In this Issue:
  • Perspective: Taming Event Log Chaos
  • Coming this Month
  • September 2007 Articles in Print-Friendly Format
  • Share Your Security Tips and Get $100
  • The Security Pro VIP Forum

 

Perspective: Taming Event Log Chaos

One difficulty of monitoring device and application events is that each device and app has its own log and often its own event format. To view all these disparate events often means collecting and sifting through each log separately. "Security Log Collection," November 2006 does a great job of stating the problem, if you're not familiar with it already.

Various entities have tried to solve this problem by proposing an event-logging standard. Most recently, eIQnetworks announced the Open Log Format (OLF), which the company described as "the industry's first open source event logging standard," saying that it "promotes interoperability that enables organizations to more easily manage and understand the log data collected from network devices, systems, and applications."

An event-logging standard is helpful only if the companies that sell the network devices, systems and applications that generate event logs support it. eIQnetworks reports that Astaro, Clavister, Cyberoam, iPolicy Networks, Secure Computing, and Top Layer Networks will use the new OLF standard. You can find out more and download the standard at http://www.openlogformat.org.

This past spring and summer, there was some noise on various blogs about Common Event Expression (CEE), a standard being developed by MITRE and the CEE Working Group. You won't easily find information about CEE on the MITRE Web site, but blogger Raffael Marty posted some information about it on his site at http://raffy.ch/blog/wp-content/uploads/2007/05/cee-r2.pdf. The PDF file says:

"The CEE Initiative recommends that the industry coordinate in four areas to facilitate log transmission and interpretation:

  • Create an event expression taxonomy for uniform and precise log definitions that lead to a common event representation.
  • Create log syntaxes utilizing a single data dictionary to provide consistent event specific details.
  • Standardize flexible event transport mechanisms to support multiple environments.
  • Propose log recommendations for the events and attributes devices generate."

The Open Group has the Distributed Auditing Standard (XDAS), which it terms a "preliminary specification" and describes as follows: "The XDAS specification defines a set of generic events of relevance at a global distributed system level, and a common portable audit record format to facilitate the merging and analysis of audit information from multiple components at the distributed system level. Four groups of APIs are provided to accomplish this." Find out more about this standard at http://www.opengroup.org/pubs/catalog/p441.htm.

About a year ago, ArcSight introduced the Common Event Format (CEF), "an open log management standard that improves the interoperability of security-related information from different security and network devices and applications. ... CEF enables technology companies and customers to use a common event log format so that data can be easily collected and aggregated for analysis by an enterprise security management system." At the time, ArcSight said that AirTight Networks, CipherOptics, DeepNines, Intrusic, Reconnex, Vericept, and Vontu would support the CEF standard. Look for more information about this standard at http://www.arcsight.com/solutions_cef.htm.
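To make the normalisation these formats are meant to enable concrete, here is a small Python normaliser, added as an example for this issue rather than code from ArcSight, eIQnetworks, or any of the products mentioned. It reads one constructed CEF line and two constructed syslog-style lines into a single record layout and then counts events per source address across both. The CEF header layout (seven pipe-delimited fields, with backslash-escaped pipes and equals signs) and the extension keys src, dst, dvchost, and rt follow my reading of the CEF specification; the key=value extraction applied to syslog messages, the regular expressions, and the common field names are my own choices, not part of any standard.

```python
import re
from collections import Counter

# Constructed sample events (not captured from any real device): one ArcSight
# CEF line and two syslog-style lines from different programs on different hosts.
SAMPLE_EVENTS = [
    r"CEF:0|ExampleVendor|ExampleFW|1.0|100|Connection denied|5|"
    r"src=10.0.0.5 dst=192.0.2.10 spt=51515 dpt=22 act=deny dvchost=fw1 msg=policy rule\=3",
    "Oct  3 12:00:01 host1 sshd[2112]: Failed password for invalid user admin from 10.0.0.5 port 51515 ssh2",
    "Oct  3 12:00:05 host2 app: user=alice action=login result=success src=10.0.0.7",
]

# Assumed CEF layout: CEF:Version|Vendor|Product|DeviceVersion|SignatureID|Name|Severity|Extension
CEF_HEADER_FIELDS = ["version", "vendor", "product", "device_version", "signature_id", "name", "severity"]
# Extension keys are bare tokens directly followed by '='; values may hold spaces and '\='.
EXT_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")
# Classic BSD syslog line: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s(\S+)\s([^\s:\[]+)(?:\[\d+\])?:\s?(.*)$")
FROM_IP_RE = re.compile(r"\bfrom\s+(\d{1,3}(?:\.\d{1,3}){3})")
# The common record every source is mapped onto (my own choice of field names).
COMMON_FIELDS = ("format", "timestamp", "host", "product", "name", "severity", "src", "dst", "extension", "raw")

def record(**fields):
    """Build a record with every common field present (None when the source lacks it)."""
    rec = {k: None for k in COMMON_FIELDS}
    rec["extension"] = {}
    rec.update(fields)
    return rec

def split_cef_header(line):
    """Return the seven CEF header fields and the extension text; '\\|' is a literal pipe."""
    fields, cur, i = [], [], 0
    while i < len(line) and len(fields) < len(CEF_HEADER_FIELDS):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):   # escaped character: keep it literally
            cur.append(line[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) < len(CEF_HEADER_FIELDS):
        raise ValueError("malformed CEF header: fewer than seven pipe-delimited fields")
    return fields, line[i:]

def parse_kv(text):
    """Parse 'key=value key2=value two' pairs; a value runs until the next key token."""
    out, keys = {}, list(EXT_KEY_RE.finditer(text))
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(text)
        out[m.group(1)] = text[m.end():end].replace("\\=", "=").replace("\\\\", "\\")
    return out

def parse_cef(line):
    header, ext_text = split_cef_header(line)
    hdr, ext = dict(zip(CEF_HEADER_FIELDS, header)), parse_kv(ext_text)
    return record(format="cef", timestamp=ext.get("rt"), host=ext.get("dvchost"),
                  product=f"{hdr['vendor']} {hdr['product']}", name=hdr["name"],
                  severity=int(hdr["severity"]), src=ext.get("src"), dst=ext.get("dst"),
                  extension=ext, raw=line)

def parse_syslog(line):
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts, host, program, message = m.groups()
    kv = parse_kv(message)                     # many programs log key=value pairs too
    ip = FROM_IP_RE.search(message)            # ...while sshd-style prose needs a regex
    return record(format="syslog", timestamp=ts, host=host, product=program, name=message,
                  src=kv.get("src") or (ip.group(1) if ip else None), dst=kv.get("dst"),
                  extension=kv, raw=line)      # severity stays None: BSD text carries none

def normalize(line):
    """Map any supported line onto the common record; unrecognised lines are kept, not dropped."""
    if line.startswith("CEF:"):
        return parse_cef(line)
    return parse_syslog(line) or record(format="unknown", raw=line)

def normalize_all(lines):
    return [normalize(line) for line in lines]

def count_by_src(records):
    """Once fields are common, one source address can be counted across every log at once."""
    return dict(Counter(r["src"] for r in records if r["src"]))

if __name__ == "__main__":
    recs = normalize_all(SAMPLE_EVENTS)
    for r in recs:
        print(r["format"], r["host"], r["product"], r["src"], "->", r["dst"])
    print(count_by_src(recs))
```

Run as a script, it prints one line per record followed by the per-source counts. The address 10.0.0.5 shows up both in the firewall's CEF event and in host1's sshd failure, which is exactly the cross-log view that a common event format is supposed to make cheap; without normalisation, that correlation means a separate parser for every product.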

For a sampling of what bloggers are saying about these standards, go to "An Auditing Standard: Has this rough beast's hour come round at last?" July 17, 2007 and "Open Log Format - What a Great Standard - Not," September 14, 2007.

The CEE and XDAS standards arguably have the best chance of eventually making security administrators' lives a little easier. They're sponsored by not-for-profit organizations and are being worked on by groups of contributors. CEE in particular seems to have some energy behind it, if blog posts are any indication. Until you begin to see the effect of these standards, the following articles on our Web site can help you get your event logs and events under control.

For help collecting events in multiple formats:

"Security Log Collection," November 2006
describes practices and free tools that small and midsized businesses (SMBs) can use to gather and work effectively with a variety of event formats and event logs.

"Enterprise Event Logging for SMBs," May 3, 2007
describes six third-party log collection and management suites: GFI EventsManager 7.0, Dorian Software Creations' Total Event Log Management Suite, Engagent’s Sentry II, TNT Software’s ELM Log Manager 4.0, Prism Microsystems’ EventTracker, and RippleTech’s LogCaster for Security Auditing & Systems Management.

For help with centralized Windows event collection:

"Collecting and Analyzing Event and System Logs," March 28, 2006
and "Take Advantage of the EventCombMT Utility," February 2003
cover Microsoft's free EventCombMT utility for gathering Windows event logs from multiple systems.

"Windows Eventing 6.0," September 6, 2007
describes Windows Server 2008's and Windows Vista's new event-forwarding capability, which lets you set up a collection server and forward events to it from other machines.

Renee Munshi, Security Pro VIP Editor

 

Coming this Month

"Unleash the Power of Microsoft Internet Information Services 7.0's Security Features" by Jan De Clercq
The latest version of IIS includes several new security features, including componentization, feature delegation, URL authorization, and request filtering.
This article is now live on the Web.

"Reduce Admin Risks" by Russell Smith
Increase security and limit risks from administrative users—check out several strategies that can help, including virtualization, running Windows Vista with User Account Control enabled, and using Group Policy to restrict access.
Coming October 11.

"Securing Exchange Server 2007 Services with ISA Server 2006" by Damir Dizdarevic
Take steps to publish OWA, Outlook Anywhere, and other applications to Internet users, and move the encryption and authentication off your Exchange servers.
Coming October 18.

Access Denied
Randy Franklin Smith answers your Windows security questions.
Coming October 25.

 

September 2007 Articles in Print-Friendly Format

If you're someone who prefers your newsletters in printed form, check out this .pdf file. It contains all the security articles posted on the Security Pro VIP Web site in September. Print and enjoy!

 

Share Your Security Tips and Get $100

Share your security-related tips, comments, or problems and solutions in Security Pro VIP's Reader to Reader column. Email your contributions to r2r@securityprovip.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

 

The Security Pro VIP Forum

The Security Pro VIP forum is your place to ask questions about security topics and about articles posted on the Security Pro VIP Web site and to get answers from other forum members, including Orin Thomas, forum moderator, and article authors. Let's talk!