Tuesday, February 05, 2008

How to Audit a Log Server?

This SANS Reading Room paper, "Auditing a Corporate Log Server" [PDF], touches upon an important but rarely discussed subject: the security audit of a log server (or log appliance).

Whether it is a home-grown log server or a vendor's log management tool, a security audit will help establish that your logs will remain useful for investigations, forensics, possibly litigation (offensive and defensive) and other purposes, all the way down to operational troubleshooting. Some regulations, such as PCI DSS, do call for log protections (see Requirement 10 or, while we are at it, go read my PCI book chapter on logs [PDF] :-)).

Also, keep in mind all the reasons to protect the C-I-A (confidentiality, integrity and availability) of logs that I highlighted in the "Top 11 Reasons to Secure and Protect Your Logs" post. Auditing the server helps establish that you do in fact protect your logs!

