Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 R2 - LOG MANAGEMENT ADMINISTRATION GUIDE REV 1 Administration Manual

Category
Software
Type
Administration Manual
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, CA 94089
USA
408-745-2000
www.juniper.net
Part Number: 530-027298-01, Revision 1
Security Threat Response Manager
STRM Log Management Administration
Guide
Release 2008.2 R2
2 î‚„
Copyright Notice
Copyright © 2008 Juniper Networks, Inc. All rights reserved. Juniper Networks and the Juniper Networks logo are registered trademarks of Juniper
Networks Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered service marks in this
document are the property of Juniper Networks or their respective owners. All specifications are subject to change without notice. Juniper Networks
assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Juniper Networks reserves
the right to change, modify, transfer, or otherwise revise this publication without notice.
FCC Statement
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A
digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the
equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and
used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential
area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense. The following
information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it
is not installed in accordance with NetScreen’s installation instructions, it may cause interference with radio and television reception. This equipment has
been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These
specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that
interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be
determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
Reorient or relocate the receiving antenna. Increase the separation between the equipment and receiver. Consult the dealer or an experienced radio/TV
technician for help. Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.
Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.
Disclaimer
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET
THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE
SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR JUNIPER NETWORKS REPRESENTATIVE FOR A COPY.
STRM Log Management Administration Guide
Release 2008.2 R2
Copyright © 2008, Juniper Networks, Inc.
All rights reserved. Printed in USA.
Revision History
September 2008—Revision 1
The information in this document is current as of the date listed in the revision history.
CONTENTS
ABOUT THIS GUIDE
Audience 1
Conventions 1
Technical Documentation 1
Contacting Customer Support 2
1 OVERVIEW
About the Interface 3
Accessing the Administration Console 4
Using the Interface 4
Deploying Changes 5
Viewing STRM Log Management Audit Logs 5
Logged Actions 6
Viewing the Log File 7
2 MANAGING USERS
Managing Roles 9
Creating a Role 9
Editing a Role 11
Managing User Accounts 12
Creating a User Account 12
Editing a User Account 13
Disabling a User Account 14
Authenticating Users 15
3 SETTING UP STRM LOG MANAGEMENT
Managing Your License Keys 19
Updating your License Key 20
Exporting Your License Key Information 21
Creating Your Network Hierarchy 22
Considerations 22
Defining Your Network Hierarchy 23
Scheduling Automatic Updates 26
Configuring System Settings 27
Configuring System Notifications 31
Configuring the Console Settings 33
Starting and Stopping STRM Log Management 35
Accessing the Embedded SNMP Agent 35
Configuring Access Settings 36
Configuring Firewall Access 36
Updating Your Host Set-up 38
Configuring Interface Roles 39
Changing Passwords 40
Updating System Time 40
4 MANAGING BACKUP AND RECOVERY
Managing Backup Archives 45
Viewing Back Up Archives 45
Importing an Archive 46
Deleting a Backup Archive 47
Backing Up Your Information 48
Scheduling Your Backup 48
Initiating a Backup 49
Restoring Your Configuration Information 50
5 USING THE DEPLOYMENT EDITOR
About the Deployment Editor 54
Accessing the Deployment Editor 55
Using the Editor 55
Creating Your Deployment 57
Before you Begin 57
Editing Deployment Editor Preferences 58
Building Your Event View 58
Adding Components 59
Connecting Components 60
Forwarding Normalized Events 61
Renaming Components 63
Managing Your System View 63
Setting Up Managed Hosts 64
Using NAT with STRM Log Management 68
Configuring a Managed Host 72
Assigning a Component to a Host 72
Configuring Host Context 73
Configuring STRM Log Management Components 76
Configuring an Event Collector 76
Configuring an Event Processor 77
6 FORWARDING SYSLOG DATA
Adding a Syslog Destination 79
Editing a Syslog Destination 80
Delete a Syslog Destination 81
A Q1 LABS MIB
INDEX
STRM Log Management Administration Guide
ABOUT THIS GUIDE
The STRM Log Management Administration Guide provides you with information
for managing STRM Log Management functionality requiring administrative
access.
Audience This guide is intended for the system administrator responsible for setting up
STRM Log Management in your network. This guide assumes that you have
STRM Log Management administrative access and a knowledge of your corporate
network and networking technologies.
