[logs] Log Analysis -- Best Practice

Ron Gula rgula at tenablesecurity.com
Tue May 29 17:24:29 PDT 2007


harshad.mengle at wipro.com wrote:
> Hi All:
> 
> I am looking for Best Practice information for Log Analysis. Is there
> anyone who can help me out? 
> 

It really depends on what industry you are in and what sort of attacks
and abuse you want to possibly log evidence from. I'm sure you will get
a lot of ideas from list readers here.

If you are just starting out ...

- inventory of what you do have and start grabbing logs from those devices.

- put some independent monitoring in place; you should also get some
sort of network, netflow, IDS, IPS, NBAD and/or packet vault. The idea
is that these logs are independent of any application or OS logs.

If you have lots of logging and security monitoring already in place ...

- try to align your organization's efforts around any of the PCI, NIST,
health care, etc. compliance guides that are applicable for your
organization.

- check with your legal counsel to see if there are any corporate
policies for logging, who is supposed to have access to these logs, what
the retention policy is and so on. Don't be afraid to ask "why?" if a
logging policy seems technically outdated.

Ron Gula, CTO
Tenable Network Security
http://www.tenablesecurity.com
http://blog.tenablesecurity.com
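The two "just starting out" steps above (inventory what you have, then add an independent network source such as netflow) pay off as soon as you check them against each other. The script below is an added example written for this thread, not code from the poster or from Tenable: it compares a device inventory with what is actually arriving in the syslog pipeline, and uses a netflow-style feed as independent evidence to tell a host that is genuinely silent from one whose log feed has broken. The inventory, the syslog lines and the flow records are constructed sample data, the hostnames and IPs are made up, and the 30-minute window and the assumed capture year are arbitrary choices.

```python
"""Log-source coverage check: compare a device inventory against what is
actually arriving in the log pipeline, and use an independent network record
(netflow-style) to tell a silent host from a broken log feed.

Added example for this thread; the inventory, syslog lines and flow records
below are constructed sample data, not from any real environment."""
from __future__ import annotations

import re
from datetime import datetime, timedelta

# Constructed inventory: the hosts we believe we own (hostname -> IP).
INVENTORY = {
    "web01": "10.0.1.10",
    "db01": "10.0.1.20",
    "vpn01": "10.0.1.30",
}

# Constructed syslog lines (RFC 3164 style) as received by the collector.
# db01 last reported an hour ago; lab-pc7 is reporting but is not in inventory.
SYSLOG = """\
May 29 17:01:02 web01 sshd[412]: Accepted publickey for deploy from 10.0.9.5 port 50122 ssh2
May 29 17:03:40 web01 nginx: 10.0.9.5 - - "GET /health HTTP/1.1" 200
May 29 16:10:11 db01 postgres[901]: database system is ready to accept connections
May 29 17:05:09 lab-pc7 sudo: alice : TTY=pts/0 ; COMMAND=/bin/bash
"""

# Constructed flow records from an independent netflow collector:
# (timestamp, src_ip, dst_ip, dst_port, bytes). db01 is clearly alive on the
# network even though its syslog has gone quiet; vpn01 appears nowhere.
FLOWS = [
    ("May 29 17:04:00", "10.0.1.10", "10.0.1.20", 5432, 8120),
    ("May 29 17:04:30", "10.0.1.20", "10.0.1.10", 5432, 91044),
    ("May 29 17:06:00", "10.0.7.77", "10.0.1.10", 443, 5400),
]

YEAR = 2007  # RFC 3164 timestamps carry no year; assume the capture year
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) ")


def parse_ts(text: str) -> datetime:
    """Parse an RFC 3164 'Mon DD HH:MM:SS' timestamp using the assumed year."""
    return datetime.strptime(f"{YEAR} {text}", "%Y %b %d %H:%M:%S")


def last_seen_in_syslog(lines: str) -> dict[str, datetime]:
    """Newest syslog timestamp per reporting hostname."""
    seen: dict[str, datetime] = {}
    for line in lines.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # malformed line: skipped here; a real pipeline should count these
        ts, host = parse_ts(m.group(1)), m.group(2)
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen


def last_seen_in_flows(flows, ip_to_host: dict[str, str]) -> dict[str, datetime]:
    """Newest flow timestamp per inventoried host, counting either direction."""
    seen: dict[str, datetime] = {}
    for ts_text, src, dst, _port, _nbytes in flows:
        ts = parse_ts(ts_text)
        for ip in (src, dst):
            host = ip_to_host.get(ip)
            if host and (host not in seen or ts > seen[host]):
                seen[host] = ts
    return seen


def coverage_report(inventory, syslog_text, flows, now, window=timedelta(minutes=30)):
    """Classify each inventoried host and flag log sources that are not in inventory."""
    ip_to_host = {ip: h for h, ip in inventory.items()}
    log_seen = last_seen_in_syslog(syslog_text)
    net_seen = last_seen_in_flows(flows, ip_to_host)
    cutoff = now - window
    report = {"ok": [], "log_feed_broken": [], "silent": [], "not_in_inventory": []}
    for host in inventory:
        logging = log_seen.get(host, datetime.min) >= cutoff
        on_network = net_seen.get(host, datetime.min) >= cutoff
        if logging:
            report["ok"].append(host)
        elif on_network:
            # Independent evidence the host is alive: the log path is the problem.
            report["log_feed_broken"].append(host)
        else:
            # No logs and no traffic: the host (or the inventory entry) needs a look.
            report["silent"].append(host)
    # Anything reporting that we do not own on paper is an inventory gap.
    report["not_in_inventory"] = sorted(h for h in log_seen if h not in inventory)
    return report


if __name__ == "__main__":
    now = parse_ts("May 29 17:10:00")
    for category, hosts in coverage_report(INVENTORY, SYSLOG, FLOWS, now).items():
        print(f"{category:18} {', '.join(hosts) or '-'}")
```

On the sample data this reports web01 as ok, db01 as log_feed_broken (its netflow shows it busy while its syslog stopped an hour ago), vpn01 as silent, and lab-pc7 as a source that is not in the inventory. The point of the second feed is exactly the independence the post describes: without it, db01 and vpn01 would look identical from the log collector's side.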
