Centralized logging with alerts for Windows
Presented by Steve Massman and Jim Long
Email us: massmans@more.net and long@more.net

Overview
  - Review best practices
  - Install KiwiSyslog
  - Configure KiwiSyslog
  - Install SNARE client
  - Install SNARE for IIS client
  - Install Logcheck and other open source utilities
Pros and Cons
  Pros
    - Automates log collection to a central log location
    - Alerts help maintain server health
  Cons
    - You have to read your email (an alert nobody reads is no alert at all)

Best practices
  - Review logs daily, or at a minimum weekly
  - Security guides: download and review the Security Guides for your operating systems
Best Practices cont.
  - Audit policy: the log server only sees what the clients are configured to audit; these settings are best pushed out through Group Policy so every server logs the same events

Server Requirements
  - Windows 2000, XP, 2003 or 2008
  - Can use an existing machine
  - Software-based firewall installed to protect the log server
  - Antivirus software on the log server is a possible source of problems; see http://www.kiwisyslog.com/faq/syslog/syslog_norton_anti_virus.htm
Install KiwiSyslog
  - Purchase the Extended version (~$300)
    - Creates a separate log file for each host
    - Automated archival of log files
    - http://www.kiwisyslog.com/software_downloads.htm
  - OR use the free version of KiwiSyslog
  - OR use Syslog-NG on *nix, or on Windows: http://www.syslog.org/logged/running-syslog-ng-on-windows/

Configure Kiwi
  - Enter registration information
  - Syslogcatchall.txt log (the default action, which writes every received message to one file)
  - Auto-create a separate log file for each host
  - Archive logs
  - Email stats
  - Replace non-printable characters
  - Install the syslogd service
Install SNARE client
  - Audit configuration: forward the System log and the Security log
  - If the server is a Domain Controller, also include the Directory Service, DNS Server and File Replication logs
  - Look for new events in Kiwi

Install SNARE for IIS
  - Change the start menu group name
  - Audit service configuration
  - Look for new events in Kiwi
Windows 2003 or earlier: Install Logcheck
  - Install directory
  - Mail settings
  - Choose NO on log and Audit settings
  - Check install directory permissions
  - Edit wrapper.cmd
  - Run Testblat.cmd (confirms that Blat, the command-line mailer, can send mail)
  - Run wrapper.cmd, look at email
  - Open source tools
  - Edit logcheck.sh
  - Run wrapper.cmd, look at email

Windows 2003 or earlier: Configure Logcheck's built-in files
  Logcheck.hacking
    The administrator should always be alerted of events that match the keywords in this file; it catches things such as hacking attempts and locked administrator accounts
  Logcheck.ignore
    Routine information such as successful logins or normal web server activity that does NOT require administrator attention
Windows 2003 or earlier: Logcheck's built-in files (cont.)
  Logcheck.violations
    Items such as elevation of privileges and known attack signatures (CodeRed, other viruses, script-kiddie attack signatures)
  Logcheck.violations.ignore
    At MOREnet this file is not used much; it can be used to prune common errors out of the violations report

Windows 2008: Install GnuWin tools and create batch file
  - Install directory
  - Mail settings
  - Create wrapper.cmd
  - Run wrapper.cmd, look at email
  - Open source tools
Windows 2008: Logcheck.ignore
  Routine information such as successful logins or normal web server activity that does NOT require administrator attention

  Add entries to logcheck.ignore, one extended regular expression per line. A dot stands in for characters such as backslashes, parentheses and spaces that would otherwise need escaping (so program files.x86..syslogd matches "program files (x86)\syslogd"):
    Servername.*Windows-Security-Auditing.*Success Audit.*[A new process has been created A process has exited].*[c..logcheck.bin C..Windows.System32.dllhost.exe]
    Windows-Security-Auditing.*Success Audit.*Windows Filtering Platform has permitted a connection.*program files.snare.snarecore.exe
    Windows-Security-Auditing.*Success Audit.*Windows Filtering Platform has permitted a connection.*program files.x86..syslogd.syslogd_service.exe
    Windows-Security-Auditing.*Success Audit.*Windows Filtering Platform has permitted a bind to a local port.*logcheck.bin
    PrintServerName.*System.*Print.*owned by.*was printed on
    WebServerName.*IISWebLog.*GET.*Default.htm.*200
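What the Logcheck pass in the two procedures above (logcheck.sh on Windows 2003 or earlier, the GnuWin batch-file version on Windows 2008) actually does is three grep passes over the Kiwi host log: lines matching logcheck.hacking are always reported, lines matching logcheck.violations are reported unless logcheck.violations.ignore excuses them, and everything else is reported unless logcheck.ignore excuses it. The script below is an added example, not code from the deck, from MOREnet or from Logcheck itself; the host name, file paths, pattern files and sample event lines are all constructed for illustration. The ignore entries follow the deck's dot-for-special-character style; note that alternatives are written (a|b), because a bracket expression [a b] matches only a single character.

```shell
#!/bin/sh
# Added example, not part of the MOREnet deck or of Logcheck: the three-stage
# grep filter that logcheck.sh applies, run over constructed Windows events.
# Host name, paths, pattern files and log lines are made up for illustration.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
LOG="$WORK/WebServerName.txt"   # one per-host file, as Kiwi would write it

# Constructed sample of SNARE and SNARE-for-IIS events as they land in the host log.
cat > "$LOG" <<'EOF'
WebServerName MSWinEventLog Security Microsoft-Windows-Security-Auditing Success Audit A new process has been created. New Process Name: C:\logcheck\bin\grep.exe
WebServerName MSWinEventLog Security Microsoft-Windows-Security-Auditing Success Audit Windows Filtering Platform has permitted a connection. Application Name: \device\harddiskvolume1\program files\snare\snarecore.exe
WebServerName MSWinEventLog Security Microsoft-Windows-Security-Auditing Failure Audit An account failed to log on. Account Name: Administrator Logon Type: 10
WebServerName MSWinEventLog Security Microsoft-Windows-Security-Auditing Success Audit A user account was locked out. Account Name: Administrator
WebServerName MSWinEventLog Security Microsoft-Windows-Security-Auditing Success Audit Special privileges assigned to new logon. Account Name: SYSTEM
WebServerName MSWinEventLog Security Microsoft-Windows-Security-Auditing Success Audit Special privileges assigned to new logon. Account Name: jdoe
WebServerName IISWebLog GET /Default.htm - 80 - 10.0.0.5 Mozilla/4.0 200
WebServerName IISWebLog GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir - 80 - 10.0.0.9 - 404
EOF

# logcheck.hacking: always reported; matched case-insensitively, as logcheck does.
cat > "$WORK/logcheck.hacking" <<'EOF'
account failed to log on
locked out
EOF

# logcheck.violations: privilege use and known attack signatures.
cat > "$WORK/logcheck.violations" <<'EOF'
cmd\.exe
Special privileges assigned
EOF

# logcheck.violations.ignore: prunes noise out of the violations report only.
cat > "$WORK/logcheck.violations.ignore" <<'EOF'
Special privileges assigned to new logon.*Account Name: SYSTEM
EOF

# logcheck.ignore in the deck's style: a dot stands in for backslashes and other
# characters that would need escaping; alternatives go in (a|b).
cat > "$WORK/logcheck.ignore" <<'EOF'
WebServerName.*Security-Auditing.*Success Audit.*(A new process has been created|A process has exited).*logcheck.bin
WebServerName.*Security-Auditing.*Success Audit.*Windows Filtering Platform has permitted a connection.*program files.snare.snarecore.exe
WebServerName.*IISWebLog.*GET.*Default.htm.*200
EOF

# Stage 1: Active System Attack alerts - any line matching logcheck.hacking.
active_attacks() { grep -E -i -f "$WORK/logcheck.hacking" "$LOG" || true; }

# Stage 2: Security Violations - logcheck.violations minus logcheck.violations.ignore.
security_violations() {
  grep -E -i -f "$WORK/logcheck.violations" "$LOG" \
    | { grep -E -v -f "$WORK/logcheck.violations.ignore" || true; }
}

# Stage 3: Unusual System Events - every line not excused by logcheck.ignore.
# A line pruned in stage 2 still appears here unless logcheck.ignore covers it too.
unusual_events() { grep -E -v -f "$WORK/logcheck.ignore" "$LOG" || true; }

# The report body that wrapper.cmd would hand to the mailer.
report() {
  printf 'Active System Attack Alerts\n'; active_attacks
  printf '\nSecurity Violations\n'; security_violations
  printf '\nUnusual System Events\n'; unusual_events
}

report
```

Run it as-is to see the three sections; the SYSTEM special-privileges line drops out of the violations section but still shows up under unusual events, which is why entries usually need to go into logcheck.ignore as well. Every entry added to an ignore file removes events from the report permanently, so keep them as specific as the examples above (host name, log, event text and program path), not just a single keyword.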
Configure Scheduled Task
  - Check the policy "Network access: Do not allow storage of passwords and credentials for network authentication": it must be Disabled, or Task Scheduler cannot save the account password for a task that runs whether or not the user is logged on
  - Add a scheduled task that runs wrapper.cmd every 15 or 30 minutes

Log Retention
  - Missouri Attorney General's office recommends 30-90 days
  - When working with law enforcement you may need to keep logs for up to 1 year
Windows 2008 script details
  - Windows 2008 files: temporary download location ftp://ftp.more.net/pub/s_p/massmans/
Demo

Questions
Our E-mail Addresses!
  - massmans@more.net
  - reddicktw@more.net
  - long@more.net