Log review and management

From OWASP
Latest revision as of 13:28, 27 May 2009

Overview

Purpose:

  • Detect suspicious activities as early as possible, to reduce the impact of an incident or to prevent it where possible.
  • Unify the log format, the log elements and the review functions across systems.

Role:

  • Who typically does this?

A security administrator, or an independent party who has no access rights or accounts on the reviewed systems. You cannot be a user administrator and at the same time review your own activity every day. If resource limitations make that unavoidable, another supervisor must authorize your log review.

Frequency:

It depends on the criticality of the system as labelled by the organization (e.g. payment system, customer information, business secrets): logs may be reviewed every few minutes, daily, weekly, monthly or even every 3 months. Log review is a detective control, not a preventive one; it is the goalkeeper, so the review frequency is critical.

However, the user account and authority list should be reviewed at least every 3 to 6 months, and never only when the audit cycle is approaching.

Log Review Tips

Critical systems require at least daily log review. Which types of logs and activities deserve attention?

1. Consecutive login failures, especially outside office hours.

2. Logins outside office hours.

3. Authority changes, additions and removals. Check them against the authorized applications.

4. Any system administrator activities.

5. Any unknown workstations or servers plugged into the network.

6. Log removal, log overwriting, or a full log store.

7. Pay extra attention to the log reports after weekends and holidays.

8. Any accounts unlocked or passwords reset by system administrators without authorized forms.
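The following script is an added example for this page, not OWASP code. It runs automated checks for tips 1, 2, 3, 4 and 6 over a handful of constructed log lines; the line format, event names, office-hours window, failure threshold and administrator account list are all assumptions made for the demo, and a real deployment would substitute its own log parser and lists.

```python
"""Automated checks for several of the log-review tips above, run over
constructed sample log lines (added example, not OWASP code)."""
from collections import Counter, defaultdict
from datetime import datetime, time

# Constructed sample log lines: "<date> <time> <host> <EVENT> key=value ...".
# 2009-05-27 is a Wednesday, so only the clock decides office hours here.
SAMPLE_LOGS = """\
2009-05-27 02:11:05 app01 LOGIN_FAIL user=bob src=10.0.0.5
2009-05-27 02:11:09 app01 LOGIN_FAIL user=bob src=10.0.0.5
2009-05-27 02:11:14 app01 LOGIN_FAIL user=bob src=10.0.0.5
2009-05-27 02:12:01 app01 LOGIN_OK user=bob src=10.0.0.5
2009-05-27 09:30:00 app01 LOGIN_OK user=alice src=10.0.0.7
2009-05-27 10:02:33 app01 ROLE_CHANGE user=carol by=admin1 detail=added:payments_approver
2009-05-27 22:45:12 app01 LOGIN_OK user=admin1 src=10.0.0.9
2009-05-27 22:46:00 app01 LOG_CLEARED user=admin1 src=10.0.0.9
"""

OFFICE_START, OFFICE_END = time(8, 0), time(18, 0)  # assumed office hours, Mon-Fri
FAIL_THRESHOLD = 3                                   # consecutive failures that raise a finding
ADMIN_ACCOUNTS = {"admin1"}                          # assumed system administrator accounts
AUTHORITY_EVENTS = {"ROLE_CHANGE", "ROLE_ADD", "ROLE_REMOVE"}
LOG_TAMPER_EVENTS = {"LOG_CLEARED", "LOG_OVERWRITTEN", "LOG_FULL"}


def parse_line(line):
    """Split one sample line into a dict; key=value pairs become fields."""
    parts = line.split()
    ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    fields = dict(p.split("=", 1) for p in parts[4:])
    return {"ts": ts, "host": parts[2], "event": parts[3], **fields}


def is_off_hours(ts):
    """Weekend, or outside the assumed office window."""
    return ts.weekday() >= 5 or not (OFFICE_START <= ts.time() < OFFICE_END)


def review(log_text):
    """Return one finding dict per tip triggered, in log order."""
    findings = []
    fail_streak = defaultdict(int)  # consecutive LOGIN_FAIL count per user
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        ev, user = rec["event"], rec.get("user")
        actor = rec.get("by", user)  # who performed the action
        off_hours = is_off_hours(rec["ts"])

        def add(tip, **extra):
            findings.append({"tip": tip, "ts": rec["ts"], "user": user,
                             "off_hours": off_hours, **extra})

        # Tip 1: consecutive login failures (flagged once, when the streak hits the threshold)
        if ev == "LOGIN_FAIL":
            fail_streak[user] += 1
            if fail_streak[user] == FAIL_THRESHOLD:
                add("consecutive_login_failures", count=fail_streak[user])
        else:
            fail_streak[user] = 0
        # Tip 2: successful login outside office hours
        if ev == "LOGIN_OK" and off_hours:
            add("off_hours_login")
        # Tip 3: authority change, to be checked against the authorized application
        if ev in AUTHORITY_EVENTS:
            add("authority_change", by=actor, detail=rec.get("detail", ""))
        # Tip 4: any system administrator activity
        if actor in ADMIN_ACCOUNTS:
            add("admin_activity", by=actor, event=ev)
        # Tip 6: log removal, overwriting or a full log store
        if ev in LOG_TAMPER_EVENTS:
            add("log_tampering", by=actor, event=ev)
    return findings


def summary(findings):
    """Count findings per tip, the shape a daily review report would show."""
    return dict(Counter(f["tip"] for f in findings))


if __name__ == "__main__":
    for f in review(SAMPLE_LOGS):
        print(f["ts"], f["tip"], f["user"], "off-hours" if f["off_hours"] else "")
    print(summary(review(SAMPLE_LOGS)))
```

On the sample data this raises eight findings: one burst of failed logins for bob at night, two off-hours logins, one role change, three administrator actions (one of which is the role change) and one cleared log. Tips 5, 7 and 8 are not covered here because they need network inventory and authorization-form data rather than the login log alone.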

Log Standard

In practice we face a variety of log formats and standards from different systems, whether we work in-house or as consultants. Why not give developers a standard/guideline before they design the user administration and audit trail functions, so that the security controls are met from the start?

Functions:-

  • Search - By date and time, by event type, by criticality, by account/user ID, by department
  • Sorting - By date and time, by event type, by criticality, by account/user ID, by department
  • Paging (Optional)
  • Critical event is marked by "*"
  • Log archive and export
  • Log code and description table
  • Highlighting system and user administrator activities


Mandatory Fields:-

  • User ID and Name (the event may sometimes involve an action by an administrator)
  • Activity Date/Timestamp
  • Activity Code, Type and Description
  • Terminal IP address and Location


User Account List:-

  • User Info - Name, Department, Role
  • Last Accessed Time
  • Account Creation Date/Time
  • Current Authority and Role
  • Account authority and information change history
  • Show expired and inactive accounts (for example: no access for 90 days)
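As an added example (not OWASP code, and not any project's API), the following module turns the Log Standard above into a concrete record format: a log record with the mandatory fields, a code/description table, search and sort on the listed criteria, rendering that marks critical events with "*" and highlights administrator actions, and a user account list check for expired and inactive accounts. The field names, the code table, the criticality scale and the 90-day threshold are assumptions chosen for the demo; the sample records are constructed.

```python
"""Concrete log and account record standard built from the page's field and
function lists (added example, not OWASP code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Log code and description table (constructed): code -> (type, description, criticality 1..3).
CODE_TABLE = {
    "A001": ("AUTH", "Successful login", 1),
    "A002": ("AUTH", "Failed login", 2),
    "U101": ("USER_ADMIN", "Role granted", 3),
    "U102": ("USER_ADMIN", "Password reset by administrator", 3),
}


@dataclass
class LogRecord:
    user_id: str                    # mandatory: user ID and name
    user_name: str
    timestamp: datetime             # mandatory: activity date/timestamp
    code: str                       # mandatory: activity code; type/description via CODE_TABLE
    terminal_ip: str                # mandatory: terminal IP address and location
    location: str
    department: str = ""
    admin_id: Optional[str] = None  # set when an administrator acted on the user

    @property
    def activity_type(self):
        return CODE_TABLE[self.code][0]

    @property
    def description(self):
        return CODE_TABLE[self.code][1]

    @property
    def criticality(self):
        return CODE_TABLE[self.code][2]

    def render(self):
        """One review line: critical events marked "*", administrator actions highlighted."""
        mark = "*" if self.criticality >= 3 else " "
        who = f"{self.user_id} ({self.user_name})"
        if self.admin_id:
            who += f" [ADMIN: {self.admin_id}]"
        return (f"{mark} {self.timestamp:%Y-%m-%d %H:%M:%S} {self.code} {self.activity_type:<10} "
                f"{who} {self.terminal_ip}/{self.location} - {self.description}")


def search(records, *, user_id=None, activity_type=None, min_criticality=None,
           department=None, start=None, end=None):
    """Filter on the search criteria the standard lists; None means 'any'."""
    out = []
    for r in records:
        if user_id is not None and r.user_id != user_id:
            continue
        if activity_type is not None and r.activity_type != activity_type:
            continue
        if min_criticality is not None and r.criticality < min_criticality:
            continue
        if department is not None and r.department != department:
            continue
        if start is not None and r.timestamp < start:
            continue
        if end is not None and r.timestamp > end:
            continue
        out.append(r)
    return out


SORT_KEYS = {"timestamp", "activity_type", "criticality", "user_id", "department"}


def sort_records(records, key, descending=False):
    """Sort on one of the standard's sort keys; Python's sort is stable, so ties keep log order."""
    if key not in SORT_KEYS:
        raise ValueError(f"unsupported sort key: {key}")
    return sorted(records, key=lambda r: getattr(r, key), reverse=descending)


@dataclass
class Account:
    user_id: str
    name: str
    department: str
    role: str
    created: datetime
    last_access: Optional[datetime]
    expired: bool = False


def stale_accounts(accounts, now, inactive_days=90):
    """Expired accounts plus accounts with no access within inactive_days."""
    cutoff = now - timedelta(days=inactive_days)
    return [a for a in accounts if a.expired or a.last_access is None or a.last_access < cutoff]


# Constructed sample data for the demo.
NOW = datetime(2009, 5, 27, 13, 28)
RECORDS = [
    LogRecord("bob", "Bob Lee", datetime(2009, 5, 27, 2, 11, 5), "A002", "10.0.0.5", "Branch-2", "Finance"),
    LogRecord("alice", "Alice Wong", datetime(2009, 5, 27, 9, 30), "A001", "10.0.0.7", "HQ", "IT"),
    LogRecord("carol", "Carol Ng", datetime(2009, 5, 27, 10, 2, 33), "U101", "10.0.0.9", "HQ", "Finance", admin_id="admin1"),
    LogRecord("dave", "Dave Chan", datetime(2009, 5, 26, 16, 0), "U102", "10.0.0.9", "HQ", "Sales", admin_id="admin1"),
]
ACCOUNTS = [
    Account("alice", "Alice Wong", "IT", "analyst", datetime(2008, 1, 10), datetime(2009, 5, 27, 9, 30)),
    Account("bob", "Bob Lee", "Finance", "clerk", datetime(2008, 3, 1), datetime(2009, 1, 15)),
    Account("eve", "Eve Tam", "Sales", "rep", datetime(2007, 6, 1), None, expired=True),
]

if __name__ == "__main__":
    for r in sort_records(RECORDS, "criticality", descending=True):
        print(r.render())
    print([a.user_id for a in stale_accounts(ACCOUNTS, NOW)])
```

Keeping type, description and criticality in a single code table is what makes the "critical event marked by *" rule and the search-by-criticality function consistent across applications: each system only has to emit the code, and the review tool applies one table.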

Logging Tools

Resources from Syslog.org

  • Event Notification

http://www.syslog.org/wiki/Main/EventNotification

  • Syslog Clients

http://www.syslog.org/wiki/Main/SyslogClients

  • Syslogd Replacements

http://www.syslog.org/wiki/Main/SyslogdReplacements

  • Event Viewers

http://www.syslog.org/wiki/Main/EventViewers

  • Log Analyzers

http://www.syslog.org/wiki/Main/LogAnalyzers

  • Event Correlation

http://www.syslog.org/wiki/Main/EventCorrelation

  • Windows

http://www.syslog.org/wiki/Main/Windows

  • Misc Log Tools

http://www.syslog.org/wiki/Main/MiscLogTools

Best Practice and Tips from Syslog

  • Syslog Security Tip

http://www.syslog.org/wiki/Main/SyslogSecurityTip

  • Central Syslog Tip

http://www.syslog.org/wiki/Main/CentralSyslogTip

  • Logging Windows To Syslog Server

http://www.syslog.org/wiki/Main/LoggingWindowsToSyslogServer

  • Troubleshooting Syslog Forwarding

http://www.syslog.org/wiki/Main/TroubleshootingSyslogForwarding

  • Syslog Best Practices

http://www.syslog.org/wiki/Main/SyslogBestPractices

  • Logging, Log File Rotation, and Syslog Tutorial

http://www.hccfl.edu/pollock/AUnix2/Logging.htm