LogChaos: Challenges and Opportunities of Security Log Standardization

Anton Chuvakin
Anton ChuvakinSecurity Strategy
LogChaos: Challenges and Opportunities of Security Log Standardization,[object Object],Dr. Anton Chuvakin,[object Object],Security Warrior Consulting,[object Object],Oct 2009,[object Object],5th Annual IT Security Automation Conference,[object Object],Baltimore, MD,[object Object],October 26-29, 2009,[object Object]
Outline,[object Object],World of logs today,[object Object],Log chaos? Why? Why order is sorely needed!,[object Object],Past attempts to bring order chaos!,[object Object],Why ALL failed?,[object Object],What does the future hold?,[object Object],You already know about CEE ,[object Object]
LogChaos: Challenges and Opportunities of Security Log Standardization
Log Data Overview,[object Object],From Where?,[object Object],What Logs?,[object Object],[object Object]
Routers/switches
Intrusion detection
Servers, desktops, mainframes
Business applications
Databases
Anti-virus
VPNs
Audit logs
Transaction logs
Intrusion logs
Connection logs
System performance records
User activity logs
Various alerts and other messages,[object Object]
Log Chaos I - Login?,[object Object],<18> Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreen device_id=ns5xp system-warning-00515: Admin User netscreen has logged on via Telnet from 10.14.98.55:39073 (2002-12-17 15:50:53) ,[object Object],<57> Dec 25 00:04:32:%SEC_LOGIN-5-LOGIN_SUCCESS:LoginSuccess [user:yellowdog] [Source:10.4.2.11] [localport:23] at 20:55:40 UTC Fri Feb 28 2006,[object Object],<122> Mar 4 09:23:15 localhost sshd[27577]: Accepted password for kyle from ::ffff:192.168.138.35 port 2895 ssh2,[object Object],<13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Failure Audit ENTERPRISE Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0    Logon account:  POWERUSER   ,[object Object]
Log Chaos II - Accept?,[object Object],messages:Dec 16 17:28:49 10.14.93.7 ns5xp: NetScreen device_id=ns5xp system-notification-00257(traffic): start_time="2002-12-16 17:33:36" duration=5 policy_id=0 service=telnet proto=6 src zone=Trust dst zone=Untrust action=Permit sent=1170 rcvd=1500 src=10.14.94.221 dst=10.14.98.107 src_port=1384 dst_port=23 translated ip=10.14.93.7 port=1206,[object Object],Apr 6 06:06:02 Checkpoint NGX SRC=Any,DEST=ANY,Accept=nosubstitute,Do Not Log,Installspyware,lieonyourtaxes,orbetteryet,dontpaythem,[object Object],Mar 6 06:06:02 winonasu-pix %PIX-6-302013: Built outbound TCP connection 315210 596 for outside:172.196.9.206/1214 (172.196.9.206/1214) to inside:199.17.151.103/1438 (199.17.151.103/1438),[object Object]
Log Format Consistency,[object Object]
Log Chaos Everywhere!,[object Object],No standard format,[object Object],No standard schema, no level of details,[object Object],No standard meaning,[object Object],No taxonomy,[object Object],No standard transport,[object Object],No shared knowledge on what to log and how,[object Object],No logging guidance for developers,[object Object],No standard API / libraries for log production,[object Object]
Result?,[object Object],%PIX|ASA-3-713185 Error: Username too long - connection aborted,[object Object],%PIX|ASA-5-501101 User transitioning priv level,[object Object],ERROR: transport error 202: send failed: Success,[object Object],sles10sp1oes oesaudit: type=CWD msg=audit(09/27/07 22:09:45.683:318) :  cwd=/home/user1 ,[object Object]
More results?,[object Object],userenv[error] 1030 RCI-CORPsupx No description available,[object Object],Aug 11 09:11:19 xx null pif ? exit! 0 ,[object Object],Apr 23 23:03:08 support last message repeated 3 times,[object Object],Apr 23 23:04:23 support last message repeated 5 times,[object Object],Apr 23 23:05:38 support last message repeated 5 times,[object Object]
But This … This Here Takes The Cake…,[object Object],Logging username AND passwords to “debug” authentication (niiiice! ),[object Object],Logging numeric error codes – and not having documentation ANYWHERE (please read my mind!),[object Object],Logging chunks of source code to syslog (care to see a 67kB syslog message? ),[object Object]
Chaos2order: Why Logging Standards?,[object Object],Common language,[object Object],Easier to report on logs and explain the reports,[object Object],Deeper insight into future problems ,[object Object],Easier system interoperability,[object Object],Common logging practices,[object Object],Easier to explain what is in the logs to management and non-IT people,[object Object]
What Becomes Possible?,[object Object],All those super-smart people at SIEM vendors can stop parsing and start analyzing,[object Object],What the events mean? Consequences? Actions? Maybe even prediction?,[object Object],Different systems can mitigate consequences of each others’ failures,[object Object],We can finally tell the developers “what to log?” and have them “get it!”,[object Object]
Example Logging for Developers,[object Object]
Definitions,[object Object],Log = message generated by an IT system to record whatever event happening ,[object Object],Log format = layout of log messages in the form of fields, separators, delimiters, tags, etc,[object Object],Log syntax = fields and values that are present in logs,[object Object],Log taxonomy = a taxonomy of log messages that categorizes log messages and codifies their meaning,[object Object],Log transport = a method of moving logs from one system to another; typically a network protocol,[object Object]
Various Logging Standards by Type,[object Object],Log format,[object Object],Example: Syslog, a non-standard standard ,[object Object],Example: IDMEF, a failed standard ,[object Object],Log contents,[object Object],No standard to speak of: logs = trash can because application developers dump what they want there (and how they want!),[object Object],Log transport,[object Object],Example: Syslog (TCP/UDP port 514),[object Object],Logging practices / recommendations,[object Object],Example: NIST 800-92 (for security only),[object Object]
Old, Dead and Vendor Log Standards,[object Object],Vendor “standard” efforts:,[object Object],[object Object]
WELF - Webtrends
1 of 32

