Windows IT Pro is the authoritative and independent resource for windows nt, windows 2000, windows 2003, windows xp. Features a collection of resources and magazines for windows IT professionals.
  
  
  Advanced Search 


October 16, 2006

Security Log Collection

Choose the right security log management tool and use it wisely
A Web Exclusive from Windows IT Pro
John Howie
Feature
InstantDoc #93330
Windows IT Pro
Email this Article
Printer Friendly
Reader Comments
Digg This
Del.icio.us
RSS
Subscribe to Windows IT Pro | See More Security Articles Here | Reprints | Or get the Monthly Online Pass—only $5.95 a month!

The growing requirement for statutory and regulatory compliance has many systems administrators scrambling for a way to manage their security logs more effectively. Security logs can be a great way to prove compliance and detect noncompliance. Even for companies that aren't subject to regulatory compliance requirements, security logs are an effective means of detecting violations of security policy and attempted and successful intrusions by attackers. The Windows event logs provide comprehensive security logging, but managing logs across many systems has always been challenging.

Solutions have sprung up to address this difficulty. Many are designed for larger enterprises and are quite expensive; fewer are what I would consider affordable for small-to-midsized businesses (SMBs). Fortunately, some free tools fill the gaps.

Let's look at how to identify some criteria you can use to help choose a security log management tool. I'll also show you some free and low-cost security log management tools and describe some security log management best practices.

Evaluating Your Security Log Management Needs
Before you begin testing security log management tools, you should spend some time thinking about your security log data collection requirements. The following five steps outline a process that can help you identify which security event data you need to collect. This exercise will give you some criteria to use to determine which collection tool is right for you.

Step 1: Identify the security event data you're interested in. Windows and other systems generate a wealth of security data. Typically you'll want to log the results of authentication and authorization operations, such as user logon and logoff activity; access to restricted pages on Web sites; and database and Internet access. Think about what data you actually need. Do you need all authentication and authorization-related data, or are you interested in only failed attempts? Do you need both logon and logoff data for all logon and logoff events (e.g., interactive, network, services, batch) or only interactive logon data?

In this step, I recommend thinking at a high level instead of very specifically—for example, think failed user authentication instead of failed interactive logon to a Windows XP Professional Edition desktop—so that you'll be less likely to miss or overlook sources of data. If you aren't sure what security event data you actually need, consult business decision makers and other stakeholders, such as your inhouse legal counsel or audit group for guidance about what data might be required to prove compliance or look for policy violations.

Step 2: Identify available security logs and the format of each. You might find that there are more security logs in your environment than you originally thought. For starters, there's a Security event log on every Windows system. On UNIX and Linux systems, there's probably a file called Messages (or something similar) that might contain security information. Microsoft IIS and Internet Authentication Service (IAS) also have log files containing security information. These logs can be written in a variety of text and database-compatible formats. You can use the Microsoft Management Console (MMC) snap-ins for IIS and IAS to configure the format used by the services. Generally, it's easier to search text files for items of interest.

Firewalls, access points (APs), routers, and so forth typically create security log data. If these are devices that send their security log data to a logging host—as opposed to services running on a host—note the protocols used and make sure that your log management system can support those protocols. Chances are the devices use the syslog protocol (or a variant of it) or SNMP. You should also record potential sources of security log data, even if the data isn't currently available. For example, a Web server or database might be able to generate security log data even though it isn't currently configured to do so.

Step 3: Map the needed security data to its specific sources. If you need to manage security log data to identify potential attacker activity related to failed authentication attempts, list each source that provides that data. You also might be able to eliminate some sources of data in this step. For example, if you decide to keep a record of user logon and logoff activity in your forest or domain, you could record all activity from the Windows Security event log on each XP and Windows Server system. Alternatively, if everyone has a domain account, each system is a member of a domain, and resources are centralized, you could record logon and logoff activity from the Windows Security event log only on key servers and domain controllers (DCs).

Map the high-level data requirements to the specific logs and events that provide that information. This step is perhaps the most difficult because it requires you to understand what data is available in each log.

