Outputting Event Log Events to a Remote SQL Database Using PowerShell

Peter McEldowney, Mark Waddington | Capstone CSNT 255

Objective: After completing this lab, the Administrator will have the Event Log from the computer of their choice uploading information to a SQL database. The step-by-step outlines how to create the tables that will be used to organize the data and covers how to write a basic SQL script to create those tables. Within that script, indexes are discussed to ensure quick access to the data by a particular indexed column, along with items to be aware of. After the tables are created, a script to upload the event log items to the SQL server will be written so that it can be run from any machine, ensuring scalability. After the script is created and tested, this step-by-step goes through how to create a trigger that runs the script whenever a new event log entry is created.

Requirements: PowerShell 3.0, Microsoft SQL Server [w/ Management Tools]

Step 1: Create a diagram of the tables that will be used to store the data

Considerations when designing your tables:
a) What data is available?
b) How will you identify the machine once the data is in the database?
c) What log did the data come from and how will this be stored in the database?
d) Is there an efficient way to organize the data to make retrieving the data quicker?
e) What columns will people be searching from?
f) What should the Primary Keys for the table(s) be?
   What is a Primary Key? A primary key is basically an index number: the unique number that identifies a particular row. For example, if 2 rows have the same information, how would we identify which row is which?
g) What should the Foreign Keys be?
   What is a Foreign Key? Foreign Keys refer to data from another table. These are primarily used to link tables. For example, say you have data in one table and the computer that uploaded the data in another. The foreign key in the data table would reference an identifying key in the other table so that the data can be linked to the associated machine.

The tables and relationships that are being made are referred to as an Entity-Relationship Diagram. Not only will creating this make building the SQL script to create the databases easier, but it will also allow future database users to access the data efficiently and know what data is available.

a) What data is available?
The best way to identify the available data is by looking at the data. For example, using PowerShell, we can pull event log data and look at what is available. Try this command in PowerShell to find the available data:
Ex: Get-EventLog -LogName System -Newest 1 | Format-List
Now we must decide what information we want to log in our database. [Remember: Databases can grow to be massive, so for a large environment it may be more efficient to take only critical information. In this tutorial, we will be uploading all information because we can.]
We can retrieve a specific property by wrapping the command (the text before the pipe |) in parentheses () and appending a period followed by the name of the property we want.
Ex: (Get-EventLog -LogName System -Newest 1).Index
Now that we have the information available, we can start grouping particular items together and deciding how we want to arrange everything.

b) Identifying the original machine
This can be done within the PowerShell script that will be created in Step 3. Try this command in PowerShell for a preview of how this will be accomplished.
Ex: [Environment]::MachineName

c) Identifying the originating system log
Different logs are kept for different aspects of the system. For example, DNS has its own log, PowerShell has its own log, and so do System tasks. The available logs on a system can be obtained by running the following:
Ex: Get-EventLog -LogName *

d) Organizing the data for efficiency
This step all depends on the volume of data that will be stored within the database. For centralized Event Log management, it may be beneficial to store only EntryType, Message, Source, and Username within 1 table so that less data is retrieved when searching for errors. An example is portrayed below. Notice how only crucial information is stored in the primary table. All other data must be referenced by joining tables together by their shared keys (foreign keys).

e) Frequent columns
Generally people will be searching for information based on specific columns. These columns (like name of the computer, the type of entry, source, etc.) are columns that should carry indexes. An index is simply a tag put onto a column so that it is monitored for efficient data retrieval. One caution of using indexes is that every time new data is entered, the index must be re-evaluated. As you can imagine, this can cause a great deal of decreased performance and may even crash systems that are inadequate for supporting the amount of data being uploaded. Indexes are not required (and are not covered here) but are an important aspect to consider if deploying on a large scale, as they are much easier to incorporate when designing than to implement during production.

f) Primary Keys
Primary key columns are (as described above) a unique identifying key. No 2 primary keys in a table can be the same or the data would be inconsistent. This is why it is best to create a special column for the primary key and set it to auto-increment. In the entity-relationship diagram below, you can see how columns with PK are identified with some sort of text that is followed by _id.

g) Foreign Keys
FKs should be easy to identify and associate with other tables. The most difficult part is coding Foreign Keys. One nice part about foreign keys is that you can set constraints on the data that is referenced. For example, if we use the code exemplified below, then when the referenced data in the other table is deleted, the delete is cascaded so that the row in the table with the foreign key and all associated data is also removed. This helps with normalization to ensure that all data that is stored is related to other data and is not just fluff data.
Ex: evl_id_fk INT FOREIGN KEY REFERENCES [evl_data] ON DELETE CASCADE
(With no column list after the table name, the foreign key references that table's primary key.)

Step 2: Create the Database Script
[This script should be based on the information outlined in your Entity-Relationship Diagram]

Considerations when creating the database script:
a) Identify what type of data will be stored in each column.
b) Are there any columns where data entry should be mandatory?
c) What are the constraints on the table and how are these foreign keys identified in the script? Will a delete of data from one table cascade to the others?

How to create a SQL database from a script:
[Reference your diagram and use the tables below to help with data types and optional parameters]
The first item in order is to create the database. This can be done with CREATE DATABASE [dbname]; You must then USE [dbname]; to work with the database. This is demonstrated on Page 7.

Generic CREATE TABLE structure for Microsoft SQL Server (or T-SQL):
CREATE TABLE [table_name] (
    [column_name] [data type] [optional parameters],   -- columns are delimited by a comma to indicate the next column
    index_number INT PRIMARY KEY IDENTITY,
    other_table_index INT FOREIGN KEY REFERENCES [other_table_name](other_column_name),
    timestamp DATETIME NOT NULL,
    logname VARCHAR(50) NOT NULL,
    username VARCHAR(50)
)

What are Data Types?
A data type is what is held by that particular variable, column, etc. For example, if a column will always hold a number, it will have INT (or integer) as its data type to limit what the cell can hold. A field can also have DECIMAL(9,2) (where 9,2 means up to 9 digits in total, 2 of them after the decimal point). Things like DATETIME are data types (DATE only stores the date, but DATETIME stores both, depending on your needs). These can be found very easily through a quick search for almost any programming language. Some of the most common data types for SQL are below:

Syntax         Data Type               Meaning (remember, n and d are numbers of your choice)
INT            Integer                 An integer is just a whole number (not a fraction); T-SQL's INT takes no length argument
CHAR(n)        n characters            A fixed-length field of length n
VARCHAR(n)     Up to n characters      A variable-length character field with a maximum length of n
DECIMAL(n,d)   Number with a decimal   A number of up to n digits, d of which are stored after the decimal point
DATE           Only stores the date    Stores month, day, and year; nothing more
DATETIME       Stores date and time    Stores the date plus hour, minute, second, and fraction of a second

There are many more, but these should handle your needs for this task.

What kind of optional parameters are available?

Parameter                           Meaning
PRIMARY KEY                         A reference number for a row (there cannot be 2 identical values of a primary key)
IDENTITY(s,i)                       Indicates that the value should be auto-incremented for each new entry; s = seed [or starting number], i = increment [the number the value goes up by]; default (1,1)
FOREIGN KEY                         Identifies a relationship to another table (with constraints set, the value must exist in the other table)
REFERENCES [table_name](col_name)   Comes after FOREIGN KEY to indicate the table (and column) that should be referenced when associating the row with another table
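The following PowerShell script is an added example, not the lab's own Step 2 or Step 3 script. It builds the tables from the Step 1 design (a primary table holding only the frequently searched columns, a detail table linked by a foreign key with ON DELETE CASCADE, and a machine table keyed by [Environment]::MachineName), then uploads the newest events with parameterized INSERTs. The instance name localhost\SQLEXPRESS, the database name EventLogs and the table and column names are assumptions; it assumes the current Windows user may create the database.

```powershell
# Added example, not the lab's own script. Assumptions: SQL Server reachable at
# $ServerInstance with Windows authentication for the current user, and the
# table layout below (evl_machine, evl_data, evl_detail), which follows the
# Step 1 design: only frequently searched columns in the primary table.
param(
    [string]$ServerInstance = 'localhost\SQLEXPRESS',   # assumed instance name
    [string]$Database       = 'EventLogs',              # assumed database name
    [string]$LogName        = 'System',
    [int]$Newest            = 10
)

# Step 2 database script as a T-SQL here-string. Deleting a machine cascades
# to its evl_data rows, and deleting an evl_data row cascades to evl_detail.
$schema = @"
IF OBJECT_ID('dbo.evl_machine') IS NULL
CREATE TABLE evl_machine (
    machine_id   INT PRIMARY KEY IDENTITY(1,1),
    machine_name VARCHAR(50) NOT NULL UNIQUE
);
IF OBJECT_ID('dbo.evl_data') IS NULL
CREATE TABLE evl_data (
    evl_id        INT PRIMARY KEY IDENTITY(1,1),
    machine_id_fk INT NOT NULL FOREIGN KEY REFERENCES evl_machine(machine_id) ON DELETE CASCADE,
    logname       VARCHAR(50)  NOT NULL,
    timestamp     DATETIME     NOT NULL,
    entrytype     VARCHAR(20)  NOT NULL,
    source        VARCHAR(255) NOT NULL,
    username      VARCHAR(255),
    message       VARCHAR(MAX)
);
IF OBJECT_ID('dbo.evl_detail') IS NULL
CREATE TABLE evl_detail (
    detail_id   INT PRIMARY KEY IDENTITY(1,1),
    evl_id_fk   INT NOT NULL FOREIGN KEY REFERENCES evl_data(evl_id) ON DELETE CASCADE,
    event_index INT NOT NULL,
    event_id    INT NOT NULL,
    category    VARCHAR(255)
);
-- Index the columns people search on (Step 1e); it costs a little on every insert.
IF NOT EXISTS (SELECT 1 FROM sys.indexes WHERE name = 'ix_evl_data_search')
CREATE INDEX ix_evl_data_search ON evl_data (machine_id_fk, entrytype, source);
"@

# SqlClient parameters reject $null, so map empty event fields to DBNull.
function ConvertTo-DbValue($v) { if ($null -eq $v -or $v -eq '') { [DBNull]::Value } else { $v } }

$cs   = "Server=$ServerInstance;Database=master;Integrated Security=True"
$conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $cs
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    # CREATE DATABASE cannot take a parameter; $Database is an admin-chosen
    # setting, not event data, so it is spliced into SQL here and nowhere else.
    $cmd.CommandText = "IF DB_ID('$Database') IS NULL CREATE DATABASE [$Database];"
    [void]$cmd.ExecuteNonQuery()
    $conn.ChangeDatabase($Database)        # the USE [dbname] step
    $cmd.CommandText = $schema
    [void]$cmd.ExecuteNonQuery()

    # Register this machine once and fetch its key (Step 1b).
    $cmd.CommandText = @"
IF NOT EXISTS (SELECT 1 FROM evl_machine WHERE machine_name = @name)
    INSERT INTO evl_machine (machine_name) VALUES (@name);
SELECT machine_id FROM evl_machine WHERE machine_name = @name;
"@
    [void]$cmd.Parameters.AddWithValue('@name', [Environment]::MachineName)
    $machineId = [int]$cmd.ExecuteScalar()

    foreach ($e in Get-EventLog -LogName $LogName -Newest $Newest) {
        # Message and UserName are text written by whatever logged the event;
        # binding them as parameters keeps quotes or SQL keywords inside them
        # from being executed. SCOPE_IDENTITY() links the detail row to its parent.
        $cmd.Parameters.Clear()
        $cmd.CommandText = @"
INSERT INTO evl_data (machine_id_fk, logname, timestamp, entrytype, source, username, message)
VALUES (@mid, @log, @ts, @type, @src, @user, @msg);
INSERT INTO evl_detail (evl_id_fk, event_index, event_id, category)
VALUES (SCOPE_IDENTITY(), @idx, @eid, @cat);
"@
        [void]$cmd.Parameters.AddWithValue('@mid',  $machineId)
        [void]$cmd.Parameters.AddWithValue('@log',  $LogName)
        [void]$cmd.Parameters.AddWithValue('@ts',   $e.TimeGenerated)
        [void]$cmd.Parameters.AddWithValue('@type', $e.EntryType.ToString())
        [void]$cmd.Parameters.AddWithValue('@src',  $e.Source)
        [void]$cmd.Parameters.AddWithValue('@user', (ConvertTo-DbValue $e.UserName))
        [void]$cmd.Parameters.AddWithValue('@msg',  (ConvertTo-DbValue $e.Message))
        [void]$cmd.Parameters.AddWithValue('@idx',  $e.Index)
        [void]$cmd.Parameters.AddWithValue('@eid',  $e.EventID)
        [void]$cmd.Parameters.AddWithValue('@cat',  (ConvertTo-DbValue $e.Category))
        [void]$cmd.ExecuteNonQuery()
    }
}
finally { $conn.Close() }
```

Because the script talks to System.Data.SqlClient directly, it needs no SQL Server PowerShell module on the uploading machine; running it from a second computer adds that machine's own row to evl_machine.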