Eventtracker Macos Integration Guide
Total Page:16
File Type:pdf, Size:1020Kb
Integration Guide Integrating macOS with EventTracker EventTracker v9.3 and above Publication Date: July 16, 2021 © Copyright Netsurion. All Rights Reserved. 1 Abstract This guide provides instructions to configure macOS (Sierra, High Sierra, Mojave, Catalina, and Big Sur) to generate and forward logs for critical events. Once EventTracker is configured to collect and parse these logs, dashboard and reports can be configured to monitor macOS. Scope The configuration details in this guide are consistent with EventTracker version v9.3 or above and Apple macOS. Audience Administrators who are assigned the task to monitor macOS events using EventTracker. © Copyright Netsurion. All Rights Reserved. 2 Table of Contents Table of Contents 3 1. Overview 4 2. Prerequisites 4 3. EventTracker Manager configuration 4 4. EventTracker macOS Log Forwarder Installation and Configuration 7 5. EventTracker Knowledge Pack 7 4.1 Flex Reports 8 4.2 Alerts 10 4.3 Categories and Saved searches 10 4.4 Dashboard 11 5. Importing macOS Knowledge Pack into EventTracker 12 5.1 Category 13 5.2 Alerts 14 5.3 Token Templates 15 5.4 Knowledge Objects 15 5.5 Flex Reports 16 5.6 Dashboards 17 6. Verifying macOS Knowledge Pack in EventTracker 20 6.1 Categories 20 6.2 Alerts 20 6.3 Token Templates 20 6.4 Knowledge Objects 21 6.5 Flex Reports 21 6.6 Dashboards 22 About Netsurion 23 © Copyright Netsurion. All Rights Reserved. 3 1. Overview Apple Macintosh Operating System (Mac) is a Unix-like Operating system. Mac contains numerous log files sent by various system processes and applications. These logs can be forwarded to syslog server. With EventTracker, you can monitor macOS events from a single view. EventTracker checks the status and availability of macOS for critical processes and consolidates all the syslog. EventTracker can generate flex reports and can also trigger alerts whenever it detects any suspicious activities. These alerts and flex reports will help you to analyze login and logout activities, authentication failure and any kind of administrator activities. 2. Prerequisites • macOS (Sierra, High Sierra, Mojave, Catalina, and Big Sur) should be configured for forwarding logs. • Make sure the syslog port to be provided during integration is open in macOS and perimeter firewalls. • It is strongly recommended to use TLS+TCP (syslog over TLS) based connection with EventTracker. EventTracker syslog port should be configured for TLS. Please follow this guide. You can also use TCP or UDP based connection based on your need. • Add exception for syslog port to be provided during integration in firewall, if exists in between macOS and EventTracker Manager. 3. EventTracker Manager configuration 1. Click on Manager under Admin. • Go to syslog/Virtual Collection Point tab. Make sure TLS+TCP is enabled on EventTracker manager against this syslog port. It is recommended to use TLS+TCP based communication between manager and macOS. You can also use TCP or UDP based connection based on your need. © Copyright Netsurion. All Rights Reserved. 4 2. Click on the symbol and then select Extract device Id. 3. Provide below Regex in Regular Expression space. Hostname:(?P<Computer>[^,]+)\,\sTenant:(?P<Tenant>[^,]+) 4. Provide below value in Token name. Computer~Tenant. 5. Check Active box. 6. Click on Add and then close. © Copyright Netsurion. All Rights Reserved. 5 7. Click on the symbol and then select Assign Device Type. 8. Provide below regex in Regular Expression Space. ETSmacOSLogForwarder 9. Select Device Type as Mac. 10. Check Active box. 11. Click on Add and then close. © Copyright Netsurion. All Rights Reserved. 6 12. Click Save. 4. EventTracker macOS Log Forwarder Installation and Configuration Please refer this guide to understand how to install macOS Log Forwarder and forward logs to EventTracker. 5. EventTracker Knowledge Pack After logs are received by EventTracker manager, Knowledge Packs can be configured into EventTracker. The following Knowledge Packs are available in EventTracker to support macOS. © Copyright Netsurion. All Rights Reserved. 7 5.1 Flex Reports • Mac OS - Administrative activities - This report gives the information about any kind of administrative activities in macOS. Sample logs: • Mac OS - Authentication and Authorization - This report gives the information about user authentication and authorization activities in macOS. Sample logs: • Mac OS - Command executed - This report gives information about command executed by users. © Copyright Netsurion. All Rights Reserved. 8 Sample logs: • Mac OS - Login and Logout activities - This report gives information about user login and logout activities based on local or remote. Sample logs: © Copyright Netsurion. All Rights Reserved. 