Security Log Management: Identifying Patterns in the Chaos

Chapter 4: Systems and Network Device Reporting

Introduction

Systems and network device reporting is important to the overall health and security of our systems. In this chapter, we explore finding key events in the log files of our Web servers and their host systems, and correlating that data to give us useful reports. Further, we discuss different methods of report outputs that will be meaningful to senior management.

Modern software applications and Web servers have, at a minimum, basic logging features. It is in the best interest of organizations to have policies in place that effectively and efficiently manage these logs and collect them appropriately; it would be wasteful not to capitalize on these logging capabilities. The policies adopted need to provide for the proper storage and management of the log data collected. A lapse in this area might result in compromise, render any post-mortem forensic analysis useless, and hinder legal prosecution. Optimally, all log collection and consolidation should be performed on an independent, dedicated log server. Additionally, both the network connections that carry the logs and the log data itself should be encrypted for confidentiality and digitally signed to ensure integrity.

When it comes to log files, it is considered best practice to make them append-only to prevent deletions, purges, and overwrites. A good suggestion is to have the logs written to a WORM (Write Once Read Many) device, such as a CD; this way, accidental deletions are prevented by physical means. Regular backups of all...
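One way to approximate append-only, integrity-protected storage in software, as an added example rather than the book's own method: each record is chained to its predecessor by a hash and sealed with an HMAC under a key held only on the dedicated log server, so an edited, deleted or reordered record fails verification. The key value, the sample Web server lines and the function names are constructed for this example.

```python
"""Hash-chained, HMAC-sealed log store (added example; not from the book)."""
import hashlib
import hmac
import json

# Constructed sample key; in practice it is loaded from the log server's key store.
LOG_KEY = b"example-log-server-key"
GENESIS = "0" * 64  # "previous seal" of the very first record


def _seal(prev_seal: str, line: str, key: bytes) -> str:
    # MAC over (previous seal || line) binds each record to the whole chain so far.
    return hmac.new(key, (prev_seal + "\n" + line).encode(), hashlib.sha256).hexdigest()


def append_record(log: list, line: str, key: bytes = LOG_KEY) -> dict:
    """Append one log line; the new record carries the previous record's seal."""
    prev = log[-1]["seal"] if log else GENESIS
    rec = {"seq": len(log), "line": line, "prev": prev, "seal": _seal(prev, line, key)}
    log.append(rec)
    return rec


def verify_log(log: list, key: bytes = LOG_KEY) -> tuple:
    """Return (True, -1) if the chain is intact, else (False, index of first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["seq"] != i or rec["prev"] != prev:
            return False, i  # gap, reordering or deletion
        if not hmac.compare_digest(rec["seal"], _seal(prev, rec["line"], key)):
            return False, i  # record content or seal altered
        prev = rec["seal"]
    return True, -1


# Constructed sample Web server access-log lines (not from the book).
SAMPLE_LINES = [
    '10.0.0.5 - - [01/Jan/2000:00:00:01] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2000:00:00:02] "GET /admin HTTP/1.1" 403 0',
    '10.0.0.9 - - [01/Jan/2000:00:00:03] "GET /admin HTTP/1.1" 401 0',
]


def demo() -> dict:
    """Build a chain, then show that an edit and a purge are both detected."""
    log = []
    for line in SAMPLE_LINES:
        append_record(log, line)
    edited = json.loads(json.dumps(log))  # deep copy, then rewrite a denied request
    edited[1]["line"] = edited[1]["line"].replace("403", "200")
    deleted = log[:1] + log[2:]  # purge the middle record
    return {"intact": verify_log(log), "edited": verify_log(edited), "deleted": verify_log(deleted)}
```

Verification only detects tampering; it does not prevent it, so the seal key and the verified chain still belong on the separate log server the chapter recommends.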
