---
SPDX-FileCopyrightText: © 2024 Menacit AB <[email protected]>
SPDX-License-Identifier: CC-BY-SA-4.0
title: "Logging course: Course recap"
author: "Joel Rangsmo <[email protected]>"
footer: "© Course authors (CC BY-SA 4.0)"
description: "Recap of material covered in logging course"
keywords:
color: "#ffffff"
class:
style: |
  section.center {
    text-align: center;
  }
  table strong {
    color: #d63030;
  }
  table em {
    color: #2ce172;
  }
---
Time handling: very messy, but important - especially for enabling log correlation!
Whenever possible, normalize time zone configuration (preferably to UTC).
NTP helps us keep our clocks in sync.
NTS prevents MITM attacks against NTP and PTP improves precision.

Full packet capture: capture all traffic flowing across the network using tap/mirror/SPAN functionality in switches.
Easy to implement inspection-based logging.
Requires lots of computing resources and storage, and encrypted traffic is a challenge.
NIDS are a middle ground that just look for suspicious traffic using IoCs/rulesets.

Flow logging: only log and store traffic metadata.
Network flow ~= same peers, protocol and (when applicable) port.
Routers and networking gear provide HW-based support for NetFlow/IPFIX.
(In many cases extremely) useful for both NOC and SOC.

UNIX-like systems have historically populated /var/log with a bunch of text files.
GNU Coreutils provides several useful tools for filtering/extracting text data:
- cut: Split/filter lines into distinct fields
- wc: Count lines/bytes of input data
- uniq: Basic data aggregation (typically after sort)
- tr: Various clean-up tasks
- date: Voodoo magic with dates and times
And let's not forget GNU grep! (note that "sed" is not a part of Coreutils)
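As an added example (not part of the course material), a Coreutils-plus-grep pipeline that aggregates failed SSH logins from a few constructed auth.log-style lines, and a `date` one-liner that normalizes an epoch timestamp to UTC in the spirit of the time section above. It assumes GNU grep and GNU coreutils (`grep -o`, `date -d`); the field positions match the constructed sample format only.

```shell
#!/bin/sh
# Added example: extract and aggregate events from syslog-style text logs
# using only grep + GNU Coreutils (no sed/awk). Assumes GNU grep/coreutils.

# Constructed sample lines in classic /var/log/auth.log style.
# Addresses are documentation ranges (RFC 5737), not real hosts.
SAMPLE_LOG='Mar  3 10:15:01 host1 sshd[2201]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 10:15:03 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Mar  3 10:15:04 host1 sshd[2210]: Accepted publickey for joel from 198.51.100.20 port 40022 ssh2
Mar  3 10:16:11 host1 sshd[2215]: Failed password for root from 198.51.100.9 port 40100 ssh2
Mar  3 10:16:12 host1 sshd[2215]: Failed password for root from 203.0.113.7 port 51140 ssh2
Mar  3 10:17:00 host1 cron[2300]: (root) CMD (run-parts /etc/cron.hourly)'

# Pattern selecting only sshd failed-password events (not cron, not accepted logins).
FAILED_PATTERN='sshd\[[0-9]*\]: Failed password'

# Total number of failed-password events: grep filters, wc counts, tr strips padding.
failed_login_count() {
    printf '%s\n' "$SAMPLE_LOG" \
        | grep "$FAILED_PATTERN" \
        | wc -l | tr -d ' '
}

# Failed attempts per source address, most frequent first, as "<count> <address>".
# grep -o isolates "from <addr> port", cut keeps the address, sort|uniq -c aggregates,
# sort -rn ranks, tr -s/cut remove the leading padding that uniq -c emits.
failed_logins_by_source() {
    printf '%s\n' "$SAMPLE_LOG" \
        | grep "$FAILED_PATTERN" \
        | grep -o 'from [0-9.]* port' \
        | cut -d ' ' -f 2 \
        | sort | uniq -c | sort -rn \
        | tr -s ' ' | cut -d ' ' -f 2-
}

# Normalize an epoch timestamp to an ISO 8601 UTC string (GNU date: -u, -d @epoch),
# the kind of step that makes events from differently configured hosts comparable.
epoch_to_utc() {
    date -u -d "@$1" '+%Y-%m-%dT%H:%M:%SZ'
}

# Stand-alone run: print the aggregate and a normalized timestamp.
echo "failed logins: $(failed_login_count)"   # → 4
failed_logins_by_source                       # → "3 203.0.113.7" then "1 198.51.100.9"
epoch_to_utc 1700000000                       # → 2023-11-14T22:13:20Z
```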
Choo choo - let's move on!