
eBook - ePub
Logging and Log Management
The Authoritative Guide to Understanding the Concepts Surrounding Logging and Log Management
- 460 pages
- English
- ePUB (mobile friendly)
- Available on iOS & Android
About this book
Logging and Log Management: The Authoritative Guide to Understanding the Concepts Surrounding Logging and Log Management introduces information technology professionals to the basic concepts of logging and log management. It provides tools and techniques to analyze log data and detect malicious activity. The book consists of 22 chapters that cover the basics of log data; log data sources; log storage technologies; a case study on how syslog-ng is deployed in a real environment for log collection; covert logging; planning and preparing for the analysis of log data; simple analysis techniques; and tools and techniques for reviewing logs for potential problems. The book also discusses statistical analysis; log data mining; visualizing log data; logging laws and logging mistakes; open source and commercial toolsets for log data collection and analysis; log management procedures; and attacks against logging systems. In addition, the book addresses logging for programmers; logging and compliance with regulations and policies; planning for log analysis system deployment; cloud logging; and the future of log standards, logging, and log analysis. This book was written for anyone interested in learning more about logging and log management, including systems administrators, junior security engineers, application developers, and managers.
- Comprehensive coverage of log management including analysis, visualization, reporting and more
- Includes information on different uses for logs -- from system operations to regulatory compliance
- Features case studies on syslog-ng and actual real-world situations where logs came in handy in incident response
- Provides practical guidance in the areas of reporting, log analysis system selection, planning a log analysis system, and log data normalization and correlation
Chapter 1
Logs, Trees, Forest: The Big Picture
Information in this chapter:

Introduction
This book is about how to get a handle on system logs. More precisely, it is about how to get useful information out of your logs of all kinds. Logs, while often under-appreciated, are a very useful source of information for computer system resource management (printers, disk systems, battery backup systems, operating systems, etc.), user and application management (login and logout, application access, etc.), and security. It should be noted that sometimes the same type of information can be categorized into more than one bucket. User login and logout messages are relevant both for user management and for security. A few examples are now presented to show how useful log data can be.
Various disk storage products will log messages when hardware errors occur. Having access to this information can often mean small problems are resolved before they become really big nightmares.
As a second example, let’s briefly consider how user management and security logs can be used together to shed light on a user’s activity. When a user logs onto a Windows environment, this action is logged somewhere as a logon record. We will call this user management log data. Anytime this user accesses various parts of the network, a firewall is more than likely in use. This firewall also records network access in the form of whether or not it allowed network packets to flow from the source, a user’s workstation, to a particular part of the network. We will call this security log data. Now, let’s say your company is developing some new product and you want to know who attempts to access your R&D server. Of course, you can use firewall access control lists (ACLs) to control this, but you want to take it a step further. The logon data for a user can be matched up with the firewall record showing that the user attempted to access the server. And if this occurred outside of normal business hours, you might have reason to speak with the employee to better understand their intent. While this example is a little bit out there, it does drive home an important point. If you have access to the right information, you are able to do some sophisticated things.
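The logon-to-firewall correlation described above, written out as an added example (not code from the book): constructed, simplified logon and firewall ACL records are joined on the workstation address, and accepted accesses to the R&D server outside business hours are attributed to the user last seen logging on from that workstation. The record formats, addresses, and business-hours window are assumptions made for this example.

```python
from datetime import datetime, time

# Constructed sample records (assumed formats, not from the book):
# a user-management log (Windows-style logon records) ...
LOGON_RECORDS = [
    "2024-03-04T08:55:10 LOGON user=alice workstation=10.1.2.15",
    "2024-03-04T22:31:44 LOGON user=bob workstation=10.1.2.40",
]
# ... and a security log (firewall ACL accept/deny decisions).
FIREWALL_RECORDS = [
    "2024-03-04T09:12:03 ACCEPT src=10.1.2.15 dst=10.9.0.5 dport=445",
    "2024-03-04T22:40:12 ACCEPT src=10.1.2.40 dst=10.9.0.5 dport=445",
    "2024-03-04T22:41:00 DENY src=10.1.2.40 dst=10.9.0.6 dport=22",
]
RND_SERVER = "10.9.0.5"                      # assumed address of the R&D server
BUSINESS_HOURS = (time(8, 0), time(18, 0))   # assumed normal working hours


def parse(line):
    """Turn 'TIMESTAMP ACTION k=v k=v ...' into a dict; the log data we want
    (user, workstation, src, dst) lives in the key=value pairs."""
    ts, action, *pairs = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "action": action}
    rec.update(p.split("=", 1) for p in pairs)
    return rec


def correlate(logons, firewall, server=RND_SERVER, hours=BUSINESS_HOURS):
    """Return (user, timestamp) for every ACCEPTed access to `server` that
    happened outside `hours`, attributing the access to the most recent
    earlier logon from the same workstation ('unknown' if none exists)."""
    logons = sorted((parse(l) for l in logons), key=lambda r: r["ts"])
    findings = []
    for fw in (parse(l) for l in firewall):
        if fw["action"] != "ACCEPT" or fw["dst"] != server:
            continue   # denied traffic or other destinations are not of interest here
        prior = [r for r in logons
                 if r["workstation"] == fw["src"] and r["ts"] <= fw["ts"]]
        user = prior[-1]["user"] if prior else "unknown"
        if not (hours[0] <= fw["ts"].time() <= hours[1]):
            findings.append((user, fw["ts"].isoformat()))
    return findings


if __name__ == "__main__":
    for user, when in correlate(LOGON_RECORDS, FIREWALL_RECORDS):
        print(f"{user} reached the R&D server outside business hours at {when}")
```

With the constructed data only bob's 22:40 access is reported; alice's 09:12 access falls inside business hours and the DENY line never reaches the server.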
But getting that information takes some time and some work. At first glance (and maybe the second one too) it can seem an overwhelming task—the sheer volume of data alone can be daunting. But we think we can help “de-whelm” you. We’ll present an overall strategy for handling your logs. We’ll show you some different log types and formats. The point of using different log types and formats is twofold. First, it will get you accustomed to looking at log messages and data so you become more familiar with them. But second, it will help you establish a mindset of understanding basic logging formats so you can more easily identify and deal with new or previously unseen log data in your environment. It’s a fact of life that different vendors will implement log messages in different formats, but at the end of the day it’s all about how you deal with and manage log data. The faster you can understand and integrate new log data into your overall logging system, the faster you will begin to gain value from it.
The remainder of this chapter is geared toward providing a foundation for the concepts that will be presented throughout the rest of this book. The ideas around log data, people, process, and technology will be explored, with some real-world examples sprinkled in to ensure you see the real value in log data.
Log Data Basics
So far we have been making reference to logging and log data without providing a concrete description of what these things are. Let’s now define, in no uncertain terms, the basics of logging and log data.
What Is Log Data?
At the heart of log data are, simply, log messages, or logs. A log message is what a computer system, device, software, etc. generates in response to some sort of stimuli. What exactly the stimuli are greatly depends on the source of the log message. For example, Unix systems will have user login and logout messages, firewalls will have ACL accept and deny messages, disk storage systems will generate log messages when failures occur or, in some cases, when the system perceives an impending failure.
Log data is the intrinsic meaning that a log message has. Or put another way, log data is the information pulled out of a log message to tell you why the log message was generated. For example, a Web server will often log whenever someone accesses a resource (image, file, etc.) on a Web page. If the user accessing the page had to authenticate herself, the log message would contain the user’s name. This is an example of log data: you can use the username to determine who accessed a resource.
The term logs is really used to indicate a collection of log messages that will be used collectively to paint a picture of some occurrence.
Log messages can be classified into the following general categories:

Table of contents
- Cover image
- Title page
- Table of Contents
- Copyright
- Acknowledgments
- About the Authors
- About the Technical Editor
- Foreword
- Preface
- Chapter 1. Logs, Trees, Forest: The Big Picture
- Chapter 2. What is a Log?
- Chapter 3. Log Data Sources
- Chapter 4. Log Storage Technologies
- Chapter 5. syslog-ng Case Study
- Chapter 6. Covert Logging
- Chapter 7. Analysis Goals, Planning, and Preparation: What Are We Looking for?
- Chapter 8. Simple Analysis Techniques
- Chapter 9. Filtering, Normalization, and Correlation
- Chapter 10. Statistical Analysis
- Chapter 11. Log Data Mining
- Chapter 12. Reporting and Summarization
- Chapter 13. Visualizing Log Data
- Chapter 14. Logging Laws and Logging Mistakes
- Chapter 15. Tools for Log Analysis and Collection
- Chapter 16. Log Management Procedures: Log Review, Response, and Escalation
- Chapter 17. Attacks Against Logging Systems
- Chapter 18. Logging for Programmers
- Chapter 19. Logs and Compliance
- Chapter 20. Planning Your Own Log Analysis System
- Chapter 21. Cloud Logging
- Chapter 22. Log Standards and Future Trends
- Index
Frequently asked questions
Yes, you can access Logging and Log Management by Kevin Schmidt, Chris Phillips, and Anton Chuvakin in PDF and/or ePUB format, as well as other popular books in Computer Science & Cyber Security.