Other Resources

    Setting up OpManager - SIEM plug-in


    Here is a guide on how to set up and run the OpManager - SIEM plug-in

    Prerequisites

    1. At the time of SIEM plugin installation, do not run OpManager service. After installation, when OpManager server is started, the SIEM plugin will also automatically started.
    2. Do not change the suggested installation path, while installing SIEM plugin. By default, the plugin will be installed in the same directory in which OpManager is installed (Default path: ManageEngine_EventLogAnalyzer_Plugin.exe/bin).In case, if you have moved OpManager installation to a different directory, then provide the changed path for the plugin installation.
    3. For Linux installation, you need to provide the directory path of OpManager installation (Default path: /opt/ManageEngine/OpManager)

     

    Note: Click here to know the system requirements of SIEM plug-in

     

    Troubleshooting tips

     

    1. After SIEM plugin has been installed, ensure the working of database by checking the file elaPluginDB.log file in <OpManager_Home>\Eventlog
    2. If the database creation fails, then you need to recreate the database. To do that, run <OpManager_Home>\Eventlog\Troubleshooting\DBRecreaction.bat\sh<database name> in the command prompt with administrator privilege.
    3. After recreating the database, ensure the database creation by executing elaPluginDB.log file. Once the database is created successful, then start OpManager service.

     

    Note: Provide the database name as an argument to the command. For instance, in the command, 'DBRecreation.bat eventlog', 'eventlog' is the database name

     

    Need further assistance? Contact support

     

    FAQs

     

    1. My Email/SMS setting and users are not synchronized with OpManager. What should I do?
    2. How to change from HTTP to HTTPS (secure communication), after installing SIEM plug-in?
    3. How to migrate to a different database for SIEM plug-in?
    4. How do I add only specific Windows hosts for monitoring?
    5. How do I add a syslog device to the SIEM plug-in?
    6. How do I add a syslog device exclusively for SIEM plug-in alone?
    7. What if the default port 519 is preoccupied in my environment? How do I change the default UDP port used by SIEM plug-in?

     

     

    1. My Email/SMS setting and users are not synchronized with OpManager. What should I do?

    By default the Email/SMS settings and users  will be automatically synchronized. If they are not synchronized, then click on OpManager's 
    Admin tab> Sync EventLog option to manually synchronize them.

    1. How to change from HTTP to HTTPS (secure communication), after installing SIEM plug-in?

    If you want to change the protocol from HTTP to  HTTPS after SIEM installation,follow the below procedure

    • Go to the location <OpManager_Home>\EventLog\il8nScript
    • Open the file server.xml and locate the below entry
    <Connector port="8400" SSLEnabled="true" acceptCount="100" address="0.0.0.0" clientAuth="false" compressableMimeType="text/html,text/xml" compression="force" compressionMinSize="1024" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" keystoreFile="<OpManager keystore file location>" keystorePass="<password>" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" noCompressionUserAgents="gozilla, traviata" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS" URIEncoding="UTF-8"/>
    • Provide OpManager's keystroke file location and password for the fields 'keystoreFile' and 'keystorePass'

    Note:

    For example in the below lines, 'D:/ManageEngine_OP/OpManager_latest/conf/OPMTrans.key' is the keystoreFile value and
    'opmanager' is the password.  
     

     <Connector port="8400" SSLEnabled="true" acceptCount="100" address="0.0.0.0" clientAuth="false" compressableMimeType="text/html,text/xml" compression="force" compressionMinSize="1024" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false" keystoreFile="D:/ManageEngine_OP/OpManager_latest/conf/OPMTrans.key" keystorePass="opmanager" maxSpareThreads="75" maxThreads="150" minSpareThreads="25" noCompressionUserAgents="gozilla, traviata" protocol="HTTP/1.1" scheme="https" secure="true" sslProtocol="TLS" URIEncoding="UTF-8"/>


    If the plugin's web server port connection turns out to be untrusted, then you need to handle this exception through 'Tools option' in your web browser. Below is the screenshot on 'Adding Security Exception' to SIEM plugin's web server port in Firefox browser. Carry out this procedure in accordance to your web browser.

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

     

    Note:
    1. Webserver port number of SIEM plugin is available in server.xml file located in <EventLogAnalyzer_Home>/conf directory
    2. Both OpManager installation and SIEM plug-in should use the same web protocol. If OpManager runs in HTTP then the plug-in should also use HTTP mode.

     

    1. How to migrate to a different database for SIEM plug-in?

     The SIEM plugin uses OpManager's database to store the log data. In case you have changed the database of OpManager after SIEM plug-in installation, then follow the below procedure to manually migrate SIEM plugin's database.
     
