Reading Room

Logging Technology and Techniques

Featuring 41 Papers as of December 4, 2013


  • Setting up Splunk for Event Correlation in Your Home Lab Masters Aron Warren - December 4, 2013

    Splunk is an ideal event correlation instrument for use in large enterprise environments down to small home laboratory networks such as those used by students. Splunk's appeal has grown over the past few years due to a number of factors: speed and amount of collectable data, a growing user base as well as new ways of exploiting its capabilities are discovered. This paper will overview a student research home network Splunk installation including Internet taps, creation and automation of queries and finally pulling multiple data sources together to track security events.

  • Discovering Security Events of Interest Using Splunk Masters Carrie Roberts - July 17, 2013

    Servers and the applications that run on them are under attack by malicious users through a variety of techniques (Mitnik & Simon, 2006).

  • Detecting Security Incidents Using Windows Workstation Event Logs Russ Anthony - July 9, 2013

    Windows event logs are a critical resource when investigating a security incident and aid in the determination of whether or not a system has been compromised.

  • Custom Full Packet Capture System Derek Banks - April 16, 2013

    The goal of a full packet capture system is to acquire the total sum of raw network traffic as it flows from the computers and devices on one network to the destinations on another network.

  • Creating a Bastioned Centralized Audit Server with GroundWork Open Source Log Monitoring for Event Signatures Christopher Duffy - March 25, 2013

    Setting up an Audit server is more than just pulling a piece of hardware off a shelf, slapping it in a rack, hooking it up to the network and off to work it goes.

  • Logging and Monitoring to Detect Network Intrusions and Compliance Violations in the Environment Sunil Gupta - August 8, 2012

    Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices.

  • Evil Through the Lens of Web Logs Masters Russ McRee - May 23, 2012

    Much is revealed when analyzing web logs with specific attention to what can be referred to as Internet Background Abuse, a term derived by the author and to be defined herein as a subset of the academic term Internet Background Radiation (IBR).

  • Shedding Light on Security Incidents Using Network Flows Kevin Gennuso - May 16, 2012

    Incident handlers, and information security teams in general, face significant challenges when dealing with incidents in modern networks.

  • Computer Forensic Timeline Analysis with Tapestry Derek Edwards - November 29, 2011

    One question commonly asked of investigators and incident responders is, "What happened?" The answer often takes the form of a story designed to convey understanding of complex mechanisms and interactions in a simple, straightforward way.

  • Creating Your Own SIEM and Incident Response Toolkit Using Open Source Tools Jonny Sweeny - June 28, 2011

    When an information security analyst is investigating incidents, he or she needs to have an organized set of tools.

  • Successful SIEM and Log Management Strategies for Audit and Compliance David Swift - November 9, 2010

    While there are any number of compliance regulations (SOX, GLBA, PCI, FISMA, NERC, HIPAA... see Appendix E for an overview and links to regulations), and auditors follow various frameworks (COSO, COBIT, ITIL... see Appendix F for an overview and reference links), there are a few common core elements to success.

  • Mastering the Super Timeline With log2timeline Kristinn Guðjónsson - August 25, 2010

    Timeline analysis is a crucial part of every traditional criminal investigation. The need to know at what time a particular event took place, and in which order, can be extremely valuable information to the investigator. The same applies in the digital world; timeline information can provide a computer forensic expert crucial information that can either solve the case or shorten the investigation time by assisting with data reduction and pointing the investigator to evidence that needs further processing. Timeline analysis can also point the investigator to evidence that he or she might not have found using other traditional methods.

  • Effective Use Case Modeling for Security Information & Event Management Daniel Frye - March 10, 2010

    With today's technology there exist many methods to subvert an information system which could compromise the confidentiality, integrity, or availability of the resource. Due to the abstract nature of modern computing, the only way to be reliably alerted of a system compromise is by reviewing the system's actions at both the host and network layers and then correlating those two layers to develop a thorough view into the system's actions. In most instances, the computer user often has no indication of the existence of the malicious software and therefore cannot be relied upon to determine if their system is indeed compromised.

  • SIEM Based Intrusion Detection with Q1Labs Qradar Masters Jim Beechey - February 18, 2010

    Attackers continue to find new methods for penetrating networks and compromising hosts. Therefore, defenders need to look for indications of compromise from as many sources as possible. Collecting and analyzing log data across the enterprise can be a challenging endeavor. However, the wealth of information for intrusion detection analysts is well worth the effort. SIEM solutions can help intrusion detection by collecting all relevant data in a central location and providing customizable alerting and reporting. In addition, SIEM solutions can provide significant value by helping to determine whether or not an incident occurred. The challenge for analysts is creating effective alerts in order to catch today's sophisticated and well-funded attackers.

