Symantec Event Collector 4.3 for SNARE for Windows Quick Reference



Symantec Event Collector for SNARE for Windows Quick Reference The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement. Legal Notice Copyright 2008 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, LiveUpdate, Symantec AntiVirus, Symantec Mail Security, Symantec Backup Exec, Symantec NetBackup, Symantec Endpoint Protection, Symantec Scan Engine, Symantec Control Compliance Suite, Symantec Critical System Protection, Symantec Enterprise Security Manager, Symantec Intruder Alert, Symantec Sygate Enterprise Protection, Symantec Mail Security, and Symantec Security Response are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any. THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. 
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation 20330 Stevens Creek Blvd. Cupertino, CA 95014 USA http://www.symantec.com

Technical Support

Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product feature and function, installation, and configuration. The Technical Support group also authors content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec's maintenance offerings include the following:

- A range of support options that give you the flexibility to select the right amount of service for any size organization
- Telephone and Web-based support that provides rapid response and up-to-the-minute information
- Upgrade insurance that delivers automatic software upgrade protection
- Global support that is available 24 hours a day, 7 days a week worldwide. Support is provided in a variety of languages for those customers that are enrolled in the Platinum Support program
- Advanced features, including Technical Account Management

For information about Symantec's Maintenance Programs, you can visit our Web site at the following URL: www.symantec.com/techsupp/

Contacting Technical Support

Customers with a current maintenance agreement may access Technical Support information at the following URL: www.symantec.com/techsupp/

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to recreate the problem.

When you contact Technical Support, please have the following information available:

- Product release level
- Hardware information
- Available memory, disk space, and NIC information
- Operating system
- Version and patch level
- Network topology
- Router, gateway, and IP address information
- Problem description: error messages and log files; troubleshooting that was performed before contacting Symantec; recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL: www.symantec.com/techsupp/

Customer service

Customer service information is available at the following URL: www.symantec.com/techsupp/

Customer Service is available to assist with the following types of issues:

- Questions regarding product licensing or serialization
- Product registration updates such as address or name changes
- General product information (features, language availability, local dealers)
- Latest information about product updates and upgrades
- Information about upgrade insurance and maintenance contracts
- Information about the Symantec Value License Program
- Advice about Symantec's technical support options
- Nontechnical presales questions
- Issues that are related to CD-ROMs or manuals

Maintenance agreement resources

If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows:

- Asia-Pacific and Japan: contractsadmin@symantec.com
- Europe, Middle-East, and Africa: semea@symantec.com
- North America and Latin America: supportsolutions@symantec.com

Additional Enterprise services

Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively. Enterprise services that are available include the following:

- Symantec Early Warning Solutions: these solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur.
- Managed Security Services: these services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.
- Consulting Services: Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring and management capabilities, each focused on establishing and maintaining the integrity and availability of your IT resources.
- Educational Services: Educational Services provide a full array of technical training, security education, security certification, and awareness communication programs.

To access more information about Enterprise services, please visit our Web site at the following URL: www.symantec.com. Select your country or language from the site index.

Contents

Technical Support

Chapter 1  Introducing Symantec Event Collector for SNARE for Windows
    About this quick reference
    Compatibility requirements for SNARE for Windows Event Collector
    System requirements for the SNARE for Windows Event Collector computer
    About the installation sequence for SNARE for Windows Event Collector
    Configuring SNARE or Lasso to work with the collector
    Sensor properties for SNARE for Windows Event Collector
    About syslog event forwarding
    About Syslog Director
    Running LiveUpdate for collectors

Chapter 2  Implementation notes
    Product ID for SNARE for Windows Event Collector
    Event example
    Schema packages
    Event mapping for Information Manager

Chapter 3  Event filtering and aggregation
    Event filtering and aggregation for SNARE for Windows Event Collector

Chapter 1  Introducing Symantec Event Collector for SNARE for Windows

This chapter includes the following topics:

- About this quick reference
- Compatibility requirements for SNARE for Windows Event Collector
- System requirements for the SNARE for Windows Event Collector computer
- About the installation sequence for SNARE for Windows Event Collector
- Configuring SNARE or Lasso to work with the collector
- Sensor properties for SNARE for Windows Event Collector
- About Syslog Director
- Running LiveUpdate for collectors

About this quick reference

This quick reference includes information that is specific to Symantec Event Collector for SNARE for Windows. General knowledge about installing and configuring collectors is assumed, as well as basic knowledge of SNARE for Windows. For detailed information on how to install and configure event collectors, see the Symantec Event Collectors Integration Guide. For information on SNARE for Windows, see your product documentation.

Compatibility requirements for SNARE for Windows Event Collector

The collector is compatible with the following products:

- Intersect Alliance SNARE 2.4 for Windows and later
- LogLogic Project Lasso 4.0 and later

The collector runs on the following operating systems:

- Microsoft Windows 2000 with Service Pack 4 or later
- Microsoft Windows Advanced Server 2000 with Service Pack 4 or later
- Microsoft Windows Server 2003 Enterprise Edition with Service Pack 1 or later. You can install version 4.3 collectors on both 32-bit and 64-bit versions of Windows Server 2003. You can install version 4.2 collectors only on the 32-bit version of Windows Server 2003.
- Microsoft Windows Server 2003 Standard Edition with Service Pack 1 or later
- Windows XP with Service Pack 2 or later. You can install version 4.3 collectors on both 32-bit and 64-bit versions of Windows XP.
- Red Hat Enterprise Linux AS 3.0
- Red Hat Enterprise Linux AS 4.0

System requirements for the SNARE for Windows Event Collector computer

Minimum system requirements for a remote collector installation are as follows:

- Intel Pentium-compatible 133-MHz processor (up to and including Xeon-class)
- 512 MB of memory minimum; 1 GB recommended for the Symantec Event Agent
- 35 MB of hard disk space for collector program files
- 95 MB of hard disk space to accommodate the Symantec Event Agent, the JRE, and the collector
- TCP/IP connection to a network from a static IP address

About the installation sequence for SNARE for Windows Event Collector

The collector is preinstalled on the Information Manager 4.6 appliance. You can also install this collector on a remote computer or on an Information Manager 4.5 appliance.

The collector installation sequence is as follows:

1. Configure SNARE or Lasso to work with the collector.
2. Close the Symantec Security Information Manager Client console.
3. Register the collector for all off-appliance collector installations. If you use Information Manager 4.6, the collector has been pre-registered and you do not have to register it.
4. Install the Symantec Event Agent on the collector computer. You must install the agent for all remote installations. Symantec Event Agent 4.5.0 build 12 or later is required.
5. Run LiveUpdate on earlier collectors. If you install a 4.3 collector on a computer that has an earlier collector on it, you must first run LiveUpdate on all components of the earlier version of the collector. You must update the earlier collector before you install the 4.3 collector. See "Running LiveUpdate for collectors."
6. Install the collector component. The collector is preinstalled on the Information Manager 4.6 appliance. If you want to use the collector on a remote computer, you must install it on the remote computer. You can install the collector on the Information Manager 4.5 appliance; however, you must first apply the Information Manager 4.5.1 with Maintenance Release 1 (or later) upgrade package on the appliance.
7. Configure the sensor.
8. Configure Syslog Director (optional). See "About Syslog Director."
9. Run LiveUpdate. See "Running LiveUpdate for collectors."

For all procedures that are not covered in this quick reference, see the Symantec Event Collectors Integration Guide.

Configuring SNARE or Lasso to work with the collector

You must enable SNARE for Windows to send syslog messages to the collector as follows:

- If you are using this collector with SNARE, see "To enable SNARE to send syslog messages to the collector." Note: The collector receives events directly from SNARE for Windows.
- If you are using this collector with Lasso, see "To enable Lasso to send syslog messages to the collector."

To enable SNARE to send syslog messages to the collector

1. Start SNARE.
2. Depending on the version of SNARE for Windows, do one of the following:
   - In SNARE for Windows 2.4, from the Setup menu, click Audit Configuration.
   - In SNARE for Windows 2.6 and later, from the Setup menu, click SNARE Network Configuration.
3. Fill out the following fields:
   - Override detected DNS Name with: leave this field blank.
   - Destination SNARE Server address: type the IP address of the collector computer.
   - Destination port: type the port number of the collector computer. The default port number of the collector sensor is 10514.
4. Check Enable SYSLOG header.
5. Click OK.

To enable Lasso to send syslog messages to the collector

1. From the Lasso host computer, navigate to the C:\Program Files\Lasso directory.
2. Use a text editor such as Notepad or WordPad to open the Lasso.ini file.
3. Edit the Lasso.ini configuration file so that it contains a line in the following format:

   LogAppliance,IP_Address,Port_Number,udp

   - LogAppliance is a reserved keyword and must be the first parameter.
   - IP_Address is the IP address of the collector computer. You must specify the IP address.
   - Port_Number is the port number used for syslog communication. The default syslog port is 514. If you do not use port 514, you can specify a different port as the third parameter. The default port number of the collector sensor is 10514. The port number of the collector sensor must match the port number that is entered in this field.
   - You must specify udp as the protocol.

   For example, if the collector computer's address is 192.168.22.199 and the syslog port is 10514, the corresponding line in the Lasso.ini file is as follows:

   LogAppliance,192.168.22.199,10514,udp

4. Save and close the Lasso.ini configuration file.
5. Restart the Lasso service.

Sensor properties for SNARE for Windows Event Collector

Table 1-1 shows the sensor properties for the syslog sensor.

Table 1-1  Syslog sensor properties

Protocol
    Specify UDP as the syslog protocol that SNARE for Windows uses to send events. TCP is not supported.

Host Names
    Specify the IP addresses or names of the host computers that the collector monitors. Specify * (or any) to allow any host to send events to the collector, or specify multiple host names. Separate multiple host names with commas or semicolons. Because UDP syslog carries no sender authentication, listing the SNARE hosts explicitly rather than using * limits which sources can inject events into the collector.

Port Number
    Specify the port number to which you have configured SNARE for Windows to send syslog messages. The default port number is 10514. You can use 10514, 6161, or 514.

Table 1-1  Syslog sensor properties (continued)

Time Offset
    Specify a time offset to convert timestamps of all logged events to the time zone of the collector computer. You can use a time offset value if the following statements are true:
    - The time zone of the collector computer and the point product are different.
    - The timestamps in the point product data are not Coordinated Universal Time (UTC).
    You do not need to use this property if the collector and the point product computers are in the same time zone.
    Acceptable formats are +HH, -HH, +HH:MM, and -HH:MM, where HH is the number of hours (-99 to +99) and MM is the number of minutes (0 to 59). The default value is +00:00.
    For example, if Pacific Standard Time (PST) is the time zone of the collector computer, you can specify -3 to convert incoming events with an Eastern Standard Time (EST) timestamp to Pacific Standard Time. You can specify +2 to convert incoming events with a Hawaii-Aleutian Standard Time (HST) timestamp to Pacific Standard Time (HST is UTC-10 and PST is UTC-8).
    If you enter and distribute an erroneous time zone offset, the collector automatically resets the offset value to the default value of +00:00. An error message is posted in the collector's log.

About syslog event forwarding

If you forward events to a standard syslog server, you can use a syslog forwarder on that server rather than change the settings on your security device. A syslog forwarder can receive and forward events to both Information Manager and your existing syslog server.

About Syslog Director

If you use the collector on the Information Manager appliance, you can set up this collector to use Syslog Director. Syslog Director accepts syslog events from any device or application that sends events to the standard port for syslog messages, UDP port 514. (You can also configure Syslog Director to listen on other UDP and TCP ports.)
Syslog Director identifies the incoming events by their signatures (specific patterns that identify each collector) and redirects the events that are received to the appropriate collector. All events that are not identified by a signature are sent to the Generic Syslog Collector. You can upgrade Syslog Director 4.2 to Syslog Director 4.3 on your Symantec Security Information Manager 4.5 appliance. For a detailed procedure, see the Symantec Event Collectors Integration Guide.
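The offset grammar and the reset-on-error behaviour described under Time Offset above, as an added example in Python. This is not code from the quick reference or from the collector itself. Two assumptions are made: the sign is treated as mandatory because every documented format carries one, and the error message is returned to the caller instead of being written to the collector's log.

```python
import re
from datetime import datetime, timedelta

# Grammar of the Time Offset property: +HH, -HH, +HH:MM, -HH:MM,
# HH in -99..+99 and MM in 0..59. Two digits bound HH to 0..99 already;
# MM is range-checked below. A leading sign is required (assumption).
OFFSET_RE = re.compile(r"^([+-])(\d{1,2})(?::(\d{1,2}))?$")
DEFAULT_OFFSET = "+00:00"

# Format of the SNARE DateTime field, e.g. "Mon Jul 10 17:18:36 2006".
SNARE_DATETIME = "%a %b %d %H:%M:%S %Y"


def parse_time_offset(value):
    """Return (hours, minutes, error) for an offset string.

    hours and minutes carry the sign of the offset. On an invalid value the
    documented collector behaviour is reproduced: the offset falls back to
    +00:00 and an error message is produced (returned here, where the
    collector would post it to its log)."""
    m = OFFSET_RE.match(value.strip())
    if m is None:
        return 0, 0, f"invalid time offset '{value}', reset to {DEFAULT_OFFSET}"
    sign = 1 if m.group(1) == "+" else -1
    hours = int(m.group(2))
    minutes = int(m.group(3)) if m.group(3) is not None else 0
    if minutes > 59:
        return 0, 0, f"invalid minutes in time offset '{value}', reset to {DEFAULT_OFFSET}"
    return sign * hours, sign * minutes, None


def apply_time_offset(event_time, offset):
    """Shift a point-product timestamp into the collector's time zone."""
    hours, minutes, _error = parse_time_offset(offset)
    return event_time + timedelta(hours=hours, minutes=minutes)


def shift_snare_datetime(text, offset):
    """Parse a SNARE DateTime field, apply the offset, return the same format."""
    shifted = apply_time_offset(datetime.strptime(text, SNARE_DATETIME), offset)
    return shifted.strftime(SNARE_DATETIME)


if __name__ == "__main__":
    # Constructed input: the DateTime from the page's example event, read as an
    # EST timestamp by a collector running in PST (offset -3, as in the text).
    print(shift_snare_datetime("Mon Jul 10 17:18:36 2006", "-3"))
    print(parse_time_offset("+5:75"))   # rejected: minutes out of range
    print(parse_time_offset("3"))       # rejected: no sign
```

A bad offset silently becomes +00:00, so after distributing a new sensor configuration it is worth checking the collector log for the reset message rather than trusting that event times were shifted.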

Note: In all deployments, you must list the Generic Syslog Collector last, and you must leave its Collector Signature empty.

The default Syslog Director settings for this collector are as follows:

Collector name: Snare for Windows Event Collector
Collector signature: MSWinEventLog
Default port: 10529

For detailed procedures on Syslog Director, see the Symantec Event Collectors Integration Guide.

Running LiveUpdate for collectors

You can run LiveUpdate to receive collector updates such as support for new events and query updates.

If you install a collector on Information Manager 4.5, you must complete the following procedures in the order presented:

- Run LiveUpdate for collectors added to the Information Manager 4.5 appliance. See "To run LiveUpdate for collectors added to the Information Manager 4.5 appliance."
- Verify that LiveUpdate ran successfully on Information Manager 4.5. See "To verify that LiveUpdate ran successfully on Information Manager 4.5."

If you install a collector on Information Manager 4.6, or if you use a collector that is preinstalled on Information Manager 4.6, you must complete the following procedures in the order presented:

- Use the Administrator Web page to run LiveUpdate.
- Use the Administrator Web page to verify that LiveUpdate ran successfully.

See "To run LiveUpdate from the Administrator Web page."

If you installed the collector on a separate computer, you must complete the following tasks in the order presented:

- Run LiveUpdate for a collector installed on a separate computer. See "To run LiveUpdate for a collector installed on a separate computer."

- Verify that LiveUpdate ran successfully for a collector installed on a separate computer. See "To verify that LiveUpdate ran successfully for a collector installed on a separate computer."

To run LiveUpdate from the Administrator Web page

1. From a Web browser, navigate to the Information Manager Administrator Web page, and then log in with administrator credentials.
2. From the list on the left, click LiveUpdate.
3. In the list of products, to select the items to update, check Update in the corresponding check box. At the bottom of the page, you can also click Check All.
4. At the bottom of the page, click Update. If LiveUpdate runs successfully, the status column in the Summary page displays Success.
5. To troubleshoot a problem with LiveUpdate, under Session Log, click View Log File.

To run LiveUpdate for collectors added to the Information Manager 4.5 appliance

1. Connect to the Information Manager 4.5 appliance, and log in as root.
2. Navigate to the collector's directory under the Symantec Event Agent directory. The default directory is /opt/symantec/sesa/agent/collectors/snarewin
3. At the command prompt, type the following command:
   sh ./runliveupdate.sh
4. To stop the Symantec Event Agent, type the following command:
   service sesagentd stop
5. To change the ownership of the updated collector files, type the following command from the collector directory:
   chown -R sesuser.ses *
   LiveUpdate ran as root, so the updated files must be handed back to the agent's account (sesuser) before the agent is restarted.
6. To restart the Symantec Event Agent, type the following command:
   service sesagentd start

To verify that LiveUpdate ran successfully on Information Manager 4.5

1. Connect to the Information Manager 4.5 appliance, and log in as root.
2. Navigate to the collector's subdirectory of the Symantec Event Agent directory. The default directory is as follows:
   cd /opt/symantec/sesa/agent/collectors/snarewin
3. Verify that a file named LiveUpdate-Collector.txt exists. This text file shows the date of the last LiveUpdate and contains information about any defects that were addressed and any enhancements that were added.
4. Navigate to the LiveUpdate directory:
   cd /opt/symantec/liveupdate
5. To view the last 100 lines of the liveupdt.log file, type the following command:
   tail -100 liveupdt.log | more
   The first part of the log is in text format; the second part of the log repeats the information in XML format. If LiveUpdate was unsuccessful, a status message that notes the failure appears at the end of the log file. For example: Status = Failed (return code - 2001).

To run LiveUpdate for a collector installed on a separate computer

1. On the collector computer, navigate to the collector directory:
   - On Windows, the default directory is C:\Program Files\Symantec\Event Agent\collectors\snarewin
   - On UNIX, the default directory is /opt/symantec/sesa/agent/collectors/snarewin
2. At a command prompt, do one of the following:
   - On Windows, type: runliveupdate.bat
   - On UNIX, as the root user, type: sh ./runliveupdate.sh

To verify that LiveUpdate ran successfully for a collector installed on a separate computer

1. On the collector computer, navigate to the collector directory:
   - On Windows, the default directory is C:\Program Files\Symantec\sesa\Agent\collectors\snarewin
   - On UNIX, the default directory is /opt/symantec/sesa/agent/collectors/snarewin
2. Verify that a file named LiveUpdate-Collector.txt exists. This text file shows the date of the last LiveUpdate and contains information about any defects that were addressed and any enhancements that were added.
3. Navigate to the LiveUpdate directory:
   - On Windows, the default LiveUpdate directory is C:\Documents and Settings\All Users\Application Data\Symantec\Java LiveUpdate
   - On UNIX, the default LiveUpdate directory is /opt/symantec/liveupdate
4. To view the liveupdt.log file, do one of the following:
   - On Windows, use a text editor such as Notepad to view the liveupdt.log file.
   - On UNIX, to view the last 100 lines of the liveupdt.log file, type the following command:
     tail -100 liveupdt.log | more
   The first part of the log is in text format; the second part of the log repeats the information in XML format. If LiveUpdate was unsuccessful, a status message that notes the failure appears at the end of the log file. For example: Status = Failed (return code - 2001).

Chapter 2  Implementation notes

This chapter includes the following topics:

- Product ID for SNARE for Windows Event Collector
- Event example
- Schema packages
- Event mapping for Information Manager

Product ID for SNARE for Windows Event Collector

The product ID of the collector is 3241.

Event example

The following is an example event:

Jul 10 17:18:44 SIMANET2000-2 MSWinEventLog 1 Application 2 Mon Jul 10 17:18:36 2006 105 SNARE Unknown User N/A Information SIMANET2000-2 None The service was started. 1

The event is a tab-delimited record (the tabs are not visible in the example above). The fields, in order, are as follows:

0   Syslog header (date, host name, and event log type, MSWinEventLog)
1   Criticality
2   SourceName (the log the event was taken from)
3   SNARE/Lasso event counter
4   DateTime
5   EventID
6   SourceName
7   UserName
8   SIDType
9   EventLogType
10  ComputerName
11  CategoryString
12  DataString
13  ExpandedString
14  MD5 checksum (optional)

Schema packages

The collector uses the following schema packages:

- symc_base_class: for catch-all events
- symc_windows_eventlog_class: for Windows events

Event mapping for Information Manager

Table 2-1 shows the event mapping for the collector. Each entry gives the Information Manager field name, the SNARE for Windows field it is taken from (where the quick reference names one), and a comment.

Table 2-1  Event mapping

Category ID
    SNARE for Windows field: (none listed)
    Comment: 30007601 - Application; 30007606 - Security

Computer Name
    SNARE for Windows field: ComputerName
    Comment: Windows computer name

Destination Host Name
    SNARE for Windows field: ComputerName
    Comment: Windows computer name

Implementation notes Event mapping for Information Manager 21 Table 2-1 Information Manager field name Event Count Description Description Message Event Category Event Date Event ID Event Record Number Event Source Event Type ID Facility IP Destination Address IP Source Address Event mapping (continued) SNARE for Windows field name ExpandedDataString CategoryString DateTime EventID SNARE Event Counter SourceName Facility ComputerName SourceName Comment Count of the events from source event or 1 Description of the event Contains the expanded data strings Category of the audit event, as defined by the Windows event logging system Date and time of the event Windows Event ID that identifies the event type Based on the internal SNARE event counter First occurrence of this field indicates the log file from which event data is taken For example, application, security, system, directory service, DNS server, or file replication Possible values: 1912000 - Windows and Novell Security Event 1912001 - Windows and Novell System Event 1912002 - Windows and Novell Application Event 1912003 - Windows and Novell Extended Event Facility value from the PRI part of the Syslog header (RFC 3164) Only for events received by TCP Windows computer name Computer that caused this event

22 Implementation notes Event mapping for Information Manager Table 2-1 Information Manager field name Option 1 Option 2 Option 3 Option 4 Option 5 Option 6 Option 7 Option 8 Option 9 Option10 Option11 Option12 Option13 Option14 Option15 Option16 Option17 Proxy Machine, Proxy Machine IP Severity ID Event mapping (continued) SNARE for Windows field name ProxyMachine, ProxyMachineIP Comment Option 1 field Option 2 field Option 3 field Option 4 field Option 5 field Option 6 field Option 7 field Option 8 field Option 9 field Option10 field Option11 field Option12 field Option13 field Option14 field Option15 field Option16 field Option17 field IP address and host name of the computer where the SNARE/Project Lasso product is installed Based on EventLogType Possible values: 1 - Informational 2 - Warning 3 - Minor 4 - Major 5 - Critical

Implementation notes Event mapping for Information Manager 23 Table 2-1 Information Manager field name Source Computer Name Source Eventlog Source Host Name User Name Vendor Device Vendor Severity Vendor Signature Windows and Novell Event Type Event mapping (continued) SNARE for Windows field name SourceName SourceName SourceName UserName Criticality EventLogType Comment Computer that caused this event The second occurrence of the field in the SNARE logs For security, both fields are the same; for Application System, it is the name of the particular application or system component. Computer that caused this event Windows UserName Actual: 53 Severity of the logged event Severity is defined as follows: Critical=4 Priority=3 Warning=2 Informational=1 Clear=0 <EventLogType>:<EventID> Possible values: Success Audit Failure Audit Error Information Warning Table 2-2 shows EventClass mapping and how the windows_source_eventlog field affects the event_id field.

24 Implementation notes Event mapping for Information Manager Table 2-2 EventClass mapping Source field windows_source_eventlog Security System Application DNS Server File Replication Service Directory Service Destination field(s) event_id 1912000 - Windows and Novell Security Event 1912001 - Windows and Novell System Event 1912002 - Windows and Novell Application Event 1912003 - Windows and Novell Extended Event 1912003 - Windows and Novell Extended Event 1912003 - Windows and Novell Extended Event Table 2-3 shows severity mapping and how the windows_event_type field affects the severity field. Table 2-3 Severity mapping Source field windows_event_type Information Success Audit Warning Failure Audit Error Destination field severity 1 Informational (Default) 2 - Warning 3 - Minor 4 - Major 5 - Critical Table 2-4 shows category mapping and how the windows_source_eventlog field affects the category_id field. Table 2-4 Category mapping Source field windows_source_eventlog Security System Application Destination field(s) category_id 30007606 - Security 30007601 - Application 30007601 - Application

Implementation notes Event mapping for Information Manager 25 Table 2-4 Category mapping (continued) Source field DNS Server File Replication Service Directory Service Destination field(s) 30007601 - Application 30007601 - Application 30007601 - Application


Chapter 3 Event filtering and aggregation

This chapter includes the following topics:

    Event filtering and aggregation for SNARE for Windows Event Collector

Event filtering and aggregation for SNARE for Windows Event Collector

The collector includes a default filter called catch-all events. The filter removes events when the field not_translated is equal to true. The filter is enabled by default. If you want all events processed by the collector, you can disable this filter rule.

Table 3-1 shows example filters and aggregations.

Table 3-1 Filtering and aggregation examples

    Name: Windows and Novell Event Type
    Operator: equal to
    Value: Information
    Description: This filter removes informational events while retaining error and warning events.

    Name: Windows User Name
    Operator: equal to
    Value: Smith
    Description: This aggregation groups events by the user name Smith.

    Name: Windows User Name
    Operator: similar property
    Value: -
    Description: This aggregation groups events for all users who tried to access the Windows computer.
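The following is an added example, not code from Symantec or from the collector: it splits the example event from Chapter 2 into the numbered fields, applies the Table 2-2, 2-3 and 2-4 mappings, and implements the first Table 3-1 filter. It assumes SNARE delimits fields with tab characters (the page's example is re-typed with tabs as constructed input); the fallback for an event log not listed in Table 2-2 is an assumption.

```python
# Added example (not Symantec's code): split a SNARE for Windows event into the
# numbered fields of Chapter 2 and derive event_id, severity and category_id from
# Tables 2-2, 2-3, 2-4. Assumption: fields are tab-delimited; sample is constructed.

EVENT_ID = {  # Table 2-2: windows_source_eventlog -> event_id
    "Security": 1912000, "System": 1912001, "Application": 1912002,
    "DNS Server": 1912003, "File Replication Service": 1912003,
    "Directory Service": 1912003,
}
SEVERITY = {  # Table 2-3: windows_event_type -> severity (1 is the documented default)
    "Information": 1, "Success Audit": 2, "Warning": 3, "Failure Audit": 4, "Error": 5,
}
CATEGORY_ID = {"Security": 30007606}  # Table 2-4: every other listed log -> Application
FIELD_NAMES = [  # field indices 0..14 from the "Event example" section
    "SyslogHeader", "Criticality", "SourceEventLog", "SnareCounter", "DateTime",
    "EventID", "SourceName", "UserName", "SIDType", "EventLogType", "ComputerName",
    "CategoryString", "DataString", "ExpandedString", "MD5"]

def parse_snare_event(line):
    """Return a dict keyed by FIELD_NAMES; the MD5 checksum field is optional."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) < 14:
        raise ValueError("expected at least 14 tab-separated fields, got %d" % len(parts))
    event = dict(zip(FIELD_NAMES, parts))
    # Field 0 is the syslog header: "<Mon> <day> <time> <hostname> <eventlog type>"
    header = event["SyslogHeader"].split()
    event["SyslogHost"], event["SyslogType"] = header[3], header[4]
    return event

def map_event(event):
    """Derive the Information Manager fields that Tables 2-1 to 2-4 describe."""
    log = event["SourceEventLog"]
    return {
        "event_id": EVENT_ID.get(log, 1912003),  # unlisted log -> Extended Event (assumption)
        "severity": SEVERITY.get(event["EventLogType"], 1),
        "category_id": CATEGORY_ID.get(log, 30007601),
        "vendor_signature": "%s:%s" % (event["EventLogType"], event["EventID"]),
        "vendor_severity": int(event["Criticality"]),  # Critical=4 ... Clear=0
    }

def is_informational(event):
    """Table 3-1 example filter: Windows and Novell Event Type equal to Information."""
    return event["EventLogType"] == "Information"

SAMPLE = "\t".join([  # the page's example event, fields separated by tabs
    "Jul 10 17:18:44 SIMANET2000-2 MSWinEventLog", "1", "Application", "2",
    "Mon Jul 10 17:18:36 2006", "105", "SNARE", "Unknown User", "N/A",
    "Information", "SIMANET2000-2", "None", "The service was started.", "1",
])
```

Feeding a Security log event with an EventLogType of Failure Audit through map_event yields event_id 1912000, severity 4 and category_id 30007606, which is the path a detection engineer most often wants to confirm.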
