Reporting and Administration


Although you will do most of your monitoring tasks through Event Viewer, you need to perform other supporting tasks to facilitate reporting and administration. The next sections cover the final two tab sheets in Security Monitor, Reports and Admin.

Security Monitor Reports

Security Monitor allows you to generate reports on demand. Alternatively, you can schedule reports to be generated at a specific time. Creating reports involves generating, scheduling, and viewing reports.

Generating On-Demand and Scheduled Reports

If you are a Security Monitor network security administrator, you can generate audit and alarm reports on demand or schedule them to run at a specific time or at regular intervals. The steps to generate an IDS alarm report are as follows:

  1. Navigate to the Generate options from the Reports tab sheet, where the Select Report page appears. Choose All from the Report Group drop-down menu. The list of Available Reports refreshes to display the full list of reports.

  2. Select an IDS report radio button and click the Select action button to display the Report Filtering page. Enter the values as listed and described in Table 15.11.

    Table 15.11. Security Monitor Report Filtering Settings on the Reports, Generate Option

    Event level: The event level that is displayed in the selected report; available options are informational, low, medium, and high.
    Time/date: The time and date selected in the report; valid options are since installation, a specified number of units, or a time range.
    Source direction: The direction of the security violation; valid options are any, in, or out.
    Source address: The source address of the security violation; valid options are any, single, or a range of IP addresses.
    Destination direction: The direction of the security violation; valid options are any, in, or out.
    Destination address: The destination address of the security violation; valid options are any, single, or a range of IP addresses.
    IDS devices: The IDS devices that are viewed in the report; you can choose all devices that have been added to Security Monitor.
    IDS signatures: The IDS signatures that are viewed in the report; you can choose one or multiple signatures.
    IDS signature categories: The IDS signature categories that are viewed in the report; you can choose one or multiple signature categories.
    Top n: The top number of results in the report.


  3. After entering your filter settings, click Next to display the Schedule Report page. Enter values for the settings, as listed and described in Table 15.12.

    Table 15.12. Security Monitor Schedule Reports Settings in Admin, Reports

    Report title: Description field that allows you to give a title to the report.
    Schedule options: Options that allow you to either run the report immediately or schedule it for later.
    Repeat every: Check box with a drop-down menu allowing you to repeat the report at the following intervals: every day, week, weekday, weekend day, minute, and hour.
    Email report to: Entry field that allows you to send the report to an email recipient after it is generated.


  4. Click Finish. If you chose to generate the report immediately, the Report View page appears. Otherwise, the Select Report page appears.
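The filtering and Top n logic that the Report Filtering page applies, worked as an added Python example; this is not Security Monitor's own code. It runs the Table 15.11 criteria (event level, time/date as a range or as a number of units back from now, source and destination address as any/single/range, devices, signatures, categories) over a constructed set of alarm records and returns the top-n counts. The direction settings are not modelled, and the alarm fields, signature numbers and addresses are constructed sample data.

```python
import ipaddress
from collections import Counter
from datetime import datetime, timedelta

LEVELS = ("informational", "low", "medium", "high")

# Constructed sample alarms (not real Security Monitor data). Each record
# carries the fields that the Report Filtering page filters on.
T0 = datetime(2004, 3, 1, 9, 0)
ALARMS = [
    {"time": T0 + timedelta(minutes=5),  "level": "high",          "sig": 2004, "category": "icmp", "src": "192.168.1.10", "dst": "10.0.0.5", "device": "sensor1"},
    {"time": T0 + timedelta(minutes=10), "level": "medium",        "sig": 3030, "category": "tcp",  "src": "192.168.1.11", "dst": "10.0.0.5", "device": "sensor1"},
    {"time": T0 + timedelta(minutes=20), "level": "high",          "sig": 2004, "category": "icmp", "src": "192.168.1.12", "dst": "10.0.0.7", "device": "sensor2"},
    {"time": T0 + timedelta(hours=3),    "level": "informational", "sig": 2000, "category": "icmp", "src": "172.16.5.1",   "dst": "10.0.0.5", "device": "sensor2"},
    {"time": T0 + timedelta(hours=4),    "level": "high",          "sig": 3030, "category": "tcp",  "src": "192.168.1.10", "dst": "10.0.0.9", "device": "sensor1"},
]


def address_matches(addr, spec):
    """spec is None (any), a single address string, or a (first, last) range tuple."""
    if spec is None:
        return True
    ip = ipaddress.ip_address(addr)
    if isinstance(spec, tuple):
        first, last = (ipaddress.ip_address(x) for x in spec)
        return first <= ip <= last
    return ip == ipaddress.ip_address(spec)


def filter_alarms(alarms, *, levels=None, since=None, until=None, now=None,
                  src=None, dst=None, devices=None, sigs=None, categories=None):
    """Apply the Table 15.11 criteria. `since` may be a datetime (time range)
    or a timedelta (a specified number of units back from `now`); None means
    'since installation'. A set-valued criterion left as None means 'all'."""
    if isinstance(since, timedelta):
        since = (now or datetime.now()) - since
    selected = []
    for a in alarms:
        if levels is not None and a["level"] not in levels:
            continue
        if since is not None and a["time"] < since:
            continue
        if until is not None and a["time"] > until:
            continue
        if not address_matches(a["src"], src) or not address_matches(a["dst"], dst):
            continue
        if devices is not None and a["device"] not in devices:
            continue
        if sigs is not None and a["sig"] not in sigs:
            continue
        if categories is not None and a["category"] not in categories:
            continue
        selected.append(a)
    return selected


def top_n(alarms, key, n):
    """The 'Top n' setting: the n most frequent values of `key` with their counts."""
    return Counter(a[key] for a in alarms).most_common(n)


if __name__ == "__main__":
    high = filter_alarms(ALARMS, levels={"high"}, src=("192.168.1.0", "192.168.1.255"))
    for sig, count in top_n(high, "sig", 3):
        print(f"signature {sig}: {count} high-severity alarm(s) from 192.168.1.0/24")
```

Each keyword argument corresponds to one row of Table 15.11, so a scheduled report is simply a saved set of these arguments plus a `since=timedelta(...)` that is re-evaluated against the clock on every run.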

Viewing Reports

Finally, after generating a report, you can view it by navigating to Reports, View. After you select your report with its radio button, you have the option to view it within the existing window or to open the report in a new window.

Security Monitor Administration

The last tab sheet in Security Monitor is the Admin tab sheet, where you perform server administration and maintenance tasks. These tasks fall into the following categories:

  • Database maintenance: Allows you to back up, restore, or prune the configuration database.

  • System configuration: Enables you to configure the communication properties such as email server settings, PostOffice settings, and syslog settings and to update network IDS signatures.

  • Defining Event Viewer preferences: Allows you to set your Event Viewer preferences and to create, edit, delete, activate, and de-activate correlated events. You de-activate correlated events by using event rules to specify what action to take when the correlated event is detected.

Database Rules

The first option in the Admin tab sheet is the Database Rules option. Security Monitor allows you to configure different actions to occur when a database rule is triggered. The database rules can be triggered when the Security Monitor database reaches a specified size, when a specified number of events occur, or on a daily basis.

[Alert]

Security Monitor database rules can be triggered when the Security Monitor database reaches a specified size, when a specified number of events occur, or on a daily basis.


There are three predefined rules for database maintenance built into Security Monitor:

  • Default pruning: For alarm tables when the database reaches 2,000,000 total events

  • Default syslog pruning: For syslog tables when the database reaches 2,000,000 events

  • Default audit log pruning: For audit log pruning performed on a daily basis

Follow these steps to create your own custom database rule:

  1. Navigate to Admin, Database Rules, Add to display the Specify the Trigger Condition page. Enter the values for the settings, as listed and described in Table 15.13.

    Table 15.13. Security Monitor Database Rules Trigger Conditions

    Rule name: Name that is to be assigned to the rule.
    Database used space greater than (megabytes): Check box that, if selected, triggers the database rule when the database reaches a size greater than specified. The default value is 500MB.
    Database free space less than (megabytes): Check box that, if selected, triggers the database rule when the free space on the drive where the database is installed falls below the specified value. The default setting is 1MB.
    Total IDS events: Check box that, if selected, triggers the database rule when the number of events in the database exceeds the value specified. The default is 500,000.
    Total syslog events: Check box that, if selected, triggers the database rule when the total number of syslog events exceeds the value specified. The default is 500,000.
    Total events: Check box that, if selected, triggers the database rule when the total number of IDS and syslog events exceeds the specified value. The default setting is 1,000,000.
    Daily beginning: Check box that, if selected, triggers the database rule daily at a specified time, beginning on a specified date. The default is 24 hours from the time on the Security Monitor server's clock.
    Comment: Optional.


  2. Now that you've selected your database trigger conditions, click Next to display the Choose the Actions page. This page closely resembles the Admin, Event Rules page. Enter values for the settings as described in Table 15.14.

    Table 15.14. Security Monitor Database Rule Actions Settings in Admin, Database Rules

    Notify via email: Check box that, if selected, enables Security Monitor to send an email when the database rule is triggered.
    Recipients: Addresses to receive an email when the database rule is triggered. Separate multiple addresses with a comma.
    Subject: Subject of the email that will be sent to the recipients.
    Message: Message body of the email that will be sent to the recipients.
    Log a console notification event: Check box that, if selected, enables Security Monitor to log a notification report to the console when the database rule is triggered.
    Subject: Subject of the notification report.
    Message: Message body of the notification report.
    Execute a script: Check box that, if selected, enables Security Monitor to execute a script when the database rule is triggered.
    Script file: Drop-down menu with a list of script options that can be executed if the Execute a Script box is selected.
    Argument: Additional arguments that can accompany a script which executes when the database rule is triggered.


  3. Click Finish to refresh the Database Rules page, which will then show the database rule that you have just created.
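How the trigger conditions of Table 15.13 and the actions of Table 15.14 combine, worked as an added Python example that is not Security Monitor's own code. It assumes that "total events" is the sum of IDS and syslog events (as the table states), that the two predefined pruning rules fire on the 2,000,000 thresholds listed above (modelled here as "exceeds"), and that a pruning action keeps only the newest rows; the metrics snapshot, recipient addresses, script name and the script runner callback are all constructed for the demonstration rather than taken from a real installation.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class TriggerCondition:
    """One field per check box on the Specify the Trigger Condition page;
    None means the box is cleared."""
    used_space_mb: Optional[int] = None         # page default 500
    free_space_mb: Optional[int] = None         # page default 1
    total_ids_events: Optional[int] = None      # page default 500,000
    total_syslog_events: Optional[int] = None   # page default 500,000
    total_events: Optional[int] = None          # page default 1,000,000
    daily: bool = False


# The defaults a new custom rule starts with, as listed in Table 15.13.
DEFAULT_CONDITION = TriggerCondition(used_space_mb=500, free_space_mb=1,
                                     total_ids_events=500_000,
                                     total_syslog_events=500_000,
                                     total_events=1_000_000)


@dataclass
class DatabaseRule:
    name: str
    condition: TriggerCondition
    actions: List[Callable] = field(default_factory=list)


# Assumed encoding of the three predefined rules (thresholds from the text).
PREDEFINED = [
    DatabaseRule("Default pruning", TriggerCondition(total_events=2_000_000)),
    DatabaseRule("Default syslog pruning", TriggerCondition(total_syslog_events=2_000_000)),
    DatabaseRule("Default audit log pruning", TriggerCondition(daily=True)),
]

# Constructed metrics snapshot; a real check would read these from the database.
SAMPLE_METRICS = {"used_space_mb": 620, "free_space_mb": 40,
                  "total_ids_events": 1_800_000, "total_syslog_events": 450_000}


def reasons_fired(cond: TriggerCondition, m: dict, daily_due: bool) -> List[str]:
    """Return the names of the enabled conditions that hold for snapshot m."""
    total = m["total_ids_events"] + m["total_syslog_events"]
    reasons = []
    if cond.used_space_mb is not None and m["used_space_mb"] > cond.used_space_mb:
        reasons.append("used space")
    if cond.free_space_mb is not None and m["free_space_mb"] < cond.free_space_mb:
        reasons.append("free space")
    if cond.total_ids_events is not None and m["total_ids_events"] > cond.total_ids_events:
        reasons.append("IDS events")
    if cond.total_syslog_events is not None and m["total_syslog_events"] > cond.total_syslog_events:
        reasons.append("syslog events")
    if cond.total_events is not None and total > cond.total_events:
        reasons.append("total events")
    if cond.daily and daily_due:
        reasons.append("daily schedule")
    return reasons


def notify_via_email(recipients: str, subject: str, message: str, outbox: list):
    """'Notify via email': recipients are comma separated, as on the page; the
    outbox list stands in for the mail server."""
    def action(rule, metrics, reasons):
        outbox.append({"to": [r.strip() for r in recipients.split(",")],
                       "subject": subject,
                       "body": f"{message} [{rule.name}: {', '.join(reasons)}]"})
    return action


def log_console_notification(subject: str, console: list):
    """'Log a console notification event'."""
    def action(rule, metrics, reasons):
        console.append(f"{subject}: {rule.name} fired on {', '.join(reasons)}")
    return action


def execute_script(script: str, argument: str, runner: Callable):
    """'Execute a script' with its 'Argument'; runner stands in for the launch."""
    def action(rule, metrics, reasons):
        runner(script, argument)
    return action


def evaluate(rules, metrics, daily_due=False):
    """Run every rule whose trigger condition holds; returns (name, reasons) pairs."""
    fired = []
    for rule in rules:
        reasons = reasons_fired(rule.condition, metrics, daily_due)
        if reasons:
            for act in rule.actions:
                act(rule, metrics, reasons)
            fired.append((rule.name, reasons))
    return fired


def prune_oldest(events, keep):
    """Stand-in for a pruning action: keep only the `keep` newest (timestamp, row) events."""
    return sorted(events, key=lambda e: e[0])[-keep:] if keep > 0 else []


if __name__ == "__main__":
    for name, why in evaluate(PREDEFINED, SAMPLE_METRICS, daily_due=True):
        print(f"{name}: {', '.join(why)}")
```

Note that a rule with every Table 15.13 box cleared never fires; the three predefined rules each enable exactly one condition, which is why "Default audit log pruning" runs once a day regardless of database size.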

System Configuration Settings

The next option after Database Rules under the Admin tab sheet is the System Configuration option. It is where you configure the email server, PostOffice settings, and syslog settings, and update IDS signatures. Configuring the email server and PostOffice settings is straightforward. Here we focus on syslog settings and updating the network IDS signatures.

You might recall that IOS IDS devices (those not using PostOffice) and PIX IDS devices use connectionless syslog messages to communicate with Security Monitor. Follow these steps to configure your syslog settings:

  1. Navigate to Admin, System Configuration and click on Syslog Settings from the TOC to display the Syslog Settings page.

  2. Enter a new syslog port number in the Listen on UDP Port entry field.

  3. Enter the new port to forward UDP syslog information to in the Forward to UDP Port entry field.

  4. Click Apply to refresh the Syslog Settings page, which should now display the new port settings that you have just entered.
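What the two syslog port settings do in practice, as an added Python example that is not Security Monitor's code: a loopback relay that listens on one UDP port, extracts the signature number and addresses from IDS syslog messages, and forwards every datagram unchanged to a second UDP port. The message layouts and sample lines are constructed from the PIX (%PIX-4-4000nn: IDS:<sig> ... from ... to ... on interface ...) and Cisco IOS IDS (%IDS-4-<name>: Sig:<sig>:... - from ... to ...) formats as assumed here; check them against the output of your own devices before relying on the regular expressions.

```python
import re
import socket
import threading

# Constructed sample datagrams. The first two follow the PIX and IOS IDS
# layouts assumed in this example; the third is an ordinary PIX connection
# message that carries no IDS signature and must pass through unparsed.
SAMPLES = [
    b"<164>%PIX-4-400013: IDS:2003 ICMP redirect from 10.4.1.2 to 10.2.1.1 on interface dmz",
    b"<164>%IDS-4-ICMP_ECHO_REPLY_SIG: Sig:2000:ICMP Echo Reply - from 192.168.9.8 to 10.2.1.3",
    b"<166>%PIX-6-302013: Built inbound TCP connection 12 for outside:192.168.9.8/3456 to inside:10.2.1.3/80",
]

PIX_IDS = re.compile(r"%PIX-\d-4000\d\d: IDS:(\d+) (.+?) from (\S+) to (\S+) on interface (\S+)")
IOS_IDS = re.compile(r"%IDS-\d-\w+: Sig:(\d+):(.+?) - from (\S+) to (\S+)")


def parse_ids_message(text):
    """Return signature, description and addresses of an IDS syslog message,
    or None for syslog lines that are not IDS alarms."""
    m = PIX_IDS.search(text)
    if m:
        return {"sensor": "PIX", "sig": int(m.group(1)), "description": m.group(2),
                "src": m.group(3), "dst": m.group(4), "interface": m.group(5)}
    m = IOS_IDS.search(text)
    if m:
        return {"sensor": "IOS", "sig": int(m.group(1)), "description": m.group(2),
                "src": m.group(3), "dst": m.group(4), "interface": None}
    return None


def relay(listen_sock, forward_addr, count, records):
    """'Listen on UDP Port' / 'Forward to UDP Port': read up to `count` datagrams,
    record any IDS alarms, and pass every datagram on unchanged."""
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        for _ in range(count):
            data, _peer = listen_sock.recvfrom(65535)
            rec = parse_ids_message(data.decode("utf-8", "replace"))
            if rec is not None:
                records.append(rec)
            tx.sendto(data, forward_addr)
    except socket.timeout:
        pass  # the listening socket carries a timeout so the demo cannot hang
    finally:
        tx.close()


def loopback_demo(datagrams):
    """Push the datagrams through the relay on 127.0.0.1 with ephemeral ports;
    returns (parsed IDS alarms, number of datagrams that reached the forward port)."""
    listen = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listen.bind(("127.0.0.1", 0))
    listen.settimeout(2)
    collector = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    collector.bind(("127.0.0.1", 0))
    collector.settimeout(2)
    records = []
    worker = threading.Thread(target=relay,
                              args=(listen, collector.getsockname(), len(datagrams), records))
    worker.start()
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    for d in datagrams:
        sender.sendto(d, listen.getsockname())
    forwarded = 0
    try:
        for _ in datagrams:
            collector.recvfrom(65535)
            forwarded += 1
    except socket.timeout:
        pass
    worker.join()
    for s in (listen, collector, sender):
        s.close()
    return records, forwarded


if __name__ == "__main__":
    alarms, forwarded = loopback_demo(SAMPLES)
    print(f"forwarded {forwarded} of {len(SAMPLES)} datagrams; {len(alarms)} IDS alarm(s) parsed")
    for a in alarms:
        print(f"  {a['sensor']} sig {a['sig']}: {a['description']} {a['src']} -> {a['dst']}")
```

Because the transport is connectionless, nothing tells the sending PIX or IOS device that a datagram was lost or that the listener is down; the forward port exists so a second collector can receive the same stream, and the relay above passes the bytes on before it interprets them for the same reason.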

You can update sensor signatures through IDS MC, the command-line interface (CLI), or Security Monitor. Follow these steps to update signatures with Security Monitor:

  1. Download the latest IDS updates for the Security Monitor from the Cisco Software center at http://www.cisco.com/cgi-bin/tablebuild.pl/ids4.

  2. Copy the files into this directory: ...CSCOpx\MDC\etc\ids\updates.

  3. Navigate to Admin, System Configuration and click on Update Network IDS Signatures from the TOC to display the Update Network Signatures page.

  4. Use the Update File drop-down menu to choose the downloaded IDS signature update for the Security Monitor. Click Apply. If Security Monitor needs to be updated, the Update Summary page appears and you should go to Step 6. If Security Monitor doesn't need to be updated but sensors need signature updates, the Select Sensor page appears and you should go to Step 5.

  5. Select the check boxes of the sensors that need to be updated and click Next to display the Update Summary page.

  6. Click Continue to display the Update Network IDS Signatures page and complete the update.

[Alert]

You can use Security Monitor to update network IDS signatures. Download the update from the Cisco Web site, copy the file to the specified directory, and navigate to Admin, System Configuration, Update Network IDS Signatures to complete the update.


Defining Event Viewer Preferences

Finally, we come to the last option of the last tab sheet, Admin, Event Viewer. Recall that the changes you make to customize your Event Viewer window are not persistent; that is, they are not saved when you shut down Event Viewer and open a new session. Customizing your views each time you launch Event Viewer is cumbersome and repetitive. From the Admin, Event Viewer page, you can define your Event Viewer preferences so that they are saved with your user account and reappear each time you log in to Security Monitor and launch Event Viewer.

You can configure the Event Viewer preferences for Your Preferences or for the Default Preferences, which changes the settings for all users. The steps and entry fields are the same whether you are editing your own preferences or the default ones, so we only go through the steps for your preferences here:

  1. Navigate to Admin, Event Viewer, Your Preferences to display the Your Preferences page.

  2. Enter the values for the settings, as listed and described in Table 15.15.

    Table 15.15. Security Monitor Your Preference Settings at the Admin, Event Viewer, Your Preferences Page

    Command timeout: Determines how long, in seconds, the Event Viewer waits for a response from a sensor before concluding that it has lost communications with the sensor. The default value is 10 seconds.
    Time to block: Specifies how long, in minutes, the sensor blocks traffic from the specified source when you issue a block command from the Event Viewer TOC. The default value is 1440 minutes (one day).
    Subnet mask: Subnet mask of the Security Monitor.
    Default expansion boundary: Amount of expansion that takes place when opening security event levels within the Event Viewer.
    Maximum events per grid: Maximum number of events that populate the Event Viewer grid.
    Auto collapse enabled: Check box that, if selected, enables the automatic collapsing of a cell.
    Query interval: Amount of time that the Event Viewer waits between queries to the database for new events. The default interval is 5 minutes.
    Auto query enabled: Check box that, if selected, enables automatic queries to the database for new security events.
    Event security indicator: Radio buttons that change the event severity indicator from a color to an icon or vice versa.
    Cells: Check boxes that, if selected, allow the Event Viewer to display security events blank left, blank right, or both.
    Sort by: Radio buttons that allow you to sort the security events by count or alphabetically by content. The default is content.




CSIDS Exam Cram 2 (Exam 642-531)
Year: 2004
Pages: 213