Logs. Logs Eluded Him.
To quote Lewis Black, “Verbs. Verbs eluded him!”
Folks, I would like to talk to you about logs. Logs are important. They can be a System Administrator's best friend or an IT Security Pro's next clue. Either way, if you do not have them, or do not have them configured properly, they can be your worst nightmare.
Case in point: Microsoft's serious lack of integration between the DHCP server logs and the Windows Event Log. Just about every server service on Microsoft Windows Server 2003 writes some type of event to the Windows Event Logs. However, the DHCP server is one of the exceptions. It writes a comma separated values file to a directory on the server, and that file is overwritten within a week.
Why should I care?
Well, if you operate a network in a medium to large environment, this can make tracking down a PC with a problem a lot more difficult, especially in an environment that does not assign IP address leases based on MAC addresses (static DHCP, reservations, whatever you want to call it). Trying to correlate against the DHCP server log file can be a bit daunting, since it is very hard to manage and may only exist for up to one week. From a digital forensics standpoint, you may not be able to tie an incident to a machine. Rather, you will most likely only be able to tie it to an IP address, depending on what your logs capture.
So, what do we do? I would recommend archiving the DHCP server logs on a weekly basis, say Saturday evenings around 11:50pm or earlier, depending on size and the backup method used. You may simply write a script to ZIP the files at the end of every day or week and store them in a directory on a server where your other logs sit. This is a simple method. Other methods may involve having your backup software do this for you. You can find the DHCP server logs on a Windows Server 2003 box at: “%SYSTEMROOT%\SYSTEM32\DHCP\”
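Once the logs are archived, the forensic question from above ("which machine held this IP at that time?") can be answered from them. The following is an added example, not part of the original post: a small Python parser that reads the DHCP audit log and replays lease, renew, release and expiry events for an address. The sample log lines are constructed, and the column layout (ID,Date,Time,Description,IP Address,Host Name,MAC Address) and event IDs (10/11 lease, 12/16/17 end of lease) are assumed from the Server 2003 audit log format.

```python
import csv
from datetime import datetime
from io import StringIO

# Constructed sample of a Windows Server 2003 DHCP audit log (DhcpSrvLog-*.log).
# Assumed column layout: ID,Date,Time,Description,IP Address,Host Name,MAC Address
SAMPLE_LOG = """ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,03/10/07,00:00:01,Started,,,
10,03/10/07,08:12:33,Assign,10.1.5.21,WS-ACCT-07.corp.example,0011223344AA
11,03/10/07,12:40:02,Renew,10.1.5.21,WS-ACCT-07.corp.example,0011223344AA
12,03/10/07,17:05:10,Release,10.1.5.21,WS-ACCT-07.corp.example,0011223344AA
10,03/10/07,17:30:45,Assign,10.1.5.21,LAPTOP-VISITOR.corp.example,00AABBCCDD01
14,03/10/07,18:00:00,Scope Full,10.1.5.0,,
"""

# Assumed event IDs: 10 = new lease, 11 = renew, 20 = BOOTP lease;
# 12 = release, 16 = deleted, 17 = expired.
LEASE_EVENTS = {"10", "11", "20"}
END_EVENTS = {"12", "16", "17"}
TS_FORMAT = "%m/%d/%y %H:%M:%S"


def parse_audit_log(text):
    """Yield (timestamp, event_id, ip, host, mac) for each data row, skipping headers."""
    for row in csv.reader(StringIO(text)):
        if len(row) < 7 or not row[0].isdigit():
            continue  # column header and any free-text banner lines
        ts = datetime.strptime(row[1] + " " + row[2], TS_FORMAT)
        yield ts, row[0], row[4], row[5], row[6].upper()


def who_had(ip, when, text=SAMPLE_LOG):
    """Return (mac, host) that held `ip` at `when` ("MM/DD/YY HH:MM:SS"), or None.

    Events are replayed in time order; a release/expiry clears the holder, so a
    query that lands between two leases correctly reports no active lease.
    """
    cutoff = datetime.strptime(when, TS_FORMAT)
    holder = None
    for ts, eid, lease_ip, host, mac in sorted(parse_audit_log(text)):
        if ts > cutoff or lease_ip != ip:
            continue
        if eid in LEASE_EVENTS:
            holder = (mac, host)
        elif eid in END_EVENTS:
            holder = None
    return holder
```

Point `text` at a week's worth of archived DhcpSrvLog files concatenated together and the same query spans the whole retention window you kept, rather than the one week the server keeps on its own.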
In addition, I would like to point out that server logs are useless unless someone actually reviews them. This can be a daunting task, especially if you do not have central log management software. There are several vendors out there that will collect logs from your various boxes. Each has its pros and cons. Investigate them and see which is right for you. Here are some links to some examples:
- GFI Software: http://www.gfi.com
- ManageEngine: http://manageengine.adventnet.com/products/eventlog/index.html
- NetForensics: http://www.netforensics.com/
- Event Reporter: http://www.eventreporter.com/en/
Event log management is a big business. Solutions may run from several hundred dollars to several hundred thousand dollars depending on your requirements.
Small networks may benefit from a “poor man's” version of an event management system. If used properly, you will have a better understanding of your environment. You may want to investigate using NTsyslog, an open source project that converts your Windows events to syslog messages that can be sent to a central syslog server. Check these out:
- NTsyslog: http://ntsyslog.sourceforge.net/
- Kiwi Syslog Server: http://www.kiwisyslog.com/
Whatever the solution, make sure to collect from as many sources as possible and to review the logs on a regular basis. You will gain a much better understanding of your network and be able to respond to trouble tickets or incidents in a faster, more informed manner. Otherwise, why bother?
Please Note: Products mentioned here are for illustrative purposes only and in no way are recommended or endorsed by the author. They do not imply suitability for a particular purpose either. You are encouraged to do your own research and determine your needs. Google is your friend. Your Mileage May Vary. Void where prohibited, taxed or restricted. 🙂