Auditing your logs regularly is necessary to make use of the valuable data in them. If a security incident is logged on your computer and no one reads the log, you are still stuck re-installing the machine, but you won't know it until netIRT contacts you about being a bad network citizen.
Review your logs. If possible, have a script pull the interesting parts and email them to you every morning. It only takes a couple of minutes to glance over the logs once you become familiar with "normal" log patterns. Question unusual traffic patterns, which should start popping out at you as you read the logs every morning. The human brain is a fantastic pattern matcher, which is why the mark-I eyeball is still a useful scanning tool.
Keep logs secure. If you have an incident and need to prosecute, or just follow up later, you need to know that the logs are intact. Set up a loghost which is not a login/user machine to accumulate the logs from your network; an intruder who gains root on a client can edit that client's local logs, but not the copy already sent to the loghost. Use time synchronization on your log host and all of the clients. Most operating systems can be configured to automatically set the computer's time from a network time server. With synchronized time, you can tell exactly what order things happened in, without having to first establish how far off each machine's clock is from the others.
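The following configuration fragments are an added example of the setup described above, not taken from this page or from CLASnet's own configuration. They assume rsyslog on the clients and the loghost and chrony for time synchronization; the host names loghost.example.org and ntp.example.org, the 10.1.0.0/16 client network and the file paths are assumptions for illustration.

```conf
# --- on each client: /etc/rsyslog.d/10-forward.conf (assumed path) ---
# Local logging stays as it was; in addition, every message is forwarded
# to the dedicated loghost. "@@" means TCP; a single "@" would be UDP,
# which drops messages silently under load.
*.* @@loghost.example.org:514

# --- on the loghost: /etc/rsyslog.d/10-receive.conf (assumed path) ---
# Accept TCP syslog from the client network only, and write each client's
# messages under its own directory so streams from different hosts are
# never mixed. Anything not from our network falls through to local rules.
module(load="imtcp")
input(type="imtcp" port="514")
template(name="PerHost" type="string"
         string="/var/log/remote/%HOSTNAME%/%PROGRAMNAME%.log")
if $fromhost-ip startswith "10.1." then {
    action(type="omfile" dynaFile="PerHost")
    stop
}

# --- on every machine, loghost included: /etc/chrony/chrony.conf ---
# One shared time source, so a timestamp on the loghost can be compared
# directly with the same event in the client's local log.
server ntp.example.org iburst
```

Two caveats a practitioner should keep in mind: plain TCP syslog is neither encrypted nor authenticated, so the loghost should sit on a network segment that hostile hosts cannot reach, and, as the page says, it must not be a machine that ordinary users can log in to. Check the clock with `chronyc tracking` on each host before you rely on cross-host ordering.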
Base your log monitoring scripts on your policies and procedures. If the policy is that no regular users should access a certain box, scripts should look for non-admin access to it. If the procedure is to log in as yourself and then switch to the administrator account, check for logins as root directly from remote machines.
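The script below is an added example of the morning digest described above (the "pull the interesting parts and email them" script and the policy-driven checks in the last paragraph); it is not the page's own script. It assumes syslog-style sshd and su lines, an admin list `ADMINS`, a restricted host list `RESTRICTED_HOSTS`, and the host names and log lines in `SAMPLE_LOG`, all of which are constructed for illustration.

```python
#!/usr/bin/env python3
"""Morning log digest (added example, not the page's own script).

Reads syslog-style sshd/su lines, applies the two policy checks the page
describes, counts failed logins per source, and prints a short report
that a cron job can pipe into mail. Host names, user lists and the
sample lines are constructed for illustration.
"""
import re
import sys
from collections import Counter

# Assumed local policy: only these accounts may log in to the restricted
# hosts, and nobody logs in as root over the network (log in as yourself,
# then su). Adjust to your own policy.
ADMINS = {"alice", "bob"}
RESTRICTED_HOSTS = {"payroll"}

# Classic syslog prefix: "Mar  3 06:12:01 host ..."
_TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
PATTERNS = {
    "accept": re.compile(_TS + r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)"),
    "fail": re.compile(_TS + r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"),
    "su": re.compile(_TS + r"su(?:\[\d+\])?: \(to (?P<to>\S+)\) (?P<user>\S+) on (?P<tty>\S+)"),
}


def parse_line(line):
    """Return a dict with 'kind', 'ts', 'host' and the per-kind fields for a
    line we understand, or None for everything else."""
    for kind, rx in PATTERNS.items():
        m = rx.match(line)
        if m:
            ev = m.groupdict()
            ev["kind"] = kind
            return ev
    return None


def policy_violations(ev):
    """The page's two checks: direct root logins from remote machines, and
    non-admin logins on a box regular users must not touch."""
    found = []
    if ev["kind"] == "accept":
        if ev["user"] == "root":
            found.append(f"{ev['ts']} {ev['host']}: direct root login over ssh from {ev['src']}")
        if ev["host"] in RESTRICTED_HOSTS and ev["user"] not in ADMINS:
            found.append(f"{ev['ts']} {ev['host']}: non-admin user {ev['user']} logged in from {ev['src']}")
    return found


def digest(lines):
    """Summarise an iterable of log lines into the pieces worth a glance."""
    violations, escalations = [], []
    failures = Counter()
    unparsed = 0  # how much the script skipped, so you know what it is not showing you
    for line in lines:
        ev = parse_line(line.rstrip("\n"))
        if ev is None:
            unparsed += 1 if line.strip() else 0
            continue
        violations.extend(policy_violations(ev))
        if ev["kind"] == "fail":
            failures[(ev["host"], ev["src"])] += 1
        elif ev["kind"] == "su":
            escalations.append(f"{ev['ts']} {ev['host']}: {ev['user']} -> {ev['to']} on {ev['tty']}")
    return {"violations": violations, "failures": failures,
            "escalations": escalations, "unparsed": unparsed}


def format_report(d):
    """Plain-text report, short enough to read over coffee."""
    out = [f"POLICY VIOLATIONS ({len(d['violations'])})", *d["violations"], ""]
    out.append("FAILED LOGINS BY HOST/SOURCE")
    for (host, src), n in d["failures"].most_common():
        out.append(f"  {host:<10} {src:<16} {n}")
    out += ["", "PRIVILEGE ESCALATIONS (su)", *d["escalations"], "",
            f"lines not understood: {d['unparsed']}"]
    return "\n".join(out)


# Constructed sample input: one morning's worth of auth lines from two hosts.
SAMPLE_LOG = """\
Mar  3 06:12:01 payroll sshd[2211]: Accepted publickey for alice from 10.1.2.7 port 50122 ssh2
Mar  3 06:14:33 payroll sshd[2240]: Accepted password for carol from 10.1.2.9 port 50131 ssh2
Mar  3 06:20:10 www sshd[901]: Accepted password for root from 203.0.113.5 port 41234 ssh2
Mar  3 06:21:02 www sshd[903]: Failed password for invalid user admin from 203.0.113.5 port 41250 ssh2
Mar  3 06:21:05 www sshd[903]: Failed password for invalid user admin from 203.0.113.5 port 41250 ssh2
Mar  3 06:21:09 www sshd[905]: Failed password for root from 203.0.113.5 port 41260 ssh2
Mar  3 06:30:44 www sshd[910]: Accepted publickey for bob from 10.1.2.7 port 50140 ssh2
Mar  3 06:30:52 www su[912]: (to root) bob on pts/1
Mar  3 06:35:00 www CRON[930]: (root) CMD (run-parts /etc/cron.hourly)
"""


def main(argv):
    # Typical cron line (assumed path and address):
    #   0 6 * * * /usr/local/bin/logdigest.py /var/log/auth.log | mail -s "log digest" you@example.org
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            report = format_report(digest(fh))
    else:
        report = format_report(digest(SAMPLE_LOG.splitlines()))
    print(report)


if __name__ == "__main__":
    main(sys.argv)
```

Run without arguments it reports on the constructed sample: carol's login to payroll and the root login to www come out as violations, the three failures from 203.0.113.5 are grouped on one line, bob's su is listed so you can confirm it was sanctioned, and the cron line counts as "not understood". The point of the last counter is the one the page makes about knowing what "normal" looks like: if the number of skipped lines jumps, something new is being logged and the script's patterns need a look.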