Security Log Management: Identifying Patterns in the Chaos [Paperback]

Jacob Babbin

List Price: CDN$ 51.95

Product Description

Book Description

This book teaches IT professionals how to analyze, manage, and automate their security log files to generate useful, repeatable information that can be used to make their networks more efficient and secure using primarily open source tools. The book begins by discussing the "Top 10" security logs that every IT professional should be regularly analyzing. These 10 logs cover everything from the top workstations sending/receiving data through a firewall to the top targets of IDS alerts. The book then goes on to discuss the relevancy of all of this information. Next, the book describes how to script open source reporting tools like Tcpdstats to automatically correlate log files from the various network devices to the "Top 10" list. By doing so, the IT professional is instantly made aware of any critical vulnerabilities or serious degradation of network performance. All of the scripts presented within the book will be available for download from the Syngress Solutions Web site.

Almost every operating system, firewall, router, switch, intrusion detection system, mail server, Web server, and database produces some type of "log file." This is true of both open source tools and commercial software and hardware from every IT manufacturer. Each of these logs is reviewed and analyzed by a system administrator or security professional responsible for that particular piece of hardware or software. As a result, almost everyone involved in the IT industry works with log files in some capacity.

* Provides turn-key, inexpensive, open source solutions for system administrators to analyze and evaluate the overall performance and security of their network
* Dozens of working scripts and tools presented throughout the book are available for download from the Syngress Solutions Web site.
* Will save system administrators countless hours by scripting and automating the most common to the most complex log analysis tasks


Customer Reviews

Most Helpful Customer Reviews on Amazon.com (beta)
Amazon.com: 3.0 out of 5 stars (3 customer reviews)

14 of 15 people found the following review helpful
3.0 out of 5 stars Plenty of potential, but falls short, Mar 13 2006
By Richard Bejtlich "TaoSecurity" - Published on Amazon.com
This review is from: Security Log Management: Identifying Patterns in the Chaos (Paperback)
When I received a review copy of Security Log Management (SLM) last month, I was eager to read it. I saw two very powerful but seldom discussed tools -- Argus and Bro -- mentioned in the table of contents. This indicated some original thinking, which I appreciate. Unfortunately, SLM did not live up to my expectations. When you strip out the pages of scripts and code and the three reprinted chapters, you're left with a series of examples of output from the author's deployment of several tools. Aside from a few examples mentioned in this review, I don't think readers will learn much from SLM.

The first problem with SLM is a lack of competent editing. Prior to publication, someone should have read the book from the reader's perspective, asking "what is the reader expected to learn from this section/chapter/book?" In other words, the editor should have asked "how is the reader supposed to implement these recommendations?" For example, Ch 2 mentions using the Bro IDS. Nothing about setting up Bro is included, which would be acceptable if a reference to an online guide or another book was given. That is not the case; the author just assumes readers know about Bro and have it running. The number of Bro users is probably less than 100. If you're one of them, you don't need to read this book!

Bro's DNS and SMTP logging modules are casually demonstrated with no regard for showing the reader how to deploy them. The Web module at least shows a sample mt.bro file, if the reader can figure out what that is or how it fits into the picture. The situation gets worse on p 101 when the author says "the SMTP module can be very powerful in helping to identify several of the 'Marcus Ranum' top mail-related statistics (Chapter 1)." Marcus Ranum is not mentioned at all in Ch 1.

SLM demonstrates two other features that are becoming increasingly common and frustrating in Syngress books, for which I detracted stars from the review. First, the editing is rough. I am perplexed by the inability to standardize on references to tools; e.g., is it bro, Bro, or BRO? Second, and far more worrisome, the last three chapters (7, 8, and 9) of SLM are reprints of chapters 6, 7, and 5 from the Feb 2005 Syngress book Microsoft Log Parser Toolkit. On the positive side, SLM did not have as many fuzzy screen shots as sometimes appear in recent Syngress books. The unexplained small, fuzzy, NetForensics screen shot on p 31 is one unwelcome exception.

In terms of stating a clear purpose and delivering material in a coherent manner, the best chapter in SLM is Ch 6 -- Scalable Enterprise Solutions. I thought the author of this chapter stated his purpose, and then delivered material that readers could use. My only problem with the chapter was reading the definition of ESM 5 times -- on pp 195, 196, 205, 237, and 238!

My favorite part of SLM was the material showing how to put Argus records into a MySQL database. This is not that common, so I was glad to see how the author implements that function.

