Symantec Event Collector 3.6 for Blue Coat Proxy Quick Reference
Symantec Event Collector for Blue Coat Proxy Quick Reference The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement. Legal Notice Copyright 2007 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, LiveUpdate, Symantec AntiVirus, Symantec Mail Security, Symantec Backup Exec, Symantec NetBackup, Symantec Endpoint Protection, Symantec Scan Engine, Symantec Control Compliance Suite, Symantec Critical System Protection, Symantec Enterprise Security Manager, Symantec Intruder Alert, Symantec Sygate Enterprise Protection, and Symantec Security Response are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. Microsoft, Windows, Windows 2000, Windows 2003, and Windows XP are trademarks or registered trademarks of Microsoft Corporation. This product includes software that was developed by the Apache Software Foundation. Other brands and product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are hereby acknowledged. Blue Coat Proxy is a trademark of Blue Coat Systems, Incorporated. The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any. THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.
Symantec Corporation 20330 Stevens Creek Blvd. Cupertino, CA 95014 USA http://www.symantec.com
Technical Support Symantec Technical Support maintains support centers globally. Technical Support s primary role is to respond to specific queries about product feature and function, installation, and configuration. The Technical Support group also authors content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates. Symantec s maintenance offerings include the following: A range of support options that give you the flexibility to select the right amount of service for any size organization A telephone and web-based support that provides rapid response and up-to-the-minute information Upgrade insurance that delivers automatic software upgrade protection Global support that is available 24 hours a day, 7 days a week worldwide. Support is provided in a variety of languages for those customers that are enrolled in the Platinum Support program Advanced features, including Technical Account Management For information about Symantec s Maintenance Programs, you can visit our Web site at the following URL: www.symantec.com/techsupp/ Contacting Technical Support Customers with a current maintenance agreement may access Technical Support information at the following URL: www.symantec.com/techsupp/ Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to recreate the problem. When you contact Technical Support, please have the following information available: Product release level Hardware information
Available memory, disk space, and NIC information Operating system Version and patch level Network topology Router, gateway, and IP address information Problem description: Error messages and log files Troubleshooting that was performed before contacting Symantec Recent software configuration changes and network changes Licensing and registration Customer service If your Symantec product requires registration or a license key, access our technical support Web page at the following URL: www.symantec.com/techsupp/ Customer service information is available at the following URL: www.symantec.com/techsupp/ Customer Service is available to assist with the following types of issues: Questions regarding product licensing or serialization Product registration updates such as address or name changes General product information (features, language availability, local dealers) Latest information about product updates and upgrades Information about upgrade insurance and maintenance contracts Information about the Symantec Value License Program Advice about Symantec's technical support options Nontechnical presales questions Issues that are related to CD-ROMs or manuals
Maintenance agreement resources Additional Enterprise services If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows: Asia-Pacific and Japan: contractsadmin@symantec.com Europe, Middle-East, and Africa: semea@symantec.com North America and Latin America: supportsolutions@symantec.com Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively. Enterprise services that are available include the following: Symantec Early Warning Solutions These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur. Managed Security Services Consulting Services Educational Services These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats. Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring and management capabilities, each focused on establishing and maintaining the integrity and availability of your IT resources. Educational Services provide a full array of technical training, security education, security certification, and awareness communication programs. To access more information about Enterprise services, please visit our Web site at the following URL: www.symantec.com Select your country or language from the site index.
