Setting up Alienvault / OSSIM and Snare to collect Windows Event Logs

Recently, I implemented a Security Information and Event Management (SIEM) tool called Alienvault / OSSIM  to monitor servers/event logs to ensure compliance with several customer security agreements.  I chose Alienvault because it combined several open source tools, providing a single pane of glass view into what would otherwise be several different tools (oh and I had no budget to do this with).  During the implementation I hit a snag when configuring Alienvalt to monitor Windows Server event logs.  After combing through the forums I found a combination of problems that needed to be fixed – hopefully this will help out others (while giving credit to all the posts we used to find the solution to our problem).

First, follow the documentation for setting up Alienvault and Snare (here).  When you get to the ‘That’s all’ line, that is where the fun begins (c’mon did you expect it to be THAT easy…it is Linux).  First off, I found that the Registry file you were told import did not import properly, I had to change the following key in the Windows Registry: HKLM\SOFTWARE\InterSect Alliance\AuditService\Network\DestPort – change this key to 514.  It was set to 6161.  Now I could see events appearing in the SYSLOG on our OSSIM server (you can do this by SSHing to your OSSIM server and running a tail -f ./var/log/syslog).

The second problem was the SNARE plugin was set to read and normalize the information from a log file that did not exist.  To correct, again SSH to your OSSIM server and edit the snare.cfg file by typing vi ./etc/ossim/agent/plugins/snare.cfg (quick vi reference sheet).  Comment out the source log line that reads location=/var/log/snare.log by placing a # in front of it, and entering a new line which reads location=/var/log/syslog and restart the OSSIM agent by running ./etc/init.d/ossim-agent restart.

Now all seemed swell, BUT (again c’mon its linux there is always a but) when we tried to add custom events to the SNARE configuration they would not appear even though I could see them hit the SYSLOG.  I tested the config file against the rules thanks to this post.  The first step was to create a test log file which I did by running grep -i 011104 ./var/log/syslog >> ./var/log/logtest.log.  Replace 011104 with the category ID from SNARE that matches your specific event.  Now I ran ./usr/share/ossim/scripts/regexp.py ./var/log/logtest.log /etc/ossim/agent/plugins/snare.cfg V to make sure it was matching the rules in the SNARE config file (snare.cfg) – which it was.  I found this updated config file thanks to ithowto.ro and replaced all of the events (just the last section of the file) in our SNARE config (for my Windows friends use FileZilla to SSH to your OSSIM server and navigate to the snare.cfg file, backup and replace it) and restarted the ossim agent again, but now we were not matching any of the rules.  After comparing the original snare.cfg with the one from the previous website, we pulled out the [Snare -zzz- Generic Rule] which we were matching to previously, dropped it at the top of the new list and renamed it it to [Snare-whywontyouwork] (I was a little grumpy after fighting this for 2 days), replaced the config file again and restarted the agent again and – like magic, our events were now appearing in the OSSIM web interface.  Why….1 word – linux.

A few other shout outs to folks in these posts:

http://labs.alienvault.com/labs/index.php/2007/tutorial-5-windows-event-logging/

https://www.alienvault.com/forum/index.php?t=msg&goto=7781&S=0040ef7607b76619b65b9362027f16ac

http://forums.fedoraforum.org/archive/index.php/t-241555.html

https://www.alienvault.com/forum/index.php?t=msg&goto=11110&S=aeff4b798095bfa89d45711ff32a743f

http://stujordan.wordpress.com/2012/02/15/snare-plugin-not-working-on-alienvault-ossim-3-1/