Logging. What is a log? What gets logged? Logins / logouts Privilege escalation Security relevant...

Logging

What is a log?

What gets logged?

• Logins / logouts

• Privilege escalation

• Security relevant events

What goes in a log?

Why keep logs?

Why look at logs? (Marcus)

• Policy

• Legality

• Cost saving

Common mistakes (Marcus)

• #1 – Collecting it and not looking at it (might as well log to /dev/null)

• #2 – watching logs from perimeter systems while ignoring internal systems

• #3 – Designing your log architecture before you decide what you’re going to collect

• #4 – Only looking for what you know you want to find instead of just looking to see what you find.

Common Mistakes 2:

• #5 – Proceeding without doing envelope estimates of load

• #6 – thinking your logs are evidence if you don’t collect them right

• #7 – forgetting that this is just a data management problem

• #8 – Drinking the XML Kool-ade

How are things logged?

• f = fopen("logfile", "w+")

• syslog()

• Logger

Web Logs

Mail Logs

Radius Logs

Melissa

Log architectures

• UDP log issues

• Windows

Logging on Unix

• /etc/syslog.conf

• /etc/newsyslog.conf

• Grep

• swatch

Logging on Windows:

• Event Viewer

• Local security settings

Log hosts & Aggregation

Federal Rules of Evidence

What is Hearsay?

Can you trust these logs?