LogLogic Cisco IPS Log Configuration Guide




Document Release: March 2011
Part Number: LL600072-00ELS090000

This manual supports LogLogic Cisco IPS Release 1.0 and later, and LogLogic Software Release 4.9.1 and later until replaced by a new edition.

2011 LogLogic, Inc. Proprietary Information

Trademarks

This document contains proprietary and confidential information of LogLogic, Inc. and its licensors. In accordance with the license, this document may not be copied, disclosed, modified, transmitted, or translated except as permitted in writing by LogLogic, Inc. LogLogic and the LogLogic logo are trademarks or registered trademarks of LogLogic, Inc. in the United States and/or foreign countries. All other company or product names are trademarks or registered trademarks of their respective owners.

Notice

The information contained in this document is subject to change at any time without notice. All warranties with respect to the software and accompanying documentation are set out exclusively in the Software License Agreement or in the Product Purchase Agreement that covers the documentation.

LogLogic, Inc.
110 Rose Orchard Way, Ste 200
San Jose, CA 95134
Tel: +1 408 215 5900
Fax: +1 408 774 1752
U.S. Toll Free: 888 347 3883
http://www.loglogic.com

Contents

Preface
  About This Guide
  Technical Support
  Documentation Support
  Conventions

Chapter 1 Configuring LogLogic's Cisco IPS Log Collection
  Introduction to Cisco IPS
  Prerequisites
  Enabling a Cisco IPS for SDEE
  Enabling the LogLogic Appliance to Capture Data
    Adding a Cisco IPS Device
  Verifying the Configuration

Chapter 2 How LogLogic Supports Cisco IPS
  How LogLogic Captures Cisco IPS Data
  LogLogic Real-Time Reports

Appendix A Event Reference
  LogLogic Support for Cisco IPS Events


Preface

About This Guide

The LogLogic Appliance-based solution lets you capture and manage log data from all types of log sources in your enterprise. The LogLogic support for Cisco IPS enables LogLogic Appliances to capture logs from machines running Cisco IPS. Once the logs are captured and parsed, you can generate reports and create alerts on Cisco IPS's operations. For more information on creating reports and alerts, see the LogLogic User Guide and LogLogic Online Help.

Technical Support

LogLogic is committed to the success of our customers and to ensuring our products improve customers' ability to maintain secure, reliable networks. Although LogLogic products are easy to use and maintain, occasional assistance might be necessary. LogLogic provides timely and comprehensive customer support and technical assistance from highly knowledgeable, experienced engineers who can help you maximize the performance of your LogLogic Appliances.

To reach LogLogic Customer Support:
Telephone: Toll Free 1-800-957-LOGS, Local 1-408-834-7480
EMEA or APAC: +44 (0) 207 1170075 or +44 (0) 8000 669970
Email: support@loglogic.com

You can also visit the LogLogic Support website at: http://www.loglogic.com/services/support.

When contacting Customer Support, be prepared to provide:
- Your name, email address, phone number, and fax number
- Your company name and company address
- Your machine type and release version
- A description of the problem and the content of pertinent error messages (if any)

Documentation Support

Your feedback on LogLogic documentation is important to us. Send e-mail to DocComments@loglogic.com if you have questions or comments. Your comments will be reviewed and addressed by the LogLogic technical writing team. In your e-mail message, please indicate the software name and version you are using, as well as the title and document date of your documentation.

Conventions

LogLogic documentation uses the following conventions to highlight code and command-line elements:

- A monospace font is used for programming elements (such as code fragments, objects, methods, parameters, and HTML tags) and system elements (such as filenames, directories, paths, and URLs).
- A monospace bold font is used to distinguish system prompts or screen output from user responses, as in this example:
  username: system
  home directory: home\app
- A monospace italic font is used for placeholders, which are general names that you replace with names specific to your site, as in this example:
  LogLogic_home_directory\upgrade\
- Straight brackets signal options in command-line syntax. For example:
  ls [-AabCcdFfgiLlmnopqRrstux1] [-X attr] [path...]

Chapter 1 Configuring LogLogic's Cisco IPS Log Collection

This chapter describes the configuration steps involved in enabling a LogLogic Appliance to request Cisco IPS logs. The configuration steps assume that you have a functioning LogLogic Appliance that can be configured to capture Cisco IPS-related log data.

  Introduction to Cisco IPS
  Prerequisites
  Enabling a Cisco IPS for SDEE
  Enabling the LogLogic Appliance to Capture Data
  Verifying the Configuration

Introduction to Cisco IPS

LogLogic Appliance support for Cisco IPS alert events is available. The Cisco IPS signature library consists of specific signatures that have logging enabled.

Prerequisites

Prior to configuring Cisco IPS and the LogLogic Appliance, ensure that you meet the following prerequisites:
- Cisco IPS version 6.2 or 7.0
- Proper access permissions to make configuration changes
- LogLogic Appliance running Release 4.9.1 or later with a Log Source Package that includes Cisco IPS support
- Administrative access on the LogLogic Appliance

Enabling a Cisco IPS for SDEE

You must configure the Cisco IPS to allow connections to SDEE prior to configuring the LogLogic Appliance.

Note: This document does not describe all features and functionality within Cisco IPS regarding configuration. For more information on these areas, see the Cisco IPS Product Documentation.

To configure the Cisco IPS to allow connections to SDEE:
1. Launch a web browser.
2. Specify the IP address of the Cisco IDM sensor in the Address field.
3. If a dialog box is shown, click OK.
4. At the Prompt dialog, enter your username and password, and click OK.
5. On the left-most panel, select Sensor Setup > Allowed Hosts. The Cisco IDM window displays the Allowed Hosts panel.
6. Add the IP address and Network Mask of the LogLogic Appliance.
7. Click Apply.

The LogLogic Appliance will now be able to connect to the Cisco SDEE sensor.

Note: TLS/SSL must be enabled and the Web Server Port must be set to 443 under Configuration > Sensor Setup > Network, Web Server Settings.

Enabling the LogLogic Appliance to Capture Data

The following sections describe how to enable the LogLogic Appliance to capture Cisco IPS SDEE log data.

Adding a Cisco IPS Device

If you do not want to use the auto-identification feature, you can manually add a Cisco IPS device to the LogLogic Appliance before you redirect the logs.

To add Cisco IPS as a new device:
1. Log in to the LogLogic Appliance.
2. From the navigation menu, select Management > Devices. The Devices tab appears.
3. Click Add New. The Add Device tab appears.
4. Type in the following information for the device:
   Name: Name for the Cisco IPS device
   Description (optional): Description of the Cisco IPS device
   Device Type: Select Cisco IPS from the drop-down menu
   Host IP: IP address of the Cisco IPS appliance
   Enable Data Collection: Select the Yes radio button
   Refresh Device Name through DNS Lookups (optional): Select this checkbox to have the Name field updated automatically. The name is obtained using a reverse DNS lookup on the configured refresh interval. The DNS name overrides any manual name you assign.
   SSL Port: Cisco IPS Sensor SDEE port
   Polling Interval: Collection polling interval
   UserID: User name of the account on the Cisco IPS Sensor
   Password: Password for the user account
5. In the Cisco IPS Collector Configuration panel, enter a UserID and a Password, then click Test Connection to ensure that the connection works.
6. Click Add.

Figure 1 Add Device Tab

7. Verify that your new device appears in the Devices tab and that Enabled is set to Yes.

When the logs arrive from the specified Cisco IPS appliance, the LogLogic Appliance uses the device you just added if the hostname or IP address matches.

Verifying the Configuration

This section describes how to verify that the configuration changes made to Cisco IPS and the LogLogic Appliance have been applied correctly.

To verify the configuration:
1. Log in to the LogLogic Appliance.
2. From the navigation menu, select Dashboards > Log Source Status.
3. Locate the IP address for each Cisco IPS device. If the device name (Cisco IPS) appears in the list of devices, then the configuration is correct (Figure 2).

Figure 2 Verification of the Cisco IPS Configuration

If the device does not appear in the Log Source Status tab, check the Cisco IPS logs to identify whether any events are being generated. If events were detected but are still not appearing on the LogLogic Appliance, verify the Cisco IPS configuration and the LogLogic Appliance configuration.

Chapter 2 How LogLogic Supports Cisco IPS

This chapter describes LogLogic's support for Cisco IPS. LogLogic enables you to capture Cisco IPS log data to monitor events. LogLogic supports Cisco IPS logs.

  How LogLogic Captures Cisco IPS Data
  LogLogic Real-Time Reports

How LogLogic Captures Cisco IPS Data

Cisco IPS posts events using the SDEE (Security Device Event Exchange) format and protocol over SSL for the LogLogic Appliance to retrieve. Once the data is captured, you can generate search reports or create alerts. For more information on creating reports and alerts, see the LogLogic User Guide and LogLogic Online Help.

Figure 3 Cisco IPS, SDEE, and LogLogic Architecture

LogLogic Real-Time Reports

LogLogic provides pre-configured Real-Time Reports for log data. The following Real-Time Reports are available:
- All Unparsed Events: Displays data for all events retrieved from the Microsoft Windows log for a specified time interval.
- IDS/IPS Activity: Displays Source and Destination IP address, Destination port number, and Signature intrusion detection information for a specified time interval.

To access LMI 5 Real-Time Reports:
1. In the top navigation pane, click Reports.
2. Click Threat Management. The following Real-Time Reports are available: IDS/IPS Activity
3. Click Operational. The following Real-Time Reports are available: All Unparsed Events

You can create custom reports from the existing Real-Time Report templates. For more information, see the LogLogic User Guide and LogLogic Online Help.

Appendix A Event Reference

This appendix lists the LogLogic-supported Cisco IPS events. The LogLogic Cisco IPS event table identifies event formats that can be analyzed through LogLogic Agile Reports, as well as a sample log message.

LogLogic Support for Cisco IPS Events

The following list describes the contents of each of the columns in the table below.

Event ID: An ID referencing the unique occurrence.
Agile Reports/Search: Defines whether the Cisco IPS event is available through the LogLogic Agile Reporting engine or through the search capabilities. If the event is available through the Agile Report engine, you can use LogLogic Real-Time Reports and Summary Reports to analyze and display the captured log data. All other supported events captured by the LogLogic Appliance can be viewed by performing a search for the log data.
Title: Not Applicable (N/A).
Event Category: Category of event, such as Alert, System, Error.
Event Type: Type of event, for example Traffic.
Sample Log Message: Sample Cisco IPS log messages.

LogLogic supports all events of the "evidsalert" eventtype, provided they are enabled for logging on the Cisco IPS device. These events are supported by the IDS Activity report.

Example Event:
eventtype="evidsalert",eventid="1265425594593088348",vendor="cisco",severity="informational",originator_hostid="cisco_ips_4240",originator_appname="sensorapp",originator_appinstanceid="396",time_offset="-480",time_timezone="gmt-08:00",time="2010-05-25 16:44:14.887257",signature_description="Net Flood

Table 1 Cisco IPS Events

Columns: Event ID | Agile/Search Reports | Title | Event Category | Event Type | Sample Log Message

1 | N/A | Agile | N/A | Alert | evidsalert
eventtype="evidsalert",eventid="1265425594593088348",vendor="cisco",severity="informational",originator_hostid="cisco_ips_4240",originator_appname="sensorapp",originator_appinstanceid="396",time_offset="-480",time_timezone="gmt-08:00",time="2010-05-25 16:44:14.887257",signature_description="Net Flood TCP",signature_id="6920",signature_version="S4",signature_type="anomaly",signature_created="20010725",signature_subsigid="0",signature_marscategory="dos/network/TCP",interfaceGroup="vs0",vlan="0",participants="",alertDetails="Maxpps during this interval: 29 ;",riskratingvalue_targetvaluerating="medium",riskratingvalue="25",threatRatingValue="25",interface="sy0_0",protocol="tcp"

2 | N/A | Search | N/A | System | evstatus
eventtype="evstatus",eventid="1265405134507577854",vendor="cisco",originator_hostid="cisco_ips_4240",originator_appname="cidwebserver",originator_appinstanceid="325",time_offset="60",time_timezone="pacific",time="1271699008192750000",loginaction_action="loggedin",loginaction_description="user logged into HTTP server",loginaction_username="loglogic",loginaction_useraddress_port="60058",loginaction_useraddress="192.168.11.10"

3 | N/A | Search | N/A | Error | everror
eventtype="everror",eventid="1265405134507577859",vendor="cisco",severity="warning",originator_hostid="cisco_ips_4240",originator_appname="externalproductinterface",originator_appinstanceid="325",time_offset="60",time_timeZone="Pacific",time="1271699021031984000",errorMessage_name="errNotAvailable",errorMessage="Failure opening a subscription on the Management Center for Cisco Security Agents external interface at 10.60.0.134: Failed to parse the response's SOAP Envelope element"
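As an added example that is not part of the LogLogic guide, the following Python script parses the key="value" records shown in Table 1, applies the table's Agile/Search and Event Category mapping to each eventtype, and pulls out the signature and risk-rating fields that the IDS/IPS Activity report lists. The sample input is the table's three messages re-joined onto one line each; the field names used are only those visible in those messages, and the fallback for unlisted eventtypes is an assumption.

```python
import re

# Constructed sample input: the three sample log messages from Table 1 of this guide,
# re-joined onto one record each (the PDF extraction had wrapped them mid-value).
SAMPLE_EVENTS = [
    'eventtype="evidsalert",eventid="1265425594593088348",vendor="cisco",severity="informational",'
    'originator_hostid="cisco_ips_4240",originator_appname="sensorapp",originator_appinstanceid="396",'
    'time_offset="-480",time_timezone="gmt-08:00",time="2010-05-25 16:44:14.887257",signature_description="Net Flood TCP",'
    'signature_id="6920",signature_version="S4",signature_type="anomaly",signature_created="20010725",signature_subsigid="0",'
    'signature_marscategory="dos/network/TCP",interfaceGroup="vs0",vlan="0",participants="",'
    'alertDetails="Maxpps during this interval: 29 ;",riskratingvalue_targetvaluerating="medium",riskratingvalue="25",'
    'threatRatingValue="25",interface="sy0_0",protocol="tcp"',
    'eventtype="evstatus",eventid="1265405134507577854",vendor="cisco",originator_hostid="cisco_ips_4240",'
    'originator_appname="cidwebserver",originator_appinstanceid="325",time_offset="60",time_timezone="pacific",'
    'time="1271699008192750000",loginaction_action="loggedin",loginaction_description="user logged into HTTP server",'
    'loginaction_username="loglogic",loginaction_useraddress_port="60058",loginaction_useraddress="192.168.11.10"',
    'eventtype="everror",eventid="1265405134507577859",vendor="cisco",severity="warning",originator_hostid="cisco_ips_4240",'
    'originator_appname="externalproductinterface",originator_appinstanceid="325",time_offset="60",time_timeZone="Pacific",'
    'time="1271699021031984000",errorMessage_name="errNotAvailable",errorMessage="Failure opening a subscription on the '
    "Management Center for Cisco Security Agents external interface at 10.60.0.134: Failed to parse the response's SOAP Envelope element\"",
]

# key="value" pairs. Values in these records never contain a double quote, so a
# quoted match is safe even when a value holds commas, colons or an apostrophe.
_PAIR = re.compile(r'(\w+)="([^"]*)"')

# Table 1 of the guide: reporting engine and Event Category for each eventtype.
EVENT_CATEGORY = {"evidsalert": ("Agile", "Alert"), "evstatus": ("Search", "System"),
                  "everror": ("Search", "Error")}


def parse_sdee_event(line):
    """Parse one record into a dict. Keys are lower-cased because the sensor emits
    both time_timezone and time_timeZone for the same field."""
    fields = {k.lower(): v for k, v in _PAIR.findall(line)}
    if "eventtype" not in fields:
        raise ValueError("not an SDEE key/value record: %r" % line[:60])
    return fields


def classify(event):
    """(reporting engine, Event Category) per Table 1; the Search/Unknown fallback
    for eventtypes the guide does not list is an assumption of this example."""
    return EVENT_CATEGORY.get(event["eventtype"], ("Search", "Unknown"))


def ids_activity_rows(events, min_risk=0):
    """Rows the IDS/IPS Activity report would show: evidsalert records only, with the
    signature and risk-rating fields pulled out and an optional riskRatingValue floor
    (the kind of filter an alert on this data would apply). participants is empty in
    the sample, so source/destination are left blank rather than guessed."""
    rows = []
    for ev in events:
        if ev["eventtype"] != "evidsalert":
            continue
        risk = int(ev.get("riskratingvalue", "0"))
        if risk < min_risk:
            continue
        rows.append({"time": ev.get("time", ""), "sensor": ev.get("originator_hostid", ""),
                     "signature_id": ev.get("signature_id", ""), "signature": ev.get("signature_description", ""),
                     "risk_rating": risk, "protocol": ev.get("protocol", ""),
                     "participants": ev.get("participants", "")})
    return rows
```

Calling `ids_activity_rows([parse_sdee_event(l) for l in SAMPLE_EVENTS], min_risk=25)` returns the single Net Flood TCP alert row; the evstatus login and everror records are classified for search only, as in Table 1.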