9 • Mac OS - User and Group management - This report gives information about user and group management activities like modification, creation, and addition. Sample logs: 5.2 Alerts • Mac OS: Login failure - This alert will be generated when the user login failure is attempted. • Mac OS: User authentication failure - This alert will be generated when the user authentication fails. 5.3 Categories and Saved searches • Mac OS - Administrative activities - This category-based report provides information related to administrative activities. • Mac OS - Authentication and Authorization - This category-based report provides information related to user authentication and authorization activities. • Mac OS - Command executed - This category-based report provides information related to command executed by users. • Mac OS - Login and Logout activities - This category-based report provides information related to user login and logout activities based on local or remote. • Mac OS - User and Group management- This category-based report provides information related to user and group management activities like modification, creation, and addition. © Copyright Netsurion. All Rights Reserved. 10 5.4 Dashboard • Mac OS- Authentication and Authorization: This dashboard provides information related to user authentication and authorization activities. • Mac OS- User Authentication failure: This dashboard provides information related to user authentication failure activities. • Mac OS- User and Group management: This dashboard provides information related to user and group management activities like addition, creation, and modification. © Copyright Netsurion. All Rights Reserved. 11 • Mac OS- Login and Logout activities: This dashboard provides information related to user login and logout activities. 6. Importing macOS Knowledge Pack into EventTracker Note: Import knowledge pack items in the following sequence: • Categories • Alerts • Token Templates • Knowledge Objects © Copyright Netsurion. All Rights Reserved. 12 • Flex Reports • Dashboards 1. Launch EventTracker Control Panel. 2. Double click Export Import Utility. 3. Click the Import tab. 6.1 Category 1. Click Category option, and then click the browse button. © Copyright Netsurion. All Rights Reserved. 13 2. Locate Category_MAC OS.iscat file, and then click the Open button. 3. To import categories, click the Import button. EventTracker displays success message. 4. Click OK, and then click the Close button. 6.2 Alerts 1. Click Alert option, and then click the browse button. 2. Locate Alert_MAC OS.isalt file, and then click the Open button. 3. To import alerts, click the Import button. © Copyright Netsurion. All Rights Reserved. 14 4. Click OK, and then click the Close button. 6.3 Token Templates 1. Click Parsing rules under Admin option in the EventTracker manager page. 2. Move to Template and click on import configuration icon on the top right corner. 3. In the popup window browse the file named Token Template_ MAC OS.ettd. 4. Select all the check box and then click on Import option. EventTracker displays success message. 5. Click OK, and then click the Close button. 6.4 Knowledge Objects 1. Click Knowledge objects under Admin option in the EventTracker manager page. 2. Locate the KO_MAC OS.etko file. © Copyright Netsurion. All Rights Reserved. 15 3. Click the Upload option. 4. Select all the check box and then click on Import option. 5. Knowledge objects are now imported successfully. 6. Click OK, and then click the Close button. 6.5 Flex Reports On EventTracker Control Panel, 1. Click Reports option and select new (*.etcrx) from the option. © Copyright Netsurion. All Rights Reserved. 16 2. Locate the Reports_MAC OS.etcrx file and select all the check box. 3. Click the Import button to import the reports. EventTracker displays success message. 4. Click OK, and then click the Close button. 6.6 Dashboards Note: If you have EventTracker version v9.3, you can import dashboards. 1. Open EventTracker. © Copyright Netsurion. All Rights Reserved. 17 2. Navigate to Dashboard>My Dashboard. My Dashboard pane is shown. 3. Click the Import button to import the dashlets. 4. Locate the Dashboard_MAC OS.etwd file. 5. Click the Upload option. © Copyright Netsurion. All Rights Reserved. 18 6. Select all the check box and then click on Import option. Dashlets are now imported successfully. 7. Click the Add button to create a new dashlets. 8. Fill suitable Title and Description and click Save. 9. Click Customize to locate macOS dashlets and choose all created dashlets for macOS. 10. Click Add dashlet to create dashboard. © Copyright Netsurion. All Rights Reserved. 19 7. Verifying macOS Knowledge Pack in EventTracker 7.1 Categories 1. Logon to EventTracker. 2. Click Admin dropdown, and then click Categories. 3. In Category Tree to view imported categories,