Extreme Networks Security
DSM Configuration Guide
Addendum
9034855
Published July 2015
Copyright © 2005–2015 All rights reserved.
Legal Notice
Extreme Networks, Inc. reserves the right to make changes in specifications and other
information contained in this document and its website without prior notice. The reader should in
all cases consult representatives of Extreme Networks to determine whether any such changes
have been made.
The hardware, firmware, software or any specifications described or referred to in this document
are subject to change without notice.
Trademarks
Extreme Networks and the Extreme Networks logo are trademarks or registered trademarks of
Extreme Networks, Inc. in the United States and/or other countries.
All other names (including any product names) mentioned in this document are the property of
their respective owners and may be trademarks or registered trademarks of their respective
companies/owners.
For additional information on Extreme Networks trademarks, please see:
www.extremenetworks.com/company/legal/trademarks/
Support
For product support, including documentation, visit: www.extremenetworks.com/documentation/
For information, contact:
Extreme Networks, Inc.
145 Rio Robles
San Jose, California 95134
USA
Table of Contents
About this DSM Configuration Guide Addendum ... 8
  Conventions ... 8
  Providing Feedback to Us ... 9
  Getting Help ... 10
  Related Publications ... 10
Chapter 1: Event collection from third-party devices ... 12
  Adding a single DSM ... 13
  Installing a DSM bundle ... 14
  Adding a log source ... 14
  Adding bulk log sources ... 15
  Adding a log source parsing order ... 16
Chapter 2: 3Com Switch 8800 ... 17
  Configuring your 3COM Switch 8800 ... 18
Chapter 3: AccessData InSight ... 19
  Configuring your AccessData InSight device to communicate with Extreme Security ... 20
  Adding an AccessData InSight log source on your Extreme Security Console ... 20
Chapter 4: AhnLab Policy Center ... 22
Chapter 5: Amazon AWS CloudTrail ... 24
Chapter 6: Ambiron TrustWave ipAngel ... 26
Chapter 7: Arbor Networks Pravail ... 28
  Configuring your Arbor Networks Pravail system to send events to Extreme Security ... 29
Chapter 8: APC UPS ... 30
  Configuring your APC UPS to forward syslog events ... 31
Chapter 9: Barracuda Web Application Firewall ... 32
  Configuring Barracuda Web Application Firewall to send syslog events to Extreme Security ... 33
Chapter 10: Bit9 Security Platform ... 34
  Configuring Bit9 Security Platform to communicate with Extreme Security ... 35
Chapter 11: Blue Coat SG ... 36
  Creating a custom event format ... 38
  Creating a log facility ... 38
  Enabling access logging ... 39
  Configuring Blue Coat SG for log file protocol uploads ... 39
  Configuring Blue Coat SG for syslog uploads ... 40
  Creating extra custom format key-value pairs ... 40
Chapter 12: Cisco IronPort ... 42
  Configuring the Cisco IronPort to send syslog events ... 43
Chapter 13: Correlog Agent for IBM z/OS ... 45
  Configuring your CorreLog Agent system for communication with Extreme Security ... 46
Chapter 14: CloudPassage Halo ... 47
Extreme Networks Security DSM Configuration Guide Addendum 3
  Configuring CloudPassage Halo for communication with Extreme Security ... 47
  Configuring a CloudPassage Halo log source in Extreme Security ... 49
Chapter 15: DG Technology MEAS ... 51
  Configuring your DG Technology MEAS system for communication with Extreme Security ... 52
Chapter 16: FireEye ... 53
  Configuring your FireEye system for communication with QRadar® ... 54
  Configuring a FireEye log source in Extreme Security ... 54
Chapter 17: FreeRADIUS ... 55
  Configuring your FreeRADIUS device to communicate with Extreme Security ... 56
Chapter 18: genua genugate ... 58
  Configuring genua genugate to send events to Extreme Security ... 59
Chapter 19: HyTrust CloudControl ... 60
  Configuring HyTrust CloudControl to communicate with Extreme Security ... 61
Chapter 20: IBM AIX DSMs ... 62
  IBM AIX Server DSM overview ... 62
  IBM AIX Audit DSM overview ... 63
