SANS InfoSec Reading Room - Logging Technology and Techniques

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.

Featuring 38 papers as of May 24, 2013
PDF Custom Full Packet Capture System
By: Derek Banks (posted on April 16, 2013)
The goal of a full packet capture system is to acquire the total sum of raw network traffic as it flows from the computers and devices on one network to the destinations on another network.
PDF Creating a Bastioned Centralized Audit Server with GroundWork Open Source Log Monitoring for Event Signatures
By: Christopher Duffy (posted on March 25, 2013)
Setting up an Audit server is more than just pulling a piece of hardware off a shelf, slapping it in a rack, hooking it up to the network and off to work it goes.
PDF Logging and Monitoring to Detect Network Intrusions and Compliance Violations in the Environment
By: Sunil Gupta (posted on August 8, 2012)
Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices.
PDF Evil Through the Lens of Web Logs
By: Russ McRee (posted on May 23, 2012)
Much is revealed when analyzing web logs with specific attention to what can be referred to as Internet Background Abuse, a term derived by the author and to be defined herein as a subset of the academic term Internet Background Radiation (IBR).
PDF Shedding Light on Security Incidents Using Network Flows
By: Kevin Gennuso (posted on May 16, 2012)
Incident handlers, and information security teams in general, face significant challenges when dealing with incidents in modern networks.
PDF Computer Forensic Timeline Analysis with Tapestry
By: Derek Edwards (posted on November 29, 2011)
One question commonly asked of investigators and incident responders is, "What happened?" The answer often takes the form of a story designed to convey understanding of complex mechanisms and interactions in a simple, straightforward way.
PDF Creating Your Own SIEM and Incident Response Toolkit Using Open Source Tools
By: Jonny Sweeny (posted on June 28, 2011)
When an information security analyst is investigating incidents, he or she needs to have an organized set of tools.
PDF Successful SIEM and Log Management Strategies for Audit and Compliance
By: David Swift (posted on November 9, 2010)
While there are any number of compliance regulations (SOX, GLBA, PCI, FISMA, NERC, HIPAA... see Appendix E for an overview and links to regulations), and auditors follow various frameworks (COSO, COBIT, ITIL... see Appendix F for an overview and reference links), there are a few common core elements to success.
PDF Mastering the Super Timeline With log2timeline
By: Kristinn Guðjónsson (posted on August 25, 2010)
Timeline analysis is a crucial part of every traditional criminal investigation. The need to know at what time a particular event took place, and in which order, can be extremely valuable information to the investigator. The same applies in the digital world: timeline information can provide a computer forensic expert crucial information that can either solve the case or shorten the investigation time by assisting with data reduction and pointing the investigator to evidence that needs further processing. Timeline analysis can also point the investigator to evidence that he or she might not have found using other traditional methods.
PDF Effective Use Case Modeling for Security Information & Event Management
By: Daniel Frye (posted on March 10, 2010)
With today’s technology there exist many methods to subvert an information system which could compromise the confidentiality, integrity, or availability of the resource. Due to the abstract nature of modern computing, the only way to be reliably alerted of a system compromise is by reviewing the system’s actions at both the host and network layers and then correlating those two layers to develop a thorough view into the system’s actions. In most instances, the computer user often has no indication of the existence of the malicious software and therefore cannot be relied upon to determine if their system is indeed compromised.
PDF SIEM Based Intrusion Detection with Q1Labs Qradar
By: Jim Beechey (posted on February 18, 2010)
Attackers continue to find new methods for penetrating networks and compromising hosts. Therefore, defenders need to look for indications of compromise from as many sources as possible. Collecting and analyzing log data across the enterprise can be a challenging endeavor. However, the wealth of information for intrusion detection analysts is well worth the effort. SIEM solutions can help intrusion detection by collecting all relevant data in a central location and providing customizable alerting and reporting. In addition, SIEM solutions can provide significant value by helping to determine whether or not an incident occurred. The challenge for analysts is creating effective alerts in order to catch today's sophisticated and well-funded attackers.
PDF Check Point Firewall Log Analysis In-Depth
By: Mark Stingley (posted on November 10, 2009)
This is a short guidebook for network security analysts who want to find answers about their networks and systems quickly. Using open-source software and off-the-shelf components, an outstanding Check Point firewall log analysis platform can be built...
PDF Harness the Power of SIEM
By: Dereck Haye (posted on October 6, 2009)
Defend against the Conficker worm and other viruses. How it is possible to take individual security updates and, in a SIEM architecture, combine them with other metrics to enhance and tune detection capabilities.
PDF EVTX and Windows Event Logging
By: Brandon Charter (posted on November 13, 2008)
This paper will explore Microsoft’s EVTX log format and Windows Event Logging framework.
PDF Cisco Pix Log Analysis In a University Setting
By: Jack Vant (posted on July 29, 2008)
PDF Detecting Attacks on Web Applications from Log Files
By: Roger Meyer (posted on January 31, 2008)
PDF Configuring and Tuning Cisco CS-MARS
By: John Jarocki (posted on January 4, 2008)
PDF Log Analyzer for Dummies
By: Emilio Valente (posted on December 20, 2007)
PDF Log Management SIMetry: A Step by Step Guide to Selecting the Correct Solution
By: Jim Beechey (posted on October 25, 2007)
PDF A Practical Application of SIM/SEM/SIEM Automating Threat Identification
By: David Swift (posted on May 21, 2007)
Proper deployment of a SEM tool prior to an incident can radically increase one's effectiveness at identifying an incident in progress.
