Network Security - F
F-Deets
Evaluation guide
Guide Version: 1.0.2
Software version: 0.6.3
Last Revision: 08/11/2011
CC Open Computer Systems Sp. z o.o.
Network Security
Contents
1 Introduction ... 3
2 Getting started ... 4
2.1 Installation ... 4
2.2 Platform Support ... 5
2.3 License ... 5
3 Using F-Deets ... 6
3.1 The Configuration Wizard ... 6
3.2 Uploading a license ... 9
3.3 Defining a first view ... 9
3.4 Displaying data ... 11
3.5 Working with F-deets ... 12
3.6 Generating reports ... 14
3.7 Advanced functions ... 15
4 F-Deets components and configuration ... 16
4.1 Parser & Server ... 17
4.2 Syslog ... 17
4.3 GUI Client ... 18
4.4 Windows Services ... 19
5 Troubleshooting ... 20
6 Uninstall ... 20
2/20
ul. Rakowiecka 36
02-532 Warsaw
phone +48 22 646-68-73
fax +48 22 606-37-80
e-mail:[email protected]
Web: http://www.cc.com.pl/
CC Otwarte Systemy Komputerowe Sp. z o.o., registered in the XIII Commercial Division of the National Court Register (KRS) under no. 0000023570; management board:
Grzegorz Blinowski – President of the Board, Tomasz Ramsza - Member of the Board; share capital: 100000 PLN
CC Open Computer Systems Sp. z o.o.
Network Security
1 Introduction
F-Deets is a tool for network administrators: it gathers and analyzes log messages. It provides the
means to quickly analyze and extract data from multiple system and device logs. With F-Deets you
can access and analyze any subset of collected logs through either default or user-defined filters.
The F-Deets architecture is comprised of:
• syslog server – aggregates network-generated events
• event parser and event store – extracts, parses and stores events in a built-in relational database
in a field-by-field format (e.g. IP addresses, TCP/UDP ports, etc. are extracted and made available
for searching and filtering)
• GUI – a Windows interface for viewing, sorting, filtering and analyzing events
• F-Deets Server – presents the parsed database data to the client, hence it can be treated as an
intermediary between the processed syslog data and the user GUI.
F-Deets components can be installed on one server (the default) or on multiple servers.
Notice: All components except the GUI may be installed on Linux or MS Windows
machine. The GUI is currently supported only under Windows.
Two key F-Deets terms are “Connection” and “View”:
A connection is defined by the F-Deets server address and user credentials. A connection
represents an authenticated session to the F-Deets server. Please note that under one
connection you can view data from multiple syslog-compatible sources, because the F-Deets
syslog, database and server can integrate multi-source data. Under the F-Deets GUI you may
define multiple connections.
A view is always defined in the context of a connection. A view is filtered data obtained from a
given connection, i.e. from a given F-Deets server. A view may represent current data
(constantly updated, as in the Unix “tail” tool) or a set of historic data from a given time
period. You may define multiple views per connection.
More information on F-Deets architecture can be found in chapter 4 of this guide.
2 Getting started
2.1 Installation
F-Deets is distributed as a single-file installation setup. To install F-Deets simply run it and the setup
will guide you through the fairly standard step-by-step process. If you are installing F-Deets for the first
time, the default settings need not be changed.
During the installation you may be prompted to install Microsoft .NET 3.5. It is necessary in order to
use the F-Deets client. If you selected only the server part of the installation, the .NET Framework
will not be installed. The Microsoft C++ Redistributables will be installed without prompting the user.
After all the necessary files are copied to disk, three Windows services will be registered and started.
Additionally, Windows Firewall exceptions will be created so that the F-Deets syslog may work properly. If
you are using a custom desktop firewall, make sure you add the appropriate exceptions manually and then
restart the Syslog and ConnectionDaemon services.
F-Deets comes with a small set of sample data, so you can test it without providing any actual log
files or logging real-time data to the F-Deets syslog server. See the instructions in the “Using F-Deets”
chapter.
Notice: When choosing the install directory make sure that the disk you are
installing F-Deets to has enough space left for the incoming log messages and
database files. Parsed data takes roughly four times the space the plain log files do.
Therefore if you have 100MB of logs per month, be prepared for 500 MB of disk
space consumed each month and 6 GB per year. Installing F-Deets on a non-system
drive may improve performance, especially if a large amount of logs is generated.
2.2 Platform Support
The platform support for F-Deets modules is shown below:

Module              Windows XP/200x   Windows 7   Linux
syslogd             Yes               Yes         System
Parser & database   Yes               Yes         Yes
Server              Yes               Yes         Yes
GUI                 Yes               Yes         No

F-Deets supports both 32- and 64-bit environments. F-Deets used on a 64-bit machine tends to work
slightly faster.
2.3 License
F-Deets requires a license file to work. You can obtain a demo license from the F-Deets web-site. You
will be asked for a license when you first connect to F-Deets server.
3 Using F-Deets
3.1 The Configuration Wizard
To start the F-Deets client, select “F-Deets” from the “Start” menu. When you first start the program a
configuration wizard will appear. It will guide you through basic configuration steps like defining a
server connection, creating a non-admin user and selecting the directories in which logs are stored.
In general it is safe to assume that the wizard's default values are correct. The first dialog is used to
set up the connection parameters of the F-Deets server. Typically you have installed the server on the same
machine as the client (and the rest of the F-Deets components), so all the default parameters should be
used.
On the next dialog the F-Deets client will try to connect to the server with the provided parameters. If you have
problems at this point make sure that the F-Deets server is running and that the client is able to
connect to the specified port.
In the third step you should enter the new admin account password. The admin account will be used to
manage other users for the default connection.
The next step is to create the connection's default user. This is the “working account” for log browsing
and all typical tasks:
In the last step the default log directory should be initialized. This is the directory for the unprocessed
syslog files. Please note that the F-Deets syslog service is used to receive syslog connections from the
network and store syslog-format log files on the local disk. However, you can also manually copy
syslog-format files to the same directory; they will be parsed and processed by F-Deets like all other
syslog files. You can define up to 3 directories; one is created by default:
Notice: After this step you may copy the sample log file to the syslog source data
directory – the logfile will be automatically parsed and sample log records will be
added to the F-Deets database.
Defining syslog directories is the last step of the configuration wizard. Please press “Finish” on the
confirmation dialog to proceed to the main application window:
3.2 Uploading a license
The F-Deets server requires a license to work. After a fresh install, when the license expires or if the event
limit is exceeded, a dialog prompting for a new license will appear. It can be used to upload a new
license.
To upload a new license you must first click the “Select license” button and select a license file on your
disk. The license will then be verified and, if it is valid, the “Upload license” button will activate. Clicking
it will cause the new license to be uploaded and activated.
To manually upload a new license to a server, right-click the server in the F-Deets GUI connection list, select
“Upload license” and proceed as described above. Remember that “configuration” privileges are
required to upload a license.
The event count is calculated on a weekly-average basis. Exceeding the event limit by more than 10% will
invalidate the license until the event count lowers. If the event limit is exceeded by less than 10%, a
warning message will appear, but the server will still work normally.
3.3 Defining a first view
To begin working with F-Deets, the term “view” needs to be explained:
A view is a representation of a subset of logs you wish to see. It is defined by a name, a description, a set
of columns that are to be displayed and a set of filters that narrow the results. For example, a filter
called IKE may show the time, type, number and message while showing only the IKE category.
To start using F-Deets after a fresh install and running the configuration wizard you must create at least
one view. To do this:
• Right-click on the local connection in the connection/view list on the left
• Choose “connect” and enter the admin password (the window title should change from “No active
connection set” to “Local/admin”)
• Click the “Define new view” icon or use the right-click menu again
• Enter the view name and optionally a description; you can also define more view options, but at this
point simply confirm and close the dialog. The view will appear under the connection name.
• Double-click on the view name to bring up the view window
3.4 Displaying data
With the view window open it is time to take a look at some log data! To do this a time frame must be
defined. This may be a bit tricky: if you enter a very short or very recent time frame, for example 1
hour, there is a chance that no log events were actually recorded in that time (especially if you use the
built-in sample log data). To start with, use a long time frame, for example 2 weeks, or enter a custom
time interval. Click on the “search logs” icon to get the data.
Selecting the data time interval.
Filtered data in the view pane.
3.5 Working with F-deets
The main window consists of four major panes. A horizontal toolbar at the top is used to manage
user and log directory configuration; there is also a current server information label and a button
toggling the server/views tree. A new view wizard can also be run from here. At the bottom of the window
a status bar is visible. It shows the application version, the current time and the F-Deets services' states. The left
pane contains a connection/view tree showing available log-server connections and data views.
When you open a view, a log view window will appear in the middle. At its top another toolbar is
visible, providing options like tail mode, jumping to a specified log, etc. In the middle there is a grid
showing the current view's results.
The log view window also contains a status bar, which shows the current server time, connection state,
message count and active filter count. Right-clicking on any cell in the messages grid will make a
popup menu appear. It will contain various filter-related options like creating a new filter based on the
cell's value, editing or removing existing filters, etc.
Take a minute or two and try out the options. The view you create can then be saved with a new
name, so that you don't have to repeat the same steps again and again.
3.6 Generating reports
Report generation is a feature available since version 6.0. A sample view of the generate report
window can be seen below.
There are four possible output formats for a report: PDF, HTML, CSV and XML. There are also several
options available for the reports, though not every option is valid for every file format.
A generated report will contain exactly the same events as the view for which it was generated. The
columns visible depend on the “Report content” option: “Columns from view” means that the same
columns that are visible in the view will be included, and “Typical columns” is a predefined set of columns
that contain the most useful information.
After clicking the export button you will be prompted to specify the report's save location and file name.
3.7 Advanced functions
To view the details of an event, double-click it in the event view. A properties window will appear.
Important information is highlighted in different colors.
Right-clicking on an event will pop up a menu with many options. It allows adding filters based on
the clicked value and column, removing filters, and adding or removing columns. There are two notable
options which are useful for debugging or intrusion detection.
The first is the “Trace connection” option. It can be used to track an entire connection through many
devices. When opened for an event, it will find all related events from all devices that the connection
came through.
The second important feature is the “Count events by this column” option. It is applicable only to certain
columns (like IPs, ports or category). It will find and count all events, grouping by the given column, and
display them in a new window. More grouping columns can be added later for more detailed results. A
sample grouping view can be seen below.
Through this dialog a column can be added to or removed from the grouping view. All filters from the
original view are preserved, so the counts are performed only on the data that was viewed before.
Furthermore, double-clicking on any of the rows will display a new, standard grid with filters based on
the selected values. In other words, the new grid will contain exactly the same data that was grouped
together and clicked. Such a view can of course be saved for further reference.
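To make the behaviour of “Trace connection” and “Count events by this column” concrete, the following is an added example (not F-Deets code) that reproduces both over a constructed list of already-parsed events: grouping counts with the view's filters still applied, adding a second grouping column, the double-click drill-down that turns a grouped row's values into additional filters, and a connection trace that collects the same connection's events from every device. The column names, the equality-only filter model and the use of the source/destination address and port 4-tuple to identify a connection are assumptions of this example; the guide does not document how F-Deets identifies a connection internally.

```python
# Added example, not F-Deets code: "Count events by this column" grouping,
# drill-down from a grouped row, and "Trace connection" over a constructed
# list of parsed events. Column names, the equality-only filter model and
# the 4-tuple connection identity are this example's assumptions.
from collections import Counter
from typing import Any, Dict, List, Sequence, Tuple

Event = Dict[str, Any]
Filters = Dict[str, Any]  # column -> required value (the view's active filters)

# Constructed sample: a firewall (fw01) and a server (srv01) reporting on the
# same traffic. Addresses are from the IETF documentation ranges, not real hosts.
SAMPLE_EVENTS: List[Event] = [
    {"time": "10:15:02", "device": "fw01",  "category": "firewall", "src_ip": "198.51.100.23", "src_port": 51234, "dst_ip": "192.0.2.10", "dst_port": 22,  "action": "ACCEPT"},
    {"time": "10:15:03", "device": "srv01", "category": "auth",     "src_ip": "198.51.100.23", "src_port": 51234, "dst_ip": "192.0.2.10", "dst_port": 22,  "action": "FAIL"},
    {"time": "10:15:09", "device": "fw01",  "category": "firewall", "src_ip": "198.51.100.23", "src_port": 51240, "dst_ip": "192.0.2.10", "dst_port": 22,  "action": "ACCEPT"},
    {"time": "10:15:10", "device": "srv01", "category": "auth",     "src_ip": "198.51.100.23", "src_port": 51240, "dst_ip": "192.0.2.10", "dst_port": 22,  "action": "FAIL"},
    {"time": "10:16:11", "device": "fw01",  "category": "firewall", "src_ip": "203.0.113.5",   "src_port": 40001, "dst_ip": "192.0.2.10", "dst_port": 443, "action": "ACCEPT"},
    {"time": "10:16:12", "device": "srv01", "category": "auth",     "src_ip": "203.0.113.5",   "src_port": 40001, "dst_ip": "192.0.2.10", "dst_port": 443, "action": "OK"},
    {"time": "10:17:00", "device": "fw01",  "category": "firewall", "src_ip": "198.51.100.23", "src_port": 51250, "dst_ip": "192.0.2.11", "dst_port": 22,  "action": "DROP"},
]

# Assumption of this example: a connection is identified by its address/port 4-tuple.
CONNECTION_KEY = ("src_ip", "src_port", "dst_ip", "dst_port")


def apply_filters(events: Sequence[Event], filters: Filters) -> List[Event]:
    """Keep only events whose columns equal every filter value (the view's active filters)."""
    return [e for e in events if all(e.get(col) == val for col, val in filters.items())]


def count_by(events: Sequence[Event], filters: Filters,
             columns: Sequence[str]) -> List[Tuple[Tuple[Any, ...], int]]:
    """Count events grouped by `columns`, with the original view's filters still applied.
    Returns (key, count) pairs, largest groups first."""
    counts = Counter(tuple(e.get(c) for c in columns) for e in apply_filters(events, filters))
    return sorted(counts.items(), key=lambda kv: (-kv[1], [str(v) for v in kv[0]]))


def drill_down(events: Sequence[Event], filters: Filters,
               columns: Sequence[str], key: Tuple[Any, ...]) -> List[Event]:
    """Double-clicking a grouped row: the row's values become extra filters on top of the
    view's own, so the result is exactly the events that were counted together."""
    narrowed = dict(filters)
    narrowed.update(zip(columns, key))
    return apply_filters(events, narrowed)


def trace_connection(events: Sequence[Event], event: Event) -> List[Event]:
    """All events, from any device, that belong to the same connection as `event`."""
    ident = tuple(event.get(k) for k in CONNECTION_KEY)
    return [e for e in events if tuple(e.get(k) for k in CONNECTION_KEY) == ident]


if __name__ == "__main__":
    view_filters = {"category": "auth"}
    print("auth events grouped by source address and result:")
    for key, n in count_by(SAMPLE_EVENTS, view_filters, ["src_ip", "action"]):
        print(f"  {n:3d}  {key}")
    print("trace of the connection behind the first failed login:")
    for e in trace_connection(SAMPLE_EVENTS, SAMPLE_EVENTS[1]):
        print(f"  {e['time']} {e['device']:6s} {e['category']:9s} {e['action']}")
```

The grouping deliberately reuses `apply_filters` so the counts never widen beyond what the view showed, which is the property the guide describes; the trace is only as good as the identity key, and in real logs the 4-tuple is reused after a connection closes, so a time window would also be needed.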
4 F-Deets components and configuration
F-Deets comprises five major components: server, parser, syslog, client and services monitor.
Syslog listens for new messages, the parser analyzes them and stores them in a database, and the server
handles network communication with the client, which is the user's main tool for accessing the log
messages. The services monitor is a small application which resides in the system tray and shows the
F-Deets services' status.
[Figure: F-deets architecture scheme. Elements shown: syslog-compatible data sources in the network;
syslogd server; log files from syslog and other sources; log parser; log database; configuration
database; server; GUI client. The syslogd server, log parser, databases and server are grouped as the
F-Deets server components.]
4.1 Parser & Server
Parser and server share a common configuration file, winaid.cfg. It is located in the config directory in the
F-Deets installation folder. See the reference manual for a description of the configuration files.
4.2 Syslog
There is currently no configuration for syslog. It listens on port 514, accepts all messages and saves
them to the syslog/logs directory. Files are rotated on a weekly basis and old logs are never deleted (this
can be done manually, since old log files are not used by F-Deets).
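The event parser in chapter 1 is described as extracting fields such as IP addresses and TCP/UDP ports from each message, and the syslog component above as accepting every message on port 514 and rotating its files weekly. The following is an added example, not F-Deets code, showing how such a field-by-field parse of BSD-syslog (RFC 3164 style) lines works, how lines that do not parse are kept for inspection rather than silently dropped, and one possible weekly file name. The sample lines, the `Event` field names, the IP/port extraction rules, the file-name pattern and the assumed year 2011 are all this example's own. One caveat worth keeping in mind when reading parsed output: plain syslog on port 514 carries no sender authentication, so the host and message fields are whatever the sending device (or anything else on the network) wrote, which is why the example keeps the raw message next to the extracted fields.

```python
# Added example, not F-Deets code: parse BSD-syslog (RFC 3164 style) lines into
# field-by-field events and derive a weekly rotation file name. Field names,
# extraction rules, the file-name pattern and the default year are assumptions.
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Tuple

SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
                  6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
                  **{16 + i: f"local{i}" for i in range(8)}}

HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                                    # <PRI>
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "  # Mmm dd hh:mm:ss (no year)
    r"(?P<host>\S+) "                                         # hostname as sent
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?"             # tag[pid]:
    r"(?P<msg>.*)$"
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PORT_RE = re.compile(r"(?:SPT=|DPT=|port )(\d{1,5})")       # netfilter-style and sshd-style ports


@dataclass
class Event:
    timestamp: datetime
    facility: int
    severity: int
    host: str
    tag: str
    pid: Optional[int]
    message: str                      # raw text kept alongside the extracted fields
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    ports: List[int] = field(default_factory=list)

    @property
    def severity_name(self) -> str:
        return SEVERITY_NAMES[self.severity]

    @property
    def facility_name(self) -> str:
        return FACILITY_NAMES.get(self.facility, f"facility{self.facility}")


def parse_syslog_line(line: str, year: int = 2011) -> Optional[Event]:
    """Return an Event, or None if the line is not a well-formed syslog message.
    RFC 3164 timestamps carry no year, so the caller supplies one (2011 is assumed here)."""
    m = HEADER_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                                   # facility 0..23 times severity 0..7
        return None
    ts = " ".join(m.group("ts").split())            # collapse the padding in "Nov  8"
    when = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")
    msg = m.group("msg")
    ips = IPV4_RE.findall(msg)
    return Event(
        timestamp=when, facility=pri >> 3, severity=pri & 7,
        host=m.group("host"), tag=m.group("tag"),
        pid=int(m.group("pid")) if m.group("pid") else None,
        message=msg,
        src_ip=ips[0] if ips else None,             # first address in the message: source
        dst_ip=ips[1] if len(ips) > 1 else None,    # second, if any: destination
        ports=[int(p) for p in PORT_RE.findall(msg)],
    )


def parse_lines(lines: List[str], year: int = 2011) -> Tuple[List[Event], List[str]]:
    """Parse many lines; unparseable ones are returned separately so nothing is lost silently."""
    events: List[Event] = []
    rejected: List[str] = []
    for line in lines:
        ev = parse_syslog_line(line, year)
        if ev is None:
            rejected.append(line)
        else:
            events.append(ev)
    return events, rejected


def rotation_filename(when: datetime) -> str:
    """Weekly rotation: one file per ISO week. The name pattern is this example's own."""
    iso_year, iso_week = when.isocalendar()[0], when.isocalendar()[1]
    return f"syslog-{iso_year}-W{iso_week:02d}.log"


# Constructed sample input (documentation-range addresses, not real hosts).
SAMPLE_LINES = [
    "<34>Nov  8 10:15:02 fw01 kernel: DROP IN=eth0 SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=22",
    "<38>Nov  8 10:15:05 vpn01 sshd[2211]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2",
    "<13>Nov  8 10:16:11 app02 myapp: user login ok from 192.0.2.44",
    "garbage line without priority",
    "<200>Nov  8 10:17:00 bogus x: priority out of range",
]

if __name__ == "__main__":
    events, rejected = parse_lines(SAMPLE_LINES)
    for ev in events:
        print(ev.timestamp, ev.facility_name, ev.severity_name, ev.host, ev.tag,
              ev.src_ip, ev.dst_ip, ev.ports, "->", rotation_filename(ev.timestamp))
    print("rejected:", rejected)
```

The "first address is the source" rule is a simplification; a production parser keys on the device's own message format (SRC=/DST= for netfilter, "from ... port" for sshd) rather than address order, which is what a per-device-type parser such as the one the guide describes has to do.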
4.3 GUI Client
Client configuration is available in options → preferences menu. There are also two custom screens
dedicated for server configuration which can be accessed through client. These are User Management
and Log Directories Management.
User Management dialog
The User Management screen can be used to view, add, modify and remove users. To use this dialog one
needs the Manage Users permission.
Log Directories configuration screen can be used to manage directories in which logs are kept. The
syslog's log directory is listed there as well – if the entry is deleted, no incoming logs will be parsed.
Log Directories configuration
If you have some old logs that need to be parsed, you may specify the directory in which they are
stored using this dialog.
4.4 Windows Services
When running F-Deets under Windows the server components are available as Windows services and
may be administered through the standard Windows Services interface. Click Settings → Control Panel →
Administrative Tools → Services to access the F-Deets service options:
F-Deets component services.
5 Troubleshooting
I cannot run the client.
If you are experiencing problems running the client, ensure you have .NET 3.5 installed. Make sure
you did not delete any DLLs from the fdeets/client directory. You might also try reinstalling the program.
The client starts, but it tells me that I do not have a license. How can I get one?
Visit http://www.f-deets.com/ to obtain an evaluation or demo license.
The client starts, but I cannot connect to the server.
Ensure the connection is properly configured. Check if the FdeetsConnectionDaemon service is
started. Ensure the proper certificate files are in the client directory.
I think I connected to the server, but what do I do next?
Create a new view. For a start, enter “all” as the name and select all columns. The view will appear below
the connection entry. Double-click it and a log view window will appear.
There are no entries in the log view window.
Ensure you have configured your network devices so they send messages to the machine F-Deets is
installed on. Ensure the fdeets/syslog/logs directory is added to the server log directories. Try choosing 1
day instead of 15 minutes in the time span selection.
6 Uninstall
To uninstall F-Deets select the uninstall option from the F-Deets program group in the Start menu. After
confirmation the application will be removed.
Remember that configuration files, log files and database files are not removed during uninstall. If you
are certain you do not need them, you can delete them manually.