Top 11 Reasons to Collect and Preserve Computer Logs

by Anton Chuvakin

I've been wanting to create this list for a loooooong time and finally - here it is (you can guess I've been on a long flight :-)). Some are admittedly tongue-in-cheek, but useful nonetheless. So, enjoy Anton's "Top 11 Reasons to Collect and Preserve Computer Logs", presented in no particular order:

  1. Before anything else, do you deal with credit cards? Patient info? Are you a government org under FISMA? A financial org? You have to keep 'em - stop reading further.
  2. What if there is a law or a regulation that requires you to retain logs - and you don't know about it yet? Does the word "compliance" ring a bell?
  3. An auditor comes and asks for logs. Do you want to respond "Eh, what do you mean?"?
  4. A system starts crashing and keeps doing so. Where is the answer? Oops, it was in the logs - you just didn't retain them ...
  5. Somebody posts a piece of your future quarterly report online. Did John Smith do it? How? If not him, who did? Let's see who touched this document - got logs?
  6. Malware is rampant on your network. Where did it come from? Who is spreading it? Just check the logs - but only if you have them saved.
  7. Your boss comes and says 'I emailed you this and you ignored it!!' - 'No, you didn't!!!' Who is right? Only email logs can tell!
  8. The network is slow; somebody is hogging the bandwidth. Let's catch the bastard! Is your firewall logging? Keep the info at least until you can investigate.
  9. Somebody added a table to your database. Maybe he did something else too - no change control forms were filed. Got database log management? How else would you know?
  10. Disk space is cheap; tape is cheaper still. Save a log! Got SAN or NAS? Save a few of them!
  11. If you plan to throw away a log record, think - are you 100% sure you won't need it, ever? Exactly! :-) Keep it.

Have more? Feel free to suggest your own reasons below!

Coming soon: "Top 11 Reasons to Look at Your Logs"

2007-04-10 12:46:28
Where I work, it is company policy that system usage logs be kept for 90 days. No more, no less. That saves those of us in the trenches from having to spend time worrying about it; we just follow orders, then produce the logs as requested when one of those situations rears its head.
2007-04-13 10:28:22
The FBI sends you a National Security Letter, asking for all of your web-server and e-mail logs....