Database Security Syslog Integration Specification

CONFIDENTIAL
McAfee Database Security
Syslog Integration
Specifications
McAfee, Inc.
Database Security - Syslog Integration Specifications
McAfee Database Security Integration via Syslog
Configuring integration via syslog
This document assumes that the 3rd party syslog component has already been configured to receive syslog events.
This section describes how to perform the following procedures:
- Enable the syslog interface
- Configure a proprietary alert format
- Create a rule with the syslog action
Enable the syslog interface on the McAfee Database Security Server
To enable the syslog interface in Database Security:
1. Log in to the Database Security console.
2. Select System > Interfaces > Syslog.
3. Select the Use syslog checkbox.
4. Configure the correct syslog host/port (where the connector is installed).
5. Select the transport protocol.
6. Set the syslog format to the format expected by the 3rd party syslog component.
7. Click Save.
Configure a proprietary alert format
Database Security is provided with the CEF format configured by default, as shown in the
Syslog Configuration page (see above).
The proprietary alert format can be configured in the properties file.
To configure a proprietary alert format:
1. On the server machine, go to <install dir>/conf.
2. Open the server-custom.properties file and modify it as described in Appendix A.
3. Save the file.
4. Restart the server.
Now, if the CUSTOM format is selected in the Syslog Configuration page, the configuration from
this file will be displayed.
Create a rule with the syslog action
To create a rule with the syslog action:
1. Log in to the McAfee Database Security console.
2. Select Rules > Custom Rules.
3. Click Create New Rule.
4. Configure the rule properties as required.
5. In the list of actions to be taken when the rule is matched, select the Syslog checkbox. (It is
recommended that the McAfee Database Security Console and Syslog actions not be selected at the
same time.)
6. Click Save.
Appendix A
The syslog custom configuration can be edited in the <Database Security install
dir>/conf/server-custom.properties file.
The following properties need to be copied into this file from the <install dir>/webapps/ROOT/WEB-INF/config/application/server.properties file (you can view that file to see how the CEF and Sentinel formats are configured).
Do not modify the server.properties file. All modifications should be made in the server-custom.properties file.
Pay special attention that any changes still fit the CEF protocol:
- The header should have pipe (|) delimited fields
- The body should have space delimited 'key=value' format
log.format.body.custom=externalId=$id$ rt=$executionTime.time$ cs1=$database.name:20$ cs1Label=DBMS dst=$agent.ip$ src=$sourceIP$ duser=$execUser:20$ suser=$osUser:20$ shost=$sourceHost:30$ dproc=$execProgram:20$ act=$cmdType:15$ cs2=$operation:225$ cs2Label=SqlStatement cs3=$accessedObjects.name:200$ cs3Label=AccessedObjects
log.format.header.custom=CEF:0|Sentrigo|Hedgehog|$serverVersion$|alert|$rules.name:150$|$importance$|
log.format.header.escaping.custom=\\|
log.format.header.seperator.custom=,
log.format.body.escaping.custom=\=
log.format.header.escape.char.custom=\\
log.format.body.escape.char.custom=\\
log.format.body.seperator.custom=|
log.format.empty.value.custom=
log.format.length.value.custom=255
log.format.convert.newline.custom=true
You can then modify log.format.body.custom to fit your format. The format is very
flexible. Each keyword identified by $<key word>$ is replaced with its value from the alert.
Additionally, it is possible to specify a max length for the field as is done for example with:
$agent.hostname:20$
If the length is not specified, the value of log.format.length.value.custom is used.
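To see what the custom template above actually produces before pointing it at a SIEM, the following added example (not McAfee's or Sentrigo's code) renders an alert through the header and body templates, applies the escaping and length rules from the properties block, and then checks the result against the framing the appendix requires: seven pipe-delimited CEF header fields followed by a space-delimited key=value extension. The page does not state how multi-valued keywords are joined, whether truncation happens before escaping, or what convert.newline does; those choices, the SAMPLE_ALERT, and the function names are this example's assumptions.

```python
"""Renderer and framing check for the Appendix A custom syslog format.

Added example, not product code. Assumptions are marked "assumed" below.
"""
import re

# $keyword$ or $keyword:maxlen$ placeholders, as described in Appendix A.
PLACEHOLDER = re.compile(r"\$([A-Za-z0-9_.]+)(?::(\d+))?\$")

# Values copied from the Appendix A properties block, with Java .properties
# unescaping applied ("\\|" -> "\|", "\=" -> "=", "\\" -> "\").
CUSTOM = {
    "header": "CEF:0|Sentrigo|Hedgehog|$serverVersion$|alert|"
              "$rules.name:150$|$importance$|",
    "body": "externalId=$id$ rt=$executionTime.time$ cs1=$database.name:20$ "
            "cs1Label=DBMS dst=$agent.ip$ src=$sourceIP$ duser=$execUser:20$ "
            "suser=$osUser:20$ shost=$sourceHost:30$ dproc=$execProgram:20$ "
            "act=$cmdType:15$ cs2=$operation:225$ cs2Label=SqlStatement "
            "cs3=$accessedObjects.name:200$ cs3Label=AccessedObjects",
    "header_escaping": "\\|",  # header.escaping: backslash and pipe
    "body_escaping": "=",      # body.escaping: only '='
    "escape_char": "\\",       # header/body escape.char
    "header_separator": ",",   # assumed: joins list values in the header
    "body_separator": "|",     # assumed: joins list values in the body
    "empty_value": "",         # empty.value: used for keywords absent from the alert
    "default_length": 255,     # length.value: cap when no :len is given
    "convert_newline": True,   # assumed: newlines in values become one space
}


def expand(template, alert, escaping, separator, cfg=CUSTOM):
    """Replace every $keyword[:len]$ in template with the alert's value."""
    def substitute(match):
        key, length = match.group(1), match.group(2)
        value = alert.get(key, cfg["empty_value"])
        if isinstance(value, (list, tuple)):
            value = separator.join(str(v) for v in value)
        value = str(value)
        if cfg["convert_newline"]:
            value = re.sub(r"\r?\n", " ", value)
        # Assumed: truncate first, then escape, so an escape is never cut in half.
        value = value[:int(length) if length else cfg["default_length"]]
        # In "\|" the backslash comes first, so it is doubled before pipes are escaped.
        for ch in escaping:
            value = value.replace(ch, cfg["escape_char"] + ch)
        return value
    return PLACEHOLDER.sub(substitute, template)


def render(alert, cfg=CUSTOM):
    """Render one alert as header + body, the line the syslog action would send."""
    header = expand(cfg["header"], alert, cfg["header_escaping"], cfg["header_separator"], cfg)
    body = expand(cfg["body"], alert, cfg["body_escaping"], cfg["body_separator"], cfg)
    return header + body


def split_cef(line):
    """Split a line into its 7 CEF header fields and an extension dict.

    Honours backslash escapes; raises ValueError when the framing is wrong.
    """
    fields, current, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):  # escaped character: keep it literally
            current.append(line[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    if len(fields) != 7 or fields[0] != "CEF:0":
        raise ValueError("malformed CEF header: %r" % line[:60])
    extension = line[i:]
    # A key is word characters directly followed by an unescaped '=', at the
    # start of the extension or right after the space separator.
    keys = list(re.finditer(r"(?:^|(?<= ))([A-Za-z0-9_.]+)=", extension))
    if not keys or keys[0].start() != 0:
        raise ValueError("extension must start with key=value")
    pairs = {}
    for n, key in enumerate(keys):
        end = keys[n + 1].start() - 1 if n + 1 < len(keys) else len(extension)
        pairs[key.group(1)] = re.sub(r"\\(.)", r"\1", extension[key.end():end])
    return fields, pairs


SAMPLE_ALERT = {  # constructed sample, not captured from a real server
    "id": 4711, "serverVersion": "4.6.5", "importance": "HIGH",
    "rules.name": ["Grant | privilege escalation", "After-hours DDL"],
    "executionTime.time": 1432123456789, "database.name": "PRODDB",
    "agent.ip": "10.0.0.15", "sourceIP": "10.0.3.41",
    "execUser": "APP_ADMIN", "osUser": "jsmith",
    "sourceHost": "ws-jsmith.corp.example", "execProgram": "sqlplus.exe",
    "cmdType": "SELECT",
    "operation": "SELECT salary FROM hr.employees\nWHERE employee_id = 100",
    "accessedObjects.name": ["HR.EMPLOYEES"],
}

if __name__ == "__main__":
    line = render(SAMPLE_ALERT)
    print(line)
    print(split_cef(line))
```

Rendering the sample shows the two things a SIEM engineer must confirm: the pipe inside the rule name arrives in the header as \| and the '=' inside the SQL statement arrives in the body as \=, so the receiver's CEF parser recovers the original values. Note that the body escaping on this page covers only '='; the CEF specification also requires a backslash inside an extension value to be escaped as \\, so a statement containing a literal backslash (a Windows path in a string literal, for example) would reach the SIEM unescaped under this configuration, and any parser that unescapes the extension, including the one above, will then misread it.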
The following keywords can be used to define the format, with type and max length:
$clientInfo$ : client info field from Oracle DB - STRING(100)
$executionTimeMillis$ : execution time in milliseconds - NUMBER(64 bit long)
$executionTimeStr$ : execution time in date format dd MMM yyyy HH:mm:ss - STRING(32)
$severity$ : severity of the alert, one of HIGH, MEDIUM, LOW - STRING(20)
$agent.hostname$ : hostname of the Sensor from which the alert was received - STRING(255)
$operation$ : statement executed - STRING(UNLIMITED)
$osUser$ : OS user - STRING(100)
$execUser$ : database user - STRING(100)
$realExecUser$ : real database user - STRING(100)
$serial$ : Oracle session serial - NUMBER(64 bit long)
$sid$ : session id - NUMBER(64 bit long)
$terminal$ : terminal - STRING(100)
$execProgram$ : executing program - STRING(100)
$sourceHost$ : source host - STRING(255)
$sourceIP$ : source IP - STRING(16)
$databaseName$ : database name - STRING(255)
$accessedObjects.name$ : list of accessed objects, pipe delimited - STRING(UNLIMITED)
$clientId$ : Oracle client identifier field - STRING(64)
$cmdType$ : SQL command type - STRING(64)
$module$ : Oracle module field - STRING(64)
$contextInfo$ : MS SQL context info field - STRING(200)
$logonTime$ : session logon time - STRING(32)
$inflowObjects.name$ : inflow accessed objects, pipe delimited - STRING(UNLIMITED)
$inflowSQL.statement$ : inflow SQL statement - STRING(UNLIMITED)
$enduserName$ : end user name (relevant for IDentifier only) - STRING(64)
$enduserModule$ : end user module (relevant for IDentifier only) - STRING(64)
$enduserAction$ : end user action (relevant for IDentifier only) - STRING(64)
$enduserIP$ : end user IP (relevant for IDentifier only) - STRING(16)
$action$ : Oracle action field - STRING(64)
$schema$ : Oracle schema field - STRING(64)
$rules.name$ : names of the rules which caught the alert - STRING(UNLIMITED)
$rules.ruleTags.name$ : tags used on the rules which caught the alert - STRING(UNLIMITED)
$rules.comment$ : rule comment field - STRING(UNLIMITED)
$id$ : alert id - NUMBER(64 bit long)
$database.type$ : database type, one of ORACLE, MSSQL, MSSQL2000 - STRING(32)
$database.version$ : version of the database - STRING(255)
$agent.ip$ : IP address of the monitoring agent - STRING(16)
The server must be restarted after modifying the server-custom.properties file for the
modified properties to take effect.
To view the correct CEF format, refer to the attached PDF document.