Threat Level: green Handler on Duty: Kevin Liston

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Cyber Security Awareness Tip #12: Managing and Understanding Logs on the Desktop or Laptop (AV, Firewall, or System Logs)

Published: 2007-10-12
Last Updated: 2007-10-13 03:20:56 UTC
by Jim Clausing (Version: 3)
0 comment(s)

Today is day 12 of Cyber Awareness month. Today's topic is managing and understanding logs on the laptop or desktop.  I'm working on a few thoughts of my own and I'll add them to this story later in the day, but I figured I'd post this early in the shift to solicit thoughts from our readers.  Use the contact form to let us know your thoughts.  Which logs are on the laptops and desktops in your organization and how do you use them?

Update 1:  There are some really good tips coming in and I'll start adding them to the story shortly, but I also had a request from Robert asking for recommendations on the best tools for reading firewall logs, I'll expand that a bit to ask for recommendations on tools to read any of the logs in question.

Update 2:  A big thank you to all the readers that wrote in today (see the bottom of this post). 

The tips

  1. Know your logs - the most important point is you need to know what logs you have, where they are located, and what data the may contain.
  2. Know your system - your logs are most useful (especially in case of an incident) if you know what normal is for your systems.
  3. Know what you don't know - don't be afraid to ask for assistance if you don't understand your logs.

From our readers (note, the following does not constitute endorsement of any particular commercial product by SANS or the Internet Storm Center):

"On my desktop(s)at home, I have logs from Avast, Comodo firewall and Hijack This and while I understand and react to the Avast and Comodo logs, I get my HJT logs analyzed by people on a computer forum who can spot any anomalies very quickly and can help me resolve them.

 
I guess my tip is: Ask for help. Not only in learning and using the logs but getting them analyzed. So many people are afraid that the logs will go over their head that they don;t use them when there is a problem and thus cause only more frustration for themselves.

They also refuse to ask for help, either through embarrassment or not knowing where to go which again causes delays in fixing the problem. People should ask for help and find place either through Google etc or people they know of where they can get their logs analyzed."

 

 

"In the past where unapproved portable storage (USB disk etc) use has been an issue I have looked at the following:

1> Event Logs - System Event Log ID's - Event ID 134 and 135 show device start and stop. Gives a good window of usage.

2>Event Logs II - System Log also shows Disk&Ven Refererence which can be Googled to sometimes match to a Vendor or Brand. Think was the device issued by the company or brought in?

3>Registry - Windows Registry will show what the device was mounted as (eg E:) with a match to the reference in the System Event Log.

4>Registry II - Stream MRU from Registry will also show the drive letter and any files that were custom sorted on the device. Should those files have been on the device?

5>Lnk Files - Finally if the data that was copied to the device was opened from the device there will be a Lnk file associated that will match the drive letter assigned to the device with usually some reference data back to the device description from the event log.

All in all a neat way to show USB disk usage without any third party software."

 

"You asked for recommendations on firewall log filters, besides the obvious in manually parsing Syslog files for real analysis we use Adventnet's Firewall Analyzer. It's one of the best tools we have implemented for traffic visibility. They also do an Event Viewer but I haven't used it.  While it's not technically an event log viewer we use Hyperic for network device/server monitoring and the latest version will read and display server event logs (sorted into tabs by severity) on the same timeline as it's resource monitors. It's very handy to be able to quickly see the Events just for the time segment that Hyperic reports a system problem on the target."

 

"A tool we use to capure events on our user's firewall logs is Snare- a free utility which sends the Application, Security, and System logs from Windows to a centralized syslog server. This syslog server has rules written on it to alert for suspicious behavior- such as a bunch of desktops suddenlyblocking an IRC port."

 

"For reading logs on desktops, I use a (free) utility from Microsoft called EventCombMT (http://support.microsoft.com/kb/824209).  It can scan the event logs of network attached Windows machines.  I use it regularly to scan for disk errors that are showing up in event logs."

 

"I don't spend all of my time digging into Windows Event Logs, but when I have to, I want to get it over with quickly.  The GPOs from AD where I work have the logs store almost anything they can store.  For servers, these get backed up daily (or weekly depending on volume).  Less popular servers get dumped
to .csv while busy systems get dumped to .evt.  These are copied to a storage server.

In any of those formats, I use Microsoft's own LogParser (http://www.microsoft.com/technet/scriptcenter/tools/logparser/default.mspx).  Query a variety of file and system types with SQL-like commands?  Oh, snap!  I'm on that!

I even created a perl script that uses LogParser that I can let run overnight to answer questions like: "when did this person log on to the network for the past three months".  The script crawls the archived logs, uncompresses them, digs for answers, deletes the uncompressed data, and goes to the next file.

LogParser can query live Event Logs, too.

I have used it to query Event Logs directly, .evt archived Event Logs, generic CSV files, and occasionally web server logs."

 

"I mostly use the exchange logs along with the isa logs.  Between those two I can keep 85-90% of the crap off my network.

I look for connections to the exchange that are exceedingly long and then I use the isa to squash them.

Then I use the isa logs to see if a user is trying to connect to an external network that either they shouldn't or their virus shouldn't.

I have built an absolute deny in the isa that has most of the bots and zombies in it but there are always new ones."

 

"I use SFR for firewall log analysis. It's a commercial software product. Website is at www.stonylakesolutions.com

For a text editor running on a MS Windows platform, I highly recommend Textpad". It's shareware and very worth the price! Great for searching for a literal string or regex through multiple files at a time!"

 

"Regarding tools used to read logs, I like to use simple AWK scripts that colorize the logs. It is easy to create one (from a template) for new logs andit adds that additional dimension required for log analysis.

[...script skipped for space...]

It basically searches the second field for the type of message and colorizes the line. Warnings, errors, and exceptions "pop out" at your while tailing the log. Informational and debug message stay in the background."

 

Thanx again to Jeremiah, Robert, Jeff, Brian, Kirk, Jason, Jerry, Derek, Perry, Peter, and Boris

Keywords:
0 comment(s)
Diary Archives