Configuring Security Gateways
AccelOps supports these security gateways for discovery and monitoring.
Barracuda Networks Spam Firewall Configuration
Blue Coat Web Proxy Configuration
Cisco IronPort Mail Gateway Configuration
Cisco IronPort Web Gateway
McAfee Web Gateway Configuration
Microsoft ISA Server Configuration
Squid Web Proxy Configuration
Websense Web Filter Configuration
Fortinet FortiWeb Fortinet FortiMail
Barracuda Networks Spam Firewall Configuration
What is Discovered and Monitored
Rules
Reports
Configuration
SNMP
Syslog
Sample Parsed Barracuda Spam Firewall Syslog Message Settings for Access Credentials
What is Discovered and Monitored
| Protocol | Information discovered | Metrics collected | Used for |
| SNMP | Host name,
Interfaces, Serial number |
CPU utilization, Memory utilization, Interface Utilization | Performance
Monitoring |
| Syslog | Various syslogs – scenarios include – mail scanned and allowed/denied/quarantined etc; mail sent and reject/delivered/defer/expired; mail received and allow/abort/block/quarantined etc. | Security Monitoring and compliance |
Event Types
In CMDB > Event Types, search for “barracuda” in the Device Type column to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.
Configuration
SNMP
AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.
Syslog
AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.
For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.
For Port, enter 514.
Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.
Sample Parsed Barracuda Spam Firewall Syslog Message
Blue Coat Web Proxy Configuration
What is Discovered and Monitored
Sample Parsed Blue Coat Audit Syslog
Configure FTP in AccelOps
Configure an Epilog client in AccelOps
Configure FTP in Blue Coat
Settings for Access Credentials
What is Discovered and Monitored
| Protocol | Information discovered | Metrics collected | Used for |
| SNMP | Host name,
Interfaces, Serial number |
CPU utilization, Memory utilization | Performance
Monitoring |
| SNMP | Proxy performance: Proxy cache object count, Proxy-to-server metrics: HTTP errors, HTTP requests, HTTP traffic
(KBps); Server-to-proxy metrics: HTTP traffic (KBps), Client-to-proxy metrics: HTTP requests, HTTP Cache hit, HTTP errors, HTTP traffic (KBps); Proxy-to-client metrics: HTTP traffic (KBytes) |
Performance
Monitoring |
|
| SFTP | Proxy traffic: attributes include Source IP, Destination IP, Destination Name, Destination Port, URL, Web category,
Proxy action, HTTP User Agent, HTTP Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration |
Security Monitoring and compliance | |
| Syslog | Admin authentication success and failure | Security Monitoring and compliance |
Event Types
In CMDB > Event Types, search for “blue coat” in the Device Type and Description column to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.
Configuration
SNMP
The following procedures enable AccelOps to discover Bluecoat web proxy.
- Log in to your Blue Coat management console.
- Go to Maintenance > SNMP.
- Under SNMP General, select Enable SNMP.
- Under Community Strings, click Change Read Community, and then enter a community string that AccelOps can use to access your device.
- Click OK.
Syslog
Syslog is used by Blue Coat to send audit logs to AccelOps.
- Log in to your Blue Coat management console.
- Go to Maintenance > Event Logging.
- Under Level, select Severe Errors, Configuration Events, Policy Messages, and
- Under Syslog, enter the IP address of your AccelOps virtual appliance for Loghost.
- Select Enable syslog.
- Click
Sample Parsed Blue Coat Audit Syslog
SFTP
SFTP is used to send access logs to AccelOps. Access logs includes the traffic that Blue Coat proxies between the client and the server. The access logs are sent via FTP, where Bluecoat is the client and AccelOps is the server. You need to configure SFTP in AccelOps first, and then on your Blue Coat web proxy server.
Configure FTP in AccelOps
- Log in to your Supervisor node as root.
- Run the ./phCreateBluecoatDestDir command to create an FTP user account.
The files sent from Blue Coat will be temporarily stored in this account. The script will create an user called ftpuser. If the this user already exists, you do not need to create a new one. The script will ask for the IP address of Blue Coat and the password for the user ft puser, and will then create the directory /opt/phoenix/cache/bluecoat/<Bluecoat IP>.
