download issue 24 here - Help Net Security

In any environment, large or small, the managing and interpreting of log files
is a time consuming and expensive responsibility. Generally, this particular
job is perceived as a boring waste of time, and is usually pushed onto whomever
is the “weakest” part of the team and executed half-heartedly and - therefore
- poorly.
I, for one, believe that log files contain a lot of
wisdom that most systems, applications and
network administrators miss. While log files
are considered a necessary evil and are consulted
only when someone is complaining
about problems with certain services, they are
key to understanding the baseline behavior of
your environment (when everything is running
smoothly) and are therefore fundamental for
the detection of anomalies. “Love thy logs like
you love thyself” should be a mantra for all
previously mentioned administrators.
Even in the smallest of environments you'll
have a dozen computers (workstations and
servers) and a few network appliances (routers,
firewalls, switches, access points). Add
some multifunctional printers into the mix, and
you're good to go.
The great majority of these devices will be
spitting out messages with a vengeance, and
it is you who must prioritize and process these
events. Even if you think itʼs not necessary,
you will probably have to do it as a compliance
requirement.
All of this would be a big problem if you had to
do it step-by-step, page-by page, by yourself.
Luckily, there are plenty of products out there
today that can provide these two services. I
am, of course, talking about log management,
and security incident and event management
solutions. The former acts as a black hole into
which all log events within your network are
siphoned and kept in. The latterʼs task is to
correlate events you throw in it and provide
you with a Web 2.0 dashboard from which you
can analyze the results.
www.insecuremag.com 57