Log management principle and usage

Post on 16-Apr-2017



Log Management Principle and Usage

Bikrant Gautam, MSIA Fall, SCSU

Log Sources:

What is a log? Records of events.

But why log management?
● Numerous computers
● Numerous logs
● Hard to pinpoint a single log

Log Management Operation
● Log collecting/archiving
● Log normalization
● Log intelligence/forensics and monitoring

Log Archiving
● Collect numerous logs in raw form from different sources.
● Includes system event logs, SNMP traps, flow data etc.
● Different tools deployed to collect logs: fetchers or collectors.

Log Normalization

Raw Windows 2003 log

<13>Apr 02 10:10:31 LPDC22.logpoint.net MSWinEventLog 1 Security 34796279 Thu Apr 02 10:10:31 2015 4634 Microsoft-Windows-Security-Auditing St.Cloud\CQ899$ N/A Success Audit scsu.test.net Logoff An account was logged off. Subject: Security ID: S-1-5-21-1078081533-1303643608-682003330-14083 Account Name: SCSU11$ Account Domain: Husky Logon ID: 0x8764a6ab Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 34790802

Normalized log

LogTime=2015/04/02 10:10:31
object=account
Action=logged off
EventLog=Security
User=CQ899$
Domain=St.Cloud
EventCategory=Logoff
EventId=4634
EventSource=Microsoft-Windows-Security
EventType=Success

Application Fields
✘ Threat protection and discovery
✘ Incident response and forensics
✘ Regulatory compliance and audit
✘ IT system and network troubleshooting
✘ System performance and management

Ref: Anton Chuvakin; http://www.slideshare.net/anton_chuvakin/log-management-and-compliance-whats-the-real-story-by-dr-anton-chuvakin

Plain old log investigation method
✘ Collect logs from all associated computers (there will not be few).
✘ Go through each log searching for evidence (might take years to complete).
✘ Finally give up, as the information was stored in a binary value not readable to human eyes.

A curious case of auditing with logs

Using a log management tool
✘ Point all your devices to a central log collection server.
✘ All cryptic logs are normalized to a human-readable format.
✘ Search for a particular keyword, or an event at a specific time.
✘ Complete the forensics in no time.

Use Case: Monitoring users logging into the eros server
✘ User smmsp has logged into the eros server almost 6000 times.
✘ User charles.kangas has logged into the system almost 2500 times.

Use case continued: Drilling down
✘ Further investigation of charles.kangas was done.
✘ The originating source IPs were searched on ARIN WHOIS and further information was collected.

Use case continued: User information
✘ The result of the WHOIS lookup for user Charles.
✘ Origin of the requests seems fair enough.

What if the originating IP was from North Korea?

Advanced Operation
● Lookup
● Log correlation
● Reporting

● 10 logins in the last 5 seconds
● Connect to external databases
● Present the findings in a neat report that can be sent to the bosses
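Added example, not from the original slides: a normalizer that maps the MSWinEventLog-over-syslog line shown on the normalization slide onto its key=value fields, followed by the "10 logins in the last 5 seconds" correlation rule run over a constructed batch of logon lines. It assumes the fields are space-separated exactly as printed on the slide (the Snare agent format is tab-delimited), that the trailing integer is a counter, and maps only event IDs 4634 and 4624 to actions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Layout of the slide's raw line: syslog PRI/header, log name, counter, event
# date, event id, source, DOMAIN\user, SID type, "<Type> Audit", computer,
# category, free-text message, trailing counter.
RAW_RE = re.compile(
    r"^<\d+>\w{3} \d{2} [\d:]{8} \S+ MSWinEventLog \d+ (?P<eventlog>\S+) \d+ "
    r"(?P<date>\w{3} \w{3} \d{2} [\d:]{8} \d{4}) (?P<eventid>\d+) (?P<source>\S+) "
    r"(?P<domain>[^\\ ]+)\\(?P<user>\S+) \S+ (?P<eventtype>\w+) Audit "
    r"(?P<computer>\S+) (?P<category>\S+) (?P<message>.*?) \d+$")
ACTIONS = {"4634": "logged off", "4624": "logged on"}  # Windows event IDs

def normalize(raw):
    """Map one raw line onto the key=value fields the slide shows."""
    m = RAW_RE.match(raw)
    if not m:
        return None  # unparsed lines should be kept raw, not silently dropped
    when = datetime.strptime(m["date"], "%a %b %d %H:%M:%S %Y")
    return {"LogTime": when.strftime("%Y/%m/%d %H:%M:%S"), "object": "account",
            "Action": ACTIONS.get(m["eventid"], m["message"]), "EventLog": m["eventlog"],
            "User": m["user"], "Domain": m["domain"], "EventCategory": m["category"],
            "EventId": int(m["eventid"]), "EventType": m["eventtype"],
            "EventSource": m["source"].replace("-Auditing", "")}

def burst_alerts(raw_lines, count=10, window=timedelta(seconds=5)):
    """Slide's correlation rule: N logons by one user within W seconds."""
    recent, alerts = defaultdict(deque), []
    for ev in filter(None, map(normalize, raw_lines)):
        if ev["Action"] != "logged on":
            continue
        ts = datetime.strptime(ev["LogTime"], "%Y/%m/%d %H:%M:%S")
        q = recent[ev["User"]]
        q.append(ts)
        while ts - q[0] > window:  # drop logons older than the sliding window
            q.popleft()
        if len(q) == count:  # fire once, as the threshold is crossed
            alerts.append((ev["User"], ev["LogTime"]))
    return alerts

def sample_logon(user, second):
    """Constructed 4624 line (not a real capture) at 10:10:<second>."""
    return ("<13>Apr 02 10:10:%02d LPDC22.logpoint.net MSWinEventLog 1 Security 1 "
            "Thu Apr 02 10:10:%02d 2015 4624 Microsoft-Windows-Security-Auditing "
            "St.Cloud\\%s N/A Success Audit scsu.test.net Logon "
            "An account was successfully logged on. 1" % (second, second, user))

# Constructed batch: 11 logons for one account inside five seconds, 3 spread out.
SAMPLE = ([sample_logon("CQ899$", 10 + s // 2) for s in range(11)]
          + [sample_logon("smmsp", s) for s in range(0, 60, 20)])
```

Running `burst_alerts(SAMPLE)` flags only CQ899$, at the timestamp of the tenth logon; the slide's own logoff line normalizes to the fields listed above it.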

Advantages of a Log Management Tool
✘ Cool dashboard to visualize queries
✘ Deployed on your private server, so the integrity of the data is maintained
✘ Can be configured to generate alerts and triggers according to your business requirements
✘ Supports your compliance requirements

Challenges of Log Management
✘ Lack of a common log format
✘ Not all activities generate logs
✘ Not all activities are logged
✘ Requires the user to learn a new script for every log management tool
✘ High volume of irrelevant data

The future?

Required by compliance regimes

1.3 billion: projected revenue of log management software in 2015

Conclusion
✘ A versatile tool to approach various challenges.
✘ Provides IT security with a forensics and investigative platform.
✘ A quicker and faster alternative to the plain old auditing system.

Questions?