
Logging Technology and Techniques

Featuring 80 Papers as of April 16, 2021

  • Detecting System Log Loss Through One-Way Communication Channels (Graduate Student Research)
    by Jason Leverton - December 16, 2020

    Organizations are consolidating log collecting, monitoring, and incident response activities. There are many reasons an organization could find itself in this situation, whether they are attempting their first deployment of security architecture or they are shifting to a SaaS Cybersecurity product. These data collection points may not always be located within the same trust boundary, or even within the same organization. They may also be communicating through highly restrictive gateways. These collection points could gather information from multiple networks, all with different classifications, security postures, or network owners. There are incidents when communication flowing from one organization to another may have restrictions on two-way communication and rely entirely on a one-way communication channel. The lack of a two-way connection presents a challenge when continuous monitoring is required. Most host-based agents and log transfer mechanisms rely solely on established connections (TCP). This paper examines the transfer of logs through a one-way communication channel. It aims to detect and measure the amount of log loss on the channel and intuit the time, size, and volume of log messages lost. The goal is not to provide error correction but instead to introduce error detection.

  • Detecting DLL Search Order Hijacking: How using a purple team approach can help create better defensive techniques and a more tactical SIEM by Lasse Hauballe Jensen - May 4, 2020 

    Many SIEM analysts will recognize the feeling of being overwhelmed with security logs and alerts, and having to deal with them using a SIEM that gets slower and slower. For many, it may even seem that the SIEM has transitioned into being an overpriced log storage system. Figuring out how to make the SIEM faster, more tactical, and defensive-oriented will also be a way to make the analysts better and happier. It will also provide more accurate reporting for managers, and lastly, it will reduce storage and processing requirements, reducing the overall cost of running a SIEM.

  • Defense in Depth: Can Geolocation Help Prevent Tax Fraud? (Graduate Student Research)
    by Jon Glas - January 3, 2020

    Abstract: Accountants and tax filing businesses use complex software to automate the preparation and electronic filing of tax returns. Cybercriminals harvest identities, breach networks, and impersonate legitimate users to leverage tax software to defraud the government, the affected businesses, and citizens for over $1 billion annually (McTigue, 2018). The IRS and tax software companies have partnered to implement controls focused on authentication, authorization, and detection to identify fraudulent tax returns before they are processed. These controls successfully prevent upwards of $10 billion of fraudulent filing a year (McTigue, 2018), but those controls focus on an analysis of the ‘who’ and ‘what’ components of tax returns. This paper uses Geolocation tools to look at the ‘where’ component of tax returns by analyzing legitimate and fraudulent tax return electronic filing data to look for trends and patterns. The goal of this paper is to determine if Geolocation technologies can be used as an additional layer of controls to support a defense in depth approach of fraud prevention.

  • Defending with Graphs: Create a Graph Data Map to Visualize Pivot Paths (Graduate Student Research)
    by Brianne Fahey - June 26, 2019

    Preparations made during the Identify Function of the NIST Cybersecurity Framework can often pay dividends once an event response is warranted. Knowing what log data is available improves incident response readiness and providing a visual layout of those sources enables responders to pivot rapidly across relevant elements. Thinking in graphs is a multi-dimensional approach that improves upon defense that relies on one-dimensional lists and two-dimensional link analyses. This paper proposes a methodology to survey available data element relationships and apply a graph database schema to create a visual map. This graph data map can be used by analysts to query relationships and determine paths through the available data sources. A graph data map also allows for the consideration of log sources typically found in a SIEM alongside other data sources like an asset management database, application whitelist, or HR information which may be particularly useful for event context and to review potential Insider Threats. The templates and techniques described in this paper are available in GitHub for immediate use and further testing.

  • Onion-Zeek-RITA: Improving Network Visibility and Detecting C2 Activity (Graduate Student Research)
    by Dallas Haselhorst - January 4, 2019

    The information security industry is predicted to exceed 100 billion dollars in the next few years. Despite the dollars invested, breaches continue to dominate the headlines. Despite best efforts, all attempts to keep the enemies at the gates have ultimately failed. Meanwhile, attacker dwell times on compromised systems and networks remain absurdly high. Traditional defenses fall short in detecting post-compromise activity even when properly configured and monitored. Prevention must remain a top priority, but every security plan must also include hunting for threats after the initial compromise. High price tags often accompany quality solutions, yet tools such as Security Onion, Zeek (Bro), and RITA require little more than time and skill. With these freely available tools, organizations can effectively detect advanced threats including real-world command and control frameworks.

