Tutorial 5: Windows event logging
Wed, 19 Dec 2007

The Windows event log

As an introduction to Windows event logging I recommend reading the following article: Monitoring and Troubleshooting Using Event Logs. It's the first interesting one I found after googling for an introduction.

Quoting the article, which also talks about EventCombMT.exe which we'll mention later:

This article reviews best practices for working with Windows event logs including how to interpret 
event messages, how to configure event logs, how to search and filter events, how to view events on 
remote systems, and how to use EventCombMT.exe and other tools to monitor events on multiple systems.


To sum up, Windows hosts by default log events into three local log "facilities":
  • System
  • Application
  • Security

The main problem with Windows event logs is that there's no easy way to forward them to a central Unix logging location. There are two ways (that I'm aware of) of getting those logs to OSSIM:
  • Using agents (ossec, ntsyslog, snare)
  • Agentless (I had heard/thought about it but only recently started researching how to do this easily). More info below.

    Architecture

    For this tutorial we'll assume OSSIM has been installed using the installer on 192.168.1.56.
    The first thing you should do is download the Snare installer, the OSSEC installer and the .reg files. Go to Tools->Downloads as seen here:
    Note: If you don't have the OSSEC installer don't worry, it will be included in future OSSIM releases.

    Log forwarders

    OSSEC

    Installer 1.0.4 will include OSSEC and I'll extend this tutorial once it's released, since OSSEC offers many advantages over Snare. But for now we'll continue using Snare for a bit.

    Snare

    1. Run the Snare installer.
    2. Choose normal installation.
    3. Decide whether you want Snare to take over your audit configuration or not. If you haven't changed anything in your audit configuration this is probably a good idea.
    4. Choose localhost configuration only; later on you'll be able to change your password.
    5. Warning: Due to a DOS/Unix line-ending incompatibility the current .reg files are broken. My apologies for the inconvenience. I tried converting them and using them, but regedit complains about them not being in the right format. I guess I'll have to "dos2unix" them, replace the IP, and "unix2dos" them again.
    6. Since the .reg won't work without modification, open it with Notepad, look for the line '"Destination"="127.0.0.1"' and change the IP to your OSSIM server's IP.
    7. Double-click the .reg file to import it.
    8. Open a command shell and bounce Snare: "net stop snare", "net start snare".


    You should start receiving events from now on. More on how to check this in the next section.
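Steps 5 to 7 above, and the Destination/Delimiter checks in the Troubleshooting section, can be done before the double-click instead of after regedit complains. The following is an added example written for this tutorial (it is not part of OSSIM or Snare): it parses the text .reg format, reports LF line endings and a missing regedit header, checks that Destination is the OSSIM server's IP and that Delimiter is ';', and rewrites Destination the way step 6 does by hand. The registry paths are the ones from the Troubleshooting section; the sample .reg body is constructed and contains only the two values the page names. Only REGEDIT4-style ANSI files with "Name"="value" string entries are handled.

```python
"""Sanity-check a Snare .reg file before importing it on the Windows host.

Added example for this tutorial, not part of OSSIM or Snare.  Assumes a
REGEDIT4-style ANSI .reg file; the SAMPLE_REG body below is constructed.
"""
import re

SNARE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\InterSect Alliance\AuditService"
REG_HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

# Constructed sample: LF line endings and the shipped 127.0.0.1 destination,
# i.e. the state the tutorial's step 5 and 6 describe.
SAMPLE_REG = "\n".join([
    "REGEDIT4",
    "",
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\InterSect Alliance\\AuditService\\Network]",
    '"Destination"="127.0.0.1"',
    "",
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\InterSect Alliance\\AuditService\\Config]",
    '"Delimiter"=";"',
    "",
]).encode("latin-1")


def parse_reg(data):
    """Return (header, {key: {name: value}}, problems) for a .reg file body."""
    problems = []
    if b"\r\n" not in data:
        problems.append("LF line endings: run unix2dos, regedit wants CRLF")
    lines = [ln.strip() for ln in data.decode("latin-1").splitlines()]
    header = lines[0] if lines else ""
    if header not in REG_HEADERS:
        problems.append(f"bad header {header!r}: regedit will reject the file")
    keys, current = {}, None
    for ln in lines[1:]:
        if not ln or ln.startswith(";"):
            continue                      # blank line or comment
        if ln.startswith("[") and ln.endswith("]"):
            current = ln[1:-1]            # new registry key
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(ln)
        if m and current is not None:
            value = m.group(2)
            if value.startswith('"') and value.endswith('"'):
                value = value[1:-1]       # REG_SZ; dword:/hex: values are kept raw
            keys[current][m.group(1)] = value
    return header, keys, problems


def check_snare_reg(data, ossim_ip):
    """Everything that would make the import fail or point Snare at the wrong place."""
    _, keys, problems = parse_reg(data)
    dest = keys.get(SNARE_KEY + "\\Network", {}).get("Destination")
    if dest != ossim_ip:
        problems.append(f"Destination is {dest!r}, expected {ossim_ip!r}")
    delim = keys.get(SNARE_KEY + "\\Config", {}).get("Delimiter")
    if delim != ";":
        problems.append(f"Delimiter is {delim!r}, expected ';'")
    return problems


def fix_destination(data, ossim_ip):
    """Step 6 done programmatically: set Destination and normalise to CRLF."""
    text = data.decode("latin-1").replace("\r\n", "\n")
    text = re.sub(r'("Destination"=)"[^"]*"',
                  lambda m: m.group(1) + f'"{ossim_ip}"', text)
    return text.replace("\n", "\r\n").encode("latin-1")


if __name__ == "__main__":
    print("before:", check_snare_reg(SAMPLE_REG, "192.168.1.56"))
    fixed = fix_destination(SAMPLE_REG, "192.168.1.56")
    print("after: ", check_snare_reg(fixed, "192.168.1.56"))
```

Run it against the downloaded snare_takeover.reg by reading the file in binary mode and passing the bytes to check_snare_reg; an empty list means the file is safe to import. The line-ending check is deliberately done on the raw bytes, before decoding, because that is exactly the detail a text editor hides.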

    AgentLess monitoring

    At a recent presentation by a commercial SIM vendor they repeated a couple of times how "agentless" they were, stating that they collected Windows events without needing to install anything on the hosts.

    http://www.sqlmag.com/Articles/Print.cfm?ArticleID=49492

    Another interesting option seems to be Microsoft PowerShell. Its syntax is ugly as hell but it might do the job: Sample POSH event retrieval.

    OSSIM

    Once they've been read and normalized by the agent, Windows events are treated like all other events. They get:

    • Correlated
    • Shown on the realtime event viewer
    • Fed into Acid/Base
    • Shown on the event viewer

    Realtime Events

    The first thing you can do to verify everything's up and running is to check the realtime event viewer. Keep in mind that events might be arriving but not showing; look at the "skipped" column:

    Events

    The installer image comes with a plugin group for Snare and a Windows event tab pre-configured:

    What to do next?

    • Correlate out of hour logins to your network.
    • Correlate pendrive inserts followed by large amounts of file copying:
      Dec 19 07:00:19 192.168.1.34 ^A MSWinEventLog;4;System;25;Wed Dec 19 16:23:13 2007;134;Removable Storage Service;Unknown User;N/A;Information;^A;N/A;;Received a device interface ARRIVAL notification for device: (USB Mass Storage Device);1
      Dec 19 07:00:19 192.168.1.34 ^A MSWinEventLog;4;System;26;Wed Dec 19 16:23:13 2007;134;Removable Storage Service;Unknown User;N/A;Information;^A;N/A;;Received a device interface ARRIVAL notification for device: (PB EASY STORE USB Device);2

    • Correlate service starts/stops.
    • Correlate user adds/removals/etc...

    Mass distribution

    Snare can easily be distributed to a wide range of hosts in a semi-automatic way. Check the documentation section on the Snare homepage.

    Troubleshooting

    • Check that the Snare plugin is running:
    • tail -f /var/log/syslog (which is where events should arrive by default) and check for events like these:
      Dec 19 03:20:06 192.168.1.34 ^A MSWinEventLog;1;Application;2;Wed Dec 19 12:43:05 2007;105;SNARE;Unknown User;N/A;Information;NIL-MESA;None;;The service was started.  ;1
      Dec 19 03:21:01 192.168.1.34 ^A MSWinEventLog;0;Security;3;Wed Dec 19 12:44:00 2007;592;Security;Pruebas Antivirus;User;Success Audit;NIL-MESA;Detailed Tracking;;A new process has been created:    ^INew Process ID:^I1724    ^IImage File Name:^I\WINNT\system32\cmd.exe    ^ICreator Process ID:^I2744    ^IUser Name:^IPruebas Antivirus    ^IDomain:^I^INIL-MESA    ^ILogon ID:^I^I(0x0,0x108EA)    ;0

    • Check /etc/ossim/agent/plugins/snare.cfg and see that location is pointing at /var/log/syslog.
    • Check [HKEY_LOCAL_MACHINE\SOFTWARE\InterSect Alliance\AuditService\Network\Destination] for your server's IP.
    • Check [HKEY_LOCAL_MACHINE\SOFTWARE\InterSect Alliance\AuditService\Config\Delimiter]; it has to be set to ';'.
    • Bounce Snare (net stop snare, net start snare).
    • Check the logfiles (grep -i mswineventlog /var/log/ossim/*).
    • Request help on forums/mailing lists.
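The sample lines in the Troubleshooting section and under "What to do next?" share one layout, so the same parser can drive both the sanity check ("are my lines being skipped?") and the first correlations the page suggests. Below is an added example written for this tutorial, not OSSIM's own agent code. SNARE_RE is the regexp from the snare-ossim-format-fallthrough plugin section that is posted in the comments on this page, with its .* wildcards restored and two extra named groups (log and source) that the original leaves anonymous. The sample lines are the ones shown on this page, including Brian's hostname-sensor line from the comments, plus two constructed ones (a late-night logon and an unrelated cron line). The 08:00-18:59 Monday-to-Friday business-hours window and the use of event IDs 528/540 for successful logons in the Windows 2000/2003 Security log are this example's assumptions.

```python
"""Parse Snare-format Windows events from syslog and run two of the
correlations listed under "What to do next?" on the result.

Added example for this tutorial, not OSSIM's own agent code.  Assumptions:
SNARE_RE is the page's fallthrough regexp with two named groups added; the
business-hours window and the logon event IDs are this example's choices;
the last two SAMPLE_LINES are constructed.
"""
import ipaddress
import re
from datetime import datetime

SNARE_RE = re.compile(
    r"^(?P<date>\w+\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P<sensor>\S+)\s+.*MSWinEventLog;"
    r"\d+;(?P<log>\w+);\d+;"
    r"(?P<date2>\w+\s+\w+\s+\d{1,2}\s\d\d:\d\d:\d\d\s+\d+);"
    r"(?P<plugin_sid>\d+);(?P<source>[^;]+);(?P<username>[^;]+);"
    r"[^;]+;[^;]+;[^;]+;[^;]+;;(?P<userdata1>.*)$"
)

SAMPLE_LINES = [
    # Lines shown on this page (^A and ^I stand for the control characters Snare emits)
    r"Dec 19 07:00:19 192.168.1.34 ^A MSWinEventLog;4;System;25;Wed Dec 19 16:23:13 2007;134;Removable Storage Service;Unknown User;N/A;Information;^A;N/A;;Received a device interface ARRIVAL notification for device: (USB Mass Storage Device);1",
    r"Dec 19 07:00:19 192.168.1.34 ^A MSWinEventLog;4;System;26;Wed Dec 19 16:23:13 2007;134;Removable Storage Service;Unknown User;N/A;Information;^A;N/A;;Received a device interface ARRIVAL notification for device: (PB EASY STORE USB Device);2",
    r"Dec 19 03:20:06 192.168.1.34 ^A MSWinEventLog;1;Application;2;Wed Dec 19 12:43:05 2007;105;SNARE;Unknown User;N/A;Information;NIL-MESA;None;;The service was started.  ;1",
    r"Dec 19 03:21:01 192.168.1.34 ^A MSWinEventLog;0;Security;3;Wed Dec 19 12:44:00 2007;592;Security;Pruebas Antivirus;User;Success Audit;NIL-MESA;Detailed Tracking;;A new process has been created:    ^INew Process ID:^I1724    ^IImage File Name:^I\WINNT\system32\cmd.exe    ^ICreator Process ID:^I2744    ^IUser Name:^IPruebas Antivirus    ^IDomain:^I^INIL-MESA    ^ILogon ID:^I^I(0x0,0x108EA)    ;0",
    # Brian's line from the comments: the sensor field is a hostname, not an IP
    r"Apr 11 17:14:23 2003_server 2003_server MSWinEventLog;0;Security;16;Fri Apr 11 17:14:19 2008;593;Security;lavendbr;User;Success Audit;2003_SERVER;Detailed Tracking;;A process has exited:  ^IProcess ID:^I2012  ^IImage File Name:^IC:\WINDOWS\system32\cmd.exe  ^IUser Name:^Ilavender  ^IDomain:^I^I2003_SERVER  ^ILogon ID:^I^I(0x0,0xBDEE9D)  ;5",
    # Constructed: a successful logon at 23:41, and a cron line the Snare plugin must skip
    r"Dec 19 14:41:12 192.168.1.34 ^A MSWinEventLog;0;Security;7;Wed Dec 19 23:41:09 2007;528;Security;Pruebas Antivirus;User;Success Audit;NIL-MESA;Logon/Logoff;;Successful Logon:  ^IUser Name:^IPruebas Antivirus  ^IDomain:^INIL-MESA  ^ILogon ID:^I^I(0x0,0x1F3A2)  ^ILogon Type:^I2  ;3",
    r"Dec 19 03:20:07 ossim CRON[4321]: (root) CMD (run-parts /etc/cron.hourly)",
]


def parse_line(line):
    """Fields of one Snare line, or None when it does not match (OSSIM counts
    such lines in the realtime viewer's "skipped" column)."""
    m = SNARE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["plugin_sid"] = int(ev["plugin_sid"])
    # Use the Windows-side timestamp (date2): the leading syslog one is the
    # collector's clock, and the page's own lines show the two hours apart.
    ev["when"] = datetime.strptime(ev["date2"], "%a %b %d %H:%M:%S %Y")
    return ev


def parse_stream(lines):
    """Split a syslog stream into parsed events and skipped raw lines."""
    events, skipped = [], []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            skipped.append(line)
        else:
            events.append(ev)
    return events, skipped


def needs_dns(ev):
    """True when the sensor field is a hostname: OSSIM's resolv($sensor) must
    then succeed on the server, or the event is lost (Brian's problem)."""
    try:
        ipaddress.ip_address(ev["sensor"])
    except ValueError:
        return True
    return False


LOGON_IDS = {528, 540}          # assumption: successful logon IDs on Win2000/2003
BUSINESS_HOURS = range(8, 19)   # assumption: 08:00-18:59, Monday to Friday


def out_of_hours_logons(events):
    """Correlation 1: successful logons outside business hours or at the weekend."""
    return [ev for ev in events
            if ev["log"] == "Security" and ev["plugin_sid"] in LOGON_IDS
            and (ev["when"].hour not in BUSINESS_HOURS or ev["when"].weekday() >= 5)]


def usb_arrivals(events):
    """Correlation 2, first half: removable-storage ARRIVAL events (System 134)."""
    return [ev for ev in events
            if ev["log"] == "System" and ev["plugin_sid"] == 134
            and "ARRIVAL" in ev["userdata1"]]


if __name__ == "__main__":
    events, skipped = parse_stream(SAMPLE_LINES)
    print(f"{len(events)} parsed, {len(skipped)} skipped")
    for ev in out_of_hours_logons(events):
        print("out-of-hours logon:", ev["username"], ev["when"], "on", ev["sensor"])
    for ev in usb_arrivals(events):
        print("USB arrival on", ev["sensor"], ":", ev["userdata1"].split(";")[0])
    for ev in events:
        if needs_dns(ev):
            print("sensor", ev["sensor"], "needs DNS resolution on the OSSIM server")
```

Feed it the output of the tail -f above (one line per list element) and compare the skipped count with the realtime viewer's column: a line that parses here but never reaches the viewer usually points at the resolv step, which is why needs_dns is reported separately. The username group in this regexp is [^;]+, so names with spaces such as "Unknown User" and "Pruebas Antivirus" parse correctly.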

    Conclusion

    Windows log integration isn't perfect by default. The regular expression matching the above lines isn't perfect for every language/event type, so some events might just end up in the "generic" category.
    OSSEC provides a bunch of nice features, but even with Snare you can already do really nice things.

    It is left as an exercise to the reader to combine the information shown here with that of Tutorial 2: Syslog data mining.
    Attaching an md5sum to the received Windows logs would again help you be a bit more "compliant" with some regulations.

    posted at: 15:54 | path: /ossim/tutorials



    * Posted by Leonardo Abbondanza at Thu Dec 20 19:14:21 2007
    Sweet tutorial.
    Thanks
    * Posted by Trevor at Fri Jan 4 01:42:15 2008
    Out of the box, the snare plugin doesn't seem to be parsing any alerts from syslog where the username contains a space character (ex: "Unknown User").  Can you share with us the regexp used in your example?
    * Posted by Dominique Karg at Mon Jan 7 13:01:06 2008
    Sure, I just uploaded it to the cvs, this would match the spaces in some of the log fields:

    [snare-ossim-format-fallthrough]
    #Feb 20 14:16:57 10.186.64.58 ^A MSWinEventLog;1;Security;466;Tue Feb 20 14:17:17 2007;538;Security;Administrador;User;Success Audit;QUICKSILVER-0JM08ZRD;Inicio/cierre de sesión;Cierre de sesión de usuario:  ^INombre de usuario:^IAdministrador  ^IDominio:^I^IQUICKSILVER-0JM08ZRD  ^IId. de inicio de sesión:^I^I(0x0,0x200E0FA)  ^ITipo de inicio de sesión:^I7  ;61
    event_type=event
    regexp="^(?P<date>\w+\s+\d{1,2}\s\d\d:\d\d:\d\d)\s+(?P<sensor>\S+)\s+.*MSWinEventLog;\d+;\w+;\d+;(?P<date2>\w+\s+\w+\s+\d{1,2}\s\d\d:\d\d:\d\d\s+\d+);(?P<plugin_sid>\d+);[^;]+;(?P<username>[^;]+);[^;]+;[^;]+;[^;]+;[^;]+;;(?P<userdata1>.*)"
    date={normalize_date($date)}
    sensor={resolv($sensor)}
    src_ip={resolv($sensor)}
    dst_ip={resolv($sensor)}
    plugin_id=1518
    plugin_sid={$plugin_sid}
    username={$username}
    userdata1={$userdata1}
    * Posted by Andres at Fri Jan 11 19:04:23 2008
    Hello.

    The documentation is good, but I have a doubt.

    How do I

    see other Windows events? When I followed your guide I saw the messages that you put on the page, but I can't see any more.

    In my /var/log/syslog I can see other messages, but in the web interface I can't.

    Thanks for your help and collaboration
    * Posted by carlos at Sat Jan 12 00:14:25 2008
    thanks for the tutorial.
    * Posted by Brian Lavender at Thu Apr 10 18:44:34 2008
    I tried converting the snare_takeover.reg file with unix2dos. Then I double-clicked the file and it gave the following error.

    The specified file is not a registry script. You can only import binary registry files within the registry editor.

    I got the registry file from my
    http://ossim-server/ossim/downloads/snare_takeover.reg

    I suppose I could just modify these entries by hand, but double click seems so much easier.
    * Posted by Brian Lavender at Sat Apr 12 00:20:16 2008
    Hmm, can't seem to get the snare agent to snag the syslog data. I don't think the regex is catching my log entry. Here is a sample of a log entry.

    Apr 11 17:14:23 2003_server 2003_server MSWinEventLog;0;Security;16;Fri Apr 11 17:14:19 2008;593;Security;lavendbr;User;Success Audit;2003_SERVER;Detailed Tracking;;A process has exited:  ^IProcess ID:^I2012  ^IImage File Name:^IC:\WINDOWS\system32\cmd.exe  ^IUser Name:^Ilavender  ^IDomain:^I^I2003_SERVER  ^ILogon ID:^I^I(0x0,0xBDEE9D)  ;5
    * Posted by Brian Lavender at Fri Apr 18 23:11:47 2008
    It turns out that dns was the problem. The ossim server could not resolve the name of the Windows server.
    * Posted by Brian Lavender at Fri May 9 17:21:40 2008
    Dominique,

    I see that OSSEC is part of the AV installer and it's running, but I don't see how it is integrated into OSSIM. I am looking at the details for it. Can you comment on it?

    brian
    * Posted by dramirez at Thu May 22 14:19:42 2008
    Very useful tutorial, thx.
    * Posted by Karim at Tue Aug 5 14:55:36 2008
    hi,
    thanks for this efficient tutorial.
    * Posted by shiju at Tue Dec 23 04:48:59 2008
    Hi,

    Thanks for the tutorial. Could you please also provide the correlation examples :), like out of hour logins,
    service starts/stops, user adds/removals/etc...

    Thanks
