End User Traffic functionality requires a separate Syslog agent to be installed on workstations or on the domain controller.
NetVizura, by default, includes built-in support for the Snare OpenSource agent. Installation and configuration of the Snare agent are described in the following steps.
If you use another Syslog agent, you can create a separate rule for that agent under End User Settings.
Download the Snare OpenSource Syslog agent from the official website, www.intersectalliance.com, or from our site https://www.netvizura.com/files/products/general/downloads/SnareForWindows-4.0.2.0-MultiArchOpenSource.exe
This is a third-party application and is not supported by NetVizura.
Install the Snare OpenSource agent on the domain controller and/or Windows workstation by following these instructions.
If you have followed the previous steps carefully, you will be able to access the Remote Control Interface using your browser of choice.
To access the Remote Control Interface, paste http://localhost:6161/ into the address bar of your browser and press Enter.
To fully configure the Snare OpenSource agent to work correctly with NetVizura, follow these steps.
Click Objectives Configuration on the left side of the Control Interface.
Make sure that an objective named Logon_Logoff exists in the list.
Other objectives are not needed for NetVizura to work properly and can therefore be deleted from the list.
Make sure to run Command Prompt with administrative privileges.
First, stop the Snare service by running:
net stop snare
After that, start Snare again by running:
net start snare
By now, you should have your Snare agent successfully installed and configured to work with NetVizura.
Follow step 4 to make sure that NetVizura is actually receiving Syslog messages from the Snare agent.
If you have the EventLog module activated, you can easily check whether you are receiving Syslog messages by going to the EventLog > Syslog tab.
Otherwise, log in to your NetVizura server over SSH and first check whether NetVizura is listening for Syslog messages on the specified port.
To perform this check, run the following command in your shell.
netstat -lnup | grep 33515
33515 is the default port. If you have configured the collection port to another value, use that value in the previous command instead of 33515.
If collection is working correctly, you should see something similar to the following after running this command.
udp 0 0 :::33515 :::* 31414/jsvc.exec
Next, check whether the Snare agent is sending syslog to the NetVizura collector by running tcpdump.
tcpdump port 33515
Once again, the default port value is used. If another value is configured through Settings, substitute that value in the command above.
After running tcpdump, you should see packets arriving at your server from the workstations or domain controller.
If you are running NetVizura on Windows Server, you can use a packet analyzer for Windows instead (Wireshark, WinDump, etc.).
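As an added example (not part of the NetVizura documentation and not Snare's code), the following Python helper performs the two checks of step 4 programmatically: it parses netstat -lnup output for a UDP listener on the collection port and sends a test syslog datagram so that reception can be confirmed with tcpdump or in the EventLog > Syslog tab. The netstat sample is constructed from the output line shown above; the hostname and message text are placeholders.

```python
import socket
import time

# Constructed sample of `netstat -lnup` output, modelled on the line shown above.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:123             0.0.0.0:*                           812/ntpd
udp6       0      0 :::33515                :::*                                31414/jsvc.exec
"""

def find_udp_listener(netstat_output, port):
    """Return the 'PID/program' of the UDP socket bound on `port`, or None.

    Handles both IPv4 (0.0.0.0:33515) and IPv6 (:::33515) local addresses
    as printed by `netstat -lnup`; the collector should show up as jsvc.exec.
    """
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith("udp"):
            continue                      # header lines and TCP sockets
        local_addr = fields[3]
        # The port is everything after the last ':' (works for ':::33515' too).
        if local_addr.rsplit(":", 1)[-1] == str(port):
            return fields[-1]             # e.g. '31414/jsvc.exec'
    return None

def build_syslog_message(hostname, text, facility=1, severity=6):
    """Build a minimal RFC 3164-style test line: <PRI>TIMESTAMP HOST MSG.

    This is a generic test message, not the Snare event format; it only
    verifies that datagrams reach the collection port.
    """
    pri = facility * 8 + severity         # user facility, informational = 14
    timestamp = time.strftime("%b %d %H:%M:%S")
    return "<%d>%s %s %s" % (pri, timestamp, hostname, text)

def send_test_datagram(host, port, message):
    """Send one UDP datagram to the collector; returns the number of bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(message.encode("utf-8"), (host, port))

def loopback_check(message):
    """Self-test: receive our own datagram on a throwaway local UDP port."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as receiver:
        receiver.bind(("127.0.0.1", 0))   # OS picks a free port
        receiver.settimeout(2)
        port = receiver.getsockname()[1]
        send_test_datagram("127.0.0.1", port, message)
        data, _ = receiver.recvfrom(4096)
        return data.decode("utf-8")

if __name__ == "__main__":
    print(find_udp_listener(SAMPLE_NETSTAT, 33515))
    msg = build_syslog_message("WORKSTATION01", "netvizura syslog test")  # placeholders
    print(loopback_check(msg) == msg)
```

Replace the loopback target with your collector's address and port (33515 by default) to exercise the real path, then watch for the datagram with the tcpdump command above.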
If tcpdump is not installed on your server, install it with your distribution's package manager:
Debian/Ubuntu: apt-get install tcpdump
CentOS: yum install tcpdump