Conventions Table 1 lists conventions that are used throughout this guide.
Technical
Documentation
You can access technical documentation, technical notes, and release notes
directly from the Juniper Networks support web site at https://juniper.net/support.
Once you access the Juniper Networks support web site, locate the product and
software release for which you require documentation.
Your comments are important to us. Please send your e-mail comments about this
guide or any of the Juniper Networks documentation to:
documentation@juniper.net.
Include the following information with your comments:
• Document title
Table 1 Icons
Icon Type Description
Information note Information that describes important features or
instructions.
Caution Information that alerts you to potential loss of
data or potential damage to an application,
system, device, or network.
Warning Information that alerts you to potential personal
injury.
STRM Log Management Administration Guide
2 ABOUT THIS GUIDE
• Page number
Contacting
Customer Support
To help you resolve any issues that you may encounter when installing or
maintaining STRM Log Management, you can contact Customer Support as
follows:
• Log a support request 24/7: https://juniper.net/support/
For access to the Juniper Networks support web site, please contact Customer
Support.
• Access Juniper Networks support and Self-Service support using e-mail:
support@juniper.net
• Telephone assistance: 1-800-638-8296.
QSTRM Log Management Administration Guide
1
OVERVIEW
This chapter provides an overview of the STRM Log Management Administration
Console and STRM Log Management administrative functionality including:
• About the Interface
• Accessing the Administration Console
• Using the Interface
• Deploying Changes
• Viewing STRM Log Management Audit Logs
About the Interface You must have administrative privileges to access the Administration Console. The
STRM Log Management Administration Console provides access to following
administrative functionality:
• Manage users. See Chapter 2 Managing Users.
• Manage STRM Log Management. See Chapter 3 Setting Up STRM Log
Management.
• Backup and recover your data. See Chapter 4 Managing Backup and
Recovery.
• Manage your deployment views. See Chapter 5 Using the Deployment Editor.
• Configure syslog forwarding. See Chapter 6 Forwarding Syslog Data.
All configuration updates using the Administration Console are saved to a staging
area. Once all changes are complete, you can deploy the configuration changes or
all configuration settings to the remainder of your deployment.
QSTRM Log Management Administration Guide
4 OVERVIEW
Accessing the
Administration
Console
You can access the STRM Log Management Administration Console through the
main STRM Log Management interface. Also, you can create a shortcut on your
desktop that allows you to access the Administration Console directly.
To access the Administration Console, click Config in the main STRM Log
Management interface. The Administration Console appears.
Using the Interface The Administration Console provides several tab and menu options that allow you
to configure STRM Log Management including:
• System Configuration - Provides access to administrative functionality, such
as, user management, automatic updates, license key, network hierarchy,
system settings, system thresholds, backup and recovery and Console
configuration.
• SIM Configuration - Provides access to sensor device management and
syslog forwarding.
The Administration Console also includes several menu options including:
Table 1-1 Administrative Console Menu Options
Menu Option Sub-Menu Description
File Close Closes the Administration Console.
Configurations Deployment Editor Opens the deployment editor
interface.
Deploy configuration
changes
Deploys any configuration changes
from the current session to your
deployment.
Deploy All Deploys all configuration settings to
your deployment.
System STRM Start Starts the STRM Log Management
application.
QSTRM Log Management Administration Guide
Deploying Changes 5
The Administration Console provides several toolbar options including:
Deploying Changes Once you update your configuration settings using the Administration Console,
you must save those changes to the staging area. You must either manually
deploy all changes using the Deploy menu option or, upon exit, a window appears
prompting you to deploy changes before you exit. All deployed changes are then
enforced throughout your deployment.
Using the Administration Console menu, you can deploy changes as follows:
• Deploy All - Deploys all configuration settings to your deployment.
• Deploy configuration changes - Deploys any configuration changes from the
current session to your deployment.
Viewing STRM Log
Management Audit
Logs
Changes made by STRM Log Management users are recorded in the audit logs.
You can view the audit logs to monitor changes to STRM Log Management and
the users performing those changes.
All audit logs are stored in plain text and are archived and compressed once the
audit log file reaches a size of 200 MB. The current log file is named
audit.log.
Once the file reaches a size of 200 MB, the file is compressed and renamed as
follows:
audit.1.gz, audit.2.gz, etc with the file number incrementing each
time a log file is archived. STRM Log Management stores up to 50 archived log
files.
