Regulatory compliance and system logging

Second Edition

Publication date December 14, 2010

Abstract
The advantages of using the syslog-ng Store Box logserver appliance to collect, store, and manage system log (syslog) and eventlog messages for policy compliance.

Copyright © 2010 BalaBit IT Security Ltd.


Table of Contents

1. Preface
   1.1. Summary of contents
2. Introduction
   2.1. What is system logging
   2.2. Why is system logging important when dealing with policy compliance
   2.3. What syslog-ng and the syslog-ng Store Box are
   2.4. Problems to be solved by log management
3. Using the syslog-ng Store Box for policy compliance
   3.1. PCI-DSS compliance and logging
   3.2. COBIT 4.1 compliance and logging
4. HIPAA compliance and logging
5. Other important features
   5.1. Managing SSB
   5.2. Fine-tuned access control
   5.3. LDAP integration
   5.4. Real-time log monitoring and alerting
   5.5. Log collector agent for several platforms
   5.6. Agent for Microsoft Windows platforms
   5.7. Agent for IBM System i platforms
   5.8. Automatic data and configuration backups
   5.9. Automatic data archiving
   5.10. Ability to handle extreme load
6. Further information
   6.1. About BalaBit

www.balabit.com

1. Preface

This paper discusses the advantages of using the syslog-ng Store Box to collect, store, and manage system log (syslog) and eventlog messages in compliance with regulations like the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), or the Payment Card Industry Data Security Standard (PCI-DSS). The document is recommended for technical experts and decision makers working on implementing centralized logging solutions, but anyone with basic networking knowledge can fully understand its contents. The procedures and concepts described here are applicable to version 1.x of the syslog-ng Store Box (SSB).

1.1. Summary of contents

This paper is organized into the following sections:

Section 2, Introduction, briefly describes what system logging is, and why it is an important part of policy compliance.

Section 3, Using the syslog-ng Store Box for policy compliance, is a detailed list of policy requirements, including the requirements of the Payment Card Industry Data Security Standard (PCI-DSS) and COBIT 4.1, that you can address with the syslog-ng Store Box and syslog-ng Premium Edition. Section 4, HIPAA compliance and logging, does the same for the Health Insurance Portability and Accountability Act (HIPAA).

Section 5, Other important features, discusses further features of the syslog-ng Store Box that can come in handy when designing and implementing your system logging architecture.

Section 6, Further information, contains a brief description of BalaBit IT Security and provides links where you can find out more about the syslog-ng Store Box, request an evaluation version, or find a reseller.

2. Introduction

2.1. What is system logging

Operating systems, applications, and network devices generate text messages about the various events that happen to them: a user logs in, a file is created, a network connection is opened to a remote host, and so on. These messages, called log messages, are usually stored in a file on the local hard disk of the system. The aim of central system logging is to collect the log messages on a single, central log server.

For a more detailed introduction to syslog architectures, see the Distributed syslog architectures with syslog-ng Premium Edition white paper.

2.2. Why is system logging important when dealing with policy compliance

Log messages provide important information about the events of the network, the devices, and the applications running on these devices. Log messages can be used to detect security incidents, operational problems, and other issues like policy violations, and are useful in auditing and forensics situations. But collecting and analyzing log messages is also required directly or indirectly by several regulations, including the Sarbanes-Oxley Act (SOX), the Basel II Accord, the Health Insurance Portability and Accountability Act (HIPAA), or the Payment Card Industry Data Security Standard (PCI-DSS).

2.3. What syslog-ng and the syslog-ng Store Box are

The syslog-ng application is a system log collector and forwarder tool that can collect log messages from files and other sources, and also receive the log messages sent by remote hosts. It also has powerful message-filtering and message-routing capabilities. The syslog-ng Store Box is a log server appliance built around syslog-ng, offering a web-based configuration and log-browsing interface, encrypted and digitally signed log storage, and more.

2.4. Problems to be solved by log management

There are several problems and difficulties that have to be solved when creating a usable logging infrastructure. The main problems to consider are summarized below, along with a brief description of how the syslog-ng Premium Edition (PE) application can help you to overcome these problems.

■ Many different devices and applications running on a variety of operating systems. To start collecting log messages into a central log server, the logs must be retrieved somehow from the devices where the messages are generated. These devices (desktop computers, servers, networking devices like switches and routers, firewalls, and so on) usually use many different operating systems, all of which should send the logs to the central server. The problem with the variety of operating systems is that they use different logging solutions, with different configuration requirements and capabilities. To address this problem, syslog-ng can be installed on most common operating systems, including Linux, Solaris, HP-UX, BSD, IBM AIX, and has dedicated agent applications to collect the logs from Microsoft Windows and IBM System i platforms. Using a single logging application vastly simplifies configuration and management problems, and ensures that advanced logging capabilities (like TLS-encrypted log transfer or disk-based buffering) are available on every device. If syslog-ng cannot be installed on a device for some reason (for example, it is running a pre-built firmware which cannot be modified), a local computer running syslog-ng can accept the syslog messages from such devices and relay them to the central log server.


■ Inconsistent timestamps and message format. Different log messages often use different timestamp formats to date the messages (for example, some timestamp formats do not contain year or timezone information), making it difficult to locate the messages later, and to properly see their place in the flow of events. With syslog-ng, it is possible to convert the timestamps to a single format (for example as specified in the ISO 8601 standard), and also to use the date when the syslog-ng Store Box has received the message from the application or the remote host, so the stored messages will contain accurate date information even if the clock of the remote host or the application is inaccurate (the receive time is only as good as the log server's own clock, so the server itself must be kept synchronized, for example with NTP). The syslog-ng application provides macros and powerful message-rewriting capabilities to reformat and normalize the messages in order to convert them to a common format, ensuring that the order of the data fields in the message is consistent with other messages. Supporting the new IETF syslog protocol standard (RFC 5424), syslog-ng and the syslog-ng Store Box make it easy to integrate all kinds of log messages and logging clients into a common framework.

■ Protecting the integrity and confidentiality of the messages during transmission. Log messages are important from the network-security point of view, but they may also contain sensitive information and private data like passwords, usernames, and so on. Therefore, it is important that they are protected against eavesdropping when they are transmitted over the network. It is also important to verify the identity of the communicating parties (that is, the host sending the message, and the central log server) to ensure that the message is received only by its intended target (the log server), and that the message received by the server was indeed sent by the client host. The integrity of the message must also be maintained so that no unauthorized modification of the message is possible. To address these issues, the syslog-ng PE application uses the Transport Layer Security (TLS) protocol to encrypt the communication with the syslog-ng Store Box log server. Both the syslog-ng client and the server can be authenticated using X.509 certificates.

■ Protecting the integrity and confidentiality of the messages stored on the log server. Log messages must be protected even after they arrive at the log server to prevent manipulation and unauthorized access. For this reason, the syslog-ng Store Box can store the log messages in encrypted and digitally signed log files. Encrypting the log files ensures that the log messages can be accessed only by authorized personnel who have the appropriate decryption key; while the digital signature prevents the unnoticed modification of the messages. It is also possible to request timestamps from an external Timestamping Authority (TSA) to add further reliability to the date of the log messages.

■ Ensuring that no messages are lost. The syslog-ng PE application assigns a unique identifier to every message and ensures that you do not lose messages during network or system outages, because syslog-ng PE can store unsent messages on the local hard disk until the log server becomes available again. The syslog-ng PE application and SSB can also apply flow-control to the messages. Flow-control means that if the destination server or database becomes overloaded, syslog-ng PE and SSB can stop accepting messages from the sending applications or hosts. That way the senders are notified that there is a problem in the logging infrastructure and can act accordingly: for example, in an environment where policy compliance mandates that all events be logged, the applications may temporarily halt until logging can be resumed, so there are no actions that are not logged. As an alternative way to handle server downtime, syslog-ng PE can send the log messages to a backup log server if the primary server becomes unavailable. To avoid losing messages on the server side, the syslog-ng Store Box (SSB) appliances use hot-swappable hard disks in RAID configuration to protect against disk failures, and have out-of-the-box high-availability support in failover cluster configurations. The nodes of the cluster use a common block-device subsystem that is automatically synchronized on-the-fly. In addition, SSB can periodically archive the received messages to a remote backup server.


■ Helping SIEM devices to analyze the log messages. Analyzing logs is an essential element of network security. While SSB is not a log analyzing appliance, it has a number of features – including message normalization – that can aid log-analyzing engines. The syslog-ng application has powerful message filtering and sorting capabilities that make it possible to ignore trivial or low-priority messages. Since message filtering can take place already on the clients, it can save a significant amount of bandwidth by dropping unimportant messages, and decrease the load on the SIEM device at the same time. Also, since the capacity of log analyzing applications is often limited, the syslog-ng Store Box can limit the number of messages sent per second. This has the benefit of flattening out message bursts and protecting the log-analyzing engine from becoming overloaded. Certain SIEM devices prefer to receive log messages from databases; SSB can send the log messages directly to a database, and supports most popular databases, including MSSQL, MySQL, Oracle, and PostgreSQL. An even more powerful capability of SSB and syslog-ng is the ability to classify messages in near real time, and apply artificial ignorance to the results. This allows you to create a pattern database of the log messages that normally appear in your log traffic, label them as normal, security-related, violation and so on, and then compare every incoming message to this database. That way messages labeled as important can instantly generate alerts if needed, and unknown messages – which might signal an event occurring for the first time on your network and thus be important – can be collected for review.

■ Storing the messages. Organizations often store log messages for a long time to be able to review security incidents that are not immediately discovered, and several regulations also require the logs to be available for several months or years. Storing the log messages becomes an issue especially if the volume of log traffic is very high (for example a few Gigabytes of raw logs per hour). To reduce the amount of logs to be stored, the syslog-ng Store Box provides powerful message filtering and sorting capabilities: it can drop or separate unimportant messages, and organize messages into different files or databases based on their sending host, application, or content. It can also automatically compress and encrypt the log files, and periodically start a new file so that the older files can be archived and removed from the server. The SSB appliances have large internal hard disk space (up to 10 Terabytes), and also offer the possibility to directly connect to your SAN solution via an iSCSI or fibrechannel interface.
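The timestamp and format normalization described in the list above, as an added example written in Python for this page (it is not code from the syslog-ng project or from BalaBit): it parses both RFC 3164 (BSD) and RFC 5424 syslog lines into one field layout, fills in the year and timezone that RFC 3164 timestamps lack from the server's receive time, emits ISO 8601 timestamps with an explicit offset, and records the receive time as the authoritative timestamp when the sender's clock is off by more than a tolerance. The sample messages, the receive time, the one-hour MAX_SKEW tolerance and the output field names are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample messages (assumed, not captured from any real system):
# an RFC 3164 line without year or zone, an RFC 5424 line with a full
# ISO 8601 timestamp, and an RFC 3164 line from a host with a wrong clock.
SAMPLES = [
    "<34>Dec 14 09:02:11 web01 sshd[1234]: Failed password for root from 203.0.113.5 port 4422 ssh2",
    "<165>1 2010-12-14T09:15:30.123+01:00 db01 oracle 5566 - - listener started",
    "<13>Jan  1 00:00:03 fw02 kernel: DROP IN=eth0 SRC=198.51.100.9",
]
# Assumed log server clock (timezone-aware) at the moment the messages arrive.
LOCAL_TZ = timezone(timedelta(hours=1))
RECEIVED_AT = datetime(2010, 12, 14, 9, 20, 0, tzinfo=LOCAL_TZ)
# Sender timestamps further than this from the receive time are treated as
# unreliable and the receive time becomes the authoritative timestamp.
MAX_SKEW = timedelta(hours=1)

RFC3164 = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")
# Single structured-data element only; several elements would need a real SD parser.
RFC5424 = re.compile(r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) (?P<pid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$")
TAG = re.compile(r"^(?P<app>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?:\s*(?P<msg>.*)$")
MONTHS = {m: i for i, m in enumerate("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}


def parse_3164_time(ts, received):
    """BSD timestamps carry neither year nor zone: borrow both from the
    receive time, and step back one year if that would place the event in
    the future (generated on Dec 31, received on Jan 1)."""
    dt = datetime(received.year, MONTHS[ts[:3]], int(ts[4:6]),
                  int(ts[7:9]), int(ts[10:12]), int(ts[13:15]), tzinfo=received.tzinfo)
    if dt - received > timedelta(days=1):
        dt = dt.replace(year=received.year - 1)
    return dt


def normalize(line, received):
    """Parse one syslog line of either format into a common field layout.
    `received` is the timezone-aware time the log server got the message."""
    m = RFC5424.match(line)
    if m:
        # fromisoformat() understands "+01:00" offsets; map "Z" for older Pythons
        sent = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        app, pid, msg = m["app"], m["pid"], m["msg"]
    else:
        m = RFC3164.match(line)
        if not m:
            raise ValueError("not a syslog message: %r" % line)
        sent = parse_3164_time(m["ts"], received)
        t = TAG.match(m["rest"])
        app, pid, msg = (t["app"], t["pid"], t["msg"]) if t else ("-", None, m["rest"])
    pri = int(m["pri"])
    skewed = abs(sent - received) > MAX_SKEW
    return {
        "facility": pri >> 3,
        "severity": pri & 7,
        "host": m["host"],
        "app": app,
        "pid": pid or "-",
        # authoritative time: ISO 8601 with explicit offset, never ambiguous
        "timestamp": (received if skewed else sent).isoformat(),
        "sender_timestamp": sent.isoformat(),
        "received_timestamp": received.isoformat(),
        "clock_skew_detected": skewed,
        "message": msg,
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        rec = normalize(sample, RECEIVED_AT)
        print(rec["timestamp"], rec["host"], rec["app"], rec["message"],
              "(sender clock rejected)" if rec["clock_skew_detected"] else "")
```

Both the sender's and the receive timestamp are kept in the record; the authoritative one is chosen per message, so a forensic reviewer can still see what the sender claimed while ordering events by a clock that is actually trusted.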


3. Using the syslog-ng Store Box for policy compliance

Compliance is becoming more and more important in several fields – laws, regulations and industrial standards mandate increasing security awareness and the protection of sensitive data. As a result, companies have to increase the control over and the auditability of their business processes, and this makes thorough log management necessary – especially since several regulations require the centralized collection of logs (including retaining logs for an extended amount of time, often spanning several years).

The syslog-ng Store Box logserver appliance and the syslog-ng Premium Edition log collector application give you the tools you need to create a complete, reliable, and trusted log infrastructure to collect the log messages from the clients to a central log server, ensuring the secure transmission and storage of the log messages from a wide variety of operating systems.

3.1. PCI-DSS compliance and logging

The following table provides a detailed description of the requirements of the Payment Card Industry Data Security Standard (PCI-DSS) relevant to log management and auditing. Other compliance regulations like the Sarbanes-Oxley Act (SOX) or the Basel II Accord imply similar requirements.

PCI requirement: 3. Protect stored cardholder data
How the syslog-ng Store Box supports it: System logs may contain sensitive information such as personal identification numbers (PIN) and card validation codes. The syslog-ng Store Box protects these messages by storing them in an encrypted file instead of the plain text files commonly used to store log messages. It is also possible to rewrite messages and automatically remove sensitive cardholder data using the message-rewriting capabilities of syslog-ng. Note that PCI-DSS does not permit storing sensitive authentication data such as the PIN or the card validation code after authorization even in encrypted form, so rewriting such data out of the messages before they are stored is the safer option.

PCI requirement: 4. Encrypt transmission of cardholder data across open, public networks. 4.1 Use strong cryptography and security protocols such as secure sockets layer (SSL) / transport layer security (TLS) / secure shell (SSH).
How the syslog-ng Store Box supports it: Transport layer security (TLS) can be used to encrypt the communication between the clients and the log server and to protect the integrity of the messages. Using TLS encryption also prevents third parties from accessing or modifying the communication. The communication between the syslog-ng client and the SSB logserver can be mutually authenticated using X.509 certificates to verify the identity of the communicating parties and prevent attackers from injecting fake messages into the log files.

PCI requirement: 10.2 Implement automated audit trails for all system components.
How the syslog-ng Store Box supports it: Log messages have an important role in reconstructing the events of an application, host, or network. The syslog-ng application aids this process by ensuring that the log messages arrive at the central log server without any unwanted modification. Messages are sent encrypted using the TLS protocol, which runs over the reliable TCP networking protocol. Note that TCP by itself only guarantees ordered delivery while a connection is up: messages still sitting in the sender's socket buffer when the connection drops are lost, which is why the disk-based buffering feature of syslog-ng PE matters. It buffers messages to the hard disk of the client, ensuring that no messages are lost even if the log server or the network connection becomes unavailable. The syslog-ng Store Box can organize the messages into audit trails based on the sending host and the application, and its web-based search interface makes it easy to browse the log messages and to execute targeted queries to review the log messages, or to find the details of an event.

As for its own audit trails, SSB logs every change of its configuration, and can require the administrators to enter a changelog entry. These log messages are stored separately to make it easy to review and audit the changes. The administrators of SSB can be authenticated against an LDAP database (for example Microsoft Active Directory). SSB also receives automatic notifications from the syslog-ng Premium Edition log collector clients whenever the configuration of a client is modified.

PCI requirement: 10.3 Record at least the following audit trail entries for all system components for each event: 10.3.1 User identification; 10.3.2 Type of event; 10.3.3 Date and time; 10.3.4 Success or failure indication; 10.3.5 Origination of event; 10.3.6 Identity or name of affected data, system component, or resource.
How the syslog-ng Store Box supports it: The syslog-ng PE application can automatically add the following to log messages that omit this information:

■ date and time in various standard formats (for example ISO), including timezone information
■ highly customizable date and time information using macros
■ the name of the client host that generated the message
■ the name of the application or facility that generated the message

SSB automatically logs the required entries whenever an administrator modifies its configuration. The identity of the administrator can be verified against an LDAP database (for example Microsoft Active Directory). The IP address from where the administrator accessed SSB is also recorded.

PCI requirement: 10.4 Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time.
How the syslog-ng Store Box supports it: The syslog-ng PE server can automatically add the date and time when it received the message, so the log messages contain accurate time information – even if the clock of the client host or the application is mistimed. Naturally, SSB itself can synchronize its system clock to NTP servers.

PCI requirement: 10.5 Secure audit trails so they cannot be altered.
How the syslog-ng Store Box supports it: All log messages can be encrypted using public-key encryption on the central log server in a so-called logstore file. The syslog-ng application can also request timestamps for the stored data from an external Timestamping Authority (TSA) to include reliable dates in the log files.

PCI requirement: 10.5.1 Limit viewing of audit trails to those with a job-related need.
How the syslog-ng Store Box supports it: SSB has detailed privilege-management capabilities to give only those who require it access to a set of log messages. Encrypted log messages can be viewed only if the user has the required decryption key.

PCI requirement: 10.5.2 Protect audit trail files from unauthorized modifications.
How the syslog-ng Store Box supports it: The syslog-ng Store Box (SSB) logserver can store the log messages in encrypted logstore files, and log messages are also digitally signed to prevent modifications. The integrity of the messages is also checked when they are transmitted from the clients to the log server. The communication between the syslog-ng clients and SSB can be mutually authenticated using X.509 certificates to prevent log-injection attacks.

PCI requirement: 10.5.3 Promptly back up audit trail files to a centralized log server or media that is difficult to alter.
How the syslog-ng Store Box supports it: The SSB appliance was created exactly for this purpose: it is a log server that can receive the log messages from reliable sources and store them in encrypted, digitally signed and timestamped log files to prevent modifications.

To ensure that no log messages are lost, SSB can receive messages using the reliable TCP networking protocol. To prevent third parties from gaining access to or modifying the messages on the network, the clients can send the messages over a mutually authenticated, TLS-encrypted connection as well.

To guarantee that the log server is continuously available, SSB appliances can be set up in a high availability cluster, where the backup log server goes online in case the primary server becomes unavailable. To minimize the risk of losing messages, the units of the SSB cluster use a common disk subsystem.

SSB can receive log messages from any client application that uses the standard syslog protocols (RFC 3164 or RFC 5424-5426), but it is recommended to use the syslog-ng Premium Edition log collector application whenever possible. During network outages, syslog-ng PE buffers the messages to the hard disk, and sends the messages when the server becomes available. Depending on the volume of the log traffic and the available disk space on the host, your messages are safe even in case of very long network downtime.

PCI requirement: 10.5.4 Copy logs for wireless networks onto a log server on the internal LAN.
How the syslog-ng Store Box supports it: The syslog-ng PE application can relay log messages received from wireless devices and transfer them to the central log server.

PCI requirement: 10.5.5 Use file integrity monitoring and change detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert).
How the syslog-ng Store Box supports it: Using TLS encryption between the clients and the log server ensures that the log messages are not modified on the network. On the log server, syslog-ng can store messages in special encrypted and digitally signed log files to prevent modifications. Timestamps for the stored data can also be requested from an external Timestamping Authority (TSA). When its configuration is changed, the syslog-ng PE application automatically sends a log message to simplify the auditing of your logging infrastructure.

PCI requirement: 10.7 Retain audit trail history for at least one year, with a minimum of three months online availability.
How the syslog-ng Store Box supports it: When stored in the logstore of SSB, log messages can be compressed to save disk space. Messages archived to a remote server remain available in the SSB web interface as long as the server is online. SSB has large internal hard disks, but can also directly connect to external SAN systems.

Table 1. PCI-DSS compliance and logging
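Requirement 3 (removing cardholder data from messages before storage) and requirements 10.5.2 and 10.5.5 (detecting modification of stored audit trails without alerting on legitimate appends) from Table 1, as one added Python example written for this page rather than code from SSB: messages pass through a Luhn-checked PAN redaction before they are stored, each stored record carries the MAC of the previous one so that editing, deleting or reordering a record breaks verification from that point on, and a "seal" (record count plus head MAC) taken at the end of a run lets a later check distinguish new records from a truncated tail. SSB's real logstore uses public-key encryption and digital signatures and can involve an external TSA; the HMAC chain, the SIGNING_KEY constant and the sample messages here are simplifications and assumptions for illustration.

```python
import hashlib
import hmac
import json
import re

# Assumed signing key for the example. In a real log server the key (or a
# private signing key) is held where the log writer can use it but readers
# and administrators of the log files cannot.
SIGNING_KEY = b"example-signing-key-not-for-production"

# Requirement 3: candidate PANs are 13 to 19 digit runs, optionally separated
# by spaces or dashes; only Luhn-valid runs are masked, so order numbers and
# other long digit strings are left untouched.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn checksum: passes for every real PAN, rarely for random digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def redact_pan(message):
    """Keep at most the first six and last four digits and mask the rest."""
    def mask(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)
        return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
    return PAN_CANDIDATE.sub(mask, message)


class LogStore:
    """Append-only, tamper-evident store. Each record carries the MAC of the
    previous record and a MAC over (seq, prev, message), so editing,
    deleting or reordering any record invalidates every record after it."""
    GENESIS = "0" * 64

    def __init__(self, key):
        self.key = key
        self.records = []

    def _mac(self, seq, prev, message):
        payload = json.dumps([seq, prev, message], separators=(",", ":")).encode()
        return hmac.new(self.key, payload, hashlib.sha256).hexdigest()

    def append(self, message):
        message = redact_pan(message)
        prev = self.records[-1]["mac"] if self.records else self.GENESIS
        rec = {"seq": len(self.records), "prev": prev, "message": message}
        rec["mac"] = self._mac(rec["seq"], prev, message)
        self.records.append(rec)
        return rec["mac"]

    def seal(self):
        """(record count, head MAC) to keep out of band, for example signed
        and timestamped by a TSA, so that a later truncation is detectable."""
        return len(self.records), self.records[-1]["mac"] if self.records else self.GENESIS

    def verify(self, records=None, seal=None):
        """(True, None) when intact, else (False, index of the first record
        that fails or is missing). With a seal, records appended since the
        seal are fine (no alert), but none of the sealed ones may be gone."""
        records = self.records if records is None else records
        prev = self.GENESIS
        for i, rec in enumerate(records):
            expected = self._mac(i, prev, rec["message"])
            if rec["seq"] != i or rec["prev"] != prev or not hmac.compare_digest(rec["mac"], expected):
                return False, i
            prev = rec["mac"]
        if seal is not None:
            count, head = seal
            if len(records) < count:
                return False, len(records)      # tail records removed
            if count and records[count - 1]["mac"] != head:
                return False, count - 1          # sealed prefix replaced wholesale
        return True, None


if __name__ == "__main__":
    store = LogStore(SIGNING_KEY)
    # Constructed messages; 4111 1111 1111 1111 is a well-known test PAN.
    store.append("pos01 payment: card 4111 1111 1111 1111 declined, order 1234567890123")
    store.append("web01 sshd[2123]: Failed password for root from 203.0.113.5")
    print(store.records[0]["message"])
    sealed = store.seal()
    store.append("web01 sshd[2125]: Accepted publickey for deploy from 10.0.0.7")
    print("after append:", store.verify(seal=sealed))
    tampered = [dict(r) for r in store.records]
    tampered[1]["message"] = tampered[1]["message"].replace("root", "guest")
    print("edited record:", store.verify(tampered, seal=sealed))
    print("truncated:", store.verify(store.records[:1], seal=sealed))
```

The seal is what makes the scheme match 10.5.5: a chain alone cannot tell a store that was never longer from one whose newest records were deleted, so the head MAC has to be anchored somewhere the log writer cannot rewrite, which is the role the document gives to the external TSA timestamp.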

3.2. COBIT 4.1 compliance and logging

Although the compliance of logging infrastructures to COBIT is seldom required by authorities, COBIT compliance is still important, as there are certain regulations (such as the Sarbanes-Oxley Act, or the Basel II Accord) that do not specify exact technical requirements, and compliance to these regulations is often achieved by adopting a well-established framework like COBIT.

The following table discusses some sample control objectives of the Control Objectives for Information and related Technology (COBIT) 4.1, how they affect the logging infrastructure of organizations, and how syslog-ng PE can be used to address these requirements. Please note that this list is by no means exhaustive, and other objectives may have further requirements on the logging infrastructure and log management.

COBIT 4.1 control objective: AI6 Manage Changes. Changes (including those to procedures, processes, system and service parameters) are logged, assessed and authorized prior to implementation and reviewed against planned outcomes following implementation.
How the syslog-ng Store Box supports it: The syslog-ng Store Box can organize the messages into audit trails based on the sending host and the application, and its web-based search interface makes it easy to browse the log messages and to execute targeted queries to review the log messages, or to find the details of an event.

As for its own audit trails, SSB logs every change of its configuration, and can require the administrators to enter a changelog entry. These log messages are stored separately to make it easy to review and audit the changes. The administrators of SSB can be authenticated against an LDAP database (for example Microsoft Active Directory).

COBIT 4.1 control objective: DS9.3 Configuration Integrity Review. Periodically review the configuration data to verify and confirm the integrity of the current and historical configuration.
How the syslog-ng Store Box supports it: The syslog-ng PE application automatically detects if its configuration is changed, and sends a log message to SSB. That way it is easy to recognize any changes to the logging infrastructure, and detect unauthorized changes.

To support configuration reviews, SSB has an auditor role that allows only the browsing of its configuration, without any access to the collected log messages.

COBIT 4.1 control objective: DS5.11 Exchange of Sensitive Data. Exchange sensitive transaction data only over a trusted path or medium with controls to provide authenticity of content, proof of submission, proof of receipt and non-repudiation of origin.
How the syslog-ng Store Box supports it: Transport layer security (TLS) can be used to encrypt the communication between the clients and the SSB log server and to protect the integrity of the messages. Using TLS encryption also prevents third parties from accessing or modifying the communication. The communication between the client and the server can be mutually authenticated using X.509 certificates to verify the identity of the communicating parties and prevent attackers from injecting fake messages into the log files, and also from obtaining syslog data. The use of the TCP networking protocol, disk-based buffering, and the ability to send the messages to a backup server in case the primary log server becomes unavailable ensures that the log server indeed receives the sent messages.

SSB can store the received log messages in encrypted, digitally signed and timestamped files to prevent modifications to the messages after they have been received. The timestamps can be obtained from an external Timestamping Authority (TSA) as well.

COBIT 4.1 control objective: DS13.3 IT Infrastructure Monitoring. Define and implement procedures to monitor the IT infrastructure and related events. Ensure that sufficient chronological information is being stored in operations logs to enable the reconstruction, review and examination of the time sequences of operations and the other activities surrounding or supporting operations.
How the syslog-ng Store Box supports it: The syslog-ng PE log collector application was created exactly for this purpose: to transfer the log messages generated on the host to the central log server, where they can be stored in encrypted and digitally signed log files to prevent modifications.

SSB has a powerful log classification engine that can classify thousands of messages per second, and raise alerts for certain message types. It can also use the principles of artificial ignorance to detect unknown messages that may require attention or further investigation.

To help the review of time sequences and events, SSB has a web-based search interface. SSB also stores the timestamp when a particular message was received: that way the time information of the message and the flow of the event is accurate even if the clock of the sending client is inaccurate.

COBIT 4.1 control objective: PO2.4 Integrity Management. Define and implement procedures to ensure the integrity and consistency of all data stored in electronic form, such as databases, data warehouses and data archives.
How the syslog-ng Store Box supports it: Using TLS encryption between the clients and the log server ensures that the log messages are not modified on the network. On the log server, syslog-ng can store messages in special encrypted and digitally signed log files to prevent modifications. It is also possible to store a copy of the messages digitally signed and encrypted in the logstore, and another copy in a database (syslog-ng can directly send messages into Oracle, MySQL, and other databases); the database can be used for everyday log processing, analyzing, and reporting purposes, and the messages can be compared to the copies stored in the logstore to detect any unwanted changes.

Table 2. COBIT 4.1 compliance and logging
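The two-copy arrangement described for PO2.4 (and repeated under HIPAA 164.312(e)(2)(i) in the next table), together with the signed and timestamped logstore described earlier, as an added Python example. This is not SSB's own code: an HMAC with a local key stands in for SSB's asymmetric signature and the TSA countersignature, an in-memory SQLite table stands in for the Oracle or MySQL working copy, and the sample messages and the fixed receive timestamp are constructed so the run is reproducible.

```python
"""Tamper-evident log store beside a mutable database copy (added example)."""
import hashlib
import hmac
import json
import sqlite3

# Assumed symmetric signing key. SSB signs its logstore with asymmetric keys
# and can have a Timestamping Authority countersign; an HMAC stands in for
# both here so that the example runs offline.
SIGNING_KEY = b"example-logstore-signing-key"
GENESIS = "0" * 64

# Constructed sample messages; the receive timestamp is fixed so the run is
# reproducible (a real receiver records its own clock on arrival).
RECEIVED_AT = "2010-12-14T10:00:00+00:00"
SAMPLE_MESSAGES = [
    "sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2",
    "sshd[2201]: Failed password for root from 10.0.0.7 port 40122 ssh2",
    "sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow",
]
FORGED = "sshd[2201]: Accepted password for root from 10.0.0.7 port 40122 ssh2"


def _canonical(record):
    """Serialise everything except the signature in a fixed field order."""
    body = {k: v for k, v in record.items() if k != "sig"}
    return json.dumps(body, sort_keys=True).encode()


class LogStore:
    """Append-only store: every record names the hash of its predecessor,
    carries the receiver's timestamp and is authenticated with an HMAC."""

    def __init__(self, key=SIGNING_KEY):
        self.key = key
        self.records = []
        self._prev = GENESIS

    def append(self, message, received):
        record = {"seq": len(self.records), "received": received,
                  "message": message, "prev": self._prev}
        body = _canonical(record)
        record["sig"] = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        self._prev = hashlib.sha256(body).hexdigest()
        self.records.append(record)
        return record

    def verify(self):
        """Walk the chain; return (True, None) or (False, first bad index)."""
        prev = GENESIS
        for i, record in enumerate(self.records):
            body = _canonical(record)
            expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
            if (record.get("seq") != i or record.get("prev") != prev
                    or not hmac.compare_digest(expected, record.get("sig", ""))):
                return False, i
            prev = hashlib.sha256(body).hexdigest()
        return True, None


def load_into_db(store):
    """Working copy for everyday searching and reporting; it is not signed."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE logs (seq INTEGER PRIMARY KEY, received TEXT, message TEXT)")
    db.executemany("INSERT INTO logs VALUES (?, ?, ?)",
                   [(r["seq"], r["received"], r["message"]) for r in store.records])
    db.commit()
    return db


def db_deviations(store, db):
    """Sequence numbers whose database row differs from the signed store or
    is missing from it altogether."""
    rows = dict(db.execute("SELECT seq, message FROM logs").fetchall())
    return [r["seq"] for r in store.records if rows.get(r["seq"]) != r["message"]]


def demo():
    store = LogStore()
    for line in SAMPLE_MESSAGES:
        store.append(line, RECEIVED_AT)
    clean = store.verify()
    db = load_into_db(store)
    # Someone with database access rewrites the failed root login.
    db.execute("UPDATE logs SET message = ? WHERE seq = 1", (FORGED,))
    db.commit()
    found_in_db = db_deviations(store, db)
    # The same edit applied to the store itself breaks the HMAC of record 1.
    store.records[1]["message"] = FORGED
    return {"clean": clean, "db_deviations": found_in_db, "after_edit": store.verify()}


if __name__ == "__main__":
    print(demo())
```

The chain catches in-place edits and deletions from the middle of the store, but trimming records off the end is invisible to it; that is exactly the gap an external timestamp over each closed logstore file (the TSA countersignature mentioned above) is meant to close.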


4. HIPAA compliance and logging

The Health Insurance Portability and Accountability Act (HIPAA) has few direct requirements about logging, but its Security Rule requires that electronic protected health information (ePHI) be protected against unauthorized access and undetected modification while it is transmitted over a network and stored on a computer, with encryption as an addressable safeguard. As log messages may contain such information, the logging infrastructure must comply with these requirements as well.

The following table discusses some sample requirements of HIPAA, how they affect the logging infrastructure of an organization, and how syslog-ng PE and the syslog-ng Store Box address them. Please note that this list is by no means exhaustive, and other requirements may be applicable to the logging infrastructure and log management.

HIPAA Security Rule: 164.312(e)(1) Transmission Security

Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

How the syslog-ng Store Box supports it: Transport Layer Security (TLS) can be used to encrypt the communication between the clients and the syslog-ng Store Box (SSB) log server and to protect the integrity of the messages. Using TLS encryption also prevents third parties from accessing or modifying the communication. The communication between the client and the server can be mutually authenticated using X.509 certificates to verify the identity of the communicating parties and prevent attackers from injecting fake messages into the log files, and also from obtaining syslog data. The use of the TCP networking protocol, disk-based buffering, and the ability to send the messages to a backup server in case the primary log server becomes unavailable help ensure that the log server indeed receives the sent messages.

HIPAA Security Rule: 164.312(e)(2)(i) Integrity Controls (A)

Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.

How the syslog-ng Store Box supports it: Using TLS encryption between the clients and the log server ensures that the log messages are not modified on the network. SSB can store messages in special encrypted and digitally signed log files to prevent modifications. It is also possible to store a copy of the messages digitally signed and encrypted in the logstore, and another copy in a database (SSB can directly send messages into Oracle, MySQL, and other databases); the database can be used for everyday log processing, analyzing, and reporting purposes, and the messages can be compared to the copies stored in the logstore to detect any unwanted changes.

HIPAA Security Rule: 164.312(e)(2)(ii) Encryption (A)

Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

How the syslog-ng Store Box supports it: The syslog-ng PE log collector application can encrypt log messages while they are transferred from their origin to the SSB log server, and SSB can store them in an encrypted, digitally signed format. Timestamps for the stored data can also be requested from an external Timestamping Authority (TSA).

Table 3. HIPAA compliance and logging


5. Other important features

This section highlights some of the features of the syslog-ng Store Box (SSB) that were not discussed in detail sofar, but are useful to know about.

5.1. Managing SSB

SSB is configured from a clean, intuitive web interface. The roles of each SSB administrator can be clearly defined using a set of privileges, such as manage SSB as a host; manage log collection, forwarding and storage; configure various alerts; browse the collected logs and reports.

The web interface is accessible via a network interface dedicated to the management traffic. This management in-terface is also used for backups, sending alerts, and other administrative traffic. All configuration changes areautomatically logged, simplifying the auditing of SSB.

5.2. Fine-tuned access control

The SSB web interface features highly customizable access control. Using this together with the powerful message-sorting capabilities of syslog-ng, you can exactly specify which log messages a user has access to. For example, it ispossible to grant access only to the logs of a specific application to the support engineer of that application – it iseven possible to narrow the time frame of the data only to the relevant period.

5.3. LDAP integration

SSB can connect to a remote LDAP database (for example a Microsoft Active Directory server) to resolve groupmemberships of the users who access the SSB web interface. Privileges to configure SSB or browse different logscan be defined based on group memberships.
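How directory group membership can be turned into the per-application, per-time-window log access described in 5.2 and 5.3, as an added Python example that is not SSB code. The directory dictionary stands in for the LDAP or Active Directory lookup, the privilege model (configure right, allowed programs, time window, union across groups) is an assumption for the illustration, and the log records are constructed.

```python
"""Group-based access control for log searches (added example)."""
from datetime import datetime

# Constructed directory: stands in for the group lookup SSB performs
# against LDAP or Active Directory.
DIRECTORY_GROUPS = {
    "alice": ["ssb-admins"],
    "bob": ["mail-support"],
    "carol": ["mail-support", "dba"],
    "mallory": [],
}

# Assumed privilege model: each group may or may not configure the box, may
# search the logs of a set of programs (None = all) within a time window
# (None = unrestricted). A user's rights are the union of their groups'.
GROUP_POLICY = {
    "ssb-admins":   {"configure": True,  "programs": None, "window": None},
    "mail-support": {"configure": False,
                     "programs": {"postfix/smtp", "postfix/smtpd"},
                     "window": ("2010-12-13T00:00:00+00:00",
                                "2010-12-15T00:00:00+00:00")},
    "dba":          {"configure": False, "programs": {"mysqld"}, "window": None},
}

# Constructed records as the log server would hold them (receive timestamp,
# originating program, message text).
RECORDS = [
    {"received": "2010-12-14T09:15:01+00:00", "program": "sshd",
     "message": "Accepted publickey for alice from 10.0.0.5 port 51022 ssh2"},
    {"received": "2010-12-14T09:18:40+00:00", "program": "postfix/smtp",
     "message": "4F2B1C: to=<bob@example.com>, relay=mx.example.com, status=sent"},
    {"received": "2010-12-10T08:00:00+00:00", "program": "postfix/smtp",
     "message": "1A9C77: to=<eve@example.com>, relay=mx.example.com, status=bounced"},
    {"received": "2010-12-14T09:30:00+00:00", "program": "mysqld",
     "message": "Access denied for user 'root'@'10.0.0.7' (using password: YES)"},
]

AUDIT_TRAIL = []  # every search against the store is itself recorded


def resolve_groups(user):
    """Stand-in for the LDAP/AD query; unknown users get no groups at all."""
    return DIRECTORY_GROUPS.get(user, [])


def _group_allows(policy, record):
    if policy["programs"] is not None and record["program"] not in policy["programs"]:
        return False
    if policy["window"] is not None:
        start, end = (datetime.fromisoformat(t) for t in policy["window"])
        when = datetime.fromisoformat(record["received"])
        if not start <= when < end:
            return False
    return True


def can_configure(user):
    return any(GROUP_POLICY.get(g, {}).get("configure", False)
               for g in resolve_groups(user))


def search(user, records=RECORDS, program=None):
    """Return only the records the user's groups entitle them to see. The
    caller's own program filter can narrow that set but never widen it."""
    policies = [GROUP_POLICY[g] for g in resolve_groups(user) if g in GROUP_POLICY]
    visible = [r for r in records
               if (program is None or r["program"] == program)
               and any(_group_allows(p, r) for p in policies)]
    AUDIT_TRAIL.append({"user": user, "program": program, "returned": len(visible)})
    return visible


if __name__ == "__main__":
    for who in DIRECTORY_GROUPS:
        print(who, [r["program"] for r in search(who)])
```

The point of evaluating the policy on the server side, against the stored receive timestamp rather than any timestamp inside the message, is that a support engineer cannot widen their view by asking for a different program or period: the filter they supply is intersected with their entitlement, and the search itself lands in the audit trail.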

5.4. Real-time log monitoring and alerting

Even though SSB is not a log analyzing engine, it is able to classify individual log messages using artificial ignorance, much like the popular logcheck application of the Unix world. SSB comes with a built-in database of log message patterns that are considered "normal". Messages matching these patterns are produced during the legitimate use of the applications (for example sendmail, Postfix, MySQL, and so on), and are unimportant from the log monitoring perspective, while the remaining messages may contain something "interesting". The administrators can define log patterns on the SSB interface, label matching messages (for example as a security event) and request alerts if a specific pattern is encountered. For thorough log analysis, SSB can also forward the incoming log messages to external log analyzing engines.
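The artificial-ignorance classification described here and under DS13.3, together with the receiver-side timestamp that the DS13.3 row relies on, as an added Python example. It is not SSB's pattern database nor logcheck's rule set: the regex patterns, their labels, the sample syslog lines and the receive timestamps are all constructed for the illustration.

```python
"""Artificial-ignorance classifier with receiver-side timestamps (added example)."""
import re

# RFC 3164-style line: <PRI>Mmm dd hh:mm:ss host program[pid]: text
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[: ]+)(?:\[(?P<pid>\d+)\])?: (?P<text>.*)$")

# Constructed pattern database. "Normal" patterns describe routine output and
# are ignored; "alert" patterns carry a label and raise an alert; whatever
# matches neither is unknown and is kept for a human to look at.
NORMAL_PATTERNS = [
    ("sshd", re.compile(r"^Accepted publickey for \S+ from \S+ port \d+ ssh2$")),
    ("CRON", re.compile(r"^pam_unix\(cron:session\): session (opened|closed) for user \S+")),
    ("postfix/smtp", re.compile(r"^\w+: to=<[^>]+>, relay=\S+, .*status=sent")),
]
ALERT_PATTERNS = [
    ("sshd", re.compile(r"^Failed password for (invalid user )?\S+ from \S+"),
     "security.auth_failure"),
    ("sudo", re.compile(r"^\s*\S+ : TTY=\S+ ; PWD=\S+ ; USER=root ; COMMAND="),
     "security.privilege_escalation"),
]

# Constructed input: (line as sent by the client, receiver's own clock on
# arrival). The db1 client clock is deliberately wrong.
SAMPLE = [
    ("<38>Dec 14 09:15:01 web1 sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2",
     "2010-12-14T09:15:01+00:00"),
    ("<38>Dec 14 09:15:07 web1 sshd[2201]: Failed password for root from 10.0.0.7 port 40122 ssh2",
     "2010-12-14T09:15:07+00:00"),
    ("<86>Dec 14 09:17:01 web1 CRON[2250]: pam_unix(cron:session): session opened for user root by (uid=0)",
     "2010-12-14T09:17:01+00:00"),
    ("<22>Dec 14 09:18:40 mail1 postfix/smtp[3310]: 4F2B1C: to=<bob@example.com>, "
     "relay=mx.example.com[192.0.2.10]:25, delay=0.4, status=sent (250 OK)",
     "2010-12-14T09:18:40+00:00"),
    ("<85>Dec 14 09:20:12 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/cat /etc/shadow",
     "2010-12-14T09:20:12+00:00"),
    ("<30>Jan  1 00:00:03 db1 kernel: EXT4-fs error (device sda1): ext4_find_entry:1436: inode #2: comm cron: reading directory lblock 0",
     "2010-12-14T09:21:00+00:00"),
    ("this is not a syslog message", "2010-12-14T09:21:30+00:00"),
]


def parse(line):
    """Split the header; facility and severity come from the PRI value."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {"facility": pri >> 3, "severity": pri & 7, "client_ts": m.group("ts"),
            "host": m.group("host"), "program": m.group("prog"),
            "pid": m.group("pid"), "text": m.group("text")}


def classify(line, received):
    """received is the receiver's clock reading; the client's timestamp is
    kept as data only, so a wrong sender clock cannot reorder events."""
    fields = parse(line)
    if fields is None:
        return {"class": "unparsed", "label": None, "received": received, "raw": line}
    fields["received"] = received
    for prog, rx, label in ALERT_PATTERNS:
        if fields["program"] == prog and rx.search(fields["text"]):
            return dict(fields, **{"class": "alert", "label": label})
    for prog, rx in NORMAL_PATTERNS:
        if fields["program"] == prog and rx.search(fields["text"]):
            return dict(fields, **{"class": "normal", "label": None})
    return dict(fields, **{"class": "unknown", "label": None})


def classify_batch(lines_with_receive_time):
    return [classify(line, received) for line, received in lines_with_receive_time]


def summary(results):
    counts = {}
    for r in results:
        counts[r["class"]] = counts.get(r["class"], 0) + 1
    return counts


if __name__ == "__main__":
    out = classify_batch(SAMPLE)
    print(summary(out))
    for r in out:
        if r["class"] != "normal":
            print(r["class"], r.get("label"), r["received"], r.get("text", r.get("raw")))
```

Alert patterns are tried before normal ones on purpose: a line that matches both must surface as an alert, not be silently ignored. Lines that match nothing and lines that do not even parse are both kept, because an unknown message is exactly what artificial ignorance is meant to bring to an operator's attention.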

5.5. Log collector agent for several platforms

SSB uses the syslog-ng Premium Edition application to collect logs from different operating systems and hardware platforms, including Linux, Unix, BSD, Sun Solaris, HP-UX, IBM AIX, IBM System i, as well as Microsoft Windows XP, Server 2003, Vista, and Server 2008.


5.6. Agent for Microsoft Windows platforms

The syslog-ng Agent for Windows is a log collector and forwarder application for Microsoft Windows platforms,including Windows Vista and Windows Server 2008. It collects the log messages from eventlog groups and log filesand forwards them to a syslog-ng server using regular or TLS-encrypted TCP connections. The syslog-ng Agentcan be managed from a domain controller using group policies, or run as a standalone application.

5.7. Agent for IBM System i platforms

The syslog-ng agent for IBM System i is a system log collector and forwarder application for the IBM System i (formerly known as AS/400 and IBM iSeries) platform. It collects application and system messages, as well as messages from the System i security audit journal (QAUDJRN) and the operator message queue (QSYSOPR). The collected messages are forwarded to a syslog-ng server using regular or TLS-encrypted TCP connections. The syslog-ng server can run on a separate machine, or directly on IBM System i in the Portable Application Solutions Environment (PASE). The syslog-ng Agent for IBM System i is available as a standalone product and must be licensed independently from syslog-ng Store Box.

5.8. Automatic data and configuration backups

The recorded log messages and the configuration of SSB can be periodically transferred to a remote server usingthe following protocols:

■ Network File System protocol (NFS);

■ Rsync over SSH;

■ Server Message Block protocol (SMB/CIFS).

The latest backup – including the data backup – can be easily restored via SSB's web interface.

5.9. Automatic data archiving

SSB's configuration and the recorded log messages are automatically archived to a remote server. The data on theremote server remains accessible and searchable; several terabytes of audit trails can be accessed from the SSB webinterface. SSB uses the remote server as a network drive via the Network File System (NFS) or the Server MessageBlock (SMB/CIFS) protocol.

5.10. Ability to handle extreme load

The syslog-ng Store Box is optimized for performance, and can handle enormous amounts of messages. Depending on its exact configuration, it can process over 75,000 messages per second in real time, meaning over 24 GB of raw logs per hour, and index and classify over 30,000 messages per second. Larger versions of the appliance (SSB5000 and SSB10000) include their own storage solutions capable of storing up to 10 Terabytes of data.


6. Further information

6.1. About BalaBit

BalaBit IT Security Ltd. is a developer of network security solutions satisfying the highest standards. BalaBit was founded and is currently owned by Hungarian individuals. Its main products are the syslog-ng system logging software, which is the most widely used alternative syslog solution in the world; the syslog-ng Store Box logserver appliance; Zorp, a modular proxy gateway capable of inspecting over twenty protocols, including encrypted ones like SSL and SSH; and the Shell Control Box, an appliance that can transparently control, audit, and replay SSH, RDP, VNC, and Telnet traffic.

To learn more about commercial and open source BalaBit products, request an evaluation version, or find a reseller,visit the following links:

■ The syslog-ng homepage

■ Shell Control Box homepage

■ syslog-ng Store Box (SSB) homepage

■ Product manuals, guides, and other documentation

■ Register and request an evaluation version

■ Find a reseller

All questions, comments or inquiries should be directed to <[email protected]> or by post to the following address: BalaBit IT Security 1115 Budapest,Bártfai str. 54 Phone: +36 1 3710540 Fax: +36 1 2080875 Web: http://www.balabit.com/

Copyright © 2010 BalaBit IT Security Ltd. Some rights reserved. This document is published under the Creative Commons Attribution NoncommercialNo Derivative Works (byncnd) 3.0 license. All other product names mentioned herein are the trademarks of their respective owners.

The latest version is always available at the BalaBit Documentation Page.
