Sign in to follow this  
Followers 0

Installing Event Logging to a Remote Syslog Server


Windows Intrusion Detection System - Companion Add-On Tutorial

ids.gif

Logging Events to a Remote Syslog Server

Written by: Michael E. Steele



Introduction

This tutorial is a simple to understand, step-by-step tutorial for logging events from a Windows Intrusion Detection System (WinIDS) to a remote Windows or UNIX Syslog Server.

Copyright Notice

This document is Copyright © 2002-2019 Michael Steele. All rights reserved. Permission to distribute this document is hereby granted providing that distribution is electronic, no money is involved, and this copyright notice is maintained. Other requests for distribution will be considered.

Use the information in this document at your own risk. Michael Steele disavows any potential liability of this document. Use of the concepts, examples, and/or other content of this document are entirely at your own risk.

This guide is written in the hope that it will be useful, but without any warranty; without even the implied warranty of merchantability or fitness for a particular purpose.

All copyrights are owned by their owners, unless specifically noted otherwise. Third party trademarks or brand names are the property of their owners. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark. Naming of particular products or brands should not be seen as endorsements.

Support Questions and Help

All support questions related to this specific tutorial MUST be directed to the specific forum for which this Windows Intrusion Detection System (WinIDS) tutorial resides!

By request, there is a premium fee service available for one on one support.

If you have not acquired this tutorial directly from the winsnort.com website, then you most likely do not have the latest revision of this tutorial!

How to use this guide

This installation is based on the installer being logged on with 'Administrator' privileges for the entire installation.

The Windows Intrusion Detection System (WinIDS) will fail if the default installation path is not Implemented correctly!

The default installation path noted above is hard coded into this tutorial, and is also hard coded into some of the install scripts. Installers will need to make the appropriate changes in both places if the default installation path is anything other then 'd:\winids', or the support files are located anywhere other than the 'd:\temp' folder.

The Windows Intrusion Detection System (WinIDS) will fail if the default installation path is not Implemented correctly!
  • An existing Windows Intrusion Detection System (WinIDS) using one of the tutorials, either a stand alone Windows Intrusion Detection System (WinIDS), or a remote Windows Intrusion Detection System (WinIDS).
It is important when asked to 'Open a CMD window with Administrator privileges' it is done, or the install will fail.

It is also important when asked to 'Close a CMD window' it is done, or the install will fail.

Note: The user installing this tutorial MUST be a member of the Administrators group.

Note: If the User Account Control dialog box appears at ANY time during this install ALWAYS left-click 'Yes' to continue, or the install will fail.

Instructions on starting a command prompt as an Administrator

In the Windows Search box, type cmd, and then press CTRL+SHIFT+ENTER.


Prepping for the Windows Intrusion Detection System (WinIDS) Tutorial


Assumptions being made prior to starting tutorial

  • An existing Windows Intrusion Detection System (WinIDS) has been installed.
  • A Windows or UNIX Syslog Server has been installed on the remote PC.
  • The IP address is known of the remote PC where the Syslog Server has been installed.
  • The Syslog listening port is known on the remote Syslog Server (suggest 514).
  • The status of listening port for the remote Syslog Server MUST be open for connections.

Testing for an open listening port on the remote Syslog Server

From the Windows Intrusion Detection System (WinIDS) go to the 'You Get Signal' website. Replace the local IP address with the IP Address of the remote Syslog Server in the 'Remote Address' dialog box. In the 'Port Number' dialog box type the listening port number of the remote Syslog Server, and left-click 'Check'.

*** If the above response is closed then do not proceed until the status is open. ***

Configuring the Windows Intrusion Detection System (WinIDS) for Remote Syslog logging


Configuring Snort to include Syslog logging

Open a CMD window with Administrator privileges and type 'notepad2 d:\winids\snort\etc\snort.conf' (less the outside quotes), and tap 'Enter' key.

Use the Find in Notepad2 to locate and change the variables below.
Original Line(s): # output alert_syslog: LOG_AUTH LOG_ALERT
Change to: output alert_syslog: host=SYSLOG_SVR_IP_ADDR:PORT, LOG_AUTH LOG_ALERT

Make SURE the SYSLOG_SVR_IP_ADDR above reflects the IP Address of the remote Syslog server, and the PORT above reflects the listening port of the remote Syslog Server.
Now save the file and eXit Notepad2.

Testing the Snort configuration file

At the CMD prompt type 'd:\winids\snort\bin\snort -W' (less the outside quotes), and tap the 'Enter' key.

