13 ESSENTIAL LOG COLLECTION SOURCES
Log management is an infrastructure management best practice that supports not only performance management but also security incident response and compliance requirements. Beyond its use for after-the-fact forensics, log management can serve as an early warning system against breaches in progress, including compromises that could replicate onto a disaster recovery infrastructure. Presented here is a list of log sources and alerts that an automated log management system should collect to support infrastructure security.
ANTI-MALWARE SOFTWARE
These logs can indicate malware detections, the results of disinfection attempts, file quarantines, when file-system scans were last performed, when anti-virus signature files were last updated, and when software upgrades have taken place.
APPLICATIONS
Application logs can include account changes, user authentication attempts, client and server activity, and configuration changes.
AUTHENTICATION SERVERS
Authentication servers typically log every authentication attempt, recording the originating user ID, the destination system or application, the date and time, and whether the attempt succeeded or failed.
CLOUD SERVICES
Log data from public cloud environments such as Amazon Web Services (AWS), Microsoft Azure, and Rackspace Public Cloud is a newer source that must also be considered for collection (for example, CloudTrail logs in AWS).
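The authentication-server and cloud entries above list the same core fields (user ID, destination, date and time, success or failure). The following added example, which is not part of the original list, normalizes a constructed syslog-style authentication line and a constructed CloudTrail ConsoleLogin record onto those fields and raises an alert when one user/source pair accumulates repeated failures inside a sliding window; the log formats, host names and addresses are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample records (not real logs): three syslog-style authentication server
# lines plus one AWS CloudTrail ConsoleLogin record, using RFC 5737 documentation addresses.
AUTH_LINES = [
    "2024-05-01T09:00:01Z authsrv sshd: Failed password for alice from 203.0.113.5",
    "2024-05-01T09:00:04Z authsrv sshd: Failed password for alice from 203.0.113.5",
    "2024-05-01T09:00:09Z authsrv sshd: Failed password for alice from 203.0.113.5",
    "2024-05-01T09:02:30Z authsrv sshd: Accepted password for bob from 198.51.100.7",
]
CLOUDTRAIL_EVENTS = [{"eventTime": "2024-05-01T09:01:00Z", "eventName": "ConsoleLogin",
                      "userIdentity": {"userName": "alice"}, "sourceIPAddress": "203.0.113.5",
                      "responseElements": {"ConsoleLogin": "Failure"}}]
AUTH_RE = re.compile(r"^(\S+) (\S+) sshd: (Accepted|Failed) password for (\S+) from (\S+)")

def _ts(iso):
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def normalize_auth_line(line):
    # Map a syslog-style line onto the fields the text names: user, destination, time, outcome.
    if not (m := AUTH_RE.match(line)):
        return None
    ts, host, outcome, user, src = m.groups()
    return {"time": _ts(ts), "user": user, "destination": host, "source": src,
            "success": outcome == "Accepted"}

def normalize_cloudtrail(event):
    # Map a CloudTrail ConsoleLogin record onto the same shape (other event types are skipped).
    if event.get("eventName") != "ConsoleLogin":
        return None
    return {"time": _ts(event["eventTime"]), "user": event["userIdentity"].get("userName", "?"),
            "destination": "aws-console", "source": event.get("sourceIPAddress", "?"),
            "success": event.get("responseElements", {}).get("ConsoleLogin") == "Success"}

def failed_login_alerts(records, threshold=3, window_seconds=300):
    # Emit an alert each time one (user, source) pair reaches `threshold` failures in the window.
    failures, alerts = defaultdict(list), []
    for r in sorted(records, key=lambda r: r["time"]):
        if r["success"]:
            continue
        key = (r["user"], r["source"])
        failures[key] = [t for t in failures[key] + [r["time"]]  # sliding window
                         if (r["time"] - t).total_seconds() <= window_seconds]
        if len(failures[key]) >= threshold:
            alerts.append((key, len(failures[key])))
    return alerts

def run():
    records = [x for x in map(normalize_auth_line, AUTH_LINES) if x]
    records += [x for x in map(normalize_cloudtrail, CLOUDTRAIL_EVENTS) if x]
    return failed_login_alerts(records)
```

Because both sources are normalized to one shape, the third SSH failure and the later console failure from the same address count toward a single alert series rather than being evaluated per source.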
FIREWALLS
These very detailed and informative logs can show what activity was blocked according to security policies.
INTRUSION DETECTION & PROTECTION
These systems record detailed information about suspicious behavior and detected attacks as well as actions taken to halt malicious activity in progress.
NETWORK ACCESS CONTROL SERVERS
These logs can provide useful information about both successful (permitted) and unsuccessful (quarantined) network connection attempts.
NETWORK DEVICES
Logs from network devices such as routers and switches can provide information on network communication activity and on what types of traffic were blocked.
OPERATING SYSTEMS
Beyond typical log entries, operating system logs can contain information from security software and system applications that can help identify suspicious activity involving a particular host.
VIRTUAL PRIVATE NETWORKS (VPNs)
VPN logs record both successful and failed connection attempts, the date and time of each connection and disconnection, and the types and amount of data sent and received during a session.
VULNERABILITY MANAGEMENT SOFTWARE
Scanning and patch management software logs entries such as configuration details, missing software updates, identified vulnerabilities, and how current the downloaded patches and scan definitions are.
WEB APPLICATION FIREWALLS
WAFs generate “deny logs” that identify blocked application requests; these are useful for identifying attempted attacks that used an application as the attack vector.
WEB PROXIES
Web proxy logs record user activity and the URLs accessed by specific users.