Monitoring System Logs – CompTIA Security+ SY0-401: 3.6

Your system logs contain a wealth of security details. In this video, you’ll learn about the different log types and how they can be used to security your network.

<< Previous Video: Arbitrary and Remote Code ExecutionNext: Operating System Hardening >>

In most organizations, we’re collecting logs from every device that we have– the routers, the firewalls, the file servers themselves, and many other pieces of information. And this information can be very valuable for us to use not only for what we’re doing internally, but also for making plans for the future. One of the challenges, of course, is that there are a lot of logs, so it takes some very specialized devices and technologies to be able to collect all of those logs, to parse through them, and store them, and then ultimately, to provide us with reports and information from what we’ve gathered over such a very large area.

You’ll generally find different categorizations of logs, things like event logs, and auditing logs, and security logs. And each one of those log types provides us with a different kind of information that we could use for different scenarios. There’s many options for automating the collection and the reporting of this log data. And you can find many open source and commercial packages that can collect all of this information, parse through it, and be able to provide you with some actionable data that you can use in your business.

An event log tells us any time something happens on the network. These are usually very normal operations. Someone logs into the network. Someone opens a file. A file is copied from one server to another. These types of situations are relatively innocuous. This is the normal operation of what’s happening. We’re simply logging every time one of these events occurs.

This might be useful to use, though, after the fact. If we’re trying to determine, how did this file get transferred from one place to the other, we might have an event log that shows us exactly that information. Now, as it sounds, every time you store this information, you’re collecting a larger and larger and larger log file. Event logs can be very large. And so you want to be sure that if you’re planning to collect these, that you have plenty of storage set aside to collect as much information as you need.

You may be gathering these logs from many different places. They can come from your routers, in your firewalls, in your switches, in your servers. All of this is used to ultimately, after the fact, determine what happened on your network. And if you have a security event, these event logs will be very, very useful to help understand what happened before all of the alarms went off.

An audit log is very similar to an event log, but an audit log is only going to tell us when things change. And usually, these are things that are very important for us to be able to watch, so that later on, we can go back and see, who made that change, what type of change was it, what time of the day did that change occur? These audit logs might tell us when absolutely legitimate activity might be going on. If we’re planning to make some firewall changes, the audit logs will be able to determine who made the changes and why they made them.

These audit logs can also tell us when unapproved activity has occurred. If suddenly, our log shows that a change was made to the firewall, yet nobody has any paperwork or any knowledge that any change was to be made, then you’ve got a problem. And that’s where you may be able to find someone who’s making unapproved changes, all from the information you’re gathering from your audit logs.

You’re not going to get quite as many audit logs as you have event logs. But in a way, your audit logs are almost more important, because we’re looking for very specific changes to occur in very specific places. And generally, these types of logs have very critical information inside of them.

As the name implies, an access log is going to tell us when somebody gains access to a resource. They may be gaining access to a file server. Perhaps they’re logging in to use a VPN. There’s going to be a log somewhere that tells us that that particular event occurred. This can come from web servers, which have their own set of access logs inside of them. There could be VPN concentrators. There could be applications that store log information when somebody logs into the application and gains access to certain types of data.

This could be very useful to tell who’s gaining access, to make sure that people are getting the access they require from their resources. But it can also tell us who’s not getting access to those resources. If somebody’s constantly trying the same username but the wrong password to access a VPN, and they’re doing it over and over and over again, you’ll see that information in your access log. This way, you can start to limit the attack vectors available to you.

If somebody’s trying to gain access to your web server and they’re constantly trying to authenticate, and your access log shows that they’ve been denied access constantly over and over, you can create automation that might block that IP address, or limit access from that particular IP address, or slow down the process for them to make it very frustrating for what they’re doing, or maybe you lock them out completely, so that nobody can log in with that particular username any longer.

If you’re going back and trying to rebuild what happened during an attack, what did we see change, when did the bad guys gain access to a particular resource, all of that information is going to be inside of your access logs.

As a security professional, you’re going to be looking through a lot of security logs. These are very focused logs, and they generally focus on very specific events that are occurring that are important from a security perspective. Usually, the file server team and the router team aren’t necessarily interested in the security-related events. They may be more interested in the performance-related events.

So you’ll find that you’ll get security logs from all kinds of different places. They’ll generally come from your security devices like your firewalls, or your VPN concentrators, or your IPS systems. These types of logs can tell us a lot about the security of our system, so it’s very useful to be able to monitor these security logs over time.

There can sometimes be a completely separate logging system for the security team, especially since the information that the security team needs is so different than other parts of the organization. You might have a file server team that has a file server log collector. They’re collecting performance information and availability for their file servers.

And you may instead create an entirely separate system just to gather security logs from those file servers. This not only is going to allow you to manage your own set of data, but it’s going to allow you to find just the security pieces that are important to you and ensure that all of that data is being collected.