Log Correlation Engine 3.6 Client Guide

Transcription

1 Log Correlation Engine 3.6 Client Guide May 7, 2012 (Revision 8) The newest version of this document is available at the following URL: Copyright Tenable Network Security, Inc. Tenable Network Security, Nessus and ProfessionalFeed are registered trademarks of Tenable Network Security, Inc. Tenable, the Tenable logo, the Nessus logo, and/or other Tenable products referenced herein are trademarks of Tenable Network Security, Inc., and may be registered in certain jurisdictions. All other product names, company names, marks, logos, and symbols may be the trademarks of their respective owners. Tenable Network Security, Inc Columbia Gateway Drive, Suite 100, Columbia, MD

2 Table of Contents Introduction... 4 Standards and Conventions... 4 Log Correlation Engine Client Overview... 4 Running LCE Clients Directly on the LCE Server... 5 Running Multiple LCE Clients on One Host... 5 Maximum Number of LCE Clients... 6 LCE Client Types and Platforms... 6 Quick Start Summary... 8 Diagnosing Connection Problems... 8 Log Correlation Engine Unix Clients... 9 Installing the LCE Unix Clients... 9 Installation Directories...11 Upgrading the LCE Clients...12 Removing the LCE Clients...12 LCE Unix Client Configuration...17 Log Correlation Engine Log Agent...18 lce_client.conf Performance Reporting Log Correlation Engine OPSEC Client...23 lce_opsec.conf FW-1 Log Grabber Linux Binary Compatibility Firewall Connectivity Reading Live or Past Log Entries Log Correlation Engine Splunk Client...29 lce_splunk.conf Log Correlation Engine WMI Monitor Agent...31 wmi_monitor.conf WMI Encrypted Credentials Tenable NetFlow Monitor...38 tfm.conf Tenable NetFlow Monitor Event Types Usage Tenable Network Monitor...42 tnm.conf Functionality Command Line Options Performance Considerations Tenable RDEP Monitor...47 trm.conf Tenable SDEE Monitor...50 sdee_monitor.conf LCE Unix Client Operations...53 Starting the LCE Unix Clients...53 Halting the LCE Unix Clients...55 Copyright Tenable Network Security, Inc. 2

3 Monitoring Log Correlation Engine Client Status...57 Log Correlation Engine Client Reconnection Attempts Log Correlation Engine Windows Client...58 Installing the Windows Client...58 Installation Location...59 Service Location...59 Removing the LCE Windows Client...60 Windows Client Configuration...60 General...60 Heartbeats...61 Local Event Logs...62 Remote Event Logs...63 Log Files...66 Monitor Files and Folders...67 LCE Windows Client Operations...69 Starting the LCE Windows Client...70 Halting the LCE Windows Client...70 Debug Logs...70 Remote Installation/Configuration for Multiple Hosts...70 For More Information...73 About Tenable Network Security...74 Appendix 1: Sample Installation Output...75 Red Hat...75 Solaris...75 Appendix 2: Sample Remove Output...77 Red Hat...77 Solaris...77 Appendix 3: Sample Windows WMI Configuration File...78 Appendix 4: Non-Tenable License Declarations...79 Copyright Tenable Network Security, Inc. 3

4 INTRODUCTION This document describes various different clients that are available for Tenable Network Security s Log Correlation Engine Please share your comments and suggestions with us by ing them to support@tenable.com. A working knowledge of Secure Shell (SSH), regular expressions and the SecurityCenter operation and architecture is assumed. Familiarity with general log formats from various operating systems, network devices and applications, as well as a basic understanding of Unix is also assumed. As of this writing, the current LCE server (daemon) version is 3.6.1, while the LCE clients are all version 3.6.x and below. Please refer to the Tenable Support Portal for the latest version of the LCE client. This document is intended to be used with LCE clients 3.6 and greater, however many of the concepts apply to legacy versions of the LCE client such as LCE Client 3.2.x. Starting with SecurityCenter 4, syslog traffic is no longer sent to the SecurityCenter. Instead, it is directed to the LCE server where it is processed. This includes traffic originating from LCE clients. STANDARDS AND CONVENTIONS Throughout the documentation, filenames, daemons and executables are indicated with a courier bold font such as gunzip, httpd and /etc/passwd. Command line options and keywords are also indicated with the courier bold font. Command line options may or may not include the command line prompt and output text from the results of the command. Often, the command being run will be boldfaced to indicate what the user typed. Below is an example running of the Unix pwd command. # pwd /opt/lce/ # Important notes and considerations are highlighted with this symbol and grey text boxes. Tips, examples and best practices are highlighted with this symbol and white on blue text. LOG CORRELATION ENGINE CLIENT OVERVIEW Copyright Tenable Network Security, Inc. 4

5 Throughout this document we will continually refer to three primary LCE components: the LCE client (the end host that initially collects data and sends it on to the LCE server); the LCE server (or daemon), which is installed on Red Hat/CentOS and performs the bulk of the processing; and the LCE host (LCE Manager or SecurityCenter), which provides a graphical user interface to view and report on the LCE data. The Log Correlation Engine (LCE) Clients are agents that are installed on systems whose logs, network traffic, performance and other types of protocols and technologies are to be monitored by forwarding the data securely to the LCE server. Once an LCE is installed and configured, one or more LCE clients can be used to send information back for normalization and correlation. This document details available LCE clients along with their installation and configuration. LCE clients can be configured to gather information and events from the following sources: > Windows Event Logs > Windows and Unix system and application logs > Checkpoint OPSEC events > Cisco RDEP events > Cisco SDEE events > NetFlow > Splunk > Sniffed TCP and UDP network traffic > Sniffed syslog messages in motion Many of these agents are required to take advantage of the LCE s power. For example, to perform Blacklist correlation, the LCE clients that monitor network traffic via sniffing or NetFlow can be used to identify connections with known hostile IP addresses even if you do not have firewall or proxy logs. RUNNING LCE CLIENTS DIRECTLY ON THE LCE SERVER LCE clients can be run directly on the LCE server. They must be configured to connect to either the localhost ( ) or the external IP address of the LCE server. Multiple LCE client types (such as a and a Tenable NetFlow Monitor) can be run at the same time as well. See the section titled LCE Client Types and Platforms for a list of available clients. While using s to watch LCE log files, be extremely careful to avoid feedback loops. For example, choosing to tail the lce.log file would cause any log saved by the lced process to be grabbed by the, sent back to lced and repeated indefinitely. RUNNING MULTIPLE LCE CLIENTS ON ONE HOST Remote systems can also run multiple LCE clients. All remote LCE clients must be configured with the same password as that configured on the LCE server for the client s IP address. Only one entry is required in the lce.conf file on the LCE server. Copyright Tenable Network Security, Inc. 5

6 MAXIMUM NUMBER OF LCE CLIENTS A maximum of 8,192 individual LCE clients can be specified in the lce.conf file. If more are configured, the LCE server will produce an error informing the user of the limit. The LCE itself can be configured with the specific IP address of the remote LCE clients, a network range or network CIDR blocks can be used. LCE CLIENT TYPES AND PLATFORMS There are a number of different LCE client types available. All LCE clients report performance statistics (memory, disk space and CPU usage) on their host regardless of the platform. The LCE clients written for 32-bit platforms will run on 64-bit systems as long as the 32-bit libraries are installed, however native 64-bit support is only available for certain platforms. See the table below for more details. LCE Client Platform 32/64 bit Function LCE Log Agent Red Hat ES 4, ES 5, ES 6 FreeBSD 7, /64 Monitors specific log files or directories of different operating systems. These clients will tail any number of log files and send the observed data to the LCE server for analysis. AIX Debian 5, 6 32/64 Fedora 13, 14, 15 32/64 The Windows Log Agent also can monitor: > Entries in the Windows event log > USB device inserts and removals > Entries in the event logs of remote Windows servers > Process status (available for Unix systems as well) Ubuntu 10.04, Ubuntu /64 Solaris SPARC (8,9,10) 32 Mac OS X 32 s are designed to send log data to the LCE server. Accepted log data is normally in ASCII text format and will not include binary files (with the exception of process accounting data). The LCE Log Agents will check all data before sending, specifically omitting binary files such as.zip,.gz,.tar,.lzh,.bz2, etc. If a binary file is sent to the LCE, it has the potential to Copyright Tenable Network Security, Inc. 6

7 Dragon Appliance 32 MS Windows XP Professional, Server corrupt the database. This filtering is automatically performed by the LCE client software. LCE OPSEC Client LCE Splunk Client MS Windows Server 2008, Vista and Windows 7 Ultimate Red Hat ES 4, ES 5, ES 6 Red Hat ES 4, ES 5, ES 6 32/64 32 Based on Checkpoint s API for Linux, it monitors OPSEC compliant devices for new events. 32/64 Accepts Splunk messages for logging to the LCE server. When configuring Splunk to forward data to a non-splunk system, it is necessary to set sendcookeddata=false in outputs.conf. LCE WMI Monitor Tenable NetFlow Monitor Tenable Network Monitor Red Hat ES 5, ES 6 32/64 Retrieves Windows event logs (e.g., System, Application, Security, All, etc.) from one or more Windows hosts using the Windows Management Instrumentation (WMI) protocol. Red Hat ES 4, ES 5, ES 6 FreeBSD 7, 8 32 Red Hat ES 4, ES 5, ES 6 FreeBSD 7, /64 Receives NetFlow messages for logging to the LCE. Messages can be sent from multiple NetFlow sources to a single TNS_Netflow client. The client supports NetFlow versions 5 and 9. 32/64 Designed to monitor network traffic and send session information to the LCE server. Sniffs network traffic to identify TCP sessions as well as UDP, ICMP and IGMP activity. Tenable RDEP Monitor Red Hat ES 4, ES 5, ES 6 It also has a very useful feature of sniffing live syslog traffic in motion and sending it to the LCE as if the traffic were originally destined for it. This makes it very easy to centralize logs and not rely on forwarding of events from a different log server. 32/64 Retrieves messages from one or more Cisco IDS devices using Cisco s Remote Data Exchange Protocol (RDEP) that can Copyright Tenable Network Security, Inc. 7

8 send events to the LCE for processing. Tenable SDEE Monitor Red Hat ES 4, ES 5, ES 6 32/64 Retrieves messages from one or more Cisco IDS devices using Cisco s Security Device Event Exchange Protocol (SDEE) that can send events to the LCE for processing. QUICK START SUMMARY Use these steps to get your LCE clients up and running quickly: 1. Install the client as per the instructions in the LCE Unix Clients Installation section or the LCE Windows Client Installation section. 2. Configure the clients with the IP address or hostname of the LCE server as well as a password. Do not start the client yet. See the appropriate section to Configure LCE Unix Clients or LCE Windows Clients. 3. On the LCE server, edit the lce.conf file to add in the new parameters for the LCE client. Be sure to add in the correct remote IP address of the LCE client as well as the matching password. 4. Restart the LCE server. 5. Start the LCE client. 6. From the command prompt (Unix or DOS) run the command netstat an to display any network sessions. Look for the port used for communication to the LCE server which is by default. DIAGNOSING CONNECTION PROBLEMS If the LCE client cannot connect, try the following: > View the most recent LCE client log file located in /opt/lce_client/ to determine if any error messages exist. The log has a file name in the following format: YearMon.log. > Check that the LCE server daemon is running and correctly licensed by running service lce status. If the process is running, output similar to the following is displayed: # service lce status lced (pid ) is running... lce_queryd (pid ) is running... > Check to see if there is a local firewall, network firewall or other network issue that would prevent connection from the LCE client to the LCE server. To test this, run a sniffer on the LCE server monitoring TCP port If no connections are observed from the system running the LCE client, something is blocking the connection. Running a sniffer on the system of the LCE client may also help determine if something is blocking. > Verify that the passwords are correct. Both the LCE client and LCE server will log failed authentication errors. > Verify that the IP addresses of the LCE client and LCE server are correct. The client will not connect to the LCE server if it has the wrong IP address or cannot correctly resolve the hostname and the LCE server will not accept a random client unless it is specifically configured in the lce.conf file. Copyright Tenable Network Security, Inc. 8

