CSI NetSec 2007 Six MIstakes of Log Management by Anton Chuvakin

Download as PPT, PDF

•4 likes•2,129 views

The document discusses six common mistakes in log management: 1) Not logging at all, 2) Not looking at the logs, 3) Storing logs for too short a time, 4) Prioritizing log records before collection, 5) Ignoring logs from applications, and 6) Only looking at what is known to be bad. It provides an overview of why logs are important, what types of events are typically logged, and regulations around logging. Basic approaches to log analysis are also outlined.

Business Technology

Six Mistakes of Log Management Dr Anton Chuvakin, GCIA, GCIH, GCFA Six Mistakes of Log Management

Summary The World of System, Network and Security Logs Why Look at Logs? Brief Log Analysis Overview From Log Analysis to Log Management Log Management Mistakes: from 0 to 5 Conclusions

Log Data Overview Audit records Transaction logs Intrusion alerts Connection logs System performance records User activity logs Various alerts and other messages Firewalls/NIPS Routers/switches Intrusion detection Servers, desktops, mainframes Business applications Databases Anti-virus VPNs What logs? From Where?

What Commonly “Gets Logged”? System or software startup, shutdown, restart, and abnormal termination (crash) Various thresholds being exceeded or reaching dangerous levels such as disk space full, memory exhausted, or processor load too high Hardware health messages that the system can troubleshoot or at least detect and log Access to resources and authentication decisions Network connections , failed and successful User access privilege changes such as the su command—both failed and successful User credentials and access right changes , such as account updates, creation, and deletion—both failed and successful System configuration changes and software updates—both failed and successful

Regulations Mandate Logging and Log Review ISO 17799 Maintain audit logs for system access and use, changes, faults, corrections, capacity demands Review the results of monitoring activities regularly Ensure the accuracy of the logs NIST 800-53 Capture audit records Regularly review audit records for unusual activity and violations Automatically process audit records Protect audit information from unauthorized deletion Retain audit logs PCI Requirement 10, etc Logging and user activities tracking are critical Automate and secure audit trails for event reconstruction Review logs daily Retain audit trail history for at least one year COBIT Provide adequate audit trail for root-cause analysis Use logging and monitoring to detect unusual or abnormal activities Regularly review access, privileges, changes Monitor performance Verify backup completion and NIST 800-92 “Guide to Security Log Management!”

NIST 800-92 “Guide to Computer Security Log Management” The first ever official guidance on solving logging challenges Logging configurations Logging policies and procedures Log analysis tools and resources

Log Analysis Basics Manual ‘ Tail’, ‘more’, ‘grep’, ‘notepad’, etc Filtering Positive and negative (“Artificial ignorance”) Summarization and reports “ Top X of Y” Simple visualization “… worth a thousand words?” Correlation Rule-based and other Log data mining

Looks Complicated?! No Wonder People Make Mistakes …

Six Mistakes of Log Management 0. Not logging at all. 1. Not looking at the logs 2. Storing logs for too short a time 3. Prioritizing the log records before collection 4. Ignoring the logs from applications 5. Only looking at what you know is bad

Conclusions Now you know: What are the logs? Where they come from? Why look at them? How people do it? What are some of the relevant regulations? How to deal with them? And how to AVOID MISTAKES in log management !

Thanks for Attending!!! Dr Anton Chuvakin, GCIA, GCIH, GCFA Chief Logging Evangelist http://www.chuvakin.org Author of “Security Warrior” (O’Reilly, 2004) – http://www.securitywarrior.org See http://www.info-secure.org for my papers, books, reviews and other security resources related to logs. Book on logs is coming soon!

