Segregating Logs From Different Log Files On A Centralized Log Server Using Syslog-NG
In this post, I will demonstrate a way to capture logs from a series of log files, and relay those logs to a central log server, where the logs will be separated into log files, as they existed on the original host.
Reading from files
Syslog-ng has the ability to pull log data from files, then treat those logs as any other source, like this:
source s_file_abclog { file(“/var/log/abc.log” follow_freq(1));};
In this way, you can handle log data from applications that do not have native support for syslog.
Then, you can send that data to a central log server, like this:
source s_file_abclog { file(“/var/log/abc.log” follow_freq(1));};
destination d_remote{udp(“192.168.0.3″ port(514)); };
log { source(s_file_abclog); destination(d_remote);}; Read more…
Categories: Log Management, logging Tags: syslog-ng
Using Syslog Logs For Validation of Security Policy Compliance
In a previous post, I wrote about the general use of syslog logs as a method of ensuring compliance with policy. This is a specific example of how one might use syslog to do that.
As IT operations mature, particularly in regulated environments, it is not uncommon for an organization’s security policy to require controls on the use of privileged ID’s. Specifically, the use of the “root” or “administrator” account does not provide individual accountability. A policy requirement might be to require the use of sudo or equivalent technology to allow administrators to perform their jobs without losing individual accountability.
But how can you show that the policy is effective? Analyzing syslog logs are a good way. If it is a policy exception that an administrator would log into a server with “root”, then you simply have look for cases of that occurring. An ssh root login on FreeBSD looks like this:
Aug 7 17:22:00 www2 sshd[54036]: Accepted keyboard-interactive/pam for root from 127.0.0.1 port 50496 ssh2
Building a query can be as simple as “grep root /var/log/messages”, or can be performed by any number of syslog analyzers. Of course, root would have the ability to remove the log evidence of his presence, which is a very good reason to relay logs to a central syslog server. It then becomes imperative that administrators with access to root accounts on systems do not also have administrative access to the central syslog server.
Pulling evidence of root logins out of syslog logs from a central server which administrators do not have access is a good control to determine whether administrators are following policy requirements. This solution allows the administrators to retain the root password, but only use it in the event of an emergency. The policy should require reconciliation of any root logins found with known, documented issues. Use of the password without a valid reason will show evidence of policy violation.
Categories: Compliance, Policy, Security Tags: