
http://www.neweve.net Security Policy Date: 09/21/2007

Kiwi Syslog Configuration Standard


Introduction
The purpose of this document is to provide a sound configuration for installing the Kiwi Syslog software, directing server logs to it, and monitoring and alerting on the events it collects.

Contents
Introduction
Contents
Conventions
Installing KiwiSyslog
Changing the logging folder and options
Adding the License
Performing a basic test
Setting up logging on servers
Alerting on Events

New Eve Technologies, Inc. - support@neweve.net Documentation 2007

Conventions
As you move through this document you will find many sections where you can simply copy and paste the commands onto the system. To keep things organized, text or commands that can be copied appear in a window like the one below.
# This is an example of commands that can be copied.

To make things less confusing, text that is to be edited or changed inside a file using an editor appears in a window with a light blue background, as below.
# This is an example of text that is to be edited.

Some steps in this process prompt for answers to questions during installation. Where this happens, the prompts are shown in a grey box like the one below.
# This is an example of a running script or program that prompts for input like (Y/N)?

If a section is particularly easy to overlook, or does not seem intuitive, but is necessary for proper functionality, it is marked with an exclamation point like below.
This is an important note. Do not ignore it.
Other notes are simply italicized like below.
Note: This is an interesting note about this section.


Installing KiwiSyslog
Download the installer from http://www.kiwisyslog.com/kiwi-syslog-daemon-download/ and run it.
When prompted, keep the default, Install Kiwi Syslog as a Service, and click Next.
For the Type of Install leave Normal selected and click Next.
For the path leave c:\Program Files\Syslogd and click Install.
When the installation completes, leave Run Kiwi Syslog Daemon checked and click Finish.
From the Manage menu select Install the Syslogd service. Then, again from the Manage menu, select Start the Syslogd service.

Changing the logging folder and options


From the File menu choose Setup. Choose the drive letter, directory and file name format for the log files. Note: Notice the %DateISO variable at the end of the path and file name. Kiwi expands it to the current date in ISO form, so the log server starts a new log file at the start of each day (the catch-all log used later in this document, SyslogCatchAll-2007-09-25, is one such daily file).


Click Apply. Then click OK.

Adding the License


From the Help menu select Enter Registration Details, then click Enter the details manually. A license can be purchased at http://www.kiwisyslog.com/private/order.php. Enter the details and click the Register button.

Performing a basic test


From the File menu select Send test message to localhost. A message similar to the following should be displayed in the main window.
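The menu test only proves that the daemon accepts a message from the log server itself. To confirm that a remote server can actually reach the Kiwi listener through any firewalls in between, the following script builds an RFC 3164 syslog datagram and sends it over UDP. It is added here as an example; it is not part of the original standard and not Kiwi's own tooling. It assumes the log server name CL-2LS001 used later in this document and Kiwi's default listener on UDP port 514 (both are parameters); the hostname testhost is a placeholder.

```python
"""Send a syslog test message to the Kiwi log server from another host.

Added example: not part of the New Eve standard and not Kiwi tooling.
Assumes the log server CL-2LS001 from this document and the syslog
default of UDP port 514, which Kiwi listens on after installation.
"""
import socket
from datetime import datetime

# RFC 3164 facility and severity codes (only the ones used here).
FACILITIES = {"user": 1, "local0": 16, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}
MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

# Fixed timestamp so the output can be checked by hand.
EXAMPLE_WHEN = datetime(2007, 9, 25, 14, 3, 7)


def build_syslog(message, hostname, facility="local0", severity="info",
                 tag="KiwiTest", when=None):
    """Return an RFC 3164 datagram: <PRI>Mmm dd HH:MM:SS HOSTNAME TAG: MSG.

    PRI is facility * 8 + severity.  The day of month is space padded,
    as the RFC requires, so "Sep  5" rather than "Sep 05".
    """
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    when = when or datetime.now()
    stamp = "%s %2d %02d:%02d:%02d" % (MONTHS[when.month - 1], when.day,
                                       when.hour, when.minute, when.second)
    line = "<%d>%s %s %s: %s" % (pri, stamp, hostname, tag, message)
    # Classic syslog is 7-bit ASCII; replace anything else rather than fail.
    return line.encode("ascii", "replace")


def parse_pri(datagram):
    """Decode the <PRI> prefix back into (facility, severity) numbers."""
    text = datagram.decode("ascii")
    if not text.startswith("<") or ">" not in text:
        raise ValueError("no PRI field")
    pri = int(text[1:text.index(">")])
    return pri // 8, pri % 8


def send_syslog(datagram, server="CL-2LS001", port=514):
    """Send the datagram to the log server; returns the byte count sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(datagram, (server, port))


if __name__ == "__main__":
    # "testhost" is a placeholder; use the sending server's real name so
    # the entry lands in the catch-all log under the right host column.
    msg = build_syslog("Kiwi syslog delivery test from testhost", "testhost")
    print(msg.decode("ascii"))
    send_syslog(msg)
```

Run it from the server whose log path you want to verify and look for the message under that host in the Kiwi display or in the day's catch-all file. The PRI arithmetic and the space-padded day are the details that most often go wrong when syslog messages are hand-built, which is why the example checks them.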

Setting up logging on servers


The following documents contain information on how logs are sent to the logging server:
Windows 2003 R1 and R2 Configuration Standard
IIS 6 Configuration Standard

The sections in each document on Snare take care of the log redirection. Between the above two documents, all Windows 2003 events as well as IIS 6.0 logs end up being sent to the syslog server. The fundamental log activity generated from these sources is the following:
SQL logs
Windows 2003 System, Application and Security events
IIS 6.0 logs
Osiris events
Snort IDS events

Alerting on Events
The alerting function of this syslog software makes it a powerful troubleshooting and security tool. This procedure explains how to create a custom email alert that carries the processes and procedures for handling the event that triggered it.


Run the Kiwi Syslog management program, then from the File menu choose Setup. The area we are interested in is the Rules area.

Before creating a rule, we need specific text to trigger the alert. Remember that all event logs, IIS logs and so on are being sent to the log server, so if we can find text that is unique to the event we care about, we can configure a rule to send an email whenever that text appears. As an example, let's say we want an alert every time Symantec AntiVirus finds a security risk on a system. First we need to capture some real alert text. We can do this by copying an inert file that is harmless but that the antivirus flags, such as netcat for Windows, onto a server. Downloading netcat for Windows (a Google search will turn up the file), extracting it and copying it to one of the servers should trigger the event. Because this raises a genuine antivirus detection, let whoever monitors those alerts know before you do it. The following is an example of the event in the Application event log on a server.


Notice the text Risk Found. This is what we will use to trigger our email alert. Next verify that the event is actually reaching the log server. Log into the log server CL-2LS001 using Terminal Services, open a command prompt and follow these steps. First change to the Catchall directory.
F:
cd \Syslogs\Catchall

Next run cat piped into grep against the latest log file, using Risk Found as the grep criteria. Note: cat and grep are not part of a stock Windows 2003 install; this step assumes a Unix tools port (such as UnxUtils or Cygwin) is on the path of the log server. The built-in findstr command performs the same search.


cat SyslogCatchAll-2007-09-25 | grep "Risk Found"

Notice that the alert text matches what is in Event Viewer.

Next, on the log server, right click on the Rules area and select Add Rule.

Notice that a New Rule is added at the bottom of the rules list. Immediately rename the New Rule to a fitting name; in this case the name of the rule will be Virus Risk. The next step is to create a filter. A filter is where we define the text to be searched for. In this case we will be performing a simple filter against the text Risk Found. Right click on Filter beneath the rule we just created, then choose Add Filter.


Name the new filter Risk Found, or something else pertinent to the text we are searching for.

Next, in the right-hand area of the setup window, at the top, you will see a box labeled Field. Drop down this box and select Message Text. This tells Kiwi to search only the message portion of each log entry, not the date, priority or host fields.

In the Include Text box put "Risk Found", including the quotes; the quotes keep the two words together as a single phrase to match.


The next step is to actually add the email alert. Under our rule we created right click Actions then select Add action.

Immediately name the action something pertinent; in this case, Send Symantec Alert. In the upper right-hand area of the setup window, drop down the list and choose E-mail message.

For the message text, first describe the event in as much detail as possible, then place the variable %MsgText, which Kiwi replaces with the text of the matching syslog message, and follow it with a procedural explanation. It is simplest to copy the last part of the message body below into the alert:
Utilize the following procedures to eliminate the issue: Enter documents here that describe how to address.

So the complete message for this alert will be:


The following message text explains that Symantec AntiVirus has found a security risk on one of the systems in the IDEV PCI network.
%MsgText
If upon analysis it is determined that the system has been compromised, utilize the following procedures to eliminate the issue:
Enter documents here that describe how to address.

The actual alert entry will look like this:

When complete click Apply, then OK. Finally test the alert by retriggering the event: in this case copy nc.exe up to the server again, then watch for the email alert.
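The rule built above (filter on Message Text for the phrase Risk Found, email action with %MsgText substituted) can be checked offline against the catch-all file before anyone copies nc.exe around again. The script below is a stand-alone Python model of that rule, added here as an example; it is not Kiwi's own matching code and not part of the original standard. The sample log lines are constructed: their tab-separated layout (date, time, priority, host, message) follows the default Kiwi log-to-file format as assumed here, the host names srv-a and srv-b are placeholders, and the Symantec wording is illustrative only. The per-host throttle is an addition this rule does not have in Kiwi, included because a flagged file that real-time protection rescans every few seconds will otherwise send an email per scan.

```python
"""Model of the 'Virus Risk' rule from this section: a filter on the
message text for the phrase "Risk Found" and an e-mail action whose body
has %MsgText replaced by the matching message.

Added example, not Kiwi code.  Log layout (date, time, priority, host,
message, tab separated) and the sample lines are assumptions, as are
the host names.  Case sensitivity of Kiwi's own simple filter is not
stated in the standard; this model is case-sensitive unless told
otherwise.
"""

INCLUDE_TEXT = "Risk Found"

ALERT_TEMPLATE = (
    "The following message text explains that Symantec AntiVirus has found "
    "a security risk on one of the systems in the IDEV PCI network.\n\n"
    "%MsgText\n\n"
    "If upon analysis it is determined that the system has been compromised, "
    "utilize the following procedures to eliminate the issue:\n"
    "Enter documents here that describe how to address.\n"
)

# Constructed catch-all lines: two hits from one host (a rescan of the
# same file), one hit from another host, and a benign line that must not
# fire.  Host names are placeholders.
SAMPLE_LOG = (
    "2007-09-25\t14:03:07\tLocal0.Info\tsrv-a\tApplication Symantec AntiVirus "
    "Security Risk Found! Hacktool in File: C:\\temp\\nc.exe\n"
    "2007-09-25\t14:03:09\tLocal0.Info\tsrv-a\tApplication Symantec AntiVirus "
    "Security Risk Found! Hacktool in File: C:\\temp\\nc.exe\n"
    "2007-09-25\t14:05:41\tLocal0.Info\tsrv-b\tApplication Symantec AntiVirus "
    "Security Risk Found! Hacktool in File: D:\\share\\nc.exe\n"
    "2007-09-25\t14:06:00\tLocal0.Info\tsrv-a\tApplication Symantec AntiVirus "
    "Virus definitions updated to version 2007-09-25.\n"
)


def parse_line(line):
    """Split one catch-all line into its five fields (message keeps any tabs)."""
    parts = line.rstrip("\n").split("\t", 4)
    if len(parts) != 5:
        raise ValueError("unexpected log line: %r" % line)
    date, time_, priority, host, message = parts
    return {"date": date, "time": time_, "priority": priority,
            "host": host, "message": message}


def message_matches(record, include=INCLUDE_TEXT, ignore_case=False):
    """The filter: Field = Message Text, simple substring include."""
    hay, needle = record["message"], include
    if ignore_case:
        hay, needle = hay.lower(), needle.lower()
    return needle in hay


def render_alert(record, template=ALERT_TEMPLATE):
    """The action: substitute %MsgText with the matching message text."""
    return template.replace("%MsgText", record["message"])


def run_rule(log_text, include=INCLUDE_TEXT, max_per_host=None):
    """Apply filter and action to every line; returns (alerts, suppressed).

    max_per_host caps e-mails per source host so repeated detections of
    the same file do not flood the mailbox; None means no cap, which is
    how the Kiwi rule itself behaves.
    """
    alerts, suppressed, seen = [], 0, {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = parse_line(line)
        if not message_matches(record, include):
            continue
        seen[record["host"]] = seen.get(record["host"], 0) + 1
        if max_per_host is not None and seen[record["host"]] > max_per_host:
            suppressed += 1
            continue
        alerts.append((record["host"], render_alert(record)))
    return alerts, suppressed


if __name__ == "__main__":
    alerts, suppressed = run_rule(SAMPLE_LOG, max_per_host=1)
    for host, body in alerts:
        print("ALERT from %s:\n%s" % (host, body))
    print("suppressed:", suppressed)
```

Feeding the real SyslogCatchAll file for the day into run_rule shows exactly which lines the Kiwi filter will fire on and what the email body will contain, including any noise a plain substring match picks up, before the rule goes live.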
