Logs come in a dizzying variety of formats; they look different and mean different things. How do we understand them? Some of them are just "bad!"
Why a grand challenge?
Lack of log standards makes log analysis an unreliable and complex art
Take logs one by one; write regexes or index
Why still a challenge?
No credible log standard emerged (work ongoing)
Example Log Chaos - Login?
<122> Mar 4 09:23:15 localhost sshd: Accepted password for kyle from ::ffff:192.168.138.35 port 2895 ssh2
<13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Failure Audit ENTERPRISE Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account : POWERUSER
<57> Dec 25 00:04:32:%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user:yellowdog] [Source:10.4.2.11] [localport:23] at 20:55:40 UTC Fri Feb 28 2006
<18> Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreen device_id=ns5xp system-warning-00515: Admin User netscreen has logged on via Telnet from 10.14.98.55:39073 (2002-12-17 15:50:53)
Four sources (OpenSSH sshd, a Windows Security event 680 forwarded over syslog, Cisco IOS %SEC_LOGIN, a NetScreen firewall) reporting the same kind of event: a login, or an attempt at one. Same meaning, four layouts, four ways to name the user and the source address, and one of them (the Windows event) does not carry a source address at all.
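What "take logs one by one; write regexes" looks like in practice for the four lines above: an added Python example (not code from the original slides) that maps each format onto one small schema so that "who logged in, from where, did it work" can be answered uniformly. The `LoginEvent` fields, the source labels such as `windows-680`, and every regex are this example's own assumptions; the first four sample lines are the ones from the slide, and the fifth (a failed sshd login) is constructed so the failure path gets exercised.

```python
"""Normalize "user logged in" events from four unrelated log formats into one schema.

Added example. SAMPLE_LINES are the four lines from the slide above; EXTRA_CONSTRUCTED
holds one made-up sshd failure. The LoginEvent schema, the source labels and every
regex below are this example's own assumptions, not a published standard.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class LoginEvent:
    source: str            # which log format matched (assumed label)
    user: str
    outcome: str           # "success" or "failure"
    src_ip: Optional[str]  # None when the format does not carry a source address
    method: Optional[str]  # ssh / telnet / password / auth package, lower-cased


# The four lines from the "Example Log Chaos" slide, syslog PRI tags left in place.
SAMPLE_LINES = [
    "<122> Mar 4 09:23:15 localhost sshd: Accepted password for kyle from ::ffff:192.168.138.35 port 2895 ssh2",
    "<13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Failure Audit ENTERPRISE Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account : POWERUSER",
    "<57> Dec 25 00:04:32:%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user:yellowdog] [Source:10.4.2.11] [localport:23] at 20:55:40 UTC Fri Feb 28 2006",
    "<18> Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreen device_id=ns5xp system-warning-00515: Admin User netscreen has logged on via Telnet from 10.14.98.55:39073 (2002-12-17 15:50:53)",
]
# Constructed (not from the slide): an OpenSSH failure in the same format as line 1.
EXTRA_CONSTRUCTED = [
    "<38> Mar 4 09:24:01 localhost sshd[2113]: Failed password for invalid user admin from 10.0.0.5 port 4242 ssh2",
]

# One pattern per format. Named groups give every format the same field names.
_SSHD = re.compile(
    r"sshd(?:\[\d+\])?: (?P<res>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
# Windows Security event 680 over syslog; the audit type ("Failure Audit") carries the outcome.
_WIN680 = re.compile(
    r"\b680\b.*?\b(?P<res>Success|Failure) Audit\b.*?Logon attempt by:\s*(?P<pkg>\S+)"
    r".*?Logon account\s*:\s*(?P<user>\S+)")
# Cisco IOS %SEC_LOGIN; the local port distinguishes telnet (23) from ssh (22).
_IOS = re.compile(
    r"%SEC_LOGIN-\d-(?P<res>LOGIN_SUCCESS|LOGIN_FAILED):.*?\[user:\s*(?P<user>[^\]]+)\]"
    r"\s*\[Source:\s*(?P<ip>[^\]]+)\]\s*\[localport:\s*(?P<port>\d+)\]")
# NetScreen admin logon; only the success wording seen on the slide is handled here.
_NETSCREEN = re.compile(
    r"Admin [Uu]ser (?P<user>\S+) has logged on via (?P<method>\S+) from (?P<ip>[\d.]+):\d+")


def _plain_ip(ip: str) -> str:
    """Drop the IPv4-mapped IPv6 prefix that sshd emits on dual-stack hosts."""
    return ip[len("::ffff:"):] if ip.startswith("::ffff:") else ip


def normalize_login(line: str) -> Optional[LoginEvent]:
    """Return a LoginEvent for a recognised login record, or None for anything else."""
    m = _SSHD.search(line)
    if m:
        return LoginEvent("sshd", m["user"], "success" if m["res"] == "Accepted" else "failure",
                          _plain_ip(m["ip"]), m["method"].lower())
    m = _WIN680.search(line)
    if m:
        return LoginEvent("windows-680", m["user"], "success" if m["res"] == "Success" else "failure",
                          None, m["pkg"].lower())
    m = _IOS.search(line)
    if m:
        method = {"22": "ssh", "23": "telnet"}.get(m["port"], "port-" + m["port"])
        return LoginEvent("cisco-ios", m["user"].strip(),
                          "success" if m["res"] == "LOGIN_SUCCESS" else "failure",
                          m["ip"].strip(), method)
    m = _NETSCREEN.search(line)
    if m:
        return LoginEvent("netscreen", m["user"], "success", m["ip"], m["method"].lower())
    return None


def normalize_all(lines: List[str]) -> List[LoginEvent]:
    """Normalize every line, skipping lines that are not login records."""
    return [ev for ev in map(normalize_login, lines) if ev is not None]


def outcome_counts(events: List[LoginEvent]) -> dict:
    """Count successes and failures across all formats, which is the point of normalizing."""
    counts = {"success": 0, "failure": 0}
    for ev in events:
        counts[ev.outcome] += 1
    return counts


if __name__ == "__main__":
    events = normalize_all(SAMPLE_LINES + EXTRA_CONSTRUCTED)
    for ev in events:
        print(ev)
    print(outcome_counts(events))
```

The ordering of the patterns matters only for speed; each regex is specific enough that no sample line matches more than one. Anything that does not match any pattern comes back as `None` rather than as a half-filled event, so a downstream count of failed logins is not polluted by unrelated lines.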
Read any logs lately? Got bored in 5 minutes - or survived for a whopping 10? Congrats, you score a point! But logs are still boooooooooooooooooooooooooooooring.
One log, two logs, 10 logs... 1,000,000,000 logs: rabbits and hamsters cannot match the speed with which logs multiply. Don't you just hate that?
You keep hearing people refer to "log data." Then you run 'tail /var/log/messages' and see text in pidgin English. Where is my data? Hate it!
"Real hackers don't get logged": thus logs are seen as useless - and hated by some "hard core" security pros!
If people lie to you, you hate it. Logs lie too (see 'false positives') - and they are hated for it.
'Transport error 202 message repeated 3456 times.' Niiiiice. Now go fix that! Fix what? Ah, hate the log obscurity!
Why are there 47 different ways to log that "connection from A to B was established OK"? Or 21 ways to say "user logged in OK"? No, really? Why? Who can I kill to stop this insanity?
You MUST do XYZ with logs for compliance. Or you are going to jail, buddy! No, sorry, we can't tell you what XYZ is. Maybe in 7 years; for now, just store everything.
'Critical error: process completed successfully' and 'Operation successfully failed' engender deep and lasting hatred of logs in most people. They just do...
The book called "Ugliest Logs Ever!" is a fat tome, covering every log source from a Linux system all the way to databases and CRM. Bad logs are popular! Bad logs are all the rage among programmers! Bad logs are here to stay. Bad logs that mean nothing power the log hatred.
"Logs: can't live with them, can't live without them" :-) Hate them we might, for different reasons, but we still must collect, protect, review, and analyze them...