T 3.115 Incorrect selection of relevant logged data

Logged data often contains important information enabling an IT early-warning system to detect IT security incidents. Selecting the relevant messages from the large number of different log events is a particular challenge.

Many messages are purely informational and divert attention from those that actually matter. This applies in particular where centralised logging is used, because numerous IT systems send their messages to the central logging server.

If too many log messages are selected, the volume of information can hardly be analysed, and doing so requires enormous effort. There is also the risk of logged data being deleted or overwritten if the memory or disk capacity of the logging server was sized too small. If, on the other hand, too few log messages are recorded, or the relevant ones are not among them, security-critical incidents may go undetected. This problem is frequently caused by incorrectly configured filter functions of the IT early-warning system.

Different formats

Log files are stored in different formats and their fields are arranged in different orders, depending on the manufacturer of the application or process that produced them. For example, the date and time of an entry in an operating system log file may be located at a different position, and written in a different form, than in a web server log file.

Logged system messages are used for troubleshooting and for clarifying security incidents, and they can also feed an IT early-warning system. To obtain an overview of the accumulating data, it must be correlated. For this, the logged data is first normalised, i.e. converted to a uniform format with a common field layout, time format and time zone.
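The following is an added example, not part of the BSI text, of what such normalisation looks like in practice: two constructed log sources, an operating system log in classic syslog layout and a web server access log in Apache "combined" layout, are parsed into one record layout with UTC timestamps and then correlated by source address. The sample lines, the host names, the addresses and the assumed syslog year and time zone are all constructed for illustration.

```python
import re
from datetime import datetime, timezone, timedelta

# Assumptions (labelled): classic syslog lines carry no year and are written in
# the host's local time. We assume 2024 and UTC+1 here; a real collector must
# take both from its configuration rather than guess them.
SYSLOG_YEAR = 2024
SYSLOG_TZ = timezone(timedelta(hours=1))

# Constructed sample input (not real data): an OS log in syslog layout, where
# the timestamp comes first and has no year or zone ...
OS_LOG = [
    "Mar 14 10:02:17 host1 sshd[2231]: Failed password for root from 203.0.113.5 port 51234 ssh2",
    "Mar 14 10:02:19 host1 sshd[2231]: Accepted password for root from 203.0.113.5 port 51236 ssh2",
]
# ... and a web server access log in Apache "combined" layout, where the
# timestamp sits after the client address, in brackets, with an explicit offset.
WEB_LOG = [
    '203.0.113.5 - - [14/Mar/2024:10:02:20 +0100] "GET /admin HTTP/1.1" 200 1287 "-" "curl/8.4.0"',
    '198.51.100.7 - - [14/Mar/2024:10:02:21 +0100] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r"(?P<status>\d{3}) \S+"
)
# sshd authentication messages: "Failed/Accepted password for [invalid user] U from IP ..."
AUTH_RE = re.compile(
    r"^(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_syslog(line, source):
    """Syslog line -> uniform record, or None if the line does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    local = datetime.strptime(
        f"{SYSLOG_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
    ).replace(tzinfo=SYSLOG_TZ)
    rec = {"ts": local.astimezone(timezone.utc), "source": source, "host": m["host"],
           "event": "other", "src_ip": None, "user": None, "raw": line}
    a = AUTH_RE.match(m["msg"])
    if m["prog"] == "sshd" and a:
        rec["event"] = "auth_failure" if a["result"] == "Failed" else "auth_success"
        rec["src_ip"], rec["user"] = a["ip"], a["user"]
    return rec


def parse_apache(line, source):
    """Apache combined access-log line -> uniform record, or None."""
    m = APACHE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
    return {"ts": ts, "source": source, "host": None, "event": "http_request",
            "src_ip": m["ip"], "user": None, "path": m["path"],
            "status": int(m["status"]), "raw": line}


def normalise(os_lines, web_lines):
    """Convert both sources to the uniform layout and order them by UTC time."""
    records = []
    for line in os_lines:
        rec = parse_syslog(line, "os")
        if rec:
            records.append(rec)
    for line in web_lines:
        rec = parse_apache(line, "web")
        if rec:
            records.append(rec)
    return sorted(records, key=lambda r: r["ts"])


def by_source_ip(records):
    """Correlate: group normalised events by source address, keeping time order."""
    groups = {}
    for r in records:
        if r["src_ip"]:
            groups.setdefault(r["src_ip"], []).append(r)
    return groups


if __name__ == "__main__":
    for ip, events in by_source_ip(normalise(OS_LOG, WEB_LOG)).items():
        print(ip, [(e["ts"].isoformat(), e["event"]) for e in events])
```

Only once both sources share a time base does the sequence become visible: the failed and then accepted SSH login from 203.0.113.5 is followed a second later by a request to /admin from the same address. Sorting the raw lines by their own timestamp strings would have placed the web entry an hour apart from the SSH entries.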

Problems regarding applications and IT systems

Along with these general logging aspects, problems specific to the applications and IT systems being monitored may also occur. For example, the logging of a security gateway (firewall) or other network component may be wrongly focused on prohibited activities such as denied connections, while the analysis of permitted activities, e.g. a correctly established connection, is neglected. Yet it is precisely this information that may indicate a successful attack, for example when an attacker has guessed a user's correct password by trial and error: the many failed attempts are followed by one successful, and therefore permitted, login.
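As an added example, not part of the BSI text, the detection logic below contrasts the lopsided rule described above (only failures are examined) with one that also looks at the permitted event. It runs over constructed, already normalised authentication events; the addresses, user names and the threshold and window values are illustrative assumptions. The same structure applies to a firewall log, with denied and established connections in place of failed and accepted logins.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def _t(s):
    """Helper for the constructed data: ISO timestamp string -> aware UTC datetime."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample events (not real data), normalised to one layout: four
# failed logins from one address followed by a success, then a legitimate user
# who mistypes once and succeeds a few minutes later.
EVENTS = [
    {"ts": _t("2024-03-14T09:00:01"), "src_ip": "203.0.113.5", "user": "root", "event": "auth_failure"},
    {"ts": _t("2024-03-14T09:00:03"), "src_ip": "203.0.113.5", "user": "root", "event": "auth_failure"},
    {"ts": _t("2024-03-14T09:00:05"), "src_ip": "203.0.113.5", "user": "root", "event": "auth_failure"},
    {"ts": _t("2024-03-14T09:00:07"), "src_ip": "203.0.113.5", "user": "root", "event": "auth_failure"},
    {"ts": _t("2024-03-14T09:00:09"), "src_ip": "203.0.113.5", "user": "root", "event": "auth_success"},
    {"ts": _t("2024-03-14T09:00:10"), "src_ip": "198.51.100.7", "user": "alice", "event": "auth_failure"},
    {"ts": _t("2024-03-14T09:05:00"), "src_ip": "198.51.100.7", "user": "alice", "event": "auth_success"},
]


def denied_only_rule(events, threshold=5):
    """The lopsided rule: only prohibited activity (failures) is examined.

    It reports a source once its failure count reaches `threshold`, but it
    never sees the accepted login, so it cannot say whether the guessing
    eventually worked, and below the threshold it says nothing at all.
    """
    counts = defaultdict(int)
    alerts = []
    for e in events:
        if e["event"] == "auth_failure":
            counts[e["src_ip"]] += 1
            if counts[e["src_ip"]] == threshold:
                alerts.append({"rule": "many_failures", "src_ip": e["src_ip"], "user": e["user"]})
    return alerts


def success_after_failures(events, window=timedelta(minutes=5), min_failures=3):
    """Examine the permitted event too: a successful login that follows at
    least `min_failures` failures from the same source within `window` is
    reported as a likely successful password-guessing attack."""
    recent = defaultdict(deque)  # src_ip -> timestamps of recent failures
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        q = recent[e["src_ip"]]
        while q and e["ts"] - q[0] > window:  # drop failures outside the window
            q.popleft()
        if e["event"] == "auth_failure":
            q.append(e["ts"])
        elif e["event"] == "auth_success":
            if len(q) >= min_failures:
                alerts.append({"rule": "success_after_failures", "src_ip": e["src_ip"],
                               "user": e["user"], "failures": len(q), "ts": e["ts"]})
            q.clear()  # a success ends the streak for that source
    return alerts


if __name__ == "__main__":
    print("denied-only rule:", denied_only_rule(EVENTS))
    print("success-after-failures rule:", success_after_failures(EVENTS))
```

With the sample data the denied-only rule at its default threshold produces no alert, and even with a lower threshold it would only report "many failures", leaving it to an analyst to go looking for the accepted login. The second rule reports the one event that matters, the successful login from 203.0.113.5 after four failures, while alice's single typo stays below the threshold. Neither rule can work if accepted logins were filtered out before reaching the logging server, which is the selection error this section describes.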

Examples:

Within an information system, the central logging server is repeatedly overloaded. The reason is that Windows event messages are transmitted to and stored on the logging server redundantly: during logon and logoff, for example, log entries are generated both on the respective client and on the domain controller, and both are forwarded to the logging server. These overloads may cause other logged information, including relevant events such as evidence of an attack, to be deleted. The consequence is gaps in the monitoring of the information system.