Connect With Confidence
Astaro Log Management Getting Started Guide

About this Getting Started Guide

To use Astaro Log Management, logs need to be transferred from individual systems to the cloud. This document describes the steps needed to transfer logs from various systems including Windows, Cisco, and Linux, as well as how to enable Log Management on your existing Astaro Security Gateway.

Contents

Enabling Log Management ... 2
Applying a License ... 4
Using Log Management ... 5
  a) The Dashboard ... 6
  b) The Relational Browser ... 7
  c) Charts ... 9
  d) Events ... 10
  e) Devices ... 12
  f) Settings ... 13
  g) Reports ... 15
  h) Search ... 16
How to forward logs ... 17
  a) Windows ... 18
  b) Linux ... 20
  c) Cisco ... 20

Astaro GmbH & Co. KG, a Sophos company
Amalienbadstr. 41/Bau 52, 76227 Karlsruhe
T: +49 721 255 16 0, F: +49 721 255 16 200
www.astaro.com

Enabling Log Management

Astaro Log Management is a service available to all Astaro Security Gateway customers. To enable Log Management on your Astaro Security Gateway, make sure you are running version 8.203 or above, and then open the WebAdmin user interface for managing the Security Gateway. On the left, you will see a menu. Click Log Management in the left menu, then click the Settings submenu and click the Enable button at the top.

If this is the only Astaro Security Gateway in your organization, you can continue to the section labelled Using Log Management. If you have multiple Astaro Security Gateways in your organization (branch offices, multiple gateways, dedicated mail security gateways, etc.), enable Log Management as described above on one of the Security Gateways, and then make a note of the unique identification code and join code displayed in the interface once Log Management has been activated. On subsequent Astaro Security Gateways, simply provide these codes when you enable Log Management. This ensures that all your logs are centrally collected and analysed across your devices, regardless of location. For instructions on how to apply a license and how to disable and enable devices for logging, please see the section Applying a License.

Applying a License

A free trial license is automatically activated when you enable Log Management on an ASG. To install a full license, open WebAdmin and go to the Log Management menu. Choose the Settings submenu, and then the License Status tab. From this page you can apply the license code as well as see the status of the current license. If you are sending log data from more devices than you have a license for, the Log Management system will stop receiving data from the devices that exceed your license limit. You can select which devices to receive data from by going to the Devices menu in the Log Management portal. See the section Devices for details.

Using Log Management

As soon as Log Management has been enabled and activated, the WebAdmin interface will show a page like this (screenshot not reproduced here). After the activation, all logs from your Astaro Security Gateway will automatically be analysed and stored. To send logs from other devices like servers, workstations, network devices, etc., please follow the instructions in the chapter How to forward logs. You will be able to manage, search and view all your logs by following the link to the Log Management Portal in WebAdmin (see picture above). The following section describes each feature in the Log Management portal and helps you get started.

a) The Dashboard

The Dashboard is an overview page. It shows you the last week's log volume in a graph as well as the most important events in a scrollable timeline. Clicking an event in the timeline opens the event details, while clicking any point on the graph opens the Charts page and zooms in on that particular time span. The Dashboard also offers two subpages: Search and Relational Browser. Search is simply a link to the central search function, also accessible by clicking the search icon in the top right corner. See the Search chapter below for details. The Relational Browser provides a graphical way to navigate the relations between the most important events. It starts by showing you the Top devices: the devices that have reported the most events in the last 24 hours.

b) The Relational Browser

Clicking one of the devices shows the top events from that device, sorted by priority. Again, clicking an event lets you see the variables identified within it, such as user names, IP addresses, etc.

You can then click these variables to see other correlating events. This way, you can quickly see all the events that include, for instance, the IP address from the event you were concerned about. It is a very quick way to pivot around variables across systems.

c) Charts

The Charts page shows log volumes over time. Using the drawers on the left, it is possible to filter the view. By selecting a single device (or several programs or applications) you can quickly get an overview of how the log volume changes over time for specific resources. Finding all the error logs from, for instance, the SQL server is just a few clicks away. Clicking a point on the graph zooms in and redraws the graph. Once you get to the minute level, clicking the graph switches to the search view, which reveals all the logs represented by the graph. This view is also available at any time by clicking View Log Messages in the top right corner.

d) Events

The Events tab offers two views: the event list and the Timeline. The Timeline is an expanded version of the one on the Dashboard. It is possible to drag the timeline at three depths: hours, days, or months. Simply click on the graph and drag your mouse left or right. As with the Log Volume page, the drawers on the left dynamically update the Timeline with the filters you specify. Clicking any of the events on the graph shows the logs represented by the event and allows for simple event tracking in a ticketing system: events can be Accepted or Closed, and remain in the New category until an operator evaluates them. Clicking the List tab shows the same events as in the Timeline, but in list form. The drawers for filtering are the same, and any changes to the drawers are carried over from the Timeline to the event list. See the example below.

The list can be sorted by ID, Time, Severity, Owner, or Status, and at any time it is possible to export the list to an XML file. It is also possible to search the list of events for specific keywords. Note that this is different from searching raw log messages.

e) Devices

The Devices tab shows a list of all devices from which log data has been received. From here, the devices can be renamed (this is very useful for clarity in reporting, alerting, and events). It is also possible to see when a device sent logs for the first time (First Seen) and when the latest log was received (Last Seen), to adjust the time offset (to support multiple time zones), and to disable a device. Disabling a device is done by right-clicking the device name. This stops log processing for the device and frees up a license for use by another device. Double-clicking a device opens the live log viewer. This shows logs as they are coming in (in real time), which is useful when troubleshooting a specific device or when checking the flow of logs while setting up log forwarding.

f) Settings

In the Settings menu, it is possible to define the rule set used to analyse the logs, as well as to set up and manage users. The rules list shows all the available rules and whether each is active or disabled. By clicking a rule, you can edit the rule details as well as change the alerting options. You can choose to be alerted by email every time a rule is triggered, or have digests sent out every hour, 2 hours, 3 hours, 6 hours, 12 hours or daily. It is also possible to create new rules using the simple rule builder shown below.

Messages are matched against the rule details combined with the operator AND or OR, as chosen at the top, and you can add as many rule details as you wish. The other options in the Settings menu relate to user management. You can change your own user settings (email address, etc.) as well as define when you want the weekly report. In the Admin Accounts page, you can set up new users (each can define their individual alerting settings, report settings, etc.) or manage existing users. Finally, the Settings tab is also where you download the Windows agent. See the next section for details on forwarding logs from Windows systems.
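An added example (written for this edit, not the portal's own code) of the rule-builder semantics described above: a rule holds any number of text details combined with AND or OR, and is delivered either on every trigger or as a digest at one of the intervals the portal offers. The rule names, details and events are constructed; the page does not say how the portal matches a detail against a message, so plain case-insensitive substring matching is assumed here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

DIGEST_HOURS = (1, 2, 3, 6, 12, 24)   # hourly, 2h, 3h, 6h, 12h, daily, as listed in the portal

@dataclass
class Rule:
    name: str
    operator: str           # "AND" or "OR", chosen at the top of the rule builder
    details: list           # text fragments each message is tested against (substring match assumed)
    digest_hours: int = 0   # 0 = email on every trigger, otherwise one of DIGEST_HOURS

    def __post_init__(self):
        if self.operator not in ("AND", "OR"):
            raise ValueError("operator must be AND or OR")
        if self.digest_hours and self.digest_hours not in DIGEST_HOURS:
            raise ValueError(f"digest interval must be one of {DIGEST_HOURS}")

    def matches(self, message):
        hits = [detail.lower() in message.lower() for detail in self.details]
        return all(hits) if self.operator == "AND" else any(hits)

def plan_alerts(rule, events):
    """Return the emails the rule would produce, each as a list of (time, device, message).
    Immediate rules give one email per triggering event; digest rules collect the events
    of each interval-aligned window (e.g. 06:00-12:00 for a 6-hour digest) into one email."""
    triggered = [e for e in events if rule.matches(e[2])]
    if not rule.digest_hours:
        return [[e] for e in triggered]
    windows = {}
    for ts, device, message in triggered:
        start = ts.replace(minute=0, second=0, microsecond=0)
        start -= timedelta(hours=start.hour % rule.digest_hours)
        windows.setdefault(start, []).append((ts, device, message))
    return [windows[start] for start in sorted(windows)]

# Constructed sample events (not taken from the page)
T0 = datetime(2012, 3, 7, 9, 5)
SAMPLE_EVENTS = [
    (T0, "srv01", "sshd: Failed password for joe from 192.0.2.10"),
    (T0 + timedelta(minutes=20), "srv01", "sshd: Failed password for root from 192.0.2.10"),
    (T0 + timedelta(hours=2), "dc01", "Security: Logon failure for user administrator"),
    (T0 + timedelta(hours=4), "asg01", "ulogd: packet dropped from 198.51.100.7"),
]

def demo():
    """One digest rule (AND) and one immediate rule (OR) run over the sample events."""
    ssh_failures = Rule("SSH password failures", "AND", ["sshd", "Failed password"], digest_hours=6)
    any_failure = Rule("Any logon failure", "OR", ["Failed password", "Logon failure"])
    return plan_alerts(ssh_failures, SAMPLE_EVENTS), plan_alerts(any_failure, SAMPLE_EVENTS)
```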

g) Reports

Each user can receive a weekly summary report of recent activity by email. This is set up in the Settings tab for each user. Reports give an overview of all devices and events over the past week, as opposed to alerts, which notify you of specific events, typically for single devices. It is also possible to request a report for any given date in the Reports tab. Simply select a date, or choose one of the predefined options at the top, and the report will be generated on the fly. The report is in PDF format and can be saved directly from this view.

h) Search

Search allows you to search all the logs ever collected by the Log Management service. Full-text searching is available and works much like a Google search. Writing admin in the search field will reveal all log messages containing the word admin. Writing admin joe will find all logs containing both the word admin and the word joe. You can use the normal operators, like - for excluding a word (so admin -joe will find all logs containing admin but not joe) and +. The date selector allows you to narrow your search to a specific date or time (the default search window is 24 hours). If you do not change the end date, it is automatically updated to the current date and time. This allows you to search again and again without needing to update the end date to the current time. The drawers allow selection of metadata like Programs, Devices or Levels. As soon as a selection is made in the drawers (you can select multiple items in each drawer), the search results automatically update to reflect the selections. You can export the search results to JSON or XML. If it is a long list, this could take some time, as the complete log contents are exported.
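An added example (written for this edit, not the portal's code) that applies the search syntax described above to a few constructed log entries, together with the 24-hour default window and the drawer filters. The meaning of + is assumed to be an explicit "must contain", since the page names the operator without defining it.

```python
import re
from datetime import datetime, timedelta

def parse_query(query):
    """Split a query into required and excluded words: plain words must all be present
    ('admin joe'), '-word' excludes, and '+word' is taken as an explicit 'must contain'
    (an assumption; the page names the + operator without defining it)."""
    required, excluded = [], []
    for token in query.split():
        if token.startswith("-") and len(token) > 1:
            excluded.append(token[1:])
        elif token.startswith("+") and len(token) > 1:
            required.append(token[1:])
        else:
            required.append(token)
    return required, excluded

def contains_word(message, word):
    """Whole-word, case-insensitive match: 'admin' does not hit 'administrator',
    and '192.0.2.10' does not hit '192.0.2.100'."""
    pattern = r"(?<![\w.])" + re.escape(word) + r"(?![\w.])"
    return re.search(pattern, message, re.IGNORECASE) is not None

def matches(message, query):
    required, excluded = parse_query(query)
    return (all(contains_word(message, w) for w in required)
            and not any(contains_word(message, w) for w in excluded))

def search(logs, query, since=None, until=None, devices=None, programs=None, levels=None):
    """Apply the query, the date window and the drawer selections to a list of entries.
    As in the portal, an unset end date means 'now' and the default window is 24 hours."""
    fmt = "%Y-%m-%d %H:%M:%S"
    until = until or datetime.now().strftime(fmt)
    since = since or (datetime.strptime(until, fmt) - timedelta(hours=24)).strftime(fmt)
    hits = []
    for entry in logs:
        if not since <= entry["time"] <= until:
            continue
        if devices and entry["device"] not in devices:
            continue
        if programs and entry["program"] not in programs:
            continue
        if levels and entry["level"] not in levels:
            continue
        if matches(entry["message"], query):
            hits.append(entry)
    return hits

# Constructed sample entries (not data from the page); 'level' is the syslog severity
SAMPLE_LOGS = [
    {"time": "2012-03-07 10:01:00", "device": "srv01", "program": "sshd", "level": 6,
     "message": "Accepted password for admin from 192.0.2.10"},
    {"time": "2012-03-07 10:02:00", "device": "srv01", "program": "sshd", "level": 4,
     "message": "Failed password for joe from 192.0.2.10"},
    {"time": "2012-03-07 10:03:00", "device": "asg01", "program": "ulogd", "level": 6,
     "message": "admin added user joe to group admins"},
    {"time": "2012-03-07 10:04:00", "device": "dc01", "program": "Security", "level": 6,
     "message": "Logon failure: user administrator"},
]
```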

How to forward logs

Logs can be forwarded from almost any network device, including Windows systems, Linux, Unix, Mac OS X, AIX, Astaro Security Gateways, Cisco devices and many, many more.

Enabling Log Forwarding on the ASG

To send logs from local servers, workstations and network devices, log forwarding must be configured on the ASG. This allows the ASG to receive logs from the internal network. In the Allowed networks configuration dialogue, add the networks from which client devices will connect to the ASG to deliver their logs. You can also change the port that the ASG listens on. The ASG will always listen on both TCP and UDP on the specified port. A packet filter rule is automatically created which allows incoming connections from the networks listed in Allowed Networks on the specified port (both TCP and UDP).

Sending logs to the ASG

To set up log forwarding from client devices, it is often sufficient to check the device documentation for how to send logs in syslog format to a local server. The destination IP is the IP address of the ASG interface that the client is connected to. In this section, we highlight how to send logs from Windows devices, Linux servers, and some Cisco devices.
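An added check (example code written for this edit, not part of the Astaro guide): since the ASG accepts forwarded logs on both TCP and UDP on the configured port, it is worth seeing one syslog message travel each way before pointing devices at it. The LocalReceiver class stands in for the ASG so the script runs offline; against a real gateway, call only send_tcp/send_udp with its IP and listening port. The hostname, tag and message text are constructed sample values.

```python
import socket
import threading
from datetime import datetime

ASG_PORT = 10101   # default listening port of the ASG (changeable in WebAdmin)

def build_syslog_message(facility, severity, hostname, tag, text, when=None):
    """Build a BSD-style (RFC 3164) syslog line like syslogd or a Cisco device sends."""
    when = when or datetime.now()
    pri = facility * 8 + severity                        # PRI = facility * 8 + severity
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"    # e.g. "Mar  7 12:00:00"
    return f"<{pri}>{stamp} {hostname} {tag}: {text}"

def send_udp(message, host, port=ASG_PORT):
    # One datagram per message: the transport '*.* @host:port' in syslog.conf uses.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(message.encode(), (host, port))

def send_tcp(message, host, port=ASG_PORT):
    # One newline-terminated line per message ('logging host ... transport tcp').
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(message.encode() + b"\n")

class LocalReceiver:
    """Stand-in for the ASG listener: a TCP and a UDP socket bound to the same port."""
    def __init__(self, host="127.0.0.1", port=0):
        self.received = {"tcp": [], "udp": []}
        for _ in range(20):                              # port 0: find one free for both
            self.tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            self.tcp.bind((host, port))
            self.tcp.listen(1)
            self.udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            try:
                self.udp.bind((host, self.tcp.getsockname()[1]))
                break
            except OSError:
                self.tcp.close()
                self.udp.close()
        self.host, self.port = self.tcp.getsockname()[:2]
        self.tcp.settimeout(5)
        self.udp.settimeout(5)

    def tcp_once(self):                                  # accept one connection, read one message
        conn, _ = self.tcp.accept()
        with conn:
            data = b"".join(iter(lambda: conn.recv(4096), b""))   # read until sender closes
        self.received["tcp"].append(data.decode().rstrip("\n"))

    def udp_once(self):                                  # receive one datagram
        data, _ = self.udp.recvfrom(4096)
        self.received["udp"].append(data.decode())

def verify_forwarding(host="127.0.0.1", port=0):
    """Send one constructed message over each transport and return what the listener saw."""
    rx = LocalReceiver(host, port)
    workers = [threading.Thread(target=f, daemon=True) for f in (rx.tcp_once, rx.udp_once)]
    for w in workers:
        w.start()
    msg = build_syslog_message(4, 6, "srv01", "sshd[4242]", "Accepted password for joe from 192.0.2.10")
    send_tcp(msg, rx.host, rx.port)
    send_udp(msg, rx.host, rx.port)
    for w in workers:
        w.join(timeout=5)
    rx.tcp.close()
    rx.udp.close()
    return msg, rx.received
```

If only one transport arrives at the ASG, the live log viewer on the Devices tab is the place to watch while you compare the Allowed Networks entry and the port against the client's configuration.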

a) Windows

Astaro provides a lightweight agent that can be installed on Windows systems to transfer all Windows Event Logs to Astaro Log Management. Almost all Windows versions are supported: Windows 2000 Professional, Windows XP, Windows Vista and Windows 7 (both 32 and 64 bit), and Windows 2000 Server, 2003 Server, 2003 R2, 2008 and 2008 R2 in both 32 bit and 64 bit editions. The Windows agent can be downloaded from the Log Management portal, which is accessible from the ASG WebAdmin interface. Go to Settings, then Download, and you can download the agent directly. To install the agent, double-click the executable file you downloaded. In the window that appears, click Next.

In the next window, select the destination folder and click Next. The agent will now be installed. That is it; no configuration is needed. You should now see logs coming in from your Windows system. To install it on another Windows machine, run the installer again.

The client tries to connect to IP 1.2.3.4. Every ASG on the default route of the client with Log Management turned on and log forwarding enabled will pick up the connection and accept the log data. If the ASG is not on the default route, you need to change that IP address, either by editing the registry entry at HKLM\SOFTWARE\Wow6432Node\Astaro\Log Management Client or by placing a configuration file in the installation path of the client and restarting. The configuration file is a text file called config.txt containing ip=<ip> and port=<tcp-port> (no spaces, each on a separate line); it is removed after its contents have been written into the registry.

b) Linux

From most Linux systems, you can follow these steps:

- Edit /etc/syslog.conf and add this line:

      *.* @10.10.10.10:10101

  (where 10.10.10.10 is replaced by the IP address of your ASG. This can be found in the WebAdmin for the ASG under Log Management. 10101 is the default port number and must be included. This port can be changed in WebAdmin.)

- Ensure that syslogd is running by adding these lines to /etc/rc.conf if they do not exist:

      syslogd_enable="yes"
      syslogd_flags="-s vv"

- Restart syslogd:

      /etc/rc.d/syslogd restart

For more details, please see your Linux distribution's documentation on how to send logs to a syslog server.

c) Cisco

Most Cisco switches, routers, IOS devices, and PIX firewalls can be configured using the steps below. SSH or telnet to your device and execute the following commands:

      config terminal
      logging timestamp
      logging host 10.10.10.10 transport tcp port 10101
      logging trap 6
      logging on

(where 10.10.10.10 is replaced by the IP address of your ASG. This can be found in the WebAdmin for the ASG under Log Management.)

For Cisco VPN Concentrators, you have to use the user interface:

- Navigate to Configuration > System > Events > Syslog Servers
- Click Add
- Enter IP address 10.10.10.10 (where 10.10.10.10 is replaced by the IP address of your ASG, found in the WebAdmin for the ASG under Log Management) and port number 10101
- Click Add

- Navigate to Configuration > System > Events > General
- Set Severity to Syslog and choose a value (1-5 recommended)
- Click Apply
- Click the Save Needed button

For other devices, please consult your device documentation regarding syslog configuration.

Contact

Europe, Middle East, Africa: Astaro GmbH & Co. KG, a Sophos company, Amalienbadstr. 41/Bau 52, 76227 Karlsruhe, Germany. T: +49 721 255 16 0, emea@astaro.com
The Americas: Astaro Corporation, a Sophos company, 3 Van de Graaff Drive, Burlington, MA 01803, USA. T: +1 781-494-5800, americas@astaro.com
Asia Pacific: Astaro Asia, a Sophos company, 8 Eu Tong Sen Street, #12-99, The Central, Singapore 059818. T: +65 6227 2700, apac@astaro.com
Japan: Astaro K.K., a Sophos company, 22F Shibuya Mark City West, 1-12-1 Dogenzaka, Shibuya-ku, Tokyo 150-0043. T: +81-3-4360-5506, apac@astaro.com