RSA Security Analytics Netflow Collection Configuration Guide

Similar documents
RSA Security Analytics Netflow Collection Configuration Guide

RSA Security Analytics Virtual Appliance Setup Guide

RSA SecurID Software Token Security Best Practices Guide

BlackShield ID Agent for Remote Web Workplace

RSA Security Analytics

How To Secure An Rsa Authentication Agent

BlackShield ID Agent for Terminal Services Web and Remote Desktop Web

RSA SecurID Software Token 1.0 for Android Administrator s Guide

RSA Security Analytics

RSA Security Analytics. S4 Broker Setup Guide

BlackShield ID MP Token Guide. for Java Enabled Phones

RSA Security Analytics

RSA Authentication Manager 7.1 Microsoft Active Directory Integration Guide

RSA Authentication Manager 8.1 Help Desk Administrator s Guide

RSA Security Analytics

RSA Authentication Manager 7.1 to 8.1 Migration Guide: Upgrading RSA SecurID Appliance 3.0 On Existing Hardware

RSA Security Analytics

RSA envision Windows Eventing Collector Service Deployment Overview Guide

RSA Authentication Manager 7.1 Basic Exercises

Sage HRMS 2014 Sage Employee Self Service Tech Installation Guide for Windows 2003, 2008, and October 2013

CA VPN Client. User Guide for Windows

LANDesk Management Suite 8.7 Extended Device Discovery

Flow Publisher v1.0 Getting Started Guide. Get started with WhatsUp Flow Publisher.

RSA Authentication Manager 8.1 Help Desk Administrator s Guide. Revision 1

Deltek Touch Time & Expense for Vision 1.3. Release Notes

MDM Mass Configuration Tool User s Manual

Managing the SSL Certificate for the ESRS HTTPS Listener Service Technical Notes P/N REV A01 January 14, 2011

Lab 05: Deploying Microsoft Office Web Apps Server

Technical Notes. EMC NetWorker Performing Backup and Recovery of SharePoint Server by using NetWorker Module for Microsoft SQL VDI Solution

RSA Security Analytics Security Analytics System Overview

Administration Guide. Novell Storage Manager for Active Directory. Novell Storage Manager for Active Directory Administration Guide

BlackBerry Desktop Manager Version: User Guide

Installing and Configuring vcenter Multi-Hypervisor Manager

MobileStatus Server Installation and Configuration Guide

DME-N Network Driver Installation Guide for LS9

RSA Security Analytics

Document Exchange Server 2.5

CA Spectrum and CA Embedded Entitlements Manager

RSA Security Analytics

Customizing Remote Desktop Web Access by Using Windows SharePoint Services Stepby-Step

DME-N Network Driver Installation Guide for M7CL/LS9/DSP5D

Exchange 2003 Standard Journaling Guide

ACCELERATOR 6.4 CISCO UNITY 3.1/4.1 INTEGRATION GUIDE

Dell Spotlight on Active Directory Server Health Wizard Configuration Guide

RSA Authentication Manager 7.1 Security Best Practices Guide. Version 2

We are focused on providing you the very best service including all the tools necessary to establish and maintain a successful website.

XenClient Enterprise Synchronizer Installation Guide

User Document. Adobe Acrobat 7.0 for Microsoft Windows Group Policy Objects and Active Directory

BlackBerry Web Desktop Manager. Version: 5.0 Service Pack: 4. User Guide

Oracle Enterprise Manager

RSA SecurID Software Token 1.3 for iphone and ipad Administrator s Guide

Oracle Enterprise Manager

RackConnect User Guide

Dell SupportAssist Version 2.0 for Dell OpenManage Essentials Quick Start Guide

EMC ViPR Controller. Version 2.4. User Interface Virtual Data Center Configuration Guide REV 01 DRAFT

Lepide Software. LepideAuditor for File Server [CONFIGURATION GUIDE] This guide informs How to configure settings for first time usage of the software

