Knowing What To Log

The volume of logs we are tasked with managing is almost impossible to quantify, even for the smallest of organizations. That is why it is extremely important that DevSecOps teams spend the necessary time building a framework that focuses on the type of data to log. Knowing the type of data to log will help you build a technology-agnostic logging strategy and program.

Here is a list of events we recommend monitoring closely:

Event Category | Explanation
Authentication successes and failures | Record of when someone logged in, or of a user trying to log in multiple times and failing.
Access control successes and failures | Record of when someone successfully used one of your access controls (e.g., ssh, ftp, sftp, wp-admin, telnet).
Session activity, such as files and applications used, particularly system utilities | Knowing which applications were being used helps you understand the user's activity.
Changes in user privileges | You always want to know if someone goes from a standard user to an administrator, or to any other role.
Processes starting or stopping | Processes should not stop unless told to stop. Something stopping is indicative of a problem, unless it was done during a maintenance window.
Configuration changes | Similar to processes, configurations should not change on their own. Recording these changes will prove invaluable post-incident.
Software installed / uninstalled | Once a system is configured, short of updates for patches, etc., it should not have a lot of movement in terms of applications being installed and removed. Always log these activities; they help you understand what was going on.
Devices attached / detached | This is going to be highly dependent on the type of environment you're working with, but knowing if devices are attached can prove invaluable (especially with insider threats).
System or application errors and alerts | Errors are a great way to understand what was going on. You learn as much from failures, if not more, as from successes.
Alerts from security controls | If you have security controls deployed (e.g., HIDS, IDS, IPS), you want to record what they report when issues are identified.

While some of the event categories are broad, they are meant to be encompassing and agnostic to the network, system or application you are using. Every network, system, or application has its own approach to logging. Using the categories above will help you group the logs in a way that helps you make sense of what to toss and what to keep. While we agree that logging is important, we also believe logging should be pragmatic and practical. This means taking the time to create a strategy that helps you make sense of the noise.
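One way to turn the categories above into something concrete is a small classifier that maps raw syslog lines onto them and reports what falls outside the strategy. The example below is added here and is not code from the original post or from any product; the log lines are constructed for the example, the category names, regexes and the failed-login threshold are assumptions, and two rows of the table (access control successes/failures and configuration changes) get no rule only because the constructed sample contains no such lines. It also adds one check the authentication row calls for, counting repeated failures per source address.

```python
import re
from collections import Counter

# Constructed sample syslog-style lines (made up for this example, not real data).
SAMPLE_LOGS = [
    "Mar  3 10:01:12 web1 sshd[2210]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
    "Mar  3 10:01:40 web1 sshd[2231]: Failed password for invalid user admin from 203.0.113.9 port 40022 ssh2",
    "Mar  3 10:01:41 web1 sshd[2233]: Failed password for invalid user admin from 203.0.113.9 port 40024 ssh2",
    "Mar  3 10:01:42 web1 sshd[2235]: Failed password for root from 203.0.113.9 port 40026 ssh2",
    "Mar  3 10:02:05 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vi /etc/ssh/sshd_config",
    "Mar  3 10:02:30 web1 usermod[2300]: add 'bob' to group 'sudo'",
    "Mar  3 10:03:00 web1 systemd[1]: Stopped OpenBSD Secure Shell server.",
    "Mar  3 10:03:20 web1 dpkg[2350]: status installed netcat-openbsd:amd64 1.218-4",
    "Mar  3 10:04:00 web1 kernel: [12345.678] usb 1-1: new high-speed USB device number 4 using xhci_hcd",
    "Mar  3 10:04:30 web1 nginx[1200]: [error] 1200#1200: *55 upstream timed out",
    "Mar  3 10:05:00 web1 ossec: Alert level 10: Integrity checksum changed for '/etc/passwd'",
    "Mar  3 10:05:10 web1 CRON[2400]: (root) CMD (run-parts /etc/cron.hourly)",
]

# Event categories from the table, each with an (assumed) regex that recognizes
# it in a syslog line. Order matters: the first matching rule wins, so the
# specific security-control rule sits ahead of the generic error rule.
RULES = [
    ("authentication", re.compile(r"sshd\[\d+\]: (Accepted|Failed) ")),
    ("privilege_change", re.compile(r"usermod\[\d+\]: add '.+' to group")),
    ("session_activity", re.compile(r"sudo: .* COMMAND=")),
    ("process_state", re.compile(r"systemd\[1\]: (Started|Stopped) ")),
    ("software_change", re.compile(r"dpkg\[\d+\]: status (installed|not-installed) ")),
    ("device_change", re.compile(r"kernel: .*usb .* (new .* device|USB disconnect)")),
    ("security_alert", re.compile(r"ossec: Alert level \d+")),
    ("app_error", re.compile(r"\[error\]|\berror\b", re.IGNORECASE)),
]

# Extracts the source address of a failed password attempt.
FAILED_LOGIN = re.compile(r"Failed password for .* from (\d+\.\d+\.\d+\.\d+) port")


def classify(line: str) -> str:
    """Return the event category for one log line, or 'uncategorized'."""
    for category, pattern in RULES:
        if pattern.search(line):
            return category
    return "uncategorized"


def summarize(lines) -> Counter:
    """Count lines per category; the 'uncategorized' bucket is what the strategy does not yet cover."""
    return Counter(classify(line) for line in lines)


def failed_login_sources(lines, threshold: int = 3) -> dict:
    """Source addresses with at least `threshold` failed logins (the repeated-failure case)."""
    counts = Counter()
    for line in lines:
        match = FAILED_LOGIN.search(line)
        if match:
            counts[match.group(1)] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for category, n in sorted(summarize(SAMPLE_LOGS).items()):
        print(f"{category:18s} {n}")
    print("repeated failed logins:", failed_login_sources(SAMPLE_LOGS))
```

Run against the sample, the summary shows four authentication events, one of each other category, and one uncategorized cron line; the cron line is the useful part, since the size of that bucket on real data tells you which event categories your rules still miss. The threshold of 3 is arbitrary for the example and would be tuned per environment.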

Posted in log-tutorial, log-management by Daniel Cid (@dcid)