
Information systems events




  1. Vicente Aceituno Canal. FIST Conference, September 2007, Madrid. Sponsored by: Events Logging Markup Language.
  2. Index: Log Management; Standards; Information System Model; XML Markup; Vocabulary.
  3. What gets logged. A Record contains a series of events: startup, restart, abnormal termination; physical and logical thresholds being exceeded; access attempts to resources; network connections; privilege and access rights changes; configuration changes.
  4. Log Management. Logs are generated everywhere. Logs have very different formats. There are hundreds of log APIs. There are many log transports. Logs are a trail and a measure. Log collection, correlation, aggregation.
  5. Standards: CEE (MITRE initiative in the making); CEF (ArcSight); Extended Log File Format (W3C); ELML – Events Logging Markup Language (ISM3 Consortium); WebTrends Enhanced Log file Format; WSDM Event Format (OASIS); XDAS – Distributed Audit Service (The Open Group); RFC3164 – syslog (IETF).
  6. Information System Model (UNIX): Processes, Files.
  7. Information System Model (ELML): Interfaces, Repositories, Services, Channels, Messages, Sessions.
  8. Information System Model (ELML) – Interface. Examples: web-based interface, system call, monitor, keyboard and mouse, connector, keyboard, printer, scanner, data acquisition board, DB9, RJ-45.
  9. Information System Model (ELML) – Repository. Examples: payroll database, database replica, file system, directory, file, hard drive, cluster, CD, DVD, RAM, registers.
  10. Information System Model (ELML) – Service. Examples: bank account, SOAP API, interface, Ethernet port, application, system process, threads, running instruction.
  11. Information System Model (ELML) – Channel. Examples: phone call, HTTPS, TCP connection, SFTP connection, Frame Relay PVC, optic fiber, Ethernet cable, IDE cable.
  12. Information System Model (ELML) – Message. Examples: transfer from another account, mail, SOAP call, TCP packet, IP packet, Ethernet packet, 802.11g packet.
  13. Information System Model (ELML) – Session. Examples: work session between user and application, session between processes, TCP transmission session, frame transmission session, su (nested session), software agent session, WAP2 session, etc.
  14. XML Markup. Roles in an event: Agent, Subject, Logger.
  15. XML Markup. Every event can have an eventID. If the event is not logged by the agent of the event, the logger can be identified using a loggerID. The agent of the event can be identified using a sourceID. The agent of the event may be at different locations, identified using an addressID. The credential used by the source to perform a request can be identified using a credentialID. The resource (subject) of the event is identified using a resourceID.
  16. XML Markup. The request (access attempt) performed has a RequestType and a Result. The reason for the Result is stated in the ResultText. The payload contains the information necessary to perform the request. dateTime is the date and time when the request is performed. signature is the digital signature of the event using the credentialID. hash is the digital summary (digest) of the event; it is recommended that the hash of the previous event in the Record is included when calculating it, so that the events of a Record form a chain.
  17. XML Vocabulary (RequestType by component, and Result values):
      Component   Initiate  Finalize    Freeze     Unfreeze  Query State  Change State
      Credential  create    delete      block      unblock   read         write
      Session     login     logout      suspend    resume    read         write
      Message     send      listen      retain     forward   read         write
      Repository  create    delete      block      unblock   read         write
      Interface   connect   disconnect  interrupt  continue  read         write
      Channel     open      close       hold       release   read         write
      Service     start     stop        pause      resume    read         write
      Result: Success, Failure, Error, Source error.
  18. Example – ProFTPd (native lines).
      Connection closed:
      May 21 20:22:14 slacker proftpd[25530] ([]): FTP session closed.
      Login successful:
      May 21 20:22:28 slacker proftpd[25556] ([]): USER dcid-test: Login successful.
      Login failed:
      May 21 20:22:44 slacker proftpd[25557] ([]): USER dcid-test (Login failed): Incorrect password.
      Invalid user login attempt:
      May 21 20:21:21 slacker proftpd[25530] ([]): no such user 'dcid-inv'
      May 21 20:21:21 slacker proftpd[31806] ([]): USER abad: no such user found from [] to
  19. Example – ProFTPd.
      Connection closed (native):
      May 21 20:22:14 slacker proftpd[25530] ([]): FTP session closed.
      Connection closed (ELMLized):
      <sourceID></sourceID>
      <addressID></addressID>
      <loggerID>slacker proftpd[25530]</loggerID>
      <Result>success</Result>
      <ResultText>FTP session closed.</ResultText>
      <dateTime>21/5/2007 20:22:14</dateTime>
  20. Example – ProFTPd.
      Invalid user login attempt (native):
      May 21 20:21:21 slacker proftpd[31806] ([]): USER abad: no such user found from [] to
      Invalid user login attempt (ELMLized):
      <sourceID></sourceID>
      <addressID></addressID>
      <credentialID>abad</credentialID>
      <loggerID>proftpd[31806]</loggerID>
      <RequestType>login</RequestType>
      <Result>failure</Result>
      <ResultText>no such user found</ResultText>
      <dateTime>21/5/2007 20:21:21</dateTime>
  21. Example – ProFTPd. Exercise:
      Dec 12 00:00:00 machinename su: [ID 366847] 'su oracle' succeeded for root on /dev/???
      Dec 12 00:23:28 machinename su: [ID 366847] 'su oracle' failed for root on /dev/???
      Dec 12 00:00:02 machinename sendmail[20512]: [ID 801593] kBC502520512: from=root, size=301, class=0, nrcpts=1, msgid=<>, relay=root@localhost
      Dec 12 00:00:03 machinename sendmail[20514]: [ID 801593] kBC502520512: to=root, ctladdr=root (0/1), delay=00:00:01, xdelay=00:00:01, mailer=local, pri=120301, relay=local, dsn=2.0.0, stat=Sent
      Dec 12 00:10:55 machinename sshd[21698]: [ID 800047] User blablabla not allowed because account is locked
      Dec 12 00:10:55 machinename sshd[21698]: [ID 800047] Failed none for invalid user blablabla from port 40410 ssh2
      Dec 12 00:10:55 machinename sshd[21698]: [ID 800047] Failed password for invalid user blablabla from port 40410 ssh2
      Dec 12 09:33:48 machinename sshd[18195]: [ID 800047] Failed keyboard-interactive for blablabla from port 1530 ssh2
      Dec 12 23:59:54 machinename sshd[24191]: [ID 800047] User blablabla not allowed because account is locked
      Dec 12 09:33:25 machinename sshd[18094]: [ID 800047] User blablabla password has expired (root forced)
      Dec 12 01:30:04 machinename sshd[11819]: [ID 800047] Accepted publickey for blablabla from port 4527 ssh2
      Dec 12 01:30:04 machinename sshd[11821]: [ID 800047] subsystem request for sftp
      Dec 12 01:30:06 machinename sshd[15907]: [ID 800047] Postponed publickey for blablabla from port 4528 ssh2
      Dec 12 08:00:03 machinename sshd[3399]: [ID 800047] Authentication tried for root with correct key but not from a permitted host (host=hostname, ip=
      Dec 12 02:23:45 machinename named-xfer[9924]: [ID 140103] send AXFR query 0 to
      Dec 12 03:13:10 machinename named-xfer[368]: [ID 140103] send AXFR query 0 to
      Dec 12 03:13:10 machinename named[311]: [ID 295310 local2.warning] default: warning: owner name "" IN (secondary) is invalid - proceeding anyway
      Dec 12 07:27:49 machinename limdaemon: [ID 701944 user.notice] login by blablabla (pid=24835,cost=1)
      Dec 12 07:27:52 machinename limdaemon: [ID 709948 user.notice] logout by blablabla (pid=24835)
      Dec 12 08:43:50 machinename login: [ID 507249 auth.notice] Login failure on /dev/pts/7 from, blablabla
  22. What is ELML good for? Don't design log syntax ever again. Use a common format, RequestType and Result vocabulary. Make it easier for everyone to correlate and integrate logs. Download ELML from
  23. Information Security that makes Business Sense. Web, Video Blog, Blog, Twitter, Presentations, Articles.
  24. With the sponsorship of: THANKS