Advanced

Collecting Logs and Events from Windows Machines

The Windows Agent plus Sysmon is the standard collection method for all Windows servers*, workstations and laptops. For some servers (DHCP, IIS, etc.) use NXLog in addition to the Windows Agent and Sysmon.

* Some servers, such as a primary domain controller in a large network, generate a very large volume of Windows events. Check with DefenseStorm Engineering before installing the Windows Agent on such a host to confirm it is appropriate.

Supported operating systems are Windows Vista SP2 and higher, Windows 7 SP1 and higher, Windows 8 (all versions, but 8.1 or higher is recommended), Windows 10 (all versions), and Windows Server 2008 and higher.

Upgrading NXLog/PWT to Windows Agent

  1. Uninstall NXLog
  2. Uninstall Praesidio Windows Tool
  3. Install Windows Agent. 

If you would like assistance with this procedure, please contact support@defensestorm.com.


Windows Agent

The Windows Agent is a service installed on Windows servers, workstations and laptops that collects local Windows event activity and forwards it to the DefenseStorm GRID. Events are still captured while a device is offline and are sent when it reconnects, so no event data is lost.

The Windows Agent automatically checks for updates within 2-4 hours of the service starting, and then every 24 hours. If an update is found it is installed automatically. Not all agents update at exactly the same time.

Features

  • Windows based installer file that supports both full GUI and command line installations
  • Full documentation for installer usage with options
  • Two-factor authentication
  • Login via username/password
  • Login via token/secret/orgId
  • Local event log collection
  • Windows event logging
  • Full offline logging. All available data is sent upon reconnection to the network.
  • Application auto updates itself from the DefenseStorm cloud
    • The system checks for automatic updates within 2-4 hours of the service starting, and every 24 hours after that. If the Agent is restarted, the timeline restarts as well. 
  • Auto updates can be turned off upon installation.
  • Send data via the DVM or directly to the Cloud
    • Fallback from the DVM to the Cloud when the DVM is unavailable

Requirements & Limitations

  • .NET Framework 4.5.2 must be installed
  • The installing user needs administrative permissions
  • An Internet connection is required for authentication during installation
  • Offline logging:
    • Local file logging requires edits to the configuration file, followed by a service restart to take effect

Pre-install Procedures

Before following the command-line or GUI installation, you must download the MSI from DefenseStorm and obtain your Key, Secret, and Org ID from the GRID UI. If you are using the fallback method, or entering proxy settings, you must also obtain your DVM IP address.

Obtaining your Key, Secret, Org ID

The key, secret, and org id are required for all installation types. Follow the steps below:

  1. Log into the GRID UI > Settings > Input Tokens > Get Agent Tokens (top right of the window).
  2. Keep this information on hand for the install procedures.

Downloading the MSI

The MSI is required for all installation types.

  1. Obtain the DWA installer files and click the link for the DefenseStorm Windows Agent.
  2. Download the MSI to the machine where it will be installed so it can be found during installation.
  3. Make note of the path to the MSI on that machine; it is used in the install process.
    For example, C:\Users\joetester\Downloads\DefenseStorm.msi

Obtaining your DVM IP address

This is only required for the fallback installation method and for entering proxy settings.

  1. Log in to the GRID
  2. Events > search for pvm_stats > filter by hostname

Command-line Installation

Utilizing the command-line installation method allows for silent installation across your network. There are three different methods for sending data to the DefenseStorm GRID. 

  • Direct to Cloud (default)
    Data comes from your network directly to the DefenseStorm Cloud
  • Through DVM
    Data flows from your network to the DVM, then to the Cloud
  • Fallback from DVM to Cloud
    Data flows from your network, to the DVM, then to the Cloud unless the DVM is unavailable. In that instance, the data goes directly to the Cloud until the DVM becomes available. 


NOTE: To verify that the Windows Agent was installed correctly, view Windows events in the GRID UI. 

Direct to Cloud (default)

Enter the following command with your own values to send your data directly to the Cloud (quote any value that contains spaces):

msiexec /package <path to DefenseStorm.msi> APIKEY=<key> APISECRET=<secret> ORGID=<organization id> /quiet

Through DVM

Enter the following command with your own values to send your data through the DefenseStorm Virtual Machine (DVM):

msiexec /package <path to DefenseStorm.msi> APIKEY=<key> APISECRET=<secret> ORGID=<organization id> SENDEVENTS=dvm DVMHOST=<your DVM IP address> /quiet

Fallback from DVM to Cloud

Enter the following command with your own values to send your data through the DVM while it is reachable. If the DVM goes down, the agent sends data directly to the Cloud until the DVM becomes available again.

msiexec /package <path to DefenseStorm.msi> APIKEY=<key> APISECRET=<secret> ORGID=<organization id> SENDEVENTS=both DVMHOST=<your DVM IP address> /quiet

Proxy Settings

If you are using a proxy on your network, you can pass the proxy settings on the command line. The /l*v switch writes a verbose install log (mylog.txt here) that is useful if the installation fails; note that this log records the property values, including APISECRET, so delete it or restrict access to it once the install is verified.

msiexec /i DefenseStorm.msi /l*v mylog.txt /quiet APIKEY=<key> APISECRET=<secret> ORGID=<org id> PROXY=http://10.10.10.10:3128


Comprehensive list of the command line switches

  • UPDATES {bool, default True. Toggles automatic application updates}
  • WINDOWSUSER {string, default LocalSystem. Specifies the user account to run the agent under. Not recommended.}
  • WINDOWSPASSWORD {string, default NULL. Password for the WINDOWSUSER account. Not recommended: a password passed on the command line is visible in process listings and in the MSI log.}
  • APIUSER {string, default NULL. DefenseStorm username for API access; must have an accompanying APIPASSWORD.}
  • APIPASSWORD {string, default NULL. DefenseStorm password for API access; must have an accompanying APIUSER.}
  • APIKEY {string, default NULL. DefenseStorm key for API access; must have accompanying APISECRET and ORGID.}
  • APISECRET {string, default NULL. DefenseStorm secret for API access; must have accompanying APIKEY and ORGID.}
  • ORGID {string, default NULL. DefenseStorm org ID for API access; must have accompanying APISECRET and APIKEY.}
  • SENDEVENTS {string, default NULL, which sends directly to the cloud. Selects where the agent sends events: DS sends to the cloud, DVM sends only to the DVM, and BOTH sends to the DVM with fallback to the cloud when the DVM is unavailable.}
    • If choosing DVM or BOTH, you must also pass DVMHOST on the command line.
  • DVMHOST {string, default NULL. IP address of the DVM; required when SENDEVENTS is DVM or BOTH, as in the commands above.}
  • PROXY {string, default NULL. Proxy URL, for example http://10.10.10.10:3128, as in the proxy example above.}

Windows Installer property names are case-sensitive, so pass them in upper case exactly as listed.


GUI Installation

Follow the instructions here to install the Windows Agent manually through the GUI.

  1. Obtain the DWA installer files.
  2. Download the MSI and double-click it to run.
  3. Select Next on the following window to begin installation.
  4. Terms and Conditions. Select the checkbox to agree, then click Next.
  5. Installation folder. Select Next to keep the default folder location.
  6. Sending data. Choose either 'Directly to DefenseStorm', 'Through the DVM', or 'Through the DVM if available, directly otherwise'. If you choose either of the DVM options, you must also input your DVM IP address.
  7. Input the Token/Key/Org ID obtained from the GRID UI (screenshot: installation window).
  8. After the information is entered in the installer window, select Next.
  9. Select Auto-Updates, click Next.
  10. Complete install. Select Yes on the following pop-up.
  11. The installation completes.
  12. Verify that the Windows Agent is installed correctly by viewing Windows events in the GRID.

Advanced Configuration - Additional log sources

Additional events can be collected either from other Windows Event Log channels or from arbitrary text files.

Windows Event Logs

The Windows Agent is configured by default to read from the log sources we deem most important. However, you may expand beyond the sources we configure by modifying the ClientLogSources.json file.

The Log, Source, Level and Event ID values referred to below are the columns shown in Windows Event Viewer for each event.

Any of these log sources can be added by editing the ClientLogSources.json file in the C:\Program Files\DefenseStorm\Data folder (as with other configuration-file changes, restart the agent service afterwards so the change takes effect). Each log-source entry has up to 5 fields:

{
  "comment": "Comment 1",
  "log_name": "Application",
  "source": "DefenseStorm",
  "level": [ "error", "warning" ],
  "event_id": [ 7022, 7023 ]
}

  • "comment" can hold any text
  • "log_name" is the name shown in the `Log` column. Mandatory field.
  • "source" is the `Source` column
    • Omitting it means all sources
  • "level" is an array of values from the `Level` column; valid values are Critical, Error, Warning, Information, LogAlways, Verbose
    • Omitting it means all levels
  • "event_id" is an array of numbers from the `Event ID` column
    • Omitting it means all event IDs
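An added check, not part of DefenseStorm's documentation or agent: the following Python script validates the entries in ClientLogSources.json against the rules above (mandatory log_name, the six valid level names, integer event IDs) before you restart the service, and shows which events an entry would actually select, so a typo does not silently drop the events you wanted. It assumes the file is a JSON array of entry objects and that names compare case-insensitively; neither is stated on the page. The sample config and sample events embedded in it are constructed for illustration.

```python
"""Added example (not DefenseStorm's code): validate ClientLogSources.json entries
and show which events each entry would select, using the rules described above.

Assumptions not stated on the page: the file is a JSON array of entry objects,
and log_name/source/level compare case-insensitively. "Omitting means all"
is taken literally from the page.
"""
import json

VALID_LEVELS = {"critical", "error", "warning", "information", "logalways", "verbose"}
ALLOWED_KEYS = {"comment", "log_name", "source", "level", "event_id"}


def validate_entry(entry):
    """Return a list of problems for one entry; an empty list means the entry is well-formed."""
    problems = []
    unknown = set(entry) - ALLOWED_KEYS
    if unknown:
        problems.append("unknown field(s): " + ", ".join(sorted(unknown)))
    if not isinstance(entry.get("log_name"), str) or not entry.get("log_name"):
        problems.append("log_name is mandatory and must be a non-empty string")
    if "source" in entry and not isinstance(entry["source"], str):
        problems.append("source must be a string")
    levels = entry.get("level", [])
    if not isinstance(levels, list):
        problems.append("level must be an array")
    else:
        bad = [lv for lv in levels if not isinstance(lv, str) or lv.lower() not in VALID_LEVELS]
        if bad:
            problems.append("invalid level(s): %r" % (bad,))
    ids = entry.get("event_id", [])
    # bool is a subclass of int in Python, so exclude it explicitly
    if not isinstance(ids, list) or any(isinstance(i, bool) or not isinstance(i, int) for i in ids):
        problems.append("event_id must be an array of integers")
    return problems


def validate_file(text):
    """Parse the JSON text of ClientLogSources.json; return {index: [problems]} for bad entries."""
    data = json.loads(text)  # a JSON syntax error raises here, before the agent ever sees it
    if not isinstance(data, list):
        raise ValueError("expected a JSON array of log-source entries")
    report = {}
    for i, entry in enumerate(data):
        problems = validate_entry(entry) if isinstance(entry, dict) else ["entry is not an object"]
        if problems:
            report[i] = problems
    return report


def entry_matches(entry, event):
    """True if an event (keys: log, source, level, event_id) is selected by a well-formed entry."""
    if event["log"].lower() != entry["log_name"].lower():
        return False
    if "source" in entry and event["source"].lower() != entry["source"].lower():
        return False
    if "level" in entry and event["level"].lower() not in {lv.lower() for lv in entry["level"]}:
        return False
    if "event_id" in entry and event["event_id"] not in entry["event_id"]:
        return False
    return True


def matching_events(config_text, events):
    """For each well-formed entry, list the event_ids it would forward out of `events`."""
    result = {}
    for i, entry in enumerate(json.loads(config_text)):
        if not isinstance(entry, dict) or validate_entry(entry):
            continue  # skipped; validate_file reports the reason
        result[i] = [ev["event_id"] for ev in events if entry_matches(entry, ev)]
    return result


# Constructed sample config: the page's example entry, a catch-all Security entry, and a broken entry.
SAMPLE_CONFIG = """[
  {"comment": "Comment 1", "log_name": "Application", "source": "DefenseStorm",
   "level": ["error", "warning"], "event_id": [7022, 7023]},
  {"comment": "every Security event", "log_name": "Security"},
  {"comment": "broken entry", "source": "Foo", "level": ["fatal"], "event_id": ["7022"]}
]"""

# Constructed sample events in the shape Event Viewer shows them (Log / Source / Level / Event ID).
SAMPLE_EVENTS = [
    {"log": "Application", "source": "DefenseStorm", "level": "Error", "event_id": 7022},
    {"log": "Application", "source": "DefenseStorm", "level": "Information", "event_id": 7022},
    {"log": "Application", "source": "Other", "level": "Error", "event_id": 7023},
    {"log": "Security", "source": "Microsoft-Windows-Security-Auditing", "level": "Information", "event_id": 4624},
]

if __name__ == "__main__":
    print("problems:", validate_file(SAMPLE_CONFIG))
    print("matches:", matching_events(SAMPLE_CONFIG, SAMPLE_EVENTS))
```

Point validate_file at the real file (open it, read the text, pass it in) before restarting the service; the broken third entry above is reported with three problems, while the first entry selects only the Error 7022 event and the Security catch-all selects the 4624 logon event.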


Arbitrary Text Files and DNS Files

The second method to ingest logs is from an arbitrary text file. The file Config.json is where you set which files you want the Windows Agent to monitor. There are two lists: "DnsDebugLog" for Windows DNS debug log files, which have a specific format (the default "Debug Log" format of Windows DNS), and "Generic" for all other file types, which can be in any format as long as they are composed of lines. As with other configuration-file changes, restart the agent service afterwards.

{
  "AutoUpdate": true,
  "MonitoredFiles": {
    "Generic": [ "C:/logs/file1.txt", "C:/logs/file2.txt" ],
    "DnsDebugLog": [ "C:/logs/dns/file3.txt", "C:/logs/dns/file4.txt" ]
  }
}

Sysmon

Sysmon does not require an installation package, so the executable can be pushed out over a network and the install easily scripted with the command in this procedure. Sysmon can be placed anywhere on the disk; the locations listed below are TRAC TEAM recommendations.

To install Sysmon, perform the following steps:

  1. Download and unzip Sysmon from Microsoft
  2. Copy the unzipped sysmon.exe to windows\system32
  3. Download the custom Sysmon config file (sysmonconfig-export.xml) from the linked GitHub repository
  4. Copy the .xml file to windows\system32
  5. As an administrator, run the following command:
    sysmon.exe -accepteula -i sysmonconfig-export.xml

To confirm the install, run sysmon.exe -c with no file argument, which prints the active configuration, and check that events are appearing in the Microsoft-Windows-Sysmon/Operational log in Event Viewer. To apply an updated configuration later, run sysmon.exe -c <new config.xml>; a reinstall is not needed.


NXLog

For Windows servers running DHCP, IIS, or writing additional log files, NXLog assists the Windows Agent in gathering applicable and usable data. NXLog is installed on the Windows server itself and forwards the parsed logs to the DVM. The instructions below explain how to download and install NXLog.

  1. Download NXLog (here)
  2. Install NXLog
  3. Download the NXLog config file (DefenseStorm NXLog Conf.zip)
  4. Unzip and place the files into the NXLog conf directory (typically c:\Program Files (x86)\NXLog\conf)
  5. Edit nxlog.conf
    1. Change 'define DVM 10.1.50.100' to your DVM IP
    2. If NXLog was installed somewhere other than the default location, modify the line 'define ROOT C:\Program Files (x86)\nxlog'
    3. Under the Include Files section, uncomment (remove the leading #) the applicable conf file(s):
      #include %ROOT%\conf\nxlog-dhcp.conf
      #include %ROOT%\conf\nxlog-iis.conf
    4. Save
  6. Restart the NXLog service
  7. Verify there are no errors in the NXLog log file (typically c:\Program Files (x86)\NXLog\log)


Managing Powershell

Current reports on the use of Windows PowerShell as an attack platform bring up the increased need to detect and prevent the abuse of our system administration ecosystem. The recent release of Mandiant’s M-Trends 2017 annual report highlights the development of more sophisticated tactics, techniques, and procedures (TTP) by financial threat actors against banking targets in Asia and Europe. These attacks are employing internal system administration tools, specifically Windows PowerShell, to fly under the radar and maintain persistence.

“Windows PowerShell is a good example of a relatively new attack vector that many organizations are not monitoring and logging. Attackers are increasingly leveraging Windows PowerShell to conduct their operations when undertaking malicious activity within a victim’s environment. In many environments, PowerShell does not leave artifacts indicating its usage. This situation can be improved by upgrading older versions of PowerShell (such as 2.0) to later, more robust logging versions (5.0 offers a much broader range of security information) and by implementing additional logging features such as Sysmon. The bottom line from an incident response perspective is that while PowerShell logging was not a typically monitored event to maintain effective cyber threat visibility five years ago, it most definitely is now.”

 

Windows PowerShell was developed by Microsoft to provide a system administration infrastructure that provides more power and flexibility to perform automated routine tasks and configuration management across their entire domain.  PowerShell is based on the .NET framework and provides a command-line shell as well as a powerful scripting language. The PowerShell Gallery gives system administrators a list of modules and scripts to deploy on their domain and the ability to contribute their own for the community.

However, many security researchers and penetration testers have developed a number of post-exploitation tools using PowerShell—PowerSploit, Empire, PoshSec, PowerUp and PowerView are just a few examples. Blue Teams need to actively search for the execution of these modules and react quickly when they appear in their log data.


PowerShell Version Updates

Thankfully, Microsoft added instrumentation capabilities to PowerShell starting in version 3.0 (module logging), with script block logging and transcription following in version 5.0. Windows 7 and Server 2008 R2 ship with PowerShell version 2.0, so system administrators need to upgrade the .NET Framework and the Windows Management Framework to version 5.0 or later.

Threat actors know that PowerShell version 2.0 does not produce this logging, and take advantage of it by forcing the use of version 2.0, which remains installed for backwards compatibility. The command to do so is quite simple and may be run from a command shell or PowerShell:

PowerShell.exe -Version 2 "your command arguments here"

The downgrade only works while the PowerShell 2.0 engine and the .NET Framework 2.0/3.5 it depends on are present; where nothing requires them, removing the Windows PowerShell 2.0 Engine optional feature closes this gap. Either way, incident responders need visibility to detect use of PowerShell version 2 in addition to current versions. Instrumenting Windows PowerShell is fairly straightforward because the tool leverages Microsoft's existing event logging capabilities. We recommend that you enable PowerShell logging according to the procedures outlined by Matthew Dunwoody (Mandiant/FireEye).

To obtain the visibility necessary to audit PowerShell command line, module, and script execution, do the following:

  • Upgrade to the current version
  • Enable logging capabilities through Group Policy
  • Increase Windows instrumentation through Sysmon


External Procedure Links

See the following FireEye post for the procedures to enable PowerShell logging: https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html

We also recommend installing and configuring the current version of Microsoft's System Monitor (Sysmon); see the Sysmon section earlier in this article.


Suspicious Cmd Line Arguments

Execution of PowerShell with command line arguments that include the following should be regarded as suspicious and prompt further investigation. PowerShell also accepts abbreviated parameter names (for example -nop, -noni, -ep Bypass, -w Hidden, -enc, -v 2), so matching should cover those spellings as well:

PowerShell.exe -Version 2
PowerShell.exe -EncodedCommand
PowerShell.exe -ExecutionPolicy Bypass
PowerShell.exe -NonInteractive
PowerShell.exe -NoProfile
PowerShell.exe -WindowStyle Hidden
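An added example, not from the original page or from DefenseStorm: Python detection logic that applies the list above to process-creation records such as the CommandLine field of Sysmon Event ID 1. It goes beyond the list in one way, covering the abbreviated parameter spellings that powershell.exe accepts (the PARAMS and ALIASES tables are my reading of PowerShell's console parameter parser, an assumption rather than something the page states), and it decodes the -EncodedCommand payload so the analyst sees the script text. The sample command lines are constructed, not captured.

```python
"""Added example (not DefenseStorm's code): flag the suspicious PowerShell command-line
arguments listed above in process-creation records (e.g. the CommandLine field of
Sysmon Event ID 1) and decode -EncodedCommand payloads.

powershell.exe accepts any unambiguous prefix of a parameter name (-nop, -noni,
-ep Bypass, -w hidden, -enc, -v 2), so the matcher works on prefixes. The shortest
accepted prefixes in PARAMS and the two explicit aliases are my reading of PowerShell's
console parameter parser: an assumption, not something the page states.
"""
import base64
import re

# canonical parameter name -> shortest abbreviation powershell.exe accepts (assumed, see above)
PARAMS = {
    "version": "v",
    "encodedcommand": "e",
    "executionpolicy": "ex",
    "noninteractive": "noni",
    "noprofile": "nop",
    "windowstyle": "w",
    "command": "c",
    "file": "f",
    "nologo": "nol",
    "noexit": "noe",
}
ALIASES = {"ep": "executionpolicy", "ec": "encodedcommand"}  # non-prefix aliases (assumed)

TOKEN_RE = re.compile(r'"[^"]*"|\S+')  # whitespace split that keeps quoted paths together


def canonical_param(token):
    """Map '-Enc', '/ep', '-WindowStyle', ... to its canonical parameter name, or None."""
    if len(token) < 2 or token[0] not in "-/":
        return None
    name = token[1:].lower()
    if name in ALIASES:
        return ALIASES[name]
    for full, shortest in PARAMS.items():
        if name.startswith(shortest) and full.startswith(name):
            return full
    return None


def decode_encoded_command(b64):
    """-EncodedCommand carries the script as base64 over UTF-16LE; return the text or None."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def is_powershell(cmdline):
    """True if the first token of the command line is powershell(.exe), with or without a path."""
    tokens = TOKEN_RE.findall(cmdline)
    if not tokens:
        return False
    image = tokens[0].strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return image.startswith("powershell")


def analyze_command_line(cmdline):
    """Return {"flags": [...], "decoded": text-or-None} for one PowerShell command line."""
    tokens = TOKEN_RE.findall(cmdline)
    flags, decoded = [], None
    for i, tok in enumerate(tokens):
        param = canonical_param(tok)
        raw_value = tokens[i + 1].strip('"') if i + 1 < len(tokens) else ""
        value = raw_value.lower()
        if param == "version" and value.startswith("2"):
            flags.append("Version 2")
        elif param == "encodedcommand":
            flags.append("EncodedCommand")
            decoded = decode_encoded_command(raw_value) if raw_value else None
        elif param == "executionpolicy" and value == "bypass":
            flags.append("ExecutionPolicy Bypass")
        elif param == "noninteractive":
            flags.append("NonInteractive")
        elif param == "noprofile":
            flags.append("NoProfile")
        elif param == "windowstyle" and value.startswith("h"):
            flags.append("WindowStyle Hidden")
    return {"flags": flags, "decoded": decoded}


def scan(command_lines):
    """Return [(line, flags, decoded)] for every PowerShell command line that raised a flag."""
    hits = []
    for line in command_lines:
        if not is_powershell(line):
            continue
        result = analyze_command_line(line)
        if result["flags"]:
            hits.append((line, result["flags"], result["decoded"]))
    return hits


# Constructed sample CommandLine values (what Sysmon Event ID 1 would record); not real captures.
ENCODED = base64.b64encode("Write-Output hi".encode("utf-16-le")).decode("ascii")
SAMPLE_COMMAND_LINES = [
    r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -enc ' + ENCODED,
    "powershell -v 2 -Command Get-Process",
    "powershell.exe -Command Get-Service",
    r"C:\Windows\System32\notepad.exe -w hidden",
]

if __name__ == "__main__":
    for line, flags, decoded in scan(SAMPLE_COMMAND_LINES):
        print(flags, decoded or "", "<-", line)
```

Feed it the CommandLine values from Sysmon Event ID 1 (or Security 4688 with command-line auditing enabled). Expect some false positives: legitimate automation often uses -NonInteractive and -NoProfile, so the combination of flags and the decoded command text matter more than any single flag.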



DVM Modifications (SNMP & accepting SSL)

One of the many advantages of the DefenseStorm GRID is the level of customization and modifications available. Two of those options include, 

  • Enabling the DVM to accept Syslog over SSL 
  • Setting to Receive SNMP Traps 


Enabling DVM to accept Syslog over SSL

For advanced users who need to enable Syslog over SSL (TLS) on their DVM, the following instructions are provided. It is recommended that you contact DefenseStorm so we can work with you to enable this configuration.

First generate a certificate and private key and put them where the configuration below expects them, then open the port. Run these as root on the DVM (openssl writes the key to privkey.pem in the current directory; -nodes leaves it unencrypted, so keep key.d readable by root only):

# cd /etc/syslog-ng
# mkdir cert.d
# mkdir key.d
# mkdir ca.d
# cd cert.d
# openssl req -new -x509 -out cacert.pem -days 1095 -nodes
# mv privkey.pem ../key.d
# sudo ufw allow 6514

Then put the following ssl.conf into /etc/syslog-ng/conf.d and restart syslog-ng. Note that peer_verify(optional-untrusted) means the DVM does not authenticate the sending hosts: TLS protects the log stream in transit, but any host that can reach port 6514 can submit events, so restrict the port to known senders in ufw where possible. Senders must trust cacert.pem, which is self-signed.

@version: 3.5

# Automatically generated by Praesidio on 2014-12-17T17:01:32Z

# Basic source definition for syslog compliant systems
source s_net_ssl {
        tcp(ip(0.0.0.0) port(6514)
        tls( ca_dir("/etc/syslog-ng/ca.d")
        key_file("/etc/syslog-ng/key.d/privkey.pem")
        cert_file("/etc/syslog-ng/cert.d/cacert.pem")
        peer_verify(optional-untrusted)) );
};

log {
    source(s_net_ssl);
    rewrite(r_praesidio);
    log { filter(f_0); destination(d_praesidiosqs_0); };
    log { filter(f_1); destination(d_praesidiosqs_1); };
    log { filter(f_2); destination(d_praesidiosqs_2); };
    log { filter(f_3); destination(d_praesidiosqs_3); };
    flags("flow_control");
};
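An added test client, not DefenseStorm's code: once ssl.conf is in place, this Python script sends one RFC 3164 message to the DVM over TLS on port 6514 and verifies the DVM's certificate against a copy of cacert.pem, which, being self-signed, is its own trust anchor. The DVM address, program name and message text are placeholders, and the sample lines built at the bottom use constructed values; the one real assumption is that the certificate generated with the openssl command above carries no subjectAltName for the DVM's IP, so verification is pinned to the file rather than to a host name.

```python
"""Added example (not DefenseStorm's code): a small client that sends a test message to
the DVM's TLS syslog listener configured above (tcp 6514) and verifies the DVM's certificate.

Assumptions: you have copied the DVM's cacert.pem (from /etc/syslog-ng/cert.d) to the
client; because that certificate is self-signed it doubles as the trust anchor. Host,
program and message values are placeholders.
"""
import datetime
import socket
import ssl

FACILITIES = {"kern": 0, "user": 1, "daemon": 3, "auth": 4, "syslog": 5, "authpriv": 10,
              "local0": 16, "local1": 17, "local2": 18, "local3": 19,
              "local4": 20, "local5": 21, "local6": 22, "local7": 23}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}


def syslog_pri(facility, severity):
    """RFC 3164 PRI value: facility * 8 + severity."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def build_bsd_syslog(facility, severity, hostname, program, pid, msg, when=None):
    """One RFC 3164 line, newline-terminated, which is the framing the tcp() source above splits on."""
    when = when or datetime.datetime.now()
    # RFC 3164 timestamp is "Mmm dd hh:mm:ss" with the day space-padded to two characters
    stamp = "%s %2d %s" % (when.strftime("%b"), when.day, when.strftime("%H:%M:%S"))
    return "<%d>%s %s %s[%d]: %s\n" % (syslog_pri(facility, severity), stamp, hostname, program, pid, msg)


def make_tls_context(ca_file):
    """Client context that trusts only the DVM's own certificate.

    Hostname checking is off because the cert generated with 'openssl req' above has no
    subjectAltName for the DVM's IP; trust is pinned to ca_file instead of a public CA.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def send_tls_syslog(dvm_host, ca_file, line, port=6514, timeout=5.0):
    """Connect to the DVM over TLS, send one line, and return the DVM certificate's subject."""
    ctx = make_tls_context(ca_file)
    with socket.create_connection((dvm_host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=dvm_host) as tls:
            tls.sendall(line.encode("utf-8"))
            return tls.getpeercert().get("subject")


# Constructed sample lines with fixed timestamps so the output is reproducible
SAMPLE_LINE = build_bsd_syslog("local0", "info", "client01", "dstest", 1234,
                               "TLS syslog test from client01",
                               when=datetime.datetime(2014, 12, 17, 17, 1, 32))
SAMPLE_EARLY = build_bsd_syslog("daemon", "warning", "dvm", "snmptrapd", 77, "x",
                                when=datetime.datetime(2014, 12, 5, 8, 0, 1))

if __name__ == "__main__":
    # Placeholders: replace with your DVM address and the path to its cacert.pem
    test_line = build_bsd_syslog("local0", "info", "client01", "dstest", 1234,
                                 "TLS syslog test from client01")
    print(send_tls_syslog("10.1.50.100", "cacert.pem", test_line))
```

If the send fails, running openssl s_client -connect <DVM IP>:6514 -CAfile cacert.pem from the same client shows whether the TLS handshake itself or the syslog-ng configuration is at fault; after a successful send the message should show up in the GRID like any other syslog event from that host.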


Setting up to receive SNMP Traps

Prerequisites

  • SNMP client auth config details (if SNMP traps are already set up in the org, and/or this is a DVM migration)
  • DVM credentials and access

Procedure

  1. Install the required packages:

$ sudo apt-get install snmp snmpd snmp-mibs-downloader

  2. Edit /etc/default/snmpd and change the following 3 variables (the last line, TRAPDOPTS, is a single long line and is wrapped here). This runs only the trap receiver, not the snmpd agent, and logs received traps to syslog (-Lsd) where syslog-ng picks them up:

 >> /etc/default/snmpd

SNMPDRUN=no
TRAPDRUN=yes
TRAPDOPTS='-Lsd -Oq -p /var/run/snmptrapd.pid -M /usr/share/mibs/ietf:/usr/share/mibs/iana:/usr/share/mibs/defensestorm -m ALL'

  3. Create a new config file so syslog-ng picks up the SNMP traps from the daemon facility:

>> /etc/syslog-ng/conf.d/snmpd.conf

log {
    source(s_src);
    filter(f_daemon);
    rewrite(r_praesidio);
    log { filter(f_0); destination(d_praesidiosqs_0); };
    log { filter(f_1); destination(d_praesidiosqs_1); };
    log { filter(f_2); destination(d_praesidiosqs_2); };
    log { filter(f_3); destination(d_praesidiosqs_3); };
    flags("flow_control");
};

  4. Edit /etc/snmp/snmp.conf and comment out the "mibs" line so the MIBs listed in TRAPDOPTS are loaded.
  5. Edit /etc/snmp/snmptrapd.conf following the examples below. DefenseStorm recommends SNMP v3 with authentication. If the system you want to send traps from does not support authentication, use the SNMP v2c setup and change the community string.

    For SNMP v2c

    Add the following line to /etc/snmp/snmptrapd.conf. It makes snmptrapd accept traps from any sender regardless of community string, so restrict port 162 to the trap sources in UFW:

    disableAuthorization yes

    Next, edit /etc/snmp/snmpd.conf and change the community string from "public" to a string specific to the organization.

    For SNMP v3

    If this is a new SNMP trap integration: change the user name and the SHA and AES passphrases to private values for your environment. SNMP sources will need to be configured to use these new values.

    If this is a migration from a previous DVM version: change the user name and the SHA and AES passphrases to the values in the old DVM's /etc/snmp/snmptrapd.conf. These should match the auth credentials saved in the SNMP trap message sources.

    You will need 3 values. The shipped example uses these placeholders, which must not be left in place on a production DVM:
    User name: ds
    SHA pass: "defensestorm"
    AES pass: "defensestorm"

    Example file edits for creating a new SNMP configuration. For SNMPv3 traps the sender is the authoritative engine, so the -e value must be the engine ID of the system sending the traps (the example value below spells "ePO_Server"), and each trap source needs its own createUser line:

    >> /etc/snmp/snmptrapd.conf

    createUser -e 0x800013700465504f5f536572766572 ds SHA "defensestorm" AES "defensestorm"
    authUser log ds

  6. Copy any MIBs you obtain from your software vendors into /usr/share/mibs/defensestorm.

If this is a DVM migration, copy the MIB files and folders from the old DVM into /usr/share/mibs/defensestorm. Check the old DVM's /etc/default/snmpd for other MIB locations under TRAPDOPTS.

  7. Allow SNMP traps (UDP 162) in UFW:

$ sudo ufw allow 162/udp

  8. Restart snmpd and syslog-ng:

$ sudo service syslog-ng restart
$ sudo service snmpd restart


Gathering Data from Third-Party IT Systems

This article provides links to third-party device setup instructions as well as DefenseStorm-specific instructions to ensure data is gathered.

Checkpoint

What: Firewall logs
How: via Syslog
Reference: Checkpoint SK87560.pdf
Notes: See the referenced PDF. Specific configurations, modules, and/or hotfixes may be required to export firewall logs directly from a Security Gateway.


Cisco

Meraki

What: Log/event data from MX security appliances, MR access points, and MS switches
How: via Syslog
Reference: Link to third party instructions
Notes: Direct the syslog data to the DVM on port 516

Routers & Switches

Reference: https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_55_se/configuration/guide/scg_2960/swlog.html
Notes:

The clock and timestamp settings are required for timestamps to be correct. Products using this configuration:

  • Cisco 2901 Routers
  • Cisco 2921 Router
  • Cisco 2960 switches
  • Cisco 2504 Wireless Controller
  • Cisco 3560
  • Cisco 4331 ISR
  • Cisco 4451
  • Cisco 5515

Configuration commands (IOS; the zone names below are for US Eastern, where standard time EST is UTC-5 and the recurring summer-time rule switches to EDT):

  clock timezone EST -5 0
  clock summer-time EDT recurring
  service timestamps log datetime localtime
  logging host <IP of DVM> transport tcp port 514
  logging source-interface <INTERFACE NAME>

Use an NTP server from NIST, and check the NTP configuration with:

  show ntp config

If no data arrives over TCP 514, try UDP 516:

  logging host <IP of DVM> transport udp port 516

ASA:

  logging enable
  logging host <INTERFACE NAME> <IP of DVM>
  logging trap informational

To log use of the enable command and other privilege-level changes (IOS):

  logging userinfo

Command logging (IOS; sends every configuration change to syslog and masks passwords in the log):

  archive
   log config
    logging enable
    notify syslog
    hidekeys


Cisco Nexus

What: Switch and router events/logging
How: via Syslog
Reference: Link to third party instructions
Notes:

First determine which VRF can reach the DVM:

  ping <DVM> vrf management

If that works, use the management VRF; if not, list the VRFs and test each until one reaches the DVM:

  show vrf

Configure logging (replace <VRF> with the VRF that reached the DVM, for example management or default):

  logging server <DVM> 6 use-vrf <VRF>
  logging module 6
  logging monitor 6
  logging level all 6
  copy run start

NOTE: To change an existing logging server entry, remove it with the "no" form first and then re-enter it; otherwise the change may not take effect.


Cisco Nexus Router

What: Cisco Nexus routers
Notes: NTP configuration:

  ntp server <NTPIP> prefer
  show ntp peers
  show ntp peer-status

Check the time:

  show clock

Look up the VRF:

  show vrf interface

Enable syslog logging:

  logging server <DVM> 6 use-vrf <VRF>

Set module severity level:

  logging level all 6

If logging was not working before you added the VRF, remove the old logging server command with its "no" form and then enter the complete new command.

Cisco Call Manager

What: Call Detail Records and logs/events
How: via Syslog
Reference: http://www.cisco.com/c/en/us/support/docs/voice/h323/14068-cdr-logging.html
Notes:

The configuration needs to be completed on the router that is configured with the PRIs. Ensure timestamps are included in logging messages.

Example configuration (10.64.6.250 stands for the DVM's IP address):

  service timestamps log datetime msec localtime
  logging 10.64.6.250


CrowdStrike

What: Falcon solutions
How: via CrowdStrike-provided module installed on the DVM
Reference:
Notes:

Install:

sudo dpkg --install crowdstrike-cs-falconhoseclient_71-siem-release-1.0_amd64.deb

Edit /opt/crowdstrike/etc/cs.falconhoseclient.cfg (this file holds the API credential, so keep it readable by root only):

  • Set the API key and UUID
  • Set the log format to "syslog" instead of json
  • Set "send to syslog server" to "true"

Add the following line to /etc/rc.local just above the exit line so the client starts at boot:

nohup /opt/crowdstrike/bin/cs.falconhoseclientd --nodaemon --config=/opt/crowdstrike/etc/cs.falconhoseclient.cfg &

Then rename the package's own upstart job so the daemon is only started from rc.local:

mv /etc/init/cs.falconhoseclientd.conf /etc/init/cs.falconhoseclientd.conf.orig

Create a new logrotate config, /etc/logrotate.d/crowdstrike, with the following contents for the client log files:

/var/log/crowdstrike/falconhoseclient/cs.falconhoseclient.log
/var/log/crowdstrike/falconhoseclient/output
{
  rotate 12
  monthly
  compress
  missingok
  notifempty
}

Reboot to verify that the program starts on boot, then verify that log files are created in /var/log/crowdstrike/falconhoseclient.


Dell PowerConnect Switch

What: Switch logs/events
How: via Syslog
Notes:

CLI configuration reference:

  logging <IP of DVM>
    description DefenseStorm
    exit
  exit
  logging cli-command
  logging web-session



Dell SonicWall

What: Firewall
How: via Syslog
Reference: https://support.software.dell.com/kb/sw5106


Microsoft Exchange Audit Events

What: Microsoft Exchange mailbox audit events
How: via PowerShell script to the Windows Event Log and then the DefenseStorm Agent
Reference: https://kb.defensestorm.com/help/collecting-event-data-from-exchange
Notes: Instructions for configuration are provided in the referenced DefenseStorm KB article.


Extreme Networks

What: Switch logs
How: via Syslog
Notes:

Enabling syslog:
  • configure syslog add <DVM IP> local0
  • configure syslog <DVM IP> local0 severity info
  • enable log target syslog <DVM IP> local0
  • configure log target syslog <configure-target-ip> from <source-ip-to-use>

Enabling time with SNTP:
  • enable sntp-client
  • configure sntp-client primary <ip-address> vr <vr-route>


Fortigate

What: Firewall events/logs
How: via Syslog
Reference: http://docs.fortinet.com/uploaded/files/1084/fortigate-loggingreporting-509.pdf, section on Advanced Logging for configuring multiple logging servers.
Notes:

CLI config example for syslog:

  config log syslogd{n} setting
    set status enable
    set csv disable
    set facility local{n}
    set server <ip-address of the dvm>
    set reliable disable
    set port 514
  end

NOTE: {n} in syslogd{n} selects which of the up to four syslog settings to configure: omit it for the first (syslogd) and use 2, 3 or 4 for the others (syslogd2 to syslogd4). {n} in local{n} is the syslog facility number (local0 to local7). "set reliable disable" sends over UDP, which is what the default port applies to.


HP Lefthand SAN

What: SAN log/event data
How: via Syslog
Reference: http://h20564.www2.hpe.com/hpsc/doc/public/display?docId=mmr_kc-0110324


HP Procurve Switch

What: Switch events/logs
How: via Syslog
Notes:

  configure
  logging <IP of DVM>
  logging system-module all-pass
  write mem


IronPort

IronPort Mail Filter

What: Mail filter and administration logs
How: via Syslog
Notes:

Configure via the administration web interface:

System Administration -> Log Subscription -> System Logs

Configure the following logs:

  • antispam
  • antivirus
  • cli_logs
  • dlp
  • error_logs
  • gui_logs
  • mail_logs
  • scanning
  • system_logs
  • web_client


Juniper

SSL VPN / Pulse Secure

What: VPN logs/events
How: via Syslog
Reference: https://kb.pulsesecure.net/articles/Pulse_Secure_Article/KB22227
Notes: Use the UDP protocol, port 514


McAfee

ePO

What: McAfee ePO
Reference:
  1. Enabling DVM to accept Syslog over SSL (see the DVM Modifications section above)
  2. Link to third party instructions


MillenniumUltra

What: MillenniumUltra log files
How: via NXLog
Notes: millenniumultra.conf (the file path is single-quoted so NXLog does not treat its backslashes as escape characters; the syslogng-out output named in the route is defined in the DefenseStorm nxlog.conf)

<Extension multiline>
    Module        xm_multiline
    HeaderLine    /^<event>/
    EndLine       /^<\/event>/
</Extension>

<Extension xmlparser>
    Module        xm_xml
</Extension>

<Input millenniumultra>
    Module        im_file
    File          '\MPWNetCustomers\1\HistoricalLog\HistoricalLog.xml'
    SavePos       FALSE
    ReadFromLast  FALSE
    InputType     multiline
    <Exec>
      # Discard everything that doesn't look like an XML event
      if $raw_event !~ /^<HistoricalLog>/ drop();

      # Parse the XML event
      parse_xml();

      # Rewrite some fields
      $EventTime = parsedate($timestamp);
      delete($timestamp);
      delete($EventReceivedTime);

      $SourceName = "MillenniumUltra";

      # Convert to JSON
      to_json();
    </Exec>
</Input>

<Route MSEvents>
    Path    millenniumultra => syslogng-out
</Route>

Microsoft Exchange Message Tracking

What: Exchange message tracking logs
How: via NXLog
Reference: https://elijahpaul.co.uk/analysing-exchange-2013-message-tracking-logs-using-elk-elasticsearch-logstash-kibana/
Notes: Enable message tracking in Exchange 2013 as described in the link above.

Add the following configuration to NXLog (%BASEDIR% must be defined earlier in nxlog.conf as the directory holding the message tracking logs; the two drop() lines skip the comment header and the HealthMailbox probe traffic):

<Input in_exchange>
   Module     im_file
   File       '%BASEDIR%\MSGTRK????????*-*.LOG' # all tracking logs in the directory
   SavePos    TRUE
   Exec       if $raw_event =~ /HealthMailbox/ drop();
   Exec       if $raw_event =~ /^#/ drop();
</Input>
<Output out_exchange>
    Module    om_udp
    Host      192.168.0.2 # replace with your DVM hostname/IP
    Port      514
    Exec      $SourceName = 'exchange_msgtrk_log';
    Exec      to_syslog_bsd();
</Output>
<Route exchange>
    Path      in_exchange => out_exchange
</Route>


PaloAltoNetworks

What: Firewall events/logs
How: via Syslog
Reference: https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Forward-Firewall-Logs-from-Panorama-through-Syslog/ta-p/55713


QRadar

Information

What: Mirror logs sent to QRadar to the DefenseStorm DVM
How: via Syslog
Reference: http://www-01.ibm.com/support/knowledgecenter/SS42VS_7.2.1/com.ibm.qradar.doc_7.2.1/c_qradar_adm_frwd_event_data.html?cp=SS42VS_7.2.1%2F4-0-15
Notes:

Configure QRadar for raw forwarding. Two objects are needed to send data to the DVM:

  • a Destination Target (the DVM)
  • a Routing Rule that forwards events to it

QRadar needs to send to the DVM on port 514 UDP. This allows the DVM to receive unformatted, multi-line log information.


Rapid7

Nexpose

What: Scan alerts
How: via Syslog
Reference: https://nexpose.help.rapid7.com/docs/setting-up-scan-alerts


RSA Authentication Manager

Setting up for syslog

What: Authentication logs/events
How: via Syslog
Reference: https://community.rsa.com/docs/DOC-46055


rsyslog

What: Any log data on a system that is deployed with rsyslog (Carbon Black, some flavors of Linux, etc.)
How: via Syslog event forwarding
Notes:

Add a line to the bottom of /etc/rsyslog.conf to forward all log event data to the DVM, in this form:

*.*   @@IP_ADDRESS:514

where IP_ADDRESS is replaced with the IP address of your DVM. The double @@ selects TCP; a single @ would send over UDP instead. For example, if your DVM IP address is 192.168.10.12, the line would be:

*.*   @@192.168.10.12:514

Restart rsyslog afterwards for the change to take effect.


ShoreTel

What: Call Detail Records
How: via NXLog
Notes: NXLog configuration (the syslogng-out output named in the route is defined in the DefenseStorm nxlog.conf; each backslash continuation must be the last character on its line)

#############################################################
# Define the Input for the ShoreTel log files
#############################################################
<Input in-shortel>
    # Read ShoreTel CDR log files
    Module        im_file
    File          'C:\\Shoreline Data\\Call Records 2\\*.Log'
    ReadFromLast  TRUE
    SavePos       TRUE
    InputType     LineBased
    Exec  if $raw_event =~ /^#/ drop(); \
          else \
          { \
              $message = $raw_event; \
              $clienthostname = $hostname; \
              $hostname = hostname_fqdn(); \
              $SourceName = "Microsoft-Windows-Logs-Shortel"; \
          }
</Input>
#############################################################
# Define the Route for the ShoreTel log files
#############################################################
<Route out>
    Path    in-shortel => syslogng-out
</Route>


SMTP Email Forwarding

What: SMTP email messages
How: via SMTP email forwarded from an internal Exchange server
Notes:

The DVM accepts any email on port 25 and converts each message to an event that is sent up to the DefenseStorm cloud. Because it accepts mail from any sender, restrict port 25 on the DVM to your mail server's address. There are many ways to route email to the DVM depending on your email infrastructure; this document describes one method that can be used with Microsoft Exchange.

The steps are as follows:

Configure your Exchange environment to route a 'dummy' email domain to the DVM. For example, if your email domain is "mybank.com", you might use "defensestorm.mybank.com" or simply "defensestorm.mybank". Mail for this domain is never delivered to the Internet, so select a domain that is not valid externally.

The following TechRepublic article describes forwarding mail for specific domains to a smart host (written for Exchange 2000, but the approach carries over):

http://www.techrepublic.com/article/forward-mail-to-a-smart-host-for-specific-domains/

In step 9 of those instructions, use the domain chosen above (defensestorm.mybank) and the DVM as the smart host.

Once this is complete, send a test email message to any address at that domain, for example "test@defensestorm.mybank". You should be able to verify in Exchange that this message was delivered to the DVM, and you should see the email message converted to an event on the DefenseStorm Console.

Now configure any internal systems that send SMTP/email-based alerts to use a recipient address at the configured domain. Any email messages sent to that domain will be routed by your internal Exchange system to the DVM and forwarded as events to the DefenseStorm Console.



Sourcefire

What: FireSIGHT Events/Logs
How: via Syslog
Reference:

https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118464-configure-firesight-00.html

Notes: Event data is only provided in UTC and without a timezone specified. The DVM is configured with a local timezone to support Windows event logging. The following configuration can be added to the syslog-ng configuration on the DVM so that UTC events without a timezone are interpreted correctly.

@version: 3.5

# Custom syslog setup to take in UTC timestamps and send them out properly

source s_sourcefire {
    network(
        port(518)
        time-zone("UTC")
        transport("udp")
        keep-hostname(yes)
        flags("syslog-protocol")
        tags("udp514")
    );
    network(
        port(518)
        time-zone("UTC")
        transport("tcp")
        max_connections(100)
        log_iw_size(2000)
        keep-hostname(yes)
        flags("syslog-protocol")
        tags("tcp514")
    );
};

log {
    source(s_sourcefire);
    rewrite(r_praesidio);
    destination(d_praesidiosqs);
    flags("flow_control");
};
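The timezone problem described in the notes, as an added example that is not part of this page or of the DVM: a small Python normaliser that reads the RFC 5424 header of a syslog line, attaches an assumed zone only when the timestamp carries no offset (which is what the time-zone("UTC") option above does for syslog-ng), and shows the skew that results when a UTC timestamp is read as DVM-local time instead. The sample line, its host and app names, and the five-hour DVM zone are constructed.

```python
"""Added example, not from the page: why a receiver must be told the sender's
zone when syslog timestamps carry no UTC offset."""
import re
from datetime import datetime, timedelta, timezone

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID ...
_HEADER = re.compile(r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) ")

UTC = timezone.utc
# Constructed: the local zone the DVM is configured with (UTC-5 here).
DVM_LOCAL = timezone(timedelta(hours=-5), name="DVM-local")

# Constructed sample event; note the timestamp has no trailing Z or offset.
SAMPLE_LINE = "<110>1 2024-03-05T14:02:11 fmc01 SFIMS - - - intrusion event (constructed)"


def parse_timestamp(ts: str, assume: timezone) -> datetime:
    """Parse an RFC 3339 timestamp; attach `assume` only if it has no offset."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return dt if dt.tzinfo is not None else dt.replace(tzinfo=assume)


def normalise(line: str, assume: timezone) -> dict:
    """Return host, app and the event time expressed in UTC (ISO 8601)."""
    m = _HEADER.match(line)
    if m is None:
        raise ValueError("not an RFC 5424 header: " + line[:40])
    when = parse_timestamp(m["ts"], assume)
    return {
        "host": m["host"],
        "app": m["app"],
        "ts_utc": when.astimezone(UTC).isoformat(),
    }


def skew_hours(line: str, wrong: timezone, right: timezone) -> float:
    """How far off the stored time is when `wrong` is assumed instead of `right`."""
    m = _HEADER.match(line)
    if m is None:
        raise ValueError("not an RFC 5424 header: " + line[:40])
    a = parse_timestamp(m["ts"], wrong)
    b = parse_timestamp(m["ts"], right)
    return (a - b).total_seconds() / 3600


if __name__ == "__main__":
    print("as UTC      :", normalise(SAMPLE_LINE, UTC)["ts_utc"])
    print("as DVM-local:", normalise(SAMPLE_LINE, DVM_LOCAL)["ts_utc"])
    print("skew (hours):", skew_hours(SAMPLE_LINE, DVM_LOCAL, UTC))
```

A five-hour skew is enough to push an event outside any correlation window and to make a rule that compares the event time with the DVM's receive time fire or stay silent for the wrong reason, which is why the source-specific time-zone() setting matters.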


Splunk

What: Splunk collected event data via Event Mirroring
How: via Syslog
Notes:
Edit $SPLUNK_HOME/etc/system/local/outputs.conf (typically /opt/splunk…) and add the following:

If the Splunk license supports syslog output (not the free version):

[syslog]
defaultGroup=syslogGroup

[syslog:syslogGroup]
server = 10.1.1.197:516

If Splunk is the free version (add the first stanza under the existing [tcpout] stanza):

[tcpout]
defaultGroup=syslogGroup
[tcpout:fastlane]
server = 10.1.1.35:516
sendCookedData = false


Varonis

What: Varonis Events
How: via Syslog
Reference: http://castletips.blogspot.com/2015/08/datalert-alert-template-for-syslog.html
Notes: The default Alert Template for syslog messages contains line feeds and carriage returns. Use the referenced Alert Template to provide a parsable alert to the DVM via syslog.


VMWare vCenter

ESXi Syslog Configuration

What: Logs/Events for the ESXi host
How: via Syslog
Reference:

ESXi 5 Instructions:

http://www.vkernel.ro/blog/configure-syslog-on-esxi-5-x-hosts

https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2003322

ESXi 6 Instructions:

http://everythingshouldbevirtual.com/vsphere-6-0-syslog-configuration

Notes:

Configure with udp://<DVM IP>:514


VCSA Appliance

What: Events/Logs from the vCenter Server Appliance
How: via Syslog
Reference:

https://pubs.vmware.com/vsphere-60/index.jsp?topic=%2Fcom.vmware.vsphere.vcsa.doc%2FGUID-9633A961-A5C3-4658-B099-B81E0512DC21.html


vSphere logging via nxlog

What: vSphere administration logging on Windows-based vSphere servers
How: via NXLog
Notes:

NXLog configurations

<Input VPXD>
Module im_file
File "C:\\ProgramData\\VMware\\VMware VirtualCenter\\Logs\\vpxd-[0-9]*.log"
SavePos TRUE
Exec $Message = 'vpxd ' + $raw_event;
</Input>
<Input VPXDALERT>
Module im_file
File "C:\\ProgramData\\VMware\\VMware VirtualCenter\\Logs\\vpxd-alert-[0-9]*.log"
SavePos TRUE
Exec $Message = 'vpxd-alert ' + $raw_event;
</Input>
<Input VPXDPROFILER>
Module im_file
File "C:\\ProgramData\\VMware\\VMware VirtualCenter\\Logs\\vpxd-profiler-[0-9]*.log"
SavePos TRUE
Exec $Message = 'vpxd-profiler ' + $raw_event;
</Input>
<Route nxlog_out>
Path VPXD,VPXDALERT,VPXDPROFILER,in-nxlog => syslogng-out
</Route>


DefenseStorm ThreatMatch API

Using the DefenseStorm ThreatMatch API

DefenseStorm allows you to programmatically query ThreatMatch through a REST API, so you can check indicators against the ThreatMatch threat feeds you subscribe to.

To begin using the ThreatMatch API, you must first copy or generate an API token through the DefenseStorm UI; the token is used for authentication and authorization. Once authenticated, the API can be used to submit an IP address, hostname, or signature and find out whether it is active in a subscribed feed at that moment. The output describes the host, whether there was a match, the feed(s) the host was found in, and a rating.

While one API token may be sufficient for your network, we recommend creating an API token for each system that queries us. This allows for better organization and data analysis. For example, you could create one API token for your firewall, another for a custom threat analysis tool, and so on.

How to use the ThreatMatch API

  1. Log in to the DefenseStorm GRID (https://console.defensestorm.com)
  2. Go to Settings > Input Token
  3. If you already have an API Token generated, copy it and skip to step 5.
  4. Within Settings > Input Token, select Get API Token
  5. Call the API at the URL (https://api.defensestorm.com/threat/host/), passing in a threat query parameter.


Example Query

curl -X GET "https://api.defensestorm.com/threat/host/?threat=1.2.3.4" -H 'cookie: AK=omitted; AS=omitted'

Query Parameter: 1.2.3.4

Output fields:

  threat: the potential threat to be analyzed
  threat_matched: whether the threat was found in our collection of known threats. Possible values: true or false
  sources: which of the subscribed feeds the host was found in
  rating: any user ratings of that threat indicator. Possible values: NA, harmless, low, medium, or high

Example Threat Found

{"threat": "1.2.3.4",
  "threat_matched": true,
  "sources": ["DHS AIS", "InfraGard"],
  "rating": "medium"}

Example Threat Not Found

{"threat": "1.2.3.4",
  "threat_matched": false,
  "sources": [],
  "rating": "NA"}


Status Codes

200 - Request was good 

{"threat": String,
  "threat_matched": Boolean,
  "sources": String Array,
  "rating": String}


401 - Not Authorized 

Unauthorized


403 - Incorrect Token Type 

Forbidden


429 - Throttled Response 

{"message": "Too many requests"}


500 - Server Error 

{"Status": 500,
  "error": "Server Error",
  "Error_id": "error_id_value_here"}
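A minimal lookup client for the endpoint, query parameter, response shape and status codes documented above, added here as an example rather than taken from DefenseStorm. It passes the cookie value exactly as the curl command does, treats 429 and 5xx as retryable and 401/403 as configuration problems, and validates that a 200 body has the four documented keys and a documented rating. The is_block_candidate threshold is an assumed local policy, and no network request is made unless lookup is called.

```python
"""Added example, not DefenseStorm's client: query ThreatMatch for one
indicator and interpret the documented response and status codes."""
import json
import urllib.error
import urllib.parse
import urllib.request

THREAT_URL = "https://api.defensestorm.com/threat/host/"  # endpoint from the page
RATINGS = ("NA", "harmless", "low", "medium", "high")     # rating values from the page
REQUIRED_KEYS = ("threat", "threat_matched", "sources", "rating")


class ThreatMatchError(Exception):
    """Non-200 response. `retryable` is True for throttling and server errors."""

    def __init__(self, status: int, body: str, retryable: bool = False):
        super().__init__("ThreatMatch HTTP %d: %s" % (status, body[:120]))
        self.status = status
        self.retryable = retryable


def build_url(indicator: str) -> str:
    """Percent-encode the indicator so hostnames and signatures survive intact."""
    return THREAT_URL + "?" + urllib.parse.urlencode({"threat": indicator})


def interpret(status: int, body: str) -> dict:
    """Map the documented status codes to a result dict or a ThreatMatchError."""
    if status == 200:
        data = json.loads(body)
        missing = [k for k in REQUIRED_KEYS if k not in data]
        if missing or data["rating"] not in RATINGS:
            raise ThreatMatchError(status, "unexpected 200 body: " + body)
        return data
    if status == 429:                      # throttled: back off and retry
        raise ThreatMatchError(status, body, retryable=True)
    if status >= 500:                      # server error: retry later
        raise ThreatMatchError(status, body, retryable=True)
    # 401 (no/invalid token) and 403 (wrong token type) need a config fix, not a retry
    raise ThreatMatchError(status, body)


def lookup(indicator: str, cookie: str, timeout: float = 15.0) -> dict:
    """Perform the GET from the curl example; `cookie` is the 'AK=...; AS=...' value."""
    req = urllib.request.Request(build_url(indicator), headers={"Cookie": cookie})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return interpret(resp.status, resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        return interpret(err.code, err.read().decode("utf-8"))


def is_block_candidate(result: dict, minimum: str = "medium") -> bool:
    """Assumed local policy: act only on matches rated at or above `minimum`."""
    if not result["threat_matched"]:
        return False
    return RATINGS.index(result["rating"]) >= RATINGS.index(minimum)


if __name__ == "__main__":
    # Offline demonstration on the two response bodies shown above.
    found = interpret(200, '{"threat": "1.2.3.4", "threat_matched": true, '
                           '"sources": ["DHS AIS", "InfraGard"], "rating": "medium"}')
    print(found["sources"], is_block_candidate(found))
    try:
        interpret(429, '{"message": "Too many requests"}')
    except ThreatMatchError as err:
        print("throttled, retryable:", err.retryable)
```

Keeping the interpretation separate from the transport means the status-code handling can be tested without a token, and a caller that batches lookups can honour retryable on 429 instead of hammering the endpoint.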



Installing Security Onion w/ BRO

What is Security Onion?

Security Onion (SO) is a Linux distribution for intrusion detection, network security monitoring, and log management. It is based on Ubuntu and contains Snort, Suricata, Bro, OSSEC, Sguil, Squert, ELSA, Xplico, NetworkMiner, and many other security tools.

DefenseStorm encourages customers to use Bro, one of the applications contained in the SO distribution, for network monitoring; it provides an additional layer of instrumentation and greatly enhances the ability to detect malicious behavior.

Security Onion is a network monitoring platform that inspects your network for security-related events. Traffic seen by Security Onion is captured and stored for analysis, and the entire network is examined for possible threats. It also offers both network- and host-based intrusion detection (NIDS/HIDS) to help analyze the captured traffic. In addition to NIDS/HIDS, Security Onion offers the analysis tools Sguil, Squert, and Enterprise Log Search and Archive (ELSA). See the Security Onion project site for additional information.

What is Bro and why should I enable it with Security Onion?

Bro is an open-source network analyzer. Enabling it when installing Security Onion benefits your network security because it assists with analysis of the traffic captured from your network. See the Bro project site for additional information.

Installing Security Onion

The following steps walk you through how to install Security Onion, enable Bro, and make sure syslog data is being sent to the DefenseStorm Virtual Machine. 

Install

  1. Obtain the Security Onion distribution by following the steps outlined here

  2. Boot CD, select English

  3. Preparing to install Security Onion – Continue

  4. Select Download updates while installing

    1. DO NOT install 3rd party software

  5. Select Erase disk and install Security Onion

  6. Click - Install Now

  7. Timezone doesn’t matter - going to reset to UTC later

  8. Keyboard - use default

  9. Who are you?

    1. Your Name: 

    2. Your computer's name: defensestorm_onion

    3. Pick a username: 

    4. Pick a password: 

  10. Reboot

  11. Login


Setup

  1. Configure network interfaces

  2. eth0 management interface

    1. Set to Static. Select an available IP address on the network.

    2. Select the default gateway for the network.

    3. Select DNS.

    4. Select domain.

  3. eth1 sniffing interface

  4. Reboot

  5. Continue Setup

  6. Production Mode

  7. Standalone

  8. Custom

  9. Sguil username: DefenseStorm

  10. Sguil password: Same as System Username

  11. Days of data to keep: 30 (default)

  12. Days of data to repair: 7 (default)

  13. Select Snort

  14. Select "Emerging Threats GPL"

  15. PF_RING: 4096 (default)

  16. Interface to be monitored: eth1

  17. Yes, enable IDS engine

  18. IDS engine processes to run: 1

  19. Enable Bro: Yes – Select 3 cores for Bro

  20. Enable File Extraction: Yes

  21. Disable http_agent

  22. Disable Argus

  23. Disable Prads

  24. Enable full capture

  25. pcap file size: 150 (default)

  26. Enable mmap i/o: Yes

  27. PCAP ring buffer: 64 (default)

  28. Purge Logs: 90 (default)

  29. Enable Salt: No

  30. Enable ELSA: Yes

  31. Disk space for ELSA: 237 (default)

  32. Yes, make changes


Post-Setup for Security Onion

To ensure that your box has the most up to date information, perform the following steps:

  1. To pull up the command line: Ctrl-Alt-T

  2. To install any updates: $ sudo soup 

  3. To shut down the system after the updates are installed: $ sudo shutdown -h now 

For Security Onion 16.04 or Higher, use the following:

This version of Bro writes events in JSON format. DefenseStorm currently supports the older Bro TSV (tab-separated values) format. To switch Bro to TSV output, comment out the json-logs load line with the following command:

sudo sed -i 's|@load json-logs|#@load json-logs|g' /opt/bro/share/bro/site/local.bro

Then restart Bro:

sudo so-bro-restart

Finalize the configuration to log to DVM as a syslog receiver. 

  1. Change directory to /etc/syslog-ng/
  2. Use an editor to modify the configuration file:
    1. sudo vi /etc/syslog-ng/syslog-ng.conf
    2. Modify the configuration file as per this example. Below the Sources section of the file add this destination (replace <DVM IP ADDRESS> with the IP address of the DVM and leave in the quotes):
       destination d_dvm { network("<DVM IP ADDRESS>" transport (tcp) port(514) flags("syslog-protocol") ); };
    3. Under the Log section of the file add the following line:
       log { destination(d_dvm); };
    4. Write your changes to the file.
  3. $ sudo service syslog-ng restart


For Security Onion 14.04 or Lower, use the following:

Finalize the configuration to log to the DVM as a syslog receiver.

  1. Change directory to /etc/syslog-ng/

  2. Use an editor to modify the configuration file.

    1. sudo vi /etc/syslog-ng/syslog-ng.conf

    2. Modify the configuration file to comment out the configuration lines using the # sign for ELSA and remove the comment from the syslog configuration lines as per this example:

Under Log section of the file comment out the following lines (4 total):

# rewrite(r_host);
# rewrite(r_from_pipes);
# rewrite(r_pipes);
# log { destination(d_elsa); };

In the same Log section, directly under the lines you just commented out, add the following line:

 log { destination(d_dvm); };

 

Under destinations section of file (right below the line that begins with destination d_elsa) (Replace <DVM IP ADDRESS> with the IP of the DVM and leave in the quotes):

destination d_dvm { network("<DVM IP ADDRESS>" transport (tcp) port(514) flags("syslog-protocol") ); };

example:

destination d_dvm { network("172.16.10.119" transport (tcp) port(514) flags("syslog-protocol") ); }; 

Write your changes to the file.

 

Then:

$ sudo service syslog-ng restart

  

Verify that SecurityOnion is working on the Network

The followings steps are necessary to verify and test the Security Onion server on the customer network.

  1. Assign a static IP Address for Eth0 for management of SO server.

  2. Set up span/mirror ports on your switching infrastructure for Eth1 to perform its packet capture and analysis function. (Recommended no more than 600 Mbps sustained packet rate due to hardware limitations.)*

  3. Verify functionality of the Bro packet capture and analysis engine:

    1. Change directory to /nsm/bro/logs/current

    2. tail -f conn.log

    3. Result: log data rolling through conn.log
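Bro's conn.log in the TSV layout the DVM expects, as an added example that is not part of this page or of Security Onion: a Python reader that honours the #fields/#types header, turns unset fields ("-") into None, converts numeric column types, and distinguishes TSV output from the JSON output that the sed command above disables. The log excerpt, its addresses and its connection identifiers are constructed; the S0 counter is one defender-side use of the parsed records.

```python
"""Added example, not from the page: parse a Bro conn.log in TSV format and
tell TSV output from JSON output (the DVM expects TSV)."""
import json

# Constructed excerpt in Bro's TSV layout; tabs separate the columns.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring",
    "1709647331.123456\tCabc1\t10.0.0.5\t51234\t192.0.2.10\t443\ttcp\tssl\t1.25\t500\t9000\tSF",
    "1709647332.000000\tCabc2\t10.0.0.7\t53001\t192.0.2.53\t53\tudp\tdns\t0.01\t60\t120\tSF",
    "1709647333.500000\tCabc3\t10.0.0.9\t40000\t198.51.100.4\t3389\ttcp\t-\t-\t-\t-\tS0",
    "#close\t2024-03-05-14-02-20",
])

# Bro column types that should become numbers; everything else stays a string.
_NUMERIC = {"port": int, "count": int, "int": int,
            "time": float, "interval": float, "double": float}


def looks_like_json(first_line: str) -> bool:
    """Bro JSON output starts each record with '{'; TSV output starts with '#separator'."""
    return first_line.lstrip().startswith("{")


def parse_conn_log(text: str) -> list:
    """Return one dict per record, typed according to the #types header."""
    fields, types, records = [], [], []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            key, _, rest = line.partition("\t")
            if key == "#fields":
                fields = rest.split("\t")
            elif key == "#types":
                types = rest.split("\t")
            continue
        if not fields:
            raise ValueError("data row before #fields header")
        cols = line.split("\t")
        if len(cols) != len(fields):
            raise ValueError("column count mismatch: %r" % line)
        coltypes = types if types else ["string"] * len(fields)
        rec = {}
        for name, typ, raw in zip(fields, coltypes, cols):
            if raw == "-":                 # unset field
                rec[name] = None
            elif raw == "(empty)":
                rec[name] = ""
            else:
                rec[name] = _NUMERIC.get(typ, str)(raw)
        records.append(rec)
    return records


def unanswered_syn_count(records: list) -> int:
    """S0 = connection attempt seen, no reply; a sudden rise often indicates scanning."""
    return sum(1 for r in records if r["conn_state"] == "S0")


if __name__ == "__main__":
    first = SAMPLE_CONN_LOG.splitlines()[0]
    print("json output:", looks_like_json(first))
    rows = parse_conn_log(SAMPLE_CONN_LOG)
    print(json.dumps(rows[0], indent=2))
    print("S0 records:", unanswered_syn_count(rows))
```

Run looks_like_json on the first line of /nsm/bro/logs/current/conn.log after the restart: if it still returns True, the json-logs line was not commented out and the DVM will not parse the records.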



Setup Exchange Audit Logging

Exchange audit logging must be setup at the mailbox level and is outside the scope of this document. Please refer to help that is available from Microsoft for setting up Exchange Audit Logging.

To verify whether Audit Logging is enabled for some or all users, use the following PowerShell command: Get-Mailbox | Format-List Audit*

The output would look like this:


Setup the PowerShell Script

  1. Create a new file on the system called
    "C:\ExchangeAudit\Write-MailboxAuditLogEvents.ps1" and paste in the contents of the script provided to you. This step is needed so the system trusts the PowerShell script as locally created rather than downloaded to the system.
  2. Create a new Event Source
    1. Open PowerShell as Administrator
    2. Run the following command: New-EventLog -LogName Application -Source "Exchange Audit"


Setup Task Scheduler

  1. Open Task Scheduler and select "Create Basic Task...".
    1. Name: "Exchange Audit Logging". Click Next.
    2. Select "When the computer starts". Click Next.
    3. Select "Start a program". Click Next.
    4. Program/script: PowerShell
       Add arguments:
       -command "& C:\ExchangeAudit\Write-MailboxAuditLogEvents.ps1"
       Click Next.
    5. Check "Open the Properties dialog for this task when I click Finish". Click Finish.
    6. Verify/set the following Properties settings:
       General tab:
         Select "Run whether user is logged on or not"
         Check "Run with highest privileges"
         Select "Configure for:" Windows Server 2012 R2
       Conditions tab:
         All are checked
       Settings tab:
         Check "Allow task to be run on demand"
         Check "If the running task does not end when requested, force it to stop"
         Select "Do not start a new instance"
       Click OK.
    7. While the Properties dialog is open, select the Triggers tab:
       Edit the "At startup" trigger
       Select "Repeat task every:" 1 hour
       Select "Stop task if it runs longer than:" 30 minutes
    8. Verify the settings against the screenshots at the end of this document.

Verify Setup

  1. Reboot the system.
  2. Verify the task ran at startup by checking Task Scheduler:
    1. Click on Task Scheduler Library on the left; Exchange Audit Logging should show a Status of "Running".
  3. Verify events are being written to the event log:
    1. Open the Event Viewer and open the Application log.
    2. Verify that events with source 'Exchange Audit' are being written to the log.


TXT FILES

<#
.SYNOPSIS
Write-MailboxAuditLogEvents.ps1 - Write Exchange Server mailbox audit log entries to the Application event log

.DESCRIPTION
This PowerShell script generates one Application event for each mailbox audit log entry of each user.

.OUTPUTS
Results are written to the Event Log - Application Events, "Exchange Audit" source.
The source must be created before using this script. It can be created with the following command:
New-EventLog -LogName Application -Source "Exchange Audit"

.PARAMETER Hours
How many hours in the past to query for. Default is 48 hours.

.PARAMETER Mailbox
The mailbox to pull audit data for. Default is all mailboxes.

.PARAMETER LogonTypes
The logon types to pull data for. Default is all: Delegate,Owner,Admin

.EXAMPLE
.\Write-MailboxAuditLogEvents.ps1 -Mailbox Payroll -Hours 48
Checks the Payroll mailbox for mailbox audit log entries from the last 48 hours and writes them to the event log.

.EXAMPLE
.\Write-MailboxAuditLogEvents.ps1 -LogonTypes "Delegate,Admin" -Hours 24
Checks all mailboxes for delegate and admin audit log entries from the last 24 hours.

.NOTES
Originally Written by: Paul Cunningham
Find me on:
* My Blog:  http://paulcunningham.me
* Twitter:  https://twitter.com/paulcunningham
* LinkedIn: http://au.linkedin.com/in/cunninghamp/
* Github:   https://github.com/cunninghamp
For more Exchange Server tips, tricks and news
check out Exchange Server Pro.
* Website:  http://exchangeserverpro.com
* Twitter:  http://twitter.com/exchservpro
Modified by: Alex Hernandez
Change Log
V1.00, 12/02/2015 - Initial version.
V2.00, 12/10/2016 - Modified to support writing to Event Logs and query all mailboxes
#>
#requires -version 2
[CmdletBinding()]
param (
    [Parameter(Mandatory=$false)]
    [string]$Mailbox,

    [Parameter(Mandatory=$false)]
    [string]$LogonTypes = "Delegate,Owner,Admin",

    [Parameter(Mandatory=$false)]
    [int]$Hours = 48
)

#...................................
# Variables
#...................................
Write-Verbose "Variables"
$now = Get-Date                                         # Used for the query window
$date = $now.ToShortDateString()                        # Short date, kept from the report version of the script
# Local UTC offset in hours; appended to every event so the collector can normalise timestamps
$localUtcOffset = [System.TimeZone]::CurrentTimeZone.GetUtcOffset([datetime]::Now).TotalHours
Write-Verbose $localUtcOffset

#...................................
# Script
#...................................
# Add the Exchange 2010/2013 snapin if it is not already loaded in this PowerShell session
if (!(Get-PSSnapin | Where-Object {$_.Name -eq "Microsoft.Exchange.Management.PowerShell.E2010"}))
{
    try
    {
        Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction STOP
    }
    catch
    {
        # Snapin was not loaded; nothing more can be done without the Exchange cmdlets
        Write-Warning $_.Exception.Message
        EXIT
    }
    . $env:ExchangeInstallPath\bin\RemoteExchange.ps1
    Connect-ExchangeServer -auto -AllowClobber
}

$auditlogentries = @()
$mailboxes = @()

# Build the list of mailbox aliases to query: all mailboxes unless -Mailbox was given
if ([string]::IsNullOrEmpty($Mailbox)) {
    $mailboxlist = Get-Mailbox -ResultSize Unlimited
    foreach ($alias in $mailboxlist)
    {
        $thisuser = Select-Object -InputObject $alias -Property Alias | %{$_.Alias}
        $mailboxes += $thisuser
    }
}
else {
    $mailboxes += $Mailbox
}

foreach ($thismailbox in $mailboxes)
{
    Write-Verbose $thismailbox
    $identity = (Get-Mailbox $thismailbox).Identity
    # Wrap in @() so a single returned entry still has a .Count (PowerShell 2 scalars do not)
    $auditlogentries = @(Search-MailboxAuditLog -Identity $identity -LogonTypes $LogonTypes -StartDate ($now).AddHours(-$Hours) -ShowDetails)
    if ($auditlogentries.Count -gt 0)
    {
        foreach ($line in $auditlogentries)
        {
            Write-Verbose $line
            # Flatten the entry to "Prop=Value; Prop=Value; ..." and strip the @{ } wrapper
            $tmpitem = $line | Select-Object *
            $tmpline =  ([string]$tmpitem).trim("@","{","}") + $localUtcOffset
            Write-Verbose $tmpline
            Write-EventLog -LogName Application -Source "Exchange Audit" -EntryType Information -EventId 1 -Message $tmpline
        }
    }
}

# Heartbeat event so the collector can confirm the task ran even when there were no audit entries
$tmpitem = "This is a test event;"
$tmpline =  ([string]$tmpitem).trim("@","{","}") + "; localUtcOffset=" + $localUtcOffset
Write-Verbose $tmpline
Write-EventLog -LogName Application -Source "Exchange Audit" -EntryType Information -EventId 1 -Message $tmpline
exit