4

In the need to centralize logs we have selected syslog as the collector and Splunk (free for now) as the analysis tool, but there's always the question about which events should get to the central repository and from which systems.

The selection should address only those logs of interest from a security point of view.

Which logs do you centralize and how do you select them?

The answers should indicate types of devices, systems or software, types of logs/events and the reason for choosing them.

HopelessN00b
  • 53,795
  • 33
  • 135
  • 209
chmeee
  • 7,370
  • 3
  • 30
  • 43

5 Answers5

3

Windows:

  1. Security Log (specifically looking for Audit Failures)
  2. System Log (To correlate with the Security Log)
  3. IIS Logs
  4. Any Application Logs for Network facing applications.

On Linux:

  1. /var/log/auth.log (logins)
  2. /var/log/errors.log ( for ... errors)
  3. SSH Logs
  4. Application Logs

Generally you want to monitor:

  1. Logins
  2. System Errors
  3. Application Logs

These will be the most important logs to monitor, and the most telling using splunk.

A log system is only as good as the time source. Using NTP and making sure all your servers are set to the same time zone will make your job ten times easier. I like to set my BIOS clocks to UTC and then set the OS to the local time zone.

EDIT: This is now a wiki. Add your own advice!

Joseph Kern
  • 9,899
  • 4
  • 32
  • 56
  • Anything disk oriented in Windows! Catch bad clusters, write problems etc. Also anything form anti-virus. – Kyle Jun 17 '09 at 18:16
2

All logs are of interest for security purposes. At least they are on a unix/lnx box.

Jason Tan
  • 2,752
  • 2
  • 17
  • 24
2

On Linux you might as well send everything from syslog to the central collector and analyze for patterns. You never know what you will need ahead of time and you may find yourself missing some information if you only include certain services. While there are general guidelines as to which facility a particular type of application should be logging to, there's no hard and fast rules.

If an application of interest writes its own log files, I usually ingest those in to the syslog daemon as well and forward them to the central collector.

This is useful not only for security purposes but also for finding configuration errors as well as hardware and software faults.

Kamil Kisiel
  • 12,184
  • 7
  • 48
  • 69
2

It really depends on what you are trying to detect.

If you are looking for resource access then (eg. payroll files, product documents):

  • collect the logs for user and access time from the server where the resource is located
  • collect email tracking information so you can see if and where the resource is going

If you are looking for external access then:

  • vpn logs for who and when the persons login
  • firewall logs for access attempts
  • ids logs for unusual traffic
  • AD login logs so brute force attempts are found
  • wifi logs
  • dhcp logs

Again, first determine what you want to detect and then go for the logs that can show you who what and where the information/resource was accessed. Then go for the next one. From experience if you just want everything you will fail in getting the detection you need for anything.

Brad Bierman
  • 21
  • 1
0

This is far to general a question.

You should already know which logs you need to feed into splunk. What logs do you search through by hand when looking for security events? Those are the ones you need to feed into splunk.

goo
  • 2,868
  • 19
  • 15