Background & Standards

• Logging and Audit Overview
• Specifications and Standards
• Archiving Secure Audit Files
• Programming syslog

Logging Infrastructure

• Centralized Logging
• syslog Replacements (UNIX)
• syslog Servers (non-UNIX)
• UNIX & related (routers, FWs) to syslog
• Windows to syslog
• Logfile Rotation Tools

Data Analysis

• Log Parsers (App Specific)
• Log Parsers (Generic)
• Regular Expressions
• Data Correlation
• Sample Log Files
• Intrusion Signatures
• Message Dictionaries
• Messages that Made Us Laugh

Resources

• Mailing Lists
• Research

Specifications and Standards

• Archive of the syslog security mailing list
• Common Intrusion Detection Framework (CIDF)
• Common Log Format, primarily focused on audit data from Web servers, but at least theoretically extensible to any text-based log format
• Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations (US DOJ) - Discussion on search and siezure rules for computers. Excellent. Particularly this section.
• Computer Records and the Federal Rules of Evidence (US DOJ) — This is the clearest, best-documented discussion of the case law about computer log data as court evidence that I’ve ever read. If you’ve got to go to court and you need to use your computer logs — or you’re building a log infrastructure and you need to know how and what to document — read this report. Thanks to Orin Kerr for writing it.
• Audit Trails in Evidence - A Queensland Case Study - Eleven court cases involving Queensland Police Service audit trails have been studied and the results are reported and analysed in this paper. It is shown that, of the cases studied, none of the evidence presented has been rejected or seriously challenged from a technical perspective.
• Date and Time on the Internet: Timestamps
• Implementation of the ISO 8601 Standard Around The World
• ISO 8601 Date/Time Representations
• A summary of the International Standard Date and Time Notation
• The BSD syslog Protocol (RFC 3164.txt) An informational RFC on syslog based on the observed behavior of the syslog network protocol, not anyone’s ideas about how it should behave.
• IETF Internet Draft: The syslog Protocol (expires 1 June 2004)
• IETF Internet Draft: Guidelines for Evidence Collection and Archiving
• IETF syslog Working Group Home Page
• A GPL’ed library for RFC 3195 syslog
• IETF Working Group: Security Issues in Network Event Logging
• Intrusion Detection Exchange Format — part of the IETF Working Group on intrusion detection
• Reliable Delivery for syslog protocol modifications designed to address the requirement of "reliable delivery of all event messages."
• Securing syslog on FreeBSD - paper from EuroBSDcon on running the syslog-sign protocol.
• Draft for syslog-sign — a mechanism adding origin authentication, message integrity, replay-resistance, message sequencing, and detection of missing messages to syslog.
• An RFC3195 implementation for Windows