
Which logs are important when finding intruders?

Hi!

If there were an intruder, due to a virus, a network attack or anything else, which logs would be important to forward to the Syslog Server so we can see what they have done? For example, if they tried to install a program, open a network port, disable the firewall, etc.

Thanks in advance!

  • That's a very broad question with no easy answer. Usually security detection devices and software systems will correlate different logs from different sources to find potential threats, but there's not really an exact science, one-size-fits-all solution or answer.

    For example, logging failed login attempts to a server or domain user account or any other device that logs authorization messages doesn't really tell you much. Some people only log the failed attempts, but that won't tell you if an attacker actually succeeds in logging in. So you have to do two things... First, you need to have a time-frame context for the failed login attempts and you have to cache them so that you also begin looking for successful login attempts to the same device/account. That would throw up a red flag if Suzy from Accounting was trying to log in at 3am, failed 4 or 5 times and then succeeded, but if it happened at 2pm, you'd have to ask Suzy if she forgot her password.

    It's the same kind of thing with any other log. Browsing the internet and downloading software may be malicious, or may be a normal course of business for one department or another.

    Kiwi out of the box isn't a security detection solution. Forensically, if you're logging everything and you know what you're looking for, you can find things after the fact, but if you don't even know where to start, this is not the solution you are looking for with regard to intrusion detection. It's an amazingly versatile and powerful log collector that has the potential to be configured for more, but I wouldn't use it as my sole intrusion detection solution. Solarwinds has much better offerings for log correlation.

    To answer your question though, what to log to see what they have done? Everything. Default logging on your ASA or other firewall device may not be enough, for example. Configuration changes weren't logged right out of the box when I got my first 5510, so I could tell when admins were logging in, but not what they were changing without adjusting the logging options.
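The failed-then-successful login correlation the reply above describes (cache the failures per account, look for a success on the same device/account inside a time window, and weigh the time of day), as an added example in Python that is not part of the original thread. The log line layout, the account names, the 3-failure threshold, the 10-minute window and the 08:00 to 18:00 business hours are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample lines in a simple syslog-like layout (not from the thread);
# the field layout "login <outcome> user=<name> src=<ip>" is an assumption.
SAMPLE_LOG = """\
2024-03-04 03:01:10 srv01 login failed user=suzy src=10.0.0.7
2024-03-04 03:01:25 srv01 login failed user=suzy src=10.0.0.7
2024-03-04 03:01:41 srv01 login failed user=suzy src=10.0.0.7
2024-03-04 03:02:02 srv01 login failed user=suzy src=10.0.0.7
2024-03-04 03:02:30 srv01 login success user=suzy src=10.0.0.7
2024-03-04 14:10:05 srv01 login failed user=bob src=10.0.0.9
2024-03-04 14:10:20 srv01 login failed user=bob src=10.0.0.9
2024-03-04 14:10:37 srv01 login failed user=bob src=10.0.0.9
2024-03-04 14:10:51 srv01 login success user=bob src=10.0.0.9
2024-03-04 15:00:00 srv01 login failed user=carol src=10.0.0.3
"""

def parse(line):
    """Turn one line into (timestamp, host, user, succeeded)."""
    f = line.split()
    ts = datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S")
    user = f[5].split("=", 1)[1]
    return ts, f[2], user, f[4] == "success"

def correlate(lines, min_failures=3, window=timedelta(minutes=10),
              business_hours=(8, 18)):
    """Flag a success on (host, user) preceded by >= min_failures failures
    inside `window`; a success outside business hours is rated higher.
    Failures that never lead to a success raise nothing on their own."""
    recent = {}   # (host, user) -> failure timestamps still inside the window
    alerts = []
    for line in lines:
        ts, host, user, ok = parse(line)
        key = (host, user)
        fails = [t for t in recent.get(key, []) if ts - t <= window]
        if not ok:
            fails.append(ts)          # cache the failure for later correlation
            recent[key] = fails
            continue
        if len(fails) >= min_failures:
            off_hours = not (business_hours[0] <= ts.hour < business_hours[1])
            alerts.append({"host": host, "user": user, "failures": len(fails),
                           "at": ts.isoformat(),
                           "severity": "high" if off_hours else "review"})
        recent[key] = []              # a success closes the failure run
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(alert)
```

With the sample lines, Suzy's 3am success after four failures is rated "high" and Bob's 2pm success after three failures is rated "review", while Carol's lone failure produces nothing.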