Security Event Management for Windows: How to do it really cheap! Presenter: Gord Taylor (CISSP, GCIH, GEEK)

Upload: meryl-jane-floyd

Post on 24-Dec-2015


Page 1:

Security Event Management for Windows

How to do it really cheap!

Presenter: Gord Taylor (CISSP, GCIH, GEEK)

Page 2: Apologies to the UNIX / Linux Guys

…but hopefully there will be some interesting things for you…

Page 3: Taxonomy

What is SIM (Security Information Management)?
What is SEM (Security Event Management)?
SIM & SEM are not the same thing.
Unfortunately, industry analysts like Gartner are blurring the lines :(

Page 4: What is Syslog and where did it come from?

Originally created for BSD in the early 1980s
Ported to virtually every platform since
Evolved with no standard until 2001 (RFC 3164 wrote down the existing practice rather than designing anything new)
Uses UDP/514 by default
A typical Syslog message:

<133>Jul 17 13:55:51 MachineName SyslogTag: Here's my custom message.

The leading <133> is the PRI field: facility * 8 + severity, so 133 is facility 16 (local0) at severity 5 (notice). The timestamp has no year, and the sender's own clock is what you get.

Page 5: A Basic Syslog Implementation

[Diagram: Internet -> Firewall -> DMZ Server Subnet (Mail, FTP, Web1, Web2, E-Comm) and Internal Network (Mail, Proxy, DB, Other Apps); every device sends directly to one Syslog server]

Page 6: Advantages of Syslog

Your network guys understand it
It's probably already allowed on every firewall and router in your environment
(Almost) everything supports it
It's LEAN, so network traffic isn't typically a concern
It will be around for a long time

Page 7: Advantages of Syslog (cont'd)

Even if you buy a vendor product, they'll support it
A lot of vendor solutions are based on syslog-reliable (RFC 3195)

Page 8: Disadvantages of Syslog

You're on your own for creating reports, maintaining code changes, support, etc.
Traditional Syslog is UDP (unreliable: a dropped datagram is simply gone, and nothing authenticates the sender's address)
Not supported natively in Windows
It's not encrypted, but you can tunnel it (IPsec); the tunnel gives you confidentiality and integrity on the wire, though it does not turn UDP into reliable delivery
1k limit on the message (RFC 3164 says 1024 bytes for the whole packet; some implementations accept more, maybe 4k)
Scalability

Page 9: And along comes Syslog-NG and Syslog Reliable

Syslog-ng came out before the RFC standards; it added TCP transport and filtering of its own
Syslog Reliable (RFC 3195) is a separate design that carries syslog over BEEP (RFC 3080); it is not based on syslog-ng, and the two TCP transports do not interoperate, so check which one a product means when it says "syslog over TCP"
Reliable has 2 modes: RAW & COOKED
WinSyslog has supported syslog over TCP for a long while, and Adiscon's Rainer Gerhards has been active in the IETF syslog work around RFC 3195

Page 10: Advantages of Reliable

Does everything Syslog does
TCP based: reliable delivery, plus confidentiality, integrity and authentication through BEEP's TLS and SASL profiles
Provides for Relays and Collectors
More customization options
A single system can be a device, relay, collector, or all three
Due to the path information (COOKED mode) you get both SENDER time and RECEIVER time

Page 11: Disadvantages of Reliable

You're on your own for creating reports, maintaining code changes, support, etc.
Not everyone has implemented the RFC
Some poor implementations open the TCP channel for EACH MESSAGE (ouch!)
Not clear on maximum message size (especially in RAW mode)

Page 12: Disadvantages of Reliable (cont'd)

Still doesn't provide the YEAR in the timestamp (the payload is still an RFC 3164 message)
Still not widely implemented (including Windows)
More customization options (which also means more to configure and get wrong)

Page 13: A Simple Syslog Reliable Implementation

[Diagram: same network as Page 5, but the DMZ hosts (Mail, FTP, Web1, Web2, E-Comm) send to an External Syslog Forwarder in the DMZ, which relays to the Internal Syslog collector on the Internal Network (Mail, Proxy, DB, Other Apps)]

Page 14: So… What about Windows?

We want to turn this [Event Viewer screenshot of a Security log entry, Event ID 528, Successful Logon]:

Into this syslog message:

<pri>Dec 22 9:42:26 192.168.131.67 528: NT AUTHORITY\LOCAL SERVICE Successful Logon: User Name: LOCAL SERVICE Domain: NT AUTHORITY Logon ID: (0x0,0x3E5) Logon Type: 5 Logon Process: Advapi Authentication Package: Negotiate Workstation Name: Logon GUID: - Caller User Name: MACHINENAME$ Caller Domain: Caller Logon ID: (0x0,0x3E7) Caller Process ID: 280 Transited Services: - Source Network Address: - Source Port: -

(Watch the timestamp: RFC 3164 wants "Dec 22 09:42:26" with a two-digit hour; an agent that emits "9:42:26" will trip up strict parsers on the collector.)
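For Pages 4 and 14 together, here is an added Python example (not code from the slides, nor from NTSyslog, Snare or any other agent named in this deck). It renders a constructed Event ID 528 record into an RFC 3164 line, then parses that line back, decoding the PRI and supplying the year the format leaves out. The event's field names (TimeGenerated, EventID, User, Description), the host address and the choice of auth.notice are assumptions.

```python
"""Windows Security event -> RFC 3164 syslog line -> parsed record.

Added example, not from the slides or from any syslog agent. WINDOWS_EVENT is
a constructed Windows 2003-style Security log entry (Event ID 528); its field
names are assumptions.
"""
import re
from datetime import datetime, timedelta

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
MAX_LEN = 1024  # RFC 3164 4.1: the whole packet MUST be 1024 bytes or less


def encode_pri(facility, severity):
    """PRI = facility * 8 + severity, e.g. local0 (16) and notice (5) give 133."""
    return facility * 8 + severity


def decode_pri(pri):
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def rfc3164_timestamp(ts):
    """'Mmm dd hh:mm:ss': space-padded day, zero-padded hour, and no year."""
    return "%s %2d %s" % (ts.strftime("%b"), ts.day, ts.strftime("%H:%M:%S"))


# Constructed sample: what an agent reads out of the Security log.
WINDOWS_EVENT = {
    "TimeGenerated": datetime(2005, 12, 22, 9, 42, 26),
    "EventID": 528,
    "User": r"NT AUTHORITY\LOCAL SERVICE",
    "Description": (
        "Successful Logon: User Name: LOCAL SERVICE Domain: NT AUTHORITY\n"
        "Logon ID: (0x0,0x3E5) Logon Type: 5 Logon Process: Advapi\n"
        "Authentication Package: Negotiate Workstation Name: Logon GUID: -\n"
        "Caller User Name: MACHINENAME$ Caller Domain: Caller Logon ID: (0x0,0x3E7)\n"
        "Caller Process ID: 280 Transited Services: - Source Network Address: - Source Port: -"
    ),
}


def windows_event_to_syslog(ev, host, facility=4, severity=5):
    """Render one event as '<PRI>Mmm dd hh:mm:ss host EventID: User Description'.

    Defaults to auth.notice (PRI 37). Line breaks in the description are
    collapsed, since a syslog message is one line, and the result is cut at
    1024 bytes.
    """
    desc = " ".join(ev["Description"].split())
    line = "<%d>%s %s %d: %s %s" % (
        encode_pri(facility, severity), rfc3164_timestamp(ev["TimeGenerated"]),
        host, ev["EventID"], ev["User"], desc)
    return line.encode("ascii", "replace")[:MAX_LEN].decode("ascii")


SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\s\[]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$")


def infer_year(ts, now):
    """RFC 3164 has no year: pick the most recent year in which the timestamp
    is not in the future (one day of clock skew is tolerated)."""
    for year in (now.year, now.year - 1):
        try:
            candidate = ts.replace(year=year)
        except ValueError:          # Feb 29 into a non-leap year
            continue
        if candidate <= now + timedelta(days=1):
            return candidate
    raise ValueError("cannot place %s in a year" % ts)


def parse_syslog(line, now=None):
    """Parse '<PRI>Mmm dd hh:mm:ss host tag[pid]: msg'. `now` is the receiver's
    clock (datetime or ISO 8601 string) used to supply the missing year."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 message: %r" % line[:40])
    facility, severity = decode_pri(int(m["pri"]))
    ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")  # 2000 is a leap year
    return {
        "facility": facility, "severity": severity,
        "timestamp": infer_year(ts, now or datetime.now()),
        "host": m["host"], "tag": m["tag"], "pid": m["pid"], "msg": m["msg"],
    }


if __name__ == "__main__":
    line = windows_event_to_syslog(WINDOWS_EVENT, "192.168.131.67")
    print(line)
    print(parse_syslog(line, now="2005-12-31"))
```

The year inference is the part that bites in practice: a collector that stamps every message with the current year mislabels everything it receives in the first seconds of January, which is exactly when a yearly report is being run.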

Page 15: Windows Syslog Agents

NTSyslog (no longer in development): sends everything by category
Snare (InterSect Alliance): allows you to parse before sending
Lasso (newly released by LogLogic): Syslog Reliable
Many others on sourceforge.net, download.com, etc.

Page 16: NTSyslog

[screenshot]

Page 17: Snare

[screenshot]

Page 18: Snare (cont'd)

[screenshot]

Page 19: Windows Syslog Daemons (server)

WinSyslog
Kiwi Syslog
Snare Server ($$); there's also a 'lite' version called Snare Micro Server
Linux / Unix (all versions have syslog)
Again, see sourceforge.net & download.com

Page 20: WinSyslog

Syslog Reliable
Filter by many conditions
Many actions to take when a filter is valid (true); Log to File and/or DB is the most common
"Discard" is very valuable: known noise dropped at the collector never reaches the file or the database

Page 21: WinSyslog (cont'd)

[screenshot]

Page 22: WinSyslog (cont'd)

[screenshot]

Page 23: Logging to Database

Simple table with ReceivedAt, DeviceReportedTime, Facility, Priority, FromHost, Message, SyslogTag
No indices (indexes), no primary keys
Poor database support, but see the "Database" discussion group :-)

Page 24: Logging Problems

Database blocking
Nightly deletes: the transaction log explodes
Nightly maintenance: runs too long
What helped: split database & file logging; file logging & nightly import; hourly deletes
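An added example for Pages 23 and 24 (not WinSyslog's schema or code): the slide's column list rebuilt with a primary key and the two indexes that every purge and most reports need, plus a retention job that deletes in small committed batches rather than one nightly DELETE. sqlite3 stands in for the production database server; the batch size, retention window and the constructed load are assumptions.

```python
"""Event table with a key and indexes, plus a batched retention job.

Added example, not WinSyslog's own schema or code. sqlite3 stands in for the
production database; batch size, retention window and sample data are
assumptions.
"""
import sqlite3
from datetime import datetime, timedelta

SCHEMA = """
CREATE TABLE IF NOT EXISTS SystemEvents (
    ID                 INTEGER PRIMARY KEY,
    ReceivedAt         TEXT NOT NULL,   -- ISO 8601: sorts and compares as text
    DeviceReportedTime TEXT,
    Facility           INTEGER,
    Priority           INTEGER,
    FromHost           TEXT,
    Message            TEXT,
    SyslogTag          TEXT
);
-- every purge and most reports filter on ReceivedAt; reports also group by host
CREATE INDEX IF NOT EXISTS IX_SystemEvents_ReceivedAt ON SystemEvents (ReceivedAt);
CREATE INDEX IF NOT EXISTS IX_SystemEvents_Host_Time ON SystemEvents (FromHost, ReceivedAt);
"""

COLUMNS = ("ReceivedAt", "DeviceReportedTime", "Facility", "Priority",
           "FromHost", "Message", "SyslogTag")


def open_db(path=":memory:"):
    con = sqlite3.connect(path)
    con.executescript(SCHEMA)
    return con


def insert_events(con, rows):
    """rows: iterable of 7-tuples in COLUMNS order; one transaction per batch."""
    con.executemany(
        "INSERT INTO SystemEvents (%s) VALUES (%s)"
        % (", ".join(COLUMNS), ", ".join("?" * len(COLUMNS))), rows)
    con.commit()


def purge_older_than(con, cutoff, batch_size=1000):
    """Delete rows with ReceivedAt < cutoff, batch_size rows per transaction.

    Short transactions keep the transaction log small and release locks
    between batches, so the collector's inserts are never blocked for long.
    Returns the number of rows removed.
    """
    deleted = 0
    while True:
        cur = con.execute(
            "DELETE FROM SystemEvents WHERE ID IN ("
            "  SELECT ID FROM SystemEvents WHERE ReceivedAt < ? ORDER BY ReceivedAt LIMIT ?)",
            (cutoff.isoformat(sep=" "), batch_size))
        con.commit()
        if cur.rowcount <= 0:
            return deleted
        deleted += cur.rowcount


def events_per_host(con, since):
    """Report: events per sending host since a point in time (served by IX_SystemEvents_Host_Time)."""
    return con.execute(
        "SELECT FromHost, COUNT(*) FROM SystemEvents WHERE ReceivedAt >= ? "
        "GROUP BY FromHost ORDER BY COUNT(*) DESC, FromHost",
        (since.isoformat(sep=" "),)).fetchall()


def demo(hours=48, per_hour=60, keep_hours=24, batch_size=700):
    """Constructed load: per_hour events per hour for `hours` hours from two
    hosts, then purge everything older than keep_hours.
    Returns (rows_deleted, rows_remaining, per-host report)."""
    con = open_db()
    start = datetime(2005, 12, 22, 0, 0, 0)
    now = start + timedelta(hours=hours)
    rows = []
    for i in range(hours * per_hour):
        t = start + timedelta(seconds=i * 3600 // per_hour)
        host = "web1" if i % 3 else "web2"
        stamp = t.isoformat(sep=" ")
        rows.append((stamp, stamp, 4, 5, host,
                     "528: Successful Logon (constructed event %d)" % i, "528"))
    insert_events(con, rows)
    cutoff = now - timedelta(hours=keep_hours)
    deleted = purge_older_than(con, cutoff, batch_size)
    remaining = con.execute("SELECT COUNT(*) FROM SystemEvents").fetchone()[0]
    return deleted, remaining, events_per_host(con, cutoff)


if __name__ == "__main__":
    print(demo())
```

On a real server the same shape applies: delete the oldest N rows by the ReceivedAt index, commit, repeat, and run it every hour so each pass has little to do.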

Page 25: Tail & Logger (Syslog's Best Friends)

Tail allows you to view the "tail end" of a file; tail -f will show new messages as they arrive
Logger sends a file to a Syslog daemon:
  Sends the entire file, line by line
  Each line is a separate Syslog message
  UDP, TCP, or RFC 3195 RAW (not COOKED)
  Can send a single "custom message" log line
  Can specify Priority

Page 26: Uses for Logger (cont'd)

logger -f webserver_today.log -l syslogserver -m 3195raw

tail -f webserver.log | logger -l dest -m proto
You can do the same thing with Check Point FW-1 logs!!

autorunsc -c -m | logger -l dest -m proto
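The "tail -f | logger" pipeline above, as an added Python stand-in (not the monitorware logger tool or anything from the slides): follow a file, turn each complete new line into its own UDP datagram with a chosen PRI, and survive the file being rotated or truncated underneath you. The host name, tag, PRI 134 (local0.info) and the IIS-style sample lines are constructed; the receiver in demo() is just a UDP socket on 127.0.0.1 so the whole thing runs offline.

```python
"""Follow a log file and ship each new line as one syslog datagram.

Added example: a stand-in for 'tail -f webserver.log | logger -l dest -m udp',
not the monitorware logger tool. Host, tag, PRI and SAMPLE_LINES are constructed.
"""
import os
import socket
import tempfile
import time
from datetime import datetime

# Constructed IIS W3C-style lines (what webserver.log would contain).
SAMPLE_LINES = [
    "2005-12-22 09:42:26 192.168.131.67 GET /default.htm - 80 - 10.0.0.5 Mozilla/4.0 200 0 0",
    "2005-12-22 09:42:27 192.168.131.67 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 80 - 10.0.0.9 - 404 0 2",
    "2005-12-22 09:42:29 192.168.131.67 POST /login.asp - 80 - 10.0.0.5 Mozilla/4.0 302 0 0",
]


def frame(line, pri, host, tag):
    """'<PRI>Mmm dd hh:mm:ss host tag: line', cut at RFC 3164's 1024 bytes."""
    now = datetime.now()
    stamp = "%s %2d %s" % (now.strftime("%b"), now.day, now.strftime("%H:%M:%S"))
    return ("<%d>%s %s %s: %s" % (pri, stamp, host, tag, line)).encode("ascii", "replace")[:1024]


def udp_sender(dest, pri, host, tag):
    """Return send(line): one datagram per line, as logger does."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

    def send(line):
        data = frame(line, pri, host, tag)
        sock.sendto(data, dest)
        return data
    return send


def forward(lines, send):
    """logger -f semantics: every non-blank line becomes its own message."""
    sent = 0
    for line in lines:
        if line.strip():
            send(line)
            sent += 1
    return sent


def follow(path, should_stop, from_start=False, poll=0.1):
    """tail -f: yield complete lines as they are appended; reopen on rotation or truncation."""
    f = open(path, "rb")
    if not from_start:
        f.seek(0, os.SEEK_END)
    try:
        while True:
            line = f.readline()
            if line.endswith(b"\n"):
                yield line.decode("ascii", "replace").rstrip("\r\n")
                continue
            f.seek(-len(line), os.SEEK_CUR)     # partial line: wait for the rest
            if should_stop():
                return
            try:
                st = os.stat(path)
            except FileNotFoundError:           # mid-rotation; look again next poll
                time.sleep(poll)
                continue
            if st.st_ino != os.fstat(f.fileno()).st_ino or st.st_size < f.tell():
                f.close()
                f = open(path, "rb")            # rotated or truncated: start over
            time.sleep(poll)
    finally:
        f.close()


def demo(dry_run=False):
    """Write SAMPLE_LINES plus one unterminated partial line to a temp file,
    tail it from the start, and forward it. Returns (lines_sent, datagrams):
    with dry_run the framed datagrams are collected instead of sent, otherwise
    they are what a throw-away UDP receiver on 127.0.0.1 actually got."""
    frames, recv = [], None
    if dry_run:
        def send(line):
            frames.append(frame(line, 134, "web1", "iis"))
    else:
        recv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        recv.bind(("127.0.0.1", 0))
        recv.settimeout(2)
        send = udp_sender(recv.getsockname(), 134, "web1", "iis")   # 134 = local0.info
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "webserver.log")
        with open(path, "w") as f:
            f.write("\n".join(SAMPLE_LINES) + "\n" + "2005-12-22 09:42:30 192.168.131.67 GET /in")
        sent = forward(follow(path, should_stop=lambda: True, from_start=True), send)
    if dry_run:
        return sent, frames
    try:
        for _ in range(sent):
            frames.append(recv.recvfrom(2048)[0])
    except socket.timeout:
        pass
    recv.close()
    return sent, frames


if __name__ == "__main__":
    for datagram in demo()[1]:
        print(datagram.decode())
```

The partial-line handling is what a naive "read whatever is new" loop gets wrong: a half-written line shipped as a message shows up at the collector as two garbage records.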

Page 27: Where do vendor products fit in?

Homegrown can be a lot of work; vendor solutions are "out of the box"
There is a LOT of value in doing this in-house first, to learn what you need (including event volumes)
Do you need forensics abilities or just reporting (SEM vs SIM)?
Real-time correlation is exceptionally difficult
Does the vendor provide for all your platforms?
Don't include building of reports in your decision: you'll ALWAYS have to build them

Page 28: Various Sites

The most important: www.loganalysis.org

Syslog Tools
WinSyslog Server (Adiscon): http://www.monitorware.com
Kiwi Syslog Server: http://www.kiwisyslog.com
Snare agents for Windows, IIS, ISA, Apache, etc.: http://snare.sourceforge.net
Lasso (syslog-reliable, based on the Snare source): http://lassolog.sourceforge.net

Page 29:

Modular Syslog (BSD flavours, Unix, Linux only): http://msyslog.sourceforge.net and http://msyslogui.sourceforge.net
NTSyslog (no longer in development): http://ntsyslog.sourceforge.net

Windows Security Eventlog Information
Altair Technologies Event ID database: http://www.eventid.net
Randy Franklin Smith's Event Encyclopedia: http://www.ultimatewindowssecurity.com/encyclopedia.html

Page 30: Other Open Source Tools

Privateye (SIM): http://privateye.sourceforge.net
Splunk (Google for log files; no more to be said): http://www.splunk.com
Simple Event Correlator: http://simple-evcorr.sourceforge.net

Page 31: Whitepapers & Other Reading

SANS Top 5 Essential Log Reports: http://www.sans.org/resources/top5_logreports.pdf
The Ins and Outs of System Logging Using Syslog: http://www.sans.org/reading_room/whitepapers/logging/1168.php
BSD Syslog (RFC 3164): http://www.networksorcery.com/enp/rfc/rfc3164.txt
Syslog Reliable (RFC 3195): http://www.networksorcery.com/enp/rfc/rfc3195.txt
BEEP Protocol (RFC 3080): http://www.networksorcery.com/enp/rfc/rfc3080.txt
Draft Special Publication 800-92, Guide to Computer Security Log Management: http://csrc.nist.gov/publications/drafts.html

Complementary Tools
Any "tail" utility, e.g. http://www.baremetalsoft.com (GUI based, allows colour coding for manual review and highlighting of interesting entries in real time)
A command-line tail utility: the Windows 2003 Resource Kit comes with a tail.exe
Logger (Windows port of the Unix command-line tool): http://www.monitorware.com/logger

Page 32: xNix-only Tools

Logcheck (http://sourceforge.net/projects/logcheck): parses logs looking for "interesting" patterns (includes an ignore file); output is straightforward for admins, good to mail to yourself for daily reviews
Logwatch (http://www.logwatch.org): similar to Logcheck, but summarizes all entries and the number of times they occurred
Swatch (http://swatch.sourceforge.net): regex to monitor log files in real time (alert via pager, mail)
LogSurfer (http://www.cert.dfn.de/eng/logsurf/): real-time monitoring of any log file; a little more verbose than Swatch
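The tools on this page, and WinSyslog's "Discard" filter from Page 20, all do the same three things over a stream of syslog lines: drop known noise, flag patterns that need a human, and summarise the rest. Here is an added Python example (not logcheck, logwatch, swatch or WinSyslog code) that runs that pipeline over a constructed batch of collector output, with a swatch-style threshold that escalates repeated failures from one host. The ignore and alert patterns, the thresholds and the sample lines are constructed; the Windows event IDs are the Windows 2000/2003 Security log numbers (528 successful logon, 529 bad password, 517 audit log cleared, 538 logoff, 576 special privileges, 628 password set).

```python
"""Logcheck-style review of syslog lines: discard known noise, flag patterns,
summarise the rest, and escalate repeats from one host (swatch-style threshold).

Added example, not logcheck, logwatch, swatch or WinSyslog code. Patterns,
thresholds and SAMPLE are constructed.
"""
import re
from collections import Counter, defaultdict

# Noise the collector can safely "Discard": service logons, logoffs, cron.
# Anchored on the syslog tag (" 528: ") so a message body cannot talk its way
# past the filter by containing the same words.
IGNORE = [re.compile(p) for p in (
    r" 528: .*Logon Type: 5 ",          # service (Logon Type 5) logons
    r" 538: ",                          # user logoff
    r" CRON\[\d+\]: \(root\) CMD",
)]

# Patterns worth a human's attention, checked in order; first match wins.
ALERT = [(re.compile(p), name) for p, name in (
    (r" 517: ", "audit log cleared"),
    (r" 628: ", "password set"),
    (r" 529: ", "failed logon"),
    (r" sshd\[\d+\]: Failed password", "ssh failed password"),
)]

HOST_RE = re.compile(r"^<\d{1,3}>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (\S+) ")


def classify(line):
    """'discard', an alert name, or 'review' (unknown: goes in the daily mail)."""
    for pat in IGNORE:
        if pat.search(line):
            return "discard"
    for pat, name in ALERT:
        if pat.search(line):
            return name
    return "review"


def check(lines, repeat_limit=3):
    """Run a batch of syslog lines through the filter.

    Returns (alerts, review, summary, escalations): alerts and review are
    (label, line) lists; summary counts every label the way logwatch does;
    escalations lists (label, host) pairs seen repeat_limit or more times
    from one host, e.g. a password-guessing run.
    """
    alerts, review, summary = [], [], Counter()
    per_host = defaultdict(int)
    for line in lines:
        label = classify(line)
        summary[label] += 1
        if label == "discard":
            continue
        if label == "review":
            review.append((label, line))
            continue
        alerts.append((label, line))
        m = HOST_RE.match(line)
        per_host[(label, m.group(1) if m else "?")] += 1
    escalations = sorted(k for k, n in per_host.items() if n >= repeat_limit)
    return alerts, review, summary, escalations


# Constructed sample batch, as it would sit in the collector's file.
SAMPLE = """\
<37>Dec 22 09:42:26 192.168.131.67 528: NT AUTHORITY\\LOCAL SERVICE Successful Logon: User Name: LOCAL SERVICE Domain: NT AUTHORITY Logon ID: (0x0,0x3E5) Logon Type: 5 Logon Process: Advapi
<37>Dec 22 09:43:01 192.168.131.67 529: NT AUTHORITY\\SYSTEM Logon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: WEB1 Logon Type: 3 Source Network Address: 10.0.0.9
<37>Dec 22 09:43:02 192.168.131.67 529: NT AUTHORITY\\SYSTEM Logon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: WEB1 Logon Type: 3 Source Network Address: 10.0.0.9
<37>Dec 22 09:43:04 192.168.131.67 529: NT AUTHORITY\\SYSTEM Logon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: WEB1 Logon Type: 3 Source Network Address: 10.0.0.9
<37>Dec 22 09:43:09 192.168.131.67 538: WEB1\\jsmith User Logoff: User Name: jsmith Domain: WEB1 Logon ID: (0x0,0x1A2B3) Logon Type: 2
<37>Dec 22 09:44:10 192.168.131.67 517: NT AUTHORITY\\SYSTEM The audit log was cleared Primary User Name: SYSTEM Client User Name: jsmith Client Domain: WEB1
<38>Dec 22 09:44:30 web2 sshd[4711]: Failed password for root from 10.0.0.9 port 40122 ssh2
<78>Dec 22 09:45:01 web2 CRON[4720]: (root) CMD (run-parts /etc/cron.hourly)
<37>Dec 22 09:45:40 192.168.131.67 576: WEB1\\jsmith Special privileges assigned to new logon: User Name: jsmith Domain: WEB1 Privileges: SeBackupPrivilege
"""


if __name__ == "__main__":
    alerts, review, summary, escalations = check(SAMPLE.splitlines())
    for label, line in alerts:
        print("ALERT  %-20s %s" % (label, line[:80]))
    for label, line in review:
        print("REVIEW %-20s %s" % (label, line[:80]))
    print(dict(summary), escalations)
```

Note that the ignore list is the dangerous half: a pattern that is one character too broad silently throws away the event you wanted, which is why the 528 rule only discards Logon Type 5 and leaves interactive and network logons in the review pile.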