
Symantec System Center

The Symantec System Center (SSC) DSM for JSA retrieves events from an SSC database by using a custom view that is created for JSA.

JSA records all SSC events. To poll the view for information, you must configure the SSC database with a user that has read and write privileges for the custom JSA view. Symantec System Center (SSC) supports only the JDBC protocol.

Configuring a Database View for Symantec System Center

A database view is required by the JDBC protocol to poll for SSC events.

  1. In the Microsoft SQL Server database that is used by the SSC device, configure a custom default view to support JSA:

    Note:

    The database name must not contain any spaces.

      CREATE VIEW dbo.vw_qradar AS SELECT
        dbo.alerts.Idx AS idx,
        dbo.inventory.IP_Address AS ip,
        dbo.inventory.Computer AS computer_name,
        dbo.virus.Virusname AS virus_name,
        dbo.alerts.Filepath AS filepath,
        dbo.alerts.NoOfViruses AS no_of_virus,
        dbo.actualaction.Actualaction AS [action],
        dbo.alerts.Alertdatetime AS [date],
        dbo.clientuser.Clientuser AS user_name
      FROM
        dbo.alerts INNER JOIN
        dbo.virus ON dbo.alerts.Virusname_Idx = dbo.virus.Virusname_Idx INNER JOIN
        dbo.inventory ON dbo.alerts.Computer_Idx = dbo.inventory.Computer_Idx INNER JOIN
        dbo.actualaction ON dbo.alerts.Actualaction_Idx = dbo.actualaction.Actualaction_Idx INNER JOIN
        dbo.clientuser ON dbo.alerts.Clientuser_Idx = dbo.clientuser.Clientuser_Idx

After you create your custom view, you must configure JSA to receive event information by using the JDBC protocol.

JDBC Log Source Parameters for Symantec System Center

If JSA does not automatically detect the log source, add a Symantec System Center log source on the JSA Console by using the JDBC protocol.

When using the JDBC protocol, there are specific parameters that you must use.

The following table describes the parameters that require specific values to collect JDBC events from Symantec System Center:

Table 1: JDBC Log Source Parameters for the Symantec System Center DSM

Parameter

Value

Log Source Name

Type a unique name for the log source.

Log Source Description (Optional)

Type a description for the log source.

Log Source Type

Symantec System Center

Protocol Configuration

JDBC

Log Source Identifier

Type a name for the log source. The name can't contain spaces and must be unique among all log sources of the log source type that is configured to use the JDBC protocol.

If the log source collects events from a single appliance that has a static IP address or host name, use the IP address or host name of the appliance as all or part of the Log Source Identifier value; for example, 192.168.1.1 or JDBC192.168.1.1. If the log source doesn't collect events from a single appliance that has a static IP address or host name, you can use any unique name for the Log Source Identifier value; for example, JDBC1, JDBC2.

Database Type

MSDE

Database Name

Type Reporting as the name of the Symantec System Center database.

IP or Hostname

Type the IP address or host name of the Symantec System Center SQL Server.

Port

Type the port number that is used by the database server. The default port for MSDE is 1433.

The JDBC configuration port must match the listener port of the Symantec System Center database. The Symantec System Center database must have incoming TCP connections that are enabled to communicate with JSA.

If you define a Database Instance when you use MSDE as the database type, you must leave the Port field blank in your configuration.

Username

Type the user name that is required to access the database.

Password

Type the password that is required to access the database. The password can be up to 255 characters in length.

Confirm Password

Confirm the password that is required to access the database. The confirmation password must be identical to the password entered in the Password field.

Authentication Domain

If you did not select Use Microsoft JDBC, Authentication Domain is displayed.

The domain for MSDE that is a Windows domain. If your network does not use a domain, leave this field blank.

Database Instance

The database instance, if required. MSDE databases can include multiple SQL server instances on one server.

When a non-standard port is used for the database or access is blocked to port 1434 for SQL database resolution, the Database Instance parameter must be blank in the log source configuration.

Table Name

Type vw_qradar as the name of the table or view that includes the event records.

Select List

Type * for all fields from the table or view.

You can use a comma-separated list to define specific tables or views, if you need it for your configuration. The comma-separated list can be up to 255 alphanumeric characters in length. The list can include the following special characters: dollar sign ($), number sign (#), underscore (_), en dash (-), and period (.).

Compare Field

Type idx as the compare field. The compare field is used to identify new events that are added between queries to the table.

Use Prepared Statements

Prepared statements enable the JDBC protocol source to set up the SQL statement, and then run the SQL statement numerous times with different parameters. For security and performance reasons, most JDBC protocol configurations can use prepared statements.

Start Date and Time (Optional)

Type the start date and time for database polling in the following format: yyyy-MM-dd HH:mm, with HH specified by using a 24-hour clock. If the start date and time are left clear, polling begins immediately and repeats at the specified polling interval.

Polling Interval

Type the polling interval, which is the amount of time between queries to the event table. The default polling interval is 10 seconds.

You can define a longer polling interval by appending H for hours or M for minutes to the numeric value. The maximum polling interval is 1 week in any time format. Numeric values that are entered without an H or M poll in seconds.

EPS Throttle

Type the number of Events Per Second (EPS) that you do not want this protocol to exceed. The default value is 20000 EPS.

Use Named Pipe Communication

If you did not select Use Microsoft JDBC, Use Named Pipe Communication is displayed.

Clear the Use Named Pipe Communication check box.

MSDE databases require the Username and Password fields to contain a Windows authentication user name and password, not the database user name and password. The log source configuration must use the default named pipe on the MSDE database.

Database Cluster Name

If you selected the Use Named Pipe Communication check box, the Database Cluster Name parameter is displayed. If you are running your SQL server in a cluster environment, define the cluster name to ensure Named Pipe communication functions properly.

Use NTLMv2

If you did not select Use Microsoft JDBC, Use NTLMv2 is displayed.

Select this option if you want MSDE connections to use the NTLMv2 protocol when they are communicating with SQL servers that require NTLMv2 authentication. This option does not interrupt communications for MSDE connections that do not require NTLMv2 authentication.


Use Microsoft JDBC

If you want to use the Microsoft JDBC driver, you must enable Use Microsoft JDBC.

Use SSL

Select this option if your connection supports SSL.

Microsoft SQL Server Hostname

If you selected Use Microsoft JDBC and Use SSL, the Microsoft SQL Server Hostname parameter is displayed.

You must type the host name for the Microsoft SQL server.
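The following added example (not part of the original page or the JSA product) shows what the view from the configuration step and the Compare Field and Use Prepared Statements parameters achieve together: an in-memory SQLite stand-in for the SSC Reporting database, with constructed lookup rows and alerts, carries the page's vw_qradar view (schema prefix dbo. dropped, since SQLite has no such schema), and a poll() function issues the parameterized query that returns only rows whose idx is above the highest value seen in the previous poll.

```python
import sqlite3
# Constructed stand-in for the SSC database: only the columns the page's view joins on.
# The view is the page's dbo.vw_qradar with the "dbo." prefix dropped for SQLite.
SCHEMA = """
CREATE TABLE alerts(Idx INTEGER PRIMARY KEY, Virusname_Idx INT, Computer_Idx INT,
  Actualaction_Idx INT, Clientuser_Idx INT, Filepath TEXT, NoOfViruses INT, Alertdatetime TEXT);
CREATE TABLE virus(Virusname_Idx INTEGER PRIMARY KEY, Virusname TEXT);
CREATE TABLE inventory(Computer_Idx INTEGER PRIMARY KEY, IP_Address TEXT, Computer TEXT);
CREATE TABLE actualaction(Actualaction_Idx INTEGER PRIMARY KEY, Actualaction TEXT);
CREATE TABLE clientuser(Clientuser_Idx INTEGER PRIMARY KEY, Clientuser TEXT);
CREATE VIEW vw_qradar AS SELECT
  alerts.Idx AS idx, inventory.IP_Address AS ip, inventory.Computer AS computer_name,
  virus.Virusname AS virus_name, alerts.Filepath AS filepath,
  alerts.NoOfViruses AS no_of_virus, actualaction.Actualaction AS [action],
  alerts.Alertdatetime AS [date], clientuser.Clientuser AS user_name
FROM alerts
  INNER JOIN virus ON alerts.Virusname_Idx = virus.Virusname_Idx
  INNER JOIN inventory ON alerts.Computer_Idx = inventory.Computer_Idx
  INNER JOIN actualaction ON alerts.Actualaction_Idx = actualaction.Actualaction_Idx
  INNER JOIN clientuser ON alerts.Clientuser_Idx = clientuser.Clientuser_Idx;
INSERT INTO virus VALUES (1, 'EICAR-Test-File');
INSERT INTO inventory VALUES (1, '192.0.2.10', 'WS01');
INSERT INTO actualaction VALUES (1, 'Quarantined');
INSERT INTO clientuser VALUES (1, 'alice');
"""

def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def add_alert(conn, idx, path, when):
    # Constructed alert row; every lookup key points at the single lookup row above.
    conn.execute("INSERT INTO alerts VALUES (?, 1, 1, 1, 1, ?, 1, ?)", (idx, path, when))
    conn.commit()

def poll(conn, last_idx):
    """One JDBC-protocol style poll: a prepared (parameterized) query that returns only
    rows whose compare field idx is above the highest idx seen in earlier polls."""
    cur = conn.execute("SELECT * FROM vw_qradar WHERE idx > ? ORDER BY idx", (last_idx,))
    cols = [d[0] for d in cur.description]
    rows = [dict(zip(cols, r)) for r in cur.fetchall()]
    return rows, (rows[-1]["idx"] if rows else last_idx)

def demo():
    conn = open_sample_db()
    add_alert(conn, 1, r"C:\tmp\eicar.com", "2024-01-01 09:00")
    add_alert(conn, 2, r"C:\tmp\eicar2.com", "2024-01-01 09:05")
    first, last = poll(conn, 0)       # first poll: every event currently in the view
    add_alert(conn, 3, r"C:\tmp\eicar3.com", "2024-01-01 09:10")
    second, last = poll(conn, last)   # next interval: only the event added since
    return len(first), [r["idx"] for r in second], second[0]["action"], last
```

Because idx is the compare field, a poll never re-reads events it already collected; if the view lacked a monotonically increasing column, JSA could not distinguish new rows from old ones between polling intervals.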