Monthly Archives: July 2013

Configuring WLS – Server Configuration


This is what I intend to be the first of a series of posts on configuring WLS. Configuration before installation is done via the initial.xml file; post-installation configuration changes are made via the registry. The names and basic structure are the same in both.

The first and only required change to the initial.xml file is changing the “Network” section to match your environment. Also, only non-default settings need to be set; any missing settings will be set to defaults on start-up by WLS. The term Network was chosen instead of server since it defines a source network and where hosts that meet the definition should send their logs. Multiple networks can be defined, allowing for single configuration deployment across an enterprise and server redundancy in the event a server becomes unreachable for an extended period.

Global network settings

  • FailedSendTimeout: If ALL configured and qualified networks are out of range or connectivity attempts have failed, wait X seconds before retrying.
  • SendAsync: Use asynchronous sockets to send data.
  • SocketTimeout: If no data has been sent for X seconds, close the socket.

Per-instance network settings

  • The registry key name is how this will be referred to in the logs; name it appropriately.
  • AcceptInvalidCertificates: Accept expired certificates, non-matching domain names, etc.
  • ClientCertificate: Only applicable if UseSSL is enabled.
    • Blank: (default) No client certificate
    • UseLocal: Retrieve the client certificate from the local certificate store
    • File path to use a certificate on disk
  • IPRange: The IP range that the local host’s IP address MUST fall within to use this “network”
    • Any – Any IPv4 or IPv6 address
    • 0.0.0.0/0 – Any IPv4 address
    • ::/0 – Any IPv6 address
    • Valid CIDR
    • Min-max IP range
  • LogFormat
    • syslog (default)
    • json
  • Priority: If the host's IP address falls into multiple ranges, this determines the order in which they are tried. If multiple networks of the same priority qualify, alphabetical order is used.
  • Protocol
    • TCP (default)
    • UDP
  • ServerNameOrIP: The host name or IP address of the destination server
  • ServerPort: The port on the destination server
  • UseSSL: Use SSL when sending logs

Examples!

Example 1

I run a local Splunk instance for testing and want my logs sent to it regardless of my IP address. I’ll set the IPRange to “Any” to allow any IPv4 or IPv6 source address and define the local server configuration. That’s it; all other values are defaults.

<Network>
  <FailedSendTimeout>300</FailedSendTimeout>
  <SendAsync>1</SendAsync>
  <SocketTimeout>5</SocketTimeout>
  <LocalSplunk>
    <IPRange>Any</IPRange>
    <ServerNameOrIP>localhost</ServerNameOrIP>
    <ServerPort>514</ServerPort>
  </LocalSplunk>
</Network>

Example 2

I have a work laptop that, when used internally, should log directly to the log server without encryption; if it’s taken off-network, it should use an externally visible log server with SSL.

Note: If the laptop obtains an IP in the range defined by “Inside” while off the work network, it will only send data if that server is reachable and a connection succeeds; when that fails, it will fall back to the next range, “Outside”.

<Network>
  <FailedSendTimeout>300</FailedSendTimeout>
  <SendAsync>1</SendAsync>
  <SocketTimeout>5</SocketTimeout>
  <Inside>
    <IPRange>192.168.0.1/24</IPRange>
    <Priority>0</Priority>
    <ServerNameOrIP>MyInsideServer.domain.com</ServerNameOrIP>
    <ServerPort>514</ServerPort>
  </Inside>
  <Outside>
    <IPRange>Any</IPRange>
    <Priority>1</Priority>
    <ServerNameOrIP>MyOutsideServer.domain.com</ServerNameOrIP>
    <ServerPort>9514</ServerPort>
    <UseSSL>1</UseSSL>
  </Outside>
</Network>
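The selection rules above (the IPRange forms, Priority, and the alphabetical tie-break) and the two configurations, as an added Python example that is not WLS code: it parses a constructed Network section in the same layout and returns the order in which a host with a given address would try the defined networks. The defaults used for a missing IPRange (Any) or Priority (0) are assumptions; the post does not state them.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Global settings live beside the per-instance network elements; skip them.
GLOBAL_KEYS = {"FailedSendTimeout", "SendAsync", "SocketTimeout"}

# Constructed config: two priority-0 networks overlap, one catch-all at 1.
CONFIG = """<Network>
  <FailedSendTimeout>300</FailedSendTimeout>
  <Inside>
    <IPRange>192.168.0.0/24</IPRange>
    <Priority>0</Priority>
    <ServerNameOrIP>MyInsideServer.domain.com</ServerNameOrIP>
  </Inside>
  <Lab>
    <IPRange>192.168.0.10-192.168.0.20</IPRange>
    <Priority>0</Priority>
    <ServerNameOrIP>lab.domain.com</ServerNameOrIP>
  </Lab>
  <Outside>
    <IPRange>Any</IPRange>
    <Priority>1</Priority>
    <ServerNameOrIP>MyOutsideServer.domain.com</ServerNameOrIP>
  </Outside>
</Network>"""

def in_range(spec, ip):
    # Any, CIDR (0.0.0.0/0 and ::/0 included) or min-max, as the post lists.
    spec = spec.strip()
    if spec.lower() == "any":
        return True
    if "-" in spec:  # min-max form, e.g. 10.0.0.1-10.0.0.50
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return lo.version == ip.version and lo <= ip <= hi
    net = ipaddress.ip_network(spec, strict=False)
    return ip.version == net.version and ip in net

def candidate_networks(config_xml, host_ip):
    # Names of qualifying networks in the order WLS would try them:
    # ascending Priority, then alphabetical for equal priority.
    ip = ipaddress.ip_address(host_ip)
    matches = []
    for elem in ET.fromstring(config_xml):
        if elem.tag in GLOBAL_KEYS:
            continue
        if in_range(elem.findtext("IPRange", "Any"), ip):
            # Missing IPRange/Priority defaults are assumptions, not documented.
            matches.append((int(elem.findtext("Priority", "0")), elem.tag))
    return [name for _, name in sorted(matches)]
```

A host at 192.168.0.15 qualifies for Inside and Lab at the same priority, so Inside is tried first purely by name; an IPv6-only host never matches the IPv4 ranges and goes straight to Outside.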

New WLS features


Arbitrary tagging based on log content

You can now specify a tag and choose which field(s) to compare with a regular expression. If a match is found for any field, the tag will be added to the log entry.

Example:

Name                 Type    Data
AlternateDataStream  REG_SZ  BaseFileName;(:)
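How such a rule is applied, as an added Python example (not WLS code): it parses the `<field>;<regex>` value shown above and tags constructed log entries whose BaseFileName contains the ':' that separates an NTFS alternate data stream from its file. Comma-separated field names before the ';' is an assumption, since the post does not show the multi-field syntax.

```python
import re

# Constructed rule table mirroring the registry value in the post:
# tag AlternateDataStream when BaseFileName contains ':' (stream separator).
RULES = {"AlternateDataStream": "BaseFileName;(:)"}

def parse_rule(value):
    # Split once: everything after the first ';' is the regex and may
    # itself contain ';'. Comma-separated field list is an assumption.
    fields, regex = value.split(";", 1)
    return [f.strip() for f in fields.split(",")], re.compile(regex)

def apply_tags(entry, rules=RULES):
    # Return the tags whose regex matches any of the listed fields in entry.
    tags = []
    for tag, value in rules.items():
        fields, pattern = parse_rule(value)
        if any(pattern.search(str(entry.get(f, ""))) for f in fields):
            tags.append(tag)
    return tags

# Constructed sample entries (process-creation style records).
SAMPLE = [
    {"EventID": 4688, "BaseFileName": "report.docx:Zone.Identifier"},
    {"EventID": 4688, "BaseFileName": "notepad.exe"},
]
```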

Certificate Monitoring

Certificates for all logged in users will be reported for the certificate store(s) specified. This includes extensions, key usages, enhanced key usages, user-defined metadata, etc. Periodic checks for changes will report any new certificates based on thumbprint.

Drive Monitoring

The former “WatchDevices” has been split into DeviceMonitor and DriveMonitor. The new DriveMonitor will report drive changes and optionally report file system changes (create, delete, rename) for removable drives.

Port Monitoring with process association

The previous port monitor did not report the associated process; it now does.

The features above were implemented based on user feedback and trends I’ve noticed in recent malicious activity. Does your Windows logging tool provide all the data you need? If you are doing enterprise DFIR, why not have your hosts log the information you need before an incident occurs? If you’d like more information on WLS, use the Contact Me! form.