News and blog
NXLog main page
  • Products
    NXLog Platform
    Log collection
    Log management and analytics
    Log storage
    NXLog Community Edition
    Integrations
    Professional Services
  • Solutions
    Use cases
    Specific OS support
    SCADA/ICS
    Windows event log
    DNS logging
    MacOS logging
    Solutions by industry
    Financial Services
    Government & Education
    Entertainment & Gambling
    Telecommunications
    Medical & Healthcare
    Military & Defense
    Law Firms & Legal Counsel
    Industrial & Manufacturing
  • Plans
  • Partners
    Find a Reseller
    Partner Program
  • Resources
    Documentation
    Blog
    White papers
    Videos
    Webinars
    Case Studies
    Community Program
    Community Forum
  • About
    Company
    Careers
  • Support
    Support portals
    Contact us

NXLog Platform
Log collection
Log management and analytics
Log storage
NXLog Community Edition
Integrations
Professional Services

Use Cases
Specific OS support
SCADA/ICS
Windows event log
DNS logging
MacOS logging
Solutions by industry
Financial Services
Government & Education
Entertainment & Gambling
Telecommunications
Medical & Healthcare
Military & Defense
Law Firms & Legal Counsel
Industrial & Manufacturing


Find a Reseller
Partner Program

Documentation
Blog
White papers
Videos
Webinars
Case Studies
Community Program
Community Forum

Company
Careers

Support portals
Contact us
Let's Talk Start free
NXLog search
  • Loading...
Let's Talk Start free
April 3, 2023 strategysecurity

CISO starter pack - Log collection fundamentals

By Jonathan King

Share
ALL SIEM STRATEGY SECURITY ANNOUNCEMENT DEPLOYMENT COMPLIANCE COMPARISON RSS

Log collection is essential to managing an IT department because it allows administrators to research historical events throughout a network. Therefore, it’s critical to understand a few key points about collecting logs; the why, and what. We’ll look at a few specific examples of collecting log events efficiently, like incorporating threat modeling to enhance our collection. Implementing log collection policies and procedures is as fun as watching anti-phishing videos. But at the end of the day, the effort put in at the beginning will be worth it.

The why and what

When it comes down to it, log collection is vital in determining what has happened on your network when a cyber incident has occurred. Events occur every day as a result of routine computer use. A user printing a document and saving a file on a network share are both events. Incidents are events that have occurred with unintended consequences. A user clicks on a link in an email, and a remote connection is made to the computer three minutes later. All incidents are events, but not all events are incidents. Therefore, it’s crucial to capture a complete set of event logs to understand the full story of events that led to an incident, including the events that happened after the fact.

Threat modeling

optimizing your log collection journey the basics

When you analyze the logs within your environment, you’ll quickly find it similar to trying to sip from a firehose. There are a lot of events that occur on your network, and trying to manually analyze every event for signs of malicious activity would be a grueling, time-consuming task. That’s where threat modeling comes in. Just like in developing an incident response around your infrastructure, you can establish threat models about how an attacker might gain access to your network, and then ensure the related logs would be collected in this real-world event.

For example, many employees email and communicate with the general public daily. Clicking links in emails can end in a few different ways, including a remote connection established to your computer. But this connection doesn’t occur within a vacuum; the connection occurs at the firewall level and is forwarded to the computer through Network Address Translation. So not only would there be a connection log on the firewall, but there would also be one on the computer indicating a remote connection.

Following a similar thread, say a user plugs in a USB drive from home that contains a virus that autoruns when plugged in. You should collect these logs to determine a route vector for the virus. Still, Windows doesn’t provide a native mechanism for logging when USB devices get mounted on the filesystem, so you’ll need to look for a third-party logging solution and incorporate those logs in your analysis. By examining different potential scenarios within your environment, you uncover additional requirements. When you expose these requirements, it’s important to document them within the security policy as you go along. Some conditions may dictate how other requirements are implemented, such as compliance frameworks like PCI DSS that require firewall connection logs to be maintained for at least a year.

Optimal log collection settings

There are many tools out there that can collect and send logs (ahem NXLog) and then there are tools that can ingest these logs, analyze them for threats, alert based on that analysis, and then automate a response. While these tools are out of the scope of this post, it must be understood that they are only as effective as the information contained within. That’s why manufacturers like Microsoft give administrators tools to spice up log entries.

Microsoft has released a set of baseline security configurations for every domain-joined computer and server, as well as for specific applications. Check out the Microsoft blog for more information. For Windows Server 2016, they released a set of baseline security group policy objects that administrators could deploy within their environment. These objects contain hundreds of recommended security enhancements to workstations and servers to align them with best practices. Part of these best practices is that it enables audit logging and security logging, meaning it will provide detailed logging information for certain security events that occur within the environment.

Prioritize log flows

There are generally two problems facing investigators when they begin researching events: either there isn’t enough data, or too much data is being collected. Microsoft has released a set of Event IDs that you should plan to monitor for. These events include a potential replay attack occurrence, the audit log being cleared, account logins and logouts, and other similar events. Since this is a list of recommended events within a Windows Server environment, monitoring for these IDs and dropping everything else is safe. This is one example of reducing the log level without impacting your response effectiveness.

More devices on the network generate traffic, so it’s important to consider collecting logs from switches and internal firewalls as well. These devices can be monitored by sending traffic to syslog servers, which can then analyze and alert based on the data contained within the logs. Almost all log collection platforms offer some way to collect log records by receiving them on a dedicated port. This is an agentless method compared to an agent-based method of collecting logs.

