Contents
Introduction ............................................ 1
Contents ................................................ 1
Conventions ............................................. 2
Installing KiwiSyslog ................................... 3
Changing the logging folder and options ................. 3
Adding the License ...................................... 4
Performing a basic test ................................. 4
Setting up logging on servers ........................... 5
Alerting on Events ...................................... 5
Conventions
As you work through this document you will find many sections where you can simply copy and paste commands onto the system. To keep things organized, text or commands that can be copied are shown in a window like the one below.
# This is an example of commands that can be copied.
To make things less confusing, text that is to be edited or changed inside a file using an editor is shown in a window with a light blue background. See below.
# This is an example of text that is to be edited.
Some steps prompt for answers to questions during installation. Where that happens, the prompt is shown in a grey box like the one below.
# This is an example of a running script or program that prompts for input like (Y/N)?
If a step is particularly easy to overlook, or does not seem intuitive, but is necessary for proper functionality, it is marked with an exclamation point like below.
! This is an important note. Do not ignore it.
Other notes are simply italicized like below.
Note: This is an interesting note about this section.
Installing KiwiSyslog
Run the installer downloaded from the following path: http://www.kiwisyslog.com/kiwi-syslog-daemon-download/
When prompted, keep the default Install Kiwi Syslog as a Service and click Next. For the Type of Install leave Normal selected and click Next. For the path leave c:\Program Files\Syslogd and click Install. When the installer completes, leave Run Kiwi Syslog Daemon checked and click Finish. From the Manage menu select Install the Syslogd service, then from the same Manage menu select Start the Syslogd service.
Performing a basic test
From the File menu select Send test message to localhost. A message similar to the following should be displayed in the main window.
Setting up logging on servers
The Snare sections in each of the server-setup documents take care of the log redirection. Between those two documents, all Windows 2003 events as well as IIS 6.0 logs end up being sent to the syslog server. The fundamental log activity generated by these sources is the following:
SQL logs
Windows 2003 System, Application and Security events
IIS 6.0 logs
Osiris events
Snort IDS events
Alerting on Events
The alerting function of this syslog software can make it a very powerful troubleshooting and security tool. This procedure explains how to build a custom email alert whose body includes the processes and procedures for handling that event.
Run the Kiwi Syslog management program, then from the File menu choose Setup. The area we are interested in is the Rules area.
Before creating a rule we need specific text that will trigger the alert. Remember that all event logs, IIS logs and so on are being sent to the same server, so the text must be unique to the event we care about. Once we have such text, we can configure a rule to send an email whenever it appears. As an example, suppose we want an alert every time Symantec AntiVirus finds a security risk on a system. First we need to confirm the exact alert text. We can do this by copying an inert file that is harmless in itself but is classified as a security risk (netcat for Windows, for instance) onto one of the servers: downloading netcat for Windows (a Google search will yield the file), extracting it and copying it to a server should trigger the event. The EICAR test file, which mainstream antivirus products detect by design, is a cleaner trigger if one is available. The following is an example of the resulting event in the Application event log on a server.
Notice the text Risk Found. This is what we will key the email alert on. Next, verify that the event is actually reaching the log server. Log in to the log server CL-2LS001 using Terminal Services, open a command prompt and follow these steps. First change to the Catchall directory.
F:
cd \Syslogs\Catchall
Next run a cat and grep piped command against the latest log file, using Risk Found as the grep criteria. If the event has arrived, at least one matching line is printed; if nothing comes back, fix the forwarding before going any further, because a rule can only fire on messages that reach the server.
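The following is an added example, not a command from the original guide, that does the same check in script form: it picks the newest file in the Catchall folder and counts the lines containing the phrase Risk Found. It assumes POSIX ls, head and grep are available on the log server (a Unix tools port on Windows); the directory, file names and log lines are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the original guide: find the newest file in the Kiwi
# Catchall folder and count the lines containing the phrase "Risk Found".
# Assumes POSIX ls/head/grep are in PATH (a Unix tools port on the Windows log
# server); the directory, file names and log lines below are constructed.

# Print the path of the most recently modified file in a directory.
latest_log() {
    dir="$1"
    # ls -t sorts newest first; head -n 1 keeps only the first name.
    f=$(ls -t "$dir" | head -n 1)
    [ -n "$f" ] || return 1
    printf '%s\n' "$dir/$f"
}

# Count the lines of a log file that contain the exact phrase "Risk Found".
# -F matches a fixed string, -c prints the number of matching lines.
count_risk_found() {
    grep -c -F "Risk Found" "$1"
}

# Build two constructed Catchall files with explicit timestamps so the newer
# one is unambiguous, then run the check against it. Prints the match count.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' \
        '2009-03-01 09:00:01 Local0.Info 10.1.2.3 MSWinEventLog 1 Application 100 Service Control Manager started a service' \
        > "$tmp/SyslogCatchAll-2009-03-01.txt"
    touch -t 200903010900 "$tmp/SyslogCatchAll-2009-03-01.txt"
    cat > "$tmp/SyslogCatchAll-2009-03-02.txt" <<'EOF'
2009-03-02 10:15:22 Local0.Info 10.1.2.3 MSWinEventLog 1 Application 4501 Symantec AntiVirus Security Risk Found! Hacktool in File: C:\tools\nc.exe
2009-03-02 10:15:30 Local0.Info 10.1.2.3 MSWinEventLog 1 Security 540 Successful Network Logon
EOF
    touch -t 200903021015 "$tmp/SyslogCatchAll-2009-03-02.txt"
    newest=$(latest_log "$tmp")
    count_risk_found "$newest"
    rm -rf "$tmp"
}
```

On a stock Windows command prompt without Unix tools, findstr /C:"Risk Found" SyslogCatchAll*.txt performs the same literal-phrase search as the grep -F above.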
Next, on the log server, right-click the Rules area and select Add Rule.
Notice that a New Rule is added at the bottom of the rules list. Immediately rename it to something fitting; in this case the rule will be named Virus Risk. The next step is to create a filter. A filter is where we define the text to be searched for. In this case we will perform a simple filter against the text Risk Found. Right-click Filters beneath the rule we just created, then choose Add Filter.
Name the new filter Risk Found, or something else pertinent to the text we are searching for.
Next, in the right-hand area of the setup window, at the top you will see a box labelled Field. Drop down this box and select Message Text. This tells Kiwi to search the message portion of each log entry.
In the Include Text box enter "Risk Found", including the quotes. The quotes make Kiwi match the exact phrase; without them the two words are treated as separate terms and the filter would also fire on messages containing only Risk or only Found.
The next step is to add the email alert itself. Under the rule we created, right-click Actions, then select Add Action.
Immediately name the action something pertinent; in this case Send Symantec Alert. In the upper right-hand area of the setup window, drop down the list and choose E-mail message.
For the message text, first describe the event in as much detail as possible, then place the %MsgText variable (which Kiwi replaces with the text of the triggering log message), and follow it with the procedural explanation of what the recipient should do. The simplest approach is to copy the following message body into the alert and fill in the procedure references:
Symantec AntiVirus has found a security risk on one of the systems in the IDEV PCI network.
%MsgText
If upon analysis it is determined that the system has been compromised, utilize the following procedures to eliminate the issue: Enter documents here that describe how to address.
When complete, click Apply, then OK. Finally, test the alert by retriggering the event: in this case, copy nc.exe up to the server again and watch for the email.
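To make the rule's behaviour concrete before trusting it with a real outbreak, here is an added example that is not part of the original guide or of Kiwi itself: a small shell model of the Virus Risk rule built in the steps above. It applies the Message Text filter with Include Text "Risk Found" as an exact phrase and fills the %MsgText placeholder of the E-mail action, then runs that over three constructed Snare-style events, one genuine hit, one that contains both words but not the phrase, and one unrelated logon. The template text and sample events are constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not from the original guide: a shell model of the Virus Risk
# rule. filter_message applies the Message Text filter with Include Text
# "Risk Found" (quoted, so an exact phrase) and render_alert fills the E-mail
# action's %MsgText placeholder. Kiwi does this internally; the model exists so
# the rule's behaviour can be checked on sample events offline.

# The alert body as typed into the E-mail message action (constructed, abridged).
ALERT_TEMPLATE='Symantec AntiVirus has found a security risk on a system in the IDEV PCI network.

%MsgText

If analysis shows the system has been compromised, follow the incident procedure.'

# Constructed Snare-style events: one real hit, one line that contains both
# words but not the phrase, and one unrelated logon event.
SAMPLE_EVENTS='2009-03-02 10:15:22 Local0.Info 10.1.2.3 MSWinEventLog 1 Application 4501 Symantec AntiVirus Security Risk Found! Hacktool in File: C:\tools\nc.exe
2009-03-02 10:15:25 Local0.Info 10.1.2.3 MSWinEventLog 1 Application 4510 Symantec AntiVirus Risk assessment complete, no threats Found
2009-03-02 10:15:30 Local0.Info 10.1.2.3 MSWinEventLog 1 Security 540 Successful Network Logon'

# Succeed only when the message contains the exact phrase "Risk Found".
filter_message() {
    printf '%s\n' "$1" | grep -q -F "Risk Found"
}

# Substitute the message for %MsgText in the template. Parameter expansion is
# used instead of sed so backslashes and & in Windows paths survive untouched.
render_alert() {
    before=${ALERT_TEMPLATE%%"%MsgText"*}
    after=${ALERT_TEMPLATE#*"%MsgText"}
    printf '%s%s%s\n' "$before" "$1" "$after"
}

# Run the rule over the sample events; print one rendered alert per match,
# each terminated by a '---' line.
alerts_for_sample() {
    printf '%s\n' "$SAMPLE_EVENTS" | while IFS= read -r line; do
        if filter_message "$line"; then
            render_alert "$line"
            echo '---'
        fi
    done
}

# Number of alerts the rule would send for the sample events.
count_alerts() {
    alerts_for_sample | grep -c '^---$'
}
```

Only the first event produces an alert; the second shows why the guide insists on keeping the quotes around Risk Found, since a word-level filter would have paged someone for a routine scan summary.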