Monitoring Windows Networks Using Syslog (Part One)

Published: 2014-01-04. Last Updated: 2014-01-04 01:09:15 UTC
by Tom Webb (Version: 1)
5 comment(s)

As an incident responder, I love high value logs. We all know Windows event logs can be super chatty, but with the right tuning they can be very useful.  I’ve tried out several utilties for sysloging Windows event logs, but I’ve found event-to-syslog (code.google.com/p/eventlog-to-syslog) to be my favorite due to the simple config and install.  

If you are not logging anything from your Windows clients and you suddenly turn on everything, you will be overwhelmed. I’m going to cover a couple of logs to start looking at in this post and go into more detail on my next post.   AppLocker, EMET (http://support.microsoft.com/kb/2458544/en-US) ,Windows Defender and application error logs are some of the most valuable logs when looking for compromised systems. These are what we are going to cover today.

AppLocker Setup

If you haven’t set up AppLocker in your environment, now would be a great time to get started. Microsoft has a great document that covers it in complete detail (

http://download.microsoft.com/download/B/F/0/BF0FC8F8-178E-4866-BBC3-178884A09E18/AppLocker-Design-Guide.pdf)  For most, using the Path Rules will get you what you need.  The pros and cons of each ruleset are covered  in section 2.4.4 pg.17-22.

The MS doc is quite extensive, but for a quick start guide try the NCSC Guide (http://ncsc.govt.nz/sites/default/files/articles/NCSC%20Applocker-public%20v1.0.5.pdf)

The basic idea of the path rules is to allow things to run from normal folders (e.g. Program Files and Windows Folders) and block everything else. The NSA SRP guide (YEA YEA, I know) gives a good list of rules  to use with Applocker (www.nsa.gov/ia/_files/os/win2k/application_whitelisting_using_srp.pdf).‎ You will run into some issues with Chrome and other apps (Spotify) that run from the users AppData folder,but  that is where the syslog auditing comes into play.  First deploy this in audit mode and then once you are comfortable, move to prevent mode.  If you already have a software inventory product, you will be able to leverage that information to feed into your policy. Much has been written about this, but I wanted to cover the basics.

EventLog-to-Syslog Installation

Download the software from (https://code.google.com/p/eventlog-to-syslog/)

1. To install it as a service its simple run:

c:>evtsys.exe -i -h <Syslog Server IP>

2. Copy the evtsys.cfg  to C:\windows\system32\ directory. (More on this below)

3. Restart the service.

c:>Net stop evtsys

c:>Net start evtsys

Thats it, you should be ready to get logs.

Evtsys.cfg Setup

A basic version of the evtsys.cfg can be found on my Github (http://goo.gl/79spGK). This config file is for Windows 7 and Up. Please rename the file to Evtsys.cfg before using. This file uses XPATH for the filters, which makes creating new ones easy. Here is a quick way to create your own.

1. In the Windows Event Viewer, select the Event logs you wish to create a rule from.

2. Click the Details Tab and Select XML View.

3. Determine the Channel for the Event along with any specific Event ID you want from that channel.

In this case the Windows Defender Channel is:

<Channel>Microsoft-Windows-Windows Defender/Operational</Channel>

The event ID’s we want are: 1005,1006,1010,1012,1014,2001,2003, 2004, 3002,5008

4.  Putting it all together. The format for the rules are:XPath:<PathtoChannel>:<Select statement> and the rule must be on one line. In the channel name it’s ok to have spaces, but the Select statement has to have double quotes.

5. Click the Filter Current Log Button on the side of the Event View and enter the additional data you want to use to filter. Then Click on the XML tab at the top. You can cut and paste the entire <SELECT PATH portion into your filter.

XPath:Microsoft-Windows-Windows Defender/Operational:<Select Path=”Microsoft-Windows-Windows Defender/Operational\”>*[System[(EventID=1005 or EventID=1006 or EventID=1010 or EventID=1012 or EventID=1014 or EventID=2001 or EventID=2003 or EventID=2004 or EventID=3002 or EventID=5008)]]</Select>

 

Other Items that will be syslogged are:

  • Application Crashes

  • Emet

  • Windows Defender

  • Account Lockouts

  • User Added to Privileged Group

Finished Product

The  raw syslog for a blocked AppLocker log looks like below.

Jan  3 12:59:35 WIN-C AppLocker: 8004:  %OSDRIVE%\TEMP\bob\X64\AGENT.EXE was prevented from running.

 

Raw syslog for allowed programs.

Jan  3 14:37:51 WIN-CC AppLocker: 8002: %SYSTEM32%\SEARCHPROTOCOLHOST.EXE was allowed to run.

 

Simple Stats

To get a list of all applications that have been blocked, use the following command:

$cat /var/log/syslog |fgrep AppLocker |fgrep prevent|awk ‘{print $7}’ |sort|uniq -c

1 %OSDRIVE%\TEMP\bob\X64\AGENT.EXE

 

Next Time on ISC..

In the next post I’ll cover more comprehensive config file to detect attackers and integrate logs for reporting.

--

Tom Webb

5 comment(s)

Comments

Hi,

Curious about using syslog on all end systems (rather than using the build in windows event forwarding a. la. "winrm" and "wecutil" - http://technet.microsoft.com/en-us/library/cc748890.aspx )

Could you address why you chose the syslog software on all endpoints?

Thanks!
Jim
For those of us who don't (yet) do centralized logging, why did you choose Eventlog-to-Syslog over similar tools like NxLog or OSSEC?

And for those who have a more Windows-centric view of the world, could you suggest some tools for managing Syslog servers. It's nice to have logging in one place, but I imagine additional infrastruture is needed to filter and make sense of that data, even on relatively small networks.
I think Windows Event forwarding is a great option in many cases. There are Pros and Cons to all ways of doing things. In a large very mixed environment you will generally need more then one solution. This is often a good fit for non-persistent VM's where have other configs can be an issue. Next post will cover additional tools, including OSSEC. OSSEC for servers works great, but Windows client auto enrollment needs to get better.
Nice post. Question. You said,
[quote]
Simple Stats
To get a list of all applications that have been blocked, use the following command:
$cat /var/log/syslog |fgrep AppLocker |fgrep prevent|awk ‘{print $7}’ |sort|uniq -c
[/quote]

I see that the syslog service is installed on windows machines, but is the central syslog server something that runs on Linux? I'm confused how you're running a Linux command when this is a windows-focused solution
In this case, I'm sysloging to a Unix system and will perform analysis on it. You can also use Unix utilities on windows, unxutils.sourceforge.net, but with the new powershell features its not really needed. The next post will go into analysis of the logs.

Diary Archives