From the course: CompTIA CySA+ (CS0-002) Cert Prep: 5 Security Operations and Monitoring

Monitoring Log Files

- [Instructor] We've spent a lot of time so far in this course learning about different threats and vulnerabilities. Now let's turn our attention to the security controls that administrators can put in place to protect against those vulnerabilities. We'll start our conversation with one of the most important, but most often overlooked, controls: log monitoring. And let's face it, log monitoring is not an exciting activity. In fact, it's usually pretty dull. And, as such, the newest member of any security team usually draws this short straw. But log monitoring is incredibly important because logs often contain critical information that allows administrators to both detect security breaches and penetration attempts, and conduct analysis of events that have already taken place. I'm going to show you how both Windows and Linux systems record log entries. Let's begin with a Windows server. You can access Windows logs using a tool called Event Viewer. When you open the Windows Logs folder in Event Viewer, you see that logs are organized into several different categories. We're going to take a look at the Application log, the Security log and the System log. The Application log contains messages from software running on the server. The System log contains troubleshooting information about your system, such as storage problems, network issues, or other system events. The Security log contains issues relating to operating system security. This includes audit success and audit failure events. These are events where we configure our server to keep detailed track of activity. You can configure audit logging by using Server Manager and creating audit policies. We do this by selecting Tools and then Local Security Policy. Then under Local Policies, select Audit Policy. Here you can see a variety of settings that Windows allows you to track success and failure for.
As you can see, I've already configured the system to track successful and failed attempts to log onto accounts on this server. If we wanted to, we could change other settings. For example, if we wanted to audit privilege use, we would double-click on this line and then choose whether we want to track successful and failed audit events. Once we apply this setting and click OK, notice that the security setting has changed to Success and Failure. Privilege use events will now appear in the Security log. There is one other type of log that appears outside of Event Viewer. The firewall log, once enabled, contains detailed information about connections that are allowed and blocked by the firewall. You can enable firewall logging in Server Manager. We choose Windows Firewall with Advanced Security, then click on Windows Firewall Properties. In the Logging section, click Customize. If you'd like to log successful connections to your server, choose Yes from this dropdown. If you'd also like to log failed attempts to go through the firewall, click Yes for Log dropped packets. You're also given the option to provide the name of the file that will store the firewall logs and the maximum size of that file. Let's go take a look at the contents of the Windows firewall log. I'm going to go ahead and change to the directory that contains that log file, which on my system was Windows\System32\LogFiles\Firewall. And that's the default directory. When I look at the contents of this directory, I see that there are several files. I'm going to go look at the old log file. Each line in this log file represents one attempt for a packet to pass through the firewall. Each line shows the source and destination IP addresses, the source and destination ports, and then whether the connection was allowed or denied. Linux systems also organize logs by category, and they store those logs in text files located in the /var/log directory.
Let's take a look at system logs on a Linux server. I'm already connected here to a Linux server and have a root prompt. I'm going to go ahead and change directory to /var/log. When I look at the contents of this directory, I see several different types of log files maintained by the Linux server. For example, the messages file is roughly equivalent to the System log on Windows. You see here several log entries related to DHCP network settings. Other log files in this directory contain information from other services. For example, the secure file contains security-related information and the httpd file contains system logs created by the Apache web server. One of the ways that you can enhance your ability to monitor these logs is through reporting automation. In particular, you can set alarms to alert you when certain events occur. For example, you might create an alert that notifies you when there is an unsuccessful attempt to log in to an administrator account. This doesn't necessarily indicate a compromise, but it's a situation that is certainly worthy of further investigation. You can also use trend analysis to help you interpret log data. For example, you might monitor the amount of data leaving your organization on a daily basis. If you suddenly see a significant increase that goes against the trend, that's another item worthy of further analysis. Security logs are a critical security control for detecting and investigating security issues on a system. The exam does emphasize log files. Expect to find questions on the exam that ask you to analyze log files. The best way to prepare for these questions is simply to become familiar with logging. If you don't have hands-on experience from your job, configure logging on your own systems. Try two things. First, generate some legitimate and illegitimate activity, and then try to track those records down in the logs. Second, pick some random log entries and try to figure out what they mean.
Practicing this on both Windows and Linux systems will give you the necessary experience to answer those questions correctly on the exam.
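The firewall-log walkthrough and the alerting idea above can be tried together: the following added example (not part of the course material) parses a small constructed sample in the layout of the Windows Firewall log (a W3C extended log whose `#Fields:` header names the columns, including the source/destination IPs and ports and the ALLOW/DROP action the instructor points out), counts dropped packets per source, and raises a hypothetical alarm once a source exceeds a threshold.

```python
"""Parse a Windows Firewall log (W3C extended format) and flag noisy sources."""
from collections import Counter

# Constructed sample in the layout of %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2024-05-01 10:00:01 DROP TCP 203.0.113.5 10.0.0.10 51514 3389 52 S 1234567 0 8192 - - - RECEIVE
2024-05-01 10:00:02 ALLOW TCP 10.0.0.20 10.0.0.10 50000 443 0 - 0 0 0 - - - RECEIVE
2024-05-01 10:00:03 DROP TCP 203.0.113.5 10.0.0.10 51515 445 52 S 1234568 0 8192 - - - RECEIVE
2024-05-01 10:00:04 DROP TCP 203.0.113.5 10.0.0.10 51516 22 52 S 1234569 0 8192 - - - RECEIVE
2024-05-01 10:00:05 DROP UDP 198.51.100.7 10.0.0.10 40000 161 78 - - - - - - - RECEIVE
2024-05-01 10:00:06 ALLOW TCP 10.0.0.10 10.0.0.20 49200 443 0 - 0 0 0 - - - SEND
"""


def parse_firewall_log(text):
    """Yield one dict per packet record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # the header defines the column order
            continue
        if not line or line.startswith("#"):
            continue  # blank lines and the other header lines carry no records
        if fields is None:
            raise ValueError("packet record seen before the #Fields header")
        yield dict(zip(fields, line.split()))


def dropped_by_source(text):
    """Count DROP records per source IP and collect the destination ports each one hit."""
    counts, ports = Counter(), {}
    for rec in parse_firewall_log(text):
        if rec["action"] != "DROP":
            continue
        counts[rec["src-ip"]] += 1
        ports.setdefault(rec["src-ip"], set()).add(rec["dst-port"])
    return counts, ports


def alert_sources(text, threshold=3):
    """Hypothetical alarm rule: sources whose dropped-packet count reaches the threshold."""
    counts, _ = dropped_by_source(text)
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    counts, ports = dropped_by_source(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip}: {n} dropped, destination ports {sorted(ports[ip])}")
    print("alert:", alert_sources(SAMPLE_LOG))
```

Pointing `SAMPLE_LOG` at the real file contents instead of the constructed sample reproduces the same per-source summary on a live server.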
