NAC Collection Settings

Genian Insights E can collect audit log information in real time by linking to the Genian NAC server, and can monitor the status of the NAC system in real time.
In addition, you can install an agent on Endpoints to collect their asset information, monitor major actions that occur on them, and store and analyze that data in real time.

Collection is broadly divided into two kinds: event collection through server-to-server interworking, and collection through agent installation. Several preparatory steps are required before the various kinds of information can be collected.

Environment Settings for Information Collection

Agent Actions:

  1. Prepare a .gpf file whose name starts with NAC-ThreatDetector2.
  2. From System > Update, go to the Plugins menu.
  3. Click Tasks > Upload Plugin, click the Choose File button, and double-click the prepared .gpf file.
  4. When the file name is displayed on the screen, click the Upload button to upload the file.
  5. Go to Policy > NodePolicy > NodeAction.
  6. Click the Tasks > Create menu, enter an action name, select the Plug-in > Threat Detector2 item in the Settings section, enter the basic information, and click the Create button.

Server Actions:

  1. Log in to the NAC web console, and click the Policy Server IP in the System > System column.
  2. In the Environment Settings tab, set Use to On in the SNMP Agent Settings section, enter the username, and click the Edit button.
  3. Access the NAC CLI and set the IP address that is allowed external access to the database.

Warning

The MySQL service on the NAC server is restarted when the IP settings are applied.

  4. On the Roles screen, check insightsConnector and save it.

Note

insightsConnector can only be set in NAC Server versions 4.0.1X and 5.0.

  5. You can confirm that the insightsConnector role has been created in Settings > User Authentication > Roles.
  6. In the System > Users column, click Tasks > User Registration.
  7. Set the System role to insightsConnector and create a user.
  8. In the Users Settings tab, click the Create New Key button of the API Key item to create and save a new API key.
  9. Create a node group to select the nodes on which the plugin will be installed.
  10. Create a Node Policy and assign the node group created above to it.
  11. Assign the Threat Detector2 action and save.
  12. Click Apply Change Policy in the upper right corner.

NAC audit log collection

Once the environment settings for information collection are complete, the Insights E server must be configured to retrieve NAC audit logs.

  1. Log in to the Genian Insights E web console and, in System > Collector Settings > Collector Sets, click GENIAN NAC in the drop-down menu of the Configurator.
  2. On the Add Collector Automation screen, enter the information and click the Save button.
  • Collector Sets name: the Collector Sets name and Collector Sets description are the values displayed in the Collector Sets field.
  • Server hostname: the server string that will appear in the log.
  • Center Address: enter the Genian NAC Policy Server IP, and enter the Genian NAC DB Server IP in the DB Server Address.
  • DB user name and PASSWORD: enter the user name and PASSWORD of the NAC DB server.
  • Select Audit Log from the information to be collected and save it.
  3. Click the Start button of the added Collector Sets in the Collector Sets field. If NAC log collection (syslog) in the collector starts normally, you can see that a Genian Insights filter has been created under Log > Search Filter in the Genian NAC web console. The CHARSET used for communication between Insights and NAC must be 'UTF-8'.

Note

In version 4.0.X, the following 4 steps are separately required for NAC server event processing after automatic search filter creation.

  1. Click the name of the generated Genian Insights filter, as shown below.
  [Image: sysaudit.png]
  2. Click the Edit button at the bottom left. The Insights filter detail screen is displayed on the right. When you click the Edit button once more, syslog transmission starts from that point.
  [Image: auditedit.png]
  3. Whenever an audit record is generated on the NAC server, the data is sent to the Insights E server through syslog, and the log can be viewed in the Insights E web console under Discovery > NAC logs.

NAC asset information collection

Once the environment settings for information collection are complete, the Insights E server can access the NAC server database and collect various asset information about Endpoints.

  1. Log in to the Genian Insights E web console and, in System > Collector Settings > Collector Sets, click GENIAN NAC in the drop-down menu of the Configurator.
  2. On the Add Collector Automation screen, enter the information and click the Save button.
  • Collector Sets name: the Collector Sets name and Collector Sets description are the values displayed in the Collector Sets field.
  • Server hostname: the server string that will appear in the log.
  • Center Address: enter the Genian NAC Policy Server IP, and enter the Genian NAC DB Server IP in the DB Server Address.
  • DB user name and PASSWORD: enter the user name and PASSWORD of the NAC DB server.
  • Select the asset information to be collected from the collection target information and save it.
  3. Click the Start button of the added Collector Sets in the Collector Sets field.
  4. Asset information is collected according to the default collection cycle, and the log can be checked in the Insights E web console under Discovery > NAC Assets.
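The audit-log and asset collector sets above share the same inputs (Policy Server IP, DB Server IP, DB credentials, the UTF-8 charset requirement, and the database external-access IP set in the NAC CLI). The following pre-flight check is an added example, not Genian's own code: it validates a collector-set configuration offline and flags an unrestricted database allow-list. The field names, the `db_external_access_ip` key, and the MySQL port 3306 are assumptions.

```python
"""Pre-flight checks for a Genian Insights E 'GENIAN NAC' collector set.

Added example, not part of Genian's product code. Field names, the
db_external_access_ip key and the DB port (3306, MySQL default) are assumptions.
"""
import ipaddress
import socket
from typing import Dict, List

REQUIRED = ("collector_name", "server_hostname", "policy_server_ip",
            "db_server_ip", "db_user", "db_password", "charset")


def validate_collector_set(cfg: Dict[str, str], insights_host_ip: str) -> List[str]:
    """Return a list of problems; an empty list means the set looks ready to start."""
    problems = []
    for key in REQUIRED:
        if not cfg.get(key):
            problems.append(f"missing field: {key}")
    for key in ("policy_server_ip", "db_server_ip"):
        try:
            ipaddress.ip_address(cfg.get(key, ""))
        except ValueError:
            problems.append(f"{key} is not a valid IP address")
    # Insights <-> NAC communication must use UTF-8, as the procedure requires.
    if cfg.get("charset", "").upper().replace("-", "") != "UTF8":
        problems.append("charset must be UTF-8")
    # The NAC CLI external-access IP should be only the Insights E server:
    # a wildcard exposes the NAC database to every host that can reach it.
    allowed = cfg.get("db_external_access_ip", "")
    if allowed in ("", "%", "*", "0.0.0.0"):
        problems.append("db_external_access_ip is unrestricted; set it to the Insights E server IP")
    elif allowed != insights_host_ip:
        problems.append("db_external_access_ip does not match the Insights E server IP")
    return problems


def db_reachable(host: str, port: int = 3306, timeout: float = 3.0) -> bool:
    """TCP reachability check from the Insights E host to the NAC DB (port assumed)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False
```

Run `validate_collector_set` on the values you intend to enter before clicking Start; `db_reachable` confirms that the NAC CLI allow-list and any firewall actually admit the Insights E host.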