Monitoring

Cards (31)

  • Logging is the process of recording events as they take place on a computer system. These events can be:
    • Problems and errors
    • Information about current operations
  • Some of the purposes of logging are:
    • Troubleshooting: Logs are a valuable tool for troubleshooting errors. For instance, if a server fails to start, we look at its logs to discover where it failed and what prevented it from starting.
    • Monitoring: Logs provide plenty of insight into the utilisation of a system’s resources. Consider the case where a server is slow and we want to find the bottleneck affecting its performance. The system might be running low on memory, or the CPU might sit at 100% utilisation for non-trivial durations. Logs provide the insight needed to pinpoint and solve the problem.
    • Auditing: Logs record users’ activities on a given system. On an audited system, we want to know who logged in, what files they accessed, and what changes they made. This information is necessary to audit a system or investigate any incident.
    • Compliance: Logs can be a requirement to maintain compliance with relevant regulations. For instance, financial institutions need to keep logs of all financial transactions that take place.
  • Linux logs are an essential part of Linux system administration, as they provide a view into the system’s operation and reveal issues as they happen. This information can include errors, warnings, and security alerts, in addition to more innocuous events. Most Linux distributions store the log files and directories under /var/log.
    • An example /var/log directory listing is shown in the terminal below:
  • Linux Logs:
    • The importance of Linux logs lies in troubleshooting and monitoring as they help admins identify suspicious activities, diagnose system hardware and software problems, track system health, and gauge performance. For handling logs, many Linux distributions use system logging daemons like rsyslog, syslog-ng, and journald to manage, process, and store log events.
  • Linux Log Types
    There are several different types of logs on a Linux system. Some common types of logs include:
    • System logs: These logs contain information about the general health and operation of the system.
    • Application logs: These logs contain information about the specific applications running on the system.
    • Security logs: These logs contain information about security-related events, such as login and failed authentication attempts.
  • Managing Logs on a Linux System
    To efficiently work with Linux logs, we need to consider the following:
    • Log to a central location
    • Use a tool to filter and parse the logs
    • Setup alerts
    Configuring a Linux system to log to a central location is essential. This setup makes it easier to collect and manage our logs, and it keeps a copy of the evidence off the host in case an attacker tampers with the local files.
    Additionally, we should use a tool that can filter and parse the generated logs. This will help us find the information we need quickly and easily.
    Finally, we should set up alerts to notify us of important events.
  • Linux Logs:
    • One efficient command-line tool for auditing system logs on a Linux system running auditd is aureport. You can get a summary of the events using the command aureport --summary. If you are only interested in the failed events, you can use aureport --failed as shown in the terminal window below.
  • The following command ausearch --message USER_LOGIN --success yes --interpret returns successful logins, while ausearch --message USER_LOGIN --success no --interpret returns the failed logins. The options are:
    • --message is followed by the audit message type we want to search for. Message types include USER_LOGIN, DEL_USER, ADD_GROUP, USER_CHAUTHTOK, DEL_GROUP, CHGRP_ID, ROLE_ASSIGN, and ROLE_REMOVE.
    • --success is followed by yes or no depending on whether you are searching for successful or unsuccessful attempts, respectively.
    • --interpret converts numeric entities, such as UID (User ID), into text.
  • Linux Logs:
    If we only want to display the failed login attempts for the root account, we can pipe the output via grep. The command becomes ausearch --message USER_LOGIN --success no --interpret | grep ct=root.
    • The command above would result in a very long list. Since we are interested in counting the lines, we can pipe the output again through wc -l. wc is used for counting characters, words, and lines. The -l will only display the line count. Consequently, a straightforward way to count the number of failed root logins is by issuing the following command.
  • Linux Logs:
    ausearch -m USER_LOGIN -sv no -i | grep ct=root | wc -l
    76
    • The output above tells us that 76 failed login attempts have been made against the root account. Here -m, -sv and -i are the short forms of --message, --success and --interpret.
    • To list only the failed events, use: aureport --failed
    • ausearch --message USER_LOGIN --success yes --interpret returns successful logins
    • ausearch --message USER_LOGIN --success no --interpret returns the failed logins
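    The ausearch pipeline above does three things: it filters audit records by type and result, interprets encoded fields into readable text, and counts the matches. The Python script below is an added example written for this page (it is not part of the original cards, nor code from the audit tools) that performs the same steps over a handful of constructed auditd records embedded in the script, and generalises them: it counts failed and successful logins for every account in one pass, and raises an alert when one source address reaches a threshold of failures inside a time window, which is the filter, parse and alert workflow described under Managing Logs. The sample records, the UID table, the hex-encoded account name and the thresholds are all assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed auditd USER_LOGIN/USER_AUTH records in raw (un-interpreted) form.
# They imitate the layout auditd writes to /var/log/audit/audit.log; they are
# not copied from a real system.
SAMPLE_AUDIT_LOG = """\
type=USER_LOGIN msg=audit(1700000001.101:201): pid=811 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.5 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1700000002.102:202): pid=812 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.5 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1700000003.103:203): pid=813 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.5 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1700000004.104:204): pid=814 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=198.51.100.7 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1700000005.105:205): pid=815 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct=6261642075736572 exe="/usr/sbin/sshd" hostname=? addr=203.0.113.5 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1700000006.106:206): pid=816 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=ssh res=failed'
"""

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Fields auditd stores as "untrusted strings": quoted when printable, otherwise
# hex-encoded. Only these are candidates for hex decoding.
HEX_FIELDS = {"acct", "exe", "hostname", "cwd", "cmd"}
# Constructed stand-in for /etc/passwd; ausearch --interpret consults the real one.
UID_NAMES = {0: "root", 1000: "alice"}


def decode_value(key, raw):
    """Do for one field what ausearch --interpret does: strip the quotes, or
    hex-decode a value auditd encoded because it held spaces or quotes."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    if key in HEX_FIELDS and re.fullmatch(r"(?:[0-9A-F]{2})+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def parse_record(line):
    """Parse one raw audit line into a dict; return None for non-audit lines."""
    header = HEADER_RE.match(line)
    if not header:
        return None
    rec = {"type": header.group(1), "time": float(header.group(2)),
           "serial": int(header.group(3))}
    # The outer key=value list is followed by a nested one inside msg='...'.
    inner = re.search(r"msg='([^']*)'", line)
    outer = line[header.end():inner.start()] if inner else line[header.end():]
    for key, raw in FIELD_RE.findall(outer):
        rec[key] = decode_value(key, raw)
    if inner:
        for key, raw in FIELD_RE.findall(inner.group(1)):
            rec[key] = decode_value(key, raw)
    # A successful login records the numeric uid as id=; resolve it to a name
    # so every record carries an acct field, as interpreted output does.
    if "acct" not in rec and rec.get("id", "").isdigit():
        rec["acct"] = UID_NAMES.get(int(rec["id"]), rec["id"])
    return rec


def parse_audit_log(text):
    return [r for r in map(parse_record, text.splitlines()) if r]


def count_by_account(records, msg_type="USER_LOGIN", success=False):
    """Equivalent of `ausearch -m TYPE -sv yes|no -i | grep acct=NAME | wc -l`,
    but one pass that returns the count for every account at once."""
    wanted = "success" if success else "failed"
    return Counter(r["acct"] for r in records
                   if r["type"] == msg_type and r.get("res") == wanted and "acct" in r)


def failed_login_alerts(records, threshold=3, window_seconds=60):
    """Alerting step: report each source address whose failed USER_LOGIN records
    reach `threshold` within any `window_seconds` span (sliding window)."""
    times_by_addr = defaultdict(list)
    for r in records:
        if r["type"] == "USER_LOGIN" and r.get("res") == "failed":
            times_by_addr[r.get("addr", "?")].append(r["time"])
    alerts = []
    for addr, times in sorted(times_by_addr.items()):
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append((addr, peak))
    return alerts


RECORDS = parse_audit_log(SAMPLE_AUDIT_LOG)

if __name__ == "__main__":
    print("failed logins by account:", dict(count_by_account(RECORDS)))
    print("successful logins by account:", dict(count_by_account(RECORDS, success=True)))
    print("alerts:", failed_login_alerts(RECORDS))
```

    Two details worth noting against the page's pipeline: a grep for a single account name is replaced by a per-account count, so a spray across many accounts is visible as well as a hammering of root, and the hex-encoded account name (auditd's way of storing names containing spaces or quotes) is decoded before counting, which is exactly what --interpret does and what a plain grep on the raw file would miss.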
  • Windows logs, sometimes referred to as event logs, form an integral part of the operating system’s functionalities, providing insights into system behaviour and potential issues.
  • Windows Logs:
    • System Logs: This records activity associated with the system components, such as driver failure, resource conflict, and hardware issues. For IT professionals, they serve as sources of critical diagnostics information.
    • Application Logs: This type concerns the individual applications installed on the system. When issues manifest around a specific application, such as failing to connect to a database or process-related bottlenecks, these logs come in handy to determine why the failure occurred.
  • Windows Logs:
    • Security Logs: Specialised logs designed to track security events. They cover events such as logon and logoff actions, user rights assignments, policy changes, and security-related anomalies. For security professionals, this is often the first place to check when investigating a security incident.
  • Windows Logs:
    • Forwarded Events Logs: This log holds events collected from other computers on the network through Windows Event Forwarding. It acts as a collated view, pulling events from multiple sources into one centralised log, which makes it ideal for monitoring and analysis in a networked environment where data from many machines must be assembled into one cohesive picture.
  • Linux Logs vs Windows Logs:
    Location:
    • Linux: /var/log (plain-text files)
    • Windows: %SystemRoot%\System32\winevt\Logs (.evtx files)
    Format:
    • Linux: Syslog (plain text)
    • Windows: EventLog (binary EVTX, read through the Event Log API)
    Logging Levels:
    • Linux (syslog severities): Debug, Info, Notice, Warning, Error, Critical, Alert, Emergency
    • Windows (event levels): Verbose, Information, Warning, Error, Critical
  • Linux Logs vs Windows Logs:
    Tools for viewing logs:
    • Linux: tail, grep, less (and journalctl where journald is in use)
    • Windows: Event Viewer (and Get-WinEvent from PowerShell)
  • Windows Logs:
    Audit Policy
    Microsoft Windows makes it possible to audit various aspects of the system. Here is a list of example events you can audit:
    • Account logon events
    • Account management
    • Privilege use
    • Directory service access
    • Policy change
    • System events
  • Information systems monitoring involves continuously observing and checking an IT system’s performance and metrics. It can include reviewing processes, users, workflows, transactions, data storage, applications, servers, networks, and security protocols. It’s a proactive technical system that helps identify potential disruptions before they cause serious issues or system shutdowns.
  • Monitoring is crucial for several reasons:
    • Troubleshooting and Maintenance: Monitoring data helps IT support teams identify and rectify operational faults more efficiently, ensuring systems run smoothly and effectively with minimum downtime.
    • Performance Optimisation: By keeping track of information usage, transmission rates, and latency, fine-tuning strategies can be applied to optimise the performance of the systems.
  • Monitoring is crucial for several reasons:
    • Preventing Failures: Proactively spotting potential issues or irregular patterns, such as close-to-capacity servers or faulty hardware, forms a significant aspect of preventing more significant failures.
    • Security Risk Mitigation: Continuous monitoring helps identify unauthorised access, security breaches, or malicious activity, enabling immediate reaction and thus enhancing system security.
  • Monitoring is crucial for several reasons:
    • Regulatory Compliance: Continuous monitoring is crucial for organisations under regulatory controls to meet and prove compliance with data protection and privacy laws.
  • A log typically records events or activities that software or systems perform, as discussed in the previous tasks.
    While both involve in-depth analysis of system behaviour, the key difference between logging and monitoring lies in their primary functions and use. Logging provides a historical account of events for later analysis or audit review; it is essential for diagnostics, forensics, and compliance purposes. Monitoring is a real-time, continuous process used to detect issues or anomalies immediately; it ensures effective operational control, security, and optimal performance.
  • Logging vs Monitoring:
    Key Objectives:
    • Logging: Error diagnosis, accountability and providing detailed context
    • Monitoring: Stopping small issues from escalating into larger problems
  • Security Information and Event Management (SIEM) is a set of integrated management technologies that provide a holistic view of an organisation’s information security. SIEM systems collect and aggregate log data generated throughout the organisation’s IT infrastructure from network devices, systems, and applications.
    • SIEM software then identifies and categorises incidents and events and analyses them. This analysis can be beneficial for identifying issues such as security threats, compromised systems, and malicious activities. It can also help with potential incident response actions.
  • SIEM Process:
  • The key capabilities of SIEM technology include:
    • Data Aggregation: It can collect data from many sources, such as network devices, security controls, servers, and databases, providing a global perspective of the IT environment.
    • Correlation and analysis: SIEM systems can correlate different events and logs to see patterns of possible malicious activity.
    • Alerting and reporting: Based on the analysis performed on data, SIEM can automatically raise alerts upon identifying any abnormal activity and create dashboards/reports for IT administrators.
  • The key capabilities of SIEM technology include:
    • Forensic Analysis: It helps perform historical analysis against the event data for investigating and mitigating cyber threats.
    • Threat intelligence Feeds: Many SIEM tools integrate threat intelligence feeds to enhance incident detection and proactively identify external threats.
    • Automation and Orchestration: Some sophisticated SIEMs also have the capability to respond automatically to certain detected incidents, for example by blocking IP addresses or deactivating vulnerable services.
  • SIEM is a vital tool for ensuring compliance with internal and external security policies and maintaining a solid security posture across an organisation.
    • There are many SIEM solutions available such as Wazuh and Splunk.
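    As an added example, not taken from the original page or from any SIEM product, the Python below sketches the aggregation, correlation, alerting and threat-intelligence enrichment capabilities listed above in a few dozen lines: records from a Windows Security log (event IDs 4624 and 4625) and from Linux auditd are normalised into one schema, a correlation rule fires when a single source address produces several failed logons across different hosts and log sources followed by a successful logon, and the resulting alert is enriched against a threat-intelligence list. The host names, addresses, timestamps and feed are constructed sample data; the `host` key on the Linux records is assumed to be added by the collector, since auditd itself does not record it by default.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """Common schema every collector normalises into (the aggregation step)."""
    ts: float        # epoch seconds
    source: str      # which log the event came from
    host: str
    user: str
    src_ip: str
    outcome: str     # "success" or "failure"


def from_windows_security(rec):
    """Normalise a Windows Security log record: 4625 = failed logon, 4624 = logon."""
    outcome = {4624: "success", 4625: "failure"}.get(rec["EventID"])
    if outcome is None:          # other IDs (e.g. 4672) are not logon outcomes
        return None
    return Event(rec["TimeCreated"], "windows-security", rec["Computer"],
                 rec["TargetUserName"], rec["IpAddress"], outcome)


def from_linux_audit(rec):
    """Normalise an interpreted auditd USER_LOGIN record (res=success|failed)."""
    if rec["type"] != "USER_LOGIN":
        return None
    return Event(rec["time"], "linux-audit", rec["host"], rec["acct"],
                 rec["addr"], "success" if rec["res"] == "success" else "failure")


# Constructed sample records from two collectors; not real logs.
WINDOWS_SAMPLE = [
    {"EventID": 4625, "TimeCreated": 1000.0, "Computer": "WS01", "TargetUserName": "alice", "IpAddress": "203.0.113.5"},
    {"EventID": 4625, "TimeCreated": 1010.0, "Computer": "WS01", "TargetUserName": "alice", "IpAddress": "203.0.113.5"},
    {"EventID": 4625, "TimeCreated": 1200.0, "Computer": "WS02", "TargetUserName": "bob", "IpAddress": "198.51.100.7"},
    {"EventID": 4624, "TimeCreated": 1210.0, "Computer": "WS02", "TargetUserName": "bob", "IpAddress": "198.51.100.7"},
    {"EventID": 4624, "TimeCreated": 1150.0, "Computer": "WS01", "TargetUserName": "alice", "IpAddress": "203.0.113.5"},
    {"EventID": 4672, "TimeCreated": 1151.0, "Computer": "WS01"},
]
LINUX_SAMPLE = [
    {"type": "USER_LOGIN", "time": 1020.0, "host": "srv01", "acct": "root", "addr": "203.0.113.5", "res": "failed"},
    {"type": "USER_LOGIN", "time": 1030.0, "host": "srv01", "acct": "admin", "addr": "203.0.113.5", "res": "failed"},
    {"type": "USER_AUTH", "time": 1031.0, "host": "srv01", "acct": "admin", "addr": "203.0.113.5", "res": "failed"},
]
THREAT_FEED = {"203.0.113.5"}   # constructed indicator list


def aggregate(windows_records, linux_records):
    """Aggregation: pull every collector into one time-ordered stream."""
    events = [from_windows_security(r) for r in windows_records]
    events += [from_linux_audit(r) for r in linux_records]
    return sorted((e for e in events if e), key=lambda e: e.ts)


def correlate_failures_then_success(events, min_failures=3, window_seconds=300):
    """Correlation rule: a source IP with >= min_failures failed logons (on any
    host, from any log source) within window_seconds, followed by a successful
    logon from the same IP. A single-host or single-log view would miss this."""
    recent_failures = defaultdict(deque)
    alerts = []
    for e in events:
        q = recent_failures[e.src_ip]
        while q and e.ts - q[0].ts > window_seconds:
            q.popleft()                      # expire failures outside the window
        if e.outcome == "failure":
            q.append(e)
        elif len(q) >= min_failures:
            alerts.append({
                "rule": "brute-force-then-success",
                "src_ip": e.src_ip, "user": e.user, "host": e.host, "ts": e.ts,
                "failures": len(q),
                "hosts_targeted": sorted({f.host for f in q}),
                "log_sources": sorted({f.source for f in q}),
            })
            q.clear()
    return alerts


def enrich(alerts, threat_feed):
    """Threat-intel enrichment: flag alerts whose source is on a known-bad list."""
    for a in alerts:
        a["known_bad_ip"] = a["src_ip"] in threat_feed
        a["severity"] = "high" if a["known_bad_ip"] else "medium"
    return alerts


def run_pipeline(windows_records=WINDOWS_SAMPLE, linux_records=LINUX_SAMPLE,
                 threat_feed=THREAT_FEED):
    events = aggregate(windows_records, linux_records)
    return enrich(correlate_failures_then_success(events), threat_feed)


if __name__ == "__main__":
    for alert in run_pipeline():
        print(alert)
```

    The point the example makes is the one the cards make in prose: the two Windows failures on WS01 and the two auditd failures on srv01 are each below any sensible per-host threshold, and the eventual 4624 on WS01 looks like an ordinary logon on its own; only after the records are brought into one schema and correlated by source address does the sequence stand out, and the threat-intelligence lookup then sets the priority.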
  • Logging & Monitoring Table: