Another issue we faced in dealing with our SAS 70 audit was log management. Every system admin deals with this issue, we just ignore it most times. You have all sorts of information stored in log files on all your various servers. If you were going to review them regularly, you would probably be doing that just about all day every day if you have more than a handful of servers. Specifically for SAS 70, we needed to have processes to review things like access logs, backup logs, etc from all of our systems on a regular basis, as well as document this review process so that we could prove someone was actually reviewing the logs.
There are several companies out there with pretty good products in this area, a google search for log management will turn up several results such as LogLogic, EventLogManagement, and Splunk among others. We looked into several of these, but in our opinion, the best value for our money definitely seemed to be with Splunk. Basically, with Splunk, you set all your servers to send their log information to a main splunk server (or several distributed ones) by either having syslog or similar services forward the data or installing the basic splunk server on the server itself and configuring it to just forward the data to the main splunk server.
Once all your log data is in the main splunk server, you can simply “search” the logs just like a google search. If you have everything configured to extract the correct fields you could do a search like user=jsmith to see everything that John Smith has been doing. What servers has he logged into and accessed. One very good report that this can produce is when an employee is terminated. You can see what they access just before they were termined and what, if anything they accessed after they were terminated. Obviously, the after termination list should be empty. But that’s just one advantage.
We are still pretty early in our setup and still working on some of the field extraction and report generation, so I’ll likely have some better examples and praises for splunk in the near future. For now, I’m interested in hearing how other small businesses are handling this issue. Anyone willing to share?