
Niksun NetDetector CEF Certified Configuration Guide

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 3 min read

Summary:

The "Common Event Format Configuration Guide" for NIKSUN's NetDetector product describes how to set up the CEF (Common Event Format) Connector for syslog event collection on Windows, Linux, and Solaris, for device version 4.0. The ArcSight server IP address or hostname is configured through the appliance GUI, under the Notifications tab of each alarming module in the NetDetector appliance; entering the ArcSight Server IP/hostname there is what enables CEF event delivery. Key aspects:

  • Event types such as network utilization and TCP connections are configured individually, and each type is assigned a specific ID.
  • A table maps each vendor-specific event definition to an ArcSight data field: StartTime, End Time, Name, Severity, Device Type, Host Name (dvchost), Attacker Address (src), Destination, Source Port (spt), Destination Port (dpt), Monitoring Interval, Threshold, Breached Value, Layer, Filter, Classification, Description, Interface name, and Event Category.
  • The guide breaks down how the information in each vendor event is sent to the ArcSight SmartConnector, with every vendor-specific event definition mapped to its corresponding ArcSight data field.
  • Some fields are specific to particular events, such as Average Jitter (1001), Packet Loss (1002), Average Packet Delay (1003), Average MOS (1004), and Total Calls (1005); the mapping defines how those metrics appear in ArcSight.
  • The "Event Category" field is mapped to the CEF key "cat", which is used to classify events across multiple event types in the unified monitoring framework.

The document serves as a guide to interoperability between NIKSUN's NetDetector and ArcSight, bringing the vendor-specific event types into a unified monitoring environment built on ArcSight.

Details:

The "Common Event Format Configuration Guide" for NIKSUN's NetDetector product provides instructions for setting up the CEF (Common Event Format) Connector for syslog event collection. The guide applies to Windows, Linux, and Solaris platforms and supports device version 4.0. It explains how to configure the ArcSight server IP address through the graphical user interface (GUI) for each alarming module in the NetDetector appliance. The settings live under the Notifications tab, where the ArcSight Server IP/hostname is entered to enable CEF events. The configurable event types include network utilization, TCP connections, and more, each with its own assigned ID. The document is part of a series intended to ensure interoperability between NIKSUN's NetDetector and ArcSight for security surveillance and management.

The guide then summarizes the mappings between vendor-specific event definitions and ArcSight data fields, describing how the information in each vendor event is sent to the ArcSight SmartConnector and mapped onto the appropriate ArcSight data field. Key details:

1. **Event Definitions and Data Fields**: The table covers StartTime, End Time, Name, Severity, Device Type, Host Name (dvchost), Attacker Address (src), Destination, Source Port (spt), Destination Port (dpt), Monitoring Interval, Threshold, Breached Value, Layer, Filter, Classification, Description, Interface name, and Event Category.
2. **Mapping Breakdown**: Each vendor-specific event definition is mapped to a corresponding ArcSight data field. For example, "Device Severity" maps to "Severity", and "Device Host Name (dvchost)" corresponds to "recorder Device Host Name".
3. **Specific Fields for Certain Events**: Some fields exist only for particular events, such as Average Jitter (1001), Packet Loss (1002), Average Packet Delay (1003), Average MOS (1004), and Total Calls (1005); the mapping shows how these metrics are represented in ArcSight.
4. **Event Category**: The "Event Category" field is mapped to the CEF key "cat", so the same categorization is applied across multiple event types for classification.

Taken together, the mappings show how the different event types and their data points are standardized and integrated into a unified monitoring framework on ArcSight, giving interoperability across vendor-specific sources.
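The guide describes the mapping but not the wire format a collector actually sees. As an added example (this is not code from the NIKSUN guide or from ArcSight), the Python below parses CEF syslog lines into the ArcSight field names listed above. It assumes the appliance emits a standard CEF header (`CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|extension`) with the standard extension keys the guide names (`dvchost`, `src`, `spt`, `dpt`, `cat`); `dst` is the standard CEF key for the "Destination" field the guide lists without a key. The vendor, product, and version strings in the sample lines are assumptions, the sample lines themselves are constructed, and the signature IDs 1001 to 1005 are the ones the guide assigns. Beyond the mapping itself, the parser handles the two things that break naive `split("|")` / `split(" ")` collectors: CEF escapes (`\|`, `\=`, `\\`) and a free-text value that carries an unescaped `key=` token, which would otherwise let a sender overwrite fields such as `src`.

```python
"""Parse CEF lines from a NIKSUN-style sender into the ArcSight field names the guide lists.

Added example for this page, not NIKSUN's or ArcSight's code. Assumptions:
standard CEF header and standard extension keys; vendor/product/version
strings and all sample lines below are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Signature IDs the guide assigns to the VoIP metrics.
SIGNATURE_NAMES = {
    "1001": "Average Jitter",
    "1002": "Packet Loss",
    "1003": "Average Packet Delay",
    "1004": "Average MOS",
    "1005": "Total Calls",
}

# CEF extension key -> ArcSight data field, per the guide's mapping table.
# 'dst' is the standard CEF key; the guide lists only the field name "Destination".
EXTENSION_TO_ARCSIGHT = {
    "dvchost": "Device Host Name",
    "src": "Attacker Address",
    "spt": "Source Port",
    "dst": "Destination",
    "dpt": "Destination Port",
    "cat": "Event Category",
}

HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")

# An extension key starts the line or follows whitespace; escaped '\=' never matches
# because the backslash is not a key character.
_EXT_KEY = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")
_ESCAPE = re.compile(r"\\(.)")


def _unescape(raw: str) -> str:
    """Undo CEF escapes: \\| \\= \\\\ plus the \\n and \\r line-break escapes."""
    return _ESCAPE.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), raw)


def _split_header(text: str) -> Tuple[List[str], str]:
    """Split the 7 header fields on unescaped '|' only; return (fields, extension)."""
    fields, buf, i = [], [], 0
    while i < len(text) and len(fields) < 7:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])  # keep the escape pair for _unescape
            i += 2
        elif ch == "|":
            fields.append(_unescape("".join(buf)))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("CEF header must have 7 pipe-delimited fields")
    return fields, text[i:]


def _parse_extension(ext: str) -> Dict[str, str]:
    """Parse 'key=value key2=value ...'. Values may contain spaces; a literal '='
    inside a value must be escaped as '\\='. A repeated key means some value
    carried an unescaped 'key=' token (attribute injection via free text): reject."""
    out: Dict[str, str] = {}
    keys = list(_EXT_KEY.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        key = m.group(1)
        if key in out:
            raise ValueError(f"duplicate extension key {key!r}: possible injection")
        out[key] = _unescape(ext[m.end():end].rstrip())
    return out


def parse_cef(line: str) -> Dict[str, str]:
    """Parse one CEF line into a dict keyed by the ArcSight field names."""
    line = line.rstrip("\r\n")
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    fields, ext = _split_header(line[len("CEF:"):])
    event = dict(zip(HEADER_FIELDS, fields))
    sig = event["signature_id"]
    # The guide fixes the ID-to-name assignment; a mismatch means drift or a forged event.
    if sig in SIGNATURE_NAMES and event["name"] != SIGNATURE_NAMES[sig]:
        raise ValueError(f"signature {sig} should be {SIGNATURE_NAMES[sig]!r}, got {event['name']!r}")
    for key, value in _parse_extension(ext).items():
        event[EXTENSION_TO_ARCSIGHT.get(key, key)] = value
    return event


# Constructed sample lines (not from the guide).
SAMPLE_LINES = [
    "CEF:0|NIKSUN|NetDetector|4.0|1001|Average Jitter|5|"
    "dvchost=nd-core-01 src=10.1.2.3 spt=5060 dst=10.1.2.200 dpt=5060 cat=VoIP",
    # escaped '=' in a category value and escaped '|' inside a message
    "CEF:0|NIKSUN|NetDetector|4.0|1002|Packet Loss|7|"
    "dvchost=nd-core-01 src=10.1.2.3 cat=Quality\\=Degraded msg=loss on trunk A\\|B",
]
# Constructed: a free-text msg carrying an unescaped 'src=' that tries to overwrite the source.
INJECTED_LINE = ("CEF:0|NIKSUN|NetDetector|4.0|1005|Total Calls|3|"
                 "dvchost=nd-core-01 src=10.1.2.3 msg=caller id text src=203.0.113.9 cat=VoIP")

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(parse_cef(sample))
    try:
        parse_cef(INJECTED_LINE)
    except ValueError as exc:
        print("rejected:", exc)
```

Rejecting duplicate keys is deliberately strict: a CEF-conformant sender never repeats a key, so a repeat is the clearest signal that a field was built from unescaped free text. If your pipeline must keep such events, quarantine them rather than silently taking the last value, since that is exactly the overwrite an attacker wants.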

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.


