Centralized Logging. Bill Kramp, Network Administrator, Finger Lakes Community College. SUNY Technology Conference
Centralized Logging: logging Windows events and syslog messages to a central server for analysis.
Overview • Reasons to log • Centralized logging and analysis • Unix • Windows • Open source • Commercial • Home-brew solution at FLCC
Reasons to log events • Record security events • Monitor applications • Track configuration changes • Sarbanes-Oxley Act compliance • HIPAA compliance • Low in carbs!
Reasons for Centralized Logging • Correlation of data across sources • Manageability • Data integrity (a copy the compromised host cannot alter) • Time synchronization • Real-time alert capability • Single backup location for log data
Log Analysis Process • Data sources • Filtering • Normalization • Aggregation • Correlation • Report/Display
Data Sources • Windows – event logs and applications • Unix – syslog and applications • Firewalls • Routers • Intrusion detection systems • Host intrusion detection systems • SNMP traps • Honeypots
Windows Events • Application • System • Security
Windows Events (Windows Server 2003) • Application • System • Security • DNS Server • Directory Service • File Replication Service
Security Event Categories • Logon events • Account logon events • Object access events • Directory Service access events • Privilege use events • Process tracking events • System events • Policy change events
Syslog basics • UDP datagrams sent to port 514 (no acknowledgement and no sender authentication, so messages can be lost or spoofed) • Three parts to a message: PRI (priority), HEADER (timestamp and hostname), MSG (message) • PRI encodes both facility and severity: PRI = facility × 8 + severity
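The PRI arithmetic above, worked through in code. This is an added example, not something from the slides: it splits a BSD syslog (RFC 3164) datagram into PRI, HEADER and MSG, decodes facility and severity, and shows what happens with a PIX-shaped message whose timestamp is not in RFC 3164 form (the receiver then has no hostname and must prepend its own timestamp and sender, which is why the relayed PIX lines later in this deck carry two clocks). The sample datagrams are constructed; the facility and severity tables are the standard RFC 3164 ones.

```python
"""Parse BSD syslog (RFC 3164) datagrams into PRI, HEADER and MSG.
Added example, not code from the slides; the sample datagrams are constructed."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>")
# HEADER = TIMESTAMP ("Mmm dd hh:mm:ss", day space-padded) + HOSTNAME; everything after is MSG.
_HEADER_RE = re.compile(r"^([A-Z][a-z]{2} [ \d]?\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)


@dataclass
class SyslogMessage:
    facility: str
    severity: str
    timestamp: Optional[str]   # None when the sender produced no RFC 3164 header
    hostname: Optional[str]
    msg: str


def parse_pri(raw: str) -> Tuple[int, int, str]:
    """Split off <PRI>. PRI = facility * 8 + severity, valid range 0..191.
    RFC 3164 section 4.3.3: a datagram with no usable PRI is treated as user.notice (<13>)."""
    m = _PRI_RE.match(raw)
    if not m or int(m.group(1)) > 191:
        return 1, 5, raw
    pri = int(m.group(1))
    return pri // 8, pri % 8, raw[m.end():]


def parse_syslog(raw: str) -> SyslogMessage:
    facility, severity, rest = parse_pri(raw)
    m = _HEADER_RE.match(rest)
    if m:
        return SyslogMessage(FACILITIES[facility], SEVERITIES[severity], m.group(1), m.group(2), m.group(3))
    # No valid HEADER: RFC 3164 says the receiver treats the whole remainder as MSG and
    # supplies its own timestamp and sender address (the "two clocks" seen on relayed PIX lines).
    return SyslogMessage(FACILITIES[facility], SEVERITIES[severity], None, None, rest)


if __name__ == "__main__":
    samples = [  # constructed: the RFC 3164 example, a PIX-shaped line (local4.info), and junk
        "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
        "<166>Oct 08 2003 23:55:01: %PIX-6-302014: Teardown TCP connection 2749949",
        "no pri at all",
    ]
    for s in samples:
        print(parse_syslog(s))
```

The PIX sample decodes to local4.info: 166 = 20 × 8 + 6, and local4 is the facility a PIX uses by default, which matters when the central server's filters are keyed on facility. Because nothing in the datagram is authenticated, facility, severity and hostname are all whatever the sender (or a spoofer) chose to put there.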
Unix syslog • Common facilities and the log files they usually feed: boot, cron, secure (auth/authpriv), mail, kern (kernel), and local0 through local7 for site-specific use
*nix Syslog Alternatives • Syslog-ng – www.balabit.com/products/syslog_ng/ • SDSC Secure Syslog – sourceforge.net/projects/sdscsyslog/ • Modular Syslog – www.corest.com/corelabs/
Windows Syslog Alternatives • Kiwi syslog – www.kiwisyslog.com • Winsyslog – www.adiscon.com • SL4NT – www.netal.com • Syslog Daemon – www.triaction.nl • Cisco syslog – www.cisco.com • 3Com Daemon – www.3com.com
Centralized Windows Events • LogAnalyst for Windows 2000 Server • Central database of events • Built-in report generator • Available with the Win2000 Resource Kit • GUI interface • www.cybersafe.com/centrax/cla1.html
Forwarding Windows Events • Snare – www.intersect-alliance.com • NTsyslog – ntsyslog.sourceforge.net • Event Reporter – eventreporter.com • Win32::EventLog (Perl) – www.cpan.org
Commercial Log Analysis Tools • enVision – www.opensystems.com • Snare – www.intersect-alliance.com • ServerVision – sunbelt-software.com • MoniLog – www.monilog.com • GFI LANguard – www.gfi.com • neuSECURE – www.guarded.net
MoniLog • Handles syslog and Windows events • Windows based • Rule engine to include or discard messages • Reports distributed by HTML or e-mail
enVision • Many report options, nice console • Appliance solution • Models are sized by the sustained events per second required • Supported sources: *nix, firewalls, switches, IDSs
neuSECURE • Handles many log formats: Unix syslog, Windows events, SNMP traps • Event aggregation • Threat correlation
Open Source Monitoring Tools • Swatch – swatch.sourceforge.net • Logsurfer+ – www.crypt.gen.nz/logsurfer • LogSentry – www.psionic.com • POE – poe.perl.org • SEC – simple-evcorr.sourceforge.net
Swatch • "Grandfather" of log monitoring tools • Simple expression matching • Matches can trigger: execution of scripts, echoing the match to the console • Throttle option to limit repeated matches for a period of time
POE – Perl Object Environment • Multitasking using events and handlers • Separate objects can monitor multiple log files • All tasks run in a single process, so a handler is never interrupted (and a slow handler stalls every other task) • DBI support for MySQL, etc. • Support for a pre-forking web server
Simple Event Correlator • Applies pattern matching to files or pipes • Threshold rules: act when matches within a time window reach a high threshold, and again when they fall below a low one • Pairing of two related events within a time window • Suppression rules to silence repeats
Home Brew Solution
Log Sources • PIX firewalls: primary and redundant PIX, extension center PIX, X-net PIX • Windows servers: DNS, web, SAN • Linux servers: DNS, service monitoring • SNMP traps: network switches, UPSs
FLCC Project • Send all log messages from the different sources to a single logging server • Save all the raw data and burn it to DVD • Filter out messages that are not important • Normalize the data from the different sources • Write the filtered data to a database • Display the important events on a single web-based interface
Normalization Issue: the same kind of fact (who talked to whom, over what, when) arrives in three different shapes, and each PIX line carries two clocks (the logging server's, prepended on receipt, and the PIX's own):
• PIX: Oct 8 23:55:02 172.16.254.254 Oct 08 2003 23:55:01: %PIX-6-302014: Teardown TCP connection 2749949 for outside:24.24.54.63/4910 to dmz1:172.19.1.7/8900 duration 0:00:15 bytes 9995 TCP Reset-O
• Honeypot: 2004-06-10-12:52:18.0891 tcp(6) S 172.17.203.61 33015 172.17.222.1 80
• Windows (via Snare): Jun 10 08:52:39 krampwd-network MSWinEventLog 1 System 9717 Thu Jun 10 08:52:39 2004 18 Automatic Updates N/A N/A Information KRAMPWD-NETWORK Disk Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on Thursday, June 10, 2004 at 11:00 AM. - Security Update for DirectX 8.1 (KB839643) 1
Filtered HTML Report
Event 1 Graph – Jan 25, 2003
Slammer Syslog Entries • Jan 25 00:29:42 router Jan 25 2003 01:32:12: %PIX-4-106023: Deny udp src outside:216.120.67.34/2596 dst library:192.156.234.247/1434 by access-group "acl-outside" (UDP/1434 is SQL Slammer's target port; note the logging server stamped this 00:29:42 while the PIX's own clock read 01:32:12, over an hour apart)
Event 2 Graph – Oct. 9, 2003
Welchia Syslog Entries • Oct 9 13:43:00 172.16.254.254 Oct 09 2003 13:42:59: %PIX-3-305005: No translation group found for icmp src student:172.17.203.169 dst inside:172.16.46.148 (type 8, code 0) (type 8 is an ICMP echo request, Welchia's ping sweep; 305005 means the PIX had no NAT rule matching the packet, so every probe to an address it cannot translate is logged, and a single inside host generating many of them is the signal)
Event 2 Graph Detail
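The Normalization Issue slide and the two worm entries above together describe the core of the home-brew pipeline: parse three unrelated line formats into one record, then count. The following is an added example of that, not FLCC's code: it normalizes the PIX, honeypot and Snare lines shown on the slides into a single Event record (keeping the device's own clock, not the relay's, since the Slammer line shows them more than an hour apart), then runs a miniature version of SEC's SingleWithThreshold rule that would have flagged the Slammer and Welchia bursts and suppresses repeat alerts inside the window. Assumptions: the regexes are fitted to the exact line shapes on the slides (real Snare output is tab-delimited; the slide shows it space-collapsed); the extra burst lines are constructed variants of the two slide entries; events for a given key arrive in time order.

```python
"""Normalize PIX, honeypot and Snare (Windows) lines into one record shape, then run an
SEC-style threshold rule over them.  Added example, not FLCC's own code; the regexes are
assumptions fitted to the line shapes shown on the slides."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Deque, Dict, List, Optional

@dataclass
class Event:
    source: str                  # "pix" | "honeypot" | "windows"
    ts: datetime                 # the originating device's own clock, not the relay's
    host: str
    action: str                  # deny | teardown | no-xlate | connect | win:<log>:<event id>
    proto: Optional[str] = None
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None
    text: str = ""

# Prefix the central syslog-ng adds on receipt: its own clock, then the sending host.
RELAY_RE = re.compile(r"^[A-Z][a-z]{2} [ \d]?\d \d\d:\d\d:\d\d (?P<host>\S+) (?P<rest>.*)$")
# PIX with 'logging timestamp' on: device clock, then %PIX-<severity>-<message id>.
PIX_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d\d \d{4} \d\d:\d\d:\d\d): %PIX-(?P<sev>\d)-(?P<id>\d{6}): (?P<text>.*)$")
PIX_ACTION = {"106023": "deny", "302014": "teardown", "305005": "no-xlate"}
PROTO_RE = re.compile(r"\b(tcp|udp|icmp)\b", re.I)
ENDPOINT_RE = re.compile(r"(?:src|for) \w+:(?P<sip>[\d.]+)(?:/\d+)? (?:dst|to) \w+:(?P<dip>[\d.]+)(?:/(?P<dport>\d+))?")
HONEYPOT_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d-\d\d:\d\d:\d\d)\.\d+ (?P<proto>[a-z]+)\(\d+\) \S+ (?P<sip>[\d.]+) \d+ (?P<dip>[\d.]+) (?P<dport>\d+)$")
# Snare's field order (real output is tab-delimited; the slide shows it space-collapsed).
SNARE_RE = re.compile(r"^MSWinEventLog \d+ (?P<log>\S+) \d+ (?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d \d{4}) (?P<eid>\d+) .+? \S+ \S+ (?P<etype>Information|Warning|Error|Success Audit|Failure Audit) \S+ \S+ (?P<text>.*)$")

def normalize(line: str) -> Optional[Event]:
    """Return an Event for a line in one of the three formats, else None."""
    m = RELAY_RE.match(line)
    if m:
        p = PIX_RE.match(m["rest"])
        if p:
            proto, ends = PROTO_RE.search(p["text"]), ENDPOINT_RE.search(p["text"])
            ev = Event("pix", datetime.strptime(p["ts"], "%b %d %Y %H:%M:%S"), m["host"],
                       PIX_ACTION.get(p["id"], "pix-" + p["id"]),
                       proto.group(1).lower() if proto else None, text=p["text"])
            if ends:
                ev.src_ip, ev.dst_ip = ends["sip"], ends["dip"]
                ev.dst_port = int(ends["dport"]) if ends["dport"] else None
            return ev
        w = SNARE_RE.match(m["rest"])
        if w:
            return Event("windows", datetime.strptime(w["ts"], "%a %b %d %H:%M:%S %Y"), m["host"],
                         f"win:{w['log']}:{w['eid']}", text=f"{w['etype']}: {w['text']}")
        return None
    h = HONEYPOT_RE.match(line)
    if h:
        return Event("honeypot", datetime.strptime(h["ts"], "%Y-%m-%d-%H:%M:%S"), h["dip"],
                     "connect", h["proto"], h["sip"], h["dip"], int(h["dport"]))
    return None

class ThresholdRule:
    """SEC's SingleWithThreshold in miniature: fire once per key when `threshold` matches fall
    within `window` seconds, then stay silent for that key for a full window (suppression).
    Events for a given key must be fed in time order."""
    def __init__(self, name: str, match: Callable[[Event], bool], key: Callable[[Event], str],
                 threshold: int, window: int):
        self.name, self.match, self.key, self.threshold = name, match, key, threshold
        self.window = timedelta(seconds=window)
        self._hits: Dict[str, Deque[datetime]] = defaultdict(deque)
        self._fired: Dict[str, datetime] = {}

    def feed(self, ev: Event) -> Optional[str]:
        if not self.match(ev):
            return None
        k = self.key(ev)
        q = self._hits[k]
        q.append(ev.ts)
        while ev.ts - q[0] > self.window:        # expire hits that fell out of the window
            q.popleft()
        last = self._fired.get(k)
        if len(q) >= self.threshold and (last is None or ev.ts - last > self.window):
            self._fired[k] = ev.ts
            return f"{self.name}: {k} ({len(q)} events in {self.window.seconds}s)"
        return None

def make_rules() -> List[ThresholdRule]:
    return [ThresholdRule("slammer-scan", lambda e: e.action == "deny" and e.proto == "udp" and e.dst_port == 1434,
                          lambda e: "udp/1434", threshold=5, window=60),
            ThresholdRule("icmp-sweep", lambda e: e.action == "no-xlate" and e.proto == "icmp",
                          lambda e: e.src_ip or "?", threshold=5, window=60)]

def run(lines: List[str]):
    """Normalize each line and feed the rules; lines matching no format are returned, never dropped."""
    rules, events, alerts, unparsed = make_rules(), [], [], []
    for line in lines:
        ev = normalize(line)
        if ev is None:
            unparsed.append(line)
            continue
        events.append(ev)
        alerts += [a for a in (r.feed(ev) for r in rules) if a]
    return events, alerts, unparsed

# The lines from the slides, then constructed variants: five more Slammer denies within a
# minute (the sixth matching event is suppressed) and four more pings from the same inside host.
SAMPLE_LINES = [
    'Jan 25 00:29:42 router Jan 25 2003 01:32:12: %PIX-4-106023: Deny udp src outside:216.120.67.34/2596 dst library:192.156.234.247/1434 by access-group "acl-outside"',
    'Oct 8 23:55:02 172.16.254.254 Oct 08 2003 23:55:01: %PIX-6-302014: Teardown TCP connection 2749949 for outside:24.24.54.63/4910 to dmz1:172.19.1.7/8900 duration 0:00:15 bytes 9995 TCP Reset-O',
    'Oct 9 13:43:00 172.16.254.254 Oct 09 2003 13:42:59: %PIX-3-305005: No translation group found for icmp src student:172.17.203.169 dst inside:172.16.46.148 (type 8, code 0)',
    '2004-06-10-12:52:18.0891 tcp(6) S 172.17.203.61 33015 172.17.222.1 80',
    'Jun 10 08:52:39 krampwd-network MSWinEventLog 1 System 9717 Thu Jun 10 08:52:39 2004 18 Automatic Updates N/A N/A Information KRAMPWD-NETWORK Disk Installation Ready: The following updates are downloaded and ready for installation. This computer is currently scheduled to install these updates on Thursday, June 10, 2004 at 11:00 AM. - Security Update for DirectX 8.1 (KB839643) 1',
] + [f'Jan 25 00:29:{42 + i} router Jan 25 2003 01:32:{12 + i}: %PIX-4-106023: Deny udp src outside:216.120.67.{40 + i}/{2600 + i} dst library:192.156.234.{10 + i}/1434 by access-group "acl-outside"' for i in range(1, 6)
] + [f'Oct 9 13:43:{i:02d} 172.16.254.254 Oct 09 2003 13:43:{i:02d}: %PIX-3-305005: No translation group found for icmp src student:172.17.203.169 dst inside:172.16.46.{150 + i} (type 8, code 0)' for i in range(1, 5)]
```

Running `run(SAMPLE_LINES)` yields 14 events, no unparsed lines and exactly two alerts, one per burst: the sixth Slammer deny arrives one second after the alert fired and is suppressed, which is the behaviour the filtering step needs so a worm does not turn into thousands of identical alerts. Lines that match no format are handed back rather than silently discarded, in keeping with the project's rule that the raw data is always kept.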
Open Source Tools Used • Syslog-ng • Snare • POE – Perl Object Environment • GD Graphics Library – www.boutell.com • GD::Graph module by Martien Verbruggen • MySQL • Apache • SEC – Simple Event Correlator • CRM114 Bayesian filter
What's the solution? • Depends on the data sources • Supported operating systems • What are the report/alert requirements? • Comfort level with open source • Affordable commercial solutions
Things to consider • Throughput (messages per second) • Hash signatures over stored logs, so tampering can be detected • Encryption of log data in transit and at rest • Bayesian and statistical filters • Stealth logging (a collector that sniffs log traffic off the wire with no address of its own, so it cannot be targeted)
Hardware Issues • Dual processors and/or hyper-threading • Lots of memory • Fast SCSI drives • DVD or tape for data backups • Separate servers for data collection and the database
Web Resources • http://www.loganalysis.org • http://rr.sans.org • http://www.microsoft.com/technet/
www.loganalysis.org Site • Centralizing Logging • Complete Reference Guide to Creating a Remote Log Server • Configuring and using syslogd to collect logging messages on systems running Solaris 2.x • Centralized Logging using Logsentry in a Large UNIX Environment – Saleem Kazmi, paper for SANS GIAC certification • Practical Implementations of syslog in Mixed Windows Environments for Secure Centralized Audit Logging – from the SANS Reading Room
rr.SANS.org Reading Room • Logging Issues: The Importance of Logging and Traffic Monitoring for Information Security – Seham GadAllah, April 19, 2004 • Centralizing Event Logs on Windows 2000 – Gregory Lalla, GSEC, April 4, 2003 • Security Management Systems: An Oversite Layer for Layers of Defense – Dan Keldsen, September 4, 2003 • The Ins and Outs of System Logging Using Syslog – Ian Eaton, GSEC-3077, August 14, 2003
Mixed Environment Logging • Garbrecht, Frederick C. Practical Implementation of Syslog in Mixed Windows Environments for Secure Centralized Audit Logging. Accessed 10 June 2004. <http://www.sans.org/rr/papers/9/713.pdf>
Visualization Techniques • Takada, Tetsuji and Koike, Hideki. MieLog. University of Electro-Communications. Accessed 10 June 2004. <http://www.vogue.is.uec.ac.jp/~koike/papers/mielog/FormattedPaperLISA02.pdf>
Filtering and Correlation • Chyssler, Tobias, Nadjm-Tehrani, Stefan and Burbeck, Kalle. Alarm Reduction and Correlation in Defense of IP Networks. Accessed 10 June 2004. <http://www.ida.liu.se/~rtslab/publications/2004/Chyssler04_wetice.pdf>