Security Log Management: Identifying Patterns in the Chaos
By Jacob Babbin
HIGHLIGHT
Every day, security professionals and system administrators must analyze hundreds of log files detailing all activity (malicious or not) from multiple devices and applications, including file and Web servers, intrusion detection systems, firewalls, routers, and workstations. The volume of data can be overwhelming, resulting in critical pieces of information being ignored. This book details how open source tools and scripts can extract useful, repeatable information from the seemingly endless data.
Can You See the Forest Through the Trees?
Date: Jan 2006
Pages: 450 (est.)
User level: All
DESCRIPTION
This book teaches IT professionals how to analyze, manage, and automate their security log files to generate useful, repeatable information that can be used to make their networks more efficient and secure, using primarily open source tools. The book begins by discussing the "Top 10" security logs that every IT professional should be regularly analyzing. These 10 lists cover everything from the top workstations sending and receiving data through a firewall to the top targets of IDS alerts. The book then goes on to discuss the relevancy of all of this information. Next, the book describes how to script open source reporting tools such as tcpdstat to automatically correlate log files from the various network devices against the "Top 10" lists. By doing so, the IT professional is quickly made aware of any critical security events or serious degradation of network performance. All of the scripts presented within the book will be available for download from the Syngress Solutions Web site.
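As an added illustration, and not code from the book or from the Syngress download site, the following Python script does the kind of "Top 10" reporting the description refers to: it builds a top-talkers list (internal hosts ranked by bytes that crossed the firewall) and a top-IDS-targets list from log lines, then joins the two so that an attacked host is shown next to its traffic volume. The iptables-style firewall lines, the Snort fast-alert lines, the 192.168.1.0/24 "internal" prefix and the signature IDs in Snort's local range are all constructed for this example; malformed lines are counted and skipped rather than aborting the report, which is the behaviour a practitioner wants from a cron-driven script.

```python
"""Top-N reports from firewall and IDS logs (added example, not the book's own script)."""
import re
from collections import Counter

# --- Constructed sample data; not taken from any real capture or from the book ---
FIREWALL_LOG = """\
Jan  5 10:01:02 gw kernel: IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=203.0.113.5 LEN=60 PROTO=TCP SPT=4321 DPT=80
Jan  5 10:01:03 gw kernel: IN=eth0 OUT=eth1 SRC=192.168.1.10 DST=203.0.113.5 LEN=1500 PROTO=TCP SPT=4321 DPT=80
Jan  5 10:01:04 gw kernel: IN=eth1 OUT=eth0 SRC=203.0.113.5 DST=192.168.1.10 LEN=1500 PROTO=TCP SPT=80 DPT=4321
Jan  5 10:01:05 gw kernel: IN=eth0 OUT=eth1 SRC=192.168.1.22 DST=198.51.100.7 LEN=80 PROTO=UDP SPT=5353 DPT=53
Jan  5 10:01:06 gw kernel: IN=eth1 OUT=eth0 SRC=203.0.113.9 DST=192.168.1.50 LEN=400 PROTO=TCP SPT=3456 DPT=80
Jan  5 10:01:07 gw kernel: IN=eth1 OUT=eth0 SRC=203.0.113.9 DST=192.168.1.50 LEN=400 PROTO=TCP SPT=3457 DPT=80
Jan  5 10:01:08 gw kernel: this line is truncated and must be skipped
"""

# Snort "alert_fast" style lines; signature IDs 1000001+ are the local-rule range (assumed, made up here)
SNORT_ALERTS = """\
01/05-10:01:06.123456  [**] [1:1000001:1] LOCAL web cmd.exe request [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.9:3456 -> 192.168.1.50:80
01/05-10:01:07.223456  [**] [1:1000001:1] LOCAL web cmd.exe request [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.9:3457 -> 192.168.1.50:80
01/05-10:01:09.323456  [**] [1:1000002:1] LOCAL snmp public community [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 203.0.113.9:1024 -> 192.168.1.51:161
garbage line that must be skipped
"""

INTERNAL_PREFIX = "192.168.1."  # assumption for the example: the protected network

FW_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) LEN=(?P<len>\d+)")
IDS_RE = re.compile(
    r"\[\*\*\] \[(?P<sid>\d+:\d+:\d+)\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+"
)


def bytes_per_internal_host(log_text, prefix=INTERNAL_PREFIX):
    """Sum bytes sent plus received per internal host. Returns (Counter, lines_skipped)."""
    counts, skipped = Counter(), 0
    for line in log_text.splitlines():
        m = FW_RE.search(line)
        if not m:
            skipped += 1          # keep going; one bad line must not kill the nightly report
            continue
        n = int(m["len"])
        if m["src"].startswith(prefix):
            counts[m["src"]] += n
        if m["dst"].startswith(prefix):
            counts[m["dst"]] += n
    return counts, skipped


def alerts_per_target(alert_text):
    """Count Snort alerts by destination host. Returns (Counter, lines_skipped)."""
    counts, skipped = Counter(), 0
    for line in alert_text.splitlines():
        m = IDS_RE.search(line)
        if not m:
            skipped += 1
            continue
        counts[m["dst"]] += 1
    return counts, skipped


def top_n(counter, n=10):
    """The 'Top N' list: (host, value) pairs, highest first."""
    return counter.most_common(n)


def correlate(talkers, targets, n=10):
    """Join the two lists: for each top IDS target, attach the bytes the firewall logged for it.
    A target with 0 firewall bytes means the IDS saw traffic the firewall never logged, which
    is itself worth investigating (logging gap, or traffic that bypassed the firewall)."""
    return [(host, alerts, talkers.get(host, 0)) for host, alerts in targets.most_common(n)]


if __name__ == "__main__":
    talkers, fw_skipped = bytes_per_internal_host(FIREWALL_LOG)
    targets, ids_skipped = alerts_per_target(SNORT_ALERTS)
    print("Top talkers (bytes):", top_n(talkers))
    print("Top IDS targets (alerts):", top_n(targets))
    print("IDS targets with firewall volume:", correlate(talkers, targets))
    print(f"skipped: firewall={fw_skipped} ids={ids_skipped}")
```

Run on the embedded sample, the top-talkers list is 192.168.1.10, 192.168.1.50, 192.168.1.22; the IDS targets are 192.168.1.50 (two alerts) and 192.168.1.51 (one), and the join reports 800 firewall bytes for .50 but none for .51, the kind of mismatch a daily report should surface. In production the two constants would be replaced by reading the rotated log files, and the counters would be persisted so that day-over-day changes, not just absolute rankings, can be flagged.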
KEY SELLING POINTS
- Provides turn-key, inexpensive, open source solutions for system administrators to analyze and evaluate the overall performance and security of their network.
- Dozens of working scripts and tools presented throughout the book are available for download from Syngress Solutions Web site.
- This book and accompanying scripts will save system administrators countless hours by scripting and automating the most common to the most complex log analysis tasks.
MARKET INFORMATION
Almost every operating system, firewall, router, switch, intrusion detection system, mail server, Web server, and database produces some type of “log file.” This is true of both open source tools and commercial software and hardware from every IT manufacturer. Each of these logs is reviewed and analyzed by a system administrator or security professional responsible for that particular piece of hardware or software. As a result, almost everyone involved in the IT industry works with log files in some capacity.
ABOUT THE AUTHOR
Jacob Babbin works as a contractor with a government agency filling the role of Intrusion Detection Team Lead. He has worked in both private industry as a security professional and in government space in a variety of IT security roles. He is a speaker at several IT security conferences and is a frequent assistant in SANS Security Essentials Bootcamp, Incident Handling and Forensics courses. Jake lives in Virginia. Jake is co-author of Snort 2.1 Intrusion Detection Second Edition (Syngress Publishing, ISBN: 1-931836-04-3), Intrusion Detection and Active Response (Syngress, ISBN: 1-932266-47-X) and Snort Cookbook (O’Reilly, ISBN: 0-596007-91-4).
TECHNOLOGY BACKGROUND
Log files record the "events" that take place during a given period of time in products like Windows Server, Exchange Server, IIS, ISA Server, Snort, etc. They keep a record of user actions and of system events. An example of a logged user action would be someone logging in to a Web application (the log records the account name, source address, and whether the attempt succeeded, never the password itself). An event would be an application being launched on Windows Server. The log files generated by any of these products can be literally hundreds of pages long for a 24-hour period. This book shows readers how to use open source tools to organize and correlate these logs to produce concise, informative reports on the overall performance and security of their network.