Log management principle and usage

Bikrant Gautam, MSIA Fall, SCSU



Log Sources:

What is a log? A record of events.

But why log management?

● Numerous computers

● Numerous logs

● Hard to pinpoint a single log

Log Management Operations

Log Collecting/Archiving

Log Normalization

Log Intelligence/Forensics and Monitoring

Log Archiving

● Collect numerous logs in raw form from different sources.

● Includes system event logs, SNMP traps, flow data etc.

● Different tools are deployed to collect logs: fetchers or collectors.

Log Normalization

Raw Windows 2003 log

<13>Apr 02 10:10:31 LPDC22.logpoint.net MSWinEventLog 1 Security 34796279 Thu Apr 02 10:10:31 2015 4634 Microsoft-Windows-Security-Auditing St.Cloud\CQ899$ N/A Success Audit scsu.test.net Logoff An account was logged off. Subject: Security ID: S-1-5-21-1078081533-1303643608-682003330-14083 Account Name: SCSU11$ Account Domain: Husky Logon ID: 0x8764a6ab Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 34790802

Normalized logs

LogTime=2015/04/02 10:10:31

object=account

Action=logged off

EventLog=Security

User=CQ899$

Domain=St.Cloud

EventCategory=Logoff

EventId=4634

EventSource=Microsoft-Windows-Security

EventType=Success
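To make the normalization step concrete, here is an added Python example (not the slide author's tool) that parses the raw Windows record above into the flat key=value fields shown. The Snare-style header layout it assumes, the full EventSource name it keeps, and the extra Logon ID/Logon Type keys it pulls out for correlation are my assumptions rather than the tool's behaviour.

```python
import re
from datetime import datetime

# The raw Windows 2003 record from the slide (Snare-style MSWinEventLog line).
RAW = ('<13>Apr 02 10:10:31 LPDC22.logpoint.net MSWinEventLog 1 Security 34796279 '
       'Thu Apr 02 10:10:31 2015 4634 Microsoft-Windows-Security-Auditing St.Cloud\\CQ899$ '
       'N/A Success Audit scsu.test.net Logoff An account was logged off. Subject: '
       'Security ID: S-1-5-21-1078081533-1303643608-682003330-14083 Account Name: SCSU11$ '
       'Account Domain: Husky Logon ID: 0x8764a6ab Logon Type: 3 This event is generated '
       'when a logon session is destroyed. It may be positively correlated with a logon '
       'event using the Logon ID value. Logon IDs are only unique between reboots on the '
       'same computer. 34790802')

# Assumed header layout (my assumption): <PRI>syslog-ts host MSWinEventLog crit
# eventlog counter submit-ts event-id source user sidtype type computer category desc [counter]
HEADER = re.compile(
    r'^<\d+>\w{3} \d\d \d\d:\d\d:\d\d (?P<host>\S+) MSWinEventLog \d+ '
    r'(?P<eventlog>\S+) \d+ (?P<submit>\w{3} \w{3} \d\d \d\d:\d\d:\d\d \d{4}) '
    r'(?P<event_id>\d+) (?P<source>\S+) (?P<user>\S+) \S+ '
    r'(?P<event_type>Success Audit|Failure Audit|Information|Warning|Error) '
    r'(?P<computer>\S+) (?P<category>\S+) (?P<desc>.*?)(?: \d+)?$')
SUMMARY = re.compile(r'^An? (?P<object>\w+) was (?P<action>[^.]+)\.')

def normalize(raw):
    """Flatten one raw record into the key=value fields shown on the slide."""
    m = HEADER.match(raw)
    if not m:
        raise ValueError('not a MSWinEventLog record')
    domain, _, user = m['user'].rpartition('\\')   # "St.Cloud\CQ899$" -> domain, user
    when = datetime.strptime(m['submit'], '%a %b %d %H:%M:%S %Y')
    fields = {
        'LogTime': when.strftime('%Y/%m/%d %H:%M:%S'),
        'EventLog': m['eventlog'], 'EventId': int(m['event_id']),
        'EventSource': m['source'], 'EventType': m['event_type'].split()[0],
        'EventCategory': m['category'], 'User': user, 'Domain': domain,
    }
    s = SUMMARY.match(m['desc'])
    if s:   # "An account was logged off." -> object=account, Action=logged off
        fields['object'], fields['Action'] = s['object'], s['action']
    # Keep the keys that let event 4634 be correlated with its earlier logon event.
    for key, pat in (('LogonId', r'Logon ID: (0x[0-9a-fA-F]+)'),
                     ('LogonType', r'Logon Type: (\d+)')):
        d = re.search(pat, m['desc'])
        if d:
            fields[key] = d.group(1)
    return fields

if __name__ == '__main__':
    for k, v in normalize(RAW).items():
        print(f'{k}={v}')
```

Note that the header user (CQ899$) and the Subject account name inside the description (SCSU11$) differ in this record; the normalized User field follows the header, as the slide does.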

Application Fields

✘ Threat protection and discovery

✘ Incident response and forensics

✘ Regulatory compliance and audit

✘ IT system and network troubleshooting

✘ System performance and management

Ref: Anton Chuvakin ; http://www.slideshare.net/anton_chuvakin/log-management-and-compliance-whats-the-real-story-by-dr-anton-chuvakin

Plain old log investigation method

✘ Collect logs from all associated computers (there will not be few).

✘ Go through each log searching for evidence (might take years to complete).

✘ Finally give up, as the information was stored in a binary value not readable to human eyes.

A curious case of auditing with logs

Using a log management tool

✘ Point all your devices to a central log collection server.

✘ All cryptic logs are normalized to a human-readable format.

✘ Search for a particular keyword, or an event at a specific time.

✘ Complete the forensics in no time.

Use Case: Monitoring users logging into the eros server

✘ User smmsp has logged into the eros server almost 6000 times.

✘ User charles.kangas has logged into the system almost 2500 times.

Use case: Continued, Drilling down

✘ Further investigation of charles.kangas was done.

✘ The originating source IPs were searched on ARIN WHOIS and further information was collected.

Use case: Continued, User Information

✘ The result of the WHOIS lookup for user Charles.

✘ The origin of the request seems fair enough.

What if the originating IP was from North Korea?

Advanced Operations

Lookup, Log Correlation, Reporting

● 10 logins in the last 5 seconds

● Connect to external databases

● Present the findings in a neat report that can be sent to the bosses

Advantages of a Log Management Tool

✘ Cool dashboard to visualize queries

✘ Deployed on your private server, so the integrity of the data is maintained

✘ Can be configured to generate alerts and triggers according to your business requirements

✘ Supports your compliance requirements

Challenges of Log Management

✘ Lack of a common log format

✘ Not all activities generate logs

✘ Not all activities are logged

✘ Requires the user to learn a new query script for every log management tool

✘ High volume of irrelevant data

The future?

Required by compliance regulations

1.3 billion: projected revenue of log management software in 2015

Conclusion

✘ A versatile tool for approaching various challenges.

✘ Provides IT security with a forensics and investigative platform.

✘ A quicker and faster alternative to the plain old auditing system.

Questions?