RSA NetWitness Platform Blog, posts by Leonard Chvilicek

Overview

This version now parses over 1,400 events from the devices; however, the parser does not parse the audit events generated in the "Administration-->Security" user interface.  Those events are handled by the Global Audit and Global Notification settings and are parsed by the CEF parser.  If you modified the "Security" settings on the individual device, however, that event is parsed by this parser.

This version was developed and tested on 10.6.2.0 using available log samples from 10.4.x through 10.6.2.0.

 

Improvements

  • New headers have been added to accommodate the log format change in 10.5.1 and above.
  • Logs from the Virtual Log Collector are now parsed, particularly Windows Collection errors.
  • Error/Failure logs are consolidated under the Event Category Name "System.Errors".
  • Puppet logs are parsed.
  • Collectd logs are parsed.
  • Added the "maxValues" modification from KB 00031300.
  • Custom Index reduced in size and maxValues adjusted accordingly.
  • Overall cleanup of some variable/index clutter.
  • Improved accuracy when parsing Query and Queue Times.
  • Duration added for Query Times; they are now converted to seconds under the "duration.time" metakey.

 

Contents

This package includes:

   • Custom Log Parser
   • Custom Index for Concentrator*
   • Custom Table Map*
   • Event Categories Spreadsheet

  

*I have revised the custom index and table map to reflect the new default settings in 10.6.2.  If you are using a version prior to 10.6, you may need to add some additional index keys to the custom index.

 

Parser Content

Content, such as reports and dashboards, that I have written for this parser will be published separately and links will be added here.  At the time of this writing, content for index operations, queries, cancelled queries, system errors, configuration changes, security changes, service restarts, and content updates for feeds/parsers is being tested on an enterprise system.  These will start appearing in the next few days.

 

Report: ValueMax Has Been Reached

 

Installation

Log Decoder

Remove the prior version of the parser

  1. SSH as "root" into each Log Decoder that has the prior version.
  2. Remove the old parser directory
    rm -r /etc/netwitness/ng/envision/etc/devices/rsasecurityanalytics/
    You should see the prompts like below:
    [root@logdecoder60 SA_Logs]# rm -r /etc/netwitness/ng/envision/etc/devices/rsasecurityanalytics/
    rm: descend into directory `/etc/netwitness/ng/envision/etc/devices/rsasecurityanalytics'? y
    rm: remove regular file `/etc/netwitness/ng/envision/etc/devices/rsasecurityanalytics/rsasecurityanalytics.ini'? y
    rm: remove regular file `/etc/netwitness/ng/envision/etc/devices/rsasecurityanalytics/rsasecurityanalyticsmsg.xml'? y
    rm: remove directory `/etc/netwitness/ng/envision/etc/devices/rsasecurityanalytics'? y

Download and unzip parser

  1. Download the parser file "rsasecurityanalytics_2.3.99.zip" from the bottom of this page.
  2. Unzip the file using WinZip or 7-Zip.
    The unzipped parser file will be named "rsasecurityanalytics.envision".

Upload the parser on the Log Decoder

  1. Log in to the Web Interface as "admin" or as a user who is a member of the "Administrators" role.
  2. Choose "Administration-->Services" from the navigation menu in the upper left corner of the screen.
  3. Locate the Log Decoder and click on the gear icon, located at the far right of the screen.
  4. Hover over "View", then click "Config".
  5. Click on the "Parsers" Tab.
  6. Click on the "Upload" icon in the upper left portion of the window.
  7. Click on the "+" in the upper left of the "Upload Parsers" dialog box.
  8. Navigate to the folder where the "rsasecurityanalytics.envision" is located and select it.  Click "Open"
  9. Click on "Upload"
  10. Click on the "X" in the upper right corner of the dialog box or click "Cancel"

Remove prior version custom table map entries

  1. On the same screen as above, click on the "Files" tab.
  2. On the left side of the screen click on the dropdown and select "table-map-custom.xml".
  3. Locate the section related to the custom table entries for the log parser typically labelled
    RSA Security Analytics Log Parser Revision 2.1.63 xx/xx/xx
  4. Remove that section.
  5. Replace with new table map entries from the table-map-custom.xml file.
  6. Click "Apply"

Load the new log parser and custom table map.

  1. On the same screen as above, click on "Config" just above the "App Rules" Tab.
  2. Click on "System"
  3. Click on "Stop Capture" at the top left of the screen.
  4. Wait for capture to stop.
  5. Click on "Shutdown Service" at the top center of the screen.
  6. On the "Confirm Shutdown" dialog, type "RSA Security Analytics Parser update"
  7. Click "OK"

Concentrator

Update The Concentrator Custom Index

  1. Log in to the Web Interface as "admin" or as a user who is a member of the "Administrators" role.
  2. Choose "Administration-->Services" from the navigation menu in the upper left corner of the screen.
  3. Locate the Concentrator and click on the gear icon, located at the far right of the screen.
  4. Hover over "View", then click "Config".
  5. Click on the "Files" Tab
  6. On the left side of the screen click on the dropdown and select "index-concentrator-custom.xml".
  7. Locate the section related to the custom table entries for the log parser typically labelled
    RSA Security Analytics Log Parser Revision 2.1.63 xx/xx/xx
  8. Remove that section.
  9. Replace with new custom index entries from the index-concentrator-custom.xml file.
  10. Click "Apply"

Load The New Custom Index.

  1. On the same screen as above, click on "Config" just above the "Correlation Rules" Tab.
  2. Click on "System"
  3. Click on "Stop Aggregation" at the top left of the screen.
  4. Wait for aggregation to stop.
  5. Click on "Shutdown Service" at the top center of the screen.
  6. On the "Confirm Shutdown" dialog, type "RSA Security Analytics Parser update"
  7. Click "OK"

ALL Appliances

Configure Rsyslog to Forward Logs

  1. SSH into each NetWitness Appliance.
  2. Modify the /etc/rsyslog.conf file.
    vi /etc/rsyslog.conf
  3. Press the letter "i" or the "Insert" key.  You should see "-- INSERT --" at the bottom left of your screen.
  4. Scroll to the bottom of the file and look for the following line:
    #*.* @@remote-host:514
  5. Remove the "#" and change "remote-host" to the destination Log Decoder or Virtual Log Collector (VLC).
    *.* @@<Log Decoder or VLC IP Address Here>:514
  6. Press the "ESC" key.
  7. You should see a colon ":" in the lower left of the screen.
  8. Save the file by typing ":wq"
    :wq
  9. Restart the Rsyslog service.
    service rsyslog restart
  10. Rsyslog is now forwarding logs to the Log Decoder or VLC.
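Steps 4 and 5 above are a hand edit of a single line, and when the same edit has to be made on every appliance it is worth scripting so that it is done the same way each time. The Python helper below is an added example (not part of the original post or of NetWitness) that performs that edit on the text of rsyslog.conf: it uncomments the shipped template, rewrites an already-active line instead of adding a second one, and reports what the file currently forwards to. The sample stanza and the target address 10.0.0.50 are constructed for illustration.

```python
import re

# Constructed sample of the forwarding stanza at the tail of a stock /etc/rsyslog.conf.
# It is not copied from any appliance; it reproduces the commented template line that
# step 4 above tells you to look for.
SAMPLE_RSYSLOG_CONF = """\
# ### begin forwarding rule ###
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
"""

# The commented template exactly as shipped, and an already-active forwarding line.
# In rsyslog's legacy syntax '@@' means TCP and a single '@' means UDP.
TEMPLATE_RE = re.compile(r"^#\*\.\*\s+@@remote-host:514[ \t]*$", re.M)
ACTIVE_RE = re.compile(r"^\*\.\*\s+@@(?P<host>[^:\s]+):(?P<port>\d+)[ \t]*$", re.M)
HOST_RE = re.compile(r"^[A-Za-z0-9.-]+$")


def forwarding_target(conf_text):
    """Return (host, port) from the active '*.* @@host:port' line, or None if none is active."""
    m = ACTIVE_RE.search(conf_text)
    return (m.group("host"), int(m.group("port"))) if m else None


def enable_forwarding(conf_text, target, port=514):
    """Return conf_text with all-facility forwarding pointed at target:port over TCP.

    Idempotent: an active line is rewritten rather than duplicated, the commented
    template is uncommented when present, and a line is appended only if neither
    exists. A duplicated forwarding line would deliver every event to the Log
    Decoder twice and double the parsed counts.
    """
    if not HOST_RE.match(target):
        raise ValueError("target must be an IP address or hostname")
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    active_line = "*.* @@%s:%d" % (target, port)
    if ACTIVE_RE.search(conf_text):
        return ACTIVE_RE.sub(active_line, conf_text, count=1)
    new_text, n = TEMPLATE_RE.subn(active_line, conf_text, count=1)
    if n == 0:
        return conf_text.rstrip("\n") + "\n" + active_line + "\n"
    return new_text


def active_forwarding_lines(conf_text):
    """Count active TCP forwarding lines; anything other than 1 deserves a look."""
    return len(ACTIVE_RE.findall(conf_text))


if __name__ == "__main__":
    # On an appliance you would read /etc/rsyslog.conf, write the result back and then
    # run 'service rsyslog restart' as in step 9 above.
    print(enable_forwarding(SAMPLE_RSYSLOG_CONF, "10.0.0.50"))
```

The check in `active_forwarding_lines` is the one to run after the change: the page's procedure assumes exactly one forwarding line, and a stray second copy (for example from an earlier manual edit) is the usual reason event counts on the Log Decoder come out doubled.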

If you have done anything on an iDRAC that requires mounting an ISO file or other remote/virtual media, it is painfully slow.  What I have discovered is that the iDRACs on the appliances are initially configured to operate only at 100Mb Full, but they are 1000Mb/1G capable; you just have to turn on "Auto Negotiation".  I have seen this on every appliance I have installed or encountered.  A quick way to tell whether your iDRAC is running at 100Mb or 1000Mb is to look at the link light.  See the picture below.

 

iDRAC Link Lights

 

Below is a screenshot of a freshly installed appliance with the default iDRAC settings.

Default Settings (100Mb) - Orange Link Light

 

Below is the screenshot of the iDRAC after I turned on "Auto Negotiation".

New Settings (1Gb) - Green Link Light

 

Notes

You can set "Auto Negotiation" by using the "Lifecycle Manager" (F10) at boot and by using the iDRAC web interface.  When using the web interface you will have to reconnect to the iDRAC as it will reset the network interface you are using to access the UI.  I have not been able to find a way to do this using the ipmitool.

NwLogPlayer is a log replay utility that is available for RSA NetWitness Logs. This utility reads a log event text file that you have created by exporting the logs from Investigation. The first question that comes to mind is "Why would I want to do that?". There are three typical reasons why I use it. First, is when you are developing ESA rules and you need a specific set of crafted events to reproduce your conditions for your alert. Second, is when you are developing a custom parser for those "unknown" device types. Third, is when you have a system that is a lab or development system that does not have an event source or the event source that you need.  I actually prefer to use an isolated lab/development system that has no other log sources other than what I replay to do my development work.  This way I can accurately track my replayed events vs my parsed events, so 100 replayed events should equal 100 parsed events.

 

To use the utility, all you need to do is install it on the system you want to run it from. This can be any system in the NetWitness Logs stack. I typically use the Log Decoder, as it is the system I work with most. If the total size of the log sample files is not very large (less than 100M total), I just create a "/root/logsamples" directory, put them there, and delete them when I am finished. If I am working with large log sample files, I create a "/var/netwitness/warehouseconnector/logsamples" directory, as the warehouseconnector is not typically used on most Log Decoders unless you are exporting data to a Hadoop environment.

 

Installation

NetWitness 10.x

To Install NwLogPlayer:

  1. SSH into the system you wish to run it from (typically a Log Decoder or Main Broker).
  2. Type "yum install nwlogplayer"
  3. Type "y" to install
  4. Press "Enter"

 

NetWitness 11.x

To Install NwLogPlayer:

  1. SSH into the system you wish to run it from (typically a Log Decoder or Main Broker).
  2. Type "yum install rsa-nw-logplayer"
  3. Type "y" to install
  4. Press "Enter"

 

To use NwLogPlayer:

  1. Upload your log sample text files to your sample directory on the system where you installed NwLogPlayer.
  2. SSH into the system where you installed NwLogPlayer.
  3. Type "NwLogPlayer --file <Your Sample Log Text file> --server <Log Decoder IP or FQDN>"

 

Examples 

Target and Destination:

Path = "/root/logsamples"
Log Sample File = "ESA-Alert-Firing-Sample.txt"
Virtual Log Collector = "VLC60.local"

NwLogPlayer --file /root/logsamples/ESA-Alert-Firing-Sample.txt --server VLC60.local

The above example sends the logs to the destination with the device IP being that of the system you ran the command from.

NwLogPlayer --file /root/logsamples/ESA-Alert-Firing-Sample.txt --server VLC60.local --ip 10.1.1.1 -r4

The above example sends the logs to the destination with a device IP of 10.1.1.1.

NwLogPlayer --file /root/logsamples/ESA-Alert-Firing-Sample.txt --server VLC60.local --rate 100 --ip 10.1.1.1 -r4

The above example sends the logs to the destination with a device IP of 10.1.1.1 at a rate of 100 EPS.

 

NwLogPlayer command line syntax:
--priority arg                      set log priority value
-h [ --help ]                       show this message
-f [ --file ] arg (=stdin)          input file
-d [ --dir ] arg                    input directory
-s [ --server ] arg (=localhost)    remote server
-p [ --port ] arg (=514)            remote port
-r [ --raw ] arg (=0)               Determines raw mode. 1 = File contents will be copied line by line to the server. 0 = add priority mark. 3 = auto detect. 4 = envision stream. 5 = binary object. 6 = protobuf stream
-m [ --memory ] arg                 Speed test mode. Reads up to MB of messages from the file contents and replays.
--rate arg                          Number of events per second. No effect if rate > eps which program can achieve at continuous mode
--maxcnt arg                        max number of messages to be sent
-c [ --multiconn ]                  multiple connection
-t [ --time ] arg                   simulate time stamp time. Format as yyyy-m-d-hh:mm:ss
-v [ --verbose ]                    if true will verbose output
--ip arg                            simulate ip tag.
--devicetype arg                    simulate device type. Applies only to envision headers (raw=4).
--cid arg                           simulate collector id. Applies only to envision headers (raw=4). (NetWitness 11.x versions)
--ssl                               connect with SSL
--certdir arg                       OpenSSL certificate authority directory.
--clientcert arg                    use this PEM-encoded SSL client certificate
--clientkey arg                     use this PEM-encoded private key file. If not specified the clientcert path is used.
--udp                               send in udp
-g [ --gzip ]                       treat input stream as compressed gzip
--version                           output the version of this program
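The two raw modes you will use most, 0 (add a priority mark) and 1 (copy lines as-is), together with the --rate pacing, are easy to reason about once you see what actually goes on the wire. The Python block below is an added example written for this page; it is not NwLogPlayer's code and does not reproduce its envision, binary or protobuf modes. It frames a set of constructed sample lines the way modes 0 and 1 do, paces them to a target EPS, and sends them over a plain TCP syslog connection (or into an in-memory stand-in socket, so it can be run without a Log Decoder). The host name VLC60.local and the sample lines are taken from or constructed around the examples above.

```python
import socket
import time

# Constructed sample events (not a real export from Investigation). The blank line is
# deliberate: it shows why blank lines must be dropped to keep replayed == parsed.
SAMPLE_LINES = [
    "Mar  1 10:00:01 host1 sshd[1234]: Accepted password for alice from 192.0.2.10 port 5050 ssh2",
    "",
    "Mar  1 10:00:02 host1 sshd[1235]: Failed password for bob from 192.0.2.11 port 5051 ssh2",
    "<34>Mar  1 10:00:03 host1 sshd[1236]: Failed password for bob from 192.0.2.11 port 5052 ssh2",
]


def frame_events(lines, raw=0, priority=13):
    """Build wire payloads for raw modes 0 and 1.

    raw=0 prepends a syslog PRI mark ("<13>") to lines that lack one, which is what a
    syslog receiver expects; raw=1 copies each line byte-for-byte. Modes 3..6 are not
    modelled here.
    """
    if raw not in (0, 1):
        raise ValueError("only raw modes 0 and 1 are modelled")
    payloads = []
    for line in lines:
        line = line.rstrip("\r\n")
        if not line.strip():
            continue
        if raw == 0 and not line.startswith("<"):
            line = "<%d>%s" % (priority, line)
        payloads.append(line.encode("utf-8") + b"\n")
    return payloads


def send_interval(rate):
    """Seconds to wait between events to approximate a target EPS; 0 means unthrottled."""
    if not rate or rate <= 0:
        return 0.0
    return 1.0 / rate


class RecordingSocket:
    """Stand-in for a TCP socket so the replay can be exercised offline."""

    def __init__(self):
        self.sent = []

    def sendall(self, data):
        self.sent.append(data)

    def close(self):
        pass


def replay(payloads, server, port=514, rate=None, sock=None):
    """Send payloads over one TCP syslog connection and return the number sent.

    Pass sock=RecordingSocket() to run without a network; otherwise a connection to
    server:port is opened, the same plain-TCP path the tool uses by default.
    """
    own = sock is None
    if own:
        sock = socket.create_connection((server, port), timeout=5)
    delay = send_interval(rate)
    sent = 0
    try:
        for payload in payloads:
            sock.sendall(payload)
            sent += 1
            if delay:
                time.sleep(delay)
    finally:
        if own:
            sock.close()
    return sent


if __name__ == "__main__":
    # Offline run; replace sock=... with nothing to send to a real VLC60.local.
    recorder = RecordingSocket()
    print(replay(frame_events(SAMPLE_LINES), "VLC60.local", rate=100, sock=recorder), "events")
```

The returned count is the number to compare against what the Log Decoder parsed, which is the "100 replayed events should equal 100 parsed events" check described above; dropping blank lines before sending is what keeps the two numbers comparable.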

Overview

This report shows the metakeys that have reached their "valueMax" setting in the index of the Concentrators or Archivers.  Its purpose is to show which metakeys need their "valueMax" setting increased to accommodate all the unique values they will receive within an index slice. Read more about "valueMax" in the RSA Link posting Core DB: Index Customization.

 

Use Case

Run daily, this report can catch the "ValueMax Has Been Reached" condition within the last 24 hours.  It also gives you the times at which the metakey reached this condition.  The example below demonstrates what the "ValueMax" reached issue looks like when you encounter it.

Example Scenario

You are working on an investigation and you need to find a particular host "somejunkhost" in the alias.host metakey.  You start out with your Investigation window, set your date range for one month, and open the metakey "Hostname alias" (alias.host).  You locate the "somejunkhost" in the Investigation window and you see something like this:

   

   host7 (418000) - host4 (50500) - host5 (30567) - somejunkhost (2052) - host1 (1400) - host17 (100)

 

You click on the "somejunkhost" name (Blue Text) to narrow your query and then you see something like this:

 

   somejunkhost (1895)   <---Notice the number is no longer 2052 as it should be?

 

When the session counts (in green) are not consistent as you drill into the metakey value (blue), this is an indication that "ValueMax" has been reached.  The one-month query spanned multiple index slices, and one or more of those slices does not hold the "somejunkhost" value for the alias.host metakey.  The information is in the metadb but not in the index.  To reach the information you can use another metakey, such as ip.src/ip.dst or something else directly associated with the hostname.  Accessing or pivoting from those keys makes the values visible, as they would be for a metakey indexed with an "indexkeys" setting.
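The mechanism behind the dropped count can be shown with a small model. The Python block below is an added example for this page, not NetWitness code: it treats each index slice as holding at most value_max distinct values for one metakey, writes every session to the metadb regardless, and then compares the metadb count with the index-derived count across a constructed three-slice scenario whose numbers are chosen to reproduce the 2052 versus 1895 seen above. The real index is more involved than this; the model only illustrates why a value can be present in the metadb yet invisible to an index-driven drill.

```python
from collections import defaultdict


class IndexSlice:
    """Simplified model of one index slice for a single metakey (not NetWitness code).

    Every session's value is written to the metadb. The slice indexes a value only if
    it is already indexed or fewer than value_max distinct values are indexed so far;
    any later distinct value lands in the metadb only.
    """

    def __init__(self, value_max):
        self.value_max = value_max
        self.index = defaultdict(int)   # value -> sessions visible to index queries
        self.metadb = defaultdict(int)  # value -> sessions actually stored

    def add(self, value, sessions=1):
        self.metadb[value] += sessions
        if value in self.index or len(self.index) < self.value_max:
            self.index[value] += sessions
        return value in self.index


def metadb_sessions(slices, value):
    """Sessions carrying the value across all slices, as the metadb holds them."""
    return sum(s.metadb.get(value, 0) for s in slices)


def index_sessions(slices, value):
    """Sessions a drill on the indexed value can reach across all slices."""
    return sum(s.index.get(value, 0) for s in slices)


def slices_missing(slices, value):
    """Slice numbers where the value exists in the metadb but was never indexed."""
    return [i for i, s in enumerate(slices)
            if s.metadb.get(value, 0) and value not in s.index]


def build_scenario():
    """Constructed three-slice scenario tuned to reproduce the 2052 vs 1895 numbers above."""
    slices = [IndexSlice(value_max=3) for _ in range(3)]
    slices[0].add("somejunkhost", 1000)            # seen early in the slice: indexed
    slices[0].add("host7", 200000)
    for h in ("host7", "host4", "host5"):           # slice 1 fills up before somejunkhost arrives
        slices[1].add(h, 10000)
    slices[1].add("somejunkhost", 157)             # metadb only: valueMax already reached
    slices[2].add("somejunkhost", 895)             # a fresh slice indexes it again
    slices[2].add("host7", 208000)
    return slices


if __name__ == "__main__":
    s = build_scenario()
    print("metadb:", metadb_sessions(s, "somejunkhost"),
          "index:", index_sessions(s, "somejunkhost"),
          "slices missing it:", slices_missing(s, "somejunkhost"))
```

`slices_missing` is the piece the report above automates for you: once you know which slice dropped the value, raising valueMax for that key (or pivoting through ip.src/ip.dst, which live in their own index) is the fix, and the model shows that the 157 sessions were never lost, only un-indexed.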

 

Requirements

This report requires the RSA NetWitness Suite Log Parser 2.3.99.

 

Installation

  1. Download the attached zip file.
  2. Follow the directions in the article Reporting: Import Reports and Report Groups.
  3. Select the zip file when prompted; there is no need to unzip the file prior to importing the report file.

 

Report Contents

   • 1 Report List used to exclude metakeys whose "ValueMax" setting you do not care about reaching
   • 1 Report showing a Summary, a Detailed, and a Device tabular list
   • 3 Report Rules

These items will be imported into a Group called "Netwitness Suite" in the Report Engine.

 

Overview

We all are so familiar with the 4625 as a failed logon, but did you know that the 4625 has more details relating to why the login failed?  I kept these notes regarding this event to write reports for a customer.  These notes show the metakeys of interest and also break down the event status and sub status codes.

 

Parser Version Notes

Recently there were some modifications to the Windows event parsers that changed the metakeys in which the status code and sub status code are kept.  The table below was compiled from what I have seen in the field.

 

Parser Name                                  Update                           Status Code Metakey   Sub Status Code Metakey
-------------------------------------------  -------------------------------  --------------------  -----------------------------------------------------
winevent_nic, winevent_er, winevent_snare    102 and earlier                  disposition           result.code
winevent_nic, winevent_er, winevent_snare    some versions between 102-106    result.code           fld (throw away)
winevent_nic, winevent_er, winevent_snare    106 (5/24/17) and later          result.code           context (currently not in default Concentrator index)

 

Metakeys of Interest

Metakey Name     Description
---------------  ----------------------------------------------------------------------------------------------
device.ip        Device IP - System that reported this event
reference.id     Windows EventID
domain           Windows domain name, or local computer name for a local computer logon
user.dst         User account that is failing to log in.  This can also be a computer account, which ends with a "$".
logon.type       Windows Logon Types:
                   2  - Interactive Console Logon
                   3  - Network Logon - Background logon, usually for network drives and other shared resources.
                   4  - Batch - Job scheduling systems or other applications.
                   5  - Service - Applications that run as a service with user credentials.
                   7  - Unlock - Console unlock of a password protected screen using the local keyboard.
                   8  - Network Clear Text - Credentials are sent in the clear, IIS basic authentication mode for example.
                   9  - RunAs - When you right click and use "Run As" on an application.
                   10 - Remote - Using an RDP session to remotely log on.
                 Logon Types 2, 3 and 10 are the most common.
ip.src           Source IP of the system that attempted to log on
alias.host       Hostname of the system that attempted to log on
event.computer   Computer that this event 4625 occurred on - someone failed to log on to this system.
disposition      Status Code - See the table above regarding this metakey
result.code      Status Code or Sub Status Code - See the table above regarding this metakey
context          Sub Status Code - See the table above regarding this metakey

NOTE:  The following metakeys are not in the default index and will need to be added to the custom table map and the custom Concentrator/Broker indexes:

   • event.computer
   • context
   • disposition

 

Status\Sub-Status Code Description

https://technet.microsoft.com/en-us/itpro/windows/keep-secure/event-4625

 

Status/Sub Status Code   Description
-----------------------  ----------------------------------------------------------------------------------------------------------------------------------------
0xC000005E               There are currently no logon servers available to service the logon request.
0xC0000064               User logon with misspelled or bad user account (Unknown User)
0xC000006A               User logon with misspelled or bad password
0xC000006D               This is either due to a bad username or authentication information
0xC000006E               Unknown user name or bad password.
0xC000006F               User logon outside authorized hours
0xC0000070               User logon from unauthorized workstation
0xC0000071               User logon with expired password
0xC0000072               User logon to account disabled by administrator
0xC00000DC               Indicates the SAM Server was in the wrong state to perform the desired operation.
0xC0000133               Clocks between DC and other computer too far out of sync
0xC000015B               The user has not been granted the requested logon type (aka logon right) at this machine
0xC000018C               The logon request failed because the trust relationship between the primary domain and the trusted domain failed.
0xC0000192               An attempt was made to logon, but the Netlogon service was not started.
0xC0000193               User logon with expired account
0xC0000224               User is required to change password at next logon
0xC0000225               Evidently a bug in Windows and not a risk
0xC0000234               User logon with account locked
0xC00002EE               Failure Reason: An Error occurred during Logon
0xC0000413               Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.
0x0                      Status OK.

 
Sample Queries

The sample queries below cover both sets of metakeys generated by the older and newer updated parsers.

 

User Does Not Exist - Status Code 0xc000006D Sub Status Code 0xC0000064

medium = 32 && device.class = 'windows hosts' && reference.id = '4625' && ((result.code = '0xc000006d' && context = '0xC0000064') || (disposition = '0xc000006d' && result.code = '0xC0000064')) && (not(user.dst ends '$'))

 

User Bad Password-Status Code 0xc000006D Sub Status Code 0xC000006A

medium = 32 && device.class = 'windows hosts' && reference.id = '4625' && (((not(disposition exists)) && result.code = '0xc000006d' && context = '0xC000006A') || (disposition = '0xc000006d' && result.code = '0xC000006A')) && (not(user.dst ends '$'))

 

Disabled User Accounts - Status Code 0xc000006E Sub Status Code 0xc0000072

medium = 32 && device.class = 'windows hosts' && reference.id = '4625' && (((not(disposition exists)) && result.code = '0xc000006e' && context = '0xC0000072') || (disposition = '0xc000006e' && result.code = '0xC0000072')) && (not(user.dst ends '$'))

 

Logon with Expired Password - Status Code 0xc000006E Sub Status Code 0xc0000071

medium = 32 && device.class = 'windows hosts' && reference.id = '4625' && (((not(disposition exists)) && result.code = '0xc000006e' && context = '0xC0000071') || (disposition = '0xc000006e' && result.code = '0xC0000071')) && (not(user.dst ends '$'))

 

User Must Change Password at Next Logon

medium = 32 && device.class = 'windows hosts' && reference.id = '4625' && ((disposition = '0xc0000224' && result.code = '0x0') || ((not(disposition exists)) && result.code = '0xc0000224' && context = '0x0')) && (not(user.dst ends '$'))

 

User Was Not Granted Rights to Logon - Status Code 0xc000015B Sub Status Code 0x0

medium = 32 && device.class = 'windows hosts' && reference.id = '4625' && (((not(disposition exists)) && result.code = '0xc000015b' && context = '0x0') || (disposition = '0xc000015b' && result.code = '0x0')) && (not(user.dst ends '$'))
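Each of the six queries above repeats the same structure: restrict to 4625, pick up the status/sub-status pair from whichever parser layout produced the event, and exclude computer accounts. The Python block below is an added example for this page (not NetWitness or parser code) that expresses that logic once, so the same classification can be applied to exported events or used to sanity-check the queries against both parser generations. The status descriptions are condensed from the table above; the three sample events are constructed.

```python
# Status and sub-status descriptions condensed from the table above, keyed in lower
# case so lookups do not depend on how a given parser version cases the hex digits.
STATUS_DESCRIPTIONS = {
    "0xc000005e": "No logon servers available to service the logon request",
    "0xc0000064": "Misspelled or bad user account (unknown user)",
    "0xc000006a": "Misspelled or bad password",
    "0xc000006d": "Bad username or authentication information",
    "0xc000006e": "Unknown user name or bad password",
    "0xc000006f": "Logon outside authorized hours",
    "0xc0000070": "Logon from unauthorized workstation",
    "0xc0000071": "Expired password",
    "0xc0000072": "Account disabled by administrator",
    "0xc00000dc": "SAM server in the wrong state for the operation",
    "0xc0000133": "Clocks between DC and other computer too far out of sync",
    "0xc000015b": "User not granted the requested logon type at this machine",
    "0xc000018c": "Trust relationship between primary and trusted domain failed",
    "0xc0000192": "Netlogon service not started",
    "0xc0000193": "Expired account",
    "0xc0000224": "Password change required at next logon",
    "0xc0000225": "Windows bug, not a risk",
    "0xc0000234": "Account locked",
    "0xc00002ee": "An error occurred during logon",
    "0xc0000413": "Account not allowed to authenticate to this machine (authentication firewall)",
    "0x0": "Status OK",
}

# (status, sub status) pairs behind the sample queries above.
FAILURE_LABELS = {
    ("0xc000006d", "0xc0000064"): "User Does Not Exist",
    ("0xc000006d", "0xc000006a"): "User Bad Password",
    ("0xc000006e", "0xc0000072"): "Disabled User Account",
    ("0xc000006e", "0xc0000071"): "Logon with Expired Password",
    ("0xc0000224", "0x0"): "User Must Change Password at Next Logon",
    ("0xc000015b", "0x0"): "User Was Not Granted Rights to Logon",
}


def status_pair(meta):
    """Return (status, sub status) for a 4625 event regardless of parser layout.

    Parser 102 and earlier: disposition = status, result.code = sub status.
    Parser 106 and later:   result.code = status, context = sub status.
    This mirrors the '(not(disposition exists))' branch of the queries above.
    """
    if "disposition" in meta:
        status, sub = meta.get("disposition"), meta.get("result.code")
    else:
        status, sub = meta.get("result.code"), meta.get("context")
    if status is None:
        return None
    return (status.lower(), sub.lower() if sub is not None else None)


def classify_4625(meta):
    """Label a failed logon the way the sample queries do, or None when nothing matches.

    Computer accounts (user.dst ending in '$') are excluded, as in every query above.
    """
    if meta.get("medium") != 32 or meta.get("device.class") != "windows hosts":
        return None
    if meta.get("reference.id") != "4625":
        return None
    if meta.get("user.dst", "").endswith("$"):
        return None
    pair = status_pair(meta)
    return FAILURE_LABELS.get(pair) if pair else None


def describe(code):
    """Human-readable meaning of a status or sub status code from the table above."""
    return STATUS_DESCRIPTIONS.get(code.lower(), "unlisted code")


# Constructed events: the same failure as emitted through the old and the new layout,
# plus a machine-account failure that the queries deliberately ignore.
OLD_LAYOUT = {"medium": 32, "device.class": "windows hosts", "reference.id": "4625",
              "user.dst": "alice", "disposition": "0xC000006D", "result.code": "0xC000006A"}
NEW_LAYOUT = {"medium": 32, "device.class": "windows hosts", "reference.id": "4625",
              "user.dst": "alice", "result.code": "0xC000006D", "context": "0xC000006A"}
MACHINE_ACCOUNT = dict(NEW_LAYOUT)
MACHINE_ACCOUNT["user.dst"] = "WS01$"
```

Note that `describe` looks the code up case-insensitively; the queries above rely on NetWitness treating the quoted hex strings the same way, which is why the upper and lower case spellings are mixed between them without changing the result.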

 

Attachments

Windows4625CustomColumns-EventView.jsn.zip - Custom column view for the "Events" view in Investigation.

Investigation-->Events, it's the drop down right next to "Profile".  Choose "Manage Column Groups" and import the .jsn file.

 

Report-User Failed Logon Attempts (4625) FINAL.zip - Windows 4625 Report based on the sample rules in this post. Just import into the Report Engine.

When you can't get to the data center and attach a monitor to configure the network settings for the iDRAC, you can use the IPMITool command line utility from an SSH terminal window, like PuTTY.

 

Listed below are the network configuration commands I found helpful.

 

Set the iDRAC Network Configuration

Commands:

      ipmitool lan set <command> <parameter>

      ipmitool mc reset warm

 

Example:

[root@APPLIANCE14 ~]# ipmitool lan set 1 ipsrc static

[root@APPLIANCE14 ~]# ipmitool lan set 1 ipaddr 10.0.0.100

[root@APPLIANCE14 ~]# ipmitool lan set 1 netmask 255.255.255.0

[root@APPLIANCE14 ~]# ipmitool lan set 1 defgw ipaddr 10.0.0.1

[root@APPLIANCE14 ~]# ipmitool mc reset warm

 

List the iDRAC Network Configuration

Command:

      ipmitool lan print

 

Example:

[root@APPLIANCE14 ~]# ipmitool lan print

Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD
Auth Type Enable        : Callback : MD2 MD5
                        : User     : MD2 MD5
                        : Operator : MD2 MD5
                        : Admin    : MD2 MD5
                        : OEM      :
IP Address Source       : Static Address
IP Address              : 10.0.0.100
Subnet Mask             : 255.255.255.0
MAC Address             : 54:00:00:00:00:00
SNMP Community String   : public
IP Header               : TTL=0x40 Flags=0x40 Precedence=0x00 TOS=0x10
BMC ARP Control         : ARP Responses Enabled, Gratuitous ARP Disabled
Gratituous ARP Intrvl   : 2.0 seconds
Default Gateway IP      : 10.0.0.1
Default Gateway MAC     : 00:00:00:00:00:00
Backup Gateway IP       : 0.0.0.0
Backup Gateway MAC      : 00:00:00:00:00:00
802.1q VLAN ID          : Disabled
802.1q VLAN Priority    : 0
RMCP+ Cipher Suites     : 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14
Cipher Suite Priv Max   : Xaaaaaaaaaaaaaa
                        :     X=Cipher Suite Unused
                        :     c=CALLBACK
                        :     u=USER
                        :     o=OPERATOR
                        :     a=ADMIN
                        :     O=OEM

 

Full List of Options for 'ipmitool lan set'

[root@APPLIANCE14 ~]# ipmitool lan set

 

usage: lan set <channel> <command> <parameter>

 

LAN set command/parameter options:
  ipaddr <x.x.x.x>               Set channel IP address
  netmask <x.x.x.x>              Set channel IP netmask
  macaddr <x:x:x:x:x:x>          Set channel MAC address
  defgw ipaddr <x.x.x.x>         Set default gateway IP address
  defgw macaddr <x:x:x:x:x:x>    Set default gateway MAC address
  bakgw ipaddr <x.x.x.x>         Set backup gateway IP address
  bakgw macaddr <x:x:x:x:x:x>    Set backup gateway MAC address
  password <password>            Set session password for this channel
  snmp <community string>        Set SNMP public community string
  user                           Enable default user for this channel
  access <on|off>                Enable or disable access to this channel
  alert <on|off>                 Enable or disable PEF alerting for this channel
  arp respond <on|off>           Enable or disable BMC ARP responding
  arp generate <on|off>          Enable or disable BMC gratuitous ARP generation
  arp interval <seconds>         Set gratuitous ARP generation interval
  vlan id <off|<id>>             Disable or enable VLAN and set ID (1-4094)
  vlan priority <priority>       Set vlan priority (0-7)
  auth <level> <type,..>         Set channel authentication types
      level = CALLBACK, USER, OPERATOR, ADMIN
      type  = NONE, MD2, MD5, PASSWORD, OEM
  ipsrc <source>                 Set IP Address source
      none   = unspecified source
      static = address manually configured to be static
      dhcp   = address obtained by BMC running DHCP
      bios   = address loaded by BIOS or system software
  cipher_privs XXXXXXXXXXXXXXX   Set RMCP+ cipher suite privilege levels
      X = Cipher Suite Unused
      c = CALLBACK
      u = USER
      o = OPERATOR
      a = ADMIN
      O = OEM

When you do not know the username and password, or need to change them, you can use IPMITool to perform this and other user management tasks from an SSH terminal window, like PuTTY.

 

Listed below are the user management commands I found helpful.

 

Listing the iDRAC User

Command:

      ipmitool user list 2

 

Example:

[root@APPLIANCE14 ~]# ipmitool user list 2

ID       Name                Callin    Link Auth    IPMI Msg    Channel Priv Limit
2         root                    true      true             true              ADMINISTRATOR

 

Enabling the iDRAC User

Command:

      ipmitool user enable 2

 

Example:

[root@APPLIANCE14 ~]# ipmitool user enable 2

 

Disabling the iDRAC User

Command:

      ipmitool user disable 2

 

Example:

[root@APPLIANCE14 ~]# ipmitool user disable 2

 

Set the iDRAC User Password

Command:

      ipmitool user set password 2 <Password>

 

Example:

[root@APPLIANCE14 ~]# ipmitool user set password 2 themaster01

 

Rename the iDRAC Root User

Command:

      ipmitool user set name 2 <newusername>

 

Example:

[root@APPLIANCE14 ~]# ipmitool user set name 2 bueno

[root@APPLIANCE14 ~]# ipmitool user list 2
ID       Name                Callin    Link Auth    IPMI Msg    Channel Priv Limit
2         bueno                true      true             true              ADMINISTRATOR

 

Full List of Options for 'ipmitool user'

[root@APPLIANCE14 ~]# ipmitool user set name

 

User Commands:  summary      [<channel number>]
                list         [<channel number>]
                set name     <user id> <username>
                set password <user id> [<password>]
                disable      <user id>
                enable       <user id>
                priv         <user id> <privilege level> [<channel number>]
                test         <user id> <16|20> [<password]>

While trying to sort out a system that was rebooting randomly due to a hardware failure, I discovered you can view the System Event Log on the iDRAC using the IPMITool.

 

Listed below are the commands to view the SEL Log on the iDRAC.

 

List the iDRAC System Event Log (SEL)

Commands:

      ipmitool sel list

 

Example:

[root@APPLIANCE14 ~]# ipmitool sel list
1 | 08/19/2015 | 19:06:01 | Event Logging Disabled #0x72 | Log area reset/cleared | Asserted
2 | 10/16/2015 | 19:47:38 | Power Supply #0x63 | Power Supply AC lost | Asserted
3 | 10/16/2015 | 19:47:39 | Power Supply #0x74 | Redundancy Lost
4 | 10/16/2015 | 19:53:20 | Power Supply #0x74 | Redundancy Lost
5 | 10/16/2015 | 19:53:22 | Power Supply #0x62 | Power Supply AC lost | Asserted
6 | 10/16/2015 | 19:56:59 | Power Supply #0x62 | Power Supply AC lost | Deasserted
7 | 10/16/2015 | 19:57:02 | Power Supply #0x74 | Fully Redundant
8 | 03/18/2016 | 18:52:15 | Critical Interrupt #0x18 | Bus Fatal Error | Asserted
9 | 03/18/2016 | 18:52:15 | Critical Interrupt #0x18 | Bus Fatal Error | Asserted
a | 03/18/2016 | 18:52:15 | Unknown #0x1a |
b | 01/25/2017 | 16:51:51 | Critical Interrupt #0x18 | Bus Fatal Error | Asserted
c | 01/25/2017 | 16:51:51 | Critical Interrupt #0x18 | Bus Fatal Error | Asserted
d | 01/25/2017 | 16:51:51 | Unknown #0x1a |
e | 01/26/2017 | 15:16:36 | Critical Interrupt #0x18 | Bus Fatal Error | Asserted
f | 01/26/2017 | 15:16:36 | Critical Interrupt #0x18 | Bus Fatal Error | Asserted
10 | 01/26/2017 | 15:16:36 | Unknown #0x1a |
11 | 01/26/2017 | 15:21:31 | Critical Interrupt #0x18 | Bus Fatal Error | Asserted
12 | 01/26/2017 | 15:21:31 | Critical Interrupt #0x18 | Bus Fatal Error | Asserted
13 | 01/26/2017 | 15:21:31 | Unknown #0x1a |
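The listing above is exactly the kind of evidence you want to read programmatically when chasing a reboot: the same "Bus Fatal Error" pair appears in bursts seconds apart, on four separate dates, each followed by an "Unknown #0x1a" entry. The Python block below is an added example written for this page (not ipmitool code) that parses `ipmitool sel list` output, counts asserted events per sensor, and groups the fatal-error entries into bursts so that each incident shows up once with its timestamp. The input is the page's own listing reproduced as an inline string; a real run would feed it the command's output.

```python
from collections import Counter
from datetime import datetime, timedelta

# The 'ipmitool sel list' output shown above, embedded here as the sample input.
SAMPLE_SEL = """\
1 | 08/19/2015 | 19:06:01 | Event Logging Disabled #0x72 | Log area reset/cleared | Asserted
2 | 10/16/2015 | 19:47:38 | Power Supply #0x63 | Power Supply AC lost | Asserted
3 | 10/16/2015 | 19:47:39 | Power Supply #0x74 | Redundancy Lost
4 | 10/16/2015 | 19:53:20 | Power Supply #0x74 | Redundancy Lost
5 | 10/16/2015 | 19:53:22 | Power Supply #0x62 | Power Supply AC lost | Asserted
6 | 10/16/2015 | 19:56:59 | Power Supply #0x62 | Power Supply AC lost | Deasserted
7 | 10/16/2015 | 19:57:02 | Power Supply #0x74 | Fully Redundant
8 | 03/18/2016 | 18:52:15 | Critical Interrupt #0x18 | Bus Fatal Error | Asserted
9 | 03/18/2016 | 18:52:15 | Critical Interrupt #0x18 | Bus Fatal Error | Asserted
a | 03/18/2016 | 18:52:15 | Unknown #0x1a |
b | 01/25/2017 | 16:51:51 | Critical Interrupt #0x18 | Bus Fatal Error | Asserted
c | 01/25/2017 | 16:51:51 | Critical Interrupt #0x18 | Bus Fatal Error | Asserted
d | 01/25/2017 | 16:51:51 | Unknown #0x1a |
e | 01/26/2017 | 15:16:36 | Critical Interrupt #0x18 | Bus Fatal Error | Asserted
f | 01/26/2017 | 15:16:36 | Critical Interrupt #0x18 | Bus Fatal Error | Asserted
10 | 01/26/2017 | 15:16:36 | Unknown #0x1a |
11 | 01/26/2017 | 15:21:31 | Critical Interrupt #0x18 | Bus Fatal Error | Asserted
12 | 01/26/2017 | 15:21:31 | Critical Interrupt #0x18 | Bus Fatal Error | Asserted
13 | 01/26/2017 | 15:21:31 | Unknown #0x1a |
"""


def parse_sel(text):
    """Parse 'ipmitool sel list' lines into dicts. Record ids are hexadecimal."""
    records = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) < 4:
            continue  # not a SEL record line
        when = datetime.strptime(fields[1] + " " + fields[2], "%m/%d/%Y %H:%M:%S")
        records.append({
            "id": int(fields[0], 16),
            "time": when,
            "sensor": fields[3],
            "event": fields[4] if len(fields) > 4 else "",
            "state": fields[5] if len(fields) > 5 else "",
        })
    return records


def asserted_counts(records):
    """How often each (sensor, event) was asserted; entries without a state column are skipped."""
    return Counter((r["sensor"], r["event"]) for r in records if r["state"] == "Asserted")


def fault_bursts(records, match="Bus Fatal Error", window=timedelta(seconds=5)):
    """Group matching events that occur within `window` of each other: one burst per incident.

    Returns [(first timestamp, number of entries)] in chronological order.
    """
    times = sorted(r["time"] for r in records if r["event"] == match)
    bursts = []
    for t in times:
        if bursts and t - bursts[-1][-1] <= window:
            bursts[-1].append(t)
        else:
            bursts.append([t])
    return [(b[0], len(b)) for b in bursts]


if __name__ == "__main__":
    recs = parse_sel(SAMPLE_SEL)
    for start, n in fault_bursts(recs):
        print(start, "x%d" % n)
```

Comparing the burst timestamps with the operating-system boot times is the quick way to confirm that the reboots line up with the hardware fault rather than with anything the OS did.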

 

Show the iDRAC System Event Log Information

Commands:

      ipmitool sel

 

Example:

[root@APPLIANCE14 ~]# ipmitool sel
SEL Information
Version                   : 1.5 (v1.5, v2 compliant)
Entries                    : 1
Free Space             : 16368 bytes
Percent Used          : 0%
Last Add Time         : 02/28/2017 01:41:15
Last Del Time          : 02/28/2017 01:41:15
Overflow                  : false
Supported Cmds     : 'Reserve'

 

Clear the iDRAC System Event Log

Commands:

      ipmitool sel clear

 

Example:

[root@APPLIANCE14 ~]# ipmitool sel clear
Clearing SEL. Please allow a few seconds to erase.

When making several changes at a time on several systems you can use IPMITool to execute commands from a file, which lets you script some of the iDRAC configuration.  In my case I wanted to change the username and password on the iDRACs of several systems.

 

Listed below are some examples:

 

Rename Root User, Set New Password and Clear the SEL

Commands:

      ipmitool exec <command_file>

 

Example:

[root@APPLIANCE14 ~]# ipmitool exec idracconfiguration.txt

 

Contents of the 'idracconfiguration.txt'

# Each line is an ipmitool subcommand; 'ipmitool exec' reads them as such, so the
# leading word 'ipmitool' is omitted and the command file accepts '#' comments.
user set name 2 bueno

user set password 2 BuenoIsG00d

user enable 2

user list

sel clear

 

The above file renames the 'root' user, changes the password, lists the user to verify the change, and clears the System Event Log.  You could do the same with network settings.

Vertical Scan Dashboard for Firewall Logs

Overview

 

The Vertical Scan Dashboard for Firewall Logs shows vertical scan activity conducted against any firewall class device on the Internet Perimeter. This set of dashlets will display the top 10 port probing/scanning activity over the last 24 hours, broken down into the following categories:

  • Unique port count of individual IP addresses probing/scanning the network and displayed by IP address.
  • Unique port count of countries probing/scanning the network and displayed by country.
  • Unique IP address count of individual Countries probing/scanning the network and displayed by country.
  • Top 10 most denied destination ports, displayed by port.

 

The Dashlets

Top 10 Denied IP High Unique Port Count

It looks at the inbound traffic and every hour it counts the number of unique ports for each source IP address it sees, then it displays them in a Timeline and a Summary format by IP address.  In short, it shows which IP addresses are using the most ports to scan your network on an hourly basis.  Basically a vertical scan, a single IP probing multiple ports.

 

Top 10 Denied High Unique Port Count by Country

It looks at the inbound traffic and every hour it counts the number of unique ports for each source IP address it sees, then it displays them in a Timeline and a Summary format by country.  In short, a unique port count by country and displayed by country.

 

Top 10 Denied Countries by Unique IP Count

It looks at the inbound traffic and every hour it counts the number of unique IP addresses for each Source Country it sees, then it displays them in a Timeline and a Summary format by country.  In short, it’s a count of unique IP addresses used to probe your network displayed by country.

 

Top 10 Denied Destination Ports

It looks at the inbound traffic and every hour it finds the distinct ports and counts how many times they are denied.  Then it displays them in a Timeline and a Summary format as shown below.  In short, it shows the top ten ports that are being probed and denied.

Prerequisites

You must have the items listed below installed and configured for this dashboard to work properly.

Security Analytics/NetWitness

  • Versions 10.5 or higher
  • Log Decoder and Concentrator
  • Firewall Logs

Versions prior to 10.5 do not have the “distinct” and “countdistinct” functions available in the Report Engine.

Lua Parser

  • Traffic Flow (RSA Live)
  • lua (RSA Live)

 

Directions for installation and configuration of this parser are located in the link below:

https://community.rsa.com/docs/DOC-44948

 

If you already have a parser that defines Internet source IP addresses, you can modify the rules and swap out the “netname='other src'” with your metakey and value.
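The four dashlets described above all perform the same roll-up over denied inbound events with different grouping keys. The following is an added example, not part of the original post or the dashboard package: it reproduces that roll-up in Python over constructed sample events, using NetWitness-style meta names (ip.src, country.src, ip.dstport, action) and assuming the events are already restricted to Internet sources (the netname='other src' clause).

```python
from collections import defaultdict
from datetime import datetime
# Constructed sample inbound events (not real logs), one per line:
# time, ip.src, country.src, ip.dstport, action (assumed already limited to
# Internet sources, i.e. the post's netname='other src' clause).
SAMPLE_LOGS = """\
2017-03-01T10:02:11 198.51.100.7 AA 22 deny
2017-03-01T10:05:40 198.51.100.7 AA 23 deny
2017-03-01T10:09:03 198.51.100.7 AA 3389 deny
2017-03-01T10:20:18 203.0.113.9 BB 22 deny
2017-03-01T10:21:02 203.0.113.9 BB 22 deny
2017-03-01T10:30:44 203.0.113.10 BB 80 deny
2017-03-01T10:31:12 203.0.113.11 BB 443 accept
2017-03-01T11:01:00 198.51.100.7 AA 22 deny
"""

def parse_events(text):
    """Split the sample lines into dicts keyed like NetWitness meta."""
    events = []
    for line in text.splitlines():
        ts, src, country, port, action = line.split()
        events.append({"time": datetime.fromisoformat(ts), "ip.src": src,
                       "country.src": country, "ip.dstport": int(port),
                       "action": action})
    return events

def hourly_top(events, group_key, value_key, distinct=True, top=10):
    """Per hour, rank group_key by distinct (or total) count of value_key over
    denied events only; returns {hour_iso: [(group, count), ...]}, top N."""
    buckets = defaultdict(lambda: defaultdict(list))
    for ev in events:
        if ev["action"] != "deny":          # dashlets look at denied traffic only
            continue
        hour = ev["time"].replace(minute=0, second=0, microsecond=0)
        buckets[hour][ev[group_key]].append(ev[value_key])
    ranked = {}
    for hour, groups in sorted(buckets.items()):
        counts = {g: len(set(v)) if distinct else len(v) for g, v in groups.items()}
        ranked[hour.isoformat()] = sorted(counts.items(), key=lambda kv: (-kv[1], str(kv[0])))[:top]
    return ranked

# The four dashlets are the same roll-up with different group/value keys.
def denied_ip_unique_ports(events):       # Top 10 Denied IP High Unique Port Count
    return hourly_top(events, "ip.src", "ip.dstport")
def denied_country_unique_ports(events):  # Top 10 Denied High Unique Port Count by Country
    return hourly_top(events, "country.src", "ip.dstport")
def denied_country_unique_ips(events):    # Top 10 Denied Countries by Unique IP Count
    return hourly_top(events, "country.src", "ip.src")
def denied_dst_ports(events):             # Top 10 Denied Destination Ports (event count)
    return hourly_top(events, "ip.dstport", "ip.src", distinct=False)
```

In the sample, 198.51.100.7 touches three distinct ports in the 10:00 hour while 203.0.113.9 hits port 22 twice, which is why the first dashlet ranks the former highest and the accepted 203.0.113.11 event never appears.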

While working on a solution for collecting logs from a Blue Coat system in a DMZ, we had the requirement that the FTP/FTPS connection traverse a firewall.  The issue that immediately became apparent was that, with the client using Active FTP/FTPS, allowing it to communicate with the Log Collector would require opening almost the entire port range on the firewall.  To resolve this, we turned to a Passive FTP/FTPS configuration, which allowed us to specify the port range used for client/Log Collector communication and write a more acceptable firewall rule.  The explanation below shows how the port assignments work in FTP/FTPS communication.

 

Active FTP/FTPS

Active FTP/FTPS uses random ports to initiate the data channel connection from the Log Collector.  This presents a challenge for use through a firewall, as you cannot predict which ports the server will use to initiate the data transfer.

                FTP/FTPS Client – Random Port1 --> Port 21 – Log Collector (Communication Channel)

                FTP/FTPS Client – Random Port2 <-- Random Port3 – Log Collector (Data Transfer Channel)

NOTE:  Firewalls that are FTP aware generally work fine with this random data port communication, because they can read the control channel, recognise the Data Transfer Channel coming back from the Log Collector to the client, and allow it.  However, when you switch to FTPS the control channel is encrypted, so the firewall cannot tell that the connection coming back from the Log Collector to the client is a Data Transfer Channel and will block it.  This is when you have to use Passive FTP/FTPS or open the entire port range to allow the Log Collector initiated Data Transfer Channel to reach the client.

 

Passive FTP/FTPS

Passive FTP/FTPS uses a defined set of ports for the data channel and the connection is initiated from the client system so that the firewall rules for the ports can be specifically defined instead of random.

                FTP/FTPS Client – Random Port1 --> Port 21 – Log Collector (Communication Channel)

                FTP/FTPS Client – Random Port2 --> Defined Passive Port – Log Collector (Data Transfer Channel)
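The "Defined Passive Port" in the passive exchange above is announced by the server in its 227 reply on the control channel, and the client derives the data port from that reply before opening the second connection. The following is an added example, not from the original post or from any RSA component: it decodes the 227 reply (and, for contrast, the active-mode PORT command), and checks that the announced data port falls inside the passive range the firewall rule permits; the range 50000-50100 is an assumed value for the example.

```python
import re

# Passive port range the Log Collector is configured with and the firewall
# permits towards it (assumed values for the example, not from the post).
PASSIVE_RANGE = (50000, 50100)

# Server reply on the control channel (port 21) after the client sends PASV:
#   227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)
PASV_REPLY = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def decode_hostport(h1, h2, h3, h4, p1, p2):
    """FTP encodes an endpoint as four address octets plus two port bytes:
    port = p1 * 256 + p2."""
    return "%s.%s.%s.%s" % (h1, h2, h3, h4), int(p1) * 256 + int(p2)

def parse_pasv(reply):
    """Return (host, data_port) the client connects TO in passive mode."""
    m = PASV_REPLY.match(reply)
    if not m:
        raise ValueError("not a 227 passive-mode reply: %r" % reply)
    return decode_hostport(*m.groups())

def parse_port_command(cmd):
    """Return (host, data_port) the server connects BACK TO in active mode,
    i.e. the random client port a firewall cannot predict in advance."""
    m = re.match(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$", cmd)
    if not m:
        raise ValueError("not a PORT command: %r" % cmd)
    return decode_hostport(*m.groups())

def encode_pasv_reply(host, port, allowed=PASSIVE_RANGE):
    """Build the 227 reply a server sends for a port chosen from its passive range."""
    if not allowed[0] <= port <= allowed[1]:
        raise ValueError("port %d is outside the configured passive range" % port)
    return "227 Entering Passive Mode (%s,%d,%d)" % (
        host.replace(".", ","), port // 256, port % 256)

def passive_port_allowed(reply, allowed=PASSIVE_RANGE):
    """True when the data port announced in a 227 reply lies inside the range the
    firewall rule opens; anything outside it means the data channel is blocked."""
    _, port = parse_pasv(reply)
    return allowed[0] <= port <= allowed[1]
```

With FTPS the control channel is encrypted, so this check can only be made by the endpoints themselves, which is exactly why the firewall must be given a fixed passive range rather than inspecting the exchange.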

 

Demonstration of Active FTP/FTPS and Passive Configuration Video

 

 

Passive Configuration Only Video

 

While working on getting some Bluecoat devices to use FTPS, we discovered that the original certificates issued on the Log Collector would not work.  The Bluecoat rejected the self-signed certificate for two reasons.  First, the certificate was signed by the Log Collector itself (the Log Collector was the CA) rather than by a separate Certificate Authority.  Second, the common name (CN) was the Puppet Node ID, not an IP address or a hostname resolvable by DNS.  To resolve this, I used the Puppet CA (SA Server) to create a new certificate using the IP address as the CN.  Then I had the Puppet CA certificate added to the Bluecoat trusted certificate store.  We then configured the Bluecoat to send the logs to the IP address that matched the certificate, along with the proper user credentials, and it worked great.  I have created this document and video as a guide to what was done to configure the Log Collector.  Enjoy!

 