- Run vi /etc/passwd to change the home directory for ftpuser to /opt/phoenix/cache/bluecoat.
Change only the home directory as shown in this screenshot, do not change any other value.
Configure an Epilog client in AccelOps
The Epilog client converts each line of the log files in the /opt/phoenix/cache/bluecoat/<Bluecoat IP> directory in real time into a syslog, and sends it to the AccelOps parser for processing.
- Log in to your Supervisor node as root.
- Update the Epilog configuration in /etc/snare/epilog/epilog.conf as shown in this code block, and then restart the epilog
- Log in to your Blue Coat management console.
- Go to Management Console > Configuration > Access Logging > General.
- Select Enable Access Logging.
- In the left-hand navigation, select Logs.
- Under Upload Client, configure these settings.
| Setting | Value |
| Log | main |
| Client Type | FTP Client |
| Encryption Certificate | No Encryption |
| Keyring Signing | No Signing |
| Save the log file as | text file |
| Send partial buffer after | 1 seconds |
| Bandwidth Class | <none> |
- Next to Client Type, click Settings.
- Configure these settings.
| Setting | Value |
| Settings for | Primary FTP Server |
| Host | IP address of your AccelOps virtual appliance |
| Port | 21 |
| Path | /<Blue Coat IP Address> |
| Username | bcFtpUser |
| Change Primary Password | Use the password you created for ftpuser in AccelOps |
| Filename | SG_AccelOps_bluecoat_main.log |
- Clear the selections Use Secure Connections (SSL) and Use Local Time.
- Select Use Pasv.
- Click OK.
- Follow this same process to configure the settings for im, ssl and p2p. For each of these, you will refer to a different Filename.
For im the file name is SG_AccelOps_bluecoat_im.log
For ssl the file name is SG_AccelOps_bluecoat_ssl.log
For p2p the file name is SG_AccelOps_bluecoat_p2p.log
Sample Parsed Blue Coat Access Syslog
<2> Jun 25 11:15:33 SJ-QA-W-FDR-Test-01.prospect-hills.net
BluecoatWebLog 0 2010-06-25 18:13:34 2021 192.168.22.21 200 TCP_TUNNELED
820 1075 CONNECT tcp accelops.webex.com 443 / – – – NONE 172.16.0.141 –
– “WebEx Outlook Integration Http Agent” PROXIED “none” – 25.24.23.22
Settings for Access Credentials
Cisco IronPort Mail Gateway Configuration
What is Discovered and Monitored
Event Types
Rules
Reports
Configuration
SNMP
Syslog
Sample Parsed Ironport Mail Gateway Syslog Settings for Access Credentials
What is Discovered and Monitored
| Protocol | Information discovered | Metrics collected | Used for |
| SNMP | Ping Status, SNMP Ping Stat, Uptime, CPU Util, Mem Util, Net Intf Stat, Hardware Status | ||
| Syslog | Mail attributes: attributes include MID, ICID, DCID, Sender address, Receiver Address, Mail Subject, Sent Bytes, Attachment, Spam indicator, Virus indicator, Quarantine indicator, SMTP delivery failures and failure codes, mail action – pass, block, clean. | Security Monitoring and compliance |
Event Types
In CMDB > Event Types, search for “ironport-mail” in the Display Name column to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
In Analytics > Reports, search for “ironport mail” in the Name and Description columns to see the reports for this device.
Configuration
SNMP
AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.
Syslog
- Log in to your Ironport Mail Gateway device manager with administrator privileges.
- Edit the Log Subscription settings.
- For Log Name, enter IronPort-Mail.
This identifies the log to AccelOps as originating from an Ironport mail gateway device.
- For Retrieval Method, select Syslog Push.
- For Hostname, enter the IP address of your AccelOps virtual appliance.
- For Protocol, select UDP.
