Top 11 Reasons to Look at Your Logs
by Anton Chuvakin
As promised, I am following my Top 11 Reasons to Collect and Preserve Computer Logs with a just as humorous and hopefully no less insightful "Top 11 Reasons to Look at Your Logs."
- The first reason is again disarmingly simple (is it, really? :-)). Read PCI DSS lately? Glanced at HIPAA? Suffer under FISMA? Yes, all of the above regulations say that you must not only have, but also review logs periodically.
- Are your servers compromised now? How do you know if all your logs are stashed on a tape in a closet? Look at them! Now!
- An incident happens. Really, who needs extra motivation to look at logs in such a case? Using logs for incident response is a true "no-brainer" (however, you need to be pretty "brainy" to actually analyze them in case of an incident).
- Users - from a CEO to a janitor. You do have to know what they do on your IT systems! How? Read the logs! Everybody leaves tracks.
- Systems log plenty of errors. Sometimes they are silly, sometimes - benign. However, often they mean that "stuff" is about to hit the fan. Periodic review of logs reveals them and saves the day.
- Network slowed to a crawl? Applications are slooow? Server is not ... well, serving? :-) Where is the answer? In the logs, but you need to read them and understand them.
- That policy you wrote a few months ago. Anybody following that? Anybody remember that? Halloooo! Check the logs and you'll know.
- By now you know that your auditor might ask for your logs. But do you know they might also check whether you looked at them? Do you? Review the logs and leave the record of this activity in the logs.
- Change can be good. But then again, it may be the sign that your controls are lacking. Who changes what and when? From what and to what? Just review the logs.
- Now, you hate looking at logs. You have too many (as if everybody else doesn't...)! In this case, look at a specific subset of logs that you never saw before: NBS (never-before-seen). Or just deploy log management that can do it for you.
- Logs can help you predict the future (if you review, know and love them :-)). Don't believe it? If you read them for long enough, you develop an ability to predict the future, albeit mostly future problems :-)
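Two items in the list above describe a concrete technique rather than just motivation: looking only at the NBS subset (log lines whose shape you have never seen before) and leaving a record of your review in the logs themselves so an auditor can see it happened. The script below is an added example, not code from this post or from any log management product it alludes to. It normalizes syslog-style lines (timestamps, IPs, PIDs, ports and other numbers become placeholders), keeps a baseline of patterns already reviewed, reports only the never-before-seen ones, and writes a review-record line. All log lines, host names, user names and addresses are constructed for the example; the reviewer name and the `logreview` tag are assumptions.

```python
"""Never-before-seen (NBS) log filter plus a review audit record.

Added example, not from the original post. All sample data is constructed.
"""
import re
from datetime import datetime, timezone

# Normalisation rules: variable fields are replaced so that only the
# "shape" of a message counts. Order matters: the syslog timestamp is
# stripped first, PIDs and ports before the generic number rule.
_RULES = [
    (re.compile(r"^\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} "), ""),   # syslog timestamp
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "<ip>"),      # IPv4 address
    (re.compile(r"\[\d+\]"), "[<pid>]"),                        # process id
    (re.compile(r"\bport \d+"), "port <port>"),                 # tcp/udp port
    (re.compile(r"\b\d+\b"), "<n>"),                            # any other number
]

# Constructed "yesterday" lines: the reviewed baseline.
BASELINE_LINES = [
    "Mar 10 09:00:01 web1 sshd[1234]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2",
    "Mar 10 09:00:07 web1 CRON[1240]: (root) CMD (/usr/bin/logrotate /etc/logrotate.conf)",
    "Mar 10 09:01:12 web1 sshd[1250]: Accepted publickey for bob from 10.0.0.9 port 51300 ssh2",
]

# Constructed "today" lines: two familiar shapes and two new ones.
TODAY_LINES = [
    "Mar 11 09:00:02 web1 sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 52001 ssh2",
    "Mar 11 09:00:08 web1 CRON[2210]: (root) CMD (/usr/bin/logrotate /etc/logrotate.conf)",
    "Mar 11 09:03:44 web1 sshd[2260]: Failed password for invalid user admin from 198.51.100.23 port 44022 ssh2",
    "Mar 11 09:03:45 web1 sshd[2260]: Failed password for invalid user admin from 198.51.100.23 port 44023 ssh2",
    "Mar 11 09:05:10 web1 useradd[2270]: new user: name=svc_backup, UID=1003, GID=1003, home=/home/svc_backup",
]


def normalize(line):
    """Reduce a log line to its pattern by replacing variable fields."""
    for pattern, replacement in _RULES:
        line = pattern.sub(replacement, line)
    return line.strip()


def build_baseline(lines):
    """Set of patterns already reviewed; persist this between runs in practice."""
    return {normalize(line) for line in lines}


def find_never_before_seen(lines, baseline):
    """Return the lines whose pattern is absent from the baseline.

    The baseline is updated in place, so a repeated new pattern (the second
    failed login below) is reported only once. Note that user names are
    deliberately kept in the pattern: a first-ever login by a user is
    exactly the kind of thing NBS review should surface.
    """
    new_lines = []
    for line in lines:
        key = normalize(line)
        if key not in baseline:
            baseline.add(key)
            new_lines.append(line)
    return new_lines


def review_record(reviewer, total, nbs_count, when=None):
    """Syslog-style line proving the review happened (for the auditor)."""
    when = when or datetime.now(timezone.utc)
    return (f"{when:%b %d %H:%M:%S} logreview[0]: "
            f"reviewer={reviewer} lines_reviewed={total} nbs={nbs_count}")


def run_review(reviewer, today, baseline_lines, when=None):
    """Full pass: NBS lines for a human to read, plus the audit record."""
    baseline = build_baseline(baseline_lines)
    new_lines = find_never_before_seen(today, baseline)
    return new_lines, review_record(reviewer, len(today), len(new_lines), when)


if __name__ == "__main__":
    nbs, record = run_review("alice", TODAY_LINES, BASELINE_LINES)
    print("Never-before-seen lines:")
    for line in nbs:
        print("  " + line)
    print("Review record to append to the log:")
    print("  " + record)
```

In real use the baseline set would be saved to disk after each review, and the review-record line sent through the normal syslog path so it lands next to the logs it describes. Because tuning the normalisation rules is what makes NBS useful, the script's `_RULES` list is where most of the work goes, and a log management product that does this for you is doing the same thing at scale.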
Coming soon: "Top 11 Reasons to Secure and Protect Your Logs"!