SANS InfoSec Reading Room - Logging Technology and Techniques
Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact webmaster@sans.org.
Featuring 29 papers as of Mar 15, 2010
Effective Use Case Modeling for Security Information & Event Management
- By: Daniel Frye (posted on March 10, 2010)
With today’s technology there exist many methods to subvert an information system which could compromise the confidentiality, integrity, or availability of the resource. Due to the abstract nature of modern computing, the only way to be reliably alerted of a system compromise is by reviewing the system’s actions at both the host and network layers and then correlating those two layers to develop a thorough view into the system’s actions. In most instances, the computer user often has no indication of the existence of the malicious software and therefore cannot be relied upon to determine if their system is indeed compromised.
SIEM Based Intrusion Detection with Q1Labs Qradar
- By: Jim Beechey (posted on February 18, 2010)
Attackers continue to find new methods for penetrating networks and compromising hosts. Therefore, defenders need to look for indications of compromise from as many sources as possible. Collecting and analyzing log data across the enterprise can be a challenging endeavor. However, the wealth of information for intrusion detection analysts is well worth the effort. SIEM solutions can help intrusion detection by collecting all relevant data in a central location and providing customizable alerting and reporting. In addition, SIEM solutions can provide significant value by helping to determine whether or not an incident occurred. The challenge for analysts is creating effective alerts in order to catch today’s sophisticated and well-funded attackers.
Check Point Firewall Log Analysis In-Depth
- By: Mark Stingley (posted on November 10, 2009)
This is a short guidebook for network security analysts who want to find answers about their networks and systems quickly. Using open-source software and off-the-shelf components, an outstanding Check Point firewall log analysis platform can be built...
Harness the Power of SIEM
- By: Dereck Haye (posted on October 6, 2009)
Defend against the Conficker worm and other viruses. How it is possible to take individual security updates and, in a SIEM architecture, combine them with other metrics to enhance and tune detection capabilities.
EVTX and Windows Event Logging
- By: Brandon Charter (posted on November 13, 2008)
This paper will explore Microsoft’s EVTX log format and Windows Event Logging framework.
Cisco Pix Log Analysis In a University Setting
- By: Jack Vant (posted on July 29, 2008)
Detecting Attacks on Web Applications from Log Files
- By: Roger Meyer (posted on January 31, 2008)
Configuring and Tuning Cisco CS-MARS
- By: John Jarocki (posted on January 4, 2008)
Log Analyzer for Dummies
- By: Emilio Valente (posted on December 20, 2007)
Log Management SIMetry: A Step by Step Guide to Selecting the Correct Solution
- By: Jim Beechey (posted on October 25, 2007)
A Practical Application of SIM/SEM/SIEM Automating Threat Identification
- By: David Swift (posted on May 21, 2007)
Proper deployment of a SEM tool prior to an incident can radically increase one's effectiveness at identifying an incident in progress.
Visual Baselines - Maximizing Economies of Scale Using Round Robin Databases
- By: Kirsten Hook (posted on January 11, 2007)
One of the most critical aspects of any security professional's job is to have a solid understanding of their network. This is where creating a baseline of your network becomes vital.
Building a Secure Nagios Server
- By: Chris Dahlke (posted on May 17, 2005)
The objective of this paper is to document a secure installation and deployment strategy for Nagios, which is a very comprehensive and flexible network monitoring application.
Configuring a Free Automated Host Auditing System for Windows 2000 Server and 2003 Server
- By: Ryan Mortensen (posted on May 5, 2005)
This project will bring together a collection of tools that monitor different aspects of a host. This host auditing system has been deployed on our more critical servers in order to reduce the time between an intrusion and its detection as well as to monitor the system state in order to more easily identify important changes to the operating system.
How to Configure Local Logging on Solaris 8 and Use Symantec Intruder Alert for Centralized Logging
- By: Nolan Haisler (posted on May 5, 2005)
Logging is often a forgotten security friend for system administrators until a security breach has occurred. The security administrator then goes to look at the logs only to find that there are no logs, the logs are incomplete, or that the logs have been modified by the attacker himself to cover his tracks.
