Symantec™ Event Collector 4.3 for McAfee® ePolicy Orchestrator® 4.0 Quick Reference
The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.
Legal Notice
Copyright © 2008 Symantec Corporation. All rights reserved.
Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.
This Symantec product may contain third party software for which Symantec is required to provide attribution to the third party (“Third Party Programs”). Some of the Third Party Programs are available under open source or free software licenses. The License Agreement accompanying the Software does not alter any rights or obligations you may have under those open source or free software licenses. Please see the Third Party Legal Notice Appendix to this Documentation or TPIP ReadMe File accompanying this Symantec product for more information on the Third Party Programs.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, "Rights in Commercial Computer Software or Commercial Computer Software Documentation", as applicable, and any successor regulations. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.
Symantec Corporation
20330 Stevens Creek Blvd.
Cupertino, CA 95014
http://www.symantec.com
Printed in the United States of America.
Technical Support
Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product features and functionality. The Technical Support group also creates content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.
Symantec’s maintenance offerings include the following:
■ A range of support options that give you the flexibility to select the right amount of service for any size organization
■ Telephone and Web-based support that provides rapid response and up-to-the-minute information
■ Upgrade assurance that delivers automatic software upgrade protection
■ Global support that is available 24 hours a day, 7 days a week
■ Advanced features, including Account Management Services
For information about Symantec’s Maintenance Programs, you can visit our Web site at the following URL:
www.symantec.com/techsupp/
Contacting Technical Support
Customers with a current maintenance agreement may access Technical Support information at the following URL:
www.symantec.com/techsupp/
Before contacting Technical Support, make sure you have satisfied the system requirements that are listed in your product documentation. Also, you should be at the computer on which the problem occurred, in case it is necessary to replicate the problem.
When you contact Technical Support, please have the following information available:
■ Product release level
■ Hardware information
■ Available memory, disk space, and NIC information
■ Operating system
■ Version and patch level
■ Network topology
■ Router, gateway, and IP address information
■ Problem description:
■ Error messages and log files
■ Troubleshooting that was performed before contacting Symantec
■ Recent software configuration changes and network changes
Licensing and registration
If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:
www.symantec.com/techsupp/
Customer service
Customer service information is available at the following URL:
www.symantec.com/techsupp/
Customer Service is available to assist with the following types of issues:
■ Questions regarding product licensing or serialization
■ Product registration updates, such as address or name changes
■ General product information (features, language availability, local dealers)
■ Latest information about product updates and upgrades
■ Information about upgrade assurance and maintenance contracts
■ Information about the Symantec Buying Programs
■ Advice about Symantec's technical support options
■ Nontechnical presales questions
■ Issues that are related to CD-ROMs or manuals
Maintenance agreement resources
If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows:
Asia-Pacific and Japan: [email protected]
Europe, Middle-East, and Africa: [email protected]
North America and Latin America: [email protected]
Additional enterprise services
Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively.
Enterprise services that are available include the following:
Symantec Early Warning Solutions: These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur.
Managed Security Services: These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.
Consulting Services: Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring, and management capabilities. Each is focused on establishing and maintaining the integrity and availability of your IT resources.
Educational Services: Educational Services provide a full array of technical training, security education, security certification, and awareness communication programs.
To access more information about Enterprise services, please visit our Web site at the following URL:
www.symantec.com
Select your country or language from the site index.
Contents
Technical Support ... 4
Chapter 1 Introducing Symantec Event Collector for McAfee ePolicy Orchestrator 4.0 ... 9
    About this quick reference ... 10
    Compatibility requirements for McAfee ePO 4.0 Event Collector ... 10
    System requirements for the McAfee ePO 4.0 Event Collector computer ... 11
    About the installation sequence for McAfee ePO 4.0 Event Collector ... 11
    Setting the SQL Server security mode to mixed authentication ... 12
    Downloading database drivers ... 13
    Installing database drivers on a remote computer ... 14
    Installing database drivers on an Information Manager appliance ... 14
    Creating read-only database users ... 15
        Creating a read-only database user account for Microsoft SQL Server 2000 ... 15
        Creating a read-only database user account for Microsoft SQL Server 2005 ... 16
        Creating a read-only database user account for Microsoft SQL Server 2000 Desktop Engine (MSDE) ... 17
    Configuring the SQL Server instance to listen on a non-dynamic port ... 19
    Configuring an SSL connection for the Microsoft SQL Server 2005 JDBC driver 1.2 ... 19
    Sensor properties for McAfee ePO 4.0 Event Collector ... 21
    Running LiveUpdate for collectors ... 22
Chapter 2 Implementation notes ... 27
    Product ID for McAfee ePO 4.0 Event Collector ... 27
    Event examples ... 27
    Schema packages ... 28
    Event mapping for Information Manager ... 29
Chapter 3 Event filtering and aggregation ... 35
    Event filtering and aggregation for McAfee ePO 4.0 Event Collector ... 35
Chapter 1 Introducing Symantec Event Collector for McAfee ePolicy Orchestrator 4.0
This chapter includes the following topics:
■ About this quick reference
■ Compatibility requirements for McAfee ePO 4.0 Event Collector
■ System requirements for the McAfee ePO 4.0 Event Collector computer
■ About the installation sequence for McAfee ePO 4.0 Event Collector
■ Setting the SQL Server security mode to mixed authentication
■ Downloading database drivers
■ Installing database drivers on a remote computer
■ Installing database drivers on an Information Manager appliance
■ Creating read-only database users
■ Configuring the SQL Server instance to listen on a non-dynamic port
■ Configuring an SSL connection for the Microsoft SQL Server 2005 JDBC driver 1.2
■ Sensor properties for McAfee ePO 4.0 Event Collector
■ Running LiveUpdate for collectors
About this quick reference
This quick reference includes information that is specific to Symantec™ Event Collector for McAfee® ePolicy Orchestrator® 4.0. General knowledge about installing and configuring collectors is assumed, as well as basic knowledge of McAfee ePolicy Orchestrator 4.0.
For detailed information on how to install and configure event collectors, please see the Symantec Event Collectors Integration Guide.
For information on McAfee ePolicy Orchestrator 4.0, see your product documentation.
Compatibility requirements for McAfee ePO 4.0 Event Collector
The collector is compatible with McAfee ePolicy Orchestrator 4.0, which captures the events from the following McAfee products:
■ McAfee AntiSpyware Enterprise 8.5
■ McAfee Host Intrusion Prevention 7.0
■ McAfee VirusScan Enterprise 8.5i
A separate event collector for McAfee ePolicy Orchestrator 3.x is available. Please contact Symantec.
The collector runs on the following operating systems:
■ Microsoft Windows 2000 with Service Pack 4 or later
■ Microsoft Windows Advanced Server 2000 with Service Pack 4 or later
■ Microsoft Windows Server 2003 Enterprise Edition with Service Pack 1 or later
■ Microsoft Windows Server 2003 Standard Edition with Service Pack 1 or later
■ Windows XP with Service Pack 2 or later
Note: You can install version 4.3 collectors on both 32-bit and 64-bit versions of Windows Server 2000/2003.
System requirements for the McAfee ePO 4.0 Event Collector computer
Minimum system requirements for a remote collector installation are as follows:
■ Intel Pentium-compatible 133-MHz processor (up to and including Xeon-class)
■ 512 MB minimum, 1 GB of memory recommended for the Symantec Event Agent
■ 35 MB of hard disk space for collector program files
■ 95 MB of hard disk space to accommodate the Symantec Event Agent, the JRE, and the collector
■ TCP/IP connection to a network from a static IP address
About the installation sequence for McAfee ePO 4.0 Event Collector
You can install the collector on a remote computer or on the Information Manager appliance.
The collector installation sequence is as follows:
■ Complete the preinstallation requirements. For these procedures, see the Symantec Event Collectors Integration Guide.
■ Close the Symantec Security Information Manager Client console.
■ Register the collector for all off-appliance collector installations. If you install the collector on the Information Manager appliance, the collector is registered on the appliance during the installation procedure. For this procedure, see the Symantec Event Collectors Integration Guide.
■ Install the Symantec Event Agent on the collector computer. You must install the agent for all remote installations. For this procedure, see the Symantec Event Collectors Integration Guide. Symantec Event Agent 4.5.0 build 12 or later is required.
■ Run LiveUpdate on earlier collectors. If you install a 4.3 collector on a computer that has an earlier collector on it, you must first run LiveUpdate on all components of the earlier version of the collector. You must update the earlier collector before you install the 4.3 collector. See “Running LiveUpdate for collectors” on page 22.
■ Install the collector component. You can install the collector on the Information Manager appliance or on a remote computer. For procedures on how to install the collector on a remote computer or on an appliance, see the Symantec Event Collectors Integration Guide.
■ See “Setting the SQL Server security mode to mixed authentication” on page 12.
■ Download and extract the required database driver. You must install the database driver on the collector computer for all remote installations. You must install the database driver for all Information Manager 4.5 appliance installations. If you use Information Manager 4.6, driver installation is not required; the database driver is preinstalled on the Information Manager 4.6 appliance. See “Downloading database drivers” on page 13.
■ Create a read-only database user account. See “Creating read-only database users” on page 15.
■ Configure the sensor. See “Sensor properties for McAfee ePO 4.0 Event Collector” on page 21.
■ Configure an SSL connection for the Microsoft SQL Server 2005 JDBC driver 1.2. See “Configuring an SSL connection for the Microsoft SQL Server 2005 JDBC driver 1.2” on page 19.
■ Run LiveUpdate. See “Running LiveUpdate for collectors” on page 22.
For all procedures that are not covered in the quick reference, see the Symantec Event Collectors Integration Guide.
Setting the SQL Server security mode to mixed authentication
If you use a Microsoft SQL Server database, you must make sure that the database security mode is set to mixed authentication mode. The security mode is selected when SQL Server is installed. You can change the security mode at any time.
To set the SQL Server security mode to mixed authentication
1 From the Start menu, click Programs > Microsoft SQL Server > SQL Enterprise Manager.
With SQL Server 2000, you choose SQL Enterprise Manager. With SQL Server 2005, you choose Microsoft SQL Server Management Studio.
2 Click the appropriate server.
3 From the Tools menu, click SQL Server Configuration Properties, and then click Security.
4 Under Authentication, click SQL Server and Windows.
5 Click OK, and then click Close.
Downloading database drivers
Some database collector installations require that you download and install a database driver on the target computer. The target computer can be the Information Manager appliance or a separate computer.
See “Installing database drivers on a remote computer” on page 14.
See “Installing database drivers on an Information Manager appliance” on page 14.
Note: Two versions of the Microsoft SQL Server JDBC database driver are available: a Windows version, and a UNIX version. If you run the collector on a computer that runs Microsoft Windows, you must download the Microsoft Windows version. If you run the collector on a computer that runs Linux or Solaris, you must download the UNIX version.
To download a database driver to the target computer
1 If you are installing the collector on the Information Manager appliance, log in to the SSIM client computer.
If you are installing the collector on a separate computer, log in to that separate computer.
2 Create a directory to store the contents of the database driver archive file.
An example directory is as follows: DBdrivers
3 Download the required database driver into the directory that you created in step 2, as follows:
■ For the Microsoft SQL Server 2005 JDBC Driver 1.2, go to the following URL:
www.microsoft.com/downloads
The Microsoft SQL Server 2005 JDBC driver is compatible with both Microsoft SQL Server 2000 and Microsoft SQL Server 2005.
Installing database drivers on a remote computer
You must install database drivers for all remote installations.
Before you install a database driver, you must download the driver to a remote computer.
See “Downloading database drivers” on page 13.
To install a database driver on a remote computer
1 On the remote computer, navigate to the directory to which you downloadedthe database driver.
See “Downloading database drivers” on page 13.
2 Use the appropriate tool for the archive format to unpack the archive.
For a .zip file, use WinZIP or a similar utility.
For a UNIX tar.gz file, at the command prompt, type the following command:
tar zxvf file_name.tar.gz
Installing database drivers on an Information Manager appliance
If you install a collector that reads from a database on an Information Manager appliance, you may need to install a database driver on the Information Manager appliance.
To install a database driver on an Information Manager appliance
1 On the Information Manager appliance, log in as root.
2 To create a directory to store the contents of the JDBC driver archive file, at a command prompt, type the following command:
mkdir dbdrivers
3 To transfer the tar.gz file to the Information Manager appliance, use an SFTP client such as WinSCP to place the tar.gz in the directory that you created in step 2.
Before you install a database driver on an Information Manager appliance, you must download the driver to the SSIM Client computer.
See “Downloading database drivers” on page 13.
4 To extract the tar file, at the command prompt, type the following command:
tar -zxvf file_name.tar.gz
5 To change the owner of the driver files to the user sesuser and the group ses, at the command prompt, type the following command:
chown -R sesuser.ses /dbdrivers/*
Creating read-only database users
In order for the collector to query the point product, you must set up a read-only database user account with access to the point product's database. You can use an existing database account, or you can create an account specifically for the collector.
See “Creating a read-only database user account for Microsoft SQL Server 2000” on page 15.
See “Creating a read-only database user account for Microsoft SQL Server 2005” on page 16.
See “Creating a read-only database user account for Microsoft SQL Server 2000 Desktop Engine (MSDE)” on page 17.
Creating a read-only database user account for Microsoft SQL Server 2000
Collectors that use a database sensor require that you create a read-only database user account so that the collector can query for events.
See “Creating a read-only database user account for Microsoft SQL Server 2005” on page 16.
See “Creating a read-only database user account for Microsoft SQL Server 2000 Desktop Engine (MSDE)” on page 17.
To create a read-only database user account for Microsoft SQL Server 2000
1 In the SQL Server Enterprise Manager window, in the left pane, expand Console Root > Microsoft SQL Servers > SQL Server Group.
2 Click the appropriate server host name or click local, and then click (Windows NT) > Security.
3 Right-click Logins, and then click New Login.
4 In the SQL Server Login Properties - New Login dialog box, on the General tab, in the Name box, type the name of the read-only logon account.
5 Click SQL Server Authentication.
6 In the SQL Server Authentication Password box, type a password.
7 In the Database list, select the database name.
8 In the Language list, click <Default>.
9 On the Database Access tab, select the database name.
10 Under Permit in Database Role, click db_datareader.
This role gives the user read-only data access to the database.
The role of public is always selected and cannot be cleared.
11 Click OK.
12 Confirm the password for the user that you created, and then click OK.
13 Close the SQL Server Enterprise Manager window.
Creating a read-only database user account for Microsoft SQL Server 2005
Collectors that use a database sensor require that you create a read-only database user account so that the collector can query for events.
See “Creating a read-only database user account for Microsoft SQL Server 2000” on page 15.
See “Creating a read-only database user account for Microsoft SQL Server 2000 Desktop Engine (MSDE)” on page 17.
To create a read-only database user account for Microsoft SQL Server 2005
1 Start Microsoft SQL Management Studio.
2 In the Connect to Server window, in the Server name box, select the SQL Server 2005 computer on which the database is installed.
3 In the Authentication box, click SQL Server Authentication.
4 In the Login box, type a user name that has permissions to create new accounts.
5 In the Password box, type the password for the user name.
6 Click Connect.
7 On the SQL Server Management Studio window, in the Object Explorer pane, right-click Security, and then click New > Login.
8 In the Login-New dialog box, perform the following tasks in the order in which they appear:
■ In the Select a page pane, click General.
■ In the right pane, in the Login name box, type a logon name for the new user.
■ Check SQL Server authentication, type a password for the user, and then confirm the password.
■ Uncheck User must change password at next login.
■ In the Default database box, select the database to be read by this user.
9 In the Login-New dialog box, in the Select a page pane, click Server Roles.
10 In the right pane, click public.
11 In the Login-New dialog box, in the Select a page pane, click User Mapping.
12 In the right pane, under Users mapped to this login, make sure that you have selected the database to read.
13 Under Database role membership for the database, click db_datareader.
This role gives the user read-only data access to the database. The role of public is always selected and cannot be cleared.
14 Click OK.
Creating a read-only database user account for Microsoft SQL Server 2000 Desktop Engine (MSDE)
Collectors that use a database sensor require that you create a read-only database user account so that the collector can query for events.
To create a read-only database user account for Microsoft SQL Server 2000 Desktop Engine (MSDE)
1 From the Start menu, select Programs > Accessories > Command Prompt.
2 Navigate to the directory that contains the OSQL.EXE file.
The default directory location for this file is C:\Program Files\Microsoft SQL Server\80\Tools\Binn.
3 To log in as the system administrator user, type the following command:
osql -U sa
4 At the Password prompt, type the system administrator password.
5 At the command prompt, type the following commands:
EXEC sp_addlogin 'account_name', 'password', 'database_name'
USE database_name
EXEC sp_grantdbaccess 'account_name'
EXEC sp_addrolemember 'db_datareader', 'account_name'
go
6 At the prompt, type the following command:
quit
The following is an example list of the commands that must be executed. The confirmation message shows that a new logon was created, granted access to the database, and assigned to the db_datareader role:
D:\>osql -U sa
Password:
1> EXEC sp_addlogin 'readonly', 'x$256wr', 'BVInternetSecuritySQL'
2> USE BVInternetSecuritySQL
3> EXEC sp_grantdbaccess 'readonly'
4> EXEC sp_addrolemember 'db_datareader', 'readonly'
5> go
New login created.
Granted database access to 'readonly'.
'readonly' added to role 'db_datareader'.
1> quit
Configuring the SQL Server instance to listen on a non-dynamic port
You must configure the SQL Server instance to listen to network requests. The SQL Server must listen on a non-dynamic port.
To configure the SQL Server instance to listen to network requests on a non-dynamic port
1 Start SQL Server Configuration Manager.
2 In the left pane, expand SQL Server 2005 Network Configuration.
3 Right-click Protocols for instance_name.
4 Make sure that the following fields are set as follows:
■ In TCP/IP Properties, on the IP Address tab, make sure that Active and Enabled are both set to Yes.
■ Make sure that TCP Dynamic Ports is blank for the IP address that the collector connects to.
■ Make sure that TCP Port contains the value 1433 for the IP Address that the collector connects to.
Configuring an SSL connection for the Microsoft SQL Server 2005 JDBC driver 1.2
If you use a Microsoft SQL Server 2005 database with the Microsoft SQL Server 2005 JDBC driver 1.2, you can configure an SSL connection.
Note: Microsoft SQL Server 2005 JDBC driver 1.1 or earlier does not support SSL.
To configure an SSL connection, you must complete the following procedures:
■ Configure SSL for the SQL Server. See “To configure SSL for the SQL Server” on page 19.
■ Configure the sensor properties for an encrypted protocol. See “To configure the sensor properties for an encrypted protocol” on page 20.
To configure SSL for the SQL Server
1 Start SQL Server Configuration Manager.
2 Expand SQL Server Network Configuration, right-click the protocols for the server that you want, and then click Properties.
3 On the Certificate tab, select the certificate that you want to use to protect your connection.
Self-signed certificates are supported but not recommended because they do not provide adequate security.
4 On the Flags tab, view or specify the protocol encryption option.
The logon packet is always encrypted.
5 Set the ForceEncryption option to Yes.
ForceEncryption encrypts all client/server communication, and clients that cannot support encryption are denied access.
6 Restart the SQL Server.
To configure the sensor properties for an encrypted protocol
1 In the Information Manager console, in the left pane, click System.
2 Select the Product Configurations tab, and then expand the tree until you seethe collector name.
3 In the left pane, select the appropriate configuration.
4 In the right pane, on the sensor tab, under the list of sensors, click the sensor.
5 In the Database URL field, add the following property string at the end of the URL:
;encrypt=true
For example,
jdbc:sqlserver://192.168.19.40:1433;DatabaseName=SOPHOS3;encrypt=true
6 If you are using a self-signed certificate, add the following property string at the end of the URL:
;trustServerCertificate=true
For example,
jdbc:sqlserver://192.168.19.40:1433;DatabaseName=SOPHOS3;encrypt=true;trustServerCertificate=true
7 Click Save.
8 In the left pane, right-click the appropriate configuration, and then click Distribute.
9 When you are prompted to distribute the configuration, click Yes.
10 In the Configuration Viewer window, click Close.
Sensor properties for McAfee ePO 4.0 Event Collector
Table 1-1 Database sensor properties
Each entry below gives the sensor property, followed by its description.

JDBC Drivers Directory
■ If you install the collector on the Information Manager 4.6 appliance, the default directory is as follows:
/opt/Symantec/simserver/collectors/drivers/mssqljdbc_2005/enu
■ If you install the collector on a Windows computer, the default directory is as follows:
C:\Program Files\Microsoft SQL Server 2005 JDBC Driver\sqljdbc_1.2\enu

Database URL
The default database URL is as follows:
jdbc:microsoft:sqlserver://localhost:1433;DatabaseName=ePO_DB_name

User Name
Specify the read-only database user account name for the McAfee ePolicy Orchestrator 4.0 database.

Password
Specify the password for the database user account for the McAfee ePolicy Orchestrator 4.0 database.

Start Reading From
Specify from where to start reading the database upon restart of the collector as follows:
■ BEGINNING
Specifies that the database is read from the beginning. BEGINNING is the default position.
■ END
Specifies that the database is read from the end. Only events that are written to the database after the collector starts are read.

Execution Time
Specify the scheduled time to send events to the appliance, or leave this field blank if you want to collect events in real time.
Time is entered in military time. You can schedule the collector to send events on a specific day, every day at a specified time, every week, or every specified number of weeks.
The time that is specified in the Execution Time field must use the same time zone and system clock as the collector computer.
If the first batch has not finished before the second batch needs to start, the second batch is skipped.
Execution Time syntax is as follows:
<Every day/Every n days/Every week/Every n weeks> On <Sun/Mon/Tue/Wed/Thu/Fri/Sat> at <n:n:n>,<n:n:n>,<Sun/Mon/Tue/Wed/Thu/Fri/Sat> at <n:n:n>,<n:n:n>
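A validator for the Execution Time syntax above, added here as an example (it is not part of the guide or of the collector). It assumes the literal words "Every", "On" and "at" as printed, that a comma separates both the times within a day and the day groups, and that each time is a military-time hh:mm:ss value.

```python
import re
from datetime import time

DAYS = ("Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat")
# <Every day/Every n days/Every week/Every n weeks> as printed in Table 1-1
INTERVAL = re.compile(r"^Every (?:(day)|(\d+) days|(week)|(\d+) weeks)$")
CLOCK = re.compile(r"^(\d{1,2}):(\d{1,2}):(\d{1,2})$")  # military time n:n:n


def parse_execution_time(text):
    """Return None for a blank field (real-time collection), otherwise
    {"unit": "day"|"week", "every": n, "schedule": {day: [time, ...]}}.
    Raises ValueError for input that does not follow the documented syntax,
    so a bad schedule is caught before the collector silently skips batches."""
    text = text.strip()
    if not text:
        return None
    head, sep, tail = text.partition(" On ")        # separator is an assumption
    if not sep:
        raise ValueError("expected '<interval> On <day> at <time>'")
    m = INTERVAL.match(head)
    if not m:
        raise ValueError(f"bad interval: {head!r}")
    day1, ndays, _week, nweeks = m.groups()
    unit = "day" if (day1 or ndays) else "week"
    every = int(ndays or nweeks or 1)
    if every < 1:
        raise ValueError("interval count must be at least 1")
    schedule, current = {}, None
    for token in (t.strip() for t in tail.split(",")):
        if " at " in token:                          # start of a new day group
            day, _, token = token.partition(" at ")
            if day not in DAYS:
                raise ValueError(f"unknown day: {day!r}")
            current = schedule.setdefault(day, [])
        if current is None:
            raise ValueError("time given before any day")
        c = CLOCK.match(token)
        if not c:
            raise ValueError(f"bad time: {token!r}")
        h, mi, s = map(int, c.groups())
        current.append(time(h, mi, s))               # time() rejects 24:00:00 etc.
    return {"unit": unit, "every": every, "schedule": schedule}
```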
Running LiveUpdate for collectors
You can run LiveUpdate to receive collector updates such as support for new events and query updates.
If you use a collector that is preinstalled on Information Manager 4.5, you must complete the following procedures in the order presented:
■ Use the Administrator Web page to run LiveUpdate.
■ Use the Administrator Web page to verify that LiveUpdate ran successfully.
See “To run LiveUpdate from the Administrator Web page” on page 23.
If you install a collector on Information Manager 4.5, you must complete the following procedures in the order presented:
■ Run LiveUpdate for collectors added to the Information Manager 4.5 appliance.
See “To run LiveUpdate for collectors added to the Information Manager 4.5 appliance” on page 23.
■ Verify that LiveUpdate ran successfully on Information Manager 4.5.
See “To verify that LiveUpdate ran successfully on Information Manager 4.5” on page 24.
If you install a collector on Information Manager 4.6, or if you use a collector that is preinstalled on Information Manager 4.6, you must complete the following procedures in the order presented:
■ Use the Administrator Web page to run LiveUpdate.
■ Use the Administrator Web page to verify that LiveUpdate ran successfully.
See “To run LiveUpdate from the Administrator Web page” on page 23.
If you installed the collector on a separate computer, you must complete the following tasks in the order presented:
■ Run LiveUpdate for a collector installed on a separate computer.
See “To run LiveUpdate for a collector installed on a separate computer” on page 24.
■ Verify that LiveUpdate ran successfully for a collector installed on a separate computer.
See “To verify that LiveUpdate ran successfully for a collector installed on a separate computer” on page 25.
For information about running LiveUpdate on internal LiveUpdate servers, see the Symantec LiveUpdate Administrator User's Guide.
To run LiveUpdate from the Administrator Web page
1 From a Web browser, navigate to the Information Manager Administrator Web page, and then log in with administrator credentials.
2 From the list on the left, click LiveUpdate.
3 In the list of products, to select the items to update, check Update in the corresponding check box.
At the bottom of the page, you can also click Check All.
4 At the bottom of the page, click Update.
If LiveUpdate runs successfully, the status column in the Summary page displays Success.
5 To troubleshoot a problem with LiveUpdate, under Session Log, click View Log File.
To run LiveUpdate for collectors added to the Information Manager 4.5 appliance
1 Connect to the Information Manager 4.5 appliance, and log in as root.
2 Navigate to the collectors directory.
The default directory is /opt/Symantec/sesa/Agent/collectors/epov4
3 At the command prompt, type the following command:
sh ./runliveupdate.sh
4 To stop the Symantec Event Agent, type the following command:
service sesagentd stop
5 To change the ownership of the updated collector files, type the following command:
chown -R sesuser.ses *
6 Navigate to the Symantec Event Agent directory.
The default directory is /opt/Symantec/sesa/Agent/
7 To restart the Symantec Event Agent, type the following command:
service sesagentd start
To verify that LiveUpdate ran successfully on Information Manager 4.5
1 Connect to the Information Manager 4.5 appliance, and log in as root.
2 Navigate to the collectors subdirectory of the Symantec Event Agent directory.
The default directory is as follows:
/opt/Symantec/sesa/Agent/collectors/epov4
3 Verify that a file named LiveUpdate-Collector.txt exists.
This text file shows the date of the last LiveUpdate and contains information about any defects that were addressed and any enhancements that were added.
4 Navigate to the LiveUpdate directory.
The default directory is as follows:
/opt/Symantec/LiveUpdate
5 To view the last 100 lines of the liveupdt.log file, type the following command:
tail -100 liveupdt.log | more
The first part of the log is in text format; the second part of the log repeats the information in XML format.
If LiveUpdate was unsuccessful, a status message that notes the failure appears at the end of the log file.
For example, Status = Failed (return code - 2001).
To run LiveUpdate for a collector installed on a separate computer
1 On the collector computer, navigate to the collector directory as follows:
■ On Windows, the default directory is as follows:
C:\Program Files\Symantec\Event Agent\collectors\epov4
■ On UNIX, the default directory is as follows:
/opt/Symantec/sesa/Agent/collectors/epov4
2 At a command prompt, do one of the following tasks:
■ On Windows, type the following command:
runliveupdate.bat
■ On UNIX, as the root user, type the following command:
runliveupdate.sh
To verify that LiveUpdate ran successfully for a collector installed on a separate computer
1 On the collector computer, navigate to the collector directory as follows:
■ On Windows, the default directory is as follows:
C:\Program Files\Symantec\sesa\Event Agent\collectors\epov4
■ On UNIX, the default directory is as follows:
/opt/Symantec/sesa/Agent/collectors/epov4
2 Verify that a file named LiveUpdate-Collector.txt exists.
This text file shows the date of the last LiveUpdate and contains information about any defects that were addressed and any enhancements that were added.
3 Navigate to the LiveUpdate directory as follows:
■ On Windows, the default LiveUpdate directory is as follows:
C:\Documents and Settings\All Users\Application Data\Symantec\Java LiveUpdate
■ On UNIX, the default LiveUpdate directory is as follows:
/opt/Symantec/LiveUpdate
4 To view the liveupdt.log file, do one of the following tasks:
■ On Windows, use a text editor such as Notepad to view the liveupdt.log file.
■ On UNIX, to view the last 100 lines of the liveupdt.log file, type the following command:
tail -100 liveupdt.log | more
The first part of the log is in text format; the second part of the log repeats the information in XML format.
If LiveUpdate was unsuccessful, a status message that notes the failure appears at the end of the log file.
For example, Status = Failed (return code - 2001).
Chapter 2
Implementation notes
This chapter includes the following topics:
■ Product ID for McAfee ePO 4.0 Event Collector
■ Event examples
■ Schema packages
■ Event mapping for Information Manager
Product ID for McAfee ePO 4.0 Event Collector
The product ID of the collector is 3318.
Event examples
An example of a virus event is as follows:
AutoID|150|EventDateTime|1201597844000|ManagerName|TSHOPYRINA|
ProductName|VirusScan Enterprise|ProductVersion|8.5|
LoggedDevice|TSEPOCLIENT1|NumLoggedDeviceIP|-1442968138|
LoggedDeviceIPV6|[B@d0af9b|LoggedDeviceMAC|null|DATVersion|
5216.0000|TaskName|test|EventID|1024|ThreatName|
EICAR test file|ThreatType|test|ThreatCategory|av.detect|
ThreatSeverity|2|EventDesc|Infected file found.|ActionTaken|
1024|ActionName|none|ResolutionID|true|TargetHostName|
TSEPOCLIENT1|NumTargetIP|-1442968138|TargetIPV6|[B@b8f8eb|
TargetMAC|null|TargetPort|null|TargetUserName|Administrator|
TargetProcessName|null|TargetFileName|c:\Virus\
Test_virus_files\eicar_com.zip\EICAR.COM|SourceHostName|null|
NumSourceIP|null|SourceIPV6|null|SourceMAC|null|
SourceProcessName|null|SourceURL|null
An example of an HIP event is as follows:
AutoID|696|EventDateTime|1202732366000|Severity|4|TVDEventID|
18002|ThreatName|Notepad|ThreatType|create|SignatureID|null|
SignatureName|null|ThreatActionTaken|hip.app.block.blocked|
EventDescription|Application blocked|CVECode|null|ProductName|
McAfee Host Intrusion Prevention|ProductVersion|7.0.0|
LoggedDevice|TSEPOCLIENT2|LoggedDeviceIP|-1442968137|
LoggedDeviceMAC|000C298BE2BD|SourceHost|null|SourceIP|null|
SourceMAC|null|SourceProcessName|NOTEPAD.EXE|SourceURL|
file:///C:\WINDOWS\SYSTEM32\NOTEPAD.EXE|DestinationHost|
TSEPOCLIENT2|DestinationIP|-1442968137|DestinationMAC|
000C298BE2BD|UserName|null|SigRuleDirective|null|ManagerName|
TSHOPYRINA|type|HIPS_DETECTION
An example of an audit event is as follows:
AutoID|525|UserName|admin|Priority|3|CmdName|Login attempt|
Message|Successful logon for user "admin" from IP Address:
127.0.0.1|StartTime|1202375745377|EndTime|1202375745377|type|
AuditEvents
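The records above are flat key|value|key|value strings. The following parser is an added example, not code from the guide or from the collector; the shortened sample record, the derived field names (logging_device_ip, logging_device_ipv6, event_date, severity_id) and the network byte order assumed for the numeric IP are all assumptions made for the example.

```python
import re
from datetime import datetime, timezone
from ipaddress import IPv4Address

# Constructed sample in the same pipe-delimited layout as the virus event
# above (shortened; not a verbatim copy of the record on the page).
SAMPLE_EVENT = (
    "AutoID|150|EventDateTime|1201597844000|ManagerName|TSHOPYRINA|"
    "ProductName|VirusScan Enterprise|LoggedDevice|TSEPOCLIENT1|"
    "NumLoggedDeviceIP|-1442968138|LoggedDeviceIPV6|[B@d0af9b|"
    "ThreatName|EICAR test file|ThreatSeverity|2|"
    "TargetFileName|c:\\Virus\\Test_virus_files\\eicar_com.zip\\EICAR.COM|"
    "SourceURL|null"
)
# "[B@<hex>" is how Java prints an unconverted byte[]; the IPv6 fields in the
# samples carry that object reference instead of an address, so treat as missing.
JAVA_BYTE_ARRAY_REF = re.compile(r"^\[B@[0-9a-f]+$")


def parse_epo_event(record):
    """Split key|value|key|value... into a dict; the literal 'null' becomes None.
    Assumes values contain no '|' (none of the page's samples do)."""
    fields = record.split("|")
    if len(fields) % 2:
        raise ValueError("odd number of pipe-delimited fields")
    return {k: (None if v == "null" else v)
            for k, v in zip(fields[::2], fields[1::2])}


def numeric_ip_to_dotted(value):
    """ePO stores IPv4 addresses as signed 32-bit integers (-1442968138 above).
    Reinterpret as unsigned; network byte order is an assumption."""
    return str(IPv4Address(int(value) & 0xFFFFFFFF))


def normalize(event):
    """Derive Information Manager style fields (assumed names) from a parsed record."""
    out = dict(event)
    if out.get("NumLoggedDeviceIP") is not None:
        out["logging_device_ip"] = numeric_ip_to_dotted(out["NumLoggedDeviceIP"])
    v6 = out.get("LoggedDeviceIPV6")
    out["logging_device_ipv6"] = (
        None if (v6 is None or JAVA_BYTE_ARRAY_REF.match(v6)) else v6)
    if out.get("EventDateTime") is not None:          # epoch milliseconds
        ts = int(out["EventDateTime"]) / 1000
        out["event_date"] = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
    if out.get("ThreatSeverity") is not None:
        out["severity_id"] = int(out["ThreatSeverity"])
    return out
```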
Schema packages
Table 2-1 shows the schema packages that are used for event collection.
Table 2-1 Schema packages
Each entry gives the Information Manager event class, followed by its comment.
symc_base_class: This schema is used to map service start and stop events.
symc_data_virus_incident_class: This schema is used to map virus events from VirusScan Enterprise and AntiSpyware.
symc_data_scan_class: This schema is used to map scan events.
symc_data_incident_class: This schema is used to map malware events.
symc_host_intrusion_class: This schema is used to populate blocked events from all products and to populate HIPS Blocked events.
symc_network_intrusion_class: This schema is used to populate network events from McAfee HIPS.
symc_firewall_network_class: This schema is used to populate HIPS firewall and VirusScan firewall events.
Event mapping for Information Manager
Table 2-2 shows event mapping.
Table 2-2 Event mapping
Each entry gives the Information Manager field name, the McAfee ePO field name in parentheses where the table provides one, and the comment.

Category ID (McAfee ePO field name: N/A)
Possible values are as follows:
■ 30007601 - Application
■ 30007606 - Security

Data Status (McAfee ePO field name: N/A)
The status of the data object as a whole. Possible values are as follows:
■ 117238 - Quarantined
■ 117230 - Corrected
■ 117237 - Deleted
■ 117234 - Blocked
■ 117239 - Unknown

Data Type (McAfee ePO field name: N/A)
The type of the data object as a whole. Possible values are as follows:
■ 117200 - Memory
■ 117201 - Boot Record
■ 117202 - File
■ 117208 - Groupware Email
■ 117207 - SMTP mail

Destination Host Name
The host name of the destination computer

Description (McAfee ePO field name: N/A)
Description of the event

Destination Host Name (McAfee ePO field name: N/A)
The host name of the destination computer

Direction
Contains the direction of network intrusion. Possible values are as follows:
■ 517100 - Inbound
■ 517101 - Outbound

Event Date (McAfee ePO field name: N/A)
Date of the event

Event Type ID (McAfee ePO field name: N/A)
Possible values are as follows:
■ 112051 - Data Scan Start
■ 112052 - Data Scan End
■ 112055 - Data Scan Cancel
■ 112056 - Unscannable Violation
■ 122000 - Virus
■ 122001 - Malware Content
■ 132000 - Generic Content
■ 132001 - Spam Content
■ 1952000 - Data Scan Duration Violation
■ 92054 - Virus Definition Update Failed

Intrusion Action
Filled only for intrusion events. Possible values are as follows:
■ 1037202 - Unknown
■ 1037203 - Create
■ 1037204 - Access
■ 1037205 - Modify
■ 1037215 - Execute
■ 1037218 - Misuse

Intrusion Data
Additional information about the intrusion. Filled only for intrusion events.

Intrusion Intent
The intrusion intent. Filled only for intrusion events. Possible values are as follows:
■ 1027100 - None
■ 1027103 - Access

Intrusion Outcome
The outcome of the intrusion. Filled only for intrusion detection events. Possible values are as follows:
■ 1027200 - None
■ 1027205 - Prevented

Intrusion Source Process
The name of the intrusion process

Intrusion Source User Name
The intrusion user name

Intrusion Target Type
Filled only for intrusion events. Possible values are as follows:
■ 1037105 - File
■ 1037110 - Port
■ 1037120 - Registry Data

Intrusion Vendor Name
The name of the product

IP Destination Address
The IP address of the destination computer

IP Destination Port
The destination port

IP Source Address (McAfee ePO field name: N/A)
The IP address of the source computer

IP Source Port
The source port

(Information Manager field name missing from the extracted table)
Possible values are as follows:
■ 1237008
■ 1237005
■ 1237003
■ 1237006
■ 1237000

Logging Device IP
IP address of the device that detected the activity

logging_device_ipv6 (McAfee ePO field name: LoggedDeviceIPV6)
IPV6 address of the device that detected the activity

logging_device_mac (McAfee ePO field name: LoggedDeviceMAC)
MAC address of the device that detected the activity

Logging Device Name (McAfee ePO field name: LoggedDevice)
Host name of the device that detected the activity

Logging Device Numeric IP (McAfee ePO field name: LoggedDeviceIP)
IP address of the device that detected the activity

MAC Destination Address
The MAC address of the destination computer

MAC Source Address
The MAC address of the source computer

Network Protocol ID (McAfee ePO field name: N/A)
Type of network protocol. Possible values are as follows:
■ 167102 - TCP
■ 167103 - UDP

Numeric IP Destination Address
IP address of the destination computer in numeric representation

Part Name (McAfee ePO field name: N/A)
The name of the part of the data object where the incident was detected

Part Status (McAfee ePO field name: N/A)
The status of the part of the data object where the incident was detected. Contains the value “Unknown”

Persistence (McAfee ePO field name: N/A)
The permanence of the data object. Possible values are as follows:
■ 117280 - Transient for incidents in mail
■ 117281 - Fixed for incidents in files

Proxy Machine (McAfee ePO field name: ManagerName)
Host name of the device that recorded the event

Rule (McAfee ePO field name: N/A)
Firewall rule that is associated with the event that is logged

Rule Description (McAfee ePO field name: N/A)
The name of the rule that was triggered

Rule Reason ID (McAfee ePO field name: N/A)
Populated only for scan violation events. Possible values are as follows:
■ 117303 - Cannot scan encrypted data
■ 117301 - Insufficient permissions to scan
■ 117300 - Excluded from scan

Scan GUID
An application-generated ID number that links all events that are associated with a scan of multiple objects

Scan Name
The name of the scan

Scan Type (McAfee ePO field name: N/A)
The type of scan. Possible values are as follows:
■ 117050 - Auto-Protect
■ 117051 - Manual

Severity ID (McAfee ePO field name: N/A)
Severity of the event

Short Descriptive Name (McAfee ePO field name: N/A)
The name of the vulnerability. Filled only for vulnerability events

Source Host Name (McAfee ePO field name: N/A)
The host name of the source computer

Source Service Name (McAfee ePO field name: N/A)
The name of the service

Target Resource (McAfee ePO field name: N/A)
The target of the threat or the intrusion. For example, this field can contain the name of the infected file for virus incidents or the name of the computer for intrusion events

User Name (McAfee ePO field name: N/A)
The user name

Vendor Device ID (McAfee ePO field name: N/A)
Filled with the value “38”

Vendor Severity (McAfee ePO field name: N/A)
The vendor-specific or product-specific severity code

Vendor Signature (McAfee ePO field name: N/A)
The point product vendor’s unique event reference. Can contain unique Event IDs for non-viral events or the name of the virus for virus incidents

Virus Definitions (McAfee ePO field name: N/A)
The version of the virus definition files that were used by the scanning engine at the time of the detection. For example, “4.0.4418”

Virus Type (McAfee ePO field name: N/A)
Type of virus
Chapter 3
Event filtering and aggregation
This chapter includes the following topics:
■ Event filtering and aggregation for McAfee ePO 4.0 Event Collector
Event filtering and aggregation for McAfee ePO 4.0 Event Collector
Table 3-1 shows the default filters that are included with the collector.
Table 3-1 Default filters
Each entry gives the filter name, its criteria, and the comment.

Filter name: Filtering odd events
Criteria: Removes events where "not_translated" equal to true
Comment: Filters out odd events. Filter is enabled by default.

Filter name: Filter out HIPS events
Criteria: Removes events where "intrusion_vendor_name" equal to RegEx(.*Host Intrusion Prevention.*)
Comment: Filters out events from the Host Intrusion Prevention System. Filter is disabled by default.

Filter name: Filter out VirusScan events
Criteria: Removes events where "event_desc" equal to RegEx(VirusScan Enterprise .*)
Comment: Filters out events from VirusScan Enterprise System. Filter is disabled by default.

Filter name: Filter out "Audit: User logged out" events
Criteria: Removes events where "vendor_code" equal to User Logout
Comment: Filters out User Logout events. Filter is disabled by default.

Filter name: Filter out Audit: Login succeeded events
Criteria: Removes events where "vendor_code" equal to Login attempt: Succeeded
Comment: Filters out User Login successful events. Filter is disabled by default.
Filtering is not recommended for this collector because the purpose of antivirus events is to detect possible outbreaks on the network. However, if the main role of Information Manager is not to track and assess outbreaks, you can set up aggregation for quarantined events.
To aggregate quarantined events, select the Data Incident class and the Data Status ID field. You must set the value of the data_status_id field to 117230. (Table 2-2 lists 117230 under Data Status as Corrected and 117238 as Quarantined; check the value you configure against the Data Status codes in that table.)
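The criteria of Table 3-1 expressed in code, as an added example rather than the collector's own filtering engine: each filter drops an event whose named field matches its criterion, and only "Filtering odd events" is on by default. The sample events are constructed, and treating RegEx(...) as an anchored full-string match is an assumption about how Information Manager evaluates it.

```python
import re

DEFAULT_FILTERS = [
    # (filter name, enabled by default, field, criterion) from Table 3-1
    ("Filtering odd events", True, "not_translated", True),
    ("Filter out HIPS events", False, "intrusion_vendor_name",
     re.compile(r".*Host Intrusion Prevention.*")),
    ("Filter out VirusScan events", False, "event_desc",
     re.compile(r"VirusScan Enterprise .*")),
    ('Filter out "Audit: User logged out" events', False, "vendor_code",
     "User Logout"),
    ("Filter out Audit: Login succeeded events", False, "vendor_code",
     "Login attempt: Succeeded"),
]

SAMPLE_EVENTS = [  # constructed, already-normalized records (not from the page)
    {"not_translated": False, "intrusion_vendor_name": "McAfee Host Intrusion Prevention",
     "event_desc": "Application blocked", "vendor_code": "18002"},
    {"not_translated": False, "event_desc": "VirusScan Enterprise Infected file found.",
     "vendor_code": "1024"},
    {"not_translated": False, "vendor_code": "Login attempt: Succeeded"},
    {"not_translated": True},                     # event the collector could not map
]


def matches(criterion, value):
    """Literal criteria compare for equality; regex criteria need a full match.
    A missing field (None) never matches, so filters cannot drop on absence."""
    if isinstance(criterion, re.Pattern):
        return isinstance(value, str) and criterion.fullmatch(value) is not None
    return value == criterion


def apply_filters(events, filters=DEFAULT_FILTERS, enable=()):
    """Return (kept_events, dropped), where dropped maps an event's index to
    the name of the first active filter that removed it. `enable` names
    filters that are disabled by default and should be switched on."""
    active = [(n, f, c) for n, on, f, c in filters if on or n in enable]
    kept, dropped = [], {}
    for i, ev in enumerate(events):
        hit = next((n for n, f, c in active if matches(c, ev.get(f))), None)
        if hit:
            dropped[i] = hit
        else:
            kept.append(ev)
    return kept, dropped
```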