Use https://seceonhelp.freshdesk.com/support/login to access updated Knowledge Base articles, submit technical support tickets, and review the status of submitted support tickets.

How to – Configure FireEye Network Security and Forensics (NX) to forward logs to EventTracker

Overview

FireEye Network Security and Forensics (NX) is an effective cyber threat protection solution. It helps organizations minimize the risk of costly breaches by accurately detecting and immediately stopping advanced, targeted and other evasive attacks hiding in Internet traffic. When integrated with FireEye NX, EventTracker collects logs from the appliance and builds detailed reports, alerts, dashboards and saved searches, so that critical information can be viewed on a single platform. Reports give a detailed overview of events such as a malware object (a file attachment carrying a malicious executable payload) or a web infection (an outbound connection, initiated by a web browser, to a website determined to be malicious). Alerts are raised as soon as FireEye NX triggers a critical event, so users are notified in real time of occurrences such as a suspicious file hash detection or a suspicious web URL detection. Dashboards give a graphical overview of all malware detected by FireEye NX, Command and Control server connections, and so on. These views include details such as the suspicious source IP address, source port, destination IP address, destination port, anomaly type and malware name.

Pre-Requisites

  • The VCP (virtual collection point) syslog port should be open.

  • Port 514 should be allowed through the firewall (if applicable).

Steps of Configuration

1. Log in to the FireEye NX Web UI with an admin account.

2. Navigate to Settings > Notifications.

3. Click rsyslog and check the "Event type" check box.

4. Make sure the Rsyslog settings are:

   Default format: CEF

   Default delivery: Per Event

   Default send as: Alert

5. Next to the "Add Rsyslog Server" button, type "EventTracker", then click the "Add Rsyslog Server" button.

6. Enter the EventTracker server IP address in the "IP Address" field (the public IP, if hosted in the cloud).

7. Check the Enabled check box.

8. Select Per Event in the "Delivery" drop-down list.

9. Select All Events in the "Notifications" drop-down list.

10. Select CEF in the "Format" drop-down list.

11. Select UDP in the "Protocol" drop-down list (the default port is 514).

12. Click Update, then click the "Test-Fire" button to send test events to the EventTracker server.

Verification

  • Verification can be done in two ways:

    1. By checking the UI

    2. By checking the logs on the CCE server

Verification through the UI

  • Open the UI >> System tab >> Logs and flows collection status.

  • The FireEye NX IP address will be listed under the source device IPs.

Verification through the CCE server

  • Run the command: sudo tcpdump -i any port 514 and host <IP address>

    Replace <IP address> with the address of the FireEye NX appliance; the capture should show UDP datagrams arriving on port 514 from that host after a Test-Fire.
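tcpdump only proves that packets reach the collector. To confirm that the events are well-formed CEF (the format chosen in step 4 and step 10) and that they carry the source/destination details described in the overview, the following added Python example (not FireEye's or EventTracker's code) parses a CEF-over-syslog line and can optionally listen on a UDP port. The sample message, its signature ID, the device version "0.0.0" and the custom-field label are constructed for illustration; the extension keys it uses (src, spt, dst, dpt, cs1/cs1Label, msg) are standard CEF keys, but the exact keys FireEye NX emits should be confirmed against a real Test-Fire event. Binding port 514 requires root, so `receive_events` takes the port as a parameter.

```python
"""Minimal CEF (Common Event Format) syslog parser plus a UDP receiver.

Added example for this article, not FireEye's or EventTracker's code.
The sample message is constructed; confirm real key names from a Test-Fire event.
"""
import re
import socket

# Constructed sample syslog line wrapping a CEF event (not captured from a device).
SAMPLE_LINE = (
    "<134>Jan 10 12:34:56 fireeye-nx CEF:0|FireEye|NX|0.0.0|MO|malware-object|10|"
    "src=10.1.2.3 spt=51515 dst=203.0.113.7 dpt=80 "
    "cs1Label=malware_name cs1=constructed.sample "
    "msg=File attachment with malicious payload"
)

HEADER_NAMES = ("version", "vendor", "product", "device_version",
                "signature_id", "name", "severity")
_ESCAPES = {"n": "\n", "r": "\r"}


def _unescape(text):
    """Undo CEF escaping: a backslash-escaped char becomes literal; \\n and \\r become newlines."""
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), text)


def split_header(cef_body):
    """Split the 7 pipe-delimited header fields, honouring '\\|' escapes.

    Returns (fields, extension_text); raises ValueError on a short header.
    """
    fields, buf, i = [], [], 0
    while i < len(cef_body) and len(fields) < 7:
        ch = cef_body[i]
        if ch == "\\" and i + 1 < len(cef_body):   # escaped char: keep it literally
            buf.append(cef_body[i + 1])
            i += 2
        elif ch == "|":                             # field terminator
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("CEF header has fewer than 7 fields")
    return fields, cef_body[i:]


def parse_extension(ext_text):
    """Parse 'key=value key2=value with spaces' into a dict.

    A new pair starts at whitespace followed by 'word='; an '=' inside a value
    must be escaped as '\\=' by the sender, so it never starts a new pair.
    """
    ext = {}
    for pair in re.split(r"\s+(?=\w+=)", ext_text.strip()):
        key, sep, value = pair.partition("=")
        if sep:
            ext[key] = _unescape(value)
    return ext


def resolve_labels(ext):
    """Map CEF custom fields (cs1Label=foo cs1=bar) to {'foo': 'bar'}."""
    labeled = {}
    for key, label in ext.items():
        if key.endswith("Label") and key[:-5] in ext:
            labeled[label] = ext[key[:-5]]
    return labeled


def parse_cef(line):
    """Parse a syslog line carrying a CEF event into a nested dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF: marker in line")
    event = {"syslog_priority": None, "syslog_facility": None, "syslog_severity": None}
    pri = re.match(r"<(\d{1,3})>", line)
    if pri:                                        # syslog PRI = facility * 8 + severity
        value = int(pri.group(1))
        event.update(syslog_priority=value, syslog_facility=value >> 3,
                     syslog_severity=value & 7)
    fields, ext_text = split_header(line[start + 4:])
    event["header"] = dict(zip(HEADER_NAMES, fields))
    event["extension"] = parse_extension(ext_text)
    event["labeled"] = resolve_labels(event["extension"])
    return event


def receive_events(port, bind_addr="0.0.0.0", max_events=1):
    """Yield (sender_ip, parsed_event) for UDP syslog datagrams received on port.

    Port 514 requires root; use a high port for an unprivileged check.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        for _ in range(max_events):
            data, (sender_ip, _) = sock.recvfrom(65535)
            yield sender_ip, parse_cef(data.decode("utf-8", errors="replace"))


if __name__ == "__main__":
    ev = parse_cef(SAMPLE_LINE)
    print(ev["header"]["name"], ev["extension"].get("src"), "->",
          ev["extension"].get("dst"), ev["labeled"])
```

Running the script parses the constructed sample and prints the event name, source and destination, and the resolved custom-field labels. On the collector, `for ip, ev in receive_events(514): print(ip, ev)` (run as root) shows both the sender address, which should match the FireEye NX appliance, and the decoded fields of a Test-Fire event.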

 

Seceon Inc. All rights reserved. https://www.seceon.com