   Previous  [1]  2  3  Next 


Reader Comments
Very Useful site

rcalcantara May 14, 2008 (Article Rating: )

You must log on before posting a comment.

If you don't have a username & password, please register now.




Top Viewed ArticlesView all articles
Accessing Database Data with ADO

...

The Memory-Optimization Hoax

Don't believe the hype. At best, RAM optimizers have no effect. At worst, they seriously degrade performance. ...

Friday at PASS Europe 2006

Kevin talks about the closing day of the event and shares a funny Microsoft film. ...
Related Articles New Security Log Illuminates Windows Events
Security Whitepapers Anti-Virus Is Dead: The Advent of the Graylist Approach to Computer Protection

Getting the Job Done: Comparing Approaches for Desktop Software Lockdown

Instant Messaging, VoIP, P2P, and games in the workplace: How to take back control
Related Events Check out our list of Free Email Newsletters!
Security eBooks Spam Fighting and Email Security for the 21st Century

Understanding and Leveraging Code Signing Technologies

A Guide to Windows Certification and Public Keys
Related Security Resources Become a VIP member of the Windows IT Pro community!
Get it all with the VIP CD and VIP access. A $500+ value for only $279!

Subscribe to Windows IT Pro!
Solve your toughest technical problems with our experts and access 10,000 + articles online. 30% off

Monthly Online Pass - Only $5.95!
Get instant access to 10,000+ articles from Windows IT Pro Magazine!

TechNet Virtual Labs
Evaluate and test Microsoft's newest products.

Job Openings in IT

ADS BY GOOGLE SPONSORED LINKS FEATURED LINKS

Maximize your SharePoint Investment – 8 Cities
Discover best practices and tips for both architecting and administering SharePoint. Early Bird Price of $99 through Sept 15th.

Find a new job now on the all new IT Job Hound!
Search jobs, post your resume, and set up job e-mail alerts!

Master SharePoint with 3 eLearning Seminars
Learn how to build a better SharePoint infrastructure and enable powerful collaboration with MVPs Dan Holme and Michael Noel. Register today!

Top Tools for Virtualization Disaster Recovery & Replication
View this web seminar on August 14th to learn about two tools that will result in faster backup and restore with P2V disaster recovery.

SharePointConnections Conference Fall 2008
Don’t miss the premier event for Microsoft IT Professionals in Las Vegas, November 10-13. Register and book your room by August 25 and receive a FREE room night (based on a three night minimum stay).

VMworld 2008 - Sign Up Today!
Join your peers on September 15-18 at The Venetian Hotel in Las Vegas as VMware hosts VMworld 2008, the leading Virtualization event.



Entrust Unified Communications Certs
Secure Exchange 2007 and save 20%. Now through Sept. 2008.

Increase Application Performance
Free White Paper by Editor's Best winner, Texas Memory Systems.

Need to convert between XML, DBs, EDI, and Excel? Try MapForce free!
Drag & drop to transform between popular data formats – get results instantly or generate code.

Microsoft® Tech•Ed EMEA 2008 IT Professionals
Advance your thinking with new ideas and practical real-world solutions at Microsoft’s FIVE day technical infrastructure conference 3-7 Nov., 2008. Register before 26 September 2008 to save €300.

Order Your SQL Fundamentals CD Today!
Learn how to use SQL Server, understand Office integration techniques and dive into the essentials of SQL Express and Visual Basic with this free SQL Fundamentals CD.

Are You Really Compliant with Software Regulations?
View this web seminar that will help you with compliance best practices and check out a management solution to assure that you won’t be in jeopardy of an audit.

Virtualization Congress Oct. 14-16 in London
Don't miss Virtualization Congress, the premiere EMEA conference dedicated to hardware, OS and application virtualization. Oct. 14-16.
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro Windows Dev Pro IT Job Hound ITTV
IT Library Technical Resources Directory Connected Home Windows Excavator Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2008 Penton Media, Inc., All rights reserved. Terms and Use | Privacy Statement | Reprints and Licensing