Symantec™ Event Collector for Kiwi© Syslog Daemon
Quick Reference
The software described in this book is furnished under a license agreement and may be used only in accordance with the terms of the agreement.
Documentation version 4.0
Legal Notice
Copyright © 2007 Symantec Corporation. All rights reserved.
Symantec, the Symantec logo, LiveUpdate, Symantec AntiVirus, and Symantec Security Response are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. Microsoft, Windows, and Window 2000 are trademarks or registered trademarks of Microsoft Corporation. This product includes software that was developed by the Apache Software Foundation. Other brands and product names mentioned in this manual may be trademarks or registered trademarks of their respective companies and are hereby acknowledged. Kiwi Syslog Daemon is freeware developed by Kiwi Enterprises.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Symantec Corporation and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. SYMANTEC CORPORATION SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING,
PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
Technical Support
Symantec Technical Support maintains support centers globally. Technical Support’s primary role is to respond to specific queries about product feature and function, installation, and configuration. The Technical Support group also authors content for our online Knowledge Base. The Technical Support group works collaboratively with the other functional areas within Symantec to answer your questions in a timely fashion. For example, the Technical Support group works with Product Engineering and Symantec Security Response to provide alerting services and virus definition updates.
Symantec’s maintenance offerings include the following:
■ A range of support options that give you the flexibility to select the right amount of service for any size organization
■ A telephone and web-based support that provides rapid response and up-to-the-minute information
■ Upgrade insurance that delivers automatic software upgrade protection
■ Global support that is available 24 hours a day, 7 days a week worldwide. Support is provided in a variety of languages for those customers that are enrolled in the Platinum Support program
■ Advanced features, including Technical Account Management
For information about Symantec’s Maintenance Programs, you can visit our Web site at the following URL:
www.symantec.com/techsupp/
Select your country or language under Global Support. The specific features that are available may vary based on the level of maintenance that was purchased and the specific product that you are using.
Contacting Technical Support
Customers with a current maintenance agreement may access Technical Support information at the following URL:
www.symantec.com/techsupp/
Select your region or language under Global Support.
When you contact Technical Support, please have the following information available:
■ Product release level
■ Hardware information
■ Available memory, disk space, and NIC information
■ Operating system
■ Version and patch level
■ Network topology
■ Router, gateway, and IP address information
■ Problem description:
■ Error messages and log files
■ Troubleshooting that was performed before contacting Symantec
■ Recent software configuration changes and network changes
Licensing and registration
If your Symantec product requires registration or a license key, access our technical support Web page at the following URL:
www.symantec.com/techsupp/
Select your region or language under Global Support, and then select the Licensing and Registration page.
Customer service
Customer service information is available at the following URL: www.symantec.com/techsupp/
Select your country or language under Global Support.
Customer Service is available to assist with the following types of issues:
■ Questions regarding product licensing or serialization
■ Product registration updates such as address or name changes
■ General product information (features, language availability, local dealers)
■ Latest information about product updates and upgrades
■ Information about upgrade insurance and maintenance contracts
■ Advice about Symantec's technical support options
■ Nontechnical presales questions
■ Issues that are related to CD-ROMs or manuals
Maintenance agreement resources
If you want to contact Symantec regarding an existing maintenance agreement, please contact the maintenance agreement administration team for your region as follows:
■ Asia-Pacific and Japan: [email protected]
■ Europe, Middle-East, and Africa: [email protected]
■ North America and Latin America: [email protected]
Additional Enterprise services
Symantec offers a comprehensive set of services that allow you to maximize your investment in Symantec products and to develop your knowledge, expertise, and global insight, which enable you to manage your business risks proactively. Enterprise services that are available include the following:
These solutions provide early warning of cyber attacks, comprehensive threat analysis, and countermeasures to prevent attacks before they occur. Symantec Early Warning Solutions
These services remove the burden of managing and monitoring security devices and events, ensuring rapid response to real threats.