LogChaos: Challenges and Opportunities of Security Log Standardization

TechnologyEducation

LogChaos: Challenges and Opportunities of Security Log Standardization Abstract: The presentation will discuss how to bring order (in the form of standards!) to the chaotic world of logging. It will give a brief introduction to logs and logging and explain how and why logs grew so chaotic and disorganized. Next it will cover why log standards are sorely needed. It will offer a walkthrough that highlights the critical areas of log standardization. Past failed standards will be looked at and their lessons learned. Finally, current logging standard efforts will be presented briefly.

Anton Chuvakin
Anton ChuvakinSecurity Strategy

Recommended

Log Standards & Future Trends by Dr. Anton Chuvakin by
Log Standards & Future Trends by Dr. Anton ChuvakinLog Standards & Future Trends by Dr. Anton Chuvakin
Log Standards & Future Trends by Dr. Anton ChuvakinAnton Chuvakin
2.2K views27 slides
Microsoft Security Development Lifecycle by
Microsoft Security Development LifecycleMicrosoft Security Development Lifecycle
Microsoft Security Development LifecycleRazi Rais
1.5K views29 slides
Real World Application Threat Modelling By Example by
Real World Application Threat Modelling By ExampleReal World Application Threat Modelling By Example
Real World Application Threat Modelling By ExampleNCC Group
18K views61 slides
Security Architecture by
Security ArchitectureSecurity Architecture
Security Architectureamiable_indian
2.5K views32 slides
Understanding Application Threat Modelling & Architecture by
Understanding Application Threat Modelling & Architecture Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & ArchitecturePriyanka Aash
2.5K views49 slides
Cissp cbk final_exam-answers_v5.5 by
Cissp cbk final_exam-answers_v5.5Cissp cbk final_exam-answers_v5.5
Cissp cbk final_exam-answers_v5.5madunix
11.8K views53 slides

More Related Content

What's hot

Mobile application security and threat modeling by
Mobile application security and threat modelingMobile application security and threat modeling
Mobile application security and threat modelingShantanu Mitra
1.5K views8 slides
CSSLP & OWASP & WebGoat by
CSSLP & OWASP & WebGoatCSSLP & OWASP & WebGoat
CSSLP & OWASP & WebGoatSurachai Chatchalermpun
2K views58 slides
Bulding Soc In Changing Threat Landscapefinal by
Bulding Soc In Changing Threat LandscapefinalBulding Soc In Changing Threat Landscapefinal
Bulding Soc In Changing Threat LandscapefinalMahmoud Yassin
1.1K views35 slides
STRIDE And DREAD by
STRIDE And DREADSTRIDE And DREAD
STRIDE And DREADchuckbt
31.8K views8 slides
Logs: Can’t Hate Them, Won’t Love Them: Brief Log Management Class by Anton C... by
Logs: Can’t Hate Them, Won’t Love Them: Brief Log Management Class by Anton C...Logs: Can’t Hate Them, Won’t Love Them: Brief Log Management Class by Anton C...
Logs: Can’t Hate Them, Won’t Love Them: Brief Log Management Class by Anton C...Anton Chuvakin
5.1K views64 slides
PCI DSS Reporting Requirements for People Who Hate PCI DSS Reporting by
PCI DSS Reporting Requirements for People Who Hate PCI DSS ReportingPCI DSS Reporting Requirements for People Who Hate PCI DSS Reporting
PCI DSS Reporting Requirements for People Who Hate PCI DSS ReportingAlienVault
4.5K views66 slides

What's hot(20)

