
SSIM Integration Strategies (Windows)

Created: 31 Jan 2012 • Updated: 31 Jan 2012 | 15 comments
Author: Avkash K

24 votes

SSIM Windows Integration Strategies

Installation Types

  1. On-box installation
  2. Off-box installation

On-box installation: the SSIM Agent and Collector are installed on the target server itself.

Off-box installation: the SSIM Agent and Collector are installed on a remote server, and the Collector fetches the logs from the host server. For an off-box installation, the host server and the Collector server must already be able to communicate with each other.

On-box Agent Installation Procedure (Windows)

Changes on the Windows server

Step 1:

Before beginning the installation, monitor CPU utilization and capture a snapshot of it. The administrator needs to keep a close eye on CPU usage while installing the agent on the Windows server: an agent uninstall can occur if CPU usage is higher than normal.

Step 2:

  • Copy the Agent, Collector and JDBC software to the local Windows server, into the following path:
  • D:\SSIM or C:\SSIM (the administrator needs to create the new SSIM folder)
  • Add the SSIM IP address and its hostname to the hosts file. (To open the hosts file, go to Run, type drivers, open the etc folder and open the hosts file with Notepad.)
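The two pre-installation steps above (a CPU baseline and a hosts-file entry for the appliance) can be scripted so the snapshot is kept for comparison and the hosts entry is added exactly once. The following PowerShell is an added example, not part of the original article; the appliance hostname, its IP address, the 60-second sample window and the cpu-baseline.csv file name are placeholder assumptions, and it expects to run in an elevated session because the hosts file is protected.

```powershell
# Added example (not from the original article): pre-installation checks for the
# on-box agent, covering Step 1 (CPU baseline snapshot) and Step 2 (hosts file entry
# for the SSIM appliance). Run in an elevated PowerShell session.
# Hostname, IP (a TEST-NET-1 address) and sample window are placeholder assumptions.

$SsimHost   = 'ssim-appliance.example.local'   # assumed placeholder
$SsimIp     = '192.0.2.10'                      # assumed placeholder
$StageDir   = 'C:\SSIM'                         # staging folder named in the article
$SampleSecs = 60                                # assumed sampling window in seconds

# --- Step 1: capture a CPU utilization baseline before touching the server ---
# Sample total processor time once per second and keep average and peak so the
# figures seen during and after the agent install can be compared against them.
$snapshot = Get-Counter -Counter '\Processor(_Total)\% Processor Time' `
                        -SampleInterval 1 -MaxSamples $SampleSecs
$readings = $snapshot.CounterSamples | ForEach-Object { [math]::Round($_.CookedValue, 1) }
$baseline = [pscustomobject]@{
    Timestamp  = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    Samples    = $readings.Count
    AverageCpu = [math]::Round(($readings | Measure-Object -Average).Average, 1)
    PeakCpu    = ($readings | Measure-Object -Maximum).Maximum
}
New-Item -ItemType Directory -Path $StageDir -Force | Out-Null
$baseline | Export-Csv -Path (Join-Path $StageDir 'cpu-baseline.csv') -NoTypeInformation
$baseline | Format-List

# --- Step 2: add the appliance to the hosts file without duplicating entries ---
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$entry     = "$SsimIp`t$SsimHost"
$existing  = Get-Content -Path $hostsPath -ErrorAction Stop
# Any non-comment line that already names this host counts as present.
$hostRegex = '\s' + [regex]::Escape($SsimHost) + '(\s|$)'
$already   = $existing | Where-Object { $_ -notmatch '^\s*#' -and $_ -match $hostRegex }
if ($already) {
    Write-Host "hosts already contains: $already"
} else {
    # Keep a timestamped copy so the edit can be reverted.
    Copy-Item -Path $hostsPath -Destination "$hostsPath.bak-$(Get-Date -Format yyyyMMddHHmmss)"
    Add-Content -Path $hostsPath -Value $entry -Encoding Ascii
    Write-Host "added hosts entry: $entry"
}

# --- Confirm the name resolves to the intended appliance and that it answers ---
# GetHostAddresses honours the hosts file, so this checks the entry just written.
$resolved = [System.Net.Dns]::GetHostAddresses($SsimHost) |
            Select-Object -ExpandProperty IPAddressToString
if ($resolved -contains $SsimIp) {
    Write-Host "$SsimHost resolves to $SsimIp"
} else {
    Write-Warning "$SsimHost resolves to [$($resolved -join ', ')], not $SsimIp; check the hosts file"
}
if (Test-Connection -ComputerName $SsimIp -Count 2 -Quiet) {
    Write-Host 'appliance reachable by ICMP'
} else {
    Write-Warning 'appliance did not answer ping (ICMP may be filtered; rely on the installer connection test)'
}
```

The resolution check matters because a hosts entry that points at the wrong address silently sends agent traffic to the wrong appliance; the installer's own connection test (shown later in the procedure) is the second place this would surface.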

 

First install the agent software

Using an account with administrative privileges, run the installer by double-clicking the executable file install.exe.

The installer then walks through the following screens (each was shown as a screenshot):

  1. Symantec Event Agent Installer introduction
  2. Choose install folder
  3. Enter the IP address or hostname of the appliance with which you want to integrate the server
  4. Connection test
  5. Pre-installation summary
  6. Installing
  7. Installation finished; click Next
  8. Install complete; select Done

Install the Collector

Open a command prompt, change to the directory containing the collector installation files, and run install.bat.

After it completes, it asks "Run Java LiveUpdate for the collector?". Select "No". Then go to C:\Program Files\Symantec\Event Agent, open the log4j.properties file and change the MaxSize value to between 40000KB and 80000KB (the default is 100KB), as shown in the diagram below.
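The size change above can be made from PowerShell with a backup of the original file, which is useful when the same edit has to be repeated on many servers. This is an added example, not code from the article or from Symantec. It assumes the standard log4j 1.x conventions, a file named log4j.properties and a key of the form log4j.appender.<name>.MaxFileSize (the article calls them "log4jproperity" and "Maxsize"), and that the file sits under the Event Agent folder named in the article; verify both against the installed file before relying on it.

```powershell
# Added example (not from the original article): raise the log4j rolling-file size
# limit in the Event Agent logging configuration (the article's "between 40000KB and
# 80000KB", default 100KB). The file name log4j.properties and the MaxFileSize key
# are assumptions based on standard log4j 1.x conventions.

$agentDir = Join-Path ${env:ProgramFiles} 'Symantec\Event Agent'   # path from the article
$newSize  = '40000KB'                                              # lower end of the article's range

$propFile = Get-ChildItem -Path $agentDir -Filter 'log4j*.properties' -Recurse -ErrorAction Stop |
            Select-Object -First 1 -ExpandProperty FullName
if (-not $propFile) { throw "no log4j properties file found under $agentDir" }

# Keep a timestamped backup so the change can be reverted.
Copy-Item -Path $propFile -Destination "$propFile.bak-$(Get-Date -Format yyyyMMddHHmmss)"

# Rewrite every "log4j.appender.<name>.MaxFileSize=<value>" line; all other keys
# are passed through unchanged. ForEach-Object runs in the caller's scope, so the
# counter is updated in place.
$pattern = '^(\s*log4j\.appender\.[^=\s]+\.MaxFileSize\s*=\s*)\S+'
$changed = 0
$updated = Get-Content -Path $propFile | ForEach-Object {
    if ($_ -match $pattern) {
        $changed++
        "$($Matches[1])$newSize"
    } else {
        $_
    }
}

if ($changed -eq 0) {
    Write-Warning "no MaxFileSize key found in $propFile; inspect the file by hand"
} else {
    Set-Content -Path $propFile -Value $updated -Encoding Ascii
    Write-Host "set MaxFileSize=$newSize on $changed appender(s) in $propFile"
    # Show the resulting lines for the record.
    Select-String -Path $propFile -Pattern 'MaxFileSize' | ForEach-Object { $_.Line }
}
```

The agent service has to be restarted for a log4j change to take effect; check the file afterwards rather than assuming the regular expression matched, since the warning branch is exactly the case where the installed key does not follow the assumed naming.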

  

Changes on the SSIM boxes

Add the hostname and IP address of the integrated Windows server on every SSIM box separately (open each via the browser):

Go to Network Settings -> Edit Host File -> add the entries -> click Save to Hosts.

Then open the SSIM client and add the entry in the Windows server category:

Go to System -> Product Configuration -> expand "Microsoft Windows Event Collector" -> right-click the specific Collector sensor category -> click Properties.

Go to the Computers tab -> click the Add button.

Find the newly added server entry using the search option.

Select the server -> click Add and press OK, as shown below.

Right-click the Collector sensor category and press Distribute (mandatory).

Off-box Agent Integration Procedure (Windows)

In this case no agent or collector needs to be installed on the client system; only the SSIM client installation on the off-box host machine is required.

Step 1: Install the Agent and Collector on the off-box server.

Step 2: Check connectivity between the client and the off-box server (e.g. with ping).

Step 3: In SSIM, go to System -> off-box server -> Windows Event Log Sensor and click the Add button.

Step 4: Provide the client system's IP address X.X.X.X (as shown in the diagram above).

Step 5: Enter the path to the administrator account name. You can provide either a domain account path such as domain name\account name or Hostname\Account Name.

Step 6: Enter the password of the provided account.

Step 7: Check the events to verify whether logs are being generated.
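Steps 2 and 4 to 7 amount to a single question: can the account the sensor was given actually read the client's event log over the network? The PowerShell below, run from the off-box server, answers that before the sensor is expected to produce anything, so a firewall rule or missing right on the client is not mistaken for a collector fault. It is an added example, not code from the article or from Symantec; the client address (a TEST-NET-2 address standing in for the article's X.X.X.X), the account name and the Security log are placeholders, and the WinRM check is only relevant when the sensor is configured for WinRM rather than WMI. On Windows Vista/2008 and later, membership of the built-in Event Log Readers group is enough to read event logs remotely, which is a narrower grant than the administrator account Step 5 asks for; Symantec's documentation for the collector release in use is the authority on the minimum rights it needs.

```powershell
# Added example (not from the original article): run on the off-box server to
# verify that the account entered in Steps 5 and 6 can read the client's event
# log before expecting the sensor to collect anything (Step 7).
# Client IP, account and log name are placeholder assumptions.

$ClientIp = '198.51.100.25'               # placeholder for the article's X.X.X.X
$Account  = 'EXAMPLEDOM\ssim-collector'   # placeholder in the DOMAIN\account form from Step 5
$LogName  = 'Security'                    # assumed log to read; adjust to the sensor's configuration
$Cred     = Get-Credential -UserName $Account -Message 'Password for the collection account'

# 1. Basic reachability, the same check as Step 2's ping.
if (-not (Test-Connection -ComputerName $ClientIp -Count 2 -Quiet)) {
    Write-Warning "$ClientIp does not answer ping; the host may be down or ICMP may be filtered"
}

# 2. Can this account open the remote log at all? Get-WinEvent uses the Event Log
#    RPC service, so a failure here points at firewall rules or missing rights on
#    the client rather than at the collector itself.
try {
    $recent = Get-WinEvent -ComputerName $ClientIp -Credential $Cred -LogName $LogName `
                           -MaxEvents 5 -ErrorAction Stop
    if ($recent) {
        $newest = $recent | Select-Object -First 1
        Write-Host "read $(@($recent).Count) $LogName events from $ClientIp; newest is event ID $($newest.Id) at $($newest.TimeCreated)"
    } else {
        Write-Warning "$LogName log on $ClientIp opened but returned no events; check that auditing is producing records"
    }
} catch {
    Write-Warning "could not read the $LogName log on $ClientIp as $Account : $($_.Exception.Message)"
}

# 3. If the sensor is configured to use WinRM rather than WMI, confirm the
#    client's listener accepts this account as well.
try {
    Test-WSMan -ComputerName $ClientIp -Credential $Cred -Authentication Default -ErrorAction Stop | Out-Null
    Write-Host "WinRM listener on $ClientIp accepted $Account"
} catch {
    Write-Warning "WinRM check against $ClientIp failed: $($_.Exception.Message)"
}
```

A successful read of a handful of recent events, with a timestamp close to the current time, is the evidence Step 7 is looking for; an empty result with no error means the account and path are fine but the client is not generating the audited events the sensor is meant to forward.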

Comments (15)

Srikanth_Subra wrote:

Useful information. We are also planning to integrate SSIM, so this article is really useful. Vote up!

Thanks & Regards,

 Srikanth.S

"Defeat the Defeat before the Defeat Defeats you"
(Swami Vivekananda)

+1
Milan_T wrote:

Avkash,

Thanks for sharing such a good article; it will help us for future use as well.

As you have mentioned, for off-box installation I need to create a hole at the off-box system, so how can I create it?

+1
Avkash K wrote:

Hi,

For the changes required at the target server, I will try to cover them in my next article, as it is a very long procedure to cover all aspects here.

Regards,

Avkash K

0
Prem Thakur wrote:

This article is very useful for me as I am planning to implement it.

+1
mathell wrote:

@Avkash, I think your references to what is "off box" and "on box" don't really jibe with what Symantec uses. The off-box collector is any collector not installed on an appliance. The on-box collector is installed on the appliance. Both the scenarios illustrated are considered "off box". Here are some examples of Symantec usage of those terms:

http://www.symantec.com/business/support/index?page=content&id=TECH156921

http://www.symantec.com/business/support/index?page=content&id=TECH85715

http://www.symantec.com/business/support/index?page=content&id=TECH144356

 

Otherwise, the article does a good job of illustrating the two different methods of collecting via WinRM or WMI.  Remember though, there is also the Snare for Windows collection method.

+1
Avkash K wrote:

Hi Mathell,

Thanks for your reply.

I know that Symantec refers to it as OFFBOX.

 

But as per my understanding, there are actually 3 integration scenarios.

ON-BOX: as explained above.

OFF-BOX: as explained above.

ON-Board: this is exactly the Agent & Collector installed on the SSIM appliance.

Please correct me if I am wrong.

Regards,

Avkash K

0
mathell wrote:

It's not a huge deal, but I think calling the Vista/2008 collector "onbox" in any situation is incorrect. There is no onbox installation for this collector. One of the reasons this distinction is important is because all offbox collector installations must be registered with an appliance. Onbox installations do not. In both scenarios you describe, registration is required (which isn't mentioned, is it?). Onbox and offbox (sometimes referred to as on server and off server) are terms used in Symantec documentation and by Symantec support, so that's another reason to use consistent terminology.

+1
ya4ept wrote:

I think so will correctly

sorry, but I use translate.google.ru

+2
Avkash K wrote:

Yes,

You are exactly correct!!

Regards,

Avkash K

0
AR Sharma wrote:

I need to understand why host file entry is required on the machines which are getting integrated. DNS resolution should also work, right?

Thanks & Regards,

AR Sharma, CISSP

IBM Certified System Admin- Lotus Domino V7

ITIL V2 Certified

+1
Avkash K wrote:

Hi A R,

You are right!! DNS Resolution should work.

But to be on the safe side we do the hosts file entries to avoid some DNS resolution issues.

All of the SSIM appliances are Linux based, and most of the time we face DNS resolution issues with Linux.

 

So, to maintain best practice for integration, we always do the hosts file entry in each and every case.

Regards,

Avkash K

0
nilk88 wrote:

Good article!!

+1
Syed Hussain -Compliance Devil wrote:

Good one

Thanks,

-Syed Hussain

+1
Prem Thakur wrote:

quite handy!!!!!

 

Thanks for sharing.

0
M P Keshava wrote:

Thanks for such a clear, simple article.

 

Any idea whether this will work in an enterprise with about 10000 Vista/7 clients, all in a domain, with the collector/agent installed on the domain controller collecting and forwarding events from all clients?

0