[logs] SIM solution - Objectives ?
Tina Bird
tbird at precision-guesswork.com
Fri May 25 11:47:56 PDT 2007
> Does anyone have a list of items [standalone or correlated] which
> merit being monitored and alerted on, on these devices?
>
> What I think I need is a qualified list of events of interest on
> these platforms: events which are not declared by the event-source
> vendor but which, from experience, merit attention by us.
I have been compiling lists of significant events -- or trying to, anyhow --
for the last five years. My firewalls doc is probably the most complete of
them:
http://www.loganalysis.org/sections/parsing/application-specific/firewall-logging.html
or http://tinyurl.com/2fzuna
I've included a section from that document, below.
I have less complete versions of this list for things like routers and web
servers, but I don't feel sufficiently qualified on those devices,
especially when they have really complex configurations, to claim that those
lists are comprehensive.
Several times over the course of the last few years, I've encouraged this
list to help me come up with ideas. I've gotten a few useful contributions,
but not enough to feel like the job is anywhere near finished. As ever, if
you have enough hands-on time with a type of gear or software that you feel
you can contribute, please let me know!
cheers - tbird
Here's the relevant bit:
"Significant events on firewalls fall into three broad categories: critical
system issues (hardware failures and the like), significant authorized
administrative events (ruleset changes, administrator account changes), and
network connection logs. In particular, we're interested in capturing the
following events:
* host operating system log messages -- for the purposes of this
document, we'll capture this data at the minimum severity (maximum
verbosity) required to record system reboots, which will record other
time-critical OS issues, too
* changes to network interfaces -- need to test whether or not the
default OS logging captures this information, or if the firewall software
records it somewhere (any invocation of UNIX ifconfig or the equivalent?)
* changes to firewall policy
* adds/deletes/changes of administrative accounts
* system compromises
* network connection logs, which include dropped and rejected
connections, time/protocol/IP addrs/usernames for allowed connections, maybe
amount of data transferred
The observant firewall administrator will notice that this list contains
more than just network connection information. Most firewall logging tools
focus on network connection records because protecting network connections
is the most obvious task performed by the firewall, and because they're
typically in a predictable format. At least, logging formats are relatively
stable on any given platform, operating system and firewall application.
However, tracking administrative changes on your firewalls is a vital
component of system and security administration. And records of
administrative changes are often hard to track down. So we'll include them
in the device-specific notes below."