Mozdef / docs /source /usage /sending_logs.rst

Upload folder using huggingface_hub

7c89ed7 verified 3 months ago

6.81 kB

	Sending logs to MozDef
	----------------------

	Events/Logs are accepted as json over http(s) with the POST or PUT methods or over rabbit-mq.
	Most modern log shippers support json output. MozDef is tested with support for:

	* `heka`_
	* `beaver`_
	* `nxlog`_
	* `logstash`_
	* `rsyslog`_
	* `native python code`_
	* `AWS cloudtrail`_ (via native python)

	We have `some configuration snippets`_

	.. _heka: https://github.com/mozilla-services/heka
	.. _beaver: https://github.com/josegonzalez/beaver
	.. _nxlog: https://nxlog.org/download
	.. _logstash: https://www.elastic.co/products/logstash
	.. _rsyslog: https://www.rsyslog.com/doc/master/configuration/modules/omhttp.html
	.. _native python code: https://github.com/gdestuynder/mozdef_lib
	.. _AWS cloudtrail: https://aws.amazon.com/cloudtrail/
	.. _some configuration snippets: https://github.com/mozilla/MozDef/tree/master/examples

	What should I log?
	******************

	If your program doesn't log anything it doesn't exist. If it logs everything that happens it becomes like the proverbial boy who cried wolf. There is a fine line between logging too little and too much but here is some guidance on key events that should be logged and in what detail.

	+------------------+---------------------------+---------------------------------------+
	\| Event \| Example \| Rationale \|
	+==================+===========================+=======================================+
	\| Authentication \| Failed/Success logins \| Authentication is always an important \|
	\| Events \| \| event to log as it establishes \|
	\| \| \| traceability for later events and \|
	\| \| \| allows correlation of user actions \|
	\| \| \| across systems. \|
	+------------------+---------------------------+---------------------------------------+
	\| Authorization \| Failed attempts to \| Once a user is authenticated they \|
	\| Events \| insert/update/delete a \| usually obtain certain permissions. \|
	\| \| record or access a \| Logging when a user's permissions do \|
	\| \| section of an application.\| not allow them to perform a function \|
	\| \| \| helps troubleshooting and can also \|
	\| \| \| be helpful when investigating \|
	\| \| \| security events. \|
	+------------------+---------------------------+---------------------------------------+
	\| Account \| Account \| Adding, removing or changing accounts \|
	\| Lifecycle \| creation/deletion/update \| are often the first steps an attacker \|
	\| \| \| performs when entering a system. \|
	+------------------+---------------------------+---------------------------------------+
	\| Password/Key \| Password changed, expired,\| If your application takes on the \|
	\| Events \| reset. Key expired, \| responsibility of storing a user's \|
	\| \| changed, reset. \| password (instead of using a \|
	\| \| \| centralized source) it is \|
	\| \| \| important to note changes to a users \|
	\| \| \| credentials or crypto keys. \|
	+------------------+---------------------------+---------------------------------------+
	\| Account \| Account lock, unlock, \| If your application locks out users \|
	\| Activations \| disable, enable \| after failed login attempts or allows \|
	\| \| \| for accounts to be inactivated, \|
	\| \| \| logging these events can assist in \|
	\| \| \| troubleshooting access issues. \|
	+------------------+---------------------------+---------------------------------------+
	\| Application \| Invalid input, \| If your application catches errors \|
	\| Exceptions \| fatal errors, \| like invalid input attempts on web \|
	\| \| known bad things \| forms, failures of key components, \|
	\| \| \| etc creating a log record when these \|
	\| \| \| events occur can help in \|
	\| \| \| troubleshooting and tracking security \|
	\| \| \| patterns across applications. Full \|
	\| \| \| stack traces should be avoided however\|
	\| \| \| as the signal to noise ratio is \|
	\| \| \| often overwhelming. \|
	\| \| \| \|
	\| \| \| It is also preferable to send a single\|
	\| \| \| event rather than a multitude of \|
	\| \| \| events if it is possible for your \|
	\| \| \| application to correlate a significant\|
	\| \| \| exception. \|
	\| \| \| \|
	\| \| \| For example, some systems are \|
	\| \| \| notorious for sending a connection \|
	\| \| \| event with source IP, then sending an \|
	\| \| \| authentication event with a session ID\|
	\| \| \| then later sending an event for \|
	\| \| \| invalid input that doesn't include \|
	\| \| \| source IP or session ID or username. \|
	\| \| \| Correctly correlating these events \|
	\| \| \| across time is much more difficult \|
	\| \| \| than just logging all pieces of \|
	\| \| \| information if it is available. \|
	+------------------+---------------------------+---------------------------------------+

