Friday, February 3, 2012

Evtsys Part I


Eventlog-to-syslog  was a Purdue university project that has been taken up by Sherwin Faria for Google Code  and recently updated. The project is Windows 7 compliant and helps solve processing audit policies that produce large number of log entries like the commands:

auditpol /set /subcategory:"Filtering Platform Connection" /success:enable /failure:enable
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable

or the all inclusive:

auditpol /set /category:*


To use evtsys, I install Cygwin with syslog on my local Win 7 host, configure as needed /etc/syslog.conf, and start the syslog daemon ('net start syslogd'). Then I install Event-to-syslog, configure evtsys.cfg, start evtsys (-i to install as service or  -d debug mode) and invoke gawk/bash incantations on a messages file to handle queries.  These tools give me several advantages over other tool sets ('Get-winevent','psloglist', 'eventviewer') designed to query Windows events logs: fast, elegant, text based storage and filtering.   Through the  syslog facility, network message passing is possible. The default installation configures as such in the registry where these values can be changed [from Powershell], presumably after restarting the service:

PS C:\Windows\system32> gci registry::HKLM\Software\ECN\EvtSys\

    Hive: HKLM\Software\ECN\EvtSys

Name                           Property
----                           --------
3.0                            Facility       : 3
                               LogHost        : 127.0.0.1
                               LogHost2       :
                               LogHost3       :
                               LogHost4       :
                               Port           : 514
                               StatusInterval : 0
                               QueryDhcp      : 0
                               LogLevel       : 0
                               IncludeOnly    : 0
                               Tag            :
                               MaxMessageSize : 1024
                               EnableTcp      : 0

PS C:\Windows\system32> set-itemproperty -path HKLM:Software\ECN\EvtSys\3.0\ -name Facility -value 5
PS C:\Windows\system32> gci registry::HKLM\Software\ECN\EvtSys


    Hive: HKLM\Software\ECN\EvtSys


Name                           Property
----                           --------
3.0                            Facility       : 5
                               LogHost        : 127.0.0.1
                               LogHost2       :
....

They can also be configured by the command line installation:

PS C:\Windows\system32> evtsys /?
Version: 4.4 (64-bit)
Usage: C:\Windows\system32\evtsys.exe -i|-u|-d [-h host] [-b host] [-f facility] [-p port]
       [-t tag] [-s minutes] [-l level] [-n]
  -i           Install service
  -u           Uninstall service
  -d           Debug: run as console program
  -h host      Name of log host
  -b host      Name of secondary log host
  -f facility  Facility level of syslog message
  -l level     Minimum level to send to syslog.
               0=All/Verbose, 1=Critical, 2=Error, 3=Warning, 4=Info
  -n           Include only those events specified in the config file.
  -p port      Port number of syslogd
  -q bool      Query the Dhcp server to obtain the syslog/port to log to
               (0/1 = disable/enable)
  -t tag       Include tag as program field in syslog message.
  -s minutes   Optional interval between status messages. 0 = Disabled

Default port: 514
Default facility: daemon
Default status interval: 0
Host (-h) required if installing.

Check.c of the 4.0 code shows the conversion table for the facility levels:

/* Facility conversion table */
static struct {
        char * name;
        int id;
} FacilityTable[] = {
        { "auth", SYSLOG_AUTH },
        { "authpriv", SYSLOG_AUTHPRIV },
        { "cron", SYSLOG_CRON },
        { "daemon", SYSLOG_DAEMON },
        { "ftp", SYSLOG_FTP },
        { "kern", SYSLOG_KERN },
        { "local0", SYSLOG_LOCAL0 },
        { "local1", SYSLOG_LOCAL1 },
        { "local2", SYSLOG_LOCAL2 },
        { "local3", SYSLOG_LOCAL3 },
        { "local4", SYSLOG_LOCAL4 },
        { "local5", SYSLOG_LOCAL5 },
        { "local6", SYSLOG_LOCAL6 },
        { "local7", SYSLOG_LOCAL7 },
        { "lpr", SYSLOG_LPR },
        { "mail", SYSLOG_MAIL },
        { "news", SYSLOG_NEWS },
        { "ntp", SYSLOG_NTP },
        { "security", SYSLOG_SECURITY },
        { "user", SYSLOG_USER },
        { "uucp", SYSLOG_UUCP }
};

