The Authoritative Guide to Understanding the Concepts Surrounding Logging and Log Management
Dr. Anton A. Chuvakin
Kevin J. Schmidt
Copyright
Acquiring Editor: Chris Katsaropolous
Editorial Project Manager: Heather Scherer
Project Manager: Priya Kumaraguruparan
Designer: Alan Studholme
Syngress is an imprint of Elsevier
225 Wyman Street, Waltham, MA 02451, USA
Copyright 2013 Elsevier, Inc. All rights reserved.
No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher's permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.
This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).
Notices
Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods or professional practices may become necessary. Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information or methods described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.
To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.
Library of Congress Cataloging-in-Publication Data
Application submitted.
British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library.
ISBN: 978-1-59749-635-3
Printed in the United States of America
For information on all Syngress publications, visit our website at www.syngress.com
Acknowledgments
Dr. Anton A. Chuvakin
First, the most important part: I'd like to thank my wife Olga for being my eternal inspiration for all my writing, for providing invaluable project management advice, and for tolerating (well, almost always tolerating) my work on the book during those evening hours that we could have spent together.
Next, I'd like to specially thank Marcus Ranum for writing a foreword for our book.
Finally, I wanted to thank the Syngress/Elsevier crew for their tolerance of our delays and broken promises to deliver the content by a specific date.
Kevin J. Schmidt
First off I would like to thank my beautiful wife, Michelle. She gave me the encouragement and support to get this book over the finish line. Of course my employer, Dell, deserves an acknowledgment. They provided me with support to do this project. I next need to thank my co-workers who provided me with valuable input: Rob Scudiere, Wayne Haber, Raj Bandyopadhyay, Emily Friese, Rafael Guerrero-Platero, and Maro Arguedas. Robert Fekete from BalaBit IT Security provided great input on the syslog-ng chapter. Ernest Friedman-Hill provided valuable suggestions for the section on Jess in Chapter 9. Jimmy Alderson, a past colleague of mine, graciously provided code samples for Chapter 13. Finally, I would like to thank my co-authors, Anton and Chris, for providing great content for a great book.
Christopher Phillips
I would like to thank my beautiful wife, Inna, and my lovely children, Jacqueline and Josephine. Their kindness, humor, and love gave me inspiration and support while writing this book and through all of life's many endeavors and adventures. I would also like to thank my father for always supporting and encouraging me to pursue a life in engineering and science. Rob Scudiere, Wayne Haber, and my employer Dell deserve acknowledgment for the valuable input they provided for this book. I would especially like to thank my co-author Kevin Schmidt for giving me the opportunity to be part of this great book. Kevin has provided tremendous guidance and encouragement to me over our many years together at Dell SecureWorks and has helped me grow professionally in my career. His leadership and security knowledge have been an inspiration to me, our customers, and to the many people he works with every day.
About the Authors
Dr. Anton A. Chuvakin is a recognized security expert in the field of log management, SIEM, and PCI DSS compliance. Anton is the co-author of Security Warrior (ISBN: 978-0-596-00545-0) and a contributing author to Know Your Enemy: Learning About Security Threats, Second Edition (ISBN: 978-0-321-16646-3); Information Security Management Handbook, Sixth Edition (ISBN: 978-0-8493-7495-1); Hacker's Challenge 3: 20 Brand-New Forensic Scenarios & Solutions (ISBN: 978-0-072-26304-6); OSSEC Host-Based Intrusion Detection Guide (Syngress, ISBN: 978-1-59749-240-9); and others.
He has published dozens of papers on log management, correlation, data analysis, PCI DSS, security management, and other security subjects. His blog, www.securitywarrior.org, is one of the most popular in the industry. In addition, Anton has taught classes and presented at many security conferences around the world; he recently addressed audiences in the United States, United Kingdom, Singapore, Spain, Russia, and other countries. He has worked on emerging security standards and served on the advisory boards of several security start-ups.
Until recently, Anton ran his own consulting firm, Security Warrior. Prior to that, he was a Director of PCI Compliance Solutions at Qualys and Chief Logging Evangelist at LogLogic, tasked with educating the world about the importance of logging for security, compliance, and operations. Before LogLogic, Anton was employed by a security vendor in a strategic product management role. Anton earned his Ph.D. degree from Stony Brook University.
Kevin J. Schmidt is a senior manager at Dell SecureWorks, Inc., an industry-leading MSSP, which is part of Dell. He is responsible for the design and development of a major part of the company's SIEM platform. This includes data acquisition, correlation, and analysis of log data. Prior to SecureWorks, Kevin worked for Reflex Security, where he worked on an IPS engine and anti-virus software. Before that he was a lead developer and architect at GuardedNet, Inc., which built one of the industry's first SIEM platforms. Kevin is also a commissioned officer in the United States Navy Reserve (USNR).