Critical Control 6: Maintenance, Monitoring, and Analysis of Audit Logs

Logs are the single most important place to look when it is time to answer the question “what just happened?”. The more systems you have, the more impractical it is to review system logs individually. To facilitate this, configure each system to send its logs to a centralized log review and retention solution. This puts all of the logs in one place and also keeps a second copy in an alternate location, out of reach of anyone who tampers with the originating host.

SANS provides a Log Vendor Listing that includes popular vendors. Martin Holste wrote his own Enterprise Log Search and Archive (ELSA) solution.

A good tool not only allows you to search through the logs, but also lets you schedule recurring searches and alert when something is found. The following examples of reports and alerts can serve as the foundation of your indications and warnings of attack or misconfiguration.

  • Any successful (and unsuccessful) logins to firewall
  • All firewall rule changes
  • Daily log volume report for the last several days
  • Alert when a host has not sent logs over the last 24 hours
  • All RDP traffic
  • All two-factor authentication system and device usage
  • Security log cleared
  • New users, especially in privileged groups
  • Basic File Integrity Monitoring (FIM) alerts generated by increased logging on critical files and folders
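As an added example (not code from the original post), the following Python pass over constructed sample log lines produces three of the reports listed above: the daily log volume per host, hosts that have gone silent for more than 24 hours, and hits for the firewall-login, rule-change, security-log-cleared and privileged-user alerts. The line format, hostnames and the message wording matched by the rules are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of centralized log lines: "<ISO timestamp> <host> <message>"
SAMPLE_LOGS = """\
2024-03-01T08:00:00 fw01 login succeeded user=admin src=10.0.0.5
2024-03-01T08:05:00 fw01 rule change: allow tcp/3389 from any
2024-03-01T09:00:00 dc01 new user created name=svc-backup group=Domain Admins
2024-03-01T09:30:00 dc01 event 1102: the audit log was cleared
2024-03-02T07:00:00 fw01 login failed user=root src=203.0.113.9
2024-03-02T07:10:00 web01 GET /index.html 200
""".splitlines()

def parse(line):
    ts, host, msg = line.split(" ", 2)
    return datetime.fromisoformat(ts), host, msg

def daily_volume(lines):
    """Events per (host, day): the 'daily log volume' report."""
    counts = Counter()
    for ts, host, _ in map(parse, lines):
        counts[(host, ts.date().isoformat())] += 1
    return dict(counts)

def silent_hosts(lines, now, window=timedelta(hours=24)):
    """Hosts whose most recent event is older than `window` relative to `now`."""
    last_seen = {}
    for ts, host, _ in map(parse, lines):
        last_seen[host] = max(ts, last_seen.get(host, ts))
    return sorted(h for h, ts in last_seen.items() if now - ts > window)

# Substring rules for the alerts above (assumed message wording); each hit is
# an indicator to investigate, not a verdict.
ALERT_RULES = {
    "firewall-login": lambda h, m: h.startswith("fw") and "login" in m,
    "firewall-rule-change": lambda h, m: h.startswith("fw") and "rule change" in m,
    "security-log-cleared": lambda h, m: "audit log was cleared" in m,
    "new-privileged-user": lambda h, m: "new user" in m and "Admins" in m,
}

def alerts(lines):
    """Return (rule, host, timestamp) for every line matching an alert rule."""
    hits = []
    for ts, host, msg in map(parse, lines):
        for name, match in ALERT_RULES.items():
            if match(host, msg):
                hits.append((name, host, ts.isoformat()))
    return hits

if __name__ == "__main__":
    now = datetime(2024, 3, 2, 12, 0, 0)  # constructed "current" time for the report
    print(daily_volume(SAMPLE_LOGS))
    print("silent >24h:", silent_hosts(SAMPLE_LOGS, now))
    for hit in alerts(SAMPLE_LOGS):
        print(hit)
```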

SANS's Top 5 Essential Log Reports (PDF) lists categories of events that should certainly be addressed in log review. They are broad enough to be valid in all environments and serve as good conversation starters when establishing proper log review and analysis.

  • Attempts to Gain Access through Existing Accounts
  • Failed File or Resource Access Attempts
  • Unauthorized Changes to Users, Groups and Services
  • Systems Most Vulnerable to Attack
  • Suspicious or Unauthorized Network Traffic Patterns
