CISCO WSA Secure Network Analytics User Guide

Introduction
To collect user information from your proxy servers for the Cisco Secure Network Analytics (formerly Stealthwatch) Proxy Log, you need to configure the proxy server logs. The Flow Collector receives the logs, and the Manager (formerly Stealthwatch Management Console) displays the information on the Flow Proxy Records page. This page provides the URLs and application names of the traffic inside a network that passes through the proxy server.
Requirements
Before you begin, make sure you meet the following requirements:
- Cisco WSA (14-5-1-016), Blue Coat, McAfee, and Squid are supported for this configuration. Make sure your proxy server is configured and running as part of your network.
- Make sure the Flow Collector and the proxy use the same NTP server (or receive time from a common source) so that flow and proxy records can be matched.
- Choose the Flow Collector that collects data from the exporters and endpoints that you want to investigate in the proxy logs. You need its IP address for the configuration.
- There is no specific size limit for proxy syslog messages. However, we recommend keeping messages shorter than the smallest Maximum Transmission Unit (MTU) on the path between the proxy and the Flow Collector, typically 1500. This eliminates packet fragmentation and increases reliability.
- Proxy Log is not supported in High Availability (HA) mode.
Configuration Overview
Complete the following procedures:
- Choose one of the following procedures to configure your proxy server:
  - Configuring Cisco Web Security Appliance (WSA) Proxy Logs
  - Configuring Blue Coat Proxy Logs
  - Configuring McAfee Proxy Logs
  - Configuring Squid Proxy Logs
- Configuring the Flow Collector
- Checking the Flows
Configuring Cisco Web Security Appliance (WSA) Proxy Logs
Use this section to configure Cisco proxy logs to send to Secure Network Analytics.
The Cisco WSA proxy does not support Virtual IPs for adding the proxy device.
To create a Cisco proxy log, complete the following steps:
1. Log in to the Cisco proxy server.

2. On the main menu, click System Administration > Log Subscriptions. The Log Subscriptions page opens.

3. Click the Add Log Subscriptions button. The New Log Subscription page opens.

4. From the Log Type drop-down list, select W3C Logs. The available W3C log fields appear.

5. In the Log Name field, type a name for the log that you will use.

6. From the Available Log Fields list, select Timestamp, then click Add to move it to the Selected Log Fields list.

7. Repeat the previous step for each of the following fields, in order:
a. timestamp
b. x-elapsed-time
c. c-ip
d. c-port
e. cs-bytes
f. s-ip
g. s-port
h. sc-bytes
i. cs-username
j. s-computerName
k. cs-url
The Selected Log Fields list must contain these fields as shown:

The Selected Log Fields list must be in the order above, with no other fields present.
8. Scroll down the page, then select the Syslog Push option.

9. In the Hostname field, type the IP address of the Flow Collector, or its hostname, to which the proxy sends logs.
Make sure you choose the Flow Collector that collects data from the exporters and endpoints that you want to investigate in the proxy logs.
10. Click Submit. The new log is added to the Log Subscriptions list.
11. Continue to the Configuring the Flow Collector section to set up your Flow Collector to receive the syslog information.
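The following Python check is an added example, not part of the Cisco guide: it verifies that a record produced by the W3C log subscription carries exactly the eleven fields from step 7 in the required order, and that it stays within the MTU budget recommended in the requirements. The space-separated layout, the "-" placeholder for empty fields, the epoch-style timestamp, the 64-byte syslog header allowance, and the sample records are assumptions.

```python
import ipaddress
import re

# Field order from step 7 of the WSA procedure on this page.
WSA_FIELDS = ["timestamp", "x-elapsed-time", "c-ip", "c-port", "cs-bytes",
              "s-ip", "s-port", "sc-bytes", "cs-username",
              "s-computerName", "cs-url"]
MTU = 1500              # typical path MTU quoted on this page
HEADROOM = 20 + 8 + 64  # assumed: IPv4 + UDP headers + room for a syslog header

def _matches(pattern):
    return lambda v: re.fullmatch(pattern, v) is not None

_is_uint = _matches(r"[0-9]+")
_is_epoch = _matches(r"[0-9]+(\.[0-9]+)?")  # assumed: epoch seconds

def _is_port(v):
    return _is_uint(v) and int(v) <= 65535

def _is_ip(v):
    try:
        ipaddress.ip_address(v)
        return True
    except ValueError:
        return False

CHECKS = {"timestamp": _is_epoch, "x-elapsed-time": _is_uint, "c-ip": _is_ip,
          "c-port": _is_port, "cs-bytes": _is_uint, "s-ip": _is_ip,
          "s-port": _is_port, "sc-bytes": _is_uint}

def check_record(record):
    """Return a list of problems found in one space-separated W3C record."""
    problems = []
    if len(record.encode("utf-8")) > MTU - HEADROOM:
        problems.append("record is likely to exceed the path MTU and fragment")
    values = record.split()
    if len(values) != len(WSA_FIELDS):
        problems.append(f"expected {len(WSA_FIELDS)} fields, got {len(values)}")
        return problems
    for name, value in zip(WSA_FIELDS, values):
        check = CHECKS.get(name)
        # Assumption: an empty field is logged as "-".
        if check and value != "-" and not check(value):
            problems.append(f"{name}: unexpected value {value!r}")
    return problems

# Constructed sample records, not captured from a real appliance.
GOOD = ("1700000000.123 45 10.0.0.5 51234 312 203.0.113.10 443 5120 "
        "alice proxy01 https://example.com/index.html")
SWAPPED = ("1700000000.123 45 51234 10.0.0.5 312 203.0.113.10 443 5120 "
           "alice proxy01 https://example.com/index.html")
```

An empty list from check_record(GOOD) means the record matches the expected layout; SWAPPED shows how a misordered Selected Log Fields list surfaces as type mismatches on c-ip and c-port.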
Configuring Blue Coat Proxy Logs
Use this section to configure Blue Coat proxy logs to send to Secure Network Analytics.
The version of the Blue Coat proxy used for testing was SG V100, SGOS 6.5.5.7 SWG Edition.
Creating the Format
To create a new log format, complete the following steps:
1. In your browser, log in to your Blue Coat proxy server.
2. Click the Configuration tab.

3. On the main menu of the Management Console, click Access Logging > Formats.
4. Click New at the bottom of the page. The Create Format page opens.

5. In the Format Name field, type a name for the new format.
6. Select the W3C Extended Log File Format (ELFF) option.
7. In the Format field, type the following string:
timestamp duration c-ip c-port r-ip r-port s-ip s-port cs-bytes sc-bytes cs-user cs-host cs-uri
8. Click OK. Continue to the next section, Creating a New Log.
Creating a New Log
To create the log, complete the following steps:
1. On the main menu, click Access Logging > Logs, then select the new log format. The Log page opens.

2. Click the General Settings tab.

3. From the Log Format drop-down list, select the format that you created in Step 1.
4. In the Description field, type a description for your new log.
5. Click the Apply button at the bottom of the page. Continue to the next section, Configuring the Upload Client.
Configuring the Upload Client
To configure the upload client, complete the following steps:
1. Click the Upload Client tab. The Upload Client page opens.

2. From the Client type drop-down list, select Custom Client.
3. Click the Settings button. The Custom Client page opens.

4. In the appropriate fields, type the IP address of the Flow Collector and the listening port of the proxy parser.
SSL is not supported at this time.
5. Click OK.

6. For the Transmission Parameters, complete these steps:
- a. For Encryption Certificate, select No encryption.
- b. From the Signing Keyring drop-down list, select no signing.
- c. For "Save the log file as," select the Text file option.
- d. In the "Send partial buffer after" text box, type 5.
- e. Click the Upload Schedule tab, and select the continuously option for Upload the access log.
- f. In the Wait between connect attempts field, type 60.
- g. In the Time between keep-alive log packets field, type 5.
7. Click the Apply button at the bottom of the page. Continue to the next section, Configuring the Upload Schedule.
Configuring the Upload Schedule
To configure the upload schedule, complete the following steps:
1. Click the Upload Schedule tab.

2. For "Upload the access log," select continuously.
3. Wait between connect attempts is 60 seconds.
4. Time between keep-alive log packets is five seconds.
5. Click the Apply button at the bottom of the page.
This completes the Blue Coat proxy log settings for the Flow Collector.
Requirements
Additional notes about the configuration:
- Make sure the Flow Collector and the proxy use the same NTP server (or receive time from a common source) so that flow and proxy records can be matched.
- Only one proxy log output method is supported. If you are already exporting logs, you will not be able to capture and examine proxy records.
- UDP Director High Availability is not supported.
Configuring the Visual Policy Manager
The Visual Policy Manager configuration enables you to verify that the proxy log is being sent to the Flow Collector.

1. On the Configuration tab page, on the main menu, click Policy > Visual Policy Manager. The Visual Policy Manager opens.

2. Click the Launch button at the bottom for your configured log. The Visual Policy Manager window for the log opens.
3. Click Policy > Add Web Access Layer. The Add New Layer screen opens.

4. Type a name for the new layer, then click OK.
5. Right-click Deny in the Action column, then click Set. The Set Action Object dialog opens.

6. Click New, then select Modify Access Logging. The Edit Access Logging Object dialog opens.
7. Click Enable logging to.

8. Type a name for your log, then select your log.
9. Click OK. The object is added.
10. In the Set Action Object dialog, click OK.
11. Click the Install policy button at the top right.

12. Click No and then OK for the following windows.
13. Restart the Blue Coat Visual Policy Manager.
14. Right-click the logging tab, then select Enable Layer.

15. Click the Install Policy button. The policy installed dialog opens.
16. Click OK.
17. Click the Statistics tab, and on the log menu, select your log.

18. On the main menu, click Access Logging, then click the Log Tail tab. The Log Tail window opens.

19. Click the Start Tail button at the bottom of the page.
20. On the Statistics main menu, click System > Event Logging. This page shows whether the log file is being uploaded to the Flow Collector and the changes made. It shows whether the proxy is connected to the Flow Collector.

21. Continue to the Configuring the Flow Collector section to set up your Flow Collector to receive the syslog information.
Configuring McAfee Proxy Logs
Use this section to configure McAfee proxy logs from McAfee Web Gateway to send to Secure Network Analytics.
- Make sure you download the XML configuration file for the McAfee proxy. Go to Cisco Software Central to download the Readme and the Proxy Log XML configuration files.
- Log in to your Cisco Smart Account at https://software.cisco.com or contact your administrator.
- The version of the McAfee proxy used for testing was 7.4.2.6.0 - 18721.
To create the McAfee proxy log, complete the following steps:
1. Download the XML file, FlowCollector_[date]_McAfee_Log_XML_Config_[v].xml, and save it to your preferred location.
"date" indicates the date of the XML file, and "v" indicates the version of the McAfee proxy. Choose the XML file with the same version number as your McAfee proxy.
To download the file, complete the following steps:
- a. Go to https://software.cisco.com, Cisco Software Central.
- b. In the Download and manage > Download and Upgrade section, select Access downloads.
- c. Scroll down to the Select a Product field.
- d. Type Secure Network Analytics in the Select a Product field. Press Enter.
- e. Select "Secure Network Analytics Virtual Flow Collector" or another "Flow Collector".
- f. Select Secure Network Analytics System Software > Configuration Files.
2. Log in to the McAfee proxy server.

3. Click the Policy icon, then click the Rule Sets tab.

4. Select Log Handler, then select Default.

5. Click Add > Rule Set from Library.

6. Click Import from file, then select the XML file.
7. Select mcafeelancopelog in the log handler that was just imported.
Make sure that the rule set and the "create logline" and "send to syslog" rules are enabled.
8. Click the Configuration icon at the top of the page.
9. On the left side of the page, click the File Editor tab, then select the rsyslog.conf file.

10. At the bottom of the text box (next to the list of files), type the following text:

Make sure you choose the Flow Collector that collects data from the exporters and endpoints that you want to investigate in the proxy logs.
11. Comment out this line:
*.info;mail.none;authpriv.none;cron.none.
12. Add this line:
*.info;daemon.!=info;mail.none;authpriv.none;cron.none -/var/log/messages
13. Click the Save Changes button at the top right of the page.
14. Continue to the Configuring the Flow Collector section to set up your Flow Collector to receive the syslog information.
Configuring Squid Proxy Logs
Use this section to configure Squid proxy logs to send to Secure Network Analytics. You can edit the files on the proxy server using SSH.
To configure the Squid proxy logs, complete the following steps:
1. Log in to a shell on the machine running Squid.
2. Go to the directory containing squid.conf (typically /etc/squid) and open it in an editor.
3. Add the following lines to squid.conf to configure logging:
logformat access_format %ts%03tu % a %>p %>st %
4. Restart squid using the following:
- For init-based systems: /etc/init.d/squid3 restart
- For systemd-based systems: systemctl restart squid
5. Configure the syslog service on the Squid server to forward the logs to the Flow Collector. This depends on the Linux distribution and syslog service.
For syslog-ng, add the following to /etc/syslog-ng/syslog-ng.conf:
# Audit Log Facility BEGIN
filter bs_filter { filter(f_user) and level(info) };
destination udp_proxy { udp("10.205.14.15" port(514)); };
log {
    source(s_all);
    filter(bs_filter);
    destination(udp_proxy);
};
# Audit Log Facility END
For rsyslog, add the following to /etc/rsyslog.conf:
:programname, contains, "squid" @10.205.14.15:514
Make sure you choose the Flow Collector that collects data from the exporters and endpoints that you want to investigate in the proxy logs.
6. Then restart the syslog service.
- For init-based systems:
/etc/init.d/syslog-ng restart (for syslog-ng)
/etc/init.d/rsyslog restart (for rsyslog)
- For systemd-based systems:
systemctl restart syslog (for syslog-ng)
systemctl restart rsyslog (for rsyslog)
7. Continue to the Configuring the Flow Collector section to receive the syslog information.
Configuring the Flow Collector
After you configure the proxy server, you need to configure the Flow Collector to accept the data.
To configure the Flow Collector to receive the syslog information, complete the following steps:
1. Log in to your Manager.
2. Select Configure > Global > Central Management.
3. Click the (Ellipsis) icon for your Flow Collector, then click View Appliance Statistics.
4. Log in to the Flow Collector. The Flow Collector interface opens.
5. Click Configuration > Proxy Ingest. The Proxy Servers page opens.
6. Type the IP address of the proxy server.
7. From the Proxy Type drop-down list, select your proxy server.
If your proxy server type is not listed, you cannot use proxy logs at this time.
8. If the Proxy Server:
- has only one IP address, type the IP address of the proxy server in the IP Address field. Leave the Telemetry IP Address field blank.
- has multiple IP addresses, type the management IP address of the proxy server (the source IP address of the syslog message) in the IP Address field. In the Telemetry IP Address field, type the telemetry IP address of the proxy server.
9. In the Proxy Service Port field, type the port number of the proxy server.

10. If you want the proxy server to start triggering alarms, select the Alarming check box.
11. Click Add.
12. Click Apply. The proxy server appears in the Proxy Ingest table at the top of the page.
13. Continue to the Checking the Flows section.
Checking the Flows
To verify that you are receiving flows, complete the following steps:
1. In the Flow Collector interface, click Support > Browse Files on the main menu. The Browse Files page opens.

2. Open the sw.log file.

3. Verify that the webproxy count is going up, which indicates that you are receiving data.

Contacting Support
If you need technical support, please do one of the following:
- Contact your local Cisco Partner
- Contact Cisco Support
- To open a case by web: http://www.cisco.com/c/en/us/support/index.html
- For phone support: 1-800-553-2447 (US)
- For worldwide support numbers:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Change History

Copyright Information
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)

© 2025 Cisco Systems, Inc. and/or its affiliates.
All rights reserved.
