AfChix 2011 Blantyre, Malawi Log management. Log management and monitoring ■ What is log management and monitoring ? ● It's about keeping your logs in.

Slides:



Advertisements
Similar presentations
Cisco Device Hardening Disabling Unused Cisco Router Network Services and Interfaces.
Advertisements

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.
Managing logs with syslog-ng and SWATCH AfNOG 11, Kigali/Rwanda.
Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.
NetComm Wireless Logging Architecture Feature Spotlight.
Syslog and log files1-1 Syslog and Log Files  From logfiles, you can find m important information m History m Errors/warnings  Logging policies m Reset.
CIS 193A – Lesson3 Vigilance! Logging & Monitoring Syslog Logrotate Logwatch Accounting.
1 Figure 6-16: Advanced Server Hardening Techniques Reading Event Logs (Chapter 10)  The importance of logging to diagnose problems Failed logins, changing.
Syslogd Tracking system events. Log servers Applications are constantly encountering events which should be recorded –users attempt to login with bad.
Voyager Server Security and Monitoring Best practices and tools.
© 2010 VMware Inc. All rights reserved VMware ESX and ESXi Module 3.
NOC TOOLS syslog AfNOG Cairo, SI-E, 2 of 5 Sunday Folayan.
Network Management Workshop intERlab at AIT Thailand March 11-15, 2008 Log management.
Security Guidelines and Management
Maintaining Host Security Logs.  Security logs are invaluable for verifying whether the host's defenses are operating properly.  Another reason to maintain.
Reconnaissance & Enumeration Baseline, Monitor, Detect, Analyze, Respond, & Recover Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009 Santiago,
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
New SA Training Topic 9: Logging, Monitoring, and Performance  Logging  Windows – “Auditing”  Linux – syslog  Monitoring  MRTG  Big Brother  Performance.
CLI modes Accessing the configuration Basic configuration (hostname and DNS) Authentication and authorization (AAA) Log collection Time Synchronization.
System Monitoring and Automation CSCI N321 – System and Network Administration Copyright © 2000, 2011 by Scott Orr and the Trustees of Indiana University.
© 2008 Cisco Systems, Inc. All rights reserved.CIPT1 v6.0—2-1 Administering Cisco Unified Communications Manager Understanding Cisco Unified Communications.
7 November 2005 Sebastian Büttrich ItrainOnline MMTK 1 Linux logging and logfiles monitoring with swatch Sebastian Büttrich, wire.less.dk.
Objectives Configure routing in Windows Server 2008 Configure Routing and Remote Access Services in Windows Server 2008 Network Address Translation 1.
System logging and monitoring
Vodafone MachineLink 3G
Saeed Darvish Pazoki – MCSE, CCNA Abstracted From: Cisco Press – ICND 1 – Chapter 9 Ethernet Switch Configuration 1.
System Monitoring and Automation. 2 Section Overview Automation of Periodic Tasks Scheduling and Cron Syslog Accounting.
TELE 301 Lecture 10: Scheduled … 1 Overview Last Lecture –Post installation This Lecture –Scheduled tasks and log management Next Lecture –DNS –Readings:
Inetd...Server of Servers Looks at a number of ports Determines when a service is needed on any of those ports Calls the appropriate server Restarts new.
Day 11 SAMBA NFS Logs Managing Users. SAMBA Implements the ability for a Linux machine to communicate with and act like a Windows file server. –Implements.
CSCI 530 Lab Intrusion Detection Systems IDS. A collection of techniques and methodologies used to monitor suspicious activities both at the network and.
CIS 290 LINUX Security Tripwire file integrity and change management tool and log monitoring.
Linux Networking Security Sunil Manhapra & Ling Wang Project Report for CS691X July 15, 1998.
CENT 305 Information Systems Security Overview of System Logging syslog 1.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Filtering Traffic Using Access Control Lists Introducing Routing and Switching.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Filtering Traffic Using Access Control Lists Introducing Routing and Switching.
Overview Managing a DHCP Database Monitoring DHCP
Maintaining and Updating Windows Server Monitoring Windows Server It is important to monitor your Server system to make sure it is running smoothly.
Page 1 Chapter 11 CCNA2 Chapter 11 Access Control Lists : Creating ACLs, using Wildcard Mask Bits, Standard and Extended ACLs.
Security monitoring boxes Andrew McNab University of Manchester.
These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license (
Ch11: Syslog and Logfiles Presented by: Apichana Thiantanawat 06/11/02.
1 Periodic Processes and the cron Daemon The cron daemon is where all timed events are initiated. The cron system is serviced by the cron daemon. What.
Chapter 10 Chapter 10: Managing the Distributed File System, Disk Quotas, and Software Installation.
1 Figure 10-4: Intrusion Detection Systems (IDSs) HOST IDSs  Protocol Stack Monitor (like NIDS) Collects the same type of information as a NIDS Collects.
Chapter 13: LAN Maintenance. Documentation Document your LAN so that you have a record of equipment location and configuration. Documentation should include.
Host Security Overview Onion concept of security Defense in depth How secure do you need to be? You can only reduce risk Tradeoffs - more security means:
Configuring AAA requires four basic steps: 1.Enable AAA (new-model). 2.Configure security server network parameters. 3.Define one or more method lists.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Filtering Traffic Using Access Control Lists Introducing Routing and Switching.
These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license (
SWATCH Chris Anderson Matt White. Swatch: Its purpose Log file watcher – Originally, Swatch was written to actively monitor messages as they are written.
Lecture 19 Page 1 CS 236 Online 6. Application Software Security Why it’s important: –Security flaws in applications are increasingly the attacker’s entry.
Network Management Tutorial Log management. Log management and monitoring ■ What is log management and monitoring ? ■ It's about keeping your logs in.
VMware ESX and ESXi Module 3.
Chapter Objectives In this chapter, you will learn:
Working at a Small-to-Medium Business or ISP – Chapter 8
CCNA Routing and Switching Routing and Switching Essentials v6.0
APRICOT 2008 Network Management Taipei, Taiwan February 20-24, 2008
ITIS 3110 IT Infrastructure II
Hervey Allen Chris Evans Phil Regnauld September 3 – 4, 2009
Chapter 10: Device Discovery, Management, and Maintenance
CCNA Routing and Switching Routing and Switching Essentials v6.0
Log management AfNOG 2008 Rabat, Morocco.
Chapter 2: Basic Switching Concepts and Configuration
* Essential Network Security Book Slides.
Chapter 10: Device Discovery, Management, and Maintenance
CS580 Special Project: IOS Firewall Setup using CISCO 1600 router
6. Application Software Security
Presentation transcript:

AfChix 2011 Blantyre, Malawi Log management

Log management and monitoring ■ What is log management and monitoring ? ● It's about keeping your logs in a safe place, putting them where you can easily inspect them with tools ● Keep an eye on your log files ■ They tell you something important... ● Lots of things happen, and someone needs to keep an eye on them... ● Not really practical to do it by hand!

Log management and monitoring ■ On your routers and switches ● Sep 1 04:40: INDIA: %SEC-6-IPACCESSLOGP: list 100 denied tcp (2167) -> (6662), 1 packet ● Sep 1 04:42: INDIA: %SYS-5-CONFIG_I: Configured from console by pr on vty0 ( ) ‏ ● %CI-3-TEMP: Overtemperature warning ● Mar 1 00:05:51.443: %LINK-3-UPDOWN: Interface Serial1, changed state to down ■ On your servers as well ● Aug 31 17:53:12 ubuntu nagios2: Caught SIGTERM, shutting down... ● Aug 31 19:19:36 ubuntu sshd[16404]: Failed password for root from port 2039 ssh2

Log management ■ First, need to centralize and consolidate log files ■ Log all messages from routers, switches and servers to a single machine – a log server ■ All logging from network equipment and UNIX servers is done using syslog ■ Windows can be configured to use syslog as well, with some tools ■ Log locally, but also to the central server

Centralized logging Local disk serv er syslog rout er swit ch Syslog storage Sysl og serv er

Configuring centralized logging ■ Cisco equipment ● Minimum:  logging ip.of.log.host ■ UNIX host ● Edit syslog.conf ● Add “ip.of.log.host” ● Restart syslogd ■ Other equipments have similar options ● Options to control facility and level

Receiving the messages ■ Identify the facility that the SENDING host or device will send their message on - logger ■ Reconfigure syslogd to listen to the network ■ Add an entry to syslogd indicating where to write messages: ●local7.*/var/log/routers ■ Create the file or directory: ●touch /var/log/routers ■ Restart syslogd ●/etc/rc.d/syslogd restart

Syslog basics ■ UDP protocol, port 514 ■ Syslog messages contain: ● Facility: AuthLevel:Emergency(0) Authpriv|Alert (1) Console| Critical(2) Cron| Error(3) Daemon| Warning(4) Ftp| Notice(5) Kern| Info(6) LprMail| Debug(7) News Ntp | SecuritySyslog UserUUCP Local0...Local7

Best Practices * Forward syslog messages from clients to a secure syslog server. * Enable NTP clock synchronization on all clients and on the syslog server so that logs are all synchronized. Without doing this, it can be difficult or impossible to accurately determine the sequence of events across systems or applications. * Group “like sources” into the same log file. (i.e. mail server, MTA, spamassassin and A/V scanner all report to one file) * Use an automated tool to establish a baseline of your logs and escalate exceptions as appropriate.

Best Practices * Review your records retention policy, if applicable, and determine if anything kept in logs falls under that policy. If so, establish retention periods based on the records policy. Legal requirements for keeping logs vary by jurisdiction and application. * The “sweet spot” for log retention appears to be one year. Shorter than 1 year, and it is likely that key data would be unavailable in the wake of a long running attack, and longer than one year is most likely wasting disk space. * Include logs and log archives in a standard backup process for disaster recovery. * Change read/write permissions on logs files so they are not accessible to unprivileged user accounts.

Sorting logs ■ Using facility and level, sort by category into different files ■ With tools like syslog-ng, sort by host, date,... automatically into different directories ■ Grep your way through the logs. ■ Use standard UNIX tools to sort, and eliminate, things you want to filter out: ● egrep -v '(list 100 denied|logging rate- limited)' mylogfile ● Other tools exist, like ”Swatch” to make this automatic

SWATCH ■ Simple Log Watcher ● Written in Perl ● Monitors log files, looking for patterns (”regular expressions”) to match in the logs ● Perform a given action if the pattern is found

Sample config ■ watchfor /%LINK-3-UPDOWN/ mail addresses=inst,subject=Link updown throttle 1:00 watchfor /%SEC-6-IPACCESSLOGP/ exec /usr/bin/echo $* >> /tmp/accesslist.log watchfor /%SYS-5-CONFIG/ mail addresses=inst,subject=Configuration of router

References ■ ■ Syslog NG ● ■ Windows Event Log to Syslog: ● ents/UNIX/evtsys ■ SWATCH log watcher ● ● -swatch-skendrick.txt ● ● d=5332&group_id=25401

Questions ? ?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.