[logs] Re: on database logging

From: Tom Le (dottom@private)
Date: Wed Mar 21 2007 - 20:23:04 PST


On 3/21/07, Anton Chuvakin <anton@private> wrote:
>
> > DBAs implement it reluctantly.  It requires a compliance mandate and
> > even then encounters various levels of resistance.  When you look at
> > other log analysis projects (such as security event monitoring or log
> > aggregation),
>
> Huh? What does "log aggregation" mean here? Shouldn't database logs be
> part of it?!


"Log aggregation" in the above context means implementing centralized
logging.  Most database logs at most companies are not sent to a centralized
log server.

"Security event monitoring" means either an internal SIM/SIEM or outsourcing
to an MSSP.

Companies are only beginning to adopt solutions around these two areas.
Sure, companies do some of this to varying degrees (e.g. they send all Unix
logs to a centralized server), but my point is that when you are adopting a
new policy/process/paradigm, you tend to implement it in stages.  The stages
that are likely to have internal champions are system, security, and network
logging/monitoring.  This is because the use of centralized log aggregation
or SIM/SIEM/MSSP solutions greatly improves the quality of work of these users
(system, security, and network admins).

The application admins and DBAs have traditionally never championed
auditing.  It's a nuisance to them.  They offer resistance and often
implement it reluctantly.

It's hard enough trying to convince customers to adopt a new technology when
all the technical recommenders agree.  A vendor recommends a whiz bang
solution and everyone agrees it's needed and useful.  You still have to sell
management on cost vs. benefits.  Now imagine a scenario where the technical
recommenders (DBAs, application admins) are reluctant the minute the topic
comes up.

You might want to consider hiring a focus group (like San Jose Focus) to
talk to DBAs and IT security managers.  You'll be able to dig even deeper
into this issue.  It's been money well spent IME for product & marketing
analysis.

Tom
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2.1.3 : Thu Mar 22 2007 - 08:59:33 PST