System Administration

To maintain your SmartEvent system, you can do these tasks from the General Settings section of the Policy tab:

• Adding a SmartEvent Correlation Unit and Log Servers
• Create offline jobs analyze historical log files
• Adding objects to the Internal Network
• Creating scripts to run as Automatic Reactions for certain events
• Creating objects for use in filters

Save Event Policy

Modifications to the Event Policy do not take effect until saved on the SmartEvent server and installed to the SmartEvent Correlation Unit.

To enable changes made to the Event Policy:

1. Click File > Save.
2. Click Actions > Install Event Policy.

Revert Changes

You can undo changes to the Event Policy, if they were not saved.

To undo changes: click File > Revert Changes.

Adding Network and Host Objects

Network Objects are the objects that are synchronized from the Management object database as well as user defined additional objects. These objects from the Management server are added to SmartEvent during the initial sync and updated at set intervals.

As a best practice, use SmartConsole to add new network or host objects to the Management server.

The customer cannot define the internal network until the initial sync is complete.

To add a host or network object to SmartEvent:

1. From the Policy tab, select General Settings > Objects > Network Objects > Add > Host or Add Network.
2. Give the device a significant name.
3. For a host, enter the IP Address or select Get Address.
4. For a network object, enter the Network Address and Net Mask.
5. Select OK.

Defining the Internal Network

To help SmartEvent conclude if events originated internally or externally, you must define the Internal Network. These are the options to calculate the traffic direction:

• Incoming - All the sources are external to the network and all destinations are internal.
• Outgoing - All sources are in the network and all destinations are external.
• Internal - Sources and destinations are all in the network.
• Other - A mixture of internal and external values makes the result indeterminate.

To define the Internal Network:

1. From the Policy tab, select General Settings > Initial Settings > Internal Network.
2. Add internal objects.

   We recommend you add all internal Network objects, and not Host objects.

Some network objects are copied from the Management server to the SmartEvent server during the the initial sync and updated afterwards.

Note - The customer cannot define the internal network until the initial sync is complete.

Defining the Internal Network

To help SmartEvent conclude if events originated internally or externally, you must define the Internal Network. These are the options to calculate the traffic direction:

• Incoming – all the sources are external to the network and all destinations are inner
• Outgoing – all sources are in the network and all destinations external
• Internal – sources and destinations are all in the network
• Other – a mixture of and internal and external values makes the result indeterminate

To define the Internal Network:

1. From the Policy tab, select General Settings > Initial Settings > Internal Network.
2. Add internal objects.

   We recommend you add all internal Network objects, and not Host objects.

Some network objects are copied from the Management server to the SmartEvent Server during the initial sync and updated afterwards.

SmartEvent with Management High Availability

The SmartEvent database keeps a synchronized copy of management objects locally on the SmartEvent Server. This process, dbsync, allows SmartEvent to work independently of different management versions and different management servers in a High Availability environment.

Management High Availability capability exists for Security Management Servers, and in a Multi-Domain Security Management environment, dbsync supports High Availability for the Multi-Domain Servers and the Domain Management Servers.

How it works

Dbsync initially connects to the active management server. It retrieves all the objects. After the initial synchronization it gets updates when changes are published. Dbsync registers all the machines and periodically tests the connectivity with the active management server. If connectivity is lost, it connects to new active server.