Monitor DHCP Logs. EventTracker. EventTracker Centre Park Drive Columbia MD Publication Date: July 16, 2009

Transcription

1 Monitor DHCP Logs EventTracker Publication Date: July 16, 2009 EventTracker 8815 Centre Park Drive Columbia MD

2 Abstract This document highlights the major advantages of employing EventTracker to consolidate and manage Dynamic Host Configuration Protocol (DHCP) Server logs. The paper introduces at a high level the major design concepts that enable EventTracker to process, store and allow users to gain actionable intelligence from the millions of critical events generated by DHCP. DHCP event data contains a wealth of valuable information for Network Administrators and Security groups for controls, compliance and security. For example, an easy way to detect new network devices accessing the network is through analysis of the DHCP logs. To monitor DHCP logs using EventTracker, an EventTracker agent must be installed on the DHCP server. The information contained in this document represents the current view of Prism Microsystems Inc. on the issues discussed as of the date of publication. Because Prism Microsystems must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Prism Microsystems, and Prism Microsystems cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only. Prism Microsystems MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, this paper may be freely distributed without permission from Prism, as long as its content is unaltered, nothing is added to the content and credit to Prism is provided. Prism Microsystems may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Prism Microsystems, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred Prism Microsystems Corporation. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. 1

3 Table of Contents DHCP Logs... 3 Example DHCP Audit log... 6 Example: Using EventTracker to monitor and alert on DHCP Audit Log entries... 7 Monitoring Alerting Reporting About EventTracker About Prism Microsystems

4 DHCP Logs DHCP on Windows 2003 and Windows 2008 includes the ability to generate an audit log for the DHCP service. These logs include detailed descriptions of DHCP activity, including leases and renewals, starting and stopping of the DHCP service, and server error messages. The Event Log data also indicates the date and time of the event, as well as the full identity of the client involved (IP address, name and hardware address). DHCP logging is enabled by default. You can enable and disable logging by following the steps listed below: 1. Click the Start button, click Settings, and then click Control Panel. 2. Double-click Administrative Tools, and then double-click DHCP. 3. In the console tree, click the applicable DHCP server. 4. On the Action menu, click Properties. 5. On the General tab, select Enable DHCP audit logging, and then click OK. By default, DHCP logs are stored in the %systemroot%\system32\dhcp folder. The logs can be opened using Notepad. The storage location can also be changed by right-clicking a server in the DHCP console and choosing Properties. In the properties dialog box that opens, switch to the advanced tab and indicate the new audit log file path. The DHCP Server bases the name of the audit log file on the current day of the week, as determined by checking the current date and time at the server. For example, when the DHCP Server starts, if the current date and time is Monday, April 7, 2003, 04:56:42 P.M. the server audit log file is named: DhcpSrvLog-Mon.Log In Microsoft Windows NT and Microsoft Windows 2000, this same audit log file would be named as the following: DhcpSrvLog.Mon 3

5 The Following event IDs are used for DHCP Log monitoring for Windows Server ID Number DHCP Event 00 The log was started. 01 The log was stopped. 02 The log was temporarily paused due to low disk space. 10 A new IP address was leased to a client. 11 A lease was renewed by a client. 12 A lease was released by a client. 13 An IP address was found to be in use on the network. 14 A lease request could not be satisfied because the scope's address pool was exhausted. 15 A lease was denied. 16 A lease was deleted. 17 A lease was expired. 20 A BOOTP address was leased to a client. 21 A dynamic BOOTP address was leased to a client. 22 A BOOTP request could not be satisfied because the scope's address pool for BOOTP was exhausted. 23 A BOOTP IP address was deleted after checking to see it was not in use. 24 IP address cleanup operation has begun. 25 IP address cleanup statistics. 50+ Codes above 50 are used for Rogue Server Detection information. Table 1 If the DHCP server is configured to perform Domain Name System (DNS) dynamic updates on behalf of DHCP clients, the DHCP audit logs can be used to monitor update requests by the DHCP server for the DNS server. The audit logs can also be used to record DNS record update successes, as well as DNS record failures. The following event IDs are used for DNS dynamic update events: ID Number DHCP Event 30 DNS dynamic update request 31 DNS dynamic update failed 32 DNS dynamic update successful Table 2 4

