By Maarten Goet on 5/8/2009 5:34:04 AM
Last year we launched the Audit Collection Syslog Gateway, which provides the ability to centrally collect SYSLOG events via the Audit Collection Service (ACS) within Operations Manager 2007 SP1. This enables organizations to centralize Windows, UNIX/LINUX and network security events within System Center for audit and reporting purposes. As an agent-less solution, customers can simply deploy the Syslog Gateway, enable forwarding on target devices, applications or an existing Syslog server, and start to use ACS as a central cross-platform audit repository within the enterprise.

In a couple of weeks an updated build of the Audit Collection Syslog Gateway, Service Pack 1, will be released that improves the core service and gateway logging and ships with an improved installation wizard. SP1 also introduces a health MP which includes security alerting rules for UNIX operating systems, Cisco firewalls and routers, plus an MP Template which enables users to create custom alerts and views for any Syslog event.

Below is a general overview on the Audit Collection Syslog Gateway architecture and features.

Audit Collection Syslog Gateway Overview

· Provides SYSLOG event collection, alerting and reporting for UNIX/LINUX and network devices via ACS

· Includes Secure Vantage Syslog Gateway Service, Generic Syslog Report and alerting Management Pack

· Requires Operations Manager 2007 SP1 with ACS, and a Windows Server with Forwarder to act as Gateway

Common Syslog Sources

· UNIX/Linux Operating Systems like AIX, BSD, HPUX, Mac OS X, RedHat, SuSE, Solaris, zOS and others

· Network devices like Cisco Routers, Switches and Firewalls

· Environmental devices and 3rd party applications like Citrix Application Gateways or Web Servers

· Most hardware and applications running on a UNIX/Linux OS

Deployment Considerations

· Must enable SYSLOG forwarding on endpoint (User Guide has instructions for Unix and Cisco devices)

· Default SYSLOG collection is UDP on port 514; TCP is optional in most cases but must be explicitly configured

· Single Gateway supports up to 200 devices or 1000 Events Per Second (EPS)

Syslog Gateway Reporting

The Audit Collection Syslog Gateway includes one generic report that enables users to filter on any Syslog message pattern or all events. For example users could filter for all Cisco ASA events, all events with ‘root’ or from a specific device. Users can then save these filters as report subscriptions and quickly establish a standardized set of reports for auditing purposes.

Syslog Gateway Management Pack (included with upcoming SP1)

The Audit Collection Syslog Gateway MP provides health and performance monitoring of the Gateway Service plus security alerting for the Syslog events. The security alerting includes canned rules and knowledge articles for UNIX/Linux operating system security events such as logon failures, root access and suspicious activity; alerting rules for Cisco router and firewall IDS events; plus an MP Template that enables users to quickly create custom views and alert rules for any Syslog event pattern. Users can easily override existing rules and use the MP Template to implement custom alerting and security auditing within their SCOM environment.

Below is a sample of Syslog facilities and priority codes which can be used for alert filtering and reporting.
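As an added example (not Secure Vantage code and not the product's rule set), the following Python decodes the RFC 3164 PRI field into the facility and severity codes referred to above and runs a few constructed alerting rules of the kind the MP and the generic report describe (UNIX logon failures, messages mentioning 'root', high-severity Cisco ASA events) over constructed sample lines; hostnames, rule names and log content are invented for illustration.

```python
import re

# RFC 3164 facility and severity codes: PRI = facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 3164 framing: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: CONTENT (timestamp is 15 chars).
SYSLOG_RE = re.compile(r"^<(\d{1,3})>(.{15}) (\S+) (.*)$", re.DOTALL)

def decode_pri(pri):
    """Return (facility_name, severity_name) for a PRI value in 0..191."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]

def parse_syslog(line):
    """Parse one RFC 3164 line into a dict, or return None if it is not well-formed."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    facility, severity = decode_pri(int(m.group(1)))
    return {"facility": facility, "severity": severity,
            "timestamp": m.group(2), "host": m.group(3), "msg": m.group(4)}

# Constructed rules: (name, facilities the rule applies to or None for any, regex on the message).
RULES = [
    ("unix_logon_failure", {"auth", "authpriv"}, re.compile(r"Failed password|authentication failure", re.I)),
    ("root_access", None, re.compile(r"\broot\b")),
    ("cisco_asa_high_severity", None, re.compile(r"%ASA-[0-3]-\d+")),  # ASA levels 0-3 = emerg..err
]

def match_rules(event):
    """Return the names of every rule that fires for a parsed event, in RULES order."""
    return [name for name, facilities, pattern in RULES
            if (facilities is None or event["facility"] in facilities) and pattern.search(event["msg"])]

def alerts_for(lines):
    """Parse each line and apply the rules; returns (host, rule, 'facility.severity') tuples."""
    alerts = []
    for line in lines:
        event = parse_syslog(line)
        if event is None:
            continue  # a real gateway should count unparseable input rather than drop it silently
        for rule in match_rules(event):
            alerts.append((event["host"], rule, "%s.%s" % (event["facility"], event["severity"])))
    return alerts

# Constructed sample input: three UNIX sshd/cron lines, one Cisco ASA line, one malformed line.
SAMPLE = [
    "<86>May  8 05:34:04 web01 sshd[2131]: Failed password for root from 192.0.2.10 port 4122 ssh2",
    "<38>May  8 05:34:05 web01 sshd[2131]: Accepted publickey for deploy from 192.0.2.20 port 4130 ssh2",
    "<30>May  8 05:34:06 web01 cron[712]: (root) CMD (run-parts /etc/cron.hourly)",
    "<163>May  8 05:34:07 fw01 %ASA-3-710003: TCP access denied by ACL from 198.51.100.7/4455 to outside:203.0.113.5/22",
    "not a syslog line",
]

if __name__ == "__main__":
    for alert in alerts_for(SAMPLE):
        print(alert)
```

The facility/severity pair is what the PRI in each line encodes; the rules show how a filter on that pair combines with a message pattern, which is the same shape of filter the generic report and MP Template expose.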

Useful Syslog Links and Resources

· NIST: Guide to Computer Security Log Management

o http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf

· IETF RFCs: 3164 The BSD syslog protocol & 3195 Reliable delivery of syslog

o http://www.ietf.org/rfc/rfc3164.txt & http://www.ietf.org/rfc/rfc3195.txt

· SANS Institute: The Ins and Outs of System Logging Using Syslog

o http://www.sans.org/reading_room/whitepapers/logging/1168.php

· Cisco: Identifying Incidents using Firewall and IOS Router Syslog Events

o http://www.cisco.com/web/about/security/intelligence/identify-incidents-via-syslog.html

Looking towards SCOM R2

This year at MMS Microsoft announced ACS for Cross Platform, a post-SCOM R2 feature, which enables partners to integrate non-Windows security events into the ACS collection stream. With this capability any cross-platform log file source exposed via SCOM R2 could be integrated into ACS, allowing organizations to centralize all security auditing events into a single repository which can be alerted on, reported and archived as needed. The feature enables parsing of the event messages to extract key attributes and strings for improved reporting and analytics. The diagram below illustrates the high-level concept of this upcoming feature; in general it’s the same architecture as our Syslog Gateway, except that the event source is the SCOM agent rather than Syslog, and the event transformation is optimized to enable more granular data mining.

Users planning to leverage the new cross-platform capabilities of SCOM R2 will soon have the ability to integrate security events from those devices and applications into ACS natively, and will be pleased to know we’re migrating our alerting and reporting functionality to leverage this new feature as well. Users wanting to leverage the new SCOM R2 feature should enroll in our TAP program or stay tuned for more details and announcements.

Users needing a solution today, or who have agent-less requirements, can use the Audit Collection Syslog Gateway, which provides a very cost-effective option that is licensed per Gateway (not per device), is easy to deploy and simple to use. And remember, regardless of how you collect your security events, once they’re in ACS our entire suite of Security Auditing solutions can be used for alerting, archiving and data analysis.

If you need more than just security auditing we have two partners who provide great health and performance monitoring solutions for cross platform devices and applications: BridgeWays and JalaSoft. By combining the breadth of partner monitoring solutions with our security auditing features in ACS, users can standardize and simplify systems management, auditing and compliance within System Center which reduces the cost, complexity and overhead associated with managing your heterogeneous environment.

 

Original: http://securevantage.spaces.live.com/blog/cns!905E136EE69247B4!520.entry?wa=wsignin1.0&sa=32496051