More Related Content

Similar to CSI NetSec 2007 Six MIstakes of Log Management by Anton Chuvakin (20)

PPT

Six Mistakes of Log Management 2008Anton Chuvakin

PPT

Six Mistakes of Log Management Teaser PresoAnton Chuvakin

PPT

O'Reilly Webinar Five Mistakes Log AnalysisAnton Chuvakin

PPTX

Log managementepoxxy

PPT

NIST 800-92 Log Management Guide in the Real WorldAnton Chuvakin

PPTX

Log management and compliance: What's the real story? by Dr. Anton ChuvakinAnton Chuvakin

PPT

What Every Organization Should Log And MonitorAnton Chuvakin

PPT

FIRST 2006 Full-day Tutorial on Logs for Incident ResponseAnton Chuvakin

PDF

UNIT -III SIEM aur baato kaise hai aap log.pdfhefagi6193

PPTX

Log maintenance network securiyMohsin Ali

DOC

Audit logs for Security and ComplianceAnton Chuvakin

PPT

Logs for Information Assurance and Forensics @ USMAAnton Chuvakin

PPT

1556 a 09Lê Liêu

PPTX

How to Gain Visibility and Control: Compliance Mandates, Security Threats and...Anton Chuvakin

PPTX

Navigating the Data Stream without Boiling the Ocean:: Case Studies in Effec...Anton Chuvakin

PDF

Leveraging Log Management to provide business valueEnterprise Technology Management (ETM)

PPT

Application Logging Good Bad Ugly ... Beautiful?Anton Chuvakin

PPT

Log Forensics from CEIC 2007Anton Chuvakin

PPTX

Log management & SIEMBarakatAbweh

PPT

Making Logs Sexy Again: Can We Finally Lose The Regexes?Anton Chuvakin

Six Mistakes of Log Management 2008Anton Chuvakin

Six Mistakes of Log Management Teaser PresoAnton Chuvakin

O'Reilly Webinar Five Mistakes Log AnalysisAnton Chuvakin

Log managementepoxxy

NIST 800-92 Log Management Guide in the Real WorldAnton Chuvakin

Log management and compliance: What's the real story? by Dr. Anton ChuvakinAnton Chuvakin

What Every Organization Should Log And MonitorAnton Chuvakin

FIRST 2006 Full-day Tutorial on Logs for Incident ResponseAnton Chuvakin

UNIT -III SIEM aur baato kaise hai aap log.pdfhefagi6193

Log maintenance network securiyMohsin Ali

Audit logs for Security and ComplianceAnton Chuvakin

Logs for Information Assurance and Forensics @ USMAAnton Chuvakin

1556 a 09Lê Liêu

How to Gain Visibility and Control: Compliance Mandates, Security Threats and...Anton Chuvakin

Navigating the Data Stream without Boiling the Ocean:: Case Studies in Effec...Anton Chuvakin

Leveraging Log Management to provide business valueEnterprise Technology Management (ETM)

Application Logging Good Bad Ugly ... Beautiful?Anton Chuvakin

Log Forensics from CEIC 2007Anton Chuvakin

Log management & SIEMBarakatAbweh

Making Logs Sexy Again: Can We Finally Lose The Regexes?Anton Chuvakin

More from Anton Chuvakin (20)

PPTX

Detection Engineering Maturity - Helping SIEMs Find Their Adulting SkillsAnton Chuvakin

PPTX

Future of SOC: More Security, Less OperationsAnton Chuvakin

PPTX

SOC Meets Cloud: What Breaks, What Changes, What to Do?Anton Chuvakin

PPTX

Meet the Ghost of SecOps Future by Anton ChuvakinAnton Chuvakin

PPTX

SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...Anton Chuvakin

PPTX

SOC Lessons from DevOps and SRE by Anton ChuvakinAnton Chuvakin

PPTX

Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 BoothAnton Chuvakin

PPTX

20 Years of SIEM - SANS Webinar 2022Anton Chuvakin

PPTX

10X SOC - SANS Blue Summit Keynote 2021 - Anton ChuvakinAnton Chuvakin

PPTX

SOCstock 2020 Groovy SOC Tunes aka Modern SOC TrendsAnton Chuvakin

PPTX

SOCstock 2021 The Cloud-native SOC Anton Chuvakin

PPTX

Modern SOC Trends 2020Anton Chuvakin

PPTX

Anton's 2020 SIEM Best and Worst Practices - in BriefAnton Chuvakin

PPTX

Generic siem how_2017Anton Chuvakin

PPTX

Tips on SIEM Ops 2015Anton Chuvakin

PPTX

Five SIEM Futures (2012)Anton Chuvakin

PPTX

RSA 2016 Security Analytics PresentationAnton Chuvakin

PPTX

Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinAnton Chuvakin

PPTX

Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinAnton Chuvakin

PPTX

Practical Strategies to Compliance and Security with SIEM by Dr. Anton ChuvakinAnton Chuvakin

