[logs] Re: on database logging

From: Tom Le (dottom@private)
Date: Mon Mar 19 2007 - 08:40:56 PST


> Performance reasons might be of the past.
> There are non-intrusive DB auditing solutions out there that
> are very low on maintenance and have zero impact on performance.
> These solutions do not work off of the DB server. Instead, they
> monitor the network traffic directed to and from the DB server
> and they sit on an appliance of their own.

In every DB audit/monitoring case I have participated in or had extensive
discussions about, everyone wanted to monitor local admin activity.  This is a key
issue for audit controls, and since all DB auditing, I believe, is always
compliance-driven, if you can't cover on-the-box admin access, it's not
worth implementing one of these in-line app layer appliances.

The in-line solutions also typically only cover SQL traffic they can see.
There is a lot that goes on with a DB as you know, including stored
procedures, triggers, job automation, etc.  The in-line appliances have a
variety of ways to address this, but the solutions are never complete and
always intrusive (e.g. they need to log into the DB).  If you cannot be 100%
passive and you lack coverage, I haven't seen a customer yet adopt the
in-line solution for DB auditing.  The only reason I've seen in-line SQL
monitoring is for SQL injection coverage for very large web server farms (an
IDS role rather than compliance).

Performance usually is not a problem once you intelligently identify the
compliance controls.  Each auditor has different requirements (which makes
life hard for log analysis), but in no case have I had an auditor tell us
"monitor everything".  Usually the "performance issue" is first raised by
the DBAs at project introduction.  Once they accept the compliance mandate
and realize we only have to monitor a subset of transactions, it doesn't
become as much of an issue.

What I'm suggesting to answer Anton's original question is that DB auditing
is not "hot" because it won't be championed by internal users.  DBAs
implement it reluctantly.  It requires a compliance mandate and even then
encounters various levels of resistance.  When you look at other log
analysis projects (such as security event monitoring or log aggregation),
you'll find other internal champions where none exists for DB auditing.
YMMV.



_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis



This archive was generated by hypermail 2.1.3 : Wed Mar 21 2007 - 10:23:36 PST