• No results found

Microsoft Internet Information Services (IIS)

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Microsoft Internet Information Services (IIS)"

Copied!
11
0
0

Loading.... (view fulltext now)

Download now ( 11 Page )

Full text

(1)

McAfee Enterprise Security Manager

Data Source Configuration Guide

Data Source:

Microsoft Internet Information Services (IIS)

(2)

Important Note:

(3)

Table of Contents

1

 

Introduction 4

 

2

 

Prerequisites 4

 

3

 

Specific Data Source Configuration Details 5

 

3.1

 

Microsoft IIS Configuration 5

 

3.2

 

McAfee Receiver Configuration 7

 

4

 

Data Source Event to McAfee Field Mappings 8

 

4.1

 

Log Format 8

 

4.2

 

Log Sample 8

 

4.3

 

Mappings 9

 

5

 

Appendix A - Generic Syslog Configuration Details 11

 

(4)

1 Introduction

This guide details how to configure Microsoft IIS to send syslog data in the proper format to the ESM.

2 Prerequisites

McAfee Enterprise Security Manager Version 9.2.0 and above.

(5)

3 Specific Data Source Configuration Details

3.1 Microsoft IIS Configuration

1. Open the Internet Information Services (IIS) Manager (found in Administrative Tools within the Control Panel).

2. Select the Logging option:

(6)

4. Take note of where the logs are being saved (or change the location if desired). 5. Finish the logging setup by configuring the MFE SIEM Collector to tail the IIS logs and

(7)

3.2 McAfee Receiver Configuration

After successfully logging into the McAfee ESM console the data source will need to be added to a McAfee Receiver in the ESM hierarchy.

1. Select the Receiver you are applying the data source setting to. 2. Select the Receiver properties.

3. From the Receiver Properties listing, select “Data Sources”. 4. Select “Add Data Source”.

OR

1. Select the Receiver you are applying the data source setting to. 2. After selecting the Receiver, select the “Add Data Source” icon.

Data Source Screen Settings

1. Data Source Vendor – Microsoft

2. Data Source Model – Internet Information Services (ASP) 3. Data Format – Default

4. Data Retrieval – MEF

5. Enabled: Parsing/Logging/SNMP Trap – <Defaults> 6. Name – Name of data source

7. IP Address/Hostname – The IP address and host name associated with the data source device.

8. Support Generic Syslogs – Do nothing 9. Time Zone – Time zone of data being sent.

(8)

4 Data Source Event to McAfee Field Mappings

4.1 Log Format

The expected formats for this device are as follows: WC3

date time s-sitename s-computername s-ip method uri-stem uri-query s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken

NCSA

Remote_host_address Remote_log_name User_name [Date/time Greenwich mean time (GMT) offset] "Request and protocol version" Service_status_code Bytes_sent

IIS

Client_IP_address, User_name, Date, Time, Service_and_instance, Server_name, Server_IP, Time_taken, Client_bytes_sent, Server_bytes_sent, Service_status_code,

Windows_status_code, Request_type, Target_of_operation, Parameters,

4.2 Log Sample

The following are samples of possible logs from the Microsoft IIS device: WC3

2011-04-14 14:58:36 MS_ISS_1 name 127.0.0.1 GET /exampletest - 80 - 127.0.0.1 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+8.0;+Windows+NT+6.1;+WOW64;+Trident/4.0;+SLCC2;+.NET+ CLR+2.0.50727;+.NET+CLR+3.5.30729;+.NET+CLR+3.0.30729) - - 127.0.0.1 404 4 2 109 398 2 NCSA

172.21.13.45 - Microsoft\fred [08/Apr/2001:17:39:04 -0800] "GET /scripts/iisadmin/ism.dll?http/serv HTTP/1.0" 200 3401

IIS

(9)

4.3 Mappings

The table below shows the mappings between the data source and McAfee ESM fields.

