FortiSIEM Configuring Security Gateways

Configuring Security Gateways

AccelOps supports these security gateways for discovery and monitoring.

Barracuda Networks Spam Firewall Configuration

Blue Coat Web Proxy Configuration

Cisco IronPort Mail Gateway Configuration

Cisco IronPort Web Gateway

McAfee Web Gateway Configuration

Microsoft ISA Server Configuration

Squid Web Proxy Configuration

Websense Web Filter Configuration

Fortinet FortiWeb Fortinet FortiMail

Barracuda Networks Spam Firewall Configuration

What is Discovered and Monitored

Rules

Reports

Configuration

SNMP

Syslog

Sample Parsed Barracuda Spam Firewall Syslog Message  Settings for Access Credentials

What is Discovered and Monitored

Protocol Information discovered Metrics collected Used for
SNMP Host name,

Interfaces, Serial

number

CPU utilization, Memory utilization, Interface Utilization Performance

Monitoring

Syslog   Various syslogs – scenarios include – mail scanned and allowed/denied/quarantined etc; mail sent and reject/delivered/defer/expired; mail received and allow/abort/block/quarantined etc. Security Monitoring and compliance

 

Event Types

In CMDB > Event Types, search for “barracuda” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Sample Parsed Barracuda Spam Firewall Syslog Message

Blue Coat Web Proxy Configuration

What is Discovered and Monitored

Sample Parsed Blue Coat Audit Syslog

Configure FTP in AccelOps

Configure an Epilog client in AccelOps

Configure FTP in Blue Coat

Settings for Access Credentials

What is Discovered and Monitored
Protocol Information discovered Metrics collected Used for
SNMP Host name,

Interfaces, Serial

number

CPU utilization, Memory utilization Performance

Monitoring

SNMP   Proxy performance: Proxy cache object count, Proxy-to-server metrics: HTTP errors, HTTP requests, HTTP traffic

(KBps);  Server-to-proxy metrics: HTTP traffic (KBps), Client-to-proxy metrics: HTTP requests, HTTP Cache hit, HTTP errors, HTTP traffic (KBps); Proxy-to-client metrics: HTTP traffic (KBytes)

Performance

Monitoring

SFTP   Proxy traffic: attributes include Source IP, Destination IP, Destination Name, Destination Port, URL, Web category,

Proxy action, HTTP User Agent, HTTP Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration

Security Monitoring and compliance
Syslog   Admin authentication success and failure Security Monitoring and compliance

Event Types

In CMDB > Event Types, search for “blue coat” in the Device Type and Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

The following procedures enable AccelOps to discover Bluecoat web proxy.

  1. Log in to your Blue Coat management console.
  2. Go to Maintenance > SNMP.
  3. Under SNMP General, select Enable SNMP.
  4. Under Community Strings, click Change Read Community, and then enter a community string that AccelOps can use to access your device.
  5. Click OK.

Syslog

Syslog is used by Blue Coat to send audit logs to AccelOps.

  1. Log in to your Blue Coat management console.
  2. Go to Maintenance > Event Logging.
  3. Under Level, select Severe Errors, Configuration Events, Policy Messages, and
  4. Under Syslog, enter the IP address of your AccelOps virtual appliance for Loghost.
  5. Select Enable syslog.
  6. Click

Sample Parsed Blue Coat Audit Syslog

SFTP

SFTP is used to send access logs to AccelOps. Access logs includes the traffic that Blue Coat proxies between the client and the server. The access logs are sent via FTP, where Bluecoat is the client and AccelOps is the server. You need to configure SFTP in AccelOps first, and then on your Blue Coat web proxy server.

Configure FTP in AccelOps

  1. Log in to your Supervisor node as root.
  2. Run the ./phCreateBluecoatDestDir command to create an FTP user account.

The files sent from Blue Coat will be temporarily stored in this account. The script will create an user called ftpuser. If the this user already exists, you do not need to create a new one. The script will ask for the IP address of Blue Coat and the password for the user ft puser, and will then create the directory /opt/phoenix/cache/bluecoat/<Bluecoat IP>.