Mobile application security and threat modeling by Shantanu Mitra
Mobile application security and threat modelingMobile application security and threat modeling
Mobile application security and threat modeling
Shantanu Mitra1.5K views
CSSLP & OWASP & WebGoat by Surachai Chatchalermpun
CSSLP & OWASP & WebGoatCSSLP & OWASP & WebGoat
CSSLP & OWASP & WebGoat
Surachai Chatchalermpun2K views
Bulding Soc In Changing Threat Landscapefinal by Mahmoud Yassin
Bulding Soc In Changing Threat LandscapefinalBulding Soc In Changing Threat Landscapefinal
Bulding Soc In Changing Threat Landscapefinal
Mahmoud Yassin1.1K views
STRIDE And DREAD by chuckbt
STRIDE And DREADSTRIDE And DREAD
STRIDE And DREAD
chuckbt31.8K views
Logs: Can’t Hate Them, Won’t Love Them: Brief Log Management Class by Anton C... by Anton Chuvakin
Logs: Can’t Hate Them, Won’t Love Them: Brief Log Management Class by Anton C...Logs: Can’t Hate Them, Won’t Love Them: Brief Log Management Class by Anton C...
Logs: Can’t Hate Them, Won’t Love Them: Brief Log Management Class by Anton C...
Anton Chuvakin5.1K views
PCI DSS Reporting Requirements for People Who Hate PCI DSS Reporting by AlienVault
PCI DSS Reporting Requirements for People Who Hate PCI DSS ReportingPCI DSS Reporting Requirements for People Who Hate PCI DSS Reporting
PCI DSS Reporting Requirements for People Who Hate PCI DSS Reporting
AlienVault4.5K views
Slide Deck – Session 12 – FRSecure CISSP Mentor Program 2017 by FRSecure
Slide Deck – Session 12 – FRSecure CISSP Mentor Program 2017Slide Deck – Session 12 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 12 – FRSecure CISSP Mentor Program 2017
FRSecure1.4K views
Slide Deck CISSP Class Session 4 by FRSecure
Slide Deck CISSP Class Session 4Slide Deck CISSP Class Session 4
Slide Deck CISSP Class Session 4
FRSecure1.8K views
Finacle - Secure Coding Practices by Infosys Finacle
Finacle - Secure Coding PracticesFinacle - Secure Coding Practices
Finacle - Secure Coding Practices
Infosys Finacle4.4K views
Threat modelling(system + enterprise) by abhimanyubhogwan
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)
abhimanyubhogwan156 views
Software Development Life Cycle – Managing Risk and Measuring Security by Thomas Malmberg
Software Development Life Cycle – Managing Risk and Measuring SecuritySoftware Development Life Cycle – Managing Risk and Measuring Security
Software Development Life Cycle – Managing Risk and Measuring Security
Thomas Malmberg1.7K views
Beginner's Guide to SIEM by AlienVault
Beginner's Guide to SIEM Beginner's Guide to SIEM
Beginner's Guide to SIEM
AlienVault24.8K views
5 things i wish i knew about sast (DSO-LG July 2021) by Michael Man
5 things i wish i knew about sast (DSO-LG July 2021)5 things i wish i knew about sast (DSO-LG July 2021)
5 things i wish i knew about sast (DSO-LG July 2021)
Michael Man145 views
Using Logs for Breach Investigations and Incident Response by Dr Anton Chuvakin by Anton Chuvakin
Using Logs for Breach Investigations and Incident Response by Dr Anton ChuvakinUsing Logs for Breach Investigations and Incident Response by Dr Anton Chuvakin
Using Logs for Breach Investigations and Incident Response by Dr Anton Chuvakin
Anton Chuvakin2.9K views
Wfh security risks - Ed Adams, President, Security Innovation by Priyanka Aash
Wfh security risks - Ed Adams, President, Security InnovationWfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security Innovation
Priyanka Aash1.9K views
Practical Enterprise Security Architecture by Priyanka Aash
Practical Enterprise Security Architecture Practical Enterprise Security Architecture
Practical Enterprise Security Architecture
Priyanka Aash2.4K views
Security Culture from Concept to Maintenance: Secure Software Development Lif... by Dilum Bandara
Security Culture from Concept to Maintenance: Secure Software Development Lif...Security Culture from Concept to Maintenance: Secure Software Development Lif...
Security Culture from Concept to Maintenance: Secure Software Development Lif...
Dilum Bandara2.2K views
Advanced red teaming all your badges are belong to us by Priyanka Aash
Advanced red teaming all your badges are belong to usAdvanced red teaming all your badges are belong to us
Advanced red teaming all your badges are belong to us
Priyanka Aash1.6K views
Security Development Lifecycle Tools by n|u - The Open Security Community
Security Development Lifecycle ToolsSecurity Development Lifecycle Tools
Security Development Lifecycle Tools
n|u - The Open Security Community2.7K views
7 Steps to Threat Modeling by Danny Wong
7 Steps to Threat Modeling7 Steps to Threat Modeling
7 Steps to Threat Modeling
Danny Wong8.1K views

