Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  
  Advanced Search 


October 16, 2006

Security Log Collection

Choose the right security log management tool and use it wisely
A Web Exclusive from Windows IT Pro
John Howie
Feature
InstantDoc #93330
Windows IT Pro
Email this Article
Printer Friendly
Reader Comments
Digg This
Del.icio.us
RSS
Subscribe to Windows IT Pro | See More Security Articles Here | Reprints | Or get the Monthly Online Pass—only $5.95 a month!

Step 4: Identify security log and event platforms. Identify the platforms on which the security logs and sources of security event data reside. Most business environments are heterogeneous, having a mix of Windows, UNIX, Linux, Cisco Systems, and NETGEAR hardware and software, for instance. Count appliances, workstations, and servers alike. For each platform, determine whether there's a security log of interest. If the platforms don't use SNMP, syslog, or another protocol to export their logs, you need to make sure that your chosen log management solution will work on those platforms.

Step 5: Determine how you want to use the data. Do you want to analyze security data in real time—perhaps using a security event management tool—or simply collect it for analysis (to be done later or only if a particular need arises)? If you have multiple systems, each running a different OS and each with a security log, you might want a tool that lets you configure and manage the security log on each system as well as collect data.

After you've identified the security log data you're interested in, where it can be found in your environment, and what you want to do with it, compile all the information into a reference table similar to Table 1. You'll use this table when you're evaluating security log collection tools so that you'll be sure to choose a product that can collect the necessary events in the proper formats for the required realtime or batch analysis.

There are four additional questions unrelated to your security logs and the data contained within them that you must ask yourself before choosing a management tool. Security logs can contain sensitive information, so the first question is: Does the tool need to encrypt log data that it collects and moves across the network? The second question is: Does the tool need to authenticate the source of the data? If the data source isn't authenticated, an attacker could anonymously mount a Denial of Service (DoS) attack or at least spam the system with falsified data, making it difficult for you to find real data of interest admidst all the noise.

The third question is: Must the tool authenticate itself to a central collection server component, and must the server authenticate itself to the tool? Mutual authentication, combined with encryption, guarantees that the tool will supply the collected logs— which can contain sensitive information—to a legitimate server and that no one can eavesdrop on communications.

Finally, ask yourself whether maintaining the integrity of security logs during transit and in storage is a requirement. If you can't guarantee the integrity of the data, it might not satisfy your external auditors or be admissible in a court case. The answer to each of these questions is probably yes.

Security Log Management Tools
Now that you have your criteria, you can begin evaluating management tools. There are several high-quality free or inexpensive tools that you can download and use. I recommend experimenting with each in a test lab environment before choosing one and deploying it in a production environment.

No discussion of security log management tools can omit syslog. Designed as a log collection tool for UNIX systems, syslog captures security log data from UNIX and Linux hosts and appliances such as firewalls and routers but suffers from many of the security problems that other UNIX management tools do, including lack of confidentiality, integrity, and availability. Windows implementations of syslog are also available.

Request for Comments (RFC) 3195, which you can read at http://www.ietf.org/rfc/rfc3195.txt, defines a newer standard for syslog. There are other proposed extensions and standards, including San Diego Supercomputer Center (SDSC) Secure Syslog (http://security.sdsc.edu/software/sdscsyslog) and BalaBit IT Security's syslogng (http://www.balabit.com/products/syslog_ng). All proposed extensions and standards were designed to address the weaknesses of the original syslog. You need to be aware of the differences between standards when selecting products that claim to be syslog-compatible.

You already have a syslog server on your network if you're running Microsoft Operations Manager (MOM) 2005, including MOM 2005 Workgroup Edition. You can create a syslog data provider and create and configure a rule group to log syslog messages to the MOM Operator Console. Unfortunately, MOM 2005 supports only classic syslog with all its security problems. If you can wait, the upcoming version of MOM, MOM System Center 2007 (currently in Beta 2), comes with Audit Collection—formerly known as Audit Collection System— which lets you securely consolidate security event logs from Windows systems for central analysis.

   Previous  1  [2]  3  Next 


Top Viewed ArticlesView all articles
WinInfo Short Takes: Week of November 9, 2009

An often irreverent look at some of the week's other news, including some more Windows 7 sales momentum, some Sophos stupidity, Microsoft's cloud computing self-loathing, more whining from the browser makers, Zoho's "Fake Office," and much, much more ...

Command Prompt Tricks

One reader shares his tip for setting up the command prompt to reflect a remote path. ...

Understanding File-Size Limits on NTFS and FAT

A general confusion about files sizes on FAT seems to stem from FAT32's file-size limit of 4GB and partition-size limit of 2TB. ...
Related Articles New Security Log Illuminates Windows Events
Security Whitepapers Reducing the Costs and Risks of Branch Office Data Protection

Solving Desktop Management Challenges in Healthcare

Solving Desktop Management Challenges in Education
Related Events WinConnections and Microsoft® Exchange Connections

Deep Dive into Windows Server 2008 R2 presented by John Savill

The Easiest Way to Save Time and Money on E-mail and SharePoint Management

Check out our list of Free Email Newsletters!
Security eBooks Spam Fighting and Email Security for the 21st Century

Understanding and Leveraging Code Signing Technologies

A Guide to Windows Certification and Public Keys
Related Security Resources Introducing Left-Brain.com, the online IT bookstore
Looking for books, CDs, toolkits, eBooks? Prime your mind at Left-Brain.com

Discover Windows IT Pro eLearning Series!
Clear & detailed technical information and helpful how-to's, all in our trademark no-nonsense format


ADS BY GOOGLE

Job Openings in IT SPONSORED LINKS FEATURED LINKS
EMC SAN vs. DAS Exchange 2007 Calculator
Calculate your savings now!

Let Your Users Reset Their Own Passwords: Free Download
Try a 30 day free trial of Desktop Authority Password Self-Service – it provides an easy-to-use, robust system for allowing users to reset their own forgotten passwords or locked accounts.


Disaster Recovery Strategies – Tips and Tricks
Determine how you can achieve your DR objectives as simply and cost-effectively as possible.

Get Windows IT Pro & Mark Minasi’s Favorite Power Tools Guide
Order Windows IT Pro now and get "More of Mark Minasi's Favorite Power Tools"--a in-depth guide to the most useful Windows commands --FREE with your paid order! Subscribe today, and save 58% off the cover price!

Migration, Virtualization, Availability, and Desktop Management
Realize the importance of a workload optimization strategy...it can affect your bottom line!

Deep Dive into VMware vSphere, eLearning Series
Join John Savill to explore the major functionality capabilities of the vSphere virtualization platform, including identification of the changes from ESX 3.5.
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro DevProConnections IT Job Hound
Left-Brain.com Technology Resource Directory asp.netPRO ITTV Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 © 2009 Penton Media, Inc. Terms of Use | Privacy Statement