LogLogic Cisco IPS
Log Configuration Guide
© 2011 LogLogic, Inc.
Proprietary Information
This document contains proprietary and confidential information of LogLogic, Inc. and its licensors. In accordance with the license, this document may not be copied, disclosed, modified, transmitted, or translated except as permitted in writing by LogLogic, Inc.
Trademarks
LogLogic and the LogLogic logo are trademarks or registered trademarks of LogLogic, Inc. in the United States and/or foreign countries. All other company or product names are trademarks or registered trademarks of their respective owners.
Notice
The information contained in this document is subject to change at any time without notice. All warranties with respect to the software and accompanying documentation are set out exclusively in the Software License Agreement or in the Product Purchase Agreement that covers the documentation.
Contents
Preface
  About This Guide
  Technical Support
  Documentation Support
  Conventions
Chapter 1 – Configuring LogLogic’s Cisco IPS Log Collection
  Introduction to Cisco IPS
  Prerequisites
  Enabling a Cisco IPS for SDEE
  Enabling the LogLogic Appliance to Capture Data
  Adding a Cisco IPS Device
  Verifying the Configuration
Chapter 2 – How LogLogic Supports Cisco IPS
  How LogLogic Captures Cisco IPS Data
  LogLogic Real-Time Reports
Preface
About This Guide
The LogLogic® Appliance-based solution lets you capture and manage log data from all types of log sources in your enterprise. The LogLogic support for Cisco® IPS enables LogLogic Appliances to capture logs from machines running Cisco IPS.
Once the logs are captured and parsed, you can generate reports and create alerts on Cisco IPS’s operations. For more information on creating reports and alerts, see the LogLogic User Guide and LogLogic Online Help.
Technical Support
LogLogic is committed to the success of our customers and to ensuring our products improve customers' ability to maintain secure, reliable networks. Although LogLogic products are easy to use and maintain, occasional assistance might be necessary. LogLogic provides timely and comprehensive customer support and technical assistance from highly knowledgeable, experienced engineers who can help you maximize the performance of your LogLogic Appliances. To reach LogLogic Customer Support:
Telephone: Toll Free—1-800-957-LOGS; Local—1-408-834-7480
EMEA or APAC: +44 (0) 207 1170075 or +44 (0) 8000 669970
Email: [email protected]
You can also visit the LogLogic Support website at: http://www.loglogic.com/services/support. When contacting Customer Support, be prepared to provide:
Your name, email address, phone number, and fax number
Your company name and company address
Your machine type and release version
A description of the problem and the content of pertinent error messages (if any)
Documentation Support
Your feedback on LogLogic documentation is important to us. Send e-mail to [email protected] if you have questions or comments. Your comments will be reviewed and addressed by the LogLogic technical writing team.
Conventions
LogLogic documentation uses the following conventions to highlight code and command-line elements:
A monospace font is used for programming elements (such as code fragments, objects, methods, parameters, and HTML tags) and system elements (such as filenames, directories, paths, and URLs).
A monospace bold font is used to distinguish system prompts or screen output from user responses, as in this example:
username: system
home directory: home\app
A monospace italic font is used for placeholders, which are general names that you replace with names specific to your site, as in this example:
LogLogic_home_directory\upgrade\
Straight brackets signal options in command-line syntax. For example:
Chapter 1 – Configuring LogLogic’s Cisco IPS Log Collection
This chapter describes the configuration steps involved to enable a LogLogic Appliance to request Cisco IPS logs. The configuration steps assume that you have a functioning LogLogic Appliance that can be configured to capture Cisco IPS-related log data.
Introduction to Cisco IPS
Prerequisites
Enabling a Cisco IPS for SDEE
Enabling the LogLogic Appliance to Capture Data
Verifying the Configuration
Introduction to Cisco IPS
The LogLogic Appliance supports Cisco IPS Alert events. The Cisco IPS signature library consists of specific signatures that have logging enabled; only those signatures produce events for the Appliance to collect.
Prerequisites
Prior to configuring Cisco IPS and the LogLogic Appliance, ensure that you meet the following prerequisites:
Cisco IPS version 6.2 or 7.0
Proper access permissions to make configuration changes
LogLogic Appliance running Release 4.9.1 or later with a Log Source Package that includes Cisco IPS support
Administrative access on the LogLogic Appliance
Enabling a Cisco IPS for SDEE
You must configure the Cisco IPS to accept SDEE connections from the LogLogic Appliance before configuring the LogLogic Appliance.
Note: This document does not describe all features and functionality within Cisco IPS regarding configuration. For more information on these areas, see Cisco IPS Product Documentation.
4. At the Prompt dialog, enter your username and password, and click OK.
5. On the left-most panel, select Sensor Setup > Allowed Hosts. The Cisco IDM window displays the Allowed Hosts panel.
6. Add the IP address and Network Mask of the LogLogic Appliance.
7. Click Apply.
The LogLogic Appliance will now be able to connect to the Cisco SDEE sensor.
Note: TLS/SSL must be enabled and the Web Server Port must be set to 443 under Configuration > Sensor Setup > Network, Web Server Settings.
Enabling the LogLogic Appliance to Capture Data
The following sections describe how to enable the LogLogic Appliance to capture Cisco IPS SDEE log data.
Adding a Cisco IPS Device
If you do not want to use the auto-identification feature, you can manually add a Cisco IPS device to the LogLogic Appliance before you redirect the logs.
To add Cisco IPS as a new device:
1. Log in to the LogLogic Appliance.
2. From the navigation menu, select Management > Devices. The Devices tab appears.
3. Click Add New.
The Add Device tab appears.
4. Type in the following information for the device:
Name—Name for the Cisco IPS device
Description (optional)—Description of the Cisco IPS device
Device Type—Select Cisco IPS from the drop-down menu
Host IP—IP address of the Cisco IPS appliance
Enable Data Collection—Select the Yes radio button
Refresh Device Name through DNS Lookups (optional)—Select this checkbox to have the Name field updated automatically. The name is obtained by a reverse DNS lookup at the configured refresh interval, and the DNS name overrides any name you assign manually.
SSL Port—Cisco IPS Sensor SDEE port
Polling Interval—Collection polling interval
UserID—User name of the account on the Cisco IPS Sensor
Password—Password for the user account
5. In the Cisco IPS Collector Configuration panel, enter a UserID and a Password, then click Test Connection to confirm that the Appliance can connect to the sensor.
Figure 1 Add Device Tab
7. Verify that your new device appears in the Devices tab and that Enabled is set to Yes. When logs arrive from the specified Cisco IPS appliance, the LogLogic Appliance uses the device you just added if the hostname or IP address matches.
Verifying the Configuration
This section describes how to verify that the configuration changes made to Cisco IPS and the LogLogic Appliance have been applied correctly.
To verify the configuration:
1. Log in to the LogLogic Appliance.
2. From the navigation menu, select Dashboards > Log Source Status.
Figure 2 Verification of the Cisco IPS Configuration
Chapter 2 – How LogLogic Supports Cisco IPS
This chapter describes LogLogic’s support for Cisco IPS: LogLogic captures Cisco IPS log data so that you can monitor events.
How LogLogic Captures Cisco IPS Data
LogLogic Real-Time Reports
How LogLogic Captures Cisco IPS Data
Cisco IPS exposes its events in the SDEE (Security Device Event Exchange) format and protocol over SSL, and the LogLogic Appliance polls the sensor over that SSL connection to retrieve them.
Once the data is captured you can generate search reports or create alerts. For more information on creating reports and alerts, see the LogLogic User Guide and LogLogic Online Help.
Figure 3 Cisco IPS, SDEE, and LogLogic Architecture
LogLogic Real-Time Reports
LogLogic provides pre-configured Real-Time Reports for log data. The following Real-Time Reports are available:
All Unparsed Events—Displays data for all events retrieved from the Microsoft Windows log for a specified time interval
IDS/IPS Activity—Displays Source and Destination IP address, Destination port number, and Signature intrusion detection information for a specified time interval.
2. Click Threat Management.
The following Real-Time Reports are available:
IDS/IPS Activity
3. Click Operational.
The following Real-Time Reports are available:
All Unparsed Events
Appendix A – Event Reference
This appendix lists the LogLogic-supported Cisco IPS events. The LogLogic Cisco IPS event table identifies event formats that can be analyzed through LogLogic Agile Reports, as well as a sample log message.
LogLogic Support for Cisco IPS Events
The following list describes the contents of each of the columns in the table below.
Event ID – An ID referencing the unique occurrence.
Agile Reports/Search – Defines whether the Cisco IPS event is available through the LogLogic Agile Reporting engine or through the search capabilities. If the event is available through the Agile Report engine, you can use LogLogic Real-Time Reports and Summary Reports to analyze and display the captured log data. All other supported events captured by the LogLogic Appliance can be viewed by searching the log data.
Title – Not Applicable (N/A).
Event Category – Category of event, such as Alert, System, Error.
Event Type – Type of event, such as Traffic.
Sample Log Message – Sample Cisco IPS log messages.
LogLogic supports all events of eventType "evIdsAlert", provided logging is enabled for them on the Cisco IPS device. These events are supported by the IDS Activity report.
Example Event:
eventType="evIdsAlert",eventId="1265425594593088348",vendor="Cisco",severity="informational",originator_hostId="CISCO_IPS_4240",originator_appName="sensorApp",originator_appInstanceId="396",time_offset="-480",time_timeZone="GMT-08:00",time="2010-05-25
Table 1 Cisco IPS Events

Event ID: 1
Agile/Search Reports: Agile
Title: N/A
Event Category: Alert
Event Type: evIdsAlert
Sample Log Message:
eventType="evIdsAlert",eventId="1265425594593088348",vendor="Cisco",severity="informational",originator_hostId="CISCO_IPS_4240",originator_appName="sensorApp",originator_appInstanceId="396",time_offset="-480",time_timeZone="GMT-08:00",time="2010-05-25 16:44:14.887257",signature_description="Net Flood TCP",signature_id="6920",signature_version="S4",signature_type="anomaly",signature_created="20010725",signature_subsigId="0",signature_marsCategory="DoS/Network/TCP",interfaceGroup="vs0",vlan="0",participants="",alertDetails="MaxPPS during this interval: 29;",riskRatingValue_targetValueRating="medium",riskRatingValue="25",threatRatingValue="25",interface="sy0_0",protocol="tcp"

Event ID: 2
Agile/Search Reports: Search
Title: N/A
Event Category: System
Event Type: evStatus
Sample Log Message:
eventType="evStatus",eventId="1265405134507577854",vendor="Cisco",originator_hostId="CISCO_IPS_4240",originator_appName="cidwebserver",originator_appInstanceId="325",time_offset="60",time_timeZone="Pacific",time="1271699008192750000",loginAction_action="loggedIn",loginAction_description="User logged into HTTP server",loginAction_userName="loglogic",loginAction_userAddress_port="60058",loginAction_userAddress="192.168.11.10"
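An added example, not LogLogic’s own code, that parses the flattened key="value" messages shown in Table 1 into a dictionary, routes each event the way the table does (evIdsAlert to Agile Reports, everything else to Search), and extracts the fields an analyst triages from an evIdsAlert. The sample messages are copied from Table 1; the parser assumes a value never contains a double quote.

```python
import re

# Sample messages copied from Table 1 of this guide, with the PDF line wrapping removed.
ALERT = (
    'eventType="evIdsAlert",eventId="1265425594593088348",vendor="Cisco",severity="informational",'
    'originator_hostId="CISCO_IPS_4240",originator_appName="sensorApp",originator_appInstanceId="396",'
    'time_offset="-480",time_timeZone="GMT-08:00",time="2010-05-25 16:44:14.887257",'
    'signature_description="Net Flood TCP",signature_id="6920",signature_version="S4",'
    'signature_type="anomaly",signature_created="20010725",signature_subsigId="0",'
    'signature_marsCategory="DoS/Network/TCP",interfaceGroup="vs0",vlan="0",participants="",'
    'alertDetails="MaxPPS during this interval: 29;",riskRatingValue_targetValueRating="medium",'
    'riskRatingValue="25",threatRatingValue="25",interface="sy0_0",protocol="tcp"'
)
STATUS = (
    'eventType="evStatus",eventId="1265405134507577854",vendor="Cisco",originator_hostId="CISCO_IPS_4240",'
    'originator_appName="cidwebserver",originator_appInstanceId="325",time_offset="60",'
    'time_timeZone="Pacific",time="1271699008192750000",loginAction_action="loggedIn",'
    'loginAction_description="User logged into HTTP server",loginAction_userName="loglogic",'
    'loginAction_userAddress_port="60058",loginAction_userAddress="192.168.11.10"'
)

# One key="value" field followed by a comma or end of line. The value may contain
# spaces, commas, slashes, colons or newlines; assumption: it never contains a double quote.
_FIELD = re.compile(r'(\w+)="([^"]*)"(?:,|$)')

def parse_event(line):
    """Parse one flattened Cisco IPS event into a dict, rejecting any leftover text."""
    fields, pos = {}, 0
    for m in _FIELD.finditer(line):
        if m.start() != pos:  # a gap means something was not a key="value" pair
            raise ValueError(f"unparsed text at offset {pos}: {line[pos:m.start()]!r}")
        fields[m.group(1)] = m.group(2)
        pos = m.end()
    if pos != len(line):
        raise ValueError(f"trailing text at offset {pos}: {line[pos:]!r}")
    return fields

def report_route(event):
    """Per Table 1: evIdsAlert reaches Agile Reports (IDS/IPS Activity); anything else is Search only."""
    return "Agile" if event.get("eventType") == "evIdsAlert" else "Search"

def alert_summary(event):
    """Triage view of an evIdsAlert: sensor, signature/subsignature, and the ratings as ints."""
    if event.get("eventType") != "evIdsAlert":
        raise ValueError("not an evIdsAlert")
    return {"sensor": event["originator_hostId"],
            "signature": event["signature_id"] + "/" + event["signature_subsigId"],
            "description": event["signature_description"],
            "risk_rating": int(event["riskRatingValue"]),
            "threat_rating": int(event["threatRatingValue"])}
```

Strip the trailing newline from a message read from a file before passing it to parse_event, since the parser treats any unmatched text as an error.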