What is priority security?

There is, no doubt, a myriad of opinions and theories on exactly "what" system, mechanism, or practice should come first in an information security defense strategy.

Let me propose this prioritized list:

    1. A proper firewall perimeter
    2. Central logging
    3. Everything else

Why is central logging so important? Because it is perhaps the best available host intrusion detection system, and the second best audit trail (the first being a complete capture of all network data).

I believe that central logging is imperative for detecting anomalous behavior, and it is quite probably the simplest and easiest method to implement. After all, the most popular operating systems can easily be configured to echo system logs to a remote logging host: Unix/GNU/Linux/BSD, MacOS, and Windows.

The Central Logging Host

Usually, I prefer a dedicated GNU/Linux host to keep central logs and use syslog-ng as a replacement for the native syslog daemon. I won't go into the details of setting up syslog-ng, for there is plenty of documentation for that. If you're not familiar, some relevant links are below.

But, I do believe in one important concept for configuring syslog-ng: a combined log. By having all of the systems on a network writing to a single log, the entire network can be watched for anomalous behavior, not just one host at a time.

Windows?

"Well," you say, "that's fine and good for Unix/BSD variants, but I do have some Windows boxes percolating around here somewhere." If that's the case, the utility snare can be used to have Windows do remote logging to a syslog host. And, if you insist on a commercial product instead of either syslog-ng or snare, there are several fine products on the market (including commercial versions of both syslog-ng and snare).

Lastly

Once you have a central logging host configured to keep logs for all the systems on your network(s), what do you do next? Use the appropriate utilities for analyzing the log data, which can be done both in real time and on a routine basis.

For real-time analysis of log data, I'll typically use swatch to trigger on suspicious behavior. And, there are quite a few log analyzers to produce reports on the data.
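As an added example (not code from the original page, and not swatch or syslog-ng itself), the Python script below runs two swatch-style checks over a combined log of the kind the previous sections describe. The log lines are constructed for the example, the year supplied to the timestamp parser is an assumption (BSD syslog lines carry none), and the thresholds (five failures in ten minutes, thirty minutes of silence) are arbitrary. The point it shows is the one made above about a combined log: the source address in the sample trips the threshold only when failures from all three hosts are counted together, while no single host's log would.

```python
"""Anomaly checks over a combined syslog file written by several hosts.

Constructed example: SAMPLE_LOG stands in for the single combined log that a
central syslog-ng host can keep for every system on the network.  Two checks
run over it: failed logins counted per source address network-wide, and hosts
that have stopped sending logs (a quiet host is as suspicious as a noisy one).
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Classic BSD syslog layout: "Mon DD HH:MM:SS host program[pid]: message".
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# OpenSSH-style failure message; "invalid user" appears for unknown accounts.
FAIL_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+(?:\.\d+){3})"
)

# Constructed sample: three hosts, one source address probing all of them,
# plus one line that is not syslog-shaped at all.
SAMPLE_LOG = """\
Mar 14 02:10:01 web1 sshd[2211]: Failed password for root from 203.0.113.9 port 40122 ssh2
Mar 14 02:10:07 web1 sshd[2211]: Failed password for root from 203.0.113.9 port 40123 ssh2
Mar 14 02:11:15 db1 sshd[801]: Failed password for invalid user admin from 203.0.113.9 port 40130 ssh2
Mar 14 02:12:40 mail1 sshd[1502]: Failed password for root from 203.0.113.9 port 40141 ssh2
Mar 14 02:13:02 db1 sshd[805]: Failed password for invalid user oracle from 203.0.113.9 port 40150 ssh2
Mar 14 02:14:30 web1 sshd[2230]: Accepted publickey for deploy from 192.0.2.15 port 51000 ssh2
Mar 14 02:20:00 web1 cron[2300]: (root) CMD (run-parts /etc/cron.hourly)
this line is not syslog at all
Mar 14 02:50:00 db1 cron[900]: (root) CMD (run-parts /etc/cron.hourly)
Mar 14 03:05:00 web1 cron[2400]: (root) CMD (run-parts /etc/cron.hourly)
Mar 14 03:15:12 web1 sshd[2410]: Failed password for bob from 192.0.2.15 port 51010 ssh2
"""


def parse_line(line, year=2005):
    """Parse one syslog line into a dict, or None if it is not syslog-shaped.
    BSD timestamps have no year, so the caller supplies one (an assumption)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "prog": m["prog"], "msg": m["msg"]}


def parse_log(text, year=2005):
    """Parse every line, skipping the ones that do not match."""
    events = (parse_line(line, year) for line in text.splitlines())
    return [e for e in events if e is not None]


def failures_per_host(events):
    """Failed logins per (source ip, target host): what one host alone sees."""
    counts = Counter()
    for e in events:
        m = FAIL_RE.search(e["msg"])
        if m:
            counts[(m["ip"], e["host"])] += 1
    return counts


def failed_logins_by_source(events, threshold=5, window=timedelta(minutes=10)):
    """{ip: [hosts]} for sources reaching `threshold` failures inside `window`,
    counted across every host in the combined log."""
    attempts = defaultdict(list)          # ip -> [(ts, host), ...]
    for e in events:
        m = FAIL_RE.search(e["msg"])
        if m:
            attempts[m["ip"]].append((e["ts"], e["host"]))
    alerts = {}
    for ip, hits in attempts.items():
        hits.sort()
        for i in range(len(hits)):        # sliding window over sorted hits
            j = i
            while j < len(hits) and hits[j][0] - hits[i][0] <= window:
                j += 1
            if j - i >= threshold:
                alerts[ip] = sorted({host for _, host in hits[i:j]})
                break
    return alerts


def silent_hosts(events, expected_hosts, max_gap=timedelta(minutes=30)):
    """Hosts that should be logging but sent nothing within `max_gap` of the
    newest event in the combined log."""
    last_seen = {}
    for e in events:
        if e["host"] not in last_seen or e["ts"] > last_seen[e["host"]]:
            last_seen[e["host"]] = e["ts"]
    if not last_seen:
        return sorted(expected_hosts)
    newest = max(last_seen.values())
    return sorted(h for h in expected_hosts
                  if h not in last_seen or newest - last_seen[h] > max_gap)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("most failures any single host saw from one source:",
          max(failures_per_host(events).values()))
    for ip, hosts in failed_logins_by_source(events).items():
        print(f"ALERT: {ip} failed logins on {', '.join(hosts)} within 10 min")
    for host in silent_hosts(events, ["web1", "db1", "mail1"]):
        print(f"ALERT: no log traffic from {host} for over 30 min")
```

Run it on the embedded sample and the per-host count tops out at 2, below any sensible threshold, while the network-wide count for the same source reaches 5 within three minutes and raises an alert; the silence check flags mail1, which stopped logging an hour before the newest entry. Feeding it a real combined log is a matter of replacing SAMPLE_LOG with the file's contents and tuning the thresholds to the network.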

You will also want to write the log data to some kind of read-only media, such as a CD or DVD, not only for archival auditing, but for future analysis as well.

So, that's the short version of why centralized logging is key to information security. Very soon, I hope to be adding more content.

Links

Configuring syslog-ng -
http://www.sun.com/bigadmin/features/articles/syslog_ng.html
http://www.linuxsecurity.com/content/view/117646/49/
http://www.oreilly.com/catalog/bssrvrlnx/
http://books.slashdot.org/article.pl?sid=03/05/29/1546209&mode=thread&tid=126&tid=172

Configuring snare -
www.giac.com/practical/GSEC/Joe_Malmberg_GSEC.pdf
http://www.intersectalliance.com/resources/Guide_to_SNARE_for_Windows.pdf

Using swatch -
http://www.linuxsecurity.com/content/view/117281/50/
http://rootprompt.org/article.php3?article=449
http://www.oreilly.com/catalog/linuxss2/index.html


If you have any suggestions for this page, please email me: mark AT altsec.info, replacing the word AT with "@", of course.


Copyright © 2005 Mark Stingley