Small Business Defense – Remote Logging and Analysis
- At February 26, 2009
- By Josh More
- In Business Security
The first thing to realize when it comes to protecting your logs from attackers is that if the logs aren’t on the machine the attacker controls, they can’t be altered or deleted there. At a minimum, you should consider setting up a remote logging server. This does not have to be a brand new top-of-the-line server. It can be an older server, a workstation or a virtual machine. The big thing to keep in mind is that it will need a lot of disk space. Depending on your network, it may also need a very fast network connection.
A nice free option to use is syslog. It’s not as user friendly as some of the commercial systems, but you can’t beat the price. For this tool, you just install one of the syslog-compatible systems on your remote server and configure each of your other systems to log to it. There are Windows tools and guides so you can capture those logs as well.
Of course, there are some commercial options as well. These often include enhanced tuning and searching. Splunk, Snare and LogLogic are known in the industry.
The second thing to consider when looking at logs is that you actually have to look at them. Remote logging may get the logs away from the attacker, but if it also gets them away from you, they’re not terribly effective. Most of the log management tools fall into three categories:
- those that find problems and alert you
- those that let you search the log
- those that help you visualize the data.
Before looking at any of the many tools out there, ranging from application-specific to purpose-specific to problem analysis, you should first consider what you care the most about. Logging involves a lot of data, and if you start with alerting before you tune anything, you’ll be drowning in it. Similarly, it doesn’t make much sense to put considerable analysis time into an application that isn’t business critical.
Instead, it’s best to start by getting all of your logs in one place, and focusing on doing that well. That’s a large project in and of itself. Once that’s done, start looking at the sizes of the log files that you’re creating and work on reducing them. Odds are that at least one of your logs was set to maximum verbosity for testing something and never set back. Once you know that all of your logs have the data they need in them and as little garbage as possible, start with the biggest and look for a free tool that helps you pull out the important information. Then, move on to the next. Yes, it will take a lot of time and many tools. It may not look pretty, but it will work.
And, after all, working is what matters the most.
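The procedure above (get the logs onto a remote collector, find the oversized ones, then pull the important entries out of the biggest) as an added example that is not part of this post: a small Python script that parses BSD-syslog (RFC 3164) lines the way a remote syslog collector receives them, decodes facility and severity from the PRI field, ranks sources by bytes logged, flags sources that are mostly debug-level output (the "left at maximum verbosity" case), and pulls out the entries worth reading. It goes slightly beyond the post by also counting repeated failed SSH logins per source, the kind of "find problems and alert you" check the first tool category refers to. The host names, programs, addresses and messages are constructed sample data, not anything from a real network.

```python
"""Added example (not from the original post): what a remote syslog collector
receives, and the volume triage the post recommends doing before buying tools.
All hosts, programs and addresses below are constructed sample data."""
import re
from collections import Counter

# RFC 3164 line as received over the network:
#   <PRI>Mon dd hh:mm:ss host program[pid]: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)
# PRI = facility * 8 + severity; names follow RFC 3164 numbering.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")

# Constructed sample: a firewall, a mail server and a workstation whose
# inventory agent was left at debug verbosity, plus one line that is not syslog.
SAMPLE_LINES = [
    "<38>Feb 26 09:14:01 fw1 sshd[2231]: Failed password for root from 203.0.113.9 port 51422 ssh2",
    "<38>Feb 26 09:14:03 fw1 sshd[2231]: Failed password for root from 203.0.113.9 port 51424 ssh2",
    "<86>Feb 26 09:14:05 fw1 sshd[2240]: Accepted publickey for jmore from 192.0.2.10 port 40112 ssh2",
    "<22>Feb 26 09:14:06 mail1 postfix/smtpd[1192]: connect from unknown[198.51.100.4]",
] + [
    f"<31>Feb 26 09:14:07 ws-07 inventory-agent[512]: DEBUG scanning entry {i} of 4000"
    for i in range(200)
] + [
    "<18>Feb 26 09:14:09 mail1 postfix/smtpd[1192]: fatal: no SASL authentication mechanisms",
    "<1>Feb 26 09:14:10 fw1 kernel: Out of memory: Kill process 2240 (sshd)",
    "this line is not syslog at all",
]
SAMPLE = "\n".join(SAMPLE_LINES)


def parse_line(line):
    """Return a record dict for one syslog line, or None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    facility, severity = divmod(int(m["pri"]), 8)
    if facility >= len(FACILITIES):
        return None
    return {"host": m["host"], "prog": m["prog"], "msg": m["msg"],
            "facility": FACILITIES[facility], "severity": SEVERITIES[severity],
            "sev_num": severity, "bytes": len(line.encode())}


def collect(text):
    """Parse everything the collector received; count lines it could not parse."""
    records, dropped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            dropped += 1
        else:
            records.append(rec)
    return records, dropped


def bytes_by_source(records):
    """Bytes logged per (host, program): the size view the post says to start from."""
    totals = Counter()
    for r in records:
        totals[(r["host"], r["prog"])] += r["bytes"]
    return totals


def noisiest(records, n=3):
    return bytes_by_source(records).most_common(n)


def verbose_sources(records, threshold=0.5):
    """Sources whose output is mostly debug severity: candidates for turning down."""
    total, debug = Counter(), Counter()
    for r in records:
        key = (r["host"], r["prog"])
        total[key] += r["bytes"]
        if r["severity"] == "debug":
            debug[key] += r["bytes"]
    return sorted(k for k in total if debug[k] / total[k] > threshold)


def important(records, worst_ok="warning"):
    """Records at the given severity or worse (lower number = more severe)."""
    limit = SEVERITIES.index(worst_ok)
    return [r for r in records if r["sev_num"] <= limit]


def failed_logins(records):
    """Count sshd 'Failed password' messages per (reporting host, user, source)."""
    counts = Counter()
    for r in records:
        m = FAILED_RE.search(r["msg"])
        if m:
            counts[(r["host"], m["user"], m["src"])] += 1
    return counts


if __name__ == "__main__":
    recs, bad = collect(SAMPLE)
    print(f"{len(recs)} records parsed, {bad} unparseable")
    for (host, prog), size in noisiest(recs):
        print(f"{size:7d} bytes  {host} {prog}")
    print("mostly-debug sources:", verbose_sources(recs))
    for r in important(recs):
        print(f"[{r['facility']}.{r['severity']}] {r['host']} {r['prog']}: {r['msg']}")
    print("failed logins:", dict(failed_logins(recs)))
```

Run against the sample, the inventory agent on ws-07 dominates the byte count and is the only source flagged as mostly debug, while the two lines worth a human's attention (mail.crit and kern.alert) are short and would be easy to miss in the raw file. With a real rsyslog collector, the forwarding step this replaces is one line in the client's rsyslog.conf, `*.* @@logserver:514` (TCP; a single `@` selects UDP), where `logserver` is the name of your collector.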
Then, later, once you have a greater level of inspection than you’ve ever had, you’ll know enough to seriously consider the big log management players. There’s no point in spending lots of money until you know what you’re spending it on.