In the September 2007 issue of Information Security Magazine there was an interesting article entitled “CSI for the CISO” which offers some excellent observations on why you need to enable logging within your environment for forensic investigations.
From the article:
Today’s digital forensics involves more than just laptops and desktops; investigators need to look at network and communication data, making logging essential. But Intelguardians’ Hillery says he often gets a blank stare when he asks for logs, the lack of which impedes an investigation.
Yikes! I just don’t understand why something as simple as enabling logging isn’t part of the system deployment process in every organization. Is it because it is difficult to enable logging? In a word…no. I don’t know of a single system administrator who hasn’t heard of SNARE. Is it because configuring a central log repository is difficult? I’m going to reuse my aforementioned ‘no’. Dust off that old PC sitting in your storage closet, download your Linux distribution of choice (use Ubuntu if you’re not very familiar with Linux), install it, and follow some easy instructions on configuring remote syslog. This may not fit your environment, however, if you have a lot of devices that you need to collect logs from.
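A concrete form of the central syslog collector sketched above, written here as an added example (it is not from the article or this post): an rsyslog configuration for the collector box and for each host that forwards to it. The hostname logserver.example.internal and the directory paths are assumptions, and the configuration uses rsyslog's RainerScript syntax rather than the sysklogd syntax that was common in 2007.

```conf
# --- On the collector (the spare Linux box): /etc/rsyslog.d/10-central.conf ---
# Assumed layout: one directory per sending host under /var/log/remote/.

# Accept syslog over UDP (for legacy devices) and TCP (reliable, preferred).
module(load="imudp")
input(type="imudp" port="514" ruleset="remote")
module(load="imtcp")
input(type="imtcp" port="514" ruleset="remote")

# File name derived from the sender's reported hostname and program name.
# Both fields come from the remote message, so secpath-replace turns any "/"
# in them into "_" so a crafted value cannot steer writes outside /var/log/remote/.
template(name="PerHost" type="string"
         string="/var/log/remote/%HOSTNAME:::secpath-replace%/%PROGRAMNAME:::secpath-replace%.log")

ruleset(name="remote") {
    # Remote messages stay separate from the collector's own /var/log files.
    action(type="omfile" dynaFile="PerHost"
           dirCreateMode="0750" fileCreateMode="0640")
}

# --- On each forwarding host: /etc/rsyslog.d/20-forward.conf ---
global(workDirectory="/var/spool/rsyslog")

# Forward everything over TCP. The disk-assisted queue buffers messages locally
# when the collector is down or overloaded instead of dropping them, and
# resumeRetryCount="-1" keeps retrying until the collector is reachable again.
action(type="omfwd" target="logserver.example.internal" port="514" protocol="tcp"
       queue.type="LinkedList" queue.filename="fwdq"
       queue.maxDiskSpace="1g" queue.saveOnShutdown="on"
       action.resumeRetryCount="-1")
```

Restrict port 514 on the collector to the hosts that are expected to send logs, since UDP syslog in particular carries no sender authentication; rsyslog can also wrap the TCP transport in TLS where the network between hosts and collector is not trusted.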
If building your own centralized logging server isn’t your cup of tea, or if your syslog server is being overloaded, then why not give an enterprise-class solution a try? They’re fairly inexpensive compared to the functionality you receive for your investment.
Also from the article:
David Lang, director of information assurance and forensics at risk management firm Abraxas, also often encounters a lack of logging when investigating intrusions. System administrators tell him they turned off logging because it slows things down too much. “It’s going to cost you some system performance to have logging turned on, but if it’s a critical system, that’s a risk management decision you need to look at,” Lang says.
Enterprise network and systems architects need to start planning for logging as part of their initial design phases. That way they can avoid embarrassing forensic setbacks like those in the article.
I’ve created a LinkedIn Group for supporters of the OSSEC project. To join, please use the following URL: http://www.linkedin.com/e/gis/25424/146D636846D0
If you’re not familiar with OSSEC, it is an Open Source Host-based Intrusion Detection System. It performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, real-time alerting and active response.
It runs on most operating systems, including Linux, OpenBSD, FreeBSD, MacOS, Solaris and Windows. I encourage you to visit http://www.ossec.net, download it, and see what you think 🙂