Logs worth to keep and analyze in a central repository
In the need to centralize logs we have selected syslog as the collector and Splunk (free for now) as the analysis tool, but there's always the question about which events should get to the central repository and from which systems.
The selection should address only those logs of interest from a security point of view.
Which logs do you centralize and how do you select them?
The answers should indicate types of devices, systems or software, types of logs/events and the reason for choosing them.
Windows:
- Security Log (specifically looking for Audit Failures)
- System Log (To correlate with the Security Log)
- IIS Logs
- Any Application Logs for Network facing applications.
On Linux:
- /var/log/auth.log (logins)
- /var/log/errors.log ( for ... errors)
- SSH Logs
- Application Logs
Generally you want to monitor:
- Logins
- System Errors
- Application Logs
These will be the most important logs to monitor, and the most telling using splunk.
A log system is only as good as the time source. Using NTP and making sure all your servers are set to the same time zone will make your job ten times easier. I like to set my BIOS clocks to UTC and then set the OS to the local time zone.
EDIT: This is now a wiki. Add your own advice!
All logs are of interest for security purposes. At least they are on a unix/lnx box.
On Linux you might as well send everything from syslog to the central collector and analyze for patterns. You never know what you will need ahead of time and you may find yourself missing some information if you only include certain services. While there are general guidelines as to which facility a particular type of application should be logging to, there's no hard and fast rules.
If an application of interest writes its own log files, I usually ingest those in to the syslog daemon as well and forward them to the central collector.
This is useful not only for security purposes but also for finding configuration errors as well as hardware and software faults.
It really depends on what you are trying to detect.
If you are looking for resource access then (eg. payroll files, product documents):
- collect the logs for user and access time from the server where the resource is located
- collect email tracking information so you can see if and where the resource is going
If you are looking for external access then:
- vpn logs for who and when the persons login
- firewall logs for access attempts
- ids logs for unusual traffic
- AD login logs so brute force attempts are found
- wifi logs
- dhcp logs
Again, first determine what you want to detect and then go for the logs that can show you who what and where the information/resource was accessed. Then go for the next one. From experience if you just want everything you will fail in getting the detection you need for anything.