Managed Security Services
Symantec Consulting Services provide on-site technical expertise from Symantec and its trusted partners. Symantec Consulting Services offer a variety of prepackaged and customizable options that include assessment, design, implementation, monitoring and management capabilities, each focused on establishing and maintaining the integrity and availability of your IT resources.
Consulting Services
To access more information about Enterprise services, please visit our Web site at the following URL:
www.symantec.com
Technical Support
Chapter 1
Introducing Symantec Event Collector for Kiwi Syslog
Daemon
About this Quick Reference ... 11
Compatibility requirements ... 11
Compatibility requirements for Kiwi Syslog Daemon ... 12
System requirements for the collector machine ... 12
Preinstallation requirements for the Kiwi Syslog Daemon Event Collector ... 12
Configuring your security product to work with the collector ... 12
Configuring Kiwi Syslog Daemon to work with the collector ... 13
About the installation sequence ... 13
Sensor configuration ... 13
Sensor settings for Kiwi Syslog Daemon Event Collector ... 13
About LiveUpdate ... 14
Chapter 2
Implementation notes
Implementation notes for Kiwi Syslog Daemon Event Collector ... 15Product ID ... 15
Method of data collection ... 15
Schema package ... 15
Event example ... 15
Event mapping for Information Manager version 4.5 ... 16
Index
Introducing Symantec Event
Collector for Kiwi Syslog
Daemon
This chapter includes the following topics:
■ About this Quick Reference
■ Compatibility requirements
■ Preinstallation requirements for the Kiwi Syslog Daemon Event Collector
■ Configuring your security product to work with the collector
■ About the installation sequence
■ Sensor configuration
■ About LiveUpdate
About this Quick Reference
This quick reference includes information that is specific to Symantec Event Collector for Kiwi Syslog Daemon. For detailed information on how to install and configure event collectors, please see the Symantec Event Collectors Integration
Guide.
Compatibility requirements
The collector is compatible with specific versions of the security product and is compatible with certain operating systems.
Compatibility requirements for Kiwi Syslog Daemon
The collector is compatible with the Kiwi Syslog Daemon version 7.2 and later. The collector runs on the following operating systems:
■ Microsoft Windows 2000 with Service Pack 4 or higher
■ Microsoft Windows XP with Service Pack 2 or higher
■ Microsoft Windows 2003 Standard Edition with Service Pack 1 or higher
■ Microsoft Windows 2003 Server Enterprise Edition with Service Pack 1 or higher
System requirements for the collector machine
The machine on which you install the collector must meet the following minimum system requirements:
■ Intel® Pentium®-compatible 133-MHz processor (up to and including Xeon®-class)
■ 512 MB minimum, 1 GB of memory recommended for the Agent
■ 35 MB of hard disk space for collector program files
■ 95 MB of hard disk space to accommodate the Agent, JRE, and the collector
■ TCP/IP connection to a network with a fixed IP address
Preinstallation requirements for the Kiwi Syslog
Daemon Event Collector
There are no preinstallation requirements.
Configuring your security product to work with the
collector
After you have installed the necessary collector components, you must configure Kiwi Syslog Daemon so that event information is available to the collector. For detailed information on configuring Kiwi Syslog Daemon, see your security product documentation.
Introducing Symantec Event Collector for Kiwi Syslog Daemon
Configuring Kiwi Syslog Daemon to work with the collector
Make sure you identify the path and name of the log file where Kiwi Syslog Daemon stores events. Also, you must identify the IP address and port number of the machine that will be collecting events.
About the installation sequence
The collector installation sequence is generally as follows:
■ Register the collector
Note: The SSIM Client console should be closed before registering the collector.
■ Install the Agent
■ Install the collector component
For more information, see the Symantec Event Collectors Integration Guide.
Sensor configuration
The collector uses a sensor that must be configured to receive security events. After the sensor is configured, the settings must be distributed to the collectors on the target computers.
The collector can not use the configuration named Default. You must create a new one.
