« November 2007 | Main | January 2008 »
Logging Glossary: Operational Log Message
As I mentioned here, I started publishing the LogLogic Logging Glossary. So, here is the twelfth term (first second third fourth fifth sixth seventh eighth ninth tenth eleventh):
Operational Log Message
A log message about the state of a product, the product's operation or support of its application, or the interaction of the product with its environment.
Operational messages are one of the three basic message types. They can be summarized as:
- Administrative – Changes to the product
- Operational – The product itself and the job it is doing.
- Application – The product doing its job.
Example of operational messages are: backup succeeded, update applied, memory is running low, system load high, etc.
Future Glossary entries will cover Administrative Log Messages and Operational Log Messages
Posted December 20, 2007 in Log Management & Intelligence , LogEd | Permalink | TrackBack (0)
« November 2007 | Main | January 2008 »
Poll: Who looks at logs at your organization?
Here is my next poll about logs: Who looks at logs at your organization? Vote here! Also, my past polls and analysis are here.
Past polls were:
Posted December 19, 2007 in Log Management & Intelligence , LogMatters | Permalink | TrackBack (0)
« November 2007 | Main | January 2008 »
On Approaches to Database Monitoring
So, people sometimes ask me about how to do database logging/auditing/monitoring and log analysis right. The key choice many seem to struggle with for database auditing and monitoring is reviewing database logs vs sniffing SQL traffic off the wire. Before proceeding, please look for more background on database log management, auditing and monitoring in my database log management papers (longer, more detailed - shorter) The table below summarizes the situation with database monitoring and auditing - now you can make your choice more intelligently (items in bold are the ones I consider key):
| Pro | Con | |
| Sniff SQL traffic from the wire |
|
|
| Collect and analyze database logs |
|
|
Choose logs if you care for the relevant Pros (esp key ones) associated with them; choose sniffing if you care for the Pros and are NOT undermined by their Cons (e.g. difficulties of supporting encrypted traffic)
Of course, one can also opt for a combined approach which follows the ideas of "double the benefits - for double the cost"...
(*) Nobody really knows what it will be in each particular situation: 0-40% were observed under various conditions by various people ...
Posted December 17, 2007 in Innovation , Log Management & Intelligence , LogMatters | Permalink | TrackBack (0)
« November 2007 | Main | January 2008 »
LogLogic named a finalist for the SC Awards 2008
Folks, we've been called out for excellence again, this time by SC Magazine readers as a finalist for the 2008 SC Awards in the category of "Best Computer Forensics Solution." The short list of U.S. finalists is available here (link to: http://www.scmagazineus.com/Awards/section/110/). The SC Magazine Awards have recognized security's key contributors and outstanding products for more than a decade and we are pumped to be a finalist -- we'd like to extend our sincere THANK YOU to all of our friends and family who voted for LogLogic! Stayed tuned as the winners will be announced at the RSA Conference (link to: http://www.rsaconference.com/2008/US/home.aspx) next spring... We hope to see you there!
Posted December 14, 2007 in | Permalink | TrackBack (0)
« November 2007 | Main | January 2008 »
Again, On Criticality of Logs
I just wanted to highlight two pieces that, again, speak - or, better, scream! - about the importance of logs. I suspect that LogBlog readers don't need additional motivation to take logs seriously, but these are just too useful to skip.
First is the interview with some convicted criminal hacker, who said that '... it would have been easy for IT and security managers to detect him in their companies' systems ... if they'd been looking. The problem was that, generally, no one was paying attention.
"If they were just monitoring their boxes and keeping logs, they could easily have seen us logged in there," he said, adding that IT could have run its own scans, checking to see logged-in users."'
Amen to that! Indeed, many of the successful-and-then-undetected attacks are due to incompetence. Why? 'Cause lacking logs or ignoring logs is indeed negligent and incompetent!
