Symantec Event Collectors Integration Guide for Symantec Security Information Manager 4.7


The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version: 5.1

Legal Notice

Copyright 2010 Symantec Corporation. All rights reserved.

Symantec and the Symantec Logo, LiveUpdate, Symantec AntiVirus, and Symantec Security Response are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR and subject to restricted rights as defined in FAR Section "Commercial Computer Software - Restricted Rights" and DFARS , "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation
350 Ellis Street
Mountain View, CA

Technical Support

Contacting Technical Support

Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec's support offerings include the following:
- A range of support options that give you the flexibility to select the right amount of service for any size organization
- Telephone and/or Web-based support that provides rapid response and up-to-the-minute information
- Upgrade assurance that delivers software upgrades
- Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis
- Premium service offerings that include Account Management Services

For information about Symantec's support offerings, you can visit our Web site at the following URL:

All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.

Customers with a current support agreement may access Technical Support information at the following URL:

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.

When you contact Technical Support, please have the following information available:
- Product release level
- Hardware information
- Available memory, disk space, and NIC information
- Operating system
- Version and patch level
- Network topology
- Router, gateway, and IP address information
- Problem description:
  - Error messages and log files
  - Troubleshooting that was performed before contacting Symantec
  - Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:

Customer service

Customer service information is available at the following URL:

Customer Service is available to assist with non-technical questions, such as the following types of issues:
- Questions regarding product licensing or serialization
- Product registration updates, such as address or name changes
- General product information (features, language availability, local dealers)
- Latest information about product updates and upgrades
- Information about upgrade assurance and support contracts
- Information about the Symantec Buying Programs
- Advice about Symantec's technical support options
- Nontechnical presales questions
- Issues that are related to CD-ROMs or manuals

Support agreement resources

If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:
- Asia-Pacific and Japan
- Europe, Middle-East, and Africa
- North America and Latin America

Contents

Technical Support

Chapter 1 Introducing Symantec Event Collectors
  About the Symantec Event Collectors Integration Guide
  About Symantec Event Collectors and Symantec Security Information Manager
  About Universal Event Collectors
  Major components of Information Manager and collectors
  Where to find more information about Information Manager
  Accessing Help for the console

Chapter 2 Installing Symantec Event Collectors
  Before you install collectors
  Requirements for point products and the collectors
  Updating the hosts file on a computer that hosts collectors
  Installation and configuration tasks for collectors
  Registering Collectors
  Installing the collector on a remote computer
  Installing collectors on an Information Manager server
  Verifying Symantec Event Agent and collector installation
  Installing queries on Information Manager

Chapter 3 Configuring point products
  About configuring the point product to work with the collector

Chapter 4 Configuring collectors
  Creating collector configurations and configuring sensors
  Creating a new collector configuration
  Configuring the collector sensor to receive security events
  Adding, renaming, deleting, and disabling sensors
  Importing and exporting sensor properties
  Globally updating sensor properties
  About sensor properties for common sensor types
  Sensor properties for the DB sensor
  Sensor properties for the LogFile sensor
  Sensor properties for the LotusNotesDB sensor
  Sensor properties for the OpsecLea sensor
  Sensor properties for the SNMP sensor
  Sensor properties for the SysLog sensor
  Sensor properties for the SyslogFile sensor
  Sensor properties for the Windows EventLog sensor
  Sensor properties for the WS-Management sensor
  Configuring collector raw event logging
  Verifying collector configuration

Chapter 5 Configuring collectors for event filtering and aggregation
  Configuring event filtering
  Configuring event aggregation

Chapter 6 Configuring Syslog Director
  About Syslog Director
  Configuring Syslog Director with syslog collectors

Chapter 7 LiveUpdate for collectors
  Running LiveUpdate for collectors

Appendix A About installing collectors that use a database sensor
  Installing collectors that use a database sensor
  Setting the SQL Server security mode to mixed authentication
  Downloading database drivers
  Transferring database drivers to an Information Manager server
  Installing database drivers on a remote computer
  Creating read-only database users
  Creating a read-only database user account for Microsoft SQL Server
  Creating a read-only database user account for MySQL
  Creating a read-only database user for Oracle
  Creating a read-only database user account for IBM DB
  Importing sensor settings
  Configuring the SQL Server instance to listen on a non-dynamic port
  Configuring an SSL connection for the Microsoft SQL Server 2005 JDBC driver

Appendix B About collector configurations
  Collector configuration scenarios
  Scenario 1 - One-for-All configuration
  Scenario 2 - One-to-Many configuration
  Scenario 3 - One-to-One configuration
  Scenario 4 - One-per-Type configuration

Appendix C Uninstalling collectors
  Uninstalling the collector and its components
  Unregistering the collector
  Uninstalling the collector component

Appendix D Configuring many sensors for collectors
  Configuring many sensors for collectors
  Sensor property names for common sensor types

Chapter 1 Introducing Symantec Event Collectors

This chapter includes the following topics:
- About the Symantec Event Collectors Integration Guide
- About Symantec Event Collectors and Symantec Security Information Manager
- About Universal Event Collectors
- Major components of Information Manager and collectors
- Where to find more information about Information Manager
- Accessing Help for the console

About the Symantec Event Collectors Integration Guide

The Symantec Event Collector Guide provides general information and procedures to aid in the installation and the troubleshooting of collectors. For information specific to a particular collector, see the quick reference guide for that particular collector.

About Symantec Event Collectors and Symantec Security Information Manager

Security products and operating systems generate many kinds of events. Some events are informational, such as a user logging on, and others may indicate a security threat, such as antivirus software being disabled. Symantec Event Collectors gather, filter, and aggregate these events and forward both the raw and the processed events to Symantec Security Information Manager.

Event collectors collect information from security devices, critical applications, and services, such as the following product types:
- Firewalls
- Routers, switches, and VPNs
- Enterprise Antivirus
- Intrusion detection and intrusion prevention
- Vulnerability scanners
- Authentication servers
- Windows and UNIX system logs

Information Manager stores the event data in event archives and correlates the events with threat and asset information. If a security event triggers a correlation rule, Information Manager creates a security incident. Information Manager provides real-time event correlation and data archiving to protect against security threats and to preserve critical security data.

About Universal Event Collectors

Universal Event Collectors let you collect events from a point product when a Symantec Event Collector is not available for that point product. You define a custom event parsing definition so that Information Manager can interpret the events. You configure a Universal collector like you configure all other collectors: by creating a sensor configuration and defining sensor properties. You then set up a custom event parsing definition.

The following Universal Event Collectors are available:
- Universal LogFile Event Collector
  Collects events from products that log to text files.
- Universal Syslog Event Collector
  Collects events from products that log events by using the Syslog protocol.
- Universal Event Collector for Microsoft Windows
  Collects events from Microsoft Windows event logs.
- Universal Event Collector for Microsoft Windows Vista
  Collects events from Microsoft Windows Vista, Windows Server 2008, and Windows 7 event logs.

For detailed information on installation and configuration, see the Symantec Universal Event Collectors 4.4 for Symantec Security Information Manager 4.7 Implementation Guide.

Major components of Information Manager and collectors

Table 1-1 Major components of Information Manager and collectors

Component: Information Manager
Description: Refers to the Symantec Security Information Manager where events are processed and stored. Allows for the centralized collection, classification, and normalization of events to enable alerts and reports across managed security products.

Component: Symantec Event Agent
Description: Refers to the Java application that performs the communication functions for the Information Manager components on the system on which it is installed.

Component: Collector
Description: Refers to an application that collects events from security products, processes them, and passes them to the Agent.

Component: Sensor
Description: Refers to the component of the collector that reads events from a file, database, syslog, Windows event log, or other medium. The sensor then passes the events to the collector components. The information is then delivered to the Agent for transmission to Information Manager.

Component: Security or Point product
Description: Refers to the software product, such as a firewall, anti-virus software, or an operating system. The security product ensures that data is not vulnerable to unauthorized use or access and is the source of events to the collector.

Figure 1-1 Collector component overview

See About Symantec Event Collectors and Symantec Security Information Manager on page 12.

Where to find more information about Information Manager

For more information about Information Manager, a knowledge base is available on the Symantec Technical Support Web site at the following URL:

The knowledge base link is listed under Technical Support. You can find the Information Manager knowledge base that is listed under Security Management.

In the Downloads section of the site, you can obtain updated versions of the documentation, which includes the following guides:
- Symantec Security Information Manager Administrator's Guide
- Symantec Security Information Manager Installation Guide

See About Symantec Event Collectors and Symantec Security Information Manager on page 12.

Accessing Help for the console

Symantec Security Information Manager provides context-sensitive help for the console and for each of the views that are available in the View menu.

To access Help for the console
- In any window, press F1.

Chapter 2 Installing Symantec Event Collectors

This chapter includes the following topics:
- Before you install collectors
- Installation and configuration tasks for collectors
- Registering Collectors
- Installing the collector on a remote computer
- Installing collectors on an Information Manager server
- Verifying Symantec Event Agent and collector installation
- Installing queries on Information Manager

Before you install collectors

You must perform the following tasks before you install the collector:
- Meet requirements for both the point product and the collector
  See Requirements for point products and the collectors on page 18.
- Update the hosts file
  See Updating the hosts file on a computer that hosts collectors on page 19.
- Run LiveUpdate before upgrading an earlier collector
  See Running LiveUpdate for collectors on page 75.

Note: When you unregister a Symantec event collector from an Information Manager server, all of the collector configurations are removed. When upgrading collectors, in order to move your Symantec event collector configurations from a previous version, run the update package. Do not upgrade collectors manually.

Requirements for point products and the collectors

Each collector is compatible with specific versions of a point product.

See Before you install collectors on page 17.

Depending on the collector, a collector can run on the following operating systems:
- Microsoft Windows 2000 with Service Pack 4 or later
- Microsoft Windows Advanced Server 2000 with Service Pack 4 or later
- Microsoft Windows Server 2003 Enterprise Edition with Service Pack 1 or later
- Microsoft Windows Server 2003 Enterprise Edition with Service Pack 2 or later
- Microsoft Windows Server 2003 Standard Edition with Service Pack 2 or later
- Microsoft Windows XP with Service Pack 2 or later
- Microsoft Windows Server 2008 with Service Pack 1 or later
- Microsoft Windows Vista with Service Pack 1 or later
- Microsoft Windows 7
- Red Hat Enterprise Linux AS 3.0
- Red Hat Enterprise Linux AS 4.0
- Red Hat Enterprise Linux AS 5.0
- Sun Solaris (SPARC) 8.0, 9.0, and 10.0
- SuSE Linux Enterprise 10

Note: Home Editions of Microsoft client operating systems are not supported.

Note: You can install version 4.3 or later collectors on both 32-bit and 64-bit versions of Windows Server 2000/2003/2008. You can install version 4.2 collectors only on the 32-bit version of Windows Server 2000/2003/2008.

Note: If you install a collector on a computer that runs Windows 7, Windows Vista, or Windows Server 2008, you must adhere to the following conditions: You must use Symantec Event Agent 4.7, and you must run the collector installer from an Administrator command prompt. See the quick reference guide for the collector.

Minimum system requirements for a remote collector installation are as follows:
- Intel Pentium-compatible 133-MHz processor (up to and including Xeon-class), or SPARC IIIi or later
- 512 MB minimum, 1 GB of memory recommended for the Symantec Event Agent
- 35 MB of hard disk space for collector program files
- 95 MB of hard disk space to accommodate the Symantec Event Agent, the JRE, and the collector
- TCP/IP connection to a network from a static IP address

Updating the hosts file on a computer that hosts collectors

The hosts file contains IP address and host name mapping information. You must manually update the hosts file on computers where collectors are to be installed if there is no fully-qualified domain name for the Information Manager server. You must also manually update the hosts file if you do not use a Domain Name System (DNS) server. You must add the IP address and host name information that is relevant to Information Manager and to the collectors that collect event data. Host names must be fully-qualified domain names.

See Before you install collectors on page 17.

To update the hosts file

1 Navigate to the directory of the hosts file as follows:
  - On Windows, the hosts file is located in C:\WINDOWS\system32\drivers\etc folder.
  - On UNIX, the hosts file is located in the /etc directory.
2 Use a text editor, such as Notepad for Windows, or vi for UNIX, to open the hosts file.

3 Add the IP address and host name entries for the Information Manager server. Follow the instructions that are provided in the hosts file to add IP address and host name mapping information to the file. Use a tab between the IP address and host name.
4 After you have added the IP address and host name, save and close the file. You should ensure that the text editor that you use did not add a file extension.

Installation and configuration tasks for collectors

Collector installation and configuration includes the following major tasks:

- Preinstallation requirements.
  Depending on the collector, a collector can run on various operating systems. See the quick reference guide for the collector for specific operating system requirements.
  See Requirements for point products and the collectors on page 18.
  You must manually update the hosts file if there is no fully-qualified domain name or DNS server record for the Information Manager server.
  See Updating the hosts file on a computer that hosts collectors on page 19.

- Registration of the collector.
  For all collector installations off the Information Manager server, the Information Manager server requires you to register the collector for configuration settings and event schema.
  See Registering Collectors on page 23.

- Installation of the Symantec Event Agent.
  You must install the Symantec Event Agent on the same computer as the collector. You should also verify Symantec Event Agent installation and operation.
  For detailed information, see the Symantec Event Agent 4.7 Implementation Guide.

- Installation of the collector component.
  You must install the collector component to read data from the security or point product. You can install all collectors on a remote computer. You can install most collectors on the Information Manager server itself.
  See Installing the collector on a remote computer on page 24.
  See Installing collectors on an Information Manager server on page 25.
  You should also verify collector installation.
  See Verifying Symantec Event Agent and collector installation on page 26.

- Configuration of the point product.
  See the quick reference guide for the collector for point product configuration instructions.
  See About configuring the point product to work with the collector on page 29.

- Configuration of the collector.
  Depending on the collector, you can configure the collector in the following ways:
  - Create and configure the sensor.
    See Creating collector configurations and configuring sensors on page 31.
  - Enable the collector to collect the entire raw event message from the point product as well as the parsed fields. When raw event logging is enabled, the raw event (which is sent to the collector to be translated) is also sent to Information Manager.
    See Configuring collector raw event logging on page 55.
  - Configure event filtering and aggregation.
    See Configuring event filtering on page 59.
    See Configuring event aggregation on page 63.
  You should also verify collector configuration.
  See Verifying collector configuration on page 56.

The following installation and configuration tasks depend on various factors:

- A collector that uses a database sensor to collect events requires the completion of additional tasks.
  Before you use a database sensor collector, you must complete various installation and configuration tasks that are related to the database that is used.
  See Installing collectors that use a database sensor on page 79.

- A collector that uses a syslog sensor to collect events can possibly use Syslog Director.
  Syslog Director accepts syslog events from any point product that is installed on the Information Manager server.
  See About Syslog Director 4.3 on page 69.

- Retrieval of support for new events and query updates.
  You can run LiveUpdate to receive collector updates such as support for new events and query updates.
  See Running LiveUpdate for collectors on page 75.

- Deploying many collectors.
  If you need to configure many collectors at once, you can create a csv-formatted file for deployment.
  See Configuring many sensors for collectors on page 107.

- Uninstallation of the collector and its components.
  You can uninstall the collector and its components.
  See Uninstalling the collector and its components on page 103.

Registering Collectors

The Information Manager configuration Web site provides a page to register and to unregister the configuration settings and event schema. The Information Manager server requires these settings and schema to recognize and to log events from the point product.

You must register the collector for all remote installations. If you use a collector that resides on the Information Manager server, you do not need to install the agent and you do not need to register the collector.

See Installation and configuration tasks for collectors on page 20.

To register a collector

1 Launch the Information Manager Web site at the following URL:
  Symantec recommends that you use the Fully Qualified Domain Name of the Information Manager. If you have the SSIM Client console open, you should close it.
2 From the Information Manager configuration Web site, click Settings > Collector Registration.
3 On the page that appears, click Register.

4 In the first box provided, type (or click Browse to select) the path to the collector_name.sip file that was provided with your collector installation package. You can select paths for up to 5 files. The default location for this file is the sip/ subdirectory of the collector installation package.
5 Click Begin Registration.

Installing the collector on a remote computer

The collector component reads the data from the security product, formats the data, and forwards it to the Symantec Event Agent. The collector computer must have access to the product that you want to monitor.

Before you install the collector component, you must complete the following tasks in the order shown:
- Register the collector
  See Registering Collectors on page 23.
- Install the Symantec Event Agent on the remote computer.

Note: You must install the agent for all remote installations. If you use a collector that resides on the Information Manager server, you do not have to install the agent.

See Installation and configuration tasks for collectors on page 20.

When you have completed the installation of the collector on a remote computer, you should verify that the Symantec Event Agent and collector are running.

See Verifying Symantec Event Agent and collector installation on page 26.

To install the collector on a remote computer

1 On the collector computer, navigate to the install subdirectory of the collector installation files.
  You must install some collectors on the same computer as the product for which they collect events. See the quick reference guide for the specific collector for more information.
2 At a command prompt, do one of the following steps:
  - On Windows, type the following command:
      install.bat
    On Windows Vista, Windows Server 2008, and Windows 7, this command must be run from a command prompt which has Administrator privileges.
  - On UNIX, type the following command:
      sh ./install.sh
3 Follow the installation wizard prompts.

Installing collectors on an Information Manager server

You can install most 4.3 or later collectors on the Information Manager server. If you install the collector on the Information Manager server, you do not need to register the collector nor install the Symantec Event Agent.

See Installation and configuration tasks for collectors on page 20.

To install a 4.3 or later collector on an Information Manager server

1 Contact Symantec for the collector 4.3 or later installation package.
2 Unzip the installation package onto your Information Manager client computer.
  The installation package includes a subdirectory that is named appliance. The appliance subdirectory contains a file that is named as follows:
      install-collector_namecollector.jar
  where collector_name represents the name of the collector.
3 From a Web browser, navigate to the Information Manager Administrator Web page, and then log in with administrator credentials. The URL is as follows:
  Symantec recommends that you use the Fully Qualified Domain Name of the Information Manager.
4 From the list on the left, click Maintenance > System Updates.
5 From Options, click Install, and then browse to the server directory where you unzipped the installation package (see step 2).
6 Select the install-collector_namecollector.jar file and click Upload and Install.

7 In the Confirm Installation page, click Continue.
  The status of the install process is displayed.
8 When done, close the Information Manager Administrator Web page.

Verifying Symantec Event Agent and collector installation

To verify the Symantec Event Agent and collector installation, you must complete the following procedures in the order presented:
- On the collector computer, verify that the appropriate services or daemons are started. On a Windows computer, you verify that services have started. On a UNIX computer, you verify that daemons have started.
  See To verify that the appropriate services have started on Windows on page 26.
  See To verify that the appropriate daemons have started on UNIX on page 26.
- Verify that the Symantec Event Agent and collector are running.
  See To verify that the Symantec Event Agent and collector are running on page 26.

To verify that the appropriate services have started on Windows

1 On the collector computer, from the Start menu, click Settings > Control Panel.
2 In the Control Panel window, select Administrative Tools.
3 In the Administrative Tools window, select Services.
4 In the Services dialog box, verify that the Symantec Event Agent Manager and Symantec Event Agent services are listed and are started.

To verify that the appropriate daemons have started on UNIX

1 On the collector computer, become superuser.
2 At the command prompt, type the following command:
      ps -ef | grep sesagentd
3 Verify that the sesagentd process exists.

To verify that the Symantec Event Agent and collector are running

1 On the collector computer, navigate to the Agent directory as follows:
  - On Windows, the default location is C:\Program Files\Symantec\Agent
  - On UNIX, the default location is /opt/symantec/sesa/agent
    On UNIX, you must become superuser.
2 To access the Collector and Agent Management scripts, at the command prompt, do one of the following steps:
  - On Windows, type the following command:
      agentmgmt.bat
  - On UNIX, type the following command:
      sh ./agentmgmt.sh
3 At the SSIM Collector / Agent Management Scripts menu, select the following option:
      1. Show Agent Status

Installing queries on Information Manager

Some collector packages include Information Manager queries. You can import these queries into Information Manager to provide detailed reporting on point product events. You can use queries as a template from which to create new queries. To find out if the collector includes queries, see the quick reference guide for the collector.

You can launch the SSIM Client to view the new queries. The queries are listed in Events > System Queries > Product Queries > Collector_Name.

Note: If you have multiple Information Manager servers, you must install the collector query package on the primary directory server for Information Manager. You must then replicate the queries from the primary directory server to all of the secondary Information Manager servers.

See To replicate the queries to other servers on page 28.

To install queries on Information Manager

1 On the collector computer, launch the Information Manager Configuration Web site at the following URL:
  Symantec recommends that you use the Fully Qualified Domain Name of the Information Manager.
2 In the toolbar, click Maintenance > System Updates.
3 In the left pane, click Install.
4 In the right pane, click Browse to navigate to the <queriespackagename>.jar file that is located in the utils subdirectory of the collector installation directory:
      utils/queries
  Note: Some older collector queries packages are found in a .tar.gz file. Queries packages that are found in a .tar.gz file have different installation steps. These installation steps are found in the installqueries.readme file that is located near the .tar.gz file.
5 Click Upload and Install.
6 To verify that you have installed the queries package, click Status.

To replicate the queries to other servers

1 Launch the Information Manager Configuration Web site at the following URL:
  Symantec recommends that you use the Fully Qualified Domain Name of the Information Manager.
2 In the toolbar, click Settings > Collector Registration.
3 In the left pane, click Synchronize.
4 Complete the following fields:
  - Source Database: Specify the primary directory server for Information Manager.
  - Target Database: Specify all secondary Information Manager servers.
5 Click Start.
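The hosts-file update described earlier in this chapter (Updating the hosts file on a computer that hosts collectors) can be checked with a short script before the collector is installed. The following is an added example, not part of the Symantec guide; the function name check_hosts_entry, its return codes, and the host name in the usage comment are assumptions made for illustration. It confirms that the Information Manager name is fully qualified, appears in an uncommented entry, and maps to a single address, so that the collector computer does not send events to an unintended host.

```shell
#!/bin/sh
# Added example (not from the Symantec guide): check the hosts-file mapping
# for the Information Manager server on a collector computer.
#
# Usage: sh check_hosts.sh /etc/hosts ssim.example.com   (constructed host name)
#
# check_hosts_entry HOSTS_FILE FQDN
#   0  exactly one address is mapped to FQDN; the address is printed
#   1  no active (uncommented) entry names FQDN
#   2  FQDN is not fully qualified (the procedure requires FQDNs)
#   3  FQDN is mapped to more than one address (ambiguous destination)
#   4  HOSTS_FILE does not exist (for example, it was saved as hosts.txt)
check_hosts_entry() {
    hosts_file=$1
    fqdn=$2

    # Host names in the hosts file must be fully-qualified domain names.
    case $fqdn in
        *.*) ;;
        *) echo "not fully qualified: $fqdn" >&2; return 2 ;;
    esac

    if [ ! -f "$hosts_file" ]; then
        # Step 4 of the procedure: some editors save "hosts" as "hosts.txt".
        if [ -f "$hosts_file.txt" ]; then
            echo "found $hosts_file.txt; remove the added extension" >&2
        else
            echo "hosts file not found: $hosts_file" >&2
        fi
        return 4
    fi

    awk -v want="$fqdn" '
        BEGIN { want = tolower(want) }
        {
            sub(/\r$/, "")      # accept files saved with Windows line endings
            sub(/#.*/, "")      # ignore comments and commented-out entries
            if (NF < 2) next    # need an address and at least one name
            for (i = 2; i <= NF; i++)
                if (tolower($i) == want && !($1 in seen)) {
                    seen[$1] = 1
                    addr[++n] = $1
                }
        }
        END {
            if (n == 0) exit 1
            if (n > 1) {
                for (i = 1; i <= n; i++)
                    print "conflicting entry: " addr[i] > "/dev/stderr"
                exit 3
            }
            print addr[1]
        }' "$hosts_file" || return $?
    return 0
}

# Command-line entry point: runs only when both arguments are supplied.
if [ "$#" -eq 2 ]; then
    check_hosts_entry "$1" "$2"
    exit $?
fi
```

On Windows the same checks apply to the hosts file in the folder named in step 1 of the procedure; the script itself is written for the UNIX collector hosts.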

Chapter 3 Configuring point products

This chapter includes the following topics:
  - About configuring the point product to work with the collector

About configuring the point product to work with the collector

After you have installed the necessary collector components, you may need to configure the point product to make the event information available to the collector. For example, if the collector uses a syslog sensor, you must configure the point product to send syslog events to the collector. For more information, see the quick reference guide for the specific collector.


Chapter 4 Configuring collectors

This chapter includes the following topics:
  - Creating collector configurations and configuring sensors
  - Creating a new collector configuration
  - Configuring the collector sensor to receive security events
  - Adding, renaming, deleting, and disabling sensors
  - Importing and exporting sensor properties
  - Globally updating sensor properties
  - About sensor properties for common sensor types
  - Configuring collector raw event logging
  - Verifying collector configuration

Creating collector configurations and configuring sensors

You must create a new collector configuration for each collector. The creation of configurations includes the following tasks:

  - Creating a new configuration. All collectors include a collector configuration named Default that you cannot use. You must create a new one. See Creating a new collector configuration on page 33.

  - Configuring the collector sensor to receive security events. After you create a collector configuration, you create and configure the sensor. See Configuring the collector sensor to receive security events on page 33.
  - Adding, renaming, deleting, and disabling sensors. You can add, rename, delete, and disable sensors. See Adding, renaming, deleting, and disabling sensors on page 34.
  - Configuring sensor properties. Most collectors use one of the following sensor types, which you must configure:
      DB Sensor
      LogFile Sensor
      LotusNotesDB Sensor
      OpsecLea Sensor
      SDEE Sensor
      SNMP Sensor
      SysLog Sensor
      SyslogFile Sensor
      Windows EventLog Sensor
      WS-Management Sensor
    See About sensor properties for common sensor types on page 37. For specific sensor properties, see the quick reference guide for the collector.
  - Importing and exporting sensor properties, optional. Some database sensor collectors are compatible with more than one type of database. An alternate sensor property file is provided. See Importing and exporting sensor properties on page 35.
  - Globally updating sensor properties. If you have many sensors that are within the same configuration, you can update them all at once. See Globally updating sensor properties on page 36.

See Installation and configuration tasks for collectors on page 20.

Creating a new collector configuration

Collectors use sensors that you must configure to receive security events. Sensor properties are set within collector configurations. Collectors include a collector configuration named Default. You cannot use this configuration; you must create a new one.

Note: Do not use special characters such as <, &, and ' (single quotes) while naming a sensor.

See Creating collector configurations and configuring sensors on page 31.
See Configuring the collector sensor to receive security events on page 33.

To create a new collector configuration

1 In the Information Manager console, in the left pane, click System.
2 From the Product Configurations tab, expand the tree until you see the collector name.
3 Right-click the collector name, and then choose New.
4 On the Create a New Configuration wizard page, click Next.
5 On the General page, enter a name and a description for the new configuration, and then click Next.
6 On the Computers page, do the following steps in the order given:
  - Click Add.
  - Under the Available computers column, click a system from the list, then click Add. In order for a computer to be listed, the Symantec Event Agent must be installed on this computer.
  - Click OK, then click Next.
7 On the Configuration summary panel, make changes to any of your previous selections.
8 Click Finish, and then click Close.

Configuring the collector sensor to receive security events

Before you configure a sensor, you must create a collector configuration.

See Creating a new collector configuration on page 33.

After you create a collector configuration, you must configure its sensor or sensors to receive security events. After the collectors are configured, or when a change is made to sensor properties, you must distribute the collector configuration to the collector computers.

See Creating collector configurations and configuring sensors on page 31.

To configure the collector sensor to receive security events

1 In the Information Manager console, in the left pane, click System.
2 Select the Product Configurations tab, and then expand the tree until you see the collector name.
3 In the left pane, select the appropriate configuration.
4 In the right pane, on the sensor tab, under the list of sensors, click the sensor. You can rename the sensor, add new sensors, and delete sensors. See Adding, renaming, deleting, and disabling sensors on page 34.
5 In the sensor property table under the Value column, change any of the information. See About sensor properties for common sensor types on page 37. For specific sensor settings, see the quick reference guide for the collector.
6 Enable the sensor by checking the box next to the sensor name.
7 Click Save.
8 In the left pane, right-click the appropriate configuration, and then right-click Distribute.
9 When you are prompted to distribute the configuration, click Yes.
10 In the Configuration Viewer window, click Close.

Adding, renaming, deleting, and disabling sensors

When you create a new collector configuration, a sensor is automatically created for you. You may create additional sensors, rename the sensor, delete the sensor, or disable the sensor.

See Creating a new collector configuration on page 33.
See Creating collector configurations and configuring sensors on page 31.

To add, rename, delete, or disable a sensor

1 In the Information Manager console, in the left pane, click System.
2 Select the Product Configurations tab, and then expand the tree until you see the collector name.
3 In the left pane, select the appropriate configuration.
4 In the right pane, select the sensor tab, and then, under the list of sensors, do any of the following:
  - To add a sensor, click the plus (+) button. By default, the sensors that you create are named Sensor 1, Sensor 2, Sensor 3, and so on.
  - To rename a sensor, double-click in the sensor name box, and type in a new name.
  - To delete a sensor, click the minus (-) button. You cannot delete the default sensor.
  - To delete all sensors, click the trash can button.
  - To disable a sensor, but not delete it, uncheck the sensor.
5 Click Save.
6 In the left pane, right-click the appropriate configuration name, and then click Distribute to update the collector on the target computer with new properties.
7 When you are prompted to distribute the configuration, click Yes.

Importing and exporting sensor properties

You may want to back up and recover sensor properties for any sensor type. Also, some database sensor collectors are compatible with more than one type of database. An alternate sensor property file is provided. You can both import sensor properties from an XML file and export sensor properties to an XML file.

See Creating collector configurations and configuring sensors on page 31.

To import and export sensor properties

1 In the Information Manager console, in the left pane, click System.
2 Select the Product Configurations tab, and then expand the tree until you see the collector name.

3 In the left pane, select the appropriate configuration.
4 In the right pane, on the sensor tab, do one of the following tasks:
  - If you want to import a configuration from an XML file, click the Import configuration from XML file button, and then, in the Import Configuration From File window that appears, specify the XML file from which you want to import the configuration.
  - If you want to export the selected configuration to an XML file, click the Export configuration to XML file button, and then, in the Export Configuration to File window that appears, specify a filename to which to export the configuration.

Globally updating sensor properties

You can copy selected sensor properties to other sensors that are within the same configuration. This feature is particularly useful if you have many sensors that you need to update; for example, if a password changes.

See Configuring the collector sensor to receive security events on page 33.
See Creating collector configurations and configuring sensors on page 31.

To globally update sensor properties

1 In the Information Manager console, in the left pane, click System.
2 Select the Product Configurations tab, and then expand the tree until you see the collector name.
3 In the left pane, select the appropriate configuration.
4 In the right pane, on the sensor tab, select a sensor so that it appears highlighted.
5 In the right pane, on the lower right, click Global Update.
6 In the Select Properties for Global Update window, place a checkmark next to the property whose value you want to propagate to all other sensors within the same configuration.
7 Click OK to complete the global update process.
8 Proceed to change the sensor properties as needed. For sensor properties, see the quick reference guide for the collector.
9 In the left pane, right-click the configuration, and then click Distribute.
10 When you are prompted to distribute the configuration, click Yes.

About sensor properties for common sensor types

The most common sensor types are as follows:
  - DB Sensor: See Sensor properties for the DB sensor on page 37.
  - LogFile Sensor: See Sensor properties for the LogFile sensor on page 42.
  - LotusNotesDB Sensor: See Sensor properties for the LotusNotesDB sensor on page 43.
  - OpsecLea sensor: See Sensor properties for the OpsecLea sensor on page 44.
  - SNMP Sensor: See Sensor properties for the SNMP sensor on page 48.
  - SysLog Sensor: See Sensor properties for the SysLog sensor on page 49.
  - SyslogFile Sensor: See Sensor properties for the SyslogFile sensor on page 49.
  - Windows EventLog Sensor: See Sensor properties for the Windows EventLog sensor on page 53.
  - WS-Management Sensor: See Sensor properties for the WS-Management sensor on page 53.

For properties of a custom sensor, or specific settings for a particular collector, see the quick reference guide for the collector.

Sensor properties for the DB sensor

See About sensor properties for common sensor types on page 37.

Table 4-1 DB sensor properties

Sensor property: JDBC Drivers Directory
Description: Specify the path where the database driver is installed. If the collector is installed on the Information Manager server, the default directory is one of the following paths:
  - For Sybase, the path is as follows:
    /opt/symantec/simserver/collectors/drivers/jconnect-6_0
  - For Microsoft SQL Server, the paths are as follows:
    For Microsoft SQL Server 2005 JDBC Driver version 1.2:
    /opt/symantec/simserver/collectors/drivers/mssqljdbc_2005/enu
    For Microsoft SQL Server 2000 JDBC Driver SP3:
    /opt/symantec/simserver/collectors/drivers/mssqljdbc_2000/lib
    For Microsoft SQL Server JDBC Driver 2.0:
    /opt/symantec/simserver/collectors/drivers/sqljdbc_2.0/enu
    Note: The Microsoft SQL Server JDBC Driver 2.0 is only preinstalled on Information Manager and higher.
  - For MySQL, the path is as follows:
    /opt/symantec/simserver/collectors/drivers/mysql-connector-java
  - For PostgreSQL, the path is as follows:
    /opt/symantec/simserver/collectors/drivers/postgresql
  - For IBM DB2, the path is as follows:
    /opt/symantec/simserver/collectors/drivers/v9fp2_db2driver_for_jdbc_sqlj

Sensor property: Database URL
Description: The collector includes a default database URL that can include any of the following items:
  - Type of database driver that is used
  - Instance name
  - Host name
  - TCP port
  - Database name

Example database URL formats are as follows:
  - If you use a Microsoft SQL Server 2005 JDBC Driver 1.2 or Microsoft SQL Server JDBC Driver 2.0, the database URL format is as follows:
    jdbc:sqlserver://host_name_or_ip_address_of_the_database_server:1433;databasename=database_name
    For example, to connect to a Microsoft SQL Server database named MyDatabase on the localhost server, with the SQL Server listening for connections on the default port number 1433, you would use the following URL:
    jdbc:sqlserver:// :1433;databasename=mydatabase
  - If you use a Microsoft SQL Server 2000 database and JDBC Driver, the database URL format is as follows:
    jdbc:microsoft:sqlserver://host_name_or_ip_address_of_the_database_server:1433;DatabaseName=database_name
  - If you use a MySQL database, the database URL format is as follows:
    jdbc:mysql://ip_address:port_number/databasename=database_name
    For example, to connect to a MySQL database named MyDatabase on the server at , with the MySQL server listening for connections on the default port number 3306, you would use the following URL:
    jdbc:mysql:// :3306/databasename=mydatabase
  - If you use a Sybase database, the database URL format is as follows:
    jdbc:sybase:tds:host:port
    For example, to connect to a Sybase database on the server at , with the Sybase server listening for connections on the default port number 2638, you would use the following URL:
    jdbc:sybase:tds: :2638
  - If you use an Oracle database, the database URL format is as follows:
    jdbc:oracle:thin:@ip_address:1521:system_identifier_(sid)
    For example, to connect to an Oracle database named MyDatabase on the server at , with the Oracle server listening for connections on the default port number 1521, you would use the following URL:
    jdbc:oracle:thin:@ :1521:mydatabase

Note: If you are not using the default port number, you must replace the default port number in the URL.

Sensor property: User Name
Description: Specify the read-only database user account name for the database.

Sensor property: Password
Description: Specify the password for the database user account name for the database.

Sensor property: Start Reading From
Description: Specify from where to start reading the database upon the initial start of the collector as follows:
  - BEGINNING: Specifies that the database is read from the beginning.
  - END: Specifies that the database is read from the end. Only events that are written to the database after the collector starts are read.
Note: This setting is only used the first time that the collector is run. After that, a reference to the last database record read by the collector is stored in a last position file. If the collector is restarted, the collector resumes reading from the database at that last record.

Sensor property: Execution Time
Description: (Optional) This option is not supported by all collectors. Collectors that support this option are indicated in the collector documentation.

Time is entered in 24-hour clock time. You can schedule the collector to send events on a specific day, every day at a specified time, every week, or on a specified number of weeks. The time that is specified in the Execution Time field must use the same time zone and system clock as the collector computer. If the first batch has not finished before the second batch needs to start, the second batch is skipped.

Execution Time syntax is as follows:
  <Every day/every n days/every week/every n weeks> On <Sun/Mon/Tue/Wed/Thu/Fri/Sat> at <n:n:n>,<n:n:n>, <Sun/Mon/Tue/Wed/Thu/Fri/Sat> at <n:n:n>,<n:n:n>

Examples are as follows:
  5:00:00
      Send events every day at 5:00 a.m.
  5:0:0,17:0:0
      Send events every day at 5:00 a.m. and 5:00 p.m.
  Every day at 7:0:0,19:0:0
      Send events every day at 7:00 a.m. and 7:00 p.m.
  Every 2 days at 0:0:0,12:0:0
      Send events every other day at midnight and noon. If a specified time has not passed, events are sent on the same day; if a specified time has already passed, events are sent in 2 days.
  On Sun, Wed at 8:30:0,20:30:0
      Send events on Sunday and Wednesday at 8:30 a.m. and 8:30 p.m. (This value is the same as Every Week on Sun, Wed at 8:30,20:30.)
  Every week on Mon, Fri at 7:0:0,14:0:0
      Send events on Monday and Friday at 7:00 a.m. and 2:00 p.m. (This value is the same as On Mon, Fri at 7:0:0,14:0:0.)
  Every 2 weeks on Tue, Sat at 7:0:0,19:0:0
      Send events every 2 weeks on Tuesday and Saturday at 7:00 a.m. and 7:00 p.m.
  Every 3 weeks on Thu at 7:0:0, Tue at 7:0:0,14:0:0
      Send events every 3 weeks on Thursday at 7:00 a.m. and on Tuesday at both 7:00 a.m. and 2:00 p.m.
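The Execution Time syntax above can be checked before a configuration is distributed. The following Python parser is an added example, not Symantec code: it normalizes a value into interval, unit and (day, time) slots and reports the shortest gap between two scheduled batches, which matters because a batch that overruns the next start time causes that next batch to be skipped. The function names, the returned dictionary layout, the case-insensitive matching, and the Sunday-first week used for the gap calculation are assumptions of this example.

```python
import re

DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]

# "Every day", "Every 2 days", "Every week", "Every 3 weeks" (case-insensitive).
PREFIX = re.compile(r"every\s+(?:(\d+)\s+)?(days?|weeks?)\b", re.I)
# One comma-separated piece: optional day name, optional "at", optional time.
PIECE = re.compile(
    r"(?:(sun|mon|tue|wed|thu|fri|sat)\b)?\s*(?:at\b)?\s*"
    r"(?:(\d{1,2}):(\d{1,2})(?::(\d{1,2}))?)?$",
    re.I,
)


def parse_execution_time(value):
    """Parse an Execution Time value into a normalized schedule dict.

    Returns {"unit": "day" | "week", "interval": n, "slots": [(day, (h, m, s))]}
    where day is None for daily schedules. Raises ValueError on bad input.
    """
    rest = value.strip()
    unit, interval = "day", 1
    prefix = PREFIX.match(rest)
    if prefix:
        interval = int(prefix.group(1) or 1)
        unit = "week" if prefix.group(2).lower().startswith("week") else "day"
        rest = rest[prefix.end():].strip()
        if interval < 1:
            raise ValueError("interval must be at least 1")
    on = re.match(r"on\b\s*", rest, re.I)
    if on:
        if prefix and unit == "day":
            raise ValueError("day names need a weekly schedule")
        unit = "week"  # "On Sun, Wed at ..." equals "Every week on Sun, Wed at ..."
        rest = rest[on.end():]

    slots, active, active_has_time = [], [], False
    for raw in rest.split(","):
        piece = PIECE.match(raw.strip())
        if not piece or (piece.group(1) is None and piece.group(2) is None):
            raise ValueError(f"cannot parse {raw.strip()!r}")
        if piece.group(1):
            if unit != "week":
                raise ValueError("day names need a weekly schedule")
            if active_has_time:  # a day after a time starts a new day group
                active, active_has_time = [], False
            active.append(piece.group(1).capitalize())
        if piece.group(2) is not None:
            h, m, s = int(piece.group(2)), int(piece.group(3)), int(piece.group(4) or 0)
            if h > 23 or m > 59 or s > 59:
                raise ValueError(f"time out of range in {raw.strip()!r}")
            if unit == "week" and not active:
                raise ValueError("weekly schedule needs a day name")
            slots.extend((day, (h, m, s)) for day in (active or [None]))
            active_has_time = True
    if active and not active_has_time:
        raise ValueError("day name without a time")
    return {"unit": unit, "interval": interval, "slots": slots}


def min_gap_seconds(schedule):
    """Shortest time between two consecutive batch starts, in seconds.

    Assumption of this example: weekly slots all fall in one Sunday-first week
    of each cycle, so the wrap-around gap spans the skipped weeks.
    """
    cycle = schedule["interval"] * 86400 * (7 if schedule["unit"] == "week" else 1)
    offsets = sorted({
        (DAYS.index(day) if day else 0) * 86400 + h * 3600 + m * 60 + s
        for day, (h, m, s) in schedule["slots"]
    })
    gaps = [b - a for a, b in zip(offsets, offsets[1:])]
    gaps.append(cycle - offsets[-1] + offsets[0])
    return min(gaps)


if __name__ == "__main__":
    # Values taken from the examples listed in the Execution Time description.
    for text in ("5:0:0,17:0:0",
                 "Every 2 days at 0:0:0,12:0:0",
                 "On Sun, Wed at 8:30:0,20:30:0",
                 "Every 3 weeks on Thu at 7:0:0, Tue at 7:0:0,14:0:0"):
        sched = parse_execution_time(text)
        print(f"{text!r}: every {sched['interval']} {sched['unit']}(s), "
              f"{len(sched['slots'])} slot(s), "
              f"shortest gap {min_gap_seconds(sched) / 3600:.1f} h")
```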


More information

Email Encryption. Administrator Guide

Email Encryption. Administrator Guide Email Encryption Administrator Guide Email Encryption Administrator Guide Documentation version: 1.0 Legal Notice Copyright 2015 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo,

More information

Altiris Monitor Solution for Servers 7.5 from Symantec User Guide

Altiris Monitor Solution for Servers 7.5 from Symantec User Guide Altiris Monitor Solution for Servers 7.5 from Symantec User Guide Altiris Monitor Solution for Servers 7.5 from Symantec User Guide The software described in this book is furnished under a license agreement

More information

Symantec Enterprise Vault Technical Note

Symantec Enterprise Vault Technical Note Symantec Enterprise Vault Technical Note Configuring Internal and External WebApp URLs for OWA 2007 SP4 and later Symantec Enterprise Vault: Configuring Internal and External WebApp URLs for OWA The software

More information

Altiris Monitor Solution for Servers 7.1 SP1from Symantec User Guide

Altiris Monitor Solution for Servers 7.1 SP1from Symantec User Guide Altiris Monitor Solution for Servers 7.1 SP1from Symantec User Guide Altiris Monitor Solution for Servers 7.1 SP1from Symantec User Guide The software described in this book is furnished under a license

More information

Symantec ApplicationHA agent for Internet Information Services Configuration Guide

Symantec ApplicationHA agent for Internet Information Services Configuration Guide Symantec ApplicationHA agent for Internet Information Services Configuration Guide Windows on Hyper-V 6.1 February 2014 Symantec ApplicationHA agent for Internet Information Services Configuration Guide

More information

Symantec NetBackup Vault Operator's Guide

Symantec NetBackup Vault Operator's Guide Symantec NetBackup Vault Operator's Guide UNIX, Windows, and Linux Release 7.5 Symantec NetBackup Vault Operator's Guide The software described in this book is furnished under a license agreement and may

More information

PGP CAPS Activation Package

PGP CAPS Activation Package PGP CAPS Activation Package Administrator's Guide 9.12/10.0 The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

More information

Symantec Security Information Manager 4.6 Administrator's Guide

Symantec Security Information Manager 4.6 Administrator's Guide Symantec Security Information Manager 4.6 Administrator's Guide Symantec Security Information Manager 4.6 Administrator's Guide The software described in this book is furnished under a license agreement

More information

Symantec NetBackup for Microsoft SharePoint Server Administrator s Guide

Symantec NetBackup for Microsoft SharePoint Server Administrator s Guide Symantec NetBackup for Microsoft SharePoint Server Administrator s Guide for Windows Release 7.6 Symantec NetBackup for Microsoft SharePoint Server Administrator s Guide The software described in this

More information

Symantec Security Information Manager 4.7.4 Release Notes

Symantec Security Information Manager 4.7.4 Release Notes Symantec Security Information Manager 4.7.4 Release Notes Symantec Security Information Manager 4.7.4 Release Notes The software described in this book is furnished under a license agreement and may be

More information

Symantec Critical System Protection Agent Event Viewer Guide

Symantec Critical System Protection Agent Event Viewer Guide Symantec Critical System Protection Agent Event Viewer Guide Symantec Critical System Protection The software described in this book is furnished under a license agreement and may be used only in accordance

More information

Symantec Secure Email Proxy Administration Guide

Symantec Secure Email Proxy Administration Guide Symantec Secure Email Proxy Administration Guide Documentation version: 4.4 (2) Legal Notice Copyright 2014 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo

More information

Symantec Enterprise Vault

Symantec Enterprise Vault Symantec Enterprise Vault Setting up SMTP Archiving 10.0 Symantec Enterprise Vault: Setting up SMTP Archiving The software described in this book is furnished under a license agreement and may be used

More information

Symantec Endpoint Protection Integration Component 7.5 Release Notes

Symantec Endpoint Protection Integration Component 7.5 Release Notes Symantec Endpoint Protection Integration Component 7.5 Release Notes Symantec Endpoint Protection Integration Component 7.5 Release Notes Legal Notice Copyright 2013 Symantec Corporation. All rights reserved.

More information

Symantec High Availability Console Installation and Upgrade Guide

Symantec High Availability Console Installation and Upgrade Guide Symantec High Availability Console Installation and Upgrade Guide Windows Server 2008 (x64), Windows Server 2008 R2 (x64) 6.0.1 February 2013 Symantec High Availability Solution Installation and Configuration

More information

Altiris Patch Management Solution for Windows 7.1 SP2 from Symantec User Guide

Altiris Patch Management Solution for Windows 7.1 SP2 from Symantec User Guide Altiris Patch Management Solution for Windows 7.1 SP2 from Symantec User Guide Altiris Patch Management Solution for Windows 7.1 SP2 from Symantec User Guide The software described in this book is furnished

More information

Symantec Patch Management Solution for Windows 7.5 SP1 powered by Altiris User Guide

Symantec Patch Management Solution for Windows 7.5 SP1 powered by Altiris User Guide Symantec Patch Management Solution for Windows 7.5 SP1 powered by Altiris User Guide Altiris Patch Management Solution for Windows 7.5 SP1 from Symantec User Guide The software described in this book is

More information

Symantec Response Assessment module Installation Guide. Version 9.0

Symantec Response Assessment module Installation Guide. Version 9.0 Symantec Response Assessment module Installation Guide Version 9.0 The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

More information

Symantec NetBackup for DB2 Administrator's Guide

Symantec NetBackup for DB2 Administrator's Guide Symantec NetBackup for DB2 Administrator's Guide UNIX, Windows, and Linux Release 7.5 Symantec NetBackup for DB2 Administrator's Guide The software described in this book is furnished under a license agreement

More information

Getting Started with Symantec Endpoint Protection

Getting Started with Symantec Endpoint Protection Getting Started with Symantec Endpoint Protection 20983668 Getting Started with Symantec Endpoint Protection The software described in this book is furnished under a license agreement and may be used only

More information

Symantec Event Collector 4.3 for Cisco PIX Quick Reference

Symantec Event Collector 4.3 for Cisco PIX Quick Reference Symantec Event Collector 4.3 for Cisco PIX Quick Reference Symantec Event Collector for Cisco PIX Quick Reference The software described in this book is furnished under a license agreement and may be used

More information

Symantec Database Security and Audit 3100 Series Appliance. Getting Started Guide

Symantec Database Security and Audit 3100 Series Appliance. Getting Started Guide Symantec Database Security and Audit 3100 Series Appliance Getting Started Guide Symantec Database Security and Audit 3100 Series Getting Started Guide The software described in this book is furnished

More information

Symantec Enterprise Security Manager Modules. Release Notes

Symantec Enterprise Security Manager Modules. Release Notes Symantec Enterprise Security Manager Modules for MS SQL Server Databases Release Notes Release 4.1 for Symantec ESM 9.0.x and 10.0 For Windows 2000/2008 and Windows Server 2003 Symantec Enterprise Security

More information

Symantec Enterprise Vault. Upgrading to Enterprise Vault 11.0.1

Symantec Enterprise Vault. Upgrading to Enterprise Vault 11.0.1 Symantec Enterprise Vault Upgrading to Enterprise Vault 11.0.1 Symantec Enterprise Vault: Upgrading to Enterprise Vault 11.0.1 The software described in this book is furnished under a license agreement

More information

Symantec Enterprise Security Manager Patch Policy Release Notes

Symantec Enterprise Security Manager Patch Policy Release Notes Symantec Enterprise Security Manager Patch Policy Release Notes Symantec Enterprise Security Manager Patch Policy Release Notes The software described in this book is furnished under a license agreement

More information

Symantec NetBackup Desktop and Laptop Option README. Release 6.1 MP7

Symantec NetBackup Desktop and Laptop Option README. Release 6.1 MP7 TM Symantec NetBackup Desktop and Laptop Option README Release 6.1 MP7 2 The software described in this document is furnished under a license agreement and may be used only in accordance with the terms

More information

Configuring Symantec Protection Engine for Network Attached Storage 7.5 for NetApp Data ONTAP

Configuring Symantec Protection Engine for Network Attached Storage 7.5 for NetApp Data ONTAP Configuring Symantec Protection Engine for Network Attached Storage 7.5 for NetApp Data ONTAP Configuring Symantec Protection Engine for Network Attached Storage 7.5 for NetApp Data ONTAP. The software

More information

Veritas Storage Foundation and High Availability Solutions HA and Disaster Recovery Solutions Guide for Enterprise Vault

Veritas Storage Foundation and High Availability Solutions HA and Disaster Recovery Solutions Guide for Enterprise Vault Veritas Storage Foundation and High Availability Solutions HA and Disaster Recovery Solutions Guide for Enterprise Vault Windows Server 2003 Windows Server 2008 5.1 Service Pack 2 Veritas Storage Foundation

More information

Symantec Storage Foundation and High Availability Solutions Microsoft Clustering Solutions Guide for Microsoft SQL Server

Symantec Storage Foundation and High Availability Solutions Microsoft Clustering Solutions Guide for Microsoft SQL Server Symantec Storage Foundation and High Availability Solutions Microsoft Clustering Solutions Guide for Microsoft SQL Server Windows 6.1 February 2014 Symantec Storage Foundation and High Availability Solutions

More information

Altiris Monitor Solution for Servers 7.1 SP1 and Event Console 7.1 MR1 from Symantec Release Notes

Altiris Monitor Solution for Servers 7.1 SP1 and Event Console 7.1 MR1 from Symantec Release Notes Altiris Monitor Solution for Servers 7.1 SP1 and Event Console 7.1 MR1 from Symantec Release Notes Altiris Monitor Solution for Servers 7.1 SP1 and Event Console 7.1 MR1 from Symantec Release Notes The

More information

PGP Desktop Version 10.2 for Mac OS X Maintenance Pack Release Notes

PGP Desktop Version 10.2 for Mac OS X Maintenance Pack Release Notes PGP Desktop Version 10.2 for Mac OS X Maintenance Pack Release Notes Thank you for using this Symantec Corporation product. These Release Notes contain important information regarding this release of PGP

More information

Symantec Security Information Manager 4.8 User Guide

Symantec Security Information Manager 4.8 User Guide Symantec Security Information Manager 4.8 User Guide Symantec Security Information Manager User Guide The software described in this book is furnished under a license agreement and may be used only in

More information

Symantec Enterprise Vault

Symantec Enterprise Vault Symantec Enterprise Vault Setting up SMTP Archiving 11.0 Symantec Enterprise Vault: Setting up SMTP Archiving The software described in this book is furnished under a license agreement and may be used

More information

Symantec Security Information Manager 4.5 Administrator's Guide

Symantec Security Information Manager 4.5 Administrator's Guide Symantec Security Information Manager 4.5 Administrator's Guide Symantec Security Information Manager 4.5 Administrator's Guide The software described in this book is furnished under a license agreement

More information

Symantec NetBackup Clustered Master Server Administrator's Guide

Symantec NetBackup Clustered Master Server Administrator's Guide Symantec NetBackup Clustered Master Server Administrator's Guide for Windows, UNIX, and Linux Release 7.5 Symantec NetBackup Clustered Master Server Administrator's Guide The software described in this

More information

Symantec Mail Security for Microsoft Exchange Management Pack Integration Guide

Symantec Mail Security for Microsoft Exchange Management Pack Integration Guide Symantec Mail Security for Microsoft Exchange Management Pack Integration Guide Symantec Mail Security for Microsoft Exchange Management Pack Integration Guide The software described in this book is furnished

More information

Symantec Event Collector 3.6 for Blue Coat Proxy Quick Reference

Symantec Event Collector 3.6 for Blue Coat Proxy Quick Reference Symantec Event Collector 3.6 for Blue Coat Proxy Quick Reference Symantec Event Collector for Blue Coat Proxy Quick Reference The software described in this book is furnished under a license agreement

More information

Symantec NetBackup for Enterprise Vault Agent Administrator's Guide

Symantec NetBackup for Enterprise Vault Agent Administrator's Guide Symantec NetBackup for Enterprise Vault Agent Administrator's Guide for Windows Release 7.6 The software described in this book is furnished under a license agreement and may be used only in accordance

More information

Veritas Storage Foundation and High Availability Solutions Getting Started Guide

Veritas Storage Foundation and High Availability Solutions Getting Started Guide Veritas Storage Foundation and High Availability Solutions Getting Started Guide Linux 5.1 Service Pack 1 Platform Release 2 Veritas Storage Foundation and High Availability Solutions Getting Started Guide

More information

Symantec NetBackup PureDisk Deduplication Option Guide

Symantec NetBackup PureDisk Deduplication Option Guide Symantec NetBackup PureDisk Deduplication Option Guide Windows, Linux, and UNIX Release 6.6.5 Revision 1 The software described in this book is furnished under a license agreement and may be used only

More information

Backup Exec 15. Quick Installation Guide

Backup Exec 15. Quick Installation Guide Backup Exec 15 Quick Installation Guide 21344987 Documentation version: 15 PN: 21344987 Legal Notice Copyright 2015 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, the Checkmark

More information

Symantec Critical System Protection 5.2.9 Agent Guide

Symantec Critical System Protection 5.2.9 Agent Guide Symantec Critical System Protection 5.2.9 Agent Guide Symantec Critical System Protection Agent Guide The software described in this book is furnished under a license agreement and may be used only in

More information

Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide

Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide Windows 2000, Windows Server 2003 5.0 11293743 Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide Copyright

More information

Symantec Critical System Protection Agent Event Viewer Guide

Symantec Critical System Protection Agent Event Viewer Guide Symantec Critical System Protection Agent Event Viewer Guide Symantec Critical System Protection Agent Event Viewer Guide The software described in this book is furnished under a license agreement and

More information

Symantec Backup Exec 2010 R2. Quick Installation Guide

Symantec Backup Exec 2010 R2. Quick Installation Guide Symantec Backup Exec 2010 R2 Quick Installation Guide 20047221 The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

More information

Symantec NetBackup Plug-in for VMware vcenter Guide. Release 7.6

Symantec NetBackup Plug-in for VMware vcenter Guide. Release 7.6 Symantec NetBackup Plug-in for VMware vcenter Guide Release 7.6 Symantec NetBackup Plug-in for vcenter Guide The software described in this book is furnished under a license agreement and may be used only

More information

Symantec AntiVirus for Network Attached Storage Integration Guide

Symantec AntiVirus for Network Attached Storage Integration Guide Symantec AntiVirus for Network Attached Storage Integration Guide Introducing Symantec AntiVirus for Network Attached Storage The software described in this book is furnished under a license agreement

More information

Veritas Cluster Server Library Management Pack Guide for Microsoft System Center Operations Manager 2007

Veritas Cluster Server Library Management Pack Guide for Microsoft System Center Operations Manager 2007 Veritas Cluster Server Library Management Pack Guide for Microsoft System Center Operations Manager 2007 Windows Server 2003, Windows Server 2008 VCS Library Management Pack Veritas Cluster Server Library

More information

Symantec NetBackup AdvancedDisk Storage Solutions Guide. Release 7.5

Symantec NetBackup AdvancedDisk Storage Solutions Guide. Release 7.5 Symantec NetBackup AdvancedDisk Storage Solutions Guide Release 7.5 21220064 Symantec NetBackup AdvancedDisk Storage Solutions Guide The software described in this book is furnished under a license agreement

More information

Symantec AntiVirus Corporate Edition Patch Update

Symantec AntiVirus Corporate Edition Patch Update Symantec AntiVirus Corporate Edition Patch Update Symantec AntiVirus Corporate Edition Update Documentation version 10.0.1.1007 Copyright 2005 Symantec Corporation. All rights reserved. Symantec, the Symantec

More information

Altiris Asset Management Suite 7.1 from Symantec User Guide

Altiris Asset Management Suite 7.1 from Symantec User Guide Altiris Asset Management Suite 7.1 from Symantec User Guide Altiris Asset Management Suite 7.1 from Symantec User Guide The software described in this book is furnished under a license agreement and may

More information

PGP Command Line Version 10.3 Release Notes

PGP Command Line Version 10.3 Release Notes PGP Command Line Version 10.3 Release Notes Page 1 of 6 PGP Command Line Version 10.3 Release Notes Thank you for using this Symantec Corporation product. These Release Notes contain important information

More information

Enterprise Manager. Version 6.2. Installation Guide

Enterprise Manager. Version 6.2. Installation Guide Enterprise Manager Version 6.2 Installation Guide Enterprise Manager 6.2 Installation Guide Document Number 680-028-014 Revision Date Description A August 2012 Initial release to support version 6.2.1

More information

Symantec ApplicationHA 6.1 Generic Agent Configuration Guide - AIX on IBM PowerVM

Symantec ApplicationHA 6.1 Generic Agent Configuration Guide - AIX on IBM PowerVM Symantec ApplicationHA 6.1 Generic Agent Configuration Guide - AIX on IBM PowerVM January 2014 Symantec ApplicationHA 6.1 Generic Agent Configuration Guide The software described in this book is furnished

More information