• Configure Cisco ACS version 4.2, or
• Configure Cisco ACS version 5.1 and later
II. Configure RSA NetWitness Suite for Syslog Collection
2. Select all of the options, and click Submit.
3. Click System Configuration > Logging.
4. In the Syslog column, click the Configure link of an entry listed that you want to configure.
6. Select only the following columns in the following order:
• Failed Attempts
Message-Type, User-Name, Group-Name, Caller-ID, Called-Station-Id, Authen-Failure-Code, Author-Failure-Code, Author-Data, NAS-IP-Address, NAS-Port, NetworkDeviceGroup, System-Posture-Token, Application-Posture-Token, AAA Server, AccessDevice, NetworkAccessProfileName, Priv-lvl
• Passed Authentications
Message-Type, User-Name, Group-Name, Caller-ID, Called-Station-Id, NAS-IP-Address, NAS-Port, NetworkDeviceGroup, System-Posture-Token, Application-Posture-Token, AAA Server, AccessDevice, NetworkAccessProfileName, Real Name, Description, Priv-lvl
• RADIUS Accounting
User-Name, Group-Name, Calling-Station-Id, Called-Station-Id, NAS-IP-Address, NAS-Port, Acct-Status-Type, Acct-Session-Id, Acct-Session-Time, Service-Type, Framed-IP-Address, Framed-Protocol, Login-IP-Host, Acct-Authentic, AAA Server, ExtDBInfo, AccessDevice, Acct-Terminate-Cause, Acct-Input-Octets, Acct-Output-Octets
• TACACS+ Accounting
User-Name, Group-Name, Caller-Id, Acct-Flags, priv-lvl, elapsed_time, service, bytes_in, bytes_out, NAS-IP-Address, NAS-Portname, cmd
• TACACS+ Administration
User-Name, Group-Name, Caller-Id, Acct-Flags, priv-lvl, cmd, service, NAS-IP-Address, NAS-Portname, reason
• Database Replication
No fields available
• Administration Audit
No fields available
7. Under Syslog Servers, complete the fields as follows:
• In the IP Address field, enter the IP address of the RSA NetWitness Suite.
• In the Port field, type 514.
8. Click Submit.
9. Repeat steps 4 through 8 for each of the required logs.
10. Complete the following steps so that the log files are created with a timestamp that the RSA NetWitness Suite can correctly interpret:
2. To configure RSA NetWitness Suite as a log target, follow these steps:
a. Click System Administration > Log Configuration > Remote Log Targets.
b. Click Create.
c. In the Name field, enter the name of your RSA NetWitness Suite.
d. In the IP Address field, enter the IP address of your RSA NetWitness Suite.
e. Click Submit.
3. To configure which logs to send to RSA NetWitness Suite, follow these steps:
a. Click System Administration > Log Configuration > Logging Categories > Global.
b. Select a logging category for which you want to receive logs.
i. Click the Remote Syslog Target tab.
iii. Click the "greater than" button (>).
iv. Click Submit.
c. Repeat step 3b for each logging category for which you want to receive logs.
Note: For version 5.5 and higher, the Maximum length can now be changed and the valid options are from 200 to 8192. The default value is 1024. RSA recommends a value of 2048.
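A check that the records ACS emits match the column set and order chosen in step 6, and stay within the recommended maximum length from the note above. This is an added example, not code from the RSA guide; it assumes (the guide does not state the wire layout) that each record is a syslog header followed by comma-separated key=value pairs named after the ACS columns, with no commas inside values, and the sample record is constructed.

```python
# Added example, not from the RSA guide: verify that a Cisco ACS syslog record carries
# exactly the "Failed Attempts" columns from step 6, in the configured order.
# Assumed layout (not stated in the guide): syslog header, then comma-separated
# key=value pairs keyed by ACS column name; values are assumed to contain no commas.

# Column order for "Failed Attempts" exactly as listed in step 6.
FAILED_ATTEMPTS_COLUMNS = [
    "Message-Type", "User-Name", "Group-Name", "Caller-ID", "Called-Station-Id",
    "Authen-Failure-Code", "Author-Failure-Code", "Author-Data", "NAS-IP-Address",
    "NAS-Port", "NetworkDeviceGroup", "System-Posture-Token",
    "Application-Posture-Token", "AAA Server", "AccessDevice",
    "NetworkAccessProfileName", "Priv-lvl",
]

# ACS 5.5+ allows a maximum syslog length of 200..8192; the guide recommends 2048.
MAX_SYSLOG_LEN = 2048


def parse_acs_record(line, columns=FAILED_ATTEMPTS_COLUMNS):
    """Return ({column: value}, [problems]) for one ACS syslog line."""
    problems = []
    if len(line.encode("utf-8")) > MAX_SYSLOG_LEN:
        problems.append(f"record exceeds {MAX_SYSLOG_LEN} bytes and may be truncated")
    # The body starts at the first configured column; everything before it is header.
    start = line.find(columns[0] + "=")
    if start < 0:
        return {}, problems + [f"first configured column {columns[0]!r} not found"]
    fields, seen = {}, []
    for pair in line[start:].split(","):
        key, _, value = pair.partition("=")
        fields[key.strip()] = value.strip()
        seen.append(key.strip())
    missing = [c for c in columns if c not in fields]
    extra = [k for k in seen if k not in columns]
    if missing:
        problems.append("missing columns: " + ", ".join(missing))
    if extra:
        problems.append("unexpected columns: " + ", ".join(extra))
    # Compare the order actually seen with the order configured in ACS.
    if [k for k in seen if k in columns] != [c for c in columns if c in fields]:
        problems.append("columns are not in the order configured in ACS")
    return fields, problems


# Constructed sample record (not a real capture); timestamp and host are placeholders.
SAMPLE = ("Jan  1 00:00:00 acs-host Message-Type=Authen failed,User-Name=jdoe,"
          "Group-Name=NetAdmins,Caller-ID=10.0.0.5,Called-Station-Id=,"
          "Authen-Failure-Code=Invalid password,Author-Failure-Code=,Author-Data=,"
          "NAS-IP-Address=10.0.0.1,NAS-Port=tty1,NetworkDeviceGroup=Core,"
          "System-Posture-Token=,Application-Posture-Token=,AAA Server=acs-host,"
          "AccessDevice=core-sw1,NetworkAccessProfileName=Default,Priv-lvl=15")
```

Pass a different column list (for example the Passed Authentications or RADIUS Accounting lists above) as `columns` to check the other log types.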
• Configure Syslog Collection
2. In the Services grid, select a Log Decoder, and from the Actions menu, choose View > Config.
3. In the Service Parsers Configuration panel, search for your event source, and ensure that the Config Value field for your event source is selected.
Note: The required parser is ciscosecureacs.
Note: You only need to configure Syslog collection the first time that you set up an event source that uses Syslog to send its output to NetWitness.
You should configure either the Log Decoder or the Remote Log Collector for Syslog. You do not need to configure both.
2. In the Services grid, select a Log Decoder, and from the Actions menu, choose View > System.
3. Depending on the icon you see, do one of the following:
• If you see , click the icon to start capturing Syslog.
• If you see , you do not need to do anything; this Log Decoder is already capturing Syslog.
2. In the Services grid, select a Remote Log Collector, and from the Actions menu, choose View > Config > Event Sources.
3. Select Syslog/Config from the drop-down menu.
The Event Categories panel displays the Syslog event sources that are configured, if any.
4. In the Event Categories panel toolbar, click +.
The Available Event Source Types dialog is displayed.
5. Select either syslog-tcp or syslog-udp. You can set up either or both, depending on the needs of your organization.
6. Select the new type in the Event Categories panel and click + in the Sources panel toolbar.
The Add Source dialog is displayed.
7. Enter 514 for the port, and select Enabled. Optionally, configure any of the Advanced parameters as necessary.
Click OK to accept your changes and close the dialog box.
Once you configure one or both syslog types, the Log Decoder or Remote Log Collector collects those types of messages from all available event sources. So, you can continue to add Syslog event sources to your system without needing to do any further configuration in NetWitness.
Copyright 2017 EMC Corporation. All Rights Reserved.
Trademarks
RSA, the RSA Logo and EMC are either registered trademarks or trademarks of EMC Corporation in the United States and/or other countries. All other trademarks used herein are the property of their respective owners.