
By: Tamas Szucs
March 30, 2017
Logging Settings and Procedures

Logging procedures
Necessary information
The list below indicates the event types for which logging is necessary in the IT infrastructure, as far as the event type is meaningful for the given system.
1. Successful and unsuccessful access attempts
2. Creation and deletion of users
3. Changes to user permissions
4. Creation, deletion and modification of roles
5. Software startup and shutdown
6. Changes to the configuration of the logging subsystem
7. Creation of reports, exports and imports
8. Messages relating to access-rights violations
9. Start, stop and restart of the logging feature
10. Changes to logging options
11. Deletion of log files
12. System stop and restart
13. System events and system errors
14. Creation, modification, deletion and access of system files
15. Configuration options that affect the operation of the system
16. Log file configuration and parameter changes
17. Check-in and check-out time, place and person
18. Direct database access and direct data modification
19. Direct database changes
20. Application entry and exit
21. Start and stop of each application module
22. Failed user actions
23. Application-level transactions (who, when, what, and what was changed)
24. Setting and/or changing application-level parameters
25. Adding, modifying and deleting users in user groups
26. Application-level software changes: upgrades, installation or removal of existing modules, new modules
27. Sensitive file-system integrity
28. Administrative integrity of sensitive data files
29. Permissions for privileged-user creation
30. Password change
31. Four-eyes principle processes
32. Entries outside working hours
Log Analysis
The following event types belong to the log analysis topic:
7. Creation of reports, exports and imports
31. Four-eyes principle processes
32. Entries outside working hours
In some cases an event type cannot be logged by the service itself, but the underlying operating system can log it. In many cases the events the operating system logs about the service are irrelevant, because we want to log the events related to the service itself.
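As an added example (not part of the original document), the following Python derives event type 32, entries outside working hours, from forwarded Linux sshd syslog lines, the way a log analysis step would; the sample lines, the working-hours window and the host name are constructed.

```python
"""Detect 'outside working time' entries (event type 32) in syslog-style lines.
Added example; the sample log, the working-hours window and the host are constructed."""
import re
from datetime import datetime

# Constructed sample: sshd entries as forwarded to a central log server.
SAMPLE_LOG = """\
Mar 30 08:15:02 srv01 sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2
Mar 30 12:40:11 srv01 sshd[1388]: Failed password for bob from 10.0.0.9 port 50201 ssh2
Mar 30 22:03:45 srv01 sshd[1502]: Accepted password for bob from 10.0.0.9 port 50233 ssh2
Mar 31 02:17:09 srv01 sshd[1610]: Accepted publickey for root from 10.0.0.12 port 50310 ssh2
Mar 31 09:00:00 srv01 sshd[1700]: Accepted publickey for alice from 10.0.0.5 port 50400 ssh2
"""

WORK_START, WORK_END = 8, 18   # assumed working hours: 08:00 <= t < 18:00
WORK_DAYS = range(0, 5)        # Monday..Friday (datetime.weekday numbering)

LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for (?P<user>\S+) from (?P<src>\S+)"
)


def parse(line, year):
    """Parse one sshd syslog line into a dict, or None if it is not a login event.
    Classic syslog timestamps carry no year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "user": m["user"], "src": m["src"],
            "success": m["result"] == "Accepted"}


def outside_working_time(entry):
    """True when the entry falls on a non-working day or outside the hour window."""
    ts = entry["ts"]
    return ts.weekday() not in WORK_DAYS or not (WORK_START <= ts.hour < WORK_END)


def find_out_of_hours_logins(log_text, year=2017):
    """Successful logins (event type 1) that fall outside working hours (event type 32).
    Returns (timestamp, user, source address) tuples for analyst review."""
    hits = []
    for line in log_text.splitlines():
        e = parse(line, year)
        if e and e["success"] and outside_working_time(e):
            hits.append((e["ts"].isoformat(sep=" "), e["user"], e["src"]))
    return hits


if __name__ == "__main__":
    for hit in find_out_of_hours_logins(SAMPLE_LOG):
        print("out-of-hours login:", *hit)
```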
Logged systems and devices
The list gives examples of the system types present in the IT infrastructure that are logged.
- Zorp firewall
- Cisco ASA
- Cisco switch
- VMware vCenter
- Linux server
- Windows server
- Active Directory
- Apache server
- Novell GroupWise
- JBoss
- McAfee ePO
- Symantec Antivirus
- Oracle database
Logged data of logged systems
The following is an example list of the data logged by the system types present in the IT infrastructure.
Zorp firewall
The following events can be logged by the Zorp firewall itself, as a service:
1. Successful and unsuccessful access attempts
9. Start, stop and restart of the logging feature
13. System events and system errors
17. Check-in and check-out time, place and person
20. Application entry and exit
21. Start and stop of each application module
22. Failed user actions
The following events can be logged at the operating system level of the firewall:
2. Creation and deletion of users
3. Changes to user permissions
4. Creation, deletion and modification of roles
5. Software startup and shutdown
6. Changes to the configuration of the logging subsystem
8. Messages relating to access-rights violations
10. Changes to logging options
11. Deletion of log files
12. System stop and restart
14. Creation, modification, deletion and access of system files
15. Configuration options that affect the operation of the system
16. Log file configuration and parameter changes
24. Setting and/or changing application-level parameters
25. Adding, modifying and deleting users in user groups
26. Application-level software changes: upgrades, installation or removal of existing modules, new modules
27. Sensitive file-system integrity
28. Administrative integrity of sensitive data files
30. Password change
Cisco ASA
The following events can be logged by the Cisco ASA:
1. Successful and unsuccessful access attempts
2. Creation and deletion of users
3. Changes to user permissions
4. Creation, deletion and modification of roles
6. Changes to the configuration of the logging subsystem
10. Changes to logging options
11. Deletion of log files
12. System stop and restart
13. System events and system errors
15. Configuration options that affect the operation of the system
16. Log file configuration and parameter changes
17. Check-in and check-out time, place and person
30. Password change
Cisco switch
The following events can be logged by the Cisco switch:
1. Successful and unsuccessful access attempts
2. Creation and deletion of users
3. Changes to user permissions
4. Creation, deletion and modification of roles
6. Changes to the configuration of the logging subsystem
10. Changes to logging options
11. Deletion of log files
12. System stop and restart
13. System events and system errors
15. Configuration options that affect the operation of the system
16. Log file configuration and parameter changes
17. Check-in and check-out time, place and person
30. Password change
VMware vCenter
The following events can be logged by VMware vCenter:
1. Successful and unsuccessful access attempts
2. Creation and deletion of users
3. Changes to user permissions
4. Creation, deletion and modification of roles
5. Software startup and shutdown
8. Messages relating to access-rights violations
11. Deletion of log files
12. System stop and restart
13. System events and system errors
14. Creation, modification, deletion and access of system files
15. Configuration options that affect the operation of the system
16. Log file configuration and parameter changes
17. Check-in and check-out time, place and person
20. Application entry and exit
21. Start and stop of each application module
22. Failed user actions
23. Application-level transactions (who, when, what, and what was changed)
25. Adding, modifying and deleting users in user groups
27. Sensitive file-system integrity
28. Administrative integrity of sensitive data files
29. Permissions for privileged-user creation
30. Password change
Linux server
The following events can be logged by the Linux server:
1. Successful and unsuccessful access attempts
2. Creation and deletion of users
3. Changes to user permissions
4. Creation, deletion and modification of roles
5. Software startup and shutdown
6. Changes to the configuration of the logging subsystem
8. Messages relating to access-rights violations
9. Start, stop and restart of the logging feature
10. Changes to logging options
11. Deletion of log files
12. System stop and restart
13. System events and system errors
14. Creation, modification, deletion and access of system files
15. Configuration options that affect the operation of the system
16. Log file configuration and parameter changes
17. Check-in and check-out time, place and person
21. Start and stop of each application module
27. Sensitive file-system integrity
28. Administrative integrity of sensitive data files
30. Password change
Windows server
The following events can be logged by the Windows server:
1. Successful and unsuccessful access attempts
2. Creation and deletion of users
3. Changes to user permissions
4. Creation, deletion and modification of roles
5. Software startup and shutdown
6. Changes to the configuration of the logging subsystem
8. Messages relating to access-rights violations
9. Start, stop and restart of the logging feature
10. Changes to logging options
11. Deletion of log files
12. System stop and restart
13. System events and system errors
14. Creation, modification, deletion and access of system files
15. Configuration options that affect the operation of the system
16. Log file configuration and parameter changes
17. Check-in and check-out time, place and person
21. Start and stop of each application module
27. Sensitive file-system integrity
28. Administrative integrity of sensitive data files
30. Password change
Active Directory
The following events can be logged by Active Directory itself, as a service:
1. Successful and unsuccessful access attempts
2. Creation and deletion of users
3. Changes to user permissions
4. Creation, deletion and modification of roles
13. System events and system errors
17. Check-in and check-out time, place and person
20. Application entry and exit
22. Failed user actions
23. Application-level transactions (who, when, what, and what was changed)
24. Setting and/or changing application-level parameters
25. Adding, modifying and deleting users in user groups
29. Permissions for privileged-user creation
30. Password change
The following events can be logged at the operating system level of the Active Directory server:
5. Software startup and shutdown
6. Changes to the configuration of the logging subsystem
8. Messages relating to access-rights violations
10. Changes to logging options
11. Deletion of log files
12. System stop and restart
14. Creation, modification, deletion and access of system files
15. Configuration options that affect the operation of the system
16. Log file configuration and parameter changes
21. Start and stop of each application module
26. Application-level software changes: upgrades, installation or removal of existing modules, new modules
27. Sensitive file-system integrity
28. Administrative integrity of sensitive data files
Apache server
The following events can be logged by Apache itself, as a service:
6. Changes to the configuration of the logging subsystem
11. Deletion of log files
14. Creation, modification, deletion and access of system files
15. Configuration options that affect the operation of the system
16. Log file configuration and parameter changes
21. Start and stop of each application module
27. Sensitive file-system integrity
28. Administrative integrity of sensitive data files
The following events can be logged at the operating system level of the Apache server:
1. Successful and unsuccessful access attempts
2. Creation and deletion of users
3. Changes to user permissions
4. Creation, deletion and modification of roles
5. Software startup and shutdown
8. Messages relating to access-rights violations
10. Changes to logging options
12. System stop and restart
13. System events and system errors
17. Check-in and check-out time, place and person
24. Setting and/or changing application-level parameters
25. Adding, modifying and deleting users in user groups
26. Application-level software changes: upgrades, installation or removal of existing modules, new modules
30. Password change
Novell GroupWise
The following events can be logged by Novell GroupWise:
1. Successful and unsuccessful access attempts
5. Software startup and shutdown
12. System stop and restart
13. System events and system errors
15. Configuration options that affect the operation of the system
16. Log file configuration and parameter changes
17. Check-in and check-out time, place and person
20. Application entry and exit
21. Start and stop of each application module
24. Setting and/or changing application-level parameters
JBoss
The following events can be logged by JBoss itself, as a service:
1. Successful and unsuccessful access attempts
13. System events and system errors
17. Check-in and check-out time, place and person
20. Application entry and exit
The following events can be logged at the operating system level of the JBoss server:
2. Creation and deletion of users
3. Changes to user permissions
4. Creation, deletion and modification of roles
5. Software startup and shutdown
6. Changes to the configuration of the logging subsystem
8. Messages relating to access-rights violations
10. Changes to logging options
11. Deletion of log files
12. System stop and restart
14. Creation, modification, deletion and access of system files
15. Configuration options that affect the operation of the system
16. Log file configuration and parameter changes
24. Setting and/or changing application-level parameters
25. Adding, modifying and deleting users in user groups
26. Application-level software changes: upgrades, installation or removal of existing modules, new modules
27. Sensitive file-system integrity
28. Administrative integrity of sensitive data files
McAfee ePO
The following events can be logged by McAfee ePO itself, as a service:
1. Successful and unsuccessful access attempts
2. Creation and deletion of users
3. Changes to user permissions
4. Creation, deletion and modification of roles
5. Software startup and shutdown
6. Changes to the configuration of the logging subsystem
8. Messages relating to access-rights violations
9. Start, stop and restart of the logging feature
10. Changes to logging options
11. Deletion of log files
12. System stop and restart
13. System events and system errors
14. Creation, modification, deletion and access of system files
15. Configuration options that affect the operation of the system
16. Log file configuration and parameter changes
17. Check-in and check-out time, place and person
18. Direct database access and direct data modification
19. Direct database changes
21. Start and stop of each application module
24. Setting and/or changing application-level parameters
26. Application-level software changes: upgrades, installation or removal of existing modules, new modules
27. Sensitive file-system integrity
28. Administrative integrity of sensitive data files
30. Password change
The following events can be logged at the operating system level of the McAfee ePO server:
21. Start and stop of each application module
25. Adding, modifying and deleting users in user groups
29. Permissions for privileged-user creation
Symantec Antivirus
The following events can be logged by Symantec Antivirus itself, as a service:
5. Software startup and shutdown
12. System stop and restart
13. System events and system errors
15. Configuration options that affect the operation of the system
16. Log file configuration and parameter changes
21. Start and stop of each application module
22. Failed user actions
24. Setting and/or changing application-level parameters
26. Application-level software changes: upgrades, installation or removal of existing modules, new modules
The following events can be logged at the operating system level of the Symantec Antivirus server:
2. Creation and deletion of users
3. Changes to user permissions
4. Creation, deletion and modification of roles
8. Messages relating to access-rights violations
11. Deletion of log files
14. Creation, modification, deletion and access of system files
25. Adding, modifying and deleting users in user groups
27. Sensitive file-system integrity
28. Administrative integrity of sensitive data files
29. Permissions for privileged-user creation
Oracle database
The following events can be logged by the Oracle database:
1. Successful and unsuccessful access attempts
2. Creation and deletion of users
3. Changes to user permissions
4. Creation, deletion and modification of roles
5. Software startup and shutdown
6. Changes to the configuration of the logging subsystem
8. Messages relating to access-rights violations
10. Changes to logging options
11. Deletion of log files
12. System stop and restart
13. System events and system errors
14. Creation, modification, deletion and access of system files
15. Configuration options that affect the operation of the system
16. Log file configuration and parameter changes
17. Check-in and check-out time, place and person
18. Direct database access and direct data modification
19. Direct database changes
20. Application entry and exit
21. Start and stop of each application module
22. Failed user actions
23. Application-level transactions (who, when, what, and what was changed)
24. Setting and/or changing application-level parameters
25. Adding, modifying and deleting users in user groups
26. Application-level software changes: upgrades, installation or removal of existing modules, new modules
27. Sensitive file-system integrity
28. Administrative integrity of sensitive data files
29. Permissions for privileged-user creation
30. Password change
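As an added example (not part of the original document), the following Python encodes a subset of the matrix above (Zorp firewall, Cisco ASA, Linux server, Active Directory) and reports, per system, the required event types that neither the service nor the operating system layer can log; event types 7, 31 and 32 are left out of the gaps because the log analysis section assigns them to analysis rather than to a log source. The data structure and function names are mine.

```python
"""Coverage audit of the logging requirements matrix.
Added example; encodes four systems from this page's matrix and reports which of
the 32 required event types no layer of a given system can log."""
from dataclasses import dataclass, field

REQUIRED_EVENTS = set(range(1, 33))   # event types 1..32 from the master list
LOG_ANALYSIS_EVENTS = {7, 31, 32}     # derived by log analysis, not by a log source


@dataclass
class LoggedSystem:
    name: str
    service: set                          # logged by the service/application itself
    os: set = field(default_factory=set)  # logged only at the operating system level


# Subset of the page's matrix (the full matrix covers 13 system types).
SYSTEMS = [
    LoggedSystem("Zorp firewall",
                 service={1, 9, 13, 17, 20, 21, 22},
                 os={2, 3, 4, 5, 6, 8, 10, 11, 12, 14, 15, 16, 24, 25, 26, 27, 28, 30}),
    LoggedSystem("Cisco ASA",
                 service={1, 2, 3, 4, 6, 10, 11, 12, 13, 15, 16, 17, 30}),
    LoggedSystem("Linux server",
                 service={1, 2, 3, 4, 5, 6, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 21, 27, 28, 30}),
    LoggedSystem("Active Directory",
                 service={1, 2, 3, 4, 13, 17, 20, 22, 23, 24, 25, 29, 30},
                 os={5, 6, 8, 10, 11, 12, 14, 15, 16, 21, 26, 27, 28}),
]


def coverage_gaps(system):
    """Required event types that neither the service nor the OS layer logs.
    Log-analysis event types (7, 31, 32) are not counted as gaps."""
    covered = system.service | system.os
    return sorted(REQUIRED_EVENTS - covered - LOG_ANALYSIS_EVENTS)


def os_only(system):
    """Event types available only from the OS layer. The text notes that OS entries
    about a service are often irrelevant, so these need a manual relevance check."""
    return sorted(system.os - system.service)


def audit(systems=SYSTEMS):
    """Map each system name to its coverage gaps and OS-only event types."""
    return {s.name: {"gaps": coverage_gaps(s), "os_only": os_only(s)} for s in systems}


if __name__ == "__main__":
    for name, result in audit().items():
        print(f"{name}: not logged {result['gaps']}; OS level only {result['os_only']}")
```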
Logging settings
The following settings are required on the logged systems.
Cisco ASA
Recommended log settings of the Cisco ASA:
config t
logging enable
logging timestamp
logging buffered informational
logging trap informational
logging asdm warnings
logging queue 2048
logging device-id hostname
show run interface
logging host INTERFACE_NAME SYSLOG_HOST_IP 6/1470
logging permit-hostdown
VMware vCenter
Recommended log settings of the VMware vCenter in the CLI (use tcp:// instead of udp:// for TCP transport):
esxcli system syslog config set --loghost=udp://SYSLOG_HOST_IP:514
Recommended log settings of the VMware vCenter:
VMware vCenter → Server settings → Logging options → Normal
Linux server
Standard log settings
Recommended settings in syslog (the @ prefix sends the entries to the remote log server):
*.info @<IP-address_of_logserver>
Recommended settings in syslog-ng (level(info..emerg) selects info and every more severe level, matching *.info above; a bare level(info) would select only info-level messages):
source s_local { unix-dgram("/dev/log"); internal(); };
filter f_info { level(info..emerg); };
destination d_network {
    network("IP-address_of_logserver" transport("udp"));  # or "tcp"
};
log { source(s_local); filter(f_info); destination(d_network); };
With the above settings, every generated log entry is transmitted to the central log server.
Log settings of the integrity check
Integrity checks can be performed with rkhunter.
The rkhunter log path is as follows:
/var/log/rkhunter.log*
Log settings of the local firewall
If the iptables local firewall is enabled, then set firewall logging rules for DROP.
Windows server
Standard log settings
On Windows, the operating system settings that control audit log messages are managed through Group Policy.
Successful and unsuccessful logon attempts, for every network service and for the console
1) Computer → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy → Audit logon events → Success, Failure
2) Computer → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Logon/Logoff → Audit Logon → Success, Failure
Create and delete users, and change passwords
4) Computer → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy → Audit account management → Success, Failure
5) Computer → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Account Management → Audit User Account Management → Success, Failure
6) Computer → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Account Management → Audit Other Account Management → Success, Failure
Create, delete and change roles (rights groups)
8) Computer → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Account Management → Audit Application Group Management → Success, Failure
9) Computer → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Account Management → Audit Distribution Group Management → Success, Failure
10) Computer → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Account Management → Audit Security Group Management → Success, Failure
System start, shutdown and restart
11) Computer → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy → Audit system events → Success, Failure
12) Computer → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → System → Audit Security State Change → Success, Failure
13) Computer → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → System → Audit Other System Events → Success, Failure
Start, stop, restart and change of the logging subsystem configuration
14) Computer → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Policy Change → Audit Audit Policy Change → Success, Failure
Software start and stop
These settings can generate a large number of log entries.
15) Computer → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy → Audit process tracking → Success, Failure
16) Computer → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Detailed Tracking → Audit Process Creation → Success, Failure
17) Computer → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Detailed Tracking → Audit Process Termination → Success, Failure
If a local firewall is enabled, then set firewall logging rules for DENY.
18) Computer → Policies → Windows Settings → Security Settings → Windows Firewall with Advanced Security → Properties → Logging → Customize…
These firewall logs are written to a file, not to the event log.
Apache server
The default settings meet the logging procedures.
The Apache logs path is as follows:
/var/log/apache/
JBoss
The default settings in log4j.xml meet the logging procedures.
McAfee ePO
The default settings meet the logging procedures.
The McAfee ePO log paths are as follows (under the ePO installation directory):
ePolicy Orchestrator\Server\Logs
ePolicy Orchestrator\Apache2\Logs
Symantec Antivirus
Configure the log files to be sent to the logging system:
Admin → Servers → Configure External Logging
The Symantec Antivirus logs are selected in the Log Filter tab as follows:
Management Server Logs
    System Administrative Log → Warning
    System Enforcer Activity Log
    Audit Log
    System Server Activity Log → Warning
Compliance Logs
    Enforcer Client Log
    Enforcer Server Log → Warning
Client Logs
    Client Activity Log → Error
    Security Log → Minor
    Traffic Log → Critical
    Control Log → Major
    Scan Log
    Risk Log
    SONAR Protection Log
Oracle database
Configure audit logging for the whole database:
SQL> audit session;
SQL> audit alter table;
SQL> audit alter user;
SQL> audit create role;
SQL> audit create user;
SQL> audit create session;
SQL> audit drop any procedure;
SQL> audit drop any table;
SQL> audit grant any privilege;
SQL> audit grant any role;
SQL> audit all on sys.aud$ by access;
Configure audit logging for all DBA events:
SQL> AUDIT ALL BY <username_of_admin>;
SQL> AUDIT ALL PRIVILEGES BY <username_of_admin>;
SQL> AUDIT SELECT TABLE, UPDATE TABLE, INSERT TABLE, DELETE TABLE BY <username_of_admin> BY ACCESS;
SQL> AUDIT EXECUTE PROCEDURE BY <username_of_admin> BY ACCESS;
Resource issues
Before applying the recommended settings, consider whether they may cause resource problems. Resource problems mainly affect storage space, memory and processor. On most systems, correctly configured logging does not cause resource problems. After the settings are applied, resource issues are generally easy to identify with the monitoring system. If we know the logged system well, resource problems can be anticipated before the settings are applied.
Oracle databases
Storage problems are to be expected on database servers, so their storage space must be expanded.
Required information flow
Configuring the systems is an IT administration task, while configuring the logging system is an IT security task; the two require a mutual flow of information. Whenever the IT infrastructure, or even a single system, is changed, the two parties must communicate.