Web Security Service. Near Real-Time Log Sync Solution Brief. Version /OCT

Similar documents
Office 365 Best Practices: Protocols

Blue Coat ProxySG First Steps Solution for Controlling HTTPS SGOS 6.7

Blue Coat ProxySG First Steps Transparent Proxy Deployments SGOS 6.7

IPv6 Classification. PacketShaper 11.8

Blue Coat Security First Steps Solution for Controlling HTTPS

Data Insight Feature Briefing Box Cloud Storage Support

Symantec Cloud Workload Protection on AWS Marketplace. Buyer's Guide for Getting Started

Symantec Control Compliance Suite Express Security Content Update for Microsoft Windows Server 2008 R2 (CIS Benchmark 2.1.

Partner Information. Integration Overview. Remote Access Integration Architecture

Creating New MACHINEGUID and Disk UUID Using the PGPWdeUpdateMachineUUID.exe Utility

Enterprise Vault.cloud Archive Migrator Guide. Archive Migrator versions 1.2 and 1.3

Blue Coat ProxySG First Steps Solution for Exception Pages SGOS 6.7

Symantec Enterprise Vault

Symantec Managed PKI. Integration Guide for AirWatch MDM Solution

Symantec Ghost Solution Suite Web Console - Getting Started Guide

Altiris Symantec Endpoint Protection Integration Component 7.1 SP1 Release Notes

Symantec Validation and ID Protection. VIP Credential Development Kit Release Notes. Version May 2017

PGP NetShare FlexResponse Plug-In for Data Loss Prevention

NetBackup Copilot for Oracle Configuration Guide. Release 2.7.1

Partner Information. Integration Overview Authentication Methods Supported

Symantec Workflow 7.1 MP1 Release Notes

Symantec Protection Center Getting Started Guide. Version 2.0

Symantec Validation and ID Protection. VIP Credential Development Kit Release Notes. Version January 2017

Using Kerberos Authentication in a Reverse Proxy Environment

Symantec Enterprise Vault

Migrating to a New ProxySG Appliance. ProxySG 900/9000 to ProxySG S400/500

Symantec Control Compliance Suite Express Security Content Update for JBoss Enterprise Application Platform 6.3. Release Notes

Configuring Symantec Protection Engine for Network Attached Storage for Hitachi Unified and NAS Platforms

Symantec Managed PKI. Integration Guide for ActiveSync

Enterprise Vault.cloud CloudLink Google Account Synchronization Guide. CloudLink to 4.0.3

Symantec NetBackup Appliance Fibre Channel Guide

SGOS on KVM Deployment Guide

Veritas SaaS Backup for Office 365

Veritas System Recovery 18 Management Solution Administrator's Guide

VeriSign Managed PKI for SSL and Symantec Protection Center Integration Guide

Configuring Symantec. device

Symantec Patch Management Solution for Windows 8.5 powered by Altiris technology User Guide

Veritas SaaS Backup for Salesforce

Symantec Drive Encryption Evaluation Guide

Veritas NetBackup for Microsoft SQL Server Administrator's Guide

Symantec Workflow Solution 7.1 MP1 Installation and Configuration Guide

Veritas NetBackup Vault Operator s Guide

NetBackup Self Service Release Notes

Enterprise Vault Migrating Data Using the Microsoft Azure Blob Storage Migrator or later

Symantec ediscovery Platform

Security Content Update Release Notes for CCS 12.x

Oracle Intelligent Policy

Cisco Meeting Management

Veritas System Recovery 16 Management Solution Administrator's Guide

The Privileged Appliance and Modules (TPAM) 1.0. Diagnostics and Troubleshooting Guide

Symantec NetBackup Vault Operator's Guide

Configuring Symantec Protection Engine for Network Attached Storage. Compuverde vnas Cluster

Symantec Enterprise Vault

Security Content Update Release Notes for CCS 12.x

Veritas NetBackup for Lotus Notes Administrator's Guide

Message Manager Administrator Guide for ZA

Veritas NetBackup Copilot for Oracle Configuration Guide. Release 3.1 and 3.1.1

Veritas NetBackup Copilot for Oracle Configuration Guide. Release 2.7.2

Veritas NetBackup for Microsoft Exchange Server Administrator s Guide

Symantec NetBackup for Lotus Notes Administrator's Guide. Release 7.6

Veritas NetBackup Copilot for Oracle Configuration Guide. Release 2.7.3

Configuring Symantec Protection Engine for Network Attached Storage. Dell FluidFS 5.0

