Mumbai Security and Compliance User Group


Upgrading IBM AIX Collector to UNIX OS Event Collector on Linux Machine 

Jan 05, 2012 02:28 AM

This is the standard procedure to follow if you have the IBM_AIX Event Collector for AIX event collection, which is a log-file-based event collector.

You can upgrade it to the UNIX OS Event Collector, which collects events via syslog.

 

1)  Uninstalling SSIM Agent & Collector:

Uninstalling the collector component

When you uninstall the collector component, only the collector component is removed. The collector component includes the part of the collector that collects events from the third-party security products, processes them, and passes them to the Symantec Event Agent.

To uninstall the collector component

  1. On UNIX, navigate to the collector directory; the default directory is /opt/Symantec/sesa/Agent/collectors/ibm_aix.
  2. At the command prompt, type the following command:

./uninstall.sh

  3. Now we can proceed further with uninstallation of the SSIM Event Agent.

 

 

Uninstalling the Symantec Event Agent

Uninstalling the Symantec Event Agent removes the Java application that performs communication functions between Information Manager and the collector.

To uninstall the Symantec Event Agent

1. Navigate to the Agent installation directory, /opt/Symantec/sesa/Agent.

2. To uninstall the Symantec Event Agent, type the following command at the command prompt:

sh install.sh -u

3. Manually delete the Symantec Event Agent files in the following directory:

/opt/Symantec/sesa/Agent

 

 

2)  Installing SSIM Agent & Collector:

 

Updating the hosts file

To update the hosts file

1. Navigate to the /etc directory.

2. Use a text editor such as vi to open the hosts file.

3. Add the IP address and host name entries for the Information Manager appliance.

4. After you have added the IP address and host name, save and close the file.

You should ensure that the text editor that you use did not add a file extension.

 

Installing Symantec Event Agents

The Symantec Event Agent sends the data that is collected by the collector to the Information Manager appliance.

Before you install the Symantec Event Agent, you should complete the following steps in the order presented:

  • Uninstall any previous version of the agent
  • Ensure that there is network connectivity between the system where the agent will be installed and the Information Manager appliance
  • If there is a firewall between the agent computer and the Information Manager appliance, ensure that the following ports are open:

TCP 5998

TCP 8086

TCP 443

TCP 80
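The hosts-file edit and the port list above are the two pre-install steps that fail silently when done by hand: a stale or duplicate entry for the appliance, or one of the four ports blocked by an intervening firewall. The bash script below is an added example, not code from the original post or from Symantec. It updates the hosts file without leaving duplicate entries and probes the four TCP ports the post lists; the appliance IP address and host name are placeholders, and the hosts-file path defaults to /etc/hosts.

```bash
#!/usr/bin/env bash
# Added example (not code from the original post or from Symantec).
# Prepares a Linux host for the Symantec Event Agent install:
#   1. puts the Information Manager appliance into the hosts file without
#      leaving duplicate or stale entries behind, and
#   2. checks that the four TCP ports the post lists are reachable, so a
#      firewall problem is found before the agent is installed.
# Usage:  ./ssim_prep.sh run <appliance-ip> <appliance-hostname> [hosts-file]
# Every IP address and host name in this file is a constructed placeholder.

# Ports the post requires to be open between the agent host and the appliance.
SSIM_PORTS="5998 8086 443 80"

# ensure_hosts_entry FILE IP HOSTNAME
# Writes "IP<TAB>HOSTNAME" into FILE. Any existing line that already names
# HOSTNAME is dropped first, so re-running the step is safe and the appliance
# can never resolve to two different addresses.
ensure_hosts_entry() {
    file=$1; ip=$2; host=$3
    tmp=$(mktemp) || return 1
    awk -v h="$host" '
        /^[ \t]*#/ || NF < 2 { print; next }      # keep comments and blank lines
        { keep = 1
          for (i = 2; i <= NF; i++) if ($i == h) keep = 0
          if (keep) print }' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    printf '%s\t%s\n' "$ip" "$host" >> "$tmp"
    cat "$tmp" > "$file"; rc=$?
    rm -f "$tmp"
    return $rc
}

# hosts_ip_for FILE HOSTNAME
# Prints the IP that FILE maps HOSTNAME to; exit status 1 if there is none.
hosts_ip_for() {
    awk -v h="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == h) { print $1; found = 1; exit } }
        END { exit found ? 0 : 1 }' "$1"
}

# check_tcp_port HOST PORT [SECONDS]
# Exit 0 if a TCP connection to HOST:PORT opens within SECONDS (default 3).
# Uses bash's /dev/tcp so it works on a box without nc or telnet.
check_tcp_port() {
    timeout "${3:-3}" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# check_ssim_ports HOST
# Tries every port in SSIM_PORTS; prints a line per port and returns the
# number of ports that could not be reached (0 means the firewall is fine).
check_ssim_ports() {
    host=$1; failed=0
    for p in $SSIM_PORTS; do
        if check_tcp_port "$host" "$p"; then
            echo "ok       tcp/$p -> $host"
        else
            echo "BLOCKED  tcp/$p -> $host"
            failed=$((failed + 1))
        fi
    done
    return $failed
}

# Only act when invoked as "run ..." so the functions can be sourced safely.
if [ "${1:-}" = "run" ]; then
    ip=${2:?appliance IP}; host=${3:?appliance host name}; hosts_file=${4:-/etc/hosts}
    ensure_hosts_entry "$hosts_file" "$ip" "$host" \
        && echo "hosts: $host -> $(hosts_ip_for "$hosts_file" "$host")"
    check_ssim_ports "$host"
fi
```

Run it as root before step 1 of the agent install (for example `./ssim_prep.sh run 10.0.0.5 ssim-appliance.example.internal`); a non-zero exit from the port check tells you which of the four ports the firewall team still has to open.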

 

To install the Symantec Event Agent:

  1. Copy the SSIM Agent file named symevtagent_4.5.0.12.tar to the Linux server.
  2. Navigate to the directory where you copied the .tar file.
  3. At the command prompt, type the following command:

tar -xvf symevtagent_4.5.0.12.tar

This command creates a subdirectory that is named Agent, and then unpacks the Event Agent installation files into that directory.

  4. At the command prompt, to run the install script, type the following commands:

cd Agent

sh ./install.sh

  5. At the prompts, enter the appropriate information.

  

To verify Symantec Event Agent connectivity from Information Manager:

  1. From a Windows computer that has the SSIM Client installed, log on with an Information Manager user account with sufficient rights to view events.
  2. In the Information Manager console, in the left pane, click System.
  3. On the Administration tab, expand the tree until you see Organizational Units.
  4. Expand Organizational Units > Default.
  5. Verify that the name of the collector computer is listed.
  6. Right-click the computer name, and then click Properties.
  7. In the Computer Properties dialog box, on the Services tab, verify that the Agent Service displays Yes in the Started column.

 

Installing the collector on a remote computer:

The collector component reads the data from the security product, formats the data, and forwards it to the Symantec Event Agent.

To install the collector on a remote computer

  1. On the Linux machine, navigate to the install subdirectory of the collector installation files. The installation files are located in a temporary directory.
  2. At a command prompt, enter the following command:

sh ./install.sh

  3. Follow the installation wizard prompts.
  4. LiveUpdate the installed collector component.

 

After completing the installation procedure, if the logs do not resume with the new collector, then we can follow the standard troubleshooting steps listed below:

1. You can try disabling FIPS mode for the Agent installed on the Linux box.

2. Check the iptables rules of the Linux box; if possible, try disabling it.

3. Check whether your Linux box is receiving syslogs from the other AIX servers.
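Steps 2 and 3 above can be verified rather than guessed at. The script below is an added example, not code from the original post or from Symantec: it reads an iptables-save dump and reports whether the INPUT chain already lets the syslog port through (so one narrow allow rule can be added instead of disabling iptables on a log collector), and it scans a syslog file to list which AIX servers are actually delivering messages to the Linux box. It assumes syslog arrives on the standard port 514, since the post does not say which port the UNIX OS collector listens on, and the syslog lines and firewall rules it uses are constructed samples embedded in the script.

```bash
#!/usr/bin/env bash
# Added example (not code from the original post or from Symantec) for
# troubleshooting steps 2 and 3: instead of switching iptables off, check
# whether INPUT already lets the syslog port through, and instead of guessing,
# list which AIX servers are actually delivering syslog to this Linux box.
# Assumes syslog arrives on the standard port 514 (the post does not say which
# port the UNIX OS collector listens on). All sample data is constructed.

# write_sample_syslog PATH: constructed BSD-style syslog lines in the layout
# rsyslog writes by default ("Mon DD HH:MM:SS host tag: message").
write_sample_syslog() {
    cat > "$1" <<'EOF'
Jan  5 02:10:11 aixhost01 syslogd: restart
Jan  5 02:10:15 aixhost01 sshd[1234]: Accepted publickey for opsuser from 10.0.0.21 port 51000
Jan  5 02:11:02 aixhost02 su: BAD SU from appuser to root on /dev/pts/1
Jan  5 02:12:40 linuxcollector rsyslogd: [origin software="rsyslogd"] start
EOF
}

# write_sample_iptables PATH: constructed iptables-save output for a box with
# a DROP policy on INPUT and an explicit allow for syslog over UDP.
write_sample_iptables() {
    cat > "$1" <<'EOF'
# constructed iptables-save sample
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 514 -j ACCEPT
COMMIT
EOF
}

# syslog_source_hosts FILE: every distinct sending host (field 4), sorted.
syslog_source_hosts() {
    awk 'NF >= 5 { print $4 }' "$1" | sort -u
}

# syslog_missing_hosts FILE HOST...
# Prints each expected AIX host that has no line in FILE and returns how many
# are missing. 0 means every AIX server is reaching the Linux box, so the
# fault is in the collector/agent path rather than in syslog forwarding.
syslog_missing_hosts() {
    file=$1; shift
    seen=$(syslog_source_hosts "$file"); missing=0
    for h in "$@"; do
        if ! printf '%s\n' "$seen" | grep -qxF "$h"; then
            echo "$h"; missing=$((missing + 1))
        fi
    done
    return $missing
}

# iptables_allows_syslog RULES_FILE [PORT]
# RULES_FILE is the output of "iptables-save". Exit 0 if the INPUT chain
# lets PORT (default 514) in, either by an ACCEPT policy or an explicit rule.
iptables_allows_syslog() {
    rules=$1; port=${2:-514}
    if grep -q '^:INPUT ACCEPT' "$rules"; then
        echo "INPUT policy is ACCEPT; port $port is not filtered"
        return 0
    fi
    if grep '^-A INPUT ' "$rules" | grep -- "--dport $port " | grep -q -- '-j ACCEPT'; then
        echo "INPUT has an ACCEPT rule for dport $port"
        return 0
    fi
    echo "no INPUT rule accepts dport $port; add a narrow rule instead of disabling iptables:"
    echo "  iptables -I INPUT -p udp --dport $port -j ACCEPT"
    return 1
}

# Live use on the collector box (iptables-save needs root):
#   iptables-save > /tmp/rules.txt && iptables_allows_syslog /tmp/rules.txt
#   syslog_missing_hosts /var/log/messages aixhost01 aixhost02
```

If `syslog_missing_hosts` reports no missing hosts, the AIX servers are reaching the box and the gap is between the local syslog daemon and the new collector; if it lists hosts, the firewall check and the AIX-side syslog.conf forwarding are the places to look first.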

 


Comments

Mar 17, 2012 03:32 AM

Good one

Feb 02, 2012 06:07 AM

Hi,

It's Federal Information Processing Standard

For more details follow this link.

http://www.symantec.com/docs/TECH158092

Jan 28, 2012 12:18 AM

What is FIPS mode???
