FortiSIEM Configuring Security Gateways

Configuring Security Gateways

AccelOps supports these security gateways for discovery and monitoring.

Barracuda Networks Spam Firewall Configuration

Blue Coat Web Proxy Configuration

Cisco IronPort Mail Gateway Configuration

Cisco IronPort Web Gateway

McAfee Web Gateway Configuration

Microsoft ISA Server Configuration

Squid Web Proxy Configuration

Websense Web Filter Configuration

Fortinet FortiWeb Fortinet FortiMail

Barracuda Networks Spam Firewall Configuration

What is Discovered and Monitored

Rules

Reports

Configuration

SNMP

Syslog

Sample Parsed Barracuda Spam Firewall Syslog Message  Settings for Access Credentials

What is Discovered and Monitored

Protocol Information discovered Metrics collected Used for
SNMP Host name,

Interfaces, Serial

number

CPU utilization, Memory utilization, Interface Utilization Performance

Monitoring

Syslog   Various syslogs – scenarios include – mail scanned and allowed/denied/quarantined etc; mail sent and reject/delivered/defer/expired; mail received and allow/abort/block/quarantined etc. Security Monitoring and compliance

 

Event Types

In CMDB > Event Types, search for “barracuda” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Sample Parsed Barracuda Spam Firewall Syslog Message

Blue Coat Web Proxy Configuration

What is Discovered and Monitored

Sample Parsed Blue Coat Audit Syslog

Configure FTP in AccelOps

Configure an Epilog client in AccelOps

Configure FTP in Blue Coat

Settings for Access Credentials

What is Discovered and Monitored
Protocol Information discovered Metrics collected Used for
SNMP Host name,

Interfaces, Serial

number

CPU utilization, Memory utilization Performance

Monitoring

SNMP   Proxy performance: Proxy cache object count, Proxy-to-server metrics: HTTP errors, HTTP requests, HTTP traffic

(KBps);  Server-to-proxy metrics: HTTP traffic (KBps), Client-to-proxy metrics: HTTP requests, HTTP Cache hit, HTTP errors, HTTP traffic (KBps); Proxy-to-client metrics: HTTP traffic (KBytes)

Performance

Monitoring

SFTP   Proxy traffic: attributes include Source IP, Destination IP, Destination Name, Destination Port, URL, Web category,

Proxy action, HTTP User Agent, HTTP Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration

Security Monitoring and compliance
Syslog   Admin authentication success and failure Security Monitoring and compliance

Event Types

In CMDB > Event Types, search for “blue coat” in the Device Type and Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

The following procedures enable AccelOps to discover Bluecoat web proxy.

  1. Log in to your Blue Coat management console.
  2. Go to Maintenance > SNMP.
  3. Under SNMP General, select Enable SNMP.
  4. Under Community Strings, click Change Read Community, and then enter a community string that AccelOps can use to access your device.
  5. Click OK.

Syslog

Syslog is used by Blue Coat to send audit logs to AccelOps.

  1. Log in to your Blue Coat management console.
  2. Go to Maintenance > Event Logging.
  3. Under Level, select Severe Errors, Configuration Events, Policy Messages, and
  4. Under Syslog, enter the IP address of your AccelOps virtual appliance for Loghost.
  5. Select Enable syslog.
  6. Click

Sample Parsed Blue Coat Audit Syslog

SFTP

SFTP is used to send access logs to AccelOps. Access logs includes the traffic that Blue Coat proxies between the client and the server. The access logs are sent via FTP, where Bluecoat is the client and AccelOps is the server. You need to configure SFTP in AccelOps first, and then on your Blue Coat web proxy server.

Configure FTP in AccelOps

  1. Log in to your Supervisor node as root.
  2. Run the ./phCreateBluecoatDestDir command to create an FTP user account.

The files sent from Blue Coat will be temporarily stored in this account. The script will create an user called ftpuser. If the this user already exists, you do not need to create a new one. The script will ask for the IP address of Blue Coat and the password for the user ft puser, and will then create the directory /opt/phoenix/cache/bluecoat/<Bluecoat IP>.

  1. Run vi /etc/passwd to change the home directory for ftpuser to /opt/phoenix/cache/bluecoat.

Change only the home directory as shown in this screenshot, do not change any other value.

Configure an Epilog client in AccelOps

The Epilog client converts each line of the log files in the /opt/phoenix/cache/bluecoat/<Bluecoat IP> directory in real time into a syslog, and sends it to the AccelOps parser for processing.

  1. Log in to your Supervisor node as root.
  2. Update the Epilog configuration in /etc/snare/epilog/epilog.conf as shown in this code block, and then restart the epilog
  3. Log in to your Blue Coat management console.
  4. Go to Management Console > Configuration > Access Logging > General.
  5. Select Enable Access Logging.
  6. In the left-hand navigation, select Logs.
  7. Under Upload Client, configure these settings.
Setting Value
Log main
Client Type FTP Client
Encryption Certificate No Encryption
Keyring Signing No Signing
Save the log file as text file
Send partial buffer after 1 seconds
Bandwidth Class <none>
  1. Next to Client Type, click Settings.
  2. Configure these settings.
Setting Value
Settings for Primary FTP Server
Host IP address of your AccelOps virtual appliance
Port 21
Path /<Blue Coat IP Address>
Username bcFtpUser
Change Primary Password Use the password you created for ftpuser in AccelOps
Filename SG_AccelOps_bluecoat_main.log
  1. Clear the selections Use Secure Connections (SSL) and Use Local Time.
  2. Select Use Pasv.
  3. Click OK.
  4. Follow this same process to configure the settings for im, ssl and p2p. For each of these, you will refer to a different Filename.

For im the file name is SG_AccelOps_bluecoat_im.log

For ssl the file name is SG_AccelOps_bluecoat_ssl.log

For p2p the file name is SG_AccelOps_bluecoat_p2p.log

Sample Parsed Blue Coat Access Syslog

<2> Jun 25 11:15:33 SJ-QA-W-FDR-Test-01.prospect-hills.net

BluecoatWebLog 0 2010-06-25 18:13:34 2021 192.168.22.21 200 TCP_TUNNELED

820 1075 CONNECT tcp accelops.webex.com 443 / – – – NONE 172.16.0.141 –

– “WebEx Outlook Integration Http Agent” PROXIED “none” – 25.24.23.22

Settings for Access Credentials
Cisco IronPort Mail Gateway Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

SNMP

Syslog

Sample Parsed Ironport Mail Gateway Syslog  Settings for Access Credentials

What is Discovered and Monitored
Protocol Information discovered Metrics collected Used for
SNMP   Ping Status, SNMP Ping Stat, Uptime, CPU Util, Mem Util, Net Intf Stat, Hardware Status  
Syslog   Mail attributes: attributes include MID, ICID, DCID, Sender address, Receiver Address, Mail Subject, Sent Bytes, Attachment, Spam indicator, Virus indicator, Quarantine indicator, SMTP delivery failures and failure codes, mail action – pass, block, clean. Security Monitoring and compliance

Event Types

In CMDB > Event Types, search for “ironport-mail” in the Display Name column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “ironport mail” in the Name and Description columns to see the reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Syslog

  1. Log in to your Ironport Mail Gateway device manager with administrator privileges.
  2. Edit the Log Subscription settings.
  3. For Log Name, enter IronPort-Mail.

This identifies the log to AccelOps as originating from an Ironport mail gateway device.

  1. For Retrieval Method, select Syslog Push.
  2. For Hostname, enter the IP address of your AccelOps virtual appliance.
  3. For Protocol, select UDP.

Sample Parsed Ironport Mail Gateway Syslog

Settings for Access Credentials
Cisco IronPort Web Gateway

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

Syslog

Sample Parsed Ironport Web Gateway Syslog

What is Discovered and Monitored
Protocol Information discovered Metrics collected Used for
Syslog   Squid style web logs: attributes include Source IP Address, Destination Host name, Sent Bytes, Received Bytes,

HTTP User Agent, HTTP Referrer, HTTP Version, HTTP Method, HTTP Status Code, URL, HTTP Content type, Web Category, HTTP Proxy Action

Security Monitoring and compliance

Event Types

In CMDB > Event Types, search for “ironport-web” in the Display Name column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

  1. Log in to your Ironport gateway device manager with administrator privileges.
  2. Edit the settings for Log Subscription.
Setting Value
Log Type Access Logs
Log Name IronPort-Web

This identifies the log to AccelOps as originating from an IronPort web gateway device

Log Style Squid
Custom Fields %L %B %u
Enable Log Compression Clear the selection
Retrieval Method Syslog Push
Hostname The IP address of your AccelOps virtual appliance
Protocol UDP

Sample Parsed Ironport Web Gateway Syslog

<134>Oct 09 09:19:25 IronPort-Web: Info: 1349795965.314 92 10.163.154.153 TCP_CLIENT_REFRESH_MISS/200 70798 GET http://forefrontdl.microsoft.com/server/scanengineupdate/x86/Kaspersky/P ackage/1210090007/bases/base1b1d.kdc.cab DIRECT/forefrontdl.microsoft.com application/octet-stream

ALLOW_CUSTOMCAT_11-UnAuthenticated_Applications-APU_No_Auth-NONE-NONE-NO

NE-DefaultGroup

<J_Doe,6.9,-,””-“”,-,-,-,-,””-“”,-,-,-,””-“”,-,-,””-“”,””-“”,-,-,IW_swup

,-,””-“”,””-“”,””Unknown””,””Unknown””,””-“”,””-“”,6156.35,0,-,””-“”,””-

“”> – “”09/Oct/2012:09:19:25 -0600″” 71052

“”V3S;{6ADC64A3-11F9-4B04-8257-BEB541BE2975};””

McAfee Web Gateway Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

Syslog

Sample Parsed McAffee Web Gateway Syslog Message

What is Discovered and Monitored
Protocol Information discovered Metrics collected Used for
Syslog   Parsed event attributes: include Source IP, Destination URL, HTTP Method, HTTP User agent, HTTP

Status Code, HTTP Content Type, Blocked Reason, Risk

Security Monitoring and compliance

Event Types

In CMDB > Event Types, search for “mcafee_web” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Sample Parsed McAffee Web Gateway Syslog Message

[21/Feb/2012:11:44:19  -0500]  “”””””””””””    “”10.200.11.170 200

“”””GET http://abc.com/ HTTP/1.1″””” “”””General News”””” “”””Minimal Risk”””” “”””text/html”””” 101527 “””””””” “””””””” “”””0″”””””

[30/May/2012:10:39:44 -0400] “” 10.19.2.63 200

“GEThttp://abc.com/html.ng/site=cnn&cnn_pagetype=main&cnn_position=126×3

1_spon2&cnn_rollup=homepage&page.allowcompete=no&params.styles=fs&Params

.User.UserID=4fc6251c068c9f0aa51475025d0040b8&transactionID=717986062880 5012&tile=4893878838331&domId=135492 HTTP/1.1” “Web Ads, Forum/Bulletin

Boards” “MinimalRisk” “text/html” 1 “” “” “0”

Microsoft ISA Server Configuration

What is Discovered and Monitored

Enabling SNMP on Windows Server 2003

Enabling SNMP on Windows 7 or Windows Server 2008 R2

Creating a Generic User Who Does Not Belong to the Local Administrator Group Creating a User Who Belongs to the Domain Administrator Group

Sample Microsoft ISA Server Syslog  Settings for Access Credentials

What is Discovered and Monitored
Protocol Information discovered Metrics collected Used for
SNMP Application type Process level metrics: CPU utilization, memory utilization Performance

Monitoring

WMI Application type, service mappings Process level metrics: uptime, CPU Utilization, Memory utilization, Read I/O, Write I/O Performance

Monitoring

Syslog(via

SNARE)

Application type W3C proxy logs: attributes include Service Instance, Source IP, User, Destination IP, Destination Port, Service

Instance,  Sent Bytes, Received Bytes, Connection Duration, HTTP User Agent, HTTP Referrer, HTTP Version,

HTTP Method, HTTP Status Code, URL, Source interface, Destination interface, Proxy action

Security Monitoring and compliance

Event Types

In CMDB > Event Types, search for “isa server” in the Device Type  andDescription column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

Enabling SNMP on Windows Server 2003

SNMP is typically enabled by default on Windows Server 2003, but you will still need to add AccelOps to the hosts that are authorized to accept SNMP packets. First you need to make sure that the SNMP Management tool has been enabled for your device.

  1. In the Start menu, go to Administrative Tools > Services.
  2. Go to Control Panel > Add or Remove Programs.
  3. Click Add/Remove Windows Components.
  4. Select Management and Monitoring Tools and click Details.

Make sure that Simple Network Management Tool is selected.

If it isn’t selected, select it, and then click Next to install.

  1. Go to Start > Administrative Tools > Services.
  2. Select and open SNMP Service.
  3. Click the Security
  4. Select Send authentication trap.
  5. Under Accepted communities, make sure there is an entry for public that is set to read-only.
  6. Select Accept SNMP packets from these hosts.
  7. Click
  8. Enter the IP address for your AccelOps virtual appliance that will access your device over SNMP.
  9. Click Add.
  10. Click Apply.
  11. Under SNMP Service, click Restart service.

Enabling SNMP on Windows 7 or Windows Server 2008 R2

SNMP is typically enabled by default on Windows Server 2008, but you will still need to add AccelOps to the hosts that are authorized to accept SNMP packets. First you should check that SNMP Services have been enabled for your server.

  1. Log in to the Windows 2008 Server where you want to enable SNMP as an administrator.
  2. In the Start menu, select Control Panel.
  3. Under Programs, click Turn Windows features on/off.
  4. Under Features, see if SNMP Services is installed.

If not, click Add Feature, then select SMNP Service and click Next to install the service.

  1. In the Server Manager window, go to Services > SNMP Services.
  2. Select and open SNMP Service.
  3. Click the Security
  4. Select Send authentication trap.
  5. Under Accepted communities, make sure there is an entry for public that is set to read-only.
  6. Select Accept SNMP packets from these hosts.
  7. Click
  8. Enter the IP address for your AccelOps virtual appliance that will access your device over SNMP.
  9. Click Add.
  10. Click Apply.
  11. Under SNMP Service, click Restart service.

WMI

Configuring WMI on your device so AccelOps can discover and monitor it requires you to create a user who has access to WMI objects on the device. There are two ways to do this:

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Creating a User Who Belongs to the Domain Administrator Group

Creating a Generic User Who Does Not Belong to the Local Administrator Group

Log in to the machine you want to monitor with an administrator account.

Enable Remote WMI Requests by Adding a Monitoring Account to the Distributed COM Users Group and the Performance Monitor Users Group

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Local Users and Groups.
  2. Right-click Users and select Add User.
  3. Create a user.
  4. Go to Groups, right-click Distributed COM Users, and then click Add to group.
  5. In the Distributed COM Users Properties dialog, click Add.
  6. Find the user you created, and then click OK.

This is the account you will need to use in setting up the Performance Monitor Users group permissions.

  1. Click OK in the Distributed COM Users Properties dialog, and then close the Computer Management dialog.
  2. Repeat steps 4 through 7 for the Performance Monitor Users group. Enable DCOM Permissions for the Monitoring Account
  3. Go to Start > Control Panel > Administrative Tools > Component Services.
  4. Right-click My Computer, and then Properties.
  5. Select the COM Security tab, and then under Access Permissions, click Edit Limits.
  6. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to
  7. Click OK.
  8. Under Access Permissions, click EditDefault.
  9. Make sure that the Distributed COM Users group and the Performance Monitor Users group have Local Access and Remote Access set to
  10. Click
  11. Under Launch and Activation Permissions, click Edit Limits.
  12. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  13. Click OK.
  14. Under Launch and Activation Permissions, click Edit Defaults.
  15. Make sure that the Distributed COM Users group and the Performance Monitor Users group have the permissions Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

See the sections on Enabling WMI Privileges and Allowing WMI Access through the Windows Firewall in the Domain Admin User set up instructions for the remaining steps to configure WMI.

Creating a User Who Belongs to the Domain Administrator Group

Log in to the Domain Controller with an administrator account.

Enable remote WMI requests by Adding a Monitoring Account to the Domain Administrators Group

  1. Go to Start > Control Pane > Administrative Tools > Active Directory Users and Computers > Users.
  2. Right-click Users and select Add User.
  3. Create a user for the @accelops.com domain.

For example, YJTEST@accelops.com.

  1. Go to Groups, right-click Administrators, and then click Add to Group.
  2. In the Domain Admins Properties dialog, select the Members tab, and then click Add.
  3. For Enter the object names to select, enter the user you created in step 3.
  4. Click OK to close the Domain Admins Properties dialog.
  5. Click OK.

Enable the Monitoring Account to Access the Monitored Device

Log in to the machine you want to monitor with an administrator account. Enable DCOM Permissions for the Monitoring Account

  1. Go to Start > Control Panel > Administrative Tools > Component Services.
  2. Right-click My Computer, and then select Properties.
  3. Select the Com Security tab, and then under Access Permissions, click Edit Limits.
  4. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Re mote Access.
  5. Click OK.
  6. In the Com Security tab, under Access Permissions, click Edit Defaults.
  7. Find the user you created for the monitoring account, and make sure that user has the permission Allow for both Local Access and Re mote Access.
  8. Click OK.
  9. In the Com Security tab, under Launch and Activation Permissions, click Edit Limits.
  10. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.
  11. In the Com Security tab, under Launch and Activation Permissions, click Edit Defaults.
  12. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Local Launch, Remote Launch, Local Activation, and Remote Activation.

Enable Account Privileges in WMI

The monitoring account you created must have access to the namespace and sub-namespaces of the monitored device.

  1. Go to Start > Control Panel > Administrative Tools > Computer Management > Services and Applications.
  2. Select WMI Control, and then right-click and select Properties.
  3. Select the Security
  4. Expand the Root directory and select CIMV2.
  5. Click Security.
  6. Find the user you created for the monitoring account, and make sure that user has the permission Allow for Enable Account and Remot e Enable.
  7. Click Advanced.
  8. Select the user you created for the monitoring account, and then click Edit.
  9. In the Apply onto menu, select This namespace and subnamespaces.
  10. Click OK to close the Permission Entry for CIMV2 dialog.
  11. Click OK to close the Advanced Security Settings for CIMV2 dialog.
  12. In the left-hand navigation, under Services and Applications, select Services.
  13. Select Windows Management Instrumentation, and then click Restart. Allow WMI to Connect Through the Windows Firewall (Windows 2003)
  14. In the Start menu, select Run.
  15. Run msc.
  16. Go to Local Computer Policy > Computer Configuration > Administrative Templates > Network > Network Connections > Windows Firewall.
  17. Select Domain Profile or Standard Profile depending on whether the device you want to monitor is in the domain or not.
  18. Select Windows Firewall: Allow remote administration exception.
  19. Run exe and enter these commands:
  20. Restart the server.

Allow WMI through Windows Firewall (Windows Server 2008, 2012)

  1. Go to Control Panel > Windows Firewall.
  2. In the left-hand navigation, click Allow a program or feature through Windows Firewall.
  3. Select Windows Management Instrumentation, and the click OK.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Syslog

Use the Windows Agent Manager to configure sending syslogs from your device to AccelOps.

Sample Microsoft ISA Server Syslog

<13>Mar  6 20:56:03 ISA.test.local ISAWebLog    0    192.168.69.9   anonymous    Mozilla/5.0 (Windows; U; Windows NT 5.2; en-GB; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12    Y    2011-03-05   21:33:55    w3proxy    ISA    –    212.58.246.82    212.58.246.82    80 156    636    634    http    TCP    GET   http://212.58.246.82/rss/newsonline_uk_edition/front_page/rss.xml   text/html; charset=iso-8859-1    Inet    301    0x41200100    Local Machine    Req ID: 07c10445; Compression: client=No, server=No, compress rate=0% decompress rate=0%    Local Host    External    0x400    Allowed 2011-03-05 21:33:55    –

Settings for Access Credentials
Squid Web Proxy Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

SNMP

Syslog

Configure syslogd (or rsyslogd) to Forward the Logs to AccelOps Sample Parsed Squid Syslog Messages

What is Discovered and Monitored
Protocol Information discovered Metrics collected Used for
SNMP Host name,

Interfaces,

Serial number

CPU utilization, Memory utilization Performance

Monitoring

Syslog   Proxy traffic: attributes include Source IP, Destination IP, Destination Name, Destination Port, URL, Web category, Proxy action, HTTP User Agent, HTTP Referrer, HTTP Version, HTTP Method, HTTP Status Code, Sent Bytes, Received Bytes, Connection Duration Security Monitoring and compliance

Event Types

In CMDB > Event Types, search for “squid” in the Description and Device Type columns to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled on the server where Squid is running, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Syslog

  1. Add this line to the logformat section in /etc/squid/squid.conf.

Configure syslogd (or rsyslogd) to Forward the Logs to AccelOps

  1. Modify /etc/syslog.conf (/etc/rsyslog.conf if running rsyslog) .
  2. Restart syslogd (or rsyslogd).

Sample Parsed Squid Syslog Messages

Squid on Linux with syslog locally to forward to Accelops

<166>squid[28988]: 192.168.25.15 51734 65.54.87.157 172.16.10.40 3128

5989 – – – – – [22/Apr/2011:17:17:46 -0700] GET

“http://col.stj.s-msn.com/br/sc/js/jquery/jquery-1.4.2.min.js” HTTP/1.1

200 26141 407 “http://www.msn.com/” “Mozilla/5.0 (Windows; U; Windows NT

6.1; en-US; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16” TCP_MISS:DIRECT

Squid on Linux with syslog-ng locally to forward to Accelops

<166>Oct 20 09:21:54 QA-V-CentOS-Syslog-ng squid[7082]: 192.168.20.42

1107 74.125.19.100 172.16.10.34 3128 291 – – – – – [20/Oct/2009:09:21:54

-0700] GET “http://clients1.google.com/generate_204” HTTP/1.1 204 387

603 “http://www.google.com/” “Mozilla/4.0 (compatible; MSIE 7.0; Windows

NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)”

TCP_MISS:DIRECT

Squid on Linux with syslog locally and forward to syslog-ng remotely to forward to Accelops

<166>Oct 20 10:21:42 172.16.10.40 squid[26033]: 192.168.20.42 1121

66.235.132.121 172.16.10.40 3128 117 – – – – – [20/Oct/2009:12:05:49

\-0700|] GET

“http://metrics.sun.com/b/ss/sunglobal,suncom,sunstruppdev/1/H.14/s21779

365053734?” HTTP/1.1 200 746 1177 “http://www.sun.com/” “Mozilla/4.0

(compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR

3.0.4506.2152; .NET CLR 3.5.30729)” TCP_MISS:DIRECT

Squid on Linux with syslog-ng locally and forward to syslog-ng remotely to forward to Accelops

<166>Oct 20 12:44:12 172.16.10.40 squid[26033]: 192.168.20.42 1125

64.213.38.80 172.16.10.40 3128 117 – – – – – [20/Oct/2009:12:44:12

-0700] GET

“http://www-cdn.sun.com/images/hp5/hp5b_enterprise_10-19-09.jpg”

HTTP/1.1 200 12271 520 “http://www.sun.com/” “Mozilla/4.0 (compatible;

MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152;

.NET CLR 3.5.30729)” TCP_MISS:DIRECT

Squid on Solaris with syslog locally to forward to Accelops

<166>May  6 17:55:48 squid[1773]: [ID 702911 local4.info] 192.168.20.39

1715 72.14.223.18 172.16.10.6 3128 674 – – – – – [06/May/2008:17:55:48

-0700] GET “http://mail.google.com/mail/?” HTTP/1.1 302 1061 568 “http://www.google.com/” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14” TCP_MISS:DIRECT

Squid on Solaris with syslog locally and forward to syslog-ng remotely to forward to Accelops

<166>Oct 20 13:02:19 172.16.10.6 squid[687]: [ID 702911 local4.info]

192.168.20.42 1112 208.92.236.184 172.16.10.6 3128 201 – – – – –

[20/Oct/2009:13:02:19 -0700] GET

“http://m.webtrends.com/dcs4f6vsz99k7mayiw2jzupyr_1s2e/dcs.gif?”

HTTP/1.1 200 685 1604 “http://www.microsoft.com/en/us/default.aspx”

“Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727;

.NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)” TCP_MISS:DIRECT

Websense Web Filter Configuration
What is Discovered and Monitored
Protocol Information discovered Metrics collected Used for
Syslog   Parsed event attributes: include Source IP, Destination Name, Destination URL, HTTP Method, HTTP User agent, HTTP Status Code, HTTP Content Type, Blocked Reason, Website category, HTTP Disposition, Sent Bytes, Recv Bytes, Duration, File Type etc Security Monitoring and compliance

Event Types

In CMDB > Event Types, search for “web sense_mail” in the Display Name column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

AccelOps integrates with Websense Web Filter via syslogs sent in the SIEM integration format as described in the Websense SEIM guide. See page 22 for instructions on how to install a Websense Multiplexer that integrates with Websense Policy server and creates syslog for consumption by SIEM products such as AccelOps.

Sample Parsed Websense Web Filter Syslog Message

<159>Feb 28 14:25:32 10.203.28.21 vendor=Websense product=Security product_version=7.7.0 action=permitted severity=1 category=153 user=- src_host=10.64.134.74 src_port=62189 dst_host=mail.google.com dst_ip=74.125.224.53 dst_port=443 bytes_out=197 bytes_in=76 http_response=200 http_method=CONNECT http_content_type= – http_user_agent=Mozilla/5.0_(Windows;_U;_Windows_NT_6.1;_enUS;_rv:1.9.2. 23)_Gecko/20110920_Firefox/3.6.23

http_proxy_status_code=200 reason=- disposition=1034 policy=- role=8 duration=0 url=https://mail.google.com

Fortinet FortiWeb

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

What is Discovered and Monitored
Protocol Information discovered Metrics collected Used for
SNMP Host Name, Vendor, Model, Version,

Hardware Model, hardware

CPU, memory, Disk, Interface, Uptime Performance monitoring
Syslog   System events (e.g. configuration changes), System up/down/restart events,

Performance issues, Admin logon events, Security exploits

Security Monitoring and compliance

Event Types

In CMDB > Event Types, search for “fortiweb” to see the event types associated with this device.

Rules

In Analytics > Rules, search for “fortiweb” to see the rules associated with this device.

