Why do you need a log audit system

2025-02-24 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/01 Report

What is a log?

Put simply, a log is information that a computer system, a device, or a piece of software records when certain conditions occur. What it contains depends on its source. For example, a Unix operating system logs user logins and logouts, a firewall logs ACL accept and reject decisions, and a disk storage system writes log messages when a failure occurs or when it predicts that one is about to occur. A log carries a great deal of information about why the entry was generated and what has happened to the system. For example, a Web server typically records when someone requests a resource (a page, an image, a file, and so on), and if the page requires authentication the log message also contains the user name. That is one example of useful log data: the user name lets you determine who accessed a resource. Through logs, IT managers can understand the health, security, and even the operational status of their systems.

The importance of logs

In a complete information system, the logging subsystem is a very important functional component. It records the behavior the system produces and expresses it according to a defined specification. We can use the information it records to debug the system, optimize its performance, or adjust its behavior. In the security field, logs reflect many security-relevant behaviors, such as failed logins and abnormal access. Logs also tell you a great deal about events on the network, including performance information, fault detection, and intrusion detection. They are a good source of forensic information for finding out what happened after an incident, and they serve as audit trails during audits.

Undervalued logs

In many enterprise environments, logs are not taken seriously. They are usually ignored completely in daily work and only attract attention when disk space runs out, at which point they are often deleted without being examined. In some cases, messages in the log would have explained why the disk filled up. Many people have had the experience of examining a machine that has been compromised: after asking where the logs are kept, they hear, "Oh, they only took up space, so we deleted them." In most such cases there is nothing more that can be done.

Why are logs not taken seriously? There are many reasons. The first is management attention: in China, most managers focus on the business rather than on operations or security. Second, logs come in all shapes and sizes; extracting information from them is sometimes difficult, and their content is hard to understand. Syslog data can be especially poor because most of it is free-form text. Getting useful data out of syslog takes effort, and the volume to be processed can be large: some sites collect several GB of logs per week, and some reach that level in a day. The volume seems overwhelming, so most administrators end up writing scripts based on experience to search for whatever happened to catch their eye at a particular moment.

Why do you need logs?

From the operations and maintenance perspective:

For a successful piece of software, development accounts for only a small fraction of its entire life cycle. Once the software is released, operations data reflects back on development, and development in turn has to consider operability and maintainability. One very important aspect of this is logging: without logs, operations staff are blind. In the course of operations and maintenance, therefore, we rely on logs to diagnose and solve problems.

Logs are also very important for business analysis: for a website, for example, historical visits, new visitors, which pages are visited most, and so on.

From a security perspective:

Fragmentation of security products

A characteristic of the security field is that it touches every existing IT technology and product: network technology, host operating systems, application software, human management, personal PCs, servers, content security, the telephone network, and so on. Almost no single vendor's security products can cover all of these areas. Security is split into countless sub-fields: firewalls, intrusion detection, scanners, SSO, auditing, patch management, centralized authentication, one-time passwords, LDAP, encrypted storage, link-layer encryption, antivirus, content security, sniffers, forensics, PKI, security services, policy management, and more, and each has its own dominant vendor. In such a fragmented environment you have to deal with a different management interface and console from each vendor, which is a very big challenge.

Inefficiency caused by huge volumes of data

The most serious and prominent phenomenon when deploying security products is the enormous number of security events they produce. A standard network monitoring system running its default policy may generate more than 10 million events per day on a 100-megabit link. Such volumes often render our security products meaningless, and even after tuning and optimization the policy still yields a flood of meaningless data and false positives. Monitoring products have been criticized for exactly this reason. Some of the invalid data results from the mechanism of the security product itself, which cannot fully solve the problem on its own. The challenge for enterprises is to reduce the number of security events without losing any; only then does managing security products become feasible and efficient.

The log format is not uniform

Each device type has its own log format and its own way of expressing things, even when describing the same event. For example, the same login failure may be described in a completely different way in a firewall log than in a host operating system log. This forces auditors to understand the format of every device type.
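As an added example (not code from the original article), the following Python shows what an audit system has to do about the two problems above: it maps a failed login reported in Linux sshd auth.log syntax and in a firewall's own key=value syntax onto one common schema, then collapses repeated failures into per-source counts so the event volume drops without the underlying fact being lost. The firewall format and all sample lines are constructed for this example.

```python
import re
from collections import defaultdict
from typing import Optional

# Constructed samples: the same fact (a failed login) in two vendor formats.
# The sshd lines follow the usual Linux auth.log layout; the "FW:" line is a
# made-up key=value format standing in for a firewall vendor's own syntax.
SAMPLE_LINES = [
    "Jan 12 10:01:02 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 4422 ssh2",
    "Jan 12 10:01:03 web01 sshd[2211]: Failed password for root from 203.0.113.5 port 4423 ssh2",
    "<134>Jan 12 10:01:05 fw01 FW: action=login_fail user=admin src=203.0.113.5 reason=bad_password",
    "Jan 12 10:01:09 web01 sshd[2215]: Accepted password for alice from 198.51.100.7 port 5001 ssh2",
]

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
FW_RE = re.compile(
    r"^(?:<\d+>)?(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) FW: action=(?P<action>\S+) user=(?P<user>\S+) src=(?P<ip>\S+)"
)

def normalize(line: str) -> Optional[dict]:
    """Map one raw line onto a common schema; None if the format is unknown."""
    m = SSHD_RE.match(line)
    if m:
        return {"ts": m["ts"], "host": m["host"], "user": m["user"], "src_ip": m["ip"],
                "event": "auth_failure" if m["outcome"] == "Failed" else "auth_success"}
    m = FW_RE.match(line)
    if m:
        return {"ts": m["ts"], "host": m["host"], "user": m["user"], "src_ip": m["ip"],
                "event": "auth_failure" if m["action"] == "login_fail" else "other"}
    return None

def summarize_failures(lines):
    """Collapse repeated failures into one record per (user, source IP) carrying a
    count, the reporting hosts and the first/last timestamp, so the auditor sees
    fewer events but loses no information."""
    agg = defaultdict(lambda: {"count": 0, "hosts": set(), "first": None, "last": None})
    for line in lines:
        ev = normalize(line)
        if not ev or ev["event"] != "auth_failure":
            continue
        rec = agg[(ev["user"], ev["src_ip"])]
        rec["count"] += 1
        rec["hosts"].add(ev["host"])
        rec["first"] = rec["first"] or ev["ts"]
        rec["last"] = ev["ts"]
    return {k: {**v, "hosts": sorted(v["hosts"])} for k, v in agg.items()}
```

With the sample lines, the two "admin" failures seen by the host and by the firewall become a single record with a count of 2, which is the kind of reduction the previous section asks for.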

Requirements of national laws and regulations

GB/T 22239-2008, "Information Security Technology: Basic Requirements for Information System Security Level Protection", explicitly requires security auditing in the basic requirements for network security, host security, and application security for level-two and higher information systems. Log auditing is the basic means of meeting these requirements.

Article 8 of the Provisions on Technical Measures for Internet Security Protection (Ministry of Public Security Decree No. 82) requires security audit functions such as recording and tracking the network's operating status and monitoring and recording all kinds of user information and network security events.

Article 126 of the Guidelines on Internal Control of Commercial Banks states that "the network equipment, operating systems, database systems and applications of commercial banks shall be configured with the necessary logs, and the logs shall be able to meet the needs of all kinds of internal and external audits."

Article 27 of the Banking Information Technology Risk Management Guidelines requires banks to develop strategies and processes for managing the logs of all production systems in support of effective auditing, security forensic analysis, and fraud prevention.

Article 44 of the Guidelines on Security Management of Information Systems of Insurance Companies requires that mainframe systems be audited and that audit records be properly managed, analyzed, and handled promptly, with a focus on important user behavior, abnormal operations, and the use of important system commands.

Article 3 of Chapter 3 of the Network Security Law (draft) requires operators to "take technical measures to record and track the network's operating status, monitor and record network security events, and retain network logs in accordance with regulations."

Section 404 of the Sarbanes-Oxley (SOX) Act makes company management responsible for establishing and maintaining the internal control system and for the effectiveness of the corresponding control procedures, and requires management to evaluate the effectiveness of the internal control system and control procedures at the end of the most recent financial year. (Note: under SOX, the information system log audit system and its results are an important tool and source of evidence when evaluating the effectiveness of internal controls.)

From the above analysis we can see that log analysis matters a great deal, so logs should be put to use as early as possible.
