CloudSOC

Tech Note — Installing and Configuring SpanVA 

Table of Contents 

Introduction 
Log format support 
Log tokenization 
SpanVA authentication with CloudSOC 
SpanVA security 
SpanVA monitoring 
Log collection 
Disk allocation 
Directory synchronization 
Installing SpanVA 
1. Download the SpanVA image 
2. Import SpanVA 
3. Obtain the SpanVA token 
4. Start and register SpanVA 
5. Confirm CloudSOC recognizes SpanVA 
6. Provision a SpanVA data source 
7. Test the system with SCP 
Installing SpanVA with HyperV 
Monitoring SpanVA operation 
Checking SpanVA status 
Verifying tokenization 
Installing VMWare Tools 
Configuring the SpanVA ICMP listener 
Configuring SpanVA to send error messages to a syslog host 
Managing the SpanVA instance 
Resetting the password 
Rebooting SpanVA 
Configuring SpanVA with a self-signed certificate 
1. Create the certificate and key 
2. Import the certificate as the trusted root CA 
3. Import the certificate into SpanVA 
Configuring automatic upgrade 
Recovering the SpanVA state 
Configuring SpanVA DNS settings 

Copyright © 2019 Symantec Corp. Confidential Information. Do Not Distribute. 1 


 


Configuring SpanVA NTP settings 


Resizing the SpanVA disk allocation 
Backing up and restoring SpanVA 
Replacing a SpanVA instance 
Configuring SpanVA communication with CloudSOC 
Configuring SpanVA connection notifications 
Configuring Cipher mode setting 
Configuring SSL version 
Configuring how SpanVA fetches logs 
Configuring SpanVA proxy settings 
Configuring SpanVA to retrieve logs from an FTP client 
Configuring SpanVA to retrieve logs with NFS 
Configuring FTP over SSL 
Configuring SpanVA as an SQL Client 
Configuring SMB file transfer 
Configuring a Samba server 
Create the SMB data source in Audit 
Configuring filtering of inbound traffic from external sources 
Configuring SpanVA to retrieve identity mappings from a file 
Configuring Secondary User ID Attribute 
Configuring SpanVA to resolve IP addresses to user IDs with Active Directory 
Using SpanVA detokenization 
Related documents 
Troubleshooting 
Diagnostics tools 
Common issues 
Revision history 
   


Introduction 
SpanVA is a virtual appliance that collects firewall and proxy logs from your network devices and 
proxies and sends them to CloudSOC for processing. Once processed, you can use the data in 
the CloudSOC Audit application to evaluate your shadow IT exposure. 

SpanVA is an alternative to uploading individual logs using Web Upload or other methods as 
described in the CloudSOC Tech Note Managing Data Sources for the CloudSOC Audit App. 

SpanVA is especially useful when: 

● You must have on-premises anonymization of log data 

● Your firewalls cannot stream to SCP or SFTP servers 

● Your network lacks a log collection mechanism 

● Your network is sensitive to the bandwidth consumed as log traffic moves to the 
CloudSOC cloud 

● You have a large network for which SCP or SFTP access is not practical 

Once you install SpanVA, you configure and maintain it using a built-in web interface that you 
open by browsing to its IP address. SpanVA can automatically discover the CloudSOC cloud, so 
you don't have to configure its URL in SpanVA's configuration. However, you can also configure 
a proxy address if one is required to reach the CloudSOC Cloud from your network. 

You can also use SpanVA as a platform for synchronizing users from an LDAP server such as 
Microsoft Active Directory, as described in the CloudSOC Tech Note Configuring DSS Directory 
Sync. 

SpanVA is provided as a Linux-based Open Virtualization Appliance (OVA) package. You install 
and run this virtual appliance inside your NAT and assign it a local IP address from your network. 
In some use cases, SpanVA might also need credentials to access other specific servers and 
perimeter devices such as firewalls. 

NOTE: This document assumes that you have already installed the virtualization software 
required to host SpanVA. Supported virtualization hypervisors include: 

● VMware Fusion 

● VMware Player 

● VMware Workstation 

● VMware ESX/ESXi 

Other virtualization hypervisors may be compatible, but are not officially supported. 


SpanVA supports both push- and pull-based log collection. SpanVA supports the following log 
collection mechanisms: 

● Syslog Server -- SpanVA comes bundled with a syslog server for capturing log messages 
from firewalls that can log in syslog format. This feature provides you with a ready-made 
syslog server if you have firewalls capable of logging to syslog servers but lack a log 
collection framework. 

● FTP/FTPS/SFTP/SCP Server -- Modern firewalls can often be configured to stream logs 
using FTP, FTPS, Secure FTP (SFTP), or Secure Copy (SCP). To support these log 
collection methods, SpanVA contains file transfer server services that you can configure 
to listen on a specified port. You must configure the IP and port in the firewall for 
communication to SpanVA. Later in this Tech Note we refer to the collective service as 
the SFTP/SCP/FTP server. 

● FTP Client -- The FTP client lets SpanVA remotely copy files from a host on your network. 

Note: By default, SpanVA supports only VSFTPD servers. For other servers, you must 
configure them to use specific log file names as described in Configuring SpanVA to 
retrieve logs from an FTP client. 

● SQL Client (Beta) -- For Websense devices and for Symantec Endpoint Protection 
Manager, SpanVA can act as an SQL client to retrieve logs from an SQL server. See 
Configuring SpanVA as an SQL Client. 

● Network Shared Files -- SpanVA can access log files shared over the network using NFS. 
See Configuring SpanVA to retrieve logs with NFS. 

● SMB Client -- SpanVA supports the SMB file sharing protocol. See Configuring Samba file 
transfer. 

Log format support 

SpanVA supports the following log formats: 

● Blue Coat ProxySG 

● Check Point LEA 

● Cisco ASA Series 

● Cisco WSA 

● CloudSOC Flex universal log processor 

● Fortinet 

● McAfee Web Gateway 

● Palo Alto Networks PAN 

● Websense Proxy 

● Zscaler NSS 

For file-based data sources, SpanVA supports both uncompressed files and files compressed in 
gzip, zip, tar.gz, or bzip2 format. When receiving logs over syslog or when input files are not 
already compressed, SpanVA conserves bandwidth by compressing logs before transferring 
them to the CloudSOC Cloud. 

Log tokenization 
You control SpanVA log tokenization using the Settings > CloudSOC SpanVA tab in CloudSOC, 
as shown below. CloudSOC pushes the settings on this tab down to SpanVA. When set to 
Tokenized, SpanVA replaces all user-identifiable information such as names, email addresses, 
and IP addresses in the device logs with system-generated identifiers before the data leaves your 
premises. However, SpanVA also maintains an internal table that correlates the tokenized IDs 
with the actual IDs, and it delivers that information over your local network to CloudSOC browser 
apps when needed. This tokenization feature gives you an additional layer of protection for user 
information, since user ID information never leaves your premises, but still lets admins see user 
ID information in CloudSOC apps. 

Important: Once you enable this feature, you cannot disable it. Read the CloudSOC Tech Note 
Managing CloudSOC User Privacy Features before you enable this feature. 

If you want to remove user IDs from device logs before uploading them to CloudSOC, 
but want CloudSOC admins to see the actual user IDs, enable SpanVA tokenization but disable 
CloudSOC anonymization. In this scenario, role-based access control (RBAC) permissions in 
CloudSOC control which admins can see actual user IDs. When authorized admins use 
CloudSOC apps that show user ID information, those browser apps communicate directly with 
SpanVA over your local network to obtain the actual user IDs. 

If you enable both CloudSOC anonymization and SpanVA tokenization features, only admins with 
Data Protection Officer (DPO) status can reveal user IDs. 

Note: If you enable SpanVA tokenization, in order for CloudSOC admins to see user IDs, the 
SpanVA instance must be on the same network and accessible from the same browser in which you 
open CloudSOC. Also note that the SpanVA web interface uses a self-signed certificate by 
default, so your browser might prompt you with a certificate warning. You must accept this 
warning to de-anonymize the user IDs with the CloudSOC User Investigation Mode. 

For more information about SpanVA tokenization, see the CloudSOC Tech Note Managing 
CloudSOC User Privacy Features. 

SpanVA authentication with CloudSOC 

When SpanVA communicates with CloudSOC, it uses the credentials and privileges of the 
CloudSOC administrator or system administrator who originally configured it. If you disable that 
user account, for example when they leave your company, the SpanVA instance can no longer 
communicate with CloudSOC and will be in a disconnected state. If you need to disable the user 
account of an admin who configured a SpanVA instance, you can contact Symantec support and 
have them transfer ownership of the SpanVA to another CloudSOC administrator. 

SpanVA security 
Firewall rules are configured on SpanVA so that only needed ports are open, to provide security 
from any potentially malicious access from within your network. As an added security measure, 
SpanVA stops accepting new logs if it loses contact with the CloudSOC Cloud for more than two 
days. Also, SpanVA does not support access via SSH. 

Important: Regularly check for SpanVA software updates, and install new updates promptly. We 
recommend that you enable automatic upgrade as described in Configuring automatic upgrade. 
Doing so ensures that you receive all applicable security fixes for known vulnerabilities. We only 
support the previous five released versions of SpanVA. 

SpanVA monitoring 
The SpanVA web interface shows you the health of the virtual appliance, including its 
connectivity to CloudSOC and all essential services (such as the SMTP gateway). CloudSOC also 
shows the status of the SpanVA and generates an alert via an email or log entry when SpanVA 
has not connected for an extended period of time. 

Log collection 
SpanVA stops accepting and polling for new logs after it has been unable to connect with 
CloudSOC for two days. This feature prevents SpanVA from overflowing its disk allocation with 
log files. 


Disk allocation 

Use the formulas below to determine how much disk space you must allocate for the SpanVA 
instance, where: 

D = disk allocation in gigabytes 
F = maximum compressed file size in gigabytes 
C = number of CPU cores 
S = number of data sources 
H = total size of historical logs in gigabytes to be copied at once (where applicable, 0 otherwise) 

● For .gz compressed and uncompressed files: 

D = S*F*6*C + 20 + H 

● For .tar.gz, .tar.bz2 or .zip files: 

D = S*F*30 + 20 + H 

See the section ​Resizing the SpanVA disk allocation​ for information about resizing the SpanVA 
disk allocation. 
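The following Python helper is an added example, not part of the Tech Note or of SpanVA. It applies the two sizing formulas above with the document's symbols (S, F, C, H), selects the formula from the file format, and compares the result with the 100 GB minimum from the System Requirements table in 2. Import SpanVA. The function and parameter names are this example's own.

```python
"""Disk allocation calculator for the SpanVA sizing formulas.

Added example, not part of the Symantec Tech Note or the SpanVA product.
It applies the two formulas from the "Disk allocation" section; the
function and parameter names are this example's own choice.
"""

# Formats the Tech Note groups under the second (archive) formula.
ARCHIVE_FORMATS = {"tar.gz", "tar.bz2", "zip"}
# Formats covered by the first (per-core) formula.
STREAM_FORMATS = {"gz", "uncompressed"}

# Minimum disk storage from the System Requirements table, in GB.
MINIMUM_DISK_GB = 100


def disk_allocation_gb(datasources, max_file_gb, cpu_cores, file_format,
                       historical_gb=0):
    """Return D, the disk allocation in gigabytes.

    datasources   -- S, number of data sources
    max_file_gb   -- F, maximum compressed file size in GB
    cpu_cores     -- C, number of CPU cores
    file_format   -- one of STREAM_FORMATS or ARCHIVE_FORMATS
    historical_gb -- H, total size of historical logs copied at once (0 if none)
    """
    if datasources < 1 or cpu_cores < 1:
        raise ValueError("S and C must be at least 1")
    if max_file_gb <= 0 or historical_gb < 0:
        raise ValueError("F must be positive and H non-negative")
    if file_format in STREAM_FORMATS:
        # D = S*F*6*C + 20 + H
        return datasources * max_file_gb * 6 * cpu_cores + 20 + historical_gb
    if file_format in ARCHIVE_FORMATS:
        # D = S*F*30 + 20 + H
        return datasources * max_file_gb * 30 + 20 + historical_gb
    raise ValueError(f"unknown file format: {file_format!r}")


def required_disk_gb(*args, **kwargs):
    """The formula result, raised to the 100 GB table minimum if smaller."""
    return max(disk_allocation_gb(*args, **kwargs), MINIMUM_DISK_GB)


def meets_requirement(allocated_gb, *args, **kwargs):
    """True if an existing allocation is large enough for the given inputs."""
    return allocated_gb >= required_disk_gb(*args, **kwargs)


if __name__ == "__main__":
    # Three .gz data sources, 0.5 GB max file, 2 cores, no historical logs.
    print("D (gz)  =", disk_allocation_gb(3, 0.5, 2, "gz"))
    # Same sources delivered as .zip, plus 10 GB of historical logs.
    print("D (zip) =", disk_allocation_gb(3, 0.5, 2, "zip", historical_gb=10))
    print("required =", required_disk_gb(3, 0.5, 2, "gz"))
```

Note that small deployments are bounded by the 100 GB table minimum rather than by the formula; the formula only starts to matter once S, F or H grows.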

Directory synchronization 
Directory sync is a SpanVA feature that lets you synchronize your users from a directory server 
into CloudSOC using DSS (Directory Synchronization Services). Doing so makes your user list 
accessible to CloudSOC apps. When you use directory sync, you don't have to manually add 
users or groups in CloudSOC. DSS works with Microsoft Active Directory as well as generic LDAP 
servers.  

We use SpanVA to implement the directory sync feature because its location inside your 
enterprise perimeter makes it the logical platform to synchronize data between your Active 
Directory server and CloudSOC. 

For more information about Active Directory Sync, see the CloudSOC Tech Note Configuring DSS 
Directory Sync. 

Installing SpanVA 
Perform the steps in the following sections in sequence to download, configure, and activate a 
SpanVA log collector and configure it as a CloudSOC datasource. 

1. Download the SpanVA image 

To download the SpanVA image: 

1. Log in to CloudSOC with your administrator credentials. 

2. On the CloudSOC menu bar, click your username and choose Settings. On the Settings 
page, click the CloudSOC SpanVA tab. 

3. On the SpanVA page, click the SpanVA Setup tab to bring it to the front. 

4. Click CloudSOC SpanVA Image to download the image file. 

Note: The SpanVA image file is over 1 GB in size, so you may want to consider using a 
download manager such as FlashGet. 

2. Import SpanVA 
We provide the SpanVA virtual appliance as an OVA package that is compatible with many 
virtualization platforms. In the following example we configure SpanVA under Oracle VM 
VirtualBox Manager. Other virtualization platforms are similar. If necessary, see the 
documentation for your virtualization platform.   

Observe the prerequisites in the following table as you import and configure the SpanVA virtual 
machine. 

Network Access 

  Outbound port 443 to the following hosts: 

  Host access                               Purpose 
  *.elastica.net                            Connectivity to CloudSOC SpanVA management 
  elastica-oregon-audit.s3.amazonaws.com    Where US customers upload logs 
  cep-dub-audit.s3.amazonaws.com            Where EU customers upload logs 
  elastica-artifacts.s3.amazonaws.com       Where SpanVA pulls upgrades and other data 
  el-public-repo.s3.amazonaws.com           Where SpanVA pulls upgrades and other data 

  NTP access: UDP port 123 

System Requirements 

                  Minimum    Recommended 
  RAM             2 GB       4 GB 
  CPUs            1          2 
  Disk Storage    100 GB     See Disk allocation 
 

To import SpanVA into your virtualization platform: 

1. Open the SpanVA image file in your virtualization software and import it as shown below.  

   

2. In your virtualization software, give the SpanVA virtual machine a descriptive name. 

3. In your virtualization software, locate the network settings for the SpanVA virtual machine 
and confirm that the adapter type is “bridged.” 
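The network-access table above is, in effect, an egress allowlist for the SpanVA VM. The Python below is an added example (not from the Tech Note or SpanVA) that turns the table into a check you can run over your own firewall or proxy egress logs to confirm that the required destinations are reachable and that the appliance talks to nothing else. The log line format, the sample lines and the helper names are constructed for this example; adapt parse_line() to your own log format.

```python
"""Egress allowlist check built from the SpanVA network-access table.

Added example; it is not part of the Tech Note or of SpanVA. The required
destinations come from the table (hosts on outbound TCP 443, NTP on UDP
123). The log line format, the sample lines and the helper names are
constructed for this example.
"""
from fnmatch import fnmatchcase

# Required egress from the table: (host pattern, protocol, port).
REQUIRED_EGRESS = [
    ("*.elastica.net", "tcp", 443),
    ("elastica-oregon-audit.s3.amazonaws.com", "tcp", 443),
    ("cep-dub-audit.s3.amazonaws.com", "tcp", 443),
    ("elastica-artifacts.s3.amazonaws.com", "tcp", 443),
    ("el-public-repo.s3.amazonaws.com", "tcp", 443),
    ("*", "udp", 123),  # NTP: the table gives the port but names no host
]

# Constructed egress-log lines: "<timestamp> <destination host>:<port>/<protocol>".
SAMPLE_EGRESS_LOG = [
    "2019-06-01T10:00:01Z api.elastica.net:443/tcp",
    "2019-06-01T10:00:02Z elastica-oregon-audit.s3.amazonaws.com:443/tcp",
    "2019-06-01T10:00:03Z ntp.example.net:123/udp",
    "2019-06-01T10:00:04Z updates.example.org:80/tcp",
    "2019-06-01T10:00:05Z elastica-artifacts.s3.amazonaws.com.example:443/tcp",
]


def is_allowed(host, proto, port):
    """True if the destination matches a required-egress entry exactly.

    fnmatchcase matches the whole name, so "*.elastica.net" accepts
    api.elastica.net but neither elastica.net.example nor evil-elastica.net.
    """
    host = host.lower().rstrip(".")
    return any(fnmatchcase(host, pattern) and proto == p and port == prt
               for pattern, p, prt in REQUIRED_EGRESS)


def parse_line(line):
    """Turn one constructed log line into (host, proto, port)."""
    _ts, dest = line.split(" ", 1)
    hostport, proto = dest.rsplit("/", 1)
    host, port = hostport.rsplit(":", 1)
    return host, proto.lower(), int(port)


def classify(lines):
    """Split log lines into (allowed, unexpected) destination tuples."""
    allowed, unexpected = [], []
    for line in lines:
        dest = parse_line(line)
        (allowed if is_allowed(*dest) else unexpected).append(dest)
    return allowed, unexpected


if __name__ == "__main__":
    ok, bad = classify(SAMPLE_EGRESS_LOG)
    print("allowed:", ok)
    print("unexpected:", bad)
```

The fifth sample line exists to show that a suffix-only comparison would be a bug: a name that merely starts with an allowed host must not pass. If your proxy logs record the SNI or Host header rather than a resolved name, feed that field to is_allowed() since it is the name the table refers to.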

3. Obtain the SpanVA token 

To configure SpanVA for communication with CloudSOC, you obtain a registration token that 
you then configure in SpanVA: 

1. If you have not already done so, log in to your CloudSOC account with your administrative 
credentials. 

2. On the CloudSOC menu bar, click your username and choose Settings. 

3. On the Settings page, click the CloudSOC SpanVA tab. 

4. On the SpanVA page, click the SpanVA Setup tab to bring it to the front. 

5. Click Provision New SpanVA. 

6. Copy the Registration Token shown on the page, as shown below. 

4. Start and register SpanVA 

Next, start the SpanVA virtual machine, log in to its web interface, and configure it with the 
registration token: 

1. In your virtualization software, start the SpanVA VM and let it boot automatically. Do not 
select any of the additional boot images. 

When the SpanVA VM starts, it displays a URL for the web-based configuration interface. 
In the example below, the URL is https://192.168.1.12/. 

 
 


2. Record the URL displayed by the SpanVA VM. 

3. Navigate to the URL using a browser running on the local host or any other host that is on 
the same network. 

Note: Depending on your computer's security profile, you might have to accept and 
confirm the IP address as a security exception in order to open the URL. 

4. Log in to the SpanVA web interface using these default credentials: 

Username: admin 
Password: admin123 

5. Change the login password as directed by SpanVA's web interface. 


Note: The SpanVA web interface automatically logs you out after one hour of inactivity. 
This feature helps protect SpanVA from unauthorized access through an unattended web 
interface session. 

6. Open the Configure SpanVA tab and configure SpanVA with a name and the registration 
token you recorded earlier in the procedure Provision SpanVA. If you want to address the 
SpanVA using an FQDN instead of an IP address, configure that as well. 

7. If necessary, click the Network tab and then click Edit to configure static IP address 
parameters for the SpanVA instance, as shown below. By default, SpanVA obtains its IP 
settings using DHCP. 

   


Note: If SpanVA responds with a "cannot save" error message, its virtual machine may not 
have a valid Ethernet adapter associated with it. Double-check that the VM is associated 
with a network adapter, and that the adapter type is "bridged" as described in 2. Import 
SpanVA. 

8. If SpanVA must connect with the internet through a proxy: 

a. Use the Network tab to configure the proxy URL and credentials, as shown below. 
In this case, you must configure SpanVA to use a static IP address. 

For an authenticated proxy, enter the URL in the following format: 

https://<user>:<password>@<proxyurl> 

For example: 

https://proxy_user:Pa$sw0rd@myco_proxy.com 

Or: 

http://proxy_user:Pa$sw0rd@10.10.46.11:8080 

After you enter the proxy URL, SpanVA resets. 


Note: The SpanVA web interface obfuscates any username or password 
configured for the HTTP and HTTPS proxy as shown below. Once you save the 
proxy configuration, the credentials are represented with asterisks. When you edit 
the proxy configuration, you must either re-enter the correct credentials or click 
Cancel to retain the existing configuration. 

After upgrading from SpanVA versions prior to 2.92, you must edit and save the 
proxy details in order to trigger obfuscation. 

b. Update your proxy configuration to whitelist the hosts listed in the table in the 
section 2. Import SpanVA. These are hosts that SpanVA accesses when uploading 
logs to CloudSOC and when upgrading. If you don't whitelist these hosts, it might 
result in issues such as failure to upload log files or failure to upgrade SpanVA. 

9. If you configured SpanVA to use a static IP address, use your browser to log in to SpanVA 
at the new address. 

10. If you are using SpanVA behind a proxy that uses a self-signed certificate, upload the proxy 
root CA certificate as follows: 

a. Click the Certificates tab, then click Add Root CA. 


b. On the Add Root CA Certificate panel, browse to the proxy root CA certificate, give 
the certificate a name, then click Submit, as shown below. 

11. If you want to upload a web server certificate so your browser does not raise a security 
alert when you browse to SpanVA, upload a web server certificate and private key as 
follows: 

a. Click the Certificates tab, then click Add Server. 

b. On the Add Server Certificate panel, browse to the web server certificate and private 
key files. 


c. If the key file is password-protected, enter the password, then click Submit, as 
shown below. 

12. At the bottom of the Configure SpanVA tab, click Register SpanVA. 

SpanVA displays a "Processing Registration" message as shown below while it connects 
to CloudSOC. 

13. If you are installing SpanVA on an AWS VM, reboot SpanVA by choosing Settings > 
Reboot. Otherwise SpanVA does not connect with CloudSOC, and its status 
changes to "Disconnected" and stays that way. 

After SpanVA reboots, log back in to SpanVA as described earlier. 


14. Wait for the SpanVA status to change to "Alive," as shown below. This status indicates 
that SpanVA has connected with CloudSOC. 

15. After the Status changes to "Alive," click the Upgrade tab, and then click Download and 
Install Updates to get any applicable updates. The button is disabled if no updates are 
available. 

SpanVA instances maintain connectivity to CloudSOC and can download and install 
updates automatically. CloudSOC uses this connection to provide updates to 
already-installed virtual appliances. See ​Configuring auto upgrade​ for more information. 
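Step 8a above embeds the proxy credentials in the URL itself, in the form https://<user>:<password>@<proxyurl>. The Python below is an added example (not from the Tech Note or SpanVA) showing how that URL is assembled and parsed, why a password containing "@" or ":" must be percent-encoded before it is placed in the URL (the "$" in the document's Pa$sw0rd example needs no encoding, because "$" is permitted in the userinfo part of a URL), and how to reproduce the display-side masking the web interface applies so that the URL can be logged or shown without exposing the credentials. The helper names are this example's own; the sample values are those from the step above.

```python
"""Building, parsing and redacting an authenticated proxy URL.

Added example, not part of the Tech Note or of SpanVA. It uses only the
standard library and the URL form shown in step 8a:
    https://<user>:<password>@<proxyurl>
"""
from urllib.parse import quote, unquote, urlsplit, urlunsplit


def build_proxy_url(scheme, user, password, proxy_host, port=None):
    """Return scheme://user:password@host[:port] with the userinfo encoded.

    quote(..., safe='') percent-encodes every reserved character, so a
    password containing '@' or ':' cannot be mistaken for the host separator.
    """
    if scheme not in ("http", "https"):
        raise ValueError("proxy scheme must be http or https")
    userinfo = f"{quote(user, safe='')}:{quote(password, safe='')}"
    netloc = f"{userinfo}@{proxy_host}" + (f":{port}" if port else "")
    return urlunsplit((scheme, netloc, "", "", ""))


def parse_proxy_url(url):
    """Split a proxy URL into its parts; the credentials are decoded."""
    parts = urlsplit(url)
    if parts.username is None or parts.password is None:
        raise ValueError("proxy URL has no user:password@ section")
    return {
        "scheme": parts.scheme,
        "user": unquote(parts.username),
        "password": unquote(parts.password),
        "host": parts.hostname,
        "port": parts.port,
    }


def redact_proxy_url(url):
    """Replace the credentials with asterisks for display or logging,
    mirroring the masking the SpanVA web interface performs after save."""
    parts = urlsplit(url)
    netloc = parts.hostname or ""
    if parts.port:
        netloc = f"{netloc}:{parts.port}"
    if parts.username is not None:
        netloc = f"****:****@{netloc}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query,
                       parts.fragment))


if __name__ == "__main__":
    # The document's own example values.
    url = build_proxy_url("http", "proxy_user", "Pa$sw0rd", "10.10.46.11", 8080)
    print(url)
    print(parse_proxy_url(url))
    print(redact_proxy_url(url))
    # A password that would break the URL if pasted in unencoded.
    print(build_proxy_url("https", "proxy_user", "p@ss:w0rd", "myco_proxy.com"))
```

Use redact_proxy_url() whenever the configured URL is written to a ticket, a log line or a screenshot; the raw form contains a reusable credential for your egress proxy.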

5. Confirm CloudSOC recognizes SpanVA 

CloudSOC monitors all SpanVA instances and shows their status. To confirm that CloudSOC can 
communicate with the new SpanVA instance: 

1. If you have not already done so, log in to your CloudSOC account with your administrator 
credentials. 

2. On the CloudSOC menu bar, click your username and choose Settings. 

3. On the left edge of the Settings page, click the CloudSOC SpanVA tab. 

4. Click the Status Monitor tab to view the status of all configured SpanVA instances. Your 
new SpanVA instance should appear on the list and show status "Alive" as shown 
below. 

If your new SpanVA instance does not appear on the list or is not alive, double-check the 
installation to this point. 

6. Provision a SpanVA data source 

In order for SpanVA to collect data from your firewalls and proxies, you configure a data source 
for it. You do this configuration in CloudSOC, which pushes the configuration down to 
SpanVA. In the procedure below, we show how to configure SpanVA as an 
SCP/SFTP/FTP/FTPS/HTTPS server in order to test the system. Procedures for configuring 
SpanVA as other data source types are similar. 

To provision a SpanVA Datasource for use as an SCP/SFTP/FTPS/FTP server, follow these steps: 

1. In the CloudSOC left side navigation bar, choose Audit > Device Logs. 

2. Near the upper right corner of the Audit page, choose New Data Source > SpanVA 
Datasource. 

3. Name the new Datasource and select the appropriate options as shown below. 

For Source Type, choose SCP/SFTP/FTP/FTPS/HTTPS Server. Later, you can create a 
new SpanVA datasource of a different type if you want. 

Note: If you choose Syslog Server as the Source Type, CloudSOC displays a fifth option 
that lets you select BSD or IETF messages. Use this option in cases where you are 
configuring more than one SpanVA instance. 

4. Click Create Connection. CloudSOC opens the Datasource Details panel to show you the 
configuration details. 

You use these parameters to configure your firewalls and proxies to stream log data to 
SpanVA. In particular, note the username and password shown. Later, you will use these 
to configure the devices sending log files to SpanVA. 

Note: The password is valid for current and future uploads, but will not be shown when 
you open the Datasource Details panel in the future. The password persistence feature is 
useful when you are configuring devices to send log files to SpanVA. If you lose the 
password, click Reset to receive a new password. If you reset the password, you must 
reconfigure your network devices to use the new password for subsequent log uploads. 

7. Test the system with SCP 


After configuring SpanVA as an SCP/SFTP/FTP server, test the system by using SCP to send 
SpanVA a sample log file. For the purposes of this test you need a sample network device log 
file, preferably 16MB or larger. The reason you need a 16MB or larger file is that the CloudSOC 
queue holds your data files until either 16 MB of files have accumulated or two hours has elapsed. 
Uploading a test file larger than 16 MB ensures that the file is processed more quickly.   


To test the system with SCP: 

1. Open a terminal session and enter the following command: 

scp path/logfile username@host:path 

Where: 

● path/logfile is the path (if not in the current directory) and filename for the log file 
● username is the username shown to you on the Datasource Details panel 
● host is the Host IP address shown to you on the Datasource Details panel 
● path is the Destination Directory shown to you on the Datasource Details panel 

For example: 

host> scp bluecoat.log1.gz ds_elastica@192.168.2.191:/ds_elastica/datasources/531eeadfca78c264ae87e317 

The system prompts you for a password. 

2. Enter the password that CloudSOC showed you when you were configuring the SpanVA 
data source. 

The system responds with upload status in the terminal session. 

Audit updates the Status when the CloudSOC servers start processing the logs, and again 
when the processing is complete. Under normal circumstances, log processing takes 
somewhere between 20 minutes and 6 hours, depending on the log file size and other 
factors such as processing queue length. You also receive email alerts at each stage of 
the process. You do not need to stay logged in while the logs are processed. 


3. In CloudSOC, choose ​Audit > Device Logs ​to check the status of the transfer as shown 
below. 

In the example above, the test log file has been received and processed, and is available 
for analysis in Audit. 

Monitoring SpanVA operation 

The following sections describe procedures for verifying that SpanVA is operating properly. 

Checking SpanVA status 

The SpanVA web interface displays current status at the top of the navigation bar as shown 
below: 

   


The table below describes the statuses: 

Status        Description 

New           SpanVA just started, and has not yet registered with CloudSOC. 

Registered    SpanVA has registered with CloudSOC but has not yet validated that it is 
              fully functional. 

Alive         SpanVA is fully functional. 

Degraded      SpanVA is connected to CloudSOC but is having trouble uploading logs 
              to CloudSOC via S3. The trouble may be caused by connectivity issues 
              between SpanVA and S3, or between SpanVA and its outbound proxy, if 
              any. 
              ● If you have configured a proxy for the SpanVA, double-check that 
                the proxy settings are still valid as described in Configuring 
                SpanVA proxy settings. 
              ● If you are not using a proxy, or the proxy settings are valid, and 
                the problem persists for more than six hours, contact CloudSOC 
                technical support. 

Disconnected  SpanVA cannot connect with CloudSOC. 


You can also view the following SpanVA operational statistics in CloudSOC: 

● Received and uploaded logs 

● Available memory and total memory 

● CPU usage percentage 

● Disk allocation available and total disk usage 

To view operational statistics in CloudSOC: 

1. In CloudSOC, go to the gear icon on the top right corner, then click the CloudSOC 
SpanVA tab. 

2. On the Status Monitor tab, click an entry for a SpanVA.   


3. On the details panel that slides in from the right, scroll down to see the statistics charts, if 
available, as shown below. 

Verifying tokenization 
SpanVA features a test mode that shows you the first 100 lines of tokenized logs that it prepares 
to send to CloudSOC. If you have enabled SpanVA Tokenization, use this feature to compare 
your logs with the tokenized versions to verify that tokenization is taking place correctly before 
SpanVA sends them to CloudSOC. In test mode, SpanVA does not send any logs to CloudSOC. 

1. In the SpanVA web interface, click the Verify Tokenization tab, then mark the Enable 
Tokenization Test Mode checkbox. 

SpanVA then shows you the first 100 lines of each log file. 


2. Compare SpanVA's tokenized version with the original as shown below to verify that the 
user IDs and IP addresses have been replaced with tokenized versions. In the example 
below, the identifiable IP address 10.68.134.119 has been tokenized to 10.1.1.29. 

3. After verifying that tokenization is taking place correctly, disable tokenization test mode 
by clearing the checkbox. 

Important: ​Make sure to disable the test mode after you verify that SpanVA is tokenizing 
log files correctly. Otherwise SpanVA does not send log files to CloudSOC.   
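The Python below is an added example, not SpanVA's code or its actual algorithm, that models what the Log tokenization section and the test-mode comparison above describe: e-mail user IDs and IPv4 addresses in each log line are swapped for system-generated stand-ins before the line would be uploaded, a table kept locally maps every token back to the real value so authorized viewers can reverse it, and a preview returns original and tokenized lines side by side for the kind of check step 2 performs. Token formats, the helper names and the sample log lines are constructed for this example; the tokenized IP 10.1.1.29 in the document is SpanVA's own output and is not reproduced here.

```python
"""Illustrative log tokenizer with an on-premises reverse-lookup table.

Added example; it is not SpanVA's code or its actual algorithm. Token
formats, helper names and the sample log lines are constructed.
"""
import ipaddress
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed proxy-log lines: "date time user client-ip method url".
SAMPLE_LOG = [
    "2019-06-01 10:00:00 alice@example.com 10.68.134.119 GET https://www.example.net/",
    "2019-06-01 10:00:01 bob@example.com 10.68.134.120 GET https://files.example.org/a.zip",
    "2019-06-01 10:00:02 alice@example.com 10.68.134.119 POST https://mail.example.net/send",
]


class Tokenizer:
    """Maps real identifiers to stable tokens; the mapping table stays local."""

    def __init__(self, ip_pool="10.1.0.0/16"):
        self.forward = {}   # real value -> token
        self.reverse = {}   # token -> real value (the sensitive table)
        self._ips = ipaddress.ip_network(ip_pool).hosts()  # token IPs, in order
        self._users = 0

    def _token_for(self, value, kind):
        """Return the existing token for value, or mint and record a new one."""
        if value in self.forward:
            return self.forward[value]
        if kind == "ip":
            token = str(next(self._ips))
        else:
            self._users += 1
            token = f"user{self._users:05d}@tokenized.invalid"
        self.forward[value] = token
        self.reverse[token] = value
        return token

    def tokenize_line(self, line):
        """Replace e-mail addresses first, then IPv4 addresses."""
        line = EMAIL_RE.sub(lambda m: self._token_for(m.group(0), "user"), line)
        return IPV4_RE.sub(lambda m: self._token_for(m.group(0), "ip"), line)

    def detokenize_line(self, line):
        """Reverse every known token in a single pass; unknown text is untouched.

        One regex pass (longest token first) avoids a second substitution
        landing inside a value that was just restored.
        """
        if not self.reverse:
            return line
        tokens = sorted(self.reverse, key=len, reverse=True)
        pattern = re.compile(r"\b(?:" + "|".join(map(re.escape, tokens)) + r")\b")
        return pattern.sub(lambda m: self.reverse[m.group(0)], line)

    def preview(self, lines, limit=100):
        """Test-mode view: (original, tokenized) pairs for the first `limit` lines."""
        return [(line, self.tokenize_line(line)) for line in lines[:limit]]


def verify_tokenization(pairs):
    """True if no e-mail or IPv4 address from an original line survives in
    its tokenized counterpart, which is the check the test mode supports."""
    for original, tokenized in pairs:
        for found in EMAIL_RE.findall(original) + IPV4_RE.findall(original):
            if found in tokenized:
                return False
    return True


if __name__ == "__main__":
    tok = Tokenizer()
    pairs = tok.preview(SAMPLE_LOG)
    for original, tokenized in pairs:
        print(original)
        print("  ->", tokenized)
    print("tokenization ok:", verify_tokenization(pairs))
    print("restored:", tok.detokenize_line(pairs[1][1]))
```

The important property is consistency: the same user or address receives the same token in every line, so CloudSOC can still correlate activity while the reverse table, which is the only thing that links tokens to people, never has to leave the premises. Usernames in other forms (domain\user, bare logins) would need their own pattern in tokenize_line().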


Installing SpanVA with HyperV 

Follow this procedure to install SpanVA with HyperV. 

1. Go to the folder where you downloaded the SpanVA virtual machine, and extract it: 
 


2. Open HyperV, click Actions, and select Import Virtual Machine...: 

 
 
3. Go to the Before You Begin tab, and click Next: 

4. Go to the Locate Folder tab, and click Browse to specify the folder containing the extracted 
SpanVA virtual machine, then click Next: 

5. In the Select Virtual Machine tab, select the SpanVA virtual machine, and click Next: 

6. In the Choose Import Type tab, select the option Copy the virtual machine (create a new 
unique ID) and click Next: 

7. In the Choose Destination tab you can specify new or existing folders to store the virtual 
machine files. After selecting the configuration folders, click Next: 

8. In the Choose Storage Folders tab, select the folder where you want to store the imported 
virtual hard disks for the SpanVA virtual machine. Afterwards, review the Summary tab, and 
click Finish: 

9. To start SpanVA, open HyperV, go to the list of virtual machines, select the SpanVA virtual 
machine and then select Start: 

   

Copyright © 2019 Symantec Corp. Confidential Information. Do Not Distribute. 35 


 

Tech Note — Installing and Configuring SpanVA 

Installing VMWare Tools 


When you install SpanVA on a VMware virtual machine, you can install VMware Tools on 
SpanVA. VMware Tools let you monitor the health, memory usage, and CPU utilization of the 
SpanVA instance. 

● In the SpanVA web interface, click Settings, then click Install VMware Tools as shown 
below.

For more information about VMware Tools, see: 

https://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&externalId=340 

Configuring the SpanVA ICMP listener 


SpanVA lets you activate an ICMP listener that responds to ICMP queries such as ping. This 
feature makes it easier for you to monitor the health of your SpanVA instances.

● In SpanVA, open the Settings tab, then enable the ICMP listener slider as shown below.

Configuring SpanVA to send error messages to a syslog host 


You can configure SpanVA to send error messages via TCP or UDP to a syslog server.  

To configure error message logging with syslog: 

1. In the SpanVA web interface, click the Monitoring tab, then click the Syslog tab.

2. Configure values for the syslog host IP address and port, as shown below.

3. Choose either TCP or UDP, then click Save.

To retrieve the error messages, open one of the following files, depending on the network type 
you configure:

● /var/log/spanva_tcp.log

● /var/log/spanva_udp.log

SpanVA sends only messages of the following levels to the syslog host:

● Warning

● Error

● Critical

For routine status messages, click Monitoring, then open the Console tab.
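As an added example (not SpanVA or CloudSOC code), the following Python receiver shows the syslog-host side of this setup: it parses the syslog PRI field, keeps only messages at warning severity or worse, which are the three levels SpanVA forwards, and can be bound to the port you configured above. The sample lines are constructed, and the facility and host names in them are assumptions.

```python
"""Severity filter for the messages SpanVA forwards to a syslog host.

Added example (not SpanVA or CloudSOC code): SpanVA forwards only Warning,
Error and Critical messages, so a collector can drop anything less severe
and page on the rest. Assumes RFC 3164 style lines with a <PRI> prefix; the
sample lines below are constructed, not real SpanVA output.
"""
import re
import socket
from collections import Counter
from typing import Dict, Iterable, List, Optional

# RFC 3164 severity codes: 0 emerg .. 7 debug; SpanVA sends 2 (crit), 3 (err), 4 (warning)
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
WARNING = 4
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

SAMPLE_LINES = [  # constructed: PRI = user facility (1) * 8 + severity
    "<12>Jan  5 00:02:11 spanva-01 spanva: backup to scp host 10.0.0.9 failed: connection refused",
    "<11>Jan  5 00:05:40 spanva-01 spanva: datasource bluecoat-ftp: login failed for user spanva",
    "<10>Jan  5 00:07:02 spanva-01 spanva: disk allocation 97% used, log collection paused",
    "<14>Jan  5 00:07:30 spanva-01 spanva: uploaded 3 files to CloudSOC",
    "Jan  5 00:08:00 spanva-01 spanva: line without a PRI header",
]


def parse_pri(line: str) -> Optional[Dict[str, object]]:
    """Split the <PRI> prefix into facility and severity; None if malformed."""
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:  # facility 0-23, severity 0-7
        return None
    severity = pri % 8
    return {
        "facility": pri // 8,
        "severity": severity,
        "severity_name": SEVERITY_NAMES[severity],
        "message": m.group(2).strip(),
    }


def alertable(lines: Iterable[str], threshold: int = WARNING) -> List[Dict[str, object]]:
    """Keep parsed messages at `threshold` severity or worse (lower number = worse)."""
    kept = []
    for line in lines:
        parsed = parse_pri(line)
        if parsed is not None and parsed["severity"] <= threshold:
            kept.append(parsed)
    return kept


def severity_counts(lines: Iterable[str]) -> Dict[str, int]:
    """Histogram of severity names for alertable messages, e.g. for a dashboard."""
    return dict(Counter(str(p["severity_name"]) for p in alertable(lines)))


def serve_udp(host: str = "0.0.0.0", port: int = 514) -> None:
    """Minimal UDP receiver: bind the port configured in SpanVA and print alerts."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))
        while True:
            data, peer = sock.recvfrom(8192)
            for parsed in alertable([data.decode("utf-8", "replace")]):
                print(f"{peer[0]} {parsed['severity_name']}: {parsed['message']}")


if __name__ == "__main__":
    for p in alertable(SAMPLE_LINES):
        print(p["severity_name"], p["message"])
    print(severity_counts(SAMPLE_LINES))
```

The TCP variant differs only in framing (newline-delimited lines on a stream socket); the parsing and threshold logic are the same. Messages with a malformed or out-of-range PRI are never forwarded as alerts, so an injected line without a header cannot masquerade as a critical event.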

Managing the SpanVA instance 


The following sections describe how to set configuration settings for the SpanVA instance. 

Resetting the password 


You can reset the password for a SpanVA instance from within CloudSOC. When you do this, the 
new password has the length you configured for Audit data sources in CloudSOC settings.

1. In CloudSOC, navigate to the Settings page and open the CloudSOC SpanVA tab, then 
open the Status Monitor tab.

2. Find the SpanVA you want to reset the password for, and in the Actions column, click the 
Details link as shown below.

3. On the Details panel for the SpanVA, click Reset SpanVA Password, as shown below.

CloudSOC resets the SpanVA password, then shows you the new password as shown 
below.

4. Wait three minutes, then use the new password to log in to the SpanVA instance.

5. Change the password to something of your choosing.

Rebooting SpanVA


The SpanVA web UI features a Reboot button that you can use to restart the SpanVA instance. 
Using this feature is a safer way to restart SpanVA than doing a hard reset on the VM. To reboot 
SpanVA, in the SpanVA web interface, click the Settings tab and then click Reboot as shown 
below.

Configuring SpanVA with a self-signed certificate 


With some browsers, you see a warning that SpanVA's default self-signed certificate is untrusted, 
and you must accept the warning to proceed. With some other browsers, you cannot proceed at 
all. If you are using SpanVA to tokenize user IDs as described in the CloudSOC Tech Note 
Managing CloudSOC User Privacy Features, these security warnings prevent CloudSOC and 
SpanVA from synchronizing user IDs and tokens.

The procedures below describe how to configure SpanVA and your Chrome browser with a 
self-signed certificate and matching key so that the browser trusts SpanVA. You can use these 
procedures to establish trust for test installations and proof-of-concept testing.

Important: For production SpanVA deployments, we strongly recommend that you use a 
well-known CA signed certificate or a certificate signed by your trusted enterprise CA.

1. Create the certificate and key 

Open a terminal window and use the following OpenSSL command to create a self-signed 
certificate and key (all on one line): 

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout
example.key -out example.crt

After you issue this command, OpenSSL prompts you for more information, then creates the 
certificate and key pair example.crt and example.key.

Note: When OpenSSL prompts you for a common name, enter the SpanVA FQDN (if configured) 
or IP address.
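The interactive command above sets only the Common Name. Current Chrome versions ignore the CN and match the host against the certificate's subjectAltName, so a certificate can still be rejected after you have trusted it. As an added example that is not part of this tech note, the following Python wrapper builds the same openssl command non-interactively and adds a SAN that matches the host; it assumes OpenSSL 1.1.1 or later (for the -addext and -ext options), and the host names in it are placeholders.

```python
"""Non-interactive form of the tech note's OpenSSL command, with a SAN.

Added example, not part of the tech note or of SpanVA. Modern Chrome ignores
the Common Name and matches the host against subjectAltName only, so a
certificate created with the interactive command alone may still be rejected.
Assumes OpenSSL 1.1.1 or later (for -addext / -ext); host names are placeholders.
"""
import ipaddress
import subprocess
from typing import List


def san_entry(host: str) -> str:
    """An IP address must be an IP: SAN; a hostname must be a DNS: SAN."""
    try:
        ipaddress.ip_address(host)
        return f"IP:{host}"
    except ValueError:
        return f"DNS:{host}"


def build_openssl_cmd(host: str, key: str = "example.key", crt: str = "example.crt",
                      days: int = 365) -> List[str]:
    """argv for the note's 'openssl req -x509 ...' with CN and SAN both set to the host."""
    return [
        "openssl", "req", "-x509", "-sha256", "-nodes",
        "-days", str(days), "-newkey", "rsa:2048",
        "-keyout", key, "-out", crt,
        "-subj", f"/CN={host}",                          # answers the CN prompt
        "-addext", f"subjectAltName={san_entry(host)}",  # what browsers actually check
    ]


def create_cert(host: str, key: str = "example.key", crt: str = "example.crt",
                days: int = 365) -> None:
    """Run the command; raises CalledProcessError if openssl fails."""
    subprocess.run(build_openssl_cmd(host, key, crt, days), check=True)


def cert_names_host(crt: str, host: str) -> bool:
    """Confirm the generated certificate's SAN names the host (openssl x509 -ext)."""
    out = subprocess.run(
        ["openssl", "x509", "-in", crt, "-noout", "-ext", "subjectAltName"],
        capture_output=True, text=True, check=True,
    ).stdout
    # openssl prints IP SANs as "IP Address:x.x.x.x" and DNS SANs as "DNS:name"
    expected = san_entry(host).replace("IP:", "IP Address:")
    return expected in out


if __name__ == "__main__":
    # placeholder host; use the SpanVA FQDN or IP address exactly as the note says
    target = "spanva.example.internal"
    create_cert(target)
    print("SAN matches host:", cert_names_host("example.crt", target))
```

Use the FQDN if SpanVA has one and you browse to it by name; use the IP address only if that is how you reach it, since a DNS SAN never matches an IP URL and vice versa.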

2. Import the certificate as the trusted root CA 

On Mac: 

1. Locate and double-click the example certificate you created earlier. Your Mac opens the 
Add Certificates box to prompt whether you want to add the certificate. 

2. From the Keychain menu, choose System, then click Add.

3. If prompted, enter the admin username and password for your computer. 

4. Locate the new certificate in the list and double-click it. The certificate is listed by the IP 
address or FQDN you used as the Common Name when creating the certificate with 
OpenSSL.   

5. Click the arrow to expand the Trust area. Then, from the Secure Sockets Layer (SSL) 
menu, choose Always Trust as shown below.

6. Restart Chrome.

On Windows:

1. In Chrome, open Settings > Show Advanced Settings.

2. In the HTTPS/SSL area, click Manage Certificates. Chrome opens the window shown 
below.

3. On the Certificates window, click Import and browse to the example.crt certificate.

4. Click Install Certificate.

5. On the Certificate Import Wizard, choose the certificate store Trusted Root Certification 
Authorities, then click Next.

6. In the Certificates list, locate the new certificate and double-click it. Then make sure that in the 
Certificate Purposes area, the checkbox for Server Authentication is marked.

7. Restart your Chrome browser.

3. Import the certificate into SpanVA

1. In the SpanVA web interface, open the Certificates tab, then click Add Server as shown 
below.

2. The Add Server Certificate panel opens.


3. In the Select Server Certificate area, click Browse and locate the example.crt file you 
created with OpenSSL. 

4. In the Select Private Key File, click Browse and locate the example.key file you created 
with OpenSSL. 

5. In the Description area, enter a description for the certificate. 

6. Click Submit. 

The next time you open SpanVA in your browser, the browser trusts SpanVA as shown below, 
and does not show a security alert. 

Configuring automatic upgrade 


You can configure SpanVA to automatically install software updates from CloudSOC when they 
become available. All upgrades install at midnight UTC. On the SpanVA web interface, click the 
Upgrade tab then use the "Automatically install updates" slider to enable or disable auto upgrade 
as shown below. 

Recovering the SpanVA state


SpanVA shows you an alert banner to warn you of the consequences when you provision a new 
SpanVA to replace an earlier SpanVA for which a state backup exists. The warning text on the 
banner is similar to that shown below:

SpanVA State Recovery: It has been detected that this SpanVA has saved its restore point to a 
backup server. This SpanVA will NOT process any log files until you take an action. Click here 
to open State Recovery dialog.

If the banner appears, click the Click here link and choose one of the three options as shown 
below.

If you still have access to the state backup, we strongly recommend that you restore it to the new 
SpanVA instance. Doing so ensures continuity of the SpanVA state and user identity mappings. If 
you do not restore the backup, you may get missing, invalid, or duplicate users on the Audit > 
Users and Audit > Threats tabs.

If you choose not to restore the SpanVA state backup, SpanVA offers one more warning about the 
consequences:

Configuring SpanVA DNS settings 


SpanVA lets you configure up to three DNS server entries as shown below.  

To add DNS entries: 

1. In SpanVA click the Network tab, then click Edit.

2. Next to the DNS Servers box, click + to add additional DNS server entries.

3. Enter the IP address for each new DNS server. 

Configuring SpanVA NTP settings 


By default, SpanVA uses time settings it gets from the server on which it is installed. If you want, 
you can configure SpanVA to use time settings it obtains from a Network Time Protocol (NTP) 
server:   

1. From the SpanVA web UI, open the NTP Server tab as shown below.

2. In the NTP Server boxes, enter URLs for up to four NTP Servers.

3. Click Save.

Resizing the SpanVA disk allocation 


The SpanVA web interface now lets you change the disk space allocation for the SpanVA 
instance. The minimum allocation is 79 GB. The maximum allocation is the disk size allocated for 
the SpanVA instance in your virtualization software. 

To change the allocation click the Settings tab and use the Disk Resize slider to change the 
allocation as shown below.

Note: The allocation tool in the SpanVA web interface does not let you increase the allocation 
above that configured for the SpanVA instance in your virtualization software. If you want to 
increase the allocation above the maximum shown in the SpanVA web interface, you must make 
that change in your virtualization software.

Backing up and restoring SpanVA 


You can configure SpanVA to back up the tokenization state and anonymized user mapping to an 
SCP/SFTP server, and also restore it from the server. Backups occur each day at 12:01 am 
SpanVA local time.

We strongly recommend that you use this functionality if you are using the SpanVA tokenization 
feature, since the mapping between tokenized user IDs and real user IDs is kept only on the 
SpanVA. Otherwise, if the SpanVA becomes lost or corrupted, you lose the ability to view actual 
user IDs in the CloudSOC Audit app. CloudSOC sends you alert emails and also CloudSOC 
notifications if it detects that SpanVA tokenization is enabled but the SpanVA has not 
successfully performed a backup in the last day, as shown below. CloudSOC sends the emails 
and notifications to the administrator who configured SpanVA.

If you receive such a notification or alert, use the SpanVA Backup/Restore tab to confirm that 
your SpanVA is configured to back up its configuration and state information, and that the backup 
settings are valid.

To configure SpanVA backup, in the SpanVA web UI open the Backup/Restore tab and use the 
tools there to configure the server as shown below.

Note: For the Target Path, use backslashes for UNIX file systems and forward slashes for 
Windows file systems. For example, you would use “\path\subpath\” for UNIX and 
“/path/subpath/” for Windows.

You use the restore feature as follows to recover a lost or corrupted SpanVA:

1. If necessary, create a new SpanVA instance to restore to. The new SpanVA must have the 
same registration token as the SpanVA that created the backup.

2. Click a link in the list of backups in the Restore list to restore it.

Replacing a SpanVA instance 


Use the procedure described below to replace a SpanVA instance when the previous instance is 
lost or corrupted. In this procedure, you use CloudSOC to revoke the old SpanVA token and 
issue a new token. This new token lets the new SpanVA instance restore the datasource 
configuration and also import the state (if configured) for the previous SpanVA instance. 

Note: After you revoke the registration, the previous instance of SpanVA can no longer 
reconnect with CloudSOC. Use this option with caution and only when you are sure that you want 
to get rid of the existing SpanVA instance.

1. Download the latest SpanVA image from CloudSOC. 

2. In CloudSOC, go to the gear icon on the top right corner, then go to CloudSOC SpanVA > 
Status Monitor.

3. Click the entry for the SpanVA instance, then click Revoke SpanVA as shown below.

Note: The Revoke button is only available when the SpanVA has been in the 
disconnected state for at least 10 minutes.

CloudSOC prompts you to confirm that you want to revoke the SpanVA's registration 
token.

4. Click Revoke.

5. CloudSOC revokes the registration token, and shows you a new token as shown below.

6. Copy the token onto the clipboard and paste it into a file for later use.

7. Download the SpanVA image and install it as described in Installing SpanVA. Omit the 
procedure Obtain the SpanVA token, and instead use the registration token that 
CloudSOC provided when you revoked the old token.

If possible, restore the SpanVA state from a previous backup as described in Recovering the 
SpanVA state.

Configuring SpanVA communication with CloudSOC


The following sections describe how to configure SpanVA communication with CloudSOC.

Configuring SpanVA connection notifications 


You can now configure CloudSOC so that it sends you an email whenever any SpanVA instance 
changes connectivity state. Use this feature to get instant alerts when a SpanVA goes offline or 
comes back up. 

1. In CloudSOC, go to the gear icon on the top right corner, and click the CloudSOC 
SpanVA tab.

2. At the bottom of the tab, mark the checkbox for Enable SpanVA Connectivity 
notifications.

3. Enter one or more valid email addresses within your primary domain, as shown below.

4. Click Update.

Configuring Cipher mode setting


SpanVA lets you configure whether or not to enforce the use of strict ciphers on SSH 
connections with CloudSOC.

● In SpanVA, click the Settings tab, then use the Strict Ciphers slider to configure this 
feature as shown below.

Configuring SSL version


SpanVA now lets you choose the SSL version it uses when uploading logs to CloudSOC. We 
recommend you use TLSv1.2, but give you the option of earlier versions if it is not supported on 
your network.

● In SpanVA, click Settings, choose an SSL version from the menu as shown below, then 
click Save.

Configuring how SpanVA fetches logs 


The following sections describe how to configure SpanVA to fetch logs from network firewalls 
and proxies. 

Configuring SpanVA proxy settings 


You can configure the SpanVA proxy settings using the SpanVA web interface as shown 
below. SpanVA doesn’t use the HTTP protocol, but you must set the same value in both the 
HTTP and HTTPS proxy fields. 

On the Network tab, click Edit to set the proxy addresses.

Note: When you configure the proxy URL, you must include the port number, even if you use 
the default port.

If you are using SpanVA behind a proxy that uses a self-signed certificate, upload the proxy 
root CA certificate as follows:

1. Click the Certificates tab, then click Add Root CA.

2. On the Add Root CA Certificate panel, browse to the proxy root CA certificate, then click 
Submit, as shown below.

If you want to upload a web server certificate so your browser does not raise a security alert 
when you browse to SpanVA, upload a web server certificate that is trusted by your browser 
and its private key as follows:

1. Click the Certificates tab, then click Add Web Server.

2. On the Add Web Server Certificate panel, browse to the web server certificate and private 
key files.

3. If the key file is password-protected, enter the password, then click Submit, as shown 
below.

Configuring SpanVA to retrieve logs from an FTP client 


To configure SpanVA to retrieve logs from an FTP client: 

1. In CloudSOC, choose Audit > Device Logs.

2. On the Device Logs page, click New Datasource > SpanVA Datasource.

3. Use settings shown in the table below. Configure other settings to suit:

Field  Setting
Firewall Type  Choose the device type from the menu.
Custom Headers  Mark the checkbox only if the device is configured for non-default field order in its log files.
SpanVA  Choose the applicable SpanVA from the menu.
Source Type  Choose FTP Client.
File Extension  Mark this checkbox if you want to retrieve only files with certain filename extensions from the FTP client. Then build a list of the applicable extensions.
Post Process Action  Mark the radio button for the action SpanVA takes on each file after it retrieves it. For Rename and Move Files To, enter the applicable filename or path in the box.
Host  Enter the hostname or IP address for the FTP client.
Username  Enter the username that SpanVA logs into the FTP client as.
Password  Enter the password that SpanVA uses to log in to the Username account on the FTP client.
Source Directory  Enter the full path to the directory where SpanVA retrieves the log files.


4. At the top of the New SpanVA Datasource panel, click ​Create Connection​. 

5. CloudSOC opens the Datasource Details panel to let you review the connection details. 

6. Review the connection details, then click the right arrow at the top of the panel to close it. 

7. For FTP servers other than VSFTPD, such as FileZilla, configure the server to use the 
following format for log filenames: 

SG_main_%y%j%H%M%S.log.gz

Where:

● %y = year 0-99

● %j = day of the year 1-366

● %H = Hour (0-23)

● %M = Minute (0-59)

● %S = Second (0-59)

Configuring SpanVA to retrieve logs with NFS 


SpanVA can retrieve logs from a shared folder on a network using the NFS protocol. To use this 
feature, configure the SpanVA datasource and NFS server as follows: 

1. In CloudSOC, choose Audit > Device Logs.

2. On the Device Logs page, click New Datasource > SpanVA Datasource.

3. Use settings shown in the table below.

Field  Setting
Source Type  Choose Network File.
File Extension  Clear the checkbox to have SpanVA pull all of the files in the source directory. Mark this checkbox and build a list of filename extensions that identify files that SpanVA pulls from the client to deliver to CloudSOC. Important: After entering a filename extension in the text box, press Enter to add it to the list below the text box.
Post Process Action  Choose the action you want SpanVA to take on the file after retrieving it. SpanVA can take no action, delete the file, rename it, or move it to a different directory.
Type  Choose NFS.
Host  Enter the IP address of the NFS server.
Source Directory  Enter the shared directory on the NFS Server, for example /nfs/share/bluecoat.
 

Copyright © 2019 Symantec Corp. Confidential Information. Do Not Distribute. 56 


 

Tech Note — Installing and Configuring SpanVA 

4. On the NFS server, make sure that SpanVA IP has access to the shared folder specified in 
the “Source Directory,” and also to its subdirectories. 

The permissions for all directories and subdirectories must include read and execute for 
“others” and all files must be readable by “others.” 

5. Configure network file share details as described below for an ubuntu NFS server. You 
can adapt this procedure to your specific configuration: 

a. Select a VM or your host machine to share the files from. The following commands 
assume an Ubuntu machine.

b. Check whether nfs-kernel-server is installed:

dpkg -l | grep nfs-kernel-server

c. If the last command does not list the nfs-kernel-server package, install it using the 
following command:

apt-get install nfs-kernel-server

d. Create an export directory to be used by the server to mount to:


mkdir -p /export/logs 

For example, if you want to use your logs under directory: /home/firewalllogs/logs, 
you should first mount this to /export/logs directory using this command: 

mount --bind /home/firewalllogs/logs /export/logs

You can enter this line in /etc/fstab to avoid having to type this line at every 
restart: 

/home/firewalllogs/logs /export/logs none bind 0 0

NFS only supports host-based authentication. You can either make this share 
available to everyone on the network or only allow specific hosts to access it. For 
testing, we suggest you allow it for everyone on the network by adding the 
following lines in /etc/exports to allow everyone on the network to be able to 
access the mount. Change the IP address and mask according to your network 
configuration: 

/export 192.168.1.0/24(rw,fsid=0,insecure,no_subtree_check,async)
/export/logs 192.168.1.0/24(rw,nohide,insecure,no_subtree_check,async)

Note:​ Make sure all the sub-directories including /export and /export/logs have 
read and execute permissions for group and others. 

e. Now run: 

service nfs-kernel-server restart

If the above command succeeds, your NFS share is ready for mounting.

For more information, see the following Ubuntu how-to: 

https://help.ubuntu.com/community/SettingUpNFSHowTo 
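The two /etc/exports lines in the procedure above are written for testing: they grant read-write access, accept requests from unprivileged source ports (insecure), and open the share to the whole /24. As an added example that is not part of this tech note or the Ubuntu how-to, the following Python script parses such entries, reports each setting that is wider than SpanVA needs, and prints a version limited to the SpanVA address. The SpanVA address is a placeholder, and the rule that rw is only needed when the data source's post-process action deletes, renames or moves files is an assumption drawn from the data source table above.

```python
"""Audit /etc/exports entries and emit a version limited to the SpanVA host.

Added example, not from the tech note or the Ubuntu how-to. SAMPLE_EXPORTS are
the testing-only lines from the procedure above; the SpanVA address used in
__main__ is a placeholder. Assumption: 'rw' is only needed when the data
source's post-process action deletes, renames or moves files.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Sequence

# "path client(opt,opt,...)" as written in /etc/exports
EXPORT_RE = re.compile(r"^(\S+)\s+(\S*?)\(([^)]*)\)\s*$")

SAMPLE_EXPORTS = [
    "/export 192.168.1.0/24(rw,fsid=0,insecure,no_subtree_check,async)",
    "/export/logs 192.168.1.0/24(rw,nohide,insecure,no_subtree_check,async)",
]


def parse_export(line: str) -> Optional[Dict[str, object]]:
    """Parse one export line into its parts; None for blank, comment or odd lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = EXPORT_RE.match(line)
    if not m:
        return None
    path, client, opts = m.groups()
    return {"path": path, "client": client or "*",
            "options": [o.strip() for o in opts.split(",") if o.strip()]}


def audit_export(entry: Dict[str, object], needs_write: bool = False) -> List[str]:
    """Return findings for an export that is wider than a log collector needs."""
    findings: List[str] = []
    client = str(entry["client"])
    opts = entry["options"]
    if client == "*":
        findings.append("exported to every host")
    else:
        try:
            net = ipaddress.ip_network(client, strict=False)
            if net.num_addresses > 1:
                findings.append(f"exported to {net.num_addresses} addresses, not just the SpanVA host")
        except ValueError:
            pass  # hostname or netgroup: width cannot be judged here
    if "rw" in opts and not needs_write:
        findings.append("rw although SpanVA only reads (no delete/rename/move post-process)")
    if "insecure" in opts:
        findings.append("insecure: requests from unprivileged (>1023) source ports accepted")
    if "no_root_squash" in opts:
        findings.append("no_root_squash: client root acts as server root")
    if "async" in opts:
        findings.append("async: acknowledged writes can be lost on a server crash")
    return findings


def hardened_export(path: str, spanva_ip: str, needs_write: bool = False,
                    extra: Sequence[str] = ()) -> str:
    """One /etc/exports line limited to the SpanVA address with minimal options."""
    ipaddress.ip_address(spanva_ip)  # fail early on a typo
    opts = ["rw" if needs_write else "ro", "sync", "no_subtree_check", "root_squash", *extra]
    return f"{path} {spanva_ip}({','.join(opts)})"


def audit_file(text: str, needs_write: bool = False) -> Dict[str, List[str]]:
    """Findings per exported path for a whole /etc/exports file."""
    report: Dict[str, List[str]] = {}
    for line in text.splitlines():
        entry = parse_export(line)
        if entry:
            report[str(entry["path"])] = audit_export(entry, needs_write)
    return report


if __name__ == "__main__":
    for path, findings in audit_file("\n".join(SAMPLE_EXPORTS)).items():
        print(path, findings)
    # placeholder SpanVA address; fsid=0 / nohide kept so the NFSv4 pseudo-root still works
    print(hardened_export("/export", "192.168.1.50", extra=["fsid=0"]))
    print(hardened_export("/export/logs", "192.168.1.50", extra=["nohide"]))
```

Keep the page's permission requirement in mind even with the tightened entry: SpanVA still needs read and execute on every directory and read on every file, so narrowing the export does not replace the chmod step.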

Configuring FTP over SSL 


SpanVA supports FTP over SSL for transferring firewall logs. This feature adds security and 
makes SpanVA compatible with more firewalls. SpanVA uses the same certificate and key for FTP 
as for the web server. 

To configure FTP over SSL: 

1. Generate an SSL certificate and a key and have it signed by the CA used by your 
enterprise. 

2. Upload the key and certificate by clicking + Add Server on the SpanVA Certificates 
tab as shown below.

3. Configure trust for the CA in your firewall or proxy. You may have to import the CA 
certificate as the trusted root certificate.

While you configure the FTP connection from the firewall to SpanVA, make sure to select 
the secure mode as shown below. You can also do a test connection (if available) to 
check the connectivity between firewall and SpanVA.


Configuring SpanVA as an SQL Client 


SpanVA can act as an SQL client to fetch logs from an SQL server. See the following CloudSOC 
Tech Notes for more information: 

● Audit Support for Websense 

● Audit Support for Symantec Endpoint Protection Manager 

Configuring SMB file transfer 


The following sections describe how to configure SpanVA to use the SMB file sharing protocol. 

Configuring a Samba server 

Samba is an open-source software suite that provides file and print services to SMB/CIFS clients 
and allows for interoperability between Linux/Unix servers and Windows-based clients. You can 
use Samba as an alternative to Microsoft Windows-based SMB servers. 

If you are using a Windows SMB server, or have already configured a Samba server, skip ahead 
to the section Create the SMB data source in Audit. Otherwise, use the procedure in this section 
to configure a Samba server.

1. Install and configure the Samba server. For Linux, use: 

sudo apt-get install samba

Note: Install Samba 4.3.12 or later. Earlier versions might have trouble deleting files from 
the source directory as described in Troubleshooting.

2. Open /etc/samba/smb.conf and at the bottom add a share section such as:

[share]
comment = Log share
path = /home/admin/samba/logs_share
browsable = yes
valid users = elastica
read only = no
create mask = 0755

3. Add a Linux user with a username referenced in the share section of the smb.conf file 
("elastica" in the example above):

adduser elastica

4. Set the user's password if so prompted, or create the password explicitly with:

passwd elastica

5. Create an SMB password for the user "elastica": 

smbpasswd -a elastica

This is the password that you use to authenticate the user "elastica" when you mount the 
file system. It can be different from the Linux password.

6. Create the shared directory identified by the path statement in the smb.conf file, if it does 
not already exist: 

mkdir -p /home/admin/samba/logs_share

7. Restart the smbd and nmbd services: 

sudo service smbd restart

sudo service nmbd restart 

You can now copy log files to the share directory to share them over the network. 

Create the SMB data source in Audit 

1. If you are using a Samba server, make sure that it is installed and configured for file 
sharing as described in Configuring the Samba server.

2. In CloudSOC, navigate to Audit > Device logs. Then click New Data Source > SpanVA 
Datasource.

3. On the New SpanVA Datasource panel, select a SpanVA instance that is running 1.15.2.75 
or later.

4. Choose Network File as the source type, and choose SMB as the Type as shown below.

5. Enter the transport information shown in the table below:

Field  Description
Host  Hostname or IP address of the SMB Server.
User  The username of an SMB server user with privileges to read and download files from the shared location. This is not necessarily the Unix or Windows username. In the example in the section Configuring the Samba server, the username is elastica.
Password  The SMB server user password.
Share Name  The alias for the shared directory. In the example in the section Configuring the Samba server, the share name is share.
 

For example: 

Configuring filtering of inbound traffic from external sources 


SpanVA lets you filter traffic from your firewall logs according to IP patterns that you enter in the 
SpanVA web interface. This feature lets you discard any irrelevant or undesirable log traffic 
based on its source IP address. You would typically use this feature when you have servers hosted 
within your network and external sources are accessing them through your firewall.

To configure IP filtering:

1. In SpanVA, click the IP Filtering tab as shown below.

2. Mark the Enable IP Filtering checkbox, and enter an IP pattern in the box as shown 
below. All traffic with source IP addresses not matching the pattern is omitted when 
SpanVA sends the logs to CloudSOC.

3. Click Save.
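The tech note does not state the pattern syntax, so as an added example (not SpanVA code) the following Python filter assumes CIDR and dotted-wildcard patterns and applies the same rule as the feature: only lines whose source IP matches a pattern are kept, everything else is omitted. The log lines are constructed, with the client IP as the second field, and lines whose source IP cannot be parsed are dropped as well rather than forwarded unclassified.

```python
"""Source-IP filter of the kind the IP Filtering tab applies before upload.

Added example, not SpanVA code. The tech note does not define the pattern
syntax, so this assumes CIDR ("10.68.0.0/16"), dotted wildcards ("10.68.*.*")
or a single address; the log lines are constructed, with the client source IP
as the second whitespace-separated field.
"""
import ipaddress
import re
from typing import Callable, Iterable, List, Sequence, Tuple

# constructed proxy-style lines: timestamp src_ip destination method/status
SAMPLE_LOG = [
    "2019-03-04T10:15:00Z 10.68.134.119 box.example.com GET/200",
    "2019-03-04T10:15:02Z 203.0.113.7 intranet.example.internal GET/200",   # external source hitting a hosted server
    "2019-03-04T10:15:05Z 10.68.2.5 drive.example.com PUT/201",
    "2019-03-04T10:15:09Z 198.51.100.24 intranet.example.internal POST/403",
    "malformed line with no source ip",
]


def compile_pattern(pattern: str) -> Callable[[str], bool]:
    """Turn one pattern into a predicate over dotted-quad strings."""
    pattern = pattern.strip()
    if "/" in pattern:
        net = ipaddress.ip_network(pattern, strict=False)
        return lambda ip: ipaddress.ip_address(ip) in net
    if "*" in pattern:
        # each '*' stands for exactly one octet
        rx = re.compile("^" + re.escape(pattern).replace(r"\*", r"\d{1,3}") + "$")
        return lambda ip: rx.match(ip) is not None
    ipaddress.ip_address(pattern)  # reject typos early
    return lambda ip: ip == pattern


def filter_by_source(lines: Iterable[str], patterns: Sequence[str],
                     src_field: int = 1) -> Tuple[List[str], List[str]]:
    """Split lines into (kept, dropped); a line is kept only if its source IP matches."""
    preds = [compile_pattern(p) for p in patterns]
    kept: List[str] = []
    dropped: List[str] = []
    for line in lines:
        fields = line.split()
        try:
            ip = fields[src_field]
            ipaddress.ip_address(ip)
        except (IndexError, ValueError):
            dropped.append(line)  # unparsable: never forward what cannot be classified
            continue
        (kept if any(p(ip) for p in preds) else dropped).append(line)
    return kept, dropped


if __name__ == "__main__":
    kept, dropped = filter_by_source(SAMPLE_LOG, ["10.68.0.0/16"])
    print("kept:", *kept, sep="\n  ")
    print("dropped:", *dropped, sep="\n  ")
```

Before enabling the filter on SpanVA, run a sample of your own logs through a check like this with the pattern you intend to enter, and confirm that the dropped set contains only the external-source traffic you expect to lose.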


Configuring SpanVA to retrieve identity mappings from a file 


You can configure SpanVA to regularly retrieve information from an external mapping file that 
correlates device IP addresses with the identities of the device users. Use this feature if the 
device or proxy logs that SpanVA delivers to CloudSOC have the device IP addresses but not the 
user identities. SpanVA uses the information in the mapping file to add annotations to the device 
or proxy logs that it uploads to CloudSOC for use in the Audit app. When you view the user 
activities extracted from the log files in Audit, they are associated with the user IDs instead of the 
original IP addresses. 

For each user, you can also configure up to three custom user attributes that you can use to filter 
user activities in Audit. 

Note: The mapping file must be on a Unix server. SpanVA does not support Windows servers 
for this feature.

If you have enabled the CloudSOC anonymization feature, the Audit app displays 
machine-generated IDs in place of the actual user IDs. If necessary, you can reveal the actual 
user IDs with approval from a Data Protection Officer (DPO). See the CloudSOC Tech Note 
Managing CloudSOC User Privacy Features for more information.

You can create the mapping file manually, or you can configure your DHCP server or another 
network device to produce the file. For a sample mapping file, on the Identity Mappings tab of 
the SpanVA web interface, click Show Sample File Info. Detailed information about creating 
the mapping file is beyond the scope of this Tech Note.

Note: This feature is only directly supported for Blue Coat Proxy SG and Cisco ASA-series 
firewalls. However, it is also supported for the Flex universal log processor, which processes logs 
for virtually any firewall or proxy. See the CloudSOC Tech Note Using the Flex Universal Log 
Processor for details.

To configure the mapping file retrieval settings:

1. In SpanVA, click the Upgrade tab and make sure that the current version is 1.15.2.106.0 or 
later. If necessary, upgrade SpanVA to the latest version.

2. In SpanVA, click the Identity Mappings tab.

3. Use the tools in the upper half of the page to configure the file transfer via SCP, SFTP, or FTP. SpanVA uses these parameters to log in to your Unix server and fetch the mapping file from the specified file location.

4. If you want to use an SSH key to authenticate SpanVA when using SCP or SFTP, mark the Use SSH Key checkbox, then:

a. Do one of the following:

● If you have never before configured the SSH key for the mapping file, click Renew SSH Key. SpanVA generates a new RSA key and displays the corresponding public SSH key that it uses to connect to your server.

Note that if you have previously configured the SSH key on a server, that earlier key becomes invalid, and you must configure the renewed key on the server. Also, as a security measure, SpanVA displays the key only when you renew it. If you wish to use the same key again, record it in a secure location.

● If you have previously configured the SSH key and want to use the same key again, locate that key so that you can configure it on the server.

b. Create an entry for the SSH key in the authorized_keys file for the specified username on your server.

5. Use the tools in the File Format area to configure SpanVA so that it correctly parses the mapping file that it retrieves from the server that allocates your network IP addresses.

● If the mapping file starts with a header row that identifies the contents of each comma-separated column, mark the Mapping file has header checkbox. Then enter the headers that correspond to the columns as shown below. Identify at least the user ID and IP address columns. You can also identify up to three custom attribute columns. For each custom attribute, also enter the field display text as shown.

● If the mapping file does not start with a header row, clear the checkbox. Then enter the numbers of the comma-separated columns (starting from 0 at the leftmost) that contain the attributes for at least the user ID and the IP address. You can also identify the columns for up to three custom attributes as shown.

6. In the Fetch Interval area, click the button that matches the interval at which you want SpanVA to fetch the mapping file. Your choices are 30 minutes, one hour, two hours, or six hours.

We recommend that you set the fetch interval to match the interval at which the server updates the file.

7. In the Expire After area, type the number of days for which the mappings remain valid. This value applies to user ID mappings that are not updated by subsequent fetches. For example, if a mapping file matches 192.168.0.1 with user_1, that mapping remains valid until a new mapping for 192.168.0.1 appears in a subsequent mapping file, or until the Expire After time elapses.

8. Click Save to save the identity mapping settings.
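The following Python is an added example, not code from this Tech Note or from SpanVA; it models the behaviour of steps 5 through 7: a mapping file parsed either by header names or by 0-based column numbers, each fetch replacing earlier mappings for the same IP, mappings that are not refreshed expiring after the Expire After window, and log entries annotated with the user ID and custom attributes. The column names, the one-line log format and the sample data are constructed for the example.

```python
import csv
import io
from datetime import datetime, timedelta

class IdentityMap:
    """Constructed model of the mapping-file behaviour described above (not SpanVA code)."""

    def __init__(self, user_col, ip_col, custom_cols=None, has_header=True, expire_days=7):
        # Columns are header names when has_header is True, else 0-based indices.
        self.user_col, self.ip_col = user_col, ip_col
        self.custom_cols = custom_cols or {}        # {field display text: column}
        self.has_header = has_header
        self.expire = timedelta(days=expire_days)   # the Expire After setting
        self.entries = {}   # ip -> (user_id, custom attrs, time of the fetch that set it)

    def fetch(self, text, fetched_at):
        """Ingest one fetched mapping file; a later row for an IP replaces the older one."""
        rows = csv.reader(io.StringIO(text.strip()))
        if self.has_header:
            header = [h.strip() for h in next(rows)]
            col = header.index   # resolve a header name to its position
        else:
            col = int            # column numbers are already positions
        for row in rows:
            if not row:
                continue
            row = [c.strip() for c in row]
            attrs = {label: row[col(c)] for label, c in self.custom_cols.items()}
            self.entries[row[col(self.ip_col)]] = (row[col(self.user_col)], attrs, fetched_at)

    def lookup(self, ip, at):
        """Return (user_id, attrs) while the mapping is still valid, else None."""
        hit = self.entries.get(ip)
        if hit is None or at - hit[2] >= self.expire:   # not refreshed within Expire After
            return None
        return hit[0], hit[1]

def annotate(imap, log_lines, at):
    """Rewrite constructed '<ip> <rest>' log lines so known IPs carry user ID and attributes."""
    out = []
    for line in log_lines:
        ip, rest = line.split(" ", 1)
        hit = imap.lookup(ip, at)
        if hit:
            extra = "".join(f" {k}={v}" for k, v in hit[1].items())
            line = f"{hit[0]} {rest}{extra}"
        out.append(line)
    return out

def day(n):
    return datetime(2019, 7, 1) + timedelta(days=n)   # constructed clock: n days after a start date

# Constructed sample mapping file with a header row (column names are assumed).
SAMPLE_WITH_HEADER = "ip,user,dept\n192.168.0.1,user_1,finance\n192.168.0.2,user_2,eng\n"
```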

   

Configuring Secondary User ID Attribute 


 

You can add a secondary user attribute to SpanVA.

1. Go to the settings section by clicking the gear icon in the top right corner of the interface:

2. Click CloudSOC SpanVA:

3. Click the SpanVA Setup tab, and scroll down. In SpanVA Secondary User Attribute, you can select mail, msDS-PrincipalName, or the configured custom attributes. Select it, and click Save Secondary User Attribute:

Configuring SpanVA to resolve IP addresses to user IDs with Active Directory 


You can configure SpanVA to resolve user IDs and IP addresses using Active Directory via WMI. Use this feature if the device or proxy logs that SpanVA delivers to CloudSOC have the device IP addresses but not the user identities. SpanVA uses information from Active Directory to add annotations to the device or proxy logs that it uploads to CloudSOC for use in the Audit app. When you view the user activities extracted from the log files in Audit, they are associated with the user IDs instead of the original IP addresses.

In order to use this feature, you must first configure DSS directory sync as described in the CloudSOC Tech Note Configuring DSS Directory Sync.

1. In SpanVA, click the Identity Mappings tab, then click the Active Directory (WMI) tab.

2. Enable the slider at the top of the tab.

3. Configure the fetch interval and mapping expiration as shown below.

4. Click Save.

Using SpanVA detokenization 


When you have SpanVA tokenization enabled, the .CSV files you download via email from the Audit app have the user IDs tokenized, so you cannot correlate between activities in the file and actual user IDs. SpanVA has a tool that you can use to detokenize the emailed .CSV files and match users with activities from your device logs.

In order to use this feature:

● SpanVA tokenization must be enabled

● CloudSOC anonymization must be disabled

● The currently selected Audit datasources must be limited to those uploaded to CloudSOC through SpanVA

1. In CloudSOC, choose Audit > Users or Audit > Services.

2. Near the upper left corner of the page, click Select Sources and enable only sources that use SpanVA, then click Save.

3. On the Users tab, click Export CSV, then click Email CSV as shown below.


CloudSOC processes the data in the tab and emails you a download link for the CSV file as shown below.

4. Click the link to log in to CloudSOC (if you are not already logged in) and download the CSV file in your browser.

5. After you receive the CSV from CloudSOC, open the SpanVA web interface and log in. Then click the Detokenization tab.

6. On the tab, either drag the CSV file to the Drag & Drop box as shown below or click the box and navigate to the file.

7. Click Convert the Selected File.

SpanVA detokenizes the file and then displays a download button for the file. Click Download to download the detokenized file in your browser. The Detokenization page shows the five most recent detokenized files.


Related documents
See the following CloudSOC Tech Notes for more information about using SpanVA:

● Managing CloudSOC Privacy Features -- Describes how to manage the various CloudSOC anonymization and tokenization features that help you protect the privacy and personal information of your network users.

● Configuring DSS Directory Sync -- Describes how you can synchronize your users from Microsoft Active Directory into CloudSOC using DSS (Directory Synchronization Services). The directory sync feature uses SpanVA because its location inside your enterprise perimeter makes it the logical platform to synchronize data between your Active Directory server and CloudSOC.

● Audit Support for Websense -- Describes how to use SpanVA as an SQL client to retrieve Websense logs from an SQL server.

● Audit Support for Symantec Endpoint Protection Manager -- Describes how to use SpanVA as an SQL client to retrieve SEPM logs from an SQL server.

● Using the Flex Universal Log Processor -- Describes how to use the Flex log processor to parse logs for devices that are not explicitly supported by CloudSOC Audit.

Troubleshooting
Diagnostics tools
The SpanVA web interface features a suite of diagnostic tools you can use to troubleshoot issues with your SpanVA instance. Click the Diagnostics tab and choose from the available tools:

● Click the Diagnostic Report tab, then click Generate Diagnostic Report to generate a report showing the results for a broad spectrum of tests, as shown below.


● Click Network Connectivity Tools, then choose a test type and enter the required information to test connectivity between SpanVA and various services and hosts.

● Click SQL Connectivity Test, then enter information for an SQL server to test a query as shown below.

Common issues
● Issue: When using a Samba server as described in Configuring SMB file transfer, you see errors such as the following in the status monitor:

2017-04-04 04:30:07,689 : Datasource: SMB_DELPPA; error while performing post process action for file Bluecoat-NR-Regex.log.gz. Error: [Errno 13] Permission denied: '/mnt/58e26acf3c0eca13fec3c8e0//Bluecoat-NR-Regex.log.gz'

Solution: Update to Samba version 4.3.11 or later. Earlier versions had issues deleting files from the source directory.

● Issue: When creating a SpanVA datasource for FTP Client or Network file, you enter all necessary information but the Create Connection button remains disabled, and does not let you create the datasource.

Solution: If you have marked the File Extension checkbox, make sure that you have built a valid list of file extensions by pressing Enter after typing each extension as shown below.


Revision history
Date  Version  Description
19 Feb 2015  1.0-1.11  Initial release and minor revisions
20 June 2016  2.0  Add SQL support, NFS support, reboot button, password reset, and other features
16 November 2016  3.0  Major update; add identity mapping, proxy configuration, related documents
22 December 2016  4.0  Add section on SpanVA status
16 February 2017  5.0  Add NTP configuration
22 February 2017  6.0  Add procedure for self-signed certificate
23 May 2017  7.0  Add SpanVA connection notifications, syslog status, FQDN, and NFS post-process options
16 June 2017  8.0  Add instruction to reboot SpanVA after registration when installed in AWS VM, add section on filtering of inbound traffic from external sources, update directory sync section
5 September to 29 November 2017  9.0-9.4  Add section on verifying tokenization, add cipher mode settings, address "cannot save" error message, other minor changes
2 February 2018  10.0  Reorganize, add note about backup target path and slash characters, update Host access table
7 March 2018  10.1  Update list of virtualization platforms
20 April 2018  11.0  Add DNS configuration, automatic logout, diagnostic tools, detokenization tools, obfuscation of HTTP proxy credentials, FTP client
20 June 2018  12.0  Add section on authentication
29 October 2018  12.1  Address that mapping file must be in a Unix server
31 October 2018  12.2  Remove reference to Windows FTP IIS as supported FTP server.
14 November 2018  12.3  Clarify SSH key for identity mapping file
11 December 2018  13.0  Address resolving IP addresses to user IDs with Active Directory
14 February 2019  14.0  Update UI terminology, address custom user attribute mapping and ICMP listener
13 March 2019  14.1  Address password length
29 March 2019  14.2  Minor changes
11 April 2019  14.3  Add directories used for syslog error messages
12 April 2019  14.4  Remove Informational from Syslog messages
19 June 2019  14.4  Added Configuring Secondary User ID Attribute section
12 July 2019  14.5  Added "Configuring SpanVA with HyperV" section

Get better security with less complexity

Deploy an enterprise security system that integrates with your existing web, endpoint, data center, user, and information security solutions, and avoid the complexity and challenges of managing a standalone cloud solution. A Symantec security system with CloudSOC makes deployment easier, allows you to share policies and intelligence across solutions, and enables a user-centric and information-centric approach to security.

For more info on Symantec CloudSOC CASB and its industry leading integrations with Symantec Enterprise Security Systems, visit go.symantec.com/casb

About CloudSOC

Data Science Powered™ Symantec CloudSOC platform empowers companies to confidently leverage cloud applications and services while staying safe, secure and compliant. A range of capabilities on the CloudSOC platform deliver the full life cycle of cloud application security, including auditing of shadow IT, real-time detection of intrusions and threats, protection against data loss and compliance violations, and investigation of historical account activity for post-incident analysis.

About Symantec

Symantec Corporation (NASDAQ: SYMC), the world's leading cyber security company, helps businesses, governments and people secure their most important data wherever it lives. Organizations across the world look to Symantec for strategic, integrated solutions to defend against sophisticated attacks across endpoints, cloud and infrastructure. Likewise, a global community of more than 50 million people and families rely on Symantec's Norton suite of products for protection at home and across all of their devices. Symantec operates one of the world's largest civilian cyber intelligence networks, allowing it to see and protect against the most advanced threats.

For additional information, please visit www.symantec.com or connect with us on Facebook, Twitter, and LinkedIn.

symantec.com
+1 650-527-8000

Copyright © 2019 Symantec Corp. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo, are trademarks or registered trademarks of Symantec Corp. or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law, and are subject to change without notice.