  • An Evaluator's Guide to NextGen SIEM (Analyst Paper; requires membership in community)
    by Barbara Filkins - December 6, 2018

    A traditional SIEM often lacks the capability to produce actionable information and has a limited shelf life. To be effective, a SIEM must stay relevant in the face of new threats and changes in an organization's technical and support infrastructures. Learn about the key questions to ask as you research adding a next-generation SIEM, one that captures data and generates information that security teams can use as intelligence to detect potentially malicious activity.

  • Generating Anomalies Improves Return on Investment: A Case Study for Implementing Honeytokens (Graduate Student Research)
    by Wes Earnest - October 11, 2018

    Putting the right information security architecture into practice within an organization can be a daunting challenge. Many organizations have implemented a Security Information and Event Management (SIEM) to comply with the logging requirements of various security standards, only to find that it does not meet their information security expectations. According to a recent survey, more than half of respondents say they are not satisfied with their organization's SIEM. The following case study deconstructs these logging requirements and the assumptions that lead to a typical SIEM implementation, and discusses an alternative approach focused on improving the organization’s return on investment, decreasing security risk, and decreasing mean time to detection of a potential security breach.

  • All-Seeing Eye or Blind Man? Understanding the Linux Kernel Auditing System (Graduate Student Research)
    by David Kennel - September 21, 2018

    The Linux kernel auditing system provides powerful capabilities for monitoring system activity. While the auditing system is well documented, the manual pages, user guides, and much of the published writings on the audit system fail to provide guidance on the types of attacker-related activities that are, and are not, likely to be logged by the auditing system. This paper uses simulated attacks and analyzes logged artifacts for the Linux kernel auditing system in its default state and when configured using the Controlled Access Protection Profile (CAPP) and the Defense Information Systems Agency’s (DISA) Security Implementation Guide (STIG) auditing rules. This analysis provides a clearer understanding of the capabilities and limitations of the Linux audit system in detecting various types of attacker activity and helps to guide defenders on how to best utilize the Linux auditing system.

  • Extracting Timely Sign-in Data from Office 365 Logs by Mark Lucas - May 22, 2018 

    Office 365 is quickly becoming a repository of valuable organizational information, including data that falls under multiple privacy laws. Timely detection of a compromised account and stopping the bad guy before data is exfiltrated, destroyed, or the account used for nefarious purposes is the difference between an incident and a compromise. Microsoft provides audit logging and alerting tools that can assist system administrators in finding these incidents. An examination of the efficacy and efficiency of these tools and their shortcomings and advantages provides insight into how to best use the tools to protect individual accounts and the organization as a whole.

  • Building a Custom SIEM Integration for an API-Based Log Source Azure AD Graph Sign-In Events by Jason Mihalow - February 3, 2018 

    Enterprise security breaches can quickly paralyze operations and cripple the ability to do business if security teams are not adequately equipped to collect all critical log data from the services an organization uses. Vendors lead us to believe that we are comprehensively covered with their "out-of-the-box" log source integrations. It can be challenging for security professionals to find issues with these integrations, and it is usually not until a security incident that we realize that crucial log data is missing. This paper takes a critical look at a hidden gap in "out-of-the-box" integrations in SIEM platforms for API log sources, which we, as security professionals, rely on for our detection and analysis of security incidents. As organizations turn from on-premises log sources with push-style log delivery methods to cloud-based solutions where logs are pulled from an API endpoint, new issues arise that have not been seen before. These issues can lead to undetected gaps of missing data between the true record of API log data and what is found in the SIEM platform.