For generic availability rules, see Analytics > Rules > Availability > Network

For generic performance rules, see Analytics > Rules > Performance > Network

Reports

In CMDB > Reports, search for “fortiweb” to see the reports associated with this device.

Configuration

Syslog

Configure FortiWenb appliance to send logs to FortiSIEM. Make sure the format matches.

Sample FortiWeb Syslog

Fortinet FortiMail

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

What is Discovered and Monitored
Protocol Information discovered Metrics collected Used for
Syslog   System events (e.g. configuration changes), System up/down/restart events, Performance issues, Admin logon events, malware attachments Security Monitoring and compliance

Event Types

In CMDB > Event Types, search for “fortimail” to see the event types associated with this device.

Rules

In CMDB > Rules, search for “fortimail” to see the rules associated with this device.

For generic availability rules, see Analytics > Rules > Availability > Network

For generic performance rules, see Analytics > Rules > Performance > Network

Reports

In Analytics > Reports, search for “fortimail” to see the reports associated with this device.

Configuration

Syslog

Configure FortiMail appliance to send logs to FortiSIEM. Make sure the format matches.

Sample Parsed FortiMail Syslog

date=2012-08-17 time=12:26:41 device_id=FE100C3909600504 log_id=0001001623 type=event subtype=admin pri=information user=admin ui=GUI(172.20.120.26) action=login status=success reason=none msg=”User admin login successfully from GUI(172.20.120.26)” date=2012-07-16 time=12:22:56 device_id=FE100C3909600504 log_id=0200001075 type=statistics pri=information

session_id=”q6GJMuPu003642-q6GJMuPv003642″ client_name=”[172.20.140.94]” dst_ip=”172.20.140.92″ endpoint=”” from=”user@external.lab” to=”user5@external.lab” subject=””mailer=”mta” resolved=”OK” direction=”in” virus=”” disposition=”Reject” classifier=”Recipient

Verification” message_length=”188″

FortiSIEM Configuring Routers and Switches

Configuring Routers and Switches

AccelOps supports these routers and switches for discovery and monitoring.

Alcatel TiMOS and AOS Switch Configuration

Arista Router and Switch Configuration

Brocade NetIron CER Routers

Cisco 300 Series Routers

Cisco IOS Router and Switch Configuration

How CPU and Memory Utilization is Collected for Cisco IOS

Cisco Meraki Cloud Controller and Network Devices Configuration

Cisco NX-OS Router and Switch Configuration

Cisco ONS Configuration

Dell Force10 Router and Switch Configuration

Dell NSeries Switch Configuration

Dell PowerConnect Switch and Router Configuration

Foundry Networks IronWare Router and Switch Configuration

HP/3Com ComWare Switch Configuration

HP ProCurve Switch Configuration

HP Value Series (19xx) and HP 3Com (29xx) Switch Configuration

Juniper Networks JunOS Switch Configuration

Mikrotek Router Configuration

Nortel ERS and Passport Switch Configuration

 

 

 

 

 

 

Alcatel TiMOS and AOS Switch Configuration

What is Discovered and Monitored

Protocol Information Discovered Metrics collected Used for  
SNMP

(V1, V2c)

Host name, Software version, Hardware model, Network interfaces, Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths) Availability and

Performance

Monitoring

SNMP

(V1, V2c)

  Hardware status: Power Supply, Fan, Temperature Availability
SNMP (V1, V2c,

V3)

Layer 2 port mapping: associating switch ports to directly connected host IP/MAC addresses   Identity and location table; Topology  

 

Event Types

In CMDB > Event Types, search for “alcatel” in the Device Type and Description columns to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Settings for Access Credentials

 

Arista Router and Switch Configuration

What is Discovered and Monitored

Protocol Information Discovered Metrics collected Used for
SNMP (V1,

V2c)

Host name, Serial number, Software version, Hardware model, Network interfaces, Hardware Components Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), CPU utilization, Memory utilization, Flash utilization, Hardware Status Availability and

Performance

Monitoring

Telnet/SSH Running and Startup configurations Startup Configuration Change, Difference between Running and Startup configurations Change

monitoring

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Telnet/SSH

AccelOps uses Telnet/SSH to communicate with this device. Refer to the product documentation for your device to enable Telnet/SSH.

These commands are used for discovery and performance monitoring via SSH. Please make sure that the access credentials you provide in AccelOps have the permissions necessary to execute these commands on the device.

  1. show startup-config
  2. show running-config
  3. show version
  4. show ip route
  5. enable
  6. terminal pager 0

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Settings for Access Credentials

Brocade NetIron CER Routers

What is Discovered and Monitored

Protocol Information Discovered Metrics collected Used for
SNMP

(V1, V2c)

Host name, software version, Hardware model, Network interfaces CPU, Memory, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Hardware Status, Real Server

Status

Availability and

Performance

Monitoring

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules specifically for this device.

Reports

There are no predefined reports specifically for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Settings for Access Credentials

Cisco 300 Series Routers

What is Discovered and Monitored

Protocol Information Discovered Metrics collected Used for
SNMP

(V1, V2c)

Host name, software version, Hardware model, Network interfaces Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths) Availability and

Performance

Monitoring

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules specifically for this device.

Reports

There are no predefined reports specifically for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Settings for Access Credentials

Protocol Information Discovered Metrics collected Used for
SNMP (V1,

V2c, V3)

Host name, IOS version, Hardware model, Memory size, Network interface details – name, address, mask and description Uptime, CPU and Memory utilization, Free processor and I/O memory, Free contiguous processor and I/O memory, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Availability

and

Performance

Monitoring

SNMP (V1,

V2c, V3)

Hardware component details: serial number, model, manufacturer, software firmware versions of hardware components such as chassis, CPU, fan, power supply, network cards etc. Hardware health: temperature, fan and power supply Availability
SNMP (V1,

V2c, V3)

Trunk port connectivity between switches and VLANs carried over a trunk port, End host Layer 2 port mapping: switch interface to VLAN id, end host IP/MAC address association   Topology and end-host location
SNMP (V1,

V2c, V3)

BGP connectivity, neighbors, state, AS number BGP state change Routing

Topology,

Availability

Monitoring

SNMP (V1,

V2c, V3)

OSPF connectivity, neighbors, state,

OSPF Area

OSPF state change Routing

Topology,

Availability

Monitoring

SNMP (V1,

V2c, V3)

  IP SLA and VoIP performance metrics: Max/Min/Avg Delay and Jitter – both overall and Source->Destination and Destination->Source, Packets Lost – both overall and Source->Destination and Destination->Source, Packets Missing in Action, Packets

Late, Packets out of sequence, VoIP Mean Opinion Score (MOS), VoIP Calculated Planning Impairment Factor (ICPIF) score

VoIP

Performance

Monitoring

SNMP (V1,

V2c, V3)

  Class based QoS metrics (from CISCO-CLASS-BASED-QOS-MIB): For (router interface, policy, class map) tuple: class map metrics including Pre-policy rate, post-police rate, drop rate and drop pct; police action metrics including conform rate, exceeded rate and violated rate; queue metrics including current queue length, max queue length and discarded packets QoS

performance monitoring

SNMP (V1,

V2c, V3)

  NBAR metrics (from CISCO-NBAR-PROTOCOL-DISCOVERY-MIB): For each

interface and application, sent/receive flows, sent/receive bytes, sent/receive bits/sec

Performance

Monitoring

Telnet/SSH Running and startup configuration,

Image file name, Flash memory size,

Running processes

Startup configuration change, delta between running and startup configuration, Running process CPU and memory utilization Performance

Monitoring,

Security and

Compliance

Syslog Device type System logs and traffic logs matching acl statements Availability,

Security and

Compliance

Event Types

Performance Monitoring events

Configuration change events

Syslog events

In CMDB > Event Types, search for “cisco_os” in the Description column to see the event types associated with this device.

Rules

 Performance Monitoring rules

Configuration change rules

Other rules

Reports

Performance Monitoring Reports

Configuration change Reports

Other Reports

Configuration

Telnet/SSH

AccelOps uses SSH and Telnet to communicate with your device. Follow the instructions in the product documentation for your device to enable SSH and Telnet.

These commands are used for discovery and performance monitoring via SSH. Please make sure that the access credentials you provide in AccelOps have the permissions necessary to execute these commands on the device.

  1. show startup-config
  2. show running-config
  3. show version
  4. show flash
  5. show ip route
  6. show mac-address-table or show mac address-table
  7. show vlan brief
  8. show process cpu
  9. show process mem
  10. show disk0
  11. enable
  12. terminal pager 0

SNMP

SNMP V1/V2c

  1. Log in to the Cisco IOS console or telnet to the device.
  2. Enter configuration mode.

SNMP V3

  1. Log in to the Cisco IOS console or telnet to the device.
  2. Enter configuration mode.
  3. Exit configuration mode.

Syslog

  1. Login to the Cisco IOS console or telnet to the device.
  2. Enter configuration mode.

Sample Cisco IOS Syslog Messages

 

NetFlow

Enable NetFlow on the Router

  1. Enter configuration mode.
  2. For every interface, run this command.

Set Up NetFlow Export

  1. Enter configuration mode.
  2. Run these commands.

On MLS switches, such as the 6500 or 7200 models, also run these commands.

You can verify that you have set up NetFlow correctly by running these commands.

Sample Flexible Netflow Configuration in IOS

IP SLA

IP SLA is a technology where a pair of routers can run synthetic tests between themselves and report detailed traffic statistics. This enables network administrators to get performance reports between sites without depending on end-host instrumentation.

Cisco provides detailed documents for configuring IP SLA for both general traffic and VoIP.

A variety of IP SLA tests can be run, for example UDP/ICMP Jitter, UDP Jitter for VoIP, UDP/ICMP Echo, TCP Connect, HTTP, etc. You can see the traffic statistics for these these tests by routing appropriate Show commands on the router. However, only these IP SLA tests are exported via

RTT-MON SNMP MIB.

UDP Jitter (reported by AccelOps event type PH_DEV_MON_IPSLA_MET)

UDP Jitter for VoIP (reported by AccelOps event type PH_DEV_MON_IPSLA_VOIP_MET)

HTTP performance (reported by AccelOps event type PH_DEV_MON_IPSLA_HTTP_MET)

ICMP Echo (reported by AccelOps event type PH_DEV_MON_IPSLA_ICMP_MET) UDP Echo (reported by AccelOps event type PH_DEV_MON_IPSLA_UDP_MET)

These are the only IP SLA tests monitored by AccelOps.

Configuring IP SLA involves choosing and configuring a router to initiate the test and a router to respond. The test statistics are automatically reported by the initiating router via SNMP, so no additional configuration is required. Bi-directional traffic statistics are also reported by the initiating router, so you don’t need to set up a reverse test between the original initiating and responding routers.  AccelOps automatically detects the presence of the IP SLA SNMP MIB (CISCO-RTTMON-MIB) and starts collecting the statistics. Configuring IP SLA Initiator for UDP Jitter

 

 

Class-Based QoS

CBQoS enables routers to enforce traffic dependent Quality of Service policies on router interfaces for to make sure that important traffic such as VoIP and mission critical applications get their allocated network resources.

Cisco provides detailed documents for configuring IP SLA for both general traffic and VoIP,

The CbQoS statistics are automatically reported by the router via SNMP, so no additional configuration is needs. AccelOps detects the presence of valid CBQoS MIBs and starts monitoring them.

NBAR

Cisco provides protocol discovery via NBAR configuration guide.

Make sure that the CISCO-NBAR-PROTOCOL-DISCOVERY-MIB is enabled.

Sample event generated by AccelOps

[PH_DEV_MON_CISCO_NBAR_STAT]:[eventSeverity]=PHL_INFO,[fileName]=deviceC isco.cpp,[lineNumber]=1644,[hostName]=R1.r1.accelops.com,[hostIpAddr]=10 .1.20.59,[intfName]=Ethernet0/0,[appTransportProto]=snmp,[totFlows]=4752

,[recvFlows]=3168,[sentFlows]=1584,[totBytes64]=510127,[recvBytes64]=277

614,[sentBytes64]=232513,[totBitsPerSec]=22528.000000,[recvBitsPerSec]=1

2288.000000,[sentBitsPerSec]=10240.000000,[phLogDetail]=

 

Settings for Access Credentials

How CPU and Memory Utilization is Collected for Cisco IOS

AccelOps follows the process for collecting information about CPU utlization that is recommended by Cisco.

Monitoring CPU

Monitoring Memory using PROCESS-MIB

Monitoring CPU

The OID is 1.3.6.1.4.1.9.9.109.1.1.1.1.8. The issue there are multiple CPUs – which ones to take? A sample SNMP walk for this OID looks like this

Note that there are 4 CPUs – indexed 1-4. We need to identify Control plane CPU and Data plane CPU

The cpu Id -> entity Id mapping from the following SNMP walk

Combining all this information, we finally obtain the CPU information for each object

The relevant OIDs are

Used memory OID = 1.3.6.1.4.1.9.9.48.1.1.1.6

Free memory OID =  1.3.6.1.4.1.9.9.48.1.1.1.5

Memory Util = (Used memory) / (Used memory + Free memory)

Therefore

Cisco Meraki Cloud Controller and Network Devices Configuration

What is Discovered and Monitored

Availability (from SNMP Trap)

Performance (Fixed threshold)

Performance (Dynamic threshold based on baselines)

Settings for Access Credentials

What is Discovered and Monitored

Cisco Meraki Devices are discoverable in either of the following ways

SNMP to the Cloud Controller

SNMP to each Network Device

SNMP Traps can be sent from the Cloud Controller. Cisco Meraki Network Devices can also send logs directly to AccelOps.

Protocol Information Discovered Metrics collected Used for  
SNMP (V1, V2c) to

Cloud Controller or

Devices

Host name, Software version, Hardware model, Network interfaces Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths) Availability and

Performance

Monitoring

Syslog from Meraki

Firewalls

  Firewall logs Security Monitoring  
SNMP Traps from

Cloud Controller

  Health Availability

Monitoring

 

Event Types

Interface Utilization: PH_DEV_MON_NET_INTF_UTIL

Rules

Availability (from SNMP Trap)

Meraki Device Cellular Connection Disconnected

Meraki Device Down

Meraki Device IP Conflict

Meraki Device Interface Down

Meraki Device Port Cable Error

Meraki Device VPN Connectivity Down

Meraki Foreign AP Detected

Meraki New DHCP Server

Meraki New Splash User

Meraki No DHCP lease

Meraki Rogue DHCP Server

Meraki Unreachable Device

Meraki Unreachable RADIUS Server

Meraki VPN Failover

Performance (Fixed threshold)

Network Intf Error Warning

Network Intf Error Critical

Network Intf Util Warning

Network Intf Util Critical

Performance (Dynamic threshold based on baselines)

Sudden Increase in Network Interface Traffic

Sudden Increase in Network Interface Errors

Reports

None

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Settings for Access Credentials

Cisco NX-OS Router and Switch Configuration

What is Discovered and Monitored

Enable NetFlow on the Router

Create a Flow Template and Define the Fields to Export

Set up Netflow Exporter

Associate the Record to the Exporter Using a Flow Monitor

Apply the Flow Monitor to Every Interface  Settings for Access Credentials

What is Discovered and Monitored

Protocol Information Discovered Metrics collected Used for
SNMP (V1,

V2c, V3)

Host name, IOS version, Hardware model, Memory size, Network interface details name, address, mask and description Uptime, CPU and Memory utilization, Free processor and I/O memory, Free contiguous processor and I/O memory, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths) Availability

and

Performance

Monitoring

SNMP (V1,

V2c, V3)

Hardware component details: serial number, model, manufacturer, software and firmware versions of hardware components such as chassis, CPU, fan, power supply, network cards etc. Hardware health: temperature, fan and power supply Availability
SNMP (V1,

V2c, V3)

Trunk port connectivity between switches and

VLANs carried over a trunk port (via CDP

MIB), ARP table

  Topology and end-host location
SNMP (V1,

V2c, V3)

BGP connectivity, neighbors, state, AS number BGP state change Routing

Topology,

Availability

Monitoring

SNMP (V1,

V2c, V3)

OSPF connectivity, neighbors, state, OSPF

Area

OSPF state change Routing

Topology,

Availability

Monitoring

SNMP (V1,

V2c, V3)

  Class based QoS metrics: For (router interface, policy, class map) tuple: class map metrics including Pre-policy rate, post-police rate, drop rate and drop pct; po lice action metrics including conform rate, exceeded rate and violated rate; queu e metrics including current queue length, max queue length and discarded packets QoS

performance monitoring

Telnet/SSH Running and startup configuration, Image file

name, Flash memory size, Running processes

Startup configuration change, delta between running and startup configuration,

Running process CPU and memory utilization

Performance

Monitoring,

Security and

Compliance

Telnet/SSH End host Layer 2 port mapping: switch interface to VLAN id, end host IP/MAC address association    
Syslog Device type System logs and traffic logs matching acl statements Availability,

Security and

Compliance

Event Types

In CMDB > Event Types, search for “nx-os” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Telnet/SSH

AccelOps uses Telnet/SSH to communicate with this device. Refer to the product documentation for your device to enable Telnet/SSH.

These commands are used for discovery and performance monitoring via SSH. Please make sure that the access credentials you provide in AccelOps have the permissions necessary to execute these commands on the device.

  1. show startup-config
  2. show running-config
  3. show version
  4. show flash
  5. show context
  6. show ip route
  7. show cam dynamic
  8. show mac-address-table
  9. show mac address-table (for Nexus 1000v)
  10. show vlan brief
  11. show process cpu
  12. show process mem
  13. show disk0
  14. enable
  15. terminal length 0

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

NetFlow

Enable NetFlow on the Router

  1. Enter configuration mode.
  2. Run this command.

Create a Flow Template and Define the Fields to Export You can can also try using the pre-defined NetFlow template.

Set up Netflow Exporter Run these commands.

Associate the Record to the Exporter Using a Flow Monitor In this example the flow monitor is called AccelOpsMonitoring.

Run these commands.

Apply the Flow Monitor to Every Interface Run these commands.

You can now check the configuration using the show commands.

Settings for Access Credentials

Cisco ONS Configuration

What is Discovered and Monitored

Protocol Information Discovered Metrics collected Used for
SNMP

(V1, V2c)

Host name, Serial Number, software version,

Hardware model, Network interfaces, Hardware

Components

Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths) Availability and

Performance

Monitoring

SNMP

Trap

  Alerts Availability and

Performance

Monitoring

Event Types

Over 1800 event types defined – search for “Cisco-ONS” in CMDB > Event Types

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Settings for Access Credentials

Dell Force10 Router and Switch Configuration

What is Discovered and Monitored

Protocol Information Discovered Metrics collected Used for
SNMP (V1,

V2c)

Host name, Serial number, Software version,

Hardware model, Network interfaces, Hardware Components

Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), CPU utilization, Hardware Status Availability and

Performance

Monitoring

Telnet/SSH Running and Startup configurations Startup Configuration Change, Difference between Running and Startup configurations Change

monitoring

Event Types

In CMDB > Event Types, search for “force10” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

TelNet/SSH

AccelOps uses Telnet/SSH to communicate with this device. Refer to the product documentation for your device to enable Telnet/SSH.

These commands are used for discovery and performance monitoring via SSH. Please make sure that the access credentials you provide in AccelOps have the permissions necessary to execute these commands on the device. To initiate discovery and monitoring of your device over this protocol, follow the instructions in Setting Access Credentials for Device Discovery.

  1. show startup-config
  2. show running-config
  3. show version
  4. show ip route
  5. enable
  6. terminal pager 0

Settings for Access Credentials

Dell NSeries Switch Configuration

Configuration

SNMP

Settings for Access Credentials

What is Discovered and Monitored

Protocol Information Discovered Metrics collected Used for  
SNMP

(V1, V2c)

Host name, software version, Hardware model, Network

interfaces,

Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths) Availability and

Performance

Monitoring

SNMP

(V1, V2c)

  Hardware Status (Power Supply, Fan) Availability

Monitoring

SSH   Configuration Change management  

Event Types

CPU Monitoring: PH_DEV_MON_SYS_CPU_UTIL

Memory Monitoring: PH_DEV_MON_SYS_MEM_UTIL

Interface Utilization: PH_DEV_MON_NET_INTF_UTIL

Hardware Status: PH_DEV_MON_HW_STATUS

Configuration Change: PH_DEV_MON_CHANGE_STARTUP_CONFIG

Rules

Availability

Network Device Degraded – Lossy Ping Response

Network Device Down – no ping response

Network Device Interface Flapping

Critical Network Device Interface Staying Down

Non-critical Network Device Interface Staying Down

Network Device Hardware Warning

Network Device Hardware Critical

Performance (Fixed threshold)

Network CPU Warning

Network CPU Critical

Network Memory Warning

Network Memory Critical

Network Intf Error Warning

Network Intf Error Critical

Network Intf Util Warning

Network Intf Util Critical

Performance (Dynamic threshold based on baselines)

Sudden Increase In System CPU Usage

Sudden Increase in System Memory Usage

Sudden Increase in Network Interface Traffic

Sudden Increase in Network Interface Errors

Change

Startup Config Change

Reports

Availability

Availability: Router/Switch Ping Monitor Statistics

Performance

Performance: Top Routers Ranked By CPU Utilization

Performance: Top Routers By Memory Utilization

Performance: Top Router Network Intf By Util, Error, Discards

Top Routers/Switches by Business Hours Network Ping Uptime Pct (Achieved Network Ping SLA)

Top Routers/Switches by Business Hours System Uptime Pct (Achieved System SLA)

Top Routers/Switches by Network Ping Uptime Pct (Achieved Network Ping SLA)

Top Routers/Switches by System Uptime Pct (Achieved System SLA)

Top Router Interfaces by Days-since-last-use

Change

Change: Router Config Changes Detected Via Login

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Settings for Access Credentials

Dell PowerConnect Switch and Router Configuration

What is Discovered and Monitored

Protocol Information Discovered Metrics collected Used for
SNMP (V1,

V2c)

Host name, Serial number, Software version,

Hardware model, Network interfaces, Hardware Components

Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), CPU utilization, Hardware Status Availability and

Performance

Monitoring

Telnet/SSH Running and Startup configurations Startup Configuration Change, Difference between Running and Startup configurations Change

monitoring

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Telnet/SSH

AccelOps uses Telnet/SSH to communicate with this device. Refer to the product documentation for your device to enable Telnet/SSH.

These commands are used for discovery and performance monitoring via SSH. Please make sure that the access credentials you provide in AccelOps have the permissions necessary to execute these commands on the device. To initiate discovery and monitoring of your device over this protocol, follow the instructions in Setting Access Credentials for Device Discovery.

  1. show startup-config
  2. show running-config
  3. show version
  4. show ip route
  5. enable
  6. terminal pager 0

Settings for Access Credentials

 

Foundry Networks IronWare Router and Switch Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

SNMP

Telnet/SSH

Syslog

Sample Parsed PowerConnect Syslog Message  Settings for Access Credentials

What is Discovered and Monitored

Protocol Information Discovered Metrics collected Used for  
SNMP (V1,

V2c)

Host name, Ironware version, Hardware model, Network interfaces, Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths) Availability and

Performance

Monitoring

Telnet/SSH Running and startup configuration Startup configuration change, delta between running and startup configuration Performance Monitoring,

Security and

Compliance

SNMP (V1,

V2c)

Trunk port connectivity between switches and VLANs carried over a trunk port, End host Layer 2 port mapping: switch interface to VLAN id, end host IP/MAC address association   Topology and end-host location    
Syslog Device type System logs and traffic logs matching acl statements Availability,

Security and

Compliance

 

Event Types

In CMDB > Event Types, search for “foundry_ironware” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

  1. Log in to the device manager for your switch or router with administrative privileges.
  2. Enter configuration mode.
  3. Run these commands to set the community string and enable the SNMP service.
  4. Exit config mode.
  5. Save the configuration.

Telnet/SSH

AccelOps uses Telnet/SSH to communicate with this device. Refer to the product documentation for your device to enable Telnet/SSH. Syslog

  1. Log in to the device manager for your switch or router with administrative privileges.
  2. Enter configuration mode.
  3. Run this command to set your AccelOps virtual appliance as the recipient of syslogs from your router or switch.
  4. Exit config mode.
  5. Save the configuration.

Sample Parsed PowerConnect Syslog Message

Settings for Access Credentials

HP/3Com ComWare Switch Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

SNMP

Syslog

Example Syslog for ComWare Switch Messages  Settings for Access Credentials

What is Discovered and Monitored

Protocol Information Discovered Metrics collected Used for  
SNMP

(V1, V2c)

Host name, software version, Hardware model, Network interfaces, Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Hardware status:

Power Supply, Fan, Temperature

Availability and

Performance

Monitoring

SNMP (V1, V2c,

V3)

  Hardware status: Temperature Availability  
Syslog   System logs Availability,

Security and

Compliance

 

Event Types

In CMDB > Event Types, search for “compare” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Example Syslog for ComWare Switch Messages

%Apr 2 11:38:11:113 2010 H3C DEVD/3/BOARD REBOOT:Chasis 0 slot 2 need be rebooted automatically! %Sep 22 20:38:32:947 2009 H3C DEVD/4/BRD MISPLUG: The board or subcard in slot 1 is not supported. %Sep 22 20:38:32:947 2009 H3C DEVD/4/BRD MISPLUG: The board type of MR in 1 is different from the Mate MR’s, so the MR can’t work properly. %Sep 22 20:38:32:947 2009 H3C DEVD/2/BRD TOO HOT:Temperature of the board is too high! %Sep 22 20:38:32:947 2009 H3C DEVD/2/ FAN CHANGE: Chassis 1: Fan communication state changed: Fan 1 changed to fault.

Settings for Access Credentials

HP ProCurve Switch Configuration

What is Discovered and Monitored

Protocol Information Discovered Metrics collected Used for  
SNMP (V1,

V2c)

Host name, version, Hardware model, Network interfaces, Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Hardware status: Power Supply, Fan, Temperature Availability

and

Performance

Monitoring

Telnet/SSH Running and startup configuration Startup configuration change, delta between running and startup configuration Performance

Monitoring,

Security and Compliance

SNMP (V1,

V2c)

Trunk port connectivity between switches and VLANs carried over a trunk port, End host Layer 2 port mapping: switch interface to VLAN id, end host

IP/MAC address association

  Topology and end-host location    

Event Types

In CMDB > Event Types, search for “procurve” in the Device Type and Description columns to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

  1. Go to Configuration > SNMP Community > V1/V2 Community.
  2. Enter a Community Name.
  3. For MIB-View, select Operator.
  4. For Write-Access, leave the selection cleared.
  5. Click Add.

