Final interim presentation_e07410014


A. M. T. N. De Silva

Supervised by Dr. Sameera de Alwis


Centralized Enterprise Syslog Manipulation Engine

BIT, 28/06/2010


Overview

• Introduction
• Aim and Objectives
• Current issues in System Log Manipulation
• Technology adapted
• CESM Engine for Secure Environment
• Design of CESM Engine
• Implementation of CESM Engine
• Evaluation
• Conclusion

Introduction


Background and Motivation

Any system in the world can fail or be attacked.

A lack of diagnostic data can lead to excessive downtime.

Securely logged data helps to investigate what went wrong.

Problem in brief

Decentralized system logs make audits, log backups and investigations harder.

High license cost of commercial System Log Manipulation suites.

Administrator-level privilege escalation allows attackers to destroy system logs, footprints and tracks.


Cont… Why the problem is worth addressing

Syslogs will show some evidence of intrusion activity and what went wrong. Syslogs are prime targets for attackers to cover their activities. Applications and devices log their messages and events differently.

Technology used: I suggest a Centralized Syslog Manipulation Engine based on Debian Linux, Apache, PHP, MySQL, hardware and networking technologies for an improved secure environment.

Aim and Objectives


Aim: The aim of this project is to develop a Centralized Enterprise Syslog Manipulation Engine which manipulates and secures Syslogs in enterprise environments on an extremely low budget, using PHP, HTML, MySQL, Debian Linux and hardware and networking technology.

Objectives:

• Study of the role of an Enterprise Syslog Manipulation Engine
• Study of technologies that can be used for a Syslog Manipulation Engine
• Design and development of an Enterprise Syslog Engine for manipulating and securing Syslogs
• Evaluation of the proposed Syslog Engine
• Preparation of final documentation

Current issues with System Log Manipulation


Existing Solutions

Commercial software suites:

• The number of hosts that can be used with the system is limited.
• May not fulfil company requirements completely.
• The software license cost is high.
• Availability of specialized underground exploits.

Manual system log manipulation:

• It is not updated accurately from day to day.
• All records are difficult to analyse at once.
• Cannot provide real-time log manipulation.
• Non-functional requirements such as reliability, performance, security etc. are very poorly met.

Cont…


Centralized Enterprise Syslog Manipulation Engine

• Real-time log manipulation.
• Can be used with multiple hosts and devices simultaneously.
• Easy to use and maintain.
• Zero software license cost.
• Fully customizable.
• Provides non-functional requirements such as reliability, performance, security, availability etc.

Technology adapted


What technologies are used for the Centralized Enterprise Syslog Manipulation Engine?

• Debian Linux with operating system hardening and customization technology.
• Database management technology with MySQL.
• Web technology with PHP and Apache HTTPD.
• Hardware and networking technology with manual hardware customization technology and physical security enhancing technology.

Why use LAMP tools (Linux, Apache, MySQL and PHP)?

• Freely available, easily configured and very robust.
• In a constant state of development and improvement, adding features suggested by a large user community.

Centralized Enterprise Syslog Manipulation Engine for Secure Environment


Users

System Administrators, Digital Forensics Investigators, Information Security Officers.

Input: Windows event logs, system logs, firewall logs and device logs.

Output: Syslog reports, intrusions, data tampering fingerprints, critical service failures and unusual system health conditions.

Cont… Process: Log correlation, fetching and importing into the MySQL database, generating reports, log sorting, intrusion detection with an external NOC (Network Operation Centre) and SOC (Secure Operation Centre).

Technology

PHP and HTML, Apache HTTPD, MySQL, Debian Linux, hardware and networking.

Features

Log correlation to a secure and safe place, centrality, log analysis, intrusion detection with NOC and SOC.


Design of CESM Engine

Top-level architecture of CESM Engine


Cont…

User Interface Module: This module allows users to interact with the CESM Engine. It interacts with the Database module and the Report Generating module.

Log Correlation Module: This module correlates event logs and system logs into the Syslog daemon. It interacts with the Database module.

Cont… Database Module: This module handles the whole database related to the CESM Engine; all information that has to be stored is the concern of this module. It interacts with the Report Generating module, the Log Correlation module and the User Interface module.

Report Generating Module: This module generates reports. It interacts directly with the Database module and the User Interface module.


Implementation of CESM Engine


The CESM Engine can be implemented as a standalone engine.

The minimal resource requirements for implementing the system are as follows.

Technical requirements, hardware configuration:

• Processor: Intel Core 2 Duo
• RAM: 1 GB
• Hard disk: 80 GB

Module implementation: The front end of the system is developed with the User Interface Module and Apache HTTPD.

Cont…


Log Correlation Module implementation: NT Syslog Windows agent, Syslog push configuration

Report Generating Module implementation: PHP report script

Database Module implementation: MySQL installation and configuration
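The process described under "Process" (log correlation, importing into the MySQL database, log sorting and report generation) and the module implementation above, as an added example in Python that is not code from the CESM project: it parses RFC 3164 syslog lines as a firewall or the Windows agent would push them, stores them in a table, and produces a sorted per-host report. The sample lines are constructed, in-memory SQLite stands in for MySQL, and the per-row SHA-256 hash chain (one way to produce the "data tampering fingerprint" the engine reports) is an assumption of this example, not a described feature of the engine.

```python
import hashlib
import re
import sqlite3
SYSLOG_RE = re.compile(  # RFC 3164 layout: <PRI>Mmm dd hh:mm:ss host tag[pid]: message
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>[^:\[\s]+)(?:\[\d+\])?: ?(?P<msg>.*)$")
# Constructed sample of lines as a firewall and the Windows agent would push them.
SAMPLE_LINES = [
    "<86>Jun 28 09:12:01 fw01 kernel: DROP IN=eth0 SRC=10.0.0.9 DST=10.0.0.1",
    "<34>Jun 28 09:12:05 winhost01 Security: Logon failure for user admin",
    "<34>Jun 28 09:12:09 winhost01 Security: Logon failure for user admin",
    "garbage line without a syslog header",
]

def parse_line(line):
    m = SYSLOG_RE.match(line)  # None for lines that are not valid syslog
    if not m:
        return None
    pri = int(m.group("pri"))  # PRI = facility * 8 + severity
    return {"facility": pri // 8, "severity": pri % 8, "ts": m.group("ts"),
            "host": m.group("host"), "tag": m.group("tag"), "msg": m.group("msg")}

def import_lines(lines, conn=None):
    """Import parseable lines; the chain hash (this example's addition) ties each row to the previous one."""
    conn = conn if conn is not None else sqlite3.connect(":memory:")  # SQLite stands in for MySQL
    conn.execute("CREATE TABLE IF NOT EXISTS syslog (id INTEGER PRIMARY KEY, facility INT, "
                 "severity INT, ts TEXT, host TEXT, tag TEXT, msg TEXT, raw TEXT, chain TEXT)")
    row = conn.execute("SELECT chain FROM syslog ORDER BY id DESC LIMIT 1").fetchone()
    prev = row[0] if row else "0" * 64
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # a real engine would count rejects rather than silently drop them
        prev = hashlib.sha256((prev + line).encode()).hexdigest()
        conn.execute("INSERT INTO syslog VALUES (NULL,?,?,?,?,?,?,?,?)",
                     (rec["facility"], rec["severity"], rec["ts"], rec["host"],
                      rec["tag"], rec["msg"], line, prev))
    conn.commit()
    return conn

def verify_chain(conn):  # False as soon as a stored row was edited or removed
    prev = "0" * 64
    for raw, chain in conn.execute("SELECT raw, chain FROM syslog ORDER BY id"):
        prev = hashlib.sha256((prev + raw).encode()).hexdigest()
        if prev != chain:
            return False
    return True

def report(conn, max_severity=3):  # per-host count of events at severity err (3) or worse
    return conn.execute("SELECT host, COUNT(*) FROM syslog WHERE severity <= ? "
                        "GROUP BY host ORDER BY 2 DESC, host", (max_severity,)).fetchall()
```

Removing only the newest row is not caught by the chain alone; keeping the latest chain value outside the engine (for example at the NOC) closes that gap.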

Cont…

Pre-login Page

Cont…


User Login Page

Cont…


After Login Page

Cont…


Report Page

Evaluation


The following tests are to be performed:

• Functionality testing
• Performance testing
• Usability testing
• Web interface security testing

Conclusion


This new system is the Centralized Enterprise Syslog Manipulation Engine. The CESM Engine is capable of manipulating and securing Syslogs on an extremely low budget. Further enhancements can be made to report generation. After creating the CESM Engine I will carry out the system validation and verification process.

Thank You
