Wednesday, August 09, 2006

Q&A: How does MARS work with Windows Event Logs?

This question was posed by Jesmond Psaila in Australia:

Hi Mike,

I think you have a pretty cool blog. My name is Jes; I work for a Cisco Gold Partner in Australia. I am focusing on Cisco Security at the time being. I have deployed a couple of MARS deployments, mainly using network devices for reporting agents.

I notice you have some Windows Servers reporting to your MARS.

I am working on a current opportunity where the customer would like MARS to report on successful and unsuccessful logins for Windows users.

I know that Win Eventlogs capture this. With the use of a SNARE agent, can I get MARS to provide an aggregate report of this login activity?

Regards

Jesmond Psaila

This is an excellent question. Since I teach by example, I'll show how this is done with an example. In this example we're going to take a Windows 2000 server (SP4 loaded) and have it log login failures and successes to the MARS appliance. We'll even create our own rules to trigger notification of login failures and successes. There are two techniques for getting logs onto the MARS appliance: push and pull. Here I'll be using the "pull" method, in which MARS logs into the server and polls the event log. I prefer this over placing SNARE on all servers and "pushing" the logs to MARS. This mini-tutorial assumes you have a basic understanding of Windows server administration.

1) Configure your Windows 2000 Server to log login events:

I could sit here and explain this... but Microsoft has a brief tutorial on this. You can find it here. Below is a screenshot of my console after logging is fully enabled. If you view your Security Event Viewer now, you should see login/logout events:



2) Configure CS-MARS to pull events from the Windows 2000 Server

Login to your MARS appliance and go to Admin -> Security and Monitor Devices -> Add. Now choose "Add SW security apps on new host." The screen should now look like this:



Fill in all fields and make sure to choose "Windows" Operating System. Then click the "Logging Info" button to choose your event polling options:



After this you can click "Done" and the device should be added. Make sure to "Activate" it in the upper-right hand corner.

3) As an aside, you can configure how often MARS will go out and poll for events on the configured servers. This is found under Admin -> System Parameters -> Windows Event Log Pulling Time Interval. I use 60 seconds:



4) Next I like to always verify that logging is properly working.

Let it run for about 10-20 minutes (a good time to go grab a coffee), then come back and pull the raw events from MARS. To do this go to Admin -> System Maintenance -> Retrieve Raw Messages. I usually like to go back 10 minutes or more. Fill out the options like below and make sure to select just your Windows 2000 server (mine's named CISCOWORKS). Then click Submit.



5) After you have verified that you see messages, you want incidents to be created when triggering events happen. I've created an example rule that will create an incident when a user logs into the server. Here are the details on it:



Obviously you can tweak this as you need. Find the keywords in the raw messages and use those as a "Keyword" to fire off incidents.
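To make the keyword matching and the aggregate report concrete, here is an added example (mine for this write-up, not MARS code and not part of the original post) that does in Python what the rule above does on the appliance: it classifies raw Security log lines by event ID, counts successful and failed logins per user, and flags users who cross a failure threshold. The line layout, user names and the threshold are constructed assumptions; the event IDs 528, 529, 539 and 540 are the standard Windows 2000/2003 Security log IDs.

```python
import re
from collections import defaultdict

# Constructed sample lines shaped like Windows 2000 Security log entries
# (event ID, audit type, message). Not real MARS output.
SAMPLE_EVENTS = [
    "Security,528,Success Audit,Successful Logon: User Name: jsmith Domain: CORP Logon Type: 2",
    "Security,529,Failure Audit,Logon Failure: Reason: Unknown user name or bad password User Name: bob Domain: CORP Logon Type: 3",
    "Security,529,Failure Audit,Logon Failure: Reason: Unknown user name or bad password User Name: bob Domain: CORP Logon Type: 3",
    "Security,529,Failure Audit,Logon Failure: Reason: Unknown user name or bad password User Name: bob Domain: CORP Logon Type: 3",
    "Security,540,Success Audit,Successful Network Logon: User Name: svc_backup Domain: CORP Logon Type: 3",
    "Security,538,Success Audit,User Logoff: User Name: jsmith Domain: CORP Logon Type: 2",
    "Security,529,Failure Audit,Logon Failure: Reason: Unknown user name or bad password User Name: alice Domain: CORP Logon Type: 2",
]

# Pre-Vista Windows Security event IDs for logon outcomes (well-known values).
LOGON_EVENTS = {
    528: "success",  # Successful Logon (interactive, service, batch ...)
    540: "success",  # Successful Network Logon
    529: "failure",  # Logon Failure: unknown user name or bad password
    539: "failure",  # Logon Failure: account locked out
}

LINE_RE = re.compile(r"^Security,(?P<id>\d+),(?P<audit>[^,]+),(?P<msg>.*)$")
USER_RE = re.compile(r"User Name:\s*(\S+)")


def parse_event(line):
    """Return (event_id, outcome, user) for a logon event, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event_id = int(m.group("id"))
    outcome = LOGON_EVENTS.get(event_id)
    if outcome is None:          # logoff, policy change, etc. are not logon events
        return None
    user = USER_RE.search(m.group("msg"))
    return event_id, outcome, (user.group(1) if user else "?")


def aggregate(lines):
    """Per-user counts of successful and failed logons (the aggregate report)."""
    report = defaultdict(lambda: {"success": 0, "failure": 0})
    for line in lines:
        parsed = parse_event(line)
        if parsed:
            _, outcome, user = parsed
            report[user][outcome] += 1
    return dict(report)


def failed_logon_alerts(lines, threshold=3):
    """Users with at least `threshold` failures in the polled window; the
    equivalent of a MARS keyword rule on 'Logon Failure' raising an incident."""
    return sorted(u for u, c in aggregate(lines).items() if c["failure"] >= threshold)
```

Raise or lower the threshold to match the poll interval you chose in step 3; a 60-second window with three failures is a very different signal than the same three failures over a day.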

I hope this helped explain how to get Windows servers logging to MARS and how to generate rules that fire on server logins. Though this was done to help Jesmond, anyone with questions or who would like more example rules, please let me know.

9 comments:

Anonymous said...

What should be the account privilege that MARS is using to pull the events?
What rights should the account have (remote access, etc.)?

Tim said...

Is there a way to configure MARS to log all events on a SQL Server? I'd like to have MARS capture all successful/unsuccessful logins to our databases.

Anonymous said...

Mike,

This was helpful, but why is it that you prefer to put the processing load on the MARS device as opposed to using Snare or something like it to push the syslog events to a syslog server such as the MARS unit?

BamaRazz said...

The decision of push / pull is to deem which device needs to process. Placing the SNARE agent on the DC versus allowing the MARS appliance to handle load is based on which platform is best suited for the additional load...
