> i've been tasked with giving a presentation to a group
> of manager types who do not have our understanding of the
> importance of staffing for log monitoring. i've got a
> couple of analogies to use for them -- things like asking
> how many of them balance their checkbooks or read their credit
> card statements -- but figured that this group might have
> an idea or two of how to convince a non-techie (or a new
> sys admin) of how important this is...

I think those are two bad examples. I know plenty of
folks that do not balance their checkbooks nor read their
credit card statements. Usually these are people with
enough money that they feel it's not worth their time.
These people often fall into the very category of management
to whom you're likely going to give your talk...

I find that there are usually only two angles that consistently
convince the appropriate powers that be.

1) Security Concerns
   Management is scared of being broken into. I hate the
   'hacker scare tactics' as much as the next person, but
   sometimes that's all that works for some management
   folks. Watching logs is the only way to detect attacks
   (successful or in progress) so they must be reviewed
   by a human.

2) Hardware failure / Data loss
   Management wants 100% uptime. Bad hardware will often
   start showing problems in its logs before a painful
   failure occurs. Again, the logs are your friends.

Other reasons that *I* like to review logs are of course numerous,
such as watching for performance changes (good argument in a
database-heavy environment) and such, however I find that the above
two arguments are really the most convincing. A few carefully
picked horror stories (true or hypothetical) are usually sufficient
for them to realize the worth of logs.

From a non-system specific slant, however, you have

3) Marketing
   Webserver stats, showing how folks got to your site,
   where they went, most used pages, etc

#3 is almost always a high priority for some department at most
companies. However management doesn't usually see how logs in
general could possibly be as useful as something as targeted as
marketing-related usage of logs. Although you can use it as
an analogy ("If web logs tell us so much about our [product/etc]
then imagine how useful our system logs are to our IS department"!)
it never works as much as I'd hope.

My quick thoughts before bedtime.

--
Brian Hatch
Systems and Security Engineer
www.hackinglinuxexposed.com

"Never devour a man before you have heard his story"
    --Ancient Dragon Proverb

Every message PGP signed
This archive was generated by hypermail 2b30 : Mon Sep 10 2001 - 22:11:09 PDT