13 ESSENTIAL LOG COLLECTION SOURCES

Log management is an infrastructure management best practice that supports not only performance management but also security incident response and compliance requirements. Beyond its use for after-the-fact forensics, log management can be a key “early warning system” against possible breaches in progress that could replicate onto a disaster recovery infrastructure. Presented here is a list of log sources, and the alerts they can feed, that help an automated log management system support infrastructure security.

ANTI-MALWARE SOFTWARE

These logs can indicate malware detection, disinfection attempt results, file quarantines, when file-system scans were last performed, when anti-virus signature files were last updated, and when software upgrades have taken place.

APPLICATIONS

Logs can include account changes, user authentication attempts, client and server activity, and configuration changes.

AUTHENTICATION SERVERS

Servers typically log every authentication attempt and show the originating user ID, destination system or application, date and time, and success/failure details.
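The fields listed above (user ID, destination, timestamp, success/failure) are enough to build a simple early-warning check: a run of failures for one account against one system followed by a success. The example below is added here and is not from the original deck or any particular product; the key=value line format and the sample lines are constructed for illustration, and the five-failures-in-five-minutes threshold is an assumed tuning value.

```python
"""Flag accounts whose authentication log shows a burst of failures followed by a success.

Added example. The line format is a hypothetical key=value layout; real authentication
servers each have their own format, so the regex is the part you would adapt.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log (not captured from a real system). Includes one malformed line
# to show that unparseable entries are skipped rather than crashing the parser.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z user=alice dest=vpn-gw1 result=FAIL
2024-03-01T08:00:03Z user=alice dest=vpn-gw1 result=FAIL
2024-03-01T08:00:05Z user=alice dest=vpn-gw1 result=FAIL
2024-03-01T08:00:07Z user=alice dest=vpn-gw1 result=FAIL
2024-03-01T08:00:09Z user=alice dest=vpn-gw1 result=FAIL
this line is garbage and should be ignored
2024-03-01T08:00:12Z user=alice dest=vpn-gw1 result=SUCCESS
2024-03-01T08:05:00Z user=bob dest=mail result=SUCCESS
2024-03-01T08:06:00Z user=carol dest=mail result=FAIL
2024-03-01T08:07:00Z user=carol dest=mail result=SUCCESS
"""

# Hypothetical format: ISO-8601 UTC timestamp, then user=, dest=, result= fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+dest=(?P<dest>\S+)\s+result=(?P<result>SUCCESS|FAIL)$"
)


def parse_line(line):
    """Return a dict with ts/user/dest/result, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "dest": m["dest"], "result": m["result"]}


def detect_failed_then_success(lines, threshold=5, window=timedelta(minutes=5)):
    """Emit one alert per (user, dest) pair where >= threshold failures inside `window`
    are immediately followed by a successful authentication.

    Failures older than the window are dropped, and a success clears the counter, so
    a single stale failure hours earlier does not trigger an alert.
    """
    recent_failures = defaultdict(deque)  # (user, dest) -> timestamps of recent FAILs
    alerts = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue  # skip malformed entries
        key = (ev["user"], ev["dest"])
        q = recent_failures[key]
        # Expire failures that fall outside the sliding window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
        else:
            if len(q) >= threshold:
                alerts.append({
                    "user": ev["user"],
                    "dest": ev["dest"],
                    "failures": len(q),
                    "first_failure": q[0].isoformat(),
                    "success_at": ev["ts"].isoformat(),
                })
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_failed_then_success(SAMPLE_LOG.splitlines()):
        print(alert)
```

Against the constructed sample this raises exactly one alert, for `alice` on `vpn-gw1`, while `carol` (a single typo-then-success) and `bob` stay quiet. Splitting the counter by destination as well as user matters: the same account failing once against ten different systems is a different pattern, and one you would want a separate rule for.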

CLOUD-SPECIFIC SOURCES

New sources of log data from public cloud environments such as Amazon Web Services (AWS), Microsoft Azure, and Rackspace Public Cloud must be considered for collection (for example, CloudTrail logs in AWS).
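Cloud audit trails are delivered as JSON rather than syslog-style lines, so the collector needs a different parser. The example below is added here (not from the original deck or from AWS) and reviews console sign-in events from a CloudTrail-style file: it counts failed logins per user, lists successful logins made without MFA, and lists any root-account logins. The records are constructed samples that follow CloudTrail's documented field names (`eventSource`, `eventName`, `userIdentity`, `responseElements`, `additionalEventData`); account IDs and IP addresses are placeholders.

```python
"""Review ConsoleLogin events in a CloudTrail-style JSON file.

Added example using constructed records in CloudTrail's general shape. Real trails
contain many more fields; only the ones used here are included in the sample.
"""
import json
from collections import Counter

# Constructed sample trail file (placeholder account ID and documentation-range IPs).
SAMPLE_TRAIL = """
{"Records": [
 {"eventVersion": "1.08", "eventTime": "2024-03-01T09:00:00Z",
  "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
  "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "123456789012"},
  "responseElements": {"ConsoleLogin": "Failure"},
  "additionalEventData": {"MFAUsed": "No"},
  "errorMessage": "Failed authentication"},
 {"eventVersion": "1.08", "eventTime": "2024-03-01T09:00:20Z",
  "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
  "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "123456789012"},
  "responseElements": {"ConsoleLogin": "Failure"},
  "additionalEventData": {"MFAUsed": "No"},
  "errorMessage": "Failed authentication"},
 {"eventVersion": "1.08", "eventTime": "2024-03-01T09:01:00Z",
  "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
  "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"type": "IAMUser", "userName": "alice", "accountId": "123456789012"},
  "responseElements": {"ConsoleLogin": "Success"},
  "additionalEventData": {"MFAUsed": "Yes"}},
 {"eventVersion": "1.08", "eventTime": "2024-03-01T09:30:00Z",
  "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
  "awsRegion": "eu-west-1", "sourceIPAddress": "203.0.113.9",
  "userIdentity": {"type": "IAMUser", "userName": "bob", "accountId": "123456789012"},
  "responseElements": {"ConsoleLogin": "Success"},
  "additionalEventData": {"MFAUsed": "No"}},
 {"eventVersion": "1.08", "eventTime": "2024-03-01T10:00:00Z",
  "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
  "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.44",
  "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root", "accountId": "123456789012"},
  "responseElements": {"ConsoleLogin": "Success"},
  "additionalEventData": {"MFAUsed": "Yes"}},
 {"eventVersion": "1.08", "eventTime": "2024-03-01T10:05:00Z",
  "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
  "awsRegion": "us-east-1", "sourceIPAddress": "192.0.2.44",
  "userIdentity": {"type": "IAMUser", "userName": "bob", "accountId": "123456789012"}}
]}
"""


def principal_name(identity):
    """Human-readable principal: IAM user name, or 'root' for the account root."""
    if identity.get("type") == "Root":
        return "root"
    return identity.get("userName") or identity.get("arn", "unknown")


def review_console_logins(trail_json):
    """Summarise ConsoleLogin events: failures per user, MFA-less successes, root logins."""
    records = json.loads(trail_json)["Records"]
    failed_by_user = Counter()
    success_without_mfa = []
    root_logins = []
    for rec in records:
        # Only console sign-in events are relevant here; API calls are skipped.
        if rec.get("eventSource") != "signin.amazonaws.com" or rec.get("eventName") != "ConsoleLogin":
            continue
        identity = rec.get("userIdentity", {})
        who = principal_name(identity)
        outcome = rec.get("responseElements", {}).get("ConsoleLogin")
        mfa_used = rec.get("additionalEventData", {}).get("MFAUsed") == "Yes"
        if outcome == "Failure":
            failed_by_user[who] += 1
            continue
        if outcome == "Success":
            if not mfa_used:
                success_without_mfa.append((who, rec["sourceIPAddress"], rec["eventTime"]))
            if identity.get("type") == "Root":
                root_logins.append((rec["sourceIPAddress"], rec["eventTime"]))
    return {
        "failed_by_user": dict(failed_by_user),
        "success_without_mfa": success_without_mfa,
        "root_logins": root_logins,
    }


if __name__ == "__main__":
    print(json.dumps(review_console_logins(SAMPLE_TRAIL), indent=2))
```

Two of these three findings are not about attacks at all: a success without MFA and any interactive root login are configuration hygiene signals, which is exactly the kind of thing an audit trail surfaces that a firewall or host log never will.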

FIREWALLS

These very detailed and informative logs can show what activity was blocked according to security policies.

INTRUSION DETECTION & PROTECTION

These systems record detailed information about suspicious behavior and detected attacks as well as actions taken to halt malicious activity in progress.

NETWORK ACCESS CONTROL SERVERS

These logs can provide useful information about both successful (permitted) and unsuccessful (quarantined) network connections.

NETWORK DEVICES

Logs from network devices such as routers and switches can provide information on network communication activity and what types of traffic were blocked.

OPERATING SYSTEMS

Beyond typical log entries, operating system logs can contain information from security software and system applications that can help identify suspicious activity involving a particular host.

VIRTUAL PRIVATE NETWORKS (VPNs)

VPN logs record both successful and failed connection attempts, date and time of connects and disconnects, and the types and amount of data sent and received during a session.

VULNERABILITY MANAGEMENT SOFTWARE

Scanning and patch management software produce log entries such as configuration changes, missing software updates, identified vulnerabilities, and downloads that keep patches and scan signatures current.

WEB APPLICATION FIREWALLS

WAFs generate “deny logs” that identify blocked application requests; these are useful for identifying attempted attacks that used the application as a possible attack vector.

WEB PROXIES

Web proxy logs record user activity and URLs accessed by specified users.