
Extreme Networks Security

DSM Configuration Guide

Addendum

9034855

Published July 2015

Copyright © 2005–2015 All rights reserved.

Legal Notice

Extreme Networks, Inc. reserves the right to make changes in specifications and other information contained in this document and its website without prior notice. The reader should in all cases consult representatives of Extreme Networks to determine whether any such changes have been made.

The hardware, firmware, software or any specifications described or referred to in this document are subject to change without notice.

Trademarks

Extreme Networks and the Extreme Networks logo are trademarks or registered trademarks of Extreme Networks, Inc. in the United States and/or other countries.

All other names (including any product names) mentioned in this document are the property of their respective owners and may be trademarks or registered trademarks of their respective companies/owners.

For additional information on Extreme Networks trademarks, please see: www.extremenetworks.com/company/legal/trademarks/

Support

For product support, including documentation, visit: www.extremenetworks.com/documentation/

For information, contact:

Extreme Networks, Inc.

145 Rio Robles

San Jose, California 95134

USA

Table of Contents

About this DSM Configuration Guide Addendum................................................................. 8

Conventions.............................................................................................................................................................................8

Providing Feedback to Us................................................................................................................................................ 9

Getting Help...........................................................................................................................................................................10

Related Publications.......................................................................................................................................................... 10

Chapter 1: Event collection from third-party devices.........................................................12

Adding a single DSM..........................................................................................................................................................13

Installing a DSM bundle....................................................................................................................................................14

Adding a log source...........................................................................................................................................................14

Adding bulk log sources.................................................................................................................................................. 15

Adding a log source parsing order.............................................................................................................................16

Chapter 2: 3Com Switch 8800................................................................................................17

Configuring your 3COM Switch 8800 ..................................................................................................................... 18

Chapter 3: AccessData InSight...............................................................................................19

Configuring your AccessData InSight device to communicate with Extreme Security.................20

Adding an AccessData InSight log source on your Extreme Security Console................................. 20

Chapter 4: AhnLab Policy Center..........................................................................................22

Chapter 5: Amazon AWS CloudTrail.................................................................................... 24

Chapter 6: Ambiron TrustWave ipAngel .............................................................................26

Chapter 7: Arbor Networks Pravail....................................................................................... 28

Configuring your Arbor Networks Pravail system to send events to Extreme Security................29

Chapter 8: APC UPS................................................................................................................ 30

Configuring your APC UPS to forward syslog events...................................................................................... 31

Chapter 9: Barracuda Web Application Firewall................................................................ 32

Configuring Barracuda Web Application Firewall to send syslog events to Extreme Security................... 33

Chapter 10: Bit9 Security Platform....................................................................................... 34

Configuring Bit9 Security Platform to communicate with Extreme Security...................................... 35

Chapter 11: Blue Coat SG........................................................................................................ 36

Creating a custom event format.................................................................................................................................38

Creating a log facility....................................................................................................................................................... 38

Enabling access logging................................................................................................................................................. 39

Configuring Blue Coat SG for log file protocol uploads................................................................................. 39

Configuring Blue Coat SG for syslog uploads.....................................................................................................40

Creating extra custom format key-value pairs................................................................................................... 40

Chapter 12: Cisco IronPort......................................................................................................42

Configuring the Cisco IronPort to send syslog events....................................................................................43

Chapter 13: Correlog Agent for IBM z/OS........................................................................... 45

Configuring your CorreLog Agent system for communication with Extreme Security.................46

Chapter 14: CloudPassage Halo ............................................................................................47

Extreme Networks Security DSM Configuration Guide Addendum 3


Configuring CloudPassage Halo for communication with Extreme Security.......................................47

Configuring a CloudPassage Halo log source in Extreme Security.......................................................... 49

Chapter 15: DG Technology MEAS........................................................................................ 51

Configuring your DG Technology MEAS system for communication with Extreme Security.....52

Chapter 16: FireEye..................................................................................................................53

Configuring your FireEye system for communication with QRadar®.......................................................54

Configuring a FireEye log source in Extreme Security................................................................................... 54

Chapter 17: FreeRADIUS......................................................................................................... 55

Configuring your FreeRADIUS device to communicate with Extreme Security................................56

Chapter 18: genua genugate.................................................................................................. 58

Configuring genua genugate to send events to Extreme Security...........................................................59

Chapter 19: HyTrust CloudControl........................................................................................60

Configuring HyTrust CloudControl to communicate with Extreme Security........................................61

Chapter 20: IBM AIX DSMs..................................................................................................... 62

IBM AIX Server DSM overview.....................................................................................................................................62

IBM AIX Audit DSM overview.......................................................................................................................................63

Chapter 21: IBM AS/400 iSeries event collection.............................................................. 69

Chapter 22: IBM AS/400 iSeries DSM.................................................................................. 70

Configuring an IBM iSeries device to communicate with Extreme Security..........................................71

Chapter 23: IBM Federated Directory Server ..................................................................... 73

Configuring IBM Federated Directory Server to monitor security events.............................................74

Chapter 24: IBM® Fiberlink® MaaS360®.................................................................................. 75

Manually installing an RPM.............................................................................................................................................75

Configuring your Fiberlink® MaaS360® instance for communication with Extreme Security....... 76

Configuring an IBM® Fiberlink® MaaS360® log source in Extreme Security............................................76

Chapter 25: IBM Security Privileged Identity Manager......................................................78

Configuring IBM Security Privileged Identity Manager................................................................................... 79

Chapter 26: IBM RACF............................................................................................................. 81

Integrating RACF with Extreme Security Using Security zSecure............................................................. 81

Integrate RACF with Extreme Security using audit scripts.......................................................................... 86

Chapter 27: IBM® Privileged Session Recorder................................................... 90

Configuring IBM Privileged Session Recorder to communicate with Extreme Security................. 91

Chapter 28: IBM® Security Network IPS................................................................ 92

Configuring your Security Network IPS appliance for communication with Extreme Security...................93

Configuring an IBM® Security Network IPS log source in Extreme Security.........................................93

Chapter 29: IBM SmartCloud Orchestrator..........................................................................95

Installing IBM SmartCloud Orchestrator.................................................................................................................96

Configuring an IBM SmartCloud Orchestrator log source in QRadar......................................................96

Chapter 30: IBM Tivoli Endpoint Manager...........................................................................97

Chapter 31: IBM Security Trusteer Apex Advanced Malware Protection ......................99


Configuring IBM Security Trusteer Apex Advanced Malware Protection to send syslog events to Extreme Security................... 102

Configuring a Flat File Feed service....................................................................................................................... 102

Chapter 32: IBM WebSphere DataPower........................................................................... 104

Configuring IBM WebSphere DataPower to communicate with Extreme Security........................105

Chapter 33: Kaspersky Security Center.............................................................................106

Creating a database view for Kaspersky Security Center for JDBC event collection................... 108

Exporting syslog to Extreme Security from Kaspersky Security Center ............................................ 109

Chapter 34: Kisco Information Systems SafeNet/i............................................................110

Configuring Kisco Information Systems SafeNet/i to communicate with Extreme Security........111

Chapter 35: Lastline Enterprise............................................................................................ 113

Configuring Lastline Enterprise to communicate with Extreme Security............................................. 114

Chapter 36: McAfee ePolicy Orchestrator.......................................................................... 115

Configuring a McAfee ePO log source by using the JDBC protocol....................................................... 115

Configuring ePO to forward SNMP events........................................................................................................... 118

Chapter 37: LOGbinder EX event collection from Microsoft Exchange Server............122

Configuring your LOGbinder EX system to send Microsoft Exchange event logs to Extreme Security....................123

Chapter 38: LOGbinder SP event collection from Microsoft SharePoint...................... 124

Configuring your LOGbinder SP system to send Microsoft SharePoint event logs to Extreme Security....................125

Chapter 39: LOGbinder SQL event collection from Microsoft SQL Server................... 126

Configuring your LOGbinder SQL system to send Microsoft SQL Server event logs to Extreme Security....................127

Chapter 40: Microsoft Exchange Server.............................................................................128

Configuring Microsoft Exchange Server to communicate with Extreme Security.......................... 129

Configuring a log source for Microsoft Exchange........................................................................................... 130

Chapter 41: Microsoft™ SQL Server...................................................................................... 133

Microsoft™ SQL Server preparation for communication with Extreme Security.............................. 134

Configuring a Microsoft™ SQL Server log source..............................................................................135

Chapter 42: Microsoft™ Windows™ Security Event Log.................................................... 138

Enabling MSRPC on Windows hosts.......................................................................................................................138

Enabling a Snare Agent on Windows hosts......................................................................................................... 141

Enabling WMI on Windows hosts.............................................................................................................................142

Chapter 43: Netskope Active............................................................................................... 146

Configuring Extreme Security to collect events from your Netskope Active system................... 147

Chapter 44: OpenStack.........................................................................................................148

Configuring OpenStack to communicate with Extreme Security............................................................149

Chapter 45: Oracle Enterprise Manager.............................................................................. 151

Chapter 46: Palo Alto Networks.......................................................................................... 153

Creating a syslog destination on your Palo Alto device............................................................................... 154

Creating a forwarding policy on your Palo Alto device................................................................................ 156


Chapter 47: RSA Authentication Manager......................................................................... 157

Configuring syslog for RSA..........................................................................................................................................157

Configuring the log file protocol for RSA.............................................................................................................158

Chapter 48: Riverbed SteelCentral NetProfiler (Cascade Profiler) Alert...................... 161

Configuring your Riverbed SteelCentral NetProfiler system to enable communication with Extreme Security....................162

Chapter 49: Salesforce Security Auditing.......................................................................... 163

Downloading the Salesforce audit trail file.......................................................................................................... 163

Configuring a Salesforce Security Auditing log source in Extreme Security..................................... 164

Chapter 50: Salesforce Security Monitoring......................................................................165

Configuring the Salesforce Security Monitoring server to communicate with Extreme Security................... 166

Configuring a Salesforce Security Monitoring log source in Extreme Security................................ 166

Chapter 51: Configuring Sun Solaris Sendmail to communicate with Extreme Security...................168

Configuring a Sun Solaris Sendmail log source ................................................................................................168

Chapter 52: SSH CryptoAuditor........................................................................................... 172

Configuring an SSH CryptoAuditor appliance to communicate with Extreme Security.............. 173

Chapter 53: STEALTHbits StealthINTERCEPT.................................................................. 174

Configuring your STEALTHbits StealthINTERCEPT system for communication with Extreme Security....................175

Adding a STEALTHbits StealthINTERCEPT log source in Extreme Security......................................175

Chapter 54: STEALTHbits StealthINTERCEPT Alerts........................................................177

Collecting alerts logs from STEALTHbits StealthINTERCEPT....................................................................178

Chapter 55: STEALTHbits StealthINTERCEPT Analytics..................................................179

Collecting analytics logs from STEALTHbits StealthINTERCEPT............................................................ 180

Chapter 56: Symantec Critical System Protection.............................................................181

Chapter 57: Sourcefire Defense Center (DC).....................................................................183

Creating Sourcefire 4.x certificates......................................................................................................................... 184

Creating Sourcefire 5.x certificates......................................................................................................................... 184

Importing a Sourcefire certificate to Extreme Security.................................................................................. 185

Configuring a log source for Sourcefire Defense Center events.............................................................. 186

Chapter 58: Sourcefire Intrusion Sensor ............................................................................188

Configuring Sourcefire Intrusion Sensor............................................................................................................... 188

Configuring a log source for Sourcefire Defense Center events.............................................................. 188

Chapter 59: Trend Micro Deep Discovery Analyzer......................................................... 190

Configuring your Trend Micro Deep Discovery Analyzer instance for communication with Extreme Security.....................191

Chapter 60: WatchGuard Fireware OS............................................................................... 192

Configuring your WatchGuard Fireware OS appliance in Policy Manager for communication with Extreme Security................... 193

Configuring your WatchGuard Fireware OS appliance in Fireware XTM for communication with Extreme Security................... 193


Configuring a WatchGuard Fireware OS log source in Extreme Security...........................................194

Chapter 61: Universal CEF.....................................................................................................195

Configuring event mapping for Universal CEF events.................................................................................. 196

Chapter 62: Extreme Security supported DSMs................................................................ 197


About this DSM Configuration Guide Addendum

The Extreme Networks Security DSM Configuration Guide Addendum provides instructions about how to collect data from your third-party devices, also known as log sources. The addendum includes information only for Device Support Module (DSM) integrations that were introduced or upgraded after Extreme Networks Security Analytics V7.2.2 was released and are supported by Extreme Security 7.1 and later. For information about previous DSMs, see the Extreme Networks Security DSM Configuration Guide.

Intended audience

System administrators who are responsible for installing DSMs must be familiar with network security concepts and device configurations.

Statement of good security practices

IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise. Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. Extreme Networks ® systems, products and services are designed to be part of a lawful comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective.

EXTREME NETWORKS DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT OF ANY PARTY.

Note

Use of this Program may implicate various laws or regulations, including those related to privacy, data protection, employment, and electronic communications and storage. Extreme Networks Security Analytics may be used only for lawful purposes and in a lawful manner.

Customer agrees to use this Program pursuant to, and assumes all responsibility for complying with, applicable laws, regulations and policies. Licensee represents that it will obtain or has obtained any consents, permissions, or licenses required to enable its lawful use of Extreme Networks Security Analytics.

Conventions

This section discusses the conventions used in this guide.

Text Conventions

The following tables list text conventions that are used throughout this guide.


Table 1: Notice Icons

Notice Type    Alerts you to...
Note           Important features or instructions.
Caution        Risk of personal injury, system damage, or loss of data.
Warning        Risk of severe personal injury.
New            This command or section is new for this release.

Table 2: Text Conventions

Convention                  Description
Screen displays             This typeface indicates command syntax, or represents information as it appears on the screen.
The words enter and type    When you see the word "enter" in this guide, you must type something, and then press the Return or Enter key. Do not press the Return or Enter key when an instruction simply says "type."
[Key] names                 Key names are written with brackets, such as [Return] or [Esc]. If you must press two or more keys simultaneously, the key names are linked with a plus sign (+). Example: Press [Ctrl]+[Alt]+[Del]
Words in italicized type    Italics emphasize a point or denote new terms at the place where they are defined in the text. Italics are also used when referring to publication titles.

Terminology

When features, functionality, or operation is specific to a switch family, the family name is used.

Explanations about features and operations that are the same across all product families simply refer to the product as the "switch."

Providing Feedback to Us

We are always striving to improve our documentation and help you work better, so we want to hear from you! We welcome all feedback but especially want to know about:

• Content errors or confusing or conflicting information.

• Ideas for improvements to our documentation so you can find the information you need faster.

• Broken links or usability issues.

If you would like to provide feedback to the Extreme Networks Information Development team about this document, please contact us using our short online feedback form. You can also email us directly at [email protected].


Getting Help

If you require assistance, contact Extreme Networks Global Technical Assistance Center using one of the following methods:

Web: www.extremenetworks.com/support

Phone: 1-800-872-8440 (toll-free in U.S. and Canada) or 1-603-952-5000

For the Extreme Networks support phone number in your country: www.extremenetworks.com/support/contact

Email: [email protected]

To expedite your message, enter the product name or model number in the subject line.

Before contacting Extreme Networks for technical support, have the following information ready:

• Your Extreme Networks service contract number

• A description of the failure

• A description of any action(s) already taken to resolve the problem (for example, changing mode switches or rebooting the unit)

• The serial and revision numbers of all involved Extreme Networks products in the network

• A description of your network environment (such as layout, cable type, other relevant environmental information)

• Network load and frame size at the time of trouble (if known)

• The device history (for example, if you have returned the device before, or if this is a recurring problem)

• Any previous Return Material Authorization (RMA) numbers

Related Publications

The Extreme Security product documentation listed below can be downloaded from http://documentation.extremenetworks.com.

Extreme Security Analytics Threat Protection

• Extreme Networks Security API Reference Guide

• Extreme Networks Security Application Configuration Guide

• Extreme Networks Security Ariel Query Language Guide

• Extreme Networks Security DSM Configuration Guide

• Extreme Security DSM Configuration Guide Addendum

• Extreme Networks Security Hardware Guide

• Extreme Networks Security Installation Guide

• Extreme Networks Security Juniper NSM Plug-in User Guide

• Extreme Networks Security Log Manager Administration Guide

• Extreme Networks Security Log Sources User Guide

• Extreme Networks Security Managing Log Sources Guide

• Extreme Networks Security Offboard Storage Guide

• Extreme Security Release Notes


• Extreme Networks Security Risk Manager Adapter Configuration Guide

• Extreme Networks Security Risk Manager Getting Started Guide

• Extreme Networks Security Risk Manager Installation Guide

• Extreme Networks Security Risk Manager Migration Guide

• Extreme Networks Security Risk Manager User Guide

• Extreme Networks Security Troubleshooting System Notifications Guide

• Extreme Networks Security Upgrade Guide

• Extreme Networks Security Vulnerability Manager Release Notes

• Extreme Networks Security Vulnerability Manager User Guide

• Extreme Networks Security WinCollect User Guide

• Extreme Networks SIEM Administration Guide

• Extreme Networks SIEM Getting Started Guide

• Extreme Networks SIEM High Availability Guide

• Extreme Networks SIEM Troubleshooting Guide

• Extreme Networks SIEM Tuning Guide

• Extreme Networks SIEM Users Guide

• Migrating Extreme Security Log Manager to Extreme SIEM

Extreme Security Threat Protection

• Extreme Security Intrusion Prevention System Hardware Replacement Guide

• Extreme Security Threat Protection Release Notes


1

Event collection from third-party devices

Adding a single DSM

Installing a DSM bundle

Adding a log source

Adding bulk log sources

Adding a log source parsing order

To configure event collection from third-party devices, you need to complete configuration tasks on the third-party device and on your Extreme Security Console, Event Collector, or Event Processor. The key components that work together to collect events from third-party devices are log sources, DSMs, and automatic updates.

Log sources

A log source is any external device, system, or cloud service that is configured to either send events to your Extreme Networks Security Analytics system or be collected by your Extreme Security system.

Extreme Security shows events from log sources in the Log Activity tab.

To receive raw events from log sources, Extreme Security supports several protocols, including syslog (from operating systems, applications, firewalls, and IPS/IDS devices), SNMP, SOAP, and JDBC (for data from database tables and views).

Extreme Security also supports proprietary vendor-specific protocols such as OPSEC/LEA from Checkpoint.

For more information about supported protocols, see the Extreme Networks Security Managing Log Sources Guide.

DSMs

A Device Support Module (DSM) is a configuration file that parses received events from multiple log sources and converts them to a standard taxonomy format that can be displayed as output. Each type of log source has a corresponding DSM. For example, the IBM Fiberlink MaaS360 DSM parses and normalizes events from an IBM Fiberlink MaaS360 log source.

Automatic Updates

Extreme Security provides daily and weekly automatic updates on a recurring schedule. The weekly automatic update includes new DSM releases, corrections to parsing issues, and protocol updates. For more information about managing automatic updates, see the Extreme Networks SIEM Administration Guide.


Third-party device installation process

To collect events from a third-party device, you must complete installation and configuration steps on both the log source device and your Extreme Security system. For some third-party devices, extra configuration steps are needed, such as configuring a certificate to enable communication between that device and Extreme Security.

The following steps represent a typical installation process:

1 Read the specific instructions for how to integrate your third-party device.

2 Download and install the RPM for your third-party device. RPMs are available for download from the IBM support website (http://www.ibm.com/support).

Tip

If your Extreme Security system is configured to accept automatic updates, this step might not be required.

3 Configure the third-party device to send events to Extreme Security.

After some events are received, Extreme Security automatically detects some third-party devices and creates a log source configuration. The log source is listed on the Log Sources list and contains default information. You can customize the information.

4 If Extreme Security does not automatically detect the log source, manually add a log source. The list of supported DSMs and the device-specific topics indicate which third-party devices are not automatically detected.

5 Deploy the configuration changes and restart your web services.

Universal DSMs for unsupported third-party log sources

After the events are collected and before the correlation can begin, individual events from your devices must be properly normalized. Normalization means mapping information to common field names, such as event name, IP addresses, protocol, and ports. If an enterprise network has one or more network or security devices for which Extreme Security does not provide a corresponding DSM, you can use the Universal DSM. Extreme Security can integrate with most devices and any common protocol sources by using the Universal DSM.

To configure the Universal DSM, you must use device extensions to associate a Universal DSM to devices. Before you define device extension information in the Log Sources window in the Admin tab, you must create an extensions document for the log source. For more information, see the Extreme Networks Security Managing Log Sources Guide.

For more information about Universal DSMs, see the IBM support website (http://www.ibm.com/ support).

Adding a single DSM

If your system is disconnected from the Internet, you might need to install a DSM RPM manually.

Restriction

Uninstalling a Device Support Module (DSM) is not supported in Extreme Security.


1 Download the DSM RPM file from the IBM support website (http://www.ibm.com/support).

2 Copy the RPM file to your Extreme Security Console.

3 Using SSH, log in to the Extreme Security host as the root user.

4 Navigate to the directory that includes the downloaded file.

5 Type the following command: rpm -Uvh <rpm_filename>

6 Log in to the Extreme Security user interface.

7 On the Admin tab, click Deploy Changes.

8 On the Admin tab, select Advanced > Restart Web Services.

Related Links

3Com Switch 8800 on page 17

The Extreme Networks Security Analytics DSM for 3Com Switch 8800 receives events by using syslog.

Installing a DSM bundle

You can download and install a DSM bundle that is updated daily to include the most recent DSM releases and updates.

1 Download the DSM bundle from the IBM support website (http://www.ibm.com/support).

2 Copy the bundle to your Extreme Security Console.

3 Using SSH, log in to the Extreme Security host as the root user.

4 Navigate to the directory that includes the downloaded file.

5 Type the following command to extract the contents of the bundle: tar -zxvf QRadar_bundled-DSM-your_qradar_version.tar.gz

6 Type the following command: for FILE in *Common*.rpm DSM-*.rpm; do rpm -Uvh "$FILE"; done

7 Log in to the Extreme Security user interface.

8 On the Admin tab, click Deploy Changes.

9 On the Admin tab, select Advanced > Restart Web Services.
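The following shell helper is an added example for the bundle procedure above; it is not part of the Extreme Security documentation or product. It checks the archive listing before extracting (so a malformed bundle cannot write outside the working directory), then installs the RPMs in the dependency order that the glob in step 6 relies on: the shared *Common*.rpm packages before the DSM-*.rpm packages, each file once. The bundle and RPM file-name patterns are the ones shown in the steps; the temporary working directory and the dry-run behaviour when rpm is not on PATH are assumptions of this example.

```shell
# check_archive_listing: read a `tar -tzf` listing on stdin and fail if any
# member would land outside the extraction directory (absolute path or a
# '..' component). A DSM bundle should only contain plain RPM files.
check_archive_listing() {
    bad=0
    while IFS= read -r member; do
        case "$member" in
            /*|..|../*|*/..|*/../*)
                echo "refusing unsafe archive member: $member" >&2
                bad=1 ;;
        esac
    done
    return "$bad"
}

# order_dsm_rpms DIR: print the RPM paths under DIR in install order, each
# once: Common packages first (other DSMs depend on them), then DSM-* packages,
# sorted within each group so the order is reproducible.
order_dsm_rpms() {
    {
        find "$1" -name '*Common*.rpm' | LC_ALL=C sort
        find "$1" -name 'DSM-*.rpm' | LC_ALL=C sort
    } | awk '!seen[$0]++'
}

# install_dsm_bundle BUNDLE: verify the listing, extract into a fresh
# temporary directory, then install in order. When rpm is not on PATH (a dry
# run on another machine) it only prints the commands it would run.
# Usage on the Console, as root:
#   install_dsm_bundle QRadar_bundled-DSM-your_qradar_version.tar.gz
install_dsm_bundle() {
    bundle=$1
    [ -f "$bundle" ] || { echo "bundle not found: $bundle" >&2; return 1; }
    tar -tzf "$bundle" | check_archive_listing || return 1
    workdir=$(mktemp -d) || return 1
    tar -zxf "$bundle" -C "$workdir" || return 1
    order_dsm_rpms "$workdir" | while IFS= read -r rpmfile; do
        if command -v rpm >/dev/null 2>&1; then
            rpm -Uvh "$rpmfile" || exit 1
        else
            echo "dry run: rpm -Uvh $rpmfile"
        fi
    done
}
```

After the helper finishes, steps 7 to 9 (log in, Deploy Changes, Restart Web Services) still apply; the script only replaces the extraction and rpm steps.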

Adding a log source

If a log source is not automatically discovered, you can manually add a log source to receive events from your network devices or appliances.

The following table describes the common log source parameters for all log source types:


Table 3: Log source parameters

Log Source Identifier
    The IPv4 address or host name that identifies the log source.
    If your network contains multiple devices that are attached to a single management console, specify the IP address of the individual device that created the event. A unique identifier for each, such as an IP address, prevents event searches from identifying the management console as the source for all of the events.

Enabled
    When this option is not enabled, the log source does not collect events and the log source is not counted in the license limit.

Credibility
    Credibility is a representation of the integrity or validity of events that are created by a log source. The credibility value that is assigned to a log source can increase or decrease based on incoming events or adjusted as a response to user-created event rules. The credibility of events from log sources contributes to the calculation of the offense magnitude and can increase or decrease the magnitude value of an offense.

Target Event Collector
    Specifies the Extreme Security Event Collector that polls the remote log source.
    Use this parameter in a distributed deployment to improve Console system performance by moving the polling task to an Event Collector.

Coalescing Events
    Increases the event count when the same event occurs multiple times within a short time interval. Coalesced events provide a way to view and determine the frequency with which a single event type occurs on the Log Activity tab.
    When this check box is clear, events are viewed individually and events are not bundled.
    New and automatically discovered log sources inherit the value of this check box from the System Settings configuration on the Admin tab. You can use this check box to override the default behavior of the system settings for an individual log source.
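The Coalescing Events behaviour described in the table is easier to reason about in code. The block below is an added illustration, not code from the Extreme Security product: it bundles identical events that arrive within a short interval into one record with an incremented count, exactly as the option is described, on a constructed set of already-normalized events. The event fields, the bundling key (log source, event name, source and destination IP) and the 10-second window are assumptions made for the example; the product's own key and interval are not stated on this page.

```python
"""Event coalescing as described for the "Coalescing Events" log source option
(added example; the key and window below are assumptions, not product values)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

COALESCE_WINDOW_SECONDS = 10.0  # assumed "short time interval"


@dataclass
class Event:
    ts: float          # seconds since epoch (constructed values below)
    log_source: str    # Log Source Identifier: the device that created the event
    name: str          # normalized event name
    src_ip: str
    dst_ip: str
    count: int = 1     # number of raw events this record represents


def coalesce(events: List[Event], window: float = COALESCE_WINDOW_SECONDS) -> List[Event]:
    """Return a new list in which events that share a key and fall within
    `window` seconds of the first event of an open bundle are folded into that
    bundle by incrementing its count. The input events are not modified."""
    bundled: List[Event] = []
    open_bundle: Dict[Tuple[str, str, str, str], int] = {}  # key -> index in bundled
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.log_source, ev.name, ev.src_ip, ev.dst_ip)
        idx = open_bundle.get(key)
        if idx is not None and ev.ts - bundled[idx].ts <= window:
            bundled[idx].count += ev.count
            continue
        # First occurrence, or the previous bundle's window has expired:
        # start a new bundle timed at this event.
        bundled.append(Event(ev.ts, ev.log_source, ev.name, ev.src_ip, ev.dst_ip, ev.count))
        open_bundle[key] = len(bundled) - 1
    return bundled


# Constructed sample: a burst of failed logins from one host, a late repeat
# outside the window, a second source host, and a different event type.
SAMPLE_EVENTS = [
    Event(0.0, "fw1", "Login Failure", "10.0.0.5", "10.0.0.1"),
    Event(2.0, "fw1", "Login Failure", "10.0.0.5", "10.0.0.1"),
    Event(4.0, "fw1", "Login Failure", "10.0.0.5", "10.0.0.1"),
    Event(6.0, "fw1", "Login Failure", "10.0.0.5", "10.0.0.1"),
    Event(8.0, "fw1", "Login Failure", "10.0.0.5", "10.0.0.1"),
    Event(11.5, "fw1", "Login Failure", "10.0.0.5", "10.0.0.1"),  # 11.5 s after the bundle started
    Event(12.0, "fw1", "Login Failure", "10.0.0.6", "10.0.0.1"),  # different source host
    Event(13.0, "fw1", "Firewall Deny", "10.0.0.5", "10.0.0.1"),  # different event name
]


def summarize(events: List[Event]) -> List[Tuple[str, str, int]]:
    """(event name, source IP, count) per coalesced record, the way the Log
    Activity tab shows one row per bundled event with its count."""
    return [(e.name, e.src_ip, e.count) for e in coalesce(events)]


if __name__ == "__main__":
    for row in summarize(SAMPLE_EVENTS):
        print(row)
```

With the sample input the five-event burst becomes one record with count 5, and the three later events stay separate; the total count still equals the number of raw events, so nothing is lost. Clearing the check box corresponds to a window of zero, which leaves every event as its own record.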

1 Click the Admin tab.

2 Click the Log Sources icon.

3 Click Add.

4 Configure the common parameters for your log source.

5 Configure the protocol-specific parameters for your log source.

6 Click Save.

7 On the Admin tab, click Deploy Changes.

Related Links

3Com Switch 8800 on page 17

The Extreme Networks Security Analytics DSM for 3Com Switch 8800 receives events by using syslog.

Adding bulk log sources

You can add up to 500 Microsoft Windows or Universal DSM log sources at one time. When you add multiple log sources at one time, you add a bulk log source in Extreme Security. Bulk log sources must share a common configuration.

1 Click the Admin tab.

2 Click the Log Sources icon.

3 From the Bulk Actions list, select Bulk Add.


4 Configure the parameters for the bulk log source.

• File Upload - Upload a text file that has one host name or IP per line

• Manual - Enter the host name or IP of the host that you wish to add

5 Click Save.

6 Click Continue to add the log sources.

7 On the Admin tab, click Deploy Changes.

Adding a log source parsing order

You can assign a priority order for when the events are parsed by the target event collector.

You can order the importance of the log sources by defining the parsing order for log sources that share a common IP address or host name. Defining the parsing order for log sources ensures that certain log sources are parsed in a specific order, regardless of changes to the log source configuration.

The parsing order ensures that system performance is not affected by changes to log source configuration by preventing unnecessary parsing. The parsing order ensures that low-level event sources are not parsed for events before more important log sources.

1 Click the Admin tab.

2 Click the Log Source Parsing Ordering icon.

3 Select a log source.

4 Optional: From the Selected Event Collector list, select the Event Collector to define the log source parsing order.

5 Optional: From the Log Source Host list, select a log source.

6 Prioritize the log source parsing order.

7 Click Save.
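The effect of a parsing order is easiest to see with a small model. The block below is an added illustration, not product code: several log sources keyed to the same host each contribute a parser, the collector tries the parsers in the configured priority order, and the first parser that recognizes the payload wins. The three payload formats, the relay host address and the parsers are constructed for the example, so what it measures is the number of parse attempts under two orderings, not the product's real cost model.

```python
"""Log source parsing order for log sources that share an IP address or host
name (added example; formats, host and parsers are constructed)."""
import re
from typing import Callable, Dict, List, Optional, Tuple

# A parser returns a normalized event, or None when the payload is not its format.
Parser = Callable[[str], Optional[Dict[str, str]]]

# Constructed payload formats for three device types that log through one relay host.
_FW_RE = re.compile(r"^FW: action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+)$")
_SWITCH_RE = re.compile(r"^SWITCH: port=(?P<port>\S+) state=(?P<state>\w+)$")
_UPS_RE = re.compile(r"^UPS: (?P<state>[\w ]+)$")


def parse_firewall(payload: str) -> Optional[Dict[str, str]]:
    m = _FW_RE.match(payload)
    if m is None:
        return None
    return {"event_name": "Firewall " + m["action"].capitalize(), "src": m["src"], "dst": m["dst"]}


def parse_switch(payload: str) -> Optional[Dict[str, str]]:
    m = _SWITCH_RE.match(payload)
    if m is None:
        return None
    return {"event_name": "Port " + m["state"], "port": m["port"]}


def parse_ups(payload: str) -> Optional[Dict[str, str]]:
    m = _UPS_RE.match(payload)
    if m is None:
        return None
    return {"event_name": "UPS " + m["state"]}


class Collector:
    """Per host, the ordered list of (log source name, parser) to try."""

    def __init__(self) -> None:
        self.parsing_order: Dict[str, List[Tuple[str, Parser]]] = {}
        self.attempts = 0  # parser invocations: the cost a good order keeps low

    def set_parsing_order(self, host: str, ordered: List[Tuple[str, Parser]]) -> None:
        self.parsing_order[host] = list(ordered)

    def parse(self, host: str, payload: str) -> Tuple[Optional[str], Dict[str, str]]:
        for source_name, parser in self.parsing_order.get(host, []):
            self.attempts += 1
            event = parser(payload)
            if event is not None:
                return source_name, event  # first match wins
        # No parser matched: keep the raw payload rather than dropping it silently.
        return None, {"event_name": "Unknown", "raw": payload}


SHARED_HOST = "10.10.10.1"  # constructed relay host shared by the three log sources
LOG_SOURCES = {
    "fw": ("Firewall log source", parse_firewall),
    "switch": ("Switch log source", parse_switch),
    "ups": ("UPS log source", parse_ups),
}
SAMPLE_PAYLOADS = [  # constructed: six firewall, two switch, one UPS payload
    "FW: action=deny src=203.0.113.4 dst=192.0.2.10",
    "FW: action=deny src=203.0.113.4 dst=192.0.2.11",
    "SWITCH: port=Gi1/0/7 state=down",
    "FW: action=accept src=198.51.100.2 dst=192.0.2.10",
    "FW: action=deny src=203.0.113.9 dst=192.0.2.10",
    "UPS: On Battery",
    "FW: action=deny src=203.0.113.4 dst=192.0.2.12",
    "SWITCH: port=Gi1/0/7 state=up",
    "FW: action=accept src=198.51.100.3 dst=192.0.2.10",
]


def run_with_order(order: List[Tuple[str, Parser]]):
    collector = Collector()
    collector.set_parsing_order(SHARED_HOST, order)
    results = [collector.parse(SHARED_HOST, p) for p in SAMPLE_PAYLOADS]
    return collector.attempts, results


def compare_orders() -> Tuple[int, int, bool]:
    """Parse attempts with the busiest source first versus last, and whether
    the parsed events are identical under both orders."""
    busiest_first = [LOG_SOURCES["fw"], LOG_SOURCES["switch"], LOG_SOURCES["ups"]]
    busiest_last = [LOG_SOURCES["ups"], LOG_SOURCES["switch"], LOG_SOURCES["fw"]]
    attempts_good, events_good = run_with_order(busiest_first)
    attempts_bad, events_bad = run_with_order(busiest_last)
    return attempts_good, attempts_bad, events_good == events_bad


if __name__ == "__main__":
    print(compare_orders())
```

For these nine payloads the busiest-first order needs 13 parse attempts and the reverse order 23, with the same events produced either way. The second point is why the order also matters for correctness: when two log sources' formats overlap, the parser listed first is the one that claims the event, so the configured order, not a change to an individual log source, decides which DSM handles it.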


2

3Com Switch 8800

Configuring your 3COM Switch 8800

The Extreme Networks Security Analytics DSM for 3Com Switch 8800 receives events by using syslog.

The following table identifies the specifications for the 3Com Switch 8800 DSM:

Specification                       Value
Manufacturer                        3Com
DSM name                            Switch 8800 Series
RPM file name                       DSM-3ComSwitch_qradar-version_build-number.noarch.rpm
Supported versions                  v3.01.30
Protocol                            Syslog
Extreme Security recorded events    Status and network condition events
Automatically discovered?           Yes
Includes identity?                  No
Includes custom event properties?   No
More information                    3Com website (http://www.3com.com)

To send 3COM Switch 8800 events to Extreme Security, complete the following steps:

1 If automatic updates are not enabled, download and install the most recent 3COM Switch 8800 RPM on your Extreme Security Console.

2 Configure each 3COM Switch 8800 instance to communicate with Extreme Security.

3 If Extreme Security does not automatically discover the DSM, create a log source on the Extreme Security Console for each 3COM Switch 8800 instance. Configure all the required parameters, and use the following table for specific values:

Parameter                Value
Log Source Type          3COM Switch 8800
Protocol Configuration   Syslog

Related Links

Adding a single DSM on page 13

Configuring your 3COM Switch 8800 on page 18

Configure your 3COM Switch 8800 to forward syslog events to Extreme Networks Security Analytics.

Adding a log source on page 14

If a log source is not automatically discovered, you can manually add a log source to receive events from your network devices or appliances.

Configuring your 3COM Switch 8800

You can configure your 3COM 8800 Series Switch to forward syslog events to Extreme Security.

1 Log in to 3COM Switch 8800.

2 To enable the information center, type the following command: info-center enable

3 To configure the log host, type the following command: info-center loghost QRadar_ip_address facility informational language english

4 To configure the ARP and IP information modules, type the following commands:

info-center source arp channel loghost log level informational

info-center source ip channel loghost log level informational


3

AccessData InSight

Configuring your AccessData InSight device to communicate with Extreme Security

Adding an AccessData InSight log source on your Extreme Security Console

The AccessData InSight DSM for Extreme Networks Security Analytics collects event logs from your AccessData InSight device.

The following table identifies the specifications for the AccessData InSight DSM:

Table 4: AccessData InSight DSM specifications

Specification                           Value
Manufacturer                            AccessData
DSM name                                AccessData InSight
RPM file name                           DSM-AccessDataInSight-build_number.noarch.rpm
Supported versions                      V2
Event format                            Log file
Extreme Security recorded event types   Volatile Data
                                        Memory Analysis Data
                                        Memory Acquisition Data
                                        Collection Data
                                        Software Inventory
                                        Process Dump Data
                                        Threat Scan Data
                                        Agent Remediation Data
Automatically discovered?               No
Included identity?                      No
More information                        AccessData website (http://www.accessdata.com/)

To send events from AccessData InSight to Extreme Security, use the following steps:

1 If automatic updates are not enabled, download the most recent versions of the following RPMs.

• LogFileProtocol

• DSMCommon

• AccessData InSight DSM

2 Configure your AccessData InSight device to communicate with Extreme Security.

3 Create an AccessData InSight log source on the Extreme Security Console.

Related Links

Adding a single DSM on page 13

Configuring your AccessData InSight device to communicate with Extreme Security on page 20

To collect AccessData InSight events, you must configure your third-party device to generate event logs in LEEF format. You must also create an FTP site for AccessData InSight to transfer the LEEF files. Extreme Security can then pull the logs from the FTP server.

Adding an AccessData InSight log source on your Extreme Security Console on page 20

Extreme Security does not automatically discover the AccessData InSight log source. You must manually add the log source.

Configuring your AccessData InSight device to communicate with Extreme Security

To collect AccessData InSight events, you must configure your third-party device to generate event logs in LEEF format. You must also create an FTP site for AccessData InSight to transfer the LEEF files. Extreme Security can then pull the logs from the FTP server.

1 Log in to your AccessData InSight device.

2 Open the ADGIntegrationServiceHost.exe.config file, which is in the C:\Program Files\AccessData\eDiscovery\Integration Services directory.

3 Change the text in the file to match the following lines:

<Option Name="Version" Value="2.0" />
<Option Name="OutputFormat" Value="LEEF" />
<Option Name="LogOnly" Value="1" />
<Option Name="OutputPath" Value="C:\CIRT\logs" />

4 Restart the AccessData Third-Party Integration service.

5 Create an FTP site for the C:\CIRT\logs output folder:

a Open Internet Information Services Manager (IIS).

b Right-click the Sites tab and click Add FTP Site.

c Name the FTP site, and enter C:\CIRT\logs as the location for the generated LEEF files.

d Restart the web service.
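The LEEF files that the device is configured above to write are what the DSM normalizes into common field names, the step the Universal DSM section in chapter 1 describes as mapping information to event name, IP addresses, protocol and ports. The block below is an added illustration, not code from the Extreme Security product, from any DSM, or from AccessData: it parses the LEEF 1.0 and LEEF 2.0 layout (a pipe-delimited header LEEF:version|Vendor|Product|Version|EventID| followed by delimited key=value attributes; LEEF 2.0 may name its own attribute delimiter) and maps the predefined LEEF attribute keys (src, dst, srcPort, dstPort, proto, usrName, sev, cat, devTime) onto common field names. The sample lines, the vendor and product strings in them, and the target field names are constructed for this example and do not show any vendor's real payload.

```python
"""LEEF 1.0/2.0 parsing and normalization to common field names (added
example; sample lines and the common field names are constructed)."""
import re
from typing import Dict, List, Tuple

# Predefined LEEF attribute keys -> assumed common (normalized) field names.
COMMON_FIELDS = {
    "devTime": "device_time", "src": "source_ip", "dst": "destination_ip",
    "srcPort": "source_port", "dstPort": "destination_port", "proto": "protocol",
    "usrName": "username", "sev": "severity", "cat": "category",
}
_INT_FIELDS = {"source_port", "destination_port", "severity"}
_LEEF_HEAD = re.compile(r"^LEEF:(\d\.\d)\|")
# LEEF 2.0 delimiter field: a single character or x<hex>, ended by the header's last pipe.
_DELIM_FIELD = re.compile(r"^(x[0-9A-Fa-f]{2,8}|[^=|\t])\|")


def _take_header_fields(text: str, n: int) -> Tuple[List[str], str]:
    """Consume n pipe-delimited header fields, honouring the '\\|' escape,
    and return them with the remainder that follows the nth pipe."""
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(text) and len(fields) < n:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text) and text[i + 1] in "|\\":
            cur.append(text[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) < n:
        raise ValueError("truncated LEEF header")
    return fields, text[i:]


def _decode_delimiter(spec: str) -> str:
    # "^" -> "^"; "x7c" -> "|"; "x09" -> tab
    return spec if len(spec) == 1 else bytes.fromhex(spec[1:]).decode("utf-8")


def parse_leef(line: str) -> Dict[str, object]:
    """Split a LEEF event into its header fields and attribute dictionary."""
    m = _LEEF_HEAD.match(line)
    if m is None:
        raise ValueError("not a LEEF event")
    version = m.group(1)
    (vendor, product, product_version, event_id), rest = _take_header_fields(line[m.end():], 4)
    delim = "\t"  # LEEF 1.0 attributes are always tab-delimited
    if version == "2.0":
        d = _DELIM_FIELD.match(rest)
        if d is not None:  # delimiter field present; absent means tab
            delim = _decode_delimiter(d.group(1))
            rest = rest[d.end():]
    attrs: Dict[str, str] = {}
    for pair in rest.split(delim):
        if not pair:
            continue
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"attribute without '=': {pair!r}")
        attrs[key] = value.replace("\\=", "=")  # '=' inside a value is escaped as '\='
    return {"version": version, "vendor": vendor, "product": product,
            "product_version": product_version, "event_id": event_id, "attrs": attrs}


def normalize_leef(line: str) -> Dict[str, object]:
    """Map a LEEF event onto common field names; attributes with no mapping
    are kept under 'extra' so that nothing is dropped."""
    ev = parse_leef(line)
    extra: Dict[str, str] = {}
    out: Dict[str, object] = {"event_name": ev["event_id"], "device_vendor": ev["vendor"],
                              "device_product": ev["product"], "extra": extra}
    for key, value in ev["attrs"].items():  # type: ignore[union-attr]
        common = COMMON_FIELDS.get(key)
        if common is None:
            extra[key] = value
        else:
            out[common] = int(value) if common in _INT_FIELDS else value
    return out


# Constructed sample lines (vendor/product names are placeholders, not real payloads).
SAMPLE_LINES = [
    # LEEF 1.0: tab-delimited attributes
    "LEEF:1.0|ExampleVendor|ExampleEDR|2.0|ThreatScan|devTime=Jul 01 2015 10:15:00\tsrc=10.1.2.3\tusrName=jdoe\tsev=7\tcat=Malware Detected",
    # LEEF 2.0 with '^' as the attribute delimiter and an escaped pipe in the EventID
    "LEEF:2.0|ExampleVendor|ExampleWAF|7.0|WEB\\|BLOCK|^|src=203.0.113.10^dst=192.0.2.8^dstPort=443^proto=TCP^sev=5^rule=strict\\=on",
    # LEEF 2.0 with the delimiter given in hex (x7c is '|')
    "LEEF:2.0|ExampleVendor|ExampleFW|1.0|Deny|x7c|src=198.51.100.7|dst=192.0.2.9|dstPort=22",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(normalize_leef(line))
```

A line that does not start with a LEEF header raises ValueError rather than returning a half-filled event; a collector would route such payloads to a stored or unknown event type, which is the first thing to look for when a log source shows events but the expected fields stay empty.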

Adding an AccessData InSight log source on your Extreme Security Console

Extreme Security does not automatically discover the AccessData InSight log source. You must manually add the log source.

1 Log in to Extreme Security.

2 Click the Admin tab.

3 In the navigation menu, click Data Sources.

4 Click the Log Sources icon.

5 Click Add.

6 In the Log Source Identifier field, type the IP address or host name of the AccessData InSight device.

7 From the Log Source Type list, select AccessData InSight.

8 From the Protocol Configuration list, select Log File.

9 Configure the remaining parameters.

10 Click Save.

4

AhnLab Policy Center

The Extreme Networks Security Analytics DSM for AhnLab Policy Center retrieves events from the DB2 database that AhnLab Policy Center uses to store its logs.

The following table identifies the specifications for the AhnLab Policy Center DSM:

Table 5: AhnLab Policy Center DSM specifications

Specification                       Value
Manufacturer                        AhnLab
DSM                                 AhnLab Policy Center
RPM file names                      DSM-AhnLabPolicyCenter-QRadar-Release_Build-Number.noarch.rpm
Supported versions                  4.0
Protocol                            AhnLabPolicyCenterJdbc
Extreme Security recorded events    Spyware detection, Virus detection, Audit
Automatically discovered?           No
Includes identity                   Yes
More information                    Ahnlab website (https://global.ahnlab.com/)

To integrate AhnLab Policy Center DSM with Extreme Security, complete the following steps:

1 Download and install the most recent versions of the following RPMs on your Extreme Security Console:

• JDBC protocol RPM

• AhnLabPolicyCenterJdbc protocol RPM

• AhnLab Policy Center RPM

Tip

For more information, see your DB2 documentation.

2 Ensure that your AhnLab Policy Center system meets the following criteria:

• The DB2 Database allows connections from Extreme Security.

• The port for AhnLabPolicyCenterJdbc Protocol matches the listener port of the DB2 Database.

• Incoming TCP connections on the DB2 Database are enabled to communicate with Extreme Security.

3 For each AhnLab Policy Center server you want to integrate, create a log source on the Extreme Security Console. The following table identifies Ahnlab-specific protocol values:

Parameter                Value
Log Source Type          AhnLab Policy Center APC
Protocol Configuration   AhnLabPolicyCenterJdbc
Access credentials       Use the access credentials of the DB2 server.
Log Source Language      If you use Extreme Security v7.2 or later, you must select a log source language.

Related Links

Adding a single DSM on page 13

Adding a log source on page 14

If a log source is not automatically discovered, you can manually add a log source to receive events from your network devices or appliances.

5

Amazon AWS CloudTrail

The Extreme Networks Security Analytics DSM for Amazon AWS CloudTrail collects audit events from your Amazon AWS CloudTrail S3 bucket.

The following table lists the specifications for the Amazon AWS CloudTrail DSM:

Table 6: Amazon AWS CloudTrail DSM specifications

Specification                       Value
Manufacturer                        Amazon
DSM                                 Amazon AWS CloudTrail
RPM name                            DSM-AmazonAWSCloudTrail-QRadar_version-Build_number.noarch.rpm
Supported versions                  1.0
Protocol                            Amazon AWS S3
Extreme Security recorded events    All events
Automatically discovered?           No
Includes identity?                  No
Includes custom properties?         No
More information                    Amazon Cloud Trail documentation (http://docs.aws.amazon.com/awscloudtrail/latest/userguide/whatisawscloudtrail.html)

To integrate Amazon AWS CloudTrail with Extreme Security, complete the following steps:

1 Obtain and install a certificate to enable Extreme Security to communicate with the Amazon AWS CloudTrail S3 bucket.

2 Install the most recent version of the following RPMs on your Extreme Security Console or Event Collector:

• Amazon REST API Protocol RPM

• Amazon AWS CloudTrail DSM RPM

3 Add an Amazon AWS CloudTrail log source on the Extreme Security Console. Configure all required parameters and use the following table to help you determine values for Amazon AWS CloudTrail parameters:

Table 7: Amazon AWS CloudTrail log source parameters

Log Source Type
    Amazon AWS CloudTrail

Protocol Configuration
    Amazon AWS S3

Bucket Name
    The name of the AWS CloudTrail S3 bucket where the log files are stored.

Public Key
    The public access key that is required to access the AWS CloudTrail S3 bucket.

Access Key
    The private access key that is required to access the AWS CloudTrail S3 bucket.

Use Proxy
    When a proxy is configured, all traffic for the log source travels through the proxy for Extreme Security to access the Amazon AWS S3 buckets.
    Configure the Proxy Server, Proxy Port, Proxy Username, and Proxy Password fields. If the proxy does not require authentication, you can leave the Proxy Username and Proxy Password fields blank.

Directory Prefix
    The root directory location on the AWS CloudTrail S3 bucket from which the files are retrieved, for example, \user_account_name

Recurrence
    How often the Log File Protocol connects to the Amazon cloud API, checks for new files, and retrieves them if they exist. Every access to an AWS S3 bucket incurs a cost to the account that owns the bucket. Therefore, a smaller recurrence value increases the cost.

Related Links

Adding a single DSM on page 13

Adding a log source on page 14

If a log source is not automatically discovered, you can manually add a log source to receive events from your network devices or appliances.

6

Ambiron TrustWave ipAngel

The Extreme Networks Security Analytics DSM for Ambiron TrustWave ipAngel receives Snort-based events from the ipAngel console.

The following table identifies the specifications for the Ambiron TrustWave ipAngel DSM:

Table 8: Ambiron TrustWave ipAngel DSM specifications

Specification                   Value
Manufacturer                    Ambiron
DSM name                        Ambiron TrustWave ipAngel
RPM file name                   DSM-AmbironTrustwaveIpAngel-Qradar_version-build_number.noarch.rpm
Supported versions              V4.0
Protocol                        Syslog
Recorded event types            Snort-based events
Automatically discovered?       No
Includes identity?              No
Includes custom properties?     No
More information                Ambiron website (http://www.apache.org)

To send Ambiron TrustWave ipAngel events to Extreme Security, complete the following steps:

1 If automatic updates are not enabled, download and install the most recent version of the Ambiron TrustWave ipAngel DSM RPM on your Extreme Security Console.

2 Configure your Ambiron TrustWave ipAngel device to forward your cache and access logs to Extreme Security. For information on forwarding device logs to Extreme Security, see your vendor documentation.

3 Add an Ambiron TrustWave ipAngel log source on the Extreme Security Console. The following table describes the parameters that require specific values for Ambiron TrustWave ipAngel event collection:

Table 9: Ambiron TrustWave ipAngel log source parameters

Parameter                Value
Log Source type          Ambiron TrustWave ipAngel Intrusion Prevention System (IPS)
Protocol Configuration   Syslog

Related Links

Adding a single DSM on page 13

Adding a log source on page 14

If a log source is not automatically discovered, you can manually add a log source to receive events from your network devices or appliances.

7

Arbor Networks Pravail

Configuring your Arbor Networks Pravail system to send events to Extreme Security

The Extreme Networks Security Analytics DSM for Arbor Networks Pravail receives event logs from your Arbor Networks Pravail servers.

The following table identifies the specifications for the Arbor Networks Pravail DSM:

Table 10: Arbor Networks Pravail DSM specifications

Specification                   Value
Manufacturer                    Arbor Networks
DSM                             Arbor Networks Pravail
RPM file name                   DSM-ArborNetworksPravail-Qradar_version-build_number.noarch.rpm
Supported versions              v3.1 and later
Protocol                        Syslog
Recorded events                 All relevant events
Automatically discovered?       Yes
Includes identity?              No
Includes custom properties?     No
More information                Arbor Networks website (www.arbornetworks.com)

To send Arbor Networks Pravail DSM events to Extreme Security, complete the following steps:

1 If automatic updates are not enabled, download and install the most recent Arbor Networks Pravail DSM RPM on your Extreme Security Console.

2 Configure each Arbor Networks Pravail system to send events to Extreme Security.

3 If Extreme Security does not automatically discover the Arbor Networks Pravail system, create a log source on the Extreme Security Console. Configure the required parameters, and use the following table for the Arbor Networks Pravail specific parameters:

Parameter                Value
Log Source Type          Arbor Networks Pravail
Protocol Configuration   Syslog

Related Links

Adding a single DSM on page 13

Configuring your Arbor Networks Pravail system to send events to Extreme Security on page 29

To collect all audit logs and system events from Arbor Networks Pravail, you must add a destination that specifies Extreme Networks Security Analytics as the syslog server.

Adding a log source on page 14

If a log source is not automatically discovered, you can manually add a log source to receive events from your network devices or appliances.

Configuring your Arbor Networks Pravail system to send events to Extreme Security

To collect all audit logs and system events from Arbor Networks Pravail, you must add a destination that specifies Extreme Security as the syslog server.

1 Log in to your Arbor Networks Pravail server.

2 Click Settings & Reports.

3 Click Administration > Notifications.

4 On the Configure Notifications page, click Add Destinations.

5 Select Syslog.

6 Configure the following parameters:

Parameter      Description
Host           The IP address of the Extreme Security Console.
Port           514
Severity       Info
Alert Types    The alert types that you want to send to the Extreme Security Console.

7 Click Save.

8

APC UPS

Configuring your APC UPS to forward syslog events

The Extreme Networks Security Analytics DSM for APC UPS accepts syslog events from the APC Smart-Uninterruptible Power Supply (UPS) family of products.

Restriction

Events from RC-Series Smart-UPS are not supported.

The following table identifies the specifications for the APC UPS DSM:

Table 11: APC UPS DSM specifications

Specification                   Value
Manufacturer                    APC
DSM name                        APC UPS
RPM file name                   DSM-APCUPS-Qradar_version-build_number.noarch.rpm
Protocol                        Syslog
Recorded event types            UPS events
                                Battery events
                                Bypass events
                                Communication events
                                Input power events
                                Low battery condition events
                                SmartBoost events
                                SmartTrim events
Automatically discovered?       No
Includes identity?              No
Includes custom properties?     No
More information                APC website (http://www.apc.com)

To send APC UPS events to Extreme Security, complete the following steps:

1 If automatic updates are not enabled, download and install the most recent version of the APC UPS DSM RPM on your Extreme Security Console.

2 Create an APC UPS log source on the Extreme Security Console. Configure all the required parameters, and use the following table to configure the specific values that are required to collect APC UPS events:

Table 12: APC UPS log source parameters

Parameter                Value
Log Source type          APC UPS
Protocol Configuration   Syslog

3 Configure your APC UPS device to forward syslog events to Extreme Security.

Related Links

Adding a single DSM on page 13

Adding a log source on page 14

If a log source is not automatically discovered, you can manually add a log source to receive events from your network devices or appliances.

Configuring your APC UPS to forward syslog events on page 31

To collect events from your APC UPS, you must configure the device to forward syslog events to Extreme Networks Security Analytics.

Configuring your APC UPS to forward syslog events

You can configure syslog event forwarding on your APC UPS.

1 Log in to the APC Smart-UPS web interface.

2 In the navigation menu, click Network > Syslog.

3 From the Syslog list, select Enable.

4 From the Facility list, select a facility level for your syslog messages.

5 In the Syslog Server field, type the IP address of your Extreme Security Console or Event Collector.

6 From the Severity list, select Informational.

7 Click Apply.


9

Barracuda Web Application Firewall

Configuring Barracuda Web Application Firewall to send syslog events to Extreme Security

The Extreme Networks Security Analytics DSM for Barracuda Web Application Firewall collects syslog LEEF and custom events from Barracuda Web Application Firewall devices.

The following table identifies the specifications for the Barracuda Web Application Firewall DSM:

Table 13: Barracuda Web Application Firewall DSM specifications

Specification                           Value
Manufacturer                            Barracuda
DSM name                                Web Application Firewall
RPM file name                           DSM-BarracudaWebApplicationFirewall-QRadar_version-build_number.noarch.rpm
Supported versions                      V7.0.x and later
Protocol type                           Syslog
Extreme Security recorded event types   System, Web, Access, Audit
Automatically discovered?               If LEEF-formatted payloads, the log source is automatically discovered. If custom-formatted payloads, the log source is not automatically discovered.
Included identity?                      Yes
More information                        Barracuda Networks website (https://www.barracudanetworks.com)

To collect syslog events from Barracuda Web Application Firewall, use the following steps:

1 If automatic updates are not enabled, download the most recent version of the following RPMs on your Extreme Security Console:

• Barracuda Web Application Firewall DSM RPM

• DSMCommon RPM

2 Configure your Barracuda Web Application Firewall device to send syslog events to Extreme Security.

3 Add a Barracuda Web Application Firewall log source on the Extreme Security Console. The following table describes the parameters that require specific values for Barracuda Web Application Firewall event collection:

Table 14: Barracuda Web Application Firewall log source parameters

Parameter Value

Log Source type Barracuda Web Application Firewall

Protocol Configuration Syslog

Configuring Barracuda Web Application Firewall to send syslog events to Extreme Security

Configure your Barracuda Web Application Firewall appliance to send syslog events to Extreme Networks Security Analytics.

Verify that firewalls between the Barracuda appliance and Extreme Security allow UDP traffic on port 514.

1 Log in to the Barracuda Web Application Firewall web interface.

2 Click the Advanced tab.

3 From the Advanced menu, select Export Logs.

4 Click Add Syslog Server.

5 Configure the parameters:

Option    Description

Name    The name of the Extreme Security Console or Event Collector.

Syslog Server    The IP address of your Extreme Security Console or Event Collector.

Port    The port that is associated with the IP address of your Extreme Security Console or Event Collector. If syslog messages are sent by UDP, use the default port, 514.

Connection Type    The connection type that transmits the logs from the Barracuda Web Application Firewall to the Extreme Security Console or Event Collector. UDP is the default protocol for syslog communication.

Validate Server Certificate    No

6 In the Log Formats pane, select a format from the list box for each log type.

• If you are using newer versions of Barracuda Web Application Firewall, select LEEF 1.0 (QRadar).

• If you are using older versions of Barracuda Web Application Firewall, select Custom Format.

7 Click Save Changes.


10 Bit9 Security Platform

Configuring Bit9 Security Platform to communicate with Extreme Security

Use the Extreme SIEM DSM for Bit9 Security Platform to collect events from Bit9 Parity devices.

The following table identifies the specifications for the Bit9 Security Platform DSM:

Table 15: DSM specifications for Bit9 Security Platform

Specification    Value

Manufacturer    Bit9

DSM name    Bit9 Security Platform

RPM file name    DSM-Bit9Parity-build_number.noarch.rpm

Supported versions    V6.0.2 and up

Event format    Syslog

Supported event types    All events

Automatically discovered?    Yes

Included identity?    Yes

More information    Bit9 website (http://www.bit9.com)

To integrate Bit9 Security Platform with Extreme Security, complete the following steps:

1 If automatic updates are not enabled, download the most recent version of the Bit9 Security Platform DSM RPM.

2 Configure your Bit9 Security Platform device to enable communication with Extreme Security. You must create a syslog destination and forwarding policy on the Bit9 Security Platform device.

3 If Extreme Security does not automatically detect Bit9 Security Platform as a log source, create a Bit9 Security Platform log source on the Extreme Security Console. Use the following Bit9 Security Platform values to configure the log source parameters:

Log Source Identifier    The IP address or host name of the Bit9 Security Platform device

Log Source Type    Bit9 Security Platform

Protocol Configuration    Syslog

Related Links

Adding a single DSM on page 13

Adding a log source on page 14

If a log source is not automatically discovered, you can manually add a log source to receive events from your network devices or appliances.


Configuring Bit9 Security Platform to communicate with Extreme Security

Configure your Bit9 Security Platform device to forward events to Extreme Networks Security Analytics in LEEF format.

1 Log in to the Bit9 Security Platform console with Administrator or PowerUser privileges.

2 From the navigation menu, select Administration > System Configuration.

3 Click Server Status and click Edit.

4 In the Syslog address field, type the IP address of your Extreme Security Console or Event Collector.

5 From the Syslog format list, select LEEF (Q1Labs).

6 Select the Syslog enabled check box and click Update.


11 Blue Coat SG

Creating a custom event format

Creating a log facility

Enabling access logging

Configuring Blue Coat SG for log file protocol uploads

Configuring Blue Coat SG for syslog uploads

Creating extra custom format key-value pairs

The Extreme Networks Security Analytics DSM for Blue Coat SG collects events from Blue Coat SG appliances.

The following table lists the specifications for the Blue Coat SG DSM:

Table 16: Blue Coat SG DSM specifications

Specification    Value

Manufacturer    Blue Coat

DSM name    Blue Coat SG

RPM file name    DSM-BlueCoatProxySG-Qradar_version-build_number.noarch.rpm

Supported versions    SG v4.x and later

Protocol    Syslog, Log File Protocol

Recorded event types    All events

Automatically discovered?    No

Includes identity?    No

Includes custom properties?    Yes

More information    Blue Coat website (http://www.bluecoat.com)

To send events from Blue Coat SG to Extreme Security, complete the following steps:

1 If automatic updates are not enabled, download and install the most recent version of the Blue Coat SG DSM RPM on your Extreme Security Console.

2 Configure your Blue Coat SG device to communicate with Extreme Security. Complete the following steps:

• Create a custom event format.

• Create a log facility.


• Enable access logging.

• Configure Blue Coat SG for Log File protocol or syslog uploads.

3 Add a Blue Coat SG log source on the Extreme Security Console. Configure all the required parameters, but use the following table to configure the parameters that are required to collect Blue Coat SG events:

Table 17: Blue Coat SG log source parameters

Parameter    Value

Log Source type    Bluecoat SG Appliance

Protocol Configuration    Log File or Syslog

The instructions provided describe how to configure Blue Coat SG by using a custom name-value pair format; however, Extreme Security also supports the following formats:

• Custom Format

• SQUID

• NCSA

• main

• IM

• Streaming

• smartreporter

• bcereportermain_v1

• bcreporterssl_v1

• p2p

• SSL

• bcreportercifs_v1

• CIFS

• MAPI

Related Links

Creating a custom event format on page 38

To collect events from Blue Coat SG, create a custom event format.

Creating a log facility on page 38

To use the custom log format that you created for Extreme Networks Security Analytics, you must associate the custom log format to a facility.

Enabling access logging on page 39

You must enable access logging on your Blue Coat SG device.

Creating extra custom format key-value pairs on page 40

Configuring Blue Coat SG for log file protocol uploads on page 39

To collect the log file protocol events, configure the Blue Coat SG upload client to use the FTP client.

Configuring Blue Coat SG for syslog uploads on page 40

To allow syslog event collection, you must configure your Blue Coat SG appliance to forward syslog events to Extreme Networks Security Analytics.


Creating a custom event format

The Blue Coat SG DSM for Extreme Security accepts custom formatted events from a Blue Coat SG appliance.

1 Log in to the Blue Coat Management Console.

2 Select Configuration > Access Logging > Formats.

3 Select New.

4 Type a format name for the custom format.

5 Select Custom format string.

6 Type the following custom format:

Attention

The line breaks in this example will cause this configuration to fail. Copy the code block into a text editor, remove the line breaks, and paste it as a single line in the Custom Format column.

Bluecoat|src=$(c-ip)|srcport=$(c-port)|dst=$(cs-uri-address)
|dstport=$(cs-uri-port)|username=$(cs-username)|devicetime=$(gmttime)
|s-action=$(s-action)|sc-status=$(sc-status)|cs-method=$(cs-method)
|time-taken=$(time-taken)|sc-bytes=$(sc-bytes)|cs-bytes=$(cs-bytes)
|cs-uri-scheme=$(cs-uri-scheme)|cs-host=$(cs-host)|cs-uri-path=$(cs-uri-path)
|cs-uri-query=$(cs-uri-query)|cs-uri-extension=$(cs-uri-extension)
|cs-auth-group=$(cs-auth-group)|rs(Content-Type)=$(rs(Content-Type))
|cs(User-Agent)=$(cs(User-Agent))|cs(Referer)=$(cs(Referer))
|sc-filter-result=$(sc-filter-result)|filter-category=$(sc-filter-category)
|cs-uri=$(cs-uri)

7 Select Log Last Header from the list.

8 Click OK.

9 Click Apply.

Note

The custom format for Extreme Security supports more key-value pairs by using the Blue Coat ELFF format. For more information, see Creating extra custom format key-value pairs on page 40.

You are ready to create a log facility on your Blue Coat device.

Related Links

Creating a log facility on page 38

To use the custom log format that you created for Extreme Networks Security Analytics, you must associate the custom log format to a facility.

Creating a log facility

To use the custom log format created for Extreme Security, you must associate the custom log format for QRadar to a facility.


1 Select Configuration > Access Logging > Logs.

2 Click New.

3 Configure the following parameters:

Parameter    Description

Log Name    A name for the log facility.

Log Format    The custom format that you created.

Description    A description for the log facility.

4 Click OK.

5 Click Apply.

Related Links

Enabling access logging on page 39

You must enable access logging on your Blue Coat SG device.

Enabling access logging

You must enable access logging on your Blue Coat SG device.

1 Select Configuration > Access Logging > General.

2 Select the Enable Access Logging check box.

3 Optional: If you use Blue Coat SGOS 6.2.11.2 Proxy Edition, complete the following steps:

a Select Config > Policy > Visual Policy Manager.

b In the Policy section, add Web Access Layer for Logging.

c Select Action > Edit and enable logging to the log facility.

4 Click Apply.

Related Links

Creating extra custom format key-value pairs on page 40

Configuring Blue Coat SG for log file protocol uploads

To use FTP, you must configure the Blue Coat upload client.

1 Select Configuration > Access Logging > Logs > Upload Client.

2 From the Log list, select the log that contains your custom format.

3 From the Client type list, select FTP Client.

4 Select the text file option.

5 Click Settings.

6 From the Settings For list, select Primary FTP Server.


7 Configure the following values:

Parameter    Description

Host    The IP address of the FTP server to which you want to forward the Blue Coat events.

Port    The FTP port number.

Path    The directory path for the log files.

Username    The user name to access the FTP server.

8 Click OK.

9 Select the Upload Schedule tab.

10 From the Upload the access log option, select Periodically.

11 Configure the Wait time between connect attempts option.

12 Select to upload the log file to the FTP daily or on an interval.

13 Click Apply.

Configuring Blue Coat SG for syslog uploads

To allow syslog event collection, you must configure your Blue Coat appliance to forward syslog events.

When you send syslog events to multiple syslog destinations, a disruption in availability in one syslog destination might interrupt the stream of events to other syslog destinations from your Blue Coat SG appliance.

1 Select Configuration > Access Logging > Logs > Upload Client.

2 From the Log list, select the log that contains your custom format.

3 From the Client type list, select Custom Client.

4 Click Settings.

5 From the Settings For list, select Primary Custom Server.

6 In the Host field, type the IP address for your Extreme Security system.

7 In the Port field, type 514.

8 Click OK.

9 Select the Upload Schedule tab.

10 From the Upload the access log list, select Continuously.

11 Click Apply.

Creating extra custom format key-value pairs

Use the Extended Log File Format (ELFF) custom format to forward specific Blue Coat data or events to Extreme Networks Security Analytics.

The custom format is a series of pipe-delimited fields that starts with the Bluecoat| field and contains the $(Blue Coat ELFF) parameter.

For example:


Bluecoat|src=$(c-ip)|srcport=$(c-port)|dst=$(cs-uri-address)|dstport=$(cs-uri-port)|username=$(cs-username)|devicetime=$(gmttime)|s-action=$(s-action)|sc-status=$(sc-status)|cs-method=$(cs-method)

Table 18: Custom Format examples

Blue Coat ELFF Parameter    Custom Format Example

sc-bytes    $(sc-bytes)

rs(Content-type)    $(rs(Content-Type))

For more information about available Blue Coat ELFF parameters, see your Blue Coat appliance documentation.
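The following is an added example, not code from the guide or from Blue Coat: it joins the custom format from the previous sections into the single line the appliance requires, lists the ELFF parameters it references, and parses a constructed event emitted in that format back into key-value pairs (the sample addresses, user and URI are placeholders).

```python
"""Added example (not from the Extreme Networks guide, not Blue Coat code):
assemble the single-line Blue Coat SG custom format string and parse events
emitted in that format into key-value pairs."""
import re

# The guide's custom format, split across lines for readability. Blue Coat SG
# rejects a format string that contains line breaks, so the lines are joined
# into one string before being pasted into the Custom Format column.
CUSTOM_FORMAT_LINES = [
    "Bluecoat|src=$(c-ip)|srcport=$(c-port)|dst=$(cs-uri-address)",
    "|dstport=$(cs-uri-port)|username=$(cs-username)|devicetime=$(gmttime)",
    "|s-action=$(s-action)|sc-status=$(sc-status)|cs-method=$(cs-method)",
    "|rs(Content-Type)=$(rs(Content-Type))|cs(User-Agent)=$(cs(User-Agent))",
    "|cs-uri=$(cs-uri)",
]

# One $(...) ELFF reference; the lookahead stops at the next pipe or the end
# so nested parentheses such as $(rs(Content-Type)) are captured whole.
ELFF_REF = re.compile(r"\$\((.+?)\)(?=\||$)")


def single_line_format(lines):
    """Join the format lines into the single line Blue Coat SG expects."""
    fmt = "".join(line.strip() for line in lines)
    if "\n" in fmt or not fmt.startswith("Bluecoat|"):
        raise ValueError("custom format must be one line starting with Bluecoat|")
    return fmt


def format_keys(fmt):
    """Key names the format emits, in order (the fixed 'Bluecoat' prefix excluded)."""
    return [field.split("=", 1)[0] for field in fmt.split("|")[1:]]


def elff_fields(fmt):
    """ELFF parameters referenced by $(...) in the format, in order."""
    return ELFF_REF.findall(fmt)


def parse_event(line, fmt):
    """Parse one emitted event into a dict keyed by the format's key names.

    Values are located by the next expected '|key=' boundary rather than by a
    blind split on '|', so a value such as a cs-uri containing '|' survives
    as long as it does not itself contain the next key's '|key=' marker."""
    keys = format_keys(fmt)
    if not line.startswith("Bluecoat|"):
        raise ValueError("not a Bluecoat custom-format event")
    rest = line[len("Bluecoat|"):]
    event = {}
    for i, key in enumerate(keys):
        if not rest.startswith(key + "="):
            raise ValueError("expected field %r at: %r" % (key, rest[:40]))
        rest = rest[len(key) + 1:]
        if i + 1 < len(keys):
            marker = "|" + keys[i + 1] + "="
            end = rest.find(marker)
            if end < 0:
                raise ValueError("missing field %r" % keys[i + 1])
            event[key] = rest[:end]
            rest = rest[end + 1:]
        else:
            event[key] = rest
    return event


def is_well_formed(line, fmt):
    """True when the event carries every field of the format, in order."""
    try:
        parse_event(line, fmt)
    except ValueError:
        return False
    return True


CUSTOM_FORMAT = single_line_format(CUSTOM_FORMAT_LINES)

# Constructed sample event (addresses and user are placeholders); the cs-uri
# deliberately contains a '|' to exercise the boundary-based parsing.
SAMPLE_EVENT = (
    "Bluecoat|src=10.0.0.5|srcport=51234|dst=192.0.2.10|dstport=443"
    "|username=jdoe|devicetime=2015-07-01 12:34:56|s-action=TCP_NC_MISS"
    "|sc-status=200|cs-method=GET|rs(Content-Type)=text/html"
    "|cs(User-Agent)=Mozilla/5.0 (X11; Linux x86_64)"
    "|cs-uri=https://www.example.com/search?q=a|b"
)

if __name__ == "__main__":
    print(CUSTOM_FORMAT)
    for key, value in parse_event(SAMPLE_EVENT, CUSTOM_FORMAT).items():
        print("%-18s %s" % (key, value))
```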


12 Cisco IronPort

Configuring the Cisco IronPort to send syslog events

The Extreme Networks Security Analytics DSM for Cisco IronPort provides event information for email spam, web content filtering, and corporate email policy enforcement.

The following table identifies the specifications for the Cisco IronPort DSM:

Table 19: Cisco IronPort DSM specifications

Specification    Value

Manufacturer    Cisco

DSM name    Cisco IronPort

RPM file name    DSM-CiscoIronport-Qradar_version-build_number.noarch.rpm

Supported versions    V5.5, V6.5, V7.1, V7.5 (adds support for access logs)

Protocol    Syslog, Log File Protocol

Recorded event types    Mail (syslog), System (syslog), Access (syslog), Web content filtering (Log File)

Automatically discovered?    No

Includes identity?    No

Includes custom properties?    No

More information    Cisco website (http://www.cisco.com)

To collect events from Cisco IronPort, complete the following steps:

1 If automatic updates are not enabled, download and install the most recent version of the Cisco IronPort DSM RPM on your Extreme Security Console.

2 Configure Cisco IronPort to communicate with Extreme Security. Select one of the following options:

Mail, system, and access event logs

Use the syslog protocol to send mail, system, and access events to Extreme Security. See Configuring the Cisco IronPort to send syslog events on page 43.


Web content filtering logs

Use the Log File Protocol to retrieve web content filtering events in W3C format from a remote source. Ensure that your Extreme Security system is running the most recent version of log file protocol. To configure your Cisco IronPort device to send web content filter events, you must configure a log subscription for the web content filter.

Monitoring a directory that has a large volume of files might lead to a delay in processing individual files. To improve monitoring performance, keep the remote directory clean and reduce the number of files in it.

For more information about configuring a log subscription, see your Cisco IronPort documentation.

3 Add a Cisco IronPort log source on the Extreme Security Console. Configure all required parameters and use the following table to determine specific values for Cisco IronPort event collection:

Table 20: Cisco IronPort log source parameters

Parameter    Value

Log Source type    Cisco IronPort

Protocol Configuration    Syslog (for mail, system, and access event logs) or Log File (for web content filtering logs)

Event Generator    W3C. Configure this parameter if you select Log File in the Protocol Configuration list.

FTP File Pattern    Must use a regular expression that matches the log files that the web content filter generates. Configure this parameter if you select Log File in the Protocol Configuration list.

Configuring the Cisco IronPort to send syslog events

The Extreme Security Cisco IronPort DSM accepts events using syslog.

1 Log in to Cisco IronPort.

2 Select System Administration > Log Subscriptions.

3 Define a log subscription for each log type that you want to forward to Extreme Security:

a Click Add Log Subscription.

b From the Log Type list, select the type of log that you want to configure.

c In the Log Name field, type a name.

The appliance uses this name for the directory that will contain the log file.

d If you are creating a subscription for access logs, select Squid from the Log style list and type dst %k dstPort %p in the Custom Fields (optional) field.

e From the Retrieval Method list, select Syslog Push.

f In the Hostname field, type the IP address or server name of your Extreme Security system.

g From the Protocol list, select UDP or TCP.

h From the Facility list, select the facility you want to use.

Tip

You can use syslog only for text-based logs.


4 Save the subscription.


13 Correlog Agent for IBM z/OS

Configuring your CorreLog Agent system for communication with Extreme Security

The CorreLog Agent for IBM z/OS DSM for Extreme Networks Security Analytics can collect event logs from your IBM z/OS servers.

The following table identifies the specifications for the CorreLog Agent for IBM z/OS DSM:

Specification    Value

Manufacturer    CorreLog

DSM name    CorreLog Agent for IBM z/OS

RPM file name    DSM-CorreLogzOSAgent_qradar-version_build-number.noarch.rpm

Supported versions    7.1, 7.2

Protocol    Syslog LEEF

Extreme Security recorded events    All events

Automatically discovered    Yes

Includes identity    No

Includes custom event properties    No

More information    Correlog website (https://correlog.com/solutions-andservices/sas-correlog-mainframe.html)

To integrate CorreLog Agent for IBM z/OS DSM with Extreme Security, complete the following steps:

1 If automatic updates are not enabled, download and install the most recent CorreLog Agent for IBM z/OS RPM on your Extreme Security Console.

2 For each CorreLog Agent instance, configure your CorreLog Agent system to enable communication with Extreme Security.

3 If Extreme Security does not automatically discover the DSM, create a log source on the Extreme Security Console for each CorreLog Agent system you want to integrate. Configure all the required parameters, but use the following table for specific Correlog values:

Parameter    Description

Log Source Type    CorreLog Agent for IBM zOS

Protocol Configuration    Syslog

Related Links

Adding a single DSM on page 13

Adding a log source on page 14


If a log source is not automatically discovered, you can manually add a log source to receive events from your network devices or appliances.

Configuring your CorreLog Agent system for communication with Extreme Security

For the procedure to configure your Correlog Agent system for communication with Extreme Security, see the CZA - CorreLog Agent for z/OS manual that you received from CorreLog with your Agent for z/OS software distribution.

Use the following sections of the CZA - CorreLog Agent for z/OS manual:

• General considerations in Section 1: Introduction.

• Procedure in Section 2: Installation.

• Procedure in Section 3: Configuration. Ensure that you complete the Tailoring the Installation for a Proprietary Syslog Extension/IBM Security QRadar instructions. When you start the CorreLog agent, if Extreme Security does not collect z/OS events, see the Troubleshooting topic in Section 3.

• If you want to customize the optional CorreLog Agent parameter file, review QRadar normalized event attributes in Appendix G: Fields.


14 CloudPassage Halo

Configuring CloudPassage Halo for communication with Extreme Security

Configuring a CloudPassage Halo log source in Extreme Security

The CloudPassage Halo DSM for Extreme Networks Security Analytics can collect event logs from the CloudPassage Halo account.

The following table identifies the specifications for the CloudPassage Halo DSM:

Table 21: CloudPassage Halo DSM Specifications

Specification    Value

Manufacturer    CloudPassage

DSM name    CloudPassage Halo

RPM file name    DSM-CloudPassageHalo-build_number.noarch.rpm

Supported versions    All

Event format    Syslog, Log file

Extreme Security recorded event types    All events

Automatically discovered?    Yes

Included identity?    No

More information    CloudPassage website (www.cloudpassage.com)

To integrate CloudPassage Halo with Extreme Security, use the following steps:

1 If automatic updates are not enabled, download the latest versions of the following RPMs:

• DSMCommon RPM

• CloudPassage Halo RPM

2 Configure your CloudPassage Halo to enable communication with Extreme Security.

3 If Extreme Security does not automatically detect CloudPassage Halo as a log source, create a CloudPassage Halo log source on the Extreme Security Console.

Configuring CloudPassage Halo for communication with Extreme Security

To collect CloudPassage Halo events, download and configure the CloudPassage Halo Event Connector script to send syslog events to Extreme Security.

Before you can configure the Event Connector, you must create a read-only CloudPassage API key. To create a read-only key, log in to your CloudPassage Portal and click Add New Key on the Site Administration window.


The Event Connector script requires Python 2.6 or later to be installed on the host on which the Event Connector script runs. The Event Connector makes calls to the CloudPassage Events API, which is available to all Halo subscribers.

Note

You can configure the CloudPassage Halo Event Connector to write the events to a file for Extreme Security to retrieve by using the Log File Protocol; however, this method is not recommended.

1 Log in to the CloudPassage Portal.

2 Go to Settings > Site Administration.

3 Click the API Keys tab.

4 Click Show for the key you want to use.

5 Copy the key ID and secret key into a text file.

Ensure that the file contains only one line, with the key ID and the secret key separated by a vertical bar/pipe (|), for example, your_key_id|your_secret_key. If you want to retrieve events from multiple Halo accounts, add an extra line for each account.

6 Save the file as haloEvents.auth.

7 Download the Event Connector script and associated files from https://github.com/cloudpassage/halo-event-connector-python.

8 Copy the following files to a Linux™ or Windows™ system that has Python 2.6 (or later) installed:

• haloEvents.py

• cpapi.py

• cputils.py

• remote_syslog.py (use this script only if you deploy the Event Connector on Windows™ and you want to send events through syslog)

• haloEvents.auth

9 Set the environment variables on the Linux™ or Windows™ system:

• On Linux™, include the full path to the Python interpreter in the PATH environment variable.

• On Windows™, set the following variables:

• Set the PATH variable to include the location of haloEvents.py and the Python interpreter.

• Set the PYTHONPATH variable to include the location of the Python libraries and the Python interpreter.

10 To send events through syslog when the Event Connector is deployed on a Windows™ system, run the haloEvents.py script with the --leefsyslog=<QRadar_IP> switch:

haloEvents.py --leefsyslog=1.2.3.4

By default, the Event Connector retrieves existing events on initial connection and then retrieves only new events thereafter. To start event retrieval from a specific date, rather than retrieving all historical events on startup, use the --starting=<date> switch, where date is in the YYYY-MM-DD format:

haloEvents.py --leefsyslog=1.2.3.4 --starting=2014-04-02


11 To send events through syslog when the Event Connector is deployed on a Linux™ system, configure the local logger daemon.

a To check which logger the system uses, type the following command: ls -d /etc/*syslog*

Depending on which Linux distribution you have, the following files might be listed:

• rsyslog.conf

• syslog-ng.conf

• syslog.conf

b Edit the appropriate .conf file with relevant information for your environment.

Example configuration for syslog-ng:

source s_src {
    file("/var/log/leefEvents.txt");
};
destination d_qradar {
    udp("qradar_hostname" port(514));
};
log {
    source(s_src);
    destination(d_qradar);
};

c To run the haloEvents.py script with the --leeffile=<filepath> switch, type the following command: haloEvents.py --leeffile=/var/log/leefEvents.txt

You can include the --starting=YYYY-MM-DD switch to specify the date from which you want events to be collected on initial startup.

Notice

As an alternative to using syslog, you can write events to a file for Extreme Security to retrieve by using the Log File protocol. To write the events to a file instead, on Windows™ or Linux™, use the --leeffile=<filename> switch to specify the file to write to.

Configuring a CloudPassage Halo log source in Extreme Security

To collect CloudPassage Halo events, configure a log source in Extreme Security.

1 Log in to Extreme Security.

2 Click the Admin tab.

3 In the navigation menu, click Data Sources.

4 Click the Log Sources icon.

5 Click Add.

6 From the Log Source Type list, select CloudPassage Halo.

7 From the Protocol Configuration list, select Syslog or Log File.

8 Configure the remaining parameters.

9 Click Save.


10 On the Admin tab, click Deploy Changes.


15 DG Technology MEAS

Configuring your DG Technology MEAS system for communication with Extreme Security

The Extreme Networks Security Analytics DSM for DG Technology MEAS can collect event logs from your DG Technology MEAS servers.

The following table identifies the specifications for the DG Technology MEAS DSM:

Table 22: DSM Specifications for DG Technology MEAS

Specification    Value

Manufacturer    DG Technology

Log source type    DG Technology MEAS

RPM file name    DSM-DGTechnologyMEAS-build_number.noarch.rpm

Supported versions    8.x

Protocol configuration    LEEF Syslog

Supported event types    Mainframe events

Automatically discovered?    Yes

Includes identity?    No

Includes custom event properties    No

More information    DG Technology website (http://www.dgtechllc.com)

To integrate DG Technology MEAS DSM with Extreme Security, use the following procedures:

1 If automatic updates are not enabled, download and install the most recent DG Technology MEAS RPM on your Extreme Security Console.

2 For each instance of DG Technology MEAS, configure your DG Technology MEAS system to enable communication with Extreme Security.

Related Links

Adding a single DSM on page 13

Adding a log source on page 14

If a log source is not automatically discovered, you can manually add a log source to receive events from your network devices or appliances.


Configuring your DG Technology MEAS system for communication with Extreme Security

To collect all audit logs and system events from DG Technology MEAS, you must specify Extreme Security as the syslog server.

1 Log in to your DG Technology MEAS server.

2 Type the following command: java meas/MeasServer 41000 m=qwl lo=IP_address_of_QRadar_host

When Extreme Security receives events from your DG Technology MEAS, a log source is automatically created and listed on the Log Sources window.


16 FireEye

Configuring your FireEye system for communication with QRadar

Configuring a FireEye log source in Extreme Security

The Extreme Networks Security Analytics DSM for FireEye accepts syslog events in Log Event Extended Format (LEEF) and Common Event Format (CEF).

This DSM applies to FireEye CMS, MPS, EX, AX, NX, FX, and HX appliances. Extreme Security records all relevant notification alerts that are sent by FireEye appliances.

The following table identifies the specifications for the FireEye DSM.

Table 23: FireEye DSM specifications

Specification    Value

Manufacturer    FireEye

DSM name    FireEye MPS

Supported versions    CMS, MPS, EX, AX, NX, FX, and HX

RPM file name    DSM-FireEyeMPS-QRadar_version-Build_number.noarch.rpm

Protocol    Syslog

Extreme Security recorded event types    All relevant events

Auto discovered?    Yes

Includes identity?    No

More information    FireEye website (www.fireeye.com)

To integrate FireEye with Extreme Security, use the following procedures:

1 If automatic updates are not enabled, download and install the DSM Common and FireEye MPS RPM on your Extreme Security Console.

2 For each instance of FireEye in your deployment, configure the FireEye system to forward events to Extreme Security.

3 For each instance of FireEye, create a FireEye log source on the Extreme Security Console.

Related Links

Adding a single DSM on page 13

Adding a log source on page 14

If a log source is not automatically discovered, you can manually add a log source to receive events from your network devices or appliances.


Configuring your FireEye system for communication with QRadar®

To enable FireEye to communicate with Extreme Security, you must configure your FireEye appliance to forward syslog events.

1 Log in to the FireEye appliance by using the CLI.

2 To activate configuration mode, type the following commands:

enable
configure terminal

3 To enable rsyslog notifications, type the following command: fenotify rsyslog enable

4 To add Extreme Security as an rsyslog notification consumer, type the following command: fenotify rsyslog trap-sink QRadar

5 To specify the IP address for the Extreme Security system that you want to receive rsyslog trap-sink notifications, type the following command: fenotify rsyslog trap-sink QRadar address QRadar_IP_address

6 To define the rsyslog event format, type the following command: fenotify rsyslog trap-sink QRadar prefer message format leef

7 To save the configuration changes to the FireEye appliance, type the following command: write memory

Configuring a FireEye log source in Extreme Security

Extreme Security automatically creates a log source after your Extreme Security Console receives

FireEye events. If Extreme Security does not automatically discover FireEye events, you can manually add a log source for each instance from which you want to collect event logs.

1 Log in to Extreme Security.

2 Click the Admin tab.

3 On the navigation menu, click Data Sources.

4 Click the Log Sources icon.

5 Click Add.

6 From the Log Source Type list, select FireEye.

7 Using the Protocol Configuration list, select Syslog.

8 In the Log Source Identifier field, type the IP address or host name of the FireEye appliance.

9 Configure the remaining parameters.

10 Click Save.

11 On the Admin tab, click Deploy Changes.


17 FreeRADIUS

Configuring your FreeRADIUS device to communicate with Extreme Security

The Extreme Networks Security Analytics DSM for FreeRADIUS collects events from your FreeRADIUS device.

The following table lists the specifications for the FreeRADIUS DSM:

Table 24: FreeRADIUS DSM specifications

Specification    Value

Manufacturer    FreeRADIUS

DSM name    FreeRADIUS

RPM file name    DSM-FreeRADIUS-Qradar_version-build_number.noarch.rpm

Supported versions    V2.x

Event format    Syslog

Recorded event types    All events

Automatically discovered?    Yes

Includes identity?    Yes

Includes custom properties?    No

More information    FreeRADIUS website (http://freeradius.org)

To send logs from FreeRADIUS to Extreme Security, complete the following steps:

1 If automatic updates are not enabled, download and install the most recent version of the FreeRADIUS DSM RPM on your Extreme Security Console.

2 Configure your FreeRADIUS device to send syslog events to Extreme Security.

3 If Extreme Security does not automatically detect the log source, add a FreeRADIUS log source on the Extreme Security Console. The following table describes the parameters that require specific values for FreeRADIUS event collection:

Table 25: FreeRADIUS log source parameters

Parameter                      Value
Log Source type                FreeRADIUS
Protocol Configuration         Syslog

Configuring your FreeRADIUS device to communicate with Extreme Security

Configure FreeRADIUS to send logs to the syslog daemon of the host and configure the daemon to send events to Extreme Security.

You must have a working knowledge of syslog configuration and the Linux ™ distribution.

FreeRADIUS has multiple distributions. Some files might not be in the same locations that are described in this procedure. For example, the location of the FreeRADIUS startup script is based on distribution.

Conceptually, the configuration steps are the same for all distributions.

1 Log in to the system that hosts FreeRADIUS.

2 Edit the /etc/freeradius/radius.conf file.

3 Change the text in the file to match the following lines:

logdir = syslog
Log_destination = syslog
log {
    destination = syslog
    syslog_facility = daemon
    stripped_names = no
    auth = yes
    auth_badpass = no
    auth_goodpass = no
}

4 Edit the /etc/syslog.conf file.

5 To configure log options, add the following text.

# .=notice logs authentication messages (L_AUTH).
# <facility_name>.=notice @<IP_address_of_QRadar_Event_Collector_or_QRadar_Console>
# .=err logs module errors for FreeRADIUS.
#<facility_name>.=err @<IP_address_of_QRadar_Event_Collector_or_QRadar_Console>
# .* logs messages to the same target.
# <facility_name>.* @<IP_address_of_QRadar_Event_Collector_or_QRadar_Console>

An example syslog facility name is local1. You can rename it.

To configure a log option, remove the comment tag (#) from one of the active lines that contains an @ symbol.

6 If the configuration change does not load automatically, restart the syslog daemon. The method to restart the syslog daemon depends on the distribution that is used. The following table lists possible methods.

Operating system distribution            Command to restart daemon
Red Hat Enterprise Linux™                service syslog restart
Debian Linux™ or Ubuntu Linux™           /etc/init.d/syslog restart
FreeBSD operating system                 /etc/rc.d/syslogd restart

7 Add the following options to the FreeRADIUS startup script:

-l syslog -g <facility_name>

The -g value must match the facility name in Step 5.

8 Restart FreeRADIUS.


18

genua genugate

Configuring genua genugate to send events to Extreme Security

The Extreme Networks Security Analytics DSM for genua genugate collects events from a genua genugate device.

genua genugate produces logs from third-party software such as OpenBSD and Sendmail. The genua genugate DSM provides basic parsing for the logs from these third-party products. To achieve more specific parsing for these logs, install the specific DSM for that product.

The following table lists the specifications for the genua genugate DSM:

Table 26: genua genugate DSM specifications

Specification                  Value
Manufacturer                   genua
DSM name                       genua genugate
RPM file name                  DSM-GenuaGenugate-Qradar_version-build_number.noarch.rpm
Supported versions             8.2 and later
Protocol                       Syslog
Recorded event types           General error messages
                               High availability
                               General relay messages
                               Relay-specific messages
                               genua programs/daemons
                               EPSI
                               Accounting Daemon - gg/src/acctd
                               Configfw
                               FWConfig
                               ROFWConfig
                               User-Interface
                               Webserver
Automatically discovered?      Yes
Includes identity?             Yes
Includes custom properties?    No
More information               genua website (https://www.genua.de/en/solutions/high-resistance-firewall-genugate.html)

To send genua genugate events to Extreme Security, complete the following steps:

1 If automatic updates are not enabled, download and install the most recent version of the following RPMs on your Extreme Security Console:

• DSMCommon RPM

• genua genugate DSM RPM

2 Configure your genua genugate device to send syslog events to Extreme Security.

3 If Extreme Security does not automatically detect the log source, add a genua genugate log source on the Extreme Security Console. Configure all required parameters and use the following table to identify specific values for genua genugate:

Table 27: genua genugate log source parameters

Parameter                      Value
Log Source type                genua genugate
Protocol Configuration         Syslog

Related Links

Adding a single DSM on page 13

Configuring genua genugate to send events to Extreme Security on page 59

Configure genua genugate to send events to Extreme Networks Security Analytics.

Adding a log source on page 14

If a log source is not automatically discovered, you can manually add a log source to receive events from your network devices or appliances.

Configuring genua genugate to send events to Extreme Security

Configure genua genugate to send events to Extreme Networks Security Analytics.

1 Log in to genua genugate.

2 Click System > Sysadmin > Logging page.

3 In the IP Address field, type the IP address of your Extreme Security Console or Event Collector.

4 Select the Accounting to External check box.

5 Click OK.


19

HyTrust CloudControl

Configuring HyTrust CloudControl to communicate with Extreme Security

The Extreme Networks Security Analytics DSM for HyTrust CloudControl collects events from HyTrust CloudControl devices.

The following table lists the specifications for the HyTrust CloudControl DSM:

Table 28: HyTrust CloudControl DSM specifications

Specification                  Value
Manufacturer                   Hytrust
DSM name                       HyTrust CloudControl
RPM file name                  DSM-HyTrustCloudControl-Qradar_version-build_number.noarch.rpm
Supported versions             V3.0.2 through V3.6.0
Protocol                       Syslog
Recorded event types           All events
Automatically discovered?      Yes
Includes identity?             Yes
Includes custom properties?    No
More information               Hytrust web site (http://www.hytrust.com)

To collect HyTrust CloudControl events, complete the following steps:

1 If automatic updates are not enabled, download and install the most recent version of the following RPMs on your Extreme Security Console:

• DSMCommon RPM

• HyTrust CloudControl DSM RPM

2 Configure your HyTrust CloudControl device to send syslog events to Extreme Security.

3 If Extreme Security does not automatically detect the log source, add a HyTrust CloudControl log source on the Extreme Security Console. The following table describes the parameters that require specific values for HyTrust CloudControl event collection:


Table 29: HyTrust CloudControl log source parameters

Parameter                      Value
Log Source type                HyTrust CloudControl
Protocol Configuration         Syslog

Related Links

Adding a single DSM on page 13

Configuring HyTrust CloudControl to communicate with Extreme Security on page 61

To collect HyTrust CloudControl events, you must configure your third-party device to send events to Extreme Networks Security Analytics.

Adding a log source on page 14

If a log source is not automatically discovered, you can manually add a log source to receive events from your network devices or appliances.

Configuring HyTrust CloudControl to communicate with Extreme Security

To collect HyTrust CloudControl events, you must configure your third-party device to send events to Extreme Networks Security Analytics.

1 Log in to HyTrust CloudControl.

2 From the HTA Management Console, select Configuration > Logging.

3 From the HTA Logging Aggregation options, select External.

4 From the Logging Aggregation Template Type options, select either Proprietary or CEF.

5 In the HTA Syslog Servers field, type the IP address for Extreme Security.


20

IBM AIX DSMs

IBM AIX Server DSM overview

IBM AIX Audit DSM overview

Extreme Networks Security Analytics provides the IBM AIX Audit and IBM AIX Server DSMs to collect and parse audit or operating system events from IBM AIX devices.

IBM AIX Server DSM overview

The IBM AIX Server DSM collects operating system and authentication events using syslog for users that interact or log in to your IBM AIX appliance.

The following table identifies the specifications for the IBM AIX Server DSM:

Table 30: IBM AIX Server DSM specifications

Specification                           Value
Manufacturer                            IBM
DSM names                               IBM AIX Server
RPM file names                          DSM-IBMAIXServer-QRadar_version-build_number.noarch.rpm
Supported versions                      V5.X, V6.X, and V7.X
Protocol type                           Syslog
Extreme Security recorded event types   Login or logoff events
                                        Session opened or session closed events
                                        Accepted password and failed password events
                                        Operating system events
Automatically discovered?               Yes
Includes identity?                      Yes
More information                        IBM website (http://www.ibm.com/)

To integrate IBM AIX Server events with Extreme Security, complete the following steps:

1 If automatic updates are not enabled, download the latest version of the IBM AIX Server DSM.

2 Configure your IBM AIX Server device to send syslog events to Extreme Security.

3 Configure a syslog-based log source for your IBM AIX Server device. Use the following protocol-specific parameters:

Parameter                      Description
Log Source Type                IBM AIX Server
Protocol Configuration         Syslog


Related Links

Adding a single DSM on page 13

Configuring your IBM AIX Server device to send syslog events to Extreme Security on page 63

Adding a log source on page 14

If a log source is not automatically discovered, you can manually add a log source to receive events from your network devices or appliances.

Configuring your IBM AIX Server device to send syslog events to Extreme Security

1 Log in to your IBM AIX appliance as a root user.

2 Open the /etc/syslog.conf file.

3 To forward the system authentication logs to QRadar, add the following line to the file:

auth.info	@QRadar_IP_address

A tab must separate auth.info and the IP address of Extreme Security.

For example:

##### begin /etc/syslog.conf
mail.debug	/var/adm/maillog
mail.none	/var/adm/maillog
auth.notice	/var/adm/authlog
lpr.debug	/var/adm/lpd-errs
kern.debug	/var/adm/messages
*.emerg;*.alert;*.crit;*.warning;*.err;*.notice;*.info	/var/adm/messages
auth.info	@<10.100.100.1>
##### end /etc/syslog.conf

4 Save and exit the file.

5 Restart the syslog service:

refresh -s syslogd
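Two of the syslog.conf requirements in this guide are easy to get wrong by hand: the AIX procedure above needs a TAB between the selector and the @target (the same rule applies to the *.debug line in the IBM AIX Audit syslog procedure), and the FreeRADIUS procedure needs the facility forwarded in syslog.conf to match the -g option given to the FreeRADIUS startup script. The following Python checker is an added example, not part of this guide; the syslog.conf contents and the radiusd option string it reads are constructed samples, and every function in it is a hypothetical helper.

```python
"""Check syslog.conf forwarding rules before restarting the daemon.

Added example, not part of the DSM guide. It checks two things the guide
requires: on AIX a TAB must separate the selector from the @target, and on a
FreeRADIUS host the facility forwarded in syslog.conf must be the one passed
to radiusd with -g. All file contents below are constructed samples.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Facilities understood by classic BSD/AIX syslogd; anything else is a typo.
KNOWN_FACILITIES = {
    "auth", "authpriv", "cron", "daemon", "ftp", "kern", "lpr", "mail",
    "news", "syslog", "user", "uucp", "*",
} | {f"local{i}" for i in range(8)}


@dataclass
class Rule:
    lineno: int
    selectors: List[Tuple[str, str]]   # e.g. [("auth", "info"), ("local1", "=notice")]
    action: str                        # e.g. "@10.100.100.1" or "/var/adm/messages"
    tab_separated: bool

    @property
    def forwards(self) -> bool:
        return self.action.startswith("@")

    @property
    def facilities(self) -> Set[str]:
        return {fac for fac, _ in self.selectors}


def parse_syslog_conf(text: str) -> List[Rule]:
    """Parse selector/action lines; comments and blank lines are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\S+)([ \t]+)(\S.*)$", line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        selector_field, sep, action = m.groups()
        selectors = []
        for sel in selector_field.split(";"):
            # Several facilities may share one priority: "mail,uucp.info".
            facs, dot, prio = sel.rpartition(".")
            if not dot:
                raise ValueError(f"line {lineno}: bad selector {sel!r}")
            selectors.extend((fac, prio) for fac in facs.split(","))
        rules.append(Rule(lineno, selectors, action, "\t" in sep))
    return rules


def check_forwarding(text: str, expected_facility: Optional[str] = None) -> List[str]:
    """Return findings for the @target rules; an empty list means the file is clean."""
    findings = []
    forwarding = [r for r in parse_syslog_conf(text) if r.forwards]
    if not forwarding:
        findings.append("no @target rule: nothing is forwarded to the collector")
    for r in forwarding:
        if not r.tab_separated:
            # AIX syslogd needs a TAB here (guide: "A tab must separate ...").
            findings.append(f"line {r.lineno}: selector and {r.action} are not TAB-separated")
        for fac in sorted(r.facilities - KNOWN_FACILITIES):
            findings.append(f"line {r.lineno}: unknown facility {fac!r}")
        if expected_facility and expected_facility not in r.facilities:
            # FreeRADIUS: the -g facility must be the one this rule forwards.
            findings.append(f"line {r.lineno}: forwards {sorted(r.facilities)} "
                            f"but radiusd logs to {expected_facility!r}")
    return findings


def facility_from_startup_opts(opts: str) -> Optional[str]:
    """Pull the facility out of a radiusd option string such as '-l syslog -g local1'."""
    m = re.search(r"(?:^|\s)-g\s+(\S+)", opts)
    return m.group(1) if m else None


# Constructed AIX /etc/syslog.conf: the auth.info line follows the guide but
# uses spaces instead of the required TAB, so it must be flagged.
AIX_CONF = (
    "auth.notice\t/var/adm/authlog\n"
    "*.emerg;*.alert;*.crit;*.warning;*.err;*.notice;*.info\t/var/adm/messages\n"
    "auth.info   @10.100.100.1\n"
)

# Constructed FreeRADIUS host: syslog.conf forwards local1, radiusd runs with -g local2.
RADIUS_CONF = "local1.=notice\t@10.100.100.1\nlocal1.=err\t@10.100.100.1\n"
RADIUS_OPTS = "-l syslog -g local2"

if __name__ == "__main__":
    for name, conf, fac in (("AIX", AIX_CONF, None),
                            ("FreeRADIUS", RADIUS_CONF, facility_from_startup_opts(RADIUS_OPTS))):
        print(f"== {name} ==")
        for finding in check_forwarding(conf, fac) or ["ok"]:
            print("  " + finding)
```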

IBM AIX Audit DSM overview

The IBM AIX Audit DSM collects detailed audit information for events that occur on your IBM AIX appliance.

The following table identifies the specifications for the IBM AIX Audit DSM:

Table 31: IBM AIX Audit DSM specifications

Specification                           Value
Manufacturer                            IBM
DSM names                               IBM AIX Audit
RPM file names                          DSM-IBMAIXAudit-QRadar_version-build_number.noarch.rpm
Supported versions                      V6.1 and V7.1
Protocol type                           Syslog
                                        Log File Protocol
Extreme Security recorded event types   Audit events
Automatically discovered?               Yes
Includes identity?                      No
More information                        IBM website (http://www.ibm.com/)

To integrate IBM AIX Audit events with Extreme Security, complete the following steps:

1 Download the latest version of the IBM AIX Audit DSM.

2 For syslog events, complete the following steps:

a Configure your IBM AIX Audit device to send syslog events to Extreme Security. See Configuring IBM AIX Audit DSM to send syslog events to Extreme Security on page 66.

b If Extreme Security does not automatically discover the log source, add an IBM AIX Audit log source. Use the following IBM AIX Audit-specific values in the log source configuration:

Parameter                      Value
Log Source Type                IBM AIX Audit
Protocol Configuration         Syslog

3 For log file protocol events, complete the following steps:

a Configure your IBM AIX Audit device to convert audit logs to the log file protocol format.

b Configure a log file protocol-based log source for your IBM AIX Audit device. Use the following protocol-specific values in the log source configuration:

Parameter                      Value
Log Source Type                IBM AIX Audit
Protocol Configuration         Log File
Service Type                   The protocol to retrieve log files from a remote server.
                               Important: If you select the SCP or SFTP service type, ensure that the server that is specified in the Remote IP or Hostname parameter has the SFTP subsystem enabled.
Remote Port                    If the host for your event files uses a non-standard port number for FTP, SFTP, or SCP, adjust the port value.
SSH Key File                   If you select SCP or SFTP as the Service Type, use this parameter to define an SSH private key file. When you provide an SSH Key File, the Remote Password parameter is ignored.
Remote Directory               The directory location on the remote host where the files are retrieved. Specify the location relative to the user account you are using to log in.
                               Restriction: For FTP only. If your log files are in a remote user home directory, leave the remote directory blank to support operating systems where a change in the working directory (CWD) command is restricted.
FTP File Pattern               The FTP file pattern must match the name that you assigned to your AIX audit files with the -n parameter in the audit script. For example, to collect files that start with AIX_AUDIT and end with your time stamp value, type AIX_Audit_*.
FTP Transfer Mode              ASCII is required for text event logs that are retrieved by the log file protocol by using FTP.
Processor                      NONE
Change Local Directory?        Leave this check box clear.
Event Generator                LineByLine. The Event Generator applies more processing to the retrieved event files. Each line of the file is a single event. For example, if a file has 10 lines of text, 10 separate events are created.

Related Links

Adding a single DSM on page 13

Configuring IBM AIX Audit DSM to send syslog events to Extreme Security on page 66

To collect syslog audit events from your IBM AIX Audit device, redirect your audit log output from your IBM AIX device to the Extreme Networks Security Analytics Console or Event Collector.

Configuring IBM AIX Audit DSM to send log file protocol events to Extreme Security on page 66

Configure the audit.pl script to run each time that you want to convert your IBM AIX audit logs to a readable event log format for Extreme Security.

Adding a log source on page 14

If a log source is not automatically discovered, you can manually add a log source to receive events from your network devices or appliances.


Configuring IBM AIX Audit DSM to send syslog events to Extreme Security

To collect syslog audit events from your IBM AIX Audit device, redirect your audit log output from your IBM AIX device to the Extreme Networks Security Analytics Console or Event Collector.

On an IBM AIX appliance, you can enable or disable classes in the audit configuration. The IBM AIX default classes capture a large volume of audit events. To prevent performance issues, you can tune your IBM AIX appliance to reduce the number of classes that are collected. For more information about audit classes, see your IBM AIX appliance documentation.

1 Log in to your IBM AIX appliance.

2 Open the audit configuration file: /etc/security/audit/config

3 Edit the Start section to disable the binmode element and enable the streammode element:

binmode = off
streammode = on

4 Edit the Classes section to specify which classes to audit.

5 Save the configuration changes.

6 Open the streamcmds file: /etc/security/audit/streamcmds

7 Add the following line to the file:

/usr/sbin/auditstream | auditpr -h eclrRdi | /usr/bin/logger -p local0.debug

8 Save the configuration changes.

9 Edit the syslog configuration file to specify a debug entry and the IP address of the Extreme Security Console or Event Collector:

*.debug	@ip_address

Tip

A tab must separate *.debug from the IP address.

10 Save the configuration changes.

11 Reload your syslog configuration:

refresh -s syslogd

12 Start the audit script on your IBM AIX appliance:

audit start

The IBM AIX Audit DSM automatically discovers syslog audit events that are forwarded from IBM AIX to Extreme Security and creates a log source. If the events are not automatically discovered, you can manually configure a log source.

Configuring IBM AIX Audit DSM to send log file protocol events to Extreme Security

Configure the audit.pl script to run each time that you want to convert your IBM AIX audit logs to a readable event log format for Extreme Security.


To use the audit script, you must install Perl 5.8 or later on your IBM AIX appliance.

This procedure requires you to configure two files:

• Audit configuration file

• Audit script

The audit configuration file identifies the event classes that are audited and the location of the event log file on your IBM AIX appliance. The IBM AIX default classes capture many audit events.

To prevent performance issues, you can configure the classes in the audit configuration file. For more information about configuring audit classes, see your IBM AIX documentation.

The audit script uses the audit configuration file to identify which audit logs to read and converts the binary logs to single-line events that Extreme Security can read. The log file protocol can then retrieve the event log from your IBM AIX appliance and import the events to Extreme Security. The audit script uses the audit.pr file to convert the binary audit records to event log files Extreme Security can read.

Run the audit script each time that you want to convert your audit records to readable events. You can use a cron job to automate this process. For example, you can add the following entry to run the audit script hourly:

0 * * * * /audit.pl

For more information, see your system documentation.

1 Log in to your IBM AIX appliance.

2 Configure the audit configuration file:

a Open the audit configuration file: /etc/security/audit/config

b Edit the Start section to enable the binmode element:

binmode = on

c In the Start section, edit the configuration to determine which directories contain the binary audit logs. The default configuration for IBM AIX auditing writes binary logs to the following directories:

trail = /audit/trail
bin1 = /audit/bin1
bin2 = /audit/bin2
binsize = 10240
cmds = /etc/security/audit/bincmds

In most cases, you do not have to edit the binary file in the bin1 and bin2 directories.

d In the Classes section, edit the configuration to determine which classes are audited. For information on configuring classes, see your IBM AIX documentation.

e Save the configuration changes.

3 Start auditing on your IBM AIX system: audit start

4 Install the audit script:

a Access the IBM Support website (http://www.ibm.com/support).

b Download the audit.pl.gz file.

c Copy the audit script to a folder on your IBM AIX appliance.

d Extract the file: tar -zxvf audit.pl.gz

e Start the audit script:

./audit.pl

You can add the following parameters to modify the command:

Parameter   Description
-r          Defines the results directory where the audit script writes event log files for Extreme Security. If you do not specify a results directory, the script writes the events to the /audit/results/ directory. The Remote Directory parameter in the log source configuration uses this value. To prevent errors, verify that the results directory exists on your IBM AIX system.
-n          Defines a unique name for the event log file that is generated by the audit script. The FTP File Pattern parameter in the log source configuration uses this name to identify the event logs that the log source must retrieve in Extreme Security.
-l          Defines the name of the last record file.
-m          Defines the maximum number of audit files to retain on your IBM AIX system. By default, the script retains 30 audit files. When the number of audit files exceeds the value of the -m parameter, the script deletes the audit file with the oldest time stamp.
-t          Defines the directory that contains the audit trail file. The default directory is /audit/trail.

The IBM AIX Audit DSM automatically discovers log file protocol audit events that are forwarded from IBM AIX to Extreme Security and creates a log source. If the events are not automatically discovered, you can manually configure a log source.
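Both IBM AIX Audit procedures edit the Start and Classes sections of /etc/security/audit/config: streammode = on for the syslog procedure, binmode = on for the log file protocol procedure. The following Python parser is an added example, not from this guide or from IBM; it reads the stanza layout of that file ("start:", "bin:", "stream:", "classes:", "users:" headings followed by "key = value" lines) and reports which procedure the current settings support. The sample file content is constructed and keeps the trail/bin paths in the bin: stanza, where the stock AIX file places them.

```python
"""Read /etc/security/audit/config and report which delivery mode it supports.

Added example, not from this guide or from IBM. The file is a set of stanzas
("start:", "bin:", "stream:", "classes:", "users:") containing "key = value"
lines. The syslog procedure needs streammode = on; the log file protocol
procedure needs binmode = on. Sample content below is constructed.
"""
import re
from typing import Dict, List

Stanzas = Dict[str, Dict[str, str]]


def parse_audit_config(text: str) -> Stanzas:
    """Return {stanza: {key: value}}. Lines beginning with '*' are comments."""
    stanzas: Stanzas = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("*"):
            continue
        m = re.match(r"^(\w+):$", line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
            continue
        if current is None:
            raise ValueError(f"line {lineno}: attribute before any stanza")
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'key = value', got {raw!r}")
        current[key.strip()] = value.strip()
    return stanzas


def delivery_mode(stanzas: Stanzas) -> str:
    """Classify the Start section as 'syslog', 'logfile', 'both' or 'none'."""
    start = stanzas.get("start", {})
    stream = start.get("streammode", "off").lower() == "on"
    binm = start.get("binmode", "off").lower() == "on"
    return {(True, False): "syslog", (False, True): "logfile",
            (True, True): "both", (False, False): "none"}[(stream, binm)]


def audited_classes(stanzas: Stanzas) -> Dict[str, List[str]]:
    """Expand the Classes section into {class_name: [audit_event, ...]}."""
    return {name: [e.strip() for e in events.split(",") if e.strip()]
            for name, events in stanzas.get("classes", {}).items()}


def check(stanzas: Stanzas, wanted: str) -> List[str]:
    """Findings for the guide's 'syslog' or 'logfile' procedure; empty means ready."""
    findings = []
    mode = delivery_mode(stanzas)
    if mode not in (wanted, "both"):
        findings.append(f"start section is set for {mode!r}, procedure needs {wanted!r}")
    if wanted == "logfile":
        # audit.pl reads the trail file, so the bin paths must be present and absolute.
        for key in ("trail", "bin1", "bin2"):
            if not stanzas.get("bin", {}).get(key, "").startswith("/"):
                findings.append(f"bin section: {key} is missing or not an absolute path")
    if wanted == "syslog" and "cmds" not in stanzas.get("stream", {}):
        findings.append("stream section: no cmds file, so streamcmds will not run")
    if not any(audited_classes(stanzas).values()):
        findings.append("classes section: no events selected, nothing will be audited")
    return findings


# Constructed sample set up as the guide's syslog procedure requires
# (binmode off, streammode on); bin paths are left at their AIX defaults.
AUDIT_CONFIG_SAMPLE = """\
* constructed sample, not a real appliance file
start:
        binmode = off
        streammode = on

bin:
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 10240
        cmds = /etc/security/audit/bincmds

stream:
        cmds = /etc/security/audit/streamcmds

classes:
        general = USER_SU,PASSWORD_Change,FILE_Unlink,USER_Login,USER_Logout
        objects = S_ENVIRON_WRITE,S_GROUP_WRITE,S_PASSWD_WRITE

users:
        root = general,objects
"""

if __name__ == "__main__":
    cfg = parse_audit_config(AUDIT_CONFIG_SAMPLE)
    print("delivery mode:", delivery_mode(cfg))
    for proc in ("syslog", "logfile"):
        print(proc, check(cfg, proc) or ["ok"])
```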


21

IBM AS/400 iSeries event collection

Extreme Networks Security Analytics has multiple options for how to collect events from an IBM AS/400 (or IBM OS/400) iSeries device.

You can use one of the following software products to configure Extreme Security to retrieve events from an IBM AS/400 (or IBM OS/400) iSeries device:

IBM AS/400 iSeries DSM
The IBM AS/400 iSeries DSM uses the DSPJRN command to write audit journal records to a database file. The database file is uploaded to an FTP server for Extreme Security to retrieve. Extreme Security uses the Log File protocol to retrieve the database file.

LogAgent for System i
The LogAgent for System i accepts all Common Event Format (CEF) formatted syslog messages. You can integrate an IBM OS/400 device and then use the LogAgent for System i software. After you configure your LogAgent for System i software, use the Log File protocol source to retrieve the syslog CEF messages. For more information, see your Patrick Townsend Security Solutions LogAgent for System i documentation.

PowerTech Interact
PowerTech Interact accepts all Common Event Format (CEF) formatted syslog messages. After you configure your PowerTech Interact software, use the Log File protocol source to pull the syslog CEF messages.

Raz-Lee iSecurity DSM
You can also use the Raz-Lee iSecurity DSM to retrieve events from an IBM AS/400 (or IBM OS/400) iSeries device.

For more information, see the Frequently Asked Questions webpage on the IBM Support webpage.

Related Links

IBM AS/400 iSeries DSM on page 70

The Extreme Networks Security Analytics DSM for IBM AS/400 iSeries collects audit records and event information from IBM AS/400 iSeries devices.


22

IBM AS/400 iSeries DSM

Configuring an IBM iSeries device to communicate with Extreme Security

The Extreme Networks Security Analytics DSM for IBM AS/400 iSeries collects audit records and event information from IBM AS/400 iSeries devices.

The following table identifies the specifications for the IBM AS/400 iSeries DSM:

Table 32: IBM AS/400 iSeries DSM specifications

Specification                  Value
Manufacturer                   IBM
DSM name                       IBM AS/400 iSeries
Supported versions             V5R4 and later
RPM file name                  DSM-IBMiSeries-Qradar_version-build_number.noarch.rpm
Protocol                       Log File Protocol
                               syslog
Recorded event types           Audit records and events
Automatically discovered?      No
Includes identity?             Yes
Includes custom properties?    No
More information               IBM website (http://www.ibm.com/)

To collect events from IBM AS/400 iSeries devices, complete the following steps:

1 If automatic updates are not enabled, download and install the most recent version of the IBM AS/400 iSeries DSM RPM on your Extreme Security Console.

2 Configure your IBM AS/400 iSeries device to communicate with Extreme Security.

3 Add an IBM AS/400 iSeries log source on the Extreme Security Console. Configure all the required parameters, but use the following table to configure the parameters that are required to collect IBM AS/400 iSeries events:


Table 33: IBM AS/400 iSeries log source parameters

Parameter                      Value
Log Source Type                IBM AS/400 iSeries
Protocol Configuration         Log File
                               Note: If you are using the PowerTech Interact or LogAgent for System i software to collect CEF formatted syslog messages, you must select the Syslog option.
Service Type                   Secure File Transfer Protocol (SFTP)

Related Links

Configuring an IBM iSeries device to communicate with Extreme Security on page 71

For Extreme Networks Security Analytics to be able to collect IBM iSeries events, you need to configure your IBM iSeries device to communicate with your Extreme Security device.


Adding a single DSM on page 13

Adding a log source on page 14

If a log source is not automatically discovered, you can manually add a log source to receive events from your network devices or appliances.

Configuring an IBM iSeries device to communicate with Extreme Security

For Extreme Networks Security Analytics to be able to collect IBM iSeries events, you need to configure your IBM iSeries device to communicate with your Extreme Security device.

The IBM AS/400 iSeries DSM uses an agent that manages, gathers, and transfers event information.

The agent uses the DSPJRN command to write audit journal records to a database file. These records are reformatted and forwarded to an FTP server where Extreme Security can retrieve the records.

The IBM iSeries system records and writes security events in the Audit Journal and the QHST logs.

QHST logs are stored in the Audit Journal as TYPE5 messages.

1 From the IBM support website (http://www.ibm.com/support), download the AJLIB.SAVF file.

2 Copy the AJLIB.SAVF file to a computer or terminal that has FTP access to the IBM AS/400 iSeries device.

3 Using FTP on the computer or terminal, replace the iSeries generic SAVF file with the AJLIB.SAVF file. Type the following commands:

cd qgpl
quote site namefmt 1
bin
lcd c:\
put ajlib.savf
quit

If you transfer your SAVF file from another iSeries device, send the file with the BINARY FTP subcommand mode before the GET or PUT statement.

4 To restore the AJLIB library on the IBM iSeries device, type the following command:

RSTLIB SAVLIB(AJLIB) DEV(*SAVF) SAVF(AJLIB)

5 To restore the IFS directory, type the following command:

RST DEV('/qsys.lib/ajlib.lib/ajifs.file') OBJ(('/ajlib'))

6 To configure the data collection start date and time for the Audit Journal Library (AJLIB), type the following command:

ADDLIBLE AJLIB

AJLIB/SETUP

You are prompted for a user name and password. If you start the Audit Journal Collector, a failure message is sent to QSYSOPR. The setup function sets a default start date and time for data collection from the Audit Journal to 08:00:00 of the current day.

Tip

To preserve the start date and time information from a previous installation, you must run AJLIB/DATETIME first. Record the previous start date and time, and then type those values when you run the AJLIB/SETUP command. The start date and time must contain a valid date and time in the six-character system date and system time format.

The end date and time must be a valid date and time or left blank.

7 If you changed the start date and time, type the following command to update the IBM AS/400 iSeries device:

AJLIB/DATETIME

8 To launch the Audit Journal Collection program to gather and send records to your remote FTP server, type the following command:

AJLIB/AUDITJRN

The Audit Journal Collection program is typically automated by an iSeries Job Scheduler to collect records periodically.

If the FTP transfer is successful, the current date and time information is written into the start time for AJLIB/DATETIME to update the gather time, and the end time is set to blank. If the FTP transfer fails, the export file is erased, no updates are made to the gather date or time, and a message is sent to QSYSOPR.


23

IBM Federated Directory Server

Configuring IBM Federated Directory Server to monitor security events

The Extreme Networks Security Analytics DSM collects events from IBM Federated Directory Server systems.

The following table identifies the specifications for the IBM Federated Directory Server DSM:

Table 34: IBM Federated Directory Server DSM specifications

Specification                  Value
Manufacturer                   IBM
DSM name                       IBM Federated Directory Server
RPM file name                  DSM-IBMFederatedDirectoryServer-Qradar_version-build_number.noarch.rpm
Supported versions             V7.2.0.2 and later
Event format                   LEEF
Recorded event types           FDS Audit
Automatically discovered?      Yes
Includes identity?             No
Includes custom properties?    No
More information               Security Directory Server information in the IBM Knowledge Center (http://www-01.ibm.com/support/knowledgecenter/SSVJJU/welcome)

To send events from IBM Federated Directory Server to Extreme Security, complete the following steps:

1 If automatic updates are not enabled, download the most recent version of the following RPMs on your Extreme Security Console:

• DSMCommon RPM

• IBM Federated Directory Server DSM RPM

2 Configure Extreme Security monitoring on your IBM Federated Directory Server device.

3 If Extreme Security does not automatically detect the log source, add an IBM Federated Directory Server log source on the Extreme Security Console. The following table describes the parameters that require specific values for IBM Federated Directory Server event collection:


Table 35: IBM Federated Directory Server log source parameters

Parameter                      Value
Log Source type                IBM Federated Directory Server
Protocol Configuration         Syslog
Log Source Identifier          The source IP or host name of the IBM Federated Directory Server.

Related Links

Adding a single DSM on page 13

Configuring IBM Federated Directory Server to monitor security events on page 74

Configure IBM Federated Directory Server to monitor security events, which are generated when an entry is added, modified, or deleted in the target

Adding a log source on page 14

If a log source is not automatically discovered, you can manually add a log source to receive events from your network devices or appliances.

Configuring IBM Federated Directory Server to monitor security events

Configure IBM Federated Directory Server to monitor security events, which are generated when an entry is added, modified, or deleted in the target

1 Log in to your IBM Federated Directory Server.

2 In the navigation pane, under Common Settings, click Monitoring.

3 On the Monitoring page, click the QRadar tab.

4 To indicate that you want to monitor security events, on the QRadar page, select Enabled.

5 Configure the parameters.

6 In the Map file field, specify the path and file name of the map file that configures the various Extreme Security LEEF attributes for the event.

7 Click Select to browse for the map file. The default value points to the LDAPSync/QRadar.map file.

8 In the Date format mask field, specify a standard Java SimpleDateFormat mask to use for date values that are written in mapped LEEF attributes.

This value controls both the value of the devTimeFormat attribute and the formatting of date values in the event. The default value is the ISO 8601 standard mask, MMM dd yy HH:mm:ss, which creates a string such as Oct 16 12 15:15:57.

24 IBM® Fiberlink® MaaS360®

Manually installing an RPM
Configuring your Fiberlink MaaS360 instance for communication with Extreme Security
Configuring an IBM Fiberlink MaaS360 log source in Extreme Security

The IBM® Fiberlink® MaaS360® DSM for Extreme Networks Security Analytics can collect event logs from the Fiberlink® MaaS360® console.

The following table identifies the specifications for the IBM® Fiberlink® MaaS360® DSM:

Table 36: IBM® Fiberlink® MaaS360® DSM specifications

Specification                           Value
Manufacturer                            IBM®
DSM name                                IBM® Fiberlink® MaaS360®
RPM file name                           DSM-IBMFiberlinkMaaS360
Supported versions                      N/A
Event format                            LEEF
Extreme Security recorded event types   Compliance rule events
Automatically discovered?               No
Includes identity?                      No
More information                        Fiberlink® MaaS360® website (http://www.maas360.com/)

To integrate IBM® Fiberlink® MaaS360® with Extreme Security, use the following steps:

1 If automatic updates are not enabled, download the latest versions of the following RPMs:
• DSMCommon RPM
• IBM® Fiberlink® REST API Protocol RPM
• IBM® Fiberlink® MaaS360® RPM

2 Configure your Fiberlink® MaaS360® instance to enable communication with Extreme Security.

3 Create an IBM® Fiberlink® MaaS360® log source on the Extreme Security Console.

Manually installing an RPM

If automatic updates are not enabled on your Extreme Security Console, or if the Console is restricted from the Internet, you can download DSM, protocol, and scanner RPMs from the IBM® support website. Then you can install the RPM by using the command-line interface. To uninstall an RPM, contact Customer Support.

1 Access the IBM® support website (http://www.ibm.com/support).

2 Download the RPM file to the system that hosts your Extreme Security Console.

3 Using SSH, log in to Extreme Security as the root user.

4 Go to the directory that includes the downloaded file.

5 Type the following command: rpm -Uvh filename

Because the command runs as root, first check the package's digests and signature with rpm -K filename, and install only a package that verifies.

6 Log in to the Extreme Security user interface.

7 On the Admin tab, click Deploy Changes.

Attention: For protocol RPM installations, follow the post-installation steps that are provided in the Console output where the installation is run.

Configuring your Fiberlink® MaaS360® instance for communication with Extreme Security

To allow Extreme Security communication, you need to enable the REST API and copy the public certificate from the Fiberlink® MaaS360® instance to the Extreme Security Console.

1 To enable the REST API for your Fiberlink® MaaS360® account, contact Fiberlink® customer service.

2 Copy the public certificate from the Fiberlink® login server to the /opt/qradar/conf/trusted_certificates directory on your Extreme Security Console.

Ensure that the following conditions are met:
• The certificate is DER encoded.
• The file name extension is .DER. The extension is case-sensitive.
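The two conditions in step 2 are easy to get wrong by hand (a PEM file merely renamed to .DER, or a lower-case .der extension), and neither mistake is reported until the REST API poll fails. The following Python is an added example for this guide, not code from the guide, IBM or Fiberlink: it accepts a certificate in PEM or DER form, verifies that the result is a single well-formed DER SEQUENCE, writes it under the required upper-case .DER extension, and returns a SHA-256 fingerprint to compare against a value obtained from the server owner before the file is trusted. The destination directory is the one named in step 2; the certificate bytes used in __main__ are a constructed ASN.1 SEQUENCE standing in for a real certificate.

```python
"""Prepare a server certificate for /opt/qradar/conf/trusted_certificates.
Added example, not code from the guide or from IBM/Fiberlink. It enforces the
two conditions in step 2: the file must be DER encoded and must carry the
case-sensitive .DER extension. The bytes used in __main__ are a constructed
ASN.1 SEQUENCE standing in for a certificate, not a real certificate."""
import base64
import hashlib
import os
import re

TRUSTED_DIR = "/opt/qradar/conf/trusted_certificates"     # from the guide
_PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_length(data: bytes) -> int:
    """Total encoded length of the outer DER SEQUENCE, or ValueError if data
    does not start with a well-formed SEQUENCE tag and length."""
    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (expected tag 0x30)")
    first = data[1]
    if first < 0x80:                                   # short-form length
        return 2 + first
    n = first & 0x7F                                   # long form: n length octets
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("bad DER length octets")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def to_der(data: bytes) -> bytes:
    """Accept PEM or DER and return DER, rejecting anything that is not
    exactly one well-formed SEQUENCE (a PEM file renamed to .DER, a truncated
    download, or trailing garbage all fail here)."""
    m = _PEM_RE.search(data)
    der = base64.b64decode(b"".join(m.group(1).split())) if m else data
    if der_length(der) != len(der):
        raise ValueError("DER length does not match file size")
    return der


def trusted_cert_filename(name: str) -> str:
    """<name>.DER with the upper-case extension QRadar requires; the name
    must be a plain file name, not a path."""
    if not re.fullmatch(r"[A-Za-z0-9._-]+", name) or name.startswith("."):
        raise ValueError("use a plain file name without path components")
    return name + ".DER"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in colon-separated form, for comparison with the
    value the server owner publishes before the certificate is trusted."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def install_trusted_certificate(data: bytes, name: str, dest_dir: str = TRUSTED_DIR) -> str:
    """Write the certificate as DER into dest_dir and return its path."""
    der = to_der(data)
    path = os.path.join(dest_dir, trusted_cert_filename(name))
    with open(path, "wb") as fh:
        fh.write(der)
    os.chmod(path, 0o644)
    return path


if __name__ == "__main__":
    import tempfile
    # Constructed stand-in: SEQUENCE { INTEGER 5 }, wrapped as PEM.
    fake_der = bytes.fromhex("3003020105")
    fake_pem = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(fake_der)
                + b"-----END CERTIFICATE-----\n")
    with tempfile.TemporaryDirectory() as tmp:
        written = install_trusted_certificate(fake_pem, "maas360-login", tmp)
        print(written, fingerprint(to_der(fake_pem)))
```

Run it with the certificate you saved from the login server instead of the constructed bytes; the structural check catches the common renaming mistake, and the fingerprint is what you compare out of band, since a certificate fetched over the network is only as trustworthy as the path it came over.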

Configuring an IBM® Fiberlink® MaaS360® log source in Extreme Security

To collect IBM ® Fiberlink ® MaaS360 ® events, configure a log source in Extreme Security.

1 Log in to Extreme Security.

2 Click the Admin tab.

3 In the navigation menu, click Data Sources.

4 Click the Log Sources icon.

5 Click Add.

6 From the Log Source Type list, select IBM Fiberlink MaaS360.

7 From the Protocol Configuration list, select IBM Fiberlink REST API.

8 Configure the following IBM® Fiberlink® REST API parameters:

Parameter     Description
Login URL     The URL for the Fiberlink® MaaS360® login server.
Secret Key    The secret key that is provided by Fiberlink® Customer Service when you enabled the REST API.
App ID        The App ID that was provided by Fiberlink® Customer Service when you enabled the REST API.
Billing ID    The Billing ID for your Fiberlink® MaaS360® account.
Platform      The platform version of the Fiberlink® MaaS360® console.
App Version   The App Version of the application that corresponds to your REST API account.

9 Configure the remaining parameters.

10 Click Save.

11 On the Admin tab, click Deploy Changes.

25 IBM Security Privileged Identity Manager

Configuring IBM Security Privileged Identity Manager

The Extreme Networks Security Analytics DSM for IBM Security Privileged Identity Manager collects events from IBM Security Privileged Identity Manager devices.

The following table identifies the specifications for the IBM Security Privileged Identity Manager DSM:

Table 37: IBM Security Privileged Identity Manager DSM specifications

Specification                 Value
Manufacturer                  IBM
DSM name                      IBM Security Privileged Identity Manager
RPM file name                 DSM-IBMSecurityPrivilegedIdentityManager-QRadar_version-build_number.noarch.rpm
Supported versions            V2.0
Protocol                      JDBC
Recorded event types          Audit, Authentication, System
Automatically discovered?     No
Includes identity?            No
Includes custom properties?   No
More information              IBM Security Privileged Identity Manager website (http://www-03.ibm.com/software/products/en/pim/)

To collect events from IBM Security Privileged Identity Manager, complete the following steps:

1 If automatic updates are not enabled, download and install the most recent version of the following RPMs on your Extreme Security Console:
• JDBC Protocol RPM
• IBM Security Privileged Identity Manager DSM RPM

2 Collect information from the IBM Security Privileged Identity Manager web user interface.

3 Add an IBM Security Privileged Identity Manager log source on the Extreme Security Console. The following table describes the parameters that require specific values for IBM Security Privileged Identity Manager event collection:

Table 38: IBM Security Privileged Identity Manager log source parameters

Parameter                 Value
Log Source type           IBM Security Privileged Identity Manager
Protocol Configuration    JDBC
Log Source Identifier     <DATABASE@HOSTNAME>
Database Type             DB2
Database Name             Must match the value in the Database name field in IBM Security Privileged Identity Manager.
IP or Hostname            Must match the value in the Hostname field in IBM Security Privileged Identity Manager.
Port                      Must match the value in the Port field in IBM Security Privileged Identity Manager.
Username                  Must match the value in the Database administrator ID field in IBM Security Privileged Identity Manager.
Predefined Query          None
Table Name                DB2ADMIN.V_PIM_AUDIT_EVENT. Replace DB2ADMIN with the actual database schema name as identified in the Database Administrator ID parameter in IBM Security Privileged Identity Manager.
Select List               *
Compare Field             TIMESTAMP
Use Prepared Statements   Select this check box.
Start Date and Time       Initial date/time for the JDBC retrieval.
Polling Interval          10
EPS Throttle              20000

Configuring IBM Security Privileged Identity Manager

To configure a log source in Extreme Networks Security Analytics, you must record some information from IBM Security Privileged Identity Manager.

To communicate with Extreme Security, the IBM Security Privileged Identity Manager DB2 database must have incoming TCP connections enabled.

1 Log in to IBM Security Privileged Identity Manager.

2 Click the Configure Privileged Identity Manager tab.

3 In the Manage External Entities pane, select Database Server Configuration.

4 Double-click the Identity data store row in the Database Server Configuration column.

5 Record the values for the following parameters:
• Host name
• Port
• Database name
• Database Administrator ID

6 To create a view in the IBM Security Privileged Identity Manager DB2 database, in the same schema as identified in the Database Administrator ID parameter, run the following SQL statement:

CREATE VIEW V_PIM_AUDIT_EVENT AS
SELECT ae.ID,
       ae.itim_event_category AS event_category,
       ae.ENTITY_NAME,
       service.NAME AS service_name,
       ae.ENTITY_DN, ae.ENTITY_TYPE, ae.ACTION,
       ae.INITIATOR_NAME, ae.INITIATOR_DN,
       ae.CONTAINER_NAME, ae.CONTAINER_DN,
       ae.RESULT_SUMMARY, ae.TIMESTAMP,
       lease.POOL_NAME, lease.LEASE_DN, lease.LEASE_EXPIRATION_TIME, lease.JUSTIFICATION,
       ae.COMMENTS, ae.TIMESTAMP2, ae.WORKFLOW_PROCESS_ID
FROM AUDIT_EVENT ae
LEFT OUTER JOIN AUDIT_MGMT_LEASE lease ON (ae.id = lease.event_id)
LEFT OUTER JOIN SA_EVALUATION_CREDENTIAL cred ON (LOWER(ae.entity_dn) = LOWER(cred.DN))
LEFT OUTER JOIN V_SA_EVALUATION_SERVICE service ON (LOWER(cred.service_dn) = LOWER(service.dn));
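Table 38 sets Compare Field to TIMESTAMP, asks for a Start Date and Time, and requires prepared statements; the following Python is an added example, not code from the guide, IBM or QRadar, that models the incremental poll those parameters drive against the view above. sqlite3 stands in for DB2, the table is a constructed subset of the view's columns, and the rows are invented. It shows the one edge case worth knowing about a timestamp watermark: a row committed late with the same TIMESTAMP as the previous poll's last row is lost to a strict greater-than comparison, so the poller compares with >= and remembers the IDs it already delivered at the watermark. The guide's Username is the database administrator ID; the poll needs only SELECT on the view, so a dedicated read-only account is the least-privilege choice (an editorial note here, not a requirement stated by the guide).

```python
"""Model the incremental poll the JDBC protocol runs against
<schema>.V_PIM_AUDIT_EVENT with Compare Field = TIMESTAMP, to show what the
Start Date and Time and Use Prepared Statements parameters control.
Added example, not code from the guide, IBM or QRadar: sqlite3 stands in for
DB2, the table is a constructed subset of the view's columns, and the rows
inserted in demo() are invented."""
import sqlite3

VIEW = "V_PIM_AUDIT_EVENT"      # view name from the guide
COMPARE_FIELD = "TIMESTAMP"     # Compare Field value from Table 38
COLUMNS = "ID, EVENT_CATEGORY, ACTION, INITIATOR_NAME, RESULT_SUMMARY, TIMESTAMP"


def make_store() -> sqlite3.Connection:
    """Constructed stand-in for the DB2 view. DB2 compares TIMESTAMP natively;
    here it is ISO 8601 text, whose string order equals time order."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {VIEW} (ID INTEGER PRIMARY KEY, EVENT_CATEGORY TEXT, "
                 "ACTION TEXT, INITIATOR_NAME TEXT, RESULT_SUMMARY TEXT, TIMESTAMP TEXT)")
    return conn


class JdbcPoller:
    """Keeps the Compare Field high-water mark between polls."""

    def __init__(self, conn: sqlite3.Connection, start_date_time: str):
        self.conn = conn
        self.watermark = start_date_time     # 'Start Date and Time' parameter
        self.seen_at_mark = set()            # IDs already delivered at the watermark

    def poll(self) -> list:
        # Prepared statement: the watermark is a bind parameter, never spliced
        # into the SQL text. This is what 'Use Prepared Statements' selects.
        # '>=' rather than '>' so a row committed late with the same TIMESTAMP
        # as the last delivered row is not lost; seen_at_mark drops the rows
        # that '>=' re-reads.
        cur = self.conn.execute(
            f"SELECT {COLUMNS} FROM {VIEW} WHERE {COMPARE_FIELD} >= ? "
            f"ORDER BY {COMPARE_FIELD}, ID", (self.watermark,))
        new = [row for row in cur
               if not (row[5] == self.watermark and row[0] in self.seen_at_mark)]
        if new:
            top = new[-1][5]
            if top != self.watermark:
                self.seen_at_mark = set()
            self.watermark = top
            self.seen_at_mark.update(row[0] for row in new if row[5] == top)
        return new


def demo() -> tuple:
    """Three polls: initial load, a late row in the watermark second, then
    nothing new. Returns the number of rows each poll delivered."""
    conn = make_store()
    conn.executemany(f"INSERT INTO {VIEW} VALUES (?,?,?,?,?,?)", [
        (1, "Audit", "Add", "admin", "Success", "2015-07-01 08:00:00"),
        (2, "Authentication", "Login", "jdoe", "Success", "2015-07-01 08:00:05"),
        (3, "Audit", "Checkout", "jdoe", "Success", "2015-07-01 08:00:05"),
    ])
    poller = JdbcPoller(conn, "2015-07-01 08:00:00")
    first = len(poller.poll())
    # a row committed after the first poll but stamped in the same second
    conn.execute(f"INSERT INTO {VIEW} VALUES (?,?,?,?,?,?)",
                 (4, "Audit", "Checkin", "jdoe", "Success", "2015-07-01 08:00:05"))
    second = len(poller.poll())      # only ID 4, no duplicates of 2 and 3
    third = len(poller.poll())
    return first, second, third


if __name__ == "__main__":
    print(demo())   # (3, 1, 0)
```

The Polling Interval (10) and EPS Throttle (20000) from Table 38 sit outside this model; what it does capture is that the correctness of the feed rests on TIMESTAMP being monotonic with commit order, which is why the view exposes ae.TIMESTAMP rather than a derived value.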

Adding a log source on page 14

26 IBM RACF

Integrating RACF with Extreme Security Using Security zSecure
Integrate RACF with Extreme Security using audit scripts

Extreme Security includes two options for integrating events from RACF. See the following options:

Integrating RACF with Extreme Security Using Security zSecure on page 81
Integrate RACF with Extreme Security using audit scripts on page 86

Integrating RACF with Extreme Security Using Security zSecure

The IBM RACF DSM allows you to integrate events from an IBM z/OS mainframe using IBM Security zSecure.

Using a zSecure process, events from the System Management Facilities (SMF) are written to an event file in Log Event Extended Format (LEEF). QRadar retrieves the LEEF event log files with the Log File protocol and processes the events. Retrieval runs on the polling schedule that you define.

To integrate IBM RACF LEEF events:

1 Confirm your installation meets any prerequisite installation requirements. For more information, see Before You Begin on page 81.

2 Configure your IBM z/OS image to write events in LEEF format. For more information, see the IBM Security zSecure Suite: CARLa-Driven Components Installation and Deployment Guide.

3 Create a log source in QRadar for IBM RACF to retrieve your LEEF formatted event logs. For more information, see Create an RACF log source on page 82.

4 Optional. Create a custom event property for IBM RACF in QRadar. For more information, see the IBM Security QRadar Custom Event Properties for IBM z/OS technical note.

Before You Begin

Before you can configure the data collection process, you must complete the basic zSecure installation process.

The following prerequisites are required:
• You must ensure parmlib member IFAPRDxx is not disabled for IBM Security zSecure Audit on your z/OS image.
• The SCKRLOAD library must be APF-authorized.
• You must configure a process to periodically refresh your CKFREEZE and UNLOAD data sets.
• You must configure an SFTP, FTP, or SCP server on your z/OS image for QRadar to download your LEEF event files.
• You must allow SFTP, FTP, or SCP traffic on firewalls located between QRadar and your z/OS image.

After installing the software, you must also perform the post-installation activities to create and modify the configuration. For instructions on installing and configuring zSecure, see the IBM Security zSecure Suite: CARLa-Driven Components Installation and Deployment Guide.

Create an RACF log source

The Log File protocol allows Extreme Security to retrieve archived log files from a remote host.

Log files are transferred, one at a time, to Extreme Security for processing. The Log File protocol can manage plain text event logs, compressed files, or archives. Archives must contain plain-text files that can be processed one line at a time; multi-line event logs are not supported by the Log File protocol. IBM RACF integrated with Extreme Security by using audit scripts writes log files to a specified directory as plain text files, one event per line. Extreme Security extracts any archive and processes the events line by line.

To retrieve these events, you must create a log source that uses the Log File protocol. Extreme Security requires credentials to log in to the system that hosts your event files, and a polling interval.

1 Click the Admin tab.

2 Click the Log Sources icon.

3 Click Add.

4 In the Log Source Name field, type a name for the log source.

5 In the Log Source Description field, type a description for the log source.

6 From the Log Source Type list, select IBM Resource Access Control Facility (RACF).

7 From the Protocol Configuration list, select Log File.


8 Configure the following values:

Table 39: IBM RACF log file protocol parameters

Log Source Identifier
    Type an IP address, host name, or name to identify the event source. IP addresses or host names are recommended as they allow Extreme Security to identify a log file to a unique event source.
    For example, if your network contains multiple devices, such as multiple z/OS images or a file repository containing all of your event logs, specify a name, IP address, or host name for the image or location that uniquely identifies events for the IBM RACF log source. This allows events to be identified at the image or location level in your network that your users can identify.

Service Type
    From the list, select the protocol you want to use when retrieving log files from a remote server. The default is SFTP.
    SFTP - SSH File Transfer Protocol
    FTP - File Transfer Protocol
    SCP - Secure Copy
    The underlying protocol used to retrieve log files for the SCP and SFTP service types requires that the server specified in the Remote IP or Hostname field has the SFTP subsystem enabled.

Remote IP or Hostname
    Type the IP address or host name of the device storing your event log files.

Remote Port
    Type the TCP port on the remote host that is running the selected Service Type. The valid range is 1 to 65535.
    The options include:
    FTP - TCP Port 21
    SFTP - TCP Port 22
    SCP - TCP Port 22
    If the host for your event files is using a non-standard port number for FTP, SFTP, or SCP, you must adjust the port value accordingly.

Remote User
    Type the user name or userid necessary to log in to the host containing your event files.
    If your log files are located on your IBM z/OS image, type the userid necessary to log in to your IBM z/OS. The userid can be up to 8 characters in length.
    If your log files are located on a file repository, type the user name necessary to log in to the file repository. The user name can be up to 255 characters in length.

Remote Password
    Type the password necessary to log in to the host.

Confirm Password
    Confirm the password necessary to log in to the host.

SSH Key File
    If you select SCP or SFTP as the Service Type, this parameter allows you to define an SSH private key file. When you provide an SSH Key File, the Remote Password field is ignored.

Remote Directory
    Type the directory location on the remote host from which the files are retrieved, relative to the user account you are using to log in.
    For FTP only. If your log files reside in the remote user's home directory, you can leave the remote directory blank. This is to support operating systems where a change in the working directory (CWD) command is restricted.

Recursive
    Select this check box if you want the file pattern to search sub folders in the remote directory. By default, the check box is clear.
    The Recursive option is ignored if you configure SCP as the Service Type.

FTP File Pattern
    If you select SFTP or FTP as the Service Type, this option allows you to configure the regular expression (regex) required to filter the list of files specified in the Remote Directory. All matching files are included in the processing.
    The FTP file pattern you specify must match the name you assigned to your event files. For example, to collect files starting with zOS and ending with .gz, type the following:
    Use of this parameter requires knowledge of regular expressions (regex). For more information, see the following website: http://download.oracle.com/javase/tutorial/essential/regex/

FTP Transfer Mode
    This option only displays if you select FTP as the Service Type.
    From the list, select the transfer mode you want to apply to this log source:
    Binary - Select Binary for log sources that require binary data files or compressed zip, gzip, tar, or tar+gzip archive files.
    ASCII - Select ASCII for log sources that require an ASCII FTP file transfer.

SCP Remote File
    If you select SCP as the Service Type, you must type the file name of the remote file.

Start Time
    Type the time of day you want the processing to begin. For example, type 00:00 to schedule the Log File protocol to collect event files at midnight.
    This parameter functions with the Recurrence value to establish when and how often the Remote Directory is scanned for files. Type the start time, based on a 24 hour clock, in the following format: HH:MM.

Recurrence
    Type the frequency, beginning at the Start Time, that you want the remote directory to be scanned. Type this value in hours (H), minutes (M), or days (D).
    For example, type 2H if you want the remote directory to be scanned every 2 hours from the start time. The default is 1H.

Run On Save
    Select this check box if you want the log file protocol to run immediately after you click Save.
    After the Run On Save completes, the log file protocol follows your configured start time and recurrence schedule.
    Selecting Run On Save clears the list of previously processed files for the Ignore Previously Processed File parameter.

EPS Throttle
    Type the number of Events Per Second (EPS) that you do not want this protocol to exceed. The valid range is 100 to 5000.

Processor
    None.

Ignore Previously Processed File(s)
    Select this check box to track and ignore files that have already been processed by the log file protocol.
    QRadar examines the log files in the remote directory to determine if a file has been previously processed by the log file protocol. If a previously processed file is detected, the log file protocol does not download the file for processing. All files that have not been previously processed are downloaded.
    This option only applies to FTP and SFTP Service Types.

Change Local Directory?
    Select this check box to define a local directory on your QRadar system for storing downloaded files during processing.
    We recommend that you leave this check box clear.
    When this check box is selected, the Local Directory field is displayed, which allows you to configure the local directory to use for storing files.

Event Generator
    From the Event Generator list, select LineByLine.
    The Event Generator applies additional processing to the retrieved event files. Each line of the file is a single event. For example, if a file has 10 lines of text, 10 separate events are created.

9 Click Save.

10 On the Admin tab, click Deploy Changes.

The IBM RACF configuration is complete. If your IBM RACF requires custom event properties, see the IBM Security QRadar Custom Event Properties for IBM z/OS technical note.
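Four of the Table 39 settings (FTP File Pattern, Recursive, Ignore Previously Processed File(s) and the LineByLine Event Generator) together describe an algorithm, and the following Python is an added example that models it. It is not code from the guide or from QRadar, and the real protocol may differ in detail in how it matches names or records processed files; the remote listing and gzip contents are constructed and the file names are invented.

```python
"""Model the file selection and event generation of the Log File protocol as
Table 39 describes them: FTP File Pattern, Recursive, Ignore Previously
Processed File(s) and the LineByLine Event Generator.
Added example, not code from the guide or from QRadar; the remote listing
and file contents below are constructed and the names invented."""
import gzip
import re

# Constructed remote directory: path relative to Remote Directory -> contents
SAMPLE_FILES = {
    "zOS.20150701.gz": gzip.compress(b"RACF event 1\nRACF event 2\n"),
    "zOS.20150702.gz": gzip.compress(b"RACF event 3\n"),
    "archive/zOS.20150630.gz": gzip.compress(b"RACF event 0\n"),
    "README.txt": b"not an event file\n",
}


def select_files(listing, pattern: str, recursive: bool) -> list:
    """Apply the FTP File Pattern regex to a listing. Without Recursive, only
    files directly in the Remote Directory are candidates. The model matches
    the whole base name (fullmatch), so 'zOS.*\\.gz' does not also pick up
    'zOS.20150701.gz.bak'."""
    rx = re.compile(pattern)
    chosen = []
    for name in sorted(listing):
        if "/" in name and not recursive:
            continue
        if rx.fullmatch(name.rsplit("/", 1)[-1]):
            chosen.append(name)
    return chosen


def line_by_line(name: str, data: bytes) -> list:
    """LineByLine Event Generator: expand a gzip archive, then emit one event
    per non-empty line. Multi-line events are not reassembled, as the guide
    states."""
    if name.endswith(".gz"):
        data = gzip.decompress(data)
    return [ln for ln in data.decode("utf-8", errors="replace").splitlines() if ln.strip()]


class LogFilePoller:
    """One Log File protocol log source."""

    def __init__(self, pattern: str, recursive: bool = False, ignore_processed: bool = True):
        self.pattern = pattern
        self.recursive = recursive
        self.ignore_processed = ignore_processed
        # Names already fetched. Tracked by name only, so a file rewritten
        # under the same name is not re-read: date-stamp your file names.
        self.processed = set()

    def run_on_save(self) -> None:
        """Run On Save clears the previously processed list, as Table 39 notes."""
        self.processed.clear()

    def poll(self, remote: dict) -> list:
        """One scheduled scan of the remote directory; returns the new events."""
        events = []
        for name in select_files(remote, self.pattern, self.recursive):
            if self.ignore_processed and name in self.processed:
                continue
            events.extend(line_by_line(name, remote[name]))
            self.processed.add(name)
        return events


if __name__ == "__main__":
    poller = LogFilePoller(r"zOS.*\.gz")
    print(len(poller.poll(SAMPLE_FILES)), "events on the first poll")
    print(len(poller.poll(SAMPLE_FILES)), "events on the second poll")
```

The consequence for the RACF job below is that each daily output file needs a distinct name; a job that overwrites the same data set every night is seen by a name-based processed list as a file already collected.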


Integrate RACF with Extreme Security using audit scripts

The IBM Resource Access Control Facility (RACF) DSM for Extreme Security allows you to integrate with an IBM z/OS mainframe that uses IBM RACF for auditing transactions.

Extreme Security records all relevant and available information from the event.

Note: zSecure integration is the only integration that provides custom events to the log source. Custom events may be displayed even when you collect events by using the native QEXRACF integration.

To integrate the IBM RACF events into Extreme Security:

1 The mainframe system records all security events as System Management Facilities (SMF) records in a live repository.

2 At midnight, the RACF data is extracted from the live repository by using the SMF dump utility. The RACFICE utility IRRADU00 (an IBM utility) creates a log file that contains all of the events and fields from the previous day in an SMF record format.

3 The QEXRACF program pulls data from the SMF formatted file, as described above. The program pulls only the relevant events and fields for Extreme Security and writes that information in a condensed format for compatibility. The information is also saved in a location that is accessible by Extreme Security.

4 Extreme Security uses the Log File protocol source to pull the QEXRACF output file and retrieves the information on a scheduled basis. Extreme Security then imports and processes this file.

Configure IBM RACF to integrate with QRadar

You can integrate an IBM mainframe RACF with IBM Security QRadar:

1 From the IBM support website (http://www.ibm.com/support), download the following compressed file: qexracf_bundled.tar.gz

2 On a Linux-based operating system, extract the file: tar -zxvf qexracf_bundled.tar.gz

The following files are contained in the archive:
qexracf_jcl.txt
qexracfloadlib.trs
qexracf_trsmain_JCL.txt


3 Load the files onto the IBM mainframe by using any terminal emulator file transfer method.

Upload the qexracf_trsmain_JCL.txt and qexracf_jcl.txt files by using the TEXT protocol.

Upload the qexracfloadlib.trs file by using binary mode and append it to a pre-allocated data set. The qexracfloadlib.trs file is a tersed file that contains the executable (the mainframe program QEXRACF). When you upload the .trs file from a workstation, pre-allocate a file on the mainframe with the following DCB attributes: DSORG=PS, RECFM=FB, LRECL=1024, BLKSIZE=6144.

The file transfer type must be binary mode and not text.

4 Customize the qexracf_trsmain_JCL.txt file according to your installation-specific requirements.

The qexracf_trsmain_JCL.txt file uses the IBM utility TRSMAIN to uncompress the program that is stored in the qexracfloadlib.trs file.

An example of the qexracf_trsmain_JCL.txt file:

//TRSMAIN  JOB (yourvalidjobcard),Q1labs,
//             MSGCLASS=V
//DEL      EXEC PGM=IEFBR14
//D1       DD   DISP=(MOD,DELETE),DSN=<yourhlq>.QEXRACF.TRS,
//             UNIT=SYSDA,
//             SPACE=(CYL,(10,10))
//TRSMAIN  EXEC PGM=TRSMAIN,PARM='UNPACK'
//SYSPRINT DD   SYSOUT=*,DCB=(LRECL=133,BLKSIZE=12901,RECFM=FBA)
//INFILE   DD   DISP=SHR,DSN=<yourhlq>.QEXRACF.TRS
//OUTFILE  DD   DISP=(NEW,CATLG,DELETE),
//             DSN=<yourhlq>.LOAD,
//             SPACE=(CYL,(10,10,5),RLSE),UNIT=SYSDA
//

You must update the file with your installation-specific information for parameters such as the job card, data set naming conventions, output destinations, retention periods, and space requirements.

The .trs input file is an IBM TERSE formatted library and is extracted by running the JCL, which calls TRSMAIN. This tersed file, when extracted, creates a PDS link library with the QEXRACF program as a member.

5 You can STEPLIB to this library or move the program to one of the LINKLIBs that are in the LINKLST. The program does not require authorization.

6 After uploading, copy the program to an existing link listed library or add a STEPLIB DD statement with the correct data set name of the library that contains the program.


7 The qexracf_jcl.txt file is a text file that contains a sample JCL deck with the JCL needed to run the IBM IRRADU00 utility. This allows QRadar to obtain the necessary IBM RACF events. Configure the job card to meet your local standards.

An example of the qexracf_jcl.txt file:

//QEXRACF  JOB (<your valid jobcard>),Q1LABS,
//             MSGCLASS=P,
//             REGION=0M
//*
//*QEXRACF JCL version 1.0 April 2009
//*
//*************************************************************
//* Change below dataset names to sites specific datasets names *
//*************************************************************
//SET1     SET  SMFOUT='<your hlq>.CUSTNAME.IRRADU00.OUTPUT',
//             SMFIN='<your SMF dump output dataset>',
//             QRACFOUT='<your hlq>.QEXRACF.OUTPUT'
//*************************************************************
//* Delete old datasets                                       *
//*************************************************************
//DEL      EXEC PGM=IEFBR14
//DD2      DD   DISP=(MOD,DELETE),DSN=&QRACFOUT,
//             UNIT=SYSDA,
//             SPACE=(TRK,(1,1)),
//             DCB=(RECFM=FB,LRECL=80)
//*************************************************************
//* Allocate new dataset                                      *
//*************************************************************
//ALLOC    EXEC PGM=IEFBR14
//DD1      DD   DISP=(NEW,CATLG),DSN=&QRACFOUT,
//             SPACE=(CYL,(1,10)),UNIT=SYSDA,
//             DCB=(RECFM=VB,LRECL=1028,BLKSIZE=6144)
//*************************************************************
//* Execute IBM IRRADU00 utility to extract RACF smf records  *
//*************************************************************
//IRRADU00 EXEC PGM=IFASMFDP
//SYSPRINT DD   SYSOUT=*
//ADUPRINT DD   SYSOUT=*
//OUTDD    DD   DSN=&SMFOUT,SPACE=(CYL,(100,100)),DISP=(,CATLG),
//             DCB=(RECFM=FB,LRECL=8192,BLKSIZE=40960),
//             UNIT=SYSALLDA
//SMFDATA  DD   DISP=SHR,DSN=&SMFIN
//SMFOUT   DD   DUMMY
//SYSIN    DD   *
     INDD(SMFDATA,OPTIONS(DUMP))
     OUTDD(SMFOUT,TYPE(30:83))
     ABEND(NORETRY)
     USER2(IRRADU00)
     USER3(IRRADU86)
/*
//EXTRACT  EXEC PGM=QEXRACF,DYNAMNBR=10,
//             TIME=1440
//*STEPLIB DD DISP=SHR,DSN=<the loadlib containing the QEXRACF program if not in LINKLST>
//SYSTSIN  DD   DUMMY
//SYSTSPRT DD   SYSOUT=*
//SYSPRINT DD   SYSOUT=*
//RACIN    DD   DISP=SHR,DSN=&SMFOUT
//RACOUT   DD   DISP=SHR,DSN=&QRACFOUT
//
//*************************************************************
//* FTP Output file from C program (Qexracf) to an FTP server *
//* QRadar will go to that FTP Server to get file             *
//* Note you need to replace <user>, <password>,<serveripaddr>*
//* <THEIPOFTHEMAINFRAMEDEVICE> and <QEXRACFOUTDSN>           *
//*************************************************************
//*FTP     EXEC PGM=FTP,REGION=3800K
//*INPUT   DD *
//*<FTPSERVERIPADDR>
//*<USER>
//*<PASSWORD>
//*ASCII
//*PUT '<QEXRACFOUTDSN>' /<THEIPOFTHEMAINFRAMEDEVICE>/<QEXRACFOUTDSN>
//*QUIT
//*OUTPUT  DD SYSOUT=*
//*SYSPRINT DD SYSOUT=*
//*
//*


8 After the output file is created, send it to an FTP server so that QRadar can retrieve it. The commented FTP step at the end of the sample JCL does this each time the job runs. If the z/OS image is configured to serve files through FTP or SFTP, or to allow SCP, no interim server is required and QRadar can pull the files directly from the mainframe. If an interim FTP server is needed, QRadar requires a unique IP address for each IBM RACF log source; otherwise the files of several systems are joined as one log source. Note that plain FTP transmits the user ID, password, and event data in clear text, so prefer SFTP or SCP where the z/OS image supports them, and use an SSH key file rather than a password in the log source.

27 IBM® Privileged Session Recorder

Configuring IBM Privileged Session Recorder to communicate with Extreme Security

The Extreme Networks Security Analytics DSM for IBM® Privileged Session Recorder can collect event logs from your Privileged Session Recorder device.

The following table lists the specifications for the Privileged Session Recorder DSM.

Table 40: Privileged Session Recorder specifications

Specification                           Value
Manufacturer                            IBM®
DSM name                                Privileged Session Recorder
RPM filename                            DSM-IBMPrivilegedSessionRecorder
Protocol                                JDBC
Extreme Security recorded event types   Command Execution Audit Events
Automatically discovered?               No
Includes identity?                      No
More information                        IBM® website (http://www.ibm.com/)

To collect Privileged Session Recorder events, use the following procedures:

1 If automatic updates are not enabled, download and install the following RPMs on your Extreme Security Console:
• Protocol-JDBC RPM
• IBM® Privileged Session Recorder DSM RPM

2 On the IBM Security Privileged Identity Manager dashboard, obtain the database information for the Privileged Session Recorder data store and configure your IBM Privileged Session Recorder DB2 database to allow incoming TCP connections.

3 For each instance of IBM® Privileged Session Recorder, create an IBM® Privileged Session Recorder log source on the Extreme Security Console. Use the following table to define the IBM Privileged Session Recorder parameters:

Table 41: IBM Privileged Session Recorder log source parameters

Parameter                 Description
Log Source Type           IBM Privileged Session Recorder
Protocol Configuration    JDBC
Log Source Identifier     DATABASE@HOSTNAME
Database Type             DB2
Database Name             The Session Recorder data store name that you configured on the IBM Privileged Identity Manager dashboard.
IP or Hostname            The Session Recorder database server address.
Port                      The port that is specified on the IBM Privileged Identity Manager dashboard.
Username                  The DB2 database user name.
Password                  The DB2 database password.
Predefined Query          IBM Privileged Session Recorder
Use Prepared Statements   This option must be selected.
Start Date and Time       The initial date and time for the JDBC retrieval.

Related Links

Adding a single DSM on page 13

Configuring IBM Privileged Session Recorder to communicate with Extreme Security on page 91

Adding a log source on page 14
If a log source is not automatically discovered, you can manually add a log source to receive events from your network devices or appliances.

Configuring IBM Privileged Session Recorder to communicate with Extreme Security

Before you can configure a log source in Extreme Networks Security Analytics for IBM Privileged Session Recorder, obtain the database information for the Privileged Session Recorder data store. You must also configure your IBM Privileged Session Recorder DB2 database to allow incoming TCP connections from Extreme Security.

IBM Privileged Session Recorder is a component of IBM Security Privileged Identity Manager.

1 Log in to the IBM Security Privileged Identity Manager web user interface.

2 Select the Configure Privileged Identity Manager tab.

3 Select Database Server Configuration in the Manage External Entities section.

4 In the table, double-click the Session Recording data store row in the Database Server Configuration column.

5 Record the following parameters to use when you configure a log source in Extreme Security:

IBM Privileged Session Recorder field   Extreme Security log source field
Hostname                                IP or Hostname
Port                                    Port
Database name                           Database Name
Database administrator ID               Username

28 IBM® Security Network IPS

Configuring your Security Network IPS appliance for communication with Extreme Security
Configuring an IBM Security Network IPS log source in Extreme Security

The IBM® Security Network IPS DSM for Extreme Security collects LEEF-based events from IBM® Security Network IPS appliances by using the syslog protocol.

The following table identifies the specifications for the IBM® Security Network IPS DSM:

Parameter                          Value
Manufacturer                       IBM®
DSM                                Security Network IPS
RPM file name                      DSM-IBMSecurityNetworkIPS-QRadar_version-Build_number.noarch.rpm
Supported versions                 v4.6 and later (UDP); v4.6.2 and later (TCP)
Protocol                           syslog (LEEF)
Extreme Security recorded events   Security alerts (including IPS and SNORT); Health alerts; System alerts; IPS events (including security, connection, user defined, and OpenSignature policy events)
Automatically discovered?          Yes
Includes identity?                 No

To integrate the IBM ® Security Network IPS appliance with Extreme Security, use the following steps:

1 If automatic updates are not enabled, download and install the most recent version of the IBM ®

Security Network IPS RPMs on your Extreme Security Console.

2 For each instance of IBM ® Security Network IPS, configure your IBM ® Security Network IPS appliance to enable communication with Extreme Security.

3 If Extreme Security does not automatically discover the log source, create a log source for each instance of IBM ® Security Network IPS on your network.

Related Links

Adding a single DSM on page 13

Adding a log source on page 14

If a log source is not automatically discovered, you can manually add a log source to receive events from your network devices or appliances.

Configuring your Security Network IPS appliance for communication with Extreme Security

To collect events with Extreme Security, you must configure your Security Network IPS appliance to enable syslog forwarding of LEEF events.

Ensure that no firewall rules block the communication between your Security Network IPS appliance and Extreme Security.

1 Log in to your IPS Local Management Interface.

2 From the navigation menu, select Manage System Settings > Appliance > LEEF Log Forwarding.

3 Select the Enable Local Log check box.

4 In the Maximum File Size field, configure the maximum file size for your LEEF log file.

5 From the Remote Syslog Servers pane, select the Enable check box.

6 In the Syslog Server IP/Host field, type the IP address of your Extreme Security Console or Event Collector.

7 In the TCP Port field, type 514 as the port for forwarding LEEF log events.

Note

If you use v4.6.1 or earlier, use the UDP Port field.

8 From the event type list, enable any event types that are forwarded to Extreme Security.

9 If you use a TCP port, configure the crm.leef.fullavp tuning parameter:

a From the navigation menu, select Manage System Settings > Appliance > Tuning Parameters.

b Click Add Tuning Parameters.

c In the Name field, type crm.leef.fullavp.

d In the Value field, type true.

e Click OK.

Configuring an IBM Security Network IPS log source in Extreme Security

Extreme Security automatically discovers and creates a log source for syslog events from IBM Security Network IPS appliances. However, you can manually create a log source for Extreme Security to receive syslog events.

1 Click the Admin tab.

2 Click the Log Sources icon.

3 Click Add.

4 In the Log Source Name field, type a name for your log source.

5 From the Log Source Type list, select IBM Security Network IPS (GX).

6 Using the Protocol Configuration list, select Syslog.

7 Configure the parameters:

Parameter  Description

Log Source Identifier  The IP address or host name for the log source as an identifier for events from your IBM Security Network IPS appliance.

Credibility  The credibility indicates the integrity of an event or offense as determined by the credibility rating from the source devices. Credibility increases if multiple sources report the same event.

Coalescing Events  Enables the log source to coalesce (bundle) events.

Incoming Event Payload  The incoming payload encoder for parsing and storing the logs.

8 Click Save.

9 On the Admin tab, click Deploy Changes.

29 IBM SmartCloud Orchestrator

Installing IBM SmartCloud Orchestrator

Configuring an IBM SmartCloud Orchestrator log source in QRadar

The Extreme Networks Security Analytics DSM for IBM SmartCloud Orchestrator collects audit logs from the SmartCloud Orchestrator system.

The following table identifies specifications for the IBM SmartCloud Orchestrator DSM.

Table 42: IBM SmartCloud Orchestrator specifications

Specification  Value

Manufacturer  IBM

DSM name  SmartCloud Orchestrator

RPM file name  DSM-IBMSmartCloudOrchestrator-Qradar_version-build_number.noarch.rpm

Supported versions  V2.3 FP1 and later

Protocol type  IBM SmartCloud Orchestrator REST API

Extreme Security recorded event types  Audit Records

Log source type in the Extreme Security UI  IBM SmartCloud Orchestrator

Automatically discovered?  No

Includes identity?  Yes

Includes custom properties?  No

More information  http://ibm.com

To integrate IBM SmartCloud Orchestrator with QRadar, complete the following steps:

1 If automatic updates are not enabled, download and install the most recent version of the following RPMs on your QRadar Console:

• IBM SmartCloud Orchestrator RPM

• IBM SmartCloud Orchestrator RESTAPI protocol RPM

2 Create an IBM SmartCloud Orchestrator log source on the QRadar Console. Use the following values for the SmartCloud-specific parameters:

Parameter  Description

Log Source Type  IBM SmartCloud Orchestrator

Protocol Configuration  IBM SmartCloud Orchestrator REST API

IP or Hostname  The IP address or server name of the SmartCloud Orchestrator.

No action is required on the IBM SmartCloud Orchestrator system. After you create the log source, Extreme Security starts collecting logs from IBM SmartCloud Orchestrator.

Related Links

Adding a single DSM on page 13

Adding a log source on page 14

If a log source is not automatically discovered, you can manually add a log source to receive events from your network devices or appliances.

Installing IBM SmartCloud Orchestrator

Integrate SmartCloud Orchestrator with Extreme Networks Security Analytics

1 Download and install the latest DSMCommon RPM on your QRadar Console. If automatic updates are configured to install DSM updates, this step is not necessary.

2 Download and install the latest IBM SmartCloud Orchestrator RESTAPI Protocol RPM on to your QRadar Console.

3 Download and install the latest IBM SmartCloud Orchestrator RPM on your QRadar Console. If automatic updates are configured to install DSM updates, this step is not necessary.

Configuring an IBM SmartCloud Orchestrator log source in QRadar

To enable IBM SmartCloud Orchestrator integration with Extreme Networks Security Analytics, add a log source.

1 Log in to QRadar.

2 Select the Admin tab.

3 On the navigation menu, click Data Sources.

4 Click the Log Sources icon and then click Add.

5 From the Log Source Type list, select IBM SmartCloud Orchestrator.

6 From the Protocol Configuration list, select IBM SmartCloud Orchestrator REST API.

7 Configure the parameters:

Option  Description

IP or Hostname  The IP address or server name of the SmartCloud Orchestrator.

Username  The user name of the SmartCloud Orchestrator console user.

Password  The password of the SmartCloud Orchestrator console user.

Confirm Password  This option confirms that the password was entered correctly.

EPS Throttle  The maximum number of events per second for this log source (default 5000).

Recurrence  How often this log source attempts to obtain data. Can be in Minutes, Hours, Days (default 5 minutes).

30 IBM Tivoli Endpoint Manager

The Extreme Networks Security Analytics DSM for IBM Tivoli Endpoint Manager retrieves system events in Log Extended Event Format (LEEF). Extreme Security uses the IBM Tivoli Endpoint Manager SOAP protocol to retrieve events in 30-second intervals.

The following table lists the specifications for the IBM Tivoli Endpoint Manager DSM:

Table 43: IBM Tivoli Endpoint Manager specifications

Specification  Value

Manufacturer  IBM

DSM name  IBM Tivoli Endpoint Manager

RPM file name  DSM-IBMTivoliEndpointManager-Qradar_version-build_number.noarch.rpm

Supported versions  8.2.x and later. Use the most current version that is available.

Protocol  SOAP

Recorded event types  System events

Automatically discovered?  No

Includes identity?  Yes

Includes custom properties?  No

More information  IBM website (http://www.ibm.com)

To collect events from IBM Tivoli Endpoint Manager, complete the following steps:

1 If automatic updates are not enabled, download and install the most recent version of the IBM Tivoli Endpoint Manager RPM on your Extreme Security Console.

2 Configure your Tivoli Endpoint Manager server to communicate with Extreme Security:

a Install the Web Reports application on the Tivoli Endpoint Manager server.

b Create a user account that Extreme Security can use to access the Relevance database in the Web Reports application.

Note

For more information, see your IBM Tivoli Endpoint Manager documentation.

3 Create a log source on the Extreme Security Console. Use the following table to help you configure the parameters that are specific to IBM Tivoli Endpoint Manager:

Table 44: IBM Tivoli Endpoint Manager log source parameters

Parameter  Description

Log Source Type  IBM Tivoli Endpoint Manager

Protocol Configuration  IBM Tivoli Endpoint Manager SOAP

Port  Use Port 80. If you use HTTPS, use port 443.

Use HTTPS  If certificates are required, copy them to the /opt/qradar/conf/trusted_certificates directory on your Extreme Security Console or Event Collector. Extreme Security supports certificates that have the following file extensions: .crt, .cert, or .der.

Username  The user account must have access to the Relevance database in the Web Reports application.

Related Links

Adding a single DSM on page 13

Adding a log source on page 14

If a log source is not automatically discovered, you can manually add a log source to receive events from your network devices or appliances.

31 IBM Security Trusteer Apex Advanced Malware Protection

Configuring IBM Security Trusteer Apex Advanced Malware Protection to send syslog events to Extreme Security

Configuring a Flat File Feed service

The IBM Security Trusteer Apex Advanced Malware Protection DSM collects event data from a Trusteer Apex Advanced Malware Protection system.

Extreme Networks Security Analytics can collect either:

• Syslog events directly from the Trusteer Apex Advanced Malware Protection system.

• Log files from an intermediary server that hosts flat feed files from the Trusteer Apex Advanced Malware Protection system.

The following table lists the specifications for the IBM Security Trusteer Apex Advanced Malware Protection DSM:

Table 45: IBM Security Trusteer Apex Advanced Malware Protection DSM specifications

Specification  Value

Manufacturer  IBM

DSM name  IBM Security Trusteer Apex Advanced Malware Protection

RPM file name  DSM-TrusteerApex-Qradar_version-build_number.noarch.rpm

Supported versions  Apex Local Manager V2.0.34 and later for the syslog/LEEF event collection. The LEEF version is ver_1303.1 and later. V1 and later for Flat File Feed.

Protocol  Syslog/LEEF; Log File

Recorded event types  Malware Detection; Exploit Detection; Data Exfiltration Detection; Lockdown for Java Event; File Inspection Event; Apex Stopped Event; Apex Uninstalled Event; Policy Changed Event; ASLR Violation Event; ASLR Enforcement Event; Password Protection Event

Automatically discovered?  Yes

Includes identity?  No

Includes custom properties?  No

More information  IBM Security Trusteer Apex Advanced Malware Protection website (http://www-03.ibm.com/software/products/en/trusteer-apex-adv-malware)

To configure IBM Security Trusteer Apex Advanced Malware Protection event collection, complete the following steps:

1 If automatic updates are not enabled, download and install the most recent version of the following RPMs on your Extreme Security Console:

• DSMCommon RPM

• Log File Protocol RPM

• IBM Security Trusteer Apex Advanced Malware Protection DSM RPM

2 Choose one of the following options:

• To send syslog events to Extreme Security, see Configuring IBM Security Trusteer Apex Advanced Malware Protection to send syslog events to Extreme Security on page 102.

• To collect log files from IBM Security Trusteer Apex Advanced Malware Protection through an intermediary server, see Configuring a Flat File Feed service on page 102.

3 If Extreme Security does not automatically discover the log source, add an IBM Security Trusteer Apex Advanced Malware Protection log source on the Extreme Security Console.

The following table describes the parameters that require specific values for IBM Security Trusteer Apex Advanced Malware Protection syslog event collection:

Table 46: IBM Security Trusteer Apex Advanced Malware Protection log source parameters for syslog

Parameter  Value

Log Source type  IBM Security Trusteer Apex Advanced Malware Protection

Protocol Configuration  Syslog

Log Source Identifier  The IP address or host name from the syslog header. If the syslog header does not contain an IP address or host name, use the packet IP address.

The following table describes the parameters that require specific values for IBM Security Trusteer Apex Advanced Malware Protection Log File collection:

Table 47: IBM Security Trusteer Apex Advanced Malware Protection log source parameters for Log File Protocol

Parameter  Value

Log Source type  IBM Security Trusteer Apex Advanced Malware Protection

Protocol Configuration  Log File

Log Source Identifier  The IP address or host name of the server that hosts the flat feed files.

Service Type  SFTP

Remote IP or Hostname  The IP address or host name of the server that hosts the flat feed files.

Remote Port  22

Remote User  The user name that you created for Extreme Security on the server that hosts the flat feed files.

SSH Key File  If you use a password, you can leave this field blank.

Remote Directory  The log file directory where the flat feed files are stored.

Recursive  Do not select this option.

FTP File Pattern  "trusteer_feeds_.*?_[0-9]{8}_[0-9]*?\.csv"

Start Time  The time that you want your log file protocol to start log file collection.

Recurrence  The polling interval for log file retrieval.

Run On Save  Must be enabled.

Processor  None

Ignore Previously Processed Files  Must be enabled.

Event Generator  LINEBYLINE

File Encoding  UTF-8

Related Links

Adding a single DSM on page 13

Configuring IBM Security Trusteer Apex Advanced Malware Protection to send syslog events to Extreme Security on page 102

Configure IBM Security Trusteer Apex Advanced Malware Protection to send syslog events to Extreme Networks Security Analytics.

Configuring a Flat File Feed service on page 102

Adding a log source on page 14

If a log source is not automatically discovered, you can manually add a log source to receive events from your network devices or appliances.

Configuring IBM Security Trusteer Apex Advanced Malware Protection to send syslog events to Extreme Security

Configure IBM Security Trusteer Apex Advanced Malware Protection to send syslog events to Extreme Networks Security Analytics.

Install an Apex Local Manager on your Trusteer Management Application (TMA).

For more information about configuring your IBM Security Trusteer Apex Advanced Malware Protection to communicate with Extreme Security, use the following documentation from the Extreme Networks Knowledge Center:

• IBM Security Trusteer Apex Advanced Malware Protection Local Manager - Hybrid Solution Reference Guide

• IBM Security Trusteer Apex Advanced Malware Protection Feeds Reference Guide

SSL/TLS authentication is not supported.

1 Log in to Trusteer Management Application (TMA).

2 Select Apex Local Manager & SIEM Settings.

3 Optional: If the Apex Local Manager wizard does not automatically display, click Add.

4 Type the name of the Apex Local Manager.

5 Check the Enable box and click Next.

6 Type the server settings for Extreme Security and click Next.

7 Optional: If you use a separate syslog server for the Apex Local Manager system events, type the settings.

8 Click Finish.

Configuring a Flat File Feed service

For Extreme Networks Security Analytics to retrieve log files from IBM Security Trusteer Apex Advanced Malware Protection, you must set up a flat file feed service on an intermediary SFTP-enabled server. The service enables the intermediary server to host the flat files that it receives from IBM Security Trusteer Apex Advanced Malware Protection and allows for connections from external devices so that Extreme Security can retrieve the log files.

To configure IBM Security Trusteer Apex Advanced Malware Protection to send flat file feeds to the intermediary server, contact IBM Trusteer support.

Flat File Feeds use a CSV format. Each feed item is written to the file on a separate line, which contains several comma-separated fields. Each field contains data that describes the feed item. The first field in each feed line contains the feed type.

1 Enable an SFTP-enabled server and ensure that external devices can reach it.

2 Log on to the SFTP-enabled server.

3 Create a user account on the server for IBM Security Trusteer Apex Advanced Malware Protection.

4 Create a user account for Extreme Security.

5 Optional: Enable SSH key-based authentication.

After you set up the intermediary server, record the following details:

• Target SFTP server name and IP addresses

• SFTP server port (standard port is 22)

• The file path for the target directory

• SFTP user name if SSH authentication is not configured

• Upload frequency (from 1 minute to 24 hours)

• SSH public key in RSA format

IBM Trusteer support uses the intermediary server details when they configure IBM Security Trusteer Apex Advanced Malware Protection to send flat feed files.
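As an added example (not part of this guide, the collector, or the Trusteer product), the following Python script shows what the Log File protocol settings in Table 47 amount to on the collector side: it selects files matching the FTP File Pattern, skips files recorded as already processed (Ignore Previously Processed Files), decodes each file as UTF-8 (File Encoding) and reads it line by line (Event Generator LINEBYLINE), taking the first CSV field as the feed type. The file names and feed contents are constructed placeholders; the real feed field layout is documented only in the Trusteer Feeds Reference Guide, and matching the pattern against the whole file name is an assumption.

```python
import csv
import io
import re
from collections import Counter

# FTP File Pattern from Table 47 (Log File protocol, SFTP service). Applying it as a
# full-filename match is an assumption about how the collector uses the pattern.
FEED_FILE_PATTERN = re.compile(r"trusteer_feeds_.*?_[0-9]{8}_[0-9]*?\.csv")

# File Encoding from Table 47.
FEED_ENCODING = "utf-8"


def select_feed_files(listing, already_processed=()):
    """Return the files in a remote directory listing that the collector would fetch.

    Files that do not match the FTP File Pattern (for example, an upload still in
    progress named *.csv.tmp) are ignored, as are files recorded as already processed
    (the Ignore Previously Processed Files setting).
    """
    processed = set(already_processed)
    return [
        name
        for name in listing
        if FEED_FILE_PATTERN.fullmatch(name) and name not in processed
    ]


def parse_feed_file(raw_bytes):
    """Split one flat feed file into events, one per line (LINEBYLINE).

    Each line is a CSV record whose first field is the feed type and whose remaining
    fields describe the feed item. Blank lines produce no event. A file that is not
    valid UTF-8 is rejected as a whole rather than turned into garbled events.
    """
    try:
        text = raw_bytes.decode(FEED_ENCODING)
    except UnicodeDecodeError as exc:
        raise ValueError("feed file is not valid %s: %s" % (FEED_ENCODING, exc))

    events = []
    for line_no, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row:  # csv.reader yields [] for a blank line
            continue
        events.append({"line": line_no, "feed_type": row[0], "fields": row[1:]})
    return events


def count_by_feed_type(events):
    """Summarise a parsed feed as {feed_type: number of events}."""
    return dict(Counter(event["feed_type"] for event in events))


# Constructed sample listing and file contents; the feed types, timestamps and host
# names are placeholders, not real Trusteer data.
SAMPLE_LISTING = [
    "trusteer_feeds_acme_20150701_1.csv",
    "trusteer_feeds_acme_20150701_2.csv.tmp",  # upload in progress, not collected
    "trusteer_feeds_acme_2015070_3.csv",       # date field is not 8 digits
    "readme.txt",
]

SAMPLE_FEED = (
    'malware_detection,2015-07-01T10:15:00Z,WS-1234,"Suspicious file, quarantined"\n'
    "exploit_detection,2015-07-01T10:16:30Z,WS-5678,Java\n"
    "\n"
    "malware_detection,2015-07-01T10:20:00Z,WS-9012,Blocked\n"
).encode(FEED_ENCODING)


if __name__ == "__main__":
    to_fetch = select_feed_files(SAMPLE_LISTING)
    print("files to collect:", to_fetch)
    events = parse_feed_file(SAMPLE_FEED)
    for event in events:
        print(event)
    print("events by feed type:", count_by_feed_type(events))
```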

32 IBM WebSphere DataPower

Configuring IBM WebSphere DataPower to communicate with Extreme Security

The Extreme Networks Security Analytics DSM for IBM WebSphere DataPower collects event logs from your IBM WebSphere DataPower system.

The following table identifies the specifications for the IBM WebSphere DataPower DSM.

Table 48: IBM WebSphere DataPower DSM specifications

Specification  Value

Manufacturer  IBM

DSM Name  WebSphere DataPower

RPM file name  DSM-IBMWebSphereDataPower-Qradar_version-build_number.noarch.rpm

Supported versions  Firmware V6 and V7

Protocol  Syslog

Extreme Security recorded event types  All Events

Log source type in Extreme Security UI  IBM WebSphere DataPower

Auto discovered?  Yes

Includes identity?  No

Includes custom properties?  No

For more information  IBM web page (http://www.ibm.com/)

To send events from IBM WebSphere DataPower to Extreme Security, complete the following steps:

1 If automatic updates are not enabled, download and install the most recent version of the IBM WebSphere DataPower DSM on your Extreme Security Console.

2 For each instance of IBM WebSphere DataPower, configure the IBM WebSphere DataPower system to communicate with Extreme Security.

3 If Extreme Security does not automatically discover IBM WebSphere DataPower, create a log source for each instance of IBM WebSphere DataPower on the Extreme Security Console. Use the following IBM WebSphere DataPower specific values:

Parameter  Value

Log Source Type  IBM WebSphere DataPower

Protocol Configuration  Syslog

Related Links

Adding a single DSM on page 13

Configuring IBM WebSphere DataPower to communicate with Extreme Security on page 105

To collect IBM WebSphere DataPower events, configure your third-party system to send events to Extreme Networks Security Analytics.

Adding a log source on page 14

If a log source is not automatically discovered, you can manually add a log source to receive events from your network devices or appliances.

Configuring IBM WebSphere DataPower to communicate with Extreme Security

To collect IBM WebSphere DataPower events, configure your third-party system to send events to Extreme Networks Security Analytics.

Review the DataPower logging documents to determine which logging configuration changes are appropriate for your deployment. See IBM Knowledge Center (http://www-01.ibm.com/support/knowledgecenter/SS9H2Y_7.0.0/com.ibm.dp.xi.doc/logtarget_logs.html?lang=en).

1 Log in to your IBM WebSphere DataPower system.

2 In the search box on the left navigation menu, type Log Target.

3 Select the matching result.

4 Click Add.

5 In the Main tab, type a name for the log target.

6 From the Target Type list, select syslog.

7 In the Local Identifier field, type an identifier to be displayed in the Syslog event payloads parameter on the Extreme Security user interface.

8 In the Remote Host field, type the IP address or host name of your Extreme Security Console or Event Collector.

9 In the Remote Port field, type 514.

10 Under Event Subscriptions, add a base logging configuration with the following parameters:

Parameter  Value

Event Category  all

Minimum Event Priority  warning

Important

To prevent a decrease in system performance, do not use more than one word for the Minimum Event Priority parameter.

11 Apply the changes to the log target.

12 Review and save the configuration changes.

33 Kaspersky Security Center

Creating a database view for Kaspersky Security Center for JDBC event collection

Exporting syslog to Extreme Security from Kaspersky Security Center

The Extreme Networks Security Analytics DSM for Kaspersky Security Center can retrieve events directly from a database on your Kaspersky Security Center appliance or receive events from the appliance by using syslog.

The following table identifies the specifications for the Kaspersky Security Center DSM:

Table 49: Kaspersky Security Center DSM specifications

Specification  Value

Manufacturer  Kaspersky

DSM name  Kaspersky Security Center

RPM file name  DSM-KasperskySecurityCenter-Qradar_version-build_number.noarch.rpm

Protocol  JDBC: Versions 9.2-10.1; Syslog LEEF: Version 10.1 and later

Recorded event types  Antivirus; Server; Audit

Automatically discovered?  No, if you use the JDBC protocol. Yes, if you use the syslog protocol.

Includes identity?  Yes

Includes custom properties?  No

More information  Kaspersky website (http://www.kaspersky.com)

To send Kaspersky Security Center events to Extreme Security, complete the following steps:

1 If automatic updates are not enabled, download and install the most recent version of the following RPMs on your Extreme Security Console:

• DSMCommon RPM

• Kaspersky Security Center DSM

2 Choose one of the following options:

• If you use syslog, configure your Kaspersky Security Center to forward events to Extreme Security.

• If you use the JDBC protocol, create a database view on your Kaspersky Security Center device.

3 Create a Kaspersky Security Center log source on the Extreme Security Console. Configure all required parameters, and use the following tables to configure the specific values that are required for Kaspersky Security Center event collection.

• If you use syslog, configure the following parameters:

Table 50: Kaspersky Security Center syslog log source parameters

Parameter  Value

Log Source type  Kaspersky Security Center

Protocol Configuration  Syslog

• If you use JDBC, configure the following parameters:

Table 51: Kaspersky Security Center JDBC log source parameters

Parameter  Value

Log Source type  Kaspersky Security Center

Protocol Configuration  JDBC

Log Source Identifier  Use the following format: <Kaspersky_Database>@<Server_Address>, where <Server_Address> is the IP address or host name of the Kaspersky database server.

Database Type  MSDE

Database Name  KAV

IP or Hostname  The IP address or host name of the SQL server that hosts the Kaspersky Security Center database.

Port  The default port for MSDE is 1433. You must enable and verify that you can communicate by using the port you specified in the Port field. The JDBC configuration port must match the listener port of the Kaspersky database. To be able to communicate with Extreme Security, the Kaspersky database must have incoming TCP connections enabled. If you define a database instance that uses MSDE as the database type, you must leave the Port parameter blank in your configuration.

Table Name  dbo.events

For more information about the JDBC protocol parameters, see the Extreme Networks Security Managing Log Sources Guide.

Related Links

Adding a single DSM on page 13

Exporting syslog to Extreme Security from Kaspersky Security Center on page 109

Configure Kaspersky Security Center to forward syslog events to your Extreme Networks Security Analytics Console or Event Collector.

Creating a database view for Kaspersky Security Center for JDBC event collection on page 108

To use the JDBC protocol to collect audit event data, you must create a database view on your Kaspersky server that Extreme Networks Security Analytics can access.

Adding a log source on page 14

If a log source is not automatically discovered, you can manually add a log source to receive events from your network devices or appliances.

Creating a database view for Kaspersky Security Center for JDBC event collection

To collect audit event data, you must create a database view on your Kaspersky server that is accessible to Extreme Security.

Create a Kaspersky Security Center user for Extreme Security who can poll the database for events.

Ensure that Extreme Security can poll the database for events on TCP port 1433 or the port that is configured for your log source. Protocol connections are often disabled on databases by default and extra configuration steps might be required to allow connections for event polling. Configure any firewalls that are located between Kaspersky Security Center and Extreme Security to allow traffic for event polling.

1 Download the klsql2.zip file from the Kaspersky Labs (http://support.kaspersky.com/9284) website.

2 Copy the klsql2.zip file to your Kaspersky Security Center Administration Server.

3 Extract the klsql2.zip file to a directory.

4 In any text editor, edit the src.sql file to clear the contents.

5 Type the following statement to create the database view:

Tip

If you copy and paste this statement, ensure that you remove any line breaks from your pasted text.

create view dbo.events as select e.nId, e.strEventType as 'EventId', e.wstrDescription as 'EventDesc', e.tmRiseTime as 'DeviceTime', h.nIp as 'SourceInt', e.wstrPar1, e.wstrPar2, e.wstrPar3, e.wstrPar4, e.wstrPar5, e.wstrPar6, e.wstrPar7, e.wstrPar8, e.wstrPar9 from dbo.v_akpub_ev_event e, dbo.v_akpub_host h where e.strHostname = h.strName;

6 Save the src.sql file.

7 Go to the directory that contains the klsql2 files.

8 To create the database view on your Kaspersky Security Center appliance, type the following command: klsql2 -i src.sql -o result.xml

The database view is named dbo.events. You will use this value when you configure a Kaspersky Security Center log source in Extreme Security.

Related Links

Adding a log source on page 14

If a log source is not automatically discovered, you can manually add a log source to receive events from your network devices or appliances.

Exporting syslog to Extreme Security from Kaspersky Security Center

Configure Kaspersky Security Center to forward syslog events to your Extreme Networks Security Analytics Console or Event Collector.

Kaspersky Security Center can forward events that are registered on the Administration Server, Administration Console, and Network Agent appliances.

1 Log in to Kaspersky Security Center.

2 In the console tree, expand the Reports and notifications folder.

3 Right-click Events and select Properties.

4 In the Exporting events pane, select the Automatically export events to SIEM system database check box.

5 In the SIEM system list, select QRadar.

6 Type the IP address and port for the Extreme Security Console or Event Collector.

7 Optional: To forward historical data to Extreme Security, click Export archive to export historical data.

8 Click OK.

34 Kisco Information Systems SafeNet/i

Configuring Kisco Information Systems SafeNet/i to communicate with Extreme Security

The Extreme Networks Security Analytics DSM for Kisco Information Systems SafeNet/i collects event logs from IBM iSeries systems.

The following table identifies the specifications for the Kisco Information Systems SafeNet/i DSM:

Table 52: Kisco Information Systems SafeNet/i DSM specifications

Specification  Value

Manufacturer  Kisco Information Systems

DSM name  Kisco Information Systems SafeNet/i

RPM file name  DSM-KiscoInformationSystemsSafeNetI-Qradar_version-build_number.noarch.rpm

Supported versions  V10.11

Protocol  Log File

Recorded event types  All events

Automatically discovered?  No

Includes identity?  No

Includes custom properties?  No

More information  Kisco Information Systems website (http://www.kisco.com/safenet/summary.htm)

To collect Kisco Information Systems SafeNet/i events, complete the following steps:

1 If automatic updates are not enabled, download and install the most recent version of the following RPMs on your Extreme Security Console:

• DSMCommon RPM

• Log File Protocol RPM

• Kisco Information Systems SafeNet/i DSM RPM

2 Configure your Kisco Information Systems SafeNet/i device to communicate with Extreme Security.

3 Add a Kisco Information Systems SafeNet/i log source on the Extreme Security Console. The following table describes the parameters that require specific values for Kisco Information Systems SafeNet/i event collection:

Table 53: Kisco Information Systems SafeNet/i log source parameters

Parameter  Value

Log Source type  Kisco Information Systems SafeNet/i

Protocol Configuration  Log File

Service Type  FTP

Remote IP or Hostname  The IP or host name of the Kisco Information Systems SafeNet/i device.

Remote Port  21

Remote User  The iSeries User ID that you created for Extreme Security in Kisco Information Systems SafeNet/i.

Remote Directory  Leave this field empty.

FTP File Pattern  .*

FTP Transfer Mode  BINARY

Processor  NONE

Event Generator  LINEBYLINE

File Encoding  US-ASCII

Related Links

Adding a single DSM on page 13

Configuring Kisco Information Systems SafeNet/i to communicate with Extreme Security on page 111

To collect SafeNet/i events, configure your IBM iSeries system to accept FTP GET requests from your Extreme Security through Kisco Information Systems SafeNet/i.

Adding a log source on page 14

If a log source is not automatically discovered, you can manually add a log source to receive events from your network devices or appliances.

Configuring Kisco Information Systems SafeNet/i to communicate with Extreme Security

To collect SafeNet/i events, configure your IBM iSeries system to accept FTP GET requests from your Extreme Security through Kisco Information Systems SafeNet/i.

Use the following table when you configure the FTP access settings:

Table 54: FTP access settings

Initial Name Format: *PATH

Initial List Format: *UNIX

Initial Library: *USRPRF

Initial Home Directory Path: The IFS directory

1 Create an IFS directory on your IBM iSeries system.

a Log in to your IBM iSeries system.

b Create an IFS Directory to hold the Kisco Information Systems SafeNet/i Extreme Security alert files.

Example:

/SafeNet/QRadar/

c Set up a user profile for Extreme Security to use to FTP into the IFS Directory through SafeNet/i.

Example:

QRADARUSER

2 Configure FTP access for the Extreme Security user profile.

a Log in to Kisco Information Systems SafeNet/i.

b Type GO SN7 and select Work with User to Server Security.

c Type the user profile name that you created for Extreme Security, for example, QRADARUSER.

d Type 1 for the FTP Server Request Validation *FTPSERVER and FTP Server Logon *FTPLOGON3 servers.

e Press F3 and select Work with User to FTP Statement Security and type the user profile name again.

f Type 1 for the List Files and Receiving Files FTP operations.

g Press F4 and configure FTP access parameters for the user. See Table 54: FTP access settings on page 111.

h Press F3 and select Work with User to Long Paths.

i Press F6 and provide the path to the IFS directory.

Ensure that the path is followed by an asterisk, for example, /SafeNet/QRadar/*

j Type X under the R column.

k Press F3 to exit.

3 Type CHGRDRSET and then press F4.

4 Configure the following parameters:

Activate QRADAR Integration: Yes

This Host Identifier: The IP address or host name of the IBM iSeries device.

IFS Path to QRADAR Alert File: Use the following format: /SafeNet/QRadar/

5 Type CHGNOTIFY and press F4.

6 Configure the following parameters:

Alert Notification Status: On

Summarized Alerts?: Yes
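The Log File protocol settings in Table 53 and the FTP access settings in Table 54 fit together: the collector logs in as the user profile, lists the IFS directory in *UNIX format, keeps the files that match the FTP File Pattern, retrieves them in BINARY mode and splits each into one event per line with the US-ASCII encoding. The following Python script is an added example of that polling cycle, not Kisco's or Extreme's code. The FakeFtp class, its listing and the alert lines are constructed so it runs offline; against a real SafeNet/i host you would pass an ftplib.FTP instance logged in as the Extreme Security user profile instead.

```python
import re
from typing import Dict, Iterable, List


def parse_unix_listing(lines: Iterable[str]) -> List[str]:
    """Return file names from a *UNIX style LIST reply, skipping the
    'total' summary line and directory entries (type character 'd')."""
    names = []
    for line in lines:
        parts = line.split(None, 8)  # perms links owner group size month day time name
        if len(parts) < 9 or parts[0].startswith("d"):
            continue
        names.append(parts[8])
    return names


def select_files(names: Iterable[str], pattern: str) -> List[str]:
    """Apply the FTP File Pattern as a full-match regular expression
    ('.*' in Table 53 accepts every file in the directory)."""
    rx = re.compile(pattern)
    return [n for n in names if rx.fullmatch(n)]


def split_events(raw: bytes, encoding: str = "US-ASCII") -> List[str]:
    """LINEBYLINE event generator: one event per non-empty line, decoded
    with the configured File Encoding. Undecodable bytes are replaced
    rather than raising, so one stray byte cannot drop a whole file."""
    text = raw.decode(encoding, errors="replace")
    return [line for line in text.splitlines() if line.strip()]


def poll(ftp, remote_dir: str, pattern: str, encoding: str = "US-ASCII") -> Dict[str, List[str]]:
    """One polling cycle: LIST the directory, pick matching files and
    RETR each in BINARY mode. Returns {file name: [event lines]}."""
    if remote_dir:  # Table 53 leaves Remote Directory empty; the FTP home directory is used
        ftp.cwd(remote_dir)
    listing: List[str] = []
    ftp.dir(listing.append)  # LIST reply in the server's *UNIX list format
    events: Dict[str, List[str]] = {}
    for name in select_files(parse_unix_listing(listing), pattern):
        chunks: List[bytes] = []
        ftp.retrbinary(f"RETR {name}", chunks.append)
        events[name] = split_events(b"".join(chunks), encoding)
    return events


class FakeFtp:
    """Constructed stand-in for ftplib.FTP serving one fixed IFS directory."""

    LISTING = [
        "total 16",
        "drwxrwsrwx   2 QRADARUSER 0         8192 Jul 01 09:00 archive",
        "-rw-rw-rw-   1 QRADARUSER 0           96 Jul 01 09:05 alert20150701.txt",
        "-rw-rw-rw-   1 QRADARUSER 0            0 Jul 01 09:06 empty.txt",
    ]
    # Constructed alert text; the real SafeNet/i alert file layout is not shown in the guide.
    FILES = {
        "alert20150701.txt": b"SAFENET: FTP logon rejected for user TEST\r\nSAFENET: object access denied\r\n",
        "empty.txt": b"",
    }

    def cwd(self, path: str) -> None:
        self.path = path

    def dir(self, callback) -> None:
        for line in self.LISTING:
            callback(line)

    def retrbinary(self, cmd: str, callback) -> str:
        callback(self.FILES[cmd.split(" ", 1)[1]])
        return "226 Transfer complete."


def demo() -> Dict[str, List[str]]:
    """Poll the constructed directory with the Table 53 pattern '.*'."""
    return poll(FakeFtp(), "/SafeNet/QRadar/", ".*")
```

The listing parser is why Initial List Format must be *UNIX: a library-style (*LIB) listing has different columns and the file names would not be found. The empty file in the sample yields no events rather than an error, which is the behaviour you want when SafeNet/i has written a file but no alerts yet.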


35

Lastline Enterprise

Configuring Lastline Enterprise to communicate with Extreme Security

The Extreme Networks Security Analytics DSM for Lastline Enterprise receives anti-malware events from Lastline Enterprise systems.

The following table identifies the specifications for the Lastline Enterprise DSM:

Table 55: Lastline Enterprise DSM specifications

Manufacturer: Lastline

DSM name: Lastline Enterprise

RPM file name: DSM-LastlineEnterprise-Qradar_version-build_number.noarch.rpm

Supported versions: 6.0

Protocol: LEEF

Recorded event types: Anti-malware

Automatically discovered?: Yes

Includes identity?: No

Includes custom properties?: No

More information: Lastline website (http://www.lastline.com/platform/enterprise)

To send Lastline Enterprise events to Extreme Security, complete the following steps:

1 If automatic updates are not enabled, download and install the most recent version of the following RPMs on your Extreme Security Console:

• DSMCommon RPM

• Lastline Enterprise DSM RPM

2 Configure your Lastline Enterprise device to send syslog events to Extreme Security.

3 If Extreme Security does not automatically detect the log source, add a Lastline Enterprise log source on the Extreme Security Console. The following table describes the parameters that require specific values for Lastline Enterprise event collection:


Table 56: Lastline Enterprise log source parameters

Parameter Value

Log Source type Lastline Enterprise

Protocol Configuration Syslog

Related Links

Adding a single DSM on page 13

Configuring Lastline Enterprise to communicate with Extreme Security on page 114

On the Lastline Enterprise system, use the SIEM settings in the notification interface to specify a SIEM appliance where Lastline can send events.

Adding a log source on page 14

If a log source is not automatically discovered, you can manually add a log source to receive events from your network devices or appliances.

Configuring Lastline Enterprise to communicate with Extreme Security

On the Lastline Enterprise system, use the SIEM settings in the notification interface to specify a SIEM appliance where Lastline can send events.

1 Log in to your Lastline Enterprise system.

2 On the sidebar, click Admin.

3 Click Reporting > Notifications.

4 To add a notification, click the Add a notification (+) icon.

5 From the Notification Type list, select SIEM.

6 In the SIEM Server Settings pane, configure the parameters for your Extreme Security Console or Event Collector. Ensure that you select LEEF from the SIEM Log Format list.

7 Configure the triggers for the notification:

a To edit existing triggers in the list, click the Edit trigger icon, edit the parameters, and click Update Trigger.

b To add a trigger to the list, click the Add Trigger (+) icon, configure the parameters, and click Add Trigger.

8 Click Save.


36

McAfee ePolicy Orchestrator

Configuring a McAfee ePO log source by using the JDBC protocol

Configuring ePO to forward SNMP events

The Extreme Networks Security Analytics DSM for McAfee ePolicy Orchestrator can collect event logs from your McAfee ePolicy Orchestrator device.

The following table identifies the specifications for the McAfee ePolicy Orchestrator DSM:

Table 57: McAfee ePolicy Orchestrator

Manufacturer: McAfee

DSM name: McAfee ePolicy Orchestrator

RPM file name: DSM-McAfeeEpo-QRadar_version-build_number.noarch.rpm

Supported versions: V3.5 to V5.x

Protocol type: JDBC, SNMPv2, SNMPv3

Extreme Security recorded event types: AntiVirus events

Automatically discovered?: No

Included identity?: No

More information: McAfee website (http://www.mcafee.com)

To integrate McAfee ePolicy Orchestrator with Extreme Security, use the following steps:

1 If automatic updates are not enabled, download the most recent version of the McAfee ePolicy Orchestrator DSM RPM.

2 Configure your McAfee ePolicy Orchestrator DSM device to enable communication with Extreme Security. Use one of the following options:

• To integrate

3 Create a McAfee ePolicy Orchestrator DSM log source on the Extreme Security Console.

Configuring a McAfee ePO log source by using the JDBC protocol

Configure Extreme Security to access the ePO database by using the JDBC protocol.

1 Click the Admin tab.

2 Click the Log Sources icon.

3 Click Add.


4 In the Log Source Name field, type a name for your McAfee ePolicy Orchestrator log source.

5 From the Log Source Type list, select McAfee ePolicy Orchestrator.

6 From the Protocol Configuration list, select JDBC.


7 Configure the following log source parameters:

Log Source Identifier: The identifier for the log source in the following format: <McAfee ePO Database>@<McAfee ePO Database Server IP or Host Name>. When you define a name for your log source identifier, you must use the values of the McAfee ePO Database and Database Server IP address or hostname from the ePO Management Console.

Database Type: MSDE

Database Name: The name of the McAfee ePolicy Orchestrator database.

IP or Hostname: The IP address or host name of the McAfee ePolicy Orchestrator SQL Server.

Port: The port number that the database server uses. The port must match the listener port of the McAfee ePolicy Orchestrator database. The McAfee ePolicy Orchestrator database must have incoming TCP connections enabled to communicate with Extreme Security. If you select MSDE from the Database Type list, leave the Port parameter blank.

Authentication Domain: If you select MSDE from the Database Type list and the database is configured for Windows, you must define this parameter. Otherwise, leave this parameter blank.

Database Instance: Optional. The database instance, if you have multiple SQL server instances on your database server. If you use a non-standard port in your database configuration, or have blocked access to port 1434 for SQL database resolution, you must leave the Database Instance parameter blank in your configuration.

Table Name: Type a table or view that includes the event records as follows: For ePO 3.x, type Events. For ePO 4.x, type EPOEvents. For ePO 5.x, type EPOEvents.

Select List: Type * for all fields from the table or view. You can use a comma-separated list to define specific fields from tables or views, if required for your configuration. The list must contain the field defined in the Compare Field parameter.

Compare Field: To identify new events added between queries to the table, type AutoID.

Start Date and Time: Optional. Type the start date and time for database polling in the following format: yyyy-MM-dd HH:mm with HH specified using a 24 hour clock. If the start date or time is clear, polling begins immediately and repeats at the specified polling interval.

Use Prepared Statements: Prepared statements allow the JDBC protocol source to set up the SQL statement once, and then run the SQL statement many times with different parameters. For security and performance reasons, use prepared statements. If you clear this check box, use an alternative query method that does not use pre-compiled statements.

Polling Interval: The polling interval, which is the amount of time between queries to the event table. The default polling interval is 10 seconds. To define a longer polling interval, append H for hours or M for minutes to the numeric value. The maximum polling interval is 1 week in any time format. Numeric values entered without an H or M poll in seconds.

EPS Throttle: The number of Events Per Second (EPS) that you do not want this protocol to exceed.

Use Named Pipe Communication: Clear the Use Named Pipe Communications check box.

Database Cluster Name: If you are running your SQL server in a cluster environment, define the cluster name to ensure Named Pipe communication functions properly.


8 Click Save.

9 On the Admin tab, click Deploy Changes.
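The Table Name, Select List, Compare Field, Use Prepared Statements and Polling Interval parameters describe one mechanism: a statement prepared once, re-run each interval with the last seen AutoID bound as its single parameter, so only rows added since the previous poll come back. The following Python script is an added example of that cycle and is not McAfee's, Extreme's or the JDBC protocol's own code. It uses sqlite3 as a stand-in for the ePO SQL Server database (an assumption; the real log source connects over JDBC), and the EPOEvents rows it inserts are constructed.

```python
import re
import sqlite3
from typing import List, Tuple

MAX_INTERVAL_SECONDS = 7 * 24 * 3600  # the guide's "1 week" upper bound
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def parse_polling_interval(value: str) -> int:
    """Polling Interval syntax from the parameter table: a bare number
    polls in seconds; append M for minutes or H for hours; never more
    than one week."""
    m = re.fullmatch(r"\s*(\d+)\s*([HhMm]?)\s*", value)
    if not m:
        raise ValueError(f"unrecognised polling interval: {value!r}")
    seconds = int(m.group(1)) * {"": 1, "M": 60, "H": 3600}[m.group(2).upper()]
    if not 0 < seconds <= MAX_INTERVAL_SECONDS:
        raise ValueError(f"polling interval out of range: {value!r}")
    return seconds


def build_query(table: str, select_list: str, compare_field: str) -> str:
    """Build the statement once, as Use Prepared Statements does. Table
    Name, Select List and Compare Field are operator-entered configuration
    and are checked against an identifier whitelist; the only value that
    changes per poll (the last seen Compare Field value) is bound as a
    parameter and never spliced into the SQL text."""
    columns = [c.strip() for c in select_list.split(",")]
    if columns != ["*"]:
        if any(not _IDENT.match(c) for c in columns):
            raise ValueError("Select List must be * or a list of column names")
        if compare_field not in columns:
            raise ValueError("Select List must contain the Compare Field")
    if not (_IDENT.match(table) and _IDENT.match(compare_field)):
        raise ValueError("Table Name and Compare Field must be plain identifiers")
    return (f"SELECT {', '.join(columns)} FROM {table} "
            f"WHERE {compare_field} > ? ORDER BY {compare_field}")


class JdbcPoller:
    """Incremental poller: remembers the highest Compare Field value seen
    and asks only for rows above it on the next cycle."""

    def __init__(self, conn: sqlite3.Connection, table: str = "EPOEvents",
                 select_list: str = "*", compare_field: str = "AutoID") -> None:
        self.conn = conn
        self.compare_field = compare_field
        self.sql = build_query(table, select_list, compare_field)
        self.last_id = 0  # watermark; a Start Date and Time would seed this instead

    def poll(self) -> List[Tuple]:
        cur = self.conn.execute(self.sql, (self.last_id,))
        rows = cur.fetchall()
        if rows:
            idx = [d[0] for d in cur.description].index(self.compare_field)
            self.last_id = rows[-1][idx]
        return rows


def demo() -> Tuple[int, int, int]:
    """Three polling cycles against a constructed EPOEvents table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE EPOEvents (AutoID INTEGER PRIMARY KEY, ThreatName TEXT, SourceIPV4 TEXT)")
    conn.executemany("INSERT INTO EPOEvents (ThreatName, SourceIPV4) VALUES (?, ?)",
                     [("Constructed.Threat.A", "10.0.0.5"), ("Constructed.Threat.B", "10.0.0.9")])
    poller = JdbcPoller(conn, select_list="AutoID, ThreatName, SourceIPV4")
    first = len(poller.poll())   # both existing rows
    second = len(poller.poll())  # nothing new: the watermark holds
    conn.execute("INSERT INTO EPOEvents (ThreatName, SourceIPV4) VALUES (?, ?)",
                 ("Constructed.Threat.C", "10.0.0.7"))
    third = len(poller.poll())   # only the row added since the last poll
    return first, second, third
```

The identifier check is the reason the guide's advice to keep Select List to * or plain column names matters: the column list and table name are the one part of the query that cannot be bound as a parameter, so they must be validated, while the AutoID watermark is always passed as a bound value.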

Configuring ePO to forward SNMP events

To configure ePO to forward SNMP events, you must configure your McAfee ePolicy Orchestrator device to send SNMP trap notifications and Extreme Security to receive them.

1 Add a registered server.

2 Configure the SNMP trap notifications on your ePO device.

3 Configure the log source and protocol in Extreme Security.

4 Optional: Install the Java Cryptography Extension for high-level SNMP decryption algorithms.

Adding a registered server to McAfee ePO

To configure ePO to forward SNMP events, you must add a registered server to McAfee EPO.

1 Log in to your McAfee ePolicy Orchestrator console.

2 Select Menu > Configuration > Registered Servers.

3 Click New Server.

4 From the Server Type menu, select SNMP Server.

5 Type the name and any additional notes about the SNMP server, click Next.

6 From the Address list, select the type of server address that you are using and type the name or IP address.

7 From the SNMP Version list, select the SNMP version to use:

• If you use SNMPv2c, you must provide the Community name.

• If you use SNMPv3, you must provide the SNMPv3 Security details.

8 To verify the SNMP configuration, click Send Test Trap.

9 Click Save.


Configuring a McAfee ePO log source by using the SNMP protocol

Configure a log source in Extreme Security to receive McAfee ePO events by using the SNMP protocol.


1 Click the Admin tab.

2 Click the Log Sources icon.

3 Click Add.

4 In the Log Source Name field, type a name for your McAfee ePolicy Orchestrator log source.

5 From the Log Source Type list, select McAfee ePolicy Orchestrator.

6 From the Protocol Configuration list, select either SNMPv2 or SNMPv3.

7 If you chose SNMPv2, configure the following log source parameters:

Log Source Identifier: The unique IP address for the log source.

Community: The SNMP community string for the SNMPv2 protocol, such as Public.

Include OIDs in Event Payload: Select this check box to allow the McAfee ePO event payloads to be constructed by using name-value pairs instead of the standard event payload format.

8 If you chose SNMPv3, configure the following log source parameters:

Log Source Identifier: The unique IP address for the log source.

Authentication Protocol: The algorithm that you want to use to authenticate SNMPv3 traps. SHA uses Secure Hash Algorithm (SHA) as your authentication protocol. MD5 uses Message Digest 5 (MD5) as your authentication protocol.

Authentication Password: The password to authenticate SNMPv3. Your authentication password must include a minimum of 8 characters.

Decryption Protocol: The algorithm to decrypt the SNMPv3 traps:

• DES

• AES128

• AES192

• AES256

If you select AES192 or AES256 as your decryption algorithm, you must install the Java Cryptography Extension. For more information, see Installing the Java Cryptography Extension.

Decryption Password: The password to decrypt SNMPv3 traps. Your decryption password must include a minimum of 8 characters.

User: The user access for this protocol.

Include OIDs in Event Payload: Select this check box to allow the McAfee ePO event payloads to be constructed as name-value pairs instead of the standard event payload format. Including OIDs in the event payload is required for processing SNMPv2 or SNMPv3 events for McAfee ePO.

9 Click Save.


10 On the Admin tab, click Deploy Changes.
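The Authentication Protocol, Authentication Password and Decryption Password settings in step 8 are the inputs to the SNMPv3 User-based Security Model key derivation: the receiver turns each password into a key with the chosen hash and then localizes it with the sending engine's ID, so the same password yields a different key per ePO server. The following Python code is an added example of that derivation (RFC 3414 appendix A.2) and is not McAfee's, Extreme's or the JCE's code; the check_password helper enforces the guide's 8-character minimum. The test vector it is checked against (password "maplesyrup", engine ID 00 00 00 00 00 00 00 00 00 00 00 02) is the one published in RFC 3414 appendix A.3.

```python
import hashlib
from typing import Callable, Dict

# The two Authentication Protocol choices offered by the SNMPv3 log source.
_HASH: Dict[str, Callable] = {"MD5": hashlib.md5, "SHA": hashlib.sha1}
MIN_PASSWORD_LENGTH = 8  # the guide's minimum for both SNMPv3 passwords


def check_password(password: str) -> None:
    if len(password) < MIN_PASSWORD_LENGTH:
        raise ValueError(f"SNMPv3 passwords must include a minimum of {MIN_PASSWORD_LENGTH} characters")


def password_to_key(password: str, protocol: str) -> bytes:
    """Ku (RFC 3414 A.2.1 / A.2.2): hash exactly 1,048,576 bytes of the
    password repeated end to end. That repetition is the only stretching
    USM applies, so a short password stays cheap to guess from a captured
    trap, which is why the minimum length matters."""
    check_password(password)
    pw = password.encode("utf-8")
    stream = (pw * (1048576 // len(pw) + 1))[:1048576]
    return _HASH[protocol](stream).digest()


def localize_key(ku: bytes, engine_id: bytes, protocol: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): one password, a different key for
    every authoritative engine, so a key recovered from one agent does
    not authenticate traps claiming to come from another."""
    return _HASH[protocol](ku + engine_id + ku).digest()


def derive_localized_key(password: str, engine_id: bytes, protocol: str) -> bytes:
    return localize_key(password_to_key(password, protocol), engine_id, protocol)


def usm_keys(auth_password: str, priv_password: str, engine_id: bytes,
             auth_protocol: str) -> Dict[str, bytes]:
    """Both keys the receiver needs for one sending engine. The decryption
    password goes through the same derivation with the authentication
    protocol's hash; DES then uses the first 8 bytes of the result and
    AES128 the first 16 (RFC 3414 and RFC 3826)."""
    return {
        "auth": derive_localized_key(auth_password, engine_id, auth_protocol),
        "priv": derive_localized_key(priv_password, engine_id, auth_protocol),
    }
```

Two practical consequences follow from the derivation: the engine ID of the ePO registered server must be the one that actually signs the traps, or every key the receiver computes is wrong and traps are dropped as unauthenticated; and because the privacy key is only as long as the authentication hash output, AES192 and AES256 need the key-extension step and the unrestricted JCE policy described in the next sections.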

Installing the Java Cryptography Extension on McAfee ePO

The Java™ Cryptography Extension (JCE) is a Java framework that is required for Extreme Security to decrypt advanced cryptography algorithms for AES192 or AES256. The following information describes how to install Oracle JCE on your McAfee ePO appliance.

1 Download the latest version of the Java Cryptography Extension from the following website: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=jcesdk

The Java™ Cryptography Extension version must match the version of the Java™ installed on your McAfee ePO appliance.

2 Copy the JCE compressed file to the following directory on your McAfee ePO appliance:

<installation path to McAfee ePO>/jre/lib/security

Installing the Java Cryptography Extension on Extreme Security

The Java™ Cryptography Extension (JCE) is a Java framework that is required for Extreme Security to decrypt advanced cryptography algorithms for AES192 or AES256. The following information describes how to install Oracle JCE on your Extreme Security appliance.

1 Download the latest version of the Java™ Cryptography Extension from the following website: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=jcesdk

The Java™ Cryptography Extension version must match the version of the Java™ installed on Extreme Security.

2 Extract the JCE file.

The following Java archive (JAR) files are included in the JCE download:

• local_policy.jar

• US_export_policy.jar

3 Log in to your Extreme Security Console or Event Collector as a root user.

4 Copy the JCE jar files to the following directory on your Extreme Security Console or Event Collector:

/usr/java/latest/jre/lib/

The JCE jar files are only copied to the system that receives the AES192 or AES256 encrypted files from McAfee ePolicy Orchestrator.

Supported parameters for event detection

The following event detection parameters are available, based on your version of McAfee ePolicy Orchestrator.


Table 58: Supported event detection parameters

Available Types | Selected Types | ePO version

Detected UTC | {listOfDetectedUTC} | 4.5

Received UTC | {listOfReceivedUTC} | 4.5

Detecting Product IPv4 Address | {listOfAnalyzerIPV4} | 4.5

Detecting Product IPv6 Address | {listOfAnalyzerIPV6} | 4.5

Detecting Product MAC Address | {listOfAnalyzerMAC} | 4.5

Source IPv4 Address | {listOfSourceIPV4} | 4.5

Source IPv6 Address | {listOfSourceIPV6} | 4.5

Source MAC Address | {listOfSourceMAC} | 4.5

Source User Name | {listOfSourceUserName} | 4.5

Target IPv4 Address | {listOfTargetIPV4} | 4.5

Target IPv6 Address | {listOfTargetIPV6} | 4.5

Target MAC | {listOfTargetMAC} | 4.5

Target Port | {listOfTargetPort} | 4.5

Threat Event ID | {listOfThreatEventID} | 4.5

Threat Severity | {listOfThreatSeverity} | 4.5

SourceComputers | (none) | 4.0

AffectedComputerIPs | (none) | 4.0

EventIDs | (none) | 4.0

TimeNotificationSent | (none) | 4.0


37

LOGbinder EX event collection from Microsoft Exchange Server

Configuring your LOGbinder EX system to send Microsoft Exchange event logs to Extreme Security

The Extreme Networks Security Analytics DSM for Microsoft Exchange Server can collect LOGbinder EX V2.0 events.

The following table identifies the specifications for the Microsoft Exchange Server DSM when the log source is configured to collect LOGbinder EX events:

Table 59: LOGbinder for Microsoft Exchange Server

Manufacturer: Microsoft

DSM name: Microsoft Exchange Server

RPM file name: DSM-MicrosoftExchange-QRadar_version-build_number.noarch.rpm

Supported versions: LOGbinder EX V2.0

Protocol type: Syslog, LEEF

Extreme Security recorded event types: Admin, Mailbox

Automatically discovered?: Yes

Included identity?: No

More information: Microsoft Exchange website (http://www.office.microsoft.com/en-us/exchange/)

The Microsoft Exchange Server DSM can collect other types of events. For more information on how to configure for other Microsoft Exchange Server event formats, see the Microsoft Exchange Server topic in the Extreme Networks Security DSM Configuration Guide.

To collect LOGbinder events from Microsoft Exchange Server, use the following steps:

1 If automatic updates are not enabled, download the most recent version of the following RPMs:

• DSMCommon RPM

• Microsoft Exchange Server DSM RPM

2 Configure your LOGbinder EX system to send Microsoft Exchange Server event logs to Extreme Security.


3 If the log source is not automatically created, add a Microsoft Exchange Server DSM log source on the Extreme Security Console. The following table describes the parameters that require specific values for LOGbinder EX event collection:

Table 60: Microsoft Exchange Server log source parameters for LOGbinder event collection

Parameter Value

Log Source type Microsoft Exchange Server

Protocol Configuration Syslog

Related Links

Adding a single DSM on page 13

Adding a log source on page 14

If a log source is not automatically discovered, you can manually add a log source to receive events from your network devices or appliances.

Configuring your LOGbinder EX system to send Microsoft Exchange event logs to Extreme Security

To collect Microsoft Exchange LOGbinder events, you must configure your LOGbinder EX system to send events to Extreme Networks Security Analytics.

Configure LOGbinder EX to collect events from your Microsoft Exchange Server. For more information, see your LOGbinder EX documentation.

1 Open the LOGbinder EX Control Panel.

2 Double-click Output in the Configure pane.

3 Choose one of the following options:

• Configure for Syslog-Generic output:

1 In the Outputs pane, double-click Syslog-Generic.

2 Select the Send output to Syslog-Generic check box, and then enter the IP address and port of your Extreme Security Console or Event Collector.

• Configure for Syslog-LEEF output:

1 In the Outputs pane, double-click Syslog-LEEF.

2 Select the Send output to Syslog-LEEF check box, and then enter the IP address and port of your Extreme Security Console or Event Collector.

4 Click OK.

5 To restart the LOGbinder service, click the Restart icon.


38

LOGbinder SP event collection from Microsoft SharePoint

Configuring your LOGbinder SP system to send Microsoft SharePoint event logs to Extreme Security

The Extreme Networks Security Analytics DSM for Microsoft SharePoint can collect LOGbinder SP events.

The following table identifies the specifications for the Microsoft SharePoint DSM when the log source is configured to collect LOGbinder SP events:

Table 61: LOGbinder for Microsoft SharePoint specifications

Manufacturer: Microsoft

DSM name: Microsoft SharePoint

RPM file name: DSM-MicrosoftSharePoint-QRadar_version-build_number.noarch.rpm

Supported versions: LOGbinder SP V4.0

Protocol type: Syslog, LEEF

Extreme Security recorded event types: All events

Automatically discovered?: Yes

Included identity?: No

More information: Microsoft SharePoint website (http://office.microsoft.com/en-sg/sharepoint/); LOGbinder SP website (http://www.logbinder.com/products/logbindersp/)

The Microsoft SharePoint DSM can collect other types of events. For more information about other Microsoft SharePoint event formats, see the Microsoft SharePoint topic in the Extreme Networks Security DSM Configuration Guide.

To collect LOGbinder events from Microsoft SharePoint, use the following steps:

1 If automatic updates are not enabled, download the most recent version of the following RPMs:

• DSMCommon RPM

• Microsoft SharePoint DSM RPM

2 Configure your LOGbinder SP system to send Microsoft SharePoint event logs to Extreme Security.


3 If the log source is not automatically created, add a Microsoft SharePoint DSM log source on the Extreme Security Console. The following table describes the parameters that require specific values for LOGbinder event collection:

Table 62: Microsoft SharePoint log source parameters for LOGbinder event collection

Parameter Value

Log Source type Microsoft SharePoint

Protocol Configuration Syslog

Related Links

Adding a single DSM on page 13

Configuring your LOGbinder SP system to send Microsoft SharePoint event logs to Extreme Security on page 125

To collect Microsoft SharePoint LOGbinder events, you must configure your LOGbinder SP system to send events to Extreme Networks Security Analytics.

Adding a log source on page 14

If a log source is not automatically discovered, you can manually add a log source to receive events from your network devices or appliances.

Configuring your LOGbinder SP system to send Microsoft SharePoint event logs to Extreme Security

To collect Microsoft SharePoint LOGbinder events, you must configure your LOGbinder SP system to send events to Extreme Networks Security Analytics.

1 Open the LOGbinder SP Control Panel.

2 Double-click Output in the Configure pane.

3 Choose one of the following options:

• Configure for Syslog-Generic output:

1 In the Outputs pane, double-click Syslog-Generic.

2 Select the Send output to Syslog-Generic check box, and then enter the IP address and port of your Extreme Security Console or Event Collector.

• Configure for Syslog-LEEF output:

1 In the Outputs pane, double-click Syslog-LEEF.

2 Select the Send output to Syslog-LEEF check box, and then enter the IP address and port of your Extreme Security Console or Event Collector.

4 Click OK.

5 To restart the LOGbinder service, click the Restart icon.


39

LOGbinder SQL event collection from Microsoft SQL Server

Configuring your LOGbinder SQL system to send Microsoft SQL Server event logs to Extreme Security

The Extreme Networks Security Analytics DSM for Microsoft SQL Server can collect LOGbinder SQL events.

The following table identifies the specifications for the Microsoft SQL Server DSM when the log source is configured to collect LOGbinder SQL events:

Table 63: LOGbinder for Microsoft SQL Server specifications

Manufacturer: Microsoft

DSM name: Microsoft SQL Server

RPM file name: DSM-MicrosoftSQL-QRadar_version-build_number.noarch.rpm

Supported versions: LOGbinder SQL V2.0

Protocol type: Syslog

Extreme Security recorded event types: All events

Automatically discovered?: Yes

Included identity?: Yes

More information: LOGbinder SQL website (http://www.logbinder.com/products/logbindersql/); Microsoft SQL Server website (http://www.microsoft.com/en-us/server-cloud/products/sqlserver/)

The Microsoft SQL Server DSM can collect other types of events. For more information about other Microsoft SQL Server event formats, see the Microsoft SQL Server topic in the Extreme Networks Security DSM Configuration Guide.

To collect LOGbinder events from Microsoft SQL Server, use the following steps:

1 If automatic updates are not enabled, download the most recent version of the following RPMs:

• DSMCommon RPM

• Microsoft SQL Server DSM RPM

2 Configure your LOGbinder SQL system to send Microsoft SQL Server event logs to Extreme Security.


3 If the log source is not automatically created, add a Microsoft SQL Server DSM log source on the Extreme Security Console. The following table describes the parameters that require specific values for LOGbinder event collection:

Table 64: Microsoft SQL Server log source parameters for LOGbinder event collection

Parameter Value

Log Source type Microsoft SQL Server

Protocol Configuration Syslog

Related Links

Adding a single DSM on page 13

Adding a log source on page 14

If a log source is not automatically discovered, you can manually add a log source to receive events from your network devices or appliances.

Configuring your LOGbinder SQL system to send Microsoft SQL Server event logs to Extreme Security

To collect Microsoft SQL Server LOGbinder events, you must configure your LOGbinder SQL system to send events to Extreme Networks Security Analytics.

Configure LOGbinder SQL to collect events from your Microsoft SQL Server. For more information, see your LOGbinder SQL documentation.

1 Open the LOGbinder SQL Control Panel.

2 Double-click Output in the Configure pane.

3 Choose one of the following options:

• Configure for Syslog-Generic output:

1 In the Outputs pane, double-click Syslog-Generic.

2 Select the Send output to Syslog-Generic check box, and then enter the IP address and port of your Extreme Security Console or Event Collector.

• Configure for Syslog-LEEF output:

1 In the Outputs pane, double-click Syslog-LEEF.

2 Select the Send output to Syslog-LEEF check box, and then enter the IP address and port of your Extreme Security Console or Event Collector.

4 Click OK.

5 To restart the LOGbinder service, click the Restart icon.
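The three LOGbinder procedures above (EX, SP and SQL) offer a Syslog-LEEF output, and the Lastline Enterprise notification earlier in this guide also sends LEEF over syslog; it is the format the DSMs parse when the log source is auto-discovered. The following Python parser is an added example of how a LEEF line is structured and is not LOGbinder's, Lastline's or Extreme's code. It handles LEEF 1.0 (tab-separated attributes) and LEEF 2.0 (a delimiter field in the header, given literally or as a hex code such as x09). The sample messages, their vendor and product names and their attribute names are constructed and are not taken from either product's documentation.

```python
import re
from typing import Any, Dict, List

_HEX_DELIM = re.compile(r"^x[0-9A-Fa-f]{2,4}$")


def parse_leef(message: str) -> Dict[str, Any]:
    """Parse one syslog line carrying a LEEF 1.0 or 2.0 event.
    Header: LEEF:Version|Vendor|Product|ProductVersion|EventID|[Delimiter|]attributes"""
    start = message.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header in message")
    syslog_prefix = message[:start].rstrip()  # PRI, timestamp and host, if present
    parts = message[start:].split("|", 5)
    if len(parts) < 6:
        raise ValueError("incomplete LEEF header")
    version = parts[0][len("LEEF:"):]
    vendor, product, product_version, event_id, rest = parts[1:]
    delimiter, attrs = "\t", rest
    if version.startswith("2"):
        head, sep, tail = rest.partition("|")
        # An explicit delimiter field never contains '=': if the first
        # '|'-separated token does, the sender omitted it and tab applies.
        if sep and head and "=" not in head:
            delimiter = chr(int(head[1:], 16)) if _HEX_DELIM.match(head) else head
            attrs = tail
    attributes: Dict[str, str] = {}
    for token in attrs.split(delimiter):
        key, eq, value = token.partition("=")
        if eq and key:
            attributes[key.strip()] = value
    return {
        "syslog_prefix": syslog_prefix,
        "leef_version": version,
        "vendor": vendor,
        "product": product,
        "product_version": product_version,
        "event_id": event_id,
        "attributes": attributes,
    }


# Constructed sample messages (vendor, product and attribute names are illustrative only).
SAMPLE_LEEF_1 = ("<13>Jul 01 09:00:00 sandbox-mgr LEEF:1.0|ExampleVendor|ExampleSandbox|6.0|malware_detected|"
                 "src=10.0.0.50\tdst=203.0.113.7\tsev=9\tfileName=invoice.exe")
SAMPLE_LEEF_2_HEX = ("LEEF:2.0|ExampleVendor|ExampleAudit|2.0|MailboxAccess|x09|"
                     "usrName=CORP\\jdoe\tsrc=10.0.0.50\taction=Open")
SAMPLE_LEEF_2_CHAR = "LEEF:2.0|ExampleVendor|ExampleAudit|2.0|MailboxAccess|^|usrName=jdoe^src=10.0.0.50"


def demo() -> List[Dict[str, Any]]:
    return [parse_leef(m) for m in (SAMPLE_LEEF_1, SAMPLE_LEEF_2_HEX, SAMPLE_LEEF_2_CHAR)]
```

Choosing Syslog-LEEF over Syslog-Generic in step 3 is what makes the header's vendor and product fields available to the DSM for auto-discovery; with the generic output the same information has to be recovered from free text.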


40

Microsoft Exchange Server

Configuring Microsoft Exchange Server to communicate with Extreme Security

Configuring a log source for Microsoft Exchange

The Extreme Networks Security Analytics DSM for Microsoft Exchange Server collects Exchange events by polling for event log files.

The following table identifies the specifications for the Microsoft Exchange Server DSM:

Table 65: Microsoft Exchange Server

Manufacturer: Microsoft

DSM name: Exchange Server

RPM file name: DSM-MicrosoftExchange-QRadar_version-build_number.noarch.rpm

Supported versions: Microsoft Exchange 2003, Microsoft Exchange 2007, Microsoft Exchange 2010

Protocol type: WinCollect for Microsoft Exchange 2003; Microsoft Exchange protocol for Microsoft Exchange 2007 and 2010

Extreme Security recorded event types: Outlook Web Access events (OWA), Simple Mail Transfer Protocol events (SMTP), Message Tracking Protocol events (MSGTRK)

Automatically discovered?: No

Included identity?: No

More information: Microsoft website (http://www.microsoft.com)

To integrate Microsoft Exchange Server with Extreme Security, use the following steps:

1 If automatic updates are not enabled, download the most recent version of the Microsoft Exchange Server DSM RPM.

2 Configure your Microsoft Exchange Server DSM device to enable communication with Extreme Security.

3 Create a Microsoft Exchange Server DSM log source on the Extreme Security Console.

Related Links

Adding a single DSM on page 13

Adding a log source on page 14

If a log source is not automatically discovered, you can manually add a log source to receive events from your network devices or appliances.


Configuring Microsoft Exchange Server to communicate with Extreme Security

Ensure that the firewalls that are located between the Exchange Server and the remote host allow traffic on the following ports:

• TCP port 13 for Microsoft Endpoint Mapper.

• UDP port 137 for NetBIOS name service.

• UDP port 138 for NetBIOS datagram service.

• TCP port 139 for NetBIOS session service.

• TCP port 445 for Microsoft Directory Services to transfer files across a Windows share.

1 Configure OWA logs.

2 Configure SMTP logs.

3 Configure MSGTRK logs.

Configuring OWA logs on your Microsoft Exchange Server

To prepare your Microsoft Exchange Server to communicate with Extreme Networks Security Analytics, configure Outlook Web Access (OWA) event logs.

1 Log into your Microsoft Internet Information System (IIS) Manager.

2 On the desktop, select Start > Run.

3 Type the following command: inetmgr

4 Click OK.

5 In the menu tree, expand Local Computer.

6 If you use IIS 6.0 Manager for Microsoft Server 2003, complete the following steps:

a Expand Web Sites.

b Right-click Default Web Site and select Properties.

c From the Active Log Format list, select W3C.

d Click Properties.

e Click the Advanced tab.

f From the list of properties, select the Method (cs-method) and Protocol Version (cs-version) check boxes g Click OK.

7 If you use IIS 7.0 Manager for Microsoft Server 2008 R2, complete the following steps: a Click Logging.

b From the Format list, select W3C.

c Click Select Fields.

d From the list of properties, select the Method (cs-method) and Protocol Version (cs-version) check boxes e Click OK.


Enabling SMTP logs on your Microsoft Exchange Server

To prepare your Microsoft Exchange Server 2007 and 2010 to communicate with Extreme Networks Security Analytics, enable SMTP event logs.

1 Start the Exchange Management Console.

2 To configure your receive connector, choose one of the following options:

• For edge transport servers, select Edge Transport in the console tree and click the Receive Connectors tab.

• For hub transport servers, select Server Configuration > Hub Transport in the console tree, select the server, and then click the Receive Connectors tab.

3 Select your receive connector and click Properties.

4 Click the General tab.

5 From the Protocol logging level list, select Verbose.

6 Click Apply.

7 Click OK.

8 To configure your send connector, choose one of the following options:

• For edge transport servers, select Edge Transport in the console tree and click the Send Connectors tab.

• For hub transport servers, select Organization Configuration > Hub Transport in the console tree, select your server, and then click the Send Connectors tab.

9 Select your send connector and click Properties.

10 Click the General tab.

11 From the Protocol logging level list, select Verbose.

12 Click Apply.

13 Click OK.
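The OWA and SMTP logging settings from the two procedures above can also be applied from an elevated Exchange Management Shell, as in this added example, which is not part of the guide. It assumes IIS 7 or later with the WebAdministration module (Windows Server 2008 R2), that OWA is served from Default Web Site, and that every receive and send connector should log at Verbose.

```powershell
# Added example, not from the guide: OWA (IIS W3C fields) and SMTP connector
# protocol logging for an Exchange 2007/2010 server. Run in an elevated
# Exchange Management Shell on the Exchange server itself.
# Assumptions: IIS 7+ with the WebAdministration module (Server 2008 R2),
# OWA under 'Default Web Site', all connectors set to Verbose.

Import-Module WebAdministration

$siteName = 'Default Web Site'
$logFile  = "system.applicationHost/sites/site[@name='$siteName']/logFile"
$appHost  = 'MACHINE/WEBROOT/APPHOST'

# OWA, steps 7a-7e: W3C format with the Method (cs-method) and Protocol
# Version (cs-version) fields. The list below is the IIS 7 default field set
# plus ProtocolVersion; setting logExtFileFlags replaces the whole list.
$w3cFields = @(
    'Date', 'Time', 'ClientIP', 'UserName', 'ServerIP', 'Method',
    'UriStem', 'UriQuery', 'HttpStatus', 'HttpSubStatus', 'Win32Status',
    'ServerPort', 'UserAgent', 'TimeTaken', 'ProtocolVersion'
)
Set-WebConfigurationProperty -PSPath $appHost -Filter $logFile -Name logFormat -Value 'W3C'
Set-WebConfigurationProperty -PSPath $appHost -Filter $logFile -Name logExtFileFlags -Value ($w3cFields -join ',')

# SMTP, steps 2-13: Verbose protocol logging on every receive and send
# connector. Verbose logs record each SMTP command and response, so watch
# the ProtocolLog folder growth on busy hub transports.
Get-ReceiveConnector | Set-ReceiveConnector -ProtocolLoggingLevel Verbose
Get-SendConnector    | Set-SendConnector    -ProtocolLoggingLevel Verbose

# Show the effective settings so they can be checked against the procedure.
Get-WebConfigurationProperty -PSPath $appHost -Filter $logFile -Name logFormat
Get-WebConfigurationProperty -PSPath $appHost -Filter $logFile -Name logExtFileFlags
Get-ReceiveConnector | Select-Object Identity, ProtocolLoggingLevel
Get-SendConnector    | Select-Object Identity, ProtocolLoggingLevel
```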

Configuring a log source for Microsoft Exchange

Extreme Networks Security Analytics does not automatically discover Microsoft Exchange events. To integrate Microsoft Exchange event data, you must create a log source for each instance from which you want to collect event logs.

If a log folder path on the Exchange Server contains an administrative share (C$), ensure that users with NetBIOS access have local or domain administrator permissions.

The folder path fields for OWA, SMTP, and MSGTRK define the default file path with a drive letter and path information. If you changed the location of the log files on the Microsoft Exchange Server, ensure that you provide the correct file paths in the log source configuration. The Microsoft Exchange Protocol can read subdirectories of the OWA, SMTP, and MSGTRK folders for event logs.

Directory paths can be specified in the following formats:

• Correct - c$/LogFiles/

• Correct - LogFiles/

• Incorrect - c:/LogFiles

• Incorrect - c$\LogFiles
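The path rules above can be checked before the log source is saved, as in this added example, which is not part of the guide. It validates the c$/LogFiles/ format, converts an administrative-share path into the UNC path the collector opens, and confirms that the running account can read it; the server name and paths are placeholders.

```powershell
# Added example, not from the guide: checks that a folder path is written the
# way the Microsoft Exchange protocol expects (c$/LogFiles/ style) and, for
# paths that start with an administrative share, that the UNC path the
# collector will open is actually readable. Assumptions: the server name and
# paths below are placeholders; run as the account the log source will use,
# from a host that can reach the server on TCP 139/445.

function Test-ExchangeLogPath {
    param(
        [Parameter(Mandatory)][string]$ServerAddress,
        [Parameter(Mandatory)][string]$FolderPath
    )
    # Format rules from the guide: forward slashes, a trailing slash, and a
    # drive written as an administrative share (c$/), never a drive letter (c:/).
    $problems = @()
    if ($FolderPath -match '\\')         { $problems += 'uses backslashes; write c$/LogFiles/ not c$\LogFiles' }
    if ($FolderPath -match '^[A-Za-z]:') { $problems += 'starts with a drive letter; write c$/ not c:/' }
    if ($FolderPath -notmatch '/$')      { $problems += 'missing trailing slash' }

    $result = [ordered]@{
        Path = $FolderPath; FormatOk = ($problems.Count -eq 0)
        Unc = $null; Readable = $null; NewestLog = $null; Problems = $problems
    }
    if ($result.FormatOk -and $FolderPath -match '^[A-Za-z]\$/') {
        # c$/Program Files/... becomes \\server\c$\Program Files\...
        $unc = '\\' + $ServerAddress + '\' + ($FolderPath.TrimEnd('/') -replace '/', '\')
        $result.Unc = $unc
        $result.Readable = Test-Path -LiteralPath $unc -PathType Container
        if ($result.Readable) {
            # The protocol reads subdirectories too, so the newest *.log anywhere
            # below the folder shows whether logs are still written at this location.
            $newest = Get-ChildItem -LiteralPath $unc -Recurse -File -Filter '*.log' -ErrorAction SilentlyContinue |
                      Sort-Object LastWriteTime -Descending | Select-Object -First 1
            if ($newest) { $result.NewestLog = '{0} ({1})' -f $newest.FullName, $newest.LastWriteTime }
        }
    }
    [pscustomobject]$result
}

$server = 'exch01.example.com'   # placeholder: the log source Server Address
# The guide's Exchange 2010 default folders, plus the two incorrect forms it lists.
@(
    'c$/Program Files/Microsoft/Exchange Server/V14/TransportRoles/Logs/ProtocolLog/',
    'c$/inetpub/logs/LogFiles/W3SVC1/',
    'c$/Program Files/Microsoft/Exchange Server/V14/TransportRoles/Logs/MessageTracking/',
    'c:/LogFiles',
    'c$\LogFiles'
) | ForEach-Object { Test-ExchangeLogPath -ServerAddress $server -FolderPath $_ } | Format-List
```

A relative path such as LogFiles/ passes the format check but is not resolved to a UNC path, because only the protocol knows what it is relative to.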


1 Click the Admin tab.

2 On the navigation menu, click Data Sources.

3 Click the Log Sources icon.

4 In the Log Source Name field, type a name for the log source.

5 In the Log Source Description field, type a description for the log source.

6 From the Log Source Type list, select Microsoft Exchange Server.

7 From the Protocol Configuration list, select Microsoft Exchange.

8 Configure the following parameters:

Log Source Identifier: The IP address or host name to identify the Windows Exchange event source in the Extreme Security user interface.

Server Address: The IP address of the Microsoft Exchange server.

SMTP Log Folder Path: The directory path to access the SMTP log files. Use one of the following directory paths:

For Microsoft Exchange 2003, use c$/Program Files/Microsoft/Exchange Server/TransportRoles/Logs/ProtocolLog/.

For Microsoft Exchange 2007, use c$/Program Files/Microsoft/Exchange Server/TransportRoles/Logs/ProtocolLog/.

For Microsoft Exchange 2010, use c$/Program Files/Microsoft/Exchange Server/V14/TransportRoles/Logs/ProtocolLog/.

OWA Log Folder Path: The directory path to access the OWA log files. Use one of the following directory paths:

For Microsoft Exchange 2003, use c$/WINDOWS/system32/LogFiles/W3SVC1/.

For Microsoft Exchange 2007, use c$/WINDOWS/system32/LogFiles/W3SVC1/.

For Microsoft Exchange 2010, use c$/inetpub/logs/LogFiles/W3SVC1/.

MSGTRK Log Folder Path: The directory path to access message tracking log files. Message tracking is only available on Microsoft Exchange 2007 servers assigned the Hub Transport, Mailbox, or Edge Transport server role. Use one of the following directory paths:

For Microsoft Exchange 2007, use c$/Program Files/Microsoft/Exchange Server/TransportRoles/Logs/MessageTracking/.

For Microsoft Exchange 2010, use c$/Program Files/Microsoft/Exchange Server/V14/TransportRoles/Logs/MessageTracking/.

Force File Read: Forces the protocol to read the log file. By default, the check box is selected. If the check box is cleared, the log file is read when the log file modified time or file size attributes change.

9 Configure the remaining parameters.

10 Click Save.


11 On the Admin tab, click Deploy Changes.


41 Microsoft SQL Server

Microsoft SQL Server preparation for communication with Extreme Security

Configuring a Microsoft SQL Server log source

The Extreme Networks Security Analytics DSM for Microsoft™ SQL Server collects SQL events by using the syslog, WinCollect Microsoft™ SQL, or JDBC protocol.

The following table identifies the specifications for the Microsoft™ SQL Server DSM:

Table 66: Microsoft™ SQL Server DSM

Manufacturer: Microsoft™

DSM name: SQL Server

RPM file name: DSM-MicrosoftSQL-QRadar-version-Build_number.noarch.rpm

Supported versions: 2008, 2012, and 2014 (Enterprise editions only)

Event format: syslog, JDBC, WinCollect

Extreme Security recorded event types: SQL error log events

Automatically discovered? Yes

Includes identity? Yes

More information: Microsoft™ website (http://www.microsoft.com/en-us/server-cloud/products/sql-server/)

You can integrate Microsoft™ SQL Server with Extreme Security by using one of the following methods:

JDBC: Microsoft™ SQL Server Enterprise can capture audit events by using the JDBC protocol. The audit events are stored in a table view. Audit events are only available in Microsoft™ SQL Server 2008, 2012, and 2014 Enterprise.

WinCollect: You can integrate Microsoft™ SQL Server 2000, 2005, 2008, 2012, and 2014 with Extreme Security by using WinCollect to collect ERRORLOG messages from the databases that are managed by your Microsoft™ SQL Server. For more information, see your WinCollect documentation.

To integrate the Microsoft™ SQL Server DSM with Extreme Security, use the following steps:

1 If automatic updates are not enabled, download and install the most recent version of the Microsoft™ SQL Server RPM on your Extreme Security Console.

2 For each instance of Microsoft™ SQL Server, configure your Microsoft™ SQL Server appliance to enable communication with Extreme Security.

3 If Extreme Security does not automatically discover the Microsoft™ SQL Server log source, create a log source for each instance of Microsoft™ SQL Server on your network.

Related Links

Adding a single DSM on page 13

Adding a log source on page 14

If a log source is not automatically discovered, you can manually add a log source to receive events from your network devices or appliances.

Microsoft SQL Server preparation for communication with Extreme Security

To prepare Microsoft™ SQL Server for communication with Extreme Security, you must create an audit object, audit specification, and database view.

Creating a Microsoft SQL Server auditing object

Create an auditing object to store audit events.

1 Log in to your Microsoft™ SQL Server Management Studio.

2 From the navigation menu, select Security > Audits.

3 Right-click Audits and select New Audit.

4 In the Audit name field, type a name for the new audit file.

5 From the Audit destination list, select File.

6 In the File path field, type the directory path for your Microsoft™ SQL Server audit file.

7 Click OK.

8 Right-click your audit object and select Enable Audit.

Creating a Microsoft SQL Server audit specification

Create an audit specification to define the level of auditing events that are written to an audit file.

You must create an audit object. See Creating a Microsoft SQL Server auditing object on page 134.

You can create an audit specification at the server level or at the database level. Depending on your requirements, you might require both a server and database audit specification.

1 From the Microsoft™ SQL Server Management Studio navigation menu, select one of the following options:

• Security > Server Audit Specifications

• <Database> > Security > Database Audit Specifications

2 Right-click Server Audit Specifications, and then select one of the following options:

• New Server Audit Specifications

• New Database Audit Specifications

3 In the Name field, type a name for the new audit file.

4 From the Audit list, select the audit object that you created.

5 In the Actions pane, add actions and objects to the server audit.

6 Click OK.


7 Right-click your server audit specification and select one of the following options:

• Enable Server Audit Specification

• Enable Database Audit Specification

Creating a Microsoft SQL Server database view

Create the dbo.AuditData database view to allow Extreme Security to poll for audit events from a database table by using the JDBC protocol. The database view contains the audit events from your server audit specification and database audit specification.

1 From the Microsoft™ SQL Server Management Studio toolbar, click New Query.

2 Type the following Transact-SQL statement:

create view dbo.AuditData as
SELECT * FROM sys.fn_get_audit_file
('<Audit File Path and Name>',default,default);
GO

For example:

create view dbo.AuditData as
SELECT * FROM sys.fn_get_audit_file
('C:\inetpub\logs\SQLAudits*',default,default);
GO

3 From the Standard toolbar, click Execute.
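The three Management Studio procedures above (audit object, audit specification, and the dbo.AuditData view) can be scripted with the equivalent Transact-SQL, as in this added example, which is not the guide's own code. It assumes Invoke-Sqlcmd (SqlServer or SQLPS module) on the database server, an audit named ExtremeSecurityAudit writing to the guide's example folder C:\inetpub\logs\SQLAudits\, a view in the master database (the Database Name the log source uses), and the action groups listed in the script.

```powershell
# Added example, not from the guide: creates the server audit, the server audit
# specification and the dbo.AuditData view with Transact-SQL through
# Invoke-Sqlcmd, instead of clicking through Management Studio.
# Assumptions: run on the SQL Server host as a sysadmin; names and the audit
# folder are placeholders taken from the guide's example; the folder must
# exist and be writable by the SQL Server service account.

$instance  = 'localhost'                    # SQL Server instance to configure
$auditName = 'ExtremeSecurityAudit'
$auditPath = 'C:\inetpub\logs\SQLAudits\'

# 1. Audit object: file destination, then enabled (the "Enable Audit" step).
#    ON_FAILURE = CONTINUE keeps the server up if the audit file cannot be
#    written; use SHUTDOWN where policy requires fail-closed auditing.
$createAudit = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_audits WHERE name = N'$auditName')
    CREATE SERVER AUDIT [$auditName]
    TO FILE (FILEPATH = N'$auditPath', MAXSIZE = 100 MB, MAX_ROLLOVER_FILES = 50)
    WITH (ON_FAILURE = CONTINUE);
ALTER SERVER AUDIT [$auditName] WITH (STATE = ON);
"@

# 2. Server audit specification: the action groups written to the audit file.
#    Logons and privilege/audit changes are the minimum a SIEM usually wants.
$createSpec = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_audit_specifications WHERE name = N'${auditName}Spec')
    CREATE SERVER AUDIT SPECIFICATION [${auditName}Spec]
    FOR SERVER AUDIT [$auditName]
        ADD (FAILED_LOGIN_GROUP),
        ADD (SUCCESSFUL_LOGIN_GROUP),
        ADD (SERVER_ROLE_MEMBER_CHANGE_GROUP),
        ADD (AUDIT_CHANGE_GROUP)
    WITH (STATE = ON);
"@

# 3. The view from the guide's example; the wildcard reads every rollover file.
#    CREATE VIEW must be the only statement in its batch, hence a separate call.
$createView = @"
CREATE VIEW dbo.AuditData AS
SELECT * FROM sys.fn_get_audit_file(N'$auditPath*', DEFAULT, DEFAULT);
"@

Invoke-Sqlcmd -ServerInstance $instance -Database master -Query $createAudit
Invoke-Sqlcmd -ServerInstance $instance -Database master -Query $createSpec
Invoke-Sqlcmd -ServerInstance $instance -Database master -Query $createView

# Verify: event_time is the Compare Field the JDBC log source polls on, so the
# newest rows should appear here once the audit is active.
Invoke-Sqlcmd -ServerInstance $instance -Database master -Query @"
SELECT TOP (5) event_time, action_id, succeeded, server_principal_name
FROM dbo.AuditData ORDER BY event_time DESC;
"@
```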

Configuring a Microsoft SQL Server log source

Use this procedure if your Extreme Security Console did not automatically discover the Microsoft™ Windows™ Security Event log source.

1 Click the Admin tab.

2 On the navigation menu, click Data Sources.

3 Click the Log Sources icon.

4 Click the Add button.

5 From the Log Source Type list, select Microsoft SQL Server.

6 From the Protocol Configuration list, select JDBC or WinCollect.


7 Optional. If you want to configure events for JDBC, configure the following Microsoft™ SQL Server log source parameters:

Log Source Identifier: Type the identifier for the log source in the following format: <SQL Database>@<SQL DB Server IP or Host Name>

Where:

<SQL Database> is the database name, as entered in the Database Name parameter.

<SQL DB Server IP or Host Name> is the host name or IP address for this log source, as entered in the IP or Hostname parameter.

Database Type: From the list, select MSDE.

Database Name: Type Master as the name of the Microsoft™ SQL database.

IP or Hostname: Type the IP address or host name of the Microsoft™ SQL server.

Port: Type the port number that is used by the database server. The default port for MSDE is 1433.

The JDBC configuration port must match the listener port of the Microsoft™ SQL database. The Microsoft™ SQL database must have incoming TCP connections that are enabled to communicate with Extreme Security.

Important

If you define a Database Instance when you are using MSDE as the Database Type, you must leave the Port parameter blank in your configuration.

Username: Type the user name to access the SQL database.

Password: Type the password to access the SQL database.

Confirm Password: Type the password to access the SQL database.

Authentication Domain: If you select MSDE as the Database Type and the database is configured for Windows™, you must define a Windows Authentication Domain. Otherwise, leave this field blank.

Database Instance: Optional. If you have multiple SQL server instances on your database server, type the database instance.

Important

If you have a non-standard port in your database configuration, or access is blocked to port 1434 for SQL database resolution, you must leave the Database Instance parameter blank.

Table Name: Type dbo.AuditData as the name of the table or view that includes the audit event records.

Select List: Type * for all fields from the table or view.

You can use a comma-separated list to define specific fields from tables or views. The list must contain the field that is defined in the Compare Field parameter. The comma-separated list can be a maximum of 255 characters.

You can include the special characters, dollar sign ($), number sign (#),

Compare Field: Type event_time in the Compare Field parameter. The Compare Field identifies new events that are added to the table between queries.

Start Date and Time: Optional. Type the start date and time for database polling. The Start Date and Time parameter must be formatted as yyyy-MM-dd HH:mm, with HH specified by using a 24-hour clock. If the start date or time is clear, polling begins immediately and repeats at the specified polling interval.

Use Prepared Statements: Select this check box to use prepared statements. Prepared statements allow the JDBC protocol source to set up the SQL statement, and then run the SQL statement many times with different parameters. For security and performance reasons, you might want to use prepared statements. Clearing this check box requires you to use an alternative method of querying that does not use pre-compiled statements.

Polling Interval: You can type a polling interval number. The polling interval is the amount of time between queries to the event table. The default polling interval is 10 seconds. You can define a longer polling interval by appending H for hours or M for minutes to the numeric value. The maximum polling interval is 1 week in any time format. Numeric values that are entered without an H or M poll in seconds.

EPS Throttle: Type the number of Events Per Second (EPS) that you do not want this protocol to exceed. The default value is 20000 EPS.

Use Named Pipe Communication: Clear the Use Named Pipe Communication check box. If you use a Named Pipe connection, the user name and password must be the appropriate Windows™ authentication user name and password, and not the database user name and password. Also, you must use the default Named Pipe.

Database Cluster Name: If you select the Use Named Pipe Communication check box, the Database Cluster Name parameter is displayed. If you are running your SQL server in a cluster environment, define the cluster name.

8 Optional. If you want to configure events for WinCollect, see the Extreme Networks Security WinCollect User Guide.

9 Click Save.

10 On the Admin tab, click Deploy Changes.


42 Microsoft Windows Security Event Log

Enabling MSRPC on Windows hosts

Enabling a Snare Agent on Windows hosts

Enabling WMI on Windows hosts

The Extreme Networks Security Analytics DSM for Microsoft™ Windows™ Security Event Log accepts syslog events from Microsoft™ Windows™ systems.

For event collection from Microsoft™ operating systems, Extreme Security supports the following protocols:

• MSRPC (Microsoft™ Security Event Log over MSRPC)

• Syslog (intended for Snare, BalaBit, and other third-party Windows™ solutions)

• Common Event Format (CEF) is also supported.

• WMI (Microsoft™ Security Event Log). This is a legacy protocol.

• WinCollect. See the Extreme Networks Security WinCollect User Guide.

Related Links

Enabling MSRPC on Windows hosts on page 138

To enable communication between your Windows host and Extreme Security over MSRPC, configure the Remote Procedure Calls (RPC) settings on the Windows host for the Microsoft Remote Procedure Calls (MSRPC) protocol.

Enabling a Snare Agent on Windows hosts on page 141

To enable communication between your Windows host and Extreme Networks Security Analytics, you can use a Snare Agent to forward Windows events.

Enabling WMI on Windows hosts on page 142

Enabling MSRPC on Windows hosts

To enable communication between your Windows host and Extreme Security over MSRPC, configure the Remote Procedure Calls (RPC) settings on the Windows host for the Microsoft Remote Procedure Calls (MSRPC) protocol.

You must be a member of the administrators group to enable communication over MSRPC between your Windows host and the Extreme Security appliance.

Based on performance tests on an Extreme Networks Security Analytics Event Processor 1628 appliance with 132 GB of RAM and 40 cores (Intel(R) Xeon(R) CPU E5-2680 v2 @ 2.80 GHz), a rate of 8500 events per second (eps) was achieved successfully, while simultaneously receiving and processing logs from other non-Windows systems. The log source limit is 500.

Manufacturer: Microsoft

Protocol type: Microsoft Security Event Log over MSRPC

Supported versions:

Windows Server 2003 (most recent)
Windows Server 2008 (most recent)
Windows 2012 (most recent)
Windows 7
Windows 8
Windows 8.1
Windows Vista

Intended application: Agentless event collection for Windows operating systems that can support 100 EPS per log source.

Maximum number of supported log sources: 500 MSRPC protocol log sources for each managed host (16xx or 18xx appliance)

Maximum overall EPS rate of MSRPC: 8500 EPS for each managed host

Special features: Supports encrypted events by default.

Required permissions: The log source user must be a member of the Event Log Readers group. If this group is not configured, then domain admin privileges are required in most cases to poll a Windows event log across a domain. In some cases, the Backup operators group can also be used depending on how Microsoft Group Policy Objects are configured.

Windows XP and 2003 operating system users require read access to the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion

Supported event types: Application, System, Security, DNS Server, File Replication, Directory Service logs

Windows service requirements: For Windows Vista and later: Remote Procedure Call (RPC) and RPC Endpoint Mapper. For Windows 2003: Remote Registry and Server.

Windows port requirements: Ensure that external firewalls between the Windows host and the Extreme Security appliance are configured to allow incoming and outgoing TCP connections on the following ports:

For Windows Vista and later: TCP port 135, and the TCP port that is dynamically allocated for RPC, above 49152

For Windows 2003: TCP port 445 and TCP port 139

Automatically discovered? No, manual log source creation is required.

Includes identity? Yes

Includes custom properties? A security content pack with Windows custom event properties is available on IBM Fix Central.

Required RPM files:

PROTOCOL-WindowsEventRPC-QRadar_release-Build_number.noarch.rpm
DSM-MicrosoftWindows-QRadar_release-Build_number.noarch.rpm
DSM-DSMCommon-QRadar_release-Build_number.noarch.rpm

More information: Microsoft support (support.microsoft.com/)

Troubleshooting tools available: Yes, an MSRPC test tool is available through IBM support.

1 Log in to Extreme Security.

2 Click the Admin tab.

3 Click the Log Sources icon.

4 From the Log Source Type list, select Microsoft Windows Security Event Log.

5 From the Protocol Configuration list, select Microsoft Security Event Log over MSRPC.

6 From the Log Source Identifier list, type the IP address or the host name of the Windows system that you intend to poll for events. Host names must be entered as fully qualified domain names (FQDN), such as myhost.example.com.

7 From the Domain field, type the domain of the Windows system.

8 Configure the log source user name and password parameters.

9 Optional: Configure the Polling Interval field.

Note

The Polling Interval (Sec) field does not tune log source performance like with WinCollect log sources. To poll low event rate systems with limited bandwidth, you can increase the polling interval to reduce network usage.

10 Configure the Event Throttle field.


11 Select at least one of the Standard Log Types check boxes.

Important

If you use the Microsoft Security Event Log or Microsoft Security Event Log over MSRPC protocol, select only the log types that are supported on the target Windows host.

12 Select at least one of the Event Types check boxes.

13 Click Save.

14 On the Admin tab, click Deploy Changes.

Enabling a Snare Agent on Windows hosts

To enable communication between your Windows host and Extreme Networks Security Analytics, you can use a Snare Agent to forward Windows events.

Syslog collection of Windows events can come from a number of different sources. The instructions provided in this guide outline configuration for the free version of Snare by Intersect Alliance. Several other third-party products can use the Syslog protocol.

Manufacturer: Microsoft

Protocol type: Syslog

Supported versions: See your vendor documentation.

Products that commonly use this DSM: Snare, Adaptive Log Exporter, BalaBit, Forwarded Splunk events, Snare Epilogue

Supported event types: Security, System, Application, DNS Server, File Replication, Directory Service

Intended application: Agent solution for parsing and collection of Windows events from partner and third-party products.

Automatically discovered? Yes

Includes identity? Yes

Includes custom properties? A security content pack with Windows custom event properties is available on IBM Fix Central.

Required RPM files:

DSM-MicrosoftWindows-QRadar_release-Build_number.noarch.rpm
DSM-DSMCommon-QRadar_release-Build_number.noarch.rpm

More information: Microsoft support (support.microsoft.com/)

Troubleshooting tools available: You can use the tcpdump utility on the QRadar appliance to confirm that events are being received.

1 Log in to your Windows host.

2 Download and install the Snare Agent from the Snare website (http://www.intersectalliance.com/SnareWindows/index.html).

3 On the navigation menu, select Network Configuration.

4 In the Destination Snare Server address field, type the IP address of the Extreme Security system.

5 Select the Enable SYSLOG Header check box.

6 Click Change Configuration.

7 On the navigation menu, select Objectives Configuration.

8 In the Identify the event types to be captured field, select check boxes to define the event types to forward to Extreme Security.

Tip

The DSM for Microsoft Windows Event Log supports Informational, Warning, Error, Success Audit, and Failure Audit event types.

9 In the Identify the event logs field, select the check boxes to define the event logs to forward to Extreme Security.

Tip

The Microsoft Windows Event Log DSM supports Security, System, Application, DNS Server, File Replication, and Directory Service log types.

10 Click Change Configuration.

11 On the navigation menu, select Apply the Latest Audit Configuration.

12 Record the value in the override host name detection with field. The value must match the IP address or host name that is assigned to the device that is configured in the Extreme Security log source.

After Extreme Security receives approximately 35 events, a log source is automatically created and events are displayed on the Log Activity tab.

Enabling WMI on Windows hosts

To enable communication between your Windows host and Extreme Networks Security Analytics, you can use Windows Management Instrumentation (WMI).

You must be a member of the administrators group on the remote computer to configure WMI/DCOM communication between the Windows host and the Extreme Security appliance.

The Microsoft Security Event Log protocol (WMI) is not recommended for event collection where more than 50 EPS is required or for servers over slow network connections, such as satellite or slow WAN networks. Network delays that are created by slow connections decrease the EPS throughput available to remote servers. Faster connections can use MSRPC as an alternative. If it is not possible to decrease your network round-trip delay time, we recommend that you use an agent, such as WinCollect.

Manufacturer: Microsoft

DSM name: Windows Security Event Log

Supported versions:

Windows Server 2003 (most recent)
Windows Server 2008 (most recent)
Windows 2012 (most recent)
Windows 7
Windows 8 (64-bit versions)
Windows Vista
Windows XP

Special features: Supports encrypted events by default.

Intended application: Agentless event collection for Windows operating systems over WMI that is capable of 50 EPS per log source.

Important

This is a legacy protocol. In most cases, new log sources should be configured by using the Microsoft Security Event Log over MSRPC protocol.

Special configuration instructions:

Configuring DCOM and WMI to Remotely Retrieve Windows 7 Events (http://www.ibm.com/support/docview.wss?uid=swg21678809)

Configuring DCOM and WMI to Remotely Retrieve Windows 8 and Windows 2012 Events (http://www.ibm.com/support/docview.wss?uid=swg21681046)

Windows port requirements: You must ensure that external firewalls between the Windows host and the Extreme Security appliance are configured to allow incoming and outgoing TCP connections on the following ports:

TCP port 135 (all operating system versions)
TCP port that is dynamically allocated above 49152 (required for Vista and above operating systems)
TCP port that is dynamically allocated above 1024 (required for Windows XP & 2003)
TCP port 445 (required for Windows XP & 2003)
TCP port 139 (required for Windows XP & 2003)

Windows service requirements: The following services must be configured to start automatically:

Remote Procedure Call (RPC)
Remote Procedure Call (RPC) Locator
RPC Endpoint Mapper
Remote Registry
Server
Windows Management Instrumentation

Log source permissions: The log source user must be a member of the Event Log Readers group. If this group is not configured, then domain admin privileges are required in most cases to poll a Windows event log across a domain. In some cases, the Backup operators group can also be used depending on how Microsoft Group Policy Objects are configured.

The log source user must have access to the following components:

Windows event log protocol DCOM components
Windows event log protocol name space
Appropriate access to the remote registry keys

Supported event types: Application, System, Security, DNS Server, File Replication, Directory Service logs

Automatically discovered? No, manual log source creation is required

Includes identity? Yes

Includes custom properties? A security content pack with Windows custom event properties is available on IBM Fix Central.

Required RPM files:

PROTOCOL-WinCollectWindowsEventLog-QRadar_release-Build_number.noarch.rpm
DSM-MicrosoftWindows-QRadar_release-Build_number.noarch.rpm
DSM-DSMCommon-QRadar_release-Build_number.noarch.rpm

More information: Microsoft support (support.microsoft.com/)

Troubleshooting tools available: Yes, a WMI test tool is available in /opt/qradar/jars.

1 Log in to Extreme Security.

2 Click the Admin tab.

3 Click the Log Sources icon.

4 From the Log Source Type list, select Microsoft Windows Security Event Log.

5 From the Protocol Configuration list, select Microsoft Security Event Log.

6 From the Log Source Identifier list, type the IP address or the host name of the Windows system that you intend to poll for events. Host names must be entered as fully qualified domain names (FQDN), such as myhost.example.com.

7 From the Domain field, type the domain of the Windows system.

8 Configure the log source user name and password parameters.


9 Select at least one of the Standard Log Types check boxes.

Important

If you use the Microsoft Security Event Log or Microsoft Security Event Log over MSRPC protocol, select only the log types that are supported on the target Windows host.

10 Select at least one of the Event Types check boxes.

11 Click Save.

12 On the Admin tab, click Deploy Changes.
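Before creating either an MSRPC or a WMI log source, the host-side prerequisites in the two specification tables above (services set to start automatically, TCP 135 and the dynamic RPC range, Event Log Readers membership, and the log types present) can be checked with this added script, which is not part of the guide. It assumes it is run locally as an administrator on Windows 8 / Server 2012 or later with PowerShell 5.1, and the collector account name is a placeholder.

```powershell
# Added example, not from the guide: checks a Windows host against the MSRPC
# and WMI prerequisites in the tables above before the log source is created.
# Assumptions: run locally as an administrator on Windows 8 / Server 2012 or
# later with PowerShell 5.1 (Get-LocalGroupMember, Get-NetTCPConnection and
# Get-NetTCPSetting do not exist on XP/2003); the account is a placeholder.

$collectorAccount = 'DOMAIN\svc-siem-collector'   # placeholder: the log source user

$checks = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $checks.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

# Services the guide lists: MSRPC on Vista+ needs RPC and the Endpoint Mapper;
# WMI additionally needs the RPC Locator, Remote Registry, Server and WMI itself.
$services = [ordered]@{
    RpcSs          = 'Remote Procedure Call (RPC)'
    RpcEptMapper   = 'RPC Endpoint Mapper'
    RpcLocator     = 'Remote Procedure Call (RPC) Locator'
    RemoteRegistry = 'Remote Registry'
    LanmanServer   = 'Server'
    Winmgmt        = 'Windows Management Instrumentation'
}
foreach ($svc in $services.Keys) {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if (-not $s) { Add-Check $services[$svc] $false 'service not installed'; continue }
    $startup = (Get-CimInstance Win32_Service -Filter "Name='$svc'").StartMode
    Add-Check $services[$svc] ($s.Status -eq 'Running' -and $startup -eq 'Auto') "status=$($s.Status) startmode=$startup"
}

# TCP 135 must be listening for the Endpoint Mapper; RPC then hands the collector
# a dynamic port above 49152, which the firewall between the two must also allow.
$epm = Get-NetTCPConnection -LocalPort 135 -State Listen -ErrorAction SilentlyContinue
Add-Check 'TCP 135 (RPC Endpoint Mapper) listening' ([bool]$epm) "$(@($epm).Count) listener(s)"

$dyn = (Get-NetTCPSetting -SettingName Internet).DynamicPortRangeStartPort
Add-Check 'RPC dynamic port range starts at 49152 or above' ($dyn -ge 49152) "start port=$dyn"

# Event Log Readers membership is what lets the collector poll without domain admin rights.
$members = Get-LocalGroupMember -Group 'Event Log Readers' -ErrorAction SilentlyContinue |
           Select-Object -ExpandProperty Name
Add-Check "'$collectorAccount' in Event Log Readers" ($members -contains $collectorAccount) ('members: ' + ($members -join ', '))

# Only log types that exist on the host should be selected in Standard Log Types.
foreach ($log in 'Application', 'System', 'Security', 'DNS Server', 'File Replication Service', 'Directory Service') {
    $present = [bool](Get-WinEvent -ListLog $log -ErrorAction SilentlyContinue)
    $advice  = if ($present) { 'select it in Standard Log Types' } else { 'not on this host; leave it unselected' }
    Add-Check "Event log '$log' present" $present $advice
}

$checks | Format-Table -AutoSize
if ($checks | Where-Object { -not $_.Pass }) { Write-Warning 'One or more prerequisites are not met.' }
```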

43 Netskope Active

Configuring Extreme Security to collect events from your Netskope Active system

The Extreme Networks Security Analytics DSM for Netskope Active collects events from your Netskope Active servers.

The following table identifies the specifications for the Netskope Active DSM:

Table 67: Netskope Active DSM specifications

Manufacturer: Netskope

DSM name: Netskope Active

RPM file name: DSM-NetskopeActive-Qradar_version-build_number.noarch.rpm

Protocol: Netskope Active REST API

Recorded event types: Alert, All

Automatically discovered? No

Includes identity? Yes

More information: Netskope Active website (www.netskope.com)

To integrate the Netskope Active DSM with Extreme Security, complete the following steps:

Note

If multiple DSM RPMs are required, the integration sequence must reflect the DSM RPM dependency.

1 If automatic updates are not enabled, download and install the most recent version of the following DSMs on your Extreme Security Console.

• Netskope Active DSM RPM

• Netskope Active REST API Protocol RPM

• PROTOCOL-Common RPM

2 Configure the required parameters, and use the following table for the Netskope Active log source specific parameters:

Table 68: Netskope Active log source parameters

Log Source type: Netskope Active

Protocol Configuration: Netskope Active REST API

Related Links

Adding a single DSM on page 13

Configuring Extreme Security to collect events from your Netskope Active system on page 147

To collect all audit logs and system events from Netskope Active servers, you must configure Extreme Security to collect audit logs and system events from your Netskope Active system.

Adding a log source on page 14

If a log source is not automatically discovered, you can manually add a log source to receive events from your network devices or appliances.

Configuring Extreme Security to collect events from your Netskope Active system

To collect all audit logs and system events from Netskope Active servers, you must configure Extreme Security to collect audit logs and system events from your Netskope Active system.

The following table describes the parameters that are required to collect Netskope Active events:

Table 69: Netskope Active DSM log source parameters

Parameter                                  Description
IP or Hostname                             partners.goskope.com
Authentication Token                       The authentication token is generated in the Netskope WebUI and is the only credential that is required for Netskope Active REST API usage. To access the token generation option in the Netskope WebUI, select Settings > REST API.
Automatically Acquire Server Certificates  If you choose Yes from the drop-down list, Extreme Security automatically downloads the certificate and begins trusting the target server. The correct server must be entered in the IP or Hostname field.
Throttle                                   The maximum number of events per second. The default is 5000.
Recurrence                                 You can specify when the log source attempts to obtain data. The format is M/H/D for Months/Hours/Days. The default is 1 M.
Collection Type                            All Events: select to collect all events. Alerts Only: select to collect only alerts.

1 Log in to Extreme Security.

2 Click the Admin tab.

3 In the navigation menu, click Data Sources.

4 Click the Log Sources icon.

5 Click Add.

6 From the Log Source Type list, select Netskope Active.

7 From the Protocol Configuration list, select Netskope Active REST API.

8 Configure the parameters.

9 Click Save.

10 On the Admin tab, click Deploy Changes.

44 OpenStack

Configuring OpenStack to communicate with Extreme Security

The Extreme Networks Security Analytics DSM for OpenStack collects event logs from your OpenStack device.

The following table identifies the specifications for the OpenStack DSM:

Table 70: OpenStack DSM specifications

Specification                Value
Manufacturer                 OpenStack
DSM name                     OpenStack
RPM file name                DSM-OpenStackCeilometer-Qradar_version-build_number.noarch.rpm
Supported versions           v 2014.1
Protocol                     HTTP Receiver
Recorded event types         Audit event
Automatically discovered?    No
Includes identity?           No
Includes custom properties?  No
More information             OpenStack website (http://www.openstack.org/)

To send events from OpenStack to Extreme Security, complete the following steps:

1 If automatic updates are not enabled, download and install the most recent version of the following RPMs on your Extreme Security Console:

• PROTOCOL-HTTPReceiver RPM

• OpenStack DSM RPM

2 Add an OpenStack log source on the Extreme Security Console. The following table describes the parameters that are required to collect OpenStack events:

Table 71: OpenStack log source parameters

Parameter               Value
Log Source type         OpenStack
Protocol Configuration  HTTPReceiver
Communication Type      HTTP
Listen Port             The port number that OpenStack uses to communicate with Extreme Security. Important: use a non-standard port. Make note of this port because it is required to configure your OpenStack device.
Message Pattern         ^\{"typeURI

3 Configure your OpenStack device to communicate with Extreme Security.

Related Links

Configuring OpenStack to communicate with Extreme Security on page 149

Adding a log source on page 14

If a log source is not automatically discovered, you can manually add a log source to receive events from your network devices or appliances.

Adding a single DSM on page 13

Configuring OpenStack to communicate with Extreme Security

To collect OpenStack events, you must configure your OpenStack device to allow connections from Extreme Security.

Important

OpenStack is an open source product with many different distributions that can be set up on many different operating systems. This procedure might vary in your environment.

1 Log in to your OpenStack device.

2 Edit the /etc/nova/api-paste.ini file.

3 At the end of the file, add the following text:

[filter:audit]
paste.filter_factory = pycadf.middleware.audit:AuditMiddleware.factory
audit_map_file = /etc/nova/api_audit_map.conf

4 Review the [composite:openstack_compute_api_v2] settings and verify that the values match the following sample:

[composite:openstack_compute_api_v2]
use = call:nova.api.auth:pipeline_factory
noauth = faultwrap sizelimit noauth ratelimit osapi_compute_app_v2
keystone = faultwrap sizelimit authtoken keystonecontext ratelimit audit osapi_compute_app_v2
keystone_nolimit = faultwrap sizelimit authtoken keystonecontext audit osapi_compute_app_v2

5 Copy the api_audit_map.conf file to the /etc/nova/ directory.


6 Restart the API service.

The command to restart the API service depends on what operating system your OpenStack node is hosted on. On Red Hat Enterprise Linux systems, the command is service openstack-nova-api restart.

7 Open the entry_points.txt file in the egg-info subdirectory of your OpenStack installation directory.

For PackStack installations, the file path resembles the following path: /usr/lib/python2.7/site-packages/ceilometer-2014.2-py2.7.egg-info/entry_points.txt

8 Add the http dispatcher to the [ceilometer.dispatcher] section.

[ceilometer.dispatcher]
file = ceilometer.dispatcher.file:FileDispatcher
database = ceilometer.dispatcher.database:DatabaseDispatcher
http = ceilometer.dispatcher.http:HttpDispatcher

9 Copy the supplied http.py script to the dispatcher subdirectory of the Ceilometer installation directory.

The exact location depends on your operating system and OpenStack distribution. On the Red Hat Enterprise Linux distribution of OpenStack, the directory is /usr/lib/python2.7/site-packages/ceilometer/dispatcher/.

10 Edit the /etc/ceilometer/ceilometer.conf file.

11 Under the [default] section, add dispatcher=http.

12 At the bottom of the file, add this section:

[dispatcher_http]
target = http://<QRadar-IP>:<QRadar-Port>
cadf_only = True

Use the port that you configured for OpenStack when you created the log source on your Extreme Security system.

13 Restart the ceilometer collector and notification services.

The command to restart the ceilometer collector and notification services depends on what operating system your OpenStack device is hosted on. On devices that use the Red Hat Enterprise Linux operating system, use the following commands:

service openstack-ceilometer-collector restart
service openstack-ceilometer-notification restart

45 Oracle Enterprise Manager

The Extreme Networks Security Analytics DSM for Oracle Enterprise Manager collects events from an Oracle Enterprise Manager device. The Real-time Monitoring Compliance feature of Oracle Enterprise Manager generates the events.

The following table lists the specifications for the Oracle Enterprise Manager DSM:

Table 72: Oracle Enterprise Manager DSM specifications

Specification                Value
Manufacturer                 Oracle
DSM name                     Oracle Enterprise Manager
RPM file name                DSM-OracleEnterpriseManager-Qradar_version-Buildbuild_number.noarch.rpm
Supported versions           Oracle Enterprise Manager Cloud Control 12c
Protocol                     JDBC
Recorded event types         Audit, Compliance
Automatically discovered?    No
Includes identity?           Yes
Includes custom properties?  No
More information             Oracle Enterprise Manager (http://www.oracle.com/us/products/enterprise-manager/index.html)

The original format of the events is rows in an Oracle Enterprise Manager database view (sysman.mgmt$ccc_all_observations). Extreme Security polls this view for new rows and uses them to generate events. For more information, see Compliance Views (http://docs.oracle.com/cd/E24628_01/doc.121/e57277/ch5_complianceviews.htm#BABBIJAA).

To collect events from Oracle Enterprise Manager, complete the following steps:

1 If automatic updates are not enabled, download and install the most recent version of the Oracle Enterprise Manager DSM RPM on your Extreme Security Console.

2 Ensure that the Oracle Enterprise Manager system is configured to accept connections from external devices.

3 Add an Oracle Enterprise Manager log source on the Extreme Security Console. The following table describes the parameters that require specific values for Oracle Enterprise Manager event collection:


Table 73: Oracle Enterprise Manager log source parameters

Parameter                Description
Log Source type          Oracle Enterprise Manager
Protocol Configuration   JDBC
Database Type            Oracle
Database Name            The Service Name of the Oracle Enterprise Manager database. To view the available service names, run the lsnrctl status command on the Oracle host.
IP or Hostname           The IP address or host name of the host for the Oracle Enterprise Manager database.
Port                     The port that is used by the Oracle Enterprise Manager database.
Username                 The user name of the account that has the right to access the sysman.mgmt$ccc_all_observations table.
Predefined Query         none
Table Name               sysman.mgmt$ccc_all_observations
Select List              *
Compare Field            ACTION_TIME
Use Prepared Statements  True

Related Links

Adding a single DSM on page 13

Adding a log source on page 14

If a log source is not automatically discovered, you can manually add a log source to receive events from your network devices or appliances.

46 Palo Alto Networks

Creating a syslog destination on your Palo Alto device

Creating a forwarding policy on your Palo Alto device

Use the Extreme SIEM DSM for Palo Alto PA Series to collect events from Palo Alto PA Series devices.

The following table identifies the specifications for the Palo Alto PA Series DSM:

Table 74: DSM specifications for Palo Alto PA Series

Specification                          Value
Manufacturer                           Palo Alto Networks
DSM name                               Palo Alto PA Series
RPM file name                          DSM-PaloAltoPaSeries-build_number.noarch.rpm
Supported versions                     PanOS v3.0 and later
Event format                           Syslog, LEEF
Extreme Security recorded event types  All events
Automatically discovered?              Yes
Includes identity?                     Yes
Includes custom properties?            No
More information                       Palo Alto Networks website (http://www.paloaltonetworks.com)

To send events from Palo Alto PA Series to Extreme Security, complete the following steps:

1 If automatic updates are not enabled, download the most recent version of the Palo Alto PA Series DSM RPM.

2 Configure your Palo Alto PA Series device to communicate with Extreme Security. You must create a syslog destination and forwarding policy on the Palo Alto PA Series device.

3 If Extreme Security does not automatically detect Palo Alto PA Series as a log source, create a Palo Alto PA Series log source on the Extreme Security Console. Use the following Palo Alto values to configure the log source parameters:

Parameter               Description
Log Source Identifier   The IP address or host name of the Palo Alto PA Series device.
Log Source Type         Palo Alto PA Series
Protocol Configuration  Syslog


Related Links

Adding a single DSM on page 13

Creating a syslog destination on your Palo Alto device on page 154

Before you can send Palo Alto events to Extreme Networks Security Analytics, create a syslog destination on the Palo Alto PA Series device.

Creating a forwarding policy on your Palo Alto device on page 156

If your Extreme Networks Security Analytics Console or Event Collector is in a different security zone than your Palo Alto PA Series device, create a forwarding policy rule.

Adding a log source on page 14

If a log source is not automatically discovered, you can manually add a log source to receive events from your network devices or appliances.

Creating a syslog destination on your Palo Alto device

Before you can send Palo Alto events to Extreme Networks Security Analytics, create a syslog destination on the Palo Alto PA Series device.

1 Log in to the Palo Alto Networks interface.

2 Click the Device tab.

3 Click Server Profiles > Syslog.

4 Click Add.

5 Create a syslog destination:

a In the Syslog Server Profile dialog box, click Add.

b Specify the name, server IP address, port, and facility of the Extreme Security system that you want to use as a syslog server.

c Click OK.

6 Configure LEEF events:

Attention

The line breaks in these examples will cause this configuration to fail. For each of the substeps, copy the code blocks into a text editor, remove the line breaks, and paste as a single line in the Custom Format column.

a Click the Custom Log Format tab.

b Copy the following text and paste it in the Custom Format column for the Config log type.

LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|4.0|$result|cat=$type|usrName=$admin|src=$host|devTime=$cef-formatted-receive_time|client=$client|sequence=$seqno|serial=$serial|msg=$cmd

c Copy the following text and paste it in the Custom Format column for the System log type.

LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|4.0|$eventid|cat=$type|subtype=$subtype|devTime=$cef-formatted-receive_time|sev=$severity|Severity=$number-of-severity|msg=$opaque|Filename=$object

d Copy the following text and paste it in the Custom Format column for the Threat log type.

LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|4.0|$threatid|cat=$type|subtype=$subtype|src=$src|dst=$dst|srcPort=$sport|dstPort=$dport|proto=$proto|usrName=$srcuser|SerialNumber=$serial|srcPostNAT=$natsrc|dstPostNAT=$natdst|RuleName=$rule|SourceUser=$srcuser|DestinationUser=$dstuser|Application=$app|VirtualSystem=$vsys|SourceZone=$from|DestinationZone=$to|IngressInterface=$inbound_if|EgressInterface=$outbound_if|LogForwardingProfile=$logset|SessionID=$sessionid|RepeatCount=$repeatcnt|srcPostNATPort=$natsport|dstPostNATPort=$natdport|Flags=$flags|URLCategory=$category|sev=$severity|Severity=$number-of-severity|Direction=$direction|ContentType=$contenttype|action=$action|Miscellaneous=$misc

e Copy the following text and paste it in the Custom Format column for the Traffic log type.

LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|4.0|$action|cat=$type|src=$src|dst=$dst|srcPort=$sport|dstPort=$dport|proto=$proto|usrName=$srcuser|SerialNumber=$serial|Type=$type|Subtype=$subtype|srcPostNAT=$natsrc|dstPostNAT=$natdst|RuleName=$rule|SourceUser=$srcuser|DestinationUser=$dstuser|Application=$app|VirtualSystem=$vsys|SourceZone=$from|DestinationZone=$to|IngressInterface=$inbound_if|EgressInterface=$outbound_if|LogForwardingProfile=$logset|SessionID=$sessionid|RepeatCount=$repeatcnt|srcPostNATPort=$natsport|dstPostNATPort=$natdport|Flags=$flags|totalBytes=$bytes|totalPackets=$packets|ElapsedTime=$elapsed|URLCategory=$category|dstBytes=$bytes_received|srcBytes=$bytes_sent|action=$action

7 Click OK.

8 Specify the severity of events that are contained in the syslog messages:

a Click Log Setting > System and click Edit.

b Select the check box for each event severity level that you want contained in the syslog message.

c Type the name of the syslog destination.

d Click OK.

9 Click the Device tab and click Commit.

To allow communication between your Palo Alto Networks device and Extreme Security, create a forwarding policy. See Creating a forwarding policy on your Palo Alto device on page 156.
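The custom formats in step 6 fail silently when a delimiter is lost or a line break is pasted in, which is what the Attention note warns about. As an added example (not Palo Alto Networks' or the guide's own code), the Python below lints a template for exactly that kind of defect, renders it with constructed field values in place of the firewall, and parses the result the way a LEEF consumer on the Extreme Security side would; the render function, the sample values and the deliberately broken template are assumptions made for the demonstration.

```python
import re
from typing import Dict, List, Set

# The Traffic custom-format template from step 6e above.
TRAFFIC_TEMPLATE = (
    "LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|4.0|$action|cat=$type"
    "|src=$src|dst=$dst|srcPort=$sport|dstPort=$dport|proto=$proto|usrName=$srcuser"
    "|SerialNumber=$serial|Type=$type|Subtype=$subtype|srcPostNAT=$natsrc"
    "|dstPostNAT=$natdst|RuleName=$rule|SourceUser=$srcuser|DestinationUser=$dstuser"
    "|Application=$app|VirtualSystem=$vsys|SourceZone=$from|DestinationZone=$to"
    "|IngressInterface=$inbound_if|EgressInterface=$outbound_if"
    "|LogForwardingProfile=$logset|SessionID=$sessionid|RepeatCount=$repeatcnt"
    "|srcPostNATPort=$natsport|dstPostNATPort=$natdport|Flags=$flags"
    "|totalBytes=$bytes|totalPackets=$packets|ElapsedTime=$elapsed"
    "|URLCategory=$category|dstBytes=$bytes_received|srcBytes=$bytes_sent|action=$action"
)

# Constructed copy of the template with the '|' between two attributes lost,
# the kind of defect a stray line break or a sloppy paste produces.
BROKEN_TEMPLATE = TRAFFIC_TEMPLATE.replace(
    "SourceZone=$from|DestinationZone=$to", "SourceZone=$fromDestinationZone=$to")

# Constructed field values for one Traffic session (not a real capture).
SAMPLE_VALUES = {
    "action": "allow", "type": "TRAFFIC", "subtype": "end", "src": "10.0.0.5",
    "dst": "203.0.113.10", "sport": "51234", "dport": "443", "proto": "tcp",
    "srcuser": "alice", "dstuser": "", "serial": "0001234567890",
    "natsrc": "198.51.100.7", "natdst": "203.0.113.10", "rule": "allow-web",
    "app": "ssl", "vsys": "vsys1", "from": "trust", "to": "untrust",
    "inbound_if": "ethernet1/1", "outbound_if": "ethernet1/2", "logset": "to-siem",
    "sessionid": "123456", "repeatcnt": "1", "natsport": "40001", "natdport": "443",
    "flags": "0x0", "bytes": "15320", "packets": "42", "elapsed": "12",
    "category": "any", "bytes_received": "12000", "bytes_sent": "3320",
}

LEEF_HEADER = ("vendor", "product", "version", "event_id")
ATTR_RE = re.compile(r"\w+=\$[\w-]+")  # one well-formed key=$variable attribute


def lint_template(template: str) -> List[str]:
    """Return every attribute that is not exactly key=$variable. A lost '|'
    (two attributes run together) or a line break inside an attribute shows
    up here before a single event is sent."""
    parts = template.split("|")
    problems = []
    if parts[0] != "LEEF:1.0" or len(parts) < 6:
        problems.append("header")
    problems += [p for p in parts[5:] if not ATTR_RE.fullmatch(p)]
    return problems


def render(template: str, values: Dict[str, str]) -> str:
    """Stand-in for the firewall: substitute $variables with field values.
    Unknown variables render empty, which is why a broken template is easy
    to miss by eye."""
    return re.sub(r"\$([\w-]+)", lambda m: values.get(m.group(1), ""), template)


def parse_leef(line: str) -> Dict[str, str]:
    """Parse one LEEF 1.0 line whose attributes are '|'-delimited key=value
    pairs, as the custom formats above produce. Raises on a line without a
    complete header, e.g. the tail of a template pasted with a line break."""
    parts = line.split("|")
    if parts[0] != "LEEF:1.0" or len(parts) < 5:
        raise ValueError("not a complete LEEF 1.0 event: %r" % line[:40])
    event = dict(zip(LEEF_HEADER, parts[1:5]))
    for attr in parts[5:]:
        key, sep, value = attr.partition("=")
        if not sep or not key:
            raise ValueError("malformed attribute: %r" % attr)
        event[key] = value
    return event


def is_complete_event(line: str) -> bool:
    try:
        parse_leef(line)
        return True
    except ValueError:
        return False


def template_keys(template: str) -> List[str]:
    """Attribute names a well-formed template promises to emit."""
    return [p.split("=", 1)[0] for p in template.split("|")[5:]]


def missing_keys(expected_template: str, received: str) -> Set[str]:
    """Receiver-side check: attributes the expected template promises that a
    received event does not carry."""
    return set(template_keys(expected_template)) - set(parse_leef(received))
```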

Related Links

Palo Alto Networks on page 153

Use the Extreme SIEM DSM for Palo Alto PA Series to collect events from Palo Alto PA Series devices.


Creating a forwarding policy on your Palo Alto device

If your Extreme Networks Security Analytics Console or Event Collector is in a different security zone than your Palo Alto PA Series device, create a forwarding policy rule.

1 Log in to Palo Alto Networks.

2 On the dashboard, click the Policies tab.

3 Click Policies > Policy Based Forwarding.

4 Click New.

5 Configure the parameters. For descriptions of the policy-based forwarding values, see your Palo Alto Networks Administrator’s Guide.

Related Links

Palo Alto Networks on page 153

Use the Extreme SIEM DSM for Palo Alto PA Series to collect events from Palo Alto PA Series devices.

47 RSA Authentication Manager

Configuring syslog for RSA

Configuring the log file protocol for RSA

An RSA Authentication Manager DSM allows you to integrate Extreme Security with an RSA Authentication Manager using syslog or the log file protocol.

Before you configure Extreme Security to integrate with RSA Authentication Manager, select your configuration preference:

Configuring syslog for RSA on page 157

Configuring the log file protocol for RSA on page 158

Note

You must apply the most recent hot fix on RSA Authentication Manager 7.1 primary, replica, node, database and radius installations before configuring syslog.

Configuring syslog for RSA

The procedure to configure your RSA Authentication Manager using syslog depends on the operating system version for your RSA Authentication Manager or SecurID 3.0 appliance:

If you are using RSA Authentication Manager on Linux, see Configuring Linux on page 157.

If you are using RSA Authentication Manager on Windows, see Configuring Windows on page 158.

Configuring Linux

You can configure RSA Authentication Manager for syslog on Linux-based operating systems:

1 Log in to the RSA Security Console command-line interface (CLI).

2 Open the following file for editing based on your operating system:

/usr/local/RSASecurity/RSAAuthenticationManager/utils/resources/ims.properties

3 Add the following entries to the ims.properties file:

ims.logging.audit.admin.syslog_host = <IP address>
ims.logging.audit.admin.use_os_logger = true
ims.logging.audit.runtime.syslog_host = <IP address>
ims.logging.audit.runtime.use_os_logger = true
ims.logging.system.syslog_host = <IP address>
ims.logging.system.use_os_logger = true

Where <IP address> is the IP address or hostname of Extreme Security.

4 Save the ims.properties file.


5 Open the following file for editing:

/etc/syslog.conf

6 Add the following line to forward all syslog messages to Extreme Security:

*.* @<IP address>

Where <IP address> is the IP address or hostname of Extreme Security.

7 Type the following command to restart the syslog services for Linux.

service syslog restart

8 You are now ready to configure the log sources and protocol in Extreme Security. To configure Extreme Security to receive events from your RSA Authentication Manager:

a From the Log Source Type list, select the RSA Authentication Manager option.

For more information, see the Extreme Networks Security Log Sources User Guide. For more information on configuring syslog forwarding, see your RSA Authentication Manager documentation.

Configuring Windows

To configure RSA Authentication Manager for syslog using Microsoft Windows:

1 Log in to the system hosting your RSA Security Console.

2 Open the following file for editing based on your operating system:

/Program Files/RSASecurity/RSAAuthenticationManager/utils/resources/ims.properties

3 Add the following entries to the ims.properties file:

ims.logging.audit.admin.syslog_host = <IP address>
ims.logging.audit.admin.use_os_logger = true
ims.logging.audit.runtime.syslog_host = <IP address>
ims.logging.audit.runtime.use_os_logger = true
ims.logging.system.syslog_host = <IP address>
ims.logging.system.use_os_logger = true

Where <IP address> is the IP address or hostname of Extreme Security.

4 Save the ims.properties file.

5 Restart RSA services.

6 You are now ready to configure the log source in Extreme Security.

To configure QRadar to receive events from your RSA Authentication Manager:

a From the Log Source Type list, select the RSA Authentication Manager option.

For more information, see the Extreme Networks Security Log Sources User Guide. For more information on configuring syslog forwarding, see your RSA Authentication Manager documentation.

Configuring the log file protocol for RSA

The log file protocol allows Extreme Security to retrieve archived log files from a remote host. The RSA Authentication Manager DSM supports the bulk loading of log files using the log file protocol source.


The procedure to configure your RSA Authentication Manager using the log file protocol depends on the version of RSA Authentication Manager:

If you are using RSA Authentication Manager v7.x, see Configuring RSA Authentication Manager 7.x on page 159.

If you are using RSA Authentication Manager v6.x, see Configuring RSA Authentication Manager 6.x on page 159.

Configuring RSA Authentication Manager 7.x

You can configure your RSA Authentication Manager v7.x device:

1 Log in to the RSA Security Console.

2 Click Administration > Log Management > Recurring Log Archive Jobs.

3 In the Schedule section, configure values for the Job Starts, Frequency, Run Time, and Job Expires parameters.

4 For the Operations field, select Export Only or Export and Purge for the following settings: Administration Log Settings, Runtime Log Settings, and System Log Settings.

Note

The Export and Purge operation exports log records from the database to the archive and then purges the logs from the database. The Export Only operation exports log records from the database to the archive and the records remain in the database.

5 For Administration, Runtime, and System, configure an Export Directory to which you want to export your archive files.

Ensure that you can access the Administration Log, Runtime Log, and System Log by using FTP before you continue.

6 For Administration, Runtime, and System parameters, set the Days Kept Online parameter to 1. Logs older than 1 day are exported. If you selected Export and Purge, the logs are also purged from the database.

7 Click Save.

8 You are now ready to configure the log sources and protocol within Extreme Security:

a To configure Extreme Security to receive events from an RSA device, you must select the RSA Authentication Manager option from the Log Source Type list.

b To configure the log file protocol, you must select the Log File option from the Protocol Configuration list.

For more information about configuring log sources and protocols, see the Extreme Networks Security Log Sources User Guide.

Configuring RSA Authentication Manager 6.x

You can configure your RSA Authentication Manager v6.x device:

1 Log in to the RSA Security Console.

2 Log in to the RSA Database Administration tool:

a Click the Advanced tool.

The system prompts you to log in again.


3 Click Database Administration.

For complete information on using SecurID, see your vendor documentation.

4 From the Log list, select Automate Log Maintenance.

The Automatic Log Maintenance window is displayed.

5 Select the Enable Automatic Audit Log Maintenance check box.

6 Select Delete and Archive.

7 Select Replace files.

8 Type an archive filename.

9 In the Cycle Through Version(s) field, type a value.

For example, 1.

10 Select Select all Logs.

11 Select a frequency.

12 Click OK.

13 You are now ready to configure the log sources and protocol in QRadar:

a To configure Extreme Security to receive events from an RSA device, you must select the RSA Authentication Manager option from the Log Source Type list.

b To configure the log file protocol, you must select the Log File option from the Protocol Configuration list.

For more information on configuring log sources and protocols, see the Extreme Networks Security Log Sources User Guide.

48 Riverbed SteelCentral NetProfiler (Cascade Profiler) Alert

Configuring your Riverbed SteelCentral NetProfiler system to enable communication with Extreme Security

The Extreme Networks Security Analytics DSM for Riverbed SteelCentral NetProfiler collects alert logs from your Riverbed SteelCentral NetProfiler system. This product is also known as Cascade Profiler.

The following table identifies the specifications for the Riverbed SteelCentral NetProfiler DSM:

Table 75: Riverbed SteelCentral NetProfiler specifications

Specification                Value
Manufacturer                 Riverbed
DSM name                     SteelCentral NetProfiler
RPM file name                DSM-RiverbedSteelCentralNetProfiler-Qradar_version-build_number.noarch.rpm
Event format                 JDBC
Recorded event types         Alert Events
Automatically discovered?    No
Includes identity?           No
Includes custom properties?  No
More information             Riverbed website (http://www.riverbed.com/)

To integrate Riverbed SteelCentral NetProfiler with Extreme Security, complete the following steps:

1 If automatic updates are not enabled, download and install the most recent versions of the following RPMs on your Extreme Security Console.

• Protocol-JDBC RPM

• Riverbed SteelCentral NetProfiler RPM

2 Configure your Riverbed SteelCentral NetProfiler system to enable communication with Extreme Security.

3 Create a log source on the Extreme Security Console. Use the following table to define the Riverbed-specific parameters:


Table 76: Riverbed SteelCentral NetProfiler log source parameters

Parameter               Description
Log Source Type         Riverbed SteelCentral NetProfiler
Protocol Configuration  JDBC
Database Name           You must type the actual name of the Riverbed database. For most configurations, the database name is mazu. Tip: confirm the actual name of the Riverbed database.
Table Name              events.export_csv_view
Username                The user name for the account that is configured to access the PostgreSQL database on the Riverbed SteelCentral NetProfiler system.
Comparable Field        start_time
Polling Interval        5M

Related Links

Adding a single DSM on page 13

Adding a log source on page 14

If a log source is not automatically discovered, you can manually add a log source to receive events from your network devices or appliances.

Configuring your Riverbed SteelCentral NetProfiler system to enable communication with Extreme Security

To collect Riverbed SteelCentral NetProfiler alert events, you must configure your Riverbed SteelCentral NetProfiler system to allow Extreme Security to retrieve events from the PostgreSQL database.

1 Log in to your Riverbed SteelCentral NetProfiler host user interface.

2 Select Configuration > Appliance Security > Security Compliance.

3 Check the Enable ODBC Access check box.

4 Select Configuration > Account Management > User Accounts.

5 Add an account that Extreme Security can use to access the PostgreSQL database.

49 Salesforce Security Auditing

Downloading the Salesforce audit trail file

Configuring a Salesforce Security Auditing log source in Extreme Security

The Extreme Networks Security Analytics DSM for Salesforce Security Auditing can collect Salesforce Security Auditing audit trail logs that you copy from the cloud to a location that Extreme Security can access.

The following table identifies the specifications for the Salesforce Security Auditing DSM:

Table 77: Salesforce Security Auditing DSM specifications

Specification                     Value
Manufacturer                      Salesforce
DSM                               Salesforce Security Auditing
RPM file name                     DSM-SalesforceSecurityAuditing-QRadar_Version-Build_Number.noarch.rpm
Protocol                          Log File
Extreme Security recorded events  Setup Audit Records
Automatically discovered          No
Includes identity                 No
More information                  Salesforce web site (http://www.salesforce.com/)

Salesforce Security Auditing DSM integration process

To integrate Salesforce Security Auditing DSM with Extreme Security, use the following procedures:

1 If automatic updates are not enabled, download and install the most recent versions of the following RPMs on your Extreme Security Console:

• Log File Protocol RPM

• Salesforce Security Auditing RPM

2 Download the Salesforce audit trail file to a remote host that Extreme Security can access.

3 For each instance of Salesforce Security Auditing, create a log source on the Extreme Security Console.

Downloading the Salesforce audit trail file

To collect Salesforce Security Auditing events, you must download the Salesforce audit trail file to a remote host that Extreme Security can access.

You must use this procedure each time that you want to import an updated set of audit data into Extreme Security. When you download the audit trail file, you can overwrite the previous audit trail CSV file. When Extreme Security retrieves data from the audit trail file, Extreme Security processes only audit records that were not imported before.

1 Log in to your Salesforce Security Auditing server.

2 Go to the Setup section.

3 Click Security Controls.

4 Click View Setup Audit Trail.

5 Click Download setup audit trail for last six months (Excel.csv file).

6 Copy the downloaded file to a location that Extreme Security can reach by using Log File Protocol.

Configuring a Salesforce Security Auditing log source in Extreme Security

To collect Salesforce Security Auditing events, configure a log source in Extreme Security.

1 Log in to Extreme Security.

2 Click the Admin tab.

3 In the navigation menu, click Data Sources.

4 Click the Log Sources icon.

5 Click Add.

6 From the Log Source Type list, select Salesforce Security Auditing.

7 From the Protocol Configuration list, select Log File.

8 Configure the following Salesforce Security Auditing parameters:

Parameter         Description
Event Generator   RegEx Based Multiline
Start Pattern     (\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} \w+)
End Pattern       Ensure that this parameter remains empty.
Date Time RegEx   (\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} \w+)
Date Time Format  dd/MM/yyyy hh:mm:ss z

Attention

These values are based on the Winter 2015 version of Salesforce Security Auditing. For previous versions, use the following regex statements:

• For the Start Pattern parameter, use the following statement: (\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [APM]{2} \w+)

• For the Date Time RegEx parameter, use the following statement: (\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} \w{2} \w+)

• For the Date Time Format parameter, use MM/dd/yyyy hh:mm:ss aa z

9 Configure the remaining parameters.

10 Click Save.

11 On the Admin tab, click Deploy Changes.
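To see how the Start Pattern, Date Time RegEx and Date Time Format parameters in step 8 act together on the downloaded CSV, here is an added Python example (not the guide's or Salesforce's code) that reproduces the RegEx Based Multiline behaviour over a constructed audit trail excerpt, for both the Winter 2015 values and the earlier-release values; the excerpt, the line-start anchoring of the Start Pattern and the SimpleDateFormat-to-strptime translation are this example's assumptions.

```python
import re
from datetime import datetime
from typing import Dict, List, NamedTuple

# Log source parameter sets from the procedure above: the Winter 2015 values
# and the values for earlier Salesforce releases.
WINTER_2015 = {
    "start_pattern": r"(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} \w+)",
    "datetime_regex": r"(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} \w+)",
    "datetime_format": "dd/MM/yyyy hh:mm:ss z",
}
PRE_WINTER_2015 = {
    "start_pattern": r"(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [APM]{2} \w+)",
    "datetime_regex": r"(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} \w{2} \w+)",
    "datetime_format": "MM/dd/yyyy hh:mm:ss aa z",
}

# Constructed audit trail excerpt (not real Salesforce output). The second
# record's Action field wraps onto a continuation line, which is why the
# Event Generator must be RegEx Based Multiline rather than one line per event.
SAMPLE_AUDIT_TRAIL = (
    "Date,User,Source Namespace,Action,Section,Delegate User\n"
    "21/01/2015 09:05:33 PST,admin@example.com,,Created user bob@example.com,Manage Users,\n"
    "22/01/2015 11:47:02 PST,alice@example.com,,Changed password policy: minimum length\n"
    " from 8 to 12,Security Controls,\n"
)

# Java SimpleDateFormat tokens used on this page -> strptime directives.
# 'z' (zone abbreviation) has no portable strptime equivalent, so it is
# split off and kept as text rather than parsed.
_JAVA_TOKENS = {"dd": "%d", "MM": "%m", "yyyy": "%Y", "hh": "%I",
                "mm": "%M", "ss": "%S", "aa": "%p"}


class AuditEvent(NamedTuple):
    timestamp: datetime  # naive; the zone abbreviation is kept separately
    zone: str
    raw: str


def java_format_to_strptime(fmt: str) -> str:
    """Translate a Date Time Format value to a strptime format, dropping 'z'."""
    def swap(m):
        tok = m.group(0)
        if tok == "z":
            return ""
        if tok not in _JAVA_TOKENS:
            raise ValueError("unsupported SimpleDateFormat token: %s" % tok)
        return _JAVA_TOKENS[tok]
    return re.sub(r"[A-Za-z]+", swap, fmt).strip()


def split_events(text: str, profile: Dict[str, str]) -> List[str]:
    """RegEx Based Multiline with an empty End Pattern: an event begins where
    the Start Pattern matches at the start of a line and ends just before the
    next such match. Text before the first match (the CSV header) is dropped.
    Anchoring the pattern to line start is this example's choice for CSV."""
    starts = [m.start() for m in re.finditer("(?m)^" + profile["start_pattern"], text)]
    bounds = zip(starts, starts[1:] + [len(text)])
    return [text[a:b].rstrip("\n") for a, b in bounds]


def parse_timestamp(event: str, profile: Dict[str, str]) -> AuditEvent:
    """Apply the Date Time RegEx and Date Time Format to one event."""
    m = re.search(profile["datetime_regex"], event)
    if m is None:
        raise ValueError("no timestamp in event: %r" % event[:40])
    stamp, zone = m.group(1).rsplit(" ", 1)  # both page formats end in ' z'
    fmt = java_format_to_strptime(profile["datetime_format"])
    return AuditEvent(datetime.strptime(stamp, fmt), zone, event)


def collect(text: str, profile: Dict[str, str]) -> List[AuditEvent]:
    """Split the file into events and stamp each one, as the log source would."""
    return [parse_timestamp(e, profile) for e in split_events(text, profile)]
```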

50 Salesforce Security Monitoring

Configuring the Salesforce Security Monitoring server to communicate with Extreme Security

Configuring a Salesforce Security Monitoring log source in Extreme Security

The Extreme Networks Security Analytics DSM for Salesforce Security Monitoring can collect event logs from your Salesforce console by using a RESTful API in the cloud.

The following table identifies the specifications for the Salesforce Security Monitoring DSM:

Table 78: Salesforce Security Monitoring DSM specifications

Specification                     Value
Manufacturer                      Salesforce
DSM                               Salesforce Security Monitoring
RPM file name                     DSM-SalesforceSecurityMonitoring-QRadar_Version-Build_Number.noarch.rpm
Protocol                          Salesforce REST API Protocol
Extreme Security recorded events  Login History, Account History, Case History, Entitlement History, Service Contract History, Contract Line Item History, Contract History, Contact History, Lead History, Opportunity History, Solution History
Automatically discovered          No
Includes identity                 Yes
More information                  Salesforce website (http://www.salesforce.com/)

Salesforce Security Monitoring DSM integration process

To integrate Salesforce Security Monitoring DSM with Extreme Security, use the following procedures:

1 If automatic updates are not enabled, download and install the most recent versions of the following RPMs on your Extreme Security Console.

• DSMCommon RPM

• SalesforceRESTAPI Protocol RPM

• Salesforce Security Monitoring RPM

2 Configure the Salesforce Security Monitoring server to communicate with Extreme Security.

3 Obtain and install a certificate to enable communication between Salesforce Security Monitoring and Extreme Security. The certificate must be in the /opt/qradar/conf/trusted_certificates/ folder and be in .DER format.

4 For each instance of Salesforce Security Monitoring, create a log source on the Extreme Security Console.


Configuring the Salesforce Security Monitoring server to communicate with Extreme Security

To allow Extreme Security communication, you need to configure a Connected App on the Salesforce console and collect the information that the Connected App generates. This information is required when you configure the Extreme Security log source.

If the RESTful API is not enabled on your Salesforce server, contact Salesforce support.

1 Log in to your Salesforce Security Monitoring server.

2 From the Setup menu, click Create > Apps > New.

3 Type the name of your application.

4 Type the contact email information.

5 Select Enable OAuth Settings.

6 From the Selected OAuth Scopes list, select Full Access.

7 In the Info URL field, type a URL where the user can go for more information about your application.

8 Configure the remaining optional parameters.

9 Click Save.

The Connected App generates the information that is required when you configure a log source on Extreme Security. Record the following information:

Consumer Key Use the Consumer Key value to configure the Client ID parameter for the Extreme Security log source.

Consumer Secret You can click the link to reveal the consumer secret. Use the Consumer Secret value to configure the Secret ID parameter for the Extreme Security log source.

Important

The Consumer Secret value is confidential. Do not store the consumer secret as plain text.

Security token A security token is sent by email to the email address that you configured as the contact email.

Configuring a Salesforce Security Monitoring log source in Extreme Security

To collect Salesforce Security Monitoring events, configure a log source in Extreme Security.

When you configured a Connected App on the Salesforce Security Monitoring server, the following information was generated:

• Consumer Key

• Consumer Secret

• Security token

This information is required to configure a Salesforce Security Monitoring log source in Extreme Security.

Ensure that the trusted certificate from the Salesforce Security Monitoring instance is copied to the /opt/qradar/conf/trusted_certificates/ folder in .DER format on the Extreme Security system.
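The following script is an added example, not part of this guide and not Extreme Networks code. It checks that a certificate file you are about to place in /opt/qradar/conf/trusted_certificates/ really is DER-encoded, and converts a PEM file to DER if that is what the Salesforce instance handed you; a PEM file in that directory is a common reason the REST API log source cannot connect. A DER X.509 certificate is one ASN.1 SEQUENCE, so the file must start with tag 0x30 and its encoded length must account for exactly the rest of the file. The FAKE_DER blob and the .der output naming are this example's own; the blob is a minimal SEQUENCE, not a real certificate, so the logic can be exercised offline.

```python
"""Check or convert a certificate to DER before dropping it into
/opt/qradar/conf/trusted_certificates/ (added example, not from the guide)."""
import base64
import re
import sys

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def der_sequence_length(data):
    """Return (header_len, content_len) of the outer DER SEQUENCE, or None when
    data does not begin with a well-formed SEQUENCE tag and minimal length."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                       # short form: one length byte
        return 2, first
    n = first & 0x7F                       # long form: n following length bytes
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    length = int.from_bytes(data[2:2 + n], "big")
    # DER requires the shortest possible length encoding.
    if (n == 1 and length < 0x80) or (n > 1 and data[2] == 0):
        return None
    return 2 + n, length


def looks_like_der_certificate(data):
    parsed = der_sequence_length(data)
    if parsed is None:
        return False
    header_len, content_len = parsed
    return header_len + content_len == len(data)


def pem_to_der(text):
    """Extract the first CERTIFICATE block from PEM text and base64-decode it."""
    m = re.search(re.escape(PEM_HEADER) + r"(.*?)" + re.escape(PEM_FOOTER), text, re.S)
    if not m:
        raise ValueError("no PEM CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def normalise_to_der(data):
    """Accept DER or PEM bytes and return DER bytes; raise if it is neither."""
    if looks_like_der_certificate(data):
        return data
    try:
        der = pem_to_der(data.decode("ascii"))
    except (UnicodeDecodeError, ValueError):
        raise ValueError("file is neither a DER certificate nor PEM text")
    if not looks_like_der_certificate(der):
        raise ValueError("PEM body did not decode to a single DER SEQUENCE")
    return der


# Constructed stand-in for a certificate: SEQUENCE { INTEGER 5 }, and its PEM wrapping.
FAKE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
FAKE_PEM = (PEM_HEADER + "\n" + base64.b64encode(FAKE_DER).decode() + "\n" + PEM_FOOTER + "\n").encode()

if __name__ == "__main__":
    path = sys.argv[1]
    with open(path, "rb") as fh:
        raw = fh.read()
    der = normalise_to_der(raw)
    if der == raw:
        print("%s is already DER" % path)
    else:
        out = path + ".der"
        with open(out, "wb") as fh:
            fh.write(der)
        print("converted %s to %s" % (path, out))
```

Invoke the script with the certificate path as its only argument; a PEM input is written next to it with a .der suffix and the original is left untouched. The check only proves the outer encoding is sound, it does not validate the certificate chain, so still confirm that the file is the one presented by the Salesforce endpoint you configured in Login URL.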


1 Log in to Extreme Security.

2 Click the Admin tab.

3 In the navigation menu, click Data Sources.

4 Click the Log Sources icon.

5 Click Add.

6 From the Log Source Type list, select Salesforce Security Monitoring.

7 From the Protocol Configuration list, select Salesforce Rest API.

8 Configure the following values:

Parameter Description

Login URL The URL of the Salesforce security console.

Username The user name of the Salesforce security console.

Security Token The security token that was sent to the email address configured as the contact email for the Connected App on the Salesforce security console.

Client ID The Consumer Key that was generated when you configured the Connected App on the Salesforce security console.

Secret ID The Consumer Secret that was generated when you configured the Connected App on the Salesforce security console.

Use Proxy When a proxy is configured, all traffic for the log source travels through the proxy on its way from Extreme Security to the Salesforce REST API. Configure the Proxy Server, Proxy Port, Proxy Username, and Proxy Password fields. If the proxy does not require authentication, you can leave the Proxy Username and Proxy Password fields blank.

9 Click Save.

10 On the Admin tab, click Deploy Changes.


51 Configuring Sun Solaris Sendmail to communicate with Extreme Security

Configuring a Sun Solaris Sendmail log source

The Extreme Networks Security Analytics DSM for Sun Solaris Sendmail accepts Sun Solaris Sendmail events by using syslog and records all relevant sendmail events.

To collect events from Sun Solaris Sendmail, you must configure syslog to forward events to Extreme Security.

1 Log in to the Sun Solaris command-line interface.

2 Open the /etc/syslog.conf file.

3 To forward sendmail logs to Extreme Security, add the following line to the file:

mail.*<Tab>@<IP address>

Where <IP address> is the IP address of your Extreme Security system and <Tab> is a tab character. Solaris syslogd requires a tab, not spaces, between the selector (mail.*) and the action (@<IP address>). Do not put a semicolon after the selector: a semicolon separates multiple selectors on one line, and a trailing one leaves an empty selector that syslogd rejects.

Note

Depending on the version of Solaris you are running, you might need to add additional log types to the file. Contact your system administrator for more information.

4 Save and exit the file.

5 Type the following command so that syslogd rereads its configuration: kill -HUP `cat /etc/syslog.pid`

On Solaris 10 and later, where syslogd runs under SMF, you can instead run svcadm refresh system-log.

You are now ready to configure the log source in Extreme Security.
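The following script is an added example, not part of this guide and not Extreme Networks or Oracle code. It lints the forwarding rule before you send syslogd a HUP, catching the two mistakes that silently stop forwarding on Solaris: spaces instead of a tab between selector and action, and a stray semicolon after the selector. The facility and level lists are the ones accepted by Solaris syslogd; the sample rules and the collector address 192.0.2.10 are constructed for the example.

```python
"""Lint Solaris /etc/syslog.conf forwarding rules (added example, not from the guide)."""
import re

# Facilities and levels accepted by Solaris syslogd.
FACILITIES = {"user", "kern", "mail", "daemon", "auth", "lpr", "news", "uucp",
              "cron", "mark", "*"} | {"local%d" % i for i in range(8)}
LEVELS = {"emerg", "alert", "crit", "err", "warning", "notice", "info", "debug",
          "none", "*"}
# Action: @host, a file path, '*' (all logged-in users) or a comma-separated user list.
ACTION = re.compile(r"^(@\S+|/\S+|\*|[A-Za-z0-9_]+(,[A-Za-z0-9_]+)*)$")


def check_rule(line):
    """Return the problems found in one syslog.conf rule; an empty list means the
    rule is well formed for Solaris syslogd."""
    problems = []
    if "\t" in line:
        selector, _, action = line.partition("\t")
    else:
        problems.append("selector and action must be separated by a tab, not spaces")
        selector, _, action = line.partition(" ")
    selector, action = selector.strip(), action.strip()
    if not selector:
        problems.append("missing selector")
    if not ACTION.match(action):
        problems.append("action must be @host, a file path, '*' or a user list")
    for sel in selector.split(";") if selector else []:
        if not sel:
            problems.append("empty selector: remove the stray ';'")
            continue
        facilities, dot, level = sel.rpartition(".")
        if not dot:
            problems.append("selector %r has no .level" % sel)
            continue
        for fac in facilities.split(","):
            if fac not in FACILITIES:
                problems.append("unknown facility %r" % fac)
        if level not in LEVELS:
            problems.append("unknown level %r" % level)
    return problems


def forwarding_rule(collector_ip, selector="mail.*"):
    """Build the rule the guide describes, with the tab that syslogd expects."""
    return "%s\t@%s" % (selector, collector_ip)


def lint_config(text):
    """Check every rule in a syslog.conf body; comments and blank lines are skipped.
    Returns {line_number: [problems]} for the rules that have problems."""
    report = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        problems = check_rule(line)
        if problems:
            report[lineno] = problems
    return report


# Constructed rules: the one the guide intends and two common misspellings of it.
GOOD = forwarding_rule("192.0.2.10")
SPACES = "mail.* @192.0.2.10"
STRAY_SEMICOLON = "mail.*; @192.0.2.10"

SAMPLE_CONF = "\n".join([
    "# constructed /etc/syslog.conf excerpt",
    "*.err;kern.notice;auth.notice\t/dev/sysmsg",
    "mail.debug\t/var/log/syslog",
    STRAY_SEMICOLON,
    GOOD,
])

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/syslog.conf"
    with open(path) as fh:
        for lineno, problems in sorted(lint_config(fh.read()).items()):
            print("%s:%d: %s" % (path, lineno, "; ".join(problems)))
```

Run it on the Solaris host against /etc/syslog.conf after editing; a clean run prints nothing. Because mail.* forwards every sendmail message, including debug chatter, consider a narrower level such as mail.info if the collector's EPS budget is tight.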

Configuring a Sun Solaris Sendmail log source

Extreme Networks Security Analytics automatically discovers and creates a log source for syslog events from Sun Solaris Sendmail appliances.

The following configuration steps are optional.

Sendmail logs from Proofpoint 7.5 and 8.5 are supported.

1 Log in to Extreme Security.

2 Click the Admin tab.

3 On the navigation menu, click Data Sources.

4 Click the Log Sources icon.


5 Click Add.

6 In the Log Source Name field, type a name for your log source.

7 In the Log Source Description field, type a description for the log source.

8 From the Log Source Type list, select Solaris Operating System Sendmail Logs.

9 If you want to configure the Syslog protocol, select it from the Protocol Configuration list and configure the following values:

Table 79: Syslog parameters

Parameter Description

Log Source Identifier Type the IP address or host name for the log source as an identifier for events from Sun Solaris Sendmail installations. For each additional log source that you create when you have multiple installations, include a unique identifier, such as an IP address or host name.

10 If you want to configure a Log File protocol, select it from the Protocol Configuration list and configure the following values:

Table 80: Log file parameters

Parameter Description

Log Source Identifier Type the IP address or host name for the log source. The log source identifier must be unique for the log source type.

Service Type From the list, select the protocol that you want to use when retrieving log files from a remote server. The default is SFTP.

• SFTP - SSH File Transfer Protocol

• FTP - File Transfer Protocol

• SCP - Secure Copy

The underlying protocol that is used to retrieve log files for the SCP and SFTP service types requires that the server specified in the Remote IP or Hostname field has the SFTP subsystem enabled. FTP carries the Remote User credentials and the retrieved log files in clear text; prefer SFTP or SCP, ideally with an SSH Key File, unless the transfer never leaves a trusted network.

Remote IP or Hostname Type the IP address or host name of the Sun Solaris Sendmail system.

Remote Port Type the TCP port on the remote host that is running the selected Service Type. If you configure the Service Type as FTP, the default is 21. If you configure the Service Type as SFTP or SCP, the default is 22. The valid range is 1 - 65535.

Remote User Type the user name necessary to log in to your Sun Solaris system. The user name can be up to 255 characters in length.

Remote Password Type the password necessary to log in to your Sun Solaris system.

Confirm Password Confirm the Remote Password to log in to your Sun Solaris system.

SSH Key File If you select SCP or SFTP from the Service Type field, you can define a directory path to an SSH private key file. The SSH Private Key File allows you to ignore the Remote Password field.

Remote Directory Type the directory location on the remote host from which the files are retrieved.

Recursive Select this check box if you want the file pattern to also search sub folders. The Recursive parameter is not used if you configure SCP as the Service Type. By default, the check box is clear.

FTP File Pattern If you select SFTP or FTP as the Service Type, this option allows you to configure the regular expression (regex) that is required to filter the list of files that are specified in the Remote Directory. All matching files are included in the processing. For example, if you want to retrieve all syslog files with the keyword "_maillog" in the file name, use the following entry: .*_maillog.*\.syslog

Use of this parameter requires knowledge of regular expressions (regex). For more information, see the following website: http://download.oracle.com/javase/tutorial/essential/regex/

FTP Transfer Mode This option only appears if you select FTP as the Service Type. The FTP Transfer Mode parameter allows you to define the file transfer mode when you retrieve log files over FTP. From the list, select the transfer mode that you want to apply to this log source:

• Binary - Select Binary for log sources that require binary data files or compressed .zip, .gzip, .tar, or .tar+gzip archive files.

• ASCII - Select ASCII for log sources that require an ASCII FTP file transfer. You must select NONE for the Processor field and LINEBYLINE for the Event Generator field when you are using ASCII as the transfer mode.

SCP Remote File If you select SCP as the Service Type, you must type the file name of the remote file.

Start Time Type the time of day you want the processing to begin. This parameter functions with the Recurrence value to establish when and how often the Remote Directory is scanned for files. Type the start time, based on a 24-hour clock, in the following format: HH:MM.

Recurrence Type the frequency, beginning at the Start Time, that you want the remote directory to be scanned. Type this value in hours (H), minutes (M), or days (D). For example, type 2H if you want the directory to be scanned every 2 hours. The default is 1H.

Run On Save Select this check box if you want the log file protocol to run immediately after you click Save. After the Run On Save completes, the log file protocol follows your configured start time and recurrence schedule. Selecting Run On Save clears the list of previously processed files for the Ignore Previously Processed File(s) parameter.

EPS Throttle Type the number of Events Per Second (EPS) that you do not want this protocol to exceed. The valid range is 100 - 5000.

Processor If the files on the remote host are stored in a .zip, .gzip, .tar, or tar+gzip archive format, select the processor that allows the archives to be expanded and their contents processed.

Ignore Previously Processed File(s) Select this check box to track files that have already been processed so that they are not processed a second time. This applies to FTP and SFTP Service Types only.

Change Local Directory? Select this check box to define the local directory on your Extreme Security system that you want to use for storing downloaded files during processing. We recommend that you leave the check box clear. When the check box is selected, the Local Directory field is displayed, which allows you to configure the local directory to use for storing files.

Event Generator From the Event Generator list, select LINEBYLINE.


11 Click Save.

12 On the Admin tab, click Deploy Changes.

The log source is added to Extreme Security. Events that are forwarded to Extreme Security by Solaris Sendmail are displayed on the Log Activity tab.


52 SSH CryptoAuditor

Configuring an SSH CryptoAuditor appliance to communicate with Extreme Security

The Extreme Networks Security Analytics DSM for SSH CryptoAuditor collects logs from an SSH CryptoAuditor appliance.

The following table identifies the specifications for the SSH CryptoAuditor DSM.

Table 81: SSH CryptoAuditor DSM specifications

Specification Value

Manufacturer SSH Communications Security

Product CryptoAuditor

DSM Name SSH CryptoAuditor

RPM filename DSM-SSHCryptoAuditor-QRadar_release-Build_number.noarch.rpm

Supported versions 1.4.0 or later

Event format Syslog

Extreme Security recorded event types Audit, Forensics

Log source type in Extreme Security UI SSH CryptoAuditor

Auto discovered? Yes

Includes identity? No

Includes custom properties? No

More information SSH Communications Security website (http://www.ssh.com/)

To send events from SSH CryptoAuditor to Extreme Security, complete the following steps:

1 If automatic updates are not enabled, download and install the most recent version of the following RPMs on your Extreme Security Console:

• DSMCommon RPM

• SSH CryptoAuditor RPM

2 For each instance of SSH CryptoAuditor, configure your SSH CryptoAuditor system to communicate with Extreme Security.

3 If Extreme Security does not automatically discover SSH CryptoAuditor, create a log source on the Extreme Security Console for each instance of SSH CryptoAuditor. Use the following SSH CryptoAuditor specific parameters:


Parameter Value

Log Source Type SSH CryptoAuditor

Protocol Configuration Syslog

Related Links

Configuring an SSH CryptoAuditor appliance to communicate with Extreme Security on page 173
To collect SSH CryptoAuditor events, you must configure your third-party appliance to send events to Extreme Networks Security Analytics.

Adding a single DSM on page 13

Configuring an SSH CryptoAuditor appliance to communicate with Extreme Security

To collect SSH CryptoAuditor events, you must configure your third-party appliance to send events to Extreme Networks Security Analytics.

1 Log in to SSH CryptoAuditor.

2 Go to the syslog settings in Settings > External Services > External Syslog Servers.

3 To create server settings for Extreme Security, click Add Syslog Server.

4 Type the Extreme Security server settings: the address (IP address or FQDN) and the port on which Extreme Security collects log messages.

5 To set the syslog format to Universal LEEF, select the Leef format check box.

6 To save the configuration, click Save.

7 Configure SSH CryptoAuditor alerts in Settings > Alerts. The SSH CryptoAuditor alert configuration defines which events are sent to external systems (email or SIEM/syslog).

a Select an existing alert group, or create a new alert group by clicking Add alert group.

b From the External Syslog Server list, select the Extreme Security server that you defined earlier.

c If you created a new alert group, click Save. Save the group before binding alerts to the group.

d Define which alerts are sent to Extreme Security by binding alerts to the alert group. Click [+] next to the alert that you want to collect in Extreme Security, and select the alert group that has Extreme Security as external syslog server. Repeat this step for each alert that you want to collect in Extreme Security.

e Click Save.

8 Apply the pending configuration changes. The saved configuration changes do not take effect until you apply them from pending state.


53 STEALTHbits StealthINTERCEPT

Configuring your STEALTHbits StealthINTERCEPT system for communication with Extreme Security

Adding a STEALTHbits StealthINTERCEPT log source in Extreme Security

Extreme Networks Security Analytics collects audit logs from a STEALTHbits StealthINTERCEPT server by using the STEALTHbits StealthINTERCEPT DSM.

The following table identifies the specifications for the STEALTHbits StealthINTERCEPT DSM:

Table 82: STEALTHbits StealthINTERCEPT DSM specifications

Specification Value

Manufacturer STEALTHbits Technologies

DSM name STEALTHbits StealthINTERCEPT

RPM file name DSM-STEALTHbitsStealthINTERCEPT-Qradar_version-build_number.noarch.rpm

Supported versions 3.3

Protocol Syslog LEEF

Recorded event types Active Directory Audit Events

Automatically discovered? Yes

Includes identity? No

Includes custom properties? No

More information StealthINTERCEPT (http://www.stealthbits.com/products/stealthintercept)

To integrate STEALTHbits StealthINTERCEPT with Extreme Security, complete the following steps:

1 If automatic updates are not enabled, download and install the most recent version of the following RPMs on your Extreme Security Console:

• DSMCommon RPM

• STEALTHbitsStealthINTERCEPT RPM

2 Configure your STEALTHbits StealthINTERCEPT device to send syslog events to Extreme Security.

3 If Extreme Security does not automatically detect the log source, add a STEALTHbits StealthINTERCEPT log source on the Extreme Security Console. The following table describes the parameters that require specific values for STEALTHbits StealthINTERCEPT event collection:


Table 83: STEALTHbits StealthINTERCEPT log source parameters

Parameter Value

Log Source type STEALTHbits StealthINTERCEPT

Protocol Configuration Syslog

Related Links

Adding a single DSM on page 13

Configuring your STEALTHbits StealthINTERCEPT system for communication with Extreme Security on page 175
To collect all audit logs and system events from STEALTHbits StealthINTERCEPT, you must specify Extreme Networks Security Analytics as the syslog server and configure the message format.

Configuring your STEALTHbits StealthINTERCEPT system for communication with Extreme Security

To collect all audit logs and system events from STEALTHbits StealthINTERCEPT, you must specify Extreme Security as the syslog server and configure the message format.

1 Log in to your STEALTHbits StealthINTERCEPT server.

2 Start the Administration Console.

3 Click Configuration > Syslog Server.

4 Configure the following parameters:

Parameter Description

Host Address The IP address of the Extreme Security Console

Port 514

5 Click Import mapping file.

6 Select the SyslogLeefTemplate.txt file and press Enter.

7 Click Save.

8 On the Administration Console, click Actions.

9 Select the mapping file that you imported, and then select the Send to Syslog check box.

Tip

Leave the Send to Events DB check box selected. StealthINTERCEPT uses the events database to generate reports.

10 Click Add.

Adding a STEALTHbits StealthINTERCEPT log source in Extreme Security

To collect STEALTHbits StealthINTERCEPT events, configure a log source in Extreme Security.

1 Log in to Extreme Security.

2 Click the Admin tab.


3 In the navigation menu, click Data Sources.

4 Click the Log Sources icon.

5 Click Add.

6 From the Log Source Type list, select STEALTHbits StealthINTERCEPT.

7 From the Protocol Configuration list, select Syslog.

8 Configure the remaining parameters.

9 Click Save.

10 On the Admin tab, click Deploy Changes.


54 STEALTHbits StealthINTERCEPT Alerts

Collecting alerts logs from STEALTHbits StealthINTERCEPT

Extreme Networks Security Analytics collects alerts logs from a STEALTHbits StealthINTERCEPT server by using the STEALTHbits StealthINTERCEPT Alerts DSM.

The following table identifies the specifications for the STEALTHbits StealthINTERCEPT Alerts DSM:

Table 84: STEALTHbits StealthINTERCEPT Alerts DSM specifications

Specification Value

Manufacturer STEALTHbits Technologies

DSM name STEALTHbits StealthINTERCEPT Alerts

RPM file name DSM-STEALTHbitsStealthINTERCEPTAlerts-Qradar_version-build_number.noarch.rpm

Supported versions 3.3

Protocol Syslog LEEF

Recorded event types Active Directory Alerts Events

Automatically discovered? Yes

Includes identity? No

Includes custom properties? No

More information StealthINTERCEPT (http://www.stealthbits.com/products/stealthintercept)

To integrate STEALTHbits StealthINTERCEPT with Extreme Security, complete the following steps:

1 If automatic updates are not enabled, download and install the most recent version of the following RPMs on your Extreme Security Console:

• DSMCommon RPM

• STEALTHbitsStealthINTERCEPT RPM

• STEALTHbitsStealthINTERCEPTAlerts RPM

2 Configure your STEALTHbits StealthINTERCEPT device to send syslog events to Extreme Security.

3 If Extreme Security does not automatically detect the log source, add a STEALTHbits StealthINTERCEPT Alerts log source on the Extreme Security Console. The following table describes the parameters that require specific values for STEALTHbits StealthINTERCEPT Alerts event collection:


Table 85: STEALTHbits StealthINTERCEPT Alerts log source parameters

Parameter Value

Log Source type STEALTHbits StealthINTERCEPT Alerts

Protocol Configuration Syslog

Related Links

Adding a single DSM on page 13

Adding a log source on page 14
If a log source is not automatically discovered, you can manually add a log source to receive events from your network devices or appliances.

Collecting alerts logs from STEALTHbits StealthINTERCEPT

To collect all alerts logs from STEALTHbits StealthINTERCEPT, you must specify Extreme Networks Security Analytics as the syslog server and configure the message format.

1 Log in to your STEALTHbits StealthINTERCEPT server.

2 Start the Administration Console.

3 Click Configuration > Syslog Server.

4 Configure the following parameters:

Parameter Description

Host Address The IP address of the Extreme Security Console

Port 514

5 Click Import mapping file.

6 Select the SyslogLeefTemplate.txt file and press Enter.

7 Click Save.

8 On the Administration Console, click Actions.

9 Select the mapping file that you imported, and then select the Send to Syslog check box.

Tip

Leave the Send to Events DB check box selected. StealthINTERCEPT uses the events database to generate reports.

10 Click Add.


55 STEALTHbits StealthINTERCEPT Analytics

Collecting analytics logs from STEALTHbits StealthINTERCEPT

Extreme Networks Security Analytics collects analytics logs from a STEALTHbits StealthINTERCEPT server by using the STEALTHbits StealthINTERCEPT Analytics DSM.

The following table identifies the specifications for the STEALTHbits StealthINTERCEPT Analytics DSM:

Table 86: STEALTHbits StealthINTERCEPT Analytics DSM specifications

Specification Value

Manufacturer STEALTHbits Technologies

DSM name STEALTHbits StealthINTERCEPT Analytics

RPM file name DSM-STEALTHbitsStealthINTERCEPTAnalytics-Qradar_version-build_number.noarch.rpm

Supported versions 3.3

Protocol Syslog LEEF

Recorded event types Active Directory Analytics Events

Automatically discovered? Yes

Includes identity? No

Includes custom properties? No

More information StealthINTERCEPT (http://www.stealthbits.com/products/stealthintercept)

To integrate STEALTHbits StealthINTERCEPT with Extreme Security, complete the following steps:

1 If automatic updates are not enabled, download and install the most recent version of the following RPMs on your Extreme Security Console:

• DSMCommon RPM

• STEALTHbitsStealthINTERCEPT RPM

• STEALTHbitsStealthINTERCEPTAnalytics RPM

2 Configure your STEALTHbits StealthINTERCEPT device to send syslog events to Extreme Security.

3 If Extreme Security does not automatically detect the log source, add a STEALTHbits StealthINTERCEPT Analytics log source on the Extreme Security Console. The following table describes the parameters that require specific values for STEALTHbits StealthINTERCEPT Analytics event collection:


Table 87: STEALTHbits StealthINTERCEPT Analytics log source parameters

Parameter Value

Log Source type STEALTHbits StealthINTERCEPT Analytics

Protocol Configuration Syslog

Related Links

Adding a single DSM on page 13

Collecting analytics logs from STEALTHbits StealthINTERCEPT on page 180
To collect all analytics logs from STEALTHbits StealthINTERCEPT, you must specify Extreme Networks Security Analytics as the syslog server and configure the message format.

Adding a log source on page 14
If a log source is not automatically discovered, you can manually add a log source to receive events from your network devices or appliances.

Collecting analytics logs from STEALTHbits StealthINTERCEPT

To collect all analytics logs from STEALTHbits StealthINTERCEPT, you must specify Extreme Networks Security Analytics as the syslog server and configure the message format.

1 Log in to your STEALTHbits StealthINTERCEPT server.

2 Start the Administration Console.

3 Click Configuration > Syslog Server.

4 Configure the following parameters:

Parameter Description

Host Address The IP address of the Extreme Security Console

Port 514

5 Click Import mapping file.

6 Select the SyslogLeefTemplate.txt file and press Enter.

7 Click Save.

8 On the Administration Console, click Actions.

9 Select the mapping file that you imported, and then select the Send to Syslog check box.

Tip

Leave the Send to Events DB check box selected. StealthINTERCEPT uses the events database to generate reports.

10 Click Add.
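The following script is an added example, not part of this guide and not code from SSH Communications Security, STEALTHbits or Extreme Networks. It parses LEEF records of the kind that the SSH CryptoAuditor (Universal LEEF) and the three STEALTHbits StealthINTERCEPT DSMs above receive over syslog, so you can inspect what actually arrives on port 514 before relying on auto-discovery and the mapping template. The header layout follows LEEF 1.0 and 2.0 (LEEF:Version|Vendor|Product|ProductVersion|EventID|, with LEEF 2.0 allowing a sixth field that names the attribute delimiter as a literal character or a hex code such as x09); the sample records, their vendor, product and event ID strings, host names and attribute names are constructed for this example and do not reproduce either product's real output.

```python
"""Parse LEEF 1.0 / 2.0 records carried over syslog (added example, not from the guide)."""
import re

DELIM_SPEC = re.compile(r"^(?:0?x)([0-9A-Fa-f]{2,4})$")


def decode_delim(spec):
    """LEEF 2.0 delimiter field: empty means tab, otherwise one literal character
    or a hex code such as x09 / 0x09."""
    if spec == "":
        return "\t"
    m = DELIM_SPEC.match(spec)
    if m:
        return chr(int(m.group(1), 16))
    if len(spec) == 1:
        return spec
    raise ValueError("bad LEEF delimiter spec %r" % spec)


def parse_attributes(text, delim):
    attrs = {}
    for piece in text.split(delim):
        if not piece:
            continue
        key, eq, value = piece.partition("=")
        if not eq:
            raise ValueError("attribute without '=': %r" % piece)
        attrs[key.strip()] = value
    return attrs


def parse_leef(record):
    """Parse one syslog line carrying a LEEF event into a dict; the syslog
    priority/timestamp/host prefix before 'LEEF:' is ignored."""
    idx = record.find("LEEF:")
    if idx < 0:
        raise ValueError("not a LEEF record")
    fields = record[idx + len("LEEF:"):].split("|")
    if len(fields) < 6:
        raise ValueError("truncated LEEF header")
    version, vendor, product, product_version, event_id = fields[:5]
    rest = "|".join(fields[5:])
    delim = "\t"                         # LEEF 1.0 always uses tab
    if version.startswith("2"):
        cand, pipe, after = rest.partition("|")
        # A delimiter spec never contains '='; an attribute list always does.
        if pipe and "=" not in cand:
            delim, rest = decode_delim(cand), after
    return {"version": version, "vendor": vendor, "product": product,
            "product_version": product_version, "event_id": event_id,
            "attributes": parse_attributes(rest, delim)}


def summarise(records):
    """Count events per (product, event_id); keep records that did not parse
    instead of aborting, since nothing on UDP 514 guarantees well-formed input."""
    counts, rejected = {}, []
    for rec in records:
        try:
            ev = parse_leef(rec)
        except ValueError as exc:
            rejected.append((rec, str(exc)))
            continue
        key = (ev["product"], ev["event_id"])
        counts[key] = counts.get(key, 0) + 1
    return counts, rejected


# Constructed records: header layout follows LEEF, everything else is illustrative.
SAMPLES = [
    "<13>Jan 14 09:12:45 cryptoauditor LEEF:1.0|SSH|CryptoAuditor|1.4.0|session_start|"
    "src=10.0.0.5\tdst=10.0.0.20\tusr=alice\tproto=ssh",
    "<13>Jan 14 09:13:02 si-server LEEF:2.0|STEALTHbits|StealthINTERCEPT|3.3|AD_Change|^|"
    "src=10.0.0.7^usr=CORP\\jdoe^cat=Active Directory^msg=Group membership changed",
    "<13>Jan 14 09:13:05 si-server LEEF:2.0|STEALTHbits|StealthINTERCEPT|3.3|AD_Change|x09|"
    "src=10.0.0.7\tusr=CORP\\bob\tsev=5",
    "<13>Jan 14 09:13:09 si-server LEEF:1.0|STEALTHbits|StealthINTERCEPT|3.3|Alert|",
    "<13>Jan 14 09:13:11 si-server LEEF:1.0|STEALTHbits|StealthINTERCEPT|3.3",
]

if __name__ == "__main__":
    counts, rejected = summarise(SAMPLES)
    for key in sorted(counts):
        print("%-20s %-14s %d" % (key[0], key[1], counts[key]))
    for rec, why in rejected:
        print("rejected (%s): %s" % (why, rec))
```

To use it on live traffic, capture a minute of port 514 input with tcpdump on the collector, extract the payloads and feed the lines to summarise(); the (product, event_id) counts tell you whether the alert bindings or the Send to Syslog setting above are actually producing what you expect, and the rejected list shows records that no DSM will parse either.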


56 Symantec Critical System Protection

The Extreme Networks Security Analytics DSM for Symantec Critical System Protection can collect event logs from Symantec Critical System Protection systems.

The following table identifies the specifications for the Symantec Critical System Protection DSM.

Table 88: Symantec Critical System Protection DSM specifications

Specification Value

Manufacturer Symantec

DSM Name Critical System Protection

RPM file name DSM-SymantecCriticalSystemProtection-Qradar_version-build_number.noarch.rpm

Supported versions 5.1.1

Event format DB Entries

Extreme Security recorded event types All events from the 'CSPEVENT_VW' view

Log source type in Extreme Security UI Symantec Critical System Protection

Auto discovered? No

Includes identity? No

Includes custom properties? No

For more information Symantec Web Page (http://www.symantec.com/)

To integrate Symantec Critical System Protection with Extreme Security, complete the following steps:

1 If automatic updates are not enabled, download and install the most current version of the following RPMs on your Extreme Security Console:

• Protocol-JDBC RPM

• Symantec Critical System Protection RPM

2 For each Symantec Critical System Protection instance, configure Symantec Critical System Protection to enable communication with Extreme Security.

Ensure that Extreme Security can poll the database for events by using TCP port 1433 or the port that is configured for your log source. Protocol connections are often disabled on databases and extra configuration steps are required in certain situations to allow connections for event polling.

Configure firewalls that are located between Symantec Critical System Protection and Extreme Security to allow traffic for event polling.


3 If Extreme Security does not automatically discover Symantec Critical System Protection, create a log source for each Symantec Critical System Protection instance on the Extreme Security Console.

Use the following values for the required log source parameters:

Parameter Value

Log Source Type Symantec Critical System Protection

Protocol Configuration JDBC

Database Type MSDE

Instance SCSP

Database Name SCSPDB

Table Name CSPEVENT_VW

Compare Field EVENT_ID
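The following script is an added example, not part of this guide and not Symantec or Extreme Networks code. It simulates how a JDBC log source uses the Compare Field: EVENT_ID is the high-water mark, so each poll of CSPEVENT_VW asks only for rows whose EVENT_ID is greater than the largest value already collected. An in-memory SQLite table stands in for the SCSPDB database; apart from EVENT_ID, the column names and the rows are invented for the example, since the guide does not list the view's columns. The last function shows the failure mode this design has: a row that becomes visible after a higher EVENT_ID has already been collected is never returned.

```python
"""Incremental polling with a Compare Field, SQLite stand-in for SCSPDB
(added example, not from the guide)."""
import re
import sqlite3

IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def open_db():
    """Stand-in for the SCSPDB database: a table named like the view the DSM reads.
    Columns other than EVENT_ID are invented for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE CSPEVENT_VW ("
        "EVENT_ID INTEGER PRIMARY KEY, EVENT_DT TEXT, HOST TEXT, "
        "EVENT_TYPE TEXT, MESSAGE TEXT)"
    )
    return conn


def insert_events(conn, rows):
    conn.executemany("INSERT INTO CSPEVENT_VW VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()


class ComparePoller:
    """Poller in the style of a JDBC log source: remembers the largest Compare
    Field value it has returned and asks only for rows beyond it."""

    def __init__(self, conn, table="CSPEVENT_VW", compare_field="EVENT_ID"):
        # Identifiers are interpolated into SQL, so accept only plain names.
        if not (IDENT.match(table) and IDENT.match(compare_field)):
            raise ValueError("table and compare field must be plain identifiers")
        self.conn = conn
        self.table = table
        self.compare_field = compare_field
        self.last_seen = None

    def poll(self):
        if self.last_seen is None:
            # First poll with no saved state: the whole backlog comes back.
            sql = "SELECT * FROM %s ORDER BY %s" % (self.table, self.compare_field)
            rows = self.conn.execute(sql).fetchall()
        else:
            sql = "SELECT * FROM %s WHERE %s > ? ORDER BY %s" % (
                self.table, self.compare_field, self.compare_field)
            rows = self.conn.execute(sql, (self.last_seen,)).fetchall()
        if rows:
            self.last_seen = rows[-1][0]
        return rows


def event(event_id, event_type, message, host="srv01"):
    """Build a constructed row; the timestamp is derived from the id for variety."""
    return (event_id, "2015-07-01 10:%02d:00" % (event_id % 60), host, event_type, message)


def demo_incremental():
    """Three polls: the initial backlog, then only the two new rows, then nothing."""
    conn = open_db()
    poller = ComparePoller(conn)
    insert_events(conn, [event(1, "FILE_WRITE", "/etc/passwd modified"),
                         event(2, "PROCESS", "nc started"),
                         event(3, "LOGIN", "root logged in")])
    first = poller.poll()
    insert_events(conn, [event(4, "POLICY", "policy applied"),
                         event(5, "FILE_WRITE", "/etc/shadow modified")])
    second = poller.poll()
    third = poller.poll()
    return len(first), len(second), len(third)


def demo_late_commit():
    """A row committed after a higher EVENT_ID was already collected sits below
    the high-water mark and is silently skipped on every later poll."""
    conn = open_db()
    poller = ComparePoller(conn)
    insert_events(conn, [event(10, "LOGIN", "admin logged in"),
                         event(12, "LOGIN", "admin logged out")])
    poller.poll()
    insert_events(conn, [event(11, "PROCESS", "late-committed row")])
    return [row[0] for row in poller.poll()]


if __name__ == "__main__":
    print("incremental polls returned", demo_incremental())
    print("late-committed row collected:", demo_late_commit())
```

Two practical consequences follow. The first poll of a log source with no saved state returns the whole view, so expect an initial backlog on a busy CSP server. And the database account you give the log source only ever runs SELECT against CSPEVENT_VW, so grant it that single permission and nothing else.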

Related Links

Adding a single DSM

on page 13

Adding a log source

on page 14

If a log source is not automatically discovered, you can manually add a log source to receive events from your network devices or appliances.


57 Sourcefire Defense Center (DC)

Creating Sourcefire 4.x certificates

Creating Sourcefire 5.x certificates

Importing a Sourcefire certificate to Extreme Security

Configuring a log source for Sourcefire Defense Center events

The Extreme Networks Security Analytics DSM for Sourcefire Defense Center accepts Sourcefire Defense Center events by using the eStreamer API service.

Extreme Security supports Sourcefire Defense Center v4.8.0.2 to v5.2.0.4.

You must download and install one of the following patches from the Sourcefire website to collect Sourcefire Defense Center 5.x events in Extreme Security:

• Sourcefire_hotfix-v5.1.0-0-build_1.tar

• Sourcefire_hotfix-v5.1.1-0-build_1.tar

For more information about patches for your Sourcefire appliance, see the Sourcefire website.

Configuration overview

To integrate with Sourcefire Defense Center, you must create certificates in the Sourcefire Defense Center interface, and then add the certificates to the Extreme Security appliances that receive eStreamer event data.

If your deployment includes multiple Sourcefire Defense Center appliances, you must copy the certificate for each appliance that receives eStreamer events. The certificate allows the Sourcefire Defense Center appliance and the Extreme Security Console or Event Collector to communicate by using the eStreamer API to collect events.

To integrate Extreme Security with Sourcefire Defense Center, use the following steps:

1 Create the eStreamer certificate on your Sourcefire Defense Center appliance.

2 Add the Sourcefire Defense Center certificate files to Extreme Security.

3 Configure a log source in Extreme Security for your Sourcefire Defense Center appliances.

Supported event types

Extreme Security supports the following event types from Sourcefire Defense Center:

• Intrusion events and extra data

Intrusion events that are categorized by the Sourcefire Defense Center DSM in Extreme Security use the same QRadar Identifiers (QIDs) as the Snort DSM. To ensure that all intrusion events are categorized properly.


Intrusion events in the 1,000,000 - 2,000,000 range are user-defined rules in Sourcefire Defense Center. User-defined rules that generate events are added as an Unknown event in Extreme Security, and include additional information that describes the event type. For example, a user-defined event can identify as Unknown:Buffer Overflow for Sourcefire Defense Center.

• Correlation events

• Metadata events

• Discovery events

• Host events

• User events

Creating Sourcefire 4.x certificates

Extreme Security requires a certificate for every Sourcefire Defense Center appliance in your deployment. Certificates are generated in pkcs12 format and must be converted to keystore and truststore files, which are usable by Extreme Security appliances.

1 Log in to your Sourcefire Defense Center interface.

2 Select Operations > Configuration > eStreamer.

3 Click the eStreamer tab.

4 Click Create Client.

5 Select check boxes for the event types Sourcefire Defense Center provides to Extreme Security.

6 Click + Create Client in the upper right side of the interface.

7 In the Hostname field, type the IP address or host name.

• If you use an Extreme Security Console or use an All-in-one appliance to collect eStreamer events, type the IP address or host name of your Extreme Security Console.

• If you use a remote Event Collector to collect eStreamer events, type the IP address or host name for the remote Event Collector.

• If you use High Availability (HA), type the virtual IP address.

8 In the Password field, leave the password field blank or type a password for your certificate and click Save.

The new client is added to the Streamer Client list and the host is allowed to communicate with the eStreamer API on port 8302.

9 From the Certificate Location column, click the client that you created to save the pkcs12 certificate to a file location and click OK.

You are now ready to import your Sourcefire Defense Center certificate to your Extreme Security appliance.

Creating Sourcefire 5.x certificates

Certificates are created by Sourcefire Defense Center appliances in your deployment.

Extreme Security requires a certificate for every Sourcefire Defense Center appliance in your deployment. Certificates are generated in pkcs12 format and must be converted to a keystore and truststore file, which are usable by Extreme Security appliances.

1 Log in to your Sourcefire Defense Center interface.


2 Select System > Local > Registration.

3 Click the eStreamer tab.

4 Select check boxes for the event types Sourcefire Defense Center provides to Extreme Security and click Save.

Important

For Sourcefire Defense Center 5.x, you must clear the Impact Flag Alerts check box.

5 Click + Create Client in the upper right side of the interface.

6 In the Hostname field, type the IP address or host name.

• If you use Extreme Security Console or use an All-in-one appliance to collect eStreamer events, type the IP address or host name of your Extreme Security Console.

• If you use an Event Collector to collect eStreamer events, type the IP address or host name for the Event Collector.

• If you use High Availability (HA), type the virtual IP address.

7 In the Password field, type a password for your certificate or leave the field blank and click Save.

The new client is added to the Streamer Client list and the host is allowed to communicate with the eStreamer API on port 8302.

8 Click the download arrow for your host to save the pkcs12 certificate to a file location.

9 Click OK to download the file.

You are now ready to import your Sourcefire Defense Center certificate to your Extreme Security appliance.

Importing a Sourcefire certificate to Extreme Security

The estreamer-cert-import.pl script for Extreme Security converts your pkcs12 certificate file to a keystore and truststore file and places the certificates in the proper directory on your Extreme Security appliance. Repeat this procedure for each Sourcefire Defense Center pkcs12 certificate you need to import to your Extreme Security Console or Event Collector.

You must have root or su - root privileges to run the estreamer-cert-import.pl import script.

The estreamer-cert-import.pl script is stored on your Extreme Security appliance when you install the Sourcefire Defense Center protocol.

The script converts and imports one pkcs12 file at a time. You are required only to import a certificate for the Extreme Security appliance that manages the Sourcefire Defense Center log source. For example, after the Sourcefire event is categorized and normalized by an Event Collector in an Extreme Security deployment, it is forwarded to the Extreme Security Console. In this scenario, you would import a certificate to the Event Collector.

When you import a new certificate, existing Sourcefire Defense Center certificates on the Extreme Security appliance are renamed to estreamer.keystore.old and estreamer.truststore.old.

1 Log in to your Extreme Security Console or Event Collector as the root user.


2 Copy the pkcs12 certificate from your Sourcefire Defense Center appliance to the following directory:

/opt/qradar/bin/

3 To import your pkcs12 file, type the following command and any extra parameters:

/opt/qradar/bin/estreamer-cert-import.pl -f pkcs12_file_name options

Extra parameters are described in the following table:

Parameter Description

-f Identifies the file name of the pkcs12 file to import.

-o Overrides the default estreamer name for the keystore and truststore files. Use the -o parameter when you integrate multiple Sourcefire Defense Center devices. For example, /opt/qradar/bin/estreamer-cert-import.pl -f <file name> -o 192.168.1.100

The import script creates the following files:

/opt/qradar/conf/192.168.0.100.keystore

/opt/qradar/conf/192.168.0.100.truststore

-d Enables verbose mode for the import script. Verbose mode is intended to display error messages for troubleshooting purposes when pkcs12 files fail to import properly.

-p Specifies a password if a password was accidentally provided when you generated the pkcs12 file.

-v Displays the version information for the import script.

-h Displays a help message on using the import script.

The import script creates a keystore and truststore file in the following locations:

/opt/qradar/conf/estreamer.keystore

/opt/qradar/conf/estreamer.truststore

Configuring a log source for Sourcefire Defense Center events

You must configure a log source because Extreme Security does not automatically discover Sourcefire Defense Center events.

1 Log in to Extreme Security.

2 Click the Admin tab.

3 On the navigation menu, click Data Sources.

4 Click the Log Sources icon.

5 Click Add.

6 From the Log Source Type list, select Sourcefire Defense Center.


7 From the Protocol Configuration list, select Sourcefire Defense Center Estreamer.

8 Configure the following parameters:

Parameter Description

Server Address The IP address or host name of the Sourcefire Defense Center device.

Server Port The port number Extreme Security uses to receive Sourcefire Defense Center Estreamer events.

Keystore Filename The directory path and file name for the keystore private key and associated certificate.

Truststore Filename The directory path and file name for the truststore file, which contains the certificates that are trusted by the client.

Request Extra Data Select this option to request extra data from Sourcefire Defense Center Estreamer; for example, extra data includes the original IP address of an event.

Use Extended Requests Select this option to use an alternative method for retrieving events from an eStreamer source. Extended Requests are supported on Sourcefire Defense Center Estreamer version 5.0 or later.


58 Sourcefire Intrusion Sensor

Configuring Sourcefire Intrusion Sensor

Configuring a log source for Sourcefire Defense Center events

The Sourcefire Intrusion Sensor DSM for Extreme Security accepts Snort-based intrusion and prevention syslog events from Sourcefire devices.

Configuring Sourcefire Intrusion Sensor

To configure your Sourcefire Intrusion Sensor, you must enable policy alerts and configure your appliance to forward the event to Extreme Security.

1 Log in to your Sourcefire user interface.

2 On the navigation menu, select Intrusion Sensor > Detection Policy > Edit.

3 Select an active policy and click Edit.

4 Click Alerting.

5 In the State field, select on to enable the syslog alert for your policy.

6 From the Facility list, select Alert.

7 From the Priority list, select Alert.

8 In the Logging Host field, type the IP address of the Extreme Security Console or Event Collector.

9 Click Save.

10 On the navigation menu, select Intrusion Sensor > Detection Policy > Apply.

11 Click Apply.

You are now ready to configure the log source in Extreme Security.

Configuring a log source for Sourcefire Defense Center events

You must configure a log source because Extreme Security does not automatically discover Sourcefire Defense Center events.

1 Log in to Extreme Security.

2 Click the Admin tab.

3 On the navigation menu, click Data Sources.

4 Click the Log Sources icon.

5 Click Add.

6 From the Log Source Type list, select Sourcefire Defense Center.

7 From the Protocol Configuration list, select Sourcefire Defense Center Estreamer.


8 Configure the following parameters:

Parameter Description

Server Address The IP address or host name of the Sourcefire Defense Center device.

Server Port The port number Extreme Security uses to receive Sourcefire Defense Center Estreamer events.

Keystore Filename The directory path and file name for the keystore private key and associated certificate.

Truststore Filename The directory path and file name for the truststore file, which contains the certificates that are trusted by the client.

Request Extra Data Select this option to request extra data from Sourcefire Defense Center Estreamer; for example, extra data includes the original IP address of an event.

Use Extended Requests Select this option to use an alternative method for retrieving events from an eStreamer source. Extended Requests are supported on Sourcefire Defense Center Estreamer version 5.0 or later.


59 Trend Micro Deep Discovery Analyzer

Configuring your Trend Micro Deep Discovery Analyzer instance for communication with Extreme Security

The Extreme Networks Security Analytics DSM for Trend Micro Deep Discovery Analyzer can collect event logs from your Trend Micro Deep Discovery Analyzer console.

The following table identifies the specifications for the Trend Micro Deep Discovery Analyzer DSM:

Table 89: Trend Micro Deep Discovery Analyzer DSM specifications

Specification Value

Manufacturer Trend Micro

DSM name Deep Discovery Analyzer

RPM file name DSM-TrendMicroDeepDiscoveryAnalyzerbuild_number.noarch.rpm

Supported versions 1.0

Event format LEEF

QRadar recorded event types All events

Automatically discovered? Yes

Includes identity? No

Includes custom properties? No

More information Trend Micro website (www.trendmicro.com/DeepDiscovery)

To send Trend Micro Deep Discovery events to Extreme Security, complete the following steps:

1 If automatic updates are not enabled, download the most recent versions of the following RPMs.

• DSMCommon

• Trend Micro Deep Discovery DSM

2 Configure your Trend Micro Deep Discovery device to communicate with Extreme Security.

3 If Extreme Security does not automatically detect Trend Micro Deep Discovery as a log source, create a Trend Micro Deep Discovery log source on the Extreme Security Console. Configure all required parameters and use the following table to determine specific values that are required for Trend Micro Deep Discovery Inspector event collection:


Table 90: Trend Micro Deep Discovery Analyzer log source parameters

Parameter Value

Log Source type Trend Micro Deep Discovery Analyzer

Protocol Configuration Syslog

Related Links

Adding a single DSM on page 13

Configuring your Trend Micro Deep Discovery Analyzer instance for communication with Extreme Security on page 191

To collect Trend Micro Deep Discovery Analyzer events, configure your third-party instance to enable logging.

Adding a log source on page 14

If a log source is not automatically discovered, you can manually add a log source to receive events from your network devices or appliances.

Configuring your Trend Micro Deep Discovery Analyzer instance for communication with Extreme Security

To collect Trend Micro Deep Discovery Analyzer events, configure your third-party instance to enable logging.

1 Log in to the Deep Discovery Analyzer web console.

2 Click Administrator > Log Settings.

3 Select Forward logs to a syslog server.

4 Select LEEF as the log format.

5 In the Syslog server field, type the IP address of your Extreme Security Console or Event Collector.

6 In the Port field, type 514.


60 WatchGuard Fireware OS

Configuring your WatchGuard Fireware OS appliance in Policy Manager for communication with Extreme Security

Configuring your WatchGuard Fireware OS appliance in Fireware XTM for communication with Extreme Security

Configuring a WatchGuard Fireware OS log source in Extreme Security

The Extreme Networks Security Analytics DSM for WatchGuard Fireware OS can collect event logs from your WatchGuard Fireware OS.

The following table identifies the specifications for the WatchGuard Fireware OS DSM:

Table 91: WatchGuard Fireware DSM specifications

Specification Value

Manufacturer WatchGuard

DSM name WatchGuard Fireware OS

RPM file name DSM-WatchGuardFirewareOS-QRadar-version-Build_number.noarch.rpm

Supported versions Fireware XTM OS v11.9 and later

Event format syslog

Extreme Security recorded event types All events

Automatically discovered? Yes

Includes identity? No

More information WatchGuard Website (http://www.watchguard.com/)

To integrate the WatchGuard Fireware OS with Extreme Security, use the following steps:

1 If automatic updates are not enabled, download and install the most recent versions of the following RPMs on your Extreme Security Console.

• DSMCommon RPM

• WatchGuard Fireware OS RPM

2 For each instance of WatchGuard Fireware OS, configure your WatchGuard Fireware OS appliance to enable communication with Extreme Security. You can use one of the following procedures:

Configuring your WatchGuard Fireware OS appliance in Policy Manager for communication with Extreme Security on page 193

Configuring your WatchGuard Fireware OS appliance in Fireware XTM for communication with Extreme Security on page 193

3 If Extreme Security does not automatically discover the WatchGuard Fireware OS log source, create a log source for each instance of WatchGuard Fireware OS on your network.

Related Links

Adding a single DSM on page 13

Adding a log source on page 14

If a log source is not automatically discovered, you can manually add a log source to receive events from your network devices or appliances.

Configuring your WatchGuard Fireware OS appliance in Policy Manager for communication with Extreme Security

To collect WatchGuard Fireware OS events, you can use the Policy Manager to configure your third-party appliance to send events to Extreme Security.

You must have Device Administrator access credentials.

1 Open the WatchGuard System Manager.

2 Connect to your Firebox or XTM device.

3 Start the Policy Manager for your device.

4 To open the Logging Setup window, select Setup > Logging.

5 Select the Send log messages to this syslog server check box.

6 In the IP address text box, type the IP address for your Extreme Security Console or Event Collector.

7 In the Port text box, type 514.

8 From the Log Format list, select IBM LEEF.

9 Optional: Specify the details to include in the log messages.

a Click Configure.

b To include the serial number of the XTM device in the log message details, select the The serial number of the device check box.

c To include the syslog header in the log message details, select the The syslog header check box.

d For each type of log message, select one of the following syslog facilities:

• For high-priority syslog messages, such as alarms, select Local0.

• To assign priorities to other types of log messages, select an option from Local1 through Local7. Lower numbers have greater priority.

• To not send details for a log message type, select NONE.

e Click OK.

10 Click OK.

11 Save the configuration file to your device.

Configuring your WatchGuard Fireware OS appliance in Fireware XTM for communication with Extreme Security

To collect WatchGuard Fireware OS events, you can use the Fireware XTM web user interface to configure your third-party appliance to send events to Extreme Security.

You must have Device Administrator access credentials.

1 Log in to the Fireware XTM web user interface for your Fireware or XTM device.

2 Select System > Logging.


3 In the Syslog Server pane, select the Send log messages to the syslog server at this IP address check box.

4 In the IP Address text box, type the IP address for the Extreme Security Console or Event Collector.

5 In the Port text box, type 514.

6 From the Log Format list, select IBM LEEF.

7 Optional: Specify the details to include in the log messages.

a To include the serial number of the XTM device in the log message details, select the The serial number of the device check box.

b To include the syslog header in the log message details, select the The syslog header check box.

c For each type of log message, select one of the following syslog facilities:

• For high-priority syslog messages, such as alarms, select Local0.

• To assign priorities to other types of log messages, select an option from Local1 through Local7. Lower numbers have greater priority.

• To not send details for a log message type, select NONE.

8 Click Save.
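Once the appliance forwards LEEF over syslog to port 514 with the facilities chosen in the two procedures above (the same check applies to the Trend Micro Deep Discovery Analyzer syslog setup), a quick way to confirm what actually arrives at the Console or Event Collector is to decode the syslog PRI and the LEEF header of a few captured lines. The following Python script is an added example, not part of this guide or of the WatchGuard product; its sample lines, attribute names and event IDs are constructed placeholders.

```python
"""Check captured syslog lines against the expected forwarding setup:
a syslog PRI whose facility is one of Local0-Local7, and a LEEF payload
with a parseable header.

Added example; not part of the Extreme Security product or this guide.
Sample lines are constructed; the event IDs and attribute names in them
are placeholders, not real WatchGuard values.
"""
import re

SEVERITIES = ('emergency', 'alert', 'critical', 'error',
              'warning', 'notice', 'informational', 'debug')
FACILITIES = ('kern', 'user', 'mail', 'daemon', 'auth', 'syslog', 'lpr', 'news',
              'uucp', 'cron', 'authpriv', 'ftp', 'ntp', 'security', 'console',
              'solaris-cron') + tuple(f'local{i}' for i in range(8))
_PRI = re.compile(r'^<(\d{1,3})>')


def decode_pri(line):
    """Return (facility, severity, remainder); facility/severity are None without a valid PRI."""
    m = _PRI.match(line)
    if m is None or int(m.group(1)) > 191:  # PRI = facility * 8 + severity, max 23 * 8 + 7
        return None, None, line
    pri = int(m.group(1))
    return FACILITIES[pri // 8], SEVERITIES[pri % 8], line[m.end():]


def parse_leef(payload):
    """Parse a LEEF 1.0 or 2.0 message into header fields and attributes."""
    if not payload.startswith('LEEF:') or '|' not in payload:
        raise ValueError('not a LEEF message')
    version = payload[len('LEEF:'):payload.index('|')]
    header_fields = 6 if version.startswith('2') else 5  # LEEF 2.0 adds a delimiter field
    parts = payload.split('|', header_fields)
    if len(parts) < header_fields + 1:
        raise ValueError('truncated LEEF header')
    delimiter = '\t'  # LEEF 1.0 default; also used when the 2.0 delimiter field is empty
    if header_fields == 6 and parts[5]:
        spec = parts[5]  # either a literal character or x followed by its hex code
        delimiter = chr(int(spec[1:], 16)) if spec[0] in 'xX' and len(spec) > 1 else spec
    attributes = {}
    for pair in parts[header_fields].split(delimiter):
        if '=' in pair:
            key, value = pair.split('=', 1)
            attributes[key] = value
    return {'version': version, 'vendor': parts[1], 'product': parts[2],
            'product_version': parts[3], 'event_id': parts[4], 'attributes': attributes}


def audit_syslog_lines(lines):
    """One finding per line: PRI facility/severity, LEEF event ID, and any issues to fix."""
    report = []
    for line in lines:
        facility, severity, payload = decode_pri(line)
        start = payload.find('LEEF:')
        entry = {'facility': facility, 'severity': severity,
                 'leef': start >= 0, 'event_id': None, 'issues': []}
        if facility is None:
            entry['issues'].append('missing syslog PRI')
        elif not facility.startswith('local'):
            entry['issues'].append(f'facility {facility} is outside Local0-Local7')
        if start < 0:
            entry['issues'].append('payload is not LEEF; check the Log Format setting')
        else:
            try:
                entry['event_id'] = parse_leef(payload[start:])['event_id']
            except ValueError as exc:
                entry['issues'].append(f'malformed LEEF: {exc}')
        report.append(entry)
    return report


# Constructed sample input: local0 alarm, local1 LEEF 2.0 with a custom
# delimiter, a line sent with the wrong facility, and a non-LEEF line.
SAMPLE_LINES = [
    '<130>Jun 12 10:00:01 XTM-530 LEEF:1.0|WatchGuard|XTM|11.9|alarm|'
    '\tsrc=10.0.0.7\tdst=203.0.113.9\tmsg=Traffic spike alarm',
    '<142>Jun 12 10:00:02 XTM-530 LEEF:2.0|WatchGuard|XTM|11.9|allow|x5E|'
    'src=10.0.0.8^dst=198.51.100.3^dstPort=443',
    '<34>Jun 12 10:00:03 XTM-530 LEEF:1.0|WatchGuard|XTM|11.9|login|\tusrName=admin',
    'Jun 12 10:00:04 XTM-530 Allow 10.0.0.8 198.51.100.3 https (plain text, not LEEF)',
]

if __name__ == '__main__':
    for line, finding in zip(SAMPLE_LINES, audit_syslog_lines(SAMPLE_LINES)):
        status = 'ok' if not finding['issues'] else '; '.join(finding['issues'])
        print(f"{finding['facility']}/{finding['severity']} {finding['event_id']}: {status}")
```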

Configuring a WatchGuard Fireware OS log source in Extreme Security

Use this procedure if your Extreme Security Console did not automatically discover the WatchGuard Fireware OS log source.

1 Log in to Extreme Security.

2 Click the Admin tab.

3 In the navigation menu, click Data Sources.

4 Click the Log Sources icon.

5 Click Add.

6 In the Log Source Identifier field, type the IP address or host name of the WatchGuard Fireware OS device.

7 From the Log Source Type list, select WatchGuard Fireware OS.

8 From the Protocol Configuration list, select Syslog.

9 Configure the remaining parameters.

10 Click Save.


61 Universal CEF

Configuring event mapping for Universal CEF events

The Extreme Networks Security Analytics DSM for Universal CEF accepts events from any device that produces events in the Common Event Format (CEF).

The following table identifies the specifications for the Universal CEF DSM:

Table 92: Universal CEF DSM specifications

Specification Value

DSM name Universal CEF

RPM file name DSM-UniversalCEF-Qradar_version-build_number.noarch.rpm

Protocol syslog, Log File

Recorded event types CEF-formatted events

Automatically discovered? No

Includes identity? No

Includes custom properties? No

To send events from a device that generates CEF-formatted events to Extreme Security, complete the following steps:

1 If automatic updates are not enabled, download and install the most recent version of the following RPMs on your Extreme Security Console:

• DSMCommon RPM

• Universal CEF RPM

2 Add a Universal CEF log source on the Extreme Security Console. Use the following values that are specific to Universal CEF:

Parameter Description

Log Source Type Universal DSM

Protocol Configuration Syslog or Log File

3 Configure your third-party device to send events to Extreme Security. For more information about how to configure your third-party device, see your vendor documentation.

4 Configure event mapping for Universal CEF events.


Configuring event mapping for Universal CEF events

Universal CEF events do not contain a predefined QRadar Identifier (QID) map to categorize security events. You must search for unknown events from the Universal CEF log source and map them to high and low-level categories.

Ensure that you installed the Universal CEF DSM and added a log source for it in Extreme Security.

By default, the Universal CEF DSM categorizes all events as unknown. All Universal CEF events display a value of unknown in the Event Name and Low Level Category columns on the Log Activity tab. You must modify the QID map to individually map each event for your device to an event category in Extreme Security. Mapping events allows Extreme Security to identify, coalesce, and track events from your network devices.

For more information about event mapping, see the Extreme Networks SIEM Users Guide.

1 Log in to Extreme Security.

2 Click the Log Activity tab.

3 Click Add Filter.

4 From the first list, select Log Source.

5 From the Log Source Group list, select Other.

6 From the Log Source list, select your Universal CEF log source.

7 Click Add Filter.

8 From the View list, select Last Hour.

9 Optional: Click Save Criteria to save your existing search filter.

10 On the Event Name column, double-click an unknown event for your Universal CEF DSM.

11 Click Map Event.

12 From the Browse for QID pane, select any of the following search options to narrow the event categories for a QRadar Identifier (QID):

• From the High-Level Category list, select a high-level event category. For a full list of high-level and low-level event categories or category definitions, see the Event Categories section of the Extreme Networks SIEM Administration Guide.

• From the Low-Level Category list, select a low-level event category.

• From the Log Source Type list, select a log source type.

Tip

Searching for QIDs by log source is useful when the events from your Universal CEF DSM are similar to another existing network device. For example, if your Universal CEF provides firewall events, you might select Cisco ASA, as another firewall product that likely captures similar events.

• To search for a QID by name, type a name in the QID/Name field.

13 Click Search.

14 Select the QID that you want to associate to your unknown Universal CEF DSM event and click OK.
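Because every Universal CEF event starts out as unknown, it helps to know how many distinct event types the device actually produces before working through the Map Event dialog one event at a time. The following Python script is an added example, not part of this guide or of the Extreme Security product: it parses CEF lines (including the escaped pipe and equals sign the format allows) and counts the distinct vendor/product/signature ID/name combinations, each of which needs one QID mapping. The sample lines are constructed.

```python
"""Inventory the distinct event types in CEF messages before QID mapping.

Added example; not part of the Extreme Security product or this guide.
Parses syslog lines carrying CEF (Common Event Format) messages and groups
them by the header fields that identify an event type (device vendor,
device product, signature ID, name), so that each distinct type from a
Universal CEF log source can be mapped once in the QID map.
The sample lines at the bottom are constructed for illustration.
"""
import re
from collections import Counter

# CEF header layout:
#   CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|Extension
# Inside a header field a literal pipe is escaped as \| and a backslash as \\.
_HEADER_FIELD = re.compile(r'((?:\\.|[^|\\])*)\|')

# Extension: key=value pairs separated by spaces. Values may contain spaces,
# so a value runs until the next " key=" token; a literal '=' is escaped as \=.
_EXT_PAIR = re.compile(r'(?P<key>[^\s=\\]+)=(?P<val>(?:\\.|[^\\=])*?)(?=\s+[^\s=\\]+=|\s*$)')


def _unescape(text):
    r"""Resolve CEF escapes: \| \= \\ and the \n / \r newline escapes."""
    return re.sub(r'\\(.)', lambda m: {'n': '\n', 'r': '\r'}.get(m.group(1), m.group(1)), text)


def parse_cef(line):
    """Parse one CEF message, with or without a syslog prefix, into a dict."""
    start = line.find('CEF:')
    if start < 0:
        raise ValueError('no CEF header in line')
    body = line[start + len('CEF:'):]
    fields = []
    pos = 0
    for _ in range(7):  # version plus six header fields, each closed by '|'
        match = _HEADER_FIELD.match(body, pos)
        if match is None:
            raise ValueError('truncated CEF header')
        fields.append(_unescape(match.group(1)))
        pos = match.end()
    extension = {m.group('key'): _unescape(m.group('val'))
                 for m in _EXT_PAIR.finditer(body[pos:])}
    keys = ('version', 'vendor', 'product', 'device_version',
            'signature_id', 'name', 'severity')
    event = dict(zip(keys, fields))
    event['extension'] = extension
    return event


def event_type_inventory(lines):
    """Count messages per (vendor, product, signature_id, name); each key needs one QID map entry."""
    counts = Counter()
    for line in lines:
        ev = parse_cef(line)
        counts[(ev['vendor'], ev['product'], ev['signature_id'], ev['name'])] += 1
    return counts


def mapping_worklist(lines):
    """Sorted rows (vendor, product, signature_id, name, count) to work through in the Map Event dialog."""
    return sorted(key + (count,) for key, count in event_type_inventory(lines).items())


# Constructed sample input: three event types, one of them seen twice,
# with an escaped '=' in an extension value and an escaped '|' in a header field.
SAMPLE_LINES = [
    'Jun 12 10:15:01 fw01 CEF:0|Acme|Firewall|2.1|100|Connection denied|5|'
    'src=10.0.0.5 dst=203.0.113.7 dpt=22 msg=policy\\=deny hit',
    'Jun 12 10:15:02 fw01 CEF:0|Acme|Firewall|2.1|100|Connection denied|5|'
    'src=10.0.0.9 dst=203.0.113.7 dpt=445',
    'Jun 12 10:15:03 fw01 CEF:0|Acme|Firewall|2.1|200|Admin login|3|'
    'suser=alice src=10.0.0.20 msg=web console login',
    'Jun 12 10:15:04 ids01 CEF:0|Acme|IPS\\|Module|2.1|300|Signature match|8|'
    'src=198.51.100.4 dst=10.0.0.5 cs1Label=Signature cs1=SID-12345',
]

if __name__ == '__main__':
    for vendor, product, sig, name, count in mapping_worklist(SAMPLE_LINES):
        print(f'{count:>4}  {vendor} {product}  sig={sig}  {name}')
```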


62 Extreme Security supported DSMs

Extreme Networks Security Analytics can collect events from your security products by using a plugin file that is called a Device Support Module (DSM).

If you can't find the documentation for your DSM in the IBM® Knowledge Center, view the PDF library on the customer support web site (http://www-01.ibm.com/support/docview.wss?uid=swg21614644).

All DSM documentation for each Extreme Security release is available from here in PDF format.

The following table lists supported DSMs for third-party and IBM® security solutions. The documentation for the DSMs that are marked with an asterisk (*) in the Device name and version column is not yet available in the IBM® Knowledge Center. Click the link in the column to download the Extreme Networks Security DSM Configuration Guide (PDF download).

Table 93: Extreme Security Supported DSMs

Manufacturer Device name and version

3Com

AccessData

AhnLab

Amazon

Ambiron

Apache

APC

Apple

8800 Series Switch v3.01.30

AccessData InSight

AhnLab Policy Center

Amazon AWS CloudTrail v1.0

TrustWave ipAngel v4.0

HTTP Server v1.3 and later*

UPS

Mac OS X (10)*

Protocol

Application

Security, Inc.

DbProtect v6.2, v6.3, v6.3sp1, v6.3.1, and v6.4*

Arbor Networks Pravail APS v3.1 and later

Arpeggio Software SIFT-IT v3.1 and later*

Syslog

Syslog

Syslog

Array Networks

Aruba Networks

Avaya Inc.

SSL VPN ArraySP v7.3*

Mobility Controllers v2.5 and later*

Avaya VPN Gateway v9.0.7.2*

Syslog

Syslog

Syslog

Syslog

Log File

AhnLabPolicy

CenterJdbc

Log File

Syslog

Syslog

Syslog

Syslog

Recorded events and formats

Auto discovered?

Status and network condition events

Log file

Spyware detection

Virus detection

Audit

All events

Snort-based events

HTTP status

Smart-UPS series events

Firewall, web server

(access/ error), privilege, and information events

All events

Yes

No

No

No

No

Yes

No

No

Yes

Includes identity?

No

No

Yes

No

No

No

Yes

No

Yes

All events

All events configured in the SIFT-IT rule set

All events

All events

All events

Yes

Yes

No

Yes

Yes

No

No

Yes

No

Yes

No

No

No

Yes

No

No

No

No

No

No

No

No

No

Includes custom properties?

No


Table 93: Extreme Security Supported DSMs (continued)

Manufacturer Device name and version Protocol Recorded events and formats

Auto discovered?

Cisco

Cisco

Cisco

Cisco

Cisco

BalaBit IT Security Microsoft™ Windows™ Security Event

BalaBit IT Security

Blue Coat

Bridgewater

Systems

Brocade

CA

CA

CA

Check Point

Cilasoft

Cisco

Cisco

Cisco

Log v4.x*

Microsoft™ ISA v4.x*

Syslog

Syslog

Barracuda

Networks

Spam & Virus Firewall v5.x and later*

Barracuda

Networks

Barracuda

Networks

Web Application Firewall v7.0.x

Web Filter 6.0.x and later*

Bit9 Security Platform v6.0.2 and later

BlueCat Networks Adonis v6.7.1-P2 and later*

SG v4.x and later

AAA v8.2c1*

Syslog

Check Point

Check Point

Fabric OS V7.x*

Access Control Facility v12 to v15*

SiteMinder*

Top Secret v12 to v15*

Syslog

Syslog

Syslog

Syslog

System, web firewall, access, and audit events

Web traffic and web interface events

All events

DNS and DHCP events

Syslog Log File Protocol All events

Syslog All events

Syslog

Log File Protocol

Syslog

Log File Protocol

FireWall-1 versions NG, FP1, FP2, FP3,

AI R54, AI R55, R65, R70, R77, NGX, and R75*

Syslog or OPSEC LEA

VPN-1 versions NG, FP1, FP2, FP3, AI

R54, AI R55, R65, R70, R77 NGX

Syslog or OPSEC LEA

Provider-1 versions NG, FP1, FP2, FP3,

AI R54, AI R55, R65, R70, R77, NGX*

Syslog or OPSEC LEA

Cilasoft QJRN/400 V5.14.K and later* Syslog

Microsoft™ Event Log

Events

Microsoft™ Event Log

Events

All events

System and audit events

All events

All events

All events

All events

All events

All events

4400 Series Wireless LAN Controller v7.2

Syslog or SNMPv2

CallManager v8.x* Syslog

ACS v4.1 and later if directly from ACS v3.x and later if using ALE

Syslog

Aironet v4.x and later* Syslog

ACE Firewall v12.2*

ASA v7.x and later*

ASA v7.x and later*

CSA v4.x, v5.x and v6.x*

IBM® audit events

All events

Application events

Failed Access Attempts

Cisco Emblem Format

Syslog

Syslog

All events

All events

NSEL Protocol All events

Syslog SNMPv1 SNMPv2 All events

Yes

Yes

Yes

Yes

Yes

Yes

Yes

No

Yes

No

No

Yes

No

Yes

Yes

Yes

Yes

No

Yes

Yes

Yes

Yes

Yes

No

Yes

Includes identity?

Yes

Yes

No

Yes

No

No

Yes

Yes

No

No

No

No

Yes

No

No

Yes

Yes

No

No

Yes

No

Yes

Yes

No

Yes

No

No

No

No

No

No

No

No

No

No

No

No

No

No

No

Includes custom properties?

No

No

Yes

No

Yes

Yes

No

No

Yes

No


Table 93: Extreme Security Supported DSMs (continued)

Manufacturer Device name and version Protocol Recorded events and formats

Auto discovered?

Includes identity?

Yes

Cisco

Cisco

Cisco

Cisco

Cisco

Cisco

Cisco

Cisco

Cisco

Cisco

Cisco

Cisco

Citrix

Citrix

CloudPassage

CorreLog

CRYPTOCard

Cyber-Ark

CyberGuard

Damballa

Digital China

Networks

DG Technology

Enterasys

Enterasys

Enterasys

CatOS for catalyst systems v7.3 and later*

IPS v7.1.10 and later, v7.2.x, v7.3.x

IronPort v5.5, v6.5, v7.1, and v7.5*

Nexus v6.x*

Syslog

Syslog

All events

SDEE All events

Syslog, Log File Protocol All events

All events Firewall Service Module (FWSM) v2.1

and later*

Syslog

Syslog Catalyst Switch IOS, 12.2, 12.5, and later*

NAC Appliance v4.x and later* Syslog

All events

Audit, error, failure, quarantine, and infected events

Nexus-OS events

Cisco PIX events

All events

All events

PIX Firewall v5.x, v6.3, and later*

IOS 12.2, 12.5, and later*

Syslog

Syslog

VPN 3000 Concentrator vVPN 3005,

4.1.7.H*

Syslog

Wireless Services Modules (WiSM) v

5.1 and later*

Syslog

Identity Services Engine v1.1*

NetScaler v9.3 to v10.0*

Access Gateway v4.5*

UDP Multiline Syslog

Protocol

Syslog

Syslog

All events

Device events

All events

Access, audit, and diagnostic events

All events CloudPassage Halo

CorreLog Agent for IBM z/OS

CRYPTO- Shield v6.3*

Vault v6.x*

Firewall/VPN KS1000 v5.1*

Syslog, Log file

Syslog LEEF

Syslog

Syslog

Syslog

Failsafe v5.0.2 and later* Syslog

DCS and DCRS Series switches v1.8.7

and later*

Syslog

All events

All events

All events

CyberGuard events

Yes

Yes

No

Yes

No

Yes

Yes

Yes

Yes

No

Yes

Yes

All events Yes

DCS and DCRS IPv4 events No

No

No

Yes

Yes

Yes

Yes

Yes

DG Technology MEAS

800-Series Switch*

Dragon v5.0, 6.x, v7.1, v7.2, v7.3, and v7.4*

Matrix Router v3.5*

LEEF Syslog

Syslog

Mainframe events

All events

Syslog SNMPv1 SNMPv3 All relevant Enterasys

Dragon events

Syslog SNMPv1 SNMPv2

SNMPv3

SNMP and syslog login, logout, and login failed events

Yes

Yes

Yes

Yes

No

No

Yes

Yes

Yes

No

No

No

No

No

No

No

No

No

No

Yes

No

Yes

Yes

No

No

No

Yes

Yes

No

No

Yes

No

Includes custom properties?

No

No

No

No

No

No

No

No

No

No

No

No

No

No

No

No

No

Yes

No

Yes

No


Table 93: Extreme Security Supported DSMs (continued)

Manufacturer

Enterasys

Enterasys

Enterasys

Enterasys

Enterasys

Enterasys

Enterasys

FreeRADIUS

ForeScout

Fortinet

Foundry

Device name and version

NetSight Automatic Security Manager v3.1.2*

Matrix N/K/S Series Switch v6.x, v7.x*

Stackable and Standalone Switches*

XSR Security Router v7.6.14.0002*

HiGuard Wireless IPS V2R2.0.30*

HiPath Wireless Controller V2R2.0.30*

NAC v3.2 and v3.3*

FreeRADIUS V2.x

CounterACT v7.x and later*

Protocol

Syslog

Syslog

Extreme Networks Extreme Ware v7.7 and XOS v12.4.1.x* Syslog

F5 Networks BIG-IP AFM v11.3* Syslog

F5 Networks

F5 Networks

F5 Networks

F5 Networks

Fair Warning

Fidelis Security

Systems

FireEye

BIG-IP LTM v4.5, v9.x to v11.x*

BIG-IP ASM v10.2*

BIG-IP APM v10.x, and v11.x*

FirePass v7.0*

Fair Warning v2.9.2*

Fidelis XPS 7.3.x*

FireEye CMS, MPS, EX, AX, NX, FX, and HX

Syslog

Syslog

Syslog

Syslog

Syslog

Log File Protocol

Syslog

FortiGate FortiOS v2.5 and later*

FastIron v3.x.x and v4.x.x*

Syslog

Syslog

Syslog

Syslog

Syslog

Syslog

Syslog

Syslog

Syslog

Recorded events and formats

All events

Auto discovered?

Includes identity?

Yes No

No All relevant Matrix K-

Series, N-Series and S-

Series device events

All events

All events

All events

All events

All events

Yes

All events No

Network, network DoS, protocol security, DNS, and

DNS DoS events

Yes

All events

All events

No

No

All events

All events

All events

Alert events

Yes

Yes

No

Yes

Yes

Yes

Yes

Yes

Yes

All relevant events

Common Event Format

(CEF) formatted messages

Log Extended Format

(LEEF)

No

All events

Yes

Denial of Service, system, exploit, authentication, and suspicious events

No

All events

All events

Yes

Yes

Yes

No

Yes

Yes

Yes

No

No

No

No

Yes

No

Yes

Yes

No

No

No

Yes

Yes

No

No

No

No

No

No

No

No

No

No

No

No

No

No

No

No

Includes custom properties?

No

No

Yes

No


Manufacturer

genua

Great Bay

HBGary

HP

HP

HP

Honeycomb Technologies

Huawei

Huawei

IBM®

IBM®

IBM®

IBM®

IBM®

IBM®

IBM®

IBM®

IBM®

IBM®

Device name and version Protocol Recorded events and formats

Auto discovered?

genugate 8.2 and later

Syslog

General error messages

High availability

General relay messages

Relay-specific messages

genua programs/daemons

EPSI Accounting Daemon gg/src/acctd

Configfw FWConfig

ROFWConfig

User-Interface

Webserver

Yes

Yes

Yes

No

Beacon*

Active Defense v1.2 and later*

Tandem*

ProCurve K.14.52*

UX v11.x and later*

Lexicon File Integrity Monitor mesh service v3.1 and later*

S Series Switch S5700, S7700, and S9700 using V200R001C00

Syslog

Syslog

Log File Protocol

Syslog

Syslog

Syslog

All events

All events

Safe Guard Audit file events

All events

All events

integrity events

Syslog

IPv4 events from S5700, S7700, and S9700 Switches

IPv4 events

AR Series Router (AR150, AR200, AR1200, AR2200, and AR3200 routers using V200R002C00)

AIX® v6.1 and v7.1

AIX® 5.x, 6.x, and v7.x

AS/400® iSeries® DSM V5R4 and later

AS/400® iSeries® - Robert Townsend Security Solutions V5R1 and later

Syslog

Syslog, Log File Protocol

Configured audit events

Syslog

Authentication and operating system events

Log File Protocol

Syslog

All events

CEF formatted messages

No

No

Yes

Yes

No

Yes

Yes

No

Yes

AS/400® iSeries® - Powertech Interact V5R1 and later

Syslog

LEEF

Federated Directory Server V7.2.0.2 and later*

InfoSphere® 8.2p45

Syslog

SNMP

ISS Proventia® M10 v2.1_2004.1122_15.13.53*

Lotus® Domino® v8.5*

Proventia® Management SiteProtector™ v2.0 and v2.9*

SNMP

JDBC

CEF formatted messages

Yes

FDS Audit

Policy builder events

All events

All events

IPS and audit events

Yes

No

No

No

No

Includes identity?

Yes

Yes

No

No

No

Yes

No

No

No

No

Yes

Yes

Yes

Yes

No

No

No

No

No

Includes custom properties?

No

No

No

No

No

No

No

No

No

No

No

No

No

No

No

No

No

No

No


Manufacturer

IBM®

IBM®

IBM®

IBM®

IBM®

IBM®

IBM®

IBM®

IBM®

IBM®

IBM®

IBM®

IBM®

IBM®

IBM®

IBM®

IBM®

IBM®

Imperva

Infoblox

Device name and version Protocol Recorded events and formats

Auto discovered?

RACF® v1.9 to v1.13*

CICS® v3.1 to v4.2*

DB2® v8.1 to v10.1*

z/OS® v1.9 to v1.13

Informix® v11*

Log File Protocol

Log File Protocol

Log File Protocol

Log File Protocol

Log File Protocol

Log File Protocol

Syslog

All events

All events

All events

All events

All events

All events

System, access, and security events

IMS™*

Security Network Protection (XGS) v5.0 with fixpack 7*

Security Network IPS v4.6 and later

Security Identity Manager 6.0.x and later*

IBM® Security Trusteer Apex™ Advanced Malware Protection

IBM® SmartCloud Orchestrator v2.3 FP1 and later

Tivoli® Access Manager IBM® Web Security Gateway v7.x*

Tivoli® Endpoint Manager v8.2.x and later

WebSphere® Application Server 5.0.x to 6.1

Log File Protocol

WebSphere® DataPower® FirmwareV6 and V7

Syslog

zSecure™ Alert v1.13.x and later*

Security Access Manager v8.1 and v8.2*

Security Directory v6.3.1 and later*

UNIX™ syslog

Syslog

Syslog LEEF

SecureSphere v6.2 and v7.x or 9.5 and 10.0 (LEEF)*

Syslog

NIOS v6.x*

Syslog

Syslog

JDBC

Security, health, and system events

Audit and recertification events

Yes

No

Syslog/LEEF

Log File Protocol

Malware Detection

Exploit Detection

Data Exfiltration Detection

Lockdown for Java™ Event

File Inspection Event

Apex Stopped Event

Apex Uninstalled Event

Policy Changed Event

ASLR Violation Event

ASLR Enforcement Event

Password Protection Event

Yes

Audit Records

No

IBM® SmartCloud Orchestrator REST API

Syslog

audit, access, and HTTP events

IBM® Tivoli® Endpoint Manager SOAP Protocol

Server events

Yes

No

All events

All events

Alert events

Audit, system, and authentication events

All events

All events

All events

No

Yes

Yes

Yes

Yes

Yes

No

No

No

No

No

No

No

Yes

Includes identity?

No

No

No

No

No

No

No

No

Yes

Yes

Yes

Yes

Yes

Yes

No

Yes

No

Yes

No

Yes

No

No

No

No

Yes

Yes

Yes

No

Includes custom properties?

Yes

No

No

No

No

No

No

No

No

No

No

No


Manufacturer Device name and version Protocol Recorded events and formats

Auto discovered?

Internet Systems Consortium (ISC)

iT-CUBE

Itron

Juniper Networks

Juniper Networks

Juniper Networks

Juniper Networks

Juniper Networks

Juniper Networks

Juniper Networks

BIND v9.9*

agileSI v1.x*

Openway Smart Meter*

AVT*

DDoS Secure*

DX*

Juniper Networks*

Infranet Controller v2.1, v3.1 & v4.0*

Juniper Networks Firewall and VPN v5.5r3 and later*

Juniper Networks Junos WebApp Secure v4.2.x

IDP v4.0, v4.1 & v5.0

Junos OS v7.x to v10.x Ex Series* Ethernet Switch DSM only supports v9.0 to v10.x*

Syslog

SMB Tail

Syslog

JDBC

Syslog

Syslog

Syslog

Syslog

Syslog

Syslog

Network and Security Manager (NSM) and Juniper SSG v2007.1r2 to 2007.2r2, 2008.r1, 2009r1.1, 2010.x*

Syslog

Secure Access RA*

Juniper SA version 6.1R2 and Juniper IC version 2.1*

Syslog

All events

AgileSI SAP events

All events

All events

All events

Status and network condition events

All events

NetScreen Firewall events

Yes

No

Yes

No

Yes

Yes

No

Yes

Incident and access events

Yes

NetScreen IDP events

NetScreen NSM events

Syslog or PCAP Syslog***

All events

All events

Yes

Yes

Yes**

Yes

Audit, system, firewall, and IPS events

No

Juniper Networks

Juniper Networks

Juniper Networks

Juniper Security Binary Log Collector

SRX or J Series appliances at v12.1 or above

Binary

Steel-Belted Radius v5.x and later*

vGW Virtual Gateway v4.5*

Syslog

Syslog

Syslog

All events

Firewall, admin, policy and IDS Log events

All events

Yes

Yes

Yes

Juniper Networks

Kaspersky

Wireless LAN Controller*

Wireless LAN devices with Mobility System Software (MSS) V7.6 and later*

Security Center v9.2 and later

JDBC, LEEF

Kisco

Antivirus, server, and audit events

No

All events

No

Lastline

Lieberman

Linux™

Kisco Information Systems SafeNet/i V10.11

Log File

Lastline Enterprise 6.0

Random Password Manager v4.8x*

LEEF

Syslog

Open Source Linux™ OS v2.4 and later*

Syslog

Anti-malware

All events

Operating system events

Yes

Yes

Yes

Includes identity?

No

Yes

Yes

No

Yes

No

No

No

No

Yes

No

No

No

Yes

No

No

No

Yes

Yes

No

Yes

No

Yes

Yes

Yes

Yes

No

No

No

No

No

No

No

Yes

Yes

No

Yes

Yes

No

No

Yes

No

Yes

Includes custom properties?

No


Manufacturer

Linux™

Linux™

McAfee

McAfee

McAfee

McAfee

McAfee

MetaInfo

Microsoft™

Microsoft™

Microsoft™

Microsoft™

Microsoft™

Microsoft™

Microsoft™

Microsoft™

Microsoft™

Microsoft™

Microsoft™

Microsoft™

Motorola

NetApp

Device name and version Protocol Recorded events and formats

Auto discovered?

DHCP Server v2.4 and later*

IPtables kernel v2.4 and later*

Intrushield v2.x - v5.x*

Intrushield v6.x - v7.x*

Syslog

Syslog

Syslog

Syslog

All events from a DHCP server

Accept, Drop, or Reject events

Alert notification events

Yes

Yes

Yes

Alert and fault notification events

Yes

No

No

ePolicy Orchestrator v3.5 to v4.6

JDBC, SNMPv2, SNMPv3

AntiVirus events

Application / Change Control v4.5.x*

JDBC

Change management events

Web v6.0.0 and later*

MetaIP v5.7.00-6059 and later*

IIS v6.0 and 7.0*

Syslog, Log File Protocol

Syslog

Syslog

All events

All events

HTTP status code events

Yes

Yes

Yes

Internet and Acceleration (ISA) Server or Threat Management Gateway 2006*

Syslog

Exchange Server 2003, 2007, and 2010

Windows™ Exchange Protocol

ISA or TMG events

Yes

Exchange mail and security events

No

Malware detection events

No

All events

No

All events

Yes

Endpoint Protection 2012*

Hyper V v2008 and v2012*

JDBC

WinCollect

IAS Server v2000, 2003, and 2008

Syslog

Microsoft™ Windows™ Event Security Log v2000, 2003, 2008, XP, Vista, and Windows™ 7 (32 or 64-bit systems supported)

Syslog non-Syslog

Microsoft™ Windows™ Event Log Protocol Source

Common Event Format (CEF) format,

Log Event Extended Format (LEEF)

SQL Server 2008, 2012, and 2014

SharePoint 2010*

JDBC

JDBC

DHCP Server 2000/2003*

Operations Manager 2005*

System Center Operations Manager 2007*

Symbol AP firmware v1.1 to 2.1*

Data ONTAP*

Syslog

JDBC

JDBC

Syslog

Syslog

All events

SQL Audit events

SharePoint audit, site, and file events

All events

All events

All events

All events

CIFS events

Yes

No

No

Yes

No

No

No

Yes

Includes identity?

Yes

No

No

No

No

Yes

No

Yes

No

No

No

No

No

No

Yes

No

No

Yes

No

No

No

Yes

No

No

No

No

Yes

No

No

No

No

No

No

No

No

No

No

Includes custom properties?

No

No

No

No

No

No

No


Manufacturer Device name and version Protocol Recorded events and formats

Nortel

Nortel*

Nortel*

Nortel*

Nortel

Nortel

Nortel

Netskope

Niksun

Nokia

Nokia

Nominum

Nortel

Nortel

Nortel

Nortel

Nortel

Nortel

Nortel

Novell

ObserveIT

OpenBSD Project

Open LDAP

Foundation

Open Source

OpenStack

Netskope Active

NetVCR 2005 v3.x*

Firewall NG FP1, FP2, FP3, AI R54, AI R55, NGX on IPSO v3.8 and later*

VPN-1 NG FP1, FP2, FP3, AI R54, AI R55, NGX on IPSO v3.8 and later

Vantio v5.3*

Contivity *

Application Switch v3.2 and later*

Netskope Active REST API

Syslog

Syslog or OPSEC LEA

Syslog or OPSEC LEA

Syslog

Syslog

Syslog

Alert, All events

Niksun events

All events

All events

ARN v15.5

Ethernet Routing Switch 2500 v4.1*

Ethernet Routing Switch 4500 v5.1*

Ethernet Routing Switch 5500 v5.1*

Ethernet Routing Switch 8300 v4.1*

Ethernet Routing Switch 8600 v5.0*

VPN Gateway v6.0, 7.0.1 and later, v8.x*

Secure Router v9.3, v10.1*

Secure Network Access Switch v1.6 and v2.0*

Switched Firewall 5100 v2.4*

Switched Firewall 6000 v4.2*

Threat Protection System v4.6 and v4.7*

eDirectory v2.7*

ObserveIT 5.7.x and later*

OpenBSD v4.2 and later*

Open LDAP 2.4.x*

SNORT v2.x*

OpenStack V2014.1

Syslog

Syslog

Syslog

Syslog

Syslog

Syslog

Syslog

Syslog

Syslog

Syslog or OPSEC

Syslog or OPSEC

Syslog

Syslog

JDBC

Syslog

UDP Multiline Syslog

Syslog

HTTP Receiver

All events

All events

Status and network condition events

All events

All events

All events

All events

All events

All events

All events

All events

All events

All events

All events

All events

All events

Alerts

User Activity

System Events

Session Activity

DBA Activity

All events

All events

All events

Audit events

No

No

No

Yes

Yes

Yes

Yes

No

Yes

No

Yes

No

Yes

Yes

Yes

Yes

No

No

No

No

No

Yes

No

Yes

Auto discovered?

Includes identity?

No

Yes

No

Yes

Yes

No

No

Yes

No

Yes

Yes

No

No

No

Yes

Yes

Yes

Yes

No

No

Yes

Yes

Yes

Yes

Yes

Yes

No

No

No

No

No

No

No

Includes custom properties?

No

No

No

No

No

No

No

No

No

No

No

No

No

No

No

No

No

No


Manufacturer Device name and version Protocol Recorded events and formats

Auto discovered?

Oracle

Oracle

Oracle

Oracle

Oracle

Audit Records v9i, v10g, and v11g*

Syslog

JDBC

Audit Vault v10.2.3.2 and later*

OS Audit v9i, v10g, and v11g*

JDBC

Syslog

BEA WebLogic v10.3.x*

Log File Protocol

Database Listener v9i, v10g, and v11g*

Syslog

All relevant Oracle events

Yes

Oracle events

Oracle events

Oracle events

Oracle events

No

Yes

No

Yes

Oracle Fine Grained Auditing v9i and v10g*

DefensePro v4.23 and 5.01*

AS/400® iSeries® Firewall 15.7 and Audit 11.7*

JDBC

Select, insert, delete, or update events for tables configured with a policy

No

OSSEC

OSSEC v2.6 and later*

Palo Alto Networks

PanOS v3.0 and later

Pirean

PostFix

ProFTPd

Proofpoint

Syslog

Syslog

All relevant

All events

Yes

Yes

Access: One v2.2 with DB2® v9.7*

JDBC

Access management and authentication events

Mail Transfer Agent v2.6.6 and later*

UDP Multiline Protocol or Syslog

Mail events

ProFTPd v1.2.x, v1.3.x*

Syslog

All events

Proofpoint Enterprise Protection and Enterprise Privacy versions 7.0.2, 7.1, or 7.2*

Syslog

No

No

Yes

System, email audit, email encryption, and email security threat classification events

No

Radware

Raz-Lee iSecurity

Syslog

Syslog

All events

Yes

Security and audit events

Yes

Redback Networks

ASE v6.1.5*

Riverbed SteelCentral NetProfiler

Riverbed SteelCentral NetProfiler Audit

Syslog

JDBC

Log file protocol

All events

Alert events

Audit events

Yes

No

No

RSA

All events

No

SafeNet

Salesforce

Salesforce

Authentication Manager v6.x, v7.x and v8.x

Syslog or Log File Protocol

DataSecure v6.3.0 and later

Syslog

Security Auditing

Security Monitoring

Log File Protocol

Salesforce REST API

All events

Yes

Setup Audit Records

No

Login History

Account History

Case History

Entitlement History

Service Contract History

Contract Line Item History

Contract History

Contact History

Lead History

Opportunity History

Solution History

No

Includes identity?

No

Yes

No

No

Yes

No

No

Yes

Yes

No

No

No

Yes

No

No

No

Yes

No

No

No

Yes

No

No

No

No

Includes custom properties?

No

No

No

No

No

No

No

No

No

No

No

No

No

No

No

No

No


Manufacturer Device name and version Protocol Recorded events and formats

Auto discovered?

Sun

Sun

Sun

Samhain Labs

HIDS v2.4*

Secure Computing

Sidewinder G2 v61*

Sentrigo

Hedgehog v2.5.3*

SolarWinds

SonicWALL

Orion v2011.2*

UTM/Firewall/VPN Appliance v3.x and later*

Sophos

Sophos

Sophos

Sophos

Sourcefire

Sourcefire

Syslog

JDBC

Syslog

Syslog

Syslog

Syslog

Astaro v8.x*

Enterprise Console v4.5.1 and v5.1*

Syslog

Sophos Enterprise Console protocol

JDBC

JDBC

PureMessage v3.1.0.0 and later for Microsoft™ Exchange v5.6.0 for Linux™*

Web Security Appliance v3.x*

Intrusion Sensor IS 500, v2.x, 3.x, 4.x

Defense Center v4.8.0.2 to v5.2.0.4.

Syslog

Syslog

Sourcefire Defense Center

Splunk

Squid

Microsoft™ Windows™ Security Event Log*

Windows-based event provided by Splunk Forwarders

Web Proxy v2.5 and later*

Syslog

Starent Networks

Starent Networks*

STEALTHbits Technologies

STEALTHbits Technologies

STEALTHbits Technologies

Stonesoft

Sun

StealthINTERCEPT

STEALTHbits StealthINTERCEPT Alerts

STEALTHbits StealthINTERCEPT Analytics

Management Center v5.4*

Solaris v5.8, v5.9, Sun OS v5.8, v5.9*

Solaris DHCP v2.8*

Solaris Sendmail v2.x

Solaris Basic Security Mode (BSM) v5.10 and later*

Syslog

Syslog LEEF

Syslog LEEF

Syslog LEEF

Syslog

Syslog

Syslog

Syslog

Log File Protocol

Proofpoint 7.5 and 8.0

Sendmail log

Log File Protocol

All events

All events

All events

All events

All events

All events

All events

Yes

All cache and access log events

All events

Active Directory Audit Events

Yes

Yes

Yes

Active Directory Alerts Events

Yes

Active Directory Analytics Events

Yes

Management Center, IPS, Firewall, and VPN Events

Yes

All events

All events

All events

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

No

Quarantined email events

No

Transaction log events

All events

All events

All events

All events

Yes

Yes

No

No

No

Includes identity?

No

No

No

No

No

No

No

No

No

No

No

Yes

No

No

No

No

No

No

Yes

Yes

No

Yes

No

No

No

No

No

No

No

No

No

No

No

No

Includes custom properties?

No

No

No

No

No

No

No

No

No

No


Manufacturer Device name and version Protocol

Sun

Sybase

Symantec

Symantec

Symantec

Symantec

Symantec

Symark

ThreatGRID

TippingPoint

TippingPoint

Top Layer

Trend Micro

Trend Micro

Trend Micro

Trend Micro

Tripwire

ONE LDAP v11.1

Log File Protocol

ASE v15.0 and later*

Endpoint Protection v11 and v12*

JDBC

Syslog

SGS Appliance v3.x and later*

SSC v10.1*

Syslog

JDBC

Data Loss Prevention (DLP) v8.x and later*

Syslog

PGP Universal Server 3.0.x*

PowerBroker 4.0*

Syslog

Syslog

Malware Threat Intelligence Platform v2.0*

Log file protocol

Syslog

Intrusion Prevention System (IPS) v1.4.2 to v3.2.x*

Syslog

X505/X506 v2.5 and later*

IPS 5500 v4.1 and later*

Control Manager v5.0 or v5.5 with hotfix 1697 or hotfix 1713 after SP1 Patch 1*

Syslog

Syslog

SNMPv1

SNMPv2

SNMPv3

Deep Discovery v3.x

InterScan VirusWall v6.0 and later*

Office Scan v8.x and v10.x*

Enterprise Manager v5.2 and later*

Syslog

Syslog

SNMPv2

Syslog

Tropos Networks

Trusteer™

Universal

Universal

Universal

Universal

Tropos Control v7.7*

Syslog

Apex Local Event Aggregator v1304.x and later*

Syslog

Syslog and SNMP

Syslog

Authentication Server

Firewall

Syslog

SNMP

SDEE

Syslog

Log File Protocol

Syslog

Syslog

All events

All events

Yes

Yes

All events

No

Resource additions, removal, and modification events

Yes

Fault management, login/logout, provision, and device image upload events

No

Malware, exploit, and data exfiltration detection events

Yes

All events

No

All events

All events

All events

No

No

No

Recorded events and formats

Auto discovered?

All relevant access and LDAP events

No

All events

No

All Audit and Security Logs

Yes

All events

All events

All events

Yes

Yes

No

Includes identity?

No

No

No

No

No

No

All events

All events

Malware events

All events

All events

All events

All events

Yes

Yes

No

No

Yes

Yes

Yes

No

No

No

No

Yes

No

No

No

No

No

No

No

No

No

No

Yes

Yes

No

No

Includes custom properties?

No

No

No

No

No

No

No

Yes

Yes

Yes

No

No

No

No

No

No

No

No

No

No

No


Manufacturer

Verdasys

Vericept

VMware

VMware

VMware

VMWare

Vormetric, Inc.

Digital Guardian 6.0.x*

Content 360 up to v8.0*

VMware ESX or ESXi 3.5.x, 4.x, and 5.x*

vCenter v5.x*

vCloud v5.1*

vShield*

Vormetric Data Security*

Syslog

Syslog

Syslog

VMWare protocol

VMWare protocol

vCloud protocol

Syslog

Syslog (LEEF)

Watchguard

Websense

Websense

Websense

Zscaler

Device name and version

WatchGuard Fireware OS

TRITON v7.7*

V Series Data Security Suite (DSS) v7.1.x and later*

V Series Content Gateway v7.1.x and later*

Zscaler NSS v4.1*

Protocol

Syslog

Syslog

Syslog

Log File Protocol

Syslog

Recorded events and formats

All events

All events

All events

Auto discovered?

Includes identity?

Yes

Yes

Yes if syslog

No

No

No

All events

All events

All events

Audit

Alarm

Warn

Learn Mode

System

All events

All events

All events

No

No

Yes

Yes

Yes

Yes

Yes

No

No

No

Yes

No

No

No

All events

Web log events

No

Yes

No

No

No

No

No

No

No

No

Includes custom properties?

No

No

No

No

No

No
