Logging System: The Complete Documentation

  • This category contains 9 Papers
  • The last paper was added on 2007-03-26 (YYYY-MM-DD)

Advanced Log Processing

Published on August 01, 2002, by Anton Chuvakin, ©SecurityFocus.

One of Murphy's laws advises to "only look for those problems that you know how to solve." In security, this means to only monitor for those attacks that you plan to respond to. It is well known that any intrusion detection system is only as good as the analyst watching its output. Thus, having nobody watching the IDS is equivalent to having no IDS at all. But what should an IDS administrator do if he or she is drowning in a flood of alerts, logs, messages and other attention grabbers?

Creating a Centralized Secure Log Server with syslog-ng and Stunnel

Published in 2004, by Amy Rich, ©Sun Microsystems, Inc.

UNIX system administrators are quite familiar with the syslog daemon, but information that it collects often remains unprocessed unless someone reports a problem. At any site with more than a handful of machines, no one devotes the time to log in and check multiple log files each day or even each month. Automated scripts that might correlate data across these machines are difficult to write because they must access each machine individually. To lessen the burden of both automatic and manual data processing, many sites implement a central log server that collects data for all machines (preferably running NTP to make time/date correlation easier) on a network, including UNIX servers, Windows and Mac desktops, and even networking equipment like routers and switches. Centralized logging is fairly trivial with most stock UNIX syslog daemons, but syslogd is little changed from early incarnations and has some shortcomings.

Identify and enable Web-server-specific logging mechanisms

Published on May 03, 2001, by Carnegie Mellon University, ©CERT.

Collecting data generated by the Web server provides you with critical information that is essential for analyzing the security of the Web server and detecting signs of intrusion.

Identify data that characterize systems and aid in detecting signs of suspicious behavior

Published on October 18, 2001, by Carnegie Mellon University, ©CERT.

Collecting data generated by system, network, application, and user activities is essential for analyzing the security of your information assets and detecting signs of suspicious and unexpected behavior. Log files contain information about past activities. You should identify the logging mechanisms and types of logs (system, file access, process, network, application-specific, etc.) available for each asset and identify the data recorded within each log.

Know Your Enemy II: Tracking the blackhat's moves

Published on June 18, 2001, by Lance Spitzner, Project Honeynet.

This article is the second of a series of articles. In the first article, Know Your Enemy, we covered the tools and methodologies of the Script Kiddie, specifically how they probe for vulnerabilities and then attack. The third paper covers what script kiddies do once they gain root, specifically how they cover their tracks and what they do next. This, the second paper, will cover how to track their movements. Just as in the military, you want to track the bad guys and know what they are doing. We will cover what you can, and cannot, determine with your system logs. You may be able to determine if you are being probed, what you were being probed for, what tools were used, and if they were successful. The examples provided here focus on Linux, but can apply to almost any flavor of Unix. Keep in mind, there is no guaranteed way to track the enemy's every step. However, this article is a good place to start.

Log Consolidation with syslog

Published on December 23, 2000, by Donald Pitts, ©SANS Institute.

There may be more elaborate third party proprietary solutions for log consolidation, but the syslog capability within UNIX is simple and ubiquitous on UNIX platforms. This paper will specifically deal with the Sun Solaris environment when not noted otherwise.

Manage logging and other data collection mechanisms

Published on May 01, 2001, by Carnegie Mellon University, ©CERT.

Once you have identified the data to be collected, you need to enable the corresponding logging and data collection mechanisms as well as log filters and alert tools. All of these mechanisms can produce a large volume of recorded information. You need to determine how to best capture, manage, and protect all recorded information, and determine how to alert security staff and administrators when appropriate.

Secure Audit Logs to Support Computer Forensics

Published in 1999, by Bruce Schneier and John Kelsey, ©Counterpane Internet Security.

In many real-world applications, sensitive information must be kept in log files on an untrusted machine. In the event that an attacker captures this machine, we would like to guarantee that he will gain little or no information from the log files and to limit his ability to corrupt the log files. We describe a computationally cheap method for making all log entries generated prior to the logging machine's compromise impossible for the attacker to read, and also impossible to undetectably modify or destroy.

Secure Remote Log Servers Using SCP

Published on February 14, 2001, by Kristy Westphal, ©SecurityFocus.

A few months ago, a problem was presented. It became a necessity to implement a centralized system log server that would securely store logs. The design needed to provide a level of security that would prevent tampering or mischief, while preserving integrity. It was necessary to find a solution that fit into my company's tight budget that would also be a) secure, b) affordable and c) easy to run, especially on a Solaris system. While these constraints made it difficult to discover a viable solution, I was nevertheless able to do so. This article will discuss a solution that meets these criteria and will work well in other environments as well. It should be noted that since I implemented the solution I have in place now, I have discov

Created: 2004-12-08 05:07 | Modified: 2007-03-26 00:16 | Size: 25280 octets