Windows IT Pro is the authoritative and independent resource for windows nt, windows 2000, windows 2003, windows xp. Features a collection of resources and magazines for windows IT professionals.
  
  
  Advanced Search 


October 16, 2006

Security Log Collection

Choose the right security log management tool and use it wisely
A Web Exclusive from Windows IT Pro
John Howie
Feature
InstantDoc #93330
Windows IT Pro
Email this Article
Printer Friendly
Reader Comments
Digg This
Del.icio.us
RSS
View this exclusive article with VIP access -- click here to join |
See More Security Articles Here | Reprints | Or sign up for our VIP Monthly Pass!

Step 4: Identify security log and event platforms. Identify the platforms on which the security logs and sources of security event data reside. Most business environments are heterogeneous, having a mix of Windows, UNIX, Linux, Cisco Systems, and NETGEAR hardware and software, for instance. Count appliances, workstations, and servers alike. For each platform, determine whether there's a security log of interest. If the platforms don't use SNMP, syslog, or another protocol to export their logs, you need to make sure that your chosen log management solution will work on those platforms.

Step 5: Determine how you want to use the data. Do you want to analyze security data in real time—perhaps using a security event management tool—or simply collect it for analysis (to be done later or only if a particular need arises)? If you have multiple systems, each running a different OS and each with a security log, you might want a tool that lets you configure and manage the security log on each system as well as collect data.

After you've identified the security log data you're interested in, where it can be found in your environment, and what you want to do with it, compile all the information into a reference table similar to Table 1. You'll use this table when you're evaluating security log collection tools so that you'll be sure to choose a product that can collect the necessary events in the proper formats for the required realtime or batch analysis.

There are four additional questions unrelated to your security logs and the data contained within them that you must ask yourself before choosing a management tool. Security logs can contain sensitive information, so the first question is: Does the tool need to encrypt log data that it collects and moves across the network? The second question is: Does the tool need to authenticate the source of the data? If the data source isn't authenticated, an attacker could anonymously mount a Denial of Service (DoS) attack or at least spam the system with falsified data, making it difficult for you to find real data of interest admidst all the noise.

The third question is: Must the tool authenticate itself to a central collection server component, and must the server authenticate itself to the tool? Mutual authentication, combined with encryption, guarantees that the tool will supply the collected logs— which can contain sensitive information—to a legitimate server and that no one can eavesdrop on communications.

Finally, ask yourself whether maintaining the integrity of security logs during transit and in storage is a requirement. If you can't guarantee the integrity of the data, it might not satisfy your external auditors or be admissible in a court case. The answer to each of these questions is probably yes.

Security Log Management Tools
Now that you have your criteria, you can begin evaluating management tools. There are several high-quality free or inexpensive tools that you can download and use. I recommend experimenting with each in a test lab environment before choosing one and deploying it in a production environment.

No discussion of security log management tools can omit syslog. Designed as a log collection tool for UNIX systems, syslog captures security log data from UNIX and Linux hosts and appliances such as firewalls and routers but suffers from many of the security problems that other UNIX management tools do, including lack of confidentiality, integrity, and availability. Windows implementations of syslog are also available.

Request for Comments (RFC) 3195, which you can read at http://www.ietf.org/rfc/rfc3195.txt, defines a newer standard for syslog. There are other proposed extensions and standards, including San Diego Supercomputer Center (SDSC) Secure Syslog (http://security.sdsc.edu/software/sdscsyslog) and BalaBit IT Security's syslogng (http://www.balabit.com/products/syslog_ng). All proposed extensions and standards were designed to address the weaknesses of the original syslog. You need to be aware of the differences between standards when selecting products that claim to be syslog-compatible.

You already have a syslog server on your network if you're running Microsoft Operations Manager (MOM) 2005, including MOM 2005 Workgroup Edition. You can create a syslog data provider and create and configure a rule group to log syslog messages to the MOM Operator Console. Unfortunately, MOM 2005 supports only classic syslog with all its security problems. If you can wait, the upcoming version of MOM, MOM System Center 2007 (currently in Beta 2), comes with Audit Collection—formerly known as Audit Collection System— which lets you securely consolidate security event logs from Windows systems for central analysis.

