{"id":201,"date":"2011-07-04T17:29:00","date_gmt":"2011-07-04T17:29:00","guid":{"rendered":"https:\/\/belayclientstaging.zone\/securityeverafter\/2011\/07\/04\/critical-control-6-maintenance-monitoring-and-analysis-of-audit-logs\/"},"modified":"2011-07-04T17:29:00","modified_gmt":"2011-07-04T17:29:00","slug":"critical-control-6-maintenance-monitoring-and-analysis-of-audit-logs","status":"publish","type":"post","link":"https:\/\/securityeverafter.com\/critical-control-6-maintenance-monitoring-and-analysis-of-audit-logs\/","title":{"rendered":"Critical Control 6: Maintenance, Monitoring, and Analysis of Audit Logs"},"content":{"rendered":"<p>Logs are the single most important place to look when it is time to answer the question &#8220;what just happened&#8221;. The more systems you have, the more impractical it is to review at system logs individually. To facilitate this, configure each system to send its logs to a centralized log review and retention solution. This will put all of the logs in one place and also keeps another copy in an alternate location.<\/p>\n<p>SANS provides a <a href=\"http:\/\/www.sans.org\/security-resources\/vendor_directory\/directories.php?catid=169\">Log Vendor Listing<\/a> that includes popular vendors. Martin Holste wrote his own <a href=\"http:\/\/code.google.com\/p\/enterprise-log-search-and-archive\">Enterprise Log Search and Archive<\/a> (ELSA) solution.<\/p>\n<p>A good tool not only allows you to search through the logs, but also lets you schedule recurring searches and alert when something is found. The following examples of reports and alerts can serve as the foundation of your indications and warnings of attack or misconfiguration.<\/p>\n<ul>\n<li>    Any successful (and unsuccessful) logins to firewall<\/li>\n<li>    All firewall rule changes<\/li>\n<li>    Daily log volume report for the last several days<\/li>\n<li>    Alert when a host has not sent logs over the last 24 hours<\/li>\n<li>    All RDP traffic<\/li>\n<li>    All two factor authentication system and device usage<\/li>\n<li>    Security log cleared<\/li>\n<li>    New users, especially in privileged groups<\/li>\n<li>    Basic File Integrity Monitoring (FIM) alerts generated by increased logging on critical files and folders<\/li>\n<\/ul>\n<p>SANS provides a <a href=\"http:\/\/www.sans.org\/info\/3766\">Top 5 Essential Log Reports<\/a> (PDF) lists categories of events that certainly should be addressed in log review. They are broad enough to be valid in all environments and serve as good conversation starters when looking for proper log review and analysis.<\/p>\n<ul>\n<li>Attempts to Gain Access through Existing Accounts <\/li>\n<li>Failed File or Resource Access Attempts <\/li>\n<li>Unauthorized Changes to Users,Groups and Services <\/li>\n<li>Systems Most Vulnerable to Attack <\/li>\n<li>Suspicious or Unauthorized Network Traffic Patterns <\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Logs are the single most important place to look when it is time to answer the question &#8220;what just happened&#8221;. The more systems you have, the more impractical it is to review at system logs individually. To facilitate this, configure each system to send its logs to a centralized log review and retention solution. This [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false},"version":2}},"categories":[20,21,22],"tags":[],"jetpack_publicize_connections":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.7 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Critical Control 6: Maintenance, Monitoring, and Analysis of Audit Logs - Security Ever After - vCISO<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/securityeverafter.com\/critical-control-6-maintenance-monitoring-and-analysis-of-audit-logs\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Critical Control 6: Maintenance, Monitoring, and Analysis of Audit Logs - Security Ever After - vCISO\" \/>\n<meta property=\"og:description\" content=\"Logs are the single most important place to look when it is time to answer the question &#8220;what just happened&#8221;. The more systems you have, the more impractical it is to review at system logs individually. To facilitate this, configure each system to send its logs to a centralized log review and retention solution. This [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/securityeverafter.com\/critical-control-6-maintenance-monitoring-and-analysis-of-audit-logs\/\" \/>\n<meta property=\"og:site_name\" content=\"Security Ever After - vCISO\" \/>\n<meta property=\"article:published_time\" content=\"2011-07-04T17:29:00+00:00\" \/>\n<meta name=\"author\" content=\"Russell\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@russelleubanks\" \/>\n<meta