• Part 1: Experience with Log Management
• Part 2: Requirements, Costs and Tools

This article is the second in a series of two. In the first part we discussed how to approach log management and our experience with it. In this part, we’ll look more specifically at the requirements and costs of the various stages as well as provide an overview of some open-source tools.

Foreword

Drawing a log management infrastructure is a complex task and requires the collection and analysis of requests from different company departments. After the preparation phase and the definition of the requirements, the design of the infrastructure can begin.

Since 2005, the SANS Industry Analyst Team conducts annual surveys on installed Log management solutions; looking at the results by year, we can extrapolate the main reasons, or expectations, behind a log management solution deployment.

The graph illustrates how the various request priorities have changed over the years. Note how it has gone from Important to Critical, while the overall trend is upward for the first three and falling for the last two.

In a first phase, the systems were used for the optimization and monitoring IT infrastructure. with time, it became more important to be compliant with regulations and to track complex suspicious activity (increase of Critical versus detriment of Important). Keep this trend in mind when planning your solution.

Without pretending to exhaust the subject in these few lines, below we list, without extensive discussions, some basic criteria that we consider necessary for each component of the solution.

Infrastructure

Collect and Store

A good solution should be able to collect log data from across an enterprise regardless of their source. Syslog is the well known protocol for collecting systems log records in the UNIX world. Thanks to its relative simplicity, it has also been used in the Windows world. It is also simple to build interfaces from the different applications to send logs trough syslog infrastructure.

The system administrators should be able to remove or compress reports of events known to be uninteresting in favor of alert monitoring for events known to be interesting. But be conservative in discarding useless events, remember that the log is a friend so keep all possible messages.

Based on the requirements, tune your applications to generate the required information:

• Audit
• Transaction
• Intrusion
• Connection
• User activity log
• etc.

About 3/4 of organizations implementing log management solutions, collect logs from:

• UNIX systems
• Security devices (firewalls)
• Network devices (switches/routers)
• Network system/services (IDS/IPS/AV)
• Security applications
• Windows servers

Therefore, it is very important to not forget to sync time across devices and take care of the timezone.

Key points to consider while designing/choosing a log solution:

• Normalize collected event data into a consistent format, possibly following NIST SP-800-92.
• Collect log data with or without installing an agent on the log source.
• Reduce event data through filtering or aggregation.
• Handling peak event rates EPS; this is fundamental in case of attack.
• Transmit in a secure manner, preferable over secure TCP
• Collect from any flat-file ascii text log in real time (e.g. web server and application logs)
• Aggregate and forward logs from multiple sources from any remote site and schedule transmission if needed.
• Support of audit quality integrity mechanisms in accordance with NIST SP-800-92.
• Support chained triggers.

Report

A robust infrastructure will perform both logging and auditing and store data using configurable automated methods to summarize them. At its simplest, reporting is a selection and formatting of the data stored. Its primary goal is to make a huge amount of data readable, rendering them in graphical format or extract just a few lines having very important content.

Building a report is not trivial, it involves a deep understanding of the data and how it is stored. Good tools provide standard reports out of the box. It is preferable to pick up 10/15 of those reports, tune and use them, not start playing with Jasper Report to get a customized 3 columns table and a pie graph with company logo. Reports should:

• be concise
• point to key information with graphs (if possible)
• explain with tables

In very special cases it is preferable to create customised reports and the tool should be flexible enough to permit the creation of that report without much effort.

Key points to consider while designing/choosing a log solution:

• An intuitive reporting interface for simple queries
• A well documented database structure for complex SQL queries.
• The ability to generate baselines and trends for group of hosts, specific protocols or combination in minutes.

Interact

The first place to start for an investigation or analysis of any security incidents will be the log tool, its performance and general UI design should be intuitive enough so as to not slow down the operator. The tool must provide the ability to create customized dashboards. Ideally, the dashboards should operate in real-time and provide drill-down capabilities.

Key points to consider while designing/choosing a log solution:

• Simple, intuitive search interface usable by different users with varying skill sets.
• Search performance must be capable of searching through millions of messages in less than a minute.
• Logical segregation of log data that can be viewed by different teams.
• Search interface must provide the ability to drill-down on output data.
• Regular expression searches.
• Logical concatenation.
• Provide attack visualization
• Guided retrieval of any archived logs in seconds

Correlate

A systems administrator was told his servers will soon be outsourced. Three days later, the administrator launches a SSH session to a MySQL server, runs a mysqldump and logs the output on the desktop. Then sends 10 emails to different accounts, each containing 30 lines of what looks like garbage.

Do you want an alert? To start coding this case a lot of information must be collected from different devices, stored long enough and interpreted. The system should maintain a tree of possibilities and react if a branch ends in a case.

The correlation engine depends mainly on rules the product can use. A critical point is to have an easy rule creation process. The search function available for events is also very important, as you will need the ability to search across multiple devices, logs and timeframes.

Key points to consider while designing/choosing a log solution:

• Out of the box support of correlation policy including authentication failures, firewall security, worms.
• Correlate messages from different devices.
• Automatically define a “baseline” (Statistical/Historical correlation).
• Monitoring attack history against critical asset or by particular users.
• Correlation of different information regarding a single connection: ex. User/VPN/DHCP.
• Beyond the real time data, it must be possible to correlate with short-term historical data to detect attack pattern.

