Blue Cat
Click here to load reader
-
Upload
rahmiamalia -
Category
Documents
-
view
217 -
download
3
description
Transcript of Blue Cat
![Page 1: Blue Cat](https://reader038.fdocuments.net/reader038/viewer/2022100508/55cf8efd550346703b97cae5/html5/thumbnails/1.jpg)
RSA Security AnalyticsEvent Source Log Configuration Guide
BlueCatLast Modified: Thursday, February 19, 2015
Event Source Product Information:
Vendor: BlueCatEvent Source: BlueCat IPAM, DNS and DHCPVersion: Adonis 7.0
RSA Product Information:
Supported On: Security Analytics 10.0 and laterEvent Source Log Parser: bluecatCollection Method: SyslogEvent Source Class.Subclass: Network.System
![Page 2: Blue Cat](https://reader038.fdocuments.net/reader038/viewer/2022100508/55cf8efd550346703b97cae5/html5/thumbnails/2.jpg)
Event Source Log Configuration Guide
Configure BlueCatTo configure Syslog collection for the BlueCat event source, you must:
I. Configure Syslog Output on BlueCat IPAM
II. Configure Security Analytics for Syslog Collection
Configure Syslog Output on BlueCatYou can configure the BlueCat IPAM to send DNS and DHCP log messages to
RSA Security Analytics.
To configure BlueCat:
1. Log onto the BlueCat Proteus™ URL, using administrator credentials.
2. Click the Servers tab.
The Servers tab lists all available BlueCat DHCP servers.
3. Select the server for which you are configuring logging.
4. Click the server name, then select Service Configuration from the drop-down
menu.
In this screen shot, the server is named test-server:
5. From the Service Type field, select Syslog.
6. In the SIEM Settings section, do the following:
l Select the Enable ArcSight Forwarding check box.
l For the ArcSight Server, enter the IP address of your RSA Security Analytics
Log Decoder or RSA Security Analytics Remote Log Collector.
7. Click Update.
2
![Page 3: Blue Cat](https://reader038.fdocuments.net/reader038/viewer/2022100508/55cf8efd550346703b97cae5/html5/thumbnails/3.jpg)
Event Source Log Configuration Guide
You have now enabled the collection of DNS and DHCP log messages for
RSA Security Analytics.
Configure Security Analytics for Syslog Collection
Note: You only need to configure Syslog collection the first time that you set up anevent source that uses Syslog to send its output to Security Analytics.
You should configure either the Log Decoder or the Remote Log Collector for
Syslog. You do not need to configure both.
To configure the Log Decoder for Syslog collection:
1. In the Security Analytics menu, select Administration > Services.
2. In the Services grid, select a Log Decoder, and from the Actions menu, choose
View > System.
3. Depending on the icon you see, do one of the following:
l If you see , click the icon to start capturing Syslog.
l If you see , you do not need to do anything; this Log Decoder is
already capturing Syslog.
4. Ensure that the parser for your event source is enabled.
a. From the System pull-down menu, select Config.
b. In the Service Parsers Configuration panel, search for your event source.
c. Ensure that the Config Value field for your event source is selected.
To configure the Remote Log Collector for Syslog collection:
1. In the Security Analytics menu, select Administration > Services.
2. In the Services grid, select a Remote Log Collector, and from the Actions
menu, choose View > Config > Event Sources.
3. Select Syslog/Config from the drop-down menu.
The Event Categories panel displays the Syslog event sources that are
configured, if any.
4. In the Event Categories panel toolbar, click +.The Available Event Source Types dialog is displayed.
5. Select either syslog-tcp or syslog-udp. You can set up either or both, depending
on the needs of your organization.
6. Select the new type in the Event Categories panel and click + in the Sources
panel toolbar.
The Add Source dialog is displayed.
3
![Page 4: Blue Cat](https://reader038.fdocuments.net/reader038/viewer/2022100508/55cf8efd550346703b97cae5/html5/thumbnails/4.jpg)
Event Source Log Configuration Guide
7. Enter 514 for the port, and select Enabled. Optionally, configure any of the
Advanced parameters as necessary.
Click OK to accept your changes and close the dialog box.
Once you configure one or both syslog types, the Remote Log Collector collects
those types of messages from all available event sources. So, you can continue to
add Syslog event sources to your system without needing to do any further
configuration in Security Analytics.
Copyright © 2015 EMC Corporation. All Rights Reserved.
Trademarks
RSA, the RSA Logo and EMC are either registered trademarks or trademarks of EMC Corporation in theUnited States and/or other countries. All other trademarks used herein are the property of their respectiveowners. For a list of RSA trademarks, go towww.rsa.com/legal/trademarks_list.pdf. Published in theUSA.
4