Security Event Management for Windows - PowerPoint PPT Presentation

1
Security Event Management for Windows
  • How to do it really cheap!

Presenter Gord Taylor (CISSP, GCIH, GEEK)
2
Apologies to the UNIX / Linux guys, but hopefully
there will be some interesting things for you
3
Taxonomy
  • What is SIM?
  • What is SEM?
  • SIM and SEM are not the same thing
  • Unfortunately, industry analysts like Gartner are
    blurring the lines

4
What is Syslog and where did it come from?
  • Originally created for BSD in the early 1980s
  • Ported to virtually every platform since
  • Evolved with no standards until 2001
  • Uses UDP/514 by default
  • A typical Syslog message:
  • <133>Jul 17 13:55:51 MachineName SyslogTag:
    Here's my custom message.

5
A Basic Syslog Implementation
6
Advantages of Syslog
  • Your network guys understand it
  • It's probably already allowed on every firewall
    and router in your environment
  • (Almost) everything supports it
  • It's LEAN, so network traffic isn't typically a
    concern
  • It will be around for a long time

7
Advantages of Syslog (cont'd)
  • Even if you buy a vendor product, they'll support
    it
  • A lot of vendor solutions are based on
    syslog-reliable

8
Disadvantages of Syslog
  • You're on your own for creating reports,
    maintaining code changes, support, etc.
  • Traditional Syslog is UDP (unreliable)
  • Not supported natively in Windows
  • It's not encrypted, but you can tunnel it (IPSec),
    which also makes it more reliable
  • 1k limit on message (RFC) (maybe 4k)
  • Scalability

9
And along comes Syslog-NG and Syslog Reliable
  • Syslog-ng came out before the RFC standard -
    though the Syslog Reliable RFC is largely based
    on NG
  • Many syslog-ng implementations are now actually
    Syslog Reliable under the hood
  • Reliable has 2 modes: RAW and COOKED
  • WinSyslog has supported syslog-ng for a long
    while and has always been active on the RFC 3195
    committee (Rainer Gerhards)

10
Advantages of Reliable
  • Does everything Syslog does
  • TCP based, reliable delivery, confidentiality,
    integrity, authentication
  • Provides for Relays and Collectors
  • More customization options
  • A single system can be a device, relay,
    collector, or all three.
  • Due to the path information you get both SENDER
    time and RECEIVER time

11
Disadvantages of Reliable
  • You're on your own for creating reports,
    maintaining code changes, support, etc.
  • Not everyone has implemented the RFC
  • Some poor implementations open the TCP channel
    for EACH MESSAGE (ouch!)
  • Not clear on maximum message size (especially in
    RAW mode)

12
Disadvantages of Reliable (cont'd)
  • Still doesn't provide the YEAR in the timestamp
  • Still not widely implemented (including Windows)
  • More customization options

13
A Simple Syslog Reliable Implementation
14
So What about Windows?
  • We want to turn this

Into this syslog message
<pri>Dec 22 9:42:26 192.168.131.67 528 NT
AUTHORITY\LOCAL SERVICE Successful Logon:
User Name: LOCAL SERVICE Domain: NT AUTHORITY
Logon ID: (0x0,0x3E5) Logon Type: 5 Logon
Process: Advapi Authentication Package:
Negotiate Workstation Name: Logon GUID: -
Caller User Name: MACHINENAME Caller Domain:
Caller Logon ID: (0x0,0x3E7) Caller Process ID:
280 Transited Services: - Source Network
Address: - Source Port: -
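A collector has to take both kinds of line apart: the BSD header (PRI, timestamp, host, tag) shown on the "What is Syslog" slide, and the "Name: value" run of a forwarded Windows event like the 528 message above. The following parser is an added example, not code from the presentation or from any of the agents it names; the sample lines are constructed from the slides, and the <pri> placeholder is filled in as <13> (user.notice) for the example.

```python
import re

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOST TAG: message (day may be space-padded)
HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]?\d \d{1,2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\s]+):? ?(?P<msg>.*)$", re.S)
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert",
              "clock"] + ["local%d" % i for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Field names of the Windows 2000/2003 event 528 text; longest first so "Caller Domain:" never matches as "Domain:"
EVENT_FIELDS = ["User Name", "Domain", "Logon ID", "Logon Type", "Logon Process",
                "Authentication Package", "Workstation Name", "Logon GUID",
                "Caller User Name", "Caller Domain", "Caller Logon ID", "Caller Process ID",
                "Transited Services", "Source Network Address", "Source Port"]
FIELD_RE = re.compile("(" + "|".join(re.escape(f) for f in
                      sorted(EVENT_FIELDS, key=len, reverse=True)) + "):")

# Constructed samples: the slide's custom message and its event 528 line (<pri> assumed to be <13>)
SAMPLE_CUSTOM = "<133>Jul 17 13:55:51 MachineName SyslogTag: Here's my custom message."
SAMPLE_EVENT = ("<13>Dec 22 9:42:26 192.168.131.67 528 NT AUTHORITY\\LOCAL SERVICE Successful Logon: "
                "User Name: LOCAL SERVICE Domain: NT AUTHORITY Logon ID: (0x0,0x3E5) Logon Type: 5 "
                "Logon Process: Advapi Authentication Package: Negotiate Workstation Name: "
                "Logon GUID: - Caller User Name: MACHINENAME Caller Domain: Caller Logon ID: (0x0,0x3E7) "
                "Caller Process ID: 280 Transited Services: - Source Network Address: - Source Port: -")

def parse_syslog(line):
    """Return PRI decoded to facility/severity plus timestamp, host, tag and message text."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not a BSD syslog message: %r" % line[:40])
    pri = int(m.group("pri"))
    if pri > 191:  # 24 facilities * 8 severities - 1
        raise ValueError("PRI out of range: %d" % pri)
    return {"facility": FACILITIES[pri // 8], "severity": SEVERITIES[pri % 8],
            "timestamp": m.group("ts"), "host": m.group("host"),
            "tag": m.group("tag"), "msg": m.group("msg")}

def parse_event_fields(msg):
    """Split 'User Name: X Domain: Y ...' into a dict; empty values (e.g. Workstation Name) are kept."""
    hits = list(FIELD_RE.finditer(msg))
    fields = {"_summary": msg[:hits[0].start()].rstrip(": ") if hits else msg}
    for cur, nxt in zip(hits, hits[1:] + [None]):
        end = nxt.start() if nxt else len(msg)
        fields[cur.group(1)] = msg[cur.end():end].strip()
    return fields
```

Once the fields are in a dict, a filter on Logon Type or Caller User Name is a one-line comparison rather than a regex over free text.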
15
Windows Syslog Agents
  • NTSyslog (no longer in development)
    • Sends everything by category
  • Snare (InterSect Alliance)
    • Allows you to parse before sending
  • Lasso (newly released by LogLogic)
    • Syslog Reliable
  • Many others on sourceforge.net and download.com,
    etc.

16
NTSyslog
17
Snare
18
Snare (cont'd)
19
Windows Syslog Daemons (server)
  • WinSyslog
  • Kiwi Syslog
  • Snare Server ()
    • There's also a lite version called Snare Micro
      Server
  • Linux / Unix (all versions have syslog)
  • Again, see sourceforge.net and download.com

20
WinSyslog
  • Syslog Reliable
  • Filter by many conditions
  • Many Actions to take when filter valid (true)
  • Log to File and/or DB most common
  • Discard is very valuable

21
WinSyslog (cont'd)
22
WinSyslog (cont'd)
23
Logging to Database
  • Simple table with ReceivedAt, DeviceReportedTime,
    Facility, Priority, FromHost, Message, SyslogTag
  • No Indices (indexes)
  • No Primary Keys
  • Poor Database Support - but see the Database
    discussion group

24
Logging Problems
  • Database Blocking
  • Nightly Deletes / Transaction log explodes
  • Nightly Maintenance / run too long
  • Split Database File Logging
  • File Logging Nightly Import
  • Hourly Deletes

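The three database problems above (no keys, no indexes, one giant nightly DELETE that blocks inserts and fills the transaction log) can be shown on the slide's own seven columns. The following is an added example, not part of the presentation or of WinSyslog's schema: the table name SyslogEvents is assumed, sqlite3 stands in for whatever server you log to, and purge_before does the "hourly deletes" idea as short batches instead of one huge transaction.

```python
import sqlite3

# Slide's columns plus what its default lacks: a primary key and an index on the
# column every retention query and report filters on.  Table name is assumed.
SCHEMA = """
CREATE TABLE IF NOT EXISTS SyslogEvents (
    ID INTEGER PRIMARY KEY,
    ReceivedAt TEXT NOT NULL,         -- ISO 8601, stamped by the daemon
    DeviceReportedTime TEXT,          -- syslog timestamp: carries no year
    Facility INTEGER, Priority INTEGER, FromHost TEXT,
    Message TEXT, SyslogTag TEXT);
CREATE INDEX IF NOT EXISTS ix_ReceivedAt ON SyslogEvents (ReceivedAt);
"""

def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn

def insert_event(conn, received_at, reported, facility, priority, host, msg, tag):
    conn.execute("INSERT INTO SyslogEvents (ReceivedAt, DeviceReportedTime, Facility, "
                 "Priority, FromHost, Message, SyslogTag) VALUES (?,?,?,?,?,?,?)",
                 (received_at, reported, facility, priority, host, msg, tag))

def purge_before(conn, cutoff, batch=1000):
    """Delete rows older than cutoff in batches; each batch is its own short transaction,
    so inserts are never blocked for long and the log never holds one giant delete."""
    deleted = 0
    while True:
        cur = conn.execute("DELETE FROM SyslogEvents WHERE ID IN "
                           "(SELECT ID FROM SyslogEvents WHERE ReceivedAt < ? LIMIT ?)",
                           (cutoff, batch))
        conn.commit()
        deleted += cur.rowcount
        if cur.rowcount < batch:
            return deleted

def count_events(conn):
    return conn.execute("SELECT COUNT(*) FROM SyslogEvents").fetchone()[0]

def demo():
    """Constructed data: 2500 day-old rows and 10 fresh ones; returns (deleted, remaining)."""
    conn = open_db()
    for i in range(2500):
        insert_event(conn, "2006-07-16T%02d:%02d:00" % (i // 60 % 24, i % 60),
                     "Jul 16 00:00:00", 16, 5, "web01", "old line %d" % i, "iis")
    for i in range(10):
        insert_event(conn, "2006-07-17T13:55:%02d" % i, "Jul 17 13:55:%02d" % i,
                     16, 5, "web01", "new line %d" % i, "iis")
    return purge_before(conn, "2006-07-17T00:00:00", batch=1000), count_events(conn)
```

Schedule purge_before hourly with a small batch and the oldest rows go out in many short transactions rather than one nightly one that "runs too long".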
25
Tail & Logger (Syslog's Best Friends)
  • Tail allows you to view the tail end of a file
  • tail -f will show new messages as they arrive
  • Logger sends a file to a Syslog daemon
  • Sends entire file, line-by-line
  • Each line is a separate Syslog message
  • UDP, TCP, or 3195RAW (not Cooked)
  • Can send a single custom message log line
  • Can specify Priority

26
Uses for Logger (cont'd)
  • logger -f webserver_today.log -l syslogserver -m
    3195raw
  • tail -f webserver.log | logger -l dest -m proto
  • You can do the same thing with FW1 logs !!
  • autorunsc -c -m | logger -l dest -m proto
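What logger does with a file, one datagram per line with a chosen priority, is a few lines of code; the only part that bites is the 1k packet limit from the "Disadvantages of Syslog" slide. The following is an added example, not the logger tool the slides use: facility 16 (local0) and severity 5 (notice) are assumed defaults, and the sample line in demo() is constructed.

```python
import socket
from datetime import datetime

MAX_PACKET = 1024  # the RFC 3164 "1k limit on message" from the disadvantages slide

def build_packet(facility, severity, host, tag, line, when):
    """One RFC 3164 datagram: <PRI>Mmm dd hh:mm:ss HOST TAG: text; PRI = facility*8 + severity,
    day of month space-padded, no year (which is why the collector should stamp ReceivedAt)."""
    pri = facility * 8 + severity
    stamp = "%s %2d %s" % (when.strftime("%b"), when.day, when.strftime("%H:%M:%S"))
    text = "<%d>%s %s %s: %s" % (pri, stamp, host, tag, line.rstrip("\r\n"))
    packet = text.encode("utf-8", "replace")
    if len(packet) > MAX_PACKET:
        # Many daemons truncate or drop oversize datagrams; cut on a character
        # boundary ourselves so the stored text is still valid UTF-8.
        packet = packet[:MAX_PACKET].decode("utf-8", "ignore").encode("utf-8")
    return packet

def send_file(path, dest, port=514, facility=16, severity=5, tag="logger", host=None):
    """Send a file line by line over UDP, one datagram per non-empty line, like logger -f."""
    host = host or socket.gethostname()
    sent = 0
    with open(path, "rb") as fh, socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for raw in fh:
            line = raw.decode("utf-8", "replace").rstrip("\r\n")
            if not line.strip():
                continue
            sock.sendto(build_packet(facility, severity, host, tag, line, datetime.now()),
                        (dest, port))
            sent += 1
    return sent

def demo():
    """Constructed sample: a web-server log line and an oversized one; returns both packets."""
    when = datetime(2006, 7, 17, 13, 55, 51)
    return (build_packet(16, 5, "web01", "iis", "GET /index.html 200\n", when),
            build_packet(16, 5, "web01", "iis", "A" * 2000, when))
```

Feed it a file of event lines and the collector sees exactly what the slide's logger -f sends, with anything past 1024 bytes cut rather than silently lost on the wire.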

27
Where do vendor products fit in?
  • Homegrown can be a lot of work - vendor solutions
    are out of the box
  • There is a LOT of value in doing this in-house to
    learn what you need (including event volumes)
  • Do you need forensics abilities or just reporting
    (SEM vs SIM)?
  • Real-time correlation is exceptionally difficult
  • Does the vendor provide for all your platforms?
  • Don't include building of reports into your
    decision; you'll ALWAYS have to build

28
Various Sites
  • The most important
    • www.loganalysis.org
  • Syslog Tools
    • WinSyslog Server (Adiscon)
      • http://www.monitorware.com
    • KiwiSyslog Server
      • http://www.kiwisyslog.com
    • Snare Agents for Windows, IIS, ISA, Apache, etc.
      • http://snare.sourceforge.net
    • Lasso (syslog-reliable based on Snare source)
      • http://lassolog.sourceforge.net

29
    • Modular Syslog (BSD flavours, Unix, Linux only)
      • http://msyslog.sourceforge.net
      • http://msyslogui.sourceforge.net
    • NTSyslog (no longer in development)
      • http://ntsyslog.sourceforge.net
  • Windows Security Eventlog Information
    • Altair Technologies Event ID database
      • http://www.eventid.net
    • Randy Franklin Smith's Event Encyclopedia
      • http://www.ultimatewindowssecurity.com/encyclopedia.html

30
  • Other Open Source Tools
    • Privateye (SIM)
      • http://privateye.sourceforge.net
    • Splunk (Google for log files; no more to be
      said.)
      • http://www.splunk.com
    • Simple Event Correlator
      • http://simple-evcorr.sourceforge.net

31
  • Whitepapers & Other Reading
    • SANS Top 5 Essential Log Reports
      • http://www.sans.org/resources/top5_logreports.pdf
    • The Ins and Outs of System Logging Using Syslog
      • http://www.sans.org/reading_room/whitepapers/logging/1168.php
    • BSD Syslog (RFC 3164)
      • http://www.networksorcery.com/enp/rfc/rfc3164.txt
    • Syslog Reliable (RFC 3195)
      • http://www.networksorcery.com/enp/rfc/rfc3195.txt
    • BEEP Protocol (RFC 3080)
      • http://www.networksorcery.com/enp/rfc/rfc3080.txt
    • Draft Special Publication 800-92: Guide to
      Computer Security Log Management
      • http://csrc.nist.gov/publications/drafts.html
  • Complementary Tools
    • Any tail utility
      • http://www.baremetalsoft.com (GUI based, allows
        color coding for manual review / highlighting of
        interesting entries in real time)
    • A command-line tail utility
      • Windows 2003 Resource Kit comes with a tail.exe

32
  • xNix-only Tools
    • Logcheck (http://sourceforge.net/projects/logcheck)
      • Parses logs looking for interesting patterns
        (includes an ignore file)
      • Output is straightforward for admins; good to
        mail to yourself for daily reviews
    • Logwatch (http://www.logwatch.org)
      • Similar to Logcheck, but summarizes all entries
        and the number of times they occurred.
    • Swatch (http://swatch.sourceforge.net)
      • Regex to monitor log files in real time (alert
        via pager, mail)
    • LogSurfer (http://www.cert.dfn.de/eng/logsurf/)
      • Real-time monitoring of any log file; a little
        more verbose than Swatch