  1. Run vi /etc/passwd to change the home directory for ftpuser to /opt/phoenix/cache/bluecoat.

Change only the home directory as shown in this screenshot, do not change any other value.

Configure an Epilog client in AccelOps

The Epilog client converts each line of the log files in the /opt/phoenix/cache/bluecoat/<Bluecoat IP> directory in real time into a syslog, and sends it to the AccelOps parser for processing.

  1. Log in to your Supervisor node as root.
  2. Update the Epilog configuration in /etc/snare/epilog/epilog.conf as shown in this code block, and then restart the epilog
  3. Log in to your Blue Coat management console.
  4. Go to Management Console > Configuration > Access Logging > General.
  5. Select Enable Access Logging.
  6. In the left-hand navigation, select Logs.
  7. Under Upload Client, configure these settings.
Setting Value
Log main
Client Type FTP Client
Encryption Certificate No Encryption
Keyring Signing No Signing
Save the log file as text file
Send partial buffer after 1 seconds
Bandwidth Class <none>
  1. Next to Client Type, click Settings.
  2. Configure these settings.
Setting Value
Settings for Primary FTP Server
Host IP address of your AccelOps virtual appliance
Port 21
Path /<Blue Coat IP Address>
Username bcFtpUser
Change Primary Password Use the password you created for ftpuser in AccelOps
Filename SG_AccelOps_bluecoat_main.log
  1. Clear the selections Use Secure Connections (SSL) and Use Local Time.
  2. Select Use Pasv.
  3. Click OK.
  4. Follow this same process to configure the settings for im, ssl and p2p. For each of these, you will refer to a different Filename.

For im the file name is SG_AccelOps_bluecoat_im.log

For ssl the file name is SG_AccelOps_bluecoat_ssl.log

For p2p the file name is SG_AccelOps_bluecoat_p2p.log

Sample Parsed Blue Coat Access Syslog

<2> Jun 25 11:15:33 SJ-QA-W-FDR-Test-01.prospect-hills.net

BluecoatWebLog 0 2010-06-25 18:13:34 2021 192.168.22.21 200 TCP_TUNNELED

820 1075 CONNECT tcp accelops.webex.com 443 / – – – NONE 172.16.0.141 –

– “WebEx Outlook Integration Http Agent” PROXIED “none” – 25.24.23.22

Settings for Access Credentials
Cisco IronPort Mail Gateway Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

SNMP

Syslog

Sample Parsed Ironport Mail Gateway Syslog  Settings for Access Credentials

What is Discovered and Monitored
Protocol Information discovered Metrics collected Used for
SNMP   Ping Status, SNMP Ping Stat, Uptime, CPU Util, Mem Util, Net Intf Stat, Hardware Status  
Syslog   Mail attributes: attributes include MID, ICID, DCID, Sender address, Receiver Address, Mail Subject, Sent Bytes, Attachment, Spam indicator, Virus indicator, Quarantine indicator, SMTP delivery failures and failure codes, mail action – pass, block, clean. Security Monitoring and compliance

Event Types

In CMDB > Event Types, search for “ironport-mail” in the Display Name column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “ironport mail” in the Name and Description columns to see the reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Syslog

  1. Log in to your Ironport Mail Gateway device manager with administrator privileges.
  2. Edit the Log Subscription settings.
  3. For Log Name, enter IronPort-Mail.

This identifies the log to AccelOps as originating from an Ironport mail gateway device.

  1. For Retrieval Method, select Syslog Push.
  2. For Hostname, enter the IP address of your AccelOps virtual appliance.
  3. For Protocol, select UDP.

