Analyze log files for evidence of intrusion
Log-Based Intrusion Detection
The Halo Log-based Intrusion Detection system is a security module that monitors a server's log files for events that indicate compromise or misuse, alerting security personnel when such events are encountered.
This module allows you to detect selected important events that may be recorded in any number of system or application log files on any of your servers. Halo reports the events in near-real time, as they are written to any of the log files you have specified. If you also enable Halo alerting, you can receive alerts when the highest-priority events are logged.
In use, Log-based Intrusion Detection continually scans all policy-specified log files, looking for recently logged suspicious events (recognized by event ID or event-message text). You can use built-in Halo policies or you can customize or create your own.
You can view and search for the events in the Halo portal. To perform deeper analysis, such as correlating them with other events across your installations, you may wish to integrate them into whatever log-management and analysis or SIEM solutions your organization uses.
The Halo Log-based Intrusion Detection system (LIDS) allows you to monitor server log files for events of interest, and optionally receive alerts when such events occur. When enabled and configured, this module detects selected important events that are recorded in any number of system or application log files on any of your servers.
Event detection is policy-driven—the events that are to be considered indicators of intrusion are specified (by event ID or by event-message text pattern) in a policy that is assigned to a server group. Every detected event occurrence is logged as a Halo security event that you can view in the Halo portal, retrieve through the Halo API, and export to third-party tools for further analysis.
With log-based intrusion detection you can continually monitor all of your server systems and applications, and be notified whenever specific events of critical importance occur.
Set up and run log-based intrusion detection scans
- If you have not yet assigned a log-based intrusion detection policy to the server group you want to scan, do so now as described in Task 3.
- Verify that automatic scanning is enabled for Log-Based Intrusion Detection. Open the Halo portal main menu, choose Site Administration, open the Settings tab, and under Agent Scanning make sure that "LIDS" shows a scanning frequency of "Every 5 mins".
Your setup is complete. Scans are already occurring, and you can look for scan results in the Halo portal within a few minutes.
Examine log-based intrusion detection issues
The Issues view is where you typically look to learn what log-based intrusion detection policy violations Halo has detected. An issue is like a persistent scan finding or event—Halo creates it when a scan first reports a specific policy violation, and Halo keeps the issue open as long as subsequent scans keep reporting that violation. Once a scan reports that the specific violation did not occur, Halo automatically resolves the issue.
- At the group level, select a server group of interest from the group tree, then click Servers and select a server of interest. Click the Issues view button and the Open Issues tab to view the server's open issues.
- If necessary, filter the display (create an "issue type" filter with the value "LIDS"), or sort the issues list by scan type and scroll to find the log-based intrusion detection scans (marked "LIDS"). Critical issues have a red dot, non-critical issues a yellow dot.
Pick any configuration issue and note its summary information (such as the issue name, the policy that was violated, and the number of servers on which the issue was detected).
- For additional information about the issue, click the issue's name to display the issue details sidebar.
Details include the issue's age (how long ago it was first detected), when the last scan that detected it ran, and what the original log entry was that triggered the event from which the issue was generated.
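The following is an added illustration, not Halo's own code, of the two mechanisms described above: policy rules that recognize events by event ID or by event-message text pattern, and the issue lifecycle in which an issue is opened on first detection, stays open while successive scans keep reporting it, and is auto-resolved once a scan no longer does. The rule names, the `EventID=` line format and the log lines are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    """One policy rule: match by event ID or by a regex over the message text."""
    name: str                        # the issue name as it would appear in the portal
    event_id: Optional[str] = None   # constructed convention: lines carry "EventID=<id>"
    pattern: Optional[str] = None    # regex applied to the event-message text

    def matches(self, line: str) -> bool:
        if self.event_id is not None and f"EventID={self.event_id}" in line:
            return True
        return self.pattern is not None and re.search(self.pattern, line) is not None

# Constructed policy with one rule of each kind.
POLICY = [
    Rule("Repeated SSH auth failure", pattern=r"sshd.*Failed password"),
    Rule("Audit log cleared", event_id="1102"),
]

def scan(lines, policy):
    """One scan pass: the set of rule names whose events appear in `lines`."""
    return {rule.name for line in lines for rule in policy if rule.matches(line)}

class IssueTracker:
    """Issue lifecycle: open on first report, kept open while reported, then resolved."""
    def __init__(self):
        self.open = {}        # issue name -> number of consecutive scans reporting it
        self.resolved = []    # issue names auto-resolved, in resolution order

    def apply_scan(self, detected):
        for name in list(self.open):
            if name not in detected:          # a scan no longer reports it: resolve
                self.resolved.append(name)
                del self.open[name]
        for name in detected:                 # first report opens, later ones keep open
            self.open[name] = self.open.get(name, 0) + 1
        return dict(self.open)

# Constructed log excerpts for three successive 5-minute scans of one server.
SCAN_1 = ["Jun 1 10:00:01 web1 sshd[412]: Failed password for root from 198.51.100.7 port 4022 ssh2",
          "Jun 1 10:00:09 web1 audit: EventID=1102 The audit log was cleared"]
SCAN_2 = ["Jun 1 10:05:30 web1 sshd[415]: Failed password for admin from 198.51.100.7 port 4031 ssh2"]
SCAN_3 = ["Jun 1 10:10:02 web1 sshd[420]: Accepted publickey for deploy from 10.0.0.5 port 5100 ssh2"]

def run_example():
    """Returns the open-issue state after each scan and the list of resolved issues."""
    tracker = IssueTracker()
    states = [tracker.apply_scan(scan(batch, POLICY)) for batch in (SCAN_1, SCAN_2, SCAN_3)]
    return states, tracker.resolved
```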
Act on log-based intrusion detection issues or events
To act on a reported LIDS issue or event, evaluate the level of security risk that it represents, and take appropriate action ranging from ignoring the issue/event up to immediately quarantining the server and launching an incident response procedure or forensics investigation. For more details, see Act on LIDS Issues and Events in the Log-Based Intrusion Detection Setup Guide.