Windows Log Management

Security Event Management for Windows
How to do it really cheap!
Presenter: Gord Taylor (CISSP, GCIH, GEEK)
Apologies to the UNIX / Linux Guys
…but hopefully there will be some interesting things for you…
Taxonomy
- What is SIM (Security Information Management)
- What is SEM (Security Event Management)
- SIM & SEM are not the same thing
- Unfortunately, industry analysts like Gartner are blurring the lines :(
What is Syslog and where did it come from?
- Originally created for BSD in the early 1980s
- Ported to virtually every platform since
- Evolved with no standards until 2001 (RFC 3164)
- Uses UDP/514 by default
- A typical Syslog message:

<133>Jul 17 13:55:51 MachineName SyslogTag: Here's my custom message.
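The message above packs a lot into one line: the PRI in angle brackets is facility * 8 + severity (133 = local0, notice), the timestamp has no year, and the whole datagram is limited to 1k. The parser below is an added example written for this page (not code from the talk or from any of the tools it lists); it splits an RFC 3164 line into those fields and flags the two things a collector has to cope with: the missing year (it is filled in from the receiver's clock, or from the `year` argument, which is an assumption of this example) and oversize messages.

```python
import re
from datetime import datetime

# RFC 3164 facility and severity names, indexed by their numeric codes
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
MAX_LEN = 1024  # the "1k limit" on a datagram

# <PRI>Mmm dd hh:mm:ss HOST TAG[pid]: MSG  (day may be space-padded, pid is optional)
_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]?\d \d{1,2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$", re.DOTALL)


def parse_syslog(line, year=None):
    """Split one RFC 3164 line into a dict of its fields.

    `year` is an assumption of this example: the wire format carries none,
    so the receiver has to supply it (here: the given year, else the local
    clock's year, which is wrong for replayed old logs and around New Year).
    """
    raw = line.rstrip("\r\n")
    m = _LINE.match(raw)
    if not m:
        raise ValueError("not an RFC 3164 message: %r" % raw[:40])
    pri = int(m.group("pri"))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError("PRI %d out of range" % pri)
    facility, severity = divmod(pri, 8)
    ts = " ".join(m.group("ts").split())  # "Jul  7" -> "Jul 7" for strptime
    stamp = datetime.strptime("%d %s" % (year or datetime.now().year, ts),
                              "%Y %b %d %H:%M:%S")
    return {
        "pri": pri,
        "facility": FACILITIES[facility],
        "severity": SEVERITIES[severity],
        "timestamp": stamp,
        "host": m.group("host"),
        "tag": m.group("tag"),
        "pid": int(m.group("pid")) if m.group("pid") else None,
        "message": m.group("msg"),
        # a sender that ignores the limit produces a datagram the RFC says
        # a receiver may truncate; surface that instead of silently losing it
        "oversize": len(raw.encode("utf-8")) > MAX_LEN,
    }


if __name__ == "__main__":
    # the slide's sample message, joined onto one line
    sample = "<133>Jul 17 13:55:51 MachineName SyslogTag: Here's my custom message."
    for k, v in parse_syslog(sample, year=2006).items():
        print("%-10s %s" % (k, v))
```

Feeding the slide's message through `parse_syslog` gives facility `local0`, severity `notice`, host `MachineName`, tag `SyslogTag`; a PRI above 191 is rejected rather than mapped onto a nonsense facility.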
A Basic Syslog Implementation
Advantages of Syslog
- Your network guys understand it
- It’s probably already allowed on every firewall and router in your environment
- (Almost) everything supports it
- It’s LEAN, so network traffic isn’t typically a concern
- It will be around for a long time
Advantages of Syslog (cont’d)
- Even if you buy a vendor product, they’ll support it
- A lot of vendor solutions are based on syslog-reliable
Disadvantages of Syslog
- You’re on your own for creating reports, maintaining code changes, support, etc.
- Traditional Syslog is UDP (unreliable)
- Not supported natively in Windows
- It’s not encrypted, but you can tunnel it (IPSec) – which also makes it more reliable
- 1k limit on message (RFC) (maybe 4k)
- Scalability
And along comes Syslog-NG and Syslog Reliable
- Syslog-ng came out before the RFC standard, though the Syslog Reliable RFC is largely based on NG
- Many syslog-ng implementations are now actually Syslog Reliable under the hood
- Reliable has 2 modes: RAW & COOKED
- WinSyslog has supported syslog-ng for a long while and has always been active on the RFC 3195 committee (Rainer Gerhards)
Advantages of Reliable
- Does everything Syslog does
- TCP based, reliable delivery, confidentiality, integrity, authentication
- Provides for Relays and Collectors
- More customization options
- A single system can be a device, relay, collector, or all three
- Due to the path information you get both SENDER time and RECEIVER time
Disadvantages of Reliable
- You’re on your own for creating reports, maintaining code changes, support, etc.
- Not everyone has implemented the RFC
- Some poor implementations open the TCP channel for EACH MESSAGE (ouch!)
- Not clear on maximum message size (especially in RAW mode)
Disadvantages of Reliable (cont’d)
- Still doesn’t provide the YEAR in the timestamp
- Still not widely implemented (including Windows)
- More customization options
A Simple Syslog Reliable Implementation
So… What about Windows?
We want to turn this (a Windows Security event log entry, shown as a screenshot):
Into this syslog message:

<pri>Dec 22 9:42:26 192.168.131.67 528: NT AUTHORITY\LOCAL SERVICE Successful Logon: UserName: LOCAL SERVICE Domain: NT AUTHORITY Logon ID: (0x0,0x3E5) Logon Type: 5 Logon Process: Advapi Authentication Package: Negotiate Workstation Name: Logon GUID: - Caller User Name: MACHINENAME$ Caller Domain: Caller Logon ID: (0x0,0x3E7) Caller Process ID: 280 Transited Services: - Source Network Address: - Source Port:
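What an agent such as NTSyslog or Snare does with that event is mechanical: pick a facility and severity, build the PRI, stamp the line with the RFC 3164 timestamp, use the Event ID as the tag, flatten the multi-line event text into one message and keep it under the 1k limit. The code below is an added example for this page, not the source of any of the agents or of the logger tool discussed later; the event record is a constructed dict with the same fields the slide shows, and the mapping to facility `auth` with severity `notice` for a success audit (`warning` for a failure audit) is this example's own choice. The `send_lines` function does what the slides describe for `logger -f`: one syslog message per input line, over a UDP socket or any other sender you pass in.

```python
import socket
from datetime import datetime

# RFC 3164 numeric codes for the facilities and severities this example uses
FACILITY = {"auth": 4, "authpriv": 10, "local0": 16, "local1": 17}
SEVERITY = {"err": 3, "warning": 4, "notice": 5, "info": 6}
MAX_LEN = 1024  # the RFC's "1k limit" on one datagram


def pri(facility, severity):
    """PRI = facility * 8 + severity, e.g. auth/notice -> 37."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def format_syslog(facility, severity, host, tag, message, when=None):
    """Build one RFC 3164 datagram as bytes.

    The message is flattened to a single line (one event == one message) and
    cut to MAX_LEN bytes without tearing a multibyte UTF-8 character.
    """
    when = when or datetime.now()
    # "Mmm dd hh:mm:ss": the day is space-padded and there is no year field
    stamp = "%s %2d %s" % (when.strftime("%b"), when.day, when.strftime("%H:%M:%S"))
    body = " ".join(message.split())  # collapse newlines and runs of blanks
    line = "<%d>%s %s %s: %s" % (pri(facility, severity), stamp, host, tag, body)
    data = line.encode("utf-8", "replace")
    if len(data) > MAX_LEN:
        data = data[:MAX_LEN].decode("utf-8", "ignore").encode("utf-8")
    return data


def windows_event_to_syslog(event, host, when=None):
    """Map a Windows Security event (dict of the fields an agent reads from the
    event log) to one syslog line whose tag is the Event ID, as on the slide.
    The facility/severity choice here is this example's assumption."""
    fields = " ".join("%s: %s" % (k, v) for k, v in event["fields"].items())
    message = "%s %s: %s" % (event["user"], event["type"], fields)
    severity = "notice" if event["audit"] == "success" else "warning"
    return format_syslog("auth", severity, host, str(event["id"]), message, when)


def send_lines(lines, sendto, facility="local0", severity="info",
               host="localhost", tag="logger"):
    """logger -f equivalent: every non-blank line of the input becomes its own
    syslog message. `sendto` is any callable that takes the datagram bytes."""
    sent = 0
    for raw in lines:
        text = raw.rstrip("\r\n")
        if not text:
            continue  # a blank line carries no event, so skip it
        sendto(format_syslog(facility, severity, host, tag, text))
        sent += 1
    return sent


def udp_sender(server, port=514):
    """Return a sendto() callable that ships datagrams to a syslog daemon."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    return lambda data: sock.sendto(data, (server, port))


# Constructed sample: the Event ID 528 record from the slide as field/value pairs
EVENT_528 = {
    "id": 528, "audit": "success", "type": "Successful Logon",
    "user": "NT AUTHORITY\\LOCAL SERVICE",
    "fields": {
        "UserName": "LOCAL SERVICE", "Domain": "NT AUTHORITY",
        "Logon ID": "(0x0,0x3E5)", "Logon Type": 5, "Logon Process": "Advapi",
        "Authentication Package": "Negotiate", "Caller User Name": "MACHINENAME$",
        "Caller Logon ID": "(0x0,0x3E7)", "Caller Process ID": 280,
    },
}


def slide_example():
    """The slide's 528 event rendered with the slide's timestamp (Dec 22 09:42:26)."""
    return windows_event_to_syslog(EVENT_528, "192.168.131.67",
                                   datetime(2005, 12, 22, 9, 42, 26))


if __name__ == "__main__":
    print(slide_example().decode())
    # to ship a file line-by-line like "logger -f file -l server":
    # with open("webserver_today.log") as f: send_lines(f, udp_sender("syslogserver"))
```

Because `send_lines` takes the sender as a parameter, the same function feeds a real UDP socket in production and a list in a test, which is also how you would check what an agent actually puts on the wire before a collector sees it.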
Windows Syslog Agents
- NTSyslog (no longer in development): sends everything by category
- Snare (InterSect Alliance): allows you to parse before sending
- Lasso (newly released by LogLogic): Syslog Reliable
- Many others on sourceforge.net and download.com etc.
NTSyslog
Snare
Snare (cont’d)
Windows Syslog Daemons (server)
- WinSyslog
- Kiwi Syslog
- Snare Server ($$); there’s also a ‘lite’ version called Snare Micro Server
- Linux / Unix (all versions have syslog)
- Again, see sourceforge.net & download.com
WinSyslog
- Syslog Reliable
- Filter by many conditions
- Many Actions to take when filter valid (true)
- Log to File and/or DB most common
- “Discard” is very valuable

WinSyslog (cont’d)
WinSyslog (cont’d)
Logging to Database
- Simple table with ReceivedAt, DeviceReportedTime, Facility, Priority, FromHost, Message, SyslogTag
- No Indices (indexes)
- No Primary Keys
- Poor Database Support - but see the “Database” discussion group :-)
Logging Problems
- Database Blocking
- Nightly Deletes / Transaction log explodes
- Nightly Maintenance / run too long
- Split Database & File Logging
- File Logging & Nightly Import
- Hourly Deletes
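The two slides above describe the same table and the problems it causes once it fills up: no primary key or index, so every purge is a table scan; one big nightly delete, so the transaction log balloons and other writers block for the duration. The SQLite script below is an added example written for this page (it is not WinSyslog's schema or any vendor's code): it keeps the slide's column list but adds a primary key and a `ReceivedAt` index, inserts in batches, and replaces the nightly delete with a small-batch purge meant to run hourly. The sample rows are constructed, and `SystemEvents` as the table name is this example's choice.

```python
import sqlite3
from datetime import datetime, timedelta

# ISO-style text timestamps sort chronologically, so a range index works on them
FMT = "%Y-%m-%d %H:%M:%S"

# The slide's columns plus a primary key and the indexes the slide says are missing
SCHEMA = """
CREATE TABLE IF NOT EXISTS SystemEvents (
    ID                 INTEGER PRIMARY KEY,
    ReceivedAt         TEXT NOT NULL,
    DeviceReportedTime TEXT,
    Facility           INTEGER,
    Priority           INTEGER,
    FromHost           TEXT,
    Message            TEXT,
    SysLogTag          TEXT
);
CREATE INDEX IF NOT EXISTS ix_SystemEvents_ReceivedAt ON SystemEvents (ReceivedAt);
CREATE INDEX IF NOT EXISTS ix_SystemEvents_Host ON SystemEvents (FromHost, ReceivedAt);
"""


def open_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def insert_events(conn, rows):
    """rows: (ReceivedAt, DeviceReportedTime, Facility, Priority, FromHost, Message, SysLogTag).
    One transaction per batch, not one per message, keeps the writer fast."""
    rows = list(rows)
    with conn:
        conn.executemany(
            "INSERT INTO SystemEvents (ReceivedAt, DeviceReportedTime, Facility, "
            "Priority, FromHost, Message, SysLogTag) VALUES (?, ?, ?, ?, ?, ?, ?)", rows)
    return len(rows)


def purge_older_than(conn, now, hours=24, batch=500):
    """Delete events received more than `hours` before `now` (a FMT string),
    `batch` rows per transaction. Small, frequent batches keep each
    transaction (and the lock it holds) short instead of one huge nightly delete."""
    cutoff = (datetime.strptime(now, FMT) - timedelta(hours=hours)).strftime(FMT)
    deleted = 0
    while True:
        with conn:
            cur = conn.execute(
                "DELETE FROM SystemEvents WHERE ID IN "
                "(SELECT ID FROM SystemEvents WHERE ReceivedAt < ? "
                " ORDER BY ReceivedAt LIMIT ?)", (cutoff, batch))
        if cur.rowcount <= 0:
            return deleted
        deleted += cur.rowcount


def count_events(conn):
    return conn.execute("SELECT COUNT(*) FROM SystemEvents").fetchone()[0]


def seed_sample(conn, now, n=30):
    """Constructed sample data: one event per hour going back n hours from `now`."""
    base = datetime.strptime(now, FMT)
    rows = []
    for i in range(n):
        stamp = (base - timedelta(hours=i)).strftime(FMT)
        rows.append((stamp, stamp, 4, 37, "192.168.131.67",
                     "Successful Logon (constructed sample)", "528"))
    return insert_events(conn, rows)


if __name__ == "__main__":
    db = open_db()
    seed_sample(db, "2006-01-01 12:00:00")
    removed = purge_older_than(db, "2006-01-01 12:00:00", hours=24, batch=2)
    print("purged %d, %d remain" % (removed, count_events(db)))
```

The `DELETE ... WHERE ID IN (SELECT ... LIMIT ?)` loop is the portable shape of a batched purge; on SQL Server the same idea is `DELETE TOP (n)` in a loop, and the point is identical: the transaction log only ever has to hold one batch, and readers get a turn between batches.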
Tail & Logger (Syslog’s Best Friends)
- Tail allows you to view the “tail end” of a file
- Tail -f will show new messages as they arrive
- Logger sends a file to a Syslog daemon
  - Sends entire file, line-by-line
  - Each line is a separate Syslog message
  - UDP, TCP, or 3195RAW (not Cooked)
  - Can send a single “custom message” log line
  - Can specify Priority
Uses for Logger (cont’d)
- logger -f webserver_today.log -l syslogserver -m 3195raw
- tail -f webserver.log | logger -l dest -m proto
- You can do the same thing with FW1 logs!!
- autorunsc -c -m | logger -l dest -m proto
Where do vendor products fit in?
- Homegrown can be a lot of work - vendor solutions are “out of the box”
- There is a LOT of value in doing this in-house to learn what you need (including event volumes)
- Do you need forensics abilities or just reporting (SEM vs SIM)?
- Real-time correlation is exceptionally difficult
- Does the vendor provide for all your platforms?
- Don’t include building of reports into your decision – you’ll ALWAYS have to build
Various Sites
- The most important: www.loganalysis.org

Syslog Tools
- WinSyslog Server (Adiscon): http://www.monitorware.com
- KiwiSyslog Server: http://www.kiwisyslog.com
- Snare Agents for Windows, IIS, ISA, Apache, etc…: http://snare.sourceforge.net
- Lasso (syslog-reliable based on Snare source): http://lassolog.sourceforge.net
- Modular Syslog (BSD flavours, Unix, Linux only): http://msyslog.sourceforge.net and http://msyslogui.sourceforge.net
- NTSyslog (no longer in development): http://ntsyslog.sourceforge.net

Windows Security Eventlog Information
- Altair Technologies Event ID database: http://www.eventid.net
- Randy Franklin Smith’s Event Encyclopedia: http://www.ultimatewindowssecurity.com/encyclopedia.html
Other Open Source Tools
- Privateye (SIM): http://privateye.sourceforge.net
- Splunk (Google for log files – no more to be said.): http://www.splunk.com
- Simple Event Correlator: http://simple-evcorr.sourceforge.net
Whitepapers & Other Reading
- SANS Top 5 Essential Log Reports: http://www.sans.org/resources/top5_logreports.pdf
- The Ins and Outs of System Logging Using Syslog: http://www.sans.org/reading_room/whitepapers/logging/1168.php
- BSD Syslog (RFC 3164): http://www.networksorcery.com/enp/rfc/rfc3164.txt
- Syslog Reliable (RFC 3195): http://www.networksorcery.com/enp/rfc/rfc3195.txt
- BEEP Protocol (RFC 3080): http://www.networksorcery.com/enp/rfc/rfc3080.txt
- Draft Special Publication 800-92, Guide to Computer Security Log Management: http://csrc.nist.gov/publications/drafts.html
Complementary Tools
- Any “tail” utility: http://www.baremetalsoft.com (GUI based, allows color coding for manual review & highlighting of interesting entries in realtime)
- A command-line tail utility: the Windows 2003 Resource Kit comes with a tail.exe
- Logger (Unix port of command line tool): http://www.monitorware.com/logger
xNix-only Tools
- Logcheck (http://sourceforge.net/projects/logcheck): parses logs looking for “interesting” patterns (includes an ignore file); output is straightforward for admins – good to mail to yourself for daily reviews
- Logwatch (http://www.logwatch.org): similar to Logcheck, but summarizes all entries and the number of times they occurred
- Swatch (http://swatch.sourceforge.net): regex to monitor log files in real time (alert via pager, mail)
- LogSurfer (http://www.cert.dfn.de/eng/logsurf/): realtime monitoring of any log file – a little more verbose than Swatch