GUIDE TO COMPUTER SECURITY LOG MANAGEMENT
Routers. Routers may be configured to permit or block certain types of network traffic based on
a policy. Routers that block traffic are usually configured to log only the most basic
characteristics of blocked activity.
Firewalls. Like routers, firewalls permit or block activity based on a policy; however, firewalls use much more sophisticated methods to examine network traffic.[6] Firewalls can also track the state of network traffic and perform content inspection. Firewalls tend to have more complex policies and generate more detailed logs of activity than routers.
Network Quarantine Servers. Some organizations check each remote host’s security posture
before allowing it to join the network. This is often done through a network quarantine server
and agents placed on each host. Hosts that do not respond to the server’s checks or that fail the
checks are quarantined on a separate virtual local area network (VLAN) segment. Network
quarantine servers log information about the status of checks, including which hosts were
quarantined and for what reasons.
Figure 2-1 contains several examples of security software log entries.[7]
Intrusion Detection System
[**] [1:1407:9] SNMP trap udp [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/06-8:14:09.082119 192.168.1.167:1052 -> 172.30.128.27:162
UDP TTL:118 TOS:0x0 ID:29101 IpLen:20 DgmLen:87
Personal Firewall
3/6/2006 8:14:07 AM,"Rule ""Block Windows File Sharing"" blocked (192.168.1.54, netbios-ssn(139)).","Rule ""Block Windows File Sharing"" blocked (192.168.1.54, netbios-ssn(139)). Inbound TCP connection. Local address,service is (KENT(172.30.128.27),netbios-ssn(139)). Remote address,service is (192.168.1.54,39922). Process name is ""System""."
3/3/2006 9:04:04 AM,Firewall configuration updated: 398 rules.,Firewall configuration updated: 398 rules.
Antivirus Software, Log 1
3/4/2006 9:33:50 AM,Definition File Download,KENT,userk,Definition downloader
3/4/2006 9:33:09 AM,AntiVirus Startup,KENT,userk,System
3/3/2006 3:56:46 PM,AntiVirus Shutdown,KENT,userk,System
Antivirus Software, Log 2
240203071234,16,3,7,KENT,userk,,,,,,,16777216,"Virus definitions are current.",0,,0,,,,,0,,,,,,,,,,SAVPROD,{ xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx },End User,(IP)-192.168.1.121,,GROUP,0:0:0:0:0:0,9.0.0.338,,,,,,,,,,,,,,,
Antispyware Software
DSO Exploit: Data source object exploit (Registry change, nothing done) HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3
Figure 2-1. Security Software Log Entry Examples
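As an added example that is not part of this publication, the following Python parses the intrusion detection system alert and the personal firewall entries in the formats shown in Figure 2-1 into one normalized record layout, so that events about a single host can be pulled from both sources and ordered in time. The sample entries are copied from the figure; the record field names, the regular expressions and the alert year are assumptions.

```python
import csv
import re
from datetime import datetime
# Constructed samples in the two formats shown in Figure 2-1 (values copied from the figure)
SNORT_ALERT = """[**] [1:1407:9] SNMP trap udp [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/06-8:14:09.082119 192.168.1.167:1052 -> 172.30.128.27:162
UDP TTL:118 TOS:0x0 ID:29101 IpLen:20 DgmLen:87"""
FIREWALL_LOG = [
    '3/6/2006 8:14:07 AM,"Rule ""Block Windows File Sharing"" blocked (192.168.1.54, netbios-ssn(139)).",'
    '"Rule ""Block Windows File Sharing"" blocked (192.168.1.54, netbios-ssn(139)). Inbound TCP connection. '
    'Local address,service is (KENT(172.30.128.27),netbios-ssn(139)). Remote address,service is '
    '(192.168.1.54,39922). Process name is ""System""."',
    '3/3/2006 9:04:04 AM,Firewall configuration updated: 398 rules.,Firewall configuration updated: 398 rules.',
]
# Snort "full" alert: header line, classification line, packet line (the alert records no year)
SNORT_HDR = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")
SNORT_CLS = re.compile(r"\[Classification: (.+?)\] \[Priority: (\d+)\]")
SNORT_PKT = re.compile(r"(\d\d)/(\d\d)-(\d+):(\d\d):(\d\d)\.\d+ (\S+):(\d+) -> (\S+):(\d+)")
# Personal firewall summary/detail fields, after csv has collapsed the doubled quotes
FW_RULE = re.compile(r'Rule "(.+?)" (\w+)')
FW_PEERS = re.compile(r"Local address,service is \(\w+\(([\d.]+)\),[\w-]+\((\d+)\)\)\. "
                      r"Remote address,service is \(([\d.]+),(\d+)\)")

def parse_snort_alert(text, year):
    """IDS alert -> normalized record; the alert omits the year, so the caller supplies it."""
    hdr, cls, pkt = text.strip().splitlines()[:3]
    gid, sid, rev, msg = SNORT_HDR.match(hdr).groups()
    classification, prio = SNORT_CLS.match(cls).groups()
    mo, d, h, mi, s, src, sport, dst, dport = SNORT_PKT.match(pkt).groups()
    return {"source": "ids", "time": datetime(year, int(mo), int(d), int(h), int(mi), int(s)),
            "event": f"{gid}:{sid}:{rev} {msg}", "priority": int(prio), "class": classification,
            "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)}

def parse_firewall_entry(line):
    """Firewall CSV entry -> normalized record; config-change entries have no peers, so src/dst stay None."""
    when, summary, detail = next(csv.reader([line]))
    rec = {"source": "firewall", "time": datetime.strptime(when, "%m/%d/%Y %I:%M:%S %p"),
           "event": summary, "src": None, "sport": None, "dst": None, "dport": None}
    rule, peers = FW_RULE.search(summary), FW_PEERS.search(detail)
    if rule and peers:
        local, lport, remote, rport = peers.groups()
        rec.update(event=f"{rule.group(2)} by rule '{rule.group(1)}'",
                   src=remote, sport=int(rport), dst=local, dport=int(lport))
    return rec

def events_for_host(records, ip):
    """Records from any source in which the host is src or dst, oldest first (the correlation step)."""
    return sorted((r for r in records if ip in (r["src"], r["dst"])), key=lambda r: r["time"])
```

Building the record list with parse_snort_alert(SNORT_ALERT, 2006) and parse_firewall_entry over FIREWALL_LOG, then calling events_for_host on 172.30.128.27, returns the firewall block followed two seconds later by the IDS alert, while the configuration-update entry is left out because it names no host.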
[6] More information on firewalls is available from NIST Special Publication (SP) 800-41, Guidelines on Firewalls and Firewall Policy, which is available for download at http://csrc.nist.gov/publications/nistpubs/.
[7] Portions of the log examples in this publication have been sanitized to remove Internet Protocol (IP) addresses and other identifying information.
2-3