Configuring an ArcSight Smart Connector for AdminKit
Post on 08-Nov-2015
Configuring an ArcSight Smart-Connector to collect events from Kaspersky Admin Kit 8.0
As part of a comprehensive security monitoring program, many organizations have deployed Security Information Event Management (SIEM) software within their infrastructure to centrally collect and analyze valuable security and application logs from the variety of systems and applications that support their business.
When deploying SIEM technology, it is important to identify the systems and applications that will generate the necessary log information in support of your documented security objectives.
This will usually include the following types of systems and applications; however, this is not a comprehensive list:
Firewalls
Proxy Servers
VPNs
Authentication
Physical Access Control
Identity Management
Intrusion Detection
Antivirus
Anti-Spam
Application Audit Logs
There are many SIEM vendors in the marketplace such as Q1 Labs, ArcSight, Splunk and LogLogic. This particular document will focus on the collection of antivirus event information from Kaspersky Administration Kit 8.0 using the ArcSight (now Hewlett-Packard) SmartConnector technology.
The ArcSight SmartConnector technology is a Java framework used to integrate 3rd party products for the purposes of collecting event log information and forwarding the collected events to a central server for storage, real-time analysis, trending and reporting.
The ArcSight SmartConnector framework offers a variety of event collection options, and depending on the particular application or system, more than one collection method may be available. Which one you select will depend on the given limitations of the application/system to generate events, and the needs and capabilities of your IT infrastructure to support a particular method.
Example event log collection methods
SYSLOG Message
SNMP Trap
Native API (e.g. WMI, OPSEC LEA)
File Monitoring (e.g. Flat-file, CSV)
Database (via JDBC/ODBC)
Kaspersky Admin Kit 8.0 is capable of generating event notifications when a particular event or action occurs (e.g. policy change, virus detection, network attack etc). Policy settings allow for granular control over which events will be logged, which events will generate a notification, or both.
Supported Notification Methods
Email
Network Message (NET SEND)
SNMP
Running an executable file
Supported Event Log Methods
Windows Event Log (Local Client)
Windows Event Log (Administration Server)
For this exercise, Kaspersky Administration Kit 8.0 will be configured via policy to forward client events to the Kaspersky Administration Server, where they will be logged into the Windows Applications and Services Logs, using the Kaspersky Event Log which was automatically created when the Administration Server was installed.
The ArcSight SmartConnector framework, which can be installed remotely, will be installed locally on the Kaspersky Administration Server, and will be configured to collect events from the Kaspersky Event Log in real-time, and to store them in a local file for demonstration purposes.
Note: In a production deployment of ArcSight, the events would be forwarded to an ArcSight Logger or Enterprise Security Manager (ESM) appliance; however, for this exercise a local file destination was chosen to demonstrate the concept.
To enable logging of Kaspersky Anti-Virus events by ArcSight, the following two procedures are required:
1. Configure event logging within Kaspersky Admin Kit
2. Install and Configure the ArcSight SmartConnector framework
Step 1 Configure Kaspersky Event Logging
1. Log into the Kaspersky Administration Kit
2. Using the navigation on the left, expand the Managed Computers object and drill down to the policy that you would like to enable logging for, in this example, Windows Workstation Policy
3. Right click on the policy to be edited and select Properties
4. Click on the Events tab
5. The drop-down list displays the four event categories available: Critical event, Error, Warning, and Info. Each event category has several events whose properties with regard to notification and logging can be individually configured.
6. Select the Event Category and Event Type that you would like to enable logging for, and click on the Properties button.
7. Select whether you would like the event to be logged to the client's local event log, the event log on the Kaspersky Administration Server, or both, then click OK. Note: For this exercise, we require that the logs be sent to the Kaspersky Administration Server.
8. Repeat steps 6 and 7 as required for the remaining Event Categories and Event Types. When finished, click the Apply button to save your changes, then click OK
9. Click on the name of the policy that you were just editing, and change the Policy Status from Inactive to Active
Step 2 Install the ArcSight SmartConnector Framework
1. Download the ArcSight SmartConnector framework and launch the installer by double-clicking on it.
Note: For this exercise, the Microsoft Windows version of the ArcSight SmartConnector framework utilized was 5.1.1.5782.0
2. When the installer appears, click Next
3. Select the location to install the ArcSight SmartConnector and click Next
4. The Choose Install Set window will be displayed, select Typical and click Next
5. Confirm the Shortcut Folder options and click Next
6. Confirm your selections and click Install
7. The ArcSight SmartConnector framework will take several minutes to install the Java Runtime Environment and the necessary SmartConnector agent.
8. When prompted to select the SmartConnector Destination, select CEF File and click Next
9. Confirm the Path and File Name that the events will be written to and click Next
10. Select the type of SmartConnector to install, Microsoft Windows Event Log Local, and click Next
11. By default, the SmartConnector is configured to collect the Application, System, and Security event logs. Highlight the defaults and delete them, then type Kaspersky Event Log and click Next
12. Provide a Name, and optional description for this SmartConnector and click Next
13. Confirm the options you have selected and click Next
14. The SmartConnector will now be configured. When completed, click Next
15. Select whether you would like the SmartConnector to run as a Service or as a Standalone Application and click Next
16. Confirm the SmartConnector Service Parameters and click Next
17. Once the SmartConnector service has been installed, click Finish
18. The ArcSight SmartConnector installation is now complete, click Done
19. Launch the Microsoft Windows Services Applet (services.msc) and verify that the newly installed ArcSight SmartConnector service is running. Start the service if necessary.
20. Generate some Kaspersky events (i.e. download the EICAR test virus at http://www.eicar.org from a client)
21. Launch the Windows Event Viewer and drill down to the Applications and Services Logs, and click on the Kaspersky Event Log
22. Verify that the events are being written to the Kaspersky Event Log by double-clicking on an event
23. Verify that the events are being collected by the ArcSight SmartConnector and stored in a file, by viewing the file created in the destination directory that was specified during the install (e.g. c:\Program Files\ArcSight SmartConnectors\current\user\agent\cef\2011-04-12-04-33-38.cef)
24. Each event will be recorded in the ArcSight Common Event Format (CEF), with each entry starting with the header CEF:0, and the individual event fields being Pipe Delimited (|)
At this point, the events can be fed into ArcSight; however, normalization and categorization have not been performed, so although the SIEM can collect and store the events, it will not understand their meaning or their context.
Categorization of events was outside of the scope of this exercise, which was to demonstrate the ability to collect the events.
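To check that the records landing in the .cef file are well-formed before anything downstream relies on them, here is a small CEF parser that splits the CEF:0 header on unescaped pipes and the trailing extension on key=value pairs. It is an added example, not code from the original document or from ArcSight; the sample record and its extension key names (rt, dvchost, suser, fname, filePath, msg) are constructed for illustration, not captured connector output.

```python
import re

HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")
_KEY = re.compile(r"(?:^|\s)(\w+)=")  # "key=" introduces an extension field

def _unescape(text):
    # CEF escapes: \| in the header, \= in extension values, \\ for a
    # literal backslash, and \n / \r for line breaks inside values.
    special = {"n": "\n", "r": "\r"}
    return re.sub(r"\\(.)", lambda m: special.get(m.group(1), m.group(1)), text)

def _split_header(body):
    # Split on unescaped pipes; stop after the 7th field so the remainder
    # (the extension) is returned untouched.
    fields, start, i = [], 0, 0
    while i < len(body) and len(fields) < 7:
        if body[i] == "\\":
            i += 2                      # skip the escaped character
            continue
        if body[i] == "|":
            fields.append(body[start:i])
            start = i + 1
        i += 1
    if len(fields) == 6:                # severity not followed by a pipe
        fields.append(body[start:])
        start = len(body)
    return fields, body[start:]

def parse_cef(line):
    """Return the seven header fields plus every extension key as a dict."""
    line = line.rstrip("\r\n")
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record: %r" % line[:40])
    fields, ext = _split_header(line[4:])
    if len(fields) != 7:
        raise ValueError("CEF header must have 7 pipe-delimited fields")
    event = dict(zip(HEADER_FIELDS, (_unescape(f) for f in fields)))
    keys = list(_KEY.finditer(ext))     # value runs until the next "key="
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        event[m.group(1)] = _unescape(ext[m.end():end].strip())
    return event

# Constructed sample in the shape of a CEF File line; vendor, product and
# extension key names are illustrative, not the connector's real output.
SAMPLE_LINE = (r"CEF:0|Kaspersky|Administration Kit|8.0|VirusDetected|"
               r"Virus detected \| quarantined|8|rt=Apr 12 2011 04:33:38 "
               r"dvchost=ADMINSRV suser=jsmith fname=eicar.com "
               r"filePath=C:\\temp\\eicar.com msg=EICAR test file \= not malicious")
```

Feeding each line of the connector's output file through parse_cef and rejecting anything that raises ValueError is a cheap way to catch truncated or malformed records before the events are forwarded to Logger or ESM.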