Second, is my comment on the TJX case, which kinda follows the same idea: 'Dr. Anton Chuvakin, a security expert with LogLogic, said TJX [probably] didn't have decent logs. "What took TJX months was looking at all their systems and determining who took what data, from where, where it was sent, etc. The investigation took them months. They likely didn't have any logs, because they had to do system forensics rather than log analysis to arrive at their conclusions about who stole the data and how. If they had collected and analyzed log data centrally, the investigation would have been a piece of cake," he said in an e-mailed comment to InternetNews.com.'
Indeed, doing disk forensics to know who did what is much more painful than checking reliable logs. Save yourself by logging, then saving and reviewing the logs!
So, one more time (not the last, mind you!):
- Make sure you have and collect logs (here are 11 reasons for that)
- Make sure you look at logs (here are the 11 reasons)
Posted December 11, 2007 in Log Management & Intelligence , LogLogic News , LogMatters | Permalink | TrackBack (0)
« November 2007 | Main | January 2008 »
Logging Poll #3 "What Do You Do With Logs?" Analysis
So, the results of my 3rd poll are ready: live results are here, picture is also in this post.
First, this poll way more popular than my previous "why" poll. It seems like people do dislike to wonder "why."
Second, what are the two choices, that are by far the most popular? They are:
- Store raw logs on a server (23%)
- Search raw logs (grep) when needed (24%)
Yes, this is the "state of the art" of logging: collection of raw logs and "as needed" grep aka "slow and painful" search. In fact, the above answers might not even be given by the same people: some might be grepping logs on the individual servers, while others collect them on syslog servers and never touch them. That is why being in log management business is such a great thing: you have nearly the whole world to evangelize about the value of logs and log management tools.
Third, what's the next most popular idea of analyzing logs? It is "Run my own log analysis tool" at 10% of the respondents. Indeed, this movement still lives and thrives: people choose the Build->Suffer approach to log management often enough ...
Fourth, next come my somewhat self-inflicted surprise: apart from commercial log management (at 4%) and rolling one's own (discussed above at 10%), I added the option of "Use other log analysis tools" which captured 7% of the vote. But what does that mean? I have no idea!
Fifth, I am NOT surprised by the lack of popularity of the rule-based correlation tools, such as SIEM (at 2%). When I made my decision to join LogLogic, I had to ponder this one really, really hard. My conclusion at the time (which is also valid now, even more than back in 2006) was that "SIEM is for some, log management is for everybody." This poll confirms this further.
Finally, all my logging polls and analysis are here. Next one is coming up!
Posted December 08, 2007 in Log Management & Intelligence , LogEd , LogMatters | Permalink | TrackBack (0)
« November 2007 | Main | January 2008 »
LogLogic Welcomes Patricia C. Sueltz as their new CEO
Today LogLogic announced the appoint of Patricia C. Sueltz as Chief Executive Officer (click here for press release). Sueltz brings proven leadership as a veteran technology executive with more than 25 years of executive experience. Sueltz joins LogLogic from SurfControl where she served as CEO and prior to that she has held senior leadership roles at Sun Microsystems, IBM and Salesforce.com.
As LogLogic continues to grow and look towards the next phase as the leader in log management solutions, we are excited and proud to have Pat join the team to lead us into the future. Welcome to LogLogic, Pat!
Posted December 03, 2007 in | Permalink | TrackBack (0)
January 2008
| Sun | Mon | Tue | Wed | Thu | Fri | Sat |
|---|---|---|---|---|---|---|
| 1 | 2 | 3 | 4 | 5 | ||
| 6 | 7 | 8 | 9 | 10 | 11 | 12 |
| 13 | 14 | 15 | 16 | 17 | 18 | 19 |
| 20 | 21 | 22 | 23 | 24 | 25 | 26 |
| 27 | 28 | 29 | 30 | 31 |
Categories
Archives
- January 2008
- December 2007
- November 2007
- October 2007
- September 2007
- August 2007
- July 2007
- June 2007
- May 2007
- April 2007
- March 2007
- February 2007
- January 2007
- December 2006
- November 2006
- October 2006
- September 2006
- August 2006
- July 2006
- June 2006
- May 2006
- April 2006
- March 2006
- February 2006
- January 2006
- December 2005
- November 2005
- October 2005
- September 2005