Tuesday, March 27, 2007

Look At Logs, If ONLY for Forensics and Incident Response

So you are a log-hater! That is fine with me; just admit it. You hate logs and never ever look at them. In fact, you don't even know you have them. And, to add insult to injury, you don't care whether you do. (Well, hopefully few of my readers are like that, but I suspect there are some :-))

How can I convince such a person to take logs seriously? Well, that's actually easy: everybody wants "all the logs" the moment something goes terribly wrong in their IT infrastructure or somebody smart 0wns their network.

However, it is really unlikely that logs will automagically show up on your doorstep right when things go south. If you were ignoring logs before, it is unlikely that you actually have them, at least not for the period the investigation needs: logs nobody manages get rotated away, overwritten, or never leave the box that has just been compromised. And that is the whole point of this post: even if you still insist on not looking at logs (as many organizations out there do...), I would suggest you invest in log management anyway. Huh? Yes: collect and retain them just so that they exist when an incident or an investigation comes, and you will still be grateful you did. And, as the ROI fans will probably say, "it will pay for itself."
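The practical version of "do you actually have them?" is a coverage audit: list the hosts and log sources you expect to be archived, list what is really in the archive, and find the days with nothing. The script below is an added example, not code from the original post; it assumes a central archive whose files are named host/source-YYYY-MM-DD.log (optionally .gz), and both the inventory and the archive listing are constructed for the example. It also reports sources that are in the archive but not in the inventory, which is how you find logs you did not know you had.

```python
"""Log coverage audit: do we actually hold the logs an investigation would need?

Added illustrative example. Assumes (hypothetically) a central archive laid out
as <host>/<source>-YYYY-MM-DD.log[.gz]; the inventory and file listing below are
constructed sample data, not real systems.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed inventory: (host, source) pairs that should produce one file per day.
EXPECTED_SOURCES = {
    ("web01", "apache-access"),
    ("web01", "auth"),
    ("db01", "auth"),
    ("db01", "postgres"),
    ("fw01", "iptables"),
}

# Constructed archive listing (file names only). web01/auth is missing two days,
# db01/postgres was never collected, mail01/postfix was collected but never
# inventoried, and README.txt is not a log file at all.
ARCHIVED_FILES = (
    [f"web01/apache-access-2007-03-{d:02d}.log.gz" for d in range(20, 27)]
    + [f"web01/auth-2007-03-{d:02d}.log.gz" for d in (20, 21, 22, 25, 26)]
    + [f"db01/auth-2007-03-{d:02d}.log" for d in range(20, 27)]
    + [f"fw01/iptables-2007-03-{d:02d}.log.gz" for d in range(20, 28)]
    + ["mail01/postfix-2007-03-22.log", "README.txt"]
)


def parse_archive_name(path):
    """Return (host, source, date) for 'host/source-YYYY-MM-DD.log[.gz]', else None."""
    host, _, fname = path.partition("/")
    if not host or not fname:
        return None
    if fname.endswith(".gz"):
        fname = fname[:-3]
    if not fname.endswith(".log"):
        return None
    stem = fname[:-4]
    # The date is the last 10 characters; a '-' must separate it from the source,
    # which may itself contain dashes (e.g. apache-access).
    if len(stem) < 12 or stem[-11] != "-":
        return None
    source, datestr = stem[:-11], stem[-10:]
    try:
        return host, source, date.fromisoformat(datestr)
    except ValueError:
        return None


def index_archive(archived):
    """Map (host, source) -> set of dates for which a file exists."""
    present = defaultdict(set)
    for path in archived:
        parsed = parse_archive_name(path)
        if parsed is None:
            continue  # not a log file we understand; ignore
        host, source, day = parsed
        present[(host, source)].add(day)
    return present


def coverage_gaps(expected, archived, start, end):
    """Map each expected (host, source) to the sorted list of days in [start, end]
    with no archived file. Sources with full coverage are omitted."""
    present = index_archive(archived)
    window = [start + timedelta(days=i) for i in range((end - start).days + 1)]
    gaps = {}
    for key in sorted(expected):
        missing = [day for day in window if day not in present[key]]
        if missing:
            gaps[key] = missing
    return gaps


def unexpected_sources(expected, archived):
    """(host, source) pairs that exist in the archive but not in the inventory."""
    return set(index_archive(archived)) - set(expected)


if __name__ == "__main__":
    start, end = date(2007, 3, 20), date(2007, 3, 26)
    for (host, source), days in coverage_gaps(EXPECTED_SOURCES, ARCHIVED_FILES, start, end).items():
        print(f"GAP  {host}/{source}: {len(days)} of {(end - start).days + 1} days missing "
              f"({days[0]} .. {days[-1]})")
    for host, source in sorted(unexpected_sources(EXPECTED_SOURCES, ARCHIVED_FILES)):
        print(f"EXTRA {host}/{source}: archived but not in inventory")
```

Run it before an incident, not during one: a source that shows as a gap today is a source you will not have when the forensics team asks for it, and an "extra" source is one you should add to the inventory before it quietly stops being collected.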

What if you are a CSO with the above mindset? Then run, don't walk, and get reeducated on the value of log management by the enlightened Mike Rothman (start here, for example). He closes with this: "Because your forensics guys will thank you that they've got such detailed information when they've got to solve the mystery of a security incident."

To conclude, as I hinted in my post "Logs Are Everywhere!", doing it earlier (like, today! :-)) is easier: the volume and variety of logs only grow over time, so the collection problem is smaller now than it will ever be again.

Dr Anton Chuvakin