KFSensor

 

Configuring the Database

Setting up a database for KFSensor is straightforward, but there are a couple of things to watch out for, so please read through the following step by step instructions even if you are very familiar with database configuration.

The instructions below cover both SQL Server and MySQL.

For more information on which database to choose and how to install it please read the Choosing the database system section first.

Configuring the Database Step By Step

1. Install the database server

Follow the standard installation procedure for the database server product and edition that you have selected to use. This can be installed on the same machine, or a different machine as KFSensor. See the section below for details on the issues that is choice may cause.

2. Install the ODBC Drivers

KFSensor only uses 32-bit ODBC drivers to connect to a database. It is important to obtain the correct driver and install it on the same machine that KFSensor is installed on.

If SQL Server is running on the same machine as KFSensor then the ODBC drivers will already be installed and a separate installation will not be nessasary.

For both SQL Server and MySQL there is a choice of 32 and 64 bit driver installations:

For SQL Server choose
ODBC Driver 11 for SQL Server
ENU\X86\msodbcsql.msi
(Older version of Windows will need an older driver, SQL Server Native Client 11.0)
For MySQL choose
Connector/ODBC 5.3.6
Windows (x86, 32-bit), MSI Installer
(mysql-connector-odbc-5.3.6-win32.msi)

It is important to define a DSN with a 32bit driver. The actual database system and KFSensor can be running on 64bit Windows, but the driver itself needs to be the 32bit one.

3. Create a blank database

Create a new database on the Database Server for KFSensor.

Either use the menu option on the management interface, or use the following SQL command 

create database kfsensor

There is no need to create any tables as KFSensor will do that once it connects. It is important to create the blank database in order to set up the correct security access.

4. Establish security rights

An SQL user account needs to be set up for KFSensor to access the database. There are two options, either native security or Windows security.
SQL Server Native Security

For SQL Server the use of Native Mode security (SQL username/password) is the simplest and most reliable method, but it does mean that the username/password has to be stored within the KFSensor configuration file, which could make it available if the KFSensor machine was compromised. To mitigate that risk ensure that a new SQL server user account is created which only has access to the KFSensor database and no other. Never use the sa account.

In SQL Server create a new 'Login' set to SQL Server authentication. Give it the login name 'kfsensor' and a unique password. Set up this Login with a user mapping to the new kfsensor database and give it membership of public and db_owner.

SQL Server Windows Security

Using Windows authentication is the most secure form of security. It is easy to configure, but there are complications. See the section 'Issues with SQL Server Window Authentication' below for more details if choosing this option.

Create a new Login set to Windows authentication. Enter the Windows user name as the login name. It is best to use the search option to ensure that this is entered correctly. There is no need to set a password. Set up this Login with a user mapping to the new kfsensor database and give it membership of public and db_owner.

MySQL

MySQL has its own native security and this is almost identical to the SQL Server option described above.

Add a new account in 'Users and Privileges'. Give it the login name 'kfsensor' and a unique password. Give it all the available chema privileges to the kfsensor schema.

5. Define an ODBC DSN

  1. In KFSensor, select the menu 'Settings -> Log Database'
  2. In the dialog box 'Database Log' press the button 'Define ODBC DSN'
  3. In the dialog box 'ODBC Data Source Administrator (32-bit)' select the 'System DSN' tab.
  4. Press the 'Add' button
  5. Select the driver for you database; e.g. 'SQL Server Native Client 11.0'
  6. Follow the instructions of the new data source wizard.
    In particular ensure the following:
    1. Set the name file to 'kfsensor'. This name will be needed in the next step.
    2. Set the default database to 'kfsensor'. This is the most import step as it tells KFSensor which database to use.
  7. The new data source wizard has a 'Test Connection' option as a last step. Make sure this reports a success.

n.b. The use of a 'System DSN' is vital as the KFSensor Server runs under a different user account to yours and therefore a 'User DSN' is not visible to it.

6. Configure the KFSensor database

  1. If you have followed the previous step the 'Database Log' dialog should still be visible, if not then select the menu 'Settings -> Log Database'.
  2. Enter the name of the ODBC DSN you have just created in the DSN field.
  3. If you are using native security enter the database Login account name in the User Name field and its password in the Password field. If you are using Windows Authentication both fields should be left blank.
  4. Select the correct Type to match your database system.
  5. Press the 'Configure' button.
  6. KFSensor will attempt to connect to the database and create all the tables and other objects required to store the logs. If all goes well then the message 'The database has been configured for KFSensor' will be displayed.
  7. If an error message is displayed then there will be something wrong with either the ODBC DSN, or the login account permissions to your database.
  8. Ensure the following radio buttons are ticked; 'Enable database logging', 'Monitor uses database' and 'Memory conservation'.
  9. Press the OK button.
  10. The system will then shut down and will need to be run again from the Start menu.

