Several IBM Proventia DSMs are supported by JSA:
IBM Proventia Management SiteProtector
The IBM Proventia Management SiteProtector DSM for JSA accepts SiteProtector events by polling the SiteProtector database.
The DSM allows JSA to record Intrusion Prevention System (IPS) events and audit events directly from the IBM SiteProtector database.
The IBM Proventia Management SiteProtector DSM requires the latest JDBC Protocol to collect audit events.
The IBM Proventia Management SiteProtector DSM for JSA can accept detailed SiteProtector events by reading information from the primary SensorData1 table. The SensorData1 table is generated with information from several other tables in the IBM SiteProtector database. SensorData1 remains the primary table for collecting events.
IDP events include information from SensorData1, along with information from the following tables:
Audit events include information from the following tables:
Audit events are not collected by default and make a separate query to the AuditInfo and AuditTrail tables when you select the Include Audit Events check box. For more information about your SiteProtector database tables, see your vendor documentation.
Before you configure JSA to integrate with SiteProtector, we suggest that you create a database user account and password in SiteProtector for JSA.
Your JSA user must have read permissions for the SensorData1 table, which stores SiteProtector events. The JDBC - SiteProtector protocol allows JSA to log in and poll for events from the database. Creating a JSA account is not required, but it is recommended for tracking and securing your event data.
Ensure that no firewall rules are blocking the communication between the SiteProtector console and JSA.
Configuring a Log Source in JSA to collect IBM Proventia Management SiteProtector Events
Configure JSA to collect IBM Proventia Management SiteProtector events by using the JDBC protocol.
- Click the Admin tab.
- Click the Log Sources icon.
- Click Add.
the parameters. The following table describes the parameters that require specific values to collect events from IBM Proventia Management
Table 1: IBM® Proventia Management SiteProtector JDBC Protocol Parameters
Log Source Name
Type a unique name for the log source.
Log Source Description (Optional)
Type a description for the log source.
Log Source Type
IBM Proventia Management SiteProtector
Log Source Identifier
Type a name for the log source. The name can't contain spaces and must be unique among all log sources of the log source type that is configured to use the JDBC protocol.
If the log source collects events from a single appliance that has a static IP address or host name, use the IP address or host name of the appliance as all or part of the Log Source Identifier value; for example, 192.168.1.1 or JDBC192.168.1.1. If the log source doesn't collect events from a single appliance that has a static IP address or host name, you can use any unique name for the Log Source Identifier value; for example, JDBC1, JDBC2.
From the list, select MSDE as the type of database to use for the event source.
The name of the database to which you want to connect.
IP or Hostname
Type the IP address or host name of the database server.
Type the port number that is used by the database server. The default port for MSDE is 1433. You must enable and verify that you can communicate by using the port that you specified in the Port field.
The JDBC configuration port must match the listener port of the IBM Proventia database. To be able to communicate with JSA, the IBM Proventia database must have incoming TCP connections enabled.
If you define a database instance that uses MSDE as the database type, you must leave the Port parameter blank in your configuration.
Type the database user name. The user name can be up to 255 alphanumeric characters in length. The user name can also include underscores (_).
Type the database password.
The password can be up to 255 characters in length.
Confirm the password to access the database.
If you did not select Use Microsoft JDBC, Authentication Domain is displayed.
The domain for MSDE that is a Windows domain. If your network does not use a domain, leave this field blank.
The authentication domain must contain alphanumeric characters. The domain can include the following special characters: underscore (_), en dash (-), and period (.).
The database instance, if required. MSDE databases can include multiple SQL server instances on one server.
When a non-standard port is used for the database or access is blocked to port 1434 for SQL database resolution, the Database Instance parameter must be blank in the log source configuration.
Predefined Query (Optional)
Select a predefined database query for the log source. If a predefined query is not available for the log source type, administrators can select the none option.
Type the name of the view that includes the event records. The default table name is SensorData1.
Type * to include all fields from the table or view.
You can use a comma-separated list to define specific fields from tables or views, if needed for your configuration. The list must contain the field that is defined in the Compare Field parameter. The comma-separated list can be up to 255 alphanumeric characters in length. The list can include the following special characters: dollar sign ($), number sign (#), underscore (_), en dash (-), and period (.).
Type SensorDataRowID to identify new events added between queries to the table.
Use Prepared Statements
Prepared statements enable the JDBC protocol source to set up the SQL statement, and then run the SQL statement numerous times with different parameters. For security and performance reasons, most JDBC protocol configurations can use prepared statements.
Start Date and Time (Optional)
Type the start date and time for database polling in the following format: yyyy-MM-dd HH:mm with HH specified by using a 24-hour clock. If the start date or time is clear, polling begins immediately and repeats at the specified polling interval.
Type the polling interval, which is the amount of time between queries to the event table. The default polling interval is 10 seconds.
You can define a longer polling interval by appending H for hours or M for minutes to the numeric value. The maximum polling interval is 1 week in any time format. Numeric values without an H or M designator poll in seconds.
The number of Events Per Second (EPS) that you do not want this protocol to exceed. The valid range is 100 - 20,000.
Use Named Pipe Communication
If you did not select Use Microsoft JDBC, Use Named Pipe Communication is displayed.
MSDE databases require the user name and password field to use a Windows authentication user name and password and not the database user name and password. The log source configuration must use the default named pipe on the MSDE database.
Database Cluster Name
If you select the Use Named Pipe Communication check box, the Database Cluster Name parameter is displayed. If you are running your SQL server in a cluster environment, define the cluster name to ensure Named Pipe communication functions properly.
If you did not select Use Microsoft JDBC, Use NTLMv2 is displayed.
Select this option if you want MSDE connections to use the NTLMv2 protocol when they are communicating with SQL servers that require NTLMv2 authentication. This option does not interrupt communications for MSDE connections that do not require NTLMv2 authentication.
Use Microsoft JDBC
If you want to use the Microsoft JDBC driver, you must enable Use Microsoft JDBC.
Select this option if your connection supports SSL. This option appears only for MSDE.
Log Source Language
If you selected Use Microsoft JDBC and Use SSL, the Microsoft SQL Server Hostname parameter is displayed.
You must type the host name for the Microsoft SQL server.
- Click Save.
- On the Admin tab, click Deploy Changes.
The configuration is complete.
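How the Compare Field and Use Prepared Statements settings work together, shown as an added sketch that is not JSA's own code. Assumptions: sqlite3 stands in for the JDBC connection, the helper names, the AlertName and SrcAddress columns and the sample rows are constructed, and the identifier allowlist is stricter than the character set the parameter table permits.

```python
import re
import sqlite3

IDENT = re.compile(r"[A-Za-z0-9_]+")  # assumption: stricter than the UI allows

def build_query(table, select_list, compare_field):
    """Build the polling statement; only the row marker is a bound parameter."""
    fields = [f.strip() for f in select_list.split(",")]
    if fields != ["*"] and compare_field not in fields:
        raise ValueError("Select List must contain the Compare Field")
    # Identifiers cannot be bound as parameters, so allowlist them instead.
    for name in [table, compare_field] + [f for f in fields if f != "*"]:
        if not IDENT.fullmatch(name):
            raise ValueError(f"unsafe identifier: {name!r}")
    return (f"SELECT {', '.join(fields)} FROM {table} "
            f"WHERE {compare_field} > ? ORDER BY {compare_field}")

def poll(db, query, compare_field, last_seen):
    """One polling cycle: rows newer than last_seen, plus the updated marker."""
    rows = db.execute(query, (last_seen,)).fetchall()
    if rows:
        last_seen = rows[-1][compare_field]
    return rows, last_seen

def make_sample_db():
    """Constructed stand-in for SensorData1; columns other than
    SensorDataRowID are invented for this example."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row  # lets poll() read the marker by column name
    db.execute("CREATE TABLE SensorData1 (SensorDataRowID INTEGER PRIMARY KEY,"
               " AlertName TEXT, SrcAddress TEXT)")
    return db

def add_events(db, events):
    """Append constructed sample events; row IDs are assigned in order."""
    db.executemany(
        "INSERT INTO SensorData1 (AlertName, SrcAddress) VALUES (?, ?)", events)

if __name__ == "__main__":
    db = make_sample_db()
    query = build_query("SensorData1", "*", "SensorDataRowID")
    add_events(db, [("Sample_Alert_A", "192.0.2.10"),
                    ("Sample_Alert_B", "192.0.2.11")])
    rows, marker = poll(db, query, "SensorDataRowID", 0)
    print(len(rows), "events, marker", marker)
    add_events(db, [("Sample_Alert_C", "192.0.2.12")])
    rows, marker = poll(db, query, "SensorDataRowID", marker)
    print([r["AlertName"] for r in rows], "marker", marker)
```

Each cycle returns only rows whose SensorDataRowID is above the stored marker, which is why a Select List that omits the Compare Field is rejected before any query runs.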
IBM ISS Proventia
The IBM Integrated Systems Solutions (ISS) Proventia DSM for JSA records all relevant IBM Proventia events by using SNMP.
- In the Proventia Manager user interface navigation pane, expand the System node.
- Select System.
- Select Services.
The Service Configuration page is displayed.
- Click the SNMP tab.
- Select SNMP Traps Enabled.
- In the Trap Receiver field, type the IP address of the JSA that you want to monitor incoming SNMP traps.
- In the Trap Community field, type the appropriate community name.
- From the Trap Version list, select the trap version.
- Click Save Changes.
You are now ready to configure JSA to receive SNMP traps.
- To configure JSA to receive events from an ISS Proventia device: From the Log Source Type list, select IBM Proventia Network Intrusion Prevention System (IPS).
For more information about your ISS Proventia device, see your vendor documentation.