WC3 Log Fields McAfee ESM Fields

Date Time (two fields) FirstTime,LastTime

s-ip Destination IP

cs-method Command

cs-uri-stem Object

s-port Destination Port

cs-username (domain section) Domain

cs-username Source User

c-ip Source IP

cs(User-Agent) Application

cs-host Hostname

sc-status sid

sc-status(first number) Action

IIS Log Fields McAfee ESM Fields

Client IP Source IP

User name Source User

Date Time (two fields) FirstTime, LastTime

Server Name Hostname

Server IP Destination IP Clients bytes sent Bytes_from_Client Server bytes sent Bytes_from_Server Service Status Code sid

Service Status Code (first number) action

(10)

NCSA Log Fields McAfee ESM Fields Remote Host Address Source IP

User name Source User

Date Time (two fields) FirstTime, LastTime Request and protocol version (first part) Command

Request and protocol version (second part) Object Request and protocol version (third part) Protocol Service Status Code sid Service Status Code (first number) action

(11)

5 Appendix A - Generic Syslog Configuration Details

Once you select the option to add a data source, you are taken to the “Add Data Source” menu. The general options for adding a data source are shown. As you select different options, additional parameters may show. Each of these parameters will be examined in more detail.

1. Use System Profiles – System Profiles are a way to use settings that are repetitive in nature, without having to enter the information each time. An example is WMI credentials, which are necessary to retrieve Windows Event Logs if WMI is the chosen mechanism.

2. Data Source Vendor – List of all supported vendors.

3. Data Source Model – List of supported products for a vendor.

4. Data Format – “Data Format” is the format the data is in. Options are “Default”, “CEF”, and “MEF”.

Note – If you choose CEF it will enable the generic rule for CEF and may not parse data source-specific details.

5. Data Retrieval – “Data Retrieval” allows you to select how the Receiver is going to collect the data. Default is over syslog.

6. Enabled: Parsing/Logging/SNMP Trap – Enables parsing of the data source, logging of the data source, and reception of SNMP traps from the data source. If no option is checked, the settings are saved to the ESM, but not written to the Receiver or utilized. Default is to select “Parsing”.

7. Name – This is the name that will appear in the Logical Device Groupings tree and the filter lists.

8. IP Address/Hostname – The IP address and host name associated with the data source device.

9. Syslog Relay – “Syslog Relay” allows data to be collected via relays and bucketed to the correct data source. Enable syslog relay on relay sources such as Syslog-NG.

10. Mask – Enables you to apply a mask to an IP address so that a range of IP addresses can be accepted.

11. Require Syslog TLS – Enable to require the receiver to communicate over TLS.

12. Support Generic Syslog – “Generic Syslog” allows users to select “Parse generic syslog” or “Log ‘unknown syslog event”. Both these options will create an alert for an auto-learned syslog event if there is no parsing rule.

13. Time Zone - If syslog events are sent in a time zone other than GMT, you need to set the time zone of the data source so the date on the events can be set accordingly.

14. Interface – Opens the receiver interface settings to associate ports with streams of information.

15. Advanced – Opens advanced settings for the data source.

6 Appendix B - Troubleshooting

• If a data source is not receiving events, verify that the data source settings have been written out and that policy has been rolled out to the Receiver.

References

Download now ( PDF - 11 Page - 422.74 KB )

Related documents

Ectopic intrathyroidal thymus in children: Two case reports and review of the literature

Ectopic thymus most commonly occurs in the cervical area or mediastinum, whereas ectopic intrathyroidal thymic tissue is a rare occurrence.. This report describes a 26-month-old

How to Lay Favourites for a Living

Elusive Warrior has no primary warning signs against it's name and seems to be more than a match for the favourite as it has won a class 5 event on it's previous run.... Danish

Effects of Process Variations on 3-D Global Clock Distribution Networks

When the data-related sinks are located in adjacent planes of a 3D circuit, the multigroup 3D clock tree topology is more efficient in reducing the skew variation than both the

Schedule Meeting Time Zone

Recurrence options will by using meeting time zone that the windows global time zone settings windows global time zones in which dates and when in the appropriate time..

PENGARUH VARIETAS DAN KEPADATAN TANAM TERHADAP PERTUMBUHAN DAN HASIL PADI (Oryza sativa L.) PADA LAHAN SAWAH DI ANTURAN

Sebaliknya Pengaruh kepadatan tanam pada cara tanam jajar legowo 2:1 terhadap perkembangan jumlah anakan produktif per rumpun padi menunjukkan, bahwa tanam jajar

Conquer Chronic Wounds with Wound Bed Preparation

Débridement is the third critical component to pre- pare the chronic wound bed for healing. Débridement decisions require the clinician to think outside the acute wound model. The

What s New In IceWarp 10.2

• Time Zone Selection for Events - Offers all available time zones including Local Time (default),.. UTC/GMT and Location/City for all major locations around

Virtual Show Best Practices Global Audiences

Also note, per the time zone discussion earlier in this document, you’ll want to ensure all promotions include the show default time zone of GMT, as well as the local region