Sample Parsed Ironport Mail Gateway Syslog

Settings for Access Credentials
Cisco IronPort Web Gateway

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

Syslog

Sample Parsed Ironport Web Gateway Syslog

What is Discovered and Monitored
Protocol Information discovered Metrics collected Used for
Syslog   Squid style web logs: attributes include Source IP Address, Destination Host name, Sent Bytes, Received Bytes,

HTTP User Agent, HTTP Referrer, HTTP Version, HTTP Method, HTTP Status Code, URL, HTTP Content type, Web Category, HTTP Proxy Action

Security Monitoring and compliance

Event Types

In CMDB > Event Types, search for “ironport-web” in the Display Name column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

  1. Log in to your Ironport gateway device manager with administrator privileges.
  2. Edit the settings for Log Subscription.
Setting Value
Log Type Access Logs
Log Name IronPort-Web

This identifies the log to AccelOps as originating from an IronPort web gateway device

Log Style Squid
Custom Fields %L %B %u
Enable Log Compression Clear the selection
Retrieval Method Syslog Push
Hostname The IP address of your AccelOps virtual appliance
Protocol UDP

Sample Parsed Ironport Web Gateway Syslog

<134>Oct 09 09:19:25 IronPort-Web: Info: 1349795965.314 92 10.163.154.153 TCP_CLIENT_REFRESH_MISS/200 70798 GET http://forefrontdl.microsoft.com/server/scanengineupdate/x86/Kaspersky/P ackage/1210090007/bases/base1b1d.kdc.cab DIRECT/forefrontdl.microsoft.com application/octet-stream

ALLOW_CUSTOMCAT_11-UnAuthenticated_Applications-APU_No_Auth-NONE-NONE-NO

NE-DefaultGroup

<J_Doe,6.9,-,””-“”,-,-,-,-,””-“”,-,-,-,””-“”,-,-,””-“”,””-“”,-,-,IW_swup

,-,””-“”,””-“”,””Unknown””,””Unknown””,””-“”,””-“”,6156.35,0,-,””-“”,””-

“”> – “”09/Oct/2012:09:19:25 -0600″” 71052

“”V3S;{6ADC64A3-11F9-4B04-8257-BEB541BE2975};””

McAfee Web Gateway Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

Syslog

Sample Parsed McAffee Web Gateway Syslog Message

What is Discovered and Monitored
Protocol Information discovered Metrics collected Used for
Syslog   Parsed event attributes: include Source IP, Destination URL, HTTP Method, HTTP User agent, HTTP

Status Code, HTTP Content Type, Blocked Reason, Risk

Security Monitoring and compliance

Event Types

In CMDB > Event Types, search for “mcafee_web” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Sample Parsed McAffee Web Gateway Syslog Message

[21/Feb/2012:11:44:19  -0500]  “”””””””””””    “”10.200.11.170 200

“”””GET http://abc.com/ HTTP/1.1″””” “”””General News”””” “”””Minimal Risk”””” “”””text/html”””” 101527 “””””””” “””””””” “”””0″”””””

[30/May/2012:10:39:44 -0400] “” 10.19.2.63 200

“GEThttp://abc.com/html.ng/site=cnn&cnn_pagetype=main&cnn_position=126×3

1_spon2&cnn_rollup=homepage&page.allowcompete=no&params.styles=fs&Params

.User.UserID=4fc6251c068c9f0aa51475025d0040b8&transactionID=717986062880 5012&tile=4893878838331&domId=135492 HTTP/1.1” “Web Ads, Forum/Bulletin

Boards” “MinimalRisk” “text/html” 1 “” “” “0”

Microsoft ISA Server Configuration

What is Discovered and Monitored

Enabling SNMP on Windows Server 2003

Enabling SNMP on Windows 7 or Windows Server 2008 R2

Creating a Generic User Who Does Not Belong to the Local Administrator Group Creating a User Who Belongs to the Domain Administrator Group

Sample Microsoft ISA Server Syslog  Settings for Access Credentials

What is Discovered and Monitored
Protocol Information discovered Metrics collected Used for
SNMP Application type Process level metrics: CPU utilization, memory utilization Performance

