Best practises for log management

4,947 views
4,734 views

Published on

An outline of how to manage your log files to improve your security

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
4,947
On SlideShare
0
From Embeds
0
Number of Embeds
163
Actions
Shares
0
Downloads
89
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

Best practises for log management

  1. 1. Best Practices for Log Monitoring
  2. 2. Introduction <ul><li>What are logs? </li></ul><ul><li>Why are logs important? </li></ul><ul><li>The Challenges </li></ul><ul><li>Recommended Best Practises </li></ul><ul><li>Further Reading </li></ul>20/06/11 Copyright © 2005 BH IT Consulting Ltd
  3. 3. What Are Logs? <ul><li>Historical Record of events that happened. </li></ul><ul><li>Records events and status of systems in a time sequential format. </li></ul><ul><li>Record of activity on the system/network. </li></ul><ul><li>Provide an Audit trail of who done what, where, when and why (5 Ws) </li></ul>20/06/11 Copyright © 2005 BH IT Consulting Ltd
  4. 4. Why are Logs Important? <ul><li>Logs can assist us in; </li></ul><ul><ul><li>Determining what happened - Audit Trail </li></ul></ul><ul><ul><li>Intrusion Detection </li></ul></ul><ul><ul><li>Incident Containment </li></ul></ul><ul><ul><li>Forensic Analysis </li></ul></ul><ul><ul><li>Proactive Protection </li></ul></ul><ul><ul><li>Real Time Alerts </li></ul></ul><ul><ul><li>Providing a Network Baseline </li></ul></ul><ul><ul><li>Determining the Health of the Network </li></ul></ul><ul><ul><ul><li>Troubleshooting issues </li></ul></ul></ul><ul><ul><ul><li>Proactive maintenance </li></ul></ul></ul>20/06/11 Copyright © 2005 BH IT Consulting Ltd
  5. 5. Monitoring as Part of Security Process 20/06/11 Copyright © 2005 BH IT Consulting Ltd Develop Security Policy Secure The Network Improve Based on Feedback Test Security Monitor
  6. 6. Why are Logs Important? <ul><li>Logs are everywhere; </li></ul><ul><ul><li>Operating Systems </li></ul></ul><ul><ul><li>Applications </li></ul></ul><ul><ul><li>Device logs </li></ul></ul><ul><ul><ul><li>Routers </li></ul></ul></ul><ul><ul><ul><li>Firewalls </li></ul></ul></ul><ul><ul><ul><li>IDS </li></ul></ul></ul><ul><ul><ul><li>Switches </li></ul></ul></ul><ul><li>All this information should be making our jobs easier. Right? </li></ul>20/06/11 Copyright © 2005 BH IT Consulting Ltd
  7. 7. Typical Network 20/06/11 Copyright © 2005 BH IT Consulting Ltd
  8. 8. The Challenges <ul><li>Different vendors different log formats. </li></ul><ul><li>Regulatory Requirements. </li></ul><ul><li>Logs were written by developers </li></ul><ul><ul><li>Format is not easy to read </li></ul></ul><ul><ul><li>Messages can be obscure </li></ul></ul><ul><li>Logs contain enormous amount of information. </li></ul><ul><li>Identifying anomalies can be difficult </li></ul><ul><ul><li>Probes over time </li></ul></ul>20/06/11 Copyright © 2005 BH IT Consulting Ltd
  9. 9. The Challenges <ul><li>Managing Logs can be Expensive; </li></ul><ul><ul><li>Log analysis is a unique skill. </li></ul></ul><ul><ul><li>Looking at all events takes time. </li></ul></ul><ul><ul><li>Logs can consume a lot of disk space. </li></ul></ul><ul><li>Volume of information is huge </li></ul><ul><li>No one size fits all. </li></ul><ul><ul><li>Each network is unique </li></ul></ul>20/06/11 Copyright © 2005 BH IT Consulting Ltd
