RE: [logs] Monitoring Windows Security Events

From: Daniele Muscetta (daniele@private)
Date: Thu Oct 09 2003 - 15:21:48 PDT

  • Next message: Frank Heyne: "RE: [logs] Monitoring Windows Security Events"

    On Thu, 2003-10-09 at 22:28, Eric Fitzgerald wrote:
    > Only the security log.  This is a security event collection system, not
    > a general-purpose management system. 
    > 
    
    Little question out of curiosity... is it somehow derived from or based
    on MOM ?
    
    With Best Regards, 
    
    Daniele Muscetta
    
    
    > -----Original Message-----
    > From: Safier, Adam * [mailto:Safier@private] 
    > Sent: Thursday, October 09, 2003 1:23 PM
    > To: Eric Fitzgerald; loganalysis@private
    > Subject: RE: [logs] Monitoring Windows Security Events
    > 
    > Eric,
    > 
    > Will it also capture the other MSFT logs?  (i.e. system and application)
    > or only the security Log?
    > 
    > Adam
    > 
    > -----Original Message-----
    > From: Eric Fitzgerald [mailto:ericf@private]
    > Sent: Thursday, October 09, 2003 1:17 PM
    > To: loganalysis@private
    > Subject: RE: [logs] Monitoring Windows Security Events
    > 
    > 
    > Microsoft is working on a project called the Microsoft Audit Collection
    > System, which will be released at the same time as Windows Server 2003
    > SP1.
    > 
    > This is a client-server application to collect security event logs
    > securely to a central database, and also to provide a platform for
    > real-time intrusion detection.
    > 
    > The design goals for MACS were:
    > 1. Move towards auditor-administrator role separation via real-time
    > audit export 2. Enhance analyzability of security events 3. Provide a
    > platform for real-time distributed HIDS 4. Collect events securely
    > 
    > Non-goals were:
    > 1. Windows NT 4.0 support
    > 2. Support for other event logs
    > 3. Support for syslog, snmp, beep, etc.  (We considered and rejected
    > these and other protocols before implementing our own transport
    > protocol)
    > 4. Support for non-Microsoft SQL databases
    > 
    > Our agent runs as a service on the monitored machine, monitors the
    > security log, packages the events and transfers them to the collector in
    > near-real-time (we hold non-full network buffers for a short time a la
    > Nagle).
    > 
    > The agent mutually authenticates to the collector using Kerberos or SSL.
    > 
    > The agent normalizes the events to a Windows Server 2003 schema, adds
    > additional information (name if only SID/GUID present & vice versa),
    > compresses, encrypts, and transmits the event.  All insertion strings
    > are kept in their original format; we don't combine the event data with
    > the event message.
    > 
    > Encryption is 128-bit RC4 with periodic re-keying.
    > 
    > Connection is a socket connection over a configurable TCP port; service
    > location is via SRV records or local configuration.
    > 
    > The agent pre-allocates all necessary memory at startup (it can't leak).
    > Working set size is <2.9Mb; CPU usage is typically <0.5% even under
    > heavy load.  The agent uses the security log itself as a transmit
    > buffer.  There is a configurable heartbeat mechanism.
    > 
    > The collector receives, decrypts, & decompresses the events.  The
    > collector adds type information to each field of each event (we have
    > developed an XML schema for the security event log, the collector
    > pre-reads this and uses this to add the type information).
    > 
    > The collector acts as a WMI provider; applications can be written to
    > subscribe to the collector and receive a filtered, normalized event
    > stream in real time.  In this way any HIDS logic does not have to run
    > inside the collector but can be placed externally; new logic can be
    > added, changed, or removed dynamically by unsubscribing and
    > re-subscribing.
    > 
    > The collector then loads the events into a database.  The database
    > loader uses a configurable pre-filter to discard unwanted events.  Note
    > that the agent does not support pre-transmit filtering; this introduces
    > complexity and prevents reliable event sequence gap detection.  The
    > database loader then loads the events into a Microsoft SQL Server 2000
    > database.
    > 
    > All string data is stored in a single-instance fashion, reducing the
    > storage overhead in the database and increasing query performance.  Any
    > field of any event can be queried directly by value or type.  The
    > database loader also prunes the database, discarding events over a
    > configurable age.
    > 
    > MACS will be an out-of-band release of a Windows component.  That is,
    > MACS will be part of Windows in future releases.  MACS agent is a
    > no-cost add-on license to Windows 2000 and all later releases.  MACS
    > collector is a no-cost add-on license to Windows Server 2003.  That is
    > to say, if you own a valid Windows 2000 or later license, you may run
    > MACS agent on it.  If you own a valid Windows Server 2003 license, you
    > may run MACS collector on it.  You will have to purchase SQL Server
    > licenses.
    > 
    > MACS is optimized to the security event log.  It collects event log data
    > in a different manner than MOM (which was mentioned earlier in this
    > thread).  MOM is great for system management but is very hefty for
    > security log management and has a number of limitations, such as a 30GB
    > database size limit.  MACS compares very favorably to MOM in terms of
    > database size, network traffic volume, and speed of collection.  However
    > MACS is not a general-purpose management tool.  MACS is designed to work
    > with management systems in general and will include a MOM management
    > pack.  It will also include all necessary documentation to use any other
    > management system that supports Windows, to manage MACS.
    > 
    > If you would like to participate in the MACS beta, please send me the
    > following:
    > 
    > 1. Name
    > 2. Passport-enabled email address (you *MUST* have a Passport; our beta
    > download site uses Passport authentication).
    > 3. Physical address
    > 4. Phone number
    > 
    > I'll be happy to answer any other questions about our project.
    > 
    > Thanks,
    > 
    > Eric Fitzgerald
    > Program Manager
    > Windows Core Security- Auditing & Security Reporting Microsoft
    > Corporation
    > 425-705-9601
    
    
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysis@private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
    



    This archive was generated by hypermail 2b30 : Thu Oct 09 2003 - 19:52:52 PDT