Tag Archives: WLS

WLS 3.3 Released

New

  • Burn folder support for FileMonitor
  • FileData
    • Log file metadata for files found in command line parameters and event logs
  • Fixed (non-removable) disk monitoring
  • Load balancing
  • Network location awareness by joined domain
  • Optional host name set by DNS resolution
  • Optional alternate static host name
  • Monitoring UDF optical media changes
  • Support for non-FIPS hashing algorithms when FIPS mode is enabled
  • Suspended process checking (potential process hollowing)

Changes

  • Command line string handling
  • Database quota handling and maintenance
  • Error reporting
  • Event log extra data parsing
  • Event log XML parser
  • Installer
  • Network adapter reporting
  • New event log provider string resources (dynamic loading)
  • NewHash checking accuracy
  • Optimized syslog string generation
  • SessionMonitor reporting
    • All available session data logged for each session change event
    • Source IP address, optional source name (by resolution)
  • SQLite driver update
  • WMI reporting
    • Array handling
    • Nested WMI object support
    • Result count and index

Fixes

  • Database over quota issues
  • Drive monitor errors for unsupported file systems (HFS+, etc.)
  • Event log subsystem error detection
  • Potential WTS memory leak

For more information on WLS, click “WLS Information” at the top, or here: WLS Information

If you’d like additional information about WLS, send me a note via the contact form. WLS is currently available to US entities, but does require a signed license agreement.

WLS 3.2 Released

Performance

  • Replaced WMI calls with native API calls where applicable
  • Faster database maintenance procedures

Features

  • CPU utilization tracking and reporting
  • New process metadata
    • ConsoleProcessId
    • SessionId
    • WindowStation

Fixes

  • Disconnected client resource utilization
  • Additional handling of SEHExceptions
  • Errors for EventRecordIDs > int32.Max


WLS 3.1 Released

Performance

  • Over 10x increase in internal throughput
  • Reduced internal latency
  • Improved read/write concurrency
  • Reduced I/O writes

Features

  • Advanced log filtering
  • Detailed statistic logs of log filter matches
  • Certificate monitoring enhanced – all stores now available
  • Configuration hashing – ensure hosts are running the correct configuration
  • Enhanced CommandMonitor – Faster memory searches, includes process name, support for cmd, powershell, and more!
  • Detailed network interface logs on start-up and network change
  • Display names for coded values
  • ETL monitoring for Event Logs and files
  • Per server bandwidth and maximum log length settings
  • Full SSL connection details logged on first connection
  • Input rate limiting – prevent unexpected log floods
  • PrivateMBLimit – prevent WLS from consuming resources on a troubled system
  • SSDeep hashing
  • SessionMonitor – now includes all remote session details for RemoteConnect
  • User SID resolution to user name when present in log
  • Versioning changed – Major.Minor.[Year][DayOfYear].[MinuteOfDay]
  • Registry and file locations now restricted to Local System and Administrators


Finding vulnerable OpenSSL DLLs (Heartbleed) with WLS and Splunk

If you are running WLS with ModuleMonitor enabled, you already have logs of all loaded DLLs.

Simply run the following search:

WLS_ModuleMonitor "openssl" FileVersion="1.0.1*" NOT FileVersion="1.0.1g"

Results will look similar to:

2014-04-24T11:28:38-05:00 [host] WLS_ModuleMonitor: LogType="WindowsEventLog", BaseFileName="ssleay32.dll", ChangeType="Added", CompanyName="The OpenSSL Project, http://www.openssl.org/", FileDescription="OpenSSL Shared Library", FileName="C:\Program Files\MakerBot\MakerWare\ssleay32.dll", FileVersion="1.0.1e", InternalName="ssleay32", Language="English (United States)", Length="343040", MD5="A49B52FB216AD1524C902A41A433A1E1", Process="makerware", ProductVersion="1.0.1e", SHA1="F21CBCC5F291C1D841581FDBBBF854B315D71248", WLSKey="35505", Zone="0"



Decoding Event Log Provider Message IDs

When reviewing event logs in Event Viewer, the General tab shows event details in a human readable format, including displaying localized strings.

[Screenshot: Event Viewer General tab]

However, when viewing the log on the Details tab in Friendly or XML view some of this “decoding” is not performed.

[Screenshots: Details tab in Friendly view and in XML view]

The Problem

WLS uses the XML version of the logs, so these same codes were passed along instead of the localized strings. For many logs this was acceptable, since it was fairly easy to find the code in question and its corresponding value. While exploring this further (at a customer's request), I found that for some logs these values can change by host and by version of the software generating the logs, since they depend on the message files that software provides. This made my previous plan of using static lookup tables infeasible.

The Solution

The files that contain localized event log messages are identified for each event source in the registry at HKLM\SYSTEM\CurrentControlSet\services\eventlog\$logname$\$channel$. For example, Security log message files are identified at:

HKLM\SYSTEM\CurrentControlSet\services\eventlog\Security\Security

[Screenshot: registry ParameterMessageFile value for the Security event log]

If you open the file identified as the ParameterMessageFile in a resource viewer, you'll see a message table for each language code with a list of message IDs and values.

[Screenshot: message table resource shown in the resource viewer]

Now that we have the message IDs and the file to decode them with, decoding is a single call to FormatMessage, which expects a handle to the message file and a message ID. The message file is loaded as a data file with LoadLibraryEx (so it is mapped without running any code it contains), and the returned handle and the message ID are passed to FormatMessage. If the call succeeds, the string buffer contains the message.

WLS performs the above actions if DecodeProviderString is enabled. A new field will be created with the decoded value, or if ReplaceProviderString is enabled, the original field value will be replaced with the decoded value.

Example

Field added:

[host] Security: LogType="WLS", BaseFileName="audiodg.exe", Channel="Security", CompanyName="Microsoft Corporation", Computer="[host].[domain]", CreatorProcessName="svchost", EventID="4688", EventRecordID="11668699", ExecutionProcessID="4", ExecutionThreadID="56", FileDescription="Windows Audio Device Graph Isolation", FileVersion="6.1.7600.16385 (win7_rtm.090713-1255)", InternalName="audioadg.exe", Keywords="0x8020000000000000", Language="English (United States)", Length="126464", Level="0", MD5="D5CCA1453B98A5801E6D5FF0FF89DC6C", NewProcessId="0x3188", NewProcessName="C:\Windows\System32\audiodg.exe", Opcode="0", ProcessId="0x214", ProductVersion="6.1.7600.16385", ProviderGuid="{54849625-5478-4994-A5BA-3E3B0328C30D}", ProviderName="Microsoft-Windows-Security-Auditing", SHA1="F033FD30AACD0183BFC30861891A92B56AC2468B", Signed="Catalog", SubjectDomainName="NT AUTHORITY", SubjectLogonId="0x3e5", SubjectUserName="LOCAL SERVICE", SubjectUserSid="S-1-5-19", Task="13312", TokenElevationType="%%1936", TokenElevationTypeValue="TokenElevationTypeDefault (1)", ValidSignatureDate="False", Version="0", Zone="0"

Value replaced:

[host] Security: LogType="WLS", BaseFileName="audiodg.exe", Channel="Security", CompanyName="Microsoft Corporation", Computer="[host].[domain]", CreatorProcessName="svchost", EventID="4688", EventRecordID="11668699", ExecutionProcessID="4", ExecutionThreadID="56", FileDescription="Windows Audio Device Graph Isolation", FileVersion="6.1.7600.16385 (win7_rtm.090713-1255)", InternalName="audioadg.exe", Keywords="0x8020000000000000", Language="English (United States)", Length="126464", Level="0", MD5="D5CCA1453B98A5801E6D5FF0FF89DC6C", NewProcessId="0x3188", NewProcessName="C:\Windows\System32\audiodg.exe", Opcode="0", ProcessId="0x214", ProductVersion="6.1.7600.16385", ProviderGuid="{54849625-5478-4994-A5BA-3E3B0328C30D}", ProviderName="Microsoft-Windows-Security-Auditing", SHA1="F033FD30AACD0183BFC30861891A92B56AC2468B", Signed="Catalog", SubjectDomainName="NT AUTHORITY", SubjectLogonId="0x3e5", SubjectUserName="LOCAL SERVICE", SubjectUserSid="S-1-5-19", Task="13312", TokenElevationType="TokenElevationTypeDefault (1)", ValidSignatureDate="False", Version="0", Zone="0"
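As an added example (not WLS's own code), here is the LoadLibraryEx/FormatMessage sequence described above done from PowerShell: it reads the ParameterMessageFile for a log/source subkey from the registry, loads it as a data file, and decodes a %%-coded value such as the TokenElevationType="%%1936" in the 4688 event above. The function names and the P/Invoke wrapper are mine; the Win32 constants are the documented values.

```powershell
# Added example, not WLS's own code: decode a %%-coded field the way the post
# describes. Reads the ParameterMessageFile for the given log/source subkey,
# loads it as a data file (no DllMain runs) and calls FormatMessage with the ID.
Add-Type -Namespace Win32 -Name MsgFile -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr LoadLibraryEx(string lpFileName, IntPtr hFile, uint dwFlags);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool FreeLibrary(IntPtr hModule);

[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint FormatMessage(uint dwFlags, IntPtr lpSource, uint dwMessageId,
    uint dwLanguageId, System.Text.StringBuilder lpBuffer, uint nSize, IntPtr Arguments);
'@

$LOAD_LIBRARY_AS_DATAFILE      = 0x00000002
$FORMAT_MESSAGE_FROM_HMODULE   = 0x00000800
$FORMAT_MESSAGE_IGNORE_INSERTS = 0x00000200   # leave %1-style inserts untouched

function Get-ParameterMessageFile {
    # Second level is the event source; the post calls it $channel$ (Security\Security)
    param([string]$LogName = 'Security', [string]$Source = 'Security')
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\$LogName\$Source"
    $raw = (Get-ItemProperty -Path $key -Name ParameterMessageFile).ParameterMessageFile
    # The value is usually REG_EXPAND_SZ (%SystemRoot%\...), so expand it
    [Environment]::ExpandEnvironmentVariables($raw)
}

function ConvertFrom-ProviderMessageId {
    param([Parameter(Mandatory)][string]$Value, [Parameter(Mandatory)][string]$MessageFile)
    # Only %%NNNN values are message IDs; anything else is returned unchanged
    if ($Value -notmatch '^%%(\d+)$') { return $Value }
    $id = [uint32]$Matches[1]
    $h = [Win32.MsgFile]::LoadLibraryEx($MessageFile, [IntPtr]::Zero, $LOAD_LIBRARY_AS_DATAFILE)
    if ($h -eq [IntPtr]::Zero) {
        throw "LoadLibraryEx($MessageFile) failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        $buf = New-Object System.Text.StringBuilder 1024
        $n = [Win32.MsgFile]::FormatMessage(
            ($FORMAT_MESSAGE_FROM_HMODULE -bor $FORMAT_MESSAGE_IGNORE_INSERTS),
            $h, $id, 0, $buf, $buf.Capacity, [IntPtr]::Zero)
        # ID missing from this file: keep the raw value rather than emitting a blank
        if ($n -eq 0) { return $Value }
        return $buf.ToString().Trim()
    } finally {
        [void][Win32.MsgFile]::FreeLibrary($h)
    }
}

# Decode the TokenElevationType value from the 4688 example above
$file = Get-ParameterMessageFile -LogName Security -Source Security
ConvertFrom-ProviderMessageId -Value '%%1936' -MessageFile $file
```

Because the message file is chosen from the host's own registry, running this on different hosts or OS versions shows the per-host variation the post describes.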



WLS 3.0.0.58 Released

WLS 3.0.0.58 has been released!

New Features

Database alternate location

An alternate DB location can now be specified.

Decoding for provider message IDs

Some Vista+ logs contain values that start with %%. These can now optionally be decoded and either added as a new field or used to replace the %% value.

Disk space limits

A minimum disk space may now be specified, and if the disk space falls below the threshold, WLS will stop queuing logs and send a notification directly to the syslog server. Normal behavior will resume when disk space returns above the threshold.

Enhanced network interface logs

Logging of network interfaces on start-up and after a network change now includes more data about each adapter.

Legacy log parsing

XP logs can now optionally include the remaining log data after all replacement strings have been parsed.

MemberName resolution

When a user is added to or removed from a group, the log did not always contain the user name. Now, when a log contains MemberSid but not MemberName, WLS will fill in MemberName.

Workstation IP resolution

Disabling workstation IP resolution for logs containing WorkstationName is now an option.

Improvements

CommandMonitor

CommandMonitor now includes the user name associated with each command.

DebugMode

When debugging interactively, output now includes greater detail.

JSON

JSON output has been improved.

Rewritten log parsers and db caching

Faster parsers for XP and Vista+. Higher concurrency log processing through the caching database.

SessionMonitor

SessionMonitor now caches information where applicable to maintain user tracking.



WLS 3.0.0.57 Released

WLS 3.0.0.57 has been released!

New Features:

Command Monitor

As detailed in a previous post, commands entered at the command prompt are now monitored and reported along with the cmd.exe process ID. This includes tracking the last command added and the last command displayed; if command prompt processes already exist when WLS starts, all of their existing commands are logged first, and later commands are logged as they change.

Drive Monitor

Monitors removable drive file system changes; monitors fixed disk file system changes by interface type (1394, IDE, SCSI, USB); optionally logs the interactive user.

Licensing

License information must now be entered for WLS to run.

Log Backfill

When enabled, Event Logs generated while WLS was not running (OS startup, shutdown, etc.) will be processed on WLS startup. On the first run, no logs are backfilled.

Session Monitor

When running as a service as LocalSystem (normal operation), user session changes will be logged. The logs will be tagged with WLS_SessionMonitor and include the session ID and associated user. This includes ConsoleConnect, ConsoleDisconnect, RemoteConnect, RemoteDisconnect, SessionLock, SessionLogoff, SessionLogon, SessionRemoteControl, and SessionUnlock.

Signed Binary Detection

Signed binary detection by catalog. Previously files were only checked for an embedded signature; now if a file’s hash is included in a signature catalog, the Signed flag will be set to Catalog. Signed flag options are now Catalog, False, True.


USB Device Tracking with WLS and Splunk

WLS provides the option to monitor plug and play devices. When enabled, a log will be generated for each state change containing the current state and detailed device information.

Enabling Device Monitoring

If WLS is already installed, device monitoring can be enabled by changing the registry value at HKLM\Software\KCP\WLS\Config\DeviceMonitor\Enabled from 0 to 1.

[Screenshot: DeviceMonitor Enabled registry value]

If WLS hasn’t been installed, adding (or changing) the DeviceMonitor section and setting Enabled to 1 in the initial.xml will enable this feature when WLS is installed.

<WLS>
 <Config>
  <DeviceMonitor>
   <Enabled>1</Enabled>
  </DeviceMonitor>
 </Config>
</WLS>

Reading the logs

Once device monitoring is enabled, entries like the following will appear in your logs whenever a device's state changes. Each entry should include at least one key/value pair (DeviceID or PNPDeviceID) containing the vendor id (VID), product id (PID), and serial number, as well as another (CompatibleID) containing the Class, SubClass, and Protocol.

Device added

Sep 18 15:15:46 [host] WLS_DeviceMonitor: LogType="WindowsEventLog", Caption="USB Mass Storage Device", ChangeType="Added", ClassGuid="{36fc9e60-c465-11cf-8056-444553540000}", CompatibleID="USB\Class_08&SubClass_06&Prot_50", CompatibleID1="USB\Class_08&SubClass_06", CompatibleID2="USB\Class_08", ConfigManagerErrorCode="0", ConfigManagerUserConfig="False", CreationClassName="Win32_PnPEntity", Description="USB Mass Storage Device", DeviceID="USB\VID_1043&PID_8012604261021070038", HardwareID="USB\VID_1043&PID_8012&REV_0100", HardwareID1="USB\VID_1043&PID_8012", Manufacturer="Compatible USB storage device", Name="USB Mass Storage Device", PNPDeviceID="USB\VID_1043&PID_8012604261021070038", Service="USBSTOR", Status="OK", SystemCreationClassName="Win32_ComputerSystem", SystemName="[host]", TIME_CREATED="130240089461584098", WLSKey="23559"

Device removed

Sep 18 15:16:01 [host] WLS_DeviceMonitor: LogType="WindowsEventLog", Caption="USB Mass Storage Device", ChangeType="Removed", ClassGuid="{36fc9e60-c465-11cf-8056-444553540000}", CompatibleID="USB\Class_08&SubClass_06&Prot_50", CompatibleID1="USB\Class_08&SubClass_06", CompatibleID2="USB\Class_08", ConfigManagerErrorCode="0", ConfigManagerUserConfig="False", CreationClassName="Win32_PnPEntity", Description="USB Mass Storage Device", DeviceID="USB\VID_1043&PID_8012604261021070038", HardwareID="USB\VID_1043&PID_8012&REV_0100", HardwareID1="USB\VID_1043&PID_8012", Manufacturer="Compatible USB storage device", Name="USB Mass Storage Device", PNPDeviceID="USB\VID_1043&PID_8012604261021070038", Service="USBSTOR", Status="OK", SystemCreationClassName="Win32_ComputerSystem", SystemName="[host]", TIME_CREATED="130240089617443014", WLSKey="23569"

Device error

If the device fails to load properly, the Status field will be set to Error instead of OK.

Sep 18 15:15:45 [host] WLS_DeviceMonitor: LogType="WindowsEventLog", Caption="USB Mass Storage Device", ChangeType="Added", ClassGuid="{36fc9e60-c465-11cf-8056-444553540000}", CompatibleID="USB\Class_08&SubClass_06&Prot_50", CompatibleID1="USB\Class_08&SubClass_06", CompatibleID2="USB\Class_08", ConfigManagerErrorCode="0", ConfigManagerUserConfig="False", CreationClassName="Win32_PnPEntity", Description="USB Mass Storage Device", DeviceID="USB\VID_1043&PID_8012604261021070038", HardwareID="USB\VID_1043&PID_8012&REV_0100", HardwareID1="USB\VID_1043&PID_8012", Manufacturer="Compatible USB storage device", Name="USB Mass Storage Device", PNPDeviceID="USB\VID_1043&PID_8012604261021070038", Service="USBSTOR", Status="Error", SystemCreationClassName="Win32_ComputerSystem", SystemName="[host]", TIME_CREATED="130240089461584098", WLSKey="23558"

Add more data!

Splunk is great for combining data from multiple sources; in this case, lookup data will be added to decode the VID, PID, Class, SubClass, and Protocol.

The best place (I’m aware of) to get VID and PID information is http://www.linux-usb.org/usb-ids.html. Download the usb.ids file, work some spreadsheet magic, and you have a nice csv file for a Splunk lookup table.

Getting the Class, SubClass, and Protocol information isn’t quite as straightforward; I started here: http://www.usb.org/developers/defined_class and generated a csv file for another Splunk lookup table. Luckily these don’t change as often as VID and PID information.

Add these csv files to Splunk by going to “Lookups” in the Splunk Manager page, then choosing “Add new” on the “Lookup table files” line.

Both lookup tables are available to download at the end of this post.

Extracting lookup data

Now that the lookup tables exist, the values to look up need to be extracted from the source logs. I created two macros: one to extract and look up the hardware manufacturer and model, another to extract and look up the class, subclass, and protocol. Both macros split a single field into parts and look up the individual parts. I assumed that a new PID may exist for an existing VID and that the new PID may not be in the lookup table, so a double lookup is performed and the first non-null value is returned.

Extract and lookup VID and PID

eval DeviceModelData=split(HardwareID,"\\")
| eval USBModelData=split(mvindex(DeviceModelData,1),"&")
| eval USBMfr=mvindex(USBModelData,0) | eval USBModel=mvindex(USBModelData,1)
| eval USBInterfaces=mvindex(USBModelData,2)
| lookup USBIDS Mfr as USBMfr Model as USBModel OUTPUT MfrName as USBMfrName ModelName as USBModelName
| lookup USBIDS Mfr as USBMfr OUTPUT MfrName as USBMfrName1
| eval USBMfrName=mvindex(coalesce(USBMfrName,USBMfrName1),0)
| eval USBMfrName=coalesce(USBMfrName,USBMfr)
| eval USBModelName=coalesce(USBModelName,USBModel)

Extract and lookup Class, SubClass, and Protocol

eval DeviceData=split(CompatibleID,"\\")
| eval USBData=split(mvindex(DeviceData,1),"&")
| eval USBClass=mvindex(split(mvindex(USBData,0),"_"),1)
| strcat "Class_" USBClass USBClass
| eval USBSubClass=mvindex(USBData,1)
| eval USBProtocol=mvindex(USBData,2)
| lookup USBSpec Class as USBClass SubClass as USBSubClass Protocol as USBProtocol OUTPUT ProtocolDescription as ProtocolDescription2
| lookup USBSpec Class as USBClass SubClass as USBSubClass OUTPUT SubClassDescription as SubClassDescription1,ProtocolDescription as ProtocolDescription1
| lookup USBSpec Class as USBClass OUTPUT ClassDescription,SubClassDescription,ProtocolDescription
| eval ClassDescription=mvindex(ClassDescription,0)
| eval SubClassDescription=mvindex(coalesce(SubClassDescription1,SubClassDescription),0)
| eval ProtocolDescription=coalesce(ProtocolDescription2,ProtocolDescription1,ProtocolDescription)
| strcat ClassDescription " " SubClassDescription " " ProtocolDescription FullUSBDescription
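As an added example (not the post's or WLS's own code), the same split-and-fall-back logic as the two macros above, in PowerShell, for checking a single DeviceMonitor line outside Splunk. The function names are mine, and the lookup rows and the sample line are constructed for the example, not the usb.ids or usb.org tables.

```powershell
# Added example, not WLS's or the post's own code: the same extraction and
# fallback lookups as the two Splunk macros, in PowerShell over one WLS
# DeviceMonitor line. Lookup rows are constructed samples, not full tables.
function ConvertFrom-WlsLine {
    param([Parameter(Mandatory)][string]$Line)
    # WLS lines are a syslog prefix followed by Key="value", Key="value", ...
    $fields = @{}
    foreach ($m in [regex]::Matches($Line, '(\w+)="([^"]*)"')) {
        $fields[$m.Groups[1].Value] = $m.Groups[2].Value
    }
    return $fields
}

# Constructed sample rows (VID 1043 known; PID 8012 deliberately absent so the
# "new PID for an existing VID" fallback from the post is exercised)
$UsbIds = @{ '1043' = @{ Name = 'ASUSTek Computer, Inc.'; Models = @{} } }
# Constructed sample rows in the shape of the usb.org class-code list
$UsbSpec = @{
    '08' = @{ Name = 'Mass Storage'; Sub = @{
        '06' = @{ Name = 'SCSI transparent command set'; Prot = @{ '50' = 'Bulk-Only Transport' } }
    } }
}

function Resolve-UsbDevice {
    param([Parameter(Mandatory)][hashtable]$Fields)
    # HardwareID is USB\VID_xxxx&PID_xxxx&REV_xxxx: split on "\", then "&", then "_"
    $hw = ($Fields.HardwareID -split '\\')[1] -split '&'
    $vendorId  = ($hw[0] -split '_')[1]
    $productId = ($hw[1] -split '_')[1]
    # CompatibleID is USB\Class_xx&SubClass_xx&Prot_xx
    $ci = ($Fields.CompatibleID -split '\\')[1] -split '&'
    $cls  = ($ci[0] -split '_')[1]
    $sub  = ($ci[1] -split '_')[1]
    $prot = ($ci[2] -split '_')[1]
    # PnP instance IDs are enumerator\device\instance; for USB the instance is the serial
    $serial = ($Fields.DeviceID -split '\\')[-1]

    # Double lookup with fallback, as in the post: model, then vendor only, else raw value
    $vendor    = $UsbIds[$vendorId]
    $mfrName   = if ($vendor) { $vendor.Name } else { $vendorId }
    $modelName = if ($vendor -and $vendor.Models[$productId]) { $vendor.Models[$productId] } else { $productId }

    # Class > SubClass > Protocol, each falling back to its raw code when unknown
    $c = $UsbSpec[$cls]
    $s = if ($c) { $c.Sub[$sub] }
    $p = if ($s) { $s.Prot[$prot] }
    $classDesc = if ($c) { $c.Name } else { $cls }
    $subDesc   = if ($s) { $s.Name } else { $sub }
    $protDesc  = if ($p) { $p } else { $prot }

    [pscustomobject]@{
        Host = $Fields.SystemName; ChangeType = $Fields.ChangeType; Status = $Fields.Status
        VID = $vendorId; PID = $productId; Serial = $serial
        Manufacturer = $mfrName; Model = $modelName
        FullUSBDescription = "$classDesc $subDesc $protDesc"
    }
}

# Constructed sample line in the same shape as the DeviceMonitor entries above
$sample = 'Sep 18 15:15:46 lab-pc WLS_DeviceMonitor: LogType="WindowsEventLog", ChangeType="Added", ' +
          'CompatibleID="USB\Class_08&SubClass_06&Prot_50", DeviceID="USB\VID_1043&PID_8012\604261021070038", ' +
          'HardwareID="USB\VID_1043&PID_8012&REV_0100", Status="OK", SystemName="lab-pc"'
Resolve-UsbDevice -Fields (ConvertFrom-WlsLine -Line $sample) | Format-List
```

With the sample rows, Manufacturer decodes while Model falls back to the raw PID, which is exactly the case the double lookup in the macro is there to handle.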

Combined Result

With all the information combined, it's time to make a dashboard. I created one that displays each class in its own titled section for readability. If the lookups are able to decode the VID, PID, SubClass, and Protocol, the decoded value is shown; otherwise the original undecoded value is shown.

[Screenshot: Devices dashboard]

When deployed enterprise-wide, these logs make it possible to uniquely track any plug and play hardware across all systems and users. The PID, VID, and serial number can be used to identify new and potentially unwanted devices. Combined with a process to issue hardware from a central location, the issuer can register the device and the end user. This reduces noise and false-positive alerts and provides user accountability for a specific device. A word of caution: I have seen serial numbers reused en masse.

Here are the lookup tables I’m currently using, they may be out of date. They are renamed to .xls files so WordPress would let me upload them; rename to .csv after downloading.

USBIDS
USBSpec

Have other ideas for using the data WLS provides, or data you’d like to have logged? Let me know in the comments below or via the contact form.