6 The following are additional server log event ID codes and descriptions. These events can appear in logs made by DHCP servers running Windows Server They pertain to the applicable DHCP server and its authorization status when deployed in Active Directory environments. ID Number DHCP Event 50 Unreachable domain The DHCP server could not locate the applicable domain for its configured Active Directory installation. 51 Authorization succeeded. The DHCP server was authorized to start on the network 52 Upgraded to a Windows Server 2008 operating system The DHCP server was recently upgraded to a Windows Server 2008 operating system, and, therefore, the unauthorized DHCP server detection feature (used to determine whether the server has been authorized in Active Directory) was disabled. 53 Cached Authorization The DHCP server was authorized to start using previously cached information. AD DS could not be found at the time the server was started on the network. 54 Authorization failed The DHCP server was not authorized to start on the network. When this event occurs, it is likely followed by the server being stopped. 55 Authorization (servicing) The DHCP server was successfully authorized to start on the network. 56 Authorization failure, stopped servicing The DHCP server was not authorized to start on the network and was shut down by the operating system. You must first authorize the server in the directory before starting it again. 57 Server found in domain Another DHCP server exists and is authorized for service in the same domain. 58 Server could not find domain The DHCP server could not locate the specified domain. 59 Network failure A network-related failure prevented the server from determining if it is authorized. 60 No DC is DS Enabled No domain controller running Windows Server 2008 was located. For detecting whether the server is authorized, a domain controller that is enabled for AD DS is required. 61 Server found that belongs to DS domain Another DHCP server was found on the network that belongs to the Active Directory domain. 62 Another server found Another DHCP server was found on the network. 63 Restarting rogue detection The DHCP server is trying once more to determine whether it is authorized to 5

7 start and provide service on the network. 64 No DHCP enabled interfaces The DHCP server has its service bindings or network connections configured so that it is not enabled to provide service. This usually means one of the following: The network connections of the server are either not installed or not actively connected to a network. The server has not been configured with at least one static IP address for one of its installed and active network connections. All of the statically configured network connections for the server are disabled. Table 3 Example DHCP Audit log ID,Date,Time,Description,IP Address,Host Name,MAC Address 24,05/18/09,00:00:16,Database Cleanup Begin,,,, 25,05/18/09,00:00:16,0 leases expired and 0 leases deleted,,,, 25,05/18/09,00:00:16,0 leases expired and 0 leases deleted,,,, 24,05/18/09,00:40:16,Database Cleanup Begin,,,, 25,05/18/09,00:40:16,0 leases expired and 0 leases deleted,,,, 25,05/18/09,00:40:16,0 leases expired and 0 leases deleted,,,, 24,05/18/09,01:40:16,Database Cleanup Begin,,,, 25,05/18/09,01:40:16,0 leases expired and 0 leases deleted,,,, 25,05/18/09,01:40:16,0 leases expired and 0 leases deleted,,,, 24,05/18/09,02:40:17,Database Cleanup Begin,,,, 25,05/18/09,02:40:17,0 leases expired and 0 leases deleted,,,, 25,05/18/09,02:40:17,0 leases expired and 0 leases deleted,,,, 30,05/18/09,03:06:46,DNS Update Request, ,vssserver.prismusa.com,, 11,05/18/09,03:06:46,Renew, ,vssserver.prismusa.com,0008A1117C07, 32,05/18/09,03:06:46,DNS Update Successful, ,vssserver.prismusa.com,, 6

8 30,05/18/09,03:07:17,DNS Update Request, ,linen.prismusa.com,, 11,05/18/09,03:07:17,Renew, ,linen.prismusa.com,001111A0D578, 32,05/18/09,03:07:17,DNS Update Successful, ,linen.prismusa.com,, 30,05/18/09,03:15:34,DNS Update Request, ,erm10.PRISMTEST.com,, 11,05/18/09,03:15:34,Renew, ,erm10.PRISMTEST.com,000BDB113980, 32,05/18/09,03:15:34,DNS Update Successful, ,erm10.PRISMTEST.com,, Example: Using EventTracker to monitor and alert on DHCP Audit Log entries EventTracker uses Log File Monitor (LFM) in the Windows agent to access DHCP Server logs. To set up EventTracker Log File Monitoring perform the following steps: 1. Select the Start button, select All Programs, and then select Prism Microsystems. 2. Select EventTracker, and then select EventTracker Control Panel. Figure 1 3. Open up the Agent Configuration option and select the DHCP Server system from Select Systems combo box. 7

9 Figure 2 4. Click on Logfile Monitor tab and check Logfile Monitor check box. 8

10 Figure 3 5. Click on Add File Name, check the box Get All Existing Log Files and select CSV from Select Log File Type combo box. 9

11 Figure 4 6. Browse and select C:\windows\system32\dhcp path and click OK. Enter \DhcpSrvLog- *.log in Enter the log file(s) to be processed dialog box. Figure 5 7. Select 30 as Enter Header Line Number of the above file. The final file details screen looks as below: 10

