I recently had a client whose IIS web server had been hacked. Based on the files that had been changed, we could tell at what time the compromise happened. In this kind of situation you need access to server and network activity history; in this case, we wanted to see the network activity to the server at the time the files were changed.
In that situation the logical logs to look at are the Windows Server event logs, the Internet Information Server logs, and the network firewall logs. In our case the firewall function was being handled by a Cisco ASA5505.
The problem is that the Cisco logs have a limited life before they are overwritten by the thousands of new messages produced by all the traffic going through the unit. This is normal for most devices of this type, since the on-box logs are intended for troubleshooting while working on the unit, not for long-term retention.
Most networks are not configured to collect and store critical logs
So we needed to retain the logs for a longer duration, and we also needed to filter the logs we looked at, since searching through thousands of log entries of every type would be a waste of resources. From our analysis we knew we wanted to look at HTTP and FTP connections to the affected server.
Accordingly, we selected Kiwi Syslog Server so that we had a server on the network that could collect the logs from the Cisco ASA5505 and, in turn, give us the tools to analyze them. We also configured the Cisco ASA5505 to send only the relevant logs to the Kiwi Syslog Server, so that we did not flood it with unnecessary information.
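As an added example (not from the original post and not Kiwi's own code), here is the kind of filter you would run over the collected ASA messages: it parses the ASA "Built ... connection" message (ID 302013) and keeps inbound TCP connections to the affected server on ports 80 and 21 within a window around the time the files changed. The log lines, addresses and times are constructed, and the timestamp format assumes the ASA's "logging timestamp" option is enabled.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of Cisco ASA 302013 ("Built ... connection") messages as a
# syslog collector would store them; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jun 10 2019 14:31:58: %ASA-6-302013: Built inbound TCP connection 4001 for outside:203.0.113.5/51234 (203.0.113.5/51234) to inside:192.0.2.10/80 (198.51.100.10/80)
Jun 10 2019 14:32:05: %ASA-6-302013: Built inbound TCP connection 4002 for outside:203.0.113.77/40111 (203.0.113.77/40111) to inside:192.0.2.10/21 (198.51.100.10/21)
Jun 10 2019 14:32:09: %ASA-6-302013: Built inbound TCP connection 4003 for outside:203.0.113.5/51240 (203.0.113.5/51240) to inside:192.0.2.20/443 (198.51.100.20/443)
Jun 10 2019 14:32:30: %ASA-6-302013: Built outbound TCP connection 4004 for inside:192.0.2.10/52000 (198.51.100.10/52000) to outside:203.0.113.9/80 (203.0.113.9/80)
Jun 10 2019 16:05:00: %ASA-6-302013: Built inbound TCP connection 4005 for outside:203.0.113.77/40200 (203.0.113.77/40200) to inside:192.0.2.10/80 (198.51.100.10/80)
"""

TS_FORMAT = "%b %d %Y %H:%M:%S"

# Fields of the 302013 message: timestamp, direction, protocol, then
# interface:real-address/real-port (mapped-address/mapped-port) for each side.
BUILT_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-\d-302013: "
    r"Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) connection \d+ "
    r"for \w+:(?P<src>[\d.]+)/(?P<sport>\d+) \([\d.]+/\d+\) "
    r"to \w+:(?P<dst>[\d.]+)/(?P<dport>\d+) \([\d.]+/\d+\)"
)

def parse_built(line):
    """Parse one ASA 302013 line into a dict, or return None for other messages."""
    m = BUILT_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], TS_FORMAT),
        "direction": m["dir"], "proto": m["proto"],
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
    }

def connections_to_server(log_text, server_ip, incident_time, window_minutes, ports=(80, 21)):
    """Return inbound TCP connections to server_ip (its real/inside address) on the
    given ports, within +/- window_minutes of incident_time (same format as the log)."""
    center = datetime.strptime(incident_time, TS_FORMAT)
    window = timedelta(minutes=window_minutes)
    hits = []
    for line in log_text.splitlines():
        rec = parse_built(line)
        if rec is None or rec["direction"] != "inbound" or rec["proto"] != "TCP":
            continue
        if rec["dst"] != server_ip or rec["dport"] not in ports:
            continue
        if abs(rec["ts"] - center) <= window:
            hits.append(rec)
    return hits
```

Calling `connections_to_server(SAMPLE_LOG, "192.0.2.10", "Jun 10 2019 14:32:00", 5)` on the sample keeps only the two inbound web and FTP connections to the affected server around the incident time and drops the outbound, other-host and out-of-window entries.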