Security Information Manager

novadean | November 18th, 2009
Hello, I am in the process of using the NewsFeeder tool to replay existing events into a new archive. I am trying to filter out events from a previous date so that they do not become correlated when I replay the events. What format is the eventdate stored as, so that I may construct my filter properly? eventdate >= ___________ Thanks! Dean
0 comments
Balazs 2 | November 17th, 2009
Hi, I tested our SSIM failover configuration and had the following error in the sesa-agent.log. I tested what happens when I turn off the main appliance. After the third attempt the agent stopped working and nothing happened. If I change the failover retry attempts to 1, everything works fine. 2009-11-10 13:20:57,046 INFO  [Logging] >>ForwardingProvider.sendEvents() - Exception: java.io.IOException: connection to manager failed, retry later (30) seconds. 2009-11-10 13:20:57,046 ERROR [Logging] java.io.IOException: connection to manager failed, retry later (30) seconds.  at com.symantec.management.providers.config.ConfigProvider.getMgmtServerConnectionEx(ConfigProvider.java:2231)  at com.symantec.management.providers.config.ConfigProvider.getMgmtServerConnection(ConfigProvider.java:2046)  at com.symantec.management.providers.forwarder.SESAEventForwardingProvider.sendEvents(SESAEventForwardingProvider.java:386)  at com.symantec.management.providers.forwarder....
2 comments
novadean | November 13th, 2009
Hello! Can anyone provide me with information on where the lookup tables are populated on the OS (i.e. which directory)? Thanks!
1 comment
Belén del Toro | November 12th, 2009
Hi, I have a question about doing a LiveUpdate for an off-box collector on a Windows computer in Spanish. When I try to execute runliveupdate.bat I get the following error: C:\Documents and Settings\Administrador>"C:\Archivos de programa\Symantec\Event Agent\collectors\symcep\runliveupdate.bat" Updating "symcepcollector"...... ERROR: Exception caught while reading product catalog from C:\Documents and Settings\All Users\Application Data\Symantec\Java LiveUpdate\Product.Catalog.LiveUpdate. Details: java.io.FileNotFoundException: C:\Documents and Settings\All Users\Application Data\Symantec\Java LiveUpdate\Product.Catalog.LiveUpdate (El sistema no puede hallar la ruta especificada)         at java.io.FileInputStream.open(Native Method)         at java.io.FileInputStream.<init>(FileInputStream.java:106)         at java.io.FileReader.<init>(FileReader....
1 comment
novadean | November 11th, 2009
Hello, Is there any way to specify the width of the columns in the reports? I would much rather dedicate a larger width to the description, and perhaps let the text of all other columns wrap accordingly. Thanks!
1 comment
Belén del Toro | November 11th, 2009
Hi, I've installed a Symantec Endpoint Protection Status event collector in SSIM and configured it to work with Sybase. I configured the property "Start reading from" in 'Beginning' and everything works fine. But the moment I change that property, and use 'end' instead, the collector starts writing this error: WARN    2009-11-11 17:06:14,000    Collectors.3293.wGroup.[workinggroup0].SensorThread    Thread-4721    Restarting the sensor... WARN    2009-11-11 17:06:15,047    Collectors.3293.wGroup.[workinggroup0].SensorThread    Thread-4721    Exception in Sensor thread [SEP state Sybase CEGES] while reading device. Details: java.lang.NumberFormatException: For input string: "SELECT MAX(TIME_STAMP) FROM SEM_AGENT"     at java.lang.NumberFormatException.forInputString(NumberFormatException.java:48)     at java.lang.Long...
5 comments
Steelejaxon | November 11th, 2009
I am administering the SSIM for my organization and, to be honest, my first impressions are not that great. I am trying to tweak the rules to minimize false positives but have been met with roadblocks time after time. My specific issue is this: I am trying to create and deploy a custom rule using the "Windows Account Lockout" rule as a starting point. The condition I want to add is to exclude any events in which the user "administrator" on either my XXX server or my YYY server gets locked out. I have the rule set up as follows: --------------------------------------------------------------------------- And (over all criteria) Or (over next 3 criteria) Windows Event ID = 539 Windows Event ID = 644 Windows Event ID = 4740 Or (over next 2 criteria) Destination Host Name <> (not equal to) XXX server Destination Host Name <> (not equal to) YYY server User Name <> (not equal to) administrator...