  • Creating a Logging Infrastructure (Graduate Student Research)
    by Brian Todd - November 3, 2017

    Logs are an essential aspect of understanding what is occurring in a company's network infrastructure and a company's applications. Log events help analysts to understand the health of the network and give insight into many types of issues. This paper explains how to set up a logging infrastructure by covering log formats and data sources. Then the discussion includes different ways to collect logs and transmit them. This paper then goes over how to pick relevant log sources and events to enable for collection. A company-wide architecture describes the process of collecting logs from offices across the world. Once the company-wide architecture is set up, the paper goes over some correlations using data from a real production network. The paper finishes by reviewing tools that are used to process, index, and correlate all the events that are received.

  • OSSIM: CIS Critical Security Controls Assessment in a Windows Environment (Graduate Student Research)
    by Kevin Geil - September 22, 2017

    Use of a Security Information and Event Management (SIEM) or log management platform is a recommendation common to several of the “CIS Critical Security Controls For Effective Cyber Defense” (2016). Because the CIS Critical Security Controls (CSC) focus on automation, measurement and continuous improvement of control application, a SIEM is a valuable tool. Alienvault's Open Source SIEM (OSSIM) is free and capable, making it a popular choice for administrators seeking experience with SIEM. While there is a great deal of documentation on OSSIM, specific information that focuses on exactly what events to examine, and then how to report findings is not readily accessible. This paper uses a demo environment to provide specific examples and instructions for using OSSIM to assess a CIS Critical Security Controls implementation in a common environment: A Windows Active Directory domain. The 20 Critical Security Controls can be mapped to other controls in most compliance frameworks and guidelines; therefore, the techniques in this document should be applicable across a wide variety of control implementations.

  • Node Router Sensors: What just happened? by Kim Cary - November 22, 2016 

    When an airliner crashes, one of the most important tasks is the recovery of the flight recorder or black box. This device gives precise & objective information about what happened and when before the crash. When an information security incident occurs on a network, it is equally important to have access to precise information about what happened to the victim machine and what it did after any compromise. A network of devices can be designed, economically constructed and managed to automatically capture and make available this type of data to information security incident handlers. In any environment, this complete record of network data comes with legal and ethical concerns regarding its use. Proper technical, legal and ethical operation must be baked into the design and operational procedures for devices that capture information on any network. These considerations are particularly necessary on a college campus, where such operations are subject to public discussion. This paper details the benefits, designs, operational procedures and controls and sample results of the use of "Node Router Sensors" in solving information security incidents on a busy college network.

  • Detecting Penetration Testers on a Windows Network with Splunk (Graduate Student Research)
    by Fred Speece - October 31, 2016

    Through data collection, reports, and alerts, an InfoSec team can have a better idea of what Penetration Testers are doing and hopefully in turn stop real bad guys that may get on their network. This paper discusses the configuration and setup of those alerts and the logging behind them. It also covers the thought process behind the alert and attack(s) it is trying to defend against. If an InfoSec department picked up this paper before their first Penetration Test, they would have better visibility into their network and alert on possible changes that an adversary could make. Splunk should not alert on everything, but it should alert on behavior that is abnormal. This paper is targeted for a Windows majority network with Active Directory in an organization with an immature security posture, using Splunk as their SIEM.

  • Boiling the Ocean: Security Operations and Log Analysis by Colin Chisholm - April 6, 2016 

    Incident handling is a difficult and challenging job. One of the many challenges of incident response, and the root of this paper, is obtaining access to the data needed to identify an incident.

  • IPv6 and Open Source IDS (Graduate Student Research)
    by Jon Mark Allen - May 14, 2015

    This paper will examine the current support of IPv6 amongst three of the most popular open source intrusion detection systems: Snort, Suricata, and Bro. It will also examine support of the IPv6 protocol within the publicly available signatures and rules for each system, where applicable.

  • Improving the Effectiveness of Log Analysis with HP ArcSight Logger 6 (Analyst Paper; requires membership in community)
    by Dave Shackleford - April 1, 2015

    A review of HP ArcSight Logger 6 by SANS analyst and instructor Dave Shackleford. It discusses the latest release of ArcSight Logger and its usefulness to security analysts who need to collect and monitor logs.

