SDEE Collection: Configuration Parameters

Document created by RSA Information Design and Development on May 9, 2016
Last modified by RSA Information Design and Development on May 4, 2017

This topic describes the Security Device Event Exchange (SDEE) event source parameters.

Use the SDEE option on the Log Collector Config View Event Sources tab to add and maintain configuration parameters for collecting Intrusion Detection System (IDS) data (for example, Cisco Secure IDS messages) formatted under the SDEE standard.

To access the SDEE Event Source Configuration Parameters:

  1. In the Security Analytics menu, select Administration > Services.
  2. In the Services grid, select a Log Collector service.
  3. Click the expand button under Actions and select View > Config.
  4. In the Event Sources tab, select SDEE/Config from the drop-down menu.


The SDEE/Config view in the Event Sources tab has two panels: Event Categories and Sources.

Event Categories Panel

In the Event Categories panel, you can add or delete the appropriate event source types.

Add icon: Displays the Available Event Source Types dialog, from which you select the event source type for which you want to define parameters.
Delete icon: Deletes the selected event source types from the Event Categories panel.
Check box: Selects event source types.
Name: Displays the names of the event source types that you have added.

Available Event Source Types Dialog

The Available Event Source Types dialog displays the list of supported event source types.

Check box: Selects the event source type that you want to add.
Type: Displays the event source types that are available to add.
Cancel: Closes the dialog without adding an event source type.
OK: Adds the selected event source type to the Event Categories panel.

Sources Panel

Use this panel to review, add, modify, and delete event sources.

Toolbar

The following table provides descriptions of the toolbar options.

Add icon: Displays the Add Source dialog, in which you define the parameters for a host.
Delete icon: Deletes the host that you selected.
Edit icon: Opens the Edit Source dialog, in which you edit the parameters for the selected event source. Select multiple event sources and click the edit icon to open the Bulk Edit Source dialog, in which you can edit the parameter values for the selected event sources.
Import Source icon: Opens the Bulk Add Option dialog, in which you can import hosts in bulk from a comma-separated values (CSV) file.
Export Source icon: Creates a .csv file that contains the parameters for the selected hosts.

Refer to the Log Collection Configuration Guide for detailed information on how to import, export, and edit event sources in bulk.

Add or Modify Source Dialog

In this dialog, you add or modify an event source.

Source Parameters: Lists the parameters populated with their default values. Enter or modify the appropriate values.
Cancel: Closes the dialog without adding an event source or saving the parameter values for the selected event sources.
OK: In the Add Source dialog, adds the event source and its parameters. In the Modify Sources dialog, applies the parameter value changes to the selected event source.

Add or Edit Source Parameters

The following table provides descriptions of the source parameters. Parameters marked with an asterisk (*) are shown as such in the dialog.

Basic

Name *: Name of the event source.
Username *: User name used to authenticate with the event source.
Password *: Password used to authenticate with the event source.
Caution: The password is encrypted internally and is displayed in its encrypted form.
Address *: IP address of the event source, that is, the IDS sensor.
Enabled: Select the check box to enable the event source configuration and start collection. The check box is selected by default.
Certificate Name: Certificate name for secure connections, used when the transport mode is https. Valid values are the certificates currently in your trust store, which you created using the Settings tab.
Note: If you leave this field blank, Security Analytics does not validate the event source's certificate.

Advanced

Port: Port number. A valid port number is any number from 1 through 65535. The default is 443.
SSL Version: Version of SSL/TLS through which the event source is configured to communicate. Valid values are:
  • tlsv1 (default)
  • sslv2
  • sslv3
Note: sslv2 and sslv3 are obsolete protocol versions with known weaknesses; keep the default (tlsv1) unless the sensor cannot negotiate it.
Include Raw Event Data: Select the check box to include the raw XML data for each event returned by the SDEE event source in the event data sent to the Log Decoder. The check box is not selected by default.
Note: This parameter is only supported for content 3.0 data.
Save Raw XML Files: Select the check box to write raw data to /var/netwitness/logcollector/runtime/sdee/saved_raw_events. The check box is not selected by default.
Saved File Quota: Amount of disk space available for saved XML files. The valid value is the number of Kilobytes, Megabytes, or Gigabytes that you want to allocate. Security Analytics defaults to 100 Megabytes.
Subscription Event Types: (Applies only to the initial subscription request.) Filters events by the specified subscription event types (for example, IDS alerts). The default is evIdsAlert.

Force Subscription: (Applies only to the initial subscription request.) Select the check box if you want the SDEE server to create a subscription even when the maximum number of subscriptions is already open. The check box is selected by default.
Note: The server closes an existing subscription to accommodate the new one.

Subscription Severity Filter: (Applies only to the initial subscription request.) All events generated by an SDEE event source have a severity level assigned to them. Use this parameter to filter event messages by severity. If you leave this field blank, Security Analytics collects all events regardless of severity level. For example, to collect only events with medium and high severity levels, specify the following string in this parameter:
medium+high

Subscription Time Offset: (Applies only to the initial subscription request.) Specifies how far back in time (in seconds) to start pulling events. By default, collection starts from the time of subscription.

Polling Interval: Interval (in seconds) between polls. The default value is 180.
For example, if you specify 180, the collector schedules a poll of the event source every 180 seconds. If the previous polling cycle is still underway, the collector waits for that cycle to finish. If you are polling a large number of event sources, it may take longer than 180 seconds for a poll to start because the collector threads are busy.

Max Events Poll: Maximum number of events collected per polling cycle.
Query Timeout: Value (in seconds) passed to the SDEE event source that tells the server how long to wait before responding when there is no data.
URL Parameters: Appends parameters to the URL string (for example, /cgi-bin/sdee-server.cgi).
URL Path: URL path for the SDEE server.
URL Protocol: Valid values are:
  • http
  • https

Debug: Enables or disables debug logging for the event source. Valid values are:
  • Off = (default) disabled
  • On = enabled
  • Verbose = enabled in verbose mode; adds thread information and source context information to the messages.
Caution: Only enable debugging (set this parameter to "On" or "Verbose") if you have a problem with an event source and need to investigate it. Enabling debugging adversely affects the performance of the Log Collector.
This parameter is designed to debug and monitor isolated event source collection issues. If you change this value, the change takes effect immediately (no restart required). Debug logging is verbose, so limit the number of event sources for which it is enabled to minimize the performance impact.
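As an added illustration of the Subscription Severity Filter and Include Raw Event Data parameters described above (example code written for this page, not part of Security Analytics or the SDEE collector), the following Python parses a "medium+high" style filter string and applies it to a constructed batch of raw SDEE event XML. The severity names other than medium and high, the element layout and the namespace URI are assumptions.

```python
import xml.etree.ElementTree as ET

# Severity levels an SDEE IDS alert can carry, lowest to highest. The page only
# names "medium" and "high"; "informational" and "low" are assumed here.
SEVERITY_LEVELS = ("informational", "low", "medium", "high")

def parse_severity_filter(value):
    """Parse a Subscription Severity Filter string such as "medium+high".
    A blank value means no filtering, so every severity level is collected."""
    if not value or not value.strip():
        return set(SEVERITY_LEVELS)
    levels = {part.strip().lower() for part in value.split("+") if part.strip()}
    unknown = levels - set(SEVERITY_LEVELS)
    if unknown:  # reject typos instead of silently collecting nothing
        raise ValueError("unknown severity level(s): %s" % sorted(unknown))
    return levels

# Constructed sample of raw SDEE event XML (what "Include Raw Event Data" passes
# to the Log Decoder). Element and attribute names follow the evIdsAlert layout;
# the namespace URI and the sensor/signature values are made up for this example.
SAMPLE_SDEE_XML = """<sd:events xmlns:sd="urn:example:sdee">
  <sd:evIdsAlert eventId="1001" severity="high" vendor="Cisco">
    <sd:originator><sd:hostId>sensor01</sd:hostId></sd:originator>
    <sd:signature id="3050" description="Half-open SYN flood"/>
  </sd:evIdsAlert>
  <sd:evIdsAlert eventId="1002" severity="informational" vendor="Cisco">
    <sd:originator><sd:hostId>sensor01</sd:hostId></sd:originator>
    <sd:signature id="2004" description="ICMP Echo Request"/>
  </sd:evIdsAlert>
  <sd:evIdsAlert eventId="1003" severity="medium" vendor="Cisco">
    <sd:originator><sd:hostId>sensor02</sd:hostId></sd:originator>
    <sd:signature id="5081" description="WWW directory traversal"/>
  </sd:evIdsAlert>
</sd:events>"""

def filter_alerts(xml_text, severity_filter):
    """Return (eventId, severity, hostId) for each evIdsAlert passing the filter."""
    wanted = parse_severity_filter(severity_filter)
    kept = []
    for elem in ET.fromstring(xml_text).iter():
        # Tags are namespace-qualified ("{uri}evIdsAlert"), so match the local name.
        if elem.tag.rsplit("}", 1)[-1] != "evIdsAlert":
            continue
        severity = (elem.get("severity") or "").lower()
        if severity in wanted:
            host = elem.find(".//{*}hostId")  # {*} wildcard needs Python 3.8+
            kept.append((elem.get("eventId"), severity, host.text if host is not None else None))
    return kept
```

With the filter set to "medium+high", only events 1001 and 1003 survive; a blank filter keeps all three, matching the page's description of the blank-field behaviour.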

Tasks

Step 1. Configure SDEE Event Sources in Security Analytics
