6 Replies Latest reply on Jan 5, 2017 10:29 AM by dritans.

    DEM installation/implementation guide or instructions?

    dritans.

      Does anyone have a plan or an implementation guide with step by step instruction that they used to install DEM on the SIEM? I will be installing the DEM modules (DSM-2600) on a ENMELM-4600 (which I believe is referred to as a combo box?) the guides I've found so far seem to be a bit confusing to me and are more focused on the physical installation of the hardware and don't mention any pre-requisites except that you will need to use span ports. So far I have the below checklist steps

      1. Add span ports to replicate database traffic,

      2. Connect the DEM modules

      3. Configure the network interface on the DEM

      4. Add the DEM devices to the ESM console.

       

      Am I missing any other steps or any tests that I need to perform in order to get this working? We will be monitoring Oracle, and SQL databases and those servers I am not sure if they are in different VLAN's or if the servers are already being monitored by the ESM. In the situation where the database servers are in the ESM how does that affect any of the steps? Do they need to be re-added as separate servers under the DEM properties as new Database servers? Any information will be greatly appreciated.

       

      Thank you!

        • 1. Re: DEM installation/implementation guide or instructions?
          rth67

          We have a DEM already in our environment, and are looking to add another.

          Basic Steps:

          1 - Rack, cable, and power up the DEM

          2 - Configure the Management IP on the DEM via a crash cart

          3 - Key the DEM to the ESM

          4 - Modify your connection settings to enable ping (personal preference)

               NOTE - The DEM does not support the use of the IPMI port for remote lights out management

          5 - Work with your LAN/WAN team to configure a SPAN/TAP to replicate traffic destined for your Database Servers (probably based on port usage - i.e. 1433, 1521 > you will need to work with your DBA's to get all of the ports being used) - cable this to the DEM. Note > You can connect the SPAN port to any one of the NIC's (except MGMT1 and IPMI), disregard the whole Trusted/Untrusted labeling on the expansion Ethernet Cards, we have worked directly with the developers in the UK during troubleshooting and they monitor all of the ports.

          6 - Tune your DEM, if you are only using SQL and Oracle, disable the other database Policies in Policy Editor > DEM > Database (there are 709 rules - disable things like DB2, Greenplum, Informix, etc) this will help with performance.

          7 - Depending on how many Databases you are going to be tracking, and how busy they are, you may want to put them in to different "Priority Groups" within the Database Configuration setup on the DEM. There are 8 Priority Groups possible, and each one spins up a new process to handle the events, so distribute the load, more processes use more CPU's, so rather than hammering one process / cpu, spread it out.

          8 - You will then either need to monitor your "New Database Discovered" events, and create them from the Database from their, or if you already know the Database information, you can pre-populate.

           

               NOTE - The data you see in the events is not all of the data, there are no packets captured and saved to the local drive, the Policies are matched in memory and it takes 2 packets to match a given rule (i.e. Oracle Select Statement)

           

          Also, there is a maximum of 255 defined databases per DEM, regardless of the size of the DEM, the larger DEM just allows you to handle more database traffic, not more databases.

           

          If you need to exceed 1GB on your SPAN port, you can split up your data to come in on multiple SPAN ports, SQL traffic to SPAN Port 1, and Oracle Traffic to SPAN port 2, again according to the UK developer, they scan all of the ports for traffic. We have the DEM-4600 which has 2 4-port Ethernet cards, and 4 built-in Ethernet ports, the program actually scans all 12 ports for database traffic.

          1 of 1 people found this helpful
          • 2. Re: DEM installation/implementation guide or instructions?
            dritans.

            Thanks rth67! This is really helpful. I will also need to perform an upgrade on the ESM, currently on version 9.5.0. Are you recommending to do the upgrade first and then setup the DEM or connect the DEM first and then do the upgrade of the ESM to the latest version?

            • 3. Re: DEM installation/implementation guide or instructions?
              rth67

              You may want to upgrade to 9.6.0 first, we had an issue with our DEM on a previous version where it would not create any events. We had a ticket with support to resolve this issue, they had to get to the Developers to fix it (and re-fix it after upgrades) until we got to 9.6.0

               

              Also, we are on 9.6.0 MR6 and there is still a bug that shows an "Out of Sync" warning on the DEM, it is not affecting anything, just annoying. Support can clear the flag/issue, but it returns later.

              • 4. Re: DEM installation/implementation guide or instructions?
                dritans.

                Great! I had a feeling it would be better to upgrade first but Support advised to setup the DEM first because according to them when you do the upgrade on the ESM the DEM will be updated also instead of doing a separate update for it. Is this true? Trying to formulate an action plan so things can go smoothly. You know how these things go, you miss a step or the order of steps and you have to troubleshoot 100 different things.

                • 5. Re: DEM installation/implementation guide or instructions?
                  rth67

                  The DEM has a separate Upgrade File, if you upgrade to 9.6.0 MR? first, then add the DEM, and it is running 9.5.x, it will still allow you to Key the device, but you will get a warning that the software is not on the same version. Upgrade it to the same release as everything else and your good.

                   

                  The opposite could also be true, if your on 9.5.0 MR? and you add the DEM and it's running a newer release of 9.5.0 or 9.5.2, you will also get the warning about the software version mismatch.

                   

                  The issue we had with the DEM not showing events was seen when we were running version 9.5.0 MR9, and had to be tweaked to work when upgraded to 9.5.2 as well.

                  1 of 1 people found this helpful
                  • 6. Re: DEM installation/implementation guide or instructions?
                    dritans.

                    Ok I see, that makes sense.

                    Thanks!