Security Log Management

Security Log Management

by Jacob Babbin
Released January 2006
Publisher(s): Syngress
ISBN: 9780080489704

Read it now on the O’Reilly learning platform with a 10-day free trial.

O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Book description

This book teaches IT professionals how to analyze, manage, and automate their security log files to generate useful, repeatable information that can be use to make their networks more efficient and secure using primarily open source tools. The book begins by discussing the “Top 10” security logs that every IT professional should be regularly analyzing. These 10 logs cover everything from the top workstations sending/receiving data through a firewall to the top targets of IDS alerts. The book then goes on to discuss the relevancy of all of this information. Next, the book describes how to script open source reporting tools like Tcpdstats to automatically correlate log files from the various network devices to the “Top 10” list. By doing so, the IT professional is instantly made aware of any critical vulnerabilities or serious degradation of network performance. All of the scripts presented within the book will be available for download from the Syngress Solutions Web site.

Almost every operating system, firewall, router, switch, intrusion detection system, mail server, Web server, and database produces some type of “log file.” This is true of both open source tools and commercial software and hardware from every IT manufacturer. Each of these logs is reviewed and analyzed by a system administrator or security professional responsible for that particular piece of hardware or software. As a result, almost everyone involved in the IT industry works with log files in some capacity.

* Provides turn-key, inexpensive, open source solutions for system administrators to analyze and evaluate the overall performance and security of their network
* Dozens of working scripts and tools presented throughout the book are available for download from Syngress Solutions Web site.
* Will save system administrators countless hours by scripting and automating the most common to the most complex log analysis tasks

Table of contents

  1. Cover (1/2)
  2. Cover (2/2)
  3. Contents (1/2)
  4. Contents (2/2)
  5. Foreword
  6. Chapter 1 Log Analysis: Overall Issues
    1. IT Budgets and Results: Leveraging OSS Solutions at Little Cost
    2. Reporting Security Information to Management
    3. Combining Resources for an “Eye-in-the-Sky” View
    4. Blended Threats and Reporting
    5. Conclusion
    6. Code Solutions
    7. Commercial Solutions: ArcSight and Netforensics (1/2)
    8. Commercial Solutions: ArcSight and Netforensics (2/2)
  7. Chapter 2 IDS Reporting
    1. Session/Flow Logging with Snort
    2. Session/Flow Logging with Argus (1/2)
    3. Session/Flow Logging with Argus (2/2)
    4. Can You Determine When a DDoS/DoS Attack Is Occurring?
    5. Using Snort for Bandwidth Monitoring (1/2)
    6. Using Snort for Bandwidth Monitoring (2/2)
    7. Using Bro to Log and Capture Application-Level Protocols (1/2)
    8. Using Bro to Log and Capture Application-Level Protocols (2/2)
    9. Tracking Users’ Web Activities with Bro
    10. Using Bro to Gather DNS and Web Traffic Data (1/3)
    11. Using Bro to Gather DNS and Web Traffic Data (2/3)
    12. Using Bro to Gather DNS and Web Traffic Data (3/3)
    13. Using Bro for Blackholing Traffic to Malware-Infested Domains (1/3)
    14. Using Bro for Blackholing Traffic to Malware-Infested Domains (2/3)
    15. Using Bro for Blackholing Traffic to Malware-Infested Domains (3/3)
    16. Using Bro to Identify Top E-Mail Senders/Receivers (1/3)
    17. Using Bro to Identify Top E-Mail Senders/Receivers (2/3)
    18. Using Bro to Identify Top E-Mail Senders/Receivers (3/3)
  8. Chapter 3 Firewall Reporting
    1. Firewall Reporting: A Reflection of the Effectiveness of Security Policies
    2. The Supporting Infrastructure for Firewall Log Management (1/6)
    3. The Supporting Infrastructure for Firewall Log Management (2/6)
    4. The Supporting Infrastructure for Firewall Log Management (3/6)
    5. The Supporting Infrastructure for Firewall Log Management (4/6)
    6. The Supporting Infrastructure for Firewall Log Management (5/6)
    7. The Supporting Infrastructure for Firewall Log Management (6/6)
  9. Chapter 4 Systems and Network Device Reporting
    1. Web Server Logs
    2. Recon and Attack Information
    3. Correlating Data with the Host System (1/3)
    4. Correlating Data with the Host System (2/3)
    5. Correlating Data with the Host System (3/3)
  10. Chapter 5 Creating a Reporting Infrastructure
    1. Creating IDS Reports from Snort Logs—Example Report Queries (1/3)
    2. Creating IDS Reports from Snort Logs—Example Report Queries (2/3)
    3. Creating IDS Reports from Snort Logs—Example Report Queries (3/3)
    4. Creating IDS Reports from Bro Logs—Application Log Information (1/3)
    5. Creating IDS Reports from Bro Logs—Application Log Information (2/3)
    6. Creating IDS Reports from Bro Logs—Application Log Information (3/3)
  11. Chapter 6 Scalable Enterprise Solutions (ESM Deployments)
    1. What Is ESM? (1/2)
    2. What Is ESM? (2/2)
    3. When Deploying ESM Makes Sense (1/3)
    4. When Deploying ESM Makes Sense (2/3)
    5. When Deploying ESM Makes Sense (3/3)
    6. Which Security Reporting Tools to Aggregate into ESM
    7. Using ESM Reporting for Maximum Performance (1/2)
    8. Using ESM Reporting for Maximum Performance (2/2)
    9. Special Considerations for Using ESM
    10. Lessons Learned Implementing ESM (1/3)
    11. Lessons Learned Implementing ESM (2/3)
    12. Lessons Learned Implementing ESM (3/3)
  12. Chapter 7 Managing Log Files with Microsoft Log Parser
    1. Log File Conversion (1/3)
    2. Log File Conversion (2/3)
    3. Log File Conversion (3/3)
    4. Log Rotation and Archival (1/3)
    5. Log Rotation and Archival (2/3)
    6. Log Rotation and Archival (3/3)
    7. Separating Logs (1/2)
    8. Separating Logs (2/2)
  13. Chapter 8 Investigating Intrusions with Microsoft Log Parser
    1. Locating Intrusions
    2. Monitoring IIS (1/4)
    3. Monitoring IIS (2/4)
    4. Monitoring IIS (3/4)
    5. Monitoring IIS (4/4)
  14. Chapter 9 Managing Snort Alerts with Microsoft Log Parser
    1. Building Snort IDS Reports (1/6)
    2. Building Snort IDS Reports (2/6)
    3. Building Snort IDS Reports (3/6)
    4. Building Snort IDS Reports (4/6)
    5. Building Snort IDS Reports (5/6)
    6. Building Snort IDS Reports (6/6)

Product information

  • Title: Security Log Management
  • Author(s): Jacob Babbin
  • Release date: January 2006
  • Publisher(s): Syngress
  • ISBN: 9780080489704