By Ipswitch, Inc.
Network Management Division
www.whatsupgold.com
October 2010
Table of Contents
Executive Summary
Introduction
Monitoring Log Files
A Real-World Scenario
Conclusion
Executive Summary
Event log management (the monitoring, collection, consolidation, and analysis of log files) has become a necessary and expanding
burden for network security professionals and IT administrators.
Having multiple servers running different operating systems, with several log types on each machine, generates a vast amount of
log data. When routers, firewalls, and other devices such as VPN concentrators are added, the volume of data that must be kept readily
accessible is staggering. In fact, a single Microsoft Windows Server event log is capable of generating over one gigabyte of log data
in just one 24-hour period. Multiply this by the number of servers in an organization, then by the length of time log files are to be
stored, and the event maintenance task becomes seemingly unmanageable. Add to this equation firewalls, VPNs, routers, web-based
applications, the new EVTX log format, and a growing presence of telecommuters in public spaces, and in theory the system appears
unbalanced to the point of failure.
Introduction
Event logs allow administrators to look back at the recent history of a server or network device and see trends, failures, successes,
and other information vital to the organization. In real time, they can also provide indicators of Trojan and malware infections across
machines and networks. Event logs also hold potentially valuable forensic evidence. In the aftermath of a network security breach,
event logs hold all of the information about the breach: how it happened, when it happened, and, in the end, the keys to preventing
another breach.
Because it provides both a frontline defense and the pieces to put together in a forensic investigation, the event log is now a
central component in network security. Many organizations have no choice but to develop a log management strategy, because compliance
with regulatory acts and standards such as Sarbanes-Oxley or HIPAA hinges on it.
Regardless of whether log management has been deemed necessary because of internal security policies or because of
compliance with an external standard, manual management of log files is obviously not an option; the task is simply overwhelming
and the results are unreliable. Who could honestly accept the liability of tracking each and every event generated on a network?
Automation of routine log management tasks is now a necessity, both because of the resource requirements and because of the burden of
responsibility.
are. Add to the mix the recent log format shift from EVT to EVTX, and the homegrown route is a
minefield of IT headaches and resource drain.
More and more, the WhatsUp Event Archiver log consolidation and collection software is becoming the solution of choice for IT
groups stuck between tighter resources and expanding requirements. The ability to automate reliable and consistent collection
and consolidation of log data means fewer resources need to be devoted to the project from day one. In addition, network security
professionals who face requirements to store data for months or more should seriously consider compression capability,
something that WhatsUp Event Archiver includes. Otherwise, the costs of storage, and of the manual collection
and compression absorbed by staff, will add up surprisingly over time.
Finally, flexibility in log collection and storage type is important, both in terms of how the solution fits into an organization's network
infrastructure and in terms of reliability when the data is called upon. Keep in mind that collecting events into a database
provides for easy searching and filtering, while compressed storage of the logs provides the most reliable resource for future use
of the log file in an investigation. For these reasons, WhatsUp Event Archiver supports a wide variety of storage types and formats.
Monitoring Log Files
Operational issues can arise directly from your infrastructure or from the actions of rogue users or external threats that can
potentially harm your business. For the latter, there is no better strategy than to actively monitor the event logs across your
infrastructure. Whether it involves multiple attempts on a login screen that look suspicious, an unexpected change in user rights,
or unauthorized data access that can lead to an information breach, these and other network security threats can happen at any
time. Running behind the scenes as a set of Windows services, WhatsUp Event Alarm constantly watches over log files, immediately
sending out alert notifications at the first sign of trouble. With advance warning from WhatsUp Event Alarm, network personnel
can initiate investigation and triage processes according to their established security policies and compliance requirements.
A Real-World Scenario
The latest Microsoft vulnerability is announced on the security lists, and within 12 hours a new and dangerous trojan is sweeping
the Internet. A large organization with a typical IT staff is busy applying the patch to its Windows-based servers. All goes well
and time passes.
After several days, the Help Desk begins getting reports of domain account lockouts. When the calls become incessant,
the IT administrators begin to see their system accounts, such as Exchange and SQL Server and administrative service
accounts, getting locked out with alarming frequency.
Administrators check the log files on the servers and are distressed to see that no single account is being
used to cause the lockouts. Also, IP addresses and machine names are not showing up in the logs as they should.
In fact, the logs are so full that they have been overwriting themselves for several hours, and all the events contained
in them are virtually useless. The administrators are now faced with a mountain of log information that will take
many hours to pore through manually, and in the end their work might very well prove an exercise in futility.
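The scenario above (lockouts spread across many accounts, with the caller workstation and address fields blank) and the repeated suspicious logon attempts mentioned under Monitoring Log Files are the kind of patterns an automated log monitor should flag. The following Python is an added example, not Ipswitch's or WhatsUp's code: the key=value log layout, the sample events, the thresholds and the function names are assumptions made for this illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not real log output: 4625 (failed logon) and 4740
# (account locked out) are real Windows event IDs; all names are made up.
SAMPLE_LOG = """\
2010-10-05T09:00:01 id=4625 account=jdoe workstation=WS-114 ip=10.1.4.22
2010-10-05T09:00:03 id=4625 account=jdoe workstation=WS-114 ip=10.1.4.22
2010-10-05T09:00:05 id=4625 account=jdoe workstation=WS-114 ip=10.1.4.22
2010-10-05T09:00:06 id=4625 account=jdoe workstation=WS-114 ip=10.1.4.22
2010-10-05T09:10:00 id=4740 account=svc_exchange workstation= ip=
2010-10-05T09:10:20 id=4740 account=svc_sql workstation= ip=
2010-10-05T09:10:45 id=4740 account=backup_admin workstation= ip=
2010-10-05T13:00:00 id=4740 account=jsmith workstation=WS-201 ip=10.1.7.9
"""

def parse(text):
    events = []
    for line in text.splitlines():
        ts, *pairs = line.split()  # first token is an ISO timestamp
        rec = {"ts": datetime.fromisoformat(ts)}
        for pair in pairs:
            key, _, value = pair.partition("=")
            rec[key] = value
        events.append(rec)
    return events

def failed_logon_bursts(events, threshold=4, window=timedelta(minutes=1)):
    # Accounts with >= threshold failed logons (4625) inside one window.
    by_acct = defaultdict(list)
    for e in events:
        if e["id"] == "4625":
            by_acct[e["account"]].append(e["ts"])
    return sorted(acct for acct, t in by_acct.items()
                  if any(t[i + threshold - 1] - t[i] <= window
                         for i in range(len(t) - threshold + 1)))

def lockout_storm(events, min_accounts=3, window=timedelta(minutes=5)):
    # Accounts locked out (4740) within one window once their number reaches
    # min_accounts, else []: the scenario's "no single account" pattern.
    locks = [e for e in events if e["id"] == "4740"]
    for i, first in enumerate(locks):
        hit = {e["account"] for e in locks[i:] if e["ts"] - first["ts"] <= window}
        if len(hit) >= min_accounts:
            return sorted(hit)
    return []

def missing_origin(events):
    # Events whose caller workstation and IP are blank, as in the scenario.
    return [e["account"] for e in events if not e["workstation"] and not e["ip"]]
```

Each rule returns the accounts it matched, so the output can be turned into an alert rather than left for someone to find by reading the raw log.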
Conclusion
Perimeter defense with firewalls and screening routers is the first line of defense in network security's big picture, but a sound and
thorough event log management solution gives IT administrators and network security staff an essential tool for troubleshooting,
diagnosing and fixing potential problems, as well as more serious immediate challenges like trojans, malicious code, and viruses.
As organizational infrastructures continue to grow and evolve in complexity, the need for rational data analysis is becoming a
fundamental issue to daily operations. IT staff are notoriously bombarded with information and demands from every source in the
organization, and the problems are not going away on their own. Giving IT staff a tool that will allow them to diagnose, troubleshoot,
and solve problems is essential.
It is also beneficial to upper management, on whom more demands of auditability and accountability are being placed. And, if the
past is an indicator of future trends, these demands will only intensify.