Blue Coat ProxySG Page 1 of 24
McAfee Enterprise Security Manager Data Source Configuration Guide
Data Source: Blue Coat ProxySG
September 22, 2014
Important Note: The information contained in this document is confidential and proprietary.
Please do not redistribute without permission.
Table of Contents
1 Introduction 4
2 Prerequisites 4
3 Specific Data Source Configuration Details 5
3.1 Blue Coat ProxySG Configuration 5
Creating a Custom Log Format 5
Blue Coat Syslog Configuration 7
FileZilla FTP Server Configuration 9
Blue Coat FTP Configuration 10
3.2 McAfee Receiver Configuration 13
Syslog setup 13
FTP Setup 14
4 Data Source Event to McAfee Field Mappings 15
4.1 Log Format 15
4.2 Mappings 17
nFP2P 22
5 Appendix A - Generic Syslog Configuration Details 23
6 Appendix B - Troubleshooting 24
1 Introduction
This guide details how to configure Blue Coat ProxySG to send System and Access logs via Syslog or File Retrieval (FTP, SCP, etc.) in the proper format to the ESM. This guide is based on setting up Blue Coat version 7.0 and above.
2 Prerequisites
McAfee Enterprise Security Manager Version 8.3.0 and above.
In order to configure the Blue Coat ProxySG Syslog or FTP services, appropriate administrative-level access is required to perform the necessary changes documented below.
In order to use FTP, an intermediary server running FTP services (such as FileZilla, vsftpd, etc.) with sufficient storage for the Access logs must be used. For the purposes of this guide, FileZilla will be used.
3 Specific Data Source Configuration Details
3.1 Blue Coat ProxySG Configuration
Creating a Custom Log Format
McAfee SIEM requires a custom format for the Blue Coat Access Logs.
• Select Configuration | Access Logging | Formats
• Click New. The Create Format Dialog will appear.
• Give the format a name.
• Choose W3C Extended Log File Format (ELFF) string.
  o If you would rather use the log-specific formats (shown later in this document) instead of the W3C ELFF string format, choose “Custom format string (specify below)”.
• Enter the following custom format:
  date time time-taken c-ip cs-username cs-auth-group x-exception-id sc-filter-result cs-categories cs(Referer) sc-status s-action cs-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes
• If “Custom format string (specify below)” was chosen, enter the desired supported custom string format instead of the format shown above.
• Click Test Format to ensure that there are no syntax errors.
• Choose Log all headers from the Multiple-valued header policy.
• Click Ok.
Associating the Custom Log Format with a Custom Log
• Select Configuration | Access Logging | Logs | Logs
• Click New. The Create Log Dialog appears.
• Enter a Log Name.
• For Log Format, choose your custom format from the pull-down.
• Add a meaningful Description.
• Enter the Maximum size of the remote file.
  o This is the maximum file size that the log file will reach before rolling over to a new file.
• Enter an Early Upload file size.
• Click Ok.
Associating the above Custom Log to the Web Content Policy
• Select Configuration | Policy | Visual Policy Manager | Launch
• Once the Visual Policy Manager (VPM) has launched, you can either add a new Web Content Layer or edit the existing one. This document walks you through adding a new Web Content Layer.
• In the VPM, select Policy | Add Web Content Layer.
• Enter a name for this new Web Content Layer.
• Right-click on the Action column and select Set.
• Select New | Modify Access Logging.
• Select Enable Logging to: and from the dropdown menu choose the Custom Log you created above.
• Click Ok.
• Click Install Policy.
Blue Coat Syslog Configuration
Enable Access Logging Globally
• Select Configuration | Access Logging | General | Default Logging
• Select Enable Access Logging
• Click Apply
Syslog Configuration
• Select Configuration | Access Logging | Logs | Upload Client
• In the Log dropdown, choose the Custom Log that was created in Step 5.1.
• Select Custom Client from the Client Type dropdown, then click Settings.
• Fill in the Fields
  o Host – Enter the IP Address of the McAfee Event Receiver
  o Port – Enter 514
  o Use Secure Connections (SSL) – Uncheck
• Click Ok
• Click Apply
• Back at the Upload Client Configuration
• Keep all defaults except for Save the log file as. Here choose text file.
• Leave all of the other options as defaults.
• Click on the Upload Schedule tab.
• Select Upload Type.
• Keep all defaults except for “Upload the access log”. Change this setting to “continuously”. This will stream the access logs to the McAfee Event Receiver.
• Click Ok
• Click Apply
FileZilla FTP Server Configuration
If you are using FTP as the method, you must first set up the FTP server:
• Download the FileZilla FTP Server for Windows from http://filezilla-project.org/download.php?type=server
• Install the FileZilla FTP server on your choice of Windows Server and accept all of the default options.
• Create a directory that will be used to store the Blue Coat ProxySG Access Logs. In this guide, D:\BlueCoatLogs will be used.
• With FileZilla up and running, a FileZilla server window will now open. Click on Edit > Users. Here you will be shown the current users (none) and can set up and configure new users.
• On the "General" page (left-hand side), click on the "Add" button under the Users section on the right-hand side. Type in the FTP account name. In this example, use "proxysg" as the account name. You do not have to make the user a member of a group.
• Make sure "Enable Account" is checked under the account settings section. Also put a check mark next to "Password:" and give the newly created “proxysg” user a password. In this example, the password will be "bluecoat". For security purposes, please make sure that this password is complex.
• Click on the "Shared Folders" page. Click on the "Add" button. Walk the directory tree to D:\BlueCoatLogs\ and click on the OK button. For files and directories, give that user all file rights (Read, Write, Delete, Append) and all directory rights (Create, Delete, List, + Subdirs) to D:\BlueCoatLogs\. Make sure that D:\BlueCoatLogs\ has a capital H next to it. If not, highlight the directory and click on the "Set as home dir" button to make it the home directory for that user. The "H" signifies that D:\BlueCoatLogs is the home directory for that particular user. When the “proxysg” FTP user logs into the FTP server, the root directory will be D:\BlueCoatLogs\.
• Click on the "OK" button to save the user.
• The FileZilla FTP server should be up and running at this point and the “proxysg” user is ready to go.
Blue Coat FTP Configuration
Enable Access Logging Globally
• Select Configuration | Access Logging | General | Default Logging
• Select Enable Access Logging
• Click Apply
FTP Upload Configuration
• In the image above you will see all of the Blue Coat Access Logs.
• Select Configuration | Access Logging | Logs | Upload Client.
  o This is where the access logs are configured to upload their data to the FTP server (in this case the FileZilla Server).
• In the Log dropdown, choose the Custom Log that was created in Step 5.1.
• Choose FTP Client from the Upload Client Type dropdown, and click Settings.
• Fill in the Fields
  o Host: Enter the IP address of the FileZilla FTP server
  o Port: 21 is the default FTP port
  o Path: Enter “/” without quotes
  o Username: Enter proxysg (this user was created in Step 4)
  o Click Change Primary Password.
    ▪ Enter the Password twice, then click Ok. In this guide, bluecoat would be entered twice (that was the password configured for the user “proxysg” in Section 4).
  o Filename: The filename can contain text and/or specifiers. The file name shown above will include the log name, last octet of the ProxySG, month, day, hour, minute and seconds.
  o Uncheck Use Secure Connections (SSL), as the FileZilla Server is not configured for FTPS or SFTP.
  o Check Local Time if you would like the local time the file was uploaded to be reflected instead of UTC.
  o Click Ok
  o Click Apply
• Back at the Upload Client Configuration
• Keep all defaults except for “Save the log file as”; choose gzip file. This will reduce the log file size. The McAfee Event Receiver is capable of decompressing a gzipped log file and parsing the logs within.
• Click on the Upload Schedule tab.
• In the Log dropdown, choose the Custom Log that was created in Step 5.1.
• Under Upload Type, choose periodically.
• Under Rotate the Log File, select Every 0 Hours and 5 minutes. The Blue Coat ProxySG will now upload the access logs to the FTP server every 5 minutes.
• Click Apply.
• Test to make sure the upload is successful. On the Upload Client tab, click Test Upload. Go to the FTP server (FileZilla Server) and check to make sure the user proxysg logged in and that it uploaded a file named “main_upload_result” to the FTP server.
3.2 McAfee Receiver Configuration
Syslog setup
After successfully logging into the McAfee ESM console, the data source will need to be added to a McAfee Receiver in the ESM hierarchy.
1. Select the Receiver you are applying the data source setting to
2. Select the Receiver properties
3. From the Receiver Properties listing, select “Data Sources”
4. Select “Add Data Source”
OR
1. Select the Receiver you are applying the data source setting to
2. After selecting the Receiver, select the “Add Data Source” icon
Data Source Screen Settings
1. Data Source Vendor – Blue Coat Systems
2. Data Source Model – ProxySG Access Log (ASP)
3. Data Format – Default
4. Data Retrieval – Default
5. Enabled: Parsing/Logging/SNMP Trap – <Defaults>
6. Name – Name of data source
7. IP Address/Hostname – The IP address and host name associated with the data source device
8. Syslog Relay – <Enable>
9. Mask – <Default>
10. Require Syslog TLS – Enable to require the Receiver to communicate over TLS
11. Support Generic Syslogs – <Default>
12. Time Zone – Time zone of data being sent
FTP Setup
After successfully logging into the McAfee ESM console, the data source will need to be added to a McAfee Receiver in the ESM hierarchy.
1. Select the Receiver you are applying the data source setting to
2. Select the Receiver properties
3. From the Receiver Properties listing, select “Data Sources”
4. Select “Add Data Source”
OR
1. Select the Receiver you are applying the data source setting to
2. After selecting the Receiver, select the “Add Data Source” icon
Data Source Screen Settings
1. Data Source Vendor – Blue Coat Systems
2. Data Source Model – ProxySG Access Log (ASP)
3. Data Format – Default
4. Data Retrieval – FTP File Source
5. Enabled: Parsing/Logging/SNMP Trap – <Defaults>
6. Name – Name of data source
7. IP Address/Hostname – The IP address and host name associated with the data source device
8. Port – 21 (Default for FTP)
9. Number of Lines per record – <Default>
10. Interval – 5 Minutes
11. File Completion – 60 Seconds
12. Delete processed files – Check this to have the Receiver delete the files from the FTP Server after they are processed
13. Path – Enter “/” (without quotation marks)
14. Wildcard expression – *.log.gz
15. Username – The username for the FTP client
16. Password – The password for the FTP client
17. Encryption – Leave unchecked
18. Support Generic Syslogs – Do nothing
19. Time Zone – Time zone of data being sent
Note – Refer to Appendix A for details on the Data Source Screen options.
4 Data Source Event to McAfee Field Mappings
4.1 Log Format
The expected format for this device is as follows:
Access log event v6 log example:
date time time-taken c-ip cs-username cs-auth-group x-exception-id sc-filter-result cs-categories cs(Referer) sc-status s-action cs-method rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes x-virus-id
Access log event v5.4.6.1 log example:
date time c-ip c-port r-ip r-port x-cifs-uid x-cifs-tid x-cifs-fid x-cifs-method x-cifs-server x-cifs-share x-cifs-path x-cifs-orig-path x-cifs-client-bytes-read x-cifs-server-bytes-read x-cifs-bytes-written x-client-connection-bytes x-server-connection-bytes x-server-adn-connection-bytes x-cifs-client-read-operations x-cifs-client-write-operations x-cifs-client-other-operations x-cifs-server-operations s-action x-cifs-error-code cs-username cs-auth-group s-ip
The following log formats are supported custom formats:
nFMAIN log example:
nFMAIN Date=|$(date)|, Time=|$(time)|, Time-Taken=|$(time-taken)|, Source=|$(c-ip)|, Status=|$(sc-status)|, Action=|$(s-action)|, IncomingBytes=|$(sc-bytes)|, OutgoingBytes=|$(cs-bytes)|, Method=|$(cs-method)|, Scheme=|$(cs-uri-scheme)|, Username=|$(cs-username)|, Supplier=|$(s-supplier-name)|, UserAgent=|$(cs(User-Agent))|, Result=|$(sc-filter-result)|, Category=|$(sc-filter-category)|, Virus=|$(x-virus-id)|, DeviceIP=|$(s-ip)|, DevicePort=|$(s-port)|, URL=|$(c-uri)|, DestinationIP=|$(r-ip)|, DestinationPort=|$(cs-uri-port)|
nFIM log example:
nFIM Date=|$(date)|, Time=|$(time)|, Time-Taken=|$(time-taken)|, Source=|$(c-ip)|, Username=|$(cs-username)|, Protocol=|$(cs-protocol)|, Method=|$(x-im-method)|, User-Id=|$(x-im-user-id)|, Client=|$(x-im-client-info)|, Buddy=|$(x-im-buddy-id)|, ChatRoom=|$(x-im-chat-room-id)|, Action=|$(s-action)|, File=|$(x-im-file-path)|, FileSize=|$(x-im-file-size)|, DeviceIP=|$(s-ip)|
nFSSL log example:
nFSSL Date=|$(date)|, Time=|$(time)|, Time-Taken=|$(time-taken)|, Source=|$(c-ip)|, Action=|$(s-action)|, CertStatus=|$(x-rs-certificate-validate-status)|, Errors=|$(x-rs-certificate-observed-errors)|, DestinationIP=|$(r-ip)|, DestinationPort=|$(cs-uri-port)|, Supplier=|$(s-supplier-name)|, ClientCipher=|$(x-rs-connection-negotiated-ssl-version)|, ClientCiphernegotiate=|$(x-rs-connection-negotiated-cipher)|, CipherSize=|$(x-rs-connection-negotiated-cipher-size)|, Category=|$(x-rs-certificate-hostname-category)|, ServerCipher=|$(x-cs-connection-negotiated-ssl-version)|, ServernegotiatedCipher=|$(x-cs-connection-negotiated-cipher)|, ServerCipherSize=|$(x-cs-connection-negotiated-cipher-size)|, Device=|$(s-ip)|, IncomingBytes=|$(sc-bytes)|, OutgoingBytes=|$(cs-bytes)|, Protocol=|$(cs-protocol)|, URL=|$(c-uri)|
nFSTREAM log example:
nFSTREAM Date=|$(date)|, Time=|$(time)|, Scheme=|$(cs-uri-scheme)|, DestinationPort=|$(cs-uri-port)|, Status=|$(c-status)|, User-Agent=|$(cs(User-Agent))|, Hostexe=|$(c-hostexe)|, Hostexever=|$(c-hostexever)|, Filesize=|$(filesize)|, Protocol=|$(transport)|, Bytes1=|$(sc-bytes)|, Bytes2=|$(c-bytes)|, Device=|$(s-ip)|, Source=|$(x-client-address)|, URL=|$(c-uri)|, Method=|$(cs-method)|
nFP2P log example:
nFP2P Date=|$(date)|, Time=|$(time)|, Source=|$(c-ip)|, Username=|$(cs-username)|, Protocol=|$(cs-protocol)|, ClientType=|$(x-p2p-client-type)|, Bytes1=|$(x-p2p-client-bytes)|, Bytes2=|$(x-p2p-peer-bytes)|, Action=|$(s-action)|, DestinationIP=|$(r-ip)|, DestinationPort=|$(cs-uri-port)|, Device=|$(s-ip)|
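The nF* custom formats above are templates: at log time ProxySG substitutes each $(field) with the field's value, so a line arrives as `nFMAIN Date=|2014-09-22|, Time=|10:15:32|, ...`. The Python below is an added example (not code from this guide, from Blue Coat or from McAfee) that renders the nFMAIN template with constructed field values, parses the resulting line back into key/value pairs, and applies the nFMAIN mapping from section 4.2. The sample values, the use of "-" for a field missing from the value set, and the rejection of text that is not in Key=|value| form are assumptions of the example.

```python
"""Added example (not from the guide): render the nFMAIN custom format string
from section 4.1 with constructed ProxySG field values, parse the resulting
line back into key/value pairs and apply the nFMAIN mapping from section 4.2.
The rendering step stands in for the $(field) substitution ProxySG performs."""

import re
from typing import Dict

# nFMAIN format string from section 4.1.
NFMAIN_FORMAT = (
    "nFMAIN Date=|$(date)|, Time=|$(time)|, Time-Taken=|$(time-taken)|, "
    "Source=|$(c-ip)|, Status=|$(sc-status)|, Action=|$(s-action)|, "
    "IncomingBytes=|$(sc-bytes)|, OutgoingBytes=|$(cs-bytes)|, "
    "Method=|$(cs-method)|, Scheme=|$(cs-uri-scheme)|, Username=|$(cs-username)|, "
    "Supplier=|$(s-supplier-name)|, UserAgent=|$(cs(User-Agent))|, "
    "Result=|$(sc-filter-result)|, Category=|$(sc-filter-category)|, "
    "Virus=|$(x-virus-id)|, DeviceIP=|$(s-ip)|, DevicePort=|$(s-port)|, "
    "URL=|$(c-uri)|, DestinationIP=|$(r-ip)|, DestinationPort=|$(cs-uri-port)|"
)

# nFMAIN mapping from section 4.2 (log key -> ESM field), for the keys whose
# spelling in the table matches the format string above.
NFMAIN_MAPPING: Dict[str, str] = {
    "Source": "src_ip", "Status": "Response_Code.Response_Code",
    "Action": "Action", "IncomingBytes": "Bytes_Received.Bytes_Received",
    "OutgoingBytes": "Bytes_Sent.Bytes_Sent", "Method": "Method.Method",
    "Scheme": "Protocol", "Username": "src_username",
    "Result": "Query_Response.Query_Response", "Category": "Category.Category",
    "Virus": "Threat_Name.Threat_Name", "DevicePort": "src_port",
    "URL": "URL.URL", "DestinationIP": "dst_ip", "DestinationPort": "dst_port",
}

# Constructed field values, as the proxy would hold them at log time.
SAMPLE_VALUES: Dict[str, str] = {
    "date": "2014-09-22", "time": "10:15:32", "time-taken": "120",
    "c-ip": "10.1.2.3", "sc-status": "200", "s-action": "TCP_NC_MISS",
    "sc-bytes": "4523", "cs-bytes": "612", "cs-method": "GET",
    "cs-uri-scheme": "http", "cs-username": "jdoe",
    "s-supplier-name": "www.example.com",
    "cs(User-Agent)": "Mozilla/5.0 (Windows NT 6.1)",
    "sc-filter-result": "OBSERVED", "sc-filter-category": "Web Ads/Analytics",
    "x-virus-id": "-", "s-ip": "10.1.0.5", "s-port": "8080",
    "c-uri": "http://www.example.com/index.html?q=1",
    "r-ip": "93.184.216.34", "cs-uri-port": "80",
}

_SUBST = re.compile(r"\$\((\w[\w\-]*(?:\([^)]*\))?)\)")  # $(field) or $(cs(Header))
_PAIR = re.compile(r"([\w\-]+)=\|([^|]*)\|")             # Key=|value|


def render_custom_format(template: str, values: Dict[str, str]) -> str:
    """Replace every $(field) with its value; '-' for a field not in `values`
    (an assumption of this example)."""
    return _SUBST.sub(lambda m: values.get(m.group(1), "-"), template)


def parse_nf_line(line: str) -> Dict[str, str]:
    """Split 'nFxxx Key=|value|, Key=|value|' into the application tag and pairs.
    Pipes delimit values, so spaces inside User-Agent or categories need no
    quoting; anything between pairs that is not ', ' is treated as corruption."""
    app, _, body = line.partition(" ")
    if not app.startswith("nF"):
        raise ValueError(f"not an nF custom format line: {app!r}")
    record = {"Application": app}
    pos = 0
    for m in _PAIR.finditer(body):
        gap = body[pos:m.start()]
        if gap.strip(", "):
            raise ValueError(f"unparsed text before {m.group(1)!r}: {gap!r}")
        record[m.group(1)] = m.group(2)
        pos = m.end()
    if body[pos:].strip(", "):
        raise ValueError(f"trailing unparsed text: {body[pos:]!r}")
    return record


def is_valid_nf_line(line: str) -> bool:
    """True when the line parses cleanly as an nF custom-format line."""
    try:
        parse_nf_line(line)
        return True
    except ValueError:
        return False


def nf_to_esm_fields(record: Dict[str, str]) -> Dict[str, str]:
    """Apply NFMAIN_MAPPING, dropping '-' (empty) values."""
    return {esm: record[key] for key, esm in NFMAIN_MAPPING.items()
            if record.get(key, "-") != "-"}


if __name__ == "__main__":
    line = render_custom_format(NFMAIN_FORMAT, SAMPLE_VALUES)
    print(line)
    print(nf_to_esm_fields(parse_nf_line(line)))
```

Because the values are pipe-delimited rather than space-delimited, a User-Agent or category containing spaces survives intact; the contiguity check in `parse_nf_line` is what turns a truncated or spliced line into an error instead of a silently shifted record.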
4.2 Mappings
Access Log
Those with * indicate compatibility with version 9.2 and above only.
Log Fields McAfee ESM Fields
Date, Time Firsttime, lasttime
c-ip src_ip
cs-username src_username
sc-filter-result Query_Response.Query_Response*
cs-categories Subject.Subject
sc-status Action
s-action Message
cs-method commandname
rs-Content-Type application
cs-host domain
cs-uri-port src_port
cs-uri-path URL.URL, Job_Name.Job_Name*
cs-User-Agent User_Agent.User_Agent*
s-ip dst_ip
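To see how the section 3.1 custom ELFF format and the Access Log mapping table above fit together, the Python below is an added example (not code from this guide, from Blue Coat or from McAfee) that tokenizes one constructed access log line according to the format string, rejects lines whose field count does not match the format, and produces the ESM field names the table lists. The sample line and the treatment of "-" as an empty value to drop are assumptions of the example.

```python
"""Added example (not from the guide): parse one ProxySG access log line
written in the section 3.1 custom ELFF format and apply the section 4.2
Access Log mapping to it. The sample line is constructed for this example."""

from typing import Dict, List

# The custom format string from section 3.1, one field name per token.
CUSTOM_FORMAT = (
    "date time time-taken c-ip cs-username cs-auth-group x-exception-id "
    "sc-filter-result cs-categories cs(Referer) sc-status s-action cs-method "
    "rs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-query "
    "cs-uri-extension cs(User-Agent) s-ip sc-bytes cs-bytes"
)

# Access Log mapping from section 4.2 (ELFF field -> ESM field(s)).
# cs-uri-path feeds two ESM fields; fields the table does not list are not sent.
ESM_MAPPING: Dict[str, List[str]] = {
    "c-ip": ["src_ip"],
    "cs-username": ["src_username"],
    "sc-filter-result": ["Query_Response.Query_Response"],
    "cs-categories": ["Subject.Subject"],
    "sc-status": ["Action"],
    "s-action": ["Message"],
    "cs-method": ["commandname"],
    "rs(Content-Type)": ["application"],
    "cs-host": ["domain"],
    "cs-uri-port": ["src_port"],
    "cs-uri-path": ["URL.URL", "Job_Name.Job_Name"],
    "cs(User-Agent)": ["User_Agent.User_Agent"],
    "s-ip": ["dst_ip"],
}

# Constructed sample line: 24 values in CUSTOM_FORMAT order. Values that
# contain spaces (categories, User-Agent) are double-quoted; '-' means empty.
SAMPLE_LINE = (
    '2014-09-22 10:15:32 120 10.1.2.3 jdoe staff - OBSERVED "Web Ads/Analytics" '
    '- 200 TCP_NC_MISS GET text/html http www.example.com 80 /index.html ?q=1 '
    'html "Mozilla/5.0 (Windows NT 6.1)" 10.1.0.5 4523 612'
)


def tokenize_elff(line: str) -> List[str]:
    """Split on whitespace while keeping a double-quoted value as one token.
    A doubled quote ("") inside a quoted value stands for a literal quote."""
    tokens: List[str] = []
    buf: List[str] = []
    started = False      # a token is in progress (may be the empty string "")
    in_quotes = False
    i = 0
    while i < len(line):
        ch = line[i]
        if in_quotes:
            if ch == '"' and line[i + 1:i + 2] == '"':
                buf.append('"')
                i += 1
            elif ch == '"':
                in_quotes = False
            else:
                buf.append(ch)
        elif ch == '"':
            in_quotes = True
            started = True
        elif ch in " \t":
            if started:
                tokens.append("".join(buf))
                buf, started = [], False
        else:
            buf.append(ch)
            started = True
        i += 1
    if in_quotes:
        raise ValueError("unterminated quoted value")
    if started:
        tokens.append("".join(buf))
    return tokens


def parse_access_log(line: str, fmt: str = CUSTOM_FORMAT) -> Dict[str, str]:
    """Pair each value with its field name. A count mismatch usually means the
    ProxySG format string and the parser's copy of it have drifted apart, so
    the line is rejected instead of being mapped to the wrong fields."""
    fields = fmt.split()
    values = tokenize_elff(line)
    if len(values) != len(fields):
        raise ValueError(f"expected {len(fields)} fields, got {len(values)}")
    return dict(zip(fields, values))


def to_esm_fields(record: Dict[str, str]) -> Dict[str, str]:
    """Apply ESM_MAPPING; empty ('-') values are dropped rather than sent."""
    out: Dict[str, str] = {}
    for field, esm_names in ESM_MAPPING.items():
        value = record.get(field, "-")
        if value != "-":
            for name in esm_names:
                out[name] = value
    return out


if __name__ == "__main__":
    for k, v in to_esm_fields(parse_access_log(SAMPLE_LINE)).items():
        print(f"{k:28} {v}")
```

The field-count check is the practical safeguard here: if someone later edits the custom format on the proxy without updating the consumer, every value shifts by one column and, for example, the client IP would land in the wrong ESM field; failing the line makes the drift visible instead of silently producing wrong events.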
Access Log v5.4.6.1
Those with * indicate compatibility with version 9.2 and above only.
Log Fields McAfee ESM Fields
Date, Time Firsttime, lasttime
c-ip src_ip
s-action Message
cs-bytes Bytes_Sent.Bytes_Sent*
sc-bytes Bytes_Received.Bytes_Received*
cs-method Method.Method
cs-uri-scheme
cs-host domain
cs-uri-port src_port
cs-uri-path URL.URL
cs-username src_username
rs(Content-Type) application
cs(Referer) Referer.Referer*
cs-User-Agent User_Agent.User_Agent*
sc-filter-result Action
cs-categories Object_Type.Object_Type
x-virus-id Object_Type.Object_Type
s-ip dst_ip
nFMAIN
Those with * indicate compatibility with version 9.2 and above only.
Log Fields McAfee ESM Fields
nFMAIN Application
Date, Time Firsttime, lasttime
Source src_ip
Status Response_Code.Response_Code*
Action Action
IncomingBytes Bytes_Received.Bytes_Received*
OutgoingBytes Bytes_Sent.Bytes_Sent*
Method Method.Method
Scheme Protocol
Username src_username
User-Agent User_Agent.User_Agent*
Result Query_Response.Query_Response*
Category Category.Category*
Virus Threat_Name.Threat_Name*
Device_IP Device_IP.Device_IP*
DevicePort src_port
URL URL.URL
DestinationIP dst_ip
DestinationPort dst_port
nFIM
Fields with a * indicate compatibility with version 9.2 and above only.
Log Fields McAfee ESM Fields
nFIM Application
Date, Time Firsttime, lasttime
Source src_ip
Username src_username
Protocol Protocol
Method Method.Method
Client Client_Version.Client_Version*
Action Action
File Filename.Filename
DeviceIP DeviceIP.DeviceIP*
nFSSL
Those with * indicate compatibility with version 9.2 and above only.
Log Fields McAfee ESM Fields
nFSSL Application
Date, Time Firsttime, lasttime
Source src_ip
Action Action
DestinationIP dst_ip
DestinationPort dst_port
Supplier URL.URL
Category Category.Category*
DeviceIP DeviceIP.DeviceIP*
IncomingBytes Bytes_Received.Bytes_Received*
OutgoingBytes Bytes_Sent.Bytes_Sent*
Protocol Protocol
nFSTREAM
Those with * indicate compatibility with version 9.2 and above only.
Log Fields McAfee ESM Fields
nFSTREAM Application
Date, Time Firsttime, lasttime
DestinationPort dst_port
Status Response_Code.Response_Code*
Action Action
User-Agent User_Agent.User_Agent*
Hostexe Client_Version.Client_Version*
Protocol Protocol
Bytes1 Bytes_Received.Bytes_Received*
Bytes2 Bytes_Sent.Bytes_Sent*
Device Device_IP.Device_IP*
Source src_ip
URL URL.URL
Method Method.Method
nFP2P
Those with * indicate compatibility with version 9.2 and above only.
Log Fields McAfee ESM Fields
nFP2P Application
Date, Time Firsttime, lasttime
Source src_ip
Username src_username
Protocol Protocol
ClientType Message
Bytes1 Bytes_Received.Bytes_Received*
Bytes2 Bytes_Sent.Bytes_Sent*
Action Action
DestinationIP dst_ip
DestinationPort dst_port
Device Device_IP.Device_IP*
5 Appendix A - Generic Syslog Configuration Details
Once you select the option to add a data source, you are taken to the “Add Data Source” menu. The general options for adding a data source are shown. As you select different options, additional parameters may appear. Each of these parameters is examined in more detail below.
1. Use System Profiles – System Profiles are a way to reuse settings that are repetitive in nature without having to enter the information each time. An example is WMI credentials, which are necessary to retrieve Windows Event Logs if WMI is the chosen mechanism.
2. Data Source Vendor – List of all supported vendors.
3. Data Source Model – List of supported products for a vendor.
4. Data Format – “Data Format” is the format the data is in. Options are “Default”, “CEF”, and “MEF”. Note – If you choose CEF it will enable the generic rule for CEF and may not parse data source-specific details.
5. Data Retrieval – “Data Retrieval” allows you to select how the Receiver is going to collect the data. Default is over syslog.
6. Enabled: Parsing/Logging/SNMP Trap – Enables parsing of the data source, logging of the data source, and reception of SNMP traps from the data source. If no option is checked, the settings are saved to the ESM but not written to the Receiver or utilized. Default is to select “Parsing”.
7. Name – This is the name that will appear in the Logical Device Groupings tree and the filter lists.
8. IP Address/Hostname – The IP address and host name associated with the data source device.
9. Syslog Relay – “Syslog Relay” allows data to be collected via relays and bucketed to the correct data source. Enable syslog relay on relay sources such as Syslog-NG.
10. Mask – Enables you to apply a mask to an IP address so that a range of IP addresses can be accepted.
11. Require Syslog TLS – Enable to require the Receiver to communicate over TLS.
12. Support Generic Syslog – “Generic Syslog” allows users to select “Parse generic syslog” or “Log ‘unknown syslog event’”. Both these options will create an alert for an auto-learned syslog event if there is no parsing rule.
13. Time Zone – If syslog events are sent in a time zone other than GMT, you need to set the time zone of the data source so the date on the events can be set accordingly.
14. Interface – Opens the Receiver interface settings to associate ports with streams of information.
15. Advanced – Opens advanced settings for the data source.
6 Appendix B - Troubleshooting
• If a data source is not receiving events, verify that the data source settings have been written out and that policy has been rolled out to the Receiver.
• If you see errors saying events are being discarded because the “Last Time” value is more than one hour in the future, or the values are incorrect, you may need to adjust the “Time Zone” setting.
The following tips may help with troubleshooting this configuration if events are not seen in the ESM after a period of time.
• Log into the FTP server (FileZilla in this guide) and check its log; make sure that there are entries stating that the ProxySG has uploaded the log files, and that there are entries stating that the Receiver connected and downloaded the log files.
• Verify port 514 is open on the Receiver. Your output will be similar to the following.
  o netstat -an | grep 514
• Use tcpdump on the Receiver to verify receipt of syslog from the server. You can use something as simple as the following command to verify the receipt of data.
  o tcpdump -i eth0 src host <remote host IP>
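The “Last Time” discard condition in the first bullet list above can be reproduced for a single event to confirm whether the Time Zone setting is the cause before touching the data source. The Python below is an added example, not part of this guide or of the ESM: it interprets an ELFF date/time pair in the time zone configured on the data source, converts it to UTC and compares it with the Receiver clock using the one-hour threshold Appendix B names. The event timestamp, the Receiver clock and the UTC-4 offset standing in for a mis-set time zone are constructed.

```python
"""Added example (not from the guide): reproduce the Appendix B discard
condition, an event whose "Last Time" is more than one hour in the future,
for an ELFF date/time pair interpreted in the data source's configured
time zone. Timestamps, the reference "now" and the offsets are constructed."""

from datetime import datetime, timedelta, timezone, tzinfo

MAX_FUTURE_SKEW = timedelta(hours=1)            # threshold named in Appendix B

UTC = timezone.utc
UTC_MINUS_4 = timezone(timedelta(hours=-4))     # constructed: a mis-set data source time zone
NOW_UTC = datetime(2014, 9, 22, 17, 20, tzinfo=timezone.utc)   # constructed Receiver clock


def event_time_utc(date_s: str, time_s: str, source_tz: tzinfo) -> datetime:
    """Interpret the ELFF 'date' and 'time' fields (YYYY-MM-DD HH:MM:SS) in
    the time zone configured on the ESM data source and convert to UTC."""
    naive = datetime.strptime(f"{date_s} {time_s}", "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=source_tz).astimezone(timezone.utc)


def future_skew(date_s: str, time_s: str, source_tz: tzinfo,
                now_utc: datetime) -> timedelta:
    """How far ahead of the Receiver's clock the event would be stamped
    (negative when the event is in the past, the normal case)."""
    return event_time_utc(date_s, time_s, source_tz) - now_utc


def would_be_discarded(date_s: str, time_s: str, source_tz: tzinfo,
                       now_utc: datetime) -> bool:
    """True when the event lands more than MAX_FUTURE_SKEW in the future."""
    return future_skew(date_s, time_s, source_tz, now_utc) > MAX_FUTURE_SKEW


if __name__ == "__main__":
    # Constructed scenario: the proxy wrote its date/time fields in UTC,
    # five minutes before the Receiver clock NOW_UTC.
    event = ("2014-09-22", "17:15:32")
    for label, tz in [("data source time zone UTC", UTC),
                      ("data source time zone UTC-4", UTC_MINUS_4)]:
        verdict = "discarded" if would_be_discarded(*event, tz, NOW_UTC) else "accepted"
        print(f"{label}: {verdict}, skew {future_skew(*event, tz, NOW_UTC)}")
```

With the data source set to UTC the event is a few minutes old and accepted; with the same line read as UTC-4 it appears almost four hours ahead of the Receiver and trips the one-hour rule, which is exactly the symptom the bullet describes.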