LogChaos: Challenges and Opportunities of Security Log Standardization<br />Dr. Anton Chuvakin<br />Security Warrior Consu...
Outline<br />World of logs today<br />Log chaos? Why? Why order is sorely needed!<br />Past attempts to bring order chaos!...
Log Data Overview<br />From Where?<br />What Logs?<br /><ul><li>Firewalls/intrusion prevention
Routers/switches
Intrusion detection
Servers, desktops, mainframes
Business applications
Databases
Anti-virus
VPNs
Audit logs
Transaction logs
Intrusion logs
Connection logs
System performance records
User activity logs
Various alerts and other messages</li></li></ul><li>From Log Analysis to Log Management<br />Threatprotection and discover...
Log Chaos I - Login?<br />&lt;18&gt; Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreen device_id=ns5xp system-warning-00515: Adm...
Log Chaos II - Accept?<br />messages:Dec 16 17:28:49 10.14.93.7 ns5xp: NetScreen device_id=ns5xp  system-notification-0025...
Log Format Consistency<br />
Log Chaos Everywhere!<br />No standard format<br />No standard schema, no level of details<br />No standard meaning<br />N...
Result?<br />%PIX|ASA-3-713185 Error: Username too long - connection aborted<br />%PIX|ASA-5-501101 User transitioning pri...
More results?<br />userenv[error] 1030 RCI-CORPwsupx No description available<br />Aug 11 09:11:19 xx null pif ? exit! 0 <...
But This … This Here Takes The Cake…<br />Logging username AND passwords to “debug” authentication (niiiice! )<br />Loggi...
Chaos2order: Why Logging Standards?<br />Common language<br />Easier to report on logs and explain the reports<br />Deeper...
What Becomes Possible?<br />All those super-smart people at SIEM  vendors can stop parsing and start analyzing<br />What t...
Example Logging for Developers<br />
Definitions<br />Log = message generated by an IT system to record whatever event happening <br />Log format = layout of l...
Various Logging Standards by Type<br />Log format<br />Example: Syslog, a non-standard standard <br />Example: IDMEF, a fa...
Old, Dead and Vendor Log Standards<br />Vendor “standard” efforts:<br /><ul><li>CBE - IBM
WELF - Webtrends
Upcoming SlideShare
Loading in …5
×

LogChaos: Challenges and Opportunities of Security Log Standardization

4,146 views

Published on

LogChaos: Challenges and Opportunities of Security Log Standardization

Abstract: The presentation will discuss how to bring order (in the form of standards!) to the chaotic world of logging. It will give a brief introduction to logs and logging and explain how and why logs grew so chaotic and disorganized. Next it will cover why log standards are sorely needed. It will offer a walkthrough that highlights the critical areas of log standardization. Past failed standards will be looked at and their lessons learned. Finally, current logging standard efforts will be presented briefly.

Published in: Technology, Education
0 Comments
14 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
4,146
On SlideShare
0
From Embeds
0
Number of Embeds
505
Actions
Shares
0
Downloads
0
Comments
0
Likes
14
Embeds 0
No embeds