2 comments
joe1026 | November 9th, 2009
Hi, I just upgraded SSIM to 4.6.2 (Maintenance Pack 2) and when I try to log into the client I get the following message: The notification service is not running.  This service is required for security reasons. The application will now exit. com.symantec.sim.rx.RXAuthException: Unable to validate session  at com.symantec.sim.sal.auth.rx.SIMAuthManager.getNewAdminSession(SIMAuthManager.java:84)  at com.symantec.sim.sal.auth.rx.SIMAuthManager.validateCredential(SIMAuthManager.java:216)  at com.symantec.sim.rx.RXTcpService$WorkerTask.validateSession(RXTcpService.java:915)  at com.symantec.sim.rx.RXTcpService$WorkerTask.handleMethodCall(RXTcpService.java:723)  at com.symantec.sim.rx.RXTcpService$WorkerTask.run(RXTcpService.java:654)  at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)  at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)  at java.lang.Thread.run(Thread.java:...
7 comments
raul_b7 | November 8th, 2009
Hi, Can we monitor events on Firewall Policy Change through SSIM? Any specific Rule Set for that? Kind Regards Raul
2 comments
Steelejaxon | November 6th, 2009
New to SSIM. I have made several changes to the correlation rules (e.g. changed the Windows account lockout rule to exclude a certain username who frequently gets locked out). However, even after making the change, I am still getting incidents that should be affected by these changes. Another example is the Spyware Not Quarantined events. I made a change to exclude any events in which the words "google search bar" appear in the Name field, as this is a common false positive for us. Again, I have seen incidents with events which should be excluded pop up after I made the changes. I have the custom (User) rule checked and the default (System) rule deselected. Any ideas?
2 comments
Andrey Wang | November 4th, 2009
Hi, guys: how can I schedule automated forwarding of events from one SSIM to another? For example, if I configured the time range during which the SSIM would forward events to another SSIM on a schedule, it would look like a scheduled LiveUpdate or a scheduled report. It is of vital importance; can you find a solution for me? Thanks a lot.
0 comments
Nitass | November 4th, 2009
Hi, I am a newcomer to SSIM. I am unsure how IronPort sends its logs to SSIM. Would anyone please clarify it for me? The following is my configuration. At the IronPort, it is set to send syslog messages to SSIM. At the SSIM, the IronPort collector's sensor listens on UDP port 10535, but there is no Syslog Director configuration for the IronPort collector. The Syslog Director's sensor is on UDP port 10514. Anyway, I am able to query the IronPort's logs in SSIM. I am wondering how this comes about. Please let me know if I misunderstand anything. Thanks, Nitass
9 comments
novadean | November 3rd, 2009
Hello, I am attempting to audit a handful of MSSQL tables like I have for Oracle. Oracle allows you to specify a set of tables to audit, including the operations (SELECT, INSERT, UPDATE, etc.). It looks like the MSSQL collector uses a file sensor and only monitors the Error.log file, though. Is there any way to audit SQL operations like Oracle does and then send them to SSIM? Thanks!
1 comment
novadean | October 29th, 2009
Hello, What summarizer tables does SEP 11 use? We have reports for SAV that we would like to replicate for SEP. However, it looks like the queries do not use the same summarizer tables. I am trying other tables to attempt to duplicate the report. For example, we have a query that displays a chart of infected computers per hour. This query uses the SYMCMGMT.SUM_60_VIRUSEVENTIDMACHINE table. Thanks Dean
3 comments
bgrove7997 | October 28th, 2009
Hello, I am trying to find out more information than what is listed in the available documentation. 1. What, if any, system/software configuration for Windows Server 2003/2008 is needed? 2. What else is needed (system requirements and software) for the workstations (Windows XP) other than an event collector? Thank you.
2 comments
novadean | October 26th, 2009
I noticed that the Service Provider model only allows you to forward to a master SP from unique domains, meaning that you cannot forward incidents if the correlation machines are all under the same domain. I have two correlation appliances in my environment under the same domain. Is there any other way to forward incidents from multiple appliances to an SSIM when they are all under the same domain? Thanks!
3 comments
cchsleo | October 26th, 2009
Any ideas, please share. I have created a rule to alert me (via an email) when my vendors connect via VPN to my network. From the design console the rule works, but it fails to alert me when I push the rule out. Anyone? SSIM ver 4.6.1.24 (Event Type ID = VPN Connection Statistics AND User Name = VENDOR-NAME) Here is the rule: <?xml version="1.0" encoding="UTF-8"?> <Rule name="VPN_Consultant_1_1" type="SingleEventRule">   <EventCriteria name="">     <Group operator="0">       <Condition operator="0">         <Argument>           <Field id="event_id" name="Event Type ID" type="1" byname="true" byuser="true" />         </Argument>      ...