  10. 10. 20/06/11 Copyright © 2005 BH IT Consulting Ltd Too Much Information !!!
  11. 11. Best Practices <ul><li>Develop logging Policy </li></ul><ul><li>Determine what information is relevant to you. </li></ul><ul><ul><li>What devices are important? </li></ul></ul><ul><ul><li>What events are important? </li></ul></ul><ul><ul><li>Don’t forget to turn on logging! </li></ul></ul><ul><ul><li>Timing of events, e.g. user logons in morning. </li></ul></ul><ul><ul><li>What reports you and the business want/need? </li></ul></ul><ul><ul><li>Group servers into zones based on their function or criticality and prioritise events accordingly. </li></ul></ul><ul><li>Baseline your systems & network. </li></ul><ul><ul><li>Determine how your network normally behaves. </li></ul></ul><ul><ul><li>Repeat at regular intervals </li></ul></ul><ul><li>Secure log files on all devices. </li></ul><ul><ul><li>Encrypt logs </li></ul></ul><ul><li>Ensure all devices use same time source. </li></ul><ul><ul><li>If using more than one time zone use UTC . </li></ul></ul><ul><ul><li>Use NTP protocol from a secure source to synchronise time. </li></ul></ul>20/06/11 Copyright © 2005 BH IT Consulting Ltd
  12. 12. Best Practices <ul><li>Centralise log collection </li></ul><ul><ul><li>Dedicated server to collect all logs. </li></ul></ul><ul><ul><ul><li>Be careful of network traffic volumes. </li></ul></ul></ul><ul><ul><ul><li>Be aware of limitations of server to process number of events. </li></ul></ul></ul><ul><ul><li>Configure all devices send logs to central log server. </li></ul></ul><ul><ul><li>Make sure central server is secure. </li></ul></ul><ul><ul><li>Secure transmission of logs. </li></ul></ul><ul><ul><ul><li>e.g. Syslog uses UDP by default. Consider using IPSec or next generation Syslog (Syslog-NG) </li></ul></ul></ul>20/06/11 Copyright © 2005 BH IT Consulting Ltd
  13. 13. Best Practices <ul><li>Normalise the data </li></ul><ul><ul><li>All events such as Windows, Syslog, SNMP etc. should be normalised into same format. </li></ul></ul><ul><li>Review the Logs </li></ul><ul><ul><li>Ensure logs are regularly reviewed </li></ul></ul><ul><ul><ul><li>Manually </li></ul></ul></ul><ul><ul><ul><li>Automatically </li></ul></ul></ul><ul><ul><ul><ul><li>Scripts </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Commercial Tools </li></ul></ul></ul></ul><ul><ul><ul><ul><li>Freeware Tools </li></ul></ul></ul></ul>20/06/11 Copyright © 2005 BH IT Consulting Ltd
  14. 14. Best Practices <ul><li>Log Rotation </li></ul><ul><ul><li>Determine time schedule </li></ul></ul><ul><ul><ul><li>Based on volume of data </li></ul></ul></ul><ul><ul><li>Develop meaningful naming convention. </li></ul></ul><ul><ul><li>Move data to rotated file </li></ul></ul><ul><li>Log Retention </li></ul><ul><ul><li>Based on disk space. </li></ul></ul><ul><ul><li>May be regulatory requirements. </li></ul></ul><ul><ul><li>Archive onto WORM type devices and store in secure area. </li></ul></ul>20/06/11 Copyright © 2005 BH IT Consulting Ltd