No notes for slide
  • Some Logging RulesI seem to be building logging infrastructure today.  I keep recalling one or another of the rules for playing this game.  Might as well try to put them down.Who? – The speaker’s unique ID and type should be in each log line.Transcript – The speaker’s utterances should have a serial number, so you can notice gaps.Checksum – A running check sum is a big help in proving things.When – The utterances should have a time stamp (daemontoolsmultilog t is good)Synchronize our watches – NTP is a must everywhere.Breadcrumbs – Jobs/tasks/work-items/requests should have a unique ID that is threaded these across to the logs and across process/module/machinesHealth – All processes (machines, threads …) should emit a heart beat; heart beats should include some health indicators so other parties can notice when they expire or get sickReplay – Logs that enable a rebuild from last snapshot will save your butt.  Often your close and only some minor optimization (truncating output, discarding binary info, say) is preventing it.  I once rebuilt an entire source repository from years of mail to prove an intrusion had not touched the sources.Syntax – It’s good if the logs are well tokenized, i.e. embedded strings are escaped; and character encodings are worked out.Standardized – It’s good, but it’s hopeless. This is the worst case of the 2nd part of “”Be strict in what you send, but generous in what you receive”Innummerable – You can lay an ontology over the space of exceptions.  Accept that, and then proceed as usual.Now – The sooner the log analysis takes place the better.  Don’t wait until your patient is in intensive care.  Analogy: test driven development.Email – The accumulated headers in modern email are full of lessons learnedFSEvents – the asynchronous file system journaling/notifications of (BeOS, et. al.) are worth looking at closely.Fast – I tend to embrace that writing the log is not transactional or even particularly reliable so I can have volume instead.
  • <?xml version="1.0" encoding="UTF-8"?><!DOCTYPE IDMEF-Message PUBLIC "-//IETF//DTD RFC XXXX IDMEFv1.0//EN“ "idmef-message.dtd"><IDMEF-Message version="1.0"><Alert ident="abc123456789"><Analyzer analyzerid="hq-dmz-analyzer62"><Node category="dns"><location>Headquarters Web Server</location><name>analyzer62.example.com</name></Node></Analyzer><CreateTimentpstamp="0xbc72b2b4.0x00000000"> 2000-03-09T15:31:00-08:00</CreateTime><Source ident="abc01"><Node ident="abc01-01"><Address ident="abc01-02" category="ipv4-addr"><address>192.0.2.200</address></Address></Node></Source><Target ident="def01"><Node ident="def01-01" category="dns"><name>www.example.com</name><Address ident="def01-02" category="ipv4-addr"><address>192.0.2.50</address></Address></Node><Service ident="def01-03"><portlist>5-25,37,42,43,53,69-119,123-514</portlist></Service></Target><Classification origin="vendor-specific"><name>portscan</name><url>http://www.vendor.com/portscan</url></Classification></Alert></IDMEF-Message>
  • WTsyslog[1998-08-01 00:04:11 ip=10.0.0.1 pri=6] id=firewall time="1998-08-01 00:08:52" fw=WebTrendsSamplepri=6 proto=http src=10.0.0.2 dst=10.0.0.3 dstname=1.example.com arg=/selfupd/x86/en/WULPROTO.CAB op=GET result=304 sent=898 WTsyslog[1998-08-01 00:04:12 ip=10.0.0.1 pri=6] id=firewall time="1998-08-01 00:08:52" fw=WebTrendsSamplepri=6 proto=http src=10.0.0.2 dst=10.0.0.3 dstname=1.example.com arg=/selfupd/x86/en/CUNPROT2.CAB op=GET result=304 sent=853 WTsyslog[1998-08-01 00:04:23 ip=10.0.0.1 pri=6] id=firewall time="1998-08-01 00:09:03" fw=WebTrendsSamplepri=6 proto=http src=10.0.0.2 dst=10.0.0.3 dstname=1.example.com arg=/R510/v31content/90820/0x00000409.gng op=GET result=304 sent=2983 WTsyslog[1998-08-01 03:02:03 ip=10.0.0.1 pri=6] id=firewall time="1998-08-01 03:06:43" fw=WebTrendsSamplepri=6 proto=http src=10.0.0.2 dst=10.0.0.4 dstname=2.example.com arg=/ op=POST result=200 sent=2195 WTsyslog[1998-08-01 16:25:33 ip=10.0.0.1 pri=6] id=firewall time="1998-08-01 06:30:09" fw=WebTrendsSamplepri=6 proto=http src=10.0.0.5 dst=10.0.0.6 dstname=3.example.com arg=/portal/brand/images/logo_pimg.gif op=GET result=304 rcvd=1036
  • Example of converting a DB2 Content Manager event to a CBE-formatted eventA DB2® Content Manager event is converted to a Common Base Event (CBE) formatted event. A CBE-formatted event contains additional information about the host name, product name, and the environment.The following example shows how a DB2 Content Manager event is converted to a CBE-formatted event. Information in the CBE-formatted event is entered by the event monitor:<CommonbaseEventcreationTime="2008-03-19T01:03:11:256Z" extensionName="CMEvent" globalInstanceId="AA1234567890123456789012345678901234567890123001" priority="100" version="1.0.1"> <contextDataElements name="cmevent" type="string"> <contextValue>placeholder for DB2 Content Manager event</contextValue> </contextDataElements> <sourceComponentId application="Content Manager Event Monitor" component="Content Manager V8.4.01.000" componentIdType="Productname" executionEnvironment="Windows XP[x86]" instanceId="1" location="myhost/9.30.44.123" locationType="Hostname" subComponent="Event Monitor" componentType="Content Manager"/> <situation categoryName="OtherSituation"> <situationTypexmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="OtherSituation" reasoningScope="EXTERNAL"> Application Event </situationType> </situation> </CommonBaseEvent> Parent topic: CBE XML element format
  • LogChaos: Challenges and Opportunities of Security Log Standardization