9 LOG CORRELATION ENGINE UNIX CLIENTS The LCE Unix clients are shipped in a package format appropriate for the platform operating system and include system startup files. INSTALLING THE LCE UNIX CLIENTS Each client comes with an example client configuration file (e.g., lce_client.conf for the ), the program binary and is installed into the appropriate client directory that will be created if it does not already exist. To install the LCE client, obtain the package for your OS platform and desired client and install as the root user on the target client system. The following table provides an installation example for each available LCE client on all supported platforms. Any special installation instructions are provided in a note following the example. LCE Client Installation Example Red Hat LCE OPSEC Client LCE Splunk Client LCE WMI Monitor Agent Tenable NetFlow Monitor Tenable Network Monitor Tenable RDEP Monitor Tenable SDEE Monitor # rpm -ivh lce_client-3.x.x-esx.i386.rpm # rpm -ivh lce_opsec-3.x.x-esx.i386.rpm # rpm ivh lce_splunk-3.x.x-esx.i386.rpm # rpm -ivh wmi_monitor-3.x.x-esx.i386.rpm # rpm -ivh TenableNetFlowMonitor-3.x.x-esX.i386.rpm # rpm -ivh TenableNetworkMonitor-3.x.x-esX.i386.rpm # rpm -ivh TenableRdepMonitor-3.x.x-esX.i386.rpm # rpm -ivh sdee_monitor-3.x.x-esx.x86_64.rpm FreeBSD # pkg_add lce_client-3.x.x-freebsdx.tbz Add the following line to /etc/rc.conf.local or /etc/rc.conf to enable the LCE client service: lce_clientd_enable="yes" Copyright Tenable Network Security, Inc. 9

10 Tenable NetFlow Monitor Tenable Network Monitor # pkg_add TenableNetFlowMonitor-3.x.x-freebsdX.tbz Add the following line to /etc/rc.conf.local or /etc/rc.conf to enable the NetFlow Monitor service: tfmd_enable="yes" # pkg_add TenableNetworkMonitor-3.x.x-freebsdX.tbz Add the following line to /etc/rc.conf.local or /etc/rc.conf to enable the Network Monitor service: tnmd_enable="yes" AIX # installp d lce_client-3.x.x-aix.bff all Fedora # rpm ivh lce_client-3.x.x-fedora.i386.rpm Solaris # gunzip c lce_client-3.x.x-sparc.pkg.tar.gz tar xvf Mac OS X # pkgadd d. The following packages are available: 1 lce-client-3-x-x LCE Client (sparc) 3.x.x Select package(s) you wish to process (or 'all' to process all packages). (default: all) [?,??,q]: 1 Download lce_client-3.x.x-osx.tar.gz to the client system and click on it to run the Mac Installer. Debian # dpkg -i lce_client_3.x.x_debian5.i386.deb Ubuntu # dpkg i lce_client_3.x.x-ubuntu_i386.deb Dragon Appliance Copyright Tenable Network Security, Inc. 10

11 # installpkg lce_client-3.x.x-dragon-skw.tgz A successful installation is indicated by the return of the command prompt with no errors. See Appendix 1 for example output of several installations. Once the client is installed, it is recommended that you customize the provided configuration file for your environment. Please see the section LCE Unix Client Configuration for more information. Installation Directories LCE Client Installation Directory Red Hat LCE OPSEC Client LCE Splunk Client LCE WMI Monitor Agent Tenable NetFlow Monitor Tenable Network Monitor Tenable RDEP Monitor Tenable SDEE Monitor /opt/lce_client /opt/lce_opsec /opt/lce_splunk /opt/wmi_monitor /opt/netflow_monitor /opt/network_monitor /opt/rdep_monitor /opt/sdee_monitor FreeBSD Tenable NetFlow Monitor Tenable Network Monitor /usr/local/lce_client /usr/local/netflow_monitor /usr/local/rdep_monitor AIX /opt/lce_client Copyright Tenable Network Security, Inc. 11

12 Fedora /opt/lce_client Solaris /opt/lce_client Mac OS X /opt/lce_client Debian /opt/lce_client Ubuntu /opt/lce_client Dragon Appliance /opt/lce_client UPGRADING THE LCE CLIENTS Prior to LCE clients 3.4.3, an upgrade involved removing the old LCE client and then installing the new one. LCE clients and greater can be upgraded by performing a basic install. During the installation process, the original LCE client is removed automatically and the new one is then added. Follow the instructions above for performing the LCE client installation. REMOVING THE LCE CLIENTS To remove the LCE client, login as the root user, stop the client daemon (see the section Halting the LCE Unix Clients for directions) and run the appropriate commands for your client and platform as shown in the following table: LCE Client Removal Example Red Hat Determine the name of the installed package: # rpm -qa grep lce_client lce_client-3.x.x-esx.2 Copyright Tenable Network Security, Inc. 12

13 # Remove the installed package: # rpm -ev lce_client-3.x.x-esx.2 LCE OPSEC Client Determine the name of the installed package: # rpm -qa grep lce_opsec lce_opsec-3.x.x-esx.2 # Remove the installed package: # rpm -ev lce_opsec-3.x.x-esx.2 LCE Splunk Client Determine the name of the installed package: # rpm -qa grep splunk lce_splunk-3.x.x-es5.2 # Remove the installed package: # rpm -ev lce_splunk-3.x.x-es5.2 LCE WMI Monitor Agent Determine the name of the installed package: # rpm qa grep wmi_monitor wmi_monitor-3.x.x-es5 # Remove the installed package: # rpm ev wmi_monitor-3.x.x-es5 Tenable NetFlow Monitor Determine the name of the installed package: # rpm -qa grep TenableNetFlowMonitor TenableNetFlowMonitor-3.x.x-esX.2 # Remove the installed package: # rpm -ev TenableNetFlowMonitor-3.x.x-esX.2 Tenable Network Monitor Determine the name of the installed package: # rpm -qa grep TenableNetworkMonitor TenableNetworkMonitor-3.x.x-esX # Remove the installed package: # rpm -ev TenableNetworkMonitor-3.x.x-esX Copyright Tenable Network Security, Inc. 13

14 Tenable RDEP Monitor Determine the name of the installed package: # rpm -qa grep TenableRdepMonitor TenableRdepMonitor-3.x.x-esX.2 # Remove the installed package: # rpm -ev TenableRdepMonitor-3.x.x-esX.2 Tenable SDEE Monitor Determine the name of the installed package: # rpm -qa grep sdee sdee_monitor-3.x.x-esx.2 # Remove the installed package: # rpm ev sdee_monitor-3.x.x-esx.2 FreeBSD Determine the name of the installed package: # pkg_info grep lce lce_client-3.x.x TNS Log Correlation Engine tail client # Remove the installed package: # pkg_delete lce_client-3.x.x Delete the following line from /etc/rc.conf.local or /etc/rc.conf to remove the LCE client service: lce_clientd_enable="yes" Tenable NetFlow Monitor Determine the name of the installed package: # pkg_info grep netflow netflow_monitor-3.x.x TNS Log Correlation Engine tail client # Remove the installed package: # pkg_delete netflow_monitor-3.x.x Delete the following line from /etc/rc.conf.local or /etc/rc.conf to remove the LCE client service: tfmd_enable="yes" Copyright Tenable Network Security, Inc. 14

15 Tenable Network Monitor Determine the name of the installed package: # pkg_info grep network network_monitor-3.x.x TNS Log Correlation Engine tail client # Remove the installed package: # pkg_delete network_monitor-3.x.x Delete the following line from /etc/rc.conf.local or /etc/rc.conf to remove the LCE client service: tnmd_enable="yes" AIX Determine the name of the installed package: # lslpp -L grep lce lce_client-3.x.x-aix.rte 3.x.x.x C F Tenable LCE client # Remove the installed package: # installp -u lce_client-3.x.x-aix.rte When the package is uninstalled, the lce_client.conf file is left in place. If the package is later re-installed, a new configuration file will be written, and the original will be renamed to lce_client.conf.save. Fedora Determine the name of the installed package: # rpm -qa grep lce_client lce_client-3.x.x-fc8.2 Remove the installed package: # rpm -ev lce_client-3.x.x-fc8.2 Fedora Determine the name of the installed package: # rpm -qa grep lce lce_client-3.x.x-fedora Copyright Tenable Network Security, Inc. 15

16 Remove the installed package: # rpm -ev lce_client-3.x.x-fedora Solaris Determine the name of the installed package: # pkginfo grep lce security lce-client-3-x-x LCE Client # Remove the installed package: # pkgrm lce-client-3-x-x Mac OS X To remove the LCE client on a Mac, you can either use a third party de-installation program or run the following commands from the command line prompt: # rm /opt/lce_client/lce_clientd # rm r /System/Library/StartupItems/LCEClient Debian Determine the name of the installed package: # dpkg -l grep lce ii lce-client-x-x-x Tenable Log Correlation Engine Client # 3.x.x Remove the installed package: # dpkg -r lce-client-x-x-x Ubuntu Determine the name of the installed package: # dpkg -l grep lce ii lce-client-x-x-x Tenable Log Correlation Engine Client # 3.x.x Remove the installed package: # dpkg -r lce_client-x-x-x Copyright Tenable Network Security, Inc. 16

17 Dragon Appliance # removepkg lce_client-3.x.x-dragon-skw.tgz LCE UNIX CLIENT CONFIGURATION The example configuration file has limited logging enabled and can be customized for the local applications and operating system. This section describes how to configure the LCE Unix clients. The configuration files for each of the clients on the supported operating systems are listed in the table below: LCE Client Configuration File Red Hat LCE OPSEC Client LCE Splunk Client LCE WMI Monitor Agent Tenable NetFlow Monitor Tenable Network Monitor Tenable RDEP Monitor Tenable SDEE Monitor /opt/lce_client/lce_client.conf /opt/lce_opsec/lce_opsec.conf /opt/lce_splunk/lce_splunk.conf /opt/wmi_monitor/wmi_monitor.conf /opt/netflow_monitor/tfm.conf /opt/network_monitor/tnm.conf /opt/rdep_monitor/trm.conf /opt/sdee_monitor/sdee_monitor.conf FreeBSD Tenable Log Agent Tenable NetFlow Monitor Tenable Network Monitor /usr/local/lce_client/lce_client.conf /usr/local/netflow_monitor/tfm.conf /usr/local/rdep_monitor/trm.conf Copyright Tenable Network Security, Inc. 17

