1. The importance of LOG FILES
Rotariu Dan-Andrei
Web Developer @ TOSS Romania
2. What is a Log?
According to Merriam-Webster's Dictionary, the definition of a log is:
"A record, as of the performance of a machine or the progress of an
undertaking: a computer log; a trip log."
The W5 of an event:
who
where
what
why
when
…an event occurred.
Purpose of a log: If a log has the capability to record the W5 events,
then the purpose of a log is to give security professionals the ability to
monitor the activities of the application or device to ensure expected or
normal operations.
3. Why are logs so cryptic?
Because a log can be generated by any device or application, the
developers of that device or application will determine how the output
should be formatted and exactly what content will be released to the logging
processes.
If the developer is only interested in knowing “when” an application or
device fails, and wants to know exactly “where” in the code the failure
occurred, then the log output will most likely not show you the “who, what,
or why” that caused the failure to occur. This leaves you trying to guess or
piece several pieces of the log together to find those answers.
As a result, it seems that two strong standards have emerged in the
computer industry for the more popular UNIX and Windows environments.
4. Syslog is a logging system that has been standardized so that any
flavor of UNIX operating system will output the same log format, which
can be displayed or written to standardized log files.
Windows NT operating systems support the Eventlog format, and all events
are output in a standardized event log format.
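As an added example (not part of the presentation), the Python code below parses classic BSD syslog lines, the RFC 3164 format that traditional UNIX syslog daemons write, and maps each record onto the W5 fields from slide 2. The sample lines, hostnames, PIDs and addresses are constructed for illustration. It also shows three things a practitioner runs into with this format: the leading PRI number has to be decoded into facility and severity, the timestamp carries no year, and there is no field at all for the "why".

```python
"""Decode RFC 3164 (BSD) syslog lines into the W5 fields: who, where, what, when, why.

Added example; the sample lines below are constructed, not real system output.
"""
import re
from datetime import datetime
from typing import Optional

# <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[pid]: MESSAGE   (day is space-padded, e.g. "Jan  5")
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)

# PRI = facility * 8 + severity (RFC 3164, section 4.1.1)
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
              12: "ntp", 13: "audit", 14: "alert", 15: "clock"}
FACILITIES.update({16 + i: f"local{i}" for i in range(8)})
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample lines (hosts, PIDs and addresses are made up)
SAMPLE_LINES = [
    "<38>Jan  5 14:02:11 web01 sshd[2213]: Accepted password for alice from 192.0.2.10 port 51122 ssh2",
    "<38>Jan  5 14:02:15 web01 sshd[2214]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2",
    "<78>Jan  5 14:03:00 web01 CRON[1001]: (root) CMD (/usr/local/bin/backup.sh)",
    "garbage line that no parser should accept",
]


def parse_syslog(line: str, year: int) -> Optional[dict]:
    """Return the W5 view of one syslog line, or None if it is not RFC 3164.

    `year` must be supplied by the caller: the BSD timestamp has no year field,
    so the collector has to record it (a classic source of confusion at New Year).
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:          # facility 23 / severity 7 is the highest legal value
        return None
    facility, severity = divmod(pri, 8)
    when = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    who = m.group("tag") + (f"[{m.group('pid')}]" if m.group("pid") else "")
    return {
        "facility": FACILITIES[facility],
        "severity": SEVERITIES[severity],
        "when": when.isoformat(),
        "where": m.group("host"),   # the host that emitted the record
        "who": who,                 # the process (tag) and its PID
        "what": m.group("msg"),     # free text; the developer decided its content
        "why": None,                # RFC 3164 has no field for the cause
    }


def parse_all(lines, year: int):
    """Parse every line; keep the unparseable ones so they are not silently lost."""
    parsed, rejected = [], []
    for line in lines:
        rec = parse_syslog(line, year)
        if rec is None:
            rejected.append(line)
        else:
            parsed.append(rec)
    return parsed, rejected


if __name__ == "__main__":
    ok, bad = parse_all(SAMPLE_LINES, year=2024)
    for rec in ok:
        print(f"{rec['when']} {rec['where']} {rec['who']} "
              f"{rec['facility']}.{rec['severity']}: {rec['what']}")
    print(f"{len(bad)} line(s) not in RFC 3164 format")
```

Keeping the rejected lines instead of dropping them matters for the "not looking at the logs" mistake below: a parser that silently discards what it cannot read hides exactly the unusual records an analyst wants to see.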
5. Six Mistakes of Log Management
1. Not logging at all
2. Not looking at the logs
3. Storing logs for too short a time
4. Prioritizing the log records before collection
5. Ignoring the logs from applications
6. Only looking at what you know is bad
7. Another type of log is the everyday message.
I think that everybody has a:
- Facebook
- Yahoo
- Google
- Skype
- MSN
- Twitter
And the list goes on and on.
What do all of these have in common? They keep track of all of your activities over
their services.
On Facebook, you have the timeline; Yahoo stores the messenger chat on their servers.
I think you get my point: they want to be safe, and at the same time they want
you to keep track of your actions while using their services.
8. HOW TO UNDERSTAND THE LOGS?
If a certain individual wants to understand a log file:
he has a 50% chance of succeeding
or
just FAILING in a very shameful way :D
To be more accurate, let's analyse a log file together.
9. How do logs help?
Benefits:
- Logs provide clues about performance issues, application function
problems, intrusion and attack attempts, etc.
- Logs provide vital inputs for managing computer security incidents.
- When responding to computer incidents, logs provide leads to
activities performed over the system.
- Facilitate cyber crime investigations:
  * Determine the activity
  * Determine the origin of the attack
10. LOG FORMATS
Some of the questions that might come to your mind are:
Do logs have a specific format?
How are they built?
To be able to answer such questions, we have to be able to
read/understand a log correctly:
What is the source?
The log source can be absolutely anything: starting with a web server
and going all the way to an industrial level, where we have huge
amounts of data in a single day.
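Slides 9 and 10 ask what the source of a log is and how a log shows the activity and its origin. As an added example, not part of the presentation, here is a Python parser for the "combined" access log format written by Apache and Nginx web servers. It extracts the W5 view of each request and then summarises, per client address, how many requests were made and how many were refused or failed. The log lines, addresses, user names and paths are constructed.

```python
"""Read a web server access log (Apache "combined" format) and answer
"what activity happened?" and "where did it come from?".

Added example; the sample lines are constructed, not taken from a real server.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Optional

# Combined format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log: one authenticated user and one anonymous client
SAMPLE_LOG = [
    '192.0.2.10 - alice [05/Jan/2024:14:02:30 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [05/Jan/2024:14:02:31 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "curl/8.0"',
    '198.51.100.7 - - [05/Jan/2024:14:02:32 +0000] "GET /backup.zip HTTP/1.1" 404 210 "-" "curl/8.0"',
    '192.0.2.10 - alice [05/Jan/2024:14:02:40 +0000] "POST /upload HTTP/1.1" 500 0 "https://example.test/index.html" "Mozilla/5.0"',
]


def parse_access_line(line: str) -> Optional[dict]:
    """Map one access log line onto the W5 fields, or return None if it does not parse."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    # Apache writes the time zone as +0000, which %z accepts
    when = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "when": when.isoformat(),
        "where": m.group("path"),                                   # resource touched
        "who": None if m.group("user") == "-" else m.group("user"),  # only if authenticated
        "origin": m.group("client"),                                # client address
        "what": f"{m.group('method')} -> {m.group('status')}",
        "status": int(m.group("status")),
        "agent": m.group("agent"),
        "why": None,   # the access log records the outcome, never the reason
    }


def summarize_by_origin(lines):
    """Per client address: request count, count of 4xx/5xx responses, paths seen."""
    per_origin = defaultdict(lambda: {"requests": 0, "errors": 0, "paths": []})
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue   # unparseable lines are skipped here; a real pipeline should count them
        entry = per_origin[rec["origin"]]
        entry["requests"] += 1
        if rec["status"] >= 400:
            entry["errors"] += 1
        entry["paths"].append(rec["where"])
    return dict(per_origin)


if __name__ == "__main__":
    for origin, stats in summarize_by_origin(SAMPLE_LOG).items():
        print(f"{origin}: {stats['requests']} requests, {stats['errors']} failed, "
              f"paths={stats['paths']}")
```

The summary is the first step of "determine the activity" and "determine the origin" from slide 9: a client that produces mostly failed responses to paths the site does not serve stands out immediately, while the same lines read one by one give no such picture.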
12. And to properly end this,
What do you think of a project that could log everything on a very
large scale?
The concept is very simple, but requires some adjustments:
What if you could see in real time what the victim types?
How can this be done?
For the moment it's in development as my undergraduate license project.
I hope that by the time the next DefCamp edition takes place I shall have a functional
version of the project.
'Till then STAY SAFE and keep good track of your logs!