December 29, 2006 • Vol.28 Issue 52
Page(s) 24 in print issue

Demystifying Event Logs
Put Event Logs To Work For Better Security & Compliance
Event logs are a rich repository of detail about network, application, and user activity, yet many enterprises never tap this source of performance and forensics information. SMEs in particular overlook event log analysis because, from the outside, it looks like an overwhelming proposition.

Analyzing your SME’s event logs is a requirement of many compliance programs and a prerequisite for specialized network security and forensics work. Even for day-to-day operations, a regular view of your event log data lets you act on security and network problems when they first present themselves, rather than after they have done damage.

There are two schools of thought when it comes to event log monitoring. While both take a proactive approach, one uses a search engine model, and the other uses a traditional monitoring approach through a dashboard or other alert mechanism.

Event Log Management Best Practices

Anton Chuvakin, director of product management for LogLogic (www.loglogic.com), developers of the LogLogic 3 event log management appliance, has seen a number of log analysis mistakes from customers. He advises that you always enable logging and set sufficient retention periods; finding the right period may take some experimentation. For Windows-based machines, Chuvakin recommends 30 to 90 days. A retention period expressed in days only holds if the log cannot wrap first: the Windows event log overwrites its oldest entries once it reaches its configured maximum size, so size each log (or forward it off the host) to cover the period you chose.

He also advises a proactive approach to log management rather than opening the logs only when a network outage or security issue occurs. “Not looking at the logs until something happens is a big mistake,” according to Chuvakin, because regular review of your logs reveals early signs of problems, including security incidents such as probes, not just trends.

Andre Muscat, security product manager for GFI Software (www.gfi.com), developers of the GFI EventsManager, says, “Information in event logs is distributed and unstructured. Many enterprises are overwhelmed by the process, and as such, analyzing event logs is often overlooked in SMBs.” He further notes that “70% of information in logs is irrelevant.” He says that SMEs should step back and define their goals for event log analysis. “Logs are written by developers, not managers or system administrators.”

Choosing an appropriate event logs monitoring solution requires that you first determine your requirements. Muscat advises that you ask, “What do you want to achieve with the solution?” You need to define your business requirements, such as real-time alerts, security policy violation detection, and policy adherence, based on your internal business needs and/or compliance program requirements.

When identifying the best event logs monitoring solution, Muscat says, “Evaluate the products in the corporate environment and never rely on just marketing information. This goes beyond attending demos and forums discussions or reading the list of features. This requires serious evaluation in your environment as well as professional backup by auditors and experts that can confirm whether the yielded results meet the corporate requirements or not.”

He further advises downloading trial versions of the tools and evaluating them against your own environment and requirements.

Both Chuvakin and Muscat speak to the value of automated tools: a manual, line-by-line log review is infeasible, and that infeasibility is at the root of why so many enterprises disregard their event logs in the first place.
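The kind of automated review Chuvakin and Muscat describe, reduced to its essentials as an added example (this is not code from the article, from LogLogic, or from GFI, and the sample records and their pipe-separated layout are constructed for illustration): it separates the records that matter from the noise in a raw Windows security log, then runs three rules over them, a sliding-window count of logon failures per source that flags the probes Chuvakin mentions, a rule for a successful logon from a source that was just probing, and a rule that treats clearing the audit log as a policy violation. The event IDs 517, 528, and 529 are the Windows 2000/2003 security log numbering; the thresholds, field layout, account names, and addresses are assumptions.

```python
"""Automated, rule-based review of Windows security event records.

Added illustration, not code from the Processor article or from any vendor
product mentioned in it. The log lines below are constructed for the
example; the pipe-separated layout, the "Security" log name field and the
addresses are assumptions, not a real export format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Event IDs as numbered in the Windows 2000/2003 security log (the era of
# the article): 528 successful logon, 529 logon failure (bad user name or
# password), 517 audit log cleared. Windows Vista/2008 and later renumbered
# these to 4624, 4625 and 1102 respectively.
WATCHLIST = {517: "audit log cleared", 528: "logon success", 529: "logon failure"}

PROBE_THRESHOLD = 5                  # failures from one source ...
PROBE_WINDOW = timedelta(minutes=2)  # ... inside this sliding window

# Constructed sample records: timestamp|event_id|log|account|client_address
# The burst from 10.0.0.77 and the later audit-log clear are the planted
# findings; the svc_backup logon/logoff (538) and the object open (560) are
# the kind of routine noise a raw log is mostly made of.
SAMPLE_LOG = """\
2006-12-18T09:00:01|528|Security|svc_backup|10.0.0.5
2006-12-18T09:00:03|538|Security|svc_backup|10.0.0.5
2006-12-18T09:01:10|529|Security|administrator|10.0.0.77
2006-12-18T09:01:12|529|Security|administrator|10.0.0.77
2006-12-18T09:01:13|529|Security|jsmith|10.0.0.77
2006-12-18T09:01:15|529|Security|mjones|10.0.0.77
2006-12-18T09:01:16|529|Security|root|10.0.0.77
2006-12-18T09:01:40|528|Security|mjones|10.0.0.77
2006-12-18T09:05:00|529|Security|alice|10.0.0.12
2006-12-18T09:30:00|560|Security|alice|10.0.0.12
this line is not a valid record
2006-12-18T10:15:00|517|Security|administrator|10.0.0.77
2006-12-18T11:00:00|529|Security|alice|10.0.0.12
"""


def parse_line(line):
    """Return a record dict, or None if the line does not fit the layout."""
    parts = line.strip().split("|")
    if len(parts) != 5:
        return None
    ts, event_id, _log, user, src = parts
    try:
        return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
                "event_id": int(event_id), "user": user, "src": src}
    except ValueError:
        return None


def review(log_text, threshold=PROBE_THRESHOLD, window=PROBE_WINDOW):
    """Filter noise, then apply three rules; return alerts and counts."""
    stats = {"lines": 0, "malformed": 0, "noise": 0, "reviewed": 0}
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stats["lines"] += 1
        rec = parse_line(line)
        if rec is None:
            stats["malformed"] += 1      # count, never silently drop, the unparseable
        elif rec["event_id"] not in WATCHLIST:
            stats["noise"] += 1          # the "irrelevant" majority of a raw log
        else:
            events.append(rec)
    stats["reviewed"] = len(events)
    events.sort(key=lambda r: r["ts"])   # collected logs are rarely in order

    alerts = []
    failures = defaultdict(deque)        # src -> timestamps of recent failures
    probed = {}                          # src -> time its probe alert fired
    for rec in events:
        eid, src, ts = rec["event_id"], rec["src"], rec["ts"]
        if eid == 517:
            # Rule 1: clearing the audit log is a policy violation on its own.
            alerts.append(("audit_log_cleared", src, rec["user"], ts))
        elif eid == 529:
            # Rule 2: sliding window of failures per source; a burst is a probe.
            recent = failures[src]
            recent.append(ts)
            while ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                span = ts - recent[0]
                alerts.append(("logon_probe", src, f"{len(recent)} failures in {span}", ts))
                probed[src] = ts
                recent.clear()           # one alert per burst, not one per failure
        elif eid == 528 and src in probed and ts - probed[src] <= window:
            # Rule 3: a success shortly after a probe is the case to chase first.
            alerts.append(("success_after_probe", src, rec["user"], ts))
            del probed[src]
    return {"alerts": alerts, "stats": stats}


if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    print(result["stats"])
    for kind, src, detail, ts in result["alerts"]:
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {kind:<21} {src:<10} {detail}")
```

Run as a script it prints the counts and three alerts: the five-failure burst from 10.0.0.77, the successful logon from the same address 24 seconds later, and the audit log clear. The malformed and noise counters are worth keeping in any such tool: a filter that silently drops records it cannot parse hides exactly the events an attacker would most like hidden, and a sudden change in the noise ratio is itself a sign that a log source has changed or stopped.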

Christina Noren, vice president of product management and support for Splunk (www.splunk.com), an IT data search engine, offers a different approach to event log management and monitoring. Splunk’s solution indexes and classifies log event data. She says that enterprises need to get all of their event logs off production systems in real time rather than rely on copies stored locally.

“Event logs are subject to compromise on production boxes,” according to Noren. “You need real-time centralized access to event log data.” Centralized access to event log data is both a security best practice and an element of many compliance programs.

Noren further advises that you look for a log management tool that classifies and trends log data it hasn’t handled previously, and that you make log handling self-sufficient through automated tools. Splunk, like the other products featured in this article, sets up easily; it does not require a professional services engagement for installation, configuration, and tuning, but you must still integrate it into your workflow and develop a search regimen over your log data that yields results meaningful to your administrators.

Demystifying Your SME’s Event Logs

Demystifying event logs requires a proactive stance built on retention, regular review, and automated tools, so that log events reach your data center team in a usable and actionable form.

Muscat notes, “Log management is not just about legal compliance. It’s about knowing what is really happening on your IT infrastructure, and to achieve this you need a versatile solution that not only augments your legal compliance efforts but which puts you in a position to perform effective forensic analysis, watch over your system health, and safeguard your information on a 24/7/365 basis. The quest for an effective log management solution costs time and money. Make sure that you are smart enough to get it right the first time.”

by Will Kelly


Tips For Implementing An Event Log Management Tool In Your SME

• Define your expectations and requirements for the event log management tool.

• Set a suitable retention policy for your event log data (30, 60, 90 days).

• Automate your event log review with software tools.

• Download and evaluate log management tools with an eye for a tool that will be there for the long run.

• Spend the time to configure and tune the log management tool you use to take advantage of the appropriate log views and automated alerts.



Log Management Tools

Corner Bowl Software
www.diskmonitor.com
Network Event Viewer enables the management, consolidation, and analysis of multiple local and remote Windows Event log files simultaneously.

GFI Software
www.gfi.com
GFI EventsManager collects data from all devices that use Windows event logs, W3C, and Syslog and applies the best rules and filtering in the industry to identify key data.

LogLogic
www.loglogic.com
LogLogic 3 is an appliance that enables the collection and aggregation of raw log data from any connected data source, analyzes that data in real time, sets alerts to warn of suspicious behavior, and safely stores all data for on-demand retrieval.

Splunk
www.splunk.com
Splunk indexes and securely manages all your logs and IT data. It’s easy to download, install, and use, and it’s very powerful. You can search, navigate, alert, and report on logs and IT data from any application, server, or network device in real time.

VeriSign
www.verisign.com
The VeriSign Log Management Service is available as an onsite solution with initial filtering and storage of logs occurring locally or as a hosted solution with logs sent offsite to VeriSign for analysis and archiving.
Copyright © by Sandhills Publishing Company 2010. All rights reserved.