Audit logs are a core component for the security of every system – without them there’s no visibility of who did what and for what purpose. There are audits, there are forensic investigations after security incidents, there’s compliance – all of that is impossible without a proper audit log.
Existing systems have many and different types of logs and it’s sometimes challenging to choose which ones should be secured and which are just for diagnostics and system information. Furthermore, application developers sometimes created dedicated log tables in the database which have a more structured representation of business-relevant events. At the same time, it is not immediately obvious how much critical log data is practically unprotected from privileged user manipulation.
In order to make it easier for our customers to choose what logs to secure using SentinelTrails, we’ve developed a tool for scanning the system for logs. The tool is free and open source, and does the following:
- scans for log files in a system and marks some of the log files as critical depending on their contents
- scans for running databases and tries to find tables that contain a application-specific audit log. If it detects running databases, it asks for DBA credentials in order to be able to scan all tables (read-only access is sufficient).
- scans for enabled database-native audit trail (e.g. for MS SQL Server or Oracle).
- scans for running log collectors, e.g. Logstash, Graylog, Splunk. These are important, as some of the logs there can be forwarded to SentinelTrails for protected storage, as the log collectors themselves to not guarantee the integrity of logs
The results are presented in an HTML report which can be used for determining which sources to include in the logsentinel-agent configuration (the logsentinel-agent is a client-side tool installed on each machine that gathers information from multiple sources which is then securely sent to SentinelTrails for storage in our internal blockchain structure).
Tools like this are important for both the business analysis phase as well as for regular checks by technical personnel. The security of each company relies on many steps and tools, and we believe we are contributing to that – with the the tool for scanning for logs and with our core offering – SentinelTrails.
Bozhidar Bozhanov is a senior software engineer and solution architect with 15 years of experience in the software industry. Bozhidar has been a speaker at numerous conferences and is among the popular bloggers and influencers in the technical field. He’s also a former government advisor on e-government, transparency, and information security.