The Event View page allows you to create and manage the components for your deployment, including the following components:
• Event Collector - Collects security events from various types of security devices, known as log sources, in your network. The Event Collector gathers events from local and remote log sources. The Event Collector then normalizes the events and sends the information to the Event Processor. The Event Collector also bundles all virtually identical events to conserve system usage.
• Event Processor - An Event Processor processes events collected from one or more Event Collectors. The events are bundled once again to conserve network usage. When received, the Event Processor correlates the information from STRM Log Manager and distributes it to the appropriate area, depending on the type of event. The Event Processor also includes information gathered by STRM Log Manager to indicate any behavioral changes or policy violations for that event. Rules are then applied to the events, and the Event Processor processes each event according to the configured rules.
To build your Event View:
1 Add SIEM components to your view. See Adding Components.
2 Connect the components. See Connecting Components.
3 Forward normalized events. See Forwarding Normalized Events.
4 Rename the components so each component has a unique name. See Renaming Components.
Adding Components
To add components to your Event View:
Step 1 In the deployment editor, click the Event View tab.
Step 2 In the Event Tools pane, select a component you want to add to your deployment.
Step 3 Type a unique name for the component you want to add. The name can be up to 20 characters in length and may include underscores or hyphens. Click Next.
Step 4 From the Select a host to assign to list box, select a managed host you want to assign the new component to. Click Next.
Step 5 Click Finish.
Step 6 Repeat for each component you want to add to your view.
Step 7 From the deployment editor menu, select File > Save to staging.
The deployment editor saves your changes to the staging area and automatically closes.
Step 8 On the Admin tab menu, select Deploy Changes.
Connecting Components
After you add all the necessary components in your Event View, you must connect your Event Processors and Event Collectors.
To connect components:
Step 1 On the Event View page, select the component for which you want to establish a connection.
Step 2 From the menu, select Actions > Add Connection.
NOTE
You can also right-click a component to access the Action menu item.
An arrow is displayed in your map. The arrow represents a connection between two components.
Step 3 Drag the end of the arrow to the component you want to establish a connection to.
Table 8-3 provides a list of components you are able to connect.
Step 4 Repeat for all remaining components that you want to establish a connection.
Step 5 Type a unique name for the source or target. The name can be up to 20 characters in length and may include underscores or hyphens. Click Next.
Step 6 Enter values for the parameters:
• Enter a name for the off-site host - Type the name of the off-site host. The name can be up to 20 characters in length and may only include numbers, letters, underscores or hyphens.
• Enter the IP address of the server - Type the IP address of the managed host to which you want to connect.
• Encrypt traffic from off-site source - Select the check box if you want to encrypt traffic from an off-site source. To enable encryption, you must select this check box on the associated off-site source and target.
Table 8-3 Component Connections
You can connect a... / To / Connection Guide
Event Collector to Event Processor:
• An Event Collector can only be connected to one Event Processor.
• A Console Event Collector can only be connected to a Console Event Processor. This connection cannot be removed.
• A non-Console Event Collector can be connected to an Event Processor on the same system.
• A non-Console Event Collector can be connected to a remote Event Processor, but only if the Event Processor does not already exist on the Console.
Event Collector to Off-site Target:
• The number of connections is not restricted.
Off-site Source to Event Collector:
• The number of connections is not restricted.
Event Processor to Event Processor:
• A Console Event Processor cannot connect to a non-Console Event Processor.
• A non-Console Event Processor can be connected to another Console or non-Console Event Processor, but not both at the same time.
• A non-Console Event Processor will be connected to a Console Event Processor when a non-Console managed host is added.
Step 7 Click Next.
Step 8 Click Finish.
Step 9 Repeat for all remaining off-site sources and targets.
Step 10 From the main menu, select File > Save to staging.
NOTE
If you update your Event Collector configuration or the monitoring ports, you must manually update your source and target configurations to maintain the connection between deployments.
Forwarding Normalized Events
To forward normalized events, you must configure an off-site Event Collector (target) in your current deployment and the associated off-site Event Collector in the receiving deployment (source).
You can add the following components to your Event View page:
• Off-site Source - An off-site Event Collector from which you want to receive event data. The off-site source must be configured with appropriate permissions to send event data to the off-site target.
• Off-site Target - An off-site Event Collector to which you want to send event data.
For example:
To forward normalized events between two deployments (A and B), where deployment B wants to receive events from deployment A:
1 Configure deployment A with an off-site target to provide the IP address of the managed host that includes Event Collector B.
2 Connect Event Collector A to the off-site target.
3 In deployment B, configure an off-site source with the IP address of the managed host that includes Event Collector A and the port that Event Collector A is monitoring.
If you want to disconnect the off-site source, you must remove the connections from both deployments. From deployment A, remove the off-site target and in deployment B, remove the off-site source.
To enable encryption between deployments, you must enable encryption on both the off-site source and target. Also, you must ensure the SSH public key for the off-site source (client) is available to the target (server) to ensure appropriate access. For example, if you want to enable encryption between the off-site source and Event Collector B, you must copy the public key (located at /root/.ssh/id_rsa.pub) from the off-site source to Event Collector B (add the contents of the file to /root/.ssh/authorized_keys).
Figure 1 Example of Connecting Deployments
NOTE
If the off-site source or target is an all-in-one system, the public key is not automatically generated; therefore, you must generate the public key manually.
For more information on generating public keys, see your Linux documentation.
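The key exchange described above is done by hand on the target host. The following POSIX shell script is an added example, not part of the STRM Log Manager guide, showing how to install the off-site source's public key into the target's authorized_keys without creating duplicates and with the directory and file modes sshd requires. The key and authorized_keys paths are passed as arguments; the guide's own paths (/root/.ssh/id_rsa.pub on the source, /root/.ssh/authorized_keys on the target) are the values you would normally pass. The ensure_keypair helper covers the all-in-one case where no key pair was generated automatically.

```shell
#!/bin/sh
# Added example for installing an off-site source's SSH public key on the
# target Event Collector. Not from the STRM Log Manager guide; paths are
# arguments so the functions can be exercised against temporary files.

# ensure_keypair PRIVATE_KEY_PATH
# Generates an RSA key pair if the public half does not exist yet (the
# all-in-one case in the guide's note). Uses the standard ssh-keygen tool.
ensure_keypair() {
    [ -f "$1.pub" ] && return 0
    ssh-keygen -t rsa -N '' -f "$1"
}

# install_pubkey PUBKEY_FILE AUTHORIZED_KEYS
# Appends the first line of PUBKEY_FILE to AUTHORIZED_KEYS only if that exact
# key is not already present, and enforces 700 on the .ssh directory and 600
# on the file so sshd does not reject it under StrictModes.
# Returns 0 when the key is installed or already present, 1 when the public
# key file is missing or does not look like an OpenSSH public key line.
install_pubkey() {
    pubkey_file=$1
    auth_keys=$2
    if [ ! -r "$pubkey_file" ]; then
        echo "no readable public key at $pubkey_file" >&2
        return 1
    fi
    key=$(head -n 1 "$pubkey_file")
    # An OpenSSH public key line begins with its key type.
    case "$key" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
        *) echo "unrecognized public key format in $pubkey_file" >&2; return 1 ;;
    esac
    keydir=$(dirname "$auth_keys")
    mkdir -p "$keydir"
    chmod 700 "$keydir"
    touch "$auth_keys"
    chmod 600 "$auth_keys"
    if grep -qxF "$key" "$auth_keys"; then
        echo "key already present in $auth_keys"
    else
        printf '%s\n' "$key" >> "$auth_keys"
        echo "key installed in $auth_keys"
    fi
    return 0
}

# count_keys AUTHORIZED_KEYS
# Prints the number of key lines (lines starting with a key type), for a
# quick post-install check that exactly one entry was added.
count_keys() {
    grep -c '^[a-z]' "$1" 2>/dev/null || true
}

# Usage on the target: install_pubkey <copied id_rsa.pub> <authorized_keys>
if [ "$#" -eq 2 ]; then
    install_pubkey "$1" "$2"
fi
```

Running install_pubkey twice with the same key leaves a single entry, which matters when the source and target configurations are re-applied after an Event Collector change, as the note at the end of this section requires.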
To forward normalized events:
Step 1 On the Admin tab, click Deployment Editor.
Step 2 In the Components pane, select one of the following options:
• Off-site Source
• Off-site Target
Step 3 Type a unique name for the off-site source or off-site target. The name can be up to 20 characters in length and may include underscores or hyphens. Click Next.
Step 4 Enter values for the parameters:
• Enter a name for the off-site host - Type the name of the off-site host. The name can be up to 20 characters in length and may include underscores or hyphens.
• Enter the IP address of the source server - Type the IP address of the managed host you want to connect the off-site host to.
• Receive Events - Select the check box to enable the off-site host to receive events.
• Encrypt traffic from off-site source - Select the check box to encrypt traffic from an off-site source. When enabling encryption, you must select this check box on the associated off-site source and target.
Step 5 Click Next.
Step 6 Click Finish.
Step 7 Repeat for all remaining off-site sources and targets.
Step 8 From the deployment editor menu, select File > Save to staging.
The deployment editor saves your changes to the staging area and automatically closes.
Step 9 From the Admin tab menu, select Advanced > Deploy Changes.
NOTE
If you update your Event Collector configuration, you must manually update your source and target configurations to maintain the connection between deployments.
Renaming Components
You can rename a component in your view to uniquely identify components throughout your deployment.
To rename a component:
Step 1 Select the component you want to rename.
Step 2 From the menu, select Actions > Rename Component.
NOTE
You can also right-click a component to access the Action menu items.
Step 3 Type a new name for the component. The name must be alphanumeric with no special characters.
Step 4 Click OK.