API - BeyondTrust Retina Vulnerability Management
Retina is a vulnerability/penetration scanner made by BeyondTrust (formerly eEye Digital Security) that has a large set of high-quality vulnerability and exploit-detecting plugins. This document describes how to configure collection of Retina or Retina CS vulnerability data via the LogRhythm System Monitor.
- Retina CS. Client-server edition that stores data centrally on a SQL Server database; the Agent connects to the Retina CS server.
- Retina. Community edition that stores data in a local database; the Agent resides on the local Retina server.
Regardless of the Retina product type, the LogRhythm System Monitor can import Retina scan reports and convert them into LogRhythm logs.
- Each time a Retina report is run by the Agent, it logs the same vulnerabilities, services, and compromises as the previous report, assuming no changes have been made to the scanned hosts. For example, if a host is scanned on Monday and 10 vulnerabilities are found, the Agent logs those 10 vulnerabilities. If the same host is scanned on Tuesday and nothing on the host has changed, the same 10 vulnerabilities are logged again. This is expected, because each scan represents the current state of the host.
- The LogRhythm System Monitor supports one Retina server per message source and configuration file.
- The LogRhythm System Monitor downloads reports for all projects within the Retina server.
LogRhythm supports collection from Retina up to version 5.24.4 and Retina CS up to version 5.8.1.
Prerequisites
The Retina standalone product requires the Microsoft JET OLEDB driver to be installed on the system where the Windows Agent is running. On 32-bit Windows systems, the 32-bit version of the driver is already installed with the OS. On 64-bit systems, the 64-bit version of the driver must be installed as a separate step. The driver is called Microsoft Access Database Engine 2010 Redistributable and can be downloaded at http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=13255.
The collection mechanism used by the Agent references a local configuration file and uses state tracking to remember the last log read from that source. The following information is required for this process to function properly and should be gathered before configuring collection:
- The connection information for the Retina server that the Agent will access and collect from.
- The System Monitor (Agent) that will collect the audit data from the Retina server.
Configure the retina.ini File
The Retina interface is configured using an .INI file in the config folder of the Agent (typically C:\Program Files\LogRhythm\LogRhythm System Monitor\config\retina.ini). The following settings are specified in that file:
Setting | Default Value | Description
---|---|---
RetinaDataSourceType | RetinaCS | Product type: Retina or RetinaCS.
RetinaCSServer | CHANGE_THIS | Retina CS Only: Host name or IP address of the Retina CS server (SQL Server database server).
RetinaCSUsername | CHANGE_THIS | Retina CS Only: User name for the Retina CS database (SQL Server user name).
Password | CHANGE_THIS | Password for the Retina CS user name. The password must be encrypted using the lrcrypt command line utility. Usage: lrcrypt [-e passwordtoencrypt] [path\inifile]. For more information on how to use the LogRhythm Encryption Utility, see Deployment Security.
RetinaScansDirectory | CHANGE_THIS | Retina Only: The directory where the Retina RTD database scan files are stored. Example: C:\Program Files (x86)\BeyondTrust\Retina 5\Scans
RetinaAuditsXmlFile | CHANGE_THIS | Retina Only: The path to the Retina audits.xml file. Example: C:\Program Files (x86)\BeyondTrust\Retina 5\Database\audits.xml
IncludeServices | False | If true, the System Monitor also logs the services it discovers running on each scanned host.
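A common reason a Retina collector sits idle is a retina.ini that still carries CHANGE_THIS placeholders, or that selects one product type while only the other type's keys are filled in. The following pre-flight checker is an added example written for this page; it is not LogRhythm or BeyondTrust code. It parses the settings listed in the table above and reports those mistakes before the Agent is restarted. The section header name ([Retina]) and the files-without-a-header handling are assumptions, since the page does not show the file's layout; the sample configurations embedded in the block are constructed for illustration, and the checker does not attempt to verify that a Password value is genuine lrcrypt output, because that format is not documented here.

```python
"""Pre-flight validator for a LogRhythm System Monitor retina.ini file.

Added example (not LogRhythm or BeyondTrust code). Checks the keys the page
documents: RetinaDataSourceType, RetinaCSServer, RetinaCSUsername, Password,
RetinaScansDirectory, RetinaAuditsXmlFile and IncludeServices.
"""
import configparser

PLACEHOLDER = "CHANGE_THIS"

# Keys each product type needs, per the settings table.
REQUIRED = {
    "RetinaCS": ("RetinaCSServer", "RetinaCSUsername", "Password"),
    "Retina": ("RetinaScansDirectory", "RetinaAuditsXmlFile"),
}
VALID_BOOL = {"true", "false"}


def parse_retina_ini(text: str) -> dict:
    """Return the key/value pairs of the file's first section, keeping key case.

    Assumption: if the file has no [section] header at all, a synthetic
    [settings] header is prepended so configparser will accept it.
    """
    if not text.lstrip().startswith("["):
        text = "[settings]\n" + text
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep RetinaCSServer etc. exactly as written
    cp.read_string(text)
    return dict(cp[cp.sections()[0]])


def validate_retina_ini(text: str) -> list:
    """Return a list of findings (strings); an empty list means the file looks usable."""
    settings = parse_retina_ini(text)
    findings = []
    source_type = settings.get("RetinaDataSourceType", "RetinaCS")  # table default
    if source_type not in REQUIRED:
        findings.append(f"RetinaDataSourceType must be Retina or RetinaCS, got {source_type!r}")
        return findings

    # Keys required by the selected product type must be present and not placeholders.
    for key in REQUIRED[source_type]:
        value = settings.get(key, "")
        if not value:
            findings.append(f"{key} is required for {source_type} but is missing or empty")
        elif value == PLACEHOLDER:
            findings.append(f"{key} still has the placeholder value {PLACEHOLDER}")

    # A real value in the *other* type's keys usually means the wrong type was selected.
    other = "Retina" if source_type == "RetinaCS" else "RetinaCS"
    for key in REQUIRED[other]:
        value = settings.get(key, "")
        if value and value != PLACEHOLDER:
            findings.append(f"{key} is set but only applies to {other}; check RetinaDataSourceType")

    include = settings.get("IncludeServices", "False")  # table default
    if include.lower() not in VALID_BOOL:
        findings.append(f"IncludeServices must be true or false, got {include!r}")
    return findings


# Constructed sample: a Retina CS configuration that passes every check.
# The Password value is a stand-in for whatever lrcrypt produces.
GOOD_RETINA_CS = """[Retina]
RetinaDataSourceType=RetinaCS
RetinaCSServer=retinacs-db.example.internal
RetinaCSUsername=lr_collector
Password=ENCRYPTED_VALUE_FROM_LRCRYPT
RetinaScansDirectory=CHANGE_THIS
RetinaAuditsXmlFile=CHANGE_THIS
IncludeServices=False
"""

# Constructed sample: a standalone Retina configuration with two mistakes
# (audits.xml path left as the placeholder, and a misspelled boolean).
BAD_RETINA = """RetinaDataSourceType=Retina
RetinaCSServer=CHANGE_THIS
RetinaCSUsername=CHANGE_THIS
Password=CHANGE_THIS
RetinaScansDirectory=C:\\Program Files (x86)\\BeyondTrust\\Retina 5\\Scans
RetinaAuditsXmlFile=CHANGE_THIS
IncludeServices=Flase
"""

if __name__ == "__main__":
    for name, text in (("Retina CS sample", GOOD_RETINA_CS), ("Retina sample", BAD_RETINA)):
        findings = validate_retina_ini(text)
        print(f"{name}: {'OK' if not findings else str(len(findings)) + ' finding(s)'}")
        for finding in findings:
            print("  -", finding)
```

Run the script against a copy of the real file (for example by reading it and passing the text to validate_retina_ini) before restarting the Agent; fix every finding, then encrypt the password with lrcrypt as the table describes.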
After you configure the device, you must also configure LogRhythm according to the instructions provided on the overview page of this guide. Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.
The name of the log message source is API : BeyondTrust Retina Vulnerability Management. In addition, when configuring this log source:
- For Log Message Processing Mode, select MPE Processing Enabled, Event Forwarding Enabled.
- For Log Message Processing Engine (MPE) Policy, select LogRhythm Default.