
June 14, 2004 SUNY Technology Conference

Centralized Logging

Bill Kramp, Network Administrator

Finger Lakes Community College

Centralized Logging

Logging Windows events and syslog messages to a central server for analysis.

Overview

- Reasons to log
- Centralized logging and analysis
- Unix
- Windows
- Open source
- Commercial
- Home brew solution at FLCC

Reasons to log events

- Record security events
- Monitoring applications
- Configuration changes
- Sarbanes-Oxley Act compliance
- HIPAA compliance
- Low in carbs!

Reasons for Centralized Logging

- Correlation of data
- Manageability
- Data integrity
- Time synchronization
- Real-time alert capability
- Single backup location for log data

Log Analysis Process

- Data sources
- Filtering
- Normalization
- Aggregation
- Correlation
- Report/Display

Data Sources

- Windows – event logs and applications
- Unix – syslog and applications
- Firewalls
- Routers
- Intrusion detection systems
- Host intrusion systems
- SNMP traps
- Honeypots

Windows Events

- Application
- System
- Security

Windows Events (Win2003)

- Application
- System
- Security
- DNS Server
- Directory Service
- File Replication Service

Security Event Categories

- Logon events
- Account logon events
- Object access events
- Directory service access events
- Privilege use events
- Process tracking events
- System events
- Policy change events

Syslog basics

- UDP messages sent on port 514
- Three parts to a message: PRI (priority), Header, MSG (message)
- PRI contains the severity and facility
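The three-part layout above, worked through in code. This is an added example written for this transcript, not code from the talk or from the FLCC project (which used Perl and POE): a small BSD syslog (RFC 3164) encoder and decoder in Python. It assumes the standard facility and severity numbering, that PRI = facility * 8 + severity, and that a stored line may have lost its PRI (collectors such as syslog-ng normally strip it when writing to disk). The sample lines are constructed from the PIX lines shown later in the talk, with a PRI of 163 (local4.err) prepended.

```python
import re
from datetime import datetime

# RFC 3164 facility and severity names, indexed by number. PRI = facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI> is optional: a collector writing lines to disk usually drops it. The header is
# the BSD timestamp (day space-padded, no year) and the hostname; the rest is MSG.
SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]?\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$",
    re.DOTALL,
)

def split_pri(pri):
    """Decode a PRI value into (facility_name, severity_name)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]

def make_pri(facility, severity):
    """Encode facility and severity names into the PRI number."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)

def parse_syslog(line, year=2004):
    """Split a BSD syslog line into PRI, header and MSG fields."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if m is None:
        raise ValueError(f"not a BSD syslog message: {line!r}")
    # The BSD timestamp carries no year, so the collector has to supply one.
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    record = {"timestamp": ts, "host": m.group("host"), "msg": m.group("msg"),
              "facility": None, "severity": None}
    if m.group("pri") is not None:
        # Note: PRI is chosen by the sender and arrives over unauthenticated UDP, so it is
        # a hint, not a trust decision. A PIX also embeds its own severity in the MSG id
        # (%PIX-3-... is severity 3), which can differ from the PRI severity.
        record["facility"], record["severity"] = split_pri(int(m.group("pri")))
    return record

def build_syslog(facility, severity, host, msg, when):
    """Encode a message the way a sender puts it on the wire (RFC 3164 layout)."""
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"   # day is space-padded to width 2
    return f"<{make_pri(facility, severity)}>{stamp} {host} {msg}"

# Constructed samples: PIX lines from the "Filtered HTML Report" slide, one with a
# <163> PRI (local4.err) prepended as a PIX logging to facility local4 would send it.
SAMPLE_TIME = datetime(2004, 6, 4, 23, 17, 30)
SAMPLE_WITH_PRI = ("<163>Jun  4 23:17:30 192.168.1.1 %PIX-3-710003: TCP access denied by ACL "
                   "from 192.168.1.9/32771 to inside:192.168.1.1/telnet")
SAMPLE_NO_PRI = "Jun 4 23:03:39 192.168.1.1 %PIX-6-302010: 4 in use, 76 most used"

if __name__ == "__main__":
    print(parse_syslog(SAMPLE_WITH_PRI))
    print(parse_syslog(SAMPLE_NO_PRI))
    print(build_syslog("local4", "err", "192.168.1.1", "test message", SAMPLE_TIME))
```

The regex accepts both the single-space "Jun 4" seen in the collector's files and the space-padded "Jun  4" of the wire format; a collector that rejects one of the two will silently lose messages from some senders.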

Unix syslog

- boot
- cron
- secure
- E-mail
- Kernel
- Local (0-7)

*nix Syslog Alternatives

- Syslog-ng – www.balabit.com/products/syslog_ng/
- SDSC Secure Syslog – sourceforge.net/projects/sdscsyslog/
- Modular Syslog – www.corest.com/corelabs/

Windows Syslog Alternatives

- Kiwi syslog – www.kiwisyslog.com
- Winsyslog – www.adiscon.com
- SL4NT – www.netal.com
- Syslog Daemon – www.triaction.nl
- Cisco syslog – www.cisco.com
- 3com Daemon – www.3com.com

Centralized Windows Events

LogAnalyst for Windows 2000 Server
- Central database of events
- Built-in report generator
- Available with Win2000 Resource Kit
- GUI interface
- www.cybersafe.com/centrax/cla1.html

Forwarding Windows Events

- Snare – www.intersect-alliance.com
- NTsyslog – ntsyslog.sourceforge.net
- Event Reporter – eventreporter.com
- Win32::EventLog (Perl module) – www.cpan.org

Commercial Log Analysis Tools

- enVision – www.opensystems.com
- Snare – www.intersect-alliance.com
- ServerVision – sunbelt-software.com
- MoniLog – www.monilog.com
- GFI LANguard – www.gfi.com
- neuSECURE – www.guarded.net

MoniLog

- Handles syslog and Windows events
- Windows based
- Rule engine to include or discard
- Reports – distributed by HTML or e-mail

enVision

- Many options for reports, nice console
- Appliance solution
- Models sold by the required sustained events per second
- Hardware supported: *nix, firewalls, switches, IDSs

neuSECURE

- Handles many log formats: Unix syslog, Windows events, SNMP traps
- Event aggregation
- Threat correlation

Open Source Monitoring Tools

- Swatch – swatch.sourceforge.net
- Logsurfer+ – www.crypt.gen.nz/logsurfer
- LogSentry – www.psionic.com
- POE – poe.perl.org
- SEC – simple-evcorr.sourceforge.net

Swatch

- “Grandfather” of log monitoring tools
- Simple expression matching
- Matches can trigger: execution of scripts, echoing the match to the console
- Throttle option to limit matches for a period of time

POE – Perl Object Environment

- Multitasking using events and handlers
- Can create separate objects to monitor multiple log files
- Tasks run in a single process
- Handlers can’t be interrupted
- DBI support for MySQL, etc.
- Support for pre-forking web server

Simple Event Correlator

- Applies pattern matching to files or pipes
- Rules for establishing both a low and a high level threshold setting
- Pairing of multiple events within a time window
- Suppression rules
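The three rule types on this slide (suppression, two-level thresholds, pairing within a time window), shown working on PIX login messages. This is an added example for this transcript, not SEC itself and not the FLCC code: a minimal correlator in Python rather than SEC's rule files. It assumes the PIX 605004 (login denied) and 605005 (login permitted) message texts as they appear on the "Filtered HTML Report" slide, treats the per-minute 302010 connection counter as noise to suppress, and assumes a BSD syslog header with no year. The log excerpt is constructed in the page's format; the 605004/605005 sequence for the same user and source is the case a defender wants paired, since a success right after a burst of failures is what a guessed password looks like.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# BSD syslog header as the collector writes it: "Mon dd HH:MM:SS host msg"
HEADER_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]?\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
# PIX login audit messages and the noisy connection counter (texts as on the report slide).
DENIED_RE = re.compile(r'%PIX-6-605004: Login denied from (?P<src>[\d.]+)/\d+ to \S+ for user "(?P<user>[^"]+)"')
PERMITTED_RE = re.compile(r'%PIX-6-605005: Login permitted from (?P<src>[\d.]+)/\d+ to \S+ for user "(?P<user>[^"]+)"')
SUPPRESS_RE = re.compile(r"%PIX-6-302010:")

def parse_time(stamp, year=2004):
    # BSD timestamps carry no year, so the correlator has to assume one.
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

class Correlator:
    """SEC-style rules: suppress, two-level threshold, and pair within a sliding window."""

    def __init__(self, window_s=60, low=3, high=5):
        self.window = timedelta(seconds=window_s)
        self.low, self.high = low, high
        self.failures = defaultdict(deque)   # (src, user) -> denial times still inside the window
        self.fired = {}                      # (src, user) -> highest threshold already reported
        self.alerts = []                     # (kind, key, count, time)

    def _prune(self, key, now):
        """Drop denials older than the window; once it is empty, thresholds may fire again."""
        q = self.failures[key]
        while q and now - q[0] > self.window:
            q.popleft()
        if not q:
            self.fired.pop(key, None)
        return q

    def feed(self, line):
        """Run one line through the rules; return the alerts it produced (possibly none)."""
        m = HEADER_RE.match(line)
        if m is None:
            return []
        msg = m.group("msg")
        if SUPPRESS_RE.search(msg):
            return []                        # suppression rule: drop before the other rules see it
        now = parse_time(m.group("ts"))
        out = []
        d = DENIED_RE.search(msg)
        if d:                                # threshold rule, keyed by source address and user
            key = (d.group("src"), d.group("user"))
            q = self._prune(key, now)
            q.append(now)
            n, level = len(q), self.fired.get(key, 0)
            if n >= self.high and level < self.high:
                out.append(("HIGH", key, n, now))
                self.fired[key] = self.high
            elif n >= self.low and level < self.low:
                out.append(("LOW", key, n, now))
                self.fired[key] = self.low
        p = PERMITTED_RE.search(msg)
        if p:                                # pair rule: success preceded by denials in the window
            key = (p.group("src"), p.group("user"))
            q = self._prune(key, now)
            if q:
                out.append(("PAIR", key, len(q), now))
                q.clear()
                self.fired.pop(key, None)
        self.alerts.extend(out)
        return out

# Constructed log excerpt modelled on the PIX lines from the "Filtered HTML Report" slide.
SAMPLE_LOG = """\
Jun 4 23:13:39 192.168.1.1 %PIX-6-302010: 1 in use, 76 most used
Jun 4 23:15:01 192.168.1.1 %PIX-6-605004: Login denied from 192.168.1.52/3140 to inside:192.168.1.1/https for user "enable_15"
Jun 4 23:15:10 192.168.1.1 %PIX-6-605004: Login denied from 192.168.1.52/3142 to inside:192.168.1.1/https for user "enable_15"
Jun 4 23:15:20 192.168.1.1 %PIX-6-605004: Login denied from 192.168.1.52/3145 to inside:192.168.1.1/https for user "enable_15"
Jun 4 23:15:31 192.168.1.1 %PIX-6-605004: Login denied from 192.168.1.52/3148 to inside:192.168.1.1/https for user "enable_15"
Jun 4 23:15:38 192.168.1.1 %PIX-6-605005: Login permitted from 192.168.1.52/3149 to inside:192.168.1.1/https for user "enable_15"
Jun 4 23:16:14 192.168.1.1 %PIX-7-111009: User 'enable_15' executed cmd: show ip address outside
"""

def run(lines=SAMPLE_LOG, **settings):
    """Feed every line through a fresh Correlator and return the alerts in order."""
    c = Correlator(**settings)
    for line in lines.splitlines():
        c.feed(line)
    return c.alerts

if __name__ == "__main__":
    for alert in run():
        print(alert)
```

With the defaults (60 s window, low 3, high 5) the excerpt yields a LOW alert at the third denial and a PAIR alert when the login succeeds with four denials still inside the window; shrink the window to 5 s and nothing fires, which is the tuning question every threshold rule raises.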

Home Brew Solution

Log Sources

- PIX firewalls: primary and redundant PIXs, Extension Center PIXs, X-net PIXs
- Windows servers: DNS, web, SAN
- Linux servers: DNS, service monitoring
- SNMP traps: network switches, UPSs

FLCC Project

- Need to send all log messages from the different sources to a single logging server
- Save all the raw data, and burn to DVD
- Filter out incidents (messages) that are not important
- Normalize the data from the different sources
- Write filtered data to database
- Display the important events on a single web based interface

Centralized Logging

Normalization Issue

PIX: Oct 8 23:55:02 172.16.254.254 Oct 08 2003 23:55:01: %PIX-6-302014: Teardown TCP connection 2749949 for outside:24.24.54.63/4910 to dmz1:172.19.1.7/8900 duration 0:00:15 bytes 9995 TCP Reset-O

Honeypot: 2004-06-10-12:52:18.0891 tcp(6) S 172.17.203.61 33015 172.17.222.1 80

Windows: Jun 10 08:52:39 krampwd-network MSWinEventLog 1 System 9717 Thu Jun 10 08:52:39 2004 18 Automatic Updates N/A N/A Information KRAMPWD-NETWORK Disk Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on Thursday, June 10, 2004 at 11:00 AM. - Security Update for DirectX 8.1 (KB839643) 1

Filtered HTML Report

Jun 4 23:17:30 192.168.1.1 %PIX-3-710003: TCP access denied by ACL from 192.168.1.9/32771 to inside:192.168.1.1/telnet
Jun 4 23:16:14 192.168.1.1 %PIX-7-111009: User 'enable_15' executed cmd: show ip address outside
Jun 4 23:15:38 192.168.1.1 %PIX-6-605005: Login permitted from 192.168.1.52/3149 to inside:192.168.1.1/https for user "enable_15"
Jun 4 23:15:31 192.168.1.1 %PIX-6-605004: Login denied from 192.168.1.52/3148 to inside:192.168.1.1/https for user "enable_15"
Jun 4 23:13:39 192.168.1.1 %PIX-6-302010: 1 in use, 76 most used
Jun 4 23:03:39 192.168.1.1 %PIX-6-302010: 4 in use, 76 most used
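The "Normalization Issue" slide and this filtered report together describe the middle of the FLCC pipeline: three unrelated line formats go in, a common record comes out, a filter drops what is not important, and the rest is rendered as HTML. The following is an added example for this transcript, written in Python and not the project's Perl code. Its assumptions: the PIX layout (collector stamp, host, the PIX's own stamp with the year, then %PIX-severity-id), the honeypot's date-time/proto/flags/src/sport/dst/dport layout, and Snare's tab-separated field order for Windows events (the tabs were flattened to spaces in the slide text, so the Windows samples below are constructed with tabs). The severity assigned to honeypot hits and Windows event types, and the keep-list that lets the debug-level PIX command audit (111009) through, are the example's own policy choices; the filtered report on the slide shows that choice made by a rule engine rather than by severity alone.

```python
import html
import re
from datetime import datetime

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Cisco PIX over syslog: collector stamp and host, optional PIX stamp (carries the year),
# then %PIX-<severity>-<message id>: text.
PIX_RE = re.compile(
    r"^(?P<rts>[A-Z][a-z]{2} [ \d]?\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?:(?P<dts>[A-Z][a-z]{2} \d\d \d{4} \d\d:\d\d:\d\d): )?"
    r"%PIX-(?P<sev>\d)-(?P<msgid>\d+): (?P<text>.*)$")

# Honeypot connection log: YYYY-MM-DD-HH:MM:SS.frac proto(num) flags src sport dst dport
HONEYPOT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d-\d\d:\d\d:\d\d)\.\d+ (?P<proto>\w+)\(\d+\) (?P<flags>\S+) "
    r"(?P<src>[\d.]+) (?P<sport>\d+) (?P<dst>[\d.]+) (?P<dport>\d+)$")

# Policy choices for this example (0 = most urgent, as in syslog).
WIN_TYPE_SEVERITY = {"Error": 3, "Warning": 4, "Failure Audit": 4, "Success Audit": 5, "Information": 6}
HONEYPOT_SEVERITY = 4          # nothing legitimate talks to a honeypot, so every hit is worth a look
ALWAYS_KEEP = {"111009"}       # PIX command audit is debug level but belongs in the report

def normalize(line, year=2004):
    """Map one raw line to a common record, or None if the format is unknown."""
    m = PIX_RE.match(line)
    if m:
        if m.group("dts"):     # prefer the device clock: it carries the year
            ts = datetime.strptime(m.group("dts"), "%b %d %Y %H:%M:%S")
        else:                  # collector stamp has no year; assume one
            ts = datetime.strptime(f"{year} {m.group('rts')}", "%Y %b %d %H:%M:%S")
        ips = IPV4_RE.findall(m.group("text")) + [None, None]   # first two addresses, if any
        return {"ts": ts, "source": "pix", "host": m.group("host"), "severity": int(m.group("sev")),
                "msgid": m.group("msgid"), "src_ip": ips[0], "dst_ip": ips[1], "msg": m.group("text")}
    m = HONEYPOT_RE.match(line)
    if m:
        return {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%d-%H:%M:%S"), "source": "honeypot",
                "host": m.group("dst"), "severity": HONEYPOT_SEVERITY, "msgid": "honeypot",
                "src_ip": m.group("src"), "dst_ip": m.group("dst"),
                "msg": f"{m.group('proto')} {m.group('src')}:{m.group('sport')} -> "
                       f"{m.group('dst')}:{m.group('dport')} flags {m.group('flags')}"}
    _, sep, rest = line.partition("\tMSWinEventLog\t")
    if sep:
        f = rest.split("\t")
        # f: criticality, log name, counter, date/time, event id, source, user, SID type,
        #    event type, computer, category, data string, ...
        return {"ts": datetime.strptime(f[3], "%a %b %d %H:%M:%S %Y"), "source": "windows",
                "host": f[9], "severity": WIN_TYPE_SEVERITY.get(f[8], 6), "msgid": f[4],
                "src_ip": None, "dst_ip": None, "msg": f"{f[5]} ({f[1]} log): {f[11]}"}
    return None

def normalize_all(lines, year=2004):
    return [r for r in (normalize(line, year) for line in lines) if r is not None]

def filter_events(records, max_severity=6):
    """Keep events at or above the urgency threshold plus message ids on the keep list."""
    return [r for r in records if r["severity"] <= max_severity or r["msgid"] in ALWAYS_KEEP]

COLUMNS = ("ts", "source", "host", "severity", "src_ip", "dst_ip", "msg")

def html_report(records):
    """Render records newest-first as an HTML table. Every cell is escaped: log text is
    written by whoever caused the event, so it must never reach the browser as markup."""
    rows = ["<tr>" + "".join(f"<th>{c}</th>" for c in COLUMNS) + "</tr>"]
    for r in sorted(records, key=lambda r: r["ts"], reverse=True):
        cells = [r["ts"].isoformat(sep=" "), r["source"], r["host"], str(r["severity"]),
                 r["src_ip"] or "", r["dst_ip"] or "", r["msg"]]
        rows.append("<tr>" + "".join(f"<td>{html.escape(c)}</td>" for c in cells) + "</tr>")
    return "<table>\n" + "\n".join(rows) + "\n</table>"

# Constructed samples in the three formats from the "Normalization Issue" slide (Windows
# lines rebuilt with tabs as Snare emits them) plus two PIX lines from the report slide.
SAMPLE_LINES = [
    "Oct 8 23:55:02 172.16.254.254 Oct 08 2003 23:55:01: %PIX-6-302014: Teardown TCP connection 2749949 "
    "for outside:24.24.54.63/4910 to dmz1:172.19.1.7/8900 duration 0:00:15 bytes 9995 TCP Reset-O",
    "2004-06-10-12:52:18.0891 tcp(6) S 172.17.203.61 33015 172.17.222.1 80",
    "Jun 10 08:52:39 krampwd-network\tMSWinEventLog\t1\tSystem\t9717\tThu Jun 10 08:52:39 2004\t18\t"
    "Automatic Updates\tN/A\tN/A\tInformation\tKRAMPWD-NETWORK\tDisk\t"
    "Installation Ready: The following updates are downloaded and ready for installation.\t1",
    "Jun 4 23:16:14 192.168.1.1 %PIX-7-111009: User 'enable_15' executed cmd: show ip address outside",
    "Jun 4 23:17:30 192.168.1.1 %PIX-3-710003: TCP access denied by ACL from 192.168.1.9/32771 to inside:192.168.1.1/telnet",
    "Jun 10 09:01:12 krampwd-network\tMSWinEventLog\t2\tSystem\t9718\tThu Jun 10 09:01:12 2004\t7036\t"
    "Service Control Manager\tN/A\tN/A\tWarning\tKRAMPWD-NETWORK\tNone\t"
    "Service <Print Spooler> entered the stopped state.\t1",
]

if __name__ == "__main__":
    print(html_report(filter_events(normalize_all(SAMPLE_LINES), max_severity=4)))
```

Two details matter in practice: the PIX sample's collector and device clocks differ by a second, which is why the talk lists time synchronization among the reasons for central logging (the record keeps the device clock because it carries the year), and the last Windows sample carries angle brackets in its data string, which `html.escape` turns into harmless text in the report.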

Event 1 Graph – Jan 25, 2003

Slammer Syslog Entries

Jan 25 00:29:42 router Jan 25 2003 01:32:12: %PIX-4-106023: Deny udp src outside:216.120.67.34/2596 dst library:192.156.234.247/1434 by access-group "acl-outside"

Event 2 Graph – Oct. 9, 2003

Welchia Syslog Entries

Oct 9 13:43:00 172.16.254.254 Oct 09 2003 13:42:59: %PIX-3-305005: No translation group found for icmp src student:172.17.203.169 dst inside:172.16.46.148 (type 8, code 0)

Event 2 Graph Detail

Open Source Tools Used

- Syslog-ng
- Snare
- POE – Perl Object Environment
- GD Graphics Library – www.boutell.com
- GDgraph module by Martien Verbruggen
- MySQL
- Apache
- SEC – Simple Event Correlator
- CRM-114 Bayesian Filter

What’s the solution?

- Depends on data sources
- Supported operating systems
- What are the report/alert requirements?
- Comfort level with open source
- Affordable commercial solutions

Things to consider

- Throughput (messages per second)
- Hashing signatures
- Encryption
- Bayesian and statistical filters
- Stealth logging

Hardware Issues

- Dual processors and/or hyper-threading
- Lots of memory
- Fast SCSI drives
- DVD or tape for data backups
- Separate servers for data collection and database

Web Resources

- http://www.loganalysis.org
- http://rr.sans.org
- http://www.microsoft.com/technet/

www.loganalysis.org Site

- Centralizing Logging
- Complete Reference Guide to Creating a Remote Log Server
- Configuring and using syslogd to collect logging messages on systems running Solaris 2.x
- Centralized Logging using Logsentry in a Large UNIX Environment – Saleem Kazmi paper for SANS GIAC certification
- Practical Implementations of syslog in Mixed Windows Environments for Secure Centralized Audit Logging – from the SANS reading room

rr.SANS.org Reading Room – Logging Issues

- The Importance of Logging and Traffic Monitoring for Information Security – Seham GadAllah, April 19, 2004
- Centralizing Event Logs on Windows 2000 – Gregory Lalla, GSEC, April 4, 2003
- Security Management Systems: An Oversite Layer for Layers of Defense – Dan Keldsen, September 4, 2003
- The Ins and Outs of System Logging Using Syslog – Ian Eaton, GSEC-3077, August 14, 2003

Mixed Environment Logging

Garbrecht, Frederick C. Practical Implementation of Syslog in Mixed Windows Environments for Secure Centralized Audit Logging. 10 June 2004. <http://www.sans.org/rr/papers/9/713.pdf>

Visualization Techniques

Takada, Tetsuji and Koike, Hideki. MieLog. 10 June 2004. University of Electro-Communications. <http://www.vogue.is.uec.ac.jp/~koike/papers/mielog/FormattedPaperLISA02.pdf>

Filtering and Correlation

Chyssler, Tobias, Nadjm-Tehrani, Stefan and Burbeck, Kalle. Alarm Reduction and Correlation in Defense of IP Networks. 10 June 2004. <http://www.ida.liu.se/~rtslab/publications/2004/Chyssler04_wetice.pdf>

Books and Guides

Bauer, Michael. Building Secure Servers with Linux. O’Reilly, 2002.

Microsoft Solution for Securing Windows 2000 Server, Chapter 9: Auditing and Intrusion Detection. 10 June 2004. <http://www.microsoft.com/technet/Security/prodtech/win2000/secwin2k/default.mspx>

End of presentation

Please remember to fill out the form.

E-mail questions to krampwd@flcc.edu

The full presentation will be available online at my web page: http://paws.flcc.edu/~krampwd/presentations/

Thank you for attending.