2006 is going to be a big year for Log Management and Intelligence (LMI) as compliance, security, and operations continue to drive new projects and the expansion of existing efforts. Here are some resolutions you might like to think about in order to get ahead of the pack.
Resolution #1: Turn on logging from ALL critical devices, applications, servers and operating systems. Start by mapping the devices critical to your compliance and security efforts – and then make sure you are logging from them. Plan on capturing 100% of the logs, 100% of the time, unfiltered and unaltered. If you plan to meet audit/compliance requirements and mitigate risk, you cannot pick and choose which log data to keep. SIEM and homegrown solutions typically only give insight into a small portion of the log data. Your LMI solution needs to be able to collect 100% of all log messages from every critical device, server, application and OS – not just from your firewall. This is especially important considering that internal and external threats are coming from an ever-broadening range of sources. It will also greatly improve the value of your LMI efforts: the more log data you capture, the more relevant it is to the entire enterprise – from the security folks to the people managing servers, network devices and applications. This is the year that you should be automatically routing critical “operational information” derived from log data to other tools such as EMC Smarts and IBM Tivoli.
Resolution #2: Write homegrown scripts less – a lot less. Homegrown scripts are typically inadequate for sifting through the terabytes of data that get logged in enterprise networks every day. Where they are useful is for very isolated troubleshooting on an extremely limited range of log data. It is completely unrealistic to expect these same scripts – and the folks who need to write them – to keep pace with your compliance and security demands. Without LMI, finding specific information in the terabytes of data that enterprises generate is like trying to search the web without Google, and the resources devoted to the tedious tasks of maintaining scripts and organizing log data are better spent elsewhere.
Resolution #3: Automate log management processes and reporting. Keeping pace with growing forensics, business and audit requests requires that alerting and reporting are automated – and fast. Automation should take place at several levels: automate the data capture; automate reporting and alerting; automate storage policies. An often neglected aspect of compliance management is auditing of the log activities themselves. You need to prove that you are doing what you said you would do. An LMI platform will get this done on schedule, without human intervention, to the satisfaction of your auditors.
Resolution #4: Secure your log data. Most log data is scattered across the enterprise. Securing the data and centralizing storage reduce IT costs and allow faster access to data from any log source. Set it up so that your log solution pulls data from all connected devices – both local and remote – and puts it in one safe place. Secure transmission over the WAN to storage is critical to protect the data. Also, data must be encrypted at rest so that it cannot be tampered with. Is your infrastructure data as secure as your customer information? If not, 2006 is the year to make it so.
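As an added illustration of Resolutions #1, #3 and #4 (this is example code, not a LogLogic product or anything from the original post), the script below runs two automatable checks over a centralized log store: a SHA-256 hash chain that makes any later modification or deletion of a stored record detectable (a complement to encryption at rest, which protects confidentiality rather than integrity), and a coverage audit that reports any critical source that has gone silent within a time window. The host inventory, the log lines and the line format are all constructed for the example.

```python
import hashlib
import re
from datetime import datetime, timedelta

# Constructed inventory of sources that must be logging (assumption for the example).
CRITICAL_SOURCES = {"fw01", "dc01", "erp-app01", "db01"}

# Constructed sample records as received by a central collector: "<iso-timestamp> <host> <message>".
SAMPLE_LOGS = [
    "2006-01-06T09:00:01 fw01 kernel: ACCEPT 10.0.0.5 -> 10.0.1.7:443",
    "2006-01-06T09:00:14 dc01 security: logon success user=jsmith",
    "2006-01-06T09:01:02 erp-app01 app: order 1187 posted",
    "2006-01-06T09:02:40 fw01 kernel: DROP 192.0.2.9 -> 10.0.1.7:22",
]

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")
GENESIS = hashlib.sha256(b"genesis").hexdigest()  # fixed anchor for the chain

def parse(line):
    """Split one stored record into (timestamp, host, message)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unparseable record: %r" % line)
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def build_chain(lines):
    """Store each record with a digest that also covers the previous digest,
    so editing or deleting any record breaks every digest after it."""
    prev, chain = GENESIS, []
    for line in lines:
        prev = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
        chain.append((line, prev))
    return chain

def verify_chain(chain):
    """Recompute the chain; return the index of the first bad record, or -1 if intact."""
    prev = GENESIS
    for i, (line, digest) in enumerate(chain):
        prev = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
        if prev != digest:
            return i
    return -1

def audit_coverage(lines, critical, window_end_iso, window_minutes):
    """Critical sources with no record inside the last window_minutes before window_end."""
    end = datetime.fromisoformat(window_end_iso)
    start = end - timedelta(minutes=window_minutes)
    seen = {host for ts, host, _ in map(parse, lines) if start <= ts <= end}
    return sorted(critical - seen)

if __name__ == "__main__":
    print("chain intact:", verify_chain(build_chain(SAMPLE_LOGS)) == -1)
    print("silent critical sources:", audit_coverage(SAMPLE_LOGS, CRITICAL_SOURCES, "2006-01-06T09:05:00", 10))
```

A scheduled run of these two checks is the kind of evidence Resolution #3 asks for: it shows both that every critical source was collected and that the stored records are unchanged since collection.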
Resolution #5: Understand your infrastructure data obligations – and meet them. Most security best practices, regulations and audit processes have a direct impact on what you should be doing with your logs. Develop a clear, enterprise-wide log management policy and then automate the management and enforcement of it. (We can help here!) Smart network and IT operators are also looking beyond their own organizations to understand that any log management solution has broad application across the datacenter and enterprise. This reflects the increasing convergence of systems and security. An LMI platform enables you to avoid getting locked into a SIEM tool that is designed to deal only with security information and events. Deploy LMI first.
Resolution #6: Make Log-ED a priority. There will be a raft of new technologies and solutions over the next year. If you are really serious about improving the management of critical infrastructure data – logs of all and any kind - in 2006, attend a live demo of LogLogic solutions in action.
And, give us your thoughts on what log management priorities we can address for you in the coming year.
Posted January 06, 2006 in Log Management & Intelligence | Permalink