Monday, July 25, 2011

Log Management at $0 and 1hr/week?

As I was drinking cognac on the upper deck of a 747, flying TPE-SFO back from a client meeting, the following idea crossed my mind: CAN one REALLY do a decent job with log management (including log review) if their budget is $0 AND their “time budget” is 1 hour/week? I got asked that when I was teaching my SANS SEC434 class a few months ago and the idea stuck in my head – and now cognac, courtesy of China Airlines, helped stimulate it into a full blog post.

So, a $0 budget points to using open-source, free tools (duh!), but 1hr/week points in exactly the opposite direction: a commercial or even outsourced model, where somebody else does the tuning and the reviewing.

The only slightly plausible approach I came up with is:

  1. Spend your 1st hour building a syslog server; it can be done, especially if starting from an old Linux box that you found in the basement (at $0); don’t forget logrotate or equivalent, or the disk will fill up long before anyone reviews the logs
  2. Spend the next few weeks (i.e. hours) configuring various Unix, Linux and network devices (essentially, all syslog-capable log sources) to log to it
  3. Consider deploying Snare on a few Windows boxes (if needed) to forward their event logs as syslog; agent push is likely easier than remote pull of the Windows event log, which may need too much tuning
  4. Next, drop a default OSSEC install on your log server and – gasp! – enable all alerts
  5. Spend the next few hours (in the next few weeks) turning off the alerts that are too numerous, irrelevant, or don’t trigger any action in your environment.
  6. If your log volume fits within the free Splunk license size (500MB/day), also spend an hour deploying Splunk on your log server and have it index all gathered logs
  7. Now you’d be spending your “one log hour each week” on reviewing alerts and (if installed) digging in Splunk for additional details
  8. Congrats! $0 and 1hr/week gave you a semblance of log management and even monitoring…
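
As an added example (not code from the post, nor from rsyslog, OSSEC or Splunk themselves), the script below turns steps 1, 2, 5 and 7 into concrete files and one helper for the weekly hour. It assumes things the post leaves open: rsyslog as the syslog daemon on the collector, remote logs filed under /var/log/remote/<host>/, a collector named "logserver", and OSSEC writing to its default alerts.log layout; the alert sample at the bottom is constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the post: the steps above as concrete files plus
# one helper for the weekly review hour. Assumed (not stated in the post):
# rsyslog on the collector, remote logs under /var/log/remote/<host>/, a
# collector hostname of "logserver", and OSSEC's default alerts.log layout.

# Step 1: receiver config for /etc/rsyslog.d/10-remote.conf (assumed path).
# Listen on UDP and TCP 514, file each sender under its own directory, and
# keep the remote lines out of the collector's own /var/log/syslog.
rsyslog_receiver_conf() {
  cat <<'EOF'
$ModLoad imudp
$UDPServerRun 514
$ModLoad imtcp
$InputTCPServerRun 514
$template RemoteHost,"/var/log/remote/%HOSTNAME%/syslog.log"
:fromhost-ip, !isequal, "127.0.0.1" ?RemoteHost
# "& ~" discards the line just written; rsyslog 7+ also accepts "& stop"
& ~
EOF
}

# Step 1, the logrotate part: /etc/logrotate.d/remote (assumed path).
logrotate_conf() {
  cat <<'EOF'
/var/log/remote/*/syslog.log {
    daily
    rotate 90
    dateext
    compress
    delaycompress
    missingok
    notifempty
}
EOF
}

# Step 2: the one line each Unix/Linux/network source needs in its syslog
# config. "@@" is TCP (rsyslog, syslog-ng); classic syslogd only knows "@" (UDP).
client_forward_line() {
  printf '*.* @@%s:514\n' "${1:-logserver}"
}

# Step 5: silence a noisy OSSEC rule without editing the stock rule files by
# adding a level-0 child rule to /var/ossec/rules/local_rules.xml.
# $1 = the noisy rule id, $2 = an unused local id (100000 and up by convention).
silence_rule() {
  cat <<EOF
<group name="local,">
  <rule id="$2" level="0">
    <if_sid>$1</if_sid>
    <description>Silenced locally: too numerous or no action here.</description>
  </rule>
</group>
EOF
}

# Step 7: the weekly hour. Rank alerts by rule so review starts with the
# noisiest ones, which are also the candidates for step 5.
# $1 = path to alerts.log. Output: "<count> <rule id> <level> <description>".
top_rules() {
  awk '/^Rule: /{ id = $2; lvl = $4; sub(/\)$/, "", lvl); sub(/.*-> /, "")
                  n[id " " lvl " " $0]++ }
       END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# Constructed sample in the layout OSSEC writes to alerts.log; prints its path.
sample_alerts() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
** Alert 1311580800.1: - syslog,sshd,authentication_failed,
2011 Jul 25 10:00:00 logserver->/var/log/remote/web1/syslog.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.0.2.10
User: root
Jul 25 10:00:00 web1 sshd[1234]: Failed password for root from 192.0.2.10 port 51234 ssh2

** Alert 1311580805.2: - syslog,sshd,authentication_failed,
2011 Jul 25 10:00:05 logserver->/var/log/remote/web1/syslog.log
Rule: 5716 (level 5) -> 'SSHD authentication failed.'
Src IP: 192.0.2.10
User: admin
Jul 25 10:00:05 web1 sshd[1235]: Failed password for invalid user admin from 192.0.2.10 port 51240 ssh2

** Alert 1311580900.3: - syslog,errors,
2011 Jul 25 10:01:40 logserver->/var/log/remote/db1/syslog.log
Rule: 1002 (level 2) -> 'Unknown problem somewhere in the system.'
Jul 25 10:01:40 db1 kernel: [12345.678] error: something unexpected

EOF
  echo "$f"
}

# Stand-alone run: rank the constructed sample.
top_rules "$(sample_alerts)"
```

Run it weekly against the real alerts.log instead of the sample; a rule that tops the list for two weeks running and never led to an action is the one to feed to silence_rule. The receiver stanza deliberately keys on hostname, so a device that sends a bogus or empty HOSTNAME lands in a directory of its own rather than polluting another host's file.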

What do you think? It just might work for organizations with severe time AND money constraints.

Enjoy the post … while it lasts.

BTW, on a completely unrelated note:  do you think EVERY organization above a certain size NEEDS a SIEM? Or WILL NEED a SIEM in the future?

Dr Anton Chuvakin