F-Deets Evaluation Guide

Guide version: 1.0.2
Software version: 0.6.3
Last revision: 08/11/2011
Contents

1 Introduction
2 Getting started
  2.1 Installation
  2.2 Platform Support
  2.3 License
3 Using F-Deets
  3.1 The Configuration Wizard
  3.2 Uploading a license
  3.3 Defining a first view
  3.4 Displaying data
  3.5 Working with F-Deets
  3.6 Generating reports
  3.7 Advanced functions
4 F-Deets components and configuration
  4.1 Parser & Server
  4.2 Syslog
  4.3 GUI Client
  4.4 Windows Services
5 Troubleshooting
6 Uninstall
1 Introduction

F-Deets is a tool for network administrators: it gathers and analyzes log messages. It provides the means to quickly analyze and extract data from multiple system and device logs. With F-Deets you can access and analyze any subset of collected logs through either default or user-defined filters.

The F-Deets architecture comprises:

- syslog server: aggregates network-generated events
- event parser and event store: extracts and parses events and stores them in a built-in relational database in a field-by-field format (e.g. IP addresses, TCP/UDP ports, etc. are extracted and made available for searching and filtering)
- GUI: a Windows interface for viewing, sorting, filtering and analyzing events

The F-Deets server presents the parsed database data to the client, so it can be treated as an intermediary between the processed syslog data and the user GUI. F-Deets components can be installed on one server (the default) or on multiple servers.

Notice: All components except the GUI may be installed on a Linux or MS Windows machine. The GUI is currently supported only under Windows.

Two key F-Deets terms are Connection and View:

- A connection is defined by the F-Deets server address and user credentials. A connection represents an authenticated session to the F-Deets server. Note that under one connection you can view data from multiple syslog-compatible sources, because the F-Deets syslog, database and server can integrate multi-source data. In the F-Deets GUI you may define multiple connections.
- A view is always defined in the context of a connection. A view is the filtered data obtained from a given connection, i.e. from a given F-Deets server. A view may represent current data (constantly updated, as in the Unix tail tool) or a set of historic data from a given time period. You may define multiple views per connection.
More information on the F-Deets architecture can be found in chapter 4 of this guide.

2 Getting started

2.1 Installation

F-Deets is distributed as a single-file installation setup. To install F-Deets simply run it and the setup will guide you through the fairly standard step-by-step process. If you are installing F-Deets for the first time, the default settings need not be changed.

During the installation you may be prompted to install Microsoft .NET 3.5. It is necessary to install it in order to use the F-Deets client. If you selected only the server part of the installation, the .NET framework will not be installed. The Microsoft C++ Redistributables will be installed without prompting the user.

After all the necessary files are copied to disk, three Windows services will be registered and started. Additionally, Windows Firewall exceptions will be created so that the F-Deets syslog may work properly. If you are using a custom desktop firewall, make sure you add the appropriate exceptions manually and then restart the Syslog and ConnectionDaemon services.

F-Deets comes with a small set of sample data, so you can test it without providing any actual log files or logging real-time data to the F-Deets syslog server. See the instructions in the Using F-Deets chapter.

Notice: When choosing the install directory make sure that the disk you are installing F-Deets to has enough space left for the incoming log messages and database files. Parsed data takes roughly four times the space the plain log files do. Therefore if you have 100MB of logs per month, be prepared for 500 MB of disk space consumed each month and 6 GB per year. Installing F-Deets on a non-system drive may improve performance, especially if there is a large amount of logs generated.
2.2 Platform Support

Platform support for the F-Deets modules is shown below:

Module              Windows XP/200x   Windows 7   Linux
syslogd             Yes               Yes         System
Parser & database   Yes               Yes         Yes
Server              Yes               Yes         Yes
GUI                 Yes               Yes         No

F-Deets supports both 32- and 64-bit environments. F-Deets used on a 64-bit machine tends to work slightly faster.

2.3 License

F-Deets requires a license file to work. You can obtain a demo license from the F-Deets web site. You will be asked for a license when you first connect to the F-Deets server.
3 Using F-Deets

3.1 The Configuration Wizard

To start the F-Deets client, select F-Deets from the Start menu. When you first start the program a configuration wizard will appear. It will guide you through basic configuration steps like defining a server connection, creating a non-admin user and selecting the directories in which logs are stored. In general it is safe to assume that the wizard's default values are correct.

The first dialog is used to set up the connection parameters of the F-Deets server. Typically you have installed the server on the same machine as the client (and the rest of the F-Deets components), so all the default parameters should be used.
On the next dialog the F-Deets client will try to connect to the server with the provided parameters. If you have problems at this point make sure that the F-Deets server is running and that the client is able to connect to the specified port.

In the third step you should enter the new admin account password. The admin account will be used to manage other users for the default connection.

The next step is to create the connection's default user. This is the working account for log browsing and all typical tasks:
In the last step the default log directory should be initialized. This is the directory for the unprocessed syslog files. Please note that the F-Deets syslog service is used to receive syslog connections from the network and store syslog-formatted log files on the local disk. However, you can manually copy syslog-format files to the same directory; they will be parsed and processed by F-Deets like all other syslog files. You can define up to 3 directories; one is created by default:

Notice: After this step you may copy the sample log file to the syslog source data directory. The log file will be automatically parsed and the sample log records will be added to the F-Deets database.

Defining syslog directories is the last step of the configuration wizard. Please press Finish on the confirmation dialog to proceed to the main application window:
3.2 Uploading a license

The F-Deets server requires a license to work. After a fresh install, when the license expires or if the event limit is exceeded, a dialog prompting for a new license will appear. It can be used to upload a new license.

To upload a new license you must first click the Select license button and select a license file on your disk. The license will then be verified and, if it is valid, the Upload license button will activate. Clicking it will cause the new license to be uploaded and activated.

To manually upload a new license to a server, right-click a server in the F-Deets GUI connections list, select Upload license and proceed as described above. Remember that configuration privileges are required to upload a license.

The event count is calculated on a weekly-average basis. Exceeding the event limit by more than 10% will invalidate the license until the event count lowers. If the event limit is exceeded by less than 10%, a warning message will appear, but the server will still work normally.

3.3 Defining a first view

To begin work with F-Deets the term View needs to be explained: a view is a representation of a subset of logs you wish to view. It is defined by a name, a description, the set of columns that are to be displayed and a set of filters that narrow the results. For example a filter called IKE may show each event's time, type, number and message while showing only the IKE category.

To start using F-Deets after a fresh install and running the configuration wizard you must create at least one view. To do this:
- Right-click on the local connection in the connection/view list on the left.
- Choose Connect and enter the admin password (the window title should change from "No active connection set" to "Local/admin").
- Click the Define new view icon or use the right-click menu again.
- Enter the view name and optionally a description. You can also define more view options, but at this point simply confirm and close the dialog. The view will appear under the connection name.
- Double-click on the view name to bring up the view window.
3.4 Displaying data

With the view window open it is time to get a look at some log data. To do this a time frame must be defined. This may be a bit tricky if you enter a very short or very recent time frame: with 1 hour, for example, there is a chance that no log events were actually recorded in that time (especially if you use the built-in sample log data). For a start use a long time frame, for example 2 weeks, or enter a custom time interval. Click on the Search logs icon to get the data.

Selecting the data time interval.

Filtered data in the view pane.
3.5 Working with F-Deets

The main window consists of four major panes. A horizontal toolbar at the top is used to manage user and log directory configuration; there is also a current server information label and a button toggling the server/views tree. A new view wizard can also be run from here. At the bottom of the window a status bar is visible. It shows the application version, the current time and the states of the F-Deets services. The left pane contains a connection/view tree showing available log-server connections and data views. When you open a view, a log view window will appear in the middle. At its top another toolbar is visible, providing options like tail mode, jumping to a specified log, etc. In the middle there is a grid showing the current view's results.

The log view window also contains a status bar, which shows the current server time, connection state, message count and active filter count. Right-clicking on any cell in the messages grid will make a popup menu appear. It will contain various filter-related options like creating a new filter based on the cell's value, editing or removing existing filters, etc.
Take a minute or two and try out the options. The view you create can then be saved with a new name, so that you don't have to repeat the same steps again and again.

3.6 Generating reports

Report generation is a feature available since version 6.0. A sample view of the generate report window can be seen below.

There are four possible output formats for a report: pdf, html, csv and xml. There are also several options available for the reports, though not each of them is valid for each file format. A generated report will contain exactly the same events as the view for which it was generated. The columns visible depend on the Report content option: Columns from view means that the same columns that are visible in the view will be included, and Typical columns is a predefined set of columns that contain the most useful information. After clicking the Export button you will be prompted to specify the report's save location and file name.
3.7 Advanced functions

To view the details of an event, double-click it in the event view. A properties window will appear. Important information is highlighted by different colors.

Right-clicking on an event will pop up a menu with many options. It allows for adding filters based on the clicked value and column, removing filters, and adding or removing columns. There are two notable options which are useful for debugging or intrusion detection. The first is the Trace connection option. It can be used to track an entire connection through many devices. When opened for an event, it will find all related events from all devices that the connection came through. The second important feature is the Count events by this column option. It is applicable only for certain columns (like IPs, ports or category). It will find and count all events grouped by the given column and display them in a new window. More grouping columns can later be added for more detailed results. A sample grouping view can be seen below.
Through this dialog a column can be added to or removed from the grouping view. All filters from the original view are preserved, so the counts are performed only on the data that was viewed before. Furthermore, double-clicking on any of the rows will display a new, standard grid, with filters based on the selected values. In other words, the new grid will contain exactly the same data that was grouped together and clicked. Such a view can of course be saved for further reference.

4 F-Deets components and configuration

F-Deets comprises five major components: server, parser, syslog, client and services monitor. Syslog listens for new messages, the parser analyzes them and stores them within a database, and the server handles network communication with the client, which is the user's main tool for accessing the log messages. The services monitor is a small application which resides in the system tray and shows the status of the F-Deets services.
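The following Python script is an added illustration, not F-Deets code (the guide does not show the real parser, storage schema or GUI). It reduces to a few functions what the introduction, section 3.3, section 3.7 and the component overview above describe: syslog lines are parsed field by field (IP addresses and ports pulled out into their own columns) into a relational store, a view selects columns and applies filters, and Trace connection and Count events by this column are expressed as queries over that store. The sample log lines, the column set and every function name are constructed for this example.

```python
import re
import sqlite3

# Constructed sample syslog lines in BSD (RFC 3164) format; not real F-Deets data.
SAMPLE_LOGS = """\
<6>Aug  8 10:01:02 fw01 kernel: ACCEPT IN=eth0 SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP SPT=51234 DPT=22
<6>Aug  8 10:01:05 fw01 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.168.1.10 PROTO=TCP SPT=4444 DPT=445
<6>Aug  8 10:01:09 fw01 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.168.1.11 PROTO=TCP SPT=4445 DPT=445
<86>Aug  8 10:02:00 srv01 sshd[2211]: Accepted password for alice from 10.0.0.5 port 51234 ssh2
<86>Aug  8 10:02:30 srv01 sshd[2212]: Failed password for root from 203.0.113.9 port 50111 ssh2
"""

FACILITY_NAMES = {0: "kern", 4: "auth", 10: "authpriv"}  # category = syslog facility

HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# Field extractors: iptables-style KEY=VALUE pairs and sshd-style "from IP port N".
KV_RE = re.compile(r"\b(SRC|DST|SPT|DPT)=(\S+)")
SSH_RE = re.compile(r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port (?P<port>\d+)")

# The columns the event store keeps; also the whitelist for view/filter names.
COLUMNS = ("ts", "host", "program", "category", "src_ip", "dst_ip",
           "src_port", "dst_port", "message")


def parse_line(line):
    """Split one syslog line into the field-by-field record an event store keeps."""
    m = HEADER_RE.match(line)
    if not m:
        return None  # unparseable line: skipped, never stored half-parsed
    facility = int(m.group("pri")) // 8  # severity would be pri % 8
    rec = dict.fromkeys(COLUMNS)
    rec.update(ts=m.group("ts"), host=m.group("host"),
               program=m.group("prog").strip(),
               category=FACILITY_NAMES.get(facility, str(facility)),
               message=m.group("msg"))
    for key, val in KV_RE.findall(rec["message"]):
        col = {"SRC": "src_ip", "DST": "dst_ip",
               "SPT": "src_port", "DPT": "dst_port"}[key]
        rec[col] = int(val) if col.endswith("port") else val
    s = SSH_RE.search(rec["message"])
    if s:
        rec["src_ip"], rec["src_port"] = s.group("ip"), int(s.group("port"))
    return rec


def load_store(text):
    """Parse every line of `text` into an in-memory SQLite event store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE events (%s)" % ", ".join(COLUMNS))
    rows = [tuple(r[c] for c in COLUMNS)
            for r in map(parse_line, text.splitlines()) if r]
    db.executemany("INSERT INTO events VALUES (%s)" % ",".join("?" * len(COLUMNS)), rows)
    return db


def _check_columns(names):
    for col in names:
        if col not in COLUMNS:
            raise ValueError("unknown column: %s" % col)


def _where(filters):
    # Column names are whitelisted and values are bound, never pasted into the
    # SQL text: a filter value copied from a log cell is attacker-supplied data.
    _check_columns(filters)
    clause = " AND ".join("%s = ?" % c for c in filters)
    return (" WHERE " + clause if clause else ""), list(filters.values())


def run_view(db, columns, filters):
    """A view: the chosen columns of every event matching all filters."""
    _check_columns(columns)
    where, params = _where(filters)
    sql = "SELECT %s FROM events%s ORDER BY ts" % (", ".join(columns), where)
    return db.execute(sql, params).fetchall()


def count_by_column(db, filters, column):
    """'Count events by this column': group the filtered events by one column."""
    _check_columns((column,))
    where, params = _where(filters)
    sql = "SELECT %s, COUNT(*) FROM events%s GROUP BY %s" % (column, where, column)
    return dict(db.execute(sql, params).fetchall())


def trace_connection(db, src_ip, src_port):
    """'Trace connection': every event, from any device, that carries the same
    source endpoint (the key the firewall and the host share in these logs)."""
    return run_view(db, ("ts", "host", "program", "message"),
                    {"src_ip": src_ip, "src_port": src_port})


if __name__ == "__main__":
    store = load_store(SAMPLE_LOGS)
    print(run_view(store, ("ts", "host", "message"), {"category": "authpriv"}))
    print(count_by_column(store, {"dst_port": 445}, "src_ip"))
    print(trace_connection(store, "10.0.0.5", 51234))
```

Two design points carry over to any log viewer of this kind. A filter value is whatever text sat in a log cell, which is ultimately chosen by whoever sent the syslog message, so it must reach the database only as a bound parameter, and column names must be checked against a fixed list before being spliced into a query. Lines the header regex cannot parse are dropped rather than stored half-filled, which keeps counts and traces honest; a production collector would count those rejects so a flood of malformed input is itself visible.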
F-Deets architecture scheme (figure; labels only): data sources in the network (syslog compatible); syslogd server; log files (from syslog and other sources); log parser; log database; configuration database; server; GUI client. Syslogd server, log parser, databases and server together form the F-Deets server components.

4.1 Parser & Server

The parser and server share a common configuration file, winaid.cfg. It is located in the config directory in the F-Deets installation folder. See the reference manual for a description of the configuration files.

4.2 Syslog

There is currently no configuration for syslog. It listens on port 514, accepts all messages and saves them to the syslog/logs directory. Files are rotated on a weekly basis and old logs are never deleted (this can be done manually, since old log files are not used by F-Deets).
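As an added example, not the F-Deets syslog service itself (whose code the guide does not show), the Python sketch below does what this section describes: it listens on UDP port 514, accepts every datagram and appends it to a file under syslog/logs that is cut on weekly boundaries, and it never deletes anything. The file naming scheme, the sanitizing step and the class and function names are this example's own choices.

```python
import datetime
import os
import socket


def weekly_log_name(log_dir, when):
    """Path of the rotated file a message received at `when` belongs to.
    Files are cut on ISO-week boundaries, so one week's messages share one file."""
    year, week, _ = when.isocalendar()
    return os.path.join(log_dir, "syslog-%04d-W%02d.log" % (year, week))


def sanitize(data):
    """Turn one datagram into exactly one log line. Control characters (CR, LF,
    ESC, ...) are dropped so that a message crafted by a remote sender cannot
    forge additional lines or terminal escapes inside the stored file."""
    text = data.decode("utf-8", "replace")
    return "".join(ch for ch in text if ch == "\t" or ch >= " ")


class SyslogReceiver:
    """Minimal UDP syslog collector: receive, sanitize, append to the weekly file."""

    def __init__(self, log_dir, bind=("0.0.0.0", 514)):
        self.log_dir = log_dir
        self.bind = bind
        os.makedirs(log_dir, exist_ok=True)

    def handle(self, data, peer, when=None):
        """Store one datagram; returns the path it was appended to.
        `peer` is the UDP source address: unauthenticated and spoofable, so it
        is deliberately not written into the syslog-format file."""
        when = when or datetime.datetime.now()
        path = weekly_log_name(self.log_dir, when)
        line = sanitize(data)
        if not line:
            return path  # empty datagram: nothing worth keeping
        with open(path, "a", encoding="utf-8") as f:
            f.write(line + "\n")
        return path

    def serve_forever(self):
        """Blocking receive loop. Binding port 514 needs administrator or root
        rights on most systems, and a host firewall exception for UDP 514."""
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.bind(self.bind)
        while True:
            data, peer = sock.recvfrom(65535)  # largest possible UDP payload
            self.handle(data, peer)


if __name__ == "__main__":
    SyslogReceiver(os.path.join("syslog", "logs")).serve_forever()
```

Because the guide says the service accepts all messages, the receiver above applies no source filtering; on a real network the host firewall exception mentioned in section 2.1 should be limited to the subnets that actually send syslog, since anything that can reach UDP 514 can fill the disk (there is no rotation by size and no deletion) and can inject arbitrary text, including a forged hostname, into the files the parser later trusts.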
4.3 GUI Client

Client configuration is available in the Options / Preferences menu. There are also two custom screens dedicated to server configuration which can be accessed through the client. These are User Management and Log Directories Management.

User Management dialog

The User Management screen can be used to view, add, modify and remove users. To use this dialog one needs the Manage Users permission.

The Log Directories configuration screen can be used to manage the directories in which logs are kept. The syslog's log directory is listed there as well; if that entry is deleted, no incoming logs will be parsed.

Log Directories configuration

If you have some old logs that need to be parsed, you may specify the directory in which they are stored using this dialog.
4.4 Windows Services

When running F-Deets under Windows the server components are available as Windows services and may be administered through the standard Windows Services interface. Click Settings > Control Panel > Administrative Tools > Services to access the F-Deets service options:

F-Deets component services.
5 Troubleshooting

I cannot run the client.
If you are experiencing problems running the client, ensure you have .NET 3.5 installed. Make sure you didn't delete any DLLs from the fdeets/client directory. You might also try reinstalling the program.

The client starts, but it tells me that I do not have a license. How can I get one?
Visit http://www.f-deets.com/ to obtain an evaluation or demo license.

The client starts, but I cannot connect to the server.
Ensure the connection is properly configured. Check that the FdeetsConnectionDaemon service is started. Ensure the proper certificate files are in the client directory.

I think I connected to the server, but what do I do next?
Create a new view. For a start, enter "all" as the name and select all columns. The view will appear below the connection entry. Double-click it and a log view window will appear.

There are no entries in the log view window.
Ensure you have configured your network devices so they send messages to the machine F-Deets is installed on. Ensure the fdeets/syslog/logs directory is added to the server log directories. Try choosing 1 day instead of 15 minutes in the time span selection.

6 Uninstall

To uninstall F-Deets select the Uninstall option from the F-Deets program group in the Start menu. After confirmation the application will be removed. Remember that configuration files, log files and database files are not removed during uninstall. If you are certain you do not need them, they can be deleted manually.