Securing a Network Device Support Server Running Debian Linux
- By: Douglas Ridgeway (posted on May 5, 2005)
This paper fulfills the requirements for SANS Securing Unix (GCUX) Certification. It covers building a Debian Linux tftp server in a secure manner. It includes policy-based auditing and monitoring the server with a syslog infrastructure, in order to accomplish the security goals of the fictitious business GIAC Enterprises.
Creating A Secure Linux Logging System
- By: Nathaniel Hall (posted on January 19, 2005)
The purpose of this paper is to identify and demonstrate methods that can be used to create a secure Linux logging system that can be expanded to other types of systems for secure logging. Using logs, data can be collected to figure out why a server crashed.
The Importance of Logging and Traffic Monitoring for Information Security
- By: Seham GadAllah (posted on April 19, 2004)
This paper discusses one of the important aspects in any security model, which is the monitoring of the network and systems. If you ask yourself how you can get a complete view of your network, the answer will be almost through using a complete logging system and through using almost all the available traffic monitoring tools.
Low- to No-Cost Methods to Review Webserver Logs for Potential Security Issues
- By: Edgar Glasheen (posted on December 14, 2003)
This is a description of the inexpensive methods I devised to extract and tally records of interest in order to analyze webserver logfiles for potential security problems and compromise attempts, while also obtaining IP address statistics.
Case Study: Using Syslog in a Microsoft & Cisco Environment
- By: Dan Rathbun (posted on October 31, 2003)
This case study details the development of a centralized logging infrastructure using Syslog in a Microsoft and Cisco based environment.
A Security Analysis of System Event Logging with Syslog
- By: Kenneth Nawyn (posted on October 31, 2003)
This paper provides an analysis of the system event logging protocol, discusses some of the problems with the syslog protocol and then addresses how one might go about creating a reasonably secure logging infrastructure.
Log Analysis as an OLAP Application - A Cube to Rule Them All
- By: Clement Leong (posted on October 31, 2003)
This paper discusses a specific implementation of using OLAP technology on log analysis, in particular by using the Seagate Analysis OLAP client.
Centralizing Event Logs on Windows 2000
- By: Gregory Lalla (posted on October 31, 2003)
This case study will detail how I set up a central repository for server logs and daily notifications of events that might indicate a security incident.
The Ins and Outs of System Logging Using Syslog
- By: Ian Eaton (posted on October 31, 2003)
The intent of this paper is to help the reader follow a process of thinking that will provide them with the tools to understand the fundamentals of system logging.
Security Management Systems: An Oversite Layer for Layers of Defense
- By: Dan Keldsen (posted on October 31, 2003)
This paper discusses ways to make IDS and "traditional" security solutions more effective by "rolling up" security event information into an overall view of your organization's security stance.
Syslog and Netsaint: How to Integrate Centralized Logging with Centralized Monitoring
- By: Richard Murphy (posted on October 31, 2003)
This paper will address three aspects of centralized management: 1) centralized log management, 2) centralized monitoring, and 3) the integration of the two technologies.
Cisco Pix: Logging and Beyond
- By: Ben Carlsrud (posted on October 31, 2003)
This document will present a "how to" on logging of a Cisco Pix Firewall version 6.1. It will show how to implement logging via SYSLOG locally and remotely (VPN solution). It will also discuss some of the logging that can be done with the Cisco Pix Device Manager (PDM).
Importance of Understanding Logs from an Information Security Standpoint
- By: Stewart Allen (posted on October 31, 2003)
This document will discuss the importance of logs in the 21st century, and give an idea of what problems Information Security professionals face when trying to analyze them.
Effective Logging & Use of the Kiwi Syslog Utility
- By: Brian R. Wilkins (posted on October 31, 2003)
After reading this document, a security professional should have a good understanding of how Kiwi's syslog utility could be implemented to provide an effective means of providing network information used for a wide range of tasks.