Thursday, October 02, 2008

How to Send Windows Events to Syslog Server

Once we have our Syslog server up and running we can easily configure all our network devices and Linux/Unix-like servers to send their events to the Syslog server, but this is not true for Microsoft Windows servers, as Windows does not support Syslog natively.
There is free software to convert Microsoft Windows Event Viewer logs into Syslog format and send them over to our Syslog server, though.
I am going to introduce three different Windows-to-Syslog forwarders here.
I have introduced the first one before and still insist on using it, since it has more flexibility than the others, like filtering out any messages we don't want forwarded or adding other applications' log files, and its development team is more active:
1- Datagram SyslogAgent
2- Eventlog to Syslog (Purdue University)
One of my visitors noted this one and I ran an initial test on it; it seems to be working fine, and it is worth seeing what he/she commented:
"Purdue University has an outstanding Eventlog to Syslog utility. It's lightweight and completely free. It also runs on Win2k3, Vista, 32-bit and 64-bit systems.
I use it to forward event logs from about 160 servers, and have had no issues whatsoever."
3- NTSyslog
I had some issues with this one last time I tried to set it up so I gave up on this one.


Saturday, September 06, 2008

Make Putty Tab Based!

Everyone knows Putty well, but I always prefer to use SecureCRT because I can open different connections in a tab-based manner, I can easily clone my sessions in case I need more than one session to the same device (mainly for debugging or diagnostic reasons), and I can save my connections into a database which can easily be backed up (Putty stores the sessions in the registry!).
The good part about Putty is that it is free, it is handy, and it requires no installation!
Well, there are always great people out there to make things work better, and thanks to Ramesh I have learned that there is a free add-on called "Putty Connection Manager" which does everything I pointed out earlier. You have your tabbed interface, you can clone your sessions, and everything is stored in a database; above all, it makes Putty look more modern ;)
There are many other useful add-ons for Putty and you can learn about them through the following link:
The Geek Stuff » Turbocharge PuTTY with 12 Powerful Add-Ons - Software for Geeks #3:


Wednesday, August 27, 2008

TCPDUMP Tutorial

TCPDUMP is a wonderful command-line tool which helps analyze and troubleshoot network traffic on a Linux host.

The tcpdump options I use the most are:
  • -n : Don't resolve hostnames.
  • -nn : Don't resolve hostnames or port names.
  • -v, -vv, -vvv : Increase the amount of packet information you get back.
The following are the tcpdump expressions I use the most:

Display any traffic sourced from or destined to a specific host:
  • tcpdump host "Host Address"
Display any traffic sourced from a specific host:
  • tcpdump src "Host-address"
Display any traffic destined to a specific host:
  • tcpdump dst "Host-address"
Display any ICMP traffic:
  • tcpdump icmp
Display any traffic sourced from or destined to a specific network:
  • tcpdump net "net-address"
Display any traffic sourced from or destined to a specific port:
  • tcpdump port "port-number"
Display any traffic sourced from a specific port:
  • tcpdump src port "port-number"
Display any traffic destined to a specific port:
  • tcpdump dst port "port-number"
It is also possible to combine expressions with "and", "or", and "not" (i.e. "except"):

You can learn more about tcpdump options and expressions with great examples at this location: http://dmiessler.com/study/tcpdump/
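To show what the expressions above actually select, here is an added example (not from the original post): a small evaluator for tcpdump-style filters (host/net/port with src/dst qualifiers, protocol names, and "and"/"or"/"not") run over a handful of constructed packet records. The packet list and the PROTOCOLS set are assumptions made for the example.

```python
import ipaddress

# Constructed packet records, standing in for the flows tcpdump would show with -nn:
# (protocol, source address, source port, destination address, destination port).
PACKETS = [
    ("tcp", "192.168.1.10", 51234, "10.0.0.5", 22),
    ("tcp", "10.0.0.5", 22, "192.168.1.10", 51234),
    ("udp", "192.168.1.20", 53000, "10.0.0.53", 53),
    ("icmp", "192.168.1.10", None, "10.0.0.5", None),
    ("tcp", "172.16.0.9", 40000, "10.0.0.5", 80),
]
PROTOCOLS = {"tcp", "udp", "icmp"}   # bare protocol primitives understood here

def primitive(qualifier, kind, value, pkt):
    """Evaluate one primitive: [src|dst] host ADDR, [src|dst] net CIDR,
    [src|dst] port NUM, or a bare protocol name such as icmp."""
    proto, sip, sport, dip, dport = pkt
    if kind == "proto":
        return proto == value
    if kind == "host":
        src_hit, dst_hit = sip == value, dip == value
    elif kind == "net":
        net = ipaddress.ip_network(value, strict=False)   # "net" given in CIDR form
        src_hit = ipaddress.ip_address(sip) in net
        dst_hit = ipaddress.ip_address(dip) in net
    elif kind == "port":
        src_hit, dst_hit = sport == int(value), dport == int(value)
    else:
        raise ValueError("unknown primitive: %s" % kind)
    if qualifier == "src":
        return src_hit
    if qualifier == "dst":
        return dst_hit
    return src_hit or dst_hit          # no qualifier: either direction, as in tcpdump

def parse_primitive(tokens, i):
    """Read one primitive starting at tokens[i]; return it and the next index."""
    qualifier = None
    if tokens[i] in ("src", "dst"):
        qualifier, i = tokens[i], i + 1
    if tokens[i] in ("host", "net", "port"):
        return (qualifier, tokens[i], tokens[i + 1]), i + 2
    if tokens[i] in PROTOCOLS:
        return (None, "proto", tokens[i]), i + 1
    raise ValueError("cannot parse filter at: %s" % " ".join(tokens[i:]))

def matches(expr, pkt):
    """Evaluate a filter with tcpdump's precedence: 'not' binds tightest,
    then 'and', then 'or'. Parentheses are not supported in this small evaluator."""
    tokens = expr.lower().split()
    i, any_clause, clause = 0, False, True
    while i < len(tokens):
        negate = False
        while tokens[i] == "not":               # allow "not", "not not", ...
            negate, i = not negate, i + 1
        prim, i = parse_primitive(tokens, i)
        clause = clause and (primitive(*prim, pkt) != negate)
        if i < len(tokens):
            if tokens[i] == "or":               # close the current and-clause
                any_clause, clause, i = any_clause or clause, True, i + 1
            elif tokens[i] == "and":
                i += 1
            else:
                raise ValueError("expected and/or, got %s" % tokens[i])
    return any_clause or clause

def select(expr, packets=PACKETS):
    """Return the indexes of the packets a filter expression would show."""
    return [n for n, pkt in enumerate(packets) if matches(expr, pkt)]
```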


Friday, July 11, 2008

Dig DNS Lookup in Windows!

Every system administrator dealing with DNS administration knows the power of the "dig" command-line tool in the Linux/Unix environment. But there are times when an administrator needs to monitor and troubleshoot DNS from a Windows station, and she then realizes the deprivation!
The good news is that many Linux/Unix tools have been ported to Windows (check my post about Windows IPFW), and one of them is the "dig" utility.

The Windows version of "dig" can be downloaded and installed from here: http://members.shaw.ca/nicholas.fong/dig/


For those who are new to "dig" the following link helps:
Dig Howto: http://www.madboa.com/geek/dig/


Saturday, June 14, 2008

Perl and Regular Expressions

I have been drawn into an exciting area called "Perl scripting!". It is great fun, and until I started studying Perl I didn't know how much I was lost in system and network administration!
Currently, what I mostly need to do with Perl is text processing.
In my first project I needed to telnet into a Fortigate firewall, send a couple of commands, fetch the output, process and reorder the output (which was the main purpose of the job), store it in a file, and trigger an action if a specific pattern was observed in the output.
All this required complex text processing which could not have been accomplished without "Regular Expressions".
The following are the references I found very useful for getting a grasp of "Regular Expressions" in Perl.
Regular expressions in Perl
Perl regular expressions tutorial
Steve Litt's Perls of Wisdom: Perl Regular Expression


Monday, December 03, 2007

Fighting Spam with Barracuda Spam Firewall

It's been a couple of weeks since I started working on a dedicated solution to fight incoming spam, and I did some study on the history and mechanisms available to block spam and which methods are efficient for an Internet Data Center. I was thinking of implementing SpamAssassin using Qmail as the MTA, but our company policy has changed and now I am considering an anti-spam appliance. There are many appliances available, and most of them have other security features like firewalling, virus scanning and DoS protection.
The Spam Firewall from Barracuda Networks seems a great option to me, with different mechanisms including Bayesian filtering, great control over what should be considered spam and non-spam (ham), and good visibility into what is happening on the box through its statistics. Its control panel has a lot of screens, which might add complexity, but it also gives great control and makes any policy enforcement possible!
I am really impressed with the administration options and I would like to get my hands on it!
Spam Firewall is actually a Linux platform running SpamAssassin at its core.


Tuesday, November 27, 2007

Free Windows TFTP and Syslog server!

It might sound crazy, but I have a Cisco PIX firewall at home (PIX 501); my Internet traffic runs through it over a PPPoE connection, and I have configured it to accept remote VPN connections as well, in case I need to access my data at home while at work.
I was looking for a free and light TFTP server to back up my PIX configuration regularly, and I found exactly what I was looking for at http://tftpd32.jounin.net/. tftpd32 is not just a TFTP server but a DHCP and Syslog server as well. The next question was running TFTP as a service, which I found the answer to here: HOW TO install Windows tftpd as service.


Friday, September 28, 2007

Exinda Networks WAN Optimizer Appliance!

We provide Internet bandwidth to different organizations and individuals and offer a variety of services over that bandwidth, like Web, Email, and Voice. Customers can select from a range of services with different pricing matching their bandwidth or quality requirements, and we need to make sure customers are receiving what they have signed up for with us.
Some receive dedicated bandwidth and some shared bandwidth, and no matter which of these two categories they fall into, they expect good quality on delay-sensitive services like Voice and Conferencing traffic, which needs to be guaranteed. These policies can be imposed on DSLAMs and routers close to the customer, but not every detail can be addressed on routers and DSLAMs; besides, it makes sense to have an appliance standing at the top of the network hierarchy as a single point of policy enforcement.
Many vendors provide appliances called WAN Accelerators or Optimizers, and they all optimize or accelerate traffic with features such as compression, caching, changing TCP headers, and enforcing QoS.
I have one of these appliances from "Exinda Networks" in my network for evaluation. It provides reporting through statistics and graphs, and it does it really well! There are a variety of report categories available, such as Realtime, Applications, Hosts, Subnets, Conversations, and Application Statistics, and in each category it is possible to drill down into a specific traffic type. All these reports help build up a network traffic profile and then develop and enforce proper optimizer policies to meet the concerns, criteria, and requirements.


Thursday, September 13, 2007

How to Implement Source Routing With Linux

As mentioned in my previous post, I have an Internet gateway which is a Linux box, and I have two Internet connections connected to that server. One is a 2Mbps leased line and the other a 1Mbps wireless connection. I want hosts from specific subnets to have their Internet traffic directed to the wireless Internet connection while others go through the leased-line link.

This is easily done with Linux and the iproute2 suite, which is installed by default on Fedora.

By default all routes are stored in a table called "main", and by issuing the following command the routes stored inside this table can be displayed:

  • ip route list table main
The results are exactly the same as just running the "route" command.

Any routing lookup on this server is done in the "main" table unless specified otherwise. But how is this possible?

It is also possible to define new routing tables, put different routing entries inside the newly defined table, and apply rules so that traffic from specific sources is directed to this new table for route lookup!

First:

we need to create a new table, which is easily done by adding a table number and name at the end of /etc/iproute2/rt_tables. It may look like this:

10 wireless-link

Second:

New routes should be added to this table:

  • ip route add 192.168.120.0/24 via 192.168.10.1 table wireless-link
  • ip route add default via 80.120.99.12 table wireless-link (This defines the default route for "wireless-link" routing table)
  • ip route list table wireless-link (This will display routes added to wireless-link)

Third:

Routing rules must define when lookups must be done in the "wireless-link" table!

  • ip rule add from 192.168.120.0/24 table wireless-link
  • ip rule list (display ip rules)

From now on, all traffic coming from 192.168.120.0/24 will be directed to the wireless-link table, so its default route will be via 80.120.99.12, while traffic from other sources will still look up routes in the "main" table, which has its own default route (Leased-Line).

To undo the ip rule and routes, the following syntax must be followed:

  • ip rule del from 192.168.120.0/24 table wireless-link
  • ip route del default via 80.120.99.12 table wireless-link
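To make the rule-then-table lookup concrete, here is an added example (not code from the post) that emulates the kernel's policy routing walk in plain Python with the tables and rule from the steps above. The connected 192.168.10.0/24 route, the leased-line gateway 203.0.113.1 and the rule priority 32765 are constructed placeholders.

```python
import ipaddress

# Routing tables as set up in the post. Entries are (destination, next hop);
# None means directly connected. The "main" table's connected route and its
# leased-line default gateway (203.0.113.1) are constructed placeholders.
TABLES = {
    "main": [
        ("192.168.10.0/24", None),
        ("192.168.120.0/24", "192.168.10.1"),
        ("0.0.0.0/0", "203.0.113.1"),
    ],
    "wireless-link": [
        ("192.168.120.0/24", "192.168.10.1"),
        ("0.0.0.0/0", "80.120.99.12"),
    ],
}

# Policy rules as `ip rule list` would show them, lowest priority number first.
# The "ip rule add from 192.168.120.0/24 table wireless-link" from the post is
# given priority 32765 here (assumed), ahead of the default "from all lookup main"
# rule at 32766. The "local" table rule at priority 0 is left out.
RULES = [
    (32765, "192.168.120.0/24", "wireless-link"),
    (32766, "0.0.0.0/0", "main"),
]

def lookup_table(table, dst):
    """Longest-prefix match inside one table; returns (prefix, next hop) or None."""
    best = None
    for prefix, next_hop in TABLES[table]:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, next_hop)
    return best

def route(src, dst):
    """Emulate the rule walk: rules are tried by ascending priority, the first
    whose 'from' selector matches picks the table, and if that table holds no
    matching route the walk continues with the next rule."""
    for _prio, selector, table in sorted(RULES):
        if ipaddress.ip_address(src) not in ipaddress.ip_network(selector):
            continue
        hit = lookup_table(table, dst)
        if hit is not None:
            return table, str(hit[0]), hit[1]
    return None
```

Note that the wireless-link table as written has no route for the gateway's own LAN, so traffic from 192.168.120.0/24 to 192.168.10.0/24 is also sent to 80.120.99.12; copying the connected routes into the new table avoids that.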


Monday, August 27, 2007

Route Policy With Linux

In one of our premises I have two firewalls: a Linux iptables box and a Microsoft ISA Server.
I have two Internet connections, each connected to one firewall, and the plan is to remove the ISA server and add the Internet connection (currently serving the ISA server users) to the Linux box, which makes two Internet connections on the same server. I have around 20 VLANs and I want to split Internet traffic between these two connections based on the source address. This can easily be done with the iproute2 suite. I have not done this before, but I am studying it and it seems easy and straightforward. I will post more on this later.


Monday, July 02, 2007

Started CCSP Path with SNPA

After a relatively long time I took the 642-522 exam, known as "Securing Networks with PIX and ASA - SNPA", today and passed smoothly. I achieved this by studying the Cisco Press SNPA official certification study guide and hands-on experience with Cisco PIX devices.
SND is the next stop...


Monday, May 14, 2007

How To Set Up A Linux Syslog Server

Any network administrator in charge of a few network devices would like to keep a record of the events on these devices, like:
  • who logged into the devices (or tried to connect to network devices)
  • when he/she tried to log in
  • what she/he did after login
  • what changes and events have been announced on the device (like interface status changes)
and lots of other information that might give a clue about a policy violation or help track a series of events that led to a network disruption incident.
What I am talking about is having a simple SYSLOG server in place to collect all log messages in a central location.
If you need to set up a quick and easy syslog server, just follow the link below. It is meant for Debian but will work on almost all Linux distributions:
Linux Syslog Server - How To Set Up A Debian Linux Syslog Server


Thursday, May 10, 2007

Linux Traffic Control, DNS ALG issue , and Service Monitoring

I am busy with a couple of interesting things that keep me away from posting here.
First,
I am working on a Linux box which is an Internet gateway and controls traffic using iptables, and at the same time it acts as the inter-VLAN router for around 10 VLANs using 802.1Q. I am trying to run some sort of QoS to put traffic control on every VLAN for their Internet usage. And with Linux this is easily done with a tool called TC.
I have said this before, but it is worth mentioning again that with Linux we get tons of outstanding networking features that give us full control over our network and what is running behind the scenes on the wires! I am really impressed!!!
Second,
My firewall is not handling DNS ALG as expected, so it has caused us some disturbance. Everything is fine with outside-to-inside regular DNS queries, but when a DNS query for a PTR record comes in, the DNS ALG does not translate the IP address in the response payload, while it does so for forward queries. According to RFC 2694 this should work, unless our firewall is not RFC compliant. I am documenting the issue with reference to the RFC to send over to our firewall vendor.
Third,
I was studying available service monitoring tools to monitor our IDC services and servers and have nearly reached the conclusion to implement "ManageEngine Applications Monitor", and I already have a pilot server in place. I will post on it later.


Tuesday, April 17, 2007

Monitoring in a Data Center

I was thinking about what we need to consider for a thorough monitoring strategy in an IT environment like a Data Center. There are various areas that should be monitored to meet High Availability. Monitoring can be categorized as follows:
  • Physical Access
  • Environmental Parameters
  • Hardware
  • Bandwidth Usage
  • Server Connectivity
  • Server Resources Usage
  • Service Availability
  • Traffic Analyzing
  • Log Analyzing
For each monitoring category there are many tools available, both commercial and free (mainly Open Source), that can be obtained and implemented. Some tools might cover more than one of the above categories and some are limited to a single category.
Having all of these monitoring services and procedures in place might be too expensive for some organizations, and based on priorities and needs one or some of the above might be picked.
I will post more about monitoring later.


Wednesday, April 11, 2007

RFC 4732 - Internet DoS Considerations

I came across RFC 4732, which is titled "Internet Denial-of-Service Considerations". In the abstract it says "The aim (of this document) is to encourage protocol designers and network engineers towards designs that are more robust".
This is an appetizing topic for every network administrator.

Internet Denial-of-Service Considerations


Sunday, March 11, 2007

The Challenges of a Firewall Administrator

A firewall administrator must have a good understanding of the applications and the way they work behind the scenes. Some protocols are unruly in their communication pattern, and some put layer 3 and layer 4 addressing in the payload, which adds another twist to the problem. Lastly, sometimes the direction in which the protocol is initiated is unclear!
When working with firewalls to provide access to services and applications, the following must be considered carefully:
  1. Some protocols are unruly in their communication (FTP)
  2. Some put addressing in the payload (FTP, SIP, PPTP)
  3. Some confuse us about the direction of the communication (SNMP, SNMP Trap)
So anyone who is in complete charge of a firewall needs to know how the communication of each protocol happens:
Do we need an inbound or outbound connection? (Where will the traffic be initiated?)
Is it TCP or UDP, or do we need to put in a protocol number?
Do we also need to handle address translation in the payload?

All this brings up a great challenge for a firewall administrator, which forces him to get to know applications and protocols well enough to tackle the problems.


Saturday, February 10, 2007

How to Add Persistent Static Routes in Linux

At times, when I work on my Linux box, I forget about the configuration file game and expect some tasks to be completed just by putting some commands on the command line!
This is the second time that I have forgotten to add my static routes to the config file and woken up after my server needed a reboot and things started going wrong afterwards!
The easy way, which works in any distribution, is to simply add the routes in /etc/rc.local, but this is not welcomed by many professionals:
route add -net 192.168.125.0 netmask 255.255.255.0 gw 192.168.110.1
route add -net 192.168.145.0 netmask 255.255.255.0 gw 192.168.110.1

But to do it properly in Red Hat and Fedora distributions, we have to create a configuration file for each interface. For example, for all routes that need to go out through "eth1", a config file named "route-eth1" must be created at "/etc/sysconfig/network-scripts/route-eth1" containing the following:
(I will take the above routes as an example)

GATEWAY0=192.168.110.1
NETMASK0=255.255.255.0
ADDRESS0=192.168.125.0

GATEWAY1=192.168.110.1
NETMASK1=255.255.255.0
ADDRESS1=192.168.145.0

So if there are different interfaces that correspond to different routes, we should expect config files like "route-eth0", "route-eth1", "route-eth2" in "/etc/sysconfig/network-scripts/".


Friday, January 05, 2007

GRE Tunnel Problem

I have two GRE tunnels from the NOC to two remote sites, and since I set these tunnels up I have had a problem with one of the management software packages. It happens that it stops responding and generates "Time Out" messages when it is left idle for about 10 minutes, and after 2 or 3 unsuccessful tries it comes back to life. All other connections (RDP, FTP, SSH) through these tunnels function smoothly at any given time, but our NGN department engineers are getting annoyed once a customer calls, since they need to send their commands a couple of times until their software responds!
One GRE tunnel is set up between two Huawei Eudemon firewalls and another between a Huawei access router and an Eudemon firewall.
My studies show that this behaviour is due to over-sized packets as a result of the added tunneling headers.
I will be posting more on this issue once any progress is made.


Friday, November 10, 2006

Syslog Message Header Format

Finally I fixed my problem with Huawei syslog messages! Actually, I found a workaround for it on my Syslog-NG server. There is a bad_hostname("regexp") directive in the syslog-ng configuration file which, if specified, can be used to ignore wrong hostnames extracted from syslog message headers, and the cool thing is that you can use regular expressions to specify a range of hostnames matching your criteria. Once a bad_hostname matches, syslog-ng looks into the IP header instead for the source address and places this address as the hostname.

But to find out what exactly the problem was, I decided to take a close look at RFC 3164. Section 4.1.2 says:
  • The HEADER contains two fields called the TIMESTAMP and the HOSTNAME.
  • The TIMESTAMP field is the local time and is in the format of "Mmm dd hh:mm:ss" (without the quote marks)
  • A single space character MUST follow the TIMESTAMP field
  • The HOSTNAME field will contain only the hostname, the IPv4 address, or the IPv6 address of the originator of the message. The preferred value is the hostname
  • Example: <34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8
It firmly defines what a syslog message format should be, and to see how Huawei complies with this format I captured traffic from Huawei routers and switches with tcpdump:
>Oct 28 16:15:03 2006 SHZ-C2H-Router IFNET/5/UPDOWN:S[|syslog]

OK! Instead of the HOSTNAME straight after the TIMESTAMP I see "2006", which is the YYYY part of the current date on Huawei devices!
Anyway, as soon as the bad_hostname directive is there, there is no need to bother with this kind of problem!
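As an added illustration (not code from the post or from syslog-ng), here is a small RFC 3164 header parser that reproduces both the mis-parse above and the bad_hostname() fallback to the sender's IP address. The constructed Huawei-style line assumes a <38> priority and message text, which the capture above does not show; matching the regex against the whole hostname token is also an assumption about syslog-ng's behaviour.

```python
import re

# RFC 3164 layout: <PRI>TIMESTAMP HOSTNAME MSG, with TIMESTAMP as "Mmm dd hh:mm:ss"
# and exactly one space after it. A strict receiver takes the next token as HOSTNAME.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$",
    re.DOTALL,
)

def parse_rfc3164(line, source_ip, bad_hostname=None):
    """Split a syslog line the way an RFC 3164 receiver does. If the extracted
    HOSTNAME matches the bad_hostname regex, the sender's IP address replaces it,
    mirroring the syslog-ng bad_hostname() workaround (the regex is matched against
    the whole token here, an assumption about syslog-ng's exact matching)."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    pri = int(m.group("pri"))
    host = m.group("host")
    from_ip = bool(bad_hostname) and re.fullmatch(bad_hostname, host) is not None
    return {
        "facility": pri // 8,      # PRI = facility * 8 + severity
        "severity": pri % 8,
        "timestamp": m.group("ts"),
        "host": source_ip if from_ip else host,
        "host_from_ip": from_ip,
        "msg": m.group("msg"),
    }

# The RFC's own example, and a constructed Huawei-style line modelled on the
# capture above: the <38> priority and the message text after the hostname are constructed.
RFC_EXAMPLE = "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"
HUAWEI_LINE = "<38>Oct 28 16:15:03 2006 SHZ-C2H-Router IFNET/5/UPDOWN: constructed message"
```

Without a bad_hostname pattern the Huawei line yields the host "2006" with the real hostname pushed into the message, exactly what php-syslog-ng displayed; with bad_hostname set to a four-digit pattern the source IP is used instead.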


Thursday, October 19, 2006

Huawei Devices and Strange Syslog Message Format!

My php-syslog-ng is up and running and I am in the process of configuring all my nodes to send their syslog messages to the syslog-ng server, but there seem to be some problems on some devices. No problem with my Linux servers and my Huawei firewalls, but Huawei switches and routers are apparently using the wrong syslog message format. I can see all my switches and routers as a host named "2006", which is the YYYY part of the date, in my php-syslog-ng web interface! And the hostname appears in the message string, which is different from what RFC 3164 says about the syslog packet header. It seems that Huawei managed to have its own syslog message format on some of their devices. I am looking for some way to change this behavior.


Saturday, October 15, 2005

D-Link 16-Port IP DSLAM

D-Link IP DSLAMs come in stand-alone (8, 16, 24 ports) and stackable (48 ports) versions, and there is no modular option available. Well suited and affordable for small and small-to-medium businesses.

Tuesday, July 19, 2005

NetDefend: D-Link Firewall/VPN Solution

NetDefend series are D-Link's firewall and VPN solution products. Unfortunately, D-Link is not a trusted brand in my country, but I have received unexpected feedback on D-Link firewalls expressing satisfaction. A couple of days ago one of these customers told me that he is experiencing better performance on their DFL-1500 firewall compared with their Cisco PIX firewall! I couldn't take this seriously, but he meant it.
Personally I don't believe that D-Link firewalls deserve to get a better rating than Cisco PIX firewalls but this is a good message for those unfairly underestimating D-Link products.


Sunday, March 06, 2005

D-Link DI-624 Router

I do not have a broadband Internet connection at home yet, but once I get it I would put D-Link's DI-624 Router on my Must Have List! The DI-624 is a "Basic Firewall", "Internet Sharing Server", "802.11g Access Point with Super G (108Mbps) support", and "4-port Switch", with many other great features like "MAC Filtering, URL and Domain Blocking, Scheduling, IP Filtering for more internet access control" that make it a great residential gateway for home and small office users.


Wednesday, July 07, 2004

Top Ten Cisco IOS Tips

I was digging into my old favorite entries and got to this old topic from James Boney, the author of "Cisco IOS in a Nutshell", a great book for both Cisco newcomers and veterans. In the first part of the book some IOS and router basics and configurations are explained, and the second part is a command reference, which I really like.
Basic tips, but worth a look:
O'Reilly Network: Top Ten Cisco IOS Tips


Friday, June 11, 2004

Explaining IP Helper Addresses!!!

An innovative way to explain what the "Cisco Router IP Helper-Address Command" is and how it should be configured! Let your UDP broadcasts pass through:
Trinity explains IP Helper Addresses
Well, some people have their own way to explain things!