Chapter 21: IBM AS/400 iSeries event collection ... 69
Chapter 22: IBM AS/400 iSeries DSM ... 70
  Configuring an IBM iSeries device to communicate with Extreme Security ... 71
Chapter 23: IBM Federated Directory Server ... 73
  Configuring IBM Federated Directory Server to monitor security events ... 74
Chapter 24: IBM® Fiberlink® MaaS360® ... 75
  Manually installing an RPM ... 75
  Configuring your Fiberlink® MaaS360® instance for communication with Extreme Security ... 76
  Configuring an IBM® Fiberlink® MaaS360® log source in Extreme Security ... 76
Chapter 25: IBM Security Privileged Identity Manager ... 78
  Configuring IBM Security Privileged Identity Manager ... 79
Chapter 26: IBM RACF ... 81
  Integrating RACF with Extreme Security Using Security zSecure ... 81
  Integrate RACF with Extreme Security using audit scripts ... 86
Chapter 27: IBM® Privileged Session Recorder ... 90
  Configuring IBM Privileged Session Recorder to communicate with Extreme Security ... 91
Chapter 28: IBM® Security Network IPS ... 92
  Configuring your Security Network IPS appliance for communication with Extreme Security ... 93
  Configuring an IBM® Security Network IPS log source in Extreme Security ... 93
Chapter 29: IBM SmartCloud Orchestrator ... 95
  Installing IBM SmartCloud Orchestrator ... 96
  Configuring an IBM SmartCloud Orchestrator log source in QRadar ... 96
Chapter 30: IBM Tivoli Endpoint Manager ... 97
Chapter 31: IBM Security Trusteer Apex Advanced Malware Protection ... 99
  Configuring IBM Security Trusteer Apex Advanced Malware Protection to send syslog events to Extreme Security ... 102
  Configuring a Flat File Feed service ... 102
Chapter 32: IBM WebSphere DataPower ... 104
  Configuring IBM WebSphere DataPower to communicate with Extreme Security ... 105
Chapter 33: Kaspersky Security Center ... 106
  Creating a database view for Kaspersky Security Center for JDBC event collection ... 108
  Exporting syslog to Extreme Security from Kaspersky Security Center ... 109
Chapter 34: Kisco Information Systems SafeNet/i ... 110
  Configuring Kisco Information Systems SafeNet/i to communicate with Extreme Security ... 111
Chapter 35: Lastline Enterprise ... 113
  Configuring Lastline Enterprise to communicate with Extreme Security ... 114
Chapter 36: McAfee ePolicy Orchestrator ... 115
  Configuring a McAfee ePO log source by using the JDBC protocol ... 115
  Configuring ePO to forward SNMP events ... 118
Chapter 37: LOGbinder EX event collection from Microsoft Exchange Server ... 122
  Configuring your LOGbinder EX system to send Microsoft Exchange event logs to Extreme Security ... 123
Chapter 38: LOGbinder SP event collection from Microsoft SharePoint ... 124
  Configuring your LOGbinder SP system to send Microsoft SharePoint event logs to Extreme Security ... 125
Chapter 39: LOGbinder SQL event collection from Microsoft SQL Server ... 126
  Configuring your LOGbinder SQL system to send Microsoft SQL Server event logs to Extreme Security ... 127
Chapter 40: Microsoft Exchange Server ... 128
  Configuring Microsoft Exchange Server to communicate with Extreme Security ... 129
  Configuring a log source for Microsoft Exchange ... 130
Chapter 41: Microsoft™ SQL Server ... 133
  Microsoft™ SQL Server preparation for communication with Extreme Security ... 134
  Configuring a Microsoft™ SQL Server log source ... 135
Chapter 42: Microsoft™ Windows™ Security Event Log ... 138
  Enabling MSRPC on Windows hosts ... 138
  Enabling a Snare Agent on Windows hosts ... 141
  Enabling WMI on Windows hosts ... 142
Chapter 43: Netskope Active ... 146
  Configuring Extreme Security to collect events from your Netskope Active system ... 147
Chapter 44: OpenStack ... 148
  Configuring OpenStack to communicate with Extreme Security ... 149
Chapter 45: Oracle Enterprise Manager ... 151
Chapter 46: Palo Alto Networks ... 153
  Creating a syslog destination on your Palo Alto device ... 154
  Creating a forwarding policy on your Palo Alto device ... 156
Chapter 47: RSA Authentication Manager ... 157
  Configuring syslog for RSA ... 157
  Configuring the log file protocol for RSA ... 158
