Security log

A security log is used to track security-related information on a computer system. Examples include:

The Security Log, in Microsoft Windows, is a log that contains records of login/logout activity and other security-related events specified by the system's audit policy. Auditing allows administrators to configure Windows to record operating system activity in the Security Log, which is one of the three logs viewable under Event Viewer; the Local Security Authority Subsystem Service (LSASS) writes its events. The Security Log is one of the primary tools administrators use to detect and investigate attempted and successful unauthorized activity and to troubleshoot problems; Microsoft describes it as "Your Best and Last Defense". The log and the audit policies that govern it are also favorite targets of hackers and rogue system administrators seeking to cover their tracks before and after committing unauthorized activity.
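The paragraph above makes two points a defender acts on: the log records logon activity according to the audit policy, and the log and policy themselves are what an intruder tampers with. The following is an added example, not code from the original article, showing a small triage pass over Security Log records. The records are constructed and shaped like the fields Event Viewer or Get-WinEvent expose; the event IDs are the standard Windows ones (4624 logon, 4625 failed logon, 4634 logoff, 4719 audit policy changed, 1102 audit log cleared). It flags tampering events and per-source bursts of failed logons.

```python
"""Triage of constructed Windows Security Log records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: illustrative, not captured from a real host.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2024-05-01T08:00:02", "TargetUserName": "alice",
     "IpAddress": "10.0.0.5", "LogonType": 2},
    # a single typo'd password from alice's own workstation
    {"EventID": 4625, "TimeCreated": "2024-05-01T08:05:00", "TargetUserName": "alice",
     "IpAddress": "10.0.0.5", "LogonType": 2},
    {"EventID": 4634, "TimeCreated": "2024-05-01T08:30:00", "TargetUserName": "alice"},
    # the audit policy is changed, then the log is cleared half a minute later
    {"EventID": 4719, "TimeCreated": "2024-05-01T09:00:00", "SubjectUserName": "bob"},
    {"EventID": 1102, "TimeCreated": "2024-05-01T09:00:30", "SubjectUserName": "bob"},
]
# five network-logon failures against "administrator" from one address in five seconds
SAMPLE_EVENTS += [
    {"EventID": 4625, "TimeCreated": f"2024-05-01T08:10:0{i}", "TargetUserName": "administrator",
     "IpAddress": "10.0.0.99", "LogonType": 3}
    for i in range(1, 6)
]

# Events that alter the log itself or the audit policy that feeds it.
TAMPER_EVENTS = {1102: "security log cleared", 4719: "system audit policy changed"}


def find_tamper_events(events):
    """Return (time, event id, description, actor) for log/policy tampering events."""
    return [(e["TimeCreated"], e["EventID"], TAMPER_EVENTS[e["EventID"]],
             e.get("SubjectUserName", "unknown"))
            for e in events if e["EventID"] in TAMPER_EVENTS]


def find_failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Per source address, find the largest number of 4625 events inside any
    sliding window of `window` length; report sources at or above `threshold`."""
    failures = defaultdict(list)
    # ISO-8601 timestamps sort correctly as strings
    for e in sorted(events, key=lambda e: e["TimeCreated"]):
        if e["EventID"] == 4625:
            failures[e.get("IpAddress", "-")].append(datetime.fromisoformat(e["TimeCreated"]))
    bursts = {}
    for ip, times in failures.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[ip] = max(bursts.get(ip, 0), count)
    return bursts


def triage(events):
    """Bundle both checks into one report."""
    return {"tampering": find_tamper_events(events),
            "failed_logon_bursts": find_failed_logon_bursts(events)}


if __name__ == "__main__":
    for name, finding in triage(SAMPLE_EVENTS).items():
        print(f"{name}: {finding}")
```

On a real host the records would come from an exported Security Log rather than the inline list; the two checks are the same. A 1102 event is worth alerting on by itself, since legitimate administration rarely needs to clear the log, and it is typically the first record left after a clear.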

According to Stefan Axelsson, "Most UNIX installations do not run any form of security logging software, mainly because the security logging facilities are expensive in terms of disk storage, processing time, and the cost associated with analyzing the audit trail, either manually or by special software." [1]

See also

An audit trail is a security-relevant chronological record, set of records, and/or destination and source of records that provides documentary evidence of the sequence of activities that have, at any time, affected a specific operation, procedure, or event. Audit records typically result from activities such as financial transactions, scientific research and health care data transactions, or communications by individual people, systems, accounts, or other entities.

A server log is a log file automatically created and maintained by a server consisting of a list of activities it performed.

Web log analysis software is a kind of web analytics software that parses a server log file from a web server, and based on the values contained in the log file, derives indicators about when, how, and by whom a web server is visited. Reports are usually generated immediately, but data extracted from the log files can alternatively be stored in a database, allowing various reports to be generated on demand.

Related Research Articles

Shell account

A shell account is a user account on a remote server, traditionally running under the Unix operating system, which gives access to a shell via a command-line interface protocol such as telnet or SSH.

Nessus is a proprietary vulnerability scanner developed by Tenable Network Security.

grsecurity is a set of patches for the Linux kernel which emphasize security enhancements. The patches are typically used by computer systems which accept remote connections from untrusted locations, such as web servers and systems offering shell access to their users. Grsecurity provides a collection of security features to the Linux kernel, including address space protection, enhanced auditing and process control.

RACF (usually pronounced "Rack-Eff"), short for Resource Access Control Facility, is an IBM software product. It is a security system that provides access control and auditing functionality for the z/OS and z/VM operating systems. RACF was introduced in 1976.

In computing, syslog is a standard for message logging. It allows separation of the software that generates messages, the system that stores them, and the software that reports and analyzes them. Each message is labeled with a facility code, indicating the software type generating the message, and assigned a severity level.
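The facility code and severity level described above are carried together in the PRI field at the start of a syslog message, computed as facility * 8 + severity (the numbering is the one in RFC 3164 and RFC 5424, with values 0 to 191). The following is an added example, not code from the original article, that decodes PRI values, parses a few constructed syslog lines, and selects the security-relevant ones (auth/authpriv facility, or severity at warning or worse).

```python
"""Decode syslog PRI values and select security-relevant lines (added example)."""
import re

# Facility numbers 0-23 and severity numbers 0-7 as standardized for syslog.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console",
              "solaris-cron"] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# PRI is "<n>" at the very start of the message.
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

# Constructed sample lines in the traditional (RFC 3164 style) format.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 host su: 'su root' failed for lonvick on /dev/pts/8",
    "<13>Oct 11 22:14:16 host myapp: started",
    "<86>Oct 11 22:15:00 host sshd[1234]: Accepted publickey for alice from 10.0.0.5",
    "<165>Oct 11 22:15:30 host backup: nightly job finished",
    "<2>Oct 11 22:16:00 host kernel: Out of memory: killed process 4321",
]


def decode_pri(pri):
    """Split a PRI value into (facility name, severity name)."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return FACILITIES[pri // 8], SEVERITIES[pri % 8]


def parse_syslog_line(line):
    """Return a dict with pri, facility, severity and the remaining message text."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("line does not start with a PRI field")
    pri = int(m.group(1))
    facility, severity = decode_pri(pri)
    return {"pri": pri, "facility": facility, "severity": severity, "message": m.group(2)}


def select_security_events(lines, max_severity="warning"):
    """Keep lines from the auth/authpriv facilities, plus any line whose severity
    is at least as severe as `max_severity` (lower severity number = more severe)."""
    cutoff = SEVERITIES.index(max_severity)
    selected = []
    for line in lines:
        rec = parse_syslog_line(line)
        if rec["facility"] in ("auth", "authpriv") or SEVERITIES.index(rec["severity"]) <= cutoff:
            selected.append(rec)
    return selected


if __name__ == "__main__":
    for rec in select_security_events(SAMPLE_LINES):
        print(f"{rec['facility']}.{rec['severity']}: {rec['message']}")
```

The `decode_pri` range check matters in practice: a malformed or hostile sender can put any digits inside the angle brackets, and an out-of-range PRI should be rejected rather than indexed into the tables.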

An information security audit is an audit of the level of information security in an organization. Within the broad scope of auditing information security there are multiple types of audits and multiple objectives for different audits. Most commonly the controls being audited can be categorized as technical, physical and administrative. Auditing information security covers topics from auditing the physical security of data centers to auditing the logical security of databases, and highlights key components to look for and different methods for auditing these areas.

A computer security audit is a manual or systematic measurable technical assessment of a system or application. Manual assessments include interviewing staff, performing security vulnerability scans, reviewing application and operating system access controls, and analyzing physical access to the systems. Automated assessments, or CAATs (computer-assisted audit techniques), include system-generated audit reports or using software to monitor and report changes to files and settings on a system. Systems can include personal computers, servers, mainframes, network routers and switches.

Argus – Audit Record Generation and Utilization System

Argus, the Audit Record Generation and Utilization System, is the first implementation of network flow monitoring, and is an ongoing open source network flow monitor project. Started by Carter Bullard in 1984 at Georgia Tech, and developed for cyber security at Carnegie Mellon University in the early 1990s, Argus has been an important contributor to Internet cyber security technology over its 30 years.

Database security concerns the use of a broad range of information security controls to protect databases against compromises of their confidentiality, integrity and availability. It involves various types or categories of controls, such as technical, procedural/administrative and physical. Database security is a specialist topic within the broader realms of computer security, information security and risk management.

In computer log management and intelligence, log analysis is an art and science seeking to make sense out of computer-generated records. The process of creating such records is called data logging.

W3Perl

W3Perl is a free software logfile analyser which can parse Web/FTP/Mail/CUPS/DHCP/SSH and Squid logfiles. Most major web logfile formats are supported, as well as split/compressed files. "Page tagging" and a counter are also supported if you do not have access to the logfiles. The output is spread over HTML pages, with graphics and a sortable table. Stats can be run from a single command line or from a web browser.

FSA Corporation developed UNIX and Windows system level software for security and distributed system administration in the 1990s. The company provided the underlying technology basis for software offerings by IBM, Symantec, and McAfee. FSA's best known products were its Load Balancer distributed workload management solution, its PowerBroker secure system administration solution for controlling and auditing the power of root on UNIX networks, and its CipherLink network encryption solution. The company was acquired by McAfee in 1996. The company was a testing ground for Theo de Raadt's ideas concerning open-source software, which led to the OpenBSD operating system. De Raadt was FSA's first non-founding employee.

Log management (LM) comprises an approach to dealing with large volumes of computer-generated log messages. Log Management generally covers:

In computing, a log file is a file that records either events that occur in an operating system or in other software runs, or messages between different users of a communication software. Logging is the act of keeping a log. In the simplest case, messages are written to a single log file.

Lynis is an extensible security audit tool for computer systems running Linux, FreeBSD, macOS, OpenBSD, Solaris, and other Unix-derivatives. It assists system administrators and security professionals with scanning a system and its security defenses, with the final goal being system hardening.

Snare (software)

Snare is a collection of software tools that collect audit log data from a variety of operating systems and applications to facilitate centralised log analysis. Enterprise Agents are available for Linux, OSX, Windows, Solaris, Microsoft SQL Server, a variety of browsers, and more. Snare Enterprise Epilog for Windows facilitates the central collection and processing of Windows text-based log files such as ISA/IIS. Snare Enterprise Epilog for Unix provides a method to collect any text-based log files on the Linux and Solaris operating systems. Open-source agents are available for Irix and AIX.

Linoma Software

Linoma Software was a developer of managed file transfer and encryption solutions. The company was acquired by HelpSystems in June 2016. Mid-sized companies, large enterprises and government entities use Linoma's solutions to protect sensitive data and comply with data security regulations such as PCI DSS, HIPAA/HITECH, SOX, GLBA and state privacy laws. Linoma's solutions run on a variety of platforms including Windows, Linux, UNIX, IBM i (iSeries), AIX, Solaris, HP-UX and Mac OS X.

A jump server, jump host or jumpbox is a computer on a network used to access and manage devices in a separate security zone. The most common example is managing a host in a DMZ from trusted networks or computers.

References