RSA Security Analytics




RSA Security Analytics
Event Source Log Configuration Guide

RSA Authentication Manager and User Credential Manager

Last Modified: Friday, March 13, 2015

Event Source Product Information:
Vendor: RSA, The Security Division of EMC
Event Source: Authentication Manager, User Credential Manager
Versions: 5.2, 6.0, 6.1, 7.1 SP2, 7.1 SP4 Patch 3, Patch 6, 8.0, 8.1

RSA Product Information:
Supported On: Security Analytics 10.0 and later
Event Source Log Parser: rsaacesrv
Collection Method: Syslog
Event Source Class.Subclass: Security.Access Control

To configure RSA Authentication Manager to work with RSA Security Analytics, perform the following tasks:

I. Depending on your version of RSA Authentication Manager, perform one of the following tasks:
   Configure RSA Auth Manager 7.1 to Send Syslog, or
   Configure RSA Auth Manager 8.x to Send Syslog
II. Configure Security Analytics for Syslog Collection

Configure RSA Authentication Manager 7.1 to Send Syslog Formatted Messages

You can send Syslog formatted messages to the SA platform from RSA Authentication Manager 7.1 SP2 and later.

To configure RSA Authentication Manager to send Syslog:

1. Install RSA Authentication Manager 7.1 SP2 or newer.
   Note: The patch contains a fix that is needed to send syslog format messages to the Security Analytics platform.
2. On each Authentication Manager server instance, edit the following lines in the RSA_home\utils\resources\ims.properties file so that they appear as follows:

   To send Admin audit events to the Security Analytics platform:
      ims.logging.audit.admin.syslog_host = SA_LogDecoder_or_RemoteLogCollector_host
      ims.logging.audit.admin.use_os_logger = true

   To send Runtime audit events to the Security Analytics platform:
      ims.logging.audit.runtime.syslog_host = SA_LogDecoder_or_RemoteLogCollector_host
      ims.logging.audit.runtime.use_os_logger = true

   To send System audit events to the Security Analytics platform:
      ims.logging.audit.system.syslog_host = SA_LogDecoder_or_RemoteLogCollector_host
      ims.logging.audit.system.use_os_logger = true

3. To restart Authentication Manager 7.1, follow these steps:
   a. Click Start > Administrator Tools > Computer Management > Services and Applications > Services.
   b. Select RSA Authentication Manager.
   c. Click Restart.
4. Enable the sending of logs to the OS system log as follows:
   a. In the Authentication Manager Security Console, click Setup > Instances.
   b. Right-click the server instance, and select Logging.
   c. In the Log Data Destination section, select Send system messages to OS system log.
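A quick way to confirm that step 2 was applied to all three audit categories on an instance, so that no category silently stays off the Security Analytics platform. This is an added example, not part of the RSA guide; the function names, the sample file content and the collector address 192.0.2.10 are constructed for illustration.

```python
# Added example: audit ims.properties text against the six settings from step 2.
CATEGORIES = ("admin", "runtime", "system")

def parse_properties(text):
    """Minimal key/value parser: skips blank lines and #/! comments, splits on
    the first '=' or ':', and lets the last definition of a key win.
    Line continuations and escape sequences are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        seps = [i for i in (line.find("="), line.find(":")) if i != -1]
        if not seps:
            continue
        idx = min(seps)
        props[line[:idx].strip()] = line[idx + 1:].strip()
    return props

def audit_syslog_settings(text, expected_host):
    """Return a list of findings; an empty list means all six settings match."""
    props = parse_properties(text)
    findings = []
    for cat in CATEGORIES:
        checks = (
            (f"ims.logging.audit.{cat}.syslog_host", expected_host),
            (f"ims.logging.audit.{cat}.use_os_logger", "true"),
        )
        for key, want in checks:
            got = props.get(key)
            if got is None:
                findings.append(f"{key}: missing")
            elif got != want:
                findings.append(f"{key}: is {got!r}, expected {want!r}")
    return findings

# Constructed sample: runtime points at the wrong host, the system host line
# is commented out, and the system OS logger is disabled.
SAMPLE = """\
ims.logging.audit.admin.syslog_host = 192.0.2.10
ims.logging.audit.admin.use_os_logger = true
ims.logging.audit.runtime.syslog_host = 127.0.0.1
ims.logging.audit.runtime.use_os_logger = true
#ims.logging.audit.system.syslog_host = 192.0.2.10
ims.logging.audit.system.use_os_logger = false
"""

if __name__ == "__main__":
    for finding in audit_syslog_settings(SAMPLE, "192.0.2.10"):
        print(finding)
```

Run it against the file content from each Authentication Manager server instance, since the guide requires the edit on every instance.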

Configure RSA Authentication Manager 8.x to Send Syslog Formatted Messages

To configure RSA Authentication Manager 8.0 to send Syslog:

1. Log on to the RSA Authentication Manager Security Console, and navigate to Setup > System Settings.
2. In the Basic Settings section, select Logging.
3. Select the instance from which you want to collect logs, and click Next.
4. In the Log Levels section, complete the fields as follows:

   Field                        Action
   Administrative Audit Log     Select Success.
   Runtime Audit Log            Select Success.
   System Log                   Select Warning.

5. In the Log Data Destination section, complete the fields as follows:

   Field                              Action
   Administrative Audit Log Data      Select Save to remote database and internal Syslog at the following hostname or IP address, and enter the IP address for the Security Analytics Log Decoder or RSA Security Analytics Remote Log Collector.
   Runtime Audit Log Data             Select Save to remote database and internal Syslog at the following hostname or IP address, and enter the IP address for the Security Analytics Log Decoder or RSA Security Analytics Remote Log Collector.
   System Log Data                    Select Save to remote database and internal Syslog at the following hostname or IP address, and enter the IP address for the Security Analytics Log Decoder or RSA Security Analytics Remote Log Collector.

6. Click Save to save changes.

Configure Security Analytics for Syslog Collection

Note: You only need to configure Syslog collection the first time that you set up an event source that uses Syslog to send its output to Security Analytics.

You should configure either the Log Decoder or the Remote Log Collector for Syslog. You do not need to configure both.

To configure the Log Decoder for Syslog collection:

1. In the Security Analytics menu, select Administration > Services.
2. In the Services grid, select a Log Decoder, and from the Actions menu, choose View > System.
3. Depending on the icon you see, do one of the following:
   If you see, click the icon to start capturing Syslog.
   If you see, you do not need to do anything; this Log Decoder is already capturing Syslog.
4. Ensure that the parser for your event source is enabled.
   a. From the System pull-down menu, select Config.
   b. In the Service Parsers Configuration panel, search for your event source.
   c. Ensure that the Config Value field for your event source is selected.

To configure the Remote Log Collector for Syslog collection:

1. In the Security Analytics menu, select Administration > Services.
2. In the Services grid, select a Remote Log Collector, and from the Actions menu, choose View > Config > Event Sources.
3. Select Syslog/Config from the drop-down menu.
   The Event Categories panel displays the Syslog event sources that are configured, if any.
4. In the Event Categories panel toolbar, click +.
   The Available Event Source Types dialog is displayed.
5. Select either syslog-tcp or syslog-udp. You can set up either or both, depending on the needs of your organization.
6. Select the new type in the Event Categories panel and click + in the Sources panel toolbar.
   The Add Source dialog is displayed.
7. Enter 514 for the port, and select Enabled. Optionally, configure any of the Advanced parameters as necessary.
   Click OK to accept your changes and close the dialog box.

Once you configure one or both syslog types, the Remote Log Collector collects those types of messages from all available event sources. So, you can continue to add Syslog event sources to your system without needing to do any further configuration in Security Analytics.

Copyright 2015 EMC Corporation. All Rights Reserved.

Trademarks
RSA, the RSA Logo and EMC are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other trademarks used herein are the property of their respective owners. For a list of RSA trademarks, go to www.rsa.com/legal/trademarks_list.pdf. Published in the USA.