Sample Parsed Ironport Mail Gateway Syslog
Settings for Access Credentials
Cisco IronPort Web Gateway
What is Discovered and Monitored
Event Types
Rules
Reports
Configuration
Syslog
Sample Parsed Ironport Web Gateway Syslog
What is Discovered and Monitored
| Protocol | Information discovered | Metrics collected | Used for |
| Syslog | Squid style web logs: attributes include Source IP Address, Destination Host name, Sent Bytes, Received Bytes,
HTTP User Agent, HTTP Referrer, HTTP Version, HTTP Method, HTTP Status Code, URL, HTTP Content type, Web Category, HTTP Proxy Action |
Security Monitoring and compliance |
Event Types
In CMDB > Event Types, search for “ironport-web” in the Display Name column to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.
Configuration
Syslog
- Log in to your Ironport gateway device manager with administrator privileges.
- Edit the settings for Log Subscription.
| Setting | Value |
| Log Type | Access Logs |
| Log Name | IronPort-Web
This identifies the log to AccelOps as originating from an IronPort web gateway device |
| Log Style | Squid |
| Custom Fields | %L %B %u |
| Enable Log Compression | Clear the selection |
| Retrieval Method | Syslog Push |
| Hostname | The IP address of your AccelOps virtual appliance |
| Protocol | UDP |
Sample Parsed Ironport Web Gateway Syslog
<134>Oct 09 09:19:25 IronPort-Web: Info: 1349795965.314 92 10.163.154.153 TCP_CLIENT_REFRESH_MISS/200 70798 GET http://forefrontdl.microsoft.com/server/scanengineupdate/x86/Kaspersky/P ackage/1210090007/bases/base1b1d.kdc.cab DIRECT/forefrontdl.microsoft.com application/octet-stream
ALLOW_CUSTOMCAT_11-UnAuthenticated_Applications-APU_No_Auth-NONE-NONE-NO
NE-DefaultGroup
<J_Doe,6.9,-,””-“”,-,-,-,-,””-“”,-,-,-,””-“”,-,-,””-“”,””-“”,-,-,IW_swup
,-,””-“”,””-“”,””Unknown””,””Unknown””,””-“”,””-“”,6156.35,0,-,””-“”,””-
“”> – “”09/Oct/2012:09:19:25 -0600″” 71052
“”V3S;{6ADC64A3-11F9-4B04-8257-BEB541BE2975};””
McAfee Web Gateway Configuration
What is Discovered and Monitored
Event Types
Rules
Reports
Configuration
Syslog
Sample Parsed McAffee Web Gateway Syslog Message
What is Discovered and Monitored
| Protocol | Information discovered | Metrics collected | Used for |
| Syslog | Parsed event attributes: include Source IP, Destination URL, HTTP Method, HTTP User agent, HTTP
Status Code, HTTP Content Type, Blocked Reason, Risk |
Security Monitoring and compliance |
Event Types
In CMDB > Event Types, search for “mcafee_web” in the Device Type column to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.
Configuration
Syslog
AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.
For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.
For Port, enter 514.
Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.
Sample Parsed McAffee Web Gateway Syslog Message
[21/Feb/2012:11:44:19 -0500] “””””””””””” “”10.200.11.170 200
“”””GET http://abc.com/ HTTP/1.1″””” “”””General News”””” “”””Minimal Risk”””” “”””text/html”””” 101527 “””””””” “””””””” “”””0″”””””
[30/May/2012:10:39:44 -0400] “” 10.19.2.63 200
“GEThttp://abc.com/html.ng/site=cnn&cnn_pagetype=main&cnn_position=126×3
1_spon2&cnn_rollup=homepage&page.allowcompete=no¶ms.styles=fs&Params
.User.UserID=4fc6251c068c9f0aa51475025d0040b8&transactionID=717986062880 5012&tile=4893878838331&domId=135492 HTTP/1.1” “Web Ads, Forum/Bulletin
Boards” “MinimalRisk” “text/html” 1 “” “” “0”
Microsoft ISA Server Configuration
What is Discovered and Monitored
Enabling SNMP on Windows Server 2003
Enabling SNMP on Windows 7 or Windows Server 2008 R2
Creating a Generic User Who Does Not Belong to the Local Administrator Group Creating a User Who Belongs to the Domain Administrator Group
Sample Microsoft ISA Server Syslog Settings for Access Credentials
What is Discovered and Monitored
| Protocol | Information discovered | Metrics collected | Used for |
| SNMP | Application type | Process level metrics: CPU utilization, memory utilization | Performance
Monitoring |
| WMI | Application type, service mappings | Process level metrics: uptime, CPU Utilization, Memory utilization, Read I/O, Write I/O | Performance
Monitoring |
| Syslog(via
SNARE) |
Application type | W3C proxy logs: attributes include Service Instance, Source IP, User, Destination IP, Destination Port, Service
Instance, Sent Bytes, Received Bytes, Connection Duration, HTTP User Agent, HTTP Referrer, HTTP Version, HTTP Method, HTTP Status Code, URL, Source interface, Destination interface, Proxy action |
Security Monitoring and compliance |
Event Types
In CMDB > Event Types, search for “isa server” in the Device Type andDescription column to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.