Symantec PGP Viewer for ios

Symantec Encryption Management Server and Symantec Data Loss Prevention. Integration Guide

Veritas Backup Exec Quick Installation Guide

Veritas Desktop and Laptop Option 9.2

Multi-Tenant Policy Deployment Guide

Message Manager Administrator Guide

Enterprise Vault Setting up Exchange Server and Office 365 for SMTP Archiving and later

Symantec Endpoint Protection Integration Component User's Guide. Version 7.0

StorageGRID Webscale NAS Bridge Management API Guide

Storage Foundation and High Availability Solutions HA and Disaster Recovery Solutions Guide for Microsoft SharePoint 2013

Testing and Restoring the Nasuni Filer in a Disaster Recovery Scenario

Clearwell ediscovery Platform

Veritas NetBackup Vault Administrator s Guide

Veritas NetBackup Appliance Fibre Channel Guide

SymantecTM Desktop and Laptop Option. Symantec DLO s Storage in Cloud (Amazon Web Services)

Cisco Terminal Services (TS) Agent Guide, Version 1.1

Configuring Symantec AntiVirus for BlueArc Storage System

Symantec ServiceDesk 7.1 SP1 Implementation Guide

Enterprise Vault.cloud Journaling Guide

Recovery Guide for Cisco Digital Media Suite 5.4 Appliances

Symantec Endpoint Protection Mobile - Admin Guide v3.2.1 May 2018

Dell PowerVault DL Backup to Disk Appliance and. Storage Provisioning Option

Symantec Enterprise Security Manager Modules for Oracle Release Notes

SymantecTM Desktop and Laptop Option. Symantec DLO s Storage in Cloud (Amazon Web Services)

Veritas NetBackup Upgrade Quick Start Guide

Enterprise Vault Versions of FSA Agent and Enterprise Vault Reporting or later

Secondary operation windows in SLPs

Veritas NetBackup Vault Operator's Guide

Metalogix Essentials for Office Creating a Backup

NetBackup Collection Quick Start Guide

VERITAS NetBackup 6.0 for Microsoft SharePoint Portal Server 2001

Cisco Terminal Services (TS) Agent Guide, Version 1.0

Veritas Deployment Manager User's Guide

Cisco TelePresence Management Suite Extension for Microsoft Exchange Version 3.1.3

RealPresence Platform Director

Enterprise Vault Guide for Outlook Users

Enterprise Vault.cloud Lync Connector Administration Guide. Lync Connector

Using Spectralink 84-Series Phones with Microsoft Lync Server 2010

Transcription:

Web Security Service Near Real-Time Log Sync Solution Brief Version 6.10.4.1/OCT.12.2018

Symantec Web Security Service/Page 2

Page 3 Copyrights Copyright 2018 Symantec Corp. All rights reserved. Symantec, the Symantec Logo, the Checkmark Logo, Blue Coat, and the Blue Coat logo are trademarks or registered trademarks of Symantec Corp. or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice. THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE. Symantec Corporation 350 Ellis Street Mountain View, CA 94043 www.symantec.com

Page 5 Near Real Time Access Log Sync This document describes the Symantec Web Security Service Sync API and how you can obtain near-real-time log data from the cloud service. "About Near-Real-Time Log Syncing" on page 6 "Create a User API Key" on page 9 "Modify Web Client Application" on page 10 "Sync API Examples" on page 11 "About Response Codes" on page 12

Symantec Web Security Service/Page 6 About Near-Real-Time Log Syncing The Symantec (Symantec products) Web Security Service offers two APIs (Download and Sync) for obtaining access log data from the cloud. The Download API restricts a client from receiving partial hour data, thus obtaining log data from the current hour is not possible with this API. The Sync API is an enhancement to the Download API. It allows a web client to obtain recently hardened log data from the cloud by downloading the current hour in smaller up-to-the-minute segments. You must provide the client utilities (scripts and programs) to facilitate both web download and subsequent log data processing. Then use Symantec Reporter or another third-party Security Information & Event Management (SIEM) engine to report on the log data. Topography The following is a brief description of the transaction. Subsequent sections provide greater detail. A IT Admin configures an on-premise client, with the Sync API and scripts, to communicate with the Web Security Service. Valid Web Security Service credentials are required. B Employees access web content and applications. The Web Security Service compiles data into Access Logs. C The on-premise client requests a sequence of log lines from a (possibly) unbounded time range. The Web Security Service sends a sequence of ZIP files.

