Accenture MDR Quick Start Guide for Symantec™ O3

This quick start guide will help Accenture MDR customers configure Symantec™ O3 to send logs to the Log Collection Platform (LCP).

The document includes the following topics:

  • Supported Versions

  • Port Requirements

  • Configuring Symantec O3

  • LCP Configuration Parameters

Supported Versions

A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MSS_Supported_Products_List.xlsx), which can be found in the Accenture MDR Portal: https://mss.accenture.com/PortalNextGen/Reports/Documents

Port Requirements

Table 1-1: Port requirements for LCP communication.

  Source        Destination   Port                   Description
  Symantec O3   LCP           514 (UDP), 601 (TCP)   Default port

Configuring the Symantec O3

To configure Symantec O3 to send logs to the LCP event collector, follow the steps below.

Configuring Audit Logging

The audit logs can be stored to a file or on a syslog server.

  1. Click the Edit Profile link at the top right-hand corner of any O3 Intelligence Center page. The Edit Profile dialog box appears.

  2. Select the Audit Logging tab. The Audit Logging Configuration page appears.

  3. Configure Audit logging by selecting the check boxes of the events to be logged:

  • Audit Logging Enabled - Check the check box to enable the logging feature.

  • User Events Enabled - Check the check box to log user events.

    • Authorization Request Events Enabled - Check the check box to log authorization request events (which are also user-related events affected by the User Events Enabled check box).

  • System Events Enabled - Check the check box to log system-related events.

    • System Error Events Enabled - Check the check box to log system-error events (which are also system-related events affected by the System Events Enabled check box).

  • Output Type - Select a value from the drop-down menu to determine where logs will be stored. The LCP supported option is as follows:

    • SysLog - In addition to storing log files on the O3 gateway, this option also stores log files on a SysLog server, as configured in Local Disk Backup on the Backup tab.

Configuring SysLog

The SysLog configuration fields appear only when the SysLog option is selected from the Output Type drop-down menu while configuring Audit Logging (see Configuring Audit Logging).

Note: The SysLog server is completely independent from O3 Intelligence Center. The SysLog server must support the structured SysLog Message Format.

Before you begin, ensure that you have the location and settings for your SysLog server.

To configure SysLog, follow the steps below.

  1. Complete the following fields, as required:

  • Server - Enter the IP address of the LCP to send O3 Gateway messages.

  • Port - Enter the port of the LCP to send O3 Gateway messages.

  • Protocol - Select the protocol that the O3 Gateway must use to send messages to the SysLog server. The LCP-supported options are as follows:

    • UDP

    • TCP

  • Routing Interface - Select the interface from the drop-down list from which the SysLog messages will be sent.

  • Security Method - This option determines if the O3 Gateway will add additional information to the log messages to assert message authenticity and ensure that the log messages have not been altered while being transmitted between the O3 Gateway and the SysLog server. 

Note: The HMAC-MD5, HMAC-SHA1, HMAC-SHA256, and HMAC-SHA512 security method options require a password. The Password field appears when any of these security methods are selected.

  2. Click Save.
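The Security Method option above lets the O3 Gateway attach an HMAC so the receiving side can detect log messages altered in transit. The following is an added example, not Symantec's or Accenture's code, and it assumes a hypothetical message layout: the MAC is carried in an RFC 5424 structured-data element with the made-up SD-ID auth@example, computed with the shared password over the syslog header and message text. It shows the sender-side signing and the receiver-side check for the four security methods named in the note, including how a tampered line, a wrong password and an unsigned line are rejected.

```python
import hashlib
import hmac
import re

# Constructed shared secret; in O3 this is the Password entered next to Security Method.
SHARED_PASSWORD = b"example-shared-password"

# Map the guide's Security Method names to hash constructors.
HMAC_ALGORITHMS = {
    "HMAC-MD5": hashlib.md5,
    "HMAC-SHA1": hashlib.sha1,
    "HMAC-SHA256": hashlib.sha256,
    "HMAC-SHA512": hashlib.sha512,
}

# Hypothetical SD-ID used to carry the MAC (an assumption, not Symantec's real format).
AUTH_SD_ID = "auth@example"

# RFC 5424 header: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID, then the auth element, then MSG.
SIGNED_LINE_RE = re.compile(
    r'^(?P<header><\d{1,3}>1 \S+ \S+ \S+ \S+ \S+) \['
    + re.escape(AUTH_SD_ID)
    + r' method="(?P<method>[^"]+)" mac="(?P<mac>[0-9a-f]+)"\] (?P<msg>.*)$'
)


def build_header(timestamp, hostname, app_name, msg_id, pri=86):
    """Build the RFC 5424 header. PRI 86 = facility auth (10) * 8 + severity informational (6)."""
    return f"<{pri}>1 {timestamp} {hostname} {app_name} - {msg_id}"


def sign_message(header, message, method, password=SHARED_PASSWORD):
    """Sender side: compute the MAC over header + message and embed it in a structured-data element."""
    if method not in HMAC_ALGORITHMS:
        raise ValueError(f"unsupported security method: {method}")
    covered = f"{header} {message}".encode("utf-8")
    mac = hmac.new(password, covered, HMAC_ALGORITHMS[method]).hexdigest()
    return f'{header} [{AUTH_SD_ID} method="{method}" mac="{mac}"] {message}'


def verify_message(line, password=SHARED_PASSWORD):
    """Receiver side: recompute the MAC and compare in constant time.

    Returns (True, message) when the line is authentic, otherwise (False, reason).
    """
    match = SIGNED_LINE_RE.match(line)
    if not match:
        return False, "no authentication element present"
    method = match.group("method")
    if method not in HMAC_ALGORITHMS:
        return False, f"unsupported security method: {method}"
    covered = f"{match.group('header')} {match.group('msg')}".encode("utf-8")
    expected = hmac.new(password, covered, HMAC_ALGORITHMS[method]).hexdigest()
    if not hmac.compare_digest(expected, match.group("mac")):
        return False, "MAC mismatch: message altered or wrong password"
    return True, match.group("msg")


if __name__ == "__main__":
    # Constructed sample event using one of the signatures listed in Table 1-2.
    header = build_header("2021-06-01T12:00:00Z", "o3-gateway", "o3", "USER_LOGIN")
    line = sign_message(header, "USER_LOGIN user=alice result=success", "HMAC-SHA256")
    print(line)
    print(verify_message(line))                                   # authentic
    print(verify_message(line.replace("alice", "mallory")))        # altered in transit
    print(verify_message(line, password=b"wrong-password"))        # wrong shared password
```

The receiver keeps the shared password out of the log line and uses hmac.compare_digest rather than == so that MAC comparison does not leak timing information; a rejected line should be kept and alerted on rather than silently dropped, since a MAC mismatch on a live feed is itself a signal worth investigating.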

LCP Configuration Parameters

Table 1-2: The Symantec O3 event collector (Syslog-3686) properties to be configured by MSS are shown in the table.

  • Protocol
    Default Value: UDP
    Description: The default protocol for syslog. The collector can also accept logs in TCP.
    Note: While TCP offers guaranteed delivery of log packets, it places a larger overhead on the LCP. To balance TCP for reliability against UDP for speed/simplicity, contact the Accenture Security MSS onboarding team.

  • IP Address
    Default Value: Symantec O3 Interface IP address
    Description: Logging device IP address mentioned in the Pre-Installation Questionnaire (PIQ).
    Note: If the device sends logs using multiple interfaces, contact the Accenture Security MSS onboarding team.

  • Signatures
    Default Value: USER_LOGIN, USER_LOGOUT, USER_AUTHZ, USER_REQUEST_AUTHZ, USER_PROTECTED_APP_AUTHN, USER_EDIT_KEYCHAIN, USER_STRONG_AUTHN, SYSTEM_REBOOT, SYSTEM_CONFIG_ROUTE, SYSTEM_BACKUP, SYSTEM_SHUTDOWN, SYSTEM_CONFIG_HOST, SYSTEM_ERROR, SYSTEM_CONFIG_UPDATE
    Description: MSS recommended signatures processed by the Symantec O3 event collector.

  • Port Number
    Default Value: 514
    Description: The default port for UDP. For TCP, the default port is 601.
    Note: The LCP can be configured to listen on a non-standard port; please advise the Accenture Security MSS onboarding team if this is a requirement.


Legal Notice

Copyright © 2021 Accenture. All rights reserved.

Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.

The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.

THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.

The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction, release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.