Similar to LogChaos: Challenges and Opportunities of Security Log Standardization

CEE Logging Standard: Today and Tomorrow by
CEE Logging Standard: Today and TomorrowCEE Logging Standard: Today and Tomorrow
CEE Logging Standard: Today and TomorrowAnton Chuvakin
3K views29 slides
Application Logging Good Bad Ugly ... Beautiful? by
Application Logging Good Bad Ugly ... Beautiful?Application Logging Good Bad Ugly ... Beautiful?
Application Logging Good Bad Ugly ... Beautiful?Anton Chuvakin
6.2K views26 slides
Six Mistakes of Log Management 2008 by
Six Mistakes of Log Management 2008Six Mistakes of Log Management 2008
Six Mistakes of Log Management 2008Anton Chuvakin
2.1K views31 slides
Start Up Austin 2017: Security Crash Course and Best Pratices by
Start Up Austin 2017: Security Crash Course and Best PraticesStart Up Austin 2017: Security Crash Course and Best Pratices
Start Up Austin 2017: Security Crash Course and Best PraticesAmazon Web Services
312 views46 slides
Crypt tech technical-presales by
Crypt tech technical-presalesCrypt tech technical-presales
Crypt tech technical-presalesMustafa Kuğu
2.1K views66 slides
Operations: Security by
Operations: SecurityOperations: Security
Operations: SecurityAmazon Web Services
238 views47 slides

Similar to LogChaos: Challenges and Opportunities of Security Log Standardization(20)

CEE Logging Standard: Today and Tomorrow by Anton Chuvakin
CEE Logging Standard: Today and TomorrowCEE Logging Standard: Today and Tomorrow
CEE Logging Standard: Today and Tomorrow
Anton Chuvakin3K views
Application Logging Good Bad Ugly ... Beautiful? by Anton Chuvakin
Application Logging Good Bad Ugly ... Beautiful?Application Logging Good Bad Ugly ... Beautiful?
Application Logging Good Bad Ugly ... Beautiful?
Anton Chuvakin6.2K views
Six Mistakes of Log Management 2008 by Anton Chuvakin
Six Mistakes of Log Management 2008Six Mistakes of Log Management 2008
Six Mistakes of Log Management 2008
Anton Chuvakin2.1K views
Start Up Austin 2017: Security Crash Course and Best Pratices by Amazon Web Services
Start Up Austin 2017: Security Crash Course and Best PraticesStart Up Austin 2017: Security Crash Course and Best Pratices
Start Up Austin 2017: Security Crash Course and Best Pratices
Amazon Web Services312 views
Crypt tech technical-presales by Mustafa Kuğu
Crypt tech technical-presalesCrypt tech technical-presales
Crypt tech technical-presales
Mustafa Kuğu2.1K views
Operations: Security by Amazon Web Services
Operations: SecurityOperations: Security
Operations: Security
Amazon Web Services238 views
Meetup DotNetCode Owasp by dotnetcode
Meetup DotNetCode Owasp Meetup DotNetCode Owasp
Meetup DotNetCode Owasp
dotnetcode111 views
Operations: Security Crash Course — Best Practices for Securing your Company by Amazon Web Services
