Logging Technology and Techniques
Featuring 68 Papers as of November 22, 2016
Node Router Sensors: What just happened? by Kim Cary - November 22, 2016
When an airliner crashes, one of the most important tasks is the recovery of the flight recorder or black box. This device gives precise & objective information about what happened and when before the crash. When an information security incident occurs on a network, it is equally important to have access to precise information about what happened to the victim machine and what it did after any compromise. A network of devices can be designed, economically constructed and managed to automatically capture and make available this type of data to information security incident handlers. In any environment, this complete record of network data comes with legal and ethical concerns regarding its use. Proper technical, legal and ethical operation must be baked into the design and operational procedures for devices that capture information on any network. These considerations are particularly necessary on a college campus, where such operations are subject to public discussion. This paper details the benefits, designs, operational procedures and controls and sample results of the use of "Node Router Sensors" in solving information security incidents on a busy college network.
Detecting Penetration Testers on a Windows Network with Splunk STI Graduate Student Research
by Fred Speece - October 31, 2016
Through data collection, reports, and alerts, an InfoSec team can have a better idea of what Penetration Testers are doing and hopefully in turn stop real bad guys that may get on their network. This paper discusses the configuration and setup of those alerts and the logging behind them. It also covers the thought process behind the alert and attack(s) it is trying to defend against. If an InfoSec department picked up this paper before their first Penetration Test, they would have better visibility into their network and alert on possible changes that an adversary could make. Splunk should not alert on everything, but it should alert on behavior that is abnormal. This paper is targeted for a Windows majority network with Active Directory in an organization with an immature security posture, using Splunk as their SIEM.
Boiling the Ocean: Security Operations and Log Analysis by Colin Chisholm - April 6, 2016
Incident handling is a difficult and challenging job. One of the many challenges of incident response, and the root of this paper, is obtaining access to the data needed to identify an incident.
IPv6 and Open Source IDS STI Graduate Student Research
by Jon Mark Allen - May 14, 2015
This paper will examine the current support of IPv6 amongst three of the most popular open source intrusion detection systems: Snort, Suricata, and Bro. It will also examine support of the IPv6 protocol within the publicly available signatures and rules for each system, where applicable.
Improving the Effectiveness of Log Analysis with HP ArcSight Logger 6 Analyst Paper
by Dave Shackleford - April 1, 2015
- Associated Webcasts: Analyst Webcast: Simplifying Compliance and Forensic Requirements with HP ArcSight Logger
- Sponsored By: Hewlett Packard
A review of HP ArcSight Logger 6 by SANS analyst and instructor Dave Shackleford. It discusses the latest release of ArcSight Logger and its usefulness to security analysts who need to collect and monitor logs.
Faster than a speeding bullet: Geolocation data and account misuse STI Graduate Student Research
by Tim Collyer - December 1, 2014
Today's global economy and mobile workforce have a large impact on modern network security, elevating the importance of a "defense in depth" approach. Geolocation information has become an important element to monitor as part of such a layered defense. Incorporating geolocation information into network security programs does not necessarily require additional expenditure if the appropriate resources (such as a SIEM) are already in place. By tracking the geographic location for account logins, it is possible to discover anomalies by calculating the distance between two logins from the same account.
A Qradar Log Source Extension Walkthrough by Michael Stanton - September 22, 2014
The acronym SIEM refers to "Security Information and Event Management". Due to the many and varied functions provided, a concise definition is illusive.
Combining Security Intelligence and the Critical Security Controls: A Review of LogRhythm's SIEM Platform Analyst Paper
by Dave Shackleford - April 23, 2014
- Associated Webcasts: SIEM, Security Intelligence and the Critical Security Controls
- Sponsored By: LogRhythm
Review of LogRhythm’s security information and event management (SIEM) platform with new security intelligence features built in for compliance.
Champagne SIEM on a Beer Budget Analyst Paper
by Jerry Shenk - March 12, 2014
Review of SolarWinds' Log & Event Manager (LEM) ability to provide small-to-medium-size businesses the forensic intelligence, compliance and security information necessary to manage operations.
Setting up Splunk for Event Correlation in Your Home Lab STI Graduate Student Research
by Aron Warren - November 25, 2013
Splunk is an ideal event correlation instrument for use in large enterprise environments down to small home laboratory networks such as those used by students. Splunk's appeal has grown over the past few years due to a number of factors: speed and amount of collectable data, a growing user base as well as new ways of exploiting its capabilities are discovered. This paper will overview a student research home network Splunk installation including Internet taps, creation and automation of queries and finally pulling multiple data sources together to track security events.