I'm sorry I can't recommend reading SLM in its current form. Three stars means there is some value, but you could get what you need browsing in the book store. I would like to see a second edition of SLM cut out the reprinted chapters. That cuts the book down to 241 pages. If the 70 or so pages of code are moved online, that reduces the book to 171 pages. That leaves plenty of room to add material that meets readers' needs. An example of a very strong Syngress book on a related (host-based) topic is Host Integrity Monitoring Using Osiris and Samhain by Brian Wotring.

9 of 10 people found the following review helpful
1.0 out of 5 stars Bordering on useless, hard to follow, no structure, April 18 2006
By Dr Anton Chuvakin "Dr. Anton Chuvakin" - Published on Amazon.com
It is not often that I review a genuinely bad book, but this is one such rare occasion. It so happens that log analysis has been my primary area of focus for the last several years and thus I could not have missed a book titled "Security Log Management."

Yuck! The book starts from a hodge-podge of examples, which, if entertaining at times, doesn't lead to any meaningful lessons and thus doesn't deliver the value it could have produced. The same applies to material selection for the book, which, as a result, suffers from a complete lack of logical structure. Even the Ch 1 "Log Analysis: Overall Issues" barely touched on analyzing logs and clearly didn't cover any "overall issues." Also, authors have undoubtedly trademarked the concept of a random irrelevant picture or graph...

In addition, the book reveals many areas where authors are deeply befuddled. ESM chapter ('Enterprise Security Management') is one such example, where such confusion reigns supreme. They can talk about 'ESM process' and claim that 'ESM is not a tool' in one sentence and then describe 'ESM tools' in the next one. On top of that, if you are looking for some arcane security humor, try understanding their ROI calculation in the chapter ('Cost of problem' + 'Cost of solution' ...)

One would think that they can get something as (relatively) simple as firewall reporting right (chapter 3). One would think that - and one would be wrong... The reader is still left with no answers to questions such as 'what summaries, statistics and reports he/she should collect and how to do it'.

As far as style is concerned, the book carries unfortunate signs of being written by a group of authors who didn't talk to each other much. Furthermore, what adds insult to injury is the truly excessive amount of quoted source code, which plainly doesn't belong in the book, but on the website, CD, etc. (were editors asleep at the wheel?)

To conclude, the book does have some relationship to patterns and chaos: the patterns in your brain will immediately turn into chaos after you are done reading it, provided you would even finish it. My suggestion is to avoid this largely useless title and save the money for better books (such as Bejtlich's or countless others).

Dr Anton Chuvakin, GCIA, GCIH, GCFA (http://www.chuvakin.org) is a recognized security expert and book author. A frequent conference speaker, he also represents the company at various security meetings and standard organizations. He is an author of a book "Security Warrior" and a contributor to "Know Your Enemy II", "Information Security Management Handbook" and the upcoming "Hacker's Challenge 3". Anton also published numerous papers on a broad range of security subjects, such as incident response, intrusion detection, honeypots and log analysis. In his spare time he maintains his security portal http://www.info-secure.org and two blogs.

1 of 7 people found the following review helpful
5.0 out of 5 stars CAPTAIN'S SECURITY LOG: STARDATE: NOW, April 8 2007
By John R. Vacca "Tech Write Independent Reviewer" - Published on Amazon.com
Do you know how to manage your security log? If you don't, then this book is for you. Authors Jacob Babbin, Dave Kleiman, Everett F. Carter Jr., Jeremy Faircloth, Mark Burnett and Esteban Gutierrez, have done an outstanding job of writing a book that shows you how to exactly solve the various problems pertinent to log generation, storage, processing, and reporting.

Babbin, Kleiman, Carter Jr., Faircloth, Burnett and Gutierrez, begin by covering how to get more information out of your passive detection systems. Then, the authors explore how to find key events in the log files of your Web servers and their host systems, and correlating data to give you useful reports. Next, they illustrate the depth and breadth your security logs can cover. They continue by exploring what ESM is, how it works, and when and where it should be used. In addition, the authors go over each of the primary areas of focus, and show you some techniques you can use to best manage your log files. Finally, they show you how to build a toolbox of queries that you will have ready to use if needed.

The ideas and tools shown in this most excellent book will help your organization in several ways. Perhaps more importantly, if you keep all of the solutions shown in this book in mind, your organization should have a flexible, scalable, remotely accessible security reporting infrastructure that can bend to the needs of an organization.