Three Things to Remember When Configuring Logging
You set up a centralized logging server. Check. You installed the OSSEC manager to analyze your logs in real-time. Check. You even managed to implement high availability. Good going! Now you're ready to start configuring clients. It should be as simple as installing an agent and pointing it to the log server, right? Maybe so, but don’t forget these other important steps to make the most of your logs.
- Set the time to sync with at least one time source. Three is even better. If you don’t ensure the client has synchronized time, putting an event timeline together after a compromise is going to be that much more difficult. With properly synchronized time, patterns emerge that you might otherwise miss.
- Set the auditing policy. Unless you tell your system what to audit, there may never be any logs to send to the log server. For a Windows domain, a well-configured group policy can ensure consistency across the enterprise. For stand-alone Windows systems, a security template can serve the same purpose. For ‘nix systems, pay special attention to the facilities and priorities in syslog.conf.
- Review services which listen on the network. Did someone install WinSSHd on the Windows server you configured for logging? If you only look at the usual three Windows logs, you could be missing important information about potential attacks. Make sure to review the output of “netstat -an” for clues as to what may be offering services on the host. Once identified, configure them for logging.
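The three checks above can be scripted so they run the same way on every new client. The POSIX shell script below is an added example and not from the original post: it counts reachable time sources in "ntpq -p" output, lists which syslog.conf selectors are actually forwarded to a remote host, and compares the listening sockets from "netstat -an" against an allowlist of services you already log. All sample outputs are constructed, and the allowlist KNOWN_SERVICES is a hypothetical value you would replace with your own.

```shell
#!/bin/sh
# Added example, not from the original post: offline checks for the three
# client-side steps (time sync, audit/syslog policy, listening services).
# All sample outputs below are constructed; the allowlist is hypothetical.

# Constructed "ntpq -p" output: two reachable peers, one never reached.
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*time1.example.  .GPS.            1 u   35   64  377    1.234   -0.456   0.123
+time2.example.  10.0.0.1         2 u   40   64  377    2.345    0.678   0.234
 time3.example.  .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# Constructed syslog.conf: one local rule, two forwarding rules (@ = UDP, @@ = TCP).
SAMPLE_SYSLOG='# local copies
auth,authpriv.*                 /var/log/auth.log
*.info;mail.none                @loghost
authpriv.*                      @@loghost:514'

# Constructed "netstat -an" output (Linux layout); port 8443 is the surprise.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:514             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8443            0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:51512          ESTABLISHED
udp        0      0 0.0.0.0:123             0.0.0.0:*'

# Hypothetical allowlist: services we know about and have already configured for logging.
KNOWN_SERVICES="tcp/22 tcp/514 udp/123"

# reachable_time_sources: count ntpq peers whose "reach" register is non-zero.
# The tally character (*, +, space) is glued to the hostname, so field 7 is always reach.
reachable_time_sources() {
    printf '%s\n' "$1" | awk 'NR > 2 && $7 != 0 { n++ } END { print n + 0 }'
}

# forwarded_selectors: selectors of non-comment syslog.conf rules whose action is a
# remote host (@host or @@host). Any facility/priority not covered here never leaves the box.
forwarded_selectors() {
    printf '%s\n' "$1" | awk '$1 !~ /^#/ && $2 ~ /^@/ { print $1 }'
}

# listening_services: proto/port for every TCP socket in LISTEN(ING) state and every
# UDP socket. Handles the Linux ("tcp ... LISTEN") and Windows ("TCP ... LISTENING")
# layouts by taking the first field that ends in ":<port>" as the local address.
listening_services() {
    printf '%s\n' "$1" | awk '
        tolower($1) ~ /^(tcp|udp)/ {
            proto = substr(tolower($1), 1, 3)
            if (proto == "tcp" && $NF !~ /^LISTEN/) next
            for (i = 2; i <= NF; i++)
                if ($i ~ /:[0-9]+$/) { n = split($i, a, ":"); print proto "/" a[n]; break }
        }' | sort -u
}

# unknown_services: listening services missing from the allowlist, i.e. the ones that
# still need a logging decision (and a look at what installed them).
unknown_services() {
    for svc in $(listening_services "$1"); do
        case " $2 " in
            *" $svc "*) ;;
            *) echo "$svc" ;;
        esac
    done
}

echo "reachable time sources: $(reachable_time_sources "$SAMPLE_NTPQ")"
echo "forwarded selectors:"; forwarded_selectors "$SAMPLE_SYSLOG"
echo "listening services needing a logging decision:"; unknown_services "$SAMPLE_NETSTAT" "$KNOWN_SERVICES"
```

On a real client you would feed the functions live output (`ntpq -p`, `cat /etc/syslog.conf`, `netstat -an`) instead of the constructed strings; a result of fewer than one reachable time source, an empty forwarded-selector list, or any line from unknown_services is the signal that the host is not yet ready to be trusted as a log source.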
Finally, it pays to take a few moments to make sure logging is working as intended. Countless administrators and log analysts have been bitten by situations where they try to refer to logs after a breach, only to find they’re not there.
Oh, and about that whole ballet thing from yesterday, well, I have decided that pink is not my color after all. Now that April Fool’s day is over, let’s get back to business. :)
Hi,
You said in this post “You set up a centralized logging server. Check. You installed the OSSEC manager to analyze your logs in real-time. Check(…)”
- Did you mean that you can install OSSEC on the centralized logging server?
Let me explain: I've 30 machines (proxy, mail, firewalls, web servers, etc.) that send their logs to a syslog-ng server. Each machine generates a log file.
If I install the OSSEC agent on the syslog-ng server I'll monitor (if this syslog-ng host is dedicated to this task) "only" itself: no configuration to examine log files from the machines.
I chatted on the OSSEC IRC channel about this configuration and I understood that the recommended configuration is to install OSSEC agents on all machines (or agentless for Cisco or other proprietary devices) so as not to lose the benefit of other OSSEC functionalities (e.g. integrity checking).
So that's why I don't understand when you start this post with "(…)ossec agent installed on centralized server"…
Hope my note is clear, thanks for your feedback !
:)
Hi,
Thanks for stopping by.
Yes, you can install OSSEC on the central logging server. Once OSSEC is installed and monitoring the local file, simply edit ossec.conf to also monitor the logs from the other 30 machines. OSSEC doesn’t care where the log came from–it will monitor them in the same way.
To also get the benefit of integrity checking and so on, install the agents on the 30 servers, then comment out the blocks so you won’t be monitoring the logs twice, but you’ll still receive the syscheck/rootcheck events.
Make sense?
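The arrangement described in this answer, as an added example that is not the author's or the OSSEC project's own configuration: an ossec.conf fragment for the syslog-ng host where each remote machine's messages land in their own file. The paths under /var/log/remote/ are hypothetical and follow whatever destination template your syslog-ng configuration uses.

```xml
<!-- Added example (not the author's configuration): ossec.conf on the syslog-ng
     host. One <localfile> block per file that syslog-ng writes; paths are hypothetical. -->
<ossec_config>
  <!-- The log host's own syslog, as monitored after the default install -->
  <localfile>
    <location>/var/log/syslog</location>
    <log_format>syslog</log_format>
  </localfile>

  <!-- Files written by syslog-ng for the remote machines; OSSEC treats them
       exactly like local logs and runs the same rules against them -->
  <localfile>
    <location>/var/log/remote/proxy01.log</location>
    <log_format>syslog</log_format>
  </localfile>
  <localfile>
    <location>/var/log/remote/mail01.log</location>
    <log_format>syslog</log_format>
  </localfile>
  <localfile>
    <location>/var/log/remote/web01.log</location>
    <log_format>syslog</log_format>
  </localfile>
</ossec_config>
```

When you later install agents on those 30 machines, wrap the corresponding `<localfile>` block in each agent's ossec.conf in an XML comment (`<!-- ... -->`) so the same syslog line is not analyzed twice, while leaving the agent's `<syscheck>` and `<rootcheck>` sections in place so integrity-checking and rootkit-detection events still reach the manager.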
Yes !
Great.
I must check the load part from it to install on bigger environments..
I have to test, but your answer is clear!
Thanks again.
Regards.