  • Faster than a speeding bullet: Geolocation data and account misuse (Graduate Student Research)
    by Tim Collyer - December 1, 2014

    Today's global economy and mobile workforce have a large impact on modern network security, elevating the importance of a "defense in depth" approach. Geolocation information has become an important element to monitor as part of such a layered defense. Incorporating geolocation information into network security programs does not necessarily require additional expenditure if the appropriate resources (such as a SIEM) are already in place. By tracking the geographic location for account logins, it is possible to discover anomalies by calculating the distance between two logins from the same account.

  • A Qradar Log Source Extension Walkthrough by Michael Stanton - September 22, 2014 

    The acronym SIEM refers to "Security Information and Event Management". Due to the many and varied functions provided, a concise definition is elusive.

  • Combining Security Intelligence and the Critical Security Controls: A Review of LogRhythm's SIEM Platform (Analyst Paper; requires membership in community)
    by Dave Shackleford - April 23, 2014

    Review of LogRhythm’s security information and event management (SIEM) platform with new security intelligence features built in for compliance.

  • Champagne SIEM on a Beer Budget (Analyst Paper; requires membership in community)
    by Jerry Shenk - March 12, 2014

    Review of SolarWinds' Log & Event Manager (LEM) ability to provide small-to-medium-size businesses the forensic intelligence, compliance and security information necessary to manage operations.

  • Setting up Splunk for Event Correlation in Your Home Lab (Graduate Student Research)
    by Aron Warren - November 25, 2013

    Splunk is an ideal event correlation instrument for use in large enterprise environments down to small home laboratory networks such as those used by students. Splunk's appeal has grown over the past few years due to a number of factors: speed and amount of collectable data, a growing user base as well as new ways of exploiting its capabilities are discovered. This paper will overview a student research home network Splunk installation including Internet taps, creation and automation of queries and finally pulling multiple data sources together to track security events.

  • Correlating Event Data for Vulnerability Detection and Remediation (Analyst Paper; requires membership in community)
    by Jacob Williams - October 8, 2013

    Examination of how 2012 Saudi Aramco “spearphishing” attacks could have been thwarted with the help of a SIEM platform that combines the power of historical data with real-time data from network data sources and security policies.

  • Discovering Security Events of Interest Using Splunk (Graduate Student Research)
    by Carrie Roberts - July 16, 2013

    Servers and the applications that run on them are under attack by malicious users through a variety of techniques (Mitnick & Simon, 2006).

  • Detecting Security Incidents Using Windows Workstation Event Logs by Russ Anthony - July 9, 2013 

    Windows event logs are a critical resource when investigating a security incident and aid in the determination of whether or not a system has been compromised.

  • Custom Full Packet Capture System by Derek Banks - March 28, 2013 

    The goal of a full packet capture system is to acquire the total sum of raw network traffic as it flows from the computers and devices on one network to the destinations on another network.

  • Creating a Bastioned Centralized Audit Server with GroundWork Open Source Log Monitoring for Event Signatures by Christopher Duffy - March 20, 2013 

    Setting up an Audit server is more than just pulling a piece of hardware off a shelf, slapping it in a rack, hooking it up to the network and off to work it goes.

  • Security Intelligence in Action: A Review of LogRhythm's SIEM 2.0 Big Data Security Analytics Platform (Analyst Paper; requires membership in community)
    by Dave Shackleford - December 12, 2012

    Review of LogRhythm's SIEM 2.0 Big Data Security Analytics Platform -- the fundamental capabilities and the innovative new features.

  • Logging and Monitoring to Detect Network Intrusions and Compliance Violations in the Environment by Sunil Gupta - August 8, 2012 

    Intrusion detection is the process of monitoring the events occurring in a computer system or network and analyzing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices.

  • Evil Through the Lens of Web Logs (Graduate Student Research)
    by Russ McRee - May 23, 2012

    Much is revealed when analyzing web logs with specific attention to what can be referred to as Internet Background Abuse, a term derived by the author and to be defined herein as a subset of the academic term Internet Background Radiation (IBR).

  • Shedding Light on Security Incidents Using Network Flows by Kevin Gennuso - May 16, 2012 

    Incident handlers, and information security teams in general, face significant challenges when dealing with incidents in modern networks.

