Remote Log Server
One of the many techniques intruders use to cover their presence is to wipe
clean any logging facilities you might have enabled. This includes account
logging, system messages, error logs, traffic logs, and so on.
One way to circumvent this problem is to log all your servers to a remote
logging machine. The remote logging machine should only accept logging traffic
from those servers. That way, even if a server is compromised, you will still
have the logs to perform the forensic analysis of what went on.
Configure the appropriate packet filter on your logging server to drop all
inbound traffic except syslog (UDP/514) from those servers. The logs on your
logging server can additionally be archived to media such as CD-R, WORM, or tape.
UNIX/Linux
UNIX has very strong centralized logging facilities. It is true that some
applications use their own log files and do not use syslog. However, the
filesystem hierarchy is designed with support for a centralized location,
/var/log. Additionally, most UNIX systems and GNU/Linux distributions
come with an automated log rotation and management facility. The logs are
automatically rotated based on criteria such as size or age, and can
automatically be compressed, renamed, and even archived.
To further enhance the logging capabilities of your UNIX/Linux server,
replace your normal syslogd with a more robust, configurable, and secure
alternative known as syslog-ng. syslog-ng has several features that the normal
syslogd lacks, including the capability to filter messages on message content, not
just facility.priority pairs. Using regular expressions, you could route each
host's messages to its own log file. syslog-ng might already come with your
UNIX/Linux distribution, but if it does not, it can be found at
http://www.balabit.hu/en/products/syslog-ng/
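The behaviour the two passages above describe, a collector that accepts log traffic only from the servers it is meant to serve and that routes messages syslog-ng style on content and per host rather than only on facility.priority, as an added example that is not code from the book or from syslog-ng. The sender addresses, host names and datagrams are constructed; the sink names and the sshd content filter are assumptions chosen for illustration; binding UDP/514 requires root on UNIX.

```python
import re
import socket
from collections import defaultdict

# Constructed allowlist: sender address -> the name we log it under. The host
# name comes from this table, not from the datagram, so a compromised server
# cannot write forged entries into another host's log. On a real collector this
# check duplicates the packet-filter rule (only UDP/514 from these addresses).
ALLOWED_SENDERS = {"192.0.2.10": "web1", "192.0.2.11": "db1"}

# Facility and severity tables of the BSD syslog protocol (RFC 3164).
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp "
              "ntp audit alert clock local0 local1 local2 local3 local4 local5 "
              "local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)\Z", re.DOTALL)


def parse_pri(datagram):
    """Split '<PRI>rest' into (facility, severity, rest); None if malformed."""
    m = PRI_RE.match(datagram)
    if m is None:
        return None
    pri = int(m.group(1))
    if pri > 191:                        # 24 facilities x 8 severities
        return None
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7], m.group(2).strip()


class Collector:
    """Routes accepted datagrams to named sinks.

    Sinks are in-memory lists so the example runs offline; a real collector
    would append to files on the log partition instead.
    """

    def __init__(self, allowed=ALLOWED_SENDERS):
        self.allowed = allowed
        self.sinks = defaultdict(list)
        self.dropped = 0

    def accept(self, src_ip, datagram):
        """Return the sinks the message was written to ([] if it was dropped)."""
        if src_ip not in self.allowed:       # not one of our servers: drop
            self.dropped += 1
            return []
        parsed = parse_pri(datagram)
        if parsed is None:                   # malformed: drop rather than guess
            self.dropped += 1
            return []
        facility, severity, text = parsed
        host = self.allowed[src_ip]
        line = f"{host} {facility}.{severity} {text}"

        targets = [f"hosts/{host}.log"]       # one log per sending host
        # Authentication-related or serious messages also go to a security log.
        serious = SEVERITIES.index(severity) <= SEVERITIES.index("err")
        if facility in ("auth", "authpriv") or serious:
            targets.append("security.log")
        # Content-based filter, independent of facility.priority (assumed rule).
        if re.search(r"\bsshd\[\d+\]:", text):
            targets.append("sshd.log")
        for target in targets:
            self.sinks[target].append(line)
        return targets


def serve(collector, bind_addr="0.0.0.0", port=514):
    """Receive syslog datagrams forever (binding UDP/514 needs root on UNIX)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))
        while True:
            data, (src_ip, _) = sock.recvfrom(8192)
            collector.accept(src_ip, data.decode("utf-8", errors="replace"))


def demo():
    """Feed constructed datagrams through a collector and return it."""
    c = Collector()
    c.accept("192.0.2.10", "<38>Jan  1 10:00:00 web1 sshd[1234]: Accepted publickey for ops")
    c.accept("192.0.2.11", "<30>Jan  1 10:00:01 db1 cron[99]: (root) CMD (/usr/sbin/logrotate)")
    c.accept("198.51.100.7", "<38>Jan  1 10:00:02 other sshd[7]: sender not on allowlist")  # dropped
    c.accept("192.0.2.10", "no priority field at all")                                      # dropped
    return c


if __name__ == "__main__":
    collector = demo()
    for sink, lines in sorted(collector.sinks.items()):
        print(sink, *lines, sep="\n  ")
    print(f"dropped: {collector.dropped}")
```

Routing on the sender's address rather than on the hostname carried inside the message is the point a defender cares about: the packet filter fixes which addresses may reach the collector, and the collector names the per-host log from that same allowlist, so nothing the sending host puts in the datagram can redirect its entries.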
Windows NT and 2000
There are several automated logging services built into Windows NT and 2000.
Most services use the EventLogs that everyone should be familiar with. If you
are running any Internet services (such as FTP, HTTP, SMTP, and so on), they are
logged through a different facility. If you are tuning or troubleshooting your
servers, you're sure to be using the Performance Monitor application. This
application does not log to the Application log of the EventLog service, but
rather to its own set of logs. Finally, one of the more important aspects of the
system, scheduling of automated jobs, is logged through yet another service.
Because there is no normal centralized logging service in Windows NT and 2000,
each must be addressed individually.
The first thing to do is move all logs to a separate logging partition. It
would be convenient, although not 100% necessary, to have this partition be a
separate disk, so as to not impact performance for the data portion of the
server. After a log partition has been created, the next step is to move the
logs from their default locations. Why go through all this trouble? Once all
the logs are centrally located, routine maintenance is easier after your server
is in production, and you can provide automated backup and archiving of
logs for later review and processing.
EventLogs
EventLogs are the default built-in Windows NT event logs that are
viewed with the Event Viewer. EventLogs are the Windows NT/2000 equivalent to
syslog. The EventLog service is divided into the Application Log, Security Log,
and System Log. Most Windows NT/2000 applications, services, and system events
are logged into the appropriate category. Each category is actually its own
separate physical file that can be relocated. This task is accomplished by
editing the File value under each of the following Registry keys:
  Key:   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application
         HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Security
         HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System
  Value: File
Change each File value to point at the new location of that log file on your log
files partition. After editing those values, you must restart the server for the
changes to take effect.
Internet Services
The services provided by the IIS infrastructure generate logs for each
service: Web, FTP, and SMTP. The Internet Service logs are unique in that you
can configure a time interval to rotate to a new log automatically. The log
filename can be based on the specific time period.
To change the location of these log files, edit the Web or FTP root
properties, and select the properties for the log file. In the Properties dialog
box, you can set the new location to be your directory on the log files
partition.
Performance Logs
The Performance logs are created by the Performance Monitor counters. The
default location is %SystemDrive%\PerfLogs. They can be changed by
editing the DefaultLogFileFolder value in the following Registry
key:
  Key:   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SysmonLog
  Value: DefaultLogFileFolder
Scheduler Logs
The Scheduler service log is normally located at
%SystemRoot%\SchedLgU.Txt. The log records all jobs scheduled and executed,
as well as when the service was started and stopped. The location of this file
can be changed by editing the LogPath value in the Registry key:
  Key:   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SchedulingAgent
  Value: LogPath