CompTIA CYSA+ CS0-002 Topic: Configuring Your SIEM Part 2
December 19, 2022

6. Syslog (OBJ 3.1)

Configuring a SIEM agent. In this lesson, I’m going to go into my lab environment and show you how to configure a security information and event management (SIEM) system. We’ll make sure that the agents on the systems in our network are configured so that they can report back to that server, which we can use for later analysis. In this lesson, I’m going to use Security Onion, which is an appliance that comes as a VM and implements things like the Elastic Stack, Kibana, and other SIEM functionality. The first thing we’ll do is go configure our sensor.

Now, I’ve already done this for us, but if you look on the right side of this diagram, you’re going to see the Unified Threat Management (UTM) system up at the top. That has a connection going to vLocal, and vLocal has a sensor feeding data into my SIEM. In addition to that, I’m also going to be collecting information from the Windows virtual machines at the bottom, MS1 and DC1. Both of those have data that’s being fed into vLocal, and using that sensor port, I’m going to collect that information and send it to my SIEM. So the next thing I want to do is go into my SIEM, open a terminal, and start dumping the information from the network that we’re capturing over that sensor wire.

So I’m going to type in “sudo tcpdump -n -i eth1 ip” and hit Enter. The -n switch tells tcpdump that we don’t want to use name resolution, because I’m not connected to the Internet, so I can’t look up things like google.com; I have to use IP addresses. The “ip” filter at the end is going to filter out any IPv6 traffic, so I’m just going to be focused on IPv4 traffic. This will ensure that I see traffic to and from my hosts on those two Windows machines as well as the unified threat management system. Once I’m done capturing this, I’m going to hit Ctrl+Z, and that will stop this traffic capture. Now, this traffic is going to be monitored by Bro. Bro is a passive network sensor that we’re going to basically use as an intrusion detection system; it’s part of that Unified Threat Manager. Those events have already been configured, so it’s going to write them into the SIEM. The SIEM is going to allow me to see what’s in there, and we’re going to use the Elastic Stack to do that.

If I want to check whether the Elastic Stack is running properly, I can do this by typing in “sudo so-status” and hitting Enter. This will give me output that shows that each service is up and running. If I get some kind of warning message, that means one of the things I’m using to collect this, things like Logstash, which is part of the Elastic Stack, might not be quite ready yet, so I would have to wait and then run that status check again. All right, from my desktop, I’m going to go ahead and open up Kibana. Inside Kibana, I’m going to log in with my username and password, and this is going to bring me to a dashboard. Kibana is a visualization tool, and it’s part of the Elastic Stack. It’s used to configure dashboards for different categories, showing us different information in a graph format or a table format. Now, if I go down under “Bro Hunting,” I can select Connections, and from here I can scroll down to verify that the hosts from the 10.1.0.0/24 network are present and accounted for. This will make sure that I’m seeing the information being sent to me by my intrusion detection system. Okay, now that we’ve confirmed that Kibana is properly configured, I’d like to perform some scans to ensure that Kibana is seeing live data. So I’m going to go into Zenmap, which is on my Windows machine, and I’m going to run a scan using the default Intense scan profile against 10.1.0.1. Zenmap is essentially just a graphical version of Nmap, which is a network scanner.

So it’s going to go through and perform this scan for me, and now I’m going to go back to Kibana. If I go under Alert Data, I can view the Bro notices and the NIDS categorization for scanning-activity alerts. If there are no results, you want to click on the Update button. As we do this, we should be able to detect the scan that the Windows machine is doing against this network. Kibana, on the server, is seeing all that data because we have port mirroring enabled off of that switch. Now, as you can see here, the NIDS alerts are being counted, and we can see those scans because we have this scan being run by our Zenmap. So this is telling me this process is working, and we’re able to see it in real time. The next thing we want to look at is how to install a Beats agent so we can capture data directly from the host, in the form of its log information, instead of just capturing things off of the network switch using port mirroring, like we were doing up to this point.

So we’re going to install the Beats agent. Let me go ahead and log into DC1, and from here I want to configure Beats. I do that by going under my lab files and then the winlogbeat folder, where you’ll see winlogbeat.yml, which is the configuration file. I’m going to right-click it and edit it with Notepad++. Now, as I edit this file, you have to remember that YAML files are very sensitive to whitespace. Every space is actually used and counted, so you can’t just add spaces willy-nilly; you’ve got to make sure you count correctly. These files use two spaces per indentation level: two spaces is the first level, two more, for a total of four spaces, is the second level, and so on.

All right, so we’re going to scroll down and locate the “output.logstash” section. In this section, I’m going to find line 111, which is the commented-out #hosts line, and I want to change where it says localhost to the IP address of my SIEM, so I can send the data from this machine over to the SIEM. That SIEM lives at 10.1.0.246. So my line should now read hosts: ["10.1.0.246:5044"], and 5044 is the port that my SIEM is configured to listen on. This will allow me to take data from any of the log files and send it back to that SIEM, which gives me another way to collect data. So I’m going to save this and close the file, and then I’m going to copy the winlogbeat folder to the C:\Program Files (x86) directory. Now I’m going to go into PowerShell and run a command to start this up. I’m going to change directories into the C:\Program Files (x86)\winlogbeat directory that I just created. Then I’m going to run winlogbeat, and to do this, I’m going to use the dot-slash notation.

So the command is .\winlogbeat.exe test config -c .\winlogbeat.yml -e. This says that I’m going to run winlogbeat, use it in test-configuration mode, the configuration file is going to be winlogbeat.yml, and then the -e switch at the end. If everything is right, the last line of output is going to say “Config OK.” If there is an error, that means I messed up the configuration file, but if not, I’m ready to keep going. At this point, I’m going to run two more commands, because I need to install that agent as a service inside Windows so it starts up every time I reboot this computer. To do this, I’m going to run .\install-service-winlogbeat.ps1 and then Start-Service winlogbeat. All right, now that I have that running, I have started it up, I have configured it as a service, and any time I restart this computer, Winlogbeat is going to be running for me. So let me go back into my SIEM now, and I want to run the command sudo so-allow-view. This is going to show me the firewall output, which has already been configured to allow the traffic from Beats over port 5044 into my SIEM.

Now, if I go back into Kibana, I should again see those NIDS dashboards and those Bro notices for the scanning alerts that I caused earlier by using Zenmap. If I go under the Beats dashboard under “Host Hunting,” I can start seeing events from DC1, where I just started the Beats agent. It may take some time for that to come in, and if yours aren’t there yet, you can click on “Update” or “Refresh” and keep checking. Over time, they’re going to start coming in, and you’ll see those different logs from that system. The next thing I’m going to do is configure some application logging. By default, Beats is going to capture the Application, System, and Security logs when you set it up on a Windows server.

Now, this is going to collect a lot of data and send a lot of it back to our SIEM, and some of it may or may not be relevant to what you want to do. If you’re doing incident detection or threat hunting, a lot of this just isn’t something you need; if you’re doing system troubleshooting, it’s stuff you may need. So you need to figure that out inside your organisation and determine what you want to log and how much. Let’s say we want to configure our application logs so we’re starting to send that data to the SIEM. Let’s go over to MS1, which is my IIS server machine. I want to go in there, look at the access logs from the Event Viewer, and then have Beats forward them to the SIEM. That way, I can get data about my web server. So let me go into MS1, and from here I’m going to go under Server Manager, select Tools, and then Internet Information Services (IIS) Manager. Inside IIS Manager, I’m going to select the server, MS1, and double-click on the Logging applet in the middle pane. This will show me the different options I have for log formats.

If you remember from our log formatting lesson, there are lots of different formats you can use, but I’m going to use the standard W3C format, which is really good for web application logs. Under Log Event Destination, I can select both the log file and ETW event and click Apply. This means I’ll log it locally to the computer and also emit it as an ETW event, which is what Beats will pick up. Now, if I go to File Explorer, I can copy the winlogbeat folder that I installed before on my domain controller to the local system here on MS1, my web server. I’m then going to go into PowerShell as an administrator, and I need to run this big, long, scary command. Again, this is something you don’t have to memorise for the exam.

But it is what we need to run to check the name of the event log that’s capturing those IIS events. So I’m going to type Get-WinEvent -ListLog * | Where-Object { $_.LogName -like "*IIS*" } | Format-List -Property LogName. That was a long one. So what is this saying? Well, I want to get all of the Windows event logs that meet these conditions. Get-WinEvent -ListLog * lists every log (the star means anything). Where-Object then keeps only the ones whose LogName contains “IIS,” and Format-List -Property LogName displays the result as a list showing just the LogName property. So if I take all those things together, I can find the logs I’m after. This query is going to match a couple of logs; in fact, three of them.

Then I want to copy the name “Microsoft-IIS-Logging/Logs” from the prompt: select it and press Enter to copy it. Now I’m going to open up the Program Files directory, go under the winlogbeat folder I just installed, and find that configuration file. In that file, under winlogbeat.event_logs, I want to add an entry that says - name: Microsoft-IIS-Logging/Logs. Now that I have this file configured the way I want, I’m going to close it and say yes to saving it. Then I’m going to go back into my administrator PowerShell prompt. I want to run the command to get into the directory for winlogbeat, which is cd "C:\Program Files (x86)\winlogbeat". Then I want to test the configuration file: .\winlogbeat.exe test config -c .\winlogbeat.yml -e, just like I did on the domain controller. If I did everything correctly, I should see output that says “Config OK,” which means I’m ready to move on.
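The two edits to winlogbeat.yml in this lesson (pointing output.logstash.hosts at the SIEM on port 5044, and adding the IIS ETW channel under winlogbeat.event_logs) both depend on the whitespace rules described above. The following is an added Python example, not part of the lesson or of Winlogbeat itself: it embeds a constructed winlogbeat.yml fragment and checks the things that most often make “winlogbeat.exe test config” fail, namely indentation that is not a multiple of two, a hosts line still pointing at localhost or still commented out, and a missing IIS channel. The tiny reader inside it only understands the few shapes winlogbeat.yml uses and is not a general YAML parser; the SIEM address 10.1.0.246 is the one used in the lesson.

```python
"""Sanity-check a winlogbeat.yml fragment before running 'winlogbeat.exe test config'.

Standard library only: an indentation-aware reader for the few shapes
winlogbeat.yml uses (top-level keys, two-space nesting, "- name:" items),
not a general YAML parser.
"""
import re

INDENT = 2  # winlogbeat.yml indents two spaces per level

# Constructed fragment carrying the two edits made in the lesson: the Logstash
# output pointed at the SIEM on port 5044, and the IIS ETW channel added to
# the collected event logs.
GOOD_CONFIG = """\
winlogbeat.event_logs:
  - name: Application
  - name: System
  - name: Security
  - name: Microsoft-IIS-Logging/Logs

output.logstash:
  hosts: ["10.1.0.246:5044"]
"""

# Three spaces instead of two on the hosts line: the mistake the lesson warns about.
BAD_INDENT_CONFIG = GOOD_CONFIG.replace("  hosts:", "   hosts:")
# Hosts line left commented out, as it ships by default.
COMMENTED_CONFIG = GOOD_CONFIG.replace("  hosts:", "  #hosts:")


def check_indentation(text):
    """Return (line_no, message) for every non-blank, non-comment line whose
    leading whitespace is a tab or not a multiple of INDENT spaces."""
    problems = []
    for no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        leading = re.match(r"[ \t]*", line).group(0)
        if "\t" in leading:
            problems.append((no, "tab used for indentation"))
        elif len(leading) % INDENT:
            problems.append((no, f"indent of {len(leading)} is not a multiple of {INDENT}"))
    return problems


def extract_logstash_hosts(text):
    """Return the host:port strings from an active (uncommented) hosts line
    under the top-level 'output.logstash:' key, or [] if there is none."""
    in_output = False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank or commented out: not active configuration
        if not line.startswith(" "):
            in_output = stripped == "output.logstash:"
            continue
        m = re.match(r"\s+hosts:\s*\[(.*)\]", line)
        if in_output and m:
            return [h.strip().strip("\"'") for h in m.group(1).split(",") if h.strip()]
    return []


def extract_event_logs(text):
    """Return the '- name:' values listed under the top-level 'winlogbeat.event_logs:' key."""
    names, in_block = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped and not line.startswith(" "):
            in_block = stripped == "winlogbeat.event_logs:"
            continue
        m = re.match(r"\s+-\s+name:\s*(\S+)", line)
        if in_block and m:
            names.append(m.group(1))
    return names


def check_config(text, siem_ip, port=5044):
    """Collect the findings a practitioner wants before running the agent."""
    findings = [f"line {n}: {msg}" for n, msg in check_indentation(text)]
    hosts = extract_logstash_hosts(text)
    if not hosts:
        findings.append("output.logstash.hosts not set (still commented out?)")
    elif f"{siem_ip}:{port}" not in hosts:
        findings.append(f"hosts {hosts} do not include {siem_ip}:{port}")
    if "Microsoft-IIS-Logging/Logs" not in extract_event_logs(text):
        findings.append("IIS ETW channel not in winlogbeat.event_logs")
    return findings


if __name__ == "__main__":
    for label, cfg in [("good", GOOD_CONFIG), ("bad indent", BAD_INDENT_CONFIG),
                       ("commented", COMMENTED_CONFIG)]:
        print(f"{label}: {check_config(cfg, '10.1.0.246') or 'no findings'}")
```

Run it before copying the folder to C:\Program Files (x86); the three sample fragments show a clean config, the off-by-one-space error, and the default commented-out hosts line, which is the case where the agent silently has nowhere to send data.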

Now I need to start it up as a service, just like I did on the domain controller: .\install-service-winlogbeat.ps1, then Enter, followed by Start-Service winlogbeat, then Enter. Now we have Winlogbeat, our Beats agent, running on both the domain controller and the web server. Next, I want to start generating some traffic. So I’m going to go over to PC1 and PC2, and I’m going to do things like accessing shared drives, browsing to different websites, or using Zenmap to scan some things. When I do this, it’s going to generate some traffic for this lab environment, both network traffic that’s captured by the SIEM through that port mirroring, and application logs and event logs from the domain controller and the web server.

All right, the next thing I want to do is install a host-based intrusion detection system, and I’m going to do this by using an agent on one of these clients. On the Windows clients, we’re going to install OSSEC, which is a HIDS agent. This is going to produce only security-relevant information for us, and again, we want to configure it to send that data back to our SIEM. So I’m going to go into PC1 and run the Wazuh agent installer. To run it, I’m going to go into my lab files directory and double-click wazuh-agent-[version].msi. This will start the installer. I’m going to go through this installer pretty much with the defaults, accepting the license and installing it. When the setup is complete, I’m going to tick Run Agent Configuration Interface and then click Finish. If I get a UAC prompt, I’m going to approve it and say yes. The next step is to launch a command prompt as administrator and run "C:\Program Files (x86)\ossec-agent\agent-auth.exe" -m 10.1.0.246.

Remember, that’s the IP address of my SIEM server. So where am I sending these things? I’m sending them back to that same server. Now that we’ve done that, we’ve associated this agent with the manager that’s running on the SIEM; that’s what the -m switch is for. This will ensure that there is a connection between the two so that I can send the data there. If I switch back to the Wazuh Agent Manager dialog, I can click the Refresh button, and I should see a key loaded in the Authentication key box. I can enter my manager’s IP address in the Manager IP box, which is 10.1.0.246. Once I do that, I’m going to save it and then select Manage > Start and click OK. If I wanted to do this on the other PCs in my network, I would do the exact same thing and configure them all the same way.

That way, all of my devices can reach back to that SIEM. Now that we’ve done that, let’s go back to our SIEM and start looking at some data. We want to start extracting data and aggregating these records to make use of our SIEM and understand what’s in there. So inside my SIEM, I’m going to go to the OSSEC dashboard under Host Hunting, and I’m going to use the Update or Refresh button to check for any new alerts. Once I do that, I’m going to click the Management tab, select Index Patterns, and then Create Index Pattern. In the index pattern box, I want to type logstash-ossec-* and then click Next Step. This is the pattern I’m identifying. Then, from the time filter, I can select that I don’t want to use a time filter, because I want everything to show up, or I might just want to look at today’s events, the last 3 hours, or a certain time period based on what we saw from some kind of malicious event.

Once I’ve done that, I can click the “Create Index Pattern” button, and this creates my pattern. From here, I can click the Discover tab. From the list box, I want to select logstash-ossec-*, which is the index pattern that I just created. In the search box, I want to create a filter string and then click Update. I’m going to do this by typing the agent name field followed by a colon and PC*, and then alert_level greater than or equal to five. What this says is that any time you find an agent that is PC-something in my network, whether it’s PC1 or PC2, and the alert level is greater than or equal to five, I want you to display it. As I look at these results, I can see some records here, and I can click the small black arrow to expand a record and view all of the different event data around it.

So you can see pretty quickly how we can start slicing and dicing data and searching for things on a particular machine, such as PC1 or PC2, or looking at all machines by using wildcard characters, and then identify what looks malicious across your network. The great thing about a SIEM is that I’m not looking at everything as individual pieces. All that data is in one place, so I can see it across the entire network and start looking for patterns. Next, let’s configure a syslog source. This is important because a lot of the hosts you’re going to deal with may not have the capability to install an agent, but most things can be configured for remote syslog monitoring. To do this, I’m going to go ahead and do that on my pfSense security appliance, which is my Unified Threat Management system.
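The Kibana search above (agent name matching PC*, alert_level at least 5) and the “look for patterns across the whole network” point are easy to reproduce outside the dashboard. This is an added Python example, not code from the lesson or from Security Onion: it runs the same wildcard-plus-threshold filter over a handful of constructed OSSEC-style alert records and then groups the hits so that a rule firing on more than one machine stands out. The field names (agent_name, alert_level, rule_description, src_ip) and the sample records are assumptions made for the example, not the exact Logstash mapping the lab uses; the host names and addresses follow the lesson’s lab network.

```python
"""Filter and summarise OSSEC/Wazuh alerts the way the Kibana search in the
lesson does (agent name matching PC* and alert_level >= 5), then look for
the same rule firing across several hosts."""
from collections import Counter
from fnmatch import fnmatchcase

# Constructed alert records in the shape Logstash might index them. The field
# names are assumptions for this example, not the exact Security Onion mapping.
ALERTS = [
    {"agent_name": "PC1", "alert_level": 3,  "rule_description": "Windows logon success",           "src_ip": "10.1.0.101"},
    {"agent_name": "PC1", "alert_level": 7,  "rule_description": "Multiple Windows logon failures", "src_ip": "10.1.0.101"},
    {"agent_name": "PC2", "alert_level": 5,  "rule_description": "Windows audit policy changed",    "src_ip": "10.1.0.102"},
    {"agent_name": "PC2", "alert_level": 10, "rule_description": "Multiple Windows logon failures", "src_ip": "10.1.0.102"},
    {"agent_name": "DC1", "alert_level": 12, "rule_description": "User added to administrators",    "src_ip": "10.1.0.1"},
    {"agent_name": "MS1", "alert_level": 4,  "rule_description": "IIS 404 burst",                   "src_ip": "10.1.0.2"},
]


def search(alerts, agent_glob="PC*", min_level=5):
    """Return alerts whose agent_name matches the glob (case-sensitive, like a
    Kibana wildcard term) and whose alert_level is at least min_level."""
    return [a for a in alerts
            if fnmatchcase(a["agent_name"], agent_glob) and a["alert_level"] >= min_level]


def summarize(alerts):
    """Count hits per (agent, rule) pair: the per-machine view of the results."""
    return Counter((a["agent_name"], a["rule_description"]) for a in alerts)


def rules_seen_on_multiple_agents(alerts):
    """Rule descriptions that fired on more than one agent. These are the
    cross-host patterns a single-host view of the logs would not reveal."""
    agents_per_rule = {}
    for a in alerts:
        agents_per_rule.setdefault(a["rule_description"], set()).add(a["agent_name"])
    return sorted(rule for rule, agents in agents_per_rule.items() if len(agents) > 1)


if __name__ == "__main__":
    hits = search(ALERTS)  # same selection as the lesson's Kibana filter
    print(f"{len(hits)} alerts match agent PC* with alert_level >= 5")
    for (agent, rule), n in summarize(hits).items():
        print(f"  {agent:4} {n}x {rule}")
    # Widen the agent wildcard to every host and raise the threshold.
    print("all hosts, level >= 10:", [a["agent_name"] for a in search(ALERTS, "*", 10)])
    print("rules seen on several hosts:", rules_seen_on_multiple_agents(search(ALERTS, "*", 5)))
```

Changing the glob from PC* to * is the same move as widening the wildcard in the Kibana search box; the last function is the kind of aggregation you would build as a visualization once the raw filter shows you something interesting.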

When I go into that Unified Threat Management system, I can click on Status, then System Logs, and then click on the Settings tab. If I scroll down, I’ll find the option for remote logging. I can check Enable Remote Logging, then type in my server, 10.1.0.246, and put that on port 514, because that is the port for syslog. Under Remote Syslog Contents, I can check System Events and Firewall Events, because those are the ones I want, and then click Save. Now if I go back into my SIEM and into Kibana, I can click on the Management tab, select Index Patterns, and create a new index pattern. I’ll call this one logstash-syslog-* and proceed to the time filter. Again, I don’t want to use the time filter. Then I click “Create Index Pattern.” If I go to the Discover tab, I can find logstash-syslog-* in the list.

Now, if I search for something, for instance the syslog source IP 10.1.0.254, and then hit Update, I can find all of the syslog entries that are associated with that IP address. So at this point, we have looked at some different options for getting information into our SIEM. We can do it based on traffic sources with a network tap. We can use agents like Beats, and we can use syslog for our more generic systems that don’t have Beats installed. Once we’ve done all that, we might have a lot of log data coming in, so it will be important for us to define our use cases and tune our sensors and logging to exactly what we’re looking for. This lab should have provided you with an excellent introduction to Security Onion and how to configure it on your network.
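To see what the SIEM actually receives when pfSense forwards its system and firewall events over UDP/514, and why searching by the sender’s IP works, here is an added Python example that is not part of the lesson or of Security Onion. It parses classic RFC 3164 syslog datagrams (the PRI value into facility and severity, then the timestamp, hostname, tag, optional PID and message), tags each record with the network-layer source address the listener saw, and filters by that address the way the Kibana search above does. The datagrams are constructed for the example; the pfSense address 10.1.0.254 and the listener port follow the lesson. The serve() function shows the real UDP listener but is not run here, because the SIEM already owns port 514 in the lab.

```python
"""Receive and parse remote syslog (RFC 3164) as the SIEM does for the pfSense
UTM in the lesson, then filter records by the sending host's IP address."""
import re
import socket

# <PRI>Mmm dd hh:mm:ss HOST TAG[pid]: MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?:\s?"
    r"(?P<msg>.*)$")

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed datagrams (peer address, payload) as a UDP/514 listener would see
# them: two from the pfSense UTM at 10.1.0.254, one from another host, one junk.
SAMPLE_DATAGRAMS = [
    ("10.1.0.254", b"<134>Jan 12 10:15:32 pfSense filterlog: 5,,,1000000103,em0,match,block,in,4,0x0,,64,0,0,DF,6,tcp,60,10.1.0.101,10.1.0.1,50422,445,0,S,"),
    ("10.1.0.254", b"<37>Jan 12 10:16:01 pfSense sshd[4321]: Failed password for admin from 10.1.0.101 port 50423 ssh2"),
    ("10.1.0.1",   b"<14>Jan 12 10:16:05 DC1 winlogbeat: heartbeat ok"),
    ("10.1.0.9",   b"not a syslog message"),
]


def parse_syslog(payload, source_ip):
    """Decode one datagram into a dict; return None if it is not RFC 3164 shaped."""
    m = SYSLOG_RE.match(payload.decode("utf-8", errors="replace"))
    if not m:
        return None
    facility, severity = divmod(int(m["pri"]), 8)
    if facility >= len(FACILITIES):
        return None  # PRI above 191 is not a valid facility/severity pair
    return {
        "source_ip": source_ip,          # who actually sent the packet: what the search keys on
        "facility": FACILITIES[facility],
        "severity": SEVERITIES[severity],
        "timestamp": m["ts"],
        "host": m["host"],               # hostname claimed inside the message header
        "tag": m["tag"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "message": m["msg"],
    }


def ingest(datagrams):
    """Parse a batch of (source_ip, payload) pairs, dropping unparseable ones."""
    records = (parse_syslog(payload, ip) for ip, payload in datagrams)
    return [r for r in records if r is not None]


def filter_by_source(records, source_ip):
    """Equivalent of searching the syslog index for one sender's address."""
    return [r for r in records if r["source_ip"] == source_ip]


def serve(bind_addr="0.0.0.0", port=514):
    """Listen on UDP/514 and yield parsed records as they arrive. Not exercised
    offline: binding 514 needs root and the lab SIEM already listens there."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            payload, (peer_ip, _) = sock.recvfrom(8192)
            record = parse_syslog(payload, peer_ip)
            if record:
                yield record


if __name__ == "__main__":
    for rec in filter_by_source(ingest(SAMPLE_DATAGRAMS), "10.1.0.254"):
        print(f"{rec['facility']}.{rec['severity']:7} {rec['host']} {rec['tag']}: {rec['message'][:60]}")
```

Note that source_ip (the UDP peer) and host (the name inside the message) are kept as separate fields: the second is whatever the sender wrote, so filtering on the network-layer address, as the lesson does, is the more trustworthy way to isolate one appliance’s events.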

7. Configuring a SIEM Agent (OBJ 3.1)

Configuring a seam agent In this lesson, I’m going to go into my lab environment and show you how to configure a security information and event management system. Now we’ll make sure that the agents on the systems in our network are configured so that they can report back to that server, which we can use for later analysis. Now in this lesson, I’m going to use Security Onion, which is an appliance that comes as a VM and implements things like elastic stack cabana and other seam functionalities within it. Now, the first thing we’ll do is go configure our sensor.

Now, I’ve already done this for us, but if you look on the right side of this diagram, you’re going to see the Unified Threat Management System up at the top. On that, we have a connection going to V Local, and V Local has a sensor feeding data into my theme. Now, in addition to that, I’m also going to be collecting information from the Windows virtual machines at the bottom, MS One and DC One. Both of those have data that’s being fed into Vlocal. And using that sense report, I’m going to collect that information and send it to my ship. Alright? So the next thing I want to do is go into my theme, open a terminal, and start dumping that information from the network that we’re capturing over that sensor wire. So I’m going to type in a pseudo-TCP dump of NiETH One IP and hit Enter using the Switch, which is going to tell us that we don’t want to use name resolution because I’m not connected to the Internet, so I can’t look up things like Google.com. I have to use IP addresses, and by using the IP at the end, this is going to filter out any IPV6 fixed traffic. So I’m just going to be focused on IPV4 traffic.

This will ensure that I see traffic to and from my host on those two Windows machines as well as in the unified threat management system. All right, once I’m done capturing this, I’m going to hit Ctrlz, and that will stop this traffic capture. Now this traffic is going to be monitored by Bro. Bro is a passive network sensor that we’re going to basically use as an intrusion detection system. It’s part of that unified threat. Manager, now those events have already been configured, so it’s going to write them into the seam. The seam is going to allow me to see what’s in there, and we’re going to use elasticstack to do that. So if I go ahead and see if Elasticstack is running properly, I can do this by typing in pseudo-space, “status,” and hitting Enter. This will give me the output that shows that each service is up and running well. If I get some kind of warning message, that means one of the things that I’m using to collect this, things like log stash, which is part of elasticstack, might not be quite ready yet, so I would have to wait and then run that status again. All right, from my desktop, I’m going to go ahead and open up Cabana inside a cabana.

I’m going to log in with my username and password, and this is going to bring me to a dashboard. Cabana is a virtualization tool, and it’s part of Elasticstack. It’s going to be used to configure the dashboards for different categories, showing us different information in a graph format or a table format. Now, if I go down under “Bro Hunting,” I can select connections, and from here I can scroll down to verify that the hosts from the 10:10:24 network are present and accounted for. This will make sure that I see the information being sent to me by my intrusion detection system. Okay, now that we’ve confirmed that the Cabana is properly configured, I’d like to begin performing some scans to ensure that Cabana is seeing this inside of there with live data. So I’m going to go into Zen Map, which is on my Windows machine, and I’m going to run a scan using a default intent scan against ten 10 one.Now, Zen Map is essentially just a graphical version of Nmap, which is a network scanner. So it’s going to go through and perform this scan for me. And now I’m going to go back to Cabana.

If I go there under Alert Data, I can then view the Bro notices and NIDS categorization for scanning activity alerts. Now, if there are no results, you want to click on the update button. Now as we do this, we should be able to detect the scan that the Windows machine is doing against this network. And Cabana, as a server, is seeing all that data because we have port mirroring enabled off of that switch. Now, as you can see here, the nib alerts are being counted, and we can see those scans because we have this scan being run by our Zen Map. So this is telling me this process is working, and we’re able to see it in real time. Now the next thing we want to look at is how to install a Beats agent so we can capture network traffic directly from the host. Instead of just capturing things off of the network switch using port mirroring, like we were doing up to this point, To do this, we want to capture that log information. So we’re going to install the Beats agent. So let me go ahead and log into my DC one, and from here I want to configure Beats, and I do that by going under my lab files and then Winlogbeat in here, where you’ll see Winlogbeat YML, which is a configuration file, and I’m going to right-click it and edit it with Notepad plus plus. Now, as I edit this file, you have to remember that YAML files are very sensitive to white space.

So every space is actually used and counted. So you can’t just add spaces willy-nilly;  you’ve got to make sure you count correctly. These files use two spaces per indentation level. So if you want to use two, that would be the first column. Two more, for a total of four spaces; this is the second column, and so on. All right, so we’re going to scroll down and locate where it says “output log.” Now I’m going to findline 111, which is the hashtag host, in this section. And I want to change where it says localhost to my IP address for my theme. So I can send the data from this machine over to the seam. That seam occurs at 10:02:46. So my line should now read “host space quote: 1010 246 544 quote,” and that 544 is the port that my theme is configured to listen on. Now this will allow me to get data from any of the log files and send it back to that seam, which gives me another way to collect data. So I’m going to save this and close the file. And then I’m going to copy the Winlogon folder to the C:ProgrammersX86 directory.

Now I’m going to go into PowerShell and run a command to be able to start this up. So I’m going to change directories into the C:ProgramFilesX86Winlogbeat directory that I just started. Then I’m going to run Winlogo, and to do this, I’m going to use a Linux down notation. So Winlogbeat spacetest, spaceconfigs CSP, Winlogbeat YML, space e, and this says that I’m going to run Win LogBeat, use it in a test in configuration mode, and the configuration file is going to be WinlogbeatYML, and then execute this. So this last part is going to say “configure.” OK? Now if there is an error, that means I messed up the configuration file, but if not, I’m ready to keep going. Now at this point, I’m going to run two more commands because I need to install that agent as a service inside Windows. So it starts up every time I reboot this computer. To do this, I’m going to do “install service Winlogbeat” and then “start service Winlog Beat.” All right, now that I have that running, I have started this up, I have configured it as a service, and anytime I restart this computer, Beat is going to be running for me. So let me go back into my seam now.

And I want to run the command sudo space, so allow viewing. Now this is going to show me the output that has the firewall that’s already been configured to allow the traffic from Beats over port 544 into my theme. Now, if I go back into Cabana, I should again see those NIDS dashboards and those Bro notices for those scanning alerts that I saw before from those scanning alerts that I caused by using Zen Map. Now, if I go under the Beats dashboard under “Host Hunting,” I can start seeing events from DC One, where I just started, that Beats agents sent out a report. Now, it may take some time for that to come in, and if yours aren’t there yet, you can click on “Update” or “Refresh” and keep checking for those alerts. Over time, they’re going to start coming in, and you’ll see those different logs from that system. Now, the next thing I’m going to do is configure some application logging. Now, by default, Beats is going to capture the application system and security logs when you set it up on a Windows server. Now, this is going to collect a lot of data and send a lot of it back to our team. And some of it may or may not be relevant to what you want to do. If you’re doing incident detection or threat hunting, a lot of this just isn’t something you need. If you’re doing system troubleshooting, it’s stuff you may need.

So you need to figure that out inside your organisation and determine what you want to log and how much. So let’s say we want to configure our application logs. So we’re starting to send data to the theme. Well, let’s go over to “Ms.  One,” which was my IIS Server machine. And I want to go in there and look at the access logs from the event viewer, and then have Beats forward that to the theme. That way, I can get data about my web server. So let me go ahead and go into MS One, and from here I’m going to go under Server Manager, select Tools, and then Internet Information Services, or IIS Manager. Inside the IIS Manager, I’m going to select the server, Ms. One, and I’m going to double-click on the logging applet in the middle pane. This will show me the different options I have for log formats. Now, if you remember from our log formatting lesson, you’re going to see that there are lots of different formats you can use.

But I’m going to use the standard W3C, which is really good for web application logs. Now, under the log event destination, I can select both the log file and an ETW event and click Apply. This means I’ll log it locally to the computer and send it to Beats as this type of event. Now, if I go to Explore, I can copy the Windows login beat from my domain controller that I installed before to the local system here with Ms. One, my web server. I’m then going to go into PowerShell as an administrator, and I need to run this big, long, scary command. Now, again, this is something you don’t have to memorise for the exam. But it is what we need to run to be able to check the name of the event log that’s capturing those IIS events.

So I’m going to go get Space, list, log, space, star, pipe space, where object space, curly, bracket space, dollar sign underscore LOGNAME, spacelike, space, quote star IIS, quote star IIS, star, quote, curly, bracket, space, pipe space, format, list, space, property, space, log, name—that was a long one. So what is this saying? Well, I want to get all of the Windows events that meet these conditions. If it’s listing the logs that have “astar” meaning anything, I want to grab those. Or I want to grab things where there’s an object and the log name has something like “IIS” in it. Or I want to get anything that’s formatted as a list with the property “logname.” So if I take all those things, I can gather those events, and then I can figure out what I want. This query is going to match a couple of logs—in fact, three of them. And then I want to copy the text “Microsoft IIS logs” and copy the value from the prompt, select it, and press Enter. Now I’m going to open up the programme files directory under Winlogbeat that I just installed and find that configuration file. I want to go ahead and go into that file, and under the Winlogbeat event logs, I want to add the text that says “Name Microsoft Iislogging logs.” All right, now that I have this file configured the way I want, I’m going to close it and say yes to saving it.

And then I’m going to go back into administrator mode and go into my PowerShell prompt. I now want to run the command to get into the directory for Winlogbeat, which is CD spaceclon, backslash programme file Winlogbeat. And then I want to run the configuration file and load it up. So, dot slash Winlogbeat, test config c winlogbeat YML E, just like I did on the domain controller. If I did everything correctly, I should see output that says “config.” OK, this means I’m ready to move on. Now I need to start it up as a service, just like I did on the domain controller. Dot-slash-install service Winlogbeat, then Enter, followed by the dash service space Winlogbeat, then Enter. Now we have Winlogo, or Beats, running on both the domain controller and the web server. Now, I want to be able to start generating some traffic here. So I’m going to go over to my PC One and my PC Two, and I’m going to do some things like going and accessing Share drives, browsing to different websites, or using Zen Map to start scanning some things.

And when I do this, it’s going to generate some traffic for this lab environment. It should generate both network traffic that’s captured by the SIEM through that port mirroring, and application logs and event logs from the domain controller and from the web server. All right, the next thing I want to do is install a host-based intrusion detection system, and I’m going to do this by using an agent on one of these clients. So on the Windows clients, we’re going to install OSSEC, which is a HIDS agent. Now, this is going to produce only security-relevant information for us. And again, we want to configure it to send that data back to our SIEM. So I’m going to go into PC One and run this program called Wazuh. To run it, I’m going to go into my lab files directory and launch wazuh-agent-<version number>.msi. This will start the installer. I’m going to go through this installer with the defaults, accept the licence, and install it. When the setup is complete, I’m going to check Run Agent Configuration Interface and then click Finish.

If I get a UAC prompt, I’m going to approve it and say yes. The next step is to launch a command prompt as administrator and run "C:\Program Files (x86)\ossec-agent\agent-auth.exe" -m 10.10.246. Remember, that’s the IP address of my server. So where am I sending these things? I’m going to send them back to that same server. All right, now that we’ve done that, we’ve associated this agent with the manager that’s running on the SIEM. That’s what that -m is for. This will ensure that there is a connection between the two so that I can send the data there. Now, if I switch back to the Wazuh Agent Manager dialogue, I can click the refresh button, and I should see a key loaded in the authentication key box. I can enter my manager’s IP address in the Manager IP box, which is 10.10.246. Once I do that, I’m going to save it and then select Manage, Start, and OK. Now, if I wanted to do this on the other PCs in my network, I would do exactly the same thing and configure them all the same way.

And that way, all of my devices can report back to that SIEM. All right, now that we’ve done that, let’s go back to our SIEM and start looking at some data. We want to start extracting data and aggregating these records to make use of our SIEM and understand what’s in there. So inside my SIEM, I’m going to go to the OSSEC dashboard under Host Hunting, and I’m going to use the update or refresh button to check for any new alerts. Once I’ve done that, I’m going to click the Management tab, select Index Patterns, and then create an index pattern. In the index pattern box, I want to type logstash-ossec-* and then click Next step. This is the pattern I’m identifying. Then, from the time filter, I can select that I don’t want to use a time filter, because I want everything to show up; or I might just want to look at today’s events, the last 3 hours, or a certain time period based on when we saw some kind of malicious event.

Now once I’ve done that, I can click the Create index pattern button, and this creates my pattern. From here, I can click the Discover tab. From the list box, I want to select logstash-ossec-*, which is the index pattern I just created. Under my search box, I want to create a filter string and then click Update. I’m going to do this by typing agent.name:PC* AND alert_level:>=5. What this says is that any time you find an agent whose name is PC-something in my network, whether it’s PC One or PC Two, and the alert level is greater than or equal to five, I want you to display it. Now, as I look at these results, I can see some here, and I can click the small black arrow to expand a record and view all of the event data around it. So you can see pretty quickly how we can start slicing and dicing data and searching for things on a particular machine, such as PC One or PC Two, or look at all machines by using wildcard characters and then identify what looks malicious across your network. The great thing about a SIEM is that I’m not looking at everything as individual pieces.

All that data is in one place, so I can see it across the entire network and start looking for patterns. Next, let’s configure a syslog source. This is important because a lot of the hosts you’re going to deal with may not have the capability to install an agent, but most things can be configured for remote syslog monitoring. To do this, I’m going to set it up on my pfSense security appliance, which is my unified threat management system. When I go into pfSense, I can click on Status, then System Logs, and then click on the Settings tab. If I scroll down, I’ll find the option for remote logging. When I click that, I can enable remote logging. Then I can type in my server address, 10.10.246, and I’m going to put that on port 51, because that is the port for syslog. Now, from the remote syslog contents, I can check the system events and the firewall events, because those are the ones I want. Then I’ll click Save. Now if I go back into my SIEM and into Kibana, I can click on the Management tab, select Index Patterns, and create a new index pattern. For this index pattern, I’ll call it logstash-syslog-* and proceed to the time filter. Again, I don’t want to use the time filter.

Then click Create index pattern. If I go to the Discover tab, I can find logstash-syslog-*. Now, if I search for something, for instance the syslog source IP 10.254, and then hit Update, I can find all of the syslog entries that are associated with that IP address. So at this point, we have looked at some different options for bringing information into our SIEM. We can do it based on traffic sources with a network tap. We can use agents like Beats, and we can use syslog for our more generic systems that don’t have Beats installed. Once we’ve done all that, we might have a lot of log data coming in. So it will be important for us to define our use cases and tune our sensors and logging to exactly what we’re looking for. However, this lab should have provided you with an excellent introduction to Security Onion and how to configure it on your network.
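A check a practitioner would want before trusting the firewall’s remote logging: send one test syslog message from a Windows host to the SIEM and confirm it shows up under logstash-syslog-*. This is an added example, not part of the course or of pfSense; it assumes the SIEM address placeholder is replaced, and it uses UDP 514, the standard syslog port, in case your listener is not on the port quoted in the lab.

```powershell
# Added example (not from the course or pfSense): send a test RFC 3164 syslog
# message to the SIEM's listener so the remote-logging path can be confirmed
# before relying on the firewall's own events. Assumes UDP 514, the standard
# syslog port, and that the placeholder server address below is replaced.
function Send-TestSyslog {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [int]    $Port     = 514,
        [int]    $Facility = 1,      # 1 = user-level messages
        [int]    $Severity = 6,      # 6 = informational
        [string] $Tag      = 'labtest',
        [string] $Message  = 'remote syslog path check'
    )
    # PRI is facility * 8 + severity (RFC 3164 section 4.1).
    $pri = ($Facility * 8) + $Severity
    # RFC 3164 timestamp: English month abbreviation, space-padded day, 24-hour time.
    $now = Get-Date
    $inv = [System.Globalization.CultureInfo]::InvariantCulture
    $timestamp = '{0} {1,2} {2}' -f $now.ToString('MMM', $inv), $now.Day, $now.ToString('HH:mm:ss')
    $line  = "<$pri>$timestamp $env:COMPUTERNAME ${Tag}: $Message"
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($line)
    $udp = New-Object System.Net.Sockets.UdpClient
    try     { [void] $udp.Send($bytes, $bytes.Length, $Server, $Port) }
    finally { $udp.Close() }
    return $line   # echo what was sent so it can be searched for in Kibana
}

# Placeholder for the SIEM's address; replace with the server used in the lab.
$sent = Send-TestSyslog -Server '<SIEM-ADDRESS>' -Tag 'labtest'
Write-Host "Sent: $sent"
Write-Host "In Kibana, select logstash-syslog-* and search for the tag: labtest"
```

If the message never appears, check the listener port and any firewall rule between the host and the SIEM before revisiting the pfSense settings; syslog over UDP gives no delivery error to the sender.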
