Log Analysis
•Download as PPT, PDF•
0 likes•1,091 views
Log Analysis by Abhishek Sanyal @ null Pune Meet, October, 2010
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Log Analysis
Similar to Log Analysis (20)
More from n|u - The Open Security Community
More from n|u - The Open Security Community (20)
Recently uploaded
Recently uploaded (20)
Log Analysis
- 1. Thank You
- 2. Topic - Log Analysis * Not a log analysis of a hacked server
- 3. References Security Metrics – Replacing FUD *Diversion ahead
- 4. Good Metrics - - Consistently Measured - Cheap to Gather - Expressed as a number / percentage - Expressed using one unit of measure - Contextually specific – avoid So What ?
- 5. Bad Metrics - - Inconsistently Measured / Varies from person to person - Cannot be Gathered cheaply - Does not express results with numbers e.g. - ratings and grades
- 6. Log – Record of all the activities in an Application / Server or a Process Log Analysis – Extracting information from the logs
- 7. Pre-Requisites of Log Analysis - Logging should be enabled - Correct Time to be recorded in the logs - Data should not be corrupted - Known / Intuitive Log format - Patience - Caution
- 8. Common Log Format Host Ident Authuser [Date] Request Status Bytes 127.0.0.1 - - [14/Oct/2010:15:41:45 +0530] "GET /announce? info_hash=%9E%F7E%21m0%C3%BB%C8%17%AC%CF%C7K %CCO%85L%B7S&peer_id=-AZ4510- jsyzmsekckgz&supportcrypto=1&port=14523&azudp=14523&uploaded =0&downloaded=0&left=144067607&corrupt=0&event=started&numwa nt=34&no_peer_id=1&compact=1&key=R34XtNXz&azver=3 HTTP/1.1" 404 300 "-" "Azureus 4.5.1.0;Linux;Java 1.6.0_18" (Last two fields makes the format – Combined Log Format)
- 9. Extended W3C Log Format #Software: Microsoft Internet Security and Acceleration Server 2004 #Version: 2.0 #Date: 2009-10-28 00:00:01 #Fields: computer date time IP protocol source destination original client IP source network destination network action status rule application protocol bytes sent bytes sent intermediate bytes received bytes received intermediate connection time connection time intermediate username agent session ID connection ID FW1 2009-10-28 00:00:01 TCP 192.9.133.33:2179 124.153.12.25:443 192.9.133.33 Internal External Establish 0x0 LAN to Internet HTTPS 0 0 0 0 - - - - 248445 7348626
- 10. Squid Log Format Native access.log Time Duration ClientIp ResultCodes RequestMethod URL Ident Hierarchy Type 1286536314.464 475 192.168.0.188 TCP_MISS/200 627 GET http://api.bing.com/qsml.aspx? - DIRECT/122.160.242.136 text/xml 1286536314.489 780 192.168.0.68 TCP_MISS/200 507 POST http://rcv- srv37.inplay.tubemogul.com/streamreceiver/services - DIRECT/174.129.41.128 application/xml Custom access.log Dec 15 06:44:23 box squid[2011]: 192.9.101.130 TCP_MISS/200 389 POST http://65.54.49.123/gateway/gateway.dll? - DIRECT/65.54.49.123 application/x- msn-messenger Dec 15 06:45:24 box squid[2011]: 192.9.101.130 TCP_MISS/200 389 POST http://65.54.49.123/gateway/gateway.dll? - DIRECT/65.54.49.123 application/x- msn-messenger Dec 15 06:47:25 box last message repeated 2 times Dec 15 06:47:32 box squid[2011]: 127.0.0.1 TCP_MISS/200 68777105 GET http://update.nai.com/products/commonupdater/dat-5832.zip - DIRECT/122.166.109.18 application/zip
- 11. Multi-line Log Format Generated by Applications which runs multiple processes internally. Such logs are created when a single activity as seen by the End User internally translates to several different tasks in the Application. LogEntry1 of Task1 LogEntry2 of Task2 LogEntry3 of Task3 Almost all Mail Server Logs are Multi line logs. Example – Postfix and IronPort (Cisco) Email Server
- 12. Iptables Log Format Dec 5 00:17:38 box Shorewall:nic012FW:ACCEPT: IN=eth1 OUT= MAC=00:1f:e2:6c:cb:6d:00:1e:58:22:6b:30:08:00 SRC=124.153.10.16 DST=192.168.1.4 LEN=44 TOS=00 PREC=0x00 TTL=55 ID=39105 CE PROTO=TCP SPT=36597 DPT=5666 SEQ=3522285426 ACK=0 WINDOW=5840 SYN URGP=0 Dec 5 00:17:40 box Shorewall:nic012FW:DROP: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:e0:e4:a5:46:f1:08:00 SRC=192.168.1.87 DST=192.168.1.255 LEN=229 TOS=00 PREC=0x00 TTL=128 ID=3758 PROTO=UDP SPT=138 DPT=138 LEN=209 Dec 5 00:17:47 box Shorewall:nic012nic01:DROP: IN=eth1 OUT=eth1 MAC=00:1f:e2:6c:cb:6d:00:1b:b9:63:a3:19:08:00 SRC=192.168.1.120 DST=202.54.157.139 LEN=48 T OS=00 PREC=0x00 TTL=127 ID=3754 DF PROTO=TCP SPT=1414 DPT=80 SEQ=2498894647 ACK=0 WINDOW=65535 SYN URGP=0
- 13. Splunk – Monitor, Report and Analyze live streaming / historical IT data
- 14. Basic Configuration after installation cd /opt/splunk/bin export SPLUNK_IGNORE_SELINUX=1 ./splunk start Use your browser to login to http://localhost:8000
- 15. New Apps goes to /opt/splunk/etc/apps For custom log format - update the following configuration file /opt/splunk/etc/system/local/props.conf and /opt/splunk/etc/system/local/transforms.conf with entries of new log format
- 16. OSSEC – This is an Open Source Host Based Intrusion Detection System which can work in a client – server mode.