Logblog: At the SANS Log Management Summit

« LogLogic Makes The Always On 100 | Main | Five To One... »

At the SANS Log Management Summit

Anton, Jill and myself are here in DC at the inaugural SANS Log Management Summit. Alan Paller opened the morning session to a packed room - over 200 people are attending - stating that Log Management is the sweet spot that bridges compliance and security.

Ben Wright took the stage after him speaking on Logs & The Law. A couple of the highlights from my rough notes:

Have a written policy... it is better to speak in general terms rather than hard language. And, a written policy, not followed = a negligence case.
Keep logs of log management - records about what was reviewed. Ben saw lots of value in this saying that "logs of log management are more valuable than logs themselves".
Bias to keeping more logs - general trend in law which rewards organizations that keep more information than they did in the past. More expectations for records/archives.
Only full audit committee should have power to know all logs... Maintaining custody of your log data is something we constantly emphasize and is a key feature of LogLogic.

Watch for our SANS Webinar on Logs & The Law - with Ben - later this month.

A great customer panel followed featuring a very large financial institution - and LogLogic customer, NetApp and others. NetApp are collecting some 40 million log messages a day - and emphasized that you can't use people exclusively to do log data mining when processing these kinds of volumes. You need a great tool. They made some other great points that we often look at when architecting solutions. You can't just collect logs from one set of devices and they shouldn't be dispersed. Get them centralized for rapid review and forensics. There was a definite preference on the panel for agentless log management systems.

- Andy

Posted July 12, 2006 in Log Management & Intelligence , LogEd , LogMatters | Permalink