June 12 ISV Über Demo available for download
Today we posted the recording of the System Center Operations Manager ISV Über Demo, ISV solutions for cross-platform monitoring, regulatory auditing and advanced visualizations. There are over forty minutes of demos and everything is running on SCOM R2! This is a great session for Microsoft field, partners and SCOM users that shows real world examples of how to get the most out of your System Center investment leveraging native third party solutions like BridgeWays, Savision and Secure Vantage Technologies.
Download Video – ISV Über Demo
For those interested in more solution and training videos please visit our online knowledge base, where we recently posted a video of our Security MP Templates and now have the entire ACS Master Class Series available for download.
June 08 New ACS Master Class available for download
Today we posted the final video in the ACS Master Class Series core sessions, Audit Policy Planning, presented by renowned Windows security expert and Microsoft Security MVP Randy Franklin Smith.
Download – ACS Master Classes, Audit Policy Planning
This is a great session with in-depth guidance on what an audit policy is, details on each Windows audit policy, changes with Vista and Windows Server 2008 audit policies, and lots of demos on how to apply the various policies within your environment. In this session you’ll also learn the differences between Account Logon and Logon/Logoff events, the pros and cons of Object Access auditing, how to apply subcategory audit policies in Vista and Windows Server 2008, plus great tips on Directory Services and other types of auditing. So if you’re looking to implement an audit policy for the first time or want to improve how you audit your Windows environment, this is the session for you.
For those interested in more resources and training on Windows and Active Directory security, check out Randy’s site, UltimateWindowsSecurity.com, where you’ll find his online security log encyclopedia, WinSec Wiki and tons of other great security resources.
May 15 ISV Über Demo, Webcast June 3rd
This year at MMS we held a great breakout session and showcased how System Center Operations Manager can be optimized with partner solutions to address cross platform monitoring, security and compliance plus enhanced visualizations. Given the feedback and community requests we decided to host two live webcasts next month on June 3rd, at 7am and 1pm PST, to redo the ISV Über Demo. Don’t miss this great opportunity to see firsthand how easily SCOM can be extended to address real world business problems, reduce complexity and TCO for IT, all while maximizing your ROI in System Center.
Title: Optimizing System Center Operations Manager for cross-platform monitoring, regulatory auditing and advanced visualizations
Learn how to optimize System Center Operations Manager for cross-platform devices and applications, regulatory auditing requirements, and how to create advanced LOB, geographic and executive level dashboards in SharePoint. This session includes over 50 minutes of demos and presents customer examples of:
Presented By
Special Guests
May 07 Cross Platform auditing with ACS
Last year we launched the Audit Collection Syslog Gateway™, which provides the ability to centrally collect SYSLOG events via the Audit Collection Service (ACS) within Operations Manager 2007 SP1. This enables organizations to centralize Windows, UNIX/LINUX and network security events within System Center for audit and reporting purposes. As an agent-less solution, customers can simply deploy the Syslog Gateway, enable forwarding on target devices, applications or from an existing Syslog server, and start to use ACS as a central cross-platform audit repository within the enterprise.
In a couple of weeks an updated build for the Audit Collection Syslog Gateway, Service Pack 1, will be released that improves the core service and gateway logging with an improved installation wizard. SP1 also introduces a health MP which includes security alerting rules for UNIX operating systems, Cisco Firewalls and Routers, plus an MP Template which enables users to create custom alerts and views for any Syslog event.
Below is a general overview on the Audit Collection Syslog Gateway architecture and features.
Audit Collection Syslog Gateway Overview
· Provides SYSLOG event collection, alerting and reporting for UNIX/LINUX and network devices via ACS
· Includes Secure Vantage Syslog Gateway Service, Generic Syslog Report and alerting Management Pack
· Requires Operations Manager 2007 SP1 with ACS, and a Windows Server with Forwarder to act as Gateway
Common Syslog Sources
· UNIX/Linux Operating Systems like AIX, BSD, HPUX, Mac OS X, RedHat, SuSE, Solaris, zOS and others
· Network devices like Cisco Routers, Switches and Firewalls
· Environmental devices and 3rd party applications like Citrix Application Gateways or Web Servers
· Most hardware and applications running on a UNIX/Linux OS
Deployment Considerations
· Must enable SYSLOG forwarding on endpoint (User Guide has instructions for Unix and Cisco devices)
· Default SYSLOG collection is UDP on port 514; TCP is optional in most cases but must be configured
· Single Gateway supports up to 200 devices or 1000 Events Per Second (EPS)
Syslog Gateway Reporting
The Audit Collection Syslog Gateway includes one generic report that enables users to filter on any Syslog message pattern or all events. For example, users could filter for all Cisco ASA events, all events with ‘root’ or from a specific device. Users can then save these filters as report subscriptions and quickly establish a standardized set of reports for auditing purposes.
Syslog Gateway Management Pack (included with upcoming SP1)
The Audit Collection Syslog Gateway MP provides health and performance monitoring of the Gateway Service plus security alerting for the Syslog events. The security alerting includes canned rules and knowledge articles for UNIX/Linux operating system security events like logon failures, root access and suspicious activities; alerting rules for Cisco router and firewall IDS events; plus an MP Template that enables users to quickly create custom views and alert rules for any Syslog event pattern. Users can easily override existing rules and use the MP Template to implement custom alerting and security auditing within their SCOM environment.
Below is a sample of Syslog facilities and priority codes which can be used for alert filtering and reporting.
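The facility and severity encoding that the syslog PRI field carries, the pattern filtering the generic report performs, and the count/time threshold a logon-failure alerting rule applies, as an added Python example that is not part of the original post and not Secure Vantage's product code. It follows the BSD syslog format from RFC 3164 (linked below); the syslog lines, host names and addresses are constructed, and the Cisco line assumes the %ASA-level-id message prefix.

```python
"""Added example: decode BSD-syslog (RFC 3164) PRI values into facility and
severity, filter messages by pattern (as the Gateway's generic report does),
and apply a count/time threshold rule for repeated logon failures (as an MP
alerting rule does). All sample lines are constructed for this example; the
host names and IP addresses are not real devices."""
import re
from collections import defaultdict
from datetime import datetime

# Facility codes 0-23 as listed in RFC 3164 section 4.1.1.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
# Severity codes 0-7 as listed in RFC 3164 section 4.1.1.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)
# HEADER = TIMESTAMP SP HOSTNAME SP, followed by the MSG part (TAG + CONTENT).
HEADER_RE = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s(\S+)\s(.*)$", re.DOTALL)
DEFAULT_PRI = 13  # RFC 3164: a relay assumes user.notice when PRI is missing


def decode_pri(pri):
    """Split a PRI value into (facility_name, severity_name)."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7]


def parse_line(line):
    """Parse one syslog line into a dict; an unparseable header keeps the raw text as msg."""
    m = PRI_RE.match(line)
    if m:
        pri, body = int(m.group(1)), m.group(2)
    else:
        pri, body = DEFAULT_PRI, line
    facility, severity = decode_pri(pri)
    event = {"pri": pri, "facility": pri >> 3, "severity": pri & 7,
             "facility_name": facility, "severity_name": severity,
             "time": None, "host": None, "msg": body}
    h = HEADER_RE.match(body)
    if h:
        # BSD syslog timestamps carry no year; strptime defaults to 1900,
        # which is fine for computing intervals within one feed.
        event["time"] = datetime.strptime(h.group(1), "%b %d %H:%M:%S")
        event["host"] = h.group(2)
        event["msg"] = h.group(3)
    return event


def parse_lines(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def filter_events(events, pattern):
    """Report-style filter: keep events whose message or host matches a regex."""
    rx = re.compile(pattern)
    return [e for e in events if rx.search(e["msg"]) or (e["host"] and rx.search(e["host"]))]


def failed_logon_alerts(events, count=3, window_seconds=60, pattern=r"Failed password"):
    """Raise one alert per host when `count` matching events fall inside
    `window_seconds`; both thresholds are parameters so they can be overridden."""
    alerts = []
    recent = defaultdict(list)  # host -> timestamps of matching events still in window
    timed = [e for e in events if e["time"] is not None and re.search(pattern, e["msg"])]
    for e in sorted(timed, key=lambda e: e["time"]):
        times = recent[e["host"]]
        times.append(e["time"])
        while (e["time"] - times[0]).total_seconds() > window_seconds:
            times.pop(0)
        if len(times) >= count:
            alerts.append({"host": e["host"], "count": len(times),
                           "first": times[0], "last": e["time"]})
            times.clear()  # fire once, then start a fresh window
    return alerts


# Constructed sample feed: three UNIX sshd failures, a su to root, a Cisco ASA
# connection record, a cron job, and a legacy line relayed with no PRI at all.
SAMPLE = """\
<38>Jun 12 10:15:01 hq-unix01 sshd[2031]: Failed password for root from 10.0.0.5 port 51234 ssh2
<38>Jun 12 10:15:04 hq-unix01 sshd[2033]: Failed password for root from 10.0.0.5 port 51236 ssh2
<38>Jun 12 10:15:07 hq-unix01 sshd[2035]: Failed password for root from 10.0.0.5 port 51240 ssh2
<86>Jun 12 10:16:30 hq-unix01 su: (to root) jdoe on pts/1
<166>Jun 12 10:17:02 fw-edge01 %ASA-6-302013: Built outbound TCP connection 4711 for outside:198.51.100.9/443
<13>Jun 12 10:18:00 hq-unix02 cron[777]: (root) CMD (/usr/bin/backup.sh)
Jun 12 10:19:00 legacy-box kernel: line relayed without a PRI field
"""

if __name__ == "__main__":
    evs = parse_lines(SAMPLE)
    for e in evs:
        print("%s.%s %s %s" % (e["facility_name"], e["severity_name"], e["host"], e["msg"]))
    print("root-related events:", len(filter_events(evs, r"\broot\b")))
    print("logon-failure alerts:", failed_logon_alerts(evs))
```

The PRI arithmetic (facility = PRI / 8, severity = PRI mod 8) is what any facility/priority filter on the Gateway report or MP rules ultimately keys on; the missing-PRI default and the per-host window are the two edge cases worth checking before trusting a threshold rule in production.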
Useful Syslog Links and Resources
· NIST: Guide to Computer Security Log Management
o http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf
· IETF RFCs: 3164 The BSD syslog protocol & 3195 Reliable delivery of syslog
o http://www.ietf.org/rfc/rfc3164.txt & http://www.ietf.org/rfc/rfc3195.txt
· SANS Institute: The Ins and Outs of System Logging Using Syslog
o http://www.sans.org/reading_room/whitepapers/logging/1168.php
· Cisco: Identifying Incidents using Firewall and IOS Router Syslog Events
o http://www.cisco.com/web/about/security/intelligence/identify-incidents-via-syslog.html
Looking towards SCOM R2
This year at MMS Microsoft announced ACS for Cross Platform, a post SCOM R2 feature, which enables partners to integrate non-Windows security events into the ACS collection stream. With this capability any cross platform log file source exposed via SCOM R2 could be integrated into ACS, allowing organizations to centralize all security auditing events into a single repository which can be alerted on, reported and archived as needed. The feature enables parsing of the event messages to extract key attributes and strings for improved reporting and analytics. The diagram below illustrates the high-level concept of this upcoming feature; in general it’s the same architecture as our Syslog Gateway, except the event source is the SCOM agent rather than Syslog, and the event transformation is optimized to enable more granular data mining.
For users planning to leverage the new cross platform capabilities of SCOM R2, you’ll soon have the ability to integrate security events from those devices and applications into ACS natively, and will be pleased to know we’re migrating our alerting and reporting functionality to leverage this new feature as well. Users wanting to leverage the new SCOM R2 feature should enroll in our TAP program or stay tuned for more details and announcements.
Users needing a solution today, or who have agent-less requirements, can use the Audit Collection Syslog Gateway, which provides a very cost effective option: it is licensed per Gateway (not per device), easy to deploy and simple to use. And remember, regardless of how you collect your security events, once they’re in ACS our entire suite of Security Auditing solutions can be used for alerting, archiving and data analysis.
If you need more than just security auditing we have two partners who provide great health and performance monitoring solutions for cross platform devices and applications: BridgeWays and JalaSoft. By combining the breadth of partner monitoring solutions with our security auditing features in ACS, users can standardize and simplify systems management, auditing and compliance within System Center, which reduces the cost, complexity and overhead associated with managing your heterogeneous environment.
May 04 MMS 2009 Secure Vantage Highlights - Part 1
MMS 2009 was another big year for Secure Vantage Technologies Inc. This year we launched several product updates and new features including a VMM PRO pack and extended support for Cross Platform security auditing. It was great to see all our customers and partners at the event and hear all your positive feedback. For those who couldn’t make the show or are looking for more information, we’ve put our MMS 2009 highlights below. Big thanks to the community for their support with helping make this another successful event for Secure Vantage. We hope everyone liked the bags.
Read MMS Press Release: Secure Vantage Adds Unix, Linux, Cisco and Virtualization For Cost-Effective Enterprise Data Center Compliance and Auditing Solution Using System Center
Secure Vantage MMS 2009 Highlights
Product Showcase
The demo environment we had at our booth and breakout session this year was something we worked on over four weeks in conjunction with several other ISVs. Built on VMM and SCOM R2, the virtual environment had Windows Server 2003 and 2008 systems and even a Linux RedHat server. We loaded all our current builds plus Savision LiveMaps, BridgeWays MPs for Apache and Oracle, JalaSoft MP for F5, Silect Software’s MP Studio and the new OpsLogix Ping MP.
We even set up a Microsoft Office SharePoint Server to show a sample portal that has integrated SCOM and SCCM views for team sites with a central control list for tracking auditing activity that had KPIs (Key Performance Indicators) used to track various GRC auditing benchmarks. We’ll be posting some screenshots and videos of the showcase soon; just waiting for our demo boxes to return from the event. For those interested we already saw one recording posted online at http://www.mmsnews.info/video/securevantage-1
The list below summarizes the Secure Vantage solutions we demoed last week in the MMS expo hall that will be coming available for general download soon. Stay tuned for more solution announcements, updates and releases.
· Audit Collection Admin, RC2
The Audit Collection Admin centralizes ACS administration, improves health monitoring and reduces the complexity associated with ACS management. This is a must-have for every ACS environment that helps ensure your audit infrastructure is healthy and available, reduces the complexity of managing multi-Collector environments and simplifies administrative tasks.
· Audit Collection Syslog Gateway, SP1
The Audit Collection Syslog Gateway is an agent-less solution that enables users to forward Syslog events from any UNIX/Linux Server, network and firewall device, OS and any Syslog enabled device or application like Citrix Access Gateways to ACS for centralized collection, storage, reporting and alerting. The Syslog Gateway now includes an alerting MP with canned rules and knowledge articles for common UNIX/Linux security events and Cisco Firewall and Router IDS events.
· Security Management PRO pack
The PRO feature for our Security Management packs allows users to restore or revert a VM based on security audit violations like specific GPO changes or compromised systems. The PRO pack tip is available for customer testing and will eventually be incorporated into the Security Management packs.
· Audit Collection Archiver, SP2
The Audit Collection Archiver has had some general improvements to the core service, plus we showcased the new user interface that is now supported both standalone and in the SCOM console while providing significantly more functionality and ease of use for users.
· Audit Collection Data Miner, Beta1
A new addition to the Security Auditing family of products, the Audit Collection Data Miner enables ad-hoc query analysis of both online and historical audit databases directly from the SCOM console. This enables users to quickly search both Windows and Cross Platform security event data without having to run a custom report or SQL query.
· Audit Collection Base Reporting, SP2 – Consolidated Win2003/2008 audit reporting
Our ACS reports have been extremely optimized with new indexing and queries resulting in over 80% improvement in run-time. We’ve also worked very hard on providing consolidated Windows Server 2003 and 2008 audit reporting for customers with mixed environments.
· GRC Portals for Microsoft Office SharePoint Server (MOSS)
This year we demonstrated how customers can build GRC (Governance, Risk and Compliance) portals using Microsoft Office SharePoint Server and System Center. We showcased integrating dashboards and state views as well as how users can automate report delivery and review tracking, providing the organization KPIs on current compliance state and auditing objectives. This is a great demonstration of how any organization using MOSS can quickly implement an internal control list for workflow tracking with automated audit assessment and report delivery.
Cool Announcements
To watch the MMS Keynotes and other MS videos visit the virtual press room, http://www.microsoft.com/presspass/presskits/infrastructure/videoGallery.aspx
1) SCOM Visio Integration – Day 1 Keynote, about 1hr and 2 minutes in
In the day one keynote by Bob Kelly, Lorenzo Rizzi with the SCOM product team demoed a new feature in SCOM R2 that enables users to integrate Visio diagrams with dynamic state and alert data from Operations Manager. While not nearly as feature rich as the Savision LiveMaps, this definitely got a good applause and is something many customers will take advantage of.
2) Compliance Management with Service Manager – Day 2 Keynote, about 58 minutes in
In the day 2 Keynote by Brad Anderson, Claire Harte with the Service Manager team presented how customers can automate compliance assessments, audit lifecycle and control enforcement using workflow in Service Manager that ties together data from SCOM, SCCM and Active Directory to enable organizations to better manage, mitigate and report on risks in the enterprise. This introduces the final layer in the System Center fabric for managing audit and compliance lifecycles for GRC related activities. This is a very exciting announcement, and you can expect we’ll be talking a lot more about this moving forward.
3) ACS for Cross Platform – ACS Breakout Session
On Friday Maarten Goet, a SCOM MVP with Inovativ, presented the Audit Collection Services breakout session and demoed cool dashboards for ACS using Savision and Secure Vantage plus an extensive overview on Syslog auditing and the upcoming ACS for Cross Platform, a post R2 feature that enables partners like Secure Vantage to integrate event log sources from UNIX/Linux and cross platform applications natively into ACS for alerting, archiving and analysis. Now SCOM users will be able to audit from any Syslog device or CrossPlat source. We’ve been chipping away preparing for this one, so upgrade to SCOM R2 today and get ready.
4) System Center Central
If you’re a System Center user, engineer or administrator then you gotta check out this new site. System Center Central is a combination of a bunch of community MVPs, bloggers and partners that have consolidated their sites into a central community portal. Keep watch as the content is growing daily and we’re working away on an ACS Wiki too. www.systemcentercentral.com
Cool Partner Solutions on Expo Floor
I’m sure there were lots of great demos on the expo floor, but two really made an impression on me.
1) New Vista Gadget for Savision LiveMaps that provides a small alert/state widget that expands to show a specific LiveMaps view with full operator functions. Very slick, guys.
2) Nice password management feature from Lieberman Software that enables users to easily reset and apply random passwords for SCOM and SCCM service accounts. Let us know what you think; we get lots of requests for password management tools and these solutions look great.
Raffle Winners
Every year we have cool booth swag and great raffles for attendees. This year was no exception, where we offered the two prizes everyone has been asking for. Congratulations to all the winners of our MMS 2009 raffles!
Booth Raffles
· MMS 2010 Attendee Pass: Jeffrey Howell, already coined best MMS 2009 giveaway
· Zune for your Tunes: Jeffrey Barlow and Ricky Moolraj
· Gondola Ride with the Angels, lost the names but posted some pics in the MMS 2009 album
Partner Raffles
· Chris Angel Show Tickets: Shay Byrne
· Microsoft Zune Player: Gordon McKenna
· $100 Poker Chip: Derek Cullen
MMS 2009 ISV Über Demo
This year we decided to show our partners and customers how System Center Operations Manager R2 can be optimized with partner solutions to address cross platform monitoring, security and enhanced visualizations. We had about 40 folks in attendance and, outside a few prep slides, mostly did demos of the individual ISV solutions and how they can be wrapped together and presented in SharePoint. The session included over 50 minutes of demos, including: BridgeWays for Apache and Oracle, Savision LiveMaps for enhanced presentation layer and Secure Vantage Technologies for security auditing and compliance. Given the session feedback and content we decided to host a webcast for those who couldn’t attend. Stay tuned for more details and registration info.
Download Session Deck: TS 40, ISV solutions for cross-platform monitoring, regulatory auditing and advanced visualizations
MMS 2009 Secure Vantage Highlights - Part II
MMS Bag, Partner Swag and Flyers
This year we sponsored the MMS Attendee Bag to make sure everyone got something cool they could carry around with them after the event. Below is a snapshot of the attendee bag and contents, including our special edition flyer hosting the IT 24-7 robot and Cross Platform Penguin.
We also gave our partners a cool swag bag at our MMS Airlift with all the Secure Vantage accessories. At the booth we had some fun paddle balls that found many uses; mini DVDs with all our solution flyers plus the ACS Master Class Series and ACS Resource Kit, new ACS Whitepaper and even trial software for the Security Management packs.
Partner Swag Bag*
*Not all bags had a Secure Vantage mouse
ACS Whitepaper and Flyer Revamp
Download Flyers and Whitepaper
· Audit Collection Base Reporting & Data Miner
· Audit Collection Syslog Gateway
· Security Management Solutions
· ACS Whitepaper, MMS Pre-Release
The Angels
After three years we figured it was time to spotlight a major force in our presence at MMS and something that has seemed to revitalize the energy in the expo hall, the Secure Vantage Angels. These girls took the show by storm in 2007, promoting our brand to every attendee they saw and tripling the company’s booth activity. Smart, fun, energetic and beautiful, the Angels have left a lasting impression on everyone they meet. While other ISVs have followed suit, which was widely seen this year, no one has captured the hearts and memories like the Angels have. Here are a few looks back at past events.
· MMS 2007 – Carley & Stephanie in San Diego
· TechEd EMEA 2007 – Stephanie & Carley in Barcelona
· MMS 2008 – Carley, Stephanie & Heather in Las Vegas
· MMS 2009 – Stephanie & Shannon in Las Vegas
Want to see the Angels in Berlin for TechEd EMEA 2009? Send your vote to angels@securevantage.com
Secure Vantage Factoids MMS 2006 – 2009
This marked the fourth year Secure Vantage has sponsored the Microsoft Management Summit, so we wanted to share some facts and figures from our attendance to date.
Big thanks to all our partners, customers and the community for helping us have another great MMS. We look forward to sharing the solutions we showcased soon and seeing everyone again next year. Want one of those cool Attendee Bags and all the Swag? Be one of the first three people to send an email to sales@securevantage.com and we’ll ship you a bag filled with all the swag.
Bonus Question
I took a helicopter ride down the Grand Canyon and over Vegas with a partner on Sunday before MMS kicked off. Name the Partner and Guys sitting in the chopper with me. First correct response gets a single Collector license for the Audit Collection Admin and Syslog Gateway. Thanks again guys, wicked cool ride!
April 16 MMS 2009 with Secure Vantage
Are you ready to learn about the latest in Microsoft management technology?
The Microsoft Management Summit is the premier training event of the year where users and partners can gain a wealth of information on the Microsoft System Center suite of management products and ISV partner solutions.
This will be Secure Vantage’s fourth year sponsoring MMS and showcasing how easily System Center can be extended for security auditing and compliance. We'll be announcing several updates to our suite and showcasing a variety of technology that customers use today to support security and regulatory audit requirements. We’re also proud to be sponsoring CommNet again to provide security auditing for the event, and hosting a great breakout session for the community that you won't want to miss.
If you’re interested in learning more, scheduling some time with the team or have any questions let us know. For those who can’t make the show stay tuned for our May Newsletter and postings to our blog.
We look forward to seeing everyone in Vegas.
Cheers,
The Secure Vantage Team Secure Vantage Technologies Inc.
P.S. Congratulations to Kurt Peterson of Milford Michigan, the winner of our MMS 2009 Attendee Pass Raffle held on MyITForum. We hope you have a great event Kurt.
MMS 2009, Secure Vantage Highlights and Logistics
Booth Demos and Discussions
CommNet Showcase
This is the fourth year Secure Vantage solutions are being used to improve the security management, auditing and compliance of MMS and other Microsoft events worldwide. The CommNet environment hosts the infrastructure used to provide services to attendees, sponsors and presenters, and is running on System Center Operations Manager R2 to manage the environment. This year you’ll find our Security Management packs and Auditing solutions for ACS on display and in use in the CommNet lounge.
ISV Über Demo
ISV solutions for cross-platform monitoring, regulatory auditing and advanced visualizations
Session TS40, Wednesday 10:15am in San Paolo Room
Learn how to optimize System Center Operations Manager for cross-platform devices and applications, regulatory auditing requirements, plus how to create advanced LOB, geographic and executive level dashboards in SharePoint. This session includes four demos and presents a customer example of extending Operations Manager for Oracle and VMWare monitoring using BridgeWays, supporting SOX and PCI audit requirements using Secure Vantage Technologies, and building intelligent views across these solutions using Savision LiveMaps.
This session includes 50 minutes of demos and covers 10 use cases for optimizing System Center with partner solutions. Whether you’re a System Center user, partner or engineer in the field, this session is just for you. Don't miss this exciting chance to see firsthand how all these partner solutions extend System Center and work even better together.
April 10 Secure Vantage SCOM R2 Supportability Update
With the recent release of SCOM R2 RC we’ve had a lot of inquiries on which solutions are supported today and which will be soon. For those interested, we plan on having full support for all solutions in line with the upcoming R2 release. Below is a summary of current testing on SCOM R2, but please be aware we are not providing official support outside of our early adopters program until R2 is generally available.
SCOM R2 supportability status as of 4/10/09
· Security Management packs – Tested with no reported issues
· Audit Collection Admin RC – Admin view does not display, requires client update
· Audit Collection Archiver – Tested with no reported issues, SQL Server 2005 only
· Audit Collection Base Reporting – Tested with no reported issues, SQL Server 2005 only
· Audit Collection Syslog Gateway – Tested with no reported issues, Windows Server 2003 only
On a related note we are also working on full SQL 2008 support across the suite and plan to release several updates moving through the year. Stay tuned for more details on SCOM R2 and SQL 2008 support or contact us to learn more about our early adopter program.
March 20 MMS 2009 Attendee Pass Raffle
Do you need an attendee pass for MMS 2009?
We’ve had a lot of requests, and with only one pass left we figured it was a good time to do another community raffle. This is open to anyone who registers online and provides the winner one full attendee pass to the Microsoft Management Summit 2009 in Las Vegas, Nevada, held April 27th through May 1st. This could save you or your company over $1000 on the System Center training event of the year. Don’t miss this great opportunity and register online now for your chance to win!
http://www.myitforum.com/contest/swag/MMS2009.asp
Entrants: Please note this raffle does not include travel, lodging or any other costs associated with MMS. All costs outside the attendee pass are the sole responsibility of the entrant. Attendees, stay tuned for more details on MMS 2009 from Secure Vantage.
March 13 ACS Optimization with Secure Vantage
We’ve recently had some inquiries requesting a high-level overview of what Secure Vantage Technologies does from a technology perspective to optimize the Audit Collection Service (ACS) for enterprise auditing requirements. Below is a diagram and a link to a short video that walks through the basic concepts of how Secure Vantage's Security Auditing solutions enable you to fully leverage ACS for cross platform security event collection, analysis, alerting, archiving, reporting and more.
ACS Optimization with Secure Vantage: http://www.securevantage.com/docs/ACS%20Training/ACSOptimizationWithSecureVantage.zip
ACS Optimization in a Nutshell - Video Summary
Secure Vantage Technologies helps optimize the Audit Collection Service to better enable organizations to address the needs of today’s enterprise and regulatory requirements.
The first way Secure Vantage enables users is with the ACS Master Class Series, over 6 hours of technical training covering everything from design and planning to optimization and advanced configurations. This is complemented by the ACS Resource Kit, which includes a wealth of utilities, documents and resources for ACS administrators and engineers. Both of these are free community downloads.
Looking at the ACS environment, we now turn to the Audit Collection Admin, which provides robust management, health monitoring and a user interface. This solution ensures your audit infrastructure is running efficiently and that users can easily administer the entire environment.
Knowing the ACS infrastructure is healthy we can now focus on using the collected security data. This is where our Base Reporting and Data Miner solutions provide tremendous value with a rich reporting library for Windows Server 2003 and 2008 plus ad-hoc investigation tools.
Most users now need to save the collected security events for corporate or regulatory requirements in a cost effective way, for use in potential investigations or long-term reporting and analysis. This is where the Audit Collection Archiver is used to offline the ACS event partitions into compressed files; it provides a near-online historical repository which enables optimized data mining, forensics and multi-Collector reporting capabilities.
For users who have UNIX, mainframe or network devices, our Audit Collection Syslog Gateway provides a very cost effective solution that enables centralized collection, reporting and archiving of security events. This Gateway comes with a generic report that can be filtered on any syslog event pattern, plus a Management Pack for security operations with canned alerts for Unix OS and Cisco events.
Finally for organizations looking to have greater visibility into their Active Directory and Group Policy infrastructure our Security Management packs provide real-time alerting on over 400 auditing controls, advanced knowledge articles, security operational views and over 20 auditing wizards.
Together, the Secure Vantage suite helps organizations truly optimize ACS for today’s enterprise datacenter auditing and regulatory needs.
March 11 Events in March
This month we’ll be presenting two sessions on the Audit Collection Service (ACS). One session will be at the Microsoft Higher Education Summit and the other is a webcast for Microsoft field and partners. This is a great chance for System Center customers and partners to learn more about the Audit Collection Service, how it can help with security auditing, and see live demos of an ‘optimized’ ACS infrastructure. If you’re attending the Hi-Ed summit, or are a System Center partner or Microsoft field, these sessions are for you.
Microsoft Higher Education Summit, March 30th - April 1st, Microsoft Redmond Campus
Connect and collaborate with your higher education IT professional peers on deep technical topics covering evaluation, deployment, and support of Microsoft technologies. This event is like a mini TechEd targeted specifically for professionals working with Microsoft technologies in the education sector.
Summit Agenda: http://windows-hied.org/wiki/index.php5?title=Agenda_2009
Register Online: http://www.ustechsregister.com/educationevents
Session: Audit Collection Service with Operations Manager
Session Logistics: Tuesday, March 31st, Bldg 37 10:15-11:15am PST
Description: Learn how your educational organization can maximize their investment in System Center to support security and compliance audit logging requirements using System Center Operations Manager and the Audit Collection Service (ACS). This is a great opportunity to see firsthand how you can centralize security event log collection and reporting across the enterprise. In one hour, you’ll learn everything you need to know about what ACS is, how it can help your organization, and how to optimize ACS to support educational environment audit requirements.
Microsoft System Center ISV Showcase, March 25th, 10am PST, Web Seminar EventID 263360
Registration: Microsoft Partner Learning Center or Contact Us
Session: Enterprise Auditing with the Audit Collection Service (ACS)
Session Logistics: Wednesday, March 25th, 10am PST
Description: Learn how your customers can maximize their investment in System Center to support security and compliance audit logging requirements using System Center Operations Manager and the Audit Collection Service (ACS). This is a great opportunity to learn how you can optimize ACS to support enterprise auditing requirements such as security alerting, data archiving, historical reporting, and syslog event collection using Secure Vantage Technologies’ Security Auditing solutions for ACS. In one hour, you’ll learn everything you need to position ACS as a competitive enterprise auditing solution and System Center as a strategic asset for corporate governance, risk and compliance initiatives.
March 04 Security Management packs SP1 available
Today Secure Vantage released Service Pack 1 of the Security Management packs for System Center Operations Manager for general download. This release provides several significant updates to the December release, including more security alerting and operational views, full installation support on Windows Server 2008, new MP Templates and several improvements to our licensing service. The information below summarizes the release highlights and some links for more information.
Read Press Release: Secure Vantage Technologies releases SP1 to their Security Management packs for System Center Operations Manager
Request Download for your Security Management pack upgrade or trial

Release 3.0.6630 Change Log
· Full installation support for Windows Server 2008
· Package tested on Windows Server 2003/2008, 32/64bit and Clustered RMS
· Addition of Windows Server 2008 discovery rules
· Addition of 74 alerting rules for Windows Server 2008
· Updated Multiple Logon Failures rule to enable override on Count and Time thresholds
· Consolidation of alert views and OS folders to ease console navigation
· Introduction of root computer group used as single container for MPs
· Update of central License Service managed via SDK/Connector
· Addition of License Service Manager client UI
· License File use deprecated in favor of License Keys (migration of License Keys from physical file to license code stored in registry)
· New MP Templates for File/Folder auditing, Group Policy and more

User Upgrade Notes
· Only supported for environments running 3.0.6200.0 or higher
· Upgrade process is automated and converts existing license file and service
· Trial installations cannot be upgraded; solutions must be uninstalled/reinstalled
· Does not impact or modify any Security Auditing components for ACS

Security Management SP1 Screenshot Samples
Sample 1: Revised View Structure
Sample 2: Updated Group Policy Views
Sample 3: New Security MP Templates
Sample 4: Windows Server 2008 KB Sample

February 24 New Savision Security Dashboard Accelerator Available

We are pleased to announce general availability of the Secure Vantage Security Dashboard Accelerator for Savision Live Maps 3.0. This new accelerator enables users to quickly deploy canned dashboard packs for the Secure Vantage Security Management packs to gain high-level visibility into security operations, auditing and compliance state within your System Center Operations Manager environment.
Security Dashboard Accelerator Online
The Security Dashboard Accelerator is a free download for Secure Vantage customers and partners.
It includes a dashboard pack xml file which imports into the Savision Live Maps Authoring console (image below on left), a user guide, plus Secure Vantage icons and images to create your own custom dashboards as shown below on right. With the launch of this new accelerator we also now bundle Live Maps with our Security Management package. This ensures every user can benefit from this accelerator and has the ability to add more intelligent presentation layers on top of our security auditing and compliance solutions for System Center Operations Manager. To learn more about Savision and how Live Maps can help you, visit their Homepage or Team Blog.

Savision Bundling & Accelerator FAQ
· If I already own both products can I just download the accelerator? Yes, contact sales
· If I already own the Security MPs can I purchase a Live Maps upgrade directly from Secure Vantage? Yes, contact sales for upgrade options
· How many Live Maps ‘View Licenses’ does the Accelerator use? Five (5): 4 for core dynamic lists and 1 for the dashboard that consolidates the lists
· How do we get the ‘Security Compliance’ dashboard sample shown above? This is a sample built using the Security Dashboard Accelerator
· Can we link specific SCOM Views and Reports? Yes, you can link any URL or Web Console view

February 13 ACS Archiving, Storage and Reporting

When planning an audit environment using the Audit Collection Service (ACS) provided within System Center Operations Manager (SCOM), numerous needs for data collection, retention and reporting arise which extend beyond the solution’s native capabilities. In this blog, we take a look at new configuration options available when using our Security Auditing solutions for ACS. Specifically, we’ll examine how ACS can be optimized to support enterprise reporting and retention requirements using the Audit Collection Archiver™.

Online Reporting Considerations
First we need to understand how ACS provides online reporting given its core design.
The ACS online audit database is designed for optimal insertion and online storage efficiency. This is achieved by processing all events through a normalization schema (EventSchema.xml) that parses the event attributes and maps the values to an online data model. This model includes partitions of data (by default 1 partition per 24hrs) with individual tables that store the event header and the detailed attributes from the event description.

To support reporting, the audit database includes 3 core views: dvEventHeader, dvAll5, and dvAll. These views combine all existing partitions in an ACS database, allowing the information to be accessed for reporting and data mining. The views include data from the active partition that has events being inserted along with data from all other partitions, indexed and non-indexed (see KB 949969, which resolves the impact of non-indexed partitions being improperly groomed but doesn’t actually re-index the partitions). The views include all event strings, not only the strings used in the report. Additionally, every partition in the view adds another partitioned table to the query, eventually reaching the SQL 2005 limit of 256 tables (see KB 954958). So while these views provide access into the ACS data, they are not optimized for data analysis.

All this data needs to be indexed for optimal query and report performance. Unfortunately, you always have one partition with active events being inserted and possibly 1-2 partitions waiting to be indexed. This means regardless of how much data you have, the 2-3 most recent partitions are not staged for data mining and will always impact the performance of queries and reports.

Now let’s look at an example. Say you retain 30 days of information and are running an investigation for activity in the last 5 days. Any query you run using the default views in ACS will query the entire ACS database, not just the partitions pertinent to the query.
Additionally, the configuration, resources and indexing status of the ACS audit database can further hinder performance. To put this in perspective, let’s say you collect 5GB of events per day, which is roughly 3.5 million records. This means by default your report runs a query against 150 gigs and 90 million rows, of which only 1/10 are likely un-indexed (as opposed to just the 25GB and 15 million rows of data that actually matter). That’s a huge difference and a significant delta for optimal data mining. Although you can customize your own queries, you still run into fundamental challenges given the active event insertion, data volume and indexing status. In the end, reporting via the online database is a question of data insertion rate and volume, database health and raw horsepower. Make sure you review the ACS Master Class Series, Session 2 (ACS Design & Planning) for common best practices and planning considerations.

So now the questions we tend to ask ourselves are: Is the online audit database the best place to run reports? How much data can I keep online without impacting ACS performance? How can I store and use this data beyond the default retention period of 14 days? And so on…

Online vs. Near-Online vs. Offline
Because the online system has the active event insertion data, this repository is the best location for short-term audit needs under 72 hours but is not well suited for historical reporting or offline storage. As we now know, out-of-box ACS is only intended for online event collection and really only provides the core architecture for collecting Windows security logs into a central repository. What you do with the data and how it’s managed from there will vary depending on how you plan and optimize that architecture. Here’s where Secure Vantage comes in. The Audit Collection Archiver provides the ability to save event partitions offline in compressed files and also set up a historical audit reporting database.
With these two options, we can now plan and optimize our audit environment to support online, near-online and offline auditing needs. Users will also feel safe knowing the Archiver is the only ACS solution available that’s Microsoft Certified for SQL Server 2005. Typically we see organizations using the Archiver for one of these three reasons:
1. Their online database supports reporting and subscriptions, but the data must also be archived.
2. Their reporting requirements exceed online database capabilities and require historical reporting.
3. They wish to consolidate reporting across multiple collectors.
In a standard ACS environment, we usually see some form of the below approach when using the Archiver to manage the ACS event data lifecycle.
You can significantly optimize your audit infrastructure by using the Archiver to extend the native storage, retention and reporting capabilities of ACS to support the preceding three scenarios and more. The diagram below helps illustrate these basic design principles and how they relate to managing the ACS security log data.
This capability enables organizations to implement a far more effective ACS archiving, retention and grooming policy that supports their unique business needs. While design always takes into consideration factors such as performance, scalability, available resources, and disaster recovery, the Archiver provides a strong foundation for a robust audit infrastructure leveraging ACS as the backbone. The diagram below illustrates one example of how this technology can support the online, near-online and offline data requirements of an enterprise environment more effectively.
Storage Requirements
With the ability to store data longer than the online database and set up a historical repository comes the need to plan for storing all this data. In general, the historical database has roughly the same overhead as an online database but will typically be much larger as more information is maintained for reporting. Archives, however, are only a fraction of the online data size and can be stored to any form of media. So given the previous scenario where the ACS Collector creates 5GB of security event data per day, you keep the default 14 days online, want 90 days of data available for reporting, and need to keep all data 13 months, the table below summarizes the components and general storage estimates we’re working with.
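To make the planning arithmetic concrete, here is an added worked example (not the Secure Vantage calculator worksheet and not code from this post) that carries the post’s own figures through: 5GB and roughly 3.5 million records per day, 14 days online, 90 days in the historical database, and 13 months of archives. It also sizes the "query every partition vs. only the pertinent partitions" comparison from the earlier 30-day/5-day investigation scenario. Three values are assumptions not stated on the page: 30-day months, a historical database with the same per-day footprint as the online one, and an archive compression ratio of 10:1 (the post only says archives are "a fraction" of the online size). The row counts that follow from 3.5 million records per day come out slightly above the rounded 90 million and 15 million figures quoted above.

```python
"""Storage and query-scope estimates for an ACS data lifecycle (added example)."""
from dataclasses import dataclass

DAILY_GB = 5.0           # page figure: 5 GB of security events per day
DAILY_ROWS = 3_500_000   # page figure: roughly 3.5 million records per day
ARCHIVE_RATIO = 10.0     # assumption: compressed archive is 1/10 of online size
DAYS_PER_MONTH = 30      # assumption: "13 months" is treated as 390 days


@dataclass(frozen=True)
class Tier:
    """One retention tier: how many days it holds and what that costs."""
    name: str
    days: int
    gb: float
    rows: int


def tier(name, days, daily_gb=DAILY_GB, daily_rows=DAILY_ROWS, ratio=1.0):
    """Size one tier; ratio > 1 models compressed archive files on disk."""
    return Tier(name, days, round(days * daily_gb / ratio, 1), days * daily_rows)


def lifecycle_plan(online_days=14, historical_days=90, archive_months=13,
                   daily_gb=DAILY_GB, daily_rows=DAILY_ROWS,
                   archive_ratio=ARCHIVE_RATIO):
    """Return the online, near-online and offline tiers the post describes."""
    return [
        tier("online audit database", online_days, daily_gb, daily_rows),
        tier("historical audit database", historical_days, daily_gb, daily_rows),
        tier("compressed archives", archive_months * DAYS_PER_MONTH,
             daily_gb, daily_rows, archive_ratio),
    ]


def query_scope(retention_days, investigation_days,
                daily_gb=DAILY_GB, daily_rows=DAILY_ROWS):
    """Compare what the default dvAll-style views scan (every partition online)
    with what a partition-aware query touches (only the days under investigation)."""
    full = tier("all partitions", retention_days, daily_gb, daily_rows)
    pertinent = tier("pertinent partitions", investigation_days, daily_gb, daily_rows)
    return full, pertinent


if __name__ == "__main__":
    for t in lifecycle_plan():
        print(f"{t.name:28s} {t.days:4d} days  {t.gb:8.1f} GB  {t.rows:>13,} rows")
    full, part = query_scope(30, 5)
    print(f"5-day investigation over 30 days online scans {full.gb} GB "
          f"({full.rows:,} rows) instead of {part.gb} GB ({part.rows:,} rows)")
```

Replace the constants with your own collector’s measured daily volume and a compression ratio taken from a real archive file before using the numbers for disk purchasing.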
To assist customers in planning for these new storage needs, we’ve extended the ACS Disk & Data Storage Planning Calculator released on System Center Forum to include an additional worksheet with the formulas and variables to compute these storage requirements. You can find this worksheet in the ACS Resource Kit, a free community download.

Optimized Historical Reporting
So we have the option to set up a Historical Audit database, but how does this really help improve reporting, knowing how the online database functions? In the upcoming SP2 of the Audit Collection Archiver, you can set up a custom historical database with optimized indexing, data aggregation and flexible grooming to support your specific audit requirements. Additionally, you’ll get advanced views that only query the partitions with pertinent data and the strings applicable to the report, further improving report run-time. Another nice feature is the option to run the reports against the online or historical database along with full date/time and localization support. That means you can configure reports for the UK date/time format to show data as Day/Month/Year as opposed to the US default of Month/Day/Year (see our team blog Modifying the DateTime Format on ACS Reports for more information). We also resolved the data mapping issue between Windows 2003 and Windows 2008 security events by providing consolidated reporting and attribute mapping (i.e. ACS writes the Primary User info of a security event from Win2003 and Win2008 differently, resulting in discrepancies when comparing security data across operating systems; we remap this data in our reports for optimized forensics and investigations). The diagram below illustrates the ACS historical database design and shows how different report scenarios might query the historical audit database.

In Conclusion
If you’re using ACS and need historical reporting and archiving, get a solution that’s proven and easily scales to your organization’s needs.
Check out the Audit Collection Archiver and the rest of our Security Auditing solutions for ACS.

January 30 ACS Access Hardening

We posted another ACS Master Class Series session today, ACS Access Hardening. For those of you looking to lock down or harden the Audit Collection Service (ACS) this is a must see. The re-recording is presented by ACS guru and SCOM expert Graham Davies, a Sr. Engineer with AKCSL based in the UK. Graham has worked on some very large and ‘secure’ ACS environments, is a frequent contributor on Microsoft TechNet forums and presents a great session on how to harden ACS.
Download Video: ACS Access Hardening
In roughly 15 minutes this session walks through general ACS vulnerabilities and hardening options plus two demos covering Forwarder hardening and SCOM Reporting lockdown. The information below summarizes the content covered in this session.
1. Forwarder Service can be stopped or reconfigured to an undesired state
2. Collector Service can be stopped, noise filters manipulated
3. Collector to DB communications are unencrypted
4. Audit Database is governed via SQL security
5. Reporting via OpsMgr opens all reports to all users using the console
6. Archived files should be secured and monitored for any misuse
Session Demos
· Demo 1: Locking down the ACS Forwarder service
· Demo 2: Locking down ACS report access in the SCOM console
We’ve had a lot of customers and partners ask about locking down ACS reports in SCOM, and the second demo shows you exactly how to do it. The demo walks through how to create a new SCOM Role and modify the Reporting Access Rights associated with Roles. This enables you to remove the default user access in SCOM reporting and provide a specific Role to assign users access to ACS audit reporting. Please note Demo 2 is based on guidance and resources available in the Security Reporting in Operations Manager 2007 guide posted on System Center Forum. Stay tuned as we continue posting the rest of the ACS Master Class Series online, and make sure you check out the Secure Vantage Technical Tuesdays for our 2009 training sessions.

January 27 Moving into 2009

So it’s time to start cranking the wheels and blogging for 2009; you’ll see lots of updates over the next few months so keep watch. Moving into the new year we thought it would be a great time to announce some important updates and continued improvements in our Security Management and Auditing suite for System Center Operations Manager. Below are three key things all our customers and partners should be aware of. Stay tuned as we have lots to share this year.
Virtualization Licensing Program
This year we’re updating our licensing models to incorporate the growing tool set and bundling options customers have been asking for including our new Virtualization Licensing Program. Under this new offering customers save 60% on retail pricing for licenses running on virtual vs physical systems. This enables organizations planning and leveraging virtualization technology the opportunity to further reduce total cost of ownership. If you’re an existing customer or partner and interested in learning more about our Virtualization Licensing Program please contact us.
Windows Server 2008 Support
As many of our customers and partners know we’ve put a tremendous amount of effort over the past year into new knowledge resources and optimizing our solution packages. We continue making those investments and have several important releases coming out over the next few months. These updates will address known issues, simplify deployments and upgrades, improve internationalization support plus introduce installation and auditing capabilities for Windows Server 2008 across the suite. For more details on upcoming solution releases watch the team blog or contact us.
Secure Vantage Technical Tuesdays
Last year the ACS Master Class Series was a huge success; this year we continue the online training offerings and will be hosting technical webcasts the first Tuesday of every month starting February 3rd. This year’s online training will focus on planning, deploying, managing and optimizing Secure Vantage solutions for System Center. Customers and partners can register online for the upcoming series to watch them live or on-demand at http://www.securevantage.com/Support/TechTuesdays.aspx.

December 19 ACS Resource Kit v1.1

We’ve released an update to the ACS Resource Kit for the community. The ACS Resource Kit now includes a revised version of the ACS Disk Planning Calculator originally posted on System Center Forum, new database utilities for ad-hoc queries and advanced grooming, plus the ACS Visio Stencils previously posted on our blog. For more information and to download the latest version of the ACS Resource Kit please visit http://www.securevantage.com/Products/ACSResourceKit.aspx

ACS Resource Kit v1.1, Contents
1. ACS Administrators Quick Reference – ACS newbie cheat sheet of common commands and configurations
2. ACS Database and Disk Planning Calculator – preplan online, offline and archive storage needs plus disk requirements for the online audit database
3. ACS Database Event Analysis
a. ACS Summary Stats – XLS you can connect to the ACS DB for event load analysis
b. Query Active Partition for Event Counts
c. Query Active Partition for Specific Events
d. Windows Security Auditing Reference List – List of Windows security events, settings and common configuration items for Windows XP, Vista, Windows Server 2003 & 2008
4. ACS Database Utilities
a. Groom Specific Events from Audit Historical Database
5. ACS Noise Filtering
a. ACS Noise Filter Guide
b. My Generic Filter – Sample noise filter
c. Filter Setup Kit – Auto apply generic filter sets after ACS installation
6. ACS Security Event Creation Testing – Scripts to create events for over 50 audit scenarios
7. ACS Visio Stencils – Microsoft Office Visio Stencils of common ACS components

December 17 ACS Health Checks

We’ve had quite a few partners and customers recently ask about how to do routine health checks for System Center Operations Manager environments using the Audit Collection Service (ACS). We wanted to share the general checks we use for ACS and also discuss how the Audit Collection Admin can centralize the presentation of this data and automate these routine tasks to help you maintain a more reliable audit infrastructure.
So how do we run an ACS health check? Below are common tasks one can run in an ACS environment to confirm the audit infrastructure availability, performance and health. Please note this list only outlines a health check and does not include step-by-step instructions or problem resolution guidance. For more information on planning, troubleshooting or optimizing an ACS environment please refer to the ACS Master Class Series.
Review ACS Configuration
The primary objective when reviewing an ACS configuration is looking for potential hardware bottlenecks, design limitations and opportunities to improve the audit infrastructure.
Check ACS Collector/s Health
Reviewing an ACS Collector helps confirm active event collection plus general audit infrastructure health, availability and performance.
· Check Application and Operations Manager logs for Warning/Critical ACS related events
· Run 'AdtAdmin -stats' to review all active forwarders and load
o Note: Using the '-listforwarders' switch shows all Forwarders ever connected.
o Run 'AdtAdmin -stats -forwarderid <sid>' to investigate specific Forwarders
· Review ACS performance counters for utilization and statistics
o KPI: Database Queue and Backoff Threshold
Check Audit Database/s Server Health
The Audit database is the core of ACS and a common source of most performance bottlenecks. It is important to ensure SQL is properly configured and supporting the event insertion load.
Check Audit Database/s Partition Health
In addition to a healthy audit database, the ACS audit partitions must also be reviewed to confirm they are being indexed, groomed and managed according to the system configuration. This information can also be used for capacity and storage planning.
· Confirm the number of partitions online matches the configured value
· Review partition size and row counts, looking for trends or anomalies
· Review partition retention, grooming schedule, time zone and offset
· Confirm indexing is occurring on partitions
o Verify the correct number of indexes on each partition table
· Confirm grooming is occurring as scheduled; check for KB 949969
· Confirm the 'dvAll5' view is being built properly and is populated with data
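The partition checks above are easy to script once the per-partition figures have been pulled out of the audit database. The following is an added example (not the Audit Collection Admin and not code from this post) that runs four of them over constructed partition metadata: partition count against the configured retention, index coverage on closed partitions, grooming of the oldest partition, and row-count anomalies against the median. The records, their field names, the status values and the expected index count of 2 are all this example’s own assumptions, not the ACS schema; the "closed for more than 2 days means indexing is stuck" rule follows the post’s remark that 1-2 partitions normally wait to be indexed.

```python
"""Audit-partition health check over constructed partition metadata (added example)."""
from statistics import median

# Constructed sample: one record per daily partition, newest first.
# status: "active" (receiving inserts), "closed" (waiting to be indexed),
#         "indexed" (staged for reporting). Field names are this example's own.
SAMPLE_PARTITIONS = [
    {"id": "p00", "age_days": 0,  "status": "active",  "rows": 1_900_000, "indexes": 0},
    {"id": "p01", "age_days": 1,  "status": "closed",  "rows": 3_400_000, "indexes": 0},
    {"id": "p02", "age_days": 2,  "status": "indexed", "rows": 3_600_000, "indexes": 2},
    {"id": "p03", "age_days": 3,  "status": "closed",  "rows": 3_500_000, "indexes": 0},
    {"id": "p04", "age_days": 4,  "status": "indexed", "rows": 3_300_000, "indexes": 2},
    {"id": "p05", "age_days": 5,  "status": "indexed", "rows": 3_450_000, "indexes": 1},
    {"id": "p06", "age_days": 6,  "status": "indexed", "rows": 3_700_000, "indexes": 2},
    {"id": "p07", "age_days": 7,  "status": "indexed", "rows": 3_550_000, "indexes": 2},
    {"id": "p08", "age_days": 8,  "status": "indexed", "rows": 700_000,   "indexes": 2},
    {"id": "p09", "age_days": 9,  "status": "indexed", "rows": 3_650_000, "indexes": 2},
    {"id": "p10", "age_days": 10, "status": "indexed", "rows": 3_350_000, "indexes": 2},
    {"id": "p11", "age_days": 11, "status": "indexed", "rows": 3_500_000, "indexes": 2},
    {"id": "p12", "age_days": 12, "status": "indexed", "rows": 3_600_000, "indexes": 2},
    {"id": "p13", "age_days": 13, "status": "indexed", "rows": 3_400_000, "indexes": 2},
    {"id": "p14", "age_days": 14, "status": "indexed", "rows": 3_450_000, "indexes": 2},
]

CONFIGURED_RETENTION = 14   # days of partitions that should be online
EXPECTED_INDEXES = 2        # assumption: indexes expected on each indexed partition
MAX_UNINDEXED_AGE = 2       # assumption: a partition closed longer than this is stuck
ANOMALY_FACTOR = 2.0        # flag row counts more than 2x above or below the median


def check_partitions(partitions, configured_retention=CONFIGURED_RETENTION,
                     expected_indexes=EXPECTED_INDEXES,
                     max_unindexed_age=MAX_UNINDEXED_AGE,
                     anomaly_factor=ANOMALY_FACTOR):
    """Return a list of (kind, partition_id, message) findings; empty means healthy."""
    findings = []

    # 1. Number of partitions online should match the configured retention.
    if len(partitions) != configured_retention:
        findings.append(("count", "db",
                         f"{len(partitions)} partitions online, configured {configured_retention}"))

    # 2. Indexing: closed partitions should not linger, and indexed ones need all indexes.
    for p in partitions:
        if p["status"] == "closed" and p["age_days"] > max_unindexed_age:
            findings.append(("not-indexed", p["id"],
                             f"closed for {p['age_days']} days and still not indexed"))
        elif p["status"] == "indexed" and p["indexes"] != expected_indexes:
            findings.append(("index-count", p["id"],
                             f"{p['indexes']} indexes, expected {expected_indexes}"))

    # 3. Grooming: nothing at or beyond the retention window should still be online.
    for p in partitions:
        if p["age_days"] >= configured_retention:
            findings.append(("grooming", p["id"],
                             f"{p['age_days']} days old, grooming overdue"))

    # 4. Row-count anomalies on completed partitions (the active one is still filling).
    completed = [p for p in partitions if p["status"] != "active"]
    if len(completed) >= 3:
        mid = median(p["rows"] for p in completed)
        for p in completed:
            if p["rows"] > mid * anomaly_factor or p["rows"] < mid / anomaly_factor:
                findings.append(("anomaly", p["id"],
                                 f"{p['rows']:,} rows vs median {int(mid):,}"))
    return findings


if __name__ == "__main__":
    for kind, pid, msg in check_partitions(SAMPLE_PARTITIONS):
        print(f"[{kind}] {pid}: {msg}")
```

A partition with far fewer rows than its neighbours is worth a second look either way: it can mean a collector outage, a forwarder that stopped reporting, or an audit policy change, none of which the raw row count distinguishes on its own.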
Check Audit Database/s Archives
Confirming successful audit database archiving validates data retention and usability.
Check Audit Reporting Access and Subscriptions
Checking report access, run-time performance and subscriptions helps confirm end users are able to access reports and automate a standardized reporting process.
Check Forwarder/s Health
ACS Forwarders can be reviewed or investigated as needed.
· Check OpsMgr ACS State Forwarder View for Health (checks ACS service is running)
o Check for any disconnected Forwarders
· Review Install base of forwarders against OpsMgr agents
Noise Filter Tuning
ACS Noise Filtering provides a method to streamline event collection and improve data quality. Filtering policies should be reviewed on a periodic basis to adjust for changes in audit policy, number of forwarders and environment.
Given the above ACS health checks, the results can now be used to improve the auditing environment’s performance, availability and general capacity planning. Outside of potential topology and hardware constraints, the most common opportunities to improve ACS performance are Event Noise Filtering and Database Optimization.
For folks who want to find most of the above information in a single location, the Audit Collection Admin provides a centralized graphical user interface that lets administrators and engineers quickly get the information they need to plan, manage and tune the ACS auditing environment from within the Operations Manager console. In addition, the Admin provides extended health monitoring of ACS Collectors with detailed knowledge guidance for administrators.
A couple of other nice features for users include the ability to sort the detailed statistics from Forwarders and Database Partitions to identify high/low patterns or anomalies, plus the option to copy-and-paste that data into Excel spreadsheets for additional planning and analysis. Whether you’ve been using ACS for a while or are just getting started, this solution will simplify managing your ACS audit infrastructure and routine health checks.

December 09 Security Management pack update

We’ve released 2 significant updates for the Security Management packs for System Center Operations Manager (SCOM) 2007.

New Reports for Security Management
The first update is extended security reporting, including Resultant Set of Policy (RSoP) and Group Policy Audit Reports plus SMB security event reports intended for System Center Essentials (SCE) environments and customers unable to leverage the Audit Collection Service (ACS). Now customers can report on Group Policy discovery and change data plus implement light security event reporting without ACS.

Security Management Report List
· Group Policy
o Resultant Set of Policy Report
o Group Policy Change Audit and Impact Analysis
· Small Business Reporting
o Account Management
o Audit Integrity
o Domain Policy Changes Detail
o Domain Trust Changes
o Group Member Changes
o Policy Changes
o User Accounts Added Deleted
o User Accounts Enabled Disabled
o User Accounts Password Resets
Extended Alerting & Knowledge for Security Management
The second update is for our Windows Security Auditor MP which introduces more rules and knowledge content.
Management Pack: Windows Security Auditor
Current Version: 3.0.6600.0 (Last Version: 3.0.6500.0)
List of Changes
· Added Multiple Logon Failures rule for 5 failed logons within 1 minute by the same user on the same machine
· Extended rule set to include all Group Change event scenarios
o (i.e. Local, Global, Universal, Security & Distribution)
· Added rules for Terminal Service session disconnects
· Enriched Knowledge Articles with Security View hyperlinks
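The Multiple Logon Failures rule is a small sliding-window count, and the SP1 change log above notes that its Count and Time thresholds became overridable. The following is an added example (not the management pack’s own rule or code) that implements that logic over constructed failed-logon records: 5 failures within 60 seconds from the same user on the same computer raises one alert, and both thresholds are parameters. The event records and their field names are this example’s own; the event IDs it pre-filters on are the standard Windows failed-logon IDs (529 on Windows Server 2003, 4625 on Windows Server 2008), which the post itself does not list.

```python
"""Sliding-window 'Multiple Logon Failures' detection over constructed events (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON_IDS = {529, 4625}   # Windows 2003 / Windows 2008 failed-logon event IDs

# Constructed sample events: (timestamp, computer, user, event_id).
T0 = datetime(2009, 1, 15, 9, 0, 0)
SAMPLE_EVENTS = [
    (T0 + timedelta(seconds=0),  "SRV01", "alice", 529),
    (T0 + timedelta(seconds=5),  "SRV01", "bob",   4625),
    (T0 + timedelta(seconds=10), "SRV01", "alice", 529),
    (T0 + timedelta(seconds=15), "SRV01", "bob",   4625),
    (T0 + timedelta(seconds=20), "SRV01", "alice", 529),
    (T0 + timedelta(seconds=25), "SRV01", "bob",   4625),
    (T0 + timedelta(seconds=30), "SRV01", "alice", 529),
    (T0 + timedelta(seconds=35), "SRV01", "bob",   4625),
    (T0 + timedelta(seconds=40), "SRV01", "alice", 529),   # 5th alice failure in 40 s
    (T0 + timedelta(seconds=45), "SRV01", "alice", 528),   # successful logon, ignored
    (T0 + timedelta(seconds=50), "SRV02", "alice", 4625),
    (T0 + timedelta(seconds=55), "SRV02", "alice", 4625),
    (T0 + timedelta(seconds=90), "SRV01", "bob",   4625),  # bob's 5th, but 85 s after his 1st
]


def detect_multiple_logon_failures(events, count=5, window_seconds=60):
    """Return one alert per burst of `count` failed logons within `window_seconds`
    for the same (computer, user) pair. Count and window mirror the rule's
    overridable thresholds. Events may arrive unordered; they are sorted first."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # (computer, user) -> timestamps inside the window
    alerts = []
    for ts, computer, user, event_id in sorted(events, key=lambda e: e[0]):
        if event_id not in FAILED_LOGON_IDS:
            continue
        key = (computer, user)
        q = recent[key]
        q.append(ts)
        # Drop failures that fell out of the window relative to this event.
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= count:
            alerts.append({"computer": computer, "user": user,
                           "first": q[0], "last": ts, "failures": len(q)})
            q.clear()   # alert once per burst rather than on every further failure
    return alerts


if __name__ == "__main__":
    for a in detect_multiple_logon_failures(SAMPLE_EVENTS):
        print(f"{a['user']}@{a['computer']}: {a['failures']} failures "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

Lowering the count override (for example to 4) makes bob’s burst fire as well, which is exactly the tuning trade-off the overridable thresholds exist for: a lower count catches slower guessing but raises noise from users who simply mistype a password.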
If you’re a current customer and interested in either of the above updates please contact us.

November 13 Integrating Forefront Client Security with Configuration Manager

Today Secure Vantage will be presenting in the System Center Virtual User Group and demonstrating how to integrate Forefront Client Security (FCS) with System Center Configuration Manager (SCCM). You can register for the user group or download the recording on www.systemcenterforum.org
This session is based on a solutions accelerator posted earlier this year on CodePlex. One of these resources is now publicly available for download from Microsoft: Deploying FCS definition updates with a shared System Center Configuration Manager WSUS infrastructure.
This document provides step-by-step guidance for maintaining FCS Anti-Virus and Malware signature updates leveraging your existing SCCM WSUS/SUP infrastructure. The diagram below highlights an overview of how these solutions work together in a shared WSUS environment.
For officially supported configurations on this integration please refer to Microsoft KB 9458491: Supported configurations for using WSUS to distribute Forefront Client Security Definition updates within SCCM 2007
The FCS team has also posted two related blogs on "Deploying FCS with SCCM 2007", download Step-by-Step or Video Guide
Why are we blogging about Forefront and Configuration Manager?
Well we wrote the guide for the Microsoft community (kudos to Kevin Colby) and secondly security management and GRC initiatives take more than just using Operations Manager and the Audit Collection Service. It's the combination of both System Center and Forefront technologies that enable customers to deal with today's security and regulatory challenges. We're glad we got to help bring this resource to the community and continue assisting customers fully leverage their investments in System Center and Forefront for GRC related activities.
To further help customers leverage both FCS and SCCM together we bundled the above resources with a DCM Configuration Pack for FCS. You can download the 'Integrating FCS with SCCM Toolkit' from the Secure Vantage website at www.securevantage.com/docs/IntegratingFCSwithSCCMtoolkit.zip
Please send any comments, suggestions or requests to improve this toolkit to support@securevantage.com