NetVizura can detect end user activity in the company network. End user traffic is identified by matching the IP address carried in a syslog logon event with the IP address seen in NetFlow data. Logon events can be generated by Domain Controllers or workstations and relayed through a syslog server to the NetVizura server. This example uses a Windows Domain Controller.
NetVizura comes with predefined matching rules for the Snare Open Source Syslog agent. In Settings > NetFlow Settings > End Users there is already a predefined logon rule for collecting logon events from the Snare syslog agent. Activate it by clicking Active in the Status field. Double-clicking the rule opens the rule condition, where you can change Source IP to a more specific value to improve performance and check the collection of logon events by clicking Verify match. For a detailed explanation of how to install and configure the Snare syslog agent, see Installing and Configuring Syslog Agent for End User Traffic.
Steps for creating a correct match string:
1. Navigate to the NetVizura EventLog module and choose the Syslog tab.
2. Enter the IP address of the domain controller that exports syslogs into the Exporter text box and press Enter.
3. Identify a syslog message with logon information. The message should contain:
* MSWinEventLog * 4624 Microsoft-Windows-Security-Auditing * Success Audit * Logon Type: 3 * Account Name: <USERNAME> * Account Domain: <DOMAIN> * Source Network Address: <USER-IP> *
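The following added example is not NetVizura's own code: it shows how a match string of this form can be applied by compiling the rule's wildcards and placeholders into a regular expression, extracting the user, domain and source address from constructed Snare-style 4624 events, and tagging constructed NetFlow records with the user behind each source IP. The placeholder and whitespace semantics, and the skipping of computer accounts and events without a usable source address, are assumptions made here, not documented NetVizura behaviour.

```python
import re
# Predefined Snare logon rule quoted on the page: '*' is a wildcard, <NAME> is a field to extract.
MATCH_STRING = ("* MSWinEventLog * 4624 Microsoft-Windows-Security-Auditing * Success Audit"
                " * Logon Type: 3 * Account Name: <USERNAME> * Account Domain: <DOMAIN>"
                " * Source Network Address: <USER-IP> *")

def compile_match_string(rule):
    """Turn the wildcard/placeholder rule into a regex with one named group per field (assumed semantics)."""
    parts = []
    for token in re.split(r"(\*|<[A-Z-]+>|\s+)", rule):
        if token == "*":
            parts.append(".*?")      # wildcard: any text, shortest match first
        elif token.startswith("<"):
            parts.append(r"(?P<%s>\S+)" % token[1:-1].replace("-", "_"))  # one field value
        elif token.isspace():
            parts.append(r"\s*")     # rule is written with spaces; Snare separates fields with tabs
        else:
            parts.append(re.escape(token))
    return re.compile("".join(parts))

def parse_logon(line, pattern):
    """Return {'user', 'domain', 'ip'} for a matching logon event, else None."""
    m = pattern.search(line)
    if not m:
        return None
    user, ip = m.group("USERNAME"), m.group("USER_IP")
    # Computer accounts (trailing '$') and events without a usable source address would
    # attribute traffic to the wrong "user", so they are dropped.
    if user.endswith("$") or ip in ("-", "::1", "127.0.0.1"):
        return None
    return {"user": user, "domain": m.group("DOMAIN"), "ip": ip}

def build_user_map(lines, rule=MATCH_STRING):
    """Map each source IP to the latest 'DOMAIN\\user' that logged on from it."""
    pattern, users = compile_match_string(rule), {}
    for line in lines:
        rec = parse_logon(line, pattern)
        if rec:
            users[rec["ip"]] = "%s\\%s" % (rec["domain"], rec["user"])
    return users

def attribute_flows(flows, users):
    """Tag (src_ip, dst_ip, bytes) NetFlow records with the user behind src_ip, or None."""
    return [(src, dst, nbytes, users.get(src)) for src, dst, nbytes in flows]

# Constructed, shortened Snare-style events (not real captures); tabs mimic Snare's field separator.
SAMPLE_LOGS = [
    "dc01\tMSWinEventLog\t1\tSecurity\t4321\tMon Jan 08 09:12:44 2024\t4624\tMicrosoft-Windows-Security-Auditing\tN/A\tN/A\tSuccess Audit\tdc01\tLogon\t\tAn account was successfully logged on. Subject: Account Name: - Account Domain: - Logon Type: 3 New Logon: Account Name: jdoe Account Domain: CORP Network Information: Source Network Address: 10.20.30.40 Source Port: 49152",
    "dc01\tMSWinEventLog\t1\tSecurity\t4322\tMon Jan 08 09:12:50 2024\t4624\tMicrosoft-Windows-Security-Auditing\tN/A\tN/A\tSuccess Audit\tdc01\tLogon\t\tAn account was successfully logged on. Subject: Account Name: - Account Domain: - Logon Type: 3 New Logon: Account Name: WS02$ Account Domain: CORP Network Information: Source Network Address: 10.20.30.41 Source Port: 49153",
    "dc01\tMSWinEventLog\t1\tSecurity\t4323\tMon Jan 08 09:13:01 2024\t4625\tMicrosoft-Windows-Security-Auditing\tN/A\tN/A\tFailure Audit\tdc01\tLogon\t\tAn account failed to log on. Subject: Account Name: - Account Domain: - Logon Type: 3 Account For Which Logon Failed: Account Name: asmith Account Domain: CORP Network Information: Source Network Address: 10.20.30.42 Source Port: 49154",
]
SAMPLE_FLOWS = [("10.20.30.40", "93.184.216.34", 51200), ("10.20.30.41", "10.20.30.5", 800), ("10.20.30.42", "93.184.216.34", 2048)]
```

Only the interactive jdoe logon survives: the computer-account logon and the 4625 failure are rejected, so only the first flow is attributed to a user.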
By default the collection port for logon events is 33515, so syslogs should be sent to port 33515 on the NetVizura server. To change the port, go to Settings > NetFlow Settings > Configuration and search for the End users collection port value.
In the upper right corner of the NetVizura application navigate to Settings > NetFlow Settings > End Users:
To check the results of your work, navigate to NetFlow > End Users. If the tree is empty, refresh your web browser with Ctrl+F5.
To improve system performance, we recommend setting the status to inactive for all rules that are not in use.
Specifying too broad a subnet in the Source IP field may result in a performance penalty. For best results, change Source IP to a more specific value or a concrete IP address.
Use the help button: hover your cursor over the question mark on the screen for additional help.
You can easily verify the rule by clicking Verify. It checks whether any syslog message from the last 24 hours matches the rule.