eTrust Audit iRecorder Reference Guide for Microsoft NT Event Log 1.5 SP2




This documentation and related computer software program (hereinafter referred to as the "Documentation") is for the end user's informational purposes only and is subject to change or withdrawal by Computer Associates International, Inc. ("CA") at any time. This documentation may not be copied, transferred, reproduced, disclosed or duplicated, in whole or in part, without the prior written consent of CA. This documentation is proprietary information of CA and protected by the copyright laws of the United States and international treaties. Notwithstanding the foregoing, licensed users may print a reasonable number of copies of this documentation for their own internal use, provided that all CA copyright notices and legends are affixed to each reproduced copy. Only authorized employees, consultants, or agents of the user who are bound by the confidentiality provisions of the license for the software are permitted to have access to such copies. This right to print copies is limited to the period during which the license for the product remains in full force and effect. Should the license terminate for any reason, it shall be the user's responsibility to return to CA the reproduced copies or to certify to CA that same have been destroyed. To the extent permitted by applicable law, CA provides this documentation "as is" without warranty of any kind, including without limitation, any implied warranties of merchantability, fitness for a particular purpose or noninfringement. In no event will CA be liable to the end user or any third party for any loss or damage, direct or indirect, from the use of this documentation, including without limitation, lost profits, business interruption, goodwill, or lost data, even if CA is expressly advised of such loss or damage. The use of any product referenced in this documentation and this documentation is governed by the end user's applicable license agreement.

The manufacturer of this documentation is Computer Associates International, Inc. Provided with Restricted Rights as set forth in 48 C.F.R. Section 12.212, 48 C.F.R. Sections 52.227-19(c)(1) and (2) or DFARS Section 252.227-7013(c)(1)(ii) or applicable successor provisions. © 2003 Computer Associates International, Inc. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.

Contents

Chapter 1: Welcome to the iRecorder for MS NT Event Log
  What Is an iRecorder?
  iRecorder Architecture

Chapter 2: Installation and Configuration
  System Requirements
    Hardware Requirements
    Software Requirements
    Pre-Installation Steps
  Installing the iRecorder
    Installing the iRecorder from the eTrust Security Command Center CD
    Installing the iRecorder Downloaded from eSupport
    iRecorder Installation
    Silent Installation
    Silent Uninstallation
    How to Generate a Response File for Custom Silent Installation
  Configuration and Use
    Starting the iRecorder
    Stopping the iRecorder
    Configuring the eTrust Audit iRecorder for NT Event Log
    Enabling Debugging
    Testing the iRecorder for NT Event Log

Chapter 3: Adding the Default Policy Template for the iRecorder to the eTrust Audit Policy Manager

Chapter 4: Report Selection Criteria

Chapter 5: eTrust Audit Field Mapping
  eTrust Audit Mandatory Fields
  eTrust Audit Normalized Fields
  NT Event Log Product Specific Fields

Chapter 1: Welcome to the iRecorder for MS NT Event Log

This guide describes how to install, configure, and use the eTrust Audit iRecorder for NT Event Log. This iRecorder harvests NT Event Log data and forwards it to an eTrust Audit Client. The application log records events generated by programs; the security log records security events, including logon attempts, object access, and changes to security, depending on what is audited; and the system log records operating system events.

What Is an iRecorder?

eTrust Audit 1.5 recorders can be deployed in two different ways:

Recorders

Recorders are one of the subcomponents packaged with the eTrust Audit 1.5 Client components. These predefined recorders use the eTrust Audit Submit API (SAPI) to send log events to a Router and Action Manager for further processing as defined in the Policy Manager. This architecture places some restrictions on recorder development and deployment:

- SAPI uses remote procedure calls (RPC), which makes recorders difficult to deploy across firewalls.
- Deploying new recorders that are not predefined requires manual changes to the existing Routers and Action Managers.

iRecorders

iRecorders are new to eTrust Audit. They are developed using the iRecorder SDK, which is based on the iTechnology SDK. iRecorders can be deployed in an existing eTrust Audit environment without significant changes to that environment. iRecorders, like recorders, send log events to a Router and Action Manager for event processing. They require an intermediate component, known as an iRouter, which is installed on an existing eTrust Audit Client. The iRouter provides a bridge between the iRecorder and the eTrust Audit Client: it converts tokens from XML format to SAPI format and submits them to the Router.

iRecorder Architecture

The iRecorder architecture allows easy deployment across firewalls, and new iRecorder development does not require changes to the existing eTrust Audit deployment. The following diagram illustrates the flow of information from the iRecorder to the eTrust Audit Client components. As the diagram shows, an iRecorder really consists of several components that help capture, route, and convert the event data to SAPI format so that it can be processed by an eTrust Audit Client.

The components of iTechnology are as follows:

iGateway

iGateway is a service that dynamically loads iSponsors and communicates with other iGateways and iSponsors. The main features and functions of an iGateway are as follows:

Load the iSponsor
- Locate and read the .conf files associated with the various iSponsors in its local directory.
- Load the corresponding iSponsor DLLs (such as iControl or iRecorder) at iGateway start-up or upon request from another iSponsor (local or remote).
- Provide the configuration data found in the .conf file to the corresponding iSponsor.

Support Data Communication
The iGateway uses the HTTP/HTTPS protocol on port 5250 to handle all data communication as follows:
- The data format for iGateway communication is based on XML.
- An iGateway receives XML-formatted data from the local iSponsors and sends it to the specified iGateway for delivery to the appropriate iSponsor.
- An iGateway receives XML-formatted data from a remote iSponsor and delivers it to the appropriate local iSponsor.

Note: Each iGateway can be associated with a digital certificate used by iRecorders to sign all outgoing events. iRecorders include the digital certificate, with its associated thumbprint, in the first outgoing event; for all other events, only the thumbprint is included.

iControl

iControl is an iSponsor DLL that is automatically loaded by the iGateway and supports the following functions:

Store and Forward (SAF) for guaranteed delivery of events, as follows:
- If the iGateway cannot deliver an event, it is passed on to the iControl component for SAF handling.
- iControl stores the undelivered events in a file.
- Periodically, iControl extracts events from the event file and attempts to deliver them using the iGateway.
- All events that are extracted successfully are marked as old, and periodically iControl deletes the old events.

Event validation
- If it is the first event, save the digital certificate and the associated thumbprint.
- For all events, use the thumbprint included in the event to retrieve the matching certificate. If the certificate is not found, generate an error.
- Use the certificate to validate the signature of the event. If the signatures do not match, generate an error.

Routes events to a remote iControl
The iControl.conf file contains information related to routing and which Event plug-in should be loaded.

Note: iControl can load multiple Event plug-ins and sends every event to each plug-in.

Event Plug-in (EP)

The Event plug-in is a DLL used by iControl to handle specialized tasks such as converting formats, applying filters, sending events to a database, and so on.

EPAudit Plug-in
If the EPAudit plug-in is configured, all events received by iControl are sent to the EPAudit plug-in to be delivered to the Router. The primary functions of EPAudit are to:
- Convert events from XML format to eTrust Audit SAPI format.
- Submit events to the eTrust Audit Router component running on the localhost.

EPUnicenter Plug-in
If the EPUnicenter plug-in is configured, all events received by iControl are sent to EPUnicenter to be delivered to the Event Management component of Unicenter. The primary functions of the EPUnicenter plug-in are to:
- Convert events from XML format to Unicenter EM format.
- Submit events to the Event Management component running on the localhost.

EPDebug Plug-in
If the EPDebug plug-in is configured, all events received by iControl are sent to EPDebug to be delivered to any Debug Viewer running on the local host.

iRecorder

iRecorder is an iSponsor DLL loaded by the iGateway running on the device generating log events. Its primary functions are as follows:
- Extract the log events from the device or from an event log repository using an API, ODBC, or file I/O.
- Parse the event fields into tokens and create name-value pairs for each parsed token in XML format.
- Submit XML strings containing the events to a local or remote iRouter. The iRouter sends the events to the EPAudit plug-in, which in turn submits the events to eTrust Audit for further action.
- For the first log event from the device, the iRecorder attaches the iGateway certificate as an attribute. For all log events, the iRecorder includes the iGateway certificate thumbprint (a unique ID for the certificate) and the signature (a hash of the whole event signed with the certificate).

iRouter

An iRouter is a collection of the following components installed on the eTrust Audit Client machine:
- iGateway
- iControl
- EPAudit plug-in

The iRouter installation package is included with the iRecorder SDK and does not require any changes. It works with existing and new iRecorders. The iRouter forwards all events to the eTrust Audit Client using SAPI.

Chapter 2: Installation and Configuration

This chapter describes how to install and configure the iRecorder for MS NT Event Log.

System Requirements

The topics that follow describe the hardware and software requirements for the iRecorder, assuming that the MS NT Event Log is already installed and operational on some host.

Hardware Requirements
The following additional disk space is required:
- Approximately 10 MB of disk space for the iRecorder installation.

Software Requirements
The following are the operating system and software requirements:
- eTrust Audit iRouter installed on a host where the eTrust Audit Client components are installed.
- x86 PC running Windows 2000 with Service Pack 2 or 3, Windows XP with Service Pack 1, or Windows NT 4.0 with Service Pack 5 or above.

Pre-Installation Steps
Ensure that native NT auditing is enabled and set up correctly if events from the Security log are to be processed.

Installing the iRecorder

The following topics describe how to install the iRecorder for MS NT Event Log from the CD or from the web.

Installing the iRecorder from the eTrust Security Command Center CD

To install the iRecorder from the eTrust Security Command Center CD, insert CD 5 into the CD drive. The Product Explorer should start automatically and display the installation menu. If the Product Explorer does not start automatically, click Start, Run and enter the following command:

    [CD-Drive]:\PE_I386.exe

where [CD-Drive] is your CD drive letter. All iRecorders available on the eTrust Security Command Center CD are located under eTrust, Audit, iRecorders. To install an iRecorder, select the appropriate recorder from the list and follow the detailed install instructions provided in the following sections.

Installing the iRecorder Downloaded from eSupport

You can also download and install an iRecorder from the web. To install the downloaded package, you need two components:

1. The iRecorder installation package from http://esupport.ca.com
2. The appropriate (Windows, UNIX) iGateway package from ftp://ftp.ca.com/pub/itech/downloads

Download these packages into the same directory and run the iRecorder install package. The iRecorder install package automatically installs the iGateway package, if needed. Detailed installation instructions for the iRecorder are provided in the next topic.

iRecorder Installation

If the install package for the iRecorder for NT Event Log is not already running, run the package NTEventLog_<version number>.exe to start installation of the iRecorder. It starts a wizard that guides you through installation and configuration of the iRecorder as follows:

1. Enter the host name where the iRouter is installed. If the iRouter is on the local host, enter localhost.

2. Next you are prompted for NT Event Log specific information.
3. Select all the sources that need to be monitored. If additional Event Logs are found on the system, prompts appear after you click Next asking whether the additional sources should be monitored. Selecting Include all existing events imports all existing events from all monitored sources the first time the iRecorder is started. The value set for the maximum number of events to be processed limits the number of events processed per source per second, so that the iRecorder does not consume too much of the system's resources.

Silent Installation

The iRecorder can be installed silently by following these steps:

1. Download or copy the iRecorder and iGateway installation packages into one directory.
2. Create a response file by running the following command:

    NTEventlog_<version_number>.exe /r

3. Modify the response file to suit your needs.

4. Run the following command:

    NTEventlog.exe /s /v/qn /z"[options]"

where [options] can contain the following:

- MonitorAllLogs: all logs in the Event Log will be monitored
- MonitorNoLogs: no logs will be monitored
- GetOldEvents: all existing records in the logs will also be retrieved

The above example demonstrates the silent install capability provided by the iRecorder package. The response file in the example should be changed to reflect the particular conditions of the target environment. See How to Generate a Response File for Custom Silent Installation.

Silent Uninstallation

Use the following command to silently uninstall the NT Event Log iRecorder using an InstallShield response file:

    NTEventLog_<version>.exe /s /f1"nteventlog_uninstall.iss"

How to Generate a Response File for Custom Silent Installation

Windows Packages

The response files provided with the package contain an example of a silent install session. It is often necessary to customize the silent installation to the particular needs of the enterprise. The sections below provide instructions on how to customize the silent installation. Choose a system that is similar, if not identical, to the target system.

Note: The system must not contain the iRecorder for which you want to customize the silent installation. If the system has the iRecorder installed, uninstall it using the Add/Remove Programs option of the Control Panel.

Proceed as follows to generate a custom response file:

1. Open a DOS window.
2. Change directory to the folder that contains the iRecorder package.
3. On the CD labeled eTrust Audit 1.5 SP2, part of the eTrust Security Command Center package, the iRecorder package folder is:

    <CD Drive>:\eTrust\Audit\iRecorders\Winnt

   For instance, if G is the CD drive, the iRecorder package folder is:

    G:\eTrust\Audit\iRecorders

   Enter the following:

    <irecorder package>.exe /r /f1"<pathname of response file>"

   For example:

    MSNTEvent Log_<version_number>.exe /r /f1"c:\temp\uninstall.iss"

4. Follow the instructions given by the installation procedure and install the package as you would on the target system.
5. Click Finish. The response file is generated. It can be used for silent installation on similar target systems.

Configuration and Use

The following topics describe how to configure and use the iRecorder.

Starting the iRecorder

The iRecorder runs as a sub-component of the iTechnology iGateway service. To start the iRecorder on Windows 2000, start the iGateway service using either of the following methods:

- Use the Services Management GUI (Start, Control Panel, Services or Administrative Tools, Services).
- Issue the following command:

    net start igateway

Stopping the iRecorder

The iRecorder runs as a sub-component of the iTechnology iGateway service. To stop the iRecorder on Windows 2000, stop the iGateway service using either of the following methods:

- Use the Services Management GUI (Start, Control Panel, Services or Administrative Tools, Services).
- Issue the following command:

    net stop igateway

Configuring the eTrust Audit iRecorder for NT Event Log

iRecorder configuration parameters are kept in a configuration file, usually located in the iGateway installation directory. The iRecorder configuration parameters are set automatically during iRecorder installation and do not require any changes for normal operation of the iRecorder. If you must change any parameters, stop the iTechnology iGateway service or daemon before making the changes. After making the changes, restart the service for the changes to take effect.

The iRecorder configuration file is named NTEventLog.conf and is found in the installation directory of the iGateway, for example C:\Program Files\CA\iGateway. The iRecorder rewrites its configuration file every time it shuts down, to update the last record read per event log so that it can restart from that point and not lose any events.

To make any changes to the config file, follow these steps:

1. Stop the iRecorder.
2. Make the changes.

Note: Any changes made to the config file while the recorder is running will be lost, because the iRecorder rewrites the file when it shuts down.

By default the iRecorder monitors all NT Event Logs. This includes DNS, File Replication, Directory, and so on. To disable monitoring of a log, add an entry to the config file as follows:

    <Monitor Log="[logname]">false</Monitor>

The iRecorder throttles processing of events to avoid using too much CPU time. It defaults to sending a maximum of 150 events per second per event log being monitored. To change the throttling, add an entry to the config file as follows:

    <MaxEventsPerSecond>[number]</MaxEventsPerSecond>

Sample Configuration File

    <?xml version='1.0' encoding='utf-8' standalone='no'?>
    <isponsor>
    <Name>NTEventLog</Name>
    <ISType>DSP</ISType>
    <ImageName>NTEventLog</ImageName>
    <DispatchEP>iDispatch</DispatchEP>
    <ClsPath></ClsPath>
    <LibPath></LibPath>
    <Version>1.0.0.030624</Version>
    <PreLoad>true</PreLoad>
    <MaxEventsPerSecond>25</MaxEventsPerSecond>
    <SIDLookupTimeout>5</SIDLookupTimeout>
    <SearchStringFile>selogrec.str</SearchStringFile>
    <Monitor Log="Application">false</Monitor>
    <Monitor Log="System">false</Monitor>
    <Monitor Log="Security">false</Monitor>
    <LastRecordRead Log="System">0</LastRecordRead>
    <LastRecordRead Log="Application">0</LastRecordRead>
    <LastRecordRead Log="Security">0</LastRecordRead>
    </isponsor>

Enabling Debugging

You can configure the iRecorder to output debugging information to a debugging application or to a file. A file containing debug information can be useful for technical support purposes. To enable debugging and log debug information to a file, follow these steps:

1. Stop the iRecorder by stopping the iTechnology iGateway service.
2. Edit the iRecorder configuration file by adding the following <DebugLevel> tag between the <isponsor> tags:

    <DebugLevel>{level}</DebugLevel>

   where {level} is one of the following:

   ISP_NOLEVEL   Disables debugging.
   ISP_FILE      Prints all debug messages to a debug application and also writes them to a log file, irecordername.log, in the same directory as the iRecorder. The debug file may grow very quickly; to avoid a possible disk space shortage, we recommend turning off the debugging option as soon as possible by replacing ISP_FILE with ISP_NOLEVEL.

3. Save the configuration file.
4. Start the iRecorder by restarting the iTechnology iGateway service.
5. Send the debug file to CA Technical Support for further analysis.

Testing the iRecorder for NT Event Log

Using the following steps, you can verify that the iRecorder is installed properly and is sending events to eTrust Audit:

1. Install the iRecorder and iRouter on a host as described in the installation instructions.
2. Start the eTrust Audit Policy Manager and define a policy for NT Event Log events received by the host where the iRouter and other eTrust Audit Client components are installed.
3. Create a test policy with a rule that sends all events to the eTrust Audit Security Monitor (no filter, with Action set to Security Monitor). If there is no defined policy (rule and action), eTrust Audit ignores the events. You can find more details on how to create a policy in the eTrust Audit Policy Management Guide.
4. Verify that <Program Files>\CA\iGateway contains the following files: NTEventlog.dll and NTEventlog.conf

5. Create an event in the NT Event Log (remember to set up NT auditing if the Security log will also be monitored).
6. Verify that the generated events are displayed in the eTrust Audit Security Monitor.

iRecorders also support the standard iTechnology SDK tools (such as TestHarness and the Spin interface) to query the iRecorder for current status and configuration information. For more details on these tools, see the iTechnology SDK Reference Guide.
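The edits described under Configuring the eTrust Audit iRecorder for NT Event Log (the <Monitor> and <MaxEventsPerSecond> entries) and the <DebugLevel> step under Enabling Debugging are small XML changes, and making them with an XML parser rather than a text editor keeps element names exact and guarantees the file still parses when the iGateway next loads it. The following Python script is an added example and not part of the iRecorder package or this guide. It works on a constructed copy of NTEventLog.conf modelled on the guide's sample (with monitoring switched on so there is something to list); the function names, the set of accepted debug levels (only the two the guide documents), and the sample file are the example's own assumptions.

```python
"""Added example (not the iRecorder's code): edit NTEventLog.conf through an XML parser."""
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the guide's sample configuration file but with the
# three standard logs monitored (the guide's sample shows them all set to false).
SAMPLE_CONF = """<?xml version='1.0' encoding='utf-8' standalone='no'?>
<isponsor>
<Name>NTEventLog</Name>
<ISType>DSP</ISType>
<ImageName>NTEventLog</ImageName>
<DispatchEP>iDispatch</DispatchEP>
<ClsPath></ClsPath>
<LibPath></LibPath>
<Version>1.0.0.030624</Version>
<PreLoad>true</PreLoad>
<MaxEventsPerSecond>25</MaxEventsPerSecond>
<SIDLookupTimeout>5</SIDLookupTimeout>
<SearchStringFile>selogrec.str</SearchStringFile>
<Monitor Log="Application">true</Monitor>
<Monitor Log="System">true</Monitor>
<Monitor Log="Security">true</Monitor>
<LastRecordRead Log="System">0</LastRecordRead>
<LastRecordRead Log="Application">0</LastRecordRead>
<LastRecordRead Log="Security">0</LastRecordRead>
</isponsor>
"""

# The only two <DebugLevel> values the guide documents.
DEBUG_LEVELS = {"ISP_NOLEVEL", "ISP_FILE"}


def load_conf(text):
    """Parse the .conf text and check that it is an iSponsor configuration."""
    root = ET.fromstring(text)
    if root.tag != "isponsor":
        raise ValueError("not an iSponsor configuration file")
    return root


def set_monitor(root, log_name, enabled):
    """Set <Monitor Log="..."> to true/false; add the element if the log has no entry yet
    (the guide: logs are monitored by default, so disabling one means adding an entry)."""
    for el in root.findall("Monitor"):
        if el.get("Log") == log_name:
            el.text = "true" if enabled else "false"
            return el
    el = ET.SubElement(root, "Monitor", Log=log_name)
    el.text = "true" if enabled else "false"
    return el


def set_max_events_per_second(root, value):
    """Change the per-log throttle; reject anything that is not a positive integer."""
    if isinstance(value, bool) or not isinstance(value, int) or value <= 0:
        raise ValueError("MaxEventsPerSecond must be a positive integer")
    el = root.find("MaxEventsPerSecond")
    if el is None:
        el = ET.SubElement(root, "MaxEventsPerSecond")
    el.text = str(value)
    return el


def set_debug_level(root, level):
    """Add or update <DebugLevel> between the <isponsor> tags, as the debugging steps describe."""
    if level not in DEBUG_LEVELS:
        raise ValueError("unknown debug level: %s" % level)
    el = root.find("DebugLevel")
    if el is None:
        el = ET.SubElement(root, "DebugLevel")
    el.text = level
    return el


def monitored_logs(root):
    """Names of logs whose <Monitor> entry is not 'false'."""
    return sorted(el.get("Log") for el in root.findall("Monitor")
                  if (el.text or "").strip().lower() != "false")


def dump_conf(root):
    """Serialize back to text with the declaration the guide's sample uses."""
    return ("<?xml version='1.0' encoding='utf-8' standalone='no'?>\n"
            + ET.tostring(root, encoding="unicode") + "\n")


def example():
    """Disable one log, raise the throttle to the documented default, turn on file debugging."""
    root = load_conf(SAMPLE_CONF)
    set_monitor(root, "DNS Server", False)
    set_max_events_per_second(root, 150)
    set_debug_level(root, "ISP_FILE")
    return dump_conf(root)
```

The script only returns the new text; writing it over NTEventLog.conf has to happen while the iTechnology iGateway service is stopped, because the iRecorder rewrites the file at shutdown and would discard changes made while it is running. Keeping the <LastRecordRead> elements untouched preserves the restart position the iRecorder stores there.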

Chapter 3: Adding the Default Policy Template for the iRecorder to the eTrust Audit Policy Manager

The eTrust Audit Policy Manager has default policies for this iRecorder.

Chapter 4: Report Selection Criteria

For events that are reported by the iRecorder and stored in the eTrust Audit Collector database, selected reports can be generated using a Report Generator. The following table describes suggested selection criteria for reports of general interest. The first column of the table is the Report Name. The second column is the Audit Logname that can be specified to include all events for this Logname in the report. The Additional Criteria column specifies one or more additional fields that may be used to further narrow the range of events to be included in the report. Finally, the Comment column specifies whether the field name is in the Audit MSGTEXT field or not. The distinction is important because the MSGTEXT field is a free-form text field that may contain several fields. Since the MSGTEXT column contains multiple field name and field value pairs, the MSGTEXT field must be searched using wildcard characters to select the specific field names and values.

Sample Report Selection Criteria: NT Event Log

Report        Logname       Additional criteria (format field name : field value)   Comment
Login         NT Eventlog   Taxonomy : NT-Application.Winlogon.*.*.*                Taxonomy is in MSGTEXT field
Dhcp          NT Eventlog   Taxonomy : NT-System.Dhcp.*.*.*                         Taxonomy is in MSGTEXT field
Netlogon      NT Eventlog   Taxonomy : NT-System.Netlogon.*.*.*                     Taxonomy is in MSGTEXT field
RemoteAccess  NT Eventlog   Taxonomy : NT-System.RemoteAccess.*.*.*                 Taxonomy is in MSGTEXT field
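The wildcard search over MSGTEXT that the table above relies on can be expressed directly as a SQL LIKE pattern. The following Python script is an added example, not part of the guide or of the Report Generator: it translates the table's criteria (with the '*' wildcards) into LIKE patterns and runs them with sqlite3 over a constructed, in-memory stand-in for the Collector table. The two-column table, the semicolon-separated layout of the MSGTEXT pairs and the sample rows are this example's assumptions. It also covers one edge case the table does not mention: field names that contain underscores (as the product-specific fields in Chapter 5 do) must be escaped, because '_' is itself a single-character wildcard in LIKE.

```python
"""Added example (not from the guide): run Chapter 4 selection criteria as LIKE searches over MSGTEXT."""
import sqlite3

# Constructed rows: an Audit Logname plus a free-form MSGTEXT holding several
# "field name : field value" pairs (the semicolon separator is this example's assumption).
SAMPLE_ROWS = [
    ("NT Eventlog", "Taxonomy : NT-Application.Winlogon.Logon.S.I; User : CORP\\alice; Native ID : 528"),
    ("NT Eventlog", "Taxonomy : NT-System.Dhcp.Unknown.N.W; Native ID : 1003"),
    ("NT Eventlog", "Taxonomy : NT-System.Netlogon.Unknown.N.C; Native ID : 5719"),
    ("NT Eventlog", "Taxonomy : NT-System.RemoteAccess.Unknown.N.I; Native ID : 20158"),
    ("NT Eventlog", "Taxonomy : NT-System.Dhcp.Unknown.N.I; Logon_Type : 2"),
    ("Unix Syslog", "Taxonomy : NT-System.Dhcp.Unknown.N.I"),  # other Logname: must not be selected
]

# The guide's suggested criteria, keyed by report name.
REPORTS = {
    "Login": "Taxonomy : NT-Application.Winlogon.*.*.*",
    "Dhcp": "Taxonomy : NT-System.Dhcp.*.*.*",
    "Netlogon": "Taxonomy : NT-System.Netlogon.*.*.*",
    "RemoteAccess": "Taxonomy : NT-System.RemoteAccess.*.*.*",
}


def criterion_to_like(criterion):
    """Turn the guide's '*' wildcards into LIKE '%' and wrap the whole criterion in '%...%',
    since the pair may sit anywhere inside MSGTEXT.  SQL's own wildcards ('%' and the
    single-character '_') are escaped first, so 'Logon_Type' does not also match 'LogonXType'."""
    escaped = (criterion.replace("\\", "\\\\")
                        .replace("%", "\\%")
                        .replace("_", "\\_"))
    return "%" + escaped.replace("*", "%") + "%"


def build_collector(rows):
    """In-memory stand-in for the Collector table with only the two columns used here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (LOGNAME TEXT, MSGTEXT TEXT)")
    conn.executemany("INSERT INTO events VALUES (?, ?)", rows)
    conn.commit()
    return conn


def select_report(conn, logname, criterion):
    """MSGTEXT of the rows of one Logname that satisfy the additional criterion."""
    cur = conn.execute(
        "SELECT MSGTEXT FROM events WHERE LOGNAME = ? AND MSGTEXT LIKE ? ESCAPE '\\'",
        (logname, criterion_to_like(criterion)),
    )
    return [row[0] for row in cur.fetchall()]


def report_counts(conn, logname="NT Eventlog"):
    """How many rows each of the guide's suggested reports selects."""
    return {name: len(select_report(conn, logname, crit)) for name, crit in REPORTS.items()}
```

The Logname is matched exactly and only the additional criterion uses wildcards, which is what keeps the Unix Syslog row out of the Dhcp report even though its MSGTEXT carries the same taxonomy. The escape syntax and the case sensitivity of LIKE differ between database products, so the pattern builder needs the same review when it is pointed at the real Collector database.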

Chapter 5: eTrust Audit Field Mapping

The following topics describe how fields in MS NT Event Log events are captured by the eTrust Audit iRecorder and mapped to a standard set of normalized fields. eTrust Audit requires all iRecorders to follow a standard Data Model and Taxonomy. The following topics describe how the iRecorder maps the native MS NT Event Log fields into eTrust Audit fields.

eTrust Audit Mandatory Fields

Mandatory fields are a fixed set of fields that are added to each event processed by any iRecorder. The following tables describe what values are assigned to the Mandatory Fields in the iRecorder for NT Event Log.

Table 1: Mapping of eTrust Audit Required Fields

Field Name   Field Value                                             Description
Taxonomy     <Category>.<System>.<Action>.<Result>.<Severity>         See Table 2 for further breakdown of Taxonomy
             (Category is NT-Application, NT-Security, NT-System
             or NT-*, that is NT-<Log>)
Date         TimeGenerated                                           TimeGenerated value
TimeZone     timezone in +/- seconds format (calculated from GMT)     TimeZone of the system where the iRecorder is installed
Src          Variable                                                Source field from the Event Log
Location     Hostname                                                Computer field from the Event
Recorder     NTEventLog                                              The name of the iRecorder that collected the event
Version      Version Number                                          The version number of the iRecorder

The table provides Field Names and Descriptions as well as Values (or possible values). Additional information about the Taxonomy field is provided in Table 2.

Table 2: Details of Taxonomy Field

Taxonomy   Possible Values                                 Description
Category   NT-Application, NT-Security, NT-System, NT-*    NT-<Log>
System     Variable                                        Source field from the Event
Action     Variable                                        Unknown, or the string defined in selogrec.str for the Event ID
Result     N, S or F                                       Based on the NT EventType:
                                                           EVENTLOG_AUDIT_SUCCESS: Result = Success
                                                           EVENTLOG_AUDIT_FAILURE: Result = Failure
Severity   I, C or W                                       Based on the NT EventType:
                                                           EVENTLOG_ERROR_TYPE: Severity = Critical
                                                           EVENTLOG_WARNING_TYPE: Severity = Warning
                                                           EVENTLOG_INFORMATION_TYPE: Severity = Info

eTrust Audit Normalized Fields

Normalized Fields are eTrust Audit field names that are mapped or translated from the native event field names according to the classification of the iRecorder. Normalized fields are common across all products in the same classification. The Taxonomy field, one of the mandatory fields, defines the classification of this iRecorder.

eTrust Audit Field Name   Native Field Name       Description
Category                  EventCategory
User                      domainname\username
Native ID                 EventID & 0x0000FFFF
Info                      Description

NT Event Log Product Specific Fields

Product Specific fields are native event fields that are not mapped or translated by the iRecorder. These fields are sent to eTrust Audit with a minor name change: all characters in the field name that are not letters, digits, or underscores are converted to underscores.
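Tables 1 and 2 and the normalized and product-specific field rules above can be read together as one mapping from a native NT Event Log record to the three eTrust Audit field groups. The following Python script is an added example, not the iRecorder's code: it applies the Taxonomy construction (Category = NT-<Log>, Result and Severity from the NT EventType), the Native ID mask (EventID & 0x0000FFFF), the domain\user form of the User field, and the underscore rewrite of product-specific field names to a constructed security event. The native field names of the record (Log, Source, EventID, EventType, Domain, UserName and so on), the dictionary standing in for selogrec.str, the severity assigned to audit-type events (which Table 2 leaves unspecified) and the sign convention of the TimeZone offset are this example's assumptions; the EventType constants are the winnt.h values.

```python
"""Added example (not the iRecorder's code): Chapter 5 field mapping applied to one NT Event Log record."""
import re
from datetime import datetime, timedelta, timezone

# Win32 EventType values from winnt.h
EVENTLOG_ERROR_TYPE = 0x0001
EVENTLOG_WARNING_TYPE = 0x0002
EVENTLOG_INFORMATION_TYPE = 0x0004
EVENTLOG_AUDIT_SUCCESS = 0x0008
EVENTLOG_AUDIT_FAILURE = 0x0010

RECORDER_NAME = "NTEventLog"        # <Name> in the guide's sample NTEventLog.conf
RECORDER_VERSION = "1.0.0.030624"   # <Version> in the guide's sample NTEventLog.conf

# Stand-in for selogrec.str (constructed): action string per native event ID.
ACTION_STRINGS = {528: "Logon", 529: "Logon", 538: "Logoff"}

# Native fields consumed by the mandatory/normalized mapping (names assumed by this example);
# every other native field is passed through as a product-specific field.
MAPPED_NATIVE_FIELDS = {"Log", "Source", "EventID", "EventType", "TimeGenerated",
                        "Computer", "EventCategory", "Domain", "UserName", "Description"}

# Constructed record: NT 4.0/2000 security event 528 (successful logon) with the high word of
# EventID set, as the Event Log API returns it, so the Native ID masking has something to do.
SAMPLE_EVENT = {
    "Log": "Security",
    "Source": "Security",
    "EventID": 0x80000210,
    "EventType": EVENTLOG_AUDIT_SUCCESS,
    "EventCategory": "Logon/Logoff",
    "TimeGenerated": datetime(2003, 6, 24, 10, 30, 0, tzinfo=timezone(timedelta(hours=-5))),
    "Computer": "NTSRV01",
    "Domain": "CORP",
    "UserName": "alice",
    "Description": "Successful Logon: User Name: alice Domain: CORP Logon Type: 2",
    "Logon Type": "2",        # not mapped: becomes product-specific field Logon_Type
    "Record Number": 4711,    # not mapped: becomes product-specific field Record_Number
}


def result_code(event_type):
    """Table 2: S for audit success, F for audit failure, N for everything else."""
    if event_type == EVENTLOG_AUDIT_SUCCESS:
        return "S"
    if event_type == EVENTLOG_AUDIT_FAILURE:
        return "F"
    return "N"


def severity_code(event_type):
    """Table 2: C for error, W for warning, I for information.  Table 2 gives no severity
    for audit-type events; treating them as I is this example's assumption."""
    if event_type == EVENTLOG_ERROR_TYPE:
        return "C"
    if event_type == EVENTLOG_WARNING_TYPE:
        return "W"
    return "I"


def native_id(event_id):
    """Normalized field Native ID: EventID & 0x0000FFFF drops the high word of the event ID."""
    return event_id & 0x0000FFFF


def product_field_name(name):
    """Product-specific field names: every character that is not a letter, digit or underscore becomes '_'."""
    return re.sub(r"[^A-Za-z0-9_]", "_", name)


def taxonomy(event):
    """<Category>.<System>.<Action>.<Result>.<Severity> with Category = NT-<Log>."""
    action = ACTION_STRINGS.get(native_id(event["EventID"]), "Unknown")
    return ".".join(["NT-" + event["Log"], event["Source"], action,
                     result_code(event["EventType"]), severity_code(event["EventType"])])


def map_event(event):
    """Return the mandatory, normalized and product-specific field groups for one native record."""
    generated = event["TimeGenerated"]
    mandatory = {
        "Taxonomy": taxonomy(event),
        "Date": generated,
        # +/- seconds from GMT; east-of-GMT-positive is this example's sign assumption
        "TimeZone": int(generated.utcoffset().total_seconds()),
        "Src": event["Source"],
        "Location": event["Computer"],
        "Recorder": RECORDER_NAME,
        "Version": RECORDER_VERSION,
    }
    normalized = {
        "Category": event["EventCategory"],
        "User": "%s\\%s" % (event["Domain"], event["UserName"]),
        "Native ID": native_id(event["EventID"]),
        "Info": event["Description"],
    }
    product = {product_field_name(k): v for k, v in event.items() if k not in MAPPED_NATIVE_FIELDS}
    return {"mandatory": mandatory, "normalized": normalized, "product": product}
```

Two details matter when a policy or report is written against these fields: the Action component of the Taxonomy is "Unknown" for any event ID that selogrec.str does not describe, so rules should not assume a descriptive action for every event, and the Native ID is the low 16 bits only, which is why the event appears as 528 rather than 0x80000210.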