Necessity of logging

So why do you need logs? Do you need them at all? Or do you?

Chances are you do.

It could be easy, as in you'd like to know when someone logged in to a certain device, and then logged out. Easy enough. Maybe there is an incentive to know what this person did during the session? Did the person change anything in your config files? Any changes to the database? Did this person do a SELECT * FROM anydatabase? Why was user "abc" interested in columns "c_card_nr" and "cvv" at the same time?

Oh well, you need to have logs, you need to know what is going on with your systems.

Most systems log: Unix and routers/switches use syslog in one way or another, and Windows has several different logging mechanisms of its own. You can use Snare (as an example) on Windows to convert events and forward them syslog-style, so they are collected on your syslog server.

Once you have decided you have needs, what you need from a log management gadget depends on those needs. What do you need? What requirements do you have?

Let's boil those needs down to "use cases"...

1. I want to know who logged into server 'abc'
2. I want to know which users requested 'that service'
3. Show me the usage of account "xyz"

Unless you have logging turned on at the appropriate level, you will not get answers to the scenarios above. Some of your applications might not even be able to log at all (throw them out).
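To show what answering those three use cases actually takes once the logs are collected, here is an added example (not from the original post): a small parser over constructed syslog lines (the hosts, users, service names and the "db-audit" program are all made up) that answers who logged into server 'abc', which users touched a given service, what account "xyz" did, and which queries pulled "c_card_nr" and "cvv" together.

```python
import re

# Constructed sample syslog lines (not from the post); hosts, users and programs are made up.
SAMPLE_LOGS = """\
Mar  3 08:01:12 abc sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Mar  3 08:03:40 abc sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vi /etc/ssh/sshd_config
Mar  3 08:10:02 abc sshd[2201]: Disconnected from user alice 10.0.0.5 port 51234
Mar  3 09:15:33 db1 sshd[4410]: Accepted password for xyz from 10.0.0.9 port 40022 ssh2
Mar  3 09:16:01 db1 db-audit: user=xyz query="SELECT c_card_nr, cvv FROM customers"
Mar  3 09:20:19 abc sshd[2290]: Failed password for invalid user admin from 203.0.113.7 port 2222 ssh2
Mar  3 10:02:55 abc sshd[2301]: Accepted publickey for xyz from 10.0.0.9 port 40100 ssh2
"""

# One classic syslog line: timestamp, host, program (optional [pid]), message.
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$")
# Ways the acting user shows up in a message: "for alice", "user alice", "user=xyz", "alice : TTY=" (sudo).
USER_RES = [re.compile(p) for p in (r"\bfor (?!invalid user)(\S+)", r"\buser[= ](\S+)", r"^(\S+) : ")]

def parse(text):
    """Turn raw syslog text into event dicts; lines that do not parse are skipped (count them in production)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        hit = next((r.search(ev["msg"]) for r in USER_RES if r.search(ev["msg"])), None)
        ev["user"] = hit.group(1) if hit else None
        events.append(ev)
    return events

def logins_on(events, host):
    """Use case 1: who logged into this server (successful sshd logins only)."""
    return sorted({e["user"] for e in events if e["host"] == host and e["prog"] == "sshd" and e["msg"].startswith("Accepted")})

def users_of(events, prog):
    """Use case 2: which users touched a given service, failed attempts included."""
    return sorted({e["user"] for e in events if e["prog"] == prog and e["user"]})

def account_activity(events, user):
    """Use case 3: everything one account did, across all hosts, in log order."""
    return [(e["ts"], e["host"], e["prog"], e["msg"]) for e in events if e["user"] == user]

def sensitive_column_queries(events, columns=("c_card_nr", "cvv")):
    """The post's own example: queries that read all of the listed columns at once."""
    return [(e["user"], e["msg"]) for e in events if all(c in e["msg"] for c in columns)]
```

Without the sudo and database audit lines in the sample, use case 3 would collapse to "xyz logged in twice", which is exactly the "appropriate level" point above.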

The main reason you want to log stuff is that you need to be on top of things when they happen. Or, if the shit hits the fan, you will at least be able to find out why.