18 AIX /opt/lce_client/lce_client.conf Fedora /opt/lce_client/lce_client.conf Solaris /opt/lce_client/lce_client.conf Mac OS X /opt/lce_client/lce_client.conf Debian /opt/lce_client/lce_client.conf Ubuntu /opt/lce_client/lce_client.conf Dragon Appliance /opt/lce_client/lce_client.conf If changes must be made to an existing configuration file and the client is already running, make the changes, halt the client and then restart it. See Halting the LCE Unix Client. Log Correlation Engine Log Agent LCE Unix Log Agents can be used to monitor log files that contain events received from other devices. For example, a Unix server could be configured to receive syslog events from a nearby router. The and LCE server would parse all events as if they originally came from the Unix server. If there were IP address information in the syslog message, then the LCE server would assign the source and destination events accordingly. To configure the lce.conf file, enter in a list of files or directories to be monitored. You will also need to include the relevant IP address or hostname and shared secret key of the LCE server in the lce-server section. The shared secret key can contain any ASCII character except a semicolon (;) or space ( ). Copyright Tenable Network Security, Inc. 18

19 An example lce_client.conf configuration file is shown below: options { # LCE client log messages are written to a file named according to # the date in the directory specified below. log-directory./ # The files specified below are tailed. tail-file /var/log/messages tail-file /var/log/secure # All files in directories specified with the tail-dir option will # be tailed. # This can also be limited to files matching a certain pattern. # tail-dir /var/log/*.log # tail-dir /security_logs/* # In addition to plain text files, the LCE client is capable of # monitoring process accounting data. The accounting-file keyword # is used to specify each file that has been configured to store # this data on the host. The binary entry for each executed # command is converted to an English log and sent to the LCE server. # accounting-file /var/account/pacct # When a directory is monitored, the LCE client periodically re- # scans the directory to determine if any new files have been added. # The next option determines the number of seconds between each # scan. scan-frequency 60 # The following options specify files and directories that should # be monitored for changes. This includes the file being moved, # deleted, swapped, or modified. # These operations will trigger a log message being sent to LCE, # which includes the old and new MD5 checksums of the file, when # applicable. # monitor-file-changes /etc/passwd monitor-directory-changes /etc/* monitor-directory-changes /lib/* monitor-directory-changes /bin/* monitor-directory-changes /sbin/* monitor-directory-changes /usr/bin/* monitor-directory-changes /usr/sbin/* monitor-directory-changes /usr/lib/* recursive-directory-changes /usr/libexec/ # When the following options are enabled, changes to ownership # and permissions # will be reported for the above monitored files and directories. Copyright Tenable Network Security, Inc. 19

20 report-ownership-changes yes report-permissions-changes yes # The next setting determines the frequency, in minutes, with which # monitored files and directories will be re-scanned for changes. modification-check-frequency 30 # When the following line is uncommented, debugging is enabled in # the client. # client-debug # The following section defines the IP at which the LCE server is # located, as well as the authentication required to log in. Only 1 # LCE server is currently supported. For example, use the following # to configure an LCE server at (localhost) using the # password "s3kret" lce-server { client-auth auth-secret-key s3kret } # The LCE server can be configured to listen on a user-specified # port. The setting below should match the server setting, which is # by default. Server-port # The heartbeat-frequency option defines the number of seconds # between each pair of client heartbeat messages that are sent to # the server. Heartbeat-frequency 300 } # The LCE client provides the option of periodically sending a log # file containing performance statistics to the LCE server. The # following option determines the number of minutes between each # performance statistics report. When the next line # is commented out or removed, performance reporting is disabled. Statistics-frequency 60 Two types of log directives can be used. The tail-file directive specifies a specific file to follow. The tail-dir directive specifies all files in a specific directory to be followed. This is invoked by specifying the path, followed by an asterisk. See the sample tail directives below: options { tail-dir /var/log/* tail-dir /var/log/httpd/* tail-file /var/log/squid/access.log lce-server { client-auth auth-secret-key tenable Copyright Tenable Network Security, Inc. 20

21 } } This would cause all new files or any existing files with new content in the /var/log and /var/log/httpd directories and the file /var/log/squid/access.log to be tailed by the. Note that only regular text files are looked at in a specified directory, not special files, binary files or sub-directories. Comments can be entered into the configuration file with lines starting with the # character. Once the configuration file is updated, check the client log to ensure it is operating properly and to validate that configuration directives were configured correctly. lce_client.conf The following table describes the configuration options available in the lce_client.conf configuration file: Option log-directory tail-file tail-dir Description Directory where logs are stored. If the logdirectory keyword is commented out, then the client install directory will be used. Otherwise, ISO9000 compliant log files will be saved in the specified directory. Specifies which log(s) are to be tailed for monitoring by the. Configuration file allows multiple tail-file options. All files in directories specified with the tail-dir option will have the tail command run on them. This can also be limited to files matching a certain pattern. tail-dir /var/log/*.log tail-dir /security_logs/* accounting-file scan-frequency monitor-file-changes Specifies location of accounting file to be monitored. The binary entry for each executed command is converted to a plain text log and sent to the LCE server. Frequency with which the will re-scan the tail-dir directory to determine if new files have been added. If this option is used with the tail-file directive, the client checks at that interval to see if the file was readded after deletion. Specifies files that are monitored for changes. This includes files being moved, deleted, swapped or modified. When used in conjunction with report-ownership-changes/reportpermissions-changes, changes to ownership and permissions are reported. Copyright Tenable Network Security, Inc. 21

22 monitor-directorychanges recursive-directorychanges report-ownershipchanges report-permissionschanges modification-checkfrequency client-debug lce-server server-port heartbeat-frequency statistics-frequency Specifies that all files under the specified directory are monitored for changes. Allow a directory s subdirectories to automatically be recursed for monitoring. Files/directories being monitored will report any ownership changes. Files/directories being monitored will report any permissions changes. Specifies the frequency with which the LCE client checks the monitored files. Set debug mode on or off. Directs the to the IP address or hostname of the LCE, and specifies the password used to connect. Note: Each client can only connect to one server, and will connect to the first available server specified if multiple lce-server directives exist. The port the LCE listens to as designated by the lce-server directive. The can be configured to send a heartbeat message to the LCE. This message indicates that the client is still alive and performing normally. The frequency with which the sends a log entry containing performance statistics to the LCE. The following is an example of the heartbeat message sent from the to the LCE: Performance Reporting When the sends performance statistics to the LCE server, the exact information sent depends on the operating system (e.g., swap and cache data is not available on all platforms). The performance report is sent to the LCE server. The various performance logs are normalized to the lce event type for easy analysis. When viewed using the Raw Syslog Events tool, the data appears similar to the following screen capture: Copyright Tenable Network Security, Inc. 22

23 This data is very useful for troubleshooting performance issues on the remote LCE client. Used in conjunction with the process LCE event type that hourly monitors and reports on system processes, runaway processes can be quickly debugged and resolved before they completely take the LCE client system down. Log Correlation Engine OPSEC Client To configure the LCE OPSEC Client, edit the lce_opsec.conf file with a text editor. A script that pulls a cryptographic key from the desired OSPEC source is also required. The opsec_pull_cert script is bundled with OPSEC SDK and can be found at the following link: This script will be used in the event that authenticated connections are required from the Checkpoint firewall. The OPSEC API supports a variety of features for connecting to OPSEC enabled devices. These options are defined with examples throughout the lce_opsec.conf file. The file also includes two keywords for specifying the location of the LCE server IP and the shared secret. The shared secret key can contain any ASCII character except a semicolon (;) or space (). The following is an example of the lce_opsec.conf configuration file: # Messages generated during runtime will be stored in a dated file # of the format YYYYMon.log in the following directory. LOG_DIR="/opt/lce_opsec/" # DEBUG_MODE={yes YES no NO} DEBUG_MODE="no" # This option defines the location of the FW1 management station. # Only 1 station is currently supported. # FW1_SERVER=<IP address of FW1-Management Station> FW1_SERVER=" " # FW1_PORT=<Port number for LEA connections> FW1_PORT="50001" Copyright Tenable Network Security, Inc. 23

24 # FW1_LOGFILE=<Name of FW1-Logfilename> FW1_LOGFILE="fws.log" # FW1_OUTPUT=<files logs> FW1_OUTPUT="logs" # FW1_TYPE=<NG ng 2000> FW1_TYPE="NG" # FW1_MODE=<audit AUDIT normal NORMAL> FW1_MODE="NORMAL" # This option defines the number of seconds between each pair of client # heartbeat messages that are sent to the server. HEARTBEAT_FREQUENCY="300" # The LCE client provides the option of periodically sending a log file # containing performance statistics to the LCE server. The following option # determines the number of minutes between each performance statistics # report. When the next line is commented out or removed, performance # reporting is disabled. STATISTICS_FREQUENCY="60" # ONLINE_MODE=<yes YES no NO> ONLINE_MODE="no" # RESOLVE_MODE=<yes YES no NO> RESOLVE_MODE="no" # SHOW_FIELDNAMES=<yes YES no NO> SHOW_FIELDNAMES="yes" # RECORD_SEPARATOR=<char> RECORD_SEPARATOR=" " # DATEFORMAT=<CP UNIX STD> # CP = " 3Feb :15:16" # UNIX = " " # STD = " :15:16" DATEFORMAT="STD" # # FW1-Authentication settings # # AUTHENTICATES={yes YES no NO} AUTHENTICATED="no" # OPSEC_CERTIFICATE=<Path and Name of Opsec Certificate> OPSEC_CERTIFICATE="opsec.p12" # OPSEC_CLIENT_DN=<DN of Opsec-Client> OPSEC_CLIENT_DN="CN=LEA-Client,O=fw1-host-web.com..abc" # OPSEC_SERVER_DN=<DN of Opsec-Server> Copyright Tenable Network Security, Inc. 24

25 OPSEC_SERVER_DN="cn=cp_mgmt,o=fw1-ng.fellhauer-web.de..n77jpa" # This option defines the location and authentication settings of the # Log Correlation Engine. Only 1 server is currently supported. LCE_SERVER=" " LCE_PASSWORD="tenable" LCE_PORT="31300 While running, a network connection between the lce_opsec client and the Checkpoint firewall will be established on TCP port 50001, as well as a network connection between the lce_opsec client and the LCE server on TCP port lce_opsec.conf The following table describes the configuration options available in the lce_opsec.conf configuration file: Option LOG_DIR DEBUG_MODE FW1_SERVER FW1_PORT FW1_LOGFILE Description Log message storage point. Set debug mode on or off. Location of the FireWall-1 management station. Listening port of the FireWall-1 management station as defined in the FW1_SERVER directive. Name of the FireWall-1 log file. This option must be commented out (place a # in front of the line) if online mode is enabled. See the ONLINE_MODE option below. FW1_OUTPUT Specify if the FireWall-1 log file output is files or logs. FW1_TYPE Specify the FireWall-1 type: NG, ng or FW1_MODE HEARTBEAT_FREQUENCY STATISTICS_FREQUENCY ONLINE_MODE Specify the FireWall-1 mode: AUDIT or NORMAL The LCE OPSEC client can be configured to send a heartbeat message to the LCE. This message indicates that the client is still alive and performing normally. The frequency with which the LCE OPSEC client sends a log entry containing performance statistics to the LCE. Specify the online mode: yes or no (not case sensitive). Copyright Tenable Network Security, Inc. 25

