Security Threat Response Manager
STRM Log Management Administration
Guide
Release 2008.2
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089
USA
408-745-2000
www.juniper.net
Part Number: 530-xxxxx-01, Beta Draft
Copyright Notice
Copyright © 2008 Juniper Networks, Inc. All rights reserved. Juniper Networks and the Juniper Networks logo are registered trademarks of Juniper
Networks Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered service marks in this document are the property of Juniper Networks or their respective owners. All specifications are subject to change without notice. Juniper Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
FCC Statement
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense. The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with NetScreen’s installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
Reorient or relocate the receiving antenna. Increase the separation between the equipment and receiver. Consult the dealer or an experienced radio/TV technician for help. Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.
Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.
Disclaimer
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET
THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE
SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR JUNIPER NETWORKS REPRESENTATIVE FOR A COPY.
STRM Log Management Administration Guide
Release 2008.2
Copyright © 2008, Juniper Networks, Inc.
All rights reserved. Printed in USA.
Revision History
18 April 2008—Revision 2
The information in this document is current as of the date listed in the revision history.
Contents

About This Guide
1 Overview
Accessing the Administration Console 4
Viewing STRM Log Management Audit Logs 5
2 Managing Users
3 Setting Up STRM Log Management
Exporting Your License Key Information 21
Creating Your Network Hierarchy 22
Defining Your Network Hierarchy 23
Scheduling Automatic Updates 26
Configuring STRM Log Management Settings 27
Configuring System Notifications 31
Configuring the Console Settings 33
Starting and Stopping STRM Log Management 35
Accessing the Embedded SNMP Agent 35
Configuring Access Settings 36
Configuring Firewall Access 36
Configuring Interface Roles 39
4 Managing Backup and Recovery
Managing Backup Archives 45
Viewing Backup Archives 45
Importing an Archive 46
Deleting a Backup Archive 47
Backing Up Your Information 48
Scheduling Your Backup 48
Initiating a Backup 49
Restoring Your Configuration Information 50
5 Using the Deployment Editor
About the Deployment Editor 54
Accessing the Deployment Editor 55
Editing Deployment Editor Preferences 58
Forwarding Normalized Events 61
Using NAT with STRM Log Management 68
Assigning a Component to a Host 72
Configuring STRM Log Management Components 76
Configuring an Event Collector 76
Configuring an Event Processor 77
6 Forwarding Syslog Data
Adding a Syslog Destination 79
Editing a Syslog Destination 80
Deleting a Syslog Destination 81
ABS
Index
About This Guide

The STRM Log Management Administration Guide provides you with information for managing STRM Log Management functionality requiring administrative access.

Audience
This guide is intended for the system administrator responsible for setting up STRM Log Management in your network. This guide assumes that you have STRM Log Management administrative access and a knowledge of your corporate network and networking technologies.

Conventions
Table 1 lists conventions that are used throughout this guide.

Table 1 Icons
Icon Type          Description
Information note   Information that describes important features or instructions.
Caution            Information that alerts you to potential loss of data or potential damage to an application, system, device, or network.
Warning            Information that alerts you to potential personal injury.

Technical Documentation
You can access technical documentation, technical notes, and release notes directly from the Juniper Networks Support Web site at http://www.juniper.net/support/.

Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. Send your comments to [email protected], or fill out the documentation feedback form at http://www.juniper.net/techpubs/docbug/docbugreport.html. If you are using e-mail, be sure to include the following information with your comments:
• Document name
• Document part number
• Page number
• Software release version

Requesting Support
• Open a support case using the Case Management link at http://www.juniper.net/support/ or call 1-888-314-JTAC (from the United States, Canada, or Mexico) or 1-408-745-9500 (from elsewhere).
1 Overview

This chapter provides an overview of the STRM Log Management Administration Console and STRM Log Management administrative functionality including:
• About the Interface
• Accessing the Administration Console
• Viewing STRM Log Management Audit Logs

About the Interface
You must have administrative privileges to access the Administration Console. The STRM Log Management Administration Console provides access to the following administrative functionality:
• Manage users. See Chapter 2 Managing Users.
• Manage STRM Log Management. See Chapter 3 Setting Up STRM Log Management.
• Back up and recover your data. See Chapter 4 Managing Backup and Recovery.
• Manage your deployment views. See Chapter 5 Using the Deployment Editor.
• Configure syslog forwarding. See Chapter 6 Forwarding Syslog Data.

All configuration updates using the Administration Console are saved to a staging area. Once all changes are complete, you can deploy the configuration changes or all configuration settings to the remainder of your deployment.
Accessing the Administration Console
You can access the STRM Log Management Administration Console through the main STRM Log Management interface. Also, you can create a shortcut on your desktop that allows you to access the Administration Console directly.
To access the Administration Console, click Config in the main STRM Log Management interface. The Administration Console appears.
Using the Interface
The Administration Console provides several tab and menu options that allow you to configure STRM Log Management including:
• System Configuration - Provides access to administrative functionality, such as user management, automatic updates, license key, network hierarchy, STRM settings, system thresholds, backup and recovery, and Console configuration.
• SIM Configuration - Provides access to sensor device management and syslog forwarding.

The Administration Console also includes several menu options:

Table 1-1 Administrative Console Menu Options
Menu Option     Sub-Menu                       Description
File            Close                          Closes the Administration Console.
Configurations  Deployment Editor              Opens the deployment editor interface.
                Deploy configuration changes   Deploys any configuration changes from the current session to your deployment.
                Deploy All                     Deploys all configuration settings to your deployment.
System          STRM Start                     Starts the STRM Log Management application.
                STRM Stop                      Stops the STRM Log Management application.
                STRM Restart                   Restarts the STRM Log Management application.
Help            Help and Support               Opens user documentation.
                About STRM                     Displays version information.

The Administration Console provides several toolbar options:

Table 1-2 Administration Console Toolbar Options
Icon     Description
(icon)   Opens the deployment editor interface.
(icon)   Deploys all changes made through the Administration Console.
Deploying Changes
Once you update your configuration settings using the Administration Console, you must save those changes to the staging area. You must either manually deploy all changes using the Deploy menu option or, upon exit, a window appears prompting you to deploy changes before you exit. All deployed changes are then enforced throughout your deployment.
Using the Administration Console menu, you can deploy changes as follows:
• Deploy All - Deploys all configuration settings to your deployment.
• Deploy configuration changes - Deploys any configuration changes from the current session to your deployment.
Viewing STRM Log Management Audit Logs
Changes made by STRM Log Management users are recorded in the audit logs. You can view the audit logs to monitor changes to STRM Log Management and the users performing those changes.
All audit logs are stored in plain text and are archived and compressed once the audit log file reaches a size of 200 MB. The current log file is named audit.log. Once the file reaches a size of 200 MB, the file is compressed and renamed as follows: audit.1.gz, audit.2.gz, etc., with the file number incrementing each time a log file is archived. STRM Log Management stores up to 50 archived log files.
This section provides information on using the audit logs including:
• Logged Actions
• Viewing the Log File
Logged Actions
STRM Log Management logs the following categories of actions in the audit log file:

Table 1-3 Logged Actions
Category                      Action
User Authentication           Log in to STRM Log Management
                              Log out of STRM Log Management
Administrator Authentication  Log in to the STRM Log Management Administration Console
                              Log out of the STRM Log Management Administration Console
Root Login                    Log in to STRM Log Management, as root
                              Log out of STRM Log Management, as root
User Accounts                 Adding an account
                              Editing an account
                              Deleting an account
User Roles                    Adding a role
                              Editing a role
                              Deleting a role
Sensor Devices                Adding a sensor device
                              Editing a sensor device
                              Deleting a sensor device
                              Adding a sensor device group
                              Editing a sensor device group
                              Deleting a sensor device group
Protocol Configuration        Adding a protocol configuration
                              Deleting a protocol configuration
                              Editing a protocol configuration
Syslog Forwarding             Adding a syslog forwarding
                              Deleting a syslog forwarding
                              Editing a syslog forwarding
Reports                       Adding a template
                              Deleting a template
                              Editing a template
                              Executing a template
                              Deleting a report
Groups                        Adding a group
                              Deleting a group
                              Editing a group
Sensor Device Extension       Adding a sensor device extension
                              Editing the sensor device extension
                              Deleting a sensor device extension
                              Uploading a sensor device extension
                              Uploading a sensor device extension successfully
                              Downloading a sensor device extension
                              Reporting a sensor device extension
                              Modifying a sensor device's association to a device or device type
Backup and Recovery           Editing the configuration
                              Initiating the backup
                              Completing the backup
                              Failing the backup
                              Deleting the backup
                              Synchronizing the backup
                              Cancelling the backup
                              Initiating the restore
                              Uploading a backup
                              Uploading an invalid backup
                              Deleting the backup
License                       Adding a license key
                              Editing a license key
Viewing the Log File
To view the audit logs:
Step 1 Log in to STRM Log Management as root.
Step 2 Go to the following directory:
/var/log/audit
Step 3 Open the desired audit log file.

Each entry in the log file displays using the following format:
<date_time> <host name> <user>@<IP address> (thread ID) [<category>] [<sub-category>] [<action>] <payload>
Note: The maximum size of any audit message (not including date, time, and host name) is 1024 characters.
Where:
<date_time> is the date and time of the activity in the format: Month Date HH:MM:SS.
<host name> is the host name of the Console where this activity was logged.
<user> is the name of the user that performed the action.
<IP address> is the IP address of the user that performed the action.
(thread ID) is the identifier of the Java thread that logged this activity.
<category> is the high-level category of this activity.
<sub-category> is the low-level category of this activity.
<action> is the activity that occurred.
<payload> is the complete record that has changed, if any. This may include a user record or an event rule.

For example:
Nov 6 12:22:31 localhost.localdomain [email protected] (Session) [Authentication] [User] [Login]
Nov 6 12:22:31 localhost.localdomain [email protected] (0) [Configuration] [User Account] [Account Modified] username=james, password=/oJDuXP7YXUYQ, networks=ALL, [email protected], userrole=Admin
Nov 13 10:14:44 localhost.localdomain [email protected] (0) [Configuration] [FlowSource] [FlowSourceModified] Flowsource( name="tim", enabled="true", deployed="false", asymmetrical="false", targetQflow=DeployedComponent(id=3), flowsourceType=FlowsourceType(id=6), flowsourceConfig=FlowsourceConfig(id=1))
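The entry format above, together with the audit.log / audit.N.gz rotation scheme described earlier in this section, is enough to build a reader for these files. The following Python is an added example written for this guide, not code shipped with STRM; it parses entries into fields, masks the password hash that an Account Modified payload carries before the entry is forwarded anywhere, walks the current log and its archives in rotation order, and tallies console logins per user@IP. The sample lines, user names, addresses and hash are constructed.

```python
import gzip
import re
from dataclasses import dataclass, replace
from pathlib import Path
from typing import Dict, Iterable, Iterator, Optional

# One audit.log entry, as documented in "Viewing the Log File":
#   <date_time> <host name> <user>@<IP address> (thread ID) [<category>] [<sub-category>] [<action>] <payload>
# <date_time> is "Month Date HH:MM:SS"; the payload is absent on login/logout entries.
ENTRY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<user>[^@\s]+)@(?P<ip>\S+) "
    r"\((?P<thread>[^)]*)\) "
    r"\[(?P<category>[^\]]*)\] \[(?P<subcategory>[^\]]*)\] \[(?P<action>[^\]]*)\]"
    r"(?: (?P<payload>.*))?$"
)


@dataclass
class AuditEntry:
    timestamp: str
    host: str
    user: str
    ip: str
    thread: str
    category: str
    subcategory: str
    action: str
    payload: str


def parse_entry(line: str) -> Optional[AuditEntry]:
    """Parse one audit.log line; return None for lines that do not follow the format."""
    m = ENTRY_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    return AuditEntry(
        timestamp=m["ts"], host=m["host"], user=m["user"], ip=m["ip"],
        thread=m["thread"], category=m["category"],
        subcategory=m["subcategory"], action=m["action"],
        payload=m["payload"] or "",
    )


def parse_kv_payload(payload: str) -> Dict[str, str]:
    """Split a 'key=value, key=value' payload such as the Account Modified record."""
    fields: Dict[str, str] = {}
    for part in payload.split(", "):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def redact_secrets(entry: AuditEntry, keys: Iterable[str] = ("password",)) -> AuditEntry:
    """Mask credential fields in the payload before the entry is forwarded or displayed;
    the guide's Account Modified example carries the user's password hash in the payload."""
    fields = parse_kv_payload(entry.payload)
    secret = set(keys)
    if not secret.intersection(fields):
        return entry
    masked = ", ".join(f"{k}={'<redacted>' if k in secret else v}" for k, v in fields.items())
    return replace(entry, payload=masked)


def iter_audit_lines(log_dir: Path) -> Iterator[str]:
    """Yield lines from audit.log, then audit.1.gz, audit.2.gz, ... in archive-number order."""
    current = log_dir / "audit.log"
    if current.exists():
        with current.open(encoding="utf-8", errors="replace") as fh:
            yield from fh
    archives = sorted(log_dir.glob("audit.*.gz"), key=lambda p: int(p.name.split(".")[1]))
    for archive in archives:
        with gzip.open(archive, "rt", encoding="utf-8", errors="replace") as fh:
            yield from fh


def logins_by_origin(lines: Iterable[str]) -> Dict[str, int]:
    """Count [Login] actions per user@IP, a quick check for console access from unexpected hosts."""
    counts: Dict[str, int] = {}
    for line in lines:
        entry = parse_entry(line)
        if entry is not None and entry.action == "Login":
            origin = f"{entry.user}@{entry.ip}"
            counts[origin] = counts.get(origin, 0) + 1
    return counts


# Constructed sample lines in the documented format (user, IP, e-mail and hash are made up).
SAMPLE_LINES = [
    "Nov 6 12:22:31 localhost.localdomain admin@10.0.0.5 (Session) "
    "[Authentication] [User] [Login]",
    "Nov 6 12:22:31 localhost.localdomain admin@10.0.0.5 (0) "
    "[Configuration] [User Account] [Account Modified] username=james, "
    "password=EXAMPLEHASH, networks=ALL, email=james@example.invalid, userrole=Admin",
    "garbage line that should be ignored",
]

if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        parsed = parse_entry(raw)
        print(redact_secrets(parsed) if parsed else f"unparsed: {raw!r}")
    print(logins_by_origin(SAMPLE_LINES))
```

To run it against a real Console, pass Path("/var/log/audit") to iter_audit_lines and feed the result to logins_by_origin.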
2 Managing Users

This chapter provides information on managing STRM Log Management users including:
• Managing Roles
• Managing User Accounts
• Authenticating Users

You can add or remove user accounts for all users that you wish to access STRM Log Management. Each user is associated with a role, which determines the privileges the user has to functionality and information within STRM Log Management. You can also restrict or allow access to areas of the network. By default, the STRM Log Management Administrative (admin) user has unrestricted access to all components of your deployment. You can create multiple admin accounts for your STRM Log Management system.
Managing Roles
You must create a role before you can create user accounts. By default, STRM Log Management provides a default administrative role, which provides access to all areas of STRM Log Management. A user that has been assigned administrative privileges (including the default administrative role) cannot edit their own account. Another administrative user must make any desired changes. Using the Administration Console, you can:
• Create a role. See Creating a Role.
• Edit a role. See Editing a Role.
Creating a Role
To create a role:
Step 1 In the Administration Console, click the System Configuration tab. The System Configuration panel appears.
Step 2 Click the User Roles icon. The Manage User Roles window appears.
Step 3 Click Create Role.
Step 4 Enter values for the parameters. You must select at least one permission to proceed.

Table 2-1 Create Roles Parameters
Parameter      Description
Role Name      Specify the name of the role. The name can be up to 15 characters in length and must only contain integers and letters.
Administrator  Select the check box if you wish to grant this user administrative access to the STRM Log Management interface. Within the administrator role, you can grant additional access to the following:
               • System Administrator - Select this check box if you wish to allow users access to all areas of STRM Log Management. Also, users with this access are not able to edit other administrator accounts.
               • Administrator Manager - Select this check box if you wish to allow users the ability to create and edit other administrative user accounts. If you select this check box, the System Administrator check box is automatically selected.
Event Viewer   Select the check box if you wish this user to have access to the Event Viewer. Within the Event Viewer, you can also grant users additional access to the following:
               • Event Search Restrictions Override - Select the check box if you wish to allow users the ability to override event search restrictions.
               • Customized Rule Creation functionality - Select the check box if you wish to allow users to create rules using the Event Viewer.
               For more information on the Event Viewer, see the STRM Log Management Users Guide.
Reporting      Select the check box if you wish to grant this user access to Reporting functionality. Within the Reporting functionality, you can grant users additional access to the following:
               • Distribute Reports via Email - Select the check box if you wish to allow users to distribute reports through e-mail.
               • Maintain Templates - Select the check box if you wish to allow users to maintain reporting templates.
               For more information, see the STRM Log Management Users Guide.

Step 5 Click Save.
Step 6 Click Return.
Step 7 Close the Manage Roles window. The STRM Log Management Administration Console appears.
Step 8 From the menu, select Configurations > Deploy configuration changes.
Editing a Role
To edit a role:
Step 1 In the Administration Console, click the System Configuration tab. The System Configuration panel appears.
Step 2 Click the User Roles icon. The Manage Role window appears.
Step 3 For the role you wish to edit, click the edit icon. The Permissions for Role window appears.
Step 4 Update the permissions (see Table 2-1), as necessary.
Step 5 Click Return.
Step 6 Click Save.
Step 7 Close the Manage User Roles window. The STRM Log Management Administration Console appears.
Step 8 From the menu, select Configurations > Deploy configuration changes.
Managing User Accounts
You can create a STRM Log Management user account, which allows a user access to selected network components using the STRM Log Management interface. You can also create multiple accounts for your system that include administrative privileges. Only the main administrative account can create accounts that have administrative privileges.
You can create and edit user accounts to access STRM Log Management including:
• Creating a User Account
• Editing a User Account
• Disabling a User Account
Creating a User Account
To create an account for a STRM Log Management user:
Step 1 In the Administration Console, click the System Configuration tab. The System Configuration panel appears.
Step 2 Click the Users icon. The Manage Users window appears.
Step 3 In the Manage Users area, click Add. The User Details window appears.
Step 4 Enter values for the following parameters:

Table 2-2 User Details Parameters
Parameter         Description
Username          Specify a username for the new user. The username must not include spaces or special characters.
Password          Specify a password for the user to gain access. The password must be at least 5 characters in length.
Confirm Password  Re-enter the password for confirmation.
Email Address     Specify the user's e-mail address.
Role              Using the drop-down list box, select the role you wish this user to assume. For information on roles, see Managing Roles. If you select Admin, this process is complete.

Step 5 Click Next. The Selected Network Objects window appears.
Step 6 From the menu tree, select the network objects you wish this user to be able to monitor. The selected network objects appear in the Selected Network Object panel.
Step 7 Choose one of the following options:
a Click Deploy Now to deploy new user information immediately.
b Click Cancel to cancel all updates and return to the Manage Users window.
Step 8 Close the Manage Users window. The STRM Log Management Administration Console appears.
Editing a User Account
To edit a user account:
Step 1 In the Administration Console, click the System Configuration tab. The System Configuration panel appears.
Step 2 Click the Users icon. The Manage Users window appears.
Step 3 In the Manage Users area, click the user account you wish to edit. The User Details window appears.
Step 4 Update the values (see Table 2-2), as necessary.
Step 5 Click Next. If you are editing a non-administrative user account, the Selected Network Objects window appears. If you are editing an administrative user account, go to Step 8.
Step 6 From the menu tree, select the network objects you wish this user to access. The selected network objects appear in the Selected Network Object panel.
Step 7 For all network objects you wish to remove access to, select the object from the Selected Network Objects panel and click Remove.
Step 8 Choose one of the following options:
a Click Deploy Now to deploy new user information immediately.
b Click Cancel to cancel all updates and return to the Manage Users window.
Step 9 Close the Manage Users window. The STRM Log Management Administration Console appears.
Disabling a User Account
To disable a user account:
Step 1 In the Administration Console, click the System Configuration tab. The System Configuration panel appears.
Step 2 Click the Users icon. The Manage Users window appears.
Step 3 In the Manage Users area, click the user account you wish to disable. The User Details window appears.
Step 4 In the Role drop-down list box, select Disabled.
Step 5 Click Next.
Step 6 Close the Manage Users window. The STRM Log Management Administration Console appears. This user no longer has access to the STRM Log Management interface. If this user attempts to log in to STRM Log Management, the following message appears:
This account has been disabled.
Authenticating Users
You can configure authentication to validate STRM Log Management users and passwords. STRM Log Management supports the following user authentication types:
• System Authentication - Users are authenticated locally by STRM Log Management. This is the default authentication type.
• RADIUS Authentication - Users are authenticated by a Remote Authentication Dial-in User Service (RADIUS) server. When a user attempts to log in, STRM Log Management encrypts the password only, and forwards the username and password to the RADIUS server for authentication.
• TACACS Authentication - Users are authenticated by a Terminal Access Controller Access Control System (TACACS) server. When a user attempts to log in, STRM Log Management encrypts the username and password, and forwards this information to the TACACS server for authentication.
• LDAP/Active Directory - Users are authenticated by a Lightweight Directory Access Protocol (LDAP) server using Kerberos.

If you wish to configure RADIUS, TACACS, or LDAP/Active Directory as the authentication type, you must:
• Configure the authentication server before you configure authentication in STRM Log Management.
• Make sure the server has the appropriate user accounts and privilege levels to communicate with STRM Log Management. See your server documentation for more information.
• Make sure the time of the authentication server is synchronized with the time of the STRM Log Management server. For more information on setting STRM Log Management time, see Chapter 3 Setting Up STRM Log Management.

Once authentication is configured and a user enters an invalid username and password combination, a message appears indicating the login was invalid. If the user attempts to access the system multiple times using invalid information, the user must wait the configured amount of time before attempting to access the system again. For more information on configuring system settings for authentication, see Chapter 3 Setting Up STRM Log Management - Configuring the Console Settings. An administrative user can always access STRM Log Management through a third party authentication module or by using the local STRM Log Management Admin password.

To configure authentication:
Step 1 In the Administration Console, click the System Configuration tab. The System Configuration panel appears.
Step 2 Click the Authentication icon. The Authentication window appears.
Step 3 From the Authentication Module drop-down list box, select the authentication type you wish to configure.
Step 4 Configure the selected authentication type:
a If you selected System Authentication, go to Step 5.
b If you selected RADIUS Authentication, enter values for the following parameters:

Table 2-3 RADIUS Parameters
Parameter            Description
RADIUS Server        Specify the hostname or IP address of the RADIUS server.
RADIUS Port          Specify the port of the RADIUS server.
Authentication Type  Specify the type of authentication you wish to perform. The options are:
                     • CHAP (Challenge Handshake Authentication Protocol) - Establishes a Point-to-Point Protocol (PPP) connection between the user and the server.
                     • MSCHAP (Microsoft Challenge Handshake Authentication Protocol) - Authenticates remote Windows workstations.
                     • ARAP (Apple Remote Access Protocol) - Establishes authentication for AppleTalk network traffic.
                     • ASCII
                     • PAP (Password Authentication Protocol) - Sends clear text between the user and the server.
Shared Secret        Specify the shared secret that STRM Log Management uses to encrypt RADIUS passwords for transmission to the RADIUS server.

c If you selected TACACS Authentication, enter values for the following parameters:

Table 2-4 TACACS Parameters
Parameter            Description
TACACS Server        Specify the hostname or IP address of the TACACS server.
TACACS Port          Specify the port of the TACACS server.
Authentication Type  Specify the type of authentication you wish to perform. The options are:
                     • PAP (Password Authentication Protocol) - Sends clear text between the user and the server.
                     • CHAP (Challenge Handshake Authentication Protocol) - Establishes a PPP connection between the user and the server.
                     • MSCHAP (Microsoft Challenge Handshake Authentication Protocol) - Authenticates remote Windows workstations.
                     • MSCHAP2 (Microsoft Challenge Handshake Authentication Protocol version 2) - Authenticates remote Windows workstations using mutual authentication.
                     • EAPMD5 (Extensible Authentication Protocol using MD5 Protocol) - Uses MD5 to establish a PPP connection.
Shared Secret        Specify the shared secret that STRM Log Management uses to encrypt TACACS passwords for transmission to the TACACS server.

d If you selected LDAP/Active Directory, enter values for the following parameters:

Table 2-5 LDAP/Active Directory Parameters
Parameter     Description
Server URL    Specify the URL used to connect to the LDAP server. For example, ldap://<host>:<port>
LDAP Context  Specify the LDAP context you wish to use, for example, DC=Q1LABS,DC=INC.
LDAP Domain   Specify the domain you wish to use, for example, q1labs.inc

Step 5 Click Save.
3 Setting Up STRM Log Management

This chapter provides information on setting up STRM Log Management including:
• Managing Your License Keys
• Creating Your Network Hierarchy
• Configuring STRM Log Management Settings
• Configuring System Notifications
• Configuring the Console Settings
• Starting and Stopping STRM Log Management
• Accessing the Embedded SNMP Agent

Managing Your License Keys
For your STRM Log Management Console, a default license key provides you access to the interface for 5 weeks. You must manage your license key using the System Management window in the Administration Console. This interface provides the status of the license key for each system (host) in your deployment including:
• Valid - The license key is valid.
• Expired - The license key has expired. To update your license key, see Updating Your License Key.
• Override Console License - This host is using the Console license key. You can use the Console key or apply a license key for this system. If you wish to use the Console license for any system in your deployment, click Default License in the Manage License window. The license for that system will default to the Console license key.

This section provides information on managing your license keys including:
• Updating Your License Key
• Exporting Your License Key Information
Updating Your License Key
For your STRM Log Management Console, a default license key provides you access to the interface for 5 weeks. Choose one of the following options for assistance with your license key:
• For a new or updated license key, please contact your local sales representative.
• For all other technical issues, please contact Juniper Networks Customer Support.

If you log in to STRM Log Management and your Console license key has expired, you are automatically directed to the System Management window. You must update the license key before you can continue. However, if one of your non-Console systems includes an expired license key, a message appears when you log in indicating a system requires a new license key. You must navigate to the System Management window to update that license key.

To update your license key:
Step 1 In the Administration Console, click the System Configuration tab. The System Configuration panel appears.
Step 2 Click the System Management icon. The System Management window appears providing a list of all hosts in your deployment.
Step 3 For the host on which you wish to update the license key, click the value that appears in the License column. The Current License Details window appears.
Note: If you update the license key for your Console, all systems in your deployment default to the Console license key at that time.
Step 4 Click Browse beside the New License Key File and locate the license key.
Step 5 Once you locate and select the license key, click Open. The Current License Details window appears.
Step 6 Click Save. A message appears indicating the license key was successfully updated.
Note: If you wish to revert back to the previous license key, click Revert to Deployed. If you revert to the license key used by the STRM Log Management Console system, click Revert to Console.
Step 7 Close the license key window. The Administration Console appears.
Step 8 From the menu, select Configurations > Deploy All. The license key information is updated in your deployment.
Exporting Your License Key Information
To export your license key information for all systems in your deployment:
Step 1 In the Administration Console, click the System Configuration tab. The System Configuration panel appears.
Step 2 Click the System Management icon. The System Management window appears providing a list of all hosts in your deployment.
Step 3 Click Export Licenses. The export window appears.
Step 4 Select one of the following options:
• Open - Opens the license key data in an Excel spreadsheet.
• Save - Allows you to save the file to your desktop.
Step 5 Click OK.
Creating Your Network Hierarchy
STRM Log Management uses the network hierarchy to understand your network traffic and provide you with the ability to view network activity for your entire deployment.
When you develop your network hierarchy, you should consider the most effective method for viewing network activity. Note that the network you configure in STRM Log Management does not have to resemble the physical deployment of your network. STRM Log Management supports any network hierarchy that can be defined by a range of IP addresses. You can create your network based on many different variables, including geographical or business units.
Considerations
Consider the following when defining your network hierarchy:
• Group together systems and user groups that have similar behavior. This provides you with a clear view of your network.
• Do not group together servers that have unique behavior with other servers on your network. For example, placing a unique server alone provides the server greater visibility in STRM Log Management, allowing you to enact specific policies.
• Combine multiple Classless Inter-Domain Routings (CIDRs) or subnets into a single network/group to conserve disk space. For example:

Group | Description      | IP Address
1     | Marketing        | 10.10.5.0/24
2     | Sales            | 10.10.8.0/21
3     | Database Cluster | 10.10.1.3/32, 10.10.1.4/32, 10.10.1.5/32

Note: We recommend that you do not configure a network group with more than 15 objects. This may cause you difficulty in viewing detailed information for each group.
You may also wish to define an all-encompassing group so that when you define new networks, the appropriate policies and behavioral monitors are applied. For example:

Group     | Subgroup            | IP Address
Cleveland | Cleveland misc      | 10.10.0.0/16
Cleveland | Cleveland Sales     | 10.10.8.0/21
Cleveland | Cleveland Marketing | 10.10.1.0/24
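An added example (not STRM code) that checks a hierarchy drafted along the lines above: it parses each object's CIDRs strictly, flags groups over the recommended 15 objects and prefix lengths outside /1 to /32, and reports which object acts as the all-encompassing catch-all for each more specific one. The group/object data structure is this example's assumption, built from the guide's two sample tables.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample data: the guide's two example hierarchies, expressed as
# group name -> [(object name, [CIDR, ...]), ...]. Not exported from STRM.
FLAT_GROUPS = {
    "Marketing": [("Marketing", ["10.10.5.0/24"])],
    "Sales": [("Sales", ["10.10.8.0/21"])],
    "Database Cluster": [
        ("Database Cluster", ["10.10.1.3/32", "10.10.1.4/32", "10.10.1.5/32"]),
    ],
}
CLEVELAND = {
    "Cleveland": [
        ("Cleveland misc", ["10.10.0.0/16"]),
        ("Cleveland Sales", ["10.10.8.0/21"]),
        ("Cleveland Marketing", ["10.10.1.0/24"]),
    ],
}

MAX_OBJECTS_PER_GROUP = 15   # the guide's recommended ceiling per group
Hierarchy = Dict[str, List[Tuple[str, List[str]]]]


def parse_objects(groups: Hierarchy) -> List[Tuple[str, str, List[ipaddress.IPv4Network]]]:
    """Flatten the hierarchy to (group, object, [networks]).

    strict=True makes ipaddress reject a CIDR whose host bits are set
    (10.10.8.1/21 would otherwise silently become 10.10.8.0/21)."""
    flat = []
    for group, objects in groups.items():
        for name, cidrs in objects:
            nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
            flat.append((group, name, nets))
    return flat


def check_groups(groups: Hierarchy) -> List[str]:
    """Warnings for oversized groups and for prefix lengths STRM does not
    accept (its table runs /1 to /32; ipaddress itself would allow /0)."""
    warnings = []
    for group, objects in groups.items():
        if len(objects) > MAX_OBJECTS_PER_GROUP:
            warnings.append(f"group {group!r} has {len(objects)} objects; "
                            f"recommended maximum is {MAX_OBJECTS_PER_GROUP}")
    for group, name, nets in parse_objects(groups):
        for net in nets:
            if net.prefixlen < 1:
                warnings.append(f"{group}/{name}: /{net.prefixlen} is not an "
                                "accepted CIDR length")
    return warnings


def catch_all_for(groups: Hierarchy) -> Dict[str, Optional[str]]:
    """For each object, the most specific *other* object whose CIDRs cover
    every CIDR of this one (the 'all encompassing group' pattern), else None."""
    flat = parse_objects(groups)
    result: Dict[str, Optional[str]] = {}
    for _, name, nets in flat:
        best, best_prefix = None, -1
        for _, other, other_nets in flat:
            if other == name:
                continue
            covered = all(any(n.subnet_of(o) for o in other_nets) for n in nets)
            if not covered:
                continue
            # prefer the narrowest covering network (largest prefix length)
            prefix = max(o.prefixlen for o in other_nets
                         if any(n.subnet_of(o) for n in nets))
            if prefix > best_prefix:
                best, best_prefix = other, prefix
        result[name] = best
    return result


if __name__ == "__main__":
    for hierarchy in (FLAT_GROUPS, CLEVELAND):
        print(check_groups(hierarchy) or "no warnings")
        for obj, parent in catch_all_for(hierarchy).items():
            print(f"  {obj}: covered by {parent}")
```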
Defining Your Network Hierarchy
To define your network hierarchy:
Step 1
In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2
Click the Network Hierarchy icon.
The Network Views window appears.
Step 3
From the menu tree, select the area of the network to which you wish to add a network component.
The Manage Group window appears for the selected network component.
Step 4
Click Add.
The Add Network Object window appears.
Step 5
Enter your network object values:

Table 3-1 Add New Object Parameters
Parameter | Description
Group | Specify the group for the new network object. Click Add Group to specify the group.
Name | Specify the name for the object.
Weight | Specify the weight of the object. The range is 1 to 100 and indicates the importance of the object in the system.
IP/CIDR(s) | Specify the CIDR range(s) for this object. For more information on CIDR values, see Accepted CIDR Values.
Description | Specify a description for this network object.
Color | Specify a color for this object.
Database Length | Specify the database length.

Step 6
Click Save.
Step 7
Repeat for all network objects.
Step 8
Click Re-Order.
The Reorder Group window appears.
Step 9
Order the network objects in the desired order.
Step 10
Click Save.
Note: We recommend that you consider adding key servers as individual objects and grouping other major but related servers into multi-CIDR objects.
Accepted CIDR Values
Table 3-2 provides a list of the CIDR values that STRM Log Management accepts:

Table 3-2 Accepted CIDR Values
CIDR Length | Mask            | Number of Networks | Hosts
/1          | 128.0.0.0       | 128 A              | 2,147,483,392
/2          | 192.0.0.0       | 64 A               | 1,073,741,696
/3          | 224.0.0.0       | 32 A               | 536,870,848
/4          | 240.0.0.0       | 16 A               | 268,435,424
/5          | 248.0.0.0       | 8 A                | 134,217,712
/6          | 252.0.0.0       | 4 A                | 67,108,856
/7          | 254.0.0.0       | 2 A                | 33,554,428
/8          | 255.0.0.0       | 1 A                | 16,777,214
/9          | 255.128.0.0     | 128 B              | 8,388,352
/10         | 255.192.0.0     | 64 B               | 4,194,176
/11         | 255.224.0.0     | 32 B               | 2,097,088
/12         | 255.240.0.0     | 16 B               | 1,048,544
/13         | 255.248.0.0     | 8 B                | 524,272
/14         | 255.252.0.0     | 4 B                | 262,136
/15         | 255.254.0.0     | 2 B                | 131,068
/16         | 255.255.0.0     | 1 B                | 65,534
/17         | 255.255.128.0   | 128 C              | 32,512
/18         | 255.255.192.0   | 64 C               | 16,256
/19         | 255.255.224.0   | 32 C               | 8,128
/20         | 255.255.240.0   | 16 C               | 4,064
/21         | 255.255.248.0   | 8 C                | 2,032
/22         | 255.255.252.0   | 4 C                | 1,016
/23         | 255.255.254.0   | 2 C                | 508
/24         | 255.255.255.0   | 1 C                | 254
/25         | 255.255.255.128 | 2 subnets          | 124
/26         | 255.255.255.192 | 4 subnets          | 62
/27         | 255.255.255.224 | 8 subnets          | 30
/28         | 255.255.255.240 | 16 subnets         | 14
/29         | 255.255.255.248 | 32 subnets         | 6
/30         | 255.255.255.252 | 64 subnets         | 2
/31         | 255.255.255.254 | none               | none
/32         | 255.255.255.255 | 1/256 C            | 1

For example, a network is called a supernet when the prefix boundary contains fewer bits than the network's natural (that is, classful) mask. A network is called a subnet when the prefix boundary contains more bits than the network's natural mask:
• 209.60.128.0 is a class C network address with a natural mask of /24.
• 209.60.128.0 /22 is a supernet which yields:
  209.60.128.0 /24
  209.60.129.0 /24
  209.60.130.0 /24
  209.60.131.0 /24
• 192.0.0.0 /25
  Subnet | Host Range
  0      | 192.0.0.1 - 192.0.0.126
  1      | 192.0.0.129 - 192.0.0.254
• 192.0.0.0 /26
  Subnet | Host Range
  0      | 192.0.0.1 - 192.0.0.62
  1      | 192.0.0.65 - 192.0.0.126
  2      | 192.0.0.129 - 192.0.0.190
  3      | 192.0.0.193 - 192.0.0.254
• 192.0.0.0 /27
  Subnet | Host Range
  0      | 192.0.0.1 - 192.0.0.30
  1      | 192.0.0.33 - 192.0.0.62
  2      | 192.0.0.65 - 192.0.0.94
  3      | 192.0.0.97 - 192.0.0.126
  4      | 192.0.0.129 - 192.0.0.158
  5      | 192.0.0.161 - 192.0.0.190
  6      | 192.0.0.193 - 192.0.0.222
  7      | 192.0.0.225 - 192.0.0.254
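Added example, not from the guide: the classful, supernet and subnet arithmetic behind Table 3-2 and the 192.0.0.0 examples above, computed with Python's ipaddress module. The function names are this example's own, and the /31 and /32 rows are special-cased to match what the table lists.

```python
import ipaddress
from typing import List, Tuple


def natural_prefix(address: str) -> int:
    """Classful ('natural') mask length from the first octet:
    class A (0-127) /8, class B (128-191) /16, class C (192-223) /24."""
    first = int(address.split(".")[0])
    if first < 128:
        return 8
    if first < 192:
        return 16
    if first < 224:
        return 24
    raise ValueError("class D/E addresses have no natural mask")


def classify(cidr: str) -> str:
    """'supernet' if the prefix is shorter than the natural mask,
    'subnet' if longer, 'classful' if equal (the guide's definitions)."""
    net = ipaddress.ip_network(cidr, strict=True)
    natural = natural_prefix(str(net.network_address))
    if net.prefixlen < natural:
        return "supernet"
    if net.prefixlen > natural:
        return "subnet"
    return "classful"


def classful_members(cidr: str) -> List[str]:
    """The classful networks a supernet aggregates,
    e.g. the four /24s inside 209.60.128.0/22."""
    net = ipaddress.ip_network(cidr, strict=True)
    natural = natural_prefix(str(net.network_address))
    if net.prefixlen > natural:
        raise ValueError(f"{cidr} is a subnet, not a supernet")
    return [str(s) for s in net.subnets(new_prefix=natural)]


def cidr_row(prefixlen: int) -> Tuple[str, int]:
    """(dotted mask, usable hosts in one network of that length) using the
    classic 'network and broadcast are reserved' rule that the table's
    /26 - /30 rows follow; /31 and /32 are special-cased like the table."""
    if not 1 <= prefixlen <= 32:
        raise ValueError("STRM accepts CIDR lengths /1 through /32 only")
    net = ipaddress.ip_network(f"0.0.0.0/{prefixlen}")
    if prefixlen == 32:
        hosts = 1          # a single host, as in the table's /32 row
    elif prefixlen == 31:
        hosts = 0          # the table lists 'none' for /31
    else:
        hosts = net.num_addresses - 2
    return str(net.netmask), hosts


def subnet_host_ranges(network: str, new_prefix: int) -> List[Tuple[int, str, str]]:
    """Split `network` into /new_prefix subnets and return
    (index, first usable host, last usable host) for each."""
    parent = ipaddress.ip_network(network, strict=True)
    if not parent.prefixlen < new_prefix <= 30:
        raise ValueError("new prefix must be longer than the parent's and at most /30")
    ranges = []
    for i, sub in enumerate(parent.subnets(new_prefix=new_prefix)):
        first = sub.network_address + 1       # skip the subnet address
        last = sub.broadcast_address - 1      # skip the broadcast address
        ranges.append((i, str(first), str(last)))
    return ranges


if __name__ == "__main__":
    print(classify("209.60.128.0/22"), classful_members("209.60.128.0/22"))
    for prefix in (24, 25, 26, 27):
        print(f"/{prefix}", *cidr_row(prefix))
    for row in subnet_host_ranges("192.0.0.0/24", 27):
        print("%d %s - %s" % row)
```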
Scheduling Automatic Updates
STRM Log Management uses system configuration files to provide useful characterizations of network data flows. You can now update your configuration files automatically or manually using the STRM Log Management interface to make sure your configuration files contain the latest network security information.
The updates, located on the Qmmunity web site, include threats, vulnerabilities, and geographic information from various security related web sites. The managed host must be connected to the Internet to receive the updates.
Note: We do not guarantee the accuracy of the third-party information contained on the above mentioned web sites.
STRM Log Management allows you to either replace your existing configuration files or integrate the updates with your existing files to maintain the integrity of your current configuration and information.
You can also update the configuration files for all systems in your STRM Log Management deployment. However, you must have the views created in your deployment editor. For more information on using the deployment editor, see Chapter 5 Using the Deployment Editor.
Caution: Failing to build your deployment map before configuring automatic or manual updates results in your remote systems not being updated.
To schedule automatic updates:
Step 1
In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2
Click the Auto Update icon.
The Auto Update Configuration window appears.
Step 3
In the Schedule Autoupdates section, select the check box to enable automatic updates.
Step 4
In the Frequency list box, select the frequency of the updates:
• Daily - Updates are downloaded every day at 1 am.
• Weekly - Updates are downloaded every Sunday at 1 am.
• Monthly - Updates are downloaded on the first day of every month at 1 am.
Step 5
Click Save to save your settings or click Save and Update Now to initiate the update process immediately.
Configuring STRM Log Management Settings
Using the Administration Console, you can configure the STRM Log Management system, database, and sentry settings.
To configure STRM Log Management settings:
Step 1
In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2
Click the STRM Settings icon.
The STRM Settings window appears.
Step 3
Enter values for the parameters:

Table 3-3 System Settings Parameters
Parameter | Description
STRM Settings
Administrative Email Address | Specify the e-mail address of the designated system administrator. The default is root@localhost.
Alert Email From Address | Specify the e-mail address from which you wish to receive e-mail alerts.
Delete Root Mail | Root mail is the default location for host context messages. Specify one of the following:
  • Yes - Delete the local administrator e-mail. This is the default.
  • No - Do not delete local administrator e-mail.
Temporary Files Retention Period | Specify the time period the system stores temporary files. The default is 6 hours.
Audit Log Enable | Enables or disables the ability to collect audit logs. You can view audit log information using the Event Viewer. The default is Yes.
Coalescing Events | Enables or disables the ability for a sensor device to coalesce (bundle) events. This value applies to all sensor devices. However, if you wish to alter this value for a specific sensor device, edit the Coalescing Event parameter in the sensor device configuration. For more information, see the Managing Sensor Devices Guide. The default is Yes.
Store Event Payload | Enables or disables the ability for a sensor device to store event payload information. This value applies to all auto detected sensor devices. However, if you wish to alter this value for a specific sensor device, edit the Event Payload parameter in the sensor device configuration. For more information, see the Managing Sensor Devices Guide. The default is Yes.
Global Iptables Access | Specify the IP address of a non-Console system that does not have an iptables configuration to which you wish to enable direct access. To enter multiple systems, enter a comma-separated list of IP addresses.
Database Settings
User Data Files | Specify the location of the user profiles. The default is /store/users.
Database Storage Location | Specify the location of the database files. The default location is /store/db.
Ariel Database Settings
Device Log Storage Location | Specify the location in which you wish to store the device log information. The default location is /store/ariel/events.
Device Log Data Retention Period | Specify the amount of time that you wish to store the device log data. The default is 30 days.
Maximum Real Time Results | Specify the maximum number of results you wish to view in the Event Viewer and Flow Viewer. The default is 10000.
Reporting Max Matched Results | Specify the maximum number of results you wish a report to return. This value applies to the search results in the Event Viewer. The default is 1000000.
Command Line Max Matched Results | Specify the maximum number of results you wish the command line to return. The default is 0.
Web Execution Time Limit | Specify the maximum amount of time, in seconds, you wish a query in the interface to process before a time out occurs. This value applies to the search results in the Event Viewer and Flow Viewer. The default is 600 seconds.
Reporting Execution Time Limit | Specify the maximum amount of time, in seconds, you wish a reporting query to process before a time out occurs. The default is 57600 seconds.
Command Line Execution Time Limit | Specify the maximum amount of time, in seconds, you wish a query in the command line to process before a time out occurs. The default is 0 seconds.
Event Log Hashing | Enables or disables the ability for STRM Log Management to store a hash file for every stored event log file. The default is No.
Hashing Algorithm | You can use a hashing algorithm for database storage and encryption. You can use one of the following hashing algorithms:
  • Message-Digest Hash Algorithm - Transforms digital signatures into shorter values called Message-Digests (MD).
  • Secure Hash Algorithm (SHA) Hash Algorithm - Standard algorithm that creates a larger (60 bit) MD.
  Specify the log hashing algorithm you wish to use for your deployment. The options are:
  • MD2 - Algorithm defined by RFC 1319.
  • MD5 - Algorithm defined by RFC 1321.
  • SHA-1 - Default. Algorithm defined by Secure Hash Standard, NIST FIPS 180-1.
  • SHA-256 - Algorithm defined by the draft Federal Information Processing Standard 180-2, Secure Hashing Standard (SHS). SHA-256 is a 256 bit hash algorithm intended for 128 bits of security against security attacks.
  • SHA-384 - Algorithm defined by the draft Federal Information Processing Standard 180-2, Secure Hashing Standard (SHS). SHA-384 is a hash algorithm provided by truncating the SHA-512 output.
  • SHA-512 - Algorithm defined by the draft Federal Information Processing Standard 180-2, Secure Hashing Standard (SHS). SHA-512 is a hash algorithm intended to provide 256 bits of security.
SNMP Settings
Enable | Enables or disables SNMP responses in the STRM Log Management custom rules engine. The default is No, which means you do not wish to accept events using SNMP.
Destination Host | Specify the IP address to which you wish to send SNMP notifications.
Destination Port | Specify the port to which you wish to send SNMP notifications. The default is 162.
Community (V2) | Specify the SNMP community, such as public. This parameter only applies if you are using SNMPv2.
User Name | Specify the name of the user you wish to access SNMP related properties.
Security Level | Specify the security level for SNMP. The options are:
  • NOAUTH_NOPRIV - Indicates no authorization and no privacy. This is the default.
  • AUTH_NOPRIV - Indicates authorization is permitted but no privacy.
  • AUTH_PRIV - Allows authorization and privacy.
Authentication Protocol | Specify the algorithm you wish to use to authenticate SNMP traps.
Authentication Password | Specify the password you wish to use to authenticate SNMP.
Privacy Protocol | Specify the protocol you wish to use to decrypt SNMP traps.
Privacy Password | Specify the password used to decrypt SNMP traps.
Embedded SNMP Agent Settings
Enabled | Enables or disables access to data from the SNMP Agent using SNMP requests. The default is No.
Community String | Specify the SNMP community, such as public. This parameter only applies if you are using SNMPv2 and SNMPv3.
IP Access List | Specify the systems that can access data from the SNMP agent using SNMP requests. If the Enabled option is set to Yes, this option is enforced.

Step 4
Click Save.
The STRM Log Management Administration Console appears.
Step 5
From the menu, select Configurations > Deploy All.
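The Event Log Hashing and Hashing Algorithm settings in Table 3-3 store one hash file per stored event log file. The following added example (not STRM's code) shows what that integrity check amounts to with Python's hashlib, keyed by the table's algorithm names; the sidecar file name, the `demo` helper and the log lines are constructed for the example, and MD2 is left out because hashlib does not provide it. MD5 and SHA-1 are no longer collision resistant, which is why the demo defaults to SHA-256.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import Tuple

# Algorithm names offered by the Hashing Algorithm setting, mapped to
# hashlib names. MD2 is omitted: hashlib does not ship it.
ALGORITHMS = {
    "MD5": "md5",
    "SHA-1": "sha1",
    "SHA-256": "sha256",
    "SHA-384": "sha384",
    "SHA-512": "sha512",
}


def digest_of(data: bytes, algorithm: str = "SHA-1") -> str:
    """Hex digest of `data` under one of the setting's algorithm names."""
    return hashlib.new(ALGORITHMS[algorithm], data).hexdigest()


def hash_file(path: Path, algorithm: str = "SHA-1") -> str:
    """Stream a log file through the chosen hash (event logs can be large)."""
    h = hashlib.new(ALGORITHMS[algorithm])
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sidecar_for(path: Path, algorithm: str) -> Path:
    """'<log>.<algo>' naming is this example's placeholder, not STRM's format."""
    return path.with_name(path.name + "." + ALGORITHMS[algorithm])


def write_hash_file(path: Path, algorithm: str = "SHA-1") -> Path:
    """Store the digest beside the log, 'digest  filename' style."""
    sidecar = sidecar_for(path, algorithm)
    sidecar.write_text(f"{hash_file(path, algorithm)}  {path.name}\n")
    return sidecar


def verify_log(path: Path, algorithm: str = "SHA-1") -> bool:
    """True if the log still matches its stored digest; False if the log or
    the sidecar changed, or the sidecar is missing."""
    sidecar = sidecar_for(path, algorithm)
    if not sidecar.exists():
        return False
    stored = sidecar.read_text().split()[0]
    # constant-time comparison: the digest doubles as an integrity credential
    return hmac.compare_digest(stored, hash_file(path, algorithm))


def demo(algorithm: str = "SHA-256") -> Tuple[bool, bool]:
    """Write a constructed event log, hash it, append a line, re-verify.
    Returns (verified before the change, verified after the change)."""
    with tempfile.TemporaryDirectory() as tmp:
        log = Path(tmp) / "events.log"
        # constructed syslog-style sample lines, not real STRM output
        log.write_text(
            "<13>Jan 10 01:00:00 fw01 kernel: ACCEPT SRC=10.10.5.7 DST=10.10.1.3\n"
            "<13>Jan 10 01:00:01 fw01 kernel: DROP SRC=10.10.8.20 DST=10.10.1.4\n"
        )
        write_hash_file(log, algorithm)
        before = verify_log(log, algorithm)
        with open(log, "a") as f:   # any later write invalidates the digest
            f.write("<13>Jan 10 01:00:02 fw01 kernel: DROP SRC=10.10.8.21 DST=10.10.1.4\n")
        after = verify_log(log, algorithm)
    return before, after


if __name__ == "__main__":
    print("verified before / after appending a line:", demo("SHA-256"))
```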
Configuring System Notifications
You can configure global system performance alerts for thresholds using the STRM Log Management Administration Console. This section provides information for configuring your global system thresholds.
To configure global system thresholds:
Step 1
In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2
Click the Global System Notifications icon.
The Global System Notifications window appears.
Step 3
Enter values for the parameters. For each parameter, you must select the following options:
• Enabled - Select the check box to enable the option.
• Respond if value is - Specify one of the following options:
  - Greater Than - An alert occurs if the parameter value exceeds the configured value.
  - Less Than - An alert occurs if the parameter value is less than the configured value.
• Resolution Message - Specify a description of the preferred resolution to the alert.

Table 3-4 Global System Notifications Parameters
Parameter | Description
User CPU usage | Specify the threshold percentage of user CPU usage.
Nice CPU usage | Specify the threshold percentage of user CPU usage at the nice priority.
System CPU usage | Specify the threshold percentage of CPU usage while operating at the system level.
Idle CPU usage | Specify the threshold percentage of idle CPU time.
Percent idle time | Specify the threshold percentage of idle time.
Run queue length | Specify the threshold number of processes waiting for run time.
Number of processes in the process list | Specify the threshold number of processes in the process list.
System load over 1 minute | Specify the threshold system load average over the last minute.
System load over 5 minutes | Specify the threshold system load average over the last 5 minutes.
System load over 15 minutes | Specify the threshold system load average over the last 15 minutes.
Kilobytes of memory free | Specify the threshold amount, in kilobytes, of free memory.
Kilobytes of memory used | Specify the threshold amount, in kilobytes, of used memory. This does not consider memory used by the kernel.
Percentage of memory used | Specify the threshold percentage of used memory.
Kilobytes of cache swap memory | Specify the threshold amount of memory, in kilobytes, shared by the system.
Kilobytes of buffered memory | Specify the threshold amount of memory, in kilobytes, used as a buffer by the kernel.
Kilobytes of memory used for disc cache | Specify the threshold amount of memory, in kilobytes, used to cache data by the kernel.
Kilobytes of swap memory free | Specify the threshold amount of free memory, in kilobytes.
Kilobytes of swap memory used | Specify the threshold amount, in kilobytes, of used swap memory.
Percentage of swap used | Specify the threshold percentage of used swap space.
Number of Interrupts per second | Specify the threshold number of received interrupts per second.
Received Packets per second | Specify the threshold number of packets received per second.
Transmitted Packets per second | Specify the threshold number of packets transmitted per second.
Received Bytes per second | Specify the threshold number of bytes received per second.
Transmitted Bytes per second | Specify the threshold number of bytes transmitted per second.
Received Compressed Packets | Specify the threshold number of compressed packets received per second.
Transmitted Compressed Packets | Specify the threshold number of compressed packets transmitted per second.
Received Multicast Packets | Specify the threshold number of received Multicast packets per second.
Receive Errors | Specify the threshold number of corrupt packets received per second.
Transmit Errors | Specify the threshold number of corrupt packets transmitted per second.
Packet Collisions | Specify the threshold number of collisions that occur per second while transmitting packets.
Dropped receive packets | Specify the threshold number of received packets that are dropped per second due to a lack of space in the buffers.
Dropped Transmit packets | Specify the threshold number of transmitted packets that are dropped per second due to a lack of space in the buffers.
Transmit carrier errors | Specify the threshold number of carrier errors that occur per second while transmitting packets.
Receive frame errors | Specify the threshold number of frame alignment errors that occur per second on received packets.
Receive fifo overruns | Specify the threshold number of First In First Out (FIFO) overrun errors that occur per second on received packets.
Transmit fifo overruns | Specify the threshold number of First In First Out (FIFO) overrun errors that occur per second on transmitted packets.
Transactions per second | Specify the threshold number of transfers per second sent to the system.
Sectors written per second | Specify the threshold number of sectors transferred to or from the system.

Step 4
Click Save.
The STRM Log Management Administration Console appears.
Step 5
From the menu, select Configurations > Deploy configuration changes.
Configuring the Console Settings
The STRM Log Management Console provides the interface for STRM Log Management. This Console is also used to manage distributed STRM Log Management deployments.
The Console is accessed from a standard web browser. When you access the system, a prompt appears for a user name and password, which must be configured in advance by the STRM Log Management administrator. STRM Log Management supports the following web browsers:
• Internet Explorer 6.0 or 7.0
• Mozilla Firefox 2.0
To configure STRM Log Management Console settings:
Step 1
In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2
Click the Console icon.
The Console Management window appears.
Step 3
Enter values for the parameters:

Table 3-5 STRM Log Management Console Management Parameters
Parameter | Description
Console Settings
Enable 3D graphs in the user interface | Using the drop-down list box, select one of the following:
  • Yes - Displays Dashboard graphics in 3-dimensional format.
  • No - Displays Dashboard graphics in 2-dimensional format.
Authentication Settings
Persistent Session Timeout | Specify the length of time, in days, that a user session is persisted. The default is 0, which disables this feature and the “remember me” option upon login.
Maximum Login Failures | Specify the number of times a login attempt may fail. The default is 5.
Login Failure Attempt Window (in minutes) | Specify the length of time during which the maximum login failures may occur before the system is locked. The default is 10 minutes.
Login Failure Block Time (in minutes) | Specify the length of time that the system is locked if the maximum login failures value is exceeded. The default is 30 minutes.
Login Host Whitelist | Specify a list of hosts that are exempt from being locked out of the system. Enter multiple entries using a comma-delimited list.
Inactivity Timeout (in minutes) | Specify the amount of time after which a user is automatically logged out of the system if no activity occurs.
Login Message File | Specify the location and name of a file that includes content you wish to appear on the STRM Log Management log in window. This file may be in text or HTML format and the contents of the file appear below the current log in window.
DNS Settings
Enable DNS Lookups for Host Identity | Enable or disable the ability for STRM Log Management to search for host identity information. When enabled, this information is available using the right-mouse button (right-click) on any IP address or asset name in the interface. The default is True.
Data Export Settings
Include Header in CSV Exports | Specify whether you wish to include a header in a CSV export file.
Maximum Simultaneous Exports | Specify the maximum number of exports you wish to occur at one time.

Step 4
Click Save.
Step 5
From the Administration Console menu, select Configurations > Deploy configuration changes.
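To see how the four Authentication Settings in Table 3-5 interact, here is an added example (not STRM's implementation) that replays constructed login attempts through a hypothetical `LoginGuard` configured with the table's defaults. Per-host counting, the sliding window and clearing the count on a successful login are this example's assumptions; the guide does not define those details.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Tuple


class LoginGuard:
    """Tracks failed logins per source host and enforces a lockout using the
    Console's authentication settings (defaults from Table 3-5).

    Assumed semantics: failures are counted per source host over a sliding
    window of window_minutes; reaching max_failures inside the window blocks
    that host for block_minutes; whitelisted hosts are never blocked; a
    successful login clears the host's failure history."""

    def __init__(self, max_failures: int = 5, window_minutes: int = 10,
                 block_minutes: int = 30, whitelist: Iterable[str] = ()):
        self.max_failures = max_failures
        self.window = window_minutes
        self.block = block_minutes
        self.whitelist = set(whitelist)
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._blocked_until: Dict[str, float] = {}
        self.audit: List[str] = []   # what you would send to the audit log

    def is_blocked(self, host: str, now: float) -> bool:
        until = self._blocked_until.get(host)
        if until is None:
            return False
        if now < until:
            return True
        del self._blocked_until[host]   # block time has elapsed
        return False

    def _prune(self, host: str, now: float) -> None:
        """Drop failures that fell out of the attempt window."""
        q = self._failures[host]
        while q and now - q[0] > self.window:
            q.popleft()

    def record_failure(self, host: str, now: float) -> bool:
        """Register a failed attempt at time `now` (in minutes).
        Returns True if this failure triggered a block."""
        if host in self.whitelist:
            return False
        self._prune(host, now)
        self._failures[host].append(now)
        if len(self._failures[host]) >= self.max_failures:
            self._blocked_until[host] = now + self.block
            self._failures[host].clear()
            self.audit.append(f"t={now}: blocked {host} for {self.block} min")
            return True
        return False

    def record_success(self, host: str) -> None:
        self._failures[host].clear()

    def attempt(self, host: str, now: float, password_ok: bool) -> str:
        """Outcome of one attempt: 'blocked', 'ok', 'failed' or 'locked'
        ('locked' is the failure that tripped the threshold)."""
        if self.is_blocked(host, now):
            return "blocked"
        if password_ok:
            self.record_success(host)
            return "ok"
        return "locked" if self.record_failure(host, now) else "failed"


# Constructed sample: five bad passwords in five minutes from 203.0.113.7,
# a correct password while that host is blocked, an unrelated host, and a
# correct password after the 30 minute block has expired.
SAMPLE_EVENTS: List[Tuple[float, str, bool]] = [
    (0, "203.0.113.7", False), (1, "203.0.113.7", False), (2, "203.0.113.7", False),
    (3, "203.0.113.7", False), (4, "203.0.113.7", False),
    (5, "203.0.113.7", True),
    (20, "198.51.100.9", False),
    (35, "203.0.113.7", True),
]


def simulate(events: List[Tuple[float, str, bool]], **settings) -> List[str]:
    """Replay (minute, host, password_ok) events and return each outcome."""
    guard = LoginGuard(**settings)
    return [guard.attempt(host, t, ok) for t, host, ok in events]


if __name__ == "__main__":
    for event, outcome in zip(SAMPLE_EVENTS, simulate(SAMPLE_EVENTS)):
        print(event, "->", outcome)
```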
Starting and Stopping STRM Log Management
To start, stop, or restart STRM Log Management:
Step 1
In the main STRM Log Management interface, click Config.
The STRM Log Management Administration Console appears.
Step 2
From the System menu, select one of the following options:
a STRM Start
b STRM Stop
c STRM Restart
Accessing the Embedded SNMP Agent
To access the SNMP agent:
Step 1
In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2
Click the System Management icon.
The System Management window appears.
Step 3
In the View Agent column, click View Agent for the SNMP agent you wish to access.
The SNMP Agent appears.
Configuring Access Settings
The System Configuration tab provides access to the web-based system administration interface, which allows you to configure firewall rules, interface roles, passwords, and system time. This section includes:
• Firewall access. See Configuring Firewall Access.
• Update your host set-up. See Updating Your Host Set-up.
• Configure the interface roles for a host. See Configuring Interface Roles.
• Change passwords for a host. See Changing Passwords.
• Update the system time. See Updating System Time.
Configuring Firewall Access
You can configure local firewall access to enable communications between devices and STRM Log Management. Also, you can define access to the web-based system administration interface.
To enable STRM Log Management managed hosts to access specific devices or interfaces:
Step 1
In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2
Click the System Management icon.
The System Management window appears.
Step 3
For the host for which you wish to configure firewall access, click Manage System.
Step 4
Log in to the System Administration interface. The default is:
Username: root
Password: <your root password>
Note: The username and password are case sensitive.
Step 5
From the menu, select Managed Host Config > Local Firewall.
The Local Firewall window appears.
Step 6
In the Device Access box, you must include any STRM Log Management systems you wish to have access to this managed host. Only managed hosts listed will have access. For example, if you enter one IP address, only that one IP address will be granted access to the managed host. All other managed hosts are blocked.
To configure access:
a In the IP Address field, enter the IP address of the managed host you wish to have access.
b From the Protocol list box, select the protocol for which you wish to enable access for the specified IP address and port:
  - UDP - Allows UDP traffic.
  - TCP - Allows TCP traffic.
  - Any - Allows any traffic.
c In the Port field, enter the port on which you wish to enable communications.
Note: If you change your External Flow Source Monitoring Port parameter in the QFlow Configuration, you must also update your firewall access configuration.
d Click Allow.
Step 7
In the System Administration Web Control box, enter in the IP Address field the IP address of the managed hosts that you wish to allow access to the web-based system administration interface. Only IP addresses listed will have access to the interface. If you leave the field blank, all IP addresses will have access. Click Allow.
Note: Make sure you include the IP address of the client desktop from which you wish to access the interface. Failing to do so may affect connectivity.
Step 8
Click Apply Access Controls.
Step 9
Wait for the interface to refresh before continuing.
Updating Your Host Set-up
You can use the web-based system administration interface to configure the mail server you wish STRM Log Management to use, the global password for STRM Log Management configuration, and the IP address for the STRM Log Management Console.
To configure your host set-up:
Step 1
In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2
Click the System Management icon.
The System Management window appears.
Step 3
For the host whose set-up you wish to update, click Manage System.
Step 4
Log in to the System Administration interface. The default is:
Username: root
Password: <your root password>
Note: The username and password are case sensitive.
Step 5
From the menu, select Managed Host Config > STRM Log Management Setup.
The STRM Log Management Setup window appears.
Step 6
You must enable communications between the STRM Log Management Console and the current host. In the Enter the IP address of the STRM Log Management console field, enter the IP address of the managed host operating the STRM Log Management Console.
Step 7
In the Mail Server field, specify the address for the mail server you wish STRM Log Management to use. STRM Log Management uses this mail server to distribute alerts and event messages. To use the mail server provided with STRM Log Management, enter localhost.
Step 8
In the Enter the global configuration password field, enter the password you wish to use to access the host. Confirm the entered password.
Note: The global configuration password must be the same throughout your deployment. If you edit this password, you must also edit the global configuration password on all systems in your deployment.
Step 9
In the Enter the web address of the console field, enter the IP address of the managed host operating the STRM Log Management Console.
Step 10
Click Apply Configuration.
Configuring Interface Roles
You can assign specific roles to the network interfaces on each managed host.
To assign roles:
Step 1
In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2
Click the System Management icon.
The System Management window appears.
Step 3
For the host for which you wish to configure interface roles, click Manage System.
Step 4
Log in to the System Administration interface. The default is:
Username: root
Password: <your root password>
Note: The username and password are case sensitive.
Step 5
From the menu, select Managed Host Config > Network Interfaces.
The Network Interfaces window appears with a list of each interface on your managed host.
Note: For assistance with determining the appropriate role for each interface, please contact Juniper Networks Customer Support.
Step 6
For each interface listed, select the role you wish to assign to the interface using the Role list box.
Step 7
Click Save Configuration.
Step 8
Wait for the interface to refresh before continuing.
Changing Passwords
To change the passwords:
Step 1
In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2
Click the System Management icon.
The System Management window appears.
Step 3
For the host for which you wish to change passwords, click Manage System.
Step 4
Log in to the System Administration interface. The default is:
Username: root
Password: <your root password>
Note: The username and password are case sensitive.
Step 5
From the menu, select Managed Host Config > Root Password.
The Root Passwords window appears.
Step 6
Update the passwords and confirm:
• New Root Password - Specify the root password necessary to access the web-based system administration interface.
• Confirm New Root Password - Re-enter the password for confirmation.
Note: Make sure you record the entered values.
Step 7
Click Update Password.
Updating System Time
You are able to change the time for the following options:
• System time
• Hardware time
• Time Zone
• Time Server
Note: You must change the system time information on the host operating the Console only. The change is then distributed to all managed hosts in your deployment.
You can configure time for your system using one of the following methods:
• Configuring Your Time Server Using RDATE
• Configuring Time Settings For Your System
Configuring Your Time Server Using RDATE
To update the time settings using RDATE:
Step 1
In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2
Click the System Management icon.
The System Management window appears.
Step 3
For the host on which you wish to configure time, click Manage System.
Step 4
Log in to the System Administration interface. The default is:
Username: root
Password: <your root password>
Note: The username and password are case sensitive.
Step 5
From the menu, select Managed Host Config > System Time.
The System Time window appears.
Caution: The time settings window is divided into four sections. You must save each setting before continuing. For example, when you configure System Time, you must click Apply within the System Time section before continuing.
Step 6
In the Time Zone box, select the time zone in which this managed host is located using the Change timezone to list box. Click Save.
Step 7
In the Time Server box, you must specify the following options:
• Timeserver hostnames or addresses - Specify the time server hostname or IP address.
• Set hardware time too - Select the check box if you wish to set the hardware time as well.
• Synchronize on schedule? - Specify one of the following options:
- No - Select this option if you do not wish to synchronize the time on the schedule specified in the Run at selected times below options. Go to Step 8.
- Yes - Select this option if you wish to synchronize the time on a schedule. See the options below.
• Simple Schedule - Select this option if you wish the time update to occur at a specific time. If not, select the Run at times selected below option.
• Times and dates are selected below - Specify the time at which you wish the time update to occur.
Step 8
Click Sync and Apply.
Configuring Time Settings For Your System
To update the time settings for your system:
Step 1
From the System View, use the right mouse button (right-click) on the managed host for which you wish to update the time settings and select Config Management.
The web-based system administration interface login appears.
Step 2
Log in to the System Administration interface. The default is:
Username: root
Password: <your root password>
Note: The username and password are case sensitive.
Step 3
From the menu, select Managed Host Config > System Time.
The System Time window appears.
Caution: The time settings window is divided into four sections. You must save each setting before continuing. For example, when you configure System Time, you must click Apply within the System Time section before continuing.
Step 4
In the Time Zone box, select the time zone in which this managed host is located using the Change timezone to list box. Click Save.
Step 5
In the System Time box, specify the current date and time you wish to assign to the managed host. Click Apply.
If you wish to set the System Time to the same value as the Hardware Time, click Set system time to hardware time.
Step 6
In the Hardware Time box, specify the current date and time you wish to assign to the managed host. Click Save.
If you wish to set the Hardware Time to the same value as the System Time, click Set hardware time to system time.
5 Using the Deployment Editor
The deployment editor allows you to manage the individual components of your
STRM Log Management deployment. Once you configure your Event, and System
Views, you can access and configure the individual components of each managed host.
Note: The Deployment Editor requires the Java Runtime Environment. Download JRE 5.0 at www.java.sun.com. Also, if you are using the Firefox browser, you must configure your browser to accept Java Network Launching Protocol (JNLP) files.
Caution: Many third-party web browsers that use the Internet Explorer engine, such as Maxthon or MyIE, install components that may be incompatible with the
STRM Log Management Administration Console. You must disable any third-party web browsers installed on your system. For further assistance, please contact customer support.
If you wish to access the STRM Log Management Administration Console from behind a proxy server or firewall, you must configure the appropriate proxy settings on your desktop. This allows the software to automatically detect the proxy settings from your browser. To configure the proxy settings, open the Java configuration located in your Control Panel and configure the IP address of your proxy server.
For more information on configuring proxy settings, see your Microsoft documentation.
This chapter provides information on managing your views including:
• Editing Deployment Editor Preferences
• Configuring STRM Log Management Components
About the Deployment Editor
You can access the deployment editor using the STRM Log Management Administration Console. You can use the deployment editor to create your deployment, assign connections, and configure each component.
The deployment editor provides the following views of your deployment:
• System View - Allows you to assign software components to systems (managed hosts) in your deployment. The System View includes all managed hosts in your deployment. A managed host is a system in your deployment that provides additional event processing. By default, the System View also includes the Host Context component, which monitors all STRM Log Management components to ensure that each component is operating as expected.
• Event View - Allows you to create a view for your SIM components, including Event Processor and Event Collector components.
Each view is divided into two panels.
In the Event View, the left panel provides a list of SIM components you can add to the view and the right panel provides an existing view of your SIM deployment.
In the System View, the left panel provides a list of managed hosts, which you can view and configure. The deployment editor polls your deployment for updates to managed hosts. If the deployment editor detects a change to a managed host in your deployment, a message appears notifying you of the change. For example, if you remove a managed host, a message appears indicating that the assigned components to that host must be re-assigned to another host. Also, if you add a managed host to your deployment, the deployment editor displays a message indicating that the managed host has been added.
Accessing the Deployment Editor
In the Administration Console, click the deployment editor icon. The deployment editor appears. Once you update your configuration settings using the deployment editor, you must save those changes to the staging area. You must either manually deploy all changes using the Administration Console Deploy menu option or, upon exiting the Administration Console, a window appears prompting you to deploy changes before you exit. All deployed changes are then enforced throughout your deployment.
Using the Editor
The deployment editor provides you with several menu and toolbar options when configuring your views including:
• Menu Options
• Toolbar Options
Menu Options
The menu options that appear depend on the selected component in your view.
Table 5-1 provides a list of the menu options and the component for which they
appear.
Table 5-1 Deployment Editor Menu Options
Menu Option > Sub Menu Option - Description
File > Save to staging - Saves the deployment to the staging area.
File > Save and close - Saves the deployment to the staging area and closes the deployment editor.
File > Open staged deployment - Opens a deployment that was previously saved to the staging area.
File > Open production deployment - Opens the current production deployment.
File > Close current deployment - Closes the current deployment.
File > Revert - Reverts the current deployment to the previously saved deployment.
Edit > Edit Preferences - Opens the preferences window.
Edit > Close editor - Closes the deployment editor.
Actions > Delete - Deletes a component, host, or connection.
Actions > Add a managed host - Opens the Add a Managed Host wizard.
Actions > Manage NATed Networks - Opens the Manage NATed Networks window, which allows you to manage the list of NATed networks in your deployment.
Actions > Rename component - Renames an existing component. This option is only available when a component is selected.
Actions > Configure - Configures a STRM Log Management component. This option is only available when an Event Collector or Event Processor is selected.
Actions > Assign - Assigns a component to a managed host. This option is only available when an Event Collector or Event Processor is selected.
Actions > Unassign - Unassigns a component from a managed host. This option is only available when an Event Collector or Event Processor is selected and the selected component's managed host is running a compatible version of STRM Log Management software.
Toolbar Options
The toolbar options include:
Table 5-2 Toolbar Options
Each toolbar icon performs one of the following actions:
• Saves the deployment to the staging area and closes the deployment editor.
• Opens the current production deployment.
• Opens a deployment that was previously saved to the staging area.
• Discards recent changes and reloads the last saved model.
• Deletes the selected item from the deployment view. This option is only available when the selected component has a managed host running a compatible version of STRM Log Management software.
• Opens the Add a Managed Host wizard, which allows you to add a managed host to your deployment.
• Opens the Manage NATed Networks window, which allows you to manage the list of NATed networks in your deployment.
• Resets the zoom to the default.
• Zoom in.
• Zoom out.
Creating Your Deployment
To create your deployment, you must:
Step 1
Build your System View. See Managing Your System View.
Step 2
Configure added components. See Configuring STRM Log Management Components.
Step 3
Build your Event View. See Building Your Event View.
Step 4
Stage the deployment. From the deployment editor menu, select File > Save to Staging.
Step 5
Deploy all configuration changes. From the Administration Console menu, select Configurations > Deploy All.
For more information on the Administration Console, see
.
Before you Begin
Before you begin, you must:
• Install all necessary hardware and STRM Log Management software.
• Install the Java Runtime Environment. You can download Java version 1.5.0_12 at the following web site: http://java.com/en/download/index.jsp
• If you are using the Firefox browser, you must configure your browser to accept Java Network Launching Protocol (JNLP) files.
• Plan your STRM Log Management deployment, including the IP addresses and login information for all devices in your STRM Log Management deployment.
Note: If you require assistance with the above, please contact Juniper Networks Customer Support.
Editing Deployment Editor Preferences
To edit the deployment editor preferences:
Step 1
From the deployment editor main menu, select File > Edit Preferences.
The Deployment Editor Setting window appears.
Step 2
Enter values for the following parameters:
• Presence Poll Frequency - Specify how often, in milliseconds, the deployment editor polls your deployment for updates, for example, a new or updated managed host.
• Zoom Increment - Specify the increment value when the zoom option is selected. For example, 0.1 indicates 10%.
Step 3
Close the window.
The Deployment Editor appears.
Building Your Event View
The Event View allows you to create and manage the SIM components for your deployment, including:
• Event Collector - Collects security events from various types of security devices in your network. The Event Collector gathers events from local, remote, and device sources. The Event Collector then normalizes the events and sends the information to the Event Processor. The Event Collector also bundles all virtually identical events to conserve system usage.
• Event Processor - An Event Processor processes events collected from one or more Event Collectors. The events are bundled once again to conserve network usage. Once received, the Event Processor correlates the information from STRM Log Management and distributes it to the appropriate area, depending on the type of event. The Event Processor also includes information gathered by STRM Log Management to indicate any behavioral changes or policy violations for that event. Rules are then applied to the events, allowing the Event Processor to process them according to the configured rules.
To build your Event View, you must:
Step 1
Add SIM components to your view. See Adding Components.
Step 2
Connect the components. See Connecting Components.
Step 3
Forward normalized events. See Forwarding Normalized Events.
Step 4
Rename the components so each component has a unique name. See Renaming Components.
Adding Components
To add components to your Event View:
Step 1
In the deployment editor, click the Event View tab.
The Event View appears.
Step 2
In the Event Tools panel, select a component you wish to add to your deployment.
The Adding a New Component Wizard appears.
Step 3
Enter a unique name for the component you wish to add. The name can be up to 15 characters in length and may include underscores or hyphens. Click Next.
The Assign Component window appears.
Step 4
From the Select a host to assign to list box, select a managed host to which you wish to assign the new component. Click Next.
Step 5
Click Finish.
Step 6
Repeat for each component you wish to add to your view.
Step 7
From the main menu, select File > Save to staging.
Connecting
Components
Once you add all the necessary components in your Event View, you must connect your Event Processor(s) and Event Collector(s).
To connect components:
Step 1
In the Event View, select the component for which you wish to establish a connection.
Step 2
From the menu, select Actions > Add Connection.
Note: You can also use the right mouse button (right-click) to access the Action menu item.
An arrow appears in your map.
Step 3
Drag the end of the arrow to the component to which you wish to establish a connection. You can only connect Event Collectors to Event Processors.
The arrow connects the two components.
Step 4
Repeat for all remaining components for which you wish to establish a connection.
Step 5
From the main menu, select File > Save to staging.
Forwarding Normalized Events
To forward normalized events, you must configure an off-site Event Collector (target) in your current deployment and the associated off-site Event Collector in the receiving deployment (source).
You can add the following components to your Event View:
• Off-site Source - Indicates an off-site Event Collector from which you wish to receive data. The source must be configured with appropriate permissions to send events to the off-site target.
• Off-site Target - Indicates an off-site Event Collector to which you wish to send data.
For example, if you wish to forward normalized events between two deployments
(A and B), where deployment B wishes to receive events from deployment A you must configure deployment A with an off-site target to provide the IP address of the managed host that includes Event Collector B. You must then connect Event
Collector A to the off-site target. In deployment B, you must configure an off-site source with the IP address of the managed host that includes Event Collector A and the port to which Event Collector A is monitoring.
If you wish to disconnect the off-site source, you must remove the connections from both deployments. From deployment A, you must remove the off-site target and in deployment B, you must remove the off-site source.
If you wish to enable encryption between deployments, you must enable encryption on both off-site source and target. Also, you must ensure both the off-site source and target include the public keys to ensure appropriate access. For example, in the example below, if you wish to enable encryption between the off-site source and Event Collector B, you must copy the public key (located at
/root/.ssh/id_rsa.pub) from the Event Collector to the off-site source (copy the file to /root/.ssh/authorized_keys).
Figure 5-1 Example of Connecting Deployments (deployment A: Event Collector A, Event Processor, Off-site Target; deployment B: Off-site Source, Event Collector B, Event Processor)
To forward normalized events:
Step 1
In the deployment editor, click the Event View tab.
The Event View appears.
Step 2
In the Components panel, select either Add Off-site Source or Add Off-site Target.
The Adding a New Component Wizard appears.
Step 3
Specify a unique name for the source or target. The name can be up to 15 characters in length and may include underscores or hyphens. Click Next.
The event source/target information window appears.
Step 4
Enter values for the parameters:
• Enter a name for the off-site host - Specify the name of the off-site host. The name can be up to 15 characters in length and may include underscores or hyphens.
• Enter the IP address of the server - Specify the IP address of the managed host to which you wish to connect.
• Encrypt traffic from off-site source - Select the check box if you wish to encrypt traffic from an off-site source. To enable encryption, you must select this check box on both the associated off-site source and target.
Step 5
Click Next.
Step 6
Click Finish.
Step 7
Repeat for all remaining off-site sources and targets.
Step 8
From the main menu, select File > Save to staging.
Note: If you update your Event Collector configuration or the monitoring ports, you must manually update your source and target configurations to maintain the connection between deployments.
Renaming Components
You may wish to rename a component in your view to uniquely identify components throughout your deployment.
To rename a component:
Step 1
Select the component you wish to rename.
Step 2
From the menu, select Actions > Rename Component.
Note: You can also use the right mouse button (right-click) to access the Action menu items.
The Rename component window appears.
Step 3
Enter a new name for the component. The name must be alphanumeric with no special characters.
Step 4
Click Ok.
Managing Your System View
The System View allows you to manage all managed hosts in your network. A managed host is a component in your network that includes STRM Log Management software. If you are using a STRM Log Management appliance, the components for that appliance model appear. If your STRM Log Management software is installed on your own hardware, the System View includes a Host Context component. The System View allows you to select which component(s) you wish to run on each managed host.
Using the System View, you can:
• Set up managed hosts in your deployment. See Setting Up Managed Hosts.
• Use STRM Log Management with NATed networks in your deployment. See Using NAT with STRM Log Management.
• Update the managed host port configuration. See Configuring a Managed Host.
• Assign a component to a managed host. See Assigning a Component to a Host.
• Configure Host Context. See Configuring Host Context.
Setting Up Managed Hosts
Using the deployment editor you can manage all hosts in your deployment, including:
• Add a managed host to your deployment. See Adding a Managed Host.
• Edit an existing managed host. See Editing a Managed Host.
• Remove a managed host. See Removing a Managed Host.
You cannot assign or configure components on a non-Console managed host when its STRM Log Management software version is incompatible with the software version that the Console is running. If a managed host has previously assigned components and is running an incompatible software version, you can still view the components; however, you are not able to update or delete the components.
Encryption provides greater security for all STRM Log Management traffic between managed hosts. To provide enhanced security, STRM Log Management also provides integrated support for OpenSSH and AttachmateWRQ® Reflection SSH software. Reflection SSH software provides a FIPS 140-2 certified encryption solution. When integrated with STRM Log Management, Reflection SSH provides secure communication between STRM Log Management components. For information on Reflection SSH, see the following web site: www.wrq.com/products/reflection/ssh
Note: You must have Reflection SSH installed on each managed host you wish to encrypt using Reflection SSH. Also, Reflection SSH is not compatible with other SSH software, such as OpenSSH.
Since encryption occurs between managed hosts in your deployment, your deployment must consist of more than one managed host before encryption is possible. Encryption is enabled using SSH tunnels (port forwarding) initiated from the client. A client is the system that initiates a connection in a client/server relationship. When encryption is enabled for a managed host, encryption tunnels are created for all client applications on that managed host to provide protected access to the respective servers. If you enable encryption on a non-Console managed host, encryption tunnels are automatically created for database and other support service connections to the Console.
Note: Enabling encryption reduces the performance of a managed host by at least 50%.
Adding a Managed Host
To add a managed host:
Step 1
From the menu, select Actions > Add a managed host.
The Add new host wizard appears.
Step 2
Click Next.
The Enter the host's IP window appears.
Step 3
Enter values for the parameters:
• Enter the IP of the server or appliance to add - Specify the IP address of the host you wish to add to your System View.
• Enter the root password of the host - Specify the root password for the host.
• Confirm the root password of the host - Specify the password again, for confirmation.
• Host is NATed - Select the check box if you wish to use an existing Network Address Translation (NAT) on this managed host. For more information on NAT, see Using NAT with STRM Log Management.
Note: If you wish to enable NAT for a managed host, the NATed network must be using static NAT translation. For more information on using NAT, see Using NAT with STRM Log Management.
• Enable Encryption - Select the check box if you wish to create an encryption tunnel for the host.
If you selected the Host is NATed check box, the Configure NAT settings window appears. Go to Step 4. Otherwise, go to Step 5.
Step 4
To select a NATed network, enter values for the following parameters:
• Enter public IP of the server or appliance to add - Specify the public IP address of the managed host. The managed host uses this IP address to communicate with another managed host that belongs to a different network using NAT.
• Select NATed network - Using the drop-down list box, select the network you wish this managed host to use.
Note: For information on managing your NATed networks, see Using NAT with STRM Log Management.
Step 5
Click Next.
Step 6
Click Finish.
Note: If your deployment includes undeployed changes, a window appears enabling you to deploy all changes.
The System View appears with the host in the Managed Hosts panel.
Editing a Managed Host
To edit an existing managed host:
Step 1
Click the System View tab.
Step 2
Use the right mouse button (right-click) on the managed host you wish to edit and select Edit Managed Host.
The Edit a managed host wizard appears.
Note: This option is only available when the selected managed host is running a compatible version of STRM Log Management software.
Step 3
Click Next.
The attributes window appears.
Step 4
Edit the following values, as necessary:
• Host is NATed - Select the check box if you wish to use existing Network Address Translation (NAT) on this managed host. For more information on NAT, see Using NAT with STRM Log Management.
Note: If you wish to enable NAT for a managed host, the NATed network must be using static NAT translation. For more information on using NAT, see Using NAT with STRM Log Management.
• Enable Encryption - Select the check box if you wish to create an encryption tunnel for the host.
If you selected the Host is NATed check box, the Configure NAT settings window appears. Go to Step 5. Otherwise, go to Step 6.
Step 5
To select a NATed network, enter values for the following parameters:
• Enter public IP of the server or appliance to add - Specify the public IP address of the managed host. The managed host uses this IP address to communicate with another managed host that belongs to a different network using NAT.
• Select NATed network - Using the drop-down list box, select the network you wish this managed host to use.
Note: For information on managing your NATed networks, see Using NAT with STRM Log Management.
Step 6
Click Next.
Step 7
Click Finish.
The System View appears with the updated host in the Managed Hosts panel.
Removing a Managed Host
You can only remove non-Console managed hosts from your deployment. You cannot remove the managed host that is hosting the STRM Log Management Console.
To remove a managed host:
Step 1
Click the System View tab.
Step 2
Use the right mouse button (right-click) on the managed host you wish to delete and select Remove host.
Note: This option is only available when the selected managed host is running a compatible version of STRM Log Management software.
A confirmation window appears.
Step 3
Click Ok.
Step 4
From the Administration Console menu, select Configurations > Deploy All.
Using NAT with STRM Log Management
Network Address Translation (NAT) translates an IP address in one network to a different IP address in another network. NAT provides increased security for your deployment since requests are managed through the translation process, which essentially hides internal IP addresses.
Before you enable NAT for a STRM Log Management managed host, you must set up your NATed networks using static NAT translation. This ensures communications between managed hosts that exist within different NATed networks.
Note: Your static NATed networks must be set up and configured on your network before you enable NAT using STRM Log Management. For more information, see your network administrator.
You can also add a non-NATed managed host that uses inbound NAT for its public IP address and dynamic NAT for outbound traffic, provided it is located on the same switch as the Console or the other managed host. In that case, you must configure the managed host to use the same IP address for both its public and private IP addresses.
When adding or editing a managed host, you can enable NAT for that managed host. You can also use the deployment editor to manage your NATed networks, including:
• Adding a NATed Network to STRM Log Management
• Editing a NATed Network
• Deleting a NATed Network From STRM Log Management
• Changing the NAT Status for a Managed Host
Adding a NATed Network to STRM Log Management
To add a NATed network to your STRM Log Management deployment:
Step 1
In the deployment editor, click the NATed networks icon.
Note: You can also use the Actions > Manage NATed Networks menu option to access the Manage NATed Networks window.
The Manage NATed Networks window appears.
Step 2
Click Add.
The Add New NATed Network window appears.
Step 3
Enter a name for the network you wish to use for NAT.
Step 4
Click Ok.
The Manage NATed Networks window appears.
Step 5
Click Ok.
A confirmation window appears.
Step 6
Click Yes.
Editing a NATed Network
To edit a NATed network:
Step 1
In the deployment editor, click the NATed networks icon.
Note: You can also use the Actions > Manage NATed Networks menu option to access the Manage NATed Networks window.
The Manage NATed Networks window appears.
Step 2
Select the NATed network you wish to edit and click Edit.
The Edit NATed Network window appears.
Step 3
Update the name of the network you wish to use for NAT.
Step 4
Click Ok.
The Manage NATed Networks window appears.
Step 5
Click Ok.
A confirmation window appears.
Step 6
Click Yes.
Deleting a NATed Network From STRM Log Management
To delete a NATed network from your deployment:
Step 1
In the deployment editor, click the NATed networks icon.
Note: You can also use the Actions > Manage NATed Networks menu option to access the Manage NATed Networks window.
The Manage NATed Networks window appears.
Step 2
Select the NATed network you wish to delete.
Step 3
Click Delete.
A confirmation window appears.
Step 4
Click Ok.
Step 5
Click Yes.
Changing the NAT Status for a Managed Host
To change the NAT status for a managed host, make sure you update the managed host configuration within STRM Log Management before you update the device. This prevents the host from becoming unreachable and allows you to deploy changes to that host.
To change the status of NAT (enable or disable) for an existing managed host:
Step 1
In the deployment editor, click the System View tab.
Step 2
Use the right mouse button (right-click) on the managed host you wish to edit and select Edit Managed Host.
The Edit a managed host wizard appears.
Step 3
Click Next.
The networking and tunneling attributes window appears.
Step 4
Choose one of the following:
a If you wish to enable NAT for the managed host, select the Host is NATed check box. Go to Step 5.
Note: If you wish to enable NAT for a managed host, the NATed network must be using static NAT translation.
b If you wish to disable NAT for the managed host, clear the Host is NATed check box. Go to Step 6.
Step 5
To select a NATed network, enter values for the following parameters:
• Change public IP of the server or appliance to add - Specify the public IP address of the managed host. The managed host uses this IP address to communicate with another managed host that belongs to a different network using NAT.
• Select NATed network - Using the drop-down list box, select the network you wish this managed host to use.
• Manage NATs List - Update the NATed network configuration. For more information, see Using NAT with STRM Log Management.
Step 6
Click Next.
Step 7
Click Finish.
The System View appears with the updated host in the Managed Hosts panel.
Note: Once you change the NAT status for an existing managed host, error messages may appear. Ignore all error messages.
Step 8
Update the configuration for the device (firewall) with which the managed host is communicating.
Step 9
From the STRM Log Management Administration Console menu, select Configurations > Deploy All.
Configuring a Managed Host
To configure a managed host:
Step 1 From the System View, use the right mouse button (right-click) on the managed host you wish to configure and select Configure.
The Configure host window appears.
Step 2 Enter values for the parameters:
• Minimum port allowed - Specify the minimum port for which you wish to establish communications.
• Maximum port allowed - Specify the maximum port for which you wish to establish communications.
• Ports to exclude - Specify the port you wish to exclude from communications. You can enter multiple ports you wish to exclude. Separate multiple ports using a comma.
Step 3 Click Save.
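The Configure host window above takes a port range and a comma-separated exclusion list. The following added example (not from the guide or the product) shows how an administrator could validate those three values before clicking Save. The rules it enforces (ports within 1-65535, minimum not above maximum, exclusions flagged when they fall outside the range, refusing a configuration that excludes every port) are the example's own assumptions about sensible input, not documented STRM behaviour.

```python
"""
Added example, not part of the STRM Log Management guide: validate the
Minimum port allowed, Maximum port allowed and Ports to exclude values of
the Configure host window.  The sanity rules applied here are the author's
assumptions, not documented product checks.
"""


def parse_excluded_ports(text):
    """Parse the comma-separated 'Ports to exclude' string into a set of ints.

    Blank entries (for example a trailing comma) are ignored; anything that is
    not an integer in 1-65535 raises ValueError so a typo is caught early.
    """
    ports = set()
    for token in text.split(","):
        token = token.strip()
        if not token:
            continue
        if not token.isdigit():
            raise ValueError("'%s' is not a port number" % token)
        port = int(token)
        if not 1 <= port <= 65535:
            raise ValueError("port %d is outside 1-65535" % port)
        ports.add(port)
    return ports


def validate_host_ports(min_port, max_port, exclude):
    """Return a summary of the effective communication ports for a managed host.

    Raises ValueError for a range that cannot work; reports exclusions that
    lie outside the range as a warning list rather than silently ignoring them.
    """
    if not (1 <= min_port <= 65535 and 1 <= max_port <= 65535):
        raise ValueError("minimum and maximum port must be within 1-65535")
    if min_port > max_port:
        raise ValueError("minimum port allowed exceeds maximum port allowed")

    excluded = parse_excluded_ports(exclude)
    # An exclusion outside the configured range has no effect; surface it so
    # the administrator notices a likely typo.
    outside = sorted(p for p in excluded if not min_port <= p <= max_port)
    allowed = [p for p in range(min_port, max_port + 1) if p not in excluded]
    if not allowed:
        raise ValueError("every port in the range is excluded; the host could not communicate")

    return {
        "allowed_count": len(allowed),
        "first_allowed": allowed[0],
        "last_allowed": allowed[-1],
        "excluded_in_range": sorted(excluded - set(outside)),
        "excluded_outside_range": outside,
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    print(validate_host_ports(32000, 32010, "32005, 32006,40000"))
```

Running the module with the constructed sample reports nine usable ports, the two exclusions that take effect, and the one (40000) that lies outside the range and would otherwise have been ignored without notice.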
Assigning a Component to a Host
You can assign the STRM Log Management components added in the Event Views to the managed hosts in your deployment. This section provides information on assigning a component to a host using the System View; however, you can also assign components to a host in the Event Views.
To assign a host:
Step 1 Click the System View tab.
Step 2 From the Managed Host list, select the managed host to which you wish to assign a STRM Log Management component.
The System View of the host appears.
Step 3 Select the component you wish to assign to a managed host.
Step 4 From the menu, select Actions > Assign.
Note: You can also use the right mouse button (right-click) to access the Actions menu items.
The Assign Component wizard appears.
Step 5 From the Select a host drop-down list box, select the host that you wish to assign to this component. Click Next.
Note: The drop-down list box only displays managed hosts that are running a compatible version of STRM Log Management software.
Step 6 Click Finish.
Configuring Host Context
The Host Context component monitors all STRM Log Management components to make sure that each component is operating as expected.
To configure Host Context:
Step 1 In the Deployment Editor, click the System View tab.
The System View appears.
Step 2 Select the Managed Host that includes the Host Context you wish to configure.
Step 3 Select the Host Context component.
Step 4 From the menu, select Actions > Configure.
Note: You can also use the right mouse button (right-click) to access the Actions menu item.
The Host Context Configuration window appears.
Step 5 Enter values for the parameters:
Table 5-3 Host Context Parameters
Disk Usage Sentinel Settings
• Warning Threshold - When the configured threshold of disk usage is exceeded, an e-mail is sent to the administrator indicating the current state of disk usage. The default is 0.75; therefore, when disk usage exceeds 75%, an e-mail is sent indicating that disk usage is exceeding 75%. If disk usage continues to increase above the configured threshold, a new e-mail is sent after every 5% increase in usage. By default, Host Context monitors the following partitions for disk usage: /, /store and /store/tmp. Specify the desired warning threshold for disk usage.
Note: Notification e-mails are sent to the Administrative Email Address and are sent from the Alert Email From Address, which is configured in the System Settings. For .
• Recovery Threshold - Once the system has exceeded the shutdown threshold, disk usage must fall below the recovery threshold before STRM Log Management processes are restarted. The default is 0.90; therefore, processes will not be restarted until disk usage is below 90%. Specify the recovery threshold.
Note: Notification e-mails are sent to the Administrative Email Address and are sent from the Alert Email From Address, which is configured in the System Settings. For .
• Shutdown Threshold - When the system exceeds the shutdown threshold, all STRM Log Management processes are stopped. An e-mail is sent to the administrator indicating the current state of the system. The default is 0.95; therefore, when disk usage exceeds 95%, all STRM Log Management processes stop. Specify the shutdown threshold.
Note: Notification e-mails are sent to the Administrative Email Address and are sent from the Alert Email From Address, which is configured in the System Settings. For .
• Inspection Interval - Specify the frequency, in milliseconds, at which you wish to determine disk usage.
SAR Sentinel Settings
• Inspection Interval - Specify the frequency, in milliseconds, at which you wish to inspect SAR output. The default is 300,000 ms.
• Alert Interval - Specify the frequency, in milliseconds, at which you wish to be notified that the thresholds have been exceeded. The default is 7,200,000 ms.
• Time Resolution - Specify the time, in seconds, for which you wish the SAR inspection to be engaged. The default is 60 seconds.
Log Monitor Settings
• Inspection Interval - Specify the frequency, in milliseconds, at which you wish to monitor the log files. The default is 60,000 ms.
• Monitored SYSLOG File Name - Specify a filename for the SYSLOG file. The default is /var/log/qradar.error.
• Alert Size - Specify the maximum number of lines you wish to monitor from the log file. The default is 1000.
Step 6 Click Save.
The System View appears.
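The three disk usage thresholds in Table 5-3 interact: warnings repeat in 5% bands, a shutdown stops every process, and a restart waits for the separate recovery threshold. The following added example (not from the guide or the product) models that behaviour in Python with the table's default values and monitored partitions, run over a constructed series of readings, so the effect of each threshold can be seen before the values are changed in the Host Context Configuration window. How the 5% bands are counted and the single stop/restart flag are the author's reading of the table, not the product's code.

```python
"""
Added example, not part of the STRM Log Management guide: a model of the Host
Context disk usage sentinel from Table 5-3 with the guide's defaults
(warning 0.75, recovery 0.90, shutdown 0.95; partitions /, /store, /store/tmp).
The state machine is the author's interpretation; the readings are constructed.
"""
from dataclasses import dataclass, field

# Defaults from Table 5-3.
WARNING_THRESHOLD = 0.75
RECOVERY_THRESHOLD = 0.90
SHUTDOWN_THRESHOLD = 0.95
WARNING_STEP = 0.05          # a further e-mail after every 5% increase
MONITORED_PARTITIONS = ("/", "/store", "/store/tmp")


def _pct(value):
    """Whole percent; avoids floating-point flapping at band boundaries."""
    return round(value * 100)


@dataclass
class DiskUsageSentinel:
    warning: float = WARNING_THRESHOLD
    recovery: float = RECOVERY_THRESHOLD
    shutdown: float = SHUTDOWN_THRESHOLD
    processes_running: bool = True
    # Per partition: highest 5% band above the warning threshold already
    # e-mailed about (-1 = none since usage was last at or below the threshold).
    warned_band: dict = field(default_factory=dict)

    def inspect(self, usage):
        """One inspection pass over {partition: fraction_used}.

        Returns the actions the sentinel takes, as human-readable strings.
        """
        actions = []
        warn, step = _pct(self.warning), _pct(WARNING_STEP)
        readings = {p: _pct(usage[p]) for p in MONITORED_PARTITIONS if p in usage}

        for part, pct in readings.items():
            if pct > warn:
                # First e-mail when usage exceeds the threshold, another each
                # time it crosses a further 5% band (80%, 85%, ...).
                band = (pct - warn) // step
                if band > self.warned_band.get(part, -1):
                    actions.append("email: %s at %d%% exceeds warning threshold %d%%" % (part, pct, warn))
                    self.warned_band[part] = band
            else:
                self.warned_band[part] = -1

        worst = max(readings.values(), default=0)
        if self.processes_running and worst > _pct(self.shutdown):
            self.processes_running = False
            actions.append("stop: %d%% exceeds shutdown threshold %d%%" % (worst, _pct(self.shutdown)))
        elif not self.processes_running and worst < _pct(self.recovery):
            # Restart only once usage is back below the recovery threshold,
            # not merely below the shutdown threshold.
            self.processes_running = True
            actions.append("restart: %d%% is below recovery threshold %d%%" % (worst, _pct(self.recovery)))
        return actions


# Constructed series of /store usage readings, one per inspection interval.
SCENARIO = [0.70, 0.76, 0.79, 0.81, 0.96, 0.93, 0.89, 0.70]


def run_scenario(readings=SCENARIO, partition="/store"):
    """Feed the readings through a default sentinel; return (usage, actions) pairs."""
    sentinel = DiskUsageSentinel()
    return [(u, sentinel.inspect({partition: u})) for u in readings]


if __name__ == "__main__":
    for usage, actions in run_scenario():
        print("%.2f: %s" % (usage, actions or "no action"))
```

In the constructed run, 76% produces the first warning, 79% none (same 5% band), 81% a second warning, 96% a third warning plus the process stop, and 93% nothing: the processes stay down until the 89% reading, which is the first below the 90% recovery threshold.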
Configuring STRM Log Management Components
This section provides information on configuring STRM Log Management components and includes:
• Configuring an Event Collector
• Configuring an Event Processor
Configuring an Event Collector
The Event Collector collects security events from various types of security devices in your network.
To configure an Event Collector:
Step 1 From either the Event View or System View, select the Event Collector you wish to configure.
Step 2 From the menu, select Actions > Configure.
Note: You can also use the right mouse button (right-click) to access the Action menu items.
The Event Collector Configuration window appears.
Step 3 Enter values for the parameters:
Table 5-4 Event Collector Parameters
• Event Collector Server Listen Port - The Event Collector monitors at least one device per instance of the component.
• Destination Event Processor - Specify the destination Event Processor for communications.
• Listen Port - Specifies the listening port for event forwarding.
• Event Targets - If the Event Collector includes an off-site target, this parameter specifies the normalized event forwarding device, separated by commas, using the following format: <device>:<type>. This parameter is for informational purposes only and is not amendable.
Step 4 In the toolbar, click Advanced to display the advanced parameters.
The advanced configuration parameters appear.
Step 5 Enter values for the parameters:
Table 5-5 Event Collector Advanced Parameters
• Receives Flow Context - Specifies the first Event Collector installed in your deployment. This parameter is for informational purposes only and is not amendable.
• Auto Detection Enabled - Specify if you wish the Event Collector to auto analyze and accept traffic from previously unknown sensor devices. The default is true, which means that the Event Collector detects sensor devices in your network. Also, when set to True, the appropriate firewall ports are opened to enable auto detection to receive events. For more information on configuring sensor devices, see the Managing Sensor Devices Guide.
Step 6 Click Save.
The deployment editor appears.
Step 7 Repeat for all Event Collectors in your deployment you wish to configure.
Configuring an Event Processor
The Event Processor processes flows collected from one or more Event Collector(s).
To configure an Event Processor:
Step 1 From either the Event View or System View, select the Event Processor you wish to configure.
Step 2 From the menu, select Actions > Configure.
Note: You can also use the right mouse button (right-click) to access the Action menu items.
The Event Processor Configuration window appears.
Step 3 Enter values for the parameters:
Table 5-6 Event Processor Parameters
• Event Processor Server Listen Port - Specify the port that the Event Processor monitors for incoming connections. The default range is from 32000 to 65535.
Step 4 In the toolbar, click Advanced to display the advanced parameters.
The advanced configuration parameters appear.
Step 5 Enter values for the parameters, as necessary:
Table 5-7 Event Processor Parameters
• Overflow Routing Threshold - Specify the events per second threshold up to which the Event Processor can manage events. Events over this threshold are placed in the cache.
• Events database path - Specify the location in which you wish to store events. The default is /store/ariel/events.
• Payloads database path - Specify the location in which you wish to store payload information. The default is /store/ariel/payloads.
Step 6 Click Save.
The deployment editor appears.
Step 7 Repeat for all Event Processors in your deployment you wish to configure.
6 Forwarding Syslog Data
STRM Log Management allows you to forward received log data to other products. You can forward syslog data (raw log data) received from devices as well as STRM Log Management normalized event data. You can forward data on a per Event Collector/Event Processor basis and you can configure multiple forwarding destinations. Also, STRM Log Management ensures that all data that is forwarded is unaltered.
This chapter includes:
• Adding a Syslog Destination
• Editing a Syslog Destination
• Delete a Syslog Destination
Adding a Syslog Destination
To add a syslog forwarding destination:
Step 1 In the Administration Console, click the SIM Configuration tab.
The SIM Configuration panel appears.
Step 2 Click the Syslog Forwarding Destinations icon.
The Syslog Forwarding Destinations window appears.
Step 3 Click Add.
The Syslog Forwarding Destinations window appears.
Step 4 Enter values for the parameters:
• Forwarding Event Collector - Using the drop-down list box, select the deployed Event Collector from which you wish to forward log data.
• IP - Enter the IP address of the system to which you wish to forward log data.
• Port - Enter the port number on the system to which you wish to forward log data.
Step 5 Click Save.
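The chapter states that forwarded data is unaltered, and a destination is defined only by an IP address and a port. The following added example (not from the guide or the product) is a loopback check an administrator can run to confirm that property end to end: it stands in for the destination system with a UDP listener on 127.0.0.1, sends constructed raw syslog lines to it the way a forwarding Event Collector would, and compares what arrives byte-for-byte (by SHA-256) with what was sent. UDP transport and the loopback address are assumptions for the demonstration; in practice the listener would run on the system whose IP and port you entered above.

```python
"""
Added example, not part of the STRM Log Management guide: round-trip raw
syslog lines through a local UDP socket and verify they arrive unaltered.
Transport (UDP) and the 127.0.0.1 destination are assumptions for the demo.
"""
import hashlib
import socket

# Constructed sample raw syslog lines (RFC 3164 style); not from a real device.
SAMPLE_LINES = [
    b"<34>Oct 11 22:14:15 fw01 kernel: iptables DROP IN=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP DPT=23",
    b"<86>Oct 11 22:14:16 srv02 sshd[4182]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    b"<13>Oct 11 22:14:17 app03 myapp: user=alice action=login result=ok",
]


def open_destination(host="127.0.0.1"):
    """Bind a UDP listener standing in for the forwarding destination.

    Port 0 lets the OS pick a free port, so the check never collides with a
    real syslog daemon listening on 514.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, 0))
    sock.settimeout(2.0)
    return sock


def forward(lines, host, port):
    """Send each raw line as one UDP datagram; return the SHA-256 of each payload."""
    digests = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sender:
        for line in lines:
            sender.sendto(line, (host, port))
            digests.append(hashlib.sha256(line).hexdigest())
    return digests


def receive(sock, expected):
    """Collect up to `expected` datagrams; a timeout ends the collection early."""
    received = []
    for _ in range(expected):
        try:
            data, _addr = sock.recvfrom(65535)
        except socket.timeout:
            break   # a lost datagram shows up as missing in the comparison
        received.append(data)
    return received


def check_forwarding(lines=SAMPLE_LINES):
    """Round-trip the sample lines and report whether each arrived unaltered."""
    sock = open_destination()
    try:
        host, port = sock.getsockname()
        sent_digests = forward(lines, host, port)
        got = receive(sock, len(lines))
    finally:
        sock.close()
    got_digests = [hashlib.sha256(d).hexdigest() for d in got]
    # UDP may reorder datagrams, so compare the digests as multisets.
    return {
        "sent": len(lines),
        "received": len(got),
        "unaltered": sorted(sent_digests) == sorted(got_digests),
        "missing_or_altered": sorted(set(sent_digests) - set(got_digests)),
    }


if __name__ == "__main__":
    print(check_forwarding())
```

Comparing digests rather than the lines themselves keeps the report short when hundreds of lines are checked, and the missing_or_altered list identifies exactly which sent payloads never arrived intact.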
Editing a Syslog Destination
To edit a syslog forwarding destination:
Step 1 In the Administration Console, click the SIM Configuration tab.
The SIM Configuration panel appears.
Step 2 Click the Syslog Forwarding Destinations icon.
The Syslog Forwarding Destinations window appears.
Step 3 Select the entry you wish to edit.
Step 4 Click Edit.
The Syslog Forwarding Destinations window appears.
Step 5 Update values, as necessary:
• Forwarding Event Collector - Using the drop-down list box, select the deployed Event Collector from which you wish to forward log data.
• IP - Enter the IP address of the system to which you wish to forward log data.
• Port - Enter the port number on the system to which you wish to forward log data.
Step 6 Click Save.
Delete a Syslog Destination
To delete a syslog forwarding destination:
Step 1 In the Administration Console, click the SIM Configuration tab.
The SIM Configuration panel appears.
Step 2 Click the Syslog Forwarding Destinations icon.
The Syslog Forwarding Destinations window appears.
Step 3 Select the entry you wish to delete.
Step 4 Click Delete.
A confirmation window appears.
Step 5 Click Ok.
A Q1 Labs MIB
This appendix provides information on the Q1 Labs Management Information Base (MIB). The Q1 Labs MIB allows you to send SNMP traps to other network management systems. The Q1 Labs OID is 1.3.6.1.4.1.20212.
Note: For assistance with the Q1 Labs MIB, please contact Q1 Labs Customer Support.
The Q1 Labs MIB includes:
Q1LABS-MIB DEFINITIONS ::= BEGIN

IMPORTS
    OBJECT-TYPE, NOTIFICATION-TYPE, MODULE-IDENTITY, Integer32,
    Opaque, enterprises, Counter32 FROM SNMPv2-SMI
    DisplayString FROM SNMPv2-TC;

q1Labs MODULE-IDENTITY
    LAST-UPDATED "200508120000Z"
    ORGANIZATION "Q1 Labs Inc"
    CONTACT-INFO
        "
        1000 Winter Street
        Suite 2950
        Waltham, MA 02451 USA
        Phone: 781-250-5800 email: [email protected]
        "
    DESCRIPTION
        "Q1 Labs MIB Definition"
    ::= { enterprises 20212 }

q1NotificationData OBJECT-TYPE
    SYNTAX DisplayString
    MAX-ACCESS read-only
    STATUS current
    DESCRIPTION "Notification Data"
    ::= { q1Labs 100 }

q1Notifications OBJECT IDENTIFIER ::= { q1Labs 200 }

q1CRENotification NOTIFICATION-TYPE
    STATUS current
    DESCRIPTION "QRADAR Custom Rule Engine Notification"
    ::= { q1Notifications 0 }

q1EventRuleNotification NOTIFICATION-TYPE
    STATUS current
    DESCRIPTION "Notification Triggered by an Custom Event Rule"
    ::= { q1Notifications 1 }

q1OffenseRuleNotification NOTIFICATION-TYPE
    STATUS current
    DESCRIPTION "Notification Triggered by an Custom Offense Rule"
    ::= { q1Notifications 2 }

q1SentryNotification NOTIFICATION-TYPE
    STATUS current
    DESCRIPTION "Notification Triggered by a QRadar Sentry"
    ::= { q1Notifications 3 }

END
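A network management system or SIEM that receives these traps needs to turn the numeric OIDs back into the names the MIB defines. The following added example (not from the guide, the product or the Q1 Labs MIB) is a small Python resolver for that purpose: it encodes the object tree declared above (enterprises 20212, q1NotificationData 100, q1Notifications 200 and the four notification sub-identifiers), resolves an incoming OID by longest prefix so instance suffixes such as .0 are handled, and classifies a trap's varbind list. snmpTrapOID.0 and sysUpTime.0 are the standard SNMPv2 varbinds every trap carries; the sample traps are constructed for the demonstration.

```python
"""
Added example, not part of the STRM Log Management guide or the Q1 Labs MIB:
resolve Q1 Labs trap OIDs to their MIB names and classify a trap's varbinds.
OID values are taken from the MIB text; the sample traps are constructed.
"""

ENTERPRISES = "1.3.6.1.4.1"
Q1LABS = ENTERPRISES + ".20212"                 # q1Labs ::= { enterprises 20212 }

# Object tree declared by Q1LABS-MIB.
Q1LABS_OIDS = {
    Q1LABS: "q1Labs",
    Q1LABS + ".100": "q1NotificationData",      # ::= { q1Labs 100 }
    Q1LABS + ".200": "q1Notifications",         # ::= { q1Labs 200 }
    Q1LABS + ".200.0": "q1CRENotification",
    Q1LABS + ".200.1": "q1EventRuleNotification",
    Q1LABS + ".200.2": "q1OffenseRuleNotification",
    Q1LABS + ".200.3": "q1SentryNotification",
}

# Standard varbinds that lead every SNMPv2c/v3 trap (SNMPv2-MIB).
SYS_UPTIME_0 = "1.3.6.1.2.1.1.3.0"
SNMP_TRAP_OID_0 = "1.3.6.1.6.3.1.1.4.1.0"


def resolve_oid(oid):
    """Map a dotted OID to its MIB name, keeping any trailing instance
    sub-identifiers (for example '.0') that the MIB does not name.

    Longest-prefix matching handles instance suffixes and unnamed children;
    an OID outside the Q1 Labs subtree is returned unchanged.
    """
    parts = oid.strip(".").split(".")
    for cut in range(len(parts), 0, -1):
        prefix = ".".join(parts[:cut])
        if prefix in Q1LABS_OIDS:
            suffix = ".".join(parts[cut:])
            return Q1LABS_OIDS[prefix] + ("." + suffix if suffix else "")
    return oid


def classify_trap(varbinds):
    """Interpret a trap given as a list of (oid, value) pairs.

    Returns the notification name, whether it belongs to the Q1 Labs MIB,
    and the q1NotificationData payload if the trap carried one.
    """
    trap_oid = None
    data = None
    for oid, value in varbinds:
        if oid == SNMP_TRAP_OID_0:
            trap_oid = value
        elif resolve_oid(oid).startswith("q1NotificationData"):
            data = value
    if trap_oid is None:
        return {"notification": None, "q1labs": False, "data": data}
    return {
        "notification": resolve_oid(trap_oid),
        "q1labs": trap_oid.startswith(Q1LABS + "."),
        "data": data,
    }


# Constructed sample traps (not captured from a real system).
SAMPLE_OFFENSE_TRAP = [
    (SYS_UPTIME_0, "123456"),
    (SNMP_TRAP_OID_0, Q1LABS + ".200.2"),
    (Q1LABS + ".100.0", "Offense 42: excessive failed logins from 203.0.113.7"),
]
SAMPLE_FOREIGN_TRAP = [
    (SYS_UPTIME_0, "98765"),
    (SNMP_TRAP_OID_0, "1.3.6.1.6.3.1.1.5.3"),    # standard linkDown trap
]

if __name__ == "__main__":
    print(classify_trap(SAMPLE_OFFENSE_TRAP))
    print(classify_trap(SAMPLE_FOREIGN_TRAP))
```

Keying the classification on snmpTrapOID.0 rather than on the presence of a q1NotificationData varbind means a trap from another vendor that happens to carry extra varbinds is still reported as foreign, which matters when several products send traps to the same receiver.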
Index
A
administration console about
accessing
using
administrator role
Ariel database
audience
audit log viewing
audit logs
authentication configuring
LDAP
RADIUS
system
TACACS
user
auto detection
automatic update about
scheduling
B
backup and recovery 45
C
changes deploying
command line max matched results
components
console settings
conventions
D
database settings
deploying changes
deployment editor
about
accessing
creating your deployment
event view
preferences
QRadar SLIM components
requirements
system view
toolbar
using
device access
device management
E
encryption
Event Collector about
configuring
Event Processor about
configuring
event view about
adding components
building
connecting components
renaming components
F
firewall access
flow view components
H
hashing algorithm
host adding
host context
I
interface roles
L
LDAP/Active directory
license key exporting
managing
logs
M
managed host adding
assigning components
editing
removing
set-up
maximum real-time results
MIB
N
NAT editing
enabling
removing
using with QRadar SLIM
Network Address Translation. See NAT
network hierarchy creating
NTP
O
off-site source
off-site target
P
passwords changing
Q
QRadar SLIM components
QRadar SLIM user
R
RADIUS authentication
RDATE
recovery 45
restarting QRadar SLIM
role
administrator
creating
editing
managing
S
SNMP agent accessing
SNMP Settings
source off-site
starting QRadar SLIM
stopping QRadar SLIM
syslog forwarding
adding
deleting
editing
system authentication
system settings
configuring
system thresholds
system time
system view about
assigning components
Host Context
managed host
managing
T
TACACS authentication
target off-site
thresholds
time
time limit command line execution
reporting execution
web execution
U
user creating account
editing account
managing
roles
users authentication
Table of contents
- 7 About This Guide
- 7 Audience
- 7 Conventions
- 7 Technical Documentation
- 7 Documentation Feedback
- 8 Requesting Support
- 9 Overview
- 9 About the Interface
- 10 Accessing the Administration Console
- 10 Using the Interface
- 11 Deploying Changes
- 11 Viewing STRM Log Management Audit Logs
- 12 Logged Actions
- 13 Viewing the Log File
- 15 Managing Users
- 15 Managing Roles
- 15 Creating a Role
- 17 Editing a Role
- 18 Managing User Accounts
- 18 Creating a User Account
- 19 Editing a User Account
- 20 Disabling a User Account
- 21 Authenticating Users
- 25 Setting Up STRM Log Management
- 25 Managing Your License Keys
- 26 Updating your License Key
- 27 Exporting Your License Key Information
- 28 Creating Your Network Hierarchy
- 28 Considerations
- 29 Defining Your Network Hierarchy
- 32 Scheduling Automatic Updates
- 33 Configuring STRM Log Management Settings
- 37 Configuring System Notifications
- 39 Configuring the Console Settings
- 41 Starting and Stopping STRM Log Management
- 41 Accessing the Embedded SNMP Agent
- 42 Configuring Access Settings
- 42 Configuring Firewall Access
- 44 Updating Your Host Set-up
- 45 Configuring Interface Roles
- 46 Changing Passwords
- 47 Updating System Time
- 51 Using the Deployment Editor
- 52 About the Deployment Editor
- 53 Accessing the Deployment Editor
- 53 Using the Editor
- 55 Creating Your Deployment
- 55 Before you Begin
- 56 Editing Deployment Editor Preferences
- 56 Building Your Event View
- 57 Adding Components
- 58 Connecting Components
- 59 Forwarding Normalized Events
- 61 Renaming Components
- 61 Managing Your System View
- 62 Setting Up Managed Hosts
- 66 Using NAT with STRM Log Management
- 70 Configuring a Managed Host
- 70 Assigning a Component to a Host
- 71 Configuring Host Context
- 74 Configuring STRM Log Management Components
- 74 Configuring an Event Collector
- 75 Configuring an Event Processor
- 77 Forwarding Syslog Data
- 77 Adding a Syslog Destination
- 78 Editing a Syslog Destination
- 79 Delete a Syslog Destination
- 81 Q1 Labs MIB
- 83 Index