Background & Standards

• Logging and Audit Overview
• Specifications and Standards
• Archiving Secure Audit Files
• Programming syslog

Logging Infrastructure

• Centralized Logging
• syslog Replacements (UNIX)
• syslog Servers (non-UNIX)
• UNIX & related (routers, FWs) to syslog
• Windows to syslog
• Logfile Rotation Tools

Data Analysis

• Log Parsers (App Specific)
• Log Parsers (Generic)
• Regular Expressions
• Data Correlation
• Sample Log Files
• Intrusion Signatures
• Message Dictionaries
• Messages that Made Us Laugh

Resources

• Mailing Lists
• Research

Centralized Logging

• Complete Reference Guide to Creating a Remote Log Server
• Configuring and using syslogd to collect logging messages on systems running Solaris 2.x
• Centralized Logging using Logsentry in a Large UNIX Environment - Saleem Kazmi paper for SANS GIAC certification
• Practical Implementations of syslog in Mixed Windows Environments for Secure Centralized Audit Logging - from the SANS reading room
• Documentation of a central syslog-based audit infrastructure
• evlog: Linux Event Logging for Enterprise-Class Systems. Extends and enhances the logging and filtering capability of Linux syslog and klog.
• FCheck: File system integrity checker
• Filewatch
• iplogger-ident: A program that creates TCP network connection logs, as well as ICMP, in syslog. If the ident service is available, this utility will also record the name of the user requesting the connection.
• Logging syslog to a Database: A high level overview of options to record syslog output in a UNIX database. Includes brief discussion of syslog alternatives and their support for open source databases.
• Modular Intrusion Detection and Countermeasure Environment (M-ICE): a framework for creating, collecting and reacting to data from significant events throughout a network, written by Thomas Biege
• Network Time Protocol and Internet Time Server
• Logging enhancement utilities from Rob Thomas : Look especially for nocando (a denial shell with enhanced logging capabilities), an su replacement, and fw-alert.
• Optimizing syslog server performance:syslog implementation, but the ideas can be applied to most log servers with a little bit of creativity.
• samhain: a file system integrity checker and host-based intrusion detection system. In addition to tracking and remembering changes in critical system files, similar to tripwire, samhain can detect unauthorized SUID root binaries on a UNIX box, and on Linux and FreeBSD systems will detect a variety of rootkits.
• SentryTools: a collection of host-based programs that improve an operating system’s ability to record potentially-malicious activity. Originally written by Craig Rowland, who at the time worked at Psionic.
• SNMP-to-syslog translator
• syslog Analysis by Harry Hoffman: an excellent article on using syslog-ng for building a logging infrastructure at University of Auckland.
• Snort
• tripwire: the pre-eminent file system integrity monitor. Available in freeware and commercial implementations.