Correlating Event Data for Vulnerability Detection and Remediation Analyst Paper
by Jacob Williams - October 8, 2013
- Associated Webcasts: Correlating Real-Time Event Data with SIEM for Forensics and Incident Handling
- Sponsored By: McAfee
Examination of how 2012 Saudi Aramco “spearphishing” attacks could have been thwarted with the help of a SIEM platform that combines the power of historical data with real-time data from network data sources and security policies.
Discovering Security Events of Interest Using Splunk STI Graduate Student Research
by Carrie Roberts - July 16, 2013
Servers and the applications that run on them are under attack by malicious users through a variety of techniques (Mitnik & Simon, 2006).
Detecting Security Incidents Using Windows Workstation Event Logs by Russ Anthony - July 9, 2013
Windows event logs are a critical resource when investigating a security incident and aide in the determination of whether or not a system has been compromised.
Custom Full Packet Capture System by Derek Banks - March 28, 2013
The goal of a full packet capture system is to acquire the total sum of raw network traffic as it flows from the computers and devices on one network to the destinations on another network.
Creating a Bastioned Centralized Audit Server with GroundWork Open Source Log Monitoring for Event Signatures by Christopher Duffy - March 20, 2013
Setting up an Audit server is more than just pulling a piece of hardware off a shelf, slapping it in a rack, hooking it up to the network and off to work it goes.
Security Intelligence in Action: A Review of LogRhythm's SIEM 2.0 Big Data Security Analytics Platform Analyst Paper
by Dave Shackleford - December 12, 2012
- Sponsored By: LogRhythm
Review of LogRhythm's SIEM 2.0 Big Data Security Analytics Platform -- the fundamental capabilities and the innovative new features.
Logging and Monitoring to Detect Network Intrusions and Compliance Violations in the Environment by Sunil Gupta - August 8, 2012
Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices.
Evil Through the Lens of Web Logs STI Graduate Student Research
by Russ McRee - May 23, 2012
Much is revealed when analyzing web logs with specific attention to what can be referred to as Internet Background Abuse, a term derived by the author and to be defined herein as a subset of the academic term Internet Background Radiation (IBR).
Shedding Light on Security Incidents Using Network Flows by Kevin Gennuso - May 16, 2012
Incident handlers, and information security teams in general, face significant challenges when dealing with incidents in modern networks.
SANS Eighth Annual 2012 Log and Event Management Survey Results: Sorting Through the Noise Analyst Paper
by Jerry Shenk - May 9, 2012
SANS’ Eighth Annual Log and Event Management Survey highlights inability of many organizations to separate normal log data from actionable events
Computer Forensic Timeline Analysis with Tapestry by Derek Edwards - November 29, 2011
One question commonly asked of investigators and incident responders is, "What happened?" The answer often takes the form of a story designed to convey understanding of complex mechanisms and interactions in a simple, straightforward way.
Optimized Network Monitoring for Real-World Threats Analyst Paper
by Dave Shackleford - July 1, 2011
- Sponsored By: VSS Monitoring, Inc.
This paper explores current threats today’s networks face that impact monitoring capabilities, the types of gaps that exist in many current monitoring architectures, and ways that network and security monitoring can be improved through advances in trafﬁc capture and delivery technologies such as intelligent distributed taps.
Creating Your Own SIEM and Incident Response Toolkit Using Open Source Tools by Jonny Sweeny - June 28, 2011
When an information security analyst is investigating incidents, he or she needs to have an organized set of tools.
SANS Seventh Annual Log Management Survey Report Analyst Paper
by Jerry Shenk - April 30, 2011
This annual survey has consistently identified areas in which organizations are focusing their log management initiatives and continues to provide a roadmap to the industry for future improvement.
Successful SIEM and Log Management Strategies for Audit and Compliance by David Swift - November 9, 2010
While there are any number of compliance regulations (SOX, GLBA, PCI, FISMA, NERC,HIPAA...see Appendix E for and overview and links to regulations), and auditors follow various frameworks (COSO,COBIT,ITIL...see Appendix F for and overview and reference links), there are a few common core elements to success.
