Monday, August 27, 2007

More Fun With Web Proxy Logs!

After publishing my proxy log tip (here) and preparing for this upcoming webcast on this (here), I figured I'd post a few more mini-tips on web proxy logging and log management.

First, why look at proxy logs? Apart from my overall answer that applies to all logs, proxy-specific reasons are the following:

  1. Review users’ activities on the web (not just surfing!)
  2. Monitor applications' HTTP activity
  3. Detect Web-enabled malware traffic
  4. Study proxy performance metrics

Most people just focus on #1 above and kinda forget #2-#4. Also, the focus of #1 is often narrow - what do they surf at work?- and not broad - what do they do on the web? - which is much more useful. While there is no direct mention of proxy logs in recent regulations, monitoring what users do with YOUR data is clearly part of the compliance mandates (and, obviously, a good idea in general!) Indirect references to proxy logging can be seen in the following:

  • Proxy monitoring is part of the overall control and governance (thus SOX, HIPAA, GLBA, etc)
  • Legal requirements to have audit trails (thus HIPAA, PCI)
  • Breach disclosure laws also impact (SB1386 and others, soon US-wide)
  • On the flip side, privacy laws might mandate the opposite i.e. NOT having logs.

So, please treat proxy logs with the respect they deserve!

Possibly related posts:

Dr Anton Chuvakin