SANS Essential Log Reports - Help Needed

Thursday, July 15, 2010

Anton Chuvakin


Some of you remember the project started at SANS Log Management Summit 2006 called “SANS Top 5 Essential Log Reports.” You can still grab the old document here [PDF].

Recently, I volunteered to create a 2010 version of SANS Top 5 Log Reports. With help from others [to be credited when the project is complete, but definitely with help from somebody named MJR :-)] and some research into past efforts, I have identified the report types and specific examples below as candidates for a new Top 7 Essential Log Reports list – and now I need your help!

Initially, I wanted people to vote for 5 out of the 7 candidates, but let’s do it differently: just comment on the list below (blog comments, your own blogs – please post a link here, email, twitter, etc) or suggest your own most useful, most popular log reports or even report categories.

There is no reason why we can’t have Top 7 or Top N>7 useful log reports :-)

NEW PROPOSED Top 7 Essential Log Reports

Top Log Report Candidate

1. Authentication and Authorization Reports

  • a. Login Failures and Successes
  • b. Attempts to gain unauthorized access through existing accounts
  • c. Privileged account access (success, failure)
  • d. VPN Authentication and other remote access (success, failure)
  • e. Please add more reports you find useful!

2. Change Reports

  • a. Addition/Changes/Deletions to Users, Groups and Services
  • b. Change to configurations
  • c. Application installs and Updates
  • d. Please add more reports you find useful!

3. Network Activity Reports [used to be called “Suspicious or Unauthorized Network Traffic Patterns” in the old Top 5 list]

  • a. Top Internal Systems Connecting Through Firewall // Summary of Outbound Connections
  • b. Network Services Transiting A Firewall
  • c. Top Largest File Transfers Through the Firewall
  • d. Internal Systems Using Many Different Protocols/Ports
  • e. Top Internal Systems With NIDS Alerts
  • f. Proxy Report on File Uploads
  • g. Please add more reports you find useful!

4. Resource Access Reports

  • a. File
    i. Failed File or Resource Access Attempts
  • b. Database
    i. Top Database Users
    ii. Summary of Query Types
    iii. SELECT Data Volume
    iv. All Users Executing INSERT/DELETE Commands
    v. Database Backups
  • c. Email
    i. Top Internal Email Addresses by Volume of Messages
    ii. Top Attachment Types with Sizes
    iii. Top Internal Systems Sending Spam // Top Internal Systems Sending Email NOT Through Mail Server
  • d. Please add more reports you find useful!

5. Malware Activity Reports

  • a. Top systems with anti-malware events
  • b. Detect-only events from anti-malware tools (“leave-alones”)
  • c. Anti-virus protection failures by type
  • d. Internal malware connections (all sources)
  • e. Please add more reports you find useful!

6. “Various FAIL”

  • a. Critical Errors
  • b. Backup failures
  • c. Capacity / Limit Exhaustion
  • d. System and Application Starts, Shutdowns and Restarts
  • e. Please add more reports you find useful!

7. Analytic Reports [Mostly Using “Never Before Seen” (NBS) aka “NEW Type/Object” Analysis]

  • a. NEW (NBS) IDS/IPS Alert Types
  • b. NEW (NBS) Log Entry Types
  • c. NEW (NBS) Users Authentication Success
  • d. NEW (NBS) Internal Systems Connecting Through Firewall
  • e. NEW (NBS) Ports Accessed
  • f. NEW (NBS) HTTP Request Types
  • g. NEW (NBS) Query Types on Database
  • h. Please add more NBS or other analytic reports you find useful!
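Reports 1a–1c (login failures and successes, attempts through existing accounts, privileged account access) and report 7c (never-before-seen successful user authentications) can all be produced from the same parsed authentication events. The Python script below is an added example, not code from the original post or from SANS: it parses a few constructed sshd log lines (hostnames, users and addresses are invented), builds the authentication counts, and then runs the NBS comparison against an assumed baseline of (user, source) pairs that were seen in earlier reporting periods.

```python
import re
from collections import Counter

# Constructed sshd/syslog lines (not from the page); users, hosts and addresses
# are illustrative only. The final cron line is there to show non-auth noise
# being skipped.
SAMPLE_LOG = """\
Jul 15 08:01:02 host1 sshd[2101]: Accepted password for alice from 10.0.0.5 port 50122 ssh2
Jul 15 08:01:09 host1 sshd[2102]: Failed password for bob from 10.0.0.7 port 50130 ssh2
Jul 15 08:01:11 host1 sshd[2102]: Failed password for bob from 10.0.0.7 port 50130 ssh2
Jul 15 08:01:14 host1 sshd[2102]: Failed password for bob from 10.0.0.7 port 50130 ssh2
Jul 15 08:02:30 host1 sshd[2110]: Failed password for invalid user admin from 203.0.113.9 port 4410 ssh2
Jul 15 08:02:31 host1 sshd[2110]: Failed password for invalid user admin from 203.0.113.9 port 4410 ssh2
Jul 15 08:05:00 host1 sshd[2120]: Accepted publickey for root from 10.0.0.5 port 50140 ssh2
Jul 15 08:07:45 host1 sshd[2125]: Accepted password for bob from 198.51.100.20 port 6001 ssh2
Jul 15 08:09:00 host1 cron[999]: (root) CMD (run-parts /etc/cron.hourly)
"""

AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Accepted|Failed) (?P<method>\w+) for "
    r"(?:(?P<invalid>invalid user) )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Assumed set of account names treated as privileged for report 1c.
PRIVILEGED = {"root", "admin"}


def parse_auth_line(line):
    """Return a dict for an sshd authentication event, or None for other lines."""
    m = AUTH_RE.search(line)
    if not m:
        return None
    return {
        "success": m.group("outcome") == "Accepted",
        "method": m.group("method"),
        "user": m.group("user"),
        "src": m.group("src"),
        # "invalid user" means the account does not exist on the host; a failure
        # against an existing account is what report 1b is interested in.
        "known_user": m.group("invalid") is None,
    }


def parse_auth_log(text):
    return [e for e in (parse_auth_line(l) for l in text.splitlines()) if e]


def auth_report(events):
    """Reports 1a-1c: failures/successes by user and source, and privileged access."""
    report = {
        "failures_by_user": Counter(),
        "failures_by_src": Counter(),
        "successes_by_user": Counter(),
        "existing_account_failures": Counter(),   # report 1b
        "invalid_user_attempts": Counter(),
        "privileged": [],                         # report 1c: (user, src, outcome)
    }
    for e in events:
        if e["success"]:
            report["successes_by_user"][e["user"]] += 1
        else:
            report["failures_by_user"][e["user"]] += 1
            report["failures_by_src"][e["src"]] += 1
            if e["known_user"]:
                report["existing_account_failures"][e["user"]] += 1
            else:
                report["invalid_user_attempts"][e["src"]] += 1
        if e["user"] in PRIVILEGED:
            outcome = "success" if e["success"] else "failure"
            report["privileged"].append((e["user"], e["src"], outcome))
    return report


def never_before_seen(events, baseline):
    """Report 7c: (user, src) pairs with a successful login not in the baseline.

    `baseline` is the set of pairs seen in previous periods; each new pair is
    reported once and then treated as seen for the rest of this run.
    """
    seen = set(baseline)
    new = []
    for e in events:
        key = (e["user"], e["src"])
        if e["success"] and key not in seen:
            new.append(key)
            seen.add(key)
    return new


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    rep = auth_report(evs)
    print("Failures by user:", rep["failures_by_user"].most_common())
    print("Failures by source:", rep["failures_by_src"].most_common())
    print("Privileged account access:", rep["privileged"])
    # Assumed baseline: pairs already seen in earlier reporting periods.
    baseline = {("alice", "10.0.0.5"), ("root", "10.0.0.5")}
    print("Never-before-seen successful logins:", never_before_seen(evs, baseline))
```

In practice the baseline for the NBS report is persisted between runs (a table of pairs with first-seen timestamps), so that the report lists only what is genuinely new rather than everything seen today.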

So, please help this project by commenting via whatever means!!!

BTW, I think I perused all the previous efforts to distill log reports (such as this one), but feel free to point me to such things as well.

Finally, if you are a SIEM or log management vendor, please consider supporting the resulting reports in your products – after they are finalized by the community and released by SANS. 

Cross-posted from Security Warrior

vinoth sivasubramanian Greetings, In today's world 99 percent of the data centers are monitored by CCTV cameras and biometric access controls are used to deter malicious activity, these logs are very much useful in the case of a malicious activity by an insider, Hence I will very much recommend CCTV logs and biometric access logs in the network activity reports.
vinoth sivasubramanian Resource Access Reports: I will also prefer the following under access reports
1. Internet Usage logs of each individual.
2. Mobile user logs; people who work from home -- under network activity.
3. UPS failure logs -- under various fail.
4. Environmental management logs - under various fail.
5. False positives logs -- under malware events.
Mister Reiner Doesn't anyone ever stop and think how insane it is to expect everyone to be able to stay on top of all of these logs? Once you take into consideration that some hackers can avoid generating alarms - and that many people don't have the tools or skills necessary to detect sophisticated hackers, any expectation of detection is just totally unrealistic.

I wish more people would realize that we are approaching the hacking problem in the wrong way. All of these bolt-on security and monitoring systems we're using isn't getting us any closer to making computing secure - it's just making things more complicated and unmanageable.
Walt Johnson Mister Reiner makes a good point but when audit time comes you better be able to show that you are on top of it. To add to the pain if you have wireless in your environment you should also include WIDS and WIPS.
Anton Chuvakin @Mister Reiner

So, prevention fails and detection is unrealistic. What do you suggest? Just prepare for incident response? This would be useful advice, but trying to detect badness and also record activities for incident response is what logs are all about.
Mister Reiner @Anton Chuvakin

I'm not saying not to log. Given today's computing technology and security paradigms, it's mandatory.

What I would like people to do, is take a step back, look at the big picture and ask themselves why we continue putting up with all of this logging nonsense. Yes, it is required for incident response, but I'm talking about looking beyond incident response.

In my opinion, we'll continue chasing our tails trying to make computing secure until all the hardware, operating systems and applications we use are re-engineered from the ground up to be inherently secure.

Read these two blog posts and let me know what you think...
Anton Chuvakin Thanks for the pointers - heading there right now to read them.