  • Check Point Firewall Log Analysis In-Depth Mark Stingley - November 10, 2009

    This is a short guidebook for network security analysts who want to find answers about their networks and systems quickly. Using open-source software and off-the-shelf components, an outstanding Check Point firewall log analysis platform can be built...

  • Harness the Power of SIEM Dereck Haye - October 6, 2009

    Defend against the Conficker worm and other viruses. How it is possible to take individual security updates and, in a SIEM architecture, combine them with other metrics to enhance and tune detection capabilities.

  • EVTX and Windows Event Logging Brandon Charter - November 13, 2008

    This paper will explore Microsoft's EVTX log format and Windows Event Logging framework.

  • Cisco Pix Log Analysis In a University Setting Jack Vant - July 29, 2008

    This paper describes a study I conducted over a period of two months which attempted to determine whether an IDS system is necessary for one subnet on campus which is currently protected by a Cisco PIX firewall.

  • Detecting Attacks on Web Applications from Log Files Roger Meyer - January 31, 2008

    This paper explains how to detect the most critical web application security flaws. Web application log files allow a detailed analysis of a user's actions. Log files have their limits, though. Web server log files contain only a fraction of the full HTTP request and response. Knowing those limits, the majority of attacks can be recognized and acted upon to prevent further exploitation.

  • Configuring and Tuning Cisco CS-MARS Masters John Jarocki - January 4, 2008

    CS-MARS (Cisco Security Monitoring, Analysis and Response System), referred to as MARS, receives real-time alerts from IDS sensors, firewalls, Windows domain controllers, and many other devices. SNMP traps and syslog alerts can be forwarded to MARS, and vulnerability scanning information can also be imported. MARS groups events into sessions, and it uses endpoint vulnerability and network topology information to identify false positives automatically when possible. For example, an IDS sensor might report a PC attempting peer-to-peer file sharing, but the firewall log shows those packets were dropped [2]. CS-MARS would mark this as a System Identified False Positive. In another case, a Windows RPC DCOM Overflow might be seen by an IDS system, but the target vulnerability scan shows the host is not running an affected version of Microsoft Windows; another false positive (at least for the attack itself). From mountains of IDS, IPS, firewall, router, and system event logs, a properly tuned CS-MARS installation produces a correlated set of incidents that are likely to need real attention. The key to this degree of data reduction is the proper configuration and tuning of the CS-MARS device. The following configuration and tuning steps will be covered in depth, based on tuning work done by the author and his team in a large, worldwide installation.

  • Log Analyzer for Dummies Masters Emilio Valente - December 20, 2007

    With a few simple existing tools I will explain how even an entry-level sys-administrator can easily build an effective and inexpensive network log analyzer. What I call "Log Analyzer for dummies" is a versatile and stable tool with a minimal cost; it can be easily installed in any environment, it can support most devices and almost any vendor, and it has large storage capability.

  • Log Management SIMetry: A Step by Step Guide to Selecting the Correct Solution Masters Jim Beechey - October 25, 2007

    The information security profession continues to evolve and advance as organizations place greater value on their information security programs. These programs have grown significantly in the past few years, especially in small to medium sized organizations. Technical solutions such as firewalls, VPNs, antivirus, patch management systems, intrusion detection/prevention systems and vulnerability scanners have all helped to address specific security issues. These technologies have also created a mountain of alerts and logs requiring a significant time investment to properly address important issues. As compliance, incident response and an increasing demand for IT security efficiency become more prevalent, organizations struggle with how to manage these disparate technologies efficiently and effectively. This is where a security information and event management system can help solve some of those challenges.

  • A Practical Application of SIM/SEM/SIEM Automating Threat Identification David Swift - May 21, 2007

    Proper deployment of a SEM tool prior to an incident can radically increase one's effectiveness at identifying an incident in progress.

  • Visual Baselines - Maximizing Economies of Scale Using Round Robin Databases Kirsten Hook - January 11, 2007

    One of the most critical aspects of any security professional's job is to have a solid understanding of their network. This is where creating a baseline of your network becomes vital.

  • Building a Secure Nagios Server Chris Dahlke - May 17, 2005

    The objective of this paper is to document a secure installation and deployment strategy for Nagios, which is a very comprehensive and flexible network monitoring application.

