
Log Management Best Practices

Published on June 2016 | Categories: Documents



Alert Logic, Inc.
1776 Yorktown, 7th Floor, Houston, TX 77036 - 877.484.8383 - alertlogic.com
Alert Logic and the Alert Logic logo are trademarks, registered trademarks, or service marks of Alert Logic Inc. All other trademarks listed in this document are the property of their respective owners.
Documents are the property of their respective owners.
© 2012 Alert Logic, Inc. All rights reserved.
Rev. May, 2012

Log Management Best Practices:
The Benefits of Automated Log Management
To comply with today’s government and industry mandates, such as PCI,
Sarbanes-Oxley, HIPAA and GLBA, log data must be collected, regularly
reviewed and archived. In addition, regular analysis and forensics can
also be performed on the same log data to enhance overall security and
This paper discusses the challenges associated with effective log
management and enables you to better define best practices and
requirements for log management projects, as well as log management
and review solutions.
Why Log Management? ............... 2
Collecting Logs for Best Practice
Other Log Sources to Consider .... 6
Log Management Challenges ...... 9
Automated Log Management .... 12
Summary .................................... 13
About Alert Logic ....................... 14

1 Log Management Best Practices

THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT
IN SUCH LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT, ALERT LOGIC, INC. PROVIDES THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR
CERTAIN TRANSACTIONS, THEREFORE, THIS STATEMENT MAY NOT APPLY TO YOU.

This document and the software described in this document may not be lent, sold, or given away without the prior written permission of Alert Logic, Inc., except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of Alert Logic, Inc. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data. This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. Changes or improvements may be made to the software described in this document at any time.

© 2012 Alert Logic, Inc., all rights reserved.

U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of Defense (DoD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DoD acquisitions), the government's rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement.

Alert Logic is a trademark or registered trademark of Alert Logic, Inc. or its subsidiaries in the United States and other jurisdictions. All other company and product names mentioned are used only for identification purposes and may be trademarks or registered trademarks of their respective companies.


Why Log Management?
Today most organizations have tighter budgets and fewer resources than ever, yet they are experiencing ever-increasing pressures to improve security, comply with regulations, and continuously improve
Governmental and industry regulations have become better defined in recent years, with significant fines or even incarceration facing senior executives who fail to comply. With decreasing staff, IT organizations are now being forced to commit resources toward compliance initiatives while also continuing to ensure security and meet service level agreements.

In the past, a network administrator or security analyst would collect log data from a few select systems in the event that the data might be needed for a specific search later. Today, log management is an organizational requirement, demanding comprehensive functionality that extends beyond data collection to encompass normalization, analysis, reporting, and disaster-proof archival.

The number, variety, and volume of log data and network infrastructures have created a massive challenge. In addition, the expansion of IT infrastructure into hosted and cloud deployments means that there is not only more data to manage, but that it resides in a variety of environments. Trying to collect and manage a continuous supply of distributed log data can quickly overwhelm an IT organization. Adding storage sounds simple in concept, yet the costs of purchasing and managing terabytes of storage can be staggering.

With all of these challenges in mind, this paper will discuss best practices for log management in the current environment. Best practices for log management center on several key areas:
• Collecting the appropriate data. Consider all the sources of log data in your environment and which are required to meet compliance mandates, alert you to suspicious activity, and provide valuable forensic data.
• Making log data usable in a normalized, searchable format.
• Reviewing and analyzing log data regularly. Log data will not help you achieve your goals if it is not examined regularly; for compliance purposes, this is a requirement.
• Ensuring secure transmission and storage of log data. Log data is as sensitive as any of your other enterprise data, and the same care you exercise with other types of data should be exercised with your log data.
• Archiving data according to relevant data retention policies, including provisions for the appropriate level of data protection - for example, off-site storage.


Collecting Logs for Best Practice Reports
With a multitude of systems generating log data within a typical business environment, many organizations struggle to determine which log sources should be collected. This challenge should be viewed from the perspective of which logs would translate to the most immediate value. When an organization is unsure how to attribute value, it is best to reference what the industry would determine as best practice reports associated with log data.

The following list outlines the best practice reports that should be available in a log management

Active Directory
Active Directory Global Catalog Change - The Microsoft Active Directory Global Catalog provides searchable information about every object controlled within your AD forest. Additionally, it provides the ability to search across multiple different domains without being required to access the AD for each domain directly. This report should identify log messages that indicate all changes to the AD Global

Active Directory Global Catalog Demotion - The Microsoft Active Directory Global Catalog provides searchable information about every object controlled within your AD forest. Additionally, it provides the ability to search across multiple different domains without being required to access the AD for each domain directly. This report should identify log messages that indicate each time a domain controller in your AD forest has been demoted and can no longer serve the global catalog.

Database Failed Logins - This report should identify log messages that indicate database login failure log messages received from all monitored hosts.

Network Devices
Network Device Failed Logins - This report should identify log messages that indicate network device login failure log messages received from all monitored hosts.

Network Device Policy Change - This report should identify log messages that indicate when a policy is added/changed/removed on network devices.

Windows Server (2008 R2, 2008, 2003)
Excessive Windows Account Lockouts - The messages indicate that Windows user accounts have been locked out. This report should identify log messages that indicate when a threshold of 2 log messages has been exceeded.


Excessive Windows Account Lockouts by Administrative User - The messages indicate that the Windows Administrator account has been locked out. This report should identify log messages that indicate when a threshold of 2 log messages has been exceeded.

Excessive Windows Failed Logins - This report should identify log messages that indicate excessive Windows login failure log messages received from all monitored hosts with a threshold greater than 3

Excessive Windows Failed Logins by Administrative User - This report should identify log messages that indicate when an excessive amount of Windows login failure log messages are received from a single host for the Administrator account. The threshold is messages greater than 3.

Windows FTP Failed Logins - This report should identify log messages that indicate when accounts have failed to successfully login to IIS.

Windows User Account Created - This report should identify log messages that indicate when user accounts have been successfully created.

Windows User Account Modified - This report should identify log messages that indicate when user accounts have been modified (changed, created and deleted).

Windows User Group Created - This report should identify log messages that indicate that a user group has been created.

Windows User Group Modified - This report should identify log messages that indicate that user groups have been modified (changed, created and deleted).

Failed UNIX Switch User Command - This report should identify log messages that indicate all recorded failed uses of the UNIX switch user (su) command.

UNIX Account Created - This report should identify log messages that indicate the creation of UNIX

UNIX Failed Logins - This report should identify log messages that indicate local and remote accounts have failed to successfully login.

UNIX Group Created - This report should identify log messages that indicate a UNIX user group was added.

UNIX SSH Failed Logins - This report should identify log messages that indicate SSH login failure log messages received from all monitored hosts.


UNIX Sudo Access - This report should identify log messages that indicate when a user has executed the UNIX sudo command.

UNIX Switch User Command Success - This report should identify log messages that indicate a user has successfully executed the UNIX switch user (su) command.
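The threshold reports in the Windows Server list above are counting rules over normalized events. The Python below is an added example, not Alert Logic code or any product's report logic: it runs the four "excessive" reports over constructed sample lines in a key=value layout of my own choosing, assumes Windows event IDs 4625 (failed logon) and 4740 (account locked out) as the indicators, and counts failed logins per source host, which is one reading of "from a single host".

```python
import re
from collections import Counter

# Constructed sample lines (not from the paper) in a normalized key=value shape.
# Event IDs follow Windows Server 2008 conventions: 4625 = failed logon,
# 4740 = account locked out. Hosts and user names are made up.
SAMPLE_LOG = """\
2012-05-01T09:00:01 host=WEB01 event=4625 user=jsmith
2012-05-01T09:00:02 host=WEB01 event=4625 user=jsmith
2012-05-01T09:00:03 host=WEB01 event=4625 user=jsmith
2012-05-01T09:00:04 host=WEB01 event=4625 user=jsmith
2012-05-01T09:01:00 host=DB01 event=4625 user=Administrator
2012-05-01T09:01:05 host=DB01 event=4625 user=Administrator
2012-05-01T09:01:09 host=DB01 event=4625 user=Administrator
2012-05-01T09:01:12 host=DB01 event=4625 user=Administrator
2012-05-01T09:02:00 host=APP01 event=4625 user=Administrator
2012-05-01T09:03:00 host=DC01 event=4740 user=bjones
2012-05-01T09:03:30 host=DC01 event=4740 user=bjones
2012-05-01T09:04:00 host=DC01 event=4740 user=bjones
2012-05-01T09:05:00 host=DC01 event=4740 user=Administrator
this line is malformed and must not crash the report
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\d+) user=(?P<user>\S+)$"
)
FAILED_LOGON = "4625"
LOCKOUT = "4740"
ADMIN = "Administrator"

# Thresholds as the paper states them: a report fires when the count exceeds
# 2 lockout messages or 3 failed-login messages.
LOCKOUT_THRESHOLD = 2
FAILED_LOGIN_THRESHOLD = 3


def parse(log_text):
    """Parse lines into dicts; unparseable lines are counted, not silently dropped."""
    events, rejected = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            rejected += 1
            continue
        events.append(m.groupdict())
    return events, rejected


def over_threshold(events, event_id, group_by, threshold, user=None):
    """Count matching events per `group_by` field; keep groups above threshold."""
    counts = Counter(
        e[group_by] for e in events
        if e["event"] == event_id and (user is None or e["user"] == user)
    )
    return {k: n for k, n in counts.items() if n > threshold}


def run_reports(log_text):
    """The four threshold reports from the paper's Windows Server list."""
    events, rejected = parse(log_text)
    return {
        # Excessive Windows Failed Logins: any account, per host, more than 3
        "failed_logins": over_threshold(events, FAILED_LOGON, "host",
                                        FAILED_LOGIN_THRESHOLD),
        # ... by Administrative User: Administrator only, per host, more than 3
        "failed_admin_logins": over_threshold(events, FAILED_LOGON, "host",
                                              FAILED_LOGIN_THRESHOLD, user=ADMIN),
        # Excessive Windows Account Lockouts: per account, more than 2
        "lockouts": over_threshold(events, LOCKOUT, "user", LOCKOUT_THRESHOLD),
        # ... by Administrative User: Administrator lockouts, more than 2
        "admin_lockouts": over_threshold(events, LOCKOUT, "user",
                                         LOCKOUT_THRESHOLD, user=ADMIN),
        # Rejected lines are reported so a parser gap cannot hide events.
        "rejected_lines": rejected,
    }


if __name__ == "__main__":
    for name, result in run_reports(SAMPLE_LOG).items():
        print(f"{name}: {result}")
```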


Other Log Sources to Consider
The best practice reports described above provide the most immediate value to most organizations. However, there are other log sources that should be considered for collection for other operational goals, such as optimization health checks. In addition, some compliance and regulatory standards may require that additional log data be collected.

For example, operating system logs and application logs often contain security-related information as well as information about events that may not initially appear security-related. Organizations must consider the potential value of each and every potential log source.

In addition, log collection must be enabled in a growing variety of types of environments. In the past, log data typically resided in an in-house environment, or in traditional managed hosting deployments. As more infrastructure moves into the cloud, log collection projects must contend with data from virtual servers, elastic cloud environments with instances that are launched for days or hours, and hybrid environments. Along with the tremendous flexibility and efficiency that these deployment options bring come new challenges for IT managers.

The following log types should also be considered for collection:

Anti-Malware Software
Examples of anti-malware include anti-virus, anti-spyware, and rootkit detectors, to name just a few. These logs may include information indicating that malware was detected, disinfection attempt results, file quarantines, when file-system scans were last performed, when anti-virus signature files were last updated, and when software upgrades have taken place.

Organizations typically utilize a wide variety of applications to support business processes, including supply chain management, financial management, procurement, resource planning, customer relationship management, email and voice communications, web and ecommerce applications, and file and document management systems. Some of these applications are purchased from vendors and others are developed and maintained internally.

The information logged by various applications can vary wildly and may include account changes, user authentication attempts, use of privileges, usage details, client and server activity, configuration changes, major system failures, etc. Application logs can be more valuable when network communications are encrypted. However, application logs are often proprietary formats.

Authentication Servers
Directory servers and single sign-on servers will typically log each and every authentication attempt showing the originating user ID, destination system or application, date and time info, and success/failure


Some firewalls are perimeter-focused and general in nature and others are very application-specific or single-host (personal) focused. Firewalls not only block activity based on policy, they can inspect content and ensure the state and integrity of permitted connections. As such, their logs can be very detailed and

Intrusion Detection and Protection Systems
These systems record detailed information about suspicious behavior and detected attacks as well as actions taken to halt malicious activity in progress. Some intrusion protection systems, such as file integrity systems, run periodically instead of continuously and thus they generate logs in batches rather than on an ongoing basis.

Network Access Control Servers
Network access control can operate for both internal and external hosts connecting to the internal network. At the time of connect, the hosts' security posture is determined and hosts failing to adhere to the defined policy are quarantined onto a separate VLAN (Virtual Local Area Network) segment. NAC servers log a great deal of useful information about both successful/permitted and unsuccessful quarantined network connections.

Network Devices (Routers, Switches, etc.)
Routers can be configured to block certain types of traffic. Network devices can be configured to log very detailed connection activity but typically are configured to log very lightly. These logs can contain very informative network communication activity.

Operating Systems
There are many varied operating systems on servers, workstations, and assorted network devices. Logging is typically controlled by the host administrator. The types of events, as well as whether to log only successful or only failed events, or both, can be controlled.

These log entries typically contain information about service starts and stops, authentication attempts, file accesses, security policy changes, account changes, permission and privilege changes, and use of privileges. Operating System logs can also contain information from security software and system applications and are often beneficial for identifying suspicious activity involving a particular host.

Virtual Private Networks
Virtual Private Networks (VPNs) are the most popular type of secured remote access solutions and they log both successful and failed connection attempts. They record details such as the date and time each user connects and disconnects, as well as the types and amount of data sent and received during the connected


Vulnerability Management Software
Included here are both vulnerability scanning and patch management software. These typically run on an occasional basis and log batches of log entries that include information about scanned hosts/devices including: configuration, missing software updates, vulnerabilities identified, and patch/scan currency downloads, among other things.

Web Proxies
Web proxies are the intermediate hosts through which Web sites are accessed and can be used to restrict Web access as well as add a layer of protection between the user and external Web sites. Web proxy logs record user activity and URLs accessed by specified users.


Log Management Challenges
Recent compliance mandates require not only that you collect all logs, but also that they be reviewed regularly, searchable, and stored in their original, unaltered, raw form for mandate-specific timeframes.

Logs can also be extremely useful in identifying security incidents, policy violations, fraudulent activity, and operational problems shortly after they occur. They are also valuable when performing audits, forensic analysis, internal investigations, establishing baselines, and identifying operational trends and long-term problems. However, the infinite variety of log data formats makes it impossible to utilize the data without data normalization.

It is reasonable to assume that the variety of log data sources and the volume of data will always increase. Compounding this challenge is the variability of data formats and the distributed nature of these sources; in addition, every network infrastructure is in a constant state of change, with new systems, applications, users, and devices every day of the year.

This creates a variety of specific challenges for log management efforts. These challenges can be broken down into three areas: collection, analysis and review, and archival.

When we discuss log data, we are discussing a wide and ever-changing range of data sets that must be accounted for.
• Log data is varied. Not only do systems, applications, and network devices have their own logs with varying types of specific data which are captured, but a single log source can have multiple logs to be captured. For example, applications often have multiple log files, each containing a specific type of data.
• Log data sources are distributed. Data sources may be located within internal on-premise infrastructure, collocated in a data center, hosted with a managed hosting provider, or in the cloud. This infrastructure may be managed separately or in a hybrid environment. Log collection must span all of these environments.
• Log data sources change constantly. At any time a new system, application, or network device may be brought online and begin generating new log data. Cloud instances may be launched for days or hours and then terminated. A log management solution must account for these changes, or else 100% log collection will not be possible. Otherwise, an organization risks discovering that a log source has not been collected after weeks or months, possibly in response to an auditor's
• Log data may contain sensitive information, such as excerpts from emails, user names and passwords. This raises security and privacy concerns that necessitate proper log data security. Logs improperly secured when being transported to any centralized collection system are susceptible to intentional or unintentional alteration or destruction.


• Log data should be secured. If administrative privileges are not properly maintained and the logs secured, then the logs can be manipulated or altered. It is important to understand and limit such privileges and access to logged data as well.

Analysis and Review
Analysis and review of log data presents two significant challenges: regular review of log data, and the varying formats of log data.

Regular log review is a valuable practice for any organization, and is a requirement of many compliance mandates. Typically, system administrators have been responsible for reviewing and analyzing log data, but this has usually been a lower priority than other activities, such as more strategic business projects. Rapid-response situations, such as performance issues, vulnerability remediation, and security incident response and investigation, also tend to take priority over log review. The result? Log management projects are never started or linger unfinished.

Log contents vary enormously. Some logs are designed for humans to read and others simply are not; some logs use standard formats, while others use proprietary formats. Some log formats are comma separated, some are space delimited, and still others use symbols or other character delimiters between the fields within a single log message.

Each log entry, or message, contains certain defined pieces of information, such as a host IP address or username. Each log source records the pieces of information that it considers important. Consequently, it can be extremely difficult to link different log sources because they may or may not contain common
Even when two sources record the same values, they may be recorded in different and varied log messages. Additionally, they may represent them differently. For example, a date may be formatted MMDDYYYY, MM-DD-YYYY, or DD/MM/YYYY.

Deciphering dates in various formats may be simple for a human reviewer, but consider the example of the use of FTP (File Transfer Protocol) being recorded by one log source as "FTP" and another as "21," its well-known port number. Very few analysts can easily distinguish the full 1,024 well-known ports by port
One approach to dealing with this complexity is to create Perl scripts to search and produce only those log messages matching the query. In concept this is a reasonable approach, but with the growing complexity and variety of sources, its ability to alleviate the problems of manual log review is limited.
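An added example (not from the paper or any Alert Logic product) of the normalization step the preceding paragraphs describe: each source declares its delimiter, field order and date layout, service values are reconciled whether a source logged a name or a well-known port number, and the normalized records are then linked across sources. The port table, the field specifications and the sample log lines are constructed assumptions; the date layout is declared per source because a bare string such as 01052012 cannot be disambiguated on its own.

```python
from datetime import datetime

# A constructed subset of the well-known ports (not the full 1,024-entry list)
WELL_KNOWN_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 53: "dns",
                    80: "http", 110: "pop3", 143: "imap", 443: "https"}
SERVICE_TO_PORT = {name: port for port, name in WELL_KNOWN_PORTS.items()}

# The three date layouts the paper names, mapped to strptime patterns. The
# layout must be declared per source; "01052012" is ambiguous on its own.
DATE_LAYOUTS = {"MMDDYYYY": "%m%d%Y", "MM-DD-YYYY": "%m-%d-%Y", "DD/MM/YYYY": "%d/%m/%Y"}


def normalize_date(text, layout):
    """Convert a date written in the named layout to ISO 8601 (YYYY-MM-DD)."""
    return datetime.strptime(text, DATE_LAYOUTS[layout]).date().isoformat()


def normalize_service(value):
    """Accept "FTP", "ftp" or "21" and return the pair (service name, port)."""
    value = value.strip().lower()
    if value.isdigit():
        port = int(value)
        return WELL_KNOWN_PORTS.get(port, "unknown"), port
    return value, SERVICE_TO_PORT.get(value)


def parse_source(raw_lines, spec):
    """Split each line with the source's delimiter and map fields by position.

    spec keys: name, delimiter, fields (ordered names, must include "date" and
    "src"), date_layout, service_field (the field holding a name or a port).
    """
    records = []
    for line in raw_lines:
        if not line.strip():
            continue
        parts = line.split(spec["delimiter"])
        if len(parts) != len(spec["fields"]):
            raise ValueError(f"{spec['name']}: unexpected field count in {line!r}")
        raw = dict(zip(spec["fields"], parts))
        name, port = normalize_service(raw[spec["service_field"]])
        records.append({
            "date": normalize_date(raw["date"], spec["date_layout"]),
            "src": raw["src"],
            "service": name,
            "port": port,
            "source": spec["name"],
            "raw": line,  # the original message is kept for archival and audit
        })
    return records


def correlate(records):
    """Group normalized records by (date, src, service); each value lists the
    sources that saw that combination, so events can be linked across sources."""
    groups = {}
    for r in records:
        key = (r["date"], r["src"], r["service"])
        groups.setdefault(key, []).append(r["source"])
    return groups


# Constructed sample logs: a comma-separated firewall log that records the port
# number, and a space-delimited FTP server log that records the service name.
FIREWALL_SPEC = {"name": "firewall", "delimiter": ",",
                 "fields": ["date", "src", "port", "action"],
                 "date_layout": "MM-DD-YYYY", "service_field": "port"}
FTPD_SPEC = {"name": "ftpd", "delimiter": " ",
             "fields": ["date", "src", "service", "result"],
             "date_layout": "DD/MM/YYYY", "service_field": "service"}
FIREWALL_LINES = ["05-01-2012,10.0.0.5,21,allow", "05-01-2012,10.0.0.9,443,allow"]
FTPD_LINES = ["01/05/2012 10.0.0.5 FTP login-failed"]


def linked_events():
    """Normalize both sample sources and link records that describe the same
    host using the same service on the same day."""
    records = parse_source(FIREWALL_LINES, FIREWALL_SPEC) + parse_source(FTPD_LINES, FTPD_SPEC)
    return correlate(records)


if __name__ == "__main__":
    for key, sources in linked_events().items():
        print(key, "->", sources)
```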
Log data must be treated like any other organizational data, subject to security and retention policies, as well as compliance mandates. Because it often contains sensitive data (such as customer data), breach of log data is a serious problem. As a result, protection of log data both in transit to the log collection solution and when stored is an important concern.


This means that access to log data must be strictly controlled, and under no circumstances should log data be alterable.
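One way to make stored log data tamper-evident, as an added example that is not from the paper: each raw message is archived unaltered, in the original form the compliance mandates require, and chained to its predecessor with an HMAC, so an edit, a re-ordering or a deletion inside the chain fails verification. The key, the sample messages and the record layout are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed sample messages in syslog style (hosts, users and addresses are
# made up). They are archived exactly as received, never rewritten.
RAW_MESSAGES = [
    "May  1 09:00:01 db01 sshd[2231]: Failed password for jsmith from 10.0.0.7 port 51022 ssh2",
    "May  1 09:00:04 db01 sudo: jsmith : TTY=pts/0 ; COMMAND=/usr/bin/less /var/log/secure",
    "May  1 09:00:09 db01 su: FAILED su for root by jsmith",
]
# Placeholder key for the example. The real key must not be readable from the
# hosts that write the logs, or a writer could re-chain the archive after an edit.
ARCHIVE_KEY = b"placeholder-archive-key"
GENESIS = "0" * 64  # previous-MAC value used for the first record


def _mac(key, prev_mac, seq, raw):
    """HMAC-SHA256 over (previous MAC, sequence number, raw message), canonically encoded."""
    payload = json.dumps([prev_mac, seq, raw], separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append(chain, key, raw):
    """Append one raw message, binding it to the record before it."""
    prev_mac = chain[-1]["mac"] if chain else GENESIS
    seq = len(chain)
    chain.append({"seq": seq, "prev": prev_mac, "raw": raw,
                  "mac": _mac(key, prev_mac, seq, raw)})
    return chain


def verify(chain, key):
    """Return None if the chain is intact, otherwise the position of the first
    record that fails: an edited message, a re-ordered record, or the gap left
    by a deleted record. Truncation at the very end is not visible here, so the
    archive's record count (or its last MAC) must be kept separately as well."""
    prev_mac = GENESIS
    for position, rec in enumerate(chain):
        if rec["seq"] != position or rec["prev"] != prev_mac:
            return position
        expected = _mac(key, prev_mac, position, rec["raw"])
        if not hmac.compare_digest(rec["mac"], expected):
            return position
        prev_mac = rec["mac"]
    return None


def build_archive(messages=RAW_MESSAGES, key=ARCHIVE_KEY):
    chain = []
    for m in messages:
        append(chain, key, m)
    return chain


def tamper_demo():
    """Verify an intact archive, one with a message edited in place, and one
    with a record deleted from the middle of the chain."""
    intact = build_archive()
    edited = build_archive()
    edited[1]["raw"] = edited[1]["raw"].replace("jsmith", "nobody")
    deleted = build_archive()
    del deleted[1]
    return {"intact": verify(intact, ARCHIVE_KEY),
            "edited": verify(edited, ARCHIVE_KEY),
            "deleted": verify(deleted, ARCHIVE_KEY)}


if __name__ == "__main__":
    print(tamper_demo())  # {'intact': None, 'edited': 1, 'deleted': 1}
```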
In addition, storing log data centrally from distributed sources across an organization creates a massive storage management challenge. Purchasing and deploying the required storage consumes valuable real estate and power (both for operations and cooling) and must be managed, backed up, and included in disaster-recovery planning.


Automated Log Management
As the challenges of log management have grown, so have the benefits of automated log management solutions. An appropriate log management solution provides many benefits to an organization:
• Log collection across all IT infrastructure - on premise, hosted, and in the cloud
• Sophisticated parsing of logs to enable analysis of data from a widely-varying set of log sources
• Reporting tools that provide insight into your organization's security posture
• Tools to enable post-incident analysis of log data
• Reliable, regular review of log data that meets compliance mandates as well as security best

The cost of log management tools and services must be weighed against the internal staff time required to attempt log management, as well as the cost of non-compliance, data loss, and security incidents.

Log management solutions should be evaluated against the practices described in this paper:
• Does the solution provide complete log collection across all sources, and in all environments?
• Is log data parsed and normalized to support the required search and analysis functions?
• Is regular log review provided that meets internal requirements and compliance mandates?
• Is data transmitted and stored securely?
• Can data be archived according to organizational retention policies, with appropriate levels of data


While compliance initiatives often drive the need for log management, there are myriad security and availability related benefits as well. As for compliance, there are many governing regulations and standards, most notably PCI, Sarbanes-Oxley, HIPAA, GLBA, and FISMA, which require log collection, retention and access for forensic analysis. Each of these has varying levels of "key controls" that dictate the collection, analysis and secure archival of log data in sufficient detail for appropriate time periods.

Some of the other benefits achieved through routine log analysis are improved detection of security incidents, policy violations, fraudulent activities, and operational problems. Logs are also useful for establishing performance baselines, performing auditing and forensic analysis, supporting internal investigations and identifying operational trends and long-term problems.

Whether home-grown or purchased, in-house log management solutions consistently fall short because they face a continuous supply of log data with definite resource limitations. In today's environment, every organization is faced with the log management challenge, though no one has idle full-time employees and hardware resources to apply to the challenge - not to mention unlimited capital budgets.

Even if you were able to collect, consolidate, and archive log data in an automated fashion, the data needs to be protected from malicious and accidental breaches of confidentiality and integrity - not to mention disasters, whether they be natural, malicious, or accidental. Compounding this is that interpreting raw log data via views and reports, as well as supporting forensic queries, is no small undertaking. Hiring and retaining log knowledge experts is not only an impossible task, but having these experts available to efficiently and effectively review log data on a regular basis is simply not feasible.

Considering the breadth of servers, operating systems, databases, applications, and network infrastructure components that produce log data, coupled with the lack of standardized log formats, a vendor managed solution is the best choice for most companies.


About Alert Logic
Alert Logic, the leading provider of Security-as-a-Service solutions for the cloud, provides solutions to secure the application and infrastructure stack. By integrating advanced security tools with 24x7 Security Operations Center expertise, customers can defend against security threats and address compliance mandates. By leveraging an "as-a-Service" delivery model, Alert Logic solutions include day-to-day management of security infrastructure, security experts translating complex data into actionable insight, and flexible deployment options to address customer security needs in any computing environment.

Built from the ground up to address the unique challenges of public and private cloud environments, Alert Logic partners with over half of the largest cloud and hosting service providers to provide Security-as-a-Service solutions for business application deployments for over 1,700 enterprises.

Alert Logic is based in Houston, Texas, and was founded in 2002. For more information, please visit
