Symantec™ Event Collector 4.3 for SNARE® for Windows Quick Reference
The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.
Legal Notice
Copyright © 2008 Symantec Corporation.
All rights reserved.
Symantec, the Symantec Logo, LiveUpdate, Symantec AntiVirus, Symantec Mail Security, Symantec Backup Exec, Symantec NetBackup, Symantec Endpoint Protection, Symantec Scan Engine, Symantec Control Compliance Suite, Symantec Critical System Protection, Symantec Enterprise Security Manager, Symantec Intruder Alert, Symantec Sygate Enterprise Protection, Symantec Mail Security, and Symantec Security Response are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.
Symantec Corporation
20330 Stevens Creek Blvd.
Cupertino, CA 95014 USA
http://www.symantec.com
Technical Support
Symantec Technical Support maintains support centers globally. Technical Support's primary role is to respond to specific queries about product feature and function, installation, and configuration. The Technical Support group also authors content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.
Symantec's maintenance offerings include the following:
■ A range of support options that give you the flexibility to select the right amount of service for any size organization
■ A telephone and web-based support that provides rapid response and up-to-the-minute information
■ Upgrade insurance that delivers automatic software upgrade protection
■ Global support that is available 24 hours a day, 7 days a week worldwide. Support is provided in a variety of languages for those customers that are enrolled in the Platinum Support program
■ Advanced features, including Technical Account Management
For information about Symantec's Maintenance Programs, you can visit our Web site at the following URL:
www.symantec.com/techsupp/
Contacting Technical Support
Customers with a current maintenance agreement may access Technical Support information at the following URL:
www.symantec.com/techsupp/
Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to recreate the problem.
When you contact Technical Support, please have the following information available:
■ Product release level
■ Hardware information
■ Available memory, disk space, and NIC information
■ Operating system
■ Version and patch level
■ Network topology
■ Router, gateway, and IP address information
■ Problem description:
■ Error messages and log files
■ Troubleshooting that was performed before contacting Symantec
■ Recent software configuration changes and network changes
Licensing and registration
If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:
www.symantec.com/techsupp/
Customer service
Customer service information is available at the following URL:
www.symantec.com/techsupp/
Customer Service is available to assist with the following types of issues:
■ Questions regarding product licensing or serialization
■ Product registration updates such as address or name changes
■ General product information (features, language availability, local dealers)
■ Latest information about product updates and upgrades
■ Information about upgrade insurance and maintenance contracts
■ Information about the Symantec Value License Program
■ Advice about Symantec's technical support options
■ Nontechnical presales questions
■ Issues that are related to CD-ROMs or manuals
Maintenance agreement resources
If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows:
■ Asia-Pacific and Japan: [email protected]
■ Europe, Middle-East, and Africa: [email protected]
■ North America and Latin America: [email protected]
Additional Enterprise services
Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively. Enterprise services that are available include the following:
■ Symantec Early Warning Solutions: These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur.
■ Managed Security Services: These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.
■ Consulting Services: Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring and management capabilities, each focused on establishing and maintaining the integrity and availability of your IT resources.
■ Educational Services: Educational Services provide a full array of technical training, security education, security certification, and awareness communication programs.
To access more information about Enterprise services, please visit our Web site at the following URL:
www.symantec.com
Select your country or language from the site index.
Contents
Technical Support .... 4
Chapter 1 Introducing Symantec Event Collector for SNARE for Windows .... 9
    About this quick reference .... 9
    Compatibility requirements for SNARE for Windows Event Collector .... 10
    System requirements for the SNARE for Windows Event Collector computer .... 10
    About the installation sequence for SNARE for Windows Event Collector .... 11
    Configuring SNARE or Lasso to work with the collector .... 12
    Sensor properties for SNARE for Windows Event Collector .... 13
    About syslog event forwarding .... 14
    About Syslog Director .... 14
    Running LiveUpdate for collectors .... 15
Chapter 2 Implementation notes .... 19
    Product ID for SNARE for Windows Event Collector .... 19
    Event example .... 19
    Schema packages .... 20
    Event mapping for Information Manager .... 20
Chapter 3 Event filtering and aggregation .... 27
    Event filtering and aggregation for SNARE for Windows Event Collector .... 27
Chapter 1 Introducing Symantec Event Collector for SNARE for Windows
This chapter includes the following topics:
■ About this quick reference
■ Compatibility requirements for SNARE for Windows Event Collector
■ System requirements for the SNARE for Windows Event Collector computer
■ About the installation sequence for SNARE for Windows Event Collector
■ Configuring SNARE or Lasso to work with the collector
■ Sensor properties for SNARE for Windows Event Collector
■ About Syslog Director
■ Running LiveUpdate for collectors
About this quick reference
This quick reference includes information that is specific to Symantec™ Event Collector for SNARE® for Windows. General knowledge about installing and configuring collectors is assumed, as well as basic knowledge of SNARE for Windows.
For detailed information on how to install and configure event collectors, please see the Symantec Event Collectors Integration Guide.
For information on SNARE for Windows, see your product documentation.
Compatibility requirements for SNARE for Windows Event Collector
The collector is compatible with the following products:
■ Intersect Alliance SNARE 2.4 for Windows and later
■ LogLogic Project Lasso 4.0 and later
The collector runs on the following operating systems:
■ Microsoft Windows 2000 with Service Pack 4 or later
■ Microsoft Windows Advanced Server 2000 with Service Pack 4 or later
■ Microsoft Windows Server 2003 Enterprise Edition with Service Pack 1 or later. You can install version 4.3 collectors on both 32-bit and 64-bit versions of Windows Server 2003. You can install version 4.2 collectors only on the 32-bit version of Windows Server 2003.
■ Microsoft Windows Server 2003 Standard Edition with Service Pack 1 or later
■ Windows XP with Service Pack 2 or later. You can install version 4.3 collectors on both 32-bit and 64-bit versions of Windows XP.
■ Red Hat Enterprise Linux AS 3.0
■ Red Hat Enterprise Linux AS 4.0
System requirements for the SNARE for Windows Event Collector computer
Minimum system requirements for a remote collector installation are as follows:
■ Intel Pentium-compatible 133-MHz processor (up to and including Xeon-class)
■ 512 MB minimum, 1 GB of memory recommended for the Symantec Event Agent
■ 35 MB of hard disk space for collector program files
■ 95 MB of hard disk space to accommodate the Symantec Event Agent, the JRE, and the collector
■ TCP/IP connection to a network from a static IP address
About the installation sequence for SNARE for Windows Event Collector
The collector is preinstalled on the Information Manager 4.6 appliance. You can also install this collector on a remote computer or on an Information Manager 4.5 appliance.
The collector installation sequence is as follows:
■ Configure SNARE or Lasso to work with the collector.
■ Close the Symantec Security Information Manager Client console.
■ Register the collector for all off-appliance collector installations. If you use Information Manager 4.6, the collector has been pre-registered. You do not have to register it.
■ Install the Symantec Event Agent on the collector computer. You must install the agent for all remote installations. Symantec Event Agent 4.5.0 build 12 or later is required.
■ Run LiveUpdate on earlier collectors. If you install a 4.3 collector on a computer that has an earlier collector on it, you must first run LiveUpdate on all components of the earlier version of the collector. You must update the earlier collector before you install the 4.3 collector. See “Running LiveUpdate for collectors” on page 15.
■ Install the collector component. The collector is preinstalled on the Information Manager 4.6 appliance. If you want to use the collector on a remote computer, you must install it on the remote computer. You can install the collector on the Information Manager 4.5 appliance. However, you must first apply the Information Manager 4.5.1 with Maintenance Release 1 (or later) upgrade package on the appliance.
■ Configure the sensor.
■ Configure Syslog Director (optional). See “About Syslog Director” on page 14.
■ Run LiveUpdate. See “Running LiveUpdate for collectors” on page 15.
For all procedures that are not covered in the quick reference, see the Symantec Event Collectors Integration Guide.
Configuring SNARE or Lasso to work with the collector
You must enable SNARE for Windows to send syslog messages to the collector as follows:
■ If you are using this collector with SNARE: See “To enable SNARE to send syslog messages to the collector” on page 12.
Note: The collector receives events directly from SNARE for Windows.
■ If you are using this collector with Lasso: See “To enable Lasso to send syslog messages to the collector” on page 12.
To enable SNARE to send syslog messages to the collector
1 Start SNARE.
2 Depending on the version of SNARE for Windows, do one of the following steps:
■ In SNARE for Windows 2.4, from the Setup menu, click Audit Configuration
■ In SNARE for Windows 2.6 and later, from the Setup menu, click SNARE Network Configuration
3 Fill out the following fields with the appropriate information:
Override detected DNS Name with: Leave this field blank.
Destination SNARE Server address: Type the IP address of the collector computer.
Destination port: Type the port number of the collector computer. The default port number of the collector sensor is 10514.
4 Check Enable SYSLOG header.
5 Click OK.
To enable Lasso to send syslog messages to the collector
1 From the Lasso host computer, navigate to the C:\Program Files\Lasso directory.
2 Use a text editor, such as Notepad or WordPad, to open the Lasso.ini file.
3 Edit the Lasso.ini configuration file so that it uses the following format:
LogAppliance,IP_Address,Port_Number,udp
■ LogAppliance is a reserved keyword and must be the first parameter.
■ IP_Address is the IP address of the collector computer. You must specify the IP address.
■ Port_Number is the port number used for syslog communication. The default syslog port is 514. If you do not use port 514, you can specify a different port as the third parameter. The default port number of the collector sensor is 10514. The port number of the collector sensor must match the port number that is entered in this field.
■ You must specify UDP as the protocol.
For example, if the collector computer's address is 192.168.22.199, and the syslog port is 10514, then the corresponding line in the Lasso.ini file is as follows:
LogAppliance,192.168.22.199,10514,udp
4 Save and close the Lasso.ini configuration file.
5 Restart the Lasso service.
Sensor properties for SNARE for Windows Event Collector
Table 1-1 shows the sensor properties for the syslog sensor.
Table 1-1 Syslog sensor properties

Protocol
    Specify UDP as the syslog protocol that SNARE for Windows uses to send events. TCP is not supported.

Host Names
    Specify the IP addresses or names of the host computers that the collector monitors.
    Specify * (or any) to allow any host to send events to the collector, or specify multiple host names. Separate multiple host names with commas or semicolons.

Port Number
    Specify the port number to which you have configured SNARE for Windows to send syslog messages.
    The default port number is 10514. You can use 10514, 6161, or 514.

Time Offset
    Specify a time offset to convert timestamps of all logged events to the time zone of the collector computer.
    You can use a time offset value if the following statements are true:
    ■ The time zone of the collector computer and the point product are different
    ■ The timestamps in the point product data are not Coordinated Universal Time (UTC).
    You do not need to use this property if the collector and the point product computers are in the same time zone.
    Acceptable formats are: +HH, -HH, +HH:MM, -HH:MM, where HH is the number of hours (-99 to +99), and MM is the number of minutes (0 to 59). The default value is +00:00.
    For example, if Pacific Standard Time (PST) is the time zone of the collector computer, you can specify -3 to convert incoming events with an Eastern Standard Time (EST) timestamp to Pacific Standard Time. You can specify +3 to convert incoming events with a Hawaii-Aleutian Standard Time (HST) timestamp to Pacific Standard Time.
    If you enter and distribute an erroneous time zone offset, the collector automatically resets the offset value to the default value of +00:00. An error message is posted in the collector's log.
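As an added example (not part of the Symantec documentation), the following Python models the Time Offset rules in Table 1-1: it accepts the +HH, -HH, +HH:MM and -HH:MM forms, rejects anything else, and reproduces the documented failure mode in which an erroneous offset is reset to +00:00 and an error is recorded in the collector log. The function and constant names are this example's own, and the collector log is represented by a plain list.

```python
import re
from datetime import datetime, timedelta

# Acceptable formats from the Time Offset property: +HH, -HH, +HH:MM, -HH:MM,
# where HH is the number of hours and MM the number of minutes (0 to 59).
# The sign is mandatory; the default value is +00:00.
OFFSET_RE = re.compile(r"^([+-])(\d{1,2})(?::(\d{1,2}))?$")
DEFAULT_OFFSET = "+00:00"


def parse_time_offset(text):
    """Return the offset as a timedelta, or None when the text is not an acceptable format."""
    match = OFFSET_RE.match(text.strip())
    if match is None:
        return None
    sign, hours, minutes = match.group(1), int(match.group(2)), int(match.group(3) or 0)
    if minutes > 59:
        return None
    delta = timedelta(hours=hours, minutes=minutes)
    return -delta if sign == "-" else delta


def effective_offset(text, collector_log):
    """Apply the documented failure mode: an erroneous offset is reset to the
    default +00:00 and an error message is posted to the collector log
    (a list standing in for the log file in this example)."""
    delta = parse_time_offset(text)
    if delta is None:
        collector_log.append("ERROR: invalid time offset %r, reset to %s" % (text, DEFAULT_OFFSET))
        delta = parse_time_offset(DEFAULT_OFFSET)
    return delta


def convert_event_time(event_time, offset_text, collector_log):
    """Shift a point-product timestamp into the collector computer's time zone."""
    return event_time + effective_offset(offset_text, collector_log)


def demo():
    """Run the page's PST example (-3 applied to an EST timestamp) and one
    erroneous offset; returns the two converted times (ISO strings) and the log."""
    collector_log = []
    # Timestamp taken from the page's example event, read here as EST.
    est_event = datetime(2006, 7, 10, 17, 18, 36)
    converted = convert_event_time(est_event, "-3", collector_log).isoformat()
    unchanged = convert_event_time(est_event, "+3:99", collector_log).isoformat()
    return converted, unchanged, collector_log


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The minutes check is the only range test the regular expression cannot express; the two-digit limit on HH already keeps the hours inside the -99 to +99 range the table states.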
About syslog event forwarding
If you forward events to a standard syslog server, you can use a syslog forwarder on that server rather than change the settings on your security device. A syslog forwarder can receive and forward events to both Information Manager and your existing syslog server.
About Syslog Director
If you use the collector on the Information Manager appliance, you can set up this collector to use Syslog Director. Syslog Director accepts syslog events from any device or application that sends events to the standard port for syslog messages, UDP port 514. (You can also configure Syslog Director to listen on other UDP and TCP ports.) Syslog Director identifies the incoming events by their signatures (specific patterns that identify each collector) and redirects the events that are received to the appropriate collector. All events that are not identified by a signature are sent to the Generic Syslog Collector.
You can upgrade Syslog Director 4.2 to Syslog Director 4.3 on your Symantec Security Information Manager 4.5 appliance.
For a detailed procedure, see the Symantec Event Collectors Integration Guide.
Note: In all deployments, you must list the Generic Syslog Collector last, and you must leave its Collector Signature empty.
The default Syslog Director settings for this collector are as follows:
Collector name: Snare for Windows Event Collector
Collector signature: MSWinEventLog
Default port: 10529
For detailed procedures on Syslog Director, see the Symantec Event Collectors Integration Guide.
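The routing rule described above, as an added example that is not the product's own code: an ordered signature table is searched top to bottom, the first collector whose signature appears in the message receives it, and an empty signature matches everything, which is why the Generic Syslog Collector must be listed last. The collector name and the MSWinEventLog signature come from the page; the firewall entry, the misordered table, the sample message and the function names are constructed for this illustration.

```python
# Ordered Syslog Director routing table: (collector name, collector signature).
# Only the SNARE entry is from the page; the firewall entry is a hypothetical
# placeholder. The Generic Syslog Collector is last with an empty signature.
DIRECTOR_TABLE = [
    ("Snare for Windows Event Collector", "MSWinEventLog"),
    ("Example Firewall Collector", "EXAMPLEFW"),  # hypothetical, illustration only
    ("Generic Syslog Collector", ""),
]

# The same entries with the generic collector listed first: a misconfiguration.
MISORDERED_TABLE = [
    ("Generic Syslog Collector", ""),
    ("Snare for Windows Event Collector", "MSWinEventLog"),
]

# Constructed start of a SNARE record, modelled on the page's example event.
SAMPLE_SNARE_MESSAGE = "Jul 10 17:18:44 SIMANET2000-2 MSWinEventLog\t1\tApplication\t2"


def route_event(message, table=DIRECTOR_TABLE):
    """Return the first collector whose signature occurs in the message.
    An empty signature matches every message, so the entry that carries it
    must come last or it claims everything that follows it in the table."""
    for collector, signature in table:
        if signature == "" or signature in message:
            return collector
    return None


def validate_director_table(table):
    """Check the rules the page states for Syslog Director configuration and
    return a list of problems (empty when the table is acceptable)."""
    problems = []
    names = [collector for collector, _ in table]
    if "Generic Syslog Collector" not in names:
        problems.append("no Generic Syslog Collector entry")
    elif names[-1] != "Generic Syslog Collector":
        problems.append("Generic Syslog Collector must be listed last")
    for collector, signature in table:
        if collector == "Generic Syslog Collector" and signature != "":
            problems.append("Generic Syslog Collector signature must be empty")
        elif collector != "Generic Syslog Collector" and signature == "":
            # Not stated on the page; follows from the matching rule in route_event.
            problems.append("%s has an empty signature and would claim every event" % collector)
    return problems


if __name__ == "__main__":
    print(route_event(SAMPLE_SNARE_MESSAGE))
    print(route_event(SAMPLE_SNARE_MESSAGE, MISORDERED_TABLE))
    print(validate_director_table(MISORDERED_TABLE))
```

With the misordered table every SNARE event lands in the Generic Syslog Collector, which is the symptom an operator would see if the ordering rule in the note above were ignored.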
Running LiveUpdate for collectors
You can run LiveUpdate to receive collector updates such as support for new events and query updates.
If you install a collector on Information Manager 4.5, you must complete the following procedures in the order presented:
■ Run LiveUpdate for collectors added to the Information Manager 4.5 appliance. See “To run LiveUpdate for collectors added to the Information Manager 4.5 appliance” on page 16.
■ Verify that LiveUpdate ran successfully on Information Manager 4.5. See “To verify that LiveUpdate ran successfully on Information Manager 4.5” on page 17.
If you install a collector on Information Manager 4.6, or if you use a collector that is preinstalled on Information Manager 4.6, you must complete the following procedures in the order presented:
■ Use the Administrator Web page to run LiveUpdate
■ Use the Administrator Web page to verify that LiveUpdate ran successfully
See “To run LiveUpdate from the Administrator Web page” on page 16.
If you installed the collector on a separate computer, you must complete the following tasks in the order presented:
■ Run LiveUpdate for a collector installed on a separate computer. See “To run LiveUpdate for a collector installed on a separate computer” on page 17.
■ Verify that LiveUpdate ran successfully for a collector installed on a separate computer. See “To verify that LiveUpdate ran successfully for a collector installed on a separate computer” on page 17.
To run LiveUpdate from the Administrator Web page
1 From a Web browser, navigate to the Information Manager Administrator Web page, and then log in with administrator credentials.
2 From the list on the left, click LiveUpdate.
3 In the list of products, to select the items to update, check Update in the corresponding check box.
At the bottom of the page, you can also click Check All.
4 At the bottom of the page, click Update.
If LiveUpdate runs successfully, the status column in the Summary page displays Success.
5 To troubleshoot a problem with LiveUpdate, under Session Log, click View Log File.
To run LiveUpdate for collectors added to the Information Manager 4.5 appliance
1 Connect to the Information Manager 4.5 appliance, and log in as root.
2 Navigate to the Symantec Event Agent directory.
The default directory is /opt/Symantec/sesa/Agent/collectors/snarewin
3 At the command prompt, type the following command:
sh ./runliveupdate.sh
4 To stop the Symantec Event Agent, type the following command:
service sesagentd stop
5 To change the ownership of the updated collector files, type the followingcommand:
chown -R sesuser.ses *
6 To restart the Symantec Event Agent, type the following command:
service sesagentd start
To verify that LiveUpdate ran successfully on Information Manager 4.5
1 Connect to the Information Manager 4.5 appliance, and log in as root.
2 Navigate to the collectors subdirectory of the Symantec Event Agent directory.
The default directory is as follows:
cd /opt/Symantec/sesa/Agent/collectors/snarewin
3 Verify that a file named LiveUpdate-Collector.txt exists.
This text file shows the date of the last LiveUpdate and contains information about any defects that were addressed and any enhancements that were added.
4 Navigate to the LiveUpdate directory:
/opt/Symantec/LiveUpdate
5 To view the last 100 lines of the liveupdt.log file, type the following command:
tail -100 liveupdt.log | more
The first part of the log is in text format; the second part of the log repeats the information in XML format.
If LiveUpdate was unsuccessful, a status message that notes the failure appears at the end of the log file.
For example, Status = Failed (return code - 2001).
To run LiveUpdate for a collector installed on a separate computer
1 On the collector computer, navigate to the collector directory as follows:
■ On Windows, the default directory is as follows: C:\Program Files\Symantec\Event Agent\collectors\snarewin
■ On UNIX, the default directory is as follows: /opt/Symantec/sesa/Agent/collectors/snarewin
2 At a command prompt, do one of the following tasks:
■ On Windows, type the following command: runliveupdate.bat
■ On UNIX, as the root user, type the following command: runliveupdate.sh
To verify that LiveUpdate ran successfully for a collector installed on a separate computer
1 On the collector computer, navigate to the collector directory as follows:
■ On Windows, the default directory is as follows: C:\Program Files\Symantec\sesa\Agent\collectors\snarewin
■ On UNIX, the default directory is as follows: /opt/Symantec/sesa/Agent/collectors/snarewin
2 Verify that a file named LiveUpdate-Collector.txt exists.
This text file shows the date of the last LiveUpdate and contains information about any defects that were addressed and any enhancements that were added.
3 Navigate to the LiveUpdate directory as follows:
■ On Windows, the default LiveUpdate directory is as follows: C:\Documents and Settings\All Users\Application Data\Symantec\Java LiveUpdate
■ On UNIX, the default LiveUpdate directory is as follows: /opt/Symantec/LiveUpdate
4 To view the liveupdt.log file, do one of the following tasks:
■ On Windows, use a text editor such as Notepad to view the liveupdt.log file.
■ On UNIX, to view the last 100 lines of the liveupdt.log file, type the following command: tail -100 liveupdt.log | more
The first part of the log is in text format; the second part of the log repeats the information in XML format.
If LiveUpdate was unsuccessful, a status message that notes the failure appears at the end of the log file.
For example, Status = Failed (return code - 2001).
Chapter 2 Implementation notes
This chapter includes the following topics:
■ Product ID for SNARE for Windows Event Collector
■ Event example
■ Schema packages
■ Event mapping for Information Manager
Product ID for SNARE for Windows Event Collector
The product ID of the collector is 3241.
Event example
The following is an example event:
Jul 10 17:18:44 SIMANET2000-2 MSWinEventLog 1 Application 2 Mon
Jul 10 17:18:36 2006 105 SNARE Unknown User N/A Information
SIMANET2000-2 None The service was started. 1
The event is in Microsoft Windows Server Update Services (WSUS) database file format. The structure is as follows (field position, then field name):
0  Syslog Header (Date\Hostname\EventLog type)
1  Criticality
2  SourceName
3  SNARE/Lasso Event Counter
4  DateTime
5  EventID
6  SourceName
7  UserName
8  SIDType
9  EventLogType
10 ComputerName
11 CategoryString
12 DataString
13 ExpandedString
14 MD5 Checksum (optional)
Schema packages
The collector uses the following schema packages:
■ symc_base_class: For catch-all events
■ symc_windows_eventlog_class: For Windows events
Event mapping for Information Manager
Table 2-1 shows the event mapping for the collector.
Table 2-1 Event mapping

Information Manager field name | SNARE for Windows field name | Comment
Category ID | (none) | 30007601 - Application; 30007606 - Security
Computer Name | ComputerName | Windows computer name
Destination Host Name | ComputerName | Windows computer name
Event Count | (none) | Count of the events from source event, or 1
Description | (none) | Description of the event
Description Message | ExpandedDataString | Contains the expanded data strings
Event Category | CategoryString | Category of the audit event, as defined by the Windows event logging system
Event Date | DateTime | Date and time of the event
Event ID | EventID | Windows Event ID that identifies the event type
Event Record Number | SNARE Event Counter | Based on the internal SNARE event counter
Event Source | SourceName | First occurrence of this field; indicates the log file from which event data is taken (for example, application, security, system, directory service, DNS server, or file replication)
Event Type ID | (none) | Possible values: 1912000 - Windows and Novell Security Event; 1912001 - Windows and Novell System Event; 1912002 - Windows and Novell Application Event; 1912003 - Windows and Novell Extended Event
Facility | Facility | Facility value from the PRI part of the Syslog header (RFC 3164). Only for events received by TCP
IP Destination Address | ComputerName | Windows computer name
IP Source Address | SourceName | Computer that caused this event
Option 1 | (none) | Option 1 field
Option 2 | (none) | Option 2 field
Option 3 | (none) | Option 3 field
Option 4 | (none) | Option 4 field
Option 5 | (none) | Option 5 field
Option 6 | (none) | Option 6 field
Option 7 | (none) | Option 7 field
Option 8 | (none) | Option 8 field
Option 9 | (none) | Option 9 field
Option 10 | (none) | Option 10 field
Option 11 | (none) | Option 11 field
Option 12 | (none) | Option 12 field
Option 13 | (none) | Option 13 field
Option 14 | (none) | Option 14 field
Option 15 | (none) | Option 15 field
Option 16 | (none) | Option 16 field
Option 17 | (none) | Option 17 field
Proxy Machine, Proxy Machine IP | ProxyMachine, ProxyMachineIP | IP address and host name of the computer where the SNARE/Project Lasso product is installed
Severity ID | (none) | Based on EventLogType. Possible values: 1 - Informational; 2 - Warning; 3 - Minor; 4 - Major; 5 - Critical
Source Computer Name | SourceName | Computer that caused this event
Source Eventlog | SourceName | The second occurrence of the field in the SNARE logs. For security, both fields are the same; for Application System, it is the name of the particular application or system component.
Source Host Name | SourceName | Computer that caused this event
User Name | UserName | Windows UserName
Vendor Device | (none) | Actual: 53
Vendor Severity | Criticality | Severity of the logged event. Severity is defined as follows: Critical=4; Priority=3; Warning=2; Informational=1; Clear=0
Vendor Signature | <EventLogType>:<EventID> | (none)
Windows and Novell Event Type | EventLogType | Possible values: Success Audit; Failure Audit; Error; Information; Warning
Table 2-2 shows the EventClass mapping and how the windows_source_eventlog field affects the event_id field.
Table 2-2 EventClass mapping

Source field (windows_source_eventlog) | Destination field (event_id)
Security | 1912000 - Windows and Novell Security Event
System | 1912001 - Windows and Novell System Event
Application | 1912002 - Windows and Novell Application Event
DNS Server | 1912003 - Windows and Novell Extended Event
File Replication Service | 1912003 - Windows and Novell Extended Event
Directory Service | 1912003 - Windows and Novell Extended Event
Table 2-3 shows the severity mapping and how the windows_event_type field affects the severity field.
Table 2-3 Severity mapping

Source field (windows_event_type) | Destination field (severity)
Information | 1 - Informational (Default)
Success Audit | 2 - Warning
Warning | 3 - Minor
Failure Audit | 4 - Major
Error | 5 - Critical
Table 2-4 shows the category mapping and how the windows_source_eventlog field affects the category_id field.
Table 2-4 Category mapping

Source field (windows_source_eventlog) | Destination field (category_id)
Security | 30007606 - Security
System | 30007601 - Application
Application | 30007601 - Application
DNS Server | 30007601 - Application
File Replication Service | 30007601 - Application
Directory Service | 30007601 - Application
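An added Python example (not from the Symantec documentation) that parses a SNARE record into the 15 positions listed under "Event example" and then applies Tables 2-2, 2-3 and 2-4 together with the Vendor Signature rule (<EventLogType>:<EventID>) from Table 2-1. It assumes the fields are tab-delimited, as SNARE sends them; the two sample records, the Python field names, and the treatment of an unrecognised log file name as an untranslated event are this example's own assumptions.

```python
# Field positions in a SNARE for Windows (MSWinEventLog) record, as listed under
# "Event example". Position 0 is the syslog header (date, host name, event log type).
# SourceName occurs twice: the first is the log file name (Event Source in Table 2-1),
# the second the event's source component (Source Eventlog), so they are named apart.
FIELD_NAMES = [
    "SyslogHeader", "Criticality", "SourceName", "EventCounter", "DateTime", "EventID",
    "SourceName2", "UserName", "SIDType", "EventLogType", "ComputerName",
    "CategoryString", "DataString", "ExpandedString", "MD5Checksum",
]

# Table 2-2: windows_source_eventlog -> event_id
EVENT_ID_BY_SOURCE = {
    "Security": "1912000 - Windows and Novell Security Event",
    "System": "1912001 - Windows and Novell System Event",
    "Application": "1912002 - Windows and Novell Application Event",
    "DNS Server": "1912003 - Windows and Novell Extended Event",
    "File Replication Service": "1912003 - Windows and Novell Extended Event",
    "Directory Service": "1912003 - Windows and Novell Extended Event",
}
# Table 2-3: windows_event_type -> severity (1 - Informational is the default)
SEVERITY_BY_EVENT_TYPE = {
    "Information": 1, "Success Audit": 2, "Warning": 3, "Failure Audit": 4, "Error": 5,
}
# Table 2-4: windows_source_eventlog -> category_id
CATEGORY_BY_SOURCE = {
    "Security": 30007606, "System": 30007601, "Application": 30007601,
    "DNS Server": 30007601, "File Replication Service": 30007601, "Directory Service": 30007601,
}

# Constructed sample records modelled on the page's example event. SNARE sends the
# fields tab-delimited; where the tabs fall here is this example's assumption.
SAMPLE_EVENT = (
    "Jul 10 17:18:44 SIMANET2000-2 MSWinEventLog\t1\tApplication\t2\t"
    "Mon Jul 10 17:18:36 2006\t105\tSNARE\tUnknown User\tN/A\tInformation\t"
    "SIMANET2000-2\tNone\tThe service was started.\t\t1"
)
# Security log record with an empty ExpandedString and no MD5 checksum (14 fields).
SAMPLE_SECURITY_EVENT = (
    "Jul 10 17:20:01 SIMANET2000-2 MSWinEventLog\t4\tSecurity\t3\t"
    "Mon Jul 10 17:19:58 2006\t529\tSecurity\tjsmith\tUser\tFailure Audit\t"
    "SIMANET2000-2\tLogon/Logoff\tLogon Failure: unknown user name or bad password\t"
)


def parse_snare_event(line):
    """Split one record into the 15 named fields. The MD5 checksum is optional,
    so a 14-field record is accepted and the missing field becomes ''."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) < len(FIELD_NAMES) - 1:
        raise ValueError("expected at least 14 tab-delimited fields, got %d" % len(parts))
    parts = (parts + [""])[:len(FIELD_NAMES)]
    return dict(zip(FIELD_NAMES, parts))


def map_to_information_manager(fields):
    """Derive the Information Manager values of Tables 2-2 to 2-4 and the Vendor
    Signature and Vendor Severity of Table 2-1 from the parsed SNARE fields."""
    source = fields["SourceName"]
    event_type = fields["EventLogType"]
    if source not in EVENT_ID_BY_SOURCE:
        # The page does not say when the collector sets not_translated; this example
        # assumes an unrecognised log file name leaves the event untranslated, which
        # the default "catch-all events" filter of Chapter 3 then removes.
        return {"not_translated": True, "windows_source_eventlog": source}
    return {
        "not_translated": False,
        "windows_source_eventlog": source,
        "windows_event_type": event_type,
        "event_id": EVENT_ID_BY_SOURCE[source],
        "category_id": CATEGORY_BY_SOURCE[source],
        "severity": SEVERITY_BY_EVENT_TYPE.get(event_type, 1),
        "vendor_signature": "%s:%s" % (event_type, fields["EventID"]),
        "vendor_severity": int(fields["Criticality"]),
        "user_name": fields["UserName"],
        "computer_name": fields["ComputerName"],
        "description": fields["DataString"],
    }


if __name__ == "__main__":
    for record in (SAMPLE_EVENT, SAMPLE_SECURITY_EVENT):
        print(map_to_information_manager(parse_snare_event(record)))
```

A DataString that itself contains a tab would shift every later position; the parser keeps the first 15 pieces only, so such a record is mis-parsed rather than rejected, which is worth a check in any real ingestion path.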
Chapter 3 Event filtering and aggregation
This chapter includes the following topics:
■ Event filtering and aggregation for SNARE for Windows Event Collector
Event filtering and aggregation for SNARE for Windows Event Collector
The collector includes a default filter called catch-all events. The filter removes events when the field not_translated is equal to true. The filter is enabled by default. If you want all events processed by the collector, you can disable this filter rule.
Table 3-1 shows example filters and aggregation.
Table 3-1 Filtering and aggregation examples

Name | Operator | Value | Description
Windows and Novell Event Type | equal to | Information | This filter removes informational events while retaining error and warning events.
Windows User Name | equal to | Smith | This aggregation groups events by the username Smith.
Windows User Name | similar property | (none) | This aggregation groups events for all users who tried to access the Windows computer.
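An added example, not the product's own filter engine, that applies the default catch-all filter and the three Table 3-1 rules to a constructed list of events already mapped to Information Manager field names. Filter rules remove the events that match them; "equal to" aggregation collects the events whose field equals the given value, and "similar property" is read here as grouping by each distinct value of the field (that reading, the rule dictionaries and the function names are this example's assumptions).

```python
from collections import defaultdict

# Constructed events, already normalized to the Information Manager field names
# used in Tables 2-1 and 3-1. The last one stands for an event the collector could
# not translate (the case the default catch-all filter exists for).
EVENTS = [
    {"not_translated": False, "Windows and Novell Event Type": "Information", "Windows User Name": "Smith"},
    {"not_translated": False, "Windows and Novell Event Type": "Failure Audit", "Windows User Name": "Smith"},
    {"not_translated": False, "Windows and Novell Event Type": "Error", "Windows User Name": "Jones"},
    {"not_translated": False, "Windows and Novell Event Type": "Warning", "Windows User Name": "Jones"},
    {"not_translated": True, "Windows and Novell Event Type": "Error", "Windows User Name": "N/A"},
]

# Default filter "catch-all events": remove the event when not_translated equals true.
CATCH_ALL = {"name": "not_translated", "operator": "equal to", "value": True}
# Table 3-1, row 1: drop informational events, keeping errors and warnings.
DROP_INFORMATIONAL = {"name": "Windows and Novell Event Type", "operator": "equal to", "value": "Information"}
# Table 3-1, rows 2 and 3: aggregation rules.
GROUP_SMITH = {"name": "Windows User Name", "operator": "equal to", "value": "Smith"}
GROUP_ALL_USERS = {"name": "Windows User Name", "operator": "similar property"}


def matches(event, rule):
    """True when the event satisfies a filter rule's condition."""
    if rule["operator"] == "equal to":
        return event.get(rule["name"]) == rule["value"]
    raise ValueError("unsupported filter operator: %s" % rule["operator"])


def apply_filters(events, rules):
    """A filter rule removes every event that matches it; the rest pass through."""
    return [event for event in events if not any(matches(event, rule) for rule in rules)]


def aggregate(events, rule):
    """Group events under the named field: 'equal to' keeps only the group whose
    value matches, 'similar property' forms one group per distinct value."""
    groups = defaultdict(list)
    for event in events:
        key = event.get(rule["name"])
        if rule["operator"] == "equal to":
            if key == rule["value"]:
                groups[key].append(event)
        elif rule["operator"] == "similar property":
            groups[key].append(event)
        else:
            raise ValueError("unsupported aggregation operator: %s" % rule["operator"])
    return dict(groups)


def process(events, disable_catch_all=False):
    """Run the collector's filter chain as configured on the page: the catch-all
    filter (unless disabled) followed by the Table 3-1 informational filter."""
    rules = [DROP_INFORMATIONAL] if disable_catch_all else [CATCH_ALL, DROP_INFORMATIONAL]
    return apply_filters(events, rules)


if __name__ == "__main__":
    print(len(process(EVENTS)), "events kept with the catch-all filter enabled")
    print(len(process(EVENTS, disable_catch_all=True)), "events kept with it disabled")
    translated = apply_filters(EVENTS, [CATCH_ALL])
    print(sorted(aggregate(translated, GROUP_ALL_USERS)))
```

Disabling the catch-all filter is the only difference between the two counts printed; the untranslated record then reaches the later stages carrying an unresolved user name, which is the trade-off the paragraph above describes.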