OK, any Information Security professional knows that logging is very important. Here are some best practices that we subscribe to in configuring logging:
- What’s the time? One of the most important pieces of information in a log is the correct time. You will need to set the time to sync with at least one time source (we like three). Without a proper time, putting an event timeline together after a compromise is going to be that much more difficult. With properly synchronized time, patterns emerge that you might otherwise miss.
- What to monitor/audit? Unless you tell your system what to audit, there may never be any logs to send to the log server. For Windows domains, a well configured group policy can ensure consistency across the enterprise. Check out this Windows Audit Policies for PCI Compliance blog to get started on the right path.
- Are we there yet? Of course, we enabled the agent/client logging; now we need to make sure that it actually reaches our log server.
- Whoa, who turned on the fire hydrant? Once enabled, logs are always abundant, but sometimes it’s too much. Some fine tuning might be needed to get the data you really want to see.
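As an added illustration (not from the original post), the following Python script checks two of the points above against a batch of received log records: whether every host that should be logging actually delivered anything, and whether each host's own clock agrees with the log server's receipt time. Host names, timestamps and the 60-second tolerance are constructed assumptions.

```python
"""Check log delivery and clock agreement over a batch of received log records."""
from collections import defaultdict
from datetime import datetime

# Constructed sample: (source host, timestamp inside the event,
# timestamp the log server stamped on receipt). Not real data.
RECEIVED = [
    ("dc01", "2024-03-01T10:00:05", "2024-03-01T10:00:06"),
    ("dc01", "2024-03-01T10:00:15", "2024-03-01T10:00:16"),
    ("web01", "2024-03-01T09:45:10", "2024-03-01T10:00:07"),  # clock ~15 min behind
    ("web01", "2024-03-01T09:45:20", "2024-03-01T10:00:17"),
]
# Hosts we configured to send logs; fw01 is silent in this batch (delivery gap).
EXPECTED_HOSTS = {"dc01", "web01", "fw01"}


def parse(ts):
    """Parse the ISO-style timestamps used in the constructed sample."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def clock_skew(records):
    """Upper-median offset per host (server receive time minus event time), in seconds.
    A large, steady offset usually means the source is not synchronized to NTP."""
    offsets = defaultdict(list)
    for host, event_ts, recv_ts in records:
        offsets[host].append((parse(recv_ts) - parse(event_ts)).total_seconds())
    return {h: sorted(v)[len(v) // 2] for h, v in offsets.items()}


def missing_hosts(records, expected):
    """Hosts that should be logging but sent nothing in this batch."""
    return sorted(expected - {host for host, _, _ in records})


def skewed_hosts(records, max_skew_seconds=60):
    """Hosts whose clock differs from the server's by more than the tolerance."""
    return sorted(h for h, s in clock_skew(records).items() if abs(s) > max_skew_seconds)


if __name__ == "__main__":
    print("no logs from:", missing_hosts(RECEIVED, EXPECTED_HOSTS))
    print("clock skew (s):", clock_skew(RECEIVED))
    print("unsynchronized:", skewed_hosts(RECEIVED))
```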
Alright, now that we have that covered, next is what to do with the logs. That is where the fun part begins; tune in for the next post in our series on the wonderful world of security event management.
Oscar Bravo Jr.
CISSP, CISA, CCDP, CCNP, CCSE, CCSE, MCSE, MCITP, RSASE
Senior Consultant, Security Solutions Services