Townsend Security Data Privacy Blog

The 6 Fundamentals of System Logging

Posted by Luke Probasco on Jun 2, 2011 7:48:00 AM

system loggingSystem logging has become one of the most essential tasks of contemporary corporate IT.  Several IT standards and regulations, primarily in the interest of traceability (e.g.: PCI-DSS, SOX, etc.) now require it.

Like other IT projects, the implementation of up-to-date logging also requires careful planning.  For example: systems need to be monitored and the parameters related to security and archiving need to be defined.  Apart from the pure technical aspects it is also recommended to take into consideration several other factors that can not only make a log management system more cost-effective, but can also prevent organizations from having to face difficulties in the future.

With many years of system logging under our belt, we bring you the six fundamentals of system logging:

1) Invest in a Reliable Logging Solution

There are differences among logging solutions in respect of reliability.  The traditional and well-spread protocols were not developed for secure message transferring; therefore the devices applying them do not comply with the needs of organizations governed by different regulations.  If your organization is under any compliance regulations (PCI, SOX, HIPAA, etc.) it is highly recommended to ensure that your central logging infrastructure is reliable.

2) Make sure your logging solution has customized alarms and reports

Alarming and report-making modules are features of a good logging management system because they provide the tangible “end-products” of log management that have to support both the work of operators and the execution of the tasks of specialists responsible for security.  The exhaustiveness of the reports and the sensitivity of the alarms always have to be adjusted to the available quantity of the human resources processing them.

3) Define what to collect, what to analyze, and what to archive

Compliance regulations play an essential role in defining the exhaustiveness of system logging.  For example, section 10.3 of PCI DSS states that all events of all system components – at least data referring to the users identity, the type of event, the data and time of the event, and the origin of the event, name, successfulness or refusal have to be registered.  A huge amount of time and money can be saved if the irrelevant pieces of information can be successfully eliminated before analysis and archiving.

4) The infrastructure providing the time stamps and certificates is a critical point

When setting up a logging infrastructure due to critical business processes or meeting compliance regulations (e.g.: PCI-DSS), it is important to ensure privacy and confidentiality, and the high availability and security of the sub-system providing certificates and timestamps for strict sequence numbering.  Forging the time or the certificate means a fundamental attack against the logging infrastructures; therefore the corruption of these sub-systems questions the authenticity of the whole system itself.

5) Sensitive data needs to have regulated accessibility

All components of the logging system have to be handled as critical systems – including the log files themselves, which could entail such sensitive data as passwords and personal data.

6) Constantly be logging

In the case of each and every logged business process, consider carefully whether it is essential or not for them to be operating without logging as well.  The developers of syslog-ng have taken several steps in order to ensure uninterrupted logging.  The syslog-ng Premium Edition saves the messages on the local hard disk when the central logging server or network connection becomes inaccessible.

Summary

Logging is a must.  Download a free 30-day evaluation of syslog-ng Premium Edition now.

 

Click me

Topics: logging