NETASQ Event Analyzer v1.0 Installation and Configuration
Contents
1. File Name: The default name for your logs.
Copyright NETASQ 2010
Set the parameters and click OK to validate.
5.2.2.2 Configuring the UTM migration log source
In the Log File acquisition screen:
(screenshot: Log Source: Flat File Log (enter local directory only) with the fields File Directory and File Name, and the option Log in Real Time with Syslog Protocol)
File Directory: The directory where the device logs are. Net Report will spy on this directory and treat the logs inside it.
Set the parameters and click OK to validate.
NOTE: For NETASQ UTM migration, only the listening directory is configurable.
5.2.2.3 Configuring the syslog log source
In the Log File acquisition screen, select the radio button Log in Real Time with Syslog Protocol.
(screenshot: Log Source: Flat File Log (enter local directory only), File Directory; Log in Real Time with Syslog Protocol, Syslog IP Address, Advanced)
Syslog IP Address: The IP address of the machine transmitting the Syslog messages.
Advanced: Click here to configure advanced Syslog settings. The Advanced Syslog Settings dialog box will appear and enables you to configure the Facility, Severity, Hostname and Process name for the
2. USER GUIDE: NETASQ EVENT ANALYZER V1.0 INSTALLATION AND CONFIGURATION MANUAL
Date: May 2010. Version: 1.0. Author: NETASQ. Reference: naengde nea install configuration v1.0.
Copyright NETASQ 2010. All rights reserved. Any reproduction, adaptation or translation of this current document without prior written permission is prohibited, except where expressly allowed by copyright laws. NETASQ applies a method of continual development and as such reserves the right to modify and improve any product described in the document without prior notice. Under no circumstances shall NETASQ be held liable for any loss of data or revenue, or any special damage or incident resulting from or indirectly caused by the use of the product and its associated documentation. The contents of this document relate to the developments of NETASQ's technology at the time of its writing. With the exception of the mandatory applicable laws, no guarantee shall be made in any form whatsoever, expressly or implied, including but not limited to implied warranties as to the merchantability or fitness for a particular purpose, as to the accuracy, reliability or the contents of the document. NETASQ reserves the right to revise this document, to remove sections or to remove this whole document at any moment without prior notice. To ensure the availability of products, which may vary according
3. File Name: Define the file type to archive. The use of this field depends on your configuration: to archive logs in native format, set the value to "log"; to archive logs in enriched format, set the value to "csv".
5.7.3.2 Security
(screenshot: Security: Verify Data Integrity; Encrypt Data)
Verify Data Integrity: By enabling this checkbox, NETASQ Event Analyzer will calculate a hash code for the archived log files. This hash code will be used to check the integrity of the archive during the archive retrieval process.
Encrypt Data: Enable this checkbox to permit NETASQ Event Analyzer to encrypt the archive using the security passphrase set in the Log Vault settings.
5.7.3.3 FTP archive file transfer settings
The FTP archive file transfer allows system administrators to copy archived log files either to another directory or to another server, e.g. to a storage area network (SAN).
To access the FTP archive file transfer settings: In the section Transfer Archive File of the screen Device Logs File Archive Settings, click on the button Settings. The following screen will appear:
(screenshot: Event Analyzer Configurator, Transfer Archive Fi
4. (screenshot: Security: Verify Data Integrity; Encrypt Data. Transfer Archive Files: After the files have been archived via the Log Vault you can move them to another location via local copy or FTP transfer. Archive File Transfer: disabled; Settings)
Define each part of the device log archive settings.
5.7.3.1 General
(screenshot: General Configuration: Name: New Archive Configuration; Spied Directory; File Name)
Configuration name: Set the name that will enable identifying the device log file archive. This name will appear in the column Device of the table listed in Device logs file archive settings.
Spied Directory: This is the directory where the component Log Vault will retrieve log files to archive.
NOTE: This parameter depends on the log treatment parameter. For syslog, you have to use the environment variable NETREPORT_STORAGE. For flat file, set the directory configured in the Log Source settings for this device.
5. From: an IP address or mask. To/Mask: an IP address or mask.
Name: Enter a name for the range of addresses in the Name column. This name will allow you to distinguish between two zones of the same type but with different attributes (engineering department, sales department, and so on) or two zones that are located in different places (Paris, London, and so on).
Internal: addresses that are part of your network.
External: addresses that are outside your network.
Broadcast: The broadcast address is the address to which network broadcasts are sent. It is the .255 (255 being the value of an 8-bit binary number of all 1s; given a subnet it would be a smaller number, depending on how many bits were given to it) of the network range. Using the /28 above, and using the same method to determine that our address range is 160 to 175, we know that our broadcast address is 175, because 175 is the LAST address in our range.
DMZ: addresses that are part of your demilitarized zone.
Add: inserts a new row in the table via the Network Change dialog box. Change: modifies the row you selected via the Network Change dialog box. Remove: removes the row from the table. Move Up: moves the row up a row. Move Down: moves the row down a row.
Enable Global Reverse DNS: selecting this option may affect the NETASQ Event Analyzer Engine's performance and cause a network traffic overload.
5.4 DATABASE CONFIGUR
6. This message gives you ingenious ideas on using the options on your product.
DEFINITION: Describes technical terms relating to NETASQ or networking. These terms will also be covered in the glossary.
1.2.4 Messages: Messages that appear in the application are indicated in double quotes. Example: "Delete this entry".
1.2.5 Examples: Example: This allows you to have an example of a procedure explained earlier.
1.2.6 Command lines: Command lines indicate a command line, for example an entry in the DOS command window.
1.2.7 Reminders: Reminders are indicated as follows: Reminder.
1.2.8 Access to features: Access paths to features are indicated as follows: Access the menu File > Firewall.
1.3 GETTING HELP
To obtain help regarding your product and the different applications in it: website www.netasq.com. Your secure access area allows you to access a wide range of documentation and other information: user manuals (NETASQ UNIFIED MANAGER, NETASQ REAL-TIME MONITOR and NETASQ EVENT REPORTER).
1.4 TECHNICAL ASSISTANCE CENTRE
NETASQ provides several means and tools for resolving technical problems on your firewall: a knowledge base; a certified distribution network (as such, you will be able to call on your distributor); documents (these can be accessed from your client or partner area; you will need a client account in order t
7. (screenshot: NETASQ Event Analyzer InstallShield Wizard, License Agreement: "Please read the following license agreement carefully", showing the end-user license agreement text (sections on copyright, transfer of the software to another single computer, and other restrictions), with the options "I accept the terms in the license agreement" and "I do not accept the terms in the license agreement", and the buttons Print, < Back, Next >, Cancel)
Select "I accept the terms in the license agreement" to continue. Click on Next >.
