Logging - caitlinmallen/TechWiki GitHub Wiki

Logging

  • A record of an event on the network or on a system
  • Enables the security principle of accountability
    • Compliance
    • Investigations
    • Operations and maintenance
  • Volume Challenge
    • Collection scope and log volume have grown exponentially
    • Log management must be considered when implementing any logging
    • Important to collect only the logs you need instead of logging everything
    • Some logging vendors charge by volume (Splunk)
  • Log Management
    • Process covering log generation, transmission, storage, analysis, and disposal
    • Defined logging requirements and goals
      • Some based on regulatory compliance and best practices
      • Prioritized lists of logging sources and data retention requirements
        • Not keeping everything forever
      • Confidentiality, integrity, and availability (CIA) of log data
      • A designated organizational entity should be in charge of log management
  • Logging Infrastructure
    • Analyze the sizing requirements
      • Anticipated volume
      • Traffic
      • Space available for log storage
      • Compression and copies
      • Rotation/Destruction/Decay requirements
    • Staffing and budget
      • Who analyzes the logs
      • Costs, schedule, and functionality
  • Log Management Tasks
    • Are all sources producing logs?
    • Is the rotation scheme working?
    • Is time synchronized across all sources?
    • Do all logs have an analytical task associated with them?
    • Is there a log reduction and normalization scheme?
  • Challenges and Approaches
    • Timestamps and time accuracy
      • Use NTP and UTC across the board
      • Validate time syncing periodically
    • Format and correlation
      • Log formats differ between data sources
      • Normalize them into a common schema
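As an added illustration of the last two points (not part of the original wiki page), the Python below normalizes three constructed log lines in different formats into one schema with ISO 8601 UTC timestamps, then correlates them by source IP. The sample lines, host names, IP addresses and the syslog year/zone are assumptions.

```python
import json, re
from datetime import datetime, timezone

# Constructed sample lines (not real data): one per source format, all describing
# client 10.0.0.5 within a few seconds but stamped by three different clocks.
SAMPLES = [
    ("apache", "web01", '10.0.0.5 - alice [03/Mar/2024:14:02:11 -0500] "GET /login HTTP/1.1" 200 512'),
    ("syslog", "web01", "Mar  3 19:02:13 web01 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 52214 ssh2"),
    ("json", "fw01", '{"ts": "2024-03-03T19:02:09Z", "src_ip": "10.0.0.5", "msg": "allow tcp/22"}'),
]
APACHE_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) \S+: (?P<msg>.*)$")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def normalize(source, host, line, syslog_year=2024, syslog_tz=timezone.utc):
    """Map one raw line to a common schema: ts (ISO 8601 UTC), host, src_ip, msg, source."""
    if source == "apache":
        m = APACHE_RE.match(line)
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")  # zone offset is in the line
        src_ip, msg = m["ip"], f'{m["req"]} -> {m["status"]}'
    elif source == "syslog":
        # RFC 3164 carries neither year nor zone: the caller supplies both (assumed 2024, UTC
        # here); a wrong assumption silently shifts every event, which is why NTP/UTC matters.
        m = SYSLOG_RE.match(line)
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=syslog_year, tzinfo=syslog_tz)
        host, msg = m["host"], m["msg"]
        src_ip = next(iter(IPV4_RE.findall(msg)), None)  # first IPv4 address in the message
    elif source == "json":
        obj = json.loads(line)
        ts = datetime.fromisoformat(obj["ts"].replace("Z", "+00:00"))  # bare "Z" needs Python 3.11+
        src_ip, msg = obj.get("src_ip"), obj.get("msg", "")
    else:
        raise ValueError(f"unknown source format: {source}")
    return {"ts": ts.astimezone(timezone.utc).isoformat(), "host": host,
            "src_ip": src_ip, "msg": msg, "source": source}

def correlate(records, window_seconds=10):
    """Group normalized records by src_ip, keeping groups of 2+ events inside the window."""
    by_ip = {}
    for rec in records:
        if rec["src_ip"]:
            by_ip.setdefault(rec["src_ip"], []).append(rec)
    groups = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])  # ISO UTC strings sort chronologically
        span = datetime.fromisoformat(recs[-1]["ts"]) - datetime.fromisoformat(recs[0]["ts"])
        if len(recs) > 1 and span.total_seconds() <= window_seconds:
            groups[ip] = recs
    return groups
```

Running `correlate([normalize(*s) for s in SAMPLES])` lands all three events on 10.0.0.5 in one group in the order json, apache, syslog; with a 2-second window the group disappears, showing how much a clock or zone error costs during correlation.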