   Previous  1  [2]  3  Next 


Reader Comments
Very Useful site

rcalcantara May 14, 2008 (Article Rating: )

You must log on before posting a comment.

If you don't have a username & password, please register now.




Top Viewed ArticlesView all articles
Microsoft Kills OneCare, Will Launch Free Security Solution

Microsoft on Tuesday announced that it would retire its $50-a-year security subscription product, Windows Live OneCare, and replace it with a free solution codenamed "Morro." Unlike OneCare, however, Morro will focus only on core anti-malware features and ...

The website is down because someone removed the X-Box

What happens when a manager mistakes a server for a games console. ...

Xbox 360 Overhaul Arrives with New UI, Avatars

Xbox 360 owners who logon to the system's Xbox Live system this morning will receive the most significant functional change yet to the console's user interface, or dashboard. Dubbed the New Xbox Experience, this new front-end features a completely new ...
Related Articles New Security Log Illuminates Windows Events
Security Whitepapers The Impact of Messaging and Web Threats

Why SaaS is the Right Solution for Log Management

Protecting (You and) Your Data with Exchange Server 2007
Related Events Check out our list of Free Email Newsletters!
Security eBooks Spam Fighting and Email Security for the 21st Century

Understanding and Leveraging Code Signing Technologies

A Guide to Windows Certification and Public Keys
Related Security Resources Become a VIP member of the Windows IT Pro community!
Get it all with the VIP CD and VIP access. A $500+ value for only $279!

Subscribe to Windows IT Pro!
Solve your toughest technical problems with our experts and access 10,000 + articles online. 30% off

Monthly Online Pass - Only $5.95!
Get instant access to 10,000+ articles from Windows IT Pro Magazine!

TechNet Virtual Labs
Evaluate and test Microsoft's newest products.



ADS BY GOOGLE

Job Openings in IT SPONSORED LINKS FEATURED LINKS
Free Download –VS 2008 Training
Experts Ken Getz & Robert Green plus labs, code, courseware

Maximize speed, performance and reliablity of your PCs and servers—automatically!
Speed Up Your PC! Try Diskeeper 2008 with InvisiTasking Free Now!

Register for SolarWinds VM Monitor
Get X-Ray Vision into Your ESX Servers with SolarWinds FREE VM Monitor

GoGrid Offers FREE Trial for Windows Cloud Servers
Deploy Windows Server 2003 and 2008 with free load balancing through GoGrid’s award winning web-based GUI – all in less than 5 minutes

Order Your SQL Fundamentals CD Today!
Learn how to use SQL Server, understand Office integration techniques and dive into the essentials of SQL Express and Visual Basic with this free SQL Fundamentals CD.

How healthy is your Exchange Server? Find out Now!
Automatic Exchange Server Maintenance helps prevent disasters and improves performance. Download a FREE Exchange Server analysis tool.
You've Deployed SharePoint...Now What?
This one-day free online conference delivers the technical knowledge needed to kick MOSS up a notch. In one information-packed day, independent SharePoint experts will present practical, real-world information and provide take-away, ready-to-use solutions

Ease Your Scripting Pains with the Flexibility of PowerShell!
Paul Robichaux equips you with PowerShell basics in 3 introductory lessons, each followed by live Q&A—all on your own computer! Register today!

What Would You Do If You Ran Microsoft?
ITTV's 2008 inaugural video contest, "If I Ran Microsoft..." is your chance to tell it like it is. Be goofy or be serious, but don"t miss this chance to have fun, win prizes, and go viral in a major way.

Maximize Your SharePoint Investment
This web seminar discusses how true bi-directional replication of SharePoint content from one server to another enables branch offices to maintain access to current SharePoint content.

Rock Your Knowledge, and Compete with Friends and Colleagues!
Are you the Web Application Performance Guru in your office? It's time to have fun! Download now to access the crossword puzzle. Challenge yourself and complete this fun activity!
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro Windows Dev Pro IT Job Hound ITTV
IT Library Technology Resource Directory Connected Home Windows Excavator Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved. Terms and Use | Privacy Statement | Reprints and Licensing