(screenshot: NETASQ Event Analyzer InstallShield Wizard, Destination Folder: Click Next to install to this folder, or click C
8. subfeatures require 359MB on your hard drive. Install to: C:\Program Files\NETASQ Event Analyzer; Change. Help, Space, < Back, Next >, Cancel.)
In a distributed architecture you can choose to install either Filter Engine or Web Portal, according to your plans. Click on Next >. The Ready to Install the Program message appears.
(screenshot: NETASQ Event Analyzer InstallShield Wizard, Ready to Install the Program: The wizard is ready to begin installation. Click Install to begin the installation. If you want to review or change any of your installation settings, click Back. Click Cancel to exit the wizard.)
Click on Install to launch the installation, or < Back to modify an earlier option. The following screen appears once all the programs have been installed:
(screenshot: NETASQ Event Analyzer InstallShield Wizard, InstallShield Wizard Completed: The InstallShield Wizard has successfully installed NETASQ Event Analyzer. Click Finish to exit the wizard. NETASQ Event Analyzer setup will now launch the Event Analyzer Configuration Tool. If you are installing NETASQ Event Analyzer for the first time, it is recommended that you run the Event Analyzer Configuration Tool at least once.)
9. for legal and regulatory purposes. (buttons: Previous, Finish, Help)
NOTE: The list of available checkboxes in the section Log Treatment depends on the log collection type (flat file or syslog).
Click on the related checkbox of the predefined scheduled task to apply it to the selected device.
Generate Daily and Monthly Mobility dashboard: Select this check box to schedule a daily task to automatically generate the Mobility report book.
Generate Daily and Monthly Vulnerabilities dashboard: Select this check box to schedule a daily task to automatically generate the Vulnerabilities report book.
Generate Daily and Monthly Content Filtering dashboard: Select this check box to schedule a daily task to automatically generate the Content Filtering report book.
Generate Daily and Monthly Intrusion Prevention System dashboard: Select this check box to schedule a daily task to automatically generate the Intrusion Prevention System report book.
Generate Daily and Monthly Proxy dashboard: Select this check box to schedule a daily task to automatically generate the Proxy report book.
Generate Daily and Monthly Firewall dashboard: Select this check box to schedule a daily task to automatically generate the Firewall report book.
Archive logs in Enriched CSV Format: Select this
(Aggregate Spam Information is the next checkbox in the list.)
10. 5.4.2 Database time zone settings
The database time zone parameters indicate the timestamping format used for storing log information. Regardless of the time zone that has been defined for the devices, NETASQ Event Analyzer will convert their timestamps into the format defined for the storage. The database time zone parameter may be set either to UTC (Coordinated Universal Time) or to the local time of the database (GMT).
To access the time zone configuration:
(screenshot: Database Time Zone Settings: Use UTC offset (Coordinated Universal Time); Time Zone: (GMT+01:00) Brussels, Copenhagen, Madrid, Paris; Adjust for Daylight Saving Time (DST))
NOTE: The database time zone settings indicate the time format that will be used in the generated reports and the log analysis.
Use UTC offset (Coordinated Universal Time): To use the UTC time zone in the reports and the log analysis, select the checkbox Use UTC offset (Coordinated Universal Time). Regardless of the time zone parameters of the devices, all generated events will be stored and displayed with a UTC timestamp.
Time Zone: To use a specific time zone in the reports and the log analysis, leave the checkbox Use UTC offset (Coordinated Universal Time) unselected and choose a time zone in the drop-down list Time Zone. Regardless of the time zone parameters of the devices, all generated events will be stored and displayed with the selected time zone.
Adjust for Dayl
11. checkbox to schedule a daily task to automatically create enriched log files. Enriched files are log files with the same events as the logs generated from a device, but where NETASQ Event Analyzer has consolidated certain dedicated information (e.g. internal/external traffic, network or named network). This feature is useful for rebuilding a report with old logs but with the same environment variables. For instance, when you apply old logs, the network name might have changed between the date of the old logs and the current date; using the enriched CSV format, you retain the environment and obtain the same report as the one that was generated.
Aggregate Spam Information: Select this check box to automatically aggregate sender and recipient mailboxes.
Archive logs in Native format for legal and regulatory purposes: Select this checkbox to schedule a daily task to automatically create log files from events sent through syslog. This entry appears only for syslog-configured devices. The created log files may then be used for long-term storage and legal compliance purposes.
5.2.5 Definition of domain names
Content filtering reports require the definition of domain names. NETASQ Event Analyzer will use them to determine incoming and outgoing e-mail traffic.
To access domain name definition: In the Log Source Configuration screen, click on the button Next.
12. for the purpose of maintaining a fully operational database. NETASQ Event Analyzer performs treatments on 3 kinds of data:
Detailed data, concerning the information that has just been received. Such data may be used for log analysis and should be aggregated before building the reports.
Daily aggregated data are calculated from detailed data during the nightly aggregation process. During this process, the detailed information of each specific event is consolidated hour by hour. The daily data are used in building daily reports.
Monthly aggregated data are calculated from daily data during the nightly aggregation process. During this process, the daily information of each specific event is consolidated day by day. The monthly data are used in building monthly reports.
(screenshot: Purge Settings: Detailed Data: Delete all data after treatment; Keep last n days of data. Aggregated Data: Keep last n days; Keep last 12 months of data.)
Note the settings configured for the task you selected under Scheduled Tasks.
Detailed Data: Define the number of days detailed data should be kept inside the database.
Delete all data after treatment: purges the detailed data from the detailed data table once they have been aggregated.
Keep last n days: selects the number of days of detailed data you want to keep in your database. The data recorded before the period
13. of days you selected will be purged.
NOTE: The number of days begins from the date of the last data, not necessarily from the current day (i.e. today).
Aggregated Data:
Keep last n Days of Data: keeps the last n days of data in the database tables that contain data aggregated by day. The data before the last n days selected will be purged from these tables.
Keep last n Days of Data: keeps the last n days of data in the database tables that contain data aggregated by month. The data before the last n days selected will be purged from these tables. The number of days begins from the date of the last data, not necessarily from the current day (i.e. today).
5.6 MAIL SERVER
The mail server configuration allows system administrators to define the mail server NETASQ Event Analyzer will use to send e-mail.
To access the mail server configuration: Click the button Mail Server Settings.
(screenshot: Mail Server: Define the server you want NETASQ Event Analyzer to use to send alerts. Settings)
The following screen will appear:
(screenshot: Event Analyzer Configurator, Mail Server: Server (SMTP): yourmailserver; Test)
