Hi, I have been a number of places where the idea of setting up central logging is a hard sell. There is always concern that there will be a performance hit. My current position involves a project that has actually pretty good logging. When I asked about forwarding the logs to a central log server, they said it won't be done. There is no requirement for it, no budget, and no desire. Where is the return on investment to go to the trouble of ensuring a single log message is not lost? What value is there to storing 100 percent of generated messages when it noticeably impacts business processes?

In my prior position I set up a central log server. I used Snare to forward Windows Event Messages to the log server. These messages had sequence numbers. I coded up a Perl script to document how many messages were being lost. It was around 2 to 3 percent with an occasional spike to 4 percent. The host system was a FreeBSD system using tcpdump to capture syslog packets on a hub it shared with a printer. The system did not have networking enabled. I used a Perl script to read the tcpdump files. As an intellectual exercise, I would have liked to verify where the messages were being dropped, but I had more important work to do.

I agree in theory with all of what is being said about reliable logging, but in practice I think the old-fashioned syslog protocol is acceptable. Remember, it is only one small piece of security in depth. In my opinion I think that it is far more important to spend effort ensuring that the analysis of what is captured is done quickly and correctly. The analysis should have some benefit. If all you are looking for is evidence of security incidents, I think that you are doing your organization a disservice. Logs are a gold mine of information that is useful to identify misconfigured systems, hardware or software failures, and resources being used near or at capacity.
Mine that gold and give it to the people who can make use of it to ensure system reliability and to plan appropriately for future upgrades. Also use the gold mine to justify your own existence and future budget requests.

B Cing U
Buck

LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
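The loss measurement the post describes (counting gaps in per-host sequence numbers from captured syslog traffic), as an added example that is not code from the original post, from Snare or from the author's Perl script. It assumes Snare-style tab-separated payloads with the per-host counter in the fourth field (an assumption about the field layout; adjust for your agent's format) and runs over constructed sample lines; counter resets after an agent restart and late, out-of-order arrivals are handled rather than counted as loss.

```python
"""Estimate syslog message loss from per-host sequence counters."""
import re
from collections import defaultdict

# Constructed sample lines (not a real capture). Counter is the 4th
# tab-separated field of the payload, an assumption about Snare's layout.
SAMPLE_LINES = [
    "Jun  1 10:00:01 winbox1 MSWinEventLog\t1\tSecurity\t100\tlogon\t528",
    "Jun  1 10:00:02 winbox1 MSWinEventLog\t1\tSecurity\t101\tlogon\t528",
    "Jun  1 10:00:02 winbox1 MSWinEventLog\t1\tSecurity\t104\tlogon\t528",  # 102,103 gap
    "Jun  1 10:00:03 winbox1 MSWinEventLog\t1\tSecurity\t103\tlogon\t528",  # late arrival
    "Jun  1 10:00:03 winbox2 MSWinEventLog\t1\tSecurity\t7\tlogoff\t538",
    "Jun  1 10:00:04 winbox2 MSWinEventLog\t1\tSecurity\t8\tlogoff\t538",
    "Jun  1 10:00:05 winbox2 MSWinEventLog\t1\tSecurity\t1\tlogon\t528",    # agent restart
    "Jun  1 10:00:06 winbox2 MSWinEventLog\t1\tSecurity\t2\tlogon\t528",
    "Jun  1 10:00:07 winbox1 kernel: not a snare line",                    # ignored
]

SYSLOG_RE = re.compile(r"^\S+\s+\d+\s+\d\d:\d\d:\d\d\s+(\S+)\s+(MSWinEventLog\t.*)$")

def parse(line):
    """Return (host, counter) or None for lines that carry no Snare counter."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    fields = m.group(2).split("\t")
    if len(fields) < 4 or not fields[3].isdigit():
        return None
    return m.group(1), int(fields[3])

def loss_stats(lines, reorder_window=50):
    """Per-host and total {received, expected, lost, resets, loss_pct}.

    A run is a span of counters per host; a counter below the run's first value,
    or far below the highest seen (beyond reorder_window), starts a new run and
    is treated as an agent reset rather than as lost messages (heuristic)."""
    runs, stats = {}, defaultdict(lambda: {"received": 0, "expected": 0, "resets": 0})

    def close(host):
        first, high, seen = runs.pop(host)
        stats[host]["expected"] += high - first + 1   # counters that should exist
        stats[host]["received"] += len(seen)          # set de-duplicates repeats

    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        host, ctr = parsed
        run = runs.get(host)
        if run is not None and not (ctr < run[0] or ctr < run[1] - reorder_window):
            run[2].add(ctr)
            run[1] = max(run[1], ctr)
            continue
        if run is not None:
            close(host)
            stats[host]["resets"] += 1
        runs[host] = [ctr, ctr, {ctr}]
    for host in list(runs):
        close(host)

    result = {}
    for host, s in stats.items():
        lost = s["expected"] - s["received"]
        result[host] = {**s, "lost": lost, "loss_pct": 100.0 * lost / s["expected"]}
    exp = sum(s["expected"] for s in stats.values())
    rec = sum(s["received"] for s in stats.values())
    result["total"] = {"received": rec, "expected": exp, "lost": exp - rec,
                       "resets": sum(s["resets"] for s in stats.values()),
                       "loss_pct": 100.0 * (exp - rec) / exp if exp else 0.0}
    return result

if __name__ == "__main__":
    for host, s in loss_stats(SAMPLE_LINES).items():
        print(f"{host}: lost {s['lost']} of {s['expected']} ({s['loss_pct']:.2f}%)")
```

On the sample, winbox1 loses 2 of 5 only if the late 103 is miscounted; the set-based run reports 1 lost (counter 102), and winbox2's restart is reported as a reset, not as loss.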
This archive was generated by hypermail 2.1.3 : Mon Aug 16 2004 - 12:06:43 PDT