Contents Technical Support Chapter 1 Chapter 2 Introducing Symantec Event Collector for Blue Coat Proxy About this quick reference... 9 Compatibility requirements... 10 Compatibility requirements for the event collector... 10 System requirements for the collector computer... 10 Preinstallation requirements for Blue Coat Proxy Event Collector... 10 Configuring your security product to work with the collector... 11 Configuring Blue Coat Proxy to work with the collector... 11 About the installation sequence for Blue Coat Proxy Event Collector... 11 Sensor configuration for Blue Coat Proxy Event Collector... 12 Sensor settings for Blue Coat Proxy Event Collector... 13 About LiveUpdate... 14 Implementation notes Implementation notes for Blue Coat Proxy Event Collector... 15 Product ID... 15 Schema packages... 15 Example event data... 15 Event mapping for Information Manager version 4.0x... 15 Index
8 Contents
Chapter 1 Introducing Symantec Event Collector for Blue Coat Proxy This chapter includes the following topics: About this quick reference Compatibility requirements Preinstallation requirements for Blue Coat Proxy Event Collector Configuring your security product to work with the collector About the installation sequence for Blue Coat Proxy Event Collector Sensor configuration for Blue Coat Proxy Event Collector About LiveUpdate About this quick reference This quick reference includes information that is specific to Symantec Event Collector for Blue Coat Proxy. General knowledge on installing and configuring collectors is assumed, as well as basic knowledge of Blue Coat Proxy. For detailed information on how to install and configure event collectors, please see the Symantec Event Collectors Integration Guide. For information on Blue Coat Proxy, see your product documentation.
10 Introducing Symantec Event Collector for Blue Coat Proxy Compatibility requirements Compatibility requirements The collector is compatible with specific versions of the security product and is compatible with certain operating systems. Compatibility requirements for the event collector The collector is compatible with Blue Coat Proxy SG appliances that run SGOS version 4.x. The collector runs on the following operating systems: Microsoft Windows 2000 with Service Pack 4 or later Microsoft Windows 2000 Advanced Server with Service Pack 4 or later Microsoft Windows 2003 Server Enterprise Edition with Service Pack 1 or later Microsoft Windows 2003 Server Standard Edition with Service Pack 1 or later Microsoft Windows XP with Service Pack 2 or later Red Hat Enterprise Linux AS 3.0 Red Hat Enterprise Linux AS 4.0 System requirements for the collector computer The computer on which you install the collector must meet the following minimum system requirements: Intel Pentium-compatible 133-MHz processor (up to and including Xeon-class) 512 MB minimum, 1 GB of memory recommended for the Symantec Event Agent 35 MB of hard disk space for collector program files 95 MB of hard disk space to accommodate the Symantec Event Agent, the JRE, and the collector TCP/IP connection to a network with a fixed IP address Preinstallation requirements for Blue Coat Proxy Event Collector The collector does not have preinstallation requirements.
Introducing Symantec Event Collector for Blue Coat Proxy Configuring your security product to work with the collector 11 Configuring your security product to work with the collector After you have installed the necessary collector components, you must configure Blue Coat Proxy so that the event information is available to the collector. For detailed information on configuring Blue Coat Proxy, see your security product documentation. Configuring Blue Coat Proxy to work with the collector Before you install the collector, you must modify the logging format of the Blue Coat Proxy logs to include all required fields. You must also add the <port> field. By using either the Blue Coat management console or Command Line Tools, you must add the <port> field and change the logging format to the following predefined <main> log format: #Fields: date time time-taken c-ip sc-status s-action sc-bytes cs-bytes cs-method cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-username cs-auth-group s-hierarchy s-supplier-name rs(content-type) cs(user-agent) sc-filter-result cs-category x-virus-id s-ip s-sitename About the installation sequence for Blue Coat Proxy Event Collector The collector installation sequence is as follows: Close the Symantec Security Information Manager Client console. Register the Symantec Information Package (SIP). Install the Symantec Event Agent. Install the collector component. Blue Coat Proxy logs are compressed in GZIP format and must be unpacked before they are processed by the collector. A script to unpack the Blue Coat logs is provided in the utils folder of the collector installation package and is named managegzs.cmd. The default Windows directory for the managegzs.cmd file is C:\Program Files\collectors\bluecoat_proxy\utils
12 Introducing Symantec Event Collector for Blue Coat Proxy Sensor configuration for Blue Coat Proxy Event Collector The default Linux directory for the managegzs.cmd file is../collectors/bluecoat_proxy/utils You can edit the managegzs.cmd script by setting the following directory location variables: Set the BLUECOAT_GZ_FILE_DIR directory to the location of the compressed BlueCoat logs. Set the GZIP_OUTPUT directory to the location that stores the uncompressed logs. You should schedule the managegzs.cmd script to run frequently enough so that the uncompressed logs are always available for the collector. For more information, see the Symantec Event Collectors Integration Guide. Sensor configuration for Blue Coat Proxy Event Collector The collector uses a sensor that you must configure to receive security events. After you configure the sensor, distribute the settings to the collectors on the target computers. Whether or not you can use the default configuration depends on the following condition: This collector is not preinstalled on the appliance. The default configuration may be used. The collector includes the following features: Raw events Sensor statistics and audit messages Import and export of sensor settings, and filtering and aggregation rules Global update of sensor settings Auditing events for event log batch processing Collector statistics for the aggregate of all the collector's sensors Auditing events that monitor Symantec Security Information Manager and the collector sensors For more information, see the Symantec Event Collectors Integration Guide.