The following is a partial example of what might be listed as valid Network Interface Cards.
Index	Physical Address	IP Address
-----	----------------	----------
    1	00:0C:29:25:B4:96	0000:0000:fe80:0000:0000:0000:ad63:31cf
In the above list, the 'Index' number is important, and will need to be remembered for later use in this tutorial. There may be several Network Interface Cards listed, and it will be up to the installer to determine the correct Network Interface Card (Index number) that will be monitoring the Windows Intrusion Detection System (WinIDS).

The switch for the Network Interface Card will always be '-ix' (less the outside quotes), and the 'x' (less the outside quotes) will always represent the 'Index' number of Network Interface Card that will be monitoring the Windows Intrusion Detection System (WinIDS).
At the CMD prompt type 'd:\winids\snort\bin\snort -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -ix -T' (less the outside quotes), and tap the 'Enter' key.

The above run line will require the 'Index' number of the monitoring Network Interface Card added to the 'x' above.

This will start Snort in self-test mode for configuration and rule file testing, and depending on the resources used, and/or available, it could take several minutes to run the self-test mode.

If all the tests are passed, the following is a confirmation that the Snort configuration file and rules have tested good.
Snort successfully validated the configuration!
Snort exiting
Do not proceed until 'Snort successfully validated the configuration!'

Configuring the Snort service run line for the Syslog Server logging

At the CMD prompt type 'net stop snort' (less the outside quotes), and tap 'Enter' key.

At the CMD prompt type 'cd /d d:\winids\snort\bin' (less the outside quotes), and tap 'Enter' key.

At the CMD prompt type 'snort /SERVICE /SHOW' (less the outside quotes), and tap 'Enter' key.

The output display will be the full run line that Snort uses in the startup, and might look like the below:
Snort is currently configured to run as a Windows service using the following command-line parameters:
     -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -i1
At the CMD prompt type 'snort /SERVICE /UNINSTALL' (less the outside quotes), and tap 'Enter' key.

The following is a confirmation that the Snort service was successfully removed from the services database.
 [SNORT_SERVICE] Attempting to uninstall the Snort service.
 [SNORT_SERVICE] Successfully removed registry keys from:
    \HKEY_LOCAL_MACHINE\SOFTWARE\Snort\
 [SNORT_SERVICE] Successfully removed the Snort service from the Services database.
The new Snort auto start configuration line needs to be added that contains the switch to turn on the option to log all events to the Syslog Server.

The Snort run line that should be entered in below should be exactly what was displayed when the snort /SERVICE /SHOW command was ran previously, except adding ' -s' (less the outside quotes) to the end.
At the CMD prompt type 'snort /SERVICE /INSTALL -c d:\winids\snort\etc\snort.conf -l d:\winids\snort\log -i1 -s' (less the outside quotes), and tap the 'Enter' key.

The following as a confirmation that the Snort service was successfully added to the services database.
 [SNORT_SERVICE] Attempting to install the Snort service.
 [SNORT_SERVICE] The full path to the Snort binary appears to be:
D:\winids\snort\bin\snort /SERVICE
 [SNORT_SERVICE] Successfully added registry keys to:
    \HKEY_LOCAL_MACHINE\SOFTWARE\Snort\
 [SNORT_SERVICE] Successfully added the Snort service to the Services database.
At the CMD prompt type 'sc config snortsvc start= auto' (less the outside quotes), and tap the 'Enter' key.

The following as a confirmation that the Snort auto start service has been successfully activated.
[SC] ChangeServiceConfig SUCCESS
At the CMD prompt type 'net start snort' (less the outside quotes), and tap the 'Enter' key.

At the CMD prompt type 'exit' (less the outside quotes), and tap the 'Enter' key.

In Conclusion

At this point, it could take several minutes before seeing events arriving in the remote Syslog Server.

Optional Companion Documents

Be SURE to check out the available 'Companion Add-on Documents' to enhance the Windows Intrusion Detection System (WinIDS) experience.

Updating the Windows Intrusion Detection Systems (WinIDS) Major components


Debugging Installation errors

Check the Event Viewer as most of the support programs will throw FATAL errors into the Windows Application log.

General tutorial issues

For general problem issues that pertain to this specific tutorial, left-click the community support button at the top of this tutorial, or manually navigate to the correct community support forum pertaining to this specific tutorial.

Feedback

I would love to get feedback from you about this tutorial. Any recommendations, or ideas, please leave feedback HERE.

Michael E. Steele | Microsoft Certified System Engineer (MCSE)
Email Support: support@winsnort.com
Snort: Open Source Network IDS - www.snort.org