This document provides information about how to configure the collection of Symmetry Access Control logs using a LogRhythm System Monitor Agent.
Symmetry Access Control stores event logs in a Microsoft SQL database, which is typically included on the Symmetry server. Collection from a Microsoft SQL database requires:
- Universal Database Log Adapter (UDLA) Log Source.
- A LogRhythm System Monitor to collect the logs.
- Access to the Microsoft SQL Server Database that Symmetry uses for storing event logs.
Identify the following prior to configuration:
- The IP address and host name of the Microsoft SQL Server Database used by Symmetry.
- A LogRhythm System Monitor to collect the logs from Symmetry.
- The user ID and password to access the Symmetry log data on the Microsoft SQL Database Server, if necessary.
Verify Access to the Symmetry Server
The LogRhythm System Monitor needs to use an existing SQL account to access the Symmetry SQL database. This can be the default “sa” account, an account created with administrator access, or domain credentials.
Configure the ODBC Driver
The LogRhythm System Monitor will access Symmetry logs via an ODBC driver. The recommended driver should already be installed on the System Monitor host:
- Name: SQL Server
- Company Name: Microsoft Corporation
- Version: 2000.85.1132.00
- Date: 4/13/2008
- Download Location: pre-installed
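A pre-check that can be run on the System Monitor host before creating the Log Source, added here as an example and not part of LogRhythm's documentation: it connects through the "SQL Server" ODBC driver listed above with the account chosen in the previous section, and reports which login is in use and whether that login holds the sysadmin role. The server and database names are placeholders, and the connection-string keywords are the driver's standard ones, assumed here rather than taken from the imported XML file.

```powershell
# Added example (Windows PowerShell 5.1). The placeholders below are assumptions;
# replace them with the values identified for your deployment.
$Server      = '<sql-server-host-or-ip>'
$Database    = '<symmetry-database-name>'
$UseSqlLogin = $true    # $false = connect with the current Windows/domain identity

function New-CollectorConnectionString {
    param([string]$Server, [string]$Database, [pscredential]$Credential)
    # The builder escapes special characters (; { }) in values such as passwords.
    $b = New-Object System.Data.Odbc.OdbcConnectionStringBuilder
    $b.Driver      = 'SQL Server'       # driver name as listed on this page
    $b['Server']   = $Server
    $b['Database'] = $Database
    if ($Credential) {
        $net = $Credential.GetNetworkCredential()
        $b['Uid'] = $net.UserName
        $b['Pwd'] = $net.Password
    } else {
        $b['Trusted_Connection'] = 'Yes'
    }
    $b.ConnectionString
}

function Test-CollectorAccount {
    param([string]$ConnectionString)
    $conn = New-Object System.Data.Odbc.OdbcConnection($ConnectionString)
    try {
        $conn.Open()                    # throws on network, driver or login failure
        $cmd = $conn.CreateCommand()
        # Login in use, sysadmin membership (1 = member), and the database reached.
        $cmd.CommandText = "SELECT SUSER_SNAME(), IS_SRVROLEMEMBER('sysadmin'), DB_NAME()"
        $r = $cmd.ExecuteReader()
        [void]$r.Read()
        [pscustomobject]@{
            Login      = $r.GetValue(0)
            IsSysadmin = ($r.GetValue(1) -eq 1)
            Database   = $r.GetValue(2)
        }
    } finally {
        $conn.Dispose()
    }
}

$cred   = if ($UseSqlLogin) { Get-Credential -Message 'Symmetry SQL account' } else { $null }
$result = Test-CollectorAccount (New-CollectorConnectionString $Server $Database $cred)
$result
# Assumption: reading event rows does not need server-wide administrator rights.
if ($result.IsSysadmin) { Write-Warning "Login '$($result.Login)' is a member of sysadmin." }
```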
Add a Symmetry Log Source
You must be logged in as a Global Administrator to take this action.
You will use a LogRhythm System Monitor to collect Symmetry logs. The System Monitor does not need to be installed on the Symmetry server, but it needs to establish a network ODBC connection. In addition, the Microsoft SQL client drivers must be installed on the System Monitor host.
Note: Before you begin, download the Symmetry Access Control XML Configuration File. You will import this file later to populate the UDLA configuration fields for the Log Source.
To create the Symmetry Access Control Log Source, do the following:
- Start the LogRhythm Client Console and log in as a Global Administrator.
- Click Deployment Manager on the main toolbar.
- Click the System Monitors tab.
- Double-click the System Monitor that will be collecting Symmetry logs.
- In the System Monitor Agent Properties dialog box, click the Agent Settings tab.
- Right-click anywhere in the Log Sources List, and then click New.
The Log Message Source Properties dialog box is displayed.
- Click the Basic Configuration tab.
- Set the Log Message Source Type to System: UDLA - Symmetry Access Control, and set the Log Message Processing Engine (MPE) Policy to LogRhythm Default.
- Click the UDLA Settings tab.
- Click Import at the bottom of the UDLA Settings tab, then browse to and open the XML file that you downloaded from LogRhythm.
- In the Connection String box, ensure that you change the placeholder values to those matching your deployment.
- Click Test to verify the settings.
- If the test fails, ensure that the values are correct and test the connection settings again.
- When the test passes, close the test dialog box.
- Click OK to save the configuration and close the Log Message Source Properties dialog box.
- Click OK to close the System Monitor Agent Properties dialog box.