Copyright Goodheart-Willcox Co., Inc. 84 Security Essentials

Syslog

System logging protocol (syslog) is the standard event logging protocol used to send system and event log information to a designated server, called the syslog server. Syslog enables the aggregation of logs from many hosts into one central log for monitoring and review. Syslog is supported natively on Linux and Unix platforms, but third-party tools must be used to collect Windows Event Viewer log information. rsyslog is an open-source syslog implementation used on Unix and Linux systems to collect and forward messages. syslog-ng is a separate open-source syslog implementation that is available on additional operating system platforms. Be aware that classic syslog travels as plaintext UDP on port 514, where messages can be dropped or spoofed; where log integrity matters, forward over TCP or TLS, which current syslog implementations support.

Syslog solutions offer differing review report options and functionality. A review report is a document containing findings from a review of logs or data. Generally, the data in a review report is produced by auditing event logs by severity or by a specific action. Syslog systems provide event correlation, which tracks attack patterns that occur across the network, and the central log also serves as a source of data to support an investigation.

Similar to syslog and rsyslog, NXLog is a multiplatform log management tool that includes support for Android and Windows platforms. NXLog can collect event logs from multiple servers and can convert between log formats. It is also capable of processing logs offline.

In many modern Linux distributions, the systemd init suite collects and manages system, boot, and kernel logs. Its journal component stores log data in a binary format, so entries cannot be read with ordinary text tools; they are retrieved with journalctl, which queries and displays the journal's contents. systemd-journald can also hand entries to a local syslog daemon (its ForwardToSyslog= setting), which is how they typically reach a central syslog server.

The purpose of syslog event collection is to gather event logs from across the network in one location. Once they are there, the correlated data must be analyzed to identify potential threats, incidents, or vulnerabilities.
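The paragraphs above describe the two things a syslog server has to do before any review report is possible: read each message's PRI header to recover its facility and severity, and tally or filter events by that severity. The following added example (written for this page, not code from the textbook or from any of the tools it names) parses both the RFC 5424 and the older RFC 3164 (BSD) message layouts and produces a severity audit over a handful of constructed sample lines; the hostnames, addresses, and messages are invented.

```python
import re
from collections import Counter

# Facility and severity tables from RFC 5424 section 6.2.1. Facility names are the
# usual syslog.h labels; 13 to 15 are the RFC's "log audit", "log alert" and "clock".
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "logaudit", "logalert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 5424 layout: <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
# (structured data is "-" or one or more [..] elements, no nesting).
RFC5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<pid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+) ?(?P<msg>.*)$"
)
# RFC 3164 (BSD) layout: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[PID]: MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<app>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$"
)

def decode_pri(pri):
    """PRI = facility * 8 + severity; anything above 191 is malformed."""
    pri = int(pri)
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]

def encode_pri(facility, severity):
    """The inverse, as a sender computes it before forwarding a message."""
    return FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)

def parse_line(line):
    """Return a dict of header fields, or None if the line is neither format."""
    m = RFC5424.match(line) or RFC3164.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["facility"], ev["severity"] = decode_pri(ev.pop("pri"))
    ev["level"] = SEVERITIES.index(ev["severity"])   # 0 = emerg ... 7 = debug
    return ev

def review_report(lines, max_level=4):
    """Audit by severity: tally messages per (host, severity) and pull out every
    event at or above max_level (default 4 = warning). Lines the parser cannot
    read are returned as well, because silently dropping them would hide tampering."""
    counts = Counter()
    findings, unparsed = [], []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed.append(line)
            continue
        counts[(ev["host"], ev["severity"])] += 1
        if ev["level"] <= max_level:
            findings.append(ev)
    return {"counts": counts, "findings": findings, "unparsed": unparsed}

# Constructed sample lines for the example; they are not real captured traffic.
SAMPLE = [
    '<34>1 2024-05-01T10:15:00Z web01 sshd 2211 - - Failed password for root from 203.0.113.7 port 4422 ssh2',
    '<85>May  1 10:15:03 web01 sudo[2240]: pam_unix(sudo:auth): authentication failure; user=alice',
    '<13>1 2024-05-01T10:15:05Z db01 myapp - - [meta seq="42"] request served',
    '<2>1 2024-05-01T10:16:00Z db01 kernel - - - Out of memory: Killed process 1234 (postgres)',
    'this is not a syslog line',
]

if __name__ == "__main__":
    report = review_report(SAMPLE)
    for (host, sev), n in sorted(report["counts"].items()):
        print("%-6s %-8s %d" % (host, sev, n))
    for ev in report["findings"]:
        print("REVIEW:", ev["host"], ev["facility"] + "." + ev["severity"], ev["msg"])
    print("unparsed:", len(report["unparsed"]))
```

Run as a script it prints the per-host severity tally, the two crit-level events (the sshd failure and the kernel OOM kill), and one unparsed line. The unparsed bucket matters on a real server: a sudden rise in unparseable input usually means a sender changed format or something is injecting junk, and either is worth a look.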
Syslog servers may provide tools to query and filter the information, but the syslog server itself does not analyze it. Depending on the size of your network and the event logs collected, the amount of data can become overwhelming. Another solution is to use a SIEM (security information and event management) system, which can perform event analysis on the correlated event data.

Event Code | Description | Potential Security Concern
1102 | Deletion of the security log | This could be a normal administrative task, but it could also mean someone tried to cover his or her tracks by clearing this log.
4663 | An attempt was made to access an object | If a large number of files are being deleted, this event is recorded for each one. A burst of these may indicate someone is trying to remove critical company information.
4724 | Password reset (a privileged user changed this user's password) | While this is a normal function of network administration, it should be tracked for administrative accounts and service accounts.
4704, 4717 | Change to a user's rights or permission assignments | This could indicate an attacker has given an account more rights than it should have.
4740 | User account locked out | This is normal; users do forget their passwords. However, frequent occurrences of this event, or its occurrence on service, administrative, or manager accounts, should be investigated.

Figure 3-3 In Windows, events are coded. Some codes may indicate a security issue. (Goodheart-Willcox Publisher)

Note that event 4663 is written only when object access auditing is enabled and the file or folder carries an audit entry (SACL); turn that auditing on for the shares you care about before relying on this event.
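Figure 3-3 describes concerns that are only visible once events are correlated: one lockout is noise, five in a quarter hour on the same account is not, and a single 4663 says nothing while sixty DELETE accesses by one user in ten minutes do. The following added example (written for this page; it is not code from the textbook, from Windows, or from any SIEM product) applies the five rules of the figure to a list of event records. The record fields, the sensitive-account list, the svc_ naming convention, and the thresholds are all assumptions for the example, and the sample events are constructed rather than exported from a real domain controller.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption for the example: which accounts count as sensitive. A real deployment
# would load these from the directory; the names here are invented.
PRIVILEGED = {"administrator", "domain admins", "backup operators"}
SERVICE_PREFIX = "svc_"

def is_sensitive(account):
    a = account.lower()
    return a in PRIVILEGED or a.startswith(SERVICE_PREFIX)

def burst_detector(window, threshold):
    """Return add(key, t): records t for key and returns True the first time at
    least `threshold` events for that key fall inside a sliding `window`."""
    seen = defaultdict(list)
    fired = set()
    def add(key, t):
        seen[key] = [x for x in seen[key] if t - x <= window] + [t]
        if len(seen[key]) >= threshold and key not in fired:
            fired.add(key)
            return True
        return False
    return add

def correlate(events):
    """Apply the Figure 3-3 concerns to a list of event records and return
    (event_id, account, reason) findings in time order."""
    findings = []
    lockouts = burst_detector(timedelta(minutes=15), 5)    # 5 lockouts in 15 min
    deletes = burst_detector(timedelta(minutes=10), 50)    # 50 deletes in 10 min
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        eid = ev["id"]
        if eid == 1102:
            # Clearing the Security log is always worth a look, whoever did it.
            findings.append((eid, ev["subject"], "security log cleared on " + ev["host"]))
        elif eid == 4663 and ev.get("access") == "DELETE":
            if deletes(ev["subject"], t):
                findings.append((eid, ev["subject"], "mass file deletion on " + ev["host"]))
        elif eid == 4724 and is_sensitive(ev["target"]):
            findings.append((eid, ev["target"], "password reset by " + ev["subject"]))
        elif eid in (4704, 4717):
            findings.append((eid, ev["target"], "rights changed: " + ev.get("detail", "")))
        elif eid == 4740:
            if is_sensitive(ev["target"]):
                findings.append((eid, ev["target"], "sensitive account locked out"))
            elif lockouts(ev["target"], t):
                findings.append((eid, ev["target"], "repeated lockouts"))
    return findings

def _ev(minute, eid, **fields):
    """Build one constructed record. Field names are simplified for the example,
    not the exact Windows event XML names."""
    rec = {"time": "2024-05-01T09:%02d:00" % minute, "id": eid,
           "host": "DC01", "subject": "jdoe", "target": ""}
    rec.update(fields)
    return rec

# Constructed sample: one ordinary lockout, then a sequence that looks like an
# account being abused, and finally a second ordinary lockout well outside the window.
SAMPLE_EVENTS = (
    [_ev(0, 4740, target="jsmith", subject="DC01$")]
    + [_ev(1, 4740, target="svc_backup", subject="DC01$")]
    + [_ev(2, 4724, target="Administrator")]
    + [_ev(3, 4704, target="jdoe", detail="SeDebugPrivilege")]
    + [_ev(5 + i // 20, 4663, host="FS01", access="DELETE",
           obj=r"\\FS01\finance\q%d.xlsx" % i) for i in range(60)]
    + [_ev(12, 1102)]
    + [_ev(20 + i, 4740, target="bgates", subject="DC01$") for i in range(5)]
    + [_ev(40, 4740, target="jsmith", subject="DC01$")]
)

if __name__ == "__main__":
    for eid, who, why in correlate(SAMPLE_EVENTS):
        print(eid, who, why)
```

Run as a script it reports six findings and stays quiet about the two isolated jsmith lockouts, which is the point of correlating rather than alerting on every 4740. The burst detector deliberately fires once per account per episode; without the `fired` set, the 60 deletions would produce 11 alerts for the same incident.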