12 Figure 6 8. The next screen will appear which will ask for the search string. Figure 7 9. Click on the Add String button and enter * in the Enter Search String text box. 11

13 Figure Click the OK button. The Search String screen will look like: Figure Click the OK button, then save the agent configuration. 12

14 Monitoring After completing the steps listed above, EventTracker will monitor all logs generated by DHCP. System Administrators can monitor specific groups of DHCP events like DHCP log started, stopped, paused, new IP address assigned, lease renewed, lease release, new IP address found in network, lease not satisfied, lease denied, lease deleted, lease expired, BOOTP assigned, BOOTP request not satisfied, BOOTP ip delete, dynamic BOOTP assigned, IP address cleaned up, cleaned up statistics, DNS update request, DNS update successful, DNS update failure. Alerting EventTracker can alert System Administrators on critical events such as DHCP BOOTP address assigned, BOOTP address deleted, BOOTP address not satisfied, DNS update failed, Dynamic BOOTP address leased, lease denied, lease expired, new IP address was leased, new IP address found in network, lease not satisfied, DHCP logging paused due to low disk space, DHCP logging stopped. These alerts can be received via , SNMP traps, or delivered to any text enabled device. It is also possible to deliver the alert details via RSS. Reporting EventTracker provides an exclusive reporting tool designed to generate requirement specific reports. Below are the sample reports created by EventTracker specific to DHCP logs. Report 1: DHCP Lease Renewed by client DHCP- Lease renewed by client Detail Report : Log Time Client Host Name Client IP Client MAC Computer Address Address 7/13/ :31 linux-3olh.prismusa.com F1F46F53A, NAVYBLUE 7/13/ :31 steelblue2.prismusa.com C552FA61, NAVYBLUE 7/13/ :31 dell FEAC13A, NAVYBLUE 7/13/ : DABD91, NAVYBLUE 7/13/ :31 crimson.prismusa.com C09F2B3D1F, NAVYBLUE 7/13/ :31 vssserver.prismusa.com A1117C07, NAVYBLUE 7/13/ :31 erm10.prismtest.com BDB113980, NAVYBLUE 7/13/ : BDBB7D9D5, NAVYBLUE 7/13/ :31 linen.prismusa.com A0D578, NAVYBLUE 13

15 7/13/ :31 navyblue.prismusa.com B7D0D81C1, NAVYBLUE 7/13/ :31 crimson.prismusa.com B48179D, NAVYBLUE 7/13/ :31 LEMONYELLOW.prismusa.com DB00FEA, NAVYBLUE 7/13/ :31 LEMONYELLOW.prismusa.com BBA1D15, NAVYBLUE 7/13/ :31 Plum.prismusa.com D7C1, NAVYBLUE 7/13/ :31 black.prismusa.com BB, NAVYBLUE 7/13/ :31 rallen.prismusa.com FDFA873, NAVYBLUE DHCP- Lease renewed by clients Report 2: DHCP Lease Denied. Computer LogTime Client IP Address Client Host Name Client MAC Address NAVYBLUE 7/13/ : B7D0D81C1, NAVYBLUE 7/13/ : B7D0D81C1, NAVYBLUE 7/13/ : B7D0D81C1, NAVYBLUE 7/13/ : B7D0D81C1, NAVYBLUE 7/13/ : B7D0D81C1, NAVYBLUE 7/13/ : B7D0D81C1, NAVYBLUE 7/13/ : B7D0D81C1, NAVYBLUE 7/13/ :26 11: B7D0D81C1, i Report 3: DHCP DNS update request report DHCP - DNS Update Request Detail Report: Computer Log Time Client Host Name Client IP Address NAVYBLUE 7/13/ :34 maroon.prismusa.com NAVYBLUE 7/13/ :34 salmon.prismusa.com NAVYBLUE 7/13/ :34 linen.prismusa.com NAVYBLUE 7/13/ :34 vssserver.prismusa.com NAVYBLUE 7/13/ :34 steelblue2.prismusa.com NAVYBLUE 7/13/ :34 dell

