System Log Reviews?

  • Are you seeing regular reviews being performed by IT of system logs? Reviewing for suspicious activity? Reviewing what system administrators are doing to ensure they are not doing something harmful?
    My current client states that their system logs are too voluminous to review. They save a backup copy of the logs, and the only time they would refer to it is if there were ever a problem.
    Until there is some filtering of the system logs by additional software, it does appear to be like searching for a needle in a haystack. I've seen hard copies of some logs that were over a foot thick.
    What are you seeing? Any suggestions?

  • There's an art to system logs, which really revolves around ensuring that you log (and review) the right events. Sure, if you log every action or transaction, your logs are going to be enormous and you would only use them to resolve a problem. However, a log of, say, failed access attempts is going to be fairly short, and if it isn't, that is indicative of a problem. Sometimes larger logs can be shortened by the use of a query tool, e.g. ACL.
    Also, keeping a log is not enough for it to be an effective control - you need to review and follow up.

  • Thanks Denis.
    We have written a special program to pull out unsuccessful login attempts, and that control is working well.
    The problem is we are not able to review the log specifically to monitor system administrator activities, due to the size of the log.

  • With the trend of enabling logging on all transactions and processes, the logs are big even for a mid-sized IT operation.
    The idea is to review logs only for exceptions. Filtering them intelligently is another point. Most of the tools will aggregate the logs, but again the filtering part is yours.
    There is also a lot of resistance from IT people about reviewing logs, as they consider it a really dull part of the job. Also, they tend to confuse the reviewing of logs with the review they do while troubleshooting something. When you troubleshoot a problem you really have to dig deep and analyze the logs in detail. The review for compliance is broader but less deep. Please correct me if I am wrong.
    A very pertinent point to note is that reviewing logs isn't that big or tough a task if you review them on a regular basis, like daily/weekly. The volume is not big then, and I have seen people get proficient really fast in analyzing them. Also, you don't need to analyze all the logs.
    I asked the network people to do analysis of firewall logs in my company, and there was a lot of resistance initially, but now it's all in place.
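The thread keeps circling the same three points: pull out failed access attempts and treat a long list as a finding in itself, review privileged (system administrator) activity without reading the whole log, and review by exception rather than by volume. The script below is an added example written for this page, not code from any of the posters; it runs over a handful of constructed syslog-style sshd/sudo lines (made-up hosts, users and addresses) and applies all three ideas. The "routine command" allow-list and the failure threshold are assumptions a real site would tune from its own change process.

```python
import re
from collections import Counter

# Constructed sample auth log (made up for this example; not real data).
SAMPLE_LOG = """\
Mar 10 08:01:12 srv1 sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 51122 ssh2
Mar 10 08:02:44 srv1 sshd[2210]: Failed password for invalid user admin from 203.0.113.9 port 40001 ssh2
Mar 10 08:02:45 srv1 sshd[2211]: Failed password for invalid user admin from 203.0.113.9 port 40002 ssh2
Mar 10 08:02:46 srv1 sshd[2212]: Failed password for root from 203.0.113.9 port 40003 ssh2
Mar 10 08:02:47 srv1 sshd[2213]: Failed password for root from 203.0.113.9 port 40004 ssh2
Mar 10 08:05:01 srv1 CRON[2300]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 10 08:06:10 srv1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 10 08:07:33 srv1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/useradd -m backdoor
Mar 10 08:07:40 srv1 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/cat /var/log/auth.log
Mar 10 08:09:02 srv1 sshd[2350]: Failed password for carol from 10.0.0.7 port 51200 ssh2
Mar 10 08:09:30 srv1 sshd[2351]: Accepted password for carol from 10.0.0.7 port 51201 ssh2
"""

# OpenSSH failed-password line, with or without the "invalid user" prefix.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)
# sudo audit line: who ran what as whom.
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)

# Assumed allow-list of privileged commands that need no follow-up; a real
# site derives its own from its change/ticketing process.
ROUTINE_COMMANDS = ("/usr/bin/systemctl",)


def failed_logins(lines):
    """Return (user, source_ip) for every failed sshd password attempt."""
    hits = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            hits.append((m.group("user"), m.group("ip")))
    return hits


def brute_force_sources(lines, threshold=3):
    """Source IPs with at least `threshold` failures.

    This is the 'a failed-access log should be short, and if it is not,
    that is itself the finding' rule from the thread, made concrete.
    """
    counts = Counter(ip for _, ip in failed_logins(lines))
    return {ip: n for ip, n in counts.items() if n >= threshold}


def privileged_exceptions(lines, routine=ROUTINE_COMMANDS):
    """sudo invocations whose command is NOT on the routine allow-list.

    Review by exception: the reviewer sees only what falls outside the
    expected administrator activity, not every privileged command.
    """
    routine = tuple(routine)
    out = []
    for line in lines:
        m = SUDO_RE.search(line)
        if not m:
            continue
        cmd = m.group("cmd").strip()
        if not cmd.startswith(routine):
            out.append((m.group("user"), m.group("target"), cmd))
    return out


def exception_report(text, threshold=3):
    """Summarise a log into the few items a daily/weekly reviewer must act on."""
    lines = text.splitlines()
    return {
        "lines_scanned": len(lines),
        "failed_logins": len(failed_logins(lines)),
        "brute_force_sources": brute_force_sources(lines, threshold),
        "privileged_exceptions": privileged_exceptions(lines),
    }


if __name__ == "__main__":
    report = exception_report(SAMPLE_LOG)
    print(f"scanned {report['lines_scanned']} lines, "
          f"{report['failed_logins']} failed logins")
    for ip, n in report["brute_force_sources"].items():
        print(f"FOLLOW UP: {n} failures from {ip}")
    for user, target, cmd in report["privileged_exceptions"]:
        print(f"FOLLOW UP: {user} ran as {target}: {cmd}")
```

On the sample, eleven lines collapse to three items for follow-up: one source address with four failures, and two sudo commands by the same administrator that are not on the allow-list (creating an account, and reading the auth log that records the administrator's own actions). Scheduling this as a daily job, with the output handed to someone other than the administrators it covers, is the "review and follow up" the second post asks for; the allow-list is deliberately narrow, because an exception that turns out to be routine is cheap to dismiss while a routine list that is too broad hides exactly the activity the first post wants watched.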

