Running Syslog-NG on Windows
This post describes running syslog-ng as a server on Windows. In another post, we describe how to send Windows Event Logs to syslog.
There are many great commercial syslog servers for Windows, but not many options for those looking for a free alternative. One option is Aonaware. Another option is to install syslog-ng through Cygwin. Cygwin is a Linux-like environment that runs inside a Windows command shell, and it runs on all current desktop and server versions of Windows. In this post, we will walk through setting up syslog-ng on a Windows host.
- First, visit the Cygwin website to download the setup.exe application. Save, then run setup.exe.
- Choose “Install From Internet”
- Select the directory to install into and the user to install for (leave this as “all users”).
- Enter the directory for local packages. Accepting the default location is fine.
- Choose your Internet connection type (direct or proxy)
- Select a site to download from. Any one should be fine.
- At the “install packages” window, type “syslog” in the search box. You will see “Admin” below. Expand the Admin section, and you will see syslog-ng. Click the word “skip” until you see 3.0.1 (or whatever the latest supported version is).
- Also choose the following packages:
  - Admin/cygrunsrv
  - Editors/VIM
  - Gnome/glib
- Finish the installation.
Configuring The Snare Windows Client And Syslog-NG To Work Together
In a previous post, we looked at installing Snare to log Windows events to a syslog server. Here, we will configure syslog-ng to accept messages from Snare and implement a few simple customizations, including storing the logs in individual files. We will assume that Snare is operational for the purposes of this guide. Please see the post referenced above for help with installing Snare.
For this test, I am running syslog-ng 3.0.1 on FreeBSD 7.1 and Snare 3.14 on Windows XP.
First, we will start with a very basic configuration that logs to /var/log/messages:
    # Source: syslog-ng's own messages plus anything arriving on UDP/514
    source src {
        internal();
        udp(port(514));
    };
    # Destination: a single flat file
    destination messages { file("/var/log/messages"); };
    # Path: everything from src goes to messages
    log { source(src); destination(messages); };
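The post promises to go on to store the logs in individual files. The configuration below is an added example, not the original post's own configuration, that extends the basic one above to do that for syslog-ng 3.0: one file per sending host, named by day. It assumes Snare is sending to UDP/514 as above, that /var/log/hosts is the directory you want to use (a constructed path), and that Snare's syslog header carries the program tag MSWinEventLog (an assumption about the agent's default format; if your messages do not carry it, the filter matches nothing and all traffic falls through to /var/log/messages).

```conf
@version: 3.0

options {
    # Take $HOST from the packet's source address, not from the text of the
    # syslog header. The header is set by whoever sends the packet, and it is
    # used below to build a file path, so we do not trust it.
    keep_hostname(no);
    use_dns(no);
    # Build per-host directories on first write.
    create_dirs(yes);
};

# Same input as the basic configuration: syslog-ng's own messages plus
# everything that arrives on UDP/514 (Snare's default transport).
source s_snare {
    internal();
    udp(ip(0.0.0.0) port(514));
};

# Matches messages whose program field is Snare's tag (assumed default).
filter f_snare { program("MSWinEventLog"); };

# One file per sending host (the address, because of keep_hostname(no)),
# one file per day. perm() keeps the logs readable only by root and the
# log group; the path is constructed for this example.
destination d_perhost {
    file("/var/log/hosts/$HOST/$YEAR-$MONTH-$DAY.log"
         perm(0640));
};

# Catch-all for anything that is not a Snare message.
destination d_messages { file("/var/log/messages"); };

# flags(final) stops a Snare message from also landing in the catch-all.
log { source(s_snare); filter(f_snare); destination(d_perhost); flags(final); };
log { source(s_snare); destination(d_messages); };
```

Check the file with `syslog-ng -s -f /path/to/this.conf` before restarting the daemon; the syntax check catches a misplaced brace or an unknown option without touching the running instance. After a restart, confirm that a directory appears under /var/log/hosts for each Windows sender and that /var/log/messages stops filling with Snare lines; if it does not, the program tag in your Snare output differs from the assumed one and the filter needs adjusting.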
On The Importance of Centralized Windows Event Logging
I was just catching up on my reading on Technorati and came across this article that details the ways attackers can cover their tracks upon compromising a Windows server. This article should serve as a warning: if your logs are not moved off to a central server, you will lose visibility and key evidence on attacks. This applies to any type of system, whether Windows, Linux, BSD or any other UNIX OS.
I strongly encourage the practice of centralizing logs to a hardened log server. For Windows, there are a number of good applications that will export Windows Event Logs out to syslog. I recently took a look at logging Windows Events to a syslog server using Snare.
It is important to note that in the event of a successful compromise, the attacker will likely still disable logging and auditing, which will probably cause the stream of logs to the syslog server to cease. The difference, though, is that the events which were captured during the attack remain on the log server, despite the attacker having deleted the local logs. In a better case, the attacker does not disable logging and auditing first, opting to clear the event logs later in the attack, providing more evidence in the centralized logs of what was accessed or modified by the attacker.
Logging Windows Events To Syslog Using Snare
There are now a bunch of commercial and open source agents that can run on a Windows system to take in Windows Event Logs and send them off to a syslog server. We’ll be looking at the Snare agent in this post.
As of this writing, Snare is compatible with Windows NT, 2000, XP, 2003 and Vista. There is also an agent available for 64 bit Windows versions.
For my test, I am installing on a Windows XP system. Installation is quite straightforward. There are MSI and scripted installers available on the Snare web site for large scale deployments.
The recommended installation has Snare taking control over the Event Log configuration, to synchronize the configurable logging “Objectives” in Snare with the Event Log settings.