Additional points

Additional key points to consider while designing/choosing a log solution:

• Role based security model providing user accountability and access control; protect the data from the system administrator.
• Open architecture allowing direct and secure access to log data via third-party analysis and reporting tools.

Costs

Calculating how much a solution will cost is hard. Talks with our customers about SIEM experience have pointed out a minimal model:

Initial costs

• Hardware: servers/disks/databases, …
• Software: pay attention to the license model (user/CPU/cores/clients/…)
• Additional software requirements
• Training / Time to familiarize
• Initial setup of SIEM and clients/applications
• Tuning of SIEM and clients/applications
• Solution of first-time issues

Ongoing costs

• License/Support/Professional services
• Operators/Maintenance
• Review results: 50% of organizations use to invest at least 1 day/week in log analysis
• Respond to alerts

Occasional costs

• Updates (time to test new update and to apply to production systems)
• Customization/Optimization
• Expansions (add disks, CPUs, satellites)

Summary

Being tasked with planning a log management solution for your organization can be a bit overwhelming. Approaching the problem with sed/grep/awk, sorting and coloring a .csv file or directly installing a SIEM are all valid used solutions – But starting with the first one can help developing a mature concept and clarify the requests that a SIEM must satisfy.

With time, you will learn to understand your network, how different devices must work togheter to make an application run well, how they are interconnected, from which you need what information and so on. This takes time, but in the meantime you will look deep inside your infrastructure, understand how things work and prevent or resolve problems faster than before.

Once you know what you’re looking for, it will be easier to configure a SIEM, set alerts, correlate events and receive useful alerts.

In fact, before you can perform real-time analysis on all of the logs to detect threats as they occur, you need to capture all of the event data from the plethora of heterogenous event sources and store the logs in a centralized location, so start collecting today, then look inside the log, note how something should work and at the end configure a computer to check if the expectations are met.

Open-source tools

A list of useful open-source tools you can download and install on a Linux machine with relatively low effort. With these tools, you should be able to realise a pretty honest log management solution.

• Graylog2 is an open source log management solution that stores your logs in ElasticSearch. It consists of a server written in Java that accepts your syslog messages via TCP, UDP or AMQP and stores it in the database.
• ELSA is a centralized syslog framework built on Syslog-NG, MySQL, and Sphinx full-text search. It provides a fully asynchronous web-based query interface that normalizes logs and makes searching billions of them for arbitrary strings as easy as searching the web.
• OSSEC an open source tool for analysis of real-time log data from Unix systems, Windows servers and network devices. A set of useful default alerting rules is included in standard configuration.
• syslog-ng is a replacement and improvement of classic syslog service. I use to ping-pong between syslog-ng and rsyslog.
• Snare agent is used to convert Windows Event Logs into syslog.

Some older tools you can also consider:

• Simpler Log Watch
• Some useful summarizing tools: Logwatch, Lire and LogSurfer.
• Log2timeline is a useful tool for investigative review of logs; it can create a timeline view out of raw log data.
• LogZilla (aka php-syslog-ng) is a frontend for viewing syslog-ng messages logged to MySQL in realtime. It features customized searches based on device, priority, date, time, and message.

References

• NIST SP-800-92, Guide to Computer Security Log Management
• Are you currently using a Security Information and Event Management (SIEM) solution to collect security logs?
• Sorting Through the Noise
• Benchmarking Security Information Event Management
• Dr Anton Chuvakin Blog PERSONAL Blog
• Logging and Log Management, By Anton Chuvakin, Kevin Schmidt
• Security Information and Event Management (SIEM) Implementation
• Security Monitoring: Proven Methods for Incident Detection on Enterprise Networks
• Security Log Management: Identifying Patterns in the Chaos
• Unifying the Audit & Event Lifecycle for Electronic Systems
• SANS Reading Room – Analysts Program

{$t:Security log - part 2,$a:rcc,$v:1.0}

About the Author

Rocco Gagliardi has been working in IT since the 1980s and specialized in IT security in the 1990s. His main focus lies in security frameworks, network routing, firewalling and log management.

Links

• http://balabit.com/network-security/syslog-ng/
• http://cee.mitre.org/
• http://chuvakin.blogspot.ch/
• http://code.google.com/p/enterprise-log-search-and-archive/
• http://code.google.com/p/php-syslog-ng
• http://crypt.gen.nz/logsurfer
• http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf
• http://demo.logzilla.pro/index.php
• http://graylog2.org/
• http://intersectalliance.com/projects/index.html
• http://isc.sans.edu/poll.html?pollid=334&results=Y
• http://log2timeline.net/
• http://logwatch.org
• http://ossec.net
• http://sourceforge.net/projects/swatch/
• http://www.amazon.com/Security-Information-Management-Implementation-Network/dp/0071701095/ref=sr_1_1?ie=UTF8&qid=1352988438&sr=8-1
• http://www.amazon.com/Security-Log-Management-Identifying-Patterns/dp/1597490423/ref=sr_1_1?s=books&ie=UTF8&qid=1352988621&sr=1-1
• http://www.amazon.com/Security-Monitoring-Incident-Detection-Enterprise/dp/0596518161/ref=pd_rhf_ee_s_cp_1
• http://www.sans.org/reading_room/analysts_program/
• http://www.sans.org/reading_room/analysts_program/SortingThruNoise.pdf
• http://www.sans.org/reading_room/analysts_program/eventMgt_Feb09.pdf
• http://www.syngress.com/information-security-and-system-administrators/Logging-and-Log-Management/