2. Overview
Introducing… the Event Log
Why Monitor Logs
Enabling Event Logging
Real Time Monitoring
Example: Security Log Tampering
Auditing and Analysis
Archiving Events
Example: File Modification Investigation
Event Log Limitation
Vista Event Log
Example: Creating Log File Using Event Triggered Tasks
Resources and Questions
3. Introducing…Event Log
Centralized log service to allow applications and the
operating system to report events that have taken place.
Introduced with Windows NT 3.1 (1993); the NT 4 and 2000/2003 logs share the same format.
Main Windows Logs
Application (example: Database message)
System (example: driver failure)
Security (example: Logon attempt, file access)
A Windows 2003 domain controller will also include
Directory Service (example: Active Directory connection problem)
File Replication (example: domain controller information updates)
DNS
Vista has introduced a lot of changes
4. Why Should We Monitor Logs
We don’t NEED to… We HAVE to…
Organizations are obligated by regulations to gather and
audit systems activity logs.
HIPAA (Healthcare)
Regular review of system activity to ensure that patient
information remains private but accessible
Identify, respond and document security incidents
GLBA (Financial)
Dual control procedures
Segregation of duties
SOX (Financial)
Record Retention and availability
Accountability
5. Why Should We Monitor Logs (cont.)
To comply with the regulations organizations require the
following forms of log monitoring
Real-time monitoring
Identify attack attempts in progress and if a security breach has
occurred.
Audit and analysis
Periodic reports and analysis for regulation compliance (due diligence).
Archiving
Again… regulations compliance (log retention)
Forensic investigation of an incident
The event log should also enable the organization to
implement internal security policies.
6. Enabling Event Logging
Each event category is controlled by audit policies:
Account logon events (for domain accounts)
Account management (group and account events)
Directory service access
Logon events (local machine events)
Object access (user accessing an object such as file, folder, printer)
Policy change (changes in the audit, user rights and trust policies)
Privilege use (a user exercising one or more user rights)
Process tracking (detailed tracking information)
System events (events that affect the system security or log)
Each policy can be set to audit success events only, failure
events only, success/failure events, or no auditing at all.
8. Real-Time Monitoring
Successful events that grant the user high level privileges
(either by spoofing identity or elevation of privileges)
Events to monitor
Successful high profile user account / group management events
#636 – Member added to a security-enabled local group (#637 – member removed; #632/#633 for global groups)
Successful logon events of high profile user accounts
#680 – Logon attempt (NTLM authentication)
Successful logon events to a domain controller
Operations on specific high profile resources (files, folder)
#560 (Object Access), #564 (Object Deleted)
Successful policy change events
#612 – Audit Policy Change (logs no more…)
All system events
#517 – security log was cleared
10. Example: Event #517 (Clear Security Log)
Security Log
A user will try to erase the logs (and not even save them)
A new event is created
The event contains the user name
14. Real-Time Monitoring (cont.)
Tracking and analysing event failure patterns may
indicate a range of malicious attack attempts
Failed logon activity (e.g. brute force attack)
#675 – Pre Auth, failed with Kerberos code 24 (Bad password)
#539 – Logon failure due to account lockout (if systematic across many
accounts, it may indicate a lockout DoS)
Failed account management activity (e.g. password reset events)
All failed system events
#517 – Audit log cleared
Note: Most of the auditing policies, by default, are set to log
successful events only. Local policies may be set to no
auditing at all.
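An added example (not part of the original deck) of the real-time rules from slides 8 and 14 run over constructed sample records: single-event alerts for #517, #612, #636/#637 against watched groups and #680 for watched accounts, plus a sliding window that turns repeated #675/#529 failures for one account into a brute-force alert and several #539 lockouts of different accounts into a lockout-DoS alert. The records, account names, thresholds and watch lists are assumptions made for the example; the field names only loosely follow the Windows 2003 log text.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records in the Windows 2003 security-log layout:
# (timestamp, event ID, fields). Accounts, hosts and addresses are made up.
SAMPLE_EVENTS = [
    ("2007-06-13 09:00:01", 680, {"Logon Account": "Administrator", "Workstation": "WS042"}),
    ("2007-06-13 09:02:30", 680, {"Logon Account": "jdoe", "Workstation": "WS042"}),
] + [
    ("2007-06-13 09:05:%02d" % s, 675,
     {"User Name": "finance-admin", "Failure Code": "0x18", "Client Address": "10.1.7.23"})
    for s in range(0, 50, 5)           # ten bad-password pre-auth failures in 45 seconds
] + [
    ("2007-06-13 09:06:00", 539, {"User Name": "finance-admin", "Workstation": "WS042"}),
    ("2007-06-13 09:15:00", 636, {"Member Name": "CN=jdoe,OU=Users,DC=corp,DC=example",
                                  "Target Account Name": "Administrators",
                                  "Caller User Name": "helpdesk1"}),
    ("2007-06-13 09:16:00", 612, {"User Name": "helpdesk1", "Changed": "Object Access: - -"}),
    ("2007-06-13 09:17:00", 517, {"Client User Name": "helpdesk1", "Client Domain": "CORP"}),
]

# Assumed watch lists and thresholds; tune them to the environment.
WATCHED_GROUPS = {"Administrators", "Domain Admins"}
WATCHED_ACCOUNTS = {"administrator", "finance-admin"}
FAIL_THRESHOLD = 5                  # failures for one account inside FAIL_WINDOW
FAIL_WINDOW = timedelta(minutes=2)
LOCKOUT_THRESHOLD = 3               # distinct accounts locked out inside FAIL_WINDOW


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def analyse(events):
    """Return (severity, timestamp, message) alerts in time order."""
    alerts = []
    failures = defaultdict(deque)   # account -> timestamps of recent #675/#529
    lockouts = deque()              # (timestamp, account) of recent #539
    for ts_s, eid, f in sorted(events, key=lambda e: e[0]):
        ts = parse_ts(ts_s)
        if eid == 517:
            alerts.append(("CRITICAL", ts_s, "security log cleared by %s\\%s"
                           % (f["Client Domain"], f["Client User Name"])))
        elif eid == 612:
            alerts.append(("HIGH", ts_s, "audit policy changed by %s: %s"
                           % (f["User Name"], f["Changed"])))
        elif eid in (636, 637) and f["Target Account Name"] in WATCHED_GROUPS:
            verb = "added to" if eid == 636 else "removed from"
            alerts.append(("HIGH", ts_s, "%s %s %s by %s" % (
                f["Member Name"], verb, f["Target Account Name"], f["Caller User Name"])))
        elif eid == 680 and f["Logon Account"].lower() in WATCHED_ACCOUNTS:
            alerts.append(("INFO", ts_s, "watched account %s logged on from %s"
                           % (f["Logon Account"], f["Workstation"])))
        elif eid in (529, 675):
            acct = f["User Name"].lower()
            q = failures[acct]
            q.append(ts)
            while ts - q[0] > FAIL_WINDOW:          # drop failures older than the window
                q.popleft()
            if len(q) == FAIL_THRESHOLD:            # fire once, when the threshold is crossed
                alerts.append(("HIGH", ts_s, "%d failed logons for %s within %s (possible brute force)"
                               % (len(q), acct, FAIL_WINDOW)))
        elif eid == 539:
            lockouts.append((ts, f["User Name"].lower()))
            while ts - lockouts[0][0] > FAIL_WINDOW:
                lockouts.popleft()
            accounts = {a for _, a in lockouts}
            if len(accounts) >= LOCKOUT_THRESHOLD:
                alerts.append(("HIGH", ts_s, "%d accounts locked out within %s (possible lockout DoS)"
                               % (len(accounts), FAIL_WINDOW)))
    return alerts


if __name__ == "__main__":
    for severity, when, msg in analyse(SAMPLE_EVENTS):
        print(severity, when, msg)
```

A single #539 is normal helpdesk noise, which is why the lockout rule counts distinct accounts inside the window rather than firing on every event; the brute-force rule fires once when the count crosses the threshold so a long attack does not produce one alert per failure.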
15. Real-Time Monitoring (cont.)
Possible issues
Flood of events (domain controller and member server event
duplication, detailed tracking events)
Solution: Consolidate log information for better analysis
Unmonitored systems (e.g. unaudited events on a file server)
Solution: Threat modeling, identifying assets in organization
Unmonitored events (detailed user and process activity)
Solution: Organization security program and policies
False positives due to configuration problems
(e.g. expired service password)
Solution: Knowledge of the network, components and assets
(Human Factor)
16. Auditing and Analysis
Most regulations require a periodic review of important
events (not critical or show stoppers) for two reasons:
A “second chance” to reveal malicious activity originally undetected
(and unaccounted for).
Audit the ongoing activity to verify no major changes have taken
place.
The data is usually reviewed in the form of reports
(detailed and summarized)
Example of Events to Monitor (A short list)
#529 to #535 and #539 – Logon failure (different reasons)
#629 – User account Disabled
#644 – User account Locked Out
17. Auditing and Analysis (cont.)
Possible issues
Finding a critical event that was not detected by the real-time
monitoring processes
Solution: Investigate the incident to eliminate or mitigate any results of
malicious activity.
Duplicated events (Domain controller and Local Server)
Solution: Correlate and consolidate events using external system
Lack of security policies to help identify which events should be audited
(e.g. Messenger)
Solution: Define security policies to determine which event types need
to be audited on a regular basis.
Report requirements are unclear and affect the log detail level
Solution: Define auditing processes to determine what type of logs
and details are required (TIP: when in doubt, use graphs…)
18. Archiving Events
Event Archiving is done for two main reasons:
Log retention compliance (e.g. SOX)
Forensic investigation of a security incident (chain of evidence)
In general, all system events should be logged. However,
by default, not all audit policies are set to generate logs.
In particular, detailed tracking of high profile objects (such
as files, folders, printers, etc.) is turned off by default. A
common misconception is that regular object access
events provide this information.
19. Example: Detailed Event Tracking
Detailed Event tracking can include the following events:
#528 – Successful Logon (the user authenticates to the system)
#592 – A new process has been created (application is launched)
#560 – Object Open (a file is requested)
#567 – Object Access (the file is modified and saved)
#564 – Object Deleted
#562 – Handle Closed (the file has been closed)
#593 – A Process Has Exited (the application was terminated)
20. Example: Detailed Event Tracking
Enabling Audit Policies
Object Access
Logon (Local and Domain)
Privilege Use
Process Tracking
21. Example: Detailed Event Tracking
A Very Important Folder (e.g. sensitive document on a file server)
The folder contains files we wish to monitor (compliance, sensitive information, etc.)
24. Example: Detailed Event Tracking
Detailed Tracking is configured on the resource itself
Security > Advanced > Auditing Tab > Add
Select the Account or Group to be audited
Select the events to audit (Read, Write, Delete…)
Each user/group will require additional settings
33. Example: Detailed Event Tracking
Timestamp: 13-06-07 04:27:40
Last Modify: 13-06-07 05:27:39
Filter who was logged in during that time
User Logon ID: 0x43F744D (#528)
Excel Process ID: 2916 (#592)
File Open Handle: 644 (#560)
File (644) Modified at 05:27:39 (#567)
File (644) closed (#562)
Excel Process (2916) Terminated (#593)
Matching Modification Times
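An added example (not part of the original deck) that automates the chain walked on slides 33 to 41: replay the security log in time order, keep tables of live logons (#528/#538), processes (#592/#593) and open handles (#560/#562), and for each write (#567) to the file of interest inside the investigation window report the handle, process, Logon ID and user it resolves to. The sample records, user names, paths and IDs are constructed for the example and only loosely follow the Windows 2003 field names; handle 644 is deliberately reused by two processes to show why a handle must be keyed on the process and retired at #562.

```python
# Constructed sample records in the Windows 2003 security-log layout:
# (timestamp, event ID, fields). Users, paths and IDs are made up; handle 644
# is deliberately reused by two different processes.
SAMPLE_EVENTS = [
    ("2007-06-13 04:27:40", 528, {"User Name": "jdoe", "Logon ID": "0x43F744D", "Logon Type": "2"}),
    ("2007-06-13 04:30:02", 528, {"User Name": "svc-backup", "Logon ID": "0x4401A2", "Logon Type": "5"}),
    ("2007-06-13 04:31:00", 592, {"New Process ID": "1188", "Logon ID": "0x4401A2",
                                  "Image File Name": "C:\\WINDOWS\\system32\\ntbackup.exe"}),
    ("2007-06-13 04:31:05", 560, {"Object Name": "D:\\Finance\\Q2-forecast.xls", "Handle ID": "644",
                                  "Process ID": "1188", "Primary Logon ID": "0x4401A2",
                                  "Accesses": "ReadData (or ListDirectory)"}),
    ("2007-06-13 04:31:06", 562, {"Handle ID": "644", "Process ID": "1188"}),
    ("2007-06-13 05:20:11", 592, {"New Process ID": "2916", "Logon ID": "0x43F744D",
                                  "Image File Name": "C:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL.EXE"}),
    ("2007-06-13 05:20:15", 560, {"Object Name": "D:\\Finance\\Q2-forecast.xls", "Handle ID": "644",
                                  "Process ID": "2916", "Primary Logon ID": "0x43F744D",
                                  "Accesses": "ReadData (or ListDirectory) WriteData (or AddFile)"}),
    ("2007-06-13 05:27:39", 567, {"Object Type": "File", "Handle ID": "644", "Process ID": "2916",
                                  "Accesses": "WriteData (or AddFile)"}),
    ("2007-06-13 05:27:40", 562, {"Handle ID": "644", "Process ID": "2916"}),
    ("2007-06-13 05:28:01", 593, {"Process ID": "2916", "Logon ID": "0x43F744D"}),
    ("2007-06-13 05:30:00", 538, {"User Name": "jdoe", "Logon ID": "0x43F744D"}),
]


def correlate_writes(events, object_name, window_start, window_end):
    """Replay the log in time order and return one record per write (#567 carrying
    WriteData) to object_name inside [window_start, window_end].
    Timestamps are ISO strings, so they compare correctly as text."""
    logons, procs, handles, hits = {}, {}, {}, []
    for ts, eid, f in sorted(events, key=lambda e: e[0]):
        if eid == 528:
            logons[f["Logon ID"]] = f["User Name"]
        elif eid == 538:
            logons.pop(f["Logon ID"], None)
        elif eid == 592:
            procs[f["New Process ID"]] = (f["Image File Name"], f["Logon ID"])
        elif eid == 593:
            procs.pop(f["Process ID"], None)
        elif eid == 560:
            # Handle IDs are per process and get reused after #562, so key on both.
            handles[(f["Process ID"], f["Handle ID"])] = (f["Object Name"], f["Primary Logon ID"], ts)
        elif eid == 562:
            handles.pop((f["Process ID"], f["Handle ID"]), None)
        elif eid == 567 and "WriteData" in f["Accesses"]:
            key = (f["Process ID"], f["Handle ID"])
            if key not in handles:
                continue        # write on a handle whose #560 we never saw: an audit gap
            obj, logon_id, opened = handles[key]
            if obj != object_name or not (window_start <= ts <= window_end):
                continue
            image, _ = procs.get(f["Process ID"], ("<process not tracked>", logon_id))
            hits.append({"modified": ts, "opened": opened, "handle": f["Handle ID"],
                         "pid": f["Process ID"], "process": image, "logon_id": logon_id,
                         "user": logons.get(logon_id, "<logon not tracked>")})
    return hits


if __name__ == "__main__":
    for hit in correlate_writes(SAMPLE_EVENTS, "D:\\Finance\\Q2-forecast.xls",
                                "2007-06-13 05:00:00", "2007-06-13 06:00:00"):
        print(hit)
```

The backup process opens the same file with the same handle number but read-only, and closes it before Excel starts, so it never appears in the result; a #567 whose #560 is missing is reported as a gap rather than guessed, which is the case where Object Access auditing was not enabled on the resource.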
42. Archiving Events (cont.)
Possible issues
Volume of events
(can reach several million events a day from a busy server)
Solution: Transfer logs to long-term storage (compressed, digitally
signed, etc.)
Lack of security policies to help identify which events and
processes should be audited (e.g. Messenger)
Solution: Define security policies to determine which processes and
their relevant events need to be logged on a regular basis.
The event logs are just a portion of the “chain of evidence”
Solution: Define auditing processes to ensure that all the required logs
are being gathered and associated (e.g. a unique ID or a time stamp).
For example: associate firewall logs through the Windows event logs
and to the database logs.
43. Know Your Event Log Limits
Size matters (and it’s never enough…)
Solution: For long term logging, use an external storage system.
44. Know Your Event Log Limits (cont.)
Log Analysis and correlation (especially when using
automatic systems like SEM and SIM) often result in a
large number of false positives.
Solution: Knowledge of the network and assets to refine alerts, ongoing
tuning
Logs are a “detective” measure and are not an IPS
(Intrusion prevention system) on their own
Solution: Vista offers a partial solution (event-triggered tasks). For complex responses,
leverage an external solution to gather and analyze logs
Not all events are logged on the domain controller. These
events require a log gathering process
Solution: Vista offers a solution (event forwarding). Otherwise, use an external log
gathering system.
45. Know Your Event Log Limits (cont.)
Security event logs monitor only the authentication and
authorization mechanisms of the operating system.
Solution: Most applications write (or should…) logs to the Windows event
log. These logs can be used to enhance the monitoring capabilities.
Custom application logs often neglect to provide the details or the
severity of the event.
Solution: Educate your developers, develop an API, buy something
better…
55. Event Log Tasks (Vista)
Select an Event to open the Wizard
The type of Event is pre-selected (basic)
Select Action: e-mail settings, or launch a process
Finalize Settings
Task Created
Task is Visible in the Task Scheduler (new Tasks Category)
65. Event Log Tasks (Vista)
Problem: Basic Task Event Details are pre-defined.
The next example will:
• Trigger on successful logon events of a specific group
• Create a file with a list of users that logged on
• Highlight username with “Admin” string
67. Event Log Tasks (Vista)
Create a New Task
Select the User Group
Triggers Tab > New
Trigger Task On an Event
Switch from Basic to Custom and Create New Filter…
Select Event Logs (Multiple Logs!)
Select Events ID (Possible Multiple IDs) and Keywords
The trigger is saved as XMLQuery (Can be modified)
The Task Action will be “Select a Program”…
77. Event Log Tasks (Vista)
This VB script searches for the string “Admin” in the
logged-on user name and adds a note beside it.
78. Event Log Tasks (Vista)
The output of three different users logging on to the machine…
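An added example (not part of the original deck, and not the VB script it shows) of the two pieces the custom task on slides 67 to 78 relies on: the XML query the Task Scheduler stores as the trigger, and a program that reads Vista-format event XML, keeps only the events the query selects, and writes one line per logon with a mark beside names that contain “Admin”. The query, the three sample Security events and the output path are constructed assumptions; 4624 is the Vista successful-logon event and 4634 the logoff, included to show it is filtered out.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# The trigger a custom event filter is stored as (Vista XML query syntax).
# Constructed for this example: fire on a successful logon (4624) in Security.
TRIGGER_QUERY = """<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(EventID=4624)]]</Select>
  </Query>
</QueryList>"""


def _event(event_id, when, data):
    """Build one constructed Vista-format Security event (Event Viewer XML view)."""
    fields = "".join('<Data Name="%s">%s</Data>' % kv for kv in data.items())
    return ('<Event xmlns="%s"><System>'
            '<Provider Name="Microsoft-Windows-Security-Auditing"/>'
            '<EventID>%d</EventID><TimeCreated SystemTime="%s"/><Channel>Security</Channel>'
            '</System><EventData>%s</EventData></Event>'
            % (NS["e"], event_id, when, fields))


# Constructed sample events: three logons and one logoff. Names are made up.
SAMPLE_EVENTS = [
    _event(4624, "2007-06-13T09:00:01Z", {"TargetUserName": "jdoe", "TargetDomainName": "CORP", "LogonType": "2"}),
    _event(4624, "2007-06-13T09:04:12Z", {"TargetUserName": "SrvAdmin", "TargetDomainName": "CORP", "LogonType": "10"}),
    _event(4634, "2007-06-13T09:05:00Z", {"TargetUserName": "jdoe", "TargetDomainName": "CORP", "LogonType": "2"}),
    _event(4624, "2007-06-13T09:07:45Z", {"TargetUserName": "bsmith", "TargetDomainName": "CORP", "LogonType": "3"}),
]


def selected(query_xml):
    """Return {channel: set(event IDs)} pulled from each <Select> of a QueryList."""
    wanted = {}
    for sel in ET.fromstring(query_xml).iter("Select"):
        ids = {int(x) for x in re.findall(r"EventID=(\d+)", sel.text or "")}
        wanted.setdefault(sel.get("Path"), set()).update(ids)
    return wanted


def parse_event(xml_text):
    """Pull the System fields and the named EventData values out of one event."""
    root = ET.fromstring(xml_text)
    sysn = root.find("e:System", NS)
    return {
        "id": int(sysn.find("e:EventID", NS).text),
        "channel": sysn.find("e:Channel", NS).text,
        "time": sysn.find("e:TimeCreated", NS).get("SystemTime"),
        "data": {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)},
    }


def logon_report(events_xml, query_xml, marker="Admin"):
    """One line per event the query selects, flagging user names that contain marker."""
    wanted = selected(query_xml)
    lines = []
    for ev in map(parse_event, events_xml):
        if ev["id"] not in wanted.get(ev["channel"], ()):
            continue
        d = ev["data"]
        user = d.get("TargetUserName", "")
        line = "%s  %s\\%s  (logon type %s)" % (ev["time"], d.get("TargetDomainName", ""), user, d.get("LogonType", "?"))
        if marker.lower() in user.lower():
            line += "   <== contains '%s'" % marker
        lines.append(line)
    return lines


if __name__ == "__main__":
    # The task action writes the list to a file; the path is an assumption.
    with open("logons.txt", "w") as out:
        out.write("\n".join(logon_report(SAMPLE_EVENTS, TRIGGER_QUERY)) + "\n")
```

Note that 4624 is also written for network and service logons (logon types 3 and 5), so a production filter would normally narrow the XPath further on LogonType, or the report will fill with machine and service accounts.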
79. Event Log @ Vista
New Event Viewer (interface)
Over 50 new Event categories
Over 2400 policies (over 1000 in W2K3)
XML based
Events are still written locally
Critical Events can be forwarded
Expanded to serve as a single location for all
events (using Windows Remote Management, WinRM)
Events can launch system tasks
80. Resources
TechNet – Auditing Overview
(http://technet2.microsoft.com/windowsserver/en/library/768463f6-02b9-4e5e-af55-
29c089ade6381033.mspx?mfr=true)
EventID.net (http://www.eventid.net/search.asp)
Randy Franklin Smith’s Windows Security Log Encyclopedia
(http://www.ultimatewindowssecurity.com/encyclopedia.html)
81. Company:
Private, Toronto-based Canadian company
Providing Security consulting and networking solutions for over 10 years
Business model focused on delivering timely security information to all areas of an organization
(CEO down to administrator)
Dynamic, agile response to client needs
Experience with customers in multiple verticals
Experienced management team
Consistent Approach:
Provide “snapshot” security information for senior executives
Provide detailed “security to-do” lists for follow-up by onsite personnel
Proven & Scalable Solutions:
Phased Delivery method ensures client satisfaction
Successful deployments with large organizations
Clients need fewer in-house qualified security professionals
Minimize manual, mundane daily client tasks
Leverages both Proprietary and Industry Best-of-Breed Technologies
Extensible Framework:
Adheres to ISO 17799 Framework, Security & Industry Best Practices
The Sentry Dashboard is an enabler for any security subsystem
Can be adapted to present information from non-security sources (network availability and trending,
HR reporting, etc.)
Engages all areas of an organization, from Senior Executives and security officers, to hands-on
systems and network administrators