10 Replies Latest reply on Sep 1, 2014 9:57 AM by alexander_h

    Add MS Exchange, MS DNS, MS DHCP and Allied Telesis to SIEM

    allegiance

      I would like to ask for assistance on my concerns below.

       

      1. How to add MS Exchange(Windows 2012)?

           a. What configuration do I need on the SIEM side?

           b. Does it need a McAfee SIEM agent?

       

      2. How to add MS DNS and DHCP(Windows 2012)

           a. What configuration do I need on the SIEM side?

           b. Does it need a McAfee SIEM agent?

       

      3. There is no Allied Telesis on the supported logs, how can I add it?

       

      4. How to enable GTI on SIEM?

       

      5. If I have an ISA server and stores its logs on C:\Program Files\<ISA Server install dir>\Logs\

           a. What configuration do I need so I can add ISA logs and the Windows logs?

       

      6. If I have a Linux server and I need to add the logs from /var/logs/ and logs from /usr/application_logs

           a. How do I add the device having multiple log path?

       

      7. On the drill down on the dashboard there are :: destination IP addresses?

       

      8. On the bound event summary there are 13 event counts but on the drill down it is only 8? Please see attached screenshot

       

      9. Why is there a high severity level of 2000+, how is it being computed?

        • 1. Re: Add MS Exchange, MS DNS, MS DHCP and Allied Telesis to SIEM
          mlev462251

          ad1

          Officially supported are 2007 and 2010.

          For logs that go to EventLog you configure it as a WMI (Windows) source. If you need message tracking logs you need to use an agent.

           

          ad2

          You need to use an agent.

           

          ad3

          You will have to make a custom parser.

           

          ad4

          Right now you need an extra subscription. From 9.4 on it should be enabled out-of-the-box but I don't know if this is also the case for existing deployments.

           

          ad5

          You need to use an agent.

           

          ad6

          I'd recommend forwarding them via syslog, but you can also use an agent.

           

          ad7

          True. IPv6 equivalent of 0.0.0.0

           

          ad8

          I'm guessing you are looking at aggregated correlations. "13" means how many times the event happened but was aggregated to "1".

          One of these 13 correlated events was triggered by the 8 source events below.

          I'd recommend turning off aggregation for correlated events.

          • 2. Re: Add MS Exchange, MS DNS, MS DHCP and Allied Telesis to SIEM
            mlev462251

            Ah. I missed #9

            Cumulative severity is just a sum of severities of aggregated events.

            • 3. Re: Add MS Exchange, MS DNS, MS DHCP and Allied Telesis to SIEM
              marcmazu

              Hello,

               

              I will talk about aggregation, since it's involved in your 7th question and it's an important concept that we struggled with since our SIEM installation.

               

              Concerning the :: that appear in the Destination IP column, my experience is that this happens with aggregated events.

               

              The first field that gets aggregated on is often the Dest IP, so similar events (same signature ID, same Src IP but possibly different Dest IP) will be aggregated together for performance reasons. In this case, the :: in the Dest IP field means that there are different values for this field. This is why the "count" field is almost always greater than 1 when :: appears. It's also possible that even though many events were aggregated together, the Dest IP is the same for all of them, so in this situation the Dest IP is shown since it's unique.

               

              It's important to know this, because if you look at the event details in such a case, you only see one event with one Dest IP, but all the other events that were aggregated together don't necessarily have the same Dest IP. Aggregation makes you lose details of certain events, and it's important to know.

               

              There are some ways to get around this:

              • turn aggregation off for a specific signature ID (in the Policy editor, choose "off" in the Aggregation column)
              • fine-tune the aggregation fields by choosing different fields to aggregate on (Modify Aggregation Settings in the Action menu)
              • fine-tune the aggregation (level 1, level 2, etc) for the whole receiver in Receiver Properties => Event Aggregation
              • if you have a ELM archiving the raw events for the data source in question, you can extract the information from the ELM since the ELM archives raw (non-aggregated) events

               

              Be careful when turning off aggregation - with high event rates, the effect on performance can be quite important. In our installation, our FortiGate perimeter firewall has an average aggregation rate of about 12-14, meaning that if we turned off aggregation, we would have 12 to 14 times more events to handle, and we just could not handle this load. Aggregation is a good thing, you just have to know about it and fine-tune the different parameters according to your situation. By the way, McAfee's ratings in events/sec for the receivers, ESM console, etc. are based on aggregation being ON, and I seem to remember that they assume an aggregation ratio of about 10-to-1 (not sure of the number but it's in this ballpark).

               

              A :: in the Dest IP field when the "count" is 1 either means that this event doesn't contain a Dest IP field, or that the parser wasn't able to parse it for whatever reason.

               

              Regards,

              Marc.
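The aggregation behaviour described in replies #2 and #3 (events folded on signature ID and Src IP, a differing Dest IP displayed as "::", the "count" of folded events, and cumulative severity as the plain sum of the folded severities) as an added toy model; this is not McAfee ESM code, and the signature IDs, addresses and severities are constructed sample values.

```python
"""Toy model of receiver-side event aggregation (added example, not McAfee code)."""
from collections import defaultdict

# Constructed sample events: (signature_id, src_ip, dst_ip, severity).
# The last event has no Dest IP, as when the parser could not extract one.
SAMPLE_EVENTS = [
    ("430-1", "10.0.0.5", "192.168.1.10", 25),
    ("430-1", "10.0.0.5", "192.168.1.11", 25),
    ("430-1", "10.0.0.5", "192.168.1.12", 25),
    ("430-2", "10.0.0.7", "192.168.1.10", 50),
    ("430-2", "10.0.0.7", "192.168.1.10", 50),
    ("430-3", "10.0.0.9", None, 10),
]


def aggregate(events, agg_fields=("sig_id", "src_ip")):
    """Fold events sharing the agg_fields into one row each.

    Dest IP is shown only when every folded event agrees on it; differing
    or missing values collapse to '::'. Adding 'dst_ip' to agg_fields is the
    'fine-tune the aggregation fields' option from the reply above.
    """
    groups = defaultdict(list)
    for sig_id, src_ip, dst_ip, severity in events:
        values = {"sig_id": sig_id, "src_ip": src_ip, "dst_ip": dst_ip}
        key = tuple(values[f] for f in agg_fields)
        groups[key].append((dst_ip, severity))

    rows = []
    for key, members in groups.items():
        dsts = {d for d, _ in members}
        dst = dsts.pop() if len(dsts) == 1 and None not in dsts else "::"
        rows.append({
            "key": key,
            "dst_ip": dst,
            "count": len(members),                       # raw events folded in
            "cumulative_severity": sum(s for _, s in members),  # sum, not max
        })
    return rows


def aggregation_ratio(events, rows):
    """Raw events per aggregated row; the load multiplier if aggregation is turned off."""
    return len(events) / len(rows)


if __name__ == "__main__":
    rows = aggregate(SAMPLE_EVENTS)
    for row in rows:
        print(row)
    print("aggregation ratio:", aggregation_ratio(SAMPLE_EVENTS, rows))
```

Run with the default fields and the 430-1 group shows "::" with count 3 and cumulative severity 75; aggregate on dst_ip as well and the three 430-1 events stay separate with their real Dest IPs.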

              • 4. Re: Add MS Exchange, MS DNS, MS DHCP and Allied Telesis to SIEM
                Regis

                allegiance wrote:

                 

                I would like to ask for assistance on my concerns below.

                 

                1. How to add MS Exchange(Windows 2012)?

                     a. What configuration do I need on the SIEM side?

                     b. Does it need a McAfee SIEM agent?

                 

                2. How to add MS DNS and DHCP(Windows 2012)

                     a. What configuration do I need on the SIEM side?

                     b. Does it need a McAfee SIEM agent?

                 

                 

                1) Add Exchange as a Microsoft WMI log source and feed it domain admin creds. No agent needed.

                2) For DHCP, a Microsoft DNS source type with CIFS retrieval method works (provided you dump the DHCP log file in a directory such that you don't have any spaces in the file path name).

                2 - For DNS it's tricky. Depends if file timestamps update on your DNS server log file. I currently have a PER open to fix the fact that the CIFS file retriever only retrieves files with a newer timestamp than the last time they checked it. In Server 2008, open DNS audit log files being actively written will maintain the time stamp that they had when they were opened. Right now, support will tell you you need a SIEM agent for DNS request log files to get collected.

                • 5. Re: Add MS Exchange, MS DNS, MS DHCP and Allied Telesis to SIEM
                  allegiance

                  Hi All,

                     I was trying to add IIS but SIEM cannot parse the logs from IIS v7. Below are the sample logs.

                   

                  #Software: Microsoft Internet Information Services 7.5

                  #Version: 1.0

                  #Date: 2014-09-01 09:26:44

                  #Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken

                  2014-09-01 09:26:44 192.168.1.45 GET / - 80 - 192.168.1.69 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/37.0.2062.94+Safari/537.36 304 0 0 171

                  2014-09-01 09:26:44 192.168.1.45 GET /welcome.png - 80 - 192.168.1.69 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/37.0.2062.94+Safari/537.36 304 0 0 327

                  2014-09-01 09:26:49 192.168.1.45 GET / - 80 - 192.168.1.69 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/37.0.2062.94+Safari/537.36 304 0 0 202

                  2014-09-01 09:26:53 192.168.1.45 GET / - 80 - 192.168.1.69 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/37.0.2062.94+Safari/537.36 304 0 0 202

                  2014-09-01 09:40:28 192.168.1.45 GET / - 80 - 192.168.1.69 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/37.0.2062.94+Safari/537.36 304 0 0 62

                  2014-09-01 09:40:28 192.168.1.45 GET /welcome.png - 80 - 192.168.1.69 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/37.0.2062.94+Safari/537.36 304 0 0 202

                  2014-09-01 09:40:32 192.168.1.45 GET / - 80 - 192.168.1.69 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/37.0.2062.94+Safari/537.36 304 0 0 15

                  2014-09-01 09:40:32 192.168.1.45 GET /welcome.png - 80 - 192.168.1.69 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/37.0.2062.94+Safari/537.36 304 0 0 202

                  2014-09-01 09:40:32 192.168.1.45 GET / - 80 - 192.168.1.69 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/37.0.2062.94+Safari/537.36 304 0 0 31

                  2014-09-01 09:40:32 192.168.1.45 GET /welcome.png - 80 - 192.168.1.69 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/37.0.2062.94+Safari/537.36 304 0 0 109

                  2014-09-01 09:40:32 192.168.1.45 GET / - 80 - 192.168.1.69 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/37.0.2062.94+Safari/537.36 304 0 0 31

                  2014-09-01 09:40:32 192.168.1.45 GET /welcome.png - 80 - 192.168.1.69 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/37.0.2062.94+Safari/537.36 304 0 0 93

                  2014-09-01 09:40:32 192.168.1.45 GET / - 80 - 192.168.1.69 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/37.0.2062.94+Safari/537.36 304 0 0 31

                  2014-09-01 09:40:32 192.168.1.45 GET /welcome.png - 80 - 192.168.1.69 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/37.0.2062.94+Safari/537.36 304 0 0 265

                  2014-09-01 09:40:35 192.168.1.45 GET / - 80 - 192.168.1.69 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/37.0.2062.94+Safari/537.36 304 0 0 15

                  2014-09-01 09:40:35 192.168.1.45 GET /welcome.png - 80 - 192.168.1.69 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/37.0.2062.94+Safari/537.36 304 0 0 202

                  2014-09-01 09:40:35 192.168.1.45 GET / - 80 - 192.168.1.69 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/37.0.2062.94+Safari/537.36 304 0 0 31

                  2014-09-01 09:40:35 192.168.1.45 GET /welcome.png - 80 - 192.168.1.69 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/37.0.2062.94+Safari/537.36 304 0 0 265
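A small parser for the W3C extended log format shown in the sample above, driven by the #Fields directive rather than a fixed column list, so a changed set of IIS logging fields is detected as a column-count mismatch instead of being silently mis-parsed; this is an added example, not McAfee's or IIS's own parser, and the two embedded records copy the layout of the posted sample.

```python
"""Parser for IIS 7.x W3C extended log lines (added example, not McAfee/IIS code).
'#Fields:' names the space-separated columns, '-' marks an empty value and
'+' encodes a space inside cs(User-Agent). Times are recorded in UTC."""
from datetime import datetime, timezone

# Two records copied in layout from the sample posted in this thread.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2014-09-01 09:26:44
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2014-09-01 09:26:44 192.168.1.45 GET / - 80 - 192.168.1.69 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/37.0.2062.94+Safari/537.36 304 0 0 171
2014-09-01 09:26:44 192.168.1.45 GET /welcome.png - 80 - 192.168.1.69 Mozilla/5.0+(Windows+NT+6.1;+WOW64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/37.0.2062.94+Safari/537.36 304 0 0 327
"""

INT_FIELDS = {"s-port", "sc-status", "sc-substatus", "sc-win32-status", "time-taken"}


def parse_w3c(text):
    """Return one dict per data line; a later #Fields directive replaces the column list."""
    fields, entries = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line before any #Fields directive")
        cols = line.split(" ")
        if len(cols) != len(fields):
            # A changed logging-field selection in IIS Manager shows up here.
            raise ValueError(f"expected {len(fields)} columns, got {len(cols)}: {line!r}")
        entry = {}
        for name, raw in zip(fields, cols):
            value = None if raw == "-" else raw
            if value is not None and name in INT_FIELDS:
                value = int(value)
            elif value is not None and name == "cs(User-Agent)":
                value = value.replace("+", " ")
            entry[name] = value
        # Combine the separate date and time columns into one UTC timestamp.
        stamp = datetime.strptime(f"{entry['date']} {entry['time']}", "%Y-%m-%d %H:%M:%S")
        entry["timestamp"] = stamp.replace(tzinfo=timezone.utc)
        entries.append(entry)
    return entries


if __name__ == "__main__":
    for e in parse_w3c(SAMPLE_LOG):
        print(e["timestamp"], e["c-ip"], e["cs-method"], e["cs-uri-stem"], e["sc-status"], e["time-taken"])
```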

                  • 6. Re: Add MS Exchange, MS DNS, MS DHCP and Allied Telesis to SIEM
                    alexander_h

                    If you have installed the agent and you are collecting the logs just check on the IIS manager under logging options whether all default logging fields are selected.

                     

                    Also for reference this KB describes everything:

                     

                    McAfee KnowledgeBase - Nitro Windows Agent and IIS log tailing

                    • 7. Re: Add MS Exchange, MS DNS, MS DHCP and Allied Telesis to SIEM
                      habanero

                      I was pulling Exchange Message Tracking logs from a share using CIFS in our 9.3.2 evaluation so that might be an option in addition to WMI and the agent. I haven't been able to get it to work yet in our purchased 9.4.0 production implementation though (never sees events, ticket opened).

                      • 8. Re: Add MS Exchange, MS DNS, MS DHCP and Allied Telesis to SIEM
                        alexander_h

                        It's always an option but if it's not the only option I wouldn't use it.

                        • 9. Re: Add MS Exchange, MS DNS, MS DHCP and Allied Telesis to SIEM
                          allegiance

                          I can see that there are logs coming from the Agent installed on the IIS server. I also tried uploading the log file but nothing appears on the dashboard reports. Reports only show when I enable "log as unknown format".
