Strap on your tinfoil hats and follow along with this scenario: Imagine that your database server is hacked. You are tasked with finding out what happened. Which files have been modified? Who hacked the machine? How long has it been compromised? Was it an inside job?
Let's start with the server itself: which files have been modified recently? Probably easy enough to figure out by looking at the timestamps. Now, who modified them? What's that? You don't have logging enabled for object access? Or directory access? That's right, it's not enabled by default.
Perhaps you can narrow down the time frame to somewhere between 2:00 and 2:15 AM last Sunday night. So, who logged into the server at that time? What, you don't log successful and failed logons? (Again, not enabled by default.) You get the picture...
Another real world example: A colleague was having issues with an Exchange server sending large amounts of spam. Apparently an external entity was using the box as a relay, yet the box was not misconfigured as an open SMTP relay. So what was going on? Basic Exchange logging was useless. After enabling detailed logging, it was discovered that a third-party backup utility installed on that server and configured with default credentials was being used to obtain a valid logon and send mail through the box (let this be a lesson about changing default credentials).
As we can see, logging and auditing are very important. You can use them for forensics, for detecting anomalies before real problems surface, for troubleshooting, and for gaining a better understanding of what is going on within your network.
One of the oldest forms of logging is syslog, from the Unix world. This is an accepted standard and format that *nix machines have used forever. Unix and its variants are very good when it comes to logging (some may say a bit too anal about it). These machines tend to log all operating system and user related events along with a majority of events generated by any applications running on the machines. Troubleshooting becomes very easy with this detailed level of logging.
But, alas, we're not here to talk about *nix machines only. Windows uses the Event Logs to keep track of what's happening with the device. The only pitfall is that even basic events are not logged by default. Successful and failed logons, object access, etc., are not logged. I can't stress how important it is that you develop a policy of enabling this on all of the servers that you build. Here's a good primer on getting started:
Recommendations on what to log
All of this logging tends to rapidly eat up drive space, which is most likely why it is disabled by default in Windows. You will find that the best solution to this is centralized log aggregation (required for regulatory compliance in many industries). Basically, you point all the logs from all of your servers to one log server device. This gives you a central repository for the information and allows you to control access to the logs (an important security consideration, since an attacker who owns a server can otherwise simply clear its local log) and increase your log retention time (dedicated space for log storage). Most central log servers also have a search interface and some even have a correlation engine that allows you to set up alerts based upon certain thresholds or events. Examples include the Kiwi syslog products, Cisco Mars (more of a Cisco-centric product), a simple home-built Linux syslog server, xDefenders ESM appliance (shameless plug), etc.
There are some issues with central logging in a network environment, not the least of which is the fact that Windows Event Logs are created in a proprietary format that is not directly compatible with the syslog standard. This is not a problem if you have a pure Windows network, don't want to log anything from your firewalls, switches, routers, etc., and are using a central log server that understands the Event Log format. I prefer to not only log my servers, I also want all that juicy information from my other network gear as well. Fortunately there is a solution in the form of products that can convert Event Log to syslog format. The best one by far (in my experience) is the Snare Agent for Windows. This product is free (everybody likes "free"), does a great job of formatting the information into the syslog standard, and has a very powerful web-based interface to configure stuff to your heart's delight. The best feature of the Snare Agent is the fact that during the installation process it will ask you if it should enable some basic auditing and logging. Nice!
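To make the two ideas above concrete (turning Event Log records into syslog lines, and a central server running a threshold rule over them), here is an added example that is not part of the original post and is not Snare's code or message format. It assumes a simple dictionary schema for the Windows records, uses the Vista-and-later Security event IDs 4625 (failed logon) and 4624 (successful logon), picks syslog facility local4 arbitrarily for Windows hosts, and invents its own `MSWinEventLog:` message layout; all sample records are constructed, not real captures.

```python
"""Event Log -> RFC 3164 syslog conversion plus a tiny threshold correlation rule.
Added illustration only: the record schema, event IDs, facility choice and message
layout are assumptions, and every record below is constructed sample data."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Windows Security Event Log records (assumed schema, not real captures).
# 4625 = "An account failed to log on", 4624 = successful logon (Vista+ event IDs).
SAMPLE_EVENTS = [
    {"time": "2008-05-04 02:00:05", "host": "DB01", "event_id": 4624, "user": "jsmith", "src_ip": "10.0.1.40"},
    {"time": "2008-05-04 02:01:10", "host": "DB01", "event_id": 4625, "user": "administrator", "src_ip": "10.0.5.23"},
    {"time": "2008-05-04 02:01:12", "host": "DB01", "event_id": 4625, "user": "administrator", "src_ip": "10.0.5.23"},
    {"time": "2008-05-04 02:01:15", "host": "DB01", "event_id": 4625, "user": "administrator", "src_ip": "10.0.5.23"},
    {"time": "2008-05-04 02:01:19", "host": "DB01", "event_id": 4625, "user": "administrator", "src_ip": "10.0.5.23"},
    {"time": "2008-05-04 02:01:22", "host": "DB01", "event_id": 4625, "user": "administrator", "src_ip": "10.0.5.23"},
    {"time": "2008-05-04 02:14:40", "host": "DB01", "event_id": 4624, "user": "administrator", "src_ip": "10.0.5.23"},
    {"time": "2008-05-04 02:20:00", "host": "MAIL01", "event_id": 4625, "user": "backupsvc", "src_ip": "203.0.113.7"},
]

FACILITY_LOCAL4 = 20          # syslog facility local4: an arbitrary choice for Windows hosts
SEV_WARNING, SEV_INFO = 4, 6  # RFC 3164 severity codes


def event_to_syslog(ev):
    """Render one Event Log record as an RFC 3164 line: <PRI>Mmm dd hh:mm:ss HOST TAG: MSG."""
    severity = SEV_WARNING if ev["event_id"] == 4625 else SEV_INFO
    pri = FACILITY_LOCAL4 * 8 + severity           # PRI = facility * 8 + severity
    ts = datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")
    stamp = f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"   # day-of-month is space-padded in RFC 3164
    msg = f"Security EventID={ev['event_id']} User={ev['user']} Source={ev['src_ip']}"
    return f"<{pri}>{stamp} {ev['host']} MSWinEventLog: {msg}"


SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) (\S+?): (.*)$")


def parse_syslog(line, year=2008):
    """Split a syslog line back into fields; the year is supplied because RFC 3164 omits it."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"not an RFC 3164 line: {line!r}")
    pri = int(m.group(1))
    ts = datetime.strptime(f"{year} {m.group(2).replace('  ', ' ')}", "%Y %b %d %H:%M:%S")
    return {"facility": pri // 8, "severity": pri % 8, "time": ts,
            "host": m.group(3), "tag": m.group(4), "msg": m.group(5)}


def failed_logon_alerts(lines, threshold=5, window=timedelta(minutes=5)):
    """Correlation rule: alert when one host sees `threshold` failed logons for the
    same account inside `window`. Fires once when the count reaches the threshold."""
    recent = defaultdict(deque)   # (host, user) -> timestamps still inside the window
    alerts = []
    for rec in sorted((parse_syslog(l) for l in lines), key=lambda r: r["time"]):
        m = re.search(r"EventID=4625 User=(\S+)", rec["msg"])
        if not m:
            continue                       # only failed logons feed this rule
        key = (rec["host"], m.group(1))
        q = recent[key]
        q.append(rec["time"])
        while q and rec["time"] - q[0] > window:
            q.popleft()                    # slide the window forward
        if len(q) == threshold:
            alerts.append({"host": key[0], "user": key[1], "first": q[0],
                           "last": rec["time"], "count": len(q)})
    return alerts


if __name__ == "__main__":
    shipped = [event_to_syslog(e) for e in SAMPLE_EVENTS]   # what the agent would send
    for line in shipped:
        print(line)
    for a in failed_logon_alerts(shipped):                   # what the central server would raise
        print(f"ALERT {a['host']}: {a['count']} failed logons for {a['user']} "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

With the sample data the rule raises one alert for `DB01` (five failures for `administrator` within twelve seconds), and the lone failure on `MAIL01` stays below the threshold. In practice the window and threshold are tuned per environment, and the rule is only as good as the audit policy feeding it: if logon auditing is off on the host, the 4625 records never exist to ship.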
Get Snare Agent for Windows here
In summary, enable some basic logging on all of the important devices on your network, implement a central log server, and start to utilize the benefits that logging can provide for you. Some day you'll thank me.
Copyright Todd Hughes 2008