I want a "Red Teaming"
Michael Schneider
This is how you log your firewalls professionally
To set up a separate Graylog instance, you can refer to the instructions from the relevant manufacturer. For the test lab, we installed a current CentOS on a VM and installed a current version of Graylog. We chose NXLog Community Edition as the log shipper on the Windows client.
You may (or may not) be surprised that logging of the on-board firewall is not activated on Windows clients and servers by default. That means you have to activate in order to collect log data.
Windows Firewall logging can be activated by going to Windows Defender Firewall with Advanced Security -> Properties -> [Domain/Private/Public] Profile tab -> Logging Customize.
Then change the value No (Default)
for the items Log dropped packets and Log successful connections to Yes
. It is also a good idea to change the size limit of the log file to at least 16384 KB.
You can also achieve the same result with the following group policies:
Setting | Group Policy | Recommendation |
---|---|---|
Log file size limit | Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile\Logging Customize\Size limit (KB) | 16384 KB or greater |
Log dropped packets | Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile\Logging Customize\Log dropped packets | Yes |
Log successful connections | Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security\Windows Firewall Properties\Domain Profile\Logging Customize\Log successful connections | Yes |
Once you have installed NXlog on the Windows system following the manufacturer’s instructions, you will also need to configure it. Since the recipient will be a Graylog instance, the Firewall logs should be sent using the Graylog Extended Log Format (GELF) via UDP.
The relevant settings are found in the NXLog configuration file located in its installation directory (default path):
C:\Program Files (x86)\nxlog\conf\nxlog.conf
The following changes are made in nxlog.conf
. The default configuration file serves as the starting point.
_syslog
to _gelf
<Extension _gelf> Module xm_gelf #Module xm_syslog </Extension>
im_vistalog
module was replaced by im_file
to allow reading from a file logFile "C:\Windows\system32\LogFiles\Firewall\pfirewall.log"
<input>
is changed to WinFirewallLog<Input WinFirewallLog> Module im_file File "C:\Windows\system32\LogFiles\Firewall\pfirewall.log" Exec if $raw_event =~ /(\d\d\d\d\-\d\d-\d\d \d\d:\d\d:\d\d)/ {$EventTime = strptime($1, '%Y-%m-%d%t%H:%M:%S');} # For windows 2003 and earlier use the following: # Module im_mseventlog </Input>
om_tcp
module was replaced by om_udp
#
characters to disable itExec $ShortMessage = $raw_event;
statement is added. This ensures that the entire log line is sent in the Message field. Without this statement, the message would be truncated to 64 characters.out
<Output out> Module om_udp Host 192.168.1.10 Port 12202 Exec $ShortMessage = $raw_event; #Exec to_syslog_snare(); OutputType GELF </Output>
If you are already sending Windows event logs via NXLog or would like to do so, make sure to define a separate <input>
, <output>
and <route>
for each log item in the NXLog configuration.
This could look as follows:
<input>
is defined with a corresponding name – here they are <Input WinEventLog>
and <Input WinFirewallLog>
<Output>
, each defined with a different port. This means that in Graylog you can define a specific input for each port for the different log items and analyze them separately. Here they are <Output out1>
and <Output out2>
.<Route>
definitions with the format Input ⇒ Output. So one <Route>
is defined with Path WinEventLog => out1
and one with Path WinFirewallLog => out2
.<Input WinEventLog> Module im_msvistalog </Input> <Input WinFirewallLog> Module im_file File "C:\Windows\system32\LogFiles\Firewall\pfirewall.log" Exec if $raw_event =~ /(\d\d\d\d\-\d\d-\d\d \d\d:\d\d:\d\d)/ {$EventTime = strptime($1, '%Y-%m-%d%t%H:%M:%S');} </Input> <Output out1> Module om_udp Host 192.168.1.10 Port 12201 OutputType GELF </Output> <Output out2> Module om_udp Host 192.168.1.10 Port 12202 Exec $ShortMessage = $raw_event; OutputType GELF </Output> <Route 1> Path WinEventLog => out1 </Route> <Route 2> Path WinFirewallLog => out2 </Route>
So that Graylog can now receive the logs, you need to define a corresponding input:
UDP GELF
in the dropdown and click on Launch new inputWindowsClient_FirewallLogs
192.168.1.10
(from the <output>
in nxlog.conf)<output>
in nxlog.conf)Now Graylog is ready to receive the first logs. Because the test lab is using a CentOS for Graylog, it is also important to ensure that a corresponding port has been opened on the CentOS firewall.
Currently, the individual fields of the log line are displayed as a string in the Message field. However, this prevents Graylog from being used to analyze all fields. Graylog also comes with an extractor which can read the incoming logs, using GROK for instance, and write them to the corresponding fields in Graylog.
Graylog already offers a selection of GROK patterns. These need to be modified somewhat for the log lines of the Windows Firewall log, so that –
is sent as a placeholder for unpopulated values. This means that the minus sign is added to the GROK pattern that is used for the firewall log extractor.
In the Graylog web console, you can manage GROK patterns under System->GROK Patterns. To map all fields of the Windows Firewall log line with a GROK pattern, the following new GROK patterns were created on the basis of existing patterns.
Original GROK pattern | With minus sign | Name of the GROK pattern |
---|---|---|
INT | %{INT}|[-] | WINFIREWALL_INT |
WORD | %{WORD}|[-] | WINFIREWALL_WORD |
IP | (?:%{IPV6}|%{IPV4})|[-] | WINFIREWALL_IP |
Now you should be able to create the extractor:
%{DATESTAMP:UNWANTED} %{WINFIREWALL_WORD:action} %{WINFIREWALL_WORD:protocol} %{WINFIREWALL_IP:src-ip} %{WINFIREWALL_IP:dst-ip} %{WINFIREWALL_INT:src-port} %{WINFIREWALL_INT:dst-port} %{WINFIREWALL_INT:size} %{WINFIREWALL_INT:tcpflags} %{WINFIREWALL_INT:tcpsyn} %{WINFIREWALL_INT:tcpack} %{WINFIREWALL_INT:tcpwin} %{WINFIREWALL_INT:icmptype} %{WINFIREWALL_INT:icmpcode} %{WINFIREWALL_WORD:info} %{WINFIREWALL_WORD:path}
To avoid a possible off-set in the Graylog Message Timestamps, the Graylog time zone needs to be changed accordingly. In our case to CET
. The change needs to happen in a configuration file of Graylog, which can be found under /etc/graylog/server/server.conf
.
root_timezone = CET
After a restart of the Graylog service one can use all features of Graylog to analyse the fields of Windows Firewall log-lines.
In the context of a lab set-up you can quickly and easily create and operate central security log monitoring through the firewall logs of your own Windows population – as soon as you have worked out how to process logs in a useful format in Graylog. There may well be simpler or more efficient methods for the format problems present in Windows Firewall logs, but for an initial test this approach is certainly adequate. If you are planning something similar in a production environment, don’t forget hardening for both Graylog itself and its host.
You can find more information on security logging in our articles.
Our experts will get in contact with you!
Michael Schneider
Marisa Tschopp
Michèle Trebo
Andrea Covello
Our experts will get in contact with you!