26 RESOLVE_MODE SHOW_FIELDNAMES RECORD_SEPARATOR DATEFORMAT AUTHENTICATED OPSEC_CERTIFICATE OPSEC_CLIENT_DN OPSEC_SERVER_DN LCE_SERVER LCE_PASSWORD LCE_PORT Specify the resolve mode: yes or no (not case sensitive). Specify if field names will be displayed: yes or no (not case sensitive). Specify the character that acts as the record separator. Specify the log file date format: CP, UNIX or STD. Specify the FireWall-1 authentication settings: yes or no (not case sensitive). The path and name of the OPSEC certificate file. The OPSEC Client Distinguished Name. The OPSEC Server Distinguished Name. The IP address of the LCE server. The password required to authenticate to the LCE server. The remote port of the LCE server designated in the LCE_SERVER directive. FW-1 Log Grabber Although Tenable provides a native LCE OPSEC Client, the client can be utilized to monitor logs generated by the open source FW-1 Log Grabber project. The open source tool is located at: To use this tool, add a client to your Linux server that is also running Log Grabber. Configure the lce_client.conf file of the client to monitor the log file generated by the Log Grabber program. At the LCE server, ensure that the firewall_checkpoint_loggrabber.prm library has been enabled. This library is used to process the firewall log events generated by the Log Grabber tool. Linux Binary Compatibility Depending on your specific Linux kernel, when starting, the lce_opsec client may complain about not being able to locate the libelf.so.0 library. If this is the case, please run the following commands: # ln -s /usr/lib/libelf.so.1 /usr/lib/libelf.so.0 # ldconfig Copyright Tenable Network Security, Inc. 26

27 This will ensure that the lce_opsec client has proper access to the required system libraries. Firewall Connectivity Configuration of unauthenticated connections Configuration of FW-1 server: > Modify $FWDIR/conf/fwopsec.conf and define the port to be used for unauthenticated lea connections: lea_server port > Restart FW-1 in order to activate changes: # cpstop; cpstart Configuration of FW-1 policy: > Add a rule to the policy to allow the port defined above from the lce_opsec-client machine to the FW-1 management server. > Install the policy. Configuration of lce_opsec-client: > Edit the FW1_PORT configuration file parameter to specify the port you defined on your FW-1 server (This example 50001). Configuration of authenticated connections Configuration of FW-1 server: > Modify $FWDIR/conf/fwopsec.conf and define the port to be used for authenticated lea connections as well as the authentication algorithm. The default algorithm for authenticated connections is SSLCA: lea_server auth_port lea_server auth_type sslca > Restart FW-1 in order to activate changes # cpstop; cpstart (If settings above are in place then restarting the FW-1 Management Server is not necessary.) Configuration of FW-1 policy: > Create a new Opsec Application Object with the following details: > Name: e.g., lce (lce is an example Object name) > Vendor: User Defined > Server Entities: None > Client Entities: LEA > Initialize Secure Internal Communication (SIC) for recently created Opsec Application Object and enter (and remember) the initial password. Copyright Tenable Network Security, Inc. 27

28 > Write down the DN of the recently created Opsec Application Object. This is your Client Distinguished Name, which you will need later on. > Open the object of your FW-1 management server and write down the DN of that object. This is the Server Distinguished Name, which you will need later on. > Add a rule to the policy to allow the port defined above as well as port 18210/TCP (FW1_ica_pull) in order to allow pulling of the PKCS#12 certificate from the lce_opsecclient machine to the FW-1 management server. The port 18210/TCP can be shut down after the communication between lce_opsec-client and the FW-1 management server has been established successfully. The pulling of the certificate will be accomplished with the opsec_pull_cert script. > Install the policy. Configuration of lce_opsec-client: > Execute the command opsec_pull_cert as follows and copy the resulting PKCS#12 file (default: opsec.p12) to your lce_opsec-client directory. (The opsec_pull_cert can be accessed at the following address: opsec_pull_cert \ -h <IP of FW-1 Management Server> \ -n <Name of Opsec Application Object> \ -p <Password you entered before in policy Example: #./opsec_pull_cert -h host -n object-name -p activation-key #./opsec_pull_cert -h n c001_lea -p abc123 The full entity sic name is: CN=c001_lea,O=cpmodule..gysidy Certificate was created successfully and written to "opsec.p12". The following options will need to be updated within the lce_opsec.conf: > Edit the FW1_PORT configuration file parameter to specify the port you defined on your FW-1 server. (This example uses port ) > Edit the AUTHENTICATED="yes" option within the lce_opsec.conf file. > Edit the OPSEC_CERTIFICATE configuration file parameter according to the name of the PKCS#12 file that you created before using the opsec_pull_cert command. (The example above uses opsec.p12) > Edit the OPSEC_CLIENT_DN configuration file parameter according to the Client DN that you have written down before. Copyright Tenable Network Security, Inc. 28

29 > Edit the OPSEC_SERVER_DN configuration file parameter according to the Server DN that you have written down before. Reading Live or Past Log Entries The LCE OPSEC Client can operate in online and offline modes. In the online mode it will report events as they occur (i.e., in real-time). In the offline mode the client will read all of the events that are currently in the log and forward them onto the LCE server. To see past log entries, use the offline mode. To see real-time entries, use the online mode. Some examples of manual invocation (the following is configurable within the lce_opsec.conf as well): #./lce_opsec --online #./lce_opsec --offline Standard lce_opsec invocation involves running: service lce_opsec start. When run in this manner, the ONLINE_MODE parameter is read from the lce_opsec.conf file. Log Correlation Engine Splunk Client When configuring Splunk to forward data to a non-splunk system, it is necessary to set sendcookeddata=false in outputs.conf. Splunk is a monitoring and reporting tool with search capabilities that consolidates metrics, logs and other data from various network devices and applications into a searchable repository. LCE Splunk Clients can be used to monitor log files that contain events received from Splunk servers. For example, a Unix server could be configured to receive Splunk events from a nearby Splunk server. The LCE Splunk Client and LCE server would parse all events as if they originally came from the Splunk server. Tenable provides Splunk clients for Red Hat Enterprise Linux versions 4, 5 and 6. To configure the lce_splunk.conf file, enter in the IP address of the Splunk server to be monitored. You will also need to include the relevant IP address or hostname and shared secret key of the LCE server in the lce-server section. The shared secret key can contain any ASCII character except a semicolon (;) or space ( ). An example lce_splunk.conf configuration file is shown below: options { # Splunk client log messages are written to a file named according # to the date in the directory specified below. log-directory./ # The splunk client listens for connections from Splunk servers at # the port specified below. Each Splunk server in the deployment # should be configured to forward data to this location. listen-port 9800 Copyright Tenable Network Security, Inc. 29

30 # The splunk client will only accept connections from servers # authorized with the splunk-server keyword. splunk-server # The following section defines the IP at which the LCE server is # located, as well as the authentication required to log in. Only # 1 LCE server is currently supported. For example, use the # following to configure an LCE server at (localhost) # using the password "s3kret" lce-server { client-auth auth-secret-key s3kret } # The LCE server can be configured to listen on a user-specified # port. The setting below should match the server setting, # which is by default. server-port # The heartbeat-frequency option defines the number of seconds # between each pair of client heartbeat messages that are sent # to the server. heartbeat-frequency 300 # The LCE client provides the option of periodically sending a log # file containing performance statistics to the LCE server. The # following option determines the number of minutes between each # performance statistics report. When the next line # is commented out or removed, performance reporting is disabled. statistics-frequency 60 } # When the following line is uncommented, debugging is enabled in # the client. # client-debug lce_splunk.conf The following table describes the configuration options available in the lce_splunk.conf configuration file: Option log-directory listen-port splunk-server lce-server Description Log directory storage point. Listening port of the Splunk client (9800 by default). IP address of the Splunk server. IP address or hostname of the LCE server. Copyright Tenable Network Security, Inc. 30

31 server-port heartbeat-frequency statistics-frequency client-debug Port that the LCE server is configured to listen on. The number of seconds between each pair of client heartbeat messages that are sent to the server. The number of minutes between each performance statistics report to the LCE server. Whether debugging is enabled or disabled on the client. Log Correlation Engine WMI Monitor Agent The LCE WMI Monitor Agent is used to automate the collection of Windows event logs from remote Windows systems by using WMIC calls from the Linux system running the agent. This facilitates the collection of Windows logs from many hosts for the purpose of event normalization/searches and performance analysis. Host network connections occur in parallel, and though very quick, they may cause a temporary spike in network traffic and WMIC processes from the WMI Monitor Agent host while collection is occurring. For performance reasons, Tenable recommends configuring no more than 100 Windows hosts per WMI Monitor Agent. After the WMI Monitor Agent is installed, configure the wmi_monitor.conf file as detailed below and then start the service (service wmi_monitor start). To configure the wmi_monitor.conf file, add a list of Windows hosts (one per WMI-host keyword) to be monitored. You will also need to include the relevant IP address or hostname and shared secret key of the LCE server in the lce-server section. The shared secret key can contain any ASCII character except a semicolon (;) or space ( ). For example, the block below demonstrates how to monitor two different Windows systems for the configured event types: WMI-host { } WMI-host { address domain HEADQUARTERS username Administrator password password1 monitor All address domain HEADQUARTERS Copyright Tenable Network Security, Inc. 31

32 username Administrator password password1 monitor Security } In the first host, the WMI agent will automatically query the host to determine which files are available, and those files will be tracked. In the second example, only Security events are tracked. An example wmi_monitor.conf configuration file with more verbose explanations is shown below: options { # WMI Monitor log messages are written to a file named according # to the date in the directory specified below. log-directory./ # The following section defines the IP at which the LCE server is # located, as well as the authentication required to log in. Only # one LCE server is currently supported. For example, use the # following to configure an LCE server at (localhost) # using the password "s3kret" lce-server { client-auth auth-secret-key s3kret } # The LCE server can be configured to listen on a user-specified # port. The setting below should match the server setting, which # is by default. server-port # Each WMI-host block specifies a Windows system to be monitored. WMI-host { address # domain HEADQUARTERS username Administrator password password } # The "monitor" option below is used to specify which # Win32_NTLogEvent log files will be tracked. If "All" is # specified, the WMI agent will automatically query the # host to determine which files are available, # and those files will be tracked. monitor All # monitor System # monitor Windows PowerShell # monitor Application monitor Security # In addition to the Log Correlation Engine, events downloaded # from the security device can also be forwarded to one or more Copyright Tenable Network Security, Inc. 32