name=\"twitter:site\" content=\"@russelleubanks\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Russell\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/securityeverafter.com\/critical-control-6-maintenance-monitoring-and-analysis-of-audit-logs\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/securityeverafter.com\/critical-control-6-maintenance-monitoring-and-analysis-of-audit-logs\/\"},\"author\":{\"name\":\"Russell\",\"@id\":\"https:\/\/securityeverafter.com\/#\/schema\/person\/38dd34bdece8068be18430e4c96ce5f3\"},\"headline\":\"Critical Control 6: Maintenance, Monitoring, and Analysis of Audit Logs\",\"datePublished\":\"2011-07-04T17:29:00+00:00\",\"dateModified\":\"2011-07-04T17:29:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/securityeverafter.com\/critical-control-6-maintenance-monitoring-and-analysis-of-audit-logs\/\"},\"wordCount\":292,\"commentCount\":2,\"publisher\":{\"@id\":\"https:\/\/securityeverafter.com\/#organization\"},\"articleSection\":[\"Automation\",\"Operational Security\",\"SANS Top 20 Controls\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/securityeverafter.com\/critical-control-6-maintenance-monitoring-and-analysis-of-audit-logs\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/securityeverafter.com\/critical-control-6-maintenance-monitoring-and-analysis-of-audit-logs\/\",\"url\":\"https:\/\/securityeverafter.com\/critical-control-6-maintenance-monitoring-and-analysis-of-audit-logs\/\",\"name\":\"Critical Control 6: Maintenance, Monitoring, and Analysis of Audit Logs - Security Ever After - vCISO\",\"isPartOf\":{\"@id\":\"https:\/\/securityeverafter.com\/#website\"},\"datePublished\":\"2011-07-04T17:29:00+00:00\",\"dateModified\":\"2011-07-04T17:29:00+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/securityeverafter.com\/critical-control-6-maintenance-monitoring-and-analysis-of-audit-logs\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/securityeverafter.com\/critical-control-6-maintenance-monitoring-and-analysis-of-audit-logs\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/securityeverafter.com\/critical-control-6-maintenance-monitoring-and-analysis-of-audit-logs\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/securityeverafter.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Critical Control 6: Maintenance, Monitoring, and Analysis of Audit Logs\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/securityeverafter.com\/#website\",\"url\":\"https:\/\/securityeverafter.com\/\",\"name\":\"Security Ever After - CISO\",\"description\":\"vCISO\",\"publisher\":{\"@id\":\"https:\/\/securityeverafter.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/securityeverafter.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/securityeverafter.com\/#organization\",\"name\":\"Security Ever After\",\"url\":\"https:\/\/securityeverafter.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/securityeverafter.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/i0.wp.com\/securityeverafter.com\/wp-content\/uploads\/2020\/04\/SECURITY-e1589664916497.jpg?fit=1169%2C826&ssl=1\",\"contentUrl\":\"https:\/\/i0.wp.com\/securityeverafter.com\/wp-content\/uploads\/2020\/04\/SECURITY-e1589664916497.jpg?fit=1169%2C826&ssl=1\",\"width\":1169,\"height\":826,\"caption\":\"Security Ever After\"},\"image\":{\"@id\":\"https:\/\/securityeverafter.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/russelleubanks\",\"https:\/\/www.linkedin.com\/in\/russelleubanks\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/securityeverafter.com\/#\/schema\/person\/38dd34bdece8068be18430e4c96ce5f3\",\"name\":\"Russell\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/securityeverafter.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/8567bffe1f64223494326650c53f921b?s=96&r=pg\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/8567bffe1f64223494326650c53f921b?s=96&r=pg\",\"caption\":\"Russell\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Critical Control 6: Maintenance, Monitoring, and Analysis of Audit Logs - Security Ever After - vCISO","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/securityeverafter.com\/critical-control-6-maintenance-monitoring-and-analysis-of-audit-logs\/","og_locale":"en_US","og_type":"article","og_title":"Critical Control 6: Maintenance, Monitoring, and Analysis of Audit Logs - Security Ever After - vCISO","og_description":"Logs are the single most important place to look when it is time to answer the question &#8220;what just happened&#8221;. The more systems you have, the more impractical it is to review at system logs individually. To facilitate this, configure each system to send its logs to a centralized log review and retention solution. This [&hellip;]","og_url":"https:\/\/securityeverafter.com\/critical-control-6-maintenance-monitoring-and-analysis-of-audit-logs\/","og_site_name":"Security