SSH/Telnet

  1. Log into the device manager for your ProCurve switch.
  2. Go to Security > Device Passwords.
  3. Create a user and password for Read-Write Access.

Although AccelOps does not modify any configurations for your switch, Read-Write Access is needed to read the device configuration.

  1. Go to Security > Authorized Addresses and add the AccelOps IP to Telnet/SSH. This is an optional step.

Settings for Access Credentials

HP Value Series (19xx) and HP 3Com (29xx) Switch Configuration

Configuration

SNMP

Settings for Access Credentials

What is Discovered and Monitored

Protocol Information Discovered Metrics collected Used for  
SNMP

(V1, V2c)

Host name, software version, Hardware model, Network

interfaces,

Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths) Availability and

Performance

Monitoring

SSH   Configuration Change management  

Event Types

CPU Monitoring: PH_DEV_MON_SYS_CPU_UTIL

Memory Monitoring: PH_DEV_MON_SYS_MEM_UTIL

Interface Utilization: PH_DEV_MON_NET_INTF_UTIL

Configuration Change: PH_DEV_MON_CHANGE_STARTUP_CONFIG

Rules

Availability

Network Device Degraded – Lossy Ping Response

Network Device Down – no ping response

Network Device Interface Flapping

Critical Network Device Interface Staying Down

Non-critical Network Device Interface Staying Down

Performance (Fixed threshold)

Network CPU Warning

Network CPU Critical

Network Memory Warning

Network Memory Critical

Network Intf Error Warning

Network Intf Error Critical

Network Intf Util Warning

Network Intf Util Critical

Performance (Dynamic threshold based on baselines)

Sudden Increase In System CPU Usage

Sudden Increase in System Memory Usage

Sudden Increase in Network Interface Traffic

Sudden Increase in Network Interface Errors

Change

Startup Config Change

Reports

Availability

Availability: Router/Switch Ping Monitor Statistics

Performance

Performance: Top Routers Ranked By CPU Utilization

Performance: Top Routers By Memory Utilization

Performance: Top Router Network Intf By Util, Error, Discards

Top Routers/Switches by Business Hours Network Ping Uptime Pct (Achieved Network Ping SLA)

Top Routers/Switches by Business Hours System Uptime Pct (Achieved System SLA)

Top Routers/Switches by Network Ping Uptime Pct (Achieved Network Ping SLA)

Top Routers/Switches by System Uptime Pct (Achieved System SLA)

Top Router Interfaces by Days-since-last-use

Change

Change: Router Config Changes Detected Via Login

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Settings for Access Credentials

Juniper Networks JunOS Switch Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

SNMP

Syslog

Sample JunOS Syslog Messages sFlow

Settings for Access Credentials

What is Discovered and Monitored

Protocol Information Discovered Metrics collected Used for
SNMP (V1,

V2c)

Host name, JunOS version, Hardware model, Network interfaces, Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Hardware status: Power Supply, Fan, Temperature Availability and

Performance

Monitoring

Telnet/SSH Running and startup configuration Startup configuration change, delta between running and startup configuration Performance

Monitoring,

Security and

Compliance

SNMP (V1,

V2c, V3)

Trunk port connectivity between switches and VLANs carried over a trunk port, End host Layer 2 port mapping: switch interface to VLAN id, end host IP/MAC address association   Topology and end-host location
Syslog   System logs and traffic logs matching acl statements Availability,

Security and

Compliance

sflow   Traffic flow Availability,

Security and

Compliance

Event Types

In CMDB > Event Types, search for “junos” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

  1. Log in to the device manager for your JunOS switch with administrator privileges.
  2. Go to Configure > Services > SNMP.
  3. Under Communities, click Add.
  4. Enter a Community Name.
  5. Set Authorization to read-only.
  6. Click OK.

Syslog

  1. Log in to the device manager for your JunOS switch with administrator privileges.
  2. Go to Dashboard > CLI Tools > CLI Editor.
  3. Edit the syslog section to send syslogs to AccelOps.
  4. Click Commit. Sample JunOS Syslog Messages

sFlow

Routing the sFlow Datagram in EX Series Switches

According to Juniper documentation, the sFlow datagram cannot be routed over the management Ethernet interface (me0) or virtual management interface (vme0) in an EX Series switch implementation. It can only be exported over the network Gigabit Ethernet or 10-Gigabit Ethernet ports using valid route information in the routing table.

  1. Log in to the device manager for your JunOS switch with administrator privileges.
  2. Go to Configure > CLI Tools > Point and Click CLI.
  3. Expand Protocols and select slow.
  4. Next to Collector, click Add new entry.
  5. Enter the IP address for your AccelOps virtual appliance.
  6. For UDP Port, enter 6343.
  7. Click Commit.
  8. Next to Interfaces, click Add new entry.
  9. Enter the Interface Name for all interfaces that will send traffic over sFlow.
  10. Click Commit.
  11. To disable the management port, go to Configure > Management Access, and remove the address of the management port. You can also disconnect the cable.

Settings for Access Credentials

Mikrotek Router Configuration

What is Discovered and Monitored

Protocol Information Discovered Metrics collected Used for
SNMP

(V1, V2c)

Host name, software version,

Hardware model, Network interfaces

Uptime, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths) Availability and

Performance

Monitoring

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Settings for Access Credentials

Nortel ERS and Passport Switch Configuration

What is Discovered and Monitored

Protocol Information Discovered Metrics collected Used for  
SNMP

(V1, V2c)

Host name, software version, Hardware model, Network

interfaces,

Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths) Availability and

Performance

Monitoring

SNMP

(V1, V2c)

  Hardware status: Temperature  
SNMP (V1, V2c,

V3)

  Layer 2 port mapping: associating switch ports to directly connected host IP/MAC addresses Identity and location table; Topology  

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Settings for Access Credentials

FortiSIEM Configuring Network Intrusion Protection Systems (IPS)

Configuring Network Intrusion Protection Systems (IPS)

AccelOps supports these intrusion protection systems for discovery and monitoring.

AirTight Networks SpectraGuard

Cisco FireSIGHT

Cisco Intrusion Protection System Configuration

Cylance Protect Endpoint Protection

Cyphort Cortex Endpoint Protection

FireEye Malware Protection System (MPS)

FortiDDoS

Fortinet FortiSandbox Configuration

IBM Internet Security Series Proventia Configuration

Juniper DDoS Secure Configuration

Juniper Networks IDP Series Configuration

McAfee IntruShield Configuration

McAfee Stonesoft IPS

Motorola AirDefense Configuration

Snort Intrusion Protection System Configuration

Sourcefire 3D and Defense Center Configuration

TippingPoint Intrusion Protection System Configuration

AirTight Networks SpectraGuard

What is Discovered and Monitored Configuration

What is Discovered and Monitored

Protocol Information Discovered Metrics Collected Used For
Syslog      

Event Types

In CMDB > Event Types, search for “airtight” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Example Syslog

<30><2013.09.09 19:45:16>CEF:0|AirTight|SpectraGuard Enterprise|6.7|5.51.515|Authorized AP operating on non-allowed channel|3|msg=Stop: Authorized AP [AP2.12.c11d] is operating on non-allowed channel. rt=Sep 09 2013 19:45:16 UTC dvc=10.255.1.36 externalId=726574 dmac=58:BF:EA:FA:26:EF cs1Label=TargetDeviceName cs1=AP2.12.c11d cs2Label=SSID cs2=WiFiHiSpeed cs3Label=SecuritySetting cs3=802.11i cn1Label=RSSI_dBm cn1=-50 cn2Label=Channel cn2=149 cs4Label=Location cs4=//FB/FBFL2

Cisco FireSIGHT

This section describes how AccelOps collects logs from Cisco FireSIGHT console.

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

What is Discovered and Monitored

Protocol Information Discovered Logs Collected Used For
 eStreamer API   Intrusion Events

Malware Events

File Events

Discovery Events

User Activity Events Impact Flag Events

Security Monitoring

Event Types

Intrusion events: PH_DEV_MON_FIREAMP_INTRUSION

[PH_DEV_MON_FIREAMP_INTRUSION]:[eventSeverity]=PHL_CRITICAL,[fileNa me]=phFireAMPAgent.cpp,[lineNumber]=381,[reptDevIpAddr]=10.1.23.177 ,[envSensorId]=6,[snortEventId]=393258,[deviceTime]=1430501705,[eve ntType]=Snort-1,[compEventType]=PH_DEV_MON_FIREAMP_INTRUSION,[ipsGe neratorId]=137,[ipsSignatureId]=2,[ipsClassificationId]=32,[srcIpAd dr]=10.131.10.1,[destIpAddr]=10.131.10.120,[srcIpPort]=34730,[destI pPort]=443,[ipProto]=6,[iocNum]=0,[fireAmpImpactFlag]=7,[fireAmpImp act]=2,[eventAction]=1,[mplsLabel]=0,[hostVLAN]=0,[userId]=3013,[we bAppId]=0,[clientAppId]=1296,[appProtoId]=1122,[fwRule]=133,[ipsPol icyId]=63098,[srcIntfName]=b16c69fc-cd95-11e4-a8b0-b61685955f02,[de stIntfName]=b1a1f900-cd95-11e4-a8b0-b61685955f02,[srcFwZone]=9e3405 2a-9b4f-11e4-9b83-efa88d47586f,[destFwZone]=a7bd89cc-9b4f-11e4-8260 -63a98d47586f,[connEventTime]=1430501705,[connCounter]=371,[srcGeoC ountryCode]=0,[destGeoCountryCode]=0,[phLogDetail]=

Malware events:  PH_DEV_MON_FIREAMP_MALWARE

[PH_DEV_MON_FIREAMP_MALWARE]:[eventSeverity]=PHL_INFO,[fileName]=ph FireAMPAgent.cpp,[lineNumber]=487,[reptDevIpAddr]=10.1.23.177,[envS ensorId]=6,[deviceTime]=1430502934,[srcIpAddr]=10.110.10.73,[destIp Addr]=10.0.112.132,[srcIpPort]=21496,[destIpPort]=80,[ipProto]=6,[f ileName]=CplLnk.exe ,[filePath]=,[fileSize64]=716325,[fileType]=1,[fileTimestamp]=0,[ha shAlgo]=SHA,[hashCode]=f1bfab10090541a2c3e58b4b93c504be8b65cdc82320 9c7f4def24acc38d7fd1 ,[fileDirection]=1,[fireAmpFileAction]=3,[parentFileName]=,[parentF ileHashCode]=,[infoURL]=http://wrl/wrl/CplLnk.exe ,[threatScore]=0,[fireAmpDisposition]=3,[fireAmpRetrospectiveDispos ition]=3,[iocNum]=1,[accessCtlPolicyId]=125870424,[srcGeoCountryCod e]=0,[destGeoCountryCode]=0,[webAppId]=0,[clientAppId]=638,[applica tionId]=676,[connEventTime]=1430502933,[connCounter]=409,[cloudSecI ntelId]=0,[phLogDetail]=

File events: PH_DEV_MON_FIREAMP_FILE

[PH_DEV_MON_FIREAMP_FILE]:[eventSeverity]=PHL_INFO,[fileName]=phFir eAMPAgent.cpp,[lineNumber]=541,[reptDevIpAddr]=10.1.23.177,[envSens orId]=6,[deviceTime]=1430497343,[srcIpAddr]=10.131.15.139,[destIpAd dr]=10.0.112.137,[srcIpPort]=1587,[destIpPort]=80,[ipProto]=6,[file Name]=Locksky.exe

,[hashAlgo]=SHA,[hashCode]=aa999f5d948aa1a731f6717484e1db32abf92fdb

5f1e7ed73ad6f5a21b0737c1,[fileSize64]=60905,[fileDirection]=1,[fire AmpDisposition]=3,[fireAmpSperoDisposition]=4,[fireAmpFileStorageSt atus]=11,[fireAmpFileAnalysisStatus]=0,[threatScore]=0,[fireAmpFile Action]=3,[fileType]=17,[applicationId]=676,[destUserId]=2991,[info

URL]=http://wrl/wrl/Locksky.exe

,[signatureName]=,[accessCtlPolicyId]=125869976,[srcGeoCountryCode] =0,[destGeoCountryCode]=0,[webAppId]=0,[clientAppId]=638,[connCount er]=103,[connEventTime]=1430497343,[phLogDetail]=

Discovery events:

PH_DEV_MON_FIREAMP_DISCOVERY_NETWORK_PROTOCOL

PH_DEV_MON_FIREAMP_DISCOVERY_NETWORK_PROTOCOL]:[eventSeverity]= PHL_INFO,[fileName]=phFireAMPAgent.cpp,[lineNumber]=815,[reptDe vIpAddr]=10.1.23.177,[destIpPort]=2054,[ipProto]=54,[phLogDetai l]=

PH_DEV_MON_FIREAMP_DISCOVERY_OS_FINGERPRINT

There are no predefined rules for this device.

Reports

The following reports are provided

  1. Top Cisco FireAMP Malware Events
  2. Top Cisco FireAMP File Analysis Events
  3. Top Cisco FireAMP Vulnerable Intrusion Events
  4. Top Cisco FireAMP Discovered Login Events
  5. Top Cisco FireAMP Discovered Network Protocol
  6. Top Cisco FireAMP Discovered Client App
  7. Top Cisco FireAMP Discovered OS

Configuration

AccelOps obtains events from Cisco FireSIGHT via eStreamer protocol.

Cisco FireSIGHT Configuration

  1. Logon to Cisco FIRESIGHT console
  2. Go to System > Local > Registration > eStreamer
  3. Click Create Client
    1. Enter IP address and password for AccelOps
    2. Click Save
  4. Select the types of events that should be forwarded to AccelOps
  5. Click Download Certificate and save the certificate to a local file

AccelOps Configuration

  1. Go to Admin > Setup > Credentials
  2. Create a credential
    1. Set Device Type to Cisco FireAMP
    2. Set Access Method to eStreamer
    3. Enter the Password as in Step 3a above
    4. Click Certificate File > Upload and enter the certificate downloaded in Step 5
    5. Click Save
  3. Create an IP range to Credential Association
    1. Enter IP address of the FireSIGHT Console
    2. Enter the credential created in Step 2 above
  4. Click Test Connectivity – AccelOps will start collecting events from the FIRESIGHT console

 

 

 

Cisco Intrusion Protection System Configuration

What is Discovered and Monitored

 

Protocol Information Discovered Metrics Collected Used For
SNMP     Performance and Availability Monitoring
SDEE   Alerts Security Monitoring

Event Types

In CMDB > Event Types, search for “cisco ips” in the Device Type and Description columns to see the event types associated with this device.

Rules

In Analytics > Rules, search for “cisco ips” in the Name column to see the rules associated with this device.

Reports

In Analytics > Reports, search for “cisco ips” in the Name column to see the reports associated with this device.

Configuration

SNMP

  1. Log in to the device manager for your Cisco IPS.
  2. Go to Configuration > Allowed Hosts/Networks.
  3. Click Add.
  4. Enter the IP address of your AccelOps virtual appliance to add it to the access control list, and then click OK.
  5. Go to Configuration > Sensor Management > SNMP > General Configuration.
  6. For Read-Only Community String, enter public.
  7. For Sensor Contact and Sensor Location, enter Unknown.
  8. For Sensor Agent Port, enter 161.
  9. For Sensor Agent Protocol, select udp.

If you need to create an SDEE account for AccelOps to use, go to Configuration > Users and Add a new administrator. Sample XML-Formatted Alert

<os idSource=”unknown” type=”unknown” relevance=”relevant”></os>          </victim>

<victim>

<addr locality=”OUT”>171.66.255.87</addr>            <os idSource=”unknown” type=”unknown” relevance=”relevant”></os>          </victim>

<victim>

<addr locality=”OUT”>171.66.255.86</addr>            <os idSource=”unknown” type=”unknown” relevance=”relevant”></os>          </victim>

<victim>

<addr locality=”OUT”>171.66.255.84</addr>            <os idSource=”unknown” type=”unknown” relevance=”relevant”></os>          </victim>

<victim>

<addr locality=”OUT”>171.66.255.85</addr>            <os idSource=”unknown” type=”unknown” relevance=”relevant”></os>         </victim>

<victim>

<addr locality=”OUT”>171.66.255.82</addr>            <os idSource=”unknown” type=”unknown” relevance=”relevant”></os>         </victim>

</attack>

</participants>

 

Cylance Protect Endpoint Protection

What is Discovered and Monitored Configuration

What is Discovered and Monitored

Protocol Information Discovered Metrics Collected Used For
 Syslog   End point malware alerts Security Monitoring

Event Types

In CMDB > Event Types, search for “cylance” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps processes events from this device via CEF formatted syslog sent by the device. Configure the device to send syslog to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

Example Syslog

Cyphort Cortex Endpoint Protection

What is Discovered and Monitored Configuration

What is Discovered and Monitored

Protocol Information Discovered Metrics Collected Used For
 Syslog   End point malware alerts Security Monitoring

Event Types

In CMDB > Event Types, search for “cyphort” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps processes events from this device via CEF formatted syslog sent by the device. Configure the device to send syslog to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

Example Syslog

FireEye Malware Protection System (MPS)

What is Discovered and Monitored Configuration

What is Discovered and Monitored

Protocol Information Discovered Metrics Collected Used For
 Syslog      

Event Types

In CMDB > Event Types, search for “fireeye mps” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example. Example Syslog

<164>fenotify-45640.alert:

CEF:0|FireEye|MPS|6.0.0.62528|MC|malware-callback|9|rt=Apr 16 2012 15:54:41 src=192.168.26.142 spt=0 smac=00:14:f1:90:c8:01 dst=2.2.2.2 dpt=80 dmac=00:10:db:ff:50:00 cn1Label=vlan cn1=202 cn2Label=sid cn2=33335390 cs1Label=sname cs1=Trojan.Gen.MFC cs4Label=link cs4=https://10.10.10.10/event_stream/events_for_bot?ev_id\=45640 cs5Label=ccName cs5=3.3.3.3 cn3Label=ccPort cn3=80 proto=tcp cs6Label=ccChannel cs6= shost=abc.org <http://abc.org> dvchost=ALAXFEYE01 dvc=10.10.10.10 externalId=45640

FortiDDoS

What is Discovered and Monitored

Configuration

What is Discovered and Monitored

Protocol Information Discovered Information Collected Used For
 Syslog Host Name, Access IP,

Vendor/Model

Over 150 event types to include Protocol Anomaly, Traffic Volume Anomaly, DoS Attacks, Security

Monitoring

Event Types

In CMDB > Event Types, search for “FortiDDoS” to see the event types associated with this device.

Rules

There are many IPS correlation rules for this device under Rules > Security > Exploits

Reports

There are many reports for this device under Reports > Function > Security

Configuration

Syslog

FortiSIEM processes FortiDDoS events via syslog. Configure FortiDDoS to send syslog to FortiSIEM as directed in the device’s product documentation.

Example Syslog

Jan 10 16:01:50 172.30.84.114 devid=FI400B3913000032 date=2015-01-23 time=17:42:00 type=attack SPP=1 evecode=1 evesubcode=8 dir=0 protocol=1 sIP=0.0.0.0 dIP=0.0.0.0 dropCount=312

devid=FI800B3913000055 date=2017-01-27 time=18:24:00 tz=PST type=attack spp=0 evecode=2 evesubcode=61 description=”Excessive Concurrent Connections Per Source flood” dir=1 sip=24.0.0.2 dip=24.255.0.253 subnet_name=default dropcount=40249 facility=Local0 level=Notice

Fortinet FortiSandbox Configuration

What is Discovered and Monitored Configuration

What is Discovered and Monitored

Protocol Information Discovered Metrics Collected Used For
 SNMP Host Name, OS, version, Hardware CPU, Memory, Disk, Interface utilization Performance Monitoring
Syslog   Malware found/cleaned, Botnet, Malware URL, System

Events

Log Management, Security Compliance,

SIEM

HTTP(S) Threat feed – Malware URL, Malware

Hash

  Log Management, Security Compliance,

SIEM

Event Types

In CMDB > Event Types, search for “fortisandbox-” to see the event types associated with this device.

Rules

In CMDB > Rules, search for “fortisandbox-” to see the rules associated with this device.

Also, basic availability rules in CMDB > Rules> Availability > Network and performance rules in CMDB > Rules> Performance > Network also trigger

Reports

In CMDB > Reports, search for “fortisandbox-” to see the rules associated with this device.

Configuration

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog format is the same as that shown in the example.

Example Syslog

Oct 12 14:35:12 172.16.69.142

devname=turnoff-2016-10-11-18-46-05-172.16.69.142

device_id=FSA3KE3A13000011 logid=0106000001 type=event subtype=system pri=debug user=system ui=system action= status=success  reason=none letype=9 msg=”Malware package: urlrel version 2.88897 successfully released, total 1000″

<14>2016-08-19T06:48:51 devhost=turnoff-2016-08-15-19-24-55-172.16.69.55 devid=FSA35D0000000006 tzone=-25200 tz=PDT  date=2016-08-19 time=06:48:51 logid=0106000001 type=event subtype=system level=information user=admin ui=GUI action=update status=success reason=none letype=9 msg=”Remote log server was successfully added”

IBM Internet Security Series Proventia Configuration

What is Discovered and Monitored

Configure IBM/ISS Proventia Appliances to Send SNMP Notifications to IBM/ISS SiteProtector Management Console

Define AccelOps as a Response Object for SNMP Traps

Define a Response Rule to Forward SNMP Traps to AccelOps

What is Discovered and Monitored

Protocol Information Discovered Metrics Collected Used For
 SNMP Traps      

Event Types

In CMDB > Event Types, search for “proventia” in the Device Type and Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP Trap

AccelOps receives SNMP traps from IBM/ISS Proventia IPS appliances that are sent by IBM/ISS SiteProtector Management Console. You need to first configure IBM/ISS Proventia to send alerts to IBM/ISS SiteProtector, then configure IBM/ISS SiteProtector to send those alerts as SNMP traps to AccelOps.

Configure IBM/ISS Proventia Appliances to Send SNMP Notifications to IBM/ISS SiteProtector Management Console

  1. Log in to the IBM Proventia IPS web interface.
  2. Click Manage System Settings > SiteProtector Management.
  3. Click and select Register withSiteProtector.
  4. Click and select Local Settings Override SiteProtector Group Settings.
  5. Specify the Group, Heartbeat Interval, and Logging Level.
  6. Configure these settings:
Setting Description
Authentication

Level

Use the default first-time trust
Agent

Manager

Name

Enter the Agent Manager name exactly as it appears in SiteProtector. This setting is case-sensitive.
Agent

Manager

Address

Enter the Agent Manager’s IP address
Agent

Manager Port

Use the default value 3995
User Name If the appliance has to log into an account access the Agent Manager, enter the user name for that account here
User

Password

Click Set Password, enter and confirm the password, and then click OK.
Use Proxy

Settings

If the appliance has to go through a proxy to access the Agent Manager, select the Use Proxy Settings option, and then enter the Proxy Server Address and Proxy Server Port.

Define AccelOps as a Response Object for SNMP Traps

  1. Log in to IBM SiteProtector console.
  2. Go to Grouping > Site Management > Central Responses > Edit settings.
  3. Select Response Objects > SNMP.
  4. Click Add.
  5. Enter a Name for your AccelOps virtual appliance.
  6. For Manager, enter the IP address of your virtual appliance.
  7. For Community, enter public.
  8. Click OK.

Define a Response Rule to Forward SNMP Traps to AccelOps

  1. Go to Response Rules.
  2. Click Add.
  3. Select Enabled.
  4. Enter a Name and Comment for the response rule.
  5. In the Responses tab, select SNMP.
  6. Select Enabled for the response object that represents your AccelOps virtual appliance.
  7. Click OK.

Sample SNMP trap

2013-02-07 16:52:18 100.0.0.218(via UDP: [192.168.64.218]:55545) TRAP,

SNMP v1, community public SNMPv2-SMI::enterprises.2499 Enterprise

Specific Trap (4) Uptime: 0:00:00.15 SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.1 = STRING:

“SiteProtector_Central_Response (Response1)”

SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.2 = STRING: “16:52:18

2013-02-07” SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.3 = STRING: “6”

SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.4 = STRING: “100.0.0.216”

SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.5 = STRING: “100.0.0.218”

SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.6 = “”

SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.7 = “”

SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.8 = STRING: “48879”

SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.9 = STRING: “80” SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.10 = STRING:

“DISPLAY=WithoutRaw:0,BLOCK=Default:0″ SNMPv2-SMI::enterprises.2499.1.1.2.1.1.1.1.11 = STRING: ” SensorName:

IBM-IPS ObjectName: 80 DestinationAddress: 100.0.0.218 AlertName:

HTTP_OracleAdmin_Web_Interface AlertTarget: 100.0.0.218 AlertCount: 1 VulnStatus: Simulated block (blocking not enabled) AlertDateTime:

16:52:17 2013-02-07 ObjectType: Target Port SourceAddress: 100.0.0.216

SensorAddress: 192.168.64.15″

Juniper DDoS Secure Configuration
What is Discovered and Monitored
Protocol Information Discovered Metrics Collected Used For
 Syslog   DDoS Alerts Security Monitoring

Event Types

In CMDB > Event Types, search for “juniper ddos” in the Device Type and Description columns to see the event types associated with this device.

Juniper-DDoS-Secure-WorstOffender

Juniper-DDoS-Secure-Blacklisted

Juniper-DDoS-Secure-Generic

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Configure the device to send syslog to AccelOps. Make sure that the event matches the format specified below.

Juniper Networks IDP Series Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

Syslog

Example Syslog from NSM

What is Discovered and Monitored
Protocol Information Discovered Metrics Collected Used For
 Syslog      

Event Types

In CMDB > Event Types, search for “juniper_idp” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Example Syslog from NSM

<25>Oct 11 14:29:27 10.146.68.68 20101011, 58420089, 2010/10/11

18:29:25, 2010/10/11 18:33:12, global.IDP, 1631, par-real-idp200, 10.146.68.73, traffic, udp port scan in progress, (NULL), (NULL), 161.178.223.221, 0, 0.0.0.0, 0, (NULL), (NULL), 10.248.8.110, 0, 0.0.0.0, 0, udp, global.IDP, 1631, Metro IDP IP / Port Scan Policy, traffic anomalies, 2, accepted, info, yes, ‘interface=eth3’, (NULL), (NULL), (NULL), 0, 0, 0, 0, 0, 0, 0, 0, no, 25, Not

McAfee IntruShield Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

Syslog

Sample Parsed Syslog Message

What is Discovered and Monitored
Protocol Information Discovered Metrics Collected Used For
 Syslog      

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps handles custom syslog messages from McAfee Intrushield.