Chapter 48: Riverbed SteelCentral NetProfiler (Cascade Profiler) Alert ... 161
  Configuring your Riverbed SteelCentral NetProfiler system to enable communication with Extreme Security ... 162
Chapter 49: Salesforce Security Auditing ... 163
  Downloading the Salesforce audit trail file ... 163
  Configuring a Salesforce Security Auditing log source in Extreme Security ... 164
Chapter 50: Salesforce Security Monitoring ... 165
  Configuring the Salesforce Security Monitoring server to communicate with Extreme Security ... 166
  Configuring a Salesforce Security Monitoring log source in Extreme Security ... 166
Chapter 51: Configuring Sun Solaris Sendmail to communicate with Extreme Security ... 168
  Configuring a Sun Solaris Sendmail log source ... 168
Chapter 52: SSH CryptoAuditor ... 172
  Configuring an SSH CryptoAuditor appliance to communicate with Extreme Security ... 173
Chapter 53: STEALTHbits StealthINTERCEPT ... 174
  Configuring your STEALTHbits StealthINTERCEPT system for communication with Extreme Security ... 175
  Adding a STEALTHbits StealthINTERCEPT log source in Extreme Security ... 175
Chapter 54: STEALTHbits StealthINTERCEPT Alerts ... 177
  Collecting alerts logs from STEALTHbits StealthINTERCEPT ... 178
Chapter 55: STEALTHbits StealthINTERCEPT Analytics ... 179
  Collecting analytics logs from STEALTHbits StealthINTERCEPT ... 180
Chapter 56: Symantec Critical System Protection ... 181
Chapter 57: Sourcefire Defense Center (DC) ... 183
  Creating Sourcefire 4.x certificates ... 184
  Creating Sourcefire 5.x certificates ... 184
  Importing a Sourcefire certificate to Extreme Security ... 185
  Configuring a log source for Sourcefire Defense Center events ... 186
Chapter 58: Sourcefire Intrusion Sensor ... 188
  Configuring Sourcefire Intrusion Sensor ... 188
  Configuring a log source for Sourcefire Defense Center events ... 188
Chapter 59: Trend Micro Deep Discovery Analyzer ... 190
  Configuring your Trend Micro Deep Discovery Analyzer instance for communication with Extreme Security ... 191
Chapter 60: WatchGuard Fireware OS ... 192
  Configuring your WatchGuard Fireware OS appliance in Policy Manager for communication with Extreme Security ... 193
  Configuring your WatchGuard Fireware OS appliance in Fireware XTM for communication with Extreme Security ... 193
  Configuring a WatchGuard Fireware OS log source in Extreme Security ... 194
Chapter 61: Universal CEF ... 195
  Configuring event mapping for Universal CEF events ... 196
Chapter 62: Extreme Security supported DSMs ... 197
About this DSM Configuration Guide Addendum
The Extreme Networks Security DSM Configuration Guide Addendum provides instructions about how
to collect data from your third-party devices, also known as log sources. The addendum includes
information only for Device Support Module (DSM) integrations that were introduced or upgraded after
Extreme Networks Security Analytics V7.2.2 was released and are supported by Extreme Security 7.1
and later. For information about previous DSMs, see the Extreme Networks Security DSM Configuration
Guide.
Intended audience
System administrators who are responsible for installing DSMs must be familiar with network security
concepts and device configurations.
Statement of good security practices
IT system security involves protecting systems and information through prevention, detection and
response to improper access from within and outside your enterprise. Improper access can result in
information being altered, destroyed, misappropriated or misused or can result in damage to or misuse
of your systems, including for use in attacks on others. No IT system or product should be considered
completely secure and no single product, service or security measure can be completely effective in
preventing improper use or access. Extreme Networks® systems, products and services are designed to
be part of a lawful comprehensive security approach, which will necessarily involve additional
operational procedures, and may require other systems, products or services to be most effective.