Configuration
SNMP
Enabling SNMP on Windows Server 2003
SNMP is typically enabled by default on Windows Server 2003, but you will still need to add AccelOps to the hosts that are authorized to accept SNMP packets. First you need to make sure that the SNMP Management tool has been enabled for your device.
- In the Start menu, go to Administrative Tools > Services.
- Go to Control Panel > Add or Remove Programs.
- Click Add/Remove Windows Components.
- Select Management and Monitoring Tools and click Details.
Make sure that Simple Network Management Tool is selected.
If it isn’t selected, select it, and then click Next to install.
- Go to Start > Administrative Tools > Services.
- Select and open SNMP Service.
- Click the Security
- Select Send authentication trap.
- Under Accepted communities, make sure there is an entry for public that is set to read-only.
- Select Accept SNMP packets from these hosts.
- Click
- Enter the IP address for your AccelOps virtual appliance that will access your device over SNMP.
- Click Add.
- Click Apply.
- Under SNMP Service, click Restart service.
Enabling SNMP on Windows 7 or Windows Server 2008 R2
SNMP is typically enabled by default on Windows Server 2008, but you will still need to add AccelOps to the hosts that are authorized to accept SNMP packets. First you should check that SNMP Services have been enabled for your server.
- Log in to the Windows 2008 Server where you want to enable SNMP as an administrator.
- In the Start menu, select Control Panel.
- Under Programs, click Turn Windows features on/off.
- Under Features, see if SNMP Services is installed.
If not, click Add Feature, then select SMNP Service and click Next to install the service.
- In the Server Manager window, go to Services > SNMP Services.
- Select and open SNMP Service.
- Click the Security
- Select Send authentication trap.
- Under Accepted communities, make sure there is an entry for public that is set to read-only.
- Select Accept SNMP packets from these hosts.
- Click
- Enter the IP address for your AccelOps virtual appliance that will access your device over SNMP.
- Click Add.
- Click Apply.
- Under SNMP Service, click Restart service.
WMI
Configuring WMI on your device so AccelOps can discover and monitor it requires you to create a user who has access to WMI objects on the device. There are two ways to do this:
Creating a Generic User Who Does Not Belong to the Local Administrator Group
Creating a User Who Belongs to the Domain Administrator Group
Creating a Generic User Who Does Not Belong to the Local Administrator Group
Log in to the machine you want to monitor with an administrator account.
Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group
- Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
- Right-click Users and select Add User.
- Create a user.
- Go to Groups, right-click Distributed COM Users, and then click Add to group.
- In the Distributed COM Users Properties dialog, click Add.
- Find the user you created, and then click OK.
This is the account you will need to use in setting up the Performance Monitor Users group permissions.
- Click OK in the Distributed COM Users Properties dialog, and then close the Computer Management dialog.
- Repeat steps 4 through 7 for the Performance Monitor Users group. Enable DCOM Permissions for the Monitoring Account
- Go to Start > Control Panel > Administrative Tools > Component Services.
- Right-click My Computer, and then Properties.
- Select the COM Security tab, and then under Access Permissions, click Edit Limits.
- Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to
- Click OK.
- Under Access Permissions, click EditDefault.
- Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to
- Click
- Under Launch and Activation Permissions, click Edit Limits.
- Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
- Click OK.
