Centrify for ArcSight Integration Guide

Transcription

1 Centrify for ArcSight Integration Guide November 2017 Centrify Corporation Abstract This integration guide is to help our Centrify Infrastructure Services customers easily integrate Centrify events into ArcSight. Centrify Corporation TEL (669) Tannery Way URL Santa Clara, CA 95054

2 Legal Notice This document and the software described in this document are furnished under and are subject to the terms of a license agreement or a non-disclosure agreement. Except as expressly set forth in such license agreement or non-disclosure agreement, Centrify Corporation provides this document and the software described in this document as is without warranty of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability or fitness for a particular purpose. Some states do not allow disclaimers of express or implied warranties in certain transactions; therefore, this statement may not apply to you. This document and the software described in this document may not be lent, sold, or given away without the prior written permission of Centrify Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or nondisclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of Centrify Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data. This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. Centrify Corporation may make improvements in or changes to the software described in this document at any time Centrify Corporation. All rights reserved. Portions of Centrify software are derived from third party or open source software. Copyright and legal notices for these sources are listed separately in the Acknowledgements.txt file included with the software. U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R (for Department of Defense (DOD) acquisitions) and 48 C.F.R and (for non-dod acquisitions), the government s rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement. Centrify, DirectControl, DirectAuthorize, DirectAudit, DirectSecure, and DirectControl Express are registered trademarks and Centrify User Suite, Centrify Server Suite, Centrify for Mobile, Centrify for SaaS, Centrify for Mac, DirectManage, Centrify Suite, Centrify Express, DirectManage Express, Centrify Identity Platform, Centrify Identity Service, and Centrify Privilege Service are trademarks of Centrify Corporation in the United States and other countries. Microsoft, Active Directory, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and other countries. Centrify software is protected by U.S. Patents 7,591,005; 8,024,360; 8,321,523; 9,015,103; 9,112,846; 9,197,670; 9,442,962 and 9,378,391. The names of any other companies and products mentioned in this document may be the trademarks or registered trademarks of their respective owners. Unless otherwise noted, all of the names used as examples of companies, organizations, domain names, people and events herein are fictitious. No association with any real company, organization, domain name, person, or event is intended or should be inferred. CENTRIFY CORPORATION ALL RIGHTS RESERVED II

3 Contents Legal Notice... 1 Introduction... 1 Data Collection... 1 Data Collection from Windows Agent... 1 Data Collection from *Nix Agent... 2 SmartConnector Installation... 2 Installing SmartConnector on a Windows agent... 2 Installing SmartConnector on a *Nix agent... 4 Configuring FlexConnector for Data Normalization and Categorization... 6 Windows Application Logs... 6 *Nix syslogs... 7 Verification... 8 ESM Command Center... 8 ESM Console... 8 CENTRIFY CORPORATION ALL RIGHTS RESERVED III

4 Introduction This guide is used to help our Customers easily integrate Centrify Infrastructure Services events data into ArcSight. You can leverage the Centrify for ArcSight to normalize these events into ArcSight. The guide is applicable to following versions: ArcSight ESM Manager ESM Console Centrify Infrastructure Services Release 2016 Release Release Release 2017 Release Release Data Collection There are different types of SmartConnector used for data collection in Windows and *Nix. Data Collection from Windows Agent Centrify software logs events in Application logs on Windows machines. To capture the Application logs, we use Microsoft Windows Event Log-Unified Connector. While installing, please make sure you select only the Application Log check box to capture application logs. There are multiple possible ways to collect data from Windows machines. Following are some of the supported options: Data collection from a standalone Windows Machine. Application logs are collected on a standalone Windows machine and parsed using FlexConnector parser. Parsed event are forwarded to ArcSight ESM. Data Collection using the Windows Event Forwarding (WEF) feature. ArcSight Connector supports WEF to collect application logs forwarded by several Windows machines to a central machine. Users install ArcSight SmartConnector only on the central CENTRIFY CORPORATION ALL RIGHTS RESERVED 1

5 Windows machine that receives forwarded events, and enable the WEF while installing the Connector. Data Collection using AD Source ArcSight Connector supports Log collection for all the member machines from the Active Directory Source itself. Users install ArcSight Connector only on the AD server. During installation, users provide the Domain Controller name and its credentials. If credentials and domain name are correct, a list of all the member machines of that domain controller are seen in a new window. Users select only those Windows machines from which they want to collect application logs. Data Collection from *Nix Agent Centrify software logs events in the syslog directory on *Nix machines. To collect the *Nix syslog messages, the following approaches/connectors are supported: Data collection from standalone *Nix machine. To collect syslogs from Standalone *Nix machines, use the Syslog File type of connector. Users provide the directory location for syslog collection. Make sure users have access to the syslog directory to avoid the permission denied error. Data collection using Syslog Daemon on Centralize machine The Syslog Daemon type of Connector is a syslogd-compatible daemon designed to work in operating systems that have no syslog daemon in their default configuration, such as Microsoft Windows. The SmartConnector for Syslog Daemon implements a UDP receiver on port 514 (default; can also be configured) that can be used to receive syslog events. Use of the TCP protocol or a different port can be configured manually. Users can forward syslogs from multiple *Nix agents to single machine. For example, when configuring Syslog Daemon Connector on the 514 UDP port, users need to specify the receiving syslog port (514) and protocol (UDP). SmartConnector Installation This section provides detailed steps to install ArcSight SmartConnectors. Installation and deployment instructions for ArcSight SmartConnectors can be found in the HPE Security ArcSight Connectors SmartConnector User Guide: Installing SmartConnector on a Windows agent To install SmartConnector on a Windows agent: CENTRIFY CORPORATION ALL RIGHTS RESERVED 2

