5. Log Archiving
● Collect numerous logs in raw from from different
sources.
● Includes system event logs, SNMP traps, Flow data etc.
● Different tools deployed to collect logs, fetchers or
collectors,
6. Log Normalization
Raw Windows 2003 log
<13>Apr 02 10:10:31 LPDC22.logpoint.net MSWinEventLog 1 Security 34796279 Thu Apr
02 10:10:31 2015 4634 Microsoft-Windows-Security-Auditing St.CloudCQ899$ N/A
Success Audit scsu.test.net Logoff An account was logged off. Subject: Security ID: S-
1-5-21-1078081533-1303643608-682003330-14083 Account Name: SCSU11$ Account Domain: Husky
Logon ID: 0x8764a6ab Logon Type: 3 This event is generated when a logon session is destroyed. It
may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between
reboots on the same computer. 34790802
Normalized logs
LogTime=2015/04/02 10:10:31
object=account
Action=logged off |
EventLog=Security |
User= CQ899$ |
Domain=St.Cloud
EventCategory=Logoff |
EventId=4634
EventSource=Microsoft-Windows-Security
EventType=Success
7. Application Fields
✘Threat protection and discovery
✘Incidence response and forensics
✘Regulatory compliance and audit
✘It system and network troubleshooting
✘System performance and management
Ref: Anton Chuvakin ; http://www.slideshare.net/anton_chuvakin/log-management-and-compliance-whats-the-real-story-b
dr-anton-chuvakin
8. Plain old log investigation method
✘ collect logs from all associated
computers ( will not be few)
✘ Go through each logs searching for
evidence (might take years to
complete)
✘ finally give up, as the information was
stored in a binary value not readable
to human eyes.
A curious case of auditing with logs
Using log management tool
✘ point all your devices to a central log
collection server.
✘ all cryptic logs are normalized to
human readable format
✘ Search for particular keyword, or
event on a specific time.
✘ Complete the forensic in no time.
9. Use Case: Monitoring Users logging to eros server
✘user smmsp has
logged into eros
server for almost
6000 times.
✘user charles.kangas
have logged into the
system for almost
2500 times
10. Use case: Continued, Drilling down
✘further investigation
for charles.Kangas
was done.
✘the originating source
ips were searched on
arin-whois and the
further information
were collected
11. Use case: Continued, User Information
✘The result of whois
lookup for user
Charles.
✘Origin of request
seems fair enough.
What if the originating IP was
from North Korea?
13. Advantages of Log Management Tool
✘cool dashboard to visualize queries
✘deployed in your private server so the integrity of data is
maintained
✘can be configured to generate alerts and triggers according to
your business requirement
✘supports your compliance requirement
14. Challenges of Log Management
✘Lack of common log format
✘Not all activities generate logs
✘Not all activities are logged
✘Requires user to learn new script for every log management
tool
✘High volume of irrelevant data
18. Conclusion
✘ A versatile tool to approach various challenges.
✘ Provides IT security with forensics and investigative
platform
✘ Quicker and faster alternative to plain old auditing
system