#1
  1. No Profile Picture
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jul 2006
    Posts
    1
    Rep Power
    0

    Why are auditors insisting on log analysis?


    We are gearing up the regulatory compliance audit (SOX) and don't know where to start. I have been reading a lot of articles and one thing that kept coming up in most of these discussions where "Are you keeping track (analysis & archiving) of all your logs that are being generated by the systems and devices in your organization" ?
    They have coined this word SEM (Security Event Management) or SIM (Security Information Management) for products that does this for you and saves you time before & after the audit

    Some of them i was asked to look at were:
    LogLogic
    Sensage
    EventLog Analyzer & Firewall Analyzer
    Sawmill

    I found the reports from the loganalyzer tool made some sense , but i am yet to explore the other tools. If any of you have had prior experience with these softwares then please educate me with all this complaince requirements and choosing the right product

    Please HELP!
  2. #2
  3. Periodically energetic Perler
    Devshed Regular (2000 - 2499 posts)

    Join Date
    May 2005
    Location
    Dublin, Ireland
    Posts
    2,265
    Rep Power
    538
    Hi,

    there are 2 main reasons they (the auditors) are asking about logs.

    1. to detect intrusions/attacks etc as soon as possible so the "bad" guys dont get access.
    2. to keep for future court cases in the event the "bad guys" do get access.

    We are audited on a constant basis for the bs7799, the auditors we get are only interested in is,

    1. do we check the logs on an ongoing basis & if so how do we do it and is the procedure documented.
    2. do we keep the logs, and if so how do we do it and how do we keep them and is it documented.

    depending on your environment & network this can be a nightmare. We've started ooking at selm as we can configure it to send emails for certain events (failed logons, low disk space, disk sector errors for example), so the auditors accept we dont have to check the logs on a daily basis.

    Hope this helps.
    Displeaser
    Vi Veri Veniversum Vivus Vici.
  4. #3
  5. No Profile Picture
    network dude
    Devshed Intermediate (1500 - 1999 posts)

    Join Date
    Dec 2003
    Posts
    1,698
    Rep Power
    114
    Any network should be doing some kind of logging for the reasons listed above but the logs are no good if no one is looking at them. Basicly any syslogger will suffice. personaly I recommend using one with MySQL or some kind of database for faster querying for free you can look at Splunk server runs on linux and can be upgraded to a more feature rich set this is for long term log storage and easy retrieval, I have splunk setup to collect the syslogs from SNORT, all switches, all firewalls, and routers etc.. I also run solarwinds syslog for real time monitoring as its color coded and can send e-mail alarms.
    Last edited by juniperr; July 20th, 2006 at 12:04 PM.

IMN logo majestic logo threadwatch logo seochat tools logo