Monitoring

WMI Application type, service mappings Process level metrics: uptime, CPU Utilization, Memory utilization, Read I/O, Write I/O Performance

Monitoring

Syslog(via

SNARE)

Application type W3C proxy logs: attributes include Service Instance, Source IP, User, Destination IP, Destination Port, Service

Instance,  Sent Bytes, Received Bytes, Connection Duration, HTTP User Agent, HTTP Referrer, HTTP Version,

HTTP Method, HTTP Status Code, URL, Source interface, Destination interface, Proxy action

Security Monitoring and compliance

Event Types

In CMDB > Event Types, search for “isa server” in the Device Type  andDescription column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

Enabling SNMP on Windows Server 2003

SNMP is typically enabled by default on Windows Server 2003, but you will still need to add AccelOps to the hosts that are authorized to accept SNMP packets. First you need to make sure that the SNMP Management tool has been enabled for your device.

  1. In the Start menu, go to Administrative Tools > Services.
  2. Go to Control Panel > Add or Remove Programs.
  3. Click Add/Remove Windows Components.
  4. Select Management and Monitoring Tools and click Details.

Make sure that Simple Network Management Tool is selected.

If it isn’t selected, select it, and then click Next to install.

  1. Go to Start > Administrative Tools > Services.
  2. Select and open SNMP Service.
  3. Click the Security
  4. Select Send authentication trap.
  5. Under Accepted communities, make sure there is an entry for public that is set to read-only.
  6. Select Accept SNMP packets from these hosts.
  7. Click
  8. Enter the IP address for your AccelOps virtual appliance that will access your device over SNMP.
  9. Click Add.
  10. Click Apply.
  11. Under SNMP Service, click Restart service.

Enabling SNMP on Windows 7 or Windows Server 2008 R2

SNMP is typically enabled by default on Windows Server 2008, but you will still need to add AccelOps to the hosts that are authorized to accept SNMP packets. First you should check that SNMP Services have been enabled for your server.

  1. Log in to the Windows 2008 Server where you want to enable SNMP as an administrator.
  2. In the Start menu, select Control Panel.
  3. Under Programs, click Turn Windows features on/off.
  4. Under Features, see if SNMP Services is installed.

If not, click Add Feature, then select SMNP Service and click Next to install the service.

  1. In the Server Manager window, go to Services > SNMP Services.
  2. Select and open SNMP Service.
  3. Click the Security
  4. Select Send authentication trap.
  5. Under Accepted communities, make sure there is an entry for public that is set to read-only.
  6. Select Accept SNMP packets from these hosts.
  7. Click
  8. Enter the IP address for your AccelOps virtual appliance that will access your device over SNMP.
  9. Click Add.
  10. Click Apply.
  11. Under SNMP Service, click Restart service.

WMI

Configuring WMI on your device so AccelOps can discover and monitor it requires you to create a user who has access to WMI objects on the device. There are two ways to do this:

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Log in to the machine you want to monitor with an administrator account.

Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
  2. Right-click Users and select Add User.
  3. Create a user.
  4. Go to Groups, right-click Distributed COM Users, and then click Add to group.
  5. In the Distributed COM Users Properties dialog, click Add.
  6. Find the user you created, and then click OK.

This is the account you will need to use in setting up the Performance Monitor Users group permissions.

  1. Click OK in the Distributed COM Users Properties dialog, and then close the Computer Management dialog.
  2. Repeat steps 4 through 7 for the Performance Monitor Users group. Enable DCOM Permissions for the Monitoring Account
  3. Go to Start > Control Panel > Administrative Tools > Component Services.
  4. Right-click My Computer, and then Properties.
  5. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  6. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to
  7. Click OK.
  8. Under Access Permissions, click EditDefault.
  9. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to
  10. Click
  11. Under Launch and Activation Permissions, click Edit Limits.
  12. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  13. Click OK.
  14. Under Launch and Activation Permissions, click Edit Defaults.
  15. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the Domain Admin User set up instructions for the remaining steps to configure WMI.