  15. 15. Important Windows Events <ul><li>Local Logon Attempt Failures </li></ul><ul><ul><li>Event IDs 529, 530, 531, 532, 533, 534 & 537. </li></ul></ul><ul><li>Domain Logon Account Failures </li></ul><ul><ul><li>Event IDs 675, 677 </li></ul></ul><ul><li>Account Misuse </li></ul><ul><ul><li>Event IDs 530, 531, 532, 533 </li></ul></ul><ul><li>Account lockout </li></ul><ul><ul><li>Event ID 539 </li></ul></ul><ul><li>Terminal Services </li></ul><ul><ul><li>Event IDs 682, 683 </li></ul></ul><ul><li>Creation of a User Account </li></ul><ul><ul><li>Event IDs 624, 626 </li></ul></ul><ul><li>User Account password Change </li></ul><ul><ul><li>Event IDs 627, 628 </li></ul></ul><ul><li>User Account Status Change </li></ul><ul><ul><li>Event IDs 626, 629, 630 </li></ul></ul><ul><li>Modification of Security Groups </li></ul><ul><ul><li>Event IDs 632, 633, 636, 637 </li></ul></ul><ul><li>Modification of Security Log </li></ul><ul><ul><li>Event IDs 612, 517 </li></ul></ul><ul><li>Policy Change </li></ul><ul><ul><li>Event IDs 608, 609 </li></ul></ul><ul><li>Process Tracking </li></ul><ul><ul><li>Event IDs 592, 593 (note due to volume of log entries only monitor process tracking during an investigation.) </li></ul></ul>20/06/11 Copyright © 2005 BH IT Consulting Ltd
  16. 16. Tools <ul><li>Convert Windows Events to Syslog </li></ul><ul><ul><li>WinSyslog http://winsyslog.com/en/ </li></ul></ul><ul><ul><li>EventReporter http://www.eventreporter.com/en/ </li></ul></ul><ul><li>Commercial Monitoring tools </li></ul><ul><ul><li>GFI LANguard (Windows Only) - http://www.gfi.com/lanselm/ </li></ul></ul><ul><ul><li>Symantec - http://www.symantec.com </li></ul></ul><ul><ul><li>HP Openview - http://www.managementsoftware.hp.com/products/a-z.html </li></ul></ul><ul><ul><li>IBM Tivoli - http://www-306.ibm.com/software/tivoli/ </li></ul></ul><ul><ul><li>CA Unicentre - http://www3.ca.com/solutions/product.asp?id=2869 </li></ul></ul><ul><ul><li>Intellitactics Security Manager - http://www.intellitactics.com/blue.asp?PageID=26 </li></ul></ul><ul><ul><li>Netforensics - http://www.netforensics.com/ </li></ul></ul><ul><ul><li>ArchSight - http://www.arcsight.com/ </li></ul></ul><ul><li>Open Source </li></ul><ul><ul><li>Nagios (Open Source) - http://www.nagios.org/ </li></ul></ul>20/06/11 Copyright © 2005 BH IT Consulting Ltd
  17. 17. Links <ul><li>Log Analysis website - Tina Bird & Marcus Ranum </li></ul><ul><ul><li>http://loganalysis.org/ </li></ul></ul><ul><li>Counterpane's website </li></ul><ul><ul><li>http://www.counterpane.com/literature.html </li></ul></ul><ul><li>CERT Coordination Centre </li></ul><ul><ul><li>Establish a policy and procedures that prepare your organization to detect signs of intrusion </li></ul></ul><ul><ul><ul><li>http://www.cert.org/security-improvement/practices/p090.html </li></ul></ul></ul><ul><ul><li>Detecting signs of suspicious behavior </li></ul></ul><ul><ul><ul><li>http://www.cert.org/security-improvement/practices/p091.html </li></ul></ul></ul><ul><ul><ul><li>http://www.cert.org/security-improvement/practices/p092.html </li></ul></ul></ul><ul><ul><li>Monitor for unexpected behavior </li></ul></ul><ul><ul><ul><li>http://www.cert.org/security-improvement/practices/p095.html </li></ul></ul></ul><ul><li>The SANS reading room </li></ul><ul><ul><li>http://www.sans.org/rr/whitepapers/logging/ </li></ul></ul><ul><li>Event ID website given explanations to MS events </li></ul><ul><ul><li>http://www.eventid.net/ </li></ul></ul>20/06/11 Copyright © 2005 BH IT Consulting Ltd
  18. 18. Questions ? 20/06/11 Copyright © 2005 BH IT Consulting Ltd

×