Log Sync API/Page 7 D IT/HR specialists are able to generate and view reports from near real-time data using Reporter or an SIEM engine. About Access Log Delivery and Tokens Log Delivery The Web Security Service delivers a ZIP archive that contains a collection of compressed text-based log lines (GZIPs). The Download API only provides whole hour files, thus it uses a simpler file naming convention that specified only the year, month, day and hour of each GZIP hour file (the hour, minute, and second fields are still provided in the name, but comprised of zeros). The Sync API might download only a portion of any hour file in a given ZIP archive; therefore, in addition to these fields, its file naming convention also populates the hour, minute, and second fields of the file name. The Sync naming convention assures unique file names for any incremental hour download. Do not mix files obtained with both Download and Sync APIs as you might end up with apparently different filenames containing identical log data. To prevent overload, any given sync download might limit the amount of data returned for a single request. For example, it is not necessary to stream previous weeks or months of data in a single response. The response status notifies the client if additional data is immediately available or if the entire request was satisfied. The Web Security Service might also delay an aggressive client with a 429 too-many-requests response code that informs the client not to send another request until waiting for an additional retry-after number of seconds. An overaggressive client is defined as one that is polling for any new data in the current hour more often than is reasonable. The Web Security Service might also return a serviceunavailable when an internal component is under maintenance. The initial Sync API requires start and end times. The start date allows the client to start a Sync Stream at any archived hour. When the sync begins, the client uses the token returned in the previous response to receive contiguous log data. The client might also limit the range of any download by narrowing the start and end dates. The end date allows the client to stop a download at a given archive hour. Tokens The Sync API response introduces a token and status, which allows the client to resume a previous Sync session without data loss or duplication. The client receives the token and status following the compressed data in the successfully-downloaded zip file. The client then provides this token in the next Sync request to resume contiguous log downloads. If the client loses the token, it can no longer expect contiguous log data. The Web Security Service does not maintain a record of the token content given to a client. The token is simply used like an API handle. The Web Security Service sends the ZIP archive file appended with the token and status. If the client receives all requested log lines, the status is done. If log lines are still available with the time range, the status is more. The client might repeat the request, which includes a new sync token. Most ZIP archive decompression tools (such as Winzip) ignore the appended token and status at the end of the archive file. The given start and end dates always override the token. The token helps the client obtain contiguous access log data and assists with the warning to the client about possible data loss. A token which falls within the given range is always honored, and a token which falls outside the given range, including expired dates, is always rejected. About File Names As previously discussed, the Sync API returns a set of compressed GZIP log hour files wrapped in a single ZIP archive file. Your web client must be able to name the ZIP archive file as it downloads the archive. To prevent name duplication,

Symantec Web Security Service/Page 8 you might elect to use a date-based archive file name. For example: cloud_archive_yyyymmddhhmmss.zip The Web Security Service names the GZIP hour files inside the archive. They always have date-based names. For example, a log file for hour 14 on January 23, 2017 is named: cloud_54321_2017012314000001.log.gz If that hour file was part of an incremental download, the next segment is named: cloud_54321_2017012314000002.log.gz And this naming convention continues. Sync API Request Syntax Example: The Sync API Request Syntax that you use on the local client to pull access logs from the Web Security Service. https://portal.threatpulse.com/reportpod/logs/sync?startdate=start_date&enddate=end_date&token=token All three parameters are required, but dates can be zero and token can be none. The date is GMT. Tip: The GMT date details are discussed in the API examples section later in this document. Next Step Proceed to "Create a User API Key" on page 9.