  • SANS Eighth Annual 2012 Log and Event Management Survey Results: Sorting Through the Noise (Analyst Paper; requires membership in community)
    by Jerry Shenk - May 9, 2012

    SANS' Eighth Annual Log and Event Management Survey highlights the inability of many organizations to separate normal log data from actionable events.

  • NetIQ Sentinel 7 Review (Analyst Paper; requires membership in community)
    by Jerry Shenk - January 28, 2012

    A functional review of the latest NetIQ offering in the SIEM space that effectively addresses issues organizations are having with log collection and management.

  • Computer Forensic Timeline Analysis with Tapestry by Derek Edwards - November 29, 2011 

    One question commonly asked of investigators and incident responders is, "What happened?" The answer often takes the form of a story designed to convey understanding of complex mechanisms and interactions in a simple, straightforward way.

  • Optimized Network Monitoring for Real-World Threats (Analyst Paper; requires membership in community)
    by Dave Shackleford - July 1, 2011

    This paper explores current threats today’s networks face that impact monitoring capabilities, the types of gaps that exist in many current monitoring architectures, and ways that network and security monitoring can be improved through advances in traffic capture and delivery technologies such as intelligent distributed taps.

  • Creating Your Own SIEM and Incident Response Toolkit Using Open Source Tools by Jonny Sweeny - June 28, 2011 

    When an information security analyst is investigating incidents, he or she needs to have an organized set of tools.

  • SANS Seventh Annual Log Management Survey Report (Analyst Paper; requires membership in community)
    by Jerry Shenk - April 30, 2011

    This annual survey has consistently identified areas in which organizations are focusing their log management initiatives and continues to provide a roadmap to the industry for future improvement.

  • Successful SIEM and Log Management Strategies for Audit and Compliance by David Swift - November 9, 2010 

    While there are any number of compliance regulations (SOX, GLBA, PCI, FISMA, NERC, HIPAA... see Appendix E for an overview and links to regulations), and auditors follow various frameworks (COSO, COBIT, ITIL... see Appendix F for an overview and reference links), there are a few common core elements to success.

  • Mastering the Super Timeline With log2timeline by Kristinn Guðjónsson - August 25, 2010 

    Timeline analysis is a crucial part of every traditional criminal investigation. The need to know at what time a particular event took place, and in which order can be extremely valuable information to the investigator. The same applies in the digital world, timeline information can provide a computer forensic expert crucial information that can either solve the case or shorten the investigation time by assisting with data reduction and pointing the investigator to evidence that needs further processing. Timeline analysis can also point the investigator to evidence that he or she might not have found using other traditional methods.

  • SANS Log Management Survey: Mid-Sized Businesses Respond (Analyst Paper; requires membership in community)
    by Jerry Shenk - June 5, 2010
    Sponsored by: RSA

    Annual log management survey on how organizations collect and use their logs; what they aren’t currently using their log for but would like to; what they see as the biggest problems; and the impact Log Management issues have on small- and mid-sized businesses.

  • SANS Sixth Annual Log Management Survey Report (Analyst Paper; requires membership in community)
    by Jerry Shenk - April 1, 2010

    Results of the annual log management survey.

  • Effective Use Case Modeling for Security Information & Event Management by Daniel Frye - March 10, 2010 

    With today’s technology there exist many methods to subvert an information system which could compromise the confidentiality, integrity, or availability of the resource. Due to the abstract nature of modern computing, the only way to be reliably alerted of a system compromise is by reviewing the system’s actions at both the host and network layers and then correlating those two layers to develop a thorough view into the system’s actions. In most instances, the computer user often has no indication of the existence of the malicious software and therefore cannot be relied upon to determine if their system is indeed compromised.

  • SIEM Based Intrusion Detection with Q1Labs Qradar (Graduate Student Research)
    by Jim Beechey - February 18, 2010

    Attackers continue to find new methods for penetrating networks and compromising hosts. Therefore, defenders need to look for indications of compromise from as many sources as possible. Collecting and analyzing log data across the enterprise can be a challenging endeavor. However, the wealth of information for intrusion detection analysts is well worth the effort. SIEM solutions can help intrusion detection by collecting all relevant data in a central location and providing customizable alerting and reporting. In addition, SIEM solutions can provide significant value by helping to determine whether or not an incident occurred. The challenge for analysts is creating effective alerts in order to catch today's sophisticated and well-funded attackers.

