Instructions for forwarding logs to your Log Management device

NETWORK INFRASTRUCTURE

Check Point Appliance

Check Point Enforcement Module

Cisco Adaptive Security Appliance (ASA)

Cisco Internetwork Operating System (IOS) Switches and Routers

Fortinet FortiGate

Fortinet FortiAnalyzer

Juniper Junos Pulse

Juniper Netscreen Firewall Appliance

Palo Alto Appliance

OPERATING SYSTEMS

Linux Server

Microsoft Windows Server using NXLog

Microsoft Windows Server using SolarWinds

Solaris

APPLICATIONS

Apache2 for Linux

McAfee ePolicy Orchestrator (ePO)

Symantec Endpoint Protection Manager

CLOUD SOLUTIONS

Microsoft Office 365

Okta

SentinelOne






Check Point Appliance

 

PREREQUISITES

Check Point running Gaia OS

  • The IP Address for the Check Point
  • Credentials to access the Check Point appliance
  • Secure Shell (SSH) access configured on the Check Point appliance

Clone Systems Log Management Device

  • The IP Address for the Clone Systems Log Management device

INSTRUCTIONS

1

Open a command prompt and SSH into the Check Point appliance using a tool like PuTTY.

 

 

2

Log into CLISH by entering the Login name and Password and then clicking Enter.

Login name: login name

Password: login password

Click Enter.

 

 

3

Add the Clone Systems Log Management device using the add syslog command. Then click Enter to auto save the configuration changes.

HostName> add syslog log-remote-address { IP Address of Clone Systems Log collector } level info

Example: HostName> add syslog log-remote-address 10.1.1.1 level info

Click Enter.

 

 

4

Log off the Check Point Appliance by typing exit and then clicking Enter.

HostName> exit

 



Check Point Enforcement Module

 

PREREQUISITES

Check Point Security Management Server running Gaia OS

  • The IP Address for the Check Point Security Management Server
  • Credentials to access the Check Point Security Management Server
  • Secure Shell (SSH) access configured on the Check Point Security Management Server

Clone Systems Log Management Device

  • The IP Address for the Clone Systems Log Management device

INSTRUCTIONS

1

Open a command prompt and SSH into the Check Point appliance using a tool like PuTTY.

PuTTY: a free SSH and Telnet client

Note: These instructions are not supported on Multi-Domain Server.

 

 

2

Log into CLISH by entering the Login name and Password and then clicking Enter.

Login name: login name

Password: login password

Click Enter.

 

 

3

After logging in to CLISH you need to access the bash shell in expert mode. Execute the expert command and enter the password to get to the bash shell.

[HostName]# expert

Password: expert password

Click Enter

 

 

4

Backup the cpboot script.

[Expert@HostName]# cp /etc/rc.d/init.d/cpboot /etc/rc.d/init.d/cpboot_ORIGINAL

 

 

5

Edit the current cpboot script using the VI editor.

[Expert@HostName]# vi /etc/rc.d/init.d/cpboot

 

 

6

Add the following line at the very bottom of the cpboot script.

fw log -f -t -n -1 2> /dev/null | awk 'NF' | sed '/^$/d' | logger -p local4.info -t CP_FireWall &

 

 

7

Save the changes and exit from the VI editor.

Press :wq

 

 

8

Reboot the Security Management Server.

[Expert@HostName]# reboot

Click Enter

 

 

9

If the Check Point Security Management Server logs do not appear on the Clone Systems Log Management device, repeat the steps above, adding the following line at the very bottom of the cpboot script in place of the line given in Step 6.

while read line ; do if [ "$(echo -- $line)" != "--" ] ; then logger -p local4.err -t CP_FireWall "$line" ; fi ; done < <(fw log -f -t -n -1 2>/dev/null) &

 



Cisco Internetwork Operating System (IOS) Switches and Routers

 

PREREQUISITES

Internetwork Operating System (IOS) Switches and Routers

  • The IP Address for the switch or router
  • Credentials to access the privileged mode for the switch or router
  • Secure Shell (SSH) access configured on the switch or router

Clone Systems Log Management Device

  • The IP Address for the Clone Systems Log Management device
 

INSTRUCTIONS

1

Open a command prompt and SSH into the Cisco switch or router using a tool like PuTTY.

 

 

2

Get to privileged mode on the Cisco switch or router and enter the password.

Router> enable

Password: ************

 

 

3

Execute a configuration command from the terminal to get into global configuration mode.

Router# config t

 

4

To log system messages and debug output to the Clone Systems Log Management device, use the logging command in global configuration mode.

Router (config)# logging { IP Address of Clone Systems Log collector }

EXAMPLE: Router (config)# logging 10.1.1.1

 

5

Enable timestamps for debugging events.

Router (config)# service timestamps debug datetime localtime

 

6

Enable timestamps for log events.

Router (config)# service timestamps log datetime localtime

 

7

Set the appropriate logging trap level with the logging trap informational command.

Router (config)# logging trap informational

 

8

End the global configuration mode.

Router (config)# end

 

9

Save the configuration changes to NVRAM.

Router# copy run start

 

10

Log off the Cisco switch or router.

Router# exit




Cisco Adaptive Security Appliance (ASA)

 

PREREQUISITES

Adaptive Security Appliance (ASA) or Next Generation Firewall (NGFW)

  • The IP Address for the ASA
  • Credentials to access the privileged mode for the ASA
  • Secure Shell (SSH) access configured on the ASA

Clone Systems Log Management Device

  • The IP Address for the Clone Systems Log Management device

INSTRUCTIONS

1

Open a command prompt and SSH into the Cisco ASA using a tool like PuTTY.

 

2

Get to privileged mode on the Cisco ASA and enter the password.

Cisco_ASA> enable

Password: ************

 

3

Execute a configuration command from the terminal to get into global configuration mode.

Cisco_ASA# config t

 

4

To log system messages and debug output to the Clone Systems Log Management device, use the logging host command in global configuration mode.

Cisco_ASA (config)# logging host {log collector local interface on ASA} { IP Address of Clone Systems Log collector }

EXAMPLE:   Cisco_ASA(config)# logging host inside 10.1.1.1

 

5

Exit global configuration mode.

Cisco_ASA (config)# exit

 

6

Save the configuration changes to NVRAM.

Cisco_ASA# copy run start

 

7

Log off the Cisco ASA.

Cisco_ASA# exit
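Once the IOS or ASA session is closed it is worth confirming, from a copy of the running configuration, that the lines the two Cisco procedures above add are actually present and point at the right collector. The following is an added example, not part of the original instructions and not a Cisco tool: it audits a running-config text for the IOS lines (logging <ip>, logging trap, service timestamps) and the ASA line (logging host <interface> <ip>). It additionally checks for "logging enable" on the ASA, which the procedure above does not mention but which the ASA requires before it sends anything. The three configurations in the block are constructed samples.

```python
"""Audit a Cisco IOS or ASA running configuration for the syslog settings the
two procedures above add, so a device can be checked after the fact instead
of trusting that the session was saved. Added example, not part of the
original instructions; the three configs below are constructed samples."""
import re

IOS_CONFIG = """\
hostname Router
service timestamps debug datetime localtime
service timestamps log datetime localtime
logging 10.1.1.1
logging trap informational
"""

# ASA keeps the collector on 'logging host <interface> <ip>'; 'logging enable'
# is not in the procedure above but the ASA sends nothing without it.
ASA_CONFIG = """\
hostname Cisco_ASA
logging enable
logging host inside 10.1.1.1
"""

INCOMPLETE_IOS = """\
hostname Router
logging 10.1.1.1
"""

# IOS 'logging trap' levels, lowest severity number first.
TRAP_LEVELS = ["emergencies", "alerts", "critical", "errors",
               "warnings", "notifications", "informational", "debugging"]
HOST_LINE = re.compile(r"^logging (?:host \S+ )?(\d{1,3}(?:\.\d{1,3}){3})\b")


def syslog_hosts(config):
    """Collector addresses from 'logging A.B.C.D' (IOS) or 'logging host IF A.B.C.D' (ASA)."""
    hosts = []
    for line in config.splitlines():
        m = HOST_LINE.match(line.strip())
        if m:
            hosts.append(m.group(1))
    return hosts


def trap_index(level):
    """Position of a trap level in TRAP_LEVELS; IOS also accepts the numeric form."""
    return int(level) if level.isdigit() else TRAP_LEVELS.index(level)


def audit(config, expected_collector, platform):
    """Return a list of findings; an empty list means the config matches the procedure."""
    lines = {l.strip() for l in config.splitlines()}
    findings = []
    hosts = syslog_hosts(config)
    if expected_collector not in hosts:
        findings.append("no logging destination for %s" % expected_collector)
    for h in hosts:
        if h != expected_collector:
            findings.append("unexpected logging destination %s" % h)
    if platform == "ios":
        trap = next((l for l in lines if l.startswith("logging trap ")), None)
        if trap is None:
            findings.append("logging trap level not set explicitly")
        elif trap_index(trap.split()[2]) < TRAP_LEVELS.index("informational"):
            findings.append("%s: informational messages will not be forwarded" % trap)
        for want in ("service timestamps log datetime localtime",
                     "service timestamps debug datetime localtime"):
            if want not in lines:
                findings.append("missing: " + want)
    elif platform == "asa":
        if "logging enable" not in lines:
            findings.append("missing: logging enable (ASA sends nothing without it)")
    else:
        raise ValueError("platform must be 'ios' or 'asa'")
    return findings


if __name__ == "__main__":
    for name, cfg, plat in (("ios", IOS_CONFIG, "ios"), ("asa", ASA_CONFIG, "asa"),
                            ("incomplete", INCOMPLETE_IOS, "ios")):
        print(name, audit(cfg, "10.1.1.1", plat) or "OK")
```

Feed it the output of "show running-config" captured from the device; a non-empty list of findings means one of the steps above did not take effect or was not saved with "copy run start".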




Fortinet FortiGate

 

PREREQUISITES

FortiGate Next Generation (NGFW) Firewall UTM Appliance

  • The IP Address for the FortiGate appliance
  • Credentials to access the FortiGate appliance
  • Secure Shell (SSH) access configured on the FortiGate appliance

Clone Systems Log Management Device

  • The IP Address for the Clone Systems Log Management device

INSTRUCTIONS

1

Open a command prompt and SSH into the Fortinet FortiGate using a tool like PuTTY.

 

2

Configure the FortiGate unit to send logs to a remote computer running a syslog server.

FortiGate # config log syslogd setting

 

3

Set the IP address of the Clone Systems Log Management device.

FortiGate (setting) # set server { IP Address of Clone Systems Log collector }

EXAMPLE: FortiGate (setting) # set server 10.1.1.1

 

4

Set the source IP address for the Fortinet FortiGate.

FortiGate (setting) # set source-ip {internal IP of Fortigate}

Note: This is the source IP that will be displayed in the logs.

 

5

Enable logging to the Clone Systems Log Management device.

FortiGate (setting) # set status enable

 

6

Save the changes you have made in the current table’s fields, and exit the edit command to the object prompt.

FortiGate (setting) # next

 

7

Save the changes to the current object and exit the config command. This returns you to the top-level command prompt.

FortiGate (setting) # end




Fortinet FortiAnalyzer

 

PREREQUISITES

FortiAnalyzer Network Security Logging, Analysis, and Reporting Appliance

  • The IP Address for the FortiAnalyzer appliance
  • Credentials to access the FortiAnalyzer appliance
  • Secure Shell (SSH) access configured on the FortiAnalyzer appliance

Clone Systems Log Management Device

  • The IP Address for the Clone Systems Log Management device

INSTRUCTIONS

1

Open a command prompt and SSH into the Fortinet FortiAnalyzer using a tool like PuTTY.

 

2

Configure the FortiAnalyzer unit to send logs to a remote computer running a syslog server.

FortiAnalyzer # config system syslog

 

3

Set the name of the Clone Systems Log Management device.

FortiAnalyzer (syslog) # edit "syslog"

 

4

Set the IP address of the Clone Systems Log Management device.

FortiAnalyzer (syslog) # set ip "{ IP Address of Clone Systems Log collector }"

EXAMPLE: FortiAnalyzer (syslog) # set ip "10.1.1.1"

 

5

Enter the port number for the syslog messages.

FortiAnalyzer (syslog) # set port 514

 

6

Save the changes you have made in the current table’s fields, and exit the edit command to the object prompt.

FortiAnalyzer (syslog) # next

 

7

Save the changes to the current object and exit the config command. This returns you to the top-level command prompt.

FortiAnalyzer (syslog) # end




Juniper Junos Pulse

 

PREREQUISITES

Junos Pulse SSL VPN Appliance

  • The IP Address for the Junos appliance
  • Credentials to access the Junos appliance
  • Secure Shell (SSH) access configured on the Junos appliance

Clone Systems Log Management Device

  • The IP Address for the Clone Systems Log Management device

INSTRUCTIONS

1

Open a command prompt and SSH into the Juniper Junos Pulse using a tool like PuTTY.

 

2

Enter configuration mode.

Juniper > config

 

3

Configure log messages to be sent to the Clone Systems Log Management device.

Juniper # set system syslog host { IP Address of Clone Systems Log collector } any error

EXAMPLE: Juniper # set system syslog host 10.1.1.1 any error

 

4

Specify a filename to capture log messages.

Juniper # set system syslog file qflogs any error

 

5

Commit the set of changes to the database and cause the changes to take operational effect.

Juniper # commit

 

6

Exit from configuration mode.

Juniper # exit




Juniper Netscreen Firewall Appliance

 

PREREQUISITES

Juniper Netscreen Firewall Appliance

  • The IP Address for the Juniper Netscreen appliance
  • Credentials to access the Juniper Netscreen appliance
  • Secure Shell (SSH) access configured on the Juniper Netscreen appliance

Clone Systems Log Management Device

  • The IP Address for the Clone Systems Log Management device

INSTRUCTIONS

1

Open a command prompt and SSH into the Juniper Netscreen appliance using a tool like PuTTY.

 

2

Enter the credentials and log into the Netscreen appliance.

 

3

Set the IP Address for the syslog host.

Netscreen> set syslog config { IP Address of Clone Systems Log collector }

EXAMPLE: Netscreen> set syslog config 10.1.1.1

 

4

Set the facilities setting which classifies and sends messages for events to the syslog host.

Netscreen> set syslog config { IP Address of Clone Systems Log collector } facilities local0 local0

EXAMPLE: Netscreen> set syslog config 10.1.1.1 facilities local0 local0

 

5

Set the default port 514 to which the Netscreen appliance sends syslog messages.

Netscreen> set syslog config { IP Address of Clone Systems Log collector } port 514

EXAMPLE: Netscreen> set syslog config 10.1.1.1 port 514

 

6

Send all event log entries to the syslog host.

Netscreen> set syslog config { IP Address of Clone Systems Log collector } log all

EXAMPLE: Netscreen> set syslog config 10.1.1.1 log all

 

7

Enable the syslog appliance.

Netscreen> set syslog enable

 

8

Log off the Juniper Netscreen Appliance by typing exit and then clicking Enter.




Palo Alto Appliance

 

PREREQUISITES

Palo Alto Appliance

  • The IP Address for the Palo Alto appliance
  • A web browser for accessing the Palo Alto appliance's web interface
  • Credentials to access the Palo Alto appliance

Clone Systems Log Management Device

  • The IP Address for the Clone Systems Log Management device

INSTRUCTIONS

1

Open a web browser and enter the IP address for the Palo Alto appliance to bring up the web interface.

 

2

Enter the credentials and log into the Palo Alto appliance.

 

3

Create a syslog server profile for the Clone Systems Log Management device by navigating to Device > Server Profiles > Syslog.

Enter a name for the Syslog profile and on the Servers tab enter the information for the Clone Systems Log Management device.

  • Name: { Name of the Clone Systems Log Management device }
  • Server: { IP address of the Clone Systems Log Management device }
  • Port: Default port 514
  • Facility: To be elected from the drop down according to the requirements

Click the Ok button.

 

4

Configure the log-forwarding profile to select the traffic and threat logs to be forwarded to Clone Systems Log Management device.

Navigate to Objects > Log forwarding then select the syslog server profile for forwarding traffic and threat logs to the Clone Systems Log Management device.

Click the Ok button.

 

5

Use the log forwarding profile in the security rules.

Navigate to Policies > Security Rule.

Select the rule for which the log forwarding needs to be applied. Apply the security profiles to the rule.

Go to Actions > Log forwarding and select the log forwarding profile from drop-down list.

Click the Ok button.

 

6

Commit the changes by clicking Commit at the top of the web interface.




Linux Server

 

PREREQUISITES

Linux Server

  • Credentials to access the Linux Server
  • Secure Shell (SSH) access configured on the Linux Server

Clone Systems Log Management Device

  • The IP Address for the Clone Systems Log Management device

INSTRUCTIONS

1

Open a command prompt and SSH into the Linux Server using a tool like PuTTY.

 

2

Open the rsyslog configuration file.

vi /etc/rsyslog.conf

 

3

Go to the end of the file and add the following lines to configure log messages to be sent to the Clone Systems Log Management device.

 

#(udp)

*.* @{ IP Address of Clone Systems Log collector }:514

#(tcp)

*.* @@{ IP Address of Clone Systems Log collector }:514

EXAMPLE:

#(udp)

*.* @10.1.1.1:514

#(tcp)

*.* @@10.1.1.1:514
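The difference between the two lines above is the transport: a single @ sends each message as one UDP datagram, @@ opens a TCP stream and terminates each message with a newline. The example below, added here and not part of the original instructions, reproduces both transports against a listener on the loopback interface and parses what arrives, so the format of a forwarded message can be seen before the collector is involved. It also shows how the <PRI> field at the front of each message encodes the facility and severity that the Check Point section's "logger -p local4.info" selects (local4 is facility 20, info is severity 6, so PRI is 166). The hostname, tag and message text are constructed.

```python
"""Loopback check of the two rsyslog forwarding forms from the instructions:
'*.* @host:514' (UDP, one datagram per message) and '*.* @@host:514' (TCP,
newline-delimited stream). Also shows how the PRI of a message encodes the
facility and severity that 'logger -p local4.info' selects. Added example;
the hostname, tag and message text are constructed."""
import socket
import threading

# RFC 3164 facility and severity codes (subset); PRI = facility * 8 + severity.
FACILITIES = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "syslog": 5,
              "local0": 16, "local4": 20, "local5": 21}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}


def priority(facility, severity):
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def decode_priority(pri):
    facility = {v: k for k, v in FACILITIES.items()}[pri // 8]
    severity = {v: k for k, v in SEVERITIES.items()}[pri % 8]
    return facility, severity


def build_message(facility, severity, hostname, tag, text, timestamp="Nov 27 10:15:01"):
    # BSD syslog layout: <PRI>TIMESTAMP HOSTNAME TAG: MSG
    return "<%d>%s %s %s: %s" % (priority(facility, severity), timestamp, hostname, tag, text)


def parse_message(raw):
    """Split a BSD syslog line back into its fields (timestamp is the fixed 15-char form)."""
    end = raw.index(">")
    pri = int(raw[1:end])
    rest = raw[end + 1:]
    timestamp, remainder = rest[:15], rest[16:]
    hostname, body = remainder.split(" ", 1)
    tag, _, text = body.partition(": ")
    facility, severity = decode_priority(pri)
    return {"facility": facility, "severity": severity, "timestamp": timestamp,
            "host": hostname, "tag": tag, "msg": text}


def forward(message, host, port, protocol):
    """Send one message the way rsyslog does for '@' (udp) and '@@' (tcp) targets."""
    data = message.encode()
    if protocol == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.sendto(data, (host, port))
    elif protocol == "tcp":
        with socket.create_connection((host, port), timeout=5) as s:
            s.sendall(data + b"\n")   # plain TCP syslog frames are LF-terminated
    else:
        raise ValueError("protocol must be 'udp' or 'tcp'")


def _receiver(protocol, ready, port_box, out):
    """Stand-in for the collector: bind an ephemeral loopback port, receive one message."""
    kind = socket.SOCK_DGRAM if protocol == "udp" else socket.SOCK_STREAM
    with socket.socket(socket.AF_INET, kind) as s:
        s.bind(("127.0.0.1", 0))
        s.settimeout(5)
        if protocol == "tcp":
            s.listen(1)
        port_box.append(s.getsockname()[1])
        ready.set()
        if protocol == "udp":
            out.append(s.recv(65535).decode())
            return
        conn, _ = s.accept()
        with conn:
            buf = b""
            while not buf.endswith(b"\n"):
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
            out.append(buf.rstrip(b"\n").decode())


def loopback_test(protocol):
    """Forward one constructed firewall line to a local listener and return what arrived, parsed."""
    ready, ports, out = threading.Event(), [], []
    t = threading.Thread(target=_receiver, args=(protocol, ready, ports, out), daemon=True)
    t.start()
    ready.wait(5)
    msg = build_message("local4", "info", "cp-mgmt", "CP_FireWall", "accept src=10.1.1.2 dst=10.1.1.3")
    forward(msg, "127.0.0.1", ports[0], protocol)
    t.join(5)
    return parse_message(out[0]) if out else None


if __name__ == "__main__":
    for proto in ("udp", "tcp"):
        print(proto, loopback_test(proto))
```

Pointing forward() at the real collector address and port 514 instead of the loopback listener gives a quick reachability check from the server before rsyslog is restarted; note that UDP delivery is silent about a closed port or a blocked path, which is the practical argument for the @@ form where the collector accepts TCP.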

 

4

Save the rsyslog configuration file.

 

5

Restart the rsyslog service.

service rsyslog restart

 

6

Restart the Linux server

reboot -f




Microsoft Windows Server using NXLog

 

PREREQUISITES

Microsoft Windows Server

  • NXLog Community or Enterprise Edition
  • Credentials to access the Windows Server

Clone Systems Log Management Device

  • The IP Address for the Clone Systems Log Management device


INSTRUCTIONS

1

An additional third party agent is required to configure your Microsoft Windows Server to send syslog.

The following instructions will detail how to configure the open source NXLog Community Edition agent.

Navigate a browser to the NXLog Community Edition download page.

 

 

2

Locate the Windows version and download the MSI installer file to your server.

Once the file has successfully downloaded, navigate to the downloaded file by clicking the View Downloads button and then Run the NXLog Community Edition MSI installer.

 

 

3

On the Welcome to the nxLog-CE Setup Wizard step, click the Next button.

 

 

4

On the End-User License Agreement step, click the I accept the terms in the License Agreement checkbox and then click the Next button.

 

 

5

On the Destination Folder step, customize the installation directory, if desired, then click the Next button.

Note: If you chose a custom installation directory, please note the path as you will need to make a modification to the NXLog configuration file.

 

6

On the Ready to install NXLog-CE step, click the Install button.

 

 

7

On the Completed the NXLog-CE Setup Wizard step, click the Finish button and the README.txt file will be opened in Notepad.

 

 

8

Next, we need to edit the NXLog configuration file to configure the log forwarding.

The default location for the NXLog configuration file is: C:\Program Files (x86)\nxlog\conf\nxlog.conf

Note: If you chose a custom installation directory, you will need to navigate to that directory to locate the NXLog configuration file. You will also need to update the ROOT directory specified in the configuration file before the NXLog service will start.

 

9

Edit the NXLog configuration file using an editor, such as Notepad, and paste the configuration detailed in this section to the bottom of the NXLog configuration file.

Note: In the <Output tcp> section, replace the Host setting with the IP Address of SIEM / Log Collector and exclude the <brackets>.

EXAMPLE: Host 10.1.1.1

<Extension syslog>
Module xm_syslog
</Extension>

# Windows Event Log
<Input eventlog>
Module im_msvistalog
</Input>

<Output tcp>
Module om_tcp
Host <IP Address of SIEM / Log Collector without <brackets> >
Port 514
Exec to_syslog_snare();
</Output>

<Route eventlog_to_tcp>
Path eventlog => tcp
</Route>

 

10

Save the NXLog configuration file.

 

 

11

Open the Services tool in the Windows Start menu, find the service named nxlog in the list, and then Start the service.

Start the Services tool by clicking the Windows Start button and entering services.msc in the Search programs and files field and then click the Enter button.




Microsoft Windows Server using SolarWinds

PREREQUISITES

Microsoft Windows Server

  • SolarWinds Event Log Forwarder for Windows
  • Credentials to access the Windows Server

Clone Systems Log Management Device

  • The IP Address for the Clone Systems Log Management device


INSTRUCTIONS

1

An additional third party agent is required to configure your Microsoft Windows Server to send syslog.

The following instructions will detail how to configure the free SolarWinds Event Log Forwarder for Windows.

Navigate a browser to the SolarWinds Event Log Forwarder for Windows download page and click the Download Free Tool button.

 

2

Fill out the Registration Form and then click the Proceed to Free Download button.

On the Add a Free 30-day Trial of Log & Event Manager pop up, click the Continue Without Adding link.

 

 

3

Download the Event Log Forwarder for Windows by clicking the Download Now button.

The SolarWinds-LogForwarder-FreeTool-v1.2.0 zip file will be downloaded to your machine. Extract the files and run the SolarWinds_Event_LogForwarder_Setup Windows Installer Package.

 

 

4

On the Welcome to the SolarWinds Event Log Forwarder for Windows Setup Wizard page click the Next button.

 

 

5

On the End-User License Agreement page select the I accept the terms in the License Agreement radio button and then click the Next button.

 

 

6

On the Configure Shortcuts page click the Next button.

 

 

7

On the Select Installation Folder page click the Next button.

 

 

8

On the Ready to Install page click the Install button.

 

 

9

On the Completing the SolarWinds Event Log Forwarder for Windows Setup Wizard page click the Finish button.

 

 

10

Launch the SolarWinds Event Log Forwarder for Windows application by clicking the Windows Start button and locating the application.

 

 

11

Once the SolarWinds Event Log Forwarder for Windows application loads, the Event Log Forwarder Dashboard will be displayed. Click the Subscriptions tab and select the Add button.

 

 

 

12

On the Select Event Logs step select the types of logs you would like to forward (Ex: Application, HardwareEvents, Security, System, Windows PowerShell, etc.) and then click the Next button.

 

 

13

On the Define Priority step click the Finish button.

Note: On the Subscription tab you will now see the “New Event Log Subscription” that contains the information about the Windows event logs you are forwarding.

14

Click the Syslog Servers tab and select the Add button.

 



15

On the Add Syslog Server page enter the IPv4 address for the Clone Systems Log Management device in the Server Address field and then click the Create button.

Note: On the Syslog Servers page you will now see the “New Syslog Server” that contains the information about the Clone Systems Log Management device.



16

Click on the Test tab and select System for the Event logs you wish to add a test event to field and Warning for the Type of test event field and then click the Create a test event button.

Note: The Test event successfully created message will appear next to the Create a test event button if it was successful.




Solaris

 

PREREQUISITES

Solaris 11.X

  • To configure the audit_syslog plugin, you must become an administrator who is assigned the Audit Configuration rights profile
  • To configure the syslog utility and create the auditlog file, you must assume the root role

Clone Systems Log Management Device

  • The IP Address for the Clone Systems Log Management device

INSTRUCTIONS

1

Select audit classes to be sent to the audit_syslog plugin, and make the plugin active.

Note: The p_flags audit classes must be preselected, either as system defaults or in the audit flags of a user or a rights profile. Records are not collected for a class that is not preselected.

# auditconfig -setplugin audit_syslog active p_flags=lo,+as,-ss

 

2

Configure the syslog utility.

Add an audit.notice entry to the syslog.conf file.
The entry includes the location of the log file.

# cat /etc/syslog.conf


audit.notice /var/adm/auditlog

Create the log file.

# touch /var/adm/auditlog

Set the log file’s permissions to 640.

# chmod 640 /var/adm/auditlog

Check which system-log service instance is running on the system.

# svcs system-log

STATE STIME FMRI
online Nov_27 svc:/system/system-log:default
disabled Nov 27 svc:/system/system-log:rsyslog

Refresh the configuration information for the active syslog service instance.

# svcadm refresh system/system-log:default

 

3

Refresh the audit service.

The audit service reads the changes to the audit plugin upon refresh.

# audit -s

 

4

Regularly archive the syslog log files.

The audit service can generate extensive output. To manage the logs, see the logadm(1M) man page.

Example 4-11 Specifying Audit Classes for syslog Output

In the following example, the syslog utility collects a subset of the preselected audit classes. The pf class is created in Example 3–15.

# auditconfig -setnaflags lo,na

# auditconfig -setflags lo,ss

# usermod -K audit_flags=pf:no jdoe

# auditconfig -setplugin audit_syslog active p_flags=lo,+na,-ss,+pf

The arguments to the auditconfig command instruct the system to collect all login/logout, non-attributable, and change of system state audit records. The audit_syslog plugin entry instructs the syslog utility to collect all logins, successful non-attributable events, and failed changes of system state.

For the jdoe user, the binary utility collects successful and failed calls to the pfexec command. The syslog utility collects successful calls to the pfexec command.
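The flag strings in the two examples above follow one small grammar: a bare class name selects both successful and failed events, a + prefix selects successes only, a - prefix failures only, and a ^ prefix removes a selection (the audit_flags syntax). Because the audit_syslog plugin only emits records that were preselected, what actually reaches syslog is the intersection of p_flags with the system, non-attributable and per-user flags. The block below is an added example, not from the Oracle documentation, that parses these strings and works the jdoe case through: with system flags lo,ss, non-attributable flags lo,na, jdoe's audit_flags=pf:no and p_flags=lo,+na,-ss,+pf, syslog receives all logins, successful non-attributable events, failed state changes and, for jdoe only, successful pfexec calls. The "always:never" split of the user attribute is assumed from the usermod -K form shown above.

```python
"""Work through the Solaris audit flag strings used above and show what the
audit_syslog plugin will actually emit given the preselection. Added example,
not from the Oracle documentation; flag strings are those on the page."""

BOTH = frozenset({"success", "failure"})


def parse_audit_flags(flags):
    """Return {class: set of outcomes} for a comma-separated audit flag string.
    Prefixes: '+' success only, '-' failure only, '^' removes the selection."""
    selection = {}
    for item in flags.split(","):
        item = item.strip()
        if not item:
            continue
        remove = item.startswith("^")
        item = item.lstrip("^")
        if item.startswith("+"):
            outcomes, name = {"success"}, item[1:]
        elif item.startswith("-"):
            outcomes, name = {"failure"}, item[1:]
        else:
            outcomes, name = set(BOTH), item
        if name == "no":                 # 'no' is the empty selection
            continue
        current = selection.setdefault(name, set())
        if remove:
            current -= outcomes
        else:
            current |= outcomes
    return {cls: outcomes for cls, outcomes in selection.items() if outcomes}


def merge(*selections):
    merged = {}
    for sel in selections:
        for cls, outcomes in sel.items():
            merged.setdefault(cls, set()).update(outcomes)
    return merged


def user_preselection(system_flags, na_flags, audit_flags_attr=""):
    """Effective preselection for one user: system flags (-setflags), non-attributable
    flags (-setnaflags) and the user's 'always:never' audit_flags attribute (assumed format)."""
    always, _, never = audit_flags_attr.partition(":")
    pre = merge(parse_audit_flags(system_flags), parse_audit_flags(na_flags),
                parse_audit_flags(always))
    for cls, outcomes in parse_audit_flags(never).items():
        if cls in pre:
            pre[cls] -= outcomes
    return {cls: outcomes for cls, outcomes in pre.items() if outcomes}


def syslog_coverage(preselection, p_flags):
    """Records audit_syslog emits: p_flags restricted to what is preselected."""
    wanted = parse_audit_flags(p_flags)
    return {cls: outcomes & preselection[cls] for cls, outcomes in wanted.items()
            if cls in preselection and outcomes & preselection[cls]}


if __name__ == "__main__":
    jdoe = user_preselection("lo,ss", "lo,na", "pf:no")
    other = user_preselection("lo,ss", "lo,na")
    print("jdoe :", syslog_coverage(jdoe, "lo,+na,-ss,+pf"))
    print("other:", syslog_coverage(other, "lo,+na,-ss,+pf"))
    # Step 1's p_flags=lo,+as,-ss asks for 'as', which this preselection never collects.
    print("step1:", syslog_coverage(other, "lo,+as,-ss"))
```

The last line of the usage illustrates the note in step 1: asking for +as in p_flags does nothing unless the as class is also preselected with -setflags or in a user's or profile's audit flags.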

Example 4-12 Putting syslog Audit Records on a Remote System

You can change the audit.notice entry in the syslog.conf file to point to a remote system. In this example, the name of the local system is sys1.1. The remote system is remote1.

sys1.1 # cat /etc/syslog.conf


audit.notice @remote1

The audit.notice entry in the syslog.conf file on the remote1 system points to the log file.

remote1 # cat /etc/syslog.conf


audit.notice /var/adm/auditlog




Apache2 for Linux

 

PREREQUISITES

Apache2 on Linux OS

  • Access to the apache2 log file
  • Access and permission to modify the rsyslog config file

Clone Systems Log Management Device

  • The IP Address for the Clone Systems Log Management device

INSTRUCTIONS

1

Open a command prompt and SSH into the Linux Server using a tool like PuTTY.

 

2

Locate the necessary files.

By default, the rsyslog.conf can be found at /etc/.

By default, the apache2 logs (possibly named access.log or error.log) are located in /var/log/apache2/.

 

3

Open the rsyslog configuration file.

vi /etc/rsyslog.conf

 

4

Go to the end of the file and add the following lines to configure log messages to be sent to the Clone Systems Log Management device.

Note: It may be necessary to change the location/name of the log file.

Note: Two values in the configuration below must be filled in: target (the IP address of the Clone Systems Log Management device) and protocol (tcp or udp).

### Modules ####
module(load="imfile") # file

#### Inputs ####

## Apache2 Error File
input(type="imfile" File="/var/log/apache2/error.log"
      Tag="Apache2-Error"
      PersistStateInterval="10000"
      Severity="info"
      MaxSubmitAtOnce="20000"
      Facility="local5"
)

## Apache2 Access log
input(type="imfile" File="/var/log/apache2/access.log"
      Tag="Apache2-access"
      PersistStateInterval="10000"
      Severity="info"
      MaxSubmitAtOnce="20000"
      Facility="local5"
)

#### Action: forward to the syslog server with a disk queue
action(type="omfwd"
       name="syslogfwd"
       action.resumeInterval="2"
       action.resumeRetryCount="-1"
       queue.type="disk"
       queue.filename="actionRqyslog"
       queue.maxdiskspace="500m"
       queue.size="500000"
       queue.timeoutenqueue="0"
       queue.discardmark="499990"
       target="{ IP Address of Clone Systems Log collector }"
       port="514"
       protocol="{ tcp or udp }" # change to tcp or udp
)
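Two things commonly go wrong when this fragment is copied from a rendered web page into rsyslog.conf: the quotation marks arrive as typographic characters that the RainerScript parser rejects, and the two placeholders are left in place, so the restart in step 6 fails or the action forwards nowhere. The following is an added example, not part of the original instructions and not an rsyslog tool: it lints such a fragment for curly quotes, unresolved { placeholders } and unbalanced parentheses, checks the omfwd target, port and protocol values, and fills in the two values the note above says must be declared. PASTED is a constructed, shortened copy of the fragment above as a paste would deliver it, curly quotes included.

```python
"""Lint an rsyslog RainerScript fragment pasted from a web page before the
rsyslog restart. Added example, not part of the original instructions; PASTED
is a constructed, shortened copy of the fragment above with typographic quotes."""
import ipaddress
import re

# Characters that copy-paste from rendered pages substitutes for " and '.
CURLY = {"\u201c": '"', "\u201d": '"', "\u2033": '"',
         "\u2018": "'", "\u2019": "'", "\u2032": "'"}
PLACEHOLDER = re.compile(r"\{[^}]*\}")
PARAM = re.compile(r'([\w.]+)="([^"]*)"')

PASTED = (
    'module(load=\u201dimfile\u201d) # file\n'
    'input(type=\u201dimfile\u201d File=\u201d/var/log/apache2/error.log\u201d\n'
    '      Tag=\u201dApache2-Error\u201d Severity=\u201dinfo\u201d Facility=\u201dlocal5\u201d)\n'
    'action(type=\u201domfwd\u201d name=\u201dsyslogfwd\u201d queue.type=\u201ddisk\u201d\n'
    '       target=\u201d{ IP Address of Clone Systems Log collector }\u201d\n'
    '       port=\u201d514\u2033 protocol=\u201d{ tcp or udp }\u201d)\n'
)


def normalize_quotes(text):
    return "".join(CURLY.get(c, c) for c in text)


def resolve(text, target, protocol):
    """Fix the quotes and fill in the two values the instructions say must be declared."""
    text = normalize_quotes(text)
    text = text.replace("{ IP Address of Clone Systems Log collector }", target)
    return text.replace("{ tcp or udp }", protocol)


def lint(text):
    """Return a list of findings; an empty list means the fragment is safe to install."""
    findings = []
    curly = sorted({c for c in text if c in CURLY})
    if curly:
        findings.append("typographic quotes present: " + " ".join("U+%04X" % ord(c) for c in curly))
    text = normalize_quotes(text)
    for ph in PLACEHOLDER.findall(text):
        findings.append("unresolved placeholder %s" % ph)
    if text.count("(") != text.count(")"):
        findings.append("unbalanced parentheses")
    for block in re.finditer(r"action\((.*?)\)", text, re.S):
        params = dict(PARAM.findall(block.group(1)))
        if params.get("type") != "omfwd":
            continue
        target = params.get("target", "")
        port = params.get("port", "")
        protocol = params.get("protocol", "")
        # rsyslog also accepts a hostname here; the procedure above expects an IP address.
        if not PLACEHOLDER.search(target):
            try:
                ipaddress.ip_address(target)
            except ValueError:
                findings.append("target is not an IP address: %r" % target)
        if not (port.isdigit() and 0 < int(port) < 65536):
            findings.append("port is not a valid port number: %r" % port)
        if not PLACEHOLDER.search(protocol) and protocol not in ("tcp", "udp"):
            findings.append("protocol must be tcp or udp, got %r" % protocol)
    return findings


if __name__ == "__main__":
    print("as pasted:", lint(PASTED))
    print("resolved :", lint(resolve(PASTED, "10.1.1.1", "tcp")))
```

A cheaper check for the quotes alone, once the fragment is already in place, is "rsyslogd -N1", which parses the configuration without starting the daemon; the linter here is useful because it also reports the placeholders and the values before anything is written to /etc/rsyslog.conf.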

 

5

Save the rsyslog configuration file.

 

6

Restart the rsyslog service.

service rsyslog restart

 

7

Restart the Linux server.

reboot -f

 




McAfee ePolicy Orchestrator (ePO)

 

PREREQUISITES

McAfee ePolicy Orchestrator (ePO) 5.9.x, 5.3.x to Clone LOGM/SIEM

  • Make sure your ePO installation is version 5.9 or 5.3.2 (with Hotfix 1185471 applied).

Note: Without Hotfix 1185471 applied to ePO 5.3.2, you can complete the installation of the syslog server, but ePO will not be able to communicate with the syslog server.

Note: If you use ePO 5.3.2 with Hotfix 1185471 applied and you have additional agent handlers, an extra step is required to replace two files on the agent handler with the Hotfix versions taken from the ePO server. See KB87469 for details.

Clone Systems Log Management Device

  • The IP Address for the Clone Systems Log Management device

INSTRUCTIONS

1

Launch McAfee ePolicy Orchestrator (ePO), enter your Username and Password, and then click the Log On button.

 

 

2

Add a new Registered Server and select Syslog for the type.

 

 

3

Enter the FQDN of the syslog server.

Note: You will need to create a DNS record on your DNS server for the Clone Systems LOGM/SIEM IP address.

 

 

4

Enter '514' for the port (or whatever port was communicated by Clone Systems' Support Team).

 

 

5

Select Enable event forwarding.

 

 

6

Click Test Connection.

Note: You should see a syslog connection success message when done.

 

 

7

Click Save to save the syslog Registered Server.

Note: All threat events received by ePO should now be automatically forwarded to the syslog server.

 




Symantec Endpoint Protection Manager

 

PREREQUISITES

Symantec Endpoint Protection Manager (SEPM) v12

  • The IP Address for the Symantec Endpoint Protection Manager
  • Credentials to access Symantec Endpoint Protection

Clone Systems Log Management Device

  • The IP Address for the Clone Systems Log Management device

INSTRUCTIONS

1

Log onto the server that Symantec Endpoint Protection Manager (SEPM) is installed on. Launch SEPM, enter your Username and Password, and then click the Log On button.

 

2

Click Admin from the toolbar on the left.

 

3

Click Servers

 

4

Click the local site or remote site that you want to export log data from

 

5

Click Configure External Logging

 

6

On the General tab, in the Update Frequency list box, select how often to send the log data to the file

 

7

In the Master Logging Server list box, select the management server to send the logs to.

If you use SQL Server and connect multiple management servers to the database, specify only one server as the Master Logging Server

 

8

Check Enable Transmission of Logs to a Syslog Server

 

9

Provide the following information:

Syslog Server

Type the IP Address of Clone Systems Log collector

Destination Port

Select the TCP protocol to use, and type the destination port that the Syslog server uses to listen for Syslog messages.

Log Facility

Leave this setting alone

 

10

On the Log Filter tab, check which logs to export

 

11

Click OK and confirm that the log messages are being sent to the Clone Systems Log Management device.




Microsoft Office 365

 

PREREQUISITES

Microsoft Office 365

  • Office 365 Portal
  • Administrator Credentials to access the Office 365 portal

Clone Systems Log Management Device

  • The IP Address for the Clone Systems Log Management device

INSTRUCTIONS

1.  Enable Office 365 Auditing

The following procedures detail the steps for enabling Office 365 auditing.

1

Navigate a browser to the Office 365 Portal.

 

2

On the Sign in screen of your Office 365 Portal login with your administrator account.

Login name: Your Admin email

Click Next.

Password: Your Admin password

Click Sign in

If prompted to Stay Signed in click No.

 

3

Note: If you are not on the Admin Center page you will need to click the App Launcher located in the top left corner and select the Admin app.

On the left-side menu of the Admin center page, select Security & Compliance located under the Admin centers menu.

Locate the left-side menu on the Admin center page.

Click Admin centers

Under Admin centers click Security & Compliance.

 

4

On the Audit log search page click the link to start recording user and admin activities.

Note: If you do not see a link that says Start recording user and admin activities then Auditing may already be enabled. You can click the Search button at the bottom of the screen and see if results are returned. If you see results you can skip the remaining steps in this section.

On the Audit log search page navigate to the link below the heading.

Click the Start recording user and admin activities link.

 

5

On the Start recording user and admin activities dialog box turn on recording for user and admin activities.

On the Start recording user and admin activities dialog box.

Click Turn on

 

6

A Security & Compliance dialog box may appear requiring you to update your organization.

If the Security & Compliance dialog box appears requiring you to update your organization.

Click Yes

7

The Auditing will begin within the next couple of hours. You can click the Search button at the bottom of the screen to see if results are returned.

Note: Be sure that you are seeing results before you proceed to the next section on registering the Clone Systems Appliance with Azure Active Directory.

On the Audit log search page.

Click Search

Confirm that Results are returned and displayed on the page.

 

2. Registering the Clone Systems Appliance with Azure Active Directory

The following procedures detail the steps for registering the Clone Systems Clone Guard® Log Management device.

1

Note: If you are not on the Admin Center page you will need to click the App Launcher located in the top left corner and select the Admin app.

On the left-side menu of the Admin center page, select Azure Active Directory located under the Admin centers menu

Locate the left-side menu on the Admin center page.

Click Admin centers

Under Admin centers click Azure Active Directory.

 

2

On the left-side menu of the Azure Active Directory admin center page, select Azure Active Directory. A menu will appear to the right of the left-side menu and you should select App registrations.

Locate the left-side menu on the Azure Active Directory admin center page.

Click Azure Active Directory

A menu will appear to the right of the left-side menu.

Click App registrations

 

3

On the App Registrations page click the View all applications button to display the Applications. If you do not have a CGLOGM application configured, click the New application registration button in the top menu.

The App Registrations page will appear on the right.

Click View all applications

Confirm that you do not have a CGLOGM application in the list.

Click New application registration

 

4

On the Create window enter the information for the Clone Systems Clone Guard® Log Management appliance and create the App registration.

Note: Record the Application ID assigned to CGLOGM.

For the Name field enter CGLOGM

For Application type drop down keep the Web app / API selection.

For the Sign-on URL field enter https://www.clone-systems.com

Click the Create button

A message box will display in the top right corner indicating: Successfully created application CGLOGM.

Click the View all applications button and you should see CGLOGM in the list of App registrations.

Note: Copy the string in the Application ID column to notepad and label it Application ID as you will need this value to configure the Office Connector in the Clone Systems Clone Guard® Log Management appliance.

 

5

Click CGLOGM in the Display Name column to bring up the registered app settings, then click the Settings cog. When the Settings section is displayed, select Required permissions under the API Access heading.

In the Display Name column click CGLOGM

Click the Settings cog in the menu below the CGLOGM Registered app heading.

The Settings section will appear; locate the API Access section within it.

Click Required permissions

 

6

On the Required permissions section click Add to bring up the Add API access section. Click Select an API to display the Select an API section and then click Office 365 Management APIs.

The Required permissions section will appear.

Click Add

The Add API Access section will appear.

Click Select an API

The Select an API section will appear

Click Office 365 Management APIs

Click the Select button

7

On the Enable Access section locate the Application Permissions and then select the checkboxes noted in the detail sections of this step.

On the same section locate the Delegated Permissions and then select the checkboxes noted in the detail sections of this step.

On the Add API access section click the Done button.

The Enable Access section will appear.

Under Application Permissions select the following checkboxes.

  • Read DLP policy events including detected sensitive data
  • Read activity data for your organization
  • Read service health information for your organization

Under Delegated Permissions select the following checkboxes.

  • Read DLP policy events including detected sensitive data
  • Read activity data for your organization
  • Read service health information for your organization

Click the Select button

The Add API access section will appear

Click the Done button

A message box will display in the top right corner indicating: Successfully added application Office 365 Management APIs’s permissions.

8

On the Required permissions section click Windows Azure Active Directory.

On the Enable Access section locate the Application Permissions and then select the checkbox noted in the detail sections of this step.

On the Required permissions section:

Click Windows Azure Active Directory

The Enable Access section will appear.

Under Application Permissions select the following checkbox.

  • Read directory data

Click the Save button

A message box will display in the top right corner indicating: Updating application Windows Azure Active Directory’ permissions.

9

On the Required permissions section click the Grant Permissions button. Then click Yes to Grant the permissions.

On the Required permissions section:

Click Grant Permissions

Click Yes

A message box will display in the top right corner indicating: Successfully granted permissions for application CGLOGM.

 

10

On the Settings section select Keys under the API Access heading.

To the left of the Required permissions section is the Settings section.

Locate the API Access heading

Click Keys

 

11

On the Keys section enter a name for the Key and an Expiration duration.

Note: Record the Key Value assigned to CGLOGM as you will not be able to access it after you leave this section.

For the Key Description field enter CGLOGM

For Duration drop down select Never expires

Click Save

A message box will display in the top right corner indicating: Successfully updated application CGLOGM keys

Note: Copy the string in the Key Value column to notepad and label it Key Value as you will need this value to configure the Office Connector in the Clone Systems Clone Guard® Log Management appliance.

 

12

Using another tab in your browser, grant admin consent to the CGLOGM app so that it can access your logs.

In the URL below, replace the placeholder <REPLACE-THE-BRACKETS-<->-AND-THIS-TEXT-WITH-APPLICATION-ID> (including the angle brackets) with the Application ID recorded in step 4.

https://login.windows.net/common/oauth2/authorize?response_type=code&resource=https%3A%2F%2Fmanage.office.com&client_id=<REPLACE-THE-BRACKETS-<->-AND-THIS-TEXT-WITH-APPLICATION-ID>&redirect_uri=https%3A%2F%2Fwww.clone-systems.com&prompt=admin_consent

Copy the URL and then paste into a new tab in your browser.

You may be prompted to Pick a login account and if so, select your Office 365 Administrator account.

Click Accept

You will then be redirected to the Clone Systems home page.

 

13

Navigate back to the Browser tab that you used to configure the CGLOGM app.

On the left-side menu of the Azure Active Directory admin center page, select Azure Active Directory. A menu will appear to the right of the left-side menu and you should select Custom domain names. Identify the Primary domain name as it will have a check mark in the Primary column.

Note: Record the primary Domain Name located in the Name column.

Locate the left-side menu on the Azure Active Directory admin center page.

Click Azure Active Directory

A menu will appear to the right of the left-side menu.

Click Custom domain names

Note: Copy the string in the Name column for the Domain Name that has a check mark in the Primary column to notepad and label it Domain Name as you will need this value to configure the Office Connector in the Clone Systems Clone Guard® Log Management appliance.

14

On the left-side menu of the Azure Active Directory admin center page, select Azure Active Directory. A menu will appear to the right of the left-side menu and you should select Properties. Identify the Directory ID field and copy the value.

Note: Record the value in the Directory ID field.

Locate the left-side menu on the Azure Active Directory admin center page.

Click Azure Active Directory

A menu will appear to the right of the left-side menu.

Click Properties

Note: Copy the string in the Directory ID column to notepad and label it Directory ID as you will need this value to configure the Office Connector in the Clone Systems Clone Guard® Log Management appliance.

15

Please provide the following values to Clone Systems to complete the configuration for forwarding Microsoft Office 365 logs to your Log Management device:

  • The Application ID assigned to CGLOGM
  • The Key Value assigned to CGLOGM
  • The primary Domain Name
  • The Directory ID
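
Before handing the four values over, it is worth confirming they actually work together. The following is an added example, not Clone Systems' or Microsoft's code: it rebuilds the step 12 admin-consent URL from the Application ID, and then uses the Domain Name, Application ID, Key Value and Directory ID to request a client-credentials token from the same login.windows.net endpoint and list the Office 365 Management Activity API subscriptions. Function names and the GUID check are the example's own.

```python
"""Added example (not the page's or Clone Systems' code): check the values
collected in steps 4, 11, 13 and 14 against the Office 365 Management API."""
import json
import re
import urllib.parse
import urllib.request

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
RESOURCE = "https://manage.office.com"          # resource from the step 12 URL
REDIRECT_URI = "https://www.clone-systems.com"  # sign-on URL from step 4


def admin_consent_url(application_id: str) -> str:
    """Build the step 12 admin-consent URL with the Application ID filled in."""
    if not GUID_RE.match(application_id):
        raise ValueError("Application ID must be a GUID, got %r" % application_id)
    query = urllib.parse.urlencode({
        "response_type": "code",
        "resource": RESOURCE,
        "client_id": application_id,
        "redirect_uri": REDIRECT_URI,
        "prompt": "admin_consent",
    })
    return "https://login.windows.net/common/oauth2/authorize?" + query


def token_request(domain_name: str, application_id: str, key_value: str):
    """Return (url, form body) for a client-credentials token request.
    domain_name is the primary Domain Name from step 13 (the tenant)."""
    url = "https://login.windows.net/%s/oauth2/token" % domain_name
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": application_id,
        "client_secret": key_value,
        "resource": RESOURCE,
    }).encode()
    return url, body


def subscriptions_url(directory_id: str) -> str:
    """Activity-feed subscription list for the tenant (Directory ID, step 14)."""
    return RESOURCE + "/api/v1.0/%s/activity/feed/subscriptions/list" % directory_id


def check_credentials(domain_name, application_id, key_value, directory_id):
    """Live check (needs network): get a token, then list subscriptions."""
    url, body = token_request(domain_name, application_id, key_value)
    with urllib.request.urlopen(urllib.request.Request(url, data=body)) as resp:
        token = json.load(resp)["access_token"]
    req = urllib.request.Request(subscriptions_url(directory_id),
                                 headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)   # list of {contentType, status, webhook}
```

An empty list from check_credentials means the token and permissions work but no content types have been subscribed yet; an HTTP 401 or 403 points at a wrong Key Value or at admin consent (step 12) not having been granted.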

 


Okta

 

PREREQUISITES

Okta

  • Okta Portal
  • Administrator Credentials to access the Okta portal

Clone Systems Log Management Device

  • The IP Address for the Clone Systems Log Management device

INSTRUCTIONS

1

Navigate a browser to the Okta Portal.

 

2

On the Sign in screen of your Okta Portal, log in with your organization and administrator account.

mycompany: Your Okta Organization

Click Go.

Username: Your Admin username

Password: Your Admin password

Click Sign In

 

3

On the UserHome page select Admin to access the Admin dashboard for your Okta portal.

Locate the top menu on the UserHome page.

Click Admin.

 

4

On the Admin dashboard, select the Security menu and then the API menu option.

Locate the top menu on the Admin dashboard page.

Click Security.

Under Security click API.

 

5

On the API Tokens page select Create Token.

Locate the Create Token button under the Tokens section of the API page.

Click Create Token.

 

6

Enter a name for your API Token.

Enter a name for the API Token in the What do you want your token to be named? field of the Create Token page.

Click Create Token.

 

7

The API Token Value will be created.

Note: Record the Token Value assigned.

A message will display indicating: Token created successfully!

Note: Copy the string in the Token Value field to notepad and label it Token Value as you will need this value to configure Okta in the Clone Systems Clone Guard® Log Management appliance.

Click OK, Got it.

 

8

Please provide the following values to Clone Systems to complete the configuration for forwarding Okta logs to your Log Management device:

  • The Token Value
  • Your Okta Organization name

Note: The URL used to access your Okta portal API is:

https://{Your Okta Organization}.okta.com/api/v1
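
The Token Value and organization name are what a collector uses against that API URL. As an added example (not Clone Systems' or Okta's code), the following pulls events from the Okta System Log endpoint /api/v1/logs under that base URL, sending the token in the SSWS Authorization header and following the rel="next" Link header Okta returns for paging. The function names and the paging limit are the example's own.

```python
"""Added example (not the page's or Clone Systems' code): read the Okta
System Log with the Token Value from step 7 and the organization from step 8."""
import json
import re
import urllib.parse
import urllib.request

# Okta returns the next page as a Link header: <url>; rel="next"
LINK_NEXT_RE = re.compile(r'<([^>]+)>;\s*rel="next"')


def logs_url(org: str, since: str, limit: int = 100) -> str:
    """First page of /api/v1/logs for the organization; since is ISO-8601 UTC."""
    base = "https://%s.okta.com/api/v1/logs" % org
    query = urllib.parse.urlencode(
        {"since": since, "limit": limit, "sortOrder": "ASCENDING"})
    return base + "?" + query


def next_page(link_header: str):
    """Return the rel="next" URL from a (joined) Link header, or None."""
    if not link_header:
        return None
    m = LINK_NEXT_RE.search(link_header)
    return m.group(1) if m else None


def fetch_logs(org: str, token: str, since: str, max_pages: int = 10):
    """Live fetch (needs network): walk pages until one comes back empty."""
    url = logs_url(org, since)
    events = []
    for _ in range(max_pages):
        req = urllib.request.Request(url, headers={
            "Authorization": "SSWS " + token,   # Okta API token scheme
            "Accept": "application/json",
        })
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
            # several Link headers may be present; join them before parsing
            link = ", ".join(resp.headers.get_all("Link") or [])
        events.extend(page)
        url = next_page(link)
        if not page or not url:
            break
    return events
```

Each returned event carries eventType, actor and outcome fields; an HTTP 401 on the first request means the Token Value is wrong or has been revoked.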


SentinelOne

 

PREREQUISITES

SentinelOne

  • SentinelOne cloud-based Portal
  • Administrator Credentials to access the SentinelOne solution

Clone Systems Log Management Device

  • The IP Address for the Clone Systems Log Management device

INSTRUCTIONS

1

Navigate a browser to your company’s SentinelOne cloud-based management portal.

https://<Your Domain Name>.sentinelone.net

 

2

On the Sign-in screen of your SentinelOne Portal, log in with your Administrator account.

Username: Your Admin username

Password: Your Admin password

Click LOGIN

 

3

On the SentinelOne management console, click Settings.

Locate the left side menu on the SentinelOne management console.

Click the Settings menu option.

 

4

On the Settings screen, click USER.

Locate the menu at the top of the Settings page.

Click the USER menu option.

 

5

On the User page, create a new User that will be configured to log into the API.

Note: Record the Username and Password.

Click the +User button at the top of the page and fill in the User's details.

Click the CREATE button.

 

6

Please provide the following values to Clone Systems to complete the configuration for forwarding SentinelOne logs to your Log Management device:

  • The Username
  • The Password
  • The Domain Name for your SentinelOne cloud-based management portal

Note: The Domain Name used to access your SentinelOne portal is typically:

https://<Your Domain Name>.sentinelone.net

Note: The API documentation is available via https://<Your Domain Name>.sentinelone.net/apidoc