The README for the LogonTracer project is missing a couple of steps, so I'm jotting down all the kinks here. I'm glossing over installing Debian into a VM.
This setup pays little attention to security: every command below runs as root, Neo4j ends up listening on every interface, and the database password is literally 'password'. If you use it anywhere beyond a throwaway lab VM you'll need 'sudo' in a few places, a real password, and a firewall in front of ports 7474, 7687 and 8080.
I set this up in about 30 minutes using a VM in VMware Workstation, and was able to connect to the LogonTracer web page from my host OS.
Create a new VM. I set it to NAT networking so it can get internet access and my host OS can reach it as well: 1 GB RAM, 1 vCPU, 20 GB HDD.
Install Debian Stretch into the VM. I used debian-9.2.1-amd64-netinst.iso. I did not install a desktop environment, only the SSH server and standard system utilities from the task selector.
apt-get install apt-transport-https python3-pip git curl build-essential libssl-dev
Steps from http://debian.neo4j.org/
wget -O - https://debian.neo4j.org/neotechnology.gpg.key | apt-key add -
echo 'deb https://debian.neo4j.org/repo stable/' | tee /etc/apt/sources.list.d/neo4j.list
apt-get update
If you're not on Debian Stretch you'll apparently run into some problems with Java (see the Neo4j docs).
apt-get install neo4j
nano /etc/neo4j/neo4j.conf
Find the line for the Bolt connector and make it listen on all interfaces (Ctrl+W, search for 7687). The shipped default of :7687 with no address means localhost only:
# Bolt connector
dbms.connector.bolt.enabled=true
#dbms.connector.bolt.tls_level=OPTIONAL
#dbms.connector.bolt.listen_address=:7687 <-- this line
Change it to:
dbms.connector.bolt.listen_address=0.0.0.0:7687 <-- remove the # and insert 0.0.0.0 before the colon
Find the line for the HTTP connector and make it listen on all interfaces the same way (Ctrl+W, search for 7474):
# HTTP Connector. There must be exactly one HTTP connector.
dbms.connector.http.enabled=true
#dbms.connector.http.listen_address=:7474 <-- this line
Change it to:
dbms.connector.http.listen_address=0.0.0.0:7474 <-- remove the # and insert 0.0.0.0 before the colon
Restart Neo4j. Afterwards, ss -ltn should show ports 7474 and 7687 bound to 0.0.0.0 rather than 127.0.0.1; on VMware NAT that makes them reachable from the host OS, and from the rest of your LAN only if you add a port forward.
systemctl restart neo4j
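The two neo4j.conf edits above as a repeatable script, added here as an example that is not part of the original notes, Neo4j or LogonTracer. It assumes the stock Debian package layout with the config at /etc/neo4j/neo4j.conf; the function names and the optional second argument (bind to a specific IP instead of 0.0.0.0) are my own additions.

```shell
#!/bin/sh
# Added example: apply the Bolt/HTTP listen_address edits from the notes with
# sed instead of nano, so the change is repeatable and safe to re-run.
# Not part of LogonTracer or Neo4j; path and function names are assumptions.
set -eu

# set_conf_key FILE KEY VALUE
# Rewrite the line "KEY=..." (whether commented out with a leading '#' or
# not) so it reads "KEY=VALUE". Appends the key if the file has no such line.
# The file is rewritten in place with cat so its owner and mode survive.
set_conf_key() {
    file=$1 key=$2 value=$3
    # Escape the dots in the key so grep/sed match them literally.
    keyre=$(printf '%s' "$key" | sed 's/[.]/\\./g')
    if grep -q "^#\{0,1\}${keyre}=" "$file"; then
        tmp=$(mktemp)
        sed "s|^#\{0,1\}${keyre}=.*|${key}=${value}|" "$file" > "$tmp"
        cat "$tmp" > "$file"
        rm -f "$tmp"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# neo4j_listen_all FILE [BIND_IP]
# Bind the Bolt (7687) and HTTP (7474) connectors to BIND_IP.
# Default is 0.0.0.0 as in the notes; pass the VM's own IP instead to avoid
# exposing Neo4j on every interface the VM has.
neo4j_listen_all() {
    conf=${1:-/etc/neo4j/neo4j.conf}
    ip=${2:-0.0.0.0}
    set_conf_key "$conf" dbms.connector.bolt.listen_address "${ip}:7687"
    set_conf_key "$conf" dbms.connector.http.listen_address "${ip}:7474"
}

# get_conf_key FILE KEY
# Print the active (uncommented) value of KEY, for verification.
get_conf_key() {
    keyre=$(printf '%s' "$2" | sed 's/[.]/\\./g')
    sed -n "s|^${keyre}=||p" "$1"
}

# Run directly as root on the VM:
#   sh neo4j-listen.sh /etc/neo4j/neo4j.conf [bind-ip] && systemctl restart neo4j
if [ -n "${1:-}" ]; then
    neo4j_listen_all "$1" "${2:-0.0.0.0}"
    echo "bolt: $(get_conf_key "$1" dbms.connector.bolt.listen_address)"
    echo "http: $(get_conf_key "$1" dbms.connector.http.listen_address)"
fi
```

Running it twice, or running it after a hand edit with nano, gives the same result because the sed pattern matches the line with or without the leading '#'. Restart Neo4j with systemctl afterwards exactly as in the notes.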
From the host OS, browse to the IP of your Linux VM on port 7474 in Chrome (Brave had some issues):
http://<ip of linux box>:7474
Log in with the default neo4j / neo4j and you'll be prompted to change the password. Change it to 'password', which is what the logontracer.py commands below pass with -p (pick something stronger on anything but a lab VM).
git clone https://github.com/JPCERTCC/LogonTracer.git
pip3 install -r LogonTracer/requirements.txt
Steps from https://linuxconfig.org/how-to-install-nodejs-on-debian-9-stretch-linux (Node 6.x). This downloads NodeSource's setup script and runs it as root, so read through it before executing it:
curl -O -sL https://deb.nodesource.com/setup_6.x
chmod +x setup_6.x
./setup_6.x
apt-get install nodejs
cd LogonTracer/static
npm install neo4j-driver
cd ../..
The web import/parsing of security events seems broken as of writing (2017/12/02), so I imported the event log using the Python script. There is an example Security.evtx in the sample directory.
cd LogonTracer
python3 logontracer.py -e sample/Security.evtx -z +9 -u neo4j -p password -s <ip of linux VM>
Sample output from the import. -z is the UTC offset of the time zone the log was written in, hence the "[*] Time zone is 9." line below; use your own logs' offset when importing them:
root@disposablelinux:/home/bob/LogonTracer# python3 logontracer.py -e sample/Security.evtx -z +9 -u neo4j -p password -s 192.168.131.137
/usr/local/lib/python3.5/dist-packages/statsmodels/compat/pandas.py:56: FutureWarning: The pandas.core.datetools module is deprecated and will be removed in a future version. Please use the pandas.tseries module instead.
from pandas.core import datetools
[*] Script start. 2017/12/02 13:15:40
[*] Parse the EVTX file sample/Security.evtx.
[*] Next recode number is 289157.
[*] Time zone is 9.
[*] Start parsing the EVTX file.
[*] Now loading 1000 records.
Once the import completes, run the server process and connect with your browser:
python3 logontracer.py -r -o 8080 -u neo4j -p password -s <ip of linux VM>
From host OS go to
http://<ip of linux VM>:8080
When you import your own Security log you'll probably want to wipe the sample data first; --delete clears the existing graph before the import runs:
python3 logontracer.py --delete -e ../cases/Security.evtx -z +9 -u neo4j -p password -s <ip of linux VM>
Error
Running the server with -s localhost instead of the VM's IP:
python3 logontracer.py -r -o 8080 -u neo4j -p password -s localhost
produced:
[*] Script start. 2017/12/08 16:20:49
[!] Can't runnning web application.
Note that -s is used both as the Neo4j host and as the address the web UI binds to, so with localhost the UI would not have been reachable from the host OS even if it had started.