00:00:00,000 --> 00:00:52,260
In this lesson, we're going to discuss how we conduct network logging inside of our networks. Now, all of our network devices are going to generate logs based on the information, events, warnings, alerts, and other critical data that they generate. If you have a very small network, it's pretty easy for you to log into a network device and review the logs individually or manually. But if you're like me and you start working on large enterprise networks, this is impossible. For example, one of the networks I previously worked on had thousands of network switches and hundreds of routers. There is no way I could possibly log into each and every one of them and review those log files individually each and every day. So instead, we use something known as Syslog. Syslog is a protocol that's used to send these logs to a centralized server. This becomes the easiest way for us to gather all the logs across all our routers and switches, and bring them back to a central point where we can analyze and review them.
00:00:52,260 --> 00:01:36,150
All of our routers, our switches, our servers, and all of our other devices can be configured to send their own logs back to the centralized server to make our jobs easier and more efficient if we use Syslog. These centralized servers are known as syslog servers, or you could have a SIM, which is a Security Information Management system, or a SEM, a Security Event Management system, or the new combination of the two known as a SIEM, a Security Information and Event Management system. These days, most people have moved to a SIEM, because it combines the functionality of all these other types of logging and analysis systems into one device. By sending all of your logs to the centralized server, it allows you as an administrator or analyst to normalize and correlate the events in order to see trends over time.
00:01:36,150 --> 00:02:33,210
For example, if I see someone's conducting a ping sweep on my firewall, that's really not that big of a deal, but if I see that within a few minutes of that sweep, somebody from the same IP address is trying to connect to my servers or my clients, that may be a concern that could be flagged for investigation, because maybe they were preparing the environment by seeing what ports were open and now they're launching an attack. When you configure your syslog server, your SIM, your SEM or your SIEM, there are two primary components you have to have. You have to have a client, and you have to have a server. Now, a client is just the device that's going to send the log information to the syslog server. This can be a router, a switch, a firewall, a web server, or any other type of device. Then you have a server, and this is going to receive and store all those logs from all the different clients. Each client can be configured to send logs to the server based on different severity levels of the information they contain. Now, when it does this, it's going to send the data over port 514 using UDP, the user datagram protocol.
00:02:33,210 --> 00:03:24,480
Now, syslog has eight different severity levels. The severity levels start at zero and they count upward to seven, so zero is going to be the most severe, and seven is going to be the least severe or the most benign. Now, level zero is going to be used for emergencies and it's going to be considered the most severe condition, because the system has now become unstable. With level one, we're going to have an alert condition, and this means there's a condition that should be corrected immediately. Level two is used for a critical condition, and it means there is a failure in the system's primary application and it requires somebody's immediate attention. With level three, we have an error condition, and it means that something is happening to the system that's preventing it from functioning properly. Now, for example, your file system storage may have reached its limits and now the system can't write the data, and so it's generating a write error when it tries to save that log information, and that could generate an error condition.
00:03:24,480 --> 00:04:13,380
Now, level four is going to be used for warning conditions, and it can indicate that an error is going to occur if action isn't taken soon. For example, let's say your file system only has two gigabytes of space remaining, so you need to free up more space before you start to write errors. This can send an alert, and this would be known as a warning condition, because you're running out of disk space. Now, level five is used for notice conditions, and that means these are events that are unusual, but they're not exactly error conditions. Level six is for information conditions, and this is going to be a normal operational message that requires no action. For example, you might see in your logs that an application has started or paused or ended successfully. These are all informational logs. Level seven is going to be used for debugging conditions, and it's just information that's useful to developers as they're debugging their networks and their applications.
00:04:13,380 --> 00:05:04,620
Now, as a network or system administrator, it's your responsibility to determine what levels should be logged and how long you want to keep those logs inside your syslog server or your SIEM. Now, while we would love to keep everything forever, for most of us, that's just not practical, because we'll eventually run out of hard disk space, so some administrators will limit what they log and they decide to only log things from level zero to level five, and they'll ignore the informational or debugging logs. This all depends on your organization and the policies you're going to set forth inside your business. All right, we've talked a lot about logs and Syslog so far, but we haven't really looked at one yet, so let's pull up a log and take a look inside. Here's an example from a syslog server. Here we have the date, the time, the location, and then we have the log level, and you can see things like alerts, emergency, error, warning, notice, informational, and things like that.
