Symantec™ Event Collector for SELinux® Integration Guide


The software described in this book is furnished under a license agreement and may be used
only in accordance with the terms of the agreement.
Documentation version 4.0
Legal Notice
Copyright © 2006 Symantec Corporation.
All rights reserved.
Federal acquisitions: Commercial Software - Government Users Subject to Standard License
Terms and Conditions.
Symantec, the Symantec logo, SESA, LiveUpdate, Symantec AntiVirus, Symantec Enterprise
Security Architecture, and Symantec Security Response are trademarks or registered
trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other
names may be trademarks of their respective owners.
Microsoft, Windows, and Windows 2000 are trademarks or registered trademarks of Microsoft
Corporation. This product includes software that was developed by the Apache Software
Foundation. Other brands and product names mentioned in this manual may be trademarks
or registered trademarks of their respective companies and are hereby acknowledged.
The product described in this document is distributed under licenses restricting its use,
copying, distribution, and decompilation/reverse engineering. No part of this document
may be reproduced in any form by any means without prior written authorization of
Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS,
REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT,
ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO
BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL
OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE,
OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS
DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be "commercial computer software"
and "commercial computer software documentation" as defined in FAR Sections 12.212 and
DFARS Section 227.7202.
Symantec Corporation
20330 Stevens Creek Blvd.
Cupertino, CA 95014 USA
http://www.symantec.com
Technical Support
Symantec Technical Support maintains support centers globally. Technical
Support's primary role is to respond to specific queries about product feature and
function, installation, and configuration. The Technical Support group also authors
content for our online Knowledge Base. The Technical Support group works
collaboratively with the other functional areas within Symantec to answer your
questions in a timely fashion. For example, the Technical Support group works
with Product Engineering and Symantec Security Response to provide alerting
services and virus definition updates.
Symantec's maintenance offerings include the following:
■ A range of support options that give you the flexibility to select the right
amount of service for any size organization
■ A telephone and web-based support that provides rapid response and
up-to-the-minute information
■ Upgrade insurance that delivers automatic software upgrade protection
■ Global support that is available 24 hours a day, 7 days a week worldwide.
Support is provided in a variety of languages for those customers that are
enrolled in the Platinum Support program
■ Advanced features, including Technical Account Management
For information about Symantec's Maintenance Programs, you can visit our Web
site at the following URL:
www.symantec.com/techsupp/ent/enterprise.html
Select your country or language under Global Support. The specific features that
are available may vary based on the level of maintenance that was purchased and
the specific product that you are using.
Contacting Technical Support
Customers with a current maintenance agreement may access Technical Support
information at the following URL:
www.symantec.com/techsupp/ent/enterprise.html
Select your region or language under Global Support.
Before contacting Technical Support, make sure you have satisfied the system
requirements that are listed in your product documentation. Also, you should be
at the computer on which the problem occurred, in case it is necessary to recreate
the problem.
When you contact Technical Support, please have the following information
available:
■ Product release level
■ Hardware information
■ Available memory, disk space, and NIC information
■ Operating system
■ Version and patch level
■ Network topology
■ Router, gateway, and IP address information
■ Problem description:
■ Error messages and log files
■ Troubleshooting that was performed before contacting Symantec
■ Recent software configuration changes and network changes
Licensing and registration
If your Symantec product requires registration or a license key, access our technical
support Web page at the following URL:
www.symantec.com/techsupp/ent/enterprise.html
Select your region or language under Global Support, and then select the Licensing
and Registration page.
Customer service
Customer service information is available at the following URL:
www.symantec.com/techsupp/ent/enterprise.html
Select your country or language under Global Support.
Customer Service is available to assist with the following types of issues:
■ Questions regarding product licensing or serialization
■ Product registration updates such as address or name changes
■ General product information (features, language availability, local dealers)
■ Latest information about product updates and upgrades
■ Information about upgrade insurance and maintenance contracts
■ Information about the Symantec Value License Program
■ Advice about Symantec's technical support options
■ Nontechnical presales questions
■ Issues that are related to CD-ROMs or manuals
Maintenance agreement resources
If you want to contact Symantec regarding an existing maintenance agreement,
please contact the maintenance agreement administration team for your region
as follows:
■ Asia-Pacific and Japan: contractsadmin@symantec.com
■ Europe, Middle-East, and Africa: semea@symantec.com
■ North America and Latin America: supportsolutions@symantec.com
Additional Enterprise services
Symantec offers a comprehensive set of services that allow you to maximize your
investment in Symantec products and to develop your knowledge, expertise, and
global insight, which enable you to manage your business risks proactively.
Enterprise services that are available include the following:
■ Symantec Early Warning Solutions: These solutions provide early warning of cyber
attacks, comprehensive threat analysis, and countermeasures to prevent attacks
before they occur.
■ Managed Security Services: These services remove the burden of managing and
monitoring security devices and events, ensuring rapid response to real threats.
■ Consulting Services: Symantec Consulting Services provide on-site technical
expertise from Symantec and its trusted partners. Symantec Consulting Services
offer a variety of prepackaged and customizable options that include assessment,
design, implementation, monitoring and management capabilities, each focused on
establishing and maintaining the integrity and availability of your IT resources.
■ Educational Services: Educational Services provide a full array of technical
training, security education, security certification, and awareness communication
programs.
To access more information about Enterprise services, please visit our Web site
at the following URL:
www.symantec.com
Select your country or language from the site index.
Chapter 1 Introducing Symantec Event Collector for
Security-Enhanced Linux
About collectors.............................................................................9
Components of collectors...............................................................10
How collectors work......................................................................11
How collectors process events.........................................................12
What you can do with collectors......................................................13
Where to find more information about Information Manager...............13
Accessing Help for the console..................................................13
Chapter 2 Installing Symantec Event Collector for
Security-Enhanced Linux
Integration checklists for SELinux Collector......................................15
Preinstallation checklist..........................................................16
Installation checklist..............................................................16
Configuration checklist...........................................................17
Post-installation checklist........................................................17
Before you install the collector........................................................18
Updating the hosts file............................................................18
Installing the SIP,Agent,and collector component.............................19
Installing the SIP...................................................................19
Installing the Agent................................................................22
Installing the collector component............................................24
Configuring your third-party security product and collector
sensor..................................................................................25
About configuring your third-party security product to work
with the collector.............................................................26
Configuring the collector sensor to receive security events.............26
Viewing general information....................................................28
Configuring event filtering.......................................................29
Configuring event aggregation..................................................32
After you install the collector.........................................................36
Launching Symantec Security Information Manager.....................36
Testing the collector installation...............................................37
About viewing reports.............................................................43
About creating custom reports..................................................43
Uninstalling the collector..............................................................44
Uninstalling the collector component........................................44
Uninstalling the Agent............................................................45
Uninstalling the Symantec Integration Package...........................45
Appendix A Quick reference for SELinux Collector
Compatibility and system requirements............................................49
Compatibility requirements for Security-Enhanced Linux..............49
System requirements for the collector machine............................50
Preinstallation requirements for SELinux Collector............................50
Configuring your security product to work with the collector................50
Sensor information......................................................................50
Sensor settings for SELinux Collector.........................................50
Recommended collector configurations............................................51
Appendix B Creating collector configurations
Collector configuration scenarios....................................................53
Scenario 1 - One-for-All configuration........................................54
Scenario 2 - One-to-Many configuration.....................................55
Scenario 3 - One-to-One configuration.......................................58
Scenario 4 - One-per-Type configuration.....................................60
Creating collector configurations....................................................61
Adding,deleting,and disabling sensors......................................62
Appendix C Implementation notes
Implementation notes for SELinux Collector.....................................65
Method of data collection.........................................................65
Schema packages...................................................................65
Example data........................................................................65
Event mapping......................................................................65
Index
Chapter 1 Introducing Symantec Event Collector for Security-Enhanced Linux
This chapter includes the following topics:
■ About collectors
■ Components of collectors
■ How collectors work
■ How collectors process events
■ What you can do with collectors
■ Where to find more information about Information Manager
About collectors
Collectors enable centralized cross-tier logging, alerting, and reporting between
Symantec™ Security Information Manager and third-party security products such
as firewalls and intrusion-detection sensor software.
Collectors retrieve events that are logged by a third-party security product and
forward these events to Information Manager. These events are stored in the
Information Manager database, where you can view them in reports, use them as
the basis for configuring alert notifications and incident creation, and configure
them as raw data for report generation. You can also configure collectors to
selectively filter events and aggregate events that you want to forward to
Information Manager.
After you install collectors, your third-party security product is integrated with
Symantec Security Information Manager. When a product is integrated with
Information Manager, you can use Information Manager to view the events that
it has received from the third-party security product. Information Manager
provides a central location in which to view and manage the reporting of event
data across multiple Information Manager-integrated security products.
Components of collectors
When you install a collector, you install three separate components: the Symantec
Integration Package (SIP) file, the Agent, and the collector component. The SIP
extends the Information Manager tables and fields so that it can receive collected
events from third-party security product data sources. SIPs of some collectors
also add additional reports for viewing the collected events in Symantec Security
Information Manager. The Agent is a Java™ application that performs
communication functions for the Information Manager components or the
third-party security products on which it is installed. The collector component
collects events from the third-party security products.
Figure 1-1 shows an overview of the Symantec Event Collector components.
Figure 1-1 Collector component overview
Table 1-1 describes the major components of collectors.
Table 1-1 Major components of collectors
Component: Description
Information Manager: Refers to the Symantec Security Information Manager where
event processing, such as filtering and storing, resides. Allows for the centralized
collection, classification, and normalization of events to enable alerting and
reporting across managed security products.
SIP: Refers to the Symantec Integration Package, which is installed on the Symantec
Security Information Manager machine, and extends the Information Manager tables
and fields so it can receive collected events from third-party security software
(SIP not shown).
Agent: Refers to the Java application that performs communication functions for
the Information Manager components on the system on which it is installed.
Collector: Refers to an application that collects events from third-party security
products, processes them and passes them to the Agent.
Sensor: Refers to the component that reads in events from a file, database, syslog,
event log, or other medium, and then passes the events to the remaining collector
components. The information is then delivered to the Agent for transmission to
Information Manager.
Third-party security product: Refers to the software product, such as a firewall,
that ensures data is not vulnerable to unauthorized use or access, and is the source
of events to the collector.
How collectors work
Collectors read data from a third-party security product's data source and compile
the data into a Symantec Security Information Manager-compatible format. The
Agent logs the events that it receives from the third-party product to Symantec
Security Information Manager. When the Information Manager is unavailable,
the Agent queues messages for later delivery, up to a configurable maximum
queue size. The default maximum queue size is 20 MB. You can change this queue
size by using Information Manager.
For more information, refer to the Symantec Security Information Manager online
help.
How collectors process events
Collectors translate third-party security events into Symantec Security Information
Manager events using translator and SESProcessor rules, and then apply filtering
and aggregation rules on translated events. Collectors determine how to classify
the events by examining the contents of key fields within the third-party security
product's data source.
Table 1-2 shows the event categories that collectors assign to each event.
Table 1-2 Event categories
Category: Description
Security: Events that are generated by the security product's data source
Application: Events that are generated by collectors (for example, when the
application starts or stops)
Table 1-3 shows the event severities that collectors assign to each event.
Table 1-3 Event severities
Severity: Description
1 - Informational: Events that represent expected behavior
2 - Warning: Events that represent suspicious behavior
3 - Minor: Events that could require attention
4 - Major: Events that require attention now
5 - Critical: Events that require attention now with a broad range of application
to the enterprise
6 - Fatal: Events that require attention now and that will result in fatal
consequences to the enterprise
In the Symantec Security Information Manager environment, events that arrive
from an Agent are generally understood to be events that are generated by the
system on which the Agent is installed. However, because collectors collect events
from a data source that may receive events from multiple computers, the event
data is structured to preserve the identity of the originating computer.
Events from collectors are logged as if they originated from the computer that
originally logged the message. Therefore, collected events display the machine
name of the computer that logs the event, rather than the machine name of the
computer on which the collector resides.
What you can do with collectors
After collectors are installed and enabled, your events are inserted into Information
Manager. From Symantec Security Information Manager, you can then view,
manage, and create reports that are based on the event data.
With Symantec Security Information Manager and the collector, you can do the
following:
■ View reports.
See “About viewing reports” on page 43.
■ Create custom reports.
See “About creating custom reports” on page 43.
■ Configure collectors to filter events.
See “Configuring event filtering” on page 29.
■ Configure collectors to aggregate events.
See “Configuring event aggregation” on page 32.
Where to find more information about Information Manager
For more information about Information Manager, a knowledge base is available
on the Symantec Technical Support Web site at the following URL:
www.symantec.com/techsupp/enterprise
The knowledge base link is listed under Technical Support. You can find the
Information Manager knowledge base listed under Security Management.
In the Downloads section of the site, you can obtain updated versions of the
documentation, including the following:
■ Symantec Security Information Manager Administrator's Guide
■ Symantec Security Information Manager Installation Guide
Accessing Help for the console
Symantec Security Information Manager provides context-sensitive help for the
console and each of the views that are available in the View menu.
To access Help for the console
◆ In any window, press F1.
Chapter 2 Installing Symantec Event Collector for Security-Enhanced Linux
This chapter includes the following topics:
■ Integration checklists for SELinux Collector
■ Before you install the collector
■ Installing the SIP, Agent, and collector component
■ Configuring your third-party security product and collector sensor
■ After you install the collector
■ Uninstalling the collector
Integration checklists for SELinux Collector
You can use checklists to guide you through the following tasks that are required
to integrate and configure collectors.
■ Preinstallation tasks for Symantec Event Collector for Security-Enhanced
Linux
See Table 2-1 on page 16.
■ Installation tasks for Symantec Event Collector for Security-Enhanced Linux
See Table 2-2 on page 16.
■ Configuration tasks for Symantec Event Collector for Security-Enhanced Linux
See “Configuring the collector sensor to receive security events” on page 26.
See “Sensor information” on page 50.
■ Post-installation tasks for Symantec Event Collector for Security-Enhanced
Linux
See Table 2-4 on page 17.
Preinstallation checklist
Table 2-1 covers tasks that are required before installing the collector.
Table 2-1 Preinstallation checklist
Preinstallation tasks
Meet compatibility requirements for both the third-party security product and the
collector.
See “Compatibility and system requirements” on page 49.
Some collectors may require specific tasks to be completed before installing the
collector.
See “Preinstallation requirements for SELinux Collector” on page 50.
Ensure network connectivity by executing a ping command or by running a test
Telnet session.
Installation checklist
Table 2-2 covers installation tasks that are required for the collector.
Table 2-2 Installation checklist
Installation tasks
Update the hosts file.
See “Updating the hosts file” on page 18.
Install the Symantec Integration Package (SIP).
See “Installing the SIP” on page 19.
Install the Agent.
See “Installing the Agent” on page 22.
Install the collector component.
See “Installing the collector component” on page 24.
Configuration checklist
Table 2-3 covers configuration tasks that may be required for the collector and
the third-party security product.
Table 2-3 Configuration checklist
Configuration tasks
Configure Security-Enhanced Linux,if necessary.
See “Configuring your security product to work with the collector” on page 50.
Configure the collector sensor.
See “Configuring the collector sensor to receive security events” on page 26.
See “Sensor information” on page 50.
Configure the collector for additional configurations,if necessary.
See “Recommended collector configurations” on page 51.
See “Collector configuration scenarios” on page 53.
See “Creating collector configurations” on page 61.
Configure event filtering and event aggregation.
See “Configuring event filtering” on page 29.
See “Configuring event aggregation” on page 32.
Post-installation checklist
Table 2-4 covers post-installation tasks that are required after you install the
collector.
Table 2-4 Post-installation checklist
Post-installation tasks
Launch Symantec Security Information Manager.
See “Launching Symantec Security Information Manager” on page 36.
Test the collector installation.
See “Testing the collector installation” on page 37.
Start and stop the Agent services or daemons,if necessary.
See “Starting and stopping Agent services or daemons ” on page 42.
Table 2-4 Post-installation checklist (continued)
Post-installation tasks
View reports.
Refer to the Symantec Security Information Manager online help for information
on viewing reports.
Create custom reports.
Refer to the Symantec Security Information Manager online help for information
on creating reports.
Before you install the collector
The following tasks must be performed before installing the collector:
■ Update the hosts file.
See “Updating the hosts file” on page 18.
■ Perform any preinstallation tasks that are specific for SELinux Collector.
See “Preinstallation requirements for SELinux Collector” on page 50.
Updating the hosts file
The hosts file contains IP address and host name mapping information. If there
is no fully-qualified domain name for the Information Manager computer, or you
are not using a Domain Name System (DNS) server, the hosts file must be manually
updated to reflect the IP address and host name information that is relevant to
Information Manager and to the collectors that harvest event data. Host names
must be fully-qualified domain names.
To update the hosts file
1 Navigate to the directory of the hosts file.
■ On Windows, the hosts file is located in the
C:\WINDOWS\system32\drivers\etc folder.
■ On Linux/Solaris, the hosts file is located in the /etc directory.
2 Using a text editor, open the hosts file.
3 Add the IP address and host name entries for the Information Manager
appliance. Follow the instructions that are provided in the hosts file for adding
IP address and host name mapping information to the file.
Use a tab between the IP address and host name.
4 After you have added the IP address and host name, save and close the file.
You should ensure that the text editor that you are using does not add a file
extension.
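As an added example (not from the Symantec guide), the shell functions below apply the rules of steps 3 and 4 to a hosts file: the host name must be fully-qualified, the IP address and host name are separated by a single tab, and an existing mapping is neither duplicated nor silently changed. The function names, the host name ssim.example.com and the temporary file are assumptions; 10.4.2.115 is the guide's own example address.

```shell
#!/bin/sh
# Added example: validate and append an Information Manager entry to a hosts
# file as the guide requires (FQDN, tab separator, no conflicting duplicate).
# Function names and sample values are assumptions, not the product's code.

# lookup_host FILE FQDN: print the IP already mapped to FQDN (ignores comments).
lookup_host() {
    awk -v h="$2" '
        /^[[:space:]]*#/ { next }
        { for (i = 2; i <= NF; i++) if ($i == h) { print $1; exit } }' "$1"
}

# is_fqdn NAME: succeed only for a fully-qualified name (at least one dot,
# labels of letters, digits and inner hyphens), as the guide requires.
is_fqdn() {
    printf '%s' "$1" | grep -Eq \
        '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
}

# is_ipv4 ADDR: succeed only for a dotted quad whose octets are all 0-255.
is_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# add_hosts_entry FILE IP FQDN
# Appends "IP<TAB>FQDN" unless FQDN is already mapped to that IP (then it is a
# no-op). Returns non-zero and changes nothing on a bad IP, a name that is not
# fully-qualified, or a name already mapped to a different IP.
add_hosts_entry() {
    file=$1; ip=$2; host=$3
    is_ipv4 "$ip" || { echo "bad IP address: $ip" >&2; return 2; }
    is_fqdn "$host" || { echo "not a fully-qualified name: $host" >&2; return 3; }
    existing=$(lookup_host "$file" "$host")
    if [ -n "$existing" ]; then
        [ "$existing" = "$ip" ] && return 0
        echo "$host is already mapped to $existing, not changing it" >&2
        return 4
    fi
    printf '%s\t%s\n' "$ip" "$host" >> "$file"
}

# Demonstration on a constructed temporary file, so the real /etc/hosts is
# never touched; prints the IP that was recorded for the sample name.
demo_hosts_file() {
    tmp=$(mktemp)
    printf '127.0.0.1\tlocalhost\n' > "$tmp"
    add_hosts_entry "$tmp" 10.4.2.115 ssim.example.com
    lookup_host "$tmp" ssim.example.com
    rm -f "$tmp"
}

demo_hosts_file
```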
Installing the SIP,Agent,and collector component
Collectors gather security information from your third-party security product
and send the information through the Agent to the Symantec Security Information
Manager.
After you have completed the preinstallation procedures, the general collector
installation sequence is as follows:
■ Install the Symantec Integration Package (SIP) on Information Manager. If
you are installing collectors to more than one computer that is being managed
by the same Information Manager, you only need to install the SIP once.
See “Installing the SIP” on page 19.
■ Install the Agent on the target computer.
See “Installing the Agent” on page 22.
■ Install the collector component on the target computer.
See “Installing the collector component” on page 24.
Installing the SIP
The Information Manager Web configuration interface provides a link that you
can use to download and install the Symantec Integration Wizard. The wizard
installs the Symantec Integration Package (SIP) for the collector. Each SIP contains
the configuration settings and event schemas that Information Manager requires
to recognize and log events from a product.
The Symantec Integration Wizard must run on a computer that has network
access to the Information Manager appliance and the computer on which you
copy the SIP. The computer on which you copy the SIP must be running on one
of the following computer platforms:
■ Windows 2000 Server Service Pack 4
■ Windows 2000 Advanced Server Service Pack 4
■ Windows 2003 Server Standard Edition Service Pack 1
■ Windows 2003 Server Enterprise Edition Service Pack 1
■ Microsoft Windows® XP with Service Pack 2
You must complete the following tasks in the order listed to install the SIP for the
collector with Information Manager:
■ Download and install the Symantec Integration Wizard.
See “To download and install the Symantec Integration Wizard” on page 20.
■ Install the Symantec Integration Package.
See “To install the Symantec Integration Package” on page 20.
To download and install the Symantec Integration Wizard
1 In a Web browser, type the IP address of the Symantec Security Information
Manager. The following is an example of an Information Manager IP address:
https://10.4.2.115
2 Click Configure Appliance, and enter the SSIM administrator login
information.
3 On the Security Information Manager welcome page, click Register SIPs.
4 On the Register SIPs page, click Download SIP Integration Wizard.
5 When prompted, specify the path of the Windows computer to which you
would like to download the SIP Integration Wizard installation file.
6 On the Windows computer, double-click SIPI.zip, and unpack it to the desired
folder.
To install the Symantec Integration Package
1 On a Windows computer, at the command prompt, change to the folder in
which you unpacked SIPI.zip.
2 To launch the Symantec Integration Wizard, type the following:
registersip_linux.bat
3 In the Welcome to the Symantec Integration Wizard panel, click Next.
4 In the Symantec Integration Requirements panel, click Next.
The Java Virtual Machine (JVM) is configured to support Secure Sockets Layer
(SSL).
For more information, refer to the Symantec Security Information Manager
online help.
5 In the Directory Domain Administrator Information panel, specify information
in the following text boxes:
Directory Domain Administrator Name: Type the name for the Domain Administrator
account. This account provides access to its associated Information Manager
administrative domain.
Directory Domain Administrator Password: Type the Directory Domain Administrator
password.
Log on to domain (in dotted notation): Type the administrative domain. An example
of dotted notation is: NorthAmerica.SES
Host Name or IP Address of SESA Directory: Do one of the following:
■ If Information Manager is using default, anonymous SSL communications, type
the IP address of the Information Manager computer.
■ If Information Manager is using authenticated SSL communication, type the host
name of the Information Manager computer. For example, mycomputer.com.
For more information on the SESA default, anonymous SSL, and upgrading to
authenticated SSL, refer to the Symantec Security Information Manager online help.
Secure Directory Port: Type the number of the Information Manager Directory SSL
port (by default, 636).
6 In the Symantec Integration Package to Install panel, type or browse to the
location in which the SIP is located.
The SIP is located on the collector CD in the ..\collectors\<third-party>\sip
folder, where <third-party> is an abbreviated name of your third-party
security product.
SIP files have the extension .sip.
7 In the Request Immediate Deployment/Removal of SIP panel, check one of
the following:
■ Deploy or remove the SIP at a scheduled time
Installs the SIP at the time that is specified in the Deploy time option in
Symantec Security Information Manager. The default setting for Deploy
time is every Saturday and Sunday at 2:00 P.M. GMT. You can change the
default time by modifying the Product Installation Service Deploy Time
configuration option.
For instructions on changing the default setting, see the Symantec Security
Information Manager Administration Help.
■ Queue the SIP for immediate deployment or removal
Queues the SIP for immediate installation to the Information Manager
and event database.
To restart the Web services after the deployment to the Information
Managers, check If necessary, restart the Web server. The Web server
needs to be restarted for the Information Managers to recognize the
Manager Extensions that are deployed with the SIP.
■ In the Select the Domains panel, check the administrative domains to
which you want to deploy the SIP. To deploy to all available domains,
check the top-level Available Domains check box.
8 In the Select the Managers panel, check the Information Managers to which
you want to deploy the SIP Manager Extensions. To deploy to all Information
Managers, check the top-level Available Managers check box.
9 Follow the on-screen instructions until you reach the Integration Successful
panel.
10 To complete the Symantec Integration Wizard, click Finish.
Troubleshooting the SIP installation
The SIP may take up to 15 minutes to deploy before you can see the product
represented in the Symantec Security Information Manager.
If you receive a warning during SIP deployment that reports the Master SIP Servlet
is not found, an Information Manager appliance was not installed in the domain
or subdomain you selected. An Information Manager appliance that is installed
to a top-level domain is never installed to any subdomains. Ensure that all top-level
domains and subdomains that you select for SIP deployment have an Information
Manager installed before you deploy a SIP.
A warning message that reports Unable to ping Master SIP Servlet means that
the network connection has failed. In this case, you should restore network
connectivity to the Information Manager appliance where the Master SIP Servlet
resides, and retry the deployment.
Installing the Agent
The Agent sends the data that is harvested by the collector component to the
Information Manager. The Agent is installed on the same target computer as the
collector component, and must have network access to the Information Manager.
Note: JRE 1.5 is automatically installed along with the Agent into a subdirectory
of the installation directory that is specified at installation. By default, the
directory is C:\Program Files\Symantec\SESA\Agent\jre on Windows, and
/opt/Symantec/SESA/Agent/jre on Linux/Solaris. The JRE is used by the collector
component and the Agent only. It does not interfere with any other JRE that is
installed on the computer. Because it is private to the product, operating-system
patching does not update it; track it separately when you review Java updates.
If you are installing more than one collector on the same computer, you only need
to install the Agent once.
Make sure you have performed the following tasks in the order in which they are
listed before installing the Agent:
■ Contact your Symantec support engineer for the collector and Agent
installation files, and then copy and extract the installation files to a temporary
installation directory on the computer on which you will install the Agent and
collector component.
■ Install the Symantec Integration Package (SIP).
See “To install the Symantec Integration Package” on page 20.
To install the Agent on Windows
1 On the computer on which you will install the collector, from the command
line, navigate to the temporary installation directory, and then navigate to
the AgtInst folder.
2 Type the following:
setup.exe -s <IP address> [-p <port_number>] [-i <inst_path>] [-debug]
where <IP address> corresponds to the IP address of Information Manager,
the optional -p parameter may be used to specify a port number other than
443, and the optional -i parameter may be used to specify an installation path
other than C:\Program Files\Symantec\SESA\Agent. The installation is
completely silent unless the optional -debug parameter is added.
3 After the installation completes, verify that the Agent is running.
See “To verify that the Agent and collector are running” on page 25.
To install the Agent on Linux/Solaris
1 On the computer on which you will install the collector, become superuser.
2 From the command line, navigate to the temporary installation directory
that contains the following file:
Unix.tar.gz
3 To decompress and extract the file, type the following:
tar zxvf Unix.tar.gz
4 Navigate to the AgtInst directory and type the following:
./install.sh -s <IP address> [-p <port_number>] [-i <inst_path>] [-debug]
where the -s parameter is the IP address of Information Manager, the optional
-p parameter may be used to specify a port number other than 443, and the
optional -i parameter may be used to specify an installation path other than
/opt/Symantec/SESA/Agent. The installation is completely silent unless the
optional -debug parameter is added.
Installing the collector component
The collector component reads the data from the third-party security product,
formats the data, and forwards it to the Agent. The computer on which you install
the collector component must have access to the third-party security product that
you want to monitor.
Make sure you performed the following tasks in the order in which they are listed
before installing the collector component:
■ Contact your Symantec support engineer for the collector and Agent
installation files, and then copy or extract the installation files to a temporary
installation directory on the computer on which you will install the Agent and
collector component.
■ Install the Symantec Integration Package (SIP).
See “Installing the SIP” on page 19.
■ Install the Agent.
See “Installing the Agent” on page 22.
To install the collector component
1 On the computer on which you will install the collector, from the command
line, navigate to the temporary installation directory, and then the install
directory.
2 From the command line, type the following:
■ On Windows,
install.bat
■ On Linux/Solaris,
sh ./install.sh
3 Follow the on-screen instructions. When prompted whether or not to run
Java LiveUpdate for the collector, type N. Symantec Event Collector for
Security-Enhanced Linux does not support LiveUpdate, so do not run it even
if you have a LiveUpdate server on your network.
4 After the installation completes, verify that the Agent and collector component
are running.
To verify that the Agent and collector are running
1 At the command prompt, do one of the following:
■ On Windows, navigate to the default Agent installation folder
C:\Program Files\Symantec\SESA\Agent, and type the following command:
.\jre\bin\java -jar agentcmd.jar -status
■ On Linux/Solaris, navigate to the default installation directory
/opt/Symantec/SESA/Agent, and type the following command:
./jre/bin/java -jar agentcmd.jar -status
2 In the output that appears, verify the following statements:
SESA Agent status: running
Outbound Thread state: CONNECTED
3 If the Agent is not running, restart the server on which the Agent is installed.
Configuring your third-party security product and
collector sensor
After you have installed the necessary collector components, the following
configuration tasks may need to be performed:
■ Configure your third-party security product.
See “Configuring your security product to work with the collector” on page 50.
■ Configure the collector sensor.
See “Configuring the collector sensor to receive security events” on page 26.
■ Create a new collector configuration, if necessary.
See “Creating collector configurations” on page 61.
■ Configure collectors for event filtering.
See “Configuring event filtering” on page 29.
■ Configure collectors for event aggregation.
See “Configuring event aggregation” on page 32.
About configuring your third-party security product to work with the
collector
After you have installed the necessary collector components, your third-party
security product may need configuring to make the event information available
to the collector.
See “Configuring your security product to work with the collector” on page 50.
Configuring the collector sensor to receive security events
The collector uses a sensor that must be configured to receive security events.
After the sensor is configured, or when a change has been made to a sensor setting,
the settings must be distributed to the collectors on the target computers.
Sensor configuration includes the following actions:
■ Configuring the collector sensor.
See “To configure the collector sensor to receive security events” on page 27.
■ Importing and exporting sensor settings, optional.
Collectors let you import and export sensor settings. Sensor settings will be
exported in an XML file format, and must be imported in the same XML file
format.
The XML file for sensor settings should be in the following format:
<?xml version="1.0" encoding="UTF-8"?>
<sensors>
<sensor enabled="true" name="Sensor" uid="26c9cb11:10923549e89:-7fff">
<property encrypted="false" name="protocol">UDP</property>
<property encrypted="false" name="hosts">*</property>
<property encrypted="false" name="port">514</property>
</sensor>
</sensors>
In this sample the sensor listens on UDP port 514 and the hosts property is
the wildcard *. UDP syslog does not authenticate its sender, so review both
values against the systems you expect to report before you distribute the
configuration.
See “To import and export sensor settings” on page 27.
■ Globally updating sensor settings, optional.
You can copy selected sensor settings to other sensors that are within the same
configuration. This is particularly useful if you have many sensors that need
updating.
See “To globally update sensor settings” on page 28.
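The following Python script is an added example; it is not part of this guide or of the collector. It parses a sensor-settings export in the format shown above and reports the settings a practitioner would review before distributing the configuration, then writes a copy whose hosts property names explicit senders. The element and property names come from the sample above. The judgement that hosts="*" and UDP deserve attention is the example's own, the comma-separated syntax for an explicit hosts list is an assumption (the guide shows only *), and the sample XML is constructed.

```python
"""Audit a collector sensor-settings XML export before it is distributed.

Added example; not part of the Symantec guide or the collector. It reads
the <sensors>/<sensor>/<property> layout shown in the guide, reports the
settings worth a second look, and writes a copy whose hosts property is
an explicit sender list. The comma-separated list syntax for hosts is an
assumption: the guide shows only the wildcard "*".
"""
import xml.etree.ElementTree as ET

# Constructed sample in the guide's format (same values as the guide shows).
SAMPLE_SENSOR_XML = """<?xml version="1.0" encoding="UTF-8"?>
<sensors>
<sensor enabled="true" name="Sensor" uid="26c9cb11:10923549e89:-7fff">
<property encrypted="false" name="protocol">UDP</property>
<property encrypted="false" name="hosts">*</property>
<property encrypted="false" name="port">514</property>
</sensor>
</sensors>
"""

XML_HEADER = '<?xml version="1.0" encoding="UTF-8"?>\n'


def sensor_properties(sensor):
    """Map the <property> children of one <sensor> to name -> text value."""
    return {p.get("name"): (p.text or "").strip() for p in sensor.findall("property")}


def hosts_values(xml_text):
    """Return the hosts property of every sensor, in document order."""
    return [sensor_properties(s).get("hosts", "")
            for s in ET.fromstring(xml_text).findall("sensor")]


def audit_sensors(xml_text):
    """Return (sensor name, finding) pairs for every enabled sensor.

    Findings are this example's review checklist: a wildcard sender list, a
    UDP listener (no sender authentication, easy to spoof), and a port value
    that is not a valid TCP/UDP port number.
    """
    findings = []
    for sensor in ET.fromstring(xml_text).findall("sensor"):
        if sensor.get("enabled") != "true":
            continue  # a disabled sensor receives nothing, so skip it
        name = sensor.get("name", "?")
        props = sensor_properties(sensor)
        if props.get("hosts", "*") == "*":
            findings.append((name, "hosts is * (accepts events from any source address)"))
        if props.get("protocol", "").upper() == "UDP":
            findings.append((name, "protocol is UDP (sender is not authenticated)"))
        port = props.get("port", "")
        if not (port.isdigit() and 1 <= int(port) <= 65535):
            findings.append((name, f"port {port!r} is not a valid port number"))
    return findings


def restrict_hosts(xml_text, allowed_hosts):
    """Return the XML with every sensor's hosts property set to an explicit list.

    Assumption: the collector accepts a comma-separated list here. Confirm
    against the sensor reference before importing the result.
    """
    root = ET.fromstring(xml_text)
    for prop in root.iter("property"):
        if prop.get("name") == "hosts":
            prop.text = ",".join(allowed_hosts)
    return XML_HEADER + ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for sensor, finding in audit_sensors(SAMPLE_SENSOR_XML):
        print(f"{sensor}: {finding}")
    print(restrict_hosts(SAMPLE_SENSOR_XML, ["10.0.0.11", "10.0.0.12"]))
```

Run the script against an exported file before importing it back; a sensor that still reports a UDP finding after the hosts list is tightened should be compensated for at the network boundary, since the listener itself cannot verify who sent a datagram.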
To configure the collector sensor to receive security events
1 In the Information Manager console, on the View menu, click Other Services
> Configuration Viewer.
2 In the Configuration Viewer window, in the left pane, expand the top-level
domain, and then expand the collector name twice.
3 Click Default.
A default configuration (named Default) is provided upon installation.
4 In the right pane, on the sensor tab, select a sensor.
5 In the sensor property table under the Value column, change any of the
information.
See “Sensor information” on page 50.
6 Click Save.
7 In the left pane, right-click the appropriate configuration, and then click
Distribute.
8 When you are prompted to distribute the configuration, click Yes.
9 In the Configuration Viewer window, click Close.
To import and export sensor settings
1 In Symantec Security Information Manager, on the View menu, click Other
Services > Configuration Viewer.
2 In the Configuration Viewer window, in the left pane, expand the top-level
domain, and then expand the collector name twice.
3 Click the appropriate configuration.
A configuration called Default is provided upon installation.
See “Adding, deleting, and disabling sensors” on page 62.
4 In the right pane, on the sensor tab:
■ If you are importing, click Imports configuration from XML file.
■ If you are exporting, click Exports configuration to XML file.
5 If you are importing:
■ In the Import Definitions From File window that appears, specify the XML
file you wish to import into the collector.
If you are exporting:
■ In the Export Definitions to File window that appears, specify a filename
to export the configurations to.
To globally update sensor settings
1 In Symantec Security Information Manager, on the View menu, click Other
Services > Configuration Viewer.
2 In the Configuration Viewer window, in the left pane, expand the top-level
domain, and then expand the collector name twice.
3 Click the appropriate configuration.
A configuration called Default is provided upon installation.
4 In the right pane, on the sensor tab, select a sensor so that it appears
highlighted.
5 In the right pane, on the lower right, click Global Update.
6 In the Select Properties for Global Update window, place a checkmark next
to each property whose value you want to propagate to all other sensors
within the same configuration.
7 Click OK to complete the global update process.
8 Proceed to make changes that may be unique to each sensor.
See “To configure the collector sensor to receive security events” on page 27.
9 In the left pane, right-click the configuration, and then click Distribute.
10 When you are prompted to distribute the configuration, click Yes.
11 In the Configuration Viewer window, click Close.
Viewing general information
You can view basic information for any collector that is enabled on Symantec
Security Information Manager, such as configuration names and last modified
dates.
To view general information
1 In Symantec Security Information Manager, on the View menu, click Other
Services > Configuration Viewer.
2 In the Configuration Viewer window, in the left pane, expand the top-level
domain, and then expand the collector name twice.
3 Select the appropriate configuration.
A configuration called Default is provided upon installation.
See “Adding, deleting, and disabling sensors” on page 62.
4 In the right pane, on the General tab, view the following information:
■ Configuration name
■ Description
■ Last modified on
5 In the Configuration Viewer window, click Close.
Configuring event filtering
Collectors include a feature that lets you exclude events from being forwarded to
Symantec Security Information Manager. Event filtering provides you with the
flexibility to reduce the event traffic, and the number of events that are stored in
the event database, by filtering out data that may be less important to your
organization's security. A filtered event is discarded at the collector and never
reaches the event database, so it is not available for later investigation; keep
filtering rules narrow and review them when your monitoring requirements change.
Collectors also let you import and export filtering configurations. Filtering
configurations will be exported in an XML file format, and must be imported in
the same XML file format.
The XML file for filtering should be in the following format:
<?xml version="1.0" encoding="UTF-8"?>
<filter>
<filter-spec enabled="false" index="0" name="Specification 0">
<filter-field comparator="EQ" name="queue_product_id">1</filter-field>
</filter-spec>
<filter-spec enabled="true" index="1" name="Specification 1">
<filter-field comparator="EQ" name="server">33</filter-field>
</filter-spec>
</filter>
For guidelines on setting up event filtering rules, see the Symantec Security
Information Manager Deployment Planning Guide.
Event filtering configuration consists of the following actions:
■ Adding and enabling event filtering rules
See “To add and enable event filtering rules” on page 30.
■ Changing existing event filtering rules
See “To change existing event filtering rules” on page 31.
■ Importing and exporting event filtering rules
See “To import and export event filtering rules” on page 32.
Event filtering rules are not configured by default. You must add rules before you
can enable or configure them.
To add and enable event filtering rules
1 In Symantec Security Information Manager, on the View menu, click Other
Services > Configuration Viewer.
2 In the Configuration Viewer window, in the left pane, expand the top-level
domain, and then expand the collector name twice.
3 Click the appropriate configuration.
A configuration called Default is provided upon installation.
See “Adding, deleting, and disabling sensors” on page 62.
4 In the right pane, on the Filter tab, click Add.
5 Double-click Specification n (where n is 0, 1, 2, and so on), type a name for
the rule, and then click OK.
6 Under the rule properties table, click Add, and then do the following:
■ In the Name column, type a name for the event filter property (for example,
IP Destination Port) or double-click in the Name text box to bring up an
Information Manager fields window. You can choose from the list of items
presented in the expanded directories of the Information Manager fields
window.
■ In the Operator column, select an operator from the drop-down list (for
example, equal to).
■ In the Value column, type a value or select a preset value for the event
filter property (for example, 80 for the port number).
You can filter events by pattern by using a regular expression function.
For example, to filter all events that contain "SUCCESS", enter the
following in the Value column:
regex(.*SUCCESS.*)
where all characters within the parentheses are part of the regular
expression, and "." and "*" are both metacharacters. "." matches any
character. "*" matches zero or more occurrences of the preceding element.
Therefore, the pattern matches zero or more occurrences of any character,
followed by the literal string SUCCESS, followed by zero or more occurrences
of any character. To rephrase, it matches the literal string SUCCESS anywhere
within the field.
7 Repeat step 6 to add more event filtering information for the rule.
All properties within a given specification are combined with a boolean AND
to determine whether or not an event is a candidate for filtering. If there are
multiple specifications, the specifications are combined with a boolean OR:
an event is filtered when it satisfies every property of any one enabled
specification.
8 When you are finished adding information for the rule, in the filter list, check
the filter name.
9 Click Save.
10 In the left pane, right-click the appropriate configuration, and then click
Distribute.
11 When you are prompted to distribute the configuration, click Yes.
12 In the Configuration Viewer window, click Close.
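The following Python script is an added example, not code from this guide or from the collector. It parses the filtering XML format shown under "Configuring event filtering" and evaluates constructed events against it using the semantics the procedure above states: the properties of one specification are ANDed, enabled specifications are ORed, a disabled specification has no effect, and a value written regex(...) is matched as a regular expression over the whole field (which is why the guide's example wraps SUCCESS in .* on both sides). The field names queue_product_id and server come from the guide's sample; the NEQ comparator, the message field name and the sample events are this example's assumptions.

```python
"""Apply collector event-filtering rules with the semantics the guide states.

Added example; not part of the Symantec guide or the collector. It parses
the <filter> XML format shown under "Configuring event filtering" and
evaluates events against it: the filter-fields of one filter-spec are ANDed,
the enabled filter-specs are ORed, a disabled spec has no effect, and a value
written regex(...) is matched as a regular expression over the whole field.
Assumptions: the NEQ comparator (the guide's sample shows only EQ), the
"message" field name, and the sample events, which are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Constructed filter configuration. Specification 0 is disabled and must not
# drop anything; Specification 1 drops events from server 33 whose message
# contains SUCCESS.
SAMPLE_FILTER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<filter>
<filter-spec enabled="false" index="0" name="Specification 0">
<filter-field comparator="EQ" name="queue_product_id">1</filter-field>
</filter-spec>
<filter-spec enabled="true" index="1" name="Specification 1">
<filter-field comparator="EQ" name="server">33</filter-field>
<filter-field comparator="EQ" name="message">regex(.*SUCCESS.*)</filter-field>
</filter-spec>
</filter>
"""

# Constructed events, keyed by the field names the rules refer to.
SAMPLE_EVENTS = [
    {"id": 1, "server": "33", "queue_product_id": "1", "message": "login SUCCESS for alice"},
    {"id": 2, "server": "33", "queue_product_id": "1", "message": "avc: denied { read }"},
    {"id": 3, "server": "7", "queue_product_id": "1", "message": "login SUCCESS for bob"},
]

_REGEX_VALUE = re.compile(r"\Aregex\((.*)\)\Z", re.DOTALL)


def field_matches(comparator, actual, expected):
    """Compare one field value (None when the event lacks the field) to a rule value."""
    actual = "" if actual is None else str(actual)
    m = _REGEX_VALUE.match(expected)
    if m:
        # regex(...): everything inside the parentheses is the pattern, and it
        # has to account for the whole field, hence the .* on both sides in
        # the guide's example.
        hit = re.fullmatch(m.group(1), actual) is not None
    else:
        hit = actual == expected
    if comparator == "EQ":
        return hit
    if comparator == "NEQ":
        return not hit
    raise ValueError(f"unsupported comparator {comparator!r}")


def load_filter_specs(xml_text):
    """Return the enabled specs in index order as (name, [(comparator, field, value)])."""
    specs = []
    root = ET.fromstring(xml_text)
    for spec in sorted(root.findall("filter-spec"), key=lambda s: int(s.get("index", "0"))):
        if spec.get("enabled") != "true":
            continue
        fields = [(f.get("comparator"), f.get("name"), (f.text or "").strip())
                  for f in spec.findall("filter-field")]
        if fields:  # a spec with no fields would otherwise match (and drop) everything
            specs.append((spec.get("name"), fields))
    return specs


def is_filtered(event, specs):
    """True when every field of at least one enabled spec matches the event."""
    return any(all(field_matches(c, event.get(n), v) for c, n, v in fields)
               for _, fields in specs)


def forwarded_ids(events, xml_text):
    """Ids of the events that survive filtering and are forwarded to the Agent."""
    specs = load_filter_specs(xml_text)
    return [e["id"] for e in events if not is_filtered(e, specs)]


if __name__ == "__main__":
    print(forwarded_ids(SAMPLE_EVENTS, SAMPLE_FILTER_XML))  # [2, 3]
```

Running it shows that the event from server 33 with SUCCESS in its message is the only one dropped: the disabled specification does not remove the events with queue_product_id 1, and the SUCCESS event from server 7 survives because only one of the two ANDed properties matches. Replaying an exported filter file against a sample of real events this way is a cheap check before distributing it.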
To change existing event filtering rules
1 In Symantec Security Information Manager, on the View menu, click Other
Services > Configuration Viewer.
2 In the Configuration Viewer window, in the left pane, expand the top-level
domain, and then expand the collector name twice.
3 Click the appropriate configuration.
A configuration called Default is provided upon installation.
4 In the right pane, on the Filter tab, do any of the following:
■ To add a specification, click Add.
■ To delete a specification, select the specification, and then click Remove.
■ To delete all specifications, click Remove All.
5 To determine the order in which Information Manager follows event filtering,
next to the list of specifications, click the arrow keys.
6 To change the name of the specification, double-click the specification in the
specification list, and then in the Name text box, type a new name.
7 To disable a specification, but not delete it, in the filter list, uncheck the filter
name.
8 In the rule properties table, change the information in any of the following
columns:
■ Name
■ Operator
■ Value
9 Under the rule properties table, do any of the following:
■ To add a rule property, click Add.
■ To delete a rule property, select the rule property, and then click Remove.
■ To delete all rule properties, click Remove All.
10 Click Save.
11 In the left pane, right-click the appropriate Default folder, and then click
Distribute.
12 When you are prompted to distribute the configuration, click Yes.
13 In the Configuration Viewer window, click Close.
To import and export event filtering rules
1 In Symantec Security Information Manager, on the View menu, click Other
Services > Configuration Viewer.
2 In the Configuration Viewer window, in the left pane, expand the top-level
domain, and then expand the collector name twice.
3 Click the appropriate configuration.
A configuration called Default is provided upon installation.
See “Adding, deleting, and disabling sensors” on page 62.
4 In the right pane, on the Filter tab:
■ If you are importing, click Imports configurations from XML file.
■ If you are exporting, click Export configurations to XML file.
5 If you are importing:
■ In the Import Configurations From File window that appears, specify the
XML file you wish to import into the collector.
If you are exporting:
■ In the Export Configurations to File window that appears, specify a
filename to export the configurations to.
Configuring event aggregation
Collectors include a feature that lets you group similar events to reduce event
traffic and the number of events that are stored in the event datastore. The first
event of a given type is sent to Symantec Security Information Manager
immediately. All subsequent events of the same type are sent as one aggregated
event. Aggregated events contain start and end times, but all other event fields
are taken from the first event in the aggregated set. Field values that differ
between the later events in the set are therefore not preserved, so choose the
fields that define "the same type" narrowly enough that only events you would
treat identically are grouped.
Collectors also let you import and export aggregation configurations. Aggregation
configurations will be exported in an XML file format, and must be imported in
the same XML file format.
The XML file for aggregation should be in the following format:
<?xml version="1.0" encoding="UTF-8"?>
<aggregator maxbuffer="0">
<aggregator-spec enabled="true" index="0" name="Specification 0"
time="124">
<aggregator-fields>
<aggregator-field name="display_id" operator="EQ">15</aggregator-field>
</aggregator-fields>
<similarity-fields>
<similarity-field name="data_scan_guid"/>
</similarity-fields>
</aggregator-spec>
<aggregator-spec enabled="false" index="1" name="Specification 1"
time="234">
<aggregator-fields>
<aggregator-field name="connection_type_name" operator="NEQ">1
</aggregator-field>
</aggregator-fields>
<similarity-fields/>
</aggregator-spec>
</aggregator>
For guidelines on setting up event aggregation, see the Symantec Security
Information Manager Deployment Planning Guide.
Event aggregation configuration consists of the following actions:
■ Adding and enabling event aggregation rules
See “To add and enable event aggregation rules” on page 33.
■ Changing existing event aggregation rule configurations
See “To change existing event aggregation rule configurations” on page 34.
■ Importing and exporting event aggregation rules
See “To import and export event aggregation rules” on page 36.
Event aggregation rules are not configured by default. You must add rules before
you can enable or configure them.
To add and enable event aggregation rules
1 In Symantec Security Information Manager, on the View menu, click Other
Services > Configuration Viewer.
2 In the Configuration Viewer window, in the left pane, expand the top-level
domain, and then expand the collector name twice.
3 Click the appropriate configuration.
A configuration called Default is provided upon installation.
4 In the right pane, on the Aggregator tab, click Add.
5 Double-click Specification n (where n is 0, 1, 2, and so on), type a name for
the rule, and then click OK.
6 Under the rule properties table, click Add, and then do the following:
■ In the Name column, type a name for the event aggregation property (for
example, Event Date) or double-click in the Name text box to open an
Information Manager fields window. You can choose from the list of items
that are presented in the expanded directories of the Information Manager
fields window.
■ In the Operator column, select an operator from the drop-down list (for
example, greater than).
■ In the Value column, type a value or select a preset value for the event
aggregation property (for example, 2004-03-30 19:18:31).
7 Repeat step 6 to add more event aggregation information for the rule.
All properties within a given specification are combined with a boolean AND
to determine whether or not an event is a candidate for aggregation. If there
are multiple specifications, the specifications are combined with a boolean OR.
8 In the Aggregation time (ms) text box, type the length of the window, in
milliseconds, within which events that match the rule are grouped into one
aggregated event.
The default value is 0. This property applies to all aggregation rules.
9 When you are finished adding information for the rule, in the aggregator list,
check the aggregator name.
10 Click Save.
11 In the left pane, right-click the appropriate configuration, and then click
Distribute.
12 When you are prompted to distribute the configuration, click Yes.
13 In the Configuration Viewer window, click Close.
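The following Python script is an added example, not code from this guide or from the collector. It parses the aggregation XML format shown under "Configuring event aggregation" and replays a constructed event stream through it, following the behaviour described there: aggregator-fields select the candidate events (ANDed within a specification, enabled specifications tried in index order), similarity-fields define which candidates count as the same type, the first event of a type is forwarded at once, and later events of that type inside the time window leave as one aggregated event that carries start and end times and otherwise the fields of the first event in the set. The points the guide leaves open are handled as assumptions and marked as such: the window is measured from the event that was forwarded immediately, the aggregated event also carries a count, an empty <similarity-fields/> treats every candidate of that specification as one type, and the event field names and timestamps are constructed.

```python
"""Replay events through collector aggregation rules as the guide describes them.

Added example; not part of the Symantec guide or the collector. It parses the
<aggregator> XML format shown under "Configuring event aggregation" and applies
the stated behaviour: aggregator-fields select candidate events (ANDed within
a spec, enabled specs tried in index order), similarity-fields define which
candidates are "the same type", the first event of a type is forwarded at once,
and later events of that type within the spec's time window (ms) leave as one
aggregated event with start and end times and otherwise the fields of the first
event in the set. Assumptions: the window is measured from the event that was
forwarded immediately, the aggregated event also carries a count, an empty
<similarity-fields/> treats all candidates of the spec as one type, and the
event field names and timestamps are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed configuration in the guide's format: group repeated "denied"
# events per host and user when they fall within 5 seconds of each other.
SAMPLE_AGGREGATOR_XML = """<?xml version="1.0" encoding="UTF-8"?>
<aggregator maxbuffer="0">
<aggregator-spec enabled="true" index="0" name="Specification 0" time="5000">
<aggregator-fields>
<aggregator-field name="event_type" operator="EQ">denied</aggregator-field>
</aggregator-fields>
<similarity-fields>
<similarity-field name="host"/>
<similarity-field name="user"/>
</similarity-fields>
</aggregator-spec>
</aggregator>
"""

# Constructed event stream; ts is milliseconds.
SAMPLE_EVENTS = [
    {"id": 1, "ts": 1000, "event_type": "denied", "host": "web1", "user": "alice"},
    {"id": 2, "ts": 1500, "event_type": "denied", "host": "web1", "user": "alice"},
    {"id": 3, "ts": 2000, "event_type": "denied", "host": "web2", "user": "alice"},
    {"id": 4, "ts": 3000, "event_type": "denied", "host": "web1", "user": "alice"},
    {"id": 5, "ts": 3500, "event_type": "allowed", "host": "web1", "user": "alice"},
    {"id": 6, "ts": 9000, "event_type": "denied", "host": "web1", "user": "alice"},
]


def load_specs(xml_text):
    """Enabled aggregator-specs in index order, each with match and similarity fields."""
    specs = []
    root = ET.fromstring(xml_text)
    for s in sorted(root.findall("aggregator-spec"), key=lambda e: int(e.get("index", "0"))):
        if s.get("enabled") != "true":
            continue
        specs.append({
            "name": s.get("name"),
            "time_ms": int(s.get("time", "0")),
            "match": [(f.get("name"), f.get("operator"), (f.text or "").strip())
                      for f in s.findall("aggregator-fields/aggregator-field")],
            "similar": [f.get("name") for f in s.findall("similarity-fields/similarity-field")],
        })
    return specs


def field_matches(event, name, operator, expected):
    """Compare one event field (as a string) against an aggregator-field rule."""
    actual = str(event.get(name, ""))
    if operator == "EQ":
        return actual == expected
    if operator == "NEQ":
        return actual != expected
    raise ValueError(f"unsupported operator {operator!r}")


def _flush(open_set, out):
    """Emit one aggregated event for the held-back members of a set, if any."""
    members = open_set["members"]
    if members:
        agg = dict(members[0])  # all other fields come from the first event in the set
        agg.update(start_time=members[0]["ts"], end_time=members[-1]["ts"], count=len(members))
        out.append(agg)


def aggregate(events, specs):
    """Return the list of events the collector forwards, in emission order."""
    out, open_sets = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        spec = next((s for s in specs
                     if all(field_matches(ev, n, o, v) for n, o, v in s["match"])), None)
        if spec is None:
            out.append(dict(ev))  # not a candidate: forwarded unchanged
            continue
        key = (spec["name"],) + tuple(str(ev.get(f, "")) for f in spec["similar"])
        cur = open_sets.get(key)
        if cur and spec["time_ms"] > 0 and ev["ts"] - cur["first_ts"] <= spec["time_ms"]:
            cur["members"].append(ev)  # same type, inside the window: held back
            continue
        if cur:
            _flush(cur, out)  # window has expired: release the aggregated event
        out.append(dict(ev))  # first of its type: forwarded immediately
        open_sets[key] = {"first_ts": ev["ts"], "members": []}
    for cur in open_sets.values():
        _flush(cur, out)
    return out


if __name__ == "__main__":
    for item in aggregate(SAMPLE_EVENTS, load_specs(SAMPLE_AGGREGATOR_XML)):
        print(item)
```

With the sample stream, events 1, 3 and 6 are forwarded at once (event 6 arrives after the window opened by event 1 has closed), event 5 bypasses the rule because it is not a "denied" event, and events 2 and 4 leave as a single aggregated event whose start and end times are theirs but whose other fields are copied from event 2. A window of 0, the default the guide mentions, groups nothing in this model, which is the behaviour to expect until you set a value.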
To change existing event aggregation rule configurations
1 In Symantec Security Information Manager, on the View menu, click Other
Services > Configuration Viewer.
2 In the Configuration Viewer window, in the left pane, expand the top-level
domain, and then expand the collector name twice.
3 Click the appropriate configuration.
A configuration called Default is provided upon installation.
4 In the right pane, on the Aggregator tab, under the list of rules, do any of the
following:
■ To add a specification, click Add.
■ To delete a specification, select the rule, and then click Remove.
■ To delete all specifications, click Remove All.
5 To determine the order in which Information Manager follows the event
aggregation specifications, next to the list of specifications, click the arrow
keys.
6 To change the name of the specification, double-click the specification in the
specification list, and then, in the Name box, type a new name.
7 To change the length of the window within which matching events are grouped
into one aggregated event, in the Aggregation time (ms) box, type the new time
in milliseconds.
The default value is 0. This property applies to all aggregation rules.
8 To disable a specification, but not delete it, in the aggregator list, uncheck
the aggregator name.
9 In the rule properties table, change information in any of the following
columns:
■ Name
■ Operator
■ Value
10 Under the rule properties table, do any of the following:
■ To add a rule property, click Add.
■ To delete a rule property, select the rule property, and then click Remove.
■ To delete all rule properties, click Remove All.
11 Click Save.
12 In the left pane, right-click the appropriate Default folder, and then click
Distribute.
13 When you are prompted to distribute the configuration, click Yes.
14 In the Configuration Viewer window, click Close.
To import and export event aggregation rules
1 In Symantec Security Information Manager, on the View menu, click Other
Services > Configuration Viewer.
2 In the Configuration Viewer window, in the left pane, expand the top-level
domain, and then expand the collector name twice.
3 Click the appropriate configuration.
A configuration called Default is provided upon installation.
See “Adding, deleting, and disabling sensors” on page 62.
4 In the right pane, on the Aggregator tab:
■ If you are importing, click Imports configuration from XML file.
■ If you are exporting, click Exports configuration to XML file.
5 If you are importing:
■ In the Import Configurations From File window that appears, specify the
XML file you wish to import into the collector.
If you are exporting:
■ In the Export Configurations to File window that appears, specify a
filename to export the configurations to.
After you install the collector
After you have successfully installed the collector, you should perform the
following tasks:
■ Launch Symantec Security Information Manager
See “Launching Symantec Security Information Manager” on page 36.
■ Test the collector installation
See “Testing the collector installation” on page 37.
■ View reports
See “About viewing reports” on page 43.
■ Create custom reports
See “About creating custom reports” on page 43.
Launching Symantec Security Information Manager
You can launch Symantec Security Information Manager from the Windows
desktop or from a remote Windows computer with a supported Web browser.
To launch Symantec Security Information Manager
◆ From a Windows computer, click Start > Programs > Symantec Security
Information Manager 4.0 > SSIM Client 4.0.
Testing the collector installation
After the collector is installed, you can verify that the appropriate components
are installed and working properly by doing the following:
■ Verifying the collector installation
See “Verifying the collector installation” on page 37.
■ Verifying the Information Manager IP address and Agent port
See “Verifying the Information Manager IP address and Agent port” on page 39.
■ Verifying Agent operation
See “Verifying Agent operation” on page 40.
■ Starting and stopping Agent services or daemons
See “Starting and stopping Agent services or daemons” on page 42.
■ Verifying event collection in Symantec Security Information Manager
See “Verifying event collection in Symantec Security Information Manager”
on page 42.
Verifying the collector installation
To verify the collector installation, you must do the following:
■ On the collector computer, verify that the appropriate services or daemons
have started.
If your installation was on a Windows computer, you will be verifying that
services have started. If your installation was on a Linux/Solaris computer,
you will be verifying that daemons have started.
See “To verify that the appropriate services have started on Windows”
on page 38.
See “To verify that the appropriate daemons have started on Linux/Solaris”
on page 38.
■ Verify that the collector appears in Information Manager.
See “To verify that the collector appears in Information Manager” on page 38.
■ Verify that the collector was successfully installed.
See “To verify that the collector was successfully installed” on page 38.
To verify that the appropriate services have started on Windows
1 On the collector computer, on the Windows taskbar, click Start > Settings >
Control Panel.
2 In the Control Panel window, double-click Administrative Tools.
3 In the Administrative Tools window, double-click Services.
4 In the Services dialog box, verify that the AgentStart Service is listed and has
started.
To verify that the appropriate daemons have started on Linux/Solaris
1 To verify that the collector daemon process is running, at the command
prompt, type the following:
ps -el | grep agentd
2 Verify that the sesagentd process exists.
To verify that the collector appears in Information Manager
1 Launch Symantec Security Information Manager.
See “Launching Symantec Security Information Manager” on page 36.
2 Log on using a Symantec Security Information Manager user account with
sufficient rights to view events.
3 From the View menu, click Other Services, and then click Event Viewer.
4 Expand an event type folder; for example, Firewall Events or Host Intrusion
Detection Events.
5 Right-click on a report and select Filter.
6 In the Filter panel, click Add.
7 Under the Event column, double-click and select Product.
8 Under the Operator column, select equal to from the drop-down menu.
9 Under the Value column, double-click and verify that the collector name is
listed.
To verify that the collector was successfully installed
1 On the Symantec Security Information Manager computer, from the View
menu, click Other Services, then click Event Viewer.
2 Expand <Domain Name> > DataStore: <IP address> > Global Reports >
Application events: All, where <Domain Name> is the name of the domain
and <IP address> is the IP address of Symantec Security Information Manager.
3 In the right pane, in the Product column, locate the collector.
4 In the Event Type column,verify that the latest state is an Application Start
event.
5 If an Application Stop is the latest state,do the following:
■ On Windows,on the collector computer,navigate to the collector log
folder.
The default folder is C:\ProgramFiles\Symantec\SESA\Agent\logs\
<third_party>.log where <third_party> is the name of your third-party
security product.
■ On Linux/Solaris,on the collector computer,become superuser,and then
navigate to the collector log directory.
The default directory and log file is/opt/Symantec/SESA/Agent/logs/
<third_party>.log where <third_party> is the name of your third-party
security product.
6 Viewthe log files by doing the following:
■ OnWindows,usinga text editor suchas Notepad,openthe logfile toverify
why the collector did not start.
■ On Linux/Solaris,using a text editor such as vi,open the log file to verify
why the collector did not start.
Verifying the Information Manager IP address and Agent port
You must verify the IP address for Symantec Security Information Manager and the port number for the Agent.
You can also verify Agent connectivity from Symantec Security Information Manager.
To verify the Information Manager IP address and Agent port
1 On the collector computer, do one of the following:
■ On Windows, log on as Administrator.
■ On Linux/Solaris, become superuser.
2 Change directories to the Agent installation folder:
■ On Windows, the default location is C:\Program Files\Symantec\SESA\Agent.
■ On Linux/Solaris, the default location is /opt/Symantec/SESA/Agent.
3 In a text editor, open the configprovider.cfg file.
4 Verify that the following options contain the correct settings for the collector product to which you want to send events:
■ MgmtServer contains the correct Symantec Security Information Manager IP address.
■ MgmtPort contains the correct Agent port number (default value is 443).
To verify Agent connectivity from Symantec Security Information Manager
1 Launch Symantec Security Information Manager.
See “Launching Symantec Security Information Manager” on page 36.
2 Log on using an Information Manager user account with sufficient rights to view events.
The Information Manager user must belong to a role that has rights to the Information Manager-integrated collector.
3 From the View menu, click Other Services, and then click System Viewer. Expand Organizational Units > Default.
4 Verify that the name of the collector computer is listed.
5 Right-click the computer name, and then click Properties.
6 In the Computer Properties dialog box, on the Services tab, verify that the Agent Service displays Yes in the Started column.
Verifying Agent operation
You can verify that the Agent is operating correctly by requesting its status at the command line.
The sample output, including the running status and the Information Manager URL, is similar to the following:
SESA Agent (v 2.5.0.14) - Copyright © - Symantec Corporation
SESA Agent status: running
Listening on: 127.0.0.1:8086
SSL: On
SESA Manager URL: https://127.0.0.1:443/sesa/servlet/
Outbound Thread State: CONNECTED
Java Version 1.5.0_04
Queue Status
Total events accepted: 83
Total events forwarded: 83
Entries waiting in queue: 0
Direct events accepted: 0
Queue File: .\agent.que
Flush Size (KB): 2000
Flush Count: 1000
Flush Time (sec): 20
Spool Size (KB): 20000
Max Queue Size (KB): 80000
Forwarding Provider: Symc_SESAEventForwardingProvider
Total number of post failures: 0
Event Acceptor HTTP ThreadPool:
Thread 0 state = IDLE
Thread 1 state = IDLE
Thread 2 state = IDLE
Thread 3 state = IDLE
Last state update time: Tue Sep 06 18:24:17 PDT 2005
Last configuration download request time: Tue Sep 06 18:24:15 PDT 2005
Last configuration update invocation time: Tue Sep 06 18:24:15 PDT 2005
Last configuration update completion time: Tue Sep 06 18:24:17 PDT 2005
To verify Agent operation on Windows
1 On the computer on which you installed the collector, at the command prompt, navigate to the following directory (if the Agent was installed to the default directory):
C:\Program Files\Symantec\SESA\Agent
2 To get statistics on the Agent, type the following:
\jre\bin\java -jar agentcmd.jar -status
To verify Agent operation on Linux/Solaris
1 On the computer on which you installed the collector, become superuser.
2 At the command prompt, type the following:
ps -ef | grep agentd
3 In the list of processes that are shown, verify that the sesagentd process is running.
4 Change directories to the following installation directory of the Agent (if the Agent was installed to the default folder):
/opt/Symantec/SESA/Agent
5 To get statistics on the Agent, type the following:
./jre/bin/java -jar agentcmd.jar -status
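The status report is meant to be read by eye, but the same fields can drive an automated health check. The following Python script is an added example and not part of the Symantec product: it parses a report in the layout shown under “Verifying Agent operation” and flags the conditions a defender would want to know about (Agent not running, outbound thread not CONNECTED, SSL off, post failures, or a queue that is backing up). Both reports embedded in the script are constructed samples modelled on the guide's output; the field labels are assumed to match that output exactly, and the queue threshold is an arbitrary choice.

```python
"""Health check over the text that `agentcmd.jar -status` prints.

Added example, not part of the Symantec product. It parses a report in the
layout the guide shows and flags what a defender cares about: Agent not
running, outbound thread not CONNECTED, SSL off, post failures, or a queue
that is backing up. Both reports below are constructed samples.
"""
import re

SAMPLE_STATUS = """\
SESA Agent (v 2.5.0.14) - Copyright - Symantec Corporation
SESA Agent status: running
Listening on: 127.0.0.1:8086
SSL: On
SESA Manager URL: https://127.0.0.1:443/sesa/servlet/
Outbound Thread State: CONNECTED
Total events accepted: 83
Total events forwarded: 83
Entries waiting in queue: 0
Total number of post failures: 0
Event Acceptor HTTP ThreadPool:
Thread 0 state = IDLE
Thread 1 state = IDLE
Last state update time: Tue Sep 06 18:24:17 PDT 2005
"""

# Constructed degraded report: link down, SSL off, failures, queue growing.
DEGRADED_STATUS = (SAMPLE_STATUS
    .replace("SSL: On", "SSL: Off")
    .replace("https://", "http://")
    .replace("State: CONNECTED", "State: DISCONNECTED")
    .replace("accepted: 83", "accepted: 1283")
    .replace("in queue: 0", "in queue: 1200")
    .replace("post failures: 0", "post failures: 3"))

THREAD_LINE = re.compile(r"^Thread (\d+) state = (\w+)$")


def parse_status(text):
    """Return (fields, threads): 'Key: value' lines as a dict, thread states by index."""
    fields, threads = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = THREAD_LINE.match(line)
        if m:
            threads[int(m.group(1))] = m.group(2)
            continue
        key, sep, value = line.partition(":")  # first colon only: keeps URLs and host:port whole
        if sep:
            fields[key.strip()] = value.strip()
    return fields, threads


def _count(fields, key):
    """Integer value of a counter field; 0 when absent or not numeric."""
    try:
        return int(fields.get(key, "0"))
    except ValueError:
        return 0


def check_agent_status(text, max_waiting=100):
    """Evaluate one status report; return (healthy, list of findings)."""
    fields, _threads = parse_status(text)
    findings = []
    if fields.get("SESA Agent status") != "running":
        findings.append("Agent is not running")
    if fields.get("Outbound Thread State") != "CONNECTED":
        findings.append("outbound thread is not CONNECTED to Information Manager")
    if fields.get("SSL") != "On":
        findings.append("SSL is not On")
    if not fields.get("SESA Manager URL", "").startswith("https://"):
        findings.append("Information Manager URL does not use https")
    failures = _count(fields, "Total number of post failures")
    if failures:
        findings.append(f"{failures} post failures reported")
    waiting = _count(fields, "Entries waiting in queue")
    if waiting > max_waiting:
        findings.append(f"{waiting} events waiting in queue (limit {max_waiting})")
    # Every accepted event should be either forwarded or still queued.
    if _count(fields, "Total events accepted") != _count(fields, "Total events forwarded") + waiting:
        findings.append("accepted != forwarded + waiting: events unaccounted for")
    return not findings, findings


if __name__ == "__main__":
    for name, report in (("sample", SAMPLE_STATUS), ("degraded", DEGRADED_STATUS)):
        healthy, problems = check_agent_status(report)
        print(name, "healthy" if healthy else "UNHEALTHY", problems)
```

To use it against a live Agent, pass the captured output of `./jre/bin/java -jar agentcmd.jar -status` to check_agent_status; a non-empty findings list is what a monitoring job would alert on. The accounting check (accepted equals forwarded plus waiting) is the one condition the individual counters do not reveal on their own.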
Starting and stopping Agent services or daemons
The Agent runs as a service if your collector is installed on a Windows computer, or as a daemon if the collector is installed on a Linux/Solaris computer. To start and stop the Agent, you start and stop the services or daemons as necessary.
To start and stop the Agent service on Windows
1 On the computer on which you installed the Agent, on the Windows taskbar, click Start > Settings > Control Panel.
2 In the Control Panel window, double-click Administrative Tools.
3 In the Administrative Tools window, double-click Services.
4 In the Services dialog box, right-click SESA AgentStart Service.
5 Select one of the following:
■ Start
■ Stop
To start and stop the Agent daemon on Linux/Solaris
1 On the computer on which you installed the Agent, become superuser.
2 At the command prompt, do one of the following:
■ To start the Agent daemon, type the following command:
service sesagentd start
■ To stop the Agent daemon, type the following command:
service sesagentd stop
Verifying event collection in Symantec Security Information Manager
You must verify that Symantec Security Information Manager is collecting events correctly.
To verify event collection in Symantec Security Information Manager
1 Launch Symantec Security Information Manager.
See “Launching Symantec Security Information Manager” on page 36.
2 Log on using a Symantec Security Information Manager user account with sufficient rights to view events.
The Symantec Security Information Manager user must belong to a role that has rights to the Information Manager-integrated collector.
3 From the View menu, click Other Services, and then click Event Viewer.
4 On the Events view tab, in the left pane, expand the appropriate event database.
5 Expand Global Reports > Application events: All.
6 Under the menu bar, click Refresh.
7 Verify that the Application Start event has been logged by the collector.
About viewing reports
Collectors let you use Symantec Security Information Manager to view events that are logged by your third-party security product. The Symantec Integration Packages (SIP) of some collectors that you installed on the Symantec Security Information Manager include predefined reports for collector events. Some reports only display events if the security product they support is installed.
The reports that are available are specific to each collector and are stored in a folder named with the name of your third-party security product, within the report types folders. Available report types may include the following:
■ Firewall Events
■ AntiVirus Events
■ Network Intrusion Detection Events
■ Intrusion Detection Events
■ Host Intrusion Detection Event Family
■ Vulnerability Events
■ Virtual Private Network Events
■ Event Log Family
Refer to the Symantec Security Information Manager online help for more information on queries and reports.
About creating custom reports
Once you have determined the set of default or custom queries that you would like to use for a report, you are ready to create the report. You can also create new queries while creating a report.
For more information about custom reports, refer to the Symantec Security Information Manager online help.
Uninstalling the collector
To uninstall the collector, you must perform the following procedures in the order listed:
■ Uninstall the collector component
See “Uninstalling the collector component” on page 44.
■ Uninstall the Agent
See “Uninstalling the Agent” on page 45.
■ Uninstall the Symantec Integration Package
See “Uninstalling the Symantec Integration Package” on page 45.
Uninstalling the collector component
Uninstalling the collector component removes the part of the collector that collects events from the third-party security products, processes them, and passes them to the Agent.
To uninstall the collector component on Windows
1 On the collector computer, navigate to the folder containing the collector.
The default folder is C:\Program Files\Symantec\SESA\Agent\collectors\<third_party>, where <third_party> is the name of your third-party security product.
2 Double-click uninstall.bat.
3 If the Agent is no longer needed, manually remove it.
See “Uninstalling the Agent” on page 45.
Directories that contain logs and other files that were modified after the installation remain in the installation directory. Log files are deleted during the uninstallation process.
To uninstall the collector component on Linux/Solaris
1 On the collector computer, become superuser.
2 Change directories to the collector installation directory.
The default is /opt/Symantec/SESA/Agent/collectors/<third_party>, where <third_party> is the name of your third-party security product.
3 At the command prompt, type:
./uninstall.sh
4 Manually remove the Agent.
See “Uninstalling the Agent” on page 45.
Directories that contain logs and other files that were modified after the installation remain in the installation directory. Log files are deleted during the uninstallation process.
Uninstalling the Agent
Uninstalling the Agent removes the Java application that performs communication functions between Information Manager and the collector.
If no other products are using the Agent, you must uninstall the Agent after you have uninstalled the collector component.
To uninstall the Agent
1 Do one of the following:
■ On Windows, change directories to the default installation folder C:\Program Files\Symantec\SESA\Agent on your local hard drive.
■ On Linux/Solaris, become superuser, and then navigate to the default installation directory /opt/Symantec/SESA/Agent.
2 Do one of the following:
■ On Windows, type the following:
setup.exe -u -debug
■ On Linux/Solaris, type the following:
./install.sh -u
3 Manually delete the following folder:
■ On Windows:
C:\Program Files\Symantec\SESA\Agent
■ On Linux/Solaris:
/opt/Symantec/SESA/Agent
Uninstalling the Symantec Integration Package
Uninstalling the Symantec Integration Package (SIP) removes only the information that is specific to the collector (such as tables, fields, and reports) from Information Manager. Uninstallation of the SIP is performed through the Symantec Integration Wizard that you used to install the SIP on the Information Manager computer. The same Windows computer that you used to install the SIP can be used to uninstall the SIP. If this computer is not available, you can download the Symantec Integration Wizard to another Windows computer.
See “Installing the SIP” on page 19.
Warning: Event data is unavailable after you uninstall the SIP. If you need to have access to that event data, consider purging, moving, or copying important data before uninstalling the SIP.
For more information, refer to the Symantec Security Information Manager online help.
To uninstall the Symantec Integration Package
1 On a Windows computer that has the Symantec Integration Wizard, at the command prompt, type the following:
unregistersip_linux.bat
2 In the Welcome to the Symantec Integration Wizard panel, click Next.
3 In the Integration Requirements panel, click Next.
4 In the Directory Domain Administrator Information panel, specify information in the following text boxes:
Directory Domain Administrator Name
    Type the name for the Domain Administrator account. This account provides access to its associated administrative domain.
Directory Domain Administrator Password
    Type the Directory Domain Administrator password.
Log on to domain (in dotted notation)
    Type the name of the administrative domain. An example of dotted notation is: NorthAmerica.SES.
Host Name or IP Address of the Information Manager computer
    Do one of the following:
    ■ If Information Manager is using default, anonymous SSL communications, type the IP address of the Information Manager computer.
    ■ If Information Manager is using authenticated SSL communication, type the host name of the Information Manager computer. An example host name is: mycomputer.com.
    For more information on the Information Manager default, anonymous SSL, and upgrading to authenticated SSL, refer to the Symantec Security Information Manager online help.
Secure Directory Port
    Type the number of the Information Manager SSL port (by default, 636).
5 In the Information Manager Integration Package to Uninstall panel, type or browse to the location in which the SIP is located.
SIP files have the extension .sip.
6 In the Request Immediate Deployment/Removal of SIP panel, check one of the following:
■ Deploy or remove the SIP at a scheduled time
Removes the SIP at the time that is specified in the Deploy time option in Symantec Security Information Manager. The default setting for Deploy time is every Saturday and Sunday at 2:00 P.M. GMT. You can change the default time by modifying the Product Installation Service Deploy Time configuration option.
For instructions on changing the default setting, see the Symantec Security Information Manager Administration Help.
■ Queue the SIP for immediate deployment or removal
Queues the SIP for immediate removal from the Information Manager and event database.
To restart the Web services after the removal from the Information Managers, check If necessary, restart the Web server. The Web server needs to be restarted for the Information Manager to recognize the Manager Extensions that are removed with the SIP.
■ In the Select the Domains panel, check the administrative domains for which you want to remove the SIP. To remove the SIP from all available domains, check the top-level Available Domains check box.
7 In the Select the Managers panel, check the Information Managers from which you want to remove the SIP Manager Extensions. To remove the SIP Manager Extensions from all Information Managers, check the top-level Available Managers check box.
8 Follow the on-screen instructions until you reach the Integration Successful panel.
9 To complete the Symantec Integration Wizard, click Finish.
Appendix A
Quick reference for SELinux Collector
This appendix includes the following topics:
■ Compatibility and system requirements
■ Preinstallation requirements for SELinux Collector
■ Configuring your security product to work with the collector
■ Sensor information
■ Recommended collector configurations
Compatibility and system requirements
The collector is compatible with specific versions of the product and is compatible with certain operating systems. The machine on which the collector is installed must meet minimum system requirements.
See “Compatibility requirements for Security-Enhanced Linux” on page 49.
Compatibility requirements for Security-Enhanced Linux
The collector is compatible with Security-Enhanced Linux version 2.6.
The collector runs on the following platform:
■ Red Hat® Enterprise Linux AS 4.0
System requirements for the collector machine
The computer on which you install the collector must meet the following minimum system requirements:
■ Intel® Pentium®-compatible 133-MHz processor (up to and including Xeon®-class)
■ 512 MB minimum, 1 GB of memory recommended for the Agent
■ 35 MB of hard disk space for collector program files
■ 95 MB of hard disk space to accommodate the Agent, JRE, and the collector
■ TCP/IP connection to a network with a fixed IP address
Preinstallation requirements for SELinux Collector
There are no preinstallation procedures specific to SELinux Collector.
Configuring your security product to work with the collector
After you have installed the necessary collector components, you must configure Security-Enhanced Linux so that event information is available to the collector. Only general information to configure Security-Enhanced Linux is provided. Please consult your Security-Enhanced Linux manual for more information.
Sensor information
The collector uses a sensor that must be configured to receive security events. After the sensor is configured, the settings are distributed to the collectors on the target computers.
See “Configuring the collector sensor to receive security events” on page 26.
See “Sensor settings for SELinux Collector” on page 50.
Sensor settings for SELinux Collector
Symantec Event Collector for Security-Enhanced Linux uses a Log sensor:
■ Log File Directory
Specify the path to the log file on the security product machine.
The default log file directory is /var/log/.
■ Log File Name
Specify the name of the log file.
The default log file name is messages.
■ File Name Dynamic
Specify whether or not the log file name is dynamic.
This option should be checked, as SELinux creates dynamically-named log files in this format: messages, messages.0, messages.1, and so on.
■ File Encoding
This value should be UTF-8 (default).
■ End of File Marker
EOF specifies the end-of-file character, which is the default. NULL specifies hexadecimal 00.
■ Start Reading From
This property allows you to specify where to start reading the log file upon restart of the collector.
    ■ BEGINNING: Specifies that the log file is read from the beginning of the most recent file in the directory.
    ■ END: Specifies that the log file is read from the end of the file. Only events written to the log file after the collector starts are read.
    ■ Last Position: Keeps track of which line the collector is reading from in the log file, and then continues reading from this position if the collector is interrupted and restarted.
■ End of Record Marker
Specify the delimiter that is used at the end of each message.
    ■ BLANKLINE: Refers to a blank line as a message delimiter (specify two successive ENDOFLINE characters).
■ Monitor in Real Time
Check the box to monitor the log file in real time. This is the default.
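The three Start Reading From values and the End of Record Marker decide which events survive a collector restart, which is easiest to see by running them side by side. The following Python model is an added example, not Symantec's sensor implementation: it picks the newest file of the dynamic-name family (messages, messages.0, messages.1 ...) by modification time, splits records on the configured marker, and shows how BEGINNING, END and Last Position behave after a restart, including the case of a half-written line at the end of the file. The JSON state file used to persist Last Position, the LAST_POSITION constant name, and the syslog-style sample lines are all constructed for the example.

```python
"""Model of the Log sensor's Start Reading From and End of Record Marker options.

Added example, not Symantec's implementation. It reads the newest file of the
dynamic-name family (messages, messages.0, messages.1 ...), splits records on
the configured marker, and shows how BEGINNING, END and Last Position differ
when the collector restarts. The state-file format and sample lines are
constructed for this example.
"""
import json
import os
import re
import tempfile

DYNAMIC_NAME = re.compile(r"^messages(?:\.\d+)?$")
RECORD_MARKERS = {"ENDOFLINE": b"\n", "BLANKLINE": b"\n\n"}  # BLANKLINE = two ENDOFLINE


def most_recent_file(log_dir):
    """Newest file (by mtime) in log_dir whose name matches the dynamic-name pattern."""
    names = [os.path.join(log_dir, n) for n in os.listdir(log_dir) if DYNAMIC_NAME.match(n)]
    if not names:
        raise FileNotFoundError(f"no messages file in {log_dir}")
    return max(names, key=os.path.getmtime)


def split_records(data, marker):
    """Split data on marker; return (complete records, bytes consumed).
    An unterminated tail is not consumed, so a half-written line is read later, whole."""
    records, consumed = [], 0
    while (idx := data.find(marker, consumed)) >= 0:
        text = data[consumed:idx].decode("utf-8", errors="replace")  # File Encoding: UTF-8
        if text:
            records.append(text)
        consumed = idx + len(marker)
    return records, consumed


class LogSensor:
    """One Log sensor instance; constructing a new one models a collector restart."""

    def __init__(self, log_dir, start_from="BEGINNING", record_marker="ENDOFLINE", state_file=None):
        if start_from not in ("BEGINNING", "END", "LAST_POSITION"):
            raise ValueError(f"unknown Start Reading From value: {start_from}")
        self.marker = RECORD_MARKERS[record_marker]
        self.state_file = state_file  # where Last Position is persisted (assumed JSON file)
        self.path = most_recent_file(log_dir)
        size = os.path.getsize(self.path)
        if start_from == "BEGINNING":
            self.position = 0
        elif start_from == "END":
            self.position = size      # only events written after start are read
        else:
            self.position = self._saved_position(size)

    def _saved_position(self, size):
        """Resume where the previous instance stopped; start over if the file rotated or shrank."""
        if self.state_file and os.path.exists(self.state_file):
            with open(self.state_file) as fh:
                saved = json.load(fh)
            if saved.get("path") == self.path and 0 <= saved.get("position", 0) <= size:
                return saved["position"]
        return 0

    def poll(self):
        """Return all complete records written since the last poll and record the new position."""
        with open(self.path, "rb") as fh:
            fh.seek(self.position)
            data = fh.read()
        records, consumed = split_records(data, self.marker)
        self.position += consumed
        if self.state_file:
            with open(self.state_file, "w") as fh:
                json.dump({"path": self.path, "position": self.position}, fh)
        return records


def demo():
    """Constructed scenario: a rotated file plus the live file, two writes, three kinds of restart."""
    with tempfile.TemporaryDirectory() as d:
        live, rotated, state = (os.path.join(d, n) for n in ("messages", "messages.0", "sensor.state"))
        # constructed syslog-style lines; the AVC text mimics the format, not real events
        with open(rotated, "wb") as fh:
            fh.write(b"Sep  5 23:59:59 host kernel: audit(0.000:1): avc:  denied  { read } comm=\"old\"\n")
        older = os.path.getmtime(rotated) - 3600
        os.utime(rotated, (older, older))  # make the rotated copy clearly older than the live file
        with open(live, "wb") as fh:
            fh.write(b"Sep  6 18:24:17 host kernel: audit(1.000:2): avc:  denied  { read } comm=\"httpd\"\n"
                     b"Sep  6 18:24:18 host kernel: audit(2.000:3): avc:  denied  { write } comm=\"httpd\"\n")
        first = len(LogSensor(d, "LAST_POSITION", state_file=state).poll())  # 2 records, position saved
        with open(live, "ab") as fh:
            fh.write(b"Sep  6 18:25:00 host kernel: audit(3.000:4): avc:  granted  { read } comm=\"httpd\"\n"
                     b"Sep  6 18:25:01 host kernel: half-written line")  # no newline yet
        return {
            "first": first,
            "last_position": len(LogSensor(d, "LAST_POSITION", state_file=state).poll()),  # 1 new record
            "beginning": len(LogSensor(d, "BEGINNING").poll()),  # 3 complete records, tail skipped
            "end": len(LogSensor(d, "END").poll()),  # nothing until something new is written
        }


if __name__ == "__main__":
    print(demo())
```

The demo returns the record counts each mode sees after the restart: Last Position picks up only the one line written while the sensor was down, BEGINNING re-reads every complete line (so duplicates are the price of that setting), and END sees nothing until the next write. In every mode the unterminated last line is left in the file rather than being emitted as a truncated event.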
Recommended collector configurations
While many configurations are possible, we recommend the following scenario(s) for SELinux Collector.
See “Collector configuration scenarios” on page 53.
Scenario 1 - One-for-All
Uses the default configuration and one sensor for all machines:
Default
    Sensor 0
Appendix B
Creating collector configurations
This appendix includes the following topics:
■ Collector configuration scenarios
■ Creating collector configurations
Collector configuration scenarios
When a collector is installed, the collector includes an initial configuration set named Default. This configuration is generally set up with information that is specific to both the computer on which the collector is installed and to the data source or sources from which that installation of the collector harvests event data.
A collector will pull down the latest configuration from Information Manager on startup and at regular intervals, or on demand. In the configuration properties, it is necessary to define the systems or configuration groups that will receive this information. If a collector starts up and no configuration has been explicitly assigned to it, it will download the Default configuration.
Generally, if the same sensor settings are to be used by most of the installed collectors, then the Default configuration should be used and its sensors configured. This means that the collector can start to collect events as soon as it is installed without requiring the collector to be explicitly added to a configuration. If each collector requires different sensor settings, it is advisable to not use the Default configuration and to create a new configuration per collector installation.
How you configure your collector depends on the network topology of your organization as well as specific characteristics of the third-party security product, and the collector itself. The collector allows you to set up various configurations; however, you should attempt to set up only the recommended configurations.
See “Recommended collector configurations” on page 51.
Scenario 1 - One-for-All configuration
When a collector is installed, the collector includes an initial configuration set named Default that is accessible through Information Manager. This configuration is generally set up with information that is specific to both the computer on which the collector is installed, and the event data source.
For example, you want to deploy a number of servers with the same operating system, with a collector installed on each server. If the security product (or in this case, operating system) stores its data in a syslog file or log file, the only configuration parameter needed by the collector is the name and location of the syslog or log file. If the security product stores its data in a syslog, the only configuration parameter needed by the collector is the port number from which to collect event data. If the location or port number is identical across all the servers, a single configuration, the Default, will suffice for all instances of the collector.
A representation of this type of configuration is:
Default
    Sensor 0
Figure B-1 Collector configuration scenario 1 - One-for-All
The advantage of using the Default configuration is that it allows you to easily add additional servers with the same operating system. The collector automatically receives the settings of the Default configuration, and can be fully functional the first time the Agent is started on the collector machine. If you were to not use the