Wednesday, April 18, 2007

Windows Event Logging

The next few articles I'm looking to publish are regarding getting information from Microsoft Windows hosts.

By this I mean getting MARS to process data pulled from the Application, System and Security event logs, whether from a server or a workstation.

Information regarding pulling other logs from Windows servers will follow in later articles.

Now we can use 2 methods to retrieve event logs from a Windows host: either we tell MARS to pull the events from the host, or we configure the host to send the event data to the MARS appliance, but NOT both at the same time.

The decision on which method to use depends on a few factors, namely whether to install an agent on the host, the desired load on the MARS appliance, and how near real-time we want the event data that MARS will process.

Some of the major differences....

A) Use an Agent (Pushes info to MARS via Syslog)

1. Takes up Host CPU and Memory
2. More efficient in terms of resource utilization on the MARS Appliance itself
3. Agents allow real-time reporting of events (event by event)
4. Allows all Event Logs to be sent to MARS; however, this requires custom parsing for logs other than Security Events and select MS Application events
5. A freeware version is available: Snare (Intersect Alliance). Support can be purchased.

The SNARE application, for example (shown below), interfaces with the Windows event logging sub-system to read the logs, filters them according to a set of administrator-defined objectives, and then sends them via syslog to MARS.

B) No Agent (Pull method via RPC)

1. Less administration overhead.
2. Can be configured for Global Access to all devices with 1 AD Account.
3. Scheduled access to Security Event Logs only (not real-time); the default is a 5-minute interval.
4. Allows you to selectively choose which Security Events are logged via Windows Security Policies (Audit Policies).
5. MARS's access to the device can be restricted to the Security Events only via Windows AD Security Policies; full admin access rights are not required.
6. Operates in a single process on the MARS device, completing the pull from one device before moving to the next. As a result it may take much longer to cycle through all of the reporting devices as the number of devices grows.

C) No Agent (Push method via SNMP)

1. Real-time logging of event data
2. Allows all Event Logs to be sent to MARS
3. Requires custom parsing for MARS to understand the log data, since it arrives in SNMP format
4. Lower resource impact than an agent

Typically a Microsoft tool like Evntcmd could be used, but there are also agent-based systems for sending the Windows Event logs via SNMP.

One recommendation is to have all your Windows devices report to a DC/PDC and pull or push the Domain Event logs from there, so you are effectively pulling the information from one machine rather than several.

Using this model, you leverage Windows security policies to dictate what is sent to the MARS appliance. This is more scalable in terms of management and configuration.

And finally, in upcoming articles I'll show what events we should be logging, and how we can run reports and create rules on this information.

5 comments:

Anonymous said...

One other disadvantage to the push method is that Mars has a 500-byte limit on incoming syslog messages. If a Windows event is longer than 500 bytes, which in many cases they are, Mars will not parse all the fields resulting in inconsistent rules, reports, etc.
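As an added illustration of that limit (example code written for this page, not from the post or its commenters): the check below parses a Snare-style tab-delimited Windows event as sent over syslog and reports which fields a receiver that keeps only the first 500 bytes would cut or drop, so over-sized events can be spotted before they reach MARS. The Snare field order and the two sample events are assumptions constructed for the example.

```python
MARS_SYSLOG_LIMIT = 500  # bytes kept per syslog message (figure from the comment above)

# Tab-delimited field order assumed for a Snare "MSWinEventLog" payload;
# an assumption for this example, not a spec quoted from the post.
SNARE_FIELDS = (
    "Hostname", "Tag", "Criticality", "SourceName", "Counter", "DateTime",
    "EventID", "Source", "User", "SIDType", "EventLogType", "ComputerName",
    "CategoryString", "DataString", "ExpandedString",
)


def parse_snare(message: str) -> dict:
    """Map the tab-separated payload onto SNARE_FIELDS (extra trailing
    fields such as a checksum are ignored)."""
    return dict(zip(SNARE_FIELDS, message.split("\t")))


def check_message(message: str, limit: int = MARS_SYSLOG_LIMIT) -> dict:
    """Report the UTF-8 size, whether it exceeds `limit`, the field that
    straddles the cut-off (cut mid-value) and the fields starting past it
    (lost entirely) if the receiver keeps only the first `limit` bytes."""
    fields = parse_snare(message)
    offset, cut, lost = 0, None, []
    for name in SNARE_FIELDS:
        if name not in fields:
            break
        end = offset + len(fields[name].encode("utf-8"))
        if offset >= limit:
            lost.append(name)
        elif end > limit:
            cut = name
        offset = end + 1  # skip the tab separator
    size = len(message.encode("utf-8"))
    return {"bytes": size, "over_limit": size > limit,
            "event_id": fields.get("EventID"), "cut_field": cut, "lost_fields": lost}


# Constructed sample events (not captured traffic): a short logon audit and an
# object-access audit with a long description.
SHORT_EVENT = "\t".join([
    "WKS01", "MSWinEventLog", "1", "Security", "17", "Wed Apr 18 09:12:01 2007",
    "528", "Security", "CORP\\alice", "User", "Success Audit", "WKS01",
    "Logon/Logoff", "Successful Logon: User Name: alice Logon Type: 2", ""])
LONG_EVENT = "\t".join([
    "DC01", "MSWinEventLog", "1", "Security", "18", "Wed Apr 18 09:12:05 2007",
    "560", "Security", "CORP\\svc-backup", "User", "Success Audit", "DC01",
    "Object Access",
    "Object Open: " + "Accesses: READ_CONTROL SYNCHRONIZE ReadData " * 12, ""])
```

Running `check_message` over the events an agent is about to forward (or over a capture of what it already sent) shows which event types routinely lose their DataString, which is where the interesting detail of an audit record lives.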

Anthony Holloway said...

Awesome! Once again you are tackling just the problem I am about to face. It's like you are reading my mind.

Anonymous said...

Hi there,

Great blog. I'm connecting MARs to a Windows box using pull method but logs not going across.

(1) Configuring logs on Windows box to be read by local admin account and setting up some audit events

(2) Checking RPC service is running

(3) Setting up connection on Mars to connect to Windows box using admin account

(4) Mars can see Windows box but not able to retrieve any data

There are no firewalls in between. Any ideas?

Anonymous said...

Apparently from TAC the limit is not there post 4.3.1 in 2nd gen MARS.

ima said...

Hi, I'm a bit new.
I'm thinking to use the PNAGENT Windows client to push the syslog to mars?
But I can't config the client.
Could you help me?

Many thanks in advance