So I was doing my post-Defcon reading and Anton Chuvakin wrote a blog post about the recent 2010 Verizon Data Breach Report (produced in conjunction with the Secret Service). What jumped out at me was how few companies actually check their logs. Specifically:
“We’ve observed companies that were hell-bent on getting patch x deployed by week’s end but hadn’t even glanced at their log files in months.” to which Anton says “given that password guessing – seen in logs – trumps vuln exploitation by such a wide margin, this should change. Will it?” (quoted from here.)
I then think about the insanity of this statement. Companies haven’t checked their log files in months? Why even have logging turned on? But seriously, you or your company should have a plan to review log files regularly. I would even argue that if you are big enough, this should be one or more people’s job! In addition, if you are not checking logs, how can you even know what’s normal and what isn’t? Imagine if the nuclear power plant down the street from you didn’t check its logs. Imagine if your car didn’t check its logs (think of the annual inspection, which is probably more regular than some companies’ log reviews).
The great thing about log management is that once you have a system in place, it gets a lot easier! You can figure out a baseline for what is normal, and then get alerted when you have an anomaly. Most vendors actually provide a few different ways to do this; the big guys (MS, Cisco, the firewall vendors) all have either syslog output or a built-in tool to deal with logs. How can you expect to find those 30 brute force attempts Thursday night if you don’t know what’s normal?
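To make the baseline-and-anomaly idea concrete, here is an added example (mine, not from the original post or from Anton’s materials). It assumes OpenSSH sshd authentication lines in standard syslog format; the log lines themselves are constructed, with a quiet baseline over three days and a 30-attempt password-guessing burst on the fourth. The detector counts failed logins per day, derives a threshold from the baseline days, and reports any later day that exceeds it together with the source address responsible for most of the failures:

```python
import re
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Matches OpenSSH sshd success/failure lines in syslog format (no year in timestamp).
LOG_LINE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)

# Constructed sample log: three quiet baseline days (Aug 2-4) ...
BASELINE_LOG = """\
Aug  2 21:03:11 bastion sshd[4021]: Failed password for root from 203.0.113.7 port 51022 ssh2
Aug  2 21:03:14 bastion sshd[4021]: Failed password for root from 203.0.113.7 port 51022 ssh2
Aug  2 21:05:40 bastion sshd[4033]: Accepted publickey for alice from 192.0.2.10 port 40112 ssh2
Aug  3 20:11:02 bastion sshd[5102]: Failed password for invalid user test from 198.51.100.4 port 3022 ssh2
Aug  3 22:45:13 bastion sshd[5190]: Accepted password for bob from 192.0.2.11 port 40113 ssh2
Aug  4 21:30:00 bastion sshd[6001]: Failed password for admin from 203.0.113.7 port 52000 ssh2
"""

# ... followed by 30 failed attempts within five minutes on Thursday night (Aug 5, constructed).
BURST_LOG = "\n".join(
    f"Aug  5 21:{i // 6:02d}:{(i % 6) * 10:02d} bastion sshd[7{i:03d}]: "
    f"Failed password for root from 203.0.113.9 port {50000 + i} ssh2"
    for i in range(30)
)

SAMPLE_LOG = BASELINE_LOG + BURST_LOG + "\n"


def parse_line(line):
    """Return a dict of fields for an sshd auth line, or None for anything else."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    event = m.groupdict()
    # Normalise the day key so "Aug  2" and "Aug 12" sort and compare cleanly.
    event["day"] = f"{event['mon']} {int(event['day']):02d}"
    return event


def failed_logins_per_day(log_text):
    """Map each day to a Counter of failed-login attempts keyed by source IP."""
    per_day = defaultdict(Counter)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event and event["result"] == "Failed":
            per_day[event["day"]][event["ip"]] += 1
    return per_day


def find_anomalies(per_day, baseline_days, min_burst=10, sigmas=3.0):
    """Flag days whose failed-login total exceeds the baseline-derived threshold.

    The threshold is the larger of a fixed floor (min_burst) and mean + sigmas * stddev
    of the baseline days, so a very quiet baseline does not make every stray typo an alert.
    """
    counts = [sum(per_day.get(day, Counter()).values()) for day in baseline_days]
    threshold = max(min_burst, mean(counts) + sigmas * pstdev(counts))
    alerts = []
    for day, by_ip in sorted(per_day.items()):
        if day in baseline_days:
            continue
        total = sum(by_ip.values())
        if total > threshold:
            top_ip, top_count = by_ip.most_common(1)[0]
            alerts.append({
                "day": day,
                "failed": total,
                "threshold": threshold,
                "top_source": top_ip,
                "from_top_source": top_count,
            })
    return alerts


if __name__ == "__main__":
    per_day = failed_logins_per_day(SAMPLE_LOG)
    for alert in find_anomalies(per_day, ["Aug 02", "Aug 03", "Aug 04"]):
        print(f"ALERT {alert['day']}: {alert['failed']} failed logins "
              f"(threshold {alert['threshold']:.1f}), "
              f"{alert['from_top_source']} from {alert['top_source']}")
```

The point of the baseline days is that the threshold comes from what your own hosts normally see rather than from a number someone guessed; the fixed floor of ten is an assumption you would tune once you have looked at a few weeks of real data. In practice you would feed this the output of your syslog collector rather than an inline string, and key on hours rather than days for faster alerting.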
There are also some great SIEMs out there that will collect logs in addition to running Snort/IDS. Software like OSSEC, GFI EventsManager, and OSSIM is a good place to start. Make sure you define your requirements before you just go and implement, though. Do you want to save 30 days of logs? 3 years? Understanding what you want to log and for how long will go a long way in your planning and make deployment of a log management solution much easier.
Do you want a basic primer in log management? I found these slides on Anton’s blog. He gave a class in April at the Project Honeynet. Slides here. If you haven’t jumped into log management, there is a lot to learn, not just about dealing with logs, but about your network!