Mastering the Super Timeline With log2timeline by Kristinn Guðjónsson - August 25, 2010
Timeline analysis is a crucial part of every traditional criminal investigation. The need to know at what time a particular event took place, and in which order can be extremely valuable information to the investigator. The same applies in the digital world, timeline information can provide a computer forensic expert crucial information that can either solve the case or shorten the investigation time by assisting with data reduction and pointing the investigator to evidence that needs further processing. Timeline analysis can also point the investigator to evidence that he or she might not have found using other traditional methods.
SANS Log Management Survey: Mid-Sized Businesses Respond Analyst Paper
by Jerry Shenk - June 5, 2010
- Sponsored By: RSA
Annual log management survey on how organizations collect and use their logs; what they aren’t currently using their log for but would like to; what they see as the biggest problems; and the impact Log Management issues have on small- and mid-sized businesses.
Effective Use Case Modeling for Security Information & Event Management by Daniel Frye - March 10, 2010
With today’s technology there exist many methods to subvert an information system which could compromise the confidentiality, integrity, or availability of the resource. Due to the abstract nature of modern computing, the only way to be reliably alerted of a system compromise is by reviewing the system’s actions at both the host and network layers and then correlating those two layers to develop a thorough view into the system’s actions. In most instances, the computer user often has no indication of the existence of the malicious software and therefore cannot be relied upon to determine if their system is indeed compromised.
SIEM Based Intrusion Detection with Q1Labs Qradar STI Graduate Student Research
by Jim Beechey - February 18, 2010
Attackers continue to find new methods for penetrating networks and compromising hosts. Therefore, defenders need to look for indications of compromise from as many sources as possible. Collecting and analyzing log data across the enterprise can be a challenging endeavor. However, the wealth of information for intrusion detection analysts is well worth the effort. SIEM solutions can help intrusion detection by collecting all relevant data in a central location and providing customizable altering and reporting. In addition, SIEM solutions can provide significant value by helping to determine whether or not an incident occurred. The challenge for analysts is creating effective alerts in order to catch today’s sophisticated and well funded attackers.
Sentinel Log Manager Review Analyst Paper
by Jerry Shenk - January 5, 2010
- Sponsored By: Novell
This paper is a review of the stand-alone Sentinel Log Manager and how it stands up to key concerns that survey respondents raised about log managers, including collection, storage and searching/reporting capabilities.
Check Point Firewall Log Analysis In-Depth by Mark Stingley - November 10, 2009
This is a short guidebook for network security analysts who want to find answers about their networks and systems quickly. Using open-source software and off-the-shelf components, an outstanding Check Point firewall log analysis platform can be built...
Harness the Power of SIEM by Dereck Haye - October 6, 2009
Defend against the Conficker worm and other viruses. How it is possible to take individual security updates and, in Siem architecture combine them with other metrics to enhance and tune detection capabilities.
SANS Annual 2009 Log Management Survey Analyst Paper
by Jerry Shenk - April 17, 2009
Annual log management survey shows companies far more successful collecting log data, but indicate concerns around normalization, indexing and access, creating reports and log management lifecycle.
Benchmarking Security Information Event Management (SIEM) Analyst Paper
by J. Michael Butler - February 12, 2009
- Sponsored By: NitroSecurity
SIEM is benchmarked by setting one baseline environment with equations for organizations to extrapolate benchmark requirements.
EVTX and Windows Event Logging by Brandon Charter - November 13, 2008
This paper will explore Microsoft’s EVTX log format and Windows Event Logging framework.
Log Management in the Cloud: A Comparison of In-House versus Cloud-Based Management of Log Data Analyst Paper
by Jerry Shenk - October 28, 2008
- Sponsored By: Alert Logic, Inc.
Organizations have many questions to consider regarding business needs before switching to log management in-the-cloud (otherwise known as Software as a Service or SaaS.
Cisco Pix Log Analysis In a University Setting by Jack Vant - July 29, 2008
This paper describes a study I conducted over a period of two months which attempted to determine whether an IDS system is necessary for one subnet on campus which is currently protected by a Cisco PIX firewall.
Leveraging Event and Log Data for Security and Compliance Analyst Paper
by Dave Shackleford - April 20, 2008
- Sponsored By: Intellitactics, Inc.
This paper explores steps for using compliance to improve security incrementally over time, giving auditors and security teams alike more current and relevant event data to assess and act upon.
