I have had a few customers ask about username reporting with Netflow within their incident response system. Collecting user activity and viewing reports filtered on specific users can give administrators insight and convenience when looking at user logged into the network when investigating an incident or providing detailed reports for management. Most authentication systems are supported (E.g. Cisco ISE, Enterasys Mobile IAM). Adam has discussed the advantages to administrators in a previous blog about username reporting with Netflow. In this blog I will go over how to integrate with a Microsoft Domain Controller, and then use an incident response system to utilize username reporting.  

Overview

  • Modifying the Configuration File
  • Applying Domain Login Credentials
  • Downloading Psexec
  • Verify everything was configured properly
  • Installing System Metrics as a Service
  • Viewing the Data

I have gone through the process and will provide the instructions for setting it up. Before beginning here are a few things to prepare:

  1. You will need to have an account with access to query WMI on Active Directory Server
  2. Download a third party tool, psexec.

 

Modifying the Configuration File

  1. Open the <SCRUT_HOME>\files\conf\ipfixify-sysmetrics.cfg file in a text editor.
  2. The first section specifies the IP Addresses and ports of one or more IPFIX Collectors.

Find and modify the following line:

collector=10.100.0.4:4739

Change it to:

collector=<IP_OF_SCRUTINIZER>:4739
  1. Scroll to the end of the ipfixify-sysmetrics.cfg file and on a new line, type in the IP address or addresses of the Active Directory Server(s) with the following format (Only one line is needed):
member=10.1.1.1
member=10.1.2.1
  1. Save the changes to this file and exit the text editor.

 

Applying Domain Login Credentials

You will need domain user that is capable of remotely querying WMI to complete this step. These credentials are stored encrypted in the ipfixify-sysmetrics.cfg file and are managed using the ipfixify.exe executable.

  1. Open an elevated Administrator Command Prompt
  2. Navigate to the <SCRUT_HOME>\bin directory
  3. Execute the following command:
ipfixify.exe --credentials="<SCRUT_HOME>\files\conf\ipfixify-sysmetrics.cfg"

Follow the instructions provided on screen to complete this step and enter credentials.

Applying Credentials to query WMI

 

 

Downloading Psexec

A 3rd party tool is required to collect all the necessary data from any member specified in the ipfixify-sysmetrics.cfg file. If you have already downloaded Psexec you only need to move to the Scrutinizer bin directory.

  1. Download Psexec from Microsoft Sysinternals
  1. Copy psexec.exe to the <SCRUT_HOME>\bin directory

 

Verify everything was configured properly

  1. open an administrator command prompt and navigate to the <SCRUT_HOME>\bin directory.
  2. execute the following command
ipfixify.exe --config "<SCRUT_HOME>\files\conf\ipfixify-sysmetrics.cfg"
--sysmetrics --psexec="<SCRUT_HOME>\bin\psexec.exe" --verbose

If everything is configured properly, feedback will scroll by to indicate data is being collected and exported to the specified IPFIX Collector(s).

If there are issues with the configuration, Scrutinizer will identify the error in the ipfixify-sysmetrics.cfg file.

Verify Configurations

 

Installing System Metrics as a Service

Installing System Metrics as a service will continue to be collected whenever the system is rebooted.

  1. Locate and Copy files\conf\ipfixify-template.cfg to files\conf\ipfixify-sysmetrics.cfg
  2. Open an administrator command prompt and navigate to the <SCRUT_HOME>\bin directory.
  3. Execute the following command:
ipfixify.exe --install auto --name "SystemMetrics" --config
"<SCRUT_HOME>files\conf\ipfixify-sysmetrics.cfg" --sysmetrics
--psexec="<SCRUT_HOME>\bin\psexec.exe"
  1. Open the Windows Services Manager from the control panel, or executing  services.msc from the command prompt.
  2. Locate and double click the IPFIXify:SystemMetrics service.
  3. Click the Log On tab and click the This account radio button.
  4. Type in the username and password used in the Applying Domain Login Credentials section.
  5. Restart the IPFIXify: SystemMetric Service
Install ipfixify as a service

IPFIX as a service

 

Viewing the Data

After several minutes, the User Name by IP will be available from the Source and Destination Reports menus within your Incident Response System.

username reporting with netflow
Username Reporting with Netflow

Reach out to our team if you need help setting this up or if you have any technical questions.

Austin Brooks

Austin Brooks

Austin is a QA Engineer in the R&D department at Plixer. He works on new report types and aids the front end team with changes to the user interface of Scrutinizer. He has worked in Tech Support as well as a Solutions Engineer for the sales team at Plixer before his move to Development. Austin graduated from UNH’s WSBE with a degree in International Business and speaks a bit of German. Outside of work, Austin spends his time honing his coding skills and does website design for friends and family. He enjoys skiing, hockey, playing and writing music as well as traveling to different countries.

Related

Plixer logo
General

Plixer—a fresh perspective

2019 marks Plixer’s 20th year providing network analytics solutions to IT teams all over the world. Today we’re launching a new identity.