33 # syslog servers. The syslog-server keyword defines the address at # which each is located. # syslog-server # syslog-server # The heartbeat-frequency option defines the number of seconds # between each pair of client heartbeat messages that are sent to # the LCE server. heartbeat-frequency 300 # The WMI monitor provides the option of periodically sending a # log file containing performance statistics to the LCE server. # The following option determines the number of minutes between # each performance statistics report. When the next line is # commented out or removed, performance reporting is disabled. statistics-frequency 60 } # When the following line is uncommented, extra debugging # information is logged. This option should be enabled only # temporarily, as it may # cause the application log file to grow extremely large. # Debug mode can be toggled during runtime by sending the SIGUSR1 # signal to the lce_wmid process. debug wmi_monitor.conf The following table describes the configuration options available in the wmi_monitor.conf configuration file: Option log-directory lce-server server-port Description Log directory storage point IP address or hostname of the LCE server Port that the LCE server is configured to listen on WMI-host address IP address or hostname of a Windows system to be monitored DNS must be configured properly if a hostname is used in this field. domain username password The Windows domain in which the credentials used to log into the system belong Username that will be used to perform Windows system login Password that will be used to perform Copyright Tenable Network Security, Inc. 33

34 Windows system login syslog-server heartbeat-frequency statistics-frequency debug monitor Specifies which Win32_NTLogEvent log files to track. If All is specified, the WMI agent will automatically query the host to determine which files are available, and those files will be tracked. In addition to the Log Correlation Engine, events downloaded from the security device can also be forwarded to one or more syslog servers. The syslog-server keyword defines the address at which each server is located. The number of seconds between each pair of client heartbeat messages that are sent to the server The number of minutes between each performance statistics report to the LCE server When this line is uncommented, extra debugging information is logged. This option should be enabled only temporarily, as it may cause the application log file to grow extremely large. Debug mode can be toggled during runtime by sending the SIGUSR1 signal to the lce_wmid process. WMI Encrypted Credentials As of version of the WMI client, a feature is available through the /opt/wmi_monitor/wmi_config_credentials binary to encrypt the WMI credentials to an external file set. This feature eliminates the need to store the username and password in cleartext in the /opt/wmi_monitor/wmi_monitor.conf file. The tool has the ability to read the current hosts and credentials in the configuration file. Once saved, the cleartext credentials in the configuration file may be deleted. As of version of the WMI monitor, the preferred method to store credentials is to use the wmi_config_credentials tool. While cleartext usernames and password will currently work, a warning about their use being deprecated will appear in the log files. Option Description -i <wmi_monitor.conf> When the i option is used, it will read the specified wmi_monitor.conf file and will read in the data available for the configured host(s). -o </path/to/credentials> When used, the o option will instruct the program to write the credential files to the specific directory. -c </path/to/credentials> When used, the c option will instruct the program where to read the credential files from the specific directory for modification purposes. Copyright Tenable Network Security, Inc. 34

35 -v When used, the v option will print the version information to the screen. -h When used, the h option will display the help file. When the wmi_config_credentials program is run on its own without options, it will read the default file /opt/wmi_monitor/wmi_monitor.conf and the encrypted credentials in the /opt/wmi_monitor/data/ directory and will save the modifications to the same directory. When run, output similar to the following will be displayed: [root@securitycenter42 wmi_monitor]#./wmi_config_credentials Using: input config: /opt/wmi_monitor/wmi_monitor.conf output cred: /opt/wmi_monitor/data/ input cred: /opt/wmi_monitor/data/ WARNING: Plaintext usernames/passwords are deprecated (I found one for ). Please run wmi_config_credentials to encrypt your credentials, then remove plaintext usernames/passwords from the wmi_monitor.conf file. The "address", "domain", and "monitor" lines must remain in the wmi_monitor.conf file. (0): Domain: bogusdom Address: Username: <Not Set> Password: <Not Set> Files: Security (1): Domain: bogusdom Address: Username: *** Password: ******* Files: Security (2): Domain: bogusdom Address: Username: **** Password: ******** Files: Security (3): Domain: bogusdom Address: Username: *** Password: *** Files: Security Found 4 host(s) in your configuration. ****************************************** ***** Please select an option below ***** ****************************************** *[1] Display current hosts * *[2] Add a new host * *[3] Modify an existing host * *[4] Delete an existing host * Copyright Tenable Network Security, Inc. 35

36 *[5] Save hosts and credentials * *[Q] Save and quit * *[X] Quit without saving * * * * >> At the beginning under the Using: section we have the location that is being used for input config, output cred, and input cred. This allows us to confirm that we are using and saving the credentials from the expected locations. In the Warning: section we see that a username and password exists in the configuration file that is being read. This informs us that once encrypted, we may delete the username and password lines from the configuration file for that host. Following the Warning: section we have a list of the hosts within the configuration file followed by the total number of hosts in the configuration. Each host is prefaced with the number in the order it was found in the configuration file (starting with 0). The Domain, Address, Username, Password and Files fields are contained in the description: Field Domain Address Username Password Files Description This is the Windows domain that the credentials will attempt to login to when the program is executed. This is stored in the wmi_monitor.conf file. This is the IP address of the host that will attempt to be logged into when the program is executed. This is stored in the wmi_monitor.conf file. This field indicates if a Username is saved or not. If there are asterisks in the field, the username is set in the encrypted file. If <Not Set> is shown, then the host does not have a corresponding encrypted credential saved. This field indicates if a Password is saved or not. If there are asterisks in the field, the username is set in the encrypted file. If <Not Set> is shown, then the host does not have a corresponding encrypted credential saved. This field indicates the files that are monitored by the WMI monitor on the targeted host. This is stored in the wmi_monitor.conf file. The following section shows the menu of actions that may be performed: ****************************************** ***** Please select an option below ***** ****************************************** *[1] Display current hosts * *[2] Add a new host * *[3] Modify an existing host * Copyright Tenable Network Security, Inc. 36

37 *[4] Delete an existing host * *[5] Save hosts and credentials * *[Q] Save and quit * *[X] Quit without saving * * * * >> Selecting 1 will display a list of the hosts currently available within the encrypted host credential directory. Selecting 2 allows for adding a new host to the credential directory. When selected, a series of questions will be asked beginning with the new host address and followed by the username and password to use. Once entered, a list of available hosts will be shown on the screen followed by a success or failure message. When successful, a reminder will be given to enter the host s address, domain and monitor lines to the wmi_monitor.conf file. Note that when you are entering the Username and Password there is nothing echoed to the screen. Selecting 3 will allow you to make changes to the credentials of an existing host. A list of all hosts will be displayed. Select the host you wish to modify by selecting the number next to the host information. You will then be prompted to enter the updated username and password to be used with the host. Selecting 4 will allow you to delete an existing host from the records. After selecting the option, enter the number of the host you wish to delete. If successful, the list of menu options will be displayed. If there is an issue, an error message will be displayed indicating what has gone wrong. Selecting 5 will save the current state of hosts and passwords. This allows you to save your work without exiting the program. Selecting Q (case insensitive) will save the changes that have been made since the last save and quit the program. Selecting X (case insensitive) will quit the program and not save any of the changes that were entered. When running the wmi_config_credentials program, ensure that the configuration file used contains at least the hosts that have been previously encrypted. Otherwise, a warning will be issued and credentials will be lost if you continue. For more information about configuring remote hosts for remote WMIC connectivity or troubleshooting connectivity issues, please refer to the following helpful links: > > Copyright Tenable Network Security, Inc. 37

38 Tenable NetFlow Monitor The Tenable NetFlow Monitor Client currently only supports NetFlow versions 5 and 9. A list of decimal protocol enumerations is found here: The Tenable NetFlow Monitor (TFM) client takes advantage of the ability in most modern routers to use the NetFlow protocol to send network session statistics to remote collectors for processing and reporting. This enables you to monitor network traffic without having to install a sniffer on a hub or switched span port. The following is an example tfm.conf configuration file: options { # Log messages will be stored in a file named according to date in the following # directory. log-directory "./"; # This section defines the login information for the LCE server. Only one server # is currently supported. lce-server { client-auth auth-secret-key "s3kr3t"; } # The LCE server can be configured to listen on a user-specified port. The setting # below should match the server setting, which is by default. server-port 31300; netflow-server-port 9995; # The heartbeat-frequency option defines the number of seconds between each pair # of client heartbeat log messages that are sent to the server. heartbeat-frequency 300; # The LCE client provides the option of periodically sending a log file containing # performance statistics to the LCE server. The following option determines the # number of minutes between each performance statistics report. When the next line # is commented out or removed, performance reporting is disabled. statistics-frequency 60; # The NetFlow agent implements a white list of matching IP Copyright Tenable Network Security, Inc. 38

39 elements, # including IP protocol, IP address and port numbers. If multiple elements # are specified, then only sessions matching at least one variable in each # element will be matched. Only one include-filter can be used per agent. # Example #1: Logging TCP traffic excluding a number of ports. include-filter { proto 6; } exclude-filter { port 20; port 21; #port 22; #port 25; port 80; port 53; port 110; port 123; port 161; port 143; port 443; port 1434; port 1863; port 5050; port 5190; port 8200; } # Example #2: Logging all FTP, web, SMTP and DNS traffic # include-filter { # port 21; # port 25; # port 53; # port 80; # port 443; # } # Example #3: Logging all FTP, web, SMTP and DNS traffic from /8 # include-filter { # cidr /8; # port 21; # port 25; # port 53; # port 80; # } # NetFlow data reported by the NetFlow agent, along with other verbose output, # may be printed to the NetFlow agent log if desired. By default, this option # is disabled because it can generate very large agent logs. Copyright Tenable Network Security, Inc. 39

40 } # This should be uncommented only with care, or if directed by Tenable Network Security. # debug; tfm.conf The following table describes the configuration options available in the tfm.conf configuration file: Option log-directory lce-server server-port netflow-server-port heartbeat-frequency statistics-frequency include-filter exclude-filter Debug Description Directory where LCE client logs are stored. If the logdirectory keyword is commented out, then the client install directory will be used. Otherwise, ISO9000 compliant log files will be saved in the specified directory. Directs the TFM client to the IP address or hostname of the LCE, and specifies the password used to connect. Note: Each client can only connect to one server, and will connect to the first available server specified if multiple lce-server directives exist. The port that the LCE server, as designated by the lceserver directive, listens on. Specifies the NetFlow port to monitor. Do not change the netflow-server-port keyword unless you have specifically modified the configuration of your networking devices to report NetFlow data on non-standard ports. The TFM client can be configured to send a heartbeat message to the LCE. This message indicates that the client is still alive and performing normally. The frequency with which the LCE client sends a log entry containing performance statistics to the LCE. The filtering section is used to limit the amount of data logged. Unlike the TNM that has command line filtering courtesy of the libcap packet capture library, TFM filtering is specified inside the tfm.conf file. NetFlow data reported by the NetFlow agent, along with other verbose output, may be printed to the NetFlow agent log if desired primarily for troubleshooting purposes. By default this option is disabled because it can generate very large agent logs. Filtering is accomplished by specifying one or more protocol, network or port combinations. In the provided tfm.conf file, several examples are given that look for generic matches. The filtering logic works such that any reported NetFlow session must match at least one of the specified filters in each section. Copyright Tenable Network Security, Inc. 40

