Dell SonicWALL Advanced Reporting Installation Guide
Secure Remote Access. SonicOS


Contents

Overview
Server Requirements
Licensing and Activation
Installing and Upgrading
Collecting Dell SonicWALL Aventail Access Logs
Initial Setup of Dell SonicWALL Advanced Reports
Configuring Dell SonicWALL Advanced Reports
Automated Database Build
Multiple Aventail Appliances
DSAR User's Guide and Additional Documentation

Overview

This document outlines the installation, configuration, and upgrading procedures for the Dell SonicWALL Advanced Reporting 8.6.2.1 product.

Dell SonicWALL Advanced Reporting (DSAR) is built on the Sawmill Professional universal log file analysis and reporting product from Flowerfire: http://www.sawmill.net. Access log files from the Dell SonicWALL E-Class SRA series appliances are loaded onto the DSAR Server for processing and analysis. The two log files used (extraweb_access.log and extranet_access.log) provide detailed information about connection activity for both the Web Proxy and Network Tunnel services.

Data included in the Tunnel access log:
- Session start and stop times
- Username and Realm information
- Internal resources accessed
- Bytes transferred

Additional data is also provided in the Web access log:
- Explicit HTTP GET, POST
- Page details

In addition, a third log file called aar-report can be generated on the Dell SonicWALL E-Class SRA series appliance to provide detailed End Point Control (EPC) reports including Zone placements, failed Device Profile checks, and authentication results. In order for the aar-report log to be generated, a Configuration Extension must be utilized on the Dell SonicWALL E-Class SRA appliance to offload the required audit logs.

System level performance reports such as uptime, CPU utilization, and network utilization are not included in the DSAR product. DSAR is focused on user access and auditing reports only. Other methods, such as SNMP, are available for system level reporting and analysis.

Server Requirements

Dell SonicWALL Advanced Reporting runs on the following operating systems:
- Windows 2008
- Windows 7
- Windows 2003
- Windows Vista
- Windows XP
- Red Hat Linux

Basic system requirements are as follows:
- Memory: a minimum of 2 GB of RAM, with 4 GB preferred
- Disk: 500 MB of disk space for an average database
- Processor: as much CPU power as possible

Additional sizing details can be found in the Sawmill FAQs.

Licensing and Activation

Dell SonicWALL Advanced Reporting is available as a free download for 15 days from MySonicWALL: http://www.mysonicwall.com

If you have purchased DSAR from your Dell SonicWALL reseller, you will be sent an activation code via email. Log into MySonicWALL and register DSAR as a new product with the activation code that you received.

Activating Dell SonicWALL Advanced Reports

To activate Dell SonicWALL Advanced Reports, perform the following:

1. Navigate to https://www.mysonicwall.com and log in with your username and password.

The MySonicWALL home page displays.

2. In the left-navigation menu, click the My Products drop-down menu, and then select Register Product.
3. Enter your activation code for the Dell SonicWALL Advanced Reporting in the Serial Number text-field, and then click the Submit button.

Dell SonicWALL Advanced Reporting will now display in the My Products list on the My Products > Product Management page.

Retrieving your Dell SonicWALL Advanced Reporting License

To retrieve your Dell SonicWALL Advanced Reporting license, perform the following:

1. Navigate to the My Products > Product Management page on MySonicWALL, and then select Dell SonicWALL Advanced Reports from the list.
2. The license is located by clicking the Status button. It will appear to be a string of letters and numbers. Example: pro-7profile-psep-dsar7hf8e-3cb6

Installing and Upgrading

This section details how to download and install or upgrade Dell SonicWALL Advanced Reporting.

Downloading Dell SonicWALL Advanced Reporting

Before installing Dell SonicWALL Advanced Reporting, you must download the setup file and copy it to the file system of your local computer. The file is delivered as a tar archive for Linux and a setup executable program for Windows and is available in both 32-bit and 64-bit versions.

To obtain the DSAR installation file:

1. Log into MySonicWALL at: http://www.mysonicwall.com
2. In the left-navigation menu click the Downloads drop-down menu, and then select Free Downloads.
3. Click the Software Type drop-down menu, and then select Dell SonicWALL Advanced Reporting.
4. Select the appropriate DSAR installation package for your operating system.

Upgrading Dell SonicWALL Advanced Reporting

Before upgrading Dell SonicWALL Advanced Reporting, back up your existing LogAnalysisInfo folder located in the DSAR installation directory. This folder contains all the existing profile and customization settings.

It is also important to stop the current Advanced Reports service that is running on your server. Do this from the Windows Control Panel > Administrative Tools > Services screen or from the Linux command line. Failure to perform this step may result in an unsuccessful upgrade.

Perform a clean installation of DSAR 8.6.2.1. Then, use the Import link in the Admin menu to load all settings from the old AAR 7.2 installation, including profiles and databases. Better results may be obtained by creating new profiles in 8.6.2.1, since there have been many improvements since 7.2 and these will not always be incorporated in a converted profile. For additional details, please see the Upgrading section on the Sawmill FAQ.

Installing Dell SonicWALL Advanced Reporting

Install the Dell SonicWALL Advanced Reports executable files per your operating system as follows:

Linux

1. Copy the installation tar file to the directory where you want to install Dell SonicWALL Advanced Reports.
2. From the command line, untar the installation file using the following command for 64-bit systems:

    tar xvfz sawmillswar8.6.2.1_x64_linux-es6.tar.gz

This will result in a directory being created called DellSonicWALLAdvancedReports that contains the Dell SonicWALL Advanced Reports executable program called DellSonicWALLAdvancedReports.

Dell SonicWALL Advanced Reports requires the libcrypto.so.10 and libssl.so.10 libraries to run, so this package may have to be installed on your Linux server. If you have a later version of the libcrypto library installed on your system, a link can be defined for DSAR to use:

    # cd /usr/lib
    # ln -s libcrypto.so.0.9.8 libcrypto.so.10
    # ln -s libssl.so.0.9.8 libssl.so.10

On Linux, you can start using Dell SonicWALL Advanced Reports immediately by executing the file DSAR7.2.16. Dell SonicWALL Advanced Reports will establish itself as a Web server on port 8988 (by default), and will print a message describing how to access it from your Web browser.

To have Dell SonicWALL Advanced Reports start up automatically with the system and run as a daemon, you can add or modify a system init script to automatically start Dell SonicWALL Advanced Reports at system startup.

Note: The startup script location will vary depending on the Linux distribution that you are using; this information will need to be gathered from the Linux distribution documentation.

Once you have accessed the Dell SonicWALL Advanced Reports web application, you can collect Aventail Access logs, perform the initial setup of Dell SonicWALL Advanced Reports, and configure Dell SonicWALL Advanced Reports.

Windows

1. Execute the file: sawmillswar8.6.2.1_x64_windows.exe

The Readme file displays.

2. After reading it, click the Next button.

The Choose Install Location screen displays.

3. Click the Browse button, and then select a place to install the DSAR or leave the default location.

4. Click the Next button.

The Choose Components screen displays.

5. Select the Dell SonicWALL Advanced Reports and Dell SonicWALL Advanced Reports Service checkboxes, and then click the Install button.
6. Once the installation is complete, click the Finish button to access the DSAR Console.

Note the following:
- By default, a directory is created called C:\Program Files\Dell SonicWALL Advanced Reports 8 which contains the Advanced Reporting files.
- Dell SonicWALL Advanced Reports 8 will be installed as a service that starts automatically.
- A Dell SonicWALL Advanced Reports icon will also be created on the desktop to access the Advanced Reports Console.

Collecting Dell SonicWALL Aventail Access Logs

Dell SonicWALL Advanced Reporting relies on data from the Dell SonicWALL Aventail appliance. Since the Dell SonicWALL Aventail appliances are hardened by default, the only way to copy log files off the appliance is manually using SCP (Secure Copy) or by using an automated Configuration Extension which allows for an FTP or SFTP copy of the logs to the DSAR Server.

Note: A Configuration Extension must be used in order for the system to generate the aar-report log for EPC reporting.

On the Dell SonicWALL Aventail appliance, the access logs are located in the /var/log/aventail directory and are called extranet_access.log and extraweb_access.log. The extranet_access.log file is used for Network Tunnel connections while the extraweb_access.log file is used to log web access only. If the Configuration Extension is activated, the aar-report log, which contains End Point Control and authentication data, will also be present.

Log rotation is enabled by default, so there may be several logs in the /var/log/aventail directory named extranet_access.log.n or extraweb_access.log.n, where n is a number indicating that a file has been rolled over. For a complete set of data, copy all of the files named extranet_access.log.*, extraweb_access.log.*, and aar-report.*.

To enable SSH/SCP access to the Dell SonicWALL Aventail appliance:

1. Log in to the Aventail Management Console.
2. From the main menu, select Services.
3. In the Network Services area, click the Configure link for SSH.
4. Enable SSH by checking the Enable SSH check box.
5. Add a host or network from which you want to allow SSH access: select New, then type the IP address and subnet mask (make sure to allow the host or network that the DSAR Server is on).

To use the Configuration Extension to enable automated FTP or SFTP file transfers, please see the following Dell SonicWALL Knowledgebase article for more details: https://www.fuzeqna.com/sonicwallkb/ext/kbdetail.aspx?kbid=10375

Enabling the Configuration Extension allows for automated log file transfers using a Push Logs script. This script allows the log files to be sent to an internal FTP or SFTP server using the following settings:

    AAR_URL=ftp://username:password@ftp.myhost.com/~/path
    AAR_URL=sftp://username:password@sftp.myhost.com/~/path
    AAR_FREQUENCY=1

AAR_URL can take two different types of URLs: FTP (ftp://) and Secure FTP (sftp://), which uses the SSH protocol for encryption:

Example 1 (FTP): ftp://username:password@ftp.myhost.com/~/path
Example 2 (SFTP): sftp://username:password@sftp.myhost.com/~/path

Note: A new directory based on the appliance's hostname will be created under this path, which is where the log files will be uploaded to. The tilde (~) in the path is required for SFTP, and should probably be left in for FTP as well, especially if you are uploading files to a directory relative to the FTP or SFTP username's home directory.

AAR_FREQUENCY denotes how often the log files are transferred. It must be a value between 0 and 6:

0, 1 or AAR_FREQUENCY undefined: Once per day at 00:05
2: Twice per day, or every 12 hours (00:05, 12:05)
3: Three times per day, or every 8 hours (00:05, 08:05, 16:05)
4: Four times per day, or every 6 hours (00:05, 06:05, 12:05, 18:05)
5: Five times per day, or every 5 hours (00:05, 05:05, 10:05, 15:05, 20:05)
6: Six times per day, or every 4 hours (00:05, 04:05, 08:05, 12:05, 16:05, 20:05)

Activation instructions:

1. Log in to the Aventail Management Console.
2. Click on Maintenance in the left-hand navigation menu.
3. In the URL, append "?advanced=1", and press Return.
4. Click on Configure under the new section Configuration extensions.
5. Click New.
6. For the Key field, put in AAR_URL.
7. For the Value field, put in ftp://username:password@ftp.myhost/~/incoming.
8. Click OK.
9. Click New.
10. For the Key field, put in AAR_FREQUENCY.
11. For the Value field, put in 1.
12. Click OK.
13. Click Save.
14. Apply Changes (this will force an apply-all, making the changes take effect).
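The AAR_URL and AAR_FREQUENCY rules above can be checked before the values are typed into the Configuration extensions page. The following Python sketch is an added example, not part of the original guide or of the appliance's Push Logs script; the function names are hypothetical and the sample values are the placeholder ones used in this guide.

```python
# Added example: lint Configuration Extension values before entering them.
# Nothing here contacts an appliance or a server.
import math
from urllib.parse import urlsplit


def transfer_times(frequency=None):
    """Daily push times for an AAR_FREQUENCY value, as listed in this guide."""
    if frequency is None or str(frequency).strip() == "":
        runs = 1                          # undefined behaves like 0 or 1
    else:
        runs = int(frequency)             # ValueError on non-numeric input
        if not 0 <= runs <= 6:
            raise ValueError("AAR_FREQUENCY must be between 0 and 6")
        runs = max(runs, 1)               # 0 is also once per day
    step = math.ceil(24 / runs)           # 24, 12, 8, 6, 5, 4 hours
    return [f"{hour:02d}:05" for hour in range(0, runs * step, step)]


def redact(url):
    """Copy of the URL that can be pasted into a ticket or change record."""
    parts = urlsplit(url)
    if parts.password is None:
        return url
    netloc = parts.netloc.replace(":" + parts.password + "@", ":***@", 1)
    return parts._replace(netloc=netloc).geturl()


def lint_aar_url(url):
    """Return (errors, warnings) for one AAR_URL value."""
    errors, warnings = [], []
    parts = urlsplit(url)
    if parts.scheme not in ("ftp", "sftp"):
        return ["AAR_URL must start with ftp:// or sftp://"], warnings
    if not parts.hostname:
        errors.append("no host name")
    if not parts.username or not parts.password:
        errors.append("username:password missing")
    if not parts.path.startswith("/~/"):
        # The guide requires the tilde for SFTP and advises it for FTP.
        note = "path does not start with /~/"
        (errors if parts.scheme == "sftp" else warnings).append(note)
    if parts.scheme == "ftp":
        warnings.append("ftp:// carries the password and logs in cleartext; "
                        "sftp:// is encrypted over SSH")
    return errors, warnings


def review(settings):
    """settings: dict mapping Configuration Extension keys to values."""
    url = settings.get("AAR_URL", "")
    errors, warnings = lint_aar_url(url)
    try:
        times = transfer_times(settings.get("AAR_FREQUENCY"))
    except ValueError as exc:
        errors.append(f"AAR_FREQUENCY: {exc}")
        times = []
    return {"url": redact(url), "errors": errors,
            "warnings": warnings, "push_times": times}


if __name__ == "__main__":
    samples = (
        {"AAR_URL": "ftp://username:password@ftp.myhost/~/incoming",
         "AAR_FREQUENCY": "1"},
        {"AAR_URL": "sftp://username:password@sftp.myhost.com/path",
         "AAR_FREQUENCY": "5"},
    )
    for sample in samples:
        print(review(sample))
```
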

Initial Setup of Dell SonicWALL Advanced Reports

After Dell SonicWALL Advanced Reports is installed, it runs as a local Web application on port 8988. It can be accessed using a Web browser with the URL: http://localhost:8988/ or http://127.0.0.1:8988

On Windows, the desktop icon can also be opened to access the DSAR Web application.

If this is the first time you are accessing Dell SonicWALL Advanced Reports, a Setup wizard displays. To set up Dell SonicWALL Advanced Reports, please perform the following:

1. In the Dell SonicWALL Advanced Reports Setup initial page, click the Next button.

The License Agreement page displays.

2. Read the license agreement carefully, and then select the I accept the terms in the license agreement radio button.
3. Click the Next button.

The Licensing page displays.

4. Select the Enter a License Key radio button, and then enter the license key obtained from your MySonicWALL account in the text-field. Or, select the Try Dell SonicWALL Advanced Reports for 30 days radio button to use the 30 day free trial.
5. Click the Next button.

The Root Administrator page displays.

6. Enter the username and password for the Dell SonicWALL Advanced Reports Administrator account.
7. Select the Next button.

The Email and SMTP Server page displays.

8. Define an email address and SMTP server to allow you to reset your password by email if necessary.
9. Click the Next button.

The Automated Feedback Agent page displays.

10. If you would like to allow Dell SonicWALL Advanced Reports to send information about the devices you are analyzing to the development team, select the checkbox.
11. Click the Next button.

The Antivirus Warning page displays.

12. Please make sure that any Antivirus scans on the system do not include the Dell SonicWALL Advanced Reports directory.
13. Click the Next button.

The Complete Setup page displays.

14. Click the Finish button to complete the initial setup.

Configuring Dell SonicWALL Advanced Reports

After you complete the initial setup, you will be logged into the main menu Profile page to create a new Profile. A Profile is a log data source that will be used as input into the Dell SonicWALL Advanced Reporting system.

Note: The maximum number of data profiles supported is 6.

Create a Network Tunnel client/server profile and a profile for Web Access logs.

Creating a Network Tunnel client/server profile

To create a new profile, perform the following:

1. In the Profiles page, select the Start here button.

The New Profile Wizard displays.

2. Select the Browse button to browse the local hard drive and navigate to the folder where the Aventail access logs are stored locally.
3. For Tunnel logs, select a file (extranet_access.log) and then click the OK button.
4. Modify the pathname so all extranet_access.log files in the directory are retrieved by using a wildcard (e.g. extranet_access.log*).
5. Click the Show Matching Files button to make sure that all the extranet_access.log files are retrieved.

The Matching Files pop-up window displays.

6. If all the correct log files are retrieved, then close the Matching Log Source Files and select the Next button to go to the next step. Otherwise, go back and modify the Pathname field until the correct logs are retrieved.

The Log Format Detected page displays.

7. DSAR will automatically detect the log file format. Leave the default of SonicWALL Aventail Client/server Access Log Format selected.
8. Click the Next button.

The Database Performance Options page displays.

9. Both Database Performance options are selected by default. Leave them selected, and then click the Next button.

The Numerical Field Options page displays.

10. All the Numeric Field options are selected by default. Leave them all selected, and then click the Next button.

The Profile Name page displays.

11. Change the Profile name to reflect the type of reports that will be displayed. Example: Network Tunnel access
12. Select the Finish button to build the profile.

Once the Profile is saved, a message box will allow you to process the data and view the reports.


Creating a Profile for Web Access Logs

Once you have created the Network Tunnel client/server profile, you must add a new profile for the Web Access logs. Please perform the following:

1. In the main menu, select the Profiles link.
2. Click the Create new profile link.

The New Profile Wizard launches and the Log Source page displays.

3. Browse to the correct directory and enter the log file name of extraweb_access*.
4. Click the Show Matching Files button.

The Matching Files pop-up window displays.

5. Check the matched log file to make sure the Pathname is correct and all the files are retrieved.
6. Exit the Matching Files window and click the Next button.

The Log Format Detected page displays.

7. Select the Use Detected Log Format radio button, and then click the Next button.

The Database Performance Options page displays.

8. Both options are selected by default. Please leave them selected and click the Next button.

The Numerical Field Options page displays.

9. All the Numerical Field options are selected by default. Please leave them selected and click the Next button.

The Profile Name page displays.

10. Change the profile name to reflect the type of reports that will be displayed. Example: Web Access
11. Click the Finish button.

When the Profile is saved, a message box will allow you to process the data and view the reports.

12. Repeat the same profile building process for the aar-report log if necessary for EPC reports.

Automated Database Build

Once the log files are copied to the Dell SonicWALL Advanced Reporting (DSAR) Server, they must be loaded into the database for subsequent analysis and reporting. DSAR has an internal scheduler system to allow a scheduled build of the database after the log files have been copied.

To access the scheduler, perform the following:

1. In the DSAR main page, click the Admin drop-down menu, and then select Scheduler.

The Scheduler page displays.

2. Click the New Schedule button.

The New schedule options display.

Define the New Schedule time parameters, and then click the New Action link.

The New Action pop-up window displays.

3. Click the Action drop-down menu, and then select Build database.
4. Click the Profile drop-down menu, and then select All profiles.
5. When finished, click the OK button.

The new schedule populates in the Schedule list.

Multiple Aventail Appliances

Since the log files on Aventail appliances all have the same names and are not unique, separate subdirectories must be created in the log file storage directory on the DSAR server. For example, under the C:\Logs directory, there would be a separate directory for each appliance:

    C:/Logs/node1
    C:/Logs/node2
    C:/Logs/node3

Copying the log files in their own directories will ensure that none of the files are overwritten.

Dell SonicWALL Advanced Reports automatically collates the log files from the various appliances, thereby providing a single view. If you would like separate views of each appliance, then create a profile for each appliance and log file directory combination.

Every Aventail appliance has two sets of access logs: one for Tunnel client/server access auditing (extranet_access.log) and one for Web traffic auditing (extraweb_access.log). Therefore, a single appliance will require two Profiles.

Due to licensing limitations, a single DSAR server can support a maximum of six Profiles. If there is a requirement to analyze and report on logs from more than two Aventail appliances, the Sawmill package can be purchased directly from Flowerfire with no limits on the number of Profiles or log sources.

DSAR User's Guide and Additional Documentation

Numerous Knowledge Base articles covering additional topics on customization, reporting, and operation are available on the Dell SonicWALL Support Knowledge Portal: http://www.mysonicwall.com

DSAR includes an online manual that covers everything from installation, the extensive option set, specific settings for various supported web servers, and suggestions for getting the most out of Sawmill. In addition, an online version of the documentation can be found on the Sawmill website: http://www.sawmill.net/cgi-bin/sawmill8/docs/sawmill.cgi?dp+docs.technical_manual.toc+webvars.username+samples+webvars.password+sawmill

Last updated: 9/18/2013
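For the per-appliance directory layout described under Multiple Aventail Appliances, the following Python sketch (an added example, not part of the original guide or of DSAR) inventories a log storage directory, flags log files left outside an appliance subdirectory, and counts the profiles that separate per-appliance views would need against the six-profile limit. The function names, the sample tree, and the assumption that rotated aar-report files follow the same name-plus-suffix pattern as the access logs are illustrative.

```python
# Added example: inventory a C:/Logs-style directory and plan DSAR profiles.
import tempfile
from pathlib import Path

# Log families named in this guide; rotated copies carry a ".n" suffix.
FAMILIES = ("extranet_access.log", "extraweb_access.log", "aar-report")
MAX_PROFILES = 6  # licensing limit stated in this guide


def family_of(name):
    """Map a file name (current or rotated) to its log family, else None."""
    for family in FAMILIES:
        if name == family or name.startswith(family + "."):
            return family
    return None


def inventory(logs_root):
    """Return ({node: {family: [file names]}}, [log files left in the root])."""
    nodes, stray = {}, []
    for entry in sorted(Path(logs_root).iterdir()):
        if entry.is_file():
            if family_of(entry.name):
                stray.append(entry.name)  # next appliance's copy overwrites it
            continue
        if not entry.is_dir():
            continue
        found = {}
        for path in sorted(entry.iterdir()):
            family = family_of(path.name) if path.is_file() else None
            if family:
                found.setdefault(family, []).append(path.name)
        if found:
            nodes[entry.name] = found
    return nodes, stray


def plan_profiles(nodes, logs_root):
    """One profile per appliance and log family (separate views).

    Returns ([(profile name, wildcard pathname)], fits_within_limit).
    """
    base = Path(logs_root).as_posix()
    plan = [(f"{node} {family}", f"{base}/{node}/{family}*")
            for node, families in nodes.items()
            for family in FAMILIES if family in families]
    return plan, len(plan) <= MAX_PROFILES


def build_sample(root):
    """Create a constructed tree of empty files for the demonstration."""
    layout = {
        "node1": ["extranet_access.log", "extranet_access.log.1",
                  "extraweb_access.log", "aar-report"],
        "node2": ["extranet_access.log", "extraweb_access.log",
                  "aar-report.1"],
        "node3": ["extranet_access.log", "extraweb_access.log.2",
                  "notes.txt"],
    }
    for node, names in layout.items():
        (Path(root) / node).mkdir(parents=True)
        for name in names:
            (Path(root) / node / name).touch()
    (Path(root) / "extranet_access.log").touch()  # copied with no node dir


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        nodes, stray = inventory(tmp)
        plan, fits = plan_profiles(nodes, tmp)
        print("stray files:", stray)
        for name, pathname in plan:
            print(f"{name:30} {pathname}")
        print(f"{len(plan)} profiles, within limit: {fits}")
```

With the aar-report log included, each appliance needs three profiles for a separate view, so two appliances already reach the six-profile limit.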