Configuration
Perform this task to manage the basic configurations of the system, including basic data configuration, data source management configuration, asset management, log information management, and alarm management.
Manage the system
Perform this task to manage system-related settings, such as managing tenant and user information, setting user permissions to operate the system, recording user operation logs, customizing the system name and logo, and managing licenses.
Configure global settings
Perform this task to configure basic information about the platform.
· System Settings: Configure platform-related parameters, such as the system name, system time, and log storage time.
· Notification Settings: Configure SMS notifications or email notifications for the alarms or reports that the platform generates.
Configure system parameters
Perform this task to configure user login parameters.
Procedure
1. Select Configuration > System Management > Global Settings > System Parameters.
2. Configure the parameters as needed. To restore the default configuration, click Restore. To discard your changes, click Cancel.
Parameters
· User Idle Timeout: Idle timeout interval for users. If a user does not perform any task within the interval, the system automatically terminates the user connection to the Web interface.
· Lockout Period: Amount of time before a locked account can be used again.
· Failed Login Attempts Before Lockout: Number of consecutive login failures that will cause a user account to be locked.
· Display Verification Code: Whether to display a verification code on the login page. Yes means that a user must enter the verification code to log in, which slows down automated password guessing against the login page.
· Company Name: Set the company name to be displayed at the copyright section of the login page. The default is New H3C Technologies Co., Ltd.
· System Name: Name of the system displayed on the login page and on the top of the navigation pane.
· Logo Image: System logo displayed in front of the system name. Only .png, .jpg, and .jpeg formats are supported. The recommended image size is 400 x 100 pixels. To set the logo image, click Replace.
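The three login-hardening parameters above (User Idle Timeout, Lockout Period, Failed Login Attempts Before Lockout) interact in ways that are easier to see in code than in a parameter list. The following simulator is an added example, not code from the platform; the threshold values, account name and password it uses are assumptions chosen for illustration. It shows that the failure counter is for consecutive failures (a success resets it), that a correct password is still refused while the lockout period runs, and that a session ends once the idle interval passes with no activity.

```python
"""Login-hardening policy simulator for the System Parameters above.

Added example, not code from the platform; it models how User Idle Timeout,
Lockout Period and Failed Login Attempts Before Lockout interact. The
threshold values and account data are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Policy:
    failed_attempts_before_lockout: int = 5   # assumed value
    lockout_period_s: int = 15 * 60           # assumed value
    user_idle_timeout_s: int = 30 * 60        # assumed value


@dataclass
class Account:
    password: str                 # plaintext only because this is a simulation
    failures: int = 0             # consecutive failures since last success or lock
    locked_until: float = 0.0     # epoch seconds; 0 means not locked
    last_activity: Optional[float] = None  # None means no live web session


class LoginGuard:
    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self.accounts: Dict[str, Account] = {}
        self.audit: List[str] = []  # what an operator would forward as operation logs

    def add_account(self, user: str, password: str) -> None:
        self.accounts[user] = Account(password)

    def login(self, user: str, password: str, now: float) -> str:
        """Return 'ok', 'denied' or 'locked' for a login attempt at time `now`."""
        acct = self.accounts.get(user)
        if acct is None:
            return "denied"  # same answer as a bad password: no username enumeration
        if now < acct.locked_until:
            return "locked"  # Lockout Period still running, even for a correct password
        if password != acct.password:
            acct.failures += 1
            if acct.failures >= self.policy.failed_attempts_before_lockout:
                acct.locked_until = now + self.policy.lockout_period_s
                acct.failures = 0
                self.audit.append(f"{user}: locked until t={acct.locked_until:.0f}")
                return "locked"
            return "denied"
        acct.failures = 0          # the counter is for *consecutive* failures
        acct.last_activity = now   # a web session starts
        return "ok"

    def activity(self, user: str, now: float) -> bool:
        """Record a web action; return False if the session is (or now becomes) terminated."""
        acct = self.accounts[user]
        if acct.last_activity is None:
            return False
        if now - acct.last_activity >= self.policy.user_idle_timeout_s:
            acct.last_activity = None
            self.audit.append(f"{user}: session terminated, idle timeout at t={now:.0f}")
            return False
        acct.last_activity = now
        return True


if __name__ == "__main__":
    guard = LoginGuard(Policy(failed_attempts_before_lockout=3, lockout_period_s=60))
    guard.add_account("operator", "Correct-Horse-9")   # constructed account
    for t, pw in ((0, "guess1"), (1, "guess2"), (2, "guess3"), (10, "Correct-Horse-9")):
        print(t, guard.login("operator", pw, now=t))
    print(guard.audit)
```

The lockout events the simulator appends to its audit list are the kind of record you would expect the platform to write to its operation logs and forward through Platform Log Forwarding, so that repeated lockouts of one account are visible to the SOC rather than only to the locked-out user.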
Clean up data
Perform this task to clear massive log data from the platform and resolve service exceptions caused by insufficient storage space.
With data cleanup settings, the system periodically checks the log storage and clears excessive original logs and correlated security events. When the log storage usage or storage period reaches the threshold, a data cleanup alarm is triggered. The system clears the earliest original logs and their correlated security events until the storage usage or storage period drops below the threshold.
Procedure
1. Select Configuration > System Management > Global Settings, and then select Data Cleanup Settings.
2. Configure the Space Threshold and Data Storage Time parameters, and then click OK. To cancel the configuration, click Cancel.
Parameters
· Space Threshold: When the usage of a system data disk reaches the specified threshold, the system will clean up the earliest data until the disk usage drops below the threshold. The space threshold takes effect only in the single-tenant scenario.
· Data Storage Time: The system deletes the data once its storage time reaches the specified upper limit.
Restrictions and guidelines
· When the number of tenants is greater than or equal to 2, the cleanup configuration on this page does not take effect. The data storage time and capacity settings configured for each tenant in tenant management apply.
· After you successfully configure data cleanup, expired data is not cleaned up immediately. It is cleaned up the next time the detection mechanism runs, which is every 10 minutes.
Delete logs
Perform this task to delete the earliest stored logs when log storage usage reaches the space threshold, and to delete logs whose storage duration reaches the retention threshold.
Procedure
1. On the top navigation bar, click Settings. From the left navigation pane, select System Management > Global Settings. On the Global Settings page, select Data Cleanup Settings.
2. Select the Delete Logs tab, edit the settings, and then click OK. To cancel the settings, click Cancel.
Parameters
· Storage Space Usage Threshold: If the data disk usage reaches this threshold, the system will clear the logs or security events stored at the earliest time until the disk usage drops below the threshold.
· Log Storage Period: Logs whose storage duration reaches this threshold are deleted.
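Both Data Cleanup Settings and Delete Logs describe the same two-rule policy: delete data whose storage time has reached the configured period, then delete the earliest data, together with the security events correlated from it, until disk usage falls below the space threshold. The following simulation is an added example, not platform code; its batch sizes, ingest days and thresholds are constructed for illustration. It is useful for sizing: run it with your own daily volumes to see how many days of logs actually survive a given threshold.

```python
"""Simulation of the log cleanup policy described under Data Cleanup Settings
and Delete Logs. Added example, not platform code. Two rules run in order:
  1. retention: drop every batch whose storage time has reached Data Storage
     Time / Log Storage Period;
  2. space: while data-disk usage is at or above Space Threshold, drop the
     oldest remaining batch together with the security events correlated
     from it.
Batch sizes, days and thresholds are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class LogBatch:
    day: int          # ingest day; larger is newer
    raw_mb: float     # original logs
    events_mb: float  # security events correlated from this batch

    @property
    def size_mb(self) -> float:
        return self.raw_mb + self.events_mb


def usage_pct(batches: List[LogBatch], disk_mb: float) -> float:
    """Data-disk usage in percent for the given batches."""
    return 100.0 * sum(b.size_mb for b in batches) / disk_mb


def cleanup(batches: List[LogBatch], today: int, disk_mb: float,
            space_threshold_pct: float, storage_days: int
            ) -> Tuple[List[LogBatch], List[LogBatch], float]:
    """Return (kept, deleted, usage_pct_after). Deletion order is oldest first."""
    kept = sorted(batches, key=lambda b: b.day)
    deleted: List[LogBatch] = []

    # Rule 1: storage time reached the configured upper limit.
    while kept and today - kept[0].day >= storage_days:
        deleted.append(kept.pop(0))

    # Rule 2: earliest data goes first until usage drops below the threshold.
    # Raw logs and their correlated events leave together, so no event is
    # left pointing at original logs that no longer exist.
    while kept and usage_pct(kept, disk_mb) >= space_threshold_pct:
        deleted.append(kept.pop(0))

    return kept, deleted, usage_pct(kept, disk_mb)


# Constructed sample: a 1000 MB data disk, 50 % threshold, 7-day retention.
SAMPLE = [
    LogBatch(day=1, raw_mb=150, events_mb=30),
    LogBatch(day=3, raw_mb=150, events_mb=30),
    LogBatch(day=5, raw_mb=120, events_mb=30),
    LogBatch(day=8, raw_mb=150, events_mb=30),
    LogBatch(day=9, raw_mb=80, events_mb=20),
    LogBatch(day=10, raw_mb=80, events_mb=20),
]

if __name__ == "__main__":
    kept, deleted, after = cleanup(SAMPLE, today=10, disk_mb=1000,
                                   space_threshold_pct=50, storage_days=7)
    print("before: %.1f%%" % usage_pct(SAMPLE, 1000))
    print("deleted days:", [b.day for b in deleted])
    print("kept days:", [b.day for b in kept])
    print("after: %.1f%%" % after)
```

In the sample, days 1 and 3 go because their age has reached the 7-day period, and day 5 goes as well because usage is still at or above 50 % afterwards. Remember that on a multi-tenant deployment the global space threshold does not apply; the per-tenant storage time and capacity from Tenant Management do.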
Back up and restore logs
Perform this task to back up and restore the logs generated by the platform, allowing for flexible log data management.
Configure log backup
Perform this task to back up the original logs in the system. After you configure the FTP server parameters and enable log backup, the system packages the previous day's log data at 2:00 a.m. every day and transfers it to the FTP server.
Procedure
1. Select Configuration > System Management > Global Settings > Log Backup and Restoration.
2. Click the Log Backup tab. In the Backup Settings area, configure the FTP connection parameters and click Enable Backup. Then, the system tests if the FTP server is reachable. If the FTP server is reachable, the system enables the backup feature and displays log backup records. If the FTP server is unreachable, the system prompts that you have failed to enable the backup feature.
3. To disable log backup, click Disable.
Parameters
· FTP Server: Enter the correct FTP server address. If the FTP server address is an IPv4 address, enter the address in the format of ftp://IPv4 address:port/directory name, for example, ftp://1.1.1.1:26/files. If the FTP server address is an IPv6 address, enter the address in the format of ftp://[IPv6 address]:port/directory name, for example, ftp://[2001::1]/files. The directory name is required and the port number is optional. If you do not specify a port number, the default port number of 21 is used.
· Start Time: Date on which log backup is enabled, which must be later than the current date.
· Username: Username for logging in to the FTP server, which is used for testing the FTP connection availability.
· Password: Password for logging in to the FTP server, which is used for testing the FTP connection availability.
· Backup Serial Number: Unique identifier for identifying backup data.
· Backup Time: Time when log backup starts.
· State: Log backup state.
· Backup File Name: Name of the log backup file.
Restrictions and Guidelines
· Log data cannot be backed up to a Windows-based FTP server.
· FTP transfers the username, password, and backup files in cleartext. Keep the FTP server and the path between the platform and the server on a trusted management network, and restrict the backup account to the backup directory.
Configure log restoration
Perform this task to restore log files backed up within the selected time span from the specified FTP server. The restored log data will be saved in the database of the system.
Procedure
1. Select Configuration > System Management > Global Settings > Log Backup and Restoration.
2. Click the Log Restoration tab, configure the parameters, and then click Restore. The system will test whether the FTP server is accessible. If the FTP server is accessible, the restoration task will be executed, and the restoration record will be displayed at the bottom of the page.
Parameters
· FTP Server: Enter the correct FTP server address. If the FTP server address is an IPv4 address, enter the address in the format of ftp://IPv4 address:port/directory name, for example, ftp://1.1.1.1:26/files. If the FTP server address is an IPv6 address, enter the address in the format of ftp://[IPv6 address]:port/directory name, for example, ftp://[2001::1]/files. The directory name is required and the port number is optional. If you do not specify a port number, the default port number of 21 is used.
· Restoration Period/Time Span: Only backup log files within the specified period are restored.
· Username: Username for accessing the FTP server. It will be used to test the availability of the FTP server.
· Password: Password for accessing the FTP server. It will be used to test the availability of the FTP server.
· Task Duration: Time when log restoration starts.
· State: Log restoration state.
Restrictions and Guidelines
Logs cannot be restored from an FTP server that runs a Windows system.
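The FTP Server parameter for both Log Backup and Log Restoration specifies the same address format: ftp://IPv4:port/directory or ftp://[IPv6]:port/directory, a required directory name, and port 21 when no port is given. The following validator is an added example, not platform code; it encodes those rules so that a backup target can be checked before it is typed into the page, and it rejects credentials embedded in the URL because the page provides separate Username and Password fields for them. The URLs it is run against are constructed.

```python
"""Validator for the FTP target format shared by Log Backup and Log
Restoration. Added example, not platform code. It enforces the rules from
the FTP Server parameter: ftp://IPv4:port/dir or ftp://[IPv6]:port/dir,
a required directory name, and port 21 when none is given. The URLs under
test are constructed.
"""
import ipaddress
from typing import Dict, Union
from urllib.parse import urlsplit


def parse_ftp_target(url: str) -> Dict[str, Union[str, int]]:
    """Return {'host', 'port', 'directory'} or raise ValueError with the reason."""
    parts = urlsplit(url.strip())
    if parts.scheme != "ftp":
        raise ValueError("address must start with ftp://")
    if parts.username is not None or parts.password is not None:
        # Credentials belong in the Username/Password fields, not in the URL,
        # where they would end up in operation logs and browser history.
        raise ValueError("do not embed credentials in the FTP address")
    host = parts.hostname  # urlsplit strips the [] around an IPv6 literal
    if not host:
        raise ValueError("missing server address")
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # Unbracketed IPv6 also lands here: urlsplit cannot split it into host and port.
        raise ValueError("server must be an IPv4 or bracketed IPv6 address literal") from None
    try:
        port = parts.port  # ValueError when the port is not a number in 0..65535
    except ValueError:
        raise ValueError("port must be a number from 1 to 65535") from None
    if port is None:
        port = 21          # default FTP control port per the parameter description
    if port < 1:
        raise ValueError("port must be a number from 1 to 65535")
    directory = parts.path.strip("/")
    if not directory:
        raise ValueError("directory name is required")
    return {"host": str(addr), "port": port, "directory": directory}


if __name__ == "__main__":
    for url in ("ftp://1.1.1.1:26/files", "ftp://[2001::1]/files",
                "ftp://1.1.1.1:26/", "http://1.1.1.1/files",
                "ftp://backup:s3cret@1.1.1.1/files"):
        try:
            print(url, "->", parse_ftp_target(url))
        except ValueError as err:
            print(url, "-> rejected:", err)
```

The platform tests reachability of the server when you click Enable Backup or Restore; this check catches the formatting mistakes (missing directory, unbracketed IPv6, wrong scheme) that would otherwise only surface as a failed enable.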
Manage the system time
Perform this task to set the system time of the server where this platform is deployed. When the server system time is inconsistent with the time of the browser or log source used to log in to the platform webpage, issues such as inaccurate log analysis and query may occur.
The system supports the following methods to change system time:
· Manual configuration—Manually set the server system time.
· Time synchronization via NTP—Use Network Time Protocol (NTP) to synchronize time between distributed time servers and clients, ensuring consistent time across all devices in the network. After you enable time synchronization via NTP, servers with this platform deployed will act as clients to obtain time from an NTP server.
Procedure
1. Select Configuration > System Management > Global Settings > Time Management.
2. Use one of the following methods to change the system time:
○ Manual configuration: Specify the time for the System Time field and click OK.
○ Time synchronization with an NTP server: Select Enable NTP and enter the NTP server's IP address. You can specify an IPv4 or IPv6 address. After you enter a valid IP address, the system automatically checks the NTP service status. If the NTP service is available, click OK.
Restrictions and guidelines
· Modify the system time with caution. A change to the system time might cause some services to automatically reboot, and might interrupt the auditing service.
· After NTP time synchronization is enabled, the system will immediately synchronize the time once, and then synchronize the time at 00:30 am every day by default. After time synchronization, some platform services will automatically restart, and audit service interruption might occur.
Configure platform network settings
Perform this task to change the platform IP address, gateway, and route settings for network re-planning.
Configure NIC settings
Perform this task to manage platform NIC information. When a new NIC is added to a server or VM, the platform automatically identifies the NIC and displays its information on the page. You can specify the NIC as the platform NIC as needed.
Procedure
1. Select Configuration > System Management > Global Settings > Platform Network Settings. You are placed on the NIC Settings tab.
2. Click Edit in the Actions column for a NIC. Configure NIC parameters, and then click OK.
Parameters
· Network Port Name: Name of the interface assigned by the system. This field is unconfigurable.
· IPv4 Addr: IPv4 address of the NIC.
· IPv4 Mask Length: Mask length for the NIC IPv4 address.
· IPv4 Gateway Addr: IPv4 address of the gateway.
· IPv6 Addr: IPv6 address of the NIC.
· IPv6 Prefix Length: Prefix length for the NIC IPv6 address.
· IPv6 Gateway Addr: IPv6 address of the gateway.
Restrictions and guidelines
· After you change management NIC and collector NIC information, some platform services will restart, which might cause audit service interruption. Please be cautious.
· To avoid service exceptions, specify different subnets for different NICs if multiple NICs exist. Make sure only one NIC is configured with a gateway.
· The page does not display information about faulty or removed NICs. However, you can still view information about the NICs on the collector management page and configure the IP address of such a NIC as the collector IP for a log source on the log source management page. This might affect platform services. In this case, contact Technical Support to remove the residual information.
· The system does not support hardware or virtual hardware (NIC and disk) uninstallation. If a hardware component fails, replace the faulty hardware as soon as possible and reconfigure hardware information.
Configure port settings
Perform this task to modify the platform access port.
Procedure
1. Select Configuration > System Management > Global Settings > Platform Network Settings > Port Settings.
2. Configure port settings, and then click OK.
Parameters
Access Port: Specify the Web interface through which the system can be accessed.
Restrictions and Guidelines
· You cannot specify a port in use as the access port.
· Changing the access port terminates the current login session. To re-log in to the platform, add the port number to the IP address in the address bar, for example, https://10.10.10.1:444/.
Configure route settings
Perform this task to manage routes.
Procedure
1. Select Configuration > System Management > Global Settings > Platform Network Settings > Route Settings.
2. To add a route, click Add. Select the route type, enter the destination address, and set the gateway address or outgoing interface. Then, click OK.
3. To delete a route, click Delete in the Actions column for that route.
Parameters
· Route Type: Type of route, including Host Route and Network Route.
· Destination Address: Destination IP address of a route.
· Next Hop Address: Next hop IP address of the route.
· Subnet Mask: Subnet mask of the destination address.
· Outgoing Interface: Outgoing interface of the route.
Restrictions and guidelines
· Both host routes and network routes are supported. The default route cannot be edited or deleted.
· Modifying the route settings might cause network errors. Please modify route settings with caution.
· The system does not support configuring IPv6 routes in the current software version.
Configure DNS server settings
Perform this task to edit the DNS server settings.
Procedure
1. Select Configuration > System Management > Global Settings, select Platform Network Settings, and then click the DNS Server Configuration tab.
2. Configure related parameters, and then click OK.
Parameters
DNS Server IP Address: IP address of the DNS server.
Configure the system login allowlist
Perform this task to specify the IP addresses that are allowed to log in to the system. If an allowlist entry is configured, only IP addresses in the allowlist entry are allowed to log in to the system. If no allowlist entry is configured, all users are allowed.
Parameters
· Type: IP address type. Options include Single IP and IP Address Range.
· IP: IP address in the allowlist, which can be a single IP address or an IP address range.
· Description: Description for the allowlist entry. A proper description helps you quickly identify and understand the allowlist entry.
· Created At: Time when the allowlist entry was created.
· Updated At: Time when the allowlist entry was last edited.
Restrictions and guidelines
In the Security Brain platform access scenario, do not configure allowlist entries since the real access IPs cannot be obtained.
Add or edit an allowlist entry
Perform this task to add or edit an allowlist entry.
Procedure
1. Select Configuration > System Management > Global Settings > System Login Allowlist.
2. Click Add to add an allowlist entry, or click the Edit icon in the Actions column to edit an existing allowlist entry. Configure the parameters.
3. Click OK.
Parameters
· Type: Select an IP address type. Options include Single IP and IP Address Range.
· IP: Enter IP addresses to add to the allowlist. Only IPv4 addresses are supported. If you enter an IP address range, the end address must be higher than the start address.
· Description: Enter a description for the allowlist entry. A proper description helps you quickly identify and understand the allowlist entry.
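The allowlist rules above (Single IP or IP Address Range, IPv4 only, range end higher than start, no entries means everyone is admitted) are small enough to implement exactly, which is a good way to check an intended entry set against the source addresses you expect before locking yourself out. The following matcher is an added example, not platform code; the "start-end" spelling of a range and all addresses in it are assumptions made for this example.

```python
"""Login allowlist matcher implementing the entry rules from System Login
Allowlist. Added example, not platform code. Rules encoded: entry type is
Single IP or IP Address Range, IPv4 only, a range's end address must be
higher than its start, and an empty allowlist admits every address. The
"start-end" spelling of a range and all addresses below are assumptions
made for this example.
"""
import ipaddress
from typing import List, Tuple


class LoginAllowlist:
    def __init__(self) -> None:
        self._entries: List[Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address, str]] = []

    def add(self, entry_type: str, ip: str, description: str = "") -> None:
        """Add one entry as the page's Type/IP/Description fields would."""
        if entry_type == "Single IP":
            start = end = _ipv4(ip)
        elif entry_type == "IP Address Range":
            start_text, sep, end_text = ip.partition("-")   # assumed "start-end" form
            if not sep:
                raise ValueError("range must be written as start-end")
            start, end = _ipv4(start_text), _ipv4(end_text)
            if end <= start:
                raise ValueError("end address must be higher than start address")
        else:
            raise ValueError("type must be 'Single IP' or 'IP Address Range'")
        self._entries.append((start, end, description))

    def allows(self, client_ip: str) -> bool:
        """True if the client may reach the login page under the current entries."""
        if not self._entries:
            return True            # no entry configured: all users allowed
        try:
            addr = _ipv4(client_ip)
        except ValueError:
            return False           # IPv6 or malformed source can never match
        return any(start <= addr <= end for start, end, _ in self._entries)


def _ipv4(text: str) -> ipaddress.IPv4Address:
    addr = ipaddress.ip_address(text.strip())
    if addr.version != 4:
        raise ValueError("only IPv4 addresses are supported")
    return addr


if __name__ == "__main__":
    acl = LoginAllowlist()
    acl.add("Single IP", "10.0.0.5", "jump host")                          # constructed
    acl.add("IP Address Range", "192.168.1.10-192.168.1.20", "SOC desks")  # constructed
    for src in ("10.0.0.5", "10.0.0.6", "192.168.1.15", "2001:db8::1"):
        print(src, acl.allows(src))
```

The check is only as good as the source address it sees. When the platform is reached through an intermediary, as in the Security Brain access scenario the restrictions mention, every login arrives from the intermediary's address, so an allowlist would either block everyone or admit everyone who can reach the intermediary; that is why the page says not to configure entries there.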
Delete allowlist entries
Perform this task to delete allowlist entries. If a deleted allowlist entry includes an IP address that has logged in, the IP address is not logged out. However, the IP address is not allowed to log in after it logs out.
Procedure
1. Select Configuration > System Management > Global Settings > System Login Allowlist.
2. To bulk delete allowlist entries, select the allowlist entries to be deleted, and then click Delete. To delete a single allowlist entry, click Delete in the Actions column for that allowlist entry.
Configure cloud channel settings
Perform this task to configure parameters related to the connection between the platform and SecCloud OMP.
Procedure
1. Select Configuration > System Management > Global Settings, and then select Cloud Platform Settings.
2. Configure the Cloud Platform Address and Cloud Platform Port parameters, and then click Test Connectivity to test the connection.
3. Click OK.
Parameters
· Device SN: SN of the platform, which is directly displayed on the page. You do not need to configure it.
· Enable State: Enabling status of the cloud channel.
· Cloud Platform Address: Address of SecCloud OMP. You can only enter an IPv4 address or domain name. The domain name cannot contain the http:// or https:// protocol header.
· Cloud Platform Port: Port number of SecCloud OMP.
Restrictions and guidelines
If the cloud channel connection fails, the platform retries to connect to SecCloud OMP every 5 minutes.
Configure signature verification
Perform this task to configure the signature verification server to provide signature and signature verification services for original logs.
Configure signature and verification server settings
Perform this task to configure signature and verification server settings.
Procedure
1. Select Configuration > System Management > Global Settings > Signature Server Settings.
2. Configure the parameters as needed, and then click OK.
3. To clear the configuration, click Clear Configuration.
Parameters
· Enable State: Select whether to enable the signature and verification server to sign and verify raw log messages.
· Service IP: IP addresses of the signature and verification server. To enter multiple IP addresses, separate them with commas (,).
· Server Port: Port of the signature and verification server.
· Key Type: Key type supported by the signature and verification server, including SGD_SM3_SM2 and SGD_SHA1_RSA. SHA-1 is no longer considered collision resistant, so prefer SGD_SM3_SM2 when the server supports it.
· Private Key Permission String: Private key permission string configured on the signature and verification server.
· Key Index: Private key index configured on the signature and verification server.
· Certificate Serial Number: Serial number of the signature certificate uploaded to the signature and verification server. You can obtain the certificate serial number from the detailed information of the certificate.
· Verification Method: Method used by the signature and verification server to verify the signature, including Verify Time, Verify Time and Root Certificate, and Verify Time, Root Certificate, and CRL.
Manage disks
Support for this feature depends on the platform.
Perform this task to expand storage space for the platform. If a new disk is added to the server where the platform is installed, or a virtual disk is created on the VM where the platform is installed, the platform automatically recognizes the disk and displays the disk information on this page. When the storage space of the platform is insufficient, perform this task to mount a disk to the platform.
Procedure
1. Select Configuration > System Management > Global Settings, and then select Disk Management.
2. Click Mount in the Actions column for an unused disk.
Restrictions and guidelines
· By default, a newly added disk is in Not in Use state. After you mount the disk to the platform, the state is automatically changed to Used. In addition, the platform records a log on the System Logs page for the mount operation.
· You can remount a disk after a mount attempt fails. However, you cannot unmount a disk after it is mounted successfully. Remove or delete a mounted disk with caution, because doing so might cause system exceptions.
· You cannot uninstall hardware or virtual hardware, for example, NICs or disks. If hardware damage exists, replace the damaged hardware and reconfigure hardware information as soon as possible, for example, IP and network mask settings.
Configure platform log forwarding
Perform this task to send the operation log and system log of the platform to other platforms.
Configure syslog forwarding
Perform this task to send the operation log and system log of the platform to other platforms through a syslog protocol.
Parameters
· Destination IP: IP address of the destination platform to which syslog messages are sent.
· Port: Port of the destination platform to which syslog messages are sent.
· Encoding: Encoding method of log messages.
· Log Type: Types of logs to be sent to other platforms.
· Enable State: Enabling status of a syslog forwarding task.
Restrictions and guidelines
Syslog messages can be sent to a maximum of 10 platforms.
Add or edit a syslog forwarding task
Perform this task to add a syslog forwarding task or edit an existing syslog forwarding task.
Procedure
1. Select Configuration > System Management > Global Settings > Platform Log Forwarding > Syslog Forwarding.
2. To add a syslog forwarding task, click Add. To edit a syslog forwarding task, click Edit in the Actions column for that syslog forwarding task.
3. Click OK.
Parameters
· Destination IP: IP address of the destination platform to which syslog messages are sent.
· Port: Port of the destination platform to which syslog messages are sent.
· Encoding: Encoding method of log messages.
· Log Type: Types of logs to be sent to other platforms.
Delete a syslog forwarding task
Perform this task to delete a syslog forwarding task.
Procedure
1. Select Configuration > System Management > Global Settings > Platform Log Forwarding > Syslog Forwarding.
2. To delete a syslog forwarding task, click Delete in the Actions column for that task.
Configure SNMP trap forwarding
In the SNMP network architecture, the log audit platform acts as the agent and sends operation log and system log to the NMS through an SNMP protocol.
Parameters
· Destination IP: IP address of the destination platform to which SNMP traps are sent.
· Port: Port of the destination platform to which SNMP traps are sent.
· Encoding: Encoding method of log messages.
· Log Type: Types of logs to be sent to other platforms.
· Enable State: Enabling status of an SNMP trap forwarding task.
Restrictions and guidelines
SNMP traps can be sent to a maximum of five platforms.
Set SNMP protocol configuration
Perform this task to configure SNMP protocol settings.
Procedure
1. Select Configuration > System Management > Global Settings > Platform Log Forwarding > SNMP Trap Forwarding.
2. Click the button for the Protocol Configuration field, and then configure the protocol parameters.
3. Click OK.
Parameters
· Protocol: SNMP protocol for log forwarding, including SNMPv1, SNMPv2c, and SNMPv3.
· Community Name: Used to complete authentication with the NMS when you select SNMPv1 or SNMPv2c.
· Security Level: Select a security level, including None, Authentication Without Encryption, and Authentication with Encryption.
· Security Username: Specify a security username when you select SNMPv3.
· Authentication Algorithm: Select an authentication method, including MD5 and SHA. Prefer SHA; MD5 is deprecated for SNMPv3 authentication.
· Authentication Password: Specify the authentication password.
· Encryption Algorithm: Select an encryption method, including DES, AES128, and 3DES. Prefer AES128 when the NMS supports it; DES has only a 56-bit key.
· Encryption Password: Specify the encryption password.
Add or edit an SNMP trap forwarding task
Perform this task to add an SNMP trap forwarding task or edit an existing SNMP trap forwarding task.
Procedure
1. Select Configuration > System Management > Global Settings > Platform Log Forwarding > SNMP Trap Forwarding.
2. To add an SNMP trap forwarding task, click Add. To edit an SNMP trap forwarding task, click Edit in the Actions column for that SNMP trap forwarding task.
3. Click OK.
Parameters
· Destination IP: IP address of the destination platform to which SNMP traps are sent.
· Port: Port of the destination platform to which SNMP traps are sent.
· Encoding: Encoding method of log messages.
· Log Type: Types of logs to be sent to other platforms.
Delete an SNMP trap forwarding task
Perform this task to delete an SNMP trap forwarding task.
Procedure
1. Select Configuration > System Management > Global Settings > Platform Log Forwarding > SNMP Trap Forwarding.
2. To delete an SNMP trap forwarding task, click Delete in the Actions column for that task.
Configure the SMS center
Perform this task to manage the SMS service. The system generates alarm information and notifies the person in charge through SMS when an alarm is identified by alarm notification policies.
Procedure
1. Select Configuration > System Management > Global Settings > SMS Center.
2. Edit SMS platform settings. Different SMS gateways have different parameters. Please contact the SMS service provider for the configuration.
3. Click OK. To clear SMS server parameters, click Clear Configuration.
Parameters
· Jiaxun SMS platform
○ SMS Server Plug-in Address: Plug-in address of the SMS server, in the format of http://ip:port/services/cmcc_mas_wbs, where ip represents the IP address of the SMS service plug-in and port represents the port number of the SMS service plug-in.
○ Application ID: Application ID of the SMS platform.
○ Internal Extension Number: Unique identifier to identify an SMS message.
○ Character Encoding: Encoding method used during the transmission of SMS content.
· Yimei SMS Platform
○ SMS API Address: API address of the SMS platform.
○ SMS ID: Application ID of the SMS platform.
○ SMS Application Key: Secret key for calling the SMS platform.
· Post SMS Platform
○ Server Address: Address of the SMS service.
○ Server Port: Port of the SMS service.
○ SMS Type: Type of SMS message, including Standard and Notification/Pending Tasks.
○ Organization Code: Code of the organization to which the SMS platform belongs.
○ System Code: Code that identifies the SMS service.
○ System Name: Name of the SMS platform system.
Configure email server settings
Configure email server settings to enable sending of notification emails to the designated recipients from the email server when alarm events are detected.
Procedure
1. Select Configuration > System Management > Global Settings > Mail Server.
2. Configure email server parameters and click OK. To clear email server parameters, click Clear Configuration.
Parameters
· Encryption Method: Encryption method of email server.
· Email Server Address: Specify an email server by its IPv4 or IPv6 address.
· Email Server Port: Specify the SMTP protocol port number of the email server.
· Sender Account: Email account for accessing the email server. This account will be used as the sender account for sending emails.
· Sender Password: Password for accessing the email server.
Restrictions and Guidelines
Only an SMTP-capable email server is supported.
Tenant management
Perform this task to manage tenant information and isolate data between tenants with a multi-tenant mechanism. The system tenants include default tenants and custom tenants:
· Default tenant: The system provides a default tenant. You cannot delete this tenant. Users under the default tenant can view the following statistics:
○ Users with predefined roles can view network-wide data.
○ Users without predefined roles can view only data under the default tenant.
· Custom tenant: A tenant that a user configures based on service needs. Users under a custom tenant can only view data within their own tenant, based on the menu permissions assigned to their roles.
Procedure
1. Select Configuration > System Management > Tenant Management.
2. To add a tenant, click Add. To edit a tenant, click Edit in the Actions column for the tenant.
3. To delete multiple tenants, select the tenants and click Delete. To delete a tenant, click Delete in the Actions column for the tenant.
Parameters
· Tenant Name: Unique identifier of a tenant.
· Data Storage Time: The system deletes data when its storage duration reaches the set period.
· Data Storage Capacity: The system deletes data when it reaches the set storage capacity.
· Space Threshold: The system warns you when data storage reaches the set threshold.
· Description: Description of the tenant, which can help administrators quickly understand and identify the tenant.
Restrictions and guidelines
When the number of tenants is two or more, the platform cleanup policy applies the data storage time and storage capacity set in tenant management. Otherwise, it uses the settings in Global Settings > Data Cleanup Settings.
Manage roles and privileges
From this menu, you can manage user accounts and role privileges, and view user sessions. The system supports predefined and user-defined roles and users. You cannot delete predefined roles or users or edit their key information, including role privileges, user accounts, and passwords.
The system predefines five default roles and four corresponding users, as follows:
· Super Administrator: The username and password of the super administrator are admin and secCsap@12345, respectively. This role has all system permissions.
· Business Administrator: The username and password of the business administrator are buzAdmin and buzCsap@12345, respectively. This role has operation permissions to the Overview, Log Center, Event Center, and Report Center menus.
· System Administrator: The username and password of the system administrator are sysAdmin and sysCsap@12345, respectively. This role has operation permissions to Configuration > System Management, but cannot view log records or edit users or roles.
· Audit Administrator: The username and password of the audit administrator are auditAdmin and auditCsap@12345, respectively. This role has the permission to view Configuration > System Management > Logs.
· Tenant Administrator: The system does not have predefined tenant administrators. A tenant administrator has permissions to manage some features in the Configuration menu and view and configure Overview, Log Center, Event Center, and Report Center.
Change the predefined passwords immediately after the first login. They are published in this document, so anyone who can reach the login page can try them.
The system assigns different privileges to different roles, and then assigns the specified privileges to users by specifying a role for a user.
Users
From this menu, you can manage users, including adding, editing, and deleting users, and obtaining user information. The system supports predefined and user-defined users. A predefined user cannot be deleted but can be edited. The predefined users include:
· Super Administrator: The initial login username and password is admin and secCsap@12345, respectively. Users of this role have full system permissions and belong to the default tenant.
· Business Administrator: The initial login username and password is buzAdmin and buzCsap@12345, respectively. Users of this role have operation permissions for the Overview, Log Center, Event Center, and Report Center functions, and belong to all tenants.
· System Administrator: The initial login username and password is sysAdmin and sysCsap@12345, respectively. Users of this role have operation permissions for Configuration > System Management but do not include viewing log records or editing user and role information, and belong to all tenants.
· Audit Administrator: The initial login username and password is auditAdmin and auditCsap@12345, respectively. Users of this role have permissions to view Configuration > System Management > Logs, and belong to all tenants.
Add a user
Perform this task to add a user.
Procedure
1. Select Configuration > System Management > Role and Privilege Management > User Management.
2. Click Add. In the dialog box that opens, configure the parameters, and then click OK.
Parameters
· Tenant: Tenant to which the user belongs.
· Username: Username used for login.
· Full Name: Full name of the user. It can be the same as the username.
· Password: Password of the account, which must meet the password control requirements. If password control is disabled, the password, by default, is a string of 1 to 31 characters, and must contain uppercase letters, lowercase letters, and digits.
· Confirm Password: Enter the password again to confirm it. The password is configured successfully only when the passwords entered twice are the same.
· Phone Number: User contact phone number. You can enter a mobile number or a landline number. Use a space or a hyphen (-) to separate the area code and local number.
· Email Address: Email address of the user.
· User Role: Role of the user, which assigns the user with the privileges of the role.
· State: User state. The default is Normal. A user in Locked state cannot log in to the system.
Edit a user
Perform this task to edit an existing user.
Procedure
1. Select Configuration > System Management > Role and Privilege Management > User Management.
2. Click Edit in the Actions column for a user. Edit user parameters and click OK. For more information about the parameters, see Add a user.
Delete users
Perform this task to delete existing users.
Procedure
1. Select Configuration > System Management > Role and Privilege Management > User Management.
2. To delete multiple users in bulk, select the users and then click Delete. To delete a single user, click Delete in the Actions column for the user.
Change a login password
Perform this task to change the login password for a user.
Procedure
1. Select Configuration > System Management > Role and Privilege Management > User Management.
2. Click Change Password in the Actions column for a user. The admin user can change its own password and can also reset other users' login passwords without knowing their old passwords.
Enable password management
Perform this task to configure password length and complexity check and enable notice on password expiration.
Procedure
1. Select Configuration > System Management > Role and Privilege Management > User Management.
2. Click Password Management. Configure password length and complexity check and notice on password expiration as needed.
○ Password Length Check: Limits the minimum length of user passwords that can be configured.
○ Password Composition Check: Limits the categories of characters that must be included in a user password. Available options include uppercase letters, lowercase letters, digits, and special characters. With password complexity check configured, user passwords must include the specified characters. For example, if you select uppercase letters and digits, user passwords must include uppercase letters and digits. The semicolon (;) is not supported as a special character.
○ Password Expiration Notification: Allows users to set the password validity period and early notice time. When a user logs in, the system checks whether the password will expire in a time period equal to or less than the early notice period. If so, the system notifies the user of the expiry time and provides a choice for the user to change the password. If the user chooses to change the password, the system records the new password and updates its expiry time. If the user chooses to leave the password or fails to change it, the system allows the user to log in using the present password until the password expires.
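A policy checker that implements the three Password Management settings above (length check, composition check with the semicolon excluded, and the expiration-notice decision made at login), as an added example that is not part of the product's code; the category names, default values, date handling and function names are assumptions made for illustration:

```python
"""Password Management checks modelled on the settings described above.
Added example, not code from the H3C product: category names, default
values and function names are assumptions made for illustration."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Characters accepted as "special". The semicolon is deliberately absent,
# matching the note that ';' is not a supported special character.
SPECIALS = "!@#$%^&*()_+-=[]{}|:,.<>?/~`'\"\\"


@dataclass
class PasswordPolicy:
    min_length: int = 8                        # Password Length Check
    required_categories: set = field(          # Password Composition Check
        default_factory=lambda: {"upper", "lower", "digit"})
    validity_days: int = 90                    # Password Expiration Notification
    notice_days: int = 7                       # early notice period


def categories_of(password: str) -> set:
    """Return the set of character categories present in the password."""
    cats = set()
    for ch in password:
        if ch.isupper():
            cats.add("upper")
        elif ch.islower():
            cats.add("lower")
        elif ch.isdigit():
            cats.add("digit")
        elif ch in SPECIALS:
            cats.add("special")
    return cats


def check_password(password: str, policy: PasswordPolicy) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if ";" in password:
        problems.append("the semicolon (;) is not a supported special character")
    if len(password) < policy.min_length:
        problems.append(f"shorter than the minimum of {policy.min_length} characters")
    missing = policy.required_categories - categories_of(password)
    if missing:
        problems.append("missing required character categories: "
                        + ", ".join(sorted(missing)))
    return problems


def _day(value: str) -> date:
    """Dates are passed as ISO-8601 strings (YYYY-MM-DD), as a log or database would carry them."""
    return date.fromisoformat(value)


def login_password_state(set_on: str, today: str, policy: PasswordPolicy) -> str:
    """Decide what the login flow should report about the current password.

    'expired'  - the validity period has passed.
    'expiring' - expiry falls within the early notice period: notify the user and
                 offer a change, but still allow login with the present password.
    'ok'       - nothing to report.
    """
    expires_on = _day(set_on) + timedelta(days=policy.validity_days)
    now = _day(today)
    if now >= expires_on:
        return "expired"
    if (expires_on - now).days <= policy.notice_days:
        return "expiring"
    return "ok"


def renew_password(new_password: str, today: str, policy: PasswordPolicy) -> str:
    """Record a changed password: enforce the policy and return the new expiry date."""
    problems = check_password(new_password, policy)
    if problems:
        raise ValueError("; ".join(problems))
    return (_day(today) + timedelta(days=policy.validity_days)).isoformat()
```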
Manage roles
Perform this task to manage roles. You can add, edit, and delete roles, as well as assign permissions to roles. Predefined roles cannot be edited or deleted. You can manage user-defined roles as needed. Predefined roles include super administrator, system administrator, business administrator, audit administrator, and tenant administrator.
· Super Administrator: A super administrator has all permissions to the system, including adding, deleting, and editing tenant, user, and role configuration.
· Business Administrator: A business administrator has operation permissions to the Overview, Log Center, Event Center, and Report Center menus.
· System Administrator: A system administrator has operation permissions to Configuration > System Management, but cannot view log records or edit users or roles.
· Audit Administrator: An audit administrator has the permission to view Configuration > System Management > Logs.
· Tenant Administrator: A tenant administrator has the permission to manage some features in the Configuration menu and view and configure Overview, Log Center, Event Center, and Report Center.
Add a role
Perform this task to add a role.
Procedure
1. Select Configuration > System Management > Role and Privilege Management > Role Management.
2. Click Add. Enter the role name and description, and then click OK.
3. To assign permissions to a role, click Permission Settings for that role. Then, select the target options, and click OK.
Parameters
· Role Name: Unique identifier of the role.
· Role Description: Description of the role for easy identification of the role.
Edit a role
Perform this task to edit an existing role.
Procedure
1. Select Configuration > System Management > Role and Privilege Management > Role Management.
2. Click Edit in the Actions column for a role. Edit role parameters and click OK. For more information about the parameters, see Add a role.
3. To edit the permissions of a role, click Permission Settings in the Actions column for that role.
Assign permissions to roles
Perform this task to set or edit the permissions of a role.
Procedure
1. Select Configuration > System Management > Role and Privilege Management > Role Management.
2. Click Permission Settings in the Actions column for a role.
Delete roles
Perform this task to delete roles.
Procedure
1. Select Configuration > System Management > Role and Privilege Management > Role Management.
2. To delete roles in bulk, select the target roles, and then click the Delete button above the role list. To delete a single role, click Delete in the Actions column for that role.
Manage sessions
Perform this task to obtain information about online users, including username, user role, login time, and login IP.
Procedure
1. Select the Configuration tab.
2. Select Configuration > System Management > Role and Privilege Management.
Service monitors
From this menu, you can view the system operation information, including service health status, CPU usage, and memory usage.
License management
To use license-based features, such as basic platform and node scale-up, you must apply for and install a license. The system supports the following licensing methods:
· Local licensing: Install the license activation file on the system.
· Remote licensing through the license server: Install the license activation file on H3C License Server. The system acts as a license client to obtain license seats from the license server. H3C License Server is license management software developed by H3C to provide unified management and assignment of licenses. For more information about installing and configuring License Server, see the license server installation manual.
You can switch the licensing method as follows:
· Remote-to-local switchover: Access the login page, click Registration, select Local Licensing, and then upload the license activation file. The license seats on License Server will be released. After logging in to the system, you can access Configuration > System Management > License Management to view local license information.
· Local-to-remote switchover: Access the login page, click Registration, select License Server, configure connection parameters to connect to License Server, and apply for license seats. The local license seats will be released. After logging in to the system, you can access Configuration > System Management > License Management to view license server information.
Local licensing
Procedure
1. Access the system login page, click Registration, select Local Licensing, and download the host information file. Then, access the official website of H3C, and use the host information file and license key to apply for a license activation file. For more information about obtaining a license activation file, see H3C SecCenter [CSAP][SMP] Series License User Guide.
2. Upload the license activation file. After the activation succeeds, log in to the system.
3. You can access Configuration > System Management > License Management to view license information. You can view the total number of log sources in the top-left corner of the workpane.
4. On the License Management page, you can click Import Local License to download the host information file or upload the activation file.
Parameters
· License Name: Name of the license.
· License Type: Type of the license.
· Licensed or Not: Whether the feature is licensed.
· Validity Period: Validity period of the license.
· Log Source Specifications: Maximum number of log sources that can be added to the system.
Remote licensing
Procedure
1. Access the login page, click Registration, select License Server, configure connection parameters to connect to License Server, and apply for license seats. Then, log in to the system.
2. You can access Configuration > System Management > License Management to view license information. You can view the total number of log sources in the top-left corner of the workpane.
Parameters
· License Name: Name of the license.
· License Type: Type of the license.
· Licensed or Not: Whether the feature is licensed.
· Validity Period: Validity period of the license.
· Applied License Seats: Number of license seats applied from the license server.
· Log Source Specifications: Maximum number of log sources that can be added to the system.
· Release License: Revoke or release a license or permission authorized to a terminal.
Restrictions and guidelines
· To use remote licensing you must first click Registration on the login page and configure the License Server connection parameters. Remote licensing is available only after the system connects to the server successfully.
· The system's forced release of licenses on the License Server, forced disassociation of clients, and synchronization of disconnections require waiting for an LCP synchronization cycle (20 minutes by default) to take effect, rather than taking effect immediately.
· The License Server client does not support modifying network card hardware information. Modifying the network card will trigger a check during startup, which might delete the relevant information and result in license loss.
Obtain a license key
Perform this task to obtain the host information file, which is a .did file generated by encrypting the device hardware information and user information of the platform. You can obtain an activation file from the H3C website by using the host information file, license key, and serial number.
Import an activation file
Perform this task to import the activation file obtained from the H3C website.
Procedure
1. Select Configuration > System Management > License Management.
2. Click Import Activation File, and select the activation file obtained from the H3C website to upload it on the Register Product window.
3. The system parses and installs the activation file.
Logging
This feature displays the logs generated by the system, including operation logs and system logs.
· Operation Logs: Record user operations, such as logging in to the system, exiting the system, and accessing a webpage.
· System Logs: Record hardware, software, and system issues that occurred in the system, such as log deletion, threshold exceeding, alarms, and log cleanup.
Manage operation logs
Perform this task to view and export operation logs. Operation logs record user operations, including system login, logout, and page access.
Procedure
1. Select Configuration > System Management > Logs. You are placed on the Operation Log tab.
2. To filter operation logs, enter the filtering criteria and then click Search. You can filter operation logs by operator, IP address, operation result, and log generation time range. To reset the criteria, click Reset.
3. To export the displayed logs, click Export. The system exports logs in an .xlsx file.
Parameters
· Operation Time: Time at which the operation was performed.
· Operator: User account that performed the operation.
· Role Name: Role of the user account that performed the operation.
· Login IP: IP address of the operator.
· Operation Result: Operation result. Options include success and failure.
· Operation Content: Operation content, for example, accessing the system homepage.
System log
The system log records hardware, software, and system issues in the system, including log deletion when the threshold is reached, alarms, and log cleanup. The system also supports system log query and export.
Procedure
1. Select Configuration > System Management > Logs. Click the System Log tab.
2. To filter log entries, select the time span, module name, and severity as needed, and then click Search. To reset the filters to the default, click Reset.
3. To export all log entries that meet the filters, click Export. The exported log file is in XLSX format.
Parameters
· Module Name: Name of the module where the exception has occurred.
· Severity: Severity level of the log. Options include Critical, Error, Warning, Informational, and Debugging.
· Timestamp: Time when the exception occurred.
· Details: Detailed information about the log entry.
Data source management
Data source management is an important foundational functional module of this platform, providing functions for collector management, log source management, agent management, and adaptation rule management. Log sources are the origins from which the platform collects log data. After log sources obtain log data, they report it to the platform through collectors. The platform then performs comprehensive analysis to provide data for other functional modules. The process of the system acquiring log data is as follows:
1. Log sources are added. A log source is a device or system that generates or stores log data.
2. The collectors obtain log data from log sources through active collection or passive reception.
3. The collectors report logs to the platform, which then analyzes, filters, and enriches them before storing for use by other functional modules.
Collectors
Perform this task to manage collectors. Active log collection and passive log collection are supported.
· Passive Collection: A collector passively receives logs reported from devices that can send logs out of the devices. For example, an H3C firewall can use the Information Center to output logs to a collector and the collector passively receives the logs.
· Active Collection: A collector actively obtains logs from a database or shared file for analysis.
View collector information
Perform this task to view detailed information about collectors.
Procedure
1. Select Configuration > Data Source Management > Collector Management.
2. Click the icon in front of a collector name to view information about the log sources associated with the collector, including the listening port and log source name.
3. To view detailed information, click Details in the Actions column for a collector.
Parameters
· Tenant Name: Name of the tenant to which the collector belongs.
· Collector Name: Name of the registered collector.
· Collector Status: Status of the collector, including Online, Offline, and Not Licensed. Collectors in offline or not licensed state cannot execute collection tasks.
· Registered At: Time at which the collector was registered.
· Updated At: Time at which the collector was last updated. When the collector status is offline, the update time is the time when the collector encountered an anomaly.
· Collection Method: Method used by the collector to collect logs, including active and passive.
· Description: Description of the collector. This helps you quickly understand the collector's function and identify the collector.
· Collection Monitoring: Click the icon to view a summary of the collector's collection status. For more information about collection monitoring, see Collection monitoring.
Edit active collector
Perform this task to modify the description of an active collector. You cannot edit the collector name.
Procedure
1. Select Configuration > Data Source Management > Collector Management.
2. Click Edit in the Actions column for the target collector, and configure the collector settings as needed.
3. Click OK to confirm the operation or click Cancel to remove the changes.
Parameters
· Collector Name: Identifier of the collector. By default, the collector name is in the Host Name:Collection Method format, for example, cyber:active.
· Collector Description: Description for the collector. A proper description helps you quickly understand the collector's function and identify the collector.
· Tenant: Tenant to which the collector belongs. A collector belongs to the default tenant by default.
Edit a passive collector
Perform this task to edit passive collector information, such as collector name, description, and related log source.
Procedure
1. Select Configuration > Data Source Management > Collector Management.
2. Click the icon for the target passive collector, and configure collector settings as needed.
3. Click OK to confirm the operation or click Cancel to remove the changes.
Parameters
· Collector Name: Identifier of the collector. By default, the collector name is in the Host Name:Collection Method format, for example, 186.64.6.105:passive. The collector name cannot be empty.
· Collector Description: Description for the collector. A proper description helps you quickly understand the collector's function and identify the collector.
· Log Source IP: Specify a collector IP address in a multi-NIC scenario for the collector to obtain only log sources bound with the IP address.
· Log Source Name: Specify the log sources from which the collector obtains logs. Unbound log sources are displayed at the left and bound log sources are displayed at the right.
○ Select log sources from the left box and then click the icon to bind the log sources to the collector.
○ Click the icon to bind all unbound log sources to the collector.
○ Select log sources from the right box and then click the icon to unbind the log sources from the collector.
○ Click the icon to unbind all the log sources from the collector.
Restrictions and guidelines
· You can enter filtering criteria to filter log sources in the left box. If no filtering criteria are specified, the left box displays all unbound log sources.
· After an Agent registers successfully, you cannot remove the registration relation between the collector and the Agent.
Collection monitoring
Collection monitoring displays the log collection status of the selected collectors, showing the number of logs reported by all associated log sources and the trend over time. It also allows filtering and querying by statistical cycle and log source IP.
Procedure
1. Select Configuration > Data Source Management > Collector Management.
2. Click the icon to access the collection monitoring page.
3. To filter the statistics, specify a log source IP and a statistical period as needed.
4. To restore the default filter conditions, click Reset.
Parameters
· Log Source: Log source name.
· Source IP:Port: IP address and port number of the log source.
· Average Rate: Display the average rate that the log source reported logs to the platform in the specified time span.
· Log Collection Duration (Days): Duration from the first log collection to the present for each log source.
· Log Retention Period (Days): Period that a log message can be reserved.
· Total Count: Number of log messages reported by each log source within the statistical period.
Restrictions and guidelines
· If a log source has been deleted when you use it to filter statistics, the platform still displays statistics about the logs reported by the log source.
· The collection monitoring page displays the statistical values of all logs collected by the collector. When log types are selected in the log source, the platform discards logs of unselected types during subsequent processing, but the discarded logs will still be counted in the statistics. To view the actual reserved log statistics, go to the Log Center > Full-Text Search page.
Log sources
Perform this task to manage log sources. You can view, add, delete, edit, import, or export log sources. A log source bound to a collector can send logs through the collector to the system. The system supports the following log sources:
· Active log sources: Log sources bound to active log collectors, such as databases and file sharing servers. For information about collectors, see Collectors.
· Passive log sources: Log sources bound to passive log collectors, such as H3C firewalls and IPS devices that can send logs. For information about collectors, see Collectors.
· High-performance flow collection log sources: Report flow logs through a unified port.
Configure active collection log sources
Perform this task to manage active collection log sources, including adding, deleting, editing, filtering, importing, and exporting active collection log sources. Active collection log sources include database log sources, shared file log sources (FTP and SFTP), WMI log sources, and Kafka log sources.
After you configure an active log source, the collector periodically accesses the log source to obtain log data.
Search for active collection log sources
Perform this task to search for active collection log sources added to the platform.
Procedure
1. Select Configuration > Data Source Management > Log Source Management > Active Collection.
2. Enter a log source name or select a log source type, and then click Search. The matching log sources are displayed.
3. To restore the default search conditions, click Reset.
Parameters
· Tenant Name: Name of the tenant to which the log source belongs.
· Name: Name of the log source.
· IP: IP address of the log source.
· Protocol: Protocol used by the log source to report logs.
· Log Source Type: Type of the log source, including database, shared file, WMI, and Kafka.
· Associated Collector IP: IP address of the collector for the log source.
· Enabling Status: Enabling status of the log source.
Add a database log source
Perform this task to add a database log source. Log data are stored in various relational databases. To add a database to the platform as a log source and use a collector on the platform to collect logs from the database, you must connect the collector to the database.
Procedure
1. Select Configuration > Data Source Management > Log Source Management > Active Collection.
2. Click Add. On the page that opens, select Database Log Source.
3. Configure the log source parameters, and then click OK.
Parameters
· Name: Unique ID of the database log source.
· Database Name: Name of the database that stores logs.
· Database Type: Type of the database.
· Database IP: IPv4 or IPv6 address of the database.
· Port Number: Port number of the database.
· Username: Username used for accessing the database.
· Password: Password used for accessing the database.
· Associated Collector: Enter the name of the collector associated with this log source. After you select a collector, the log source will report log information to that collector.
· Associated Collector IP: IP address of the collector associated with this log source.
· Description: Enter the description of the database log source.
· Database Log Source Table Info: Click Add and configure the log information to be reported for the collector to retrieve log data based on this information.
○ Table Name: Name of the database log source table.
○ Primary Key Name: Primary key name of the table. The key is used to mark the address where the collector has obtained log information the last time to avoid repeated log collection.
○ Asset Type: Select the type of device that generated the log message.
○ Vendor: Vendor for the device that generated the log message.
○ Model: Model of the device that generated the log message.
○ Log Type: Select the type of log data that the device sends. The default log type varies by device type.
Restrictions and guidelines
· An offline collector cannot be bound to a log source.
· If no options are available in the asset type, vendor, and model fields for a log source, the system does not support that log source. To resolve this issue, contact Technical Support.
· The model, log type, and vendor describe information for the device that generates the log messages. Incorrect configuration can cause inaccurate log resolution results.
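The Primary Key Name mechanism described above (the collector remembers the last key it read so that repeated polls do not re-collect the same rows), as an added example that is not the product's collector code; sqlite3 stands in for the relational database, and the table, column names and sample rows are constructed for illustration:

```python
"""Incremental collection from a database log source, using the table's
primary key as a watermark. Added example, not the product's collector code:
sqlite3 stands in for the relational database and the table, column names
and rows are constructed."""
import re
import sqlite3

# Table and key names come from operator configuration and cannot be bound as
# SQL parameters, so restrict them to a safe character set before interpolating.
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def safe_identifier(name: str) -> str:
    """Reject anything that is not a plain SQL identifier."""
    if not _IDENT.match(name):
        raise ValueError(f"unsafe SQL identifier: {name!r}")
    return name


def make_sample_db() -> sqlite3.Connection:
    """Constructed sample: an application audit table with an increasing integer key."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row          # rows addressable by column name
    conn.execute("CREATE TABLE audit_log "
                 "(id INTEGER PRIMARY KEY AUTOINCREMENT, ts TEXT, message TEXT)")
    conn.executemany(
        "INSERT INTO audit_log (ts, message) VALUES (?, ?)",
        [("2024-05-01T08:00:00", "user alice logged in"),
         ("2024-05-01T08:05:00", "user bob login failed"),
         ("2024-05-01T08:06:00", "user bob login failed")])
    conn.commit()
    return conn


class DbLogCollector:
    """Polls one table and remembers the highest key already collected, so each
    poll returns only rows inserted since the previous one."""

    def __init__(self, conn: sqlite3.Connection, table: str, pk: str,
                 batch_size: int = 1000):
        self.conn = conn
        self.table = safe_identifier(table)
        self.pk = safe_identifier(pk)
        self.batch_size = batch_size
        # Watermark. Assumes integer keys starting at 1; a real collector would
        # persist this value so it survives restarts.
        self.last_key = 0

    def poll(self) -> list:
        """Return the next batch of uncollected rows and advance the watermark."""
        rows = self.conn.execute(
            f"SELECT * FROM {self.table} WHERE {self.pk} > ? "
            f"ORDER BY {self.pk} LIMIT ?",
            (self.last_key, self.batch_size)).fetchall()
        if rows:
            # Relies on the key increasing with insertion order: a row inserted
            # later with a key below the watermark would never be collected.
            self.last_key = rows[-1][self.pk]
        return rows
```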
Edit a database log source
Perform this task to edit the configuration of a database log source.
Procedure
1. Select Configuration > Data Source Management > Log Source Management > Active Collection.
2. Click the Edit button in the Actions column for the log source you want to edit. For parameter descriptions, see Add a database log source.
3. Enter the information as required, and then click OK.
Restrictions and guidelines
· An offline collector cannot be bound to a log source.
· If no options are available in the asset type, vendor, and model fields for a log source, the system does not support that log source. To resolve this issue, contact Technical Support.
· The model, log type, and vendor describe information for the device that generates the log messages. Incorrect configuration can cause inaccurate log resolution results.
Add a shared file log source
Perform this task to add a shared file log source. The log data is stored on the FTP server. To add a shared file log source and obtain log data, you must connect the collector to the FTP server.
Procedure
1. Select Configuration > Data Source Management > Log Source Management > Active Collection.
2. Click the Add icon, and select Shared File Log Source on the Add Active Log Source window.
3. Configure the parameters for the log source, and then click OK.
Parameters
· Name: Unique ID of the shared file log source.
· Report Protocol: Type of protocol used by the log source to report logs.
· Protocol: Type of the shared file server. Options include FTP and SFTP.
· FTP/SFTP Address: Specify the IPv4 or IPv6 address of the FTP/SFTP server that stores the log file.
· FTP/SFTP Port: Specify the port number of the FTP/SFTP server.
· Username: Specify the username used to log in to the FTP/SFTP server.
· Password: Specify the password used to log in to the FTP/SFTP server.
· Associated Collector: Enter the name of the collector associated with this log source. After you select a collector, the log source will report log information to that collector.
· Associated Collector IP: IP address of the collector associated with this log source.
· Collection Scope: Options include File and File Folder. The File option means obtaining the log files in the file path. The File Folder option means obtaining the log files of all folders in the file path.
· File Path: Path where log files are stored. If you have selected File for Collection Scope, the file path must be an absolute path.
· File Encoding Method: Log encoding method for the log file.
· Asset Type: Select the type of device that generated the log message.
· Vendor: Vendor for the device that generated the log message.
· Model: Model of the device that generated the log message.
· Description: Enter a description for the shared file log source for quick identification.
· Log Type: Select the type of log data that the device sends. The default log type varies by device type.
Restrictions and guidelines
· Offline collectors cannot be associated.
· If no options are available in the asset type, vendor, and model fields for a log source, the system does not support that log source. To resolve this issue, contact Technical Support.
· The model, asset type, and vendor describe information for the device that generates the log messages. Incorrect configuration can cause inaccurate log resolution results.
· As a best practice to ensure accurate log resolution results, store only log files with the same vendor, asset type, and model in a folder when you select File Folder for Collection Scope.
· Logs on a Windows-based FTP server cannot be obtained.
· Log files that can be collected are .log, .txt, and .csv files. Log files without a suffix can also be collected.
Edit a shared file log source
Perform this task to edit a shared file log source.
Procedure
1. Select Configuration > Data Source Management > Log Source Management > Active Collection.
2. Click the Edit button in the Actions column for the log source you want to edit. For parameter descriptions, see Add a shared file log source.
3. Edit the settings for the log source, and then click OK.
Restrictions and guidelines
· Offline collectors cannot be associated.
· If no options are available in the asset type, vendor, and model fields for a log source, the system does not support that log source. To resolve this issue, contact Technical Support.
· The model, asset type, and vendor describe information for the device that generates the log messages. Incorrect configuration can cause inaccurate log resolution results.
· As a best practice to ensure accurate log resolution results, store only log files with the same vendor, asset type, and model in a folder when you select File Folder for Collection Scope.
Add a WMI log source
Perform this task to add a WMI log source. Use this log source to collect system, security, and application logs from Windows. WMI log sources can be added and the collector can read log data only after the collector establishes a connection to the server successfully.
Procedure
1. Select Configuration > Data Source Management > Log Source Management > Active Collection.
2. Click Add. On the page that opens, select WMI Log Source.
3. Enter the information as required, and then click OK.
Parameters
· Name: Unique ID of the WMI log source.
· Host IP: IPv4 address of the Windows host.
· Domain: Domain name of the network environment where the remote Windows host resides. This parameter is optional.
· Username: User identifier for connecting to the WMI service on the remote Windows host.
· Password: Password for the user to connect to the remote Windows host.
· Associated Collector: Enter the name of the collector associated with this log source. After you select a collector, the log source will report log information to that collector.
· Associated Collector IP: IP address of the collector associated with this log source.
· Asset Type: Select the type of device that generated the log message.
· Vendor: Vendor for the device that generated the log message.
· Model: Model of the device that generated the log message.
· Description: Enter a description for the WMI log source for quick identification.
· Log Type: Select the type of log data that the device sends. The default log type varies by device type.
Restrictions and guidelines
· Collectors in offline state cannot be associated.
· If no options are available in the asset type, vendor, and model fields for a log source, the system does not support that log source. To resolve this issue, contact Technical Support.
· The asset type, vendor, and model describe information for the device that generates the log messages. Incorrect configuration can cause inaccurate log resolution results.
Edit a WMI log source
Perform this task to edit a WMI log source.
Procedure
1. Select Configuration > Data Source Management > Log Source Management > Active Collection.
2. Click the Edit button in the Actions column for the log source you want to edit. For parameter descriptions, see Add a WMI log source.
3. Enter the information as required, and then click OK.
Restrictions and guidelines
· Collectors in offline state cannot be associated.
· If no options are available in the asset type, vendor, and model fields for a log source, the system does not support that log source. To resolve this issue, contact Technical Support.
· The asset type, vendor, and model describe information for the device that generates the log messages. Incorrect configuration can cause inaccurate log resolution results.
Add a Kafka log source
Perform this task to add a Kafka log source. Log data is stored in Kafka. Kafka log sources can be added and the collector can read log data only after the collector establishes a connection to the server successfully.
Procedure
1. Select Configuration > Data Source Management > Log Source Management > Active Collection.
2. Click Add. On the page that opens, select Kafka Log Source.
3. Enter the information as required, and then click OK.
Parameters
· Name: Unique ID of the Kafka log source.
· Report Protocol: Type of protocol used by the log source to report logs.
· Kafka Address: Enter the IPv4 or IPv6 address of Kafka in the format ip1:port1,ip2:port2,ip3:port3.
· Topic: Specify the topic to collect logs from in the Kafka platform.
· File Code: Select a log encoding method.
· Associated Collector: Enter the name of the collector associated with this log source. After you select a collector, the log source will report log information to that collector.
· Associated Collector IP: IP address of the collector associated with this log source.
· Asset Type: Select the type of device that generated the log message.
· Vendor: Vendor for the device that generated the log message.
· Model: Model of the device that generated the log message.
· Description: Enter a description for the Kafka log source for quick identification.
· Log Type: Select the type of log data that the device sends. The default log type varies by device type.
Restrictions and guidelines
· To collect logs from a Kafka cluster, configure the Kafka address as a combination of node addresses in the format ip1:port1,ip2:port2,ip3:port3. Example: 192.168.9.1:9092,192.168.9.2:9092,192.168.9.3:9092.
· Collectors in offline state cannot be associated.
· If no options are available in the asset type, vendor, and model fields for a log source, the system does not support that log source. To resolve this issue, contact Technical Support.
· The asset type, vendor, and model describe information for the device that generates the log messages. Incorrect configuration can cause inaccurate log resolution results.
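The Kafka Address field accepts several cluster nodes in one comma-separated string, and an entry with a missing port or an unbracketed IPv6 literal is the usual reason a source never connects. The following Python validator is an added example written for this page, not part of the platform, and it assumes (the page does not say) that IPv6 literals are written in brackets, for example [2001:db8::1]:9092, so the last colon is always the port separator.

```python
import ipaddress


def parse_kafka_address(value):
    """Validate a Kafka Address value ('ip1:port1,ip2:port2,...') and return
    a list of (ip, port) tuples, one per cluster node.
    Assumption: IPv6 literals are bracketed, e.g. [2001:db8::1]:9092."""
    nodes = []
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            raise ValueError("empty node entry in Kafka address")
        if entry.startswith("["):
            host, sep, port = entry[1:].partition("]:")
        else:
            host, sep, port = entry.rpartition(":")
            if ":" in host:  # unbracketed IPv6: the host/port split is ambiguous
                raise ValueError(f"write IPv6 nodes as [addr]:port: {entry}")
        if not sep:
            raise ValueError(f"expected ip:port, got: {entry}")
        ip = ipaddress.ip_address(host)  # raises ValueError for a malformed address
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            raise ValueError(f"invalid port in entry: {entry}")
        nodes.append((str(ip), int(port)))
    return nodes
```

Running it over the cluster example from the guidelines, 192.168.9.1:9092,192.168.9.2:9092,192.168.9.3:9092, yields three (ip, port) pairs; an entry without a port, a port outside 1-65535, or a bare IPv6 literal is rejected before the source is saved.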
Edit a Kafka log source
Perform this task to edit a Kafka log source.
Procedure
1. Select Configuration > Data Source Management > Log Source Management > Active Collection.
2. Click the Edit button in the Actions column for the log source you want to edit. For parameter descriptions, see Add a Kafka log source.
3. Enter the information as required, and then click OK.
Restrictions and guidelines
· To collect logs from a Kafka cluster, configure the Kafka address as a combination of node addresses in the format ip1:port1,ip2:port2,ip3:port3. Example: 192.168.9.1:9092,192.168.9.2:9092,192.168.9.3:9092.
· Collectors in offline state cannot be associated.
· If no options are available in the asset type, vendor, and model fields for a log source, the system does not support that log source. To resolve this issue, contact Technical Support.
· The asset type, vendor, and model describe information for the device that generates the log messages. Incorrect configuration can cause inaccurate log resolution results.
Delete active collection log sources
Perform this task to delete one or multiple log sources for active collection. After a log source is deleted, a log collector does not collect log data from the log source.
Procedure
1. Select Configuration > Data Source Management > Log Source Management > Active Collection.
2. To delete a log source, click Delete in the Actions column for the source. To delete multiple log sources in bulk, select the log sources, and then click Delete.
Import active collection log sources
Perform this task to bulk import log sources for active collection.
Procedure
1. Select Configuration > Data Source Management > Log Source Management > Active Collection.
2. Click Import. Select Database Log Sources or Shared File Log Sources to download the import template.
3. Fill the template as needed and then save it.
4. Click or drag the template file to the gray area to import the file.
5. Click Import and select Operation Result. You can view the operation time and details of the most recent log source import operations.
Export active collection log sources
Perform this task to export active collection log sources to a file.
Procedure
1. Select Configuration > Data Source Management > Log Source Management > Active Collection.
2. Click Export and select the log source type. The system exports active collection log sources in Excel format.
Passive collection log sources
Perform this task to manage passive collection log sources, including adding, deleting, editing, filtering, importing, and exporting passive collection log sources. With passive collection log sources configured, the log source devices automatically report log data to the collectors at specific intervals.
View passive collection log sources
Perform this task to view added log sources for passive collection.
Procedure
1. Select Configuration > Data Source Management > Log Source Management > Passive Collection.
2. Enter an IP address, or select an asset type, vendor, or model to filter log sources. By default, all log sources are displayed.
3. To reset the filtering criteria, click Reset.
Parameters
· Tenant Name: Name of the tenant to which the log source belongs.
· Name: Log source name.
· IP: IP address of the log source device.
· Asset Type: Select a device type.
· Model: Select a device model.
· Vendor: Name of the vendor for the log source device.
· Associated Collector IP: IP address of the collector associated with this log source.
· Report Port: Port number that receives log data.
· Enabling Status: Indicates whether the log source is enabled.
· Send Status: The log source's data transmission status. If the log source has not sent any log data in the past 48 hours, it will be flagged as abnormal.
Add a passive collection log source
Perform this task to add passive collection log sources.
Procedure
1. Select Configuration > Data Source Management > Log Source Management > Passive Collection.
2. Click Add.
3. Configure parameters for the passive collection log source, and then click OK.
Parameters
· Name: Unique identifier of a log source.
· IP: IPv4 or IPv6 address of a log source.
· Asset Type: Select a device type.
· Vendor: Name of the vendor for the log source device.
· Model: Select a device model.
· Associated Collector: Select the collector associated with the log source. This collector will receive log data reported from the source.
· Associated Collector IP: IP address of the collector associated with log source.
· Add Port Entry: Click Add to add information about logs to be reported by the log source.
○ Report Protocol: Specify the protocol used for log reporting.
○ Report Port: Specify the port used by the collector to obtain log data reported by the log source.
○ Encoding Method: Specify the log coding method.
○ Log Type: Specify the type of logs to be collected. The available types vary by device model.
Restrictions and guidelines
· If a log source uses various protocols to report logs, configure the collector to use different ports for each protocol.
· If no options are available in the asset type, vendor, and model fields for a log source, the system does not support that log source. To resolve this issue, contact Technical Support.
· You cannot select an offline collector for log source creation.
· To avoid log decoding failure, specify the bin coding method if the log source reports logs in binary format (for example, NetStream and AAA service logs).
· The model, asset type, and vendor describe information for the device that generates the log messages. Incorrect configuration can cause inaccurate log resolution results.
· In the current software version, the system supports decoding only SNMP v2c trap logs.
· If the SNMP trap logs contain Chinese characters, the system displays the Chinese characters in hexadecimal format.
Edit a passive collection log source
Perform this task to edit passive collection log sources.
Procedure
1. Select Configuration > Data Source Management > Log Source Management > Passive Collection.
2. Click the Edit button in the Actions column for the log source you want to edit. For parameter descriptions, see Add a passive collection log source.
3. Modify log source information. Click OK.
Restrictions and guidelines
· If a log source uses various services to report logs, configure the collector to use different ports for each service.
· If no options are available in the asset type, vendor, and model fields for a log source, the system does not support that log source. To resolve this issue, contact Technical Support.
· You cannot select an offline collector for log source creation.
· To avoid log decoding failure, specify the bin coding method if the log source reports logs in binary format (for example, NetStream and AAA service logs).
· The model, asset type, and vendor describe information for the device that generates the log messages. Incorrect configuration can cause inaccurate log resolution results.
Delete passive log sources
Perform this task to delete passive log sources.
Procedure
1. Select Configuration > Data Source Management > Log Source Management > Passive Collection.
2. To delete a single log source, click the Delete icon in the Actions column for it. To delete multiple log sources in bulk, select them and click the Delete button.
Import passive log sources
Perform this task to import passive log sources.
Procedure
1. Select Configuration > Data Source Management > Log Source Management > Passive Collection.
2. Click Import, and select Import Passive Log Sources. On the Import Passive Log Sources window that opens, click Download Import Template, and enter log source information in the template.
3. Click Import, and select Import Passive Log Sources. On the Import Passive Log Sources window that opens, click to select the saved template file or drag the saved template file to the gray area to import the file.
4. Click Import, and select Operation Result. In the Operation Result window that opens, you can view the operation time and details of the most recent log source import operation.
Export passive collection log sources
Perform this task to export passive collection log sources.
Procedure
1. Select Configuration > Data Source Management > Log Source Management > Passive Collection.
2. Select the target log sources, and then click Export. The system exports passive collection log sources in Excel format.
High-performance flow collection
This feature allows you to manage high-performance flow log sources, including the add, delete, edit, and search operations.
Configure ports
Enable or disable the collection port shared by all high-performance flow collection log sources.
Configure log sources
Configure information about high-performance flow log sources.
Restrictions and guidelines
· Availability of this feature depends on the actual Web interface of your software version.
· After you enable the collection port, all high-performance flow log sources start collecting logs. Log collection is stopped as long as you disable the collection port.
· High-performance flow log sources do not support log forwarding.
View high-performance flow collection log sources
Perform this task to view high-performance flow collection log sources.
Procedure
1. Select Configuration > Data Source Management > Log Source Management > High-Performance Flow Collection.
2. Enter an IP address, or select an asset type, vendor, or model to filter log sources. By default, all log sources are displayed.
3. To clear search conditions, click Reset.
Parameters
· Collection Port: Port shared by all high-performance flow collection log sources.
· Name: Name of the log source.
· IP: IP address of the log source.
· Asset Type: Device type of the log source.
· Vendor: Name of the vendor for the log source.
· Model: Device model of the log source.
Add a high-performance flow collection log source
Perform this task to add a high-performance flow collection log source.
Procedure
1. Select Configuration > Data Source Management > Log Source Management > High-Performance Flow Collection.
2. Click Add.
3. Configure the log source parameters, and then click OK.
Parameters
· Collection Port: Port shared by all high-performance flow collection log sources.
· Name: Unique ID of the log source.
· IP: IPv4 or IPv6 address of the log source.
· Asset Type: Device type of the log source.
· Vendor: Name of the vendor for the log source.
· Model: Device model of the log source.
Restrictions and guidelines
Device model, type, and vendor describe information about the device that generates the log messages. Incorrect configuration can cause inaccurate log resolution results.
Edit a high-performance flow collection log source
Perform this task to edit a high-performance flow collection log source.
Procedure
1. Select Configuration > Data Source Management > Log Source Management > High-Performance Flow Collection.
2. Click Edit in the Actions column for the target log source. For parameter descriptions, see Add a high-performance flow collection log source.
3. Configure the log source parameters as needed, and then click OK.
Restrictions and guidelines
Device model, type, and vendor describe information about the device that generates the log messages. Incorrect configuration can cause inaccurate log resolution results.
Delete high-performance flow collection log sources
Perform this task to delete high-performance flow collection log sources.
Procedure
1. Select Configuration > Data Source Management > Log Source Management > High-Performance Flow Collection.
2. To delete a single high-performance flow collection log source, click Delete in the Actions column for that log source. To delete multiple high-performance flow collection log sources in bulk, select those log sources, and then click the Delete button above the log source list.
Import high-performance flow collection log sources
Perform this task to import high-performance flow collection log sources.
Procedure
1. Select Configuration > Data Source Management > Log Source Management > High-Performance Flow Collection.
2. Click Import, and select Import High-Performance Flow Collection Log Sources. In the window that opens, click Download Import Template to download the log source import template. Fill in the template with the desired log source information, and then save the template.
3. Click Import, and select Import High-Performance Flow Collection Log Sources. In the window that opens, upload the log source import template by either clicking or dragging the template to the gray area.
4. Click Import, and select Operation Result. In the Operation Result window, you can view the operation time and details of the most recent log source import operation.
Export high-performance flow collection log sources
Perform this task to export high-performance flow collection log sources.
Procedure
1. Select Configuration > Data Source Management > Log Source Management > High-Performance Flow Collection.
2. Select the target log sources, and then click Export. Those log sources will be exported as an Excel file.
Agents
Agents are used to collect logs from hosts, services, and middleware that cannot output logs themselves. For example, some Windows or Linux hosts, or the databases and middleware deployed on them, do not support sending system logs in syslog format. You can install agents on the hosts to collect the logs generated by the host, databases, and middleware (including OS operation status logs such as CPU and disk usage) and send them to the log collectors in syslog format. The collectors then report the logs to the platform for analysis and presentation.
Manage agents
Perform this task to manage the agents for log collection.
Procedure
1. On the top navigation bar, click Settings. From the left navigation pane, select Data Sources > Agents. Click the Download Agents tab. You can perform the following operations:
2. View agent information: Multiple filters are supported, such as agent name, agent host IP, and agent state. Enter the filters and then click Search to view the matching agent information. To reset the search filters, click Reset.
3. Enable log collection: Select one or multiple agents whose collection state is Off, and then click On above the agent list.
4. Disable log collection: Select one or multiple agents whose collection state is On, and then click Off above the agent list. The disabled agents will not collect or report log data.
5. Enable auto upgrade: Select one or multiple agents whose auto upgrade state is Off, and then click Enable Auto Upgrade above the agent list.
6. Disable auto upgrade: Select one or multiple agents whose auto upgrade state is On, and then click Disable Auto Upgrade above the agent list.
7. Manual upgrade: For agents that have not been upgraded or that failed to upgrade, click Manual Upgrade to immediately upgrade the software versions of the agents.
8. Edit an agent name: Click the icon in the Agent Name column for the target agent to edit the agent's name.
9. Configure collection objects: Click Configure in the Actions column for the target agent to open the Configure Agent Management page. On this page, you can add or edit the collection object settings of the agent.
10. Delete agents: To delete multiple agents in bulk, select the target agents, and then click the Delete button above the agent list. To delete a single agent, click Delete in the Actions column for the target agent.
Parameters
· Agent Name: Name assigned to an agent after the agent successfully registers with the platform. The format is agent host IP_number, for example, 1.1.1.1_0.
· Agent Host IP: IP address of the host installed with the agent.
· Agent Host OS: Operating system of the host installed with the agent.
· Agent State: Identifies whether the agent is online or offline.
· Software Version: Current software version of the agent.
· Auto Upgrade: Whether the auto agent upgrade function is enabled. The system can upgrade agents automatically only if this function is enabled.
· Upgrade State: Upgrade state of the agent.
· Collection State: Whether the agent is available. Only agents in collection-enabled state can collect logs.
· Collector IP: IP address of the collector associated with the agent. The agent sends collected logs to the collector.
Restrictions and guidelines
· The auto agent upgrade function is supported only in non-ARM Agent 1.0.15, ARM Agent 1.0.25, and later versions. To use this function, manually uninstall the old agent version, and then download and install the latest version from the Agent Download page.
· To ensure a successful agent upgrade, make sure the root user password is effective. If the password is expired, the agent upgrade will fail. In this case, retry the agent upgrade after you update the root user password.
Manage agents
Perform this task to manage the settings for agent-associated collection objects. An agent can collect the key registry and file operation logs, the logs in customized files, and the running logs of the databases (such as MySQL and Oracle) deployed on the target host.
Procedure
1. Select Configuration > Data Source Management > Agent Management > Agent Management.
2. Click Configure in the Actions column for the target agent.
3. Add a collection object: Click the related tab, click Add to add a collection object, and then associate it with the current agent.
4. Delete a collection object: Click the related tab, and then click Delete in the Actions column for the target object.
Restrictions and guidelines
You can add or edit collection objects only for agents in online state.
Databases
Perform this task to manage databases associated with an agent. After a database is bound to an agent, the agent will periodically collect logs from the database. Multiple types of databases can be bound to one agent. Only one database can be bound to an agent for each database type.
Procedure
1. Select Configuration > Data Source Management > Agent Management > Agent Management.
2. Click Configure in the Actions column for the target agent, and then click the Database tab.
3. Click Add. In the dialog box that opens, configure the parameters, and then click OK.
Parameters
· Database Type: Type of the database from which the agent collects logs.
· Port Number: Port number of the database.
· Username: Username used by the agent to connect to the database.
· Password: Password used by the agent to connect to the database.
· Database Name: Name of the database. This parameter is available only for MongoDB, DB2, and Oracle databases.
· Database Privileges: Privileges of the account used by the agent to connect to the database. This parameter is available only for Oracle databases.
· Slow Query Time: Specify the slow query time. This parameter is available only for SQLServer, MongoDB, DB2, and Oracle databases.
· Authentication Protocol: Authentication protocol used by the agent to connect to the database. This parameter is available only for MongoDB databases.
Key files
Perform this task to associate key file paths with an agent. An agent collects the file operation logs in the associated file paths. An agent can have a maximum of 50 associated key file paths.
Procedure
1. Select Configuration > Data Source Management > Agent Management > Agent Management.
2. Click Configure in the Actions column for the target agent, and then click the Key File tab.
3. Click Add, enter a key file path, configure related parameters, and then click OK.
Parameters
File Path: Specify a file folder or file path. For example, use C:\Documents\* or C:\Documents\file.txt in Windows systems, and use /mnt/* or /mnt/file.txt in Linux systems. If you specify a file folder path, the agent will collect all files in the specified directory and all files in the subdirectories. For Linux systems, the number of subdirectories in the specified directory cannot exceed 500.
Key registry entries
Perform this task to associate key registry entry paths with an agent. An agent collects the registry operation logs in the associated registry entry paths. An agent can have a maximum of 50 associated key registry entry paths.
Procedure
1. Select Configuration > Data Source Management > Agent Management > Agent Management.
2. Click Configure in the Actions column for the target agent, and then click the Key Registry tab.
3. Click Add, configure related parameters, and click OK.
Parameters
Registry Entry Path: Enter a registry entry path. If you enter a path without a registry entry name (for example, HKEY_CURRENT_CONFIG), the collection scope includes all registry entries under the specified path and its subdirectories. If you enter a path with a registry entry name (for example, HKEY_CURRENT_CONFIG\Software), the collection scope includes only the contents under the specified registry entry.
Custom files
Perform this task to manage paths for custom files associated with an agent. After a custom file path is bound to an agent, the agent will periodically collect new log information in the file. A maximum of 50 custom file paths can be bound to an agent.
Procedure
1. Select Configuration > Data Source Management > Agent Management > Agent Management.
2. Click Configure in the Actions column for the target agent, and then click the Customized File tab.
3. Click Add. In the dialog box that opens, configure the parameters, and then click OK.
Parameters
· Customized File: Specify a file folder or file path. For example, use C:\Documents\* or C:\Documents\file.txt in Windows systems, and use /mnt/* or /mnt/file.txt in Linux systems. The specified file folder path must end with an asterisk (*), for example, /home/*. If this requirement is not met, the agent will not collect logs.
· Reading Mode: Select a reading method. Options are Incremental and Full. To read only content added to a file after it is bound, select Incremental. To read all existing content in a file, select Full. In full reading, content that has already been collected is not collected again.
Restrictions and Guidelines
The platform supports only log files in UTF-8 encoding format.
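The two reading modes and the path and encoding rules above are easy to get wrong when a folder is bound without the trailing asterisk or a non-UTF-8 file is added. The following Python collector is an added example written for this page; it is not the agent's own code. It assumes a single process, keeps a read offset per file so that Incremental mode returns only content written after binding and Full mode returns everything once and never re-reads collected bytes, and rejects a bare directory path and non-UTF-8 content. The scenario in run_demo() is constructed.

```python
import glob
import os
import tempfile


def validate_custom_path(spec):
    """A folder path must end with '*' (e.g. /home/*); a bare directory is
    rejected because the agent would collect nothing from it."""
    if not spec.endswith("*") and os.path.isdir(spec):
        raise ValueError(f"folder path must end with '*': {spec}")
    return spec


class CustomFileCollector:
    """Per-file read offsets give the Incremental / Full semantics:
    Incremental skips content present when a file is first seen,
    Full reads it once; neither mode re-reads already collected bytes."""

    def __init__(self, spec, mode="Incremental"):
        if mode not in ("Incremental", "Full"):
            raise ValueError("mode must be Incremental or Full")
        self.spec = validate_custom_path(spec)
        self.mode = mode
        self.offsets = {}  # file path -> bytes already consumed

    def files(self):
        if self.spec.endswith("*"):
            return sorted(p for p in glob.glob(self.spec) if os.path.isfile(p))
        return [self.spec] if os.path.isfile(self.spec) else []

    def collect(self):
        lines = []
        for path in self.files():
            with open(path, "rb") as fh:
                if path not in self.offsets and self.mode == "Incremental":
                    fh.seek(0, os.SEEK_END)  # first sight: skip existing content
                    self.offsets[path] = fh.tell()
                    continue
                fh.seek(self.offsets.get(path, 0))
                data = fh.read()
                self.offsets[path] = fh.tell()
            try:
                text = data.decode("utf-8")
            except UnicodeDecodeError as exc:
                raise ValueError(f"{path}: only UTF-8 log files are supported") from exc
            lines.extend(text.splitlines())
        return lines


def run_demo():
    """Constructed scenario: one log file appended to between collection rounds."""
    with tempfile.TemporaryDirectory() as tmp:
        log = os.path.join(tmp, "app.log")
        with open(log, "w", encoding="utf-8") as fh:
            fh.write("line1\nline2\n")
        full = CustomFileCollector(os.path.join(tmp, "*"), "Full")
        incr = CustomFileCollector(os.path.join(tmp, "*"), "Incremental")
        first = (full.collect(), incr.collect())
        with open(log, "a", encoding="utf-8") as fh:
            fh.write("line3\n")
        second = (full.collect(), incr.collect())
        try:
            validate_custom_path(tmp)  # directory without '*': must be rejected
            bare_dir_rejected = False
        except ValueError:
            bare_dir_rejected = True
        return {"first": first, "second": second, "bare_dir_rejected": bare_dir_rejected}
```

In the demo the Full collector returns the two existing lines on its first round and the Incremental collector returns nothing; after the append both return only line3. A reader that splits on newlines this way can emit a partial last line if a writer is mid-write; a production agent would hold back bytes after the last newline.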
Download agents
Perform this task to download the updated agent software for log collection. You can view the agent installation online help.
Procedure
1. Select Configuration > Data Source Management > Agent Management > Agent Management. You can perform the following operations:
2. In the Document Help area, click Online Preview to view the agent installation help online. Click Document Download to download the agent installation help document.
3. In the Software Download area, click a link to download the agent software of a specific version.
Restrictions and guidelines
· After an agent successfully registers with a collector, you cannot cancel the association between the collector and the agent.
· Agents cannot be associated with IPv6 addresses.
Adaptation rule management
This page allows you to add, edit, and delete adaptation rules, view current adaptation rule version information, and view historical operation records.
Manage adaptation rules
Log adaptation rules are used to categorize logs collected by the platform, extract important field information from them, and resolve them into a format that can be identified by this platform.
Procedure
1. Select Configuration > Data Source Management > Adaptation Rule Management > Adaptation Rules.
2. Search for adaptation rules: Enter an adaptation rule name, and click Search. To reset the search conditions, click Reset.
3. Add an adaptation rule: Add a user-defined adaptation rule.
4. Delete adaptation rules: To bulk delete adaptation rules, select multiple adaptation rules and click Delete. To delete a single adaptation rule, click the Delete button in the Actions column for that adaptation rule.
5. Enable adaptation rules: Select one or more adaptation rules in disabled state, and click Enable to enable the adaptation rules.
6. Disable adaptation rules: Select one or more adaptation rules in enabled state, and click Disable to disable the adaptation rules.
7. Edit an adaptation rule: Click the Edit icon in the Actions column for an adaptation rule.
Parameters
· Rule Name: Name of the adaptation rule.
· Rule Type: Type of the adaptation rule. Options include Regular Expression, Key-Value Pair, and JSON.
· Asset Type: Select a device type, for example, Firewall.
· Vendor: Select the vendor of the device.
· Model: Select the device model.
· Status: Enabled or disabled state of the adaptation rule.
· Actions: You can edit, delete, or view the details of an adaptation rule.
Add an adaptation rule
Perform this task to add an adaptation rule.
Procedure
1. Select Configuration > Data Source Management > Adaptation Rule Management > Adaptation Rules.
2. Click Add.
3. Configure related parameters.
4. Click OK. To cancel the addition, click Cancel.
Parameters
· Rule Name: Name of the adaptation rule.
· Asset Type: Select a device type, for example, Firewall.
· Vendor: Select the vendor of the device.
· Model: Select the device model.
· Rule Type: Type of the adaptation rule. Options include Regular Expression, Key-Value Pair, and JSON. The default is Regular Expression.
· Connector: The connector is used to connect key-value pairs in logs. This field is displayed only if you have selected the Key-Value Pair rule type.
· Delimiter: The delimiter is used to separate key-value pairs in logs. This field is displayed only if you have selected the Key-Value Pair rule type.
· Log Sample: Example of a device log adapted for use.
· Regular Expression: Used to extract original log field information from log samples.
· Match: After you select this button, the system will use the configured regular expression to extract the original log field information from the log sample.
· Key Fields for Log Types: Display the mappings between the extracted original log fields and the supported log types on the platform, indicating the log type to which the field belongs. Click Add, select a log field, and select a log type to complete the mapping between the log field and log type. For example, if you select emergency for the field name and security log for the log type, the log is regarded as a security log based on the current value of the emergency field. When a log field has multiple values and corresponds to various log types, click Add multiple times to add the log field and fill in the corresponding values.
○ Field Name: Name of the original log field.
○ Field Value: Value of the original log field.
○ Log Type: Type of the original log field.
· Log Field Mapping: After completing the mapping between the original log field and log type, you can further map the original log field to a specific field of that log type. In the Key Fields for Log Types list, click Edit in the Actions column for a field. On the Log Field Mapping page that opens, select the target mapping field for each original log field.
○ Original Field Name: Name of the original log field.
○ Original Field Value: Value of the original log field.
○ Mapped Field Name: Name of the target log field to which the original log field is mapped. The target log field can only be one supported by the current log type.
○ Mapping Type: Type of the mapping between the original log field and the mapped field. Options include time, value assignment, and value mapping. The system automatically selects the appropriate mapping type based on the mapped field name.
§ Time: When the mapped field is related to time, such as Log Generated At, the system displays the value of the mapped field as time. You can select the display format for time in the Mapped Field Value column. bb represents the abbreviated month, such as Apr for April, dd represents the date, and mm represents the month in digits, such as 04 for April. For example, Apr 24 10:00:00 2023 is in bb dd HH:MM:SS YYYY format, and 2023-04-24 10:00:00 is in YYYY-mm-dd HH:MM:SS format.
§ Value Assignment: The system directly assigns the value for the original field to the mapped field, such as Source IP and Username.
§ Value Mapping: The system converts the original field value into a specific character string and assigns it to the mapped field. Click Configure in the Mapped Field Value column to edit the original and mapped values. For example, when the mapped field is Severity, you can map 1 in the original field to critical information. When the original field has multiple values, you can add multiple original and mapped values by clicking Add in the Actions column.
○ Mapped Field Value: Value for the mapped field.
Restrictions and guidelines
· Devices in the same series share custom matching rules. See Device series to identify whether the devices belong to the same series and for other related information.
· When you add custom adaptation rules to predefined devices, the system prioritizes custom rules for log adaptation.
· You can configure JSON matching rules and key-value pair matching rules but not both on a device.
· When you configure both regular expression matching rules and JSON matching rules on a device, regular expression matching rules take precedence over JSON matching rules.
· When you configure both regular expression matching rules and key-value pair matching rules on a device, regular expression matching rules take precedence over key-value pair matching rules.
· When you configure a key-value pair matching rule or JSON matching rule, the system automatically populates a regular expression. If the regular expression does not match the log sample, you can manually edit it based on the log sample.
· The log sample in JSON matching supports only simple value formats. It does not support complex formats such as objects or arrays.
· Browsers of a version lower than Chrome 64 do not support regular expression naming captures. To configure regular expression matching rules, you must use a browser of Chrome 64 or later versions.
· For the Key Fields for Log Types list, if you add multiple log types with the same field value but map them to different log types, the system will only resolve them as one of the log types.
· For the Log Field Mapping list, if you select the same mapped field for different original fields, the system will only resolve and map one of the original fields.
· For the Mapped Field Value list, if you configure different mapped values for the same original value, the system will only resolve and map one of the mapped values.
Edit an adaptation rule
Procedure
1. Select Configuration > Data Source Management > Adaptation Rule Management > Adaptation Rules.
2. Click Edit in the Actions column for a rule.
3. Configure related parameters.
4. Click OK. To cancel the modification, click Cancel.
Parameters
· Log Sample: Example of a device log adapted for use.
· Regular Expression: Used to extract original log field information from log samples.
· Match: After you click this button, the system uses the configured regular expression to extract the original log field information from the log sample.
· Key Fields for Log Types: Display the mappings between the extracted original log fields and the supported log types on the platform, indicating the log type to which the field belongs. Click Add, select a log field, and select a log type to complete the mapping between the log field and log type. For example, if you select emergency for the field name and security log for the log type, emergency is a field in a security log entry. When a log field corresponds to multiple log types, click Add multiple times to configure mapping relationships between the log field and the multiple log types.
○ Field Name: Name of the original log field.
○ Field Value: Value of the original log field.
○ Log Type: Type of the original log field.
· Log Field Mapping: After completing the mapping between the original log field and log type, you can further map the original log field to a specific field of that log type. In the Key Fields for Log Types list, click Edit in the Actions column for a field. On the Log Field Mapping page that opens, select the target mapping field for each original log field.
○ Original Field Name: Name of the original log field.
○ Original Field Value: Value of the original log field.
○ Mapped Field Name: Name of the target log field to which the original log field is mapped. The target log field can only be one supported by the current log type.
○ Mapping Type: Type of the mapping between the original log field and the mapped field. Options include time, value assignment, and value mapping. The system automatically selects the appropriate mapping type based on the mapped field name.
§ Time: When the mapped field is related to time, such as Log Generated At, the system displays the value of the mapped field as time. You can select the display format for time in the Mapped Field Value column. bb represents the abbreviated month, such as Apr for April, dd represents the date, and mm represents the month in digits, such as 04 for April. For example, Apr 24 10:00:00 2023 is in bb dd HH:MM:SS YYYY format, and 2023-04-24 10:00:00 is in YYYY-mm-dd HH:MM:SS format.
§ Value Assignment: The system directly assigns the value for the original field to the mapped field, such as Source IP and Username.
§ Value Mapping: The system converts the original field value into a specific character string and assigns it to the mapped field. Click Configure in the Mapped Field Value column to edit the original and mapped values. For example, when the mapped field is Severity, you can map 1 in the original field to critical information. When the original field has multiple values, you can add multiple original and mapped values by clicking Add in the Actions column.
○ Mapped Field Value: Value for the mapped field.
Restrictions and guidelines
Browsers of a version lower than Chrome 64 do not support regular expression naming captures. To configure regular expression matching rules, you must use a browser of Chrome 64 or later versions.
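As an added example (not code from the documentation or from the product), the following Python sketch applies the matching and mapping model described under Parameters above, together with the precedence rules listed in the earlier Restrictions and guidelines: a regular expression rule with named captures takes precedence over a JSON or key-value rule, a device carries only one of those two, the Key Fields for Log Types list resolves the log type, and the Log Field Mapping list applies the time, value assignment and value mapping types. The log samples, field names, log types and mapping tables are constructed assumptions, not values from the platform.

```python
import json
import re
from datetime import datetime

# Constructed sample logs (not taken from the documentation).
SAMPLE_SYSLOG = "Apr 24 10:00:00 2023 fw01 %%10SECLOG: severity=1 type=attack src=10.0.0.5 user=alice"
SAMPLE_KV = "severity=3 type=login src=10.0.0.9 user=bob"
SAMPLE_JSON = '{"severity": "3", "type": "login", "src": "10.0.0.9", "user": "bob"}'

# Regular expression matching rule using named captures.
REGEX_RULE = re.compile(
    r"^(?P<time>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"(?P<host>\S+) \S+: (?P<body>.*)$"
)
KV_PAIR = re.compile(r"(\w+)=(\S+)")

# Display formats as the page spells them (bb = abbreviated month, dd = day,
# mm = numeric month), translated to strptime directives.
TIME_FORMATS = {
    "bb dd HH:MM:SS YYYY": "%b %d %H:%M:%S %Y",
    "YYYY-mm-dd HH:MM:SS": "%Y-%m-%d %H:%M:%S",
}

# Hypothetical Key Fields for Log Types: original field -> value -> log type.
KEY_FIELDS = {"type": {"attack": "security log", "login": "operation log"}}

# Hypothetical Log Field Mapping per log type:
# original field -> (mapped field, mapping type, mapped field value).
FIELD_MAPPING = {
    "security log": {
        "time": ("Log Generated At", "time", "bb dd HH:MM:SS YYYY"),
        "src": ("Source IP", "assign", None),
        "user": ("Username", "assign", None),
        "severity": ("Severity", "map", {"1": "critical", "2": "major", "3": "minor"}),
    },
    "operation log": {
        "src": ("Source IP", "assign", None),
        "user": ("Username", "assign", None),
        "severity": ("Severity", "map", {"1": "critical", "3": "warning"}),
    },
}

def extract_fields(line, secondary="kv"):
    """Extract original fields. Regex rules take precedence over JSON and
    key-value rules; a device carries a JSON rule or a key-value rule, never both."""
    if secondary not in ("json", "kv"):
        raise ValueError("a device has either a JSON rule or a key-value rule")
    m = REGEX_RULE.match(line)
    if m:
        fields = {"time": m.group("time"), "host": m.group("host")}
        fields.update(KV_PAIR.findall(m.group("body")))
        return "regex", fields
    if secondary == "json":
        try:
            obj = json.loads(line)
        except ValueError:
            return None, {}
        # JSON matching supports only simple values, not objects or arrays.
        if isinstance(obj, dict) and not any(isinstance(v, (dict, list)) for v in obj.values()):
            return "json", {k: str(v) for k, v in obj.items()}
        return None, {}
    kv = dict(KV_PAIR.findall(line))
    return ("kv", kv) if kv else (None, {})

def classify(fields):
    """Resolve the log type from the key fields. The first match wins, which is
    why one field value mapped to several log types resolves to only one of them."""
    for field, values in KEY_FIELDS.items():
        log_type = values.get(fields.get(field))
        if log_type:
            return log_type
    return None

def map_fields(log_type, fields):
    """Apply the time, value assignment and value mapping rules of the log type."""
    mapped = {}
    for orig, (target, kind, param) in FIELD_MAPPING.get(log_type, {}).items():
        if orig not in fields:
            continue
        value = fields[orig]
        if kind == "time":
            mapped[target] = datetime.strptime(value, TIME_FORMATS[param])
        elif kind == "assign":
            mapped[target] = value
        elif kind == "map":
            mapped[target] = param.get(value, value)
    return mapped

def adapt(line, secondary="kv"):
    """Run the full rule: extract, classify, then map to platform fields."""
    matcher, fields = extract_fields(line, secondary)
    if matcher is None:
        return None
    log_type = classify(fields)
    return {"matcher": matcher, "log_type": log_type, "fields": map_fields(log_type, fields)}

if __name__ == "__main__":
    print(adapt(SAMPLE_SYSLOG))
    print(adapt(SAMPLE_KV))
    print(adapt(SAMPLE_JSON, secondary="json"))
```

Note that the regular expression's named groups are exactly what the platform's rule editor relies on, which is the reason for its Chrome 64 requirement; a JSON sample with a nested object or array is rejected, as the guidelines state.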
Current version info
This function is used to view the version information and historical operation records of the current log adaptation rules, as well as to upgrade the rule versions.
Procedure
1. Select Configuration > Data Source Management > Adaptation Rule Management.
2. Click the Current Version Info tab.
3. Click Import File, and select an adaptation rule file in format to upload it to the platform. The adaptation rules will be upgraded.
4. After a successful upgrade, you can view the version operation records of the adaptation rules in the Historical Operation Records area, including the version number, operation time, and operator.
Operation History
This feature is used to view the upgrade records of log adaptation rules.
Procedure
1. Select Configuration > Data Source Management > Adaptation Rule Management.
2. Click the Operation History tab.
3. View the version operation records of the adaptation rules, including the version number, operation time, and operator.
Device series

| Device series | Asset type | Vendor | Device model |
|---|---|---|---|
| H3C Web application firewall series 1 | Web application firewall | H3C | W1000-D series |
| H3C Web application firewall series 1 | Web application firewall | H3C | W2000 series |
| H3C Web application firewall series 1 | Web application firewall | H3C | W2000-V series |
| H3C Web application firewall series 2 | Web application firewall | H3C | W2000-AK4X0 series |
| H3C Web application firewall series 2 | Web application firewall | H3C | W2000-G series |
| H3C Web application firewall series 2 | Web application firewall | H3C | W2000-V-G series |
| H3C Web application firewall series 3 | Web application firewall | H3C | W2000-G2 series |
| H3C Web application firewall series 3 | Web application firewall | H3C | W2000-V-G2 series |
| H3C Web application firewall series 3 | Web application firewall | H3C | W2000-AK4X5 series |
| NSFOCUS Web application firewall series | Web application firewall | NSFOCUS | WAF NX3 series |
| NSFOCUS Web application firewall series | Web application firewall | NSFOCUS | WAF P300 series |
| NSFOCUS Web application firewall series | Web application firewall | NSFOCUS | WAF NX5 series |
| UniCloud Web application firewall series 1 | Web application firewall | UniCloud | W1000-D series |
| UniCloud Web application firewall series 1 | Web application firewall | UniCloud | W2000-V series |
| UniCloud Web application firewall series 1 | Web application firewall | UniCloud | W2000 series |
| UniCloud Web application firewall series 2 | Web application firewall | UniCloud | W2000-AK4X0 series |
| UniCloud Web application firewall series 2 | Web application firewall | UniCloud | W2000-G series |
| UniCloud Web application firewall series 2 | Web application firewall | UniCloud | W2000-V-G series |
| UniCloud Web application firewall series 3 | Web application firewall | UniCloud | W2000-G2 series |
| UniCloud Web application firewall series 3 | Web application firewall | UniCloud | W2000-V-G2 series |
| UniCloud Web application firewall series 3 | Web application firewall | UniCloud | W2000-AK4X5 series |
| H3C Comware 7-based firewall series | Firewall | H3C | F1000 series (Comware 7) |
| H3C Comware 7-based firewall series | Firewall | H3C | F100 series (Comware 7) |
| H3C Comware 7-based firewall series | Firewall | H3C | F5000 series (Comware 7) |
| H3C Comware 7-based firewall series | Firewall | H3C | M9000 series (Comware 7) |
| H3C Comware 7-based firewall series | Firewall | H3C | Card series (Comware 7) |
| H3C Comware 7-based firewall series | Firewall | H3C | vFW1000 Series (Comware 7) |
| H3C Comware 7-based firewall series | Firewall | H3C | vFW2000 series (Comware 7) |
| H3C Comware 5-based firewall series | Firewall | H3C | F100 series (Comware 5) |
| H3C Comware 5-based firewall series | Firewall | H3C | F1000 series (Comware 5) |
| H3C Comware 5-based firewall series | Firewall | H3C | F5000 series (Comware 5) |
| H3C Comware 5-based firewall series | Firewall | H3C | Card series (Comware 5) |
| Huawei firewall series 1 | Firewall | Huawei | USG6000 series |
| Huawei firewall series 1 | Firewall | Huawei | USG9500 series |
| Huawei firewall series 1 | Firewall | Huawei | USG9560 series |
| Huawei firewall series 1 | Firewall | Huawei | USG6300 series |
| Huawei firewall series 2 | Firewall | Huawei | USG2000 series |
| Huawei firewall series 2 | Firewall | Huawei | USG5000 series |
| QI-ANXIN firewall series 1 | Firewall | QI-ANXIN | NSG3000-TE15P-Q |
| QI-ANXIN firewall series 1 | Firewall | QI-ANXIN | NSG3300-7680-F |
| QI-ANXIN firewall series 2 | Firewall | QI-ANXIN | NSG Series |
| QI-ANXIN firewall series 2 | Firewall | QI-ANXIN | NSG7000 series |
| QI-ANXIN firewall series 2 | Firewall | QI-ANXIN | NSG9000 series |
| Hillstone Networks firewall series | Firewall | Hillstone Networks | SG6000 series (5.5R3) |
| Hillstone Networks firewall series | Firewall | Hillstone Networks | SG6000 series (5.5R8) |
| UNIS firewall series | Firewall | UNIS | F1000 series |
| UNIS firewall series | Firewall | UNIS | F5000 series |
| TopSec firewall series | Firewall | TopSec | NGFW4000-UF (NG-85266) |
| TopSec firewall series | Firewall | TopSec | NGFW4000-UF (TG-62242) |
| DBAPPSecurity firewall series | Firewall | DBAPPSecurity | DAS-NGFW1900 series |
| DBAPPSecurity firewall series | Firewall | DBAPPSecurity | DAS-NGFW2900 series |
| H3C load balancing series | Load balancing | H3C | L1000 series (Comware 7) |
| H3C load balancing series | Load balancing | H3C | L5000 series (Comware 7) |
| H3C load balancing series | Load balancing | H3C | M9000 series (V7) |
| H3C load balancing series | Load balancing | H3C | Card series (Comware 7) |
| Cisco switch series | Switch | Cisco | Catalyst 2360 series |
| Cisco switch series | Switch | Cisco | Catalyst 2955 series |
| Cisco switch series | Switch | Cisco | Catalyst 2960 series |
| Cisco switch series | Switch | Cisco | Catalyst 2970 series |
| Cisco switch series | Switch | Cisco | Catalyst 2975 series |
| Cisco switch series | Switch | Cisco | Catalyst 3550 series |
| Cisco switch series | Switch | Cisco | Catalyst 3560 series |
| Cisco switch series | Switch | Cisco | Catalyst 3750 series |
| Cisco switch series | Switch | Cisco | Catalyst 6509 series |
| Cisco switch series | Switch | Cisco | Nexus 7000 series |
| Viewintech traffic probing series | Traffic probing | Viewintech | ENS-500 Encryption Traffic Security Detection System |
| Viewintech traffic probing series | Traffic probing | Viewintech | ENS-501 Encryption Traffic Security Detection System |
| QI-ANXIN traffic probing series | Traffic probing | QI-ANXIN | NSG3000 series |
| QI-ANXIN traffic probing series | Traffic probing | QI-ANXIN | NSG5000 series |
| H3C router series | Router | H3C | CR series |
| H3C router series | Router | H3C | ER series |
| H3C router series | Router | H3C | GR series |
| H3C router series | Router | H3C | MSR series |
| H3C router series | Router | H3C | SR series |
| H3C IPS iWare series | IPS | H3C | Card series (iWare) |
| H3C IPS iWare series | IPS | H3C | T200 series (iWare) |
| H3C IPS iWare series | IPS | H3C | T1000 series (iWare) |
| H3C IPS iWare series | IPS | H3C | T5000 series (iWare) |
| H3C IPS Comware 7-based series | IPS | H3C | T1000 series (Comware 7) |
| H3C IPS Comware 7-based series | IPS | H3C | T5000 series (Comware 7) |
| H3C IPS Comware 7-based series | IPS | H3C | T9000 series (Comware 7) |
| H3C IPS Comware 7-based series | IPS | H3C | Card series (Comware 7) |
| Venustech IPS series | IPS | Venustech | Tianqing IDS6070 series |
| Venustech IPS series | IPS | Venustech | NGIPS series |
| Leadsec IPS series | IPS | Leadsec | Leadsec series |
| Leadsec IPS series | IPS | Leadsec | 8600G series |
| Huawei IPS series | IPS | Huawei | NIP6000 series |
| Huawei IPS series | IPS | Huawei | IPS6000 series |
| UNIS IPS series 1 | IPS | UNIS | T1000 series |
| UNIS IPS series 1 | IPS | UNIS | T5000 series |
| UNIS IPS series 2 | IPS | UNIS | T1000-CN80-G |
| UNIS IPS series 2 | IPS | UNIS | F1000-CN80-G |
| UniCloud IPS series | IPS | UniCloud | T1000 series (Comware 7) |
| UniCloud IPS series | IPS | UniCloud | T5000 series (Comware 7) |
| UniCloud IPS series | IPS | UniCloud | T9000 series (Comware 7) |
| UniCloud IPS series | IPS | UniCloud | Card series (Comware 7) |
| H3C sandbox series 1 | Sandbox | H3C | ATD-A Series Advanced Edition |
| H3C sandbox series 1 | Sandbox | H3C | ATD-E Series Professional Edition |
| H3C sandbox series 1 | Sandbox | H3C | ATD-P Series Professional Edition |
| H3C sandbox series 2 | Sandbox | H3C | ATD-A Series Advanced Edition (WELF Edition) |
| H3C sandbox series 2 | Sandbox | H3C | ATD-E Series Professional Edition (WELF Edition) |
| H3C sandbox series 2 | Sandbox | H3C | ATD-P Series Professional Edition (WELF Edition) |
| AsiaInfo sandbox series | Sandbox | AsiaInfo | Deep Security-V10.0 series |
| AsiaInfo sandbox series | Sandbox | AsiaInfo | Deep Security-V20.0 series |
| Sangfor behavior audit series | Behavior audit | Sangfor | AC-action |
| Sangfor behavior audit series | Behavior audit | Sangfor | AC-channel |
| Sangfor behavior audit series | Behavior audit | Sangfor | AC-custom_log |
| Sangfor behavior audit series | Behavior audit | Sangfor | AC-demain_time_count |
| Sangfor behavior audit series | Behavior audit | Sangfor | AC-domain_flux |
| Sangfor behavior audit series | Behavior audit | Sangfor | AC-flux |
| Sangfor behavior audit series | Behavior audit | Sangfor | AC-flux_webapp |
| Sangfor behavior audit series | Behavior audit | Sangfor | AC-group_flux |
| Sangfor behavior audit series | Behavior audit | Sangfor | AC-group_flux_webapp |
| Sangfor behavior audit series | Behavior audit | Sangfor | AC-httptype_flux |
| Sangfor behavior audit series | Behavior audit | Sangfor | AC-ips |
| Sangfor behavior audit series | Behavior audit | Sangfor | AC-singress |
| Sangfor behavior audit series | Behavior audit | Sangfor | AC-time_count |
| Sangfor behavior audit series | Behavior audit | Sangfor | AC-time_count_webapp |
| NSFOCUS behavior audit series | Behavior audit | NSFOCUS | SAS NX3 series |
| NSFOCUS behavior audit series | Behavior audit | NSFOCUS | SAS NX5 series |
| H3C application control gateway series | Application control gateway | H3C | ACG1000 series |
| H3C application control gateway series | Application control gateway | H3C | Card series |
| H3C application system series | Application system | H3C | BPM system |
| H3C application system series | Application system | H3C | Citrix system |
| H3C application system series | Application system | H3C | CMS system |
| H3C application system series | Application system | H3C | CRM system |
| H3C application system series | Application system | H3C | ERP system |
| H3C application system series | Application system | H3C | PMO system |
| H3C application system series | Application system | H3C | PMS system |
| H3C application system series | Application system | H3C | Security event check system |
| H3C application system series | Application system | H3C | ARL (Asset Reconnaissance Lighthouse) system |
| H3C application system series | Application system | H3C | Network DLP system |
| H3C application system series | Application system | H3C | Zhiliao Community |
| H3C application system series | Application system | H3C | Endpoint DLP system |
| QI-ANXIN endpoint access control series | Endpoint access control | QI-ANXIN | Trusted Application Proxy (TAP) |
| QI-ANXIN endpoint access control series | Endpoint access control | QI-ANXIN | Trusted API Proxy (TIP) |

Manage assets
This feature allows you to manage assets in the user network. After asset information is entered, the administrator can manage the assets uniformly and group them by asset type for more detailed monitoring and management. In addition, the feature supports synchronizing assets as log sources. Upon successful synchronization, when security incidents occur on the assets, they will be recorded as logs and reported to this system for analysis.
Procedure
1. Select Configuration > Asset Management > Asset List.
2. Configure search criteria such as asset name and asset IP, and click Search to view the required asset information. No search criteria are configured by default, and the system displays all assets.
3. To reset the search criteria, click Reset.
4. You can filter asset information by clicking the tree-structured asset types and organizations on the left.
Parameters
· Asset Name: Unique identifier of the asset.
· Asset IP: IP address of the asset.
· Asset Level: Importance level of the asset.
· Group Name: Name of the group to which the asset belongs.
· Asset Type: Type of the asset.
· Organizational Structure: Organizational structure to which the asset belongs.
· Synchronized Log Sources: Whether the asset has been synchronized as a passive log source.
· Actions:
○ To view details of an asset, click Details.
○ To edit information for an asset, click Edit.
○ To sync an asset as a passive log source, click Sync.
○ To delete an asset, click Delete.
Restrictions and guidelines
The predefined asset types under the predefined group names such as server, endpoint, and IoT do not include vendor and model information, and do not support log source synchronization. If synchronization is required, you must configure the information in the asset type management list in advance.
Manage asset types
Use this feature to view, edit, add, or delete custom asset type information.
Procedure
1. Select Configuration > Asset Management > Asset Type Management.
2. View asset type information: Filter asset types by group name, asset type, vendor, or model by entering the keyword, and click Search. To reset the filter criteria, click Reset.
3. Add an asset type: Click Add to add custom asset type information.
4. Delete asset types: Select one or multiple asset types and click Delete to delete them in bulk. Click Delete in the Actions column for an asset type to delete only that asset type.
5. Edit asset type information: Click Edit in the Actions column to edit the information for the specified asset type.
Parameters
· Group Name: Group to which the asset type belongs.
· Asset Type: Type to which an asset belongs.
· Vendor: Vendor of the asset type.
· Model: Model of the asset type.
· Description: Description of the asset type.
· Actions: Supports editing and deleting asset types, and viewing asset type details.
Add an asset type
Procedure
1. Select Configuration > Asset Management > Asset Type Management.
2. Click Add.
3. Configure related parameters.
4. Click OK. To cancel your operation, click Cancel.
Parameters
· Group Name: Name of the group to which the asset type belongs.
· Asset Type: Type to which an asset belongs.
· Vendor: Vendor of the asset type.
· Model: Model of the asset type.
· Description: Description of the asset type.
Edit an asset type
Procedure
1. Select Configuration > Asset Management > Asset Type Management.
2. Click Edit in the Actions column for an asset type.
3. Edit related parameters.
4. Click OK. To cancel your modification, click Cancel.
Parameters
· Group Name: Name of the group to which the asset type belongs.
· Asset Type: Type to which an asset belongs.
· Vendor: Vendor of the asset type.
· Model: Model of the asset type.
· Description: Description of the asset type.
Manage assets
Use this feature to manage asset types (including adding, editing, deleting, and viewing asset types), filter assets by asset type or organizational structure, manage asset type groups (including adding and deleting groups as well as editing group names), and manage the organizational structure to which assets belong (including adding and deleting organizational nodes as well as editing node names).
Edit a group name
Use this feature to edit a custom group name, and add or delete custom groups.
Procedure
1. Select Configuration > Asset Management > Asset List.
2. Click Edit Group Name.
3. Click Add to add a custom group. Click Rename to edit the name of a custom group. Click Delete to delete a custom group.
4. Click OK.
Edit the organizational structure
This feature allows you to edit the organizational structure, including adding, editing, and deleting nodes.
Procedure
1. Select Configuration > Asset Management > Asset List.
2. Click Edit Structure.
3. Click the add icon to add a node. Click the edit icon to edit the organizational structure name. Click the delete icon to delete a node.
4. Click OK.
Join the organizational structure
The feature enables an asset to join an organizational structure, including adding, editing, and deleting nodes.
Procedure
1. Select Configuration > Asset Management > Asset List.
2. Select an asset that requires editing the organizational structure. Click Join Organizational Structure.
3. Click the add icon to add a node. Click the edit icon to edit the organizational structure name. Click the delete icon to delete a node.
4. Click a node name. After you complete configuration, click OK.
Import assets
This feature allows you to import assets in bulk.
Procedure
1. Select Configuration > Asset Management > Asset List.
2. Click Import > Import Assets, and select the assets you want to import.
3. Download the asset bulk import template, enter the asset parameters as required, and save it.
4. Click or drag the saved template file to the gray area.
5. To view the detailed time and result for the most recent asset import operation, click Import > Operation Result.
Export assets
Use this feature to export asset information.
Procedure
1. Select Configuration > Asset Management > Asset List.
2. Select the assets to be exported, and click Export. The exported file is an Excel file.
Synchronize log sources
This feature allows you to synchronously add a specific asset as a passive log source.
Procedure
1. Select Configuration > Asset Management > Asset List.
2. Click Sync in the Actions column for an asset.
3. Enter log source information and then click OK.
Parameters
· Asset Type: Asset type to which the log source belongs.
· Vendor: Device vendor for the log source.
· Model: Device model for the log source.
· Associated Collector: Select the collector associated with the log source, indicating that this collector is responsible for receiving log data reported from the log source.
· Associated Collector IP: IP address of the collector associated with the log source.
· Add port information: Click Add to configure the log information reported by the log source.
○ Report Protocol: Select a protocol used by the device to send log data.
○ Report Port: Enter a port number used by the collector to receive log data.
○ Code: Select a log encoding method.
○ Log Type: Select the type of log data that the device sends. The default log type varies by device type.
Restrictions and guidelines
· You must use different port numbers on the collector to receive the log data sent by the same log source through different protocols.
· Collectors in offline state cannot be associated.
· For binary log data (for example, log data of NetStream and AAA) to be parsed successfully, you must select bin as the encoding method.
· Only SNMPv2c traps can be resolved.
· Chinese characters contained in logs generated by SNMP will be displayed in hexadecimal format.
Add or edit an asset
This feature allows you to add a new asset or edit existing asset information.
Procedure
1. Select Configuration > Asset Management > Asset List.
2. To add an asset, click Add. To edit an asset, click Edit in the Actions column for that asset.
3. Enter asset information and then click OK.
Parameters
· Asset Name: Unique identifier of the asset. As a best practice, enter the actual name of the device.
· Asset IP: Configure the IP address of the asset.
· Asset Level: Importance level of the asset.
· Organizational Structure: Select the organizational structure to which the asset belongs.
· Asset Type: Select the type of the asset.
· Description: Enter a description that helps administrators quickly identify the asset.
Delete assets
This feature allows you to delete assets.
Procedure
1. Select Configuration > Asset Management > Asset List.
2. Delete the specified assets. To delete a specific asset, click Delete in the Actions column for that asset. To delete one or multiple assets in bulk, select the assets, and then click Delete.
Manage logs
This page allows you to forward and import logs, enabling data integration with other systems. Log forwarding allows you to forward logs from this platform to other systems. Log importing allows you to import log files that cannot be collected by collectors into this platform for analysis and processing.
Log forwarding
Configure log forwarding tasks to forward logs collected by this platform to other log analysis platforms or log receiving systems.
Configure Syslog forwarding
This page allows you to forward logs collected by the platform to other platforms via the Syslog protocol.
Parameters
· Destination IP: IPv4 or IPv6 address that receives the log data forwarded by the platform.
· Destination Port: Port that receives the log data forwarded by the platform.
· Transport Protocol: Transport protocol used by the platform to forward log data.
· Log Source: The system forwards the log data reported by the selected log source.
· Asset Type: Device type of the log source.
· Log source IP: IP address of the log source.
· Log Severity: Severity of the forwarded logs.
· Forwarded Content: Forwarded log fields.
· Enabling Status: Enabled or disabled state. Enabled indicates that the system forwards logs according to the log forwarding task. Disabled indicates that the system does not forward logs according to the log forwarding task.
Add a log forwarding task
Perform this task to configure a log forwarding task.
Procedure
1. Select Configuration > Log Management > Log Forwarding.
2. On the Syslog Forwarding tab, click Add to add a log forwarding task.
3. Configure related parameters, and then click OK.
Parameters
· Destination IP: IPv4 or IPv6 address to receive the log data forwarded from this platform.
· Destination Port: Port to receive the log data forwarded from this platform.
· Transport Protocol: Select the protocol for transporting the logs.
· Log Source: The system forwards the log data reported by the selected log source. If you select multiple log sources, the system will generate multiple log forwarding tasks.
· Filter Conditions: Configure filter conditions.
· Forwarded Content: Select the contents to be forwarded.
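The Syslog forwarding task described in the two parameter lists above, as an added Python example (not code from the documentation or the product): the task holds the destination, transport, log source and severity filters and the forwarded content; logs that pass the filters are rendered as RFC 5424 messages carrying only the selected fields and sent over UDP or TCP. The sample logs, the severity names, the facility and the structured-data ID are constructed assumptions.

```python
import socket
from dataclasses import dataclass, field

# Syslog severity numbers (RFC 5424 PRI); the Log Severity filter keeps logs
# at the configured level or more severe. Names are an assumption.
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notice": 5, "informational": 6, "debug": 7}

# Constructed normalized logs as the platform might hold them after adaptation.
LOGS = [
    {"log_source": "fw01", "source_ip": "10.0.0.5", "severity": "critical",
     "log_type": "security log", "message": "attack detected", "time": "2023-04-24T10:00:00Z"},
    {"log_source": "fw01", "source_ip": "10.0.0.7", "severity": "informational",
     "log_type": "operation log", "message": "session closed", "time": "2023-04-24T10:00:01Z"},
    {"log_source": "sw01", "source_ip": "10.0.1.2", "severity": "error",
     "log_type": "operation log", "message": "link down", "time": "2023-04-24T10:00:02Z"},
]

@dataclass
class SyslogForwardingTask:
    destination_ip: str
    destination_port: int = 514
    transport: str = "udp"                        # "udp" or "tcp"
    log_sources: set = field(default_factory=set) # empty set = every log source
    min_severity: str = "debug"                   # forward this level and more severe
    forwarded_content: tuple = ("time", "log_source", "source_ip", "severity", "message")
    enabled: bool = True

def select_logs(task, logs):
    """Apply the task's enabling state, log source filter and severity filter."""
    if not task.enabled:
        return []
    limit = SEVERITY[task.min_severity]
    return [log for log in logs
            if (not task.log_sources or log["log_source"] in task.log_sources)
            and SEVERITY[log["severity"]] <= limit]

def _sd_value(value):
    """Escape the three characters RFC 5424 forbids unescaped in a PARAM-VALUE."""
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")

def format_syslog(task, log, facility=16):
    """Render one log as an RFC 5424 message carrying only the forwarded fields.
    Facility 16 is local0; PRI = facility * 8 + severity."""
    pri = facility * 8 + SEVERITY[log["severity"]]
    params = " ".join(f'{k}="{_sd_value(log[k])}"'
                      for k in task.forwarded_content if k in log and k != "message")
    # fwd@32473 uses the enterprise number reserved for documentation (RFC 5612).
    structured = f"[fwd@32473 {params}]" if params else "-"
    msg = log["message"] if "message" in task.forwarded_content else ""
    return f'<{pri}>1 {log["time"]} {log["log_source"]} platform - - {structured} {msg}'.rstrip()

def forward(task, logs):
    """Send the selected logs to the destination; returns the number sent."""
    messages = [format_syslog(task, log) for log in select_logs(task, logs)]
    if not messages:
        return 0
    family = socket.AF_INET6 if ":" in task.destination_ip else socket.AF_INET
    if task.transport == "udp":
        with socket.socket(family, socket.SOCK_DGRAM) as s:
            for m in messages:
                s.sendto(m.encode(), (task.destination_ip, task.destination_port))
    else:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.connect((task.destination_ip, task.destination_port))
            for m in messages:
                data = m.encode()
                s.sendall(f"{len(data)} ".encode() + data)  # octet-counting framing (RFC 6587)
    return len(messages)

if __name__ == "__main__":
    task = SyslogForwardingTask("192.0.2.20", 514, "udp", {"fw01"}, "error")
    for log in select_logs(task, LOGS):
        print(format_syslog(task, log))
```

The severity filter is expressed as "this level or more severe", which is how a receiving SIEM usually expects it; selecting several log sources in the platform creates one task per source, which here corresponds to one task object per source name.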
Delete log forwarding tasks
Perform this task to delete log forwarding tasks. After a log forwarding task is deleted, the platform will not forward logs based on the configuration in the task.
Procedure
1. Select Configuration > Log Management > Log Forwarding. You are placed on the Syslog Forwarding tab.
2. To delete log forwarding tasks in bulk, select the target log forwarding tasks, and then click the Delete button above the log forwarding task list. To delete a single log forwarding task, click the Delete icon in the Actions column for that log forwarding task.
Enable log forwarding tasks
Perform this task to enable log forwarding tasks. After a log forwarding task is enabled, the platform will start forwarding logs according to that forwarding task.
Procedure
1. Select Configuration > Log Management > Log Forwarding. You are placed on the Syslog Forwarding tab.
2. To enable log forwarding tasks in bulk, select the target log forwarding tasks, and then click the Enable button above the log forwarding task list. To enable a single log forwarding task, click the enable icon in the Actions column for that log forwarding task.
Disable log forwarding tasks
Perform this task to disable log forwarding tasks. After a log forwarding task is disabled, the platform will not forward logs according to that forwarding task.
Procedure
1. Select Configuration > Log Management > Log Forwarding. You are placed on the Syslog Forwarding tab.
2. To disable log forwarding tasks in bulk, select the target log forwarding tasks, and then click the Disable button above the log forwarding task list. To disable a single log forwarding task, click the disable icon in the Actions column for that log forwarding task.
Configure Kafka forwarding
This feature allows you to forward logs collected by the platform to the Kafka platform.
Procedure
1. Select Configuration > Log Management > Log Forwarding. Click the Kafka Forwarding tab.
2. Configure related parameters, and then click OK.
Parameters
· Enabling Status: Enabling status of the Kafka forwarding function.
· Node: IP address and port number of the Kafka platform that receives the log data from the log audit platform.
· Topic: Topic of the platform that receives the log data forwarded by the log audit platform.
· Log Source: The platform will forward the log data reported by the selected log source to the Kafka platform.
· Filter Conditions: Configure filter conditions.
· Forwarding Log Type: Select the types of logs to be forwarded to the Kafka platform.
Configuration scenario
The listening address in the Kafka configuration file is the IP address of its host machine. You must configure the node parameter as the IP address and port number of the host where Kafka resides.
Restrictions and guidelines
· If the listening address in the Kafka configuration file is set to the host name of the local machine, the connection to Kafka fails and the logs of this platform cannot be forwarded to the Kafka platform.
· If the listening address in the Kafka configuration file is set to a host name that the hosts file maps to the NIC IP address, the connection to Kafka also fails and the logs of this platform cannot be forwarded to the Kafka platform.
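The configuration scenario and the two restrictions above, as an added configuration example (not from the documentation or the product): the Kafka broker listener settings that cause the connection failure beside the settings that work. The host name, IP address and port are placeholders; `listeners` and `advertised.listeners` are the standard keys of a Kafka broker's server.properties.

```properties
# Kafka broker server.properties (constructed example, placeholder values)

# Fails: the broker advertises itself by host name. The platform then tries to
# connect by that name, which it cannot resolve, so forwarding never starts.
# The same applies when the name resolves only through the broker's own
# hosts file.
#listeners=PLAINTEXT://kafka-host:9092
#advertised.listeners=PLAINTEXT://kafka-host:9092

# Works: bind on the host's interfaces and advertise the NIC IP address.
listeners=PLAINTEXT://0.0.0.0:9092
advertised.listeners=PLAINTEXT://192.0.2.10:9092
```

With the working settings, the Node parameter on the Kafka Forwarding tab is entered as the same IP address and port, here 192.0.2.10:9092; the broker must be reachable on that address from the platform, not only from the broker host itself.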
Import logs
Perform this task to import local .log or .txt log files to the system for analysis. If logs cannot be uploaded from the active or passive log sources, save the log files to the local storage and then upload the files to the system.
Parameters
· Log Source Name: Identifier of the log import record.
· Asset Type: Type of the device that generated the log file.
· Vendor: Vendor of the device that generated the log file.
· Model: Model of the device that generated the log file.
· File Encoding Method: Select the encoding method for the logs in the log file.
· Protocol: Select the protocol that the log source uses to report the logs.
· Log File Name: Name of the log file.
· Imported at: Time at which the log file is imported.
Import log files
Perform this task to import local .log or .txt log files. The log file to be imported must be larger than 0 KB.
Procedure
1. Select Configuration > Log Management > Log Importing.
2. Click Add to add a log import task.
3. Configure related parameters, and then click OK.
Parameters
· Log Source Name: Name that uniquely identifies a log import record.
· Asset Type: Type of the device that generated the log file.
· Vendor: Vendor of the device that generated the log file.
· Model: Model of the device that generated the log file.
· File Encoding Method: Select the encoding method for the logs in the log file.
· Protocol: Select the protocol that the log source uses to report the logs.
· Log File: Select the log file to be uploaded. Only one log file can be uploaded at a time.
Delete log import records
Perform this task to delete log import records. Deletion of the import records does not affect upload of log files to the collector.
Procedure
1. Select Configuration > Log Management > Log Importing.
2. To bulk delete log import records, select multiple log import records, and click Delete. To delete a single log import record, click the Delete icon in the Actions column for that record.
Manage alarms
From the alarm management menu, you can configure alarm notification policies for security events and view the alarm notification records. Within a detection interval, a security event is generated if the log messages reported by a log source match a correlation rule. If the log source is monitored by an alarm notification policy, the system generates an alarm email or SMS for this security event and sends the alarm to the person in charge according to the alarm notification policy.
Manage alarm policies
Perform this task to manage alarm notification policies. Within a detection interval, an alarm is generated if a log message reported by a log source matches the rules of an alarm notification policy and a security event is triggered. The system generates alarm information and notifies the person in charge through email or SMS.
Procedure
1. Select Configuration > Alarm Management > Alarm Policies.
2. Click Add. In the window that opens, configure basic policy information.
3. Click OK. The newly added alarm policy is enabled by default.
4. To enable or disable alarm policies in bulk, select the alarm policies, and then click Enabled or Disabled. To change the enabling state for an alarm policy, turn on or turn off the option in the Enabling State column for that alarm policy.
5. To view detailed information about an alarm policy, including basic information, triggering conditions, and alarm method, click Details in the Actions column for that alarm policy.
6. To edit parameters for an alarm policy, click Edit in the Actions column for that alarm policy.
7. To delete alarm policies in bulk, select the alarm policies, and then click Delete. To delete a specific alarm policy, click Delete in the Actions column for that alarm policy.
Parameters
· Policy Name: Unique identifier of the alarm notification policy.
· Alarm Type: By default, the system generates alarms for security events matching the policy rules.
· Alarm Notification Method: Method through which alarms are notified. Options include email and SMS. You must also specify the alarm recipients.
· Created At: Time when the alarm policy was created.
· Updated At: Time when the alarm policy was updated.
· Notification Interval: Interval at which an alarm task is executed. If a security event matching the triggering condition is detected during a detection interval, the system sends alarm information.
· Policy Description: Description of the alarm notification policy. A proper description helps you quickly identify the policy.
· Enabling State: Enabling state of the alarm policy.
· Log Source Names: Name of the log source monitored by the alarm notification policy. The system generates an alarm if log messages reported by the log source match the policy rules and a security event is triggered.
· Correlation Rules: Rules of the alarm notification policy. The system generates alarms for log messages matching the policy rules.
Restrictions and guidelines
· For the system to send alarm notifications, you must also configure the email server or short message settings on the Settings > Global Settings page.
· To use the email or short message notification method, you must specify email addresses or phone numbers of the alarm recipients, respectively.
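The alarm policy semantics described above (monitored log sources, correlation rules, a notification interval, and recipients per notification method), as an added Python example that is not code from the documentation or the product: security events are matched against the policy, grouped by detection interval, and one alarm record per interval is produced, with recipients only for the methods that have addresses configured. The events, rule names, interval and addresses are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed security events (time in seconds, sample data).
EVENTS = [
    {"time": 0,   "log_source": "fw01", "rule": "brute-force login", "detail": "50 failures from 10.0.0.5"},
    {"time": 20,  "log_source": "fw01", "rule": "brute-force login", "detail": "60 failures from 10.0.0.5"},
    {"time": 45,  "log_source": "sw01", "rule": "brute-force login", "detail": "unmonitored source"},
    {"time": 70,  "log_source": "fw01", "rule": "port scan",         "detail": "rule not in policy"},
    {"time": 130, "log_source": "fw01", "rule": "brute-force login", "detail": "12 failures from 10.0.0.8"},
]

@dataclass
class AlarmPolicy:
    name: str
    log_source_names: set      # log sources monitored by the policy
    correlation_rules: set     # rules whose security events trigger an alarm
    notification_interval: int # seconds; the detection interval of the alarm task
    methods: dict              # {"email": [addresses], "sms": [phone numbers]}
    enabled: bool = True

def matches(policy, event):
    """A security event triggers the policy when both its log source and its rule are covered."""
    return (event["log_source"] in policy.log_source_names
            and event["rule"] in policy.correlation_rules)

def run_policy(policy, events):
    """Return one alarm per detection interval in which at least one matching event occurred."""
    if not policy.enabled:
        return []
    if not any(policy.methods.values()):
        # The guidelines require recipients for the chosen notification method.
        raise ValueError("alarm recipients (email addresses or phone numbers) are required")
    buckets = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if matches(policy, ev):
            window = ev["time"] // policy.notification_interval
            buckets.setdefault(window, []).append(ev)
    alarms = []
    for window, evs in sorted(buckets.items()):
        alarms.append({
            "policy": policy.name,
            "alarm_type": "security event",
            "interval_start": window * policy.notification_interval,
            "event_count": len(evs),
            "content": "; ".join(f'{e["log_source"]}: {e["rule"]} ({e["detail"]})' for e in evs),
            "recipients": {m: r for m, r in policy.methods.items() if r},
        })
    return alarms

if __name__ == "__main__":
    policy = AlarmPolicy("brute force watch", {"fw01"}, {"brute-force login"}, 60,
                         {"email": ["soc@example.com"], "sms": []})
    for alarm in run_policy(policy, EVENTS):
        print(alarm)
```

Grouping by interval is what keeps a noisy correlation rule from producing one email or SMS per event: the two matching events at 0 s and 20 s fall into the same 60 s window and yield a single alarm, while the event at 130 s lands in a later window and yields a second one.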
Manage alarm records
Perform this task to view triggered alarms, including log generation time, alarm policy name, alarm method, alarm type, and alarm content.
Procedure
1. Select Configuration > Alarm Management > Alarm Records.
2. On the Alarm Records page, you can view relevant information about triggered alarms.
3. To view detailed information about an alarm record, click Details in the Actions column for that alarm record.
4. To delete one or multiple alarm records, select the alarm records, and then click Delete above the list. To delete a specific alarm record, click Delete in the Actions column for that alarm record.
Restrictions and guidelines
By default, the system automatically clears alarm records older than 30 days. The cleanup runs once a day at 1 am.
Diagnosis center
Use this feature to check whether network connections are available.
Perform network diagnosis
Perform this task to check whether a network connection is available. You can use the ping, Telnet, and traceroute methods to analyze and diagnose network faults.
· Ping—Use this function to check whether a specific address is reachable and whether the network path to it is faulty.
· Telnet—Use this function to check whether a specific TCP port at a given address is open.
· Traceroute—Use this function to view the Layer 3 devices that an IP packet passes through from the source to the destination, to locate where a connection fails.
Procedure
1. Select Configuration > Diagnosis Center > Network Diagnostics.
2. In the Diagnostic Conditions area, select the diagnostic method, configure the corresponding parameters, and then click Start Diagnostics.
3. After the operation, check the diagnostic result in the Diagnostic Result area.
Parameters
· IP Version: Select the version of the destination IP addresses. Options include IPv4 and IPv6.
· Destination IP or Host Name: Enter the IP address or host name to be diagnosed. When the IP version is IPv6, the ping, Telnet, and traceroute methods do not support diagnosing a host name.
Restrictions and guidelines
For Telnet diagnosis over IPv6, the destination must be specified as an IPv6 link address. Diagnosis of other IPv6 addresses is not supported with this method.
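The Telnet method above is a TCP connect test, which can be reproduced from any host with a standard socket. The example below is added here and is not H3C code: it resolves the target with getaddrinfo so one function handles IPv4 literals, IPv6 literals and host names, and it starts a throwaway local listener so the check can be exercised without network access. The function names and the loopback listener are constructed for the example; the platform's own diagnostic implementation is not shown on this page.

```python
"""Added example (not H3C code): a Telnet-style TCP port check."""
import socket
import threading


def port_open(host: str, port: int, timeout: float = 2.0,
              family: int = socket.AF_UNSPEC) -> bool:
    """Return True if a TCP connection to host:port succeeds.

    getaddrinfo handles IPv4/IPv6 literals and host names alike. A link-local
    IPv6 target must carry its zone index (for example fe80::1%eth0) or the
    connect fails with "invalid argument" rather than "unreachable".
    """
    try:
        infos = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return False          # name did not resolve: treat as closed/unreachable
    for fam, typ, proto, _canon, addr in infos:
        sock = socket.socket(fam, typ, proto)
        sock.settimeout(timeout)
        try:
            sock.connect(addr)
            return True       # first address that accepts the connection wins
        except OSError:
            continue          # refused, timed out, or unreachable: try next address
        finally:
            sock.close()
    return False


def _start_loopback_listener() -> int:
    """Open a one-shot TCP listener on 127.0.0.1 and return its port (test fixture)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        try:
            conn, _ = srv.accept()
            conn.close()
        except OSError:
            pass
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def _unused_loopback_port() -> int:
    """Bind to an ephemeral port and release it, so nothing listens there."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo():
    """Check one listening and one closed loopback port; returns (True, False)."""
    return port_open("127.0.0.1", _start_loopback_listener()), \
           port_open("127.0.0.1", _unused_loopback_port())


if __name__ == "__main__":
    listening, closed = demo()
    print("listening port open:", listening)
    print("closed port open:", closed)
```

Ping and traceroute are not reproduced here because they need ICMP raw sockets and therefore elevated privileges; a TCP connect test needs none, which is why it is the most portable of the three checks.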
Capture packets
Perform this task to capture packets in both directions on the collector server and save them as .pcap files that Wireshark (a network packet analyzer) can read. After capturing packets, you can download the capture files from the page to analyze and diagnose the traffic sent and received by the collector server.
Procedure
1. Select Configuration > Diagnosis Center > Packet Capture.
2. In the Packet Capture Parameter Settings area, configure the relevant parameters and then click Start Capturing Packets.
3. After completing the operation, download the capture files from the Packet Capture Files area.
Parameters
· Collector IP: Specify the IP address of a collector. Packets will be captured for only the server where the collector resides.
· Interface: Select the network interface card (NIC) of the collector server on which to capture.
· Protocol: Specify the protocol whose packets are to be captured.
· Duration: Specify the duration for the capture action. The system will stop capturing packets once the configured time is reached.
· Max File Size: Specify the maximum size of each capture file. The system keeps capturing for the specified duration; each time the captured data reaches the specified size, the current file is closed and a new capture file is started.
· Source Host: Capture only the packets sourced from the specified IP address or host name.
· Source Port: Capture only the packets with the specified source port number.
· Destination Host: Capture only the packets destined for the specified IP address or host name.
· Destination Port: Capture only the packets with the specified destination port number.
Restrictions and guidelines
The packet capture feature has a maximum storage capacity of 10 GB and retains only the most recent capture file. Download the files you need promptly.
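The filters above (protocol, source and destination host, source and destination port) are the usual way to narrow a capture, and the resulting .pcap file is a simple record format that can be inspected without Wireshark. The example below is added here and is not H3C code: it builds a small, constructed capture of Ethernet/IPv4 frames in the classic pcap format, reads it back, and applies the same five filter parameters. Host filters accept IPv4 literals only (an assumption; the platform also accepts host names), and the frame builders, sample addresses and helper names are constructed for the example.

```python
"""Added example (not H3C code): write, read and filter a classic pcap capture."""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
PROTO_NAME = {1: "icmp", 6: "tcp", 17: "udp"}


def _ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (checksum left zero; fine for parsing, not for sending)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def _ethernet(ip_packet):
    # Constructed locally administered MACs, ethertype 0x0800 (IPv4).
    return bytes.fromhex("02000000000a") + bytes.fromhex("020000000005") + b"\x08\x00" + ip_packet


def tcp_frame(src, sport, dst, dport, payload=b""):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x18, 65535, 0, 0) + payload
    return _ethernet(_ipv4(src, dst, 6, tcp))


def udp_frame(src, sport, dst, dport, payload=b""):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return _ethernet(_ipv4(src, dst, 17, udp))


def icmp_echo_frame(src, dst):
    return _ethernet(_ipv4(src, dst, 1, struct.pack("!BBHHH", 8, 0, 0, 1, 1)))


def write_pcap(frames, ts0=1700000000):
    """Serialize frames as a little-endian classic pcap file (bytes)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", ts0 + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Yield (timestamp, frame) from classic pcap bytes, either byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is decoded here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def decode(frame):
    """Decode Ethernet/IPv4 and the L4 ports; returns None for non-IPv4 frames."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    l4 = frame[14 + ihl:]
    sport = dport = None
    if proto in (6, 17) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
    return {"proto": PROTO_NAME.get(proto, str(proto)), "src": socket.inet_ntoa(frame[26:30]),
            "sport": sport, "dst": socket.inet_ntoa(frame[30:34]), "dport": dport}


def filter_capture(data, protocol=None, src_host=None, src_port=None, dst_host=None, dst_port=None):
    """Apply the page's five filter parameters; None means no restriction."""
    matched = []
    for _ts, frame in read_pcap(data):
        p = decode(frame)
        if p is None:
            continue
        if (protocol and p["proto"] != protocol) or (src_host and p["src"] != src_host) \
           or (src_port and p["sport"] != src_port) or (dst_host and p["dst"] != dst_host) \
           or (dst_port and p["dport"] != dst_port):
            continue
        matched.append(p)
    return matched


def build_sample_capture():
    """Constructed traffic: syslog to a collector at 10.0.0.10 plus unrelated frames."""
    return write_pcap([
        tcp_frame("10.0.0.5", 51514, "10.0.0.10", 514, b"<34>1 host app - - - login failed"),
        udp_frame("10.0.0.7", 40000, "10.0.0.10", 514, b"<13>host app: ok"),
        tcp_frame("10.0.0.10", 443, "10.0.0.5", 51515),
        icmp_echo_frame("10.0.0.9", "10.0.0.10"),
    ])


if __name__ == "__main__":
    cap = build_sample_capture()
    for p in filter_capture(cap, dst_host="10.0.0.10"):
        print(p)
```

The bytes returned by write_pcap can be written to a file and opened in Wireshark or tcpdump; reading a downloaded capture is the reverse path, read_pcap on the file contents. Only classic pcap is handled, not pcapng, which is what the page says the platform produces.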
Upgrade the system
Perform this task to upgrade the system software online.
Procedure
1. Select Configuration > System Upgrade.
2. Click Select Upgrade Package, select the correct upgrade package, and then click OK to start the upgrade. Do not refresh the page during the upgrade.
3. After the upgrade finishes, you can view the successful upgrade record on the version upgrade history page.
Restrictions and guidelines
During the upgrade, the collector goes offline and an offline notification is displayed. Close the notification and wait for the upgrade to complete. After the upgrade succeeds, the collector automatically comes back online.