Mail Server (SMTP): Enter the name of the SMTP server for the company in the Mail Server (SMTP) field. NETASQ Event Analyzer will use it to send the reports automatically generated by the Report Sc
14. ATION
The database configuration allows system administrators to define the parameters for accessing the database where NETASQ Centralized Manager will store logs and related information.
To access the database configuration: Click on the button Database Settings.
(screenshot: Database: Configure the connection and time zone settings for the database you want NETASQ Event Analyzer to use to manage your log data. Settings)
The following screen will appear:
(screenshot: Event Analyzer Configurator, Database Settings. Database Connection Settings (please use only case-insensitive settings): Database Server: Local SQL Server; Server Name; Server Instance: SQLEXPRESS; Login: Windows User (NT AUTHORITY\Local System); Password. Database Update Settings: Configure the update settings for the NEA Database: Update Database; Delete existing data. Database Time Zone Settings: Use UTC offset (Coordinated Universal Time); Time Zone: (GMT+01:00) Brussels, Copenhagen, Madrid, Paris; Adjust for Daylight Saving Time (DST). Powered by Click and DECIDE. OK, Cancel, Help.)
IMPORTANT: NETASQ Event Analyzer does not support case-sensitive settings for Microsoft SQL Server 2005.
Architecture: Your database server can be either local or remote.
15. EQUIREMENTS
3 SYSTEM REQUIREMENTS
The NETASQ Event Analyzer solution requires a specific software environment. These requirements are described in the related section.
3.1 OPERATING SYSTEMS
The NETASQ Event Analyzer solution runs on the following operating systems: Windows 2003 SP2 or greater (32 bits); Windows 2008 SP2 or greater (32 and 64 bits).
3.2 SOFTWARE REQUIREMENTS
The NETASQ Event Analyzer setup program will first check if the required software programs are already installed on your computer and will suggest installing them if necessary. The system requirements are as follows: Microsoft Web Components 11 version 1.2; SQL Server Native Client 2005; SQL Server 2005 SP3 or greater (Express, Standard and Enterprise Editions); Microsoft .NET Framework 3.5 SP1.
NOTE: If you have installed Microsoft IIS (Internet Information Services) after installing the Microsoft .NET Framework 3.5 SP1, don't forget to enable the Microsoft .NET framework in IIS as below:
Select the program Start > All Programs > Accessories > Command Prompt.
Go to the directory where the Microsoft framework was installed (C:\Windows\Microsoft.NET\Framework\v2.0.50727 by default).
Enter the following command: aspnet_regiis -i
4 INSTALLATION
The process of installing the NETASQ Event Analyzer solution consists of performing the tasks described in the relate
16. 5.4.1 Database update settings
(screenshot: Database Update Settings: Configure the update settings for the netreport Database: Do not execute SQL scripts now, only generate. Manually execute your SQL scripts later; Delete existing data; Update database)
The first time you launch the Configurator, the NETASQ Event Analyzer database will be fully updated. The second time you launch the Configurator, it will not. You must select the Update Database check box under Database Update Settings in the Database Settings dialog box each time you set parameters via the Configurator in order for the NETASQ Event Analyzer database to be updated. You must run the Configurator update at least once for the Database Update Settings to be freely configurable. The first time you install NETASQ Event Analyzer, the Configurator will select the Update Database check box by default, since the database must be updated in order for NETASQ Event Analyzer to be used.
Do not execute SQL scripts now, only generate. Manually execute your SQL scripts later: Selecting the check box automatically generates the SQL scripts in a specific directory once the NETASQ Event Analyzer Configuration Wizard has completed. The SQL script generation feature is intended for Database Administrators (DBAs) wishing to modify certain parameters before creating the various objects in the database. This enables DBAs to view, mod
17. URATION
The following screen will appear:
(screenshot: Event Analyzer Configurator, Define your Company Domain: Internal Domain Name: netasq.com; Change, Remove, Add; Previous, Finish, Help)
Add the domain names used for determining incoming and outgoing e-mail traffic. Click on the button Finish to terminate the log source configuration.
5.3 NETWORK CONFIGURATION
The network configuration allows system administrators to name the network. It will provide easy network identification in the generated reports.
To access the network configuration: Click on the button Network Settings.
(screenshot: Network: Enter IP configuration data for internal and external IP addresses and subnet masks and define your network address ranges. Settings)
The following screen will appear:
(screenshot: Event Analyzer Configurator, Network Connection Settings: a table with the columns From, To/Mask and Name listing Internal, Local host (127.0.0.1), Broadcast and External ranges; the buttons Add, Change, Remove, Move Up, Move Down; the checkbox Enable Global Reverse DNS with the warning "selecting Enable Global Reverse DNS may cause a drop in the performance of the Filter Engine and an overload of your network traffic"; OK, Cancel, Help)
18. (buttons: Cancel, < Back, Finish) Click on Finish. A message will appear asking you to restart your computer.
(screenshot: You must restart your system for the configuration changes made to NETASQ Event Analyzer to take effect. Click Yes to restart now or No if you plan to restart later.)
Click on Yes if you wish to reboot now.
5 CONFIGURATION
The configuration wizard consists of the definition of NETASQ Event Analyzer parameters such as: source of the logs the solution has to treat; network naming, to facilitate identification of the traffic; database configuration (localization and credentials); task scheduling (report generation and other processes); e-mail configuration, to transfer the generated reports; log archiving process; license installation.
The configuration will normally start automatically once your computer has restarted after the installation process. You can launch it at any time to modify the NETASQ Event Analyzer configuration parameters.
To launch the configuration wizard: Start > Programs > NETASQ > NETASQ Event Analyzer > Configurator.
The following screen will appear:
(screenshot: NETASQ Event Analyzer Configurator. Log Source: Configure NETASQ Event Analyzer log treatment. Network: Enter IP configuration data for internal and
19. d sections.
4.1 DOWNLOADING THE INSTALLATION FILE
The installation file is available on the NETASQ web site (www.netasq.com) in your private area. Once you have downloaded the file, please perform the following steps:
Double-click on the downloaded file (for example NETASQEventAnalyzer_10_01_02_3750.exe).
Extract the contents to the following directory (default): C:\Program Files\NETASQ Event Analyzer\NEASetupFiles.
NOTE: The Setup.exe file will automatically run to start the installation.
4.2 RUNNING THE SETUP.EXE FILE
The setup file normally starts automatically. If it does not, you can manually launch the installation program by double-clicking on the file setup.exe in the directory where it has been extracted. The default directory of the setup file is C:\Program Files\NETASQ Event Analyzer\NEASetupFiles.
Once the setup file runs, the following screen will appear:
(screenshot: NETASQ Event Analyzer InstallShield Wizard, Welcome to the InstallShield Wizard for NETASQ Event Analyzer: The InstallShield(R) Wizard will install NETASQ Event Analyzer on your computer. To continue, click Next. WARNING: This program is protected by copyright law and international treaties. < Back, Next >, Cancel)
Click on Next >.