Creating a User Who Belongs to the Domain Administrator Group

Log in to the Domain Controller with an administrator account.

Enable remote WMI requests by Adding a Monitoring Account to the Domain Administrators Group

  1. Go to Start > Control Pane > Administrative Tools > Active Directory Users and Computers > Users.
  2. Right-click Users and select Add User.
  3. Create a user for the @accelops.com domain.

For example, YJTEST@accelops.com.

  1. Go to Groups, right-click Administrators, and then click Add to Group.
  2. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
  3. For Enter the object names to select, enter the user you created in step 3.
  4. Click OK to close the Domain Admins Properties dialog.
  5. Click OK.

Enable the Monitoring Account to Access the Monitored Device

Log in to the machine you want to monitor with an administrator account. Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the Com Security tab, and then under Access Permissions, click Edit Limits.
  4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Re mote Access.
  5. Click OK.
  6. In the Com Security tab, under Access Permissions, click Edit Defaults.
  7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Re mote Access.
  8. Click OK.
  9. In the Com Security tab, under Launch and Activation Permissions, click Edit Limits.
  10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. In the Com Security tab, under Launch and Activation Permissions, click Edit Defaults.
  12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

Enable Account Privileges in WMI

The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
  2. Select WMI Control, and then right-click and select Properties.
  3. Select the Security
  4. Expand the Root directory and select CIMV2.
  5. Click Security.
  6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remot e Enable.
  7. Click Advanced.
  8. Select the user you created for the monitoring account, and then click Edit.
  9. In the Apply onto menu, select This namespace and subnamespaces.
  10. Click OK to close the Permission Entry for CIMV2 dialog.
  11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
  12. In the left-hand navigation, under Services and Applications, select Services.
  13. Select Windows Management Instrumentation, and then click Restart. Allow WMI to Connect Through the Windows Firewall (Windows 2003)
  14. In the Start menu, select Run.
  15. Run msc.
  16. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
  17. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not.
  18. Select Windows Firewall: Allow remote administration exception.
  19. Run exe and enter these commands:
  20. Restart the server.

Allow WMI through Windows Firewall (Windows Server 2008, 2012)

  1. Go to Control Panel > Windows Firewall.
  2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
  3. Select Windows Management Instrumentation, and the click OK.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Syslog

Use the Windows Agent Manager to configure sending syslogs from your device to AccelOps.

Sample Microsoft ISA Server Syslog

<13>Mar  6 20:56:03 ISA.test.local ISAWebLog    0    192.168.69.9   anonymous    Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12    Y    2011-03-05   21:33:55    w3proxy    ISA    –    212.58.246.82    212.58.246.82    80 156    636    634    http    TCP    GET   http://212.58.246.82/rss/newsonline_uk_edition/front_page/rss.xml   text/html; charset=iso-8859-1    Inet    301    0x41200100    Local Machine    Req ID: 07c10445; Compression: client=No, server=No, compress rate=0% decompress rate=0%    Local Host    External    0x400    Allowed 2011-03-05 21:33:55    –

Settings for Access Credentials
Squid Web Proxy Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

SNMP

Syslog

Configure syslogd (or rsyslogd) to Forward the Logs to AccelOps Sample Parsed Squid Syslog Messages

What is Discovered and Monitored
Protocol Information discovered Metrics collected Used for
SNMP Host name,

Interfaces,

Serial number

CPU utilization, Memory utilization Performance

Monitoring

Syslog   Proxy traffic: attributes include Source IP, Destination IP, Destination Name, Destination Port, URL, Web category, Proxy action, HTTP User Agent, HTTP Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration Security Monitoring and compliance

Event Types

In CMDB > Event Types, search for “squid” in the Description and Device Type columns to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled on the server where Squid is running, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Syslog

