[logs] Re: on database logging

From: Tom Le (dottom@private)
Date: Wed Mar 21 2007 - 20:05:37 PST

> > All the current trend toward legislating compliance has
> > accomplished is setting the bar very low, and encouraging
> > companies to look only at meeting that standard. I've had
> > senior IT managers tell me "We are going to do the exact
> > minimum, wherever possible."
> No kidding - but, at the same time, those organizations who used to
> fly (eh, crawl) BELOW that low bar would benefit if they are kicked
> into doing at least *something*. So, I am a bit more positive about
> such compliance motivators.

In most cases the fine-grained auditing we're talking about in this thread
(DB, OS, app layer transactions) is wolves too far away from the sleigh.
Companies are just beginning to adopt centralized log aggregation for things
like host-based logs, IDS/IPS traffic, and networking devices.  DB, OS, and
app transaction logging/monitoring is discussed but always the first to get

There's also a major analysis & reporting issue here that can't be ignored.
You can look at a Windows, Unix, IDS, or firewall message and any IT or
security admin will, generally speaking, know what to do with it.  When you
wrap correlation or other monitoring value around those log events, people
know what they mean.  They understand X failed logins in Y minutes is meaningful.

But they have a hard time understanding the meaning behind inserts,
updates, drops, grants, revokes, etc.  This is because so much context is
required to understand each environment.  This is true for DB, OS, and app
layer auditing.

So you have no internal champions (I know I'm repeating myself) for this
type of logging.  You have higher complexity and lower (immediately
observable) benefit.  I just don't see companies adopting this granular
auditing/logging/monitoring with a few exceptions.  There will always be
compliance drivers, but like Marcus said it's a big ambiguous "do the
minimum" approach and host, IDS, and network logs are easy ways to tackle
the audit requirements even if incomplete.
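
The contrast Tom draws above, between a rule anyone can read ("X failed
logins in Y minutes") and a DB audit event whose meaning depends on the
environment, is shown below as an added example; it is not part of the
original thread or anyone's product. The log lines are constructed, the
sshd format follows the usual syslog "Failed password" message, and the
pipe-delimited DB audit format, the DBA account list and the change window
are assumptions for illustration, not any real DBMS's audit layout.

```python
"""Two detection rules over constructed sample logs (added example).

Rule 1 needs no site knowledge: N failed logins for one account in W minutes.
Rule 2 is the DB-audit case: every GRANT/REVOKE/DROP is an alert until you
supply context (who the DBAs are, when the change window is); with context,
only the unexpected privileged statements remain.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd lines in syslog format (no year, as on a real host).
AUTH_LOG = """\
Mar 21 19:58:01 web1 sshd[4021]: Failed password for alice from 10.0.0.5 port 51000 ssh2
Mar 21 19:58:07 web1 sshd[4021]: Failed password for alice from 10.0.0.5 port 51001 ssh2
Mar 21 19:58:13 web1 sshd[4022]: Failed password for alice from 10.0.0.5 port 51002 ssh2
Mar 21 19:58:20 web1 sshd[4022]: Failed password for alice from 10.0.0.5 port 51003 ssh2
Mar 21 19:58:26 web1 sshd[4023]: Failed password for alice from 10.0.0.5 port 51004 ssh2
Mar 21 19:59:02 web1 sshd[4024]: Failed password for bob from 10.0.0.9 port 51010 ssh2
Mar 21 20:30:00 web1 sshd[4030]: Failed password for bob from 10.0.0.9 port 51011 ssh2
"""

AUTH_RE = re.compile(
    r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+)"
)
LOG_YEAR = 2007  # syslog omits the year; assumed for the constructed data


def parse_syslog_ts(ts):
    """'Mar 21 19:58:01' -> datetime (year supplied by caller context)."""
    return datetime.strptime(f"{LOG_YEAR} {ts}", "%Y %b %d %H:%M:%S")


def failed_login_bursts(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {user: time of first failure in the burst} for every user
    with at least `threshold` failures inside any `window`-long span."""
    times = defaultdict(list)
    for line in lines.splitlines():
        m = AUTH_RE.match(line)
        if m:
            times[m.group(2)].append(parse_syslog_ts(m.group(1)))
    hits = {}
    for user, ts in times.items():
        ts.sort()
        start = 0
        for end in range(len(ts)):          # sliding window over sorted times
            while ts[end] - ts[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[user] = ts[start]
                break
    return hits


# Constructed DB audit trail: time|account|source|action|statement.
# The layout is an assumption for this example, not a real DBMS format.
DB_AUDIT_LOG = """\
2007-03-21 02:15:00|dba_jane|10.0.1.2|GRANT|GRANT SELECT ON payroll.salaries TO report_ro
2007-03-21 03:10:00|dba_jane|10.0.1.2|DROP|DROP TABLE staging.tmp_import
2007-03-21 14:02:11|app_svc|10.0.2.20|GRANT|GRANT ALL ON payroll.* TO tmp_user
2007-03-21 14:05:40|app_svc|10.0.2.20|INSERT|INSERT INTO orders VALUES (...)
"""

PRIVILEGED_ACTIONS = {"GRANT", "REVOKE", "DROP"}

# Assumed site context: which accounts may run DDL/DCL, and the nightly
# change window as [start_hour, end_hour).
SITE_CONTEXT = {"dba_accounts": {"dba_jane"}, "change_window": (1, 4)}


def db_privileged_events(lines, context=None):
    """Return [(time, account, action)] for privileged DB statements.

    context=None  -> every GRANT/REVOKE/DROP is returned (context-free, noisy).
    context given -> only statements by a non-DBA account or outside the
                     change window are returned (the ones worth a look).
    """
    out = []
    for line in lines.splitlines():
        ts, account, _src, action, _stmt = line.split("|", 4)
        if action not in PRIVILEGED_ACTIONS:
            continue
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if context is not None:
            trusted = account in context["dba_accounts"]
            lo, hi = context["change_window"]
            in_window = lo <= when.hour < hi
            if trusted and in_window:
                continue                    # expected DBA work; suppress
        out.append((when, account, action))
    return out


if __name__ == "__main__":
    print("login bursts:", failed_login_bursts(AUTH_LOG))
    print("privileged, no context:", db_privileged_events(DB_AUDIT_LOG))
    print("privileged, with context:", db_privileged_events(DB_AUDIT_LOG, SITE_CONTEXT))
```

Run as-is, the failed-login rule flags alice and ignores bob's two
failures half an hour apart. The DB rule returns three events when given
no context and one (the app_svc GRANT at 14:02) once the DBA list and the
change window are supplied; that context table is exactly the
environment-specific knowledge the post says most shops cannot produce,
and it has to be maintained per database, not written once like the
login rule.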