The collector includes the following features:
■ Raw events
■ Sensor statistics
■ Importing and exporting of sensor settings, and filtering and aggregation rules
■ Global updating of sensor settings
For more information, see the Creating collector configurations section located in the Symantec Event Collectors Integration Guide.
Sensor settings for Kiwi Syslog Daemon Event Collector
The collector uses a log file sensor with the following properties:
■ Log file directory
13 Introducing Symantec Event Collector for Kiwi Syslog Daemon
Specify the path to the log file on the security product machine. The default log file directory is:C:\Program Files\Syslogd.
See“Configuring your security product to work with the collector”on page 12.
■ Log File Name
Specify the name of the log file. The default log file name isLogs.
You can also leave this property blank to read all files in the log file directory.
■ Reading Mode
Specify whether to check for new log files after reaching the end of the current log file, or to wait for new events to be added to the current log file.
■ Start Reading From
Specify where to start reading the log file upon restart of the collector. Specify Last Position to keep track of which line the collector is reading from in the log file. If the collector is interrupted and restarted, reading continues from this position. If starting the collector for the first time, the collector reads all events from all files. Last Position is the default value.
Note: If the file for which a last position was saved no longer exists, the collector starts reading from the log file with the timestamp that is later than, but nearest to, the file for which the last position was saved.
■ Time Offset
This property is not in use at this time.
About LiveUpdate
LiveUpdate is not supported on this collector.
Introducing Symantec Event Collector for Kiwi Syslog Daemon About LiveUpdate
Implementation notes
This chapter includes the following topics:
■ Implementation notes for Kiwi Syslog Daemon Event Collector
Implementation notes for Kiwi Syslog Daemon Event
Collector
This section describes the implementation details for the Kiwi Syslog Daemon Event Collector.
Product ID
The product ID for Symantec Event Collector for Kiwi Syslog Daemon is: 3143.
Method of data collection
The Kiwi Syslog Daemon Event Collector uses a log file sensor for data collection.
Schema package
The collector uses the following schema package:
■ Base events
Event example
Intrusion event example:
20051107 20:01:15 Local7.Debug 127.0.0.1 Kiwi Syslog Daemon -Test message number 0031
Event mapping for Information Manager version 4.5
Table 2-1 Event mapping
Comment Kiwi Syslog Daemon field name
Information Manager field name
symc_host_intrusion. Value is added by SES processor for all events.
n/a EventClassName
30007601 - Application. Value is added by SES processor for all events. n/a
category_id
The IP or host name of the system logging the syslog event.
n/a destination_host_name
The IP or host name of the system logging the syslog event.
n/a destination_ip
Description of the event. Any string range in syslog file after Position 3. event_desc
event_desc
Date and time of the event. Normally occurs at the beginning of the syslog event (Position 0 and Position 1). event_dt
event_dt
1032000 – Host Intrusion Event. Value is added by SES processor for all events. n/a
event_id
The IP or host name of the system logging the syslog event.
n/a source_host_name
The IP or host name of the system logging the syslog event.
n/a source_ip
The field contains the string “KiwiSyslog”.
n/a intrusion_vendor_name
Implementation notes
Table 2-1 Event mapping (continued)
Comment Kiwi Syslog Daemon field name
Information Manager field name
Depending on the event type, possible values are: 1 – Informational 2 - Warning 3 - Minor 4 - Major 5 - Critical 6 – Fatal
Severity is translated as follows: debug - 1 - Low-priority message typically used for troubleshooting info - 1 - Informational messages notice - 1 - Normal condition that may require attention
warning - 2 - Warning message, usually resulting from a recoverable error err - 3 - Error condition
crit - 4 - Critical condition, possibly a hardware problem
alert - 5 - Condition that requires immediate attention
emerg - 6 - Emergency condition of the highest priority
Severity severity
The field contains the string “KiwiSyslog”.
n/a vendor_code
Implementation notes
C
compatibility requirements 11 configuring
Kiwi Syslog Daemon 12 sensor 13
I
implementation notes 15 installation 13
K
Kiwi Syslog Daemon configuration 12