  • Sentinel Log Manager Review (Analyst Paper; requires membership in community)
    by Jerry Shenk - January 5, 2010

    This paper is a review of the stand-alone Sentinel Log Manager and how it stands up to key concerns that survey respondents raised about log managers, including collection, storage and searching/reporting capabilities.

  • Check Point Firewall Log Analysis In-Depth by Mark Stingley - November 10, 2009 

    This is a short guidebook for network security analysts who want to find answers about their networks and systems quickly. Using open-source software and off-the-shelf components, an outstanding Check Point firewall log analysis platform can be built...

  • Harness the Power of SIEM by Dereck Haye - October 6, 2009 

    Defend against the Conficker worm and other viruses. How it is possible to take individual security updates and, in a SIEM architecture, combine them with other metrics to enhance and tune detection capabilities.

  • SANS Annual 2009 Log Management Survey (Analyst Paper; requires membership in community)
    by Jerry Shenk - April 17, 2009

    Annual log management survey shows companies far more successful at collecting log data, but indicates concerns around normalization, indexing and access, creating reports, and the log management lifecycle.

  • Benchmarking Security Information Event Management (SIEM) (Analyst Paper; requires membership in community)
    by J. Michael Butler - February 12, 2009

    SIEM is benchmarked by setting one baseline environment with equations for organizations to extrapolate benchmark requirements.

  • ArcSight Logger Review (Analyst Paper; requires membership in community)
    by Jerry Shenk - January 1, 2009

    ArcSight Logger 7100 v.3.0 can help organizations get valuable usage from log collection.

  • EVTX and Windows Event Logging by Brandon Charter - November 13, 2008 

    This paper will explore Microsoft’s EVTX log format and Windows Event Logging framework.

  • Log Management in the Cloud: A Comparison of In-House versus Cloud-Based Management of Log Data (Analyst Paper; requires membership in community)
    by Jerry Shenk - October 28, 2008

    Organizations have many questions to consider regarding business needs before switching to log management in the cloud (otherwise known as Software as a Service, or SaaS).

  • Cisco Pix Log Analysis In a University Setting by Jack Vant - July 29, 2008 

    This paper describes a study I conducted over a period of two months which attempted to determine whether an IDS system is necessary for one subnet on campus which is currently protected by a Cisco PIX firewall.

  • Leveraging Event and Log Data for Security and Compliance (Analyst Paper; requires membership in community)
    by Dave Shackleford - April 20, 2008

    This paper explores steps for using compliance to improve security incrementally over time, giving auditors and security teams alike more current and relevant event data to assess and act upon.

  • Detecting Attacks on Web Applications from Log Files by Roger Meyer - January 31, 2008 

    This paper explains how to detect the most critical web application security flaws. Web application log files allow a detailed analysis of a user's actions. Log files have their limits, though. Web server log files contain only a fraction of the full HTTP request and response. Knowing those limits, the majority of attacks can be recognized and acted upon to prevent further exploitation.

  • Configuring and Tuning Cisco CS-MARS (Graduate Student Research)
    by John Jarocki - January 4, 2008

    CS-MARS (Cisco Security Monitoring, Analysis and Response System), also referred to as "MARS," receives real-time alerts from IDS sensors, firewalls, Windows domain controllers, and many other devices. SNMP traps and syslog alerts can be forwarded to MARS, and vulnerability scanning information can also be imported. MARS groups events into sessions, and it uses endpoint vulnerability and network topology information to identify false positives automatically when possible. For example, an IDS sensor might report a PC attempting peer-to-peer file sharing, but the firewall log shows those packets were dropped [2]. CS-MARS would mark this as a System Identified False Positive. In another case, a Windows RPC DCOM Overflow might be seen by an IDS system, but the target vulnerability scan shows the host is not running an affected version of Microsoft Windows: another false positive (at least for the attack itself). From mountains of IDS, IPS, firewall, router, and system event logs, a properly tuned CS-MARS installation produces a correlated set of incidents that are likely to need real attention. The key to this degree of data reduction is the proper configuration and tuning of the CS-MARS device. The following configuration and tuning steps will be covered in depth, based on tuning work done by the author and his team in a large, worldwide installation.

