User manual JUNIPER NETWORKS SECURITY THREAT RESPONSE MANAGER 2008.2 ADAPTIVE LOG EXPORTER REV1

[. . . ] Security Threat Response Manager STRM Adaptive Log Exporter Release 2008. 2 Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 USA 408-745-2000 www. juniper. net Part Number: 530-023497-01, Revision 1 Copyright Notice Copyright © 2008 Juniper Networks, Inc. Juniper Networks and the Juniper Networks logo are registered trademarks of Juniper Networks Inc. All other trademarks, service marks, registered trademarks, or registered service marks in this document are the property of Juniper Networks or their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. [. . . ] The Adaptive Log Exporter appears. Step 2 Click the Destination tab. Step 3 For the destination type that includes the destination that you wish to delete, click + to expand the menu tree. Step 4 On the destination you wish to delete, use the right-mouse button (right-click) on the destination name and select Delete Destination. Step 9 From the menu, select File > Deploy. STRM Adaptive Log Exporter 40 MANAGING DESTINATIONS Mapping to a Destination Once you have configured your devices and destinations, you must map your device to a destination. This section provides information on mapping a destination to a device including: · · Creating a Mapping Removing a Mapping Creating a Mapping To map a device to a destination: Configure Adapter Log Exporter. The Adaptive Log Exporter appears. Step 1 From the Start menu, select Start > Programs > AdaptiveLogExporter > Step 2 Click the Destination tab. Step 3 For the destination type that includes the destination that you map to a device, click + to expand the menu tree. Step 4 For the destination you wish to map to a device, use the right-mouse button (right-click) on the destination name and select Add Device Mapping. A new + sign appears next to the mapped destination. Step 5 To view the mapping, click + to view the mapped device name. Step 9 From the menu, select File > Deploy. STRM Adaptive Log Exporter Mapping to a Destination 41 Removing a Mapping To delete a mapping between a device and a destination: Configure Adapter Log Exporter. The Adaptive Log Exporter appears. Step 1 From the Start menu, select Start > Programs > AdaptiveLogExporter > Step 2 Click the Destination tab. Step 3 For the destination type that includes the mapping you wish to remove, click + to expand the menu tree. Step 4 For the destination that includes the mapping you wish to remove, click + to expand the menu tree. Step 5 For the mapping you wish to remove, use the right-mouse button (right-click) on the device name and select Delete Device Mapping. Step 9 From the menu, select File > Deploy. STRM Adaptive Log Exporter 6 CONFIGURING THE CISCO ACS DEVICE This chapter provides information on configuring your Cisco ACS device. For information on adding or managing a device, see Chapter 4 Managing Devices. Configure the Cisco ACS device parameter to specify the Root Log Directory, which is the location Cisco ACS stores the logs files. STRM Adaptive Log Exporter 7 CONFIGURING THE CISCO CSA DEVICE Cisco Security Agents (CSA) provides security to your deployment to defend against the spread of attacks across networks and systems. These CSA devices enforce a set of policies provided by the Management Center (MC) for CSA devices and selectively applied to system nodes by the network administrator. This chapter provides information on configuring your CSA device using the Adaptive Log Exporter. For information on adding or managing a device, see Chapter 4 Managing Devices. Enter values the following parameters: · · Root Log Directory -- Specify the location of the CSA MC alert log files. By default, the CSA alert log files are located in the C:\alerts\ directory Log Filename -- Specify the name of the active alert log file. The CSA MC can generate a flat logging file to which events are written with a name of your choosing. Note: This file data is encoded in UTF-8 format. Event entries are separated by a carriage return/line feed (ASCII Hex 0D 0A). Once a log file exceeds 1 MB, the file is closed and the file name is suffixed STRM Adaptive Log Exporter 46 CONFIGURING THE CISCO CSA DEVICE with a time stamp. A new file, using the same file name entered in the CSA MC Alerts Log file field, is then created. Events continue to be written to this new file until it reaches 1 MB. STRM Adaptive Log Exporter 8 CONFIGURING THE FILE FORWARDER DEVICE This chapter provides information on configuring your File Forwarder device. For information on adding or managing a device, see Chapter 4 Managing Devices. Enter values the following parameters: · · Root Log Directory -- Specify the location the File Forwarder device stores the logs files. [. . . ] System Log -- Select the check box if you wish the device to monitor the system log. Step 7 In the Windows Event Log Remote System Configuration, enter values for the parameters: · Remote Machine-- Select the check box for the device to retrieve the logs from a remote machine. Poll Interval -- Specify the remote poll interval enter a value, in milliseconds. The default is 5000 milliseconds. · Collecting Logs With an Agent To collect logs with an agent, you must install the Adaptive Log Exporter on each monitored host in your network. The Adaptive Log Exporter then reports, using syslog, to your STRM system. [. . . ]