What is Log Management?
Log management is the collective processes and policies used to administer and facilitate the generation, transmission, analysis, storage, archiving and ultimate disposal of the large volumes of log data created within an information system.
Why Log Management?
It is critical for every organization to define how and what will be logged and how these logs are maintained. Effective log management is essential for both monitoring and compliance.
Organizations primarily store logs for security purposes. Reviewing these logs, whether before or after a security breach, is important in showing whether someone is an internal employee or an outside threat. After all, network and system administrators can look like hackers if one looks solely at the actions they regularly perform.
Sources of Logs
Switches
Switches provide valuable information about network traffic, including accepted and denied connections. You can also monitor switch traffic by protocol, which gives details about TCP, UDP and ICMP traffic. A switch can aid an incident investigation by facilitating network traffic capture.
Application Servers
Organizations use a wide range of applications, from email to web applications. Your application logs should include:
- Request: one entry for each request to any service within the application. These logs contain information such as date and time, IP address, requester identity (user ID), endpoint URL and context headers, among others.
- Events: these are activities that take place in your application. There is no fixed definition of what exactly to record; which events to log is limited only by the imagination and requirements of the business.
- Audit trail: these are records of the changes made to your data. Any change to data, including creating new data, updating or deleting data and in some cases exporting data, must be recorded.
- Threats: Threat logs track suspicious activities or attempts at undermining the security of an application. Some common threat logs include unauthorized access to restricted processes or data, invalid parameters or input, failed authentication, failed security verification such as invalid API key and other warnings triggered by the application’s security mechanisms.
- Availability: Availability logs consist of faults and exceptions that can impact the availability and stability of the system. These include exceeded capacity limit or resource usage, system errors or bugs, connectivity issues, and slow response times.
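As an added illustration of the five categories above (this is example code written for this article, not a logging library or any project's own code), the small structured logger below emits one JSON line per record, tags each record with its category, refuses to emit a record that lacks the fields that category needs, and, for the audit trail, records the before/after values of every field that changed rather than only the fact that an update happened. The field names and the required-field table are assumptions chosen for the example.

```python
import json
import logging
from datetime import datetime, timezone

logging.basicConfig(level=logging.INFO, format="%(message)s")

# Minimum fields per category. The names are assumptions for this example;
# a real deployment would settle them in its logging standard.
REQUIRED_FIELDS = {
    "request": {"ip", "user_id", "endpoint"},
    "event": {"name"},
    "audit": {"user_id", "target", "action"},
    "threat": {"ip", "reason"},
    "availability": {"component", "error"},
}


class AppLogger:
    """Emit one JSON object per line, tagged with its log category."""

    def __init__(self, name="app"):
        self._log = logging.getLogger(name)

    def _emit(self, category, **fields):
        missing = REQUIRED_FIELDS[category] - set(fields)
        if missing:
            raise ValueError(f"{category} log missing fields: {sorted(missing)}")
        record = {
            "ts": datetime.now(timezone.utc).isoformat(),  # always UTC, always present
            "category": category,
            **fields,
        }
        self._log.info(json.dumps(record, sort_keys=True, default=str))
        return record

    def request(self, ip, user_id, endpoint, **extra):
        return self._emit("request", ip=ip, user_id=user_id, endpoint=endpoint, **extra)

    def event(self, name, **extra):
        return self._emit("event", name=name, **extra)

    def audit(self, user_id, target, action, before=None, after=None):
        # Audit trail: store what changed (old -> new), not just that it changed.
        before, after = before or {}, after or {}
        changed = {
            k: (before.get(k), after.get(k))
            for k in set(before) | set(after)
            if before.get(k) != after.get(k)
        }
        return self._emit("audit", user_id=user_id, target=target,
                          action=action, changed=changed)

    def threat(self, ip, reason, **extra):
        return self._emit("threat", ip=ip, reason=reason, **extra)

    def availability(self, component, error, **extra):
        return self._emit("availability", component=component, error=error, **extra)


if __name__ == "__main__":
    log = AppLogger()
    log.request(ip="203.0.113.5", user_id="u42", endpoint="/api/orders")
    log.audit(user_id="u42", target="order/17", action="update",
              before={"status": "new", "qty": 2}, after={"status": "paid", "qty": 2})
    log.threat(ip="203.0.113.5", reason="invalid API key")
```

Because every record carries the same `ts` and `category` keys, the lines can be shipped as-is to a log collector and filtered by category without further parsing.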
Routers
Router logs contain information on the traffic that has passed through your network, so when something goes wrong, they and other network device logs play a crucial role in a forensic investigation. Event Log Analyzer lets you backtrack security incidents with its powerful log search engine to find out exactly what happened.
Firewalls
A firewall monitors traffic into and out of the organization in which it is deployed. Some firewalls also offer visibility into the source and type of traffic coming into the organization. A firewall is configured using rules, and its rule set must be augmented with a working logging feature. The success of any firewall therefore typically relies on the rules used to configure it. Firewall logs help to verify that new firewall rules work as intended, to debug them if they do not, and to discover whether any malicious activity is occurring within your network, among other uses.
Domain Controllers/ Authentication Servers
Serving the entire network domain, authentication servers are the primary location that incident responders can leverage for details on successful or unsuccessful logins, credential manipulation or other credential use.
Network Intrusion Detection/Prevention Systems (NIDS/NIPS)
These systems were purposely designed to provide security personnel and incident responders with information about potentially malicious activity on the network infrastructure. They use a combination of network monitoring and rulesets to determine whether malicious activity is occurring. Intrusion Detection Systems (IDSes) are often configured to alert on specific malicious activity, while Intrusion Prevention Systems (IPSes) can detect and also block potentially malicious activity. In either case, the logs of both types of platform are an excellent place for incident responders to locate specific evidence of malicious activity.
DHCP Servers
DHCP servers often contain logs of the assignment of IP addresses mapped to the MAC address of the host's NIC. This becomes important if an incident responder has to track down a specific workstation or laptop that was connected to the network at a specific date and time.
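The lookup an incident responder actually performs here, "which host held this IP address at this time?", is shown below as an added example (written for this article, not taken from any DHCP server's tooling). It parses lines written in the style of ISC dhcpd's syslog output, turns DHCPACK/DHCPRELEASE pairs into lease intervals, and answers the question for a given timestamp. The log lines, hosts, addresses and MACs are constructed for the example, and because syslog omits the year, the year is an assumption passed in by the caller.

```python
import re
from datetime import datetime

# Constructed sample lines in the style of ISC dhcpd syslog output; every host,
# address and MAC here is made up for this example.
SAMPLE_DHCP_LOG = """\
Mar  3 08:01:10 dhcp1 dhcpd[812]: DHCPACK on 10.0.1.25 to aa:bb:cc:dd:ee:01 (LAPTOP-01) via eth0
Mar  3 09:30:00 dhcp1 dhcpd[812]: DHCPACK on 10.0.1.25 to aa:bb:cc:dd:ee:01 (LAPTOP-01) via eth0
Mar  3 11:45:02 dhcp1 dhcpd[812]: DHCPRELEASE of 10.0.1.25 from aa:bb:cc:dd:ee:01 (LAPTOP-01) via eth0 (found)
Mar  3 11:46:30 dhcp1 dhcpd[812]: DHCPACK on 10.0.1.25 to aa:bb:cc:dd:ee:02 (LAPTOP-02) via eth0
Mar  3 12:00:00 dhcp1 dhcpd[812]: DHCPACK on 10.0.1.26 to aa:bb:cc:dd:ee:03 (PRINTER-1) via eth0
"""

SYSLOG_TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
ACK_RE = re.compile(SYSLOG_TS + r" \S+ dhcpd\[\d+\]: DHCPACK on (?P<ip>\S+) to (?P<mac>\S+)"
                    r"(?: \((?P<host>[^)]*)\))?")
REL_RE = re.compile(SYSLOG_TS + r" \S+ dhcpd\[\d+\]: DHCPRELEASE of (?P<ip>\S+) from (?P<mac>\S+)")


def parse_syslog_ts(ts, year):
    """Syslog timestamps carry no year; the caller supplies it (an assumption)."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def build_leases(log_text, year=2024):
    """Return lease intervals as dicts: ip, mac, host, start, end (None while open)."""
    leases, open_by_ip = [], {}
    for line in log_text.splitlines():
        m = ACK_RE.match(line)
        if m:
            ts = parse_syslog_ts(m["ts"], year)
            cur = open_by_ip.get(m["ip"])
            if cur and cur["mac"] == m["mac"]:
                continue            # renewal by the same client: lease continues
            if cur:
                cur["end"] = ts     # address re-assigned without a logged release
            lease = {"ip": m["ip"], "mac": m["mac"], "host": m["host"], "start": ts, "end": None}
            leases.append(lease)
            open_by_ip[m["ip"]] = lease
            continue
        m = REL_RE.match(line)
        if m:
            cur = open_by_ip.pop(m["ip"], None)
            if cur:
                cur["end"] = parse_syslog_ts(m["ts"], year)
    return leases


def who_had(leases, ip, at):
    """Return (mac, host) holding `ip` at time `at` ('YYYY-MM-DD HH:MM:SS'), or None."""
    when = datetime.strptime(at, "%Y-%m-%d %H:%M:%S")
    for lease in leases:
        if lease["ip"] == ip and lease["start"] <= when and (lease["end"] is None or when < lease["end"]):
            return lease["mac"], lease["host"]
    return None


if __name__ == "__main__":
    leases = build_leases(SAMPLE_DHCP_LOG)
    print(who_had(leases, "10.0.1.25", "2024-03-03 10:00:00"))  # LAPTOP-01
    print(who_had(leases, "10.0.1.25", "2024-03-03 13:00:00"))  # LAPTOP-02
```

The example keeps the gap between a release and the next assignment as "nobody", which is the honest answer; the interval boundaries matter, since the same address is handed to a different machine an hour later.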
Web Proxy Servers
Proxy server logs contain the requests made by users and applications on your network. This includes not only the most obvious part, web site requests by users, but also application or service requests made to the internet.
A review of web proxy logs in conjunction with a possible compromised host may identify a source of malicious traffic or a C2 server exerting control over the host.
Event Types to Consider when Setting Up a Log Management System
Here are some event types you will want to consider when setting up your log management system:
- Password changes
- Unauthorized logins
- Login failures
- New login events
- Malware detection
- Malware attacks seen by IDS or other evidence
- Scans of your firewall's open and closed ports
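To make the list concrete, here is an added example (written for this article, not part of any product) that classifies authentication log lines into several of the event types above: password changes, unauthorized logins (attempts against accounts that do not exist), login failures, successful logins, and "new login events", which it defines as the first time a given user is seen logging in from a given source address. The sample lines are constructed in the style of a Linux auth.log; the users, hosts and addresses are made up.

```python
import re
from collections import Counter

# Constructed sample lines in the style of Linux auth.log (sshd and passwd);
# all users, hosts and addresses are made up for this example.
SAMPLE_AUTH_LOG = """\
Mar  3 09:00:01 web1 sshd[2210]: Failed password for alice from 198.51.100.7 port 51022 ssh2
Mar  3 09:00:04 web1 sshd[2210]: Failed password for alice from 198.51.100.7 port 51022 ssh2
Mar  3 09:00:09 web1 sshd[2215]: Accepted password for alice from 198.51.100.7 port 51030 ssh2
Mar  3 09:02:33 web1 sshd[2230]: Invalid user admin from 203.0.113.9 port 40100
Mar  3 09:02:33 web1 sshd[2230]: Failed password for invalid user admin from 203.0.113.9 port 40100 ssh2
Mar  3 09:10:15 web1 passwd[2300]: pam_unix(passwd:chpasswd): password changed for bob
Mar  3 09:12:00 web1 sshd[2310]: Accepted publickey for bob from 10.0.5.12 port 50000 ssh2
Mar  3 09:15:00 web1 cron[2400]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Ordered: the first matching pattern wins, so the more specific ones come first.
PATTERNS = [
    ("password_change", re.compile(r"password changed for (?P<user>\S+)")),
    ("unauthorized_login", re.compile(r"Invalid user (?P<user>\S+) from (?P<ip>\S+)")),
    ("login_failure", re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")),
    ("login_success", re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")),
]


def classify(line):
    """Return (event_type, fields) for a recognised line, or None for anything else."""
    for kind, rx in PATTERNS:
        m = rx.search(line)
        if m:
            return kind, m.groupdict()
    return None


def summarize(log_text, known_pairs=()):
    """Count event types; flag first-seen (user, source ip) logins as new_login.

    `known_pairs` is the baseline of (user, ip) pairs already seen before this
    batch of logs, e.g. loaded from earlier days.
    """
    seen = set(known_pairs)
    counts = Counter()
    new_logins = []
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is None:
            continue                      # not a security-relevant line
        kind, fields = hit
        counts[kind] += 1
        if kind == "login_success":
            pair = (fields["user"], fields["ip"])
            if pair not in seen:
                seen.add(pair)
                new_logins.append(pair)
                counts["new_login"] += 1
    return counts, new_logins


if __name__ == "__main__":
    counts, new = summarize(SAMPLE_AUTH_LOG, known_pairs=[("alice", "198.51.100.7")])
    for kind, n in sorted(counts.items()):
        print(f"{kind:20s} {n}")
    print("new logins:", new)
```

The baseline of known pairs is what turns a plain "successful login" into a "new login event"; without such a baseline, every successful login on day one looks new.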
Security Information and Event Management (SIEM)
A SIEM is a software solution that collects data (logs) from all the sources you can plug into it (security devices, network devices, and endpoints such as workstations and servers), correlates them, and delivers the resulting events to a dashboard for analysts to attend to.
The number of alerts on the SIEM depends on how fast the logs arrive at the SIEM and how fast the SIEM is able to correlate them into events or incidents.
Without the right set of analysts, a good SIEM product with built-in threat intelligence capability, and properly defined use cases, it becomes very difficult to get value out of your SIEM.
At the most basic level, a SIEM system can be rules-based or employ a statistical correlation engine to establish relationships between event log entries. Advanced SIEMs have evolved to include user and entity behavior analytics (UEBA) and security orchestration and automated response (SOAR).
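The "rules-based" correlation mentioned above is easy to see in miniature. The added example below (written for this article, not the engine of any SIEM product) takes already-normalized events, as a SIEM holds them after parsing, and applies two use-case rules across them: several login failures from one source against one account followed by a successful login within a time window, and many distinct destination ports denied by the firewall from one source within a short window. The events, addresses, users and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed normalized events in SIEM-like form; addresses, users and
# timestamps are made up for this example.
EVENTS = [
    {"ts": "2024-03-03 09:00:01", "type": "login_failure", "src": "198.51.100.7", "user": "alice"},
    {"ts": "2024-03-03 09:00:04", "type": "login_failure", "src": "198.51.100.7", "user": "alice"},
    {"ts": "2024-03-03 09:00:06", "type": "login_failure", "src": "198.51.100.7", "user": "alice"},
    {"ts": "2024-03-03 09:00:09", "type": "login_success", "src": "198.51.100.7", "user": "alice"},
    {"ts": "2024-03-03 09:05:00", "type": "fw_deny", "src": "203.0.113.9", "dport": 21},
    {"ts": "2024-03-03 09:05:01", "type": "fw_deny", "src": "203.0.113.9", "dport": 22},
    {"ts": "2024-03-03 09:05:02", "type": "fw_deny", "src": "203.0.113.9", "dport": 23},
    {"ts": "2024-03-03 09:05:03", "type": "fw_deny", "src": "203.0.113.9", "dport": 25},
    {"ts": "2024-03-03 09:05:04", "type": "fw_deny", "src": "203.0.113.9", "dport": 80},
    {"ts": "2024-03-03 09:20:00", "type": "login_failure", "src": "10.0.5.12", "user": "carol"},
    {"ts": "2024-03-03 09:20:05", "type": "login_success", "src": "10.0.5.12", "user": "carol"},
    {"ts": "2024-03-03 09:30:00", "type": "fw_deny", "src": "10.0.5.12", "dport": 445},
]


def _ts(event):
    return datetime.strptime(event["ts"], "%Y-%m-%d %H:%M:%S")


def correlate(events, fail_threshold=3, fail_window_s=300, scan_ports=5, scan_window_s=60):
    """Apply two rules over time-ordered events and return the alerts they raise."""
    fail_window = timedelta(seconds=fail_window_s)
    scan_window = timedelta(seconds=scan_window_s)
    alerts = []
    failures = defaultdict(list)   # (src, user) -> timestamps of recent failures
    denies = defaultdict(list)     # src -> (timestamp, dport) of recent denied connections
    scan_alerted = set()           # raise the port-scan alert once per source

    for e in sorted(events, key=lambda e: e["ts"]):
        ts = _ts(e)
        if e["type"] == "login_failure":
            key = (e["src"], e["user"])
            failures[key] = [t for t in failures[key] if ts - t <= fail_window] + [ts]
        elif e["type"] == "login_success":
            key = (e["src"], e["user"])
            recent = [t for t in failures[key] if ts - t <= fail_window]
            if len(recent) >= fail_threshold:
                alerts.append({"rule": "brute_force_then_success", "ts": e["ts"],
                               "src": e["src"], "user": e["user"], "failures": len(recent)})
            failures[key] = []     # a success closes the window either way
        elif e["type"] == "fw_deny":
            src = e["src"]
            denies[src] = [(t, p) for t, p in denies[src] if ts - t <= scan_window] + [(ts, e["dport"])]
            ports = {p for _, p in denies[src]}
            if len(ports) >= scan_ports and src not in scan_alerted:
                scan_alerted.add(src)
                alerts.append({"rule": "port_scan", "ts": e["ts"], "src": src, "ports": len(ports)})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Carol's single failure followed by a success, and the lone denied connection from 10.0.5.12, raise nothing: the thresholds and windows are what separate an incident from the noise a SIEM sees all day, and tuning them is the "proper definition of use cases" the text refers to.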