  1. Add this line to the logformat section in /etc/squid/squid.conf.

Configure syslogd (or rsyslogd) to Forward the Logs to AccelOps

  1. Modify /etc/syslog.conf (/etc/rsyslog.conf if running rsyslog) .
  2. Restart syslogd (or rsyslogd).

Sample Parsed Squid Syslog Messages

Squid on Linux with syslog locally to forward to Accelops

<166>squid[28988]: 192.168.25.15 51734 65.54.87.157 172.16.10.40 3128

5989 – – – – – [22/Apr/2011:17:17:46 -0700] GET

“http://col.stj.s-msn.com/br/sc/js/jquery/jquery-1.4.2.min.js” HTTP/1.1

200 26141 407 “http://www.msn.com/” “Mozilla/5.0 (Windows; U; Windows NT

6.1; en-US; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16” TCP_MISS:DIRECT

Squid on Linux with syslog-ng locally to forward to Accelops

<166>Oct 20 09:21:54 QA-V-CentOS-Syslog-ng squid[7082]: 192.168.20.42

1107 74.125.19.100 172.16.10.34 3128 291 – – – – – [20/Oct/2009:09:21:54

-0700] GET “http://clients1.google.com/generate_204” HTTP/1.1 204 387

603 “http://www.google.com/” “Mozilla/4.0 (compatible; MSIE 7.0; Windows

NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)”

TCP_MISS:DIRECT

Squid on Linux with syslog locally and forward to syslog-ng remotely to forward to Accelops

<166>Oct 20 10:21:42 172.16.10.40 squid[26033]: 192.168.20.42 1121

66.235.132.121 172.16.10.40 3128 117 – – – – – [20/Oct/2009:12:05:49

\-0700|] GET

“http://metrics.sun.com/b/ss/sunglobal,suncom,sunstruppdev/1/H.14/s21779

365053734?” HTTP/1.1 200 746 1177 “http://www.sun.com/” “Mozilla/4.0

(compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR

3.0.4506.2152; .NET CLR 3.5.30729)” TCP_MISS:DIRECT

Squid on Linux with syslog-ng locally and forward to syslog-ng remotely to forward to Accelops

<166>Oct 20 12:44:12 172.16.10.40 squid[26033]: 192.168.20.42 1125

64.213.38.80 172.16.10.40 3128 117 – – – – – [20/Oct/2009:12:44:12

-0700] GET

“http://www-cdn.sun.com/images/hp5/hp5b_enterprise_10-19-09.jpg”

HTTP/1.1 200 12271 520 “http://www.sun.com/” “Mozilla/4.0 (compatible;

MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152;

.NET CLR 3.5.30729)” TCP_MISS:DIRECT

Squid on Solaris with syslog locally to forward to Accelops

<166>May  6 17:55:48 squid[1773]: [ID 702911 local4.info] 192.168.20.39

1715 72.14.223.18 172.16.10.6 3128 674 – – – – – [06/May/2008:17:55:48

-0700] GET “http://mail.google.com/mail/?” HTTP/1.1 302 1061 568 “http://www.google.com/” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14” TCP_MISS:DIRECT

Squid on Solaris with syslog locally and forward to syslog-ng remotely to forward to Accelops

<166>Oct 20 13:02:19 172.16.10.6 squid[687]: [ID 702911 local4.info]

192.168.20.42 1112 208.92.236.184 172.16.10.6 3128 201 – – – – –

[20/Oct/2009:13:02:19 -0700] GET

“http://m.webtrends.com/dcs4f6vsz99k7mayiw2jzupyr_1s2e/dcs.gif?”

HTTP/1.1 200 685 1604 “http://www.microsoft.com/en/us/default.aspx”

“Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727;

.NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)” TCP_MISS:DIRECT

Websense Web Filter Configuration
What is Discovered and Monitored
Protocol Information discovered Metrics collected Used for
Syslog   Parsed event attributes: include Source IP, Destination Name, Destination URL, HTTP Method, HTTP User agent, HTTP Status Code, HTTP Content Type, Blocked Reason, Website category, HTTP Disposition, Sent Bytes, Recv Bytes, Duration, File Type etc Security Monitoring and compliance

Event Types

In CMDB > Event Types, search for “web sense_mail” in the Display Name column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

AccelOps integrates with Websense Web Filter via syslogs sent in the SIEM integration format as described in the Websense SEIM guide. See page 22 for instructions on how to install a Websense Multiplexer that integrates with Websense Policy server and creates syslog for consumption by SIEM products such as AccelOps.

