UDLA - ISS Proventia SiteProtector - IPS
Several types of IBM Proventia devices report into the IBM ISS Proventia SiteProtector Manager software package, and many of them write to different tables in its Microsoft SQL Server database. The schema is available as part of a free distribution from IBM ISS, and it can also be inspected directly in the database with Microsoft SQL Studio 2005.
Prerequisites
Identify and note the following prior to configuration:
- The IP address and host name of the Microsoft SQL Database Server used by ISS Proventia SiteProtector.
- The user account and password LogRhythm uses to access the ISS Proventia SiteProtector log data on the Microsoft SQL Database Server, if one is required.
- The LogRhythm System Monitor Agent used to collect the logs from ISS Proventia SiteProtector.
Configure the ISS Proventia SiteProtector
An account that the LogRhythm agent uses to access the ISS Proventia SiteProtector Microsoft SQL database must exist before you continue. This can be the default sa account, an account created with administrator access for LogRhythm, or domain credentials. Because the agent only reads log data, a dedicated login granted the db_datareader role on the SiteProtector database is sufficient and is preferable to sa or any sysadmin-level account: a compromised collector credential then cannot modify or delete the evidence it collects.
Configure the ODBC Driver for ISS Proventia SiteProtector
LogRhythm accesses ISS Proventia SiteProtector logs through an ODBC driver. The recommended driver must already be installed on the System Monitor host and configured as described in Configure UDLA Log Collection. The driver details are:
- Name. SQL Server
- Company Name. Microsoft Corporation
- Version. 2000.85.1132.00
- Date. 4/13/2008
- Download Location. pre-installed
After you configure the device, you must also configure LogRhythm according to the instructions provided on the overview page of this guide. The System Monitor does not need to be installed on the ISS Proventia SiteProtector server, but it must be able to establish an ODBC connection to the database server over the network. In addition, the host where the agent is installed needs the Microsoft SQL client drivers installed, and the driver must be registered for the same bitness (32-bit or 64-bit) as the System Monitor Agent process, because ODBC drivers are only visible to processes of matching bitness.
Only Global Admins or Restricted Admins with elevated View and Manage privileges can take this action.
Before you begin, download the XML Configuration File. You will import this file later to populate the UDLA configuration fields for the Log Source.
The name of the log message source is UDLA - ISS SiteProtector IPS. In addition, when configuring this log source:
- For Log Message Processing Mode, select MPE Processing Enabled, Event Forwarding Enabled.
- For Log Message Processing Engine (MPE) Policy, select LogRhythm Default.
- On the UDLA Settings tab, enter the following:
- Click Import, and then browse to and open the XML file that you downloaded from LogRhythm.
- In the Connection String box, ensure that you change the placeholder values to those matching your deployment.
- If you want to validate the current settings, click Test. If the test fails, verify the connection settings and that all values were entered correctly.
- When the test passes, close the Test dialog box.
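As an added pre-flight check (example code, not LogRhythm's or IBM's), the following PowerShell script, run on the System Monitor Agent host, does what the Test button does and a little more: it confirms the recommended "SQL Server" driver is registered for the agent's bitness, builds the connection string from your values so that no placeholder from the imported XML survives, opens the ODBC connection with the collector account described under Configure the ISS Proventia SiteProtector, and verifies that the account can read the database without being sysadmin. The server name, database name and login name are assumptions; change them to match your deployment.

```powershell
<#
  Pre-flight check for the UDLA connection string, run on the System Monitor
  Agent host before clicking Test in the LogRhythm Console.  Added example,
  not LogRhythm or IBM code.  Server, database and login are placeholders.
#>
param(
    [string]$Server   = 'SP-SQL01',          # assumed: SiteProtector SQL host or host\instance
    [string]$Database = 'RealSecureDB',      # assumed: SiteProtector database name
    [string]$User     = 'svc_logrhythm_ro',  # assumed: dedicated read-only login
    [ValidateSet('32-bit', '64-bit')]
    [string]$AgentBitness = '64-bit'         # bitness of the System Monitor Agent process
)

# 1. The driver the guide calls for ("SQL Server", Microsoft Corporation) must be
#    registered for the same bitness as the agent; a 64-bit driver is invisible
#    to a 32-bit process.  Get-OdbcDriver ships with Windows 8 / Server 2012+.
$driver = Get-OdbcDriver -Name 'SQL Server' -Platform $AgentBitness -ErrorAction Stop
"Driver found: $($driver.Name) ($($driver.Platform))"

# 2. Prompt for the password so it never lands in shell history or on disk.
$secure = Read-Host -Prompt "Password for $User" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

# 3. Build the string the Connection String box expects.  The builder quotes
#    values containing ';' or '=' so a strong password cannot break the syntax.
$b = New-Object System.Data.Odbc.OdbcConnectionStringBuilder
$b.Driver      = 'SQL Server'
$b['Server']   = $Server
$b['Database'] = $Database
$b['Uid']      = $User
$b['Pwd']      = $plain
$plain = $null
$connString = $b.ConnectionString

# Refuse to continue if an unreplaced <PLACEHOLDER> survived the XML import.
if ($connString -match '<[A-Za-z_ ]+>') {
    throw "Connection string still contains a placeholder: $($Matches[0])"
}
# Echo the string with the password masked, for the change record.
"Connection string: " + ($connString -replace '(?i)Pwd=[^;]*', 'Pwd=***')

# 4. Open the connection and confirm least privilege: the login must be able
#    to SELECT in the SiteProtector database but must not be sysadmin.
$conn = New-Object System.Data.Odbc.OdbcConnection $connString
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = @"
SELECT ISNULL(IS_SRVROLEMEMBER('sysadmin'), 0)           AS IsSysadmin,
       HAS_PERMS_BY_NAME(DB_NAME(), 'DATABASE', 'SELECT') AS CanSelect,
       DB_NAME()                                          AS Db,
       SUSER_SNAME()                                      AS LoginName
"@
    $r = $cmd.ExecuteReader()
    [void]$r.Read()
    $result = [pscustomobject]@{
        Login      = $r['LoginName']
        Database   = $r['Db']
        CanSelect  = ([int]$r['CanSelect'] -eq 1)
        IsSysadmin = ([int]$r['IsSysadmin'] -eq 1)
    }
    $r.Close()
}
finally {
    $conn.Dispose()
}

$result | Format-List
if (-not $result.CanSelect) {
    Write-Error "Login $($result.Login) cannot read $($result.Database); grant db_datareader."
}
if ($result.IsSysadmin) {
    Write-Warning "Login $($result.Login) is sysadmin; the collector only needs db_datareader."
}
```

Run it with `-AgentBitness 32-bit` if the System Monitor Agent is a 32-bit process. A failed `Open()` here points at the same causes as a failed Test in the Console (wrong server or instance name, a firewall between the agent host and the SQL Server, or a login that does not exist or lacks access to the database), and the final two checks catch the configuration that the Test button accepts but a reviewer should not: a collector running as sa or another sysadmin login.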