Log Sync API/Page 9 Create a User API Key Create a User API Key that serves as the username and password in the Sync API syntax. 1. In Service Mode, select Account Maintenance > MDM, API Keys. 2. Create a username/password key. a. In the API section (bottom half of the screen), click Add API Key. b. Define a Username and Password. The username must be unique as it used by the Web Security Service. If the Web Security Service detects any other API with the same name, the service displays an error message and you must define another name. c. Click Add. Next Step "Modify Web Client Application" on page 10

Symantec Web Security Service/Page 10 Modify Web Client Application To accept the access logs, the web client application must be able to validate the SyncAPI from the Web Security Service. Because the API URL does not contain access credentials, you must modify the web client application to use two HTTPS header fields. How you add these headers depends on the Web/HTTPS client you use, such as curl or Wget. Furthermore, each client has its own syntax. With your preferred application, add the following header fields. You must know the API name and password that you created in "Create a User API Key" on page 9, which you enter as the variables below. X-APIUsername: api_name X-APIPassword: password After these are added, the HTTPS endpoint for the client's request, in this case the Web Security Service portal, searches the HTTPS header for these headers and matches the API credentials. Upon a successful match, the client begins receiving the access logs.

Log Sync API/Page 11 Sync API Examples A typical beginning Sync request to obtain all log data from a certain start date up to the present is similar to the following https://portal.threatpulse.com/reportpod/logs/sync?&startdate= / 1522843200000&endDate=0&token=none Date parameters can only be GMT on-the-hour boundaries in milliseconds-since-1970. All Symantec ProxySG appliance Access Log lines are GMT-based because of the global use of the product. If you live in an area where the time zones are not on GMT hour boundaries, you might need to adjust your date conversion algorithm accordingly. For example, your location is in the India Standard Time (IST), which differs from GMT by thirty minutes. The token=none directive is required when there is no token. Start and end dates are also required, although they can be set to 0. The client expects a 200 response code containing chunked data and an X-sync-status: more pair in the sync trailer if more data is available or X-sync-status: done if all available data was returned. For sequential downloads, the client obtains the token from the X-sync-token value from the sync trailer to use in the next request. The next Sync request might look similar to this https://portal.threatpulse.com/reportpod/logs/sync? / &startdate=1522843200000&enddate=0&token=4e0329aeb104a3625a6f7d26c41e735f While the X-sync-status continues to be more, the client might continue to request more data, updating the token each time with the value returned in the X-sync-token. When X-sync-status eventually changes to done, the client pauses for a reasonable amount of time before sending the next poll request. The Web Security Service might send 429 error codes to delay an overaggressive client until a reasonable amount of time has elapsed. The client cannot not discard its current token until a new token is obtained. For contiguous data downloads, the client application might store its token so that the application can obtain it after a reboot.

Symantec Web Security Service/Page 12 About Response Codes This section provides response code implications for Sync API transactions with the Symantec Web Security Service. Request Codes The client must be informed about various failures and possible recovery options. The Sync Token is associated with a specific set of hardened data. If that set ever becomes unavailable because of eventual data expiration or unexpected catastrophic failure, the token is no longer valid. Because Symantec expects neither of these cases to occur during normal usage, client recovery is kept intentionally simple and therefore might not entirely prevent duplicated or lost data. In both of these cases, the Web Security Service returns error 410 (Gone) to inform the client that the token is no longer valid and should be thrown away. The client might obtain a new token by sending a request with a new start date and no token. If the client had already obtained partial data for the start date, that data is duplicated in the new download. The association between dates and tokens create a number of possible conditions. The client might or might not provide a start date, end date, or token. And the token might fall before, within, or after the start or end dates. The following table provides the possible client request conditions and subsequent Web Security Service actions. Start and End No Token Token Before Token Within Token After 0,0 BAA,SAA NA RAT,SAA NA S,0 BAS,SAA 410 RAT,SAA NA 0,E BAA,SAE NA RAT,SAE 410 S,E BAS,SAE 410 RAT,SAE 410 BAS Return 200 and begin at start date RAT Return 200 and resume at token BAA Return 200 and begin at archive head SAA Stop at archive tail SAE Stop at end date NA Not Applicable 410 Return error code with no data The Web Security Service streams the log download using HTTP chunked transfer encoding. The initial response might be a 400- or 500-level error if the request is invalid or cannot be processed immediately. Otherwise, the Web Security Service replies with a 200-level response and begins streaming the download archive. The ZIP archive builds on the fly. In addition to the Sync Token, the Sync Trailer also contains a Sync Status. If some portion of building or streaming the archive fails, the Web Security Service attempts to note the failure in that status. Thus, the initial 200-level response in the first packet does not guarantee that the download produces a complete ZIP archive. The client must always check the final status in the trailer to know if the download completed successfully and if the chunked archive is expected to unpack correctly. All 500-level responses suggest that the client can repeat the last token when the service becomes available. 400-level responses require more scrutiny. A 410 (Gone) response means the token is no longer valid and should be discarded. The 429 (Too Many Requests) response means the Web Security Service is unwilling to service the client at the moment. The Web Security Service might throttle the client during maintenance, when failures occur, or when the client is polling too often within the current hour. The HTTP header provides a Retry-After field to indicate how many seconds the client pauses