Conclusion

Implementing log collection policies is an essential step in an organization’s journey on its maturity model, though each journey is unique. Events are routine and are generated for any number of innocuous reasons, whereas incidents are adverse events. All incidents are events, but not all events are incidents, and it’s essential to consider this fact when collecting and analyzing log data. By modeling threats in your environment, you can anticipate specific requirements or needs when collecting logs. You can discover caveats or pitfalls along the way or ensure you’re only logging the data you need to log and analyze for future research endeavors. Optimizing your log collection settings and prioritizing your log flows ensures your logging infrastructure is sound enough to satisfy any regulatory requirements.

NXLog Platform is an on-premises solution for centralized log management with
versatile processing forming the backbone of security monitoring.

With our industry-leading expertise in log collection and agent management, we comprehensively
address your security log-related tasks, including collection, parsing, processing, enrichment, storage, management, and analytics.

Start free Contact us
  • CISO starter pack
Share

Facebook Twitter LinkedIn Reddit Mail
Related Posts

Making the most of Windows Event Forwarding for centralized log collection
6 minutes | December 17, 2018
The benefits of log aggregation
8 minutes | August 1, 2022
DNS Log Collection on Windows
8 minutes | May 28, 2020

Stay connected:

Sign up

Keep up to date with our monthly digest of articles.

By clicking singing up, I agree to the use of my personal data in accordance with NXLog Privacy Policy.

Featured posts

Announcing NXLog Platform 1.6
April 22, 2025
Announcing NXLog Platform 1.5
February 27, 2025
Announcing NXLog Platform 1.4
December 20, 2024
NXLog redefines log management for the digital age
December 19, 2024
2024 and NXLog - a review
December 19, 2024
Announcing NXLog Platform 1.3
October 25, 2024
NXLog redefines the market with the launch of NXLog Platform: a new centralized log management solution
September 24, 2024
Welcome to the future of log management with NXLog Platform
August 28, 2024
Announcing NXLog Enterprise Edition 5.11
June 20, 2024
Raijin announces release of version 2.1
May 31, 2024
Ingesting log data from Debian UFW to Loki and Grafana
May 21, 2024
Announcing NXLog Enterprise Edition 6.3
May 13, 2024
Raijin announces release of version 2.0
March 14, 2024
NXLog Enterprise Edition on Submarines
March 11, 2024
The evolution of event logging: from clay tablets to Taylor Swift
February 6, 2024
Migrate to NXLog Enterprise Edition 6 for our best ever log collection experience
February 2, 2024
Raijin announces release of version 1.5
January 26, 2024
2023 and NXLog - a review
December 22, 2023
Announcing NXLog Enterprise Edition 5.10
December 21, 2023
Raijin announces release of version 1.4
December 12, 2023
Announcing NXLog Enterprise Edition 6.2
December 4, 2023
Announcing NXLog Manager 5.7
November 3, 2023
Announcing NXLog Enterprise Edition 6.1
October 20, 2023
Raijin announces release of version 1.3
October 6, 2023
Upgrading from NXLog Enterprise Edition 5 to NXLog Enterprise Edition 6
September 11, 2023
Announcing NXLog Enterprise Edition 6.0
September 11, 2023
The cybersecurity challenges of modern aviation systems
September 8, 2023
Raijin announces release of version 1.2
August 11, 2023
The Sarbanes-Oxley (SOX) Act and security observability
August 9, 2023
Log Management and PCI DSS 4.0 compliance
August 2, 2023
Detect threats using NXLog and Sigma
July 27, 2023
HIPAA compliance logging requirements
July 19, 2023
Announcing NXLog Enterprise Edition 5.9
June 20, 2023
Industrial cybersecurity - The facts
June 8, 2023
Raijin announces release of version 1.1
May 30, 2023
CISO starter pack - Security Policy
May 2, 2023
Announcing NXLog Enterprise Edition 5.8
April 24, 2023
CISO starter pack - Log collection fundamentals
April 3, 2023
Raijin announces release of version 1.0
March 9, 2023
Avoid vendor lock-in and declare SIEM independence
February 13, 2023
Announcing NXLog Enterprise Edition 5.7
January 20, 2023
NXLog - 2022 in review
December 22, 2022
Need to replace syslog-ng? Changing to NXLog is easier than you think
November 23, 2022
The EU's response to cyberwarfare
November 22, 2022
Looking beyond Cybersecurity Awareness Month
November 8, 2022
GDPR compliance and log data
September 23, 2022
NXLog in an industrial control security context
August 10, 2022
Raijin vs Elasticsearch
August 9, 2022
NXLog provides native support for Google Chronicle
May 11, 2022
Aggregating macOS logs for SIEM systems
February 17, 2022
How a centralized log collection tool can help your SIEM solutions
April 1, 2020

Categories

  • SIEM
  • STRATEGY
  • SECURITY
  • ANNOUNCEMENT
  • DEPLOYMENT
  • COMPLIANCE
  • COMPARISON
logo

Subscribe to our newsletter to get the latest updates, news, and products releases. 

© Copyright 2024 NXLog FZE.

Privacy Policy. General Terms of Use

Follow us

  • Product
  • NXLog Platform 
  • Log collection
  • Log management and analysis
  • Log storage
  • Integration
  • Professional Services
  • Plans
  • Resources
  • Documentation
  • Blog
  • White papers
  • Videos
  • Webinars
  • Case studies
  • Community Program
  • Community forum
  • Support
  • Getting started guide
  • Support portals
  • About NXLog
  • About us
  • Careers
  • Find a reseller
  • Partner program
  • Contact us