Monday, January 17, 2011

11 Log Resolutions for 2011

FYI, this piece has been specially created for LogManagementCentral (original post), an awesome site about logs, log management and SIEM. It is reposted here for posterity.


So, behold 11 log resolutions for 2011!!

1. I will turn logging on the systems I manage: this resolution is about the very first step one must take toward using log data for many purposes inside and outside of IT: actually having logs. Start 2011 by committing to enabling logging across the systems you manage or oversee. And, yes, “log everything” is not the answer in most environments (like all oversimplifications, it is often downright silly: logging every SELECT on a database will lead to your DBAs killin’ ya). Further resolutions help with figuring out how to do it without killing your systems.

2. I will create a log policy: this resolution helps you make a commitment to understanding what you need to log on each system and how to do it. A logging policy starts from reviewing compliance requirements and the other “use cases” for log data (security monitoring, incident response, troubleshooting), and then states, per system type, what to log, where to send it and how long to keep it.

3. I will check for when logging stops: one of the simplest ways to commit to having logging in 2011 (and all years thereafter) is to commit to monitoring for when logging stops. Apart from being a violation of a few regulatory compliance mandates, termination of logging, whether caused by an attacker or by mistake, is something you need to know about right when it happens. In practice this means watching for log sources that go silent (no events from a host for longer than its normal interval), not only for explicit “logging stopped” messages, since an attacker who kills the log daemon rarely leaves a polite note.

4. I will use compliance intelligently: this resolution draws a line between being a checkbox-following “compliance monkey” and being convinced that “compliance is evil.” Regulations such as PCI DSS contain not just motivation but also some useful advice on how to do logging right (some ideas).

5. I will learn what the logs mean: committing to logs is not simply committing to having logs; you have to know what the log messages actually mean and what they are trying to tell you. In 2011, commit to understanding what your systems are trying to tell you in their logs, and learn to tell routine messages from critical “system-busting” alerts.

6. I will at least check logs for intrusions, system and account changes and major errors: one cannot make a resolution to analyze logs without starting small first. If you have to pick a few things to look for first, at least commit to checking your logs for intrusions, system and account changes and major errors (this checklist can help).

7. I will review logs: generating, centralizing and storing logs is important. These practices are sensible and, in many cases, mandatory (prescribed by many regulatory mandates). However, the main value of logs lies in interpreting, understanding and then acting upon the information present in them. You cannot commit to logging excellence without committing to log review, using automated tools where possible (lots of ideas on log review).

8. I will make sure that I have logs preserved after an incident: logs rarely matter more than in a hectic post-incident environment, where every bit of data can help you understand the origin and impact of the intrusion. Preserving them means copying the relevant logs off the affected systems before log rotation, retention limits or the attacker remove them. Commit to using logs for incident response in 2011! (useful tips on that)

9. I will train my developers to create useful logs: making (and keeping!) a resolution to collect and review logs is impossible if logs do not exist, as is often the case for your custom applications. In order to gain the benefits of logging in such cases, you must make a resolution to train your application developers to create useful logs inside their applications: at a minimum, every security-relevant event should record who did what, when, from where, and whether it succeeded. Use emerging standards such as CEE to guide them towards proper logging practices.

10. I will stop complaining about how bad logging is at most organizations: everybody starts somewhere, and many organizations start from a truly abysmal state in regards to logging. Start logging, and stop complaining. Go from log ignorance to near-real-time log enlightenment using a process similar to this one.

11. Finally, I WILL REMEMBER THESE RESOLUTIONS FOR THE ENTIRE YEAR: unlike some security technologies, logging, log review and log monitoring are a lifetime commitment. To get something useful out of log data, you have to log and review the data all the time.
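Resolutions 3 and 6 above are the two that translate directly into code. What follows is an added example, not code from the original post or from LogManagementCentral: a small Python log review that (a) reports hosts that have gone silent, which is how “logging stopped” usually shows up in practice, and (b) pulls intrusion attempts, account changes, major errors and explicit logging-termination messages out of a batch of syslog-style lines. The log lines, hostnames, addresses, thresholds (5 failed logins from one address, 30 minutes of silence), the expected-host inventory and the review time are all constructed for this example and are not anything the post prescribes.

```python
"""Added example for resolutions 3 and 6: a tiny offline log review.
- silent_sources(): which hosts have stopped logging (resolution 3)
- review(): intrusions, account changes, major errors (resolution 6)
SAMPLE_LOG is constructed for this example, not taken from any real system;
the layout (ISO timestamp, host, program[pid]: message) and the thresholds
are assumptions, not anything the original post prescribes.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2011-01-17T08:00:01 web1 sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
2011-01-17T08:00:02 web1 sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
2011-01-17T08:00:03 web1 sshd[2311]: Failed password for root from 203.0.113.7 port 51024 ssh2
2011-01-17T08:00:04 web1 sshd[2311]: Failed password for root from 203.0.113.7 port 51025 ssh2
2011-01-17T08:00:05 web1 sshd[2311]: Failed password for root from 203.0.113.7 port 51026 ssh2
2011-01-17T08:00:09 web1 sshd[2311]: Accepted password for root from 203.0.113.7 port 51027 ssh2
2011-01-17T08:01:10 web1 useradd[2402]: new user: name=backup2, UID=1003, GID=1003, home=/home/backup2, shell=/bin/bash
2011-01-17T08:01:12 web1 usermod[2405]: add 'backup2' to group 'wheel'
2011-01-17T08:02:00 db1 kernel: Out of memory: Kill process 1776 (postgres) score 812 or sacrifice child
2011-01-17T08:03:00 db1 rsyslogd: [origin software="rsyslogd"] exiting on signal 15.
2011-01-17T08:05:00 web1 cron[2500]: (root) CMD (run-parts /etc/cron.hourly)
2011-01-17T09:30:00 web1 cron[2600]: (root) CMD (run-parts /etc/cron.hourly)
"""
# Assumed time at which the review runs: db1 has been quiet since 08:03.
REVIEW_TIME = datetime(2011, 1, 17, 9, 30)

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[\d+\])?: (?P<msg>.*)$"
)


def parse_log(text):
    """Parse syslog-like lines into dicts (ts, host, prog, msg); skip junk lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append(ev)
    return events


def silent_sources(events, now, max_gap=timedelta(minutes=30), expected=()):
    """Resolution 3: hosts that stopped logging. Returns host -> minutes since its
    newest event; None for an expected host with no events at all, which a purely
    log-driven check would otherwise never notice (hence the inventory)."""
    last_seen = {}
    for ev in events:
        if ev["host"] not in last_seen or ev["ts"] > last_seen[ev["host"]]:
            last_seen[ev["host"]] = ev["ts"]
    silent = {host: int((now - ts).total_seconds() // 60)
              for host, ts in last_seen.items() if now - ts > max_gap}
    for host in expected:
        if host not in last_seen:
            silent[host] = None
    return silent


ACCOUNT_PROGS = {"useradd", "usermod", "userdel", "groupadd", "groupmod", "passwd"}
RULES = [  # (category, pattern applied to the message text)
    ("intrusion", re.compile(r"^Accepted \w+ for root from")),
    ("logging_stopped", re.compile(r"exiting on signal|logging stopped", re.I)),
    ("major_error", re.compile(r"Out of memory|segfault|file system full|I/O error", re.I)),
]
FAILED_RE = re.compile(r"^Failed password for .* from (?P<ip>\S+) port")


def review(events, brute_threshold=5):
    """Resolution 6: bucket the events a minimal review must not miss."""
    findings = defaultdict(list)
    failed = Counter()  # (host, source ip) -> failed SSH logins
    for ev in events:
        msg = ev["msg"]
        m = FAILED_RE.match(msg)
        if m:
            failed[(ev["host"], m.group("ip"))] += 1
        if ev["prog"] in ACCOUNT_PROGS:
            findings["account_change"].append(f"{ev['host']}: {ev['prog']}: {msg}")
        for category, pattern in RULES:
            if pattern.search(msg):
                findings[category].append(f"{ev['host']}: {ev['prog']}: {msg}")
    for (host, ip), n in failed.items():
        if n >= brute_threshold:
            findings["intrusion"].append(f"{host}: {n} failed SSH logins from {ip}")
    return dict(findings)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    silent = silent_sources(events, REVIEW_TIME, expected=("web1", "db1", "vpn1"))
    for host, minutes in silent.items():
        print(f"ALERT logging stopped on {host}: silent for {minutes} min")
    for category, items in sorted(review(events).items()):
        for item in items:
            print(f"{category:16} {item}")
```

Run against the sample, the silence check reports db1 (last seen 08:03, 87 minutes before the review time) and vpn1 (in the inventory, never logged), and the review yields two intrusion findings (the brute-force burst and the root login that followed it), two account changes, one major error and the rsyslogd shutdown. The inventory of expected hosts is the part most people forget: a source that has never sent a single line produces no timestamp to age, so it has to be compared against a list you maintain outside the logs.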
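For resolution 9, as an added example rather than anything from the original post: a logging contract an application team can hand to its developers, in Python, so that every security-relevant event states who, what, when, from where and with what outcome, and a check that a log line honours the contract. The field names, the “webshop” application and the sample events are assumptions; the post only names CEE as a guide, and this example does not implement any CEE schema.

```python
"""Added example for resolution 9: a small application logging contract.
Every security-relevant event is one JSON object per line carrying who (user),
what (event), when (time), where (src_ip) and outcome. Not code from the
original post; field names, the "webshop" app name and the sample events are
assumptions, and no CEE schema is implemented here.
"""
import io
import json
import logging
import sys
from datetime import datetime, timezone

# Fields a reviewer needs in every event; a line lacking any of them is not useful.
REQUIRED = ("time", "app", "event", "outcome", "user", "src_ip")


class JsonFormatter(logging.Formatter):
    """Render a record as one JSON line, merging in the structured event fields."""

    def format(self, record):
        payload = {
            "time": datetime.fromtimestamp(record.created, timezone.utc).isoformat(),
            "app": record.name,
            "level": record.levelname,
            "message": record.getMessage(),
        }
        payload.update(getattr(record, "event_fields", {}))
        return json.dumps(payload, sort_keys=True)


def build_logger(name="webshop", stream=None):
    """Logger writing JSON lines to `stream` (stdout by default)."""
    logger = logging.getLogger(name)
    logger.setLevel(logging.INFO)
    logger.handlers.clear()  # idempotent across repeated calls
    logger.propagate = False
    handler = logging.StreamHandler(stream if stream is not None else sys.stdout)
    handler.setFormatter(JsonFormatter())
    logger.addHandler(handler)
    return logger


def audit(logger, event, outcome, user, src_ip, **extra):
    """Emit one security event. An incomplete event is a programming error and is
    refused, rather than producing a line nobody can act on during an incident."""
    fields = {"event": event, "outcome": outcome, "user": user, "src_ip": src_ip, **extra}
    missing = [k for k in ("event", "outcome", "user", "src_ip") if not fields[k]]
    if missing:
        raise ValueError(f"audit event missing fields: {missing}")
    level = logging.WARNING if outcome == "failure" else logging.INFO
    logger.log(level, f"{event} {outcome}", extra={"event_fields": fields})
    return fields


def missing_fields(line):
    """Return the REQUIRED fields absent from a log line (all of them when the
    line is not a JSON object at all, e.g. the classic 'ERROR: login failed')."""
    try:
        obj = json.loads(line)
    except ValueError:
        return list(REQUIRED)
    if not isinstance(obj, dict):
        return list(REQUIRED)
    return [k for k in REQUIRED if k not in obj]


def demo():
    """Write three typical events to an in-memory stream and return the lines."""
    buf = io.StringIO()
    log = build_logger("webshop", buf)
    audit(log, "login", "failure", "alice", "198.51.100.9", reason="bad_password")
    audit(log, "login", "success", "alice", "198.51.100.9", session="c4f1a2")
    audit(log, "role_change", "success", "alice", "198.51.100.9",
          target_user="bob", new_role="admin")
    return buf.getvalue().splitlines()


if __name__ == "__main__":
    for line in demo():
        print(line, "-> missing:", missing_fields(line))
    print("ERROR: login failed", "-> missing:", missing_fields("ERROR: login failed"))
```

The point of `audit()` refusing an incomplete event is that the gap is caught in development, where the developer can fix it, instead of at 3 a.m. during an incident when the line “login failed” turns out to name neither the account nor the source address. `missing_fields()` is the same contract applied from the reviewing side, so it can be run over an application's existing output to show the team how far its current logs are from usable.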

Any other logging resolutions you are making for 2011?

Dr Anton Chuvakin