1 comment
novadean | October 26th, 2009
Hello, I am attempting to configure a service provider model architecture. So far, I have one SSIM configured as the "Service Provider Master" (enabled in the Appliance options) with "Store Incidents locally" enabled. I also have two separate correlation SSIM appliances and have set up an incident forwarding rule to the SP SSIM. I definitely see events coming through and being correlated on the correlation SSIM devices (I see it on the statistics page); however, it does not look like the SP master is receiving any of the forwarded incidents. Is there anything that I missed or should double-check? Thanks!
1 comment
Intasunta N. | October 26th, 2009
Hi, I found a problem when I use a search filter containing \ (backslash) in the filter criteria. For example: I found this when I needed to filter Username for the MS-ISA product, which contains "Domain\Username" in the Username column. 1) When I use the filter criteria Username = or contains "Domain\Username", there is no output result. 2) Then I tried to reproduce it by removing "Domain\", and it works for me. 3) Then I re-tried using "\Username" and only "\", and there is no output again. So I need to know how I can filter content that contains \ (backslash). Please help.
2 comments
Miak | October 23rd, 2009
Hi Friends, I'm new to SSIM and I need some help to install and configure it. I have two new boxes, 9650 and 9630, with software 4.5.2.22. I want to know which is the database (to store events) and which is the manager (to process the events). Is the installation simple? How will the manager and database communicate? How will the data archiving work? What are the prerequisites for installation? Any document and scenario will be highly appreciated. Thanks and Regards.
2 comments
kosk | October 22nd, 2009
Hi, Our SSIM fails to pull any logs from the SEPM. The following is our device spec: SEPM Version - 11.0.5; SEPM DB - MS SQL SVR 2000 SP 4; SSIM - SSIM 4.5.1.15 Hotfix 6. We followed the Symantec Event Collectors Integration Guide for SSIM 4.5, but it doesn't work. The following is our progress: 1. We registered the SEP collector with the SSIM. 2. We didn't install the Symantec Event Agent because the agent is embedded in the SSIM (if we understand correctly). 3. Installed the JDBC driver. 4. Configured the sensor properties of the SEP collector. 5. Installed queries on the Information Manager appliance. Can someone advise? Many thanks.
3 comments
igor.ramalho | October 21st, 2009
Hello everybody, I'm a little bit confused. I have installed a Snort collector for the SourceFire IPS (the engine used is Snort), but the ip_destination and source_ip fields are missing (they appear as empty), so I created a new syslog collector for SourceFire, based on the log captured directly from the SourceFire. Everything went fine and all the fields are OK, but when I register it in the SSIM the installation is OK, yet in the Syslog Director the new collector doesn't appear, so I can't use the redirector ports and I can't get the information. My question is: what might I have forgotten in the collector development so that it is automatically added to the Syslog Director? Maybe a function, etc.? I can send the files that I used in the Collector Studio. Any suggestion please... Sorry for my English. Igor Ramalho
1 comment
Belén del Toro | October 21st, 2009
Hi, I'm installing SSIM 4.6 and I'm having problems in the last step, with the domain name. The domain I'm trying to add is "ccccc.ccc.ccc.ccccc-ccccccccc.es". There are no blank spaces, all the c's are lower-case letters and there's only a dash. The error message I'm receiving is: The SSIM Domain contains special characters which are reserved. Please re-enter the domain. The domain also cannot contain spaces. I've checked in the KB (http://service1.symantec.com/support/ent-gate.nsf/...) and it doesn't exceed the size limitation nor violate the special-character restriction. What's wrong?
4 comments
JPAC | October 20th, 2009
This is a first-time install of SIM 4.6, so it's probably something really dumb I'm doing here. I installed on a Dell 2950 and got through installing the license, certificate, and console; now I'm stuck. Whenever I log in as either Administrator or my newly created account, all of the dashboard events simply read "An error occured while trying to load query." I checked the privileges for my role, ensuring I have read and search rights, and also verified the UN/PW is correct under System > DataStores > Properties > Connection. Verified that my role shows up under Permissions as well. In addition, whenever I click on System > Operating Systems or System > Locations, I get the error popup "Error occured while communicating with the data store." Any help is appreciated. Thanks! Tim
1 comment
novadean | October 20th, 2009
Hello, Is there a way to automatically close incidents? I ask because it appears our SSIM system is flooded with open incidents; it would be nice if incidents not handled by date 'x' became automatically closed. If this is not possible, is there a way to create alerts that are closed by default? That way you are alerted via e-mail that the rule has fired, but it does not require you to manage the alerts by closing them. Thanks! Dean
1 comment