PDF Visual Baselines - Maximizing Economies of Scale Using Round Robin Databases
By: Kirsten Hook (posted on January 11, 2007)
One of the most critical aspects of any security professional's job is to have a solid understanding of their network. This is where creating a baseline of your network becomes vital.
PDF Building a Secure Nagios Server
By: Chris Dahlke (posted on May 17, 2005)
The objective of this paper is to document a secure installation and deployment strategy for Nagios, which is a very comprehensive and flexible network monitoring application.
PDF Configuring a Free Automated Host Auditing System for Windows 2000 Server and 2003 Server
By: Ryan Mortensen (posted on May 5, 2005)
This project will bring together a collection of tools that monitor different aspects of a host. This host auditing system has been deployed on our more critical servers in order to reduce the time between an intrusion and its detection as well as to monitor the system state in order to more easily identify important changes to the operating system.
PDF How to Configure Local Logging on Solaris 8 and Use Symantec Intruder Alert for Centralized Logging
By: Nolan Haisler (posted on May 5, 2005)
Logging is often a forgotten security friend for system administrators until a security breach has occurred. The security administrator then goes to look at the logs only to find that there are no logs, the logs are incomplete, or that the logs have been modified by the attacker himself to cover his tracks.
PDF Securing a Network Device Support Server Running Debian Linux
By: Douglas Ridgeway (posted on May 5, 2005)
This paper fulfills the requirements for SANS Securing Unix (GCUX) Certification. It covers building a Debian Linux tftp server in a secure manner. It includes policy-based auditing and monitoring of the server with a syslog infrastructure, in order to accomplish the security goals of the fictitious business GIAC Enterprises.
PDF Creating A Secure Linux Logging System
By: Nathaniel Hall (posted on January 19, 2005)
The purpose of this paper is to identify and demonstrate methods that can be used to create a secure Linux logging system that can be expanded to other types of systems for secure logging. Using logs, data can be collected to figure out why a server crashed.
PDF The Importance of Logging and Traffic Monitoring for Information Security
By: Seham GadAllah (posted on April 19, 2004)
This paper discusses one of the important aspects in any security model, which is the monitoring of the network and systems. If you ask yourself how you can get a complete view of your network, the answer will almost always be through using a complete logging system and almost all of the available traffic monitoring tools.
PDF Low- to No-Cost Methods to Review Webserver Logs for Potential Security Issues
By: Edgar Glasheen (posted on December 14, 2003)
This is a description of the inexpensive methods I devised to extract and tally records of interest in order to analyze webserver logfiles for potential security problems and compromise attempts, while also obtaining IP address statistics.
PDF Case Study: Using Syslog in a Microsoft & Cisco Environment
By: Dan Rathbun (posted on October 31, 2003)
This case study details the development of a centralized logging infrastructure using Syslog in a Microsoft and Cisco based environment.
PDF A Security Analysis of System Event Logging with Syslog
By: Kenneth Nawyn (posted on October 31, 2003)
This paper provides an analysis of the system event logging protocol, discusses some of the problems with the syslog protocol and then addresses how one might go about creating a reasonably secure logging infrastructure.
PDF Log Analysis as an OLAP Application - A Cube to Rule Them All -
By: Clement Leong (posted on October 31, 2003)
This paper discusses a specific implementation of using OLAP technology on log analysis, in particular by using the Seagate Analysis OLAP client.
PDF Centralizing Event Logs on Windows 2000
By: Gregory Lalla (posted on October 31, 2003)
This case study will detail how I set up a central repository for server logs and daily notifications of events that might indicate a security incident.
PDF The Ins and Outs of System Logging Using Syslog
By: Ian Eaton (posted on October 31, 2003)
The intent of this paper is to help the reader follow a process of thinking that will provide them with the tools to understand the fundamentals of system logging.
PDF Security Management Systems: An Oversite Layer for Layers of Defense
By: Dan Keldsen (posted on October 31, 2003)
This paper discusses ways to make IDS and "traditional" security solutions more effective by "rolling up" security event information into an overall view of your organization's security stance.
PDF Syslog and Netsaint: How to Integrate Centralized Logging with Centralized Monitoring
By: Richard Murphy (posted on October 31, 2003)
This paper will address three aspects of centralized management: 1) centralized log management, 2) centralized monitoring, and 3) the integration of the two technologies.
PDF Cisco Pix: Logging and Beyond
By: Ben Carlsrud (posted on October 31, 2003)
This document will present a "how to" on logging of a Cisco Pix Firewall version 6.1. It will show how to implement logging via SYSLOG locally and remotely (VPN solution). It will also discuss some of the logging that can be done with the Cisco Pix Device Manager (PDM).
PDF Importance of Understanding Logs from an Information Security Standpoint
By: Stewart Allen (posted on October 31, 2003)
This document will discuss the importance of logs in the 21st century, and give an idea of what problems Information Security professionals face when trying to analyze them.
PDF Effective Logging & Use of the Kiwi Syslog Utility
By: Brian R. Wilkins (posted on October 31, 2003)
After reading this document, a security professional should have a good understanding of how Kiwi's syslog utility could be implemented as an effective means of providing network information used for a wide range of tasks.