Re: [security-onion] GUIDE: Monitoring Windows eventlogs with ELSA

[Heine Lysemose]

Hi Casper

Thanks for sharing!

Regards,
Lysemose

On May 16, 2013 8:32 PM, <offe...@gmail.com> wrote:

Hey all,

I have been playing alot with ELSA these past weeks which frequent users of this forum would know :)

I have put togeather a little guide to best monitor your Windows servers in ELSA.

Now i started off by installing the OSSEC agent on my Windows mashine. I did this because in my case I wanted to monitor what users accessed what files on my servers, who wrote data to them at what time and who deleted files. I now know that was not the best way to go about it. I can't really groupby anything since the OSSEC hasn't gotten a class in ELSA - as fare as i know -.

There is a Windows class though which makes you able to search and groupby lots of stuff like eventid and so on. So I figured i had to get that to work.

Actually it was vary easy :)

First off the ELSA website has good documentation - thanks for that guys.
If you go here:

https://code.google.com/p/enterprise-log-search-and-archive/wiki/Documentation

You will find this section:

Eventlog-to-Syslog
Sending logs from Windows servers is best achieved with the free, open-source program Eventlog-to-Syslog. It's incredibly easy to install:

Login as an administrator or use runas
Copy evtsys.exe and evtsys.dll to Windows machine in the system directory (eg.C:\Windows\System32).
Install with: evtsys.exe -i -h ip.of.elsa.node
Profit
The logs will be sent using the syslog protocol to your ELSA server where they will be parsed as the class "WINDOWS" and available for reporting, etc.

You can download Eventlog-to-Syslog here:

https://code.google.com/p/eventlog-to-syslog/downloads/list

Go ahead and download the software and install it the way explained above from the ELSA website.

Remember to start the service "Eventlog to Syslog" mine was turned off by default.

Now your Windows server is sending logs to SO syslog which is read by ELSA..

But in my case i wanted to log if users deleted a file, read a file or wrote to a file or created a new one.

My file server is a Windows 2008R2 I am saying this because the process is different form each OS.

No matter what Windows OS you are running be it 2008 or 2008R2 you are looking to activate:

"Object Access" -> "File System"

In Vista/2008 you need to this from a elevated command line:

auditpol /get /category:"Object Access"

This will show you what is set and not set in "Object Access".

To set "file system" as enabled for both success and failure you run this:

AUDITPOL /SET /SUBCATEGORY:"file system" /SUCCESS:ENABLE /FAILURE:ENABLE

If you have a Windows Windows7/2008R2 you need to do the following:

Click start -> administrative tools -> Local Policy

Expand "Advanced Audit Policy Configuration"
Expand "System Audit Policies - Local Group Policy Object"
Click "Object Access"
Dobbelt click "Audit File System" in right window
Tick on "Configure the follwoing audit event" along with "Success" and "Failure"

Now I don't know if you want both Success and Failure depends on how strict you want to monitor.

Click OK to all the windows and now your are done.

The event for Write, Read and Delete are the follwoing

Event ID: 4663 in Security log

The content of the event looks like this:

An attempt was made to access an object.

Subject:
        Security ID:            XXX\YY
        Account Name:           YY
        Account Domain:         XXX
        Logon ID:               0x3c5676be

Object:
        Object Server:  Security
        Object Type:    File
        Object Name:    E:\Shares\Kunde Information\XXXX
        Handle ID:      0x7e94

Process Information:
        Process ID:     0x4
        Process Name:

Access Request Information:
        Accesses:       ReadAttributes

        Access Mask:    0x80

The Access request information lets you know what the user did. In this case i opend the file which it why it says ReadAttributes

If this was a delete this event would be followed by a event id 4660 which confirms if the delete happend or not

So in my case i could go to my ELSA and search for:

WINDOWS.eventid=4660 Windows.eventid=4663  groupby:WINDOWS.eventid Limit:1000

This will give me a nice easy view which i could explorer further if i wanted.

I also plan to use this to monitor my Exchange server, SQL server (which users access what database when) and so on.

!!!!!!!!!!!!!!! This guide is NOT ment as a substitute for OSSEC agent !!!!!!!!!!!!!!!!!!!!

Hope this guide was usefull for you guys!!

Thanks to Doug and the rest of the SO team!

--
You received this message because you are subscribed to the Google Groups "security-onion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
To post to this group, send email to securit...@googlegroups.com.
Visit this group at http://groups.google.com/group/security-onion?hl=en-US.
For more options, visit https://groups.google.com/groups/opt_out.

[Martin Holste]

Thanks very much for posting that, I'm sure it will be very helpful!

On Thu, May 16, 2013 at 2:51 PM, <offe...@gmail.com> wrote:

Hey Heine,

Thanks hope you can use it :)

/Casper

[Martin Holste]

I've used Epilog to stream Exchange tracking logs, but it seems to crash regularly on loaded servers, so if you find something that works reliably for shipping flat files off of Windows, let me know.  I know you can do that with Syslog-NG premium edition.

On Fri, May 17, 2013 at 11:14 AM, <offe...@gmail.com> wrote:

Thanks Martin,

I'm planing a exchange and sql server guide too .. I don't think the Exchange one would be espcially demanding but i have started with MS SQL and that seems to require some tingerling with the SQL manager...

[Martin Holste]

The main thing you get from the Exchange tracking logs is the actual list of recipients after distribution lists have been resolved.  The fields in the SMTP class are still what you're going after, it's just more accurate information.

On Sat, May 18, 2013 at 11:57 PM, <offe...@gmail.com> wrote:

Hi Martin,

I love a challenge :) and with Windows i'm fare more experinced then Linux :P

Just curious, I looked at the transaction logs in my exchange, to be honest i have never used it that much.