  • Log Analyzer for Dummies Graduate Student Research
    by Emilio Valente - December 20, 2007 

    With a few simple existing tools I will explain how even an entry-level system administrator can easily build an effective and inexpensive network log analyzer. What I call "Log Analyzer for dummies" is a versatile and stable tool with a minimal cost: it can be easily installed in any environment, it can support most devices and almost any vendor, and it has large storage capability.

  • Log Management SIMetry: A Step by Step Guide to Selecting the Correct Solution Graduate Student Research
    by Jim Beechey - October 24, 2007 

    The information security profession continues to evolve and advance as organizations place greater value on their information security programs. These programs have grown significantly in the past few years, especially in small to medium sized organizations. Technical solutions such as firewalls, VPNs, antivirus, patch management systems, intrusion detection/prevention systems and vulnerability scanners have all helped to address specific security issues. These technologies have also created a mountain of alerts and logs requiring a significant time investment to properly address important issues. As compliance, incident response and an increasing demand for IT security efficiency become more prevalent, organizations struggle with how to manage these disparate technologies efficiently and effectively. This is where a security information and event management system can help solve some of those challenges.

  • NetDetector/NetVCR 2005 Traffic Analyzer Analyst Paper (requires membership in community)
    by Jerry Shenk - August 5, 2007 

    NIKSUN NetDetector/NetVCR 2005 collects all types of data and offers a different approach to storing and making event and traffic data accessible.

  • The SANS 2007 Log Management Market Report Analyst Paper (requires membership in community)
    by Jerry Shenk - June 5, 2007 

    An analysis of survey data to unlock how log data is being used successfully, key problems holding enterprises back from log management, what is needed from the vendor community and how vendors are working to resolve issues.

  • A Practical Application of SIM/SEM/SIEM Automating Threat Identification by David Swift - May 21, 2007 

    Proper deployment of a SEM tool prior to an incident can radically increase one's effectiveness at identifying an incident in progress.

  • Visual Baselines - Maximizing Economies of Scale Using Round Robin Databases by Kirsten Hook - January 11, 2007 

    One of the most critical aspects of any security professional's job is to have a solid understanding of their network. This is where creating a baseline of your network becomes vital.

  • Building the Business Case for Log Management Intelligence (LMI) - November 2006 Analyst Paper (requires membership in community)
    by Steve Mancini, Jerry Shenk - November 6, 2006 

    An outline of key business drivers for deploying a Log Management Intelligence (LMI) solution.

  • The Log Management Industry: An Untapped Market Analyst Paper (requires membership in community)
    by Stephen Northcutt, Jerry Shenk, Dave Shackleford - June 1, 2006 

    The Log Management market has increased dramatically because the advantages of log management extend well beyond security to health monitoring, forensics, regulatory compliance and marketing.

  • Building a Secure Nagios Server by Chris Dahlke - May 17, 2005 

    The objective of this paper is to document a secure installation and deployment strategy for Nagios, which is a very comprehensive and flexible network monitoring application.

  • Configuring a Free Automated Host Auditing System for Windows 2000 Server and 2003 Server by Ryan Mortensen - May 5, 2005 

    This project will bring together a collection of tools that monitor different aspects of a host. This host auditing system has been deployed on our more critical servers in order to reduce the time between an intrusion and its detection as well as to monitor the system state in order to more easily identify important changes to the operating system.

  • How to Configuring Local Logging on Solaris 8 and Use Symantec Intruder Alert for Centralized Logging by Nolan Haisler - May 5, 2005 

    Logging is often a forgotten security friend for system administrators until a security breach has occurred. The security administrator then goes to look at the logs only to find that there are no logs, the logs are incomplete, or that the logs have been modified by the attacker himself to cover his tracks.