  1. Log in to McAfee Intrushield Manager.
  2. Create a customer syslog format with these fields:
    1. AttackName
    2. AttackTime
    3. AttackSeverity
    4. SourceIp
    5. SourcePort
    6. DestinationIp
    7. DestinationPort
    8. AlertId
    9. AlertType
    10. AttackId
    11. AttackSignature
    12. AttackConfidence
    13. AdminDomain
    14. SensorName:ASCDCIPS01
    15. Interface
    16. Category
    17. SubCategory
    18. Direction
    19. ResultStatus
    20. DetectionMechanism
    21. ApplicationProtocol
    22. NetworkProtocol
    23. Relevance
  3. Set the message format as a sequence of Attribute:Value pairs as in this example.

AttackName:$IV_ATTACK_NAME$,AttackTime:$IV_ATTACK_TIME$,AttackSever ity::$IV_ATTACK_SEVERITY$,SourceIp:$IV_SOURCE_IP$,SourcePort:$IV_SO URCE_PORT$,

DestinationIp:$IV_DESTINATION_IP$,DistinationPort:$IV_DESTINATION_P ORT$,AlertId:$IV_ALERT_ID$,AlertType:$IV_ALERT_TYPE$,AttackId$IV_AT

TACK_ID$,

AttackSignature:$IV_ATTACK_SIGNATURE$,AttackConfidence:$IV_ATTACK_C ONFIDENCE$,AdminDomain:$IV_ADMIN_DOMAIN$,SensorName:$IV_SENSOR_NAME

$,

Interface:$IV_INTERFACE$,Category:$IV_CATEGORY$,SubCategory:$IV_SUB _CATEGORY$,Direction:$IV_DIRECTION$,ResultStatus:$IV_RESULT_STATUS$

,

DetectionMechanism:$IV_DETECTION_MECHANISM$,ApplicationProtocol:$IV _APPLICATION_PROTOCOL$,NetworkProtocol:$IV_NETWORK_PROTOCOL$,Releva nce:$IV_RELEVANCE$

  1. Set AccelOps as the syslog recipient.

Sample Parsed Syslog Message

Mar 24 16:23:18 SyslogAlertForwarder: AttackName:Invalid Packets detected,AttackTime:2009-03-24 16:23:17 EDT,AttackSeverity:Low,SourceIp:127.255.106.236,

SourcePort:N/A,DestinationIp:127.255.106.252,DistinationPort:N/A,AlertId :5260607647261334188,AlertType:Signature,AttackId:0x00009300,AttackSigna ture:N/A, AttackConfidence:N/A,AdminDomain:ASC,SensorName:ASCDCIPS01,Interface:1A-

1B,Category:Exploit,SubCategory:protocol-violation,Direction:Outbound, ResultStatus:May be successful,DetectionMechanism:signature,ApplicationProtocol:N/A,NetworkP rotocol:N/A,Relevance:N/A,HostIsolationEndTime:N/A

McAfee Stonesoft IPS

What is Discovered and Monitored Configuration

What is Discovered and Monitored
Protocol Information Discovered Metrics Collected Used For
 Syslog   Network IPS alerts Security Monitoring

Event Types

In CMDB > Event Types, search for “stonesoft” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps processes events from this device via CEF formatted syslog sent by the device. Configure the device to send syslog to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

Example Syslog

<6>CEF:0|McAfee|IPS|5.4.3|70018|Connection_Allowed|0|spt=123 deviceExternalId=STP-NY-FOO01 node 1 dmac=84:B2:61:DC:E1:31 dst=169.132.200.3 cat=System Situations app=NTP (UDP) rt=Apr 08 2016 00:26:13 deviceFacility=Inspection act=Allow deviceOutboundInterface=Interface #5 deviceInboundInterface=Interface #4 proto=17 dpt=123 src=10.64.9.3 dvc=12.17.2.17 dvchost=12.17.2.17 smac=78:DA:6E:0D:FF:C0 cs1Label=RuleId cs1=2097152.6

Motorola AirDefense Configuration
What is Discovered and Monitored
Protocol Information Discovered Metrics Collected Used For
 Syslog   Wireless IDS logs Security Monitoring

Event Types

About 37 event types covering various Wireless attack scenarios – search for them by entering “Motorola-AirDefense” in CMDB > EventType.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Configure the device to send logs to AccelOps. Make sure that the format is as follows.

Snort Intrusion Protection System Configuration

What is Discovered and Monitored

Example Parsed Snort Syslog

Supported Databases and Snort Database Schemas

SNMP Access to the Database Server

Debugging Snort Database Connectivity

Examples of Snort IPS Events Pulled over JDBC

Viewing Snort Packet Payloads in Reports

Exporting Snort IPS Packets as a PCAP File  Settings for Access Credentials

What is Discovered and Monitored
Protocol Information Discovered Metrics

Collected

Used

For

 Syslog      
 JDBC Generic information: signature ID, signature name, sensor ID, event occur time, signature priority TCP: packet header, including source IP address, destination IP address, Source Port, Destination

Port, TCP Sequence Number, TCP Ack Number, TCP Offset, TCP Reserved, TCP Flags, TCP

Window size, TCP Checksum, tTCP Urgent Pointer; and  packet payload

UDP: packet header, including source IP address, destination IP address, Source Port, Destination Port, UDP Length,  checksum; and  packet payload

ICMP: packet header, including source IP address, destination IP address, ICMP Type, ICMP Code, Checksum, ICMP ID, Sequence Number; and  packet payload

   
SNMP (for access to the database server hosting the Snort database)      

Event Types

In CMDB > Event Types, search for “snort_ips” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

There are no predefined reports for this device.

Configuration

Syslog

Collecting event information from Snort via syslog has two drawbacks:

  1. It is not reliable because it is sent over UDP.
  2. Information content is limited because of UDP packet size limit.

For these reasons, you should consider using JDBC to collect event information from Snort.

These instructions illustrate how to configure Snort on Linux to send syslogs to AccelOps. For further information, you should consult the Snort product documentation.

  1. Log in to your Linux server where Snort is installed.
  2. Navigate to and open the file /etc/snort/snort.conf.
  3. Modify alert_syslog to use a local log facility.
  4. Navigate to and open the file /etc/syslog.conf.
  5. Add a redirector to send syslogs to AccelOps.

 

  1. Restart the Snort daemon.

Example Parsed Snort Syslog

<161>snort[2242]: [1:206:9] BACKDOOR DeepThroat 3.1 CD ROM Open Client

Request [Classification: Misc activity] [Priority: 3]: {UDP}

192.168.19.1:6555 -> 172.16.2.5:514 <161>snort[5774]: [1:1560:6] WEB-MISC /doc/ access [Classification:

access to a potentially vulnerable web application] [Priority: 2]: {TCP} 192.168.20.53:41218 -> 192.168.0.26:80 <161>snort[5774]: [1:466:4] ICMP L3retriever Ping [Classification:

Attempted Information Leak] [Priority: 2]: {ICMP} 192.168.20.49 ->

192.168.0.10

<161>snort[5774]: [1:1417:9] SNMP request udp [Classification: Attempted

Information Leak] [Priority: 2]: {UDP} 192.168.20.40:1061 ->

192.168.20.2:161

JDBC

Supported Databases and Snort Database Schemas

When using JDBC to collect IPS information from Snort, AccelOps can capture a full packet that is detailed enough to recreate the packet via a PCAP file.

AccelOps supports collecting Snort event information over JDBC these database types:

Oracle

MS SQL

MySql

PostgreSQL

AccelOps supports Snort database schema 107 or higher.

SNMP Access to the Database Server

You will need to set up an SNMP access credential for the server that hosts the Snort database. See the topics under Database Server Configuration for information on setting up SNMP for communication with AccelOps for several common types of database servers.

Once you have set up SNMP on your database server, you can configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Debugging Snort Database Connectivity

Snort IPS alert are pulled over JDBC by a Java agent, which has to join multiple database tables to create the events. An internal log file is created for each pull.

At most 1000 database records (IPS Alerts) are pulled at a time. If AccelOps finds more than 1000 new records, then it begins to fall behind and this log is created.

Examples of Snort IPS Events Pulled over JDBC

UDP Event

<134>Feb 25 14:27:56 10.1.2.36 java: [Snort-1417]:[eventSeverity]=PHL_INFO,[relayDevIpAddr]=10.1.2.36,[ipsSen sorId]=1,[snortEventId]=10343430,[sensorHostname]=10.1.2.36,[signatureId ]=1417,[eventName]=SNMP request udp,[eventSeverity]=2,[eventTime]=2012-11-07 17:56:51.0,[srcIpAddr]=10.1.2.245,[destIpAddr]=10.1.2.36,[ipVersion]=4,[ ipHeaderLength]=5,[tos]=0,[ipTotalLength]=75,[ipId]=0,[ipFlags]=0,[ipFra gOffset]=0,[ipTtl]=64,[ipProto]=17,[ipChecksum]=8584,[srcIpPort]=35876,[ destIpPort]=161,[udpLen]=55,[checksum]=39621,[dataPayload]=302D020101040 67075626C6963A520…

TCP Event

<134>Aug 08 09:30:59 10.1.20.51 java: [Snort-1000001]:[eventSeverity]=PHL_INFO,[hostIpAddr]=10.1.20.51,[sensor

Id]=1,[eventId]=17897184,[signatureId]=1000001,[signatureName]=Snort

Alert [1:1000001:0],[signaturePri]=null,[eventTime]=2012-08-08

09:26:24.0,[srcIpAddr]=10.1.2.99,[destIpAddr]=10.1.20.51,[srcIpPort]=523

14,[destIpPort]=80,[seqNum]=967675661,[tcpAckNum]=3996354107,[tcpOffset] =5,[tcpReserved]=0,[tcpFlags]=24,[tcpWin]=16695,[checksum]=57367,[tcpUrg entPointer]=0,[dataPayload]=474554202F66617669636F6E2E69636F204…

Viewing Snort Packet Payloads in Reports

 

AccelOps creates an event for each IPS alert in Snort database. You can view the full payload packet associated with a Snort event when you run a report.

  1. Set up a structured historical search.
  2. Set these conditions, where Reporting IP is an IP belonging to the Snort Application group.
Attribute Operator Value
Reporting IP IN Applications: Network IPS App
  1. For Display Fields, include Data Payload.

When you run the query, Data Payload will be one one of the display columns.

  1. When the query runs, select an event, and the data payload will display at the bottom of the search results in a byte-by-byte ethereal/wireshark format.

 

Exporting Snort IPS Packets as a PCAP File

After running a report, click the Export button and choose the PCAP option.

Settings for Access Credentials

 

 

Sourcefire 3D and Defense Center Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

Syslog

Sample Syslogs from SourceFire3D IPS

Sample Syslogs from SourceFire DefenseCenter

What is Discovered and Monitored
Protocol Information Discovered Metrics Collected Used For
 Syslog      

Event Types

In CMDB > Event Types, search for “sourcefire” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps handles SourceFire alerts via syslog either from IPS appliances themselves or from DefenseCenter. Events are classified as Snort event types.

Simply configure SourceFire appliances or DefenseCenter to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Sample Syslogs from SourceFire3D IPS

Sample Syslogs from SourceFire DefenseCenter

TippingPoint Intrusion Protection System Configuration
What is Discovered and Monitored
Protocol Information Discovered Metrics Collected Used For
 SNMP   CPU, memory, Interface utilization Performance and Availability Monitoring
 Syslog   IPS Alerts Security Monitoring

Event Types

In CMDB > Event Types, search for “tippingpoint” in the Device Type and Description columns to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

 SNMP

  1. Log in to the TippingPoint appliance or the SMS Console.
  2. Go to System > Configuration > SMS/NMS.
  3. For SMS Authorized IP Address/CIDR, make sure any is entered.
  4. Select Enabled for SNMP V2.
  5. For NMS Community String, enter public.
  6. Click Apply.

Syslog

  1. Log in to the TippingPoint appliance or the SMS Console.
  2. Go to System > Configuration > Syslog Servers.
  3. Under System Log, enter the IP Address of the AccelOps virtual appliance.
  4. Select Enable syslog offload for System Log.
  5. Under Aud Log, enter the IP Address of the AccelOps virtual appliance.
  6. Select Enable syslog offload for Audit Log.
  7. Click Apply.

Configure the Syslog Forwarding Policy (Filter Notification Forwarding)

The filter log can be configured to generate events related to specific traffic on network segments that need to pass through the device. This log includes three categories of events.

Event

Category

Description
Alert Alert events indicate that the IPS has detected suspicious activity in the packet, but still permits the packet to pass through (specific settings are controlled by administrator profile)
Block Block events are malicious packets not permitted to pass
P2P Refers to peer-to-peer traffic events

In addition, filter events contain a UUID, which is a unique numerical identifier that correlates with the exact security threat defined by Tipping Point Digital Vaccine Files. The Accelops Virtual Appliance will correlate these with authoritative databases of security threats.

  1. Go to IPS > Action Sets.
  2. Click Permit + Notify.
  3. Under Contacts, click Remote Syslog.
  4. Under Remote Syslog Information, enter the IP Address of the Accelops virtual appliance.
  5. Make sure the Port is set to 514.
  6. Make sure Delimiter is set to tab, comma, or semicolon.
  7. Click Add to Table Below.

You should now see the IP address of the Accelops virtual appliance appear as an entry in the Remote Syslogs table.

Sample parsed syslog messages

FortiSIEM Configuring Network Compliance Management Applications

Configuring Network Compliance Management Applications

AccelOps supports these Network Compliance Management applications and monitoring.

Cisco Network Compliance Manager Configuration

Cisco Network Compliance Manager Configuration

What is Discovered and Monitored

Protocol Information discovered Metrics/Logs collected Used for
Syslog   Network device software update, configuration analysis for compliance, admin login Log analysis and compliance

Event Types

Over 40 event types are generated by parsing Cisco Network Configuration Manager logs. The complete list can be found in CMDB > Event Types by searching for Cisco-NCM. Some important ones are

Cisco-NCM-Device-Software-Change

Cisco-NCM-Software-Update-Succeeded

Cisco-NCM-Software-Update-Failed

Cisco-NCM-Policy-Non-Compliance

Cisco-NCM-Device-Configuration-Deployment

Cisco-NCM-Device-Configuration-Deployment-Failure

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

AccelOps processes events from this device via syslog.  Configure the device to send syslog to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

Example Syslog

Note that each JSON formatted syslog contains many logs.

490998571 Mon Mar 03 03:09:31 EST 2014 Savvy Device Command Script

Completed Successfully server01.foo.com 10.4.161.32 Script ‘Re-enable

EasyTech port for Cisco IOS configuration’ completed.  Connect –

Succeeded Connected via ssh to 10.170.30.9 [in realm Default Realm]   Login / Authentication – Succeeded Successfully used: Last successful password  (Password rule Retail TACACS NCM Login)    Optional:Script Succeeded Successfully executed: prepare configuration for deployment Script – Succeeded Successfully executed: deploy to running configuration via TFTP through CLI Bypassed: deploy to running configuration via SCP through CLI.  (Requires SCP, CLI to be enabled.) Tried: deploy to running configuration via FTP through CLI (Warning: SSH server username or password not specified in NA admin settings.) Optional:Script – Succeeded Successfully executed: determine result of deployment operation  Script run: ———————————————————— ! interface fast0/16 no shut

491354611 Tue Mar 04 03:38:22 EST 2014 FooA Software Update Succeeded server01.foo.com 1.1.1.32  44571 10.173.30.9 $OrignatorEmail$ FooA Update Device Software 2014-03-04 03:30:00.0 usmist_1699295009

(1.13.3.9) Succeeded

 

 

FortiSIEM Configuring Load Balancers and Application Firewalls

Configuring Load Balancers and Application Firewalls

AccelOps supports these load balancers and application firewalls for discovery and monitoring.

Brocade ServerIron ADX Configuration

Citrix Netscaler Application Delivery Controller (ADC) Configuration

F5 Networks Application Security Manager

F5 Networks Local Traffic Manager Configuration

F5 Networks Web Accelerator

Qualys Web Application Firewall

Brocade ServerIron ADX Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

SNMP

What is Discovered and Monitored

Protocol Information discovered Metrics/Logs collected Used for
SNMP Host name, serial number, hardware (CPU, memory, network interface etc) Uptime, CPU, Memory, Interface Utilization, Hardware status,

Real Server Statistics

Performance/Availability

Monitoring

There are no predefined rules for this device other than covered by generic network devices.

Reports

There are no predefined reports for this device other than covered by generic network devices.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Citrix Netscaler Application Delivery Controller (ADC) Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

Syslog

Example Syslog

What is Discovered and Monitored

Protocol Information discovered Metrics/Logs collected Used for
Syslog   Permitted and Denied traffic Log analysis and compliance

Event Types

In CMDB > Event Types, search for “netscaler” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “nestler” in the Name column to see the reports associated with this device.

Configuration

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Example Syslog

<182> 07/25/2012:19:56:41   PPE-0 : UI CMD_EXECUTED 473128 :  User nsroot – Remote_ip 10.13.8.75 – Command “show ns hostName” – Status “Success” <181> 07/25/2012:19:56:05  NS2-MAIL PPE-0 : EVENT DEVICEUP 33376 : Device “server_vip_NSSVC_SSL_172.17.102.108:443(accellion:443)” – State

UP <181> 07/25/2012:19:55:35  NS2-MAIL PPE-0 : EVENT DEVICEDOWN 33374 : Device “server_vip_NSSVC_SSL_172.17.102.108:443(accellion:443)” – State

DOWN

<182> 07/24/2012:15:37:08   PPE-0 : EVENT MONITORDOWN 472795 :  Monitor

Monitor_http_of_Domapps:80(10.50.15.14:80) – State DOWN

F5 Networks Application Security Manager

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

Syslog

Example Syslog

What is Discovered and Monitored

Protocol Information discovered Metrics/Logs collected Used for
Syslog   Various application level attack scenarios – invalid directory access, SQL injections, cross site exploits. Log analysis and compliance

Event Types

In CMDB > Event Types, search for “f5-asm” in the Name column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Example Syslog

<134>Jun 26 14:18:56 f5virtual.tdic.ae

ASM:CEF:0|F5|ASM|10.2.1|Successful Request|Successful Request|2|dvchost=f5virtual.adic.com dvc=192.168.1.151 cs1=master-key_default cs1Label=policy_name cs2=master-key cs2Label=web_application_name deviceCustomDate1=Jul 13 2011 16:24:25 deviceCustomDate1Label=policy_apply_date externalId=3601068286554428885 act=passed cn1=404 cn1Label=response_code src=10.10.77.54 spt=49399 dst=10.10.175.82 dpt=443 requestMethod=POST app=HTTPS request=/ipp/port1 cs5=N/A cs5Label=x_forwarded_for_header_value rt=Jun 26 2012 14:18:55 deviceExternalId=0 cs4=N/A cs4Label=attack_type cs6=N/A cs6Label=geo_location cs3Label=full_request cs3=POST /ipp/port1 HTTP/1.1\r\nHost: 127.0.0.1:631\r\nCache-Control: no-cache\r\nContent-Type: application/ipp\r\nAccept: application/ipp\r\nUser-Agent: Hewlett-Packard IPP\r\nContent-Length: 9\r\n\r\n

 

F5 Networks Local Traffic Manager Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

SNMP

SNMP Trap

Example SNMP Trap

Syslog

Example Syslog

Settings for Access Credentials

What is Discovered and Monitored

Protocol Information discovered Metrics/Logs collected Used for
SNMP Host name, serial number, hardware (CPU, memory, network interface, disk etc) and software information (running and installed software) Uptime, CPU, Memory, Disk utilization, Interface Utilization, Hardware status, process level CPU and memory urilization Performance/Availability

Monitoring

SNMP

Trap

  Exception situations including hardware failures, certain security attacks, Policy violations etc Performance/Availability

Monitoring

Syslog   Permitted and Denied traffic Log analysis and compliance

Event Types

In CMDB > Event Types, search for “f5-LTM” in the Name column to see the event types associated with this device.

Search for “f5-BigIP” in  CMDB > Event Types to see event types associated with SNMP traps for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

SNMP Trap

AccelOps processes events from this device via SNMP traps sent by the device. Configure the device to send send SNMP traps to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

Example SNMP Trap

2012-01-18 14:13:43 0.0.0.0(via UDP: [192.168.20.243]:161) TRAP2, SNMP v2c, community public                . Cold Start Trap (0) Uptime: 0:00:00.00         DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks:

(33131) 0:05:31.31                SNMPv2-MIB::snmpTrapOID.0 = OID:

SNMPv2-SMI::enterprises.3375.2.4.0.1

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Example Syslog

Settings for Access Credentials

F5 Networks Web Accelerator

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

Syslog

Example Syslog

What is Discovered and Monitored

Protocol Information discovered Metrics/Logs collected Used for
Syslog   Permitted traffic Log analysis and compliance

Event Types

In CMDB > Event Types, search for “f5-web” in the Name column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Example Syslog

Qualys Web Application Firewall

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

Example Syslog

What is Discovered and Monitored

Protocol Information discovered Metrics/Logs collected Used for
Syslog   Permitted and Denied Web traffic Log analysis and compliance

Event Types

The following event types are generated by parsing Qualys Web Application Firewall traffic logs and analyzing the HTTP error code.

Qualys-WAF-Web-Request-Success

Qualys-WAF-Web-Bad-Request

Qualys-WAF-Web-Client-Access-Denied

Qualys-WAF-Web-Client-Error

Qualys-WAF-Web-Forbidden-Access-Denied

Qualys-WAF-Web-Length-Reqd-Access-Denied

Qualys-WAF-Web-Request

Qualys-WAF-Web-Request-Redirect

Qualys-WAF-Web-Server-Error

Rules

There are no predefined rules for this device.

Reports

Relevant reports are defined in CMDB > Reports > Device > Network > Web Gateway

Configuration

AccelOps processes events from this device via syslog sent in JSON format.  Configure the device to send syslog to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

Example Syslog

Note that each JSON formatted syslog contains many logs.

<1350>1 2015-05-15T12:57:30.945000+00:00 localhost qualys_waf –

QUALYS_WAF –

{“timestamp”:”2015-05-15T12:57:30.945-00:00″,”duration”:6011,”id”:”487c1

16c-4908-4ce3-b05c-eda5d5bb7045″,”clientIp”:”172.27.80.170″,”clientPort”

:9073,”sensorId”:”d3acc41f-d1fc-43be-af71-e7e10e9e66e2″,”siteId”:”41db09 70-8413-4648-b7e2-c50ed53cf355″,”connection”:{“id”:”bc1379fe-317e-4bae-a e30-2a382e310170″,”clientIp”:”172.27.80.170″,”clientPort”:9073,”serverIp “:”192.168.60.203″,”serverPort”:443},”request”:{“method”:”POST”,”uri”:”/ “,”protocol”:”HTTP/1.1″,”host”:”esers-test.foo.org”,”bandwidth”:0,”heade rs”:[{“name”:”Content-Length”,”value”:”645″},{“name”:”Accept”,”value”:”t ext/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0. 8″},{“name”:”User-Agent”,”value”:”Mozilla/5.0 (Windows NT 6.1; WOW64)

AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36″},{“name”:”Content-Type”,”value”:”application/x-www-form-u rlencoded”},{“name”:”Referer”,”value”:”https://esers-test.ohsers.org/”}, {“name”:”Accept-Encoding”,”value”:”gzip, deflate”},{“name”:”Accept-Language”,”value”:”en-US,en;q=0.8″}],”headerOr der”:”HILCAUTRELO”},”response”:{“protocol”:”HTTP/1.1″,”status”:”200″,”me ssage”:”OK”,”bandwidth”:0,”headers”:[{“name”:”Content-Type”,”value”:”tex t/html; charset=utf-8″},{“name”:”Server”,”value”:”Microsoft-IIS/8.5″},{“name”:”C ontent-Length”,”value”:”10735″}],”headerOrder”:”CTXSDL”},”security”:{“au ditLogRef”:”b02f96e9-2649-4a83-9459-6a02da1a5f05″,”threatLevel”:60,”even ts”:[{“tags”:[“qid/226015″,”cat/XPATHi”,”cat/SQLi”,”qid/150003″,”loc/req /body/txtUserId”,”cfg/pol/applicationSecurity”],”type”:”Alert”,”rule”:”m ain/qrs/sqli/xpathi/condition_escaping/boolean/confidence_high/3″,”messa ge”:”Condition escaping detected (SQL or XPATH injection) txtUserId.”,”confidence”:80,”severity”:60,”id”:”262845566″},{“tags”:[“ca t/correlation”,”qid/226016″],”type”:”Observation”,”rule”:”main/correlati on/1″,”message”:”Info: Threat level exceeded blocking threshold (60).”,”confidence”:0,”severity”:0,”id”:”262846018″},{“tags”:[“cat/corre lation”,”qid/226016″],”type”:”Observation”,”rule”:”main/correlation/1″,” message”:”Info: Blocking refused as blocking mode is

disabled.”,”confidence”:0,”severity”:0,”id”:”262846167″},{“tags”:[“cat/c orrelation”,”cat/XPATHi”,”qid/226015″],”type”:”Alert”,”rule”:”main/corre lation/1″,”message”:”Detected:

XPATHi.”,”confidence”:80,”severity”:60,”id”:”268789851″}]}}

FortiSIEM Configuring Firewalls

Configuring Firewalls

AccelOps supports these firewalls for discovery and monitoring.

