July 14th, 2006, 03:41 AM
Why are auditors insisting on log analysis?
We are gearing up the regulatory compliance audit (SOX) and don't know where to start. I have been reading a lot of articles and one thing that kept coming up in most of these discussions where "Are you keeping track (analysis & archiving) of all your logs that are being generated by the systems and devices in your organization" ?
They have coined this word SEM (Security Event Management) or SIM (Security Information Management) for products that does this for you and saves you time before & after the audit
Some of them i was asked to look at were:
EventLog Analyzer & Firewall Analyzer
I found the reports from the loganalyzer tool made some sense , but i am yet to explore the other tools. If any of you have had prior experience with these softwares then please educate me with all this complaince requirements and choosing the right product
July 14th, 2006, 04:17 AM
there are 2 main reasons they (the auditors) are asking about logs.
1. to detect intrusions/attacks etc as soon as possible so the "bad" guys dont get access.
2. to keep for future court cases in the event the "bad guys" do get access.
We are audited on a constant basis for the bs7799, the auditors we get are only interested in is,
1. do we check the logs on an ongoing basis & if so how do we do it and is the procedure documented.
2. do we keep the logs, and if so how do we do it and how do we keep them and is it documented.
depending on your environment & network this can be a nightmare. We've started ooking at selm as we can configure it to send emails for certain events (failed logons, low disk space, disk sector errors for example), so the auditors accept we dont have to check the logs on a daily basis.
Hope this helps.
Vi Veri Veniversum Vivus Vici.
July 20th, 2006, 01:02 PM
Any network should be doing some kind of logging for the reasons listed above but the logs are no good if no one is looking at them. Basicly any syslogger will suffice. personaly I recommend using one with MySQL or some kind of database for faster querying for free you can look at Splunk server runs on linux and can be upgraded to a more feature rich set this is for long term log storage and easy retrieval, I have splunk setup to collect the syslogs from SNORT, all switches, all firewalls, and routers etc.. I also run solarwinds syslog for real time monitoring as its color coded and can send e-mail alarms.
Last edited by juniperr; July 20th, 2006 at 01:04 PM.