- Under Launch and Activation Permissions, click Edit Defaults.
- Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the Domain Admin User set up instructions for the remaining steps to configure WMI.
Creating a User Who Belongs to the Domain Administrator Group
Log in to the Domain Controller with an administrator account.
Enable remote WMI requests by Adding a Monitoring Account to the Domain Administrators Group
- Go to Start > Control Pane > Administrative Tools > Active Directory Users and Computers > Users.
- Right-click Users and select Add User.
- Create a user for the @accelops.com domain.
For example, YJTEST@accelops.com.
- Go to Groups, right-click Administrators, and then click Add to Group.
- In the Domain Admins Properties dialog, select the Members tab, and then click Add.
- For Enter the object names to select, enter the user you created in step 3.
- Click OK to close the Domain Admins Properties dialog.
- Click OK.
Enable the Monitoring Account to Access the Monitored Device
Log in to the machine you want to monitor with an administrator account. Enable DCOM Permissions for the Monitoring Account
- Go to Start > Control Panel > Administrative Tools > Component Services.
- Right-click My Computer, and then select Properties.
- Select the Com Security tab, and then under Access Permissions, click Edit Limits.
- Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Re mote Access.
- Click OK.
- In the Com Security tab, under Access Permissions, click Edit Defaults.
- Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Re mote Access.
- Click OK.
- In the Com Security tab, under Launch and Activation Permissions, click Edit Limits.
- Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
- In the Com Security tab, under Launch and Activation Permissions, click Edit Defaults.
- Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
Enable Account Privileges in WMI
The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.
- Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
- Select WMI Control, and then right-click and select Properties.
- Select the Security
- Expand the Root directory and select CIMV2.
- Click Security.
- Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remot e Enable.
- Click Advanced.
- Select the user you created for the monitoring account, and then click Edit.
- In the Apply onto menu, select This namespace and subnamespaces.
- Click OK to close the Permission Entry for CIMV2 dialog.
- Click OK to close the Advanced Security Settings for CIMV2 dialog.
- In the left-hand navigation, under Services and Applications, select Services.
- Select Windows Management Instrumentation, and then click Restart. Allow WMI to Connect Through the Windows Firewall (Windows 2003)
- In the Start menu, select Run.
- Run msc.
- Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
- Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not.
- Select Windows Firewall: Allow remote administration exception.
- Run exe and enter these commands:
- Restart the server.
Allow WMI through Windows Firewall (Windows Server 2008, 2012)
- Go to Control Panel > Windows Firewall.
- In the left-hand navigation, click Allow a program or feature through Windows Firewall.
- Select Windows Management Instrumentation, and the click OK.
You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.
Syslog
Use the Windows Agent Manager to configure sending syslogs from your device to AccelOps.
Sample Microsoft ISA Server Syslog
<13>Mar 6 20:56:03 ISA.test.local ISAWebLog 0 192.168.69.9 anonymous Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12 Y 2011-03-05 21:33:55 w3proxy ISA – 212.58.246.82 212.58.246.82 80 156 636 634 http TCP GET http://212.58.246.82/rss/newsonline_uk_edition/front_page/rss.xml text/html; charset=iso-8859-1 Inet 301 0x41200100 Local Machine Req ID: 07c10445; Compression: client=No, server=No, compress rate=0% decompress rate=0% Local Host External 0x400 Allowed 2011-03-05 21:33:55 –
Settings for Access Credentials
Squid Web Proxy Configuration
What is Discovered and Monitored
Event Types
Rules
Reports
Configuration
SNMP
Syslog
Configure syslogd (or rsyslogd) to Forward the Logs to AccelOps Sample Parsed Squid Syslog Messages
What is Discovered and Monitored
| Protocol | Information discovered | Metrics collected | Used for |
| SNMP | Host name,
Interfaces, Serial number |
CPU utilization, Memory utilization | Performance
Monitoring |
| Syslog | Proxy traffic: attributes include Source IP, Destination IP, Destination Name, Destination Port, URL, Web category, Proxy action, HTTP User Agent, HTTP Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration | Security Monitoring and compliance |
Event Types
In CMDB > Event Types, search for “squid” in the Description and Device Type columns to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.
