Why Centralized Log Management is Important
Every system in your network generates some type of log file. In fact, a log entry is created for each event or transaction that takes place on any machine or piece of hardware; think of it as your “journal of record”. Microsoft-based systems generate Windows Event Log files, and UNIX-based servers and networking devices use the System Log (Syslog) standard. Web application servers like Apache or IIS, as well as load balancers, firewalls, proxy servers, and content security appliances, generate W3C/IIS log files.
Centralized Log Management should be a key component of your compliance initiatives, because with centralized logs in place, you can monitor, audit, and report on file access, unauthorized activity by users, policy changes, and other critical activities performed against files or folders containing proprietary or regulated personal data such as employee, patient or financial records. A centralized log management strategy should include overseeing Event Logs, Syslog and W3C logs. This coverage is key because information breaches come equally from internal and external sources. For example, Windows Event Logs will give you visibility into potentially harmful activities conducted by disgruntled employees, while Syslog management will give you control over your network perimeter.
Windows-based systems have several different event logs that should be monitored consistently. Of these logs, the most important is the Security Log. It provides key information about who is logged onto the network and what they are doing. Security logs are important to security personnel for understanding whether a vulnerability exists in the security implementation.
Syslog is a log message format and log transmission protocol defined as a standard by the Internet Engineering Task Force (IETF) in RFC 3164, with draft improvements in RFC 5424. Networking devices, UNIX and Linux systems, and many software and hardware platforms implement Syslog as a standard logging format and as the means to transmit and collect those log files in a centralized log management repository. Using Syslog information, you can capture highly detailed information about the status of a device or a number of devices. The information can be sorted and parsed to reveal atypical behavior through changes in operational or performance patterns. These changes may indicate one or more problems. Storage of Syslog data can also support compliance efforts by providing audit logs to trace any event that may affect network reliability and protection of data. This is important because it demonstrates control of all information to auditors.
Similarly, W3C logs also provide information on user and server activity. These audit logs should also be monitored, as they provide valuable information that you can use to identify any unauthorized attempts to compromise, for example, your Web server. IIS log files use a fixed ASCII format (meaning that it cannot be customized) which records more information than other log file formats, including basic items such as the IP address of the user, user name, request date and time, service status code, and number of bytes received. In addition, the IIS log file format includes detailed items such as the elapsed time, number of bytes sent, action, and target file.
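As an added example (not code from the original article), the following Python parses a constructed IIS W3C Extended log using its `#Fields:` directive, then applies a simple audit rule over the fields the paragraph lists: a client that produces repeated 401 (unauthorized) responses against a resource and is then served a 200 for it. The sample log lines, IP addresses, and the threshold value are all constructed for the illustration.

```python
from collections import Counter

# Constructed sample IIS W3C Extended log (not real data). Column names come from
# the "#Fields:" directive, as in the W3C Extended Log File Format used by IIS.
SAMPLE_LOG = """\
#Version: 1.0
#Date: 2024-01-15 00:00:00
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status sc-bytes cs-bytes time-taken
2024-01-15 08:00:01 203.0.113.7 - GET /index.html 200 5120 310 12
2024-01-15 08:00:03 203.0.113.7 - GET /admin/ 401 1024 290 5
2024-01-15 08:00:04 203.0.113.7 - GET /admin/ 401 1024 290 4
2024-01-15 08:00:05 203.0.113.7 - GET /admin/ 401 1024 290 4
2024-01-15 08:00:06 203.0.113.7 admin GET /admin/ 200 8192 400 30
2024-01-15 08:01:10 198.51.100.9 alice GET /reports/q4.xlsx 200 90210 350 120
2024-01-15 08:01:12 198.51.100.9 alice GET /reports/q4.xlsx 200 90210 350 118
"""

def parse_w3c(text):
    """Parse W3C Extended Log lines into dicts keyed by the names in #Fields."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # e.g. c-ip, cs-username, sc-status
            continue
        if line.startswith("#") or not line.strip():
            continue                           # other directives and blank lines
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()                  # IIS encodes spaces in values as '+'
        if len(values) != len(fields):
            continue                           # skip malformed rows instead of misaligning columns
        records.append(dict(zip(fields, values)))
    return records

def auth_failures_then_success(records, threshold=3):
    """Return client IPs with >= threshold 401s on a path followed by a 200 on that path.

    This is the audit pattern the article points at: repeated unauthorized attempts
    against the Web server from one client that eventually succeed. Threshold is constructed."""
    failures = Counter()
    flagged = set()
    for r in records:
        key = (r["c-ip"], r["cs-uri-stem"])
        if r["sc-status"] == "401":
            failures[key] += 1
        elif r["sc-status"] == "200" and failures[key] >= threshold:
            flagged.add(r["c-ip"])
    return flagged
```

Because the rule keys on `c-ip` and `cs-uri-stem` together, a client that is legitimately challenged once and then succeeds is not flagged; only a run of failures on the same resource is.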
By deploying a centralized log management solution, you can easily manage the frequently overwhelming amount of log information generated by your systems. Real-time access to log data will allow you to filter and locate that one “needle in a haystack” event that could be the cause of a security breach.