When analysing your server’s overall performance and functionality one of the key areas to consider is that of user activity. Looking for unusual user activity is a sensible option in identifying potential system problems or security issues. When a server log is full of unusual user activity you can often use this information to track down the potential issues very quickly. For example by analysing these issues from your system logs then you can often identify trends in authentication, security problems and application errors.
Monitoring user access to a system for example will allow you to determine usage trends such as utilization peaks. Often these can cause many sorts of issues, from authentication problems to very specific application errors. All of this data will be stored in different logs depending on what systems you are using, certainly most operating systems will record much of this by default.
Using system logs though can be difficult due to the huge amount of information in them. It is often difficult to determine which is relevant to the health and security of your servers. even benign behaviour can look suspicious to the untrained eye and it is important to use tools to help filter out some of the information into more readable forms.
For example if you see a particular user having authentication problems every week or so, then it is likely that they are just having problems remembering their passwords. However if you see a user repeatedly failing authentication over a shorter period of time, it may illustrate some other issues. For example if the user is trying to access the external network using a German proxy server then there would be an authentication problem as the server would not be trusted.
Looking at issues like this can help determine user activity that causes a security breach. Obviously it is important to be aware of the current security infrastructure in order to interpret the results in these logs correctly. Most operating systems like Unix and Windows allow you to configure the reports to record different levels of information ranging from brief to verbose.
If you do set logs to record verbose information it is advisable to use some sort of program to help analyse the information efficiently. There are many different applications which can allow you to do this, although some of them can be quite expensive. There are simpler and cheaper options though, for example the Microsoft Log Parser is a free tool which allows you to run queries against event data in a variety of formats.
Log parser is particularly useful for analysing security events, which are obviously the key priority for most IT departments in the current climate. These security and user authentication logs are the best way to determine whether any unusual activity is happening on your network. For example anyone using an stealth VPN or IP Cloaker like this one, will be very difficult to detect by looking at raw data from the wire. However it is very likely some user authentication errors will be thrown up from using an external server like this. For instance most networks restrict access to predetermined users or ip address ranges and these errors can flag up behaviour very quickly.