Log Analysist
Log analysis is a critical portion of IT administration. The need of regular log analysis is not often considered in the industry leading to issues or critical security breaches going undetected for a long time.
Based on the verizon report:http://www.verizonenterprise.com/resources/security/reports/rp_2009-data-breach-investigations-supplemental-report_en_xg.pdf mentions that a considerable percentage of organizations which were compromised had enough information in their logs to discover the breach if they had a systematic method for log analysis.Log analysis is a crucial portion of our service and we provide this to all our clients.
Log analysis is a crucial portion of our service and we provide this to all our clients
Our methodology to implement Log health checks is as below
- A systematic study is conducted and crucial devices and systems are identified.
- Log verbosity and detail levels are tweaked on each system that acts as a log agent
- A centralized log system is established to eliminating the need to log into each system regularly
- Basic filter and co-relation rules are built for each client
- A daily report is extracted and analyzed by analysts, need for deeper analysis will be triggered by the analyst
- Periodic tweaking of the filters and rules are conducted
- Log Retention and cleanup policy is established
OSSEC logging and analysis :
OSSEC is a security log analysis tool that stores only alerts and not all the generated logs. It implements a Log Based Intrusion Detection System and an active response system to trigger reposes based on security conditions.
OSSEC implements the following tasks :
- Log analysis
- File Integrity Checking
- Registry Integrity Checking
- Host Based Anomaly detection
- Active Repose system
- GNU/Linux (all distributions, including RHEL, Ubuntu, Slackware, Debian, etc)
- Windows 7, XP, 2000 and Vista
- Windows Server 2003 and 2008
- VMWare ESX 3.0,3.5 (including CIS checks)
- FreeBSD (all versions)
- OpenBSD (all versions)
- NetBSD (all versions)
- Solaris 2.7, 2.8, 2.9 and 10
- AIX 5.3 and 6.1
- HP-UX 10, 11, 11i
- MacOSX 10
The OSSEC logging framework is easy to install, manage and extend. The system supports hundreds of log decoders by default.The following operating systems are supported by the OSSEC agent:
The following operating systems are supported by the OSSEC agent :
Database monitoring is available for the following systems:
- MySQL (all versions)
- PostgreSQL (all versions)
- Oracle, MSSQL (to be available soon)
- Individual log formats and application support
- Unix-only
- Unix Pam
- sshd (OpenSSH)
- Solaris telnetd
- Samba
- Su
- Sudo
- Xinetd
- Adduser/deluser/etc
- Cron/Crontab
- Solaris BSM Auditing
- Dpkg (Debian package) logs
- Yum logs
- FTP servers
- Proftpd
- Pure-ftpd
- vsftpd
- wu-ftpd
- Microsoft FTP server
- Solaris ftpd
- Mac OS FTP server
- Mail servers:
- Imapd and pop3d
- Postfix
- Sendmail
- vpopmail
- Microsoft Exchange
- Courier imapd/pop3d/pop3-ssl
- vm-pop3d
- SMF-SAV (Sendmail Sender Address Validator)
- Procmail
- Mailscanner
- Web servers:
- Apache web server (access log and error log)
- IIS 5/6 web server (NSCA and W3C extended)
- Zeus web server
- Web applications:
- Horde imp
- Modsecurity
- Firewalls:
- Iptables firewall
- Shorewall (iptables-based) firewall
- Solaris ipfilter firewall
- AIX ipsec/firewall
- Netscreen firewall
- Windows firewall
- Cisco PIX/ASA/FWSM
- SonicWall firewall
- Checkpoint firewall
- NIDS:
- Cisco IOS IDS/IPS module
- Snort IDS (snort full, snort fast and snort syslog)
- Dragon NIDS
- Checkpoint Smart defense
- Security tools:
- Symantec Anti Virus
- Symantec Web Security
- Nmap
- Arpwatch
- McAfee VirusScan Enterprise (v8 and v8.5)
Others:
- Named (bind)
- Squid proxy
- Bluecoat proxy
- Cisco VPN Concentrator
- Cisco IOS routers
- Asterisk
- Vmware ESX
- Windows event logs (logins, logouts, audit information, etc)
- Windows Routing and Remote Access logs
- Generic unix authentication (adduser, logins, etc)
For further assistance, contact us at info@agniinfo.com