HP LaserJet MFP Analog Fax Accessory 300 Send Fax Driver Guide

Dell Statistica Statistica Enterprise Installation Instructions

Oracle Enterprise Manager. Description. Versions Supported

SSL Management Reference

Oracle Enterprise Manager. Description. Versions Supported. Prerequisites

EventTracker: Support to Non English Systems

Spotlight on Messaging. Evaluator s Guide

Exchange 2010 Journaling Guide

formerly Help Desk Authority HDAccess Administrator Guide

RSA Security Analytics

Install MS SQL Server 2012 Express Edition

Deploying Personal Virtual Desktops by Using RemoteApp and Desktop Connection Step-by-Step Guide

Oracle Enterprise Manager. Description. Versions Supported

RSA Authentication Agent 7.2 for Microsoft Windows Installation and Administration Guide

EMC Data Domain Operating System Retention Lock Software User s Guide

VPN Client User s Guide Issue 2

Bentley CONNECT Dynamic Rights Management Service

User Guide for Avaya Scopia Add-in for Microsoft Outlook for Aura Collaboration Suite

NETWRIX FILE SERVER CHANGE REPORTER

Oracle Enterprise Manager. Description. Versions Supported

Track and Trace. Administration Guide

HP A-IMC Firewall Manager

User Manual. Onsight Management Suite Version 5.1. Another Innovation by Librestream

Embedded Document Accounting Solution (edas) for Cost Recovery. Administrator's Guide

Configuring and Monitoring Event Logs

Managed Services PKI 60-day Trial Quick Start Guide

ez Agent Administrator s Guide

REMOTE KEY MANAGEMENT (RKM) ENABLEMENT FOR EXISTING DOCUMENTUM CONTENT SERVER DEPLOYMENTS

Business Portal for Microsoft Dynamics GP Key Performance Indicators

Configuring Jet Express for Microsoft Dynamics NAV 2013

NETWRIX EVENT LOG MANAGER

HP IMC Firewall Manager

Project management integrated into Outlook

EMC ViPR Controller Add-in for Microsoft System Center Virtual Machine Manager

Accounting Manager. User Guide A31003-P1030-U

Software Distribution Reference

HP IMC User Behavior Auditor

Microsoft Dynamics GP. Workflow Installation Guide Release 10.0

Using Entrust certificates with Microsoft Office and Windows

MadCap Software. Upgrading Guide. Pulse

Citrix XenServer Workload Balancing Quick Start. Published February Edition

Integration Guide. SafeNet Authentication Service. Using SAS as an Identity Provider for Tableau Server

Symantec AntiVirus Corporate Edition Patch Update

Transcription:

RSA Security Analytics Netflow Collection Configuration Guide

Copyright 2010-2015 RSA, the Security Division of EMC. All rights reserved. Trademarks RSA, the RSA Logo and EMC are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other trademarks used herein are the property of their respective owners. For a list of EMC trademarks, go to www.emc.com/legal/emc-corporation-trademarks.htm. License Agreement This software and the associated documentation are proprietary and confidential to EMC, are furnished under license, and may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person. No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability. This software is subject to change without notice and should not be construed as a commitment by EMC. Third-Party Licenses This product may include software developed by parties other than RSA. The text of the license agreements applicable to third-party software in this product may be viewed in the thirdpartylicenses.pdf file. Note on Encryption Technologies This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption technologies, and current use, import, and export regulations should be followed when using, importing or exporting this product. Distribution Use, copying, and distribution of any EMC software described in this publication requires an applicable software license. EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice. THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS IS." EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 2

Netflow Collection Configuration Guide Contents Netflow Collection Configuration Guide 4 The Basics 5 Procedures 9 Step 1: Configure Netflow Event Sources in Security Analytics 10 Step 2: Configure Netflow Event Sources to Send Events to Security Analytics 15 Step 3: Start Service for Configured Netflow Collection Protocol 16 Step 4: Verify That Netflow Collection Is Working 18 References - Netflow Collection Configuration Parameters 19 Troubleshoot Netflow Collection 23 3

Overview Netflow Collection Configuration Guide Overview This guide tells you how to configure the Netflow collection protocol. This protocol collects events from Netflow v5 and Netflow v9. Prerequisites You must deploy Log Collection before you can configure the Netflow collection protocol. Last Modified: July 15 2015, 7:20PM 4

Overview The Basics Overview This guide tells you how to configure Netflow collection protocol which accepts events from Netflow v5 and Netflow v9. You use this protocol to accept events for security purposes, not for network performance purposes. This means that you should choose to accept events from select key strategic points in your network only (not everywhere). How Netflow Collection Works The Log Collector service collects events from Netflow v5 and Netflow v9. Deployment Scenario The following figure illustrates how you deploy the Netflow Collection Protocol in Security Analytics. Last Modified: July 01 2015, 12:17PM 5

Configure Netflow Collection Protocol in Security Analytics Configure Netflow Collection Protocol in Security Analytics You configure to the Log Collector to use Netflow collection for an event source in the event Source tab of the Log Collector parameter view. The following figure the basic workflow for configuring an event source for Netflow Collection in Security Analytics. Please refer to: Step 1 - Configure Netflow Event Sources in Security Analytics for step-by-step instructions on how to configure events sources in Security Analytics that use the Netflow Collection protocol. References - Netflow Collection Configuration Parameters for a detailed description of each Netflow Collection Protocol parameter. Last Modified: July 01 2015, 12:17PM 6

Configure Netflow Collection Protocol in Security Analytics Access the Services view. Select a Log Collection service. Click under Actions and select View > Config to display the Log Collection configuration parameter tabs. Click the Event Sources tab. Select Netflow as the collection protocol and select Config. Click and select netflow as the event source category. The event source category is part of the content you downloaded from LIVE. Last Modified: July 01 2015, 12:17PM 7

Configure Event Sources to Use Netflow Collection Protocol Select netflow as the category and click. Specify the basic parameters required for the Netflow event source. Click and specify additional parameters that enhance how the Netflow protocol handles event collection for the event source. Configure Event Sources to Use Netflow Collection Protocol You need to configure each event source that uses the Netflow Collection protocol to communicate with Security Analytics (see Step 2 - Configure Netflow Event Sources to Send Events to Security Analytics ). Last Modified: July 01 2015, 12:17PM 8

Overview Procedures Overview This topic provides an overview of the end-to-end sequential configuration procedure for the Netflow Collection protocol with a checklist that contains each configuration step. Context Configuration steps for the Netflow collection protocol must occur in the specific sequence listed in the table below. Netflow Collection Configuration Checklist Note: The steps in this list are in the order in which you must complete them. Step Description 1 Configure Netflow Event Sources in Security Analytics. 2 Configure Netflow Event Sources to Send Events to Security Analytics. 3 Start service for configured Netflow collection protocol. 4 Verify that Netflow Collection is working. Last Modified: July 01 2015, 12:20PM 9

Overview Step 1: Configure Netflow Event Sources in Security Analytics Overview This topic tells you how to configure Netflow event source sources for the Log Collector. Context After completing this procedure, you will have... Configured a Netflow event source. Modified a Netflow event source. Return to Netflow Collection Configuration Checklist Configure a Netflow Event Source To configure a Netflow event source: 1. In the Security Analytics menu, select Administration > Services. 2. In the Services grid, select a Log Collector service. 3. Click under Actions and select View > Config. 4. In the Log Collector Event Sources tab, select Netflow/Config from the drop-down menu. Last Modified: June 29 2015, 5:41PM 10

Configure a Netflow Event Source 5. In the Event Categories panel toolbar, click. 6. Select an event source type (for example, netflow) and click OK. The newly added event source type is displayed in the Event Categories panel. Last Modified: June 29 2015, 5:41PM 11

