Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 - ADAPTIVE LOG EXPORTER REV1, Security Threat Response Manager User Manual

Security Threat Response Manager
Release 2008.2
Juniper Networks, Inc.
1194 North Mathilda Avenue Sunnyvale, CA 94089 USA 408-745-2000
www.juniper.net
Part Number: 530-023497-01, Revision 1
Copyright Notice
Copyright © 2008 Juniper Networks, Inc. All rights reserved. Juniper Networks and the Juniper Networks logo are registered trademarks of Juniper Networks Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered service marks in this document are the property of Juniper Networks or their respective owners. All specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
FCC Statement
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.
The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with NetScreen’s installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
Reorient or relocate the receiving antenna.
Increase the separation between the equipment and receiver.
Consult the dealer or an experienced radio/TV technician for help.
Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.
Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.
Disclaimer
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR JUNIPER NETWORKS REPRESENTATIVE FOR A COPY.
STRM Adaptive Log Exporter
Release 2008.2
Copyright © 2008, Juniper Networks, Inc. All rights reserved. Printed in USA.
Revision History
18 April 2008—Revision 1
The information in this document is current as of the date listed in the revision history.
About This Guide 3
Conventions 3
Technical Documentation 3
Documentation Feedback 3
Requesting Support 4
Overview 5
Integrating Device Support Modules (DSMs) with STRM 5
Using the Adaptive Log Exporter 6
Using the Menu 6
Using the Toolbar 6
Deploying Changes 7
Installing the Adaptive Log Exporter 9
Before You Begin 9
Installing the Adaptive Log Exporter 9
Un-installing the Adaptive Log Exporter 13
Setting Up the Adaptive Log Exporter 15
Using the Preferences Window 15
Managing Updates 16
Configuring Adaptive Log Exporter Updates 16
Scheduling Automatic Updates 19
Configuring the Update Site 21
Configuring Updates for Off-line Sites 22
Managing Devices 25
Installing Device Types 25
Updating Devices 27
Configuring Devices 29
Adding a Device 29
Editing a Device 31
Deleting a Device 32
Managing Destinations 35
Configuring Destinations 35
Adding a Destination 35
Editing a Destination 37
Deleting a Destination 39
Mapping to a Destination 40
Creating a Mapping 40
Removing a Mapping 41
Configuring the Cisco ACS Device 43
Configuring the Cisco CSA Device 45
Configuring the File Forwarder Device 47
Configuring the Juniper SBR Device 49
Configuring the Windows Event Log Device 51
Configuring the Microsoft DHCP Device 53
Configuring the Trend Micro InterScan VirusWall Device 55
Configuring the Microsoft Exchange Server Device 57
Forwarding OWA Logs 57
Forwarding SMTP Logs 58
Configuring the Microsoft SQL Server Device 59
Configuring the Microsoft IIS Device 61
Collecting Windows Event Logs 63
Collecting Logs Without an Agent 64
Configuring the Adaptive Log Exporter 65
Collecting Logs With an Agent 67
Configuring the Adaptive Log Exporter 68
Configuring STRM To Accept Logs 71
ABOUT THIS GUIDE
The STRM Adaptive Log Exporter Users Guide provides you with information for integrating Device Support Modules (DSMs) with STRM or STRM Log-Only using the Adaptive Log Exporter.
Conventions
Table 1 lists conventions that are used throughout this guide.
Table 1 Icons
Icon Type: Description
Information note: Information that describes important features or instructions.
Caution: Information that alerts you to potential loss of data or potential damage to an application, system, device, or network.
Warning: Information that alerts you to potential personal injury.
Technical Documentation
You can access technical documentation, technical notes, and release notes directly from the Juniper Networks Support Web site at http://www.juniper.net/support/.
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. Send your comments to techpubs-comments@juniper.net, or fill out the documentation feedback form at http://www.juniper.net/techpubs/docbug/docbugreport.html. If you are using e-mail, be sure to include the following information with your comments:
Document name
Document part number
Page number
Software release version
Requesting Support
Open a support case using the Case Management link at
http://www.juniper.net/support/ or call 1-888-314-JTAC (from the United States,
Canada, or Mexico) or 1-408-745-9500 (from elsewhere).
1 OVERVIEW
The Adaptive Log Exporter is a stand-alone application that allows you to integrate devices/applications with STRM or STRM Log-Only. This chapter includes:
Integrating Device Support Modules (DSMs) with STRM
Using the Adaptive Log Exporter
Deploying Changes
Note: Unless otherwise noted, all references to STRM refer to both STRM and STRM Log-Only.
Integrating Device Support Modules (DSMs) with STRM
STRM can log and correlate events received from external sources such as security equipment and network equipment. The Adaptive Log Exporter enables you to forward data from Windows-based devices and applications to STRM for processing. Using the Adaptive Log Exporter, you can easily integrate Windows-based devices with STRM.
To integrate devices/applications with STRM:
Step 1 Install available device types. For more information, see Chapter 4 Managing Devices, Installing Device Types.
Step 2 Add and configure the required devices. For more information, see Chapter 4 Managing Devices, Configuring Devices.
Step 3 Add and configure the required device destinations. For more information, see Chapter 5 Managing Destinations, Configuring Destinations.
Step 4 Map the device to the desired destination, such as syslog or a log file. For more information, see Chapter 5 Managing Destinations, Mapping to a Destination.
Step 5 Deploy all changes.
Using the Adaptive Log Exporter
The Adaptive Log Exporter provides menu and toolbar options. This section provides information on the available options including:
Using the Menu
Using the Toolbar
Using the Menu
The menu options include:
Table 1-1 Adaptive Log Exporter Menu Options
Menu > Sub-Menu: Description
File > Save: Allows you to save current changes.
File > Save All: Allows you to save all changes made during the current session.
File > Deploy: Allows you to deploy all changes made during the current session.
File > Preferences: Allows you to configure Adaptive Log Exporter preferences. For more information, see Chapter 3 Setting Up the Adaptive Log Exporter.
File > Exit: Allows you to exit the application.
Edit > Edit Device: Allows you to edit the settings for a currently saved device. For more information, see Chapter 4 Managing Devices.
Edit > Edit Destination: Allows you to edit the mapping destination for a device. For more information, see Chapter 4 Managing Devices.
Window > Show Views: Allows you to view the Destination or Devices tabs.
Help > Software Updates: Allows you to check for software updates. For more information, see Chapter 4 Managing Devices.
Help > About: Allows you to access information about the version of Adaptive Log Exporter you are using.
Using the Toolbar
The toolbar options include:
Table 1-2 Toolbar Options
Icon Description
Allows you to save current changes.
Allows you to save all changes made during the current session.
Allows you to edit the settings for a currently saved device.
Allows you to edit the mapping destination for a device.
Allows you to deploy all changes made during the current session.
Allows you to install all available devices.
Deploying Changes
Once you configure your devices using the Adaptive Log Exporter, you must save your changes to the staging area using the Save or Save All option. Then, you must either manually deploy all changes using the Deploy menu option or, upon exit, a window appears prompting you to deploy changes before you exit. All deployed changes are then enforced.
2 INSTALLING THE ADAPTIVE LOG EXPORTER
This chapter provides information on installing and uninstalling your Adaptive Log Exporter including:
Before You Begin
Installing the Adaptive Log Exporter
Un-installing the Adaptive Log Exporter
Before You Begin
Before you install the Adaptive Log Exporter, make sure you have the following:
Windows 2000 or Windows 2003 software installed.
Your system includes at least 200 MB of disk space available.
Appropriate access to STRM. For more information regarding STRM, see the STRM Users Guide.
Appropriate access to all devices and servers you wish to configure. For more information, see your vendor documentation.
Installing the Adaptive Log Exporter
To install the Adaptive Log Exporter:
Step 1 Download the Adaptive Log Exporter by selecting Software > Adaptive Log Exporter from the following website: http://downloads.q1labs.com/windowsagent/ Click the Management Software link and log in. Go to the Security Threat Response Manager link to download the ALE software.
Step 2 Close all other active applications before installing the Adaptive Log Exporter.
Step 3 Double-click the Adaptive Log Exporter executable.
The Welcome window appears.
Step 4 Click Next.
The Select Destination Location window appears.
Step 5 Specify the location you wish to install the Adaptive Log Exporter. To browse your
system for a particular location, click Browse.
Step 6 Click Next.
The Start Menu Folder window appears.
Step 7 Specify the name of the menu option in your Start menu. If you do not wish to include a menu option in your Start menu, select the Don’t create a Start Menu folder check box.
Step 8 Click Next.
The Select Additional Tasks window appears.
Step 9 Configure the available options:
Create a desktop icon — Select the check box if you wish to create an icon on your desktop for the Adaptive Log Exporter. You can also select one of the following options:
- For all users
- For the current user only
Create a Quick Launch icon — Select the check box if you wish to create an icon on your Quick Launch toolbar.
Run service now — If you wish to run the Adaptive Log Exporter immediately after installation, select the Run service now check box.
Step 10 Click Next.
The Ready to Install window appears.
Step 11 Click Install.
The Completing the Setup Wizard window appears when the installation is complete.
Step 12 Click Finish.
The installation process is complete. When the installation process completes, you must configure the location that the Adaptive Log Exporter uses for updates. For more information, see Configuring the Update Site.
Un-installing the Adaptive Log Exporter
To un-install the Adaptive Log Exporter:
Step 1 From your desktop, select Start > Programs > AdaptiveLogExporter > Utility > Uninstall AdapterLogExporter.
A confirmation message appears.
Step 2 Click Yes to continue.
A message appears when the uninstall is complete.
Step 3 Click Ok.
3 SETTING UP THE ADAPTIVE LOG EXPORTER
This chapter provides information on setting up your Adaptive Log Exporter including:
Using the Preferences Window
Managing Updates
Using the Preferences Window
The Preferences window provides the following options:
Table 3-1 Preference Options
Menu > Sub-Menu: Description
Help: We recommend that you use the default values for the Help options.
Install/Update: Allows you to configure your update options. For more information, see Configuring Adaptive Log Exporter Updates.
Install/Update > Automatic Updates: Allows you to schedule updates to your Adaptive Log Exporter. For more information, see Scheduling Automatic Updates.
Install/Update > Update Site: Allows you to configure the location that the Adaptive Log Exporter uses for updates. For more information, see Configuring the Update Site.
Note: If you deviate from the default values of the Adaptive Log Exporter and you wish to restore default values, click Restore Defaults in the Preferences window.
Managing Updates
This section provides information on managing updates for your Adaptive Log Exporter including:
Configuring Adaptive Log Exporter Updates
Scheduling Automatic Updates
Configuring the Update Site
Configuring Adaptive Log Exporter Updates
To configure the preferences for updates:
Step 1 From the Start menu, select Start > Programs > AdaptiveLogExporter > Configure Adapter Log Exporter. The Adaptive Log Exporter appears.
Step 2 From the menu, select File > Preferences.
The Preferences window appears.
Step 3 Click Install/Update.
The Install/Update parameters appear.
Step 4 In the Maximum number of History configurations field, enter the number of
configuration changes you wish the system to maintain. The default is 100.
Step 5 To ensure greater security for your downloaded archives, select the Check digital
signatures of downloaded archives check box. By default, the check box is selected.
Step 6 To determine the updates you wish your system to perform, choose one of the following options:
equivalent — Includes updates that are equivalent to the currently running version of the Adaptive Log Exporter. Typically, this includes plug-ins and updates.
compatible — Includes updates that are available and include a new version of the application. Typically, this includes a new release of the Adaptive Log Exporter.
Step 7 To apply a specific update policy, enter its URL in the Policy URL field.
This update policy is useful if your deployment includes many Adaptive Log Exporters. If this is the case, you may need to schedule event uploads to minimize the potential high load on the network. For assistance creating a custom update policy, contact Q1 Labs Customer Support.
Step 8 To specify specific proxy settings for your updates:
a Select the Enable HTTP Proxy connection check box.
Additional fields are activated.
b In the HTTP proxy host address field, enter the IP address of the desired proxy host.
c In the HTTP proxy host port field, enter the port number of the proxy host.
Step 9 Click Apply.
Step 10 Click OK.
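The two options in Step 6 and the digital-signature check in Step 5 together decide which downloaded archives the agent will accept. The following Python script is an added example, not part of this guide or of the Adaptive Log Exporter's own update code: the version semantics (equivalent = same major.minor release, compatible = same or newer release), the update names, the archive bytes and the manifest digests are all constructed assumptions, and a SHA-256 digest pinned in a trusted manifest stands in for the product's signature verification.

```python
"""Update selection and archive-integrity check, modelled on the Install/Update
preferences. All data and semantics below are constructed for this example."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List, Tuple

Version = Tuple[int, int, int]


@dataclass(frozen=True)
class UpdateArchive:
    """One downloadable update as it might be listed on an update site (constructed)."""
    name: str
    version: Version
    archive: bytes          # archive contents as downloaded
    published_sha256: str   # digest taken from the site's trusted manifest (assumed)


def parse_version(text: str) -> Version:
    """'2008.2.1' -> (2008, 2, 1); missing fields default to 0."""
    parts = [int(p) for p in text.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def matches_policy(policy: str, current: Version, candidate: Version) -> bool:
    """Assumed semantics for the 'equivalent' and 'compatible' options."""
    if policy == "equivalent":
        # Same release (major.minor): plug-ins and patches for the running version.
        return candidate[:2] == current[:2]
    if policy == "compatible":
        # The running release or a newer release of the application.
        return candidate >= current
    raise ValueError(f"unknown update policy: {policy}")


def archive_is_intact(update: UpdateArchive) -> bool:
    """Stand-in for 'Check digital signatures of downloaded archives': recompute the
    digest of the downloaded bytes and compare it, in constant time, with the digest
    published in the trusted manifest."""
    actual = hashlib.sha256(update.archive).hexdigest()
    return hmac.compare_digest(actual, update.published_sha256)


def select_updates(policy: str, current_version: str, candidates: List[UpdateArchive],
                   check_signatures: bool = True) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (accepted update names, [(rejected name, reason), ...])."""
    current = parse_version(current_version)
    accepted, rejected = [], []
    for upd in candidates:
        if not matches_policy(policy, current, upd.version):
            rejected.append((upd.name, "outside update policy"))
        elif check_signatures and not archive_is_intact(upd):
            rejected.append((upd.name, "integrity check failed"))
        else:
            accepted.append(upd.name)
    return accepted, rejected


def _published(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample update-site contents.
GOOD_PLUGIN = b"plugin: microsoft-iis DSM build 17"
NEW_RELEASE = b"ale-2008.3 installer"
ORIGINAL_ACS = b"plugin: cisco-acs DSM build 4"

SAMPLE_SITE = [
    UpdateArchive("iis-dsm-plugin", (2008, 2, 1), GOOD_PLUGIN, _published(GOOD_PLUGIN)),
    UpdateArchive("ale-2008.3", (2008, 3, 0), NEW_RELEASE, _published(NEW_RELEASE)),
    # Manifest digest belongs to the original archive, but the bytes were altered in transit.
    UpdateArchive("acs-dsm-plugin", (2008, 2, 2), ORIGINAL_ACS + b" (modified)",
                  _published(ORIGINAL_ACS)),
]

if __name__ == "__main__":
    for policy in ("equivalent", "compatible"):
        acc, rej = select_updates(policy, "2008.2", SAMPLE_SITE)
        print(policy, "accepted:", acc, "rejected:", rej)
    # With the signature check cleared, the altered archive is accepted.
    print("unchecked:", select_updates("equivalent", "2008.2", SAMPLE_SITE, check_signatures=False))
```

Running the script with the current version set to 2008.2 shows the plug-in for the running release accepted under both policies, the 2008.3 release accepted only under compatible, and the altered archive rejected in both cases unless the integrity check is switched off, which is the situation the default-selected check box in Step 5 prevents.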
Scheduling Automatic Updates
You can configure the Adaptive Log Exporter to automatically search for updates. To schedule updates:
Step 1 From the Start menu, select Start > Programs > AdaptiveLogExporter > Configure Adapter Log Exporter. The Adaptive Log Exporter appears.
Step 2 From the menu, select File > Preferences.
The Preferences window appears.
Step 3 In the left navigation pane, click the + sign next to Install/Update.
Additional menu options appear.
Step 4 Click Automatic Updates.
The Automatic Updates parameters appear.
Step 5 Select the Automatically find new updates and notify me check box.
Additional options become active. When updates are available, a message appears indicating the available updates.
Step 6 Select one of the following options to schedule automatic updates:
Look for updates each time platform is started — Enables the system to search for updates each time you start your Adaptive Log Exporter. This is the default.
Look for updates on the following schedule: — Allows you to use the drop-down list boxes to schedule a specific time for searching for updates.
Step 7 Select one of the following options for downloading updates:
Search for updates and notify me when they are available — Enables the system to search for updates and provide notification when the updates are available before downloading.
Download new updates automatically and notify me when ready to install them — Enables the system to search for new updates automatically and notifies you when they are ready to install.
Step 8 Click Apply.
Step 9 Click OK.
Configuring the Update Site
To specify a specific location for the Adaptive Log Exporter to search for updates:
Step 1 From the Start menu, select Start > Programs > AdaptiveLogExporter > Configure Adapter Log Exporter. The Adaptive Log Exporter appears.
Step 2 From the menu, select File > Preferences.
The Preferences window appears.
Step 3 In the left navigation pane, click the + sign next to Install/Update.
Additional menu options appear.
Step 4 Click Update Site.