Best Practices: Security Log Management and Compliance


You know you should do something with your Log Files. After all, they contain a wealth of knowledge concerning your infrastructure. But do you know what to do with them?

If you don’t, you’re not alone. Over half of recent webinar attendees admitted they were uncertain of what to do with their log data. Learn more about log management best practices in this presentation.


    Best Practices: Security Log Management and Compliance (Presentation Transcript)

    • Best Practices: Security Log Mgmt & Compliance Webinar
      Andy Milford
      WhatsUp Event and Syslog Management Lead Engineer
      Rich Makris
      Sales Engineer
    • Where Are We Headed Today?
      Log Management in a Nutshell
      Compliance Initiatives
      Log Management Best Practices
      See our WhatsUp Event Log Management Capabilities in Action
    • Log Management in a Nutshell
      What are event logs?
      On a Windows network, an event is an action, and a grouping or listing of such actions is an event log (sometimes called event log file, .EVT, or .EVTX file).
      The action itself can be as simple as a successful (or failed) print job by someone at their machine in an office or a successful (or failed) logon by a computer user.
      The Microsoft Windows platform generates log files in several categories: Application, System, Security, DNS Server, Directory Service, and File Replication Service. Additionally, logs are generated by Microsoft Internet Information Services (also called Microsoft IIS).
    • Log Management in a Nutshell (cont.)
      What is syslog?
      Syslog (also known as the UNIX System Logger or GNU/Linux System Logger) is the system resource for all messages and errors generated by UNIX-based systems, or by hardware components such as routers and firewalls.
      Why is event log and syslog management such a big deal?
      Behind the scenes every day, computer networks across the globe are generating records of the events that occur. Some are routine. Others are indicators of a decline in network health or attempted security breaches.
      A log management strategy that includes event log and syslog monitoring is the only way to rapidly detect and neutralize threats inside and outside the perimeter.
    • Compliance Initiatives
      • Sarbanes-Oxley
      • Gramm-Leach-Bliley (GLBA)
      • FISMA
      • HIPAA
      • NISPOM
      • PCI
      • Massachusetts Privacy Law – MA 201 CMR 17
      • NERC CIP
      • MiFID (applies to the Eurozone)
      Even if you don’t have to meet compliance standards, log management is critical for network security.
    • Best Practices Overview
      Enable Audit Policy Categories
      Configure which events to record
      Log Data Collection
      Automatically consolidate event records centrally
      Utilize both flat file formats & database storage
      Event monitoring: generate rapid alerts as needed
      Which criteria should you alert on and how?
      Generating reports for key stakeholders: auditors, security/compliance officers and management teams
      Types of reports, scheduling and distribution
      Auditing Log Data
      Centralized log analysis
      Ad-hoc forensics
    • Best Practices: Windows Audit Policies
      Configure which events to record in your security event logs
      Account Logon Events (Windows 2000 and later only)
      Record when a domain user attempts to logon or logoff
      Account Management
      Track changes to users, groups, and computer accounts on domain controllers and member servers and workstations
      Directory Service Access (Windows 2000 and later only)
      Track changes to other objects in the directory, such as contacts
      Object Access
      Track changes to key files and folders on file and application servers.
    • Best Practices: Windows Audit Policies Continued
      Logon Events
      Tracks logons from both domain and non-domain accounts, letting you monitor attempted access to unauthorized resources
      Policy Change
      Major changes in policies governing account lockouts, password changes, and even the audit policy itself by administrators (super-users) are recorded in the event logs
      System Events
      Records when the system is shut down and restarted, as well as when an administrator attempts to clear the security event log
    • Best Practices – Log Data Collection
      Consolidate Event Records Centrally
      • Automatically gather log records in near real time or on a scheduled basis from devices, servers and workstations
      • Keep your data for years for auditing purposes
      • Keep your log data in two formats:
      • As database records – fast, centralized reporting and analysis
      • As compressed flat files – for longer-term storage (e.g. 7+ years)
      TIP: Keep an active working set of log data in a DB (often 60 to 90 days), and the rest as a set of flat files. Look for a tool that will let you rapidly re-import older saved log files back into your database should they ever be needed (e.g. in the event of an audit).
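The two-tier storage described above (a database working set plus compressed flat files that can be re-imported for an audit), as an added example that is not part of the webinar: it uses an in-memory SQLite database as a stand-in for the SQL Server/Oracle repository and gzip'd JSON-lines files for the archive; all hosts, messages and timestamps are constructed.

```python
"""Two-tier log retention: database working set plus gzip'd flat-file archive with re-import."""
import gzip, json, os, sqlite3, tempfile
from datetime import datetime, timedelta

ACTIVE_DAYS = 90  # working set kept in the database (the slide suggests 60 to 90 days)

def ingest(db, events):
    db.executemany("INSERT INTO events VALUES (?, ?, ?)",
                   [(e["ts"], e["host"], e["msg"]) for e in events])

def count(db):
    return db.execute("SELECT COUNT(*) FROM events").fetchone()[0]

def archive_older_than(db, now, path, days=ACTIVE_DAYS):
    """Move records older than the working set into a gzip'd JSON-lines file.
    ISO-8601 timestamps sort lexicographically, so a plain string compare works."""
    cutoff = (now - timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%S")
    rows = db.execute("SELECT ts, host, msg FROM events WHERE ts < ?", (cutoff,)).fetchall()
    with gzip.open(path, "at", encoding="utf-8") as f:
        for ts, host, msg in rows:
            f.write(json.dumps({"ts": ts, "host": host, "msg": msg}) + "\n")
    db.execute("DELETE FROM events WHERE ts < ?", (cutoff,))
    return len(rows)

def reimport(db, path):
    """Bring an archived flat file back into the database, e.g. for an audit."""
    with gzip.open(path, "rt", encoding="utf-8") as f:
        events = [json.loads(line) for line in f if line.strip()]
    ingest(db, events)
    return len(events)

def demo():
    """Constructed walk-through as of 2010-06-01: three old records, two recent ones."""
    now = datetime(2010, 6, 1)
    sample = [{"ts": "2010-01-15T08:00:00", "host": "DC01", "msg": "account lockout"},
              {"ts": "2010-02-02T12:30:00", "host": "FS01", "msg": "share ACL changed"},
              {"ts": "2010-02-20T23:59:00", "host": "WS17", "msg": "failed logon"},
              {"ts": "2010-05-20T07:15:00", "host": "DC01", "msg": "audit policy changed"},
              {"ts": "2010-05-30T18:45:00", "host": "FS01", "msg": "security log cleared"}]
    db = sqlite3.connect(":memory:")  # stand-in for the SQL Server / Oracle repository
    db.execute("CREATE TABLE events (ts TEXT, host TEXT, msg TEXT)")
    ingest(db, sample)
    result = {"ingested": count(db)}
    with tempfile.TemporaryDirectory() as d:
        archive = os.path.join(d, "events-2010Q1.jsonl.gz")
        result["archived"] = archive_older_than(db, now, archive)   # 3 records leave the DB
        result["active_after_archive"] = count(db)                  # 2 remain in the working set
        reimport(db, archive)                                       # audit: pull the archive back
        result["active_after_reimport"] = count(db)
    return result
```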
    • Best Practices: Event Monitoring & Alerts
      • Each defined event should be polled at a regular interval and will generate an alert or notification when an entry of interest is detected
      • Key to secure your network and initiate rapid response processes
      TIP: If you are establishing your event monitoring for the first time, it may be better to start by alerting on more events and then throttling back as needed.
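A polling-style monitor for the alerting rules implied by the audit-policy and event-monitoring slides (security log cleared, audit policy changed, repeated failed logons), as an added example that is not part of the webinar. The event IDs 1102, 4625 and 4719 are real Windows Security event IDs; the records, hosts and accounts are constructed, and the failed-logon threshold is the "throttle back" knob the TIP refers to.

```python
"""Polling-style event monitor: a small rule set over one batch of Security-log entries."""
from collections import defaultdict
from datetime import datetime, timedelta

# Real Windows Security event IDs used by the rules; the records below are constructed.
LOG_CLEARED = 1102            # "The audit log was cleared"
FAILED_LOGON = 4625           # "An account failed to log on"
AUDIT_POLICY_CHANGED = 4719   # "System audit policy was changed"

# (timestamp, host, account, event_id): one cleared log, a burst of bad logons, one policy change
SAMPLE_EVENTS = [
    ("2010-06-01T09:00:00", "DC01", "admin", LOG_CLEARED),
    ("2010-06-01T09:01:00", "FS01", "jdoe", FAILED_LOGON),
    ("2010-06-01T09:01:10", "FS01", "jdoe", FAILED_LOGON),
    ("2010-06-01T09:01:20", "FS01", "jdoe", FAILED_LOGON),
    ("2010-06-01T09:01:30", "FS01", "jdoe", FAILED_LOGON),
    ("2010-06-01T09:01:40", "FS01", "jdoe", FAILED_LOGON),
    ("2010-06-01T09:01:50", "FS01", "jdoe", FAILED_LOGON),
    ("2010-06-01T09:02:00", "FS01", "asmith", FAILED_LOGON),
    ("2010-06-01T09:03:00", "DC01", "admin", AUDIT_POLICY_CHANGED),
]

def evaluate(events, failed_logon_threshold=5, window=timedelta(minutes=10)):
    """Return (severity, host, text) alerts for one polling interval.
    Log-clear and audit-policy events always alert; failed logons alert once per
    `failed_logon_threshold` attempts by the same account on the same host within
    `window`, so raising the threshold is how you throttle back after a noisy start."""
    alerts = []
    failures = defaultdict(list)   # (host, account) -> timestamps of recent failures
    for ts, host, account, event_id in sorted(events):
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
        if event_id == LOG_CLEARED:
            alerts.append(("CRITICAL", host, f"security log cleared by {account}"))
        elif event_id == AUDIT_POLICY_CHANGED:
            alerts.append(("HIGH", host, f"audit policy changed by {account}"))
        elif event_id == FAILED_LOGON:
            recent = [x for x in failures[(host, account)] if t - x <= window] + [t]
            if len(recent) >= failed_logon_threshold:
                alerts.append(("MEDIUM", host,
                               f"{len(recent)} failed logons for {account} within {window}"))
                recent = []        # start a fresh batch after alerting
            failures[(host, account)] = recent
    return alerts

if __name__ == "__main__":
    for threshold in (1, 5):       # noisy first pass vs. throttled
        print(f"threshold={threshold}: {len(evaluate(SAMPLE_EVENTS, threshold))} alerts")
        for sev, host, text in evaluate(SAMPLE_EVENTS, threshold):
            print(f"  [{sev}] {host}: {text}")
```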
    • Best Practice: Reporting for Security & Compliance Officers
      Some questions to ponder during your evaluation process
      What report formats are available?
      Can you quickly access pre-canned reports and create custom reports as needed?
      Are you tied to a particular reporting format? Will HTML and the availability of that HTML report to multiple users play a role?
      Can customized filters be easily recalled for repeat use?
      From what data sources can reports be generated? Do those sources include EVT, EVTX, CSV, Microsoft Access, and ODBC databases?
    • Auditing Log Data
      Manually sifting through log files to locate relevant information for auditors and management is tedious.
      Log data should be collected and indexed in a central repository such as a database, so that reporting on trends and other key categories of activity becomes much more manageable.
      A solution should provide predefined and configurable search and filtering capabilities out of the box. In addition, pre-built reports that correspond to categories of activity sought after by auditors should be available. Basic “IT search” is not enough.
    • Auditing Log Data: Central Log Viewing
      The old event viewer is a tedious way to spot-check log files. In a network of any size, you must be able to schedule recurring reports that quickly show trends and display consolidated event activity of interest for management. Hence the importance of a central database log repository.
      The shift from .EVT to .EVTX format -- EVTX logs generated from Windows Vista and later operating systems cannot be viewed on Windows XP and older operating systems. Complications caused by the format change can be eased based on your choice of log reporting and reviewing tools.
    • Auditing Log Data: Ad hoc forensics
      Tools used for the spot-checking of individual log files, in the case of casual review or during a specific audit, must have comprehensive support for both the EVT and EVTX log format, regardless of the operating system where said tool is installed. Different field structures between logging formats and other transformations should be performed automatically to aid the administrator.
      Furthermore, log data should be automatically grouped into related sections, with event identifier codes translated into human readable explanations.
    • A Modular Approach to Log Management
      Four titles comprise our patented Total Event Log Management Suite:
      These tools are modular – they work well independently or together.
    • A Modular Approach to Log Management
      And, our approach is agent-optional. This provides a level of flexibility that most other packages simply can’t, because...
    • Automate Log Collection with WhatsUp Event Archiver
      Automatically collect log files with Event Archiver.
      Log files are then consolidated automatically in a database – we recommend SQL, though Oracle is also supported.
      Automating collection eliminates the process of manually “clearing” and moving log files. This translates into quick return on investment.
    • Event-Based Monitoring with WhatsUp Event Alarm
      Monitor event log data and notify in near real time with Event Alarm.
      The WhatsUp Event Alarm Listener Console also provides a comprehensive, console-based view of pertinent events in real-time.
      Gives you event-based monitoring. WhatsUp Gold customers are already seeing the value in having this alongside existing system and performance monitoring.
    • Report on Log File Data with WhatsUp Event Analyst
      Filter and report on event log data with Event Analyst. Reports may be scheduled or run ad hoc.
      WhatsUp Event Analyst filters and reports to assist with longer-term trending and activity review.
      WhatsUp Event Rover on the other hand is more appropriate for hands-on viewing of a machine’s logs.
    • Mine Log Data with WhatsUp Event Rover
      View and mine log data with Event Rover for on-the-fly forensics.
      Quickly discover important events, as they are grouped logically into related tree branches. Define “incidents” and allow Event Rover to automatically correlate certain types of issues. Plus, know that Event Rover can handle EVT/EVTX logs, regardless where it is installed.
    • EVTX Capability: Not Just “A Nice To Have”
      A third factor is differentiating the WhatsUp log management offering in the marketplace.
      With Windows Vista, Windows Server 2008, and Windows 7, the event log format changed from .EVT to .EVTX. Microsoft completely changed the structure, format, and data included in the .EVT format.
      Therefore, existing log management strategies – scripted and software-based - are breaking.
      Did You Know: you cannot open a Windows Server 2008 log file on a Windows XP machine? This is just one of the problems that networks are running into with the EVTX log format.
    • EVTX Capability: Not Just “A Nice To Have”
      The WhatsUp Event Log Management components feature EVTX log capabilities beyond what other vendors can even claim. Our LogHealer and LogRefiner Technologies are exclusively dedicated to addressing this difficult challenge.
      Be sure to check out our separate, more in-depth webinar on the challenges that the EVTX format is creating: “Exploring the Mysteries of EVTX”, http://www.whatsupgold.com/resources/
    • WhatsUp Event Log Management Wow Factors
      Cost-effective, modular approach, easy to use & install
      • Automatically collect, store and archive log files to save time and eliminate human errors
      • Remote & Agent-Based Collection of syslog and Windows Events: you don’t have to deploy an agent on each node
      • Receive real-time alerts to ensure rapid response to a network outage or a security threat
      • Discover potential security incidents during routine review
      • Automated report distribution for IT personnel, compliance or security officers and even law enforcement agencies or upper management
      • Central analysis platform for on-the-fly forensics across heterogeneous Windows environments: 2008, XP, Vista, Server 2003
      • Includes patented Log Healer Technology to handle and even repair corrupted Microsoft EVTX event logs
    • Technical Demonstration
    • Where Do We Go Now?
      Find out more about WhatsUp Event Log and Syslog Management Solutions
      Visit the “Products” section at http://www.whatsupgold.com/
      Download our white paper: Best Practices: Event and Log Management for Security and Compliance. Look for a “thank you” email from us with the download link.
      • Try - free 30 day evaluation!
      • Buy – Three ways to purchase
        1. WhatsUp Gold Representative
        2. An Ipswitch Reseller Partner of your choice
        3. Online via our e-commerce shop