How to improve Microsoft Virtual Server security by monitoring virtual machine log files

In this tip, Harley Stagner teaches you about proactive event log collection so that if your virtual machines are breached, you'll know how to find out what happened.

Have you discovered a hole in your Virtual Server 2005 security? This article offers some advice on proactive event log collection for Virtual Server 2005 so that, if a security breach does occur, you will be able to collect more evidence on what actually happened. The previous article in this series taught you how to secure remote access to the Virtual Server 2005 host machine.

You will have a much easier time reconstructing a security breach if you have been monitoring and collecting the appropriate log information. In this case we are interested in information pertaining to Virtual Server 2005. Culling appropriate information from log files is tricky enough. If you do not have the appropriate information to begin with, it can be an exercise in frustration. Most of the information is logged by default. However, the security log in event viewer, in particular, is no good unless appropriate auditing is taking place before a breach.

To begin, you will want to turn on the appropriate auditing for security events. This can be done through the "Local Security Policy" MMC snap-in, which can be found under "Administrative Tools - Local Security Policy". The figure below shows the settings that we are looking for.

At the very least, you will want to audit "Success and Failure" of "process tracking" and "object access." Process tracking records which processes were started on the host, and under which account; object access records who opened, read or changed the files you flag for auditing. The reason for both will become apparent shortly. Note that enabling the "object access" policy by itself logs nothing: after you have set up the auditing policy, you will need to set up which folders you want to audit for "object access." You will probably want to audit the root directory where your virtual machines are stored along with the subfolders under that root directory, and the root directory where Virtual Server 2005 is installed along with the subfolders under that root directory.

To set the auditing, right-click on the root folder in question and select Properties. Click on the Security tab. Click the Advanced button. Click on the Auditing tab and then click on the Add button. In the "Enter the object name to select" box, type "Everyone" and then click OK. In the Auditing Entry window, check "Full Control" for both Successful and Failed. Make sure that "Apply onto:" is set to "This folder, subfolders and files" and then click OK until you exit the folder Properties dialog. The final selection for auditing the folder will look similar to the figure below. Keep in mind that auditing successful Full Control access for Everyone records every handle opened on the virtual machine files, including those opened by the Virtual Server service itself, so expect the security log to grow quickly.
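The same auditing entry can be applied from PowerShell instead of the folder Properties dialog, which is easier to repeat on several hosts and to verify afterwards. The following is an added example, not code from the original article. It assumes (the article does not give these paths) that the virtual machines live under D:\VirtualMachines and that Virtual Server 2005 is installed under C:\Program Files\Microsoft Virtual Server, that PowerShell 2.0 or later is installed on the host, and that the script runs under an account holding the "Manage auditing and security log" privilege. It sets only the folder SACL; the "Audit object access" policy category itself must already be enabled as described above, or the SACL produces no events.

```powershell
# Added example: apply "Everyone / Full Control / Success and Failure /
# This folder, subfolders and files" to the VM and install roots, then read the SACL back.
# Folder paths are assumptions; change them to match the host.
$folders = @('D:\VirtualMachines', 'C:\Program Files\Microsoft Virtual Server')

# S-1-1-0 is the well-known SID for Everyone (language-neutral, unlike the name)
$identity    = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rights      = [System.Security.AccessControl.FileSystemRights]::FullControl
# ContainerInherit + ObjectInherit with no propagation flags = "This folder, subfolders and files"
$inherit     = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagation = [System.Security.AccessControl.PropagationFlags]::None
$auditFlags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $identity, $rights, $inherit, $propagation, $auditFlags)

foreach ($folder in $folders) {
    if (-not (Test-Path -Path $folder -PathType Container)) {
        Write-Warning "Skipping $folder (folder not found)"
        continue
    }

    # -Audit makes Get-Acl read the SACL as well as the DACL; it needs SeSecurityPrivilege
    $acl = Get-Acl -Path $folder -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $folder -AclObject $acl

    # Verify by reading the SACL back; explicit and inherited entries, identities as SIDs
    $check = Get-Acl -Path $folder -Audit
    $check.GetAuditRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        ForEach-Object {
            '{0}: {1} audit={2} rights={3} inherit={4}' -f $folder, $_.IdentityReference,
                $_.AuditFlags, $_.FileSystemRights, $_.InheritanceFlags
        }
}
```

Run it once per host (or push it with your management tooling) and compare the verification output against the Auditing Entry shown in the figure; an entry that lacks "Success, Failure" or the ContainerInherit/ObjectInherit flags will leave gaps in what the security log records.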

Now that the appropriate security auditing is set up, your Virtual Server 2005 Host Machine will be doing some extra logging. Without proper event log management, the most useful information in the event logs might be overwritten. You will probably want to archive the event logs from the Virtual Server 2005 Host Machine periodically so that you can safely clear the event logs.

While this could be accomplished manually, human error suggests that this kind of task will be forgotten at least once. There are many commercial products for aggregating and archiving event logs; on a limited budget, however, such luxuries usually must be homebrewed by the creative system administrator.

Whenever I need to automate a task I usually turn to some form of scripting. The following script will back up the Virtual Server, Application, System, and Security event logs of each listed server and then clear them. Note that the WMI BackupEventLog method writes the archive on the computer whose log is being backed up, not on the computer running the script, so a folder named "c:\event_log_backups" must exist on every server in the list. You will also need a text file named "servers.txt" containing the servers to be backed up, one per line, in the directory from which the script is run. These requirements can, of course, be changed to suit your preferences by editing the script. An example of the format of the "servers.txt" file is listed below.

hostname1
hostname2
hostname3
hostname4

The script is listed below.

'===========BEGIN CODE===========
'=================================
'
' NAME: VS2005_evtlogbackup.vbs
'
' AUTHOR: Harley Stagner
' DATE  : 9/1/2006
'
' COMMENT: This script will backup the selected
'     servers' event logs with a unique filename
'     of "year_month_day_computername_eventlogname.evt".
'     Then, it will clear the selected event logs.
'
'=================================
'=================================
'
'***********************************
'*************Header Section*****
'***********************************

Option Explicit
On Error Resume Next
Dim dtmThisDay, dtmThisMonth, dtmThisYear 'Used to store day, month, and year.
Dim objFSO, objServFile, objWMIService, objLogFile
Dim colLogFiles 'Used to query the log file.
Dim strServer 'Used for storing server name to connect to.
Dim strBackupName 'Used for storing the name of the backup file.
Dim serverlist 'Used for storing the location of the server list.
Dim arrLogs, strLog 'Event logs to process, and the one being processed.
Dim intResult 'Return code of BackupEventLog (0 = success).

'***********************************
'**********Reference Section*****
'***********************************
'* In this section I define the day, month, year variables,
'* as well as the server list and the event logs to back up.
'* I also set up the constant for reading the "serverlist".
'* Finally, I also create and set up the file system
'* object to read from the serverlist file.
'*************************************

dtmThisDay = Day(Now)
dtmThisMonth = Month(Now)
dtmThisYear = Year(Now)
serverlist = "servers.txt"
arrLogs = Array("Virtual Server", "Application", "System", "Security")

Const forReading = 1

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objServFile = objFSO.OpenTextFile(serverlist, forReading)
If Err.Number <> 0 Then
    WScript.Echo "Could not open " & serverlist & ": " & Err.Description
    WScript.Quit 1
End If

'***********************************
'****Worker Section***************
'***********************************
'* In this section I run a query for the
'* Virtual Server, Application,
'* System, and Security logs for the computers
'* listed in the serverlist
'* file.  Then, I backup the event log to
'* "c:\event_log_backups" on that computer.  Finally,
'* I clear the event log, but only if the backup succeeded.
'**********************************

Do Until objServFile.AtEndOfStream

    strServer = Trim(objServFile.ReadLine)
    If strServer <> "" Then
        strBackupName = dtmThisYear & "_" & dtmThisMonth _
            & "_" & dtmThisDay & "_" & strServer

        ' The Backup and Security privileges are needed to back up
        ' and clear event logs (the Security log in particular).
        Err.Clear
        Set objWMIService = GetObject("winmgmts:" _
            & "{impersonationLevel=impersonate,(Backup, Security)}!\\" _
            & strServer & "\root\cimv2")

        If Err.Number <> 0 Then
            WScript.Echo strServer & ": WMI connection failed - " & Err.Description
        Else
            For Each strLog In arrLogs
                Set colLogFiles = objWMIService.ExecQuery _
                    ("SELECT * FROM Win32_NTEventLogFile " _
                    & "WHERE LogFileName='" & strLog & "'")

                For Each objLogFile In colLogFiles
                    ' BackupEventLog writes the .evt on the target computer,
                    ' so c:\event_log_backups must exist there.
                    Err.Clear
                    intResult = -1
                    intResult = objLogFile.BackupEventLog("c:\event_log_backups\" _
                        & strBackupName & "_" & Replace(strLog, " ", "") & ".evt")

                    If Err.Number = 0 And intResult = 0 Then
                        objLogFile.ClearEventLog()
                    Else
                        ' Never clear a log that has not been archived;
                        ' doing so would destroy the evidence we are trying to keep.
                        WScript.Echo strServer & ": backup of '" & strLog _
                            & "' failed (code " & intResult & "), log not cleared."
                    End If
                Next
            Next
        End If
    End If

Loop

objServFile.Close
WScript.Quit 0

'======== END CODE================
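Because the script clears each log once it is archived, the .evt file on the host is the only remaining copy of those events, so it is worth confirming after each run that every expected archive exists and recording a hash of it, which lets you show later that the archive has not changed since collection. The following PowerShell check is an added example, not part of the article's script. It assumes (the article does not say) that servers.txt is in the current directory, that the archives are reachable over the C$ administrative share with your current credentials, and that a manifest file named event_log_manifest.txt may be written beside servers.txt; it hashes with .NET directly so that it also runs on PowerShell 2.0 hosts that lack Get-FileHash.

```powershell
# Added example: verify today's archives exist on each host and append a SHA-256
# manifest entry for each one. Paths, share and manifest name are assumptions.
$servers  = Get-Content -Path 'servers.txt' | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' }
$logs     = 'VirtualServer', 'Application', 'System', 'Security'
$today    = Get-Date
# Same name format as the VBScript: year_month_day_host_log.evt (month and day not zero-padded)
$prefix   = '{0}_{1}_{2}' -f $today.Year, $today.Month, $today.Day
$manifest = 'event_log_manifest.txt'
$sha256   = [System.Security.Cryptography.SHA256]::Create()
$missing  = 0

foreach ($server in $servers) {
    foreach ($log in $logs) {
        $file = '\\{0}\C$\event_log_backups\{1}_{2}_{3}.evt' -f $server, $prefix, $server, $log
        if (-not (Test-Path -Path $file)) {
            # A missing archive means the backup failed (and, with the fixed script, the log was not cleared)
            Write-Warning ('{0}: missing archive {1}' -f $server, $file)
            $missing++
            continue
        }

        $stream = [System.IO.File]::OpenRead($file)
        try {
            $hash = [System.BitConverter]::ToString($sha256.ComputeHash($stream)).Replace('-', '')
        } finally {
            $stream.Close()
        }
        $size = (Get-Item -Path $file).Length

        # One tab-separated line per archive: time recorded, host, path, size, SHA-256
        ("{0:u}`t{1}`t{2}`t{3}`t{4}" -f (Get-Date), $server, $file, $size, $hash) |
            Out-File -FilePath $manifest -Append -Encoding ASCII
    }
}

Write-Output ('Manifest written to {0}; {1} archive(s) missing' -f $manifest, $missing)
if ($missing -gt 0) { exit 1 }
```

Run it right after the backup script, from the same directory, and keep the manifest somewhere the hosts themselves cannot write to; a non-zero exit code tells a scheduler that at least one host still has an unarchived log that needs attention.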

In the next article, Examining the compromised Virtual Server host, I will walk you through some steps that you might want to take before powering down a Virtual Server 2005 host for a security breach investigation.

About the author: Harley Stagner has been an IT professional for almost eight years. He has a wide range of knowledge in many areas of the IT field, including network design and administration, scripting and troubleshooting. Of particular interest to Harley is virtualization technology. He was the technical editor for Chris Wolf and Erick M. Halter's book Virtualization: From Desktop to the Enterprise and currently writes his own blog at www.harleystagner.com.

This was first published in February 2007