(screenshot: NETASQ Event Analyzer InstallShield Wizard, License Agreement)
20. e: Enable this checkbox to allow end users to delete log files from the archive directory. By default this check box is left unselected.
Encryption Passphrase: Enter the passphrase or password that will be used to encrypt the log files stored in the archive directory. This passphrase will be required for retrieving the archived log files.
WARNING / RECOMMENDATION: We recommend using a strong passphrase that will be much harder to
5.7.3 Device log file archive settings
The device log file archive settings allow a system administrator to configure the behavior of the archiving process for each device configured in the Log Source section.
(screenshot: Device Log File Archive Settings: To enable log archival you must go back to the previous screen, select the device and click Change. Select the following Log Treatment: Archive Logs in Native Format and/or Archive Logs in Enriched CSV Format. Add, Remove. Archive Settings Summary: Select a device to view a summary of the archive settings.)
To add a device log file in the Log Vault archive process: Click on the button Add. The following screen will appear:
(screenshot: Event Analyzer Configurator, Add Device Logs to Archive. General Configuration: Name: New Archive Configuration; Spied Directory: the NETREPORT_STORAGE environment variable; File Name)
21. e IP address you entered in the Syslog IP Address field. Set the parameters and click OK to validate.
5.2.3 Definition of time zone settings
Each log generated by a device is timestamped. This timestamp depends on the time zone parameters defined for the device. The time zone parameter may be set either to UTC (Coordinated Universal Time) or to the local time of the device (GMT). In order to correctly treat incoming logs, NETASQ Event Analyzer should be aware of the time zone parameter defined for the device.
To access the time zone configuration: In the Log File acquisition screen, use the parameters for Log Time Zone Settings.
(screenshot: Log Time Zone Settings: Use UTC offset (Coordinated Universal Time); Time Zone: (GMT+01:00) Brussels, Copenhagen, Madrid, Paris; Adjust for Daylight Saving Time (DST))
To configure your device's time zone, either select the UTC offset or choose the time zone of the device's physical location. For time zone settings, you can enable Adjust for Daylight Saving Time (DST). If you are configuring NETASQ Event Analyzer for several devices with different time zones, then you will need to select as many time zones as the number of devices.
Use UTC offset (Coordinated Universal Time): Select the check box Use UTC offset (Coordinated Universal Time) if your device is defined with this parameter for log timestam
22. e to the directory where you stored your license certificate.
(screenshot: file selection dialog "Select your licence certificate", in French in this example, showing the file license.cert in My Documents, with the buttons Open and Cancel)
The following screen will appear:
(screenshot: NETASQ Event Analyzer Configurator, License Certificate, in French in this example: the certificate was issued to NETASQ and authorizes the use of Event Analyzer Business Application Intelligence Enterprise Edition 10.1 (Web Portal concurrent users, Scheduled Tasks, project types), Network & Security Intelligence Professional 1.0.1 with 36000000 daily events and the device types NETASQ UTM and NETASQ Migration, each with a maintenance contract valid until 27/07/2010; the certificate expires on 27/07/2010; NETASQ Standard Edition, 50 devices. Cancel, Change, Help.)
NOTE: The information displayed depends on the license to which you have subscribed.
5.1.1 License description
Licence table: The table below indicates the
23. es stored in the Log Storage directory.
Archive Other Flat File Logs from Elsewhere Older than: Select the frequency (in days or weeks) at which you want the Log Vault component to archive your files. For example, if you select 2 Days (the default value), then all files that are older than 2 days will be archived in the Archive Directory you specified.
NOTE: This parameter is used for the log files stored in the directory you define in the section Device Log File Archive Settings.
Allow real time archival: Enable this checkbox to permit the Log Vault component to archive the log files once every minute.
Archive everyday at: Enable this checkbox to permit the Log Vault component to archive the log files every day at the time you select in the drop-down list.
Purge Archives Older than: Enable this checkbox to permit the Log Vault component to purge log files from the archive directory at the frequency set. NETASQ Event Analyzer will purge archived log files that are older than the value you defined in the related field.
NOTE: The right settings to purge archived log files depend on the number of treated events and the storage capacity.
WARNING / RECOMMENDATION: By configuring this action you may lose your archived log files. Besides setting the purge parameters, we strongly recommend configuring the feature Transfer Archive File.
Allow User Delet
24. external IP addresses and subnet masks and define your network address ranges. Settings.
Database: Configure the connection and time zone settings for the database you want NETASQ Event Analyzer to use to manage your log data. Settings.
Scheduled Tasks: Automate key database management tasks (aggregate and purge data) and schedule report generation. Settings.
Mail Server: Define the server you want Event Analyzer to use to send alerts. Settings.
Archive: Configure to store and archive device log files in a specific directory with specific formats (CSV, Flat File, Syslog) and encrypt files. Settings.
License Certificate: View or update your current NETASQ Event Analyzer License Certificate. Settings.
OK, Cancel, Apply, Help.)
5.1 LICENSE CERTIFICATE
Note: This step in the configuration should be performed just after the installation process and prior to any other configuration operation.
Click on the button License Certificate Settings. The first time you launch the application, the following screen will appear:
(screenshot: Event Analyzer Configurator, License Certificate: "No license has been installed. Please contact your supplier to receive the appropriate license." Cancel, Change, Help)
Click on Change and brows
25. to your geographical location, contact your nearest NETASQ distributor.
Products concerned: U30, U70, U120, U250, U450, U1100, U1500 and U6000; NG1000, NG5000; VS5, VS10; V50, V100, V200, V500, VU.
FOREWORD
Copyright: Copyright NETASQ 2010. All rights reserved. Under copyright law, any form of reproduction whatsoever of this user manual without NETASQ's prior written approval is prohibited. NETASQ rejects all liability arising from the use of the information contained in these works.
Liability: This manual has undergone several revisions to ensure that the information in it is as accurate as possible. The descriptions and procedures herein are correct where NETASQ firewalls are concerned. NETASQ rejects all liability directly or indirectly caused by errors or omissions in the manual, as well as for inconsistencies between the product and the manual.
Notice: WEEE Directive: All NETASQ products that are subject to the WEEE directive will be marked with the mandated crossed-out wheeled bin symbol (as shown above) for items shipped on or after August 13, 2005. This symbol means that the product meets the requirements laid down by the WEEE directive with regards to the destruction and reuse of waste electrical and electronic equipment. For further details, please refer to NETASQ's website at this address: http://www.netasq.com/recycli
[Screenshot: NETASQ Event Analyzer InstallShield Wizard, Destination Folder: "...hange to install to a different folder. Install NETASQ Event Analyzer to: C:\Program Files\NETASQ\Event Analyzer". Buttons: Change, < Back, Next >, Cancel]

