Log server version 2.0
Contents

1 Setting up the log server for the appliance
1.1 Registering the log server on the appliance
1.2 Entering the Syslog server on the appliance
2 Log server
2.1 Installation on a Windows computer from the Securepoint CD-ROM
2.2 Basic configuration of the log server
2.2.1 Starting the configuration interface of the log server
2.2.2 Setting up users for the log server
2.2.3 Preparing the Securepoint Security Manager to be linked to the log server
2.2.4 Setting up appliances that may send log files to the log server
2.3 Log server administration
2.3.1 Setting up the database
2.3.2 Database archiving
2.3.3 Using the log file manager
2.4 Alerts
2.5 Reports
2.6 Event reporting
2.7 Log services
2.8 Network configuration
3 Troubleshooting
Securepoint log server

An important part of the functions of the Securepoint Security appliance is logging, reporting and log analysis. The log file contains the automatically generated record of certain actions and processes on a Securepoint Security appliance.

The task of the Securepoint log server is to collect and safeguard the log data of Securepoint systems. The log server also offers alert functions. The appliance communicates with the Securepoint log server via the Syslog protocol (see RFC 3164 and RFC 3195). Because Syslog is used, the appliance can also send its log files to any other Syslog server of your choice. In that case, however, the Securepoint Security Manager cannot retrieve the data from that server for the graphical evaluation. The following describes the configuration of the Securepoint log server.

fig. 1 relation between appliance, log server and Security Manager or Security Wizard (the appliance sends live log data via syslog to the log server on a Windows server; Security Manager and Security Wizard read the historical log data from the log server for analysis)

Log data is not stored on the firewall. If you want to analyze historical log data you have to use the log server. The firewall sends the log data via Syslog over UDP port 514 to the log server; the appliance must therefore know the IP address of the log server. The Security Manager must know this IP address too in order to read the log data. The Security Manager and the log server communicate with each other over SSH (TCP port 22): the Manager logs on to the SSH daemon running on the log server with your Windows user account.

Note: The authentication is case-sensitive.

Note: Syslog over UDP is neither encrypted nor authenticated, and packets are not acknowledged: log messages can be lost, read or spoofed on the path between appliance and log server. Keep that path inside a trusted network and restrict the sending addresses on the log server (see 2.2.4).
1 Setting up the log server for the appliance

1.1 Registering the log server on the appliance

In order for a log server to collect data from Securepoint Security appliances, the appliances have to know where to send the data. The first step is therefore to register a log server on your appliance.

Start the Securepoint Security Manager via Start -> Programs -> Securepoint 2007nx -> Security Manager and enter your container password. Confirm your entry by clicking OK.

fig. 2 opening the container

Login on the appliance

A connection to the selected appliance is established by double-clicking the firewall object in the selection list, or by right-clicking the firewall object and selecting Connect from the menu.

fig. 3 login on the appliance

Now right-click the existing red firewall symbol in the left window of the Security Manager and select Properties (name of the firewall). Here the Manager is told from where it can retrieve the log files of this appliance.

Please note: If there is no firewall symbol, you have not yet set up an appliance in the Security Manager. This has to be done first.
In the firewall properties, two tabs are available: Firewall and Logserver. Change to the tab Logserver and enter the following data: activate external logging, then enter the IP address on which the log server is running. Also enter the login and the password, including the password confirmation, with which the Security Manager logs on to the log server to retrieve this appliance's log files. These login data belong either to a local user or to a user from the Windows domain who is registered with the log server (see 2.2.2).

fig. 4 firewall properties - tab Logserver

Entry fields:
Address: IP address of the log server.
Port: port on which the log server is contacted (default 22, the SSH port of the log server; see 2.8 if you have changed it).
Login: the user name configured on the log server. This is a local Windows user or a domain user of the computer the log server runs on.
Password: password of the configured user (Windows user or domain password).
Confirmation: password confirmation.

Please note: Under Logserver a Securepoint log server is entered on which the appliance files all its log files. Only if all data are entered correctly here can the log file evaluation via the Securepoint Security Manager be used.
1.2 Entering the Syslog server on the appliance

On the appliance you have to define to which IP addresses it sends its Syslog packets. Click on the icon Network and go to the tab Server properties. At Logging-Server click on Add.

fig. 5 adding an IP address of the log server

In the dialog window enter the IP of the log server and save your configuration with OK. If several IPs are entered, the firewall sends its log messages to all of them.

Note: Make sure only the intended log server addresses are listed here, and that UDP port 514 from the appliance to the log server is permitted by any firewall in between (see 2.8 if the log server uses a different Syslog port). Because UDP gives no delivery confirmation, a wrong address here produces no error message, only an empty database on the log server.
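The transport configured here is RFC 3164 syslog over UDP, as described in the introduction. The following Python script is an added example and is not part of this manual or of the Securepoint software: it builds one such packet, parses it back into its fields, and can send it to the configured log server addresses, which is a convenient way to check that the log server records data before an appliance is connected. The host name, facility, message text and the addresses are assumed sample values.

```python
"""Added example (not part of the Securepoint manual): build, send and parse
RFC 3164 syslog packets of the kind an appliance sends to the log server over
UDP port 514.  Host names, facility, message text and addresses are
constructed sample values, not taken from the manual."""
import re
import socket
from datetime import datetime

SYSLOG_PORT = 514                      # default UDP port from the manual
FACILITY_LOCAL0 = 16                   # assumed facility; see the RFC 3164 table
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

# <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: content   (RFC 3164 section 4.1)
_RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[A-Za-z0-9_\-./]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$")


def build_message(facility, severity, host, tag, text, when):
    """Encode one RFC 3164 packet. PRI is facility*8 + severity; the day of
    month is space-padded to two characters as the RFC requires."""
    pri = facility * 8 + SEVERITY[severity]
    stamp = when.strftime("%b") + f" {when.day:2d} " + when.strftime("%H:%M:%S")
    packet = f"<{pri}>{stamp} {host} {tag}: {text}"
    return packet.encode("ascii", "replace")[:1024]   # RFC 3164 packet size limit


def parse_message(packet):
    """Decode a packet back into its fields. Returns None for anything that is
    not RFC 3164 shaped, which a receiver must tolerate from a UDP source."""
    m = _RFC3164.match(packet.decode("ascii", "replace"))
    if not m:
        return None
    pri = int(m["pri"])
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m["ts"],
            "host": m["host"], "tag": m["tag"], "pid": m["pid"], "msg": m["msg"]}


def send_to_logservers(packet, targets, port=SYSLOG_PORT):
    """Send the packet to every configured log server IP, as the appliance does
    when several addresses are entered under Logging-Server. UDP gives no
    delivery confirmation and authenticates neither side."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        for ip in targets:
            sock.sendto(packet, (ip, port))
    finally:
        sock.close()


# Constructed sample packet (assumed host name, message and timestamp).
SAMPLE_TIME = datetime(2008, 3, 5, 14, 7, 9)
SAMPLE_PACKET = build_message(FACILITY_LOCAL0, "warning", "fw-branch1", "ids",
                              "portscan from 198.51.100.7 [Priority: 2]",
                              SAMPLE_TIME)

if __name__ == "__main__":
    print(SAMPLE_PACKET)
    print(parse_message(SAMPLE_PACKET))
    # send_to_logservers(SAMPLE_PACKET, ["192.0.2.10"])  # assumed log server IP
```

Run it on the appliance side of the network with the log server IP uncommented; the packet should appear in the log server database within one examination period (see 2.3.1). If it does not, the troubleshooting section applies.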
2 Log server

2.1 Installation on a Windows computer from the Securepoint CD-ROM

The Securepoint log server has to be installed on a Microsoft Windows operating system. The installer is on the CD-ROM in the folder /programs/logserver.exe. Start this program to install the log server under Windows. After the installation the log server runs in the background as a Windows service. You can check the status of the Securepoint Logserver service under Start -> Control Panel -> Performance and Maintenance -> Administrative Tools -> Services.

fig. 6 Securepoint log server service in the Services console
2.2 Basic configuration of the log server

2.2.1 Starting the configuration interface of the log server

After the installation the configuration interface of the log server can be started via the link created in the Start menu: Start -> Programs -> Securepoint 2007nx -> Logserver

2.2.2 Setting up users for the log server

Under User administration you enter the local users or users from the Windows domain that are allowed to connect to the log server. The users entered here must have administrative privileges on the log server computer.

Procedure: Click on User administration and on the button Add. A new dialog window opens. Select a user from the domain or from the local computer in the list and click on Add. The new user is placed in the table Allowed users.

Note: Because this account needs administrative rights and its password is entered in the firewall properties of every appliance in the Security Manager (see 1.1), use a dedicated account for the log server rather than a personal administrator login.

fig. 7 adding a Windows user
2.2.3 Preparing the Securepoint Security Manager to be linked to the log server

In addition to the user authentication, it is defined which IP addresses may connect to the log server. Both criteria have to be met for the retrieval and evaluation of the log files to work. Under Allowed Security Manager, the IP addresses or networks of the Security Managers that may connect to the log server are entered.

fig. 8 adding the network of the Securepoint Security Manager
2.2.4 Setting up appliances that may send log files to the log server

Under this item on the log server, the IP addresses of the appliances that may send log data to the log server are entered; log data from addresses not listed here is not accepted.

Note: This check applies to the source address of a UDP packet, which can be forged. It keeps stray traffic out of the database but is not a substitute for filtering the Syslog port at the network border.

fig. 9 adding the IP address of a logging appliance
2.3 Log server administration

Under Database administration you define how long data are kept and the maximum disk space the log data may occupy; in addition, the current fill level of the database is shown. Database administration is split into the sections Administration and Database archiving. In the section Administration you set the storage time of the data and the disk capacity allocated to the log data, and you can see how much of the database is already used. In the section Archiving you choose the interval at which the database is compressed and stored in a separate folder. Under Log file manager you can search for archived log data and afterwards delete the archives found.

fig. 10 database administration and archiving

2.3.1 Setting up the database

In the field Storage time of entries you set how long the data are kept. If you want to archive the database, the archiving interval must be shorter than the storage time; otherwise entries are deleted before they are ever archived. Example: with a storage time of 1 day and weekly archiving, every 7 days the archiving function saves only the log data of the last 24 hours; the older six days have already been deleted and are lost.

The Examination period sets the interval in minutes at which the log server checks the maximum database size and removes entries that are older than the storage time allows. The Maximal database size is given in megabytes and must be at least 10 megabytes. Bear in mind that the size of the database depends on the storage time and on the number and verbosity of the services logged by the appliance (see 2.7). The Database path defines the folder in which the database is stored. The figure Actual database size shows the fill level of the database. With the button Delete database you delete the whole database.

Note: Save your entries by clicking the button Save on the right side.
2.3.2 Database archiving

In the field Archiving folder you set the path to the folder in which the compressed log data is saved. The button Select shows the directory structure, in which you can browse for the folder. The archiving interval is chosen in the drop-down box.

Note: Save your entries by clicking the button Save.

fig. 11 database archiving

2.3.3 Using the log file manager

The log file manager is intended for deleting old archive files. Define an interval by specifying Date from and Date to, then click on Find. If archives in the specified interval are found, you can click on the result text (red box in fig. 13) to show a list of all archives found. Clicking the button Delete deletes all files found.

fig. 12 searching - set interval
fig. 13 searching - result
fig. 14 list of found archives
2.4 Alerts

Attacks detected by the Intrusion Detection System (IDS) can be reported by the log server via e-mail or via Windows Netsend. With Netsend the notice appears on the screen of the specified computer. For reporting via e-mail you enter the IP address of a mail server.

Note: Windows Netsend (net send) only works if the Messenger service is running on both systems, the log server system and the receiving host.

fig. 15 alerts via Windows Netsend or via e-mail
2.5 Reports

If one or more administrators are to receive daily reports, enter their e-mail addresses and the IP address of the mail server. The reports consist of HTML pages with the most important information and statistics on interfaces, alerts, IDS, malware and proxy. The button Test Mail generates a test e-mail and sends it to the given addresses. Save your configuration once the test has succeeded.

fig. 16 settings for daily reports
2.6 Event reporting

The log server can react directly when defined events occur and send an e-mail or a message via Windows Netsend. Click on the button Add; the dialog Event opens.

fig. 17 event reporting - dialog Event

Entry fields:
Event name: give the event a meaningful name.
Active: defined events can be deactivated with this checkbox.
Regex: the database is scanned for this regular expression.
Method: reporting method, Netsend or e-mail. If you want to use both methods you have to create two events.
Message: text that is sent with the e-mail or shown in the Netsend message.
E-Mails: e-mail addresses of the recipients (method e-mail only).
NET SEND Hosts: IP addresses of the recipients (method Netsend only).
OK button: saves the created event in the list.

Note: Test a regular expression against real log entries before activating the event. An overly broad pattern (for example a bare keyword) matches far more entries than intended and produces a flood of e-mails or Netsend messages.
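The following Python script is an added example and not part of this manual or of the Securepoint software. It models the event dialog above (one regular expression, one delivery method and one message per event, two events when both methods are wanted) and evaluates the events against log records, returning what would be handed to the mailer or to net send. All event names, patterns, recipient addresses and log lines are constructed sample data.

```python
"""Added example (not from the Securepoint manual): the event reporting of
section 2.6 modelled in Python and evaluated against sample log records.
Event names, regexes, recipients and log lines are constructed sample data."""
import re
from dataclasses import dataclass, field


@dataclass
class Event:
    name: str
    regex: str
    method: str                       # "email" or "netsend", exactly one per event
    message: str
    emails: list = field(default_factory=list)         # recipients for method email
    netsend_hosts: list = field(default_factory=list)  # recipients for method netsend
    active: bool = True

    def __post_init__(self):
        if self.method not in ("email", "netsend"):
            raise ValueError(f"{self.name}: method must be email or netsend")
        if not self.regex:
            raise ValueError(f"{self.name}: an empty regex would match every record")
        self.pattern = re.compile(self.regex)          # re.error surfaces at definition time

    @property
    def recipients(self):
        return self.emails if self.method == "email" else self.netsend_hosts


def evaluate(events, records):
    """Return one notification per (active event, matching record): method,
    recipients and message text. A record may trigger several events; that is
    how the 'both methods' case works, two events sharing one regex."""
    notifications = []
    for ev in events:
        if not ev.active:
            continue
        for rec in records:
            m = ev.pattern.search(rec)
            if m:
                notifications.append({"event": ev.name, "method": ev.method,
                                      "to": list(ev.recipients),
                                      "message": ev.message,
                                      "match": m.group(0), "record": rec})
    return notifications


# Constructed sample log records (not real data).
SAMPLE_RECORDS = [
    "Mar  5 14:07:09 fw-branch1 ids: portscan from 198.51.100.7 [Priority: 2]",
    "Mar  5 14:07:11 fw-branch1 ids: exploit attempt from 198.51.100.7 [Priority: 1]",
    "Mar  5 14:08:00 fw-branch1 sshd[981]: Failed password for root from 203.0.113.9 port 40112 ssh2",
    "Mar  5 14:08:03 fw-branch1 kernel: eth0: link up",
]

# Constructed sample events; the first two show the two-events-per-record rule.
SAMPLE_EVENTS = [
    Event("IDS priority 1 (mail)", r"ids:.*\[Priority: 1\]", "email",
          "High priority IDS alert", emails=["soc@mydomain.de"]),
    Event("IDS priority 1 (screen)", r"ids:.*\[Priority: 1\]", "netsend",
          "High priority IDS alert", netsend_hosts=["192.0.2.50"]),
    Event("root login failure", r"sshd\[\d+\]: Failed password for root", "email",
          "Failed root login on firewall", emails=["soc@mydomain.de"]),
    Event("link state", r"kernel: .*link (up|down)", "netsend",
          "Interface link changed", netsend_hosts=["192.0.2.50"], active=False),
]

if __name__ == "__main__":
    for n in evaluate(SAMPLE_EVENTS, SAMPLE_RECORDS):
        print(f"{n['method']:7} -> {n['to']}: {n['message']} ({n['event']}) <- {n['match']}")
```

Running `evaluate` over a day's worth of exported records before you activate an event is the quickest way to see how many notifications a pattern would have produced.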
2.7 Log services

In this section you can restrict which messages the log server records. The restriction can be set for every appliance individually. Select an appliance in the table List of hosts, click on Edit and choose a service from the drop-down list, then click on Add. Repeat this for every service you want to log and click Save to store your settings.

Note: If you do not restrict the services, all services are recorded.

fig. 18 restricting the services to be logged
2.8 Network configuration

In the dialog Network configuration you set the port settings of the log server.

fig. 19 network configuration

Entry fields:
SSH Server Port: changes the SSH port of the log server (default 22). The same port must be entered under Port in the firewall properties of the Security Manager (see 1.1).
Syslog Server Port: changes the Syslog port of the log server (default 514, the UDP port the appliance sends to).
Bind Syslog port to all IP-addresses: the log server listens on the defined Syslog port on all IP addresses of the computer.
Bind Syslog port to unique IP-address: the log server listens on the defined Syslog port on one defined IP address only. On a computer with several interfaces this is the setting to prefer, as it keeps the unauthenticated Syslog port off networks that do not need it.
3 Troubleshooting

Problem: The log server is not running or does not log data.

Possible reason: The log server service is not started.
Solution: Check the status of the log server service and start it if necessary. You find the service on the log server system under Start -> All Programs -> Administrative Tools -> Services.

Possible reason: The log server does not listen on port 514.
Solution: Run the following command in the Windows console (Start -> Run, enter cmd, click OK): netstat -n -a. Under Proto UDP the port 514 should be listed (the local address column ends in :514). The port can be changed in the log server (section 2.8, Network configuration).

Problem: E-mail or report is not sent.

Possible reason: Is a mail server defined? Is the mail server declared correctly?
Solution: If no mail server is defined, the log server determines the mail server from the domain name of the recipient address via DNS. If the e-mail is to be sent over the internet, the log server must therefore have access to the services DNS and SMTP. You can test your settings in the section Reports (button Test Mail).

Possible reason: Is the log server allowed to send e-mail through the mail server?
Solution: Run the following command in the Windows console: telnet <IP of the mail server> 25. The mail server must be reachable. With the following commands you can send a test e-mail from the console:

    helo mydomain.de
    mail from:logserver@mydomain.de
    rcpt to:recipient@mydomain.de
    data
    TextOfTheTestMail
    .

(The dot alone on the last line marks the end of the text.) If this e-mail is not delivered, check the settings of the mail server, in particular whether it accepts mail for relaying from the IP address of the log server.
Problem: You cannot reach the log server with the Security Manager.

Possible reason: The log server is not reachable on SSH port 22.
Solution: Run the following command in the Windows console: telnet <IP of the log server> 22. If this check fails, a firewall on the log server system (or in between) is probably blocking the connection.

Possible reason: The SSH port of the log server is not 22.
Solution: You can change the SSH port of the log server in the section Network configuration (2.8); the port entered in the firewall properties of the Security Manager (1.1) must match.

Possible reason: You have no administrative rights.
Solution: Check whether you can connect to the log server with an SSH client (for example PuTTY) using your Windows login and password. The user must be listed under User administration (2.2.2) and have administrative privileges, and the address of the Security Manager must be listed under Allowed Security Manager (2.2.3).
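The checks in the table above are done by hand with netstat and telnet. The following Python script is an added example, not part of this manual or of the Securepoint software, that performs the same checks so they can be repeated on the log server host: it reads the output of netstat -a -n to find the UDP Syslog listener and whether it is bound to all addresses or to one (see 2.8), tests TCP reachability of the SSH and SMTP ports, and replays the helo / mail from / rcpt to / data dialogue with smtplib so that a relaying refusal is reported as an SMTP reply code. The netstat output, addresses and mail parameters are constructed samples and the function names are this example's own.

```python
"""Added example (not from the Securepoint manual): the troubleshooting checks
as a script. The netstat output, addresses and mail parameters below are
constructed samples; the function names are this example's own."""
import smtplib
import socket


def syslog_listeners(netstat_output, port=514):
    """Return the local addresses on which a UDP socket for `port` appears in
    the output of `netstat -a -n` (Windows or Linux layout). An empty list is
    the 'log server does not listen on port 514' case of the table."""
    found = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if not parts or not parts[0].lower().startswith("udp"):
            continue
        # first field after the protocol that looks like address:port
        local = next((p for p in parts[1:] if ":" in p), None)
        if local is None:
            continue
        addr, _, lport = local.rpartition(":")
        if lport == str(port):
            found.append(addr)
    return found


def bound_to_all_addresses(listeners):
    """True if any listener is a wildcard bind (Windows or Linux spelling),
    i.e. the 'Bind Syslog port to all IP-addresses' setting of section 2.8."""
    return any(a in ("0.0.0.0", "[::]", "::", "*") for a in listeners)


def tcp_reachable(host, port, timeout=3.0):
    """The 'telnet <ip> 22' and 'telnet <ip> 25' checks: can a TCP connection
    to the port be opened at all?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def smtp_test_mail(mail_server, helo_name, sender, recipient, text, port=25):
    """The manual's console dialogue (helo, mail from, rcpt to, data) replayed
    with smtplib. Returns the SMTP reply codes, so a relaying refusal (usually
    a 5xx answer to RCPT TO) is visible instead of a silent failure."""
    with smtplib.SMTP(mail_server, port, timeout=10) as s:
        codes = {"helo": s.helo(helo_name)[0],
                 "mail": s.mail(sender)[0],
                 "rcpt": s.rcpt(recipient)[0]}
        if codes["rcpt"] not in (250, 251):
            return codes                       # relaying refused; do not send DATA
        codes["data"] = s.data(text.encode("ascii", "replace"))[0]
        return codes


# Constructed sample of `netstat -a -n` on a Windows log server host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING
  TCP    192.0.2.10:22          192.0.2.50:51234       ESTABLISHED
  UDP    0.0.0.0:514            *:*
  UDP    192.0.2.10:161         *:*
"""

if __name__ == "__main__":
    ls = syslog_listeners(SAMPLE_NETSTAT)
    print("syslog listeners:", ls, "| bound to all addresses:", bound_to_all_addresses(ls))
    # Live checks against assumed addresses (uncomment on the real network):
    # print("ssh reachable:", tcp_reachable("192.0.2.10", 22))
    # print(smtp_test_mail("192.0.2.20", "mydomain.de", "logserver@mydomain.de",
    #                      "recipient@mydomain.de", "TextOfTheTestMail"))
```

On the log server host, pipe the real output in (for example `netstat -a -n > netstat.txt` and read that file into `syslog_listeners`); on the Security Manager host, `tcp_reachable` against the log server's SSH port separates a firewall problem from an authentication problem.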