Operations: Security Crash Course — Best Practices for Securing your CompanyOperations: Security Crash Course — Best Practices for Securing your Company
Operations: Security Crash Course — Best Practices for Securing your Company
Amazon Web Services367 views
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane... by Felipe Prado
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
DEF CON 27 - DANIEL ROMERO and MARIO RIVAS - why you should fear your mundane...
Felipe Prado76 views
Three SOA Case Studies by Paul Fremantle
Three SOA Case StudiesThree SOA Case Studies
Three SOA Case Studies
Paul Fremantle4.5K views
Logicalis Security Conference by Paul Dutot IEng MIET MBCS CITP OSCP CSTM
Logicalis Security ConferenceLogicalis Security Conference
Logicalis Security Conference
Paul Dutot IEng MIET MBCS CITP OSCP CSTM381 views
Avoiding the 10 Deadliest and Most Common Sins for Securing Windows by BeyondTrust
Avoiding the 10 Deadliest and Most Common Sins for Securing WindowsAvoiding the 10 Deadliest and Most Common Sins for Securing Windows
Avoiding the 10 Deadliest and Most Common Sins for Securing Windows
BeyondTrust645 views
A Deep Dive in the World of IT Networking (Part 2) by Tuan Yang
A Deep Dive in the World of IT Networking (Part 2)A Deep Dive in the World of IT Networking (Part 2)
A Deep Dive in the World of IT Networking (Part 2)
Tuan Yang591 views
CRYPTTECH PRODUCTS by Mustafa Kuğu
CRYPTTECH PRODUCTSCRYPTTECH PRODUCTS
CRYPTTECH PRODUCTS
Mustafa Kuğu1.7K views
NIST 800-92 Log Management Guide in the Real World by Anton Chuvakin
NIST 800-92 Log Management Guide in the Real WorldNIST 800-92 Log Management Guide in the Real World
NIST 800-92 Log Management Guide in the Real World
Anton Chuvakin8.9K views
First Responders Course - Session 6 - Detection Systems [2004] by Phil Huggins FBCS CITP
First Responders Course - Session 6 - Detection Systems [2004]First Responders Course - Session 6 - Detection Systems [2004]
First Responders Course - Session 6 - Detection Systems [2004]
Phil Huggins FBCS CITP148 views
Os note by kaiderellachan
Os noteOs note
Os note
kaiderellachan545 views
powershell-is-dead-epic-learnings-london by nettitude_labs
powershell-is-dead-epic-learnings-londonpowershell-is-dead-epic-learnings-london
powershell-is-dead-epic-learnings-london
nettitude_labs2K views
Building an Observability Platform in 389 Difficult Steps by DigitalOcean
Building an Observability Platform in 389 Difficult StepsBuilding an Observability Platform in 389 Difficult Steps
Building an Observability Platform in 389 Difficult Steps
DigitalOcean29 views
Data Capture in IBM WebSphere Premises Server - Aldo Eisma, IBM by mfrancis
Data Capture in IBM WebSphere Premises Server - Aldo Eisma, IBMData Capture in IBM WebSphere Premises Server - Aldo Eisma, IBM
Data Capture in IBM WebSphere Premises Server - Aldo Eisma, IBM
mfrancis812 views

