In general, to configure collecting information from sources, you follow these steps:
Name | Description
---|---
Step 1. Configure audit on AD and Syslog servers | You may need to enable audit on AD servers for the following security event categories: On syslog servers, configure log upload to the IP address of the UserID Log collector.
Step 2. Create a UserID agent | To do that, go to Settings ➜ Users and devices ➜ UserID agent, click Add, and select the desired agent type.
Step 3. Configure the UserID agent settings | To do so, click the Configure agent button under Users and devices ➜ UserID agent.
Step 4. Configure the event source | You can use Microsoft Active Directory or Syslog as sources.
When configuring the agent, you must fill in the following fields:
Name | Description
---|---
General tab | General agent settings.
Polling interval (sec.) | Active Directory servers polling interval. The default value is 120 seconds.
Session expiration time (sec.) | The period of time after which the user's session is forcibly terminated. The default value is 2700 seconds (45 minutes).
Syslog Monitoring Interval (sec.) | Database poll period for finding user session start/end events in the syslog sources.
Syslog server settings tab | This tab is used to configure a Syslog collection agent.
Protocol | The underlying protocol for collecting logs using the Syslog protocol: To select a protocol, set the Enabled checkbox in the corresponding section.
Port | The port number used to collect Syslog events. The default port is 514.
Max session number | The maximum allowed number of concurrent devices connected for message sending.
Secure connection | Enable or disable data flow encryption. This is part of the Syslog server configuration when the TCP protocol is used. For more details on using TLS with Syslog, refer to the relevant documentation.
CA certificate file | The certification authority (CA) certificate used to establish a secure connection. This is part of the Syslog server configuration when the TCP protocol is used.
Certificate file | A user-created, CA-signed certificate that must be specified when configuring a secure connection. This is part of the Syslog server configuration when the TCP protocol is used.
Ignore network list tab | Lists of IP addresses whose events the UserID agent should ignore. A record about the ignored source appears in the UserID log. You can create the list under Libraries ➜ IP addresses or while configuring the agent (Create and add new object button). For more details about how to create and configure IP address lists, see IP addresses. This setting is global and applies to all sources.
Ignore user list tab | Names of users whose events the UserID agent should ignore. The search is based on the Common Name (CN) of the AD user. This setting is global and applies to all sources. A record about the ignored user appears in the UserID log. Important! When specifying a name, you can use the asterisk (*), but only at the end of a string.