What are Network Device Logs?

Quick Definition: Network device logs provide insight into events occurring on devices, applications, and network traffic. They help with troubleshooting and incident response.
Do you ever wish you could see exactly where it all went wrong? Well, network device logs allow you to do just that. Every router, switch, application, and other device you can think of keeps logs of network activity and internal events. These logs are useful in troubleshooting, incident response, and digital forensics, and can even be used in application development.
Different types of logs capture various types of events. This article will focus on traffic logs, audit logs, and the syslog protocol. These logs are some of the most basic and informative found on any given device.
What are Traffic Logs? Insights into Network Traffic Patterns
Traffic logs contain information about network traffic, including the beginning and end of a connection, connection attempts, requests, and other information relating to one device communicating with another.
These logs are a great source of information and can be used by end users, network administrators, and security analysts to identify issues. Logs are often stored in basic formats that are not fun to work with, but plenty of free and paid tools are available to help visualize and organize network traffic.
The first step to analyzing network traffic is to collect and store the traffic somewhere. Most network devices will do this by default, and store the logs somewhere on the filesystem. Additionally, many organizations configure their network devices to forward those logs to the tools specifically designed to aid in network traffic analysis.
Once collected, logs should be categorized by applying tags based on specific criteria such as event type, timestamp, source and destination, and any other attributes you may find useful. You can now use these traffic logs to troubleshoot issues and improve performance.
Security analysts can also use traffic logs to identify anomalous and potentially malicious activity. Key things to search your logs for include outbound connections at odd times, traffic to and from suspicious destinations, and sudden increases in outbound traffic volume. Any of these may indicate malicious activity on your network, and you may need to turn to other logs to identify the source.
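The three searches just described (odd-hour outbound connections, traffic to suspicious destinations, and sudden jumps in outbound volume) can be expressed as detection logic over a traffic log. The following is an added example written for this article, not code from CBT Nuggets or from any particular product. The log format (one `key=value` flow record per line), the sample lines, the denylisted network, the "odd hours" window, and the spike thresholds are all constructed assumptions; a real deployment would take them from its own devices and baseline.

```python
import ipaddress
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample traffic log in a generic key=value flow-record style.
# Addresses use the RFC 5737 documentation ranges; none of this is real data.
SAMPLE_TRAFFIC_LOG = """\
2024-03-04T09:05:12Z src=10.0.0.5 dst=198.51.100.20 dport=443 bytes=4200 dir=out
2024-03-04T09:17:40Z src=10.0.0.5 dst=198.51.100.21 dport=443 bytes=3800 dir=out
2024-03-04T10:02:03Z src=10.0.0.5 dst=198.51.100.20 dport=443 bytes=5100 dir=out
2024-03-04T11:45:59Z src=10.0.0.7 dst=198.51.100.22 dport=80 bytes=2200 dir=out
2024-03-04T13:21:10Z src=10.0.0.5 dst=198.51.100.20 dport=443 bytes=4600 dir=out
2024-03-04T14:11:33Z src=10.0.0.7 dst=203.0.113.9 dport=443 bytes=900 dir=out
2024-03-05T02:13:45Z src=10.0.0.5 dst=203.0.113.45 dport=8443 bytes=1500 dir=out
2024-03-05T03:40:02Z src=10.0.0.5 dst=203.0.113.45 dport=8443 bytes=2600000 dir=out
2024-03-05T03:52:18Z src=10.0.0.5 dst=203.0.113.45 dport=8443 bytes=2900000 dir=out
2024-03-05T09:30:00Z src=10.0.0.7 dst=198.51.100.22 dport=80 bytes=1900 dir=out
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"bytes=(?P<bytes>\d+) dir=(?P<dir>in|out)$"
)

# Tunables. These are illustrative assumptions, not figures from the article;
# a real deployment derives them from the environment's own baseline.
ODD_HOURS = range(0, 5)                                         # 00:00-04:59
SUSPICIOUS_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed denylist
SPIKE_FACTOR = 10              # an hour must exceed 10x the median of the host's other hours
SPIKE_FLOOR_BYTES = 1_000_000  # ...and at least 1 MB, so quiet hosts don't trip on noise


def parse_traffic_log(text):
    """Parse key=value flow lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rec["dport"], rec["bytes"] = int(rec["dport"]), int(rec["bytes"])
        rec["line"] = line.strip()
        records.append(rec)
    return records


def odd_hour_outbound(records):
    """Outbound connections that start inside the quiet-hours window."""
    return [r for r in records if r["dir"] == "out" and r["ts"].hour in ODD_HOURS]


def suspicious_destinations(records):
    """Any flow whose destination falls inside a denylisted network."""
    return [r for r in records
            if any(ipaddress.ip_address(r["dst"]) in net for net in SUSPICIOUS_NETWORKS)]


def outbound_volume_spikes(records):
    """Sum outbound bytes per (host, hour) and flag hours far above that host's median hour."""
    per_host = defaultdict(lambda: defaultdict(int))
    for r in records:
        if r["dir"] == "out":
            per_host[r["src"]][r["ts"].strftime("%Y-%m-%dT%H")] += r["bytes"]
    spikes = []
    for src, hours in per_host.items():
        for hour, total in hours.items():
            others = [v for h, v in hours.items() if h != hour]
            if not others:
                continue  # a single hour of data gives no baseline to compare against
            baseline = statistics.median(others)
            if total >= SPIKE_FLOOR_BYTES and total > SPIKE_FACTOR * baseline:
                spikes.append({"src": src, "hour": hour, "bytes": total, "baseline": baseline})
    return spikes


def triage(text):
    """Run all three checks over a raw log and return the hits keyed by reason."""
    records = parse_traffic_log(text)
    return {
        "odd_hour_outbound": odd_hour_outbound(records),
        "suspicious_destination": suspicious_destinations(records),
        "volume_spike": outbound_volume_spikes(records),
    }


if __name__ == "__main__":
    for reason, hits in triage(SAMPLE_TRAFFIC_LOG).items():
        print(f"== {reason} ({len(hits)} hit(s))")
        for h in hits:
            print("  ", h.get("line") or h)
```

Against the constructed log, the odd-hour and denylist checks both converge on host 10.0.0.5 talking to 203.0.113.45 in the early morning, and the volume check flags the 03:00 hour on that host at roughly 5.5 MB against a median of under 5 KB for its other hours. The three findings are kept separate rather than merged into one score so that an analyst can see which rule fired and tune each threshold on its own.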
What are Audit Logs? Ensuring Compliance and Accountability
Audit logging captures data about activities such as application-level events. For example, you’ve just arrived at your desk, and you attempt to log into your work’s project management tool. You forget your password and fail the first attempt, but then you guess correctly and log in successfully on the second try.
To avoid this happening again, you change your password to something new that you can remember more easily. Each of those actions is logged as separate events in that application’s audit logs.
Audit logs can be used in compliance audits to validate that certain events are or are not occurring. For example, you may use audit logs to identify who is accessing a system or repository, confirm that system backups are being created at specific intervals, or confirm that connections are terminating after a specified period.
In the traffic logging section, we discussed looking for anomalous traffic, such as network connections at odd times. Let’s expand on that example and use audit logs to investigate what’s happening.
Suppose we cross-reference the timestamp on these suspicious connections with audit log activities around that same time. We might be able to attribute that connection to a specific user or service account.
If we then look through the audit logs for anomalous activity associated with that user, we might find multiple failed password attempts over a few hours or even a few days, followed by a successful attempt, indicating a brute force attack. We might find that the user downloaded and ran software shortly before the suspicious connections began, indicating the execution of a phishing attack.
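The investigation sketched in the last three paragraphs is a three-step correlation: attribute a suspicious connection to a user by time and host, look back through that user's login history for a run of failures ending in a success, and check whether the user downloaded or ran something shortly before the connection. The following is an added example written for this article, not code from CBT Nuggets. The audit-event layout, the sample events, the user and host names, and the window sizes and failure threshold are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

FIELDS = ("ts", "user", "host", "action", "result", "detail")
EXEC_ACTIONS = {"file_download", "process_start"}

# Constructed inputs. The connection list is what traffic-log triage might hand over
# (timestamp, internal source host); the audit rows mimic an application's audit trail.
SUSPICIOUS_CONNECTIONS = [("2024-03-05T02:13:45Z", "10.0.0.5")]
AUDIT_EVENTS = [
    ("2024-03-04T20:02:11Z", "asmith", "10.0.0.7", "login", "success", ""),
    ("2024-03-04T21:15:03Z", "jdoe", "10.0.0.5", "login", "failure", "bad password"),
    ("2024-03-04T21:15:41Z", "jdoe", "10.0.0.5", "login", "failure", "bad password"),
    ("2024-03-04T22:40:09Z", "jdoe", "10.0.0.5", "login", "failure", "bad password"),
    ("2024-03-04T23:05:55Z", "jdoe", "10.0.0.5", "login", "failure", "bad password"),
    ("2024-03-05T00:31:20Z", "jdoe", "10.0.0.5", "login", "failure", "bad password"),
    ("2024-03-05T01:49:58Z", "jdoe", "10.0.0.5", "login", "success", ""),
    ("2024-03-05T01:58:30Z", "jdoe", "10.0.0.5", "file_download", "success", "invoice_viewer_setup.exe"),
    ("2024-03-05T02:01:12Z", "jdoe", "10.0.0.5", "process_start", "success", "invoice_viewer_setup.exe"),
    ("2024-03-05T08:55:00Z", "asmith", "10.0.0.7", "login", "success", ""),
    ("2024-03-05T09:12:44Z", "asmith", "10.0.0.7", "password_change", "success", ""),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_events(rows):
    """Turn (ts, user, host, action, result, detail) rows into dicts sorted by time."""
    events = [dict(zip(FIELDS, row)) for row in rows]
    for e in events:
        e["ts"] = parse_ts(e["ts"])
    return sorted(events, key=lambda e: e["ts"])


def attribute_connection(conn_ts, conn_host, events, window_minutes=30):
    """Step 1: which users had audit activity on the connecting host just before it connected?"""
    start = conn_ts - timedelta(minutes=window_minutes)
    return sorted({e["user"] for e in events
                   if e["host"] == conn_host and start <= e["ts"] <= conn_ts})


def find_brute_force(events, user, min_failures=5, max_span_hours=72):
    """Step 2: a run of failed logins that ends in a success is the brute-force signature."""
    streak = []
    for e in (e for e in events if e["user"] == user and e["action"] == "login"):
        if e["result"] == "failure":
            streak.append(e)
            continue
        if len(streak) >= min_failures and e["ts"] - streak[0]["ts"] <= timedelta(hours=max_span_hours):
            return {"user": user, "failures": len(streak),
                    "first_failure": streak[0]["ts"], "success": e["ts"]}
        streak = []  # a success after only a few failures is just a mistyped password
    return None


def find_pre_connection_execution(events, user, conn_ts, lookback_minutes=60):
    """Step 3: did the user download or start something shortly before the connection?"""
    start = conn_ts - timedelta(minutes=lookback_minutes)
    return [e for e in events
            if e["user"] == user and e["action"] in EXEC_ACTIONS and start <= e["ts"] <= conn_ts]


def investigate(connections, audit_rows):
    """Run the three steps for every suspicious connection and return one report entry each."""
    events = load_events(audit_rows)
    report = []
    for raw_ts, host in connections:
        conn_ts = parse_ts(raw_ts)
        users = attribute_connection(conn_ts, host, events)
        report.append({
            "connection": (raw_ts, host),
            "candidate_users": users,
            "brute_force": {u: find_brute_force(events, u) for u in users},
            "pre_connection_execution": {u: find_pre_connection_execution(events, u, conn_ts)
                                         for u in users},
        })
    return report


if __name__ == "__main__":
    for entry in investigate(SUSPICIOUS_CONNECTIONS, AUDIT_EVENTS):
        print(entry["connection"], "->", entry["candidate_users"])
        print("  brute force:", entry["brute_force"])
        print("  ran before connecting:", [e["detail"] for u in entry["candidate_users"]
                                           for e in entry["pre_connection_execution"][u]])
```

On the constructed data the connection is attributed to `jdoe`, whose five failed logins over about four and a half hours followed by a success match the brute-force pattern, and who downloaded and started an installer a quarter of an hour before the connection. The thresholds are parameters rather than constants because the right values depend on the application: a password-reset portal sees far more legitimate failures than an internal admin tool.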
Audit logs provide a wealth of information and invaluable insight into the activities of an organization’s users and applications. For this reason, many organizations choose to forward their audit logs or event logs to a SIEM (Security Information and Event Management) tool for real-time monitoring and alerting.
What is Syslog? Centralized Logging for Enhanced Visibility
In the previous two sections, we mentioned that network and audit logs can be forwarded to other tools, such as a SIEM, and the syslog protocol helps transfer that data to the centralized logging and monitoring tool.
Each syslog message is made of key components: a header, structured data, and the message. The header contains the priority, hostname, timestamp, and more. The structured data component consists of data blocks of key-value pairs. The message component describes the event being reported. In simplified form, a full syslog message looks like this:
timestamp device-id severity code detailed-information
This information will be forwarded to a centralized tool such as a SIEM. Some of the more popular SIEMs you may hear about include Splunk, ELK Stack (also called Elastic Stack), and LogRhythm.
Additionally, most cloud service providers offer their own internally managed logging tools, such as AWS CloudTrail and CloudWatch. There are several tools on the market, each with its advantages and disadvantages. The obvious main advantage of every central logging tool is having multiple data sources visible in one area.
Being able to view and investigate data about network activity, application data, and system-level events in a single tool makes real-time monitoring more efficient. What’s often referred to as a “single pane of glass” viewpoint also helps ensure alerts don’t go unnoticed.
To achieve this type of log forwarding, you will need a syslog server, which consists of a few components:
Syslog listener: This will allow the server to accept incoming traffic from multiple log sources.
Database: As the data comes in, it will need to be stored in an organized fashion.
Filtering software: Syslog servers contain a lot of data, so you’ll need an efficient way to filter through it and find exactly what you’re looking for.
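The message layout described in the syslog section above and the three server components just listed (a listener, a store, and a way to filter) fit together in a small program. The following is an added example written for this article, not code from CBT Nuggets or from any SIEM vendor. It assumes the RFC 5424 wire format (`<PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG`), uses SQLite as the database, listens on UDP port 5140 rather than the standard 514 so it can run without root, and feeds itself constructed sample messages; the hostnames, application names, and structured-data element names are invented. Escaped `]` characters inside structured-data values are not handled, which is a simplification relative to the RFC.

```python
import re
import socket
import sqlite3

# RFC 5424 layout: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
# PRI encodes facility*8 + severity; STRUCTURED-DATA is "-" or one or more [id key="value" ...].
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d)\s+(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<app>\S+)\s+"
    r"(?P<procid>\S+)\s+(?P<msgid>\S+)\s+(?P<sd>-|(?:\[.*?\])+)(?:\s+(?P<msg>.*))?$"
)
SD_ELEMENT_RE = re.compile(r"\[(?P<id>[^\s\]]+)(?P<params>[^\]]*)\]")  # simplification: no escaped "]"
SD_PARAM_RE = re.compile(r'(?P<key>[^\s=]+)="(?P<value>[^"]*)"')
SEVERITIES = ["emergency", "alert", "critical", "error", "warning", "notice", "informational", "debug"]

# Constructed sample messages; 32473 is the enterprise number RFC 5424 reserves for examples.
SAMPLE_MESSAGES = [
    '<34>1 2024-03-05T02:13:45Z fw01 firewall 1234 CONN [flow@32473 src="10.0.0.5" dst="203.0.113.45" dport="8443"] outbound connection allowed',
    '<84>1 2024-03-05T01:49:58Z app01 pmtool 2201 AUTH [auth@32473 user="jdoe" result="success"] login succeeded',
    '<86>1 2024-03-04T21:15:03Z app01 pmtool 2201 AUTH [auth@32473 user="jdoe" result="failure"] login failed',
    '<13>1 2024-03-05T09:00:00Z sw01 - - - - interface Gi0/1 up',
]


def parse_syslog(line):
    """Split one RFC 5424 message into header fields, structured data and the free-text message."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an RFC 5424 message: {line!r}")
    pri = int(m.group("pri"))
    sd = {}
    if m.group("sd") != "-":
        for el in SD_ELEMENT_RE.finditer(m.group("sd")):
            sd[el.group("id")] = {p.group("key"): p.group("value")
                                  for p in SD_PARAM_RE.finditer(el.group("params"))}
    return {
        "facility": pri // 8, "severity": pri % 8, "severity_name": SEVERITIES[pri % 8],
        "timestamp": m.group("ts"), "host": m.group("host"), "app": m.group("app"),
        "procid": m.group("procid"), "msgid": m.group("msgid"),
        "structured_data": sd, "message": m.group("msg") or "",
    }


def open_store(path=":memory:"):
    """The 'database' component: one row per event plus a flattened key/value table for searching."""
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE IF NOT EXISTS events(
            id INTEGER PRIMARY KEY, ts TEXT, host TEXT, app TEXT, facility INTEGER,
            severity INTEGER, msgid TEXT, message TEXT, raw TEXT);
        CREATE TABLE IF NOT EXISTS sd_params(
            event_id INTEGER REFERENCES events(id), element TEXT, param_key TEXT, param_value TEXT);
        CREATE INDEX IF NOT EXISTS sd_kv ON sd_params(param_key, param_value);
    """)
    return conn


def ingest(conn, line):
    """Parse and store one message; returns the new event id."""
    ev = parse_syslog(line)
    cur = conn.execute(
        "INSERT INTO events(ts, host, app, facility, severity, msgid, message, raw) VALUES (?,?,?,?,?,?,?,?)",
        (ev["timestamp"], ev["host"], ev["app"], ev["facility"], ev["severity"],
         ev["msgid"], ev["message"], line.strip()))
    for element, params in ev["structured_data"].items():
        conn.executemany("INSERT INTO sd_params VALUES (?,?,?,?)",
                         [(cur.lastrowid, element, k, v) for k, v in params.items()])
    conn.commit()
    return cur.lastrowid


def query(conn, max_severity=7, host=None, sd_key=None, sd_value=None):
    """The 'filtering' component: severity <= max_severity (lower is more urgent), optional host and SD match."""
    sql = "SELECT DISTINCT e.id, e.ts, e.host, e.severity, e.message FROM events e"
    params = []
    if sd_key is not None:
        sql += " JOIN sd_params p ON p.event_id = e.id AND p.param_key = ? AND p.param_value = ?"
        params += [sd_key, sd_value]
    sql += " WHERE e.severity <= ?"
    params.append(max_severity)
    if host is not None:
        sql += " AND e.host = ?"
        params.append(host)
    return conn.execute(sql + " ORDER BY e.id", params).fetchall()


def load_samples(messages=SAMPLE_MESSAGES):
    """Build an in-memory store populated with the constructed samples (used for offline runs)."""
    conn = open_store()
    for m in messages:
        ingest(conn, m)
    return conn


def serve(conn, bind=("0.0.0.0", 5140)):
    """The 'listener' component: each UDP datagram is one syslog message. 5140 is an assumed unprivileged port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        data, _peer = sock.recvfrom(65535)
        try:
            ingest(conn, data.decode("utf-8", errors="replace"))
        except ValueError:
            pass  # malformed input is dropped; a real server would count and report it


if __name__ == "__main__":
    store = load_samples()
    print("warning or worse:", query(store, max_severity=4))
    print("events mentioning user jdoe:", query(store, sd_key="user", sd_value="jdoe"))
```

The structured-data parameters are stored in their own table instead of as a blob so that "every event where `user="jdoe"`" is an indexed lookup rather than a scan, which is the difference between a filter that is usable at scale and one that is not. To run it as a listener, call `serve(open_store("syslog.db"))` and point a device at UDP port 5140.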
How simple or complex your syslog server deployment is will depend on the tool you choose and whether you are receiving any support from the vendor. Thankfully, most tools have ample documentation available, and any questions you may have are probably in an online tech forum on the vendor’s website.
What are Log Reviews? The Key to Proactive Monitoring
Once all your network traffic logs and audit logs are configured to forward to a centralized tool like a SIEM, you don’t have to do anything but wait for the alerts to roll in, right? Not quite.
Even if you think everything is set up correctly, it’s still good practice to manually review your logs every once in a while, for two reasons: to validate that your tool is alerting correctly based on the criteria you’ve established, and to detect anomalous behavior that is suspicious enough to warrant further investigation but not quite strange enough to trigger an alert within the tool.
Organizations with mature network and security teams might even host regular log reviews that the industry refers to as “threat hunts.” Sometimes, these threat hunts can involve searching for indicators of compromise (IOCs) found in recent security breaches or likely activities associated with newly discovered CVEs (Common Vulnerabilities and Exposures), such as odd SSH or SMB-related connections. It’s good practice to regularly audit your logs to verify that nothing is missed due to a technical issue.
What are Logging Levels/Security Levels? Tailoring Log Management
In most cases, you will have a decent amount of control regarding what information gets logged. The more robust a device or application, the more detailed your logs may be, and the more information you will inevitably need to parse through.
If your organization chooses, you can alert based on criteria such as event ID or severity, forwarding only the information you find useful. Be cautious when configuring your log forwarding. Too few logs increase your risk of not seeing potential threats, while too many logs consume resources, bury the obvious alerts, and expose analysts to “alert fatigue” as they sift through high volumes of alerts.
Best Practices for Effective Log Management
The best way for your organization to get the most out of log management is to establish and maintain explicit policies outlining what information should be logged from which systems, how long the logs should be kept, who can access the logs, and what responses should come from different alert types. Doing so helps ensure everyone knows their roles in the greater log management process.
Log management is also an ever-evolving process needing continuous updating. More than likely, someone responsible for maintaining the centralized log management tool will coordinate with the security analysts working with the tool to fine-tune alert criteria.
As your environment changes and new vulnerabilities and exploits threaten your network, you will need to adjust your tools to become either more strict or more relaxed to find the right balance between too many and too few alerts. Your organization’s risk tolerance will also be a factor in how you tune these alert criteria.
Conclusion
Just about every device you can think of creates and stores some form and amount of logs. These logs contain information that is invaluable for troubleshooting, incident response, and digital forensics. Logs can be sent to a centralized log management server, which makes device and network monitoring more efficient. This leads to improved network performance and a reduced likelihood of a network breach.
To learn more about how to increase your network’s security, take CBT Nuggets Trainer James Conrad's Cybersecurity Fundamentals Online Training.