Review of ICS Syslog Proxy
by Russ Rogers - 12/10/99
The Very Basics
System administrators can no longer ignore the importance of security on their networks, and as frustrating a task as security can be,
it still needs to be dealt with. Network intrusions are commonplace now. You can find tons of news articles each day about web page
defacings or how some "kid" broke into a corporate network and was snooping around.
The key to catching intruders is watching your networks. Auditing is your first line of defense in this arena. Each operating system
(at a server level) comes with a default method of auditing that should be implemented and watched. HP-UX has its auditing functions,
Solaris has the Basic Security Module (BSM), and Windows NT has the event logs.
But let's face it, system administrators are in a catch-22. Good security sense tells us to audit, but financial and physical
resources can't handle the tremendous amount of log data that builds up. Your choice with NT, normally, is to have the machine lock
up when the logs fill to capacity or to have it overwrite the oldest events.
What we need is a centralized location for storing audit data so that it can be reviewed and moved off of the server environment. The
product is Integrated Computing Solutions, Inc.'s Syslog Proxy (ICSSP, for short).
The ICSSP-NT client resides on the NT server and monitors the three event logs. When an event is triggered, the client sends data to
a UNIX archive machine. The data is sent to any port that you specify using either UDP or TCP. In our lab, we used UDP and sent the
traffic to the syslog port (514) on the target machine. Assuming that you have configured your syslogd correctly, you will be able
to direct that data to a particular log on your UNIX file system. Two things to check on the UNIX side: syslogd has to be started so
that it accepts messages from the network (this is off by default on many implementations; sysklogd on Linux needs the -r option),
and the traditional syslogd expects a tab, not spaces, between the selector and the action. A sample configuration line for
/etc/syslog.conf would look like this:
*.info /var/log/NTserver.log
How ICSSP installs itself
There is a configuration file that needs to be addressed in order for ICSSP-NT to install itself correctly. Here's what the file
looks like:
/* -DEBUG_LOG_ON */
/*
Comments are delimited by the C delimiters. This designates the TCP/UDP address to which the event log items are to be sent.
-A //[UDP|TCP]/[ASCII|BINARY]
*/
-A10.10.15.25/514/UDP/ASCII/
-A10.10.15.25/4241/TCP/BINARY/
/*
This is the master log selection. That is, if the log does not meet this criteria of selection, then no further monitoring of that
log would take place. That is, if we had the value:
a) 1 instead of 7, only the Application log would be monitored.
b) 2 instead of 7, only the Security log would be monitored.
c) 3 instead of 7, only the Application & Security logs would be monitored.
d) 4 instead of 7, only the System log would be monitored.
e) 5 instead of 7, only the Application & System logs would be monitored.
f) 6 instead of 7, only the Security & System logs would be monitored.
But, as you can see, the value 7 is used; this means all logs are monitored.

-E[Decision]/[Logs]/[event-type]/[sourcename]/[Low Event Number]/[High Event Number]/

Rules are made up of the following:
-E - denotes this as an EVENT RULE
[Decision] - 'i' for include, and 'e' for exclude.
[Logs] - single digit designating the logs to which the rule applies. See the previous explanation of the master log selection
for value meanings.
[sourcename] - the string to search for in the Sourcename of the log entry. One sourcename per 'S' (sourcename) criteria of the rule.
[event-type] - the addition of the following values to select the event types to evaluate:
  1 = ERROR type
  2 = WARNING type
  4 = INFORMATION type
  8 = AUDIT SUCCESS type
  16 = AUDIT FAILURE type
*/
-EI/7/31///99999/
Configuring the client doesn't take long; the syntax looks complicated but is actually quite easy once you've done it.
Only lines whose first character is a dash are treated as configuration lines; comments are delimited with the usual C delimiters,
and everything inside them is ignored. Reading the two -A lines in the sample, each names a destination as address, port, transport
and format, so the file above lists both a UDP/ASCII destination on the syslog port (514) and a TCP/BINARY one on port 4241. The -E
line at the end is the rule that actually decides which events are sent: 7 covers all three logs, 31 is the sum of the five
event-type values, the empty sourcename matches any source, and 99999 is the upper bound on the event number.
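To see how the [Logs] and [event-type] bitmasks and the event-number range of an -E rule decide which events ever leave the NT box, here is a small rule evaluator; it is an added example written for this review, not ICS's code. It assumes that an empty Low means 0, that an empty High means no upper bound, and that an event is forwarded when an include rule matches it and no exclude rule does (the page does not say how several rules combine); the -Ee line in the sample configuration is a hypothetical addition, the -EI line is the review's own.

```python
"""Evaluate ICSSP-NT -E rules (added example, not ICS's code).
Syntax from the review: -E[Decision]/[Logs]/[event-type]/[sourcename]/[Low]/[High]/
Assumed, not stated on the page: empty Low = 0, empty High = unbounded, and an event
is forwarded when some include rule matches it and no exclude rule does."""
import re
from dataclasses import dataclass

LOG_BITS = {"Application": 1, "Security": 2, "System": 4}
TYPE_BITS = {"Error": 1, "Warning": 2, "Information": 4, "Audit Success": 8, "Audit Failure": 16}

# Constructed config: the -EI line is the review's own; the -Ee line is a hypothetical
# addition that drops redirector (Rdr) errors from the System log before they are sent.
SAMPLE_CONFIG = """
/* -DEBUG_LOG_ON */
-A10.10.15.25/514/UDP/ASCII/
-EI/7/31///99999/
-Ee/4/1/Rdr//99999/
"""

@dataclass
class Rule:
    include: bool
    logs: int      # bitmask of LOG_BITS values, e.g. 7 = all three logs
    types: int     # bitmask of TYPE_BITS values, e.g. 31 = every event type
    source: str    # substring searched for in SourceName; "" matches anything
    low: int
    high: int

    def matches(self, log, etype, source, event_id):
        return ((self.logs & LOG_BITS[log]) != 0 and (self.types & TYPE_BITS[etype]) != 0
                and self.source.lower() in source.lower() and self.low <= event_id <= self.high)

def parse_rule(line):
    """Parse one -E line; the review's sample uses an upper-case I, so accept either case."""
    decision, logs, types, source, low, high = line.strip()[2:].split("/")[:6]
    if decision.lower() not in ("i", "e"):
        raise ValueError(f"unknown decision {decision!r} in {line!r}")
    return Rule(decision.lower() == "i", int(logs), int(types), source,
                int(low or 0), int(high) if high else 10**9)

def load_rules(config_text):
    """Strip the C-style comments, then keep only the dash-first -E lines."""
    code = re.sub(r"/\*.*?\*/", "", config_text, flags=re.S)
    return [parse_rule(l) for l in code.splitlines() if l.strip().startswith("-E")]

def forwarded(rules, log, etype, source, event_id):
    """True if the client would send this event to the archive host under `rules`."""
    hits = [r for r in rules if r.matches(log, etype, source, event_id)]
    return bool(hits) and all(r.include for r in hits)
```

With the sample rules, a failed logon (Security, Audit Failure, event 529) is forwarded while an Rdr error in the System log is not; change the exclude rule's type value from 1 to 3 and its warnings disappear too.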
Aside from the tremendous flexibility of the product, as far as configuration goes, it also allows you to install the client as any
user/password combination you prefer. For instance, some sites might not allow the "system" account access to the security event log.
You can install the service to run as another account that CAN access the log. The client is also quite small and will not drain
your resources. If there's a problem, the software provides an excellent means for debugging its operation, apparently via the
-DEBUG_LOG_ON line that the sample configuration keeps commented out.
I'm providing a sample of what the output looks like in ASCII format. This will be typical of log entries on your UNIX machine;
each event arrives as a single syslog line, shown here as one record per line.
Dec 9 10:10:29 testunix.as.net testunix.ourlab.world.net 10.1.1.25 (10.1.1.20 514) TimeGenerated:19991209 10:12:22 TimeWritten:19991209 10:12:22 ComputerName:testunix SID:01050000000000051500000056202a05054d514a14787b49f4010000 SourceName:Security Log:Security EventID:612 EventCategory:6 EventType:8(Audit Success) Data:N/A EventStrings:+ + + + - + - + - + + + + + Administrator testunix (0x0,0x195F)
Dec 9 10:10:34 testunix.as.net testunix.ourlab.world.net 10.1.1.25 (10.1.1.20 514) TimeGenerated:19991209 10:12:27 TimeWritten:19991209 10:12:27 ComputerName:testunix SID:01050000000000051500000056202a05054d514a14787b49f4010000 SourceName:Security Log:Security EventID:612 EventCategory:6 EventType:8(Audit Success) Data:N/A EventStrings:+ + + + - + + + - + + + + + Administrator testunix (0x0,0x195F)
Dec 9 10:23:11 testunix.as.net testunix.ourlab.world.net 10.1.1.25 (10.1.1.20 514) TimeGenerated:19991209 10:25:04 TimeWritten:19991209 10:25:04 ComputerName:testunix SID:N/A SourceName:Rdr Log:System EventID:8003 EventCategory:0 EventType:1(Error) Data:0000000003004a0000000000431f00c0000000000000000000000000000000000000000000000000 EventStrings:\Device\LanmanDatagramReceiver DETECTOR1 NetBT_CpqNF31
Dec 9 10:27:24 testunix.as.net testunix.ourlab.world.net 10.1.1.25 (10.1.1.20 514) TimeGenerated:19991209 10:29:18 TimeWritten:19991209 10:29:18 ComputerName:testunix SID:010100000000000512000000 SourceName:Security Log:Security EventID:529 EventCategory:2 EventType:16(Audit Failure) Data:N/A EventStrings:Administrator testunix 7 User32 MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 testunix
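Each record is one long line on the UNIX side, so you will want to split it into fields before grepping for anything. The parser below is an added example (not part of the review or of the product); it assumes the field names always appear in the order shown above, and it picks out the Audit Failure records (EventType 16) as the ones worth a second look.

```python
"""Parse the ASCII records ICSSP-NT writes into the UNIX syslog file and pick out
the audit failures (added example, not part of the review or the product)."""
import re
from collections import Counter

# Sample input: the four records from the review's output, one record per line.
SAMPLE_LOG = r"""
Dec 9 10:10:29 testunix.as.net testunix.ourlab.world.net 10.1.1.25 (10.1.1.20 514) TimeGenerated:19991209 10:12:22 TimeWritten:19991209 10:12:22 ComputerName:testunix SID:01050000000000051500000056202a05054d514a14787b49f4010000 SourceName:Security Log:Security EventID:612 EventCategory:6 EventType:8(Audit Success) Data:N/A EventStrings:+ + + + - + - + - + + + + + Administrator testunix (0x0,0x195F)
Dec 9 10:10:34 testunix.as.net testunix.ourlab.world.net 10.1.1.25 (10.1.1.20 514) TimeGenerated:19991209 10:12:27 TimeWritten:19991209 10:12:27 ComputerName:testunix SID:01050000000000051500000056202a05054d514a14787b49f4010000 SourceName:Security Log:Security EventID:612 EventCategory:6 EventType:8(Audit Success) Data:N/A EventStrings:+ + + + - + + + - + + + + + Administrator testunix (0x0,0x195F)
Dec 9 10:23:11 testunix.as.net testunix.ourlab.world.net 10.1.1.25 (10.1.1.20 514) TimeGenerated:19991209 10:25:04 TimeWritten:19991209 10:25:04 ComputerName:testunix SID:N/A SourceName:Rdr Log:System EventID:8003 EventCategory:0 EventType:1(Error) Data:0000000003004a0000000000431f00c0000000000000000000000000000000000000000000000000 EventStrings:\Device\LanmanDatagramReceiver DETECTOR1 NetBT_CpqNF31
Dec 9 10:27:24 testunix.as.net testunix.ourlab.world.net 10.1.1.25 (10.1.1.20 514) TimeGenerated:19991209 10:29:18 TimeWritten:19991209 10:29:18 ComputerName:testunix SID:010100000000000512000000 SourceName:Security Log:Security EventID:529 EventCategory:2 EventType:16(Audit Failure) Data:N/A EventStrings:Administrator testunix 7 User32 MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 testunix
"""

FIELDS = ["TimeGenerated", "TimeWritten", "ComputerName", "SID", "SourceName",
          "Log", "EventID", "EventCategory", "EventType", "Data", "EventStrings"]
# No word boundary on purpose: in the review's raw output the SID hex runs straight into "SourceName:".
_KEY = re.compile("(" + "|".join(FIELDS) + "):")

def parse_record(line):
    """Split one record into the syslog header plus the named fields that follow it."""
    marks = list(_KEY.finditer(line))
    if [m.group(1) for m in marks] != FIELDS:
        raise ValueError("record does not carry the expected fields: " + line[:60])
    rec = {"header": line[:marks[0].start()].strip()}
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(line)
        rec[m.group(1)] = line[m.end():end].strip()
    code, _, label = rec["EventType"].partition("(")   # e.g. "16(Audit Failure)"
    rec["EventType"], rec["EventTypeName"] = int(code), label.rstrip(")")
    rec["EventID"] = int(rec["EventID"])
    return rec

def parse_log(text):
    return [parse_record(l) for l in text.splitlines() if l.strip()]

def summarize(records):
    """Count records per (Log, EventTypeName): the first thing to eyeball on the archive host."""
    return Counter((r["Log"], r["EventTypeName"]) for r in records)

def audit_failures(records):
    """(ComputerName, EventID, first EventStrings token) for every Audit Failure record.
    On NT 4, event 529 is a failed logon and the first string is the account name that was tried."""
    return [(r["ComputerName"], r["EventID"], r["EventStrings"].split()[0])
            for r in records if r["EventType"] == 16]
```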
There are currently other significant developments in the product that are still coming down the line. If you're interested in the
product and would like to see more, contact ICS at (334)241-4320 or visit their website at
http://www.integrate-u.com/