SANS 20 Critical IT Security Controls #6: Maintaining and Monitoring Audit Logs

Nearly all network components can log their activity, but most companies have no formal policy of reviewing those logs on a daily basis. Network logs contain the evidence of a successful penetration of your systems by attackers. Catching an intrusion early alerts you to a vulnerable system and prevents catastrophic damage; if you don't examine log files religiously, you may be allowing an attacker to control parts of your network for a long period of time without noticing.

The first thing you must do to make system logs useful is to configure appropriate audit log settings on all hardware devices as well as software: network firewalls, routers, and UNIX/Linux and Windows servers, for example. Ensure that the logs follow a standardized format such as syslog or the Common Event Expression (CEE) format; where a device cannot emit a standard format natively, use a log normalization tool to convert its records. Synchronize the clocks of every logging device (for instance with NTP) so that events from different systems can be ordered and correlated. Configure verbose logging on all network boundary devices, including firewalls, intrusion prevention systems, and inbound and outbound proxies, and make sure the logs capture blocked access attempts as well as permitted ones. You must also log every unauthorized and failed attempt to log in to a server or database.

Your system and network administrators must review the logs daily to see whether there is any unusual activity that may indicate an attack. Record verbose logs of all remote access to your internal network, whether through VPN, dial-up or other mechanisms. Since logging can consume a lot of space, ensure that you have adequate disk capacity to retain all logs, and automate the archiving and compression of older logs on a regular schedule.
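The two steps above, normalizing logs from different devices into one format and then reviewing them daily for suspicious patterns, are easier to see in code. The following is an added example written for this page, not code from the original article or from SANS: it parses BSD-style syslog records from a Linux sshd host and a firewall, normalizes them into a small common event vocabulary, and then runs the kind of check an administrator performs on the day's logs (repeated failed logins, a success from the same source right after them, and blocked inbound connections). The log lines, hostnames, addresses and the five-failure threshold are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog records for this example (hostnames, addresses and
# times are made up); one Linux sshd host and one firewall forwarding to a
# collector. Nothing here comes from a real system.
SAMPLE_LOGS = """\
Mar 12 02:14:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar 12 02:14:03 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51023 ssh2
Mar 12 02:14:05 web01 sshd[2214]: Failed password for root from 203.0.113.45 port 51030 ssh2
Mar 12 02:14:09 web01 sshd[2214]: Failed password for root from 203.0.113.45 port 51031 ssh2
Mar 12 02:14:12 web01 sshd[2214]: Failed password for root from 203.0.113.45 port 51032 ssh2
Mar 12 02:14:20 web01 sshd[2220]: Accepted password for deploy from 203.0.113.45 port 51040 ssh2
Mar 12 02:15:00 web01 sshd[2230]: Accepted publickey for alice from 198.51.100.7 port 40112 ssh2
Mar 12 02:15:30 fw01 kernel: DROP IN=eth0 OUT= SRC=203.0.113.45 DST=10.0.0.5 PROTO=TCP DPT=3389
Mar 12 02:15:31 fw01 kernel: DROP IN=eth0 OUT= SRC=203.0.113.45 DST=10.0.0.5 PROTO=TCP DPT=445
"""

# BSD-style syslog header: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

# Message patterns mapped to a small common event vocabulary. The named groups
# become fields of the normalized event.
MESSAGE_PATTERNS = [
    ("auth_failure", re.compile(
        r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")),
    ("auth_success", re.compile(
        r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<src>\S+) port \d+")),
    ("fw_drop", re.compile(
        r"DROP .*SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*DPT=(?P<dport>\d+)")),
]


def normalize(line, year=2024):
    """Parse one syslog line into a flat event dict, or None if it is not syslog.
    BSD syslog timestamps carry no year, so the caller supplies it."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = " ".join(m["ts"].split())  # collapse the padding in e.g. "Mar  5"
    event = {
        "time": datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S"),
        "host": m["host"], "program": m["prog"], "action": "other",
        "user": None, "src": None, "dst": None, "dport": None, "raw": line,
    }
    for action, pattern in MESSAGE_PATTERNS:
        mm = pattern.search(m["msg"])
        if mm:
            event["action"] = action
            event.update(mm.groupdict())
            break
    return event


def daily_review(events, failure_threshold=5):
    """Flag per-source patterns an administrator reviewing the day's logs
    would want to see: repeated failed logins (worse if followed by a
    success from the same source) and blocked inbound connections."""
    findings = []
    by_src = defaultdict(list)
    for e in events:
        if e["src"]:
            by_src[e["src"]].append(e)
    for src, evs in sorted(by_src.items()):
        evs.sort(key=lambda e: e["time"])
        failures = [e for e in evs if e["action"] == "auth_failure"]
        if len(failures) >= failure_threshold:
            finding = {"src": src, "type": "brute_force", "severity": "medium",
                       "failures": len(failures),
                       "targets": sorted({e["user"] for e in failures})}
            last_failure = failures[-1]["time"]
            if any(e["action"] == "auth_success" and e["time"] > last_failure
                   for e in evs):
                # A success right after a run of failures suggests a guessed password.
                finding.update(type="brute_force_then_success", severity="high")
            findings.append(finding)
        drops = [e for e in evs if e["action"] == "fw_drop"]
        if drops:
            findings.append({"src": src, "type": "blocked_inbound", "severity": "low",
                             "ports": sorted({int(e["dport"]) for e in drops})})
    return findings


def review_log_text(text):
    """Normalize every parseable line of a log file and run the daily review."""
    events = [e for e in (normalize(line) for line in text.splitlines()) if e]
    return daily_review(events)


if __name__ == "__main__":
    for finding in review_log_text(SAMPLE_LOGS):
        print(finding)
```

On the constructed sample the review reports the source 203.0.113.45 twice: five failed logins against admin and root followed by a successful password login as deploy (high severity), and blocked inbound connections to ports 445 and 3389. The second finding is only visible because the firewall was configured to log what it dropped, which is the point of logging blocked attempts.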

It's important to dedicate a server to logging, which makes it harder for an attacker to tamper with the logs, and to forward logs to it promptly so that an attacker who compromises a host cannot erase the local copy before it has been collected. Use write-once media or append-only storage to protect the logs. A Security Information and Event Management (SIEM) tool aggregates and consolidates logs from different machines for correlation and analysis. Your administrators must correlate attack detection events with stored vulnerability scanning results to see whether the attacker gained access through a known vulnerability.
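The last recommendation, correlating detection events with stored vulnerability scan results, is shown below as an added example written for this page (not code from the article, from SANS, or from any SIEM product). It assumes detection events and scan results have already been collected into the simple dict shapes shown; the hosts, ports, timestamps and finding descriptions are constructed, and the 30-day scan-age limit is an assumed policy value. Each detection is matched to a scan finding on the attacked host and port, and the result also records whether the scan is current, stale, or missing, because a match against a two-month-old scan tells you much less than a match against yesterday's.

```python
from datetime import datetime, timedelta

# Constructed detection events in the shape a SIEM correlation rule might emit.
# All hosts, addresses and times are made up for this example.
DETECTIONS = [
    {"time": datetime(2024, 3, 12, 2, 14), "host": "web01", "dport": 22,
     "src": "203.0.113.45", "type": "brute_force_then_success"},
    {"time": datetime(2024, 3, 12, 3, 5), "host": "db01", "dport": 1433,
     "src": "203.0.113.45", "type": "anomalous_query_volume"},
    {"time": datetime(2024, 3, 12, 4, 0), "host": "app02", "dport": 8443,
     "src": "198.51.100.7", "type": "auth_failure_spike"},
]

# Constructed vulnerability scan results keyed by scanned host. The finding
# texts are illustrative descriptions, not identifiers from any real scanner.
SCAN_RESULTS = {
    "web01": {"scanned": datetime(2024, 3, 10), "findings": [
        {"port": 22, "service": "ssh", "severity": "medium",
         "finding": "password authentication enabled; no lockout policy"}]},
    "db01": {"scanned": datetime(2024, 1, 5), "findings": [
        {"port": 1433, "service": "mssql", "severity": "high",
         "finding": "database listener exposed to untrusted network segment"}]},
    # app02 has never been scanned, so it is deliberately absent.
}


def correlate(detections, scan_results, max_scan_age=timedelta(days=30), now=None):
    """Attach to each detection the scan finding (if any) for the attacked
    host and port, note whether that scan is current, stale or missing, and
    assign a triage priority. `now` defaults to the latest detection time."""
    now = now or max(d["time"] for d in detections)
    rows = []
    for d in detections:
        row = dict(d, matched=None, scan_status="not_scanned", priority=None)
        scan = scan_results.get(d["host"])
        if scan is not None:
            age = now - scan["scanned"]
            row["scan_status"] = "stale" if age > max_scan_age else "current"
            for finding in scan["findings"]:
                if finding["port"] == d["dport"]:
                    row["matched"] = finding
                    break
        if row["matched"] is not None:
            # A known, unremediated weakness on the very service that was
            # attacked: treat as an incident, not just an alert.
            row["priority"] = "incident"
        elif row["scan_status"] == "current":
            # Nothing known on that port: an unknown weakness or misuse of
            # valid credentials; still needs a human look.
            row["priority"] = "investigate"
        else:
            # No usable scan data, so the absence of a match means nothing.
            row["priority"] = "rescan_and_investigate"
        rows.append(row)
    return rows


def triage_queue(rows):
    """Order correlated rows so the most urgent land first."""
    order = {"incident": 0, "rescan_and_investigate": 1, "investigate": 2}
    return sorted(rows, key=lambda r: (order[r["priority"]], r["time"]))


if __name__ == "__main__":
    for row in triage_queue(correlate(DETECTIONS, SCAN_RESULTS)):
        print(row["priority"], row["host"], row["dport"], row["scan_status"],
              row["matched"]["finding"] if row["matched"] else "-")
```

On the constructed data, web01 is an incident backed by a two-day-old scan, db01 is an incident but the matching scan is stale (the exposure may have changed since January), and app02 has never been scanned, so the correlation cannot say anything about a known vulnerability and the host needs a rescan alongside the investigation.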
