Cutaway has an excellent interview up with Michael Farnum who talks about his experiences with companies in regards to a number of things, namely logging. Does he see companies logging, are they doing it properly, and so on. Excellent insight into what’s really going on, and not as untrustworthy as a sheet of stats from some vendor with an agenda.
In reflection to the questions and answers, here some of my bullet points when it comes to centralized logging discussions.
1. The IT team needs to see value in the process of logging and reading logs. If they don’t see value, they either won’t do it, won’t do it properly, or have no clue how to leverage it. If they don’t see value and the business sees no value, it just plain won’t get done. This probably always ends up not being a security value-add, but rather an operations one. Something went wrong with a web app, can you troubleshoot it by looking at the logs? Or a server isn’t updating properly from WSUS…and so on. Logging should be seen as important as a heart monitor on a patient in the hospital.
2. Once there is value, or maybe even before the value is realized, admins need the time to properly get things set up. Having enough time to gather Windows event logs and nothing else is going to be a wash. Same with just gathering the logs on half your firewalls. Give the team enough time to properly get things going.
3. Set aside time for the admins to regularly look at logs and maybe even “play” with the logging server. If admins don’t have time or are not allowed to use the logging reporting and querying regularly, they won’t have the familiarity to do it when emergencies or high profile incidents arise. Practice, practice, practice.
4. For the love of whatever, read Anton’s paper(s) about the six mistakes of logging.
My own logging? At home, I don’t do enough. At my last job, we did logging, but didn’t use it enough or probably use it properly. At my current job, we don’t do enough logging at all.