- Reading Logs From A File In Syslog-NG
- I had previously written a little snippet on how to pull logs in from a file; however, there is substantially more to consider when configuring syslog-ng to read from a file, so I have dedicated this post to reading logs from a text file. The basic structure for reading logs from a text [...]
Post from: Logged - Log Management Blog
- Pot Of Syslog-NG Tricks Version 3
- Retaining the original hostname of the origin of syslog messages through a Syslog-NG relay
In some environments, syslog messages are concentrated and relayed through an intermediate syslog server. One of the big deficiencies of the stock syslogd that comes with many Linux/UNIX operating systems is that it doesn’t provide the ability to keep the hostname or [...]
- Spam Attack Update
- In a previous post, I described a spam attack the syslog forum was under. The attack intensified pretty dramatically after that post. This time, though, it was a focused attack by a botnet registering dozens of accounts per hour. I had read that the CAPTCHA system in SMF, even at the highest setting, [...]
- Forum Spammers Abound
- I have managed the syslog.org site for over a decade now and I have seen a lot of spammers. Fighting the spam battle used to be pretty straightforward on this low-volume forum. When a forum only gets a few posts a week, it’s pretty easy to pick out the spam. For a while, [...]
- Determining What To Monitor
- Earlier in my career, I was the IT director for a medium-sized enterprise and had responsibility for information security, in addition to networking, server ops, help desk, etc. I was fortunate to be able to start with a mostly clean slate and had the help of many talented and energetic thinkers. The company was [...]
- Windows Syslog
- Windows does not natively support sending logs out as syslog messages. There are a number of applications that will translate Windows Event Logs to syslog. A partial list is:
EventReporter
Snare
NTSyslog
Why Send Event Logs To A Syslog Server?
There are a few good reasons to export Windows Event Logs as syslog messages. Syslog is a basic format [...]
- Log Analysis and Log Correlation Basics
- Log data can provide benefits beyond the obvious notification of system events and security happenings. Aggregated logs from a system or from multiple systems can provide a more complete picture of problems when those logs are correlated together. To any experienced administrator, this is obvious. Consider the following environment:
In this scenario, the administrator is primarily [...]
- Using Trends In Logs To Define New Security Requirements For Internet Facing Hosts
- I have a few servers at a colocation datacenter for running a number of sites, including this one. I have written before about detecting brute force attacks in logs. I have been watching the attacks continue in my logs, and have noticed a few things:
1. The attacks, as before, are coming from many different sources, [...]
- Pot Of Syslog-NG Tricks Version 2
- Correcting bad or duplicate time and date stamps
Are you trying to accept logs from applications or devices into syslog-ng, but ending up with two date and time fields in the log that syslog-ng writes out? This happens because syslog-ng is not able to understand the format in which the date and time stamp arrive. Here’s an [...]
- Designing A Log and Event Monitoring Program
- Ultimately, as with all IT security programs, log monitoring programs are designed to address risks to data confidentiality, integrity and availability. Risks come in many types:
Hardware failure
System compromise
User error
Rogue administrator
An organization’s program around log & event monitoring needs to be based on the specific risks that exist in that organization. Consider these two scenarios:
Scenario [...]
- Running Syslog-NG on Windows
- There are many great commercial syslog servers for Windows. There are not many options for those looking for a free alternative. One option is Aonaware. Another option is to install syslog-ng through Cygwin. Cygwin is a Linux-like environment run inside a Windows command shell. Cygwin runs on all current desktop and server versions of Windows. [...]
- Pot Of Syslog-NG Tricks Version 1
- Fixing Duplicate Date and/or Hostname Problems
Some devices send syslog messages with improperly formatted headers, which can cause syslog-ng to append a new set of header information, meaning that the host name and/or date appear twice in the logs. A simple way to solve this is using a template:
source s_net { udp(); };
destination d_file { file("/var/log/file.log" template("$MSG\n")); [...]
- Defining Log Management and Log Monitoring Objectives
- System logs are good for more purposes than many people realize. In this post, I’ll describe the four broad categories of log usage.
Forensic Record Keeping
Many organizations choose to archive log data for a period of time for future reference. Generally, the usefulness of keeping archived logs comes from the situation where a system problem is [...]
- Configuring SUDO for Effective Activity Monitoring Via Syslog
- I have discussed in previous posts the importance of administrators using SUDO to provide individual accountability. SUDO provides command-by-command accounting of actions performed by administrators, with logs sent as standard syslog events looking like this:
Feb 4 19:23:23 bsd sudo: jerry : TTY=pts/0 ; PWD=/usr/home/jerry ; USER=root ; COMMAND=/bin/ps -x
Feb 4 19:23:34 bsd sudo: jerry : [...]