    Execute the file DBRecreation.bat/sh located in '<OpManager_Home>\Eventlog\Troubleshooting' in command prompt.

    • Provide your database name as the argument in the above command. For instance in the below command, 'eventlog' is the database name.
    • 'DBRecreation.bat/sh eventlog'
    • You must take the database backup before migrating the database. To take the back up, follow the below procedure
      • Run the command prompt with administrator privilege
      • Go to <EventLog Analyzer_Home>/tools/backUpDatabase.bat/sh to backup the data available in the current database. Wait until the backup completion
      • By default, backup file will be stored in <EventLog Analyzer_Home>/backup directory in the name: 'backup_eventlog_<Build_Number>_MM_DD_YYYY_hh_mm.data'
    • If you are migrating to MS SQL database, then you need to copy the bcp.exe and bcp.rll files from the installted MS SQL Server to <EventLog Analyzer_Home>/mysqlbin folder
    Note:
    If you are copying the above file from SQL (Version 2005 & above) installed in a machine where plugin is not installed, then install the SQL Native Client in the plugin server as per the SQL version and CPU type
     
    MSSQL 2005 (32 bit)
    http://download.microsoft.com/download/4/4/d/44dbde61-b385-4fc2-a67d-48053b8f9fad/sqlncli.msi
    MSSQL 2005 (64 bit)
    http://download.microsoft.com/download/4/4/d/44dbde61-b385-4fc2-a67d-48053b8f9fad/sqlncli_x64.msi
    MSSQL 2008 (32 bit)
    http://go.microsoft.com/fwlink/?LinkId=123717&clcid=0x409
    MSSQL 2008 (64 bit)
    http://go.microsoft.com/fwlink/?LinkId=123718&clcid=0x409

     

    1. How do I add only specific Windows hosts for monitoring?

    By default, the plugin synchronizes all the Windows,Syslog hosts monitored by OpManager. If you need to monitor only specific Windows host, then

    1. Set 'AutoSync OpManager Hosts' option in Log Analytics Settings > ELA Configurations tab to 'False'

     

    1. Select the specific hosts which you want to add to the plugin from Log Analytics Settings> Manage Hosts > Add > OPM Hosts option

     

     

     

    1. How do I add a syslog device to the SIEM plug-in?

    The SIEM plug-in automatically adds all the syslog devices that are forwarding its logs to OpManager installation. If you want to add only specific syslog devices to SIEM plug-in then contact our support team for the assistance.

    1. How do I add a syslog device exclusively for SIEM plug-in alone?

    To add a syslog device only to the SIEM plug-in, follow the below procedure:

    1. Login as root user and edit the syslog.conf file in the /etc directory.
    2. Append *.*<space/tab>@<server_name> at the end, where <server_name> is the name of the machine on which SIEM plug-in is running.
    3. Save the configuration and exit the editor.
    4. Edit the services file in the /etc directory.
    5. Change the syslog service port number to 519, which is  the default listener port of SIEM plug-in. If you have chosen a different port other than 519 then remember to enter that same port while adding the device to the SIEM plug-in.
    6. Save the file and exit the editor.
    7. Restart the syslog service on the host using the command:
    8. /etc/rc.d/init.d/syslog restart
    9. For configuring syslog-ng daemon in a Linux host, append the following entries 

    destination eventloganalyzer { udp("<server_name>" port(514)); };

    log { source(src); destination(eventloganalyzer); };

    at the end of /etc/syslog-ng/syslog-ng.conf, where <server_name> is the ip address of the machine on which SIEM plug-in is running.

     

    1. What if the default port 519 is preoccupied in my environment? How do I change the default UDP port used by SIEM plug-in?

    If SIEM plug-in's default UDP  port is preoccupied, then you can change this default UDP port for syslogs by carrying out the following procedure:
     

    • Go to Admin tab> Syslog Rules. Click on Actions drop down menu and select forward Syslog option.
    • Now in the Destination details window, edit the destination port  by clicking on Actions menu.
    • Stop OpManager and SIEM plugin's service
    • Edit the file runsec.bat/sh which is located <EventLog Analyzer_Home>/bin folder.
    • Edit (in notepad) the entry "binSysEvtCol.exe -loglevel 2 -519" for default port change and remove ports that are not required. For example, if you do not want port 519 as default, the edited line will look like:

    "binSysEvtCol.exe -loglevel 2 -<your_port_number>" - where <your_port_number> is your chosen port

    • After saving the runsec.bat/sh, restart the SIEM plug-in - OpManager service/server for the changes to take effect
    Note: If you want to detect the syslog reception, click on Admin Tab > Syslog rules > Select 'Action' drop down menu > Select 'Syslog Viewer'. The syslog viewer will show you the syslogs collected in real-time.