Cisco WSA Secure Network Analytics User Guide

Introduction
To collect user information from your proxy servers for the Cisco Secure Network Analytics (formerly Stealthwatch) proxy log, you need to configure the logs on the proxy server. The Flow Collector receives the logs, and the Manager (formerly the Stealthwatch Management Console) displays the information on the Flow Proxy Records page. That page shows the URLs and application names for traffic inside the network that passes through the proxy server.
Requirements
Before you begin, make sure you meet the following requirements:
- Cisco WSA (14-5-1-016), Blue Coat, McAfee, and Squid are supported by this configuration. Make sure your proxy server is configured and operating as part of your network.
- Make sure the Flow Collector and the proxy use the same NTP server (or get their time from the same source) so that flow records and proxy records can be matched.
- Select the Flow Collector that collects data from the exporters and endpoints you want to investigate in the proxy log. You need its IP address for the configuration.
- There is no specific size limit on syslog proxy messages. However, we recommend keeping each message shorter than the smallest Maximum Transmission Unit (MTU) on the path between the proxy and the Flow Collector, typically 1500 bytes. This avoids packet fragmentation and improves reliability.
- Proxy logging is not supported in High Availability (HA) mode.
Configuration Overview
Complete the following procedures:
- Choose one of the following procedures to configure your proxy server:
- Configuring Cisco Web Security Appliance (WSA) proxy logs
- Configuring Blue Coat proxy logs
- Configuring McAfee proxy logs
- Configuring Squid proxy logs
- Configuring the Flow Collector
- Verifying Flows
Configuring Cisco Web Security Appliance (WSA) proxy logs
Use this section to configure Cisco proxy logs so that they are sent to Secure Network Analytics.
The Cisco WSA proxy does not support Virtual IPs for adding the proxy device.
To set up the Cisco proxy log, complete the following steps:
1. Log in to the Cisco proxy server.
2. From the main menu, click System Administration > Log Subscriptions. The Log Subscriptions page opens.
3. Click the Add Log Subscription button. The New Log Subscription page opens.
4. From the Log Type drop-down list, select W3C Logs. The available W3C log fields appear.
5. In the Log Name field, type the name to use for the log.
6. From the Available Log Fields list, select timestamp, and then click Add to move it to the Selected Log Fields list.
7. Repeat the previous step for each of the following log fields, in this order (timestamp is the first entry and was already added in step 6):
a. timestamp
b. x-elapsed-time
c. c-ip
d. c-port
e. cs-bytes
f. s-ip
g. s-port
h. sc-bytes
i. cs-username
j. s-computerName
k. cs-url
The Selected Log Fields list must contain exactly these fields, in the order above, with no other fields present. The Flow Collector parses the record positionally, so an extra, missing, or reordered field breaks the proxy log.
8. Scroll down the page and select the Syslog Push option.
9. In the Hostname field, type the IP address or hostname of the Flow Collector to which the proxy sends the logs.
Make sure you select the Flow Collector that collects data from the exporters and endpoints you want to investigate in the proxy log.
10. Click Submit. The new log is added to the Log Subscriptions list.
11. Go to the section Configuring the Flow Collector to set up the Flow Collector to receive the syslog information.
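The following is an added example for this guide, not code from Cisco or from the WSA: a small validator for the W3C records the subscription above produces, using the eleven fields in the required order, plus the MTU check recommended under Requirements. It assumes the input is the W3C record portion of each syslog message (whatever follows the syslog header) with single-space separators, that the WSA timestamp field is Unix epoch seconds, and a roughly 60-byte syslog header when budgeting against a 1500-byte MTU. The sample lines are constructed.

```python
"""Validate W3C proxy records in the field order the Flow Collector expects.

Added example, not part of the Cisco guide. Assumes each input line is the W3C
record portion of a syslog message (fields separated by single spaces) and that
the WSA 'timestamp' field is seconds since the Unix epoch.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# The eleven fields, in the exact order the Selected Log Fields list must have.
REQUIRED_FIELDS = (
    "timestamp", "x-elapsed-time", "c-ip", "c-port", "cs-bytes",
    "s-ip", "s-port", "sc-bytes", "cs-username", "s-computerName", "cs-url",
)

DEFAULT_MTU = 1500          # smallest path MTU assumed by the guide
IP_UDP_HEADERS = 28         # IPv4 (20) + UDP (8)
SYSLOG_HEADER_BUDGET = 60   # assumption: PRI + timestamp + host + tag


@dataclass
class ProxyRecord:
    timestamp: int
    elapsed_ms: int
    client_ip: str
    client_port: int
    request_bytes: int
    server_ip: str
    server_port: int
    response_bytes: int
    username: str       # '-' when the user is unauthenticated
    server_name: str
    url: str


def parse_record(line: str) -> ProxyRecord:
    """Split one W3C line into typed fields; raise ValueError on any deviation."""
    fields = line.strip().split(" ")
    if len(fields) != len(REQUIRED_FIELDS):
        raise ValueError(
            f"expected {len(REQUIRED_FIELDS)} fields ({', '.join(REQUIRED_FIELDS)}), "
            f"got {len(fields)}"
        )
    try:
        # Converting in positional order means a reordered field fails loudly
        # instead of silently landing in the wrong column on the collector.
        rec = ProxyRecord(
            timestamp=int(fields[0]),
            elapsed_ms=int(fields[1]),
            client_ip=str(ipaddress.ip_address(fields[2])),
            client_port=int(fields[3]),
            request_bytes=int(fields[4]),
            server_ip=str(ipaddress.ip_address(fields[5])),
            server_port=int(fields[6]),
            response_bytes=int(fields[7]),
            username=fields[8],
            server_name=fields[9],
            url=fields[10],
        )
    except ValueError as exc:
        raise ValueError(f"field type mismatch, check the field order: {exc}") from exc
    for port in (rec.client_port, rec.server_port):
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
    return rec


def fits_in_mtu(line: str, mtu: int = DEFAULT_MTU) -> bool:
    """True when the record plus headers fits in one unfragmented datagram."""
    return len(line.encode("utf-8")) + IP_UDP_HEADERS + SYSLOG_HEADER_BUDGET <= mtu


def validate_lines(lines: List[str]) -> Tuple[List[ProxyRecord], List[Tuple[int, str]]]:
    """Return (parsed records, [(line number, problem), ...]) for a batch."""
    records, problems = [], []
    for n, line in enumerate(lines, 1):
        try:
            rec = parse_record(line)
        except ValueError as exc:
            problems.append((n, str(exc)))
            continue
        if not fits_in_mtu(line):
            problems.append((n, "record exceeds the MTU budget; expect fragmentation"))
        records.append(rec)
    return records, problems


# Constructed sample records (not captured from a real appliance).
GOOD = "1717430400 125 10.1.2.3 51234 842 203.0.113.10 443 51200 jdoe wsa01 https://example.com/index.html"
SWAPPED = "1717430400 https://example.com/index.html 125 10.1.2.3 51234 842 203.0.113.10 443 51200 jdoe wsa01"
TOO_LONG = GOOD + "?q=" + "a" * 1500
SHORT = "1717430400 125 10.1.2.3 51234 842 203.0.113.10 443 51200 jdoe wsa01"
SAMPLE_LINES = [GOOD, SWAPPED, TOO_LONG, SHORT]

if __name__ == "__main__":
    recs, probs = validate_lines(SAMPLE_LINES)
    print(f"{len(recs)} parsed, {len(probs)} problems")
    for n, why in probs:
        print(f"line {n}: {why}")
```

Run it against a capture of the syslog stream (for example the payloads from a packet capture on UDP 514 between the WSA and the Flow Collector) before troubleshooting the collector side; a field-order mistake in the subscription shows up here as a type mismatch on every line.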
Configuring Blue Coat proxy logs
Use this section to configure Blue Coat proxy logs so that they are sent to Secure Network Analytics.
The Blue Coat proxy version used for testing was SG V100, SGOS 6.5.5.7 SWG Edition.
Creating a Format
To create a new log format, complete the following steps:
1. In your browser, go to your Blue Coat proxy server.
2. Click the Configuration tab.
3. From the Management Console main menu, click Access Logging > Formats.
4. Click New at the bottom of the page. The Create Format page opens.
5. In the Format Name field, type a name for the new format.
6. Select the W3C Extended Log File Format (ELFF) option.
7. In the Format field, type the following string exactly (field order matters, as for the WSA format):
timestamp time-taken c-ip c-port r-ip r-port s-ip s-port cs-bytes sc-bytes cs-user cs-host cs-uri
8. Click OK. Go to the next section, Creating a New Log.
Creating a New Log
To create the log, complete the following steps:
1. From the main menu, click Access Logging > Logs, and then select the new log format. The Log page opens.
2. Click the General Settings tab.
3. From the Log Format drop-down list, select the format you created in Creating a Format.
4. In the Description field, type a description for your new log.
5. Click the Apply button at the bottom of the page. Go to the next section, Configuring the Upload Client.
Configuring the Upload Client
To configure the upload client, complete the following steps:
1. Click the Upload Client tab. The Upload Client page opens.
2. From the Client type drop-down list, select Custom Client.
3. Click the Settings button. The Custom Client settings page opens.
4. In the appropriate fields, type the IP address of the Flow Collector and the listening port of the proxy parser.
SSL is not supported at this time.
5. Click OK.
6. For the Transmission Parameters, complete the following steps:
- a. For Encryption Certificate, select No encryption.
- b. From the Signing Keyring drop-down list, select no signing.
- c. For "Save the log file as", select the text file option.
- d. In the "Send partial buffer after" text box, type 5.
- e. Click the Upload Schedule tab, and then select the option to upload the access log continuously.
- f. In the Wait between connect attempts field, type 60.
- g. In the Time between keep-alive log packets field, type 5.
7. Click the Apply button at the bottom of the page. Go to the next section, Configuring the Upload Schedule.
Configuring the Upload Schedule
To configure the upload schedule, complete the following steps:
1. Click the Upload Schedule tab.
2. For "Upload the access log," select continuously.
3. Set Wait between connect attempts to 60 seconds.
4. Set Time between keep-alive log packets to 5 seconds.
5. Click the Apply button at the bottom of the page.
This completes the Blue Coat proxy log configuration for the Flow Collector.
Requirements
Additional notes on the configuration:
- Make sure the Flow Collector and the proxy use the same NTP server (or get their time from the same source) so that flow records and proxy records can be matched.
- Only one log output method is supported for the proxy. If you are already exporting the logs elsewhere, you cannot also capture and analyze the proxy records.
- UDP Director High Availability is not supported.
Configuring the Visual Policy Manager
Configuring the Visual Policy Manager lets you verify that the proxy log is being sent to the Flow Collector.
1. On the Configuration tab in the main menu, click Policy > Visual Policy Manager. The Visual Policy Manager opens.
2. Click the Launch button below your configured log. The Visual Policy Manager login window opens.
3. Click Policy > Add Web Access Layer. The add new layer screen opens.
4. Type a name for the new layer, and then click OK.
5. Right-click Deny in the Action column, and then click Set. The Set Action Object dialog opens.
6. Click New, and then select Modify Access Logging. The Edit Access Logging Object dialog opens.
7. Click Enable logging to.
8. Type the name of your log, and then select your log.
9. Click OK. The object is added.
10. In the Set Action Object dialog, click OK.
11. Click the Install Policy button at the top right.
12. Click No, and then OK, in the windows that follow.
13. Launch the Blue Coat Visual Policy Manager again.
14. Right-click the logging tab and select Enable Layer.
15. Click the Install Policy button. The Installed Policy window opens.
16. Click OK.
17. Click the Statistics tab, and then from the logging menu, select your log.
18. From the main menu, click Access Logging, and then click the Log Tail tab. The Log Tail window opens.
19. Click the Start Tail button at the bottom of the page.
20. From the Statistics main menu, click System > Event Logging. This page shows whether the log file is being uploaded to the Flow Collector and any changes that were made. It shows whether the proxy is connected to the Flow Collector.
21. Go to the section Configuring the Flow Collector to set up the Flow Collector to receive the syslog information.
Configuring McAfee proxy logs
Use this section to configure McAfee proxy logs from the McAfee Web Gateway so that they are sent to Secure Network Analytics.
- Make sure you have downloaded the XML configuration file for the McAfee proxy. Go to Cisco Software Central to download the configuration readme and the Proxy Log XML files.
- Log in with your Cisco Smart account at https://software.cisco.com, or contact your administrator.
- The McAfee proxy version used for testing was 7.4.2.6.0 - 18721.
To set up the McAfee proxy log, complete the following steps:
1. Download the XML file, FlowCollector_[date]_McAfee_Log_XML_Config_[v].xml, and save it to a location of your choice.
"date" is the date of the XML file, and "v" is the McAfee proxy version. Choose the XML file whose version number matches your McAfee proxy.
To download the file, complete the following steps:
- a. Go to https://software.cisco.com, Cisco Software Central.
- b. In the Download and manage > Download and Upgrade section, select Access downloads.
- c. Scroll down to the Select a Product field.
- d. Type Secure Network Analytics in the Select a Product field. Press Enter.
- e. Select Secure Network Analytics Virtual Flow Collector or another Flow Collector.
- f. Select Secure Network Analytics System Software > Configuration Files.
2. Log in to the McAfee proxy server.
3. Click the Policy icon, and then click the Rule Sets tab.
4. Select Log Handler, and then select Default.
5. Click Add > Rule Set from Library.
6. Click Import from file, and then select the XML file.
7. Select mcafeelancopelog from the newly imported log handler.
Make sure the rule set and the rules "create access log line" and "send to syslog" are enabled.
8. Click the Configuration icon at the top of the page.
9. On the left side of the page, click the File Editor tab, and then select the rsyslog.conf file.
10. At the bottom of the text box (next to the list of files), type the following text:

Make sure you select the Flow Collector that collects data from the exporters and endpoints you want to investigate in the proxy log.
11. Comment out the line that begins with:
*.info;mail.none;authpriv.none;cron.none
12. Add this line (the daemon.!=info clause keeps the proxy records, which are logged at daemon.info, out of the local messages file; the leading "-" tells rsyslog to write the file asynchronously and must stay attached to the path):
*.info;daemon.!=info;mail.none;authpriv.none;cron.none -/var/log/messages
13. Click the Save Changes button at the top right of the page.
14. Go to the section Configuring the Flow Collector to set up the Flow Collector to receive the syslog information.
Configuring Squid proxy logs
Use this section to configure Squid proxy logs so that they are sent to Secure Network Analytics. You can edit the files on the proxy server over SSH.
To configure Squid proxy logs, complete the following steps:
1. Log in to a shell on the machine running Squid.
2. Go to the directory that contains squid.conf (usually /etc/squid) and open it in an editor.
3. Add the following lines to squid.conf to configure logging:
logformat access_format %ts%03tu % a %>p %>st %
4. Restart Squid with one of the following:
- For init-based systems: /etc/init.d/squid3 restart
- For systemd-based systems: systemctl restart squid
5. Configure the syslog service on the Squid server to forward the logs to the Flow Collector. The details depend on the Linux distribution and syslog service.
For syslog-ng, add the following to /etc/syslog-ng/syslog-ng.conf:
# Record Logging Facility BEGIN
filter bs_filter { filter(f_user) and level(info) };
destination udp_proxy { udp("10.205.14.15" port(514)); };
log { source(s_all); filter(bs_filter); destination(udp_proxy); };
# Record Logging Facility END
The names f_user and s_all refer to the filter and source already defined in your syslog-ng.conf; adjust them if your distribution uses different names.
For rsyslog, add the following to /etc/rsyslog.conf:
:programname, contains, "squid" @10.205.14.15:514
The single @ forwards over UDP; 10.205.14.15 is an example address. Use the IP address of the Flow Collector that collects data from the exporters and endpoints you want to investigate in the proxy log.
6. Then restart the syslog service.
- For init-based systems:
/etc/init.d/syslog-ng restart (for syslog-ng)
/etc/init.d/rsyslog restart (for rsyslog)
- For systemd-based systems:
systemctl restart syslog-ng (for syslog-ng; on some distributions the unit is also reachable as syslog)
systemctl restart rsyslog (for rsyslog)
7. Go to the section Configuring the Flow Collector to set up the Flow Collector to receive the syslog information.
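The following is an added example, not part of this guide or of any of the proxy products: a small sender that builds one RFC 3164 syslog datagram the way the forwarding rules above expect it, so you can confirm the path to the Flow Collector before trusting the proxy itself. It uses facility user and severity info (PRI 14), which is what the syslog-ng filter selects, and the tag squid, which is what the rsyslog ':programname, contains, "squid"' selector matches; the facility parameter also covers the daemon.info records the McAfee rule set sends. The hostname, record body and collector address are constructed for the example; the 1500-byte MTU budget comes from Requirements.

```python
"""Build and send a test syslog datagram to a Flow Collector.

Added example, not part of the Cisco guide. Facility/severity numbering is
from RFC 3164; the collector address below is the example value used in the
guide's rsyslog and syslog-ng snippets.
"""
import socket
import time
from typing import Optional

FACILITY = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4,
            "syslog": 5, "local0": 16, "local1": 17}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}
PATH_MTU = 1500
MAX_DATAGRAM = PATH_MTU - 28   # leave room for IPv4 (20) + UDP (8) headers


def priority(facility: str, severity: str) -> int:
    """RFC 3164 PRI value: facility * 8 + severity (user.info is 14)."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def build_datagram(message: str, tag: str = "squid", facility: str = "user",
                   severity: str = "info", hostname: str = "proxy01",
                   pid: Optional[int] = None, when: Optional[float] = None) -> bytes:
    """Frame one BSD-syslog line: <PRI>Mmm dd hh:mm:ss host tag[pid]: message.

    Raises ValueError if the frame would not fit in a single datagram under
    the path MTU, which is the fragmentation case the guide warns about.
    """
    t = time.localtime(when)
    ts = f"{time.strftime('%b', t)} {t.tm_mday:2d} {time.strftime('%H:%M:%S', t)}"
    proc = f"{tag}[{pid}]" if pid is not None else tag
    data = f"<{priority(facility, severity)}>{ts} {hostname} {proc}: {message}".encode("utf-8")
    if len(data) > MAX_DATAGRAM:
        raise ValueError(f"datagram is {len(data)} bytes, over the {MAX_DATAGRAM}-byte budget")
    return data


def send(datagram: bytes, collector: str, port: int = 514) -> int:
    """Send over UDP; returns bytes sent. UDP gives no acknowledgement, so
    confirm receipt by watching the webproxy counters in sw.log."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(datagram, (collector, port))


if __name__ == "__main__":
    # Constructed squid-style record; in production the body comes from Squid's
    # access_log in whatever logformat you configured.
    record = ("1717430400.123 125 10.1.2.3 TCP_MISS/200 51200 GET "
              "https://example.com/ jdoe HIER_DIRECT/203.0.113.10 text/html")
    dgram = build_datagram(record, pid=4242)
    print(dgram.decode())
    # send(dgram, "10.205.14.15")   # example collector address from the guide
```

If the collector's webproxy counters do not move after a send, the usual causes are a mismatched facility or tag (the selector never fires on the proxy side) or a firewall between the proxy and UDP 514 on the collector; the datagram printed by the script is what a packet capture on the collector should show.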
Configuring the Flow Collector
After you configure the proxy server, you need to configure the Flow Collector to accept the data.
To configure the Flow Collector to receive the syslog information, complete the following steps:
1. Log in to your Manager.
2. Select Configure > Global > Central Management.
3. Click the (Ellipsis) icon for your Flow Collector, and then click View Appliance Statistics.
4. Log in to the Flow Collector. The Flow Collector interface opens.
5. Click Configuration > Proxy Ingest. The Proxy Servers page opens.
6. Type the IP address of the proxy server.
7. From the Proxy Type drop-down list, select your proxy server type.
If your proxy server type is not listed, you cannot use proxy logs at this time.
8. If the proxy server:
- has only one IP address, type the proxy server IP address in the IP Address field. Leave the Telemetry IP Address field blank.
- has more than one IP address, type the management IP address of the proxy server (the source IP address of the syslog messages) in the IP Address field. In the Telemetry IP Address field, type the telemetry IP address of the proxy server.
9. In the Proxy Service Port field, type the port number of the proxy server.
10. If you want the proxy server to trigger alarms, clear the Exclude from Alarming check box.
11. Click Add.
12. Click Apply. The proxy server appears in the Proxy Ingest table at the top of the page.
13. Go to the section Verifying Flows.
Verifying Flows
To verify that you are receiving flows, complete the following steps:
1. In the Flow Collector interface, click Support > Browse Files from the main menu. The Browse Files page opens.
2. Open the sw.log file.
3. Check that the webproxy counters are increasing, which indicates that the Flow Collector is receiving the data.
Contacting Support
If you need technical support, please do one of the following:
- Contact your local Cisco Partner
- Contact Cisco Support
- To open a case by web: http://www.cisco.com/c/en/us/support/index.html
- For phone support: 1-800-553-2447 (US)
- For worldwide support numbers:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Change History

Copyright Information
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)

© 2025 Cisco Systems, Inc. and/or its affiliates.
All Rights Reserved.
Documents / Resources
Cisco WSA Secure Network Analytics [pdf] User Guide (WSA 14-5-1-016, Blue Coat, McAfee, Squid)
