Presentation is loading. Please wait.

Presentation is loading. Please wait.

AfChix 2011 Blantyre, Malawi Log management. Log management and monitoring ■ What is log management and monitoring ? ● It's about keeping your logs in.

Published byFrederick Quinn Modified over 8 years ago

Similar presentations

Presentation on theme: "AfChix 2011 Blantyre, Malawi Log management. Log management and monitoring ■ What is log management and monitoring ? ● It's about keeping your logs in."— Presentation transcript:

1 AfChix 2011 Blantyre, Malawi Log management

2 Log management and monitoring ■ What is log management and monitoring ? ● It's about keeping your logs in a safe place, putting them where you can easily inspect them with tools ● Keep an eye on your log files ■ They tell you something important... ● Lots of things happen, and someone needs to keep an eye on them... ● Not really practical to do it by hand!

3 Log management and monitoring ■ On your routers and switches ● Sep 1 04:40:11.788 INDIA: %SEC-6-IPACCESSLOGP: list 100 denied tcp 79.210.84.154(2167) -> 169.223.192.85(6662), 1 packet ● Sep 1 04:42:35.270 INDIA: %SYS-5-CONFIG_I: Configured from console by pr on vty0 (203.200.80.75) ‏ ● %CI-3-TEMP: Overtemperature warning ● Mar 1 00:05:51.443: %LINK-3-UPDOWN: Interface Serial1, changed state to down ■ On your servers as well ● Aug 31 17:53:12 ubuntu nagios2: Caught SIGTERM, shutting down... ● Aug 31 19:19:36 ubuntu sshd[16404]: Failed password for root from 169.223.1.130 port 2039 ssh2

4 Log management ■ First, need to centralize and consolidate log files ■ Log all messages from routers, switches and servers to a single machine – a log server ■ All logging from network equipment and UNIX servers is done using syslog ■ Windows can be configured to use syslog as well, with some tools ■ Log locally, but also to the central server

5 Centralized logging Local disk serv er syslog rout er swit ch Syslog storage Sysl og serv er

6 Configuring centralized logging ■ Cisco equipment ● Minimum:  logging ip.of.log.host ■ UNIX host ● Edit syslog.conf ● Add “ip.of.log.host” ● Restart syslogd ■ Other equipments have similar options ● Options to control facility and level

7 Receiving the messages ■ Identify the facility that the SENDING host or device will send their message on - logger ■ Reconfigure syslogd to listen to the network ■ Add an entry to syslogd indicating where to write messages: ●local7.*/var/log/routers ■ Create the file or directory: ●touch /var/log/routers ■ Restart syslogd ●/etc/rc.d/syslogd restart

8 Syslog basics ■ UDP protocol, port 514 ■ Syslog messages contain: ● Facility: AuthLevel:Emergency(0) Authpriv|Alert (1) Console| Critical(2) Cron| Error(3) Daemon| Warning(4) Ftp| Notice(5) Kern| Info(6) LprMail| Debug(7) News Ntp | SecuritySyslog UserUUCP Local0...Local7

9 Best Practices * Forward syslog messages from clients to a secure syslog server. * Enable NTP clock synchronization on all clients and on the syslog server so that logs are all synchronized. Without doing this, it can be difficult or impossible to accurately determine the sequence of events across systems or applications. * Group “like sources” into the same log file. (i.e. mail server, MTA, spamassassin and A/V scanner all report to one file) * Use an automated tool to establish a baseline of your logs and escalate exceptions as appropriate.

10 Best Practices * Review your records retention policy, if applicable, and determine if anything kept in logs falls under that policy. If so, establish retention periods based on the records policy. Legal requirements for keeping logs vary by jurisdiction and application. * The “sweet spot” for log retention appears to be one year. Shorter than 1 year, and it is likely that key data would be unavailable in the wake of a long running attack, and longer than one year is most likely wasting disk space. * Include logs and log archives in a standard backup process for disaster recovery. * Change read/write permissions on logs files so they are not accessible to unprivileged user accounts.

11 Sorting logs ■ Using facility and level, sort by category into different files ■ With tools like syslog-ng, sort by host, date,... automatically into different directories ■ Grep your way through the logs. ■ Use standard UNIX tools to sort, and eliminate, things you want to filter out: ● egrep -v '(list 100 denied|logging rate- limited)' mylogfile ● Other tools exist, like ”Swatch” to make this automatic

12 SWATCH ■ Simple Log Watcher ● Written in Perl ● Monitors log files, looking for patterns (”regular expressions”) to match in the logs ● Perform a given action if the pattern is found

