Log Management

Another issue we faced in dealing with our SAS 70 audit was log management.  Every system admin deals with this issue; most of us just ignore it most of the time.  You have all sorts of information stored in log files across all your various servers, and if you tried to review them regularly by hand you would probably be doing that just about all day, every day, once you have more than a handful of servers.  Specifically for SAS 70, we needed processes to review things like access logs and backup logs from all of our systems on a regular basis, and to document that review process so that we could prove someone was actually reviewing the logs.

There are several companies out there with pretty good products in this area; a Google search for log management will turn up several results such as LogLogic, EventLogManagement and Splunk, among others.  We looked into several of these, and in our opinion the best value for our money was definitely Splunk.  Basically, with Splunk you set all your servers to send their log data to a central Splunk server (or several distributed ones), either by having syslog or a similar service forward the data, or by installing the basic Splunk software on the server itself and configuring it to just forward its data to the central Splunk server.  One caveat if you go the syslog route: classic syslog forwarding is UDP with no encryption and no delivery guarantee, so for logs you have to prove the integrity of, prefer a TCP or TLS transport or the forwarder.

Once all your log data is in the central Splunk server, you can simply “search” the logs much like a Google search.  If you have everything configured to extract the correct fields, you could do a search like user=jsmith to see everything that John Smith has been doing: what servers he has logged into and what he accessed.  One very good report this can produce is for a terminated employee.  You can see what they accessed just before they were terminated and what, if anything, they accessed after they were terminated.  Obviously, the after-termination list should be empty; if it is not, either an account was not disabled or someone else is using the credentials.  But that’s just one advantage.
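The two steps described above, field extraction and then a per-user search with a before/after termination split, as an added example that is not part of the original post and is not Splunk code: a small Python script that extracts fields from constructed sshd-style syslog lines (the hosts, users and addresses are made up for illustration) and produces the terminated-employee report the text describes.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines for this example (not from the original post):
# sshd authentication messages in a syslog-like layout from hypothetical hosts.
# Real sshd output has more variants (e.g. "invalid user"); the pattern below
# only covers the Accepted/Failed forms shown here.
SAMPLE_LOGS = """\
2008-11-10T08:12:01 web1 sshd[2201]: Accepted publickey for jsmith from 10.0.1.15 port 51022 ssh2
2008-11-10T09:30:44 db1 sshd[811]: Accepted password for jsmith from 10.0.1.15 port 51100 ssh2
2008-11-10T11:02:17 web1 sshd[2290]: Failed password for root from 10.0.9.9 port 40011 ssh2
2008-11-11T16:45:03 files1 sshd[5002]: Accepted publickey for jsmith from 10.0.1.15 port 52010 ssh2
2008-11-12T07:58:19 web2 sshd[3301]: Accepted password for alee from 10.0.1.40 port 49500 ssh2
2008-11-13T02:14:55 db1 sshd[902]: Accepted password for jsmith from 203.0.113.7 port 33012 ssh2
2008-11-13T02:15:30 db1 sshd[902]: Failed password for jsmith from 203.0.113.7 port 33013 ssh2
"""

# Field extraction: the same job a Splunk field extraction does, done with a regex.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_events(text):
    """Turn raw lines into dicts with ts/host/result/method/user/src fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unmatched lines carry no extracted fields and are skipped
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append(ev)
    return events


def search_user(events, user):
    """Equivalent of the `user=jsmith` search: every event for that account, oldest first."""
    return sorted((e for e in events if e["user"] == user), key=lambda e: e["ts"])


def termination_report(events, user, terminated_at, lookback_days=7):
    """Split a departed user's activity into the window before termination and anything after.

    `terminated_at` is the time the account should have been disabled; any event
    at or after it is a finding (account left enabled, or credentials reused).
    """
    window_start = terminated_at - timedelta(days=lookback_days)
    user_events = search_user(events, user)
    before = [e for e in user_events if window_start <= e["ts"] < terminated_at]
    after = [e for e in user_events if e["ts"] >= terminated_at]
    return {
        "before_hosts": sorted({e["host"] for e in before}),
        "after": [(e["ts"].isoformat(), e["host"], e["result"], e["src"]) for e in after],
        "clean": not after,
    }


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOGS)
    # jsmith's hypothetical termination: midnight on 2008-11-12.
    report = termination_report(events, "jsmith", datetime(2008, 11, 12))
    print("hosts accessed in the week before termination:", report["before_hosts"])
    for ts, host, result, src in report["after"]:
        print(f"AFTER TERMINATION: {ts} {host} {result} login from {src}")
    print("clean:", report["clean"])
```

The report for jsmith in the sample data is not clean: two events on db1 from an outside address after the termination time, which is exactly the case the review process exists to catch. A user whose last event falls before the cutoff (alee, if terminated on 2008-11-14) comes back clean with an empty after-list.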

We are still pretty early in our setup and still working on some of the field extraction and report generation, so I’ll likely have some better examples and praise for Splunk in the near future.  For now, I’m interested in hearing how other small businesses are handling this issue.  Anyone willing to share?


3 Responses to Log Management


  2. bigapplezlp says:

    You got the best! We evaluated Splunk too. It’s just so powerful and useful in log management. Unfortunately, our management didn’t realize how helpful that is to the daily operation and didn’t move fast enough in deploying Splunk.

