Symantec Event Collector 4.3 for Microsoft Windows Quick Reference
The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Legal Notice

Copyright 2008 Symantec Corporation. All rights reserved.

Symantec, the Symantec Logo, LiveUpdate, Symantec AntiVirus, Symantec Mail Security, Symantec Backup Exec, Symantec NetBackup, Symantec Endpoint Protection, Symantec Scan Engine, Symantec Control Compliance Suite, Symantec Critical System Protection, Symantec Enterprise Security Manager, Symantec Intruder Alert, Symantec Sygate Enterprise Protection, Symantec Mail Security, and Symantec Security Response are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.
Symantec Corporation 20330 Stevens Creek Blvd. Cupertino, CA 95014 USA http://www.symantec.com
Technical Support

Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product feature and function, installation, and configuration. The Technical Support group also authors content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec's maintenance offerings include the following:
- A range of support options that give you the flexibility to select the right amount of service for any size organization
- A telephone and web-based support that provides rapid response and up-to-the-minute information
- Upgrade insurance that delivers automatic software upgrade protection
- Global support that is available 24 hours a day, 7 days a week worldwide. Support is provided in a variety of languages for those customers that are enrolled in the Platinum Support program
- Advanced features, including Technical Account Management

For information about Symantec's Maintenance Programs, you can visit our Web site at the following URL: www.symantec.com/techsupp/

Contacting Technical Support

Customers with a current maintenance agreement may access Technical Support information at the following URL: www.symantec.com/techsupp/

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to recreate the problem.

When you contact Technical Support, please have the following information available:
- Product release level
- Hardware information
- Available memory, disk space, and NIC information
- Operating system
- Version and patch level
- Network topology
- Router, gateway, and IP address information
- Problem description: error messages and log files; troubleshooting that was performed before contacting Symantec; recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL: www.symantec.com/techsupp/

Customer service

Customer service information is available at the following URL: www.symantec.com/techsupp/

Customer Service is available to assist with the following types of issues:
- Questions regarding product licensing or serialization
- Product registration updates such as address or name changes
- General product information (features, language availability, local dealers)
- Latest information about product updates and upgrades
- Information about upgrade insurance and maintenance contracts
- Information about the Symantec Value License Program
- Advice about Symantec's technical support options
- Nontechnical presales questions
- Issues that are related to CD-ROMs or manuals

Maintenance agreement resources

If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows:
- Asia-Pacific and Japan: contractsadmin@symantec.com
- Europe, Middle-East, and Africa: semea@symantec.com
- North America and Latin America: supportsolutions@symantec.com

Additional Enterprise services

Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively.

Enterprise services that are available include the following:
- Symantec Early Warning Solutions: these solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur.
- Managed Security Services: these services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.
- Consulting Services: Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring and management capabilities, each focused on establishing and maintaining the integrity and availability of your IT resources.
- Educational Services: Educational Services provide a full array of technical training, security education, security certification, and awareness communication programs.

To access more information about Enterprise services, please visit our Web site at the following URL: www.symantec.com

Select your country or language from the site index.
Contents

Technical Support ... 4

Chapter 1 Introducing Symantec Event Collector for Microsoft Windows ... 9
  About this quick reference ... 9
  Compatibility requirements for Microsoft Windows Event Collector ... 10
  About the installation sequence for Microsoft Windows Event Collector ... 10
  Sensor properties for Microsoft Windows Event Collector ... 11
  Running LiveUpdate for collectors ... 11

Chapter 2 Implementation notes ... 13
  Product ID for Microsoft Windows Event Collector ... 13
  Schema packages ... 13
  Viewing event logs ... 13
  Event mapping for Information Manager ... 14
Chapter 1 Introducing Symantec Event Collector for Microsoft Windows

This chapter includes the following topics:
- About this quick reference
- Compatibility requirements for Microsoft Windows Event Collector
- About the installation sequence for Microsoft Windows Event Collector
- Sensor properties for Microsoft Windows Event Collector
- Running LiveUpdate for collectors

About this quick reference

This quick reference includes information that is specific to Microsoft Windows Event Collector. General knowledge about installing and configuring collectors is assumed, as well as basic knowledge of Microsoft Windows. For detailed information on how to install and configure event collectors, please see the Symantec Event Collectors Integration Guide. For information on Microsoft Windows, see your product documentation.

Compatibility requirements for Microsoft Windows Event Collector

The collector runs on the following operating systems:
- Microsoft Windows 2000 with Service Pack 4 or later
- Microsoft Windows Advanced Server 2000 with Service Pack 4 or later
- Microsoft Windows Server 2003 Enterprise Edition with Service Pack 1 or later
- Microsoft Windows Server 2003 Standard Edition with Service Pack 1 or later
- Windows XP with Service Pack 2 or later

Note: You can install version 4.3 collectors on both 32-bit and 64-bit versions of Windows Server 2000/2003.

Note: This collector is not compatible with Vista or Windows Server 2008.

Note: You cannot install this collector on the Information Manager appliance.

About the installation sequence for Microsoft Windows Event Collector

The collector installation sequence is as follows:
1. Configure Microsoft Windows to work with the collector.
2. Configure the sensor. See "Sensor properties for Microsoft Windows Event Collector" on page 11.
3. Run LiveUpdate. See "Running LiveUpdate for collectors" on page 11.

For all procedures that are not covered in the quick reference, see the Symantec Event Collectors Integration Guide.
Sensor properties for Microsoft Windows Event Collector

Table 1-1 Windows Event Log sensor properties

Sensor property: Monitored host name
Description: Specify the name of the computer from which the collector is to collect events. IP address 127.0.0.1 or localhost are valid entries if events are collected from the same computer on which the collector is installed. If the computer is different, then the host name or IP address can be specified.

Sensor property: Monitored host account name
Description: Specify the path to the account name; for example, DomainName\AccountName for a computer that is located in a Windows domain or HostName\AccountName for a computer that is not located in a Windows domain. The account that is used must have local administrator rights to read the event log from the remote computer in the domain. If the Monitored host name is localhost or 127.0.0.1, leave this field blank; the credentials for the account that runs the Symantec Event Agent process will be used automatically.

Sensor property: Account password
Description: Specify a password for the monitored host account. If the Monitored host name is localhost or 127.0.0.1, leave this field blank; the credentials for the account that runs the Symantec Event Agent process will be used automatically.

Sensor property: Number of days to load history events
Description: Specify the number of days for which the sensor retrieves events. For example, if the sensor is configured for 30 days, the sensor goes back 30 days from the first sensor initialization to retrieve events.
Note: This property is used only for the initial start of the sensor. If the sensor was correctly shut down and created the last position file, this property is ignored during subsequent runs.

Sensor property: Event logs to audit
Description: Select which event logs to audit. You can select a number of options to audit through the pop-up screen. You can also add other options by selecting Add. The default options are System, Security, and Application.

Running LiveUpdate for collectors

You can run LiveUpdate to receive collector updates such as support for new events and query updates. For information about running LiveUpdate on internal LiveUpdate servers, see the Symantec LiveUpdate Administrator User's Guide.

To run LiveUpdate for a collector installed on a separate computer
1. On the collector computer, navigate to the following collector directory:
   C:\Program Files\Symantec\Event Agent\collectors\windowseventlog
2. At a command prompt, type the following command:
   runliveupdate.bat

To verify that LiveUpdate ran successfully for a collector installed on a separate computer
1. On the collector computer, navigate to the following directory:
   C:\Program Files\Symantec\sesa\Event Agent\collectors\windowseventlog
2. Verify that a file named LiveUpdate-Collector.txt exists. This text file shows the date of the last LiveUpdate and contains information about any defects that were addressed and any enhancements that were added.
3. Navigate to the LiveUpdate directory. The default directory is as follows:
   C:\Documents and Settings\All Users\Application Data\Symantec\Java LiveUpdate
4. Use a text editor such as Notepad to view the liveupdt.log file. The first part of the log is in text format; the second part of the log repeats the information in XML format. If LiveUpdate was unsuccessful, a status message that notes the failure appears at the end of the log file. For example, Status = Failed (return code - 2001).
Chapter 2 Implementation notes

This chapter includes the following topics:
- Product ID for Microsoft Windows Event Collector
- Schema packages
- Viewing event logs
- Event mapping for Information Manager

Product ID for Microsoft Windows Event Collector

The product ID of the collector is 3105.

Schema packages

The collector uses the following schema packages:
- symc_base_class
- symc_windows_eventlog_class
- symc_host_intrusion_class
- symc_intrusion_class
- symc_network_class

Viewing event logs

You may view the event logs that the collector reads. You can use Event Viewer to view the logs. An example log appears in Event Viewer as follows:

Date: 6/12/2008
Source: Security
Time: 8:41:35 PM
Category: Logon/Logoff
Type: SuccessAudit
EventID: 528
User: NT AUTHORITY\NETWORK SERVICE
Computer: L-L3LEZE7
Description:
Successful Logon:
    User Name: NETWORK SERVICE
    Domain: NT AUTHORITY
    Logon ID: (0x0,0x3E4)
    Logon Type: 5
    Logon Process: Advapi
    Authentication Package: Negotiate
    Workstation Name:
    Logon GUID: {00000000-0000-0000-0000-000000000000}

To view the event logs
From the Windows computer, click Start > Settings > Control Panel > Administrative Tools, and then double-click Event Viewer.

Event mapping for Information Manager

Table 2-1 describes the event mapping for the collector.

Table 2-1 Event mapping

Information Manager field name: Category ID
Comment: 30007606 - Security

Information Manager field name: Description
Comment: Description

Information Manager field name: Message
Comment: The message portion of the event as seen in the Event Viewer in Windows

Information Manager field name: Destination Host Name
Comment: The host name of the system where the event was generated

Information Manager field name: Device Action

Information Manager field name: EventClassName

Information Manager field name: Intrusion Action
Comment: 1037213 - Login

Information Manager field name: Intrusion Data

Information Manager field name: Intrusion Intent
Comment: 1027103 - Access

Information Manager field name: Intrusion Outcome
Comment: Possible values are as follows:
    1027203 - Succeeded
    1027204 - Failed

Information Manager field name: Intrusion Source Process
Comment: The process ID of the application, service, or session that generated the event

Information Manager field name: Intrusion Source User Name
Comment: The user that performed the action when multiple users are involved

Information Manager field name: Intrusion Target Type
Comment: 1037104 - User Session

Information Manager field name: IP Destination Address
Comment: The IP address of the system where the event was generated

Information Manager field name: IP Destination Port
Comment: The port to which the activity was directed, on the system where the event was generated, where applicable

Information Manager field name: IP Source Address
Comment: The IP address of the system from which the activity originated. For the events that originated on the system that is monitored, this field is the same as the destination_ip field

Information Manager field name: IP Source Port

Information Manager field name: lang
Comment: This field is used for internal processing only

Information Manager field name: Logging Device Name
Comment: The host name of the system where the event was logged

Information Manager field name: Logging User
Comment: The user who logged the event

Information Manager field name: Network Protocol ID
Comment: Possible values are as follows:
    167102 - TCP
    167103 - UDP
    167104 - ICMP

Information Manager field name: not_translated
Comment: This field is used for internal processing only

Information Manager field name: Numeric IP Destination Address
Comment: The integer IP address of the system where the event was generated

Information Manager field name: Numeric IP Source Address
Comment: The integer IP address of the system from which the activity originated

Information Manager field name: option 1 through option 15

Information Manager field name: parsing

Information Manager field name: pretend_value
Comment: This field is used for internal processing only

Information Manager field name: process_id

Information Manager field name: Protocol

Information Manager field name: Proxy Machine
Comment: The system from which the event is retrieved by the collector. When log centralization or management tools are not used, this field is the same as the Logging Device Name field

Information Manager field name: Proxy Machine IP
Comment: This field contains the IP address of the system from which the event is retrieved by the collector.

Information Manager field name: Severity ID
Comment: Possible values are as follows:
    1 - Informational
    2 - Warning
    3 - Minor
    4 - Major
    5 - Critical

Information Manager field name: Source Host Name
Comment: The host name of the system from which the activity originated. For the events that originated on the system that is monitored, this field is the same as the destination_host_name field

Information Manager field name: Target Resource

Information Manager field name: User Name
Comment: The user name of the user that was logged on when the event occurred

Information Manager field name: Vendor Device ID
Comment: 53

Information Manager field name: Vendor Signature
Comment: The vendor's identifier for the event. In this case it is the Event Log's source that is prepended to the Event ID. For example, Security:580

Information Manager field name: will_not_exist
Comment: This field is used for internal processing only
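As an added illustration (not code from the quick reference or from Symantec), the following Python takes the Event ID 528 record shown under "Viewing event logs" and builds the Information Manager record described in Table 2-1, so a practitioner can see how fields such as Vendor Signature ("Security:528") and Intrusion Outcome are derived. The constant identifiers come from Table 2-1; the rule that maps the Event Viewer Type (SuccessAudit/FailureAudit) to an Intrusion Outcome, and the proxy host values, are assumptions.

```python
# Constructed sample: the Event 528 record from the quick reference, written as the
# "Field: value" lines a sensor would read (constructed for this example, not captured).
SAMPLE_EVENT = """\
Date: 6/12/2008
Source: Security
Time: 8:41:35 PM
Category: Logon/Logoff
Type: SuccessAudit
EventID: 528
User: NT AUTHORITY\\NETWORK SERVICE
Computer: L-L3LEZE7
Description: Successful Logon: User Name: NETWORK SERVICE Domain: NT AUTHORITY Logon ID: (0x0,0x3E4) Logon Type: 5 Logon Process: Advapi Authentication Package: Negotiate Workstation Name: Logon GUID: {00000000-0000-0000-0000-000000000000}
"""

# Identifier values as listed in Table 2-1 of the quick reference.
CATEGORY_ID = "30007606 - Security"
INTRUSION_ACTION = "1037213 - Login"
INTRUSION_INTENT = "1027103 - Access"
INTRUSION_TARGET_TYPE = "1037104 - User Session"
VENDOR_DEVICE_ID = "53"
# Assumption (not stated on the page): Event Viewer Type decides the Intrusion Outcome.
OUTCOME_BY_TYPE = {"SuccessAudit": "1027203 - Succeeded",
                   "FailureAudit": "1027204 - Failed"}


def parse_event(text):
    """Split each 'Field: value' line on its first colon; Description keeps its own
    embedded colons (Time: 8:41:35 PM is handled the same way)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def map_event(fields, proxy_host, proxy_ip):
    """Return the Table 2-1 record for one parsed event. proxy_host/proxy_ip identify
    the system the collector retrieved the event from (Proxy Machine fields)."""
    source, event_id = fields["Source"], fields["EventID"]
    computer = fields["Computer"]
    return {
        "Category ID": CATEGORY_ID,
        "Message": fields.get("Description", ""),
        "Destination Host Name": computer,
        # Event originated on the monitored host, so source equals destination (Table 2-1).
        "Source Host Name": computer,
        "Logging Device Name": computer,
        "Intrusion Action": INTRUSION_ACTION,
        "Intrusion Intent": INTRUSION_INTENT,
        "Intrusion Outcome": OUTCOME_BY_TYPE.get(fields.get("Type")),
        "Intrusion Target Type": INTRUSION_TARGET_TYPE,
        "Proxy Machine": proxy_host,
        "Proxy Machine IP": proxy_ip,
        "User Name": fields["User"],
        "Vendor Device ID": VENDOR_DEVICE_ID,
        # Vendor Signature: the Event Log source prepended to the Event ID.
        "Vendor Signature": f"{source}:{event_id}",
    }


if __name__ == "__main__":
    # Constructed proxy values (documentation address range), not from the page.
    for name, value in map_event(parse_event(SAMPLE_EVENT), "L-L3LEZE7", "192.0.2.10").items():
        print(f"{name}: {value}")
```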