Configuration
SNMP
AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled on the server where Squid is running, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.
Syslog
- Add this line to the logformat section in /etc/squid/squid.conf.
Configure syslogd (or rsyslogd) to Forward the Logs to AccelOps
- Modify /etc/syslog.conf (/etc/rsyslog.conf if running rsyslog) .
- Restart syslogd (or rsyslogd).
Sample Parsed Squid Syslog Messages
Squid on Linux with syslog locally to forward to Accelops
<166>squid[28988]: 192.168.25.15 51734 65.54.87.157 172.16.10.40 3128
5989 – – – – – [22/Apr/2011:17:17:46 -0700] GET
“http://col.stj.s-msn.com/br/sc/js/jquery/jquery-1.4.2.min.js” HTTP/1.1
200 26141 407 “http://www.msn.com/” “Mozilla/5.0 (Windows; U; Windows NT
6.1; en-US; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16” TCP_MISS:DIRECT
Squid on Linux with syslog-ng locally to forward to Accelops
<166>Oct 20 09:21:54 QA-V-CentOS-Syslog-ng squid[7082]: 192.168.20.42
1107 74.125.19.100 172.16.10.34 3128 291 – – – – – [20/Oct/2009:09:21:54
-0700] GET “http://clients1.google.com/generate_204” HTTP/1.1 204 387
603 “http://www.google.com/” “Mozilla/4.0 (compatible; MSIE 7.0; Windows
NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)”
TCP_MISS:DIRECT
Squid on Linux with syslog locally and forward to syslog-ng remotely to forward to Accelops
<166>Oct 20 10:21:42 172.16.10.40 squid[26033]: 192.168.20.42 1121
66.235.132.121 172.16.10.40 3128 117 – – – – – [20/Oct/2009:12:05:49
\-0700|] GET
“http://metrics.sun.com/b/ss/sunglobal,suncom,sunstruppdev/1/H.14/s21779
365053734?” HTTP/1.1 200 746 1177 “http://www.sun.com/” “Mozilla/4.0
(compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR
3.0.4506.2152; .NET CLR 3.5.30729)” TCP_MISS:DIRECT
Squid on Linux with syslog-ng locally and forward to syslog-ng remotely to forward to Accelops
<166>Oct 20 12:44:12 172.16.10.40 squid[26033]: 192.168.20.42 1125
64.213.38.80 172.16.10.40 3128 117 – – – – – [20/Oct/2009:12:44:12
-0700] GET
“http://www-cdn.sun.com/images/hp5/hp5b_enterprise_10-19-09.jpg”
HTTP/1.1 200 12271 520 “http://www.sun.com/” “Mozilla/4.0 (compatible;
MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152;
.NET CLR 3.5.30729)” TCP_MISS:DIRECT
Squid on Solaris with syslog locally to forward to Accelops
<166>May 6 17:55:48 squid[1773]: [ID 702911 local4.info] 192.168.20.39
1715 72.14.223.18 172.16.10.6 3128 674 – – – – – [06/May/2008:17:55:48
-0700] GET “http://mail.google.com/mail/?” HTTP/1.1 302 1061 568 “http://www.google.com/” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14” TCP_MISS:DIRECT
Squid on Solaris with syslog locally and forward to syslog-ng remotely to forward to Accelops
<166>Oct 20 13:02:19 172.16.10.6 squid[687]: [ID 702911 local4.info]
192.168.20.42 1112 208.92.236.184 172.16.10.6 3128 201 – – – – –
[20/Oct/2009:13:02:19 -0700] GET
“http://m.webtrends.com/dcs4f6vsz99k7mayiw2jzupyr_1s2e/dcs.gif?”
HTTP/1.1 200 685 1604 “http://www.microsoft.com/en/us/default.aspx”
“Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727;
.NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)” TCP_MISS:DIRECT
Websense Web Filter Configuration
What is Discovered and Monitored
| Protocol | Information discovered | Metrics collected | Used for |
| Syslog | Parsed event attributes: include Source IP, Destination Name, Destination URL, HTTP Method, HTTP User agent, HTTP Status Code, HTTP Content Type, Blocked Reason, Website category, HTTP Disposition, Sent Bytes, Recv Bytes, Duration, File Type etc | Security Monitoring and compliance |
Event Types
In CMDB > Event Types, search for “web sense_mail” in the Display Name column to see the event types associated with this device.
