Wednesday, August 09, 2006

Q&A: How does MARS work with Windows Event Logs?

This questions was posed by Jesmond Psaila in Australia:

Hi Mike,

I think you have a pretty cool blog. My name is Jes I work for a Cisco Gold Partner in Australia. I am focusing on Cisco Security at the time being. I have deployed a couple of MARS deployment mainly using network device for reporting agent.

I notice you have some Windows Servers reporting to your MARS.

I am working on a current opportunity where the customer would like MARS to report on sucessfull and unsucessfull logins for Windows users.

I know that Win Eventlogs capture this. with the use of a SNARE agent can I get MARS to provide an aggregate report of this login activity.

Regards

Jesmond Psaila

This is an excellent question. Since I teach by example I'll show how this is done with an example. In this example we're going to take a Windows 2000 server (SP4 loaded) and have it log login failure and successes to the MARS appliance. We'll even create our own rules to trigger notification of login failures and successes. There's two techniques of getting logs onto the MARS appliance: push and pull. Here I'll be using the "pull" function, in which MARS will log into the server and poll the event log. I prefer this over placing SNARE on all servers and "pushing" the logs to MARS. This mini-tutorial make the assumption you have a base understanding of Windows server administration.

1) Configure your Windows 2000 Server to log login events:

I could sit here an explain this... but Microsoft has a brief tutorial on this. You can find it here. Below is a screenshot of my console after logging is fully enabled. If you view your Security Event Viewer now you should see login/logout events:



2) Configure CS-MARS to pull events from the Windows 2000 Server

Login to your MARS appliance and go to Admin -> Security and Monitor Devices -> Add. Now choose "Add SW security apps on new host." The screen should now look like this:



Fill in all fields and make sure to choose "Windows" Operating System. Then click the "Logging Info" button to choose your event polling options:



After this you can click "Done" and the device should be added. Make sure to "Activate" it in the upper-right hand corner.

3) As an aside you can configure how often MARS will go out and poll for events on the configured servers. This is found under Admin -> System Parameters -> Windows Event Log Pulling Time Interval. I use 60 seconds:



4) Next I like to always verify that logging is properly working.

Let it run for about 10-20 minutes (good time to go grab a coffee) and come back and pull the raw events from MARS. To do this go to Admin -> System Maintenance -> Retrieve Raw Messages. I usually like to go back 10 minutes or more. Fill out the option like below and make sure to select just your Windows 2000 server (mine's named CISCOWORKS). Then click Submit.



5) After you have verified that you see messages... now you want incidents to be created when triggered events happen. I've created an example rule that will create an incident when a user logs into the server. Here's the details on it:



Obviously you can tweak this as you must. Find the keywords in the raw messages and use those as a "Keyword" to fire off incidents.

I hope this helped explain how to get Windows Servers logging with MARS and generating rules to fire events for server logins. Though this was done to help Jesmond, anyone with any questions or that would like more example rules please let me know.

6 comments:

Anonymous said...

What should be the account priviledge that mars is using to pull the events?
What rights should the account have (remote access, etc.)?

Anonymous said...

Is there a way to configure MARS to log all events on a SQL Server? I'd like to have MARS capture all successful/unsucessful logins to our databases.

Anonymous said...

Mike,

This was helpful, but why is it that you prefer to put the processing load on the MARS device as opposed to using Snare or something like it to push the syslog events to a syslog server such as the MARS unit?

Unknown said...

The decision of push / pull is to deem which device needs to process. Placing the SNARE agent on the DC versus allowing the MARS appliance to handle load is based on which platform is best suited for the additional load...

Anonymous said...

Can anyone recommend the robust IT automation program for a small IT service company like mine? Does anyone use Kaseya.com or GFI.com? How do they compare to these guys I found recently: N-able N-central service management
? What is your best take in cost vs performance among those three? I need a good advice please... Thanks in advance!

Anonymous said...

Can anyone recommend the top performing Managed Service utility for a small IT service company like mine? Does anyone use Kaseya.com or GFI.com? How do they compare to these guys I found recently: N-able N-central system network
? What is your best take in cost vs performance among those three? I need a good advice please... Thanks in advance!