By Sean Barry
It’s been a while since our last post on Event Log Management (ELM) Best Practices, but the issue is no less prevalent. Last time we discussed the categories of events that must be enabled when performing security audits (logon, account logon, object access, process tracking, policy change, account management, directory service access, and system events).
This week we will focus on automating the consolidation of all log records. When you choose an ELM solution, it is vital to consider how collection is automated, how log files are stored, and how they are compressed. With the correct ELM solution in place you shouldn’t have to check on it daily or even weekly; a hands-off product usually requires only initial configuration and occasional tweaks. You may be managing log files for compliance purposes, an internal security policy, or industry standards. Either way, you need a collection strategy in place to deal with your log data.
Syslog files and Windows event logs are decentralized by default: each network device or system records its own activity. If you’re a network administrator managing security and compliance initiatives, you then need to combine this data for effective analysis and reporting. Merging that data reliably is a process that can now be automated.
Typically, an administrator will use an ELM tool to gather log records automatically on a nightly basis: saving and clearing the active event log files on each system, compiling the records into a central database (e.g. Microsoft SQL or Oracle), and compressing the saved files for central storage on a secure file server.
There are pros and cons to compressing log data in flat files. Compressed flat files are much cheaper to store. However, for ad hoc or scheduled reporting and analysis it is helpful to keep an active working set of data (for 60 to 90 days) in the database. For that reason, there is a distinct auditing advantage to keeping log data in two formats: compressed flat files and DB records. In most cases the majority of an audit is spent hunting down and restoring compressed flat files, so you will want an ELM solution that makes it easy to re-import old saved log files into your database should they be needed. Therefore we recommend you store log data in both formats.
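The nightly cycle described above (ingest into the central database, compress and clear the collected file, prune the working set, re-import an archived file when an audit needs it), as an added example that is not from the original post or any particular ELM product. It assumes RFC 3164-style syslog lines, uses SQLite in place of the central database, and the sample log lines are constructed:

```python
import gzip, re, shutil, sqlite3, tempfile
from datetime import datetime, timedelta
from pathlib import Path

# Constructed sample: RFC 3164-style lines as a host's local syslog daemon would write them.
SAMPLE_LOG = ("Jan 12 03:14:07 web01 sshd[2211]: Accepted publickey for deploy from 10.0.0.5 port 4422 ssh2\n"
              "Jan 12 03:15:00 db01 CRON[918]: (root) CMD (/usr/local/bin/backup.sh)\n")
LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) ([^:\[]+)(?:\[\d+\])?: (.*)$")

def parse_line(line, year):
    """Split one syslog line into (iso timestamp, host, program, message); None if unparseable."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")  # syslog omits the year
    return (ts.isoformat(), m.group(2), m.group(3), m.group(4))

def ingest(conn, path, year):
    """Load one flat file (plain or archived .gz) into the working-set table; returns rows inserted."""
    conn.execute("CREATE TABLE IF NOT EXISTS events (ts TEXT, host TEXT, program TEXT, message TEXT, source TEXT)")
    opener = gzip.open if str(path).endswith(".gz") else open   # re-import of an archive needs no extra step
    with opener(path, "rt") as fh:
        rows = [r + (Path(path).name,) for r in (parse_line(l, year) for l in fh) if r]
    conn.executemany("INSERT INTO events VALUES (?,?,?,?,?)", rows)
    conn.commit()
    return len(rows)

def archive(path, archive_dir):
    """Compress the collected file into the central archive and clear the original (save-and-clear)."""
    path, archive_dir = Path(path), Path(archive_dir)
    archive_dir.mkdir(parents=True, exist_ok=True)
    dest = archive_dir / (path.name + ".gz")
    with open(path, "rb") as src, gzip.open(dest, "wb") as dst:
        shutil.copyfileobj(src, dst)
    path.unlink()
    return dest

def prune_working_set(conn, now, days=90):
    # Drop DB rows older than the working set; the archived copy keeps them restorable via ingest().
    cutoff = (now - timedelta(days=days)).isoformat()
    rowcount = conn.execute("DELETE FROM events WHERE ts < ?", (cutoff,)).rowcount
    conn.commit()
    return rowcount

def demo():
    # One nightly cycle on the sample, then a re-import from the archive; returns the counts.
    work, conn = Path(tempfile.mkdtemp()), sqlite3.connect(":memory:")
    collected = work / "web01-syslog"
    collected.write_text(SAMPLE_LOG)
    night = datetime(2024, 1, 13)                                  # constructed "tonight"
    inserted = ingest(conn, collected, night.year)
    gz = archive(collected, work / "archive")
    pruned_now = prune_working_set(conn, night)                    # sample is recent: nothing pruned
    reimported = ingest(conn, gz, night.year)                      # restore from the compressed file
    pruned_later = prune_working_set(conn, datetime(2024, 6, 1))   # past the 90-day working set
    return dict(inserted=inserted, reimported=reimported, pruned_now=pruned_now,
                pruned_later=pruned_later, archived=gz.exists(), cleared=not collected.exists())
```

Because `ingest()` reads `.gz` archives directly, restoring an old night's file during an audit is the same call as the nightly load.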
Read the Whitepaper for more ELM Best Practices, or check back here for more of the blog series.