41 Negative filtering can also be used. Consider the following section from a tfm.conf file: include-filter { proto 6; } exclude-filter { port 20; port 21; port 22; port 25; port 80; port 53; port 110; port 123; port 161; port 143; port 443; port 1434; port 1863; port 5050; port 5190; port 8200; } In this example, the tfm would look for all TCP traffic, but would also ignore any sessions occurring on the ports listed in the exclude filter. Tenable NetFlow Monitor Event Types These are the event types that the Tenable NetFlow Monitor can currently generate: > TFM-TCP_Session_Whole > TFM-TCP_Session_Partial > TFM-UDP_Activity > TFM-TCP_Session_Whole_1MB > TFM-TCP_Session_Whole_10MB > TFM-TCP_Session_Whole_100MB > TFM-TCP_Session_Whole_1000MB > TFM-TCP_Session_Whole_Long > TFM-TCP_Session_Partial_Long Usage Once the tfm.conf file is configured correctly, simply invoke the tfmd binary from the command line. Traffic from NetFlow version 9 will produce records that will have a trailing 0. This will be seen in the LCE host when viewing log data from the LCE. An example of these records is shown below: Copyright Tenable Network Security, Inc. 41

42 Tue Jul 18 13:30:27 - TFM-TCP_Session_Partial[46 0]: :5190 -> : Tue Jul 18 13:30:39 - TFM-TCP_Session_Partial[9492 0]: : > : Tue Jul 18 13:31:05 - TFM-TCP_Session_Partial[0 757]: :4136 -> : Available fields within this raw output include (from left to right): > Alert date/time > Alert name > [Bytes downloaded Bytes uploaded] > Source IP:port > Destination IP:port > Start time (Unix timestamp) > End time (Unix timestamp) > Length of session (in seconds) Running the tfmd binary with the h switch will provide you with a list of the available command line options as shown here: [root@linux]# /opt/netflow_monitor/tfmd -h usage:./tfmd [ -v ] [ -e ] [ -f <pcap file> ] [ -p <port> ] -v Display version information and exit -e Enable event reporting on the terminal. All events reported to the LCE server are also printed to the screen. -f Allows the user to feed a pcap file to the agent as the event source, in lieu of using live NetFlow data. -p Allows the user to specify the live NetFlow traffic port on the command line. This is the same as, and will override, netflow-serverport in the tfm.conf file. -h Display this help information and exit. Tenable Network Monitor The Tenable Network Monitor (TNM) is designed to monitor network traffic and send session information to the LCE server. It can also sniff syslog messages sent from one point to another and treat them as if they were originally sent directly to the LCE. The following is an example of the tnm.conf configuration file: options { Copyright Tenable Network Security, Inc. 42

43 # Network Monitor log messages are stored in files named according # to the date in the following directory. log-directory "./"; # The heartbeat-frequency option defines the number of seconds # between each pair of client heartbeat messages that are sent to # the server. heartbeat-frequency "300"; # The network monitor provides the option of periodically sending a # log file containing performance statistics to the LCE server. The # following option determines the number of minutes between each # performance statistics report. When the next line is commented # out or removed, performance reporting is disabled. statistics-frequency "60"; # The network monitor automatically generates a TCPDUMP filter # expression that selects which network packets will be processed. # This expression is based on the syslog monitoring settings below. # The following option allows the default filter to be # overridden with a custom expression. filter-expression "tcp or icmp or udp port 514"; # This section defines the IP address and authentication password # for connections to the Log Correlation Engine server. In the # example, the server is located at (localhost), where a # password of "tenable" has been set for the client. Only one LCE # server is currently supported. lce-server { client-auth auth-secret-key "tenable"; } # The LCE server can be configured to listen on a user-specified # port. The setting below should match the server setting, which is # by default. server-port "31300"; # The network monitor will report traffic from only the interfaces # listed below. #interface "eth0"; interface "vxn0"; # Traffic containing syslog messages is forwarded to the LCE server # for the hosts matching the filtering criteria in the final # section. The following specifies the protocol/port pairs for which # all traffic will be processed as syslog messages. # These settings should match the syslog or syslog-ng configuration. monitor-syslog-port "udp/514"; monitor-syslog-port "tcp/1468"; Copyright Tenable Network Security, Inc. 43

44 } # When the below option is set to yes, only syslog messages are # reported, and all all other traffic is ignored. syslog-only "no"; # The following section defines the networks on which syslog will be # monitored. The network monitor will report syslog messages received at the # above specified ports for any IP address matching the filter criteria. include-networks { " /32"; " "; } exclude-networks { } tnm.conf The following table describes the configuration options available in the tnm.conf configuration file: Option log-directory heartbeat-frequency statistics-frequency filter-expression lce-server server-port interface monitor-syslog-port Description Directory where LCE client logs are stored. If the logdirectory keyword is commented out, then the client install directory will be used. Otherwise, ISO 9000 compliant log files will be saved in the specified directory. The Tenable Network Monitor can be configured to send a "heartbeat" message to the LCE. This message indicates that the client is still alive and performing normally. The frequency with which the Tenable Network Monitor sends a log entry containing performance statistics to the LCE. The network monitor automatically generates a TCPDUMP filter expression that selects which network packets will be processed. This expression relies on the syslog monitoring settings being enabled. Directs the Tenable Network Monitor to the IP address or hostname of the LCE, and specifies the password used to connect. The port the LCE listens to as designated by the lce-server directive. The network interface(s) from which the Tenable Network Monitor will report traffic. The protocol/port designation that is used to forward syslog messages to the LCE server. Copyright Tenable Network Security, Inc. 44

45 syslog-only include-networks exclude-networks Directive to only report syslog messages; yes or no. Specify which networks are to be included in monitoring activity. Designate specific networks to exclude from monitoring activity. Functionality The tnmd tool will report on TCP sessions it sees. For example, if there is an FTP session, it will report when the session starts and when it is completed. If the session has no activity for a certain amount of time, tnmd will time out the session and log it as complete. For UDP and ICMP protocols, tnmd will log the individual packets. An example TNM alert is included in the screen capture below: Available fields within this raw output include (from left to right within the Message field): > Alert date/time > Alert name > Amount of traffic captured > Source IP:port > Destination IP:port > Uploaded bytes > Downloaded bytes > Start time (Unix timestamp) > End time (Unix timestamp) > Length of session (in seconds) Alerts can indicate many traffic anomalies including TCP data flows that occurred where more than a gigabyte of traffic was detected within the flow, an unusual traffic pattern that could indicate malicious or non-compliant activity. Using this information within the raw output enables the user to get a better picture of what actually happened during the session and increases network traffic visibility. Copyright Tenable Network Security, Inc. 45

46 When sending network traffic activity to the LCE, it is important to carefully consider the traffic source to monitor. The amount of network logs generated while monitoring a busy T3, 100 Mb or even Gigabit link can vastly outweigh the total amount of firewall, web log and IDS logs. However, monitoring activity on key servers, key protocols or even known malicious IP addresses is extremely useful. When used to aggregate syslog messages from another set of servers, make sure to specify the correct destination IP addresses for the syslog messages. Otherwise, the Tenable Network Monitor may ignore syslog messages you actually want gathered. Tenable also recommends deploying the TNM directly in front of or on any syslog gathering servers. The advantage of this is to work with the logs directly as they arrive from their source servers. syslog servers that forward messages often add additional data in front of the log, which increases the overall log size. In addition, logs that are forwarded often include source names for systems they may not be resolvable via DNS, making it harder to understand which system generated a log file. Using the TNM to sniff logs in motion preserves the source IP address of the original log. Command Line Options The tnmd binary has several command line options that are printed out when it is invoked with the help option. Here is a list of the current options: usage:./tnmd [ -v ] [ -e ] [ -r <pcap file> ] [ -t <TCP timeout> ] [ expression ] The v option displays the version of the TNM. The e will display the logs sent to the LCE on the local console via stderr. The r option specifies a TCPDUMP binary file that can be used to send older logs to the LCE. The t option specifies the amount of time of inactivity to be used by tnm before considering a TCP session dead. The last part of the command line allows for specification of a specific packet filter. Command line filtering options must be enclosed in quotation marks. For example, the following command line can be used to run tnmd and log all network data except for UDP packets and ports 80 and #./tnmd "not proto 17 and not port 80 and not port 6346" & A list of decimal protocol enumerations is found here: The tnmd is usually started via the network_monitor RC script in the system startup directory (for example, /etc/rc.d/init.d on Red Hat Linux systems). To change the default packet filter in the startup script, edit this script and go to the following entry on or about line 21: $NETWORK_MONITOR_DIR/$NETWORK_MONITOR_BIN &> /dev/null & To modify this default setting, add your filter statement after the command statement such as this: Copyright Tenable Network Security, Inc. 46

47 $NETWORK_MONITOR_DIR/$NETWORK_MONITOR_BIN tcp or icmp or udp port 514 &> /dev/null This particular statement matches on any TCP or ICMP traffic and also collects any UDP based syslog traffic. Performance Considerations When running the TNM, it is important to consider how much data you are collecting and what you are doing with the data. If you are not doing anything with a certain set of data and you do not have a requirement to collect it, you can improve the performance of your LCE and the total useful storage capacity by not collecting it. Consider these strategies when collecting logs: > Ignoring UDP traffic in general, or at least UDP protocols to your basic services can save you many records. For example, ignoring DNS lookups to your DNS servers will save you logging these events that are repetitious. > If you have acceptable logs from your , web and other services, consider ignoring port 80, port 443 and port 25 to these servers. > If you have a long term requirement to store logs but not necessarily network traffic, consider deploying a single LCE for log aggregation and then add a secondary LCE to gather network traffic. You might be able to store your logs much longer than your network traffic. With two LCEs, the LCE host can also query both of these and unify their results in a user-friendly graphical display. Tenable RDEP Monitor The Cisco RDEP protocol has been deprecated as of IDS version 5.x and is no longer available for legacy mode with Cisco version 7.x and greater. Use Tenable s SDEE Monitor instead for these Cisco IPS devices. Cisco s legacy intrusion detection appliances make use of a protocol known as RDEP. The Tenable RDEP Monitor (TRM) client is designed to connect into a Cisco IDS appliance and retrieve new events for processing by the LCE. The trm.conf file has several configuration options as shown in the following example: options { # Log messages will be stored in a file named according to date in the # following directory. log-directory "./"; # This section defines the login information for the LCE server. Only # one LCE server is currently supported. lce-server ; lce-password "tenable"; # The LCE server can be configured to listen on a user-specified port. # The setting below should match the server setting, which is by # default. server-port 31300; Copyright Tenable Network Security, Inc. 47

48 # The heartbeat-frequency option defines the number of seconds between # each pair of client heartbeat messages that are sent to the server. heartbeat-frequency 300; # The LCE client provides the option of periodically sending a log file # containing performance statistics to the LCE server. The following # option determines the number of minutes between each performance # statistics report. When the next line is commented out or removed, # performance reporting is disabled. statistics-frequency 60; # run forever #daemonize; # print parsed events to standard error debug; # only parse and forward the latest events latest-events-only; # The next option sets the amount of time in seconds between each # interval at which the IDS device is checked for new events. This # option is only meaningful if daemonize is set above. poll-interval 300; # In addition to the Log Correlation Engine, events downloaded from the # RDEP device can also be forwarded to up to 8 syslog servers. The # syslog-server keyword defines the address at which each is located. # syslog-server ; # The following section sets configuration information for an RDEP # server. Multiple servers can be added by providing an RDEP-server {} # block for each. RDEP-server { address ; port "443"; use-ssl; user "cisco"; password "Att@ck!"; # subscription based retrieval retrieval-method subscribe; event-types { evalert; } alert-severities { # or all # informational # low; Copyright Tenable Network Security, Inc. 48