    1. 1. LogChaos: Challenges and Opportunities of Security Log Standardization<br />Dr. Anton Chuvakin<br />Security Warrior Consulting<br />Oct 2009<br />5th Annual IT Security Automation Conference<br />Baltimore, MD<br />October 26-29, 2009<br />
    2. 2. Outline<br />World of logs today<br />Log chaos? Why? Why order is sorely needed!<br />Past attempts to bring order chaos!<br />Why ALL failed?<br />What does the future hold?<br />You already know about CEE <br />
    3. 3.
    4. 4. Log Data Overview<br />From Where?<br />What Logs?<br /><ul><li>Firewalls/intrusion prevention
    5. 5. Routers/switches
    6. 6. Intrusion detection
    7. 7. Servers, desktops, mainframes
    8. 8. Business applications
    9. 9. Databases
    10. 10. Anti-virus
    11. 11. VPNs
    12. 12. Audit logs
    13. 13. Transaction logs
    14. 14. Intrusion logs
    15. 15. Connection logs
    16. 16. System performance records
    17. 17. User activity logs
    18. 18. Various alerts and other messages</li></li></ul><li>From Log Analysis to Log Management<br />Threatprotection and discovery<br />Incident response<br />Forensics, “e-discovery” and litigation support<br />Regulatory compliance and audit<br />Internal policies and procedure compliance<br />IT system and network troubleshooting<br />IT performance management<br />
    19. 19. Log Chaos I - Login?<br />&lt;18&gt; Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreen device_id=ns5xp system-warning-00515: Admin User netscreen has logged on via Telnet from 10.14.98.55:39073 (2002-12-17 15:50:53) <br />&lt;57&gt; Dec 25 00:04:32:%SEC_LOGIN-5-LOGIN_SUCCESS:LoginSuccess [user:yellowdog] [Source:10.4.2.11] [localport:23] at 20:55:40 UTC Fri Feb 28 2006<br />&lt;122&gt; Mar 4 09:23:15 localhost sshd[27577]: Accepted password for kyle from ::ffff:192.168.138.35 port 2895 ssh2<br />&lt;13&gt; Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Failure Audit ENTERPRISE Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0    Logon account:  POWERUSER   <br />
    20. 20. Log Chaos II - Accept?<br />messages:Dec 16 17:28:49 10.14.93.7 ns5xp: NetScreen device_id=ns5xp system-notification-00257(traffic): start_time=&quot;2002-12-16 17:33:36&quot; duration=5 policy_id=0 service=telnet proto=6 src zone=Trust dst zone=Untrust action=Permit sent=1170 rcvd=1500 src=10.14.94.221 dst=10.14.98.107 src_port=1384 dst_port=23 translated ip=10.14.93.7 port=1206<br />Apr 6 06:06:02 Checkpoint NGX SRC=Any,DEST=ANY,Accept=nosubstitute,Do Not Log,Installspyware,lieonyourtaxes,orbetteryet,dontpaythem<br />Mar 6 06:06:02 winonasu-pix %PIX-6-302013: Built outbound TCP connection 315210 596 for outside:172.196.9.206/1214 (172.196.9.206/1214) to inside:199.17.151.103/1438 (199.17.151.103/1438)<br />
    21. 21. Log Format Consistency<br />
    22. 22. Log Chaos Everywhere!<br />No standard format<br />No standard schema, no level of details<br />No standard meaning<br />No taxonomy<br />No standard transport<br />No shared knowledge on what to log and how<br />No logging guidance for developers<br />No standard API / libraries for log production<br />
    23. 23. Result?<br />%PIX|ASA-3-713185 Error: Username too long - connection aborted<br />%PIX|ASA-5-501101 User transitioning priv level<br />ERROR: transport error 202: send failed: Success<br />sles10sp1oes oesaudit: type=CWD msg=audit(09/27/07 22:09:45.683:318) :  cwd=/home/user1 <br />
    24. 24. More results?<br />userenv[error] 1030 RCI-CORPwsupx No description available<br />Aug 11 09:11:19 xx null pif ? exit! 0 <br />Apr 23 23:03:08 support last message repeated 3 times<br />Apr 23 23:04:23 support last message repeated 5 times<br />Apr 23 23:05:38 support last message repeated 5 times<br />
    25. 25. But This … This Here Takes The Cake…<br />Logging username AND passwords to “debug” authentication (niiiice! )<br />Logging numeric error codes – and not having documentation ANYWHERE (please read my mind!)<br />Logging chunks of source code to syslog (care to see a 67kB syslog message? )<br />