16 NAVYBLUE 7/13/ :34 crimson.prismusa.com NAVYBLUE 7/13/ :34 INDIANRED.prismusa.com NAVYBLUE 7/13/ :34 Cobaltblue.prismusa.com NAVYBLUE 7/13/ :34 salmon.prismusa.com Report 4: DHCP DNS updated successful. DHCP - DNS update successful Detail Report: Computer Log Time Client Host Name Client IP Address NAVYBLUE 7/13/ :32 Aqua.prismusa.com NAVYBLUE 7/13/ :32 navyblue.prismusa.com NAVYBLUE 7/13/ :32 rallen.prismusa.com NAVYBLUE 7/13/ :32 swisscoffee.prismusa.com NAVYBLUE 7/13/ :32 black.prismusa.com NAVYBLUE 7/13/ :32 Plum.prismusa.com NAVYBLUE 7/13/ :32 LEMONYELLOW.prismusa.com NAVYBLUE 7/13/ :32 LEMONYELLOW.prismusa.com NAVYBLUE 7/13/ :32 salmon.prismusa.com NAVYBLUE 7/13/ :32 maroon.prismusa.com NAVYBLUE 7/13/ :32 Cobaltblue.prismusa.com NAVYBLUE 7/13/ :32 Khakki.prismusa.com NAVYBLUE 7/13/ :32 erm6.prismusa.com NAVYBLUE 7/13/ :32 snow.prismusa.com NAVYBLUE 7/13/ :32 salmon.prismusa.com NAVYBLUE 7/13/ :32 INDIANRED.prismusa.com

17 About EventTracker EventTracker is a scalable, enterprise-class Security Information and Event Management (SIEM) solution for Windows systems, Syslog/Syslog NG (UNIX and many networking devices), SNMP V1/2, legacy systems, applications and databases. EventTracker enables defense in depth, where log data is automatically collected, correlated and analyzed from the perimeter security devices down to the applications and databases. To prevent security breaches, Event Log data becomes most useful when interpreted in near real time and in context. Context is vitally important because often the critical indications of impending problems and security violations can only be learned by watching patterns of events across multiple systems. Complex rules can be run on the event stream to detect signs of such a breach. EventTracker also provides realtime alerting capability in the form of an , page or SNMP message to proactively alert security personnel to an impending security breach. The original log data is securely stored in a highly compressed event repository for compliance purposes and later forensic analysis. For compliance, EventTracker provides a powerful reporting interface, scheduled or on-demand report generation, automated compliance workflows that prove to auditors that reports are being reviewed and many other features. With pre-built auditor grade reports included for most of the compliance standards (FISMA, HIPAA, SOX, GLBA, PCI, and more), EventTracker represents a compliance solution that is second to none. EventTracker also provides advanced forensic capability where all the stored logs can be quickly searched through a powerful Google-like search interface to perform quick problem determination. EventTracker lets users completely meet the logging requirements specified in NIST SP Guide To Computer Security Log Management, and additionally provides Host Based Intrusion Detection, Change Monitoring and USB activity tracking on Windows systems, all in an off the shelf, affordable, software solution. EventTracker provides the following benefits A highly scalable, component-based architecture that consolidates all Windows, SNMP V1/V2, legacy platforms, Syslog received from routers, switches, firewalls, critical UNIX servers (Red Hat Linux, Solaris, AIX etc), Solaris BSM, workstations and various other SYSLOG generating devices. Automated archival mechanism that stores activities over an extended period to meet auditing requirements. The complete log is stored in a highly compressed (>90%), secured 16

18 (Sealed with SHA-1 checksum) archive that is limited only by the amount of available disk storage. Real-time monitoring and parsing of all logs to analyze user activities such as logon failures and failed attempts to access restricted information. Alerting interface that generates custom alert actions via , pager, console message, etc. Event correlation modules to constantly monitor for malicious hacking activity. In conjunction with alerts, this is used to inform network security officers and security administrators in real time. This helps minimize the impact of breaches. Various types of network activity reports, which can be scheduled or generated as required for any investigation or meeting audit compliances. Host-based Intrusion Detection (HIDS). Role-based, secure event and reporting console for data analysis. Change Monitoring on Windows machines USB Tracking, including restricted use, insert/removal recording, and a complete audit trail of all files copied to the removable device. Built-in compliance workflows to allow inspection and annotation of the generated reports. 17

19 About Prism Microsystems Prism Microsystems, Inc. delivers business-critical solutions to consolidate, correlate and detect changes that could impact the performance, availability and security of your IT infrastructure. With a proven history of innovation and leadership, Prism provides easy-todeploy products and solutions for integrated Security Management, Change Management and Intrusion Detection. EventTracker, Prism s market leading enterprise log management solution, enables commercial enterprises, educational institutions and government organizations to increase the security of their environments and reduce risk to their enterprise. Customers span multiple sectors including financial, communications, scientific, healthcare, banking and consulting. Prism Microsystems was formed in 1999 and is a privately held corporation with corporate headquarters in the Baltimore-Washington high tech corridor. Research and development facilities are located in both Maryland and India. These facilities have been independently appraised in accordance with the Software Engineering Institute s Appraisal Framework, and were deemed to meet the goals of SEI Level 3 for CMM. For additional information, please visit 18