You can test them with the debug (console) option. However, the console will not return all messages.

evtsys -d -h RMFVPC -p 514
Checking ignore file...
Feb  3 10:13:26 RMFVPC Eventlog to Syslog Service Started: Version 4.4 (64-bit)
Feb  3 10:13:26 RMFVPC Flags: LogLevel=0, IncludeOnly=False, EnableTcp=False, IncludeTag=False, StatusInterval=0

To see all messages, you can tail /var/log/messages with or without text filtering:

rferrisx@rmfvpc /var/log

$ tail -f messages | gawk '{print $1,$2,$3,$4,$5,$6,$7}'
Feb 3 13:24:29 rmfvpc RMFVPC Security-Auditing: 5156:
Feb 3 13:24:29 rmfvpc RMFVPC Security-Auditing: 5152:
Feb 3 13:24:29 rmfvpc RMFVPC Security-Auditing: 5152:
...
Feb 3 13:24:37 rmfvpc RMFVPC Security-Auditing: 5156:
Feb 3 13:24:37 rmfvpc RMFVPC Security-Auditing: 5152:
Feb 3 13:24:38 rmfvpc RMFVPC Security-Auditing: 4688:

Searching the Messages file with  gawk is fast, most probably faster than with 'get-winevent', 'psloglist', or eventvwr filters:

gawk -F":" '{print $4}' Messages | sort -nr | uniq -c | sort -nr

145530  5156
137132  5447
 81992  5158
  9393  5154
  7397  5152
  5754  4688
  5475  4689
  2988  4957
  ...

gawk -F":" '$4 == 5156 {print $10,$11,$12,$13,$14,$15}' Messages

Outbound Source Address  192.168.0.11 Source Port  137 Destination Address  192.168.0.255 Destination Port  137 Protocol  17
Inbound Source Address  192.168.0.255 Source Port  137 Destination Address  192.168.0.11 Destination Port  137 Protocol  17
Inbound Source Address  192.168.0.255 Source Port  137 Destination Address  192.168.0.11 Destination Port  137 Protocol  17
Inbound Source Address  192.168.0.255 Source Port  137 Destination Address  192.168.0.11 Destination Port  137 Protocol  17
Inbound Source Address  239.255.255.250 Source Port  1900 Destination Address  192.168.0.1 Destination Port  1900 Protocol  17
Inbound Source Address  239.255.255.250 Source Port  1900 Destination Address  192.168.0.1 Destination Port  1900 Protocol  17
....

gawk -F":" '$4 == 5156 {print $13}' Messages | gawk '{print $1}' | sort -nr | uniq -c | sort -nr
  69562 192.168.0.1
   5992 192.168.0.11
   4020 127.0.0.1
   3765 6172
   3694 192.168.0.5
   2950 192.168.0.255
  ...

gawk -F":" '$4 == 5158 {print $11}' Messages | gawk '{print $1}' | sort -nr | uniq -c | sort -nr | more
   23
    7 514
    6 1434
    5 49154
    5 49153
    4 63982
    4 60711
    4 58924
  ....

gawk -F":" '$4 == 5447 {print $18,$19}' Messages | sort -nr | uniq -c | sort -nr
  29026  Media Center Extenders - WMDRM-ND/RTP/RTCP (UDP-In) Type  Not persistent Run-Time ID
  10186  File and Printer Sharing (Spooler Service - RPC-EPMAP) Type  Not persistent Run-Time ID
  10061  Media Center Extenders - RTSP (TCP-In) Type  Not persistent Run-Time ID
   5889  Boot Time Filter Type  Not persistent Run-Time ID
   2967  Port Scanning Prevention Filter Type  Not persistent Run-Time ID
   2201  Microsoft Visual Studio 11 Developer Preview Remote Debugger Discovery (devenv.exe) Type
   2111  Query User Type  Not persistent Run-Time ID
   1714  Network Discovery (SSDP-In) Type  Not persistent Run-Time ID
  ....

No comments:

Post a Comment