Now that you have logging set up, your most difficult task is to make sense of logging information found in your logging messages. I discussed some of this in the previous chapter related to DoS attacks. In this chapter, I give only an overview of what you should look for in your log files, as well as additional tools that you can use to make this process easier.
At a base level, every day you should look at the following items concerning your log files:
How many total messages were recorded in yesterday's log file?
Is this more or less than the day before? You should have a baseline developed that shows, on average, the number of entries per day or based on the day of week. If there is a huge discrepancy, scrutinize the logging process and the log file to look for any problems or issues.
How many messages did you have for each severity level in yesterday's log file?
Again, you should have a baseline for this information and should examine any major discrepancies.
Are you seeing any new types of messages in your log files that you rarely see?
If so, again, you should scrutinize these log messages.
If you are logging ACL entries, what are the top 10 denied IP addresses?
Look at not only the top 10 denied IP addresses, but also the network numbers that these are from. If there is a pattern here, you might want to block the entire network in question.
If you are logging ACL entries, is there a major increase on the number of matches of a particular permit or deny statement?
If so, this might indicate that a security weakness was found in an application or operating system, or a new worm is attacking your network. If you see a major increase in the number of matches of a particular ACL statement, definitely investigate this discrepancy and take the appropriate action.
Also examine CPU utilization and memory use on your router, as discussed in the previous chapter.
Many additional tools are available to help you with your logging process. I briefly focus on three third-party tools that you can use to help you with your logging and syslog process. Many are available, and you can easily create your own tools to examine your log files with scripting tools such as Tcl, Perl, and others.
Every day (or more often, if necessary) you should rotate the syslog server's log files. Then periodically, you should archive old syslog files. A syslog file that is being rotated out should have the date in its name, as well as a descriptive term. For example, if you have separate log files for three perimeter routers, I would use the following syntax for the rotated filenames: router_name.date.log (or something similar).
One package that I have used is logrot. It does what its name implies: It rotates log files. Logrot was built to work with CiscoWorks log files on Sun Solaris and Windows systems. You can find information for logrot at http://sourceforge.net/project/showfiles.php?group_id=25401&package_id=79001. Of course, you easily can create your own script to perform log rotation; I have done this many times using simple shell script commands.
However, no matter what product you use, you need to automate the rotation process. On UNIX systems, you can do this by using the kron process. On a Windows 2000 system, you can use the Scheduled Tasks tool. To do this, go to Start, > Programs, > Accessories, > System Tools, > Scheduled Tasks; then double-click the Add Schedule Task icon. This brings up the Schedule Task wizard, where you easily can point to your log file rotation program and schedule how often it should run.
You can use a variety of programs to examine and monitor the contents of your syslog server's log files. The following sections cover some of the commonly used ones.
One simple log file report program that I have used is cislog, which is useful for monitoring syslog files for Cisco products. It is actually a set of Perl scripts that can monitor the following information:
acl-report.pl? This Perl script summarizes the deny messages based on top source IP addresses, the most active destination ports, and the most active protocol types.
dial-report.pl? This Perl script lists the users and their addresses, as well as when they dialed into the router.
router-report.pl? This Perl script summarizes the log messages created by Cisco routers and produces information such as a summary of the top log message types, successful Telnet attempts, and which sources entered configuration mode.
switch-report.pl? This Perl script performs the same function as the router-report.pl, but for Catalyst switches.
The great thing about these tools is that they are written in Perl. If you are proficient in programming in Perl, you can use these scripts as a starting point and can add enhancements to them to meet your specific needs. cislog can be found at http://sourceforge.net/project/showfiles.php?group_id=25401&package_id=34535.
Another popular log file?processing utility is swatch, which standards for Simple WATCHer. This software can be found at http://swatch.sourceforge.net/. One advantage that swatch has over other log file checkers is that it actively scans your log files for new messages and then takes an action based on the message that was newly recorded. Its one main downside is that it runs only on Linux/UNIX platforms; Windows currently is not supported. I have used swatch quite often because of its ease in customization to look for specific things and then take appropriate actions on these matches.
A third popular tool is fwlogwatch, which runs on many Linux/UNIX platforms as well as Windows (through Cygwin). fwlogwatch can detect and process log entries from multiple platforms, including Linux ipchains, netfilter, and iptables; Solaris/BSD/Irix/HP-UX ipfilter; Cisco IOS and PIX logs; NetScreen Windows XP firewall; Elsa Lancom's router; and Snort IDS. All of these log entries can be in the same file, and the log file can be compressed using gzip. Other features include these:
Resolves for protocols, services, and host names
Lookups against the whois database for easy access to contact information of administrators of remote networks
Inclusion or exclusion of hosts, ports, chains, and targets
Support for multiple languages
Intelligent search capabilities based on log field columns
Generation of output in plain text and HTML, as well as the capability to send reports by e-mail
Real-time processing of log files, including instant notifications by e-mail, winpopup, or any other method that you can configure through a shell script
Support for antispoofing and IPv6
For more information on fwlogwatch, visit http://cert.uni-stuttgart.de/projects/fwlogwatch/.