Event Monitoring – An Overview (Part 1 of 2)
Since the dawn of the computer age, computing has been about the interaction between people and machines. In the beginning, communication with a machine was very limited and relied on cumbersome mechanisms such as the punch card, but as technology improved, the interaction between humans and machines increased drastically. Today's computers are extremely complex machines that perform an impressive number of calculations per second, and we certainly do not let such power go to waste. That power and complexity, however, come at a price.
A modern system consists of a lot of different software running simultaneously on a wide variety of hardware. When this mix of software and hardware works harmoniously, we get a lot of work done; when that balance is upset, it can cost us a lot of time and money. Unfortunately, plenty can upset this all-important harmony, from hardware failures to bugs to hacking attacks, both internal and external. All is not doom and gloom, however: just as our interaction with computers has increased, so has their interaction back to us, and if we listen, computers will tell us when something has gone wrong.
With so many different systems and so much complexity, one can expect a great deal of communication, and this is in fact the case. Each platform mitigates this by centralizing that communication as much as possible. In the Windows environment this communication (or rather, these logs) is generally centralized in the Windows Event System; on Linux/Unix operating systems logs are centralized in the syslog system; and network devices communicate with us using SNMP. That is the general rule, although in practice there are devices that use syslog for logging and applications on both Windows and Linux that use SNMP.
Now that we know where to look, what can we actually do with the data? A common misconception is that logs are only useful for forensic analysis. While that is certainly one use, logs can provide us with much more. Other useful information that one can find in logs includes:
- System Health
  - When hardware such as hard drives starts to fail, one can generally find reports about the problem in the logging system.
- Machine Performance
  - When a system runs out of memory or applications crash, there will be log entries recording this.
- Monitoring Servers
  - All servers, be they mail, web or firewall, log their own activities and inform the administrator of any failures, lack of system resources or suspicious behavior they encounter.
- User Activities
  - Logs also provide a picture of how a user is using a system, as actions such as reboots, login operations and various other system interactions are logged.
- System Behavior
  - The system logs its own actions; from the logs you can find out which services were loaded and when, what devices were connected, what services came online or went offline, and similar information.
- System Failure
  - While an application failure is sometimes quite visible, popping up error messages to inform the user, applications, especially servers, may at other times fail silently, with the only evidence of the failure residing in the log.
- Compliance
  - A crucial part of compliance is ensuring that monitoring mechanisms are running effectively and have not been tampered with. Such monitoring can only be done at a very low level, which is generally achievable only through the operating system's own logging.
- Forensic Analysis
  - Logs are the central source for a forensic analysis. They help the administrator discover which events took place and when.
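As an added example, not part of the original post, the short Python script below parses a handful of constructed syslog lines (invented for this illustration, not real captures) and buckets each one into the categories listed above; the message patterns are assumptions that an administrator would tune for their own environment, and the `Unclassified` and `Unparsed` buckets surface lines that the rules do not yet cover.

```python
import re
from collections import Counter

# Constructed sample syslog lines, one or two per category from the post.
SAMPLE_LOGS = [
    "Mar 11 02:14:07 web01 kernel: [12345.678] sd 0:0:0:0: [sda] Medium Error",
    "Mar 11 02:15:10 web01 smartd[812]: Device: /dev/sda, 5 Currently unreadable (pending) sectors",
    "Mar 11 03:01:44 web01 kernel: Out of memory: Killed process 2231 (java) total-vm:8123456kB",
    "Mar 11 03:02:01 web01 sshd[2301]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
    "Mar 11 03:05:12 web01 sshd[2310]: Failed password for invalid user admin from 203.0.113.9 port 4022 ssh2",
    "Mar 11 03:07:00 web01 systemd[1]: Started nginx.service - A high performance web server.",
    "Mar 11 03:09:30 web01 systemd[1]: postfix.service: Main process exited, code=dumped, status=11/SEGV",
    "Mar 11 03:10:00 web01 systemd[1]: Stopped nginx.service",
]

# Category -> message patterns (assumed, tune for your environment).
# Order matters: the first category whose pattern matches wins, so the
# "silent" crash of a service is checked before generic service start/stop.
RULES = {
    "System Health": [r"Medium Error", r"unreadable \(pending\) sectors", r"I/O error"],
    "Machine Performance": [r"Out of memory", r"oom-killer"],
    "User Activities": [r"Accepted \w+ for", r"Failed password for", r"session opened for user"],
    "System Failure": [r"Main process exited", r"core dumped", r"code=dumped"],
    "System Behavior": [r"Started .*\.service", r"Stopped .*\.service"],
}

# Traditional BSD-style syslog line: timestamp, host, tag[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) "
    r"(?P<tag>[^:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

def parse_syslog(line):
    """Split one syslog line into its fields, or return None if it does not parse."""
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None

def classify(msg):
    """Map a syslog message to one of the post's categories, first match wins."""
    for category, patterns in RULES.items():
        if any(re.search(p, msg) for p in patterns):
            return category
    return "Unclassified"

def summarise(lines):
    """Count how many lines fall into each category; unparseable lines are kept visible."""
    counts = Counter()
    for line in lines:
        rec = parse_syslog(line)
        counts[classify(rec["msg"]) if rec else "Unparsed"] += 1
    return counts

if __name__ == "__main__":
    for category, n in summarise(SAMPLE_LOGS).most_common():
        print(f"{category:20s} {n}")
```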
In the second part of this blog post we will see how to access these logs using Windows Events, syslog and SNMP.