Symantec Universal Event Collectors 4.4 for Symantec Security Information Manager 4.7 Implementation Guide


The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version: 1.0

Legal Notice

Copyright 2011 Symantec Corporation. All rights reserved.

Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR and subject to restricted rights as defined in FAR Section "Commercial Computer Software - Restricted Rights" and DFARS , "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.

Symantec Corporation
350 Ellis Street
Mountain View, CA

Technical Support

Contacting Technical Support

Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec's support offerings include the following:

  A range of support options that give you the flexibility to select the right amount of service for any size organization
  Telephone and/or Web-based support that provides rapid response and up-to-the-minute information
  Upgrade assurance that delivers software upgrades
  Global support purchased on a regional business hours or 24 hours a day, 7 days a week basis
  Premium service offerings that include Account Management Services

For information about Symantec's support offerings, you can visit our Web site at the following URL:

All support services will be delivered in accordance with your support agreement and the then-current enterprise technical support policy.

Customers with a current support agreement may access Technical Support information at the following URL:

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.

When you contact Technical Support, please have the following information available:

  Product release level

  Hardware information
  Available memory, disk space, and NIC information
  Operating system
  Version and patch level
  Network topology
  Router, gateway, and IP address information
  Problem description:
    Error messages and log files
    Troubleshooting that was performed before contacting Symantec
    Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:

Customer service

Customer service information is available at the following URL:

Customer Service is available to assist with non-technical questions, such as the following types of issues:

  Questions regarding product licensing or serialization
  Product registration updates, such as address or name changes
  General product information (features, language availability, local dealers)
  Latest information about product updates and upgrades
  Information about upgrade assurance and support contracts
  Information about the Symantec Buying Programs
  Advice about Symantec's technical support options
  Nontechnical presales questions
  Issues that are related to CD-ROMs or manuals

Support agreement resources

If you want to contact Symantec regarding an existing support agreement, please contact the support agreement administration team for your region as follows:

  Asia-Pacific and Japan
  Europe, Middle-East, and Africa
  North America and Latin America

Contents

Technical Support

Chapter 1 Introducing Universal Event Collectors
  About Universal Event Collectors
  Installing Universal Event Collectors
  Downloading and installing Universal Event Collectors on a remote computer
  Configuring the Universal Event Collectors
  Defining custom event translation rules with the Web Configuration console
  Creating and configuring a matching Universal Event Collector sensor with the Information Manager console
  Preparing the test environment
  Sending the test events to Symantec Security Information Manager
  About analyzing an event
  Configuring custom mapping to interpret the log data
  Testing the custom mapping
  Deleting the test environment

Appendix A Help with configuration
  Tips and tricks on configuration
  About date and timestamp mapping

Appendix B Sensor properties for the Universal Event Collectors
  Sensor properties for the Universal Log File Collector
  Sensor properties for the Universal Syslog Collector
  Sensor properties for the Universal Windows Collector
  Sensor properties for the Universal Windows Vista Collector

Appendix C Using Syslog Director with the Universal Syslog Event Collector
  About Syslog Director
  Configuring Syslog Director to work with the Universal Syslog Event Collector

Appendix D Implementation notes for the Universal Event Collectors
  Product IDs for the Universal Event Collectors
  Schema packages for the Universals Collectors
  Event mapping for the Universal Event Collectors

Chapter 1
Introducing Universal Event Collectors

This chapter includes the following topics:

  About Universal Event Collectors
  Installing Universal Event Collectors
  Downloading and installing Universal Event Collectors on a remote computer
  Configuring the Universal Event Collectors
  Defining custom event translation rules with the Web Configuration console
  Creating and configuring a matching Universal Event Collector sensor with the Information Manager console
  Preparing the test environment
  Sending the test events to Symantec Security Information Manager
  About analyzing an event
  Configuring custom mapping to interpret the log data
  Testing the custom mapping
  Deleting the test environment

About Universal Event Collectors

Universal Event Collectors let you collect events from a point product when a Symantec Event Collector is not available for that point product. You define a

custom event parsing definition so that Information Manager can interpret the events.

You configure a Universal collector like you configure all other collectors: by creating a sensor configuration and defining sensor properties. You then set up a custom event parsing definition.

The following mapping types let you set up a custom event parsing definition:

Direct mapping
  When you receive events from a Universal collector sensor, direct mapping lets you set the value of an Information Manager field by using the value of another Information Manager field. For example, you can store the sensor name in the Option1 field.

Literal mapping
  When you receive events from a Universal collector sensor, literal mapping determines which Information Manager field to populate with a specified value. For example, if you are collecting events from an accounting package such as Peachtree, you can populate the Configuration Name field with the value "Peachtree."

Pattern mapping
  With pattern mapping, you load an event, and then determine which characters make up a single input field. You then map the input fields to Information Manager fields. For example, if a delimiter is present, you can specify it, and pattern mapping will let you use that delimiter to separate the event into fields. You can then map these fields to Information Manager fields. If no delimiter is present, you can mark groups of characters as input fields, and then use pattern mapping to map these fields to Information Manager fields.

Installing Universal Event Collectors

The following Universal Event Collectors are preinstalled on the Information Manager 4.7 server. You can also download them for installation on a remote computer.

Universal Event Collector for Microsoft Windows Vista
  Collects events from Microsoft Windows Vista event logs.

Universal LogFile Event Collector
  Collects events from products that generate log files.

Universal Syslog Event Collector
  Collects events from products that log events by using the Syslog protocol.

The following Universal collector is available by download only. You can only use this collector on a remote computer that runs Microsoft Windows.

Universal Event Collector for Microsoft Windows
  Collects events from Microsoft Windows event logs.

Table 1-1 Installation steps for remote computer installations

To use the pre-installed Universal Event Collectors:
  Configure the Universal Event Collectors. See Configuring the Universal Event Collectors on page 12.

To use the Universal Event Collectors on a remote computer:
  Download and install the Symantec Event Agent on the remote computer. See Downloading and installing Universal Event Collectors on a remote computer on page 11.
  Download and install the Universal collector on the remote computer. See Downloading and installing Universal Event Collectors on a remote computer on page 11.
  Configure the Universal Event Collectors. See Configuring the Universal Event Collectors on page 12.

Downloading and installing Universal Event Collectors on a remote computer

When you install the Universal collector on a remote computer, you must complete the following tasks in the order shown:

  Download and install the Symantec Event Agent on the remote computer. The Symantec Event Agent sends the data that is collected by the collector to Information Manager. For detailed information, see the Symantec Event Agent 4.7 Implementation Guide.
  Download and install the Universal Event Collector on the remote computer. See To download and install Universal Event Collectors on a remote computer on page 12.

To download and install Universal Event Collectors on a remote computer

1 On the remote computer, launch the Information Manager Configuration Web site at the following URL, and then log on:
    Information_Manager_host_name_or_IP_address
2 From the Information Manager Configuration Web page, click Downloads.
3 Click one of the following options, and then save the .zip file to a directory on the remote computer:
    Universal Collector for Windows
    Universal Collector for Windows Vista
    Universal Collector for Syslog
    Universal Collector for Log File
4 Extract the files.
5 Navigate to the install directory, and then complete the following steps:
    For Windows-based computers, double-click install.bat, and then click Run.
    For UNIX-based computers, at a command prompt, type the following command:
      sh install.sh
6 Follow the installation wizard prompts.

See Installing Universal Event Collectors on page 10.

Configuring the Universal Event Collectors

Symantec recommends that you create a test environment while you are configuring a Universal collector.

Table 1-2 Configuring the Universal Event Collectors

Step 1  Create and configure a matching collector configuration and sensor with the Information Manager console. See Creating and configuring a matching Universal Event Collector sensor with the Information Manager console on page 14.

Table 1-2 Configuring the Universal Event Collectors (continued)

Step 2  Prepare a test environment, as follows:
          Create an Information Manager test archive to temporarily store your test events.
          Create an Information Manager test query to isolate your test events and store them in your test archive.
        See Preparing the test environment on page 16.

Step 3  Send the events to Symantec Security Information Manager, as follows:
          Stop the Symantec Event Agent.
          Delete the contents of the test archive, if any.
          Delete the collector's last position file.
          Restart the Symantec Event Agent.
          Run the test query and view the events.
        See Sending the test events to Symantec Security Information Manager on page 18.

Step 4  Analyze the event. See About analyzing an event on page 22.

Step 5  Define custom event translation rules with the Web Configuration console. See Defining custom event translation rules with the Web Configuration console on page 14.

Step 6  Configure custom mapping to interpret the log data, as follows:
          Configure direct mapping.
          Configure literal mapping.
          Configure pattern mapping.
        See Configuring custom mapping to interpret the log data on page 23.

Step 7  Test the custom mapping, as follows:
          Delete the contents of the archive.
          Repeat steps 4 through 6 until the mapping is satisfactory.
        See Testing the custom mapping on page 25.

Step 8  Delete the test environment. See Deleting the test environment on page 26.

Step 9  If you use the Universal Syslog Collector that is preinstalled on the Information Manager server, you can also use Syslog Director. See About Syslog Director on page 37.

Defining custom event translation rules with the Web Configuration console

You create custom event translation rules to apply to events that are collected by a specific sensor. You then create and configure a matching Universal Event Collector sensor from the Information Manager console.

See Creating and configuring a matching Universal Event Collector sensor with the Information Manager console on page 14.

To define custom event translation rules with the Web Configuration console

1 On the remote computer, launch the Information Manager Configuration Web site at the following URL, and then log on:
    Information_Manager_host_name_or_IP_address
  The user account used to log in to the Web Configuration console must be a member of the Domain Administrator role on the Information Manager server that is being accessed. For more information about user roles, refer to the Symantec Security Information Manager 4.7 Administrator Guide.
2 In the Information Manager Configuration Web page, click Settings > Custom Logs.
3 In the left pane, select one of the Universal Event Collectors, and then in the right pane, click New.
4 Specify the sensor name of the Universal Event Collector sensor that collects the events for which you want to define field mappings. As a best practice, name the sensor with the application or the data source name.
5 In the right pane, click Save.

Creating and configuring a matching Universal Event Collector sensor with the Information Manager console

You must create a matching Universal collector sensor by using the Information Manager console by completing the following procedures:

  Create a matching Universal Event Collector collector configuration.

    See To create a matching Universal Event Collector collector configuration on page 15.
  Create and configure the matching Universal Event Collector sensor to receive security events.
    See To create and configure the matching Universal Event Collector sensor to receive security events on page 15.

When you have created the matching sensor, you must distribute the sensor properties to the Universal collector. When you have configured a Universal collector sensor, you should test that Information Manager receives the events.

To create a matching Universal Event Collector collector configuration

1 Launch the Information Manager console, and then log on.
2 In the left pane, click System.
3 From the Product Configurations tab, expand the tree until you see the collector name which corresponds to the collector sensor that you created with the Information Manager console.
  See Defining custom event translation rules with the Web Configuration console on page 14.
4 Right-click the collector name, and then choose New.
5 On the Create a New Configuration wizard page, follow the prompts to create a new sensor configuration.
6 Click Finish, and then click Close.

To create and configure the matching Universal Event Collector sensor to receive security events

1 In the Information Manager console, select the configuration that you created in the previous procedure.
2 Select the Product Configurations tab, and then expand the tree until you see the collector name which corresponds to the collector sensor that you created with the Information Manager console.
  See Defining custom event translation rules with the Web Configuration console on page 14.
3 In the left pane, select the appropriate collector configuration.
4 In the right pane, on the sensor tab, under the list of sensors, click the sensor.

5 In the sensor property table under the Value column, change the sensor name. Name the sensor with the same name that you used when you created the sensor using the Web Configuration console.
  See Appendix A, Sensor properties for the Universal Collectors.
6 Click Save.
7 In the left pane, right-click the appropriate configuration, and then click Distribute.
8 When you are prompted to distribute the configuration, click Yes.
9 In the Configuration Viewer window, click Close.

Preparing the test environment

Symantec recommends that you create a test environment so that the test events are kept separate from regular events that are gathered by other collectors. When you have successfully custom mapped the Universal collector, you can delete the test environment.

See Deleting the test environment on page 26.

To prepare the test environment, complete the following tasks in the order shown:

  Create an Information Manager test archive to store your test events. You must reorder the archives so that the default archive is the last archive in the list.
    See To create a test archive to store your test events on page 16.
  Create an Information Manager test query to isolate your test events and store them in your test archive.
    See To create a test query to isolate your test events on page 17.

To create a test archive to store your test events

1 Launch the SSIM Console, and then log on.
2 In the left pane, click System.
3 In the middle pane, click the Server Configurations tab, and then expand the tree.
4 Click Event Storage Rules.
5 To add a new archive, click Add (+).

6 In the Archive Rule Properties dialog, complete the following fields:
    Rule name     Type a name for the rule.
    Archive Path  Type the same name that you entered for the rule.
7 To create an inclusion filter so that only your test events are stored in the archive, complete the following steps:
    Click + (plus).
    Click the first field, and then choose a product in the list.
    Click the next field to the right, and then select =.
    Click the next field to the right, and then select Universal Logfile Event Collector.
    Click + (plus).
    Click the first field, and then from the list, select Collector Sensor.
    Click the next field to the right, and then select =.
    Click the next field to the right and type the collector's sensor name.
    Click + (plus).
    Click the first field, and then select Category ID.
    Click the next field to the right, and then select !=.
    Click the next field to the right, and then select Diagnostic.
8 Click OK.
9 To reorder the archives so that the default archive is last, complete the following steps:
    In the right pane, in the table, select Default Archive.
    In the toolbar, click the down arrow (the last icon).
10 Click Apply, and then in the toolbar, click Distribute the selected rule.

To create a test query to isolate your test events

1 Launch the SSIM Console, and then log on.
2 In the left pane, click Events.
3 In the middle pane, expand My Queries.

4 In the toolbar, click Query Wizard, and create a query as follows:
    Event Query Type Selection
      Select Event Query. Click Next.
      Under Event Query Type, select Event Details.
      Under Archives, uncheck Prompt at run-time, expand the Information Manager server name, and select the Event archive that you created in To create a test archive to store your test events. Click Next.
    Filter Criteria
      Create filters to narrow down the events. For example:
        Collector Sensor = Sensor_Name
        Product = Universal Logfile Event Collector
        Category ID != Diagnostic
    Available Columns
      Click Add All.
    Query Name
      Type a name for the test query.
5 When you are done, click Finish.
6 In the right pane, select the test archive that you created.
  See To create a test archive to store your test events on page 16.
7 Click Save As, and then enter the test query name that you created in step 4.

Sending the test events to Symantec Security Information Manager

Collectors that were developed and released by Symantec go through a process that is called content mapping. Content mapping is the process of mapping point-product event fields to Information Manager fields.

When you first send events to Information Manager from a Universal collector, the event string from each collected event populates the Description field. You analyze the events, and then custom map the events so that they populate Information Manager fields in a meaningful way.

To send the test events to Symantec Security Information Manager, you complete the following tasks in the order shown:

  Stop the Symantec Event Agent.
    See To start and stop the Symantec Event Agent on page 19.
  Delete the contents of the test archive. You must stop the Event Service before you delete the contents of the test archive.
    See To delete the contents of the test archive on page 20.
  Delete the Universal Event Collector's last position file. The last position file is created when you stop the Symantec Event Agent.
    See To delete the collector's last position file on page 20.
  Restart the Symantec Event Agent.
    See To start and stop the Symantec Event Agent on page 19.
  Run the test query and view the events.
    See Run the test query and view the events on page 21.

To start and stop the Symantec Event Agent

1 On the computer where the collector is installed, navigate to the Agent directory, as follows:
    On Windows, the default location is C:\Program Files\Symantec\Event Agent.
    On UNIX, the default location is /opt/symantec/sesa/agent. On UNIX, you must become superuser.
2 To access the Collector and Agent Management Scripts, type one of the following commands:
    On Windows: agentmgmt.bat
    On UNIX: ./agentmgmt.sh
3 From the SSIM Collector / Agent Management Script menu, select one of the following options:
    10. Start the Agent
    11. Stop the Agent
4 Keep this window open while you test your custom mapping.

To delete the contents of the test archive

1 Use ssh to log in to the Information Manager server as an administrator.
2 At the prompt, type the following command:
    su -
3 Enter the root password when prompted.
4 To stop the Event Service, remove the contents of the archive, and restart the Event Service, at the prompt, type the following commands:
    service sesevents stop
    rm -rf /eventarchive/archive_name/yyyy
    service sesevents start
  where archive_name is the test archive that you created, and yyyy is the current year.
  See Preparing the test environment on page 16.

To delete the collector's last position file

1 On the collector computer, navigate to the following directory:
    Universal LogFile Event Collector
      On Windows, the default location is C:\Program Files\Symantec\Event Agent\collectors\ulogfile
      On UNIX, the default location is /opt/symantec/sesa/agent/collectors/collector_name/
    Universal Microsoft Windows Event Collector
      C:\Program Files\Symantec\Event Agent\collectors\uwindows
      Delete the last position file. (*.dat)

    Universal Event Collector for Microsoft Windows Vista
      On Windows, the default location is C:\Program Files\Symantec\Event Agent\collectors\uvista
      On UNIX, the default location is /opt/symantec/sesa/Agent/collectors/uvista/
2 Delete the last position file.
  Note: Universal Event Collector for Syslog does not use a last position file.
    Universal LogFile Event Collector
      The last position file is named with the sensor name that you created by using the Information Manager console.
    Universal Microsoft Windows Event Collector
      The last position file is named with an extension of .dat. (*.dat)
    Universal Event Collector for Microsoft Windows Vista
      The last position file is named as follows: last_position_hostname
  See Creating and configuring a matching Universal Event Collector sensor with the Information Manager console on page 14.

Run the test query and view the events

1 Launch the SSIM Console and log on.
2 In the left pane, click Events.
3 In the middle pane, expand My Queries.
4 Select the test query that you created.
  See Preparing the test environment on page 16.
5 In the right pane, click Run Query.
6 In the results, double-click an event. Before you custom map, all collected events will have an Event Type ID field value of Generic Base.
7 In the Event Details pane, the event string is placed in the Description field.

About analyzing an event

Determine what you know about the events, as follows:

  What is the delimiter that separates the fields?
  What do the fields represent?

After you have mapped an event, assess the results again, as follows:

  Do the field assignments look right?
  Are there any fields that can be more granular?
  Are there events that are not being translated and require another pattern to be defined?

Note: You cannot map field values to Information Manager ID fields. Information Manager ID fields are predefined to receive specific values.

For example, you can use the ~ (tilde character) as the delimiter in the log. Table 1-3 shows the mapping of the example log.

Table 1-3 Analyzing an event

Field Content Description Pattern mapping :22 Timestamp Option Storefront ID Option Audit Trail ID Audit Client Session Audit Event ID Option 3 5 Edit Slot Audit Event Name Vendor Signature 6 48 Sequence Audit Information :00: Audit Date Option :22: Audit Transaction Date Option User ID Option 6

Table 1-3 Analyzing an event (continued)

Field | Content | Description | Pattern mapping
10 | WEarp | User Name | Username
11 | 0 | Location ID | Target Resource
12 | 2 | Application ID | Option 7
13 | Arizona Jack | AppName | Audit Primary Object Name
14 | Tslot Revision : 3 -> 4 | Comments | Intrusion Data

Configuring custom mapping to interpret the log data

Before you set up custom mapping, you need to analyze the events to determine which fields you want to map. You use the Web Configuration console to set up custom mapping for logs.

The following mapping types are available:

Direct mapping
  When you receive events from a Universal collector sensor, direct mapping puts the information into another Information Manager field. In the following direct mapping example, the Intrusion Vendor Name field is populated with the name of the Universal collector sensor that you created.
  See Creating and configuring a matching Universal Event Collector sensor with the Information Manager console on page 14.

    Collector Sensor maps to Intrusion Vendor Name

Literal mapping
  When you receive events from a Universal collector sensor, literal mapping determines which Information Manager fields to populate with a specified value. In the following literal mapping example, the Category ID field is populated with the value "Application," the Severity ID field is populated with the value "2 - Warning," and the Event Type ID field is populated with the value "Generic Content."

    Category ID = Application
    Severity ID = 2 - Warning
    Event Type ID = Generic Content

Pattern mapping
  With pattern mapping, you load an event, and then determine which characters pertain to a single input field. You then map the input fields to Information Manager fields. If a delimiter is available, you can use it to automatically parse the fields. If a delimiter is not available, you can manually parse the fields by selecting the characters that make up a field, and then marking it as a field.
  See About analyzing an event on page 22.

Note: You cannot map field values to Information Manager ID fields. Information Manager ID fields are predefined to receive specific values.

To configure mapping to interpret the log data

1 From a remote computer, launch the Information Manager Configuration Web site at the following URL, and then log on:
    Information_Manager_host_name_or_IP_address
2 From the Information Manager Configuration Web page, click Settings > Custom Logs.
3 In the left pane, select one of the Universal Event Collectors, and then click the sensor you created.
  See Defining custom event translation rules with the Web Configuration console on page 14.
4 To add direct mappings, do the following tasks:
    In the right pane, under Direct Mapping, click Add Mapping.
    In the first drop-down list, select a Universal Event Collector field.
    In the second drop-down list, select an Information Manager field to map to.
  The value of the first field that you choose is placed in the second field that you choose.
5 To add literal mappings, do the following tasks:
    In the right pane, under Literal Mapping, click Add Mapping.

    In the first drop-down list, select an Information Manager field.
    In the second drop-down list, select or type the value with which to populate the first field that you chose.
6 When you are finished with the direct and literal mappings, click Save.
  Note: You cannot add a new pattern without first saving at least a direct or a literal mapping.
7 To add pattern mappings, click New Pattern.
8 To load a log to map, do the following steps:
    Click Load New Pattern.
    Type a name for this pattern.
    In the Load Sample Log Entry dialog, type in or copy-and-paste a sample log entry. You can copy-and-paste the sample from the Description field in the Event Viewer or directly from the source log, if you have it.
    See Sending the test events to Symantec Security Information Manager on page 18.
    To create input fields, do one of the following tasks:
      If a delimiter exists, check Auto-parse sample, type the delimiter, and then click OK.
      If there is no delimiter, click OK. In the Log Pattern section, highlight a field, and then click Mark Selection as Input Field.
9 In the Input Field Mapping section, map the input fields to Information Manager fields.
10 Click Save.

Testing the custom mapping

To test the custom mapping, you complete the following tasks:

Table 1-4 Testing the custom mapping

Step | Task description | Where to find more information
Step 1 | Delete the contents of the archive. | See Sending the test events to Symantec Security Information Manager on page 18.
Step 2 | Stop the Symantec Event Agent. | See Sending the test events to Symantec Security Information Manager on page 18.
Step 3 | Delete the Universal Event Collector's last position file. | See Sending the test events to Symantec Security Information Manager on page 18.
Step 4 | Restart the Symantec Event Agent. | See Sending the test events to Symantec Security Information Manager on page 18.
Step 5 | Run the test query and view the events. | See Sending the test events to Symantec Security Information Manager on page 18.
Step 6 | Re-analyze the translated event. | See About analyzing an event on page 22.
Step 7 | Adjust custom mapping, as necessary. | See Configuring custom mapping to interpret the log data on page 23.

Deleting the test environment

When you have finished configuring the Universal collector, you can delete the test archive and test query.

See Preparing the test environment on page 16.

To delete the test archive

1 Launch the SSIM Console, and then log on.
2 In the left pane, click System.
3 In the middle pane, click the Server Configurations tab, and then expand the tree.
4 Click Event Storage Rules.
5 Select the test archive that you created.
6 To delete the test archive, click - (Remove).

To delete the test query

1 In the SSIM Console, in the left pane, click Events.
2 In the middle pane, expand My Queries, and then select the test query that you created. See Preparing the test environment on page
3 In the toolbar, click Delete Query.


Appendix A

Help with configuration

This appendix includes the following topics:

Tips and tricks on configuration
About date and timestamp mapping

Tips and tricks on configuration

Some tips and tricks that help with Universal Event Collector configuration are as follows:

For all event sources:
  Until you custom map, collected events are placed in the Description field. You can copy and paste the contents of the Description field into the Load Sample Log Entry dialog to define a pattern mapping.
  Event Type ID = Generic Base
  Use this field, along with the Collector Sensor field, to create an event filter, as follows:
    Collector Sensor = sensor_name
    Event Type ID = Generic Base

For Microsoft Windows and Microsoft Windows Vista event sources:
  Until you custom map, collected events are partially translated. Many event fields are already mapped, and do not require custom mapping. See Event mapping for the Universal Event Collectors on page 42.
  To avoid duplicate events when the regular Microsoft Windows or Microsoft Windows Vista event collectors are also in use, use the Windows Event Source field. You can use this field to create event filters that you can apply to both the regular and the Universal collectors. For example, if Windows Event Source = SYMCScan, for the regular Microsoft Windows collector, then you can create the following filters:
    For the regular Microsoft Windows collector: Windows Event Source equal to SYMCScan
    For the Universal collector: Windows Event Source not equal to SYMCScan

About date and timestamp mapping

To map dates and times into the Event Date field, the format in the source log must conform to the following Java SimpleDateFormat class:

mm/dd/yy hh:mm AM/PM switch

You can read more about Java data formats at the following URL:

If the date in the custom log is not in the Java short date format as shown, the Symantec Event Agent assigns a value to the Event Date field that matches the Created Date field. You can map the event field to an Option field. The Option field retains the date in the format that was originally retained by the log file. You can then use the corresponding Option Type field to specify that the Option field contains the original event timestamp.
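Because a non-conforming timestamp leaves Event Date equal to Created Date rather than the original event time, it is worth checking a sample of the source log before choosing the mapping target. The following pre-check is an added example, not part of the Symantec guide or product; it assumes the guide's format corresponds to the Java pattern M/d/yy h:mm a and that the log is delimited, and the function names and sample lines are constructed for illustration.

```python
"""Pre-check log timestamps before mapping a field to Event Date.

Assumptions (not from the guide): the guide's "mm/dd/yy hh:mm AM/PM" is read
as the Java pattern "M/d/yy h:mm a"; the check below is a strict Python
approximation, and the agent's own parser may accept more or less than this.
"""
from datetime import datetime

SHORT_DATE_FORMAT = "%m/%d/%y %I:%M %p"  # e.g. 10/11/11 09:14 PM


def parse_short_date(text):
    """Return a datetime if text is in the short date format, else None."""
    try:
        return datetime.strptime(text.strip(), SHORT_DATE_FORMAT)
    except ValueError:
        return None


def audit_timestamps(lines, delimiter, field_index):
    """Check the timestamp field of every non-blank line.

    Returns a dict with the number of conforming lines, a list of
    (line_number, raw_value) pairs that do not conform, and the mapping
    target that the guide's rule suggests for this field.
    """
    conforming = 0
    nonconforming = []
    for number, line in enumerate(lines, start=1):
        if not line.strip():
            continue  # blank lines carry no event
        fields = line.rstrip("\r\n").split(delimiter)
        raw = fields[field_index] if field_index < len(fields) else None
        if raw is not None and parse_short_date(raw) is not None:
            conforming += 1
        else:
            nonconforming.append((number, raw))
    # One bad line is enough: its Event Date would take the Created Date
    # value, so keep the original string in an Option field instead.
    if conforming and not nonconforming:
        target = "Event Date"
    else:
        target = "Option"
    return {
        "conforming": conforming,
        "nonconforming": nonconforming,
        "target": target,
    }


# Constructed sample lines (pipe-delimited, timestamp in field 0).
SAMPLE_LOG = [
    "10/11/11 09:14 PM|fw01|DENY|10.0.0.5",
    "1/5/11 7:03 AM|fw01|ALLOW|10.0.0.9",
    "2011-10-11T21:14:15Z|fw01|DENY|10.0.0.5",   # ISO 8601
    "Oct 11 21:14:15|fw01|DENY|10.0.0.7",        # syslog-style
    "",
    "10/11/2011 09:14 PM|fw01|DENY|10.0.0.8",    # four-digit year
]

if __name__ == "__main__":
    report = audit_timestamps(SAMPLE_LOG, "|", 0)
    print("conforming lines:", report["conforming"])
    for number, raw in report["nonconforming"]:
        print("line %d does not conform: %r" % (number, raw))
    print("suggested mapping target:", report["target"])
```
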

Appendix B

Sensor properties for the Universal Event Collectors

This appendix includes the following topics:

Sensor properties for the Universal Log File Collector
Sensor properties for the Universal Syslog Collector
Sensor properties for the Universal Windows Collector
Sensor properties for the Universal Windows Vista Collector

Sensor properties for the Universal Log File Collector

Table B-1 shows the sensor properties for the LogFile sensor.

Table B-1 LogFile sensor properties

Sensor property: Log File Directory

Sensor property: Log File Name

Table B-1 LogFile sensor properties (continued)

Sensor property: Reading Mode
Description:
  Monitor Dynamic Log: Waits for new events to be added to the new log file.
  Monitor Single File Log: Waits for new events to be added to the current log file.
  Using this setting, the collector checks for new log files matching the static part of the log filename (defined in the Log File Name property) after reaching the end of the current log file.
  Specify Monitor Single File Log for the collector to wait for new events to be added to the current log file.
  Specify Monitor Dynamic Log for the collector to check for a new log file to read.

Sensor property: Start Reading From
Description:
  Specify Beginning to read the log file from the beginning of the file upon the restart of the collector.
  Specify End to read the log file from the end of the file upon the restart of the collector.
  Specify Last Position for the collector to keep track of which line the collector is reading in the log file. If the collector is interrupted and restarted, reading continues from this position. When the collector is started for the first time, the collector reads all events in all files.
  Note: If the file for which a last position was saved no longer exists, the collector starts reading from the log file with the timestamp that is later than, but nearest to, the file for which the last position was saved.

Table B-1 LogFile sensor properties (continued)

Sensor property: End of Record Marker
Description:
  The Universal Log File Collector saves its log files in UNIX file format, even when it reads its logs from a Microsoft Windows operating system. To accommodate the UNIX file format, the default value for End of Record Marker is set to the hexadecimal equivalent of the end-of-line for UNIX systems. This value should not be changed.
  Specify the delimiter that is used at the end of each message.
  ENDOFLINE: Refers to the end of a line as a message delimiter (CR/LF on a Windows platform; LF on a Linux/UNIX platform). ENDOFLINE is the default delimiter.
  Note: Leave ENDOFLINE as the End of Record Marker. Any other value for the End of Record Marker is not recommended.
  BLANKLINE: Refers to a blank line as a message delimiter. You must specify two successive ENDOFLINE characters.
  NULL: Refers to hexadecimal 00.

Sensor property: End of Data Marker
Description:
  Specify one of the following values that specifies the end of data in the log files:
  EOF: End of file
  NULL
  The default value is EOF.

Sensor properties for the Universal Syslog Collector

Note: Do not use the special characters such as <, &, and ' (single quotes) while naming a sensor.

Table B-2 SysLog sensor properties

Sensor property: Protocol
Description:
  Specify UDP or TCP.
  UDP is the syslog standard protocol and is faster than TCP; however, UDP provides few error recovery services, and there is no guarantee that events are delivered.
  TCP is slower than UDP, but it guarantees event delivery by establishing a connection.

Sensor property: Host Names
Description:
  Specify the IP addresses or names of the host computers that the collector monitors. Specify * (or any) to allow any host to send events to the collector, or specify multiple host names. Separate multiple host names with commas or semicolons.

Sensor property: Port Number
Description:
  Specify the port number to which you have configured the point product to send syslog messages. The default port number is

Sensor property: Time Offset
Description:
  Specify a time offset to convert timestamps of all logged events to the time zone of the collector computer. You can use a time offset value if both of the following statements are true:
    The time zone of the collector computer and the point product are different.
    The timestamps in the point product data are not Coordinated Universal Time (UTC).
  You do not need to use this property if the collector and the point product computers are in the same time zone.
  For example, if Pacific Standard Time (PST) is the time zone of the collector computer, you can specify -3 to convert incoming events with an Eastern Standard Time (EST) to Pacific Standard Time. You can specify +3 to convert incoming events with a Hawaii-Aleutian Standard Time (HST) standard to Pacific Standard Time.
  If you enter and distribute an invalid time zone offset, the collector automatically resets the offset value to the default value of +00:00. An error message is posted in the collector's log.

Sensor properties for the Universal Windows Collector

Note: Do not use the special characters such as <, &, and ' (single quotes) while naming a sensor.

Table B-3 Windows EventLog sensor properties

Sensor property: Monitored Host Name
Description:
  Specify the name of the computer from which the collector is to collect events, if events are collected from the same computer on which the collector is installed. The host to monitor must be a domain controller. IP address or localhost are valid entries. If the computer is different, then the host name or IP address can be specified.

Sensor property: Monitored Host Account Name
Description:
  Specify the account name. For example, specify DomainName\AccountName for a computer that is located in a Windows domain. The account that is used must have domain administrator rights to read the event log from the domain controller.
  This field may be left blank if the monitored host name value is or localhost because the Symantec Event Agent and collector are run with local system privileges.
  Enter the user credentials as well as domain information as follows: DomainName\AccountName.
  This field must be left blank if you configure the collector to collect events from itself.

Sensor property: Account Password
Description:
  Specify a password for the monitored host account. If the Monitored host name is localhost or , leave this field blank; the credentials for the account that runs the Symantec Event Agent process will be used automatically.

Sensor property: Number of Days to Load History Events
Description:
  In the absence of a last position file, which holds a timestamp of the last read event, the sensor will start reading the events which are not older than the current time (minus the number of days specified by this parameter).
  Note: This property is used only for the initial start of the sensor. If the sensor was correctly shut down and created the last position file, this property is ignored during subsequent runs.

Sensor property: Event Logs to Audit
Description:
  Select which event logs to audit. You can select a number of options to audit through the pop-up screen. You can also add other options by selecting Add.

Sensor properties for the Universal Windows Vista Collector

You must create a new collector configuration and a new sensor for all collectors.

Table B-4 Universal Windows Vista sensor properties

Sensor property: Monitored Host Name
Description:
  Specify the name of the computer from which the collector is to collect events. IP address or localhost are valid entries if events are collected from the same computer on which the collector is installed. If the computer is different, then the host name or IP address can be specified.

Table B-4 Universal Windows Vista sensor properties (continued)

Sensor property: Monitored Host Realm
Description:
  Realm (FQ domain name) of the monitored host computer. This property is used for Kerberos/Negotiate authentication.

Sensor property: Connection Port
Description:
  Specify the port that is used by the WS-Management service. The default value is 80.

Sensor property: Connection Protocol
Description:
  Specify the protocol for the WS-Management service connection. Possible values are as follows:
    HTTP (The default value is HTTP.)
    HTTPS

Sensor property: Monitored Host Account Name
Description:
  Specify the account name used for WS-Management service connection.
  Note: Due to Java limitations, the sensor does not support national accounts for basic authentication.
  The default value is Administrator.

Sensor property: Account Password
Description:
  Specify the password for WS-Management service connection.

Sensor property: Event Logs to Audit
Description:
  Select which event logs to audit. You can select a number of options to audit through the pop-up screen. You can also add other options by clicking Add. The following logs are read by default:
    Security
    Application
    System

Sensor property: Start Reading From
Description:
  This setting is used the first time that the collector is run. After that, a reference to the last record read by the collector is stored in a last position file. If the collector is restarted, the collector resumes reading from the WinRM at that last record. If the last position file gets deleted or becomes invalid, this setting is used to start reading from the WinRM again.
  Specify from where to start reading the Windows Event Log as follows:
    BEGINNING: To read from the first event that is available in the Event Log. The default value is BEGINNING.
    END: To only read events that were logged after the sensor started reading.

Appendix C

Using Syslog Director with the Universal Syslog Event Collector

This appendix includes the following topics:

About Syslog Director
Configuring Syslog Director to work with the Universal Syslog Event Collector

About Syslog Director

Syslog Director accepts syslog events from any device or application that sends events to the standard port for syslog messages, UDP port 514. (You can also configure Syslog Director to listen on other UDP or TCP ports.) Syslog Director identifies the incoming events by their signatures (specific patterns that identify each collector) and redirects the events that are received to the appropriate collector. All events that are not identified by a signature are sent to the Generic Syslog Collector.

Some restrictions to consider when using Syslog Director are as follows:

  Syslog Director cannot use the same port number to listen for both UDP and TCP. However, it can listen for UDP and TCP using two different ports. For example, if Syslog Director is set to listen on port for UDP, it cannot also listen for TCP on port However, Syslog Director can listen on port for UDP and port for TCP.
  Syslog Director can only forward events by using the UDP protocol. All collectors to which Syslog Director forwards must have sensors configured to listen on UDP ports.

  Syslog Director can redirect to only one port per collector. If you use the Universal Syslog Collector with Syslog Director, port is recommended. For additional sensors for other syslog collectors, configure the point products to send events directly to ports that are higher than

See Configuring Syslog Director to work with the Universal Syslog Event Collector on page 38.

Configuring Syslog Director to work with the Universal Syslog Event Collector

A collector signature is a specific pattern that identifies a collector. If the syslog events include a specific pattern, you can use Syslog Director with the Universal Syslog Event Collector.

You complete the following procedures to configure Syslog Director to work with the Universal Syslog Event Collector:

  Create a Syslog Director sensor configuration. See To create a Syslog Director sensor configuration on page 38.
  Enable the Universal Syslog Event Collector to receive syslog events from Syslog Director. See To enable the Universal Syslog Collector to receive syslog events from Syslog Director on page 39.
  Add a collector signature to Syslog Director. See To add collector signatures to Syslog Director on page 40.

The default Syslog Director settings for the Universal Syslog Event Collector are as follows:

Collector name | Default port
Universal Syslog Event Collector |

Note: You can redirect syslog events to one sensor only. You cannot redirect syslog events to multiple sensors.

To create a Syslog Director sensor configuration

1 Launch the Information Manager console, and then log on.
2 In the left pane, click System.


More information

Veritas System Recovery 18 Management Solution Administrator's Guide

Veritas System Recovery 18 Management Solution Administrator's Guide Veritas System Recovery 18 Management Solution Administrator's Guide Documentation version: 18 Legal Notice Copyright 2018 Veritas Technologies LLC. All rights reserved. Veritas and the Veritas Logo are

More information

Altiris PC Transplant 6.8 SP4 from Symantec User Guide

Altiris PC Transplant 6.8 SP4 from Symantec User Guide Altiris PC Transplant 6.8 SP4 from Symantec User Guide Altiris PC Transplant 6.8 SP4 from Symantec User Guide The software described in this book is furnished under a license agreement and may be used

More information

Symantec System Recovery 2013 R2 Management Solution Administrator's Guide

Symantec System Recovery 2013 R2 Management Solution Administrator's Guide Symantec System Recovery 2013 R2 Management Solution Administrator's Guide Symantec System Recovery 2013 R2 Management Solution Administrator's Guide The software described in this book is furnished under

More information

Security Content Update Release Notes. Versions: CCS 11.1 and CCS 11.5

Security Content Update Release Notes. Versions: CCS 11.1 and CCS 11.5 Security Content Update 2016-1 Release Notes Versions: CCS 11.1 and CCS 11.5 SCU 2016-1 Release Notes for CCS 11.1 and CCS 11.5 Legal Notice Copyright 2016 Symantec Corporation. All rights reserved. Symantec,

More information

Veritas Backup Exec Migration Assistant

Veritas Backup Exec Migration Assistant Veritas Backup Exec Migration Assistant Legal Notice Copyright 2017 Veritas Technologies LLC. All rights reserved. Veritas and the Veritas Logo are trademarks or registered trademarks of Veritas Technologies

More information

Symantec Enterprise Vault Technical Note

Symantec Enterprise Vault Technical Note Symantec Enterprise Vault Technical Note Troubleshooting OWA Extensions 8.0 Symantec Information Foundation Symantec Enterprise Vault: Troubleshooting OWA Extensions The software described in this book

More information

NetBackup Copilot for Oracle Configuration Guide. Release 2.7.1

NetBackup Copilot for Oracle Configuration Guide. Release 2.7.1 NetBackup Copilot for Oracle Configuration Guide Release 2.7.1 NetBackup Copilot for Oracle Configuration Guide Documentation version: 2.7.1 Legal Notice Copyright 2015 Symantec Corporation. All rights

More information

Veritas Storage Foundation and High Availability Solutions Application Note: Support for HP-UX Integrity Virtual Machines

Veritas Storage Foundation and High Availability Solutions Application Note: Support for HP-UX Integrity Virtual Machines Veritas Storage Foundation and High Availability Solutions Application Note: Support for HP-UX Integrity Virtual Machines HP-UX 11i v3 5.0.1 Veritas Storage Foundation and High Availability Solutions Application

More information

Symantec Enterprise Vault

Symantec Enterprise Vault Symantec Enterprise Vault PST Migration 11.0 Symantec Enterprise Vault: PST Migration The software described in this book is furnished under a license agreement and may be used only in accordance with

More information

Veritas NetBackup for SQLite Administrator's Guide

Veritas NetBackup for SQLite Administrator's Guide Veritas NetBackup for SQLite Administrator's Guide Windows and Linux Release 8.1.1 Documentation version: 8.1.1 Legal Notice Copyright 2018 Veritas Technologies LLC. All rights reserved. Veritas and the

More information

Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide

Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide Windows Server 2003 Windows Server 2008 5.1 Service Pack 2 Veritas Cluster Server Database Agent for Microsoft SQL Configuration

More information

Veritas Storage Foundation and High Availability Solutions Getting Started Guide - Linux

Veritas Storage Foundation and High Availability Solutions Getting Started Guide - Linux Veritas Storage Foundation and High Availability Solutions 6.0.4 Getting Started Guide - Linux September 2013 Veritas Storage Foundation and High Availability Solutions Getting Started Guide The software

More information

Symantec Encryption Desktop Version 10.2 for Mac OS X Release Notes. About Symantec Encryption Desktop

Symantec Encryption Desktop Version 10.2 for Mac OS X Release Notes. About Symantec Encryption Desktop Symantec Encryption Desktop Version 10.2 for Mac OS X Release Notes Thank you for using this Symantec Corporation product. These Release Notes contain important information regarding this release of Encryption

More information

Symantec Endpoint Encryption Full Disk Maintenance Pack Release Notes

Symantec Endpoint Encryption Full Disk Maintenance Pack Release Notes Symantec Endpoint Encryption Full Disk Maintenance Pack Release Notes Thank you for using this Symantec Corporation product. These Release Notes contain important information regarding this release of

More information

Veritas System Recovery 18 Linux Edition: Quick Installation Guide

Veritas System Recovery 18 Linux Edition: Quick Installation Guide Veritas System Recovery 18 Linux Edition: Quick Installation Guide Documentation version: 18 Legal Notice Copyright 2018 Veritas Technologies LLC. All rights reserved. Veritas and the Veritas Logo are

More information

Veritas Desktop and Laptop Option 9.2. High Availability (HA) with DLO

Veritas Desktop and Laptop Option 9.2. High Availability (HA) with DLO Veritas Desktop and Laptop Option 9.2 High Availability (HA) with DLO 2 Veritas Desktop and Laptop Option The software described in this document is furnished under a license agreement and may be used

More information

Wise Mobile Device Package Editor Reference

Wise Mobile Device Package Editor Reference Wise Mobile Device Package Editor Reference Mobile Device Package Editor The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of

More information

Veritas System Recovery 16 Management Solution Administrator's Guide

Veritas System Recovery 16 Management Solution Administrator's Guide Veritas System Recovery 16 Management Solution Administrator's Guide Documentation version: 2017 Legal Notice Copyright 2017 Veritas Technologies LLC. All rights reserved. Veritas and the Veritas Logo

More information

Veritas NetBackup Copilot for Oracle Configuration Guide. Release 2.7.2

Veritas NetBackup Copilot for Oracle Configuration Guide. Release 2.7.2 Veritas NetBackup Copilot for Oracle Configuration Guide Release 2.7.2 Veritas NetBackup Copilot for Oracle Configuration Guide Documentation version: 2.7.2 Legal Notice Copyright 2016 Veritas Technologies

More information

Veritas Disaster Recovery Advisor Release Notes

Veritas Disaster Recovery Advisor Release Notes Veritas Disaster Recovery Advisor Release Notes AIX, ESX, HP-UX, Linux, Solaris, Windows Server 6.0 2 Veritas Disaster Recovery Advisor Release Notes Legal Notice Copyright 2012 Symantec Corporation. All

More information

Symantec ServiceDesk 7.1 SP2 Portal User Guide

Symantec ServiceDesk 7.1 SP2 Portal User Guide Symantec ServiceDesk 7.1 SP2 Portal User Guide Symantec ServiceDesk 7.1 SP2 Portal User Guide The software described in this book is furnished under a license agreement and may be used only in accordance

More information

Symantec Event Collector 4.4 for Nessus Quick Reference

Symantec Event Collector 4.4 for Nessus Quick Reference Symantec Event Collector 4.4 for Nessus Quick Reference Symantec Event Collector for Nessus Quick Reference The software described in this book is furnished under a license agreement and may be used only

More information

Veritas Storage Foundation Add-on for Storage Provisioning User's Guide. 4.0 Release Update 1

Veritas Storage Foundation Add-on for Storage Provisioning User's Guide. 4.0 Release Update 1 Veritas Storage Foundation Add-on for Storage Provisioning User's Guide 4.0 Release Update 1 Veritas Storage Foundation Add-on for Storage Provisioning The software described in this book is furnished

More information

PGP Desktop Version 10.2 for Windows Maintenance Pack Release Notes

PGP Desktop Version 10.2 for Windows Maintenance Pack Release Notes PGP Desktop Version 10.2 for Windows Maintenance Pack Release Notes Thank you for using this Symantec Corporation product. These Release Notes contain important information regarding this release of PGP

More information

PGP(TM) Universal Server Version 3.2 Maintenance Pack Release Notes

PGP(TM) Universal Server Version 3.2 Maintenance Pack Release Notes PGP(TM) Universal Server Version 3.2 Maintenance Pack Release Notes Thank you for using this Symantec Corporation product. These Release Notes contain important information regarding this release of PGP

More information

Symantec Mobile Management 7.1 Implementation Guide

Symantec Mobile Management 7.1 Implementation Guide Symantec Mobile Management 7.1 Implementation Guide Symantec Mobile Management 7.1 Implementation Guide The software described in this book is furnished under a license agreement and may be used only in

More information

Symantec LiveUpdate Administrator 2.3 User's Guide

Symantec LiveUpdate Administrator 2.3 User's Guide Symantec LiveUpdate Administrator 2.3 User's Guide Symantec LiveUpdate Administrator 2.3 User's Guide The software described in this book is furnished under a license agreement and may be used only in

More information

Symantec Network Access Control Linux Agent User Guide

Symantec Network Access Control Linux Agent User Guide Symantec Network Access Control 5.1.7 Linux Agent User Guide Symantec Network Access Control 5.1.7 Linux Agent User Guide The software described in this book is furnished under a license agreement and

More information

Symantec Disaster Recovery Advisor Release Notes

Symantec Disaster Recovery Advisor Release Notes Symantec Disaster Recovery Advisor Release Notes AIX, ESX, HP-UX, Linux, Solaris, Windows Server 6.2 2 Symantec Disaster Recovery Advisor Release Notes The software described in this book is furnished

More information

Symantec Data Loss Prevention System Maintenance Guide. Version 14.0

Symantec Data Loss Prevention System Maintenance Guide. Version 14.0 Symantec Data Loss Prevention System Maintenance Guide Version 14.0 Symantec Data Loss Prevention System Maintenance Guide Documentation version: 14.0b Legal Notice Copyright 2015 Symantec Corporation.

More information

Symantec ediscovery Platform

Symantec ediscovery Platform Symantec ediscovery Platform Native Viewer (ActiveX) Installation Guide 7.1.5 Symantec ediscovery Platform : Native Viewer (ActiveX) Installation Guide The software described in this book is furnished

More information

Veritas Storage Foundation and High Availability Solutions HA and Disaster Recovery Solutions Guide for Enterprise Vault

Veritas Storage Foundation and High Availability Solutions HA and Disaster Recovery Solutions Guide for Enterprise Vault Veritas Storage Foundation and High Availability Solutions HA and Disaster Recovery Solutions Guide for Enterprise Vault Windows Server 2003 Windows Server 2008 5.1 Service Pack 1 Veritas Storage Foundation

More information

Symantec NetBackup for Microsoft Exchange Server Administrator s Guide

Symantec NetBackup for Microsoft Exchange Server Administrator s Guide Symantec NetBackup for Microsoft Exchange Server Administrator s Guide for Windows Release 7.6 Symantec NetBackup for Microsoft Exchange Server Administrator's Guide The software described in this book

More information

Symantec Patch Management Solution for Windows 8.5 powered by Altiris technology User Guide

Symantec Patch Management Solution for Windows 8.5 powered by Altiris technology User Guide Symantec Patch Management Solution for Windows 8.5 powered by Altiris technology User Guide Symantec Patch Management Solution for Windows 8.5 powered by Altiris technology User Guide Documentation version:

More information

Security Content Update Release Notes. Versions: CCS 11.1.x and CCS 11.5.x

Security Content Update Release Notes. Versions: CCS 11.1.x and CCS 11.5.x Security Content Update 2017-1 Release Notes Versions: CCS 11.1.x and CCS 11.5.x SCU 2017-1 Release Notes for CCS 11.1.x and CCS 11.5.x Legal Notice Copyright 2017 Symantec Corporation. All rights reserved.

More information

Symantec Enterprise Security Manager Agent, Manager, Console Update for Windows Server 2008

Symantec Enterprise Security Manager Agent, Manager, Console Update for Windows Server 2008 Symantec Enterprise Security Manager 6.5.3 Agent, Manager, Console Update for Windows Server 2008 2 Symantec Enterprise Security Manager 6.5.3 Agent, Manager, Console Update for Windows Server 2008 Symantec

More information

Symantec NetBackup PureDisk Storage Pool Installation Guide

Symantec NetBackup PureDisk Storage Pool Installation Guide Symantec NetBackup PureDisk Storage Pool Installation Guide Windows, Linux, and UNIX Release 665 Revision 1 The software described in this book is furnished under a license agreement and may be used only

More information

Symantec NetBackup Plug-in for VMware vsphere Web Client Guide. Release 7.6.1

Symantec NetBackup Plug-in for VMware vsphere Web Client Guide. Release 7.6.1 Symantec NetBackup Plug-in for VMware vsphere Web Client Guide Release 7.6.1 NetBackup Plug-in for VMware vsphere Web Client Guide Documentation version: 7.6.1 Legal Notice Copyright 2015 Symantec Corporation.

More information

Veritas Enterprise Vault. NSF Migration

Veritas Enterprise Vault. NSF Migration Veritas Enterprise Vault NSF Migration 12 Veritas Enterprise Vault: NSF Migration Last updated: 2015-12-03. Legal Notice Copyright 2015 Veritas Technologies LLC. All rights reserved. Veritas, the Veritas

More information

Veritas Dynamic Multi-Pathing for Windows Release Notes

Veritas Dynamic Multi-Pathing for Windows Release Notes Veritas Dynamic Multi-Pathing for Windows Release Notes Windows Server 2003, Windows Server 2008 5.1 Veritas Dynamic Multi-Pathing for Windows Release Notes The software described in this book is furnished

More information

Veritas NetBackup for MySQL Administrator's Guide

Veritas NetBackup for MySQL Administrator's Guide Veritas NetBackup for MySQL Administrator's Guide Windows and Linux Release 8.1 Veritas NetBackup for MySQL Agent Administrator's Guide Documentation version: 8.1 Legal Notice Copyright 2017 Veritas Technologies

More information

Symantec Corporation NetBackup for Microsoft Exchange Server Administrator s Guide

Symantec Corporation NetBackup for Microsoft Exchange Server Administrator s Guide Symantec Corporation NetBackup for Microsoft Exchange Server Administrator s Guide for Windows Release 7.1 Symantec Corporation NetBackup for Microsoft Exchange Server Administrator s Guide The software

More information

Veritas Storage Foundation and High Availability Solutions Application Note: Support for HP-UX Integrity Virtual Machines

Veritas Storage Foundation and High Availability Solutions Application Note: Support for HP-UX Integrity Virtual Machines Veritas Storage Foundation and High Availability Solutions Application Note: Support for HP-UX Integrity Virtual Machines HP-UX 11i v3 5.0.1 Veritas Storage Foundation and High Availability Solutions Application

More information

Symantec NetBackup Deduplication Guide. Release 7.0

Symantec NetBackup Deduplication Guide. Release 7.0 Symantec NetBackup Deduplication Guide Release 7.0 20654102 Symantec NetBackup Deduplication Guide The software described in this book is furnished under a license agreement and may be used only in accordance

More information

Symantec Enterprise Security Manager Modules for IBM DB2 Databases (Windows) User s Guide 3.0. Release for Symantec ESM 6.5.x and 9.

Symantec Enterprise Security Manager Modules for IBM DB2 Databases (Windows) User s Guide 3.0. Release for Symantec ESM 6.5.x and 9. Symantec Enterprise Security Manager Modules for IBM DB2 Databases (Windows) User s Guide 3.0 Release for Symantec ESM 6.5.x and 9.0 for Windows Symantec Enterprise Security Manager Modules for IBM DB2

More information

Veritas NetBackup for MySQL Administrator's Guide

Veritas NetBackup for MySQL Administrator's Guide Veritas NetBackup for MySQL Administrator's Guide Windows and Linux Release 8.1.1 Documentation version: 8.1.1 Legal Notice Copyright 2018 Veritas Technologies LLC. All rights reserved. Veritas and the

More information

PGP(TM) Universal Server Version 3.2 Maintenance Pack Release Notes

PGP(TM) Universal Server Version 3.2 Maintenance Pack Release Notes PGP(TM) Universal Server Version 3.2 Maintenance Pack Release Notes Thank you for using this Symantec Corporation product. These Release Notes contain important information regarding this release of PGP

More information

Partner Information. Integration Overview. Remote Access Integration Architecture

Partner Information. Integration Overview. Remote Access Integration Architecture Partner Information Partner Name Product Name Integration Overview Authentication Methods Supported Client Integration OTP Barracuda Networks Barracuda SSL VPN User Name + Security Code VIP Enterprise

More information

VeriSign Managed PKI for SSL and Symantec Protection Center Integration Guide

VeriSign Managed PKI for SSL and Symantec Protection Center Integration Guide VeriSign Managed PKI for SSL and Symantec Protection Center Integration Guide VeriSign Managed PKI for SSL and Symantec Protection Center Integration Guide The software described in this book is furnished

More information

Symantec pcanywhere 12.5 SP4 User Guide

Symantec pcanywhere 12.5 SP4 User Guide Symantec pcanywhere 12.5 SP4 User Guide 20002098 Symantec pcanywhere 12.5 SP4 User Guide The software described in this book is furnished under a license agreement and may be used only in accordance with

More information

Symantec ApplicationHA Agent for Microsoft SQL Server 2008 and 2008 R2 Configuration Guide

Symantec ApplicationHA Agent for Microsoft SQL Server 2008 and 2008 R2 Configuration Guide Symantec ApplicationHA Agent for Microsoft SQL Server 2008 and 2008 R2 Configuration Guide Windows Server 2003, Windows Server 2008 and 2008 R2 6.0 March 2012 Symantec ApplicationHA Agent for Microsoft

More information

PGP NetShare Quick Start Guide Version 10.2

PGP NetShare Quick Start Guide Version 10.2 PGP NetShare Quick Start Guide Version 10.2 What is PGP NetShare? The PGP NetShare product is a software tool that provides multiple ways to protect and share your data. Use PGP NetShare to: Let authorized

More information