Just wanted to highlight another useful resource on logging: “How to Do Application Logging Right” by Gunnar Peterson and myself. Following on our previous IEEE paper (here [PDF]), we explored application logging from a developer's perspective. As Gunnar already pointed out, “audit logs are one of the quick, dirty and cheap things that can improve enterprise security.”
Here is a fun excerpt:
“Organizations have finally gotten network device logging and—to some extent—server logging under control. However, after getting used to neat Cisco Adaptive Security Appliance or other firewall logs and Linux “password accepted” messages, security incident investigators trying to respond to the next wave of attacks have been thrust into the horrific world of application logging.”
and
“We can start by establishing criteria for good security audit logs (which we just call “logs” from now on). […] On the basis of the six Ws, the following list [see paper] provides a starting point for what to include [in each application log message]”
and
“Software architects and developers must “get” logging; there’s no other way. This is because infrastructure logging from network devices and operating systems won’t cut it for detecting and investigating application-level threats. Security teams will need to guide developers and architects through useful, effective logging.”
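To make the “what to include in each application log message” point above concrete, here is a small added example (my own illustration, not code from the paper or from Gunnar): an emitter that refuses to write a half-filled audit record, and a checker you can run over existing JSON-lines output. The field set is this example's assumption about what a six-Ws-style record should carry; the paper's actual checklist is not reproduced here.

```python
import json
from datetime import datetime, timezone

# Assumed field set for one audit record (this example's reading of "the six Ws").
REQUIRED_FIELDS = (
    "timestamp",   # when: UTC ISO 8601, so records from many hosts line up
    "user",        # who: the authenticated principal
    "action",      # what: the operation attempted (login, export, ...)
    "object",      # what on: the resource the action targeted
    "source_ip",   # where from: client address as the application saw it
    "component",   # where in the app: the module that emitted the record
    "outcome",     # result: success, failure or denied
)

def check_record(record):
    # Return the defects in one parsed record; an empty list means usable.
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if not record.get(f)]
    if ts := record.get("timestamp"):
        try:  # a naive or non-UTC timestamp is flagged, not silently accepted
            if datetime.fromisoformat(ts).utcoffset() != timezone.utc.utcoffset(None):
                problems.append("timestamp is not UTC")
        except ValueError:
            problems.append("timestamp is not ISO 8601")
    return problems

def audit_record(fields, now=None):
    # Serialise one record as a JSON line; refuse to emit a half-filled one.
    now = now or datetime.now(timezone.utc)
    record = {"timestamp": now.isoformat(timespec="seconds"), **fields}
    if problems := check_record(record):
        raise ValueError("unloggable audit record: " + "; ".join(problems))
    return json.dumps(record, sort_keys=True)

def check_log_lines(lines):
    # Audit existing JSON-lines output: {1-based line number: its defects}.
    report = {}
    for n, line in enumerate(lines, 1):
        try:
            problems = check_record(json.loads(line))
        except ValueError:
            problems = ["not a JSON record"]
        if problems:
            report[n] = problems
    return report

# Constructed sample log lines; line 2 is the bare "password accepted" kind of message.
SAMPLE_LINES = [
    '{"timestamp": "2010-01-01T12:00:00+00:00", "user": "alice", "action": "login",'
    ' "object": "portal", "source_ip": "192.0.2.10", "component": "auth", "outcome": "success"}',
    '{"timestamp": "2010-01-01 12:00:01", "action": "password accepted"}',
]
```

Running `check_log_lines(SAMPLE_LINES)` reports nothing for line 1 and lists every missing W plus the non-UTC timestamp for line 2, which is exactly the gap an investigator hits with that kind of message.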
Grab the paper here [PDF] and enjoy!
And, Raffy, you owe me another beer for “We thank Raffy Marty of Loggly for his thoughtful review of the draft article.” :-) In fact, I think me using the word “thoughtful” here justifies “beer+2”…