Configuring
Tech Note SpanVA
Table of Contents
Introduction
Log format support
Log tokenization
SpanVA authentication with CloudSOC
SpanVA security
SpanVA monitoring
Log collection
Disk allocation
Directory synchronization
Installing SpanVA
1. Download the SpanVA image
2. Import SpanVA
3. Obtain the SpanVA token
4. Start and register SpanVA
5. Confirm CloudSOC recognizes SpanVA
6. Provision a SpanVA data source
7. Test the system with SCP
Installing SpanVA with HyperV
Monitoring SpanVA operation
Checking SpanVA status
Verifying tokenization
Installing VMWare Tools
Configuring the SpanVA ICMP listener
Configuring SpanVA to send error messages to a syslog host
Managing the SpanVA instance
Resetting the password
Rebooting SpanVA
Configuring SpanVA with a self-signed certificate
1. Create the certificate and key
2. Import the certificate as the trusted root CA
3. Import the certificate into SpanVA
Configuring automatic upgrade
Recovering the SpanVA state
Configuring SpanVA DNS settings
Introduction
SpanVA is a virtual appliance that collects firewall and proxy logs from your network devices and
proxies and sends them to CloudSOC for processing. Once processed, you can use the data in
the CloudSOC Audit application to evaluate your shadow IT exposure.
SpanVA is an alternative to uploading individual logs using Web Upload or other methods as
described in the CloudSOC Tech Note Managing Data Sources for the CloudSOC Audit App.
● Your network is sensitive to the bandwidth consumed as log traffic moves to the
CloudSOC cloud
● You have a large network for which SCP or SFTP access is not practical
Once you install SpanVA, you configure and maintain it using a built-in web interface that you
open by browsing its IP address. SpanVA can automatically discover the CloudSOC cloud so that
you don’t have to configure its URL into SpanVA’s configuration. However, you can also configure
a proxy address if it is required to reach the CloudSOC Cloud from your network.
You can also use SpanVA as a platform for synchronizing users from an LDAP server such as
Microsoft Active Directory as described in the CloudSOC Tech Note Configuring DSS Directory
Sync.
SpanVA is provided as a Linux-based Open Virtualization Appliance (OVA) package. You install
and run this virtual appliance inside your NAT, and assign it a local IP address from your network.
In some use cases, SpanVA might also need credentials to access other specific servers and
perimeter devices like firewalls.
NOTE: This document assumes that you have already installed the virtualization software
required to host the SpanVA. Supported virtualization hypervisors include:
● VMware Fusion
● VMware Player
● VMware Workstation
● VMware ESX/ESXi
Other virtualization hypervisors may be compatible, but are not officially supported.
SpanVA supports both push- and pull-based log collection. SpanVA supports the following log
collection mechanisms:
● Syslog Server--SpanVA comes bundled with a syslog server for capturing log messages
from firewalls that can log in syslog format. This feature provides you with a ready-made
syslog server if you have firewalls capable of logging to syslog servers but lack a log
collection framework.
● FTP Client--The FTP client lets SpanVA remotely copy files from a host on your network.
Note: By default, SpanVA supports only VSFTPD servers. For other servers, you must
configure them to use specific log file names as described in Configuring SpanVA to
retrieve logs from an FTP client.
● SQL Client (Beta)--For Websense devices and for Symantec Endpoint Protection
Manager, SpanVA can act as an SQL client to retrieve logs from an SQL server. See
Configuring SpanVA as an SQL Client.
● Network Shared Files--SpanVA can access log files shared over the network using NFS.
See Configuring SpanVA to retrieve logs with NFS.
● SMB Client--SpanVA supports SMB file sharing protocol. See Configuring Samba file
transfer.
● Cisco WSA
● Fortinet
● Websense Proxy
● Zscaler NSS
For file-based data sources, SpanVA supports both uncompressed files and files compressed in
gzip, zip, tar.gz, or bzip formats. When receiving logs over syslog or when input files are not
already compressed, SpanVA conserves bandwidth by compressing logs before transferring
them to the CloudSOC Cloud.
Log tokenization
You control SpanVA log tokenization using the Settings > CloudSOC SpanVA tab in CloudSOC,
as shown below. CloudSOC pushes the settings on this tab down to SpanVA. When set to
Tokenized, SpanVA replaces all user-identifiable information such as names, email addresses,
and IP addresses in the device logs with system-generated identifiers before it leaves your
premises. However, SpanVA also maintains an internal table that correlates the tokenized IDs
with the actual IDs, and it delivers that information over your local network to CloudSOC browser
apps when needed. This tokenization feature gives you an additional layer of protection for user
information, since user ID information never leaves your premises, but still lets admins see user
ID information in CloudSOC apps.
Important: Once you enable this feature, you cannot disable it. Read the CloudSOC Tech Note
Managing CloudSOC User Privacy Features before you enable this feature.
If you want to remove user IDs from device logs before uploading them to CloudSOC,
but want CloudSOC admins to see the actual user IDs, enable SpanVA tokenization but disable
CloudSOC anonymization. In this scenario role-based access control (RBAC) permissions in
CloudSOC control which admins can see actual user IDs. When authorized admins use
CloudSOC apps that show user ID information, those browser apps communicate directly with
SpanVA over your local network to obtain the actual user IDs.
If you enable both CloudSOC anonymization and SpanVA tokenization features, only admins with
Data Protection Officer (DPO) status can reveal user IDs.
Note: If you enable SpanVA tokenization, in order for CloudSOC admins to see user IDs, the
SpanVA instance must be on the same network and accessible in the same browser where you
open CloudSOC. Also note that the SpanVA web interface uses a self-signed certificate by
default, so your browser might prompt you with a certificate warning. You must accept this
warning to de-anonymize the user IDs with the CloudSOC User Investigation Mode.
For more information about SpanVA tokenization, see the CloudSOC Tech Note Managing
CloudSOC User Privacy Features.
SpanVA security
Firewall rules are configured on SpanVA so that only needed ports are open to provide security
from any potentially malicious access from within your network. As an added security measure,
SpanVA stops accepting new logs if it loses contact with the CloudSOC Cloud for more than two
days. Also, SpanVA does not support access via SSH.
Important: Regularly check for SpanVA software updates, and install new updates promptly. We
recommend that you enable automatic upgrade as described in Configuring automatic upgrade.
Doing so ensures that you receive all applicable security fixes for known vulnerabilities. We only
support the previous five released versions of SpanVA.
SpanVA monitoring
The SpanVA web interface shows you the health of the virtual appliance, including its
connectivity to CloudSOC and all essential services (such as the SMTP gateway). CloudSOC also
shows the status of the SpanVA and generates an alert via an email or log entry when SpanVA
has not connected for an extended period of time.
Log collection
SpanVA stops accepting and polling for new logs after it has been unable to connect with
CloudSOC for two days. This feature prevents SpanVA from overflowing its disk allocation with
log files.
Disk allocation
Use the formulas below to determine how much disk space you must allocate for the SpanVA
instance, where:
D = S*F*6*C+20+H
D = S*F*30+20+H
See the section Resizing the SpanVA disk allocation for information about resizing the SpanVA
disk allocation.
Directory synchronization
Directory sync is a SpanVA feature that lets you synchronize your users from a directory server
into CloudSOC using DSS (Directory Synchronization Services). Doing so makes your user list
accessible to CloudSOC apps. When you use directory sync, you don't have to manually add
users or groups in CloudSOC. DSS works with Microsoft Active Directory as well as generic LDAP
servers.
We use SpanVA to implement the directory sync feature because its location inside your
enterprise perimeter makes it the logical platform to synchronize data between your Active
Directory server and CloudSOC.
For more information about Active Directory Sync, see the CloudSOC Tech Note Configuring DSS
Directory Sync.
Installing SpanVA
Perform the steps in the following sections in sequence to download, configure, and activate a
SpanVA log collector and configure it as a CloudSOC datasource.
2. On the CloudSOC menu bar, click your username and choose Settings. On the Settings
page, click the CloudSOC SpanVA tab.
3. On the SpanVA page, click the SpanVA Setup tab to bring it to the front.
Note: The SpanVA image file is over 1 GB in size, so you may want to consider using a
download manager such as flashget.
2. Import SpanVA
We provide the SpanVA virtual appliance as an OVA package that is compatible with many
virtualization platforms. In the following example we configure SpanVA under Oracle VM
VirtualBox Manager. Other virtualization platforms are similar. If necessary, see the
documentation for your virtualization platform.
Observe the prerequisites in the following table as you import and configure the SpanVA virtual
machine.
Network Access
  Outbound port 443
    Host access                               Purpose
    *.elastica.net                            Connectivity to CloudSOC SpanVA management
    elastica-oregon-audit.s3.amazonaws.com    Where US customers upload logs
    cep-dub-audit.s3.amazonaws.com            Where EU customers upload logs
    elastica-artifacts.s3.amazonaws.com       Where SpanVA pulls upgrades and other data
    el-public-repo.s3.amazonaws.com           Where SpanVA pulls upgrades and other data
  NTP access: UDP port 123
System Requirements
                  Minimum    Recommended
    RAM           2 GB       4 GB
    CPUs          1          2
    Disk Storage  100 GB     See Disk allocation
1. Open the SpanVA image file in your virtualization software and import it as shown below.
2. In your virtualization software, give the SpanVA virtual machine a descriptive name.
3. In your virtualization software, locate the network settings for the SpanVA virtual machine
and confirm that the adapter type is “bridged.”
1. If you have not already done so, log in to your CloudSOC account with your administrative
credentials.
2. On the CloudSOC menu bar, click your username and choose Settings.
4. On the SpanVA page, click the SpanVA Setup tab to bring it to the front.
1. In your virtualization software, start the SpanVA VM and let it boot automatically. Do not
select any of the additional boot images.
When the SpanVA VM starts it displays a URL for the web-based configuration interface.
In the example below, the URL is https://192.168.1.12/.
3. Navigate to the URL using a browser running on the local host or any other host that is on
the same network.
Note: Depending on your computer’s security profile, you might have to accept and
confirm the IP address as a security exception in order to open the URL.
Username: admin
Password: admin123
Note: The SpanVA web interface automatically logs you out after one hour of inactivity.
This feature helps protect SpanVA from unauthorized access through an unattended web
interface session.
6. Open the Configure SpanVA tab and configure SpanVA with a name and the registration
token you recorded earlier in the procedure Provision SpanVA. If you want to address the
SpanVA using an FQDN instead of an IP address, configure that as well.
7. If necessary, click the Network tab and then click Edit to configure static IP address
parameters for the SpanVA instance, as shown below. By default, SpanVA obtains its IP
settings using DHCP.
Note: If SpanVA responds with a "cannot save" error message, its virtual machine may not
have a valid Ethernet adapter associated with it. Double-check that the VM is associated
with a network adapter, and that the adapter type is "bridged" as described in 2. Import
SpanVA.
a. Use the Network tab to configure the proxy URL and credentials, as shown below.
In this case, you must configure SpanVA to use a static IP address.
https://<user>:<password>@<proxyurl>
For example:
https://proxy_user:Pa$sw0rd@myco_proxy.com
Or:
http://proxy_user:Pa$sw0rd@10.10.46.11:8080
After upgrading from SpanVA versions prior to 2.92, you must edit and save the
proxy details in order to trigger obfuscation.
b. Update your proxy configuration to whitelist the hosts listed in the table in the
section 2. Import SpanVA. These are hosts that SpanVA accesses when uploading
logs to CloudSOC and when upgrading. If you don't whitelist these hosts, it might
result in issues such as failure to upload log files or failure to upgrade SpanVA.
9. If you configured SpanVA to use a static IP address, use your browser to log in to SpanVA
at the new address.
10. If you are using SpanVA behind a proxy that uses a self-signed certificate, upload the proxy
root CA certificate as follows:
b. On the Add Root CA Certificate panel, browse to the proxy root CA certificate, give
the certificate a name, then click Submit, as shown below.
11. If you want to upload a web server certificate so your browser does not raise a security
alert when you browse to SpanVA, upload a web server certificate and private key as
follows:
b. On the Add Server Certificate panel, browse to the web server certificate and private
key files.
c. If the key file is password-protected, enter the password, then click Submit, as
shown below.
12. At the bottom of the Configure SpanVA tab, click Register SpanVA.
13. If you are installing SpanVA on an AWS VM, reboot SpanVA by choosing Settings >
Reboot. Otherwise SpanVA does not connect with CloudSOC; its status changes to
"Disconnected" and stays that way.
14. Wait for the SpanVA status to change to "Alive," as shown below. This status indicates
that SpanVA has connected with CloudSOC.
15. After the Status changes to "Alive," click the Upgrade tab, and then click Download and
Install Updates to get any applicable updates. The button is disabled if no updates are
available.
SpanVA instances maintain connectivity to CloudSOC and can download and install
updates automatically. CloudSOC uses this connection to provide updates to
already-installed virtual appliances. See Configuring auto upgrade for more information.
1. If you have not already done so, log in to your CloudSOC account with your administrator
credentials.
2. On the CloudSOC menu bar, click your username and choose Settings.
3. On the left edge of the Settings page, click the CloudSOC SpanVA tab.
4. Click the Status Monitor tab to view the status of all configured SpanVA instances. Your
new SpanVA instance should appear on the list and show status “Alive” as shown
below.
If your new SpanVA instance does not appear on the list or is not alive, double-check the
installation to this point.
To provision a SpanVA Datasource for use as an SCP/SFTP/FTPS/FTP server, follow these steps:
1. In the CloudSOC left side navigation bar, choose Audit > Device Logs.
2. Near the upper right corner of the Audit page, choose New Data Source > SpanVA
Datasource.
3. Name the New Datasource and select the appropriate options as shown below.
For Source Type, choose SCP/SFTP/FTP/FTPS/HTTPS Server. Later, you can create a
new SpanVA datasource of a different type if you want.
Note: If you choose Syslog Server as the Source Type, CloudSOC displays a fifth option
that lets you select BSD or IETF messages. Use this option in cases where you are
configuring more than one SpanVA instance.
4. Click Create Connection. CloudSOC opens the Datasource Details panel to show you the
configuration details.
You use these parameters to configure your firewalls and proxies to stream log data to
SpanVA. In particular, note the username and password shown. Later, you will use these
to configure the devices sending log files to SpanVA.
Note: The password is valid for current and future uploads, but will not be shown when
you open the Datasource Details panel in the future. The password persistence feature is
useful when you are configuring devices to send log files to SpanVA. If you lose the
password, click Reset to receive a new password. If you reset the password, you must
reconfigure your network devices to use the new password for subsequent log uploads.
● path/logfile is the path (if not in the current directory) and filename for the log file
● username is the username shown on the Datasource Details panel
● host is the Host IP address shown on the Datasource Details panel
● path is the Destination Directory shown on the Datasource Details panel
For example:
2. Enter the password that CloudSOC showed you when you were configuring the SpanVA
data source.
Audit updates the Status when the CloudSOC servers start processing the logs, and again
when the processing is complete. Under normal circumstances, log processing takes
somewhere between 20 minutes and 6 hours, depending on the log file size and other
factors such as processing queue length. You also receive email alerts at each stage of
the process. You do not need to stay logged in while the logs are processed.
3. In CloudSOC, choose Audit > Device Logs to check the status of the transfer as shown
below.
In the example above, the test log file has been received and processed, and is available
for analysis in Audit.
Status        Description
New           SpanVA just started, and has not yet registered with CloudSOC.
Registered    SpanVA has registered with CloudSOC but has not yet validated that it is
              fully functional.
You can also view the following SpanVA operational statistics in CloudSOC:
1. In CloudSOC, go to the gear icon on the top right corner, then click the CloudSOC
SpanVA tab.
3. On the details panel that slides in from the right, scroll down to see the statistics charts, if
available, as shown below.
Verifying tokenization
SpanVA features a test mode that shows you the first 100 lines of tokenized logs that it prepares
to send to CloudSOC. If you have enabled SpanVA Tokenization, use this feature to compare
your logs with the tokenized versions to verify that tokenization is taking place correctly before
SpanVA sends them to CloudSOC. In test mode, SpanVA does not send any logs to CloudSOC.
1. In the SpanVA web interface, click the Verify Tokenization tab, then mark the Enable
Tokenization Test Mode checkbox.
SpanVA then shows you the first 100 lines of each log file.
2. Compare SpanVA's tokenized version with the original as shown below to verify that the
user IDs and IP addresses have been replaced with tokenized versions. In the example
below, the identifiable IP address 10.68.134.119 has been tokenized to 10.1.1.29.
3. After verifying that tokenization is taking place correctly, disable tokenization test mode
by clearing the checkbox.
Important: Make sure to disable the test mode after you verify that SpanVA is tokenizing
log files correctly. Otherwise SpanVA does not send log files to CloudSOC.
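The following Python script is an added illustration, not SpanVA code, of the behavior described under Log tokenization and the comparison described in Verifying tokenization: it swaps private IP addresses and e-mail addresses in constructed firewall log lines for generated tokens, keeps the token-to-real map locally, shows the first lines side by side as the test mode does, and flags any identifier that escaped tokenization. The token range 10.1.1.0/24, the user0001@tokenized.local token form, and the sample lines are assumptions.

```python
"""Toy tokenizer modelled on SpanVA tokenization: private IP addresses and
e-mail addresses in log lines are swapped for system-generated tokens while
the token-to-real mapping stays local. Constructed example, not SpanVA code."""
import ipaddress
import re

# Assumed patterns: dotted-quad IPv4 addresses and simple e-mail addresses.
IPV4_RE = re.compile(r"(?<![\w.])(?:\d{1,3}\.){3}\d{1,3}(?![\w.])")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


class LogTokenizer:
    """Replaces identifiers with stable tokens: the same real value always gets
    the same token, so per-user and per-host analysis still lines up."""

    def __init__(self, token_net="10.1.1.0/24"):
        # Assumption: the token range is unused on the real network, so a token
        # never collides with a genuine address.
        self._pool = ipaddress.ip_network(token_net).hosts()
        self._ip_tokens = {}    # real IP -> token IP
        self._user_tokens = {}  # real e-mail -> token e-mail
        self.reverse = {}       # token -> real value; never leaves the premises

    def _ip_token(self, real):
        token = self._ip_tokens.get(real)
        if token is None:
            token = str(next(self._pool))   # StopIteration once the pool is used up
            while token == real:            # never map an address onto itself
                token = str(next(self._pool))
            self._ip_tokens[real] = token
            self.reverse[token] = real
        return token

    def _user_token(self, real):
        token = self._user_tokens.get(real)
        if token is None:
            token = "user%04d@tokenized.local" % (len(self._user_tokens) + 1)
            self._user_tokens[real] = token
            self.reverse[token] = real
        return token

    def tokenize_line(self, line):
        """Tokenize e-mail addresses, then private IPv4 addresses. Public
        destination addresses stay intact so traffic can still be attributed
        to the cloud service it went to."""
        line = EMAIL_RE.sub(lambda m: self._user_token(m.group(0)), line)

        def swap_ip(match):
            text = match.group(0)
            try:
                addr = ipaddress.ip_address(text)
            except ValueError:              # e.g. 999.1.1.1 is not an address
                return text
            return self._ip_token(text) if addr.is_private else text

        return IPV4_RE.sub(swap_ip, line)

    def reveal(self, token):
        """Local lookup of the real value behind a token (what a browser app
        would ask the appliance for over the local network)."""
        return self.reverse.get(token)


def identifiers(line):
    """E-mail addresses and private IPv4 addresses present in a line."""
    found = set(EMAIL_RE.findall(line))
    for ip in IPV4_RE.findall(line):
        try:
            if ipaddress.ip_address(ip).is_private:
                found.add(ip)
        except ValueError:
            pass
    return found


def tokenization_preview(tokenizer, lines, limit=100):
    """Counterpart of the test mode: tokenize only the first `limit` lines and
    return (original, tokenized) pairs for side-by-side review."""
    return [(line, tokenizer.tokenize_line(line)) for line in lines[:limit]]


def find_leaks(tokenizer, pairs):
    """Identifiers from an original line that survive verbatim in its tokenized
    form. Issued tokens are ignored so a token never counts as a leak."""
    issued = set(tokenizer.reverse)
    leaks = set()
    for original, tokenized in pairs:
        leaks |= identifiers(original) & (identifiers(tokenized) - issued)
    return sorted(leaks)


# Constructed firewall log lines, not real traffic.
SAMPLE_LOGS = [
    "2019-04-02T10:15:01 fw01 allow src=10.68.134.119 dst=52.10.8.4 user=alice@example.com host=dropbox.com",
    "2019-04-02T10:15:03 fw01 allow src=10.68.134.120 dst=52.10.8.4 user=bob@example.com host=box.com",
    "2019-04-02T10:15:07 fw01 deny src=10.68.134.119 dst=104.16.2.9 user=alice@example.com host=wetransfer.com",
]

if __name__ == "__main__":
    tok = LogTokenizer()
    for original, tokenized in tokenization_preview(tok, SAMPLE_LOGS):
        print("-", original)
        print("+", tokenized)
```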
Copyright © 2019 Symantec Corp. Confidential Information. Do Not Distribute. 28
3. Go to the Before You Begin tab, and click Next:
5. In the Select Virtual Machine tab, select the SpanVA virtual machine, and click Next:
6. In the Choose Import Type tab, select the option Copy the virtual machine (create a new
unique ID) and click Next:
7. In the Choose Destination tab you can specify new or existing folders to store the virtual
machine files. After selecting the configuration folders, click Next:
8. In the Choose Storage Folders tab select the folder where you want to store the imported
virtual hard disks for the SpanVA virtual machine. Afterwards, review the Summary tab, and
click Finish:
9. To start SpanVA, open HyperV, go to the list of virtual machines, select the SpanVA virtual
machine and then select Start:
● In the SpanVA web interface, click Settings, then click Install VMware Tools as shown
below.
https://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&externalId=340
● In SpanVA, open the Settings tab, then enable the ICMP listener slider as shown below.
1. In the SpanVA web interface, click the Monitoring tab, then click the Syslog tab.
2. Configure values for the syslog host IP address and port, as shown below.
To retrieve the error messages, open one of the following files, depending on the network type
you configure:
● /var/log/spanva_tcp.log
● /var/log/spanva_udp.log
SpanVA only sends messages of the following levels to the syslog host. For routine status
messages, click Monitoring, then open the Console tab:
● Warning
● Error
● Critical
1. In CloudSOC, navigate to the Settings page and open the CloudSOC SpanVA tab, then
open the Status Monitor tab.
2. Find the SpanVA you want to reset the password for, and in the Actions column, click the
Details link as shown below.
3. On the Details panel for the SpanVA, click Reset SpanVA Password, as shown below.
CloudSOC resets the SpanVA password, then shows you the new password as shown
below.
4. Wait three minutes, then use the new password to log in to the SpanVA instance.
Rebooting SpanVA
The SpanVA web UI features a Reboot button that you can use to restart the SpanVA instance.
Using this feature is a safer way to restart SpanVA than doing a hard reset on the VM. To reboot
SpanVA, in the SpanVA web interface, click the Settings tab and then click Reboot as shown
below.
The procedures below describe how to configure SpanVA and your Chrome browser with a
self-signed certificate and matching key so that the browser trusts SpanVA. You can use these
procedures to establish trust for test installations and proof-of-concept testing.
Important: For production SpanVA deployments, we strongly recommend that you use a
well-known CA signed certificate or a certificate signed by your trusted enterprise CA.
Open a terminal window and use the following OpenSSL command to create a self-signed
certificate and key (all on one line):
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout example.key -out example.crt
After you issue this command, OpenSSL prompts you for more information, then creates the
certificate and key pair example.crt and example.key.
Note: When OpenSSL prompts you for a common name, enter the SpanVA FQDN (if configured)
or IP address.
On Mac:
1. Locate and double-click the example certificate you created earlier. Your Mac opens the
Add Certificates box to prompt whether you want to add the certificate.
3. If prompted, enter the admin username and password for your computer.
4. Locate the new certificate in the list and double-click it. The certificate is listed by the IP
address or FQDN you used as the Common Name when creating the certificate with
OpenSSL.
5. Click the arrow to expand the Trust area. Then, from the Secure Sockets Layer (SSL)
menu, choose Always Trust as shown below.
6. Restart Chrome.
On Windows:
2. In the HTTPS/SSL area, click Manage Certificates. Chrome opens the window shown
below.
3. On the Certificates window, click Import and browse to the example.crt certificate.
5. On the Certificate Import Wizard, choose the certificate store Trusted Root Certification
Authorities, then click Next.
6. In the Certificates list, locate the new certificate and double-click it. Then make sure that in the
Certificate Purposes area, the checkbox for Server Authentication is marked.
1. In the SpanVA web interface, open the Certificates tab, then click Add Server as shown
below.
3. In the Select Server Certificate area, click Browse and locate the example.crt file you
created with OpenSSL.
4. In the Select Private Key File, click Browse and locate the example.key file you created
with OpenSSL.
6. Click Submit.
The next time you open SpanVA in your browser, the browser trusts SpanVA as shown below,
and does not show a security alert.
SpanVA State Recovery: It has been detected that this SpanVA has saved its restore point to a
backup server. This SpanVA will NOT process any log files until you take an action. Click here
to open State Recovery dialog.
If the banner appears, click the Click here link and choose one of the three options as shown
below.
If you still have access to the state backup, we strongly recommend that you restore it to the new
SpanVA instance. Doing so ensures continuity of the SpanVA state and user identity mappings. If
you do not restore the backup, you may get missing, invalid, or duplicate users on the Audit >
Users and Audit > Threats tabs.
If you choose not to restore the SpanVA state backup, it offers one more warning about the
consequences:
2. Next to the DNS Servers box, click + to add additional DNS server entries.
1. From the SpanVA web UI, open the NTP Server tab as shown below.
2. In the NTP Server boxes, enter URLs for up to four NTP Servers.
3. Click Save.
To change the allocation click the Settings tab and use the Disk Resize slider to change the
allocation as shown below.
Note: The allocation tool in the SpanVA web interface does not let you increase the allocation
above that configured for the SpanVA instance in your virtualization software. If you want to
increase the allocation above the maximum shown in the SpanVA web interface, you must make
that change in your virtualization software.
We strongly recommend that you use this functionality if you are using the SpanVA tokenization
feature, since the mapping between tokenized user IDs and real user IDs is only kept on the
SpanVA. Otherwise, if the SpanVA becomes lost or corrupted, you lose the ability to view actual
user IDs in the CloudSOC Audit app. CloudSOC sends you alert emails and also CloudSOC
notifications if it detects that SpanVA tokenization is enabled but the SpanVA has not
successfully performed a backup in the last day, as shown below. CloudSOC sends the emails
and notifications to the administrator who configured SpanVA.
If you receive such a notification or alert, use the SpanVA Backup/Restore tab to confirm that
your SpanVA is configured to backup its configuration and state information, and that the backup
settings are valid.
To configure SpanVA backup, in the SpanVA web UI open the Backup/Restore tab and use the
tools there to configure the server as shown below.
Note: For the Target Path, use backslashes for UNIX file systems and forward slashes for
Windows file systems. For example, you would use “\path\subpath\” for UNIX and
“/path/subpath/” for Windows.
You use the restore feature as follows to recover a lost or corrupted SpanVA:
1. If necessary, create a new SpanVA instance to restore to. The new SpanVA must have the
same registration token as the SpanVA that created the backup.
2. Click a link in the list of backups in the Restore list to restore it.
Note: After you revoke the registration, the previous instance of SpanVA can no longer
reconnect with CloudSOC. Use this option with caution and only when you are sure that you want
to get rid of the existing SpanVA instance.
2. In CloudSOC, go to the gear icon on the top right corner, then go to CloudSOC SpanVA >
Status Monitor.
3. Click the entry for the SpanVA instance, then click Revoke SpanVA as shown below.
Note: The Revoke button is only available when the SpanVA has been in the
disconnected state for at least 10 minutes.
CloudSOC prompts you to confirm that you want to revoke the SpanVA's registration
token.
4. Click Revoke.
5. CloudSOC revokes the registration token, and shows you a new token as shown below.
6. Copy the token onto the clipboard and paste it into a file for later use.
7. Download the SpanVA image and install it as described in Installing SpanVA. Omit the
procedure Obtain the SpanVA token, and instead use the registration token that
CloudSOC provided when you revoked the old token.
If possible, restore the SpanVA state from a previous backup as described in Recovering the
SpanVA state.
1. In CloudSOC, go to the gear icon on the top right corner, and click the CloudSOC
SpanVA tab.
2. At the bottom of the tab, mark the checkbox for Enable SpanVA Connectivity
notifications.
3. Enter one or more valid email addresses within your primary domain and click Update as
shown below.
4. Click Update.
● In SpanVA, click the Settings tab, then use the Strict Ciphers slider to configure this
feature as shown below.
● In SpanVA, click Settings, choose an SSL version from the menu as shown below, then
click Save.
Note: When you configure the proxy URL, you must include the port number, even if you use
the default port.
If you are using SpanVA behind a proxy that uses a self-signed certificate, upload the proxy
root CA certificate as follows:
2. On the Add Root CA Certificate panel, browse to the proxy root CA certificate, then click
Submit, as shown below.
If you want to upload a web server certificate so your browser does not raise a security alert
when you browse to SpanVA, upload a web server certificate that is trusted by your browser
and its private key as follows:
2. On the Add Web Server Certificate panel, browse to the web server certificate and private
key files.
3. If the key file is password-protected, enter the password, then click Submit, as shown
below.
2. On the Device Logs page, click New Datasource > SpanVA Datasource.
3. Use settings shown in the table below. Configure other settings to suit:
Field                 Setting
Firewall Type         Choose the device type from the menu.
Custom Headers        Mark the checkbox only if the device is configured for
                      non-default field order in its log files.
SpanVA                Choose the applicable SpanVA from the menu.
Source Type           Choose FTP Client.
File Extension        Mark this checkbox if you want to retrieve only files with certain
                      filename extensions from the FTP client. Then build a list of the
                      applicable extensions.
Post Process Action   Mark the radio button for the action SpanVA takes on each file
                      after it retrieves it. For Rename and Move Files To, enter the
                      applicable filename or path in the box.
Host                  Enter the hostname or IP address for the FTP client.
Username              Enter the username that SpanVA logs into the FTP client as.
Password              Enter the password that SpanVA uses to log in to the
                      Username account on the FTP client.
Source Directory      Enter the full path to the directory where SpanVA retrieves the
                      log files.
4. At the top of the New SpanVA Datasource panel, click Create Connection.
5. CloudSOC opens the Datasource Details panel to let you review the connection details.
6. Review the connection details, then click the right arrow at the top of the panel to close it.
7. For FTP servers other than VSFTPD, such as FileZilla, configure the server to use the
following format for log filenames:
SG_main_%y%j%H%M%S.log.gz
Where:
2. On the Device Logs page, click New Datasource > SpanVA Datasource.
Field                 Setting
Source Type           Choose Network File.
File Extension        Clear the checkbox to have SpanVA pull all of the files in the
                      source directory. Mark this checkbox and build a list of filename
                      extensions that identify files that SpanVA pulls from the client to
                      deliver to CloudSOC.
                      Important: After entering a filename extension in the text box,
                      press Enter to add it to the list below the text box.
Post Process Action   Choose the action you want SpanVA to take on the file after
                      retrieving it. SpanVA can take no action, delete the file, rename it,
                      or move it to a different directory.
Type                  Choose NFS.
Host                  Enter the IP address of the NFS server.
Source Directory      Enter the shared directory on the NFS Server, for example
                      /nfs/share/bluecoat.
4. On the NFS server, make sure that SpanVA IP has access to the shared folder specified in
the “Source Directory,” and also to its subdirectories.
The permissions for all directories and subdirectories must include read and execute for
“others” and all files must be readable by “others.”
5. Configure network file share details as described below for an ubuntu NFS server. You
can adapt this procedure to your specific configuration:
a. Select a VM or your host machine to share the files from. The following commands
assume an ubuntu machine.
c. If the last command lists the nfs-kernel-server package, install it using the
following command:
mkdir -p /export/logs
For example, if your logs are under the directory /home/firewalllogs/logs,
first mount that directory on /export/logs using this command:
You can add this line to /etc/fstab so that you do not have to type it after every
restart:
NFS only supports host-based authentication. You can either make this share
available to everyone on the network or allow only specific hosts to access it. For
testing, we suggest you allow everyone on the network by adding the following
lines to /etc/exports. Change the IP address and mask to match your network
configuration:
    /export 192.168.1.0/24(rw,fsid=0,insecure,no_subtree_check,async)
    /export/logs 192.168.1.0/24(rw,nohide,insecure,no_subtree_check,async)
Note: Make sure all the sub-directories including /export and /export/logs have
read and execute permissions for group and others.
e. Now run:
If the above command succeeds your NFS share is ready for mounting.
https://help.ubuntu.com/community/SettingUpNFSHowTo
1. Generate an SSL certificate and a key and have it signed by the CA used by your
enterprise.
2. Upload the key and certificate by clicking + Add Server on the SpanVA Certificates
tab as shown below.
3. Configure trust for the CA in your firewall or proxy. You may have to import the CA
certificate as the trusted root certificate.
While you configure the FTP connection from the firewall to SpanVA, make sure to select
the secure mode as shown below. You can also do a test connection (if available) to
check the connectivity between firewall and SpanVA.
Samba is an open-source software suite that provides file and print services to SMB/CIFS clients
and allows for interoperability between Linux/Unix servers and Windows-based clients. You can
use Samba as an alternative to Microsoft Windows-based SMB servers.
If you are using a Windows SMB server, or have already configured a Samba server, skip ahead
to the section Create the SMB data source in Audit. Otherwise, use the procedure in this section
to configure a Samba server.
Note: Install Samba 4.3.12 or later. Earlier versions might have trouble deleting files from
the source directory as described in Troubleshooting.
2. Open /etc/samba/smb.conf and at the bottom add a share section such as:
[share]
comment = Log share
path = /home/admin/samba/logs_share
browsable = yes
valid users = elastica
read only = no
create mask = 0755
3. Add a Linux user whose username is referenced in the share section of the smb.conf file
("elastica" in the example above):
adduser elastica
4. Set the user's password if so prompted, or create the password explicitly with:
passwd elastica
smbpasswd -a elastica
This is the password that you use to authenticate the user "elastica" when you mount the
file system. It can be different from the Linux password.
6. Create the shared directory identified by the path statement in the smb.conf file, if it does
not already exist:
mkdir -p /home/admin/samba/logs_share
You can now copy log files to the share directory to share them over the network.
1. If you are using a Samba server, make sure that it is installed and configured for file
sharing as described in Configuring the Samba server.
2. In CloudSOC, navigate to Audit > Device logs. Then click New Data Source > SpanVA
Datasource.
3. On the New SpanVA Datasource panel, select a SpanVA instance that is running 1.15.2.75
or later.
4. Choose Network File as the source type, and choose SMB as the Type as shown below.
Field | Description
Host | Hostname or IP address of the SMB server.
User | The username of an SMB server user with privileges to read and download files from the shared location. This is not necessarily the Unix or Windows username. In the example in the section Configuring the Samba server, the username is elastica.
Password | The SMB server user password.
Share Name | The alias for the shared directory. In the example in the section Configuring the Samba server, the share name is share.
For example:
To configure IP filtering:
2. Mark the Enable IP Filtering checkbox, and enter an IP pattern in the box as shown
below. All traffic with source IP addresses not matching the pattern is omitted when
SpanVA sends the logs to CloudSOC.
3. Click Save.
For each user, you can also configure up to three custom user attributes that you can use to filter
user activities in Audit.
Note: The mapping file must be on a Unix server. SpanVA does not support Windows servers
for this feature.
If you have enabled the CloudSOC anonymization feature, the Audit app displays
machine-generated IDs in place of the actual user IDs. If necessary, you can reveal the actual
user IDs with approval from a Data Protection Officer (DPO). See the CloudSOC Tech Note
Managing CloudSOC User Privacy Features for more information.
You can create the mapping file manually, or you can configure your DHCP server or another
network device to produce the file. For a sample mapping file, on the Identity Mappings tab of
the SpanVA web interface, click Show Sample File Info. Detailed information about creating
the mapping file is beyond the scope of this Tech Note.
Note: This feature is only directly supported for Blue Coat Proxy SG and Cisco ASA-series
firewalls. However, it is also supported for the Flex universal log processor, which processes logs
for virtually any firewall or proxy. See the CloudSOC Tech Note Using the Flex Universal Log
Processor for details.
1. In SpanVA, click the Upgrade tab and make sure that the current version is 1.15.2.106.0 or
later. If necessary, upgrade SpanVA to the latest version.
3. Use the tools in the upper half of the page to configure the file transfer via SCP, SFTP, or
FTP. SpanVA uses these parameters to login to your Unix server and fetch the mapping
file from the specified file location.
4. If you want to use an SSH key to authenticate SpanVA when using SCP or SFTP, mark the
Use SSH Key checkbox, then:
● If you have never before configured the SSH key for the mapping file, click
Renew SSH Key. SpanVA generates a new RSA key and displays the
corresponding public SSH key that it uses to connect to your server.
Note that if you have previously configured the SSH key on a server, that
earlier key becomes invalid, and you must configure the renewed key on
the server. Also, as a security measure, SpanVA displays the key only
when you renew it. If you wish to use the same key again, record it in a
secure location.
● If you have previously configured the SSH key and want to use the same
key again, locate that key so that you can configure it on the server.
b. Create an entry for the SSH key in the authorized_keys file for the specified
username on your server.
5. Use the tools in the File Format area to configure SpanVA so that it correctly parses the
mapping file that it retrieves from the server that allocates your network IP addresses.
● If the mapping file starts with a header row that identifies the contents of each
comma-separated column, mark the Mapping file has header checkbox. Then
enter the headers that correspond to the columns as shown below. Identify at
least the user ID and IP address columns. You can also identify up to three custom
attribute columns. For each custom attribute, also enter the field display text as
shown.
● If the mapping file does not start with a header row, clear the checkbox. Then
enter the numbers of the comma-separated columns (starting from 0 at the
leftmost) that contain the attributes for at least the user ID and the IP address. You
can also identify the columns for up to three custom attributes as shown.
6. In the Fetch Interval area, click the button that matches the interval at which you want
SpanVA to fetch the mapping file. Your choices are 30 minutes, one hour, two hours, or
six hours.
We recommend that you set a fetch interval so that it is the same interval at which the
server updates the file.
7. In the Expire After area, type the number of days for which the mappings remain valid.
This value applies to user ID mappings that are not updated by subsequent fetches. For
example, if a mapping file matches 192.168.0.1 with user_1, that mapping remains valid
until a new mapping for 192.168.0.1 appears in a subsequent mapping file, or until the
Expire After time elapses.
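Steps 5 through 7 describe how SpanVA interprets the mapping file: comma-separated columns identified either by header name or by 0-based position, a user ID and an IP address column, up to three custom attributes, and an Expire After window after which a mapping that no later fetch refreshed is dropped. The class below is an added example of that logic, not SpanVA's own parser, and it assumes the semantics exactly as the steps state them (a later fetch that maps the same IP replaces the earlier record; expiry is measured from the fetch that last supplied the record). The two sample files and the dates in demo() are constructed for the example; the field name "Department" is the display text you would type for a custom attribute.

```python
import csv
import io
from datetime import datetime, timedelta


class IdentityMappings:
    """IP -> user mappings refreshed from periodic fetches of a CSV mapping file.

    A mapping stays valid until a later fetch maps the same IP again or until
    expire_after_days elapses after the fetch that last supplied it.
    """

    def __init__(self, expire_after_days):
        self.expire_after = timedelta(days=expire_after_days)
        self._entries = {}  # ip -> (record, fetched_at)

    def ingest(self, text, fetched_at, has_header, user_col, ip_col, custom_cols=None):
        """Parse one fetched file.

        With has_header=True, user_col, ip_col and the values of custom_cols are
        header names; with has_header=False they are 0-based column numbers
        counted from the leftmost column. custom_cols maps display text -> column.
        """
        custom_cols = custom_cols or {}
        rows = list(csv.reader(io.StringIO(text)))
        if has_header:
            header = [h.strip() for h in rows[0]]
            rows = rows[1:]

            def cell(row, key):
                return row[header.index(key)].strip()
        else:
            def cell(row, key):
                return row[int(key)].strip()

        for row in rows:
            if not any(c.strip() for c in row):
                continue  # blank line
            try:
                record = {"user": cell(row, user_col), "ip": cell(row, ip_col)}
                for label, key in custom_cols.items():
                    record[label] = cell(row, key)
            except (IndexError, ValueError):
                continue  # short or malformed row: skip it, keep earlier mappings
            if not record["user"] or not record["ip"]:
                continue
            self._entries[record["ip"]] = (record, fetched_at)

    def lookup(self, ip, now):
        """Return the record for ip, or None if it is unknown or has expired."""
        entry = self._entries.get(ip)
        if entry is None:
            return None
        record, fetched_at = entry
        if now - fetched_at > self.expire_after:
            return None
        return record


# Constructed sample fetches (not real SpanVA data). The first has a header
# row and one custom attribute column; the second has no header row.
FETCH_1 = """user_id,ip_address,department
user_1,192.168.0.1,Finance
user_2,192.168.0.2,Engineering
"""
FETCH_2 = """user_3,192.168.0.1
user_4,10.0.0.5,extra-column-ignored
"""


def demo():
    """Two fetches two days apart with a 7-day Expire After, queried on days 4 and 9."""
    mappings = IdentityMappings(expire_after_days=7)
    mappings.ingest(FETCH_1, datetime(2019, 7, 1), has_header=True,
                    user_col="user_id", ip_col="ip_address",
                    custom_cols={"Department": "department"})
    mappings.ingest(FETCH_2, datetime(2019, 7, 3), has_header=False,
                    user_col=0, ip_col=1)
    day4, day9 = datetime(2019, 7, 4), datetime(2019, 7, 9)
    return {
        "reassigned": mappings.lookup("192.168.0.1", day4)["user"],   # user_3 replaced user_1
        "still_valid": mappings.lookup("192.168.0.2", day4)["user"],  # user_2, 3 days old
        "department": mappings.lookup("192.168.0.2", day4)["Department"],
        "expired": mappings.lookup("192.168.0.2", day9),              # 8 days > 7: dropped
        "refreshed": mappings.lookup("192.168.0.1", day9)["user"],    # 6 days old: kept
        "unknown": mappings.lookup("10.0.0.9", day4),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The example shows why the fetch interval should match the interval at which the DHCP or directory server rewrites the file: a mapping is only refreshed by a fetch that actually contains the IP, so an Expire After shorter than the server's update cycle causes valid users to drop out of Audit reports, while one much longer than the lease lifetime attributes activity on a reassigned address to the previous user.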
1. Go to the settings section by clicking the gear icon on the top right corner of the interface:
3. Click on the SpanVA Setup tab, and scroll down. In SpanVA Secondary User Attribute
you can select mail, msDS-PrincipalName or the configured Custom attributes. Select it,
and click Save Secondary User Attribute:
In order to use this feature, you must first configure DSS directory sync as described in the
CloudSOC Tech Note Configuring DSS Directory Sync.
1. In SpanVA, click the Identity Mappings tab, then click the Active Directory (WMI) tab.
4. Click Save.
● The currently selected Audit datasources must be limited to those uploaded to CloudSOC
through SpanVA
2. Near the upper left corner of the page, click Select Sources and enable only sources that
use SpanVA, then click Save.
3. On the Users tab, click Export CSV, then click Email CSV as shown below.
CloudSOC processes the data in the tab and emails you a download link for the CSV file
as shown below.
4. Click the link to login to CloudSOC (if you are not already logged in) and download the
CSV file in your browser.
5. After you receive the CSV from CloudSOC, open the SpanVA web interface and log in.
Then click the Detokenization tab.
6. On the tab, either drag the CSV file to the Drag & Drop box as shown below or click the
box and navigate to the file.
SpanVA detokenizes the file and then displays a download button for the file. Click
Download to download the detokenized file in your browser. The Detokenization page
shows the five most recent detokenized files.
Related documents
See the following CloudSOC Tech Notes for more information about using SpanVA:
● Configuring DSS Directory Sync--Describes how you can synchronize your users from
Microsoft Active Directory into CloudSOC using DSS (Directory Synchronization Services).
The directory sync feature uses SpanVA because its location inside your enterprise
perimeter makes it the logical platform to synchronize data between your Active Directory
server and CloudSOC.
● Audit Support for Websense--Describes how to use SpanVA as an SQL client to retrieve
Websense logs from an SQL server.
● Audit Support for Symantec Endpoint Protection Manager--Describes how to use SpanVA
as an SQL client to retrieve SEPM logs from an SQL server.
● Using the Flex Universal Log Processor--Describes how to use the Flex log processor to
parse logs for devices that are not explicitly supported by CloudSOC Audit.
Troubleshooting
Diagnostics tools
The SpanVA web interface features a suite of diagnostic tools you can use to troubleshoot issues
with your SpanVA instance. Click the Diagnostics tab and choose from the available tools:
● Click the Diagnostic Report tab, then click Generate Diagnostic Report to generate a
report showing the results for a broad spectrum of tests, as shown below.
● Click Network Connectivity Tools, then choose a test type and enter the required
information to test connectivity between SpanVA and various services and hosts.
● Click SQL Connectivity Test, then enter information for an SQL server to test a query as
shown below.
Common issues
● Issue: When using a Samba server as described in Configuring SMB file transfer, you see
errors such as the following in the status monitor:
Solution: Update to Samba version 4.3.11 or later. Earlier versions had issues deleting files
from the source directory.
● Issue: When creating a SpanVA datasource for FTP Client or Network file, you enter all
necessary information but the Create Connection button remains disabled, and does not
let you create the datasource.
Solution: If you have marked the File Extension checkbox, make sure that you have built a
valid list of file extensions by pressing Enter after typing each extension as shown below.
Revision history
Date | Version | Description
19 Feb 2015 | 1.0-1.11 | Initial release and minor revisions
20 June 2016 | 2.0 | Add SQL support, NFS support, reboot button, password reset, and other features
16 November 2016 | 3.0 | Major update; add identity mapping, proxy configuration, related documents
22 December 2016 | 4.0 | Add section on SpanVA status
16 February 2017 | 5.0 | Add NTP configuration
22 February 2017 | 6.0 | Add procedure for self-signed certificate
23 May 2017 | 7.0 | Add SpanVA connection notifications, syslog status, FQDN, and NFS post-process options
16 June 2017 | 8.0 | Add instruction to reboot SpanVA after registration when installed in AWS VM, add section on filtering of inbound traffic from external sources, update directory sync section
5 September to 29 November 2017 | 9.0-9.4 | Add section on verifying tokenization, add cipher mode settings, address "cannot save" error message, other minor changes
2 February 2018 | 10.0 | Reorganize, add note about backup target path and slash characters, update Host access table
7 March 2018 | 10.1 | Update list of virtualization platforms
20 April 2018 | 11.0 | Add DNS configuration, automatic logout, diagnostic tools, detokenization tools, obfuscation of HTTP proxy credentials, FTP client
20 June 2018 | 12.0 | Add section on authentication
29 October 2018 | 12.1 | Address that mapping file must be in a Unix server
31 October 2018 | 12.2 | Remove reference to Windows FTP IIS as supported FTP server
14 November 2018 | 12.3 | Clarify SSH key for identity mapping file
11 December 2018 | 13.0 | Address resolving IP addresses to user IDs with Active Directory
14 February 2019 | 14.0 | Update UI terminology, address custom user attribute mapping and ICMP listener
13 March 2019 | 14.1 | Address password length
29 March 2019 | 14.2 | Minor changes
11 April 2019 | 14.3 | Add directories used for syslog error messages
12 April 2019 | 14.4 | Remove Informational from Syslog messages
19 June 2019 | 14.4 | Added Configuring Secondary User ID Attribute section
12 July 2019 | 14.5 | Added “Configuring SpanVA with HyperV” section
About Symantec
Symantec Corporation (NASDAQ: SYMC), the world’s leading cyber security company, helps businesses, governments and people secure their most important data wherever it lives. Organizations across the world look to Symantec for strategic, integrated solutions to defend against sophisticated attacks across endpoints, cloud and infrastructure. Likewise, a global community of more than 50 million people and families rely on Symantec’s Norton suite of products for protection at home and across all of their devices. Symantec operates one of the world’s largest civilian cyber intelligence networks, allowing it to see and protect against the most advanced threats.
For more info on Symantec CloudSOC CASB and its industry leading integrations with Symantec Enterprise Security Systems, visit go.symantec.com/casb
For additional information, please visit www.symantec.com or connect with us on Facebook, Twitter, and LinkedIn.
symantec.com
+1 650-527-8000
Copyright © 2019 Symantec Corp. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo, are trademarks or registered trademarks of Symantec
Corp. or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only
and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed
by law, and are subject to change without notice.