An essential part of using a SIEM is getting the logs from all nodes. This is a simple feat when dealing with Unix or Cisco IOS. But for the dreaded windows os, it becomes a slight challenge.
I am running a Windows 2003 Server with IIS 6.0 and Exchange Enterprise 2007. Also a Windows XP client. Both which I need all of the event and service logs centralized.
Windows Event Logs: NTSyslog2 (Eventlog to syslog forwarder)
Exchange Logs: I used the Exchange Management Shell to set all log types to ‘Expert’ level which then sends the detailed event to the windows event logs, and then forwards to syslog server.
IIS Logs: After configuring IIS to store logs in W3SVC as a single non-rotated file, I wrote this simple script to tail the file and then forward each entry as a syslog event.
Running production servers within VMWare makes system backups super simple. I wrote a shell script to take automatic snapshots of the servers, mount an external drive, generate syslog events, and rsync the vmware images+snapshots.
Monitoring your file systems for change is an obvious known necessity. Here are some undocumented tricks to run the Tripwire Enterprise 7.0 agent on a Debian box:
Note: This was successful for me on multiple Ubuntu/Debian boxen running kernel 2.6.x
Run the standard .bin installer (this will fail). Then go fetch the extracted .rpm from your /tmp directory.
Use Alien to convert the .rpm to a .deb package: ‘alien -k twfilename.rpm’
Install the .deb package: ‘dpkg -i twfilename.deb’
Change permissions to the tripwire agent bin directory to be executable by root.
Now you must run the post install config script: ‘/usr/local/tripwire/te/agent/bin/twconfig
postInstallConfig xxx.xxx.xxx.xxx 9898 service_passwd’
A few errors will be outputted to the display ‘ln: creating symbolic link
/etc/rc.d/rc5.d/S95twdaemon’ to/etc/init.d/twdaemon’: No such file or directory’
Safely ignore since the installer is just trying to add the twdaemon to startup on boot. If you do wish for the agent to run upon boot, add ‘/usr/local/tripwire/te/agent/bin/twdaemon start’ to your ‘/etc/rc.local’ file.
NOTE: Before starting the agent, change the line: ‘127.0.0.1 hostname’ in ‘/etc/hosts’ to ‘127.0.0.1 someotherhostname’ so when the agent performs the initial phone home it will report the active hostname of the machine and the actual ip. If you skip this step, and the hostname associated with 127.0.0.1 in the hosts file is the exact hostname of the machine, then the agent will report the ip as 127.0.0.1.
Here is a simple howto for installing Snort on Ubuntu.
Since starting the development for my SIEM, I started to see how ‘ghetto’ it is and is going to always be. Therefore I am officially changing the name to GhettoSIEM!
After experiencing the deployment of enterprise level SIEM (Security Information Event Manager) applications within a couple large organizations … I have come to the conclusion that these are beasts to administer and maintain. Corporations can afford to have a team of operators, administrators, and developer support for these commercial SIEMs. Even OSSIM (a popular open-source SIEM) is a beast to deploy.
So what solution does someone like myself have for a SIEM? For those of you who haven’t been following my blog, I maintain a small personal network consisting of 5 linux servers, 2 windows servers, 1 linux based firewall, and 1 border router. The current state of logging within my network is a centralized syslog server with absolutely no filtering/parsing of events. Without counting logs from Apache, IIS, Exchange, MySQL … I receive approximately 100 events per minute. The majority of these events are common and should not be alerted on. But there are some (failed logons, port scans, etc) that I need to see immediately.
And just seeing the event still requires manual human correlation of various events to put build the big picture. A basic example of this would be multiple failed logons to more than 1 host.
So.. back to the question here, what SIEM solution does a small time network administrator like myself do?
Answer: Build my own SIEM. Which I shall call: SimpleSIEM.
Expect v0.1 to be posted by next weekend.