Chapter 20. Network Log Analysis


One of the most challenging, yet rewarding, aspects of perimeter security is network log file analysis. This process involves trying to identify intrusions and intrusion attempts through vigilant monitoring and analysis of various log files and then correlating events among those files. There are many different types of network log files to review, from network firewalls, routers, and packet filters to host-based firewalls and intrusion detection systems (IDSs). Although analyzing log files might sound a bit tedious to you, the techniques presented in this chapter can help you to gain a great deal of value from your files in a short amount of time.

This chapter discusses several important topics that demonstrate why log file analysis is so critical to establishing and maintaining a strong perimeter defense:

  • Purpose and characteristics of log files

  • Basics of log file analysis, particularly how to automate as much of the analysis as possible

  • Examples of how to analyze router, packet filter, network firewall, host-based firewall, and host-based IDS logs

By the end of this chapter, you should be well prepared to perform your own analysis of network log files in your environment to accurately identify suspicious and malicious activity and to respond to it quickly. As a first step toward that goal, let's talk about why you should care about log files and what they can tell you if you listen.
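The two ideas in the introduction above, automating the tedious part of log review and correlating events across log files from different devices, can be shown concretely with a small script. The following is an added example, not code from the book or its authors. It parses two constructed log samples (one approximating the Linux iptables kernel log format, one approximating a Cisco IOS ACL deny message), normalizes them into a common event record, and then groups denied connections by source address across both logs. A source that touches several distinct destination ports, or that shows up in more than one device's log, is reported for an analyst to look at. The log lines, hostnames, addresses and thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample logs. The formats approximate an iptables LOG target
# (first block) and a Cisco IOS ACL deny message (second block); they are
# illustrative, not captured from real devices.
FIREWALL_LOG = """\
Mar  3 02:14:07 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=41022 DPT=22
Mar  3 02:14:08 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=41023 DPT=23
Mar  3 02:14:09 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=41024 DPT=80
Mar  3 02:14:10 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=41025 DPT=443
Mar  3 02:20:31 fw kernel: DROP IN=eth0 SRC=198.51.100.77 DST=192.0.2.10 PROTO=TCP SPT=55000 DPT=25
"""

ROUTER_LOG = """\
Mar  3 02:13:59 rtr1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(41020) -> 192.0.2.10(135), 1 packet
Mar  3 02:14:02 rtr1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(41021) -> 192.0.2.10(139), 1 packet
Mar  3 02:30:12 rtr1 %SEC-6-IPACCESSLOGP: list 101 denied udp 192.0.2.44(5353) -> 192.0.2.10(53), 1 packet
"""

SYSLOG_TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"

# One regex per log format; each exposes the same named groups so the
# parser below can treat both sources uniformly.
FW_RE = re.compile(
    SYSLOG_TS + r" \S+ kernel: (?P<action>\w+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)
RTR_RE = re.compile(
    SYSLOG_TS + r" \S+ %SEC-6-IPACCESSLOGP: list \S+ (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<spt>\d+)\) -> (?P<dst>[\d.]+)\((?P<dpt>\d+)\)"
)

# Actions that mean "the device refused this packet", normalized to lowercase.
DENY_ACTIONS = {"drop", "deny", "denied", "reject"}


@dataclass(frozen=True)
class Event:
    timestamp: str    # raw syslog timestamp (no year); kept as text here
    source_log: str   # which log file the event came from
    action: str
    proto: str
    src: str
    dst: str
    dport: int


def parse_log(text: str, pattern: re.Pattern, source_log: str) -> List[Event]:
    """Turn raw lines into Event records. Non-matching lines are skipped;
    a production parser should count them so a format change is noticed."""
    events = []
    for line in text.splitlines():
        m = pattern.search(line)
        if not m:
            continue
        events.append(Event(m["ts"], source_log, m["action"].lower(),
                            m["proto"].lower(), m["src"], m["dst"], int(m["dpt"])))
    return events


def find_suspicious(events: List[Event], port_threshold: int = 3,
                    min_logs: int = 2) -> Dict[str, dict]:
    """Correlate denied events by source IP across all logs and report sources
    that probed many distinct ports or were refused by more than one device."""
    by_src = defaultdict(lambda: {"logs": set(), "ports": set(), "count": 0,
                                  "first_seen": None, "last_seen": None})
    for ev in events:
        if ev.action not in DENY_ACTIONS:
            continue
        s = by_src[ev.src]
        s["logs"].add(ev.source_log)
        s["ports"].add(ev.dport)
        s["count"] += 1
        # String min/max is adequate for same-month samples; parse real
        # timestamps (with year and timezone) before relying on ordering.
        s["first_seen"] = min(filter(None, [s["first_seen"], ev.timestamp]))
        s["last_seen"] = max(filter(None, [s["last_seen"], ev.timestamp]))

    findings = {}
    for src, s in by_src.items():
        reasons = []
        if len(s["ports"]) >= port_threshold:
            reasons.append(f"{len(s['ports'])} distinct destination ports")
        if len(s["logs"]) >= min_logs:
            reasons.append("denied by " + " and ".join(sorted(s["logs"])))
        if reasons:
            findings[src] = {"events": s["count"], "ports": sorted(s["ports"]),
                             "logs": sorted(s["logs"]), "first_seen": s["first_seen"],
                             "last_seen": s["last_seen"], "reasons": reasons}
    return findings


def analyze_samples() -> Dict[str, dict]:
    """Run the full pipeline over the constructed samples."""
    events = (parse_log(FIREWALL_LOG, FW_RE, "firewall")
              + parse_log(ROUTER_LOG, RTR_RE, "router"))
    return find_suspicious(events)


if __name__ == "__main__":
    for src, f in analyze_samples().items():
        print(f"{src}: {f['events']} denied events, ports {f['ports']}, "
              f"{f['first_seen']} .. {f['last_seen']}; " + "; ".join(f["reasons"]))
```

The point of the normalization step is that the correlation logic never has to know which device produced a line; adding a third source (a host-based firewall, say) means writing one more regex, not rewriting the analysis. The thresholds are deliberately low for the sample; on a real perimeter they should be tuned against a baseline of normal denied traffic so that the report stays short enough to be read every day.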



Inside Network Perimeter Security (2nd Edition)
ISBN: 0672327376
Year: 2005
Pages: 230