- Tracks historic patterns of behaviors
- Identification of compromised targets
- Provides a trace of attack activity
- Provides a log of malicious activity even if server is “cleaned up”
- Provides evidence that is not captured at the Server or Application level
Types of Logs
- Server Logs
  - Windows, Unix, Linux, Macintosh, etc.
- Application Logs
  - Active Directory, Novell, IIS, Oracle, etc.
- Appliance Logs
  - Firewall, Router, Switch, etc.
- Infrastructure Logs
  - DNS, DHCP, LDAP, Proxy, Router, Switch, etc.
- External Logs
  - Upstream ISP, Upstream DNS, etc.
Method of Obtaining Logs
- System Administrator
- Network Administrator
- Information Assurance Personnel
- Upstream Provider
Log Sizes and Durations
- Size – Up to 5+ GB of text per day
  - Sample (1 day at USSS)
    - DNS Logs – 4 x 800 MB per day
    - Firewall Logs – 6 x 100 MB per day
    - Internet Logs – 600 MB per day (URL only)
    - Intranet Access Logs – 200 KB per day
    - Switch Logs – 50 KB per day
- Duration –
  - Sample
    - Switch Logs – On device – Currently hot
    - Mail Logs – 5 years
    - Squid Logs – 7 years
Types of Log Servers
- Pros and cons to having a dedicated server
- Two general approaches:
  - Push
  - Pull
- Unix based (syslog)
- Windows based (Event Viewer)