More from Anton Chuvakin

SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En... by
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...Anton Chuvakin
33 views22 slides
SOC Lessons from DevOps and SRE by Anton Chuvakin by
SOC Lessons from DevOps and SRE by Anton ChuvakinSOC Lessons from DevOps and SRE by Anton Chuvakin
SOC Lessons from DevOps and SRE by Anton ChuvakinAnton Chuvakin
265 views18 slides
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth by
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 BoothHey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 BoothAnton Chuvakin
139 views10 slides
20 Years of SIEM - SANS Webinar 2022 by
20 Years of SIEM - SANS Webinar 202220 Years of SIEM - SANS Webinar 2022
20 Years of SIEM - SANS Webinar 2022Anton Chuvakin
283 views21 slides
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin by
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin
10X SOC - SANS Blue Summit Keynote 2021 - Anton ChuvakinAnton Chuvakin
394 views25 slides
SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends by
SOCstock 2020 Groovy SOC Tunes aka Modern SOC TrendsSOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
SOCstock 2020 Groovy SOC Tunes aka Modern SOC TrendsAnton Chuvakin
286 views14 slides

More from Anton Chuvakin(20)

SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En... by Anton Chuvakin
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
Anton Chuvakin33 views
SOC Lessons from DevOps and SRE by Anton Chuvakin by Anton Chuvakin
SOC Lessons from DevOps and SRE by Anton ChuvakinSOC Lessons from DevOps and SRE by Anton Chuvakin
SOC Lessons from DevOps and SRE by Anton Chuvakin
Anton Chuvakin265 views
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth by Anton Chuvakin
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 BoothHey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
Anton Chuvakin139 views
20 Years of SIEM - SANS Webinar 2022 by Anton Chuvakin
20 Years of SIEM - SANS Webinar 202220 Years of SIEM - SANS Webinar 2022
20 Years of SIEM - SANS Webinar 2022
Anton Chuvakin283 views
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin by Anton Chuvakin
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin
Anton Chuvakin394 views
SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends by Anton Chuvakin
SOCstock 2020 Groovy SOC Tunes aka Modern SOC TrendsSOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
Anton Chuvakin286 views
SOCstock 2021 The Cloud-native SOC by Anton Chuvakin
SOCstock 2021 The Cloud-native SOC SOCstock 2021 The Cloud-native SOC
SOCstock 2021 The Cloud-native SOC
Anton Chuvakin430 views
Modern SOC Trends 2020 by Anton Chuvakin
Modern SOC Trends 2020Modern SOC Trends 2020
Modern SOC Trends 2020
Anton Chuvakin758 views
Anton's 2020 SIEM Best and Worst Practices - in Brief by Anton Chuvakin
Anton's 2020 SIEM Best and Worst Practices - in BriefAnton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in Brief
Anton Chuvakin340 views
Generic siem how_2017 by Anton Chuvakin
Generic siem how_2017Generic siem how_2017
Generic siem how_2017
Anton Chuvakin1K views
Tips on SIEM Ops 2015 by Anton Chuvakin
Tips on SIEM Ops 2015Tips on SIEM Ops 2015
Tips on SIEM Ops 2015
Anton Chuvakin365 views
Five SIEM Futures (2012) by Anton Chuvakin
Five SIEM Futures (2012)Five SIEM Futures (2012)
Five SIEM Futures (2012)
Anton Chuvakin609 views
RSA 2016 Security Analytics Presentation by Anton Chuvakin
RSA 2016 Security Analytics PresentationRSA 2016 Security Analytics Presentation
RSA 2016 Security Analytics Presentation
Anton Chuvakin497 views
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin by Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinFive Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Anton Chuvakin10K views
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin by Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinFive Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Anton Chuvakin14K views
Practical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin by Anton Chuvakin
Practical Strategies to Compliance and Security with SIEM by Dr. Anton ChuvakinPractical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
Practical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
Anton Chuvakin3.4K views
SIEM Primer: by Anton Chuvakin
SIEM Primer:SIEM Primer:
SIEM Primer:
Anton Chuvakin4.7K views
Log management and compliance: What's the real story? by Dr. Anton Chuvakin by Anton Chuvakin
Log management and compliance: What's the real story? by Dr. Anton ChuvakinLog management and compliance: What's the real story? by Dr. Anton Chuvakin
Log management and compliance: What's the real story? by Dr. Anton Chuvakin
Anton Chuvakin1.5K views
On Content-Aware SIEM by Dr. Anton Chuvakin by Anton Chuvakin
On Content-Aware SIEM by Dr. Anton ChuvakinOn Content-Aware SIEM by Dr. Anton Chuvakin
On Content-Aware SIEM by Dr. Anton Chuvakin
Anton Chuvakin1.7K views
Making Log Data Useful: SIEM and Log Management Together by Dr. Anton Chuvakin by Anton Chuvakin
Making Log Data Useful: SIEM and Log Management Together by Dr. Anton ChuvakinMaking Log Data Useful: SIEM and Log Management Together by Dr. Anton Chuvakin
Making Log Data Useful: SIEM and Log Management Together by Dr. Anton Chuvakin
Anton Chuvakin2.6K views

Recently uploaded

Empathic Computing: Delivering the Potential of the Metaverse by
Empathic Computing: Delivering the Potential of the MetaverseEmpathic Computing: Delivering the Potential of the Metaverse
Empathic Computing: Delivering the Potential of the MetaverseMark Billinghurst
478 views80 slides
PRODUCT LISTING.pptx by
PRODUCT LISTING.pptxPRODUCT LISTING.pptx
PRODUCT LISTING.pptxangelicacueva6
14 views1 slide
【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院 by
【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院
【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院IttrainingIttraining
52 views8 slides
Igniting Next Level Productivity with AI-Infused Data Integration Workflows by
Igniting Next Level Productivity with AI-Infused Data Integration Workflows Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows Safe Software
263 views86 slides
iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas... by
iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas...iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas...
iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas...Bernd Ruecker
37 views69 slides

Recently uploaded(20)