	Sending logs to MozDef
	----------------------

	Events/Logs are accepted as json over http(s) with the POST or PUT methods or over rabbit-mq.
	Most modern log shippers support json output. MozDef is tested with support for:

	* `heka`_
	* `beaver`_
	* `nxlog`_
	* `logstash`_
	* `rsyslog`_
	* `native python code`_
	* `AWS cloudtrail`_ (via native python)

	We have `some configuration snippets`_

	.. _heka: https://github.com/mozilla-services/heka
	.. _beaver: https://github.com/josegonzalez/beaver
	.. _nxlog: https://nxlog.org/download
	.. _logstash: https://www.elastic.co/products/logstash
	.. _rsyslog: https://www.rsyslog.com/doc/master/configuration/modules/omhttp.html
	.. _native python code: https://github.com/gdestuynder/mozdef_lib
	.. _AWS cloudtrail: https://aws.amazon.com/cloudtrail/
	.. _some configuration snippets: https://github.com/mozilla/MozDef/tree/master/examples

	What should I log?
	******************

	If your program doesn't log anything it doesn't exist. If it logs everything that happens it becomes like the proverbial boy who cried wolf. There is a fine line between logging too little and too much but here is some guidance on key events that should be logged and in what detail.

	+------------------+---------------------------+---------------------------------------+
	\| Event \| Example \| Rationale \|
	+==================+===========================+=======================================+
	\| Authentication \| Failed/Success logins \| Authentication is always an important \|
	\| Events \| \| event to log as it establishes \|
	\| \| \| traceability for later events and \|
	\| \| \| allows correlation of user actions \|
	\| \| \| across systems. \|
	+------------------+---------------------------+---------------------------------------+
	\| Authorization \| Failed attempts to \| Once a user is authenticated they \|
	\| Events \| insert/update/delete a \| usually obtain certain permissions. \|
	\| \| record or access a \| Logging when a user's permissions do \|
	\| \| section of an application.\| not allow them to perform a function \|
	\| \| \| helps troubleshooting and can also \|
	\| \| \| be helpful when investigating \|
	\| \| \| security events. \|
	+------------------+---------------------------+---------------------------------------+
	\| Account \| Account \| Adding, removing or changing accounts \|
	\| Lifecycle \| creation/deletion/update \| are often the first steps an attacker \|
	\| \| \| performs when entering a system. \|
	+------------------+---------------------------+---------------------------------------+
	\| Password/Key \| Password changed, expired,\| If your application takes on the \|
	\| Events \| reset. Key expired, \| responsibility of storing a user's \|
	\| \| changed, reset. \| password (instead of using a \|
	\| \| \| centralized source) it is \|
	\| \| \| important to note changes to a users \|
	\| \| \| credentials or crypto keys. \|
	+------------------+---------------------------+---------------------------------------+
	\| Account \| Account lock, unlock, \| If your application locks out users \|
	\| Activations \| disable, enable \| after failed login attempts or allows \|
	\| \| \| for accounts to be inactivated, \|
	\| \| \| logging these events can assist in \|
	\| \| \| troubleshooting access issues. \|
	+------------------+---------------------------+---------------------------------------+
	\| Application \| Invalid input, \| If your application catches errors \|
	\| Exceptions \| fatal errors, \| like invalid input attempts on web \|
	\| \| known bad things \| forms, failures of key components, \|
	\| \| \| etc creating a log record when these \|
	\| \| \| events occur can help in \|
	\| \| \| troubleshooting and tracking security \|
	\| \| \| patterns across applications. Full \|
	\| \| \| stack traces should be avoided however\|
	\| \| \| as the signal to noise ratio is \|
	\| \| \| often overwhelming. \|
	\| \| \| \|
	\| \| \| It is also preferable to send a single\|
	\| \| \| event rather than a multitude of \|
	\| \| \| events if it is possible for your \|
	\| \| \| application to correlate a significant\|
	\| \| \| exception. \|
	\| \| \| \|
	\| \| \| For example, some systems are \|
	\| \| \| notorious for sending a connection \|
	\| \| \| event with source IP, then sending an \|
	\| \| \| authentication event with a session ID\|
	\| \| \| then later sending an event for \|
	\| \| \| invalid input that doesn't include \|
	\| \| \| source IP or session ID or username. \|
	\| \| \| Correctly correlating these events \|
	\| \| \| across time is much more difficult \|
	\| \| \| than just logging all pieces of \|
	\| \| \| information if it is available. \|
	+------------------+---------------------------+---------------------------------------+