- Released At: 13-07-2024
H3C SecCenter CSAP-SA
Configuration Examples
Copyright © 2024 New H3C Technologies Co., Ltd. All rights reserved.
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.
Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.
The information in this document is subject to change without notice.
Contents
Expanding storage space for the platform
Configuring collection of network and security device logs
Configuring log collection for various types of devices
Configuring log collection for IPS and firewall devices
Configuring log collection for NTA-V[X00] series H3C SecCenter CSAP-NTA devices
Configuring log collection for sandbox devices
Configuring log collection for ACG devices
Configuring collection of host and application logs
Installing and configuring the agent
Configuring the agent on the platform
Configuring SMS/email settings and a notification policy
Configuring SMS center settings
Configuring email server settings
Configuring a notification policy
Introduction
The following information introduces typical networking solutions and common configuration descriptions for the comprehensive log audit platform, including various log source access settings, correlation rule settings, email and SMS platform integration settings, and alarm notification settings.
Prerequisites
This document is not restricted to specific software or hardware versions. Procedures and information in the examples might be slightly different depending on the software or hardware version of the device.
The configuration examples were created and verified in a lab environment, and all the devices were started with the factory default configuration. When you are working on a live network, make sure you understand the potential impact of every command on your network.
The log source devices in this document are all H3C devices. For information about devices of other vendors, see the corresponding operation guides.
The following information is provided based on the assumption that you have basic knowledge of the comprehensive log audit platform.
Network deployment
Network configuration
As shown in Figure 1, the comprehensive log audit platform is typically deployed in out-of-path mode at the core switching area to collect logs from the following devices of various vendors for storage, auditing, analysis, and display:
· Network devices (such as routers, switches, and load balancers).
· Security devices (such as firewalls, IPS, IDS, ACG, and WAF devices).
· Servers (such as Windows, Linux, and Unix servers).
· Applications (such as MySQL, SQL Server, Oracle, WebLogic, and Tomcat applications).
Audit objectives
The comprehensive log audit platform supports log auditing for over 200 types of devices, systems, and applications. You can configure different log source devices on the Web interface based on actual situations. To connect a device for which no matching type, vendor, or model can be selected on the Web interface, you can select the Other option in these fields. The system will collect and store but not analyze the log data reported by the device.
NOTE: The supported device types vary by software version. For more information, see the corresponding release notes.
Expanding storage space for the platform
This section uses the H3C SecCenter CSAP-SA Comprehensive Log Audit Platform deployed on H3C CAS as an example of expanding storage space. You can refer to this example when expanding the storage space for other virtual platforms or servers.
Restrictions and guidelines
· You can expand the storage space for the comprehensive log audit platform on the Settings > System Management > Global Settings > Drive Management page. For more information, see the online help on the page.
· To expand a server, prepare unused drives. To expand a virtual host, create new virtual disks. This prevents conflicts between the filesystems on the expansion drives or virtual disks and the filesystem of the platform operating system, which would cause data damage.
· You can remount a drive after the drive fails to mount. However, you cannot unmount a drive after it is mounted successfully. Removing or deleting a mounted drive causes system exceptions.
Software versions used
· H3C CAS: V5.0 (E0535).
· H3C SecCenter CSAP-SA Comprehensive Log Audit Platform: E1708P01.
Procedures
1. Log in to H3C CAS, select the target VM, and then right-click and select Edit.
2. Click Add Hardware to add a virtual disk.
Figure 2 Adding a virtual disk
3. Select Storage in the Hardware Type field, and then click Next.
Figure 3 Selecting Storage
4. Specify the disk path in the File Path field.
Figure 4 Configuring virtual disk information (1)
Figure 5 Configuring virtual disk information (2)
Figure 6 Configuring virtual disk information (3)
5. Log in to the comprehensive log audit platform. Navigate to the Settings > System Management > Global Settings > Drive Management page. Verify that the newly added drive (disk) is in Not in Use state.
Figure 7 Drive management
Figure 8 Viewing the newly added drive
6. Click the Mount icon in the Actions column for the drive to mount the drive to the platform.
After successful mounting, the state of the drive is automatically changed to Used.
Figure 9 Clicking Mount to mount the drive
Figure 10 Mounting the drive
Figure 11 Successfully mounted the drive
7. Navigate to the dashboard. Verify that the total disk capacity of the platform has increased.
Figure 12 Viewing total disk capacity
Configuring collection of network and security device logs
Analysis
To collect network and security device logs using the comprehensive log audit platform, complete the following settings:
· Specify the log host for syslogs on the network devices and security devices as the comprehensive log audit platform.
· Configure the network devices and security devices as passive log sources on the comprehensive log audit platform.
Restrictions and guidelines
· If the logs received from a log source are in binary format, select the bin encoding method when you add the log source on the comprehensive log audit platform. For example, AAA logs sent by H3C IMC-EIA endpoint access control devices, and session logs sent by H3C firewall series, IPS devices, and firewall modules are all in binary format.
· To add a device for which no matching device type, vendor, or model can be selected on the page, you can select the Other option in these fields. The system will collect and store the logs generated by the device, and display the collected logs as system logs.
Configuring log collection for various types of devices
Configuring log collection for IPS and firewall devices
Configuring a log server
Log in to the target device's Web interface. Navigate to the System > Log Settings > Basic Settings page, click the Fast Log Output tab, and then configure the following settings:
1. Add a log host and configure related parameters.
¡ Log host address: Enter the log collection IP address of the comprehensive log audit platform.
¡ Port number: Enter the port number of the log host. The default port number is 514. Use the default setting as a best practice.
¡ VRF: Select the VPN instance to which the log host belongs. The default option is Public network. This example uses the default setting.
¡ Log types: Select IPS logs, Anti-virus logs, Session logs, and URL filtering logs.
Figure 13 Creating a log host
2. Select the time zone to use in the log timestamp. Options include:
¡ Greenwich Mean Time (GMT): Standard Greenwich Mean Time (GMT). The device's time zone is set to Greenwich Mean Time. You can use the default setting.
¡ Local time: Standard GMT plus or minus the time zone offset. If the device's time zone has been modified to a value other than the GMT, select this option.
Configuring threat log settings
Navigate to the System > Log Settings > Threat Log Settings page, and configure IPS log settings and anti-virus log settings as follows.
Figure 14 Configuring threat log settings
Configuring session log settings
1. Navigate to the System > Log Settings > Session Log Settings page, and configure session log settings as follows:
¡ Select Fast log output in the Log type field.
¡ Select Session deletion logging (required), and select Session creation logging as needed.
¡ Add logging-enabled interfaces through which the traffic passes and specify the inbound and outbound directions for each interface as needed.
Figure 15 Configuring session log settings
2. (Optional.) Navigate to the System > Session Aging Time Settings > Advanced Setting page to enable session statistics collection.
Figure 16 Enabling session statistics collection
CAUTION:
· You cannot configure reception of flow logs (in binary format) in session log settings, because this configuration affects system stability.
· If the session statistics feature is not enabled, session logs will not include uplink and downlink byte data, which affects some comprehensive log audit features. Enabling the session statistics feature affects device processing performance. Configure this feature based on the actual scenario.
NAT session log settings
1. Navigate to the System > Log Settings > NAT Log Settings page, and then configure session log settings as follows:
¡ Select Enable NAT logging.
¡ Do not select Fast log output.
¡ Select NAT session establishment logging, NAT session removal logging, and Active NAT session logging as needed.
Figure 17 Configuring NAT log settings
2. Navigate to the System > Log Settings > Session Log Settings page. Select Fast logs in the Log type field.
Figure 18 Configuring output of fast logs
3. Navigate to the System > Log Settings > Basic Settings page, click the Fast Log Output tab, and then configure the following settings:
¡ Log host address: Enter the log collection IP address of the comprehensive log audit platform.
¡ Port number: Enter the port number of the log host. The default port number is 514. Use the default setting as a best practice.
¡ VRF: Select the VPN instance to which the log host belongs. The default option is Public network. This example uses the default setting.
¡ Log types: Select Session logs.
Figure 19 Creating a log host
Configuring URL filter log settings
Navigate to the System > Log Settings > URL Filtering Log Settings page, and then configure the following settings:
· Select Fast log output in the Log type field.
· Select Enable URL filtering logging.
Figure 20 Configuring URL filter log settings
CAUTION:
· Disabling URL filtering logging affects some comprehensive log audit features. Enabling URL filtering logging affects the device's processing performance. Configure this feature based on the actual scenario.
· IPS/firewall devices output logs in the gbk encoding method by default, so the default encoding setting for these devices on the comprehensive log audit platform is gbk.
Configuring log source settings
Log in to the comprehensive log audit platform. Navigate to the Settings > Data Sources > Log Sources > Passive Collection page, and then click Add to add a log source as follows:
· Name: Name to identify the security device log source.
· IP: Management IP of the device.
· Device Type: Select IPS or FW.
· Vendor: Select H3C.
· Device Model: Select the model of the device, such as T1000 series(V7).
· Collector Name: Select a log collector of the comprehensive log audit platform.
· Report Protocol: Select Syslog.
· Report Port: Specify a port number. The default value is 514. Make sure the specified port number is the same as that configured on the device's log server for log reporting.
· Encoding Method: Select an encoding method. By default, the encoding method is gbk. If utf8 is specified at the CLI, the encoding method is utf8 by default on the Web interface.
· Log Type: Specify the log types. This example uses the default value. (This field is available for E1709P05 and later versions.)
Figure 21 Adding a passive log source
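The Encoding Method and binary-format guidance above is easy to get wrong silently: a gbk log decoded as utf8 is stored as unreadable text rather than rejected. The following Python parser is an added example, not code from the H3C document or the platform; it splits the RFC 3164 <PRI> header into facility and severity, decodes the body with the encoding chosen for the log source, flags a codec mismatch instead of hiding it, and stores the payload undecoded when the source is declared binary (bin), as the guidelines describe for session logs and AAA logs. The sample message is constructed and is not a real H3C log format.

```python
import re
from typing import Any, Dict

# RFC 3164 priority header: "<PRI>" where PRI = facility * 8 + severity.
PRI_RE = re.compile(rb"^<(\d{1,3})>")


def parse_syslog(raw: bytes, encoding: str = "gbk") -> Dict[str, Any]:
    """Split one syslog datagram into priority fields and a decoded message.

    encoding is the value chosen in the platform's Encoding Method field:
    "gbk" (device default), "utf8", or "bin" for binary payloads, which are
    collected and stored as received rather than text-decoded.
    """
    if encoding == "bin":
        # Binary sources: keep the bytes, assume no text header at all.
        return {"facility": None, "severity": None,
                "message": raw, "decode_ok": True}
    m = PRI_RE.match(raw)
    if not m:
        raise ValueError("missing <PRI> header")
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI value %d out of range" % pri)
    body = raw[m.end():]
    try:
        text, ok = body.decode(encoding), True
    except UnicodeDecodeError:
        # Wrong codec for this source: keep a lossy copy but flag it so the
        # mismatch shows up in verification instead of as silent mojibake.
        text, ok = body.decode(encoding, errors="replace"), False
    return {"facility": pri >> 3, "severity": pri & 7,
            "message": text, "decode_ok": ok}


# Constructed sample: a local7.info message containing a Chinese field, encoded
# the way a device using the default gbk method would send it.
SAMPLE_TEXT = "<190>Jul 13 10:00:00 fw1 会话日志: permit 10.0.0.5 -> 10.0.0.8"
SAMPLE_GBK = SAMPLE_TEXT.encode("gbk")

if __name__ == "__main__":
    print(parse_syslog(SAMPLE_GBK, "gbk"))   # decodes cleanly
    print(parse_syslog(SAMPLE_GBK, "utf8"))  # decode_ok is False: codec mismatch
```

The platform itself listens on the Report Port (514 by default); to exercise the parser against a live device in a lab, bind a UDP socket on a test port and pass each received datagram to parse_syslog with the same encoding you selected for that log source.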
Configuring log collection for NTA-V[X00] series H3C SecCenter CSAP-NTA devices
The syslog settings in this configuration example were created and verified on vNTA200 E1260P1211. You can refer to this configuration example when configuring H3C SecCenter CSAP-NTA devices of other models.
Configuring device-side settings from the CLI
NOTE: Because the Web interface does not support some configuration operations, all device-side settings are configured from the CLI.
# Output logs of the session management, URL filtering, IPS, anti-virus, reputation, and DNS modules to a log collector of the comprehensive log audit platform. In this example, the log collector IP is 1.1.1.1, and the device reports logs through port 514.
[H3C] customlog host 1.1.1.1 export session dpi url-filter ips anti-virus reputation dns
# Create a logging parameter profile named ips_logging_default_parameter.
[H3C] inspect logging parameter-profile ips_logging_default_parameter
# Create a logging parameter profile named av_logging_default_parameter.
[H3C] inspect logging parameter-profile av_logging_default_parameter
# Enable fast log output for the IPS, anti-virus, session management, URL filtering, reputation, and DNS modules.
[H3C] customlog format dpi ips
[H3C] customlog format dpi anti-virus
[H3C] customlog format session
[H3C] customlog format dpi url-filter
[H3C] customlog format dpi reputation
[H3C] customlog format dns
# Enable IPv4 session logging, session statistics collection, session creation logging, and session deletion logging in the inbound and outbound directions of GigabitEthernet 1/0/20. This interface is used for accessing mirrored traffic.
[H3C] interface GigabitEthernet 1/0/20
[H3C-GigabitEthernet1/0/20] session log enable ipv4 inbound
[H3C-GigabitEthernet1/0/20] session log enable ipv4 outbound
[H3C-GigabitEthernet1/0/20] quit
[H3C] session statistics enable
[H3C] session log flow-end
[H3C] session log flow-begin
# Enable DNS snooping logging.
[H3C] dns snooping log enable
# (Optional.) Configure the encoding method. Fast log output uses the gbk encoding by default. You can configure the utf8 encoding as needed if this encoding is supported by the device version.
[H3C] customlog character-encoding utf-8
# (Optional.) Configure the timestamp of fast output logs to show the system time.
[H3C] customlog timestamp localtime
Configuring the log source on the platform
Log in to the comprehensive log audit platform. Navigate to the Settings > Data Sources > Log Sources > Passive Collection page, and then click Add to add a log source as follows:
· Name: Name to identify the security device log source.
· IP: Management IP of the device.
· Device Type: Select FB.
· Vendor: Select H3C.
· Device Model: Select the model of the device, such as CSAP-NTA series.
· Collector Name: Select a log collector of the comprehensive log audit platform.
· Report Protocol: Select Syslog.
· Report Port: Specify a port number. The default value is 514. Make sure the specified port number is the same as that configured on the device's log server for log reporting.
· Encoding Method: Select utf8.
· Log Type: Specify the log types. This example uses the default value. (This field is available for E1709P05 and later versions.)
Figure 22 Adding a passive log source
Configuring log collection for sandbox devices
When you configure log collection for sandbox devices, follow these restrictions and guidelines:
· As a best practice, use a Chrome browser to access and operate the SecCenter CSAP-ATD Advanced Threat Detection Engine Web interface. Using any other browser might cause compatibility issues.
· The log output feature currently supports only outputting network attack events, malicious code events, threat intelligence events, and custom events.
Configuring a sandbox log server
1. Enter the correct username and password, and then click Log In to log in to the Web interface of the device. The default username and password are admin and Admin@123, respectively.
Figure 23 Logging in to the Web interface of the advanced threat detection engine
2. Configure output of alarm events to specified servers in syslog log format through UDP. Click Policy > Data Transmission > Log Output Configuration from the top navigation bar. Make sure the log output feature is enabled and configure related settings. By default, the log output feature is disabled, and the log encoding format is UTF-8.
¡ Output Protocol Type: Select the output protocol. Options include TCP and UDP. The comprehensive log audit platform supports UDP.
¡ Log Transfer Format: Select a transfer format. Options include |, WELF, and JSON. The comprehensive log audit platform supports WELF.
¡ Output Log Type: Select Malicious Code Event.
Figure 24 Log output configuration page
3. Click Save.
Configuring the log source on the platform
Log in to the comprehensive log audit platform. Navigate to the Settings > Data Sources > Log Sources > Passive Collection page, and then click Add to add a log source as follows.
· Name: Name to identify the sandbox device log source.
· IP: Management IP of the sandbox device.
· Device Type: Select Sandbox.
· Vendor: Select H3C.
· Device Model: Select the model of the device from Advanced Edition ATD-A series(WELF), Professional Edition ATD-E series(WELF), or Professional Edition ATD-P series(WELF).
· Collector Name: Select a log collector of the comprehensive log audit platform.
· Report Protocol: Select Syslog.
· Report Port: Specify a port number. The default value is 514. Make sure the specified port number is the same as that configured on the device's log server for log reporting.
· Encoding Method: Select utf8.
· Log Type: Specify the log types. This example uses the default value. (This field is available for E1709P05 and later versions.)
Figure 25 Adding a passive log source
Configuring log collection for ACG devices
Software versions used
· Comprehensive log audit platform: E1708P01.
· H3C SecPath ACG1000 series: F6608.
Procedures
1. Log in to the ACG device through the Web interface.
2. On the System Management > System Setting > Log Settings > Log Server page, configure the log server as a log collector of the comprehensive log audit platform.
Figure 26 Configuring the log server
3. Configure the ACG device as a passive log source on the comprehensive log audit platform in a similar way to the firewall or IPS device, with the exception of selecting the gbk encoding method.
Verifying the configuration
After the target log source is configured and logs are successfully sent to the platform, you can view the log information on the monitoring statistics, dashboard, and log overview pages. The log information reported by a firewall is displayed as follows.
Figure 27 Statistics of reported logs
Figure 28 Dashboard log statistics
Figure 29 Real-time monitoring page of device logs
Configuring collection of host and application logs
Analysis
Configure the following settings:
1. Download the target agent software from the comprehensive log audit platform.
2. Install the agent software on the user endpoint asset.
3. Verify that the endpoint can come online and report logs to the comprehensive log audit platform.
4. Configure the agent to collect database logs, file operation logs, registry event logs, and custom file logs as needed.
Restrictions and guidelines
To audit logs of servers (such as Windows, Linux, and Unix servers) and various applications (such as MySQL, SQL Server, Oracle, WebLogic, and Tomcat applications) in the network, first install an agent (log collection agent software) on the corresponding server. Before installation, make sure the host and the comprehensive log audit platform can reach each other.
The versions of operating systems, databases, and middleware supported by the log collection agent software are shown in Table 1. Other versions are currently not supported.
Table 1 Agent version compatibility
Type | Name | Supported versions
Operating system | Windows | Windows 2000, Windows XP, Windows 7, Windows 8, Windows 10, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 R2, Windows Server 2016
Operating system | Linux | CentOS 6, CentOS 7, RedHat 6, RedHat 7, Solaris11 (Unix SUNOS5.11), Ubuntu 14.04, Ubuntu 15.10, Ubuntu 16.04, Ubuntu 17.10
Database | MySQL | MySQL 5.5, MySQL 5.6, MySQL 5.7
Database | SQL Server | SQL Server 2005, SQL Server 2008, SQL Server 2012, SQL Server 2014, SQL Server 2016, SQL Server 2017
Database | Oracle | Oracle 9i, Oracle 10g, Oracle 10.2, Oracle 11g, Oracle 12c
Database | DB2 | DB2 9.7, DB2 10.5, DB2 11.1
Database | MongoDB | MongoDB 4.0
Middleware | Tomcat | Tomcat 5, Tomcat 6, Tomcat 7, Tomcat 8 (Tomcat 8.5.33)
Middleware | IIS | IIS 6, IIS 7, IIS 8
Middleware | WebLogic | WebLogic 11g (10.3.6), WebLogic 12.1.3
Middleware | Domino | Domino 8
Middleware | JBoss | JBoss 6, JBoss 7, WildFly 8.0
Middleware | WebSphere | WebSphere 7, WebSphere 8.5
Installing and configuring the agent
Obtaining the agent software
Navigate to the Settings > Data Sources > Agents > Download Agents page of the comprehensive log audit platform, and download the target agent software.
Figure 30 Obtaining the agent software
Installing the agent software
For more information about the installation method of the agent software, see the help document on the Settings > Data Sources > Agents > Download Agents page.
Figure 31 Agent help document
Upgrading the agent software
Version 1.0.15 and later versions support online auto upgrade of agents on the platform. Versions earlier than 1.0.15 do not support online auto upgrade. You need to manually uninstall the old version and then install the new version.
Configuring the agent on the platform
After the host agent is successfully installed, you can view the registered agent information on the Settings > Data Sources > Agents > Agents page of the comprehensive log audit platform.
Figure 32 Agent management page
After successful registration of the agent, it will automatically collect host logs and middleware logs. To collect database logs or file logs, you must configure the following settings:
1. Click the Configure icon in the Actions column for the agent.
Figure 33 Agent management page
Figure 34 Agent configuration page
2. On the Databases tab, click Add, configure the related parameters, and then click OK. The platform will collect the logs sent by the configured database.
Figure 35 Database configuration page
Verifying the configuration
· Verify that you can view the log statistics reported by the agent on the dashboard, with device type Endpoint Security and log type Host Log.
Figure 36 Viewing log statistics
· Verify that you can view the real-time monitoring results of logs collected by the agent on the Logs > Real-Time Monitoring > Device Types page.
Figure 37 Monitoring results by device type
Configuring correlation rules
Correlation rules are used to perform correlation analysis on logs collected by the collector within a period of time. Logs that match a correlation rule will be output as an event, which will be displayed on the event details page. The system provides predefined correlation rules.
Restrictions and guidelines
· You can add multiple subrules for a correlation rule. The matching order between multiple subrules can be customized.
· As a best practice to ensure matching performance, do not configure an excessively long time window.
· After a correlation rule is disabled, the matching data before the rule is disabled is still displayed.
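To make the subrule order and time-window behaviour described above concrete, the following Python sketch of a sliding-window correlator is an added example; it is not the platform's correlation engine, and the rule, thresholds and log records are constructed for illustration. Each subrule is a predicate with a hit threshold, subrules must be satisfied in the listed order, and only logs inside the window count, so the per-source buffer is bounded by window length times log rate, which is the cost behind the guideline against long windows.

```python
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Optional, Tuple


# One subrule: a predicate over a parsed log plus the number of hits it needs.
@dataclass
class Subrule:
    name: str
    match: Callable[[dict], bool]
    threshold: int = 1


# A correlation rule: subrules are satisfied in listed order, and every
# contributing log must fall inside one sliding time window.
@dataclass
class CorrelationRule:
    name: str
    window_seconds: int
    subrules: List[Subrule]


class Correlator:
    """Minimal sliding-window correlator keyed by source address."""

    def __init__(self, rule: CorrelationRule) -> None:
        self.rule = rule
        self.hit_count = 0
        # Per source: (timestamp, subrule index) pairs, oldest first.
        self._buffers: Dict[str, Deque[Tuple[int, int]]] = {}

    def feed(self, rec: dict) -> Optional[dict]:
        """Consume one parsed log; return an event dict when the rule fires."""
        buf = self._buffers.setdefault(rec["src"], deque())
        ts = rec["ts"]
        # Expire entries older than the window; this keeps memory bounded by
        # window length times log rate.
        while buf and ts - buf[0][0] > self.rule.window_seconds:
            buf.popleft()
        # Record which subrule (if any) this log satisfies; first match wins.
        for idx, sr in enumerate(self.rule.subrules):
            if sr.match(rec):
                buf.append((ts, idx))
                break
        else:
            return None
        if not self._sequence_satisfied(buf):
            return None
        buf.clear()  # do not re-fire on the same logs
        self.hit_count += 1
        return {"rule": self.rule.name, "src": rec["src"], "ts": ts}

    def _sequence_satisfied(self, buf: Deque[Tuple[int, int]]) -> bool:
        # Walk the buffer in time order: subrule i+1 only counts hits that
        # arrive after subrule i has reached its threshold.
        entries = list(buf)
        pos = 0
        for idx, sr in enumerate(self.rule.subrules):
            seen = 0
            while pos < len(entries) and seen < sr.threshold:
                if entries[pos][1] == idx:
                    seen += 1
                pos += 1
            if seen < sr.threshold:
                return False
        return True


# Constructed demo rule: five failed logins followed by a success within 60 s.
def make_demo_rule() -> CorrelationRule:
    return CorrelationRule(
        name="repeated_failures_then_success",
        window_seconds=60,
        subrules=[
            Subrule("login_failures", lambda r: r["action"] == "login_fail", threshold=5),
            Subrule("login_success", lambda r: r["action"] == "login_ok"),
        ],
    )


# Constructed sample logs (not real device output), already parsed into fields.
SAMPLE_LOGS = [
    *({"ts": t, "src": "10.0.0.5", "action": "login_fail"} for t in (100, 110, 120, 130, 140)),
    {"ts": 150, "src": "10.0.0.5", "action": "login_ok"},
    # Same pattern spread over 400 s: the window expires the early failures.
    *({"ts": t, "src": "10.0.0.9", "action": "login_fail"} for t in (100, 200, 300, 400, 500)),
    {"ts": 510, "src": "10.0.0.9", "action": "login_ok"},
]


def run_demo() -> Tuple[List[dict], int]:
    """Run the sample logs through the demo rule; return (events, hit count)."""
    c = Correlator(make_demo_rule())
    events = [e for e in (c.feed(rec) for rec in SAMPLE_LOGS) if e]
    return events, c.hit_count


if __name__ == "__main__":
    print(run_demo())  # one event for 10.0.0.5, none for 10.0.0.9
```

Only 10.0.0.5 produces an event: its five failures and the success all sit inside one 60-second window, whereas the failures from 10.0.0.9 are expired one by one before the success arrives. The hit count is the per-rule counter that the verification steps below tell you to check on the Correlation Rules page.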
Predefined correlation rules
Log in to the comprehensive log audit platform. Navigate to the Events > Correlation Rules page. The system provides ten predefined correlation rules.
Figure 38 Correlation rules
Verifying the configuration
Verify that you can view the matching results on related pages after a predefined correlation event occurs.
· Verify that a corresponding security event is generated on the Events > Event Details page.
Figure 39 Viewing event details
· Verify that the hit count of the corresponding correlation rule has changed on the Events > Correlation Rules page.
Figure 40 Viewing the hit count
Configuring SMS/email settings and a notification policy
Restrictions and guidelines
· For correct sending of notifications, you must configure the email server and SMS center settings on the Settings > System Management > Global Settings page.
· You must configure the email addresses of the email recipients and the phone numbers of the SMS recipients.
Configuring SMS center settings
The system supports the Jiaxun and Emay SMS platforms. Select a platform as needed. This example uses the Jiaxun SMS platform.
1. Navigate to the Settings > System Management > Global Settings > SMS Center page.
2. Select Jiaxun SMS Platform in the Selected Gateway field, configure the related parameters, and then click Submit.
Figure 41 Configuring Jiaxun SMS platform
3. Click Add Recipients to add a phone user. Click Test to test the connectivity and determine whether SMS message reception works normally. If SMS message reception works normally, click OK.
Figure 42 Adding a phone user
Configuring email server settings
The system supports only email servers that use the SMTP protocol, and SSL cannot be enabled for the configured server.
1. Navigate to the Settings > System Management > Global Settings > Email Server Settings page.
2. Configure the related parameters for an email server, and then click Submit.
Figure 43 Configuring email server settings
3. Click Add Email Recipients to add an email recipient. Click Test to test the connectivity and determine whether the email address works normally. If the email address works normally, click OK.
Figure 44 Adding an email recipient
Configuring a notification policy
This section configures a notification policy using the email and SMS platforms for correlation rule alarms.
1. Navigate to the Settings > Alarm Notification > Notification Policies page. Click Add to add a notification policy.
Figure 45 Adding a notification policy
2. Select the email and SMS notification methods as needed. This example uses the email and SMS notification methods. When a security event triggers an alarm, the system will notify the user via email and SMS.
Figure 46 Configuring the notification methods
Verifying the configuration
After the notification policy is configured, within the detection interval, if a log reported by log source FW matches a correlation rule, an alarm will be triggered and the system will notify user Alice via email and SMS. You can view the notification records on the Settings > Alarm Notification > Notification Records page.
Figure 47 Notification records
Figure 48 Email notification received by a recipient's mailbox
Figure 49 SMS message notification received by a recipient's phone