This section provides information on using the audit logs including:
• Logged Actions
• Viewing the Log File
STRM Stop Stops the STRM Log Management
application.
STRM Restart Restarts the STRM Log Management
application.
Help Help and Support Opens user documentation.
About STRM Displays version information.
Table 1-2 Administration Console Toolbar Options
Icon Description
Opens the deployment editor interface.
Deploys all changes made through the Administration Console.
Table 1-1 Administrative Console Menu Options (continued)
Menu Option Sub-Menu Description
QSTRM Log Management Administration Guide
6 OVERVIEW
Logged Actions STRM Log Management logs the following categories of actions in the audit log
file:
Table 1-3 Logged Actions
Category Action
User Authentication Log in to STRM Log Management
User Authentication Log out of STRM Log Management
Administrator Authentication Log in to the STRM Log Management
Administration Console
Administrator Authentication Log out of the STRM Log Management
Administration Console
Root Login Log in to STRM Log Management, as root
Log out of STRM Log Management, as root
User Accounts Adding an account
Editing an account
Deleting an account
User Roles Adding a role
Editing a role
Deleting a role
Sensor Devices Adding a sensor device
Editing a sensor device
Deleting a sensor device
Adding a sensor device group
Editing a sensor device group
Deleting a sensor device group
Protocol Configuration Adding a protocol configuration
Deleting a protocol configuration
Editing a protocol configuration
Syslog Forwarding Adding a syslog forwarding
Deleting a syslog forwarding
Editing a syslog forwarding
Reports Adding a template
Deleting a template
Editing a template
Executing a template
Deleting a report
Groups Adding a group
Deleting a group
Editing a group
QSTRM Log Management Administration Guide
Viewing STRM Log Management Audit Logs 7
Viewing the Log File To view the audit logs:
Step 1 Log in to STRM Log Management as root.
Step 2 Go to the following directory:
/var/log/audit
Step 3 Open the desired audit log file.
Each entry in the log file displays using the following format:
Note: The maximum size of any audit message (not including date, time, and host
name) is 1024 characters.
<date_time> <host name> <user>@<IP address> (thread ID)
[<category>] [<sub-category>] [<action>] <payload>
Where:
Sensor Device Extension Adding an sensor device extension
Editing the sensor device extension
Deleting a sensor device extension
Uploading a sensor device extension
Uploading a sensor device extension
successfully
Downloading a sensor device extension
Reporting a sensor device extension
Modifying a sensor devices association to a
device or device type.
Backup and Recovery Editing the configuration
Initiating the backup
Completing the backup
Failing the backup
Deleting the backup
Synchronizing the backup
Cancelling the backup
Initiating the restore
Uploading a backup
Uploading an invalid backup
Deleting the backup
License Adding a license key.
Editing a license key.
Table 1-3 Logged Actions
Category Action
QSTRM Log Management Administration Guide
8 OVERVIEW
<date_time> is the date and time of the activity in the format: Month Date
HH:MM:SS.
<host name> is the host name of the Console where this activity was logged.
<user> is the name of the user that performed the action.
<IP address> is the IP address of the user that performed the action.
(thread ID) is the identifier of the Java thread that logged this activity.
<category> is the high-level category of this activity.
<sub-category> is the low-level category of this activity.
<action> is the activity that occurred.
<payload> is the complete record that has changed, if any. This may include a
user record or an event rule.
For example:
Nov 6 12:22:31 localhost.localdomain [email protected]
(Session) [Authentication] [User] [Login]
Nov 6 12:22:31 localhost.localdomain [email protected] (0)
[Configuration] [User Account] [Account Modified]
username=james, password=/oJDuXP7YXUYQ, networks=ALL,
[email protected], userrole=Admin
Nov 13 10:14:44 localhost.localdomain [email protected] (0)
[Configuration] [FlowSource] [FlowSourceModified] Flowsource(
name="tim", enabled="true", deployed="false",
asymmetrical="false", targetQflow=DeployedComponent(id=3),
flowsourceType=FlowsourceType(id=6),
flowsourceConfig=FlowsourceConfig(id=1))
STRM Log Management Administration Guide
2
MANAGING USERS
This chapter provides information on managing STRM Log Management users
including:
• Managing Roles
• Managing User Accounts
• Authenticating Users
You can add or remove user accounts for all users that you wish to access STRM
Log Management. Each user is associated with a role, which determines the
privileges the user has to functionality and information within STRM Log
Management. You can also restrict or allow access to areas of the network. By
default, the STRM Log Management Administrative (admin) user has unrestricted
access to all components of your deployment. You can create multiple admin
accounts for your STRM Log Management system.
