Secure Your Network for Free: Using Nmap, Wireshark, Snort, Nessus, and Mrtg

No matter how secure your network is, sooner or later something will happen that wasn't supposed to. If you don't take steps to identify security events, your only notice that something has occurred might be when there is a production outage or other undesirable disruption. At that point you are in a reactive mode instead of a proactive one. It would be preferable to know the instant a security event takes place so that you have a head start on correcting the issue and minimizing any damage. The two most common ways to keep yourself informed of security events across your network are through intrusion detection systems (IDSes) and by monitoring event logs. In this chapter we will demonstrate how to install and configure a first-class IDS on both Linux and Windows systems, and we will discuss the various tools for managing event logs, including syslog and Windows event log formats.
Intrusion detection systems do exactly what the name suggests. They spot undesirable activity and, typically, send an alert to someone so that action can be taken. The undesirable activity does not necessarily have to be an actual intrusion; it can be any activity that you don't want to occur, such as the use of a file sharing program on the corporate network. The most common way to implement an IDS is by having a system monitor and inspect (sniff) all traffic over a given link. The system then compares the traffic with a...
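The sniff-and-compare loop described above, reduced to its essentials as an added example (this is not code from the book or from Snort): a handful of constructed packets are checked against a small list of signatures, each of which specifies a protocol, an optional destination port, a byte pattern and an optional regular expression, and every match becomes an alert. The signatures and packets are made up for illustration; the BitTorrent handshake prefix is the protocol's real opening bytes, which ties the example to the file-sharing case mentioned in the text.

```python
"""Minimal signature-based IDS: inspect packets, compare against rules, alert.
Added example; the rules and packets below are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Signature:
    sid: int
    msg: str
    proto: str
    dport: Optional[int]       # None means any destination port
    content: Optional[bytes]   # byte string that must appear in the payload
    pcre: Optional[str] = None # optional regex applied to the payload


def matches(sig: Signature, pkt: Packet) -> bool:
    """Return True when every condition of the signature holds for the packet."""
    if sig.proto != pkt.proto:
        return False
    if sig.dport is not None and sig.dport != pkt.dport:
        return False
    if sig.content is not None and sig.content not in pkt.payload:
        return False
    if sig.pcre is not None and re.search(sig.pcre.encode(), pkt.payload) is None:
        return False
    return True


def inspect(packets: List[Packet], signatures: List[Signature]) -> List[dict]:
    """Compare every packet with every signature and collect the alerts."""
    alerts = []
    for pkt in packets:
        for sig in signatures:
            if matches(sig, pkt):
                alerts.append({
                    "sid": sig.sid, "msg": sig.msg,
                    "src": pkt.src, "dst": pkt.dst, "dport": pkt.dport,
                })
    return alerts


# Constructed rule set (hypothetical sids; not Snort's own rules).
SIGNATURES = [
    # The BitTorrent peer handshake starts with 0x13 followed by this string.
    Signature(1000001, "P2P BitTorrent handshake", "tcp", None,
              b"\x13BitTorrent protocol"),
    # Credentials sent in the clear over plain HTTP.
    Signature(1000002, "Cleartext HTTP basic auth", "tcp", 80,
              b"Authorization: Basic", r"Authorization: Basic [A-Za-z0-9+/=]+"),
]

# Constructed sample traffic (RFC 5737 / documentation addresses).
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "192.0.2.20", "tcp", 80,
           b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    Packet("10.0.0.7", "198.51.100.9", "tcp", 6881,
           b"\x13BitTorrent protocol" + b"\x00" * 8 + b"A" * 20),
    Packet("10.0.0.5", "192.0.2.10", "tcp", 80,
           b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\n"
           b"Authorization: Basic dXNlcjpwYXNz\r\n\r\n"),
]


def run_demo() -> List[dict]:
    """Inspect the sample traffic and return the alerts it raises."""
    return inspect(SAMPLE_PACKETS, SIGNATURES)


if __name__ == "__main__":
    for a in run_demo():
        print(f"[1:{a['sid']}] {a['msg']} {a['src']} -> {a['dst']}:{a['dport']}")
```

The benign request to `/index.html` raises nothing, the handshake on port 6881 trips the P2P rule regardless of port, and the request carrying a Basic credential trips the cleartext-auth rule. A production IDS adds stream reassembly, protocol decoding and thousands of rules, but the decision at the core is this same per-packet comparison.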