On 2 Dec 2002, Florin Andrei wrote:

> How about the legal aspects of it? Will it be possible to use a database
> log in court, just like using a flat text log?

I'm not a lawyer, and I don't play one on the 'Net, so take this with a grain of salt[1]...

There's technically not much difference between a database engine "log" and a filesystem "database" log- how they're made and how they're used and how easy it is to show that event X creates log record Y. Test it, regularly generate reports based on it (in the U.S. a regular report is a business record, and therefore relatively easily admissible, as are most "machine records" produced under normal circumstances.)

Now, under some circumstances, if something ever gets to a jury, it may be the piece of confusion that a defense lawyer needs to sway a jury- a lot of that will depend on your ability to stand up an expert witness who's not talking over the jury's head. But they could try the same tactic on network-based log servers, filesystems, etc. A lot of the stuff comes down to having an explanation of how it all works that 12 of your dumbest lusers could understand.

Bottom line, storing the information in a database shouldn't materially change its admissibility- which is the part you have the most control over. Without tests, validation and a clear explanation of how it all works, the results of that evidence are a different matter altogether. By producing regular reports, you may increase the admissibility of any logs- in a database or not (though, I'd probably consider reporting out of a database a better idea than normal, just so you can present the evidence in raw *and* readable format.)

Now, there is one important thing to ponder about central log servers and logs- if you're presenting the original evidence in court, what's taking that disk/machine out of production going to do to your network?
If you're compelled to produce the actual log, rather than a copy- can you do that easily, without major interruption? Can you pull it *during* an event or an investigation and not miss out on additional badness coming from other vectors (hint- hot-swappable mirrored drives are your friend?)

Paul

[1] Check with your legal counsel, seriously- it's good to have them already in the loop, and explaining to them how it all works is good practice.

-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
probertsat_private      which may have no basis whatsoever in fact."

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
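The post recommends reporting out of the log database on a regular schedule so the same evidence can be presented in raw *and* readable form. The script below is an added example, not code from the list or from Paul; it builds an in-memory SQLite table from a handful of constructed syslog-style rows, then produces the raw export (every column of every row in the window, as CSV) and a readable report (per-host totals plus one plain sentence per event) for the same time window. The SHA-256 of the raw export printed at the top of the readable report is this example's own convention for tying the two together; the table layout and sample events are assumptions.

```python
import csv
import hashlib
import io
import sqlite3

# Constructed sample events for the demo; not taken from any real system.
SAMPLE_EVENTS = [
    ("2002-12-02T19:01:05Z", "fw1", "kern", "DENY tcp 198.51.100.7:4312 -> 192.0.2.10:22"),
    ("2002-12-02T19:01:09Z", "fw1", "kern", "DENY tcp 198.51.100.7:4313 -> 192.0.2.10:23"),
    ("2002-12-02T19:02:40Z", "mail1", "auth", "sshd: Accepted publickey for admin from 192.0.2.50"),
    ("2002-12-03T02:15:00Z", "fw1", "kern", "DENY udp 198.51.100.9:1027 -> 192.0.2.10:161"),
]

# Reporting window for the daily report (half-open: start <= ts < end).
WINDOW_START = "2002-12-02T00:00:00Z"
WINDOW_END = "2002-12-03T00:00:00Z"

COLUMNS = ("id", "ts", "host", "facility", "msg")


def build_log_db(events):
    """Create an in-memory log table standing in for the central log database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE log (id INTEGER PRIMARY KEY, ts TEXT NOT NULL,"
        " host TEXT NOT NULL, facility TEXT NOT NULL, msg TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO log (ts, host, facility, msg) VALUES (?, ?, ?, ?)", events
    )
    conn.commit()
    return conn


def select_window(conn, start, end):
    """Rows in the window, in insertion order; ISO-8601 UTC strings compare lexically."""
    return conn.execute(
        "SELECT id, ts, host, facility, msg FROM log"
        " WHERE ts >= ? AND ts < ? ORDER BY id",
        (start, end),
    ).fetchall()


def raw_export(conn, start, end):
    """Raw form: every stored column of every row in the window, unchanged, as CSV."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(COLUMNS)
    writer.writerows(select_window(conn, start, end))
    return buf.getvalue()


def raw_digest(conn, start, end):
    """SHA-256 of the raw export, used to match a readable report to its raw source."""
    return hashlib.sha256(raw_export(conn, start, end).encode("utf-8")).hexdigest()


def summarize(conn, start, end):
    """Event counts per host for the window; the figures a readable report is built from."""
    counts = {}
    for _id, _ts, host, _facility, _msg in select_window(conn, start, end):
        counts[host] = counts.get(host, 0) + 1
    return counts


def readable_report(conn, start, end):
    """Readable form: per-host totals, then each event as a plain sentence."""
    lines = [
        f"Log report for {start} to {end}",
        f"raw export sha256: {raw_digest(conn, start, end)}",
        "",
    ]
    for host, n in sorted(summarize(conn, start, end).items()):
        lines.append(f"{host}: {n} event(s)")
    lines.append("")
    for rid, ts, host, facility, msg in select_window(conn, start, end):
        lines.append(f"[{rid}] at {ts}, {host} ({facility}) recorded: {msg}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    db = build_log_db(SAMPLE_EVENTS)
    print(raw_export(db, WINDOW_START, WINDOW_END))
    print(readable_report(db, WINDOW_START, WINDOW_END))
```

Both outputs are derived from the same `select_window` query, so whatever the readable report says can be checked line by line against the raw rows; the fourth sample event falls outside the window and appears in neither.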
This archive was generated by hypermail 2b30 : Mon Dec 02 2002 - 19:28:23 PST