsUp Flow Monitor. CHAPTER 3 Navigating WhatsUp Flow Monitor Contents CHAPTER 1 WhatsUp Flow Monitor Overview What is Flow Monitor?... 1 How does Flow Monitor work?... 2 Supported versions... 2 System requirements... 2 CHAPTER 2 Configuring WhatsUp Flow Monitor

More information

Connectivity Pack for Microsoft Guide

Connectivity Pack for Microsoft Guide HP Vertica Analytic Database Software Version: 7.0.x Document Release Date: 2/20/2015 Legal Notices Warranty The only warranties for HP products and services are set forth in the express warranty statements

More information

Network Scanner Tool R User s Guide Version

Network Scanner Tool R User s Guide Version Network Scanner Tool R2.7.5 User s Guide Version 2.7.5.01 Copyright 2000-2001 by Sharp Corporation. All rights reserved. Reproduction, adaptation or translation without prior written permission is prohibited,

More information

HP EMAIL ARCHIVING SOFTWARE FOR EXCHANGE

HP EMAIL ARCHIVING SOFTWARE FOR EXCHANGE You can read the recommendations in the user guide, the technical guide or the installation guide for HP EMAIL ARCHIVING SOFTWARE FOR EXCHANGE. You'll find the answers to all your questions on the HP EMAIL

More information

HP Operations Smart Plug-in for Virtualization Infrastructure

HP Operations Smart Plug-in for Virtualization Infrastructure HP Operations Smart Plug-in for Virtualization Infrastructure for HP Operations Manager for Windows Software Version: 1.00 Deployment and Reference Guide Document Release Date: October 2008 Software Release

More information

Configuring and Monitoring FTP Servers

Configuring and Monitoring FTP Servers Configuring and Monitoring FTP Servers eg Enterprise v5.6 Restricted Rights Legend The information contained in this document is confidential and subject to change without notice. No part of this document

More information

Content Filtering Client Policy & Reporting Administrator s Guide

Content Filtering Client Policy & Reporting Administrator s Guide Content Filtering Client Policy & Reporting Administrator s Guide Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your system. CAUTION: A CAUTION

More information

Parallels Plesk Panel

Parallels Plesk Panel Parallels Plesk Panel Copyright Notice Parallels Holdings, Ltd. c/o Parallels International GMbH Vordergasse 49 CH8200 Schaffhausen Switzerland Phone: +41 526320 411 Fax: +41 52672 2010 Copyright 1999-2011

More information

Configuring Security for FTP Traffic

Configuring Security for FTP Traffic 2 Configuring Security for FTP Traffic Securing FTP traffic Creating a security profile for FTP traffic Configuring a local traffic FTP profile Assigning an FTP security profile to a local traffic FTP

More information

MULTIFUNCTIONAL DIGITAL SYSTEMS. Operator's Manual for TWAIN Driver/File Downloader

MULTIFUNCTIONAL DIGITAL SYSTEMS. Operator's Manual for TWAIN Driver/File Downloader MULTIFUNCTIONAL DIGITAL SYSTEMS Operator's Manual for TWAIN Driver/File Downloader 2008 KYOCERA MITA Corporation All rights reserved Preface Thank you for purchasing KYOCERA MITA Multifunctional Digital

More information

CA Nimsoft Monitor. Probe Guide for NT Event Log Monitor. ntevl v3.8 series

CA Nimsoft Monitor. Probe Guide for NT Event Log Monitor. ntevl v3.8 series CA Nimsoft Monitor Probe Guide for NT Event Log Monitor ntevl v3.8 series Legal Notices Copyright 2013, CA. All rights reserved. Warranty The material contained in this document is provided "as is," and

More information

HP Device Manager 4.7

HP Device Manager 4.7 Technical white paper HP Device Manager 4.7 FTPS Certificates Configuration Table of contents Overview... 2 Server certificate... 2 Configuring a server certificate on an IIS FTPS server... 2 Creating

More information

HP Server Management Packs for Microsoft System Center Essentials User Guide

HP Server Management Packs for Microsoft System Center Essentials User Guide HP Server Management Packs for Microsoft System Center Essentials User Guide Part Number 460344-001 September 2007 (First Edition) Copyright 2007 Hewlett-Packard Development Company, L.P. The information

More information

HP IDOL Search Optimizer

HP IDOL Search Optimizer HP IDOL Search Optimizer Software Version: 10.9 User Guide Document Release Date: April 2015 Software Release Date: April 2015 Legal Notices Warranty The only warranties for HP products and services are

More information

CA Nimsoft Monitor. Probe Guide for TCP/IP Proxy Service probe. tcp_proxy v1.1 series

CA Nimsoft Monitor. Probe Guide for TCP/IP Proxy Service probe. tcp_proxy v1.1 series CA Nimsoft Monitor Probe Guide for TCP/IP Proxy Service probe tcp_proxy v1.1 series Legal Notices Copyright 2013, CA. All rights reserved. Warranty The material contained in this document is provided "as

More information

NETWRIX EVENT LOG MANAGER

NETWRIX EVENT LOG MANAGER NETWRIX EVENT LOG MANAGER ADMINISTRATOR S GUIDE Product Version: 4.0 July/2012. Legal Notice The information in this publication is furnished for information use only, and does not constitute a commitment

More information

CA Nimsoft Monitor. Probe Guide for Active Directory Server. ad_server v1.4 series

CA Nimsoft Monitor. Probe Guide for Active Directory Server. ad_server v1.4 series CA Nimsoft Monitor Probe Guide for Active Directory Server ad_server v1.4 series Legal Notices Copyright 2013, CA. All rights reserved. Warranty The material contained in this document is provided "as

More information

HP AppPulse Active. Software Version: 2.2. Real Device Monitoring For AppPulse Active

HP AppPulse Active. Software Version: 2.2. Real Device Monitoring For AppPulse Active HP AppPulse Active Software Version: 2.2 For AppPulse Active Document Release Date: February 2015 Software Release Date: November 2014 Legal Notices Warranty The only warranties for HP products and services

More information

RSA Security Analytics Netflow Collection Configuration Guide

RSA Security Analytics Netflow Collection Configuration Guide RSA Security Analytics Netflow Collection Configuration Guide Copyright 2010-2015 RSA, the Security Division of EMC. All rights reserved. Trademarks RSA, the RSA Logo and EMC are either registered trademarks

More information

Nimsoft Monitor. ntevl Guide. v3.6 series

Nimsoft Monitor. ntevl Guide. v3.6 series Nimsoft Monitor ntevl Guide v3.6 series Legal Notices Copyright 2012, CA. All rights reserved. Warranty The material contained in this document is provided "as is," and is subject to being changed, without

More information

Widgets for SAP BusinessObjects Business Intelligence Platform User Guide SAP BusinessObjects Business Intelligence platform 4.1

Widgets for SAP BusinessObjects Business Intelligence Platform User Guide SAP BusinessObjects Business Intelligence platform 4.1 Widgets for SAP BusinessObjects Business Intelligence Platform User Guide SAP BusinessObjects Business Intelligence platform 4.1 Copyright 2013 SAP AG or an SAP affiliate company. All rights reserved.

More information

HP Asset Manager. Software version: 5.20. Integration with software distribution and configuration management tools

HP Asset Manager. Software version: 5.20. Integration with software distribution and configuration management tools HP Asset Manager Software version: 5.20 Integration with software distribution and configuration management tools Document Release Date: 01 October 2009 Software Release Date: October 2009 Legal Notices

More information