000029684 - Configuring Log Collector for Cisco Ironports Logs with Security Analytics 10.4

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Number: 000029684
Applies To: RSA Product Set: Security Analytics
RSA Product/Service Type: Log Collector
RSA Version/Condition: 10.4.x
Platform: CentOS
Platform (Other): Cisco Ironport
O/S Version: EL6
Issue: This document describes how to configure a Log Collector to receive log files from a Cisco Ironport device.
Tasks

Configure Virtual Log Collector (VLC) for SFTP and SCP


1) First determine whether rssh version rssh-2.3.3-2.el6.rf.x86_64 (or newer) is installed on the log collector. To do this, ssh to the log collector as root and run:

    rssh -v

Below is sample output from the command:


###EXAMPLE OUTPUT###
[root@EPOC-VLC06 ~]# rssh -v
rssh 2.3.3
Copyright 2002-2010 Derek D. Martin <rssh-discuss at lists dot sourceforge dot net>
   rssh config file = /etc/rssh.conf
   chroot helper path = /usr/libexec/rssh_chroot_helper
     scp binary path = /usr/bin/scp
   sftp server binary = /usr/libexec/openssh/sftp-server
     cvs binary path = /usr/bin/cvs
   rdist binary path = /usr/bin/rdist
   rsync binary path = /usr/bin/rsyn



2) Should the rssh command fail to display output, execute:
yum install rssh

 

3) Once rssh is present, edit rssh.conf:
vi /etc/rssh.conf

and uncomment the following lines:

allowscp
allowsftp

Add the following line to the end of the file:

user=upload:011:00011:"/var/netwitness/logcollector/upload_chroot"

4) Now edit vsftpd.conf:
vi /etc/vsftpd/vsftpd.conf
Locate and comment out (with a # sign) the following lines in the file:

#ftp_enable=yes
#ca_certs_file=/etc/netwitness/ng/truststore/ftps.pem


5) Now execute the lc_upload_support config script:

/opt/netwitness/bin/lc_upload_support -v install

 

Configure SA GUI for Event Source


1) Log into the SA GUI and go to Administration > Services > LogCollector > View > Config > Event Sources
2) Click on the dropdown box for "Check Point", and select "File"
3) Under the "Event Categories" box, click the red + and select "cisco_ironport_esa", "cisco_ironport_wsa", or both.
4) Select the event category; an empty "Sources" section should now be visible. Click the red +
5) Name your "File Directory" whatever you wish. It is advised to use a uniquely identifiable name, for example "Ironport_WSA_101"
6) Click the down arrow for advanced settings.
7) Locate the "Eventsource SSH Key" box. Enter the SSH key provided by the Cisco Ironport here. If you do not yet have the SSH key, proceed to the section "Configure Cisco Ironport to Send Logs to the Log Collector" below.
8) Click Okay


Configure Home Directory to Receive Logs


1) Open a shell session into the log collector
2) Enter the following commands: 
cd /var/netwitness/logcollector/upload_chroot/home
chmod -R 770 upload/
chown -R upload:uploads upload/
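As an added example, not part of the RSA article, the following POSIX shell script verifies the two host-side pieces configured above: that rssh.conf restricts the upload account to sftp and scp only inside the expected chroot (rssh reads the five access digits in the order rsync, rdist, cvs, sftp, scp, so the article's 00011 grants sftp and scp and nothing else), and that the upload home directory carries the 770 mode set in this section. The rssh.conf content is constructed inline so the script runs offline; the function names are my own, and on a real collector you would point rssh_conf_check at /etc/rssh.conf and upload_dir_check at the real upload directory.

```shell
#!/bin/sh
# Added verification script (not part of the RSA article). It checks that an rssh.conf
# restricts the "upload" account to sftp and scp only, and that the chroot home directory
# carries the 770 mode the article assigns. The rssh.conf below is constructed inline.

# Decode the five-digit rssh access field. rssh orders the digits as
# rsync, rdist, cvs, sftp, scp; prints the enabled services, e.g. "sftp scp".
rssh_decode_bits() {
    bits=$1
    case "$bits" in
        [01][01][01][01][01]) ;;
        *) echo "invalid access bits: $bits" >&2; return 1 ;;
    esac
    out=""
    i=1
    for name in rsync rdist cvs sftp scp; do
        [ "$(printf '%s' "$bits" | cut -c"$i")" = "1" ] && out="$out $name"
        i=$((i + 1))
    done
    printf '%s\n' "${out# }"
}

# Check an rssh.conf: allowscp and allowsftp uncommented, and the upload user line
# granting exactly sftp+scp inside the expected chroot. Returns 0 on success.
rssh_conf_check() {
    conf=$1
    chroot_expected=${2:-/var/netwitness/logcollector/upload_chroot}
    grep -Eq '^[[:space:]]*allowscp[[:space:]]*$' "$conf" || { echo "allowscp is not enabled"; return 1; }
    grep -Eq '^[[:space:]]*allowsftp[[:space:]]*$' "$conf" || { echo "allowsftp is not enabled"; return 1; }
    line=$(grep -E '^[[:space:]]*user[[:space:]]*=[[:space:]]*upload:' "$conf" | head -n 1)
    [ -n "$line" ] || { echo "no user=upload line found"; return 1; }
    spec=$(printf '%s' "${line#*=}" | tr -d ' \t')   # upload:umask:bits:"path"
    bits=$(printf '%s' "$spec" | cut -d: -f3)
    path=$(printf '%s' "$spec" | cut -d: -f4 | tr -d '"')
    services=$(rssh_decode_bits "$bits") || return 1
    [ "$services" = "sftp scp" ] || { echo "upload user grants '$services', expected 'sftp scp'"; return 1; }
    [ "$path" = "$chroot_expected" ] || { echo "chroot is '$path', expected '$chroot_expected'"; return 1; }
    echo "ok: upload restricted to '$services' inside $path"
}

# Check the upload home directory mode (GNU stat, as on CentOS/EL6).
upload_dir_check() {
    dir=$1
    mode=$(stat -c '%a' "$dir") || return 1
    [ "$mode" = "770" ] || { echo "$dir has mode $mode, expected 770"; return 1; }
    echo "ok: $dir has mode 770"
}

# Write a constructed rssh.conf with the given access digits (default: the article's 00011).
write_sample_rssh_conf() {
    cat > "$1" <<EOF
# constructed sample, mirrors the lines the article asks for
allowscp
allowsftp
user=upload:011:${2:-00011}:"/var/netwitness/logcollector/upload_chroot"
EOF
}

# Stand-alone demonstration against the constructed sample.
demo_dir=$(mktemp -d)
write_sample_rssh_conf "$demo_dir/rssh.conf"
rssh_conf_check "$demo_dir/rssh.conf"
mkdir "$demo_dir/upload" && chmod 770 "$demo_dir/upload"
upload_dir_check "$demo_dir/upload"
rm -rf "$demo_dir"
```

The point of decoding the access digits rather than string-matching 00011 is that a later edit which flips any of the first three digits (rsync, rdist or cvs) silently widens what the chrooted account can run; the check names the extra service so the drift is visible.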

Configure Cisco Ironport to Send Logs to Log Collector


Please note that RSA does not support step-by-step instructions for configuring the Ironport. However, here are some basic instructions:
1) On the Ironport GUI select "Log Subscriptions" and select the log category you want sent to SA.
2) After you have finished modifying the log settings as you see fit, configure the Cisco Ironport to send the logs to SA. At the bottom of this settings menu you will see an option "SCP Push to Remote Server".
3) After selecting it, set the SCP settings as follows:
Protocol: SSH2
SCP Host: <SA Log Collector IP>
Directory: /home/upload/eventsources/cisco_ironport_esa/Ironport_WSA_101
Username: upload
SCP Port: 22

### In the above example the last directory in the Directory setting (Ironport_WSA_101) is the File Directory name you chose in the section "Configure SA GUI for Event Source", step 4 ###

4) Click the button to save. At this point the Cisco Ironport displays the SSH key to copy into the SA GUI; you do this in the earlier section "Configure SA GUI for Event Source", step 7.
5) Commit your changes
Notes: Support for SFTP transfers that use programs such as sftp will be ongoing, to extend support for existing event source configurations. It is expected that event sources will be configured to transfer data using the upload user capabilities.
Testing your connection to the Log Collector with WinSCP will fail. Better results are achieved with pscp.exe (part of the public domain "PuTTY" utility).
