India - Flag India

Please confirm your currency selection:

Indian Rupee
Incoterms:FCA (Shipping Point)
Duty, customs fees and taxes are collected at time of delivery.
Payment accepted in Credit cards only

US Dollars
Incoterms:FCA (Shipping Point)
Duty, customs fees and taxes are collected at time of delivery.
All payment options available

Bench Talk for Design Engineers

Bench Talk

rss

Bench Talk for Design Engineers | The Official Blog of Mouser Electronics


Eyes Up: Benefits of Centralized Logging Jeff Fellinge

Cybersecurity Theme Image

(Source: sdecoret/Shutterstock.com)

The attention focused on data security and the continuous push for cloud computing, data analytics, and artificial intelligence (AI) underscore the advantages that data aggregation and analysis brings businesses. A niche area benefiting from these new tools is the real-time processing of large amounts of security logs to help detect and track down security problems. The number of business intelligence tools providing these capabilities are more accessible now than ever before. More organizations are incorporating these new tools as a regular part of their data security toolkits to help filter, parse, and visualize data to help spot trends or highlight anomalies. The proliferation of the Internet of Things (IoT) means there are more devices than ever to track and manage. As a result, it has gotten more challenging to keep tabs on every IoT device and know when they are functioning correctly or have had their security compromised. If you don't already, consider using some of these tools and techniques and making centralized logging of security events a part of your organization's overall security control program to help ensure potential nefarious attackers don't go unnoticed.

Event logging is an important function of any device or application. Devices log events to record specific activities such as:

  • When a device starts up or shuts down
  • When a user logs in
  • If a configuration change occurs.

Often you can customize which events a device will log. It is essential to understand the tradeoffs when choosing how much data to log to avoid overwhelming your network or system while ensuring you collect the right data to base decisions.

Finding Pieces to a Larger Puzzle

Event logging is a critical security control. A single attack may trigger multiple events on different devices. Security incident responders must often query the events from multiple devices to piece together the attacker’s path. For example, attack reconnaissance by probing network ports may trigger a “port scan” event on a firewall. Some attackers will attempt to escalate their privilege on a system and the resulting super-user activity may be logged as well. The time and origin of an attacker that used stolen credentials to log into a system may be found as login events in authentication service logs. Firewalls, intrusion detection systems, application servers, and other gateway devices may also include critical information that aids defenders. Suffice to say, security investigations will go much faster if all these events across multiple devices are already in one location.

These events certainly serve as important clues to a security investigation, and savvy attackers know this. They may tailor their activity to try and “fly below the radar” and avoid triggering unwanted events. In some cases, attackers will attempt to clear the logs on a compromised device to cover their tracks. This action sometimes creates its own event—“the event log has been cleared”—that you can look for and alert on. Of course, clearing the events on a device does not erase the events that have already been forwarded to a centralized logging server—one of the most important reasons why centralizing your logs is so crucial for incident response and investigations.

Setting Up a Logging Server

Setting up a centralized log does not need to be complicated. You can set up a basic system in just a few hours depending on the number of enrolled devices. A simple base system might consist of a Linux syslog server configured to receive events forwarded from other syslog-enabled devices. This is often the case as many embedded and IoT devices run firmware, bare-bones Linux, or Linux-like operating systems that support syslog-messaging forwarding of their events built in.

Generally, syslog services rely on configuration files that instruct them how to parse and write incoming messages (events) to simple text files (or in some cases directly to a database). Syslogd was one of the original syslog services to process syslog messages. Over the years, enhanced syslog services have been developed, including syslog-ng and rsyslog, that provide even more flexibility to parse incoming syslog messages based their attributes.

Advanced Centralized Logging

If you need more capabilities beyond a simple centralized logging server, you may want to consider a Security Information Event Management (SIEM) platform or an advanced log analytics platform that extends centralized logging with additional search, analytics, correlation, visualization, and reporting capabilities. One example is the popular Elastic Stack that includes Elasticsearch, Logstash, and Kibana. Some platforms publish their own preconfigured Docker container images, which makes it easy to evaluate them in your test environment. 

Tips for Setting Up Centralized Logging

Here are a few other tips to help keep in mind when setting up your centralized logging service.

  • Configure all your devices to the same exact time using a network time protocol server.
  • Don’t forget to harden your centralized log repository service appropriately and regularly back it up.
  • Treat this centralized log repository as a piece of your critical infrastructure. Take appropriate steps to secure your logging infrastructure, such as limiting administrative access, disabling unnecessary services, and installing a host-based firewall.
  • Regularly scan your logging services to look for software vulnerabilities and misconfigurations that could be exploited by an attacker.
  • Don’t forget to take the time to configure your devices to forward their logs to your centralized log server.

Conclusion

Setting up centralized logging is an important piece to your security program and will provide critical information when you need it most. Even small environments using a basic log server to collect the events from their hosts and IoT devices will benefit from the visibility a service like this can provide.

Key Points:

  • Centralized logging services provide an important point of consolidation of event logs across a wide variety of devices and hosts
  • Running queries against a single data repository is much more efficient than logging into each individual device to try and collect the same data.
  • Many devices support syslog message forwarding, which means you don’t need proprietary solutions. In addition, many open-source options exist as well.
  • For more sophisticated deployments, consider advanced log management platforms that support data analytics, visualization, and reporting beyond simple-log collection.


« Back


Jeff Fellinge has over 25 years’ experience in a variety of disciplines ranging from Mechanical Engineering to Information Security. Jeff led information security programs for a large cloud provider to reduce risk and improve security control effectiveness at some of the world’s largest datacenters. He enjoys researching and evaluating technologies that improve business and infrastructure security and also owns and operates a small metal fabrication workshop. 


All Authors

Show More Show More
View Blogs by Date