Network Logs Monitoring and Analysis Module Flow PDF
Summary
This document presents an overview of network logs monitoring and analysis, focusing on logging concepts, typical sources, and their importance in cybersecurity. It covers the basics of logging, highlighting the role of security professionals in analyzing and detecting issues. The material is suitable for professionals in this domain.
Certified Cybersecurity Technician Exam 212-82 Network Logs Monitoring and Analysis

Module Flow
- Understand Logging Concepts
- Discuss Log Monitoring and Analysis on Windows Systems
- Discuss Log Monitoring and Analysis on Linux
- Discuss Various Log Management Tools

Understand Logging Concepts
The objective of this section is to explain the basic concepts of logging. It describes the sources of logs, the need for logging, log formats, and the various logging approaches.

Module 18 Page 2066 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Typical Log Sources
[Figure: typical log sources, with labels Client and File Server Logs, Windows Logs, NAS Access Logs, VLAN Access and Mainframe Control Logs, Database Logs, Windows Domain Logs, Access Logs, Cache and Proxy Logs, and Management Logs.]
- A log is a collection of information/data on events, generated in the form of an audit trail by the various components of an information system such as the network, applications, OS, services, etc.
- Logging is the process of recording and storing logs of the events that occur in the network.
- It is an important source that helps detect flaws or problems as well as network attacks, frauds, and inappropriate uses of data.
- Example of a log: a trail of Login Failure events followed by a Login Successful event.

Logs are collections of information/data on events generated in the form of an audit trail by the various components of an information system such as the network, applications, operating system (OS), services, etc. A log can provide an indication that something may have gone wrong, and it helps security professionals in analyzing and detecting issues. Separately, transaction logs, firewall logs, or intrusion prevention system (IPS)/intrusion detection system (IDS) logs do not report faults.
They simply store records of specific events; for example, the deletion of a record from the database. When logs from multiple devices are collected, correlated, and analyzed by security incident and event management (SIEM) systems, something meaningful is generated. For example, by combining the transaction log that represents a record entry by a user with the firewall log that represents network activity from an IP address registered by the same user who made the record entry, we can verify the authenticity of that user.

Logs are recorded and stored through the logging process. Generally, there are four types of logging: security logging, operational logging, compliance logging, and application debug logging.
- Security logging concentrates on identifying and responding to security-related activities such as threats, viruses, malware, data loss, etc. It records logs about user logins, unauthorized access to resources, etc.
- Operational logging concentrates on system-processing activities. It informs the security professional regarding failures and potentially actionable conditions. It also facilitates service provisioning and financial decisions.
- Compliance logging is a part of security logging, because regulations are developed to enhance the security of systems and data.
- Application debug logging is logging that is beneficial to application/system developers rather than system administrators. It concentrates on recording debugging logs, which are analyzed by the application developer to detect issues. This type of logging can be disabled and enabled in a production system based on circumstantial requirements.

Typical Log Sources
A log source refers to a data source that builds an event log.
Almost every device or application on the network has logging capability and can produce a log to record information regarding an event. Every security system generates logs in some form or another. Windows logs, client and file server logs, router logs, firewall logs, and database logs are examples of the various log sources in the network.

Log sources use two mechanisms to transfer records: push-based and pull-based. In a push-based mechanism, the system or application either saves records on the local disk or sends them over the network. If the records are sent over the network, then a log collector is needed to collect them. System Logging Protocol (syslog) and Simple Network Management Protocol (SNMP) are the two main push-based protocols through which log records are transferred. In a pull-based mechanism, a system or an application pulls the log records from a log source. It works on the client-server model. Systems or devices that follow this mechanism usually store their log data in a proprietary format; for example, Check Point provides the OPSEC C library to pull logs from a Check Point device.

The required log sources need to be configured to collect important information in the required formats and locations and to store it for a long period of time. Log source configuration is not an easy task. Initially, the hosts and host components that are going to participate in the log management infrastructure need to be identified based on the standard rules and policies. A single log file can include information from multiple sources; for example, an OS log includes information not only from the OS itself but also from various other security programs. Once the log sources are determined, the types of events to be logged by each log source, as well as the attributes of the data to be logged for each event, need to be specified. Then, the log sources need to be configured based on the features provided by that particular type of log source.
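The push-based path described above ends at a log collector that must make sense of what each source sends it. The following is an added example, not code from the EC-Council module: it parses RFC 5424 syslog records the way a collector would, decoding the PRI field into facility and severity, unpacking structured data, and counting records it cannot parse rather than silently dropping them. The sample records are constructed for this example; the facility names are abbreviated from the RFC 5424 table.

```python
"""Added example (not from the EC-Council module): parsing RFC 5424 syslog
records as a push-based log collector receives them.
Facility/severity names are abbreviated from RFC 5424 section 6.2.1;
the sample records below are constructed for this example.
"""
import re

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr",
              "news", "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit",
              "logalert", "cron2", "local0", "local1", "local2", "local3",
              "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice",
              "info", "debug"]

# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) "
    r"(?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
    r"(?P<sd>-|(?:\[[^\]]*\])+)"
    r"(?: (?P<msg>.*))?$")

# Constructed sample input, as a collector would receive it over the network.
SAMPLE_LINES = [
    '<38>1 2024-05-01T09:00:12Z host01 sshd 1234 ID47 - '
    'Accepted password for alice from 203.0.113.10',
    '<13>1 2024-05-01T09:00:13Z host01 app - - '
    '[exampleSDID@32473 iut="3" eventSource="Application"] Record updated',
    'this is not a syslog record',
]


def parse_structured_data(sd):
    """Turn STRUCTURED-DATA into {sd_id: {param: value}}; '-' means none."""
    result = {}
    if sd == "-":
        return result
    for element in re.findall(r"\[([^\]]*)\]", sd):
        sd_id, _, params = element.partition(" ")
        result[sd_id] = dict(re.findall(r'(\S+?)="([^"]*)"', params))
    return result


def parse_syslog(line):
    """Parse one RFC 5424 record; raise ValueError for anything malformed."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 5424 record: {line!r}")
    pri = int(m.group("pri"))
    if pri > 191:  # 24 facilities * 8 severities - 1
        raise ValueError(f"PRI out of range: {pri}")
    return {
        "facility": FACILITIES[pri // 8],   # PRI = facility * 8 + severity
        "severity": SEVERITIES[pri % 8],
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "app": m.group("app"),
        "procid": m.group("procid"),
        "msgid": m.group("msgid"),
        "sd": parse_structured_data(m.group("sd")),
        "msg": m.group("msg") or "",
    }


def collect(lines):
    """Keep the records that parse and count the ones that do not: a rejected
    count that suddenly rises points at a misconfigured or tampered source."""
    records, rejected = [], 0
    for line in lines:
        try:
            records.append(parse_syslog(line))
        except ValueError:
            rejected += 1
    return records, rejected


if __name__ == "__main__":
    recs, bad = collect(SAMPLE_LINES)
    for r in recs:
        print(f"{r['facility']}.{r['severity']} {r['host']} {r['app']}: {r['msg']}")
    print(f"{bad} record(s) rejected")
```

A real collector would read these lines from a UDP/TCP socket on port 514 instead of a list, but the parsing and the rejected-record count are the parts that matter for monitoring.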
Some log sources provide granular configuration options while others provide no granularity at all. In log sources with no granularity, logging is either enabled or disabled, without any control over the kind of data that is logged.

[Figure: Typical Log Sources. Labels recoverable from the diagram: Client and File Server Logs, Windows Logs, NAS Access Logs, VLAN Access and Mainframe Control Logs, Database Logs, Wireless Access Logs, Data center, Executive, Financial.]
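The module's example log (a trail of Login Failure events followed by a Login Successful event) and its SIEM correlation example (joining a user's transaction or login activity with firewall records from the same IP address) are both small enough to show in code. The following is an added example, not the module's own material: it scans a constructed authentication log for the failure-then-success trail and then pulls the firewall records from the same source IP in the minute before the success. The pipe-delimited field layouts and the sample events are assumptions made for this example.

```python
"""Added example (not from the EC-Council module): a SIEM-style check that
finds a trail of login failures followed by a success, then correlates each
hit with firewall records from the same source IP.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication events (not real data).
# Assumed layout: timestamp|event|user|src_ip
AUTH_LOG = """\
2024-05-01T09:00:01|LOGIN_FAILURE|alice|203.0.113.10
2024-05-01T09:00:04|LOGIN_FAILURE|alice|203.0.113.10
2024-05-01T09:00:07|LOGIN_FAILURE|alice|203.0.113.10
2024-05-01T09:00:12|LOGIN_SUCCESS|alice|203.0.113.10
2024-05-01T09:05:00|LOGIN_SUCCESS|bob|198.51.100.7
"""

# Constructed sample firewall events. Assumed layout: timestamp|action|src_ip|dst_port
FIREWALL_LOG = """\
2024-05-01T08:59:58|ALLOW|203.0.113.10|443
2024-05-01T09:00:11|ALLOW|203.0.113.10|443
2024-05-01T09:05:00|ALLOW|198.51.100.7|443
"""


def parse_auth_log(text):
    """Parse the pipe-delimited auth log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, ip = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "user": user, "ip": ip})
    return events


def parse_firewall_log(text):
    """Parse the pipe-delimited firewall log into a list of record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, src_ip, dst_port = line.split("|")
        records.append({"ts": datetime.fromisoformat(ts), "action": action,
                        "src_ip": src_ip, "dst_port": int(dst_port)})
    return records


def find_failure_trails(events, min_failures=3):
    """Return one hit per (user, source IP) whose LOGIN_SUCCESS was preceded
    by at least min_failures uninterrupted LOGIN_FAILURE events."""
    streak = defaultdict(int)
    hits = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["user"], e["ip"])
        if e["event"] == "LOGIN_FAILURE":
            streak[key] += 1
        elif e["event"] == "LOGIN_SUCCESS":
            if streak[key] >= min_failures:
                hits.append({"user": e["user"], "ip": e["ip"],
                             "failures": streak[key], "ts": e["ts"]})
            streak[key] = 0  # any success ends the streak
    return hits


def correlate_with_firewall(hit, fw_records, window_seconds=60):
    """Firewall records from the hit's source IP in the window before the
    success: the cross-source join a SIEM performs on an event."""
    return [r for r in fw_records
            if r["src_ip"] == hit["ip"]
            and 0 <= (hit["ts"] - r["ts"]).total_seconds() <= window_seconds]


if __name__ == "__main__":
    fw = parse_firewall_log(FIREWALL_LOG)
    for h in find_failure_trails(parse_auth_log(AUTH_LOG)):
        related = correlate_with_firewall(h, fw)
        print(f"{h['user']}@{h['ip']}: {h['failures']} failures then success "
              f"at {h['ts'].isoformat()}, {len(related)} firewall record(s) in window")
```

The threshold (`min_failures`) and the correlation window are the tunable parts: a lower threshold catches more trails but raises the number of benign typos that get flagged, and a wider window joins more firewall traffic to each hit.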