Module 3

Uploaded by Hukkah Miah
MODULE OBJECTIVE

Log management is at the core of SIEM. Thus, it is essential to become aware of log management concepts. The objective of this module is to let students build their knowledge around log management concepts. In this module, you will learn:
- Relation between incidents, events, and logs
- Importance of logs in incident detection
- Typical sources of logs
- Typical format of logs
- Logging challenges and requirements
- Local and centralized logging concepts

Log > Event > Incident

Log
- A log is a collection of information/data about events, stored in the form of records
- Logging is the process of recording and storing logs of the events that occur in the network, generated from the various devices on the network
- Example of a log: login failure events followed by a login successful event

Event
- An event is any observable change in the daily operations of a system or network
- It can be generated intentionally or unintentionally
- These events are stored as logs
- Example of an event: login success

Incident
- An incident is any event that can affect the security of a system or network
- It may be a violation of security policy
- One or more events can be regarded as an incident
- Log files hold the evidence of incidents

Typical Log Sources
[Diagram of typical log sources; legible labels include Linux, Windows and Websense]

Need of Log
- To identify security incidents
- To identify operational and long-term problems
- To establish baselines

Logging Requirements

Before enabling logging capability, you should know:
- What to log
- Where to store the logs
- Methods for logging
- Tools required for logging
- Log format

You should be able to:
- Perform regular tuning and review of logs
- Synchronize time stamps of all the sources to perform correlation
- Prevent unauthorized access and manipulation of the logs
- Correlate the data sources to identify any malicious activity
- Analyze the regularly generated events that are to be stored in the event logs

Typical Log Format
- A log file contains various types of information which help provide valuable and actionable information
- To identify actionable information from the logs, proper log analysis and monitoring is required
- A log includes the following types of information:
  - User identification information
  - Date and time
  - Type of event
  - Success or failure indication
  - Event origination point
  - Description
  - Severity
  - Service name
  - Protocol
  - User

Logging Approaches
- Local logging is the mechanism of logging user activities in the host machine
- Centralized logging is a mechanism of storing the logs aggregated from the network devices in a central server

Examples of instances when a host machine generates logs:
- System errors, shutdown, restart, or startup
- Failed and successful modification of user credentials and access rights, such as account updates, creation, and deletion
- Privilege escalation, both successful and failed, initiated from the computer
- Exceeding a threshold or hitting a dangerous condition (e.g., memory exhausted or process load too high)
- Modification of system configuration and software updates
- Installing and uninstalling software

Examples of instances when a network device stores logs in a central server:
- Addition/deletion of network devices
- Changes to network settings
- Changes to the users' access to the network
- Failed and successful user access to the network
- Instances when the network crashes
- Applications installed/uninstalled in the network
- Changes to the firewall policy
- Additions, deletions, and changes of administrative ...

Local Logging: Windows Log

Windows Log
- Windows OS tracks various events, activities, and functions through logs
- Windows event logs, consisting of a header and a series of event records, provide a standard, centralized way for applications (and the
operating system) to record important software and hardware events
- Windows Event Log audit configurations (log retention, log size, etc.) are recorded based on the Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\
[Screenshot: Registry Editor showing the EventLog key]

Windows Event Log Types and Entries
- Event Viewer provides a quick overview of when, where, and how an event occurred
- Check the Windows Event Log for various types of logs:
  - System logs
  - Setup logs: configuration logs
  - Security logs: audit logs based on success/failed events
  - Application logs: events categorized based on severity
  - Forwarded event logs: events forwarded by other computers in a network
- Typical log entries contain the following types of information about the events:
  - Level: defines the severity of the event. The various types of severity levels are Error, Warning, Information, Success Audit and Failure Audit
  - Keywords: defines the type of event that occurred. The various types of events are AuditFailure, AuditSuccess, Classic, Correlation Hint, Response Time, SQM, WDI Context, and WDI Diag
  - Date and Time: defines the date and time the event occurred
  - Source: defines the source of the event
  - Event ID: a unique event ID is assigned to each type of event
  - Task Category: defines task categories

Event Types
- Error: an event that indicates a significant problem such as loss of data or loss of functionality. For example, if a service fails to load during startup, an Error event is logged.
- Warning: an event that is not necessarily significant but may indicate a possible future problem. For example, when disk space is low, a Warning event is logged. If an application can recover from an event without loss of functionality or data, it can generally classify the event as a Warning event.
- Information: an event that describes the successful operation of an application, driver, or service. For example, when a network driver loads successfully, it may be appropriate to log an Information event. Note that it is generally inappropriate for a desktop application to log an event each time it starts.
- Success Audit: an event that records an audited security access attempt that is successful. For example, a user's successful attempt to log on to the system is logged as a Success Audit event.
- Failure Audit: an event that records an audited security access attempt that fails. For example, if a user tries to access a network drive and fails, the attempt is logged as a Failure Audit event.

Monitoring and Analysis of Windows Logs
- Open Event Viewer and click the required log you want to view
- In the details pane, click the event that you want to view. Description and header information is displayed in the Preview Pane
- The information displayed in the Preview Pane about the event is as follows:
  - Log Name: the type of Windows log
  - Source: the cause responsible for the event, which can be an individual, a system, or a program
  - Event ID: the type of event that occurred
  - Level: the event level
    type is divided into five types: Error, Warning, Information, Success Audit, and Failure Audit
  - User: the user responsible, who was logged on to the computer at the instant of the event
  - Logged: the timestamp of the event
  - Task Category: primarily used in the case of the security log, which classifies an event based on the event source
  - Computer: the name assigned to the computer where the event occurred

Monitoring and Analysis of Windows Logs (Cont'd)

Finding Events in a Log
- The filter feature in the Event Viewer allows the removal of clutter from the event log display
- Each log can be independently configured with certain filter properties
- Use the Filter and Find features in Event Viewer, under the Actions pane
- After applying the filter, the Event Viewer will show the log with matching properties

Monitoring and Analysis of Windows Logs (Cont'd)

Examining Event Log Entries
- System Log Entries: the System log contains events logged by Windows system components. The System log includes:
- Application Log Entries: the Application log contains events logged by applications or programs. The Application log includes:
System log:
- Changes to the hardware configuration
- Service pack update installation
- Software and hardware installations
- Starting and stopping of services
- System shutdown/reboot
- Logon failures
- Alteration of machine information

Application log:
- Installation and removal of software packages
- Detection/restoration of virus infection
- Detection of hacking tools
- Printing jobs

Monitoring and Analysis of Windows Logs (Cont'd)
- The Security log is "the mother of all logs" in forensic terms
- Logons, log-offs, attempted connections, and policy changes are all reflected in the events contained therein
- Unfortunately, security logging is turned off by default
- It needs to be enabled by Group or Local Policy to be useful
- To support later investigations, enabling Local (or Group) Policy for Audit Policy is recommended with some of the minimum actions as follows:
  - Audit account logon events: Success, Failure
  - Audit account management: Success, Failure
  - Audit policy change: Success, Failure
  - Audit privilege use: Success, Failure

Local Logging: Linux Log
Linux Log
- Linux logs are the records of events in the Linux OS
- Most of the Linux logs are located at /var/log in plain ASCII text format
- The system log daemon (syslogd) produces logs for the system and different programs on the Linux operating system

Different Linux Log Files
- /var/log/messages: general messages and system-related stuff
- /var/log/httpd: Apache access and error logs directory
- /var/log/secure: authentication logs
- /var/log/lighttpd: lighttpd access and error logs directory
- /var/log/kern.log: kernel logs
- /var/log/boot.log: system boot log
- /var/log/cron.log: cron logs
- /var/log/mysqld.log: MySQL database server log
- /var/log/maillog: mail server logs
- /var/log/qmail/: qmail log directory (more files inside this directory)
- /var/log/wtmp or /var/log/utmp: login records file
- /var/log/yum.log: yum command log file

Linux Log Format
The format of a Linux log file selector: type/tag of log . severity of log  log file location (type of log entry). For example, mail.* /var/log/maillog: all severity logs pertaining to mail are written to /var/log/maillog

Severity Level and Value of Linux Logs

Severity  | Value | Keyword | Description
Emergency | 0     | emerg   | System is unusable
Alert     | 1     | alert   | Action must be taken immediately
Critical  | 2     | crit    | Critical
conditions
Error     | 3     | err     | Error conditions
Warning   | 4     | warning | Warning conditions
Notice    | 5     | notice  | Normal but significant condition
Info      | 6     | info    | Informational messages
Debug     | 7     | debug   | Debug-level messages

Monitoring and Analysis of Linux Logs
Commands used to monitor and analyze Linux log files:
- The less command displays the contents of a text file one page (one screen) at a time: less [filename]
- The more command displays as many lines from a text file as the screen can fit: more [filename]
- The grep command is used for searching a specific string in a file: grep "search_string" [filename]
- The head command displays the first lines of a file: head [-n] [filename]

Local Logging: Mac Logs

Mac Logs
- macOS events can be configured manually to log activities such as:
  - User privilege escalation
  - Application malfunctioning
  - Installation of software
  - File system events

Types of Logs in Mac
- Firewall log details are stored in the appfirewall.log file, found at /private/var/log/appfirewall.log
- The user's home directory contains operating system component and third-party applications' log information, found in ~/Library/Logs
[Diagram: Console application with the list of log files]

Mac Log Files
- CrashReporter: ~/Library/Logs/CrashReporter/; application usage history and application crash information are written to this file
- access_log: /var/log/cups/access_log; printer access information
- error_log: /var/log/cups/error_log; printer connection information and its error logs are found here
- daily.out: /var/log/daily.out; network interface history log
- samba.log: /var/log/samba.log; Samba (Windows-based machine) connection information
- Logs: ~/Library/Logs; home directory user and application-specific logs can be found here
- DiscRecording.log: ~/Library/Logs/DiscRecording.log; home user CD and DVD media burning log is written to this file
- DiskUtility.log: ~/Library/Logs/DiskUtility.log; this file contains hard disk partitioning logs, CD/DVD burned media log, ISO/DMG disk image files mount/unmount
history and file permission repair history
- iChatConnectionErrors: ~/Library/Logs/iChatConnectionErrors; log history of iChat connection attempts with details such as username, IP address, and the date and time of the attempt
- iSync: ~/Library/Logs/Sync; this log file gives information on synchronized Mac systems and mobile devices, such as cell phones and iPods, and their files with date and time

Log Format in Mac System
- A Mac computer system follows the standard Unix log format; most of the logs can be found in plaintext form
- Syntax: MMM DD HH:MM:SS Host Service: Message
[Sample system.log kernel entries (mach_kernel messages); text illegible in the source]

Monitoring and Analysis of Mac Logs

System Logs
- system.log gives the details of issues regarding the whole Mac system such as DNS, networking, and system messages, etc.
- The file is located at /private/var/log/system.log

Monitoring and Analysis of Mac Logs (Cont'd)

Finding Logs Using "Go to folder"
- Use the "Go to folder" utility for opening the required log folder, or use the Cmd+Shift+G key combination to open the "Go to folder" utility
- Example: to find the application logs such as web server, Windows sharing components, firewall (apache, samba, ipfw), etc., specify /private/var in the "Go to the folder" box

Monitoring and Analysis of Mac Logs (Cont'd)

Searching for a Particular Log
Method 1
- Search for the specific log of interest using the Spotlight search option
- Provide additional parameters to refine the search
Method 2
- Complex log search can be done
by selecting File > New Database Search
- Customized filters can be implemented in the popped-up dialog box
- Granular search is possible

Local Logging: Firewall Logs

Firewall Logging
- The logging capability of the firewall about users' activity in the network is known as firewall logging
- Attackers leave their footprints when trying to pass through a firewall. Investigate firewall logs to get base information and to investigate the attack
- Firewall logging, regarding "allow" events, is useful for getting information on potential security threats to the network
[Diagram: firewall between private network and public network]

Monitoring and Analysis of Firewall Logs
- Convert the firewall logs into a standard format (normalization), as it simplifies the reviewing and analyzing process
- Reviewing and analyzing the firewall logs lists out the source IP addresses that accessed the network, bandwidth used, events that occurred, etc.

Steps of Firewall Log Analysis
- Step 1: Find the location of the log file in the local computer/server
- Step 2: Identify and analyze the fields in the firewall logs to collect evidence (source address, destination IP address, and the action performed by the firewall)
- Step 3: Identify the location of the source address using IP address tracking tools
Note: firewall logs are recorded only when firewall logging is enabled

Windows Firewall Log
- Windows Firewall (if enabled) logs all activities that occurred in a network/system
- Every time an attacker tries to break through a Windows firewall, the details of the entry are recorded in a log file
- Location of the Windows Firewall log:
  - The default firewall log location in Windows is C:\Windows\system32\LogFiles\Firewall
  - Open the file named pfirewall.log
Note: Windows firewall logging should be enabled to record firewall logs

Monitoring and Analysis of Windows Firewall Log
[Screenshot: pfirewall.log opened in Notepad]
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
[Sample pfirewall.log rows: ALLOW UDP entries with date, time, source/destination IP and port, size, and path SEND; values illegible in the source]

Mac OS X Firewall Logs
- The default location of the firewall log file in Mac is /private/var/log/
- Log files are saved as appfirewall.log; open the recent log file

Linux Firewall: iptables
- iptables is a rule-based inbuilt firewall in different versions of the Linux operating system
- iptables logs messages to the /var/log/messages file through the Linux syslogd daemon

Sample Firewall Log File
[Sample iptables kernel log entries (IN=eth0 OUT= MAC=... SRC=... DST=... PROTO=TCP SPT= DPT= ...); values illegible in the source]

Monitoring and Analysis of iptables logs
- Use the grep command for finding recent iptables logs
- Execute the command to get the details of recent logs in iptables
[Sample command output illegible in the source]
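The pfirewall.log layout described above (a #Fields header followed by space-separated rows) is the W3C extended log format, and the same header-driven parsing applies to any log in that format. The following is an added example, not code from the module; the log rows are constructed and labelled as such:

```python
"""Parse a W3C extended-format log (Windows Firewall pfirewall.log here) and summarize DROP events."""
from collections import Counter, defaultdict

# Constructed sample in the pfirewall.log layout (header plus data rows); not real traffic.
PFIREWALL_SAMPLE = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2018-10-24 16:25:02 ALLOW UDP 192.168.0.124 192.168.0.1 65489 53 0 - - - - - - - SEND
2018-10-24 16:25:02 ALLOW UDP 192.168.0.124 239.255.255.250 62565 1900 0 - - - - - - - SEND
2018-10-24 16:25:06 DROP TCP 10.0.0.9 192.168.0.124 51553 22 52 S 0 0 64240 - - - RECEIVE
2018-10-24 16:25:06 DROP TCP 10.0.0.9 192.168.0.124 51554 23 52 S 0 0 64240 - - - RECEIVE
2018-10-24 16:25:07 DROP TCP 10.0.0.9 192.168.0.124 51555 445 52 S 0 0 64240 - - - RECEIVE
2018-10-24 16:25:07 DROP TCP 10.0.0.9 192.168.0.124 51556 3389 52 S 0 0 64240 - - - RECEIVE
2018-10-24 16:25:09 DROP ICMP 172.16.5.5 192.168.0.124 - - 60 - - - - 8 0 - RECEIVE
2018-10-24 16:25:38 ALLOW TCP 192.168.0.124 172.217.163.206 49237 443 0 - 0 0 0 - - - SEND
"""

# Columns that carry numbers when present; "-" means "not applicable" in this format.
NUMERIC_FIELDS = ("src-port", "dst-port", "size", "tcpwin", "icmptype", "icmpcode")


def parse_w3c(text):
    """Return one dict per data row, keyed by the column names from the #Fields directive."""
    fields = None
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names follow the directive
            continue
        if line.startswith("#"):
            continue                        # other directives (#Version, #Software, ...)
        if fields is None:
            raise ValueError("data row encountered before #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue                        # skip a malformed or truncated row
        rec = dict(zip(fields, values))
        for key in NUMERIC_FIELDS:
            if key in rec:
                rec[key] = None if rec[key] == "-" else int(rec[key])
        records.append(rec)
    return records


def drops_by_source(records):
    """Count DROP records per source IP: the first view an analyst wants of the log."""
    return Counter(r["src-ip"] for r in records if r["action"] == "DROP")


def port_sweep_sources(records, min_ports=3):
    """Sources whose dropped inbound TCP packets hit at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "DROP" and r["protocol"] == "TCP" and r["path"] == "RECEIVE":
            ports[r["src-ip"]].add(r["dst-port"])
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    recs = parse_w3c(PFIREWALL_SAMPLE)
    print(drops_by_source(recs))
    print(port_sweep_sources(recs))
```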
Cisco ASA Firewall
- Cisco ASA provides advanced application-aware firewall services with identity-based access control and denial of service (DoS) attack protection
- Firewalls support multiple levels of logging. This helps to address the most critical events first

Cisco Firewall Log Format
1. Time Stamp: the date and time from the firewall clock. The default is no time stamp
2. Device ID: the firewall's host name, an interface IP address, or an arbitrary text string. The default is no device ID
3. Message ID: begins with %ASA, %PIX or %FWSM, followed by the severity level and a six-digit message number
4. Message Text: description of the event or condition that generated the message

Cisco ASA Firewall (Cont'd)

Cisco Firewall Logging Levels
- Emergencies (0): system unusable messages
- Alerts (1): immediate action required messages
- Critical (2): critical condition messages
- Errors (3): error condition messages
- Warnings (4): warning condition messages
- Notifications (5): normal but significant messages
- Informational (6): informational messages
- Debugging (7): debugging messages

Monitoring and Analyzing Cisco ASA Firewall Logs
- The show logging command generates valuable logs which are analyzed to know the present condition (enabled or disabled) of the device
- It helps in investigating the state of syslog errors, console logging, event logging, monitor logging, etc.
- Use the show logging command with the required keywords (Deny, Outside, Suspicious, etc.) to find the required firewall log message
- The grep command followed by a regular expression will yield optimum results

Monitoring and Analyzing Cisco ASA Firewall Logs (Cont'd)
Example: viewing the firewall log of the required severity by using the grep command (Firewall# show logging | grep ...)
[Sample output: %ASA messages dated Oct 24 2018; text illegible in the source]
[Sample output continued: Deny messages with src outside ... by access-group "OUTSIDE"; values illegible in the source]
- Observations from the sample: the source ports used, the destination port, and the connection from the source machine that was denied access to the destination machine

Check Point Firewall
- Check Point firewall examines all communication layers' packets and extracts the relevant communication and application state information
- Check Point Firewall uses stateful inspection technology for packet analysis
- It is integrated with an inspection module that lives in the O/S kernel
- The inspection module operates below the network layer, inspecting all the traffic before it reaches the O/S
- This leverages high performance as it saves the OS's processing time and resources

Monitoring and Analyzing Check Point Firewall Logs
- The fw log command is used to display the log file content
- Syntax: fw log [-f [-t]] [-n] [-l] [-o] [-c action] [-h host] [-s starttime] [-e endtime] [-b starttime endtime] [-u unification_scheme_file] [-m unification_mode(initial|semi|raw)] [-a] [-k (alert_name|all)] [-g] [logfile]
  - -f: continue displaying the file as the logs are being written
  - -t: display only newly added records
  - -n: used to speed up the process by not performing IP address DNS resolution in the log files
  - -l: display both the date and time for each log record
  - -o: display detailed log chains (all the log segments a log record consists of)
  - -c action: display only events whose action is accept, drop, reject, authorize, deauthorize, encrypt or decrypt
  - -h host: only display the logs of the specified host name/address
  - -s starttime: show events that were logged after the specified time
  - -e endtime: show events that were logged before the specified time
  - -b starttime endtime: show events that were logged between the specified start and end times

Monitoring and Analyzing Check Point Firewall Logs (Cont'd)
  - -u unification_scheme_file: this file specifies the unification mode
  - -m unification_mode: the unification mode can be initial (the default, complete unification of log records); semi (step-by-step unification that, for each log record, outputs a record that unifies this record
with all previously encountered records with the same ID); or raw (output all records, without unification)
  - -a: display account log records only
  - -k alert_name: display only events that match a specific alert type. The default is all
  - -g: do not use delimited style
  - logfile: the default log file is $FWDIR/log/fw.log

Monitoring and Analyzing Check Point Firewall Logs (Cont'd)
- Each line of the fw log command's output represents a single log record, and each line appears in the following format: [<date>] <origin> <alert> [field name: field value;]...
[Diagram: fw log sample output with time, action, origin, interface direction and name, and alert labelled]

Local Logging: Router Logs

Cisco Router Log
- Router log messages do not contain numerical identifiers that assist in identifying the messages
- A message includes a maximum of 80 characters and a percentage sign (%), followed by optional sequence number or timestamp information, if configured

Router log messages that are most likely to be useful when analyzing security-related incidents:
- %SEC-6-IPACCESSLOGDP: a packet matching the log criteria for the given access list has been detected
- %SEC-6-IPACCESSLOGNP: a packet matching the log criteria for the given access list has been detected
- %SEC-6-IPACCESSLOGP: a packet matching the log criteria for the given access list has been detected (TCP or UDP)
- %SEC-6-IPACCESSLOGRL: some packet-matching logs were missed because the access list log messages were rate-limited or no access list log buffers were available
- %SEC-6-IPACCESSLOGRP: a packet matching the log criteria for the given access list has been detected
- %SEC-6-IPACCESSLOGS: a packet matching the log criteria for the given access list has been detected
Monitoring and Analysis of Router Logs
- show logging helps in investigating the state of syslog errors, console logging, event logging and host addresses
- It will help in finding to what levels the various outputs are set, and where ultimately the output is sent

Monitoring and Analysis of Router Logs (Cont'd)
- Use the show logging command with the include filter to search for specific keywords in the router logs
- In this example, show logging | include is used with a host address to list the %SEC-6-IPACCESSLOGP messages (list 185 denied tcp ... -> host(port), N packet) that involve it
[Sample output: %SEC-6-IPACCESSLOGP messages from list 185; values illegible in the source]
- The show logging | include list 185 command displays all the logs generated by access control list 185

Monitoring and Analysis of Router Logs (Cont'd)
- Use the include command with regular expressions for identifying intrusions
- Example of using regular expressions: Router# show logging | include ...
[Sample output illegible in the source]

Local Logging: Web Server Logs

Internet Information Services (IIS) Logs
- Internet Information Services (IIS) is a web server for Windows
- The log files are located by default at: [path illegible in the source]
- IIS 6.0 consists of many log files; the log file formats provide different information such as the user's IP address and the different sites visited by the user with date and time
- An IIS log file provides useful information regarding the person who visited your site, what information was viewed and when it was viewed, the activity of various web applications, etc.
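Both the ASA message IDs (%ASA-severity-number) and the router messages (%SEC-6-IPACCESSLOGP) described in the sections above follow the %FACILITY-SEVERITY-MNEMONIC pattern, so one parser can triage either by the severity table given for the ASA. This is an added example, not code from the module; the log lines are constructed and use documentation IP ranges:

```python
"""Parse Cisco syslog message IDs (%FACILITY-SEVERITY-MNEMONIC) and filter them by severity or regex."""
import re

# Severity levels as listed in the Cisco ASA logging-level table.
SEVERITY_NAMES = {0: "Emergencies", 1: "Alerts", 2: "Critical", 3: "Errors",
                  4: "Warnings", 5: "Notifications", 6: "Informational", 7: "Debugging"}

# Constructed sample lines in ASA and IOS router style (timestamp and device ID are optional in both).
SAMPLE_LINES = [
    'Oct 24 2018 10:34:48 fw01 : %ASA-6-302013: Built inbound TCP connection 4123 for '
    'outside:203.0.113.5/51234 (203.0.113.5/51234) to inside:192.0.2.10/443 (192.0.2.10/443)',
    'Oct 24 2018 10:34:49 fw01 : %ASA-4-106023: Deny tcp src outside:203.0.113.7/46855 '
    'dst inside:192.0.2.20/22 by access-group "OUTSIDE" [0x0, 0x0]',
    '002097: Mar 28 2018 12:20:58.994 EDT: %SEC-6-IPACCESSLOGP: list 185 denied tcp '
    '198.51.100.4(1027) (FastEthernet0/1 0007.e980.9ead) -> 192.0.2.4(80), 1 packet',
    '%ASA-2-106016: Deny IP spoof from (192.0.2.10) to 192.0.2.1 on interface outside',
    'Oct 24 2018 10:35:01 fw01 : this line carries no message id and is skipped',
]

# header = optional sequence number / timestamp / device ID; then the message ID and text.
MSG_RE = re.compile(
    r'^(?P<header>.*?)%(?P<facility>[A-Z][A-Z0-9_]*)-(?P<severity>[0-7])-'
    r'(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$'
)


def parse_cisco_line(line):
    """Return the message components, or None when the line has no %...-N-... message ID."""
    m = MSG_RE.match(line)
    if not m:
        return None
    sev = int(m.group("severity"))
    header = m.group("header").strip().rstrip(":").strip()
    return {"header": header, "facility": m.group("facility"), "severity": sev,
            "severity_name": SEVERITY_NAMES[sev], "mnemonic": m.group("mnemonic"),
            "text": m.group("text")}


def parse_cisco_log(lines):
    parsed = (parse_cisco_line(line) for line in lines)
    return [p for p in parsed if p is not None]


def at_most_severity(records, max_level):
    """Address the most critical events first: keep records with numeric level <= max_level."""
    return [r for r in records if r["severity"] <= max_level]


def matching(records, pattern):
    """The equivalent of 'show logging | include <regex>' over parsed records."""
    rx = re.compile(pattern)
    return [r for r in records if rx.search(r["text"])]


if __name__ == "__main__":
    for rec in at_most_severity(parse_cisco_log(SAMPLE_LINES), 4):
        print(rec["severity_name"], rec["mnemonic"], rec["text"])
```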
- Proper analysis of IIS log files will also provide demographic information and the usage of the IIS server

Monitoring and Analyzing Log Files in IIS
- Open the log file in a text editor; the six digits of the log file name represent the day, month, and year when the file was created
- Trace the header information line that starts with "#Fields"; the line is used to determine the corresponding values of each column
- Identify when the request is created with the date and time; "s-sitename" and "s-computername" indicate which server responded to the request
- Identify who visited the web server with "c-ip" (the visitor computer's IP address)
- The "cs-method" column contains "POST" or "GET" based on the request made by the visitor's browser; "cs-uri-stem" and "cs-uri-query" represent the resource (image/website) requested by the visitor
- Use the "sc-status" column to find out the capability of the server in responding to the request, and "cs(User-Agent)" to find out which type of browser is used by the visitor

Monitoring and Analyzing Log Files in IIS (Cont'd)
[Sample IIS log file: #Version: 1.0, #Date: 2020-04-08 12:42:22, #Fields: date time c-ip cs-method cs-uri-stem cs-uri-query s-port cs(User-Agent) sc-status ..., with the server IP address, date/time, request method, resource and status annotated; values illegible in the source]

Apache Logs
- Apache maintains an error log and an access log to monitor the server
- Two primary log files of the Apache server:
  - Access Log: records a file of all incoming and processed requests. The location and content of the access log depend on the CustomLog directive
  - Error Log: the Apache error log records the problems encountered in the server. The ErrorLog configuration directive is used to create error logs

Monitoring and Analysis of Apache Log

Access Logs
- Default Apache access log file location in various OS:
  - FreeBSD: /var/log/httpd-access.log
  - Debian/Ubuntu Linux: /var/log/apache2/access.
log
  - RHEL/Red Hat/CentOS/Fedora Linux: /var/log/httpd/access_log
[Diagram: access log entry with remote host, remote username, date/time/timezone, method (GET/POST/HEAD), requested resource, protocol, status code and size annotated]

Monitoring and Analysis of Apache Log (Cont'd)

Error Logs
[Diagram: error log entry with time stamp, the module that produces the message, severity of the error (log level value), thread ID, the client's address that requested the resource (/usr/local/apache2/htdocs/favicon.ico in the sample), and the detailed error message annotated]

Centralized Logging

Why Centralized Logging?
- Virtually every device or application on the network has a capability to generate its own logs in some form or another
- Each of these devices can generate thousands to tens of thousands of events per day in their log files
- Analyzing these log files can overwhelm the staff who monitor and analyze them. He/she will have hundreds of log files to choose from to detect signs of an incident

Centralized Logging
- In centralized logging, logs from different devices and applications on the network are collected to one central location
- This helps staff to clearly and quickly monitor, analyze, and review the logs for any anomalies
- Centralized log management capabilities:
  - Stores logs from different sources in one central location
  - Easily access the important data from log files
  - Generates alerts based on the metrics defined on the log
  - Quickly shares the dashboard and log information with others

Centralized Logging Infrastructure
- Log management architecture generally consists of three different tiers:
  - Log Generator: consists of the hosts that generate the log data
  - Log Collection Server (Log Server): consists of one or more log servers that receive the log data; it stores the collected log data on the log server or on a separate database server
  - Log Monitoring: it is used to monitor and review the log data; it can also be used to generate the reports
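A centralized log server has to turn the two Apache formats described above (access log and error log) into one schema before the entries can be reviewed together, which is exactly what the module's normalization and correlation steps call for. The following is an added example, not code from the module; the log lines are constructed, and because the error log carries no UTC offset the server's local offset (+02:00) is an explicit assumption:

```python
"""Normalize Apache access-log and error-log lines into one schema and correlate them by client IP."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample lines (documentation IP ranges); not taken from a real server.
ACCESS_SAMPLE = """\
198.51.100.23 - - [08/Apr/2020:14:43:01 +0200] "POST /wp-login.php HTTP/1.1" 403 199 "-" "Mozilla/5.0 (Windows NT 10.0)"
203.0.113.9 - - [08/Apr/2020:14:43:05 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "curl/7.68.0"
198.51.100.23 - - [08/Apr/2020:14:43:09 +0200] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0 (Windows NT 10.0)"
"""
ERROR_SAMPLE = """\
[Wed Apr 08 14:43:09.512345 2020] [core:error] [pid 1326:tid 140] [client 198.51.100.23:51890] File does not exist: /usr/local/apache2/htdocs/favicon.ico
[Wed Apr 08 14:43:20.000001 2020] [mpm_event:notice] [pid 1300:tid 100] Apache/2.4.41 configured -- resuming normal operations
"""

# Assumption: the error log has no UTC offset, so the server's local offset is supplied explicitly.
SERVER_OFFSET = timezone(timedelta(hours=2))

# Combined log format: host ident user [time] "method uri protocol" status size "referer" "user-agent"
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]+" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?$'
)
# Error log: [time] [module:level] [pid N:tid N] [client ip:port] message (client part optional)
ERROR_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[(?P<module>[a-z_]+):(?P<level>[a-z]+)\] '
    r'\[pid (?P<pid>\d+)(?::tid (?P<tid>\d+))?\](?: \[client (?P<client>[^\]]+)\])? (?P<msg>.*)$'
)


def _utc(dt):
    """Common timestamp representation: ISO 8601 in UTC, so both sources sort together."""
    return dt.astimezone(timezone.utc).isoformat()


def normalize_access(text):
    events = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        events.append({"ts": _utc(ts), "source": "apache_access", "client_ip": m.group("ip"),
                       "status": int(m.group("status")), "level": None,
                       "detail": f'{m.group("method")} {m.group("uri")}', "user_agent": m.group("ua")})
    return events


def normalize_error(text, offset=SERVER_OFFSET):
    events = []
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S.%f %Y").replace(tzinfo=offset)
        client = m.group("client")                      # "ip:port" or absent for server-wide messages
        events.append({"ts": _utc(ts), "source": "apache_error",
                       "client_ip": client.rsplit(":", 1)[0] if client else None,
                       "status": None, "level": m.group("level"),
                       "detail": f'{m.group("module")}: {m.group("msg")}', "user_agent": None})
    return events


def failures_by_client(events):
    """Correlate across both normalized sources: 4xx/5xx responses plus error-level entries per client."""
    hits = Counter()
    for e in events:
        failed = (e["status"] is not None and e["status"] >= 400) or \
                 e["level"] in ("error", "crit", "alert", "emerg")
        if failed and e["client_ip"]:
            hits[e["client_ip"]] += 1
    return hits


if __name__ == "__main__":
    timeline = sorted(normalize_access(ACCESS_SAMPLE) + normalize_error(ERROR_SAMPLE), key=lambda e: e["ts"])
    for e in timeline:
        print(e["ts"], e["source"], e["client_ip"], e["detail"])
    print(failures_by_client(timeline))
```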
Centralized Logging Infrastructure (Cont'd)
[Diagram: log generators sending logs to the log collection server and log analysis server]

Centralized Logging, Monitoring, and Analysis Process
Log Collection > Log Transmission > Log Storage > Log Normalization > Log Correlation > Log Analysis > Alerting and Reporting

Step 1: Log Collection
- Log collection is the process of collecting log messages from the different sources to the database in a central location
[Diagram: switch, firewall, IDS and other sources feeding the central log database]

Step 2: Log Transmission
- The logs are transmitted to the central location using various log transport mechanisms
- Typical log transport mechanisms are:
  - Syslog UDP
  - Syslog TCP
  - Encrypted syslog
  - SNMP
  - SOAP over HTTP
  - SMB
  - File transfer protocols such as FTP or SCP
- An efficient log transport mechanism should:
  - Maintain integrity, availability, and confidentiality of log data
  - Maintain log format and meaning
  - Represent all the events correctly with perfect timings and event sequence

Example: Syslog Log Transport Mechanism
- Syslog is a data logging service which enables network devices such as routers, switches, firewalls, printers, web servers, etc. to send and store logging of events and information on a logging server
- The logging server is a dedicated server called the Syslog Server, and the events sent are called Syslog Messages
- Syslog stores consolidated logs from multiple devices in a single location
- Components of Syslog:
  - Syslog listener
  - Database
  - Management and filtering software
Example: Syslog Log Transport Mechanism (Cont'd)
[Diagram: syslog message format and example; labelled parts include the priority number, host name and message ID]

Step 3: Log Storage
- All the log files collected from various devices are stored in a central repository/database
- Log messages are stored in and retrieved from databases in a structured way
- The storage requirements for log data are selected based on its size, importance, and accessibility:
  - Different storage systems are used for the applications that generate different amounts of logs
  - The storage system should be selected based upon the access required; some storage systems cannot be used for real-time analysis
  - The storage duration for logs can be different depending upon the type of logs
  - The logs that require to be analyzed later are archived and can be stored on the cloud, which costs less for large amounts of data
  - The logs required to be analyzed frequently or to be stored for a short period of time are stored in a distributed storage system
  - The storage system used for storing logs should be highly scalable and should be able to function properly even with large amounts of data

Step 4: Log Normalization
- Log normalization is the process of accepting data from heterogeneous sources with different formats and converting them into a common format
- During normalization, raw log data is collected from different sources and proper parsing expressions are used to normalize the data
Theloge are mapped withthe standard scheme or framework to parse the det log analysis systems use 2 regular expression to parse the date Lag messages are categorized into a more meaningful, predictable, and consistent plece of information after rarmalizetion ry earns Step 4: Log Normalization (Cont'd) — ' ' 1 log Normalization Steps: 1 1 \ ' wesune | 1 [seresteen| 1 ernaizator 1 eet 1 ' 1 © The logcollectorcollects logs from ' ‘ various sources Ipeeeeeest wees i itonaae 11 i © source types idence based on the {ete vente ipatt 1 =e ee " ' nee: | | ame [eee feces HY Beacons spassie | == © horserislosded and regexisset 0 cemtae| (ae rr identy the ial in the event HiSoeeeaongo | Vecelelsnacane 1 | eemenie | ess iSieeoaee: tT 1) =a) [eters Veash 8 Thenormalzston is cone and the ean) REE eae | logs sre categorized ees ! ' ' pore aupoee tS he : © Aggregation and teringisaplied & The same s repeated for each event aa Ali Resend Reproduton Stich Prehibed Step 5: Log Correlation C SA J sssorecone nent mnie ctaiasn idea rn wslnuclenacensaesol ike | | SR ies a ac RT cA eS er aa er | Types of Correlation Micro-evel Correation Macro-level Correlation © ivacro-bve! coreleton eans information trom rule conelation, vulnerbllty correlation, profie (irgerannt) coraation, art port correlator, wach Ist orrelation, ane geogreptie locaton oraation to validate anc gah intelligence on event stream & recorroletes fields within a single evart or set of events. 
tis also Inown asatomecomeation It comprises fe corcation an rub correatien gra Yexened | Step 6: Log Analysis C SA @ Log enalysis is « process of identifying the petterns end anomalies in the correlated log dete that signifies the activity of eny intrusion attempt or policy vialation @ An inteligent decision is made based on patterns and anomalies found in log data to identify and confirm theincident @ Log analysis can faciitate system troubleshooting, forensics, security incident response, and etfective managementof applications and infrastructure Loganalysis an facilitate: © crecking whetherinternal policies, regulations, ang eusiesare being followee or not \} Q toenttying ane esovng the securty inicents occurred Q Troablesnecting the systens, comauters, or networks @ ieentfyinathe user behavior © perfering security aventforensles In incident investigation Q teenetyingachange in pattam of logs which inceates an incre © enhancing secuity aarenass er ee ny log Analysis Approaches © Automated log analysis overcomes the {anc analysis of tne retrieved logs based on difficulties of manual log analysis the experience and knowledge of the examiner without using any software tools © In automatic log analysis, al the phasesin log analysis re executed sequentially with ‘minimal human interaction © Manual loganalsisis considered as complex es there are diferent log form: and orly experts can carryit out aes Rese routes Log Analysis Best Practices Log analysis system should be synchronized withthe NTP server, to sort-out uming differences between the systems Log analysis should always be considared as a proactive secunty initiative rather than a reactive one as t is often performed attar the occurrence of the incident ‘Automate the log analyse process 2¢ it taxes lass time, and human Interaction ls minimal Review and analyze the logs at regular intervale Step 7: Alerting and Reporting Zn alerting system in a centralized logging application alerts the user if any suspicious 
event is observed in the lags or calculated matrices Purpose of the alerting system: @ cror reporting 8 monttoring aa What is an Alert? fe) Aere isa waduated event wich notes that partcuar even (or res of evens) has reached a speced thraold nd ed proper tore by mtporale artis ‘i it generates incidents and/or issue tickets, indicating that something is wrong end requires immediate ‘attention nd mentoring ae Centralized Logging Best Practices @ —_xiretossng testes enabled on the network devices | ©. Sachem shyness fis | © emeemansumnunsueasnmene err re ery Centralized Logging/Log Management Tools | Gam | | & xs ei. ee |. oe. | [a oe. | [eee | | Lo =. | 6 =. [eo ox | [Ss ste | [oe | Centralized Logging Challenges Existence of many log sources due 10 many hosts throughout the organization Different log sources ganerate logs of diferat log format, which makes dificult to review Managing the available resources with the-cortinucuthInerating log data \With the charging threst landscape, it's ficult to perform monitoring ising existing caabilties Difficulty in determining the purpose and importance of data sources The timestamp everylog i set using its intemal clack, (she host's clack is incorrect, ther it male mare complicated when the logs 2re collecced fram multiple haste) CCCCCES conte © jult to analyze the logs and even Module Summary la an i> ‘@ Logs play 2 pivotal role in incident detection | Almost every device on the network has the capability to produce logs | The log file contains various types of information which help provide valuable and actionable Information {@ Monitoring and analyzing log fies of different devices locally can be a difficult task. 
Centralized logging helps you to simplify the process @ in centralized loging, logs from different devices and applications on the network are collected to the ane central location @ Centralized logging, monitoring, and analysis ar= done through a series of steps, which includes Log Collection, Log Transmission, Log Storage, Log Normalization, Log Correlation, Log Analysis, Alerting, and Regorting arr
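The syslog transport described under Step 2 prefixes every message with a priority number, and the message-format figure on the syslog slide did not survive extraction. The following added example, which is not part of the module and not the course's own code, parses the BSD syslog format defined in RFC 3164 and decodes the PRI value into facility and severity (PRI = facility * 8 + severity). The sample message is the one given in RFC 3164 itself; the handling of a message that arrives without a PRI follows the same RFC, which tells a relay to assume priority 13.

```python
"""Parse BSD-syslog (RFC 3164) messages and decode the PRI field.

Added example for the syslog transport step; not code from the original
module.  Assumes the RFC 3164 wire format: "<PRI>Mmm dd hh:mm:ss HOST TAG[pid]: MSG".
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Facility codes 0-23 as numbered in RFC 3164 section 4.1.1
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
# Severity codes 0-7
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# PRI is the decimal value facility * 8 + severity, enclosed in angle brackets
PRI_RE = re.compile(r"^<(\d{1,3})>")
# TIMESTAMP is "Mmm dd hh:mm:ss" (day space-padded), then HOSTNAME, then TAG[pid]: MSG
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?:\s?(?P<msg>.*)$"
)


@dataclass
class SyslogMessage:
    facility: str
    severity: str
    timestamp: str
    host: str
    tag: str
    pid: Optional[int]
    msg: str
    pri_defaulted: bool  # True when the message carried no valid PRI


def decode_pri(pri: int) -> Tuple[str, str]:
    """Split a PRI value into (facility, severity) names.  Valid range is 0-191."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_syslog(line: str) -> SyslogMessage:
    """Parse one RFC 3164 message.

    A missing PRI is treated as <13> (user.notice), which is what RFC 3164
    section 4.3.3 instructs a relay to assume.  An out-of-range PRI is left in
    place, so the header match below fails and the message is rejected.
    """
    line = line.rstrip("\r\n")
    pri, pri_defaulted = 13, True
    m = PRI_RE.match(line)
    if m and 0 <= int(m.group(1)) <= 191:
        pri, pri_defaulted = int(m.group(1)), False
        line = line[m.end():]
    facility, severity = decode_pri(pri)
    h = HEADER_RE.match(line)
    if not h:
        raise ValueError(f"not an RFC 3164 header: {line!r}")
    return SyslogMessage(
        facility, severity, h["ts"], h["host"], h["tag"],
        int(h["pid"]) if h["pid"] else None, h["msg"], pri_defaulted,
    )


# Sample message from RFC 3164 section 5.4: <34> = facility 4 (auth) * 8 + severity 2 (crit)
RFC3164_EXAMPLE = "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8"

if __name__ == "__main__":
    print(parse_syslog(RFC3164_EXAMPLE))
```

Because the PRI travels in clear text and is set by the sender, a collector should treat facility and severity as hints from the device rather than as trusted classification; the normalization step assigns its own categories.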
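Step 4 describes normalization as identifying the source type, loading a parser with a regex, mapping the fields onto a common schema, categorizing the event and then aggregating. The following added example, which is not the module's code, carries those steps out over three constructed log lines: a Linux auth.log sshd entry, an Apache combined access-log entry, and a made-up key/value firewall line. Host names, addresses and user names are invented; the year attached to the auth.log timestamps is an assumption, because that format omits it.

```python
"""Normalize heterogeneous log lines into one common schema.

Added example for the log normalization step; not code from the original
module.  Sample lines are constructed.  Formats: Linux auth.log (sshd),
Apache combined access log, and an assumed vendor-neutral "ACTION=" firewall line.
"""
import re
from collections import Counter
from datetime import datetime, timezone

ASSUMED_YEAR = 2024  # auth.log timestamps carry no year; assumed for the sample

# Source identification: the first regex that matches decides the source type,
# and the same regex is the parser for that type.
PARSERS = {
    "linux_auth": re.compile(
        r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
        r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
        r"from (?P<src_ip>[\d.]+) port \d+"
    ),
    "apache_access": re.compile(
        r'^(?P<src_ip>[\d.]+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
        r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
    ),
    "kv_firewall": re.compile(
        r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<host>\S+) FW: "
        r"ACTION=(?P<action>ALLOW|DENY) SRC=(?P<src_ip>[\d.]+) DST=(?P<dst_ip>[\d.]+) DPT=(?P<dport>\d+)"
    ),
}


def identify_source(line):
    """Return (source_type, match) for the first parser that matches, else (None, None)."""
    for name, rx in PARSERS.items():
        m = rx.match(line)
        if m:
            return name, m
    return None, None


def normalize(line):
    """Map one raw line onto the common schema: timestamp, source_type, host,
    src_ip, user, category, outcome, raw.  Unparsed lines are kept, not dropped."""
    source, m = identify_source(line)
    if source is None:
        return {"source_type": "unknown", "category": "unparsed", "raw": line}
    g = m.groupdict()
    if source == "linux_auth":
        ts = datetime.strptime(f"{ASSUMED_YEAR} {g['ts']}", "%Y %b %d %H:%M:%S")
        return {"timestamp": ts.replace(tzinfo=timezone.utc), "source_type": source,
                "host": g["host"], "src_ip": g["src_ip"], "user": g["user"],
                "category": "authentication",
                "outcome": "success" if g["result"] == "Accepted" else "failure", "raw": line}
    if source == "apache_access":
        status = int(g["status"])
        return {"timestamp": datetime.strptime(g["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                "source_type": source, "host": None, "src_ip": g["src_ip"],
                "user": None if g["user"] == "-" else g["user"], "category": "web_access",
                "outcome": "denied" if status in (401, 403) else ("success" if status < 400 else "failure"),
                "raw": line}
    ts = datetime.strptime(g["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"timestamp": ts, "source_type": source, "host": g["host"], "src_ip": g["src_ip"],
            "user": None, "category": "network",
            "outcome": "blocked" if g["action"] == "DENY" else "allowed", "raw": line}


def summarize(events):
    """Aggregation step after normalization: count (category, outcome) pairs."""
    return Counter((e["category"], e.get("outcome")) for e in events)


# Constructed sample input (not real log data)
SAMPLE_LINES = [
    "Jan 12 10:15:01 bastion sshd[2210]: Failed password for invalid user admin from 198.51.100.23 port 40112 ssh2",
    "Jan 12 10:15:09 bastion sshd[2210]: Accepted publickey for ops from 10.0.0.9 port 51514 ssh2",
    '198.51.100.23 - - [12/Jan/2024:10:15:03 +0000] "GET /wp-login.php HTTP/1.1" 403 199 "-" "curl/8.4.0"',
    "2024-01-12T10:15:05Z edge-fw FW: ACTION=DENY SRC=198.51.100.23 DST=10.0.0.9 DPT=3389",
    "garbage line that no parser understands",
]

if __name__ == "__main__":
    events = [normalize(line) for line in SAMPLE_LINES]
    for e in events:
        print(e)
    print(summarize(events))
```

All timestamps are converted to timezone-aware UTC values, which is the normalization-side counterpart of the NTP best practice under Step 6: events from different hosts can only be ordered once they share a clock reference.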
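Steps 5 and 7 cover rule correlation across events and the threshold-based alert that results. The module's own incident example is a run of login failures followed by a login success; the following added example, which is not the module's code, implements that as one correlation rule over events already in a normalized schema (timestamp, src_ip, category, outcome), using a sliding time window per source address. The threshold of 3 failures and the 60-second window are assumed values, and all events are constructed.

```python
"""Rule correlation with a threshold-based alert.

Added example for the log correlation and alerting steps; not code from the
original module.  Threshold and window values are assumptions; events are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Alert:
    rule: str
    severity: str
    src_ip: str
    failures: int
    at: datetime


def correlate_auth(events, threshold=3, window_s=60):
    """Rule correlation over authentication events, grouped by source address.

    - "brute_force_attempt" (medium) fires once when `threshold` failures from
      the same address fall inside a `window_s` second sliding window.
    - "success_after_failures" (high) fires when a success follows at least
      `threshold` failures from that address within the window.
    Failures older than the window are discarded, so slow, spread-out
    failures never reach the threshold.
    """
    alerts = []
    recent_failures = defaultdict(deque)  # src_ip -> timestamps of failures in window
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        if ev.get("category") != "authentication":
            continue
        src, ts = ev["src_ip"], ev["timestamp"]
        q = recent_failures[src]
        while q and (ts - q[0]) > timedelta(seconds=window_s):
            q.popleft()
        if ev["outcome"] == "failure":
            q.append(ts)
            if len(q) == threshold:  # fire exactly once as the threshold is crossed
                alerts.append(Alert("brute_force_attempt", "medium", src, len(q), ts))
        elif ev["outcome"] == "success":
            if len(q) >= threshold:
                alerts.append(Alert("success_after_failures", "high", src, len(q), ts))
            q.clear()  # a success ends the current sequence for this source
    return alerts


BASE = datetime(2024, 1, 12, 10, 15, 0)


def _ev(offset_s, src_ip, outcome, user):
    """Build one constructed normalized event `offset_s` seconds after BASE."""
    return {"timestamp": BASE + timedelta(seconds=offset_s), "src_ip": src_ip,
            "user": user, "category": "authentication", "outcome": outcome}


# Constructed normalized events (not real data)
SAMPLE_EVENTS = (
    [_ev(t, "198.51.100.23", "failure", "admin") for t in (0, 7, 15, 22)]   # rapid failures
    + [_ev(30, "198.51.100.23", "success", "admin")]                          # then a success
    + [_ev(5, "10.0.0.9", "failure", "ops"), _ev(40, "10.0.0.9", "success", "ops")]  # one mistyped password
    + [_ev(t, "203.0.113.4", "failure", "root") for t in (0, 120, 240)]       # slow, outside the window
)

if __name__ == "__main__":
    for a in correlate_auth(SAMPLE_EVENTS):
        print(a)
```

The rule fires the medium-severity alert exactly once per window rather than on every further failure, which is what keeps an alerting system from flooding the ticket queue it feeds; the high-severity alert is the one that should open an incident, since it matches the module's definition of an incident rather than of an event.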
