Category: LINUX
2009-11-30 11:45:15
There are now a bunch of commercial and open source agents that can run on a Windows system to take in Windows Event Logs and send them off to a syslog server. We’ll be looking at the Snare agent in this post.
As of this writing, Snare is compatible with Windows NT, 2000, XP, 2003 and Vista. There is also an agent available for 64 bit Windows versions.
For my test, I am installing on a Windows XP system. Installation is quite straightforward. There are MSI and scripted installers available on the Snare web site for large scale deployments.
The recommended installation has Snare taking control over the Event Log configuration, to synchronize the configurable logging “Objectives” in Snare with the Event Log settings.
Snare is managed via a local web interface that can be set up either to be locally accessible only, or accessible via the network with a password.
There is a good configuration guide for the Windows Snare agent available.
Once installed, the agent can be configured by opening the “Snare For Windows” icon in the newly installed “Intersect Alliance” folder on the start menu. Or, you can open your web browser to
You will first need to configure the syslog server. Choose “Network Configuration” from the menu on the left.
Enter the IP address of the syslog server in the “Destination Snare Server Address” box.
Change the “Destination Port” from the default 6161 to 514 (the standard syslog port).
Check the “Enable SYSLOG Header” box.
Then, click the “Change Configuration” Button.
For this example, I am running a stock syslogd server on FreeBSD 7.1. Out of the box, syslogd does not listen to network requests. Kill the syslogd process and restart with these switches:
# syslogd -a 192.168.0.0/24:'*'
This allows any host on the network 192.168.0.1-192.168.0.254 to send logs, and accepts messages from any source port (this is important, as Snare tends to select random source ports).
Now, logs should start flowing from the Windows client to the syslog server. An easy way to test is to open cmd.exe (start, run, “CMD.EXE”) on the Windows system. One of the default events Snare captures is the opening of cmd.exe. You should see a set of logs that look like this:
Apr 22 17:05:34 jerry jerry MSWinEventLog 0 Security 32 Wed Apr 22 17:05:30 2009 592 Security Jerryb User Success Audit JERRY Detailed Tracking A new process has been created: New Process ID: 5920 Image File Name: C:\WINDOWS\system32\cmd.exe Creator Process ID: 444 User Name: Jerryb Domain: JERRY Logon ID: (0x0,0x1B054) 23
Apr 22 17:05:34 jerry jerry MSWinEventLog 0 Security 33 Wed Apr 22 17:05:34 2009 593 Security Jerryb User Success Audit JERRY Detailed Tracking A process has exited: Process ID: 5920 Image File Name: C:\WINDOWS\system32\cmd.exe User Name: Jerryb Domain: JERRY Logon ID: (0x0,0x1B054) 24
The configuration to support syslog-ng or rsyslog should look pretty similar. As time allows, I will add a configuration example for each of these daemons.
One of the things I really like about the Snare agent is the “Objectives Configuration”. The flexibility of the settings is extremely powerful. The out of the box settings are pretty good.
The USB logging is pretty interesting, though quite verbose. Here is what I get upon inserting a USB flash drive:
Apr 22 17:12:43 jerry jerry MSWinEventLog 1 System 7 Wed Apr 22 17:12:42 2009 134 Removable Storage Service Unknown User N/A Information JERRY N/A Received a device interface ARRIVAL notification for device: (USB Mass Storage Device) 5
Apr 22 17:12:43 jerry jerry MSWinEventLog 1 System 8 Wed Apr 22 17:12:42 2009 134 Removable Storage Service Unknown User N/A Information JERRY N/A Received a device interface ARRIVAL notification for device: (USB Mass Storage Device) 6
Apr 22 17:12:43 jerry jerry MSWinEventLog 1 System 9 Wed Apr 22 17:12:42 2009 134 Removable Storage Service Unknown User N/A Information JERRY N/A Received a device interface ARRIVAL notification for device: (Kingston DataTraveler 2.0 USB Device) 7
Apr 22 17:12:43 jerry jerry MSWinEventLog 1 System 10 Wed Apr 22 17:12:42 2009 134 Removable Storage Service Unknown User N/A Information JERRY N/A Received a device interface ARRIVAL notification for device: (Kingston DataTraveler 2.0 USB Device) 8
Apr 22 17:12:43 jerry jerry MSWinEventLog 1 System 11 Wed Apr 22 17:12:42 2009 134 Removable Storage Service Unknown User N/A Information JERRY N/A Received a device interface ARRIVAL notification for device: No details available: STORAGE\REMOVABLEMEDIA\7&2BADA6B7&0&RM 9
Apr 22 17:12:43 jerry jerry MSWinEventLog 1 System 12 Wed Apr 22 17:12:42 2009 134 Removable Storage Service Unknown User N/A Information JERRY N/A Received a device interface ARRIVAL notification for device: No details available: STORAGE\REMOVABLEMEDIA\7&2BADA6B7&0&RM 10
Apr 22 17:13:05 jerry jerry MSWinEventLog 1 System 13 Wed Apr 22 17:13:01 2009 135 Removable Storage Service Unknown User N/A Information JERRY N/A Received a device interface REMOVAL notification for device: No details available: STORAGE\REMOVABLEMEDIA\7&2BADA6B7&0&RM 11
Apr 22 17:13:05 jerry jerry MSWinEventLog 1 System 14 Wed Apr 22 17:13:01 2009 135 Removable Storage Service Unknown User N/A Information JERRY N/A Received a device interface REMOVAL notification for device: No details available: STORAGE\REMOVABLEMEDIA\7&2BADA6B7&0&RM 12
Apr 22 17:13:05 jerry jerry MSWinEventLog 1 System 15 Wed Apr 22 17:13:01 2009 135 Removable Storage Service Unknown User N/A Information JERRY N/A Received a device interface REMOVAL notification for device: (Disk drive) 13
Apr 22 17:13:05 jerry jerry MSWinEventLog 1 System 16 Wed Apr 22 17:13:01 2009 135 Removable Storage Service Unknown User N/A Information JERRY N/A Received a device interface REMOVAL notification for device: (Disk drive) 14
Apr 22 17:13:05 jerry jerry MSWinEventLog 1 System 17 Wed Apr 22 17:13:01 2009 134 Removable Storage Service Unknown User N/A Information JERRY N/A Received a device interface ARRIVAL notification for device: (Disk drive) 15
Apr 22 17:13:05 jerry jerry MSWinEventLog 1 System 18 Wed Apr 22 17:13:01 2009 134 Removable Storage Service Unknown User N/A Information JERRY N/A Received a device interface ARRIVAL notification for device: (Disk drive) 16
Apr 22 17:13:05 jerry jerry MSWinEventLog 1 System 19 Wed Apr 22 17:13:01 2009 134 Removable Storage Service Unknown User N/A Information JERRY N/A Received a device interface ARRIVAL notification for device: No details available: STORAGE\REMOVABLEMEDIA\7&2BADA6B7&0&RM 17
Apr 22 17:13:05 jerry jerry MSWinEventLog 1 System 20 Wed Apr 22 17:13:01 2009 134 Removable Storage Service Unknown User N/A Information JERRY N/A Received a device interface ARRIVAL notification for device: No details available: STORAGE\REMOVABLEMEDIA\7&2BADA6B7&0&RM 18
Apr 22 17:13:05 jerry jerry MSWinEventLog 1 System 21 Wed Apr 22 17:13:03 2009 135 Removable Storage Service Unknown User N/A Information JERRY N/A Received a device interface REMOVAL notification for device: (Generic volume) 19
Apr 22 17:13:05 jerry jerry MSWinEventLog 1 System 22 Wed Apr 22 17:13:03 2009 135 Removable Storage Service Unknown User N/A Information JERRY N/A Received a device interface REMOVAL notification for device: (Generic volume) 20
Apr 22 17:13:05 jerry jerry MSWinEventLog 1 System 23 Wed Apr 22 17:13:03 2009 134 Removable Storage Service Unknown User N/A Information JERRY N/A Received a device interface ARRIVAL notification for device: (Generic volume) 21
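Once these lines land on the syslog server they have to be parsed before they are useful. The following is an added example, not code from the post or from the Snare project: a small parser for the Snare payload layout seen in the cmd.exe and USB events above (it assumes the classic tab-delimited Snare field order, which the copy in this post shows flattened to spaces), plus two defender-side helpers: pulling the image path out of the process-creation events (592) and collapsing the repeated Removable Storage notifications into one line each. The sample lines are constructed from the events quoted above.

```python
import re

# Header as written by syslogd: "Apr 22 17:05:34 jerry <Snare payload>"
HDR = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")
# Classic Snare for Windows field order (assumed tab-delimited on the wire).
FIELDS = ["host", "tag", "criticality", "log", "counter", "datetime", "event_id",
          "source", "user", "sid_type", "event_type", "computer", "category", "data"]

def parse_snare_line(line):
    """Return a dict of Snare fields, or None if the line is not a Snare event."""
    m = HDR.match(line.rstrip("\r\n"))
    if not m:
        return None
    parts = m.group(3).split("\t")
    if len(parts) < len(FIELDS) or parts[1] != "MSWinEventLog":
        return None  # ordinary syslog traffic, not a Snare payload
    ev = dict(zip(FIELDS, parts))
    ev["event_id"] = int(ev["event_id"])
    ev["syslog_time"] = m.group(1)
    return ev

def process_creations(events):
    """Event 592 on XP/2003 is 'A new process has been created'; return (user, image)."""
    out = []
    for e in events:
        if e["log"] == "Security" and e["event_id"] == 592:
            m = re.search(r"Image File Name: (\S+)", e["data"])
            out.append((e["user"], m.group(1) if m else ""))
    return out

def collapse_duplicates(events):
    """Keep the first event per (event_id, data) so repeated USB notifications
    read as one line each instead of the verbose burst shown in the post."""
    seen, out = set(), []
    for e in events:
        key = (e["event_id"], e["data"])
        if key not in seen:
            seen.add(key)
            out.append(e)
    return out

def snare(host, crit, log, n, when, eid, src, user, sid, etype, comp, cat, data, tail):
    """Build one constructed sample line in the layout shown in the post."""
    return f"Apr 22 17:05:34 {host} " + "\t".join(map(str, [host, "MSWinEventLog", crit, log, n, when, eid, src, user, sid, etype, comp, cat, data, tail]))

SAMPLE = [  # constructed from the events quoted in the post
    snare("jerry", 0, "Security", 32, "Wed Apr 22 17:05:30 2009", 592, "Security", "Jerryb", "User", "Success Audit", "JERRY", "Detailed Tracking", "A new process has been created: New Process ID: 5920 Image File Name: C:\\WINDOWS\\system32\\cmd.exe Creator Process ID: 444", 23),
    snare("jerry", 0, "Security", 33, "Wed Apr 22 17:05:34 2009", 593, "Security", "Jerryb", "User", "Success Audit", "JERRY", "Detailed Tracking", "A process has exited: Process ID: 5920 Image File Name: C:\\WINDOWS\\system32\\cmd.exe", 24),
    snare("jerry", 1, "System", 7, "Wed Apr 22 17:12:42 2009", 134, "Removable Storage Service", "Unknown User", "N/A", "Information", "JERRY", "N/A", "Received a device interface ARRIVAL notification for device: (USB Mass Storage Device)", 5),
    snare("jerry", 1, "System", 8, "Wed Apr 22 17:12:42 2009", 134, "Removable Storage Service", "Unknown User", "N/A", "Information", "JERRY", "N/A", "Received a device interface ARRIVAL notification for device: (USB Mass Storage Device)", 6),
    "Apr 22 17:12:43 jerry some unrelated syslog message",
]
```

If your Snare build is configured to emit a trailing MD5 or an expanded string, the extra fields simply land after "data" and are ignored by this parser.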