Enterprise SysLog Manager (ESM)

ESM is a managed network security appliance (a scalable HP server with a database) for the collection, management and reporting of syslog messages from critical hosts and network devices. This includes critical alerts involving security, performance, availability and compliance (access and change) reporting. xdefenders provides valuable design, deployment, management, monitoring and maintenance services.

Pages 14 to 22 describe and display Sample Compliance Reports. Five reports are available:
- User Logon Report
- User Logoff Report
- Failed User Logons
- Object Access Report
- IPS Summary Report (Cisco ASA required)

Much of this material was taken from the formal ESM web training class.

1 of 21
Overview diagram: syslogs from critical devices such as database servers, domain controllers, file servers and firewalls feed a 5 minute correlation engine, which drives the forensic query, the compliance reports and the "ALERT: Threshold Exceeded" notifications.

Store and Record Syslog Events in a Central Database
- Manage and save syslogs from multiple devices at a single location
- Generate syslog event reports

Monitor Activity
- Correlation engine running every 5 minutes for threshold assessment
- Performance monitoring of equipment to study resource utilization
- Generate real time alerts based on activity and user defined thresholds

Meet Regulatory Requirements and produce Compliance Reports
- Provides real time alerts of system failures, possible attacks and vulnerabilities

Comprehensive Search feature
- Easy to use forensic syslog search for suspicious or unusual activity
Group: user defined category grouping devices logically for reporting and alerts (defined in the Thresholds section)
Device: syslogs have been received from this list of devices
Facility: category of the type of device sending the log
Priority: severity level of the message as it relates to device performance
Date: From: date of the oldest syslog in the database; Until: date of the most recent syslog
Time: military time of day
Program: a description of the type of application running on the device that generated the syslog
Status: status of the event as described by the sending device
Message Contents: used to search for character strings found in the syslog message
Here is the list of syslogs found, displayed below. Let's review the Search Screen and fine tune our search to eliminate all the Cisco ASA syslogs.
Select the Cisco ASA from the drop down list in the Programs selection box. Click Exclude to drop all those records from the search. That returned 153 syslog messages.
Next, let's search for audit policy changes. That is MS Event ID 612. It can be found by viewing the syslogs, or from Appendix A in the Snare User Guide. You can search for up to 3 different character strings in the message. You do not need to continue to exclude the Cisco ASA; the search will work either way. The Search GUI provides a quick and easy forensic search capability.
NEXT: Click (Compliance) REPORTS. The graph on the upper portion of the screen gives the total syslog count for the last 36 hours, and the count of the types of syslogs recorded. The five built in reports are listed on the buttons below the graph. The ESM emails these 5 reports daily to the designated Administrator.
Select a date range using the From and Until boxes shown. For example: enter 10/27/08 and 10/30/08. Next, select: Failed Log Ons. The result is actually a list of matching transactions that looks just like the ESM syslog search, as shown on the next page.
Daily Reports (statistics) are generated and emailed to the administrator. See the sample on the next page:
ESM statistics

This email may contain several reports:
- General overview for today and the past three days
- Compliance report: Successful logons for yesterday
- Compliance report: Unsuccessful logons for yesterday
- Compliance report: Logoffs for yesterday
- Compliance report: Object changes for yesterday
- Proprietary report: IDS/IPS messages for yesterday

NOTE: Reports are only created if corresponding data are available.

Statistics for group 'Sample Company':
-----------------------------------------------------------
Host '66.666.6.255'

=> Total events
Total      : Value
Today      : 4 * (sugg. threshold: )
Yesterday  : 1282 ******************************************************************* (sugg. threshold: 4)
2 days ago : 1163 ************************************************************* (sugg. threshold: 4)
3 days ago :

==> Events listed by facility <==

=> Facility "kern" events
Day        : Value
Today      :
Yesterday  :
2 days ago :
3 days ago :

=> Facility "user" events
Day        : Value
Today      :
Yesterday  :
2 days ago :
3 days ago :

=> Facility "mail" events
Day        : Value
Today      :
Yesterday  :
2 days ago :
3 days ago :

=> Facility "daemon" events
Day        : Value
Today      :
Yesterday  :
2 days ago :
3 days ago :

-----------------------------------------------------------
Host 'monman.sampleco.com'

=> Yesterday's successful logons (relevant to GLBA, SOX, HIPAA, PCI standards): 3
2008-12-03 06:27:04 su[7354]: Successful su for nobody by root
2008-12-03 06:27:04 su[7356]: Successful su for nobody by root
2008-12-03 06:27:04 su[7358]: Successful su for nobody by root

-----------------------------------------------------------
Host '66.666.6.255'

=> Yesterday's IDS/IPS messages (proprietary extension): 731
2008-12-03 01:04:46 %ASA-3-400023: IDS:2150 ICMP fragment from 10.100.7.53 DNS1 on interface external
2008-12-03 01:04:46 %ASA-3-400023: IDS:2150 ICMP fragment from 10.100.7.53 DNS1 on interface external
2008-12-03 01:04:46 %ASA-3-400023: IDS:2150 ICMP fragment from 10.100.7.53 DNS1 on interface external
2008-12-03 01:04:46 %ASA-3-400023: IDS:2150 ICMP fragment from 10.100.7.53 DNS1 on interface external
2008-12-03 01:04:46 %ASA-3-400023: IDS:2150 ICMP fragment from 10.100.7.53 DNS1 on interface external
2008-12-03 01:04:46 %ASA-3-400023: IDS:2150 ICMP fragment from 10.100.7.53 DNS1 on interface external
2008-12-03 01:04:46 %ASA-3-400023: IDS:2150 ICMP fragment from 10.100.7.53 DNS1 on interface external
2008-12-03 01:04:46 %ASA-3-400023: IDS:2150 ICMP fragment from 10.100.7.53 DNS1 on interface external
2008-12-03 01:04:46 %ASA-3-400023: IDS:2150 ICMP fragment from 10.100.7.53 DNS1 on interface external
2008-12-03 02:38:02 %ASA-3-400023: IDS:2150 ICMP fragment from 10.100.7.78 DNS1 on interface external
2008-12-03 02:38:02 %ASA-3-400023: IDS:2150 ICMP fragment from 10.100.7.78 DNS1 on
(All 731 not shown here, but are in actual report)
What are Thresholds?
The threshold settings determine when and if email notification is generated: the maximum number of times an event may occur in any 5 minute timespan without a warning. Thresholds are assigned by category such as Facility, Priority, and Program.

How are Thresholds set?
By Device and/or User Defined Groups of Devices AND Category: Priority Level AND Program/Facility, AND they can be Custom (user defined).
Custom Thresholds feature: ability to define a custom event based on the contents of the syslog message.

Setting Thresholds:
Threshold settings determine when and if email notification is generated. Default settings produce NO alerts.
1. Determine the events that should cause an email to be sent to the administrator, such as:
- Emergency
- High incidence of critical events
- High incidence of events from the firewall
- User specific threshold based on the syslog contents
2. Determine if alerts or searches will be necessary by group in addition to by device. If necessary, create groups before setting thresholds.

When are Alerts sent?
1. New Event Alert: events are priority WARNING or higher AND the count of events in the last 5 minutes exceeds the threshold count.
2. Increased Event Alert: events are priority WARNING or higher AND the count of events in the last 5 minutes is more than double the previous 5 minute count AND the count is greater than 80% of the threshold value.
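The two alert rules above, evaluated the way the 5 minute correlation engine from the overview would evaluate them, as an added Python example (not ESM code). It assumes events are already parsed into (timestamp, program, severity) triples using the standard syslog numeric severities (WARNING = 4, lower numbers are more severe); the sample events are constructed.

```python
from datetime import datetime, timedelta

WARNING = 4                      # syslog severity; 0-4 count as "WARNING or higher"
WINDOW = timedelta(minutes=5)    # the ESM correlation interval

def window_counts(events, window_end, program):
    """Count WARNING-or-higher events for `program` in the 5 minute window
    ending at window_end and in the window immediately before it."""
    current = previous = 0
    for ts, prog, severity in events:
        if prog != program or severity > WARNING:
            continue                      # other program, or too low a priority
        if window_end - WINDOW < ts <= window_end:
            current += 1
        elif window_end - 2 * WINDOW < ts <= window_end - WINDOW:
            previous += 1
    return current, previous

def evaluate(events, window_end, program, threshold):
    """Apply the New Event and Increased Event rules; return the alert or None."""
    current, previous = window_counts(events, window_end, program)
    if current > threshold:                           # New Event Alert
        return "NEW_EVENT"
    if current > 2 * previous and current > 0.8 * threshold:
        return "INCREASED_EVENT"                      # Increased Event Alert
    return None

def sample_events():
    """Constructed sample data, not taken from a real device."""
    base = datetime(2008, 12, 3, 1, 0, 0)
    ev = [(base + timedelta(minutes=1, seconds=10 * i), "cisco-asa", 3)
          for i in range(3)]                          # previous window: 3 errors
    ev += [(base + timedelta(minutes=6, seconds=5 * i), "cisco-asa", 3)
           for i in range(9)]                         # current window: 9 errors
    ev.append((base + timedelta(minutes=7), "cisco-asa", 6))   # INFO: not counted
    ev += [(base + timedelta(minutes=8, seconds=i), "su", 5)
           for i in range(2)]                         # NOTICE: not counted
    return ev

SAMPLE_WINDOW_END = datetime(2008, 12, 3, 1, 10, 0)  # end of the current window

if __name__ == "__main__":
    for threshold in (8, 10, 20):
        print(threshold, evaluate(sample_events(), SAMPLE_WINDOW_END,
                                  "cisco-asa", threshold))
```

With a threshold of 8 the nine errors trip the New Event rule; with 10 they miss it but, being triple the previous window and above 80% of 10, trip the Increased Event rule; with 20 nothing fires.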
Here is a sample SQL query, looking for records with a specific error message within a specific time frame:
Compliance Reports Package

Five reports are available:
- User Logon Report
- User Logoff Report
- Failed User Logons
- Object Access Report
- IPS Summary Report (Cisco ASA required)
Summary Reports
- For all devices
- For a user defined group
- For a single device/host

Display Top Users and Top Hosts for each report type: Top 10, 25, 50, 100, 500, 1000.
View: screen display, printed report, or file to disk.