There are so many types of log data to monitor and manage, but what are the most important logs to track? These are the top four types of log data that every IT team should be holding on to just in case.
In a recent podcast, Jim Cashman spoke to the top four types of log data that every IT team should keep track of. This discussion covers what logs an admin should be collecting, why to focus on those logs and what specifically to look out for relating to information security. It’s a great answer to the sysadmin who sets up a Log Management solution, watches the logs roll in and then asks “Ok, so now what?”
Jim Cashman thinks you should always start with the basics.
“I always start thinking about servers, where people keep data. Let’s use the canonical example of a Windows server. Windows logs very many things in their standard systems logs, and that’s a great place to start.”
1. Failed Login Attempts
Jim says you should be watching and storing these logs for compliance reasons if nothing else. Failed login attempts are benign most of the time, but they are also a red flag: many failed attempts in a short amount of time can indicate that an attacker is trying to break into a system.
“People have always fat-fingered their password entry since computers have been around. But it can also show a concerted effort to try and break somebody’s password.”
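The "many failures in a short time" check described above, as an added example that is not from the podcast or this post: Windows records a failed logon as Event ID 4625 and a successful one as 4624; the CSV-style record format, the sample records, the five-minute window and the threshold of five failures are all assumptions of this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real Windows Event Log output), simplified to
# "timestamp,event_id,account,source_ip". Event ID 4625 is Windows'
# "An account failed to log on"; 4624 is a successful logon.
SAMPLE_LOG = """\
2024-03-01T08:00:01,4625,alice,10.0.0.5
2024-03-01T08:00:09,4624,alice,10.0.0.5
2024-03-01T09:15:00,4625,bob,10.0.0.9
2024-03-01T09:15:02,4625,bob,10.0.0.9
2024-03-01T09:15:03,4625,administrator,10.0.0.9
2024-03-01T09:15:05,4625,bob,10.0.0.9
2024-03-01T09:15:06,4625,administrator,10.0.0.9
2024-03-01T09:15:08,4625,bob,10.0.0.9
2024-03-01T10:00:00,4625,carol,10.0.0.7
2024-03-01T11:30:00,4625,carol,10.0.0.7
2024-03-01T13:05:00,4625,carol,10.0.0.7
2024-03-01T14:40:00,4625,carol,10.0.0.7
2024-03-01T16:20:00,4625,carol,10.0.0.7
"""

WINDOW = timedelta(minutes=5)  # assumed: what counts as "a short amount of time"
THRESHOLD = 5                  # assumed: failures inside WINDOW worth an alert


def parse_line(line):
    ts, event_id, account, src = line.strip().split(",")
    return datetime.fromisoformat(ts), int(event_id), account, src


def find_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {source_ip: time the threshold was first reached} for sources with
    `threshold` or more failed logons inside any `window`. Keying on the source
    also catches one host trying many accounts; a lone fat-finger never alerts."""
    recent = defaultdict(deque)  # source_ip -> timestamps of recent failures
    alerts = {}
    for line in lines:
        ts, event_id, account, src = parse_line(line)
        if event_id != 4625:       # only failed logons count
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = ts
    return alerts
```

Run against the sample, only 10.0.0.9 is flagged: alice's single typo and carol's five failures spread over a working day stay below the threshold inside any five-minute window.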
2. Firewalls and Intrusion Detection Devices
Logs from security tools, such as intrusion detection devices and firewalls, present a wealth of data on the security and overall health of the security systems within a business. The firewall is the first line of defense against outside threats, so its logs are a basic necessity. Of course, these days most advanced persistent threats can circumvent the firewall entirely, and even antivirus can’t pick up on all malicious activity.
Jim says you should hold onto this data for a set amount of time: a few weeks for your own records, or longer if your industry regulations require it to be on hand in case of an audit or data breach.
On managing this log data, Jim notes that memory and storage are cheap. However, it’s not without consequence. “You still have to manage it, and you still need to keep track of it all, so it is not without cost.”
3. Switches and Routers
Basic network devices all produce log data. As inconsequential as this type of log data may seem, you still need to monitor it.
“You need to be able to log a whole chain of data through your organization, from servers, through firewalls, through switches and routers.”
Monitoring configuration changes on these types of network devices is also important. Configuration changes show with certainty whether sysadmins are doing their jobs or not.
Jim explains, “If you have change control policies and they’re not following those change control policies, and some changes are occurring on switches and routers that you didn’t authorize, or didn’t know about, it could tell you that you have some innocent but nonprofessional behavior going on, or some nefarious behavior going on.”
Jim says these changes can be catastrophic. For instance, if a configuration change was made on a device and happened to bring down the network, and there wasn’t an easy way to revert to a previous state, you’re going to be in trouble.
4. Application Logs
Some applications have their own robust logging capabilities, while others use the application log section of Windows; Microsoft allows many applications to piggyback on the logging infrastructure within Windows.
A good example is protected medical data going through an application. Very often the app logs will show much of the same things that the Windows logs would show.
“Let’s just say the system has its own user database and that sort of thing. It’s going to show logins, and log offs. It’s going to show where [the user] traversed, what screens and that sort of thing. What sort of searches they ran. It’s all very application dependent on how much logging is available.”
These are the four basic logs that IT teams should be monitoring and managing regularly. Jim goes on to say that if you have a system that has given you problems in the past, it will make sense to turn on logging capabilities for that particular system so that you can keep track of errors and learn from them. Edge cases can always pop up out of nowhere, so having the comfort of knowing you’re tracking that log data will go a long way in helping you and your IT team quickly evaluate and assess any given situation.