Sites
- LogAnalysis web site – http://www.loganalysis.org/
- mail-list: LogAnalysis – All things log-related – http://www.loganalysis.org/mailman/listinfo/loganalysis – moderated by Tina Bird and Dee-Ann LeBlanc, and sponsored by Splunk.
- subscription: http://www.loganalysis.org/mailman/listinfo/loganalysis
- archive of prior postings to the list: http://www.loganalysis.org/pipermail/loganalysis/.
- Anton A. Chuvakin – http://www.chuvakin.org/
- Chief Logging Evangelist at LogLogic (http://www.loglogic.com/), a log management and intelligence company; my role is to define and execute on a product vision and strategy, be responsible for the product roadmap, conduct research as well as assist key customers with their LogLogic implementations.
- blog – http://chuvakin.blogspot.com/
- “Critical log review checklist for security incidents” by Anton Chuvakin and Lenny Zeltser:
- Announcement: http://chuvakin.blogspot.com/2010/03/simple-log-review-checklist-released.html
- HTML: http://zeltser.com/log-management/security-incident-log-review-checklist.html | http://www.securitywarriorconsulting.com/security-incident-log-review-checklist.html
- PDF: http://www.securitywarriorconsulting.com/security-incident-log-review-checklist.pdf
- DOCx: http://www.securitywarriorconsulting.com/security-incident-log-review-checklist.docx
- EventID.Net – Troubleshooting over 10,000 Windows event log entries – http://www.eventid.net/
- Windows Security Log Events – http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx
Logging tools
- SLAPS-2 (System Log Analysis & Profiling System – 2): http://www.openchannelfoundation.org/projects/SLAPS-2/
- A collection of programs that filter Unix system logs on a centralized log server in order to produce a series of reports that provide a snapshot of system operation over the past analysis period (e.g., 24 hours). These programs, developed in Perl and enhanced over the past ten years, function as an autonomous process to scan specifiable log files, create the analysis reports from those log files, distribute the reports electronically to targeted recipients and manage the rotation of the log files used during the analysis. (See SLRS for a complementary system log rotation service.)
- logstalgia – website access log visualization – http://code.google.com/p/logstalgia/
- Log file wipers/cleaners/zappers – http://packetstormsecurity.org/UNIX/penetration/log-wipers/
- Passive Syslog Monitoring Daemon – http://sourceforge.net/projects/psmd
- psmd listens on an interface and writes the syslog messages that it sees to disk along with a hash. In addition, it can forward system messages to another system as though the messages came from the original device.
- A collection of log related scripts: http://www.uberadmin.com/Scripts/index.html
- Splunk – http://www.splunk.com/ – a commercial logging tool.
- SplunkBase – http://www.splunkbase.com/, a logging portal and knowledge base with community content licensed under Creative Commons.
- Logger:
- “Shell scripting: Write message to a syslog / log file”: http://www.cyberciti.biz/tips/howto-linux-unix-write-to-syslog.html
- Multilog – http://cr.yp.to/daemontools/multilog.html (a part of the daemontools collection by D.J. Bernstein at http://cr.yp.to/daemontools.html) – multilog reads a sequence of lines from stdin and appends selected lines to any number of logs.
- syslog-ng logging system – http://www.balabit.com/network-security/syslog-ng/
- “Open source and free log analysis and log management tools”, maintained by Dr. Anton Chuvakin – http://www.securitywarriorconsulting.com/logtools/
- List of commercial SIEM tools: http://www.securityscoreboard.com/reviews/tag/productsoffered/siem/?criteria=1
- logrotate – http://iain.cx/src/logrotate/ – a bash script which can rotate log files and multilog log directories and archive them in a central location.
- “Logrotate for Users” by Michael Kavlon (2003.09.18) – http://web.archive.org/web/20071202103315/kavlon.org/index.php/logrotate
- Logfile::Rotate – perl module – http://sourceforge.net/projects/logfile-rotate/
- LogController – http://www.securityfocus.com/tools/638 – logController allows you to control the size of some files that tend to become too large (logfiles). A config file allows you to define which files to monitor and the sizes not to exceed. If one or more files exceed the limit size, they are automatically truncated to a new user-defined size and the area truncated can be erased, or compressed and stored.
Articles and Papers
- “Artificial ignorance: how-to guide” by Marcus J. Ranum (1997.09.23) – http://archives.neohapsis.com/archives/nfr-wizards/1997/09/0098.html
- “Log Review Checklist For Responders Under Fire” by John Sawyer (Evil Bytes blog @ DarkReading, 2010.04.19) – http://www.darkreading.com/blog/archives/2010/04/log_review_chec.html
- “Secure Audit Logs to Support Computer Forensics” by Bruce Schneier and John Kelsey – http://www.schneier.com/paper-auditlogs.html
- ACM Transactions on Information and System Security, v. 1, n. 3, 1999, to appear.
- ABSTRACT: In many real-world applications, sensitive information must be kept in log files on an untrusted machine. In the event that an attacker captures this machine, we would like to guarantee that he will gain little or no information from the log files and to limit his ability to corrupt the log files. We describe a computationally cheap method for making all log entries generated prior to the logging machine’s compromise impossible for the attacker to read, and also impossible to undetectably modify or destroy.
- full text – http://www.schneier.com/paper-auditlogs.pdf
- Standard Operating Procedures under SunOS 5.7/5.8 (2001.11): http://downloads.openchannelsoftware.org/SLAPS-2/slaps_v20.pdf
- “syslog Overview” by tbird (2003.07.08) – http://www.precision-guesswork.com/sage-guide/syslog-overview.html
- Syslog message levels (Kiwi) – http://www.kiwisyslog.com/kb/info:-syslog-message-levels/ | http://www.kiwisyslog.com/help/syslog/protocol_levels.htm
- How To Set Up A Debian Linux Syslog Server – http://www.aboutdebian.com/syslog.htm
- Syslog-ng FAQ by Nate Campin – http://www.campin.net/syslog-ng/faq.html
- Encrypting traffic to a remote syslog-ng server including SSL peer authentication – http://www.stunnel.org/examples/syslog-ng.html
- Using newsyslog to rotate files containing logging messages on systems running Solaris 2.x – http://web.archive.org/web/20060426135905/www.cert.org/security-improvement/implementations/i041.09.html
- “Piping log files to a syslog server” by Major Hayden (Racker Hacker blog; 2009.04.21) – http://rackerhacker.com/2009/04/21/piping-log-files-to-a-syslog-server/
- cat some.log | nc -w 1 -u yoursyslogserver.com 514
- cat some.log | logger -t UsefulLabel -h yoursyslogserver.com -p 514
- cat some.log | logger -t UsefulLabel
Syslog
The standard UNIX syslog facilities are:
- kern – kernel
- user – application or user processes (this is the default if the application sending a message does not specify the facility)
- mail/news/UUCP/cron – electronic mail/NNTP/UUCP/cron subsystems
- daemon – system daemons
- auth – authentication (login) and authorization related commands
- lpr – line printer spooling subsystem
- mark – inserts timestamp into log data at regular intervals
- local0-local7 – 8 facilities for customized auditing
- syslog – internal messages generated by syslog itself
- authpriv – non-system authorization messages
- * — on most versions of UNIX, refers to all facilities except mark
Syslog message levels:
- 0 Emergency (emerg) – system is or will be unusable if situation is not resolved
- 1 Alert (alert) – immediate action required
- 2 Critical (crit) – critical conditions
- 3 Error (error) – error conditions
- 4 Warning (warning) – warning conditions, recoverable errors
- 5 Notice (notice) – normal but significant condition; unusual situation that merits investigation; a significant event that is typically part of normal day-to-day operation
- 6 Informational (info) – informational messages
- 7 Debug (debug) – debug-level messages; verbose data for debugging
Syslog actions:
- filename – write message to the specified file on the local machine
- @hostname or @ipaddress – forward message to remote loghost
- user1,user2,… — write message to consoles of users named in list, if user is logged-in
- * — write message to all logged-in users
Links:
- Syslog Howto @ LinodeWiki – http://www.linode.com/wiki/index.php/Syslog_Howto
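How the facilities, levels and actions above combine in a classic syslog.conf rule, as an added example (not from this page or from any syslogd implementation): a selector `facility.level` matches that facility at the named level and at every more severe level (lower number), `*` as a facility means every facility except mark, and each matching rule fires its action. The sample configuration and level spellings are constructed from the lists above; the "level and more severe" matching rule is an assumption taken from traditional syslogd behaviour.

```python
# Added example (not from the page or any syslogd): route messages with
# syslog.conf-style "facility.level action" rules using the facilities,
# levels and actions listed above. Assumes the classic selector rule that
# a level matches itself and every more severe level (lower number).
FACILITIES = ["kern", "user", "mail", "news", "uucp", "cron", "daemon", "auth",
              "lpr", "mark", "syslog", "authpriv"] + [f"local{i}" for i in range(8)]
# Level names as written on the page (list index == numeric severity, 0 = emerg).
LEVELS = ["emerg", "alert", "crit", "error", "warning", "notice", "info", "debug"]

def parse_rule(line):
    """Turn 'auth,authpriv.notice @loghost' into ([(facility, max_level)], action)."""
    selectors, action = line.split(None, 1)
    parsed = []
    for sel in selectors.split(";"):
        facs, lvl = sel.rsplit(".", 1)
        max_level = len(LEVELS) - 1 if lvl == "*" else LEVELS.index(lvl)
        for fac in facs.split(","):
            if fac != "*" and fac not in FACILITIES:
                raise ValueError(f"unknown facility {fac!r}")
            parsed.append((fac, max_level))
    return parsed, action.strip()

def route(config, facility, level):
    """Return, in config order, every action that fires for one message."""
    severity = LEVELS.index(level)
    fired = []
    for line in config.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selectors, action = parse_rule(line)
        for fac, max_level in selectors:
            # '*' covers every facility except mark, as noted in the list above
            fac_ok = fac == facility or (fac == "*" and facility != "mark")
            if fac_ok and severity <= max_level:
                fired.append(action)
                break  # one rule fires at most once per message
    return fired

CONFIG = """# constructed sample configuration (not a real host's syslog.conf)
*.info                  /var/log/messages
auth,authpriv.notice    @loghost
kern.crit               *
mail.*                  /var/log/maillog
"""
```

Note that a single message can fire several actions (an auth.notice message here goes both to the local file and to the remote loghost), while a mark or a user.debug message matches nothing in this configuration.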
[…] Logging tools – https://eikonal.wordpress.com/2010/04/13/logging/ […]
Pingback by Security tools « Eikonal Blog — 2010.07.28 @ 14:23
[…] Logging – https://eikonal.wordpress.com/2010/04/13/logging/ […]
Pingback by Unix pages (at this blog) « Eikonal Blog — 2011.04.04 @ 15:45