
SolutionBase: Monitor your network with Kiwi Syslog

Monitor your network for free with Kiwi Syslog.

Keeping track of what's going on with your network and catching a problem before it becomes critical can mean the difference between dealing with an annoyance or handling a three-alarm fire. Unix administrators have long been able to take advantage of the Syslog utility for network monitoring. Thanks to the folks at Kiwi Software and their Kiwi Syslog Daemon program, Windows administrators can have this type of functionality as well.

What's Kiwi Syslog?
Kiwi Syslog is available in two versions—application and service. The application version requires you to be logged in to a PC and have the application running for any alerts to be received and recorded. The service version (available only on NT 4 and above) can run exactly as it sounds, as a service, and can be left on a PC that is locked from keyboard access. Kiwi Syslog can also receive alerts sent via SNMP, as well as messages from Cisco PIX firewalls and other devices. In the course of this article, I'll go over installing and setting up Kiwi Syslog, as well as getting it to work with a device that supports Syslog functionality.

Installing Kiwi Syslog
Setting up Kiwi Syslog begins by going to Kiwi's Web site. There, you'll download the latest version of Kiwi Syslog. Depending on the speed of your Internet connection, the 4-MB download shouldn't take too long. Before installing the software from Kiwi, make sure you've installed the latest Service Pack and all of the hot fixes on the system that will run Kiwi Syslog.

If you haven't already downloaded and installed Microsoft's Baseline Security Analyzer, now would be a good time to do so to make sure you have everything applied that is appropriate for your system and to give you a way to make sure you stay current on the available patches. To find out more about the Microsoft Baseline Security Analyzer, see the Daily Drill Down "Make sure your network is secure with the Microsoft Baseline Security Analyzer".

Once you are current on the patches, purchase your registration key to unlock all the features that Kiwi Syslog contains. After you purchase the key, Kiwi will e-mail it to you. There are two different ways you can enter the key information. First, you can cut and paste the registration info into the registration screen. The alternative is to type in the information from the e-mail (about four lines' worth) and then click OK.

After that, the installation program works like every other Windows Setup wizard you've ever run. Just follow the onscreen instructions.

Filtering the info coming into Kiwi Syslog
Start Kiwi Syslog after you have installed it. After the splash screen appears and then goes away, you'll see what looks like a spreadsheet screen similar to the one in Figure A. As you can see, there are several columns—Date, Time, Priority, Hostname (the device sending the alert), and a Message column carrying the details of the alert.

Figure A
Kiwi Syslog starts off with a blank spreadsheet.


If the device you want to use with Syslog doesn't tell you much about the type of alerts it can generate, let the information from the device go into the default screen that Kiwi Syslog gives you. Kiwi Syslog gives you ten different screens or views to sort out all of the information coming in, which lets you drill down to get to what you need.

In the case of the MultiTech VPN router we are working with, all that you have to do to get the Syslog functionality working is to turn it on in the MultiTech unit and give the address of the Syslog server. There is also an intrusion detection/hacker feature available that you may want to turn on as well. After letting the Kiwi Syslog and the MultiTech run for a few minutes, you should start seeing messages show up on the screen.

Look at the priority column and you should see two different entries—User.Info and Daemon.Alert. In the MultiTech's case, the User.Info is a record of the traffic passing through the device. The Daemon.Alert is a record of the activity that the MultiTech believes to be hacker related. By default this information will consist of the TCP/IP address and port number of the sender and receiver of the packet.

To break down the information, click File | Properties. There you'll set up a filter that will send the information you want to a separate screen so that you can drill down on it further.

I would recommend the following strategy for handling the breakdown of information—leave one screen set to receive all of the information, and then use the remaining nine screens (Kiwi can use up to 10 screens) to break out the individual pieces of information that you seek.

Creating rules and filters
Right-click Rules, then click on Add Rule. You should see a New Rule appear on the screen, as shown in Figure B. Right-click this rule and rename it to reflect its purpose (e.g., Hacker Alert).

Figure B
Create new filters.


Under the new Hacker Alert, you'll see two options—Filters and Actions. The first thing we need to do is filter out what we are looking at. Right-click Filters and click Add Filters. An item will appear that says New Filter. Click the New Filter item, click the drop-down arrow at the top of the window that says Field, then choose Priority.

Since we want to filter on the Daemon.Alert message that is coming from the MultiTech, we will need to work with the Priority field. Go down the screen until you see the Daemon label, then go across until you are under the Alert column. Double-click that cell and a blue dot will appear. This indicates that you'll be looking only for Syslog messages that have the Daemon.Alert text in the Alert field.

At this point, you can click the Apply button to save what you have done so far. The next thing to do is to rename the filter you just created to reflect what it is. In our case, label it as Daemon.Alert.

At this point, all the Daemon.Alerts from all of the Syslog-enabled devices on the network will be sent to this rule. Since we want to look only at the Daemon.Alerts from the MultiTech, we need to create another filter.

Repeat the process you used to create the first filter and, this time, select hostname. Enter just the TCP/IP address of the MultiTech and click Apply. Make sure to enclose the TCP/IP address of the device in double quotation marks.

Right-click Actions under the Hacker Alert rule. Click the Add Action option. When the screen refreshes, click the drop-down arrow beside Action and select Display. On that screen, select the screen to which you want the information sent.

In this case, we will send the Daemon.Alerts to Display01. Click Apply to save this setup. The action you have just created will now show as a new action.

Right-click New Action and rename it to Display to make it reflect what it is actually doing. Because Display01 isn't a very descriptive name either, you can rename Display01 to something more to your liking.

On the Daemon Setup screen where you are, click the Display option that will be about halfway down the screen. Under Modify Display Names, click the drop-down arrow, then click Display01. In the field to the right of that, you can enter Hacker Alert and click Update. The action you just created will automatically have the screen name changed in it as well.

Now you've filtered the incoming Daemon.Alerts to a specific screen, but once the messages scroll off the screen or you restart the system, the messages will be gone. To avoid this, you must change a basic text logging option that will save the Syslog messages for later review. Right-click Action under the Daemon.Alert rule, then click Add Action. Click the drop-down arrow beside Action and select Log To File.

By default, Kiwi Syslog will insert the drive, path, and file name used by the default Rule that Kiwi Syslog initially puts in place during the installation process. Change the name of the file from KiwiCatchAll to the name of the Rule you have created. Click the Apply button to save your changes.

You'll also want to rename this new action from Default action to Log To File to reflect what the action is doing for you. Right-click New Action and click Rename to label it to reflect what the action is doing. Click OK when you are finished.
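The rule built above, worked through as an added Python example (not Kiwi's own code): it decodes the Syslog PRI value into the Facility.Severity label Kiwi shows in the Priority column, applies the Daemon.Alert and hostname filters, and returns which rules and actions fire for each message. The MultiTech address 192.0.2.1, the file names and the sample lines are constructed for the example.

```python
import re

# Standard Syslog facility and severity codes (RFC 3164); PRI = facility * 8 + severity.
# Kiwi shows the pair as Facility.Severity, so PRI 25 is Daemon.Alert and PRI 14 is User.Info.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert",
              "clock"] + [f"local{n}" for n in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$")

def parse_syslog(line):
    """Split a BSD-style Syslog line into the columns Kiwi displays."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"not a Syslog line: {line!r}")
    pri = int(m.group(1))
    if pri > 191:  # 24 facilities * 8 severities - 1 is the largest legal PRI
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)
    return {
        "priority": f"{FACILITIES[facility].capitalize()}.{SEVERITIES[severity].capitalize()}",
        "time": m.group(2), "host": m.group(3), "message": m.group(4),
    }

# Rules as set up in the article: every filter must match for a rule's actions to run.
# The hostname, display names and file names are constructed for this example.
RULES = [
    {"name": "Hacker Alert",
     "filters": {"priority": {"Daemon.Alert"}, "host": {"192.0.2.1"}},
     "actions": ["Display: Hacker Alert", "Log To File: HackerAlert.txt"]},
    {"name": "Catch All", "filters": {},
     "actions": ["Display: All", "Log To File: KiwiCatchAll.txt"]},
]

def route(msg, rules=RULES):
    """Return the (rule name, actions) pairs whose filters all match the message."""
    return [(r["name"], r["actions"]) for r in rules
            if all(msg[field] in allowed for field, allowed in r["filters"].items())]

# Constructed sample traffic: a Daemon.Alert from the MultiTech, a User.Info traffic
# record from it, and a Daemon.Alert from a different device on the network.
SAMPLE_LINES = [
    "<25>Apr 17 08:38:56 192.0.2.1 IDS: blocked TCP 198.51.100.7:4455 -> 192.0.2.10:23",
    "<14>Apr 17 08:38:57 192.0.2.1 passed TCP 192.0.2.10:1034 -> 203.0.113.5:80",
    "<25>Apr 17 08:39:02 192.0.2.2 IDS: blocked TCP 198.51.100.9:5120 -> 192.0.2.11:80",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        msg = parse_syslog(line)
        print(msg["priority"], msg["host"], [name for name, _ in route(msg)])
```

Only the first line reaches the Hacker Alert screen and its log file; the other two land only in the catch-all rule, which is why the hostname filter matters when several devices send Daemon.Alert.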

Recording the information into a database
Searching for information over a text file can be time-consuming and inefficient if you want to search for a particular field of data. The registered version of Kiwi Syslog provides additional ways of saving the message received by Syslog to a variety of databases ranging from Access to SQL. The way that Syslog manages this is through the use of an ODBC link, which doesn't require you to have a copy of Access installed on the Syslog server in order to be able to write to an Access database. You can also view the database economically by obtaining a program that can view the database file but isn't capable of writing back to the file.

Configuring Kiwi Syslog to write to an Access database is a pretty straightforward process. You'll use the ODBC administrator on the NT/2000 system that Syslog is installed on to create the database file and create the ODBC link that Syslog will use to get the data written to the file.

The process is started by clicking File | Properties or pressing [Ctrl]P to get into the Kiwi Syslog Daemon Setup screen. Expand the Actions area under the Rule you want to write to a database file. Right-click Actions and select Add Action. When the screen refreshes, click the down arrow beside the Action label and select Log To ODBC Database.

You'll need to create the Access .mdb file for Kiwi Syslog to write the messages to. Click the ODBC Control Panel button. When the ODBC Data Source Administrator screen appears, click the System DSN button. Click Add on that screen, scroll down the list of available drivers, and click the one that says Microsoft Access Driver (.mdb). Click Finish.

When the ODBC Microsoft Access screen appears, enter Syslogd in the Data Source Name field. Click Create in the Database portion of the screen. When the New Database screen appears, enter the name you want the database to be known by in the Database Name field.

Verify that the path currently shown is where you want the database to be created. Change it if you want it to be placed somewhere else. Click OK to continue. Once the database has been created, a message to that effect will be displayed on the screen. Click OK to clear the message. Click OK again to close the ODBC Microsoft Access Setup screen.

When you are returned back to the ODBC Data Source Administrator screen, you should now see a Microsoft Access link to the Syslogd Access database you just created. Click OK to close this screen and return to the Kiwi Syslog Daemon Setup screen from which you started this process.

Before this Access database file will be usable by Syslog, you'll need to create a table for the information to be written to. Creating a table space creates the database fields and specifications necessary for the ODBC link to write data to the file. Click Create Table to begin that process.

A message will appear on the screen asking you to confirm creating a table by the name of Syslogd in the database file specified in the DSN (Data Source Name) connect string at the top of the screen. Click Yes to complete this task.

When the table has been created, which as a general rule should take only a few seconds, a message will appear on the screen advising you that the creation was successful. Click OK to continue. Click the Apply button to save your configuration work up to this point.

Next, you'll want to rename the task so that you can clearly identify what it does without having to go into details at a later point. Right-click the New Action, rename it to Write To Access Database, and click OK to complete the task.

One way that you can verify that the Access file is being written to is to use the Query Table button under the Action that writes the information to the database file. This will attempt to return the last five rows written to the file and display them on screen.

Enabling the advanced features in Kiwi Syslog
To help make the logging easier to read, you can instruct Kiwi Syslog to resolve the TCP/IP address to a fully qualified domain name for the address (if one exists). Click File | Properties | DNS to get to the Configuration option.

Under Syslog Message text options, you can tell it to resolve the TCP/IP address to a host name and either replace the TCP/IP address with the host name or put the host name out to the side of the TCP/IP address. I prefer the latter because it can make things easier to troubleshoot for both parties since you won't have to reconvert the hostname back to a TCP/IP address if the device in question has more than one name associated with the same address.

Since you may not always be nearby to watch the Syslog messages as they come through, it becomes handy to have some way for Syslog to alert you. You can set up a rule that only applies to messages of a certain type, say a hacker alert message coming from the MultiTech VPN device.

For example, to control how many Syslog messages show up in your Inbox, open up the rule that you want to get the e-mails from and expand the Actions area. Right-click Actions and click the Add Actions option. Click the drop-down arrow beside the Action label at the top of the screen and click on the e-mail message option.

When the screen refreshes, you'll first enter the e-mail address(es) that you want to send the messages to in the E-mail Recipients field. Enter the name or e-mail address that you want the e-mail to be from in the E-mail From: field. You can leave the remainder of the information at the defaults until you get a deeper understanding of how Kiwi Syslog works.

One reason for changing this would be if you were sending these messages to a text pager with a limited message size. Click the Apply button to save what you have configured.

As with the other times that you created a rule, filter, or action, rename this action to indicate what it does (e.g., E-mail Alerts) and click OK. Once you do this, you can go back into the Action you just created and click the Test Setup button to generate a test e-mail so that you can ensure that the connection between Kiwi Syslog and your mail server is working correctly.

As an additional safeguard that things are working correctly, you can have Kiwi Syslog automatically e-mail you once a day with a statistics message on how many messages came in, what priority level they were, etc. Even more important is that you can have the server e-mail you when it gets low on disk space or when it receives less than x messages or more than x messages per hour, which could indicate a problem with things not working correctly.

That's just the start
As you can see, we have just scratched the surface of what Kiwi Syslog can do for you. This is a very versatile and affordable package that can help you get additional information from equipment all over your network into a form that you can use to proactively manage your network. If you are on a tight budget, you can use the free version to get started, but upgrading to the full version should be within range of your budget because it's only $70 for a single license. This is a tool that should be a part of your network management toolkit.
2 comments

wsam

The following information is logged to Sql in the format supplied. I need to be able to reduce the column. I need information like the event id, user name, and audit type. Msgtext is the field that I am having trouble with. I need to trim down the Message text field for Kiwi. I am currently using snare to pull the Windows security event logs. Msgtext Apr 17 08:38:56 ITAdmin2.votepinellas.local MSWinEventLog1Security4Tue Apr 17 08:38:56 2007528SecuritywsamUserSuccess AuditITADMIN2Logon/LogoffSuccessful Logon: User Name: wsam Domain Apr 17 08:39:24 ITAdmin2.votepinellas.local MSWinEventLog1Security5Tue Apr 17 08:39:24 2007528SecuritywsamUserSuccess AuditITADMIN2Logon/LogoffSuccessful Logon: User Name: wsam Domain Apr 17 08:39:29 ITAdmin2.votepinellas.local MSWinEventLog1Security6Tue Apr 17 08:39:24 2007528SecuritywsamUserSuccess AuditITADMIN2Logon/LogoffSuccessful Logon: User Name: wsam Domain
