Filtering log data: Looking for the needle in the haystack

More on logging and audit: Join us for a live webcast Wednesday, Oct. 31, 2007, as expert David Strom explains how to gain security intelligence with logging and audit. In this excerpt from our Ask the Experts section, Mike Rothman explains how to prevent audit-logging systems from storing passwords.

Let's illustrate how it is possible to drill down and find that single suspect packet through a series of screenshots. As an example interface, we'll use NetIQ's Security Manager v 6.0 to demonstrate the filtering process, but other vendors in this market offer similar interfaces and capabilities. Regardless of the product your organization uses, this tip will provide a blueprint for how to drill down and obtain the log information you need.

Let's start with the main dashboard screen. Here you can get a quick summary of all current security alerts, whether the various agents are operating properly, and what alerts have yet to be resolved.

If we drill into the open alerts, we see the next screen, which shows all unresolved alerts, as well as links to a corporate knowledge base.

In the illustration, a user has made changes to a sensitive file and that is why it is flagged as an alert. As we move further into analyzing what happened with this file, the next screen shows where we see what the file was and who renamed it and what program (in this case, Windows Explorer) did the deed. In this screen, we see that the event was "unmanaged," meaning that it wasn't authorized.

Many log-management tools also can collect reports from other network-protective devices, such as firewalls and IDSes. In the next screen, we see the collection of log data from a sample Cisco PIX firewall during the last two hours. The particular event that is highlighted in the screenshot is an access denied request.

One part of any good security management tool is the ability to make some sense about disparate events that happen on the network that may have a single underlying cause. A number of log-management tools have correlation and analysis tools that can be used to determine what happened after the fact. In the next screen, we can construct custom queries, which in this case we would use to determine if three particular events occurred within 30 seconds from the same source IP address.

So far we have explored the logging data, and conducted some lightweight analysis. Next we'll start to dig deeper to find out what kind of activity is really going on. The next screen is good place to start comparing our logs and normalizing them for further analysis. You can rotate the graphical display, add and delete columns and rows and do other manipulations to expose patterns and potential network issues.

Many of these log management tools have reporting capabilities as well. For instance, when an employee may be suspected of wrongdoing, it's possible to use a forensics wizard to filter the logs for all traffic originating from the suspect user's ID.

When this report is run, we get the results in the next screen. From there,it's possible to expand and sort the various lines in the report and drill down further to determine exactly what the mysterious J. Smith has been up to.

These types of reports are useful when you know ahead of time what to look for, such as providing evidence for an electronic discovery request or other external reasons.

All log analyzers are actually mini development environments and come with report builders, rule creation engines, alert managers and other forensic add-ons. With some products, separate pieces of software are needed to run these tools, while others have some of them built-in. For example, you have rule sets that can control what information is filtered, what alerts are activated and how often they are acted upon, and how information is aggregated for auditing or compliance purposes. In addition, there are other tools to automate or script some of the more common processes for collecting data or parsing the logs from various servers and network devices.

About the author:
David Strom is one of the leading experts on network and Internet technologies and has written extensively on the topic for nearly 20 years. He has held several editorial management positions for both print and online properties, most recently as Editor-in-Chief for Tom's Hardware. In 1990, Strom created Network Computing magazine and was the first Editor-in-Chief establishing the magazine's networked laboratories. He is the author of two books: Internet Messaging (Prentice Hall 1998) which he co-authored with Marshall T. Rose and Home Networking Survival Guide (McGrawHill/Osbourne; 2001). Strom is a frequent speaker, panel moderator and instructor and has appeared on Fox TV News Network, NPR's Science Friday radio program, ABC TV's World News Tonight and CBS-TV's Up to the Minute.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. BROWSE BY TAG Risk Management Strategies,   Security Audit, Compliance and Standards,   IT Security Audits,   Network Intrusion Detection and Analysis,   Enterprise Network Security,   Monitoring Network Traffic and Network Forensics,   VIEW ALL TAGS Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Risk Management Strategies Breach prevention: How to keep track of data and applications Information security management hype: Debunking best practices Monitoring program data and internal controls for risk management Cloud computing security: Choosing a VPN type to connect to the cloud Cloud computing security: Routing and DNS security threats Cloud computing security model overview: Network infrastructure issues How to align an information security framework to your business model When to use open source security tools over commercial products Vulnerability test methods for application security assessments Security book chapter: Applied Security Visualization IT Security Audits Standards compliance does not equal sound information security risk management Tony Spinelli: Prioritize Information Security over Compliance How to prepare for a FERPA audit MasterCard increases PCI compliance requirements for some merchants How to select a set of network security audit guidelines How to write a risk methodology that blends business, security needs PCI compliance requirement 11: Testing Using IAM tools to improve compliance Forensic accounting success depends on information security support HIPAA compliance: New regulations change the game Monitoring Network Traffic and Network Forensics Preventing SQL injection attacks: A network admin's perspective Breach prevention: How to keep track of data and applications Researchers find thousands of flawed embedded devices Network traffic collection, analysis helps prevent data breaches Lifecycle of a network security vulnerability Port scan attack prevention best practices How to prevent network sniffing and eavesdropping DoD urges less network anonymity, more PKI use Chained Exploits: How to prevent phishing attacks from corporate spies PCI compliance requirement 10: Auditing RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bridge  (SearchSecurity.com) computer forensics  (SearchSecurity.com) Einstein  (SearchSecurity.com) footprinting  (SearchSecurity.com) information signature  (SearchSecurity.com) inverse mapping  (SearchSecurity.com) network behavior analysis  (SearchSecurity.com) network forensics  (SearchSecurity.com) promiscuous mode  (SearchSecurity.com) snoop server  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.