Centralized Logging - Finger Lakes Community College


Centralized Logging
Bill Kramp, Network Administrator
Finger Lakes Community College
SUNY Technology Conference
June 14, 2004
Centralized Logging
Logging Windows events and syslog messages to a central server for analysis.

Overview
- Reasons to log
- Centralized logging and analysis
- Unix
- Windows
- Open source
- Commercial
- Home brew solution at FLCC

Reasons to log events
- Record security events
- Monitoring applications
- Configuration changes
- Sarbanes-Oxley Act compliance
- HIPAA compliance
- Low in carbs!

Reasons for Centralized Logging
- Correlation of data
- Manageability
- Data integrity
- Time synchronization
- Real-time alert capability
- Single backup location for log data

Log Analysis Process
- Data Sources
- Filtering
- Normalization
- Aggregation
- Correlation
- Report/Display

Data Sources
- Windows – Event logs and applications
- Unix – syslog and applications
- Firewalls
- Routers
- Intrusion Detection Systems
- Host Intrusion Systems
- SNMP traps
- Honeypots

Windows Events
- Application
- System
- Security

Windows Events (Win2003)
- Application
- System
- Security
- DNS Server
- Directory
- File Replication

Security Event Categories
- Logon events
- Account logon events
- Object access events
- Directory Service access events
- Privilege use events
- Process tracking events
- System events
- Policy change events

Syslog basics
- UDP messages sent on port 514
- Three parts to a message:
  - PRI (priority)
  - Header
  - MSG (message)
- PRI contains the severity and facility

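How the PRI is decoded, as an added example that is not part of the presentation: the number inside the angle brackets is facility × 8 + severity, so one divmod recovers both, and a severity threshold is just a comparison on the code. The sample datagram is constructed in the PIX style shown later in the deck and assumes the firewall logs to the local4 facility.

```python
import re

# RFC 3164 facility codes 0-23 and severity codes 0-7 (names as commonly used by syslogd).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI> immediately followed by the header (TIMESTAMP and HOSTNAME), then the free-form MSG.
SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
                       r"(?P<host>\S+) (?P<msg>.*)$")

def split_syslog(line):
    """Split a BSD-style syslog datagram into its PRI, header and MSG parts."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog message: %r" % line)
    pri = int(m.group("pri"))
    if pri > 191:                        # 23 * 8 + 7 is the largest legal PRI
        raise ValueError("PRI out of range: %d" % pri)
    facility, severity = divmod(pri, 8)  # PRI = facility * 8 + severity
    return {"facility": FACILITIES[facility], "severity": SEVERITIES[severity],
            "timestamp": m.group("ts"), "host": m.group("host"), "msg": m.group("msg")}

def at_least(record, level):
    """True when the record is at least as severe as `level` (lower code = more severe)."""
    return SEVERITIES.index(record["severity"]) <= SEVERITIES.index(level)

# Constructed sample: a PIX login message as it would arrive on UDP/514, assuming the
# firewall logs to the local4 facility (20 * 8 + 6 = 166 for an informational message).
SAMPLE = ('<166>Jun  4 23:15:38 192.168.1.1 %PIX-6-605005: Login permitted from '
          '192.168.1.52/3149 to inside:192.168.1.1/https for user "enable_15"')

if __name__ == "__main__":
    rec = split_syslog(SAMPLE)
    print(rec["facility"], rec["severity"], "| error or worse:", at_least(rec, "err"))
```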
Unix syslog
- boot
- cron
- secure
- E-mail
- Kernel
- Local (0-7)

*nix Syslog Alternatives
- Syslog-ng – www.balabit.com/products/syslog_ng/
- SDSC Secure Syslog – sourceforge.net/projects/sdscsyslog/
- Modular Syslog – www.corest.com/corelabs/

Windows Syslog Alternatives
- Kiwi syslog – www.kiwisyslog.com
- Winsyslog – www.adiscon.com
- SL4NT – www.netal.com
- Syslog Daemon – www.triaction.nl
- Cisco syslog – www.cisco.com
- 3com Daemon – www.3com.com

Centralized Windows Events
- LogAnalyst for Windows 2000 Server
  - Central database of events
  - Built-in report generator
  - Available with Win2000 Resource Kit
  - GUI interface
  - www.cybersafe.com/centrax/cla1.html

Forwarding Windows Events
- Snare – www.intersect-alliance.com
- NTsyslog – ntsyslog.sourceforge.net
- Event Reporter – eventreporter.com
- Win32::EventLog – www.cpan.org

Commercial Log Analysis Tools
- enVision – www.opensystems.com
- Snare – www.intersect-alliance.com
- ServerVision – sunbelt-software.com
- MoniLog – www.monilog.com
- GFI LANguard – www.gfi.com
- neuSECURE – www.guarded.net

MoniLog
- Handles syslog and Windows events
- Windows based
- Rule engine to include or discard messages
- Reports distributed by HTML or e-mail

enVision
- Many options for reports, nice console
- Appliance solution
- Models sold by the required sustained events per second.
- Hardware supported:
  - *nix
  - Firewalls
  - Switches
  - IDSs

neuSECURE
- Handles many log formats:
  - Unix syslog
  - Windows events
  - SNMP traps
- Event aggregation
- Threat correlation

Open Source Monitoring Tools
- Swatch – swatch.sourceforge.net
- Logsurfer+ – www.crypt.gen.nz/logsurfer
- LogSentry – www.psionic.com
- POE – poe.perl.org
- SEC – simple-evcorr.sourceforge.net

Swatch
- “Grandfather” of log monitoring tools
- Simple expression matching
- Matches can trigger:
  - Execution of scripts
  - Echoing the match to the console
- Throttle option to limit matches for a period of time.

POE – Perl Object Environment
- Multitasking using events & handlers
- Can create separate objects to monitor multiple log files.
- Tasks run in a single process
- Handlers can’t be interrupted
- DBI support for MySQL, etc.
- Support for pre-forking web server

Simple Event Correlator
- Applies pattern matching to files or pipes.
- Rules for establishing both a low and a high level threshold setting.
- Pairing of multiple events within a time window.
- Suppression rules.

Home Brew Solution

Log Sources
- PIX Firewalls
  - Primary and redundant PIX firewalls
  - Extension Center PIX firewalls
  - X-net PIX firewalls
- Windows Servers: DNS, Web, SAN
- Linux Servers: DNS, service monitoring
- SNMP traps: network switches, UPSs

FLCC Project
- Need to send all log messages from the different sources to a single logging server.
- Save all the raw data, and burn to DVD.
- Filter out incidents (messages) that are not important.
- Normalize the data from the different sources.
- Write filtered data to database.
- Display the important events on a single web based interface.

Normalization Issue

PIX: Oct 8 23:55:02 172.16.254.254 Oct 08 2003 23:55:01: %PIX-6-302014: Teardown TCP connection 2749949 for outside:24.24.54.63/4910 to dmz1:172.19.1.7/8900 duration 0:00:15 bytes 9995 TCP Reset-O

Honeypot: 2004-06-10-12:52:18.0891 tcp(6) S 172.17.203.61 33015 172.17.222.1 80

Windows: Jun 10 08:52:39 krampwd-network MSWinEventLog 1 System 9717 Thu Jun 10 08:52:39 2004 18 Automatic Updates N/A N/A Information KRAMPWD-NETWORK Disk Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on Thursday, June 10, 2004 at 11:00 AM. - Security Update for DirectX 8.1 (KB839643) 1

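One way to normalize the three layouts above into a single record structure, as an added example that is not the FLCC code (which was written in Perl with POE): the samples are constructed copies of the slide's messages, and the field positions in the Windows line are assumed from the tab-separated layout Snare emits.

```python
import re
from datetime import datetime

# Constructed copies of the slide's three messages; the Windows line is tab-separated as
# Snare emits it, with the field positions below assumed from that layout.
PIX = ("Oct  8 23:55:02 172.16.254.254 Oct 08 2003 23:55:01: %PIX-6-302014: Teardown TCP "
       "connection 2749949 for outside:24.24.54.63/4910 to dmz1:172.19.1.7/8900 "
       "duration 0:00:15 bytes 9995 TCP Reset-O")
HONEYPOT = "2004-06-10-12:52:18.0891 tcp(6) S 172.17.203.61 33015 172.17.222.1 80"
WINDOWS = ("Jun 10 08:52:39 krampwd-network MSWinEventLog\t1\tSystem\t9717\t"
           "Thu Jun 10 08:52:39 2004\t18\tAutomatic Updates\tN/A\tN/A\tInformation\t"
           "KRAMPWD-NETWORK\tDisk\tInstallation Ready: updates are downloaded\t1")

PIX_RE = re.compile(r"^\w{3}\s+\d+ [\d:]+ (?P<relay>\S+) (?P<ts>\w{3} \d\d \d{4} [\d:]+): "
                    r"%PIX-(?P<sev>\d)-(?P<id>\d+): (?P<msg>.*)$")
ADDR_RE = re.compile(r"\b\w+:(\d+\.\d+\.\d+\.\d+)/(\d+)")   # interface:ip/port pairs
HP_RE = re.compile(r"^(?P<ts>\S+) (?P<proto>\w+)\(\d+\) (?P<flags>\S+) (?P<sip>\S+) (?P<sp>\d+) "
                   r"(?P<dip>\S+) (?P<dp>\d+)$")
WIN_SEV = {"Error": 3, "Warning": 4, "Information": 6}  # Windows type -> syslog severity

def normalize(line):
    """Map a PIX, honeypot or Snare line onto one record layout:
    source, time, host, severity (0-7 syslog scale), event, src, dst, msg."""
    m = PIX_RE.match(line)
    if m:
        addrs = ["%s:%s" % pair for pair in ADDR_RE.findall(m.group("msg"))] + [None, None]
        return dict(source="pix", time=datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S"),
                    host=m.group("relay"), severity=int(m.group("sev")),
                    event="PIX-" + m.group("id"), src=addrs[0], dst=addrs[1], msg=m.group("msg"))
    if "MSWinEventLog\t" in line:
        header, _, body = line.partition("MSWinEventLog\t")
        f = body.split("\t")   # assumed: criticality, log, counter, date, event id, source,
                               # user, SID type, type, computer, category, data, checksum
        return dict(source="windows", time=datetime.strptime(f[3], "%a %b %d %H:%M:%S %Y"),
                    host=header.split()[3], severity=WIN_SEV.get(f[8], 5),
                    event="%s/%s" % (f[1], f[4]), src=None, dst=None, msg=f[11])
    m = HP_RE.match(line)
    if m:
        return dict(source="honeypot", time=datetime.strptime(m.group("ts")[:19], "%Y-%m-%d-%H:%M:%S"),
                    host=m.group("dip"), severity=4, event="%s-%s" % (m.group("proto"), m.group("flags")),
                    src="%s:%s" % (m.group("sip"), m.group("sp")),
                    dst="%s:%s" % (m.group("dip"), m.group("dp")), msg=line)
    raise ValueError("unrecognised log format: %r" % line)
```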
Filtered HTML Report
Jun 4 23:17:30 192.168.1.1 %PIX-3-710003: TCP access denied by ACL from 192.168.1.9/32771 to inside:192.168.1.1/telnet
Jun 4 23:16:14 192.168.1.1 %PIX-7-111009: User 'enable_15' executed cmd: show ip address outside
Jun 4 23:15:38 192.168.1.1 %PIX-6-605005: Login permitted from 192.168.1.52/3149 to inside:192.168.1.1/https for user "enable_15"
Jun 4 23:15:31 192.168.1.1 %PIX-6-605004: Login denied from 192.168.1.52/3148 to inside:192.168.1.1/https for user "enable_15"
Jun 4 23:13:39 192.168.1.1 %PIX-6-302010: 1 in use, 76 most used
Jun 4 23:03:39 192.168.1.1 %PIX-6-302010: 4 in use, 76 most used

Event 1 Graph – Jan 25, 2003
Slammer Syslog Entries
Jan 25 00:29:42 router Jan 25 2003 01:32:12: %PIX-4-106023: Deny udp src outside:216.120.67.34/2596 dst library:192.156.234.247/1434 by access-group "acl-outside"

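The threshold and suppression rules of the Simple Event Correlator, applied to deny messages like the Slammer entry above; this is an added example, not SEC itself and not FLCC's code. It counts denies per source address and destination port inside a sliding time window, alerts once the threshold is reached, and stays quiet for that key for the rest of the window. The sample lines are constructed from the entry above with varied timestamps and one unrelated source address.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Device timestamp, then the PIX deny message; `search` skips the relay's own prefix.
DENY_RE = re.compile(r"(?P<ts>\w{3} \d\d \d{4} \d\d:\d\d:\d\d): %PIX-4-106023: Deny (?P<proto>\w+) "
                     r"src \w+:(?P<sip>[\d.]+)/\d+ dst \w+:(?P<dip>[\d.]+)/(?P<dport>\d+)")

class ThresholdRule:
    """Alert once when `threshold` events for a key fall inside `window` seconds, then stay
    quiet for that key until the window has elapsed (the idea behind SEC's SingleWithThreshold)."""
    def __init__(self, threshold, window):
        self.threshold, self.window = threshold, timedelta(seconds=window)
        self.seen = defaultdict(deque)   # key -> timestamps still inside the window
        self.quiet_until = {}

    def feed(self, key, when):
        q = self.seen[key]
        q.append(when)
        while q and when - q[0] > self.window:   # expire events older than the window
            q.popleft()
        if key in self.quiet_until and when < self.quiet_until[key]:
            return None                          # suppressed: already alerted for this key
        if len(q) >= self.threshold:
            self.quiet_until[key] = when + self.window
            q.clear()
            return "%s: %d denies within %ds" % (key, self.threshold, self.window.total_seconds())
        return None

def scan(lines, threshold=3, window=60):
    """Run the rule over PIX syslog lines, keyed by source address and destination port."""
    rule, alerts = ThresholdRule(threshold, window), []
    for line in lines:
        m = DENY_RE.search(line)
        if not m:
            continue
        when = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
        key = "%s -> %s/%s" % (m.group("sip"), m.group("proto"), m.group("dport"))
        alert = rule.feed(key, when)
        if alert:
            alerts.append(alert)
    return alerts

# Constructed sample: four denies from one host in eight seconds, plus one unrelated source.
LINE = ('Jan 25 00:29:42 router Jan 25 2003 %s: %%PIX-4-106023: Deny udp src outside:%s/2596 '
        'dst library:192.156.234.247/1434 by access-group "acl-outside"')
SAMPLE = [LINE % (t, "216.120.67.34") for t in ("01:32:12", "01:32:13", "01:32:15", "01:32:20")]
SAMPLE.append(LINE % ("01:32:30", "198.51.100.7"))
```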
Event 2 Graph – Oct. 9, 2003
Welchia Syslog Entries
Oct 9 13:43:00 172.16.254.254 Oct 09 2003 13:42:59: %PIX-3-305005: No translation group found for icmp src student:172.17.203.169 dst inside:172.16.46.148 (type 8, code 0)

Event 2 Graph Detail
Open Source Tools Used
- Syslog-ng
- Snare
- POE – Perl Object Environment
- GD Graphics Library – www.boutell.com
- GD::Graph module by Martien Verbruggen
- MySQL
- Apache
- SEC – Simple Event Correlator
- CRM-114 Bayesian Filter

What’s the solution?
- Depends on data sources
- Supported operating systems
- What are the report/alert requirements?
- Comfort level with open source
- Affordable commercial solutions

Things to consider
- Throughput (messages per second)
- Hashing signatures
- Encryption
- Bayesian and statistical filters
- Stealth logging

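The hashing signatures point above, as an added example that is not part of the presentation: each record stored on the central server is tagged with an HMAC over the previous tag and the record text, so an edited, deleted or reordered record breaks its own tag and every tag after it. The key is a constructed placeholder and the sample records are lines from the filtered report earlier in the deck.

```python
import hashlib
import hmac

SEED = b"\x00" * 32   # tag "before" the first record; a real chain would persist the last tag

def chain_records(records, key):
    """Attach a tag to each record: HMAC-SHA256 over the previous tag and the record text."""
    prev, chained = SEED, []
    for rec in records:
        tag = hmac.new(key, prev + rec.encode("utf-8"), hashlib.sha256).digest()
        chained.append((rec, tag.hex()))
        prev = tag
    return chained

def verify_chain(chained, key):
    """Recompute the chain; return -1 if every tag verifies, else the index of the first
    record that fails (an edit, deletion or reorder breaks that tag and all later ones)."""
    prev = SEED
    for i, (rec, tag_hex) in enumerate(chained):
        expect = hmac.new(key, prev + rec.encode("utf-8"), hashlib.sha256).digest()
        if not hmac.compare_digest(expect, bytes.fromhex(tag_hex)):
            return i
        prev = expect
    return -1

# Constructed sample: a placeholder key and three PIX lines taken from the filtered report.
KEY = b"constructed-demo-key-replace-in-production"
RECORDS = [
    'Jun 4 23:15:31 192.168.1.1 %PIX-6-605004: Login denied from 192.168.1.52/3148 to inside:192.168.1.1/https for user "enable_15"',
    'Jun 4 23:15:38 192.168.1.1 %PIX-6-605005: Login permitted from 192.168.1.52/3149 to inside:192.168.1.1/https for user "enable_15"',
    'Jun 4 23:17:30 192.168.1.1 %PIX-3-710003: TCP access denied by ACL from 192.168.1.9/32771 to inside:192.168.1.1/telnet',
]

def tamper_demo():
    """Return verification results for the intact chain, an edited record, and a dropped record."""
    good = chain_records(RECORDS, KEY)
    edited = list(good)
    edited[0] = (edited[0][0].replace("denied", "permitted"), edited[0][1])
    dropped = [good[0], good[2]]        # record 1 silently removed from the middle
    return verify_chain(good, KEY), verify_chain(edited, KEY), verify_chain(dropped, KEY)
```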
Hardware Issues
- Dual processors and/or hyper-threading
- Lots of memory
- Fast SCSI drives
- DVD or tape for data backups
- Separate servers for data collection and database.

Web Resources
- http://www.loganalysis.org
- http://rr.sans.org
- http://www.microsoft.com/technet/

www.loganalysis.org Site
- Centralizing Logging
- Complete Reference Guide to Creating a Remote Log Server
- Configuring and using syslogd to collect logging messages on systems running Solaris 2.x
- Centralized Logging using Logsentry in a Large UNIX Environment – Saleem Kazmi paper for SANS GIAC certification
- Practical Implementations of syslog in Mixed Windows Environments for Secure Centralized Audit Logging – from the SANS reading room

rr.SANS.org Reading Room
Logging Issues
- The Importance of Logging and Traffic Monitoring for Information Security – Seham GadAllah, April 19, 2004
- Centralizing Event Logs on Windows 2000 – Gregory Lalla, GSEC, April 4, 2003
- Security Management Systems: An Oversite Layer for Layers of Defense – Dan Keldsen, September 4, 2003
- The Ins and Outs of System Logging Using Syslog – Ian Eaton, GSEC-3077, August 14, 2003

Mixed Environment Logging
Garbrecht, Frederick C. Practical Implementation of Syslog in Mixed Windows Environments for Secure Centralized Audit Logging. 10 June 2004. <http://www.sans.org/rr/papers/9/713.pdf>

Visualization Techniques
Takada, Tetsuji and Koike, Hideki. MieLog. 10 June 2004. Univ. of Electro-Communications. <http://www.vogue.is.uec.ac.jp/~koike/papers/mielog/FormattedPaperLISA02.pdf>

Filtering and Correlation
Chyssler, Tobias, Nadjm-Tehrani, Stefan and Burbeck, Kalle. Alarm Reduction and Correlation in Defense of IP Networks. 10 June 2004. <http://www.ida.liu.se/~rtslab/publications/2004/Chyssler04_wetice.pdf>

Books and Guides
- Bauer, Michael. Building Secure Servers with Linux. O’Reilly, 2002.
- Microsoft Solution for Securing Windows 2000 Server, Chapter 9: Auditing and Intrusion Detection. 10 June 2004. <http://www.microsoft.com/technet/Security/prodtech/win2000/secwin2k/default.mspx>

End of presentation
Please remember to fill out the form.
E-mail questions to [email protected]
The full presentation will be available online at my web page: http://paws.flcc.edu/~krampwd/presentations/

Thank you for attending.