Symantec Event Collector 4.3 for SNARE® for Windows Quick Reference
Page 1: Symantec™ Event Collector for SNARE® for Windows Quick Reference

Symantec™ Event Collector 4.3 for SNARE® for Windows Quick Reference


Symantec™ Event Collector for SNARE® for Windows Quick Reference

The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Legal Notice

Copyright © 2008 Symantec Corporation.

All rights reserved.

Symantec, the Symantec Logo, LiveUpdate, Symantec AntiVirus, Symantec Mail Security, Symantec Backup Exec, Symantec NetBackup, Symantec Endpoint Protection, Symantec Scan Engine, Symantec Control Compliance Suite, Symantec Critical System Protection, Symantec Enterprise Security Manager, Symantec Intruder Alert, Symantec Sygate Enterprise Protection, Symantec Mail Security, and Symantec Security Response are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.


Symantec Corporation
20330 Stevens Creek Blvd.
Cupertino, CA 95014 USA

http://www.symantec.com


Technical Support

Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product feature and function, installation, and configuration. The Technical Support group also authors content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec’s maintenance offerings include the following:

■ A range of support options that give you the flexibility to select the right amount of service for any size organization

■ A telephone and web-based support that provides rapid response and up-to-the-minute information

■ Upgrade insurance that delivers automatic software upgrade protection

■ Global support that is available 24 hours a day, 7 days a week worldwide. Support is provided in a variety of languages for those customers that are enrolled in the Platinum Support program

■ Advanced features, including Technical Account Management

For information about Symantec’s Maintenance Programs, you can visit our Web site at the following URL:

www.symantec.com/techsupp/

Contacting Technical Support

Customers with a current maintenance agreement may access Technical Support information at the following URL:

www.symantec.com/techsupp/

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to recreate the problem.

When you contact Technical Support, please have the following information available:

■ Product release level

■ Hardware information


■ Available memory, disk space, and NIC information

■ Operating system

■ Version and patch level

■ Network topology

■ Router, gateway, and IP address information

■ Problem description:

■ Error messages and log files

■ Troubleshooting that was performed before contacting Symantec

■ Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:

www.symantec.com/techsupp/

Customer service

Customer service information is available at the following URL:

www.symantec.com/techsupp/

Customer Service is available to assist with the following types of issues:

■ Questions regarding product licensing or serialization

■ Product registration updates such as address or name changes

■ General product information (features, language availability, local dealers)

■ Latest information about product updates and upgrades

■ Information about upgrade insurance and maintenance contracts

■ Information about the Symantec Value License Program

■ Advice about Symantec's technical support options

■ Nontechnical presales questions

■ Issues that are related to CD-ROMs or manuals


Maintenance agreement resources

If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows:

■ Asia-Pacific and Japan: [email protected]

■ Europe, Middle-East, and Africa: [email protected]

■ North America and Latin America: [email protected]

Additional Enterprise services

Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively. Enterprise services that are available include the following:

Symantec Early Warning Solutions
These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur.

Managed Security Services
These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.

Consulting Services
Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring and management capabilities, each focused on establishing and maintaining the integrity and availability of your IT resources.

Educational Services
Educational Services provide a full array of technical training, security education, security certification, and awareness communication programs.

To access more information about Enterprise services, please visit our Web site at the following URL:

www.symantec.com

Select your country or language from the site index.


Contents

Technical Support ... 4

Chapter 1 Introducing Symantec Event Collector for SNARE for Windows ... 9
    About this quick reference ... 9
    Compatibility requirements for SNARE for Windows Event Collector ... 10
    System requirements for the SNARE for Windows Event Collector computer ... 10
    About the installation sequence for SNARE for Windows Event Collector ... 11
    Configuring SNARE or Lasso to work with the collector ... 12
    Sensor properties for SNARE for Windows Event Collector ... 13
    About syslog event forwarding ... 14
    About Syslog Director ... 14
    Running LiveUpdate for collectors ... 15

Chapter 2 Implementation notes ... 19
    Product ID for SNARE for Windows Event Collector ... 19
    Event example ... 19
    Schema packages ... 20
    Event mapping for Information Manager ... 20

Chapter 3 Event filtering and aggregation ... 27
    Event filtering and aggregation for SNARE for Windows Event Collector ... 27


Chapter 1 Introducing Symantec Event Collector for SNARE for Windows

This chapter includes the following topics:

■ About this quick reference

■ Compatibility requirements for SNARE for Windows Event Collector

■ System requirements for the SNARE for Windows Event Collector computer

■ About the installation sequence for SNARE for Windows Event Collector

■ Configuring SNARE or Lasso to work with the collector

■ Sensor properties for SNARE for Windows Event Collector

■ About Syslog Director

■ Running LiveUpdate for collectors

About this quick reference

This quick reference includes information that is specific to Symantec™ Event Collector for SNARE® for Windows. General knowledge about installing and configuring collectors is assumed, as well as basic knowledge of SNARE for Windows.

For detailed information on how to install and configure event collectors, please see the Symantec Event Collectors Integration Guide.

For information on SNARE for Windows, see your product documentation.


Compatibility requirements for SNARE for Windows Event Collector

The collector is compatible with the following products:

■ Intersect Alliance SNARE 2.4 for Windows and later

■ LogLogic Project Lasso 4.0 and later

The collector runs on the following operating systems:

■ Microsoft Windows 2000 with Service Pack 4 or later

■ Microsoft Windows Advanced Server 2000 with Service Pack 4 or later

■ Microsoft Windows Server 2003 Enterprise Edition with Service Pack 1 or later. You can install version 4.3 collectors on both 32-bit and 64-bit versions of Windows Server 2003. You can install version 4.2 collectors only on the 32-bit version of Windows Server 2003.

■ Microsoft Windows Server 2003 Standard Edition with Service Pack 1 or later

■ Windows XP with Service Pack 2 or later. You can install version 4.3 collectors on both 32-bit and 64-bit versions of Windows XP.

■ Red Hat Enterprise Linux AS 3.0

■ Red Hat Enterprise Linux AS 4.0

System requirements for the SNARE for Windows Event Collector computer

Minimum system requirements for a remote collector installation are as follows:

■ Intel Pentium-compatible 133-MHz processor (up to and including Xeon-class)

■ 512 MB minimum, 1 GB of memory recommended for the Symantec Event Agent

■ 35 MB of hard disk space for collector program files

■ 95 MB of hard disk space to accommodate the Symantec Event Agent, the JRE, and the collector

■ TCP/IP connection to a network from a static IP address

Introducing Symantec Event Collector for SNARE for Windows | Compatibility requirements for SNARE for Windows Event Collector | 10


About the installation sequence for SNARE for Windows Event Collector

The collector is preinstalled on the Information Manager 4.6 appliance. You can also install this collector on a remote computer or on an Information Manager 4.5 appliance.

The collector installation sequence is as follows:

■ Configure SNARE or Lasso to work with the collector.

■ Close the Symantec Security Information Manager Client console.

■ Register the collector for all off-appliance collector installations. If you use Information Manager 4.6, the collector has been pre-registered. You do not have to register it.

■ Install the Symantec Event Agent on the collector computer. You must install the agent for all remote installations. Symantec Event Agent 4.5.0 build 12 or later is required.

■ Run LiveUpdate on earlier collectors. If you install a 4.3 collector on a computer that has an earlier collector on it, you must first run LiveUpdate on all components of the earlier version of the collector. You must update the earlier collector before you install the 4.3 collector. See “Running LiveUpdate for collectors” on page 15.

■ Install the collector component. The collector is preinstalled on the Information Manager 4.6 appliance. If you want to use the collector on a remote computer, you must install it on the remote computer. You can install the collector on the Information Manager 4.5 appliance. However, you must first apply the Information Manager 4.5.1 with Maintenance Release 1 (or later) upgrade package on the appliance.

■ Configure the sensor.

■ Configure Syslog Director (optional). See “About Syslog Director” on page 14.

■ Run LiveUpdate. See “Running LiveUpdate for collectors” on page 15.

For all procedures that are not covered in the quick reference, see the Symantec Event Collectors Integration Guide.


Configuring SNARE or Lasso to work with the collector

You must enable SNARE for Windows to send syslog messages to the collector as follows:

■ If you are using this collector with SNARE: See “To enable SNARE to send syslog messages to the collector” on page 12.

Note: The collector receives events directly from SNARE for Windows.

■ If you are using this collector with Lasso: See “To enable Lasso to send syslog messages to the collector” on page 12.

To enable SNARE to send syslog messages to the collector

1 Start SNARE.

2 Depending on the version of SNARE for Windows, do one of the following steps:

■ In SNARE for Windows 2.4, from the Setup menu, click Audit Configuration

■ In SNARE for Windows 2.6 and later, from the Setup menu, click SNARE Network Configuration

3 Fill out the following fields with the appropriate information:

Override detected DNS Name with
    Leave this field blank.

Destination SNARE Server address
    Type the IP address of the collector computer.

Destination port
    Type the port number of the collector computer. The default port number of the collector sensor is 10514.

4 Check Enable SYSLOG header.

5 Click OK.

To enable Lasso to send syslog messages to the collector

1 From the Lasso host computer, navigate to the C:\Program Files\Lasso directory.

2 Use a text editor, such as Notepad or Wordpad, to open the Lasso.ini file.


3 Edit the Lasso.ini configuration file so that it follows this format:

LogAppliance,IP_Address,Port_Number,udp

■ LogAppliance is a reserved keyword and must be the first parameter.

■ IP_Address is the IP address of the collector computer. You must specify the IP address.

■ Port_Number is the port number used for syslog communication. The default syslog port is 514. If you do not use port 514, you can specify a different port as the third parameter. The default port number of the collector sensor is 10514. The port number of the collector sensor must match the port number that is entered in this field.

■ You must specify UDP as the protocol. For example, if the collector computer's address is 192.168.22.199, and the syslog port is 10514, then the corresponding line in the Lasso.ini file is as follows:

LogAppliance,192.168.22.199,10514,udp

4 Save and close the Lasso.ini configuration file.

5 Restart the Lasso service.
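The following Python function is an added illustration, not code from Lasso or from the Symantec collector. It checks a LogAppliance line against the rules in step 3: the reserved keyword comes first, the second parameter is a literal IP address, the third is a port number that matches the collector sensor's Port Number property, and the protocol is udp. The accepted sensor ports are the three values Table 1-1 lists for the syslog sensor; the function names and problem messages are this example's own.

```python
"""Validate a Lasso.ini LogAppliance line against the collector's expectations.

Added example; not code from Lasso or from the Symantec collector.
Assumptions: the line is comma-separated exactly as documented
(LogAppliance,IP_Address,Port_Number,udp) and the sensor port is one of the
values Table 1-1 allows for the syslog sensor.
"""
import ipaddress

SENSOR_PORTS = (10514, 6161, 514)  # ports Table 1-1 allows for the sensor
DEFAULT_SENSOR_PORT = 10514


def check_log_appliance_line(line: str, sensor_port: int = DEFAULT_SENSOR_PORT) -> list:
    """Return a list of problems; an empty list means the line is acceptable."""
    problems = []
    if sensor_port not in SENSOR_PORTS:
        problems.append(f"sensor port {sensor_port} is not one of {SENSOR_PORTS}")
    fields = [f.strip() for f in line.strip().split(",")]
    if len(fields) != 4:
        problems.append(f"expected 4 comma-separated parameters, got {len(fields)}")
        return problems
    keyword, address, port, proto = fields
    if keyword != "LogAppliance":
        problems.append("first parameter must be the reserved keyword LogAppliance")
    try:
        ipaddress.ip_address(address)  # rejects host names; an IP address is required
    except ValueError:
        problems.append(f"second parameter must be an IP address, not {address!r}")
    if not (port.isdigit() and 1 <= int(port) <= 65535):
        problems.append(f"third parameter must be a port number, not {port!r}")
    elif int(port) != sensor_port:
        problems.append(f"port {port} does not match the collector sensor port {sensor_port}")
    if proto.lower() != "udp":
        problems.append("fourth parameter must be udp; the syslog sensor does not support TCP")
    return problems


def log_appliance_line(collector_ip: str, sensor_port: int = DEFAULT_SENSOR_PORT) -> str:
    """Build a LogAppliance line for the given collector address and sensor port."""
    line = f"LogAppliance,{collector_ip},{sensor_port},udp"
    problems = check_log_appliance_line(line, sensor_port)
    if problems:
        raise ValueError("; ".join(problems))
    return line


if __name__ == "__main__":
    # Constructed inputs; the first matches the example line in the quick reference.
    print(check_log_appliance_line("LogAppliance,192.168.22.199,10514,udp"))
    print(check_log_appliance_line("LogAppliance,collector.example,514,tcp"))
```

Run the check after editing Lasso.ini and before restarting the Lasso service; a line that leaves the default port 514 in place while the sensor listens on 10514 is reported as a port mismatch rather than silently dropped on the wire.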

Sensor properties for SNARE for Windows Event Collector

Table 1-1 shows the sensor properties for the syslog sensor.

Table 1-1 Syslog sensor properties

Protocol
    Specify UDP as the syslog protocol that SNARE for Windows uses to send events. TCP is not supported.

Host Names
    Specify the IP addresses or names of the host computers that the collector monitors. Specify * (or any) to allow any host to send events to the collector, or specify multiple host names. Separate multiple host names with commas or semicolons.

Port Number
    Specify the port number to which you have configured SNARE for Windows to send syslog messages. The default port number is 10514. You can use 10514, 6161, or 514.


Table 1-1 Syslog sensor properties (continued)

Time Offset
    Specify a time offset to convert timestamps of all logged events to the time zone of the collector computer.

    You can use a time offset value if the following statements are true:

    ■ The time zone of the collector computer and the point product are different

    ■ The timestamps in the point product data are not Coordinated Universal Time (UTC).

    You do not need to use this property if the collector and the point product computers are in the same time zone.

    Acceptable formats are: +HH, -HH, +HH:MM, -HH:MM, where HH is the number of hours (-99 to +99), and MM is the number of minutes (0 to 59). The default value is +00:00.

    For example, if Pacific Standard Time (PST) is the time zone of the collector computer, you can specify -3 to convert incoming events that carry Eastern Standard Time (EST) timestamps to Pacific Standard Time. You can specify +3 to convert incoming events that carry Hawaii-Aleutian Standard Time (HST) timestamps to Pacific Standard Time.

    If you enter and distribute an erroneous time zone offset, the collector automatically resets the offset value to the default value of +00:00. An error message is posted in the collector’s log.
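The Time Offset rules above, worked through in Python as an added example (not the collector's own code): the parser accepts exactly the documented formats and ranges, the offset is applied to a point-product timestamp, and an erroneous value falls back to +00:00 with an error logged, as the table describes. The logger name, message wording and function names are this example's own.

```python
"""Time Offset handling as described in Table 1-1.

Added example, not the collector's own code. It accepts the documented formats
(+HH, -HH, +HH:MM, -HH:MM with HH in -99..+99 and MM in 0..59), applies the
offset to a point-product timestamp, and reproduces the documented fallback:
an erroneous value is reset to +00:00 and an error is logged.
"""
import logging
import re
from datetime import datetime, timedelta
from typing import Optional, Tuple

DEFAULT_OFFSET = "+00:00"
# sign, one or two hour digits, optional ":" followed by one or two minute digits
OFFSET_RE = re.compile(r"^([+-])(\d{1,2})(?::(\d{1,2}))?$")

log = logging.getLogger("collector.sensor")  # logger name is an assumption


def parse_time_offset(value: str) -> Optional[timedelta]:
    """Return the offset as a timedelta, or None if the value is not acceptable."""
    m = OFFSET_RE.match(value.strip())
    if m is None:
        return None
    sign, hours, minutes = m.group(1), int(m.group(2)), int(m.group(3) or 0)
    if minutes > 59:  # HH is already limited to 0..99 by the regex
        return None
    delta = timedelta(hours=hours, minutes=minutes)
    return -delta if sign == "-" else delta


def effective_offset(configured: str) -> Tuple[str, timedelta]:
    """Return (value actually used, delta); a bad value reverts to +00:00."""
    delta = parse_time_offset(configured)
    if delta is None:
        log.error("invalid Time Offset %r; resetting to %s", configured, DEFAULT_OFFSET)
        return DEFAULT_OFFSET, timedelta(0)
    return configured.strip(), delta


def to_collector_time(event_time: datetime, configured: str) -> datetime:
    """Shift a point-product timestamp into the collector computer's time zone."""
    _, delta = effective_offset(configured)
    return event_time + delta


def to_collector_time_iso(event_iso: str, configured: str) -> str:
    """Same as to_collector_time, for ISO 8601 strings (convenient for log lines)."""
    return to_collector_time(datetime.fromisoformat(event_iso), configured).isoformat()


if __name__ == "__main__":
    # Constructed case from the Table 1-1 example: PST collector, EST events, offset -3.
    print(to_collector_time_iso("2006-07-10T17:18:36", "-3"))
    print(to_collector_time_iso("2006-07-10T17:18:36", "+3:75"))  # invalid: logged, treated as +00:00
```

Because the fallback silently restores +00:00, a misconfigured offset shows up as events whose timestamps are off by whole hours rather than as a rejected setting; the logged error is the only direct signal, so it is worth alerting on.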

About syslog event forwarding

If you forward events to a standard syslog server, you can use a syslog forwarder on that server rather than change the settings on your security device. A syslog forwarder can receive and forward events to both Information Manager and your existing syslog server.

About Syslog Director

If you use the collector on the Information Manager appliance, you can set up this collector to use Syslog Director. Syslog Director accepts syslog events from any device or application that sends events to the standard port for syslog messages, UDP port 514. (You can also configure Syslog Director to listen on other UDP and TCP ports.) Syslog Director identifies the incoming events by their signatures (specific patterns that identify each collector) and redirects the events that are received to the appropriate collector. All events that are not identified by a signature are sent to the Generic Syslog Collector.

You can upgrade Syslog Director 4.2 to Syslog Director 4.3 on your Symantec Security Information Manager 4.5 appliance.

For a detailed procedure, see the Symantec Event Collectors Integration Guide.


Note: In all deployments, you must list the Generic Syslog Collector last, and you must leave its Collector Signature empty.

The default Syslog Director settings for this collector are as follows:

Collector name: Snare for Windows Event Collector

Collector signature: MSWinEventLog

Default port: 10529

For detailed procedures on Syslog Director, see the Symantec Event Collectors Integration Guide.

Running LiveUpdate for collectors

You can run LiveUpdate to receive collector updates such as support for new events and query updates.

If you install a collector on Information Manager 4.5, you must complete the following procedures in the order presented:

■ Run LiveUpdate for collectors added to the Information Manager 4.5 appliance. See “To run LiveUpdate for collectors added to the Information Manager 4.5 appliance” on page 16.

■ Verify that LiveUpdate ran successfully on Information Manager 4.5. See “To verify that LiveUpdate ran successfully on Information Manager 4.5” on page 17.

If you install a collector on Information Manager 4.6, or if you use a collector that is preinstalled on Information Manager 4.6, you must complete the following procedures in the order presented:

■ Use the Administrator Web page to run LiveUpdate

■ Use the Administrator Web page to verify that LiveUpdate ran successfully

See “To run LiveUpdate from the Administrator Web page” on page 16.

If you installed the collector on a separate computer, you must complete the following tasks in the order presented:

■ Run LiveUpdate for a collector installed on a separate computer. See “To run LiveUpdate for a collector installed on a separate computer” on page 17.


■ Verify that LiveUpdate ran successfully for a collector installed on a separate computer. See “To verify that LiveUpdate ran successfully for a collector installed on a separate computer” on page 17.

To run LiveUpdate from the Administrator Web page

1 From a Web browser, navigate to the Information Manager Administrator Web page, and then log in with administrator credentials.

2 From the list on the left, click LiveUpdate.

3 In the list of products, to select the items to update, check Update in the corresponding check box.

At the bottom of the page, you can also click Check All.

4 At the bottom of the page, click Update.

If LiveUpdate runs successfully, the status column in the Summary page displays Success.

5 To troubleshoot a problem with LiveUpdate, under Session Log, click View Log File.

To run LiveUpdate for collectors added to the Information Manager 4.5 appliance

1 Connect to the Information Manager 4.5 appliance, and log in as root.

2 Navigate to the Symantec Event Agent directory.

The default directory is /opt/Symantec/sesa/Agent/collectors/snarewin

3 At the command prompt, type the following command:

sh ./runliveupdate.sh

4 To stop the Symantec Event Agent, type the following command:

service sesagentd stop

5 To change the ownership of the updated collector files, type the followingcommand:

chown -R sesuser.ses *

6 To restart the Symantec Event Agent, type the following command:

service sesagentd start


To verify that LiveUpdate ran successfully on Information Manager 4.5

1 Connect to the Information Manager 4.5 appliance, and log in as root.

2 Navigate to the collectors subdirectory of the Symantec Event Agent directory.

The default directory is as follows:

cd /opt/Symantec/sesa/Agent/collectors/snarewin

3 Verify that a file named LiveUpdate-Collector.txt exists.

This text file shows the date of the last LiveUpdate and contains information about any defects that were addressed and any enhancements that were added.

4 Navigate to the LiveUpdate directory:

/opt/Symantec/LiveUpdate

5 To view the last 100 lines of the liveupdt.log file, type the following command:

tail -100 liveupdt.log | more

The first part of the log is in text format; the second part of the log repeats the information in XML format.

If LiveUpdate was unsuccessful, a status message that notes the failure appears at the end of the log file.

For example, Status = Failed (return code - 2001).

To run LiveUpdate for a collector installed on a separate computer

1 On the collector computer, navigate to the collector directory as follows:

■ On Windows, the default directory is as follows: C:\Program Files\Symantec\Event Agent\collectors\snarewin

■ On UNIX, the default directory is as follows: /opt/Symantec/sesa/Agent/collectors/snarewin

2 At a command prompt, do one of the following tasks:

■ On Windows, type the following command: runliveupdate.bat

■ On UNIX, as the root user, type the following command: runliveupdate.sh

To verify that LiveUpdate ran successfully for a collector installed on a separate computer

1 On the collector computer, navigate to the collector directory as follows:

■ On Windows, the default directory is as follows:


C:\Program Files\Symantec\sesa\Agent\collectors\snarewin

■ On UNIX, the default directory is as follows: /opt/Symantec/sesa/Agent/collectors/snarewin

2 Verify that a file named LiveUpdate-Collector.txt exists.

This text file shows the date of the last LiveUpdate and contains information about any defects that were addressed and any enhancements that were added.

3 Navigate to the LiveUpdate directory as follows:

■ On Windows, the default LiveUpdate directory is as follows: C:\Documents and Settings\All Users\Application Data\Symantec\Java LiveUpdate

■ On UNIX, the default LiveUpdate directory is as follows: /opt/Symantec/LiveUpdate

4 To view the liveupdt.log file, do one of the following tasks:

■ On Windows, use a text editor such as Notepad to view the liveupdt.log file.

■ On UNIX, to view the last 100 lines of the liveupdt.log file, type the following command: tail -100 liveupdt.log | more

The first part of the log is in text format; the second part of the log repeats the information in XML format.

If LiveUpdate was unsuccessful, a status message that notes the failure appears at the end of the log file.

For example, Status = Failed (return code - 2001).


Chapter 2 Implementation notes

This chapter includes the following topics:

■ Product ID for SNARE for Windows Event Collector

■ Event example

■ Schema packages

■ Event mapping for Information Manager

Product ID for SNARE for Windows Event Collector

The product ID of the collector is 3241.

Event example

The following is an example event:

Jul 10 17:18:44 SIMANET2000-2 MSWinEventLog 1 Application 2 Mon Jul 10 17:18:36 2006 105 SNARE Unknown User N/A Information SIMANET2000-2 None The service was started. 1

The event is in Microsoft Windows Server Update Services (WSUS) database file format. The structure is as follows (the number is the field position):

0 Syslog Header (Date\Hostname\EventLog type)

1 Criticality

2 SourceName

3 SNARE/Lasso Event Counter


DateTime4

EventID5

SourceName6

UserName7

SIDType8

EventLogType9

ComputerName10

CategoryString11

DataString12

ExpandedString13

MD5 Checksum (optional)14

Schema packages

The collector uses the following schema packages:

■ symc_base_class (for catch-all events)

■ symc_windows_eventlog_class (for Windows events)

Event mapping for Information Manager

Table 2-1 shows the event mapping for the collector.

Table 2-1 Event mapping

Information Manager field name | SNARE for Windows field name | Comment
------------------------------ | ---------------------------- | -------
Category ID | (none) | 30007601 - Application; 30007606 - Security
Computer Name | ComputerName | Windows computer name
Destination Host Name | ComputerName | Windows computer name
Event Count | (none) | Count of the events from the source event, or 1
Description | (none) | Description of the event
Description Message | ExpandedDataString | Contains the expanded data strings
Event Category | CategoryString | Category of the audit event, as defined by the Windows event logging system
Event Date | DateTime | Date and time of the event
Event ID | EventID | Windows Event ID that identifies the event type
Event Record Number | SNARE Event Counter | Based on the internal SNARE event counter
Event Source | SourceName | First occurrence of this field indicates the log file from which event data is taken. For example, application, security, system, directory service, DNS server, or file replication
Event Type ID | (none) | Possible values: 1912000 - Windows and Novell Security Event; 1912001 - Windows and Novell System Event; 1912002 - Windows and Novell Application Event; 1912003 - Windows and Novell Extended Event
Facility | Facility | Facility value from the PRI part of the Syslog header (RFC 3164). Only for events received by TCP
IP Destination Address | ComputerName | Windows computer name
IP Source Address | SourceName | Computer that caused this event
Option 1 through Option 17 | (none) | Option 1 field through Option 17 field (one row per option)
Proxy Machine, Proxy Machine IP | ProxyMachine, ProxyMachineIP | IP address and host name of the computer where the SNARE/Project Lasso product is installed
Severity ID | (none) | Based on EventLogType. Possible values: 1 - Informational; 2 - Warning; 3 - Minor; 4 - Major; 5 - Critical
Source Computer Name | SourceName | Computer that caused this event
Source Eventlog | SourceName | The second occurrence of the field in the SNARE logs. For security, both fields are the same; for Application System, it is the name of the particular application or system component.
Source Host Name | SourceName | Computer that caused this event
User Name | UserName | Windows UserName
Vendor Device | (none) | Actual: 53
Vendor Severity | Criticality | Severity of the logged event. Severity is defined as follows: Critical=4, Priority=3, Warning=2, Informational=1, Clear=0
Vendor Signature | (none) | <EventLogType>:<EventID>
Windows and Novell Event Type | EventLogType | Possible values: Success Audit, Failure Audit, Error, Information, Warning

Table 2-2 shows the EventClass mapping and how the windows_source_eventlog field affects the event_id field.


Table 2-2 EventClass mapping

Source field (windows_source_eventlog) | Destination field (event_id)
-------------------------------------- | ----------------------------
Security | 1912000 - Windows and Novell Security Event
System | 1912001 - Windows and Novell System Event
Application | 1912002 - Windows and Novell Application Event
DNS Server | 1912003 - Windows and Novell Extended Event
File Replication Service | 1912003 - Windows and Novell Extended Event
Directory Service | 1912003 - Windows and Novell Extended Event

Table 2-3 shows the severity mapping and how the windows_event_type field affects the severity field.

Table 2-3 Severity mapping

Source field (windows_event_type) | Destination field (severity)
--------------------------------- | ----------------------------
Information | 1 - Informational (Default)
Success Audit | 2 - Warning
Warning | 3 - Minor
Failure Audit | 4 - Major
Error | 5 - Critical

Table 2-4 shows the category mapping and how the windows_source_eventlog field affects the category_id field.

Table 2-4 Category mapping

Source field (windows_source_eventlog) | Destination field (category_id)
-------------------------------------- | -------------------------------
Security | 30007606 - Security
System | 30007601 - Application
Application | 30007601 - Application
DNS Server | 30007601 - Application
File Replication Service | 30007601 - Application
Directory Service | 30007601 - Application
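Worked example, added here and not part of the Symantec collector's own code: a Python parser that splits a tab-delimited SNARE line into the field positions listed in the event structure above and applies the Table 2-2, 2-3 and 2-4 lookups to derive event_id, severity, category_id and the Vendor Signature value. The sample line is a constructed tab-delimited rendering of the page's example event; treating a missing trailing checksum as empty and an unlisted log as unmapped (None) are assumptions, not behaviour the page states.

```python
from typing import Dict, Optional

# Field positions from the "Event example" structure (index 0..14).
FIELD_NAMES = [
    "SyslogHeader", "Criticality", "SourceName", "SnareEventCounter",
    "DateTime", "EventID", "SourceName2", "UserName", "SIDType",
    "EventLogType", "ComputerName", "CategoryString", "DataString",
    "ExpandedString", "MD5Checksum",
]

# Table 2-2: windows_source_eventlog -> event_id
EVENT_ID = {
    "Security": 1912000, "System": 1912001, "Application": 1912002,
    "DNS Server": 1912003, "File Replication Service": 1912003,
    "Directory Service": 1912003,
}
# Table 2-3: windows_event_type -> severity (1 - Informational is the default)
SEVERITY = {"Information": 1, "Success Audit": 2, "Warning": 3,
            "Failure Audit": 4, "Error": 5}
# Table 2-4: windows_source_eventlog -> category_id
CATEGORY_ID = {"Security": 30007606, "System": 30007601,
               "Application": 30007601, "DNS Server": 30007601,
               "File Replication Service": 30007601,
               "Directory Service": 30007601}

# Constructed sample: the page's example event with tabs between fields.
SAMPLE = "\t".join([
    "Jul 10 17:18:44 SIMANET2000-2 MSWinEventLog", "1", "Application", "2",
    "Mon Jul 10 17:18:36 2006", "105", "SNARE", "Unknown User", "N/A",
    "Information", "SIMANET2000-2", "None", "The service was started.", "1",
])


def parse_snare_event(line: str) -> Dict[str, str]:
    """Split one SNARE line into the documented field positions."""
    parts = line.rstrip("\r\n").split("\t")
    fields = dict(zip(FIELD_NAMES, parts))
    fields.setdefault("MD5Checksum", "")  # assumption: optional field absent
    return fields


def map_event(fields: Dict[str, str]) -> Dict[str, Optional[object]]:
    """Apply Tables 2-2, 2-3 and 2-4 and build the Vendor Signature."""
    source_log = fields["SourceName"]      # first SourceName = log file name
    log_type = fields["EventLogType"]
    return {
        "event_id": EVENT_ID.get(source_log),          # None if unlisted
        "severity": SEVERITY.get(log_type, 1),         # default per Table 2-3
        "category_id": CATEGORY_ID.get(source_log),    # None if unlisted
        "vendor_signature": f"{log_type}:{fields['EventID']}",
    }
```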


Chapter 3: Event filtering and aggregation

This chapter includes the following topics:

■ Event filtering and aggregation for SNARE for Windows Event Collector

Event filtering and aggregation for SNARE for Windows Event Collector

The collector includes a default filter called catch-all events. The filter removes events when the field not_translated is equal to true. The filter is enabled by default. If you want all events processed by the collector, you can disable this filter rule.

Table 3-1 shows example filters and aggregation.

Table 3-1 Filtering and aggregation examples

Name | Operator | Value | Description
---- | -------- | ----- | -----------
Windows and Novell Event Type | equal to | Information | This filter removes informational events while retaining error and warning events.
Windows User Name | equal to | Smith | This aggregation groups events by the username Smith.
Windows User Name | similar property | (none) | This aggregation groups events for all users who tried to access the Windows computer.