Empathic Computing: Delivering the Potential of the Metaverse by Mark Billinghurst
Empathic Computing: Delivering the Potential of the MetaverseEmpathic Computing: Delivering the Potential of the Metaverse
Empathic Computing: Delivering the Potential of the Metaverse
Mark Billinghurst478 views
PRODUCT LISTING.pptx by angelicacueva6
PRODUCT LISTING.pptxPRODUCT LISTING.pptx
PRODUCT LISTING.pptx
angelicacueva614 views
【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院 by IttrainingIttraining
【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院
【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院
IttrainingIttraining52 views
METHOD AND SYSTEM FOR PREDICTING OPTIMAL LOAD FOR WHICH THE YIELD IS MAXIMUM ... by Prity Khastgir IPR Strategic India Patent Attorney Amplify Innovation
METHOD AND SYSTEM FOR PREDICTING OPTIMAL LOAD FOR WHICH THE YIELD IS MAXIMUM ...METHOD AND SYSTEM FOR PREDICTING OPTIMAL LOAD FOR WHICH THE YIELD IS MAXIMUM ...
METHOD AND SYSTEM FOR PREDICTING OPTIMAL LOAD FOR WHICH THE YIELD IS MAXIMUM ...
Prity Khastgir IPR Strategic India Patent Attorney Amplify Innovation29 views
Igniting Next Level Productivity with AI-Infused Data Integration Workflows by Safe Software
Igniting Next Level Productivity with AI-Infused Data Integration Workflows Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Safe Software263 views
iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas... by Bernd Ruecker
iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas...iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas...
iSAQB Software Architecture Gathering 2023: How Process Orchestration Increas...
Bernd Ruecker37 views
Voice Logger - Telephony Integration Solution at Aegis by Nirmal Sharma
Voice Logger - Telephony Integration Solution at AegisVoice Logger - Telephony Integration Solution at Aegis
Voice Logger - Telephony Integration Solution at Aegis
Nirmal Sharma39 views
Kyo - Functional Scala 2023.pdf by Flavio W. Brasil
Kyo - Functional Scala 2023.pdfKyo - Functional Scala 2023.pdf
Kyo - Functional Scala 2023.pdf
Flavio W. Brasil368 views
Attacking IoT Devices from a Web Perspective - Linux Day by Simone Onofri
Attacking IoT Devices from a Web Perspective - Linux Day Attacking IoT Devices from a Web Perspective - Linux Day
Attacking IoT Devices from a Web Perspective - Linux Day
Simone Onofri16 views
The details of description: Techniques, tips, and tangents on alternative tex... by BookNet Canada
The details of description: Techniques, tips, and tangents on alternative tex...The details of description: Techniques, tips, and tangents on alternative tex...
The details of description: Techniques, tips, and tangents on alternative tex...
BookNet Canada127 views
20231123_Camunda Meetup Vienna.pdf by Phactum Softwareentwicklung GmbH
20231123_Camunda Meetup Vienna.pdf20231123_Camunda Meetup Vienna.pdf
20231123_Camunda Meetup Vienna.pdf
Phactum Softwareentwicklung GmbH41 views
Microsoft Power Platform.pptx by Uni Systems S.M.S.A.
Microsoft Power Platform.pptxMicrosoft Power Platform.pptx
Microsoft Power Platform.pptx
Uni Systems S.M.S.A.53 views
Ransomware is Knocking your Door_Final.pdf by Security Bootcamp
Ransomware is Knocking your Door_Final.pdfRansomware is Knocking your Door_Final.pdf
Ransomware is Knocking your Door_Final.pdf
Security Bootcamp55 views
STKI Israeli Market Study 2023 corrected forecast 2023_24 v3.pdf by Dr. Jimmy Schwarzkopf
STKI Israeli Market Study 2023 corrected forecast 2023_24 v3.pdfSTKI Israeli Market Study 2023 corrected forecast 2023_24 v3.pdf
STKI Israeli Market Study 2023 corrected forecast 2023_24 v3.pdf
Dr. Jimmy Schwarzkopf19 views
Evolving the Network Automation Journey from Python to Platforms by Network Automation Forum
Evolving the Network Automation Journey from Python to PlatformsEvolving the Network Automation Journey from Python to Platforms
Evolving the Network Automation Journey from Python to Platforms
Network Automation Forum13 views
Unit 1_Lecture 2_Physical Design of IoT.pdf by StephenTec
Unit 1_Lecture 2_Physical Design of IoT.pdfUnit 1_Lecture 2_Physical Design of IoT.pdf
Unit 1_Lecture 2_Physical Design of IoT.pdf
StephenTec12 views
SAP Automation Using Bar Code and FIORI.pdf by Virendra Rai, PMP
SAP Automation Using Bar Code and FIORI.pdfSAP Automation Using Bar Code and FIORI.pdf
SAP Automation Using Bar Code and FIORI.pdf
Virendra Rai, PMP23 views
Democratising digital commerce in India-Report by Kapil Khandelwal (KK)
Democratising digital commerce in India-ReportDemocratising digital commerce in India-Report
Democratising digital commerce in India-Report
Kapil Khandelwal (KK)15 views
Info Session November 2023.pdf by AleksandraKoprivica4
Info Session November 2023.pdfInfo Session November 2023.pdf
Info Session November 2023.pdf
AleksandraKoprivica412 views
handbook for web 3 adoption.pdf by Liveplex
handbook for web 3 adoption.pdfhandbook for web 3 adoption.pdf
handbook for web 3 adoption.pdf
Liveplex22 views