Check Point FireWall-1 Configuration

Check Point Provider-1 Firewall Configuration

Configuring MDS for Check Point Provider-1 Firewalls

Configuring MLM for Check Point Provider-1 Firewalls

Configuring CMA for Check Point Provider-1 Firewalls

Configuring CLM for Check Point Provider-1 Firewalls

Check Point VSX Firewall Configuration

Cisco Adaptive Security Appliance (ASA) Configuration

Dell SonicWALL Firewall Configuration

Fortinet FortiGate Firewall Configuration

Juniper Networks SSG Firewall Configuration

McAfee Firewall Enterprise (Sidewinder) Configuration

Palo Alto Firewall Configuration

Sophos UTM Firewall Configuration

WatchGuard Firebox Firewall Configuration

Check Point FireWall-1 Configuration

What is Discovered and Monitored

Add AccelOps as a Managed Node

Create an OPSEC Application for AccelOps

Create a Firewall Policy for AccelOps  Settings for Access Credentials

What is Discovered and Monitored

Protocol Information Discovered Metrics collected Used for
SNMP Host name, Firewall model and version, Network interfaces Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Firewall connection count Availability and

Performance

Monitoring

LEA   All traffic and system logs Security and

Compliance

Event Types

In CMDB > Event Types, search for “firewall-1” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

LEA

Add AccelOps as a Managed Node

  1. Log in to your Check Point SmartDomain Manager.
  2. In the Global Policies tab, select Multi-Domain Security Management, and then right-click to select Launch Global SmartDashboard

.

  1. Select the Firewall
  2. Click the Network Objects
  3. Select Nodes, and then right-click to select Node > Host… .
  4. Select General Properties.
  5. Enter a Name for your AccelOps host, like AccelOpsVA. 8. Enter the IP Address of your AccelOps virtual appliance.
  6. Click OK.

Create an OPSEC Application for AccelOps

  1. In the Firewall tab, click the Servers and OPSEC
  2. Select OPSEC Applications, and then right-click to select New > OPSEC Application.
  3. Click the General
  4. Enter a Name for your OPSEC application, like OPSEC_AccelOpsVA.
  5. For Host, select the AccelOps host.
  6. Under Client Entities, select LEA and CPMI.

For Check Point FireWall-1, also select SNMP.

  1. Click Communication.
  2. Enter a one-time password.

This is the password you will use in setting up access credentials for your firewall in AccelOps.

  1. Click Initialize.
  2. Close and re-open the application.
  3. In the General tab, next to Communication, the DN field will now contain a value like CN=OPSEC_AccelOpsVA,0=MDS..i6g4zq. This is the AccelOps Client SIC DN that you will need when you copy the secure internal communication certificates and set the access credentials for your firewall in AccelOps.

Create a Firewall Policy for AccelOps

  1. In Servers and Opsec > OPSEC Applications, select your AccelOps application.
  2. In the Rules menu, select Top.
  3. Right-click SOURCE, then click Add and select your AccelOps virtual appliance.
  4. Right-click DESTINATION, then click Add and select your Check Point firewall.
  5. Right-click SERVICE, then click Add and select FW1_lea, and CPMI.

Also select snmp if you are configuring a Check Point FireWall-1 firewall.

  1. Right-click ACTION and select Accept.
  2. Right-click TRACK and select Log.
  3. Go to Policy > Install.
  4. Click OK.
  5. Go to OPSEC Applications and select your AccelOps application.
  6. In the General tab of the Properties window, make sure that the communications have been enabled between your firewall and AccelOps.

Settings for Access Credentials

 

Check Point Provider-1 Firewall Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration Overview

Component Configuration for Domain-Level Audit Logs

Component Configuration for Firewall Logs

What is Discovered and Monitored

Protocol Information Discovered Metrics collected Used for
SNMP Host name, Firewall model and version, Network interfaces Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Firewall connection count Availability and

Performance

Monitoring

LEA   All traffic and system logs Security and

Compliance

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration Overview

The configuration of  Check Point Provider-1 depends on the type of log that you want sent to AccelOps. There are two options:

 Domain level audit logs, which contain information such as domain creation, editing, etc.

Firewall logs, which include both audit log for firewall policy creation, editing, etc., and traffic logs

These logs are generated and stored among four different components:

Multi-Domain Server (MDS), where domains are configured and certificates have to be generated

Multi-Domain Log Module (MLM), where domain logs are stored

Customer Management Add-on (CMA), the customer management module

Customer Log Module (CLM), which consolidates logs for an individual customer/domain

Discover Paired Components on the Same Collector or Supervisor

Discovery of the MLM requires the certificate of the MDS, and discovery of the CLM requires the certificate of the CMA. Make sure that you discover the MDS & MLM pair, and the CMA & CLM pair, on the same Supervisor or Collector. If you attempt to discover them on separate Collectors, discovery will fail.

Component Configuration for Domain-Level Audit Logs

  1. Configure MDS.
  2. Use the Client SIC obtained while configuring MDS to configure MLM.
  3. Pull logs from MLM.

Component Configuration for Firewall Logs

  1. Configure CMA.
  2. Use the Client SIC obtained while configuring CMA to configure CLM.
  3. Pull logs from CLM.

If you want to pull firewall logs from a domain, you have to configure CLM for that domain.

See these topics for instructions on how to configure each component for Check Point Provider-1 firewalls.

Configuring MDS for Check Point Provider-1 Firewalls

Configuring MLM for Check Point Provider-1 Firewalls

Configuring CMA for Check Point Provider-1 Firewalls

Configuring CLM for Check Point Provider-1 Firewalls

Configuring MDS for Check Point Provider-1 Firewalls

Configuration

Get the MDS Server SIC for AccelOps Access Credentials

Add AccelOps as a Managed Node

Create an OPSEC Application for AccelOps

Create a Firewall Policy for AccelOps

Copy Secure Internal Communication (SIC) certificates Settings for Access Credentials

The Check Point Provider-1 firewall Multi-Domain Server (MDS) is where domains are configured and certificates are generated for communicating with AccelOps. if you want to have domain logs from the Multi-Domain Log Module (MLM) sent from your firewall to AccelOps, you must first configure and discover MDS, then use the AO Client SIC created for your AccelOps OPSEC application to configure the access credentials for MLM.

Discover Paired Components on the Same Collector or Supervisor

Discovery of the MLM requires the certificate of the MDS, and discovery of the CLM requires the certificate of the CMA. Make sure that you discover the MDS & MLM pair, and the CMA & CLM pair, on the same Supervisor or Collector. If you attempt to discover them on separate Collectors, discovery will fail.

Configuration

Get the MDS Server SIC for AccelOps Access Credentials

You will use the MDS Server SIC to create access credentials in AccelOps for communicating with your server.

  1. Log in to your Check Point SmartDomain Manager.
  2. Select Multi-Domain Server Contents.
  3. Select MDS, and then right-click to select Configure Multi-Domain Server… .
  4. In the General tab, under Secure Internet Communication, note the value for DN.

Add AccelOps as a Managed Node

  1. Log in to your Check Point SmartDomain Manager.
  2. In the Global Policies tab, select Multi-Domain Security Management, and then right-click to select Launch Global SmartDashboard

.

  1. Select the Firewall
  2. Click the Network Objects
  3. Select Nodes, and then right-click to select Node > Host… .
  4. Select General Properties.
  5. Enter a Name for your AccelOps host, like AccelOpsVA. 8. Enter the IP Address of your AccelOps virtual appliance.
  6. Click OK.

Create an OPSEC Application for AccelOps

  1. In the Firewall tab, click the Servers and OPSEC
  2. Select OPSEC Applications, and then right-click to select New > OPSEC Application.
  3. Click the General
  4. Enter a Name for your OPSEC application, like OPSEC_AccelOpsVA.
  5. For Host, select the AccelOps host.
  6. Under Client Entities, select LEA and CPMI.

For Check Point FireWall-1, also select SNMP.

  1. Click Communication.
  2. Enter a one-time password.

This is the password you will use in setting up access credentials for your firewall in AccelOps.

  1. Click Initialize.
  2. Close and re-open the application.
  3. In the General tab, next to Communication, the DN field will now contain a value like CN=OPSEC_AccelOpsVA,0=MDS..i6g4zq. This is the AccelOps Client SIC DN that you will need when you copy the secure internal communication certificates and set the access credentials for your firewall in AccelOps.

Create a Firewall Policy for AccelOps

  1. In Servers and Opsec > OPSEC Applications, select your AccelOps application.
  2. In the Rules menu, select Top.
  3. Right-click SOURCE, then click Add and select your AccelOps virtual appliance.
  4. Right-click DESTINATION, then click Add and select your Check Point firewall.
  5. Right-click SERVICE, then click Add and select FW1_lea, and CPMI.

Also select snmp if you are configuring a Check Point FireWall-1 firewall.

  1. Right-click ACTION and select Accept.
  2. Right-click TRACK and select Log.
  3. Go to Policy > Install.
  4. Click OK.
  5. Go to OPSEC Applications and select your AccelOps application.
  6. In the General tab of the Properties window, make sure that the communications have been enabled between your firewall and AccelOps.

Copy Secure Internal Communication (SIC) certificatesCopy Client SIC

  1. Go to Manage > Server and OPSEC Applications.
  2. Select OPSEC Application and then right-click to select accelops.
  3. Click
  4. Enter the SIC DN of your application. Copy Server SIC
  5. In the Firewall tab, go to Manage.
  6. Click the Network Object icon, and then right-click to select Check Point Gateway.
  7. Click Edit.
  8. Enter the SIC DN.
  9. If there isn’t a field to enter the SIC DN, click Test SIC Status and a dialog will display the SIC DN.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

  1. Configure Checkpoint Provider-1 MDS credential as shown below.

Activation key was the one-time password you input in Step 2f above.

AO Client SIC was generated in Step 2g above

MDS Server SIC was generated in Step 1 above

  1. Click “Generate Certificate”. It should be successful. Note that the button will be labeled ‘Regenerate Certificate’ if you have

Configuring MLM for Check Point Provider-1 Firewalls

Prerequisites

Configuration

Get MLM Server SIC for Setting Up AccelOps Access Credentials

Settings for Access Credentials

Prerequisites

You need to have configured and discovered your Check Point Provider-1 MDS before you configure the Multi-Domain Log Module (MLM). You will need the AO Client SIC that was generated when you created your AccelOps OPSEC application in the MDS to set up the access credentials for your MLM in AccelOps.

Discover Paired Components on the Same Collector or Supervisor

Discovery of the MLM requires the certificate of the MDS, and discovery of the CLM requires the certificate of the CMA. Make sure that you discover the MDS & MLM pair, and the CMA & CLM pair, on the same Supervisor or Collector. If you attempt to discover them on separate Collectors, discovery will fail.

Configuration

 Get MLM Server SIC for Setting Up AccelOps Access Credentials
  1. Log in to your Check Point SmartDomain Manager.
  2. In the General tab, click Multi-Domain Server Contents.
  3. Right-click MLM and select Configure Multi-Domain Server… .
  4. Next to Communication, note the value for DN.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

 

 

Configuring CMA for Check Point Provider-1 Firewalls

The Check Point Provider-1 Customer Management Add-On (CMA) creates logs that are then consolidated by the Customer Log Module (CLM). If you want the CLM to send logs to AccelOps, you need to first configure the CMA and obtain the AO Client SIC to configure access credentials for communication between the CLM and AccelOps.

Configuration

Get CMA Server SIC for Setting Up AccelOps Access Credentials

  1. Log in to your Check Point SmartDomain Manager.
  2. Click the General
  3. Select Domain Contents.
  4. Select the Domain Management Server and right-click to select Launch Application > Smart Dashboard.
  5. Select the Desktop
  6. Select the Network Objects
  7. Double-click on the Domain Management Server to view the General Properties
  8. Click Test SIC Status… .

Note the value for DN. You will use this for the CMA Server SIC setting when creating the access credentials for AccelOps to access your CMA server.

Add AccelOps as a Managed Node

  1. Log in to your Check Point SmartDomain Manager.
  2. In the Global Policies tab, select Multi-Domain Security Management, and then right-click to select Launch Global SmartDashboard

.

  1. Select the Firewall
  2. Click the Network Objects
  3. Select Nodes, and then right-click to select Node > Host… .
  4. Select General Properties.
  5. Enter a Name for your AccelOps host, like AccelOpsVA. 8. Enter the IP Address of your AccelOps virtual appliance.
  6. Click OK.

Create an OPSEC Application for AccelOps

  1. In the Firewall tab, click the Servers and OPSEC
  2. Select OPSEC Applications, and then right-click to select New > OPSEC Application.
  3. Click the General
  4. Enter a Name for your OPSEC application, like OPSEC_AccelOpsVA.
  5. For Host, select the AccelOps host.
  6. Under Client Entities, select LEA and CPMI.

For Check Point FireWall-1, also select SNMP.

  1. Click Communication.
  2. Enter a one-time password.

This is the password you will use in setting up access credentials for your firewall in AccelOps.

  1. Click Initialize.
  2. Close and re-open the application.
  3. In the General tab, next to Communication, the DN field will now contain a value like CN=OPSEC_AccelOpsVA,0=MDS..i6g4zq. This is the AccelOps Client SIC DN that you will need when you copy the secure internal communication certificates and set the access credentials for your firewall in AccelOps.

Create a Firewall Policy for AccelOps

  1. In Servers and Opsec > OPSEC Applications, select your AccelOps application.
  2. In the Rules menu, select Top.
  3. Right-click SOURCE, then click Add and select your AccelOps virtual appliance.
  4. Right-click DESTINATION, then click Add and select your Check Point firewall.
  5. Right-click SERVICE, then click Add and select FW1_lea, and CPMI.

Also select snmp if you are configuring a Check Point FireWall-1 firewall.

  1. Right-click ACTION and select Accept.
  2. Right-click TRACK and select Log.
  3. Go to Policy > Install.
  4. Click OK.
  5. Go to OPSEC Applications and select your AccelOps application.
  6. In the General tab of the Properties window, make sure that the communications have been enabled between your firewall and AccelOps.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Configuring CLM for Check Point Provider-1 Firewalls

Prequisites

Configuration

Get CLM Server SIC for Creating AccelOps Access Credentials

Settings for Access Credentials

Prequisites

You must first configure and discover the Check Point CLA and obtain the AO Client SIC before you can configure the Customer Log Module (CLM). The AO Client SIC is generated when you create the AccelOps OPSEC application.

Discover Paired Components on the Same Collector or Supervisor

Discovery of the MLM requires the certificate of the MDS, and discovery of the CLM requires the certificate of the CMA. Make sure that you discover the MDS & MLM pair, and the CMA & CLM pair, on the same Supervisor or Collector. If you attempt to discover them on separate Collectors, discovery will fail.

Configuration

Get CLM Server SIC for Creating AccelOps Access Credentials

  1. Log in to your Check Point SmartDomain Manager.
  2. Click the General
  3. Select Domain Contents.
  4. Select the Domain Management Server and right-click to select Launch Application > Smart Dashboard.
  5. Select the Desktop
  6. Click the Network Objects
  7. Under Check Point, select the CLM host and double-click to open the General Properties
  8. Under Secure Internal Communication, click Test SIC Status… .
  9. In the SIC Status dialog, note the value for DN.

This is the CLM Server SIC that you will use in setting up access credentials for the CLM in AccelOps.

  1. Click Close.
  2. Click OK.

Install the Database

  1. In the Actions menu, select Policy > Install Database… .
  2. Select the MDS Server and the CLM, and then OK. The database will install in both locations.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Check Point VSX Firewall Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

SNMP

Add AccelOps as a Managed Node

Create an OPSEC Application for AccelOps

Create a Firewall Policy for AccelOps

Copy Secure Internal Communication (SIC) certificates Settings for Access Credentials

What is Discovered and Monitored

AccelOps uses SNMP, LEA to discover the device and to collect logs, configurations and performance metrics.

Protocol Information Discovered Metrics collected Used for
SNMP Host name, Firewall model and version, Network interfaces Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Firewall connection count Availability and

Performance

Monitoring

LEA   All traffic and system logs Security and

Compliance

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

LEA

Add AccelOps as a Managed Node

  1. Log in to your Check Point SmartDomain Manager.
  2. In the Global Policies tab, select Multi-Domain Security Management, and then right-click to select Launch Global SmartDashboard

.

  1. Select the Firewall
  2. Click the Network Objects
  3. Select Nodes, and then right-click to select Node > Host… .
  4. Select General Properties.
  5. Enter a Name for your AccelOps host, like AccelOpsVA. 8. Enter the IP Address of your AccelOps virtual appliance.
  6. Click OK.

Create an OPSEC Application for AccelOps

  1. In the Firewall tab, click the Servers and OPSEC
  2. Select OPSEC Applications, and then right-click to select New > OPSEC Application.
  3. Click the General
  4. Enter a Name for your OPSEC application, like OPSEC_AccelOpsVA.
  5. For Host, select the AccelOps host.
  6. Under Client Entities, select LEA and CPMI.

For Check Point FireWall-1, also select SNMP.

  1. Click Communication.
  2. Enter a one-time password.

This is the password you will use in setting up access credentials for your firewall in AccelOps.

  1. Click Initialize.
  2. Close and re-open the application.
  3. In the General tab, next to Communication, the DN field will now contain a value like CN=OPSEC_AccelOpsVA,0=MDS..i6g4zq. This is the AccelOps Client SIC DN that you will need when you copy the secure internal communication certificates and set the access credentials for your firewall in AccelOps.

Create a Firewall Policy for AccelOps

  1. In Servers and Opsec > OPSEC Applications, select your AccelOps application.
  2. In the Rules menu, select Top.
  3. Right-click SOURCE, then click Add and select your AccelOps virtual appliance.
  4. Right-click DESTINATION, then click Add and select your Check Point firewall.
  5. Right-click SERVICE, then click Add and select FW1_lea, and CPMI.

Also select snmp if you are configuring a Check Point FireWall-1 firewall.

  1. Right-click ACTION and select Accept.
  2. Right-click TRACK and select Log.
  3. Go to Policy > Install.
  4. Click OK.
  5. Go to OPSEC Applications and select your AccelOps application.
  6. In the General tab of the Properties window, make sure that the communications have been enabled between your firewall and AccelOps.

Copy Secure Internal Communication (SIC) certificates

Copy Client SIC

  1. Go to Manage > Server and OPSEC Applications.
  2. Select OPSEC Application and then right-click to select accelops.
  3. Click
  4. Enter the SIC DN of your application. Copy Server SIC
  5. In the Firewall tab, go to Manage.
  6. Click the Network Object icon, and then right-click to select Check Point Gateway.
  7. Click Edit.
  8. Enter the SIC DN.
  9. If there isn’t a field to enter the SIC DN, click Test SIC Status and a dialog will display the SIC DN.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure. Settings for Access Credentials

 

Cisco Adaptive Security Appliance (ASA) Configuration

What is Discovered and Monitored

Sample Cisco ASA Syslog

Commands Used During Telnet/SSH Communication

Set Up AccelOps as a NetFlow Receiver

Create a NetFlow Service Policy

Configure the Template Refresh Rate

Settings for Access Credentials

What is Discovered and Monitored
Protocol Information Discovered Metrics collected Used for  
SNMP (V1,

V2c, V3)

Host name, Hardware model, Network interfaces, Hardware component details: serial number, model, manufacturer, software and firmware versions of components such as fan, power supply, network cards etc., Operating system version, SSM modules such as IPS Uptime, CPU and Memory utilization, Free processor and I/O memory, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Firewall connection count Availability

and

Performance

Monitoring

SNMP (V1,

V2c, V3)

  Hardware health: temperature, fan and power supply status  
SNMP (V1,

V2c, V3)

OSPF connectivity, neighbors, state, OSPF Area OSPF state change Routing

Topology,

Availability

Monitoring

SNMP (V1,

V2c, V3)

  IPSec VPN Phase 1 tunnel metrics: local and remote Vpn Ip addresses, Tunnel status, Tunnel Uptime, Received/Sent BitsPerSec, Received/Sent Packets, Received/Sent BitsPerSec, Received/Sent

Dropped Packets, Received/Sent Rejected Exchanges, Received/Sent

Invalid Exchanges Invalid Received Pkt Dropped, Received Exchanges

Rejected, Received Exchanges Invalid

IPSec VPN Phase 2 tunnel metrics: local and remote Vpn Ip addresses, Tunnel status, Tunnel Uptime, Received/Sent BitsPerSec, Received/Sent Packets, Received/Sent BitsPerSec, Received/Sent

Dropped Packets, Received/Sent Auth Failed, Sent Encrypted Failed,

Received Decrupt failed, Received Replay Failed

Performance

Monitoring

   
Telnet/SSH Running and startup configuration, Interface security levels, Routing tables, Image file name,

Flash memory size

Startup configuration change, delta between running and startup configuration Performance

Monitoring,

Security and Compliance

 
Telnet/SSH   Virtual context for multi-context firewalls, ASA interface security levels needed for setting source and destination IP address in syslog based on interface security level comparisons, ASA name mappings from IP addresses to locally unique names needed for converting names in syslog to IP addresses  
Netflow

(V9)

Open server ports Traffic logs (for ASA 8.x and above) Security and

Compliance

Syslog Device type All traffic and system logs Security and

Compliance

Event Types

In CMDB > Event Types, search for “asa” in the Device Type column to see the event types associated with this device.

Rules

In Analytics > Rules, search for “asa” in the Description column to see the rules associated with this device.

Reports

In Analytics > Reports, search for “asa” in the Description column to see the reports associated with this device.

Configuration
  1. Log in to your ASA with administrative privileges.

Configure SNMP with this command.

Syslog

  1. Log in to your ASA with administrative privileges.
  2. Enter configuration mode (config terminal).
  3. Enter the following commands: no names logging enable logging timestamp logging monitor errors logging buffered errors logging trap debugging logging debug-trace logging history errors logging asdm errors logging mail emergencies

logging facility 16 logging host <ASA interface name> <AccelOps IP>

Sample Cisco ASA Syslog

SSH

  1. Log in to your ASA with administrative privileges.
  2. Configure SSH with this command.

Telnet

  1. Log in to your ASA with administrative privileges.
  2. Configure telnet with this command.

Commands Used During Telnet/SSH Communication

The following commands are used for discovery and performance monitoring via SSH. Make sure that the accounts associated with the ASA access credentials you set up in AccelOps have permission to execute these commands.

  1. show running-config
  2. show version
  3. show flash
  4. show context
  5. show ip route
  6. enable
  7. terminal pager 0
  8. terminal length 0

NetFlow

NetFlow is an optimized protocol for collecting high volume traffic logs. You should configure NetFlow with ASM, the ASA device manager.

Set Up AccelOps as a NetFlow Receiver

  1. Login to ASDM.
  2. Go to Configuration > Device Management > Logging > Netflow.
  3. Under Collectors, click
  4. For Interface, select the ASA interface over which NetFlow will be sent to AccelOps.
  5. For IP Address or Host Name, enter the IP address or host name for your AccelOps virtual appliance that will receive the NetFlow logs.
  6. For UDP Port, enter 2055.
  7. Click OK.
  8. Select Disable redundant syslog messages.

This prevents the netflow equivalent events from being also sent via syslog.

  1. Click Apply.

Create a NetFlow Service Policy

  1. Go to Configuration > Firewall > Service Policy Rules.
  2. Click Add.

The Service Policy Wizard will launch.

  1. Select Global – apply to all interfaces, and then click Next.
  2. For Traffic Match Criteria, select Source and Destination IP Address, and then click Next.
  3. For Source and Destination, select Any, and then click Next.
  4. For Flow Event Type, select All.
  5. For Collectors, select the AccelOps virtual appliance IP address.
  6. Click OK.

Configure the Template Refresh Rate

This is an optional step. The template refresh rate is the number of minutes between sending a template record to AccelOps. The default is 30 minutes, and in most cases this is sufficient. Since flow templates are dynamic, AccelOps cannot process a flow until it knows the details of the corresponding template. This command may not always be needed, but if flows are not showing up in AccelOps, even if tcpdump indicates that  they are, this is worth trying.

You can find out more about configuring NetFlow in the Cisco support forum.

Settings for Access Credentials
Dell SonicWALL Firewall Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

SNMP

Syslog

Example Syslog

Settings for Access Credentials

What is Discovered and Monitored
Protocol Information Discovered Metrics collected Used for
SNMP Host name, Hardware model, Network interfaces,  Operating system version CPU Utilization, Memory utilization and Firewall

Session Count

Availability and Performance

Monitoring

Syslog Device type All traffic and system logs Availability, Security and

Compliance

Event Types

In CMDB > Event Types, search for “sonicwall” in the Device Type column to see the event types associated with Dell SonicWALL firewalls.

Rules

There are no predefined rules for Dell SonicWALL firewalls.

Reports

There are no predefined reports for Dell SonicWALL firewalls.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Dell SonicWALL Firewall Administrator’s Guide (PDF)

Syslog

  1. Log in to your SonicWALL appliance.
  2. Go to Log > Syslog.

Keep the default settings.

  1. Under Syslog Servers, click Add.

The Syslog Settings wizard will open.

  1. Enter the IP Address of your AccelOps Supervisor or Collector.

Keep the default Port setting of 514.

  1. Click OK.
  2. Go to Firewall > Access Rules.
  3. Select the rule that you want to use for logging, and then click Edit.
  4. In the General tab, select Enable Logging, and then click OK.

Repeat for each rule that you want to enable for sending syslogs to AccelOps.

Your Dell SonicWALL firewall should now send syslogs to AccelOps.

Example Syslog

Settings for Access Credentials
Fortinet FortiGate Firewall Configuration

What is Discovered and Monitored

Configuration

Settings for Access Credentials

What is Discovered and Monitored
Protocol Information Discovered Metrics collected Used for
SNMP Host name, Hardware model, Network interfaces,  Operating system version Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths). For 5xxx series firewalls, per CPU utilization (event PH_DEV_MON_FORTINET_PROCESSOR_USGE) Availability and

Performance

Monitoring

Telnet/SSH Running configuration Configuration Change Performance

Monitoring,

Security and

Compliance

Syslog Device type All traffic and system logs Availability,

Security and

Compliance

Event Types

In CMDB > Event Types, search for “fortigate” in the Name and Description columns to see the event types associated with this device.

Rules

In Analytics > Rules, search for “fortigate” in the Name column to see the rules associated with this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP and SSH

  1. Log in to your firewall as an administrator.
  2. Go to System > Network.
  3. Select the FortiGate interface IP that AccelOps will use to communicate with your device, and then click Edit.
  4. For Administrative Access, makes sure that SSH and SNMP are selected.
  5. Click OK
  6. Go to System > Config > SNMP v1/v2c.
  7. Click Create New to enable the public

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

These commands are used for discovery and performance monitoring via SSH. Please make sure that the access credentials you provide in AccelOps have the permissions necessary to execute these commands on the device.