Click on Next >, or click on Change to install the software in a different folder.

[Screenshot: NETASQ Event Analyzer InstallShield Wizard, Setup Type: "Choose the setup type that best suits your needs. Please select a setup type." Option 1: All program features will be installed (requires the most disk space). Option 2: Choose which program features you want installed and where they will be installed (recommended for advanced users). Buttons: < Back, Next >, Cancel]

Click on Next > to install all the NETASQ Event Analyzer products, or select the Setup Type that best suits your needs.

[Screenshot: NETASQ Event Analyzer InstallShield Wizard, Custom Setup: "Select the program features you want installed. Click on an icon in the list below to change how a feature is installed." Features: Event Analyzer, Filter Engine, Reporting, Web Portal, Report Builder. Feature description: Contains all the features to install the whole NETASQ Event Analyzer solution. This feature requires 132MB on your hard drive. It has 2 of 2 subfeatures selected. The...
...checkboxes Archive logs in Enriched CSV Format and/or Archive logs in Native format for legal and regulatory purposes have been selected.

WARNING / RECOMMENDATION: The Log Vault component uses this value to get the generated log files from the incoming syslog to perform legal storage.

5.7.2 Log Vault settings

The Log Vault settings allow a system administrator to configure the long-term archiving storage for legal and compliance purposes.

