Log Analysis – CompTIA Security+ SY0-401: 1.2

The event and access logs from network devices can provide a wealth of information. In this video, you’ll learn how post-event analysis and real-time analysis of logs can provide valuable security information.

<< Previous Video: Network SeparationNext: DMZ >>

There are a number of universal truths in network security, and one of those is that you’re going to have a lot of log files. You’re going to have log files from your switches, from your routers, from your firewalls, from your IPS systems, from your proxy server, from your URL filtering devices. Every device you have on your network has a bunch of log files associated with it.

As a security professional, you want to have these log files. There’s an amazing amount of intelligence, and certainly a lot of history that you may have to go back and reference, in those log files.

One of the challenges we have as security professionals then, is keeping it all straight. Usually, you want some way to analyze these log files, without you having to pore through pages, and pages, and pages of logs. There’d be no way a human being could ever read through all of those logs.

So there are systems in place. That you can get to analyze the logs for you. This happens to be a chart that was created from one of those, called Splunk, that is designed to take a lot of different log files, consolidate them together, and allow you to put these in a human-readable form, so that you can really see what’s going on.

These log files are incredibly useful. If there happens to be a breach, or something that happens, and you’d like to go back in time and understand– what happened during that time frame, what flow of traffic was allowed through, what firewall rule allowed that bad guy to get to our web server. This would be a great use of having all of those logs in one place.

In real time, it becomes a little more difficult. You can imagine the huge amounts of log files that are streaming into these devices. Being able to do any type of real-time analysis of those logs is a pretty complex thing to have happen.

There are tools out there, however, that can parse these logs, and try to keep track of things, at least in near-real time. And sometimes that that’s very useful. If you’d like to be able to be identified and alerted as quickly as possible, should something odd be happening, sometimes the only way to know that is if you have something automatically going through all of those log files.

The real key, if you ever get into dealing with tons of log files as a security professional, is just– find a way to automate it. One of the worst things you can do is have all those log files, and not be able to take advantage of them.

So you want to really think about– what would you like to do with the log files? What type of information would you like to glean out of the log files? Do you want to have a real-time view of the world in those log files? You answer those questions first, and you’ll be in a better position to understand the type of system you want to have in place to collect the data, and then provide you with some analysis.