Effective event logging is critical to maintaining application and network health, performance, and security. This article discusses security event logs and explains how organizations use them to protect their networks, applications, and data.
First, let's clear up the confusion surrounding the terms "security log," "security incident," and "security event." They are often used interchangeably, which is incorrect: while closely related, they are not synonyms.
It's important to note that while every incident is an event, not every event is an incident. An attempted breach is a security event; it becomes a security incident only if the attempt succeeds in compromising a system, account, or data.
The typical organizational data environment contains a dizzying array of applications, services, and endpoint devices, all generating logs at a rate that would be impossible for human staff to analyze manually. Instead, IT teams use security solutions, such as security information and event management (SIEM) systems, to ingest logs and identify security events and incidents. A SIEM does not investigate or mitigate security events or incidents itself; its job is to correlate the incoming events, flag the suspicious ones, and notify human security personnel.
The Windows operating system logs activity from its software and hardware components, and administrators can view those records directly in the Event Viewer application, which classifies events into six default categories.
While "Security" is its own category, an event in any category could affect organizational security. For example, the DNS Server log could contain entries indicating a possible DNS attack.
Linux operating system logs record events related to the server, the kernel, and running applications. Events fall into four categories: application logs, event logs, service logs, and system logs.
Linux administrators have several options for viewing logs directly:
In addition to operating system logs, organizations commonly monitor these log and information sources:
Though not log data as such, many organizations also load business-process mappings, points of contact, and partner information into their SIEMs so that alerts can be enriched with that context.
Because compromised login credentials are involved in so many cyberattacks, credential-related events are among the most common entries in security event logs. Besides a user connecting, or attempting to connect, to a system from an unusual IP address, security event logs may show failed login attempts, which deserve particular attention when they are repeated or target privileged or critical systems. Changes in user privileges, especially increases in privilege, are another event that could indicate compromised credentials (or credential abuse by an insider).
Other common security events include:
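The three credential-related signals described above (repeated failed logins from one source, a successful login from an IP address the user has never used before, and an increase in privileges) can each be expressed as a small rule over the Linux authentication log. The following Python script is an added example, not code from the original article; it runs over constructed sshd/usermod lines in the usual syslog format, assumes a log year of 2024 (syslog lines carry none), treats membership in the sudo, wheel, admin, or root groups as a privilege increase, and takes a per-user baseline of known source IPs as input. Thresholds and group names are assumptions to be tuned for a real environment.

```python
"""Detect credential-abuse signals in Linux auth.log-style lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in sshd/usermod syslog format; not taken from any real host.
SAMPLE_LOG = """\
Mar  4 09:12:01 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2
Mar  4 09:12:03 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 41023 ssh2
Mar  4 09:12:05 web1 sshd[2215]: Failed password for root from 203.0.113.5 port 41024 ssh2
Mar  4 09:12:07 web1 sshd[2218]: Failed password for root from 203.0.113.5 port 41025 ssh2
Mar  4 09:12:09 web1 sshd[2221]: Failed password for root from 203.0.113.5 port 41026 ssh2
Mar  4 09:12:11 web1 sshd[2224]: Accepted password for root from 203.0.113.5 port 41027 ssh2
Mar  4 09:30:44 web1 sshd[2301]: Accepted publickey for alice from 192.0.2.10 port 50122 ssh2
Mar  4 09:31:02 web1 sshd[2310]: Accepted publickey for alice from 192.0.2.10 port 50130 ssh2
Mar  4 10:02:17 web1 sshd[2400]: Accepted publickey for alice from 198.51.100.77 port 60001 ssh2
Mar  4 10:03:40 web1 usermod[2455]: add 'bob' to group 'sudo'
"""

# Syslog envelope plus the three message shapes this example understands.
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>[\d.]+)")
GROUP_ADD_RE = re.compile(r"usermod\[\d+\]: add '(?P<user>[^']+)' to (?:shadow )?group '(?P<group>[^']+)'")

PRIVILEGED_GROUPS = {"sudo", "wheel", "admin", "root"}  # assumption: membership here is a privilege increase
LOG_YEAR = 2024  # assumption: syslog timestamps carry no year


def parse(text):
    """Turn raw lines into (time, kind, user, ip_or_group) tuples; lines we don't model are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        for kind, rx in (("failed", FAILED_RE), ("accepted", ACCEPTED_RE), ("group_add", GROUP_ADD_RE)):
            hit = rx.search(m["msg"])
            if hit:
                target = hit["group"] if kind == "group_add" else hit["ip"]
                events.append((ts, kind, hit["user"], target))
                break
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Flag a source IP with >= threshold failures inside the window; escalate if it then logs in."""
    alerts, recent, flagged = [], defaultdict(deque), set()
    for ts, kind, user, ip in events:
        if kind == "failed":
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:  # drop failures that fell out of the sliding window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "brute_force", "ip": ip, "failures": len(q), "severity": "medium"})
        elif kind == "accepted" and ip in flagged:
            alerts.append({"type": "success_after_brute_force", "ip": ip, "user": user, "severity": "high"})
    return alerts


def detect_new_source(events, baseline):
    """Flag a successful login from an IP not in the user's baseline; alert once per new (user, ip)."""
    alerts = []
    seen = {user: set(ips) for user, ips in baseline.items()}
    for ts, kind, user, ip in events:
        if kind == "accepted" and ip not in seen.setdefault(user, set()):
            alerts.append({"type": "new_source_ip", "user": user, "ip": ip, "severity": "low"})
            seen[user].add(ip)
    return alerts


def detect_privilege_change(events):
    """Flag any user added to a group that confers administrative rights."""
    return [{"type": "privilege_increase", "user": user, "group": grp, "severity": "high"}
            for ts, kind, user, grp in events if kind == "group_add" and grp in PRIVILEGED_GROUPS]


def analyze(text, baseline):
    """Run all three rules over the log text and return the combined alert list."""
    events = parse(text)
    return detect_brute_force(events) + detect_new_source(events, baseline) + detect_privilege_change(events)


if __name__ == "__main__":
    # Constructed baseline: alice normally connects from 192.0.2.10; root has no known source.
    for alert in analyze(SAMPLE_LOG, {"alice": {"192.0.2.10"}}):
        print(alert)
```

Against the sample, the rules produce five alerts: the brute-force run from 203.0.113.5, the root login that follows it (escalated to high because it succeeds from an already-flagged source), two new-source logins (root, which has no baseline, and alice from 198.51.100.77), and bob being added to the sudo group. In practice the baseline would be built from weeks of accepted logins rather than hard-coded, and the window and threshold would be tuned to the host's normal failure rate.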