In Depth

Another Look at Log Files

These long-standing logs can help you monitor your networks and employees. So before you invest in a new kind of data collection system, review your log files.

By Simson Garfinkel

Page 2

The most common "official" uses for log files include billing, utilization analysis and incident management. For example, a Web-hosting provider might have a program that processes the log files from its Web server to determine how many gigabytes each of its customers transmitted in a month so that they can be billed appropriately. If a hacker starts probing a script for vulnerabilities, those repeated probe attempts will likewise show up in the logs.

But the real use of log files, in practice, is for debugging. The overwhelming majority of log messages that I have seen were not designed to meet any set of functional requirements, but were written by a programmer who was trying to understand why his or her program wasn't working properly. As a result, log files frequently contain cryptic information that isn't documented and was designed to be interpreted by human eyes, not by automated software.

The level of detail that will show up in some log files can be astonishing, and the files frequently contain considerable volumes of personal information. Mail logs contain a detailed list of which users sent e-mail to whom, and when. Other logs reveal when e-mail was downloaded to desktops or laptops, which you can use to find out when people were actually working and when they were slacking off. Servers that hand out addresses for the Internet's Dynamic Host Configuration Protocol (DHCP) record the hardware MAC address of every Ethernet card they see. In a wireless network, DHCP servers can also record where the laptop was seen in your organization. Such information can be incredibly useful in an internal investigation, whether you are trying to recover from a break-in, trace the source of a harassing e-mail or gather information that will be used to terminate a problem employee.

On the other hand, information in log files can be wrong. One kind of error happens when the information that's recorded doesn't mean what you think it means. Tina may have stopped checking her e-mail because she wasn't getting any work done and was on a deadline, not because she was taking a three-hour lunch. Another kind of error is more insidious: Log entries can be deleted, modified, or even maliciously created in an attempt to eliminate evidence or deflect suspicion to an innocent party.

Protect Files from Malicious Attack

It's certainly true that the vast majority of log entries are absolutely honest and correct. But it's also true, as Ranum implies, that most log entries are never examined by a human being. If you are going to use a log for an investigation, you can't assume that the log is true simply because most of the other records on your computer are true and correct. If a crime really has taken place, it's quite possible that the bad guy has intentionally corrupted the logs.
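One way to make the deletion, modification or forgery described above detectable rather than invisible, as an added example that is not from the article: each entry carries an HMAC tag computed over the entry and the previous tag, so editing, removing or inserting a line breaks the chain at that point. The sample mail-log lines and the key are constructed for the demonstration; the key and the most recent tag are assumed to be stored somewhere the logging host cannot alter.

```python
import hashlib
import hmac

# Constructed sample mail/POP3 log lines of the kind the article describes
# (not taken from any real system).
SAMPLE_LINES = [
    "2003-10-07 09:12:01 mail from=tina@example.com to=bob@example.com",
    "2003-10-07 09:13:44 mail from=bob@example.com to=tina@example.com",
    "2003-10-07 12:01:09 pop3 login user=tina host=10.0.0.12",
    "2003-10-07 12:45:30 pop3 login user=tina host=10.0.0.12",
]


def _tag(key, prev, line):
    # Each tag commits to the line itself and to the previous tag, so every
    # entry implicitly authenticates everything written before it.
    return hmac.new(key, prev + b"\n" + line.encode(), hashlib.sha256).hexdigest()


def chain_log(lines, key):
    """Return a list of (line, tag) pairs forming a hash chain over the log.

    The key must live off the logging host; whoever holds it can re-chain.
    """
    prev, entries = b"genesis", []
    for line in lines:
        tag = _tag(key, prev, line)
        entries.append((line, tag))
        prev = tag.encode()
    return entries


def verify_chain(entries, key, last_tag=None):
    """Return the index of the first entry that fails verification, or None.

    Modifying, deleting or inserting an entry breaks the chain at or before
    that position. Truncating the *end* of the log cannot be seen from the
    chain alone, so pass the last tag recorded off-host as ``last_tag``.
    """
    prev = b"genesis"
    for i, (line, tag) in enumerate(entries):
        if not hmac.compare_digest(_tag(key, prev, line), tag):
            return i
        prev = tag.encode()
    if last_tag is not None:
        if not entries or not hmac.compare_digest(entries[-1][1], last_tag):
            return len(entries)
    return None
```

Real deployments hand the tag to a separate append-only collector as each line is written, so an intruder who gains root on the logging host still cannot produce a chain that verifies.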