Detecting Attacks on Web Applications from Log Files by Roger Meyer - January 31, 2008
This paper explains how to detect the most critical web application security flaws. Web application log files allow a detailed analysis of a users actions. Log files have its limits, though. Web server log files contain only a fraction of the full HTTP request and response. Knowing those limits, the majority of attacks can be recognized and acted upon to prevent further exploitation.
Configuring and Tuning Cisco CS-MARS STI Graduate Student Research
by John Jarocki - January 4, 2008
CS-MARS (Cisco Security Monitoring, Analysis and Response System) and referred to as “MARS,” receives real-time alerts from IDS sensors, firewalls, Windows domain controllers, and many other devices. SNMP traps and syslog alerts can be forwarded to MARS, and vulnerability scanning information can also be imported. MARS groups events into sessions, and it uses endpoint vulnerability and network topology information to identify false positives automatically when possible. For example, an IDS sensor might report a PC attempting peer-to-peer file sharing, but the firewall log shows those packets were dropped . CS-MARS would mark this as a System Identified False Positive. In another case, a Windows RPC DCOM Overflow might be seen by an IDS system, but the target vulnerability scan shows the host is not running an affected version of Microsoft Windows – another false positive (at least for the attack itself). From mountains of IDS, IPS, firewall, router, and system event logs, a properly tuned CS-MARS installation produces a correlated set of incidents that are likely to need real attention. The key to this degree of data reduction is the proper configuration and tuning of the CS-MARS device. The following configuration and tuning steps will be covered in depth, based on tuning work done by the author and his team in a large, worldwide installation.
Log Analyzer for Dummies STI Graduate Student Research
by Emilio Valente - December 20, 2007
With a few simple existing tools I will explain how even an entry-level sys-administrator can easily build an effective and inexpensive network log analyzer. What I call "Log Analyzer for dummies"; is a versatile and stable tool, with a minimal cost, it can be easily installed in any environment, it can support most devices, and almost any vendor, with large storage capability.
Log Management SIMetry: A Step by Step Guide to Selecting the Correct Solution STI Graduate Student Research
by Jim Beechey - October 24, 2007
The information security profession continues to evolve and advance as organizations place greater value on their information security programs. These programs have grown significantly in the past few years, especially in small to medium sized organizations. Technical solutions such as: firewalls, VPNs, antivirus, patch management systems, intrusion detection/preventions systems and vulnerability scanners have all helped to address specific security issues. These technologies have also created a mountain of alerts and logs requiring a significant time investment to properly address important issues. As compliance, incident response and an increasing demand for IT security efficiency become more prevalent, organizations struggle with how to manage these disparate technologies efficiently and effectively. This is where a security information and event management system can help solve some of those challenges.
The SANS 2007 Log Management Market Report Analyst Paper
by Jerry Shenk - June 5, 2007
- Sponsored By: LogLogic, Inc.
An analysis of survey data to unlock how log data is being used successfully, key problems holding enterprises back from log management, what is needed from vendor community and how vendors are working to resolve issues.
A Practical Application of SIM/SEM/SIEM Automating Threat Identification by David Swift - May 21, 2007
Proper deployment of a SEM tool prior to an incident can radically increase one's effectiveness at identifying an incident in progress.
Visual Baselines - Maximizing Economies of Scale Using Round Robin Databases by Kirsten Hook - January 11, 2007
One of the most critical aspects of any security professional's job is to have a solid understanding of their network. This is where creating a baseline of your network becomes vital.
Building the Business Case for Log Management Intelligence (LMI) - November 2006 Analyst Paper
by Steve Mancini, Jerry Shenk - November 6, 2006
- Sponsored By: LogLogic, Inc.
An outline of key business drivers for deploying an Log Management Intelligence (LMI) solution.
The Log Management Industry: An Untapped Market Analyst Paper
by Stephen Northcutt, Jerry Shenk, Dave Shackleford - June 1, 2006
- Sponsored By: LogLogic, Inc.
The Log Management market has increased dramatically because advantages of log management extend well beyond security to health monitoring forensics, regulatory compliance and marketing.
Building a Secure Nagios Server by Chris Dahlke - May 17, 2005
The objective of this paper is to document a secure installation and deployment strategy for Nagios, which is a very comprehensive and flexible network monitoring application.
