Sunday, October 23, 2011

The SANS Top 20 Week 6

    Control 6 on the SANS Top 20 is something near and dear to my heart. That's right: logging. Ok, before we get too far into this I have to be honest. There is absolutely nothing fun, exciting, or interesting about logging. Most of the great solutions out there are very expensive; the primary example that comes to my mind is LogRhythm. However, the authors of the 2011 Verizon report have a great point. They stated that if someone had a basic idea of how many log entries they have in a given period of time, and could tell when that number increased, they would be ahead of a large portion of the organizations mentioned in their report. While this is a bit beyond the scope of this entry, here is a link.
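The Verizon point above (know your normal log volume, notice when it jumps) is small enough to script. The following is an added example, not code from the original post or from any product it mentions: it buckets syslog-style lines by hour, takes the median hourly count as the baseline, and flags any hour that exceeds the baseline by a factor. The line format, the `fw01` host name and the Cisco ASA-style messages are constructed sample data, not captured logs.

```python
"""Count log lines per hour and flag hours whose volume spikes above baseline.

Added example for the SANS Control 6 write-up; the sample log lines are constructed.
"""
from __future__ import annotations

import re
import statistics
from collections import Counter

# Assumed line format: ISO-ish timestamp, host, message. Adjust LINE_RE for real sources.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2} (\S+) (.*)$")


def hour_bucket(line: str) -> str | None:
    """Return the 'YYYY-MM-DDTHH' bucket for a line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.group(1) if m else None


def count_per_hour(lines) -> Counter:
    """Tally parseable lines into hourly buckets; unparseable lines are skipped."""
    counts: Counter = Counter()
    for line in lines:
        bucket = hour_bucket(line)
        if bucket is not None:
            counts[bucket] += 1
    return counts


def find_spikes(counts: Counter, factor: float = 3.0, min_hours: int = 4) -> dict:
    """Return {hour: count} for hours more than `factor` times the median hourly count.

    The median is used rather than the mean so one spike does not inflate its own
    baseline. With fewer than `min_hours` buckets there is no meaningful baseline,
    so nothing is flagged.
    """
    if len(counts) < min_hours:
        return {}
    baseline = statistics.median(counts.values())
    return {h: c for h, c in sorted(counts.items()) if c > factor * baseline}


def build_sample() -> list[str]:
    """Constructed sample: ~10 firewall lines per hour for one day, plus a burst of
    200 denied SSH connections at 14:00 (hypothetical data, not a real capture)."""
    lines = []
    for hour in range(24):
        if hour == 14:
            n = 200
            msg = ("%ASA-4-106023: Deny tcp src outside:198.51.100.7/40000 "
                   "dst inside:10.0.0.5/22 by access-group outside_in")
        else:
            n = 10
            msg = "%ASA-6-302013: Built outbound TCP connection"
        for i in range(n):
            lines.append(f"2011-10-20T{hour:02d}:{i % 60:02d}:{(i * 7) % 60:02d} fw01 {msg}")
    lines.append("garbage line without a timestamp")
    return lines


if __name__ == "__main__":
    sample_counts = count_per_hour(build_sample())
    for hour, count in sorted(sample_counts.items()):
        print(f"{hour}  {count}")
    for hour, count in find_spikes(sample_counts).items():
        print(f"SPIKE {hour}: {count} lines (median {statistics.median(sample_counts.values())})")
```

Pointed at a real file, the same functions work on any source whose lines match `LINE_RE`; the factor of 3 is a starting guess to tune against a week of your own data, not a recommendation from the report.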

    I worked for a restaurant chain not too long ago. We had a PCI compliance issue and we needed to do some logging. So here is what I did. I found a solution called Splunk. Splunk will index up to 500MB of logs per day for free. What this means is that you can take logs from just about anywhere and index them. So what I did is take all of our point-of-sale systems, the logs from our Cisco firewall, and a few choice others. That information was then collected into a flat file database. Splunk then offered me a great browser interface which I could type queries into, but where this solution really shined was the modules. Someone had already designed a PCI module, and I was able to have it do the searching for me.

    In the end, logging comes down to two things. First, you have to hold onto logs for a fixed amount of time. Second, you need to have a way to look at them. How you do that efficiently depends on the size of the organization, the amount of data, and how important it is to the organization. In my mind, with a little bit of disk space and a few hours, you can get a lot of great data.
