Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 - CONFIGURING DSMS REV 1, Security Threat Response Manager User Manual

Security Threat Response Manager
Release 2008.2
Juniper Networks, Inc.
1194 North Mathilda Avenue Sunnyvale, CA 94089 USA 408-745-2000
www.juniper.net
Part Number: 530-025608-01, Revision 1
Copyright Notice
Copyright © 2008 Juniper Networks, Inc. All rights reserved. Juniper Networks and the Juniper Networks logo are registered trademarks of Juniper Networks Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered service marks in this document are the property of Juniper Networks or their respective owners. All specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
FCC Statement
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense. The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with NetScreen's installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures: Reorient or relocate the receiving antenna. Increase the separation between the equipment and receiver. Consult the dealer or an experienced radio/TV technician for help. Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.
Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.
Disclaimer
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR JUNIPER NETWORKS REPRESENTATIVE FOR A COPY.
Configuring DSMs
Release 2008.2
Copyright © 2008, Juniper Networks, Inc. All rights reserved. Printed in USA.
Revision History
June 2008—Revision 1
The information in this document is current as of the date listed in the revision history.
Contents
About This Guide 1
Overview 3
3Com 8800 Series Switch 5
Ambiron TrustWave ipAngel 7
Apache HTTP Server 9
Apple Mac OS X 11
Array Network SSL VPN 13
F5 Networks BigIP 15
Blue Coat SG 17
Check Point FireWall-1 19
Check Point Provider-1 25
Cisco ACS 29
Cisco ASA 31
Cisco CatOS for Catalyst Switches 33
Cisco CSA 35
Cisco FWSM 37
Cisco IDS/IPS 39
Cisco NAC Device 41
Cisco IOS 43
Cisco Pix 45
Cisco VPN 3000 Concentrator 47
CyberGuard Firewall/VPN Appliance 49
Enterasys Dragon 51
Enterasys Matrix Router 55
Enterasys Matrix N-Series 57
Extreme Networks ExtremeWare 59
ForeScout CounterACT 61
Fortinet FortiGate 63
Generic Authorization Server 65
Generic Firewall 69
IBM AIX 5L 73
IBM Proventia Management SiteProtector 75
ISS Proventia 77
Juniper DX Application Acceleration Platform 79
Juniper EX-Series Ethernet Switch 81
Juniper NetScreen IDP 83
Juniper Networks Secure Access 85
Juniper Infranet Controller 89
Juniper NetScreen Firewall 91
Juniper NSM 93
Juniper Router 95
Juniper Steel-Belted RADIUS 97
Linux DHCP 99
Linux IPtables 101
Linux Login Messages 103
McAfee Intrushield 105
McAfee ePolicy Orchestrator 107
MetaInfo MetaIP 109
Microsoft Exchange Server 111
Microsoft DHCP Server 113
Microsoft IAS Server 115
Microsoft IIS 117
Microsoft SQL Server 119
Microsoft Windows Security Event Log 121
Niksun 123
Nokia Firewall 125
Nortel ARN 129
Nortel Application Switch 131
Nortel Contivity 5000 133
Nortel Contivity Firewall/VPN 135
Nortel Switched Firewall 5100 137
Nortel Switched Firewall 6000 141
Nortel VPN Gateway 145
OpenBSD 147
Open Source SNORT 149
Oracle Audit Records 151
Oracle DB Listener 155
ProFTPd 159
Samhain 161
Secure Computing Sidewinder 165
Sun Solaris 167
Sun Solaris DHCP 169
SonicWALL 171
Sun Solaris Sendmail 173
Sourcefire Intrusion Sensor 175
Squid Web Proxy 177
Symantec SGS 179
Symantec System Center 181
Symark PowerBroker 183
Tipping Point Intrusion Prevention System 185
TippingPoint X505/X506 Device 187
TopLayer 189
Trend Micro InterScan VirusWall 191
Tripwire 193
Universal DSM 195
Vericept Content 360 DSM 207
Supported DSMs 209
ABOUT THIS GUIDE
The Configuring DSMs Guide provides you with information for configuring sensor devices (DSMs) and integrating the DSMs with STRM or STRM Log Management.
Conventions
Table 1 lists conventions that are used throughout this guide.
Table 1 Icons
Icon Type: Description
Information note: Information that describes important features or instructions.
Caution: Information that alerts you to potential loss of data or potential damage to an application, system, device, or network.
Warning: Information that alerts you to potential personal injury.
Technical Documentation
You can access technical documentation, technical notes, and release notes directly from the Juniper Networks Support Web site at http://www.juniper.net/support/.
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. Send your comments to techpubs-comments@juniper.net, or fill out the documentation feedback form at http://www.juniper.net/techpubs/docbug/docbugreport.html. If you are using e-mail, be sure to include the following information with your comments:
Document name
Document part number
Page number
Software release version
Configuring DSMs
Requesting Support
Open a support case using the Case Management link at
http://www.juniper.net/support/ or call 1-888-314-JTAC (from the United States,
Canada, or Mexico) or 1-408-745-9500 (from elsewhere).
1
OVERVIEW
You can configure STRM or STRM Log Management to log and correlate events received from external sources such as security equipment (for example, firewalls) and network equipment (for example, switches and routers). Device Support Modules (DSMs) allow you to integrate STRM or STRM Log Management with these external devices. Unless otherwise noted, all references to STRM refer to both STRM and STRM Log Management.
You can configure the Event Collector to collect security events from various types of security devices in your network. The Event Collector gathers events from local and remote devices. The Event Collector then normalizes and bundles the events and sends the events to the Event Processor.
All events are correlated, and security and policy offenses are created based on correlation rules. These offenses are displayed in the Offense Manager. For more information on the Offense Manager interface, see the STRM Users Guide.
Note: Before you configure STRM to collect security information from devices, you must set up your deployment, including off-site sources or targets, using the deployment editor. For more information on the deployment editor, see the STRM Administration Guide.
To configure STRM to receive events from devices, you must:
Step 1 Configure the device to send events to STRM.
Step 2 Configure STRM to receive events from specific devices. For more information, see the Managing Sensor Devices Guide.
2
3COM 8800 SERIES SWITCH
A STRM 3Com 8800 Series Switch DSM accepts events using syslog. STRM records all relevant status and network condition events. Before configuring a 3Com 8800 Series Switch device in STRM, you must configure your device to send syslog events to STRM.
To configure the device to send syslog events to STRM:
Step 1 Log in to the 3Com 8800 Series Switch interface.
Step 2 Enable the information center:
info-center enable
Step 3 Configure your STRM system as the loghost, set the syslog facility, and set the output language to English:
info-center loghost <ip_address> facility <facility> language english
Where:
<ip_address> is the IP address of your STRM system.
<facility> is the syslog facility (local0 through local7) that the switch stamps on messages sent to the loghost. The informational severity threshold is applied per module in Step 4.
Step 4 Configure the ARP and IP information modules to log at the informational level to the loghost channel:
info-center source arp channel loghost log level informational
info-center source ip channel loghost log level informational
You are now ready to configure the sensor device within the STRM interface. To configure STRM to receive events from a 3Com 8800 Series Switch, you must select the 3Com 8800 Series Switch option from the Sensor Device Type drop-down list box. For more information on configuring sensor devices, see the Managing Sensor Devices Guide.
3
AMBIRON TRUSTWAVE ipANGEL
A STRM Ambiron TrustWave ipAngel DSM accepts events using syslog. STRM records all Snort-based events from the ipAngel console.
Before you configure STRM to integrate with ipAngel, you must forward your cache and access logs to your STRM system. For information on forwarding device logs to STRM, see your vendor documentation.
You are now ready to configure the sensor device within the STRM interface. To configure STRM to receive events from an ipAngel device, choose one of the following options, depending on which version of STRM you are using:
Select ATW IpAngel from the Sensor Device Type drop-down list box.
Select Ambiron TrustWave ipAngel Intrusion Prevention System (IPS) from the Sensor Device Type drop-down list box.
For more information on configuring sensor devices, see the Managing Sensor Devices Guide.
4
APACHE HTTP SERVER
A STRM Apache HTTP Server DSM accepts Apache events using syslog. You can integrate Apache versions 1.3 and above with STRM. STRM records all relevant HTTP status events.
Note: The procedure in this section applies to Apache DSMs operating on Unix/Linux platforms only.
Before you configure STRM to integrate with Apache, you must:
Step 1 Open the Apache configuration file.
Step 2 Add the following below the log format definitions:
LogFormat "%h %A %l %u %t \"%r\" %>s %p %b" qradar
Step 3 Add the following line below the LogFormat entry to write to syslog (use straight double quotes; the directive is passed to the shell as a pipe):
CustomLog "|/usr/bin/logger -t httpd -p <facility>.<priority>" qradar
Where:
<facility> is a syslog facility, for example, local0.
<priority> is a syslog priority, for example, info or notice.
For example:
CustomLog "|/usr/bin/logger -t httpd -p local1.info" qradar
Note: Verify that hostname lookups are disabled, so that the %h field carries the client IP address rather than a resolved name. The configuration must contain:
HostnameLookups Off
Step 4 Open the syslog.conf file.
Step 5 Add the following line:
<facility>.<priority> <TAB><TAB>@<host>
Where:
<facility> is the syslog facility, for example, local0. This value must match the value entered in Step 3.
<priority> is the syslog priority, for example, info or notice. This value must match the value entered in Step 3.
<TAB> indicates you must press the TAB key.
<host> indicates the STRM managed host.
Step 6 Restart syslog:
/etc/init.d/syslog restart
Step 7 Restart Apache.
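As an added illustration that is not part of the original guide, the following Python script shows what the LogFormat and CustomLog lines above actually produce once logger wraps each record in a syslog envelope, and what the receiving side has to undo. It computes the PRI value that -p local1.info encodes, checks whether a syslog.conf selector such as local1.info would forward a message with a given PRI (the same selector semantics apply to the syslog.conf steps in the Mac OS X and Check Point sections of this guide), and parses the qradar-format fields out of sample lines. The sample lines are constructed for the example, not captured from a real server; the host names and addresses in them are placeholders.

```python
"""Decode syslog-wrapped Apache access records produced by the qradar LogFormat."""
import re

# RFC 3164 facility and severity codes; the PRI in angle brackets is facility * 8 + severity.
FACILITY_CODES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
                  "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11}
FACILITY_CODES.update({f"local{i}": 16 + i for i in range(8)})
SEVERITY_CODES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
                  "warning": 4, "notice": 5, "info": 6, "debug": 7}
FACILITY_NAMES = {v: k for k, v in FACILITY_CODES.items()}
SEVERITY_NAMES = {v: k for k, v in SEVERITY_CODES.items()}

# "<PRI>Mmm dd hh:mm:ss host tag: message" as logger(1) emits it and syslogd forwards it.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$")

# Field layout of: LogFormat "%h %A %l %u %t \"%r\" %>s %p %b" qradar
APACHE_RE = re.compile(
    r'^(?P<client>\S+) (?P<server_ip>\S+) (?P<logname>\S+) (?P<user>\S+) '
    r'\[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
    r'(?P<port>\d+) (?P<bytes>\d+|-)$')


def pri_for(facility, severity):
    """PRI value syslog encodes for a facility.severity pair, e.g. local1.info -> 142."""
    return FACILITY_CODES[facility] * 8 + SEVERITY_CODES[severity]


def selector_matches(pri, selector):
    """True if a syslog.conf selector such as 'local1.info' forwards a message with this PRI.

    A selector names a facility and a minimum severity: 'local1.info' forwards info and
    everything more urgent (numerically lower), but not debug.
    """
    fac_name, sev_name = selector.split(".")
    facility, severity = divmod(pri, 8)
    return facility == FACILITY_CODES[fac_name] and severity <= SEVERITY_CODES[sev_name]


def parse_line(line):
    """Split one forwarded line into its syslog envelope and Apache fields; None if not qradar format."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    a = APACHE_RE.match(m.group("msg"))
    if not a:
        return None
    facility, severity = divmod(int(m.group("pri")), 8)
    method, _, rest = a.group("request").partition(" ")
    path, _, protocol = rest.rpartition(" ")
    return {
        "facility": FACILITY_NAMES[facility],
        "severity": SEVERITY_NAMES[severity],
        "host": m.group("host"),
        "tag": m.group("tag"),
        "client": a.group("client"),
        "server_ip": a.group("server_ip"),
        "user": None if a.group("user") == "-" else a.group("user"),
        "method": method,
        "path": path,
        "protocol": protocol,
        "status": int(a.group("status")),
        "port": int(a.group("port")),
        # %b writes "-" for a zero-length response body
        "bytes": 0 if a.group("bytes") == "-" else int(a.group("bytes")),
    }


def parse_lines(lines):
    """Parse every line that is in the qradar format and silently drop the rest."""
    return [rec for rec in (parse_line(l) for l in lines) if rec is not None]


# Constructed sample input (not captured from a real server): two requests forwarded by
# "logger -t httpd -p local1.info" and one unrelated httpd message that must be skipped.
SAMPLE_LINES = [
    '<142>Jun 10 14:03:21 web01 httpd: 203.0.113.7 192.0.2.10 - - [10/Jun/2008:14:03:21 -0400] "GET /index.html HTTP/1.1" 200 80 5120',
    '<142>Jun 10 14:03:22 web01 httpd: 203.0.113.7 192.0.2.10 - admin [10/Jun/2008:14:03:22 -0400] "GET /admin/ HTTP/1.1" 403 80 -',
    "<142>Jun 10 14:03:23 web01 httpd: server restarted",
]

if __name__ == "__main__":
    for rec in parse_lines(SAMPLE_LINES):
        print(rec)
```

Point this at lines captured with tcpdump on the STRM side (UDP 514) to confirm that the facility and priority arriving match what you put in syslog.conf; a PRI of 143 (local1.debug) arriving when the selector says local1.info means the sending host's syslog.conf is not the one you edited.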
You are now ready to configure the sensor device within the STRM interface. To configure STRM to receive events from an Apache device, you must select the Open Source Apache Webserver option from the Sensor Device Type drop-down list box. For more information on configuring sensor devices, see the Managing Sensor Devices Guide.
For more information on Apache, see http://www.apache.org/.
5
APPLE MAC OS X
A STRM Apple Mac OS X DSM accepts events using syslog. STRM records all relevant firewall, web server access, web server error, privilege escalation, and informational events.
Before you configure STRM to integrate with Mac OS X, you must:
Step 1 Log in as a root user.
Step 2 Open the /etc/syslog.conf file.
Step 3 Add the following line to the top of the file, separating the selector from the destination with a TAB. Make sure all other lines remain intact:
*.*<TAB>@<IP address>
Where <IP address> is the IP address of the STRM system.
Step 4 Save and exit the file.
Step 5 Send a hang-up signal to the syslog daemon to make sure all changes are enforced:
sudo killall -HUP syslogd
You are now ready to configure the sensor device within the STRM interface. To configure STRM to receive events from a Mac OS X server, you must select the Mac OS X option from the Sensor Device Type drop-down list box. For more information on configuring sensor devices, see the Managing Sensor Devices Guide.
See your Mac OS X documentation for more information.
6
ARRAY NETWORK SSL VPN
The STRM Array Networks SSL VPN DSM collects events from an ArrayVPN appliance using syslog. For details of configuring ArrayVPN appliances for remote syslog, please consult Array Networks documentation.
Once you configure syslog to forward events to STRM, you are ready to configure the sensor device within the STRM interface. To configure STRM to receive events from an Array Networks SSL VPN device, choose one of the following options:
If you are using STRM 6.0, you must select ArrayNetworks SSL VPN from the Sensor Device Type drop-down list box.
If you are using STRM 6.0.1 and above, you must select Array Networks SSL VPN Access Gateway from the Sensor Device Type drop-down list box.
For more information on configuring sensor devices, see the Managing Sensor Devices Guide.
7
F5 NETWORKS BIGIP
The STRM F5 Networks BigIP DSM collects events from a BigIP load balancer using syslog. For details on configuring remote syslog on the BigIP switch, please consult the vendor documentation.
Once you configure syslog to forward events to STRM, you are ready to configure the sensor device within the STRM interface. To configure STRM to receive events from an F5 Networks BigIP device, you must select the F5 Networks BigIP option from the Sensor Device Type drop-down list box. For more information on configuring sensor devices, see the Managing Sensor Devices Guide.
8
BLUE COAT SG
A STRM Blue Coat SG DSM accepts syslog events from a Blue Coat SG Appliance. STRM records all relevant and available information from the event. Before configuring a Blue Coat SG device in STRM, you must configure your device to send syslog to STRM.
For more information regarding your Blue Coat SG Appliance, see your vendor documentation.
To configure your Blue Coat SG device to send syslog to STRM:
Step 1 Using a web browser, log in to the Blue Coat Management Console.
Step 2 From the menu, select Access Logging > General > Default > Default Logging.
Step 3 Make sure the Enable Access Logging check box is selected.
Step 4 Select the Protocol you wish to use for logging to STRM. Click Edit.
Step 5 From the Default Logging Policy option, select Streaming, which is used for streaming protocols.
Step 6 Click Apply.
Step 7 From the menu, select Access Logging > Formats > Streaming.
Step 8 Click Edit.
Step 9 Make sure that the W3C Extended File Format (ELFF) string is enabled with the default:
c-ip date time c-dns cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query c-starttime x-duration c-rate c-status c-playerid c-playerversion c-playerlanguage cs(User-Agent) cs(Referer) c-hostexe c-hostexever c-os c-osversion c-cpu filelength filesize avgbandwidth protocol transport audiocodec videocodec channelURL sc-bytes c-bytes s-pkts-sent c-pkts-received c-pkts-lost-client c-pkts-lost-net c-pkts-lost-cont-net c-resendreqs c-pkts-recovered-ECC c-pkts-recovered-resent c-buffercount c-totalbuffertime c-quality s-ip s-dns s-totalclients s-cpu-util x-cache-user x-cache-info x-client-address
Note: The Format tab allows you to create a format to use for your log facilities. Although several log formats ship with the SGOS software, STRM requires that the streaming log format use the default ELFF log format.
Step 10 Make sure the Multiple-valued header policy option is set to Log last header. Click OK.
Step 11 Click Apply.
Step 12 Configure the log format:
a From the menu, select Access Logging > Logs.
b Click the General Settings tab.
c Using the Log: drop-down list box, select streaming.
d Verify the Log Format is set to squid.
Note: STRM requires that the Squid log format be selected to ensure that the ELFF formatted logs are properly transferred to STRM in the expected Squid format.
Step 13 Configure the host to which you want to send logs:
a From the menu, select Access Logging > Logs.
b Click the Upload Client tab.
c Using the Log: drop-down list box, select streaming.
d From the Client type drop-down list box, select Custom Client.
e Click Settings.
f Configure the host and port of the STRM system to which logs are sent. The STRM default for syslog is 514.
g Click OK.
h In the Save the log file parameter, make sure the text file option is selected.
Step 14 Configure the upload schedule:
a From the menu, select Access Logging > Logs.
b Click the Upload Schedule tab.
c Using the Log: drop-down list box, select streaming.
d In the Upload the access log parameter, make sure the continuously option is selected.
e Click Apply.
You are now ready to configure the sensor device within the STRM Console. To configure STRM to receive events from a Blue Coat SG device, you must select the Blue Coat SG Appliance option from the Sensor Device Type drop-down list box. For more information on configuring sensor devices, see the Managing Sensor Devices Guide.
9
CHECK POINT FIREWALL-1
You can configure STRM to integrate with a Check Point FireWall-1 device using one of the following methods:
Integrating Check Point FireWall-1 Using Syslog
Integrating CheckPoint FireWall-1 Using OPSEC
Note: Depending on your Operating System, the procedures for the Check Point FireWall-1 device may vary. The following procedures are based on the Check Point SecurePlatform Operating system.
Integrating Check Point FireWall-1 Using Syslog
This section describes how to ensure that the STRM Check Point FireWall-1 DSM accepts FireWall-1 events using syslog.
Note: If Check Point SmartCenter is installed on Microsoft Windows, you must use the Integrating CheckPoint FireWall-1 Using OPSEC method.
Before you configure STRM to integrate with a Check Point FireWall-1 device:
Step 1 Enter the following command to access the Check Point console as an expert user:
expert
A password prompt appears.
Step 2 Enter your expert console password. Press Enter.
Step 3 Open the following file:
/etc/rc.d/rc3.d/S99local
Step 4 Add the following line, so that the log export pipeline is started at every boot:
$FWDIR/bin/fw log -ftn | /usr/bin/logger -p <facility>.<priority> > /dev/null 2>&1 &
Where:
<facility> is a syslog facility, for example, local3.
<priority> is a syslog priority, for example, info.
For example:
$FWDIR/bin/fw log -ftn | /usr/bin/logger -p local3.info > /dev/null 2>&1 &
Step 5 Save and close the file.
Step 6 Open the syslog.conf file.
Step 7 Add the following line:
<facility>.<priority> <TAB><TAB>@<host>
Where:
<facility> is the syslog facility, for example, local3. This value must match the value entered in Step 4.
<priority> is the syslog priority, for example, info or notice. This value must match the value entered in Step 4.
<TAB> indicates you must press the TAB key.
<host> indicates the STRM managed host.
Step 8 Save and close the file.
Step 9 Depending on your operating system, enter the following command to restart syslog:
In Linux:
service syslog restart
In Solaris:
/etc/init.d/syslog stop
/etc/init.d/syslog start
Step 10 Start the log export pipeline now (the line added in Step 4 only runs at the next boot) by entering the following command:
nohup $FWDIR/bin/fw log -ftn | /usr/bin/logger -p <facility>.<priority> > /dev/null 2>&1 &
Where:
<facility> is a syslog facility, for example, local3. This value must match the value entered in Step 4.
<priority> is a syslog priority, for example, info. This value must match the value entered in Step 4.
You are now ready to configure the sensor device within the STRM interface. To configure STRM to receive events from a Check Point FireWall-1 device using syslog, choose one of the following options:
If you are using STRM 6.0, select CheckPoint Firewall-1 Devices via Syslog from the Sensor Device Type drop-down list box.
If you are using STRM 6.0.1 and above, select CheckPoint Firewall-1 from the Sensor Device Type drop-down list box.
For more information on configuring sensor devices, see the Managing Sensor Devices Guide.
For more information regarding Check Point FireWall-1, see the Check Point FireWall-1 documentation.
Integrating CheckPoint FireWall-1 Using OPSEC
This section describes how to ensure that the STRM Check Point FireWall-1 DSM accepts FireWall-1 events using Open Platform for Security (OPSEC).
Note: The method used for integrating Check Point FireWall-1 into STRM using OPSEC is dependent on the version of STRM you are running.
This section includes the following information:
Enabling CheckPoint Firewall-1 and STRM
Reconfiguring CheckPoint FireWall-1 SmartCenter
Verifying or Changing the OPSEC Communications Configuration
Enabling CheckPoint Firewall-1 and STRM
This section describes how to enable Check Point FireWall-1 to integrate with STRM. To enable Check Point FireWall-1 and STRM integration:
Step 1 Reconfigure Check Point FireWall-1 SmartCenter. See Reconfiguring CheckPoint FireWall-1 SmartCenter.
Step 2 Verify and change, if necessary, the OPSEC communication configuration. See Verifying or Changing the OPSEC Communications Configuration.
Step 3 In the STRM interface, configure the OPSEC LEA protocol. To configure STRM to receive events from a Check Point device using OPSEC LEA, you must select the LEA option from the Protocol drop-down list box when configuring your protocol configuration. For more information, see Configuring Protocols in the Managing Sensor Devices Guide.
Step 4 Configure the sensor device within the STRM interface. To configure STRM to receive events from a Check Point FireWall-1 device using OPSEC, you must select CheckPoint Firewall-1 from the Sensor Device Type drop-down list box and LEA::<protocol_name> from the Protocol Configuration drop-down list box. For more information on configuring sensor devices, see the Managing Sensor Devices Guide.
Reconfiguring CheckPoint FireWall-1 SmartCenter
This section describes how to reconfigure the Check Point FireWall-1 SmartCenter. In the Check Point FireWall-1 SmartCenter, create a host object representing the STRM system. The leapipe is the connection between the Check Point FireWall-1 and STRM.
To reconfigure the Check Point FireWall-1 SmartCenter:
Step 1 Create a host object:
a Open the Check Point SmartDashboard GUI.
b Select Manage > Network Objects > New > Node > Host.
c Enter the appropriate information in the Name, IP Address, and Comment (optional) text fields for your host.
d Click OK.
e Select Close.
Step 2 Create the OPSEC connection:
a Select Manage > Servers and OPSEC applications > New > OPSEC Application Properties.
b Enter the appropriate information in the Name and Comment (optional) text fields.
Note: The name you enter must be different than the name entered in Step 1 c.
c From the Host drop-down list box, select the host object you created in Step 1.
d From the Application Properties drop-down list box, select User Defined as the vendor.
e From the Client Entries drop-down list box, select LEA.
f Click Communication to generate a Secure Internal Communication (SIC) certificate.
g Enter an activation key.
h Click OK.
i Click Close.
Step 3 Select Policy > Install > OK to install the Security Policy on your firewall.
Verifying or Changing the OPSEC Communications Configuration
This section describes how to modify your Check Point FireWall-1 configuration to allow OPSEC communications on non-standard ports, and in a clear text, un-authenticated stream.
This section includes the following information:
Changing the Default Port on which OPSEC LEA Communicates
Configuring OPSEC LEA for Un-Encrypted Communications
Changing the Default Port on which OPSEC LEA Communicates
To change the default port on which OPSEC LEA communicates (that is, port 18184):
Step 1 At the command-line prompt of your Check Point SmartCenter Server, enter the following command to stop the firewall services:
cpstop
Step 2 Depending on your Check Point SmartCenter Server's operating system, open the following file:
In Linux:
$FWDIR/conf/fwopsec.conf
In Windows:
%FWDIR%\conf\fwopsec.conf
The default contents of this file are as follows (every line is commented out; a commented line documents the built-in default, which stays in force until you uncomment and change it):
# The VPN-1/FireWall-1 default settings are:
#
# sam_server auth_port 0
# sam_server port 18183
#
# lea_server auth_port 18184
# lea_server port 0
#
# ela_server auth_port 18187
# ela_server port 0
#
# cpmi_server auth_port 18190
#
# uaa_server auth_port 19191
# uaa_server port 0
#
Step 3 Change the default lea_server auth_port from 18184 to another port number.
Step 4 Remove the hash (#) mark from that line.
For example:
lea_server auth_port 18888
# lea_server port 0
Step 5 Save and close the file.
Step 6 Start the firewall services by entering the following command:
cpstart
Configuring OPSEC LEA for Un-Encrypted Communications
Caution: With lea_server auth_port set to 0 and lea_server port set to 18184, the LEA server no longer requires a SIC certificate from the client, and log records cross the network unencrypted. Any host that can reach the SmartCenter Server on that port can read the firewall logs. Use this configuration only where the network path between the SmartCenter Server and STRM is trusted, and restrict access to the port to the STRM address in your Security Policy.
To configure the OPSEC LEA protocol for un-encrypted communications:
Step 1 At the command-line prompt of your Check Point SmartCenter Server, stop the firewall services by entering the following command:
cpstop
Step 2 Depending on your Check Point SmartCenter Server's operating system, open the following file:
In Linux:
$FWDIR/conf/fwopsec.conf
In Windows:
%FWDIR%\conf\fwopsec.conf
Step 3 Change the default lea_server auth_port from 18184 to 0.
Step 4 Change the default lea_server port from 0 to 18184.
Step 5 Remove the hash (#) marks from both lines.
For example:
lea_server auth_port 0
lea_server port 18184
Step 6 Save and close the file.
Step 7 Start the firewall services by entering the following command:
cpstart
You are now ready to configure the sensor device within the STRM interface. To configure STRM to receive events from a Check Point FireWall-1 device using OPSEC, select CheckPoint Firewall-1 from the Sensor Device Type drop-down list box.
For more information on configuring sensor devices, see the Managing Sensor Devices Guide.
For more information on configuring your Check Point FireWall-1, see your vendor documentation.
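The following Python script is an added example; it is not part of the original guide and is not Check Point tooling. It reads an fwopsec.conf in the format shown above, works out which lea_server entries are actually in force (a line that still carries its hash mark only documents the built-in default), reports whether the LEA server listens with SIC authentication, in clear text, both ways, or not at all, and rewrites the lea_server lines for either of the two changes described in this section, leaving every other line untouched. DEFAULT_FWOPSEC reproduces the default file contents from the procedure above and is the only input the script needs, so it runs offline.

```python
"""Audit and rewrite the lea_server entries of a Check Point fwopsec.conf."""
import re

# Default file contents as listed in the procedure above. Lines that start with '#' document
# the built-in defaults; they are in force until an uncommented line overrides them.
DEFAULT_FWOPSEC = """\
# The VPN-1/FireWall-1 default settings are:
#
# sam_server auth_port 0
# sam_server port 18183
#
# lea_server auth_port 18184
# lea_server port 0
#
# ela_server auth_port 18187
# ela_server port 0
#
# cpmi_server auth_port 18190
#
# uaa_server auth_port 19191
# uaa_server port 0
#
"""

# One "<server> <auth_port|port> <number>" entry, optionally commented out.
ENTRY_RE = re.compile(
    r"^\s*(?P<commented>#\s*)?(?P<server>\w+_server)\s+(?P<key>auth_port|port)\s+(?P<value>\d+)\s*$")


def effective_settings(conf_text):
    """Return {server: {key: port}} for the settings that are in force.

    Commented entries supply the defaults; an uncommented entry for the same server
    and key overrides them.
    """
    defaults, overrides = {}, {}
    for line in conf_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        target = defaults if m.group("commented") else overrides
        target.setdefault(m.group("server"), {})[m.group("key")] = int(m.group("value"))
    merged = {server: dict(kv) for server, kv in defaults.items()}
    for server, kv in overrides.items():
        merged.setdefault(server, {}).update(kv)
    return merged


def lea_mode(conf_text):
    """Classify how LEA listens: 'sic' (auth_port only, SIC-authenticated and encrypted),
    'clear' (port only, no SIC), 'both' (listening on both) or 'disabled' (neither)."""
    lea = effective_settings(conf_text).get("lea_server", {})
    auth_port, port = lea.get("auth_port", 0), lea.get("port", 0)
    if auth_port and port:
        return "both"
    if auth_port:
        return "sic"
    if port:
        return "clear"
    return "disabled"


def set_lea(conf_text, auth_port, port):
    """Rewrite the lea_server lines to the given values.

    A line whose value actually changes is uncommented (as the procedure instructs);
    a commented line that already documents the wanted value is left alone, so the
    output matches the examples in this section exactly.
    """
    out = []
    for line in conf_text.splitlines():
        m = ENTRY_RE.match(line)
        if m and m.group("server") == "lea_server":
            key = m.group("key")
            value = auth_port if key == "auth_port" else port
            if value != int(m.group("value")) or not m.group("commented"):
                line = f"lea_server {key} {value}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("default:", lea_mode(DEFAULT_FWOPSEC))
    print("clear text:", lea_mode(set_lea(DEFAULT_FWOPSEC, 0, 18184)))
```

Run lea_mode() against the live file after an edit: a result of 'clear' or 'both' means the LEA server will hand logs to any host that can reach the port without presenting a SIC certificate, which is the trade-off the un-encrypted procedure makes.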
10
CHECK POINT PROVIDER-1
You can configure STRM to integrate with a Check Point Provider-1 device using one of the following methods:
Integrating Check Point Provider-1 Using Syslog
Integrating Check Point Provider-1 Using OPSEC
Note: Depending on your Operating System, the procedures for the Check Point Provider-1 device may vary. The following procedures are based on the Check Point SecurePlatform Operating system.
Integrating Check Point Provider-1 Using Syslog
This method ensures the STRM Check Point Provider-1 DSM accepts Check Point Provider-1 events using syslog. STRM records all relevant Check Point Provider-1 events.
Before you configure STRM to integrate with a Check Point Provider-1 device, you must:
Step 1 Enter the following command to access the console as an expert user:
expert
A password prompt appears.
Step 2 Enter your expert console password. Press Enter.
Step 3 Enter the following command to start a C shell:
csh
Step 4 Select the customer whose logs you want to export:
mdsenv <customer name>
Step 5 Enter the following command:
nohup $FWDIR/bin/fw log -ftn | /usr/bin/logger -p <facility>.<priority> 2>&1 &
Where:
<facility> is a syslog facility, for example, local3.
<priority> is a syslog priority, for example, info.
You are now ready to configure the sensor device within the STRM interface. To configure STRM to receive events from a Check Point Provider-1 device using syslog, choose one of the following options:
If you are using STRM 6.0, select CheckPoint Firewall-1 Devices via Syslog from the Sensor Device Type drop-down list box.
If you are using STRM 6.0.1 and above, select CheckPoint Firewall-1 from the Sensor Device Type drop-down list box.
For more information on configuring sensor devices, see the Managing Sensor Devices Guide. For more information regarding Check Point Provider-1, see the Check Point Provider-1 documentation.
Integrating Check Point Provider-1 Using OPSEC
This method ensures the STRM Check Point Provider-1 DSM accepts Check Point Provider-1 events using OPSEC.
To enable Check Point Provider-1 and STRM 6.0 integration, you must:
Step 1 Reconfigure Check Point Provider-1 SmartCenter. See Reconfiguring Check Point Provider-1 SmartCenter.
Step 2 Configure the OPSEC LEA protocol in the STRM interface. To configure STRM to receive events from a Check Point device using OPSEC LEA, you must select the LEA option from the Protocol drop-down list box when configuring your protocol configuration. For more information, see Configuring Protocols in the Managing Sensor Devices Guide.
Step 3 Configure the sensor device within the STRM interface. To configure STRM to receive events from a Check Point Provider-1 device using OPSEC, you must select the CheckPoint Firewall-1 Devices via Syslog option from the Sensor Device Type drop-down list box. For more information on configuring sensor devices, see the Managing Sensor Devices Guide.
For more information, see your vendor documentation.
Reconfiguring Check Point Provider-1 SmartCenter
This section describes how to reconfigure the Check Point Provider-1 SmartCenter. In the Check Point Provider-1 Management Domain GUI (MDG), create a host object representing the STRM system. The leapipe is the connection between the Check Point Provider-1 and STRM.
To reconfigure the Check Point Provider-1 SmartCenter (MDG):
Step 1 To create a host object, open the Check Point SmartDashboard GUI and select Manage > Network Objects > New > Node > Host.
Step 2 Enter the Name, IP Address, and optional Comment for your host.
Step 3 Click OK.
Step 4 Select Close.
Step 5 To create the OPSEC connection, select Manage > Servers and OPSEC Applications > New > OPSEC Application Properties.
Step 6 Enter the Name and optional Comment.
Note: The name you enter must be different than the name entered in Step 2.
Step 7 From the Host drop-down menu, select the STRM host object that you just created.
Step 8 From Application Properties, select User Defined as the Vendor type.
Step 9 From Client Entries, select LEA.
Step 10 Configure the Secure Internal Communication (SIC) certificate: click Communication and enter an activation key.
Step 11 Select OK and then Close.
Step 12 To install the Policy on your firewall, select Policy > Install > OK.
11 CISCO ACS
A STRM Cisco Access Control Server (ACS) DSM accepts syslog ACS events using one of the following options:
A server using the STRM Adaptive Log Exporter (Cisco ACS software version 3.x or later). For more information on the Adaptive Log Exporter, see the STRM Adaptive Log Exporter Users Guide.
Syslog directly from the Cisco ACS device (Cisco ACS software version 4.1 and later).
STRM records all relevant and available information from the event. Before configuring an ACS device in STRM, you must:
Step 1 Configure your device to send syslog to STRM using one of the following options:
a Configure your Cisco ACS device to send syslog directly to STRM.
b Using the STRM Adaptive Log Exporter, configure the Cisco ACS device and associated destination. When configuring your Cisco ACS device, you must also configure the Root Log Directory parameter, which is the location where Cisco ACS stores the log files. For more information regarding configuring your Cisco ACS device, see the STRM Adaptive Log Exporter Users Guide.
Step 2 Configure the sensor device within the STRM interface.
To configure STRM to receive events from a Cisco ACS device, you must select the Cisco ACS option from the Sensor Device Type drop-down list box. For more information on configuring sensor devices, see the Managing Sensor Devices Guide.
For more information regarding Cisco ACS, see your vendor documentation.
12 CISCO ASA
You can integrate a Cisco Adaptive Security Appliance (ASA) with STRM. A Cisco ASA DSM accepts events using syslog. STRM records all relevant events.
Before you configure STRM to integrate with a CSA server, you must forward all device logs to your STRM system. For more information on forwarding logs to STRM, see your vendor documentation.
To configure STRM to receive events from a Cisco ASA device, choose one of the following options:
If you are using STRM 6.0, select Cisco ASA from the Select sensor device type drop-down list box.
If you are using STRM 6.0.1 and above, select Cisco Adaptive Security Appliance (ASA) from the Select sensor device type drop-down list box.
For more information on configuring sensor devices, see the Managing Sensor Devices Guide.
13 CISCO CATOS FOR CATALYST SWITCHES
A STRM Cisco CatOS for Catalyst Switches DSM accepts events using syslog. STRM records all relevant device events. Before configuring a Cisco CatOS device in STRM, you must configure your device to send syslog events to STRM.
To configure the device to send syslog events to STRM:
Step 1 Log in to the Cisco CatOS interface and enter privileged EXEC mode.
Step 2 Configure the system to timestamp messages:
set logging timestamp enable
Step 3 Specify the IP address of the STRM server:
set logging server <IP address>
Step 4 Limit messages that are logged by selecting a severity level:
set logging server severity <server severity level>
Step 5 Specify the facility level that should be used in the message. The default is local7.
set logging server facility <server facility parameter>
Step 6 Enable the switch to send syslog messages to the STRM server.
set logging server enable
You are now ready to configure the sensor device within the STRM interface. To configure STRM to receive events from a Cisco CatOS device, you must select the Cisco CatOS for Catalyst Switches option from the Sensor Device Type drop-down list box. For more information on configuring sensor devices, see the Managing Sensor Devices Guide.
14 CISCO CSA
You can integrate a Cisco Security Agent (CSA) server with STRM. A CSA DSM accepts events using syslog, and SNMPv2. You can integrate CSA versions 4.x and 5.x with STRM. STRM records all relevant events.
Before you configure STRM to integrate with a CSA server, you must:
Step 1 Open the CSA interface and select Security Agents.
Step 2 Click the Monitor tab.
Step 3 Click Alerts.
Step 4 From the bottom of the window, select New.
Step 5 Enter a name in the Name field and an optional description in the Description field.
Step 6 Select the SNMP check box.
Step 7 Enter a Community name (configured on STRM).
Step 8 Enter the Manager IP address (STRM deployment).
Step 9 From the drop-down list box, select the events on which you wish to alert.
Step 10 Click Save.
You are now ready to configure the sensor device and SNMP within the STRM interface. For information on configuring SNMP in the STRM interface, see the Managing Sensor Devices Guide. To configure STRM to receive events from a Cisco CSA device, choose one of the following options:
If you are using STRM 6.0, select Cisco CSA from the Sensor Device Type drop-down list box.
If you are using STRM 6.0.1 and above, select Cisco Security Agent (CSA) from the Sensor Device Type drop-down list box.
For more information on configuring sensor devices, see the Managing Sensor Devices Guide.
15 CISCO FWSM
You can integrate Cisco Firewall Service Module (FWSM) version 2.2 with STRM. A STRM FWSM DSM accepts FWSM events using syslog. STRM records all relevant Cisco FWSM events.
Before you configure STRM to integrate with Cisco FWSM, you must configure Cisco FWSM to forward logs to STRM:
Step 1 Using a console connection, telnet, or SSH, log in to the Cisco FWSM.
Step 2 Enable logging:
logging on
Step 3 Change the logging level:
logging trap level (1-7)
By default, the logging level is set to 3 (error).
Step 4 Designate STRM as a host to receive the messages:
logging host [interface] ip_address [tcp[/port] | udp[/port]] [format emblem]
For example:
logging host dmz1 192.168.1.5
Where 192.168.1.5 is the IP address of your STRM system.
You are now ready to configure the sensor device within the STRM interface. To configure STRM to receive events from a Cisco IDS device, choose one of the following options:
If you are using STRM 6.0, select Cisco FWSM from the Sensor Device Type drop-down list box.
If you are using STRM 6.0.1 and above, select Cisco Firewall Services Module (FWSM) from the Sensor Device drop-down list box.
For more information on configuring sensor devices, see the Managing Sensor Devices Guide. For more information regarding Cisco FWSM devices, see your Cisco documentation.
16 CISCO IDS/IPS
You can integrate a Cisco IDS/IPS server version 5.x and 6.x with STRM. A Cisco IDS/IPS DSM polls the Cisco IDS/IPS events using the Security Device Event Exchange (SDEE) protocol. SDEE specifies the message format and the protocol used to communicate the events generated by security devices. STRM only supports direct SDEE connections to the device and not the management software, which controls the device.
Note: You must have security access or web authentication on the device before connecting to STRM.
You are now ready to configure the SDEE protocol within the STRM interface. For more information, see the Managing Sensor Devices Guide. To configure STRM to receive events from a Cisco IDS/IPS device, choose one of the following options:
If you are using STRM 6.0, select Cisco IDS from the Sensor Device Type drop-down list box.
If you are using STRM 6.0.1 and above, select Cisco Intrusion Prevention System (IPS) from the Sensor Device Type drop-down list box.
For more information on configuring devices, see the Managing Sensor Devices Guide.
For more information regarding your Cisco IDS/IPS, see your vendor documentation.
17 CISCO NAC DEVICE
A STRM Cisco NAC DSM accepts events using syslog. STRM records all relevant audit, error, and failure events as well as quarantine and infected system events. Before configuring a Cisco NAC device in STRM, you must configure your device to send syslog events to STRM.
To configure the device to send syslog events to STRM:
Step 5 Log in to the Cisco NAC interface.
Step 6 In the Monitoring section, select Event Logs.
Step 7 Click the Syslog Settings tab.
Step 8 In the Syslog Server Address field, enter the IP address of your STRM system.
Step 9 In the Syslog Server Port field, enter the syslog port. The default is 512.
Step 10 In the System Health Log Interval field, enter the frequency, in minutes, for system statistic log events.
Step 11 Click Update.
You are now ready to configure the sensor device within the STRM interface. To configure STRM to receive events from a Cisco NAC device, you must select the Cisco NAC option from the Sensor Device Type drop-down list box. For more information on configuring sensor devices, see the Managing Sensor Devices Guide.
18 CISCO IOS
You can integrate a Cisco IOS 12.2, 12.5 and above with STRM. A Cisco IOS DSM accepts Cisco IOS events using syslog. STRM records all relevant events.
Note: Make sure all Access Control Lists (ACLs) are set to LOG.
Before you configure STRM to integrate with a Cisco IOS server, you must:
Step 1 Log in to the router in privileged-exec mode and switch to configuration mode.
conf t
Step 2 Enter the following series of commands:
logging <ip address>
logging source-interface <interface>
Where:
<ip address> is the IP address hosting STRM and the SIM components.
<interface> is the name of the interface, for example, dmz, lan, ethernet0, or ethernet1.
Step 3 Enter the following commands to configure the priority level:
logging trap warning
logging console warning
Where warning is the priority setting for the logs.
Step 4 Configure the syslog facility:
logging facility syslog
Step 5 Save and exit the file.
Step 6 Copy running-config to startup-config:
copy running-config startup-config
You are now ready to configure the sensor device within the STRM interface. To configure STRM to receive events from a Cisco IOS device, you must select one of the following options from the Sensor Device Type drop-down list box (depending on your system): Cisco IOS, Cisco 12000 Series, Cisco 6500 Series Router, Cisco 7600 Series Router, Cisco Carrier Routing Router, or Cisco Integrated Services Router. For more information on configuring sensor devices, see the Managing Sensor Devices Guide. For more information regarding your Cisco IOS, see your Cisco IOS documentation.
19 CISCO PIX
You can integrate Cisco Pix versions 5.x and 6.3 with STRM. A Cisco Pix DSM accepts Cisco Pix events using syslog. STRM records all relevant Cisco Pix events.
Before you configure STRM to integrate with Cisco Pix, you must configure Cisco Pix to forward logs to STRM using the following command:
logging host <interface> <ip address>
Where:
<interface> is the name of the interface, for example, dmz, lan, ethernet0, or ethernet1.
<ip address> is the IP address hosting STRM and the SIM components.
To integrate Cisco Pix:
Step 1 Log in to the Cisco PIX using a console connection, telnet, or SSH.
Step 2 Enter Privileged mode:
enable
Step 3 Enter Configuration mode:
conf t
Step 4 Enable logging and timestamp the logs:
logging on
logging timestamp
Step 5 Set the log level:
logging trap warning
Step 6 Configure logging to STRM:
logging host <interface> <ip address>
Where:
<interface> is the name of the interface, for example, dmz, lan, ethernet0, or ethernet1.
<ip address> is the IP address hosting STRM and the SIM components.
You are now ready to configure the sensor device within the STRM interface. To configure STRM to receive events from a Cisco PIX device, you must select the Cisco PIX Firewall option from the Sensor Device Type drop-down list box. For more information on configuring sensor devices, see the Managing Sensor Devices Guide.
For more information regarding Cisco Pix devices, see your Cisco documentation.
20 CISCO VPN 3000 CONCENTRATOR
A STRM Cisco VPN 3000 Concentrator DSM accepts Cisco VPN Concentrator events using syslog. You can integrate Original VPN 3000 Concentrator versions VPN 3005 and L.1.7.H with STRM. STRM records all relevant events. Before you configure STRM to integrate with a Cisco VPN concentrator, you must:
Step 1 Log in to the Cisco VPN 3000 Concentrator interface.
Step 2 Enter the following command to add a syslog server to your configuration:
set logging server <IP address>
Where <IP address> is the IP address of the Event Collector.
Step 3 Enable system message logging to the configured syslog servers:
set logging server enable
Step 4 Set the facility and severity level for syslog server messages:
set logging server facility server_facility_parameter
set logging server severity server_severity_level
You are now ready to configure the sensor device within the STRM interface. To configure STRM to receive events from a Cisco VPN Concentrator device, choose one of the following options:
If you are using STRM 6.0, select VPN 3000 Concentrator from the Sensor Device Type drop-down list box.
If you are using STRM 6.0.1 and above, select Cisco VPN 3000 Series Concentrator from the Sensor Device Type drop-down list box.
For more information on configuring sensor devices, see the Managing Sensor Devices Guide. For more information regarding your Cisco VPN Concentrator, see your vendor documentation.
21 CYBERGUARD FIREWALL/VPN APPLIANCE
A STRM CyberGuard Firewall VPN Appliance DSM accepts CyberGuard events using syslog. STRM records all relevant CyberGuard events. STRM supports the CyberGuard KS series of appliances.
Before you configure STRM to integrate with a CyberGuard device, you must:
Step 1 Log in to the CyberGuard interface.
Step 2 Select the Advanced page.
Step 3 Under the System Log, select Enable Remote Logging.
Step 4 Enter the IP address of the STRM system.
Step 5 Click Apply.
You are now ready to configure the sensor device within the STRM interface. To configure STRM to receive events from a CyberGuard Firewall VPN device, choose one of the following options:
If you are using STRM 6.0, select the CyberGuard FW/VPN KS Family from the Sensor Device Type drop-down list box.
If you are using STRM 6.0.1 and above, select CyberGuard TSP Firewall/VPN from the Sensor Device Type drop-down list box.
For more information on configuring sensor devices, see the Managing Sensor Devices Guide. For more information on configuring your CyberGuard device, consult your CyberGuard documentation.
22 ENTERASYS DRAGON
You can integrate Enterasys Dragon versions 5.0, 6x, 7.1, and 7.2 with STRM. A STRM Enterasys Dragon DSM accepts Enterasys Dragon events using syslog, SNMPv1, and SNMPv3. STRM records all relevant Enterasys Dragon events.
Before you configure STRM to integrate with Enterasys Dragon, you must:
Step 1 Log in to the Enterasys Dragon console.
Step 2 Click the Alarm Tool icon.
Step 3 Configure the Alarm Tool Policy:
a In the Alarm Tool Policy View > Custom Policies menu tree, use the right mouse button (right-click) and select Add Alarm Tool Policy. The Add Alarm Tool Policy window appears.
b In the Add Alarm Tool Policy field, enter the policy name Juniper Networks. Click OK.
c In the menu tree, select the newly created Juniper Networks policy.
Step 4 To configure the Event Group:
a Click the Events Group tab. Click New.
b In the Event Group Editor, select the Event Group or individual events to be monitored and click Add. A prompt appears.
c Click Yes. The Event Group Editor window appears.
d In the right column of the Event Group Editor, change the name of the new Event Group to Dragon-Events.
e Click OK.
Step 5 Configure Notification Rules:
a Click the Notification Rules tab. Click New.
b In the name field, enter Juniper Networks-Rule. Click OK.
c In the Notification Rules panel, select the newly created Juniper Networks-Rule item.
d Click the SNMP V3 tab. Click New.
The SNMP V3 Editor field appears.
e Update values, as necessary:
- Change the server IP address to that of the STRM server.
- Do not change the OID.
- Inform — Select the check box.
- Security Name — Specify the SNMPv3 username.
- Auth Password — Specify the appropriate password.
- Priv Password — Specify the appropriate password.
- Message — Enter the following:
Dragon Event: %DATE%,,%TIME%,,%NAME%,,%SENSOR%,,%PROTO%,,%SIP%,,%DIP%,,%SPORT%,,%DPORT%,,%DIR%,,%DATA%,,<<<%PDATA%>>>
Note: Verify that the entered security passwords and protocols match data configured in the SNMP configuration.
f Click OK.
Step 6 Separate the Notification Events logged:
a Click the Global Options tab.
b Click the Main tab.
c Make sure that Concatenate Events is not selected.
Step 7 Configure the SNMP options:
a Click the Global Options tab.
b Click the SNMP tab.
c Specify the IP address of the EMS server that will send the traps.
Step 8 Configure the alarm information:
a Click the Alarms tab. Click New.
b Enter values for the parameters:
- Name — Enter a name of Juniper Networks-Alarm.
- Type — Select Real Time.
- Event Group — Select the newly created Event Group, Dragon-Events (see Step 4).
- Notification Rule — Select the check box for the Juniper Networks-Rule.
c Click OK.
d Click Commit.
Step 9 Navigate to the Enterprise View.
Step 10 Use the right mouse button (right-click) on Alarm Tool and select Associate Alarm Tool Policy.
Step 11 Select the newly created Juniper Networks policy. Click OK.
Step 12 In the Enterprise menu, use the right mouse button (right-click) and select Deploy.
You are now ready to configure the sensor device and SNMP within STRM. For information on configuring SNMP in STRM, see the Managing Sensor Devices Guide.
To configure STRM to receive events from an Enterasys Dragon device, choose one of the following options:
If you are using STRM 6.0, select Enterasys Dragon IDS from the Sensor Device Type drop-down list box.
If you are using STRM 6.0.1 and above, select Enterasys Dragon Network IPS from the Sensor Device Type drop-down list box.
For more information on configuring sensor devices, see the Managing Sensor Devices Guide. For more information regarding Enterasys Dragon, see your Enterasys Dragon documentation.
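As an added example (not Juniper's or Enterasys's code), the following Python parses the Message template entered in Step 5e by compiling its %FIELD% placeholders into a regex, and shows why the Concatenate Events option must stay cleared (Step 6): with several events in one trap, the last field swallows the rest. The trap text, the signature name EXAMPLE-SIGNATURE, the sensor name and the DIR value are constructed placeholders.

```python
import re

# Message template exactly as the guide has you enter it in the SNMP V3
# notification rule (Step 5e).
DRAGON_TEMPLATE = ("Dragon Event: %DATE%,,%TIME%,,%NAME%,,%SENSOR%,,%PROTO%,,"
                   "%SIP%,,%DIP%,,%SPORT%,,%DPORT%,,%DIR%,,%DATA%,,<<<%PDATA%>>>")

# Constructed trap text: signature name, sensor name and DIR value are
# placeholders, not real Dragon output.
SAMPLE_EVENT = ("Dragon Event: 2008-06-27,,12:11:21,,EXAMPLE-SIGNATURE,,sensor-dmz,,6,,"
                "10.100.100.109,,192.168.1.5,,1727,,22,,inbound,,example detail,,"
                "<<<payload,,with,,commas>>>")
SECOND_EVENT = ("Dragon Event: 2008-06-27,,12:11:25,,EXAMPLE-SIGNATURE,,sensor-dmz,,6,,"
                "10.100.100.109,,192.168.1.5,,1728,,22,,inbound,,second,,<<<x>>>")


def compile_template(template):
    """Turn a %FIELD% template into an anchored regex with one named group per
    placeholder. Literal text between placeholders is escaped, so the ',,'
    separators and the <<< >>> wrapper become exact delimiters."""
    placeholders = list(re.finditer(r'%([A-Z]+)%', template))
    parts, pos = ['^'], 0
    for i, m in enumerate(placeholders):
        parts.append(re.escape(template[pos:m.start()]))
        # Every field is non-greedy except the last one, so a ',,' inside the
        # packet payload (PDATA) is not mistaken for a field separator.
        quant = '.*' if i == len(placeholders) - 1 else '.*?'
        parts.append('(?P<%s>%s)' % (m.group(1), quant))
        pos = m.end()
    parts.append(re.escape(template[pos:]) + '$')
    return re.compile(''.join(parts), re.DOTALL)


DRAGON_RE = compile_template(DRAGON_TEMPLATE)


def parse_dragon_event(message):
    """Return the event as a dict keyed by template field name, or None when
    the text does not follow the template. Ports become ints."""
    m = DRAGON_RE.match(message)
    if m is None:
        return None
    event = m.groupdict()
    for key in ('SPORT', 'DPORT'):
        event[key] = int(event[key]) if event[key].isdigit() else None
    return event


def split_concatenated(text):
    """If Concatenate Events is left on (the guide says to clear it in Step 6),
    several events arrive in one trap and the greedy PDATA field swallows the
    rest of them. Split on the fixed template prefix so each event can be
    parsed on its own."""
    prefix = DRAGON_TEMPLATE.split('%', 1)[0]          # 'Dragon Event: '
    return [c for c in re.split('(?=' + re.escape(prefix) + ')', text) if c]


if __name__ == '__main__':
    print(parse_dragon_event(SAMPLE_EVENT))
    for chunk in split_concatenated(SAMPLE_EVENT + SECOND_EVENT):
        print(parse_dragon_event(chunk)['SPORT'])
```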
23 ENTERASYS MATRIX ROUTER
A STRM Enterasys Matrix Router DSM accepts Enterasys Matrix events using SNMPv1, SNMPv2, SNMPv3, and syslog. You can integrate Enterasys Matrix Router version 3.5 with STRM. STRM records all SNMP events and syslog login, logout, and login failed events. Before you configure STRM to integrate with Enterasys Matrix, you must:
Step 1 Log in to the switch/router as a privileged user.
Step 2 Enter the following command:
set logging server <server number> description <description> facility <facility> ip_addr <ip address> port <port> severity <severity>
Where:
<server number> is the server number 1 to 8.
<description> is a description of the server.
<facility> is a syslog facility, for example, local0.
<ip address> is the IP address of the server you wish to send syslog messages to.
<port> is the default UDP port that the client uses to send messages to the server. Use port 514 unless otherwise stated.
<severity> is the server severity level 1 to 9 where 1 indicates an emergency and 8 is debug level. For example:
set logging server 5 description ourlogserver facility local0 ip_addr 1.2.3.4 port 514 severity 8
You are now ready to configure the sensor device within the STRM interface. To configure STRM to receive events from an Enterasys Matrix device, you must select the Enterasys Matrix E1 Switch option from the Sensor Device Type drop-down list box. For more information on configuring sensor devices, see the Managing Sensor Devices Guide.
For more information, see your vendor documentation.
24 ENTERASYS MATRIX N-SERIES
A STRM Enterasys Matrix N-Series DSM accepts N-Series events using syslog. STRM records all relevant Matrix N3, N5, N7, and N Standalone device events. Before you configure STRM to integrate with a Matrix N-Series, you must:
Step 1 Log in to the switch/router.
Step 2 Enter the following command:
set logging server <index> ip-addr <IP address> facility <facility> severity <severity> descr <description> port <port> state <enable | disable>
Where:
<index> is the server table index number (1 to 8) for this server.
<ip address> is the IP address of the server you wish to send syslog messages to. This is an optional field.
<facility> is a syslog facility. Valid values are local0 to local7. This is an optional field.
<severity> is the server severity level 1 to 8. This is an optional field. Valid values include:
- 1: Emergencies (system is unusable)
- 2: Alerts (immediate action required)
- 3: Critical conditions
- 4: Error conditions
- 5: Warning conditions
- 6: Notifications (significant conditions)
- 7: Informational messages
- 8: Debugging messages
<description> is a description of the server. This is an optional field.
<port> is the default UDP port that the client uses to send messages to the server. Use port 514 unless otherwise stated. This is an optional field.
<enable | disable> enables or disables this facility/server configuration. This is an optional field.
For example, enter the command below if you wish to enable a syslog server configuration for the following:
Index: 1
IP address: 134.141.89.113
Facility: local4
Severity: Level 3 on port 514
set logging server 1 ip-addr 134.141.89.113 facility local4 severity 3 port 514 state enable
For more information on configuring the Matrix N-Series, consult your vendor documentation.
You are now ready to configure the sensor device within the STRM interface. To configure STRM to receive events from an Enterasys Matrix N-Series device, choose one of the following options:
If you are using STRM 6.0, select Enterasys N Series Switch/Router from the Sensor Device Type drop-down list box.
If you are using STRM 6.0.1 and above, select Enterasys N Series Switch from the Sensor Device Type drop-down list box.
For information on configuring sensor devices, see the Managing Sensor Devices Guide.
25 EXTREME NETWORKS EXTREMEWARE
A STRM ExtremeWare DSM accepts Extreme events using syslog. STRM records all relevant events. Before you configure STRM to integrate with an ExtremeWare device, you must configure syslog within your Extreme device.
You are now ready to configure the sensor device within the STRM interface. To configure STRM to receive events from your ExtremeWare device, choose one of the following options:
If you are using STRM 6.0, select ExtremeWare from the Sensor Device Type drop-down list box.
If you are using STRM 6.0.1 and above, select Extreme Networks ExtremeWare Operating System (OS) from the Sensor Device Type drop-down list box.
For more information on configuring devices, see the Managing Sensor Devices Guide. For more information on configuring Extreme, consult your vendor documentation.
26 FORESCOUT COUNTERACT
A STRM ForeScout CounterACT DSM accepts CounterACT events using syslog. STRM records all relevant and available information from the event. Before configuring a CounterACT device in STRM, you must configure your device to send syslog to your STRM installation. For more information on configuring your CounterACT device, consult your vendor documentation.
You are now ready to configure the sensor device within the STRM interface. To configure STRM to receive events from a CounterACT device, you must select the Forescout CounterACT option from the Sensor Device Type drop-down list box. For more information on configuring devices, see the Managing Sensor Devices Guide.
27 FORTINET FORTIGATE
A STRM Fortinet FortiGate DSM accepts FortiGate IPS/Firewall events using syslog. STRM records all relevant events. Before you configure STRM to integrate with the device, you must configure syslog within your FortiGate device. For more information on configuring a Fortinet FortiGate device, see your vendor documentation.
You are now ready to configure the sensor device within the STRM interface. To configure STRM to receive events from your FortiGate device, choose one of the following options, depending on which version of STRM you are using:
Select Fortinet FortiGate from the Sensor Device Type drop-down list box.
Select Fortinet FortiGate Security Gateway from the Sensor Device Type drop-down list box.
For more information on configuring sensor devices, see the Managing Sensor Devices Guide.
28 GENERIC AUTHORIZATION SERVER
A STRM generic authorization server DSM accepts events using syslog. STRM records all relevant events. Before you configure STRM to integrate with generic authorization server, you must:
Step 1 Forward all authentication server logs to your STRM system.
Note: For information on forwarding authentication server logs to STRM, see your generic authorization server vendor documentation.
Step 2 Open the following file:
/opt/qradar/conf/genericAuthServer.conf
Note: Make sure you copy this file to systems hosting the Event Collector and the Console.
Step 3 Restart the Tomcat server:
service tomcat restart
A message appears indicating that the Tomcat server has restarted.
Step 4 Enable or disable regular expressions in your patterns by setting the regex_enabled property accordingly. By default, regular expressions are disabled. For example:
regex_enabled=false
When you set the regex_enabled property to false, the system generates regular expressions (regex’s) based on the tags you entered while attempting to retrieve the corresponding data values from the logs.
When you set the regex_enabled property to true, you can define custom regex’s to control patterns. These regex are directly applied to the logs and the first captured group is returned. When defining custom regex patterns, you must adhere to regex rules, as defined by the Java programming language. For more information, see the following web site: http://java.sun.com/docs/books/tutorial/extra/regex/
To integrate the generic authorization server with STRM, make sure you specify the classes directly instead of using the predefined classes. For example, the digit class (/\d/) becomes /[0-9]/. Also, instead of using numeric qualifiers, re-write the expression to use the primitive qualifiers (/?/, /*/ and /+/).
Step 5 Review the file to determine a pattern for successful login:
For example, if your authentication server generates the following log message for accepted packets:
Jun 27 12:11:21 expo sshd[19926]: Accepted password for root from 10.100.100.109 port 1727 ssh2
The pattern for successful login is Accepted password.
Step 6 Add the following entry to the file:
login_success_pattern=<login success pattern>
Where <login success pattern> is the pattern determined in Step 5. For example:
login_success_pattern=Accepted password
Note: All entries are case insensitive.
Review the file to determine a pattern for login failures. For example, if your authentication server generates the following log message for login failures:
Jun 27 12:58:33 expo sshd[20627]: Failed password for root from 10.100.100.109 port 1849 ssh2
The pattern for login failures is Failed password.
Step 7 Add the following to the file:
login_failed_pattern=<login failure pattern>
Where <login failure pattern> is the pattern determined for login failure. For example:
login_failed_pattern=Failed password
Note: All entries are case insensitive.
Step 8 Review the file to determine a pattern for logout:
For example, if your authentication server generates the following log message for logout:
Jun 27 13:00:01 expo su(pam_unix)[22723]: session closed for user genuser
The pattern for logout is session closed.
Step 9 Add the following to the genericAuthServer.conf file:
logout_pattern=<logout pattern>
Where <logout pattern> is the pattern determined for logout in Step 8. For example:
logout_pattern=session closed
Note: All entries are case insensitive.
Step 10 Review the file to determine a pattern, if present, for source IP address and source port.
For example, if your authentication server generates the following log message:
Jun 27 12:11:21 expo sshd[19926]: Accepted password for root from 10.100.100.109 port 1727 ssh2
The pattern for source IP address is from and the pattern for source port is port.
Step 11 Add an entry to the file for source IP address and source port:
source_ip_pattern=<source IP pattern>
source_port_pattern=<source port pattern>
Where <source IP pattern> and <source port pattern> are the patterns identified in Step 10 for source IP address and source port.
For example:
source_ip_pattern=from
source_port_pattern=port
Step 12 Review the file to determine if a pattern exists for username.
For example:
Jun 27 12:11:21 expo sshd[19926]: Accepted password for root from 10.100.100.109 port 1727 ssh2
The pattern for username is for.
Step 13 Add an entry to the file for the username pattern:
For example:
user_name_pattern=for
You are now ready to configure the sensor device within the STRM interface. To configure STRM to receive events from a generic authorization server, you must select the Configurable Authentication message filter option from the Sensor Device Type drop-down list box. For more information on configuring sensor devices, see the Managing Sensor Devices Guide.
For more information regarding your firewall, see your vendor documentation.
29 GENERIC FIREWALL
A STRM generic firewall server DSM accepts events using syslog. STRM records all relevant events. Before you configure STRM to integrate with generic firewall, you must:
Step 1 Forward all firewall logs to your STRM system.
Note: For information on forwarding firewall logs from your generic firewall to STRM, see your firewall vendor documentation.
Step 2 Open the following file:
/opt/qradar/conf/genericFirewall.conf
Note: Make sure you copy this file to systems hosting the Event Collector and the Console.
Step 3 Restart the Tomcat server:
service tomcat restart
A message appears indicating that the Tomcat server has restarted.
Step 4 Enable or disable regular expressions in your patterns by setting the
regex_enabled property accordingly. By default, regular expressions are disabled. For example:
regex_enabled=false
When you set the regex_enabled property to false, the system generates regular expressions (regex’s) based on the tags you entered while attempting to retrieve the corresponding data values from the logs.
When you set the regex_enabled property to true, you can define custom regex’s to control patterns. These regex are directly applied to the logs and the first captured group is returned. When defining custom regex patterns, you must adhere to regex rules, as defined by the Java programming language. For more information, see the following web site: http://java.sun.com/docs/books/tutorial/extra/regex/
To integrate a generic firewall with STRM, make sure you specify the classes directly instead of using the predefined classes. For example, the digit class (/\d/) becomes /[0-9]/. Also, instead of using numeric qualifiers, re-write the expression to use the primitive qualifiers (/?/, /*/ and /+/).
Step 5 Review the file to determine a pattern for accepted packets.
Configuring DSMs Guide
Page 76
70 GENERIC FIREWALL
Step 6 Add the following to the file:
Step 7 Review the file to determine a pattern for denied packets.
For example, if your device generates the following log messages for accepted packets:
Aug. 5, 2005 08:30:00 Packet accepted. Source IP: 192.168.1.1 Source Port: 80 Destination IP: 192.168.1.2 Destination Port: 80 Protocol: tcp
The pattern for accepted packets is Packet accepted.
accept_pattern=<accept pattern>
Where <accept pattern> is the pattern determined in Step 5. For example:
accept pattern=Packet accepted
Note: Patterns are case insensitive.
For example, if your device generates the following log messages for denied packets:
Aug. 5, 2005 08:30:00 Packet denied. Source IP: 192.168.1.1 Source Port: 21 Destination IP: 192.168.1.2 Destination Port: 21 Protocol: tcp
The pattern for denied packets is Packet denied.
Step 8 Add the following to the file:
deny_pattern=<deny pattern>
Where <deny pattern> is the pattern determined in Step 7.
Note: Patterns are case insensitive.
Step 9 Review your firewall logs to determine a pattern, if present, for each of the following: source ip, source port, destination ip, destination port, and protocol. For example, if your device generates the following log message:
Aug. 5, 2005 08:30:00 Packet accepted. Source IP: 192.168.1.1 Source Port: 80 Destination IP: 192.168.1.2 Destination Port: 80 Protocol: tcp
The pattern for source IP is Source IP.
Step 10 Add the following to the file:
source_ip_pattern=<source ip pattern>
source_port_pattern=<source port pattern>
destination_ip_pattern=<destination ip pattern>
destination_port_pattern=<destination port pattern>
protocol_pattern=<protocol pattern>
Where <source ip pattern>, <source port pattern>, <destination ip pattern>, <destination port pattern>, and <protocol pattern> are the corresponding patterns identified in Step 9.
Note: Patterns are case insensitive and you can add multiple patterns. For multiple patterns, separate using a # symbol.
Step 11 Save and exit the file.
You are now ready to configure the sensor device within the STRM interface. To configure STRM to receive events from a generic firewall, you must select the Configurable Firewall Filter option from the Sensor Device Type drop-down list box. For more information on configuring sensor devices, see the Managing Sensor Devices Guide.
For more information regarding your firewall, see your vendor documentation.
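The following is an added example and is not part of the guide or of STRM: a small reference parser for the two modes genericFirewall.conf describes, so that the effect of regex_enabled and of #-separated multiple patterns can be tried against real log lines before the DSM is configured. The property names are the guide's; the two sample configurations and the third log line are constructed, and because the regex STRM itself generates from a tag is not documented here, tag_to_regex() is an approximation. Python's re module stands in for the Java regex engine; the custom patterns use only constructs valid in both.

```python
import re

# Constructed configuration in the style of genericFirewall.conf (tag mode).
SAMPLE_CONF_TAG_MODE = """\
regex_enabled=false
accept_pattern=Packet accepted
deny_pattern=Packet denied
source_ip_pattern=Source IP#Src IP
source_port_pattern=Source Port
destination_ip_pattern=Destination IP
destination_port_pattern=Destination Port
protocol_pattern=Protocol
"""

# Constructed configuration in regex mode. Written as the guide asks: explicit
# classes ([0-9], not \d) and primitive qualifiers (+, *, ?) so the expressions are
# valid in Java's dialect as well. The first capturing group is the value returned.
SAMPLE_CONF_REGEX_MODE = """\
regex_enabled=true
accept_pattern=Packet accepted
deny_pattern=Packet denied
source_ip_pattern=Source IP: ([0-9.]+)
source_port_pattern=Source Port: ([0-9]+)
destination_ip_pattern=Destination IP: ([0-9.]+)
destination_port_pattern=Destination Port: ([0-9]+)
protocol_pattern=Protocol: ([a-zA-Z]+)
"""

SAMPLE_LOGS = [
    # the guide's two example messages
    "Aug. 5, 2005 08:30:00 Packet accepted. Source IP: 192.168.1.1 Source Port: 80 "
    "Destination IP: 192.168.1.2 Destination Port: 80 Protocol: tcp",
    "Aug. 5, 2005 08:30:00 Packet denied. Source IP: 192.168.1.1 Source Port: 21 "
    "Destination IP: 192.168.1.2 Destination Port: 21 Protocol: tcp",
    # constructed: a device that labels the source "Src IP", covered by the second pattern
    "Aug. 5, 2005 08:31:00 Packet denied. Src IP: 10.0.0.5 Source Port: 22 "
    "Destination IP: 10.0.0.9 Destination Port: 22 Protocol: udp",
]

FIELDS = ("source_ip", "source_port", "destination_ip", "destination_port", "protocol")


def parse_conf(text):
    """Read key=value lines. A '#' inside a value is the multi-pattern separator, not a comment."""
    conf = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def tag_to_regex(tag):
    # Assumption: approximates the regex generated from a tag when regex_enabled=false:
    # the tag itself, an optional ':', whitespace, then the value up to the next space/comma.
    return re.compile(re.escape(tag) + r":?\s*([^\s,]+)", re.IGNORECASE)


def build_extractors(conf):
    """Compile one regex per pattern per field, honouring regex_enabled and '#' separators."""
    custom = conf.get("regex_enabled", "false").lower() == "true"
    extractors = {}
    for field in FIELDS:
        patterns = [p for p in conf.get(field + "_pattern", "").split("#") if p]
        if custom:
            extractors[field] = [re.compile(p, re.IGNORECASE) for p in patterns]
        else:
            extractors[field] = [tag_to_regex(p) for p in patterns]
    return extractors


def parse_event(line, conf, extractors=None):
    """Classify a log line as accept/deny and extract the five-tuple; None if neither pattern matches."""
    if extractors is None:
        extractors = build_extractors(conf)
    lowered = line.lower()                      # the guide: patterns are case insensitive
    if conf["accept_pattern"].lower() in lowered:
        event = {"action": "accept"}
    elif conf["deny_pattern"].lower() in lowered:
        event = {"action": "deny"}
    else:
        return None
    for field, regexes in extractors.items():
        for rx in regexes:                      # first pattern that matches wins
            m = rx.search(line)
            if m:
                event[field] = m.group(1)
                break
    return event
```

Lines that match neither accept_pattern nor deny_pattern are returned as None, which is the case to look for when a device's log format changes and events silently stop being classified.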
30
IBM AIX 5L
A STRM IBM AIX 5L DSM accepts events using syslog. STRM records all relevant login, logoff, session opened, session closed, and accepted/failed password events.
Note: If you are using syslog on a Unix host, we recommend that you upgrade the standard syslog to a more recent version, such as, syslog-ng.
Before you configure STRM to integrate with IBM AIX, you must:
Step 1 Log in as a root user.
Step 2 Open the /etc/syslog.conf file.
Step 3 Forward the system’s authentication logs to STRM by adding the following line to the file:
auth.*    @<IP address>
Where <IP address> is the IP address of the STRM system.
Step 4 Save and exit the file.
Step 5 Restart syslog:
refresh -s syslogd
For example, a typical /etc/syslog.conf file may resemble the following:
##### begin /etc/syslog.conf
mail.debug    /var/adm/maillog
mail.none    /var/adm/maillog
auth.notice    /var/adm/authlog
lpr.debug    /var/adm/lpd-errs
kern.debug    /var/adm/messages
*.emerg;*.alert;*.crit;*.warning;*.err;*.notice;*.info    /var/adm/messages
auth*    @123.234.234.123
##### end /etc/syslog.conf
where 123.234.234.123 is the IP address of the QRadar system.
You are now ready to configure the sensor device within the STRM interface. To configure STRM to receive events from an IBM AIX 5L server, you must select the IBM AIX Server option from the Sensor Device Type drop-down list box. For more information on configuring sensor devices, see the Managing Sensor Devices Guide.
See your authorization server manufacturer for configuration information.
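The following is an added example and is not part of the guide or of AIX: it produces the auth.* forwarding line from Step 3 and applies it to a syslog.conf, with two checks worth making before editing a production file. SAMPLE_SYSLOG_CONF is constructed in the style of the file shown above; the collector addresses used are placeholders.

```python
import ipaddress

# Constructed sample in the style of the /etc/syslog.conf shown in the guide.
SAMPLE_SYSLOG_CONF = """\
##### begin /etc/syslog.conf
mail.debug\t/var/adm/maillog
auth.notice\t/var/adm/authlog
*.emerg;*.alert;*.crit\t/var/adm/messages
##### end /etc/syslog.conf
"""


def forwarding_line(collector_ip):
    """Return the selector/action line that forwards auth.* to the STRM system.

    The address is validated first: an impossible value such as 123.456.789.123
    would be written without complaint and authentication events would then never
    reach the collector. The selector and action are separated by a tab, which is
    what traditional syslogd parsers, AIX's included, expect between the two fields.
    """
    ipaddress.ip_address(collector_ip)          # raises ValueError if not a valid address
    return "auth.*\t@" + collector_ip


def is_valid_collector(collector_ip):
    """True if collector_ip is an address syslogd can forward to."""
    try:
        forwarding_line(collector_ip)
    except ValueError:
        return False
    return True


def ensure_forwarding(conf_text, collector_ip):
    """Return conf_text with the forwarding line present exactly once (idempotent)."""
    wanted = forwarding_line(collector_ip)
    lines = conf_text.splitlines()
    for line in lines:
        parts = line.split()                    # tolerate tabs or spaces in existing lines
        if len(parts) == 2 and parts[0] == "auth.*" and parts[1] == "@" + collector_ip:
            return conf_text                    # already configured, leave the file alone
    lines.append(wanted)
    return "\n".join(lines) + "\n"
```

After writing the returned text back to /etc/syslog.conf, the change takes effect only once syslogd is restarted as in Step 5 (refresh -s syslogd).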
31
IBM PROVENTIA MANAGEMENT SITEPROTECTOR
A STRM IBM Proventia Management SiteProtector DSM accepts SiteProtector events by polling the SiteProtector database, allowing STRM to record the relevant events. You can integrate SiteProtector version 2.0 with STRM.
Before you configure STRM to integrate with SiteProtector, you should create a database user account and password. The defined user must have read permissions for the table used to store SiteProtector events, which is defined during protocol configuration. Although creating this account is not required, it is recommended for your protection. Record the username and password for use when configuring the SiteProtector DSM protocol configuration.
Note: Ensure that no firewall rules are blocking the communication between the SiteProtector console and STRM.
To configure STRM to receive SiteProtector events:
Step 1 In the STRM interface, click Config.
Step 2 Click Config in the main STRM Console.
The STRM Administration Console appears.
Step 3 Click the SIM Configuration tab.
The SIM Configuration panel appears.
Step 4 Click the Protocol Configuration icon.
Step 5 From the STRM Sensor Device Protocol Configurations window, select the JDBC option from the Protocol drop-down list box. In the JDBC Configuration window, enter the following:
Database Type: MSDE
Database Name: <RealSecureDB>
Table Name: SensorData1
Select List: *
Compare Field: SensorDataRowID
Hostname: <SiteProtector IP Address>
Port: <Default Port>
Username: <Database Access Username>
Password: <Password>
Polling Interval: <Default Interval>
Step 6 Click Save.
For more information on configuring protocols, see Configuring Protocols in the Managing Sensor Devices Guide.
Step 7 From the Administration Console, click the SIM Configuration tab.
The SIM Configuration panel appears.
Step 8 Click the Sensor Devices icon.
The Sensor Devices window appears.
Step 9 Click Add.
The Add a sensor device window appears.
Step 10 Enter values for the parameters:
Parameter    Description
Sensor Device Type    If you are using STRM 6.0, select ISS SiteProtector. If you are using STRM 6.0.1 or later, select IBM Proventia Management SiteProtector.
Protocol Configuration    The protocol defined in Step 5.
Device Hostname/IP    The IP address of the SiteProtector.
Step 11 Click Save.
Step 12 From the Administration Console menu, select Configurations > Deploy configuration changes.
For more information on configuring sensor devices, see the Managing Sensor Devices Guide.
For more information regarding your SiteProtector device, see your vendor documentation.
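The following is an added example and is not part of the guide or of STRM: it shows what the JDBC protocol configuration above amounts to when a poller runs it, and why the read-only database account the guide recommends matters. sqlite3 stands in for the MSDE database; the table name SensorData1 and the compare field SensorDataRowID are the guide's, while the other column names and all rows are constructed.

```python
import sqlite3


def build_sample_db():
    """In-memory stand-in for the SiteProtector database with constructed events."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE SensorData1 ("
        "SensorDataRowID INTEGER PRIMARY KEY, AlarmName TEXT, SrcIP TEXT, DstIP TEXT)"
    )
    db.executemany(
        "INSERT INTO SensorData1 VALUES (?, ?, ?, ?)",
        [
            (1, "Constructed_Alarm_A", "192.0.2.10", "192.0.2.80"),
            (2, "Constructed_Alarm_B", "192.0.2.11", "192.0.2.22"),
            (3, "Constructed_Alarm_C", "192.0.2.12", "192.0.2.1"),
        ],
    )
    db.commit()
    return db


def make_read_only(db):
    """The guide recommends a polling account with read permission only.

    On MSDE/SQL Server that is a GRANT SELECT on the events table; sqlite3 has no
    accounts, so the query_only pragma plays the same role here: every write through
    this connection fails, which limits what can be done with the collector's
    credentials if they are ever exposed.
    """
    db.execute("PRAGMA query_only = ON")


def write_allowed(db):
    """Probe whether the connection can modify the events table."""
    try:
        db.execute("INSERT INTO SensorData1 VALUES (999, 'probe', '0.0.0.0', '0.0.0.0')")
    except sqlite3.OperationalError:
        return False
    db.execute("DELETE FROM SensorData1 WHERE SensorDataRowID = 999")
    db.commit()
    return True


class SiteProtectorPoller:
    """Polls SensorData1 the way the configuration describes: Select List '*',
    Compare Field SensorDataRowID. Only rows with an id above the last one seen are
    fetched, so each event is collected once however often the poll runs."""

    def __init__(self, db, table="SensorData1", compare_field="SensorDataRowID"):
        self.db = db
        self.table = table                # fixed configuration values, never user input
        self.compare_field = compare_field
        self.last_seen = 0                # the watermark; a real collector persists it

    def poll(self):
        query = (
            f"SELECT * FROM {self.table} WHERE {self.compare_field} > ? "
            f"ORDER BY {self.compare_field}"
        )
        cur = self.db.execute(query, (self.last_seen,))   # watermark is a bound parameter
        columns = [d[0] for d in cur.description]
        rows = [dict(zip(columns, r)) for r in cur.fetchall()]
        if rows:
            self.last_seen = rows[-1][self.compare_field]
        return rows
```

The Polling Interval setting decides how often poll() runs; the compare field is what keeps repeated runs from re-reading events already collected.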
32
ISS PROVENTIA
A STRM ISS Proventia DSM accepts ISS Proventia events using SNMP. STRM records all relevant events. You can integrate ISS Proventia version M10 v2.1_2004.1122_15.13.53 with STRM. Before you configure STRM to integrate with ISS Proventia, you must:
Step 1 In the Proventia Manager interface navigation pane, expand the System node.
Step 2 Select System.
Step 3 Select Services.
The Service Configuration page appears.
Step 4 Click the SNMP tab.
Step 5 Select SNMP Traps Enabled.
Step 6 In the Trap Receiver field, enter the IP address of the STRM system that is to receive the SNMP traps.
Step 7 In the Trap Community field, enter the appropriate community name.
Step 8 From the Trap Version list, select the trap version.
Step 9 Click Save Changes.
You are now ready to configure STRM to receive SNMP traps. For information on configuring SNMP in the STRM interface, see the Managing Sensor Devices Guide.
To configure STRM to receive events from an ISS Proventia device, choose one of the following options:
If you are using STRM 6.0, select ISS Proventia Device from the Sensor Device Type drop-down list box.
If you are using STRM 6.0.1 and above, select IBM Proventia Management SiteProtector from the Sensor Device Type drop-down list box.
For more information on configuring sensor devices, see the Managing Sensor Devices Guide. For more information regarding your ISS Proventia device, see your vendor documentation.
33
JUNIPER DX APPLICATION ACCELERATION PLATFORM
The Juniper DX Application Acceleration Platforms off-load core networking and I/O responsibilities from web and application servers to improve the performance of web-based applications, increasing productivity of local, remote, and mobile users. A STRM Juniper DX Application Acceleration Platform DSM accepts events using syslog. STRM records all relevant status and network condition events. Before configuring a Juniper DX device in STRM, you must configure your device to send syslog events to STRM.
To configure the device to send syslog events to STRM:
Step 1 Log in to the Juniper DX interface.
Step 2 Browse to the desired cluster configuration (Services – Cluster Name), Logging section.
Step 3 Select the Enable Logging check box.
Step 4 Select the desired Log Format.
Note: STRM supports Juniper DX logs using the common and perf2 formats only.
Step 5 Specify the desired Log Delimiter format.
Note: STRM supports comma delimited logs only.
Step 6 In the Log Host section, specify the IP address of your STRM system.
Step 7 In the Log Port section, specify the UDP port on which you wish to export logs.
You are now ready to configure the sensor device within the STRM interface. To configure STRM to receive events from a Juniper DX Application Acceleration Platform, you must select the Juniper DX Application Acceleration Platform option from the Sensor Device Type drop-down list box. For more information on configuring sensor devices, see the Managing Sensor Devices Guide.
34
JUNIPER EX-SERIES ETHERNET SWITCH
A STRM Juniper EX-Series Ethernet Switch DSM accepts events using syslog. The STRM Juniper EX-Series Ethernet Switch DSM supports all Juniper EX-Series Ethernet Switches running JunOS 9.0. Before you configure STRM to integrate with a Juniper EX-Series Ethernet Switch, you must forward syslog to your STRM system.
To configure a Juniper EX-Series Ethernet Switch to forward syslog to STRM:
Step 1 Log in to the Juniper EX-Series Ethernet Switch.
Step 2 Enter the following command:
configure
Step 3 Enter the following command:
set system syslog host <IP address> <option> <level>
Where:
<IP address> is the IP address of your STRM system
<level> is info, error, warning, or any
<option> is one of the following:
Option    Description
any    All facilities
authorization    Authorization system
change-log    Configuration change log
conflict-log    Configuration conflict log
daemon    Various system processes
dfc    Dynamic flow capture
explicit-priority    Include priority and facility in messages
external    Local external applications
facility-override    Alternate facility for logging to remote host
firewall    Firewall filtering system
ftp    FTP process
interactive-commands    Commands executed by the UI
kernel    Kernel
log-prefix    Prefix for all logging to this host
match    Regular expression for lines to be logged
pfe    Packet Forwarding Engine
user    User processes
For example:
set system syslog host 10.77.12.12 firewall info
Configures the Juniper EX-Series Ethernet Switch to send info messages from firewall filtering systems to your STRM system.
Step 4 Repeat Step 3 for any additional options for which you want to send data. Each option must be identified using a separate command.
You are now ready to configure the Juniper EX-Series Ethernet Switch within the STRM interface. To configure STRM to receive events from a Juniper EX-Series Ethernet Switch, select Juniper EX-Series Ethernet Switch from the Sensor Device Type drop-down list box.
For more information on configuring sensor devices, see the Managing Sensor Devices Guide.
For more information regarding your Juniper switch, see your vendor documentation.
35
JUNIPER NETSCREEN IDP
A STRM NetScreen IDP DSM accepts NetScreen IDP events using syslog. STRM records all relevant NetScreen IDP events. To integrate STRM with a Juniper NetScreen IDP device, you must:
Configuring the IDP Sensor
Configuring STRM to Collect IDP Events
Configuring the IDP Sensor
To configure the IDP Sensor to send logs to a syslog server:
Step 1 Log in to the Juniper NSM interface.
Step 2 In NSM, edit the IDP device.
Step 3 Select Report Settings.
Step 4 Select Enable Syslog.
Step 5 Enter the Syslog Server STRM IP address.
Step 6 Click OK.
Step 7 Use Update Device to load the new settings onto the Sensor.
The format of the syslog message sent by the IDP Sensor is as follows:
<day id>, <record id>, <timeReceived>, <timeGenerated>, <domain>, <domainVersion>, <deviceName>, <deviceIpAddress>, <category>, <subcategory>,<src zone>, <src intface>, <src addr>, <src port>, <nat src addr>, <nat src port>, <dstzone>, <dst intface>, <dst addr>, <dst port>, <nat dst addr>, <nat dst port>,<protocol>, <rule domain>, <rule domainVersion>, <policyname>, <rulebase>, <rulenumber>, <action>, <severity>, <is alert>, <elapsed>, <bytes in>, <bytes out>, <bytestotal>, <packet in>, <packet out>, <packet total>, <repeatCount>, <hasPacketData>,<varData Enum>, <misc-str>, <user str>, <application str>, <uri str>
For example:
[syslog@juniper.net dayId="20061012" recordId="0" timeRecv="2006/10/12 21:52:21" timeGen="2006/10/12 21:52:21" domain="" devDomVer2="0" device_ip="10.209.83.4" cat="Predefined" attack="TROJAN:SUBSEVEN:SCAN" srcZn="NULL" srcIntf="NULL" srcAddr="192.168.170.20" srcPort="63396" natSrcAddr="NULL" natSrcPort="0" dstZn="NULL" dstIntf="NULL" dstAddr="192.168.170.10" dstPort="27374" natDstAddr="NULL" natDstPort="0" protocol="TCP" ruleDomain="" ruleVer="5" policy="Policy2" rulebase="IDS" ruleNo="4" action="NONE" severity="LOW" alert="no" elaspedTime="0" inbytes="0" outbytes="0" totBytes="0" inPak="0" outPak="0" totPak="0" repCount="0" packetData="no" varEnum="31" misc="<017>'interface=eth2" user="NULL" app="NULL" uri="NULL"]
Configuring STRM to Collect IDP Events
Juniper NSM is a central management server for Juniper IDP. You can configure STRM to collect and represent the Juniper IDP alerts as coming from a central NSM, or STRM can collect syslog from the individual Juniper IDP device.
To configure STRM to collect IDP events, you must:
Configuring Juniper NSM Protocol
Configuring STRM to Collect Syslog from an IDP Device
Configuring Juniper NSM Protocol
To configure STRM to integrate with a Juniper NSM device:
Step 1 Configure the Juniper NSM protocol in the STRM interface.
To configure STRM to receive events from a Juniper NSM device using the Juniper NSM protocol, you must select the JuniperNSM option from the Protocol drop-down list box when configuring your protocol configuration. For more information, see Configuring Protocols in the Managing Sensor Devices Guide.
Step 2 Configure the sensor device within the STRM interface.
To configure STRM to receive events from a Juniper NSM device, select the Juniper Networks NetScreen-Security Manager (NSM) option from the Sensor Device Type drop-down list box.
Configuring STRM to Collect Syslog from an IDP Device
To configure STRM to receive events from a NetScreen IDP device, select the Juniper Networks Intrusion Detection and Prevention (IDP) option from the Sensor Device Type drop-down list box.
For more information on configuring devices, see the Managing Sensor Devices Guide.
For more information regarding NetScreen IDP, see your NetScreen-Security Manager documentation.
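The following is an added example and is not part of the guide or of STRM: a parser for the bracketed key="value" syslog message an IDP Sensor emits (the format shown above), reducing each message to the fields an analyst triages on. The first sample message is the guide's own example; the second is constructed to show an event with alert="yes" and a repeat count, and its attack name is a placeholder.

```python
import re

SAMPLE_IDP_EVENTS = [
    # the guide's example message
    '[syslog@juniper.net dayId="20061012" recordId="0" timeRecv="2006/10/12 21:52:21" '
    'timeGen="2006/10/12 21:52:21" domain="" devDomVer2="0" device_ip="10.209.83.4" '
    'cat="Predefined" attack="TROJAN:SUBSEVEN:SCAN" srcZn="NULL" srcIntf="NULL" '
    'srcAddr="192.168.170.20" srcPort="63396" natSrcAddr="NULL" natSrcPort="0" '
    'dstZn="NULL" dstIntf="NULL" dstAddr="192.168.170.10" dstPort="27374" '
    'natDstAddr="NULL" natDstPort="0" protocol="TCP" ruleDomain="" ruleVer="5" '
    'policy="Policy2" rulebase="IDS" ruleNo="4" action="NONE" severity="LOW" alert="no" '
    'elaspedTime="0" inbytes="0" outbytes="0" totBytes="0" inPak="0" outPak="0" '
    'totPak="0" repCount="0" packetData="no" varEnum="31" misc="<017>\'interface=eth2" '
    'user="NULL" app="NULL" uri="NULL"]',
    # constructed: an alerting event, repeated three times, with a placeholder attack name
    '[syslog@juniper.net dayId="20061012" recordId="1" timeRecv="2006/10/12 21:53:02" '
    'timeGen="2006/10/12 21:53:02" device_ip="10.209.83.4" cat="Predefined" '
    'attack="HTTP:EXAMPLE:CONSTRUCTED" srcAddr="198.51.100.7" srcPort="40123" '
    'dstAddr="192.168.170.10" dstPort="80" protocol="TCP" policy="Policy2" '
    'rulebase="IDS" ruleNo="2" action="DROP" severity="HIGH" alert="yes" '
    'repCount="3" user="NULL" app="HTTP" uri="/login.php"]',
]

# One key="value" pair; values may contain anything except a double quote.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_idp_event(message):
    """Return the key/value pairs of one IDP syslog message as a dict.

    Values stay as strings except that "NULL", which the sensor uses for an absent
    value (srcZn, natSrcAddr, user, ... above), becomes None. Only the text between
    the outer square brackets is read, so a syslog priority/host prefix is ignored.
    """
    start = message.find("[")
    end = message.rfind("]")
    if start < 0 or end < start:
        raise ValueError("not a bracketed IDP message")
    body = message[start + 1:end]
    return {k: (None if v == "NULL" else v) for k, v in KV_RE.findall(body)}


def summarize(fields):
    """Reduce a parsed event to what a detection engineer keys on."""
    return {
        "attack": fields.get("attack"),
        "severity": fields.get("severity"),
        "action": fields.get("action"),
        "alert": fields.get("alert") == "yes",
        "flow": "{}:{} -> {}:{}/{}".format(
            fields.get("srcAddr"), fields.get("srcPort"),
            fields.get("dstAddr"), fields.get("dstPort"), fields.get("protocol")),
        "repeat_count": int(fields.get("repCount") or 0),
    }
```

The misc field in the guide's example carries a single quote and an embedded "interface=eth2"; the regex above handles it because only `="` starts a value, which is worth checking against your own sensor's output before relying on any simpler split-on-space parser.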
36
JUNIPER NETWORKS SECURE ACCESS
A STRM Juniper Networks Secure Access DSM accepts login and session information using syslog in WebTrends Enhanced Log File (WELF) format. You can integrate Juniper SA version 6.1 and Juniper IC version 2.1 with STRM.
Note: If your Juniper device is running release 5.5R3-HF2 - 6.1 or above, we recommend that you use the WELF:WELF format for logging. See your vendor documentation to determine if your device and license support logging in WELF:WELF format.
This document provides information for integrating a Juniper Secure Access device using one of the following formats:
WELF:WELF (Recommended). See Using WELF:WELF Format.
Syslog. See Using Syslog Format.
Using WELF:WELF Format
To integrate a Juniper Networks Secure Access device with STRM using the WELF:WELF format:
Step 1 Log in to your Juniper device administration interface:
https://10.xx.xx.xx/admin
Step 2 Configure syslog server information for events:
a If a WELF:WELF file is configured, go to Step e. Otherwise, go to Step b.
b From the left panel, select System > Log/Monitoring > Events > Filter.
The Filter menu appears.
c Click New Filter.
d Select WELF. Click Save Changes.
e From the left panel, select System > Log/Monitoring > Events > Settings.
f From the Select Events to Log section, select the events that you wish to log.
g In the Server name/IP field, enter the name or IP address of the syslog server.
h From the Facility drop-down list box, select the facility.
i From the Filter drop-down list box, select WELF:WELF. Click Add and click Save Changes.
Step 3 Configure syslog server information for user access:
a If a WELF:WELF file is configured, go to Step e. Otherwise, go to Step b.
b From the left panel, select System > Log/Monitoring > User Access > Filter.
The Filter menu appears.
c Click New Filter.
d Select WELF. Click Save Changes.
e From the left panel, select System > Log/Monitoring > User Access > Settings.
f From the Select Events to Log section, select the events that you wish to log.
g In the Server name/IP field, enter the name or IP address of the syslog server.
h From the Facility drop-down list box, select the facility.
i From the Filter drop-down list box, select WELF:WELF. Click Add and click Save Changes.
Step 4 Configure syslog server information for administrator access:
a If a WELF:WELF file is configured, go to Step e. Otherwise, go to Step b.
b From the left panel, select System > Log/Monitoring > Admin Access > Filter.
The Filter menu appears.
c Click New Filter.
d Select WELF. Click Save Changes.
e From the left panel, select System > Log/Monitoring > Admin Access > Settings.
f From the Select Events to Log section, select the events that you wish to log.
g In the Server name/IP field, enter the name or IP address of the syslog server.
h From the Facility drop-down list box, select the facility.
i From the Filter drop-down list box, select WELF:WELF. Click Add and click Save Changes.
Step 5 Configure syslog server information for client logs:
a If a WELF:WELF file is configured, go to Step e. Otherwise, go to Step b.
b From the left panel, select System > Log/Monitoring > Client Logs > Filter.
The Filter menu appears.
c Click New Filter.
d Select WELF. Click Save Changes.
e From the left panel, select System > Log/Monitoring > Client Logs > Settings.
f From the Select Events to Log section, select the events that you wish to log.
g In the Server name/IP field, enter the name or IP address of the syslog server.
h From the Facility drop-down list box, select the facility.
i From the Filter drop-down list box, select WELF:WELF. Click Add and click Save Changes.
You are now ready to configure the sensor device within the STRM interface. To configure STRM to receive events from Juniper Networks Secure Access device, select Juniper Networks Secure Access (SA) SSL VPN from the Sensor Device Type drop-down list box.
For more information on configuring sensor devices, see the Managing Sensor Devices Guide. For more information regarding your Juniper device, see your vendor documentation.
Using Syslog Format
To integrate a Juniper Networks Secure Access device with STRM using syslog:
Step 1 Log in to your Juniper device administration interface:
https://10.xx.xx.xx/admin
Step 2 Configure syslog server information for events:
a From the left panel, select System > Log/Monitoring > Events > Settings.
b From the Select Events to Log section, select the events that you wish to log.
c In the Server name/IP field, enter the name or IP address of the syslog server.
Step 3 Configure syslog server information for user access:
a From the left panel, select System > Log/Monitoring > User Access > Settings.
b From the Select Events to Log section, select the events that you wish to log.
c In the Server name/IP field, enter the name or IP address of the syslog server.
Step 4 Configure syslog server information for administrator access:
a From the left panel, select System > Log/Monitoring > Admin Access > Settings.
b From the Select Events to Log section, select the events that you wish to log.
c In the Server name/IP field, enter the name or IP address of the syslog server.
Step 5 Configure syslog server information for client logs:
a From the left panel, select System > Log/Monitoring > Client Logs > Settings.
b From the Select Events to Log section, select the events that you wish to log.
c In the Server name/IP field, enter the name or IP address of the syslog server.
You are now ready to configure the sensor device within the STRM interface. To configure STRM to receive events from a Juniper Networks Secure Access device, select Juniper Networks Secure Access (SA) SSL VPN from the Sensor Device Type drop-down list box.
For more information on configuring sensor devices, see the Managing Sensor Devices Guide. For more information regarding your Juniper device, see your vendor documentation.
37
JUNIPER INFRANET CONTROLLER
A STRM Juniper Networks Infranet Controller DSM accepts DHCP events using syslog. STRM records all relevant events from a Juniper Networks Infranet Controller. Before you configure STRM to integrate with a Juniper Networks Infranet Controller, you must configure syslog within the server. For more information on configuring your Juniper Networks Infranet Controller, consult your vendor documentation.
Once you have configured syslog, you are ready to configure the sensor device within the STRM interface. To configure STRM to receive events from your Juniper Networks Infranet Controller, choose one of the following options:
If you are using STRM 6.0, select Juniper InfranetController from the Sensor Device Type drop-down list box.
If you are using STRM 6.0.1 and above, select Juniper Networks Infranet Controller from the Sensor Device Type drop-down list box.
For more information on configuring devices, see the Managing Sensor Devices Guide.
38
JUNIPER NETSCREEN FIREWALL
You can integrate NetScreen Firewall version 3.0 with STRM. A STRM NetScreen Firewall DSM accepts NetScreen Firewall events using syslog. STRM records all relevant NetScreen Firewall events. Before you configure STRM to integrate with NetScreen Firewall, you must:
Step 1 Log in to your NetScreen Firewall user interface.
Step 2 From the menu, select Configuration > Report Settings > Syslog.
Step 3 Select the enable syslog messages check box.
Step 4 Enter the IP address of your STRM system hosting the Event Collector.
Step 5 Click Apply.
Step 6 Click Policy.
Step 7 Click Edit.
Step 8 Select the Logging check box.
Step 9 Click Save.
You are now ready to configure the sensor device within the STRM interface. To configure STRM to receive events from a NetScreen Firewall device, choose one of the following options, depending on which version of STRM you are using:
Select NetScreen Firewall Appliance from the Sensor Device Type drop-down list box.
Select Juniper Networks NetScreen Firewall from the Sensor Device Type drop-down list box.
For more information on configuring sensor devices, see the Managing Sensor Devices Guide. For more information regarding NetScreen Firewall, see the NetScreen Firewall documentation.
39
JUNIPER NSM
The STRM Juniper NSM DSM accepts Juniper SSG Appliance events using syslog. All other devices supported by Juniper NSM, such as Juniper IDP or Juniper NetScreen Firewall, should be forwarded to STRM. For more information on advanced filtering of NSM logs, see your NSM documentation.
To integrate a Juniper NSM device with STRM, you must:
Enabling NSM to Export Logs to Syslog
Configuring Juniper NSM Protocol
Enabling NSM to Export Logs to Syslog
NSM uses the syslog server when exporting qualified log entries to syslog. Configuring the syslog settings for the management system only defines the syslog settings for the management system. It does not actually export logs from the individual devices.
To enable the management system to export logs to syslog:
Step 1 Log in to the NSM GUI.
Step 2 From the Action Manager menu, select Action Parameters.
Step 3 Enter the IP address for the syslog server to which you want to send qualified logs.
Step 4 Enter the syslog server facility for the syslog server to which you want to send qualified logs.
Step 5 From the Device Log Action Criteria node, Actions tab, select Syslog Enable for Category, Severity, and Action.
Step 6 Log in to STRM, as root.
Juniper NSM is a central management server for many Juniper products including ScreenOS firewalls, ISG, and Juniper IDP. You can configure STRM to either collect and represent all device alerts as coming from a central NSM or to represent the individual Juniper security devices that are generating alerts to the NSM server.
Configuring Juniper NSM Protocol
To configure STRM to integrate with a Juniper NSM device:
Step 1 Configure the Juniper NSM protocol in the STRM interface.
To configure STRM to receive events from a Juniper NSM device using the Juniper NSM protocol, you must select the JuniperNSM option from the Protocol drop-down list box when configuring your protocol configuration. For more information, see Configuring Protocols in the Managing Sensor Devices Guide.
Note: In the STRM interface, the JuniperNSM protocol configuration enables you to use the Juniper NSM IP address by selecting the Use NSM Address for Event Source check box. If you wish to change the configuration to use the originating IP address (clear the check box), you must log in to STRM as root and restart iptables using the following command:
service iptables restart
Step 2 Configure the sensor device within the STRM interface.
To configure STRM to receive events from a Juniper NSM device, you must select the Juniper Networks NetScreen-Security Manager (NSM) option from the Sensor Device Type drop-down list box. For more information on configuring devices, see the Managing Sensor Devices Guide.