RSA Security Analytics




RSA Security Analytics Event Source Log Configuration Guide
Sourcefire Defense Center
Last Modified: Thursday, July 30, 2015

Event Source Product Information:
Vendor: Sourcefire
Event Source: Defense Center
Versions: 4.6, 4.8, 4.9, 4.10, 5.0, 5.1, 5.3.0.2, 5.4, 5.4.1

RSA Product Information:
Supported On: Security Analytics 10.0 and later
Event Source Log Parser: snort
Collection Method: Syslog
Event Source Class.Subclass: Security.IDS

Configure Sourcefire Defense Center

To configure Sourcefire Defense Center, you must:

I. Configure Security Analytics for Syslog Collection
II. Configure Syslog Output on Sourcefire
III. Configure Audit Logging
IV. (Optional) Configure Health Monitoring Alerts

Configure Security Analytics for Syslog Collection

Note: You only need to configure Syslog collection the first time that you set up an event source that uses Syslog to send its output to Security Analytics.

You should configure either the Log Decoder or the Remote Log Collector for Syslog. You do not need to configure both.

To configure the Log Decoder for Syslog collection:

1. In the Security Analytics menu, select Administration > Services.
2. In the Services grid, select a Log Decoder, and from the Actions menu, choose View > System.
3. Depending on the icon you see, do one of the following:
   - If the icon shows that capture is stopped, click it to start capturing Syslog.
   - If the icon shows that capture is running, you do not need to do anything; this Log Decoder is already capturing Syslog.
4. Ensure that the parser for your event source is enabled.
   a. From the System pull-down menu, select Config.
   b. In the Service Parsers Configuration panel, search for your event source.
   c. Ensure that the Config Value field for your event source is selected.

To configure the Remote Log Collector for Syslog collection:

1. In the Security Analytics menu, select Administration > Services.
2. In the Services grid, select a Remote Log Collector, and from the Actions menu, choose View > Config > Event Sources.
3. Select Syslog/Config from the drop-down menu. The Event Categories panel displays the Syslog event sources that are configured, if any.
4. In the Event Categories panel toolbar, click +.

   The Available Event Source Types dialog is displayed.
5. Select either syslog-tcp or syslog-udp. You can set up either or both, depending on the needs of your organization.
6. Select the new type in the Event Categories panel and click + in the Sources panel toolbar. The Add Source dialog is displayed.
7. Enter 514 for the port, and select Enabled. Optionally, configure any of the Advanced parameters as necessary. Click OK to accept your changes and close the dialog box.

Once you configure one or both syslog types, the Log Decoder or Remote Log Collector collects those types of messages from all available event sources. So, you can continue to add Syslog event sources to your system without needing to do any further configuration in Security Analytics.

Configure Syslog Output on Sourcefire

Perform the following procedure on the Sourcefire event source.

To set up Syslog Output via Sourcefire Defense Center:

1. Configure the Sourcefire Sensor and Sourcefire Defense Center per the vendor's instructions.
2. Connect to the Defense Center web management console and log in.
3. Depending on your version of Sourcefire Snort, do one of the following:
   - For versions 4.6, 4.8, or 4.9, click Policy & Response > Responses > Alerts.
   - For version 5.0 and higher, click Policies > Action > Alerts.
4. Click the Create Alert icon and set the following parameters in the Create Alert area:
   a. Select Syslog from the drop-down box.
      Note: In version 5.0 and higher, select Create Syslog Alert from the drop-down box.
   b. In the Name field, enter a name for the Alert (for example, Sourcefire48).
   c. In the Host field, enter the IP address of your RSA Security Analytics Log Decoder or RSA Security Analytics Remote Log Collector.
   d. In the Port field, type 514.
   e. In the Facility drop-down list, select USER.

   f. In the Severity drop-down list, select the level of alerts you want to send to RSA Security Analytics.
   g. In the Tag field, enter a tag name (for example, Sourcefire48).
   h. Check the Active check box.
      Note: In version 5.0 and higher, skip step 4h. There is no Active box to be checked.
   i. Click Save to apply the changes.
      Note: If you choose to configure Health Monitoring alerts, use the name of the alert you created in this step.
5. Depending on your version of Sourcefire Snort, do one of the following:
   - For versions 4.6, 4.8, or 4.9, click Policy & Response > Responses > Impact Flag Alerts in the top menu bar.
   - For version 5.0 and higher, click the Impact Flag Alerts tab adjacent to the Alerts tab.
   The system displays the Syslog entry that you created above.
6. In the Impact Flag area, do the following:
   a. Check the Syslog Notification box for the alerts that you want to send (the box on the blue bar selects all).
   b. Click Save to apply the changes.
7. Depending on your version of Sourcefire Snort, do one of the following:
   - For versions 4.6, 4.8, or 4.9, click Policy & Response > Responses > RNA Event Alerts in the top menu bar.
   - For version 5.0 and higher, click the Discovery Event Alerts tab adjacent to the Impact Flag Alerts tab.
   The system displays the Syslog entry that you created above.
8. In the Event area, do the following:
   a. Check the Syslog Notification box for the alerts that you want to send (the box on the blue bar selects all).
   b. Click Save to apply the changes.

Configure Audit Logging

To pick up Admin Policy changes from the Sourcefire logs, perform the following steps.

To Configure Audit Logging:

1. Connect to the Defense Center web management console and log in.
2. In the top menu bar, click System > Local > System Policy.
3. Create a new policy, or edit an existing one.
4. Set the audit log settings as follows:

   Field                      Action
   Send Audit Log to Syslog   Set to enabled.
   Host                       Enter the IP address of your RSA Security Analytics Log Decoder or RSA Security Analytics Remote Log Collector.
   Facility                   Select AUTH or choose a value that fits the needs of your organization.
   Severity                   Select INFO or choose a value that fits the needs of your organization.

5. Save the policy and exit.

Configure Health Monitoring Alerts

RSA SA can process Defense Center health alerts. If you want to configure Health Monitoring Alerts, perform the following steps.

To Configure Health Monitoring Alerts:

1. Connect to the Defense Center web management console and log in.
2. In the top menu bar, click Policy & Response > Responses > Alerts.
   Note: For version 5.0 and up, hover over the Health tab in the top menu bar to show its options.
3. Click Health Monitor Alerts.
4. In the Health Alert Name field, enter the name for your health alert.
5. Select severity and modules based on the kind of messages that you want to send to RSA Security Analytics.
   Note: Select all severities and modules to get the maximum set of messages.
6. From the Alert list, select the alert you created in step 4 of the "To set up Syslog Output via Sourcefire Defense Center" procedure.
7. Click Save to apply the changes.
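A quick way to confirm that the Defense Center is sending what this guide configures is to decode the PRI header of the syslog messages arriving at the Log Decoder or Remote Log Collector. The script below is an added example, not part of the RSA guide: it checks that alert messages (identified by the Tag set in step 4g) arrive with facility USER and that audit log entries arrive with facility AUTH at severity INFO. The sample messages, hostnames and addresses are constructed.

```python
"""Decode syslog PRI headers and confirm they carry the facility and severity
configured in this guide: alerts at USER, audit entries at AUTH/INFO."""
import re
from typing import NamedTuple

FACILITIES = {1: "USER", 4: "AUTH"}  # RFC 3164 codes for the two facilities used here
SEVERITIES = ["EMERG", "ALERT", "CRIT", "ERR", "WARNING", "NOTICE", "INFO", "DEBUG"]
# Expected (facility, severity) per message kind; None = any severity (the guide lets you pick it).
EXPECTED = {"alert": ("USER", None), "audit": ("AUTH", "INFO")}
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

class Decoded(NamedTuple):
    facility: str
    severity: str
    kind: str
    ok: bool
    body: str

def decode_pri(pri: int):
    """PRI = facility * 8 + severity (RFC 3164, section 4.1.1)."""
    facility, severity = divmod(pri, 8)
    return FACILITIES.get(facility, f"FACILITY{facility}"), SEVERITIES[severity]

def check_message(raw: str, tag: str = "Sourcefire48") -> Decoded:
    """Alert messages carry the Tag from the Create Alert dialog; anything
    without it is treated as audit log output from the System Policy."""
    m = PRI_RE.match(raw)
    if not m:
        raise ValueError("missing <PRI> header: the collector would not parse this")
    facility, severity = decode_pri(int(m.group(1)))
    kind = "alert" if tag in m.group(2) else "audit"
    exp_fac, exp_sev = EXPECTED[kind]
    ok = facility == exp_fac and (exp_sev is None or severity == exp_sev)
    return Decoded(facility, severity, kind, ok, m.group(2))

# Constructed samples: an alert at USER.WARNING (1*8+4 = 12), an audit entry at
# AUTH.INFO (4*8+6 = 38), and an audit entry wrongly sent at USER.INFO (14).
SAMPLES = [
    "<12>Jul 30 10:15:02 defensecenter Sourcefire48: constructed impact-flag alert",
    "<38>Jul 30 10:15:03 defensecenter admin@10.0.0.5: System Policy Apply, Save",
    "<14>Jul 30 10:15:04 defensecenter admin@10.0.0.5: System Policy Apply, Save",
]

def mismatches(messages=SAMPLES, tag="Sourcefire48"):
    """Return decoded messages whose facility or severity differs from the guide's settings."""
    return [d for d in (check_message(m, tag) for m in messages) if not d.ok]

if __name__ == "__main__":
    for d in mismatches():
        print(f"MISMATCH ({d.kind}): received {d.facility}.{d.severity}: {d.body}")
```

Feed it the raw lines captured on UDP/TCP 514 at the collector; any audit entry reported as USER instead of AUTH points at the System Policy facility setting rather than at the Log Decoder.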

Copyright 2015 EMC Corporation. All Rights Reserved.

Trademarks

RSA, the RSA Logo and EMC are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other trademarks used herein are the property of their respective owners. For a list of RSA trademarks, go to www.rsa.com/legal/trademarks_list.pdf. Published in the USA.