Log Sync API/Page 13 until sending the next request. The default throttle is expected to be around five (5) minutes. Symantec/Symantec recommends that customers who create multiple copies of their cloud service archive data use a single download client and multiplex the data after it is downloaded. Thus, the Web Security Service imposes the throttle across all clients of the same customer regardless of client endpoint or API Key. The Sync Trailer and HTTP Codes The successful Sync API response is a compressed archive file with a small sync trailer appended to it. The sync trailer does not impact the decompression of the archive file, but contains two key-value pairs: X-sync-status and X-synctoken. The Sync Trailer is only sent in the final chunk encoding, and chunks are only returned when the initial response is 200. The client examines the token and status to discover the final status of the downloaded archive and to obtain the next token. The X-sync-token value is the token string that is used in the next request. It might match the previous token if no new data was available or if an internal failure occurred causing the archive to abort prematurely. The X-sync-status value is done, more, or abort. done The request was satisfied and no more data is currently available within the specified date range. more The archive was intentionally limited in size and another request with the new token would obtain more contiguous data immediately. abort The Web Security Service experienced a failure while building the archive. The archive might or might not contain usable data, although an aborted archive might still produce a number of valid log files before the archive fails to unpack completely. The final log file in any aborted archive is always discarded because of unknown missing data. A subsequent Sync request could drop the previous token and simply provide a new start date where the aborted archive left off. Otherwise, the entire archive could be discarded and the previous token could be used for a subsequent retry of the entire download. Different HTTP codes and Sync Trailer values allow the client to efficiently use the Sync API. HTTP Codes 200 OK X-sync-status: more X-sync-token: new_token 200 OK X-sync-status: done X-sync-token: new_token 200 OK X-sync-status: done X-sync-token: same_token 200 OK X-sync-status: abort X-sync-token: same_token Description Data was returned and more data is available. The Web Security Service chose to limit the amount of data returned in this response. The client knows that another request would obtain more data immediately. The client provides the new token in the next request. Data was returned and no more data is available. If an end date was given, the download is complete. If no end date was given, the client pauses before polling for new data. The client provides the new token in the next request. No data was returned and no more data is available. If a date range was given, the Web Security Service found no data within the range. If no end date was given, the client pauses before polling for new data. If polling, the client reuses the same token until a new token is provided. Data was returned and more data is available after the Web Security Service issue is resolved. The service experienced an internal issue while building the ZIP archive. Much of the download might be usable, except for the last file in the archive. The client might begin a new session by requesting a new start date without a token. Otherwise, the client reuses the same dates and token until the download is successful. 400 Bad Request The start date is later than the end date; bad syntax; or some other request error. The client verifies it is properly using the Sync API. 410 Gone The token is no longer within the given dates or the token references expired data and the token s associated Web Security Service data is no longer available. The token is no longer valid and is discarded. The client might obtain a new token by requesting a new start date without a token.

Symantec Web Security Service/Page 14 HTTP Codes Description 429 Too Many Requests The Web Security Service is unwilling to service the client until a reasonable time has elapsed. The Retry-After field shows the remaining wait period in seconds. The default is expected to be around five (5) minutes. 500 Internal Error An internal Web Security Service error prevented the download. The client might need to wait a while before repeating the request. 503 Service Unavailable No resources are currently available to service the request; or a Web Security Service component is temporarily offline. The service might restrict the total number of downloads currently in progress. The client waits before repeating the request.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback