Hi, I have been going back over the mail from this list that has avoided the "Delete Key". There has been a fair amount of discussion of the tools and techniques. One aspect that has largely been ignored is "Why does my organization need a centralized log server?". There are lots of good reasons to have centralized logging (and a few that argue against the practice). The primary reasons for having centralized logging, and the arguments against it, will determine which tools and techniques an organization would use to create and process the collected logs. Before spending great effort looking at the tools and techniques being discussed here, I think that it would be important to examine at least the following set of questions:

Will the logs be analyzed in real-time as part of an Intrusion Detection System?
Are the logs analyzed on a regular basis to detect abuses or find misconfigured machines?
Are these logs part of "Corporate History"?
Does the central syslog server store all messages in a single file?
What is the training and experience of the people who will be analyzing the log files?
Which log messages need to be archived?
Which log messages will be archived in real-time?
Is it absolutely required that every log message be archived?
Are there any logs that must have the entire contents archived?
How long should the logs be archived (online and offline)?
What abuses (malicious or unintentionally self-inflicted) are there?
What measures should be taken to limit the damage the various abuses could cause?
What laws and organizational rules apply to the contents of the collected logs?
To what degree do these logs need to be protected?

The answers to these and other related questions will determine what constitutes a best practice.
The answers a large ISP, a small community hospital, the FBI, a military base, a software development company, a stock brokerage, or a university research lab would have to these questions would be significantly different.

A universal best practice for centralized logging in five steps:

Step 1: any organization that does not already have centralized logging should set one up and at least record what happens.
Step 2: look at the logs and determine what useful information they contain.
Step 3: use the above questions to determine the details of processing and handling of the logs.
Step 4: put into place tools, techniques, procedures, etc. to implement the details defined in Step 3.
Step 5: repeat steps 2, 3, and 4 forever.

B Cing U Buck
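Steps 2 and 3 of the post, as an added example that is not the poster's code or anything from the list: a small Python script that takes a handful of constructed BSD-style syslog lines (the hostnames, programs and messages are made up) of the kind a central syslog server collects into one file, decodes the facility and severity from each priority value, inventories which hosts and programs are sending and at what urgency, and shows what a per-host split of that single file would hold. The retention classification at the end is an assumed illustrative policy (keep authentication events and anything at err or worse in full, keep only counts of the rest), chosen to show how the post's archiving questions turn into a concrete rule; it is not a recommendation from the post.

```python
import re
from collections import Counter, defaultdict

# Constructed sample input: classic BSD syslog (RFC 3164) lines as a central
# server would store them. Hosts, addresses and messages are invented.
SAMPLE_LOG = """\
<38>Aug 28 13:01:02 web01 sshd[2231]: Accepted publickey for deploy from 10.0.0.7 port 51022 ssh2
<38>Aug 28 13:01:09 web01 sshd[2240]: Failed password for invalid user admin from 10.0.0.99 port 40112 ssh2
<38>Aug 28 13:01:11 web01 sshd[2240]: Failed password for invalid user admin from 10.0.0.99 port 40112 ssh2
<86>Aug 28 13:02:30 db01 su[1101]: pam_unix(su:session): session opened for user root by alice(uid=1000)
<29>Aug 28 13:03:00 db01 ntpd[412]: no servers reachable
<19>Aug 28 13:03:15 mail01 postfix/smtpd[5562]: warning: hostname lookup failed
this line is not syslog at all
"""

# Facility and severity names in numeric order, as defined for syslog PRI values.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                                  # <PRI>
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "         # Mmm dd hh:mm:ss
    r"(?P<host>\S+) "                                        # sending host
    r"(?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: "              # program[pid]:
    r"(?P<msg>.*)$"                                          # free-text message
)


def parse_line(line):
    """Return a dict of fields for one syslog line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:  # 23 facilities * 8 severities; anything larger is malformed
        return None
    rec = m.groupdict()
    rec["facility"] = FACILITIES[pri // 8]
    rec["severity"] = SEVERITIES[pri % 8]
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    return rec


def retention_class(rec):
    """Assumed illustrative policy, not the post's: authentication events and
    anything at err or worse are archived in full; the rest is only counted."""
    if rec["facility"] in ("auth", "authpriv"):
        return "archive-full"
    if SEVERITIES.index(rec["severity"]) <= SEVERITIES.index("err"):
        return "archive-full"
    return "count-only"


def summarize(text):
    """Inventory what a mixed central log contains: who sends, which programs,
    how urgent, how many lines are unparseable, and what each host's share is."""
    summary = {
        "parsed": 0, "unparsed": 0,
        "by_host": Counter(), "by_program": Counter(),
        "by_facility": Counter(), "by_severity": Counter(),
        "by_retention": Counter(),
        "per_host": defaultdict(list),  # what a per-host split of the file would hold
    }
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            summary["unparsed"] += 1  # worth knowing before trusting any counts
            continue
        summary["parsed"] += 1
        summary["by_host"][rec["host"]] += 1
        summary["by_program"][rec["prog"]] += 1
        summary["by_facility"][rec["facility"]] += 1
        summary["by_severity"][rec["severity"]] += 1
        summary["by_retention"][retention_class(rec)] += 1
        summary["per_host"][rec["host"]].append(line)
    return summary


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"parsed={s['parsed']} unparsed={s['unparsed']}")
    for key in ("by_host", "by_program", "by_facility", "by_severity", "by_retention"):
        print(key, dict(s[key]))
    for host, lines in s["per_host"].items():
        print(f"--- {host}: {len(lines)} lines")
```

Run it on a real central log file by replacing SAMPLE_LOG with the file contents; the unparsed count is the first thing to look at, since a server that stores everything in one file also receives lines from devices whose format the parser has never seen.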
This archive was generated by hypermail 2b30 : Tue Aug 28 2001 - 13:37:50 PDT