  1. show firewall address
  2. show full-configuration
  3. Log in to your firewall as an administrator.
  4. Go to Log &Report > Log Config > syslog.
  5. Enter the IP Address, Port Number, and Minimum Log Level and Facility for your AccelOps virtual appliance.
  6. Make sure that CSV format is not selected. With the CLI note th
  7. Connect to the Fortigate firewall over SSH and log in.
  8. To configure your firewall to send syslog over UDP, enter this command, replacing the IP address 168.53.2 with the IP address of your AccelOps virtual appliance.

Example FortiGate Syslog

Settings for Access Credentials
Juniper Networks SSG Firewall Configuration

What is Discovered and Monitored

SNMP and SSH

Create SNMP Community String and Management Station IP

Modify Policies so Traffic Matching a Policy is Sent via Syslog to AccelOps

Set AccelOps as a Destination Syslog Server

Set the Severity of Syslogs to Send to AccelOps

Sample Parsed FortiGate Syslog

Settings for Access Credentials

What is Discovered and Monitored
Protocol Information Discovered Metrics collected Used for
SNMP Host name, Hardware model, Network interfaces,  Operating system version Uptime, CPU and Memory utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Firewall connection count Availability and

Performance

Monitoring

Telnet/SSH Running configuration Configuration Change Performance

Monitoring, Security and Compliance

Syslog Device type Traffic log, Admin login activity logs, Interface up/down logs Availability, Security and Compliance

Event Types

In CMDB > Event Types, search for “SSG” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP and SSH

Enable SNMP, SSH, and Ping

  1. Log in to your firewall’s device manager as an administrator.
  2. Go to Network > Interfaces > List.
  3. Select the interface and click Edit.
  4. Under Service Options, for Management Services, select SNMP and SSH.
  5. For Other Services, select Ping.

Create SNMP Community String and Management Station IP

  1. Go to Configuration > Report Settings > SNMP.
  2. If the public community is not available, create it and provide it with read-only access.
  3. Enter the Host IP address and Netmask of your AccelOps virtual appliance.
  4. Select the Source Interface that your firewall will use to communicate with AccelOps.
  5. Click OK.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure.

Syslog

Modify Policies so Traffic Matching a Policy is Sent via Syslog to AccelOps

  1. Go to Policies.
  2. Select a policy and click Options.
  3. Select Logging.
  4. Click OK.

Set AccelOps as a Destination Syslog Server

  1. Go to Configuration > Report Settings > Syslog.
  2. Select Enable syslog messages.
  3. Select the Source Interface that your firewall will use to communicate with AccelOps.
  4. Under Syslog servers, enter the IP/Hostname of your AccelOps virtual appliance.
  5. For Port, enter 514.
  6. For Security Facility, select LOCALD.
  7. For Facility, select LOCALD.
  8. Select Event Log and Traffic Log.
  9. Select Enable.
  10. Click Apply.

Set the Severity of Syslogs to Send to AccelOps

  1. Go to Configuration > Report Setting > Log Settings.
  2. Click Syslog.
  3. Select the Severity Levels of the syslogs you want sent to AccelOps.
  4. Click Apply.

Sample Parsed FortiGate Syslog

<129>Aug 26 11:09:45 213.181.33.233 20090826, 6219282, 2009/08/26

09:09:40, 2009/08/26 08:09:49, global.CoX, 1363,

CoX-eveTd-fw1, 213.181.41.226, traffic, traffic log, untrust, (NULL),

81.243.104.82, 64618, 81.243.104.82,

64618, dmz, (NULL), 213.181.36.162, 443, 213.181.36.162, 443, tcp, global.CoX, 1363, Workaniser_cleanup, fw/vpn, 34, accepted, info, no, (NULL), (NULL), (NULL), (NULL), 3, 858, 1323, 2181, 0, 0, 14, 1, no, 0, Not

<129>Aug 26 11:09:45 213.181.33.233 20090826, 6219282, 2009/08/26

09:09:40, 2009/08/26 08:09:49, global.CoX, 1363,

CoX-eveTd-fw1, Category, Sub-Category, untrust, (NULL), 81.243.104.82,

64618, 81.243.104.82, 64618, dmz,

(NULL), 213.181.36.162, 443, 213.181.36.162, 443, tcp, global.Randstad, 1363, Workaniser_cleanup, fw/vpn, 34, accepted,

info, no, (NULL), (NULL), (NULL), (NULL), 3, 858, 1323, 2181, 0, 0, 14, 1, no, 0, Not

Settings for Access Credentials
McAfee Firewall Enterprise (Sidewinder) Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

Syslog

Sample Parsed Sidewinder Syslog

What is Discovered and Monitored
Protocol Information Discovered Metrics Collected Used For
 Syslog      

Event Types

In CMDB > Event Types, search for “sidewinder” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Sample Parsed Sidewinder Syslog

Jun 18 10:34:08 192.168.2.10 wcrfw1 auditd: date=”2011-06-18 14:34:08 +0000″,fac=f_http_proxy,area=a_libproxycommon, type=t_nettraffic,pri=p_major,pid=2093,logid=0,cmd=httpp,hostname=wcrfw1 .community.int,event=”session end”,app_risk=low,

app_categories=infrastructure,netsessid=1adc04dfcb760,src_geo=US,srcip=7 4.70.205.191,srcport=3393,srczone=external,protocol=6,

dstip=10.1.1.27,dstport=80,dstzone=dmz1,bytes_written_to_client=572,byte s_written_to_server=408,rule_name=BTC-inbound, cache_hit=1,start_time=”2011-06-18 14:34:08 +0000″,application=HTTP

Palo Alto Firewall Configuration

What is Discovered and Monitored

SNMP, SSH, and Ping

Set AccelOps as a Syslog Destination

Set the Severity of Logs to Send to AccelOps

Create a Log Forwarding Profile

Use the Log Forwarding Profile in Firewall Policie

Sample Parsed Palo Alto Syslog Mesage  Settings for Access Credentials

What is Discovered and Monitored
Protocol Information Discovered Metrics collected Used for
SNMP Host name, Hardware model, Network interfaces,  Operating system version Uptime, CPU utilization, Network Interface metrics (utilization, bytes sent and received, packets sent and received, errors, discards and queue lengths), Firewall connection count Availability and

Performance

Monitoring

Telnet/SSH Running configuration Configuration Change Performance

Monitoring, Security and Compliance

Syslog Device type Traffic log, Threat log (URL, Virus, Spyware, Vulnerability, File, Scan, Flood and data subtypes), config and system logs Availability, Security and Compliance

Event Types

In CMDB > Event Types, search for “palo alto” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “palo alto” in the Description column to see the reports associated with this device.

Configuration

SNMP, SSH, and Ping

  1. Log in to the management console for your firewall with administrator privileges.
  2. In the Device tab, clickSetup.
  3. Click Edit.
  4. Under MGMT Interface Services, make sure SSH, Ping, and SNMP are selected.
  5. For SNMP Community String, enter public.
  6. If there are entries in the Permitted IP list, Add the IP address of your AccelOps virtual appliance.
  7. Click OK.
  8. Go to Setup > Management and check that SNMP is enabled on the management interface

Syslog

Set AccelOps as a Syslog Destination

  1. Log in to the management console for your firewall with administrator privileges.
  2. In the Device tab, go to Log Destinations > Syslog.
  3. Click New.
  4. Enter a Name for your AccelOps virtual appliance.
  5. For Server, enter the IP address of your virtual appliance.
  6. For Port, enter 514.
  7. For Facility, select LOG_USER.
  8. Click OK.

Set the Severity of Logs to Send to AccelOps

  1. In the Device tab, go to Log Settings > System.
  2. Click .. .
  3. For each type of log you want sent to AccelOps, select the AccelOps virtual appliance in the Syslog
  4. Click OK.

Create a Log Forwarding Profile

  1. In the Objects tab, go to Log Forwarding > System.
  2. Create a new log forwarding profile by entering a Name for the profile, and then setting Syslog to the IP address of your AccelOps virtual appliance for each type of log you want send to AccelOps.
  3. Click OK.

Use the Log Forwarding Profile in Firewall Policie

  1. In the Policies tab, go to Security > System.
  2. For each security rule that you want to send logs to AccelOps, click Options.
  3. For Log Forwarding Profile, select the profile you created for AccelOps.
  4. Click OK.
Settings for Access Credentials

 

Sophos UTM Firewall Configuration

What is Discovered and Monitored

Configuration

What is Discovered and Monitored
Protocol Information Discovered Metrics Collected Used For
 Syslog   Configuration change, command execution Log Management, Compliance and SIEM

Event Types

In CMDB > Event Types, search for “sophos-utm” to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

FortiSIEM processes events from this device via syslogs sent by the device. Configure the device to send syslog to FortiSIEM as directed in the device’s product documentation, and FortiSIEM will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance. For Port, enter 514.

Sample Syslog Message

<30>2016:07:05-16:57:39 c-server-1 httpproxy[15760]: id=”0001″ severity=”info” sys=”SecureWeb” sub=”http” name=”http access” action=”pass” method=”GET” srcip=”10.10.10.10″ dstip=”1.1.1.1″ user=”” group=”” ad_domain=”” statuscode=”302″ cached=”0″ profile=”REF_DefaultHTTPProfile (Default Web Filter Profile)” filteraction=”REF_HttCffCustoConteFilte (Custom_Default content filter action)” size=”0″ request=”0xdc871600″ url=”http://a.com” referer=”http://foo.com/bar/” error=”” authtime=”0″ dnstime=”1″ cattime=”24080″ avscantime=”0″ fullreqtime=”52627″ device=”0″ auth=”0″ ua=”Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko” exceptions=”” category=”154″ reputation=”unverified” categoryname=”Web Ads”

WatchGuard Firebox Firewall Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

Syslog

Sample Parsed Firebox Syslog Message

What is Discovered and Monitored
Protocol Information Discovered Metrics Collected Used For
 Syslog      

Event Types

In CMDB > Event Types, search for “firebox” in the Device Type  andDescription column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

FortiSIEM Configuring End point Security Software

Configuring End point Security Software

The following anti-virus and host security (HIPS) applications are supported for discovery and monitoring by AccelOps.

Bit9 Security Platform Configuration

Cisco Security Agent (CSA) Configuration

ESET NOD32 Anti-Virus Configuration

MalwareBytes Configuration

McAfee ePolicy Orchestrator (ePO) Configuration

Sophos Endpoint Security and Control Configuration

Symantec Endpoint Protection Configuration

Trend Micro Intrusion Defense Firewall (IDF) Configuration Trend Micro OfficeScan Configuration

Bit9 Security Platform Configuration

What is Discovered and Monitored

Bit9 Configuration

What is Discovered and Monitored

Protocol Information Discovered Metrics Collected Used For
 Syslog   Logs Security Monitoring

Event Types

In CMDB > Event Types, search for “Bit9” in the Device Type columns to see the event types associated with this device.

Rules

Bit9 Agent Uninstalled or File Tracking Disabled

Bit9 Fatal Errors

Blocked File Execution

Unapproved File Execution

Reports

Bit9 Account Group Changes

Bit9 Fatal and Warnings Issues

Bit9 Functionality Stopped

Bit9 Security Configuration Downgrades

Bit9 Configuration

Syslog

AccelOps processes events from this device via syslog. Configure the device to send syslog to AccelOps on port 514.

Sample Syslog

<14>1 2015-04-06T16:24:02Z server1.foo.com – – – – Bit9 event: text=”Server discovered new file ‘c:\usersacct\appdata\local\temp\3cziegdd.dll’ [361aa7fbd5d00aa9952e94adc01d6f8d4cb08766eb03ff522ba5c7a2f9e99f9f].” type=”Discovery” subtype=”New file on network” hostname=”SVR123″ username=”SVR123\acct” date=”4/6/2015 4:22:52 PM” ip_address=”10.168.1.1″

process=”c:\abc\infrastructure\bin\scannerreset.exe” file_path=”c:\users\acct\appdata\local\temp\3cziegdd.dll” file_name=”3cziegdd.dll” file_hash=”361aa7fbd5d00aa9952e94adc01d6f8d4cb08766eb03ff522ba5c7a2f9e99 f9f” installer_name=”csc.exe” policy=”High Enforce” process_key=”00000000-0000-1258-01d0-7085edb50080″ server_version=”7.2.0.1395″ file_trust=”-2″ file_threat=”-2″ process_trust=”-1″ process_threat=”-1″

Cisco Security Agent (CSA) Configuration

What is Discovered and Monitored

Protocol Information Discovered Metrics Collected Used For
 SNMP Trap      

Events

There are no specific events defined for this device.

Rules

AccelOps uses these rules to monitor events for this device:

Rule Description
Agent service control Attempts to modify agent configuration
Agent UI control Attempts to modify agent UI default settings, security settings, configuration, contact information
Application control Attempts to invoke processes in certain application classes
Buffer overflow attacks  
Clipboard access control Attempts to acccess clipboard data written by sensitive data applications
COM component access

control

Unusual attempts to access certain COM sets including Email objects
Connection rate limit Excessive connections to web servers or from email clients
Data access control Unusual attempts to access restricted data sets such as configuration files, password etc. by suspect applications
File access control Unusual attempts to read or write restricted files sets such as system executables, boot files etc. by suspect applications
Kernel protection Unusual attempts to modify kernel functionality by suspect applications
Network access control Attempts to connect to local network services
Network interface control Attempts by local applications to open a stream connection to the NIC driver
Network shield Attacks based on bad IP/TCP/UDP/ICMP headers, port and host scans etc
Windows event log  
Registry access control Attempts to write certain registry entries
Resource access control Symbolic link protection
Rootkit/kernel protection Unusual attempts to load files after boot
Service restart Service restarts
Sniffer and protocol detection Attempts by packet/protocol sniffer to receive packets
Syslog control Syslog events
System API control Attempts to access Windows Security Access Manager (SAM)

Reports

There are no predefined reports for Cisco Security Agent.

Configuration

SNMP Trap

AccelOps processes events from this device via SNMP traps sent by the device. Configure the device to send send SNMP traps to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

Example SNMP Trap

2008-05-13 11:00:36 192.168.1.39 [192.168.1.39]:SNMPv2-MIB::sysUpTime.0

= Timeticks: (52695748) 6 days, 2:22:37.48

SNMPv2-MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.8590.3.1

SNMPv2-SMI::enterprises.8590.2.1 = INTEGER: 619

SNMPv2-SMI::enterprises.8590.2.2 = INTEGER: 261 SNMPv2-SMI::enterprises.8590.2.3 = STRING:

“sjdevVwindb06.ProspectHills.net”

SNMPv2-SMI::enterprises.8590.2.4 = STRING: “2008-05-13 19:03:21.157”

SNMPv2-SMI::enterprises.8590.2.5 = INTEGER: 5

SNMPv2-SMI::enterprises.8590.2.6 = INTEGER: 452

SNMPv2-SMI::enterprises.8590.2.7 = STRING: “C:\\Program

Files\\RealVNC\\VNC4\\winvnc4.exe”

SNMPv2-SMI::enterprises.8590.2.8 = NULL SNMPv2-SMI::enterprises.8590.2.9

= STRING: “192.168.20.38”

SNMPv2-SMI::enterprises.8590.2.10 = STRING: “192.168.1.39”

SNMPv2-SMI::enterprises.8590.2.11 = STRING: “The process ‘C:\\Program

Files\\RealVNC\\VNC4\\winvnc4.exe’ (as user NT AUTHORITY\\SYSTEM) attempted to accept a connection as a server on TCP port 5900 from 192.168.20.38 using interface Wired\\VMware Accelerated AMD PCNet Adapter. The operation was denied.”

SNMPv2-SMI::enterprises.8590.2.12 = INTEGER: 109

SNMPv2-SMI::enterprises.8590.2.13 = STRING: “192.168.1.39”

SNMPv2-SMI::enterprises.8590.2.14 = STRING: “W”

SNMPv2-SMI::enterprises.8590.2.15 = INTEGER: 3959

SNMPv2-SMI::enterprises.8590.2.16 = INTEGER: 5900

SNMPv2-SMI::enterprises.8590.2.17 = STRING: “Network access control” SNMPv2-SMI::enterprises.8590.2.18 = STRING: “Non CSA applications, server for TCP or UDP services” SNMPv2-SMI::enterprises.8590.2.19 = INTEGER: 33

SNMPv2-SMI::enterprises.8590.2.20 = STRING: “CSA MC Security Module”

SNMPv2-SMI::enterprises.8590.2.21 = NULL

SNMPv2-SMI::enterprises.8590.2.22 = STRING: “NT AUTHORITY\\SYSTEM”

SNMPv2-SMI::enterprises.8590.2.23 = INTEGER: 2

ESET NOD32 Anti-Virus Configuration

What is Discovered and Monitored

ESET NOD32 Configuration

What is Discovered and Monitored

Protocol Information Discovered Metrics Collected Used For
 Syslog      

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

ESET NOD32 Configuration

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps Supervisor.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Example Syslog

MalwareBytes Configuration

What is Discovered and Monitored

Configuration

What is Discovered and Monitored

Protocol Information Discovered Metrics Collected Used For
 Syslog   Malware detection log Security Monitoring

Event Types

In CMDB > Event Types, search for “malwarebytes” to see the event types associated with this device.

Rules

Malware found but not remediated

Reports

In Analytics > Reports, search for “malware found” to see the reports associated with this device.

Configuration

Syslog

AccelOps processes events from this device via syslog. Configure the device to send syslog to AccelOps on port 514.

Sample Syslog

<45>1 2016-09-23T14:40:35.82-06:00 reportDeviceName

Malwarebytes-Endpoint-Security 1552 – {“security_log”:{“client_id”:”ef5f8fc8-ad0e-46f8-b6d7-1a85d5f73e64″,”hos t_name”:”Abc-cbd”,”domain”:”abc.com”,”mac_address”:”FF-FF-FF-FF-FF”,”ip_ address”:”10.1.1.1″,”time”:”2016-09-23T14:40:14″,”threat_level”:”Moderat e”,”object_type”:”FileSystem”,”object”:”HKLM\\SOFTWARE\\POLICIES\\GOOGLE \\UPDATE”,”threat_name”:”PUM.Optional.DisableChromeUpdates”,”action”:”Qu arantine”,”operation”:”QUARANTINE”,”resolved”:true,”logon_user”:”dsamuel s”,”data”:”data”,”description”:”No

description”,”source”:”MBAM”,”payload”:null,”payload_url”:null,”payload_ process”:null,”application_path”:null,”application”:null}}

McAfee ePolicy Orchestrator (ePO) Configuration

What is Discovered and Monitored ePO Configuration

What is Discovered and Monitored

Protocol Information Discovered Metrics Collected Used For
SNMP Traps      

Event Types

In CMDB > Event Types, search for “mcafee epolicy” in the Description column to see the event types associated with this application or device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

ePO Configuration

SNMP Trap

AccelOps processes events from this device via SNMP traps sent by the device.

  1. Log in to the McAfee EPO console.
  2. Go to Menu > Configuration > Registered Servers, and then click New Server.

The Registered Server Builder opens.

  1. For Server type, enter SNMP Server.
  2. For Name, enter the IP address of your SNMP server.
  3. Enter any Notes, and then click Next to go to the Details
  4. For Address, enter the IP address or DNS Name for the AccelOps virtual appliance that will receive the SNMP trap.
  5. For SNMP Version, select SNMPv1.
  6. For Community, enter public.
  7. Click Send Test Trap, and then click OK.
  8. Log in to your Supervisor node and use Real Time Search to see if AccelOps received the trap.
Example SNMP Trap

2011-04-14 01:28:46 192.168.20.214(via UDP: [192.168.20.214]:45440)

TRAP, SNMP v1, community public SNMPv2-SMI::enterprises.3401 Enterprise Specific Trap (5) Uptime:

0:00:00.30

SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.9.245 = STRING: “To

SJ-Dev-S-RH-DNS-01”

SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.11.245 = STRING: “My

Organization”

SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.12.245 = STRING: “Directory”

SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.18.245 = STRING: “Any”

SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.19.245 = STRING: “Any”

SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.33.245 = STRING: “(Any)”

SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.15.245 = STRING: “4/16/08

3:07:04 AM”

SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.31.245 = STRING: “1278” SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.32.245 = STRING: “file infected.  No cleaner  available, file deleted successfully” SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.16.245 = STRING: “1”

SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.17.245 = STRING: “1”

SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.13.245 = STRING: “VirusScan” SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.14.245 = STRING: “Virus detected and removed” SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.22.245 = STRING: “EICAR test file” SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.23.245 = STRING: “Not

Available” SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.24.245 = STRING:

“192.168.1.6” SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.25.245 = STRING:

“SJDEVSWINIIS01” SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.26.245 = STRING:

“C:\Documents and

Settings\administrator.PROSPECTHILLS\Desktop\eicar.com”

SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.27.245 = STRING: “3”

SNMPv2-SMI::enterprises.3401.12.2.1.1.4.1.1.6.245 = STRING: “4/16/08

3:07:04 AM”

Sophos Endpoint Security and Control Configuration

What is Discovered and Monitored

Sophos Configuration

What is Discovered and Monitored

Protocol Information Discovered Metrics Collected Used For
 SNMP Trap      

Event Types

In CMDB > Event Types, search for “sophos endpoint” in the Device Type column to see the event types associated with this application or device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device. .

Sophos Configuration

SNMP Trap

AccelOps processes Sophos Endpoint control events via SNMP traps sent from the management console. Configure the management console to send SNMP traps to AccelOps, and the system will automatically recognize the messages.

SNMP Traps are configured within the Sophos policies.

  1. In the Policies pane, double-click the policy you want to change.
  2. In the policy dialog, in the Configure panel, click Messaging.
  3. In the Messaging dialog, go to the SNMP messaging tab and select Enable SNMP messaging.
  4. In the Messages to send panel, select the types of event for which you want Sophos Endpoint Security and Control to send SNMP messages.
  5. In the SNMP trap destination field, enter the IP address of the recipient.
  6. In the SNMP community name field, enter the SNMP community name.

Sample SNMP Trap

Symantec Endpoint Protection Configuration

What is Discovered and Monitored

Symantec Endpoint Protection Configuration

What is Discovered and Monitored

Protocol Information Discovered Metrics Collected Used For
 Syslog   Logs Security Monitoring

Event Types

In CMDB > Event Types, search for “symantec endpoint” in the Device Type and Description columns to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Symantec Endpoint Protection Configuration

Syslog

AccelOps processes events from this device via syslogs sent by the device.

Configuring Log Transmission to AccelOps

  1. Log in to Symantec Endpoint Protection Manager.
  2. Go to Admin> Configure External Logging > Servers > General.
  3. Select Enable Transmission of Logs to a Syslog Server.
  4. For Syslog Server, enter the IP address of the AccelOps virtual appliance.
  5. For UDP Destination Port, enter 514.

Configuring the Types of Logs to Send to AccelOps

  1. Go to Admin> Configure External Logging > Servers > Log Filter.
  2. Select the types of logs and events you want to send to AccelOps.
Sample Syslog

<13>Feb 23 12:36:37 QA-V-Win03-App1.ProspectHills.net SymAntiVirus  0   2701170C2410,3,2,1,QA-V-WIN03-APP1,Administrator,,,,,,,16777216,”Scan started on selected drives and folders and all

extensions.”,1235421384,,0,,,,,0,,,,,,,,,,,{C11B44CF-35C9-4342-AB3D-E0E9 E3756510},,(IP)-0.0.0.0,,ACME,00:50:56:A3:30:2F,11.0.1000.1112,,,,,,,,,,

,,,,,,0,,,,,

<54>Jun 11 12:24:38 SymantecServer sjdevswinapp05: Site: Site sjdevswinapp05,Server: sjdevswinapp05,Domain: Default,Admin: admin,Administrator  log on failed

<54>Jun 11 12:24:51 SymantecServer sjdevswinapp05: Site: Site sjdevswinapp05,Server: sjdevswinapp05,Domain: Default,Admin:

admin,Administrator  log on succeeded

<54>Feb 23 13:08:29 SymantecServer sjdevswinapp05: Virus found,Computer name: Filer,Source: Real Time Scan,Risk name: EICAR Test String,Occurrences: 1,C:/Documents and

Settings/Administrator.PROSPECTHILLS/Local Settings/Temp/vpqz3cxj.com,””,Actual action: Cleaned by deletion,Requested action: Cleaned,Secondary action: Quarantined,Event time: 2009-02-23 21:06:51,Inserted: 2009-02-23 21:08:29,End: 2009-02-23 21:06:51,Domain: Default,Group: Global\Prospecthills,Server:

sjdevswinapp05,User: Administrator,Source computer:  ,Source IP: 0.0.0.0

Mar 16 15:11:06 SymantecServer aschq97: NF77088-PCA,Local:

192.168.128.255,Local: 138,Local: FFFFFFFFFFFF,Remote:

192.168.128.86,Remote: ,Remote: 138,Remote:

0015C53B9216,UDP,Inbound,Begin: 2009-03-16 15:05:02,End: 2009-03-16 15:05:02,Occurrences: 1,Application: C:/WINDOWS/system32/ntoskrnl.exe,Rule: Allow local file sharing,Location: Default,User: ,Domain: ASC

<54>Feb 24 11:51:19 SymantecServer sjdevswinapp05: QA-V-Win03-App2,[SID: 20352] HTTP Whisker/Libwhisker Scan (1) detected.  Traffic has been allowed from this application: C:\WINDOWS\system32 toskrnl.exe,Local: 0.0.0.0,Local: 000000000000,Remote: ,Remote: 192.168.1.4,Remote:

000000000000,Inbound,TCP,Intrusion ID: 0,Begin: 2009-02-24 11:50:01,End:

2009-02-24 11:50:01,Occurrences: 1,Application:

C:/WINDOWS/system32/ntoskrnl.exe,Location: Default,User:

Administrator,Domain: PROSPECTHILLS

<54>Jul 28 08:08:52 SymantecServer corpepp01: 6910p-X751008R,Category:

2,Symantec AntiVirus,New virus definition file loaded. Version:

130727ag.

<54>Jul 28 08:09:32 SymantecServer corpepp01: CORPMIO-H4VYWB1,Category: 2,Symantec AntiVirus,Symantec Endpoint Protection services shutdown was successful.

