Firstly, if you do not trust the third party who is analyzing your logs, or do not feel that the company's service level agreement (SLA) provides you with enough assurances, then you need to find another organization to deliver the log-analysis service. Secondly, if you feel that it is imperative to hide internal IP address information, then you should look at undertaking log analysis on your own.
If this is not an option, you could simply use a text editor to do a "search and replace" of key IP addresses. Then, for each found address, you could substitute the IP string with a false one. There are some issues that you should be aware of, though, before you alter your log files.
When doing any log file analysis, you must never work with the original files. In the event of a security incident, log files will be an essential aid in forensic analysis. Therefore, you need to make copies before performing any post-processing or analysis. When used as court evidence, files must be presented in their original form. By making sure that your original logs are never altered, you can be sure that they are still authentic.
If you are running several Web servers, it would be my preference to send the log files to a central syslog server rather than have them written to the local file system. Many attackers now try to hide their tracks by altering or deleting the server's log files. Storing the files on a secure log server therefore makes it a lot harder for malicious hackers to hide their activities.
If you use a central server, it is important that you keep your system clocks synchronized using the Network Time Protocol (NTP). Otherwise, log entries will inevitably appear to be recorded out of order, causing difficulties for many analytical software programs. If you move your logs offline -- to a tape, for example -- you will need to record how the files were moved and where they were moved to. In a criminal investigation where the contents of a backup may need to be investigated, tracking custody of evidence is especially important.
One way to be absolutely sure that a log file has not been modified is to sign and encrypt it using a public-key encryption program such as PGP.
- Learn how service-level agreements (SLAs) can ensure compliance across the extended enterprise.
- Can a security administrator be granted exclusive access to a Windows 2000 security log? Joel Dubin explains why access is all or nothing.
Related Q&A from Michael Cobb
A new programming language called Wyvern is helping developers use multiple languages in one app securely. Application security expert Michael Cobb ...continue reading
Gartner predicts more than half of all mobile apps will use HTML5 by 2016, but what threats will this cause the enterprise? Expert Michael Cobb ...continue reading
Public key pinning aims to reduce the lack of trust associated with digital certificates and certificate authorities. Expert Michael Cobb explains ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.