Monitoring and auditing activity on systems is important for two reasons. First, monitoring activity tells the systems administrator which systems are operating the way they should, where systems are failing, where performance is an issue, and what type of load exists at any one time. These details allow proper maintenance and discovery of performance bottlenecks, and they point to areas where further investigation is necessary. The wise administrator uses every possible tool to determine general network and system health, and then acts accordingly. Second, and of interest to security, is the exposure of suspicious activity, audit trails of normal and abnormal use, and forensic evidence that is useful in diagnosing attacks and potentially catching and prosecuting attackers. Suspicious activity may consist of obvious symptoms such as known attack codes or signatures, or may be patterns that, to the experienced, mean possible attempts or successful intrusions.

In order to benefit from the information available in logs and from other monitoring techniques, you must understand the type of information available and how to obtain it. You must also understand what to do with it. Three types of information are useful:

• Activity logs
  
• System and network monitoring activity
  
• Vulnerability scans

System and Device Logging

Each operating system, device, and application may provide extensive logging activity. There are, however, decisions to be made about how much activity to record. The range of information that is logged by default varies, as does what is available to log, and there is no clear-cut answer on what should be logged. The answer depends on the activity and on the reason for logging.

NOTE  When examining log files, it's important to understand what gets logged and what does not. This will vary by the type of log, the type of event, the operating system and product, whether or not there are additional things you can select, and the type of data. In addition, if you are looking for 'who' participated in the event or 'what' machine they were using, this may or may not be a part of the log. Windows event logs prior to Windows Server 2003, for example, did not include the IP address of the computer, just the hostname. And web server logs do not include exact information no matter which brand they are. Much web activity goes through a proxy server, so you may find that you know the network source but not the exact system it came from.

Determining What to Log

In general, the following questions must be answered:

• What is logged by default? This includes not just the typical security information, such as successful and unsuccessful logons or access to files, but also the actions of services and applications that run on the system.
  
• Where is the information logged? There may be several locations.
  
• Do logs grow indefinitely with the information added, or is log file size set? If the latter, what happens when the log file is full?
  
• What types of additional information can be logged? How is it turned on?
  
• When is specific logging activity desired? Are there specific items that are appropriate choices for some environments but not others? For some servers but not others? For servers but not desktop systems?
  
• Which logs should be archived and how long should archives be kept?
  
• How are logs protected from accidental or malicious change or tampering?