Log management principle and usage
Download as PPTX, PDF1 like1,642 views
Log management involves collecting logs from various sources, normalizing the data into a readable format, and using log intelligence and monitoring tools to detect threats, enable incident response and forensic investigations, and ensure regulatory compliance. It provides a centralized way to search logs, correlate events, and generate reports which can help security teams more efficiently investigate issues compared to traditional methods of reviewing raw logs. Challenges include a lack of standard log formats and capturing all activity, but the market for log management software is large and growing due to its importance for compliance needs.
Log management principle and usage
- 1. Log Management Principle and Usage Bikrant Gautam, MSIA Fall, SCSU
- 2. Log Sources: What is log? records of events.
- 3. ? But why Log Management? ● Numeros computers ● Numerous logs ● Hard to pinpoint a single log
- 4. Log Management Operation Log Collecting/Archiving Log Normalization Log Intelligence/Forensics and Monitoring
- 5. Log Archiving ● Collect numerous logs in raw from from different sources. ● Includes system event logs, SNMP traps, Flow data etc. ● Different tools deployed to collect logs, fetchers or collectors,
- 6. Log Normalization Raw Windows 2003 log <13>Apr 02 10:10:31 LPDC22.logpoint.net MSWinEventLog 1 Security 34796279 Thu Apr 02 10:10:31 2015 4634 Microsoft-Windows-Security-Auditing St.CloudCQ899$ N/A Success Audit scsu.test.net Logoff An account was logged off. Subject: Security ID: S- 1-5-21-1078081533-1303643608-682003330-14083 Account Name: SCSU11$ Account Domain: Husky Logon ID: 0x8764a6ab Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 34790802 Normalized logs LogTime=2015/04/02 10:10:31 object=account Action=logged off | EventLog=Security | User= CQ899$ | Domain=St.Cloud EventCategory=Logoff | EventId=4634 EventSource=Microsoft-Windows-Security EventType=Success
- 7. Application Fields ✘Threat protection and discovery ✘Incidence response and forensics ✘Regulatory compliance and audit ✘It system and network troubleshooting ✘System performance and management Ref: Anton Chuvakin ; http://www.slideshare.net/anton_chuvakin/log-management-and-compliance-whats-the-real-story-b dr-anton-chuvakin
- 8. Plain old log investigation method ✘ collect logs from all associated computers ( will not be few) ✘ Go through each logs searching for evidence (might take years to complete) ✘ finally give up, as the information was stored in a binary value not readable to human eyes. A curious case of auditing with logs Using log management tool ✘ point all your devices to a central log collection server. ✘ all cryptic logs are normalized to human readable format ✘ Search for particular keyword, or event on a specific time. ✘ Complete the forensic in no time.
- 9. Use Case: Monitoring Users logging to eros server ✘user smmsp has logged into eros server for almost 6000 times. ✘user charles.kangas have logged into the system for almost 2500 times
- 10. Use case: Continued, Drilling down ✘further investigation for charles.Kangas was done. ✘the originating source ips were searched on arin-whois and the further information were collected
- 11. Use case: Continued, User Information ✘The result of whois lookup for user Charles. ✘Origin of request seems fair enough. What if the originating IP was from North Korea?
- 12. AdvanceD Operation Lookup Log Correlation Reporting ● 10 logins on last 5 second ● connect to external databases ● present the finding on a neat report that can be send to BOSSes
- 13. Advantages of Log Management Tool ✘cool dashboard to visualize queries ✘deployed in your private server so the integrity of data is maintained ✘can be configured to generate alerts and triggers according to your business requirement ✘supports your compliance requirement
- 14. Challenges of Log Management ✘Lack of common log format ✘Not all activities generate logs ✘Not all activities are logged ✘Requires user to learn new script for every log management tool ✘High volume of irrelevant data
- 15. The future?
- 17. 1.3 billion Projected revenue of Log management softwares in 2015
- 18. Conclusion ✘ A versatile tool to approach various challenges. ✘ Provides IT security with forensics and investigative platform ✘ Quicker and faster alternative to plain old auditing system
- 19. Questions?