7. Import existing logs

Once a new database is configured it will have no events in it. It is useful to import you old event log data into the database so there is no loss in your records.

  1. Select the menu 'File -> Import Logs Into Database...'
  2. Press the 'Select..' button.
  3. In the file open dialog, ensure the 'C:\kfsensor\logs' directory is selected
  4. Select the all the logs files to import, which match this pattern 'kfsenslog_*.log'
  5. Press 'OK' and then the 'Import' button

8. View the Reports

Select the 'View -> Reports' menu option.

Issues with SQL Server Window Authentication

SQL Server can be configured to use Windows authentication, which is more secure as it does not require a password to be stored by KFSensor and it can make use of the same security infrastructure that is already in place to protect the hosts.

The big issue to watch out for with Windows Authentication is that the KFSensor Server runs under a different account from your user account which is used to run the KFSensor monitor. A common support issue is for the KFSensor monitor to be working fine, but with no events being logged to the database. It is important that access rights to the database are given to both the Logins of the users and the system accounts used to run the KFSensor Server

SQL Server running on the Local Host

By default KFSensor Server runs under the account 'Local System'. For this account create a windows authentication SQL Login for 'NT AUTHORITY\SYSTEM' and give it access to the kfsensor database.

If the KFSensor Server is running under the 'Network Service' account then create a windows authentication SQL Login for 'NT AUTHORITY\NETWORK SERVICE' and give it access to the kfsensor database.

SQL Server running on a Remote Host

If KFSensor is to be connected to a database service running on a different machine then careful consideration needs to be given to security access configuration. The default 'Local System' account is different on each machine and so cannot be used to access an SQL Server on a remote host. Assuming that both servers are part of a Windows domain then the solution is to use a Windows domain user account. It is best to create a special domain user account for this purpose and not to reuse an existing user's account. Care must be take to not enforce password expiry otherwise the system will stop functioning when the password expires.

Once a domain account has been created, it should be given permission to access the kfsensor database on the SQL Server.

Each KFSensor service needs to be then configured to run as the new domain user as follows:

  1. Open 'Services' from the start menu or the Control Panel
  2. Select 'KFSensor' and double click to open the Properties dialog box.
  3. Select the 'Log On' tab.
  4. Select the 'This account:' radio controller
  5. Enter the fully qualified domain user account name
  6. Enter the account password and press OK.
  7. Repeat this process for the services 'KFSensor Collator' and 'KFSensor Monitor Service'

Issues with Database Server running on the local host

It is common to install KFSensor and the database system it uses onto the same machine. There are several advantages to this such as the need for only one machine and the inherent security of not having both systems communicate over the network.

There are however two issues with running both systems on the same machine that can make life difficult, but are easy to resolve.

Database ports

KFSensor opens the ports used by the two most popular database systems, MySQL's 3306 and SQL Server's 1433.
Only one system can use these ports and it should be KFSensor as there are a popular attack target. It if KFSensor that should be exposed to attack and not the database server.

There are three possible ways around this problem.

  1. Disable the use of TCP/IP by the database server. SQL Server can be configured to just use Named Pipes and Shared Memory and for TCP/IP to be disabled. This is the most secure and easiest option.
    1. To do this start the 'SQL Server Configuration Manager'.
    2. Expand each of the client configurations in the tree
    3. Select each 'Client Protocols' node in the tree
    4. Select TCP/IP and edit its properties
    5. Set Enabled to No.
  2. Configure the database system to listen to a different port number, one not associated with any other service, or is defined in KFSensor.
  3. Configure the database to only listen to certain IP addresses. For example by allowing it to only listen to 127.0.0.1 then it will not be accessible from a public IP, but will still be usable by KFSensor.
Service load order

By default at boot up time, Windows will start KFSensor and the database at the same time which often results in errors in the log files and a slow down in start up times as KFSensor keeps trying to make a database connection.

The KFSensor server service should start after the database system has started.
To fix this configure the Service Dependencies field in the Server Settings dialog.

See Also: Reports Overview


KFSensor On-Line Manual Contents