Detection Engineering Maturity - Helping SIEMs Find Their Adulting SkillsAnton Chuvakin

Future of SOC: More Security, Less OperationsAnton Chuvakin

SOC Meets Cloud: What Breaks, What Changes, What to Do?Anton Chuvakin

Meet the Ghost of SecOps Future by Anton ChuvakinAnton Chuvakin

SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...Anton Chuvakin

SOC Lessons from DevOps and SRE by Anton ChuvakinAnton Chuvakin

Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 BoothAnton Chuvakin

20 Years of SIEM - SANS Webinar 2022Anton Chuvakin

10X SOC - SANS Blue Summit Keynote 2021 - Anton ChuvakinAnton Chuvakin

SOCstock 2020 Groovy SOC Tunes aka Modern SOC TrendsAnton Chuvakin

SOCstock 2021 The Cloud-native SOC Anton Chuvakin

Modern SOC Trends 2020Anton Chuvakin

Anton's 2020 SIEM Best and Worst Practices - in BriefAnton Chuvakin

Generic siem how_2017Anton Chuvakin

Tips on SIEM Ops 2015Anton Chuvakin

Five SIEM Futures (2012)Anton Chuvakin

RSA 2016 Security Analytics PresentationAnton Chuvakin

Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinAnton Chuvakin

Practical Strategies to Compliance and Security with SIEM by Dr. Anton ChuvakinAnton Chuvakin

Recently uploaded (20)

PPTX

E-commerce and its impact on business.pandeyranjan5483

PPTX

Memorandum and articles of association explained.pptxKeerthana Chinnathambi

DOCX

India's Emerging Global Leadership in Sustainable Energy Production The Rise ...Insolation Energy

PDF

Using Innovative Solar Manufacturing to Drive India's Renewable Energy Revolu...Insolation Energy

PPTX

Appreciations - July 25.pptxdddddddddddssanushavnayak

PDF

ANÁLISIS DE COSTO- PAUCAR RIVERA NEISY.pdfneisypaucarr

PDF

Retinal Disorder Treatment Market 2030: The Impact of Advanced Diagnostics an...Kumar Satyam

PDF

Alan Stalcup - Principal Of GVA Real Estate InvestmentsAlan Stalcup

PPTX

The Rise of Artificial Intelligence pptxdivyamarya13

PPTX

Lecture on E Business course Topic 24-34.pptxMuhammadUzair737846

PPTX

Andrew C. Belton, MBA Experience Portfolio July 2025Andrew C. Belton

DOCX

Apply for a Canada Permanent Resident Visa in Delhi with Expert Guidance.docxWVP International

PPTX

Piper 2025 Financial Year Shareholder PresentationPiper Industries

PDF

Top 10 Corporates in India Investing in Sustainable Energy.pdfEssar Group

PPTX

Social Media Marketing for Business Growthvidhi622006

PDF

Agentic AI: The Autonomous Upgrade Your AI Stack Didn’t Know It NeededAmnic

PDF

A Study on Analysing the Financial Performance of AU Small Finance and Ujjiva...AI Publications

PDF

Infrastructure and geopolitics.AM.ENG.docx.pdfAndrea Mennillo

PDF

New Royals Distribution Plan Presentationksherwin

PDF

How BrainManager.io Boosts Productivity.brainmanagerious

E-commerce and its impact on business.pandeyranjan5483

Memorandum and articles of association explained.pptxKeerthana Chinnathambi

India's Emerging Global Leadership in Sustainable Energy Production The Rise ...Insolation Energy

Using Innovative Solar Manufacturing to Drive India's Renewable Energy Revolu...Insolation Energy

Appreciations - July 25.pptxdddddddddddssanushavnayak

ANÁLISIS DE COSTO- PAUCAR RIVERA NEISY.pdfneisypaucarr

Retinal Disorder Treatment Market 2030: The Impact of Advanced Diagnostics an...Kumar Satyam