- Building A Program To Manage And Monitor Administrators
- Monitoring the activities of privileged users or server administrators is becoming a common requirement in many organizations for a few reasons:
Compliance with legal or regulatory requirements, such as PCI, HIPAA, etc.
Performing outsourcing services to clients who require controls to prevent the service provider’s employees from causing harm to the client.
A recent experience where a trusted [...]
- Segregating Logs From Different Log Files On A Centralized Log Server Using Syslog-NG
- In this post, I will demonstrate a way to capture logs from a series of log files, and relay those logs to a central log server, where the logs will be separated into log files, as they existed on the original host.
Reading from files
Syslog-ng has the ability to pull log data from files, then treat [...]
- Using Syslog Logs For Validation of Security Policy Compliance
- In a previous post, I wrote about the general use of syslog logs as a method of ensuring compliance with policy. This is a specific example of how one might use syslog to do that.
As IT operations mature, particularly in regulated environments, it is not uncommon for an organization’s security policy to require controls on [...]
- How To Avoid Source Spoofing In Centralized Syslog Environments
- An obvious weakness of the syslog network protocol is the ease of spoofing messages into a central syslog server. The default use of UDP as a transport and lack of any sort of authentication, in fact, make it trivial to spoof any part of a syslog message.
The most concerning issue with spoofing is faking the [...]
- Configuring The Snare Windows Client And Syslog-NG To Work Together
- In a previous post, we looked at installing Snare to log Windows events to a syslog server. Here, we will configure syslog-ng to accept messages from Snare and implement a few simple customizations, including storing the logs in individual files. We will assume that Snare is operational for the purposes of this guide. Please see [...]
- Establishing a Hardened Syslog Log Server
- Maintaining a reliable and secure repository of logs is important for many reasons: establishing a forensic trail of evidence in the case of fraud or attack, and enabling event correlation across many devices, among others. Particularly in regulated industries, management should enact controls that prevent security, application and system logs from being tampered with.
Many organizations [...]
- On The Importance of Centralized Windows Event Logging
- I was just catching up on my reading on Technorati and came across this article that details the ways attackers can cover their tracks upon compromising a Windows server. This article should serve as a warning: if your logs are not moved off to a central server, you will lose visibility and key evidence on [...]
- Logging Windows Events To Syslog Using Snare
- There are now a bunch of commercial and open source agents that can run on a Windows system to take in Windows Event Logs and send them off to a syslog server. We'll be looking at the Snare agent in this post. As of this writing, Snare is compatible with Windows ...
- What To Look For In A Compliance Report From Logs
- Reports from system logs for compliance generally have the same basic requirements regardless of the standard being measured, whether PCI, SOX or FFIEC. There are some foundational requirements for compliance reporting of logs to be considered effective: the date and time are synchronized throughout the environment. This is vital to be able ...
- Why Using A Log Management Service Might Be Right For You
- There are a growing number of Managed Security Service Providers (MSSPs), such as IBM, Symantec and Verisign, and other companies, such as Savvis, offering an outsourced service to collect and retain system logs, generally called a log management service (LMS). The initial instinct for many would be to reject ...
- Interesting ssh Brute Force Attack From Botnet
- I have been the subject of a pretty persistent brute force attack, where the attacker is attempting to ssh in with thousands of different host names and presumably weak passwords. Anyone who has run a server for a while has been the subject of such attacks. Typically, you can see ...
- Native MySQL support in syslog-ng
- So, apparently I've been living under a rock. One of the biggest criticisms I've had about syslog-ng for a long time is the terribly convoluted process to get logs into MySQL. I was looking through the syslog-ng mailing list and saw someone asking for help with getting the script to ...
- A Simple Way To Detect Web Server Compromise
- When an attacker finds a vulnerability that can be exploited on your site, he normally does a few things: upload some remote control software; look for interesting files, or additional sites on the server, etc.; upload a defacement page, rootkit, iframe browser exploits, or any number of things. You can use your web logs ...
- Creative Use of System Logs to Ensure Policy Compliance
- Organizations that need to minimize the risks associated with managing technology infrastructure implement robust policies on access management, change management and the like. Having robust and well-understood policies is important and expected of most organizations. However, organizations such as the FFIEC expect that financial institutions apply detective controls to affirmatively ...
