Symantec Event Collector for SELinux Integration Guide


The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.

Documentation version 4.0

Legal Notice

Copyright 2006 Symantec Corporation. All rights reserved.

Federal acquisitions: Commercial Software - Government Users Subject to Standard License Terms and Conditions.

Symantec, the Symantec logo, SESA, LiveUpdate, Symantec AntiVirus, Symantec Enterprise Security Architecture, and Symantec Security Response are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

Microsoft, Windows, and Windows 2000 are trademarks or registered trademarks of Microsoft Corporation.

This product includes software that was developed by the Apache Software Foundation.

Other brands and product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are hereby acknowledged.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be "commercial computer software" and "commercial computer software documentation" as defined in FAR Sections and DFARS Section

Symantec Corporation
Stevens Creek Blvd.
Cupertino, CA USA

Technical Support

Contacting Technical Support

Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product feature and function, installation, and configuration. The Technical Support group also authors content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.

Symantec's maintenance offerings include the following:

- A range of support options that give you the flexibility to select the right amount of service for any size organization
- Telephone and web-based support that provides rapid response and up-to-the-minute information
- Upgrade insurance that delivers automatic software upgrade protection
- Global support that is available 24 hours a day, 7 days a week worldwide. Support is provided in a variety of languages for those customers that are enrolled in the Platinum Support program
- Advanced features, including Technical Account Management

For information about Symantec's Maintenance Programs, you can visit our Web site at the following URL:

Select your country or language under Global Support. The specific features that are available may vary based on the level of maintenance that was purchased and the specific product that you are using.

Customers with a current maintenance agreement may access Technical Support information at the following URL:

Select your region or language under Global Support.

Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to recreate the problem.

When you contact Technical Support, please have the following information available:

- Product release level
- Hardware information
- Available memory, disk space, and NIC information
- Operating system
- Version and patch level
- Network topology
- Router, gateway, and IP address information
- Problem description:
  - Error messages and log files
  - Troubleshooting that was performed before contacting Symantec
  - Recent software configuration changes and network changes

Licensing and registration

If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:

Select your region or language under Global Support, and then select the Licensing and Registration page.

Customer service

Customer service information is available at the following URL:

Select your country or language under Global Support.

Customer Service is available to assist with the following types of issues:

- Questions regarding product licensing or serialization
- Product registration updates such as address or name changes
- General product information (features, language availability, local dealers)
- Latest information about product updates and upgrades
- Information about upgrade insurance and maintenance contracts
- Information about the Symantec Value License Program

- Advice about Symantec's technical support options
- Nontechnical presales questions
- Issues that are related to CD-ROMs or manuals

Maintenance agreement resources

If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows:

- Asia-Pacific and Japan:
- Europe, Middle-East, and Africa:
- North America and Latin America:

Additional Enterprise services

Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively.

Enterprise services that are available include the following:

- Symantec Early Warning Solutions: These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur.
- Managed Security Services: These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.
- Consulting Services: Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring and management capabilities, each focused on establishing and maintaining the integrity and availability of your IT resources.
- Educational Services: Educational Services provide a full array of technical training, security education, security certification, and awareness communication programs.

To access more information about Enterprise services, please visit our Web site at the following URL:

Select your country or language from the site index.

Contents

Technical Support

Chapter 1 Introducing Symantec Event Collector for Security-Enhanced Linux
    About collectors
    Components of collectors
    How collectors work
    How collectors process events
    What you can do with collectors
    Where to find more information about Information Manager
    Accessing Help for the console

Chapter 2 Installing Symantec Event Collector for Security-Enhanced Linux
    Integration checklists for SELinux Collector
    Preinstallation checklist
    Installation checklist
    Configuration checklist
    Post-installation checklist
    Before you install the collector
    Updating the hosts file
    Installing the SIP, Agent, and collector component
    Installing the SIP
    Installing the Agent
    Installing the collector component
    Configuring your third-party security product and collector sensor
    About configuring your third-party security product to work with the collector
    Configuring the collector sensor to receive security events
    Viewing general information
    Configuring event filtering
    Configuring event aggregation
    After you install the collector
    Launching Symantec Security Information Manager
    Testing the collector installation
    About viewing reports
    About creating custom reports
    Uninstalling the collector
    Uninstalling the collector component
    Uninstalling the Agent
    Uninstalling the Symantec Integration Package

Appendix A Quick reference for SELinux Collector
    Compatibility and system requirements
    Compatibility requirements for Security-Enhanced Linux
    System requirements for the collector machine
    Preinstallation requirements for SELinux Collector
    Configuring your security product to work with the collector
    Sensor information
    Sensor settings for SELinux Collector

Appendix B Recommended collector configurations
    Creating collector configurations
    Collector configuration scenarios
    Scenario 1 - One-for-All configuration
    Scenario 2 - One-to-Many configuration
    Scenario 3 - One-to-One configuration
    Scenario 4 - One-per-Type configuration
    Creating collector configurations
    Adding, deleting, and disabling sensors

Appendix C Implementation notes
    Implementation notes for SELinux Collector
    Method of data collection
    Schema packages
    Example data
    Event mapping

Index

Chapter 1 Introducing Symantec Event Collector for Security-Enhanced Linux

This chapter includes the following topics:

- About collectors
- Components of collectors
- How collectors work
- How collectors process events
- What you can do with collectors
- Where to find more information about Information Manager

About collectors

Collectors enable centralized cross-tier logging, alerting, and reporting between Symantec Security Information Manager and third-party security products such as firewalls and intrusion-detection sensor software. Collectors retrieve events that are logged by a third-party security product and forward these events to Information Manager. These events are stored in the Information Manager database, where you can view them in reports, use them as the basis for configuring alert notifications and incident creation, and configure them as raw data for report generation. You can also configure collectors to selectively filter events and aggregate events that you want to forward to Information Manager.

After you install collectors, your third-party security product is integrated with Symantec Security Information Manager. When a product is integrated with Information Manager, you can use Information Manager to view the events that it has received from the third-party security product. Information Manager provides a central location in which to view and manage the reporting of event data across multiple Information Manager-integrated security products.

Components of collectors

When you install a collector, you install three separate components: the Symantec Integration Package (SIP) file, the Agent, and the collector component.

The SIP extends the Information Manager tables and fields so that it can receive collected events from third-party security product data sources. SIPs of some collectors also add additional reports for viewing the collected events in Symantec Security Information Manager.

The Agent is a Java application that performs communication functions for the Information Manager components or the third-party security products on which it is installed.

The collector component collects events from the third-party security products.

Figure 1-1 shows an overview of the Symantec Event Collector components.

Figure 1-1 Collector component overview

Table 1-1 describes the major components of collectors.

Table 1-1 Major components of collectors

Component: Description

- Information Manager: Refers to the Symantec Security Information Manager where event processing, such as filtering and storing, resides. Allows for the centralized collection, classification, and normalization of events to enable alerting and reporting across managed security products.
- SIP: Refers to the Symantec Integration Package, which is installed on the Symantec Security Information Manager machine, and extends the Information Manager tables and fields so it can receive collected events from third-party security software (SIP not shown).
- Agent: Refers to the Java application that performs communication functions for the Information Manager components on the system on which it is installed.
- Collector: Refers to an application that collects events from third-party security products, processes them and passes them to the Agent.
- Sensor: Refers to the component that reads in events from a file, database, syslog, event log, or other medium, and then passes the events to the remaining collector components. The information is then delivered to the Agent for transmission to Information Manager.
- Third-party security product: Refers to the software product, such as a firewall, that ensures data is not vulnerable to unauthorized use or access, and is the source of events to the collector.

How collectors work

Collectors read data from a third-party security product's data source and compile the data into a Symantec Security Information Manager-compatible format. The Agent logs the events that it receives from the third-party product to Symantec Security Information Manager.

When the Information Manager is unavailable, the Agent queues messages for later delivery, up to a configurable maximum queue size. The default maximum queue size is 20 MB. You can change this queue size by using Information Manager.

For more information, refer to the Symantec Security Information Manager online help.

How collectors process events

Collectors translate third-party security events into Symantec Security Information Manager events using translator and SES Processor rules, and then apply filtering and aggregation rules to the translated events.

Collectors determine how to classify the events by examining the contents of key fields within the third-party security product's data source.

Table 1-2 shows the event categories that collectors assign to each event.

Table 1-2 Event categories

Category: Description

- Security: Events that are generated by the security product's data source
- Application: Events that are generated by collectors (for example, when the application starts or stops)

Table 1-3 shows the event severities that collectors assign to each event.

Table 1-3 Event severities

Severity: Description

- 1 - Informational: Events that represent expected behavior
- 2 - Warning: Events that represent suspicious behavior
- 3 - Minor: Events that could require attention
- 4 - Major: Events that require attention now
- 5 - Critical: Events that require attention now with a broad range of application to the enterprise
- 6 - Fatal: Events that require attention now and that will result in fatal consequences to the enterprise

In the Symantec Security Information Manager environment, events that arrive from an Agent are generally understood to be events that are generated by the system on which the Agent is installed. However, because collectors collect events from a data source that may receive events from multiple computers, the event data is structured to preserve the identity of the originating computer. Events from collectors are logged as if they originated from the computer that originally logged the message. Therefore, collected events display the machine name of the computer that logs the event, rather than the machine name of the computer on which the collector resides.
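The origin-preserving behavior described above, as an added example (not code from the collector or from Symantec): a small Python normalizer that reads constructed, syslog-forwarded SELinux AVC lines and takes the event's machine name from the syslog header rather than from the collector host. The severity mapping, field names, and host names are assumptions for illustration; the collector's own event mapping is not shown on this page.

```python
import re
from dataclasses import dataclass, field

# Severity names from Table 1-3 and category names from Table 1-2.
SEVERITY = {1: "Informational", 2: "Warning", 3: "Minor",
            4: "Major", 5: "Critical", 6: "Fatal"}
SECURITY, APPLICATION = "Security", "Application"

# BSD-syslog header: "Mon dd hh:mm:ss host tag: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s"
    r"(?P<host>\S+)\s(?P<tag>[^:\s]+):\s(?P<msg>.*)$")
# SELinux access vector cache message: avc: denied { perms } for key=value ...
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}"
    r"\s+for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# ASSUMPTION for illustration only, not the collector's real mapping:
# a denial is treated as suspicious, a logged grant as expected behavior.
RESULT_SEVERITY = {"denied": 2, "granted": 1}


@dataclass
class Event:
    machine: str      # computer that originally logged the message
    category: str     # Security or Application (Table 1-2)
    severity: int     # 1..6 (Table 1-3)
    summary: str
    fields: dict = field(default_factory=dict)


def normalize(line, collector_host):
    """Turn one syslog-forwarded AVC line into an Event, or return None."""
    header = SYSLOG_RE.match(line)
    if header is None:
        return None                      # not a syslog line
    avc = AVC_RE.search(header["msg"])
    if avc is None:
        return None                      # syslog line, but not an AVC message
    fields = {k: v.strip('"') for k, v in KV_RE.findall(avc["rest"])}
    fields["permissions"] = avc["perms"].split()
    # Keep the collector's name as metadata only; it is not the event origin.
    fields["collected_by"] = collector_host
    summary = "{} {} on {} ({} -> {})".format(
        avc["result"], ",".join(fields["permissions"]),
        fields.get("tclass", "?"), fields.get("scontext", "?"),
        fields.get("tcontext", "?"))
    return Event(machine=header["host"], category=SECURITY,
                 severity=RESULT_SEVERITY[avc["result"]],
                 summary=summary, fields=fields)


def collector_event(action, collector_host):
    """Event generated by the collector itself, e.g. when it starts or stops."""
    return Event(machine=collector_host, category=APPLICATION,
                 severity=1, summary="collector " + action)


# Constructed sample input: two AVC messages from different hosts, one other line.
SAMPLE_LINES = [
    'Jan 12 10:15:02 web01.example.com kernel: audit(1137060902.123:45): '
    'avc:  denied  { read } for  pid=2314 comm="httpd" name="shadow" '
    'dev=dm-0 ino=12345 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:shadow_t:s0 tclass=file',
    'Jan 12 10:15:07 db02.example.com kernel: audit(1137060907.412:46): '
    'avc:  granted  { load_policy } for  pid=811 comm="load_policy" '
    'scontext=root:sysadm_r:load_policy_t:s0 '
    'tcontext=system_u:object_r:security_t:s0 tclass=security',
    'Jan 12 10:15:09 web01.example.com sshd[2201]: Accepted publickey '
    'for admin from 192.0.2.10 port 50122 ssh2',
]

if __name__ == "__main__":
    collector = "collector01.example.com"    # hypothetical collector host
    events = [collector_event("started", collector)]
    events += [e for e in (normalize(l, collector) for l in SAMPLE_LINES) if e]
    for e in events:
        print(e.machine, e.category, SEVERITY[e.severity], e.summary, sep=" | ")
```
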

What you can do with collectors

After collectors are installed and enabled, your events are inserted into Information Manager. From Symantec Security Information Manager, you can then view, manage, and create reports that are based on the event data.

With Symantec Security Information Manager and the collector, you can do the following:

- View reports. See About viewing reports on page 43.
- Create custom reports. See About creating custom reports on page 43.
- Configure collectors to filter events. See Configuring event filtering on page 29.
- Configure collectors to aggregate events. See Configuring event aggregation on page 32.

Where to find more information about Information Manager

For more information about Information Manager, a knowledge base is available on the Symantec Technical Support Web site at the following URL:

The knowledge base link is listed under Technical Support. You can find the Information Manager knowledge base listed under Security Management.

In the Downloads section of the site, you can obtain updated versions of the documentation, including the following:

- Symantec Security Information Manager Administrator's Guide
- Symantec Security Information Manager Installation Guide

Accessing Help for the console

Symantec Security Information Manager provides context-sensitive help for the console and each of the views that are available in the View menu.

To access Help for the console

- In any window, press F1.


Chapter 2 Installing Symantec Event Collector for Security-Enhanced Linux

This chapter includes the following topics:

- Integration checklists for SELinux Collector
- Before you install the collector
- Installing the SIP, Agent, and collector component
- Configuring your third-party security product and collector sensor
- After you install the collector
- Uninstalling the collector

Integration checklists for SELinux Collector

You can use checklists to guide you through the following tasks that are required to integrate and configure collectors.

- Preinstallation tasks for Symantec Event Collector for Security-Enhanced Linux. See Table 2-1 on page 16.
- Installation tasks for Symantec Event Collector for Security-Enhanced Linux. See Table 2-2 on page 16.
- Configuration tasks for Symantec Event Collector for Security-Enhanced Linux. See Configuring the collector sensor to receive security events on page 26. See Sensor information on page 50.
- Post-installation tasks for Symantec Event Collector for Security-Enhanced Linux. See Table 2-4 on page 17.

Preinstallation checklist

Table 2-1 covers tasks that are required before installing the collector.

Table 2-1 Preinstallation checklist

Preinstallation tasks

- Meet compatibility requirements for both the third-party security product and the collector. See Compatibility and system requirements on page 49.
- Some collectors may require specific tasks to be completed before installing the collector. See Preinstallation requirements for SELinux Collector on page 50.
- Ensure network connectivity by executing a ping command or by running a test Telnet session.

Installation checklist

Table 2-2 covers installation tasks that are required for the collector.

Table 2-2 Installation checklist

Installation tasks

- Update the hosts file. See Updating the hosts file on page 18.
- Install the Symantec Integration Package (SIP). See Installing the SIP on page 19.
- Install the Agent. See Installing the Agent on page 22.
- Install the collector component. See Installing the collector component on page 24.

Configuration checklist

Table 2-3 covers configuration tasks that may be required for the collector and the third-party security product.

Table 2-3 Configuration checklist

Configuration tasks

- Configure Security-Enhanced Linux, if necessary. See Configuring your security product to work with the collector on page 50.
- Configure the collector sensor. See Configuring the collector sensor to receive security events on page 26. See Sensor information on page 50.
- Configure the collector for additional configurations, if necessary. See Recommended collector configurations on page 51. See Collector configuration scenarios on page 53. See Creating collector configurations on page 61.
- Configure event filtering and event aggregation. See Configuring event filtering on page 29. See Configuring event aggregation on page 32.

Post-installation checklist

Table 2-4 covers post-installation tasks that are required after you install the collector.

Table 2-4 Post-installation checklist

Post-installation tasks

- Launch Symantec Security Information Manager. See Launching Symantec Security Information Manager on page 36.
- Test the collector installation. See Testing the collector installation on page 37.
- Start and stop the Agent services or daemons, if necessary. See Starting and stopping Agent services or daemons on page 42.
- View reports. Refer to the Symantec Security Information Manager online help for information on viewing reports.
- Create custom reports. Refer to the Symantec Security Information Manager online help for information on creating reports.

Before you install the collector

The following tasks must be performed before installing the collector:

- Update the hosts file. See Updating the hosts file on page 18.
- Perform any preinstallation tasks that are specific for SELinux Collector. See Preinstallation requirements for SELinux Collector on page 50.

Updating the hosts file

The hosts file contains IP address and host name mapping information. If there is no fully-qualified domain name for the Information Manager computer, or you are not using a Domain Name System (DNS) server, the hosts file must be manually updated to reflect the IP address and host name information that is relevant to Information Manager and to the collectors that harvest event data. Host names must be fully-qualified domain names.

To update the hosts file

1 Navigate to the directory of the hosts file. On Windows, the hosts file is located in the C:\WINDOWS\system32\drivers\etc folder. On Linux/Solaris, the hosts file is located in the /etc directory.
2 Using a text editor, open the hosts file.

3 Add the IP address and host name entries for the Information Manager appliance. Follow the instructions that are provided in the hosts file for adding IP address and host name mapping information to the file. Use a tab between the IP address and host name.
4 After you have added the IP address and host name, save and close the file. You should ensure that the text editor that you are using does not add a file extension.

Installing the SIP, Agent, and collector component

Collectors gather security information from your third-party security product and send the information through the Agent to the Symantec Security Information Manager.

After you have completed the preinstallation procedures, the general collector installation sequence is as follows:

- Install the Symantec Integration Package (SIP) on Information Manager. If you are installing collectors to more than one computer that is being managed by the same Information Manager, you only need to install the SIP once. See Installing the SIP on page 19.
- Install the Agent on the target computer. See Installing the Agent on page 22.
- Install the collector component on the target computer. See Installing the collector component on page 24.

Installing the SIP

The Information Manager Web configuration interface provides a link that you can use to download and install the Symantec Integration Wizard. The wizard installs the Symantec Integration Package (SIP) for the collector. Each SIP contains the configuration settings and event schemas that Information Manager requires to recognize and log events from a product.

The Symantec Integration Wizard must run on a computer that has network access to the Information Manager appliance and the computer on which you copy the SIP.

The computer on which you copy the SIP must be running on one of the following computer platforms:

- Windows 2000 Server Service Pack 4
- Windows 2000 Advanced Server Service Pack 4
- Windows 2003 Server Standard Edition Service Pack 1
- Windows 2003 Server Enterprise Edition Service Pack 1
- Microsoft Windows XP with Service Pack 2

You must complete the following tasks in the order listed to install the SIP for the collector with Information Manager:

- Download and install the Symantec Integration Wizard. See To download and install the Symantec Integration Wizard on page 20.
- Install the Symantec Integration Package. See To install the Symantec Integration Package on page 20.

To download and install the Symantec Integration Wizard

1 In a Web browser, type the IP address of the Symantec Security Information Manager. The following is an example of an Information Manager IP address:
2 Click Configure Appliance, and enter the SSIM administrator login information.
3 On the Security Information Manager welcome page, click Register SIPs.
4 On the Register SIPs page, click Download SIP Integration Wizard.
5 When prompted, specify the path of the Windows computer to which you would like to download the SIP Integration Wizard installation file.
6 On the Windows computer, double-click SIPI.zip, and unpack it to the desired folder.

To install the Symantec Integration Package

1 On a Windows computer, at the command prompt, change to the folder in which you unpacked SIPI.zip.
2 To launch the Symantec Integration Wizard, type the following:
    registersip_linux.bat
3 In the Welcome to the Symantec Integration Wizard panel, click Next.
4 In the Symantec Integration Requirements panel, click Next. The Java Virtual Machine (JVM) is configured to support Secure Sockets Layer (SSL). For more information, refer to the Symantec Security Information Manager online help.
5 In the Directory Domain Administrator Information panel, specify information in the following text boxes:

- Directory Domain Administrator Name: Type the name for the Domain Administrator account. This account provides access to its associated Information Manager administrative domain.
- Directory Domain Administrator Password: Type the Directory Domain Administrator password.
- Log on to domain (in dotted notation): Type the administrative domain. An example of dotted notation is: NorthAmerica.SES
- Host Name or IP Address of SESA Directory: Do one of the following:
  - If Information Manager is using default, anonymous SSL communications, type the IP address of the Information Manager computer.
  - If Information Manager is using authenticated SSL communication, type the host name of the Information Manager computer. For example, mycomputer.com.
  For more information on the SESA default, anonymous SSL, and upgrading to authenticated SSL, refer to the Symantec Security Information Manager online help.
- Secure Directory Port: Type the number of the Information Manager Directory SSL port (by default, 636).

6 In the Symantec Integration Package to Install panel, type or browse to the location in which the SIP is located. The SIP is located on the collector CD in the ..\collectors\<third-party>\sip folder, where <third-party> is an abbreviated name of your third-party security product. SIP files have the extension .sip.
7 In the Request Immediate Deployment/Removal of SIP panel, check one of the following:
- Deploy or remove the SIP at a scheduled time: Installs the SIP at the time that is specified in the Deploy time option in Symantec Security Information Manager. The default setting for Deploy time is every Saturday and Sunday at 2:00 P.M. GMT. You can change the default time by modifying the Product Installation Service Deploy Time configuration option. For instructions on changing the default setting, see the Symantec Security Information Manager Administration Help.
- Queue the SIP for immediate deployment or removal: Queues the SIP for immediate installation to the Information Manager and event database. To restart the Web services after the deployment to the Information Managers, check If necessary, restart the Web server. The Web server needs to be restarted for the Information Managers to recognize the Manager Extensions that are deployed with the SIP.

In the Select the Domains panel, check the administrative domains to which you want to deploy the SIP. To deploy to all available domains, check the top-level Available Domains check box.

8 In the Select the Managers panel, check the Information Managers to which you want to deploy the SIP Manager Extensions. To deploy to all Information Managers, check the top-level Available Managers check box.
9 Follow the on-screen instructions until you reach the Integration Successful panel.
10 To complete the Symantec Integration Wizard, click Finish.

Troubleshooting the SIP installation

The SIP may take up to 15 minutes to deploy before you can see the product represented in the Symantec Security Information Manager.

If you receive a warning during SIP deployment that reports the Master SIP Servlet is not found, an Information Manager appliance was not installed in the domain or subdomain you selected. An Information Manager appliance that is installed to a top-level domain is never installed to any subdomains. Ensure that all top-level domains and subdomains that you select for SIP deployment have an Information Manager installed before you deploy a SIP.

A warning message that reports Unable to ping Master SIP Servlet means that the network connection has failed. In this case, you should restore network connectivity to the Information Manager appliance where the Master SIP Servlet resides, and retry the deployment.

Installing the Agent

The Agent sends the data that is harvested by the collector component to the Information Manager. The Agent is installed on the same target computer as the collector component, and must have network access to the Information Manager.

Note: JRE 1.5 is automatically installed along with the Agent into a subdirectory of the installation directory that is specified at installation. By default, the directory is C:\Program Files\Symantec\SESA\Agent\jre on Windows, and /opt/symantec/sesa/agent/jre on Linux/Solaris. The JRE is used by the collector component and the Agent only. It does not interfere with any other JRE that is installed on the computer.

If you are installing more than one collector on the same computer, you only need to install the Agent once.

Make sure you have performed the following tasks in the order in which they are listed before installing the Agent:

- Contact your Symantec support engineer for the collector and Agent installation files, and then copy and extract the installation files to a temporary installation directory on the computer on which you will install the Agent and collector component.
- Install the Symantec Integration Package (SIP). See To install the Symantec Integration Package on page 20.

To install the Agent on Windows

1 On the computer on which you will install the collector, from the command line, navigate to the temporary installation directory, and then navigate to the AgtInst folder.
2 Type the following:
    setup.exe -s<ip address> [-p<port_number>] [-i<inst_path>] [-debug]
  where <ip address> corresponds to the IP address of Information Manager, the optional -p parameter may be used to specify a port number other than 443, and the optional -i parameter may be used to specify an installation path other than C:\Program Files\Symantec\SESA\Agent. The installation is completely silent unless the optional -debug parameter is added.
3 After the installation completes, verify that the Agent is running. See To verify that the Agent and collector are running on page 25.
To install the Agent on Linux/Solaris 1 On the computer on which you will install the collector, become superuser. 2 From the command line, navigate to the temporary installation directory that contains the following file: Unix.tar.gz

24 24 Installing Symantec Event Collector for Security-Enhanced Linux Installing the SIP, Agent, and collector component 3 To decompress and extract the file, type the following: tar zxvf Unix.tar.gz 4 Navigate to the AgtInst directory and type the following: Installing the collector component./install.sh -s<ip address> [-p<port_number>] [-i<inst_path>] [-debug] where the -s parameter is the IP address of Information Manager, the optional -p parameter may be used to specify a port number other than 443, and the optional -i parameter may be used to specify an installation path other than /opt/symantec/sesa/agent. The installation is completely silent unless the optional -debug parameter is added. The collector component reads the data from the third-party security product, formats the data, and forwards it to the Agent. The computer on which you install the collector component must have access to the third-party security product that you want to monitor. Make sure you performed the following tasks in the order in which they are listed before installing the collector component: Contact your Symantec support engineer for the collector and Agent installation files, and then copy or extract the installation files to a temporary installation directory on the computer on which you will install the Agent and collector component. Install the Symantec Integration Package (SIP). See Installing the SIP on page 19. Install the Agent. See Installing the Agent on page 22. To install the collector component 1 On the computer on which you will install the collector, from the command line, navigate to the temporary installation directory, and then the install directory. 2 From the command line, type the following: On Windows, install.bat On Linux/Solaris, sh./install.sh

3 Follow the on-screen instructions. When prompted whether or not to run Java LiveUpdate for the collector, type N unless you have a LiveUpdate server on your network, and you would like to update the collector at this time. Symantec Event Collector for Security-Enhanced Linux does not support LiveUpdate.
4 After the installation completes, verify that the Agent and collector component are running.

To verify that the Agent and collector are running
1 At the command prompt, do one of the following:
  - On Windows, navigate to the default Agent installation folder on C:\Program files\symantec\sesa\agent, and type the following command:
      .\jre\bin\java -jar agentcmd.jar -status
  - On Linux/Solaris, navigate to the default installation directory /opt/symantec/sesa/agent, and type the following command:
      ./jre/bin/java -jar agentcmd.jar -status
2 In the output that appears, verify the following statement:
    SESA Agent status: running
    Outbound Thread state: CONNECTED
3 If the Agent is not running, restart the server on which the Agent is installed.

Configuring your third-party security product and collector sensor

After you have installed the necessary collector components, the following configuration tasks may need to be performed:
- Configure your third-party security product. See Configuring your security product to work with the collector on page 50.
- Configure the collector sensor. See Configuring the collector sensor to receive security events on page 26.
- Create a new collector configuration, if necessary. See Creating collector configurations on page 61.
- Configure collectors for event filtering. See Configuring event filtering on page 29.
- Configure collectors for event aggregation. See Configuring event aggregation on page 32.

About configuring your third-party security product to work with the collector

After you have installed the necessary collector components, your third-party security product may need configuring to make the event information available to the collector. See Configuring your security product to work with the collector on page 50.

Configuring the collector sensor to receive security events

The collector uses a sensor that must be configured to receive security events. After the sensor is configured, or when a change has been made to a sensor setting, the settings must be distributed to the collectors on the target computers.

Sensor configuration includes the following actions:
- Configuring the collector sensor. See To configure the collector sensor to receive security events on page 27.
- Importing and exporting sensor settings, optional. Collectors let you import and export sensor settings. Sensor settings will be exported in an XML file format, and must be imported in the same XML file format. The XML file for sensor settings should be in the following format:

    <?xml version="1.0" encoding="utf-8"?>
    <sensors>
      <sensor enabled="true" name="sensor" uid="26c9cb11: e89:-7fff">
        <property encrypted="false" name="protocol">udp</property>
        <property encrypted="false" name="hosts">*</property>
        <property encrypted="false" name="port">514</property>
      </sensor>
    </sensors>

  See To import and export sensor settings on page 27.
- Globally updating sensor settings, optional. You can copy selected sensor settings to other sensors that are within the same configuration. This is particularly useful if you have many sensors that need updating. See To globally update sensor settings on page 28.

To configure the collector sensor to receive security events
1 In the Information Manager console, on the View menu, click Other Services > Configuration Viewer.
2 In the Configuration Viewer window, in the left pane, expand the top-level domain, and then expand the collector name twice.
3 Click Default. A default configuration (named Default) is provided upon installation.
4 In the right pane, on the sensor tab, select a sensor.
5 In the sensor property table under the Value column, change any of the information. See Sensor information.
6 Click Save.
7 In the left pane, right-click the appropriate configuration, and then click Distribute.
8 When you are prompted to distribute the configuration, click Yes.
9 In the Configuration Viewer window, click Close.

To import and export sensor settings
1 In Symantec Security Information Manager, on the View menu, click Other Services > Configuration Viewer.
2 In the Configuration Viewer window, in the left pane, expand the top-level domain, and then expand the collector name twice.
3 Click the appropriate configuration. A configuration called Default is provided upon installation. See Adding, deleting, and disabling sensors.
4 In the right pane, on the sensor tab:
  - If you are importing, click Imports configuration from XML file.
  - If you are exporting, click Exports configuration to XML file.
5 If you are importing: In the Import Definitions From File window that appears, specify the XML file you wish to import into the collector.
  If you are exporting: In the Export Definitions to File window that appears, specify a filename for which to export the configurations.

To globally update sensor settings
1 In Symantec Security Information Manager, on the View menu, click Other Services > Configuration Viewer.
2 In the Configuration Viewer window, in the left pane, expand the top-level domain, and then expand the collector name twice.
3 Click the appropriate configuration. A configuration called Default is provided upon installation.
4 In the right pane, on the sensor tab, select a sensor so that it appears highlighted.
5 In the right pane, on the lower right, click Global Update.
6 In the Select Properties for Global Update window, place a checkmark next to the property for which you want to propagate its value to all other sensors within the same configuration.
7 Click OK to complete the global update process.
8 Proceed to make changes that may be unique to each sensor. See To configure the collector sensor to receive security events.
9 In the left pane, right-click the configuration, and then click Distribute.
10 When you are prompted to distribute the configuration, click Yes.
11 In the Configuration Viewer window, click Close.

Viewing general information

You can view basic information for any collector that is enabled on Symantec Security Information Manager, such as configuration names and last modified dates.

To view general information
1 In Symantec Security Information Manager, on the View menu, click Other Services > Configuration Viewer.
2 In the Configuration Viewer window, in the left pane, expand the top-level domain, and then expand the collector name twice.
3 Select the appropriate configuration. A configuration called Default is provided upon installation. See Adding, deleting, and disabling sensors.
4 In the right pane, on the General tab, view the following information:
  - Configuration name
  - Description
  - Last modified on
5 In the Configuration Viewer window, click Close.

Configuring event filtering

Collectors include a feature that lets you exclude events from being forwarded to Symantec Security Information Manager. Event filtering provides you with the flexibility to reduce the event traffic, and the number of events that are stored in the event database, by filtering out data that may be less important to your organization's security.

Collectors also let you import and export filtering configurations. Filtering configurations will be exported in an XML file format, and must be imported in the same XML file format. The XML file for filtering should be in the following format:

    <?xml version="1.0" encoding="utf-8"?>
    <filter>
      <filter-spec enabled="false" index="0" name="specification 0">
        <filter-field comparator="eq" name="queue_product_id">1</filter-field>
      </filter-spec>
      <filter-spec enabled="true" index="1" name="specification 1">
        <filter-field comparator="eq" name="server">33</filter-field>
      </filter-spec>
    </filter>

For guidelines on setting up event filtering rules, see the Symantec Security Information Manager Deployment Planning Guide.

Event filtering configuration consists of the following actions:
- Adding and enabling event filtering rules. See To add and enable event filtering rules on page 30.
- Changing existing event filtering rules. See To change existing event filtering rules on page 31.
- Importing and exporting event filtering rules. See To import and export event filtering rules on page 32.

Event filtering rules are not configured by default. You must add rules before you can enable or configure them.

To add and enable event filtering rules
1 In Symantec Security Information Manager, on the View menu, click Other Services > Configuration Viewer.
2 In the Configuration Viewer window, in the left pane, expand the top-level domain, and then expand the collector name twice.
3 Click the appropriate configuration. A configuration called Default is provided upon installation. See Adding, deleting, and disabling sensors.
4 In the right pane, on the Filter tab, click Add.
5 Double-click Specification n (where n is 0, 1, 2, and so on), type a name for the rule, and then click OK.
6 Under the rule properties table, click Add, and then do the following:
  - In the Name column, type a name for the event filter property (for example, IP Destination Port) or double-click in the Name text box to bring up an Information Manager fields window. You can choose from the list of items presented in the expanded directories of the Information Manager fields window.
  - In the Operator column, select an operator from the drop-down list (for example, equal to).
  - In the Value column, type a value or select a preset value for the event filter property (for example, 80 for the port number).
  You can filter events by pattern by using a regular expression function. For example, to filter all events that contain "SUCCESS", enter the following in the Value column:
      regex(.*success.*)
  where all characters within the parentheses are part of the regular expression, and "." and "*" are both metacharacters. "." matches any character. "*" matches zero or more occurrences of the preceding element. Therefore, match zero or more occurrences of any character, followed by the literal string SUCCESS, followed by zero or more occurrences of any character. To rephrase, match the literal string SUCCESS anywhere within the field.
7 Repeat step 6 to add more event filtering information for the rule. All rules within a given specification will use the boolean AND to determine whether or not an event is a candidate for filtering. If there are multiple specifications, each specification will use the boolean OR.

8 When you are finished adding information for the rule, in the filter list, check the filter name.
9 Click Save.
10 In the left pane, right-click the appropriate configuration, and then click Distribute.
11 When you are prompted to distribute the configuration, click Yes.
12 In the Configuration Viewer window, click Close.

To change existing event filtering rules
1 In Symantec Security Information Manager, on the View menu, click Other Services > Configuration Viewer.
2 In the Configuration Viewer window, in the left pane, expand the top-level domain, and then expand the collector name twice.
3 Click the appropriate configuration. A configuration called Default is provided upon installation.
4 In the right pane, on the Filter tab, do any of the following:
  - To add a specification, click Add.
  - To delete a specification, select the specification, and then click Remove.
  - To delete all specifications, click Remove All.
5 To determine the order in which Information Manager follows event filtering, next to the list of specifications, click the arrow keys.
6 To change the name of the specification, double-click the specification in the specification list, and then in the Name text box, type a new name.
7 To disable a specification, but not delete it, in the filter list, uncheck the filter name.
8 In the rule properties table, change the information in any of the following columns:
  - Name
  - Operator
  - Value
9 Under the rule properties table, do any of the following:
  - To add a rule property, click Add.
  - To delete a rule property, select the rule property, and then click Remove.
  - To delete all rule properties, click Remove All.
10 Click Save.
11 In the left pane, right-click the appropriate Default folder, and then click Distribute.
12 When you are prompted to distribute the configuration, click Yes.
13 In the Configuration Viewer window, click Close.

To import and export event filtering rules
1 In Symantec Security Information Manager, on the View menu, click Other Services > Configuration Viewer.
2 In the Configuration Viewer window, in the left pane, expand the top-level domain, and then expand the collector name twice.
3 Click the appropriate configuration. A configuration called Default is provided upon installation. See Adding, deleting, and disabling sensors.
4 In the right pane, on the Filter tab:
  - If you are importing, click Imports configurations from XML file.
  - If you are exporting, click Export configurations to XML file.
5 If you are importing: In the Import Configurations From File window that appears, specify the XML file you wish to import into the collector.
  If you are exporting: In the Export Configurations to File window that appears, specify a filename for which to export the configurations.

Configuring event aggregation

Collectors include a feature that lets you group similar events to reduce event traffic and the number of events that are stored in the event datastore. The first event of a given type is sent to Symantec Security Information Manager immediately. All subsequent events of the same type are sent as one aggregated event. Aggregated events contain start and end times, but all other event fields are taken from the first event in the aggregated set.

Collectors also let you import and export aggregation configurations. Aggregation configurations will be exported in an XML file format, and must be imported in the same XML file format.
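The filter export format and the AND/OR rule described under Configuring event filtering can be checked offline before a file is imported and distributed, because any event a specification matches is never forwarded to Information Manager. The following is an added Python example, not Symantec code. Its assumptions: the field names ip_dest_port and message, regex(...) values being stored verbatim in the XML, regular expressions matching the whole field, and disabled or empty specifications being skipped.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the export format shown in the guide. "queue_product_id"
# and "server" appear in the guide; "ip_dest_port" and "message" are assumed names.
SAMPLE_FILTER_XML = """<?xml version="1.0" encoding="utf-8"?>
<filter>
  <filter-spec enabled="false" index="0" name="specification 0">
    <filter-field comparator="eq" name="queue_product_id">1</filter-field>
  </filter-spec>
  <filter-spec enabled="true" index="1" name="drop successful web traffic">
    <filter-field comparator="eq" name="ip_dest_port">80</filter-field>
    <filter-field comparator="eq" name="message">regex(.*SUCCESS.*)</filter-field>
  </filter-spec>
  <filter-spec enabled="true" index="2" name="everything from server 33">
    <filter-field comparator="eq" name="server">33</filter-field>
  </filter-spec>
</filter>
"""

# Constructed events, each a field-name -> string-value dictionary.
SAMPLE_EVENTS = [
    {"server": "33", "ip_dest_port": "22", "message": "login FAILURE for root"},
    {"server": "12", "ip_dest_port": "80", "message": "GET /index SUCCESS"},
    {"server": "12", "ip_dest_port": "80", "message": "GET /admin DENIED"},
    {"server": "12", "ip_dest_port": "22", "queue_product_id": "1",
     "message": "avc: denied"},
]

# Assumption: a pattern typed as regex(...) in the Value column is stored verbatim.
REGEX_VALUE = re.compile(r"^regex\((.*)\)$", re.DOTALL)


def load_specs(xml_text):
    """Parse <filter-spec> elements into dicts, ordered by their index attribute."""
    data = xml_text.encode("utf-8")
    if b"<!DOCTYPE" in data:
        # The documented format has no DTD; refusing one avoids entity expansion.
        raise ValueError("DOCTYPE not expected in a filter export")
    root = ET.fromstring(data)
    if root.tag != "filter":
        raise ValueError("root element must be <filter>")
    specs = []
    for spec in root.findall("filter-spec"):
        fields = [
            (f.get("name"), f.get("comparator"), (f.text or "").strip())
            for f in spec.findall("filter-field")
        ]
        specs.append({
            "name": spec.get("name"),
            "index": int(spec.get("index", "0")),
            "enabled": spec.get("enabled") == "true",
            "fields": fields,
        })
    return sorted(specs, key=lambda s: s["index"])


def field_matches(event, name, comparator, value):
    """Evaluate one filter-field. Only the 'eq' comparator shown in the guide is handled."""
    if comparator != "eq":
        raise ValueError("unsupported comparator: %r" % comparator)
    if name not in event:
        return False
    actual = str(event[name])
    pattern = REGEX_VALUE.match(value)
    if pattern:
        return re.fullmatch(pattern.group(1), actual, re.DOTALL) is not None
    return actual == value


def matching_spec(event, specs):
    """Return the name of the first enabled specification that would filter the event.

    Fields inside a specification are ANDed; specifications are ORed.
    """
    for spec in specs:
        if not spec["enabled"] or not spec["fields"]:
            continue  # assumption: an empty specification filters nothing
        if all(field_matches(event, *field) for field in spec["fields"]):
            return spec["name"]
    return None


def audit(events, specs):
    """Return (dropped_count_by_spec, forwarded_events) for a batch of events."""
    dropped, forwarded = {}, []
    for event in events:
        hit = matching_spec(event, specs)
        if hit is None:
            forwarded.append(event)
        else:
            dropped[hit] = dropped.get(hit, 0) + 1
    return dropped, forwarded


if __name__ == "__main__":
    dropped, forwarded = audit(SAMPLE_EVENTS, load_specs(SAMPLE_FILTER_XML))
    for name, count in dropped.items():
        print("filtered by %r: %d event(s)" % (name, count))
    print("forwarded: %d event(s)" % len(forwarded))
```

Running a sample of real events through `audit` shows which specification would suppress each one, which makes an over-broad rule such as a single-field match on a whole server visible before the configuration is distributed.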


More information

Security Content Update Release Notes for CCS 12.x

Security Content Update Release Notes for CCS 12.x Security Content Update 2018-1 Release Notes for CCS 12.x SCU 2018-1 Release Notes for CCS 12.0 Documentation version: 1.0 Legal Notice Copyright 2018 Symantec Corporation. All rights reserved. Symantec,

More information

Veritas Operations Manager Storage Insight Add-on for Deep Array Discovery and Mapping 4.0 User's Guide

Veritas Operations Manager Storage Insight Add-on for Deep Array Discovery and Mapping 4.0 User's Guide Veritas Operations Manager Storage Insight Add-on for Deep Array Discovery and Mapping 4.0 User's Guide Veritas Operations Manager Storage Insight Add-on for Deep Array Discovery and Mapping The software

More information

Symantec Enterprise Security Manager IBM DB2 Modules User Guide for Windows and UNIX. Version 4.6

Symantec Enterprise Security Manager IBM DB2 Modules User Guide for Windows and UNIX. Version 4.6 Symantec Enterprise Security Manager IBM DB2 Modules User Guide for Windows and UNIX Version 4.6 Symantec Enterprise Security Manager IBM DB2 Modules User Guide The software described in this book is furnished

More information

Symantec Enterprise Security Manager IBM DB2 Modules User Guide for Windows and UNIX. Version 4.2

Symantec Enterprise Security Manager IBM DB2 Modules User Guide for Windows and UNIX. Version 4.2 Symantec Enterprise Security Manager IBM DB2 Modules User Guide for Windows and UNIX Version 4.2 Symantec Enterprise Security Manager IBM DB2 Modules User Guide The software described in this book is furnished

More information

Veritas NetBackup for SQLite Administrator's Guide

Veritas NetBackup for SQLite Administrator's Guide Veritas NetBackup for SQLite Administrator's Guide Windows and Linux Release 8.1.1 Documentation version: 8.1.1 Legal Notice Copyright 2018 Veritas Technologies LLC. All rights reserved. Veritas and the

More information

Symantec NetBackup OpsCenter Reporting Guide. Release 7.7

Symantec NetBackup OpsCenter Reporting Guide. Release 7.7 Symantec NetBackup OpsCenter Reporting Guide Release 7.7 Symantec NetBackup OpsCenter Reporting Guide The software described in this book is furnished under a license agreement and may be used only in

More information

Veritas System Recovery 16 Management Solution Administrator's Guide

Veritas System Recovery 16 Management Solution Administrator's Guide Veritas System Recovery 16 Management Solution Administrator's Guide Documentation version: 2017 Legal Notice Copyright 2017 Veritas Technologies LLC. All rights reserved. Veritas and the Veritas Logo

More information

Symantec ServiceDesk 7.1 SP1 Implementation Guide

Symantec ServiceDesk 7.1 SP1 Implementation Guide Symantec ServiceDesk 7.1 SP1 Implementation Guide Symantec ServiceDesk 7.1 SP1 Implementation Guide The software described in this book is furnished under a license agreement and may be used only in accordance

More information

Symantec Enterprise Vault

Symantec Enterprise Vault Symantec Enterprise Vault Deployment Scanner 10.0 Symantec Enterprise Vault: Deployment Scanner The software described in this book is furnished under a license agreement and may be used only in accordance

More information

Symantec NetBackup Deduplication Guide. Release 7.0

Symantec NetBackup Deduplication Guide. Release 7.0 Symantec NetBackup Deduplication Guide Release 7.0 20654102 Symantec NetBackup Deduplication Guide The software described in this book is furnished under a license agreement and may be used only in accordance

More information

PGP Viewer for ios. User s Guide 1.0

PGP Viewer for ios. User s Guide 1.0 PGP Viewer for ios User s Guide 1.0 The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement. Version 1.0.2. Last updated:

More information

Symantec Event Collector 4.4 for Nessus Quick Reference

Symantec Event Collector 4.4 for Nessus Quick Reference Symantec Event Collector 4.4 for Nessus Quick Reference Symantec Event Collector for Nessus Quick Reference The software described in this book is furnished under a license agreement and may be used only

More information

Symantec PGP Viewer for ios

Symantec PGP Viewer for ios Symantec PGP Viewer for ios User's Guide 1.0 The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement. Version 1.0.0.

More information

Veritas SaaS Backup for Salesforce

Veritas SaaS Backup for Salesforce Veritas SaaS Backup for Salesforce Documentation version: 2.0 Legal Notice Copyright 2018 Veritas Technologies LLC. All rights reserved. Veritas and the Veritas Logo are trademarks or registered trademarks

More information

Veritas SaaS Backup for Office 365

Veritas SaaS Backup for Office 365 Veritas SaaS Backup for Office 365 Documentation version: 1.0 Legal Notice Copyright 2018 Veritas Technologies LLC. All rights reserved. Veritas and the Veritas Logo are trademarks or registered trademarks

More information

Wise Mobile Device Package Editor Reference

Wise Mobile Device Package Editor Reference Wise Mobile Device Package Editor Reference Mobile Device Package Editor The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of

More information

Reporting User's Guide

Reporting User's Guide Reporting User's Guide Reporting User's Guide The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement. Documentation

More information

Altiris PC Transplant 6.8 SP4 from Symantec User Guide

Altiris PC Transplant 6.8 SP4 from Symantec User Guide Altiris PC Transplant 6.8 SP4 from Symantec User Guide Altiris PC Transplant 6.8 SP4 from Symantec User Guide The software described in this book is furnished under a license agreement and may be used

More information

Veritas Storage Foundation for Oracle Graphical User Interface Guide. 5.0 Maintenance Pack 3

Veritas Storage Foundation for Oracle Graphical User Interface Guide. 5.0 Maintenance Pack 3 Veritas Storage Foundation for Oracle Graphical User Interface Guide 5.0 Maintenance Pack 3 Veritas Storage Foundation for Oracle Graphical User Interface Guide The software described in this book is furnished

More information

Veritas System Recovery 18 Linux Edition: Quick Installation Guide

Veritas System Recovery 18 Linux Edition: Quick Installation Guide Veritas System Recovery 18 Linux Edition: Quick Installation Guide Documentation version: 18 Legal Notice Copyright 2018 Veritas Technologies LLC. All rights reserved. Veritas and the Veritas Logo are

More information

Symantec ediscovery Platform

Symantec ediscovery Platform Symantec ediscovery Platform Native Viewer (ActiveX) Installation Guide 7.1.5 Symantec ediscovery Platform : Native Viewer (ActiveX) Installation Guide The software described in this book is furnished

More information

Symantec Backup Exec System Recovery Manager Implementation Guide

Symantec Backup Exec System Recovery Manager Implementation Guide Symantec Backup Exec System Recovery Manager Implementation Guide Symantec Backup Exec System Recovery Manager 8.0 Implementation Guide The software described in this book is furnished under a license

More information

Implementation Guide for Symantec Endpoint Protection Small Business Edition

Implementation Guide for Symantec Endpoint Protection Small Business Edition Implementation Guide for Symantec Endpoint Protection Small Business Edition Implementation Guide for Symantec Endpoint Protection Small Business Edition The software described in this book is furnished

More information

Symantec NetBackup for Enterprise Vault Agent Administrator's Guide

Symantec NetBackup for Enterprise Vault Agent Administrator's Guide Symantec NetBackup for Enterprise Vault Agent Administrator's Guide for Windows Release 7.1 Symantec NetBackup for Enterprise Vault Agent Administrator's Guide The software described in this book is furnished

More information

Symantec ApplicationHA Agent for Microsoft Internet Information Services (IIS) Configuration Guide

Symantec ApplicationHA Agent for Microsoft Internet Information Services (IIS) Configuration Guide Symantec ApplicationHA Agent for Microsoft Internet Information Services (IIS) Configuration Guide Windows Server 2003, Windows Server 2008 and 2008 R2 5.1 Service Pack 2 September 2011 Symantec ApplicationHA

More information

PGP Desktop Version 10.2 for Windows Maintenance Pack Release Notes

PGP Desktop Version 10.2 for Windows Maintenance Pack Release Notes PGP Desktop Version 10.2 for Windows Maintenance Pack Release Notes Thank you for using this Symantec Corporation product. These Release Notes contain important information regarding this release of PGP

More information

Veritas Dynamic Multi-Pathing readme

Veritas Dynamic Multi-Pathing readme Veritas Dynamic Multi-Pathing readme Linux DMP 5.1 Rolling Patch 1 Patch 0 Veritas Dynamic Multi-Pathing Readme The software described in this book is furnished under a license agreement and may be used

More information

User Guide. We protect more people from more online threats than anyone in the world.

User Guide. We protect more people from more online threats than anyone in the world. User Guide We protect more people from more online threats than anyone in the world. Care for our Environment, It's the right thing to do. Symantec has removed the cover from this manual to reduce the

More information

NetBackup Copilot for Oracle Configuration Guide. Release 2.7.1

NetBackup Copilot for Oracle Configuration Guide. Release 2.7.1 NetBackup Copilot for Oracle Configuration Guide Release 2.7.1 NetBackup Copilot for Oracle Configuration Guide Documentation version: 2.7.1 Legal Notice Copyright 2015 Symantec Corporation. All rights

More information

Symantec Universal Event Collectors 4.4 for Symantec Security Information Manager 4.7 Implementation Guide

Symantec Universal Event Collectors 4.4 for Symantec Security Information Manager 4.7 Implementation Guide Symantec Universal Event Collectors 4.4 for Symantec Security Information Manager 4.7 Implementation Guide Symantec Universal Event Collectors 4.4 for Symantec Security Information Manager 4.7 Implementation

More information

Symantec ApplicationHA Agent for Microsoft SQL Server 2008 and 2008 R2 Configuration Guide

Symantec ApplicationHA Agent for Microsoft SQL Server 2008 and 2008 R2 Configuration Guide Symantec ApplicationHA Agent for Microsoft SQL Server 2008 and 2008 R2 Configuration Guide Windows Server 2003 (x64), Windows Server 2008 and 2008 R2 (x64) 5.1 Service Pack 2 06/13/2011 Symantec ApplicationHA

More information

Veritas Desktop and Laptop Option 9.2. High Availability (HA) with DLO

Veritas Desktop and Laptop Option 9.2. High Availability (HA) with DLO Veritas Desktop and Laptop Option 9.2 High Availability (HA) with DLO 2 Veritas Desktop and Laptop Option The software described in this document is furnished under a license agreement and may be used

More information

Symantec NetBackup for Enterprise Vault Agent Administrator's Guide

Symantec NetBackup for Enterprise Vault Agent Administrator's Guide Symantec NetBackup for Enterprise Vault Agent Administrator's Guide for Windows Release 7.7 Symantec NetBackup for Enterprise Vault Agent Administrator's Guide Documentation version: 7.7 Legal Notice Copyright

More information

Security Content Update Release Notes. Versions: CCS 11.1 and CCS 11.5

Security Content Update Release Notes. Versions: CCS 11.1 and CCS 11.5 Security Content Update 2016-1 Release Notes Versions: CCS 11.1 and CCS 11.5 SCU 2016-1 Release Notes for CCS 11.1 and CCS 11.5 Legal Notice Copyright 2016 Symantec Corporation. All rights reserved. Symantec,

More information

Veritas Storage Foundation and High Availability Solutions Getting Started Guide - Linux

Veritas Storage Foundation and High Availability Solutions Getting Started Guide - Linux Veritas Storage Foundation and High Availability Solutions 6.0.4 Getting Started Guide - Linux September 2013 Veritas Storage Foundation and High Availability Solutions Getting Started Guide The software

More information

Veritas Volume Replicator Web GUI Administrator's Guide

Veritas Volume Replicator Web GUI Administrator's Guide Veritas Volume Replicator Web GUI Administrator's Guide Solaris 5.0 Maintenance Pack 3 Veritas Volume Replicator Web GUI Administrator's Guide The software described in this book is furnished under a license

More information

Client Guide for Symantec Endpoint Protection and Symantec Network Access Control. For Microsoft Windows

Client Guide for Symantec Endpoint Protection and Symantec Network Access Control. For Microsoft Windows Client Guide for Symantec Endpoint Protection and Symantec Network Access Control For Microsoft Windows Client Guide for Symantec Endpoint Protection and Symantec Network Access Control The software described

More information

PGP(TM) Universal Server Version 3.2 Maintenance Pack Release Notes

PGP(TM) Universal Server Version 3.2 Maintenance Pack Release Notes PGP(TM) Universal Server Version 3.2 Maintenance Pack Release Notes Thank you for using this Symantec Corporation product. These Release Notes contain important information regarding this release of PGP

More information

Symantec Encryption Desktop Version 10.3 for Windows Maintenance Pack Release Notes

Symantec Encryption Desktop Version 10.3 for Windows Maintenance Pack Release Notes Symantec Encryption Desktop Version 10.3 for Windows Maintenance Pack Release Notes Thank you for using this Symantec Corporation product. These Release Notes contain important information regarding this

More information

Partner Information. Integration Overview. Remote Access Integration Architecture

Partner Information. Integration Overview. Remote Access Integration Architecture Partner Information Partner Name Product Name Integration Overview Authentication Methods Supported Client Integration OTP Barracuda Networks Barracuda SSL VPN User Name + Security Code VIP Enterprise

More information

Symantec Mobile Management 7.1 Implementation Guide

Symantec Mobile Management 7.1 Implementation Guide Symantec Mobile Management 7.1 Implementation Guide Symantec Mobile Management 7.1 Implementation Guide The software described in this book is furnished under a license agreement and may be used only in

More information

Veritas NetBackup Copilot for Oracle Configuration Guide. Release 2.7.2

Veritas NetBackup Copilot for Oracle Configuration Guide. Release 2.7.2 Veritas NetBackup Copilot for Oracle Configuration Guide Release 2.7.2 Veritas NetBackup Copilot for Oracle Configuration Guide Documentation version: 2.7.2 Legal Notice Copyright 2016 Veritas Technologies

More information

Symantec NetBackup PureDisk Storage Pool Installation Guide

Symantec NetBackup PureDisk Storage Pool Installation Guide Symantec NetBackup PureDisk Storage Pool Installation Guide Windows, Linux, and UNIX Release 665 Revision 1 The software described in this book is furnished under a license agreement and may be used only

More information

VeriSign Managed PKI for SSL and Symantec Protection Center Integration Guide

VeriSign Managed PKI for SSL and Symantec Protection Center Integration Guide VeriSign Managed PKI for SSL and Symantec Protection Center Integration Guide VeriSign Managed PKI for SSL and Symantec Protection Center Integration Guide The software described in this book is furnished

More information

Veritas Storage Foundation and High Availability Solutions Application Note: Support for HP-UX Integrity Virtual Machines

Veritas Storage Foundation and High Availability Solutions Application Note: Support for HP-UX Integrity Virtual Machines Veritas Storage Foundation and High Availability Solutions Application Note: Support for HP-UX Integrity Virtual Machines HP-UX 11i v3 5.0.1 Veritas Storage Foundation and High Availability Solutions Application

More information

Partner Information. Integration Overview Authentication Methods Supported

Partner Information. Integration Overview Authentication Methods Supported Partner Information Partner Name Product Name Integration Overview Authentication Methods Supported Client Integration F5 Networks FirePass VPN User Name - Security Code User Name - Password - Security

More information

Symantec Ghost Solution Suite Web Console - Getting Started Guide

Symantec Ghost Solution Suite Web Console - Getting Started Guide Symantec Ghost Solution Suite Web Console - Getting Started Guide Symantec Ghost Solution Suite Web Console- Getting Started Guide Documentation version: 3.3 RU1 Legal Notice Copyright 2019 Symantec Corporation.

More information

Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide

Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide Veritas Cluster Server Database Agent for Microsoft SQL Configuration Guide Windows Server 2003 Windows Server 2008 5.1 Service Pack 2 Veritas Cluster Server Database Agent for Microsoft SQL Configuration

More information

About Symantec Encryption Management Server

About Symantec Encryption Management Server Symantec Encryption Management Server Version 3.3.0 Maintenance Pack Release Notes Thank you for using this Symantec Corporation product. These Release Notes contain important information regarding this

More information

Veritas Enterprise Administrator User's Guide

Veritas Enterprise Administrator User's Guide Veritas Enterprise Administrator User's Guide Solaris 5.0 Maintenance Pack 3 VEA User's Guide The software described in this book is furnished under a license agreement and may be used only in accordance

More information

Symantec High Availability Console Installation and Upgrade Guide

Symantec High Availability Console Installation and Upgrade Guide Symantec High Availability Console Installation and Upgrade Guide Windows 6.2 June 2015 Symantec High Availability Console Installation and Upgrade Guide The software described in this book is furnished

More information

Veritas Desktop and Laptop Option 9.3 README

Veritas Desktop and Laptop Option 9.3 README Veritas Desktop and Laptop Option 9.3 README 2 Veritas Desktop and Laptop Option: README The software described in this document is furnished under a license agreement and may be used only in accordance

More information

Symantec Data Loss Prevention System Maintenance Guide. Version 14.0

Symantec Data Loss Prevention System Maintenance Guide. Version 14.0 Symantec Data Loss Prevention System Maintenance Guide Version 14.0 Symantec Data Loss Prevention System Maintenance Guide Documentation version: 14.0b Legal Notice Copyright 2015 Symantec Corporation.

More information

Veritas Storage Foundation Add-on for Storage Provisioning User's Guide. 4.0 Release Update 1

Veritas Storage Foundation Add-on for Storage Provisioning User's Guide. 4.0 Release Update 1 Veritas Storage Foundation Add-on for Storage Provisioning User's Guide 4.0 Release Update 1 Veritas Storage Foundation Add-on for Storage Provisioning The software described in this book is furnished

More information