Alan Stalcup - Principal Of GVA Real Estate InvestmentsAlan Stalcup

The Rise of Artificial Intelligence pptxdivyamarya13

Lecture on E Business course Topic 24-34.pptxMuhammadUzair737846

Andrew C. Belton, MBA Experience Portfolio July 2025Andrew C. Belton

Apply for a Canada Permanent Resident Visa in Delhi with Expert Guidance.docxWVP International

Piper 2025 Financial Year Shareholder PresentationPiper Industries

Top 10 Corporates in India Investing in Sustainable Energy.pdfEssar Group

Social Media Marketing for Business Growthvidhi622006

Agentic AI: The Autonomous Upgrade Your AI Stack Didn’t Know It NeededAmnic

A Study on Analysing the Financial Performance of AU Small Finance and Ujjiva...AI Publications

Infrastructure and geopolitics.AM.ENG.docx.pdfAndrea Mennillo

New Royals Distribution Plan Presentationksherwin

How BrainManager.io Boosts Productivity.brainmanagerious

CSI NetSec 2007 Six MIstakes of Log Management by Anton Chuvakin

1. Six Mistakes of Log Management Dr Anton Chuvakin, GCIA, GCIH, GCFA Six Mistakes of Log Management

2. Summary The World of System, Network and Security Logs Why Look at Logs? Brief Log Analysis Overview From Log Analysis to Log Management Log Management Mistakes: from 0 to 5 Conclusions

3. Log Data Overview Audit records Transaction logs Intrusion alerts Connection logs System performance records User activity logs Various alerts and other messages Firewalls/NIPS Routers/switches Intrusion detection Servers, desktops, mainframes Business applications Databases Anti-virus VPNs What logs? From Where?

4. What Commonly “Gets Logged”? System or software startup, shutdown, restart, and abnormal termination (crash) Various thresholds being exceeded or reaching dangerous levels such as disk space full, memory exhausted, or processor load too high Hardware health messages that the system can troubleshoot or at least detect and log Access to resources and authentication decisions Network connections , failed and successful User access privilege changes such as the su command—both failed and successful User credentials and access right changes , such as account updates, creation, and deletion—both failed and successful System configuration changes and software updates—both failed and successful

5. “ Arrgh! Why Don’t We Just Ignore’Em?”

6. Regulations Mandate Logging and Log Review ISO 17799 Maintain audit logs for system access and use, changes, faults, corrections, capacity demands Review the results of monitoring activities regularly Ensure the accuracy of the logs NIST 800-53 Capture audit records Regularly review audit records for unusual activity and violations Automatically process audit records Protect audit information from unauthorized deletion Retain audit logs PCI Requirement 10, etc Logging and user activities tracking are critical Automate and secure audit trails for event reconstruction Review logs daily Retain audit trail history for at least one year COBIT Provide adequate audit trail for root-cause analysis Use logging and monitoring to detect unusual or abnormal activities Regularly review access, privileges, changes Monitor performance Verify backup completion and NIST 800-92 “Guide to Security Log Management!”

7. NIST 800-92 “Guide to Computer Security Log Management” The first ever official guidance on solving logging challenges Logging configurations Logging policies and procedures Log analysis tools and resources

8. So, How Do People Do It?

9. Log Analysis Basics Manual ‘ Tail’, ‘more’, ‘grep’, ‘notepad’, etc Filtering Positive and negative (“Artificial ignorance”) Summarization and reports “ Top X of Y” Simple visualization “… worth a thousand words?” Correlation Rule-based and other Log data mining

10. Looks Complicated?! No Wonder People Make Mistakes …

11. Six Mistakes of Log Management 0. Not logging at all. 1. Not looking at the logs 2. Storing logs for too short a time 3. Prioritizing the log records before collection 4. Ignoring the logs from applications 5. Only looking at what you know is bad

12. Conclusions Now you know: What are the logs? Where they come from? Why look at them? How people do it? What are some of the relevant regulations? How to deal with them? And how to AVOID MISTAKES in log management !

13. Thanks for Attending!!! Dr Anton Chuvakin, GCIA, GCIH, GCFA Chief Logging Evangelist http://www.chuvakin.org Author of “Security Warrior” (O’Reilly, 2004) – http://www.securitywarrior.org See http://www.info-secure.org for my papers, books, reviews and other security resources related to logs. Book on logs is coming soon!