RE: [logs] idea: let's scare ourselves...

From: Buck Buchanan (lbuchana@private)
Date: Sat Aug 14 2004 - 13:33:18 PDT


Hi,

I have been a number of places where the idea of setting up central logging
is a hard sell.  There is always concern that there will be a performance
hit.  My current position involves a project that has actually pretty good
logging.  When I asked about forwarding the logs to a central log server,
they said it won't be done.  There is no requirement for it, no budget, and
no desire.

Where is the return on investment to go to the trouble of ensuring a single
log message is not lost?  What value is there to storing 100 percent of
generated messages when it noticeably impacts business processes?

In my prior position I set up a central log server.  I used Snare to
forward Windows Event Messages to the log server.  These messages had
sequence numbers.  I coded up a Perl script to document how many messages
were being lost.  It was around 2 to 3 percent with an occasional spike to
4 percent.  The host system was a FreeBSD system using tcpdump to capture
syslog packets on a hub it shared with a printer.  The system did not have
networking enabled.  I used a Perl script to read the tcpdump files.  As an
intellectual exercise, I would have liked to verify where the messages were
being dropped, but I had more important work to do.

I agree in theory with all of what is being said about reliable logging,
but in practice I think old fashioned syslog protocol is acceptable.
Remember, it is only one small piece of security in depth.

In my opinion I think that it is far more important to spend effort
ensuring that the analysis of what is captured is done quickly and
correctly.  The analysis should have some benefit.  If all you are looking
for is evidence of security incidents, I think that you are doing your
organization a disservice.  Logs are a gold mine of information that is
useful to identify misconfigured systems, hardware or software failures,
and resources being used near or at capacity.  Mine that gold and give it
to the people who can make use of it to ensure system reliability and to
plan appropriately for future upgrades.  Also use the gold mine to justify
your own existence and future budget requests.

B Cing U

Buck

----------------------------------------------------------------------------------------

This is a PRIVATE message. If you are not the intended recipient, please
delete without copying and kindly advise us by e-mail of the mistake in
delivery. NOTE: Regardless of content, this e-mail shall not operate to
bind CSC to any order or other contract unless pursuant to explicit written
agreement or government initiative expressly permitting the use of e-mail
for such purpose.
----------------------------------------------------------------------------------------
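The loss measurement Buck describes above (counting gaps in Snare's per-agent sequence numbers to estimate what fraction of syslog messages never reached the collector) can be done with a short script. The following is an added example, not Buck's Perl script and not anything shipped by Snare; it assumes a Snare-like tab-separated event layout where the fourth field after the syslog header is a per-host counter that increments by one per message sent, and the sample lines are constructed for the example. It also handles two things a naive gap counter gets wrong: UDP reordering (a counter slightly lower than the previous one is not a loss) and counter resets after an agent restart (a large backwards jump starts a new run rather than being counted as thousands of lost messages).

```python
"""Estimate syslog message loss per sending host from sequence counters.

Added example (hypothetical parser, not Snare's or the poster's code).
Assumed line layout, Snare-like:
    <PRI>Mon DD HH:MM:SS HOST MSWinEventLog<TAB>Crit<TAB>Source<TAB>Counter<TAB>...
where Counter increases by one for every message the agent emits.
"""
import re
from collections import defaultdict

# Assumed header layout; everything after the counter is ignored.
LINE_RE = re.compile(
    r"^<\d+>\S+ +\d+ [\d:]+ (?P<host>\S+) MSWinEventLog\t\d+\t[^\t]+\t(?P<seq>\d+)\t"
)

# How far backwards a counter may go before we treat it as an agent restart
# rather than a reordered UDP datagram.  Assumed tolerance for this example.
REORDER_WINDOW = 50


def parse_line(line):
    """Return (host, counter) for a Snare-like line, or None for other syslog traffic."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return m.group("host"), int(m.group("seq"))


def loss_stats(lines, reorder_window=REORDER_WINDOW):
    """Group counters into runs per host and report expected vs. received.

    A run ends when a counter drops by more than reorder_window (agent restart);
    duplicates are collapsed by the set, reordered datagrams land in the same run.
    """
    runs = defaultdict(list)  # host -> list of sets of counters, one set per run
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # not a Snare event; nothing to count
        host, seq = parsed
        host_runs = runs[host]
        if host_runs and seq >= max(host_runs[-1]) - reorder_window:
            host_runs[-1].add(seq)
        else:
            host_runs.append({seq})  # first message seen, or a counter reset
    stats = {}
    for host, host_runs in runs.items():
        expected = sum(max(r) - min(r) + 1 for r in host_runs)
        received = sum(len(r) for r in host_runs)
        missing = sorted(
            n for r in host_runs for n in range(min(r), max(r) + 1) if n not in r
        )
        lost = expected - received
        stats[host] = {
            "expected": expected,
            "received": received,
            "lost": lost,
            "loss_pct": round(100.0 * lost / expected, 2),
            "missing": missing,
        }
    return stats


def snare_line(host, seq, event_id=528):
    """Build a constructed sample line; only the header fields matter here."""
    return (
        f"<13>Aug 14 13:33:18 {host} MSWinEventLog\t1\tSecurity\t{seq}\t"
        f"Sat Aug 14 13:33:18 2004\t{event_id}\tSecurity\tN/A\tSuccess Audit\t"
        f"Logon/Logoff\tSuccessful Logon"
    )


# Constructed capture: dc01 loses 1004 and 1007, repeats 1002, and delivers
# 1009 before 1008; fs02 restarts its agent after 502; one non-Snare line.
SAMPLE_LINES = (
    [snare_line("dc01", s) for s in (1001, 1002, 1002, 1003, 1005, 1006, 1009, 1008, 1010)]
    + [snare_line("fs02", s) for s in (500, 501, 502, 1, 2, 3)]
    + ["<38>Aug 14 13:33:19 bsdhost sshd[123]: Accepted publickey for buck from 10.0.0.5"]
)


if __name__ == "__main__":
    for host, s in sorted(loss_stats(SAMPLE_LINES).items()):
        print(f"{host}: {s['received']}/{s['expected']} received, "
              f"{s['loss_pct']}% lost, missing {s['missing']}")
```

Run against a real capture by feeding the decoded syslog payloads from the tcpdump file into loss_stats() instead of SAMPLE_LINES. The reorder window is the one tunable worth revisiting: set it too small and a burst of reordered datagrams is misreported as a restart, set it too large and a genuine restart whose new counter happens to land near the old one is folded into the previous run.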


_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis



This archive was generated by hypermail 2.1.3 : Mon Aug 16 2004 - 12:06:43 PDT