Modify a Netflow Event Source 7. Select the new type in the Event Categories panel and click in the Sources toolbar. The Add Source dialog is displayed. 8. Specify the port, modify any other parameters that require changes, and click OK. Note: Security Analytics opens the 2055, 4739, 6343, and 9995 ports on the firewall by default. You can open other ports for Netflow if required. The new event source is displayed in the list. Modify a Netflow Event Source To modify an event source: 1. In the Security Analytics menu, select Administration > Services. Last Modified: June 29 2015, 5:41PM 12

Modify a Netflow Event Source 2. In the Services grid, select a Log Collector service. 3. Click under Actions and select View > Config. 4. In the Log Collector Event Sources tab, select Netflow/Config from the drop-down menu. 5. Select netflow for the event source type from the Event Categories panel and click OK. 6. In the Sources panel, select an event source and click. The Edit Source dialog is displayed. 7. Modify the parameters that require changes and click OK. Security Analytics applies the parameter changes to the selected event source. Last Modified: June 29 2015, 5:41PM 13

Parameters: Parameters: Netflow Event Source Configuration Parameters Last Modified: June 29 2015, 5:41PM 14

Overview Step 2: Configure Netflow Event Sources to Send Events to Security Analytics Overview Download and configure the rsaflow or cef parser from Live. Context Verify that you downloaded the rsaflow or cef parser from LIVE to the Log Decoder and enabled it. Verify that you downloaded the correct parser (for example, rsaflow) from LIVE to the Log Decoder and enabled it. Last Modified: June 29 2015, 5:41PM 15

Overview Step 3: Start Service for Configured Netflow Collection Protocol Overview This topic tells you how to start a stopped NetFlow collection service. Return to Netflow Collection Configuration Checklist Start a Collection Service The following figure shows you how to start a collection service. See Enable Automatic Start of Individual Services if you want the service to start automatically. Select a Log Collector service and click under Actions. System. Click View > Last Modified: June 29 2015, 5:41PM 16

Start a Collection Service Click Collection > Netflow and click Start. Last Modified: June 29 2015, 5:41PM 17

Overview Step 4: Verify That Netflow Collection Is Working Overview This topic tells you what to check in Security Analytics to verify that you have configured Netflow Collection correctly. Return to Netflow Collection Configuration Checklist Verify That Netflow Collection Is Working The following figure illustrates how you can verify that Netflow collection is working from the Administration > Health & Wellness > Event Source Monitoring tab. Access the Event Source Monitoring tab from the Administration > Health & Wellness view. Find the Log Decoder, Event Source, and Event Source Type (that is, rsaflow). Look for activity in the Count column to verify that Netflow collection is accepting events. Last Modified: July 01 2015, 12:20PM 18

Overview References - Netflow Collection Configuration Parameters Overview This topic describes the user interface for configuring Netflow Collection. Context Use this section when you are looking for descriptions of the Netflow Collection user interface and definitions of the features of the user interface. Screen Captures How to Access The required permission to access this view is Manage Services. 1. In the Security Analytics menu, select Administration > Services. 2. In the Services grid, select a Log Collector service. Last Modified: July 01 2015, 12:37PM 19

Event Categories Panel 3. Click under Actions and select View > Config. 4. In the Log Collector Event Sources tab, select Netflow/Config from the drop-down menu. Event Categories Panel In the Event Categories panel, you can add or delete Netflow event source types. Feature Description Displays the Available Event Source Types dialog from which you select the event source type for which you want to define parameters. Deletes the selected event source types from the Event Categories panel. Selects event source types. Name Displays the name of the event source types that you have added. Available Event Sources Types Dialog The Available Event Source Types dialog displays the list of supported event source types. Feature Description Selects the event source type that you want to add. Name Cancel OK Display the event source types that are available to add. Closes the dialog without adding an event source type. Adds the selected event source type to the Event Categories panel. Sources Panel Use this panel to review, add, modify, and delete event source parameters for the event source type you selected in the Event Categories panel. Tool bar Option Description Last Modified: July 01 2015, 12:37PM 20

