Integrate Cisco IronPort Web Security Appliance (WSA)


EventTracker v7.x
Publication Date: June 2, 2014
EventTracker, 8815 Centre Park Drive, Columbia MD 21045, www.eventtracker.com

Abstract

This guide provides instructions to configure Cisco IronPort Web Security Appliance (WSA) to send its events to EventTracker Enterprise.

Scope

The configurations detailed in this guide are consistent with EventTracker Enterprise version 7.x and later, and Cisco IronPort Web Security Appliance AsyncOS v7.1 and later.

Audience

Cisco IronPort Web Security Appliance users who wish to forward events to the EventTracker manager.

The information contained in this document represents the current view of Prism Microsystems Inc. on the issues discussed as of the date of publication. Because Prism Microsystems must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Prism Microsystems, and Prism Microsystems cannot guarantee the accuracy of any information presented after the date of publication.

This document is for informational purposes only. Prism Microsystems MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, this paper may be freely distributed without permission from Prism, as long as its content is unaltered, nothing is added to the content and credit to Prism is provided.

Prism Microsystems may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Prism Microsystems, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred.

© 2014 Prism Microsystems Corporation. All rights reserved.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Table of Contents

Abstract
Scope
Audience
About Cisco WSA
Prerequisites
Send Cisco IronPort Web Security Appliance Logs to an Intermediate Host
    Configuration
Enable Log File Monitoring in EventTracker
EventTracker Knowledge Pack (KP)
Import Cisco IronPort WSA Knowledge pack into EventTracker
    Import Category
    Import Alerts
    Import Tokens
    Import Flex Reports
Verify Cisco IronPort WSA knowledge pack in EventTracker
    Verify IronPort WSA categories
    Verify Cisco IronPort WSA alerts
    Verify Cisco IronPort WSA Tokens
    Verify Cisco IronPort WSA Flex Reports

About Cisco WSA

Cisco WSA provides enhanced threat defense, malware protection, application visibility and control, insightful reporting, and secure mobility. The Cisco Web Security Appliance (WSA) combines all of these forms of protection and more in a single solution. The WSA also helps to secure and control web traffic, while simplifying deployment and reducing costs.

Prerequisites

EventTracker should be installed.
An FTP server should be installed and configured.

Send Cisco IronPort Web Security Appliance Logs to an Intermediate Host

This section describes the configuration steps involved in sending logs from a Cisco IronPort Web Security Appliance to an FTP server on your network, from which EventTracker will then retrieve them. The Cisco IronPort Web Security Appliance maintains numerous logs; the example below demonstrates how to export Access Logs.

Configuration

Step 1: Configure a Log Subscription for Access Logs

1. In the Web Security Appliance management interface, go to System Administration > Log Subscriptions and click Add Log Subscription.
2. Select Access Logs from the Log Type drop-down list. Leave Log Style set to the default value of Squid.

3. Provide a Log Name, which will be used to name the directory created on the FTP server to hold the log files, and a File Name, which will be used as the basis for the individual log file names within that directory.
4. Next to Retrieval Method, select FTP on Remote Server and supply the FTP details of an intermediate host on your network, to which the Cisco IronPort Web Security Appliance will push the log files. Refer to Figure 1.

Figure 1

Step 2: Verify that your subscription looks like the information below.

Figure 2: Configured Subscriptions

Enable Log File Monitoring in EventTracker

To enable the EventTracker Agent to retrieve access log events from the FTP server, you need to enable Logfile Monitoring in EventTracker.

1. Select the Start button, select Prism Microsystems, and then select EventTracker Control Panel.
2. Select EventTracker Agent Configuration, and then select the Logfile Monitor tab.
3. Select the Logfile Monitor option. You can now add the access log that you would like to monitor.

Figure 3

4. Click the Add File Name button. The Enter File Name window displays.

Figure 4

5. Select the Get All Existing Log Files option.
6. In the Select Log File Type drop-down, select the W3C option.
7. Select the Browse button. The Select Folder/File Name window displays.
8. In Select Folder Name:, enter the path of the Cisco IronPort WSA access logs. Select the Show all the files option.

Figure 5

9. Click the OK button. The Enter File Name window displays.

Figure 6

10. Click the OK button. The EventTracker Agent Configuration window displays.

Figure 7

11. Click the Yes button. The Search String window displays.

Figure 8

12. Click the Add String button. The Enter Search String window displays.
13. In the Select Field Name: drop-down, leave the default (date) as it is.
14. In the Enter Search String box, enter *, and then click the OK button.

Figure 9

The Search String window displays.

Figure 10

15. Click the OK button. The Logfile Monitor tab displays.

Figure 11

16. Click the Save button.

EventTracker Knowledge Pack (KP)

Once logs are received in EventTracker, alerts and reports can be configured. The following Knowledge Packs are available in EventTracker v7.x to support Cisco IronPort WSA monitoring:

Categories:

Cisco IronPort WSA: User authentication failed: This category-based report provides information related to failed user authentications.
Cisco IronPort WSA: Web access allowed: This category-based report provides information related to allowed web access.
Cisco IronPort WSA: Web access blocked: This category-based report provides information related to blocked web access.

Alerts:

Cisco IronPort WSA: User authentication failed: This alert is generated when a user authentication fails on Cisco IronPort WSA.
Cisco IronPort WSA: Web access blocked: This alert is generated when web access is blocked by Cisco IronPort WSA.
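The Configuration section above leaves the subscription in the default Squid log style, and the Knowledge Pack sorts the resulting records into three categories (allowed, blocked, authentication failed). The script below is an added example, not code from this guide, from EventTracker or from Cisco: it parses constructed Squid-style access log lines and assigns each to one of the three category names listed above, so a practitioner can sanity-check what the retrieved log files contain before the agent is pointed at them. The field layout (Squid native fields followed by a WSA ACL decision tag), the sample lines, and the classification rules (HTTP 407 as a proxy authentication failure, a TCP_DENIED result or a decision tag beginning with BLOCK_ as a block) are assumptions made for this example, not taken from Cisco documentation.

```python
"""Classify Squid-style WSA access log lines into the three EventTracker
Knowledge Pack category names used in this guide (added example)."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, List, Optional, Tuple

# Category and alert names exactly as the Knowledge Pack section lists them.
CAT_AUTH_FAILED = "Cisco IronPort WSA: User authentication failed"
CAT_ALLOWED = "Cisco IronPort WSA: Web access allowed"
CAT_BLOCKED = "Cisco IronPort WSA: Web access blocked"
# The guide defines alerts only for the auth-failed and blocked categories.
ALERT_CATEGORIES = {CAT_AUTH_FAILED, CAT_BLOCKED}

# Assumed layout: the eleven Squid native fields (timestamp, elapsed ms, client,
# result/status, bytes, method, URL, user, hierarchy, MIME type) followed by the
# WSA ACL decision tag. Anything after the decision tag is ignored here.
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+(?P<hier>\S+)\s+"
    r"(?P<mime>\S+)\s+(?P<decision>\S+)"
)


@dataclass
class AccessEvent:
    time: datetime
    client: str
    user: str
    status: int
    method: str
    url: str
    decision: str
    category: str


def classify(result: str, status: int, decision: str) -> str:
    """Map one record to a Knowledge Pack category (assumed rules)."""
    # A proxy answers 407 when the client has not (successfully) authenticated,
    # so that is treated as an authentication failure before any block check.
    if status == 407:
        return CAT_AUTH_FAILED
    if result == "TCP_DENIED" or decision.startswith("BLOCK_"):
        return CAT_BLOCKED
    return CAT_ALLOWED


def parse_line(line: str) -> Optional[AccessEvent]:
    """Parse one access log line; return None if it does not fit the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    status = int(m["status"])
    return AccessEvent(
        time=datetime.fromtimestamp(float(m["ts"]), tz=timezone.utc),
        client=m["client"],
        user=m["user"],
        status=status,
        method=m["method"],
        url=m["url"],
        decision=m["decision"],
        category=classify(m["result"], status, m["decision"]),
    )


def summarize(lines: Iterable[str]) -> Tuple[Counter, List[AccessEvent], List[str]]:
    """Count records per category, collect alert-worthy events, and keep
    unparsable lines aside so a layout change is noticed rather than dropped."""
    counts: Counter = Counter()
    alerts: List[AccessEvent] = []
    unparsed: List[str] = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            unparsed.append(line)
            continue
        counts[ev.category] += 1
        if ev.category in ALERT_CATEGORIES:
            alerts.append(ev)
    return counts, alerts, unparsed


# Constructed sample records (hosts, users and addresses are made up).
SAMPLE_LOG = """\
1401710400.123 218 10.1.2.30 TCP_MISS/200 8187 GET http://www.example.com/ alice@CORP DIRECT/www.example.com text/html DEFAULT_CASE_12-AllowPolicy-Ident-NONE-NONE-NONE-DefaultGroup <IW_comp> -
1401710401.456 12 10.1.2.31 TCP_DENIED/403 1500 GET http://blocked.example.net/x.exe bob@CORP NONE/- - BLOCK_WEBCAT_12-BlockPolicy-Ident-NONE-NONE-NONE-DefaultGroup <IW_mal> -
1401710402.789 3 10.1.2.32 TCP_DENIED/407 1200 GET http://www.example.org/ - NONE/- - OTHER-NONE-NONE-NONE-NONE-NONE-NONE <-> -
this line is not an access log record
"""

if __name__ == "__main__":
    counts, alerts, unparsed = summarize(SAMPLE_LOG.splitlines())
    for category, n in sorted(counts.items()):
        print(f"{n:4d}  {category}")
    for ev in alerts:
        print(f"ALERT {ev.time:%Y-%m-%d %H:%M:%S} {ev.client} {ev.user} {ev.status} {ev.url}")
    print(f"{len(unparsed)} unparsable line(s)")
```

Run it against a log file pulled from the FTP directory (for example `summarize(open(path).read().splitlines())`) and compare the counts with what the Knowledge Pack reports show once the agent is collecting; a large unparsable count is the first sign that the subscription is not in Squid style or that the layout differs from the assumption above.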

Import Cisco IronPort WSA Knowledge pack into EventTracker

1. Launch EventTracker Control Panel.
2. Double-click Import Export Utility, and then click the Import tab.

Import Category, Alert, Tokens and Flex Reports as given below.

Import Category

1. Click the Category option, and then click the browse button.

Figure 12

2. Locate the All Cisco IronPort WSA group of Categories.iscat file, and then click the Open button.
3. Click the Import button to import the categories. EventTracker displays a success message.
4. Click OK, and then click the Close button.

Figure 13

Import Alerts

1. Click the Alert option, and then click the browse button.

Figure 14

2. Locate the All Cisco IronPort WSA group of Alerts.isalt file, and then click the Open button.
3. To import alerts, click the Import button. EventTracker displays a success message.

Figure 15

4. Click OK, and then click the Close button.

Import Tokens

1. Click the Token value option, and then click the browse button.

Figure 16

2. Locate the All Cisco IronPort WSA group of Tokens.istoken file, and then click the Open button.
3. To import tokens, click the Import button. EventTracker displays a success message.

Figure 17

4. Click OK, and then click the Close button.

Import Flex Reports

1. Click the Scheduled Report option, and then click the browse button.

Figure 18

2. Locate the All Cisco IronPort WSA group of Flex Report.issch file, and then click the Open button.
3. To import scheduled reports, click the Import button. EventTracker displays a success message.

Figure 19

4. Click OK, and then click the Close button.

Verify Cisco IronPort WSA knowledge pack in EventTracker

Verify IronPort WSA categories

1. Log on to EventTracker Enterprise.
2. Click the Admin menu, and then click Categories.
3. In the Category Tree, expand the IronPort WSA group folder to view the imported categories.

Figure 20

Verify Cisco IronPort WSA alerts

1. Log on to EventTracker Enterprise.
2. Click the Admin menu, and then click Alerts.
3. In the Search field, enter Cisco IronPort WSA, and then click the Go button. The Alert Management page displays all the imported Cisco IronPort WSA alerts.

Figure 21

4. To activate the imported alerts, select the respective checkbox in the Active column. EventTracker displays a message box.

Figure 22

Verify Cisco IronPort WSA Tokens

1. Log on to EventTracker Enterprise.
2. Click the Admin menu, and then click Parsing rules. The imported Cisco IronPort WSA tokens are added to the Token-Value Groups list in the Parsing Rule tab.

Figure 23

Verify Cisco IronPort WSA Flex Reports

1. Log on to EventTracker Enterprise.
2. Click the Reports menu, and then select Configuration.
3. In the Reports Configuration pane, select the Defined option.
4. In the search box, enter Cisco IronPort WSA, and then click the Search button. (OR) In the Report groups pane, select the Cisco IronPort WSA folder, and then select the Defined option. EventTracker displays the Cisco IronPort WSA Flex reports.

Figure 24

Here you can find the imported defined reports, such as the Cisco IronPort WSA Web access allowed and Web access blocked reports.

Sample Report

Figure 25