[Screenshot: Log Vault General Settings: "Verifies data integrity, compresses and encrypts logs for long-term archival." Fields: Archive Directory; Archive Files from %NETREPORT_STORAGE% Directory Older than 2 Day(s); Archive Other Flat File Logs from Elsewhere Older than ... Day(s); Allow real-time archival; Archive everyday at 00:00:00; Purge Archive Files Older than ... Month(s); Allow User to Delete; Security: Encryption Passphrase (enter your passphrase)]

Archive Directory: Select the directory where NETASQ Event Analyzer archives your files for legal and compliance purposes. Select the frequency (in hours, days or weeks) at which you want the Log Vault component to archive your files.

Archive Files from %NETREPORT_STORAGE% Directory Older than: For example, if you select 2 Days (the default value), then all files that are older than 2 days will be archived in the Archive Directory you specified. This parameter is used for the log fil...
...scheduler. Click on Test to check that the name of the SMTP server has been correctly entered.

5.7 LOG ARCHIVING

The log archive configuration allows system administrators to define the log archiving process to be set up. NETASQ Event Analyzer uses two components, whose behavior depends on the format of the received logs (syslog or flat file).

Log Storage provides two main features:
- It stores generated files in enriched CSV format. This storage is used for both received log types (syslog and flat file). An enriched CSV log file contains event information with additional data that NETASQ Event Analyzer has added following the consolidation process (this process consists of indicating some specific information, such as IP addresses or networks).
- It stores files in native format for incoming syslog events. This allows archiving such events in native file format.

NOTE: For flat file events, log archiving without legal compliance is done by transferring log files from the device to the spied directory. You can also use other archiving features to perform advanced archiving operations.

Log Vault provides features like data integrity, compression and encryption for long-term archival and legal compliance. The process of treating incoming logs depends on the format of the received logs (syslog or flat file). For the flat file format, the logs to archive are transferred from the spied directory. For the syslog format, the logs to archive are transfe...
...ify and manually execute SQL scripts later. The SQL scripts generated by the NETASQ Event Analyzer Configuration Wizard are in the following directory: C:\Program Files (x86)\NETASQ\NETASQ Event Analyzer\database\sql scripts\SQL Server\20100303 1028. Please note that the SQL scripts are in a format compatible with SQL Server management tools. The pathname of the SQL script location depends on the parameters set during the installation process.

Leaving the check box clear: By default, the Do not execute SQL scripts now (only generate) check box is unselected. This means the SQL scripts will be executed automatically once the NETASQ Event Analyzer Configuration Wizard has completed, and you will not need to execute them manually later.

Delete existing data: This will create and destroy database tables for the devices you select in your database if it is the first time you have installed NETASQ Event Analyzer. If you have previously configured several devices, enabling this option means that existing data will be destroyed and the tables will be created again.

WARNING: If you select the checkbox Delete existing data, it is recommended that you save the data in the database tables first. The data in these tables will be destroyed and the tables will be created automatically when you reconfigure NETASQ Event Analyzer, either with the same devices selected or with different devices.
...ight. In the event a specific time zone is used, select the checkbox Adjust for Daylight Saving Time (DST) to adjust the time to the so-called Summer Time used in many countries.

5.5 SCHEDULED TASKS

Task scheduling allows system administrators to configure automatic treatments from a high-level perspective. To access task scheduling, click on the button Scheduled Tasks > Settings (Scheduled Tasks: Automate key database management tasks (aggregate and purge data) and schedule report generation).

The following screen will appear:
[Screenshot: NETASQ Event Analyzer Configurator, Tasks Scheduling. Scheduling: Run the Consolidation, Aggregation, Purge and Report Tasks everyday at ... Purge Settings: Detailed Data: Delete all data after treatment / Keep last 52 days of data / Keep last ... days; Aggregated Data: Keep last 12 months of data. Buttons: Cancel, Help]

5.5.1 Scheduling

Run the Consolidation, Aggregation, Purge and Report Tasks everyday at 1:00:00: Define the time at which the Consolidation, Aggregation, Purge and Report Tasks will be performed.

NOTE: These processes will be launched everyday at the defined time.

5.5.2 Purge settings

The purge parameters are used for deleting old data stored...
...les Settings
[Screenshot: Archive File Transfer. Fields: Enable Archive File Transfer; Passive Mode FTP Connection; Transfer Type: FTP; Destination; Hostname; User; Password]

Enable Archive File Transfer, Passive Mode FTP Connection: In the event of an FTP transfer, select the checkbox to enable a passive FTP connection. Otherwise, leave the checkbox unselected for an active mode FTP connection.
Transfer Type: Choose the kind of transfer to perform (FTP or local).
Destination: Target directory of the archived log files.
Hostname: In the event of an FTP transfer, set the FTP server hostname.
User: In the event of an FTP transfer, set the username to use for the FTP connection.
Password: In the event of an FTP transfer, set the password to use for the FTP connection.

IMPORTANT: Check the network credentials for this target directory regarding the Click and DECIDE Log Vault service.

5.8 END OF SETUP

Once the NETASQ Event Analyzer parameters have been set, you can close the Configuration screen in order to validate the configuration. In the main screen (NETASQ Event Analyzer Configuration), click on the button OK.

[Screenshot: NETASQ Event Analyzer Configurator main screen. Log Source: Configure NETASQ Event Analyzer log treatment. Network: Enter IP configuration data for internal and external IP addresse...
...llection parameters

In the Log Source Configuration screen, select the device you want to configure for log acquisition.

NOTE: By adding a new device in the log acquisition process, access to the log collection parameters will be automatic.