6 1. Execute the SmartConnector binary for Windows. 2. Choose an installation folder. The default is: C:\Programme Files\ArcSightSmartConnectors 3. Wait while installation completes. 4. When asked for Connector type, select Microsoft Windows Eventlog Unified and click Next. 5. Select Enable WEF if you want to use Windows Event Forwarding. Note: You can also provide your ActiveDirectory server parameters to get a list of all member VMs, and then select only those Windows machines from which you want to collect Application logs. For now, we are only installation on a standalone machine, so leave all these parameters blank. 6. Select Enter Devices Manually as the browser type (we do not use AD source here). 7. Enter your host details. Make sure you select only the Application Logs check box because Centrify Audit trail events are stored in Windows Application logs only. 8. Select ArcSight Manager (encrypted) as your destination type, because we are forwarding collected logs to ArcSight ESM Manager. CENTRIFY CORPORATION ALL RIGHTS RESERVED 3

7 9. Provide your ArcSight ESM Manager details. 10. Provide an appropriate name for your connector. 11. (Optional) Select Import Certificate from your ArcSight ESM manager if you want to use your ArcSight ESM manager certificate. 12. Specify whether you want to install the connector as a service or as a standalone application. Install as a Service is generally preferred. Installing SmartConnector on a *Nix agent Note: We recommend installing SmartConnector on *Nix as a non-root user. Then after installation is complete, you can start the service as a root user. To install SmartConnector on a *Nix agent: 1. Execute the SmartConnector binary for *Nix. 2. Use the default name for the home folder. 3. Wait for the installation to complete. 4. Select Syslog File as the Type of connector to configure. CENTRIFY CORPORATION ALL RIGHTS RESERVED 4

8 5. Enter the file/directory of the syslog that you want to monitor. 6. Select ArcSight Manager (encrypted) as your destination type, because we are forwarding collected logs to ArcSight ESM Manager. 7. Provide your ArcSight ESM Manager details 8. Provide a Name for your connector. CENTRIFY CORPORATION ALL RIGHTS RESERVED 5

9 9. (Optional) Select Import Certificate from your ArcSight ESM manager if you want to use your ArcSight ESM manager certificate. 10. After installation, you can check the status of ArcSight SmartConnector service using following command: /etc/init.d/arc_syslog_file status Configuring FlexConnector for Data Normalization and Categorization Once ArcSight SmartConnector is installed and configured to collect Centrify logs, these logs need to be parsed and categorized using a customized Centrify FlexConnector. This FlexConnector contains two files for each Windows and *Nix platform: a parser and a categorizer. You must place these files at specific locations depending on the OS you are using. Refer to the section below for your OS. Windows Application Logs The two files needed for parsing and categorizing Windows application logs are in the folder Centrify_windows_flexconnector: Categorizer file: centrify_suite.csv Parser file: application.centrify_audittrail_v2.sdkkeyvaluefilereader.properties CENTRIFY CORPORATION ALL RIGHTS RESERVED 6

10 To configure application logs for Windows: 1. Paste the Categorizer file centrify_suite.csv into the target location: $ARCSIGHT_HOME\current\user\agent\acp\categorizer\current\centrify\ 2. Paste the parser file application.centrify_audittrail_v2.sdkkeyvaluefilereader.properties into the target location for your OS as indicated in the following table: Microsoft OS Version Windows Server 2008 R2 Parser file location $ARCSIGHT_HOME\user\agent\fcp\windowsfg\windows_2008 Windows 7 SP1 Windows Server 2012 $ARCSIGHT_HOME\user\agent\fcp\windowsfg\windows_2012 Windows Server 2012 R2 Windows 8.1 Windows Server 2016 $ARCSIGHT_HOME\user\agent\fcp\windowsfg\windows_2016 Windows Restart the SmartConnector service from Windows Services. *Nix syslogs The two files needed for parsing and categorizing *Nix syslogs are in the folder Centrify_linux_flexconnector: Categorizer file - centrify_suite.csv Parser file - centrify.subagent.sdkrfilereader.properties To configure syslogs for *Nix: 1. Paste the categorizer file centrify_suite.csv into the target location $ARCSIGHT_HOME/current/user/agent/acp/categorizer/current/Centrify/ 2. Paste the parser file centrify.subagent.sdkrfilereader.properties into the target location $ARCSIGHT_HOME/user/agent/flexagent/syslog/ irrespective of *Nix OS version. 3. Restart the SmartConnector service from /etc/init.d CENTRIFY CORPORATION ALL RIGHTS RESERVED 7

11 Verification After you finish configuring flex connectors, we recommend that you verify your configuration to make sure that events from Centrify are parsed correctly via flex connectors. To verify your configuration, you will generate some login events and then look for them either in the ESM Command Center or ESM Console. ESM Command Center 1. Generate login events. 2. Log in to the ESM Command Center. 3. Go to Events Event Search. 4. Search for devicevendor= Centrify and deviceproduct= Centrify Suite You should see all the authentication events as shown below. ESM Console 1. Generate login events. 2. Login to the ESM Console. 3. Select Active Channels Shared All Active Channels Centrify Centrify Active Channels. You should see all the Centrify audit events as shown below. CENTRIFY CORPORATION ALL RIGHTS RESERVED 8

12 CENTRIFY CORPORATION ALL RIGHTS RESERVED 9