Configuring a Free Automated Host Auditing System for windows 2000 Server and 2003 Server. by Ryan Mortensen - May 5, 2005
This project will bring together a collection of tools that monitor different aspects of a host. This host auditing system has been deployed on our more critical servers in order to reduce the time between an intrusion and its detection as well as to monitor the system state in order to more easily identify important changes to the operating system.
How to Configuring Local Logging on Solaris 8 and Use Symantec Intruder Alert for Centralized Logging by Nolan Haisler - May 5, 2005
Logging is often a forgotten security friend for system administrators until a security breach has occurred. The security administrator then goes to look at the logs only to find that there are no logs, the logs are incomplete, or that the logs have been modified by the attacker himself to cover his tracks.
Securing a Network Device Support Server Running Debian Linux by Douglas Ridgeway - May 5, 2005
This paper fulfills the requirements for SANS Securing Unix (GCUX) Certification. It covers building a Debian Linux tftp server in a secure manner. It includes policy based auditing and monitoring the server with a syslog infrastructure. Inorder to accomplish the security goals of the fictitious business GIAC Enterprises.
Creating A Secure Linux Logging System by Nathaniel Hall - January 19, 2005
The purpose of this paper is to identify and demonstrate methods that can be used to create a secure Linux logging system that can be expanded to other types of systems for secure logging. Using logs, data can be collected to figure out why a server crashed.
The Importance of Logging and Traffic Monitoring for Information Security by Seham GadAllah - April 19, 2004
This paper discusses one of the important aspects in any security model, which is the monitoring of the network and systems. If you ask your self how you can get a complete view for your network, the answer will be almost through using a complete logging system and through using almost all the available traffic monitoring tools.
Low- to No-Cost Methods to Review Webserver Logs for Potential Security Issues by Edgar Glasheen - December 14, 2003
This is a description of the inexpensive methods I devised to extract and tally records of interest in order to analyze webserver logfiles for potential security problems, compromise attempts, while also obtaining IP address statistics.
Security Management Systems: An Oversite Layer for Layers of Defense by Dan Keldsen - September 4, 2003
This paper discusses ways to make IDS and "traditional" security solutions more effective by "rolling up" security event information into an overall view of your organization's security stance.
The Ins and Outs of System Logging Using Syslog by Ian Eaton - August 14, 2003
The intent of this paper is to help the reader follow a process of thinking that will provide them with the tools to understand the fundamentals of system logging.
Log Analysis as an OLAP Application - A Cube to Rule Them All - by Clement Leong - August 8, 2003
This paper discusses a specific implementation of using OLAP technology on log analysis, in particular by using the Seagate Analysis OLAP client.
Case Study: Using Syslog in a Microsoft & Cisco Environment by Dan Rathbun - June 27, 2003
This case study details the development of a centralized logging infrastructure using Syslog in a Microsoft and Cisco based environment.
A Security Analysis of System Event Logging with Syslog by Kenneth Nawyn - June 27, 2003
This paper provides an analysis of the system event logging protocol, discusses some of the problems with the syslog protocol and then addresses how one might go about creating a reasonably secure logging infrastructure.
Centralizing Event Logs on Windows 2000 by Gregory Lalla - April 4, 2003
This case study will detail how I setup a central repository for server logs and daily notifications of events that might indicate a security incident.
Effective Logging & Use of the Kiwi Syslog Utility by Brian Wilkins - June 7, 2002
After reading this document, a security professional should have a good understanding of how Kiwi's syslog utility could be implemented to provide an effective means of providing network information used for a wide range of tasks.
Importance of Understanding Logs from an Information Security Standpoint by Stewart Allen - October 5, 2001
This document will discuss the importance of logs in the 21st century, and give an idea of what problems Information Security professionals face when trying to analyze them.
Cisco Pix: Logging and Beyond by Ben Carlsrud - September 26, 2001
This document will present a "how to" on logging of a Cisco Pix Firewall version 6.1. It will show how to implement logging via a SYSLOG locally and remotely (VPN Solution). It will also discuss some of the logging that can be done with the Cisco Pix Device Manager (PDM)
Syslog and Netsaint: How to Integrate Centralized Logging with Centralized Monitoring by Richard Murphy - July 27, 2001
This paper will address three aspects of centralized management: 1) centralized log management 2) centralized monitoring and 3) the integration of the two technologies.
Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact firstname.lastname@example.org.
All papers are copyrighted. No re-posting or distribution of papers is permitted.