Modifying the data export configuration, Auditing the exported data, Anomaly detection management – H3C Technologies H3C Intelligent Management Center User Manual


4. Click Query to view the data export logs matching the criteria. Click Reset to clear all query criteria.

Modifying the data export configuration

1. Select Service > Traffic Analysis and Audit > Data Export.
   The Data Export Config List appears in the main pane of the Data Export page.

2. Click the Modify icon.

3. Select the Enable Data Export option to enable the data export function.
   After you enable the data export function, you can configure the Trigger Data Export by Data Space Alarm and Path of Exported File parameters.
   If you do not select the Trigger Data Export by Data Space Alarm option, the NTA server exports data according to the log lifetime only. With the Trigger Data Export by Data Space Alarm option selected, when data space alarms occur, the NTA server automatically exports the oldest data day by day until the data space alarms are cleared.

4. Enter the absolute path of the exported file on the NTA server.

5. Click OK to complete modifying the data export configuration.
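To make the two export triggers in step 3 concrete, here is an added Python model (example code, not part of the H3C manual or of NTA itself) of how the rules combine: data older than the log lifetime is always exported, and, only when Trigger Data Export by Data Space Alarm is selected, the oldest remaining day is exported one day at a time until the retained data fits under the space limit again. The per-day sizes, the space limit, and the function name are constructed assumptions; NTA's real storage accounting is not shown on this page.

```python
from datetime import date, timedelta


def select_days_to_export(day_sizes, today, log_lifetime_days,
                          trigger_by_space_alarm, space_limit_mb):
    """Return the days that would be exported, oldest first.

    day_sizes: {date: size_mb} of traffic data currently held (constructed).
    Rule 1 (always active): days older than the log lifetime are exported.
    Rule 2 (only if trigger_by_space_alarm): while the retained data exceeds
    space_limit_mb, i.e. while a data space alarm is active, export the oldest
    remaining day and re-check, one day at a time.
    """
    retained = dict(sorted(day_sizes.items()))   # oldest day first
    to_export = []

    # Rule 1: log lifetime.
    cutoff = today - timedelta(days=log_lifetime_days)
    for day in list(retained):
        if day < cutoff:
            to_export.append(day)
            del retained[day]

    # Rule 2: data space alarm, only when the option is selected.
    if trigger_by_space_alarm:
        for day in list(retained):
            if sum(retained.values()) <= space_limit_mb:
                break                      # alarm cleared, stop exporting
            to_export.append(day)
            del retained[day]

    return to_export


# Constructed sample: six days of data on the server, a 7-day lifetime, and a
# 600 MB space limit that the retained data initially exceeds.
SAMPLE_DAYS = {
    date(2024, 3, 1): 100, date(2024, 3, 2): 100, date(2024, 3, 4): 300,
    date(2024, 3, 6): 300, date(2024, 3, 8): 200, date(2024, 3, 10): 150,
}
TODAY = date(2024, 3, 10)

if __name__ == "__main__":
    for trigger in (False, True):
        days = select_days_to_export(SAMPLE_DAYS, TODAY, 7, trigger, 600)
        print(f"space-alarm trigger {trigger}: export "
              f"{[d.isoformat() for d in days]}")
```

With the trigger off, only the two days beyond the lifetime leave the server; with it on, two more days go out, one at a time, until the retained 350 MB is under the limit and the alarm condition no longer holds.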

Auditing the exported data

NTA provides an auditing tool. An operator can use the log auditing tool to audit the traffic data of the exported file. The auditing tool depends on the JRE. To guarantee normal operation of the auditing tool, make sure you have downloaded the latest JRE.

To audit the exported data:

1. From the top navigation bar, select Service > Traffic Analysis and Audit > Data Export.
   The Data Export Config List appears in the main pane of the Data Export page.

2. Click Log File Audit to download and start the auditing tool.
   The auditing tool performs only a general audit of the exported data. Use the auditing tool in the same way as you use the auditing tool of UBA. For information about using the auditing tool, see IMC User Behavior Auditor Administrator Guide.

Anomaly detection management

NTA collects statistics on traffic flow records and compares the statistics with the thresholds in the anomaly detection templates. If a threshold is crossed, NTA issues an alarm.

NTA has a series of predefined anomaly detection templates. You cannot add or delete templates, but you can modify them.

The anomaly detection templates fall into two categories: templates that use the same parameters and templates that use anomaly type-specific parameters.

The following templates use the same parameters:

- TCP Null Scan
- TCP Fin Scan
- TCP Syn Fin Scan
- TCP Xmas Scan
- UDP Bomb Attack
- Snork Attack
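As an added illustration of the threshold comparison described above (example code, not part of the H3C manual or of NTA), the following Python script classifies constructed flow records into the four flag-based TCP scan templates in the list, counts matches per source, and raises an alarm when a template's threshold is crossed. The flag signatures follow the usual definitions of these scan names; the per-source count threshold, the FlowRecord fields, and the TEMPLATES table are assumptions, since the page does not show the templates' actual parameters, and the UDP-based templates (UDP Bomb, Snork) are left out.

```python
from collections import Counter
from dataclasses import dataclass

# TCP flag bits as carried in the tcpFlags field of NetFlow/IPFIX records.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass(frozen=True)
class FlowRecord:
    """Minimal flow record (assumed layout, not NTA's own schema)."""
    src: str
    dst: str
    proto: int      # 6 = TCP, 17 = UDP
    dport: int
    tcp_flags: int  # OR of all TCP flags seen in the flow
    packets: int


def classify(flow):
    """Map a flow to one of the flag-based scan templates, or None.

    Flag signatures follow the usual definitions of these scan names:
    Null = no flags, FIN = FIN only, SYN/FIN = SYN+FIN, Xmas = FIN+PSH+URG.
    UDP Bomb and Snork are UDP-based and need port/payload logic not shown here.
    """
    if flow.proto != 6:
        return None
    flags = flow.tcp_flags
    if flags == 0:
        return "TCP Null Scan"
    if flags == FIN:
        return "TCP Fin Scan"
    if flags == SYN | FIN:
        return "TCP Syn Fin Scan"
    if flags == FIN | PSH | URG:
        return "TCP Xmas Scan"
    return None


# Assumed "same parameters" template table: one threshold (matching flows per
# source in the statistics interval) and an enable switch per template.
TEMPLATES = {
    "TCP Null Scan":    {"threshold": 5, "enabled": True},
    "TCP Fin Scan":     {"threshold": 5, "enabled": True},
    "TCP Syn Fin Scan": {"threshold": 5, "enabled": True},
    "TCP Xmas Scan":    {"threshold": 5, "enabled": True},
}


def detect(flows, templates):
    """Count matching flows per (template, source) and return the alarms.

    An alarm is a (template, src, count) tuple, emitted when count exceeds
    the template's threshold. Disabled templates are skipped.
    """
    counts = Counter()
    for flow in flows:
        template = classify(flow)
        if template and templates.get(template, {}).get("enabled"):
            counts[(template, flow.src)] += 1
    alarms = []
    for (template, src), n in sorted(counts.items()):
        if n > templates[template]["threshold"]:
            alarms.append((template, src, n))
    return alarms


# Constructed sample: 10.0.0.5 probes six ports with Xmas flags (crosses the
# threshold), 10.0.0.9 sends two Null-flag flows (below threshold), and the
# rest are an ordinary TCP session and a UDP DNS flow.
SAMPLE_FLOWS = (
    [FlowRecord("10.0.0.5", "192.0.2.10", 6, p, FIN | PSH | URG, 1)
     for p in (21, 22, 25, 80, 443, 8080)]
    + [FlowRecord("10.0.0.9", "192.0.2.10", 6, p, 0, 1) for p in (22, 80)]
    + [FlowRecord("10.0.0.7", "192.0.2.10", 6, 443, SYN | ACK | PSH | FIN, 40),
       FlowRecord("10.0.0.7", "192.0.2.53", 17, 53, 0, 2)]
)

if __name__ == "__main__":
    for template, src, n in detect(SAMPLE_FLOWS, TEMPLATES):
        print(f"ALARM {template}: {src} matched {n} flows "
              f"(threshold {TEMPLATES[template]['threshold']})")
```

Because the templates are predefined and only their values are editable, the natural tuning knob for an operator is the threshold; lowering it catches slower probes at the cost of more alarms from legitimate but unusual traffic, which is why the example counts per source rather than globally.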