    26. 26. Chaos2order: Why Logging Standards?<br />Common language<br />Easier to report on logs and explain the reports<br />Deeper insight into future problems <br />Easier system interoperability<br />Common logging practices<br />Easier to explain what is in the logs to management and non-IT people<br />
    27. 27. What Becomes Possible?<br />All those super-smart people at SIEM vendors can stop parsing and start analyzing<br />What the events mean? Consequences? Actions? Maybe even prediction?<br />Different systems can mitigate consequences of each others’ failures<br />We can finally tell the developers “what to log?” and have them “get it!”<br />
    28. 28. Example Logging for Developers<br />
    29. 29. Definitions<br />Log = message generated by an IT system to record whatever event happening <br />Log format = layout of log messages in the form of fields, separators, delimiters, tags, etc<br />Log syntax = fields and values that are present in logs<br />Log taxonomy = a taxonomy of log messages that categorizes log messages and codifies their meaning<br />Log transport = a method of moving logs from one system to another; typically a network protocol<br />
    30. 30. Various Logging Standards by Type<br />Log format<br />Example: Syslog, a non-standard standard <br />Example: IDMEF, a failed standard <br />Log contents<br />No standard to speak of: logs = trash can because application developers dump what they want there (and how they want!)<br />Log transport<br />Example: Syslog (TCP/UDP port 514)<br />Logging practices / recommendations<br />Example: NIST 800-92 (for security only)<br />
    31. 31. Old, Dead and Vendor Log Standards<br />Vendor “standard” efforts:<br /><ul><li>CBE - IBM
    32. 32. WELF - Webtrends
    33. 33. CEF - ArcSight
    34. 34. OLF – eIQnetworks
    35. 35. SDEE – Cisco+</li></ul>Old, mostly dead standards: <br />CIDF – DARPA (became IDMEF)<br />IDMEF – IETF (never adopted by anybody)<br />CIEL – MITRE (cancelled early)<br />XDAS – Open Group<br />
    36. 36. Example: IDMEF<br />&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt;<br />&lt;!DOCTYPE IDMEF-Message PUBLIC &quot;-//IETF//DTD RFC XXXX IDMEF v1.0//EN“ &quot;idmef-message.dtd&quot;&gt;<br />&lt;IDMEF-Message version=&quot;1.0&quot;&gt;<br />&lt;Alert ident=&quot;abc123456789&quot;&gt;<br />&lt;Analyzer analyzerid=&quot;hq-dmz-analyzer62&quot;&gt;<br />&lt;Node category=&quot;dns&quot;&gt;<br />&lt;location&gt;Headquarters Web Server&lt;/location&gt;<br />&lt;name&gt;analyzer62.example.com&lt;/name&gt;<br />&lt;/Node&gt;<br />&lt;/Analyzer&gt;<br />….<br />
    37. 37. Outcome: Died of Old Age in Obscurity<br />Lessons learned:<br />When building a standard, think about adoption<br />Think about use cases, current and hopefully future<br />Complexity =/= broad use (the opposite!)<br />Limit academic input <br />
    38. 38. Example: WELF<br />WTsyslog[1998-08-01 00:04:11 ip=10.0.0.1 pri=6] id=firewall time=&quot;1998-08-01 00:08:52&quot; fw=WebTrendsSamplepri=6 proto=http src=10.0.0.2 dst=10.0.0.3 dstname=1.example.com arg=/selfupd/x86/en/WULPROTO.CAB op=GET result=304 sent=898 <br />
    39. 39. Outcome: Lives Happily in Oblivion <br />Lessons learned:<br />If you use something and like it, it does not make it a standard<br />If you go outside of intended use cases, FAIL happens.<br />
