1
Security Event Management for Windows
How to do it really cheap!
Presenter: Gord Taylor (CISSP, GCIH, GEEK)
2
Apologies to the UNIX / Linux Guys
…but hopefully there will be some interesting things for you…
3
Taxonomy
What is SIM?
What is SEM?
SIM & SEM are not the same thing
Unfortunately, industry analysts like Gartner are blurring the lines :(
4
What is Syslog and where did it come from?
Originally created for BSD in the early 1980s
Ported to virtually every platform since
Evolved with no standards until 2001
Uses UDP/514 by default
A typical Syslog message:
<133>Jul 17 13:55:51 MachineName SyslogTag: Here's my custom message.
5
A Basic Syslog Implementation
[Diagram: Internet, Firewall, DMZ Server Subnet (Mail, FTP, Web1, Web2, E-Comm), Syslog, Internal Network (Proxy, DB, Other Apps)]
6
Advantages of Syslog
Your network guys understand it
It’s probably already allowed on every firewall and router in your environment
(Almost) everything supports it
It’s LEAN, so network traffic isn’t typically a concern
It will be around for a long time
7
Advantages of Syslog (cont’d)
Even if you buy a vendor product, they’ll support it
A lot of vendor solutions are based on syslog-reliable
8
Disadvantages of Syslog
You’re on your own for creating reports, maintaining code changes, support, etc.
Traditional Syslog is UDP (unreliable)
Not supported natively in Windows
It’s not encrypted, but you can tunnel it (IPSec) – which also makes it more reliable
1k limit on message (RFC) (maybe 4k)
Scalability
9
And along comes Syslog-NG and Syslog Reliable
Syslog-ng came out before the RFC standard - though the Syslog Reliable RFC is largely based on NG
Many syslog-ng implementations are now actually Syslog Reliable under the hood
Reliable has 2 modes: RAW & COOKED
WinSyslog has supported syslog-ng for a long while and has always been active on the RFC 3195 committee (Rainer Gerhards)
10
Advantages of Reliable
Does everything Syslog does
TCP based, reliable delivery, confidentiality, integrity, authentication
Provides for Relays and Collectors
More customization options
A single system can be a device, relay, collector, or all three.
Due to the path information you get both SENDER time and RECEIVER time
11
Disadvantages of Reliable
You’re on your own for creating reports, maintaining code changes, support, etc.
Not everyone has implemented the RFC
Some poor implementations open the TCP channel for EACH MESSAGE (ouch!)
Not clear on maximum message size (especially in RAW mode)
12
Disadvantages of Reliable (cont’d)
Still doesn’t provide the YEAR in the timestamp
Still not widely implemented (including Windows)
More customization options
13
A Simple Syslog Reliable Implementation
[Diagram: Internet, Firewall, DMZ Server Subnet (Mail, FTP, Web1, Web2, E-Comm), Internal Syslog, Internal Network (Proxy, DB, Other Apps), External Syslog Forwarder]
14
So… What about Windows?
We want to turn this (the Windows event) into this syslog message:
<pri>Dec 22 9:42:26 192.168.131.67 528: NT AUTHORITY\LOCAL SERVICE Successful Logon: UserName:LOCAL SERVICE Domain: NT AUTHORITY Logon ID: (0x0,0x3E5) Logon Type: 5 Logon Process: Advapi Authentication Package: Negotiate: Workstation Name: Logon GUID: - Caller User Name: MACHINENAME$ Caller Domain: Caller Logon ID: (0x0,0x3E7) Caller Process ID: 280 Transited Services: - Source Network Address: - Source Port: -
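As an added example (not code from the talk or from any tool it names), the <133> message from the Syslog slide and the 528 logon event above, built and taken apart in Python: PRI is facility * 8 + severity, the Event ID becomes the syslog tag, and the flattened "Label: value" text is recovered field by field. The local0 facility for the Windows event and the sample field values are assumptions made here.

```python
"""Flatten a Windows Security event into a BSD syslog (RFC 3164) line and parse it back.
Added example, not the talk's code; local0 for the Windows event is an assumption (the slide shows <pri>)."""
import re

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# <PRI>Mmm dd hh:mm:ss HOST TAG: MSG.  The day may be space-padded and the Windows
# sample on the slide has a one-digit hour, so the timestamp pattern allows both.
SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{1,2}:\d{2}:\d{2}) "
                       r"(?P<host>\S+) (?P<tag>[^:\s]+): ?(?P<msg>.*)$")
# Field labels of the slide's event 528; a value runs until the next label starts.
LABELS = ("UserName", "Domain", "Logon ID", "Logon Type", "Logon Process", "Authentication Package",
          "Workstation Name", "Logon GUID", "Caller User Name", "Caller Domain", "Caller Logon ID",
          "Caller Process ID", "Transited Services", "Source Network Address", "Source Port")

def decode_pri(pri):
    """PRI = facility * 8 + severity, so <133> is local0.notice."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]

def parse_syslog(line):
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 message: %r" % line)
    facility, severity = decode_pri(int(m.group("pri")))
    return {"facility": facility, "severity": severity, "timestamp": m.group("ts"),
            "host": m.group("host"), "tag": m.group("tag"), "msg": m.group("msg")}

def windows_event_to_syslog(host, timestamp, event_id, summary, fields,
                            facility="local0", severity="notice"):
    """One event -> one line, with the Event ID as the syslog tag, as the slide shows."""
    pri = FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)
    body = " ".join("%s: %s" % kv for kv in fields)
    return "<%d>%s %s %d: %s %s" % (pri, timestamp, host, event_id, summary, body)

def event_field(msg, label):
    """Recover one 'Label: value' from the flattened text (None if the label is absent)."""
    ends = "|".join(re.escape(l) for l in LABELS)
    m = re.search(re.escape(label) + r":\s*(.*?)(?=\s+(?:%s):|$)" % ends, msg)
    return m.group(1) if m else None

EVENT_528 = windows_event_to_syslog(  # constructed sample of the slide's event 528
    "192.168.131.67", "Dec 22 9:42:26", 528, "NT AUTHORITY\\LOCAL SERVICE Successful Logon:",
    [("UserName", "LOCAL SERVICE"), ("Domain", "NT AUTHORITY"), ("Logon ID", "(0x0,0x3E5)"),
     ("Logon Type", "5"), ("Logon Process", "Advapi"), ("Caller User Name", "MACHINENAME$"),
     ("Caller Process ID", "280"), ("Source Network Address", "-"), ("Source Port", "-")])
```

Filtering on the recovered fields (for instance on Logon Type) is what the "Filter by many conditions" step in a syslog daemon does once the event arrives in this flat form.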
15
Windows Syslog Agents
NTSyslog (no longer in development): sends everything by category
Snare (InterSect Alliance): allows you to parse before sending
Lasso (newly released by LogLogic): Syslog Reliable
Many others on sourceforge.net and download.com etc.
16
NTSyslog
17
Snare
18
Snare (cont’d)
19
Windows Syslog Daemons (server)
WinSyslog
Kiwi Syslog
Snare Server ($$)
There’s also a ‘lite’ version called Snare Micro Server
Linux / Unix (all versions have syslog)
Again, see sourceforge.net & download.com
20
WinSyslog
Syslog Reliable
Filter by many conditions
Many Actions to take when filter valid (true)
Log to File and/or DB most common
“Discard” is very valuable
21
WinSyslog (cont’d)
22
WinSyslog (cont’d)
23
Logging to Database
Simple table with ReceivedAt, DeviceReportedTime, Facility, Priority, FromHost, Message, SyslogTag
No Indices (indexes)
No Primary Keys
Poor Database Support - but see the “Database” discussion group :-)
24
Logging Problems
Database Blocking
Nightly Deletes / Transaction log explodes
Nightly Maintenance / run too long
Split Database & File Logging
File Logging & Nightly Import
Hourly Deletes
25
Tail & Logger (Syslog’s Best Friends)
Tail allows you to view the “tail end” of a file
tail -f will show new messages as they arrive
Logger sends a file to a Syslog daemon
Sends the entire file, line by line
Each line is a separate Syslog message
UDP, TCP, or 3195 RAW (not Cooked)
Can send a single “custom message” log line
Can specify Priority
26
Uses for Logger (cont’d)
logger -f webserver_today.log -l syslogserver -m 3195raw
tail -f webserver.log | logger -l dest -m proto
You can do the same thing with FW1 logs !!
autorunsc -c -m | logger -l dest -m proto
27
Where do vendor products fit in?
Homegrown can be a lot of work - vendor solutions are “out of the box”
There is a LOT of value in doing this in-house to learn what you need (including event volumes)
Do you need forensics abilities or just reporting (SEM vs SIM)?
Real-time correlation is exceptionally difficult
Does the vendor provide for all your platforms?
Don’t include building of reports into your decision – you’ll ALWAYS have to build
28
Various Sites
The most important: www.loganalysis.org
Syslog Tools
WinSyslog Server (Adiscon): http://www.monitorware.com
KiwiSyslog Server: http://www.kiwisyslog.com
Snare Agents for Windows, IIS, ISA, Apache, etc…: http://snare.sourceforge.net
Lasso (syslog-reliable based on Snare source): http://lassolog.sourceforge.net
29
Modular Syslog (BSD flavours, Unix, Linux only): http://msyslog.sourceforge.net and http://msyslogui.sourceforge.net
NTSyslog (no longer in development): http://ntsyslog.sourceforge.net
Windows Security Eventlog Information
Altair Technologies Event ID database: http://www.eventid.net
Randy Franklin Smith’s Event Encyclopedia: http://www.ultimatewindowssecurity.com/encyclopedia.html
30
Other Open Source Tools
Privateye (SIM): http://privateye.sourceforge.net
Splunk (Google for log files – no more to be said.): http://www.splunk.com
Simple Event Correlator: http://simple-evcorr.sourceforge.net
31
Whitepapers & Other Reading
SANS Top 5 Essential Log Reports: http://www.sans.org/resources/top5_logreports.pdf
The Ins and Outs of System Logging Using Syslog: http://www.sans.org/reading_room/whitepapers/logging/1168.php
BSD Syslog (RFC 3164): http://www.networksorcery.com/enp/rfc/rfc3164.txt
Syslog Reliable (RFC 3195): http://www.networksorcery.com/enp/rfc/rfc3195.txt
BEEP Protocol (RFC 3080): http://www.networksorcery.com/enp/rfc/rfc3080.txt
Draft Special Publication 800-92, Guide to Computer Security Log Management: http://csrc.nist.gov/publications/drafts.html
Complementary Tools
Any “tail” utility: http://www.baremetalsoft.com (GUI based, allows color coding for manual review & highlighting of interesting entries in real time)
A command-line tail utility: the Windows 2003 Resource Kit comes with a tail.exe
Logger (Unix port of command-line tool): http://www.monitorware.com/logger
32
xNix-only Tools
Logcheck (http://sourceforge.net/projects/logcheck)
Parses logs looking for “interesting” patterns (includes an ignore file)
Output is straightforward for admins – good to mail to yourself for daily reviews
Logwatch (http://www.logwatch.org)
Similar to Logcheck, but summarizes all entries and the number of times they occurred.
Swatch (http://swatch.sourceforge.net)
Regex to monitor log files in real time (alert via pager, mail)
LogSurfer (http://www.cert.dfn.de/eng/logsurf/)
Realtime monitoring of any log file – a little more verbose than Swatch