
White Paper

Alert Logic Log Manager

Configuring Log Sources for Best Practice Reports

CONTENTS

Introduction
Best Practice Reports in Log Manager
  Active Directory
  Databases
  Network Devices
  Windows Server (2008 R2, 2008, 2003)
  UNIX/Linux
Configure Logging per Platform
  Active Directory
  Databases
  Network Devices
  Windows Server (2008 R2, 2008, 2003)
  UNIX/Linux

1776 Yorktown, 7th Floor, Houston, TX 77056 | 877.484.838 | info@alertlogic.com | www.alertlogic.com

Alert Logic and the Alert Logic logo are trademarks, registered trademarks, or service marks of Alert Logic Inc. All other trademarks listed in this document are the property of their respective owners. Documents are the property of their respective owners.

© 2013-2014 Alert Logic, Inc. All rights reserved.

Introduction

A well-defined log management process enables organizations to deal with the large volumes of computer-generated log messages produced each day. By collecting, aggregating, parsing and analyzing these messages, you can better understand what’s happening with systems in your IT environment and extract real value from the information for performance, security, compliance and other purposes.

The purpose of this white paper is to outline a set of best practice reports that can be created from a repository of centralized log data and show the configuration steps needed to generate events for these best practice reports.

The report and configuration examples come from Alert Logic Log Manager. Log Manager is a software-as-a-service based log management solution that collects, parses, and normalizes the millions of data points that are embedded in applications and IT infrastructure logs. Reports are presented back to you in an easily understandable, searchable format that can be used for compliance purposes or for further alerting of suspicious log activity.

For more information on Log Manager, visit https://www.alertlogic.com/products-services/log-manager/.

For more detail on configuring Log Manager to collect log data, documentation is available at http://docs.alertlogic.com/.

Best Practice Reports in Log Manager

Active Directory (AD)

Active Directory Global Catalog Change – The Microsoft Active Directory Global Catalog provides searchable information about every object controlled within your AD forest. Additionally, it provides the ability to search across multiple different domains without being required to access the AD for each domain directly. This report details all changes to the AD Global Catalog that are recorded as log messages.

Active Directory Global Catalog Demotion – The Microsoft Active Directory Global Catalog provides searchable information about every object controlled within your AD forest. Additionally, it provides the ability to search across multiple different domains without being required to access the AD for each domain directly. This report provides log message details each time a domain controller in your AD forest has been demoted, and can no longer serve the global catalog.

Databases

Database Failed Logins – This report is generated to identify and display database login failure log messages received from all monitored hosts. This report is applicable to Oracle and SQL Server.

Network Devices

Network Device Failed Logins – This report is generated to identify and display network device login failure log messages received from all monitored hosts.

Network Device Policy Change – This report is generated when a policy is added/changed/removed on network devices.

Windows Server (2008 R2, 2008, 2003)

Excessive Windows Account Lockouts – This report is generated when a threshold of two log messages has been exceeded. The messages indicate that Windows user accounts have been locked out.

Excessive Windows Account Lockouts by Administrative User – This report is generated when a threshold of two log messages has been exceeded. The messages indicate that the Windows Administrator account has been locked out.

Excessive Windows Failed Logins – This report is generated to identify and display excessive Windows login failure log messages received from all monitored hosts with a threshold greater than five messages.

Excessive Windows Failed Logins by Administrative User – This report is generated when an excessive number of Windows login failure log messages are received from a single host for the Administrator account. The threshold is more than five messages.

Windows FTP Failed Logins – This report is generated when log messages indicate that accounts have failed to log in to IIS.

Windows User Account Created – This report is generated when log messages indicate that user accounts have been successfully created.

Windows User Account Modified – This report is generated when log messages indicate that user accounts have been modified (changed, created and deleted).

Windows User Group Created – This report is generated when log messages indicate that a user group has been created.

Windows User Group Modified – This report is generated when log messages indicate that user groups have been modified (changed, created and deleted).

UNIX/Linux

Failed UNIX Switch User Command – This report provides details of all recorded failed uses of the UNIX switch user (su) command.





UNIX Account Created – This report is generated when log messages indicate the creation of UNIX accounts.

UNIX Failed Logins – This report is generated when log messages indicate that local and remote accounts have failed to log in.

UNIX Group Created – This report is generated when log messages indicate that a UNIX user group was added.

UNIX SSH Failed Logins – This report is generated to identify and display SSH login failure log messages received from all monitored hosts.

UNIX Sudo Access – This report is generated when a user has executed the UNIX sudo command.

UNIX Switch User Command Success – This report is generated when log messages indicate that a user has successfully executed the UNIX switch user (su) command.
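To make the threshold wording of the reports above concrete, here is an added Python example (not Alert Logic's code, and not how Log Manager itself implements these reports) that normalizes a few constructed Windows, SQL Server and UNIX log lines and then applies the rules from the Databases, Windows Server and UNIX report descriptions. The line layouts are simplified assumptions made for the example; the event IDs 4625, 4740 and 18456 are the standard Windows and SQL Server identifiers for logon failure, account lockout and login failure, which the paper itself does not name.

```python
"""Threshold checks modelled on the Log Manager best practice reports (added example)."""
import re
from collections import Counter

# Constructed sample log lines (not taken from the paper).  The Windows and SQL
# Server lines are a flattened form of event-log records: 4625 = logon failure,
# 4740 = account lockout, 18456 = SQL Server login failure.  The UNIX lines
# follow the usual auth.log layout for sshd, su and sudo.
SAMPLE_LOGS = [
    "Jan 10 09:00:01 winsrv01 Security: EventID=4625 Account=Administrator Source=10.0.0.9",
    "Jan 10 09:00:02 winsrv01 Security: EventID=4625 Account=Administrator Source=10.0.0.9",
    "Jan 10 09:00:03 winsrv01 Security: EventID=4625 Account=Administrator Source=10.0.0.9",
    "Jan 10 09:00:04 winsrv01 Security: EventID=4625 Account=Administrator Source=10.0.0.9",
    "Jan 10 09:00:05 winsrv01 Security: EventID=4625 Account=Administrator Source=10.0.0.9",
    "Jan 10 09:00:06 winsrv01 Security: EventID=4625 Account=Administrator Source=10.0.0.9",
    "Jan 10 09:01:00 winsrv02 Security: EventID=4625 Account=jsmith Source=10.0.0.12",
    "Jan 10 09:02:00 winsrv02 Security: EventID=4740 Account=jsmith",
    "Jan 10 09:03:00 winsrv02 Security: EventID=4740 Account=mlee",
    "Jan 10 09:04:00 winsrv03 Security: EventID=4740 Account=rkumar",
    "Jan 10 09:05:00 web01 sshd[2201]: Failed password for invalid user oracle from 203.0.113.7 port 51234 ssh2",
    "Jan 10 09:05:02 web01 sshd[2203]: Failed password for root from 203.0.113.7 port 51236 ssh2",
    "Jan 10 09:06:00 web01 su: pam_unix(su:auth): authentication failure; logname=alice uid=1001 euid=0 tty=pts/0 ruser=alice rhost=  user=root",
    "Jan 10 09:06:30 web01 su: (to root) alice on pts/0",
    "Jan 10 09:07:00 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/less /var/log/auth.log",
    "Jan 10 09:08:00 dbsrv01 MSSQLSERVER: EventID=18456 Login failed for user 'sa'. [CLIENT: 10.0.0.9]",
]

# syslog-style prefix: "Mon DD HH:MM:SS host <message>"
SYSLOG_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d (?P<host>\S+) (?P<rest>.*)$")
WIN_EVENT_RE = re.compile(r"^Security: EventID=(?P<id>\d+) Account=(?P<account>\S+)")
WIN_KINDS = {"4625": "win_failed_login", "4740": "win_lockout"}

# (regex applied to the message after the hostname, event kind); group 1 is the account
MESSAGE_PATTERNS = [
    (re.compile(r"^sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from"), "unix_ssh_failed"),
    (re.compile(r"^su: pam_unix\(su:auth\): authentication failure;.* logname=(\S+)"), "unix_su_failed"),
    (re.compile(r"^su: \(to \S+\) (\S+) on "), "unix_su_success"),
    (re.compile(r"^sudo:\s+(\S+) :"), "unix_sudo"),
    (re.compile(r"^MSSQLSERVER: EventID=18456 Login failed for user '([^']+)'"), "db_failed_login"),
]


def normalize(line):
    """Reduce one raw line to (host, kind, account); None if no report cares about it."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    host, rest = m.group("host"), m.group("rest")
    w = WIN_EVENT_RE.match(rest)
    if w:
        kind = WIN_KINDS.get(w.group("id"))
        return (host, kind, w.group("account")) if kind else None
    for pattern, kind in MESSAGE_PATTERNS:
        u = pattern.match(rest)
        if u:
            return (host, kind, u.group(1))
    return None


# (report name, event kind, account filter or None, count per single host?, threshold)
# A report fires when the count exceeds the threshold, following the wording above
# ("a threshold of two ... has been exceeded", "more than five messages").
REPORTS = [
    ("Excessive Windows Account Lockouts", "win_lockout", None, False, 2),
    ("Excessive Windows Account Lockouts by Administrative User", "win_lockout", "Administrator", False, 2),
    ("Excessive Windows Failed Logins", "win_failed_login", None, False, 5),
    ("Excessive Windows Failed Logins by Administrative User", "win_failed_login", "Administrator", True, 5),
    ("Database Failed Logins", "db_failed_login", None, False, 0),
    ("UNIX SSH Failed Logins", "unix_ssh_failed", None, False, 0),
    ("Failed UNIX Switch User Command", "unix_su_failed", None, False, 0),
    ("UNIX Switch User Command Success", "unix_su_success", None, False, 0),
    ("UNIX Sudo Access", "unix_sudo", None, False, 0),
]


def run_reports(lines, reports=REPORTS):
    """Return {report name: count} for each report whose threshold was exceeded."""
    events = [e for e in map(normalize, lines) if e is not None]
    fired = {}
    for name, kind, account, per_host, threshold in reports:
        hits = [e for e in events if e[1] == kind and (account is None or e[2] == account)]
        if per_host:
            # the administrative failed-login rule applies to a single host, so use the busiest one
            count = max(Counter(e[0] for e in hits).values(), default=0)
        else:
            count = len(hits)
        if count > threshold:
            fired[name] = count
    return fired


if __name__ == "__main__":
    for name, count in run_reports(SAMPLE_LOGS).items():
        print(f"{name}: {count} message(s)")
```

With the constructed input, the general failed-login report fires on seven messages across two hosts, the administrative variant fires on the six from winsrv01 alone, and the lockout report fires on three messages while its administrative variant stays quiet because no Administrator lockout was seen. Parsing and counting are kept separate so that a real deployment can swap in its own normalizer without touching the report rules.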

Configure Logging per Platform

Active Directory

To generate log messages from Microsoft Active Directory, you need to make changes to the Audit Policy of a Domain Controller using a Domain Administrator account.

You can configure the Audit policy settings in the following location on the Domain Controller:

Administrative Tools > Domain Controller Security Policy > Security Settings > Local Policies > Audit Policy

There are nine different kinds of events you can audit. To generate meaningful log events that will populate the best practice reports above, here are the settings that should be configured:

–  –  –

Databases

MySQL

MySQL logging configuration will vary based on the installed platform. The steps to enable logging for MySQL on Linux and Windows are outlined below.

Linux

• Most current versions of MySQL have logging enabled by default. Check the /var/log/ directory to confirm that logs are being written.

Windows

1. Open the MySQL Administrator and connect to the MySQL server as an administrative user.

2. Click Startup Variables (Windows) or Options (Mac). The first step will be to enable logging, which can be done within this area of the application.

3. Enable login success and failure auditing.

–  –  –

Microsoft SQL Server

Microsoft SQL Server logging configuration is performed in both SQL Server Management Studio and Windows Audit Policy. The steps are outlined below.

» SQL Server Management Studio

1. Connect to SQL Server in Object Explorer.

2. Right-click SQL Server Properties.

–  –  –

» Once the above steps are followed to enable auditing within Microsoft SQL Server, you will also need to configure some settings at the Windows Server level.

• You can configure the Audit policy settings in the following location on the DB server:

• Administrative Tools > Local Security Policy > Security Settings > Local Policies > User Rights Assignment

1. Double-click Generate security audits.

–  –  –

3. Click Object Types, check Computers, and click OK.

4. Type the name of the current database server into the “Enter the object names to select” field and click Check Names.

5. Once the computer name is resolved (it will display an underlined computer name), click OK.

6. Click OK to close the Generate security audits Properties window.

• Administrative Tools Local Security Policy Security Settings Local Policies Audit Policy

–  –  –

3. Close the Local Security Settings window.

• Microsoft SQL Server will start posting logs to the Application log of the server after the next reboot of the server.

Network Devices

Cisco ASA and PIX Firewall

By default, logging is disabled and must be enabled.

» Enable message logging:

Begin sending logging messages to all configured destinations:

–  –  –

» (Optional) Limit the rate at which logging messages are generated:

• FWSM 2.x : Firewall(config)# logging rate-limit {unlimited | number [interval]} {level level | message message_id}

• You can rate-limit messages generated by using level keywords. Alert Logic recommends rate limiting notifications, informational and debugging (5-7):

–  –  –

In /var/netscreen/GuiSvr/guiSvr.cfg change the following:

• Find the following:

  guiSvrManager.auditlog_flag 0
  guiSvrManager.auditlog_detail_flag 0

• Change to the following:

  guiSvrManager.auditlog_flag 1
  guiSvrManager.auditlog_detail_flag 1

• Restart NSM services: /etc/init.d/guiSvr restart

• If firewalls are configured for High Availability:

  – Stop the secondary: /etc/init.d/haSvr stop
  – Restart the primary: /etc/init.d/haSvr restart
  – When the primary is started, start the services on the secondary: /etc/init.d/haSvr start

Windows Server (2008 R2, 2008, 2003)

To generate log messages from standalone Windows servers, you need to make changes to the Audit Policy.

You can configure the Audit policy settings in the following location on each server:

Administrative Tools > Local Security Policy > Security Settings > Local Policies > Audit Policy

There are nine different kinds of events you can audit. To generate meaningful log events that will populate the best practice reports above, here are the settings that should be configured:

–  –  –

UNIX/Linux

To generate log messages from UNIX/Linux servers, you need to use syslog. UNIX/Linux servers should already have this configured by default.

–  –  –
