Enterprise SysLog Manager (ESM)

ESM is a managed network security appliance (a scalable HP server) with a database for the
collection, management and reporting of syslog messages from critical hosts and
network devices.  This includes critical alerts involving security, performance and
availability, and compliance (access and change) reporting.  xDefenders provides
design, deployment, management, monitoring and maintenance services.

Pages 14 to 22 describe and display sample Compliance Reports.

      Five reports are available:

                       User Logon Report
                       User Logoff Report
                       Failed User Logons
                       Object Access Report
                       IPS Summary Report  (Cisco ASA required)

Much of this material was taken from the formal ESM web training class.




                                                                1 of 21                                                            
[Diagram: SYSLOGS -> 5 Minute Correlation -> ALERT: Threshold Exceeded; Compliance Reports; Forensic Query]




Critical Devices such as Database Servers, Domain Controllers, File Servers and Firewalls

Store and Record Syslog Events in a Central Database
    - Manage and save syslogs from multiple devices at a single location
    - Generate syslog event reports
    - Meet Regulatory Requirements and produce Compliance Reports
Monitor Activity
    - Correlation engine running every 5 minutes for threshold assessment
    - Performance monitoring of equipment to study resource utilization
Generate real-time alerts based on activity and user defined thresholds
    - Provides real-time alerts of system failures, possible attacks and vulnerabilities
Comprehensive Search feature
    - Easy-to-use forensic syslog search for suspicious or unusual activity

                                                                          2 of 21                                                            
Group:  a user-defined category that groups devices logically for reporting and alerts (groups are
          defined in the Thresholds section)

Device:  the list of devices from which syslogs have been received

Facility: the syslog facility, i.e. the category of the subsystem on the device that generated the
          message (kern, user, mail, daemon, ...)

Priority: the syslog severity level of the message; the alert rules in the Thresholds section only
          count messages of priority WARNING or higher

Date:   From: date of the oldest syslog in the database        Until:  date of the most recent syslog

Time: time of day in 24-hour (military) format

Program:  the application or process on the device that generated the syslog (for example Cisco-ASA or su)

Status:  status of the event as described by the sending device

Message Contents:   used to search for character strings found in the syslog message

                                                                   3 of 21                                                            
Here is the list of syslogs found, displayed below.




Let's review the Search Screen and fine-tune our search to
eliminate all the Cisco-ASA syslogs.




                                                                 4 of 21                                                            
Select Cisco-ASA from the drop-down list in the Programs selection box.

Click "Exclude" to drop all those records from the search.

That returned 153 syslog messages.




                                                                5 of 21                                                            
Next, let's search for audit policy changes.

An audit policy change is Windows Event ID 612 (on Windows Vista / Server 2008 and later the
equivalent event is ID 4719).  The ID can be found by viewing the syslogs, or from
Appendix A in the Snare User Guide.

You can search for up to 3 different character strings in the message.




You do not need to continue to exclude the Cisco-ASA; the search works either way.


The Search GUI provides a quick and easy forensic search capability.



                                                                 6 of 21                                                            
NEXT – Click  (Compliance) REPORTS

The graph on the upper portion of the screen gives the total syslog count for the last 36
hours and the count of each type of syslog recorded.  The five built-in reports are listed
on the buttons below the graph.  The ESM emails these 5 reports daily to the designated
Administrator.




                                                                 7 of 21                                                            
Select a date range using the From – Until boxes shown

For Example:             Enter 10/27/08 and 10/30/08

Next, select :           Failed Log Ons.


The result is actually a list of matching transactions that looks just like the ESM syslog 
search, as shown on the next page.




                                                                 8 of 21                                                            
Daily Reports (statistics) are generated and emailed to the administrator.

See sample on the next page:




                                                                 9 of 21                                                            
ESM statistics

This email may contain several reports:

- General overview for today and the past three days

-   Compliance report :            Successful logons for yesterday
-   Compliance report :            Unsuccessful logons for yesterday
-   Compliance report :            Logoffs for yesterday
-   Compliance report :            Object changes for yesterday
-   Proprietary report:            IDS/IPS messages for yesterday

NOTE: Reports are only created if corresponding data are available

Statistics for group 'Sample Company':
        ------------------------------------------------------------
        Host '66.666.6.255'

=> Total events
Total     : Value
Today     :    4 * (sugg. threshold: -1)
Yesterday : 1282 ******************************************************************* (sugg. threshold: 4)
2 days ago: 1163 ************************************************************* (sugg. threshold: 4)
3 days ago:    0 (sugg. threshold: -1)

==> Events listed by facility <==
=> Facility "kern" events
Day       : Value
Today     :    0 (sugg. threshold: -1)
Yesterday :    0 (sugg. threshold: -1)
2 days ago:    0 (sugg. threshold: -1)
3 days ago:    0 (sugg. threshold: -1)

=> Facility "user" events
Day       : Value
Today     :    0 (sugg. threshold: -1)
Yesterday :    0 (sugg. threshold: -1)
2 days ago:    0 (sugg. threshold: -1)
3 days ago:    0 (sugg. threshold: -1)

=> Facility "mail" events
Day       : Value
Today     :    0 (sugg. threshold: -1)
Yesterday :    0 (sugg. threshold: -1)
2 days ago:    0 (sugg. threshold: -1)
3 days ago:    0 (sugg. threshold: -1)

=> Facility "daemon" events
Day       : Value
Today     :    0 (sugg. threshold: -1)
Yesterday :    0 (sugg. threshold: -1)
2 days ago:    0 (sugg. threshold: -1)
3 days ago:    0 (sugg. threshold: -1)
        ------------------------------------------------------------
        Host 'monman.sampleco.com'


                                                                10 of 21                                                            
=> Yesterday's successful logons (relevant to GLBA, SOX, HIPAA, PCI standards): 3
2008-12-03 06:27:04     su[7354]: Successful su for nobody by root
2008-12-03 06:27:04     su[7356]: Successful su for nobody by root
2008-12-03 06:27:04     su[7358]: Successful su for nobody by root

        ------------------------------------------------------------
        Host '66.666.6.255'
=> Yesterday's IDS/IPS messages (proprietary extension): 731
2008-12-03 01:04:46     %ASA-3-400023: IDS:2150 ICMP fragment from 10.100.7.53 to DNS1 on interface external
2008-12-03 01:04:46     %ASA-3-400023: IDS:2150 ICMP fragment from 10.100.7.53 to DNS1 on interface external
2008-12-03 01:04:46     %ASA-3-400023: IDS:2150 ICMP fragment from 10.100.7.53 to DNS1 on interface external
2008-12-03 01:04:46     %ASA-3-400023: IDS:2150 ICMP fragment from 10.100.7.53 to DNS1 on interface external
2008-12-03 01:04:46     %ASA-3-400023: IDS:2150 ICMP fragment from 10.100.7.53 to DNS1 on interface external
2008-12-03 01:04:46     %ASA-3-400023: IDS:2150 ICMP fragment from 10.100.7.53 to DNS1 on interface external
2008-12-03 01:04:46     %ASA-3-400023: IDS:2150 ICMP fragment from 10.100.7.53 to DNS1 on interface external
2008-12-03 01:04:46     %ASA-3-400023: IDS:2150 ICMP fragment from 10.100.7.53 to DNS1 on interface external
2008-12-03 01:04:46     %ASA-3-400023: IDS:2150 ICMP fragment from 10.100.7.53 to DNS1 on interface external
2008-12-03 02:38:02     %ASA-3-400023: IDS:2150 ICMP fragment from 10.100.7.78 to DNS1 on interface external
2008-12-03 02:38:02     %ASA-3-400023: IDS:2150 ICMP fragment from 10.100.7.78 to DNS1 on

                               (All 731 not shown here, but are in actual report)




                                                               11 of 21                                                            
What are Thresholds?

Threshold settings determine when and if an email notification is generated.
A threshold is the maximum number of times an event may occur in any 5-minute window without a warning being sent.
Thresholds are assigned by category, such as Facility, Priority and Program.

How are Thresholds set?   Per device and/or per user-defined group of devices, AND per category:
Priority level, Program, Facility, or a Custom (user-defined) event.

Custom Thresholds feature: the ability to define a custom event based on the contents of the syslog
message.

Setting Thresholds:

Threshold settings determine when and if an email notification is generated.   The default settings produce NO
alerts, so nothing is sent until thresholds have been configured.
  1.  Determine the events that should cause an email to be sent to the administrator, such as:
                      Emergency
                      High incidence of critical events
                      High incidence of events from the firewall
                      A user-specific threshold based on the syslog contents

   2.  Determine whether alerts or searches will be needed per group in addition to per device.
         If so, create the groups before setting thresholds.

When are Alerts sent?

       1.      New Event Alert
               Events are priority WARNING or higher
                      AND
               Count of events in the last 5 minutes exceeds the threshold count

       2.      Increased Event Alert
               Events are priority WARNING or higher
                      AND
               Count of events in the last 5 minutes is more than double the previous 5-minute count
                      AND
               Count is greater than 80% of the threshold value
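The two alert rules above, as an added example that is not part of the original page or of the ESM product: a small correlation pass in Python that counts WARNING-or-higher events per (device, program) over the current and the previous 5-minute window and applies the New Event Alert and Increased Event Alert tests. The grouping key, the threshold values, the reading of -1 (as printed in the daily report) as "no threshold", and every sample event are assumptions constructed for this example.

```python
"""Added example, not ESM's own correlation engine: applies the two alert
rules (New Event Alert, Increased Event Alert) to 5-minute windows.
The event layout, the (device, program) grouping key, the threshold values
and every sample event are constructed assumptions for this example."""
from collections import Counter
from datetime import datetime, timedelta

# Standard syslog severity numbers; "WARNING or higher" means a value <= 4.
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}
WINDOW = timedelta(minutes=5)
DISABLED = -1   # assumption: -1, as printed in the daily report, means "no threshold"


def alertable(event):
    """Only events of priority WARNING or higher count toward a threshold."""
    return SEVERITY[event["priority"]] <= SEVERITY["warning"]


def count_window(events, start, end):
    """Count alertable events per (device, program) with start < ts <= end."""
    counts = Counter()
    for ev in events:
        if start < ev["ts"] <= end and alertable(ev):
            counts[(ev["device"], ev["program"])] += 1
    return counts


def evaluate(events, thresholds, now):
    """Return (kind, key, current, previous, threshold) for every alert that
    the 5-minute window ending at `now` should raise."""
    current = count_window(events, now - WINDOW, now)
    previous = count_window(events, now - 2 * WINDOW, now - WINDOW)
    alerts = []
    for key, limit in thresholds.items():
        if limit == DISABLED:
            continue
        cnt, prev = current[key], previous[key]
        if cnt > limit:                               # rule 1: count exceeds threshold
            alerts.append(("New Event Alert", key, cnt, prev, limit))
        elif cnt > 2 * prev and cnt > 0.8 * limit:    # rule 2: sharp rise near threshold
            alerts.append(("Increased Event Alert", key, cnt, prev, limit))
    return alerts


def make_events(device, program, priority, n, first, spacing_s):
    """Constructed sample events: n events, spacing_s seconds apart, from `first`."""
    return [{"device": device, "program": program, "priority": priority,
             "ts": first + timedelta(seconds=i * spacing_s)} for i in range(n)]


NOW = datetime(2008, 12, 3, 1, 10, 0)
PREV_START = NOW - 2 * WINDOW + timedelta(seconds=1)   # inside the previous window
CUR_START = NOW - WINDOW + timedelta(seconds=1)        # inside the current window

SAMPLE_EVENTS = (
    # firewall: 20 errors in the previous window, 60 in the current one
    make_events("fw1", "Cisco-ASA", "err", 20, PREV_START, 10)
    + make_events("fw1", "Cisco-ASA", "err", 60, CUR_START, 4)
    # domain controller: 10 warnings, then 45 (more than double, above 80% of 50, under 50)
    + make_events("dc1", "Snare", "warning", 10, PREV_START, 20)
    + make_events("dc1", "Snare", "warning", 45, CUR_START, 6)
    # file server: a burst of 200 events, but at priority info they never count
    + make_events("fs1", "smbd", "info", 200, CUR_START, 1)
)
THRESHOLDS = {("fw1", "Cisco-ASA"): 50, ("dc1", "Snare"): 50,
              ("fs1", "smbd"): 10, ("mail1", "postfix"): DISABLED}

if __name__ == "__main__":
    for kind, key, cnt, prev, limit in evaluate(SAMPLE_EVENTS, THRESHOLDS, NOW):
        print(f"{kind}: {key[0]}/{key[1]} {cnt} events (previous {prev}, threshold {limit})")
```

Because only WARNING-or-higher events are counted, a flood of info-level messages never alerts however large it is, and with no thresholds configured nothing alerts at all; that is why step 1 above (deciding which events matter) has to come first. Note also that "exceeds" is strict: a count equal to the threshold does not raise a New Event Alert, though the rise rule may still fire.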




                                                                  12 of 21                                                            
Here is a sample SQL query, looking for records with a specific error message within a 
specific time frame:
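The search steps on pages 4 to 6 (exclude the Cisco-ASA program, match up to three strings in the message) and the sample SQL query on this page (a specific error message within a time frame) all reduce to one parameterised query over the stored syslog fields. The following is an added example written for this page, not ESM's own code, schema or query: it loads a few constructed records into an in-memory SQLite table whose layout and column names are assumptions, then runs each of those searches against it.

```python
"""Added example, not ESM's own code or schema: a miniature syslog store
with the Search screen's fields, queried the way the search steps and the
'sample SQL query' page describe. The table layout, column names and every
sample record are constructed assumptions for this example."""
import sqlite3

SCHEMA = """
CREATE TABLE syslog (
    device   TEXT NOT NULL,   -- sending host
    facility TEXT NOT NULL,   -- syslog facility (kern, user, mail, daemon, ...)
    priority TEXT NOT NULL,   -- syslog severity name
    program  TEXT NOT NULL,   -- generating application, e.g. Cisco-ASA
    ts       TEXT NOT NULL,   -- 'YYYY-MM-DD HH:MM:SS'; sorts correctly as text
    message  TEXT NOT NULL
)
"""

# Constructed sample records: (device, facility, priority, program, ts, message).
SAMPLE_RECORDS = [
    ("fw1", "local4", "err", "Cisco-ASA", "2008-12-03 01:04:46",
     "%ASA-3-400023: IDS:2150 ICMP fragment from 10.100.7.53 to DNS1 on interface external"),
    ("fw1", "local4", "err", "Cisco-ASA", "2008-12-03 02:38:02",
     "%ASA-3-400023: IDS:2150 ICMP fragment from 10.100.7.78 to DNS1 on interface external"),
    ("monman.sampleco.com", "auth", "info", "su", "2008-12-03 06:27:04",
     "su[7354]: Successful su for nobody by root"),
    ("dc1", "user", "notice", "Snare", "2008-12-03 09:15:10",
     "Security: Event ID 612 Audit Policy Change by ADMIN\\jsmith"),
    ("dc1", "user", "warning", "Snare", "2008-12-03 09:16:02",
     "Security: Logon Failure for user ADMIN\\jsmith, bad password"),
]

MAX_STRINGS = 3  # the Search screen accepts at most three message strings


def load_store(records=SAMPLE_RECORDS):
    """Create an in-memory store holding the constructed records."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO syslog VALUES (?, ?, ?, ?, ?, ?)", records)
    conn.commit()
    return conn


def build_query(exclude_program=None, contains=(), date_from=None, date_until=None):
    """Translate Search-screen criteria into parameterised SQL.

    contains: up to three literal strings that must ALL appear in the message
    (AND is an assumption; the page only says three strings may be given).
    instr() is used instead of LIKE so that '%' and '_' in a search string,
    e.g. '%ASA-3-400023', are matched literally rather than as wildcards.
    """
    if len(contains) > MAX_STRINGS:
        raise ValueError(f"at most {MAX_STRINGS} search strings")
    where, params = [], []
    if exclude_program:                     # the "Exclude" button
        where.append("program <> ?")
        params.append(exclude_program)
    for s in contains:                      # Message Contents field(s)
        where.append("instr(message, ?) > 0")
        params.append(s)
    if date_from:                           # From / Until boxes
        where.append("ts >= ?")
        params.append(date_from)
    if date_until:
        where.append("ts <= ?")
        params.append(date_until)
    sql = "SELECT device, program, ts, message FROM syslog"
    if where:
        sql += " WHERE " + " AND ".join(where)
    return sql + " ORDER BY ts", params


def search(conn, **criteria):
    """Run a Search-screen query and return the matching rows, oldest first."""
    sql, params = build_query(**criteria)
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    conn = load_store()
    # Drop the Cisco-ASA records, then look for audit policy changes (Event ID 612).
    for row in search(conn, exclude_program="Cisco-ASA", contains=("612",)):
        print(row)
    # The "sample SQL query": a specific error message within a time frame.
    print(search(conn, contains=("ICMP fragment",),
                 date_from="2008-12-03 01:00:00", date_until="2008-12-03 02:00:00"))
```

Two details matter for a search box that accepts free text: every value is bound as a parameter, so nothing typed into Message Contents can alter the query, and matching uses instr() rather than LIKE, because a LIKE pattern would treat the leading % of %ASA-3-400023 as a wildcard and quietly match every row.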




                                                                13 of 21                                                            
                                    Compliance Reports Package


Five reports are available:

                  User Logon Report
                  User Logoff Report
                  Failed User Logons
                  Object Access Report
                  IPS Summary Report  (Cisco ASA required)




                                                          14 of 21                                                            
Summary Reports

                        For all devices
                        For a user-defined group
                        For a single device/host

Display Top Users and Top Hosts for each report type:   Top 10, 25, 50, 100, 500, 1000

      View:              Screen display, printed report or file on disk




                                                                15 of 21                                                            
(Pages 16 to 21 are screenshots of the sample compliance reports and are not reproduced in this text copy.)

				