July 14th, 2006, 04:17 AM
There are 2 main reasons they (the auditors) are asking about logs.
1. To detect intrusions/attacks etc. as soon as possible so the "bad" guys don't get access.
2. To keep for future court cases in the event the "bad guys" do get access.
We are audited on a constant basis for BS7799; the auditors we get are only interested in:
1. Do we check the logs on an ongoing basis, and if so how do we do it and is the procedure documented?
2. Do we keep the logs, and if so how do we do it, how do we keep them and is it documented?
Depending on your environment & network this can be a nightmare. We've started looking at selm,
as we can configure it to send emails for certain events (failed logons, low disk space, disk sector errors, for example), so the auditors accept we don't have to check the logs on a daily basis.
Hope this helps.
Vi Veri Veniversum Vivus Vici.
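As an added illustration of the alerting-instead-of-daily-review approach described in the post (example code written for this page, not the poster's own setup or any particular product): the log format, event wording, thresholds and reviewer name below are all constructed.

```python
"""Alert on the event types the post lists (failed logons, low disk space,
disk sector errors) and keep an auditable record of each check.
Log lines, field layout and rule values are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style lines standing in for whatever a monitor collects.
SAMPLE_LOG = """\
2006-07-14 03:58:01 host1 auth: logon failed for user bob from 10.0.0.5
2006-07-14 03:58:09 host1 auth: logon failed for user bob from 10.0.0.5
2006-07-14 03:58:15 host1 auth: logon failed for user bob from 10.0.0.5
2006-07-14 03:59:40 host1 auth: logon succeeded for user alice
2006-07-14 04:01:02 host2 disk: free space on C: below 5 percent
2006-07-14 04:02:11 host2 disk: bad sector detected on device harddisk0
"""

FAILED_LOGON_THRESHOLD = 3                  # alert when one account fails this often...
FAILED_LOGON_WINDOW = timedelta(minutes=5)  # ...inside this sliding window

def parse(line):
    """Split one constructed line into (timestamp, host, source, message)."""
    day, clock, host, rest = line.split(" ", 3)
    source, message = rest.split(": ", 1)
    return datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S"), host, source, message

def find_alerts(log_text):
    """Return alert strings: one per disk event, one per account that trips the threshold."""
    alerts, failures = [], defaultdict(list)
    for line in log_text.splitlines():
        when, host, source, msg = parse(line)
        if source == "disk":
            # disk space / sector errors are rare enough to page on every occurrence
            alerts.append(f"{host}: {msg}")
        elif "logon failed" in msg:
            user = msg.split("for user ")[1].split()[0]
            # drop failures older than the window, then count what is left
            failures[user] = [t for t in failures[user] if when - t <= FAILED_LOGON_WINDOW]
            failures[user].append(when)
            if len(failures[user]) == FAILED_LOGON_THRESHOLD:
                alerts.append(f"{host}: {FAILED_LOGON_THRESHOLD} failed logons for {user} "
                              f"within {FAILED_LOGON_WINDOW}")
    return alerts

def review_record(alerts, reviewer, checked_at):
    """Evidence for the auditor: who checked, when, and what was raised."""
    return {"checked_at": checked_at, "reviewer": reviewer,
            "alerts_raised": len(alerts), "details": list(alerts)}
```

Appending each `review_record` to a retained file gives the documented, ongoing-check evidence the post says the auditors ask for.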