Sample Parsed Websense Web Filter Syslog Message

<159>Feb 28 14:25:32 10.203.28.21 vendor=Websense product=Security product_version=7.7.0 action=permitted severity=1 category=153 user=- src_host=10.64.134.74 src_port=62189 dst_host=mail.google.com dst_ip=74.125.224.53 dst_port=443 bytes_out=197 bytes_in=76 http_response=200 http_method=CONNECT http_content_type= – http_user_agent=Mozilla/5.0_(Windows;_U;_Windows_NT_6.1;_enUS;_rv:1.9.2. 23)_Gecko/20110920_Firefox/3.6.23

http_proxy_status_code=200 reason=- disposition=1034 policy=- role=8 duration=0 url=https://mail.google.com

Fortinet FortiWeb

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

What is Discovered and Monitored
Protocol Information discovered Metrics collected Used for
SNMP Host Name, Vendor, Model, Version,

Hardware Model, hardware

CPU, memory, Disk, Interface, Uptime Performance monitoring
Syslog   System events (e.g. configuration changes), System up/down/restart events,

Performance issues, Admin logon events, Security exploits

Security Monitoring and compliance

Event Types

In CMDB > Event Types, search for “fortiweb” to see the event types associated with this device.

Rules

In Analytics > Rules, search for “fortiweb” to see the rules associated with this device.

For generic availability rules, see Analytics > Rules > Availability > Network

For generic performance rules, see Analytics > Rules > Performance > Network

Reports

In CMDB > Reports, search for “fortiweb” to see the reports associated with this device.

Configuration

Syslog

Configure FortiWenb appliance to send logs to FortiSIEM. Make sure the format matches.

Sample FortiWeb Syslog

Fortinet FortiMail

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

What is Discovered and Monitored
Protocol Information discovered Metrics collected Used for
Syslog   System events (e.g. configuration changes), System up/down/restart events, Performance issues, Admin logon events, malware attachments Security Monitoring and compliance

Event Types

In CMDB > Event Types, search for “fortimail” to see the event types associated with this device.

Rules

In CMDB > Rules, search for “fortimail” to see the rules associated with this device.

For generic availability rules, see Analytics > Rules > Availability > Network

For generic performance rules, see Analytics > Rules > Performance > Network

Reports

In Analytics > Reports, search for “fortimail” to see the reports associated with this device.

Configuration

Syslog

Configure FortiMail appliance to send logs to FortiSIEM. Make sure the format matches.

Sample Parsed FortiMail Syslog

date=2012-08-17 time=12:26:41 device_id=FE100C3909600504 log_id=0001001623 type=event subtype=admin pri=information user=admin ui=GUI(172.20.120.26) action=login status=success reason=none msg=”User admin login successfully from GUI(172.20.120.26)” date=2012-07-16 time=12:22:56 device_id=FE100C3909600504 log_id=0200001075 type=statistics pri=information

session_id=”q6GJMuPu003642-q6GJMuPv003642″ client_name=”[172.20.140.94]” dst_ip=”172.20.140.92″ endpoint=”” from=”user@external.lab” to=”user5@external.lab” subject=””mailer=”mta” resolved=”OK” direction=”in” virus=”” disposition=”Reject” classifier=”Recipient

Verification” message_length=”188″


Having trouble configuring your Fortinet hardware or have some questions you need answered? Ask your questions in the comments below!!! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Leave a Reply

Name *
Email *
Website

This site uses Akismet to reduce spam. Learn how your comment data is processed.