  • Securing a Network Device Support Server Running Debian Linux by Douglas Ridgeway - May 5, 2005 

    This paper fulfills the requirements for SANS Securing Unix (GCUX) Certification. It covers building a Debian Linux tftp server in a secure manner. It includes policy based auditing and monitoring the server with a syslog infrastructure, in order to accomplish the security goals of the fictitious business GIAC Enterprises.

  • Creating A Secure Linux Logging System by Nathaniel Hall - January 19, 2005 

    The purpose of this paper is to identify and demonstrate methods that can be used to create a secure Linux logging system that can be expanded to other types of systems for secure logging. Using logs, data can be collected to figure out why a server crashed.

  • The Importance of Logging and Traffic Monitoring for Information Security by Seham GadAllah - April 19, 2004 

    This paper discusses one of the important aspects in any security model, which is the monitoring of the network and systems. If you ask yourself how you can get a complete view of your network, the answer will almost always be through using a complete logging system and through using almost all the available traffic monitoring tools.

  • Low- to No-Cost Methods to Review Webserver Logs for Potential Security Issues by Edgar Glasheen - December 14, 2003 

    This is a description of the inexpensive methods I devised to extract and tally records of interest in order to analyze webserver logfiles for potential security problems and compromise attempts, while also obtaining IP address statistics.

  • Security Management Systems: An Oversite Layer for Layers of Defense by Dan Keldsen - September 4, 2003 

    This paper discusses ways to make IDS and "traditional" security solutions more effective by "rolling up" security event information into an overall view of your organization's security stance.

  • The Ins and Outs of System Logging Using Syslog by Ian Eaton - August 14, 2003 

    The intent of this paper is to help the reader follow a process of thinking that will provide them with the tools to understand the fundamentals of system logging.

  • Log Analysis as an OLAP Application - A Cube to Rule Them All - by Clement Leong - August 8, 2003 

    This paper discusses a specific implementation of using OLAP technology on log analysis, in particular by using the Seagate Analysis OLAP client.

  • Case Study: Using Syslog in a Microsoft & Cisco Environment by Dan Rathbun - June 27, 2003 

    This case study details the development of a centralized logging infrastructure using Syslog in a Microsoft and Cisco based environment.

  • A Security Analysis of System Event Logging with Syslog by Kenneth Nawyn - June 27, 2003 

    This paper provides an analysis of the system event logging protocol, discusses some of the problems with the syslog protocol and then addresses how one might go about creating a reasonably secure logging infrastructure.

  • Centralizing Event Logs on Windows 2000 by Gregory Lalla - April 4, 2003 

    This case study will detail how I setup a central repository for server logs and daily notifications of events that might indicate a security incident.

  • Effective Logging & Use of the Kiwi Syslog Utility by Brian Wilkins - June 7, 2002 

    After reading this document, a security professional should have a good understanding of how Kiwi's syslog utility could be implemented to provide an effective means of providing network information used for a wide range of tasks.

  • Importance of Understanding Logs from an Information Security Standpoint by Stewart Allen - October 5, 2001 

    This document will discuss the importance of logs in the 21st century, and give an idea of what problems Information Security professionals face when trying to analyze them.

  • Cisco Pix: Logging and Beyond by Ben Carlsrud - September 26, 2001 

    This document will present a "how to" on logging of a Cisco Pix Firewall version 6.1. It will show how to implement logging via SYSLOG locally and remotely (VPN solution). It will also discuss some of the logging that can be done with the Cisco Pix Device Manager (PDM).

  • Syslog and Netsaint: How to Integrate Centralized Logging with Centralized Monitoring by Richard Murphy - July 27, 2001 

    This paper will address three aspects of centralized management: 1) centralized log management, 2) centralized monitoring, and 3) the integration of the two technologies.

Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large. SANS attempts to ensure the accuracy of information, but papers are published "as is". Errors or inconsistencies may exist or may be introduced over time as material becomes dated. If you suspect a serious error, please contact

All papers are copyrighted. No re-posting or distribution of papers is permitted. Graduate Student Research - This paper was created by a SANS Technology Institute student as part of the graduate program curriculum.