Portaledge and Tenable’s Security Center
Last week I introduced our normalized output for enterprise SEMs. Once we created this new format, we had to get the output from Portaledge to Tenable’s Security Center.
Portaledge runs within OSIsoft’s PI Advanced Computing Engine (ACE) and writes the normalized logs on the system that executes the ACE modules. Tenable has a log correlation client for Windows that forwards application logs, security logs, arbitrary log files and system statistics to Tenable’s Log Correlation Engine (LCE). We use the ‘Log Files’ feature of that client. The client is installed on the system running the ACE modules, polls the normalized output file at a configured interval, and forwards any data appended since the previous poll to the LCE. Nothing is parsed at this stage; the client only moves the raw lines.
Once the data has reached the LCE, a library file (a .prm file) is needed to analyze the data and populate the relevant fields within Security Center. Creating the library file was surprisingly easy. I am no regular expression expert, but it only took a few days of tweaking the library file to get it to correctly extract all of the data needed to populate the appropriate fields. Below is another example of the normalized output, followed by the regular expression used to extract the fields from it.
03/14/2010 13:12:24 | Type: Portaledge | Event: AvailabilityClass | Sensor: Avail_ByIP | DstIP: 192.168.10.21 | DstPort: 0 | SrcIP: 0.0.0.0 | SrcPort: 0 | Proto: 0 | Msg: Availability Class Event by IP: 192.168.10.21 with severity: 5
regex=Sensor\:\ ([a-zA-Z\_]+)\ \|\ DstIP\:\ ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\ \|\ DstPort\:\ ([0-9]{1,5})\ \|\ SrcIP\:\ ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})\ \|\ SrcPort\:\ ([0-9]{1,5})\ \|\ Proto\:\ ([0-9]{1,3})
LCE library files use the keyword match= as a fast literal pre-filter: a log line is only handed to a plugin’s regular expression once every match= string for that plugin appears in the line. The regex= expression is then used to extract the sensor name, the source and destination IP addresses, the source and destination ports and the protocol number as capture groups. The expression above captures exactly those six fields and sends them to Security Center; note that it does not capture the timestamp or the severity value carried in the Msg field, so those are only available in the raw message text.
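To make the two-stage match= then regex= evaluation concrete, here is an added Python example; it is not code from the original post, from Digital Bond, or from Tenable. It loads a constructed plugin fragment that contains only the two keywords discussed above (a real .prm file carries further keys such as the plugin id, name and output template, which are deliberately left out), runs it over the post’s own sample line plus three constructed lines, and adds an address and port range check that the regular expression itself does not perform. The regular expression is the one from the post, verbatim; the plugin text, the extra sample lines and the validation step are assumptions.

```python
import ipaddress
import re

# Regular expression from the post, copied verbatim. LCE evaluates it as
# PCRE; every escape used here is also accepted by Python's re module.
PORTALEDGE_REGEX = (
    r"Sensor\:\ ([a-zA-Z\_]+)\ \|\ DstIP\:\ ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})"
    r"\ \|\ DstPort\:\ ([0-9]{1,5})\ \|\ SrcIP\:\ ([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})"
    r"\ \|\ SrcPort\:\ ([0-9]{1,5})\ \|\ Proto\:\ ([0-9]{1,3})"
)

# Constructed plugin fragment (assumption): only the two keywords the post
# discusses. Real .prm files carry further keys (id, name, output template)
# that are intentionally not reproduced here.
PLUGIN_TEXT = "match=Type: Portaledge\nmatch=Sensor:\nregex=" + PORTALEDGE_REGEX + "\n"

# Names for the six capture groups, in the order the expression captures them.
FIELD_NAMES = ("sensor", "dstip", "dstport", "srcip", "srcport", "proto")


def load_plugin(text):
    """Parse match= and regex= lines into (list of substrings, compiled regex)."""
    matches, regex = [], None
    for line in text.splitlines():
        key, _, value = line.partition("=")
        if key == "match":
            matches.append(value)
        elif key == "regex":
            regex = re.compile(value)
    if regex is None:
        raise ValueError("plugin has no regex= line")
    return matches, regex


def apply_plugin(plugin, log_line):
    """Return the extracted fields, or None when the plugin does not apply.

    Stage 1: every match= string must occur verbatim (cheap substring test).
    Stage 2: regex= runs only on survivors and yields the six capture groups.
    """
    matches, regex = plugin
    if not all(m in log_line for m in matches):
        return None
    m = regex.search(log_line)
    if m is None:
        return None
    return dict(zip(FIELD_NAMES, m.groups()))


def validate_fields(fields):
    """Range checks the regex itself does not perform.

    [0-9]{1,3} accepts octets up to 999 and [0-9]{1,5} accepts ports up to
    99999, so flag values a downstream SEM would otherwise store unchecked.
    """
    problems = []
    for key in ("dstip", "srcip"):
        try:
            ipaddress.IPv4Address(fields[key])
        except ValueError:
            problems.append(f"{key} is not a valid IPv4 address")
    for key in ("dstport", "srcport"):
        if not 0 <= int(fields[key]) <= 65535:
            problems.append(f"{key} is out of range")
    if not 0 <= int(fields["proto"]) <= 255:
        problems.append("proto is out of range")
    return problems


# Constructed sample lines: the post's own example, a second constructed
# event on TCP/502, a line that fails the match= pre-filter, and a line
# whose address and port pass the regex but are not valid values.
SAMPLE_LINES = [
    "03/14/2010 13:12:24 | Type: Portaledge | Event: AvailabilityClass | "
    "Sensor: Avail_ByIP | DstIP: 192.168.10.21 | DstPort: 0 | SrcIP: 0.0.0.0 | "
    "SrcPort: 0 | Proto: 0 | Msg: Availability Class Event by IP: 192.168.10.21 with severity: 5",
    "03/14/2010 13:15:02 | Type: Portaledge | Event: TrafficClass | "
    "Sensor: Unauthorized_Writer | DstIP: 192.168.10.21 | DstPort: 502 | SrcIP: 10.0.0.7 | "
    "SrcPort: 44123 | Proto: 6 | Msg: constructed sample",
    "03/14/2010 13:16:40 | Type: Windows | Event: Logon | Sensor: n/a | Msg: unrelated log",
    "03/14/2010 13:17:11 | Type: Portaledge | Event: TrafficClass | "
    "Sensor: Bad_Octet | DstIP: 192.168.10.999 | DstPort: 70000 | SrcIP: 10.0.0.7 | "
    "SrcPort: 1 | Proto: 6 | Msg: constructed sample",
]


def process(lines, plugin_text=PLUGIN_TEXT):
    """Run every line through the plugin; return (fields, problems) per hit."""
    plugin = load_plugin(plugin_text)
    results = []
    for line in lines:
        fields = apply_plugin(plugin, line)
        if fields is not None:
            results.append((fields, validate_fields(fields)))
    return results


if __name__ == "__main__":
    for fields, problems in process(SAMPLE_LINES):
        print(fields, "OK" if not problems else problems)
```

Running the block shows three hits: the Windows line never reaches the regex because the “Type: Portaledge” pre-filter fails, and the last line extracts cleanly yet is flagged twice, which is the practical reason to keep a range check after the regex rather than trusting `[0-9]{1,3}` to mean “a valid octet”.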
Here are a couple of screenshots of Tenable’s Security Center displaying the normalized logs from Portaledge (images not reproduced here):
Once the information is in Security Center, it becomes simple to monitor the events as they are generated and to drill down to the detailed, normalized messages that Portaledge originally created.
FD: Tenable is a partner with Digital Bond on the US DoE funded Portaledge project.
Author: Charles Perine
Posted: March 18th, 2010 under Portaledge.
Comments: 1
Comments
Pingback from Digital Bond » New Docs on Integrating Portaledge with SEM’s
Time: April 20, 2010, 6:43 pm
[...] In an earlier blog entry Kevin talked about sending the Portaledge attack detection events to a Security Event Manager [SEM] on the corporate or enterprise network. Essentially this makes PI a Control System SEM that then contributes to the overall corporate SEM/detection/response effort. [...]