    40. 40. Example: CBE<br />&lt;CommonbaseEventcreationTime=&quot;2008-03-19T01:03:11:256Z&quot; extensionName=&quot;CMEvent&quot; globalInstanceId=&quot;AA123456…3001&quot; priority=&quot;100&quot; version=&quot;1.0.1&quot;&gt; <br />&lt;contextDataElements name=&quot;cmevent&quot; type=&quot;string&quot;&gt; &lt;contextValue&gt;placeholder for DB2 Content Manager event&lt;/contextValue&gt; &lt;/contextDataElements&gt; <br />&lt;sourceComponentId application=&quot;Content Manager Event Monitor&quot; component=&quot;Content Manager V8.4.01.000&quot; componentIdType=&quot;Productname&quot; executionEnvironment=&quot;Windows XP[x86]&quot; instanceId=&quot;1&quot; location=&quot;myhost/9.30.44.123&quot; locationType=&quot;Hostname&quot; subComponent=&quot;Event Monitor&quot; componentType=&quot;Content Manager&quot;/&gt; <br />&lt;situation categoryName=&quot;OtherSituation&quot;&gt; &lt;situationTypexmlns:xsi=&quot;http://www.w3.org/2001/XMLSchema-instance&quot; xsi:type=&quot;OtherSituation&quot; reasoningScope=&quot;EXTERNAL&quot;&gt; Application Event &lt;/situationType&gt; &lt;/situation&gt;<br />&lt;/CommonBaseEvent&gt;<br />
    41. 41. Outcome: MIA<br />Lessons learned:<br />Just because you are big doesn’t mean that anybody would care about your creations<br />If you don’t use it yourself, others won’t either<br />
    42. 42. What Killed’em ALL?<br />Lack of adoption – BIG one!<br />“Solution in search of a problem”<br />“Overthinking” designers <br />Standard complexity<br />Emphasis on XML<br />Vendors and their tactical focus (or “marketing standards”)<br />Narrow approach (e.g. just security)<br />
    43. 43. What Worked? NIST 800-92 Guide to LM<br />“This publication seeks to assist organizations in understanding the need for sound computer security log management. It provides practical, real-world guidance on developing, implementing, and maintaining effective log management practices throughout an enterprise. “<br />
    44. 44. Pause …<br />How we want the world of logging to look like?<br />
    45. 45. What is a Common Event Expression – CEE?<br />CEE = Syntax + Vocabulary + Transport + Log Recommendations <br /><ul><li>Common Event Expression Taxonomy
    46. 46. To specify the event in a common representation
    47. 47. Common Log Syntax
    48. 48. For parsing out relevant data from received log messages
    49. 49. Common Log Transport
    50. 50. For exchanging log messages
    51. 51. Log Recommendations
    52. 52. For guiding events and details needed to be logged by devices (OS, IDS, FWs, etc)</li></ul>Common Event Expression Impacts<br /><ul><li>Log management capabilities
    53. 53. Log correlation (SIEM) capabilities
    54. 54. Device intercommunication enabling autonomic computing
    55. 55. Enterprise-level situational awareness
    56. 56. Infosec attacker modeling and other security analysis capability</li></li></ul><li>Key Area of CEE<br />Common Event Expression (CEE) by MITRE <br />Key standard areas:<br /><ul><li>“Create an event expression taxonomy for uniform and precise log definitions that lead to a common event representation.</li></ul>Create log syntaxes utilizing a single data dictionary to provide consistent event specific details.<br />Standardize flexible event transport mechanisms to support multiple environments.<br />Propose log recommendations for the events and attributes devices generate.”<br />
    57. 57. Conclusions: Future of Log Standards<br />Log standard is sorely needed<br />About 30 years of IT has passed by without it<br />CEE standard will be created; CEE team has learned the lessons of others<br />CEE standard has a higher chance than any standard to be adopted<br />OK fine: “CEE standard will be adopted!” <br />Let’s get to work!<br />LogChaos must die! <br />
    58. 58. Questions?<br />Dr. Anton Chuvakin <br />Principal @ Security Warrior Consulting<br />Email:anton@chuvakin.org<br />Site:http://www.chuvakin.org<br />Blog:http://www.securitywarrior.org<br />LinkedIn:http://www.linkedin.com/in/chuvakin<br />Twitter:@anton_chuvakin<br />
    59. 59. More on Anton<br />Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc<br />Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, Interop, many, many others worldwide<br />Standard developer: CEE, CVSS, OVAL, etc<br />Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others<br />Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager<br />

    ×