After spending so much effort building a case for audit trail and log analysis, let's play devil's advocate and present an argument that strives to negate some of the proposed benefits.
We assume that security incidents are investigated using logfiles. This premise, however, can be questioned. Some sources indicate that every hacker worth his Mountain Dew leaves no traces in system logs and easily bypasses intrusion detection systems. If the activity wasn't logged, you can't analyze it. Additionally, logging infrastructure is often designed in a way that lets logfiles be erased by the very attackers whose presence they track. Again, if you allow the intruder to erase the log, you can't analyze it.
It often happens (in fact, it happened to one of the authors) that an eager investigator arrives on the scene of a computer incident and promptly activates his response plan: "First step, look at the system logs." However, much to his chagrin, there aren't any. Logging either was not enabled or was directed to /dev/null by people who did not want to see "all this stuff" cluttering the drive space. What's the solution? Well, there isn't one, actually. If the logs are not preserved until the time they are needed, you can't analyze them.
Even worse, sometimes there is a trace of an intrusion in the appropriate system file; for example, the IP address of somebody who connected to an exploited system right about the time the incident occurred. But if all you have is an IP address, have you actually proved anything? It is easy to preach about advanced incident response procedures while sitting on a full traffic capture with the intruder's keystroke-recorded session, but in real life, logs are not always so detailed. If logs are not detailed enough to draw conclusions, all together now, you can't analyze them.
Log analysis often has to be done in spite of these pitfalls. However, it makes sense to always keep them in mind. If "logging everything" is not an option (due to storage, bandwidth, or application limitations), you might need to analyze what is available and try to reach a meaningful conclusion despite the challenges.
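One defender-side check that follows from these pitfalls, as an added example that is not part of the original chapter: audit a classic syslog.conf before an incident for facilities routed to /dev/null and for the absence of remote forwarding (the only thing that keeps a copy out of an intruder's reach). The sample configuration below is constructed for the example.

```python
"""Audit a classic syslog.conf for two log-preservation pitfalls: messages
discarded to /dev/null, and logs that exist only on the host an intruder
could wipe. Added example; the sample configuration is constructed."""
import re

# Constructed sample: the "we don't want all this stuff" configuration.
SAMPLE_SYSLOG_CONF = """\
# /etc/syslog.conf (constructed for this example)
*.info;mail.none;authpriv.none    /var/log/messages
authpriv.*                        /dev/null
auth.*                            /dev/null
kern.*                            /var/log/kern.log
mail.*                            /var/log/maillog
"""

# A rule is "<selector> <action>"; comments and blank lines carry no rule.
RULE_RE = re.compile(r"^\s*([^\s#]+)\s+(\S+)\s*$")


def parse_rules(conf_text):
    """Return (selector, action) pairs from syslog.conf text."""
    rules = []
    for line in conf_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group(1), m.group(2)))
    return rules


def audit_syslog_conf(conf_text):
    """Return findings a responder would rather learn before the incident."""
    findings = []
    rules = parse_rules(conf_text)
    for selector, action in rules:
        if action == "/dev/null":
            # Facility discarded entirely: if it wasn't logged, it can't be analyzed.
            findings.append(f"discarded: {selector} -> /dev/null")
    # Logs kept only on the compromised host can be erased by the intruder;
    # an action starting with '@' forwards a copy to a remote collector.
    if not any(action.startswith("@") for _, action in rules):
        findings.append("no remote forwarding: local logs are the only copy")
    return findings


if __name__ == "__main__":
    for finding in audit_syslog_conf(SAMPLE_SYSLOG_CONF):
        print(finding)
```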
As we've mentioned, there are many tools to perform log analysis. However, this chapter would be incomplete without delving into Security Information Management (SIM) solutions.