Cisco WSA Secure Network Analytics User Guide

Cisco WSA Secure Network Analytics

Introduction

To collect user information from the proxy servers on your network for Cisco Secure Network Analytics (formerly Stealthwatch) Proxy Log, you must configure the proxy server logs. The Flow Collector receives the logs, and the Manager (formerly Stealthwatch Management Console) displays the information on the Flow Proxy Records page. This page provides the URLs and application names of traffic inside the network that passes through the proxy server.

Requirements

Before you begin, confirm that you meet the following requirements:

  • Cisco WSA (14-5-1-016), Blue Coat, McAfee, and Squid are supported for this configuration. Make sure your proxy server is configured and operating as part of your network.
  • Confirm that the Flow Collector and the proxy use the same NTP server (or obtain their time from the same source) so that the flow and proxy records match.
  • Select a Flow Collector that collects data from the exporters and endpoints that you want to investigate in the proxy logs. You need its IP address for the configuration.
  • There is no size limit on proxy syslog messages. However, we recommend keeping messages shorter than the maximum transmission unit (MTU) along the path between the proxy and the Flow Collector, usually 1500 bytes. This avoids packet fragmentation and improves reliability.
  • Proxy Log is not supported in a high availability (HA) configuration.

Configuration Overview

Complete the following procedures:

  1. Choose one of the following methods to configure your proxy server.
    • Configuring Cisco Web Security Appliance (WSA) Proxy Logs
    • Configuring Blue Coat Proxy Logs
    • Configuring McAfee Proxy Logs
    • Configuring Squid Proxy Logs
  2. Configuring the Flow Collector
  3. Verifying Flows

Configuring Cisco Web Security Appliance (WSA) Proxy Logs

Use this section to configure the Cisco proxy logs to send to Secure Network Analytics.

Note: The Cisco WSA proxy does not support Virtual IPs for adding the proxy device.

To set up the Cisco proxy logs, complete the following steps:

1. Log in to the Cisco proxy server.

CISCO WSA Secure Network Analytics - Log in to the Cisco proxy server

2. On the main menu, click System Administration > Log Subscriptions. The Log Subscriptions page opens.

CISCO WSA Secure Network Analytics - Click Log Subscriptions

3. Click the Add Log Subscription button. The New Log Subscription page opens.

CISCO WSA Secure Network Analytics - Add Log Subscription

4. From the Log Type drop-down list, select W3C Logs. The W3C log fields appear.

CISCO WSA Secure Network Analytics - Select W3C Logs

5. In the Log Name field, type a name for the log that you will use.

CISCO WSA Secure Network Analytics - Log Name

6. From the Available Log Fields list, select timestamp, then click Add to move it to the Selected Log Fields list.

CISCO WSA Secure Network Analytics - Select timestamp

7. Repeat the previous step for each of the following log fields, in this order:

a. timestamp
b. x-elapsed-time
c. c-ip
d. c-port
e. cs-bytes
f. s-ip
g. s-port
h. sc-bytes
i. cs-username
j. s-computerName
k. cs-url

The Selected Log Fields list should contain the following fields, as shown:

CISCO WSA Secure Network Analytics - Selected Log Fields list

Caution: The Selected Log Fields list must be in the order shown above, with no other fields present.

8. Scroll to the bottom of the page and select the Syslog Push option.

CISCO WSA Secure Network Analytics - Syslog Push option

9. In the Hostname field, type the IP address or host name of the Flow Collector that the proxy sends the logs to.

Note:

Make sure you select a Flow Collector that collects data from the exporters and endpoints that you want to investigate in the proxy logs.

10. Click Submit. The new log is added to the Log Subscriptions list.

11. Go to the Configuring the Flow Collector section to set up your Flow Collector to receive the syslog messages.

Configuring Blue Coat Proxy Logs

Use this section to configure the Blue Coat proxy logs to send to Secure Network Analytics.

Note: The Blue Coat proxy model used for testing is SG V100, SGOS 6.5.5.7 SWG Edition.

Creating a Format

To create a new log format, complete the following steps:

1. In your browser, access your Blue Coat proxy server.

2. Click the Configuration tab.

CISCO WSA Secure Network Analytics - Configuration tab

3. On the main menu of the management console, click Access Logging > Formats.

4. Click New at the bottom of the page. The Create Format page opens.

CISCO WSA Secure Network Analytics - Create Format page

5. In the Format Name field, type a name for the new format.

6. Select the W3C Extended Log File Format (ELFF) option.

7. In the Format field, type the following string:

timestamp time c-ip c-port r-ip r-port s-ip s-port cs-bytes sc-bytes cs-user cs-host cs-uri

8. Click OK. Go to the next section, Creating a New Log.
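The two field orders in this guide (the WSA Selected Log Fields list in step 7 of the WSA section, and the Blue Coat ELFF format string in step 7 above) are what the Flow Collector's proxy parser expects to receive. The following script is an added example, not Cisco's code: it maps a record onto each field order, rejects records whose field count is wrong (an extra or missing entry on the proxy side, which the Caution in the WSA section rules out), and flags the two transport conditions listed under Requirements, clock skew between proxy and collector and messages larger than the MTU. The sample records, the collector clock values, the 60-second skew tolerance and the epoch-seconds form of the timestamp field are constructed assumptions for the example.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Field order from "Configuring Cisco WSA Proxy Logs", step 7.
WSA_FIELDS = ["timestamp", "x-elapsed-time", "c-ip", "c-port", "cs-bytes",
              "s-ip", "s-port", "sc-bytes", "cs-username", "s-computerName",
              "cs-url"]

# Field order from the Blue Coat ELFF format string ("Creating a Format", step 7).
BLUECOAT_FIELDS = ["timestamp", "time", "c-ip", "c-port", "r-ip", "r-port",
                   "s-ip", "s-port", "cs-bytes", "sc-bytes", "cs-user",
                   "cs-host", "cs-uri"]

MTU = 1500             # recommended ceiling for one syslog message (Requirements)
MAX_SKEW_SECONDS = 60  # assumed tolerance; the guide only says the clocks must agree


def parse_record(line: str, fields: List[str]) -> Dict[str, str]:
    """Map one space-separated W3C/ELFF record onto `fields`.

    A count mismatch means the Selected Log Fields list (WSA) or the format
    string (Blue Coat) has an extra or missing entry."""
    values = line.split()
    if len(values) != len(fields):
        raise ValueError(f"expected {len(fields)} fields, got {len(values)}")
    return dict(zip(fields, values))


def check_record(line: str, fields: List[str], collector_now: datetime) -> List[str]:
    """Return the problems found in `line`; an empty list means the record is usable."""
    problems: List[str] = []
    size = len(line.encode("utf-8"))
    if size > MTU:
        problems.append(f"message is {size} bytes, above the {MTU}-byte MTU")
    try:
        record = parse_record(line, fields)
    except ValueError as err:
        return problems + [str(err)]
    # `timestamp` is treated as UNIX epoch seconds (an assumption matching the
    # constructed samples) and compared with the collector's own clock.
    try:
        stamp = datetime.fromtimestamp(float(record["timestamp"]), tz=timezone.utc)
    except ValueError:
        return problems + [f"timestamp is not epoch seconds: {record['timestamp']!r}"]
    skew = abs((collector_now - stamp).total_seconds())
    if skew > MAX_SKEW_SECONDS:
        problems.append(f"timestamp skew of {skew:.0f}s; check NTP on proxy and Flow Collector")
    for name in ("c-port", "s-port", "cs-bytes", "sc-bytes"):
        if not record[name].isdigit():
            problems.append(f"{name} is not numeric: {record[name]!r}")
    return problems


# Constructed sample records and clock values (not captured from a real proxy).
WSA_SAMPLE = ("1700000000 120 10.1.2.3 51234 512 203.0.113.10 443 2048 "
              "jdoe wsa01 https://example.com/index.html")
BLUECOAT_SAMPLE = ("1700000000 12:00:00 10.1.2.4 51235 203.0.113.20 80 "
                   "203.0.113.21 80 300 900 asmith example.net /index.html")
OVERSIZE_SAMPLE = WSA_SAMPLE.replace("index.html", "a" * 1600)
COLLECTOR_CLOCK = datetime.fromtimestamp(1700000010, tz=timezone.utc)
COLLECTOR_CLOCK_LATE = COLLECTOR_CLOCK + timedelta(hours=1)  # proxy and collector out of sync

if __name__ == "__main__":
    for label, line, fields, clock in [
        ("WSA", WSA_SAMPLE, WSA_FIELDS, COLLECTOR_CLOCK),
        ("Blue Coat", BLUECOAT_SAMPLE, BLUECOAT_FIELDS, COLLECTOR_CLOCK),
        ("extra field", WSA_SAMPLE + " x-extra", WSA_FIELDS, COLLECTOR_CLOCK),
        ("clock skew", WSA_SAMPLE, WSA_FIELDS, COLLECTOR_CLOCK_LATE),
        ("over MTU", OVERSIZE_SAMPLE, WSA_FIELDS, COLLECTOR_CLOCK),
    ]:
        print(f"{label:12s} {check_record(line, fields, clock) or 'OK'}")
```

Run it against a few lines copied from the proxy's own log before pointing the syslog push at the Flow Collector; a field-count error means the proxy configuration, not the collector, needs correcting.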

Creating a New Log

To create a log, complete the following steps:

1. On the main menu, click Access Logging > Logs, then select the new log format. The Log page opens.

CISCO WSA Secure Network Analytics - Select the new log format

2. Click the General Settings tab.

CISCO WSA Secure Network Analytics - General Settings tab

3. From the Log Format drop-down list, select the log you created in Step 1.

4. In the Description field, type a description for your new log.

5. Click the Apply button at the bottom of the page. Go to the next section, Configuring the Upload Client.

Configuring the Upload Client

To configure the upload client, complete the following steps:

1. Click the Upload Client tab. The Upload Client page opens.

CISCO WSA Secure Network Analytics - Upload Client tab

2. From the Client type drop-down list, select Custom Client.

3. Click the Settings button. The Custom Client settings page opens.

CISCO WSA Secure Network Analytics - Custom Client settings

4. In the appropriate fields, type the IP address of the Flow Collector and the port on which its proxy parser listens.

Note: SSL is not supported at this time.

5. Click OK.

CISCO WSA Secure Network Analytics - Transmission Parameters

6. For Transmission Parameters, complete the following steps:

  • a. For Encryption Certificate, select No encryption.
  • b. From the Signing Keyring drop-down list, select no signing.
  • c. From "Save the log file as", select the Text file option.
  • d. In the "Send partial buffer after" text box, type 5.
  • e. Click the Upload Schedule tab, and select the continuously option for Upload the access log.
  • f. In the Wait between connect attempts field, type 60.
  • g. In the Time between keep-alive log packets field, type 5.

7. Click the Apply button at the bottom of the page. Go to the next section, Configuring the Upload Schedule.

Configuring the Upload Schedule

To configure the upload schedule, complete the following steps:

1. Click the Upload Schedule tab.

CISCO WSA Secure Network Analytics - Upload Schedule tab

2. For "Upload the access log," select continuously.

3. Wait between connect attempts is 60 seconds.

4. Time between keep-alive log packets is 5 seconds.

5. Click the Apply button at the bottom of the page.

This completes the configuration of the Blue Coat proxy logs for the Flow Collector.

Requirements

Additional notes on the configuration:

  • Confirm that the Flow Collector and the proxy use the same NTP server (or obtain their time from the same source) so that the flow and proxy records match.
  • Only one log output format is supported for the proxy. If you are exporting the logs, you cannot capture and parse the proxy logs.
  • UDP access is not supported.

Configuring the Visual Policy Manager

Configuring the Visual Policy Manager lets you verify that the proxy log file is being sent to the Flow Collector.

CISCO WSA Secure Network Analytics - Visual Policy Manager

1. On the Configuration tab page in the main menu, click Policy > Visual Policy Manager. The Visual Policy Manager opens.

CISCO WSA Secure Network Analytics - Click the Launch button

2. Click the Launch button at the bottom for the log you configured. The Visual Policy Manager window for the log opens.

3. Click Policy > Add Web Access Layer. The Add New Layer screen opens.

CISCO WSA Secure Network Analytics - Add Web Access Layer

4. Type a name for the new layer, then click OK.

5. Right-click Deny in the Action column and click Set. The Set Action Object dialog opens.

CISCO WSA Secure Network Analytics - Right-click Deny

CISCO WSA Secure Network Analytics - Set Action Object dialog

6. Click New and select Modify Access Logging. The Edit Access Logging dialog opens.

7. Click Enable logging to.

CISCO WSA Secure Network Analytics - Click Enable logging to

8. Type a name for your log and select your log.

9. Click OK. The object is added.

10. In the Set Action Object dialog, click OK.

11. Click the Install policy button at the top right.

CISCO WSA Secure Network Analytics - Click Install policy

12. Click No and OK for the following windows.

13. Launch the Blue Coat Visual Policy Manager again.

14. Right-click the log tab and select Enable Layer.

CISCO WSA Secure Network Analytics - Select Enable Layer

15. Click the Install Policy button. The Policy Installed dialog opens.

16. Click OK.

17. Click the Statistics tab, and on the log menu, select your log.

CISCO WSA Secure Network Analytics - Click the Statistics tab

18. On the main menu, click Access Logging, then click the Log Tail tab. The Log Tail window opens.

CISCO WSA Secure Network Analytics - Click Access Logging

CISCO WSA Secure Network Analytics - Click the Log Tail tab

19. Click the Start Tail button at the bottom of the page.

20. On the main menu of the management console, click System > Event Logging. This page shows whether the log file is being uploaded to the Flow Collector and what changes were made. It shows whether the proxy is connected to the Flow Collector.

CISCO WSA Secure Network Analytics - Click System > Event Logging

21. Go to the Configuring the Flow Collector section to set up your Flow Collector to receive the syslog messages.

Configuring McAfee Proxy Logs

Use this section to configure the McAfee proxy logs from the McAfee Web Gateway to send to Secure Network Analytics.

Note:

  • Make sure you have downloaded the XML configuration file for the McAfee proxy. Go to Cisco Software Central to download the readme and the Proxy Log XML configuration files.
  • Log in to your Cisco Smart Account at https://software.cisco.com or contact your administrator.
  • The McAfee proxy model used for testing is 7.4.2.6.0 - 18721.

To set up the McAfee proxy logs, complete the following steps:

1. Download the XML file, FlowCollector_[date]_McAfee_Log_XML_Config_[v].xml, and save it to a location of your choice.

Note: "date" indicates the date of the XML file, and "v" indicates the version of the McAfee proxy model. Select the XML file with the same version number as your McAfee proxy.

To download the file, complete the following steps:

  • a. Go to https://software.cisco.com, Cisco Software Central.
  • b. In the Download and manage section > Download and Upgrade, select Access downloads.
  • c. Scroll to the bottom to the Select a Product field.
  • d. Type Secure Network Analytics in the Select a Product field. Press Enter.
  • e. Select Secure Network Analytics Virtual Flow Collector or another Flow Collector.
  • f. Select Secure Network Analytics System Software > Configuration Files.

2. Log in to the McAfee proxy server.

CISCO WSA Secure Network Analytics - McAfee proxy server

3. Click the Policy icon, then click the Rule Sets tab.

CISCO WSA Secure Network Analytics - Select Log Handler

4. Select Log Handler, then select Default.

CISCO WSA Secure Network Analytics - Rule Set from Library

5. Click Add > Rule Set from Library.

CISCO WSA Secure Network Analytics - Rule Sets

6. Click Import from file, then select the XML file.

7. Select mcafeelancopelog in the Log Handler that you just imported.

Note: Make sure the rule set and the rules "create access logline" and "send to syslog" are enabled.

8. Click the Configuration icon at the top of the page.

9. On the left side of the page, click File Editor, then select the rsyslog.conf file.

CISCO WSA Secure Network Analytics - Click the File Editor tab

10. In the lower text box (next to the list of files), type the following text:

CISCO WSA Secure Network Analytics - Type the following text

Note: Make sure you select a Flow Collector that collects data from the exporters and endpoints that you want to investigate in the proxy logs.

11. Comment out this line:

*.info;mail.none;authpriv.none;cron.none

12. Add this line:

*.info;daemon.!=info;mail.none;authpriv.none;cron.none -/var/log/messages

13. Click the Save Changes button at the top right of the page.

14. Go to the Configuring the Flow Collector section to set up your Flow Collector to receive the syslog messages.

Configuring Squid Proxy Logs

Use this section to configure the Squid proxy logs to send to Secure Network Analytics. You can edit the files on the proxy server using SSH.

To configure the Squid proxy logs, complete the following steps:

1. Log in to a shell on the machine running Squid.

2. Go to the directory containing squid.conf (usually /etc/squid) and open it in an editor.

3. Add the following lines to squid.conf to configure logging:

logformat access_format %ts%03tu %a %>p %>st %

4. Restart Squid using one of the following:

  • For init-based systems: /etc/init.d/squid3 restart
  • For systemd-based systems: systemctl restart squid

5. Configure the syslog service on the Squid server to forward the logs to the Flow Collector. This depends on the Linux distribution and its syslog service.

For syslog-ng, add the following to /etc/syslog-ng/syslog-ng.conf:

# Audit Log Facility BEGIN
filter bs_filter { filter(f_user) and level(info); };
destination udp_proxy { udp("10.205.14.15" port(514)); };
log { source(s_all); filter(bs_filter); destination(udp_proxy); };
# Audit Log Facility END

For rsyslog, add the following to /etc/rsyslog.conf:

:programname, contains, "squid" @10.205.14.15:514

Note: Make sure you select a Flow Collector that collects data from the exporters and endpoints that you want to investigate in the proxy logs.

6. Then restart the syslog service.

  • For init-based systems:
    /etc/init.d/syslog-ng restart (for syslog-ng)
    /etc/init.d/rsyslog restart (for rsyslog)
  • For systemd-based systems:
    systemctl restart syslog (for syslog-ng)
    systemctl restart rsyslog (for rsyslog)

7. Go to the Configuring the Flow Collector section to set up your Flow Collector to receive the syslog messages.
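The syslog-ng and rsyslog snippets above both push each Squid record to the Flow Collector as a UDP syslog datagram on port 514; the syslog-ng filter passes only messages logged at the user facility with level info, and the rsyslog rule matches on the program name squid. The script below is an added example, not Cisco's or Squid's code: it rehearses that exchange on the loopback interface, with a small UDP listener in place of the collector's proxy parser, and applies on the receiving side the same selection the forwarding rules make, plus the MTU limit from Requirements. The Squid record (built in the order of the visible part of the logformat line: %ts%03tu %a %>p %>st), the host name and the timestamp are constructed, an ephemeral port replaces 514 so no privileges are needed, and the acceptance rules are this example's, not the collector's actual parser.

```python
import socket
from typing import Dict, Tuple

FACILITY_USER = 1    # syslog facility numbers: user = 1, daemon = 3
FACILITY_DAEMON = 3
SEVERITY_INFO = 6    # level(info)
MTU = 1500           # recommended ceiling for one datagram (Requirements)

# Constructed record: epoch seconds + milliseconds, client IP, client port, bytes from client.
SQUID_RECORD = "1700000000123 10.1.2.5 51236 412"


def build_datagram(msg: str, facility: int = FACILITY_USER, severity: int = SEVERITY_INFO,
                   host: str = "squid01", tag: str = "squid") -> bytes:
    """Frame `msg` as <PRI>TIMESTAMP HOST TAG: MSG (BSD syslog layout).

    PRI = facility * 8 + severity, so user.info is <14> and daemon.info is <30>."""
    pri = facility * 8 + severity
    return f"<{pri}>Nov 14 22:13:20 {host} {tag}: {msg}".encode("utf-8")


def parse_datagram(data: bytes) -> Dict[str, object]:
    """Recover facility, severity, program tag and message from one datagram."""
    text = data.decode("utf-8", errors="replace")
    end = text.find(">")
    if not text.startswith("<") or end < 2 or end > 4:
        raise ValueError("datagram lacks a <PRI> header")
    pri = int(text[1:end])
    header, _, msg = text[end + 1:].partition(": ")
    tag = header.split()[-1] if header else ""
    return {"facility": pri // 8, "severity": pri % 8, "tag": tag,
            "msg": msg, "size": len(data)}


def collector_accepts(parsed: Dict[str, object]) -> bool:
    """Receiving-side mirror of the forwarding rules: user.info only (syslog-ng
    filter), program name squid (rsyslog rule), and a datagram within the MTU."""
    return (parsed["facility"] == FACILITY_USER
            and parsed["severity"] == SEVERITY_INFO
            and parsed["tag"] == "squid"
            and parsed["size"] <= MTU)


def roundtrip(msg: str, facility: int = FACILITY_USER, severity: int = SEVERITY_INFO,
              tag: str = "squid") -> Tuple[bool, Dict[str, object]]:
    """Send one datagram to a loopback listener and return (accepted, parsed)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind(("127.0.0.1", 0))   # port 0 = ephemeral; a real collector uses 514
    listener.settimeout(2.0)
    port = listener.getsockname()[1]
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sender.sendto(build_datagram(msg, facility, severity, tag=tag), ("127.0.0.1", port))
        data, _ = listener.recvfrom(65535)
    finally:
        sender.close()
        listener.close()
    parsed = parse_datagram(data)
    return collector_accepts(parsed), parsed


if __name__ == "__main__":
    print("user.info squid :", roundtrip(SQUID_RECORD)[0])                         # accepted
    print("daemon.info     :", roundtrip(SQUID_RECORD, facility=FACILITY_DAEMON)[0])  # dropped
    print("other program   :", roundtrip(SQUID_RECORD, tag="nginx")[0])            # dropped
    print("oversize record :", roundtrip("x" * 1600)[0])                           # dropped
```

The three rejected cases are the ones that silently leave the Flow Collector's webproxy counter flat: a record logged at the wrong facility or level, a record attributed to a different program, and a datagram that exceeds the MTU and may be fragmented on the way.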

Configuring the Flow Collector

After you have configured the proxy server, you must configure the Flow Collector to accept the data.

To configure the Flow Collector to receive syslog messages, complete the following steps:

1. Log in to your Manager.

2. Select Configure > Global > Central Management.

3. Click the (Ellipsis) icon for your Flow Collector, then click View Appliance Statistics.

4. Log in to the Flow Collector. The Flow Collector interface opens.

5. Click Configuration > Proxy Ingest. The Proxy Servers page opens.

6. Type the IP address of the proxy server.

7. From the Proxy Type drop-down list, select your proxy server.

Note: If your proxy server type is not listed, you cannot use proxy logs at this time.

8. If the proxy server:

  • has only one IP address, type the IP address of the proxy server in the IP Address field. Leave the Telemetry IP Address field empty.
  • has multiple IP addresses, type the management IP address of the proxy server (the source IP address of the syslog messages) in the IP Address field. In the Telemetry IP Address field, type the telemetry IP address of the proxy server.

9. In the Proxy Service Port field, type the port number of the proxy server.

CISCO WSA Secure Network Analytics - Proxy Service Port field

10. If you want the proxy server to trigger alarms, check the Exclude from Alarms check box.

11. Click Add.

12. Click Apply. The proxy server appears in the Proxy Ingest table at the top of the page.

13. Go to the Verifying Flows section.

Verifying Flows

To verify that you are receiving flows, complete the following steps:

1. In the Flow Collector interface, click Support > Browse Files on the main menu. The Browse Files page opens.

CISCO WSA Secure Network Analytics - Click Support > Browse Files

2. Open the sw.log file.

CISCO WSA Secure Network Analytics - Open the sw.log file

3. Verify that the webproxy counter is increasing, which shows that you are receiving data.

CISCO WSA Secure Network Analytics - Verify the webproxy counter

Contacting Support

If you need technical support, please do one of the following:

Change History

CISCO WSA Secure Network Analytics - Change History

Copyright Information

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)

CISCO logo

© 2025 Cisco Systems, Inc. and/or its affiliates.
All rights reserved.

Documents / Resources

CISCO WSA Secure Network Analytics [pdf] User Guide
WSA 14-5-1-016, Blue Coat, McAfee, Squid, WSA Secure Network Analytics, WSA, Secure Network Analytics, Network Analytics, Analytics
