Top 10 Things Logs Can Do for You, Today
•
0 likes•461 views
There's no argument that log data is extremely useful for troubleshooting, but what else can it do for you while it sits there consuming space? We'll give you the Top 10 things to look for in your logs that can help spot trouble before it becomes serious.
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (10)
Similar to Top 10 Things Logs Can Do for You, Today
Similar to Top 10 Things Logs Can Do for You, Today (20)
More from SolarWinds
More from SolarWinds (20)
Recently uploaded
Recently uploaded (20)
Top 10 Things Logs Can Do for You, Today
- 1. Top 10 Things Logs Can Do For You, Today Presented by: Nicole Pauls, Director, Product Management COPYRIGHT © 2012, SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED. 1
- 2. Agenda » Background Why Collect Logs? Collection, aggregation, and analysis methods » Get to the Top 10 Already! » Implementing the Top 10 with SolarWinds® © 2012 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED. 2
- 3. Background: Why Collect Logs? » For boring reasons Compliance mandates, internal or external - PCI, HIPAA, GLBA, FISMA, etc » For security reasons Use log data to identify security issues Use log data to investigate security issues » For operations reasons Use log data to identify outages and issues Use log data to troubleshoot » All of the above, and more! © 2012 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED. 3
- 4. Background: Collection, Aggregation, and Analysis Methods » Collection Syslog, SNMP traps, text log files, databases, APIs » Aggregation Syslog server, log management platform, SIEM (Security Information & Event Management) » Analysis Search Reporting Alerting Correlation © 2012 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED. 4
- 5. #1: Users Are The Gateway To The Network » Detect Changes to Users & Groups New users being added at domain or local level New machines being joined to the domain Users being added to/removed from groups, especially Domain and Local Admins User password changes (and failures) © 2012 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED. 5
- 6. #2: No, Devices Are The Gateway To The Network » Detect changes to Devices and Device Policy Commands being ran Changes to device settings (interface speeds, down/up, VLANs) Changes to ACLs Policy save/restore © 2012 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED. 6
- 7. #3: Normal Authentication Activity That’s Not So Normal » Successful logon activity Any authentication to accounts with administrative privileges, especially domain admin Remote authentication to servers and systems with sensitive data Access to accounts reserved for services, especially “interactive” logons of ANY kind Use of regular user accounts, especially administrators, to run scheduled tasks or services Local physical logons to servers and systems with sensitive data Logons to network devices for management © 2012 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED. 7
- 8. #4: Find Clues In Authentication Failures » Failed logon activity Excessive logon failures to normal user accounts (everything from brute force to a stupid phone) Failed logons to administrative accounts, especially from unexpected sources Failed logon activity to network devices Account lockouts © 2012 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED. 8
- 9. #5: Watch The Weird Wide Web » Proxy data – not just for HR Excessive hits to blocked categories or URLs (okay, this one is for HR) Attempts to download malware (by name, domain, or category) Outbound web traffic from servers or limited admins “Watch List” certain users and look for more key behavior © 2012 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED. 9
- 10. #6: Track Service Availability » Service activity Services that failed to start on boot (or otherwise) Repeat failures to start services Services stopping unexpectedly Informational messages about status of services © 2012 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED. 10
- 11. #7: Identify System-Level Changes » System activity System restarts or shutdowns – and who initiated them Software installation and removal Device updates Event log full or cleared (events lost or no longer being logged!) Audit policy or logging configuration changes © 2012 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED. 11
- 12. #8: Find The Needle In The Network Traffic Haystack » Suspicious Network Traffic Outgoing traffic from servers directly Any outbound web traffic requests not going through your proxy server Remote access ports to IPs you don’t expect (RDP, SSH®/Telnet™, VPN, FTP, etc) Excessive hits to perimeter egress filters (from the same IP, to the same IP) Triggers from IDS/IPS systems © 2012 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED. 12
- 13. #9: Things Specific To YOUR Organization » Do you have core systems (banking, records, etc) that should have limited access? Most of these have audit trails, too. Some of these systems are not trivial and will require third party agents. » Do you have external systems, systems in the cloud, DMZ? More carefully monitor remote access and unexpected changes Consider how connected these systems are to your core network and monitor those points » Do you have custom or third-party applications that interface with your data or systems? These apps SHOULD generate basic audit trail data – who is accessing, from where, and what changes are being made. After the audit trail, logs should help you solve a problem, not just generate more noise for you. © 2012 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED. 13
- 14. #10: Make Auditors Happy (or At Least Happier) » Compliance… Any changes, expected or otherwise, to devices, servers, and accounts • YOU are especially looking for unauthorized or unexpected changes. • THEY want to know what was changed, where, and why. Access to critical system resources (anywhere high value data is stored) • YOU are looking to make sure only people who should have access have access, and you know why. • THEY want to know you’re looking at critical systems and ensuring limited access. Access to high value data itself • YOU are looking for unexpected access, deletes, moves, copies. • THEY want to know you’re looking at the right files and what changes you’re auditing. Remote access, approved or otherwise • YOU are looking for activity from outside the network that could leak data. • THEY want to know who is accessing your data from where. All administrative access • YOU want to make sure your administrators are only doing what they should be. • THEY want to track all the activity your administrators have done. © 2012 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED. 14
- 15. Implementing The Top 10 With SolarWinds » Event Log Consolidator Free tool! View events from 5 Windows® systems in one place. Basic search, basic export » Kiwi Syslog® Free and paid versions; basic features (no reporting, basic alerting) Windows Event Log Forwarder (paid) can be used to aggregate Event Log data » Orion® Products (Server & Application Monitor, Network Performance Monitor) Can aggregate syslog and SNMP Traps, and do some basic searching and alerting » Log & Event Manager Full-on SIEM for everyone – real-time aggregation of all types of logs, extensive searching, reporting, alerting, correlation © 2012 SOLARWINDS WORLDWIDE, LLC. ALL RIGHTS RESERVED. 15
- 16. Thanks for your attention! » Q&A Q&A 16
- 17. Continue the Conversation… » Chat with product experts in the thwackCamp Product Showcase » Join us in the thwackCamp group on thwack® to continue Q&A for this session » Discover additional information in the SolarWinds® Resource Center 17