Network Security
CHAPTER 07

Network Monitoring and Logging

Updated: May 15, 2026
25 min read


1. Introduction

If a tree falls in a forest and no one is around to hear it, does it make a sound? If a hacker breaches your firewall at 3:00 AM and no one is looking at the firewall logs, did the breach happen? The answer is yes, and the damage is catastrophic. The foundation of modern network defense is visibility. You cannot defend what you cannot see. In this chapter, we will explore the critical discipline of Network Monitoring, the concept of Syslog, and how Security Information and Event Management (SIEM) systems aggregate data to catch attackers.

2. Learning Objectives

By the end of this chapter, you will be able to:
  • Define the purpose of network logging and monitoring.
  • Understand the function of Syslog in network environments.
  • Define a SIEM (Security Information and Event Management) system.
  • Understand the concepts of Log Aggregation and Event Correlation.
  • Identify the necessity of Network Time Protocol (NTP) in logging.

3. Beginner-Friendly Explanation

Imagine managing security for a massive casino.
  • The Logs: Every slot machine, every door card-reader, and every cash register prints a tiny receipt (a log) every time it is used.
  • The Problem: The casino generates 1 million receipts a day. If someone steals money, it would take the manager 10 years to read through all the physical receipts to find the thief.
  • The SIEM (The Security Room): Instead of printing physical receipts, every machine sends its data instantly to a massive central computer. The computer organizes the data. The manager tells the computer: *"Alert me if a door card-reader fails 5 times, and then a cash register opens 30 seconds later."* The computer connects the dots and sounds the alarm immediately.

4. What is a Log?

A log is a time-stamped text record of an event.

*Example Firewall Log:*

```
2024-10-27 14:32:01 | Action: DENY | Src IP: 203.0.113.5 | Dst IP: 10.0.0.5 | Port: 3389
```

This single line tells a security analyst that an external IP address attempted to access the internal Remote Desktop port, and the firewall blocked it.

5. Syslog and Log Forwarding

A single server stores its logs locally (e.g., in /var/log/ on Linux). If an attacker hacks that server, the first thing they do is delete the local logs to cover their tracks! The Defense: Syslog. Syslog is a standard protocol used to forward log messages. Instead of just saving the log locally, the server instantly transmits a copy of the log over the network to a dedicated, highly secure, centralized Logging Server. Even if the hacker deletes the local logs, the evidence is already safely stored elsewhere.
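To make the forwarding step concrete, here is an added example (not from this chapter) that builds a log message in the RFC 3164 syslog layout, sends a copy over UDP to a collector, and parses it on the receiving side. The collector address 127.0.0.1:5140 and the sample sshd message are assumptions for the demo; a real logging server would normally listen on port 514.

```python
"""Added example, not from the chapter: Syslog forwarding in miniature. Build an
RFC 3164-style message, send a copy by UDP to a collector, and parse it there.
The collector is a loopback socket standing in for a real central log server."""
import socket
from datetime import datetime

FACILITY = {"kern": 0, "user": 1, "auth": 4, "authpriv": 10, "local0": 16}
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4, "notice": 5, "info": 6, "debug": 7}
COLLECTOR = ("127.0.0.1", 5140)  # assumed address of the central logging server

def build_syslog(facility, severity, hostname, tag, msg, when=None):
    """PRI = facility * 8 + severity, followed by the RFC 3164 header."""
    pri = FACILITY[facility] * 8 + SEVERITY[severity]
    when = when or datetime.now()
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"  # day is space-padded, not zero-padded
    return f"<{pri}>{stamp} {hostname} {tag}: {msg}"

def parse_syslog(raw):
    """Recover facility and severity from PRI and split the header for indexing."""
    pri, rest = raw[1:].split(">", 1)
    facility, severity = divmod(int(pri), 8)
    header = rest[:15]                      # fixed-width "Mmm dd hh:mm:ss"
    host, body = rest[16:].split(" ", 1)
    tag, msg = body.split(": ", 1)
    return {"facility": facility, "severity": severity, "timestamp": header, "host": host, "tag": tag, "msg": msg}

def forward(message, collector=COLLECTOR):
    """Ship one datagram off-box; if the host is later wiped, this copy survives."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(message.encode(), collector)

def demo_message():
    """A constructed sshd failure with a fixed time so the output is reproducible."""
    return build_syslog("auth", "notice", "srv", "sshd[910]",
                        "Failed password for bob from 203.0.113.5 port 5000 ssh2",
                        when=datetime(2024, 10, 27, 14, 28, 3))

if __name__ == "__main__":  # local round trip: collector and sender in one process
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as collector:
        collector.bind(COLLECTOR)
        collector.settimeout(2)
        forward(demo_message())
        print(parse_syslog(collector.recvfrom(2048)[0].decode()))
```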

6. The SIEM (Security Information and Event Management)

A SIEM (like Splunk, IBM QRadar, or Elastic Security) is the brain of the Security Operations Center (SOC). It performs two massive tasks:
  1. Log Aggregation: It collects logs from firewalls, Windows Domain Controllers, Antivirus agents, and IDS/IPS systems into one searchable database.
  2. Event Correlation: It connects the dots.
  • *Event A (Windows Log):* User Bob failed to log in 50 times.
  • *Event B (Firewall Log):* An IP address from an unexpected country connected to the VPN.
  • *Correlation:* The SIEM combines these isolated events and fires a "High Severity: Compromised Account" alert to the security team.

7. Mini Project: Monitor Local Network Activity

Let's see how monitoring looks on a live Linux system using basic built-in tools.

Step-by-Step Walkthrough:

  1. Monitor Authentication Logs: Watch live as users (or attackers) attempt to log in to your server.

```bash
sudo tail -f /var/log/auth.log
```

*(The -f flag "follows" the file, updating your screen in real-time as new logins occur.)*

  2. View Active Network Connections: See exactly which IP addresses are currently connected to your machine right now.

```bash
netstat -antp
```

*(Look for connections in the `ESTABLISHED` state. Do you recognize the foreign IP addresses?)*

8. Real-World Scenarios

A corporation is breached, and 500GB of proprietary source code is stolen. When incident responders arrive, they ask the IT team for the firewall logs from the past 30 days to see how the hackers got in. The IT team admits they never configured a centralized log server; the firewall only had enough internal memory to store the last 24 hours of logs. The evidence of the initial breach is permanently gone, making it nearly impossible to figure out what vulnerability the attackers exploited.

9. Best Practices

  • Network Time Protocol (NTP): If your firewall's clock is set to 2:00 PM, and your Active Directory server's clock is set to 2:05 PM, the SIEM cannot correlate events accurately. An attacker's login might appear to happen *before* they breached the firewall! All devices on a network must sync their clocks to a central NTP server down to the millisecond.
  • Network monitoring involves collecting vast amounts of data, which may include employees' personal web browsing habits or sensitive communications. Organizations must establish clear "Acceptable Use" and "Privacy" policies, ensuring employees are legally aware that their corporate network traffic is being monitored for security purposes.
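Putting sections 4 and 6 together with the NTP bullet above, here is an added example (not the chapter's code) of a toy SIEM: it parses the chapter's firewall log format and auth.log-style sshd lines, shifts the auth host's timestamps by a measured clock offset, and applies a correlation rule. All log lines are constructed, and the 5-minute skew, the threshold of 3 failures and the 60-second window are assumptions.

```python
"""Added example, not from the chapter: a toy SIEM that puts the chapter's firewall
format and auth.log-style sshd lines on one clock, then applies a correlation rule."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall lines in the chapter's format; the firewall clock is correct.
FIREWALL_LOGS = [
    "2024-10-27 14:32:01 | Action: DENY | Src IP: 203.0.113.5 | Dst IP: 10.0.0.5 | Port: 3389",
    "2024-10-27 14:32:40 | Action: ALLOW | Src IP: 203.0.113.5 | Dst IP: 10.0.0.5 | Port: 22",
]
# Constructed /var/log/auth.log lines from a host whose clock runs 5 minutes slow.
AUTH_LOGS = [
    "Oct 27 14:28:03 srv sshd[910]: Failed password for bob from 203.0.113.5 port 5000 ssh2",
    "Oct 27 14:28:05 srv sshd[910]: Failed password for bob from 203.0.113.5 port 5001 ssh2",
    "Oct 27 14:28:08 srv sshd[910]: Failed password for bob from 203.0.113.5 port 5002 ssh2",
    "Oct 27 14:28:30 srv sshd[912]: Accepted password for bob from 203.0.113.5 port 5003 ssh2",
]
FW_RE = re.compile(r"^(\S+ \S+) \| Action: (\w+) \| Src IP: (\S+) \| Dst IP: \S+ \| Port: (\d+)$")
AUTH_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")

def parse(fw_lines, auth_lines, auth_offset_s=0, year=2024):
    """Return (time, source, kind, ip, detail) tuples on one timeline; auth_offset_s is the auth host's skew."""
    events = []
    for line in fw_lines:
        ts, action, ip, port = FW_RE.match(line).groups()
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "firewall", action, ip, port))
    for line in auth_lines:
        ts, result, user, ip = AUTH_RE.match(line).groups()
        t = datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")  # auth.log omits the year
        events.append((t + timedelta(seconds=auth_offset_s), "auth", result, ip, user))
    return sorted(events)

def correlate(events, n_failures=3, window_s=60):
    """Rule: n_failures from one IP, then an Accepted login within window_s of them,
    and the firewall must have recorded an ALLOW for that IP before the success."""
    alerts, failures, allowed = [], defaultdict(list), {}
    for t, source, kind, ip, detail in events:
        if source == "firewall" and kind == "ALLOW":
            allowed.setdefault(ip, t)  # first time the perimeter let this IP in
        elif kind == "Failed":
            failures[ip].append(t)
        elif kind == "Accepted":
            recent = [f for f in failures[ip] if t - f <= timedelta(seconds=window_s)]
            if len(recent) >= n_failures and ip in allowed and allowed[ip] <= t:
                alerts.append(f"High Severity: {len(recent)} failures then success for {detail} from {ip} at {t}")
            elif len(recent) >= n_failures:  # login seems to precede the perimeter event: clock skew
                alerts.append(f"Timeline inconsistent: success from {ip} at {t} precedes any firewall ALLOW; check NTP")
    return alerts
```

Run `correlate(parse(FIREWALL_LOGS, AUTH_LOGS, auth_offset_s=300))` for the NTP-corrected timeline, and the same call without the offset to see the login appear to happen before the firewall let the attacker in.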

11. Exercises

  1. Explain the primary security benefit of forwarding logs via Syslog to a centralized server rather than keeping them stored locally on individual machines.
  2. Define "Event Correlation" in the context of a SIEM. Give an example of two isolated logs that, when correlated, indicate a cyberattack.

12. FAQs

Q: How long should a company keep its network logs?

A: This depends on compliance regulations (like HIPAA or PCI-DSS), which often mandate retaining logs for 1 to 7 years. However, from a practical security standpoint, keeping active, searchable logs for 90 days and archiving older logs to cheap "cold storage" (like AWS S3 Glacier) is a standard best practice, as hackers often dwell inside a network for months before launching an attack.

13. Interview Questions

  • Q: You are a SOC analyst investigating an alert. You notice the timestamps on the firewall logs are 5 minutes ahead of the Windows Domain Controller logs. Detail the operational challenges this presents during an investigation and the architectural fix required.
  • Q: Describe the difference between Log Aggregation and Log Parsing/Normalization within a SIEM architecture.

14. Summary

In Chapter 7, we established that visibility is the prerequisite to defense. We defined logs as the digital footprints left by network activity and emphasized the necessity of using Syslog to instantly forward these footprints to a secure, centralized location. We explored the immense power of a SIEM, which transforms millions of raw text files into actionable, correlated security alerts. A properly configured monitoring environment ensures that when a hacker inevitably breaches the perimeter, the Blue Team is watching.

15. Next Chapter Recommendation

Logs provide a summary of what happened. But sometimes, a security analyst needs to look at the actual, raw data flowing through the cables to prove exactly what was stolen. Proceed to Chapter 8: Wireshark and Packet Analysis.
