Accenture MDR Quick Start Guide for Sidewinder G2
This quick start guide will help Accenture MDR customers configure Sidewinder G2 to send logs to the Log Collection Platform (LCP).
The document includes the following topics: Supported Versions, Port Requirements, Configuring Sidewinder G2, and LCP Configuration Parameters.
Supported Versions
A list of supported versions is available in the Accenture MDR Supported Products List document (Accenture_MDR_Supported_Products_List.xlsx), which can be found in the Accenture MDR Portal: https://mss.accenture.com/PortalNextGen/Reports/Documents
Port Requirements
Table 1-1: Port requirements for LCP communication.
Source | Destination | Port | Description |
Sidewinder G2 | LCP | 514 (UDP) | Default port |
Configuring Sidewinder G2
The Sidewinder G2 device supports the following syslog formats: acat, ascii, Sidewinder Export Format (SEF), W3C Extended Log Format (HTTP), and WebTrends (WELF). If Sidewinder G2 7.0.1.02 or higher is installed, use the ascii syslog format; otherwise, use the acat format.
The collector supports both Sidewinder G2 version 6 and version 7. For version 6, see To Configure Sidewinder G2 Version 6 to Send Audit Data to a Syslog Server. The Sidewinder G2 version 7 Admin Console provides a file editor that allows you to edit files on the Sidewinder appliance. Do not use it; instead, edit the files with a text editor. For version 7, see To Configure Sidewinder G2 Version 7 to Send Audit Data to a Syslog Server.
To Configure Sidewinder G2 Version 6 to Send Audit Data to a Syslog Server
1. Log in to Sidewinder G2 using an SSH client or the serial console and type the following command to switch to an administrative role: srole
2. Navigate to the auditd.conf file. For Sidewinder G2 version 6, the default location is /etc/sidewinder/.
3. Using a text editor, open the auditd.conf file.
4. Specify acat (or ascii for Sidewinder G2 version 7.0.1.02 or higher) as the type of audit logging to be sent to the syslog server.
5. Add the following line at the end of the auditd.conf file: syslog (facility filters ["filter"] format)
Where:
Facility - The syslog facility under which the audit messages are sent. For example, you can use local0 through local7 as the facility name; they are predefined in syslogd.
Filter - Name of the Sidewinder sacap filter to use in the output. The filter value must be set to ["NULL"].
Format - Output format. The format value must be set to acat (or ascii for Sidewinder G2 version 7.0.1.02 or higher).
The following is an example line that configures syslog to use the acat format: syslog (local0 filters ["NULL"] acat)
6. Save and close the auditd.conf file.
7. Look up the syslog Process ID (PID) by typing the following command: pss syslog
8. To apply the changes, restart the syslog and auditd processes by typing the following commands:
kill -HUP syslogPID
cf server restart auditd
Where syslogPID is the syslog process ID that you looked up in step 7.
To Configure Sidewinder G2 Version 7 to Send Audit Data to a Syslog Server
1. Log in to Sidewinder G2 using an SSH client or the serial console and type the following command to switch to an administrative role: srole
2. Navigate to the auditd.conf file. For Sidewinder G2 version 7, the default location is /secureos/etc/.
3. Using a text editor, open the auditd.conf file.
4. Specify acat (or ascii for Sidewinder G2 version 7.0.1.02 or higher) as the type of audit logging to be sent to the syslog server. Add the following line at the end of the auditd.conf file: syslog (facility filters ["filter"] format)
Where:
Facility - The syslog facility under which the audit messages are sent. For example, you can use local0 through local7 as the facility name; they are predefined in syslogd.
Filter - Name of the Sidewinder sacap filter to use in the output. The filter value must be set to ["NULL"].
Format - Output format. The format value must be set to acat (or ascii for Sidewinder G2 version 7.0.1.02 or higher).
The following is an example line that configures syslog to use the acat format: syslog (local0 filters ["NULL"] acat)
5. Save and close the auditd.conf file.
6. Specify the syslog server to which syslog messages will be forwarded.
Using a text editor, open the /etc/syslog.conf file.
Add the following line at the end of the syslog.conf file (note that syslog.conf expects no space between @ and the address): facility.* @IP_address
Where facility matches the facility you chose in step 4 and IP_address is the IP address of the syslog server.
7. To prevent the audit messages from also being written to the local messages file (redundant logging):
Change this line: *.notice;auth,...uucp.none /var/log/messages to *.notice;auth,...uucp,facility.none /var/log/messages
Save and close the syslog.conf file.
8. Restart the syslog and auditd processes by typing the following commands:
cf daemond restart agent=syslog
cf daemond restart agent=auditd
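The auditd.conf and syslog.conf edits from both procedures above, plus an LCP-side facility check on received datagrams, as an added Python helper that is not part of this guide, of Sidewinder G2 or of the LCP; it is meant to run on an analyst workstation against copies of the files. The sample syslog.conf content, the LCP address 192.0.2.10 and all function names are assumptions.

```python
import re

FACILITIES = [f"local{i}" for i in range(8)]  # syslog facility codes 16..23 (RFC 3164)
AUDITD_SYSLOG_RE = re.compile(r'^syslog \((local[0-7]) filters \["NULL"\] (acat|ascii)\)\s*$', re.M)
SAMPLE_SYSLOG_CONF = (  # constructed sample, not a real Sidewinder syslog.conf
    "*.notice;auth,uucp.none\t/var/log/messages\n"
    "*.emerg\t*\n"
)

def audit_format(version):
    """acat by default; ascii for Sidewinder G2 7.0.1.02 or higher, as the guide prescribes."""
    parts = tuple(int(x) for x in version.split("."))
    return "ascii" if parts >= (7, 0, 1, 2) else "acat"

def auditd_syslog_line(facility, version):
    """Build the syslog line to append to auditd.conf."""
    if facility not in FACILITIES:
        raise ValueError(f"use local0..local7, got {facility}")
    return f'syslog ({facility} filters ["NULL"] {audit_format(version)})'

def auditd_facility(auditd_conf, version):
    """Return the facility if auditd.conf carries a correct syslog line for this version, else None."""
    m = AUDITD_SYSLOG_RE.search(auditd_conf)
    return m.group(1) if m and m.group(2) == audit_format(version) else None

def update_syslog_conf(syslog_conf, facility, lcp_ip):
    """Version 7 syslog.conf edits: forward the facility to the LCP and add facility.none to the
    /var/log/messages selector so audit events are not logged twice. Safe to run more than once."""
    forward = f"{facility}.*\t@{lcp_ip}"  # no space after '@' in syslog.conf
    out = []
    for line in syslog_conf.splitlines():
        fields = line.split()
        if len(fields) == 2 and fields[1] == "/var/log/messages" and facility not in fields[0]:
            sel = fields[0]
            # "auth,uucp.none" -> "auth,uucp,local0.none"; otherwise append ";local0.none"
            sel = sel[:-5] + f",{facility}.none" if sel.endswith(".none") else sel + f";{facility}.none"
            line = f"{sel}\t/var/log/messages"
        out.append(line)
    if forward not in out:
        out.append(forward)
    return "\n".join(out) + "\n"

def pri_facility(datagram):
    """LCP-side check: decode the <PRI> of a syslog datagram received on UDP/514 to its facility name."""
    m = re.match(r"<(\d{1,3})>", datagram)
    if not m:
        return None
    code = int(m.group(1)) // 8
    return FACILITIES[code - 16] if 16 <= code <= 23 else f"facility{code}"
```

Comparing pri_facility() on a captured datagram with auditd_facility() on the device's auditd.conf confirms the LCP is receiving the audit stream under the configured facility rather than some other local syslog traffic.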
LCP Configuration Parameters
Table 1-2: The Sidewinder G2 event collector properties to be configured by MDR are shown in the table.
Property | Default Value | Description |
Protocol | UDP | Default protocol for syslog events. |
IP Address | Sidewinder G2 IP address | Logging device IP address mentioned in the Pre-Installation Questionnaire (PIQ). Note: If the device sends logs using multiple interfaces, contact the Accenture MDR onboarding team. |
Port Number | 514 | The default port for syslog. |
Legal Notice
Copyright © 2021 Accenture. All rights reserved.
Accenture, the Accenture Logo, and DeepSight Intelligence are trademarks or registered trademarks of Accenture in the U.S. and other countries. Other names may be trademarks of their respective owners.
The product described in this document is distributed under licenses restricting its use, copying, distribution, and decompilation/reverse engineering. No part of this document may be reproduced in any form by any means without prior written authorization of Accenture and its licensors, if any.
THE DOCUMENTATION IS PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE LEGALLY INVALID. ACCENTURE SHALL NOT BE LIABLE FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES IN CONNECTION WITH THE FURNISHING, PERFORMANCE, OR USE OF THIS DOCUMENTATION. THE INFORMATION CONTAINED IN THIS DOCUMENTATION IS SUBJECT TO CHANGE WITHOUT NOTICE.
The Licensed Software and Documentation are deemed to be commercial computer software as defined in FAR 12.212 and subject to restricted rights as defined in FAR Section 52.227-19 "Commercial Computer Software - Restricted Rights" and DFARS 227.7202, et seq. "Commercial Computer Software and Commercial Computer Software Documentation," as applicable, and any successor regulations, whether delivered by Accenture as on premises or hosted services. Any use, modification, reproduction release, performance, display or disclosure of the Licensed Software and Documentation by the U.S. Government shall be solely in accordance with the terms of this Agreement.