Defense in depth -- This concept is the basis of true Information Technology (IT) security. Without multiple levels of security it is folly to believe that our IT systems approach anything close to security. In this paper I'll be focusing on what I feel are some of the most important mechanisms of defense in depth: logging and auditing. Logs are often thought of as things that are consulted only after an incident. I suggest that logging is at the root of a much broader tree that encompasses such things as Intrusion Detection Systems (IDS) and forensics, and that it is intimately related to security policies. Logging takes many forms and is done differently on the various hardware and software platforms. This paper is limited to the Unix system log, syslog, and to swatch, a program that facilitates the use of logs. Syslog will often be known by different names, depending on the flavor of Unix being run. My plan is to address general logging and auditing concepts and then to explore Unix syslog and swatch. Logging on Unix goes far beyond this one log system and varies depending on the version of Unix being used. Syslog, however, is virtually universal to all Unix flavors and has tremendous capabilities when properly configured. I will also touch on forensics as it relates to logs.
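As an added illustration of the syslog-plus-swatch approach the paper describes (this is not code from the paper or from the swatch project), here is a minimal swatch-style watcher in Python: it parses BSD-format syslog lines, decodes the optional `<PRI>` prefix into facility and severity, and raises an alert when a pattern crosses a per-source threshold. The rules, host names, addresses and sample log lines are constructed for the example.

```python
import re
from collections import defaultdict

# BSD syslog line: "<PRI>Mon DD HH:MM:SS host prog[pid]: message"
# (the <PRI> part is present on the wire, usually absent in files written by syslogd)
SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)

def parse_syslog_line(line):
    """Return a dict of fields, or None if the line is not syslog-formatted."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    if rec["pri"] is not None:                # PRI = facility * 8 + severity
        pri = int(rec["pri"])
        rec["facility"], rec["severity"] = pri // 8, pri % 8
    return rec

# Swatch-style rules (constructed): a regex over the message and an alert threshold.
# Captured groups (user, source address) become part of the counting key.
RULES = [
    {"name": "failed-login", "threshold": 3,
     "pattern": re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")},
    {"name": "su-root", "threshold": 1,
     "pattern": re.compile(r"session opened for user root")},
]

def watch(lines, rules=RULES):
    """Feed syslog lines through the rules; return the alerts raised, in order."""
    counts, alerts = defaultdict(int), []
    for line in lines:
        rec = parse_syslog_line(line)
        if rec is None:                       # skip non-syslog noise instead of crashing
            continue
        for rule in rules:
            m = rule["pattern"].search(rec["msg"])
            if not m:
                continue
            key = (rule["name"], rec["host"]) + m.groups()
            counts[key] += 1
            if counts[key] == rule["threshold"]:   # alert once, when the threshold is hit
                alerts.append({"rule": rule["name"], "host": rec["host"],
                               "detail": m.groups(), "count": counts[key]})
    return alerts

SAMPLE_LOG = """\
Mar  4 10:15:01 gateway sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  4 10:15:03 gateway sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Mar  4 10:15:05 gateway sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51026 ssh2
Mar  4 10:15:07 gateway sshd[2231]: Accepted publickey for ops from 192.0.2.10 port 40012 ssh2
Mar  4 10:16:00 gateway su[2250]: pam_unix(su:session): session opened for user root by ops(uid=1000)
this line is not syslog
"""

if __name__ == "__main__":
    for alert in watch(SAMPLE_LOG.splitlines()):
        print(alert)
```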