Published by Ashley Eaton. Modified over 9 years ago.
1
Maintaining Host Security Logs
2
Security logs are invaluable for verifying whether the host's defenses are operating properly. Another reason to maintain logs is to ensure that forensics evidence is available when you need to figure out what happened, even if you already determined that something went wrong. Of course, each security safeguard is only as good as the actions taken upon it. A log file is of minimal value if you never look at it.
3
Windows Logging and Auditing
Windows offers built-in tools that help administrators capture security-related events and audit the resulting log files. By default, Windows logs only general system events aimed at resolving system and application faults. To capture security-related information, you must enable auditing through the Local Security Policy editor (on a standalone system) or Group Policy (when using Active Directory). You can use the Event Viewer program to examine security log entries collected by the Windows auditing facility.
4
Windows Logging and Auditing
5
The preceding figure illustrates reasonable settings for a Windows workstation, although the specifics of the configuration will depend on your organization's requirements. As the figure shows, Windows allows you to log successful and failed actions associated with several categories of events. The more event types you choose to log, the more thorough your understanding will be of what takes place on the system. On the other hand, excessive auditing can degrade the host's performance, fill up its file system, and overwhelm you with superfluous log entries.
6
Windows Logging and Auditing
Striking the right balance for event logging may require several different settings until you achieve the desired configuration.
7
UNIX Logging and Auditing
Like Windows, UNIX can gather detailed information regarding security events on the system, such as logon and logoff times, occurrences of failed logons, the use of privileged accounts, and even the commands users execute. The configuration of UNIX logging facilities is flexible and varies across UNIX flavors. However, some of the more standard log files are listed below:
8
UNIX Logging and Auditing
1. utmp: Maintains a snapshot listing of users who are currently logged in. Viewable using the who and users commands.
2. wtmp: Maintains a historical record of users' login and logout activity. Viewable using the who and last commands.
3. btmp: Maintains a historical record of failed user logins. Viewable using the lastb command.
A UNIX system stores event records in these log files using a binary format. As a result, you need to use the appropriate tools, listed above, to view their contents.
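The slide notes that utmp, wtmp and btmp are binary files, so you cannot simply cat them. The following Python is an added example, not part of the original presentation, showing what who and lastb do under the hood: it parses the fixed-width record layout used by glibc on Linux x86_64 (an assumption; other UNIX flavors use different layouts) and answers the two questions a defender asks of these files, who is logged in now and which hosts are producing failed logins. The records it reads are constructed inline with the same layout, so it runs offline without touching /var/run/utmp or /var/log/btmp.

```python
import struct
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Record layout of glibc's struct utmp on Linux x86_64: 384 bytes per record.
# Assumption: this layout; other UNIX flavors use different sizes and fields.
# '<' means little-endian with no alignment padding, so calcsize() matches disk.
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20x"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384

# ut_type values from <utmp.h> that matter for login accounting
LOGIN_PROCESS, USER_PROCESS, DEAD_PROCESS = 6, 7, 8


@dataclass
class UtmpRecord:
    ut_type: int
    pid: int
    line: str    # terminal, e.g. "pts/0" or "ssh:notty" for a failed ssh login
    user: str
    host: str    # remote host or IP address for network logins
    tv_sec: int  # time of the event, seconds since the epoch


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded fixed-width text field."""
    return raw.split(b"\x00", 1)[0].decode("utf-8", "replace")


def parse_utmp(data: bytes) -> List[UtmpRecord]:
    """Parse a whole utmp/wtmp/btmp file image into records (all three share the layout)."""
    if len(data) % UTMP_SIZE != 0:
        raise ValueError("file length is not a multiple of the record size; truncated or wrong layout")
    records = []
    for off in range(0, len(data), UTMP_SIZE):
        fields = struct.unpack_from(UTMP_FMT, data, off)
        ut_type, pid, line, _id, user, host, _term, _exit, _sess, sec = fields[:10]
        records.append(UtmpRecord(ut_type, pid, _cstr(line), _cstr(user), _cstr(host), sec))
    return records


def pack_utmp(ut_type: int, pid: int, line: str, user: str, host: str, tv_sec: int) -> bytes:
    """Build one record; used here only to construct sample data."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)


def logged_in(records: List[UtmpRecord]) -> List[str]:
    """Users with a live session, which is what `who` and `users` derive from utmp."""
    return sorted({r.user for r in records if r.ut_type == USER_PROCESS})


def failed_logins_by_host(records: List[UtmpRecord]) -> Dict[str, int]:
    """Failed attempts per source host from a btmp image, a summary of what `lastb` lists."""
    return dict(Counter(r.host for r in records if r.user))


# Constructed sample files: one utmp with a live session and a closed one,
# one btmp with three failed attempts (documentation IP ranges, not real hosts).
T0 = 1_700_000_000
SAMPLE_UTMP = b"".join([
    pack_utmp(USER_PROCESS, 4242, "pts/0", "alice", "198.51.100.10", T0),
    pack_utmp(DEAD_PROCESS, 4100, "pts/1", "", "", T0 - 600),  # user field is cleared on logout
])
SAMPLE_BTMP = b"".join([
    pack_utmp(LOGIN_PROCESS, 5001, "ssh:notty", "root", "203.0.113.7", T0 + 1),
    pack_utmp(LOGIN_PROCESS, 5002, "ssh:notty", "root", "203.0.113.7", T0 + 2),
    pack_utmp(LOGIN_PROCESS, 5003, "ssh:notty", "admin", "192.0.2.50", T0 + 3),
])

if __name__ == "__main__":
    print("logged in:", logged_in(parse_utmp(SAMPLE_UTMP)))
    print("failed logins by host:", failed_logins_by_host(parse_utmp(SAMPLE_BTMP)))
```

To run it against a real file, replace SAMPLE_BTMP with the bytes of /var/log/btmp read as root; the length check at the top of parse_utmp is what catches a layout mismatch on a different UNIX flavor rather than silently misreading fields.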
9
UNIX Logging and Auditing
In addition to maintaining the binary log files just mentioned, UNIX systems rely on the Syslog facility to centralize logging of security and other system events. Syslog typically uses the /etc/syslog.conf configuration file to determine what types of events to log and where to store the log files. Depending on how you configure it, Syslog can record messages from the kernel, user processes, the mail system, locally defined events, and so on. Syslog stores its records in text-based log files, which can be examined with ordinary text file viewers as well as by automated monitoring tools.
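The slide says /etc/syslog.conf decides what gets logged and where, and the selector syntax that does this is easy to misread (a bare level means that level and everything more urgent; "none" removes a facility from a rule). The Python below is an added example, not part of the original presentation or of any syslogd implementation; it reimplements the classic sysklogd selector semantics on a constructed configuration so you can check where a message of a given facility and severity would land before you rely on a rule. It is a simplification in one respect, noted in the code: the "!" negation form is not handled.

```python
from typing import Dict, List, Set, Tuple

# Severity names in the order syslog numbers them: 0 is most urgent.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
SEV_NUM = {name: i for i, name in enumerate(SEVERITIES)}
SEV_NUM.update({"panic": 0, "error": 3, "warn": 4})  # legacy aliases syslogd accepts

FACILITIES = {"kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp"} | {f"local{i}" for i in range(8)}
ALL_PRI = (1 << len(SEVERITIES)) - 1  # bit i set means severity i is selected


def _apply_level(level: str, current: int) -> int:
    """Update one facility's severity bitmask the way syslogd's cfline() does:
    'none' clears it, '=level' adds only that level, 'level' adds it and all
    more urgent levels, '*' selects everything. Simplification: no '!' negation."""
    if level == "none":
        return 0
    if level == "*":
        return ALL_PRI
    if level.startswith("="):
        return current | (1 << SEV_NUM[level[1:]])
    return current | ((1 << (SEV_NUM[level] + 1)) - 1)


def parse_syslog_conf(text: str) -> List[Tuple[Dict[str, int], str]]:
    """Parse 'selector<whitespace>action' lines into (per-facility mask, action) rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        selector, action = line.split(None, 1)
        masks: Dict[str, int] = {f: 0 for f in FACILITIES}
        # Selectors separated by ';' are applied left to right, so a later
        # 'mail.none' removes mail from an earlier '*.info'.
        for part in selector.split(";"):
            facs, level = part.rsplit(".", 1)
            targets = FACILITIES if facs == "*" else set(facs.split(","))
            unknown = targets - FACILITIES
            if unknown:
                raise ValueError(f"unknown facility in selector {part!r}: {sorted(unknown)}")
            for fac in targets:
                masks[fac] = _apply_level(level, masks[fac])
        # A leading '-' on a file action only means "don't fsync after each write".
        rules.append((masks, action.strip().lstrip("-")))
    return rules


def route(rules: List[Tuple[Dict[str, int], str]], facility: str, severity: str) -> Set[str]:
    """All destinations that receive a message of this facility and severity."""
    bit = 1 << SEV_NUM[severity]
    return {action for masks, action in rules if masks.get(facility, 0) & bit}


# Constructed configuration for the example (not a copy of any real system's file).
SAMPLE_CONF = """
# security-relevant events go to their own file
auth,authpriv.*                   /var/log/auth.log
*.info;mail.none;authpriv.none    -/var/log/messages
mail.*                            -/var/log/mail.log
kern.=crit                        /var/log/kern-crit.log
*.emerg                           *
"""

if __name__ == "__main__":
    rules = parse_syslog_conf(SAMPLE_CONF)
    for fac, sev in [("auth", "warning"), ("mail", "info"), ("kern", "debug"), ("authpriv", "emerg")]:
        print(f"{fac}.{sev:<8} -> {sorted(route(rules, fac, sev))}")
```

Two of the sample lookups are the ones that usually surprise people: kern.debug reaches no destination at all because "*.info" stops at info, and authpriv.emerg is kept out of /var/log/messages by "authpriv.none" even though "*.info" named every facility first.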