Security Log Management

Identifying Patterns in the Chaos

Multiple Authors -

ISBN: 1-59749-042-3

Syngress Publishing, Inc., Copyright 2006

I have to admit, this book wasn't entirely what I expected. For several chapters, I was introduced to more shell scripting, PHP scripting, and poorly printed screen shots than what I would generally expect from a book that at first appeared to have been directed towards security analysts instead of system administrators and web developers. However, despite its flaws, "Security Log Management" does have its merits during its middle chapters which aren't based on excessive code snippets and blatant endorsements for Microsoft's Log Parser.

To be honest, the book started off on a bad foot by mentioning "a recent report by the group mi2g" (page 12) regarding the worldwide cost of malware. The statistics involved, as well as the dubious source of the report, may or may not have been checked by an editor (more on that later), but there are several examples later in the book that show that it was not thoroughly proofread before final publication. Other pages in chapter 1 describe "self-poisoning" of DNS servers, pages upon pages of cut-and-paste code, and poorly published graphics. As previously mentioned, not a good start, but the end-of-chapter summaries and fast track sections are clear and concise throughout the entire book.

The book often suggests using free tools to build into analysis and reporting for system logs. Excellent point, since using open source tools can either provide an adequate amount of data or provide justification for the purchase and/or use of larger-scale solutions. Chapters 2, 3, and 4 focus on IDS, firewall, and system/network device reporting. Page 120 made me cringe a bit with phrases such as "this is best done" and "we want to use"; later in the book, it is pointed out that each particular environment should choose what type of log management is best, so I don't understand why blanket endorsements or solutions are given in early chapters. Again, however, the end-of-chapter summaries are direct and get to the points that the texts of the chapters sometimes elude.

Chapter 5 discusses creating a reporting infrastructure and is generally heavy on code and graphs, which may or may not be useful for any one particular environment. Chapter 6, "Scalable Enterprise Solutions", is probably the most informative section of the book. While the general focus of the book to this point has been on code, graphs, charts, and "solutions", the point that policies should be deployed *before* solutions is important and should have been stressed much earlier in the book. The sections on ESM implementation, usability, and vendor support are well written, and the mention of the "human touch" in log analysis was unexpected but appreciated. Too often, focus on log analysis is based on systems and not people.. but since people are the ones who read the logs, it's nice that the human species gets a prop now and then.

The last three chapters mainly deal with Microsoft Log Parser. I have to be honest.. I read the chapters, but really didn't see much value in them. Calling Microsoft Log Parser "the obvious choice of tool" seems somewhat promotional, especially considering the book's foreward was written by Gabriele Giuseppini, a developer for Microsoft Log Parser. Good information, but not really useful unless you're either using (or planning to use) MLP in a particular situation.

Overall, I have mixed feelings about this book. For a person who reads logs as a *hobby* (and yes, that's a sad admission, but the truth), I found the book to have good tips in some sections, but somewhat lacking in many areas. Too much code and too many graphs may not be appealing to some readers, and a few sections that say "this is the best tool" or "this is best done by..." (as well as the numerous typographical and grammatical errors) apparently weren't scrutinized by editors. Worth a read for anyone interested in log analysis, but feel free to skip over sections and chapters that don't interest you or specifically apply to your professional (or personal) environment.


Snippets (was re: proof, please):

A recent report by the group mi2g calculates the cost of malware "[sic] at around 600 million Windows-based computers worldwide, which works out to $281 to $340 worth of damage per machine." (page 12-13)
For an outbound policy violation, this address will be from a system on you LAN;... (page 119)
Q: My Web server has virtually hosts. How should I handle... (page 164)

main page ATTRITION feedback