Rules
There are no predefined rules for this device.
Reports
There are no predefined reports for this device.
Configuration
AccelOps integrates with Websense Web Filter via syslogs sent in the SIEM integration format as described in the Websense SEIM guide. See page 22 for instructions on how to install a Websense Multiplexer that integrates with Websense Policy server and creates syslog for consumption by SIEM products such as AccelOps.
Sample Parsed Websense Web Filter Syslog Message
<159>Feb 28 14:25:32 10.203.28.21 vendor=Websense product=Security product_version=7.7.0 action=permitted severity=1 category=153 user=- src_host=10.64.134.74 src_port=62189 dst_host=mail.google.com dst_ip=74.125.224.53 dst_port=443 bytes_out=197 bytes_in=76 http_response=200 http_method=CONNECT http_content_type= – http_user_agent=Mozilla/5.0_(Windows;_U;_Windows_NT_6.1;_enUS;_rv:1.9.2. 23)_Gecko/20110920_Firefox/3.6.23
http_proxy_status_code=200 reason=- disposition=1034 policy=- role=8 duration=0 url=https://mail.google.com
Fortinet FortiWeb
What is Discovered and Monitored
Event Types
Rules
Reports
Configuration
What is Discovered and Monitored
| Protocol | Information discovered | Metrics collected | Used for |
| SNMP | Host Name, Vendor, Model, Version,
Hardware Model, hardware |
CPU, memory, Disk, Interface, Uptime | Performance monitoring |
| Syslog | System events (e.g. configuration changes), System up/down/restart events,
Performance issues, Admin logon events, Security exploits |
Security Monitoring and compliance |
Event Types
In CMDB > Event Types, search for “fortiweb” to see the event types associated with this device.
Rules
In Analytics > Rules, search for “fortiweb” to see the rules associated with this device.
For generic availability rules, see Analytics > Rules > Availability > Network
For generic performance rules, see Analytics > Rules > Performance > Network
Reports
In CMDB > Reports, search for “fortiweb” to see the reports associated with this device.
Configuration
Syslog
Configure FortiWenb appliance to send logs to FortiSIEM. Make sure the format matches.
Sample FortiWeb Syslog
Fortinet FortiMail
What is Discovered and Monitored
Event Types
Rules
Reports
Configuration
What is Discovered and Monitored
| Protocol | Information discovered | Metrics collected | Used for |
| Syslog | System events (e.g. configuration changes), System up/down/restart events, Performance issues, Admin logon events, malware attachments | Security Monitoring and compliance |
Event Types
In CMDB > Event Types, search for “fortimail” to see the event types associated with this device.
Rules
In CMDB > Rules, search for “fortimail” to see the rules associated with this device.
For generic availability rules, see Analytics > Rules > Availability > Network
For generic performance rules, see Analytics > Rules > Performance > Network
Reports
In Analytics > Reports, search for “fortimail” to see the reports associated with this device.
Configuration
Syslog
Configure FortiMail appliance to send logs to FortiSIEM. Make sure the format matches.
Sample Parsed FortiMail Syslog
date=2012-08-17 time=12:26:41 device_id=FE100C3909600504 log_id=0001001623 type=event subtype=admin pri=information user=admin ui=GUI(172.20.120.26) action=login status=success reason=none msg=”User admin login successfully from GUI(172.20.120.26)” date=2012-07-16 time=12:22:56 device_id=FE100C3909600504 log_id=0200001075 type=statistics pri=information
session_id=”q6GJMuPu003642-q6GJMuPv003642″ client_name=”[172.20.140.94]” dst_ip=”172.20.140.92″ endpoint=”” from=”user@external.lab” to=”user5@external.lab” subject=””mailer=”mta” resolved=”OK” direction=”in” virus=”” disposition=”Reject” classifier=”Recipient
Verification” message_length=”188″
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!