How do you log yours?

I speak to a number of people about security-related issues in their infrastructure, and while most of them understand the importance of logs, I'm always amazed that so few are doing anything to protect the integrity of their logs, or to leverage them.

I get it: logs are about as sexy as backup, but they're also important in exactly the same way: you don't really care about them until you need them. Let's say you've had a breach (and chances are that you have, but you might not have noticed it yet...) - the first thing that any hacker worth their salt is going to do is clear the logs to cover their tracks. How do you do any kind of forensics on this?

The answer is that you ship your logs off to a separate, secured server where you can run analytics against said logs. If you have the resource available, you also proactively monitor them. Hint: you should have the resource available!

There are a number of products available on the market - AlienVault, LogRhythm, LogPoint, VMware Log Insight and the big fish, Splunk. These all come at some cost, usually based on either the number of logs per second, the volume of logs that you're storing or the number of endpoints that you're shipping logs from. They're all great products, but if your budget is small and shrinking it might be tricky to get someone to sign off on the costs.

I've been deploying Graylog for a while now, and I think it's a great tool - over the coming week or two I'm going to be blogging an idiot's guide to getting it up and running based on my real-world experiences, which I hope will be helpful - especially in an SMB environment where the focus might well be on keeping costs down.

I should be clear, however: costs aren't the only reason to use a FOSS tool like Graylog - my experience with the developers has been second to none. The tool is easily scalable and there's a wealth of community-developed content packs etc.

Stay tuned - more coming soon!