Anatomy of an Auditing System
An auditing system consists of three components: the logger, the analyzer, and the notifier. These components collect data, analyze it, and report the results.
1. Logger
Logging mechanisms record information. The type and quantity of information are dictated by system or program configuration parameters. The mechanisms may record information in binary or human-readable form or transmit it directly to an analysis mechanism (see Section 21.2.2). A log-viewing tool is usually provided if the logs are recorded in binary form, so a user can examine the raw data or manipulate it using text-processing tools.
EXAMPLE: Microsoft's Windows NT has three different sets of logs. The system event log contains records of events that Microsoft has determined warrant recording, such as system crashes, component failures, and other events. The application event log contains records that applications have added. These records are under the control of the applications. The security event log contains records corresponding to security-critical events such as logging in and out, system resource overuses, and accesses to system files. Only administrators can access the security event log.
An example security event log record might look like the following:

Date: 2/12/2000
Time: 13:03
Source: Security
Category: Detailed Tracking
Type: Success
EventID: 592
User: WINDSOR\Administrator
Computer: WINDSOR
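The logger/viewer split described above, as an added example that is not from Bishop's text: a logger that records events in a compact binary form, and a viewer that renders each record in the style of the Windows NT security event shown. The field set follows that record; the byte layout, the numeric type codes and the helper names are assumptions of this example.

```python
# Added example (not from Bishop's text): a minimal binary logger plus the
# "log-viewing tool" that renders records human-readable.  The binary layout,
# the type codes and the helper names are assumptions of this example.
import calendar
import struct
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Numeric codes for the "Type" field; constructed here, not Windows NT's own values.
EVENT_TYPES = {1: "Success", 2: "Failure"}

# Fixed header (network byte order): 8-byte timestamp, 4-byte event id, 1-byte type,
# followed by three length-prefixed UTF-8 strings: source, user, computer.
HEADER = struct.Struct("!QIB")


@dataclass
class Event:
    timestamp: int      # seconds since the epoch, UTC
    event_id: int
    type_code: int
    source: str
    user: str
    computer: str


# The record from the text, re-expressed as an Event (2/12/2000 13:03, taken as UTC).
SAMPLE = Event(calendar.timegm((2000, 2, 12, 13, 3, 0)), 592, 1,
               "Security", "WINDSOR\\Administrator", "WINDSOR")


def _pack_str(s: str) -> bytes:
    data = s.encode("utf-8")
    if len(data) > 0xFFFF:
        raise ValueError("string field too long")
    return struct.pack("!H", len(data)) + data


def encode_event(ev: Event) -> bytes:
    """Logger side: serialize one event into the binary record format."""
    return (HEADER.pack(ev.timestamp, ev.event_id, ev.type_code)
            + _pack_str(ev.source) + _pack_str(ev.user) + _pack_str(ev.computer))


def _unpack_str(buf: bytes, off: int) -> Tuple[str, int]:
    if off + 2 > len(buf):
        raise ValueError("truncated record")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if off + n > len(buf):
        raise ValueError("truncated record")
    return buf[off:off + n].decode("utf-8"), off + n


def decode_events(buf: bytes) -> List[Event]:
    """Viewer side: parse a concatenation of binary records back into Events.
    A record that is cut short is rejected rather than silently ignored."""
    events, off = [], 0
    while off < len(buf):
        if off + HEADER.size > len(buf):
            raise ValueError("truncated header")
        ts, eid, tc = HEADER.unpack_from(buf, off)
        off += HEADER.size
        source, off = _unpack_str(buf, off)
        user, off = _unpack_str(buf, off)
        computer, off = _unpack_str(buf, off)
        events.append(Event(ts, eid, tc, source, user, computer))
    return events


def safe_decode(buf: bytes) -> Optional[List[Event]]:
    """Return None instead of raising when the log data is malformed."""
    try:
        return decode_events(buf)
    except ValueError:
        return None


def render(ev: Event) -> str:
    """Human-readable view, laid out like the record shown in the text."""
    stamp = time.strftime("%Y-%m-%d %H:%M", time.gmtime(ev.timestamp))
    kind = EVENT_TYPES.get(ev.type_code, f"Unknown({ev.type_code})")
    return (f"Date: {stamp} Source: {ev.source} Type: {kind} "
            f"EventID: {ev.event_id} User: {ev.user} Computer: {ev.computer}")


if __name__ == "__main__":
    raw = encode_event(SAMPLE) + encode_event(SAMPLE)
    for event in decode_events(raw):
        print(render(event))
```

The viewer refuses a truncated record instead of returning a partial one, so a log file cut short by a crash is reported rather than quietly losing its last entry, which matters when the record in question is the one that would have shown what went wrong.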
2. Analyzer
An analyzer takes a log as input and analyzes it. The results of the analysis may lead to changes in the data being recorded, to detection of some event or problem, or both.
EXAMPLE: Suppose a system administrator wants to list all systems from which users have connected using the rlogin or telnet program, excluding systems at the site. The following swatch patterns match the lines generated by these remote connections.
/rlogin/&!/localhost/&!/*.site.com/
/telnet/&!/localhost/&!/*.site.com/

The first line matches all log file entries containing the word "rlogin" and not containing either "localhost" or any string ending in ".site.com", the local host's domain; the second line does the same for "telnet".
3. Notifier
The analyzer passes the results of the analysis to the notifier. The notifier informs the analyst, and other entities, of the results of the audit. The entities may take some action in response to these results.
EXAMPLE: The swatch program mentioned above provides a notification facility. The configuration file to make swatch report rlogin and telnet connections is:

/rlogin/&!/localhost/&!/*.site.com/ mail staff
/telnet/&!/localhost/&!/*.site.com/ mail staff
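The analyzer and notifier examples above, implemented together as one added example that is neither swatch itself nor code from Bishop's text: a swatch-style configuration is parsed into rules, each log line is checked against them, and a notifier carries out the "mail staff" action, simulated here by collecting messages. Atoms such as /rlogin/ are read as case-sensitive substring matches with "*" as a wildcard, which is the reading the text gives /*.site.com/; real swatch patterns are Perl regular expressions. The sample log lines and all helper names are constructed for this example.

```python
# Added example (not swatch and not from Bishop's text): a logger ->
# analyzer -> notifier pipeline driven by a swatch-style configuration.
# Each config line is "pattern action"; a pattern is one or more /atom/
# terms joined by '&', each optionally negated with '!'.  Atoms are
# substring matches with '*' as a wildcard (the text's reading of
# /*.site.com/).  Sample log lines and helper names are assumptions.
import re
from typing import List, Tuple

CONFIG = """\
/rlogin/&!/localhost/&!/*.site.com/ mail staff
/telnet/&!/localhost/&!/*.site.com/ mail staff
"""

# Constructed syslog-like lines standing in for the logger's output; not real data.
SAMPLE_LOG = [
    "Feb 12 13:03:10 windsor rlogind[412]: connect from alpha.site.com",
    "Feb 12 13:04:51 windsor rlogind[418]: connect from localhost",
    "Feb 12 13:07:02 windsor rlogind[423]: connect from host.example.net",
    "Feb 12 13:09:44 windsor telnetd[430]: connect from beta.site.com",
    "Feb 12 13:11:19 windsor telnetd[437]: connect from 192.0.2.7",
    "Feb 12 13:12:00 windsor sshd[440]: connect from 192.0.2.7",
]

ATOM_RE = re.compile(r"(!?)/([^/]*)/")


def compile_atom(text: str) -> "re.Pattern":
    """Turn a /.../ atom into a regex: literal text, with '*' matching anything."""
    return re.compile(".*".join(re.escape(p) for p in text.split("*")))


def parse_pattern(pattern: str) -> List[Tuple[bool, "re.Pattern"]]:
    """'/a/&!/b/' -> [(False, re(a)), (True, re(b))]; rejects malformed terms."""
    terms = []
    for term in pattern.split("&"):
        m = ATOM_RE.fullmatch(term)
        if not m:
            raise ValueError(f"bad term {term!r} in pattern {pattern!r}")
        terms.append((m.group(1) == "!", compile_atom(m.group(2))))
    return terms


def matches(terms, line: str) -> bool:
    """All positive terms must occur in the line and no negated term may."""
    return all((rx.search(line) is not None) != negated for negated, rx in terms)


def parse_config(text: str) -> List[Tuple[list, str]]:
    """Analyzer configuration: one (compiled pattern, action) rule per line."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pattern, _, action = line.partition(" ")
        if not action.strip():
            raise ValueError(f"rule without action: {line!r}")
        rules.append((parse_pattern(pattern), action.strip()))
    return rules


def analyze(rules, log_lines) -> List[Tuple[str, str]]:
    """Analyzer: (action, line) for every rule that each log line triggers."""
    return [(action, line) for line in log_lines
            for terms, action in rules if matches(terms, line)]


class Notifier:
    """Notifier: performs actions; 'mail <who>' is simulated by an outbox list."""

    def __init__(self):
        self.outbox: List[Tuple[str, str]] = []

    def dispatch(self, action: str, line: str) -> None:
        verb, _, arg = action.partition(" ")
        if verb == "mail":
            self.outbox.append((arg, line))   # a deployment would hand this to the mailer
        else:
            raise ValueError(f"unknown action {action!r}")


def run(config: str = CONFIG, log_lines=SAMPLE_LOG) -> List[Tuple[str, str]]:
    """Full pipeline: parse rules, analyze the log, notify on each hit."""
    notifier = Notifier()
    for action, line in analyze(parse_config(config), log_lines):
        notifier.dispatch(action, line)
    return notifier.outbox


if __name__ == "__main__":
    for recipient, line in run():
        print(f"mail {recipient}: {line}")
```

Only the two connections from outside the site reach the notifier; the negated terms are what keep the localhost and *.site.com lines out, and a line that satisfies several rules produces one notification per rule, so rules that overlap should be written with that duplication in mind.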
Source: Introduction to Computer Security, Matt Bishop, 2004