
SURELOG User Guide
ANET USA INC.

Table of Contents

Preface ..... 4
  Intended Audience ..... 4
  Technical Support ..... 4
Chapter 1: Introduction to SureLog ..... 4
  Comprehensive Log Data Collection and Log Management ..... 5
  Cross-Platform Log Collection ..... 5
  Windows Event Logs: Agent-less or Agent-based ..... 5
  Supported Devices ..... 5
  Supported Applications ..... 6
  Supported Operating Systems ..... 6
  Supported Network Devices ..... 6
  Introduction to Syslog Protocol ..... 14
  SNMP Trap Reception and Processing ..... 14
  SureLog Server Features ..... 14
Chapter 2: System Requirements ..... 15
  Supported Operating Systems ..... 15
  Hardware Requirements ..... 15
Chapter 3: First Time Users ..... 16
  Installing and Uninstalling SureLog ..... 16
  Uninstalling SureLog ..... 16
  Accessing the Web Client ..... 16
  Navigating Through SureLog ..... 16
  Login and Log out ..... 16
Chapter 4: Performance ..... 17
  Why Fast EPS Performance Matters ..... 18
Chapter 5: Dashboards ..... 18
  Transition Between Dashboards ..... 22
  To add a Statistic Report on Dashboard ..... 22
  To add a Top List Report on Dashboard ..... 23
  To add a Trend Report on Dashboard ..... 24
  To add a SQL Query Report on Dashboard ..... 24
  To add a SQL Query (Graphic) Report on Dashboard ..... 25
  Last Logs ..... 26
  Log Sources ..... 26
  Drill-Down Feature ..... 26
  Adding a Dashboard Panel ..... 28
  Customizing Dashboard View ..... 28
Chapter 6: Reports ..... 31
  Log Management ..... 31
  Log Management Report Categories ..... 31
  Creating Dynamic Top List Reports ..... 36
  Top List Report ..... 36
  Change Monitor Report ..... 38
  Schedule Reports ..... 44
  Combining Reports ..... 45
  Creating Reports ..... 47
  Creating Statistics Reports ..... 48
  Creating Report Categories ..... 50
Chapter 7: Search ..... 50
  Google-like Search ..... 50
  Structured Search ..... 52
Chapter 8: Correlation ..... 53
  Why Use Correlation? ..... 53
  To Reduce the Amount of Information to Monitor ..... 53
  To Automate the Response after Receiving a Message ..... 53
  To Enhance the Quality of the Diagnosis ..... 53
  To Compensate for the Lack of Consistency among Security Device-Generated Messages ..... 54
  SureLog Correlation GUI ..... 54
  SureLog Advanced Correlation Engine ..... 54
  Sample Correlation Rules ..... 54
  Out-of-the-Box Correlation Rules ..... 56
  Advantages of SureLog Correlation Engine ..... 58
  Template Rules ..... 59
Chapter 9: Creating Custom Correlation Rules ..... 61
  Observed Rule ..... 62
  Relations Between Logs ..... 64
  Threshold Rule ..... 66
  Count Threshold Rule ..... 66
  Sum Threshold Rule ..... 67
  Trend Monitor Rule ..... 68
  Statistic Rule ..... 68
  Statistic Count Rule ..... 69
  Statistic Average Rule ..... 69
  Value Changed Rule ..... 70
  Never Seen Before Rule ..... 70
  Add List Rule ..... 71
  Expert Rule ..... 72
Chapter 10: Alerts ..... 73
  Activating an Alert ..... 73
Chapter 11: User Management ..... 84
Chapter 12: Incident Management ..... 86
Chapter 13: Threat Intelligence ..... 87
Chapter 14: Settings ..... 88
  The Update Changes ..... 88
  Changing Theme ..... 89
  General Configuration ..... 89
  Managing Protocol Groups ..... 89
  Operations on Protocols ..... 90
  Operations on Protocol Groups ..... 90
  DNS Converter ..... 90
  Mail Configuration ..... 90
  Log Configuration ..... 91
  Adding a New Log Collector ..... 92
  Adding a New Syslog Server ..... 93
  Configuring Log Source Availability Alerts ..... 93
  Add Text Logs ..... 95
  Schedule Configuration ..... 95
  Domain Configuration ..... 96
  Correlation Configuration ..... 99
  Network User Configuration ..... 102
  File Access Configuration ..... 102
  Network Access Configuration ..... 103
  Intranet Configuration ..... 103
  ARP Table Configuration ..... 104
  License Configuration ..... 105
  Backup Configuration ..... 105
  Custom Parser Configuration ..... 106
  User Activities ..... 107
  Configuration Files ..... 108
  Log Files ..... 110
  Data Storage Options ..... 110
  Database Console ..... 111
  File Sign Control ..... 111
  AD (Active Directory) Authentication ..... 112
  Tag Configurations ..... 112
  Preparser Rule ..... 113

Preface

This guide explains how to use the SureLog platform software.

Intended Audience

The reader should have experience in system administration along with networking and information security. In addition, they should be comfortable installing software on distributed enterprise servers and understand TCP/IP networking and remote logging. Familiarity with network protocols and standards is also highly recommended.

Technical Support

Customers requiring technical assistance can reach our support representatives through telephone or email:

E-mail Address: Please send a detailed email to support@anetusa.net

Chapter 1: Introduction to SureLog

As Information Technology (IT) becomes the center of today's wired enterprise, organizations are under increasing pressure to implement best practices to better control growing security, risk, and compliance challenges. These challenges include internal and external threats, operational issues, intellectual property protection, privacy, and even regulatory mandates. Even though there has been a great emergence of network security centers and risk management groups to help remedy this situation, they have discovered that no one tool completely integrates security, risk, and compliance.

As a result, numerous organizations are forced to bundle tools from multiple vendors to achieve their security and compliance goals. However, these techniques result in disparate silos of data that are costly and complex to manage. SureLog software attempts to resolve this issue for its customers.

For custom or non-supported data types, SureLog includes a universal parser to map any data feed into a data store. Once the data is collected, full record fidelity is maintained to ensure the forensic and evidentiary capabilities of the data. From there, the data is encrypted, a best practice required by numerous regulations including PCI. Finally, the stored data is compressed at a rate of 15:1 to control storage costs. SureLog's correlation engine is unmatched in the industry because it correlates not just log data, but all other data types that are collected and parsed. SureLog also provides over 1,000 security and compliance metrics-based reports, letting users quickly gain visibility into infrastructure activities across lines of business, locations, and applications. These reports are viewable from a secure onscreen portal, or they can be exported to HTML, PDF, and various other formats.

Comprehensive Log Data Collection and Log Management

It is imperative that a true log management and analysis solution have the ability to collect log data across an enterprise regardless of its source. The solution must also be able to present the logs in a uniform and consistent manner, while managing the state and location of the data for efficient access.
The SureLog solution was designed to address these needs along with the following:

- The ability to collect any type of log data regardless of source
- The ability to collect log data with or without installing an agent on the log source device, system or application
- The ability to "normalize" any type of log data for more effective reporting and analysis
- The ability to "scale down" for small deployments and "scale up" for extremely large environments
- An open architecture allowing direct and secure access to log data via third-party analysis and reporting tools
- A role-based security model providing user accountability and access control
- Auto
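The "normalize" and "full record fidelity" points above, shown as an added example that is not SureLog's own code and not the schema the product uses: heterogeneous log lines are mapped into one common record while the raw line and a SHA-256 of it are kept alongside the parsed fields, so reporting can work on uniform keys without losing the original evidence. The sample lines, the common field names and the vendor-to-common field map are all constructed for illustration.

```python
"""Added example (not from the SureLog guide): normalize mixed log lines into a
common record while preserving the raw record for forensic use."""
import hashlib
import re

# Constructed sample records: an RFC 3164 syslog line, a firewall-style
# key=value line, and one line that no parser recognises.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 fw01 sshd[4242]: Failed password for root "
    "from 198.51.100.7 port 51234 ssh2",
    'date=2024-10-11 time=22:14:16 devname="fw01" action=deny '
    'srcip=198.51.100.7 dstip=203.0.113.5 dstport=22 user="root"',
    "garbage that matches no parser",
]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<app>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Hypothetical vendor-key -> common-key map; a real deployment would keep one
# such map per device type.
KV_FIELD_MAP = {
    "devname": "host",
    "srcip": "src_ip",
    "dstip": "dst_ip",
    "user": "user",
    "action": "action",
}


def parse_syslog(line):
    """Return common-schema fields for an RFC 3164 line, or None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    src = IPV4_RE.search(m["msg"])  # enrichment: first IPv4 in the message
    return {
        "source_type": "syslog",
        "host": m["host"],
        "app": m["app"],
        "facility": pri >> 3,   # PRI = facility * 8 + severity
        "severity": pri & 7,
        "src_ip": src.group(1) if src else None,
        "message": m["msg"],
    }


def parse_kv(line):
    """Return common-schema fields for a key=value line, or None."""
    pairs = KV_RE.findall(line)
    if len(pairs) < 3:  # too few pairs to be a key=value record
        return None
    fields = {k: v.strip('"') for k, v in pairs}
    rec = {"source_type": "kv"}
    for vendor_key, common_key in KV_FIELD_MAP.items():
        if vendor_key in fields:
            rec[common_key] = fields[vendor_key]
    rec["message"] = line
    return rec


PARSERS = [parse_syslog, parse_kv]


def normalize(line):
    """Always keep the raw record and its digest; add parsed fields if any."""
    record = {
        "raw": line,
        "raw_sha256": hashlib.sha256(line.encode("utf-8")).hexdigest(),
    }
    for parser in PARSERS:
        parsed = parser(line)
        if parsed is not None:
            record.update(parsed)
            return record
    # Unrecognised input is still stored, never dropped.
    record.update({"source_type": "unknown", "message": line})
    return record


def normalize_all(lines):
    return [normalize(line) for line in lines]


if __name__ == "__main__":
    for rec in normalize_all(SAMPLE_LINES):
        print(rec["source_type"], rec.get("host"), rec.get("src_ip"), rec["raw_sha256"][:12])
```

The unknown line is kept with its digest rather than discarded; that is the behaviour the "full record fidelity" claim implies, and it is what lets a later custom parser be applied to records that were collected before the parser existed.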

BlueCoat SGOS
BlueCoat WebProxy
SMC Networks SMCWBR14T-G
Enterasys Dragon IDS
Watchguard Firebox SOHO
A10 Load Balancer and A10 Web Application Firewall
3Com Switch
Actiance U