Filtering log data: Looking for the needle in the haystack

More on logging and audit: Join us for a live webcast Wednesday, Oct. 31, 2007, as expert David Strom explains how to gain security intelligence with logging and audit. In this excerpt from our Ask the Experts section, Mike Rothman explains how to prevent audit-logging systems from storing passwords.

Let's illustrate how it is possible to drill down and find that single suspect packet through a series of screenshots. As an example interface, we'll use NetIQ's Security Manager v 6.0 to demonstrate the filtering process, but other vendors in this market offer similar interfaces and capabilities. Regardless of the product your organization uses, this tip will provide a blueprint for how to drill down and obtain the log information you need.

Let's start with the main dashboard screen. Here you can get a quick summary of all current security alerts, whether the various agents are operating properly, and what alerts have yet to be resolved.

If we drill into the open alerts, we see the next screen, which shows all unresolved alerts, as well as links to a corporate knowledge base.

In the illustration, a user has made changes to a sensitive file and that is why it is flagged as an alert. As we move further into analyzing what happened with this file, the next screen shows where we see what the file was and who renamed it and what program (in this case, Windows Explorer) did the deed. In this screen, we see that the event was "unmanaged," meaning that it wasn't authorized.

Many log-management tools also can collect reports from other network-protective devices, such as firewalls and IDSes. In the next screen, we see the collection of log data from a sample Cisco PIX firewall during the last two hours. The particular event that is highlighted in the screenshot is an access denied request.

One part of any good security management tool is the ability to make some sense about disparate events that happen on the network that may have a single underlying cause. A number of log-management tools have correlation and analysis tools that can be used to determine what happened after the fact. In the next screen, we can construct custom queries, which in this case we would use to determine if three particular events occurred within 30 seconds from the same source IP address.

So far we have explored the logging data, and conducted some lightweight analysis. Next we'll start to dig deeper to find out what kind of activity is really going on. The next screen is good place to start comparing our logs and normalizing them for further analysis. You can rotate the graphical display, add and delete columns and rows and do other manipulations to expose patterns and potential network issues.

Many of these log management tools have reporting capabilities as well. For instance, when an employee may be suspected of wrongdoing, it's possible to use a forensics wizard to filter the logs for all traffic originating from the suspect user's ID.

When this report is run, we get the results in the next screen. From there,it's possible to expand and sort the various lines in the report and drill down further to determine exactly what the mysterious J. Smith has been up to.

These types of reports are useful when you know ahead of time what to look for, such as providing evidence for an electronic discovery request or other external reasons.

All log analyzers are actually mini development environments and come with report builders, rule creation engines, alert managers and other forensic add-ons. With some products, separate pieces of software are needed to run these tools, while others have some of them built-in. For example, you have rule sets that can control what information is filtered, what alerts are activated and how often they are acted upon, and how information is aggregated for auditing or compliance purposes. In addition, there are other tools to automate or script some of the more common processes for collecting data or parsing the logs from various servers and network devices.

About the author:
David Strom is one of the leading experts on network and Internet technologies and has written extensively on the topic for nearly 20 years. He has held several editorial management positions for both print and online properties, most recently as Editor-in-Chief for Tom's Hardware. In 1990, Strom created Network Computing magazine and was the first Editor-in-Chief establishing the magazine's networked laboratories. He is the author of two books: Internet Messaging (Prentice Hall 1998) which he co-authored with Marshall T. Rose and Home Networking Survival Guide (McGrawHill/Osbourne; 2001). Strom is a frequent speaker, panel moderator and instructor and has appeared on Fox TV News Network, NPR's Science Friday radio program, ABC TV's World News Tonight and CBS-TV's Up to the Minute.

Rate this Tip To rate tips, you must be a member of SearchSecurity.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Risk Management Strategies Easing e-discovery preparation by mapping enterprise data Database patch denial: How 'critical' are Oracle's CPUs? Security breach management: Planning and preparation The ins and outs of database encryption Failure mode and effects analysis: Process and system risk assessment Data loss prevention (DLP) tools: The new way to prevent identity theft? IT GRC: Combining disciplines for better enterprise security Partner access: Balancing security and availability Enterprise data management: Analyzing business processes and infrastructure for data protection Guide to passing PCI's five toughest requirements Security Audit Architect Security and Compliance Programs to Be Complementary The road to compliance Hannaford breach illustrates dangerous compliance mentality Data breach costs soar IBM to boost security spending, push PCI DSS program Preparing for a network security audit starts with monitoring and remediation Code Green pitches data protection for SMBs Dissecting compliance workflow processes Report: Companies still stumped by PCI DSS Guide to passing PCI's five toughest requirements Monitoring Network Traffic and Network Forensics Screencast: Catching network traffic with Wireshark Windows registry forensics guide: Investigating hacker activities More built-in Windows commands for system analysis Is security improved when the number of Internet gateways is reduced? Screencast: Using Nessus to scan for vulnerabilities What are the pros and cons of shaping P2P packets? Built-in Windows commands to determine if a system has been hacked How will the centralized logging of network flow data benefit an enterprise? The forensics mindset: Making life easier for investigators Data Loss Prevention Tools Offer Insight into Where Data Lives RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary computer forensics  (SearchSecurity.com) Einstein  (SearchSecurity.com) footprinting  (SearchSecurity.com) information signature  (SearchSecurity.com) intrusion detection  (SearchSecurity.com) network forensics  (SearchSecurity.com) port scan  (SearchSecurity.com) probe  (SearchSecurity.com) promiscuous mode  (SearchSecurity.com) snoop server  (SearchSecurity.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.