What information is it you need from those logs that are not already in the ELSA SMTP Class? or posted in the event logs?

I'm asking cause my goal, and i don't know if it can be achived, is to get all the information i need into the event viewer and have that being sent to my SO

Thanks :)

Casper

[Martin Holste]

Sure, anything helps the cause!

On Tue, May 21, 2013 at 12:52 PM, <offe...@gmail.com> wrote:

Hi Martin,

I haven't forgotten this thread.. i'm just a little swamped at work.. i will see if the set-eventloglevel put out the same detailed information as the tracking log.. i don't know if you are happy with that?

/Casper

[Martin Holste]

That looks really interesting, I'll have to give it a shot.  For logging multiple files, I think you could use the type command with an asterisk to send multiple files to logger's stdin.

On Mon, May 27, 2013 at 1:51 AM, <offe...@gmail.com> wrote:

Hi Martin,

I have been playing around with some programs that somewhat does the same as epilog or atleast i think so :)

I have found one called Logger. Its based on the unix variant but this is for Windows. I'm not entirely sure its what you are looking for. The command line you run ends with a message string you need to type something in. If this is suppose to be the actual syslog message then i would assume this is unsuable?

My understanding is we need to find a tool that can read the log file and send the content to the syslog server.

Another problem i think we have with it is that in the command line you also define a file. Now in my world i wanted to send the RPC client access logs to the syslog and those produced daily in separate files.

I assume that i then would have a to write a command line for each file but i really want to have this down automaticly which is then not possible. I have opend a ticket with Adiscon about this.

The software is freeware and you can get it here:

http://www.monitorware.com/en/logger/index.php

Maybe you can tell me if this suits your needs and perhaps tell me how you would handle the problems i listed above

Thanks

[Martin Holste]

Bad news:  It's got a nag screen until you pay for it if using the file monitor (according to the included documentation).  I don't know if that means that reading stdin will work without the nag screen.

[Martin Holste]

By stdin, I mean piping a command to logger.exe, like type *.log | logger.exe

On Tue, May 28, 2013 at 8:47 AM, <offe...@gmail.com> wrote:

damn... I haven't gotten to try it out my self yet...

and im not sure what you mean by stdin?

[Martin Holste]

Interesting, maybe they removed that.  I can't get any nag screen to appear.  However, it appears that the program does not tail a log file, it just sends the entire file as syslog in one shot, so this doesn't help too much except for batch loads.

On Tue, May 28, 2013 at 6:24 PM, <offe...@gmail.com> wrote:

Hi Martin,

I have never used type and then something in a windows command prompt.. gotta look into that :)

In regards to the nag in logger

I looked in the manual and i also saw the nag thing. But i don't get any dialog box when i run a command with logger?????

Like i went to a elevated windows command prompt and wrote this:

logger.exe -f "C:\Program Files\Microsoft\Exchange Server\V14\Logging\RPC Client Access\RCA_20130429-1.LOG" -p local4.alert -a 514 -l 10.10.10.19 -m udp "TEST"

and the command output was

Adiscon logger V1.3 - see www.monitorware.com/logger/ for details.
Logging to 10.10.10.19:514

I wasn't meet with any popup I had to click ok to.

Either im doing something wrong OR maybe the information in the manual is outdated?

Did you get so fare as to try to run the program on your windows system?

Thanks

Casper

[Martin Holste]

I love logparser and have used it a lot previously, but never sending syslog, only for doing reporting on Windows .evt files.  I love logparser's SQL-based reporting capabilities.  I see they've even added the IPV4_TO_INT and INT_TO_IPV4 built-in functions, which are nice.

I played around with this on my Windows 7 lab box, and it works very well.  Here's how to send messages without having to change any ELSA parsers.  It will send only the events written in the last 60 seconds, so you can put it in as a scheduled task to run every minute.

logparser.exe -i:EVT -o:SYSLOG "SELECT STRCAT(STRCAT(TO_STRING(eventid), ': '), message) INTO @ip.of.elsa.server FROM Security WHERE timewritten > TO_LOCALTIME( SUB( SYSTEM_TIMESTAMP(), TIMESTAMP('0001-01-01 00:01:00', 'yyyy-MM-dd hh:mm:ss')))"

You can already do better than this by installing eventlog-to-syslog or Snare, but this can obviously be extended to IIS logs, DHCP logs, etc.

On Wed, May 29, 2013 at 8:31 AM, <offe...@gmail.com> wrote:

Martin I think i got it :)

I haven't gotten it to work myself but this looks like to be a extreamly powerfull cli tool to send logs to syslog and in generel to extrate data from data sources and send them .. somewhere..

and, are you sitting down..?? Its made by Microsoft AND its free

http://www.microsoft.com/en-us/download/confirmation.aspx?id=24659

I have read some about it on the net and i CAN send information to syslog server.

what do you say?

[lefast...@gmail.com]

Hi

I followed all of the steps detailed below and ELSA is still no receiving logs from my Windows server. Do I need to allow SO or ELSA to accept logs from external machines maybe?

[Doug Burks]

Hi lefasticated,

If you're using Eventlog-to-Syslog as detailed below, then your
Windows box should be sending logs over syslog port 514 which should
be open in the Security Onion firewall by default.

Do you have any other network firewalls that may be blocking port 514?

What queries have you tried in ELSA to try to find your Windows logs?

> --
> You received this message because you are subscribed to the Google Groups "security-onion" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
> To post to this group, send email to securit...@googlegroups.com.

> Visit this group at http://groups.google.com/group/security-onion.

> For more options, visit https://groups.google.com/groups/opt_out.

--
Doug Burks