EventTracker Windows syslog User Guide
Publication Date: September 16, 2011
EventTracker, 8815 Centre Park Drive, Columbia MD 21045, www.eventtracker.com
Introduction
This document helps users configure EventTracker Syslog. EventTracker Syslog is designed to monitor Windows events and send them to third-party syslog receivers or FTP servers. It reads events from the Windows event log and forwards them as syslog messages to the receiver. EventTracker Syslog can also be configured to transfer files via FTP, SFTP and SCP. In EventTracker Syslog, the Windows manager and DLA manager are not available.
Table of Contents
EventTracker Windows syslog Installation
EventTracker Agent Configurations to forward windows events as syslog
Windows syslog Manager(s) Configuration
Agent configuration to forward logs to Syslog FTP Server
Configure FTP Server on Linux machine
Agent configuration to forward syslog messages to Syslog-ng server
Sample syslog-ng conf. file
EventTracker Windows syslog Installation
Click the link below to read the installation procedure for EventTracker Syslog.
Installation Guide

EventTracker Agent Configurations to forward windows events as syslog
EventTracker Syslog can forward Windows events as syslog messages, both online and offline. To enable syslog transfer, the user has to make changes at the EventTracker agent and at the syslog server as well.

Windows syslog Manager(s) Configuration
1. Open EventTracker - System Manager.
Figure 1
2. Click the Configure Agents button.
OR
Click Start >> Programs >> Prism Microsystems >> EventTracker >> EventTracker Agent.
EventTracker displays the EventTracker Agent Configuration window.
Figure 2
3. In the Syslog Manager(s) tab, click the Add button. EventTracker displays the Add Destination window.
Figure 3

Click ... To ...
Destination: Type the syslog destination name in this field. Make sure that EventTracker Syslog is installed on that system.
Port: Type the port number in this field. By default, the port number is 514.
Connect to Manager using: Select the appropriate option. The options are High performance mode (UDP) or Guaranteed Delivery Mode (TCP).
Event Delivery Mode, UDP: This is a connectionless network service, and there is no guarantee that the Manager will receive all the data blocks transported over UDP.
Event Delivery Mode, TCP: This is a connection-oriented network service, and there is a guarantee that the Manager will receive all the data blocks transported over TCP.
Configure Cache folder: Select the cache folder. This is used to store events locally on the Agent system when the connection to the EventTracker Manager is lost. This feature applies to the TCP mode of the agent.
Minimum Amount of Free space to be left on Storage Device (%): The purpose of TCP mode is to deliver events in a guaranteed way irrespective of connection problems, receiver status, etc. If the Agent is not able to communicate with the Receiver, it starts storing all the events as cache files in the specified folder (refer to Configure cache folder). If the receiver is down for weeks, the Agent keeps storing these files on disk, consuming disk space on critical systems. To control this, the option Minimum Amount of Free space to be left on Storage Device (%) stops storing events when the free disk space is less than the configured percentage. Example: when you configure 20%, the Agent stops writing events to disk when the free space drops below 20%. All of these apply only to TCP mode.

4. Enter/select the appropriate options, and then click the OK button.
5. Click Save on the EventTracker Agent Configuration window.

Modifying Event delivery modes in the EventTracker Agent Configuration window:
By default, Syslog selects the High Performance Mode (UDP) option. If you wish to select the Guaranteed Delivery - TCP mode option:
1. Click the Guaranteed Delivery Mode (TCP) option.
2. Select YES from the Encrypt dropdown.
3. Click the Authentication checkbox.
4. Browse for the Certificate file. This certificate file is in the Personal Information Exchange (PFX) format and is used for signing or encrypting data.
5. Enter the name of the certificate in the Certificate Common Name field.
6. Enter the correct password, which is used to protect the certificate, in the Password field.
7. Type the path of the cache folder in the Configure cache folder field. By default, EventTracker stores the cache in the C:\Program Files\Prism Microsystems\EventTracker\Agent\ged folder. You can modify the default path if you prefer a different folder to store the cache.
8. Set the minimum amount of free space to be left on the storage device in the Minimum amount of Free space to be left on Storage device (%) field.
9. Click OK.
10. Click Save on the EventTracker Agent Configuration window.
Agent configuration to forward logs to Syslog FTP Server
1. Launch EventTracker Agent configuration >> Click the Syslog FTP server tab.
Figure 4
2. Click the Add button to add the FTP server information. EventTracker Agent displays the Syslog FTP Destination pop-up window.
Figure 5
NOTE: In the case of SCP and SFTP, the Host Key fingerprint is required. To get the host key fingerprint, follow the instructions below:
I. Connect via SSH or PuTTY.
II. Enter the appropriate details for SCP or SFTP, and then click Open. You will get a PuTTY Security Alert message.
Figure 6
III. This alert message contains the host key fingerprint (marked in red). Note down the fingerprint and click the Cancel button. Before trusting it, compare it with the fingerprint read directly on the server (for example with ssh-keygen -l on the server's host key file), so that the agent is pinned to the genuine host rather than to whatever answered the connection.
3. Enter all the required details, and then click the OK button.
4. Click the Save button.
5. Verify that log files are being transferred to the FTP server.

Configure FTP Server on Linux machine
1. Log in to the Linux machine as the super user (root). By default, Linux ships with FTP, but the service is disabled. To enable this service, log in as root or become the super user.
Root login:
Figure 7
Super user login: this can be used to gain administrative rights if you have logged in with another user account.
Figure 8
2. Verify whether the FTP server is installed. If not, download the appropriate FTP installer package and install it. Run the following command to check whether the ftp package is installed:
# rpm -q ftp
3. Check whether the FTP daemon is running. Run the following command to check the daemon's configuration status:
# chkconfig --list vsftpd
Figure 9
If it is not running, start the FTP daemon by running the following command:
# service vsftpd start
Run the following command to configure vsftpd to start automatically on system startup:
# chkconfig vsftpd on
Change to the directory holding the FTP service configuration and edit the configuration file there:
# cd /etc/xinetd.d
Run the following command to restart the FTP service based on the previous state:
# service vsftpd restart
4. Create the folder where the received offline syslog files will be stored after they arrive via file transfer. Create a user and assign that user full permission on the newly created folder.
Figure 10
Figure 11
Agent configuration to forward syslog messages to Syslog-ng server
1. Configure the EventTracker agent. Open EventTracker Control Panel >> click EventTracker Agent Configuration >> click the Managers tab >> click the Edit button >> select Yes in the Encrypt dropdown >> locate the path of certificate.pfx >> enter the correct password >> click OK >> click Save.
Figure 12
NOTE: If you do not select Encryption, the syslog messages are transferred directly, in clear text.
If you select Encryption, then the certificate file must be present on both the agent and the server machine.
2. Create a folder called ca.d in /opt/syslog-ng and navigate to the folder /opt/syslog-ng/ca.d.
Figure 13
3. Create your RSA private key. This key is a 1024-bit RSA key, encrypted using Triple-DES and stored in PEM format so that it is readable as ASCII text. (1024 bits was the size used by this 2011 guide; current guidance is 2048 bits or more.)
4. Run the following command:
openssl genrsa -des3 -out server.key 1024
Figure 14
5. Once the private key is generated, a Certificate Signing Request (CSR) can be generated. The CSR can then be used in one of two ways:
I. The CSR is sent to a Certificate Authority, such as Thawte or VeriSign, who will verify the identity of the requestor and issue a signed certificate.
II. The second option is to self-sign the CSR (step 7).
Run the following command to generate the CSR:
openssl req -new -key server.key -out server.csr
Figure 15
Note: During the generation of the CSR, you will be prompted for several pieces of information. These are the X.509 attributes of the certificate. One of the prompts will be for "Common Name (e.g., YOUR name)". It is important that this field be filled in with the fully qualified domain name of the server to be protected by SSL (you may give either the name of the Linux machine or the name of the EventTracker agent machine).
6. Use the following commands to remove the pass-phrase from the key:
cp server.key server.key.org
Figure 16
openssl rsa -in server.key.org -out server.key
Figure 17
7. To generate a self-signed certificate, run the following command:
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Figure 18
8. Export the certificate to .pfx format so that it can be used on the EventTracker agent machine:
openssl pkcs12 -export -out certificate.pfx -inkey server.key -in server.crt
Figure 19
9. Get the hash value of the certificate and create a link named after it, which is how syslog-ng locates the certificate in its ca_dir:
openssl x509 -noout -hash -in server.crt
ln -s server.crt <hashvalue>.0
Figure 20
10. Transfer certificate.pfx to the EventTracker agent machine. If you are using FTP to transfer it, use binary mode.
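The certificate steps 3 to 9 above, collected into one non-interactive script as an added example (this is not part of the EventTracker guide), with the two checks a practitioner would run before pointing syslog-ng's ca_dir() at the result. It assumes openssl is on the PATH, uses a scratch directory in place of /opt/syslog-ng/ca.d, a placeholder common name and PKCS#12 password, a 2048-bit key instead of the guide's 1024, and generates the key without the -des3 passphrase that step 6 removes again.

```shell
#!/bin/sh
# Added example, not from the EventTracker guide. Reproduces steps 3-9
# of the syslog-ng certificate procedure in a scratch directory and
# verifies the result the way syslog-ng's ca_dir() lookup will use it.
set -eu

make_syslog_tls_material() {
    dir="$1"   # stands in for /opt/syslog-ng/ca.d
    cn="$2"    # FQDN of the syslog-ng host (placeholder in the test)
    mkdir -p "$dir"
    # Steps 3/4: private key. Assumption: 2048 bits (guide used 1024);
    # no -des3 passphrase, since step 6 strips it anyway.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    # Step 5: CSR; -subj answers the X.509 prompts, CN = server FQDN.
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/CN=$cn"
    # Step 7: self-signed certificate valid for one year.
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    # Step 8: PKCS#12 bundle for the agent side (placeholder password).
    openssl pkcs12 -export -out "$dir/certificate.pfx" \
        -inkey "$dir/server.key" -in "$dir/server.crt" \
        -passout pass:changeit
    # Step 9: <subject-hash>.0 link so ca_dir() can find the CA cert.
    hash=$(openssl x509 -noout -hash -in "$dir/server.crt")
    ln -sf server.crt "$dir/$hash.0"
}

# Check 1: returns 0 when the directory works as a CApath trust store,
# i.e. syslog-ng's peer-verify(required-trusted) can chain to it.
verify_ca_dir() {
    openssl verify -CApath "$1" "$1/server.crt" >/dev/null 2>&1
}

# Check 2: prints the subject (CN) the agent must be configured with.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1/server.crt" \
        | sed 's/^subject=//'
}
```

Run cert_cn against the real ca.d to confirm the Certificate Common Name entered in the agent matches what the server actually presents.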
Figure 21
11. On the Syslog-ng machine, edit syslog-ng.conf. A sample syslog-ng.conf is given below for reference. This configuration writes the logs received from the EventTracker agent to the /var/log/etmessages file; add rotation for this log so that it does not grow too large. To rotate /var/log/etmessages, you can use logrotate; refer to the logrotate man page.
Sample syslog-ng conf. file

@version: 3.2
# Default configuration file for syslog-ng.
#
# For a description of syslog-ng configuration file directives, please read
# the syslog-ng Administrator's guide at:
#
# http://www.balabit.com/dl/html/syslog-ng-admin-guide_en.html/bk01-toc.html
#
options { create_dirs(yes); };

# Create the source driver to receive the logs over TLS
source s_syslog_tls {
    tcp(
        ip('192.168.1.13')
        port(1514)
        tls(
            peer-verify(required-trusted)
            ca_dir('/opt/syslog-ng/ca.d/')
            key_file('/opt/syslog-ng/ca.d/server.key')
            cert_file('/opt/syslog-ng/ca.d/server.crt')
        )
    );
};

# Create a destination to store the received logs in the etmessages file.
destination logmessages { file("/var/log/etmessages"); };

# Write the received logs to the etmessages file.
log { source(s_syslog_tls); destination(logmessages); };