
Raw Windows Events from a Centralized Log Manager

Created: 07 Jan. 2013 • Updated: 09 Jan. 2013 | 8 comments
This issue has been solved. See the solution.

Here is my situation:

We have a Qradar log manager.  All of our Windows domain controllers are sending events to it via a QRadar agent.  QRadar is able to forward raw windows event logs to our Symantec SSIM.  My Symantec SSIM is receiving the logs, but the events are not normalized.  Nothing is being correlated, just raw events that SSIM doesn't know what to do with.

Other than installing Snare for Windows Event Collector on every domain controller, how can I get these Windows events to my SSIM from my centralized log manager in a way that it knows what to do with them?

Comments

SK Oois

Do you have a sample of what the RAW logs from Qradar looks like?

In general Qradar can forward logs, but the question becomes how Qradar sends logs to SSIM and whether Qradar modified the logs.

Specifically for Windows Collectors, SSIM uses a Windows Sensor to process those logs. If logs are coming in through other means, then they will NOT be passed through the regular Windows Translator + SES Processor + Filtering/Aggregation.

Let's put up a sample RAW log and I can give you a definite answer.

SK

mathells

I assume QRadar is using syslog to send the messages? How is QRadar formatting these events?  You might try to see if you can format the events like Snare (QRadar would need to support this) and then use the Snare collector.  If QRadar can't do it, you might be able to put rsyslog in the middle and convert the events into the Snare format that way. FWIW, don't expect them to be correlated all that well.  SSIM does a pretty poor job of parsing Windows events.

VSK

How is QRadar forwarding the raw Windows event logs to our Symantec SSIM? Is it using the universal/generic syslog?

-VSK

squarless

I've got Qradar forwarding unmodified events from several domain controllers. As far as I know, Qradar is just relaying the raw event. This is what I get when I collect the raw event from my Universal Syslog Event Collector.

Description = Jan 08 11:52:24 domaincontroler1.tnbd.local AgentDevice=WindowsLog    AgentLogFile=Security    PluginVersion=1.0.14    Source=Security    Computer=DOMAINCONTROLER1    User=SYSTEM    Domain=NT AUTHORITY    EventID=673    EventIDCode=673    EventType=8    EventCategory=9    RecordNumber=2512204049    TimeGenerated=1357667544    TimeWritten=1357667544    Message=Service Ticket Request: User Name: DELLPC$@TNBD.LOCAL User Domain: TNBD.LOCAL Service Name: DELLPC$ Service ID: TNB\MSJAKMOD56217$ Ticket Options: 0x40810000 Ticket Encryption Type: 0x17 Client Address: 10.4.169.151 Failure Code: - Logon GUID: {6f68f371-af48-f819-d713-6b917ee0fa9c} Transited Services: -

event_desc = Jan 08 11:52:24 domaincontroler1.tnbd.local AgentDevice=WindowsLog    AgentLogFile=Security    PluginVersion=1.0.14    Source=Security    Computer=DOMAINCONTROLER1    User=SYSTEM    Domain=NT AUTHORITY    EventID=673    EventIDCode=673    EventType=8    EventCategory=9    RecordNumber=2512204049    TimeGenerated=1357667544    TimeWritten=1357667544    Message=Service Ticket Request: User Name: DELLPC$@TNBD.LOCAL User Domain: TNBD.LOCAL Service Name: DELLPC$ Service ID: TNB\DELLPC$ Ticket Options: 0x40810000 Ticket Encryption Type: 0x17 Client Address: 10.4.169.151 Failure Code: - Logon GUID: {6f68f371-af48-f819-d713-6b917ee0fa9c} Transited Services: -

mathells

Those look like QRadar proprietary formatted. There really is no default plain text raw event on a Windows box; the event logs are in a proprietary binary format. I think you're either going to have to create a custom collector or convert into a format SSIM understands like Snare.
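The conversion mathells suggests (something in the middle, such as rsyslog, rewriting QRadar's relayed events into the Snare layout so the SSIM Snare collector can parse them) can be prototyped before touching the rsyslog configuration. The following is an added example, not code from this thread, from QRadar or from Symantec: it parses the raw event squarless pasted (the QRadar WindowsLog agent's syslog header followed by tab-separated `key=value` pairs with `Message=` last) and re-emits it as a tab-delimited Snare `MSWinEventLog` line. The Snare field order, the criticality numbers and the fixed `User` SID type are assumptions taken from memory of the Snare agent format and must be checked against the SSIM Snare collector documentation; the Windows `EventType` numbers (8 = audit success, 16 = audit failure, and so on) are the standard `EVENTLOG_*` constants. Anything that is not a QRadar WindowsLog event is left alone rather than mangled into a half-Snare line.

```python
import re
import time

# Constructed sample: the raw event squarless pasted above, as relayed by
# QRadar's WindowsLog agent (syslog header, then tab-separated key=value
# pairs with Message= last). Tabs may arrive as runs of spaces after relaying.
SAMPLE = (
    "Jan 08 11:52:24 domaincontroler1.tnbd.local AgentDevice=WindowsLog\t"
    "AgentLogFile=Security\tPluginVersion=1.0.14\tSource=Security\t"
    "Computer=DOMAINCONTROLER1\tUser=SYSTEM\tDomain=NT AUTHORITY\tEventID=673\t"
    "EventIDCode=673\tEventType=8\tEventCategory=9\tRecordNumber=2512204049\t"
    "TimeGenerated=1357667544\tTimeWritten=1357667544\t"
    "Message=Service Ticket Request: User Name: DELLPC$@TNBD.LOCAL "
    "User Domain: TNBD.LOCAL Service Name: DELLPC$ Service ID: TNB\\DELLPC$ "
    "Ticket Options: 0x40810000 Ticket Encryption Type: 0x17 "
    "Client Address: 10.4.169.151 Failure Code: - "
    "Logon GUID: {6f68f371-af48-f819-d713-6b917ee0fa9c} Transited Services: -"
)

# Windows EventType values (winnt.h EVENTLOG_* constants) -> Snare EventLogType strings.
EVENT_TYPES = {0: "Success", 1: "Error", 2: "Warning", 4: "Information",
               8: "Success Audit", 16: "Failure Audit"}

# Assumed criticality mapping (Snare assigns 0-4 per objective); tune it to
# whatever the SSIM Snare collector expects.
CRITICALITY = {"Error": 4, "Warning": 2, "Failure Audit": 3}

SYSLOG_HDR = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$", re.S)


def parse_qradar_windows_event(line):
    """Split a QRadar-relayed Windows event into a dict of its key=value fields."""
    m = SYSLOG_HDR.match(line.strip())
    if not m:
        raise ValueError("not a syslog-framed line")
    hdr_time, relay_host, body = m.groups()
    # Message= is the last field and may itself contain tabs or double
    # spaces, so cut it off before splitting the fixed fields.
    head, sep, message = body.partition("Message=")
    fields = {}
    for item in re.split(r"\t+| {2,}", head.strip()):
        key, eq, value = item.partition("=")
        if eq:
            fields[key] = value
    if fields.get("AgentDevice") != "WindowsLog":
        raise ValueError("not a QRadar WindowsLog event; leave it on the generic path")
    fields["Message"] = message.strip() if sep else ""
    fields["_relay"] = relay_host
    fields["_syslog_time"] = hdr_time
    return fields


def to_snare(fields, counter=0):
    """Re-emit a parsed event in the Snare for Windows tab-delimited layout.

    Field order is an assumption from memory of the Snare agent format:
    host, MSWinEventLog, criticality, log name, counter, time, event id,
    source, user, SID type, event log type, computer, category, message, checksum.
    """
    event_type = EVENT_TYPES.get(int(fields.get("EventType", -1)), "Information")
    crit = CRITICALITY.get(event_type, 1)
    # Snare carries the host's own time; UTC is used here so output is deterministic.
    when = time.strftime("%a %b %d %H:%M:%S %Y",
                         time.gmtime(int(fields["TimeGenerated"])))
    user = f"{fields.get('Domain', '')}\\{fields.get('User', '')}"
    snare = [
        fields["Computer"].lower(), "MSWinEventLog", str(crit),
        fields.get("AgentLogFile", fields.get("Source", "")), str(counter), when,
        fields["EventID"], fields.get("Source", ""), user, "User", event_type,
        fields["Computer"], fields.get("EventCategory", ""),
        fields["Message"].replace("\t", " "), "0",
    ]
    return "\t".join(snare)


def convert_line(line, counter=0):
    """Return the Snare line, or None when the input is not a QRadar WindowsLog event."""
    try:
        return to_snare(parse_qradar_windows_event(line), counter)
    except ValueError:
        return None


if __name__ == "__main__":
    print(convert_line(SAMPLE, counter=1))
```

Run against the sample, the output is one tab-delimited line starting with the computer name and `MSWinEventLog`, with `673` in the event id slot and `Success Audit` as the event log type; a line that is not a WindowsLog event (a firewall syslog message, say) comes back as `None`, so the relay can pass it through unchanged. Once the layout is confirmed to parse on the SSIM side, the same field mapping can be expressed in rsyslog's template and property-replacer syntax and placed between QRadar and the SSIM.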

squarless

Thanks for the look at this for me!

We may end up just putting snare agents on all the DCs. It would seem like the simplest solution.  I'm just trying to give my IT people all the options.

These are Windows Server 2003 Domain Controllers; would an "off box" Windows event log collector work?

mathells

Yes, the SSIM supports both Snare collection and Event Collector 4.3 for Microsoft Windows.  "off-box" in the SSIM environment typically means not installed on the SSIM appliance, so you'll want to be careful with the terminology. I think what you mean is can it be installed so that you don't need an agent on each Windows host?  I don't have experience with this collector myself, but I'm pretty sure it can.

SOLUTION