Monday, April 30, 2007

RAW Event Query Limits

Here's an error that you may come across now and again in a large MARS setup with multiple users having access to the reporting console.

Basically, there are limits on the number of Raw Event Queries that can be run simultaneously, and rightly so, unless you want your MARS box to run like a dog :-)

The limits for the various models are as follows...

  • MARS 20R - 1 Raw Event Query
  • MARS 20 - 2 Raw Event Queries
  • MARS 50 - 3 Raw Event Queries
  • MARS 100e & Above - 5 Raw Event Queries

I'm on the lookout for MARS stories/parsers/integrations for upcoming articles. If you fancy putting something together, please get in contact.

Monday, April 23, 2007

Thursday, April 19, 2007

XP Firewall Custom Parser

Now before I start, NO NO NO, I do not recommend configuring this on all the desktops in your network!

I have created this parser basically as a sample exercise for those people getting to know MARS and the custom parser functionality.

Without needing vendor X, Y or Z's appliance or application on the network, you can simply install the PNLog Agent on your XP machine (sorry, no Vista; I've refrained for now, due to colleagues' screams in the office), create the simple parser, and test the functionality.

This is available in the MARS User Group Files Section, and I'll provide a direct link next week.

Wednesday, April 18, 2007

Windows Event Logging

The next few articles I'm looking to publish are regarding getting information from Microsoft Windows hosts.

By this I mean getting MARS to process data pulled from the Application, System and Security event logs, whether from a server or a workstation.

Information regarding pulling other logs from Windows servers will follow in later articles.

Now, we can use two methods to retrieve event logs from a Windows host: either we tell MARS to pull the events from the host, or we configure the host to send the event data to the MARS appliance, but NOT both at the same time.

The decision on which method to use depends on a few factors, namely whether to install an agent on the host, the desired load on the MARS appliance, and how near real-time we want the event data that MARS will process.

Some of the major differences....

A) Use an Agent (Pushes info to MARS via Syslog)

1. Takes up Host CPU and Memory
2. More efficient in terms of resource utilization on the MARS Appliance itself
3. Agents allow real-time reporting of events (event by event)
4. Allows all Event Logs to be sent to MARS; however, this requires custom parsing for logs other than Security Events and select MS Application events
5. A freeware version is available: Snare (Intersect Alliance). Support can be purchased.

The Snare application, for example (shown below), interfaces with the Windows event logging subsystem to read the logs, filters them according to a set of administrator-defined objectives, and then sends them via syslog to MARS.
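To make the "custom parsing" point concrete, here is a small Python parser for Security events that an agent of this kind forwards over syslog. This is an added example written for this article, not code from the original post, from Snare, or from Cisco; the tab-delimited field order after the MSWinEventLog token is an assumption for the illustration, and the sample lines are constructed. The pre-Vista event IDs 528 (successful logon) and 529 (logon failure) are real, but the parser keys on the Failure Audit type rather than hard-coding IDs, and it also shows why the envelope user is not always the account you care about: on a failure it is usually SYSTEM, and the account lives in the description.

```python
"""Toy parser for Windows Security events forwarded by a Snare-style syslog agent.

Added example only. The field layout below is an assumption for this
illustration, not Snare's or Cisco MARS's documented format; check it against
what your agent actually emits before relying on it.
"""
import re
from collections import Counter

# Assumed tab-separated fields following the literal "MSWinEventLog" token.
FIELDS = ["criticality", "log", "counter", "datetime", "event_id", "source",
          "user", "sid_type", "event_type", "computer", "category",
          "data", "expanded", "checksum"]

# Syslog PRI (optional), BSD timestamp, hostname, then the agent payload.
SYSLOG_HEADER = re.compile(
    r"^(?:<\d+>)?(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"MSWinEventLog\t(?P<body>.*)$", re.S)

# Pre-Vista Security descriptions name the account as "User Name:"; on a
# logon failure the envelope user is typically SYSTEM, so prefer the
# description's account when it is present.
TARGET_USER = re.compile(r"User Name:\s*(\S+)")


def parse_snare_line(line):
    """Return a dict for one forwarded event, or None if the line does not fit."""
    m = SYSLOG_HEADER.match(line.rstrip("\r\n"))
    if not m:
        return None
    parts = m.group("body").split("\t")
    if len(parts) < 11:          # need everything up to the category field
        return None
    rec = dict(zip(FIELDS, parts))
    rec["host"] = m.group("host")
    try:
        rec["event_id"] = int(rec["event_id"])
    except ValueError:
        return None
    desc = rec.get("expanded") or rec.get("data") or ""
    tm = TARGET_USER.search(desc)
    rec["target_user"] = tm.group(1) if tm else rec["user"]
    return rec


def parse_lines(lines):
    """Parse a batch, dropping lines the parser cannot handle."""
    return [r for r in (parse_snare_line(l) for l in lines) if r is not None]


def failed_logons_by_user(records):
    """Count Security-log logon failures per target account."""
    counts = Counter()
    for r in records:
        if (r["log"] == "Security" and r["event_type"] == "Failure Audit"
                and r["category"] == "Logon/Logoff"):
            counts[r["target_user"]] += 1
    return counts


def flag_repeated_failures(records, threshold=3):
    """Accounts with at least `threshold` logon failures in the batch."""
    return sorted(u for u, n in failed_logons_by_user(records).items()
                  if n >= threshold)


def _snare(host, log, counter, eid, src, user, etype, category, expanded):
    """Build one constructed line in the assumed layout (test data only)."""
    body = "\t".join(["1", log, str(counter), "Mon Apr 23 10:00:00 2007",
                      str(eid), src, user, "User", etype, host, category,
                      "", expanded, "0"])
    return f"<13>Apr 23 10:00:00 {host} MSWinEventLog\t{body}"


# Constructed sample input: one good logon, three failures against "admin",
# one against "bob", an Application-log event, and one line of junk.
_FAIL = "Logon Failure: Reason: Unknown user name or bad password User Name: {} Domain: CORP"
SAMPLE_LINES = [
    _snare("XPHOST", "Security", 101, 528, "Security", "jsmith", "Success Audit",
           "Logon/Logoff", "Successful Logon: User Name: jsmith Domain: CORP Logon Type: 2"),
    _snare("XPHOST", "Security", 102, 529, "Security", "SYSTEM", "Failure Audit",
           "Logon/Logoff", _FAIL.format("admin")),
    _snare("XPHOST", "Security", 103, 529, "Security", "SYSTEM", "Failure Audit",
           "Logon/Logoff", _FAIL.format("admin")),
    _snare("XPHOST", "Security", 104, 529, "Security", "SYSTEM", "Failure Audit",
           "Logon/Logoff", _FAIL.format("admin")),
    _snare("XPHOST", "Security", 105, 529, "Security", "SYSTEM", "Failure Audit",
           "Logon/Logoff", _FAIL.format("bob")),
    _snare("XPHOST", "Application", 106, 1000, "MyApp", "jsmith", "Information",
           "None", "Application started"),
    "this line is not from the agent at all",
]

if __name__ == "__main__":
    recs = parse_lines(SAMPLE_LINES)
    print(f"parsed {len(recs)} of {len(SAMPLE_LINES)} lines")
    print("failures:", dict(failed_logons_by_user(recs)))
    print("flagged:", flag_repeated_failures(recs))
```

The threshold rule at the end is the kind of logic a MARS rule would express once the parser has normalised the fields; the point of the example is that the agent's raw line, the syslog envelope user, and the account you actually want to alert on are three different things, and the parser has to reconcile them before any reporting is meaningful.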

B) No Agent (Pull method via RPC)

1. Less administration overhead.
2. Can be configured for Global Access to all devices with 1 AD Account.
3. Scheduled access to the Security Event Log only (not real-time); the default is a 5 minute interval.
4. Allows you to selectively choose which Security Events are logged via Windows Security Policies - Audit Policies
5. Access for MARS can be restricted to the Security Events only via Windows AD security policies; it does not require full admin access rights.
6. Operates in a single process on the MARS device, completing the pull from one device before moving to the next. As a result it may take much longer to cycle through all of the reporting devices as the number of devices grows.

C) No Agent (Push method via SNMP)

1. Real-time logging of event data
2. Allows all Event Logs to be sent to MARS
3. Requires custom parsing for MARS to understand the log data, since it is in SNMP format
4. Lower Resource Impact than an Agent

Typically a Microsoft tool like Evntcmd could be used, but there are also agent-based systems for sending the Windows event logs via SNMP.

One recommendation is to have all your Windows devices report to a DC/PDC and pull or push the domain event logs from there, so you are effectively pulling the information from one machine rather than several.

Using this model, you leverage Windows security policies to dictate what is sent to the MARS appliance. This is more scalable in terms of management and configuration.

And finally, in upcoming articles I'll show what events we should be logging, and how we can run reports and create rules on this information.

Monday, April 09, 2007

Cisco NAC Appliance Custom Parser

Following on from the recent Custom Parser demos, I am very pleased to be able to provide this great CS-MARS custom parser guide for the Cisco NAC Appliance, or Clean Access as it was previously known.

Many thanks to the author, a CSE out of Ohio named Craig Hyps, for allowing this to be published.

Cisco Systems TAC supports the custom parser functionality; however, it does not support or provide assistance in building or troubleshooting custom parsers.

As I've previously said, I'm keen to share parsers in the Cisco MARS User Group, and this is one file I have recently uploaded.