Introducing Symantec Event Collector for Blue Coat Proxy Sensor configuration for Blue Coat Proxy Event Collector 13 Sensor settings for Blue Coat Proxy Event Collector The collector uses a log sensor. The sensor has the following properties: Log File Directory Specify the path to the log file on the security product computer. The default log file directory is /logs Log File Name Specify the static, non-changing part of the dynamic log file name. In most cases, this is.log File Name Dynamic Specify whether or not the log file name is dynamic. This option should be checked, because Blue Coat Proxy creates dynamically named log files. File Encoding Leave this value as UTF-8. UTF-8 is the default value and should not be changed. End of File Marker Specify EOF or NULL (hexadecimal 00) as the end-of-file character. EOF is the default marker. Start Reading From Specify where to start reading the log file when the collector restarts. BEGINNING Specifies that the log file is read from the beginning of the most recent file in the directory. BEGINNING is the default position. END Specifies that the log file is read from the end of the file. Only the events that are written to the log file after the collector starts are read. Last Position Keeps track of which line the collector reads from in the log file, and then continues reading from this position if the collector is interrupted and restarted. End of Record Marker Specify the delimiter that is used at the end of each message. ENDOFLINE
14 Introducing Symantec Event Collector for Blue Coat Proxy About LiveUpdate Refers to the end of a line as a message delimiter (CR/LF on a Windows platform; LF on a Linux/UNIX platform). ENDOFLINE is the default delimiter. BLANKLINE Refers to a blank line as a message delimiter. You must specify two successive ENDOFLINE characters. NULL Refers to hexadecimal 00. Monitor in Real Time Select this property to monitor the log file in real time. Monitoring the log file in real time is the default setting. About LiveUpdate This collector does not support LiveUpdate. See Symantec Event Collectors Integration Guide for more information on LiveUpdate.
Chapter 2 Implementation notes This chapter includes the following topics: Implementation notes for Blue Coat Proxy Event Collector Implementation notes for Blue Coat Proxy Event Collector This section describes the implementation details for the collector. Product ID The product ID for the collector is 3206. Schema packages The collector uses the following schema package: Firewall events Example event data 2006-01-30 16:06:28 10 192.168.143.233 403 TCP_DENIED 169 220 CONNECT tcp www.google.be / - - NONE - - "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;.NET CLR 1.1.4322)" PROXIED unlicensed - 192.168.143.19 SG-HTTP-Service - - Event mapping for Information Manager version 4.0x Table 2-1 shows the event class schema used by Symantec Event Collector for Blue Coat Proxy.