The following screen will appear:
[Screenshot: Log File Acquisition Settings. Device: NETASQ UTM; Device Name: NETASQ UTM. Log Source: Flat File Log (enter local directory only), File Directory: C:\Program Files (x86)\Click and DECIDE\...\Log; Log in Real Time with Syslog Protocol, Syslog IP Address, Advanced. Log Time Zone Settings: Use UTC offset (Coordinated Universal Time); Time Zone: (UTC+01:00) Brussels, Copenhagen, Madrid, Paris; Adjust for Daylight Saving Time (DST). Buttons: Cancel, Help]

5.2.2.1 Configuring the flat file log source

In the Log File Acquisition screen, select the radio button Flat File Log.
[Screenshot: Log Source: Flat File Log (enter local directory only), File Directory: F:\Program Files\NetReport\...\Logs\Eng..., File Name; Log in Real Time with Syslog Protocol, Syslog IP Address, Advanced]

Flat File Log: The default log format.
File Directory: The directory where the device logs are. Net Report will spy on this directory and treat the logs inside it.
...ng.html

INTRODUCTION

1.1 WHO SHOULD READ THIS

This manual is intended for system administrators with some basic IP knowledge. In order to install and configure your NETASQ Event Analyzer solution in the most efficient manner, you must be familiar with:
- the Windows operating system,
- SQL databases,
- NETASQ products,
- IP operations and their specific features: IP (Internet Protocol), TCP (Transmission Control Protocol), UDP (User Datagram Protocol), syslog.

1.2 TYPOGRAPHICAL CONVENTIONS

This document uses several different typographical conventions.

1.2.1 Abbreviations
For the sake of clarity, the usual abbreviations have been kept. For example: VPN (Virtual Private Network). Other acronyms will be defined in the Glossary.

1.2.2 Display
Names of windows, menus, sub-menus, buttons and options in the application will be represented in the following fonts. Example: Menu Interfaces.

1.2.3 Indications
Indications in this manual provide important information and are intended to attract your attention. Among these you will find:
NOTE: These messages provide a more detailed explanation of a particular point.
WARNING / RECOMMENDATION: These messages warn you about the risks involved in performing a certain manipulation, or about how not to use your appliance.
TIP...
...o access these documents. For further information regarding technical assistance, please refer to the document Standard NETASQ support.

2 HARDWARE REQUIREMENTS

When deploying the NETASQ Event Analyzer solution, the dimensions of the server are very important. The hardware requirements depend essentially on the number of events the solution has to treat per day. Four hardware architectures are presented below, according to the volume of data to be treated.

NOTE: The storage capacity is provided for information only. It depends on the configuration of the report generation, aggregation and archiving processes. NETASQ guarantees the architecture parameters based on the default configuration values. Under no circumstances shall NETASQ be held liable for any dysfunction, loss of data or revenue arising from these processes once the NETASQ Event Analyzer administrator has customized the predefined values.

2.1 LOW ARCHITECTURE (UP TO 5 MILLION EVENTS PER DAY)
Processor: Xeon dual processor
RAM: 3 GB
Storage space: 160 GB
Hard drive: SCSI disk, RAID 5 configuration, 10 KTPM

NOTE: The storage space indicated includes the use of the archiving process. The value depends on the volume of data the client needs to store.

2.2 MIDDLE ARCHITECTURE (FROM 5 TO 10 MILLION EVENTS PER DAY)
Processor: dual core bi-processor
RAM: 4 GB
Sto...
...ou must go back to the previous screen, select the device and click Change. Select the following Log Treatment: Archive Logs in Native Format and/or Archive Logs in Enriched CSV Format.

[Screenshot: Device Log File Archive Settings. Table columns: Configuration Name, Spied Directory, File Mask (entry: New Archive Configuration, %NETREPORT_STORAGE%). Buttons: Add, Change, Remove. Archive Settings Summary: Enable data encryption; Enable data integrity verification; Date reference settings: Extract from standard filename configuration; Transfer archive: Archive File Transfer disabled; all log files are compressed before archival]

To fully define log archiving processes, the system administrator should configure the following settings.

5.7.1 Log storage settings

The log storage settings consist of defining the directory that will store files in native and/or enriched CSV format.

[Screenshot: Log Storage Settings. "Log Storage generates files in Native and/or Enriched CSV Format for temporary storage before they are archived by the Log Vault. Log Storage does not treat other Flat File Logs, which can be directly archived in the Archive Directory." Field: %NETREPORT_STORAGE% Environment Variable]

The environment variable defines the default directory for the log storage actions.

NOTE: This value is only used if the c...
...ping Universal Time. If the UTC time zone is not used, select the time zone of your device's physical location.

Adjust for Daylight Saving Time (DST): Select this check box if the Date/Time parameters of your device are configured to adjust for Daylight Saving Time (DST), that is, where clocks are set one hour or more ahead of standard time to provide more daylight at the end of the working day during late spring, summer and early autumn.

5.2.4 Selection of the predefined scheduled tasks

In the Log Source Configuration screen, select the device for which you want to define scheduled tasks. The following screen will appear:
[Screenshot: NETASQ Event Analyzer Configurator, Log Acquisition. Device list: NETASQ UTM (Flat File); buttons: Add, Remove, Properties. Properties: Time Zone (GMT+01:00) Bruxelles, Copenhague, Madrid, Paris; Format; IP Address; Facility; Severity; Host. Log Treatment: Generate Daily and Monthly Mobility Dashboards; Generate Daily and Monthly Vulnerabilities Dashboards; Generate Daily and Monthly Content Filtering Dashboards; Generate Daily and Monthly Intrusion Prevention System Dashboards; Generate Daily and Monthly Proxy Dashboards; Generate Daily and Monthly Firewall Dashboards; Archive logs in Enriched CSV format; Aggregate Spam Information; Archive logs in Native format...
...rage space: 300 GB
Hard drive: SCSI disk, RAID 5 configuration, 15 KTPM

NOTE: The storage space indicated includes the use of the archiving process. The value depends on the volume of data the client needs to store.

