How to Protect your Server By Using your Logs

Posted on July 24, 2012 by Nikhil P Naik

Logging allows us to see everything that any given user does in a system. However, this is akin to collecting diaries – if you’re a large organisation, potentially thousands of diaries. We’re going to look at a few ways to make this bundle of data functional, as well as outlining how you can use them in the event of a server attack.

How often should I analyse my logs?

There’s a lot to be said for keeping tags on your logs daily – just so you as an admin get an idea of what’s been going on. However, it’s also critical that you do periodic long-term analysis of logs (i.e. monthly, weekly, even annually) to identify trends in suspicious activity.

Where do I find my logs?

If you are using a cPanel for your server, you can download the Raw Access Log [i.e. Log Data] from your dashboard.

Raw Access Log

You can also check for errors in the error log in the root of your website files.

Error log cpanel

How do I analyse my logs?

You don’t have to trawl through them. Luckily, there are numerous services that will delve in to your log data, figure out what’s going on, and post the result to your monitor for your viewing pleasure. Such programs are called ‘automatic log file analysers’ and there are several available on the market.

A top tip for deploying log file analysers is to make sure you use more than one. Why? Because each analyser will try to hunt for suspicious activity in its own, proprietary way. Using more than one ensures you cover all angles.

What should I do with my analysis data?

Copy it, and back it up. As you’re about to see, log files can come in handy way after the event that generated them. Make sure your archives are well-organised and automatically backed up (more on this next article). Use your printers to save the very basics—it’s always a good idea to have a hard copy.

Should the worst happen, and your server is attacked, log files are going to be invaluable in tracing the source of the attack, the nature of the attack, and how it progressed. You can use this to identify weak spots in your system – if an attacker managed to break in by executing a Denial of Service (DoS) attack through uploads, maybe it’s time to consider that upload screener. If they were hunting through files for your credit card details, maybe you should get on the phone to the card company. You get the idea. If you didn’t have log files, and log file analysers, you wouldn’t have a clue what had happened in the event of an attack.

Log files have been used in various cases in courts worldwide. They’re concrete evidence – all actions are time-stamped and clearly visible. Because of the nature of complex court cases, this can mean that log files from way back are dragged to the fore – but as long as you’ve backed up regularly, and maintained a well-organised library, you’ll be able to summon them well in to the future.

So, we’ve seen that we can use log file analysers to take care of the dirty work of tracing suspicious activity. We’ve also seen that you can use log files to trace weaknesses, understand motives and, in some cases, enforce justice. We’ve mentioned a few times that we’ll need to back up various parts of the server system – that’s the subject for next time.

About Nikhil P Naik

Nikhil Naik has a Master's Degree in Information Systems, and is currently working as a Software Engineer at Microsoft. He also loves playing cricket, listening to music, and traveling. Twitter Handle - @buzz_nikhil.

Leave a Comment


This site uses Akismet to reduce spam. Learn how your comment data is processed.