<52>Jul 28 08:10:13 SymantecServer corpepp01: TEMPEXP02,Category:

0,Smc,Failed to disable Windows firewall

<54>Jul 28 08:08:52 SymantecServer corpepp01: 8440p-X0491JYR,Category:

0,Smc,Connected to Symantec Endpoint Protection Manager (10.0.11.17)

<54>Jul 28 08:08:52 SymantecServer corpepp01: 8440p-X0491JYR,Category:

0,Smc,Disconnected from Symantec Endpoint Protection Manager

(10.0.11.17)

<54>Jul 28 08:09:52 SymantecServer corpepp01: CORPES-3042,Category:

0,Smc,Connected to Symantec Endpoint Protection Manager (corphqepp01) <54>Jul 28 08:09:52 SymantecServer corpepp01: CORPES-3042,Category: 0,Smc,Disconnected from Symantec Endpoint Protection Manager (corpepp01)

<54>Jul 28 08:09:32 SymantecServer corpepp01: CORPMIO-H4VYWB1,Category:

0,Smc,Network Threat Protection – – Engine version: 11.0.480  Windows

Version info:  Operating System: Windows XP (5.1.2600 Service Pack 3)

Network  info:  No.0  “Local Area Connection 3”  00-15-c5-46-58-1e

“Broadcom NetXtreme 57xx Gigabit Controller” 10.0.208.66

<54>Jul 28 07:55:32 SymantecServer corpepp01: tol-afisk,Blocked,Unauthorized NT call rejected by protection driver.,System,Begin: 2011-07-27 15:29:57,End: 2011-07-27 15:29:57,Rule:

Trend Micro Intrusion Defense Firewall (IDF) Configuration

What is Discovered and Monitored

Trend Micro Configuration

What is Discovered and Monitored

Protocol Information Discovered Metrics Collected Used For
 Syslog      

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Trend Micro Configuration

Syslog

AccelOps processes events from this device via syslogs sent by the device. Configure the device to send syslogs to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

For Syslog Server, or the server where the syslogs should be sent, enter the IP address of your AccelOps virtual appliance.

For Port, enter 514.

Make sure that the syslog type is Common Event Format (CEF). The syslog format should be the same as that shown in the example.

Example Syslog

Trend Micro OfficeScan Configuration

What is Discovered and Monitored

Trend Micro Configuration

What is Discovered and Monitored

Protocol Information Discovered Metrics Collected Used For
 SNMP Trap      

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Trend Micro Configuration

SNMP Trap

AccelOps processes events from this device via SNMP traps sent by the device. Configure the device to send send SNMP traps to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

Example SNMP Trap

2011-04-14 02:17:54 192.168.20.214(via UDP: [192.168.20.214]:45440)

TRAP, SNMP v1, community public    SNMPv2-SMI::enterprises.6101

Enterprise Specific Trap (5) Uptime: 0:00:00.30   SNMPv2-SMI::enterprises.6101.141 = STRING: “Virus/Malware:

Eicar_test_file Computer: SJDEVVWINDB05 Domain: ABC File:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\yc8eayj0.com Date/Time: 4/10/2008 14:23:26 Result: Virus successfully detected, cannot perform the Clean action (Quarantine) ”

Configuring Environmental Sensors

AccelOps supports these devices for monitoring.

APC Netbotz Environmental Monitor Configuration

APC UPS Configuration

Generic UPS Configuration

Liebert FPC Configuration

Liebert HVAC Configuration Liebert UPS Configuration

APC Netbotz Environmental Monitor Configuration

What is Monitored and Collected

Event Types

Rules

Reports

Configuration

SNMP

SNMP Trap

Example SNMP Trap

Setting Access Credentials

What is Monitored and Collected

 

Protocol Information

Discovered

Metrics collected Used for
SNMP

(V1, V2c)

Host name, Hardware model, Network interfaces Temperature: Sensor Id, Sensor label, Enclosure Id, Temperature

Relative Humidity: Sensor Id, Sensor label, Enclosure Id, Relative Humidity

Air Flow: Sensor Id, Sensor label, Enclosure Id, Air Flow

Dew Point Temperature: Sensor Id, Sensor label, Enclosure Id, Dew Point Temperature Current: Sensor Id, Sensor label, Enclosure Id, Current

Audio Sensor Reading: Sensor Id, Sensor label, Enclosure Id, Audio Sensor Reading

Dry Contact Sensor Reading: Sensor Id, Sensor label, Enclosure Id, Dry Contact Sensor Reading

Door Switch Sensor Reading: Sensor Id, Sensor label, Enclosure Id, Door Switch Sensor Reading (Open/Close)

Camera Motion Sensor Reading: Sensor Id, Sensor label, Enclosure Id, Camera Motion Sensor Reading (Motion/No Motion)

Hadware Status (for NBRK0200): Contact Status, Output Relay Status, Outlet Status, Alarm

Device Status, Memory Sensor Status, Memory Output Status, Memory Outlet Status, memory Beacon Status

EMS Status (for NBRK0200): EMS Hardware Status, Connection State

Hardware Probe (for NBRK0200): Sensor Id, Temperature, Relative Humidity, Connection State Code

Module Sensor (for NBRK0200): Sensor Name, Sensor location, Temperature, Relative Humidity, Connection State Code

Availability and

Performance

Monitoring

SNMP Trap (V1,

V2c)

SNMP Trap See Event Types for more information about viewing the SNMP traps collected by AccelOps for this device. Availability and

Performance

Monitoring

 

Event Types

In CMDB > Event Types, search for “NetBotz” in the Name column to see the event types associated with this application or device.

 

Event types for NetBotz NBRK0200

In Analytics > Rules, search for “NetBotz” in the Name column to see the rules associated with this application or device.

Reports

In Analytics > Reports, search for “Netbotz” in the Name column to see the reports associated with this application or device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

SNMP Trap

AccelOps processes events from this device via SNMP traps sent by the device. Configure the device to send send SNMP traps to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

Example SNMP Trap

Setting Access Credentials

 

APC UPS Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

SNMP

SNMP Trap

Example SNMP Trap

Setting Access Credentials

What is Discovered and Monitored

Protocol Information Discovered Metrics collected Used for
SNMP

(V1, V2c)

Host name, Hardware model, Network interfaces UPS metrics: Remaining battery charge, Battery status, Replace battery indicator, Time on battery, Output status, Output load, Output voltage, Output frequency Availability and

Performance

Monitoring

SNMP

Trap

    Availability and

Performance

Monitoring

Event Types

In CMDB > Event Types, search for “apc” in the Device Type column to see the event types associated with this device.

Rules

In Analytics > Rules, search for “apc” in the Name column to see the rules associated with this device.

Reports

In Analytics > Reports, search for “apc” in the Name column to see the reports associated with this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

SNMP Trap

AccelOps processes events from this device via SNMP traps sent by the device. Configure the device to send send SNMP traps to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

Example SNMP Trap

Setting Access Credentials

Generic UPS Configuration

What is Discovered and Monitored

Protocol Information Discovered Metrics collected Used for
SNMP

(V1, V2c)

Host name, Hardware model, Network interfaces UPS metrics: Remaining battery charge, Battery status, Time on battery, Estimated

Seconds Remaining, Output voltage, Output current, Temperature

Availability and

Performance

Monitoring

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Setting Access Credentials

Liebert FPC Configuration

What is Discovered and Monitored

Protocol Information

Discovered

Metrics collected Used for
SNMP

(V1, V2c)

Host name, Hardware model, Network interfaces Output voltage (X-N, Y-N, Z-N), Output current (X, Y. Z), Neutral Current, Ground current, Output power, Power

Factor, Output Frequency, Output Voltage THD (Vx, Vy, Vz), Output Current THD (Lx, Ly. Lz), Output KWh,

Output Crest factor (Lx, Ly, Lz), Output K-factor (Lx, Ly, Lz), Output Lx Capacity, output Ly capacity

Availability

and

Performance

Monitoring

Event Types

In CMDB > Event Types, search for “LIebert FPC” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “Liebert FPC” in the Name column to see the reports associated with this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Settings for Access Credentials

 

Liebert HVAC Configuration

What is Discovered and Monitored

Protocol Information

Discovered

Metrics collected Used for
SNMP

(V1, V2c)

Host name,

Hardware model, Network

interfaces

HVAC metrics: Temperature: current value, upper threshold, lower threshold, Relative Humidity: current value, upper threshold, lower threshold, System state, Cooling state, Heating state, Humidifying state, Dehumidifying state, Economic cycle, Fan state, Heating capacity, Cooling capacity Availability

and

Performance

Monitoring

AccelOps uses SNMP to discover and collector metrics from Generic UPS devices – requires the presence of UPS-MIB on the UPS device.

Follow Liebert HVAC documentation to enable AccelOps to poll the device via SNMP.

Event Types

In CMDB > Event Types, search for “Liebert HVAC” in the Description column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

In Analytics > Reports, search for “Liebert HVAC” in the Name column to see the reports associated with this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Settings for Access Credentials

 

Liebert UPS Configuration

What is Discovered and Monitored

Protocol Information Discovered Metrics collected Used for
SNMP

(V1, V2c)

Host name, Hardware model, Network interfaces UPS metrics: Remaining battery charge, Battery status, Time on battery, Estimated

Seconds Remaining, Output voltage, Output current, Temperature

Availability and

Performance

Monitoring

Event Types

There are no event types defined specifically for this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

SNMP

AccelOps uses SNMP to discover and monitor this device. Make sure SNMP is enabled for the device as directed in its product documentation, then follow the instructions in Setting Access Credentials for Device Discovery to establish the connection between the device and AccelOps, and to initiate the device discovery process.

Settings for Access Credentials

FortiSIEM Configuring Cloud Applications

Configuring Cloud Applications

AccelOps supports these cloud applications for monitoring.

AWS Access Key IAM Permissions and IAM Policies

AWS CloudTrail API Configuration

AWS EC2 CloudWatch API Configuration

AWS RDS Configuration

Box.com Configuration

Cisco FireAMP Cloud Configuration

Google Apps Audit Configuration

Microsoft Azure AuditTrail Configuration

Microsoft Office365 Audit Configuration

Okta Configuration

Salesforce CRM Audit Configuration

 

 

AWS Access Key IAM Permissions and IAM Policies

In order to monitor AWS resources in AccelOps, an access key and a corresponding secret access key is needed. Prior to the availability of AWS IAM users, the recommendation was to create an access key at the level of root AWS account. This practice has been deprecated since the availability of AWS IAM users as you can read from the AWS Security Credentials best practice guide. If you were monitoring AWS using such access keys, the first step is to delete such keys and create keys based on a standalone IAM user dedicated for monitoring purposes in AccelOps. This document explains how to create such a user, and what permissions and policies to add to allow AccelOps to monitor your AWS environment.

Create IAM user for AccelOps monitoring

  1. Login to the IAM Console – Users Tab.
  2. Click Create Users
  3. Type in a username, e.g. aomonitoring under Enter User Names.
  4. Leave the checkbox Generate an access key for each user selected or select it if it is not selected
  5. Click Download Credentials and click on Close button
  6. The downloaded CSV file contains the Access Key ID and Secret Access Key that you can use in AccelOps to monitor various AWS services. You will need to add permissions before you can actually add them in AccelOps.

Change permissions for IAM user

  1. Select the user aomonitoring 2. Switch to tab Permissions
  2. Click Attach Policy.
  3. Select AmazonEC2ReadOnlyAccess, AWSCloudTrailReadOnlyAccess, AmazonRDSReadOnlyAccess, CloudWatchReadOnlyAccess, A mazonSQSFullAccess and click Attach Policy

You can choose to skip attaching some policies if you do not use that service or plan on monitoring that service. For instance, if you do not use RDS, then you do not need to attach AmazonRDSReadOnlyAccess

  1. You can choose to provide blanket read-only access to all S3 buckets by attaching the policy AmazonS3ReadOnlyAccess. Alternatively, you can specificy a more restricted policy as described in the next step
  2. Now, identify the set of S3 bucket(s) that you have configured to store Cloudtrail logs for each region. You can create an inline policy, ch oose custom policy, then paste the sample policy below. Make sure you replace the actual S3 bucket names below aocloudtrail1, aoclo udtrail2 with the ones you have configured

 

 

 

AWS CloudTrail API Configuration

What is Discovered and Monitored

Configuration

Settings for Access Credentials

Sample Events for AWS CloudTrail

What is Discovered and Monitored

Protocol Information Discovered Metrics Collected Used For
CloudTrail API None None Security Monitoring

Event Types

In CMDB > Event Types, search for “Cloudtrail” in the Device Type column to see the event types associated with this device. See the Amazon API reference for more information about the event types available for CloudTrail monitoring.

Rules

There are no predefined rules for this device. However,

Reports

In Analytics > Reports, search for “cloudtrail” in the Name column to see the rules associated with this device.

Configuration

 

 

AccelOps receives information about AWS events through the CloudTrail API. After creating an S3 bucket for the storage of log files on AWS, you then configure the Simple Notification Service (SNS) and Simple Queue Service (SQS) to create a notification for the log file and have it delivered by SQS. In your AccelOps virtual appliance you then enter access credentials so AccelOps can communicate with CloudTrail as it would any other device.

Create a new Cloudtrail

  1. Log in to https://console.aws.amazon.com/cloudtrail.
  2. Switch to the region for which you want to generate cloud trail logs.
  3. Click Trails.
  4. Click on Add New Trail
  5. Enter a Trail name such as aocloudtrail
  6. Select No for Apply Trail to all regions

You will need to create a cloudtrail for each region by following all the steps mentioned here for cloudtrail, SQS, and SNS. You cannot use ‘Apply Trail to all regions’ to collect trails for all regions in one S3 bucket and have AccelOps pull these logs. In the future, AccelOps will be enhanced to support this capability

  1. Select Yes for Create a new S3 bucket.
  2. For S3 bucket, enter a name like s3aocloudtrail.
  3. Click Advanced.
  4. Select Yes for Create a new SNS topic.
  5. For SNS topic, enter a name like snsaocloudtrail.
  6. Leave the rest of advanced settings to the default values
  7. Click Create.

A dialog will confirm that logging is turned on.

Configure Simple Queue Service (SQS) Delivery

  1. Log in to https://console.aws.amazon.com/sqs.
  2. Switch to the region in which you created a new cloudtrail above
  3. Click Create New Queue.
  4. Enter a Queue Name such as sqsaocloudtrail
  5. Enter the Queue Settings.
Setting Value
Default Visibility Timeout 0 seconds
Message Retention Period

This must be set for between 5 and 50 minutes. A lower value is recommended for high event rates to avoid event loss.

10 minutes
Maximum Message Size 256KB
Delivery Delay 0 seconds
Receive Message Wait Time 5 seconds

 

  1. Click Create Queue.
  2. When the queue is created, click the Details tab and make note of the ARN (Amazon Resource Name), as you will need this when configuring the Simple Notification Service below and when configuring the access credentials for AccelOps.

Set Up Simple Notification Service (SNS)

  1. Log in to https://console.aws.amazon.com/sns.
  2. Select Topics
  3. Select the SNS topic snsaocloudtrail that you specified when creating a cloudtrail 4. Click Actions > Subscribe to topic from the menu to launch the popup Create Subscription.
  4. For Protocol, select Amazon SQS.
  5. For Endpoint, enter the ARN of the queue that you created when setting up SQS.
  6. Click Create Subscription.

Give Permission for Amazon SNS to Send Messages to SQS

  1. Log in to https://console.aws.amazon.com/sqs.
  2. Select the queue you created, sqsaocloudtrail
  3. In the Queue Actions menu, select Subscribe Queue to SNS Topic.
  4. From the Choose a Topic dropdown, select the SNS topic snsaocloudtrail that you created earlier. 5. The Topic ARN will be automatically filled
  5. Click Subscribe.

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device

Discovery. You do not need to initiate discovery of AWS Cloud Trail, but should check that AccelOps is pulling events for AWS by checking for an amazon.com entry in Admin > Setup Wizard > Event Pulling.

Settings for Access Credentials
Sample Events for AWS CloudTrail

Fri Oct 10 14:44:23 2014 AccelOps-CloudTrail [additionalEventData/LoginTo]=https://console.aws.amazon.com/console/hom e?state=hashArgs%23&isauthcode=true [additionalEventData/MFAUsed]=No [additionalEventData/MobileVersion]=No [awsRegion]=us-east-1

[eventID]=fdf8f837-7e75-46a0-ac95-b6d15993ebf7 [eventName]=ConsoleLogin

[eventSource]=SIGNIN [eventTime]=2014-10-10T06:38:11Z

[eventVersion]=1.01 [requestParameters]=null

[responseElements/ConsoleLogin]=Success [sourceIPAddress]=211.144.207.10

[userAgent]=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36

(KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36

[userIdentity/accountId]=623885071509

[userIdentity/arn]=arn:aws:iam::623885071509:user/John.Adams

[userIdentity/principalId]=AIDAIUSNMEIUYBS7AN4UW

[userIdentity/type]=IAMUser [userIdentity/userName]=John.Adams

Fri Oct 10 14:19:45 2014 AccelOps-CloudTrail [awsRegion]=us-east-1

[eventID]=351bda80-39d4-41ed-9e4d-86d6470c2436

[eventName]=DescribeInstances [eventSource]=EC2

[eventTime]=2014-10-10T06:12:24Z [eventVersion]=1.01

[requestID]=2d835ae2-176d-4ea2-8523-b1a09585e803

[requestParameters/filterSet/items/0/name]=private-ip-address

[requestParameters/filterSet/items/0/valueSet/items/0/value]=10.0.0.233

[responseElements]=null [sourceIPAddress]=211.144.207.10

[userAgent]=aws-sdk-php2/2.4.7 Guzzle/3.7.1 curl/7.19.7 PHP/5.3.3

[userIdentity/accessKeyId]=AKIAI2MUUCROHFSLLT3A

[userIdentity/accountId]=623885071509

[userIdentity/arn]=arn:aws:iam::623885071509:root

[userIdentity/principalId]=623885071509 [userIdentity/type]=Root

[userIdentity/userName]=accelops

AWS EC2 CloudWatch API Configuration

What is Discovered and Monitored

Event Types

Rules

Reports

Configuration

Settings for Access Credentials

Sample events

What is Discovered and Monitored
Protocol Information Discovered Metrics Collected Used For
CloudWatch API Machine name

Internal Access IP

Instance ID

Image ID

Availability Zone

Instance Type

Volume ID

Status

Attach Time

CPU Utilization

Received Bits/sec

Sent Bits/sec

Disk reads (Instance Store)

Disk writes (Instance Store)

Disk reads/sec (Instance Store)

Disk writes/sec (Instance Store)

Packet loss

Read Bytes (EBS)

Write Bytes (EBS)

Read Ops (EBS)

Write Ops (EBS)

Disk Queue (EBS)

Performance Monitoring

Event Types

PH_DEV_MON_EBS_METRIC  captures EBS metrics

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

You can now configure AccelOps to communicate with your device by following the instructions in Setting Access Credentials for Device Discovery, and then initiate discovery of the device as described in the topics in Discovering Infrastructure. You should also be sure to read the topic Discovering Amazon Web Services (AWS) Infrastructure.

Settings for Access Credentials

 

Sample events

[PH_DEV_MON_EC2_METRIC]:[eventSeverity]=PHL_INFO,[fileName]=phPerfJob.cp p,[lineNumber]=6571,[hostName]=ec2-54-81-216-218.compute-1.amazonaws.com ,[hostIpAddr]=10.144.18.131,[cpuUtil]=0.334000,[diskReadKBytesPerSec]=0. 000000,[diskWriteKBytesPerSec]=0.000000,[diskReadReqPerSec]=0.000000,[di skWriteReqPerSec]=0.000000,[sentBytes]=131,[recvBytes]=165,[sentBitsPerS ec]=17.493333,[recvBitsPerSec]=22.026667,[phLogDetail]=

[PH_DEV_MON_EBS_METRIC]:[eventSeverity]=PHL_INFO,[fileName]=deviceAws.cp p,[lineNumber]=133,[hostName]=ec2-52-69-215-178.ap-northeast-1.compute.a mazonaws.com,[hostIpAddr]=172.30.0.50,[diskName]=/dev/sda1,[volumeId]=vo l-63287d9f,[diskReadKBytesPerSec]=7.395556,[diskWriteKBytesPerSec]=7.395 556,[ioReadsPerSec]=0.000000,[ioWritesPerSec]=0.010000,[diskQLen]=0,[phL ogDetail]=

 

 

AWS RDS Configuration

What is Discovered and Monitored

Configuration

What is Discovered and Monitored
Type Protocol Information Discovered Metrics Collected Used For
Relational Database Storage (RDS) CloudWatch API   CPU Utilization

User Connections

Free Memory

Free Storage

Used Swap

Read Latency

Write Latency

Read Ops

Write Ops

Performance Monitoring

Event Types

PH_DEV_MON_RDS_METRIC  captures RDS metrics

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration
  1. Create a AWS credential
    1. Go to Admin > Credentials > Step 1: Enter Credentials
    2. Click Add
      1. Set Device Type to Amazon AWS RDS
      2. Set Access Protocol as AWS SDK
  • Set Region as the region in which your AWS instance is located
  1. Set Access Key ID as the access key for your EC2 instance v. Set Secret Key as the secret key for your EC2 instance
  1. Click Save
  1. Create a IP to credential mapping
    1. Set IP/IP Range to com
    2. Choose Credentials to the one created in Step 1b
  2. Click test Connectivity to make sure the credential is working correctly
  3. Go to Admin > Discovery
    1. Set Discovery Type as AWS Scan
    2. Click OK to Save
    3. Select the entry and Click Discover
  4. After Discovery finishes, check CMDB > Amazon Web Services > AWS Database

Sample Events

[PH_DEV_MON_RDS_METRIC]:[eventSeverity]=PHL_INFO,[fileName]=deviceAwsRDS .cpp,[lineNumber]=104,[hostName]=mysql1.cmdzvvce07ar.ap-northeast-1.rds. amazonaws.com,[hostIpAddr]=54.64.131.93,[dbCpuTimeRatio]=1.207500,[dbUse rConn]=0,[dbEnqueueDeadlocksPerSec]=0.000587,[freeMemKB]=489,[freeDiskMB ]=4555,[swapMemUtil]=0.000000,[ioReadsPerSec]=0.219985,[ioWritesPerSec]= 0.213329,[devDiskRdLatency]=0.08,[devDiskWrLatency]=0.4029,[phLogDetail]

=

Box.com Configuration
What is Discovered and Monitored
Protocol Information Discovered Metrics

Collected

Used

For

Box.com

API

Ccreation, deletion, and modification activity for specific files or folders

File-sharing properties, including whether the file is shared, password protected, or preview/download enabled, and how many times the file was downloaded or viewed

   

Event Types

In CMDB > Event Types, search for “box.com” and look for BOX events in the Name column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

AccelOps can monitor a directory or subdirectory, for example /All Files or /All Files/my files, or a single file , for example /All Files/my files/user guide.pdf. When you set up the access credentials for AccelOps to communicate with Box.com, you provide the path to the folder or files you want to monitor, so you should have your Box.com storage set up before you set up your access credentials. You also won’t need to initiate discovery of Box.com as you would with other devices, but should go to to Admin > Setup wizard > Event Pulling and make sure that a Box.com event pulling job is created after you have successfully set up access credentials.

Settings for Access Credentials

Sample Box.com Events

//the following event is generated when a folder called share was created using the box.usage@gmail.com account [PH_DEV_MON_BOX_FILE_CREATE]:[eventSeverity]=PHL_INFO,[fileName]=phBoxAg ent.cpp,[lineNumber]=625,[fileType]=folder, [targetName]=share,[fileSize64]=0,[filePath]=/All Files,[fileOwner]=box usage,[fileDesc]=,[user]=box usage, [userId]=225282673,[accessTime]=1412700374,[accountName]=box.usage@gmail

.com,[fileId]=2541809279,[fileVersion]=1,

[targetHashCode]=,[phLogDetail]=

//the following event is generated when a file called  All

Files/share/b.txt was created using the box.usage@gmail.com account [PH_DEV_MON_BOX_FILE_CREATE]:[eventSeverity]=PHL_INFO,[fileName]=phBoxAg ent.cpp,[lineNumber]=625,[fileType]=file, [targetName]=b.txt,[fileSize64]=0,[filePath]=/All

Files/share,[fileOwner]=box usage,[fileDesc]=,[user]=box usage,

[userId]=225282673,[accessTime]=1412700377,[accountName]=box.usage@gmail .com,[fileId]=21701906465,[fileVersion]=1,[targetHashCode]=da39a3ee5e6b4 b0d3255bfef95601890afd80709,[phLogDetail]=

//the following event is generated when a file called  All

Files/share/b.txt was deleted using the box.usage@gmail.com account [PH_DEV_MON_BOX_FILE_DELETE]:[eventSeverity]=PHL_INFO,[fileName]=phBoxAg ent.cpp,[lineNumber]=503,[fileType]=file, [targetName]=b.txt,[fileSize64]=0,[filePath]=/All

Files/share,[fileOwner]=box usage,[fileDesc]=,[user]=box usage, [userId]=225282673,[accessTime]=0,[accountName]=box.usage@gmail.com,[fil eId]=21701844673,[fileVersion]=1,[targetHashCode]=da39a3ee5e6b4b0d3255bf ef95601890afd80709,[phLogDetail]=

//the following event is generated when a file called  All

Files/share/a.txt was modified using the box.usage@gmail.com account [PH_DEV_MON_BOX_FILE_MODIFY]:[eventSeverity]=PHL_INFO,[fileName]=phBoxAg ent.cpp,[lineNumber]=652,[fileType]=file, [targetName]=a.txt,[fileSize64]=8,[filePath]=/All Files,[fileOwner]=box usage,[fileDesc]=,[user]=box usage, [userId]=225282673,[accessTime]=1412700491,[accountName]=box.usage@gmail

.com,[fileId]=21701903189,[fileVersion]=2,[targetHashCode]=0a74245f78b73

39ea8cdfc4ac564ed14dc5c22ad,[phLogDetail]=

//the following event is generated periodically for each monitored file

and folder [PH_DEV_MON_BOX_FILE_SHARE]:[eventSeverity]=PHL_INFO,[fileName]=phBoxAge nt.cpp,[lineNumber]=601,[fileType]=folder, [targetName]=share,[fileSize64]=0,[filePath]=/All Files,[fileOwner]=box usage,[fileDesc]=,[accountName]=box.usage@gmail.com,

[fileId]=2541809279,[fileVersion]=1,[infoURL]=https://app.box.com/s/zine

f627pyuexdcxir1q,[downloadURL]=,[filePasswordEnabled]=no, [filePreviewEnabled]=yes,[fileDownloadEnabled]=yes,[fileUnshareAtTime]=-

1,[filePreviewCount]=0,[fileDownloadCount]=0,[phLogDetail]=

Cisco FireAMP Cloud Configuration

What is Discovered and Monitored

Configuration

Sample Events for Salesforce Audit

What is Discovered and Monitored
Protocol Logs Collected Used For
CloudAMP API End point malware activity Security Monitoring

Event Types

In CMDB > Event Types, search for “Cisco FireAMP Cloud” in the Search column to see the event types associated with this device.