Managing Roles You must create a role before you can create user accounts. By default, STRM
Log Management provides a default administrative role, which provides access to
all areas of STRM Log Management. A user that has been assigned administrative
privileges (including the default administrative role) cannot edit their own account.
Another administrative user must make any desired changes. Using the
Administration Console, you can:
• Create a role. See Creating a Role.
• Edit a role. See Editing a Role
Creating a Role To create a role:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the User Roles icon.
The Manage User Roles window appears.
Step 3 Click Create Role.
STRM Log Management Administration Guide
10 MANAGING USERS
Step 4 Enter values for the parameters. You must select at least one permission to
proceed.
Table 2-1 Create Roles Parameters
Parameter Description
Role Name Specify the name of the role. The name can be up to 15
characters in length and must only contain integers and
letters.
Administrator Select the check box if you wish to grant this user
administrative access to the STRM Log Management
interface. Within the administrator role, you can grant
additional access to the following:
• System Administrator - Select this check box if you wish
to allow users access to all areas of STRM Log
Management. Also users with this access are not able to
edit other administrator accounts.
• Administrator Manager - Select this check box if you
wish to allow users the ability to create and edit other
administrative user accounts. If you select this check box,
the System Administrator check box is automatically
selected.
Event Viewer Select the check box if you wish this user to have access to
the Event Viewer. Within the Event Viewer, you can also
grant users additional access to the following:
• Event Search Restrictions Override - Select the check
box if you wish to allow users the ability to override event
search restrictions.
• Customized Rule Creation functionality - Select the
check box if you wish to allow users to create rules using
the Event Viewer.
For more information on the Event Viewer, see the STRM
Log Management Users Guide.
STRM Log Management Administration Guide
Managing Roles 11
Step 5
Click Save.
Step 6 Click Return.
Step 7 Close the Manage Roles window.
The STRM Log Management Administration Console appears.
Step 8 From the menu, select Configurations > Deploy configuration changes.
Editing a Role To edit a r ol e:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the User Roles icon.
The Manage Role window appears.
Step 3 For the role you wish to edit, click the edit icon.
The Permissions for Role window appears.
Step 4 Update the permissions (see Ta b le 2 -1 ), as necessary.
Step 5 Click Return.
Step 6 Click Save.
Step 7 Close the Manage User Roles window.
The STRM Log Management Administration Console appears.
Step 8 From the menu, select Configurations > Deploy configuration changes.
Reporting Select the check box if you wish to grant this user access to
Reporting functionality. Within the Reporting functionality,
you can grant users additional access to the following:
• Distribute Reports via Email - Select the check box if
you wish to allow users to distribute reports through
e-mail.
• Maintain Templates - Select the check box if you wish to
allow users to maintain reporting templates.
For more information, see the STRM Log Management
Users Guide.
Table 2-1 Create Roles Parameters (continued)
Parameter Description
STRM Log Management Administration Guide
12 MANAGING USERS
Managing User
Accounts
You can create a STRM Log Management user account, which allows a user
access to selected network components using the STRM Log Management
interface. You can also create multiple accounts for your system that include
administrative privileges. Only the main administrative account can create
accounts that have administrative privileges.
You can create and edit user accounts to access STRM Log Management
including:
• Creating a User Account
• Editing a User Account
• Disabling a User Account
Creating a User
Account
To create an account for a STRM Log Management user:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Users icon.
The Manage Users window appears.
Step 3 In the Manage Users area, click Add.
The User Details window appears.
Step 4 Enter values for the following parameters:
Table 2-2 User Details Parameters
Parameter Description
Username Specify a username for the new user. The username must not
include spaces or special characters.
Password Specify a password for the user to gain access. The password
must be at least 5 characters in length.
Confirm Password Re-enter the password for confirmation.
Email Address Specify the user’s e-mail address.
STRM Log Management Administration Guide
Managing User Accounts 13
Step 5 Click Next.
The Selected Network Objects window appears.
Step 6 From the menu tree, select the network objects you wish this user to be able to
monitor.
The selected network objects appear in the Selected Network Object panel.
