Remote Syslog Shipping IBM Security Guardium

Transcription

1 Remote Syslog Shipping IBM Security Guardium IBM Security support Open Mic To hear the WebEx audio, select an option in the Audio Connection dialog or by access the Communicate > Audio Connection menu option. To ask a question by voice, you must either Call In or have a microphone on your device. Once connected (at least on PC), you should see this in the bottom right corner: For more information, visit: WebExOverview_SupportOpenMic 1 st December, IBM Security NOTICE: By participating in this call, you give your Irrevocable consent to IBM to record any statements that you may make during the call, as well as to IBM s use of such Recording in any and all media, including for video postings on YouTube. If you object, please do not connect to this call.

2 Panelists Name Ravi Subramani Guardium Support Jack Kerbert Guardium Support Greg Holmes Guardium Support Ian Kelly Guardium Support Avram Walerius Guardium Support Andy McCarl Moderator Knowledge Manager, IBM Security 2 IBM Security

3 Goal of session 1. How to configure remote syslog shipping in Guardium 2. Basic troubleshooting issues 3 IBM Security

4 Remote Syslog Shipping 4 IBM Security

5 Overview of Remote Syslog Shipping A process to transport Guardium syslog to remote Security Information and Event Management (SIEM) systems. Each SIEM requires information input in specific formats. For example: a. Common Event Format (CEF) b. Log Event Extended Format (LEEF) A flexible message formatting facility that an SIEM might require - Customizable key-value pairs CEF:0 Guardium Guardium 7.0 %%ruleid %%ruledescription 5 rt=%%receipttimemills cs1=%%severity cs1label=severity cs2=%%servertype cs2label=server Type cs3=%%classification 5 IBM Security

6 6 IBM Security

7 Transport Mechanisms An SIEM system can ingest information from Guardium in one of these ways: a. Syslog shipping using rsyslog the most common mechanism b. scp or ftp of CEF/CSV files to an external repository - The SIEM product must gather these files and ingest them c. External Feed directly to the remote database d. Custom alerter In this session, we will concentrate on syslog shipping 7 IBM Security

8 Syslog Transport Configuration - Overview 1. Determine message format - Create a template if necessary 2. Create message events - Real time alerts generated by the Inspection-core a.k.a the sniffer - Audit process results - Threshold/Correlation alert 3. Configure rsyslog - Encrypted traffic to SIEM - Unencrypted traffic to SIEM 4. Generate payload and verify 8 IBM Security

9 Configuration Message Format Determine the format and create a template in Guardium if it does not exist 9 IBM Security

10 Configuration Create Message Events Real Time alerts generated by the sniffer based on policy rules 1. Configure policy rule action to an alert 2. Set severity of the rule this is also the syslog message priority 3. Select the message template 4. Set Alert Receiver to syslog 10 IBM Security

11 Configuration Create Message Events Audit Process Results 1. Configure syslog as the receiver 2. Select the message template 11 IBM Security

12 Configuration Create Message Events Threshold/Correlation Alerts 1. Set the severity 2. Select the message template 3. Configure syslog as the receiver 12 IBM Security

13 Configure RSYSLOG 13 IBM Security

14 14 IBM Security

15 15 IBM Security

16 Configure RSYSLOG Syslog facilities used by Guardium 1. user facility Used by the sniffer to send real time alerts Prior to v10 p4019: ALERT_ONLY action v10 p4019: All alert actions Sample syslog output: Nov 26 07:46:05 g91064coll1 GuardiumSniffer[4829]: subject "SQLGUARD ALERT", "LEEF:1.0 IBM Guardium 9.0 Alert Only - object guardium 2. daemon facility - Used by the sniffer to send other ALERT actions prior to v10 p Used by audit results and threshold alerts. Sample syslog output: Nov 26 07:47:19 g91064coll1 guard_sender[4838]: LEEF:1.0 IBM Guardium 9.0 Log Full All ruleid=20003 ruledesc=log Full All severity=info devtime= :50:52 servertype=oracle classification= category 16 IBM Security

