Event log management made easy

When it comes to log management, most administrators follow the traditional route of generating all possible events that might need to be captured, then choosing which events should create actionable alerts. The centralized log management system then picks up, centralizes, and correlates these entries. The result is information overload, much akin to the log entries generated by the average firewall (you all know how much I love firewalls).

No one reads their firewall logs because they’re full of information that doesn’t need to be acted upon. Mostly, the logs record legitimate traffic erroneously reaching the firewall, such as network broadcasts or harmless exploratory packets. Alternatively, they track blocked port probe packets that take too much energy to research. But if you never check your logs or make actionable events from them, why collect them in the first place?

[ There’s gold in your log files, and Roger A. Grimes will help you find it. | InfoWorld’s Log Analysis Deep Dive PDF special report shows how effective collection and analysis of log files can help you improve security, troubleshooting, compliance, and systems management. | Stay up to date on the latest security developments with InfoWorld’s Security Central newsletter. ]

The way to make an event log management system that others will be jealous of is to collect only events that generate actionable responses. If you or your response team won’t immediately respond to an event log entry, then don’t generate it. The result: no noise, no false positives.

The key is in defining all the events that you know, for sure, are anomalous. Instead of trying to decide on what is actionable among all the noise, turn the model on its head and generate the opposite. Here some examples:

• If your Administrator account is renamed, alert on any attempted log-ons as Administrator.
• If server A should never connect to Server B, alert when they connect to each other.
• If normal network traffic between point A and point B is 1GB per day, but it unexpectedly jumps to 100GB, research it.
• If your company never sends files to China, then suddenly hundreds of gigabits of data head there, check that out.
• If you run RDP on a nondefault port (say, port 63389 instead of 3389), alert when someone connects on 3389.
• If employees in factory location A never do work at night, alert when a user logs on at midnight.
• If you have no members in your Domain Admins group and someone adds him- or herself, check that out immediately.

The idea is to define what you absolutely know is anomalous, then create an event log management system that looks only for those events. You don’t have to be all-inclusive or perfect. Start off by defining the items you know are bad and would never happen in your environment. Don’t pick up every event log entry that could be generated. Instead, generate only what’s actionable, and restrict your collection and reaction to those less numerous events. We go for the low-hanging fruit in almost every other IT project. Why not with event log management?

You might think the events you know are likely to be bad would generate too many false positives. If that’s true, then you’re defining the wrong events. My advice is to define only the stuff that you know is 100 percent malicious.

Don’t get me wrong. You might not always catch an uber-hacker. You might ensnare the SQL admin exploring SQL servers they weren’t authorized to visit or an end-user who thinks they’re an admin trying to use RDP to one of the servers. Those aren’t false-positive events.

But if you catch a few people doing things they shouldn’t, pretty soon word starts going around about your killer antihacker monitoring system. You’ll end up impressing employees, yourself, and management. You can’t and won’t do that with a traditional log management approach.

This story, “Event log management made easy,” was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes’ Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.