Step 7 Choose one of the following options:
a Click Deploy Now to deploy new user information immediately.
b Click Cancel to cancel all updates and return to the Manage Users window.
Step 8 Close the Manage Users window.
The STRM Log Management Administration Console appears.
Editing a User
Account
To edit a user account:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Users icon.
Role Using the drop-down list box, select the role you wish this user to
assume. For information on roles, see
Managing Roles. If you
select Admin, this process is complete.
Table 2-2 User Details Parameters (continued)
Parameter Description
STRM Log Management Administration Guide
14 MANAGING USERS
The Manage Users window appears.
Step 3 In the Manage Users area, click the user account you wish to edit.
The User Details window appears.
Step 4 Update values (see Table 2-2), as necessary.
Step 5 Click Next.
If you are editing a non-administrative user account, the Selected Network Objects
window appears. If you are editing an administrative user account, go to Step 9.
Step 6 From the menu tree, select the network objects you wish this user to access.
The selected network objects appear in the Selected Network Object panel.
Step 7 For all network objects you wish to remove access, select the object from the
Selected Network Objects panel and click Remove.
Step 8 Choose one of the following options:
a Click Deploy Now to deploy new user information immediately.
b Click Cancel to return to cancel all updates and return to the Manage Users
window.
Step 9 Close the Manage Users window.
The STRM Log Management Administration Console appears.
Disabling a User
Account
To disable a user account:
Step 1 In the Administration Console, click the System Configuration tab.
The System Configuration panel appears.
Step 2 Click the Users icon.
The Manage Users window appears.
Step 3 In the Manage Users area, click the user account you wish to disable.
The User Details window appears.
Step 4 In the Role drop-down list box, select Disabled.
Step 5 Click Next.
Step 6 Close the Manage Users window.
The STRM Log Management Administration Console appears. This user no longer
has access to the STRM Log Management interface. If this user attempts to log in
to STRM Log Management, the following message appears: This account has
been disabled.
  • Page 1 1
  • Page 2 2
  • Page 3 3
  • Page 4 4
  • Page 5 5
  • Page 6 6
  • Page 7 7
  • Page 8 8
  • Page 9 9
  • Page 10 10
  • Page 11 11
  • Page 12 12
  • Page 13 13
  • Page 14 14
  • Page 15 15
  • Page 16 16
  • Page 17 17
  • Page 18 18
  • Page 19 19
  • Page 20 20
  • Page 21 21
  • Page 22 22
  • Page 23 23
  • Page 24 24
  • Page 25 25
  • Page 26 26
  • Page 27 27
  • Page 28 28
  • Page 29 29
  • Page 30 30
  • Page 31 31
  • Page 32 32
  • Page 33 33
  • Page 34 34
  • Page 35 35
  • Page 36 36
  • Page 37 37
  • Page 38 38
  • Page 39 39
  • Page 40 40
  • Page 41 41
  • Page 42 42
  • Page 43 43
  • Page 44 44
  • Page 45 45
  • Page 46 46
  • Page 47 47
  • Page 48 48
  • Page 49 49
  • Page 50 50
  • Page 51 51
  • Page 52 52
  • Page 53 53
  • Page 54 54
  • Page 55 55
  • Page 56 56
  • Page 57 57
  • Page 58 58
  • Page 59 59
  • Page 60 60
  • Page 61 61
  • Page 62 62
  • Page 63 63
  • Page 64 64
  • Page 65 65
  • Page 66 66
  • Page 67 67
  • Page 68 68
  • Page 69 69
  • Page 70 70
  • Page 71 71
  • Page 72 72
  • Page 73 73
  • Page 74 74
  • Page 75 75
  • Page 76 76
  • Page 77 77
  • Page 78 78
  • Page 79 79
  • Page 80 80
  • Page 81 81
  • Page 82 82
  • Page 83 83
  • Page 84 84
  • Page 85 85
  • Page 86 86
  • Page 87 87
  • Page 88 88
  • Page 89 89
  • Page 90 90
  • Page 91 91
  • Page 92 92

Juniper SECURITY THREAT RESPONSE MANAGER 2008.2 R2 - LOG MANAGEMENT ADMINISTRATION GUIDE REV 1 Administration Manual

Category
Software
Type
Administration Manual

Ask a question and I''ll find the answer in the document

Finding information in a document is now easier with AI