Log files.

So as I mentioned, log files are important, and we just talked about syslog servers and how we can consolidate all those log files onto a central repository. Log files are really important because they allow us to reconstruct an event after it occurs. So if we've had an attack, we've been breached, we lost confidentiality, someone stole our files, we can use the log files to figure all that out. How do you maintain those log files, though? Well, you perform log file maintenance. Log file maintenance consists of the actions taken to ensure proper creation and storage of a log file, such as the proper configuration, saving, backing up, securing, and encrypting of those log files.

Now, when we do all of this, we have to make sure that we also configure our log files properly. How do we properly configure them? Well, we have to make some choices. How much data should we log? Maybe you want to log everything, but everything you log is going to give you more details, and it's going to take up more space and more processing resources. And so, if you don't have a big enough hard drive, you can't log everything out there indefinitely. And so you're going to have to figure out what exactly you need to log. How big of a scope, or how little of a scope? Then you have to figure out how long your logs should be kept, because you don't have infinite storage. You're going to have to archive off your logs. You're going to have to take them out, and at some point you have to figure out when you overwrite the logs. All of this is important because you're striking a balance. We want all of the log data because it allows us to do great auditing after the fact, but if you have too much log data, you can end up actually hurting your system. And so, when you have these logs and they start getting really large in size, you need to make sure you're archiving them off.

Now, when it comes to log files, where should they be saved? Well, I believe that log files shouldn't be saved on the same device that is being logged. So, if my server is being logged, I need to make sure those logs are actually being saved to a different partition, a separate hard disk, or to an external server. This means that if that server gets attacked or it crashes, the log files will still be safe, so I can put together the pieces and figure out what happened.

Now, in addition to that, you have to think about the size and scope of what you're logging, which I already talked about, right? If you log everything but you never move those log files off, you can actually have those files get so large that they overwhelm the system by eating up all of its resources, and it can cause the server to crash. This can become another big issue, and so it's really important to understand how you configure your logging.

Another issue you have to consider is what to do when the maximum log file size is reached. If you want to overwrite those events, this will allow you to overwrite the oldest events to make room for the newest events in the case that the maximum log file size is reached. For example, here's an example on the screen of a Windows log configuration. Notice here I have overwrite selected. So once that log file reaches the maximum size, it's going to start overwriting the oldest entries and then put new entries in. Now, this is good for saving space, but I'm losing that other data if it wasn't saved off to someplace else. And so that's something you have to consider.

How long do you need it to be kept? Do I need to keep log files for seven days? For 30 days, for six months, for a year, for seven years? I don't know. It depends on your organization. It depends on your needs. Some highly regulated organizations need to keep those log files forever. Some organizations are good with a seven-day window and then they rewrite it: "If I haven't been hacked in seven days, I don't need those log files." Again, you're probably going to find yourself someplace in between. Something like three months, six months, or a year is probably somewhere closer to where you need to be with a maximum amount of time.

Log files should also be archived and backed up to ensure that they're always available when you need them. Remember, if it's on the server that's been attacked, those log files could've been compromised, and so we want to make sure those log files are constantly being pushed to a syslog server or to another backup server someplace else, where we have good confidentiality and good integrity of those files. One way to ensure that is to use a write once, read many method of data storage. This can be a technology like a DVD-R, because once you write it to a DVD-R, it can only be written once, but it can be read unlimited times. The good thing about this is that if somebody hacks into a server and you've already written it to a DVD-R, they can't modify those log files, because it's already been written. And this is going to make sure that a hacker can't cover their tracks by modifying or deleting your log files, because they're on a WORM method of storage, as opposed to being on a standard server that can be modified.

Now, the last thing we have to think about with logs is how we protect them. Not just protecting them from a hacker getting in and trying to cover their tracks, but also protecting them to make sure we don't lose the confidential and private information that's located inside these logs. Well, it's important to encrypt the contents of your logs to make sure that no prying eyes can see them. On the Security+ exam, anytime you're trying to protect something from prying eyes, anytime you want to make sure that you keep people from seeing things, encryption is a great choice. To do this, you should save your logs to an encrypted folder on the server or, better yet, to the backup server, and have good file encryption being used on your backup and archival processes. This will ensure that your log files are encrypted in your backups and make sure that they can only be accessed by those with a need to know and those who have that encryption key.