RSA Authentication Manager




McAfee Enterprise Security Manager
Data Source Configuration Guide
Data Source: RSA Authentication Manager
February 26, 2015

RSA Authentication Manager Page 1 of 9

Important Note: The information contained in this document is confidential and proprietary. Please do not redistribute without permission.

Table of Contents

1 Introduction
2 Prerequisites
3 Specific Data Source Configuration Details
    3.1 RSA Authentication Manager 7.1 SP2 and later Configuration for Windows
    3.2 RSA Authentication Manager 7.1 SP2 and later Configuration for Linux
    3.3 RSA Authentication Manager 8 and later Configuration from the Security Console
    3.4 McAfee Event Receiver Configuration
4 Data Source Event to McAfee Field Mappings
    4.1 Mappings
5 Appendix A - Generic Syslog Configuration Details
6 Appendix B - Troubleshooting

1 Introduction

This guide details how to configure RSA Authentication Manager to send syslog data in the proper format to the McAfee Event Receiver.

2 Prerequisites

McAfee Enterprise Security Manager Version 8.4.2 and above.

In order to configure the RSA Authentication Manager syslog service, appropriate administrative level access is required to perform the necessary changes documented below.

3 Specific Data Source Configuration Details

3.1 RSA Authentication Manager 7.1 SP2 and later Configuration for Windows

1. Edit the following file with a text editor:

    \Program Files\RSASecurity\RSAAuthenticationManager\utils\Resources\ims.properties

2. Edit the following lines in that file (if they don't exist, add them):

    ims.logging.audit.admin.syslog_host = 192.0.2.1
    ims.logging.audit.admin.use_os_logger = true
    ims.logging.audit.runtime.syslog_host = 192.0.2.1
    ims.logging.audit.runtime.use_os_logger = true
    ims.logging.system.syslog_host = 192.0.2.1
    ims.logging.system.use_os_logger = true

   (Where 192.0.2.1 is the IP address of the McAfee Event Receiver)

3. Save and close the file.
4. Restart the RSA Authentication Manager by navigating to Start > Administrator Tools > Computer Management > Services and Applications > Services.
5. Select RSA Authentication Manager.
6. Click Restart.
7. Open the Authentication Manager Security Console and click Setup > Instances.
8. Right-click the server instance and select Logging.
9. In the Log Data Destination section, select Send system messages to OS system log.

3.2 RSA Authentication Manager 7.1 SP2 and later Configuration for Linux

1. Edit the following file with a text editor:

    /usr/local/rsasecurity/rsaauthenticationmanager/utils/resources/ims.properties

2. Edit the following lines in that file (if they don't exist, add them):

    ims.logging.audit.admin.syslog_host = 192.0.2.1
    ims.logging.audit.admin.use_os_logger = true
    ims.logging.audit.runtime.syslog_host = 192.0.2.1
    ims.logging.audit.runtime.use_os_logger = true
    ims.logging.system.syslog_host = 192.0.2.1
    ims.logging.system.use_os_logger = true

   (Where 192.0.2.1 is the IP address of the McAfee Event Receiver)

3. Save and close the file.
4. Edit the following file with a text editor:

    /etc/syslog.conf

5. Add the following line:

    *.* @192.0.2.1

   (Where 192.0.2.1 is the IP address of the McAfee Event Receiver)

6. Restart the syslog daemon:

    service syslog restart

3.3 RSA Authentication Manager 8 and later Configuration from the Security Console

1. In the RSA Authentication Manager Security Console, navigate to Setup > System Settings.
2. In the Basic Settings section, select Logging.
3. Select the instance from which to collect logs, and click Next.
4. In the Log Levels section do the following:
   a. Set Administrative Audit Log to Success.
   b. Set Runtime Audit Log to Success.
   c. Set System Log to Warning.
5. In Log Data Destination, set all three fields to Save to remote database and internal Syslog at the following hostname or IP address, and enter the hostname or IP address of the McAfee Event Receiver.
6. Click Save to save changes.
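One way to script the ims.properties edits from sections 3.1 and 3.2 on a Linux host, as an added example that is not part of the McAfee guide: it sets the six keys idempotently, removes duplicate assignments of the same key, and audits the result. The function names and the script name ims_syslog.sh are assumptions of this example; the six keys and the 192.0.2.1 placeholder come from the guide.

```shell
#!/bin/sh
# Added example (not from the guide): apply and audit the six ims.properties
# settings from sections 3.1/3.2. Function names are this example's own.
PREFIXES="ims.logging.audit.admin ims.logging.audit.runtime ims.logging.system"

# get_prop FILE KEY: print the effective value (the last uncommented assignment).
get_prop() {
    awk -v k="$2" '
        { line = $0; sub(/^[ \t]+/, "", line); eq = index(line, "=")
          if (eq == 0) next
          name = substr(line, 1, eq - 1); sub(/[ \t]+$/, "", name)
          if (name == k) { val = substr(line, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", val) } }
        END { print val }' "$1"
}

# set_prop FILE KEY VALUE: rewrite the first "KEY = ..." line, drop later
# duplicates, or append the line if the key is absent. Keeps file owner and mode.
set_prop() {
    tmp="$1.tmp.$$"
    awk -v k="$2" -v v="$3" '
        { line = $0; sub(/^[ \t]+/, "", line); eq = index(line, "=")
          name = (eq > 0) ? substr(line, 1, eq - 1) : ""
          sub(/[ \t]+$/, "", name)
          if (name == k) { if (!done) print k " = " v; done = 1; next }
          print }
        END { if (!done) print k " = " v }' "$1" > "$tmp" &&
    cat "$tmp" > "$1" && rm -f "$tmp"
}

# configure_ims FILE RECEIVER: back up once, then set all six keys.
configure_ims() {
    [ -e "$1.bak" ] || cp -p "$1" "$1.bak" || return 1
    for p in $PREFIXES; do
        set_prop "$1" "$p.syslog_host" "$2" || return 1
        set_prop "$1" "$p.use_os_logger" "true" || return 1
    done
}

# audit_ims FILE RECEIVER: list wrong or missing keys; exit status is their count.
audit_ims() {
    bad=0
    for p in $PREFIXES; do
        [ "$(get_prop "$1" "$p.syslog_host")" = "$2" ] ||
            { echo "wrong or missing: $p.syslog_host"; bad=$((bad + 1)); }
        [ "$(get_prop "$1" "$p.use_os_logger")" = "true" ] ||
            { echo "wrong or missing: $p.use_os_logger"; bad=$((bad + 1)); }
    done
    return "$bad"
}

# Usage: sh ims_syslog.sh /path/to/ims.properties 192.0.2.1
if [ "$#" -eq 2 ]; then configure_ims "$1" "$2" && audit_ims "$1" "$2"; fi
```

audit_ims can also be run on its own to confirm that a host still points at the intended Receiver; commented-out lines are ignored, so a disabled setting is reported as missing.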

3.4 McAfee Event Receiver Configuration

After successfully logging into the McAfee ESM console, the data source will need to be added to a McAfee Event Receiver in the ESM hierarchy.

1. Select the Receiver you are applying the data source setting to.
2. Select the Receiver properties.
3. From the Receiver Properties listing, select Data Sources.
4. Select Add Data Source.

OR

1. Select the Receiver you are applying the data source setting to.
2. After selecting the Receiver, select the Add Data Source icon.

Data Source Screen Settings

1. Data Source Vendor - RSA
2. Data Source Model - Authentication Manager (ASP)
3. Data Format - Default
4. Data Retrieval - SYSLOG (Default)
5. Enabled: Parsing/Logging/SNMP Trap - Parsing
6. Name - Name of data source
7. IP Address/Hostname - The IP address and host name associated with the data source device.
8. Syslog Relay - None
9. Mask - 32
10. Require Syslog TLS - Enable to require the Receiver to communicate over TLS.
11. Support Generic Syslogs - Do nothing
12. Time Zone - Time zone of data being sent

Note: Refer to Appendix A for details on the Data Source Screen options.

4 Data Source Event to McAfee Field Mappings

4.1 Mappings

The table below shows the mappings between the data source and McAfee ESM fields.

Log Fields                McAfee ESM Fields
Date Time                 First Time, Last Time
Severity                  Severity
1st listed IP Address     Source IP
2nd listed IP Address     Destination IP
Event ID                  Signature ID

5 Appendix A - Generic Syslog Configuration Details

Once you select the option to add a data source, you are taken to the Add Data Source menu. The general options for adding a data source are shown. As you select different options, additional parameters may show. Each of these parameters will be examined in more detail.

1. Use System Profiles - System Profiles are a way to use settings that are repetitive in nature, without having to enter the information each time. An example is WMI credentials, which are necessary to retrieve Windows Event Logs if WMI is the chosen mechanism.
2. Data Source Vendor - List of all supported vendors.
3. Data Source Model - List of supported products for a vendor.
4. Data Format - Data Format is the format the data is in. Options are Default, CEF, and MEF.
   Note: If you choose CEF it will enable the generic rule for CEF and may not parse data source-specific details.
5. Data Retrieval - Data Retrieval allows you to select how the Receiver is going to collect the data. Default is over syslog.
6. Enabled: Parsing/Logging/SNMP Trap - Enables parsing of the data source, logging of the data source, and reception of SNMP traps from the data source. If no option is checked, the settings are saved to the ESM, but not written to the Receiver or utilized. Default is to select Parsing.
7. Name - This is the name that will appear in the Logical Device Groupings tree and the filter lists.
8. IP Address/Hostname - The IP address and host name associated with the data source device.
9. Syslog Relay - Syslog Relay allows data to be collected via relays and bucketed to the correct data source. Enable syslog relay on relay sources such as Syslog-NG.
10. Mask - Enables you to apply a mask to an IP address so that a range of IP addresses can be accepted.
11. Require Syslog TLS - Enable to require the receiver to communicate over TLS.
12. Support Generic Syslog - Generic Syslog allows users to select Parse generic syslog or Log unknown syslog event. Both these options will create an alert for an auto-learned syslog event if there is no parsing rule.
13. Time Zone - If syslog events are sent in a time zone other than GMT, you need to set the time zone of the data source so the date on the events can be set accordingly.
14. Interface - Opens the receiver interface settings to associate ports with streams of information.
15. Advanced - Opens advanced settings for the data source.

6 Appendix B - Troubleshooting

If a data source is not receiving events, verify that the data source settings have been written out and that policy has been rolled out to the Receiver.

If you see errors saying events are being discarded because the Last Time value is more than one hour in the future, or the values are incorrect, you may need to adjust the Time Zone setting.