Managing Security Log Files

One well-attended, all-day track at FIRST was the System Network and Security Log Analysis for Incident Response track, run by Anton Chuvakin of LogLogic. Unfortunately I was unable to attend this talk, although I heard many good reports surrounding it.

However, I did wonder whether we could take log analysis one step further, because, as many enterprise businesses are aware, log analysis can be an impossible task due to the sheer volume of information from:-

• Firewall logs

• Router logs

• Switch logs

• Operating system logs

• Operating system security event logs

• Application event logs

The last three sets of logs could come from anywhere between one hundred and one hundred thousand servers, or even several hundred thousand…

There are several strategies for dealing with these logs:-

1. Ignore them until forensics are required.

2. Get your logs to proactively tell you whether anomalies are occurring in your enterprise.

3. Try to remove as much of the irrelevant information from the log files as possible, and create automated filtering to locate anomalies.
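
The third strategy, noise reduction followed by automated anomaly filtering, is easy to sketch in code. The example below is added here and is not from the original post or from any of the tools it mentions: it parses a handful of constructed syslog-style lines (timestamp, host, message), discards entries matching known-benign noise patterns (cron heartbeats, switch ports coming up), and then applies two simple detection rules: a burst of failed SSH logins from one source within a time window, and the same firewall drop repeated above a threshold. The log format, the noise patterns and the thresholds are all assumptions chosen for illustration; a real deployment would tune them against its own sources.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log (not real data): "<ISO timestamp> <host> <message>" per line.
SAMPLE_LOG = """\
2024-05-01T10:00:01 fw01 DROP src=10.0.0.5 dst=192.0.2.10 dport=445
2024-05-01T10:00:02 sw01 link state change port=12 state=up
2024-05-01T10:00:03 srv01 sshd: Failed password for root from 198.51.100.7
2024-05-01T10:00:04 srv01 sshd: Failed password for admin from 198.51.100.7
2024-05-01T10:00:05 srv01 sshd: Failed password for root from 198.51.100.7
2024-05-01T10:00:06 srv01 sshd: Failed password for root from 198.51.100.7
2024-05-01T10:00:07 srv01 sshd: Failed password for guest from 198.51.100.7
2024-05-01T10:00:08 srv02 sshd: Accepted publickey for deploy from 10.0.0.9
2024-05-01T10:00:09 srv02 cron: (root) CMD (run-parts /etc/cron.hourly)
2024-05-01T10:00:10 fw01 DROP src=10.0.0.5 dst=192.0.2.10 dport=445
2024-05-01T10:00:11 srv03 sshd: Failed password for root from 203.0.113.4
2024-05-01T10:05:30 srv03 sshd: Failed password for root from 203.0.113.4
2024-05-01T10:05:31 fw01 DROP src=10.0.0.5 dst=192.0.2.10 dport=445
"""

# Assumed message shapes for the two detection rules (illustrative, not a vendor format).
FAILED_AUTH = re.compile(r"Failed password for (\S+) from (\S+)")
FW_DROP = re.compile(r"DROP src=(\S+) dst=(\S+) dport=(\d+)")

# Assumed "known benign" patterns: entries that add volume but carry no security signal.
NOISE = [re.compile(p) for p in (r"\bcron:", r"link state change .* state=up")]


def parse_line(line):
    """Split one log line into timestamp, host and message; return None if malformed."""
    parts = line.split(" ", 2)
    if len(parts) != 3:
        return None
    ts, host, msg = parts
    try:
        when = datetime.fromisoformat(ts)
    except ValueError:
        return None
    return {"ts": when, "host": host, "msg": msg}


def drop_noise(events):
    """Step one of strategy 3: remove entries matching any known-benign pattern."""
    return [e for e in events if not any(p.search(e["msg"]) for p in NOISE)]


def failed_auth_bursts(events, threshold=5, window_seconds=60):
    """Flag a source that produced `threshold` failed logins inside `window_seconds`."""
    by_src = defaultdict(list)
    for e in events:
        m = FAILED_AUTH.search(e["msg"])
        if m:
            by_src[m.group(2)].append(e["ts"])
    alerts = []
    for src, times in by_src.items():
        times.sort()
        # Sliding window over sorted timestamps: any `threshold` consecutive
        # attempts that fit inside the window trigger one alert for this source.
        for i in range(len(times) - threshold + 1):
            span = (times[i + threshold - 1] - times[i]).total_seconds()
            if span <= window_seconds:
                alerts.append({"src": src, "attempts": len(times), "window_s": span})
                break
    return alerts


def repeated_drops(events, threshold=3):
    """Flag a (src, dst, dport) triple dropped by the firewall at least `threshold` times."""
    counts = Counter()
    for e in events:
        m = FW_DROP.search(e["msg"])
        if m:
            counts[m.groups()] += 1
    return [
        {"src": s, "dst": d, "dport": int(p), "count": c}
        for (s, d, p), c in counts.items()
        if c >= threshold
    ]


def analyse(text):
    """Parse, de-noise and run both rules; return counts and the resulting alerts."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    kept = drop_noise(events)
    return {
        "total": len(events),
        "kept": len(kept),
        "auth_bursts": failed_auth_bursts(kept),
        "repeated_drops": repeated_drops(kept),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print(f"{result['total']} events parsed, {result['kept']} kept after noise removal")
    for a in result["auth_bursts"]:
        print(f"failed-login burst from {a['src']}: {a['attempts']} attempts in {a['window_s']:.0f}s")
    for d in result["repeated_drops"]:
        print(f"repeated drop {d['src']} -> {d['dst']}:{d['dport']} x{d['count']}")
```

On the sample input, 13 lines are parsed, 2 are discarded as noise, one source is flagged for five failed logins in six seconds, and one firewall drop triple is flagged for repeating three times; the two attempts from the other source stay below the threshold and are not reported. The design point is that the noise filter runs before the rules, so the rules only see lines that could plausibly carry signal, which is what keeps the approach tractable as the number of servers grows.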

If you want to hear a bit more about options 2 and 3, you will have to glean the information from my bar brawl podcast with “Raffy” (Raffael Marty).