Ever After - vCISO","article_published_time":"2011-07-04T17:29:00+00:00","author":"Russell","twitter_card":"summary_large_image","twitter_creator":"@russelleubanks","twitter_site":"@russelleubanks","twitter_misc":{"Written by":"Russell","Est. reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/securityeverafter.com\/critical-control-6-maintenance-monitoring-and-analysis-of-audit-logs\/#article","isPartOf":{"@id":"https:\/\/securityeverafter.com\/critical-control-6-maintenance-monitoring-and-analysis-of-audit-logs\/"},"author":{"name":"Russell","@id":"https:\/\/securityeverafter.com\/#\/schema\/person\/38dd34bdece8068be18430e4c96ce5f3"},"headline":"Critical Control 6: Maintenance, Monitoring, and Analysis of Audit Logs","datePublished":"2011-07-04T17:29:00+00:00","dateModified":"2011-07-04T17:29:00+00:00","mainEntityOfPage":{"@id":"https:\/\/securityeverafter.com\/critical-control-6-maintenance-monitoring-and-analysis-of-audit-logs\/"},"wordCount":292,"commentCount":2,"publisher":{"@id":"https:\/\/securityeverafter.com\/#organization"},"articleSection":["Automation","Operational Security","SANS Top 20 Controls"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/securityeverafter.com\/critical-control-6-maintenance-monitoring-and-analysis-of-audit-logs\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/securityeverafter.com\/critical-control-6-maintenance-monitoring-and-analysis-of-audit-logs\/","url":"https:\/\/securityeverafter.com\/critical-control-6-maintenance-monitoring-and-analysis-of-audit-logs\/","name":"Critical Control 6: Maintenance, Monitoring, and Analysis of Audit Logs - Security Ever After - vCISO","isPartOf":{"@id":"https:\/\/securityeverafter.com\/#website"},"datePublished":"2011-07-04T17:29:00+00:00","dateModified":"2011-07-04T17:29:00+00:00","breadcrumb":{"@id":"https:\/\/securityeverafter.com\/critical-control-6-maintenance-monitoring-and-analysis-of-audit-logs\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/securityeverafter.com\/critical-control-6-maintenance-monitoring-and-analysis-of-audit-logs\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/securityeverafter.com\/critical-control-6-maintenance-monitoring-and-analysis-of-audit-logs\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/securityeverafter.com\/"},{"@type":"ListItem","position":2,"name":"Critical Control 6: Maintenance, Monitoring, and Analysis of Audit Logs"}]},{"@type":"WebSite","@id":"https:\/\/securityeverafter.com\/#website","url":"https:\/\/securityeverafter.com\/","name":"Security Ever After - CISO","description":"vCISO","publisher":{"@id":"https:\/\/securityeverafter.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/securityeverafter.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/securityeverafter.com\/#organization","name":"Security Ever After","url":"https:\/\/securityeverafter.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/securityeverafter.com\/#\/schema\/logo\/image\/","url":"https:\/\/i0.wp.com\/securityeverafter.com\/wp-content\/uploads\/2020\/04\/SECURITY-e1589664916497.jpg?fit=1169%2C826&ssl=1","contentUrl":"https:\/\/i0.wp.com\/securityeverafter.com\/wp-content\/uploads\/2020\/04\/SECURITY-e1589664916497.jpg?fit=1169%2C826&ssl=1","width":1169,"height":826,"caption":"Security Ever After"},"image":{"@id":"https:\/\/securityeverafter.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/russelleubanks","https:\/\/www.linkedin.com\/in\/russelleubanks\/"]},{"@type":"Person","@id":"https:\/\/securityeverafter.com\/#\/schema\/person\/38dd34bdece8068be18430e4c96ce5f3","name":"Russell","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/securityeverafter.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/8567bffe1f64223494326650c53f921b?s=96&r=pg","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/8567bffe1f64223494326650c53f921b?s=96&r=pg","caption":"Russell"}}]}},"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/securityeverafter.com\/wp-json\/wp\/v2\/posts\/201"}],"collection":[{"href":"https:\/\/securityeverafter.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/securityeverafter.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/securityeverafter.com\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/securityeverafter.com\/wp-json\/wp\/v2\/comments?post=201"}],"version-history":[{"count":0,"href":"https:\/\/securityeverafter.com\/wp-json\/wp\/v2\/posts\/201\/revisions"}],"wp:attachment":[{"href":"https:\/\/securityeverafter.com\/wp-json\/wp\/v2\/media?parent=201"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/securityeverafter.com\/wp-json\/wp\/v2\/categories?post=201"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/securityeverafter.com\/wp-json\/wp\/v2\/tags?post=201"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}