I would like to create log messages that would be used for log analysis using Splunk, such as checking for the occurrence of Denial of Service attacks. What would be the best logging practices for that, as in, what is the most important information that I should be displaying in the log messages?

asked 19 Apr '12, 19:24


misteryuku


One Answer:

This is a good place for getting started:

In addition, naming field according to the CIM (Common Information Model) would be a good idea:

link

answered 19 Apr '12, 23:00


ziegfried ♦

Let's say I want to monitor the traffic of the network, as in detecting Denial of Service attacks. The log message should contain the fields under the Network Protection category of the Common Information Model. Is that true?

(19 Apr '12, 23:41) misteryuku

Yup. Network Protection/Traffic might be the best choice.

(19 Apr '12, 23:42) ziegfried ♦

What does the action field for Network Protection/Traffic represent? Does it represent the action of the packet?

(20 Apr '12, 00:04) misteryuku

Something like allowed/blocked or success/failure, whatever is more reasonable.

(20 Apr '12, 00:10) ziegfried ♦

Okay, I see...

(20 Apr '12, 00:19) misteryuku
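The thread above settles on two points: emit events with field names taken from the CIM Network Traffic model (src, dest, dest_port, transport, action, bytes_in), and give action a value such as allowed/blocked. The following is an added example, not code from the original answer or from Splunk, that writes events in that shape as key=value text (so Splunk extracts the fields automatically) and then runs a simple Denial of Service heuristic over them: count events per (src, dest, dest_port) in a sliding window and flag any tuple that exceeds a threshold. The 10-second window, the threshold of 50, the sample IP addresses and the event mix are assumptions made for illustration.

```python
"""Added example: CIM Network Traffic style events plus a DoS burst detector.

Field names follow the Splunk CIM Network Traffic model; the window,
threshold and sample data are illustrative assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta


def format_event(ts, src, dest, dest_port, transport, action, bytes_in):
    """One event per flow, CIM field names, key=value for easy extraction."""
    return (f'{ts.isoformat()} src={src} dest={dest} dest_port={dest_port} '
            f'transport={transport} action={action} bytes_in={bytes_in}')


KV_RE = re.compile(r'(\w+)=(\S+)')


def parse_event(line):
    """Split an event back into a dict; the leading timestamp becomes _time."""
    ts_str, _, rest = line.partition(' ')
    fields = dict(KV_RE.findall(rest))
    fields['_time'] = datetime.fromisoformat(ts_str)
    return fields


def detect_dos(lines, window=timedelta(seconds=10), threshold=50):
    """Return (src, dest, dest_port, peak_count) for every tuple whose event
    count inside any sliding window of `window` length exceeds `threshold`."""
    buckets = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        buckets[(ev['src'], ev['dest'], ev['dest_port'])].append(ev['_time'])
    alerts = []
    for key, times in buckets.items():
        times.sort()
        start = 0
        peak = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it covers `window` seconds.
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            alerts.append((*key, peak))
    return alerts


def build_sample_log():
    """Constructed sample data: one source hammering port 80 every 25 ms,
    plus one well-behaved client on port 443 (assumed addresses)."""
    base = datetime(2012, 4, 20, 0, 0, 0)
    lines = []
    for i in range(200):
        lines.append(format_event(base + timedelta(milliseconds=25 * i),
                                  '198.51.100.7', '192.0.2.10', 80, 'tcp',
                                  'blocked', 60))
    for i in range(5):
        lines.append(format_event(base + timedelta(seconds=2 * i),
                                  '203.0.113.5', '192.0.2.10', 443, 'tcp',
                                  'allowed', 1400))
    return lines


if __name__ == '__main__':
    for alert in detect_dos(build_sample_log()):
        print('possible DoS: src=%s dest=%s dest_port=%s count=%d' % alert)
```

Once events are indexed in this form, the same heuristic is a one-line search in Splunk, for instance `... | bin _time span=10s | stats count by _time src dest dest_port | where count > 50`, which is why consistent field names matter more than any particular message wording.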
Last updated: 20 Apr '12, 00:19

Copyright © 2005-2012 Splunk Inc. All rights reserved.