Friday, May 04, 2007

Few Bits on Log Management Trends

Some time before the recent SANS Log Management Summit, somebody asked me: What are the top three trends in the log analysis industry?

I figured why not also post my answer for all to see. So, here they are (slightly edited for clarity):

  • Rapid increase in the breadth of log sources that people care about (and thus collect data from): it used to be just firewall and IDS logs, then servers, and now it is expanding to all sorts of log sources - databases, applications, etc. (see more information on this here)
  • This might sound boring, but it is still a major trend: more regulations, governance frameworks and standards will cover logs and logging. Just look at recent PCI, NIST 800-92 and a few others (including my very favorite, CEE, where work is just starting up).
  • There is also a trend towards auditing more access and more activity through logs; for example, few of the file server, storage or database vendors cared much about logging, but now they do (well, some do and some are starting to :-)). What used to be just about "access to information" is now evolving into "auditable access info." More discussion of this is here.

Comments? Additions? Criticism? Silence? :-)


Anonymous said...

How about centralization? I see more organizations moving towards a few exceptionally hardened servers with SAN connectivity for usability, integrity, consolidation, etc.

Anton Chuvakin said...

Yes, true. However, this has been going on for a while and some folks are actually trying to have LESS of it by using more distributed log processing models (even if with centralized control...)

Dr Anton Chuvakin