This module is where server information is created and stored. OTUS SIEM allows you to add and maintain servers. Here you can also track, process and report data and logs extracted from these servers.
The section on Auto-Detection and Copy methods is located at the bottom of this topic.
To view the current servers in the system
1. Select Servers from the Configuration menu.
The list of servers in the system is displayed in the table below.
Note: You can also use the Search field to filter the list for the servers you want.
To add a server
1. Click . The web page displays the following additional fields and buttons.
2. Enter the server's name in the Name field.
3. Enter the IP address of the server in the IP address field.
Note: When adding a new server, the hostname, the IP address, or both must be specified. The application will attempt to resolve the missing information by DNS.
4. Enter the login name of the server in the Login field.
5. Enter the password of the server in the Password field.
6. Click the ON-OFF toggle control under Active to indicate that the server is active. By default it is set to "ON".
Note: An active server is one that is running. An inactive server is not in use: it no longer provides the service or services it was providing, and it stops using the resources it used while active.
7. Click the ON-OFF toggle control under Windows to indicate whether the server is configured to receive logs from a Windows server. By default it is set to "OFF".
Note: When the Windows switch is turned "ON", the OTUS server is configured to receive (PUSH type) event logs from the Windows server using the syslog protocol. To forward the needed data, a Windows service must be installed on the Windows host; it can be found at https://code.google.com/p/eventlog-to-syslog/. With this switch on, the data type for the Windows server in the raw log search is sorted by event log type (Security, Application, etc.).
8. Click inside the Groups box to choose one or more groups from the drop-down list.
Note: You can search for groups by typing the first few characters of the group's name. To remove a group from the Groups box after it has been selected, click the "X" symbol next to the group.
9. Click to save the record.
To modify a server's information
1. Double-click the field that needs to be modified; the field is enabled for editing as shown below. In the example below, the Last name field of a server was double-clicked.
2. Modify the field and click to save the changes. Click to quit without saving the changes.
To delete a server from the system
1. From the list of servers displayed (refer to step 1 of the first section of this topic), select the server you wish to delete. The selected server is highlighted as shown below.
2. Click . The delete confirmation dialog is displayed.
3. Click Yes.
Caution: Exercise this function with care. The process cannot be undone. All archived data (raw logs, indexed logs, reports) for that server are deleted.
OTUS Copy methods
OTUS uses two types of copy methods, which work as follows.
1. PULL METHOD - The OTUS server gets files by requesting them from the remote server. OTUS periodically fetches new data from remote servers via SCP, FTP or HTTP.
2. PUSH METHOD - The OTUS server receives files sent by the remote server. Remote servers send data to OTUS in real time via SYSLOG or SNMP.
Auto-detecting PULL copy method
The PULL copy method cannot be selected per server; only a username and password are entered. OTUS automatically tries all available copy methods and uses the one that:
• logs in successfully
• successfully transfers a file from the remote server
Priorities for PULL are the following:
1. SCP
2. FTP
3. HTTP
Auto-detecting PUSH copy method
The easiest way to configure OTUS for receiving files is simply to configure the remote servers to send SYSLOG or SNMP data to the OTUS server. When OTUS detects a new source of data, it presents an auto-detection confirmation dialog. When and if a system administrator confirms it, the new server is configured with smart defaults and is ready to use.
If auto-configuration is allowed, OTUS tries to auto-configure the new server with:
1. server information (server name, IP address, custom group)
2. connections from the server to groups and distributions
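The PUSH auto-detection flow described above, modelled as an added Python example (this is not OTUS code): unknown syslog sources are keyed by the socket source IP rather than the sender-supplied HOSTNAME field, queued as proposals with smart defaults, and only become configured servers once an administrator confirms. The header layout, the sample datagrams and the "auto-detected" group name are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Assumed header shape: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG (RFC 3164 style).
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+):"
)


@dataclass
class ProposedServer:
    """Smart defaults shown in the auto-detection confirmation dialog."""
    name: str
    ip: str
    groups: list = field(default_factory=lambda: ["auto-detected"])  # hypothetical group
    active: bool = True
    seen: int = 1  # datagrams received from this source while awaiting confirmation


class PushAutoDetector:
    def __init__(self, known_ips):
        self.known = set(known_ips)  # IPs of servers already configured
        self.pending = {}            # source IP -> ProposedServer awaiting the admin

    def observe(self, src_ip, raw):
        """Inspect one received datagram. Identity is the socket source IP, not the
        HOSTNAME field, because the header text is written by the sender."""
        if src_ip in self.known:
            return None
        if src_ip in self.pending:
            self.pending[src_ip].seen += 1
            return None
        m = SYSLOG_RE.match(raw)
        name = m.group("host") if m else src_ip  # unparsable header: name it by IP
        proposal = ProposedServer(name=name, ip=src_ip)
        self.pending[src_ip] = proposal
        return proposal

    def confirm(self, src_ip):
        """Administrator accepted the dialog: the source becomes a configured server."""
        proposal = self.pending.pop(src_ip)
        self.known.add(src_ip)
        return proposal

    def reject(self, src_ip):
        """Administrator declined: drop the proposal; new data re-offers it later."""
        return self.pending.pop(src_ip, None)
```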