[loganalysis] Re: why read your logs?

From: Brian Hatch (loganalysisat_private)
Date: Mon Sep 10 2001 - 21:20:53 PDT

> i've been tasked with giving a presentation to a group
> of manager types who do not have our understanding of the
> importance of staffing for log monitoring.  i've got a
> couple of analogies to use for them -- things like asking
> how many of them balance their checkbooks or read their credit
> card statements -- but figured that this group might have
> an idea or two of how to convince a non-techie (or a new
> sys admin) of how important this is...

I think those are two bad examples.  I know plenty of
folks that do not balance their checkbooks nor read their
credit card statements.  Usually these are people with
enough money that they feel it's not worth their time.
These people often fall into the very category of management
to whom you're likely going to give your talk...

I find that there are usually only two angles that consistently
convince the appropriate powers that be.

1) Security Concerns
	Management is scared of being broken into.  I hate the
	'hacker scare tactics' as much as the next person, but
	sometimes that's all that works for some management
	folks.  Watching logs is the only way to detect attacks
	(successful or in progress), so they must be reviewed
	by a human.

2) Hardware failure / Data loss
	Management wants 100% uptime.  Bad hardware will often
	start showing problems in its logs before a painful
	failure occurs.  Again, the logs are your friends.

Other reasons that *I* like to review logs are of course numerous,
such as watching for performance changes (good argument in a
database-heavy environment) and such; however, I find that the above
two arguments are really the most convincing.  A few carefully
picked horror stories (true or hypothetical) are usually sufficient
for them to realize the worth of logs.

From a non-system specific slant, however, you have

3) Marketing
	Webserver stats, showing how folks got to your site,
	where they went, most used pages, etc.

#3 is almost always a high priority for some department at most
companies.  However, management doesn't usually see how logs in
general could possibly be as useful as something as targeted as
marketing-related usage of logs.  Although you can use it as
an analogy ("If web logs tell us so much about our [product/etc],
then imagine how useful our system logs are to our IS department!"),
it never works as much as I'd hope.

My quick thoughts before bedtime.

Brian Hatch                "Never devour a man before
   Systems and             you have heard his story"
   Security Engineer       --Ancient Dragon Proverb
Every message PGP signed

This archive was generated by hypermail 2b30 : Mon Sep 10 2001 - 22:11:09 PDT