Hi Casper
Thanks for sharing!
Regards,
Lysemose
Hey all,
I have been playing a lot with ELSA these past weeks, which frequent users of this forum would know :)
I have put together a little guide on how best to monitor your Windows servers in ELSA.
Now I started off by installing the OSSEC agent on my Windows machine. I did this because in my case I wanted to monitor what users accessed what files on my servers, who wrote data to them at what time and who deleted files. I now know that was not the best way to go about it. I can't really groupby anything, since OSSEC hasn't gotten a class in ELSA (as far as I know).
There is a Windows class though, which makes you able to search and groupby lots of stuff like eventid and so on. So I figured I had to get that to work.
Actually it was very easy :)
First off, the ELSA website has good documentation - thanks for that, guys.
If you go here:
https://code.google.com/p/enterprise-log-search-and-archive/wiki/Documentation
You will find this section:
Eventlog-to-Syslog
Sending logs from Windows servers is best achieved with the free, open-source program Eventlog-to-Syslog. It's incredibly easy to install:
Log in as an administrator or use runas
Copy evtsys.exe and evtsys.dll to the Windows machine in the system directory (e.g. C:\Windows\System32).
Install with: evtsys.exe -i -h ip.of.elsa.node
Profit
The logs will be sent using the syslog protocol to your ELSA server where they will be parsed as the class "WINDOWS" and available for reporting, etc.
You can download Eventlog-to-Syslog here:
https://code.google.com/p/eventlog-to-syslog/downloads/list
Go ahead and download the software and install it the way explained above from the ELSA website.
Remember to start the service "Eventlog to Syslog"; mine was turned off by default.
Now your Windows server is sending logs to SO syslog, which is read by ELSA.
But in my case I wanted to log if users deleted a file, read a file, wrote to a file or created a new one.
My file server is Windows 2008R2. I am saying this because the process is different for each OS.
No matter what Windows OS you are running be it 2008 or 2008R2 you are looking to activate:
"Object Access" -> "File System"
In Vista/2008 you need to do this from an elevated command line:
auditpol /get /category:"Object Access"
This will show you what is set and not set in "Object Access".
To set "file system" as enabled for both success and failure you run this:
AUDITPOL /SET /SUBCATEGORY:"file system" /SUCCESS:ENABLE /FAILURE:ENABLE
If you have Windows 7/2008R2 you need to do the following:
Click start -> administrative tools -> Local Policy
Expand "Advanced Audit Policy Configuration"
Expand "System Audit Policies - Local Group Policy Object"
Click "Object Access"
Double-click "Audit File System" in the right window
Tick "Configure the following audit events" along with "Success" and "Failure"
Now I don't know if you want both Success and Failure; it depends on how strictly you want to monitor.
Click OK in all the windows and now you are done.
The event for Write, Read and Delete is the following:
Event ID: 4663 in Security log
The content of the event looks like this:
An attempt was made to access an object.
Subject:
Security ID: XXX\YY
Account Name: YY
Account Domain: XXX
Logon ID: 0x3c5676be
Object:
Object Server: Security
Object Type: File
Object Name: E:\Shares\Kunde Information\XXXX
Handle ID: 0x7e94
Process Information:
Process ID: 0x4
Process Name:
Access Request Information:
Accesses: ReadAttributes
Access Mask: 0x80
The Access Request Information lets you know what the user did. In this case I opened the file, which is why it says ReadAttributes.
If this was a delete, this event would be followed by an event ID 4660, which confirms whether the delete happened or not.
So in my case i could go to my ELSA and search for:
WINDOWS.eventid=4660 Windows.eventid=4663 groupby:WINDOWS.eventid Limit:1000
This will give me a nice easy view which I could explore further if I wanted.
I also plan to use this to monitor my Exchange server, SQL server (which users access what database when) and so on.
!!!!!!!!!!!!!!! This guide is NOT meant as a substitute for the OSSEC agent !!!!!!!!!!!!!!!!!!!!
Hope this guide was useful for you guys!!
Thanks to Doug and the rest of the SO team!
--
You received this message because you are subscribed to the Google Groups "security-onion" group.
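As an added example (not part of Casper's post, ELSA or Security Onion), here is a small Python script that parses 4663/4660 message bodies shaped like the one quoted above, expands the Access Mask into named rights, and applies the "DELETE request followed by a 4660 on the same Handle ID" check the post describes. The access-mask bit table is assumed from the standard Win32 file ACCESS_MASK definitions, and the sample events are constructed.

```python
import re
# Win32 ACCESS_MASK bits for file objects (assumed from the SDK headers; the post only shows 0x80).
FILE_ACCESS_BITS = {
    0x1: "ReadData", 0x2: "WriteData", 0x4: "AppendData", 0x8: "ReadEA", 0x10: "WriteEA",
    0x20: "Execute", 0x40: "DeleteChild", 0x80: "ReadAttributes", 0x100: "WriteAttributes",
    0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
}
FIELD_RE = re.compile(
    r"^\s*(Account Name|Account Domain|Object Name|Handle ID|Access Mask):\s*(.*?)\s*$", re.M)

def decode_mask(mask):
    """Expand a 4663 Access Mask into the named rights it contains."""
    return [name for bit, name in sorted(FILE_ACCESS_BITS.items()) if mask & bit]

def parse_event(eventid, body):
    """Pull the fields worth keying on out of a 4663 or 4660 message body."""
    f = dict(FIELD_RE.findall(body))
    ev = {"eventid": eventid, "handle": f.get("Handle ID"), "object": f.get("Object Name"),
          "user": f"{f.get('Account Domain', '?')}\\{f.get('Account Name', '?')}"}
    if "Access Mask" in f:
        ev["accesses"] = decode_mask(int(f["Access Mask"], 16))
    return ev

def confirmed_deletes(events):
    """A 4663 requesting DELETE is only an attempt; the delete really happened when a 4660
    with the same Handle ID follows it, which is the check Casper describes."""
    pending, done = {}, []  # pending: handle -> 4663 still waiting for its 4660
    for ev in events:
        if ev["eventid"] == 4663 and "DELETE" in ev.get("accesses", []):
            pending[ev["handle"]] = ev
        elif ev["eventid"] == 4660 and ev["handle"] in pending:
            done.append(pending.pop(ev["handle"]))
    return done

def sample_body(name, handle, mask=None):
    """Constructed event body shaped like the 4663 text quoted in the post."""
    lines = ["Subject:", "  Account Name: YY", "  Account Domain: XXX", "Object:",
             f"  Object Name: {name}" if name else "", f"  Handle ID: {handle}"]
    if mask is not None:
        lines += ["Access Request Information:", f"  Access Mask: {mask:#x}"]
    return "\n".join(lines)

SAMPLE = [  # constructed: one read, one completed delete, one delete never confirmed by 4660
    (4663, sample_body(r"E:\Shares\Kunde Information\a.docx", "0x7e94", 0x80)),
    (4663, sample_body(r"E:\Shares\Kunde Information\b.xlsx", "0x9a1c", 0x10000)),
    (4660, sample_body(None, "0x9a1c")),
    (4663, sample_body(r"E:\Shares\Kunde Information\c.pdf", "0xb2", 0x10000)),
]
```

Feed it the message bodies of the 4663/4660 events from the search in the post (in log order) and `confirmed_deletes` returns only the deletes that actually completed.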
Hey Heine,
Thanks hope you can use it :)
/Casper
Thanks Martin,
I'm planning an Exchange and SQL server guide too.. I don't think the Exchange one would be especially demanding, but I have started with MS SQL and that seems to require some tinkering with the SQL manager...
Hi Martin,
I love a challenge :) and with Windows I'm far more experienced than with Linux :P
Just curious, I looked at the transaction logs in my exchange, to be honest i have never used it that much.
What information is it you need from those logs that are not already in the ELSA SMTP Class? or posted in the event logs?
I'm asking because my goal, and I don't know if it can be achieved, is to get all the information I need into the event viewer and have that being sent to my SO.
Thanks :)
Casper
Hi Martin,
I haven't forgotten this thread.. I'm just a little swamped at work.. I will see if the set-eventloglevel puts out the same detailed information as the tracking log.. I don't know if you are happy with that?
/Casper
Hi Martin,
I have been playing around with some programs that somewhat do the same as epilog, or at least I think so :)
I have found one called Logger. It's based on the Unix variant, but this is for Windows. I'm not entirely sure it's what you are looking for. The command line you run ends with a message string you need to type something in. If this is supposed to be the actual syslog message, then I would assume this is unusable?
My understanding is we need to find a tool that can read the log file and send the content to the syslog server.
Another problem I think we have with it is that in the command line you also define a file. Now in my world I wanted to send the RPC client access logs to the syslog, and those are produced daily in separate files.
I assume that I then would have to write a command line for each file, but I really want to have this done automatically, which is then not possible. I have opened a ticket with Adiscon about this.
The software is freeware and you can get it here:
http://www.monitorware.com/en/logger/index.php
Maybe you can tell me if this suits your needs and perhaps tell me how you would handle the problems I listed above.
Thanks
Damn... I haven't gotten to try it out myself yet...
And I'm not sure what you mean by stdin?
Hi Martin,
I have never used type and then something in a Windows command prompt.. gotta look into that :)
In regards to the nag in logger
I looked in the manual and I also saw the nag thing. But I don't get any dialog box when I run a command with logger?
Like I went to an elevated Windows command prompt and wrote this:
logger.exe -f "C:\Program Files\Microsoft\Exchange Server\V14\Logging\RPC Client Access\RCA_20130429-1.LOG" -p local4.alert -a 514 -l 10.10.10.19 -m udp "TEST"
and the command output was
Adiscon logger V1.3 - see www.monitorware.com/logger/ for details.
Logging to 10.10.10.19:514
I wasn't met with any popup I had to click OK to.
Either I'm doing something wrong OR maybe the information in the manual is outdated?
Did you get so far as to try to run the program on your Windows system?
Thanks
Casper
Martin I think i got it :)
I haven't gotten it to work myself, but this looks to be an extremely powerful CLI tool to send logs to syslog and in general to extract data from data sources and send them.. somewhere..
And, are you sitting down..?? It's made by Microsoft AND it's free:
http://www.microsoft.com/en-us/download/confirmation.aspx?id=24659
I have read some about it on the net and it CAN send information to a syslog server.
what do you say?
I followed all of the steps detailed below and ELSA is still not receiving logs from my Windows server. Do I need to allow SO or ELSA to accept logs from external machines maybe?