June 14, 2004 SUNY Technology Conference Centralized Logging Bill Kramp, Network Administrator Finger Lakes Community College SUNY Technology Conference


Page 1: Title slide

Centralized Logging
Bill Kramp, Network Administrator
Finger Lakes Community College
SUNY Technology Conference, June 14, 2004

Page 2: Centralized Logging

Logging Windows events and syslog messages to a central server for analysis.

Page 3: Centralized Logging

Logging events and messages to a central server for analysis.

Page 4: Overview

- Reasons to log
- Centralized logging and analysis
  - Unix
  - Windows
  - Open source
  - Commercial
- Home brew solution at FLCC

Page 5: Reasons to log events

- Record security events
- Monitoring applications
- Configuration changes
- Sarbanes-Oxley Act compliance
- HIPAA compliance
- Low in carbs!


Page 7: Reasons for Centralized Logging

- Correlation of data
- Manageability
- Data integrity
- Time synchronization
- Real-time alert capability
- Single backup location for log data

Page 8: Log Analysis Process

- Data sources
- Filtering
- Normalization
- Aggregation
- Correlation
- Report/Display

Page 9: Data Sources

- Windows: event logs and applications
- Unix: syslog and applications
- Firewalls
- Routers
- Intrusion detection systems
- Host intrusion systems
- SNMP traps

Page 10: Honeypots

Page 11: Windows Events

- Application
- System
- Security

Page 12: Windows Events (Win2003)

- Application
- System
- Security
- DNS Server
- Directory Service
- File Replication

Page 13: Security Event Categories

- Logon events
- Account logon events
- Object access events
- Directory Service access events
- Privilege use events
- Process tracking events
- System events
- Policy change events

Page 14: Syslog basics

- UDP messages sent on port 514
- Three parts to a message:
  - PRI (priority)
  - Header
  - MSG (message)
- PRI contains the severity and facility
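As an added illustration of the PRI/header/MSG split (this is not code from the presentation), the following Python parser decodes a BSD syslog datagram of the kind the slide describes. The sample datagram is constructed from the slide's own PIX line, and the facility and severity tables follow RFC 3164.

```python
import re
from dataclasses import dataclass

# Facility and severity names from the BSD syslog protocol (RFC 3164).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>, then the header (timestamp and hostname), then the free-form MSG.
_SYSLOG = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$", re.S)

@dataclass
class SyslogMessage:
    facility: str
    severity: str
    timestamp: str
    host: str
    msg: str

def parse_syslog(datagram: bytes) -> SyslogMessage:
    """Split one UDP/514 datagram into its PRI, header and MSG parts.

    PRI packs both values into one number, facility * 8 + severity: the low
    three bits are the severity and the remaining bits are the facility.
    """
    text = datagram.decode("ascii", errors="replace")
    m = _SYSLOG.match(text)
    if not m:
        raise ValueError("not a BSD syslog message: %r" % text[:40])
    pri = int(m.group("pri"))
    if pri > 191:  # highest legal value: facility 23, severity 7
        raise ValueError("PRI out of range: %d" % pri)
    return SyslogMessage(facility=FACILITIES[pri >> 3], severity=SEVERITIES[pri & 0x07],
                         timestamp=m.group("ts"), host=m.group("host"), msg=m.group("msg"))

# Constructed datagram: the slide's PIX line wrapped in a PRI of 166, which is
# local4.info (20 * 8 + 6), the default facility PIX devices log to.
SAMPLE = (b"<166>Oct  8 23:55:02 172.16.254.254 %PIX-6-302014: Teardown TCP connection "
          b"2749949 for outside:24.24.54.63/4910 to dmz1:172.19.1.7/8900 duration 0:00:15")

if __name__ == "__main__":
    # Nothing here authenticates the sender: plain UDP syslog can be spoofed or
    # dropped silently, which is why the later slides list hashing and encryption.
    print(parse_syslog(SAMPLE))
```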

Page 15: Unix syslog

- boot
- cron
- secure
- E-mail
- Kernel
- Local(0-7)

Page 16: *nix Syslog Alternatives

- Syslog-ng – www.balabit.com/products/syslog_ng/
- SDSC Secure Syslog – sourceforge.net/projects/sdscsyslog/
- Modular Syslog – www.corest.com/corelabs/

Page 17: Windows Syslog Alternatives

- Kiwi syslog – www.kiwisyslog.com
- Winsyslog – www.adiscon.com
- SL4NT – www.netal.com
- Syslog Daemon – www.triaction.nl
- Cisco syslog – www.cisco.com
- 3com Daemon – www.3com.com

Page 18: Centralized Windows Events

- LogAnalyst for Windows 2000 Server
- Central database of events
- Built in report generator
- Available with Win2000 Resource Kit
- GUI interface
- www.cybersafe.com/centrax/cla1.html

Page 19: Forwarding Windows Events

- Snare – www.intersect-alliance.com
- NTsyslog – ntsyslog.sourceforge.net
- Event Reporter – eventreporter.com
- Win32::EventLog – www.cpan.org

Page 20: Commercial Log Analysis Tools

- enVision – www.opensystems.com
- Snare – www.intersect-alliance.com
- ServerVision – sunbelt-software.com
- MoniLog – www.monilog.com
- GFiLANguard – www.gfi.com
- neuSECURE – www.guarded.net

Page 21: MoniLog

- Handles syslog and Windows events
- Windows based
- Rule engine to include or discard
- Reports distributed by HTML or E-mail

Page 22: enVision

- Many options for reports, nice console
- Appliance solution
- Models sold by the required sustained events per second
- Hardware supported:
  - *nix
  - Firewalls
  - Switches
  - IDSs

Page 23: neuSECURE

- Handles many log formats:
  - Unix syslog
  - Windows events
  - SNMP traps
- Event aggregation
- Threat correlation

Page 24: Open Source Monitoring Tools

- Swatch – swatch.sourceforge.net
- Logsurfer+ – www.crypt.gen.nz/logsurfer
- LogSentry – www.psionic.com
- POE – poe.perl.org
- SEC – simple-evcorr.sourceforge.net

Page 25: Swatch

- "Grandfather" of log monitoring tools
- Simple expression matching
- Matches can trigger:
  - Execution of scripts
  - Echoing the match to the console
- Throttle option to limit matches for a period of time.

Page 26: POE – Perl Object Environment

- Multitasking using events & handlers
- Can create separate objects to monitor multiple log files.
- Tasks run in a single process
- Handlers can't be interrupted
- DBI support for mysql, etc.
- Support for pre-forking web server

Page 27: Simple Event Correlator

- Applies pattern matching to files or pipes.
- Rules for establishing both a low and high level threshold setting.
- Pairing of multiple events within a time window.
- Suppression rules.
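Added example (not code from the presentation and not SEC itself): a small Python re-implementation of two of the rule types listed above, a threshold rule with a suppression period, applied to constructed PIX deny lines in the format the later Slammer slide shows. The addresses are documentation ranges; the alert fires once per protocol/port when enough denies arrive inside the window and then stays quiet for that port until the window has passed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Matches the PIX deny message format shown on the Slammer slide (%PIX-4-106023).
# The year is taken from the firewall's own timestamp, not the relay's.
_DENY = re.compile(
    r"^\w{3} +\d+ [\d:]+ \S+ (?P<ts>\w{3} \d\d \d{4} \d\d:\d\d:\d\d): %PIX-4-106023: "
    r"Deny (?P<proto>\w+) src \S+:(?P<sip>[\d.]+)/\d+ dst \S+:(?P<dip>[\d.]+)/(?P<dport>\d+) ")

class DenyThreshold:
    """Threshold + suppression: alert once when `count` denies to the same proto/port
    arrive within `window` seconds, then suppress that port until the window expires."""
    def __init__(self, count: int, window: int) -> None:
        self.count, self.window = count, timedelta(seconds=window)
        self.hits: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
        self.muted_until: Dict[str, datetime] = {}

    def feed(self, line: str) -> Optional[str]:
        m = _DENY.match(line)
        if not m:
            return None                                   # not a deny message: ignore
        ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
        key = f"{m.group('proto')}/{m.group('dport')}"
        if key in self.muted_until and ts < self.muted_until[key]:
            return None                                   # suppressed: already alerted for this port
        q = self.hits[key]
        q.append((ts, m.group("sip")))
        while ts - q[0][0] > self.window:
            q.popleft()                                   # drop hits that fell out of the window
        if len(q) < self.count:
            return None
        sources = {sip for _, sip in q}
        self.muted_until[key] = ts + self.window          # start the suppression period
        q.clear()
        return f"{ts:%Y-%m-%d %H:%M:%S} {len(sources)} sources denied to {key} within {self.window.seconds}s"

def run(lines: List[str], count: int = 5, window: int = 60) -> List[str]:
    """Feed lines through one rule instance and collect the alerts it raises."""
    rule = DenyThreshold(count, window)
    return [alert for alert in map(rule.feed, lines) if alert]

# Constructed input: eleven hosts denied to udp/1434 one second apart, one line per host.
SAMPLE = [
    f'Jan 25 00:29:{i:02d} router Jan 25 2003 01:32:{i:02d}: %PIX-4-106023: Deny udp '
    f'src outside:203.0.113.{i}/2596 dst library:192.0.2.{i}/1434 by access-group "acl-outside"'
    for i in range(1, 12)
]

if __name__ == "__main__":
    for alert in run(SAMPLE):
        print(alert)
```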

Page 28: Home Brew Solution

Page 29: Log Sources

- PIX firewalls
  - Primary and redundant PIXs
  - Extension Center PIXs
  - X-net PIXs
- Windows servers: DNS, web, SAN
- Linux servers: DNS, service monitoring
- SNMP traps: network switches, UPSs

Page 30: FLCC Project

- Need to send all log messages from the different sources to a single logging server.
- Save all the raw data, and burn to DVD.
- Filter out incidents (messages) that are not important.
- Normalize the data from the different sources.
- Write filtered data to database.
- Display the important events on a single web based interface.

Page 31: Centralized Logging

Page 32: Log Analysis Process

- Data sources
- Filtering
- Normalization
- Aggregation
- Correlation
- Report/Display

Page 33: Normalization Issue

PIX:
Oct 8 23:55:02 172.16.254.254 Oct 08 2003 23:55:01: %PIX-6-302014: Teardown TCP connection 2749949 for outside:24.24.54.63/4910 to dmz1:172.19.1.7/8900 duration 0:00:15 bytes 9995 TCP Reset-O

Honeypot:
2004-06-10-12:52:18.0891 tcp(6) S 172.17.203.61 33015 172.17.222.1 80

Windows:
Jun 10 08:52:39 krampwd-network MSWinEventLog 1 System 9717 Thu Jun 10 08:52:39 2004 18 Automatic Updates N/A N/A Information KRAMPWD-NETWORK Disk Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on Thursday, June 10, 2004 at 11:00 AM. - Security Update for DirectX 8.1 (KB839643) 1
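An added example, not part of the presentation: a Python normalizer that maps each of the three layouts above onto one common record, which is the step the FLCC project list calls "normalize the data from the different sources". Two assumptions: the Windows line is tab-delimited as Snare emits it (the slide's copy has the tabs collapsed to spaces), and in PIX connection messages the first address/port pair is the source and the second the destination.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class Event:
    source: str               # "pix", "honeypot" or "windows"
    ts: datetime              # the device's own timestamp, not the relay's
    host: str                 # reporting device
    event_id: str             # PIX message id, honeypot proto/flags, Windows log/event id
    src_ip: Optional[str]
    src_port: Optional[int]
    dst_ip: Optional[str]
    dst_port: Optional[int]
    text: str

# IP with an optional /port, as PIX writes endpoints ("outside:24.24.54.63/4910").
_IPPORT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(?:/(\d+))?")
_PIX = re.compile(r"^\w{3} +\d+ [\d:]+ (?P<relay>\S+) (?P<ts>\w{3} \d\d \d{4} \d\d:\d\d:\d\d): "
                  r"%PIX-\d-(?P<id>\d+): (?P<text>.*)$")
_HONEY = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d-\d\d:\d\d:\d\d)\.\d+ (?P<proto>\w+)\(\d+\) (?P<flags>\S+) "
                    r"(?P<sip>[\d.]+) (?P<sport>\d+) (?P<dip>[\d.]+) (?P<dport>\d+)$")

def normalize(line: str) -> Event:
    """Map one raw line from any of the three sources onto Event; raise ValueError otherwise."""
    m = _PIX.match(line)
    if m:
        # Two timestamps appear: the relay's (no year) and the firewall's; keep the firewall's.
        ends = _IPPORT.findall(m.group("text"))          # [(ip, port-or-""), ...], src before dst
        (sip, sp), (dip, dp) = (ends + [("", "")] * 2)[:2]  # messages without endpoints yield None
        return Event("pix", datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S"), m.group("relay"),
                     "PIX-" + m.group("id"), sip or None, int(sp) if sp else None,
                     dip or None, int(dp) if dp else None, m.group("text"))
    m = _HONEY.match(line)
    if m:
        return Event("honeypot", datetime.strptime(m.group("ts"), "%Y-%m-%d-%H:%M:%S"), m.group("dip"),
                     m.group("proto") + "/" + m.group("flags"), m.group("sip"), int(m.group("sport")),
                     m.group("dip"), int(m.group("dport")), line)
    f = line.split("\t")
    if len(f) >= 13 and f[0].endswith("MSWinEventLog"):
        # Snare-style record; field positions follow the slide's sample (assumed tab-delimited).
        return Event("windows", datetime.strptime(f[4], "%a %b %d %H:%M:%S %Y"), f[10].lower(),
                     f[2] + "/" + f[5], None, None, None, None, f[12])
    raise ValueError("unrecognized log line: " + line[:60])

# Samples taken from the slide; the Windows line is re-joined with tabs between fields.
PIX_SAMPLE = ("Oct 8 23:55:02 172.16.254.254 Oct 08 2003 23:55:01: %PIX-6-302014: Teardown TCP connection "
              "2749949 for outside:24.24.54.63/4910 to dmz1:172.19.1.7/8900 duration 0:00:15 bytes 9995 TCP Reset-O")
HONEYPOT_SAMPLE = "2004-06-10-12:52:18.0891 tcp(6) S 172.17.203.61 33015 172.17.222.1 80"
WINDOWS_SAMPLE = "\t".join(["Jun 10 08:52:39 krampwd-network MSWinEventLog", "1", "System", "9717",
                            "Thu Jun 10 08:52:39 2004", "18", "Automatic Updates", "N/A", "N/A", "Information",
                            "KRAMPWD-NETWORK", "Disk", "Installation Ready: The following updates are downloaded "
                            "and ready for installation.", "1"])

if __name__ == "__main__":
    for raw in (PIX_SAMPLE, HONEYPOT_SAMPLE, WINDOWS_SAMPLE):
        print(normalize(raw))
```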

Page 34: Filtered HTML Report

Jun 4 23:17:30 192.168.1.1 %PIX-3-710003: TCP access denied by ACL from 192.168.1.9/32771 to inside:192.168.1.1/telnet
Jun 4 23:16:14 192.168.1.1 %PIX-7-111009: User 'enable_15' executed cmd: show ip address outside
Jun 4 23:15:38 192.168.1.1 %PIX-6-605005: Login permitted from 192.168.1.52/3149 to inside:192.168.1.1/https for user "enable_15"
Jun 4 23:15:31 192.168.1.1 %PIX-6-605004: Login denied from 192.168.1.52/3148 to inside:192.168.1.1/https for user "enable_15"
Jun 4 23:13:39 192.168.1.1 %PIX-6-302010: 1 in use, 76 most used
Jun 4 23:03:39 192.168.1.1 %PIX-6-302010: 4 in use, 76 most used

Page 35: Event 1 Graph – Jan 25, 2003

Page 36: Slammer Syslog Entries

Jan 25 00:29:42 router Jan 25 2003 01:32:12: %PIX-4-106023: Deny udp src outside:216.120.67.34/2596 dst library:192.156.234.247/1434 by access-group "acl-outside"

Page 37: Event 2 Graph – Oct. 9, 2003

Page 38: Welchia Syslog Entries

Oct 9 13:43:00 172.16.254.254 Oct 09 2003 13:42:59: %PIX-3-305005: No translation group found for icmp src student:172.17.203.169 dst inside:172.16.46.148 (type 8, code 0)

Page 39: Event 2 Graph Detail

Page 40: Open Source Tools Used

- Syslog-ng
- Snare
- POE – Perl Object Environment
- GD Graphics Library – www.boutell.com
- GDgraph module by Martien Verbruggen
- Mysql
- Apache
- SEC – Simple Event Correlator
- CRM-114 Bayesian Filter


Page 42: What's the solution?

- Depends on data sources
- Supported operating systems
- What are the report/alert requirements?
- Comfort level with open source
- Affordable commercial solutions

Page 43: Things to consider

- Throughput (messages per second)
- Hashing signatures
- Encryption
- Bayesian and statistical filters
- Stealth logging

Page 44: Hardware Issues

- Dual processors and/or hyper-threading
- Lots of memory
- Fast SCSI drives
- DVD or tape for data backups
- Separate servers for data collection and database.

Page 45: Web Resources

- http://www.loganalysis.org
- http://rr.sans.org
- http://www.microsoft.com/technet/

Page 46: www.loganalysis.org Site

- Centralizing Logging
- Complete Reference Guide to Creating a Remote Log Server
- Configuring and using syslogd to collect logging messages on systems running Solaris 2.x
- Centralized Logging using Logsentry in a Large UNIX Environment. Saleem Kazmi, paper for SANS GIAC certification
- Practical Implementations of syslog in Mixed Windows Environments for Secure Centralized Audit Logging, from the SANS reading room

Page 47: rr.SANS.org Reading Room, Logging Issues

- The Importance of Logging and Traffic Monitoring for Information Security. Seham GadAllah, April 19, 2004
- Centralizing Event Logs on Windows 2000. Gregory Lalla, GSEC, April 4, 2003
- Security Management Systems: An Oversite Layer for Layers of Defense. Dan Keldsen, September 4, 2003
- The Ins and Outs of System Logging Using Syslog. Ian Eaton, GSEC-3077, August 14, 2003

Page 48: Mixed Environment Logging

Garbrecht, Frederick C. Practical Implementation of Syslog in Mixed Windows Environments for Secure Centralized Audit Logging. 10 June 2004. <http://www.sans.org/rr/papers/9/713.pdf>

Page 49: Visualization Techniques

Takada, Tetsuji and Koike, Hideki. MieLog. 10 June 2004. Univ. of Electro-Communications. <http://www.vogue.is.uec.ac.jp/~koike/papers/mielog/FormattedPaperLISA02.pdf>

Page 50: Filtering and Correlation

Chyssler, Tobias and Nadjm-Tehrani, Stefan and Burbeck, Kalle. Alarm Reduction and Correlation in Defense of IP Networks. 10 June 2004. <http://www.ida.liu.se/~rtslab/publications/2004/Chyssler04_wetice.pdf>

Page 51: Books and Guides

- Bauer, Michael. Building Secure Servers with Linux. O'Reilly, 2002.
- Microsoft Solution for Securing Windows 2000 Server, Chapter 9: Auditing and Intrusion Detection. 10 June 2004. <http://www.microsoft.com/technet/Security/prodtech/win2000/secwin2k/default.mspx>

Page 52: End of presentation

Please remember to fill out the form.

E-mail questions to [email protected]

The full presentation will be available online at my web page: http://paws.flcc.edu/~krampwd/presentations/

Thank you for attending.