2.3 HIGH ARCHITECTURE (FROM 10 TO 36 MILLION EVENTS PER DAY)
Processor: quad core bi-processor
RAM: 6 GB
Storage space: 600 GB
Hard drive: SCSI disk, RAID 5 configuration, 15 KTPM

NOTE: The storage space indicated includes the use of the archiving process. The value depends on the volume of data the client needs to store.

2.4 SPECIFIC ARCHITECTURE (MORE THAN 36 MILLION EVENTS PER DAY)

Managing a huge number of events per day requires specific hardware architectures, according to the treatments the NETASQ Event Analyzer solution has to perform. Such architectures may require several servers, whereby each of them is responsible for a dedicated purpose, as described in the example below:
- Server 1 collects the logs.
- Server 2 runs the database engine and performs aggregation processes.
- Server 3 builds the automatic reports.
- Server 4 runs the web portal solution.

The architecture presented above is just an example. Depending on the number of events to be treated, some processes may run on the same server.
...restrictions of the provided licenses.
[Table fragment, per license type: 1 concurrent / 5 concurrent / 5 concurrent; Scheduled Tasks Pane Types: NETASQ / NETASQ / NETASQ]

Event limitation: The table below displays the maximum number of events per license type.
[Table fragment, column headers not recovered. Number of events for SMB devices: 900,000; 1,800,000; 4,500,000; 9,000,000; 18,000,000; 45,000,000; 90,000,000; 180,000,000]

5.2 LOG SOURCE CONFIGURATION

The log source configuration allows system administrators to define the parameters for collecting logs from NETASQ devices. To access the log source configuration, click on the button Log Source > Settings (Log Source: Configure NETASQ Event Analyzer log treatment). The following screen will appear:
[Screenshot: NETASQ Event Analyzer Configurator, Log Acquisition. Device list: NETASQ UTM Migration (Flat File), NETASQ UTM (Flat File); buttons: Add, Remove, Properties. Properties: Time Zone (GMT+01:00) Bruxelles, Copenhague, Madrid, Paris; Format: NETASQ; IP Address; Facility; Severity; Host. Log Treatment: Generate Daily and Monthly Mobility Dashboards; Generate Daily and Monthly Vulnerabilities Dashboards; Generate Daily and Monthly Content Filtering Dashboards; Generate Daily and Monthly Intrusion Prevention System Dashboards; Generate Daily and Monthly Proxy Dashboards; Generate Daily and Monthly Firewall Dashboards; Archive logs in En...
...riched CSV format; Aggregate Spam Information; Archive logs in Native Format for legal and regulatory purposes. Buttons: Précédent (Back), Terminer (Finish), Aide (Help)]

From a high-level perspective, NETASQ Event Analyzer can collect logs from two kinds of devices relating to NETASQ UTM products (F and V series):
- NETASQ UTM syslog, concerning the collection of logs that have been sent using syslog;
- NETASQ UTM migrations, concerning the collection of logs that have been archived.

The steps in the log configuration wizard are:
1. Selection of the device type
2. Configuration of the log collection parameters
3. Definition of time zone settings
4. Selection of the predefined scheduled tasks

Each step is described in the following sections.

5.2.1 Selection of the device type

In the Log Source Configuration screen, click on the button Add. The following screen will appear:
[Screenshot: NETASQ Event Analyzer Configurator, Add Device. Select the device type: NETASQ UTM (Description: NETASQ UTM, for ...); NETASQ UTM Migration (for ...). Buttons: OK, Cancel, Help]

Click on the device from which you want to collect logs: UTM device for a physical device, or UTM migration for logs that have already been treated or archived. Click on the button OK.

5.2.2 Configuration of log co...
...rred from the directory of the Log Storage component.

To access the log archive configuration, click on the button Log Archive > Settings (Log Archive: Configure NETASQ Event Analyzer to store and archive device log files in a specific directory, with specific formats (CSV, flat file, syslog), and to encrypt files). The following screen will appear:
[Screenshot: NETASQ Event Analyzer Configurator, Log Archive Settings. Log Storage Settings: "Log Storage generates files in Native and/or Enriched CSV Format for temporary storage before they are archived by the Log Vault. Log Storage does not treat other Flat File Logs, which can be directly archived in the Archive Directory." Field: %NETREPORT_STORAGE% Environment Variable. Log Vault General Settings: "Verifies data integrity, compresses and encrypts logs for long-term archival." Fields: Archive Directory; Archive Files from %NETREPORT_STORAGE% Directory Older than ... Day(s); Archive Other Flat File Logs from Elsewhere Older than ... Day(s); Allow real-time archival; Archive everyday at 00:00:00; Purge Archive Files Older than ... Month(s); Allow User to Delete; Security: Encryption Passphrase (enter your passphrase). Device Log File Archive Settings: "To enable log archival, y...

The environment variable defines the default directory for the log storage actions.
...s and subnet masks, and define your network address ranges. Database: Configure the connection and time zone settings for the database you want NETASQ Event Analyzer to use to manage your log data (Settings). Scheduled Tasks: Automate key database management tasks (aggregate and purge data) and schedule report generation (Settings). Mail Server: Define the mail server you want NETASQ Event Analyzer to use to send alerts (Settings). Log Archive: Configure NETASQ Event Analyzer to store and archive device log files in a specific directory, with specific formats (CSV, flat file, syslog), and to encrypt files (Settings). License Certificate: View or update your current NETASQ Event Analyzer license certificate (Settings). Buttons: Cancel, Apply, Help]

The following screen will appear:
[Screenshot: NETASQ Event Analyzer Configurator warning: "Your previous configuration will be overwritten; any filters and actions added manually will be removed. Do you want to continue?"]

Click on Yes to continue.

[Screenshot: NETASQ Event Analyzer Configurator completion dialog]

Click on Close to exit the configuration.