Firstly, if you do not trust the third party who is analyzing your logs, or do not feel that the company's service...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
level agreement (SLA) provides you with enough assurances, then you need to find another organization to deliver the log-analysis service. Secondly, if you feel that it is imperative to hide internal IP address information, then you should look at undertaking log analysis on your own.
If this is not an option, you could simply use a text editor to do a "search and replace" of key IP addresses. Then, for each found address, you could substitute the IP string with a false one. There are some issues that you should be aware of, though, before you alter your log files.
When doing any log file analysis, you must never work with the original files. In the event of a security incident, log files will be an essential aid in forensic analysis. Therefore, you need to make copies before performing any post-processing or analysis. When used as court evidence, files must be presented in their original form. By making sure that your original logs are never altered, you can be sure that they are still authentic.
If you are running several Web servers, it would be my preference to send the log files to a central syslog server rather than have them written to the local file system. Many attackers now try to hide their tracks by altering or deleting the server's log files. Storing the files on a secure log server therefore makes it a lot harder for malicious hackers to hide their activities.
If you use a central server, it is important that you keep your system clocks synchronized using the Network Time Protocol (NTP). Otherwise, log entries will inevitably appear to be recorded out of order, causing difficulties for many analytical software programs. If you move your logs offline -- to a tape, for example -- you will need to record how the files were moved and where they were moved to. In a criminal investigation where the contents of a backup may need to be investigated, tracking custody of evidence is especially important.
One way to be absolutely sure that a log file has not been modified is to sign and encrypt it using a public-key encryption program such as PGP.
- Learn how service-level agreements (SLAs) can ensure compliance across the extended enterprise.
- Can a security administrator be granted exclusive access to a Windows 2000 security log? Joel Dubin explains why access is all or nothing.
Dig Deeper on Web Authentication and Access Control
Related Q&A from Michael Cobb
A malicious app called Black Jack Free was able to bypass Google Play's app store security. Expert Michael Cobb explains the threat and how ...continue reading
SandJacking, a new iOS attack technique, uses an XCode certificate flaw to load malicious apps onto devices. Expert Michael Cobb explains how the ...continue reading
Oracle has moved from using a modified version of CVSS v2.0 to CVSS v3.0. Expert Michael Cobb explains criticism of the old version, and the changes ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.