Server Auditing

The title may sound dark and grave, but once we understand what it means it seems far less daunting. Server auditing is where you need to know:

  • Who is successfully logging into your server, and when?
  • What commands is each user or process executing on your server?
  • Who is failing to log in to your server, and when?
  • What processes are running on your server, and which ports are in use at any given time?
  • What files are being modified, and how are they modified?
  • Has any new user or group been added, and has any existing user or group been modified?

These are a few essential questions that auditing a server answers, and answering them is how auditing enhances its security.

Why do we need this?

You may have heard of the security breach on Facebook's servers, which was only discovered after the fact. Breaches like this can be prevented, or at least detected and contained far earlier, if we continuously audit and monitor our servers.

How do we do this?

There are two routes to implementing this:

Open source (free) tools:

  1. OSSEC
  2. Apache Metron
  3. Auditbeat by Elastic
  4. SIEMonster

A few additional players are also available on the market.

Paid tools:

  1. Threat Stack
  2. Auditbeat by Elastic
  3. Splunk, to an extent
  4. Nagios
  5. AlienVault OSSIM

Several additional players are also available on the market.

Auditbeat, Elasticsearch and Kibana from Elastic are my personal favorites. You have both free and paid versions of these. I would recommend using the free version, opting for the paid versions only if you feel that the free version can't accomplish the full scope of work.

How Auditbeat works:

Beats are lightweight shippers. Install Auditbeat on every server you want to audit and configure it to send its audit events to Elasticsearch, which indexes and enriches the data it receives. The events can then be visualized in Kibana, which ships with ready-made dashboards for Auditbeat.
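The following auditbeat.yml is an added, constructed example (not taken from the page or from Elastic's own reference configuration) showing how the modules map onto the questions listed at the top of the page: the system module's login, process, socket and user datasets cover successful and failed logins, running processes, open ports and account changes; the file_integrity module covers file modifications; and the auditd rules record every executed command and any write to the account files. The Elasticsearch and Kibana hosts, the credentials and the environment variable names are placeholders for your own deployment.

```yaml
# auditbeat.yml (constructed example; hosts, credentials and paths are placeholders)
auditbeat.modules:

# Kernel audit framework: which commands run, and who touches the account files.
- module: auditd
  resolve_ids: true          # map uid/gid numbers to names in the event
  failure_mode: silent       # do not halt the host if the audit backlog overflows
  backlog_limit: 8192
  audit_rules: |
    # every executed command (answers "what commands is the user or process executing?")
    -a always,exit -F arch=b64 -S execve -k exec
    -a always,exit -F arch=b32 -S execve -k exec
    # any write or attribute change to user/group definitions
    -w /etc/passwd -p wa -k identity
    -w /etc/shadow -p wa -k identity
    -w /etc/group  -p wa -k identity
    -w /etc/sudoers -p wa -k identity
    -w /etc/sudoers.d/ -p wa -k identity

# File integrity: hash the monitored paths and report create/modify/delete events.
- module: file_integrity
  paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc
  exclude_files:
  - '(?i)\.sw[nop]$'       # editor swap files
  - '~$'
  scan_at_start: true
  scan_rate_per_sec: 50 MiB
  max_file_size: 100 MiB
  hash_types: [sha256]
  recursive: true

# Host state: logins (from wtmp/btmp), processes, sockets/ports, users and groups.
- module: system
  datasets:
    - host
    - login
    - process
    - socket
    - user
  period: 10s               # how often to look for changes
  state.period: 12h         # how often to re-send the full current state
  socket.include_localhost: false
  user.detect_password_changes: true
  login.wtmp_file_pattern: /var/log/wtmp*
  login.btmp_file_pattern: /var/log/btmp*   # failed logins

# Installed/removed packages change less often, so poll them separately.
- module: system
  datasets:
    - package
  period: 2m
  state.period: 12h

# Ship events to Elasticsearch; Kibana is needed only for `auditbeat setup`.
output.elasticsearch:
  hosts: ["https://elasticsearch.example.internal:9200"]   # placeholder
  username: "auditbeat_writer"                              # placeholder
  password: "${AUDITBEAT_ES_PASSWORD}"                      # placeholder, from the keystore/env

setup.kibana:
  host: "https://kibana.example.internal:5601"              # placeholder
```

Before enabling the service, validate the file with `auditbeat test config -c auditbeat.yml` and the connection with `auditbeat test output -c auditbeat.yml`; then run `auditbeat setup -c auditbeat.yml` once so the index template and the prebuilt Kibana dashboards are loaded. The user Auditbeat writes with should have only the privileges needed to create and write its own indices, not a superuser role, so that a compromised host cannot tamper with the audit trail of other hosts.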

Server auditing is no longer an optional enhancement for your servers; it should be treated as a mandatory requirement.
