Tuesday, January 08, 2008

Logging Poll #4 "Who Looks at Logs?" Analysis

Time to analyze my final 2007 poll on logs. In it, I asked who actually looks at logs at the organization. Here is what came up: results are here and also included below.


What can we conclude from this?

First, a "duh" conclusion is in order! No matter how many times one can utter the word "compliance," logs are still most useful for mundane (one would hope! :-)) system administration. Yes, indeed, sysadmins are the primary consumers of logs - yesterday, today, and - likely! - tomorrow as well.

Second, I am saddened by the fact that application developers have not warmed up to logs, at least not en masse (and not according to this limited poll...). I am guessing that when they start thinking of logging while creating their applications, they will be more aware of the fact that you can troubleshoot the applications using logs ...

Third, the incident response team showing up that low is some kind of fluke, I am sure. Everybody knows that logs are indispensable during incident response (yes, even if only a little logging was enabled, or even if the logging defaults were left in place, logs often reveal answers unobtainable via any other mechanism).

Am I reading too much into this? Hey, maybe I am! :-) Then again, I am a former theoretical physicist - thus, I can explain anything!

Next poll coming soon!



anonymous said...

Anton, I tend to agree with you that Security analysts should be a bit further up the list (#1 in my opinion). The flip of this is rumours recently have stated they will be moving further down the list as the logs will become a commodity owned by the IT Dept. I think for the purpose of a forensic requirement, the logs should be owned by the Security Department of any organization.

Anton Chuvakin said...

Well, there are more sysadmins than security analysts; maybe that is what made them #1.

>logs will become a commodity owned
>by the IT Dept.

Well, I am not sure whether it is a good or a bad thing. IT dept owns more of IT anyhow...

"Log ownership", BTW, justifies a long, nice post from me in the near future :-)

For now, check out this one: http://chuvakin.blogspot.com/2007/06/anton-security-tip-of-day-11-but-these.html

Dr Anton Chuvakin