17 Configure RSYSLOG Configured using CLI 1. restart remotelog Restart rsyslog daemon 2. show remotelog Show current remote syslog configuration g91064coll1.sampoor.net> show remotelog Remote syslog is in non-encrypted mode. user.* daemon.* Standard rsyslog notation: = TCP = UDP 3. store remotelog clear Clear current configuration 17 IBM Security

18 Configure RSYSLOG store remotelog add non_encrypted Options: <facility.priority> <host[:port]> <tcp udp> Example: user.info :1514 tcp user.all udp Port number defaults to IBM Security

19 Configure RSYSLOG store remotelog add encrypted Options: <facility.priority> <host[:port]> <tcp> UDP cannot be used for encrypted mode Requirements: 1. The CA Certificate in PEM format 2. Copy the certificate (including BEGIN and END lines) - Execute from CLI store remotelog add encrypted <options> - Paste the certificate when requested as: Please paste your CA certificate, in PEM format. Include the BEGIN and END lines, and then press CTRL-D. - Repeat for each appliance required 19 IBM Security

20 Basic Troubleshooting ISSUE: Syslog not received by SIEM Messages missing in messages file a. No messages at all: - Real time alerts: - Is the sniffer running? - Policy rule(s) is the most common contributor - Audits and threshold alerts - Reports/threshold alerts may be empty - Alerter may be down. Execute restart alerter from cli b. Some messages missing: - Real time messages: - Validate the policy rules - Add logging actions to the rule(s) and create a report and check - Audits and threshold alerts: Verify that the reports produce results - Verify that the correct facility and priority are configured 20 IBM Security

21 Basic Troubleshooting ISSUE: Syslog not received by SIEM Messages in messages file, but not sent to SIEM - Check connectivity from CLI - ping <IP> g91064coll1.sampoor.net> ping PING ( ) 56(84) bytes of data. 64 bytes from : icmp_seq=1 ttl=64 time=0.250 ms - support show port open <IP> <port> g91064coll1.sampoor.net> support show port open Connection to port [tcp/*] succeeded! - Verify that the correct facility and priority are configured 21 IBM Security

22 Basic Troubleshooting ISSUE: Syslog not received by SIEM Messages in messages file, but not sent to SIEM - Restart rsyslogd from CLI using: restart remotelog - Run TCPDUMP in the appliance from CLI: support store tcpdump on <type> <period> <loglimit> [interface] [IP] [port] [protocol] Example: support store tcpdump on raw 3m The TCPDUMP output will be stored in the logdir as tcpdump.tar.gz. Download it using the fileserver Execute in a system that has tcpdump: tcpdump r tcpdump.log or a tool like wireshark Validate that packets are sent and acknowledged Run TCPDUMP on the SIEM server and validate that packets are arriving Involve the SIEM vendor to troubleshoot further 22 IBM Security

23 Questions for the panel Now is your opportunity to ask questions of our panelists. To ask a question now: Press *1 to ask a question over the phone or Type your question into the IBM Connections Cloud Meeting chat To ask a question after this presentation: You are encouraged to participate in our Forum on this topic - <link to IBM Security topic A in dw Answers Forum>. 23 IBM Security

24 Where do you get more information? Questions on this or other topics can be directed to the Guardium Forum More articles you can review: Technical notes: IBM Knowledge Center Technote for Shipping Guardium Syslog with template parameters IBM Guardium developerworks demos and articles IBM Knowledge Center: Useful links: Get started with IBM Security Support IBM Support Portal Sign up for My Notifications Follow us: 24 IBM Security

25 THANK YOU FOLLOW US ON: securityintelligence.com xforce.ibmcloud.com Copyright IBM Corporation All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express or implied. Any statement of direction represents IBM's current intent, is subject to change or withdrawal, and represent only goals and objectives. IBM, the IBM logo, and other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks or service marks of others. Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective. IBM does not warrant that any systems, products or services are immune from, or will make your enterprise immune from, the malicious or illegal conduct of any party. 25 IBM Security