
McAfee Enterprise Security Manager Data Source Configuration Guide

Data Source: McAfee (Nitro) SIEM Collector

August 15, 2013


Important Note:

The information contained in this document is confidential and proprietary.

Please do not re-distribute without permission.


McAfee (Nitro) SIEM Collector Product Evaluation Kit Page 3 of 19

Table of Contents

1   Revision History
1.1   Revision Details
2   Introduction
3   Prerequisites
4   SIEM Collector Installation
4.1   SIEM Collector Installation
4.2   Receiver Configuration
4.3   Initial Agent Configuration
5   Data Source Configuration Details
5.1   Windows Server DNS Logs
5.2   Windows Server DHCP Logs
5.3   Windows Server IIS Logs
6   Troubleshooting


1 Revision History

1.1 Revision Details

Revision   Author            Date              Description
1.0        Brian B. Brown    May 21, 2012      Initial template
1.11       Craig A. Simon    July 22, 2013
1.2        Craig A. Simon    August 15, 2013   Text edits and corrections.


2 Introduction

When using the McAfee SIEM to collect Microsoft Windows events, there are two main methods of collection available: WMI and an agent. Most customers use WMI as the main collection protocol, as it requires little change to the existing environment. It only requires a privileged account that can access the logs on the remote Windows servers and collect the events from those log files remotely.

However, there are cases where an agent is the most effective solution for log collection. In some instances this is due to limited connectivity: in environments that use a secure enclave, firewall rules will NOT allow connectivity into the enclave, but generally will allow limited access from devices within the enclave to connect out. Other situations where the agent is useful are where the target events we want to import into the SIEM are not accessible via WMI: many logs introduced in Microsoft Windows 2008/Vista or later cannot be read via WMI. This is the use case we will explore in this paper.

Our purpose is to properly install and configure the SIEM Collector for both local and remote log collection. We will look at local log collection for the case where an end user wants to install the agent on each server from which logs will be collected. A remote configuration allows one agent to collect from itself and from other hosts via remote logins and UNC paths.

Once the agent is installed and running, the rest of the document will cover how to create an agent configuration and data source configuration for the following data sources:

Windows DNS Server

Windows DHCP Server

Windows IIS Server Logs

3 Prerequisites

To install the McAfee SIEM Collector, you will require the following:

1. Windows servers running Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012. All editions are supported.

2. 256 MB of additional RAM for the agent.

3. At least 1 GB of disk space for the agent files.

4. Local or Domain administrative rights on the servers the agent will run on or communicate with.

5. Any additional requirements needed to allow connectivity, e.g. firewall rules, HIPS exclusions, etc.

You will need to download the agent installer. The download can be accessed at the McAfee download site at the following URL http://www.mcafee.com/us/downloads/downloads.aspx or at the download site for your specific country.

You will need to provide your grant number to gain access to the downloads. Once there, you will be able to download the McAfee SIEM Collector. At the time of this writing, the current version is 9.1.1.

The agent installer is available in two forms: a setup executable, and an .msi file to support automated deployment. The manual setup mode is used in this document; if you would like to push the agent, review the agent readme for the supported installation flags and options.


4 SIEM Collector Installation

4.1 SIEM Collector Installation

First, we will install the SIEM Collector on one or more hosts that require its services. To start the installation, double click the agent installer executable, which launches the installer.

If you have not installed .NET 3.5 you will receive a message telling you to install .NET before continuing.

To install .NET on Windows Server 2008/R2, start the Add Features Wizard and select the .NET Framework 3.5.1 Features check box. This also requires additional role services and features; click the Add Required Role Services button to continue, then click Next. The setup will then ask you to configure the services for IIS; accept the defaults and click Next, then confirm the installation by clicking the Install button.

It is recommended that you apply any needed patches to the server and reboot before continuing.

1. Double click the installer executable to begin installation.

2. Please read the installation overview and click next to continue.

.NET 3.5 is required for the Agent. On Windows Server 2008 and 2012 you will need to install the .NET Framework 3.5.1 Features.


3. Read the license agreement and click I Agree to continue.

4. Confirm your installation directory and click next to continue.

5. Now you will see the McAfee Event Receiver Configuration screen. In this window you configure the agent to communicate with a specific receiver. Type the IP address of the receiver that you would like this agent to forward its events to. You can also change the port and whether the agent will use SSL to communicate with the receiver. Note the settings used here, as we will use them to configure the receiver in the next section.

6. When you click Next, the agent will be installed.

4.2 Receiver Configuration

Now that we have the agent installed on one or more hosts, we need to allow agent communications to the receiver(s). The default configuration of a receiver has a fully enabled firewall; when we enable agent communications, the receiver modifies its firewall configuration accordingly. This is done within NitroView, the client application of the SIEM. First launch NitroView and authenticate to your SIEM with an administrative account.

1. Select the receiver that you would like to enable.


2. Click Properties on the menu for the receiver. Properties is the upper-left-most white button in the UI.

3. Once in the Receiver Properties window, select the Receiver Configuration tab, and then click the Interface button.

4. Now select the Communication tab. You can enter a port number that the receiver will listen on for all agent communications. The default MEF (McAfee Event Format) port is 8081; any value can be used as long as it does not conflict with anything else in the system.

5. Enter your chosen port and click OK, and OK a second time to return to the main NitroView screen.

6. You will need to perform these steps on any other receivers in your environment.

7. Next, we need an initial data source that identifies the agent to the receiver. To do this we will configure a data source for the agent itself.

8. Click the plus icon in the upper right corner of the NitroView screen. The plus icon is not displayed unless you have your receiver selected, as shown below.

9. Once in the Add Data Source dialog we can add the data source to the receiver.

a. In the Data Source Vendor pull down select Microsoft.

b. In the Data Source Model pull down select WMI Event Log.

c. In the Data Retrieval pull down select MEF (McAfee Event Format).


d. Now we need to fill out the remaining two fields, Name and IP address. The name is for your use only, so it can be almost anything. For the IP address, use the address of the host that will run the agent.

e. The state of the Use Encryption checkbox must match the setting made in the agent configuration below. If you configure your agent to use encryption then this checkbox must also be checked.

f. Click OK, then write your data source to the receiver and roll out the policy.

4.3 Initial Agent Configuration

We will now set up an initial configuration for the agent, which will allow us to collect the standard Windows log files, both locally and remotely.

1. Launch the SIEM Collector Management Utility (SCMU) by navigating to Start / All Programs / McAfee / Event Collector Management Utility.

2. Select the receiver node on the left, and confirm the receiver IP address and port value. Make any changes as necessary.

3. Select the Event Collector node on the left panel. Right click on the Event Collector node and click on Add Group.

Note: Why do we have both IP address and Host ID fields? When we create a data source on a receiver, a single data source can have only one IP address, and that IP address can be used only once on a receiver. Consider the case where a customer wants to collect Windows Server events via WMI, and then also wants to use an agent to collect DNS and DHCP server logs from the same server. That will not work using IP addresses alone, since all three data sources would have the same source IP address. That is where the Host ID field comes into play. You can create a data source without an IP address and instead use the Host ID field as a free-form ID to identify the source. For example, you could create host IDs with the values dns_dc1.mydomain.com and dhcp_dc1.mydomain.com, then use those values in the data source configuration, NOT the IP address.


4. A group is a container object that holds hosts. One or more hosts can be added to a group to ease management of agents that remotely collect events from many hosts. For this example we will create a group called Local Server and another one called Remote Servers.

5. Once you have clicked the Add Group button, your group object will be created, and the properties of the group will be displayed in the right-hand panel.

6. On this screen you can change the name of your new group, and the credentials that will be used for collection. Once your settings match those in the image above, click Apply.

7. Now right click on your newly created group, and click on Add Host.

8. In the host properties on the right, type the DNS name or IP address of the host we will be collecting events from. Then press the <TAB> key, which enables the New Configuration and Edit Configuration fields below. In this example I am using the FQDN of my server.

9. Pull down the New Configuration menu and select Windows Event Log. That enables the Configuration Name field and the list of logs found on the local server. You will need to give this configuration a name in order to save it. You also need to select one or more log files to be collected and parsed. In this example I am using the configuration name Local Windows Logs, and I have selected the standard three logs to collect: Application, System, and Security.


10. Once your agent configuration is complete, click the Save button.

11. Now right click on the group you created and select Enable Group. This enables the group and all hosts contained within it. Then click Apply, which writes out the new configuration and restarts the service.

5 Data Source Configuration Details

5.1 Windows Server DNS Logs

Assumptions – To collect Windows DNS server logs, you will need a properly functioning SIEM Collector. It is assumed that you have followed the preceding instructions and have tested your SIEM Collector to ensure that communications are working properly.


Requirements - As the Windows DNS Server runs, it posts some events into the Windows Event Logs, such as performance data for the server. The data that we are interested in, however, is never stored in the Windows Event Logs. We therefore need to modify the Windows Server configuration to create a plain text log file that contains all DNS requests. It is this log file that will be parsed by the McAfee SIEM Agent. First we will configure the server to create the needed log.

1. To enable Windows Server DNS debug logging, in Server Manager open Roles / DNS Server / DNS / <SERVER NAME>, then right click on the server name and select Properties.

2. Click on the Debug Logging tab.

a. Click the check box for Log packets for debugging. Make sure that the next eight checkboxes are selected.

b. Lastly you need to set a location and file name for the log. I created a logs directory under c:\windows\system32\dns, so my final path and name settings are as shown.

c. Then click OK to commit your changes, which take effect immediately. To confirm that you are now logging correctly, look at the log file you specified above. As an example, a DNS request for bing.com may result in the following events.

i. 12/27/2012 11:49:36 AM 0634 PACKET 0000000002899210 UDP Rcv ::1 2cbd Q [0001 D NOERROR] A (3)www(4)bing(3)com(0)

ii. 12/27/2012 11:49:36 AM 0634 PACKET 0000000002AD9210 UDP Snd 10.0.2.1 ae7d Q [1001 D NOERROR] A (3)www(4)bing(3)com(0)

iii. 12/27/2012 11:49:36 AM 0634 PACKET 0000000002941170 UDP Rcv 10.0.2.1 ae7d R Q [9081 DR NOERROR] A (3)www(4)bing(3)com(0)

iv. 12/27/2012 11:49:36 AM 0634 PACKET 0000000002899210 UDP Snd ::1 2cbd R Q [8081 DR NOERROR] A (3)www(4)bing(3)com(0)

3. Now we can configure the agent to read and parse the newly created log file. In this example, we will be using a remote machine to read the logs off our Domain Controller.

a. First start the Event Collector Management Utility (ECMU).

b. Create or select a group to host our new data source. Then right click on the group and select Add Host.


c. From the new host window, type in the Domain Controller FQDN or IP address.

d. Under the Logs section select New Configuration / Generic Log Tail. Then name the configuration and fill out the rest of the options as shown below.

e. Once your configuration is correct, click the Save button.

4. To create a Data Source on the receiver, follow these steps

a. Select your receiver and then click on the plus button to create a new data source.

b. Select the data source vendor of Microsoft and the model as Windows DNS (ASP).

c. Select the format of Default and the data retrieval of MEF.

What is this Event Delimiter field and how do I use it? The event delimiter is a regular expression that the agent uses to determine where one event stops and the next one starts. It is therefore very important that you use the proper delimiter for your specific operating system.

For Windows 2003: ^\d{8}\s+\d{1,2}:\d{1,2}:\d{1,2}\s+\d+\s+PACKET

For Windows 2008: ^(?:\d{1,2}\/){2}\d{4}

Since my DNS server is Windows 2008 R2, I have selected the 2008 pattern above.


d. Select the parsing and logging options as you require.

e. The name and IP address of the source need to be added to the proper fields.

f. Then select the use encryption checkbox so that it matches the setting of the agent.
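The following is an added example and is not part of the original guide or of the McAfee collector. It is a small Python parser that applies the two delimiter patterns from the box above (with the stray ".EN_US" fragments of the extracted text removed) to the four sample lines from step 2, turns each event into fields, and decodes the length-prefixed name (3)www(4)bing(3)com(0) back to www.bing.com. The sample input is constructed from the guide's lines plus a made-up header line that stands in for the header Windows writes at the top of a new debug log; the field names are my own. It also shows the failure mode to check for: the 2003 pattern expects an eight-digit date with no separators, so on a 2008 R2 log it finds no boundaries, the whole file becomes one unparseable event, and you get zero records rather than an error.

```python
import re
from typing import Dict, List

# The two delimiters from the guide, with the ".EN_US" extraction debris removed.
# A delimiter marks the START of an event; it is applied at line starts, which is
# how a log tailer cuts a growing file into events before sending them to the receiver.
EVENT_DELIMITERS = {
    "2003": re.compile(r"^\d{8}\s+\d{1,2}:\d{1,2}:\d{1,2}\s+\d+\s+PACKET", re.MULTILINE),
    "2008": re.compile(r"^(?:\d{1,2}/){2}\d{4}", re.MULTILINE),
}

# Fields of a PACKET line in the order the guide's sample shows them (field names are mine):
# date time thread PACKET packet-ptr proto direction remote xid [R] opcode [flags] qtype qname
PACKET_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+\s+[AP]M)\s+(?P<thread>[0-9A-F]{4})\s+PACKET\s+"
    r"(?P<packet>[0-9A-F]+)\s+(?P<proto>UDP|TCP)\s+(?P<direction>Rcv|Snd)\s+"
    r"(?P<remote>\S+)\s+(?P<xid>[0-9a-f]{4})\s+(?P<response>R?)\s*(?P<opcode>\S)\s+"
    r"\[(?P<flags_hex>[0-9a-f]{4})\s+(?P<flags>.*?)\s+(?P<rcode>\w+)\]\s+"
    r"(?P<qtype>\S+)\s+(?P<qname>\S+)$"
)

# Constructed sample: a made-up header line standing in for the header Windows writes
# when it creates the log, followed by the four lines the guide shows for www.bing.com.
SAMPLE_DNS_DEBUG_LOG = (
    "DNS Server log file creation at 12/27/2012 11:40:00 AM\n\n"
    "12/27/2012 11:49:36 AM 0634 PACKET 0000000002899210 UDP Rcv ::1 2cbd Q [0001 D NOERROR] A (3)www(4)bing(3)com(0)\n"
    "12/27/2012 11:49:36 AM 0634 PACKET 0000000002AD9210 UDP Snd 10.0.2.1 ae7d Q [1001 D NOERROR] A (3)www(4)bing(3)com(0)\n"
    "12/27/2012 11:49:36 AM 0634 PACKET 0000000002941170 UDP Rcv 10.0.2.1 ae7d R Q [9081 DR NOERROR] A (3)www(4)bing(3)com(0)\n"
    "12/27/2012 11:49:36 AM 0634 PACKET 0000000002899210 UDP Snd ::1 2cbd R Q [8081 DR NOERROR] A (3)www(4)bing(3)com(0)\n"
)


def split_events(text: str, windows_version: str) -> List[str]:
    """Cut the log into events at every line where the chosen delimiter matches."""
    starts = [m.start() for m in EVENT_DELIMITERS[windows_version].finditer(text)]
    if not starts:
        # Wrong delimiter for this OS: no boundaries, so the whole text is one "event"
        return [text.strip()] if text.strip() else []
    if starts[0] != 0:
        starts.insert(0, 0)  # leading fragment: file header, or the tail of a rotated file
    ends = starts[1:] + [len(text)]
    return [text[a:b].strip() for a, b in zip(starts, ends) if text[a:b].strip()]


def decode_qname(encoded: str) -> str:
    """'(3)www(4)bing(3)com(0)' -> 'www.bing.com', checking each label length on the way."""
    labels = []
    for length, label in re.findall(r"\((\d+)\)([^(]*)", encoded):
        if len(label) != int(length):
            raise ValueError(f"label length mismatch in {encoded!r}")
        if int(length):
            labels.append(label)
    return ".".join(labels)


def parse_packet(event: str) -> Dict[str, object]:
    # With the Details option enabled each event carries extra lines under the PACKET
    # line; they stay attached to the event and only the first line is parsed here.
    m = PACKET_RE.match(event.split("\n", 1)[0])
    if not m:
        raise ValueError(f"not a DNS debug PACKET line: {event!r}")
    rec: Dict[str, object] = m.groupdict()
    rec["response"] = m.group("response") == "R"   # 'R' marks a response, blank a query
    rec["qname"] = decode_qname(m.group("qname"))
    return rec


def parse_dns_debug_log(text: str, windows_version: str = "2008") -> List[Dict[str, object]]:
    """Header fragments and anything else that is not a PACKET line are skipped, so a wrong
    delimiter shows up as zero records, not as an error: check the count, not just the log."""
    events = split_events(text, windows_version)
    return [parse_packet(e) for e in events if PACKET_RE.match(e.split("\n", 1)[0])]


def client_queries(records: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Queries received from clients: the client-IP -> name pairs a SIEM correlates on."""
    return [r for r in records if r["direction"] == "Rcv" and not r["response"]]


if __name__ == "__main__":
    for r in client_queries(parse_dns_debug_log(SAMPLE_DNS_DEBUG_LOG)):
        print(f"{r['date']} {r['time']} client={r['remote']} {r['qtype']} {r['qname']}")
```

Run as a script it prints the one client query in the sample (::1 asking for www.bing.com); the Snd lines and the responses are the server's own forwarding traffic, which is why client_queries filters on direction and the response flag. If you enable the Details option on the Debug Logging tab, each event grows extra lines below the PACKET line; because the delimiter only matches at the start of a date line, those lines stay with their event, and the parser reads only the first line.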

5.2 Windows Server DHCP Logs

Assumptions – To collect Windows DHCP server logs, you will need a properly functioning SIEM Collector. It is assumed that you have followed the preceding instructions and have tested your SIEM Collector to ensure that communications are working properly.

First you must confirm that the Windows DHCP server is logging events to a local log file that we can parse with the McAfee Agent. To confirm the setting, open the DHCP management console, expand your server, right click on the IPv4 node and select Properties, then on the General tab confirm that Enable DHCP audit logging is checked.


The default location for the audit logs is c:\windows\system32\dhcp

To configure the SIEM Collector, perform the following steps:

1. Open the McAfee SIEM Collector Management Utility and navigate to the group you have created.

2. Right click on the group and create a host if necessary.

3. Once the host is selected, fill out the rest of the form as shown below:

a. Host Name / IP – The host you are currently configuring.

b. Under new configuration, select Generic Log Tail.

c. Data Source IP – The IP address of the host where the DHCP logs live.

d. Log Directory – Generally the default path is c:\windows\system32\dhcp

e. Log File – Using the wildcard dhcp*.log allows the IPv4 and IPv6 log files to be collected and parsed.

f. Tail Mode – Beginning of file

4. To create the Data Source on the Receiver, follow the steps below:

i. Select your receiver and then click on the plus button to create a new data source.

ii. Select the data source vendor of Microsoft and the model as Windows DHCP (ASP).

iii. Select the format of Default and the data retrieval of MEF.

iv. Select the parsing and logging options as you require.

v. The name and IP address of the source need to be added to the proper fields.

vi. Then select the use encryption checkbox so that it matches the setting of the agent.

5. Once the agent and receiver settings are correct, go to the agent configuration, enable the group and server if they are disabled, and then start the agent.

6. Once the receiver receives DHCP events, you will start to see events being ingested into the SIEM.
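As an added example, not part of the original guide or of the McAfee product, the following Python reads a DHCP audit log the way the Generic Log Tail configuration above will see it: it skips the free-text legend Microsoft writes at the top of each DhcpSrvLog-<Day>.log file, takes the column names from the ID,Date,Time,... header line, and tags each record with the meaning of its event ID (the meanings are the ones from that legend). It also checks that the guide's dhcp*.log wildcard really covers both the IPv4 and the IPv6 file names, which start with an upper-case D; Windows matches file names case-insensitively, so it does. The sample log is constructed in the 2008 R2 layout with made-up addresses, MACs and descriptions, and the lease-failure filter (IDs 13, 14 and 15) is my own choice of what is worth alerting on.

```python
import csv
import fnmatch
from typing import Dict, List

# Event IDs and meanings from the legend Microsoft writes at the top of every DHCP
# audit log (subset; the file itself carries the full table).
DHCP_EVENT_MEANING = {
    "00": "log started", "01": "log stopped", "02": "log paused (low disk space)",
    "10": "new lease", "11": "lease renewed", "12": "lease released",
    "13": "address found in use on network",
    "14": "request could not be satisfied (scope exhausted)",
    "15": "lease denied", "16": "lease deleted", "17": "lease expired",
    "20": "BOOTP address leased",
    "30": "DNS update request", "31": "DNS update failed", "32": "DNS update successful",
}
# Conflicts, exhaustion and denials: the records a SIEM rule for DHCP starvation keys on (my choice)
LEASE_FAILURE_IDS = {"13", "14", "15"}

# Constructed sample in the layout of a 2008 R2 DhcpSrvLog-<Day>.log: a free-text legend,
# then the CSV header (note the stray spaces and trailing period), then one record per line.
SAMPLE_DHCP_AUDIT_LOG = """\
\t\tMicrosoft DHCP Service Activity Log

Event ID  Meaning
00\tThe log was started.
10\tA new IP address was leased to a client.
14\tA lease request could not be satisfied because the scope's address pool was exhausted.

ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name, TransactionID, QResult,Probationtime, CorrelationID,Dhcid.
00,12/27/12,11:45:01,Started,,,,,0,6,,,
10,12/27/12,11:49:36,Assign,10.0.2.50,ws01.mydomain.com,005056A1B2C3,,1234567890,0,,,
11,12/27/12,11:52:10,Renew,10.0.2.50,ws01.mydomain.com,005056A1B2C3,,1234567891,0,,,
14,12/27/12,11:55:00,Scope Full,,,0050560000FF,,1234567892,0,,,
"""


def matches_collector_wildcard(file_name: str, pattern: str = "dhcp*.log") -> bool:
    """The agent runs on Windows, where names are case-insensitive, so dhcp*.log also
    catches DhcpSrvLog-Mon.log and DhcpV6SrvLog-Mon.log."""
    return fnmatch.fnmatchcase(file_name.lower(), pattern.lower())


def parse_dhcp_audit_log(text: str) -> List[Dict[str, str]]:
    lines = text.splitlines()
    for index, line in enumerate(lines):
        if line.startswith("ID,Date,Time"):
            header = [h.strip().rstrip(".") for h in line.split(",")]
            break
    else:
        raise ValueError("no 'ID,Date,Time,...' header line: not a DHCP audit log")
    records: List[Dict[str, str]] = []
    for row in csv.reader(lines[index + 1:]):
        if not row:
            continue  # blank line
        record = dict(zip(header, row))
        record["Meaning"] = DHCP_EVENT_MEANING.get(record["ID"].zfill(2), "unknown")
        records.append(record)
    return records


def lease_failures(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    return [r for r in records if r["ID"].zfill(2) in LEASE_FAILURE_IDS]


if __name__ == "__main__":
    for r in lease_failures(parse_dhcp_audit_log(SAMPLE_DHCP_AUDIT_LOG)):
        print(f"{r['Date']} {r['Time']} id={r['ID']} mac={r['MAC Address']} {r['Meaning']}")
```

Tail Mode is set to Beginning of file in the configuration above, so on first start the agent sends the legend lines too; a parser that keys on the ID,Date,Time header, as this one does, is what keeps those lines from turning into malformed events.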

5.3 Windows Server IIS Logs

Note: It is important to make sure that your IIS server is logging in W3C Extended format, not the default IIS format. To confirm or set the logging format for your IIS server, open IIS Manager, select your website, then open the Logging feature. Make sure the format is W3C (W3C Extended). Also make sure that all the fields are enabled.

1. First verify the log format and location as detailed above. Once the log format and location are set, you can configure the agent.

a. Create a new group or host as necessary. Then select the new host and add the IP address of the IIS server that you want to receive and parse events from.

b. Under logs, select a Generic Log Tail and then name your configuration. In this example, I have named my configuration IIS.

c. Fill out the fields as shown below:

d. Please note that the path above also includes the W3SVC1 directory. This is required.

2. To then create the data source on the ESM, follow the steps below:

a. First add your data source, with the Vendor Microsoft and the Model Internet Information Services (ASP).

b. Set the Data Format to Default and the Data Retrieval to MEF.

c. Then name the data source, enter the IP address of the host, and select the proper encryption setting based on your agent settings.

d. Set the proper Time Zone for the data source that you have just created and then click OK.

e. Write the Data Source and then push out the new policy.

3. Once your Agent and Data Source settings are complete, you can start the agent service and watch for IIS events to be ingested into the SIEM.

4. Your new events will look similar to these:

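The format note at the top of this section is the thing that most often breaks IIS collection, so here is an added example (not from the original guide or the McAfee product) that makes the difference concrete: a Python parser for W3C Extended logs that takes its column layout from the #Fields: directive, and therefore refuses a file in the native IIS format, which has no such directive and relies on a fixed column order. Both sample files are constructed: the W3C one uses the default IIS 7.5 field set, the native one follows Microsoft's documented column order for that format. Note also that W3C timestamps are written in UTC regardless of the server's local time, which is why the Time Zone setting on the data source in step 2 matters.

```python
from collections import Counter
from typing import Dict, List

# Constructed W3C Extended sample in the shape IIS 7.5 writes with its default field set.
# Timestamps are UTC, so 16:49 here is 11:49 local for a server in US Eastern time.
SAMPLE_W3C_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2012-12-27 16:49:36
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2012-12-27 16:49:36 10.0.2.10 GET /default.aspx - 80 - 10.0.2.77 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 15
2012-12-27 16:49:40 10.0.2.10 GET /admin/login.aspx - 80 - 10.0.2.77 Mozilla/5.0+(Windows+NT+6.1) 401 2 5 3
2012-12-27 16:49:41 10.0.2.10 POST /admin/login.aspx - 80 - 10.0.2.77 Mozilla/5.0+(Windows+NT+6.1) 401 1 0 4
2012-12-27 16:50:02 10.0.2.10 GET /admin/login.aspx - 80 admin 10.0.2.77 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 9
"""

# Constructed sample in the native IIS format: comma separated, fixed column order, local
# time, and no #Fields directive to tell a parser what each column means.
SAMPLE_IIS_NATIVE_LOG = """\
10.0.2.77, -, 12/27/2012, 11:49:36, W3SVC1, WEB01, 10.0.2.10, 15, 250, 1024, 200, 0, GET, /default.aspx, -,
"""


def is_w3c_extended(text: str) -> bool:
    """The check to run on a log directory before pointing the Generic Log Tail at it."""
    return any(line.startswith("#Fields:") for line in text.splitlines())


def parse_iis_w3c(text: str) -> List[Dict[str, str]]:
    """Parse a W3C Extended log, taking the column layout from the #Fields directive."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the field set can change mid-file after a config change
            continue
        if line.startswith("#") or not line.strip():
            continue                   # other directives (#Software, #Date) and blank lines
        if not fields:
            raise ValueError("log data before any #Fields directive: not W3C Extended format")
        values = line.split(" ")       # IIS encodes spaces inside a value as '+'
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def failed_logins_by_client(records: List[Dict[str, str]]) -> Dict[str, int]:
    """401 responses per client IP: the kind of count a SIEM rule keys on once events arrive."""
    return Counter(r["c-ip"] for r in records if r["sc-status"] == "401")


if __name__ == "__main__":
    for sample in (SAMPLE_W3C_LOG, SAMPLE_IIS_NATIVE_LOG):
        print("W3C Extended" if is_w3c_extended(sample) else "not W3C Extended, fix the Logging feature")
    print(dict(failed_logins_by_client(parse_iis_w3c(SAMPLE_W3C_LOG))))
```

The guide's "make sure that all the fields are enabled" is the same point from the other side: the parser on the receiver only sees the columns IIS was told to write, and with a reduced field set values such as c-ip or cs-username are simply absent from every event.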

6 Troubleshooting

1. How do I use the IP address vs Host ID when creating data sources in the McAfee SIEM?

a. It is important to understand the relationship between an IP address and a Host ID. Both simply allow the SIEM to determine where an event originated. However, since a single IP address can be associated with only one data source, when we set up multiple data sources from a single host we need another identifier than the IP address: that is the Host ID. For example, if I were to set up a Windows server that is running both DHCP and DNS, the configuration might look like this.

i. Set up the initial agent and data source using the IP address first. This allows the receiver to modify its firewall and allow all packets from that source into the receiver. So initially I might set the agent to parse the standard Windows logs (System, Application, and Security) and use the system's IP in its data source definition.

ii. Then you can add each additional configuration to the agent; in each successive configuration you will NOT enter an IP address but instead add a Host ID. For example, my Host IDs for my DNS and DHCP servers might be “Server1-DNS” and “Server1-DHCP”.

2. How do I set up debug logging to see what is happening with the agent?

a. When using debug logging to determine what might be causing an issue, I enable debugging on the agent as a whole. Open the Event Collector Management Utility and select the Event Collector node on the left of the display. Move the log level slider all the way to the top, Full Diagnostic, then save your changes. You will now get a debug.log file in the agent directory. Do not run with debugging enabled for too long, as it will quickly consume a lot of disk space.

3. When I originally set up the agent, I thought that I had the configuration correct, but I did not. Now when I restart the agent and try to have it reread and parse my old data it will not; it only reads and parses new data. How do I resolve this?

a. You can delete the bookmark files that tell the agent what it has already parsed.

i. First stop the agent service.

ii. Then delete the bookmark files. By default these are stored here: <AgentHome>\Plugins\<RandomGUID>_log.bookmark

iii. Once the bookmarks are deleted and the agent is restarted, it will reread all the data files that it has already consumed. Note that everything in those files is sent to the receiver again, so expect duplicate events for any data that was already parsed correctly.