16 Implementation notes Implementation notes for Blue Coat Proxy Event Collector Table 2-1 Event class schema Event class symc_firewall_network symc_fw_conn_stats symc_network Comment The most important events that are translated by the collector belong to firewall event class (Connection Dropped/Denied). Most of the events that are translated by the collector belong to the firewall connection statistics event class (Connection Accepted has number of bytes sent/received). This event class is included as a parent class for the previous class, and no events from the network class are sent. Table 2-2 shows mapping for general event types. Table 2-2 General event type mapping Information Manager field name category client_outbound_bytes destination_host_name destination_port Blue Coat Proxy field name N/A cs-bytes (220) cs-host (www.google.be) cs-uri-port (/) Comment Populated in translator. The category is always Application (3007601) for supported firewall events. Assigned for Firewall Statistics Events (when connection is accepted). Extracted in translator. Extracted in translator, then removed in SES-Processor if blank ( / ) or non-numeric. event_desc Starting with s-supplier-name until end of string ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;.NET CLR 1.1.4322)" PROXIED unlicensed - 192.168.143.19 SG-HTTP-Service - -) Populated in translator. Length is restricted to less than 100 characters in order to be correctly inserted into the database. event_detail_id N/A Assigned in translator according to event: Connection Rejected (517242) for TCP_DENIED (CONNECT), UDP_DENIED, DENIED, Get Denied and Put Denied for TCP_DENIED (GET) and TCP_DENIED (PUT). 517200 - No additional details for all other events.
Implementation notes Implementation notes for Blue Coat Proxy Event Collector 17 Table 2-2 General event type mapping (continued) Information Manager field name event_dt event_id EventClassName info1 info2 info3 info4 network_direction_id network_protocol_id rule Blue Coat Proxy field name date (2006-01-30 16:06:28) N/A N/A sc-status (403) sc-bytes (169) cs-bytes (220) sc-action (TCP_DENIED) N/A cs-uri-scheme (tcp) sc-action (TCP_DENIED) Comment Extracted in translator by using a relational before method for location. Populated in translator for different types of firewall rules Connection Rejected (512001) for TCP_DENIED (CONNECT, GET, PUT), UDP_DENIED, DENIED, Connection Dropped (512002) for TCP_ERR_MISS, FAILED. Connection Statistics (912001) events are sent when connection is accepted. symc_firewall_ network for dropped and denied events, symc_fw_conn_stats for accepted connection events. Extracted in translator. Usually contains network protocol code (HTTP). Extracted in translator. Assigned for Connection Dropped and Connection Failed Events. Not assigned for Firewall Statistics Events. Extracted in translator. Assigned for Connection Dropped and Connection Failed Events. Not assigned for Firewall Statistics Events. Populated in SES-Processor and should uniquely identify firewall action triggered. Blue Coat action field is used to populate this field. Populated in translator. Outbound (517101) for GET, PUT, and CONNECT. Not set for other situations. Initially extracted in translator, then reassigned in SES-Processor: TCP (167102) for TCP, HTTP, FTP operations, UDP (167103) for UDP operations. Extracted in translator. Defines exact type of event being reported.
18 Implementation notes Implementation notes for Blue Coat Proxy Event Collector Table 2-2 General event type mapping (continued) Information Manager field name server_outbound_bytes severity source_ip user_id target_resource target_operation Blue Coat Proxy field name sc-status (403) N/A c-ip (192.168.143.233) cs-username (NONE) cs-uri-path (-) cs-method (CONNECT) Comment Assigned for Firewall Statistics Events (when connection is accepted). Populated in the translator depending on event 3 for Connection Rejected (512001), 2 for Connection Dropped (512002), 1 for Connection Statistics (912001). Populated in translator. Extracted in translator, then removed in SES-Processor if NONE or -. Extracted in translator, then removed in SES-Processor if blank ( - ). Length is restricted to less than 100 characters in order to be correctly inserted into the database. Extracted in translator. Used for exact event identification.
Index B Blue Coat Proxy configuration 11 C compatibility requirements 10 configuring Blue Coat Proxy 11 sensor 12 I implementation notes 15 installation 11 L LiveUpdate 14 M mapping 15 P preinstallation requirements 10 R requirements compatibility 10 preinstallation 10 system 10 S sensor configuration 12 system requirements 10