What information should my audit logs feature?<\/b><\/h3>\n
![\"\"](\"https:\/\/www.n-able.com\/wp-content\/uploads\/blog\/2019\/03\/logging%20body%20pic.jpg\" "\\"\\"")
Any event in an IT system can be included in an audit log. The needs and risks associated with every application and server instance will differ greatly, and it\u2019s these factors that should determine what information you are continually logging and analyzing. However, it\u2019s safe to say that in almost all scenarios, your audit logs should feature these elements:<\/p>\n
- \n
- User ID<\/li>\n
- Terminal identity<\/li>\n
- Log on and log off time and date<\/li>\n
- Systems, data, applications, files, and networks accessed<\/li>\n
- Failed attempts to access systems, data, applications, files, and networks<\/li>\n
- Changes to system configurations and use of system utilities<\/li>\n
- Alarms and other security events<\/li>\n
- Activity from cybersecurity tools like the\u00a0firewall\u00a0<\/a>or\u00a0antivirus software<\/a><\/li>\n<\/ul>\n
How long should audit logs be kept?<\/b><\/h3>\n
The amount of time you should archive event logs depends on the type of log you\u2019re keeping. Your client or organization may have particular requirements and recommendations regarding audit logging, and most forms of logging are subject to regulation. However, if you remain unsure as to how long you should be keeping a given audit log, logging best practices suggest keeping everything for at least one year.<\/p>\n
When setting a length of time with\u00a0event log management<\/a>, it may help to remember that distributed IT networks have significantly changed the practice of audit logging and monitoring. A large enterprise network can feature thousands of server instances or containers, and each of those instances and containers is constantly generating audit logs. As a result, more log data is being created today than ever before. These volumes of data are so massive that companies may reasonably struggle with the question of how to manage and store it all, let alone how to regularly comb through it for important insights about their\u00a0network\u2019s security and performance<\/a>. In order for an enterprise to successfully store all this data for months or a full year, it\u2019s often logistically necessary to use a cloud-based, managed services solution.<\/p>\n
What is application logging?\u00a0<\/b><\/h3>\n
Just like with any other component of your network, activity within your applications needs to be regularly saved and analyzed. One major difference between an\u00a0application log<\/a>\u00a0and other event logs in your IT system, however, is that the log\u2019s format and content are determined by the application rather than your operating system. This is to say, unless you\u2019re developing the application yourself you have little control over what information is featured in log files.<\/p>\n
An application normally contains code to write various types of events to an application log file. The log file can reveal message flow issues and application problems. It can also contain information about user and system actions that have occurred. Logged events typically include the following:<\/p>\n
- \n
- Application exceptions<\/li>\n
- Major events like startups, stops, and restarts, as well as security events.<\/li>\n
- Error events that prevent the application from starting<\/li>\n
- Some debug information<\/li>\n
- SQL logs<\/li>\n<\/ul>\n
What is audit logs security?<\/b><\/h3>\n
In cybersecurity, we have a number of active protection measures we can take, including antivirus software, some form of user authentication, and firewalls. These tools are at the disposal of network security specialists to prevent unauthorized users or users with malicious intent from stealing or destroying assets within that network, while protecting those who are authorized to use those networks. But what happens when, despite all these measures, an attack occurs? Security professionals can turn to their event logs to search for answers.<\/p>\n
When security breaks down and your application or network is compromised, event logging and monitoring can notify you that a problem exists as well as where the breach has occurred, enabling you to stop or limit the damage. It can also help you understand the vulnerabilities that have been exploited by an outside threat so you can attempt to recover or protect that data\u2014or at least do what\u2019s necessary to avoid similar breaches in the future.<\/p>\n
But the mere presence of audit logs isn\u2019t sufficient to protect you from cyberattacks, just like security cameras can\u2019t offer you any intelligence if they aren\u2019t trained on the area you\u2019re trying to protect. Here are some logging and monitoring best practices for ensuring that you are not only logging significant IT events, but that you\u2019re doing so in a way that will be easier to assess in the event of a security breach.<\/p>\n
- \n
- Automate reviews<\/b>A log management software solution is a necessary tool in any IT manager\u2019s arsenal, but it isn\u2019t enough on its own. Logs must not only be collected but carefully reviewed\u2014and in the case of particularly high-risk applications, these reviews should be automatically conducted on an hourly basis. Ideally,\u00a0the solution you use<\/a>\u00a0to do this would not only detect security threats in logs but deploy automated responses, such as blocking IP addresses, changing privileges, and disabling accounts.<\/li>\n
- Maintain manual administrator logs<\/b>Because administrators have so many more permissions than other users, their accounts must be monitored and protected with more vigilance. These users could exercise caution by manually logging their activities, including the times they logged on and off. These manual logs should be handled and analyzed with special attention if possible.<\/li>\n
- Frequently review fault logs<\/b>Errors reported by servers, applications, or by the people who use them are incredibly vital to the work of troubleshooting. Understanding whether a recurring problem is the result of faulty equipment or user error, for instance, can be incredibly difficult without a well-maintained fault log. Logs for incredibly important and\/or high-risk applications like eCommerce platforms should be reviewed and\u00a0analyzed every day<\/a>. Other applications and servers can have their fault logs checked every week or so.<\/li>\n
- Create log redundancy<\/b>Cybercriminals will often try to break into your log files in order to delete any evidence of the breach they committed. That\u2019s why it\u2019s important in logging best practices to record logs both locally and to a remote server that will be harder for criminals to access\u2014discrepancy between the two files will trigger an alarm and prevent a breach from going unnoticed.<\/li>\n
- Make sure system clocks are synchronized<\/b><\/b>In the world of forensics, understanding the exact order of events is essential to piecing together an accurate account of what crimes were committed and by whom. Doing that becomes very difficult if the clock on a particular device is inaccurate, even if it\u2019s only by a minute or two. Regularly check the clocks of all devices in a system to ensure they\u2019re all in sync.<\/li>\n<\/ol>\n
What is unique about the Security Log in Windows?\u00a0<\/b><\/h3>\n
Microsoft offers an activity log specifically for the purposes of detecting attempts at unauthorized access. While the operating system uses its own criteria for determining what events are significant enough to record in the Security Log, administrators have the ability to configure the tool to include any operating system activity they choose.<\/p>\n
The problem is that these specific event log management policies have also become a popular target among hackers. Because administrators have this ability to configure the Security Log, for example, it\u2019s very common for attackers to attempt to compromise administrator accounts and tamper with these records, prompting many companies to create redundancy in their logging as recommended above. Similarly, because the\u00a0Security Log<\/a>\u00a0can only hold a certain number of events, hackers will sometimes try to overload the system by generating so many events that incriminating evidence is overwritten.<\/p>\n
Going forward<\/b><\/h3>\n
- Maintain manual administrator logs<\/b>Because administrators have so many more permissions than other users, their accounts must be monitored and protected with more vigilance. These users could exercise caution by manually logging their activities, including the times they logged on and off. These manual logs should be handled and analyzed with special attention if possible.<\/li>\n
- Automate reviews<\/b>A log management software solution is a necessary tool in any IT manager\u2019s arsenal, but it isn\u2019t enough on its own. Logs must not only be collected but carefully reviewed\u2014and in the case of particularly high-risk applications, these reviews should be automatically conducted on an hourly basis. Ideally,\u00a0the solution you use<\/a>\u00a0to do this would not only detect security threats in logs but deploy automated responses, such as blocking IP addresses, changing privileges, and disabling accounts.<\/li>\n