My next class: LINUX Incident Response and Threat Hunting, Baltimore, Mar 3rd - Mar 8th 2025

Critical Control 6 - Maintenance, Monitoring, and Analysis of Security Audit Logs

Published: 2011-10-10. Last Updated: 2011-10-10 18:31:01 UTC
by Jim Clausing (Version: 1)
4 comment(s)

The next of our critical controls for Cyber Security Awareness Month is log management/monitoring/analysis.  This has been an interest/passion of mine for a long time.  As Eric Cole (among others) is fond of saying in SEC 401, prevention is ideal, but detection is a must.  If you aren't logging as much as possible, how will you ever know when something bad happens?

As mentioned in a couple of previous diaries this month, one of the keys for this control is that all of the log-generating devices (routers, switches, firewalls, servers, workstations, ...) have their clocks synchronized, so NTP is your friend.

The third key is to collect the logs somewhere other than the device that generates them: our "central log server."  This server should be one of the most locked-down, best-protected servers in the enterprise.  That way, even if the bad guys breach one of the servers and modify its local logs to hide their tracks, an unmodified copy of those logs will still exist on the log server.

All of this does you no good if you aren't actually looking at the logs, and this is where you need both some software to automate things and an experienced analyst.  The software is necessary because sheer volume can quickly overwhelm an analyst.  This doesn't necessarily mean you need to spend a lot of money, though.  While the commercial SIEM packages are good, you can accomplish a lot with free software like awk and grep.  In 1997, Marcus Ranum introduced the notion of "artificial ignorance," the idea of using software to remove the "known good" entries so the analyst can concentrate on the new/unusual stuff.  For a number of years, I used his nbs (never before seen) software on my home system (though I recently tried to recompile it and ran into an issue that I haven't taken the time to track down yet).  Just last week I saw an announcement of some new software, called LogTemplater, that implements a similar idea.  I've just started looking at it, but it looks like it has some promise.
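As an added example (not code from the diary, and not Ranum's nbs or LogTemplater), here is a minimal artificial-ignorance filter in Python: each syslog line is reduced to a template by replacing PIDs, addresses and other numbers with placeholders, templates the analyst has already vetted as known good are dropped, and whatever is left (never before seen) is reported with a count and an example line. The sample log lines and the known-good set are constructed for the demonstration.

```python
import re

# Constructed sample syslog lines (not from the original diary); the failed
# logins and the sudo line are the "unusual" events the analyst should see.
SAMPLE_LOG = """\
Oct 10 06:25:01 host1 CRON[12345]: (root) CMD (run-parts /etc/cron.hourly)
Oct 10 06:25:17 host1 sshd[12402]: Accepted publickey for jim from 10.0.0.5 port 51234 ssh2
Oct 10 07:25:01 host1 CRON[12510]: (root) CMD (run-parts /etc/cron.hourly)
Oct 10 07:31:44 host1 sshd[12577]: Failed password for invalid user admin from 203.0.113.9 port 40022 ssh2
Oct 10 07:31:46 host1 sshd[12577]: Failed password for invalid user admin from 203.0.113.9 port 40022 ssh2
Oct 10 08:25:01 host1 CRON[12633]: (root) CMD (run-parts /etc/cron.hourly)
Oct 10 08:40:09 host1 sudo:  jim : TTY=pts/0 ; PWD=/home/jim ; USER=root ; COMMAND=/bin/cat /etc/shadow
"""

# Templates the analyst has already reviewed and declared known good; in
# practice this set lives in a file and grows as each new template is vetted.
KNOWN_GOOD = {
    "CRON[<pid>]: (root) CMD (run-parts /etc/cron.hourly)",
    "sshd[<pid>]: Accepted publickey for jim from <ip> port <n> ssh<n>",
}

SYSLOG_HDR = re.compile(r"^\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\S+\s+")  # "Oct 10 06:25:01 host1 "
PID = re.compile(r"\[\d+\]")
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
NUM = re.compile(r"\d+")

def normalize(line):
    """Drop timestamp/host and replace PIDs, IPs and numbers with placeholders."""
    line = SYSLOG_HDR.sub("", line.strip())
    line = PID.sub("[<pid>]", line)
    line = IPV4.sub("<ip>", line)
    line = NUM.sub("<n>", line)
    return " ".join(line.split())

def never_before_seen(log_text, known):
    """Return [(template, count, first_raw_line)] for templates not in `known`,
    in order of first appearance; repeated lines collapse into one entry."""
    seen = {}
    for raw in log_text.splitlines():
        tpl = normalize(raw)
        if tpl in known:
            continue  # artificial ignorance: already vetted, not worth the analyst's time
        count, first = seen.get(tpl, (0, raw))
        seen[tpl] = (count + 1, first)
    return [(tpl, c, first) for tpl, (c, first) in seen.items()]

if __name__ == "__main__":
    for tpl, count, first in never_before_seen(SAMPLE_LOG, KNOWN_GOOD):
        print(f"{count:4d}x {tpl}\n      e.g. {first}")
```

Once a reported template has been reviewed and judged benign, adding it to the known-good set silences it on the next run, which is how the set is built up over time.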

Once you've cut the logs down to a manageable volume, the analyst is still crucial.  Analysis is an area where I personally think you are doing your enterprise a disservice by making it the job of the newbie.  An analyst who knows the environment and has developed a feel for what is normal can much more quickly home in on where the real problems are.  On the other hand, if the newbie can work alongside an experienced analyst, this is a good way to quickly learn the environment.

There is no point in my repeating everything that is already on the SANS critical controls page, so please check out the link in the references below.

So, what do you use for your log analysis?  Let us know either in the comments section below or via our contact page.

References:

- Marcus Ranum, "Artificial Ignorance": http://www.ranum.com/security/computer_security/papers/ai/
- LogTemplater: http://www.uberadmin.com/Projects/logtemplater/index.html
- SANS Critical Security Controls, Control 6: http://www.sans.org/critical-security-controls/control.php?id=6

---------------
Jim Clausing, GIAC GSE #26
jclausing --at-- isc [dot] sans (dot) edu


Comments

splunk, ossec, many grep+awk+sed, perl hand made scripts
I use logcheck. It took some time to get the regexps tweaked to eliminate all the messages I don't care about, but I've got it down to a very manageable level now. It does have some weaknesses when it comes to using it on a log aggregating machine, though; being able to specify the logfiles to inspect using wildcards would be very handy.
splunk all the way...but would like to get my hands on some perl scripts.