Rules

There are no predefined rules for Cisco FireAMP Cloud

Reports

There are no predefined reports for Cisco FireAMP Cloud.

Configuration

Create Cisco FireAMP Cloud Credential

  1. Log in to AccelOps Supervisor node.
  2. Go to Admin > Setup Wizard > Credentials.
  3. In Step 1, Click Add to create a new credential
  4. For Device Type, select Cisco FireAMP Cloud
  5. For Access Protocol, select FireAMP Cloud API
  6. For Password Configuration, select Manual or CyberArk For Manual credential method, enter Client ID and Client Secret.
  7. For CyberArk credential method, specify CyberArk properties.
  8. Click Save.

Test Connectivity

  1. Log in to AccelOps Supervisor node.
  2. Go to Admin > Setup Wizard > Credentials.
  3. In Step 2, Click Add to create a new association
  4. For Name/IP/IP Range, enter amp.sourcefire.com
  5. For Credentials, enter the name of credential created in the “Salesforce Audit Credential” step.
  6. Click Save
  7. Select the entry just created and Click Test Connectivity without Ping. A pop up will appear and show the Test Connectivity results.
  8. Go to Admin > Setup Wizard > Pull Events and make sure an entry is created for Microsoft Audit Log Collection
Sample Events for Salesforce Audit

[FireAMP_Cloud_Threat_Detected]:[eventSeverity]=PHL_CRITICAL,[connectorG UID]=d2f5d61f-feb0-4b67-80fd-073655b86425,[date]=2015-11-25T19:17:39+00: 00,[detection]=W32.DFC.MalParent,[detectionId]=6159251516445163587,[even tId]=6159251516445163587,[eventType]=Threat Detected,[eventTypeId]=1090519054,[fileDispostion]=Malicious,[fileName]= rjtsbks.exe,[fileSHA256]=3372c1edab46837f1e973164fa2d726c5c5e17bcb888828 ccd7c4dfcc234a370,[hostName]=Demo_TeslaCrypt

Google Apps Audit Configuration

What is Discovered and Monitored

Configuration

Sample Events for Google Apps Audit

What is Discovered and Monitored
Protocol Logs Collected Used For
Google Apps Admin

SDK

Configuration Change, Account Create/Delete/Modify, Account Group

Create/Delete/Modify, Document Create/Delete/Modify/Download, Document

Permission Change, Logon Success, Logon Failure, Device compromise

Security Monitoring

Event Types

In CMDB > Event Types, search for “Google_Apps” in the Search column to see the event types associated with this device.

Rules

There are no predefined rules for Google Apps

Reports

There are many reports defined in Analytics > Reports > Device > Application > Document Mgmt. Search for ” Google Apps”.

Configuration

Create a Google App Credential in Google API Console

  1. Logon to Google API Console
  2. Under Dashboard, create a Google Apps Project
    1. Project Name – enter a name
    2. Click Create
  3. Under Dashboard, click Enable API to activate Reports API service for this project
  4. Create a Service Account Key for this project
    1. Under Credentials, click Create Credentials > Create Service Account Key
    2. Choose Key type as JSON
    3. Click Create
    4. A JSON file containing the Service Account credentials will be stored in your computer
  5. Enable Google Apps Domain-wide delegation
    1. Under IAM & Admin section, choose the Service account
    2. Check Enable Google Apps Domain-wide Delegation
    3. Click Save
  6. View Client ID
    1. Under IAM & Admin section, choose the Service account
    2. Click View Client ID
  7. Delegate domain-wide authority to the service account created in Step 4
    1. Go to your Google Apps domain’s Admin console
    2. Select Security from the list of controls. If you don’t see Security listed, select More controls from the gray bar at the bottom of the page, then select Security from the list of controls.
    3. Select Advanced settings from the list of options.
    4. Select Manage API Client access in the Authentication section
    5. In the Client name field enter the service account’s Client ID (Step 6)
    6. In the One or More API Scopes field enter the list of scopes that your application should be granted access to.

Define Google App Credential in FortiSIEM

  1. Log in to AccelOps Supervisor node.
  2. Go to Admin > Setup Wizard > Credentials.
  3. In Step 1, Click Add to create a new credential
  4. For Device Type, select Google Google Apps
  5. For Access Protocol, select Google Apps Admin SDK
  6. Enter the User Name
  7. For Service Account Key, upload the JSON credential file (Step 4d above)
  8. Click Save.

Test Connectivity

  1. Log in to AccelOps Supervisor node.
  2. Go to Admin > Setup Wizard > Credentials.
  3. In Step 2, Click Add to create a new association
  4. For Name/IP/IP Range, enter com
  5. For Credentials, enter the name of credential created in the “Google App Credential” step.
  6. Click Save
  7. Select the entry just created and Click Test Connectivity without Ping. A pop up will appear and show the Test Connectivity results.
  8. Go to Admin > Setup Wizard > Pull Events and make sure an entry is created for Salesforce Audit Log Collection
Sample Events for Google Apps Audit

Logon Success

<134>Jan 21 19:29:21 google.com java: [Google_Apps_login_login_success]:[eventSeverity]=PHL_INFO,[actor.profil eId]=117858279951236905887,[id.time]=2016-09-09T06:53:58.000Z,[id.applic ationName]=login,[kind]=admin#reports#activity,[id.customerId]=C01lzy8ye ,[id.uniqueQualifier]=8830301951515521023,[event.parameters.login_type]= google_password,[event.type]=login,[ipAddress]=45.79.100.103,[actor.emai l]=api1@accelops.net,[event.name]=login_success,[etag]=””6KGrH_UY2JDZNpg jPKUOF8yJF1A/Nfrg2SFjlC2gR6pJtpP2scVidmc”””,Google_Apps_login_login_succ ess,login_success,1,45.79.100.103,

Logon Failure

<134>Jan 21 19:29:21 google.com java: [Google_Apps_login_login_failure]:[eventSeverity]=PHL_INFO,[actor.profil eId]=117858279951236905887,[id.applicationName]=login,[kind]=admin#repor ts#activity,[event.parameters.login_type]=google_password,[ipAddress]=45 .79.100.103,[event.name]=login_failure,[id.time]=2016-09-19T09:27:51.000 Z,[id.customerId]=C01lzy8ye,[id.uniqueQualifier]=4795688196368428241,[ev ent.type]=login,[actor.email]=api1@accelops.net,[etag]=””6KGrH_UY2JDZNpg jPKUOF8yJF1A/v5zsUPNoEdXLLK79zQpBcuxNbQU””,[event.parameters.login_failu re_type]=login_failure_invalid_password”,Google_Apps_login_login_failure ,login_failure,1,45.79.100.103,

Create User

<134>Jan 21 19:29:20 google.com java: [Google_Apps_USER_SETTINGS_CREATE_USER]:[eventSeverity]=PHL_INFO,[actor. callerType]=USER,[actor.profileId]=117858279951236905887,[id.application Name]=admin,[kind]=admin#reports#activity,[ipAddress]=45.79.100.103,[eve nt.name]=CREATE_USER,[id.time]=2016-09-19T09:22:44.646Z,[id.customerId]= C01lzy8ye,[id.uniqueQualifier]=-8133102622954793216,[event.type]=USER_SE

TTINGS,[event.parameters.USER_EMAIL]=test-user@accelops.org,[actor.email ]=api1@accelops.net,[etag]=””6KGrH_UY2JDZNpgjPKUOF8yJF1A/R5GJyWG9YHSiGRv o3-8ZBM0ZlL0″””,Google_Apps_USER_SETTINGS_CREATE_USER,CREATE_USER,1,45.7 9.100.103,

Delete user

<134>Jan 21 19:29:20 google.com java: [Google_Apps_USER_SETTINGS_DELETE_USER]:[eventSeverity]=PHL_INFO,[actor. callerType]=USER,[actor.profileId]=117858279951236905887,[id.application Name]=admin,[kind]=admin#reports#activity,[ipAddress]=45.79.100.103,[eve nt.name]=DELETE_USER,[id.time]=2016-09-19T09:22:28.582Z,[id.customerId]= C01lzy8ye,[id.uniqueQualifier]=-4630441819990099585,[event.type]=USER_SE

TTINGS,[event.parameters.USER_EMAIL]=test-user@accelops.org,[actor.email ]=api1@accelops.net,[etag]=””6KGrH_UY2JDZNpgjPKUOF8yJF1A/08MaodxPU6Zv7s6 vJtuUQW9ugx0″””,Google_Apps_USER_SETTINGS_DELETE_USER,DELETE_USER,1,45.7 9.100.103,

Move user settings

<134>Jan 21 19:29:20 google.com java:

[Google_Apps_USER_SETTINGS_MOVE_USER_TO_ORG_UNIT]:[eventSeverity]=PHL_IN FO,[actor.callerType]=USER,[actor.profileId]=117858279951236905887,[even t.parameters.ORG_UNIT_NAME]=/test,[id.applicationName]=admin,[kind]=admi n#reports#activity,[ipAddress]=45.79.100.103,[event.name]=MOVE_USER_TO_O RG_UNIT,[id.time]=2016-09-19T09:24:25.285Z,[id.customerId]=C01lzy8ye,[id

.uniqueQualifier]=-6704816947489240452,[event.type]=USER_SETTINGS,[event .parameters.USER_EMAIL]=test-user@accelops.org,[actor.email]=api1@accelo ps.net,[event.parameters.NEW_VALUE]=/,[etag]=””6KGrH_UY2JDZNpgjPKUOF8yJF 1A/r1v9DiPZbL06fXFFjJlrWf2s3qI”””,Google_Apps_USER_SETTINGS_MOVE_USER_TO

_ORG_UNIT,MOVE_USER_TO_ORG_UNIT,1,45.79.100.103,,

Microsoft Azure AuditTrail Configuration

What is Discovered and Monitored

Configuration

Sample Events for Microsoft Azure Audit Trail

What is Discovered and Monitored
Protocol Information Discovered Metrics Collected Used For
Azure CLI None None Security Monitoring

Event Types

In CMDB > Event Types, search for “Microsoft Azure Auditl” in the Search column to see the event types associated with this device.

Rules

There are no predefined rules for Microsoft Azure Audit

Reports

There are no predefined reports for Microsoft Azure Audit.

Configuration

Create Microsoft Azure Audit Credential

  1. Log in to AccelOps Supervisor node.
  2. Go to Admin > Setup Wizard > Credentials.
  3. In Step 1, Click Add to create a new credential
  4. For Device Type, select Microsoft Azure Audit
  5. For Access Protocol, select Azure CLI
  6. For Password Configuration, select Manual or CyberArk
  7. For Manual credential method, enter the user name and credentials 8. For CyberArk credential method, specify CyberArk properties.
  8. Click Save.

Test Connectivity

  1. Log in to AccelOps Supervisor node.
  2. Go to Admin > Setup Wizard > Credentials.
  3. In Step 2, Click Add to create a new association
  4. For Name/IP/IP Range, enter some IP Address
  5. For Credentials, enter the name of credential created in the “Microsoft Azure Audit Credential” step.
  6. Click Save
  7. Select the entry just created and Click Test Connectivity without Ping. A pop up will appear and show the Test Connectivity results.
  8. Go to Admin > Setup Wizard > Pull Events and make sure an entry is created for Microsoft Audit Log Collection
Sample Events for Microsoft Azure Audit Trail

2016-02-26 15:19:10 AccelOps-Azure,[action]=Microsoft.ClassicCompute/virtualmachines/shutdow n/action,[caller]=Cuiping.Wang@shashiaccelops.onmicrosoft.com,[level]=Er ror,[resourceId]=/subscriptions/3ed4ee1c-1a83-4e02-a928-7ff5e0008e8a/res ourcegroups/china/providers/Microsoft.ClassicCompute/virtualmachines/chi na,[resourceGroupName]=china,[eventTimestamp]=2016-02-14T06:12:18.553970 9Z,[status]=Failed,[subStatus]=Conflict,[resourceType]=Microsoft.Classic

Compute/virtualmachines,[category]=Administrative

Microsoft Office365 Audit Configuration

What is Discovered and Monitored

Configuration

Sample Events for Google Apps Audit

What is Discovered and Monitored
Office 365

Activity Type

Operation
File and folder activities FileAccessed, FileCheckedIn, FileCheckedOut, FileCopied, FileDeleted,FileCheckOutDiscarded, FileDownloaded, FileModified, FileMoved, FileRenamed, FileRestored, FileUploaded
Sharing and access request activities AccessRequestAccepted, SharingInvitationAccepted, CompanyLinkCreated, AccessRequestCreated,

AnonymousLinkCreated, SharingInvitationCreated, AccessRequestDenied, CompanyLinkRemoved,

AnonymousLinkRemoved, SharingSet, AnonymousLinkUpdated, AnonymousLinkUsed, SharingRevoked, CompanyLinkUsed, SharingInvitationRevoked

Synchronization activities ManagedSyncClientAllowed, UnmanagedSyncClientBlocked, FileSyncDownloadedFull, FileSyncDownloadedPartial, FileSyncUploadedFull, FileSyncUploadedPartial
Site administration activities ExemptUserAgentSet, SiteCollectionAdminAdded, AddedToGroup, AllowGroupCreationSet, CustomizeExemptUsers,

SharingPolicyChanged, GroupAdded, SendToConnectionAdded, SiteCollectionCreated, GroupRemoved,

SendToConnectionRemoved, PreviewModeEnabledSet, LegacyWorkflowEnabledSet, OfficeOnDemandSet,

NewsFeedEnabledSet, PeopleResultsScopeSet, SitePermissionsModified, RemovedFromGroup, SiteRenamed, SiteAdminChangeRequest, HostSiteSet, GroupUpdated

Exchange mailbox

activities

Copy, Create, SoftDelete, Move, MoveToDeletedItems, HardDelete, SendAs, SendOnBehalf, Update, MailboxLogin
Sway activities SwayChangeShareLevel, SwayCreate, SwayDelete, SwayDisableDuplication, SwayDuplicate, SwayEdit, EnableDuplication,

SwayRevokeShare, SwayShare, SwayExternalSharingOff, SwayExternalSharingOn, SwayServiceOff, SwayServiceOn,

SwayView

User administration activities Add user, Change user license, Change user password, Delete user, Reset user password, Set force change user password, Set license properties, Update user
Group

administration activities

Add group, Add member to group, Delete group, Remove member from group, Update group
Application administration activities Add delegation entry, Add service principal, Add service principal credentials, Remove delegation entry, Remove service principal, Remove service principal credentials, Set delegation entry
Role administration activities Add role member to role, Remove role member from role, Set company contact information
Directory administration activities Add domain to company, Add partner to company, Remove domain from company, Remove partner from company, Set

company information, Set domain authentication, Set federation settings on domain, Set password policy, Set DirSyncEnabled flag on company, Update domain, Verify domain, Verify email verified domain

Event Types

In CMDB > Event Types, search for “MS_Office365” in the Search column to see the event types associated with Office 365.

Rules

There are no predefined rules for Office 365

Reports

There are many reports defined in Analytics > Reports > Device > Application > Document Mgmt. Search for “Office365”

Configuration

Create Office365 API Credential

  1. Check Office365 Account
    1. Login to Microsoft Online with your Office account
    2. Navigate to office home->admin center->Billing->Purchase services->Office 365 Business Premium
    3. Make sure the you have Office365 Business Premium subscription
  2. Create a X.509 certificate and extract some values
    1. Download Windows SDK and install on your workstation
    2. In windows PowerShell run these commands and make sure they succeed
    3. Open certmgr.msc, and export the new X.509 certificate (office365Cert) by clicking Action->All Tasks-> Export Choose Do not export private key
      1. Choose Base-64 encoding
  • Specify the file name to export
  1. Run the following power shell commands to get values $base64Value, $base64Thumbprint, $keyid from the X.509 certificate for use in next step

After running these commands, the values will be set as follows

(prompt)> $keyid a8a98039-aa56-4497-ab82-d7c419e70eca (prompt)> $base64Thumbprint

A7DP44d3q++M+Cq5MQdFZDcwbr4=

(prompt)>$base64Value

MIIC/zCCAeugAwIBAgIQTdQI9aEaZ4FP/zTqmOXZrzAJBgUrDgMCHQUAMBgxFjA UBgNVBAMTDU9mZmljZTM2NUNlcnQwHhcNMTYwMzE1MDgwMDAwWhcNMTg wMzE1MDgwMDAwWjAYMRYwFAYDVQQDEw1PZmZpY2UzNjVDZXJ0MIIBIjANBgkqhk iG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp9IG5ZNQ9xrtolAc2jUItRhwjm FKsdST+GTlzax7bXiQl8Zp905DUBgfSyAQr77r/2cDRkf0mV7wW/2i+Pqbfi9CY wzjINLyzqxBL5lJPwzVo8aqi/ykILCsbBX6prGvc/TJXjWHbP90AHfZU t6cDPN3CrE98s3gZlWwz7wDnJP5AU/FXx4Cf4gPZOMEBPRdJqQwIZgLzHk0oDg9 kXFoiwDKORsTiamSMd34nncmmNivrqjKM57pa6jacxWFwbXDov6TlxLm tniHuH1psMRj/+jkmucoF2c2cRvTdqFePEqoWemB/np7Zwjj6VTruI5Zld22CcN IJY4ZbheAgYMXmwIDAQABo00wSzBJBgNVHQEEQjBAgBBekE2Kf2vBlJd fJmP+pAtAoRowGDEWMBQGA1UEAxMNT2ZmaWNlMzY1Q2VydIIQTdQI9aEaZ4FP/z TqmOXZrzAJBgUrDgMCHQUAA4IBAQANiw//Vxe04mUInzJUSNXCOUJFj9

HWDzQfbfBOWQQ9YiVm7o0qmSHR8bkaKTxNDl4ng0i6WpMnzmodJjtDpn4I7ZmwA

YehBiFWlUVhAW+M00bvOezcROiscOBuvWd6dQ7Op0XDpYGRnBctCv3w+

YWs0f3odrLCECvO3dk5QJbk500+S8QkLmoVv31/T1BEHnIaY3YudiVO/EpM8n7I /o8YlThHqqSQ6WGeMxYA+ts7yi+Jm++mV6xScK9qWdCbB4BW4ePZWxXi t5Bod+kC9iSco3o44hmmZdohUpF0t08Gu27dMXsaltd7djb7KeqxZrXihfFC8Xe FRBoPALIB52Ud

  1. Create FortiSIEM application in Azure
    1. Login to Azure
    2. Click Active Directory in left panel
    3. Click Default Directory in the right
    4. Select APPLICATIONS tab, then click ADD.
    5. Fill application details and click Next
      1. Name – FortiSIEM
      2. Type – Choose WEB Application AND/OR API
      3. Fill in App properties and Click Done
      4. Sign-on URL – https://<Supervisor IP>
      5. App ID URL – https://<Supervisor IP>
      6. Click the application (FortiSIEM) in left panel, choose Configure tab
      7. Client ID is displayed
      8. User assignment required – No
  • Keys – Select time duration
  1. Save
  2. Key is now displayed – copy this key to local workstation. You would not be able to retrieve it once you leave this page. In the command bar, click Manage Manifest and select Download Manifest
  1. Edit the downloaded JSON file in Step 3.g.vi and
    1. Enter the following in the “keyCredentials” section
    2. The credential file looks like this
  2. Store the JSON file. Click Upload Manifest to upload it to Azure

Permit Office365 Monitoring

  1. Continue with Step 5 above
  2. Choose Office 365 Activities
    1. Microsoft 265 Management APIs – Yes
    2. Microsoft Sharepoint Online – Yes
  3. Allow read permission to chosen Office365 activities

Define Office365 Management Credential in FortiSIEM

  1. Log in to AccelOps Supervisor node.
  2. Go to Admin > Setup Wizard > Credentials.
  3. In Step 1, Click Add to create a new credential
    1. For Name, provide a name for reference
    2. For Device Type, select Microsoft Office365
    3. For Access Protocol, select Office365 Mgmt Activity API
    4. For Tenant ID, use the ID from Azure Login URL

 

  1. For Password Configuration, select Manual or
  2. For Client ID, choose from Step 3.g.i in Create Office365 API Credential
  3. For Client Secret, choose from Step 3.g.v in Create Office365 API Credential
  1. For Manual credential method, enter the user name, password and Security Token.
  2. For CyberArk credential method, specify CyberArk properties.
  3. Click Save.

Test Connectivity

  1. Log in to AccelOps Supervisor node.
  2. Go to Admin > Setup Wizard > Credentials.
  3. In Step 2, Click Add to create a new association
  4. For Name/IP/IP Range, enter office.com
  5. For Credentials, enter the name of credential created in the Define Office365 Management Credential step 3a 6. Click Save
  6. Select the entry just created and Click Test Connectivity without Ping. A pop up will appear and show the Test Connectivity results.
  7. Go to Admin > Setup Wizard > Pull Events and make sure an entry is created for Office365 Log Collection
Sample Events for Google Apps Audit
Okta Configuration

AccelOps can integrate with Okta as a single-sign service for AccelOps users, discover Okta users and import them into the CMDB, and collect audit logs from Okta. See Setting Up External Authentication for information on configuring Okta to use as a single-sign on service, and Adding Users from Okta for discovering users and associating them with the Okta authentication profile. Once you have discovered Okta users, AccelOps will begin to monitor Okta events.

What is Discovered and Monitored

Event Types

Rules

Reports

Sample Okta Event

What is Discovered and Monitored
Protocol Information Discovered Metrics Collected Used For
 Okta API      

Event Types

In CMDB > Event Types, search for “okta” in the Device Type column to see the event types associated with this device.

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

 Sample Okta Event

Mon Jul 21 15:50:26 2014 AccelOps-Okta [action/message]=Sign-in successful [action/objectType]=core.user_auth.login_success [action/requestUri]=/login/do-login [actors/0/displayName]=CHROME

[actors/0/id]=Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36

(KHTML, like Gecko) Chrome/36.0.1985.125 Safari/537.36

[actors/0/ipAddress]=211.144.207.10

[actors/0/login]=YaXin.Hu@accelops.com [actors/0/objectType]=Client

[eventId]=tev-UlpTnWJRI2vXNRKTJHE4A1405928963000

[eventName]=USER-AUTH-LOGIN-SUCCESS [published]=2014-07-21T07:49:23.000Z

[requestId]=U8zGA0zxVNXabfCeka9oGAAAA [sessionId]=s024bi4GPUkRaegPXuA1IFEDQ [targets/0/displayName]=YaXin Hu

[targets/0/id]=00uvdkhrxcPNGYWISAGK

[targets/0/login]=YaXin.Hu@accelops.com [targets/0/objectType]=User

Salesforce CRM Audit Configuration

What is Discovered and Monitored

Configuration

Sample Events for Salesforce Audit

What is Discovered and Monitored
Protocol Logs Collected Used For
Salesforce API Successful/Failed Login, API Query Activity, Dashboard Activity, Opportunity Activity,

Report Export Activity, Report Activity, Document Download Activity

Security Monitoring

Event Types

In CMDB > Event Types, search for “Salesforce Audit” in the Search column to see the event types associated with this device.

Rules

There are no predefined rules for Salesforce CRM Audit

Reports

There are many reports defined in Analytics > Reports > Device > Application > CRM

Salesforce Failed Logon Activity

Salesforce Successful Logon Activity

Top Browsers By Failed Login Count

Top Browsers By Successful Login Count Top Salesforce Users By Failed Login Count

Top Salesforce Users By Successful Login Count

Top Successful Salesforce REST API Queries By Count, Run Time

Top Failed Salesforce Failed REST API Queries By Count, Run Time

Top Salesforce API Queries By Count, Run Time

Top Salesforce Apex Executions By Count, Run Time

Top Salesforce Dashboards Views By Count

Top Salesforce Document Downloads By Count

Top Salesforce Opportunity Reports By Count

Top Salesforce Report Exports By Count

Top Salesforce Reports By Count, Run Time Top Salesforce Events

Configuration

Create Salesforce Audit Credential

  1. Log in to AccelOps Supervisor node.
  2. Go to Admin > Setup Wizard > Credentials.
  3. In Step 1, Click Add to create a new credential
  4. For Device Type, select Salesforce Salesforce Audit
  5. For Access Protocol, select Salesforce API
  6. For Password Configuration, select Manual or CyberArk
  7. For Manual credential method, enter the user name, password and Security Token.
  8. For CyberArk credential method, specify CyberArk properties.
  9. Click Save.

Test Connectivity

  1. Log in to AccelOps Supervisor node.
  2. Go to Admin > Setup Wizard > Credentials.
  3. In Step 2, Click Add to create a new association
  4. For Name/IP/IP Range, enter salesforce.com
  5. For Credentials, enter the name of credential created in the “Salesforce Audit Credential” step.
  6. Click Save
  7. Select the entry just created and Click Test Connectivity without Ping. A pop up will appear and show the Test Connectivity results.
  8. Go to Admin > Setup Wizard > Pull Events and make sure an entry is created for Salesforce Audit Log Collection
Sample Events for Salesforce Audit
Configuring Console Access Devices

AccelOps supports these console access devices for discovery and monitoring.

Lantronix SLC Console Manager Configuration

 

 

 

Lantronix SLC Console Manager Configuration

What is Discovered and Monitored

Protocol Information discovered Metrics/Logs collected Used for
Syslog   Admin access, Updates, Commands run Log analysis and compliance

Event Types

Around 10 event types are generated by parsing Lantronix SLC logs. The complete list can be found in CMDB > Event Types by searching for Lantronix-SLC. Some important ones are

Lantronix-SLC-RunCmd

Lantronix-SLC-Update

Lantronix-SLC-User-Logon-Success

Rules

There are no predefined rules for this device.

Reports

There are no predefined reports for this device.

Configuration

AccelOps processes events from this device via syslog.  Configure the device to send syslog to AccelOps as directed in the device’s product documentation, and AccelOps will parse the contents.

Example Syslog