Guardium7: Windows Event Log Capture
Guardium V7 - July 2009
Rodrigo Bisbal

Highlights:
- Detect Active Directory account events such as: user creation, modification & deletion, failed domain logins, logins, log outs, etc.
- Detect SQL Server startup or shutdown
- Detect any other critical server application or security events
- Send real-time and correlation alerts
- Integrated Guardium reporting
- Integrated with Guardium Workflow Automation
- Help detect risky authentication patterns: failed logins, after-hours logins, etc.

All files needed for this exercise are in the TSE FTP Folder.

Goal
To monitor crucial events from the Windows Event Log and collect them on the Guardium system for centralized and automated auditing, alerting and reporting. We will focus on two typical scenarios:
1. Monitor Active Directory user activity
2. Monitor SQL Server startup and shutdown

Step 1: Install ActivePerl (Perl for Windows)
Get it from the TSE FTP account, under the Software folder, or download it from www.activestate.com

Step 2: Test the Event Viewer scripts from the CMD shell
Create a directory on the Windows Server as C:\monitor-events
Copy the two sample event reader scripts from the TSE FTP account:
  read_events_id.pl
  read_events_sql.pl
Open a cmd shell and try running the scripts. The output should look like this:
Run script read_events_id.pl:
Run script read_events_sql.pl:

Step 3: Create CAS Template
Create a new CAS Template with these properties:
Add To Set: Script To Monitor SQL Server Start/Stop:
Add To Set: Script To Monitor Active Directory User activity:

Step 4: Install Template on CAS Host
Go to Configure CAS host, select the Windows Server, make sure the CAS service is running, and click on Modify:
Click on Add, then add the template created in Step 3 (Monitor Event Logs), and click Save:
Click on Refresh List and make sure you have 2 Monitored Items, or as many items as you had in the template:

Step 5: Generate Activity
Now go ahead and log in to the Windows server and create a new domain user. This will trigger EventID 626 (User Account Enabled), which will be detected by the script read_events_id.pl. Edit this script and add the event ID numbers that need to be detected; there is an event ID for every action: new user, drop user, change password, failed login, etc.
Also go ahead and stop SQL Server. This will be detected by the second script, read_events_sql.pl. Open this script and you can see it is scanning the Application log for these strings: "service started", "SQL Server is now ready" and "Server is terminating". If you need to modify this, go ahead, but test it first on the CMD shell.

Step 6: Create Reports
Go to the Assess/Harden -> Change Reports tab and look for the CAS Saved Data report.
If you don't have this tab, no worries: under the CAS domain look for the CAS Saved Data report and place it in your portal.
CAS Saved Data Report:
Double click to drill down and View Difference; see that domain account mgamache was added:
Or view report for SQL Server startup/shutdown:
Drill down and View Difference to see that SQL Server was shut down:

Appendix A: sample event viewer scripts
1) Script to detect SQL Server Start/Stop

#!c:\perl\bin\perl.exe
# Guardium CAS script to detect SQL Server Start/Stop
use strict;
use Win32::EventLog;

# Server to read from: first command-line argument, or the local machine
my $server = shift || Win32::NodeName;

## CONFIG
## Set this to one of these EventLog types:
## Application, Security, System
## For SQL Server events use "Application"
my $event_type = "Application";

GetEvents($server, $event_type);

#----------------------------------------------------
# GetEvents()
# Input:  Server name, EventLog
# Output: Log entries, to STDOUT
#----------------------------------------------------
sub GetEvents {
    ## CONFIG
    ## Look at sample EventLog entries and identify the
    ## string to match under the Source column:
    ## For MSSQL use "MSSQLSERVER", or for failed logins and security events use "Security"
    ## my $search_source = ".";
    my $search_source = "MSSQLSERVER";

    my ($server, $log) = @_;
    my ($evt, $total, $oldest, $evtHashRef);
    my $start = 0;

    $evt = Win32::EventLog->new($log, $server)
        || die "Could not open $log log on $server: $!\n";
    $evt->GetNumber($total)
        || die "Can't get number of EventLog records: $!\n";
    $evt->GetOldest($oldest)
        || die "Can't get number of oldest EventLog record: $!\n";

    while ($start < $total) {
        $evt->Read(EVENTLOG_FORWARDS_READ | EVENTLOG_SEEK_READ, $oldest + $start, $evtHashRef)
            or die "Can't read EventLog entry #$start\n";
        # Keep the low 16 bits only: the high word carries severity/facility flags
        my $eventid      = (${$evtHashRef}{EventID} & 0xffff);
        my $source       = ${$evtHashRef}{Source};
        my $recordnumber = ${$evtHashRef}{RecordNumber};
        my $timeg        = localtime(${$evtHashRef}{TimeGenerated});
        # Expand the message text in place (fills in $evtHashRef->{Message})
        Win32::EventLog::GetMessageText($evtHashRef);
        my $msg = $evtHashRef->{Message};

        if ($source =~ /$search_source/) {
            ## CONFIG
            ## Even more filtering. If you are looking for specific
            ## message strings, enter them here:
            ## Match for SQL Server start/stop
            if ($msg =~ /service started/
                || $msg =~ /SQL Server is now ready/
                || $msg =~ /SQL Server is terminating/) {
                print "-" x 75;
                print "\n";
                print "Source: $source\n";
                print "RecordNumber: $recordnumber\n";
                print "Time: $timeg\n";
                print "Message: $msg\n";
                print "Event_ID: $eventid\n";
            }
        }
        # Advance to the next record whether or not it matched; otherwise a
        # non-matching record would be re-read forever
        $start++;
    }
}

2) Script to audit AD user account events

#!c:\perl\bin\perl.exe
## Guardium CAS script to search EventLog by Event_ID
use strict;
use Win32::EventLog;

# Server to read from: first command-line argument, or the local machine
my $server = shift || Win32::NodeName;

## CONFIG
## Set this to one of these EventLog types:
## Application, Security, System
## my $event_type = "Application";
my $event_type = "Security";

GetEvents($server, $event_type);

#----------------------------------------------------
# GetEvents()
# Input:  Server name, EventLog
# Output: Log entries, to STDOUT
#----------------------------------------------------
sub GetEvents {
    ## SET VARIABLES
    my ($server, $log) = @_;
    my ($evt, $total, $oldest, $evtHashRef);
    my $start = 0;

    ## SEE BELOW FOR SAMPLE EVENT IDs
    ## THIS IS WHERE YOU CONTROL WHAT EVENTS TO LOOK FOR
    ## Add events to this list, separated by "|", example: n|n|n|n|n...
    my $event_ids = "642|626";

    ## SAMPLE EVENT IDs
    ## 626 - User Account Enabled ( New Account )
    ## 630 - Account Deleted
    ## 642 - User Account Changed
    ## 540 - Successful Network Logon
    ## 538 - User Log Off
    ## 517 - Audit Log was cleared

    $evt = Win32::EventLog->new($log, $server)
        || die "Could not open $log log on $server: $!\n";
    $evt->GetNumber($total)
        || die "Can't get number of EventLog records: $!\n";
    $evt->GetOldest($oldest)
        || die "Can't get number of oldest EventLog record: $!\n";

    while ($start < $total) {
        $evt->Read(EVENTLOG_FORWARDS_READ | EVENTLOG_SEEK_READ, $oldest + $start, $evtHashRef)
            or die "Can't read EventLog entry #$start\n";
        # Keep the low 16 bits only: the high word carries severity/facility flags
        my $eventid      = (${$evtHashRef}{EventID} & 0xffff);
        my $source       = ${$evtHashRef}{Source};
        my $recordnumber = ${$evtHashRef}{RecordNumber};
        my $timeg        = localtime(${$evtHashRef}{TimeGenerated});
        # Expand the message text in place (fills in $evtHashRef->{Message})
        Win32::EventLog::GetMessageText($evtHashRef);
        my $msg = $evtHashRef->{Message};

        # Anchored so that a listed ID such as 626 does not also accept 1626
        if ($eventid =~ /^(?:$event_ids)$/) {
            ## CONFIG
            ## Even more filtering. If you are looking for specific
            ## message strings, enter them here:
            ## if ($msg =~ /match string 1/ || $msg =~ /match string 2/) {
            print "-" x 75;
            print "\n";
            print "Time: $timeg Source: $source RecordNumber: $recordnumber\n";
            print "Event_ID: $eventid\n";
            print "Message: $msg";
            ## }
        }
        $start++;
    }
}

About the Guardium Platform
Guardium's real-time database security and monitoring solution monitors all access to sensitive data, across all major DBMS platforms and applications, without impacting performance or requiring changes to databases or applications.
The solution prevents unauthorized or suspicious activities by privileged insiders, potential hackers, and end-users of enterprise applications such as Oracle EBS, PeopleSoft, Siebel, JD Edwards, SAP, Business Intelligence and in-house systems. Additional modules are available for performing database vulnerability assessments, change and configuration auditing, data-level access control and blocking, data discovery and classification, and compliance workflow automation.
Forrester Research recently named Guardium a Leader across the board, with dominance and momentum on its side. Guardium earned the highest overall scores for Architecture, Current Offering and Corporate Strategy (The Forrester Wave: Enterprise Database Auditing And Real-Time Protection, Q4 2007 by Noel Yuhanna, October 2007).

About Guardium
Guardium, the database security company, delivers the most widely-used solution for ensuring the integrity of enterprise information and preventing information leaks from the data center. The company's enterprise security platform is now installed in more than 450 data centers worldwide, including 3 of the top 4 global banks; 2 of the top 3 global retailers; one of the world's largest PC manufacturers; a global soft drink brand; and a leading supplier of business intelligence software. Founded in 2002, Guardium was the first company to address the core data security gap by delivering a scalable enterprise platform that both protects databases in real-time and automates the entire compliance auditing process.

For more information, please contact your Guardium partner, Regional Sales Manager or visit www.guardium.com.

Copyright 2009 Guardium. All rights reserved. Information in this document is subject to change without notice. Guardium, Safeguarding Databases, and S-TAP are trademarks of Guardium. All other trademarks and service marks are the property of their respective owners.
VADS-PN 1108
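As an added illustration that is not part of this tech note or of the Guardium scripts, the following Python sketch reproduces the two filters applied by the Appendix A scripts over constructed sample records: the 0xffff masking of the raw EventID, the Source-then-message test of read_events_sql.pl, and the event-ID list of read_events_id.pl, contrasting a bare /642|626/ match with an anchored one. The record layout and all IDs, sources and messages below are constructed for the demonstration.

```python
import re

# Constructed sample records in the shape Win32::EventLog hands back
# (RecordNumber, raw 32-bit EventID, Source, Message); not real log data.
SAMPLE_EVENTS = [
    {"RecordNumber": 1001, "EventID": 0x00000272, "Source": "Security",
     "Message": "User Account Enabled: Target Account Name: mgamache"},
    {"RecordNumber": 1002, "EventID": 0x0000065A, "Source": "Security",
     "Message": "Unrelated event; its ID 1626 merely contains 626"},
    {"RecordNumber": 1003, "EventID": 0x40000282, "Source": "Security",
     "Message": "User Account Changed: Target Account Name: mgamache"},
    {"RecordNumber": 1004, "EventID": 0x00000A00, "Source": "MSSQLSERVER",
     "Message": "SQL Server is now ready for client connections."},
    {"RecordNumber": 1005, "EventID": 0x00000A01, "Source": "MSSQLSERVER",
     "Message": "SQL Server is terminating because of a system shutdown."},
    {"RecordNumber": 1006, "EventID": 0x00000A02, "Source": "MSSQLSERVER",
     "Message": "Routine checkpoint completed."},
]

# The three message strings read_events_sql.pl scans for
SQL_STATE_PATTERNS = ("service started", "SQL Server is now ready",
                      "SQL Server is terminating")


def event_id(record):
    """Keep the low 16 bits only, as the scripts' '& 0xffff' does: the high
    word of a raw EventID holds severity/facility flags, not the ID."""
    return record["EventID"] & 0xFFFF


def audit_by_event_id(events, event_ids="642|626", anchored=True):
    """read_events_id.pl filter. anchored=False is the bare /$event_ids/
    test, which also accepts IDs that merely contain a listed number."""
    pattern = rf"^(?:{event_ids})$" if anchored else event_ids
    return [r["RecordNumber"] for r in events
            if re.search(pattern, str(event_id(r)))]


def audit_sql_start_stop(events, source="MSSQLSERVER"):
    """read_events_sql.pl filter: Source match first, then message strings."""
    return [r["RecordNumber"] for r in events
            if re.search(source, r["Source"])
            and any(p in r["Message"] for p in SQL_STATE_PATTERNS)]


if __name__ == "__main__":
    print("AD account events:", audit_by_event_id(SAMPLE_EVENTS))
    print("AD, unanchored:   ", audit_by_event_id(SAMPLE_EVENTS, anchored=False))
    print("SQL start/stop:   ", audit_sql_start_stop(SAMPLE_EVENTS))
```

The unanchored run reports record 1002 (ID 1626) as an account event, which is the false positive the anchored form avoids.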