
Guide to Computer Security Log Management - NIST



Special Publication 800-92
Guide to Computer Security Log Management
Recommendations of the National Institute of Standards and Technology
Karen Kent, Murugiah Souppaya

Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the economy and public welfare by providing technical leadership for the nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL's responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL's research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations.

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

National Institute of Standards and Technology Special Publication 800-92
Natl. Inst. Stand. Technol. Spec. Publ. 800-92, 72 pages (September 2006)

Acknowledgements

The authors, Karen Kent and Murugiah Souppaya of the National Institute of Standards and Technology (NIST), wish to thank their colleagues who reviewed drafts of this document and contributed to its technical content, especially Bill Burr, Elizabeth Chew, Tim Grance, Bill MacGregor, Stephen Quinn, and Matthew Scholl of NIST, and Stephen Green, Joseph Nusbaum, Angela Orebaugh, Dennis Pickett, and Steven Sharma of Booz Allen Hamilton. The authors particularly want to thank Anton Chuvakin of LogLogic and Michael Gerdes for their careful review and many contributions to improving the quality of this publication. The authors would also like to express their thanks to security experts Kurt Dillard of Microsoft, Dean Farrington of Wells Fargo Bank, Raffael Marty of ArcSight, Greg Shipley of Neohapsis, and Randy Smith of the Monterey Technology Group, as well as representatives from the Department of Energy, the Department of Health and Human Services, the Department of Homeland Security, the Department of State, the Department of Treasury, the Environmental Protection Agency, the National Institutes of Health, and the Social Security Administration, for their valuable comments and suggestions.

Trademarks

All names are registered trademarks or trademarks of their respective companies.

Table of Contents

- Executive Summary, ES-1
- 1. Introduction, 1-1
  - Purpose and ..., 1-1
  - Publication Structure, 1-1
- 2. Introduction to Computer Security Log ..., 2-1
  - The Basics of Computer Security ..., 2-1
    - Security Software, 2-2
    - Operating ..., 2-4
  - Usefulness of ..., 2-6
  - The Need for Log ..., 2-7
  - The Challenges in Log Management, 2-8
    - Log Generation and Storage, 2-8
    - Log ..., 2-9
    - Log ..., 2-10
  - Meeting the ..., 2-10
- 3. Log Management Infrastructure, 3-1
  - Architecture, 3-1
  - Syslog-Based Centralized Logging, 3-5
    - Syslog Format, 3-5
    - Syslog Security, 3-7
  - Security Information and Event Management Software, 3-9
  - Additional Types of Log Management ..., 3-10
- 4. Log Management ..., 4-1
  - Define Roles and Responsibilities, 4-1
  - Establish Logging ..., 4-3
  - Ensure that Policies Are Feasible, 4-7
  - Design Log Management ..., 4-9
- 5. Log Management Operational ..., 5-1
  - Configure Log ..., 5-1
    - Log Generation, 5-1
    - Log Storage and ..., 5-2
    - Log Security, 5-4
  - Analyze Log Data, 5-5
    - Gaining an Understanding of Logs, 5-5
    - Prioritizing Log Entries, 5-6
    - Comparing System-Level and Infrastructure-Level ..., 5-7
  - Respond to Identified ..., 5-8
  - Manage Long-Term Log Data Storage, 5-9
  - Provide Other Operational ..., 5-10
  - Perform Testing and Validation, 5-10

List of Appendices

- Appendix A, Glossary, A-1
- Appendix B, Acronyms, B-1
- Appendix C, Tools and ...
- Appendix D, Index, D-1

List of Figures

- Figure 2-1. Security Software Log Entry Examples, 2-3
- Figure 2-2. Operating System Log Entry Example, 2-4
- Figure 2-3. Web Server Log Entry ..., 2-6
- Figure 3-1. Examples of Syslog Messages, 3-6

List of Tables

- Table 4-1. Examples of Logging Configuration Settings, 4-6

Executive Summary

A log is a record of the events occurring within an organization's systems and networks. Logs are composed of log entries; each entry contains information related to a specific event that has occurred within a system or network. Many logs within an organization contain records related to computer security. These computer security logs are generated by many sources, including security software, such as antivirus software, firewalls, and intrusion detection and prevention systems; operating systems on servers, workstations, and networking equipment; and applications. The number, volume, and variety of computer security logs have increased greatly, which has created the need for computer security log management: the process for generating, transmitting, storing, analyzing, and disposing of computer security log data.

Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems. Logs are also useful when performing auditing and forensic analysis, supporting internal investigations, establishing baselines, and identifying operational trends and long-term problems. Organizations also may store and analyze certain logs to comply with Federal legislation and regulations, including the Federal Information Security Management Act of 2002 (FISMA), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Sarbanes-Oxley Act of 2002 (SOX), the Gramm-Leach-Bliley Act (GLBA), and the Payment Card Industry Data Security Standard (PCI DSS).