EXTREME NETWORKS DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE
IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL
CONDUCT OF ANY PARTY.
Note
Use of this Program may implicate various laws or regulations, including those related to
privacy, data protection, employment, and electronic communications and storage. Extreme
Networks Security Analytics may be used only for lawful purposes and in a lawful manner.
Customer agrees to use this Program pursuant to, and assumes all responsibility for
complying with, applicable laws, regulations and policies. Licensee represents that it will
obtain or has obtained any consents, permissions, or licenses required to enable its lawful use
of Extreme Networks Security Analytics.
Conventions
This section discusses the conventions used in this guide.
Text Conventions
The following tables list text conventions that are used throughout this guide.
Table 1: Notice Icons
Notice Type   Alerts you to...
Note          Important features or instructions.
Caution       Risk of personal injury, system damage, or loss of data.
Warning       Risk of severe personal injury.
New           This command or section is new for this release.
Table 2: Text Conventions
Convention                  Description
Screen displays             This typeface indicates command syntax, or represents information as it
                            appears on the screen.
The words enter and type    When you see the word "enter" in this guide, you must type something, and
                            then press the Return or Enter key. Do not press the Return or Enter key
                            when an instruction simply says "type."
[Key] names                 Key names are written with brackets, such as [Return] or [Esc]. If you must
                            press two or more keys simultaneously, the key names are linked with a
                            plus sign (+). Example: Press [Ctrl]+[Alt]+[Del]
Words in italicized type    Italics emphasize a point or denote new terms at the place where they are
                            defined in the text. Italics are also used when referring to publication
                            titles.
Terminology
When features, functionality, or operation is specific to a switch family, the family name is used.
Explanations about features and operations that are the same across all product families simply refer to
the product as the "switch."
Providing Feedback to Us
We are always striving to improve our documentation and help you work better, so we want to hear
from you! We welcome all feedback but especially want to know about:
• Content errors or confusing or conflicting information.
• Ideas for improvements to our documentation so you can find the information you need faster.
• Broken links or usability issues.
If you would like to provide feedback to the Extreme Networks Information Development team about
this document, please contact us using our short online feedback form. You can also email us directly at
InternalInfoDev@extremenetworks.com.
Getting Help
If you require assistance, contact Extreme Networks Global Technical Assistance Center using one of
the following methods:
Web: www.extremenetworks.com/support
Phone: 1-800-872-8440 (toll-free in U.S. and Canada) or 1-603-952-5000
For the Extreme Networks support phone number in your country: www.extremenetworks.com/support/contact
Email: support@extremenetworks.com
To expedite your message, enter the product name or model number in the subject line.
Before contacting Extreme Networks for technical support, have the following information ready:
• Your Extreme Networks service contract number
• A description of the failure
• A description of any action(s) already taken to resolve the problem (for example, changing mode switches or rebooting the unit)
• The serial and revision numbers of all involved Extreme Networks products in the network
• A description of your network environment (such as layout, cable type, other relevant environmental information)
• Network load and frame size at the time of trouble (if known)
• The device history (for example, if you have returned the device before, or if this is a recurring problem)
• Any previous Return Material Authorization (RMA) numbers
Related Publications
The Extreme Security product documentation listed below can be downloaded from http://documentation.extremenetworks.com.
Extreme Security Analytics Threat Protection
• Extreme Networks Security API Reference Guide
• Extreme Networks Security Application Configuration Guide
• Extreme Networks Security Ariel Query Language Guide
• Extreme Networks Security DSM Configuration Guide
• Extreme Security DSM Configuration Guide Addendum
• Extreme Networks Security Hardware Guide
• Extreme Networks Security Installation Guide
• Extreme Networks Security Juniper NSM Plug-in User Guide
• Extreme Networks Security Log Manager Administration Guide
• Extreme Networks Security Log Sources User Guide
• Extreme Networks Security Managing Log Sources Guide
• Extreme Networks Security Offboard Storage Guide
• Extreme Security Release Notes