NLS for auditing

WillemDH
Posts: 2320
Joined: Wed Mar 20, 2013 5:49 am
Location: Ghent

Post by WillemDH »

Hello,

I've been expanding my Windows Server audit script and changed it a bit. The custom PS object which contains all the server information is converted to JSON and I'm sending it to NLS. The problem is that some fields have an array of objects in them, giving results like these in a field (DNS cache):

Code:

{"Name":" urladdress01","Section":" Answer","TTL":" 14","Type":" 1","Length":" 4","HostRecord":" 77.77.17.68"}, {"Name":" urladdress02","Section":" Answer","TTL":" 594","Type":" 1","Length":" 4","HostRecord":" 77.77.98.45"}, {"Name":" urladdress03","Section":" Answer","TTL":" 14","Type":" 1","Length":" 4","HostRecord":" 77.77.17.133"}
Or installed software:

Code:

{"ComputerName":"server1","Name":"7-Zip 9.20 (x64 edition)","Publisher":"Igor Pavlov","InstallDate":"20150331","EstimatedSize":4.5,"Version":"9.20.00.0","Wow6432Node":null}, {"ComputerName":"server1","Name":"VMware Tools","Publisher":"VMware, Inc.","InstallDate":"20141113","EstimatedSize":54.6,"Version":"9.0.12.35149","Wow6432Node":null}, {"ComputerName":"server1","Name":"Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161","Publisher":"Microsoft Corporation","InstallDate":"20141113","EstimatedSize":13.2,"Version":"9.0.30729.6161","Wow6432Node":null}, {"ComputerName":"server1","Name":"NSClient++ (x64)","Publisher":"MySolutions NORDIC","InstallDate":"20150202","EstimatedSize":60.9,"Version":"0.4.3.127","Wow6432Node":null}
Same for service and process information.

Any tip on what would be the best way to handle something like this in NLS? Most of the fields which contain one value are very nicely imported. I created a Reactor event chain for it and I'm planning to run it every day on all our Windows servers, effectively creating a daily audit in NLS for each server. I'm just looking for a better way to import the installed software and dnscacheobjects and show them. I had no experience with arrays in a field. I was thinking of making a separate JSON export for each installed software, but I'm not sure there isn't a better way to handle it, as I'd prefer to keep the installed software in the same export as the other audit info.

EDIT:
Things that popped up were:
1) Send a separate JSON for each element in the array, for example for each installed software => This would create a lot of NLS log entries for each audit
2) Create a field in PS starting with the name of the software and send that to NLS, for example installed_software_7-zip_version, installed_software_nsclient_version, same for size, installdate etc. => This would create a massive amount of fields though
3) Leave the json array in the field as it is

Grtz

Willem
Nagios XI 5.8.1
https://outsideit.net
jolson
Attack Rabbit
Posts: 2560
Joined: Thu Feb 12, 2015 12:40 pm


Post by jolson »

For the sake of example, let's say you have a logline that looks like this:

Code:

"Name":"/some/url","Section":" Answer","TTL":" 14","Type":" 1","Length":" 4","HostRecord":" 77.77.17.68", "Name":"/some/url","Section":" Answer","TTL":" 14","Type":" 1","Length":" 4","HostRecord":" 77.77.17.68"
A quick filter to match the above log might look something like this:

Code:

.*\"Name\":\"%{URIPATH:Name}\",\"Section\":\" %{WORD:Section}\",\"TTL\":\" %{NUMBER:TTL:int}\",\"Type\":\" %{NUMBER:Type:int}\",\"Length\":\" %{NUMBER:Length}\",\"HostRecord\":\" %{IP:HostRecord}\"
Which matches:

FIELD       VALUE
Name        /some/url
Length      4
HostRecord  77.77.17.68
Section     Answer
TTL         14
Type        1
I asked around and couldn't find a way to make the above pattern repeat, so I looked at the filter library and came across the 'kv' filter: https://www.elastic.co/guide/en/logstas ... ield_split

I generated the following filter configuration:

Code:

  kv {
    trim => "\"\ "          # strip " and space from the start/end of each value
    trimkey => "\"\ "       # same for each key
    field_split => ","      # one key/value pair per comma-separated piece
    value_split => ":"      # key left of the ':', value right of it
  }
[attached screenshot: Instance Configuration, 2015-06-09]
Picture related.

This filter will strip out spaces and " characters, and assign each value to a field based on the resulting FIELD:value combination. I got this working on my Log Server and the result is as follows:
[attached screenshot: Dashboard, 2015-06-09]
I figure you could incorporate the 'kv' filter wherever it might be appropriate, since it's good at matching log lines of which there could be one or more.
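As an added illustration (not part of jolson's post and not Log Server or Logstash code), a small Python re-implementation of the posted kv configuration run over the two-entry line Willem asked about, showing how a repeated key collects both values and how the i-th values can be re-paired into the original DNS cache objects:

```python
# Constructed input: the two-entry line from the thread, as posted
SAMPLE = ('"Name":"/some/url1","Section":" Answer","TTL":" 14","Type":" 1",'
          '"Length":" 4","HostRecord":" 77.77.17.68", '
          '"Name":"/some/url2","Section":" Answer","TTL":" 14","Type":" 1",'
          '"Length":" 4","HostRecord":" 77.77.17.69"')

def kv_parse(line, field_split=",", value_split=":", trim='" '):
    """Mirror of the posted kv config: split on field_split, then each piece
    on the FIRST value_split, strip the trim characters from key and value.
    A key seen again collects its values into a list, which is why the second
    DNS cache object is not lost (this mimics the config, not Logstash's code)."""
    fields = {}
    for piece in line.split(field_split):
        if value_split not in piece:
            continue                        # no key:value here, skip it
        key, value = piece.split(value_split, 1)
        key, value = key.strip(trim), value.strip(trim)
        if not key:
            continue
        if key not in fields:
            fields[key] = value
        elif isinstance(fields[key], list):
            fields[key].append(value)
        else:
            fields[key] = [fields[key], value]
    return fields

def records_from_fields(fields):
    """Re-pair the i-th value of every key into the i-th original object.
    Only valid when every object carried every key: a missing key (e.g. a
    dropped null) shifts all later values by one, so the counts are checked."""
    sizes = {len(v) if isinstance(v, list) else 1 for v in fields.values()}
    if len(sizes) != 1:
        raise ValueError(f"uneven value counts per key: {sorted(sizes)}")
    n = sizes.pop()
    return [{k: (v[i] if isinstance(v, list) else v) for k, v in fields.items()}
            for i in range(n)]
```

Note that the installed-software sample earlier in the thread contains the value "VMware, Inc.", which a field_split of "," cuts in two; values that can contain the split character need a different separator or a quoting-aware parser.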
WillemDH

Post by WillemDH »

I'll definitely look into this. Thanks for the suggestion. But I'm only seeing one of the entries parsed in your example?

What if the example was:

Code:

"Name":"/some/url1","Section":" Answer","TTL":" 14","Type":" 1","Length":" 4","HostRecord":" 77.77.17.68", "Name":"/some/url2","Section":" Answer","TTL":" 14","Type":" 1","Length":" 4","HostRecord":" 77.77.17.69"
Where Name etc. have different values. I don't have access to my NLS at the moment, otherwise I would have tested it. What happens to the second dnscacheobject or the second installedsoftware? I'm guessing you can only have one field name? The problem is also that it is unknown how many installed software entries etc. there are.

Grtz
jolson

Post by jolson »

I sent the following to my NLS cluster:

Code:

"Name":"/some/url1","Section":" Answer","TTL":" 14","Type":" 1","Length":" 4","HostRecord":" 77.77.17.68", "Name":"/some/url2","Section":" Answer","TTL":" 14","Type":" 1","Length":" 4","HostRecord":" 77.77.17.69"
Which resulted in:
[attached screenshot: Dashboard, 2015-06-09]
Will the above result work for you? The 'kv' filter recommended will match any number of log lines following the defined format.
WillemDH

Post by WillemDH »

Aaah yes, that seems better. Thanks for the update. I'll re-release my audit script as soon as I have it completely cleaned up and tested. I'm not saying this about a lot of my own scripts, but it's getting truly awesome. 8-)
jolson

Post by jolson »

Sounds good, I look forward to it. :geek:
WillemDH

Post by WillemDH »

I did not yet get around to testing your proposal. Still working on too many other things. But I was thinking a bit more about ways to capture an array of elements. Let's take the Windows services as an example for now.

So I have a PS custom object that I will use to store all the info, which will later be converted to json.

Code:

# Entries initialised with @() are the array-valued sections (services, shares,
# software, DNS cache, hosts entries) that end up as arrays of objects in the JSON.
$AuditStruct = New-Object PSObject -Property @{
    startdatetime = (Get-Date -Format 'yyyy/MM/dd HH:mm:ss');
    executer = ("$ENV:USERDOMAIN\$ENV:USERNAME");
    hostname = ([System.Net.Dns]::GetHostByName((hostname.exe)).HostName).ToLower();
    outputdate = (Get-Date -Format 'yyyyMMdd.HHmmss');
    exitcode = 3;
    pingtest = 0;
    wmitest = 0;
    eventlogtest = 0;
    hostversion = '';
    hostcaption = '';
    hostservicepackmajorversion = '';
    hostlastboot = '';
    hostsystemdirectory = '';
    hostdomainrole = '';
    hostsystemtype = '';
    hosttimezone = '';
    hostcurrentdomaincontroller = '';
    hostregistrycursize = '';
    hostregistrymaxsize = '';
    hostmanufacturer = '';
    hostmodel = '';
    hostphysicalmemory = '';
    hostassettag = '';
    hostserialnumber = '';
    hostprocessorname = '';
    hostprocessorspeed = '';
    hostprocessorvoltage = '';
    hostprocessorload = '';
    hostlogicaldisks = '';
    hostadapters = @();
    hostcurregsize = '';
    hostmaxregsize = '';
    hostprocessor = '';
    services = @();
    shareobjs = @();
    sharentfsobjs = @();
    installedsoftreg = @();
    softwareobjs = @();
    dnscacheobjs = @();
    hostentries = @();
    enddatetime = '';
    auditduration = ''
}
My idea was to create one field for each service name, of which you can see some results in the attached screenshot. For each service I don't only need the name, but also the state of the service and the startup type.

Code:

$AuditStruct.Services = Get-Service -ComputerName $AuditStruct.Hostname
foreach ($service in $AuditStruct.Services) {
    # Get-Service does not expose the startup type here, so fetch StartMode via WMI
    $StartupType = Get-WmiObject -Query "Select StartMode From Win32_Service Where Name='$($service.Name)'"
    # field-safe name: strip whitespace, lower-case
    $servicelower = ($service.Name -replace '\s','').ToLower()
    # one field per service, named winsvc_<servicename>
    $AuditStruct | Add-Member -Type NoteProperty -Name "winsvc_$servicelower" -Value $service.Name
}
So in order to also save the startup type and state, I would need to create three fields for each service: svc_<nameofservice>_name, svc_<nameofservice>_state and svc_<nameofservice>_startuptype.
Knowing this audit would only run once a day (to start with) on 600 servers, this could create quite some fields. Is there some limit to the amount of fields we can make? Would it slow down NLS? If I would use your option to store all the values in a comma separated list / array, it would be less easy to query and filter for servers which have specific services, as the list would be quite long? And I would not even know how to start querying servers which have service x with startup type y...?

EDIT: How would I make a query that is searching for logs where a certain field exists?

EDIT 2: Once a field is created, is it 'saved' 'forever', or does it disappear once the logs are deleted due to retention policy?

Grtz

Willem
jolson

Post by jolson »

> Is there some limit to the amount of fields we can make? Would it slow down NLS?

There is no limit that I'm aware of, and I could not find one.

> If I would use your option to store all the values in a comma separated list / array, it would be less easy to query and filter for servers which have specific services, as the list would be quite long? And I would not even know how to start querying servers which have service x with startup type y...?

You mean if all of the values are comma separated, it might look something like:

Code:

FIELD           VALUE
service         mstsc, iis, dhcpd, httpd, crond, etc
service_status  running, not running, running, etc

I can see querying for a particular service and its state being very difficult. I suggest making as many fields as you need.

> How would I make a query that is searching for logs where a certain field exists?

It should be as easy as filtering by field.
[attached screenshot: Dashboard, 2015-06-12]

> Once a field is created, is it 'saved' 'forever', or does it disappear once the logs are deleted due to retention policy?

If you're viewing logs in the dashboard, the associated fields will be pulled from the index/shards that store them. Otherwise, the fields will disappear. Fields are always going to be relative depending on the data that you're viewing.

Thanks!
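As an added example (constructed; not from the thread, Willem's script or Log Server), the per-service field layout from the two posts above worked through in Python: three fields per service as Willem describes, the strip-whitespace/lower-case normalisation of his snippet with an extra collision check, and the two queries he asked about (field exists; service x with startup type y). The function names and the sample audits are assumptions made for this example.

```python
import re

def field_name(service_name):
    """Willem's normalisation (strip whitespace, lower-case), plus one added
    step: any remaining non [a-z0-9_] character becomes '_' so the result is
    a plain field name rather than e.g. winsvc_nsclient++(x64)."""
    return re.sub(r"[^a-z0-9_]", "_", re.sub(r"\s", "", service_name).lower())

def flatten_services(audit):
    """Copy audit, replacing its 'services' array by three fields per service
    (svc_<name>_name / _state / _startuptype). Two services that normalise to
    the same field name would silently overwrite each other, so that raises."""
    out = {k: v for k, v in audit.items() if k != "services"}
    seen = {}
    for svc in audit["services"]:
        key = field_name(svc["name"])
        if key in seen and seen[key] != svc["name"]:
            raise ValueError(f"field collision: {svc['name']!r} vs {seen[key]!r}")
        seen[key] = svc["name"]
        out[f"svc_{key}_name"] = svc["name"]
        out[f"svc_{key}_state"] = svc["state"]
        out[f"svc_{key}_startuptype"] = svc["startuptype"]
    return out

def hosts_with_field(docs, field):
    """Hosts whose audit document carries the given field at all."""
    return sorted(d["hostname"] for d in docs if field in d)

def hosts_with_service(docs, service, startuptype=None, state=None):
    """Hosts that have service x, optionally with startup type y and/or state z."""
    key = field_name(service)
    return sorted(d["hostname"] for d in docs
                  if f"svc_{key}_name" in d
                  and startuptype in (None, d[f"svc_{key}_startuptype"])
                  and state in (None, d[f"svc_{key}_state"]))

# Constructed sample audits for two servers (not real data)
AUDITS = [
    {"hostname": "server1", "services": [
        {"name": "NSClient++ (x64)", "state": "Running", "startuptype": "Auto"},
        {"name": "Remote Registry", "state": "Stopped", "startuptype": "Manual"}]},
    {"hostname": "server2", "services": [
        {"name": "Remote Registry", "state": "Running", "startuptype": "Auto"}]},
]
DOCS = [flatten_services(a) for a in AUDITS]
```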
WillemDH

Post by WillemDH »

Thanks for this nice explanation and confirmation of what I was thinking. I'll update this thread if I have some more results.
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am


Post by tmcdonald »

Sounds good. If we don't hear from you in a week we'll send out a search party :)
Former Nagios employee