So what exactly is log management, what benefits does it bring, and what does it take to implement it technically?
What is Log Management?
Log management describes the centralized storage of event logs and the ability to search and analyze this data.
Systems whose event logs are stored centrally are called log sources in this context. To retrieve event logs from a log source, either an integrated mechanism (e.g. syslog) or additional software is used to forward the local event logs. Such software is called a shipper or agent and is part of the respective log management solution.
The variety of connectable log source types is large and covers almost the entire range of IT infrastructure components. Typical log source types include:
- Server-side operating systems (Windows Server, Linux & UNIXoids)
- Endpoint operating systems (Windows & Mac OS X)
- Network infrastructure (switches, WLAN APs, routers, firewalls, load balancers)
- Security Appliances (Layer 7 Firewalls, IDS, IPS, Spam Filter)
- Blackbox & IoT devices (printers, thermal sensors,…)
Beyond the typical use case, it is also possible to capture exotic log formats by developing so-called log parsers yourself. In most cases, these are based on the use of regular expressions (RegEx).
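As an added illustration of such a regex-based parser (example code written for this article, not part of any product mentioned here), the following Python parses a constructed, hypothetical printer log format into structured records and keeps unparseable lines visible rather than dropping them; the small search helper sketches the central lookup by host name or IP address that the post describes.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines from a hypothetical network printer (invented
# format, not a real vendor's); one line is deliberately malformed.
SAMPLE_LOG = """\
2024-03-01 08:15:02 PRN-FLOOR2 [WARN] tray=2 event=paper_jam user=jdoe src=10.0.5.17
2024-03-01 08:15:40 PRN-FLOOR2 [INFO] tray=1 event=print_ok user=asmith src=10.0.5.23
garbage line emitted by the device after a firmware glitch
2024-03-01 08:16:11 PRN-FLOOR2 [ERROR] event=auth_failed user=admin src=10.0.9.200
"""

# The regex covers only the fixed prefix; key=value pairs are parsed
# separately so that fields added by a firmware update do not break it.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"\[(?P<level>[A-Z]+)\] (?P<fields>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Return a dict for a well-formed line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Assumption: the device clock is UTC; store an ISO 8601 timestamp.
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    record = {"@timestamp": ts.isoformat(), "host": m["host"], "level": m["level"]}
    record.update(KV_RE.findall(m["fields"]))  # list of (key, value) tuples
    return record

def parse_log(text):
    """Parse every non-empty line; lines that do not match are returned
    separately instead of being dropped, so gaps in coverage stay visible."""
    records, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        (records if rec else rejected).append(rec or line)
    return records, rejected

def search(records, **criteria):
    """Central search in the spirit of the post: records matching all given fields."""
    return [r for r in records if all(r.get(k) == v for k, v in criteria.items())]
```

Counting the rejected lines per log source is a useful health check for a parser: a sudden rise usually means the device changed its format and the parser needs updating.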
Advantages of Log Management
The advantages of a solid log management solution are manifold and cover several areas.
Traceability & Error Analysis
If problems occur with a central service or an important server is no longer reachable at all, it is of great value to be able to access all log data for this system centrally. A simple search for the IP address or the host name can often already provide information about where problems exist, when a system failed and what happened shortly before the failure.
IT hygiene & visibility over your IT landscape
The term “IT hygiene” is particularly widespread in the area of cyber security, but it primarily refers to a thorough knowledge of one’s own IT landscape, which is also of great benefit to operational IT.
In concrete terms, this means, for example, being able to distinguish between legitimate systems that are under the control of the company and those that have no place in the company network. It is not uncommon for employees to bring their private devices to work with good intentions.
A log management system is not suited to detecting such incidents automatically, but it is an excellent tool for building up knowledge of your own environment and for deriving a sound asset database from the log data.
Security against log manipulation & deletion of log data
When human attackers take over a system or ransomware encrypts a machine, access to the log data is often lost along with it: either it is encrypted by the ransomware or deleted by the attacker to cover their tracks. Particularly skilled attackers (e.g. NSA, keyword: DanderSpritz) even manipulate log data to use it as a smokescreen.
A centralized log management solution protects against deletion, encryption or manipulation of local log data. For this reason, centralized storage of log data is also a key requirement of ISO 27001 and other IT security compliance frameworks.
SIEM & IT Forensic Readiness
If you want to develop in the area of cyber security in the long term or even plan to establish a group-wide CDC / SOC, you can start with a log management solution and later expand it into a full-fledged SIEM solution. Particularly practical here is the planning certainty gained through the implementation of a log management solution: the disproportionately higher costs of a SIEM implementation depend primarily on the volume of event logs recorded, which the operator of a log management solution already knows.
But even beyond long-term goals, a log management solution can improve a company’s ability to respond. If a security incident occurs and an IT forensic specialist needs to assess what happened and whether other systems may have been affected, a log management solution is extremely valuable.
Security incidents are often not detected for weeks or months. Local event logs usually act as a ring buffer, so the local event logs concerning the incident in question are often no longer available by then. In this situation, it is very practical if the IT forensic expert can perform a historical analysis based on a log management system.
Introduction of a Log Management Solution
So what does it take to implement a log management solution? At SECUINFRA, we like to think in terms of the PPT framework popularized in IT security by Bruce Schneier. PPT stands for People, Processes & Technology, so it encourages you to think not only about the technology, but also about the associated processes and the competence of the employees, who are ultimately the decisive factor. After all, the best solution is of little use if those responsible cannot handle it.
From a technological point of view, the introduction of log management primarily requires three components.
- An infrastructure for capturing event logs
- A server-side component that
  - can store the event logs in the long term
  - can efficiently search the stored event logs
- A user-friendly interface that allows the evaluation and visualization of search results
There is a whole range of log management systems available. SECUINFRA recommends that its customers use Splunk or Elastic. In the following blog posts, we will use Elastic for illustration, because Elastic as an open source product is very transparent, which makes an explanation much easier.
Process-wise, a great deal can be regulated, but some things definitely should be. First and foremost, contact should be made with the works council and the data protection officer. The storage period for event logs should be the subject of a works agreement, which gives the company legal certainty and prevents conflicts between IT and the works council.
It is essential to record which systems are already connected to the log management solution and which audit log policy is used to operate them. The audit log policy is the configuration that determines the extent to which event logs are generated. This is especially important for operating systems, as the logging mechanisms can be configured very dynamically.
If you run a log management system, you should first understand how the system itself works. The learning curve is steep at the beginning, but after a relatively short training period, a technically experienced user can usually find their way around.
The real challenge, however, is to understand the collected event logs, which usually requires an understanding of the function of the log source in question. Accordingly, the competencies here are often highly fragmented.
Nevertheless, SECUINFRA generally advises its customers to make a dedicated effort with the connection of each new log source type in order to document the most important events and make them understandable for every user of the log management solution.
SECUINFRA can advise you extensively as a service provider in the planning, implementation and use of a log management solution, take over part of the tasks or operate your log management solution as a service for you. Please contact us for further information!