49 } } } medium; high; trm.conf The following table describes the configuration options available in the trm.conf configuration file: Option log-directory lce-server lce-password server-port heartbeat-frequency statistics-frequency daemonize debug latest-events-only poll-interval syslog-server Description Directory where LCE client logs are stored. If the logdirectory keyword is commented out, then the client install directory will be used. Otherwise, ISO 9000 compliant log files will be saved in the specified directory. Specifies which LCE server this client will send events to. Specifies the password for the LCE server, if used. Specifies the port that the LCE server listens on. Determines how often the TRM client sends a heartbeat message to the LCE to indicate that the client is still alive and performing normally. Determines how often the TRM client sends performance statistics to the LCE server. Specifies that the trm client is to run in the background as a daemon, if uncommented. Prints out a variety of status messages to the command line, if enabled. It is recommended that this be enabled when connecting to the remote Cisco IDS sensors for the first time. Causes the trm binary to skip to the most recent event and then only report new events. Tenable recommends that the trm be configured to skip forward to the last event by enabling this option. Specifies how often (in seconds) the trm shall attempt to connect to the remote Cisco IDS sensors. Tenable recommends five minute intervals on busy or heavily loaded Cisco IDS sensors. However, smaller time intervals such as 30 seconds will provide more fidelity in event logging. If syslog event forwarding is desired, the IP address of this server can be specified with this keyword. Copyright Tenable Network Security, Inc. 49

50 RDEP-server This section specifies a single Cisco IDS sensor to aggregate events from. Multiple RDEP-server entries can be specified in a single trm.conf file. This particular construct specifics the IP address, account and password for the trm to log into the sensor. In addition, there are some default parameters such as which port, the type of encryption (the use-ssl keyword) and the event-type keyword that specify how the events are to be retrieved. Last, the alert-severity keyword is used to specify what type of IDS events from the Cisco sensor are to be retrieved. Tenable SDEE Monitor Cisco s line of intrusion detection appliances makes use of a protocol known as Security Device Event Exchange (SDEE). The SDEE is a Simple Object Access Protocol (SOAP) based intrusion detection system (IDS) alert format and transport protocol specification. The Cisco SDEE protocol is a replacement for the Cisco RDEP protocol. The Tenable SDEE Monitor client is designed to connect into a Cisco IDS appliance and retrieve new events for processing by the LCE. The sdee_monitor.conf file has several configuration options as shown in the following example: options { # SDEE Monitor log messages are written to a file named according to # the date in the directory specified below. log-directory./ # The following section defines the IP at which the LCE server is # located, as well as the authentication required to log in. Only # one LCE server is currently supported. For example, use the # following to configure an LCE server at (localhost) # using the password "s3kret" lce-server { client-auth auth-secret-key tenable } # The LCE server can be configured to listen on a user-specified port. # The setting below should match the server setting, which is by # default. server-port # Each SDEE-server block describes a security device that should be # queried for events. SDEE-server { address port 443 the # When the SSL keyword is present, all communication between # SDEE Monitor and the security device will be encrypted. SSL Copyright Tenable Network Security, Inc. 50

51 username admin password password # The retrieval-start-time option sets the time of the earliest # event that should be retrieved. Setting this option to 0 will # result in all events on the security device being downloaded. # Leaving this value undefined will cause only new events to be # obtained. Otherwise, the time is specified in epoch seconds. # retrieval-start-time 0 } # Only events matching the following alert severities will be # retrieved. alert-severities { all # informational # low # medium # high } # The next option sets the amount of time in seconds for the # interval at which the configured security devices are checked for # new events. poll-interval 150 # In addition to the Log Correlation Engine, events downloaded from # the security device can also be forwarded to one or more syslog # servers. # The syslog-server keyword defines the address at which each is # located. # syslog-server # syslog-server # The heartbeat-frequency option defines the number of seconds # between each # pair of client heartbeat messages that are sent to the LCE server. heartbeat-frequency 300 # The SDEE monitor provides the option of periodically sending a log # file containing performance statistics to the LCE server. The # following option determines the number of minutes between each # performance statistics report. When the next line is commented out # or removed, performance reporting is disabled. statistics-frequency 60 Copyright Tenable Network Security, Inc. 51

52 } # When the following line is uncommented, extra debugging # information is logged. # debug sdee_monitor.conf The following table describes the configuration options available in the sdee_monitor.conf configuration file: Option log-directory lce-server lce-password server-port SDEE-server Description SDEE Monitor log messages are written to a file named according to the date in the directory specified. Specifies which LCE server by IP address or hostname where this client will send events. A LCE server is not required to use this tool. Specifies the password for the LCE server, if used. Specifies the port that the LCE server listens on (default: 31300). This section specifies a single Cisco IDS sensor from which to aggregate events. Multiple SDEE-server entries can be specified in a single sdee_monitor.conf file. This particular construct specifics the IP address, port (443), encryption (SSL), username/password for the sdee_monitor to log into the sensor, retrieval-start-time and alert-severities. The retrieval-start-time option sets the time of the earliest event that should be retrieved. Setting this option to 0 will result in all events on the security device being downloaded. Leaving this value undefined will cause only new events to be obtained. Otherwise, the time is specified in epoch seconds. The alert-severities keyword is used to specify what type of IDS events from the Cisco sensor are to be retrieved. Severities include: all (default), informational, low, medium and high. poll-interval syslog-server Specifies how often (in seconds) the SDEE Monitor will attempt to connect to the remote Cisco IDS sensors. Tenable recommends five minute intervals on busy or heavily loaded Cisco IDS sensors. However, smaller time intervals such as 30 seconds will provide more fidelity in event logging. If syslog event forwarding is desired, the IP address of one or more servers can be specified with this keyword. Copyright Tenable Network Security, Inc. 52

53 heartbeat-frequency statistics-frequency debug Determines how often the SDEE Monitor sends a heartbeat message to the LCE to indicate that the client is still alive and performing normally. Determines how often the SDEE Monitor sends performance statistics to the LCE server. Prints out a variety of status messages to the command line, if enabled. It is recommended that this be enabled when connecting to the remote Cisco IDS sensors for the first time. LCE UNIX CLIENT OPERATIONS This section describes the administrative functions of the LCE Unix clients including starting, halting and monitoring. Starting the LCE Unix Clients As noted earlier in this document, the LCE 3.4 package includes start-up scripts that are installed in the system start-up directory (e.g., /etc/init.d) on the respective platform. The provided start-up scripts are designed to check if the LCE client is already running and will not start a second instance. Although it is possible to manually start the LCE client without using the provided script, it is not recommended to do so as it could result in multiple instances of the LCE client daemon running. If there are errors in the configuration file, they will be displayed in the LCE Client log, which is under the appropriate client directory (e.g., /opt/lce_client for the LCE Log Agent, /opt/network_monitor for the Tenable Network Monitor client, etc. by default) in the format of YEARMon.log. At the LCE server, using the netstat pan grep command will list all of the established LCE client connections. At any time, the version of the LCE client can be determined by running it with the -v option, as follows: # /opt/lce_client/lce_clientd -v LCE Client # Below is a table that displays how to start the client software on the various platforms: LCE Client Starting Methods Red Hat LCE OPSEC Client # service lce_client start or # /etc/init.d/lce_client start # service lce_opsec start or Copyright Tenable Network Security, Inc. 53

54 # /etc/init.d/lce_opsec start LCE Splunk Client LCE WMI Monitor Agent Tenable NetFlow Monitor Tenable Network Monitor Tenable RDEP Monitor Tenable SDEE Monitor # service lce_splunk start or # /etc/init.d/lce_splunk start # service wmi_monitor start or # /etc/init.d/wmi_monitor start # service netflow_monitor start or # /etc/init.d/netflow_monitor start # service network_monitor start or # /etc/init.d/network_monitor start # service rdep_monitor start or # /etc/init.d/rdep_monitor start # service sdee_monitor start or # /etc/init.d/sdee_monitor start FreeBSD Tenable NetFlow Monitor Tenable Network Monitor # /usr/local/etc/rc.d/lce_client start # /usr/local/etc/rc.d/netflow_monitor start # /usr/local/etc/rc.d/network_monitor start AIX # /etc/rc.d/init.d/lce_client start Fedora # service lce_client start or # /etc/init.d/lce_client start Solaris # /etc/init.d/lce_client start Mac OS X Copyright Tenable Network Security, Inc. 54

55 # SystemStarter start LCEClient Debian Tenable Network Monitor # /etc/init.d/network_monitor start Ubuntu # /etc/init.d/lce_client start Dragon Appliance # /etc/rc.d/rc.lce_client start Halting the LCE Unix Clients LCE client software can be halted using any one of three methods; Use the kill command to cause the process of the lce_client program to stop running, use the service command or use the init.d script. The following table demonstrates how to halt the various client software: LCE Client Halting Methods Red Hat LCE OPSEC Client LCE Splunk Client LCE WMI Monitor Agent Tenable NetFlow Monitor Tenable Network Monitor # service lce_client stop or # /etc/init.d/lce_client stop # service lce_opsec stop or # /etc/init.d/lce_opsec stop # service lce_splunk stop or # /etc/init.d/lce_splunk stop # service wmi_monitor stop or # /etc/init.d/wmi_monitor stop # service netflow_monitor stop or # /etc/init.d/netflow_monitor stop # service network_monitor stop or # /etc/init.d/network_monitor stop Copyright Tenable Network Security, Inc. 55

56 Tenable RDEP Monitor Tenable SDEE Monitor # service rdep_monitor stop or # /etc/init.d/rdep_monitor stop # service sdee_monitor stop or # /etc/init.d/sdee_monitor stop FreeBSD Tenable NetFlow Monitor Tenable Network Monitor # /usr/local/etc/rc.d/lce_client stop # /usr/local/etc/rc.d/netflow_monitor stop # /usr/local/etc/rc.d/network_monitor stop AIX # /etc/rc.d/init.d/lce_client stop Fedora # service lce_client stop or # /etc/init.d/lce_client stop Solaris # /etc/init.d/lce_client stop Mac OS X # SystemStarter stop LCEClient Debian # /etc/init.d/lce_client stop Ubuntu # /etc/init.d/lce_client stop Dragon Appliance # /etc/rc.d/rc.lce_client stop Copyright Tenable Network Security, Inc. 56

57 On most Unix or Linux systems running the command ps -e grep lce_clientd will provide output similar to 32321? 00:00:15 lce_clientd. The first set of numbers is the process ID. Once the process ID is known, the command kill can be used to kill the client process. Monitoring Log Correlation Engine Client Status While running, the lced process will keep track of LCE client status in a file named client.status located in the /opt/lce/admin/log directory. Below is an example listing: # pwd /opt/lce/admin/log # cat client.status Client[ ]: HeartBeatTime[Jul 07, 08 13:43] : Logged in Alive Client[ ]: Not logged in Client[ ]: Not logged in Client[ ]: Not logged in Client[ ]: HeartBeatTime[Jul 07, 08 13:44] : Logged in Alive Client[ ]: Not logged in Client[ ]: HeartBeatTime[Jul 07, 08 13:44] : Logged in Alive Client[ ]: Not logged in Client[ ]: HeartBeatTime[Jul 07, 08 13:43] : Logged in Alive # For each configured LCE client, the IP address specified in the lce.conf file will be displayed as well as if it has logged in, the time of the last heartbeat and if the client is considered alive or dead. The tail -f command is not effective on this log file since it is completely rewritten each time the lced process detects a change in a client s status. The following are possible status messages and their descriptions: Message Not logged in Logged in Dead Logged in Alive Description The client has not logged in at all yet, or has been shutdown gracefully. The client has logged in before but, for some reason, has not sent in any data. This could be an indication of an issue on the client side. The client is working and sending data when it needs to. Log Correlation Engine Client Reconnection Attempts The LCE client will attempt to reconnect every minute until it can re-establish a connection with the server if the following conditions occur: Copyright Tenable Network Security, Inc. 57

58 > The LCE server lced process stops > The network connection between the client and the server breaks > The client is removed from the server s configuration file (this requires a restart of the service to take affect) LOG CORRELATION ENGINE WINDOWS CLIENT The Log Correlation Engine Windows Log Agent client monitors events as well as specific log files or directories for new logs. Tenable currently has two Windows s, one for Windows XP/2003 platforms and one for Windows Vista/2008/7 platforms. Platform LCE Client Type Install File Name and Utility MS Windows XP Professional, Windows Server 2003 MS Windows Server 2008, Windows Vista, Windows 7 lce_client-3.x.x-windows_2003_x86.msi lce_client-3.x.x-windows_2008_x86.msi lce_client-3.x.x-windows_2008_x64.msi INSTALLING THE WINDOWS CLIENT The LCE Windows Log Agent client installs by clicking on the.msi distribution file, which will launch the InstallShield Wizard. A license agreement will be displayed that the user must agree to before installation can commence. The user will be asked to choose if the application is to be shared or not, as shown in the following screen: Copyright Tenable Network Security, Inc. 58

59 Installation Location The next screen allows the user to change the default installation location: If you wish to use the default location, simply click on Next and a screen will be displayed to begin the installation by clicking on Install. After a few minutes, the InstallShield Wizard will display a screen indicating that the installation is complete. You may be prompted to restart your system for the configuration changes to take effect once installation is complete. Service Location Once installation is complete, a new Windows Service named the Tenable LCE Client will be added that can be viewed through the Control Panel -> Administrative Tools -> Services window as shown below: Copyright Tenable Network Security, Inc. 59

60 REMOVING THE LCE WINDOWS CLIENT To remove the LCE Windows Log Agent client, under the Control Panel open Add or Remove Programs or Programs and Features depending on your version of Windows. Select Tenable LCE Client and then click on the Change/Remove button. This will open the InstallShield Wizard. Follow the directions in this wizard to completely remove the LCE client. WINDOWS CLIENT CONFIGURATION To configure the LCE Windows Log Agent client launch the LCE Configuration tool located at C\Program Files\Tenable\LCEClient\LCEConfig.exe. This tool allows configuration of LCE server connectivity as well as configuration of the Windows event logs, file logs and directories to be monitored. An example startup screen for the LCE Windows Client Configuration tool is shown below: General Copyright Tenable Network Security, Inc. 60

61 By default, the client is configured to connect to with a password of password. This must be modified to the IP address or hostname of the LCE server, and the password configured on the LCE server for this particular LCE Windows Log Agent client. When configuring the client, the default screen also includes the following three parameters: > Send new events only this causes the client to monitor the Windows event log from the very moment it starts. It ignores all events that were previously in the event log. For testing purposes, it may be useful to send all of the events currently in the event log by unchecking this box. > Poll every some number of seconds this causes the client to poll the local system to see if any USB or disk drives were removed or added since the last polling. If any changes were detected, the client will send a log that results in a Windows-LCE_Client_Detected_Attached_Drive or a Windows- LCE_Client_Detected_Removed_Drive event. > Send performance data every some number of seconds this specifies how often the performance data is sent to the LCE. Heartbeats The Heartbeats tab of the LCE Client Configuration tool allows you to set how often a heartbeat message will be sent to the LCE server indicating that the client is still alive and functioning normally, as shown in the screen below: Copyright Tenable Network Security, Inc. 61

62 The following is an example of the heartbeat message sent from the LCE Windows Log Agent client to the LCE: LCE Client Heartbeat Hostname: ga2k3ten IP: Revision: Windows LCE Client v Due to the design of the LCE client for Windows, the heartbeat will not be sent at a faster rate than the Poll Every setting in the General section. Therefore, if the heartbeat is set for less time than the Poll Every setting, heartbeats will not be seen at that rate. Local Event Logs The LCE Windows Log Agent client can also be configured to send any combination of event logs that are available. The Local Event Logs tab displays a list of available event log sources to send to the LCE server. By default, the security, application and system logs will be present, but other applications may add their own log file sources. An example of the Local Event Logs tab is shown below: Copyright Tenable Network Security, Inc. 62

63 Remote Event Logs The Remote Event Logs tab can be used to configure forwarding of Windows events from remote hosts using WMI. To enable remote WMI access on the remote host, add a new registry key named LocalAccountTokenFilterPolicy and set its value to 1. This key should be created in the registry at the following location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\LocalAccountT okenfilterpolicy For more information on this technique, please consider the following MSDN blog entry: Copyright Tenable Network Security, Inc. 63

64 To add a host, click on the New button and fill in the information in the following screen: After submitting the host details, the LCE client will restart and new log information will be forwarded via WMI calls. This process will create an XML file called lce_wmi_config.xml, Copyright Tenable Network Security, Inc. 64

65 located in the LCE client folder (usually C:\Documents and Settings\All Users\Application Data\Tenable\LCE Client on Windows XP/2003 or C:\ProgramData\Tenable\LCE Client on Vista/2008/7). Each time you add a new host, it will be appended to the lce_wmi_config.xml file. The lce_wmi_config.xml file for Windows Vista/2008/7 is stored in a hidden folder and will not show up under a default Windows search or file browsing. Ensure that Show hidden files and folders or its equivalent is enabled within your folder options. To add a list of hosts from a file, use the Add hosts from file.. button to select an XML formatted file with multiple hosts. For example, a user could individually add each remote host in the LCE client on one system and manually copy the XML file to another system and use the Add hosts from file button to import it to that system s LCE log Agent client. See Appendix 3 for an example of the lce_wmi_config.xml file. If the system where the LCE client is running is part of a workgroup, the client service needs to run as an administrator account in order to receive events from remote hosts. By default, the LCE client is configured to log on and run as the Local System account. To change this to log on as an administrator account, go to the Services utility under Administrative Tools, right-click on the Tenable LCE Client service, select Properties and then select the Log On tab. An example screen capture is shown below: Restart the LCE client service for the setting to take effect. Copyright Tenable Network Security, Inc. 65

66 Log Files The Log Files tab in the LCE Client Configuration tool allows you to select which log files you wish to send to the LCE server. It can be directed to tail specific log files or all of the log files in a given directory. When tailing a log file, the LCE Windows Log Agent client will continuously check the file for any new data written to it. When tailing an entire directory of log files, the LCE Windows Log Agent client will tail all of the files present in that directory, including new files. To add a specific log file to tail, click on the Add log file tab and select which log file you want to have tailed. To tail an entire directory of log files, click on the Add log folder tab and select the log file folder you wish to tail. An example screen capture showing the LCE Windows Log Agent client configured to tail both a specific log file and a log folder is shown below: If you choose to add a log folder, a dialog box will be displayed allowing you to specify which log files you wish to include or exclude. This display box supports the asterisk (*) and question mark (?) as regex qualifiers. If you do not wish to include or exclude any specific log files in this folder, simply close this box and the log files for the entire folder will be tailed. A sample of this dialog box is shown below: Copyright Tenable Network Security, Inc. 66

67 Ensure that any binary or other unnecessary files within the monitored folder are excluded from the list of log files. This is particularly important when specifying a folder that contains a large number of files. Newly created/added files within a monitored folder that are not explicitly excluded will be logged by default. Monitor Files and Folders As of LCE Client version 3.4.2, the following Windows folders are monitored by default when Monitor the default is selected: > C:\Program Files\Tenable\LCEClient > C:\WINDOWS\system32 > C:\WINDOWS\system This list cannot be edited if LCE client or greater is installed; however, deselecting Monitor the default and adding a list of files/folders specific to the system serves the same general purpose. LCE 3.4 and greater clients have the ability to monitor individual files or entire folder content to detect unauthorized changes and validate file integrity. The attributes that are monitored include the following: 1. File md5sum 2. File attribute changes (Hidden, Archive, System, Read only or Compressed) 3. File ownership/permission changes 4. File additions (monitored, but do not trigger an alert) 5. File removals 6. File moves 7. Directory ownership/permission changes File additions to a monitored folder are silently indexed, but do not trigger an alert. Subsequent modification or deletion of these files will trigger an alert. Copyright Tenable Network Security, Inc. 67

68 A sample screen capture of the Monitor Files interface is shown below: The following options are available from the Monitor Files screen: Option Interval (Sec) Monitor the configuration file Description The interval in seconds between times when the LCE client performs its checks. An integer value between 1 and is required. Checkbox that directs the LCE client to monitor its own configuration file and registry entries for any changes. The following two items are monitored for changes: > The lce_wmi_config.xml file > The registry entries under the following key: HKEY_LOCAL_MACHINE/Software/Tenable/LCEClient This registry path is the default for 32-bit Windows systems. The path can differ depending on the host s system architecture or configuration. Monitor the default This option tells the LCE client to monitor a predefined set of folders/files. If Monitor the default is selected, the default set Copyright Tenable Network Security, Inc. 68

69 of folders to monitor is added to your list of monitored files or folders. The default list covers some well-known locations that are important to protect. The default monitor list is not editable for the LCE client or greater. Monitor Sub Folders Add File Add Folder Delete Set Filters This option will monitor subfolders of the folders selected for monitoring. Option to monitor any files on the existing file system for changes. Option to monitor one or more files under the selected folder. By default, all files are monitored, but the Set Filters option can be used to narrow down the file selection based on desired parameters (e.g., file mime type or file name). Remove one or more files or folders from the monitored list. Narrow down the selection of files to be monitored in a directory based on wildcard parameters. For example, setting an Include filter of *.* instructs the LCE client to monitor all files within the selected folder. Adding an Exclude filter with *.com, *.dll and *.exe will exclude files with those extensions in the directory from being monitored. See the example screen capture below: Adding a specific file or file extension to be included will automatically exclude all other files and file types in the directory. LCE WINDOWS CLIENT OPERATIONS This section describes the administrative functions of the LCE Windows Log Agent client, including starting, halting and monitoring. Copyright Tenable Network Security, Inc. 69