13 Sample config ■ watchfor /%LINK-3-UPDOWN/ mail addresses=inst,subject=Link updown throttle 1:00 watchfor /%SEC-6-IPACCESSLOGP/ exec /usr/bin/echo $* >> /tmp/accesslist.log watchfor /%SYS-5-CONFIG/ mail addresses=inst,subject=Configuration of router

14 References ■ http://www.loganalysis.org/ ■ Syslog NG ● http://www.balabit.com/network-security/syslog-ng/ ■ Windows Event Log to Syslog: ● https://engineering.purdue.edu/ECN/Resources/Docum ents/UNIX/evtsys ■ SWATCH log watcher ● http://swatch.sourceforge.net/ ● http://www.loganalysis.org/sections/signatures/log -swatch-skendrick.txt ● http://www.loganalysis.org/ ● http://sourceforge.net/docman/display_doc.php?doci d=5332&group_id=25401

15 Questions ? ?

Download ppt "AfChix 2011 Blantyre, Malawi Log management. Log management and monitoring ■ What is log management and monitoring ? ● It's about keeping your logs in."

Similar presentations

Cisco Device Hardening Disabling Unused Cisco Router Network Services and Interfaces.

Cisco Device Hardening Disabling Unused Cisco Router Network Services and Interfaces.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.
Managing logs with syslog-ng and SWATCH AfNOG 11, Kigali/Rwanda.

Managing logs with syslog-ng and SWATCH AfNOG 11, Kigali/Rwanda.
Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.

Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.
NetComm Wireless Logging Architecture Feature Spotlight.

NetComm Wireless Logging Architecture Feature Spotlight.
Syslog and log files1-1 Syslog and Log Files  From logfiles, you can find m important information m History m Errors/warnings  Logging policies m Reset.

Syslog and log files1-1 Syslog and Log Files  From logfiles, you can find m important information m History m Errors/warnings  Logging policies m Reset.
CIS 193A – Lesson3 Vigilance! Logging & Monitoring Syslog Logrotate Logwatch Accounting.

CIS 193A – Lesson3 Vigilance! Logging & Monitoring Syslog Logrotate Logwatch Accounting.
1 Figure 6-16: Advanced Server Hardening Techniques Reading Event Logs (Chapter 10)  The importance of logging to diagnose problems Failed logins, changing.

1 Figure 6-16: Advanced Server Hardening Techniques Reading Event Logs (Chapter 10)  The importance of logging to diagnose problems Failed logins, changing.
Syslogd Tracking system events. Log servers Applications are constantly encountering events which should be recorded –users attempt to login with bad.

Syslogd Tracking system events. Log servers Applications are constantly encountering events which should be recorded –users attempt to login with bad.
Voyager Server Security and Monitoring Best practices and tools.

Voyager Server Security and Monitoring Best practices and tools.
© 2010 VMware Inc. All rights reserved VMware ESX and ESXi Module 3.

© 2010 VMware Inc. All rights reserved VMware ESX and ESXi Module 3.
NOC TOOLS syslog AfNOG 2009 - Cairo, SI-E, 2 of 5 Sunday Folayan.

NOC TOOLS syslog AfNOG Cairo, SI-E, 2 of 5 Sunday Folayan.
Network Management Workshop intERlab at AIT Thailand March 11-15, 2008 Log management.

Network Management Workshop intERlab at AIT Thailand March 11-15, 2008 Log management.
Security Guidelines and Management

Security Guidelines and Management
Maintaining Host Security Logs.  Security logs are invaluable for verifying whether the host's defenses are operating properly.  Another reason to maintain.

Maintaining Host Security Logs.  Security logs are invaluable for verifying whether the host's defenses are operating properly.  Another reason to maintain.
Reconnaissance & Enumeration Baseline, Monitor, Detect, Analyze, Respond, & Recover Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago,

Reconnaissance & Enumeration Baseline, Monitor, Detect, Analyze, Respond, & Recover Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago,
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
New SA Training Topic 9: Logging, Monitoring, and Performance  Logging  Windows – “Auditing”  Linux – syslog  Monitoring  MRTG  Big Brother  Performance.

New SA Training Topic 9: Logging, Monitoring, and Performance  Logging  Windows – “Auditing”  Linux – syslog  Monitoring  MRTG  Big Brother  Performance.
CLI modes Accessing the configuration Basic configuration (hostname and DNS) Authentication and authorization (AAA) Log collection Time Synchronization.

CLI modes Accessing the configuration Basic configuration (hostname and DNS) Authentication and authorization (AAA) Log collection Time Synchronization.
System Monitoring and Automation CSCI N321 – System and Network Administration Copyright © 2000, 2011 by Scott Orr and the Trustees of Indiana University.

System Monitoring and Automation CSCI N321 – System and Network Administration Copyright © 2000, 2011 by Scott Orr and the Trustees of Indiana University.

Similar presentations

Ads by Google