Event logs can help you spot and troubleshoot security events so you can protect your systems and data. However, log records can be hard to read, and logs are often so noisy that you have to sift through pages of events to identify the critical ones and potential threats.
Read on to learn more about audit logs, log analysis and log auditing software.
What is an audit log?
An audit log is a ledger of changes and events in IT systems. Many applications, services, operating systems and network devices generate event logs; examples include Microsoft Windows event logs and Syslog. IT managers and administrators use audit logs to spot suspicious activity and investigate incidents.
The format of log data can vary significantly between sources, but logs generally capture events by recording:
- The time when the event occurred
- Details about what happened and where
- Information about which user caused the event
- Details about the system’s reaction, including messages such as “Audit Failure”, “Request accepted” or “Access denied”.
Maintaining a good audit trail is so important that the Center for Internet Security (CIS) lists log management as one of its critical security controls. In addition, many standards and regulations — such as the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley (SOX) Act and the Gramm-Leach-Bliley Act — require companies to create and keep audit logs for compliance, and may require covering specific categories of events. For example, PCI DSS requires monitoring access to cardholder data, and various consumer data privacy laws regulate how companies collect, store and share customer data.
What is involved in audit log monitoring?
Audit log monitoring usually consists of the following steps:
1. Log Collection
The first step in event log monitoring is to decide:
- Which computers, software, devices and other systems to collect events from
- What settings to use for each log, such as whether to use the default log size
- How the data will be stored and collected
- What the normalized time settings should look like (source and time zone)
While it might seem wise to collect all information from all sources, this strategy can be quite expensive due to the need to store and process huge amounts of data. Instead, organizations should carefully determine which events to collect from which sources, balancing the desire for comprehensive data collection against the associated costs.
2. Log Aggregation
Once you’ve started collecting log data, you need to aggregate it into one place. One good option is to implement a log management solution that can aggregate high volumes of data from many sources.
3. Log Parsing
Next, the aggregated log files need to be parsed. The simplest example is splitting unstructured log strings into separate fields.
4. Log Normalization
Different systems use different formats for their log files, such as CEF, JSON or CSV. To empower users and systems to read and analyze the data, it needs to be standardized into a common format.
5. Event Correlation
Event correlation is the process of finding relationships between events in different logs, such as Active Directory security logs, firewall logs and database logs. For example, if you experienced a server outage, you might want to identify which applications were impacted by matching the events in the server and application logs.
The most common type of event correlation uses rules to match log entries based on event type, timestamp, IP address and other criteria. Event correlation often relies on statistical analysis.
6. Log Analysis
Finally, to focus on actual threats and other critical events, you need to analyze your data. Centralized log management platforms can automate and streamline the log data analysis process. They use visualization to highlight the similarities and correlations between events, making it easier to spot issues, track down root causes and determine appropriate response actions.
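The six steps above, carried out end to end on a handful of records, as an added example that is not part of the original article or any Netwrix product: three constructed log lines in different formats (a syslog-style sshd line, a JSON record in the shape of a Windows logon audit, and a CSV firewall line) are parsed, normalized into one schema with UTC timestamps, correlated across sources by client IP, and then analyzed for a failed-then-successful logon pattern. The normalized field names, the `source|payload` tagging of the input, the assumed year for the year-less syslog timestamps and the UTC assumption for every source are all this example's own choices.

```python
"""Toy log pipeline: parse -> normalize -> correlate -> analyze (added example, not Netwrix code)."""
import csv
import io
import json
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample input. Each line is tagged with its source format before a '|'.
RAW_LOGS = [
    "syslog|Mar  3 10:15:01 web01 sshd[2211]: Failed password for bob from 203.0.113.7 port 5022 ssh2",
    "syslog|Mar  3 10:15:05 web01 sshd[2211]: Failed password for bob from 203.0.113.7 port 5023 ssh2",
    'json|{"TimeCreated": "2024-03-03T10:15:09Z", "EventID": 4625, "TargetUserName": "bob", "IpAddress": "203.0.113.7"}',
    "syslog|Mar  3 10:15:12 web01 sshd[2212]: Accepted password for bob from 203.0.113.7 port 5024 ssh2",
    "csv|2024-03-03 10:20:00,ALLOW,198.51.100.4,10.0.0.5,443",
]
SYSLOG_YEAR = 2024  # classic syslog timestamps carry no year; assumed for the example
UTC = timezone.utc   # assumption: every source already reports UTC

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)"
)

def parse_syslog(payload):
    """Step 3 (parsing): split a free-text sshd line into fields with a regex."""
    m = SSHD_RE.match(payload)
    if not m:
        return None  # not an sshd auth line; ignore for this example
    ts = datetime.strptime(f"{SYSLOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=UTC)
    return {"ts": ts, "source": "sshd", "host": m["host"], "event": "logon", "user": m["user"],
            "src_ip": m["ip"], "outcome": "failure" if m["outcome"] == "Failed" else "success"}

def parse_json(payload):
    """Windows logon audit in JSON form: 4624 = successful logon, 4625 = failed logon."""
    rec = json.loads(payload)
    ts = datetime.strptime(rec["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)
    outcome = {4624: "success", 4625: "failure"}.get(rec["EventID"], "unknown")
    return {"ts": ts, "source": "windows", "host": rec.get("Computer", "?"), "event": "logon",
            "user": rec["TargetUserName"], "src_ip": rec["IpAddress"], "outcome": outcome}

def parse_csv(payload):
    """Firewall CSV: timestamp,action,src_ip,dst_ip,dst_port."""
    ts_s, action, src, dst, _port = next(csv.reader(io.StringIO(payload)))
    ts = datetime.strptime(ts_s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=UTC)
    return {"ts": ts, "source": "firewall", "host": dst, "event": "connection", "user": None,
            "src_ip": src, "outcome": "success" if action == "ALLOW" else "failure"}

PARSERS = {"syslog": parse_syslog, "json": parse_json, "csv": parse_csv}

def normalize(lines):
    """Step 4 (normalization): every record ends up in the same schema, sorted by UTC time."""
    events = []
    for line in lines:
        tag, payload = line.split("|", 1)
        rec = PARSERS[tag](payload)
        if rec:
            events.append(rec)
    events.sort(key=lambda e: e["ts"])
    return events

def correlate_brute_force(events, window=timedelta(minutes=5), threshold=3):
    """Step 5 (correlation): relate logon failures and successes from *different* logs
    by client IP. Flags an IP with >= threshold failures followed by a success within window."""
    failures = defaultdict(list)  # src_ip -> [(timestamp, source), ...]
    findings = []
    for e in events:
        if e["event"] != "logon":
            continue
        ip = e["src_ip"]
        if e["outcome"] == "failure":
            failures[ip].append((e["ts"], e["source"]))
        elif e["outcome"] == "success":
            recent = [(t, s) for t, s in failures[ip] if e["ts"] - t <= window]
            if len(recent) >= threshold:
                findings.append({"src_ip": ip, "user": e["user"], "failures": len(recent),
                                 "sources": sorted({s for _, s in recent}), "success_at": e["ts"]})
    return findings

def summarize(events):
    """Step 6 (analysis): a simple roll-up of outcomes per source to see where noise comes from."""
    return Counter((e["source"], e["outcome"]) for e in events)

if __name__ == "__main__":
    evts = normalize(RAW_LOGS)
    for f in correlate_brute_force(evts):
        print(f"ALERT {f['src_ip']} user={f['user']} {f['failures']} failures across "
              f"{f['sources']} then success at {f['success_at'].isoformat()}")
    print(dict(summarize(evts)))
```

The correlation only works because normalization first put the sshd, Windows and firewall records into one schema with comparable timestamps; the same detection written against each raw format separately would have counted two failures on the host and one in the Windows log and triggered on neither.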
SIEM Solutions for Audit Log Monitoring
Security information and event management (SIEM) solutions can provide efficient and reliable log monitoring. SIEM software typically gathers log data generated by multiple sources, correlates events, performs sophisticated threat analysis and offers alerting capabilities, enabling IT teams to respond quickly.
However, SIEM log monitoring tools do have some drawbacks. In particular, they are often:
- Complex and expensive: Compared to log management solutions, SIEM tools are more complicated to operate and set up. As a result, they may require dedicated — and costly — personnel.
- Not designed to identify vulnerabilities: SIEMs are built to detect active threats, but they can’t spot security gaps to reduce your attack surface or help you understand which data is sensitive and requires protection.
- Likely to generate false alarms: SIEM tools can generate numerous false alarms. IT teams will spend enormous amounts of time investigating them if the tools are not tuned properly.
Extend Your Log Monitoring Capabilities with Netwrix Solutions
Netwrix products offer a more holistic approach to security than SIEM solutions:
- Netwrix Auditor will help you perform regular risk assessments to improve security, pass compliance audits and optimize IT operations.
- Netwrix Change Tracker will help you establish and maintain secure configurations of critical systems.
- Netwrix Data Classification will identify and classify sensitive and business-critical content across your organization.
- Netwrix StealthDEFEND and Netwrix Threat Prevention will help you to identify and respond to abnormal behavior and advanced attacks.
FAQ
What is event log auditing?
Event log auditing is the practice of processing and analyzing the logs from enterprise IT systems.
What is audit log monitoring?
Audit log monitoring is another term for event log auditing. Another interchangeable term is log file auditing.
What do event logs tell you?
Event logs contain information about the operation and use of operating systems, devices and applications.