The importance of logs - DefCamp 2012

735 views

Published on

0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
735
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
15
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

The importance of logs - DefCamp 2012

  1. 1. The importance of LOG FILES Rotariu Dan-AndreiWeb Developer @ TOSS Romania
  2. 2. What is a Log? According to Merriam-Webster’s Dictionary the definition of a log is:“A record, as of the performance of a machine or the progress of anundertaking: a computer log; a trip log. “ who where what W5 …an event occurred. why when Purpose of a log: If a log has the capability to record the W5 events,then the purpose of a log is to give security professionals the ability tomonitor the activities of the application or device to ensure expected ornormal operations.
  3. 3. Why are logs so cryptic? Because a log can be generated by any device or application, thedevelopers of that device or application will determine how the outputshould be formatted and exactly what content will be released to the loggingprocesses. If the developer is only interested in knowing “when” an application ordevice fails, and wants to know exactly “where” in the code the failureoccurred, then the log output will most likely not show you the “who, what,or why” that caused the failure to occur. This leaves you trying to guess orpiece several pieces of the log together to find those answers. As a result, it seems that two strong standards have emerged in thecomputer industry for the more popular UNIX and Windows environments.
  4. 4. Syslog is a logging system that has been standardized so that any flavor of UNIX operating system will output the same log format that can be displayed or output to standardized log files.Windows NT operating systemssupport the Eventlog format,and all events output to astandardized event logformat.
  5. 5. Six Mistakes of Log Management 1. Not logging at all2. Not looking at the logs3. Storing logs for too short a time4. Prioritizing the log records before collection5. Ignoring the logs from applications6. Only looking at what you know is bad
  6. 6. The Threat
  7. 7. Another type of logs are the everyday messages.I think that everybody has a Facebook Yahoo Google Skype MSN TwitterAnd the list goes on and on.What do all of these have in common? They keep track of all of your activities overtheir services.On facebook, you have the timeline,Yahoo stores the messenger chat on their serversI think that you get my point.. They want to be safe, and at the same time they wantyou to keep track of your actions while using their services.
  8. 8. HOW TO UNDERSTAND THE LOGS?If a certain individual wants to understand a log file: he has a 50% chance of succeeding orjust FAILING in a very shameful way :DTo be more accurate lets analyse together a log file.
  9. 9. How do logs help?Benefits: - logs provide clues about performance issues, application functionproblems, intrusion and attack attempts etc - Logs provide vital inputs for managing computer securityincidents, - When responding to computer incidents, logs provide leads toactivities performed over the system. - Facilitate cyber crime investigations: * Determine the activity * Determine the origin of the attack
  10. 10. LOG FORMATSSome of the questions that might come in your mind are: Do logs have a specific format? How are they built?To be able to answer such questions, we have to be able toread/understand a log correctly: What is the source? The log source can be absolutely everything: starting witha web-server, going all the way to a industrial level where we havehuge amounts of data in a single day.
  11. 11. IO N LU S C FC ON D O ST EAIN
  12. 12. And to properly end this, What do you think of a project that could log on a very large scaleeverything ?The concept is very simple, but requires some adjustments: What if you could see in real time what the victim types? How can this be done?For the moment its in development as my undergraduate license project.I hope that by the time the next DefCamp edition takes place I shall have a functionalversion of the project. Till then STAY SAFE and keep good track of your logs!
  13. 13. refference• http://www.infosecwriters.com• http://www.computerweekly.com/blogs/stuart_king/• http://www.sans.org/reading_room/whitepapers/logging/• http://chuvakin.blogspot.ro/2010/09/on-free-log-management- tools.html• http://andyitguy.blogspot.ro/• http://www.iitg.ernet.in/cse/ISEA/isea_PPT/ISEA_02_09

×