9 Replies Latest reply on Oct 18, 2011 10:08 AM by nicole pauls

    Forefront Security SQL DB Tool

    TheButcher

      Has anyone set up this tool for Microsoft Forefront Endpoint Protection? Currently, we have FEP managed through SCCM, and the FEP logs are written to our DB Server. How can we get this tool in LEM to grab the info from the DB Server? I have the agent installed on our SCCM Server, and I'm trying to configure the Forefront Security SQL DB Tool to obtain the logs from the SQL DB.

        • Re: Forefront Security SQL DB Tool
          phil3

          Have you tried installing a LEM Agent on the DB server? If you do that, you should be able to configure the Forefront Security SQL Database tool on that Agent and it will send the normalized alerts from your DB server to the LEM Manager.

            • Re: Forefront Security SQL DB Tool
              TheButcher

               Do you know which FEP DB the tool needs access to? Also, we will be making a username specifically for LEM for when it accesses the SQL DB. What role does the user need to have to access and normalize the logs?

                • Re: Forefront Security SQL DB Tool
                  phil3

                  The default values for Database Name, Database Server Instance Name, and Database Server Port in the tool are a good place to start. However, your DB admin should know what to use if the defaults aren't right for your DB.

                  Regarding the user account, the tool is configured to use the sa account by default, but the only thing it needs permissions to do is to query items from the SDKEventView table. As long as the SQL user you create for LEM can do that, you should be fine.
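                   As an added example (not from this thread or from SolarWinds), here is the kind of least-privilege SQL login the reply above implies: one that can only read SDKEventView instead of using sa. The database name, the dbo schema, the login name and the password are placeholders or assumptions; substitute the values your DB admin gives you.

```sql
-- Added example: a read-only login for the LEM Forefront Security SQL Database tool.
-- Placeholders/assumptions: <ForefrontDB> is the database the tool is pointed at,
-- lem_reader is the login name, and SDKEventView is assumed to live in the dbo schema.
USE [master];
GO
CREATE LOGIN [lem_reader]
    WITH PASSWORD = N'<strong password here>',
         CHECK_POLICY = ON;          -- enforce the Windows password policy
GO

USE [<ForefrontDB>];
GO
CREATE USER [lem_reader] FOR LOGIN [lem_reader];
GO

-- The tool only queries SDKEventView, so grant SELECT on that single object.
-- Do not add the user to db_datareader or any server role.
GRANT SELECT ON OBJECT::[dbo].[SDKEventView] TO [lem_reader];
GO

-- Verify from the new user's context: the read succeeds and the only
-- object-level permission reported is SELECT.
EXECUTE AS USER = 'lem_reader';
    SELECT TOP (1) * FROM [dbo].[SDKEventView];
    SELECT permission_name
    FROM   fn_my_permissions('dbo.SDKEventView', 'OBJECT');
REVERT;
GO
```

                   If the tool's configured account ever needs more than that one view, the agent log and the SolarWinds Alerts mentioned later in the thread will show the permission failure, which is a useful signal that the schema or the tool has changed.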

                    • Re: Forefront Security SQL DB Tool
                      TheButcher

                      Are we sure that this tool is actually for Microsoft Forefront Endpoint Protection and not Symantec Forefront Client Security? I don't even see Microsoft Forefront Endpoint Security on the list of compatible AV.

                       

                      http://www.solarwinds.com/products/log-management/comprehensive-data-source-support.aspx

                        • Re: Forefront Security SQL DB Tool
                          nicole pauls

                          We do support Forefront AV (Endpoint Security) via either the MOM (SCOM, or equivalent current Microsoft term) database OR the event log (event log would require an agent on each system, database would be centralized - basically MOM pulls from the event log and pushes to the database). The DB tool is "Forefront Security SQL Database."

                          There are a few possibilities:

                          1. The instance and/or user and/or password and/or port are incorrect 
                          2. There are additional configuration steps that need to happen.
                          3. In a distant third, something has changed in the database schema

                          #1: You should see errors/alerts in your Console that indicate this one - they'd be in "SolarWinds Alerts" (or "TriGeo Alerts" in earlier versions). You may also see noise in the agent log, if you're running this from an agent.

                          #2: You do need to configure MOM (SCOM, et al) to pull in the event log data and push it to the database. From our documentation having worked with Microsoft using MOM 2005 (so, they may have changed slightly):

                          • Start in the MOM Administrator Console, in the left pane, navigate to expand _Microsoft Operations Manager (<Server>) > Management Packs > Rule Groups > Microsoft Forefront Client Security >_ Host Alerts > Event Rules.
                          • Right click on Event Rules to Create a new Event Rule
                          • Select Alert on or Respond to Event (Event)
                          • The Data Provider dialog opens. Under Provider name, select Application or System depending on the event and click Next.
                          • NOTE: You'll have to select the Event Log that you want to gather the events from; some are Application, some are System (you can create multiple rules for each)
                          • The Criteria dialog opens. Place a check mark next to from source, enter the source of the event you want to alert on, and click Next.
                          • NOTE: The "source" should match the Event Log source you want to match.
                          • Click Next on the Schedule dialog ("Always Process Data")
                          • The Alert dialog opens. If an alert is wanted in the MOM console (NOT required), place a check mark next to Generate alert and complete the necessary fields and click Next.
                          • Click Next in the Alert Suppression dialog. (Optionally, choose whether you want duplicates suppressed)
                          • In the Responses dialog, click Add and select Send a notification to a Notification Group.
                          • On the Notification tab, select Client Security Notification Group from the Notification Group drop down. Place a check mark next to Run this response before duplicate alert suppression (optional). Click OK and then click Next.
                          • Click Next on the Knowledge Base dialog. (Optionally, if you use this, fill it out)
                          • Enter a Rule Name on the General dialog page and click Finish.
                          • Finally, rule additions and changes must be committed. Expand Microsoft Operations Manager (<Server>) and right-click on Management Packs and select Commit Configuration Change. A Configuration Change dialog will appear stating that the configuration changes have been transmitted to the servers.

                          I can pull in some screen shots that fill those in if it's not quite matching up.

                          #3: If all else fails, it IS possible that we need to update our tool. Support can help gather data and confirm this is the case.

                          HTH.

                            • Re: Forefront Security SQL DB Tool
                              TheButcher

                              Screen Shots would be awesome if you could get them

                                • Re: Forefront Security SQL DB Tool
                                  nicole pauls

                                  Here's a copy of the full instructions with screenshots included. It's the same as my paraphrased version, but with a few extra comments (and the pictures ;)).

                                  HTH!!

                                   

                                  This document outlines the steps needed to configure event rules on the MOM Server. This document assumes that Forefront Security for Exchange and/or Forefront Security for Sharepoint Management Packs have been previously installed on the MOM Server.

                                  Any Forefront system which is being managed by Microsoft Operations Manager can be monitored by ForefrontSQLDB.xml. Forefront Security products need to have corresponding management packs installed and configured on the MOM server in order for it to interpret the Windows Event logs. Once the management pack is installed and rules have been configured and committed, the rule configs will be pushed to the relevant MOM agents on the servers, which will enable the events to be sent and stored in the MOM DB.

                                  Event Rules in MOM Administrator Console

                                  The Forefront Security Client management pack contains predefined rules, including a few for virus detections, but more rules may need to be added. Forefront Security for Sharepoint / Exchange only have rules predefined for scan, service and engine update monitoring. In order to get events for virus detections, rules need to be configured through the MOM Administrator Console.

                                  Determining the Data Provider
                                  Some events are logged under the Windows Application Event log while others are logged under the Windows System Event log. When configuring a particular event, refer to the Windows Event log to see which log the message is being logged to. This information is entered on the Data Provider dialog page.

                                  Configuring Rules
                                  Rules need to be entered under the correct rule base. Sharepoint rules will be entered under Microsoft Forefront Security for Sharepoint and Exchange rules will be entered under Microsoft Forefront Security for Exchange.

                                  Client Security Rule Additions
                                  In the MOM Administrator Console, in the left pane, navigate to expand _Microsoft Operations Manager (<Server>) > Management Packs > Rule Groups > Microsoft Forefront Client Security >_ Host Alerts > Event Rules.

                                  Exchange Rule Additions
                                  In the MOM Administrator Console, in the left pane, navigate to expand _Microsoft Operations Manager (<Server>) > Management Packs > Rule Groups > Microsoft Forefront Server Security > Microsoft Forefront Security for Exchange Server > Event Rules._

                                  Sharepoint Rule Additions
                                  In the MOM Administrator Console, in the left pane, navigate to expand _Microsoft Operations Manager (<Server>) > Management Packs > Rule Groups > Microsoft Forefront Server Security > Microsoft Forefront Security for Sharepoint > Event Rules._

                                  Right-Click Event Rules and select Create Event Rule…

                                  From the Select Event Rule Type dialog, select Alert on or Respond to Event (Event).

                                  The Data Provider dialog opens. Under Provider name, select Application or System depending on the event and click Next.

                                  The Criteria dialog opens. Place a check mark next to from source, enter the source of the event you want to alert on, and click Next.

                                  Click Next on the Schedule dialog.

                                  The Alert dialog opens. If an alert is wanted in the MOM console, place a check mark next to Generate alert and complete the necessary fields and click Next.

                                  Click Next in the Alert Suppression dialog.

                                  In the Responses dialog, click Add and select Send a notification to a Notification Group.

                                  On the Notification tab, select Client Security Notification Group from the Notification Group drop down. Place a check mark next to Run this response before duplicate alert suppression (optional). Click OK and then click Next.

                                  Click Next on the Knowledge Base dialog.

                                  Enter a Rule Name on the General dialog page and click Finish.

                                  Committing rule additions and changes
                                  Rule additions and changes must be committed. Expand Microsoft Operations Manager (<Server>) and right-click on Management Packs and select Commit Configuration Change. A Configuration Change dialog will appear stating that the configuration changes have been transmitted to the servers.

                                  Repeat these steps for any events which do not have predefined rules. Be sure that the Data Provider has been entered correctly so the rules are reading from the correct Windows Event log.

                                    • Re: Forefront Security SQL DB Tool
                                      TheButcher

                                      I still don't understand. It really doesn't look like we are on the same page. We use Microsoft Forefront Endpoint Protection, and we manage it through SCCM, not through MOM or SCOM.

                                        • Re: Forefront Security SQL DB Tool
                                          nicole pauls

                                          The only way to receive the events centrally is through MOM/SCOM, as far as I know.

                                          Otherwise, the events come into the event log on each system running the AV, and you deploy an agent to each system, and configure tools on that agent.

                                          PS: If you can see the events in SCCM and it looks like we should be able to pick them up there, I can have our development team do a little deeper investigation.