Choosing Mr. Right


As you can imagine from the above, whatever products you choose, do not trust a vendor that promises "Plug it in and you will be up and running in ten minutes!". This will not happen. You will need to tweak and configure until your fingers bleed, your eyes are blood-shot from crying, and your vocabulary is out of new and innovative cursing as well as the old and proven four-letter words before you feel things are under control. Sometimes that feelings is good, as in: you're on the right track. The rest is just a false prediction of what is ahead of your adventure with log collection and reporting.

Now, don't let these words put you off. Once you've overcome the first hurdles and caveats you might experience the beauty and necessity of logs. Sounds crazy, but when you understand the heartbeats and almost organic life that is going on in your data centers you will see the benefits of your correlated and filtered data logs, and the advantage it gives your organization in reacting almost proactively to those alerts and reports you are able to squeeze out of those hundreds of millions events that might occur during a normal day at an average site with a few active databases.

Your mission is to choose the right product(s) for your needs. So you need to pin out your needs first. In cases of regulatory requirements it's pretty straight forward. Take PCI-DSS (I'll use that as an example since I am very familiar with those requirements after working for years with them), the requirements (PCI-DSS 2.0) clearly states that you need to collect logs and see to it that they can't be tampered with. There are also requirements of how often logs are to be reviewed. So you need to decide to what extent you want to obey, or follow, these requirements. As you will see later, maybe it is a good idea to look beyond the requirements and not only to comply, but also look at what good will the requirements do for you and what advantage you can gain from using them as an instrument in your daily work environment.

Let's start with your requirements. Don't worry about other's at this stage. This is your mission and your requirements comes first, and only later we'll take other requirements into consideration. It might just be that they walk hand in hand, or needs just a little tweak or persuasion so they will tango. 

The main mantra in logging is:

Who did what at which point of time? Who did what at which point of time? Who did what at which point of time? 

Is that clear enough? In one word: Traceability.

Comments

Post a Comment

Popular posts from this blog

Overhead lines

Image
One would think that in a climate such as this in southern Australia someone would come up with a better idea than keeping all lines (cable, electricity, telephone etc) up in the air. The wind can be pretty furious at times and city planners insist on planting trees which are known to grow over time. No doubt arborists are having fun coming up with ideas how to keep city planners and power utility companies happy. Once upon a time these cables were drawn in a similar way in Stockholm, where I have lived most of my life. At some point the phone companies decided this wasn't going to work in the long run. IMHO it would make sense to dig ditches into the ground and place all cables there (at least in the cities). Of course it will cost, but I also believe there is an algorithm that will give a number that will turn black a few years time after investment (ROI). Until then I will walk around this country with a smile on my face looking at the funny trees growing along city ...
Read more

R.I.P. Google Reader

For years my preferred application for reading RSS-feeds has been Google Reader. It has proven reliable, fast and most of all - clean in its interface. No clutter, pix or ads. Just plain information from sources of my choice. Now Google has decided to call it quits. Sad day. Call me an information junkie, and I'm fine with it. But I am a bit baffled by the comments on this decision to lay Reader to rest. An amazing majority of comments seem to be asking the question: is RSS an outdated technology? Really? What else is out there in terms of gathering information/news/updates/searches in one application, keeping this in one application, in one unified format? Facebook sucks with its censorship. Tumbler... oh well... no. I am terribly sorry, I just can't think of anything else to use. Here are some thoughts on Reader from Gigaom interview with Chris Wetherell. So I switched to Vienna . It seems to do the job fast and relatively clutter free. I'll go with that for a whil...
Read more

Sweden 2 Australia

So last year I was in for a big surprise. We had been talking about moving to Australia for a loooong time. But something always got in the way. Then pieces suddenly started falling into place. And by saying "suddenly" I mean really really fast. Just for fun I looked at the intranet career pages at work every now and then. Once in a while something popped up that I liked and sort of thought "wow, that would be great". So it went on until February 2016 when I saw THE ad. SIEM specialist in Australia. Suits me nicely I thought and told my wife about it. She of course told me to apply and a couple of days later I was ready to submit my letter. Back to the Jobseeker site and... it was gone... disaster! I had no choice but to go back home and deliver the sad news. Maybe it was the way it was meant to be. We'll just stay in Sweden and grow old. Weeks went by, and I thought maybe something similar would appear from nowhere and make my day, but nothing surfaced. N...
Read more