
RSA enVision Event Explorer 4.0.1 Installation Guide

Contact Information
Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com

Trademarks
RSA and the RSA logo are registered trademarks of RSA Security Inc. in the United States and/or other countries. For the most up-to-date listing of RSA trademarks, go to www.rsa.com/legal/trademarks_list.pdf. EMC is a registered trademark of EMC Corporation. All other goods and/or services mentioned are trademarks of their respective companies. enVision, Enterprise Dashboard, and Internet Protocol Database (IPDB) are trademarks of RSA Security Inc. LogSmart is a registered trademark of RSA Security Inc. All other trademarks, service marks, registered trademarks, registered service marks mentioned in this document are the property of their respective owners.

License agreement
This software and the associated documentation are proprietary and confidential to RSA, are furnished under license, and may be used and copied only in accordance with the terms of such license and with the inclusion of the copyright notice below. This software and the documentation, and any copies thereof, may not be provided or otherwise made available to any other person. No title to or ownership of the software or documentation or any intellectual property rights thereto is hereby transferred. Any unauthorized use or reproduction of this software and the documentation may be subject to civil and/or criminal liability. This software is subject to change without notice and should not be construed as a commitment by RSA.

Third-party licenses
This product may include software developed by parties other than RSA. The text of the license agreements applicable to third-party software in this product may be viewed in the thirdpartylicenses.pdf file.

Note on encryption technologies


This product may contain encryption technology. Many countries prohibit or restrict the use, import, or export of encryption technologies, and current use, import, and export regulations should be followed when using, importing or exporting this product.

Distribution
Limit distribution of this document to trusted personnel.

RSA notice
Information in this document is subject to change without notice. The software described in this document is furnished under a license agreement or nondisclosure agreement. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or any means electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of RSA Security Inc.

© 2009 RSA Security Inc. All rights reserved. December 2009

Contents

Preface
- About This Guide
- RSA enVision Event Explorer Documentation
- RSA enVision Documentation
- Getting Support and Service

Chapter 1: RSA enVision Event Explorer

Chapter 2: Requirements for Using RSA enVision Event Explorer
- RSA enVision Compatibility
- License Requirements
- User Permission Requirements
- Client Requirements
- Port Requirements

Chapter 3: Installing RSA enVision Event Explorer

Chapter 4: Using RSA enVision Event Explorer
- Specifying an RSA enVision Appliance During Your Initial Logon
- Logging On to RSA enVision Event Explorer
- Setting Up RSA enVision Event Explorer
- Logging Off RSA enVision Event Explorer

Preface
About This Guide
This guide describes how to install the RSA enVision Event Explorer module. It is intended for system administrators, security officers, end users, or anyone who needs to install Event Explorer on a client computer.

RSA enVision Event Explorer Documentation


For more information, see the following documentation:

- Release Notes. Provides information about what is new and changed in this release, as well as workarounds for known issues. The latest version of the Release Notes is available on RSA SecurCare Online at https://knowledge.rsasecurity.com.
- RSA enVision Event Explorer Help. Provides comprehensive information about setting up and using Event Explorer.

RSA enVision Documentation


For information about the RSA enVision platform, see the following documentation:

- Hardware Guide. Provides instructions for setting up your RSA enVision appliances. Intended audience is the system administrator.
- Configuration Guide. Provides instructions for configuring your RSA enVision site. Intended audience is the system administrator.
- Migration Guide. Provides instructions for migrating your data from a previous version of RSA enVision to the current version.
- RSA enVision Help. Provides comprehensive information about setting up and using RSA enVision.

Getting Support and Service


- RSA SecurCare Online: https://knowledge.rsasecurity.com
- Customer Support Information: www.rsa.com/support
- RSA Secured Partner Solutions Directory: www.rsasecured.com

RSA SecurCare Online offers a knowledgebase that contains answers to common questions and solutions to known problems. It also offers information on new releases, important technical news, and software downloads.


The RSA Secured Partner Solutions Directory provides information about third-party hardware and software products that have been certified to work with RSA products. The directory includes Implementation Guides with step-by-step instructions and other information about interoperation of RSA products with these third-party products.

Before You Call Customer Support


Make sure that you have direct access to the computer running the Event Explorer software. Please have the following information available when you call:

- Your RSA Customer/License ID
- Your RSA enVision appliance serial number
- Event Explorer software version number
- The make and model of the machine on which the problem occurs
- The name and version of the operating system under which the problem occurs


RSA enVision Event Explorer


As part of the RSA enVision platform, RSA enVision Event Explorer is a client application that allows advanced analysis of real-time and historical event source log data. Event Explorer benefits include:

- Real-time data mining. Perform data mining for compliance and investigation of possible security breaches.
- Interactive user monitoring. Zoom from an enterprise-wide to single-user view to track and analyze user activities.
- Detailed application and system insight. Gain insight into business operations through real-time application analysis.

Event Explorer is a client application. You install Event Explorer on your client and establish a connection to an RSA enVision appliance. For complete information on setting up and using enVision, see the enVision Help.


Requirements for Using RSA enVision Event Explorer


This chapter describes the requirements to use RSA enVision Event Explorer.

RSA enVision Compatibility


RSA enVision Event Explorer 4.0.1 is compatible only with RSA enVision sites running RSA enVision 4.0 or later.
Note: You cannot use Event Explorer with enVision running on 50 series EX appliances.

License Requirements
To use Event Explorer, you must have:

- A valid enVision license key. For information on the enVision license key, see the enVision Help topic License Key.
- Enough user licenses for each user to log on concurrently. Event Explorer allows up to 15 licensed users to log on per Application Server (A-SRV) based on the Event Explorer license you purchased.

To purchase enVision licenses, contact the RSA Sales team.


User Permission Requirements


To allow you to log on to Event Explorer, your enVision administrator must:

- Set you up as a user in enVision with your user account set to Enabled. For more information, see the enVision Help topic Users.
- Give you access permissions for Event Explorer. For more information, see the enVision Help topic Event Explorer Permissions.
- Give you permission to view at least one event source (device) on the enVision appliance. For more information, see the enVision Help topic Device Access Filters.
- Give you site access permission for the site on the enVision appliance to which you want to establish an event trace. For more information, see the enVision Help topic Site Login Permissions.

Important: An administrator can force a log out for an Event Explorer user from within the enVision application. For more information, see the enVision Help topic Force User Log Out.

Client Requirements
The following table describes client configurations for PCs running under Microsoft Windows XP or Windows Vista, based on how you intend to use Event Explorer. If you do not follow these recommendations, you may experience poor performance when you carry out simultaneous tasks, such as running more than one event trace.
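
| Item | Task Triage and Light Event Trace Usage | Moderate Event Trace Usage | Heavy Event Trace Usage |
|---|---|---|---|
| OS | Microsoft Windows XP or Microsoft Windows Vista | Microsoft Windows XP or Microsoft Windows Vista | Microsoft Windows XP or Microsoft Windows Vista |
| Processor | Pentium 4 or higher | Pentium 4 or higher | Pentium 4 or higher |
| RAM | 2 GB RAM | 2 GB RAM | 3 GB RAM |
| CPU | 1 CPU (minimum) | 2 CPUs (minimum) | 4 CPUs (minimum) |
| CPU Speed | 2 GHz | 2 GHz | 2 GHz |
| Disk RPM | 7,200 | 7,200 | 10,000 RAID |
| Disk Space | 100 MB of free disk space for the Event Explorer application (the amount of space you will require for persisted databases is need-based) | 100 MB of free disk space for the Event Explorer application (the amount of space you will require for persisted databases is need-based) | 100 MB of free disk space for the Event Explorer application (the amount of space you will require for persisted databases is need-based) |
| Network | 100baseTX network event trace to the enVision appliances (minimum) | 100baseTX network event trace to the enVision appliances (minimum) | 100baseTX network event trace to the enVision appliances (minimum) |
| Display Resolution | 1024x768 at 16-bit color (minimum) | 1024x768 at 16-bit color (minimum) | 1024x768 at 16-bit color (minimum) |
| Browser | Microsoft Internet Explorer 5.5 or later, Mozilla Firefox 1.0 or later | Microsoft Internet Explorer 5.5 or later, Mozilla Firefox 1.0 or later | Microsoft Internet Explorer 5.5 or later, Mozilla Firefox 1.0 or later |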

Port Requirements
To use Event Explorer, you must be able to connect to various ports on each enVision appliance as described in the following table.

| Usage | Ports | Service That Opens and Closes the Ports | Port Direction | On Appliance Type (For Multiple Appliance Sites Only) |
|---|---|---|---|---|
| Authentication of Event Explorer user | HTTP 8080, HTTPS 8443 | NIC Web Server Service | Inbound and Outbound | A-SRV |
| Event Explorer access to IPDB | TCP 2010 | NIC Server Service | Inbound and Outbound | D-SRV |
| Event Explorer connection to the NIC App Server Service | TCP 1098, 1099, 3873, and 4444 | NIC App Server Service | Inbound and Outbound | A-SRV |

For information on the NIC services, see the enVision Help.


Note: The D-SRV port 2010 traffic is not encrypted.
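
An added example (not part of the RSA guide): a client-side preflight check that encodes the port table above and reports which required ports are unreachable and which reachable ports carry traffic known to be unencrypted (HTTP 8080 by protocol, TCP 2010 per the note above). The host names are placeholders and the function names are this example's own; the `encrypted` flag is left unknown (None) for the NIC App Server Service ports because the guide does not say. On a single-appliance site, map both roles to the same host.

```python
import socket

# Port table transcribed from the guide: (usage, appliance role, port, encrypted).
# encrypted is True/False where the protocol or the guide's note settles it,
# and None where the guide does not say.
PORTS = [
    ("Authentication of Event Explorer user (HTTP)", "A-SRV", 8080, False),
    ("Authentication of Event Explorer user (HTTPS)", "A-SRV", 8443, True),
    ("Event Explorer access to IPDB", "D-SRV", 2010, False),
] + [("Connection to the NIC App Server Service", "A-SRV", p, None)
     for p in (1098, 1099, 3873, 4444)]

def tcp_probe(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unresolvable name
        return False

def preflight(hosts, probe=tcp_probe):
    """Probe every port in PORTS; hosts maps appliance role -> host name."""
    results = []
    for usage, role, port, encrypted in PORTS:
        host = hosts.get(role)
        # reachable is None when no host was supplied for that role
        reachable = probe(host, port) if host else None
        results.append({"usage": usage, "role": role, "host": host,
                        "port": port, "reachable": reachable,
                        "encrypted": encrypted})
    return results

def blocked(results):
    """Ports that were probed and could not be reached from this client."""
    return [r["port"] for r in results if r["reachable"] is False]

def plaintext_in_use(results):
    """Reachable ports whose traffic is known to be unencrypted."""
    return [r["port"] for r in results
            if r["reachable"] and r["encrypted"] is False]

if __name__ == "__main__":
    # Placeholder host names (assumption); replace with your own appliances.
    site = {"A-SRV": "a-srv.example.invalid", "D-SRV": "d-srv.example.invalid"}
    res = preflight(site)
    for r in res:
        print(r["role"], r["port"], r["reachable"], r["encrypted"], r["usage"])
    print("blocked:", blocked(res), "plaintext:", plaintext_in_use(res))
```

If 8080 shows up as reachable plaintext, selecting https:// and port 8443 at logon keeps the authentication exchange off the unencrypted port; the port 2010 traffic to the D-SRV remains unencrypted either way, so it is the one to confine to a trusted network segment.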


Installing RSA enVision Event Explorer


You can install and use RSA enVision Event Explorer on a PC running Microsoft Windows XP or Windows Vista. RSA enVision Event Explorer 4.0.1 is compatible only with enVision sites running RSA enVision 4.0 or later. Event Explorer cannot be used with enVision running on 50 series EX appliances.
To install Event Explorer:

1. Download the Event Explorer installation file, as follows:
   a. Go to https://knowledge.rsasecurity.com, and log on to RSA SecurCare Online.
   b. Under Browse By Product Family, click RSA enVision.
   c. Click the Downloads tab.
   d. Under Latest Event Explorer Downloads, click RSA Event Explorer 4.0.1.
   e. Click Software Update for Windows.
   f. When prompted, specify the directory into which you want to download the file.
2. Double-click the file to execute it.
3. Complete the installation wizard.

The wizard creates a shortcut on your desktop for Event Explorer, and the installation is complete. If you chose to launch Event Explorer when completing the wizard, Event Explorer will start now.


Using RSA enVision Event Explorer


This chapter describes how to log on to and set up RSA enVision Event Explorer.

Specifying an RSA enVision Appliance During Your Initial Logon


Important: To log on to Event Explorer, you must be set up as an Event Explorer user in RSA enVision, and there must be sufficient user licenses available. For more information on user permissions, see User Permission Requirements.

The first time that you launch Event Explorer after a new installation, it displays the following message:

"Welcome to Event Explorer. Please enter the information below for the enVision server that you would like to log into."

Note: This message does not appear if you upgraded Event Explorer from an earlier version.

To log on to Event Explorer for the first time:

1. In the Protocol field, select the protocol (http:// or https://) with which to connect to the enVision appliance.
2. In the Hostname or IP Address field, enter the host name or IP address.
3. In the Port field, select or enter the port to which to connect.
4. Click OK. Event Explorer opens the Event Explorer Login window that you will see in all subsequent sessions.
5. Log on to Event Explorer. For instructions, see the following section, Logging On to RSA enVision Event Explorer.


Logging On to RSA enVision Event Explorer


During the Event Explorer logon process, you can update the list of available enVision appliances.
To log on:

1. Click Start > Programs > Network Intelligence > Event Explorer > Event Explorer.
2. Select or edit an enVision appliance as follows.

   Goal: Select an appliance from the list.
   Action to Take: Click the appliance to select it.

   Goal: Add an appliance to the list.
   Action to Take:
   1. Click New.
   2. From the Protocol drop down list, select a protocol.
   3. In the Hostname or IP Address field, enter the host name or IP address.
   4. In the Port field, select or enter a port.
   5. Click OK.

   Goal: Remove an appliance from the list.
   Action to Take:
   1. Click the appliance to select it.
   2. Click Del.

   Goal: Edit the properties of an appliance that appears in the list.
   Action to Take:
   1. Click the appliance to select it.
   2. Click Edit.
   3. Edit the fields that you want to change, and click OK.

3. Enter your enVision user name and password in the Username and Password fields for the server that you selected in step 2.
4. Click Log In.

The logon process starts by authenticating to the selected enVision appliances with the user name and password that you entered. A progress bar indicates logon status. When the authentication is complete and successful, the Event Explorer window opens.


Setting Up RSA enVision Event Explorer


To set up Event Explorer, perform the following tasks:

1. Add one enVision appliance to Event Explorer for each NIC domain. These are the enVision appliances from which you want to receive events in Event Explorer.
2. Establish an event trace to determine:
   - The event data that you want to view in Event Explorer
   - The time frame of this data
   - The size of the event buffer that you want to keep within Event Explorer for analysis
3. Set up trace views to define which information to display and how to display it within Event Explorer.

For information on setting up and using Event Explorer, see the Event Explorer Help.

Logging Off RSA enVision Event Explorer


When you are finished using Event Explorer, you can log off to conserve system resources.
To log off Event Explorer:

On the Event Explorer window, click File > Exit.


Important: When you are logged on to Event Explorer, you are not constrained by the enVision Automatic timeout option. Event Explorer does not disconnect users when they are idle for any amount of time.