Sources Panel Opens the Add Source dialog in which you add a file directory for the event source type that you selected in the Event Categories panel. Deletes the selected file directories. Opens the Edit Source dialog in which you modify the configuration parameters for the selected file directory. When you select multiple event sources, opens the Bulk Edit Source dialog in which you can edit the parameters values for the selected file directories. Refer to import, export, and edit event sources in bulk for detailed steps on how to use this function. Opens the Bulk Add Option dialog in which you can import event source file directory parameters in bulk from a comma-separated values (CSV) file. The Bulk Add Option dialog has the following two options. Refer to import, export, and edit event sources in bulk for detailed steps on how to use this function. Creates a.csv file that contains the parameters for the selected file directories. Refer to import, export, and edit event sources in bulk for detailed steps on how to use this function. Add or Modify Source Dialog In this dialog, you add or modify a file directory for the selected event source. Feature Netflow Source Parameters Cancel OK Description Lists the Netflow event source parameters populated with the default values. Enter or modify the appropriate values. Closes the dialog without adding a file directory or saving the parameter values for the selected file directory. In the Add Source dialog, adds the file directory and its parameters. In the Edit Source dialog, applies the parameter value changes for the selected file directory. Netflow Source Parameters Name Description Basic Port Specify the port number configured for the Netflow event source. Security Analytics opens the 2055, 4739, 6343, and 9995 ports for Netflow by default. You can open other ports for Netflow if required. Last Modified: July 01 2015, 12:37PM 21

Tasks: Enabled Select the check box to enable the event source configuration to start collection. The check box is selected by default. Advanced Establishes a threshold that, when reached, Security Analytics generates a log message to help you resolve event flow issues. The Threshold is the size of the netflow event messages currently flowing from the event source to Security Analytics. InFlight Publish Log Threshold Valid values are: 0 (default) - disables the log message 100-100000000 - generates a log message when this log collector has processed the specified number of netflow events. For example, if you set this value to 100, Security Analytics generates a log message when 100 netflow events of the specific netflow version (v5 or v9) have been processed. Caution: Only enable debugging (set this parameter to On or Verbose) if you have a problem with an event source and you need to investigate this problem. Enabling debugging will adversely affect the performance of the Log Collector. Enables/disables debug logging for the event source. Debug Valid values are: Off = (default) disabled On = enabled Verbose = enabled in verbose mode adds thread information and source context information to the messages. This parameter is designed to debug and monitor isolated event source collection issues. The debug logging is verbose, so limit the number of event sources to minimize performance impact. If you change this value, the change takes effect immediately (no restart required). Cancel OK Closes the dialog without making adding an event source type. Adds the parameters for the event source. Tasks: Configure Netflow Event Sources in Security Analytics Configure Netflow Event Sources to Send Events to Security Analytics Last Modified: July 01 2015, 12:37PM 22

Overview Troubleshoot Netflow Collection Overview This topic highlights possible problems that you may encounter with Netflow Collection and provides suggested solutions to these problems. Troubleshoot Netflow Collection Issues In general, you receive more robust log messages by disabling SSL. Log Message/ Problem Log Collector is not receiving Netflow traffic. Possible Cause Configured the wrong port. Solution Make sure that you configured the correct firewall port (that is, 2055, 4739, 6343, or 9995). Log Message/ Problem Log Collector issues log messages that tell you there was an incompatible or mismatched header or version number. Possible Cause Netflow v10 event information was sent to log collector. Solution Ignore - Netflow v10 is not supported in Security Analytics 10.4. Netflow Collection only accepts events from Netflow v5 and Netflow v9. Last Modified: July 15 2015, 7:20PM 23

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information