This page is under construction
The information provided below may not be complete or fully tested. Take care when following draft instructions.
For more information on securing your data, see Information Protection @ MIT.
Logs keep track of what is happening on a computer system or network and help identify who did what, and when. Ensuring that authentication and access activity is logged to a central location helps ensure that information about user and system interactions in the environment is captured, stored, protected, and available for retrieval during audits and investigations. Deploying a log management solution facilitates the centralization and standardization needed for auditing.
Computer systems and software applications produce countless log files (often identifiable by their .log extension) that document the activities which occur on and among networks, endpoint devices, and software programs. Types of activity or events that are logged include those related to authentication and access, particularly logon/logoff successes and failures, account creation, account deletion, and the details of these events. Logs pertaining to these events can provide valuable information for investigating digital activity on the network.
On Windows systems, successful logons and logoffs are recorded as Event IDs 4624 and 4647 respectively, logon failures as 4625, and account changes as 4725 (account disabled) and 4720 (account created). These logs can be viewed in the Windows Event Viewer:
- To view Windows System Event Logs
- To view Windows Security Logs
On a Mac, view the logs in the Console application.
The logs above represent only a small group of the logs that could be viewed. Everything on a network generates logs, including servers, databases, intrusion detection systems, etc. Given the number of logs across an environment, it is a best practice to consolidate all of your logs into a central location for optimal investigation and correlation. This is done by capturing logs on individual devices and sending them to a central repository, where they can be searched and viewed from the single dashboard of a centralized log management solution.
There are several commercial products specifically for centralized log management. While they differ, each usually provides a method of forwarding logs from computer systems and devices across your network, standardizes and structures the log data in a common format, and then allows searching, reporting, and presentation of logs and summary information with which users can investigate activity. There is usually a configuration or agent on the device itself that sends its logs to the centralized tool.
The security team here at MIT uses Splunk as its centralized log management solution. With Splunk, forwarders/agents pass log traffic to a central console from which users can search and view their logs (for instance, the Windows security event 4625 shown below).
Using a commercial tool such as Splunk to consolidate log traffic provides a common view, a single pane of glass in which disparate data is consolidated for investigative and auditing purposes. If you have devices whose logs you would like to centrally manage, contact the security team to complete the required configurations and access.
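As an added illustration (not part of this page or of the MIT security team's Splunk configuration) of the kind of correlation that becomes possible once logs from many devices sit in one repository, the Python below summarizes constructed Windows Security records by the Event IDs named above and flags an account whose logon failures (4625) are spread across several hosts. The record shape, host names and account names are assumptions made for the example.

```python
from collections import Counter, defaultdict

# Event IDs and their meanings, as listed on this page.
EVENT_NAMES = {
    4624: "logon success",
    4647: "user-initiated logoff",
    4625: "logon failure",
    4720: "account created",
    4725: "account disabled",
}

# Constructed sample records, shaped like what a forwarder/agent might deliver
# to a central repository (host, event ID, account, ISO timestamp). Not real data.
SAMPLE_EVENTS = [
    {"host": "ws01", "id": 4625, "account": "jdoe", "time": "2024-01-10T09:00:01"},
    {"host": "ws01", "id": 4625, "account": "jdoe", "time": "2024-01-10T09:00:05"},
    {"host": "ws02", "id": 4625, "account": "jdoe", "time": "2024-01-10T09:00:09"},
    {"host": "ws02", "id": 4624, "account": "jdoe", "time": "2024-01-10T09:00:20"},
    {"host": "dc01", "id": 4720, "account": "svc-backup", "time": "2024-01-10T09:05:00"},
    {"host": "dc01", "id": 4725, "account": "old-intern", "time": "2024-01-10T09:06:00"},
]

def summarize(events):
    """Count events per named ID and per (account, ID), like a dashboard panel."""
    by_id = Counter(EVENT_NAMES.get(e["id"], f"other ({e['id']})") for e in events)
    by_account = defaultdict(Counter)
    for e in events:
        by_account[e["account"]][e["id"]] += 1
    return by_id, by_account

def flag_accounts(events, failure_threshold=3):
    """Flag accounts with >= threshold logon failures (4625) counted across all hosts,
    noting whether a success (4624) came after the last failure, plus any 4720/4725."""
    findings = []
    _, by_account = summarize(events)
    for account, counts in by_account.items():
        mine = [e for e in events if e["account"] == account]
        if counts[4625] >= failure_threshold:  # per-host counts alone would miss this
            last_fail = max(e["time"] for e in mine if e["id"] == 4625)
            findings.append({
                "account": account, "reason": "repeated logon failures",
                "hosts": sorted({e["host"] for e in mine if e["id"] == 4625}),
                "followed_by_success": any(e["id"] == 4624 and e["time"] > last_fail for e in mine),
            })
        for lifecycle_id in (4720, 4725):
            if counts[lifecycle_id]:
                findings.append({"account": account, "reason": EVENT_NAMES[lifecycle_id]})
    return findings
```

Run `flag_accounts(SAMPLE_EVENTS)` to see that jdoe is flagged only when the failures on ws01 and ws02 are counted together, which a per-device view would not do.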
- Open Web Application Security Project (OWASP) Logging Cheat Sheet
- National Institute of Standards and Technology (NIST) Guide to Computer Security Log Management
- Amazon Web Services (AWS) on Centralized Logging