Event Logging – Why you should be logging your events
First off, this article isn’t meant to be the be all and end all of event logging, instead this article is designed to give you a basic understanding of the subject and get you to think of how these would work for your business and hopefully get you into a place where you can further protect your business and information, as well as help during any incidents that hopefully you will never have to endure.
Now, with the boring bit over and done with, lets discuss what logging is? Logging can come in many different forms and depending upon the device, may be handled and viewed differently which doesn’t make the life of security or IT teams easy. However, there are ways and means around this which we’ll discuss later.
Logging is a way for a device, such as a computer, firewall or router to save any event records within the device to a file for further analysis later. Purely by the act of recording these system level events to a file allows you to record a log of data.
Depending upon the device or Operating System you are on, these log files may be kept for a long period of time or overwritten once the file gets to a certain size. This helps with disk space. The last thing you want to do is run out of space due to gigabytes of log files.
Now, as discussed, logging can be stored or accessed in several ways, for Microsoft Windows, logging is primarily through their Windows Event Viewer application. For MacOS or Unix based machines you can access your logs in the /var/log directors or view them from Journalctl.
Devices, such as firewalls, switches, routers and such, all normally log their information internally, however, the majority do have the capability to log the data to another device or storage area, this is usually through something called Syslog. Syslog is a standardized way that machines can all write their events to another local for future review and analysis.
So now we know a bit about what logging is, why should you be using it? By logging and analysing events, it can help you build a trend of what normality looks like in your environment, then if something does go wrong you can investigate the problem easier when you know what the previous events should look like. Normally if you have a trend history of log events when something goes wrong its easier to pick out when it started happening and what is happening.
Troubleshooting is also a key area where logs play an important part, if you are not logging the events then trying to understand what is going on is going to become a nightmare. Now how do you know what to log? Well, that’s one of those questions and will depend upon the device, service and applications that you are using, but generally logging more is better in some circumstances.
Compliance and various regulations will state that you need to log events, such as who has logged onto systems, when did they log off, what invalid logins were there, and the list goes on.
Business analytics and analysis can also benefit from the logging of events, it allows you to see whether your devices are being strained for resources, it helps manage SLAs and can see if there are any performance impacts.
As you can see as soon as you start thinking about it, logs play an important part in all areas of business, and although you may not have thought about it, it already happens in the background. You just need to know where to look, what to log and when to read and understand the events.
Most importantly you need to understand and know what you are looking at and make sure you aren’t just logging everything for the sake of it. The worst thing you could do it log every record and action as not only would you fill up your space quickly, but there will be way too much data for you to properly analyse.
Now you know why you should be logging events, what happens if you don’t log events and review them occasionally? The main points of not logging are what we’ve basically already discussed.
However, if you don’t log and more importantly review your logs frequently, either manually or automatically, you may be failing to miss important events, such as people trying to log into systems via brute force attempts. Systems which are starting to fail, such as hard drives or memory issues may not be pickup on quick enough before they fail completely.
Incident management will be much harder if you don’t have any logs as you won’t be able to prove any actions or know when the incident started. Lastly, you may be invaliding any compliance you need to adhere to with regards to any laws.
So now that we know that we need to log events, that event logging is important and can help your business in several ways, how to you view and analyse the logs?
For Microsoft Windows, this is all based within their Event Viewer console application, you can simply click on the Start button, then type Event Viewer and this will open up the application. From here, you can look at the Windows Logs folder and there you will have three main areas, Application, Security and System. Depending upon the type of event being logged, depends on where it will be stored.
Now I’ll warn you now, if you’ve never looked at the Windows Event log, it is awfully noisy, and depending upon your requirements, may get even more noisier, if you start logging auditing events for logins and such.
For MacOS and Linux Operating Systems, there are several ways to do this and review, your logs, but the easiest is probably having a look in the /var/log directory, this directory will have lots of readable files in there which is logging for the specific service or application.
Now reading logs locally on a machine is ok when you are a small business or want to view your own logs, but when you start looking at 5 or more machines, this quickly becomes unworkable, and you need to start looking at centralised logging. There are several ways to do this.
For Microsoft Windows you can look at using an addon service application called Sysmon, this is form Microsoft and allows you to configure your logging and forward the logs to another location. For Other devices, you can use Syslog to forward the events to another location as well.
When you are looking at centralised logging, there are several parts you’ll need to look at, mainly storage, visibility and readability. For example, dashboards for easy identification of issues.
Here in the UK, the NCSC has released a project called Logging Made Easy (LME), its designed for small businesses and uses all open source software and licensing so it wont cost anything, other than the hardware. Another solution is to use products such as Loggly, DataDog, Solarwinds, Graylog and the list goes on.
And that’s it, I hope this has made some sense and gets you thinking about what you are currently logging now, are you logging? If not, are you going to start?