Synchronized Log Collection Report

by David Schwalenberg
August 27, 2014

Effective log management is an issue for many organizations. This report provides a summary of log sources and monitors audit checks for Network Time Protocol (NTP) settings.

The first step in successful log management is to set a standardized time source on the network. Utilizing a Windows Domain Controller as a NTP server is one common practice. While some organizations synchronize with a known reputable online resource, others obtain an atomic clock or GPS source and run a private NTP server. The NTP source is set using Group Policy or other configuration management tools.

Routers, switches, and other network equipment should be configured to forward logs to the Log Correlation Engine (LCE). Logging can be further enhanced by deploying LCE Clients throughout the network. Monitoring of systems with the LCE Client provides the detailed information needed on the LCE to properly correlate events and discover vulnerabilities. A good practice is to have LCE Clients installed on all servers, and in a best-case scenario, also installed on all workstations. The LCE policies for servers would be more inclusive to capture web server, mail server, or other application logs, while workstation LCE policies can be more limited and only collect malware events and a subset of event logs.

SecurityCenter Continuous View (SC CV) supports a tight integration with SIEMs, malware defenses, firewalls, network systems, servers, workstations and virtualization systems. The ability of LCE to normalize events from many sources and identify the vulnerabilities is unmatched in the industry. Log normalization is one of the many ways Tenable provides continuous network monitoring to identify vulnerabilities, reduce risk, and ensure compliance.

The report is available in the SecurityCenter app feed, an app store of dashboards, reports, and assets. The report can be easily located in the SecurityCenter Feed by selecting category Discovery & Detection, and then selecting tags log and ntp. The report requirements are:

  • SecurityCenter 4.8
  • Nessus 5.2.7
  • LCE 4.2.2
  • Tenable LCE Client

For the related SecurityCenter dashboard, see the Sychronized Log Collection dashboard.