Regulatory compliance and system logging

Log messages can be used to detect security incidents, operational problems, and other issues like policy violations, and are useful in auditing and forensics situations.

From this white paper you can learn the advantages of using the syslog-ng Store Box logserver appliance to collect, store, and manage system log (syslog) and eventlog messages for policy compliance.

Second Edition
Publication date: December 14, 2010

Abstract
The advantages of using the syslog-ng Store Box logserver appliance to collect, store, and manage system log (syslog) and eventlog messages for policy compliance.

Copyright © 2010 BalaBit IT Security Ltd.
Table of Contents

1. Preface (p. 3)
  1.1. Summary of contents (p. 3)
2. Introduction (p. 4)
  2.1. What is system logging (p. 4)
  2.2. Why is system logging important when dealing with policy compliance (p. 4)
  2.3. What syslog-ng and the syslog-ng Store Box are (p. 4)
  2.4. Problems to be solved by log management (p. 4)
3. Using the syslog-ng Store Box for policy compliance (p. 7)
  3.1. PCI-DSS compliance and logging (p. 7)
  3.2. COBIT 4.1 compliance and logging (p. 9)
4. HIPAA compliance and logging (p. 12)
5. Other important features (p. 13)
  5.1. Managing SSB (p. 13)
  5.2. Fine-tuned access control (p. 13)
  5.3. LDAP integration (p. 13)
  5.4. Real-time log monitoring and alerting (p. 13)
  5.5. Log collector agent for several platforms (p. 13)
  5.6. Agent for Microsoft Windows platforms (p. 14)
  5.7. Agent for IBM System i platforms (p. 14)
  5.8. Automatic data and configuration backups (p. 14)
  5.9. Automatic data archiving (p. 14)
  5.10. Ability to handle extreme load (p. 14)
6. Further information (p. 15)
  6.1. About BalaBit (p. 15)

www.balabit.com
1. Preface

This paper discusses the advantages of using the syslog-ng Store Box to collect, store, and manage system log (syslog) and eventlog messages in compliance with regulations like the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), or the Payment Card Industry Data Security Standard (PCI-DSS). The document is recommended for technical experts and decision makers working on implementing centralized logging solutions, but anyone with basic networking knowledge can fully understand its contents. The procedures and concepts described here are applicable to version 1.x of the syslog-ng Store Box (SSB).

1.1. Summary of contents

This paper is organized into the following sections:

Section 2, Introduction (p. 4) briefly describes what system logging is, and why it is an important part of policy compliance.

Section 3, Using the syslog-ng Store Box for policy compliance (p. 7) is a detailed list of policy requirements, including the requirements of the Payment Card Industry Data Security Standard (PCI-DSS), COBIT 4.1, and the Health Insurance Portability and Accountability Act (HIPAA), that you can address with the syslog-ng Store Box and syslog-ng Premium Edition.

Section 5, Other important features (p. 13) discusses further features of the syslog-ng Store Box that can come in handy when designing and implementing your system logging architecture.

Section 6, Further information (p. 15) contains a brief description of BalaBit IT Security and provides links where you can find out more about the syslog-ng Store Box, request an evaluation version, or find a reseller.
2. Introduction

2.1. What is system logging

Operating systems, applications, and network devices generate text messages of various events that happen to them: a user logs in, a file is created, a network connection is opened to a remote host, and so on. These messages, called log messages, are usually stored in a file on the local hard disk of the system. The aim of central system logging is to collect the log messages to a single, central log server.

For a more detailed introduction into syslog architectures, see the Distributed syslog architectures with syslog-ng Premium Edition whitepaper.

2.2. Why is system logging important when dealing with policy compliance

Log messages provide important information about the events of the network, the devices, and the applications running on these devices. Log messages can be used to detect security incidents, operational problems, and other issues like policy violations, and are useful in auditing and forensics situations. But collecting and analyzing log messages is also required directly or indirectly by several regulations, including the Sarbanes-Oxley Act (SOX), the Basel II Accord, the Health Insurance and Portability Act (HIPAA), or the Payment Card Industry Data Security Standard (PCI-DSS).

2.3. What syslog-ng and the syslog-ng Store Box are

The syslog-ng application is a system log collector and forwarder tool that can collect log messages from files and other sources, and also receive the log messages sent by remote hosts. It also has powerful message-filtering and message-routing capabilities. The syslog-ng Store Box is a log server appliance built around syslog-ng, offering a web-based configuration and log-browsing interface, encrypted and digitally signed log storage, and more.

2.4. Problems to be solved by log management

There are several problems and difficulties that have to be solved when creating a usable logging infrastructure. The main problems to consider are summarized below, along with a brief description of how the syslog-ng Premium Edition (PE) application can help you to overcome these problems.

■ Many different devices and applications running on a variety of operating systems. To start collecting log messages into a central log server, the logs must be retrieved somehow from the devices where the messages are generated. These devices (desktop computers, servers, networking devices like switches and routers, firewalls, and so on) usually use many different operating systems – all of which should send the logs to the central server. The problem with the variety of operating systems is that they use different logging solutions, with different configuration requirements and capabilities. To address this problem, syslog-ng can be installed on most common operating systems, including Linux, Solaris, HP-UX, BSD, and IBM AIX, and has dedicated agent applications to collect the logs from Microsoft Windows and IBM System i platforms. Using a single logging application vastly simplifies configuration and management, and ensures that advanced logging capabilities (like TLS-encrypted log transfer or disk-based buffering) are available on every device. If syslog-ng cannot be installed on a device for some reason (for example, it is running a pre-built firmware which cannot be modified), a local computer running syslog-ng can accept the syslog messages from such devices and relay them to the central log server.
■ Inconsistent timestamps and message format. Different log messages often use different timestamp formats to date the messages (for example, some timestamp formats do not contain year or timezone information), making it difficult to locate the messages later, and to properly see their place in the flow of events. With syslog-ng, it is possible to convert the timestamps to a single format (for example, as specified in the ISO 8601 standard), and also to use the date when the syslog-ng Store Box received the message from the application or the remote host, so the stored messages contain accurate date information even if the clock of the remote host or the application is inaccurate. The syslog-ng application provides macros and powerful message-rewriting capabilities to reformat and normalize the messages, converting them to a common format so that the order of the data fields in the message is consistent with other messages. Supporting the new IETF syslog protocol standard, syslog-ng and the syslog-ng Store Box make it easy to integrate all kinds of log messages and logging clients into a common framework.

■ Protecting the integrity and confidentiality of the messages during transmission. Log messages are important from the network-security point of view, but they may also contain sensitive information and private data like passwords, usernames, and so on. Therefore, it is important that they are protected against eavesdropping when they are transmitted over the network. It is also important to verify the identity of the communicating parties (that is, the host sending the message, and the central log server) to ensure that the message is received only by its intended target (the log server), and that the message received by the server was indeed sent by the client host. The integrity of the message must also be maintained so that no unauthorized modification of the message is possible. To address these issues, the syslog-ng PE application uses the Transport Layer Security (TLS) protocol to encrypt the communication with the syslog-ng Store Box log server. Both the syslog-ng client and the server can be authenticated using X.509 certificates.

■ Protecting the integrity and confidentiality of the messages stored on the log server. Log messages must be protected even after they arrive at the log server to prevent manipulation and unauthorized access. For this reason, the syslog-ng Store Box can store the log messages in encrypted and digitally signed log files. Encrypting the log files ensures that the log messages can be accessed only by authorized personnel who have the appropriate decryption key, while the digital signature prevents the unnoticed modification of the messages. It is also possible to request timestamps from an external Timestamping Authority (TSA) to add further reliability to the date of the log messages.

■ Ensuring that no messages are lost. The syslog-ng PE application assigns a unique identifier to every message and ensures that you do not lose messages during network or system outages, because syslog-ng PE can store unsent messages on the local hard disk until the log server becomes available again. The syslog-ng PE application and SSB can also apply flow control to the messages. Flow control means that if the destination server or database becomes overloaded, syslog-ng PE and SSB can stop accepting messages from the sending applications or hosts. That way the senders are notified that there is a problem in the logging infrastructure and can act accordingly: for example, in an environment where policy compliance mandates that all events be logged, the applications may temporarily halt until logging can be resumed, so that no action goes unlogged. As an alternative way to handle server downtime, syslog-ng PE can send the log messages to a backup log server if the primary server becomes unavailable. To avoid losing messages on the server side, the syslog-ng Store Box (SSB) appliances use hot-swappable hard disks in a RAID configuration to protect against disk failures, and offer out-of-the-box high-availability support in failover cluster configurations. The nodes of the cluster use a common block-device subsystem that is automatically synchronized on the fly. In addition, SSB can periodically archive the received messages to a remote backup server.

■ Helping SIEM devices to analyze the log messages. Analyzing logs is an essential element of network security. While SSB is not a log-analyzing appliance, it has a number of features – including message normalization – that can aid log-analyzing engines. The syslog-ng application has powerful message filtering and sorting capabilities that make it possible to ignore trivial or low-priority messages. Since message filtering can already take place on the clients, it can save a significant amount of bandwidth by dropping unimportant messages, and decrease the load on the SIEM device at the same time. Also, since the capacity of log-analyzing applications is often limited, the syslog-ng Store Box can limit the number of messages sent per second. This has the benefit of flattening out message bursts and protecting the log-analyzing engine from becoming overloaded. Certain SIEM devices prefer to receive log messages from databases; SSB can send the log messages directly to a database, and supports most popular databases, including MSSQL, MySQL, Oracle, and PostgreSQL. An even more powerful capability of SSB and syslog-ng is the ability to classify messages in near real time, and apply artificial ignorance to the results. This allows you to create a pattern database of the log messages that normally appear in your log traffic, label them as normal, security-related, violation, and so on, and then compare every incoming message to this database. That way messages labeled as important can instantly generate alerts if needed, and unknown messages – which might signal an event occurring for the first time on your network and thus be important – can be collected for review.

■ Storing the messages. Organizations often store log messages for a long time to be able to review security incidents that are not immediately discovered, and several regulations also require the logs to be available for several months or years. Storing the log messages becomes an issue especially if the volume of log traffic is very high (for example, a few gigabytes of raw logs per hour). To reduce the amount of logs to be stored, the syslog-ng Store Box provides powerful message filtering and sorting capabilities: it can drop or separate unimportant messages, and organize messages into different files or databases based on their sending host, application, or content. It can also automatically compress and encrypt the log files, and periodically start a new file so that the older files can be archived and removed from the server. The SSB appliances have large internal hard disk space (up to 10 terabytes), and also offer the possibility to connect directly to your SAN solution via an iSCSI or Fibre Channel interface.
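One way to put the points above into practice on a log client, as an added example that is not from the white paper or BalaBit: a syslog-ng client configuration (current syslog-ng OSE syntax; check the option names against the syslog-ng PE version in use) that relays messages from devices that cannot run syslog-ng, normalizes timestamps, forwards over mutually authenticated TLS with disk buffering and flow control, and fails over to a backup SSB. Host names, ports, certificate paths and buffer sizes are assumptions.

```conf
# Added example (not from the white paper): syslog-ng client configuration
# forwarding to an SSB appliance. Host names, ports, certificate paths and
# buffer sizes are assumptions. failover-servers() needs syslog-ng OSE 3.17
# or later; check option names against the syslog-ng PE version in use.
@version: 3.17
@include "scl.conf"

options {
    # Normalize timestamps to ISO 8601 including timezone information, and
    # stamp each message with the time syslog-ng received it instead of the
    # (possibly year-less or wrongly set) timestamp the application sent.
    ts-format(iso);
    keep-timestamp(no);
    # Record the fully qualified name of the originating host.
    use-fqdn(yes);
    chain-hostnames(no);
};

# This host's own messages plus syslog-ng's internal messages (for example,
# its own configuration-reload events).
source s_local {
    system();
    internal();
};

# Devices that cannot run syslog-ng (for example, a router with fixed
# firmware) send plain UDP syslog here; this host relays them to SSB.
source s_devices {
    network(ip("0.0.0.0") port(514) transport("udp"));
};

# Drop debug-level noise on the client: saves bandwidth and SIEM capacity.
filter f_not_debug { level(info..emerg); };

# Mutually authenticated TLS to SSB: the client presents client.crt, and
# accepts only a server certificate signed by a CA in ca-dir(). Messages
# that cannot be delivered are queued on local disk until SSB is back.
destination d_ssb {
    network("ssb.example.com" port(6514)
        transport("tls")
        tls(
            ca-dir("/etc/syslog-ng/ca.d")
            key-file("/etc/syslog-ng/client.key")
            cert-file("/etc/syslog-ng/client.crt")
            peer-verify(required-trusted)
        )
        disk-buffer(
            reliable(yes)
            disk-buf-size(1073741824)    # 1 GiB on-disk queue
        )
        # backup SSB used while the primary is unreachable
        failover-servers("ssb-backup.example.com")
    );
};

# flow-control: once SSB is unreachable and the disk buffer is full, stop
# reading from the local sources rather than silently dropping messages.
# UDP sources cannot be paused, so the relayed device logs still depend on
# the disk buffer alone.
log {
    source(s_local);
    source(s_devices);
    filter(f_not_debug);
    destination(d_ssb);
    flags(flow-control);
};
```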
3. Using the syslog-ng Store Box for policy compliance

Compliance is becoming more and more important in several fields – laws, regulations and industry standards mandate increasing security awareness and the protection of sensitive data. As a result, companies have to increase the control over and the auditability of their business processes, and this makes thorough log management necessary – especially since several regulations require the centralized collection of logs (including retaining logs for an extended amount of time, often spanning several years).

The syslog-ng Store Box logserver appliance and the syslog-ng Premium Edition log collector application give you the tools you need to create a complete, reliable, and trusted log infrastructure to collect the log messages from the clients to a central log server, ensuring the secure transmission and storage of the log messages from a wide variety of operating systems.

3.1. PCI-DSS compliance and logging

The following table provides a detailed description of the requirements of the Payment Card Industry Data Security Standard (PCI-DSS) relevant to log management and auditing. Other compliance regulations like the Sarbanes-Oxley Act (SOX) or the Basel II Accord imply similar requirements.

PCI requirement / How the syslog-ng Store Box supports it

3. Protect stored cardholder data
    System logs may contain sensitive information such as personal identification numbers (PIN) and card validation codes. The syslog-ng Store Box protects these messages by storing them in an encrypted file instead of the plain text files commonly used to store log messages. It is also possible to rewrite messages and automatically remove sensitive cardholder data using the message-rewriting capabilities of syslog-ng.

4. Encrypt transmission of cardholder data across open, public networks
4.1 Use strong cryptography and security protocols such as secure sockets layer (SSL) / transport layer security (TLS) / secure shell (SSH)
    Transport layer security (TLS) can be used to encrypt the communication between the clients and the log server and to protect the integrity of the messages. Using TLS encryption also prevents third parties from accessing or modifying the communication. The communication between the syslog-ng client and the SSB logserver can be mutually authenticated using X.509 certificates to verify the identity of the communicating parties and prevent attackers from injecting fake messages into the log files.

10.2 Implement automated audit trails for all system components.
    Log messages have an important role in reconstructing the events of an application, host, or network. The syslog-ng application aids this process by ensuring that the log messages arrive at the central log server without any unwanted modification. Messages are sent encrypted using the TLS protocol, which runs over the reliable TCP networking protocol that ensures that the messages arrive at the log server. The disk-based buffering feature of syslog-ng PE buffers messages to the hard disk of the client, ensuring that no messages are lost even if the log server or the network connection becomes unavailable. The syslog-ng Store Box can organize the messages into audit trails based on the sending host and the application, and its web-based search interface makes it easy to browse the log messages and to execute targeted queries to review the log messages, or to find the details of an event.
    As for its own audit trails, SSB logs every change of its configuration, and can require the administrators to enter a changelog entry. These log messages are stored separately to make it easy to review and audit the changes. The administrators of SSB can be authenticated against an LDAP database (for example Microsoft Active Directory). SSB also receives automatic notifications from the syslog-ng Premium Edition log collector clients whenever the configuration of a client is modified.

10.3 Record at least the following audit trail entries for all system components for each event:
10.3.1 User identification
10.3.2 Type of event
10.3.3 Date and time
10.3.4 Success or failure indication
10.3.5 Origination of event
10.3.6 Identity or name of affected data, system component, or resource.
    The syslog-ng PE application can automatically add the following to log messages that omit this information:
    ■ date and time in various standard formats (for example ISO), including timezone information
    ■ highly customizable date and time information using macros
    ■ the name of the client host that generated the message
    ■ the name of the application or facility that generated the message
    SSB automatically logs the required entries whenever an administrator modifies its configuration. The identity of the administrator can be verified against an LDAP database (for example Microsoft Active Directory). The IP address from which the administrator accessed SSB is also recorded.

10.4 Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time.
    The syslog-ng PE server can automatically add the date and time when it received the message, so the log messages contain accurate time information – even if the clock of the client host or the application is mistimed. Naturally, SSB itself can synchronize its system clock to NTP servers.

10.5 Secure audit trails so they cannot be altered.
    All log messages can be encrypted using public-key encryption on the central log server in a so-called logstore file. The syslog-ng application can also request timestamps for the stored data from an external Timestamping Authority (TSA) to include reliable dates in the log files.

10.5.1 Limit viewing of audit trails to those with a job-related need.
    SSB has detailed privilege-management capabilities to grant access to a set of log messages only to those who require it. Encrypted log messages can be viewed only if the user has the required encryption key.

10.5.2 Protect audit trail files from unauthorized modifications
    The syslog-ng Store Box (SSB) logserver can store the log messages in encrypted logstore files, and log messages are also digitally signed to prevent modifications. The integrity of the messages is also checked when they are transmitted from the clients to the log server. The communication between the syslog-ng clients and SSB can be mutually authenticated using X.509 certificates to prevent log-injection attacks.

10.5.3 Promptly back up audit trail files to a centralized log server or media that is difficult to alter.
    The SSB appliance was created exactly for this purpose: it is a log server that can receive the log messages from reliable sources and store them in encrypted, digitally signed and timestamped log files to prevent modifications. To ensure that no log messages are lost, SSB can receive messages using the reliable TCP networking protocol. To prevent third parties from gaining access to or modifying the messages on the network, the clients can send the messages over a mutually authenticated, TLS-encrypted connection as well. To guarantee that the log server is continuously available, SSB appliances can be set up in a high-availability cluster, where the backup log server goes online in case the primary server becomes unavailable. To minimize the risk of losing messages, the units of the SSB cluster use a common disk subsystem. SSB can receive log messages from any client application that uses the standard syslog protocols (RFC 3164 or RFC 5428-5428), but it is recommended to use the syslog-ng Premium Edition log collector application whenever possible. During network outages, syslog-ng PE buffers the messages to the hard disk, and sends the messages when the server becomes available. Depending on the volume of the log traffic and the available disk space on the host, your messages are safe even in case of very long network downtime.

10.5.4 Copy logs for wireless networks onto a log server on the internal LAN.
    The syslog-ng PE application can relay log messages received from wireless devices and transfer them to the central log server.

10.5.5 Use file integrity monitoring and change detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).
    Using TLS encryption between the clients and the log server ensures that the log messages are not modified on the network. On the log server, syslog-ng can store messages in special encrypted and digitally signed log files to prevent modifications. Timestamps for the stored data can also be requested from an external Timestamping Authority (TSA). When its configuration is changed, the syslog-ng PE application automatically sends a log message to simplify the auditing of your logging infrastructure.

10.7 Retain audit trail history for at least one year, with a minimum of three months online availability.
    When stored in the logstore of SSB, log messages can be compressed to save disk space. Messages archived to a remote server remain available in the SSB web interface as long as the server is online. SSB has large internal hard disks, but can also directly connect to external SAN systems.

Table 1. PCI-DSS compliance and logging

3.2. COBIT 4.1 compliance and logging

Although the compliance of logging infrastructures with COBIT is seldom required by authorities, COBIT compliance is still important, as there are certain regulations (such as the Sarbanes-Oxley Act, or the Basel II Accord) that do not specify exact technical requirements, and compliance with these regulations is often achieved by adopting a well-established framework like COBIT.

The following table discusses some sample control objectives of the Control Objectives for Information and related Technology (COBIT) 4.1, how they affect the logging infrastructure of organizations, and how syslog-ng PE can be used to address these requirements. Please note that this list is by no means exhaustive, and other objectives may have further requirements on the logging infrastructure and log management.

COBIT 4.1 control objective / How the syslog-ng Store Box supports it

AI6 Manage Changes: Changes (including those to procedures, processes, system and service parameters) are logged, assessed and authorized prior to implementation and reviewed against planned outcomes following implementation.
    The syslog-ng Store Box can organize the messages into audit trails based on the sending host and the application, and its web-based search interface makes it easy to browse the log messages and to execute targeted queries to review the log messages, or to find the details of an event.
    As for its own audit trails, SSB logs every change of its configuration, and can require the administrators to enter a changelog entry. These log messages are stored separately to make it easy to review and audit the changes. The administrators of SSB can be authenticated against an LDAP database (for example Microsoft Active Directory).

DS9.3 Configuration Integrity Review: Periodically review the configuration data to verify and confirm the integrity of the current and historical configuration.
    The syslog-ng PE application automatically detects if its configuration is changed, and sends a log message to SSB. That way it is easy to recognize any changes to the logging infrastructure, and to detect unauthorized changes. To support configuration reviews, SSB has an auditor role that allows only the browsing of its configuration, without any access to the collected log messages.

DS5.11 Exchange of Sensitive Data: Exchange sensitive transaction data only over a trusted path or medium with controls to provide authenticity of content, proof of submission, proof of receipt and non-repudiation of origin.
    Transport layer security (TLS) can be used to encrypt the communication between the clients and the SSB log server and to protect the integrity of the messages. Using TLS encryption also prevents third parties from accessing or modifying the communication. The communication between the client and the server can be mutually authenticated using X.509 certificates to verify the identity of the communicating parties and prevent attackers from injecting fake messages into the log files, and also from obtaining syslog data. The use of the TCP networking protocol, disk-based buffering, and the ability to send the messages to a backup server in case the primary log server becomes unavailable ensure that the log server indeed receives the sent messages. SSB can store the received log messages in encrypted, digitally signed and timestamped files to prevent modifications to the messages after they have been received. The timestamps can be obtained from an external Timestamping Authority (TSA) as well.

DS13.3 IT Infrastructure Monitoring: Define and implement procedures to monitor the IT infrastructure and related events. Ensure that sufficient chronological information is being stored in operations logs to enable the reconstruction, review and examination of the time sequences of operations and the other activities surrounding or supporting operations.
    The syslog-ng PE log collector application was created exactly for this purpose: to transfer the log messages generated on the host to the central log server, where they can be stored in encrypted and digitally signed log files to prevent modifications.
    SSB has a powerful log classification engine that can classify thousands of messages per second, and raise alerts for certain message types. It can also use the principles of artificial ignorance to detect unknown messages that may require attention or further investigation.
    To help the review of time sequences and events, SSB has a web-based search interface. SSB also stores the timestamp when a particular message was received: that way the time information of the message and the flow of the event is accurate even if the clock of the sending client is inaccurate.

PO2.4 Integrity Management: Define and implement procedures to ensure the integrity and consistency of all data stored in electronic form, such as databases, data warehouses and data archives.
    Using TLS encryption between the clients and the log server ensures that the log messages are not modified on the network. On the log server, syslog-ng can store messages in special encrypted and digitally signed log files to prevent modifications. It is also possible to store a copy of the messages digitally signed and encrypted in the logstore, and another copy in a database (syslog-ng can directly send messages into Oracle, MySQL, and other databases); the database can be used for everyday log processing, analyzing, and reporting purposes, and the messages can be compared to the copies stored in the logstore to detect any unwanted changes.

Table 2. COBIT 4.1 compliance and logging
4. HIPAA compliance and logging

The Health Insurance Portability and Accountability Act (HIPAA) has few direct requirements about logging, but it requires the protection and encryption of sensitive information as it is transmitted over the network and stored on a computer. As log messages may contain such information, the logging infrastructure must comply with these requirements as well.

The following table discusses some sample requirements of HIPAA, how they affect the logging infrastructure of organizations, and how syslog-ng PE can address these requirements. Please note that this list is by no means exhaustive, and other requirements may be applicable to the logging infrastructure and log management.

HIPAA Security Rule: 164.312(e)(1) Transmission Security: Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

How the syslog-ng Store Box supports it: Transport layer security (TLS) can be used to encrypt the communication between the clients and the syslog-ng Store Box (SSB) log server and to protect the integrity of the messages. Using TLS encryption also prevents third parties from accessing or modifying the communication. The communication between the client and the server can be mutually authenticated using X.509 certificates to verify the identity of the communicating parties and prevent attackers from injecting fake messages into the log files, and also from obtaining syslog data. The use of the TCP networking protocol, disk-based buffering, and the ability to send the messages to a backup server in case the primary log server becomes unavailable ensure that the log server indeed receives the sent messages.

HIPAA Security Rule: 164.312(e)(2)(i) Integrity Controls (A): Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.

How the syslog-ng Store Box supports it: Using TLS encryption between the clients and the log server ensures that the log messages are not modified on the network. SSB can store messages in special encrypted and digitally signed log files to prevent modifications. It is also possible to store a copy of the messages digitally signed and encrypted in the logstore, and another copy in a database (SSB can directly send messages into Oracle, MySQL, and other databases); the database can be used for everyday log processing, analyzing, and reporting purposes, and the messages can be compared to the copies stored in the logstore to detect any unwanted changes.

HIPAA Security Rule: 164.312(e)(2)(ii) Encryption (A): Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

How the syslog-ng Store Box supports it: The syslog-ng PE log collector application can encrypt log messages while they are transferred from their origin to the SSB log server, and SSB can store them in an encrypted, digitally signed format. Timestamps for the stored data can also be requested from an external Timestamping Authority (TSA).

Table 3. HIPAA compliance and logging
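The two-copy integrity scheme described in the COBIT PO2.4 and HIPAA 164.312(e)(2)(i) rows above, as an added example that is not SSB's or syslog-ng's code: a sealed logstore copy (here a keyed hash over message and receive timestamp, standing in for SSB's digital signature and TSA timestamp) is compared against the plain database copy, and every disagreement is reported. The key, the messages and the simulated edits are constructed for the demonstration.

```python
import hashlib
import hmac
import json

# Added example, not SSB code: models the two-copy integrity scheme from the
# COBIT PO2.4 and HIPAA 164.312(e)(2)(i) rows. The logstore copy carries the
# receive timestamp and a keyed hash (standing in for SSB's digital signature
# and TSA timestamp); the database copy is plain; auditing compares the two.
LOGSTORE_KEY = b"constructed-demo-key"  # placeholder, not a real secret

def seal(message, received_at):
    """Logstore record: message, receive timestamp and keyed hash over both."""
    payload = json.dumps([message, received_at]).encode()
    tag = hmac.new(LOGSTORE_KEY, payload, hashlib.sha256).hexdigest()
    return {"msg": message, "received": received_at, "tag": tag}

def verify_seal(record):
    """Recompute the hash; an edited message or timestamp no longer matches."""
    payload = json.dumps([record["msg"], record["received"]]).encode()
    expected = hmac.new(LOGSTORE_KEY, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["tag"])

def audit(logstore, database):
    """Compare database rows (id -> message) to the sealed logstore records.
    Returns (id, reason) findings; an empty list means the copies agree."""
    findings = []
    for rid, record in enumerate(logstore):
        if not verify_seal(record):
            findings.append((rid, "logstore record tampered"))
        elif rid not in database:
            findings.append((rid, "missing from database"))
        elif database[rid] != record["msg"]:
            findings.append((rid, "database copy differs from logstore"))
    for rid in sorted(set(database) - set(range(len(logstore)))):
        findings.append((rid, "database row has no logstore record"))
    return findings

def demo():
    # Constructed messages as they might arrive from syslog-ng clients.
    incoming = [
        "sshd[2041]: Accepted publickey for alice from 10.0.0.5 port 50022",
        "sudo: bob : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow",
        "kernel: Firewall: *TCP_IN Blocked* SRC=203.0.113.9 DST=10.0.0.7",
    ]
    logstore = [seal(m, "2010-06-01T12:00:00Z") for m in incoming]
    database = dict(enumerate(incoming))
    database[1] = "sudo: bob : TTY=pts/0 ; COMMAND=/bin/ls"  # quiet edit
    logstore[2]["msg"] = logstore[2]["msg"].replace("Blocked", "Allowed")
    return audit(logstore, database)
```

Running demo() flags record 1 as differing in the database and record 2 as tampered in the logstore, while record 0 passes both checks.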
5. Other important features

This section highlights some of the features of the syslog-ng Store Box (SSB) that were not discussed in detail so far, but are useful to know about.

5.1. Managing SSB

SSB is configured from a clean, intuitive web interface. The roles of each SSB administrator can be clearly defined using a set of privileges, such as manage SSB as a host; manage log collection, forwarding and storage; configure various alerts; browse the collected logs and reports.

The web interface is accessible via a network interface dedicated to the management traffic. This management interface is also used for backups, sending alerts, and other administrative traffic. All configuration changes are automatically logged, simplifying the auditing of SSB.

5.2. Fine-tuned access control

The SSB web interface features highly customizable access control. Using this together with the powerful message-sorting capabilities of syslog-ng, you can specify exactly which log messages a user has access to. For example, it is possible to grant access only to the logs of a specific application to the support engineer of that application; it is even possible to narrow the time frame of the data to only the relevant period.

5.3. LDAP integration

SSB can connect to a remote LDAP database (for example a Microsoft Active Directory server) to resolve group memberships of the users who access the SSB web interface. Privileges to configure SSB or browse different logs can be defined based on group memberships.

5.4. Real-time log monitoring and alerting

Even though SSB is not a log analyzing engine, it is able to classify individual log messages using artificial ignorance, much like the popular logcheck application of the Unix world. SSB comes with a built-in database of log message patterns that are considered "normal". Messages matching these patterns are produced during the legitimate use of the applications (for example sendmail, Postfix, MySQL, and so on), and are unimportant from the log monitoring perspective, while the remaining messages may contain something "interesting". The administrators can define log patterns on the SSB interface, label matching messages (for example as a security event) and request alerts if a specific pattern is encountered. For thorough log analysis, SSB can also forward the incoming log messages to external log analyzing engines.

5.5. Log collector agent for several platforms

SSB uses the syslog-ng Premium Edition application to collect logs from different operating systems and hardware platforms, including Linux, Unix, BSD, Sun Solaris, HP-UX, IBM AIX, IBM System i, as well as Microsoft Windows XP, Server 2003, Vista, and Server 2008.
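The artificial-ignorance classification described in section 5.4, as an added example that is not SSB's code: known-normal patterns are discarded, administrator-defined patterns label their matches and can raise an alert, and whatever is left is reported as unknown for review. The patterns, labels and syslog lines are constructed for the demonstration, not taken from SSB's pattern database.

```python
import re

# Added example, not SSB code: a minimal artificial-ignorance classifier in
# the spirit of section 5.4. Known-normal patterns are discarded, labelled
# patterns tag (and optionally alert on) their matches, and everything else is
# reported as unknown for review. Patterns and log lines are constructed.
NORMAL = [
    r"^postfix/smtpd\[\d+\]: (connect|disconnect) from [\w.-]+\[[\d.]+\]$",
    r"^CRON\[\d+\]: \(\w+\) CMD \(.*\)$",
    r"^sshd\[\d+\]: Accepted publickey for \w+ from [\d.]+ port \d+",
]
LABELLED = [  # (label, alert?, pattern) as an administrator might define them
    ("security event", True, r"^sshd\[\d+\]: Failed password for (invalid user )?\w+ from [\d.]+"),
    ("security event", True, r"^sudo: \w+ : .*COMMAND="),
    ("mysql", False, r"^mysqld\[\d+\]: .*ready for connections"),
]

def strip_header(line):
    """Drop the 'Mon DD HH:MM:SS host ' syslog prefix; patterns match the body."""
    return re.sub(r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ ", "", line)

def classify(line):
    """Return (kind, label, alert) with kind in normal/labelled/unknown."""
    body = strip_header(line)
    if any(re.match(p, body) for p in NORMAL):
        return "normal", None, False
    for label, alert, pat in LABELLED:
        if re.match(pat, body):
            return "labelled", label, alert
    return "unknown", None, False

def review(lines):
    """Classify a batch; return the alerts and the unknown messages, which are
    what an operator would actually look at."""
    alerts, unknown = [], []
    for line in lines:
        kind, label, alert = classify(line)
        if alert:
            alerts.append((label, line))
        elif kind == "unknown":
            unknown.append(line)
    return alerts, unknown

SAMPLE = [  # constructed log lines
    "Jun  1 12:00:01 mail postfix/smtpd[3111]: connect from relay.example.net[192.0.2.10]",
    "Jun  1 12:00:02 web CRON[4102]: (root) CMD (/usr/bin/logrotate /etc/logrotate.conf)",
    "Jun  1 12:00:05 web sshd[4120]: Failed password for invalid user admin from 198.51.100.7 port 4431 ssh2",
    "Jun  1 12:00:09 db mysqld[2001]: /usr/sbin/mysqld: ready for connections",
    "Jun  1 12:00:12 web kernel: EXT3-fs error (device sda1): ext3_find_entry: reading directory #2",
    "Jun  1 12:00:15 web sudo: bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow",
]
```

review(SAMPLE) yields two security-event alerts (the failed SSH login and the sudo command) and one unknown message (the EXT3 filesystem error), while the Postfix, cron and MySQL lines are silently absorbed.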
5.6. Agent for Microsoft Windows platforms

The syslog-ng Agent for Windows is a log collector and forwarder application for Microsoft Windows platforms, including Windows Vista and Windows Server 2008. It collects the log messages from eventlog groups and log files and forwards them to a syslog-ng server using regular or TLS-encrypted TCP connections. The syslog-ng Agent can be managed from a domain controller using group policies, or run as a standalone application.

5.7. Agent for IBM System i platforms

The syslog-ng agent for IBM System i is a system log collector and forwarder application for the IBM System i (formerly known as AS/400 and IBM iSeries) platform. It collects application and system messages, as well as messages from the System i security audit journal (QAUDJRN) and the operator message queue (QSYSOPR). The collected messages are forwarded to a syslog-ng server using regular or TLS-encrypted TCP connections. The syslog-ng server can run on a separate machine, or directly on IBM System i in the Portable Application Solutions Environment (PASE). The syslog-ng Agent for IBM System i is available as a standalone product and must be licensed independently from syslog-ng Store Box.

5.8. Automatic data and configuration backups

The recorded log messages and the configuration of SSB can be periodically transferred to a remote server using the following protocols:
 ■ Network File System protocol (NFS);
 ■ Rsync over SSH;
 ■ Server Message Block protocol (SMB/CIFS).
The latest backup, including the data backup, can be easily restored via SSB's web interface.

5.9. Automatic data archiving

SSB's configuration and the recorded log messages are automatically archived to a remote server. The data on the remote server remains accessible and searchable; several terabytes of audit trails can be accessed from the SSB web interface. SSB uses the remote server as a network drive via the Network File System (NFS) or the Server Message Block (SMB/CIFS) protocol.

5.10. Ability to handle extreme load

The syslog-ng Store Box is optimized for performance, and can handle an enormous number of messages. Depending on its exact configuration, it can process over 75,000 messages per second in real time, meaning over 24 GB of raw logs per hour, and index and classify over 30,000 messages per second. Larger versions of the appliance (SSB5000 and SSB10000) include their own storage solutions capable of storing up to 10 terabytes of data.
6. Further information

6.1. About BalaBit

BalaBit IT Security Ltd. is a developer of network security solutions satisfying the highest standards. BalaBit was founded and is currently owned by Hungarian individuals. Its main products are the syslog-ng system logging software, which is the most widely used alternative syslog solution in the world; the syslog-ng Store Box logserver appliance; Zorp, a modular proxy gateway capable of inspecting over twenty protocols, including encrypted ones like SSL and SSH; and the Shell Control Box, an appliance that can transparently control, audit, and replay SSH, RDP, VNC, and Telnet traffic.

To learn more about commercial and open source BalaBit products, request an evaluation version, or find a reseller, visit the following links:
 ■ The syslog-ng homepage
 ■ Shell Control Box homepage
 ■ syslog-ng Store Box (SSB) homepage
 ■ Product manuals, guides, and other documentation
 ■ Register and request an evaluation version
 ■ Find a reseller

All questions, comments or inquiries should be directed to <info@balabit.com> or by post to the following address:
BalaBit IT Security
1115 Budapest, Bártfai str. 54
Phone: +36 1 3710540
Fax: +36 1 2080875
Web: http://www.balabit.com/

Copyright © 2010 BalaBit IT Security Ltd. Some rights reserved. This document is published under the Creative Commons Attribution Noncommercial No Derivative Works (by-nc-nd) 3.0 license. All other product names mentioned herein are the trademarks of their respective owners. The latest version is always available at the BalaBit Documentation Page.
