In our final installment on system logging on the IBM i series, Patrick Townsend, Founder & CTO, discusses what to look for when selecting and deploying a logging solution. As we found out in part two of this series, it really isn’t a good idea to take the “do it yourself” approach. System logs are in several different locations on the IBM i, and even if you get them all together, it is still a challenge to get them in a useable format. Here is what Patrick has to say about selecting a logging solution:
So what do you need to look for when selecting and deploying a logging solution?
I think that there are four key points when looking at a logging solution especially on the IBM i Platform. One is, you want a real-time logging solution. It won’t cut it to have a system collecting events once or twice a day and sending them off to a log server. You need a real-time system that is collecting events as they happen so that your log collection server and your SIEM can actually correlate events across multiple servers and “see” what’s happening.
Secondly, on the IBM i, performance is always an issue. We have many customers running Alliance LogAgent with tens of millions of events a day. Just this week we talked to a customer who was generating 120 million events a day. That is a lot of events to be collecting and other solutions just can’t keep up with the sheer volume of events. If your system can’t keep up with that, you will have a real compliance problem. I’m really proud of the performance of our solution and that it allows us to do hundreds of millions of events every day, keeping up with the security events of the largest customers.
Third, logs should be protected while they are being transmitted to a log server. Alliance LogAgent protects the transmission with a SSL/TCP connection. Some of the information in your system logs can be very sensitive and it would be a bad idea to transmit this data in the clear. When choosing a logging solution, it should have full support for a secure transfer mechanism.
Finally, industry standards are very important. Standards are important on a very practical level. When you buy a light bulb in the store, you want to be able to take it home and plug into a light socket. You are able to do this because of standards. The same is true for logging events on the IBM i. There is a standard format for logging system events and the way you send your logs from an IBM i to a log collection server. Query, reporting, and alerting tools depend on those standard formats. The solution that you decide to deploy should be built on industry standards. We support both the RFC Format and Common Event Format standards.
Those are the four most critical points for a standard logging solution and I am really proud that our product, LogAgent stands up really well on all four of those points. Overall, I think if you focus on those four items you’ll be in a good place.
Listen to our podcast “System Logging on the IBM i” for more information on logging, how it can help you meet compliance requirements, what to look for in a logging solution, and how Townsend Security can help you transmit the logs from your IBM i to any SIEM console.