Dr. Anton Chuvakin, co-author of Security Warrior (highly recommended. I have purchased several copies for friends -- it's up there with Beyond Fear in my security reading list) is an expert in the subject of log management/analysis and I'm looking forward to listening to him speak on the subject tomorrow. For those not in Orlando (or stuck in TechEd down the road), here's a post on the subject from last week, and another from today:
Now, I have to first admit that, in general, dealing with logs on a device-specific basis is a cruel joke. What I mean here is when you gather Windows logs in one place, Linux logs in another place, database logs in yet another place; all in different formats, all in different systems not connected to each other, all managed by different people who don't talk to each other (and sometimes hate each other). Yuck! Basically, this situation is "logs at their worst": all different, all disjointed and, as a result, all next to useless.
However, there are rare situations where you can choose a device-specific log management approach (and still not look like a money- and time-wasting idiot :-)). For example, you might be motivated by the fact that tools that can handle one specific type of log data (e.g. Windows-only, web server-only or Cisco PIX-only) are usually many times less expensive than cross-device log management tools. The table below clarifies it: [From Cross-Device-Type Log Management vs Device-Specific Log Management]
I consider logs a vastly under-utilized resource for intelligence gathering and threat assessment and have been thinking a lot about log federation and visualization, so tomorrow's session should be exceptionally interesting.
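To make the "all different, all disjointed" point concrete, here is a small added illustration of what cross-device log federation actually has to do: pull a Linux syslog line, a Windows security event and a Cisco PIX message into one common record shape so that the same source address can be spotted across all three. This is my own example, not code from Chuvakin's post or from any product; the three log lines are constructed, the Windows line is a simplified key=value rendering rather than a real event log export, and the PIX format is an approximation of the real syslog layout. Event ID 529 is the classic NT/2000/2003 logon-failure ID.

```python
import re
from collections import defaultdict

# Constructed sample lines, one per device type. These are illustrative,
# not captured from any real system.
SAMPLE_LINES = [
    "Jun 12 10:15:32 web01 sshd[2211]: Failed password for root from 203.0.113.5 port 4422 ssh2",
    "2006-06-12T10:15:40Z WIN-DC1 EventID=529 User=admin Source=198.51.100.7 Status=Failure",
    "Jun 12 2006 10:15:45 pix01 : %PIX-6-106015: Deny TCP (no connection) "
    "from 203.0.113.5/4433 to 192.0.2.10/22 flags SYN on interface outside",
]

# Cisco PIX syslog: "<month> <day> <year> <time> <host> : %PIX-<sev>-<id>: <msg>"
PIX_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{4} \d\d:\d\d:\d\d) (?P<host>\S+) : %PIX-\d-(?P<id>\d+): (?P<msg>.*)$"
)
PIX_DENY_RE = re.compile(r"Deny \w+ .*?from (?P<src>[\d.]+)/\d+ to (?P<dst>[\d.]+)/\d+")

# Classic BSD syslog: "<month> <day> <time> <host> <prog>[<pid>]: <msg>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
SSH_FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")

# Windows logon-failure event IDs in the NT/2000/2003 numbering (529 = bad user/password).
WIN_LOGON_FAILURE_IDS = {"529", "530", "531", "532", "533", "534", "535", "537", "539"}


def normalize(line):
    """Map one raw line from any of the three devices onto a common record.

    Returns a dict with the same keys regardless of source, or None when the
    line matches none of the known layouts (so callers can count what they drop).
    """
    record = {"source_type": None, "ts": None, "host": None,
              "action": "other", "user": None, "src_ip": None, "dst_ip": None}

    m = PIX_RE.match(line)
    if m:
        record.update(source_type="cisco_pix", ts=m["ts"], host=m["host"])
        d = PIX_DENY_RE.search(m["msg"])
        if d:
            record.update(action="deny", src_ip=d["src"], dst_ip=d["dst"])
        return record

    m = SYSLOG_RE.match(line)
    if m:
        record.update(source_type="linux_syslog", ts=m["ts"], host=m["host"])
        f = SSH_FAIL_RE.search(m["msg"])
        if m["prog"] == "sshd" and f:
            record.update(action="auth_failure", user=f["user"], src_ip=f["src"])
        return record

    # Simplified Windows layout (constructed): "<iso-ts> <host> Key=Value ..."
    parts = line.split()
    if len(parts) >= 3 and all("=" in p for p in parts[2:]):
        kv = dict(p.split("=", 1) for p in parts[2:])
        record.update(source_type="windows_event", ts=parts[0], host=parts[1],
                      user=kv.get("User"), src_ip=kv.get("Source"))
        if kv.get("EventID") in WIN_LOGON_FAILURE_IDS:
            record["action"] = "auth_failure"
        return record

    return None


def build_events(lines):
    """Normalize a batch of lines, silently skipping unparseable ones."""
    return [e for e in (normalize(l) for l in lines) if e is not None]


def correlate_by_source_ip(events):
    """Group device types by the source address they reported.

    This is the payoff of federation: the same address seen by a host's sshd
    and by the perimeter firewall shows up as one entry instead of two silos.
    """
    seen = defaultdict(set)
    for e in events:
        if e["src_ip"]:
            seen[e["src_ip"]].add(e["source_type"])
    return {ip: sorted(types) for ip, types in seen.items()}


if __name__ == "__main__":
    evs = build_events(SAMPLE_LINES)
    for e in evs:
        print(e)
    print(correlate_by_source_ip(evs))
```

The normalization layer is the part the device-specific tools skip and the cross-device tools charge for: each parser is trivial on its own, but only once every source lands in the same record shape does a question like "which addresses did more than one device complain about?" become a one-liner.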