LogChaos: Challenges and Opportunities of Security Log Standardization

Editor's Notes

  1. Some Logging RulesI seem to be building logging infrastructure today.  I keep recalling one or another of the rules for playing this game.  Might as well try to put them down.Who? – The speaker’s unique ID and type should be in each log line.Transcript – The speaker’s utterances should have a serial number, so you can notice gaps.Checksum – A running check sum is a big help in proving things.When – The utterances should have a time stamp (daemontoolsmultilog t is good)Synchronize our watches – NTP is a must everywhere.Breadcrumbs – Jobs/tasks/work-items/requests should have a unique ID that is threaded these across to the logs and across process/module/machinesHealth – All processes (machines, threads …) should emit a heart beat; heart beats should include some health indicators so other parties can notice when they expire or get sickReplay – Logs that enable a rebuild from last snapshot will save your butt.  Often your close and only some minor optimization (truncating output, discarding binary info, say) is preventing it.  I once rebuilt an entire source repository from years of mail to prove an intrusion had not touched the sources.Syntax – It’s good if the logs are well tokenized, i.e. embedded strings are escaped; and character encodings are worked out.Standardized – It’s good, but it’s hopeless. This is the worst case of the 2nd part of “”Be strict in what you send, but generous in what you receive”Innummerable – You can lay an ontology over the space of exceptions.  Accept that, and then proceed as usual.Now – The sooner the log analysis takes place the better.  Don’t wait until your patient is in intensive care.  Analogy: test driven development.Email – The accumulated headers in modern email are full of lessons learnedFSEvents – the asynchronous file system journaling/notifications of (BeOS, et. al.) are worth looking at closely.Fast – I tend to embrace that writing the log is not transactional or even particularly reliable so I can have volume instead.
  2. <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE IDMEF-Message PUBLIC "-//IETF//DTD RFC XXXX IDMEFv1.0//EN“ "idmef-message.dtd"><IDMEF-Message version="1.0"><Alert ident="abc123456789"><Analyzer analyzerid="hq-dmz-analyzer62"><Node category="dns"><location>Headquarters Web Server</location><name>analyzer62.example.com</name></Node></Analyzer><CreateTimentpstamp="0xbc72b2b4.0x00000000"> 2000-03-09T15:31:00-08:00</CreateTime><Source ident="abc01"><Node ident="abc01-01"><Address ident="abc01-02" category="ipv4-addr"><address>192.0.2.200</address></Address></Node></Source><Target ident="def01"><Node ident="def01-01" category="dns"><name>www.example.com</name><Address ident="def01-02" category="ipv4-addr"><address>192.0.2.50</address></Address></Node><Service ident="def01-03"><portlist>5-25,37,42,43,53,69-119,123-514</portlist></Service></Target><Classification origin="vendor-specific"><name>portscan</name><url>http://www.vendor.com/portscan</url></Classification></Alert></IDMEF-Message>
  3. WTsyslog[1998-08-01 00:04:11 ip=10.0.0.1 pri=6] id=firewall time="1998-08-01 00:08:52" fw=WebTrendsSamplepri=6 proto=http src=10.0.0.2 dst=10.0.0.3 dstname=1.example.com arg=/selfupd/x86/en/WULPROTO.CAB op=GET result=304 sent=898 WTsyslog[1998-08-01 00:04:12 ip=10.0.0.1 pri=6] id=firewall time="1998-08-01 00:08:52" fw=WebTrendsSamplepri=6 proto=http src=10.0.0.2 dst=10.0.0.3 dstname=1.example.com arg=/selfupd/x86/en/CUNPROT2.CAB op=GET result=304 sent=853 WTsyslog[1998-08-01 00:04:23 ip=10.0.0.1 pri=6] id=firewall time="1998-08-01 00:09:03" fw=WebTrendsSamplepri=6 proto=http src=10.0.0.2 dst=10.0.0.3 dstname=1.example.com arg=/R510/v31content/90820/0x00000409.gng op=GET result=304 sent=2983 WTsyslog[1998-08-01 03:02:03 ip=10.0.0.1 pri=6] id=firewall time="1998-08-01 03:06:43" fw=WebTrendsSamplepri=6 proto=http src=10.0.0.2 dst=10.0.0.4 dstname=2.example.com arg=/ op=POST result=200 sent=2195 WTsyslog[1998-08-01 16:25:33 ip=10.0.0.1 pri=6] id=firewall time="1998-08-01 06:30:09" fw=WebTrendsSamplepri=6 proto=http src=10.0.0.5 dst=10.0.0.6 dstname=3.example.com arg=/portal/brand/images/logo_pimg.gif op=GET result=304 rcvd=1036
  4. Example of converting a DB2 Content Manager event to a CBE-formatted eventA DB2® Content Manager event is converted to a Common Base Event (CBE) formatted event. A CBE-formatted event contains additional information about the host name, product name, and the environment.The following example shows how a DB2 Content Manager event is converted to a CBE-formatted event. Information in the CBE-formatted event is entered by the event monitor:<CommonbaseEventcreationTime="2008-03-19T01:03:11:256Z" extensionName="CMEvent" globalInstanceId="AA1234567890123456789012345678901234567890123001" priority="100" version="1.0.1"> <contextDataElements name="cmevent" type="string"> <contextValue>placeholder for DB2 Content Manager event</contextValue> </contextDataElements> <sourceComponentId application="Content Manager Event Monitor" component="Content Manager V8.4.01.000" componentIdType="Productname" executionEnvironment="Windows XP[x86]" instanceId="1" location="myhost/9.30.44.123" locationType="Hostname" subComponent="Event Monitor" componentType="Content Manager"/> <situation categoryName="OtherSituation"> <situationTypexmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="OtherSituation" reasoningScope="EXTERNAL"> Application Event </situationType> </situation> </CommonBaseEvent> Parent topic: CBE XML element format