Security Event Management for Windows: How to do it really cheap!
Presenter: Gord Taylor (CISSP, GCIH, GEEK)

Apologies to the UNIX / Linux Guys
- ...but hopefully there will be some interesting things for you...

Taxonomy
- What is SIM
- What is SEM
- SIM & SEM are not the same thing
- Unfortunately, industry analysts like Gartner are blurring the lines :(

What is Syslog and where did it come from?
- Originally created for BSD in the early 1980s
- Ported to virtually every platform since
- Evolved with no standards until 2001
- Uses UDP/514 by default
- A typical Syslog message:
  <133>Jul 17 13:55:51 MachineName SyslogTag: Here's my custom message.

A Basic Syslog Implementation
(diagram slide)

Advantages of Syslog
- Your network guys understand it
- It's probably already allowed on every firewall and router in your environment
- (Almost) everything supports it
- It's LEAN, so network traffic isn't typically a concern
- It will be around for a long time

Advantages of Syslog (cont'd)
- Even if you buy a vendor product, they'll support it
- A lot of vendor solutions are based on syslog-reliable

Disadvantages of Syslog
- You're on your own for creating reports, maintaining code changes, support, etc.
- Traditional Syslog is UDP (unreliable)
- Not supported natively in Windows
- It's not encrypted, but you can tunnel it (IPSec), which also makes it more reliable
- 1k limit on message size (RFC) (maybe 4k)
- Scalability

And along comes Syslog-NG and Syslog Reliable
- Syslog-ng came out before the RFC standard, though the Syslog Reliable RFC is largely based on NG
- Many syslog-ng implementations are now actually Syslog Reliable under the hood
- Reliable has 2 modes: RAW & COOKED
- WinSyslog has supported syslog-ng for a long while and has always been active on the RFC 3195 committee (Rainer Gerhards)

Advantages of Reliable
- Does everything Syslog does
- TCP based: reliable delivery, confidentiality, integrity, authentication
- Provides for Relays and Collectors
- More customization options
- A single system can be a device, relay, collector, or all three
- Due to the path information you get both SENDER time and RECEIVER time

Disadvantages of Reliable
- You're on your own for creating reports, maintaining code changes, support, etc.
- Not everyone has implemented the RFC
- Some poor implementations open the TCP channel for EACH MESSAGE (ouch!)
- Not clear on maximum message size (especially in RAW mode)

Disadvantages of Reliable (cont'd)
- Still doesn't provide the YEAR in the timestamp
- Still not widely implemented (including Windows)
- More customization options

A Simple Syslog Reliable Implementation
(diagram slide)

So... What about Windows?
- We want to turn this: (screenshot of a Windows Security event log entry)
- Into this syslog message:
  <pri>Dec 22 9:42:26 192.168.131.67 528: NT AUTHORITY\LOCAL SERVICE Successful Logon: UserName:LOCAL SERVICE Domain: NT AUTHORITY Logon ID: (0x0,0x3E5) Logon Type: 5 Logon Process: Advapi Authentication Package: Negotiate: Workstation Name: Logon GUID: - Caller User Name: MACHINENAME$ Caller Domain: Caller Logon ID: (0x0,0x3E7) Caller Process ID: 280 Transited Services: - Source Network Address: - Source Port:

Windows Syslog Agents
- NTSyslog (no longer in development)
  - Sends everything by category
- Snare (InterSect Alliance)
  - Allows you to parse before sending
- Lasso (newly released by LogLogic)
  - Syslog Reliable
- Many others on sourceforge.net and download.com etc.

NTSyslog
(screenshot slide)

Snare
(screenshot slide)

Snare (cont'd)
(screenshot slide)

Windows Syslog Daemons (server)
- WinSyslog
- Kiwi Syslog
- Snare Server ($$)
  - There's also a 'lite' version called Snare Micro Server
- Linux / Unix (all versions have syslog)
- Again, see sourceforge.net & download.com

WinSyslog
- Syslog Reliable
- Filter by many conditions
- Many Actions to take when filter valid (true)
  - Log to File and/or DB most common
  - "Discard" is very valuable

WinSyslog (cont'd)
(screenshot slide)

WinSyslog (cont'd)
(screenshot slide)

Logging to Database
- Simple table with ReceivedAt, DeviceReportedTime, Facility, Priority, FromHost, Message, SyslogTag
- No Indices (indexes)
- No Primary Keys
- Poor Database Support - but see the "Database" discussion group :-)

Logging Problems
- Database Blocking
- Nightly Deletes / Transaction log explodes
- Nightly Maintenance / run too long
- Split Database & File Logging
- File Logging & Nightly Import
- Hourly Deletes

Tail & Logger (Syslog's Best Friends)
- Tail allows you to view the "tail end" of a file
  - tail -f will show new messages as they arrive
- Logger sends a file to a Syslog daemon
  - Sends entire file, line-by-line
  - Each line is a separate Syslog message
  - UDP, TCP, or 3195RAW (not Cooked)
  - Can send a single "custom message" log line
  - Can specify Priority

Uses for Logger (cont'd)
- logger -f webserver_today.log -l syslogserver -m 3195raw
- tail -f webserver.log | logger -l dest -m proto
- You can do the same thing with FW1 logs !!
- autorunsc -c -m | logger -l dest -m proto

Where do vendor products fit in?
- Homegrown can be a lot of work - vendor solutions are "out of the box"
- There is a LOT of value in doing this in-house to learn what you need (including event volumes)
- Do you need forensics abilities or just reporting (SEM vs SIM)?
- Real-time correlation is exceptionally difficult
- Does the vendor provide for all your platforms?
- Don't include building of reports into your decision: you'll ALWAYS have to build

Various Sites
- The most important: www.loganalysis.org
- Syslog Tools
  - WinSyslog Server (Adiscon) http://www.monitorware.com
  - KiwiSyslog Server http://www.kiwisyslog.com
  - Snare Agents for Windows, IIS, ISA, Apache, etc. http://snare.sourceforge.net
  - Lasso (syslog-reliable based on Snare source) http://lassolog.sourceforge.net
  - Modular Syslog (BSD flavours, Unix, Linux only) http://msyslog.sourceforge.net and http://msyslogui.sourceforge.net
  - NTSyslog (no longer in development) http://ntsyslog.sourceforge.net
- Windows Security Eventlog Information
  - Altair Technologies Event ID database http://www.eventid.net
  - Randy Franklin Smith's Event Encyclopedia http://www.ultimatewindowssecurity.com/encyclopedia.html

Other Open Source Tools
- Privateye (SIM) http://privateye.sourceforge.net
- Splunk (Google for log files - no more to be said.) http://www.splunk.com
- Simple Event Correlator http://simple-evcorr.sourceforge.net

Whitepapers & Other Reading
- SANS Top 5 Essential Log Reports http://www.sans.org/resources/top5_logreports.pdf
- The Ins and Outs of System Logging Using Syslog http://www.sans.org/reading_room/whitepapers/logging/1168.php
- BSD Syslog (RFC 3164) http://www.networksorcery.com/enp/rfc/rfc3164.txt
- Syslog Reliable (RFC 3195) http://www.networksorcery.com/enp/rfc/rfc3195.txt
- BEEP Protocol (RFC 3080) http://www.networksorcery.com/enp/rfc/rfc3080.txt
- Draft Special Publication 800-92, Guide to Computer Security Log Management http://csrc.nist.gov/publications/drafts.html

Complementary Tools
- Any "tail" utility
  - http://www.baremetalsoft.com (GUI based, allows color coding for manual review & highlighting of interesting entries in realtime)
  - A command-line tail utility: the Windows 2003 Resource Kit comes with a tail.exe
- Logger (Unix port of command line tool) http://www.monitorware.com/logger

xNix-only Tools
- Logcheck (http://sourceforge.net/projects/logcheck)
  - Parses logs looking for "interesting" patterns (includes an ignore file)
  - Output is straightforward for admins: good to mail to yourself for daily reviews
- Logwatch (http://www.logwatch.org)
  - Similar to Logcheck, but summarizes all entries and the number of times they occurred
- Swatch (http://swatch.sourceforge.net)
  - Regex to monitor log files in real time (alert via pager, mail)
- LogSurfer (http://www.cert.dfn.de/eng/logsurf/)
  - Realtime monitoring of any log file: a little more verbose than Swatch
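Two of the slides show what a message looks like on the wire: the <133>... sample on "What is Syslog" and the flattened event 528 line on "What about Windows?". The Python below is an added example, not code from the talk or from NTSyslog, Snare, Lasso or any other agent it names. It builds and parses RFC 3164 lines (PRI = facility * 8 + severity, so <133> is local0.notice), enforces the 1k limit the slides mention, supplies the year the timestamp lacks, and flattens a constructed Windows Security event into the same one-line shape an agent produces. The event dictionary, the 2005 year, the use of the slide's 192.168.131.67 as the sending host, and the audit-result-to-severity mapping are all assumptions.

```python
import re
import socket
from datetime import datetime

# RFC 3164 facility codes (12-15 are reserved for clock/ntp/audit/alert
# daemons and left out here for brevity).
FACILITIES = {
    0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
    6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
    16: "local0", 17: "local1", 18: "local2", 19: "local3",
    20: "local4", 21: "local5", 22: "local6", 23: "local7",
}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
MAX_LEN = 1024  # the "1k limit" from the slides: RFC 3164 caps a packet at 1024 bytes

# One RFC 3164 line: <PRI>TIMESTAMP HOSTNAME TAG[pid]: MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)


def encode_pri(facility, severity):
    """PRI is facility * 8 + severity, e.g. local0 (16) and notice (5) give 133."""
    return facility * 8 + severity


def decode_pri(pri):
    """Inverse of encode_pri: returns (facility, severity) as numbers."""
    return divmod(pri, 8)


def format_message(facility, severity, hostname, tag, text, when=None):
    """Build one RFC 3164 message, truncated to the 1024-byte limit."""
    when = when or datetime.now()
    # RFC 3164 timestamp: month name, space-padded day, time, and no year.
    ts = "%s %2d %s" % (when.strftime("%b"), when.day, when.strftime("%H:%M:%S"))
    line = "<%d>%s %s %s: %s" % (encode_pri(facility, severity), ts, hostname, tag, text)
    return line.encode("utf-8")[:MAX_LEN].decode("utf-8", "ignore")


def parse_message(line, year=None):
    """Parse an RFC 3164 line into a dict, or return None if it is not one.

    The timestamp carries no year (the slides make this point about RFC 3164
    and RFC 3195 alike), so the receiver has to supply one; the default is the
    current year, which is wrong for messages that cross New Year in a backlog.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    facility, severity = decode_pri(int(m["pri"]))
    if facility > 23:  # PRI above 191 is not valid
        return None
    year = year or datetime.now().year
    when = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")
    return {
        "facility": FACILITIES.get(facility, str(facility)),
        "severity": SEVERITIES[severity],
        "timestamp": when,
        "host": m["host"],
        "tag": m["tag"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "message": m["msg"],
    }


def windows_event_to_syslog(event, source_host, facility=16):
    """Flatten a Windows Security event into the single-line form on the slide:
    the event ID becomes the syslog tag and the description fields become
    "Name: value" pairs. The audit-result mapping below is an assumption, not a
    standard: failures become 'warning', everything else 'notice'."""
    severity = 4 if event["type"] == "Audit Failure" else 5
    details = " ".join("%s: %s" % (k, v) for k, v in event["fields"].items())
    text = "%s %s: %s" % (event["user"], event["description"], details)
    return format_message(facility, severity, source_host, str(event["id"]), text, event["time"])


def send_udp(message, server, port=514):
    """Ship one message as a single UDP datagram, the default syslog transport."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(message.encode("utf-8"), (server, port))


# Constructed sample modelled on the event 528 (Successful Logon) slide.
SAMPLE_EVENT = {
    "id": 528,
    "type": "Audit Success",
    "time": datetime(2005, 12, 22, 9, 42, 26),  # assumed year
    "user": "NT AUTHORITY\\LOCAL SERVICE",
    "description": "Successful Logon",
    "fields": {
        "UserName": "LOCAL SERVICE", "Domain": "NT AUTHORITY",
        "Logon ID": "(0x0,0x3E5)", "Logon Type": 5, "Logon Process": "Advapi",
        "Authentication Package": "Negotiate", "Workstation Name": "",
        "Caller User Name": "MACHINENAME$", "Caller Process ID": 280,
    },
}

if __name__ == "__main__":
    wire = windows_event_to_syslog(SAMPLE_EVENT, "192.168.131.67")
    print(wire)
    print(parse_message(wire, year=2005))
```

send_udp is the only piece that touches the network and is not exercised by the stand-alone run; everything else works offline. Because the parser is strict about the PRI and timestamp layout, anything that fails to match is returned as None rather than guessed at, which is the behaviour you want in front of a database insert.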
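The WinSyslog, "Logging to Database" and "Logging Problems" slides describe the receiving side: filter on conditions, then discard, log to file or log to a database; give the table the primary key and indexes it ships without; and delete hourly in small batches rather than in one nightly transaction that blocks the server. The following Python is an added example of that design, not WinSyslog's code or schema. It uses SQLite in memory so it runs anywhere; the rule syntax, the column types and the sample events are assumptions, with the column names taken from the slide.

```python
import sqlite3
from datetime import datetime, timedelta

# Columns from the "Logging to Database" slide, plus the primary key and the
# indexes the slide says the stock table lacks (SQLite types are assumed).
SCHEMA = """
CREATE TABLE IF NOT EXISTS SystemEvents (
    ID INTEGER PRIMARY KEY AUTOINCREMENT,
    ReceivedAt TEXT NOT NULL,
    DeviceReportedTime TEXT,
    Facility INTEGER,
    Priority INTEGER,
    FromHost TEXT,
    Message TEXT,
    SyslogTag TEXT
);
CREATE INDEX IF NOT EXISTS ix_events_receivedat ON SystemEvents (ReceivedAt);
CREATE INDEX IF NOT EXISTS ix_events_host_tag ON SystemEvents (FromHost, SyslogTag);
"""


class Collector:
    """Miniature syslog daemon back end. Rules are checked in order; the first
    rule whose conditions all match decides the action (discard, file or db).
    Events that match no rule go to the database."""

    def __init__(self, db_path=":memory:"):
        self.db = sqlite3.connect(db_path)
        self.db.executescript(SCHEMA)
        self.rules = []        # list of (conditions dict, action)
        self.file_lines = []   # stands in for a flat log file

    def add_rule(self, action, **conditions):
        assert action in ("discard", "file", "db")
        self.rules.append((conditions, action))

    def handle(self, event, received_at=None):
        """Apply the rules to one parsed event; returns the action taken."""
        received_at = received_at or datetime.now()
        action = "db"
        for conditions, rule_action in self.rules:
            if all(event.get(k) == v for k, v in conditions.items()):
                action = rule_action
                break
        stamp = received_at.isoformat(timespec="seconds")
        if action == "file":
            self.file_lines.append("%s %s %s: %s" % (stamp, event["host"], event["tag"], event["message"]))
        elif action == "db":
            self.db.execute(
                "INSERT INTO SystemEvents (ReceivedAt, DeviceReportedTime, Facility, Priority,"
                " FromHost, Message, SyslogTag) VALUES (?, ?, ?, ?, ?, ?, ?)",
                (stamp, event["device_time"].isoformat(timespec="seconds"),
                 event["facility"], event["severity"], event["host"], event["message"], event["tag"]))
            self.db.commit()
        return action

    def count(self):
        return self.db.execute("SELECT COUNT(*) FROM SystemEvents").fetchone()[0]

    def purge_older_than(self, hours, now=None, batch=1000):
        """Retention in small committed batches (the 'hourly deletes' answer from
        the Logging Problems slide) instead of one huge nightly DELETE that holds
        locks and inflates the transaction log. Uses the ReceivedAt index."""
        now = now or datetime.now()
        cutoff = (now - timedelta(hours=hours)).isoformat(timespec="seconds")
        deleted = 0
        while True:
            cur = self.db.execute(
                "DELETE FROM SystemEvents WHERE ID IN "
                "(SELECT ID FROM SystemEvents WHERE ReceivedAt < ? ORDER BY ID LIMIT ?)",
                (cutoff, batch))
            self.db.commit()
            if cur.rowcount == 0:
                break
            deleted += cur.rowcount
        return deleted


def demo():
    """Run constructed events (not from any real system) through the collector."""
    c = Collector()
    c.add_rule("discard", severity=7)       # drop debug chatter at the door
    c.add_rule("file", tag="webserver")    # web server lines go to a file, not the DB
    base = datetime(2005, 12, 22, 9, 0, 0)  # assumed clock
    tags = ["528", "webserver", "kernel", "528", "528", "528"]
    severities = [5, 6, 7, 5, 5, 5]
    actions = []
    for i, (tag, sev) in enumerate(zip(tags, severities)):
        received = base - timedelta(hours=i)
        event = {"facility": 16, "severity": sev, "host": "192.168.131.67", "tag": tag,
                 "device_time": received - timedelta(seconds=30),
                 "message": "constructed message %d" % i}
        actions.append(c.handle(event, received_at=received))
    stored = c.count()
    purged = c.purge_older_than(hours=2, now=base, batch=2)
    return {"actions": actions, "stored": stored, "file_lines": len(c.file_lines),
            "purged": purged, "remaining": c.count()}

if __name__ == "__main__":
    print(demo())
```

The purge loop commits after every batch, so a reader or insert that was waiting on the table gets in between batches; with a real server you would pick the batch size from the event volumes you measured while running the in-house version the "vendor products" slide recommends building first.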
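The "xNix-only Tools" slide lists three behaviours that are easy to reproduce on Windows once the events are in syslog form: Logcheck's interesting-pattern list with an ignore file, Logwatch's count of how often each entry occurred, and Swatch's real-time alert on a regex, with a threshold so one bad password does not page anyone but a burst does. The Python below is an added example of those three behaviours together; it is not the code of Logcheck, Logwatch or Swatch, and the patterns, thresholds and sample log lines are all constructed.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Logcheck-style "interesting" patterns, each with a Swatch-style threshold:
# alert on the Nth hit from the same host inside the window (1 = alert at once).
INTERESTING = [
    ("logon_failure", re.compile(r"Logon Failure", re.I), 3),
    ("service_stopped", re.compile(r"entered the stopped state", re.I), 1),
    ("audit_log_cleared", re.compile(r"audit log was cleared", re.I), 1),
]
# The ignore file: routine entries that should never reach the daily mail.
IGNORE = [
    re.compile(r"Successful Logon.*Logon Type: 5"),  # service logons are routine noise
]
# Loose RFC 3164 shape; the tag may contain spaces (e.g. "Service Control Manager").
LINE_RE = re.compile(r"^<\d{1,3}>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>[^:]+): (?P<msg>.*)$")


def scan(lines, year, window=timedelta(minutes=5)):
    """Return alerts (Swatch), per-pattern counts (Logwatch) and the lines that
    matched neither an interesting nor an ignore pattern (what Logcheck mails)."""
    summary = Counter()
    alerts = []                 # (iso timestamp, rule, host, hits in burst)
    unmatched = []
    recent = defaultdict(list)  # (rule, host) -> timestamps of the current burst
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            unmatched.append(line)
            continue
        if any(p.search(m["msg"]) for p in IGNORE):
            summary["ignored"] += 1
            continue
        # RFC 3164 timestamps have no year, so the caller supplies it.
        when = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")
        hit = next(((name, limit) for name, p, limit in INTERESTING if p.search(m["msg"])), None)
        if hit is None:
            unmatched.append(line)
            continue
        name, limit = hit
        key = (name, m["host"])
        summary[key] += 1
        # Keep only hits still inside the window, then add this one.
        recent[key] = [t for t in recent[key] if when - t <= window] + [when]
        if len(recent[key]) >= limit:
            alerts.append((when.isoformat(), name, m["host"], len(recent[key])))
            recent[key] = []  # start a fresh burst so the alert fires once per N hits
    return {"alerts": alerts, "summary": summary, "unmatched": unmatched}


def format_report(result):
    """Logwatch-style digest suitable for mailing to yourself."""
    out = ["Alerts:"] + ["  %s %s from %s (%d hits)" % a for a in result["alerts"]]
    out.append("Counts:")
    for key, n in sorted(result["summary"].items(), key=str):
        out.append("  %s: %d" % (key, n))
    out.append("Unmatched lines: %d" % len(result["unmatched"]))
    return "\n".join(out)


# Constructed sample lines in the format the earlier slides show (not real logs).
SAMPLE_LINES = [
    "<133>Dec 22 09:42:26 192.168.131.67 528: NT AUTHORITY\\LOCAL SERVICE Successful Logon: Logon Type: 5",
    "<132>Dec 22 09:43:01 192.168.131.67 Security: Logon Failure: Reason: Unknown user name or bad password User Name: jdoe",
    "<132>Dec 22 09:43:09 192.168.131.67 Security: Logon Failure: Reason: Unknown user name or bad password User Name: jdoe",
    "<134>Dec 22 09:43:30 192.168.131.67 Service Control Manager: The Print Spooler service entered the stopped state",
    "<132>Dec 22 09:43:41 192.168.131.67 Security: Logon Failure: Reason: Unknown user name or bad password User Name: jdoe",
    "<132>Dec 22 09:55:00 192.168.131.67 Security: Logon Failure: Reason: Unknown user name or bad password User Name: jdoe",
    "<129>Dec 22 10:01:15 192.168.131.67 Security: The audit log was cleared",
    "this is not a syslog line",
]

if __name__ == "__main__":
    print(format_report(scan(SAMPLE_LINES, year=2005)))
```

On the sample, the three logon failures inside five minutes produce one alert at 09:43:41, the fourth failure at 09:55 starts a new burst and stays quiet, and the service stop and audit-log clear alert immediately; the ignored service logon still shows up in the counts so you can see how much noise the ignore file is absorbing.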