  • Configuring a Free Automated Host Auditing System for Windows 2000 Server and 2003 Server Ryan Mortensen - May 5, 2005

    This project will bring together a collection of tools that monitor different aspects of a host. This host auditing system has been deployed on our more critical servers in order to reduce the time between an intrusion and its detection as well as to monitor the system state in order to more easily identify important changes to the operating system.

  • How to Configure Local Logging on Solaris 8 and Use Symantec Intruder Alert for Centralized Logging Nolan Haisler - May 5, 2005

    Logging is often a forgotten security friend for system administrators until a security breach has occurred. The security administrator then goes to look at the logs only to find that there are no logs, the logs are incomplete, or that the logs have been modified by the attacker himself to cover his tracks.

  • Securing a Network Device Support Server Running Debian Linux Douglas Ridgeway - May 5, 2005

    This paper fulfills the requirements for SANS Securing Unix (GCUX) Certification. It covers building a Debian Linux tftp server in a secure manner. It includes policy based auditing and monitoring the server with a syslog infrastructure, in order to accomplish the security goals of the fictitious business GIAC Enterprises.

  • Creating A Secure Linux Logging System Nathaniel Hall - January 19, 2005

    The purpose of this paper is to identify and demonstrate methods that can be used to create a secure Linux logging system that can be expanded to other types of systems for secure logging. Using logs, data can be collected to figure out why a server crashed.

  • The Importance of Logging and Traffic Monitoring for Information Security Seham GadAllah - April 19, 2004

    This paper discusses one of the important aspects in any security model, which is the monitoring of the network and systems. If you ask yourself how you can get a complete view of your network, the answer will be almost through using a complete logging system and through using almost all the available traffic monitoring tools.

  • Low- to No-Cost Methods to Review Webserver Logs for Potential Security Issues Edgar Glasheen - December 14, 2003

    This is a description of the inexpensive methods I devised to extract and tally records of interest in order to analyze webserver logfiles for potential security problems, compromise attempts, while also obtaining IP address statistics.

  • Case Study: Using Syslog in a Microsoft & Cisco Environment Dan Rathbun - October 31, 2003

    This case study details the development of a centralized logging infrastructure using Syslog in a Microsoft and Cisco based environment.

  • A Security Analysis of System Event Logging with Syslog Kenneth Nawyn - October 31, 2003

    This paper provides an analysis of the system event logging protocol, discusses some of the problems with the syslog protocol and then addresses how one might go about creating a reasonably secure logging infrastructure.

  • Log Analysis as an OLAP Application - A Cube to Rule Them All Clement Leong - October 31, 2003

    This paper discusses a specific implementation of using OLAP technology on log analysis, in particular by using the Seagate Analysis OLAP client.

  • Centralizing Event Logs on Windows 2000 Gregory Lalla - October 31, 2003

    This case study will detail how I set up a central repository for server logs and daily notifications of events that might indicate a security incident.

  • The Ins and Outs of System Logging Using Syslog Ian Eaton - October 31, 2003

    The intent of this paper is to help the reader follow a process of thinking that will provide them with the tools to understand the fundamentals of system logging.

  • Security Management Systems: An Oversite Layer for Layers of Defense Dan Keldsen - October 31, 2003

    This paper discusses ways to make IDS and "traditional" security solutions more effective by "rolling up" security event information into an overall view of your organization's security stance.

  • Syslog and Netsaint: How to Integrate Centralized Logging with Centralized Monitoring Richard Murphy - October 31, 2003

    This paper will address three aspects of centralized management: 1) centralized log management 2) centralized monitoring and 3) the integration of the two technologies.

  • Cisco Pix: Logging and Beyond Ben Carlsrud - October 31, 2003

    This document will present a "how to" on logging of a Cisco Pix Firewall version 6.1. It will show how to implement logging via SYSLOG locally and remotely (VPN solution). It will also discuss some of the logging that can be done with the Cisco Pix Device Manager (PDM).

  • Importance of Understanding Logs from an Information Security Standpoint Stewart Allen - October 31, 2003

    This document will discuss the importance of logs in the 21st century, and give an idea of what problems Information Security professionals face when trying to analyze them.

  • Effective Logging & Use of the Kiwi Syslog Utility Brian Wilkins - October 31, 2003

    After reading this document, a security professional should have a good understanding of how Kiwi's syslog utility could be implemented to provide an effective means of providing network information used for a wide range of tasks.

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact

All papers are copyrighted. No re-posting or distribution of papers is permitted.

Masters: This paper was created by a SANS Technology Institute student as part of their Master's curriculum.