00:05:04,620 --> 00:05:59,160
Then you have the machine or the host name and the IP in the next column, so you know what machine did the reporting of this error or information or warning. Then you have the actual text of the log message itself. This will say things like, "This is a test message," or "This is an error and here's the error I had." By having this information and understanding what it is as an analyst or administrator, you can start going back and figuring out what caused the incident and what really occurred. Now for the exam, what do you need to know about Syslog? Well, you need to understand the eight different levels. You may get a question that says, "What is level number three in syslog?" And you need to say, "That's an error message." All right, let's go ahead and talk a little bit more about logs. Remember, a syslog server is all just a big collection of all the different logs from all the different servers and clients and network devices we have. Now, when it comes to network device logs, we can review these inside the syslog server as well as by looking at our traffic logs and our audit logs.
00:05:59,160 --> 00:06:51,090
Now, when it comes to network traffic logs, these are going to contain information about traffic flows within your network. For example, if you collect network traffic logs from your router or your firewall, you're going to see a list of every connection that's been made to and from your network. For example, you can see the source IP, the source port, the destination IP, the destination port, as well as the MAC address of the client, the time it took to occur, the length of the packet, and even its time to live. Then you can analyze these traffic flows to determine if this is normal traffic for you and something you'd expect to see in your baseline, or is this something that's abnormal and needs to be investigated further. For example, if you knew that in a given day you're used to seeing about a gigabyte of data leaving your network over port 443, but today you saw 10 gigabytes of data was leaving your network, that is something you need to worry about. So you might take a look at that and see, have you been hacked? Is somebody stealing all your data?
00:06:51,090 --> 00:07:36,240
Now, does it mean that's happening? Well, not necessarily, but we do know it's abnormal, because we expect to see somewhere around one, and right now we're seeing around 10, so we need to investigate that closer and dive into those network traffic logs to see what's happening. Let's say, for example, that happened in my company. I would want to investigate that. Now, most likely what I'll find is that my video editor was uploading all of our videos to cloud-based servers, because 10 gigabytes of data is only about an hour or two of video for our courses. Now she might edit all week and then on Friday upload all that data, and that's why we're seeing that big spike on Friday. Similarly, if you see traffic that you're not expecting, like somebody sending data over some port that you're not using, like port 21 for FTP, but you don't have an FTP server, this could be something that's abnormal and suspicious as well.
00:07:36,240 --> 00:08:29,310
The key to understanding your network traffic logs is understanding what normal looks like, and so you have to understand what normal is in your baseline, so you can then determine what is abnormal and what needs to be looked at much more closely as you do investigations. Also, when you're looking at your traffic logs, this can help you during your troubleshooting efforts. For example, you might see that you're trying to send data to a particular IP address, but it's stopping in a particular router or firewall within your network. By investigating this in the traffic logs, you can determine why this blockage is occurring. Now the second type of network device log we need to talk about is an audit log. Now, an audit log or audit trail is a record of all the events and changes that have happened on that device. Every IT device keeps a log based on the events. An audit log is typically going to contain a sequence of events for a particular activity. In a network device, this would be something like a configuration change that you made to that system.
00:08:29,310 --> 00:09:19,500
So let's say, for example, you came into work and you found that somebody changed a configuration on your border gateway router. Now you could log in and see who made that change and exactly what changes were made by reviewing that audit log for the device. For your convenience, these audit logs can be sent over Syslog to that centralized server for review and analysis as well. Now, when it comes to servers and clients, we're usually going to be using Windows machines in enterprise networks. For Windows, there are three main types of logs you can also collect. These are application logs, security logs, and system logs. To view these logs, you can open your event viewer on a Windows system and access the different types of logs. The first one is an application log. In Windows, this contains information about the software running on your client or server. Now, there are three severity levels in a Windows application log. We have informational, warning, or error.
00:09:19,500 --> 00:10:07,053
For example, if you have Microsoft Word and it crashes on you, you can go check the application log and figure out why it keeps crashing. Our second one we have is the security log. The security log contains information about the security of your client or server. This is going to have things like successful and failed login attempts, and other pertinent security information. This will also show you if an audit success or audit failure occurred for those logs. Now the third one we have is a system log. The system log contains all the information about the operating system itself. There are three severity codes here. Just like the application log, we're still going to have informational, warning, and error. In this example, there are four errors and the rest were informational items. Errors are notated by that red exclamation mark, whereas if you see the warning, it's going to be a yellow triangle, and information is a white circle with a blue I inside of it.