Log management maturity



A sane approach to log collection is essential to successful deployment. This means in practice: don't get in there with a belief of installing a box and you're all set and compliant to whatever your initial goal was. This is very far from reality and even further from what could be true.

In real life you will want to proceed with utmost care and tread with baby steps in mind. If you know what you have in means of hardware, operating systems, applications and most importantly have a deep understanding of what you are logging and know various I/O peaks you might be able to take more of a wholesale approach in implementing log collection. Another approach (a more common scenario) for a shop that does not quite know what they have, what they need and how I/O will interfere (or not) with their existing environment would be baby steps, introducing one log source at the time, analyzing the results, and when you're happy, go on to the next log source.

Let's start with a basic maturity ladder for log collection. The purpose of this ladder is to give an idea of where you are to begin with. When you have decided upon which level you are at right now, you also know where you need to go, and what will be needed to climb up a notch on that ladder. The ladder is divided into six levels:

1. Log ignorance
2. Log collection
3. Log investigation
4. Log reporting
5. Log review
6. Log monitoring

There is no right or wrong level to be at, the most important thing is that you have a feeling of where you are aiming. This goal may be set by you, your bosses, your company's board or regulatory requirements such as PCI-DSS, HIPAA, SOX, Basel, or even local laws.

As you will see all of these steps will be explained in a very loose, and in some cases a bit ranting, way with a feel of "every day usage" feeling. At the end, I will post links and thanks to those who has contributed to my thoughts and conclusions, as well as pointers to where to find software (or hardware appliances) for your purposes. Please pop in for comments and suggestions :-)

Logging is king!

Comments

Post a Comment

Popular posts from this blog

Overhead lines

Image
One would think that in a climate such as this in southern Australia someone would come up with a better idea than keeping all lines (cable, electricity, telephone etc) up in the air. The wind can be pretty furious at times and city planners insist on planting trees which are known to grow over time. No doubt arborists are having fun coming up with ideas how to keep city planners and power utility companies happy. Once upon a time these cables were drawn in a similar way in Stockholm, where I have lived most of my life. At some point the phone companies decided this wasn't going to work in the long run. IMHO it would make sense to dig ditches into the ground and place all cables there (at least in the cities). Of course it will cost, but I also believe there is an algorithm that will give a number that will turn black a few years time after investment (ROI). Until then I will walk around this country with a smile on my face looking at the funny trees growing along city ...
Read more

Links for August 19th 2009

So the first signs of fall appeared today. First day in weeks I couldn't tak the bike to work. Schools stated today and hence I had to take my older boy to school in the car. Ah well, all good things must come to an end. Maybe I will have the time to take apart the bike and customize it in the ways I always planned to. Or maybe it'll just come to taking out the battery for witner care, as usual. But I'll keep on dreaming. Hacks: Social skills are as important as programming knowledge when it comes to penteration testing [or it could be used in malicious ways of course, but we don't, ringht?] and the creativity amongst people obtaining knowledge never ends to stun me. Hacks: Ethical hackning seems to be popular title to hide behind. Here's a security primer on how things can be done, written in proper English and not the hacker jibberish nerds speak. Hacks: More on social skills , or sort of. How do you use your mail? Do you have different mail accounts for diff...
Read more

R.I.P. Google Reader

For years my preferred application for reading RSS-feeds has been Google Reader. It has proven reliable, fast and most of all - clean in its interface. No clutter, pix or ads. Just plain information from sources of my choice. Now Google has decided to call it quits. Sad day. Call me an information junkie, and I'm fine with it. But I am a bit baffled by the comments on this decision to lay Reader to rest. An amazing majority of comments seem to be asking the question: is RSS an outdated technology? Really? What else is out there in terms of gathering information/news/updates/searches in one application, keeping this in one application, in one unified format? Facebook sucks with its censorship. Tumbler... oh well... no. I am terribly sorry, I just can't think of anything else to use. Here are some thoughts on Reader from Gigaom interview with Chris Wetherell. So I switched to Vienna . It seems to do the job fast and relatively clutter free. I'll go with that for a whil...
Read more