Wednesday, 8 October 2014

Centralising windows logs securely using NXLog and LogStash (Part 1 - Overview)

At work, I have many Windows servers.  I've started to investigate ways of getting the logs from the servers into a central place.

I'm going to use nxlog to gather the logs on the Windows hosts, and then send them to a LogStash server (running on Debian).

LogStash will do some filtering and parsing out of fields, and then the logs will be sent to an Elasticsearch cluster.

These posts will detail how I've configured the NXLog and LogStash parts, focusing on securing the transport so the logs are protected while in transit.


Part 2 - Creating a self-signed certificate

Centralising windows logs securely using NXLog and LogStash (Part 2 - Creating a self-signed certificate)


There are other ways of creating a 'self-signed' certificate, but I'll be using a Debian Wheezy box and the 'openssl' utility.


1. Create a private key

This will create a 2048-bit private key, and save it in a file called 'logstash-server.key'

# openssl genrsa -out logstash-server.key 2048





2. Create a certificate signing request

# openssl req -new -key logstash-server.key -out logstash-server.csr

Fill out the details as required.  I've highlighted & obfuscated my input on the screenshot below




There are now two files - the private key file and the CSR file


The private .key file needs to be kept in a secure place; its contents should look similar to those shown below


The CSR file can be viewed as well


...and can be checked by typing this command

# openssl req -in logstash-server.csr -noout -text


3. Self-sign the request

Now we need to sign the CSR with the private key generated earlier.  (Note: for certificates that are not self-signed, the CSR would be signed by a trusted certificate authority's private key.)

# openssl x509 -req -days 1830 -in logstash-server.csr -signkey logstash-server.key -out logstash-server.crt

A certificate file (ending in .crt) will be generated


And openssl can show details of the signed certificate.

# openssl x509 -in logstash-server.crt -text -noout

Notice that the Issuer is the same as the Subject (i.e. self-signed) and that the expiry date is 1830 days from now


4. So where are we now?

We have a private key and a self-signed certificate.  The .csr can be deleted if you want; the only reason to keep it is if the certificate needs to be renewed.
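The four steps above, as an added example that is not part of the original post: the same openssl commands run non-interactively (the subject is passed with -subj instead of being typed at the prompts), followed by the checks worth doing before trusting the files, namely that Issuer equals Subject, that the certificate really matches the private key, and that the .key file is readable by its owner only. The subject string and the output directory are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): steps 1-4 run non-interactively,
# plus the checks worth doing on the result. Subject and directory are assumptions.
set -eu

# Steps 1-3: private key, CSR (-subj replaces the interactive prompts), self-sign.
# Runs in a subshell so the umask change does not leak into the caller's shell.
make_selfsigned() {
    dir="$1"; subj="$2"
    (
        umask 077    # new files are owner-readable only, which protects the .key
        openssl genrsa -out "$dir/logstash-server.key" 2048 2>/dev/null
        openssl req -new -key "$dir/logstash-server.key" \
            -out "$dir/logstash-server.csr" -subj "$subj"
        openssl x509 -req -days 1830 -in "$dir/logstash-server.csr" \
            -signkey "$dir/logstash-server.key" \
            -out "$dir/logstash-server.crt" 2>/dev/null
    )
}

# Step 4 checks: Issuer equals Subject, the certificate's public key matches the
# private key, and nobody but the owner can read the key file. Prints "ok".
check_selfsigned() {
    crt="$1/logstash-server.crt"; key="$1/logstash-server.key"
    issuer=$(openssl x509 -in "$crt" -noout -issuer | sed 's/^[a-z]*=//')
    subject=$(openssl x509 -in "$crt" -noout -subject | sed 's/^[a-z]*=//')
    [ "$issuer" = "$subject" ] || { echo "not self-signed: issuer differs"; return 1; }
    # Compare the public key embedded in the cert with the one derived from the key.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl dgst -sha256)
    [ "$cert_pub" = "$key_pub" ] || { echo "certificate does not match key"; return 1; }
    perms=$(ls -l "$key" | cut -c1-10)
    [ "$perms" = "-rw-------" ] || { echo "key perms are $perms, want -rw-------"; return 1; }
    echo ok
}

# Demo: generate into a temporary directory, verify, and show subject and expiry.
work=$(mktemp -d)
make_selfsigned "$work" "/C=GB/O=Example Ltd/CN=logstash.example.internal"
check_selfsigned "$work"
openssl x509 -in "$work/logstash-server.crt" -noout -subject -enddate
```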

Next, let's configure LogStash to use the certificate

Monday, 18 November 2013

Server 2012 (and 2012R2) basic unattend.xml for unattended server build

I wanted to template a machine in VMware (there's no reason this shouldn't work for other build methods) to minimise the time it takes to build a new machine.  Initially I wanted to do the bare minimum:-
  • Accept the EULA
  • Set the regional settings and time zone to be en-GB (the machines are for a UK audience)
  • Set a password of 'Pa$$w0rd' (it's changed later by a different build script)
The code I've placed at the bottom of this post does just this.  It was saved into a file I called 'myUnattended.xml' which I saved in C:\windows\System32\SysPrep (but it can be saved anywhere).  I then ran:-

sysprep /generalize /oobe /shutdown /unattend:myUnattended.xml

which then prepares the machine and shuts it down.  Convert the machine to a template, and it's ready for new machines to be built from it.




<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
<settings pass="oobeSystem">
 <component name="Microsoft-Windows-International-Core" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <InputLocale>en-GB</InputLocale>
  <SystemLocale>en-GB</SystemLocale>
  <UILanguage>en-GB</UILanguage>
  <UILanguageFallback>en-GB</UILanguageFallback>
  <UserLocale>en-GB</UserLocale>
 </component>
 <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <OOBE>
   <HideEULAPage>true</HideEULAPage>
  </OOBE>
  <TimeZone>GMT Standard Time</TimeZone>
  <UserAccounts>
   <AdministratorPassword>
    <Value>Pa$$w0rd</Value>
   </AdministratorPassword>
  </UserAccounts>
 </component>
</settings>
</unattend>

Monday, 16 January 2012

Create a new Exchange receive connector using EMC

New-ReceiveConnector -Name MyReceiveConnector -Usage 'Internal' -RemoteIPRanges '10.0.0.30-10.0.0.31'

Monday, 11 April 2011

Testing if a variable is a specific type in Powershell

if ($variable -is [int]) {
  Write-Host "the variable is an integer"
}


Found on http://www.computerperformance.co.uk/powershell/powershell_syntax.htm under Powershell Operators

Powershell - Creating a custom system module

First, make a new directory in [Powershellroot]\Modules, named after the module:


mkdir c:\windows\system32\windowspowershell\v1.0\Modules\ADComputerObjects

Create a module manifest file

PS > new-modulemanifest -path $pshome\Modules\ADComputerObjects\ADComputerObjects.psd1


cmdlet New-ModuleManifest at command pipeline position 1
Supply values for the following parameters:
NestedModules[0]:
Author: Stuart Clarkson
CompanyName: Zen Internet
Copyright: (c) 2011 Stuart Clarkson.  All Rights Reserved
ModuleToProcess: ADComputerObjects.psm1
Description: Custom functions to find, disable and delete unused computer objects
TypesToProcess[0]:
FormatsToProcess[0]:
RequiredAssemblies[0]:
FileList[0]:

Let's see what's been created:-

PS C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ADComputerObjects> dir


    Directory: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ADComputerObjects


Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---        11/04/2011     13:23       4942 ADComputerObjects.psd1


Create a .psm1 file in this directory containing the functions the module provides



PS C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ADComputerObjects> ls


    Directory: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ADComputerObjects


Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---        11/04/2011     13:23       4942 ADComputerObjects.psd1
-a---        11/04/2011     12:56       1441 ADComputerObjects.psm1

Let's see what modules are available now:-

PS C:\Windows\System32\WindowsPowerShell\v1.0\Modules\ADComputerObjects> Get-Module -ListAvailable

ModuleType Name                      ExportedCommands
---------- ----                      ----------------
Manifest   ActiveDirectory           {}
Manifest   ADComputerObjects         {}
Manifest   AppLocker                 {}
Manifest   BitsTransfer              {}
Manifest   PSDiagnostics             {}
Manifest   TroubleshootingPack       {}
Manifest   WebAdministration         {}

...and import it:

PS> Import-Module ADComputerObjects


MSDN site on Powershell Modules

Try these sites for more information on the manifest file

Tuesday, 24 August 2010

Find and disable old computer objects in AD

If you need to find computer objects in the AD which are no longer in use and then disable them, this could be a useful command:-

dsquery computer -stalepwd xx | dsmod computer -disabled yes [-desc "Disabled because its password is stale"]

This queries the domain for computer objects whose password has been stale for more than xx days, then modifies those objects so they are disabled and optionally sets a description on each object with some text.

It would be best to run the query part first (to check its output!) before piping the output to dsmod :)