Log management

Log management is the process for generating, transmitting, storing, accessing, and disposing of log data. A log data (or logs) is composed of entries (records), and each entry contains information related to a specific event that occur within an organization's computing assets, including physical and virtual platforms, networks, services, and cloud environments.

The process of log management generally breaks down into:

• Log collection - a process of capturing actual data from log files, application standard output stream (stdout), network socket and other sources.
• Logs aggregation (centralization) - a process of putting all the log data together in a single place for the sake of further analysis or/and retention.
• Log storage and retention - a process of handling large volumes of log data according to corporate or regulatory policies (compliance).
• Log analysis - a process that helps operations and security team to handle system performance issues and security incidents

Overview

The primary drivers for log management implementations are concerns about security, system and network operations (such as system or network administration) and regulatory compliance. Logs are generated by nearly every computing device, and can often be directed to different locations both on a local file system or remote system.

Effectively analyzing large volumes of diverse logs can pose many challenges, such as:

• Volume: log data can reach hundreds of gigabytes of data per day for a large organization. Simply collecting, centralizing and storing data at this volume can be challenging.
• Normalization: logs are produced in multiple formats. The process of normalization is designed to provide a common output for analysis from diverse sources.
• Velocity: The speed at which logs are produced from devices can make collection and aggregation difficult
• Veracity: Log events may not be accurate. This is especially problematic for systems that perform detection, such as intrusion detection systems.

Users and potential users of log management may purchase complete commercial tools or build their own log-management and intelligence tools, assembling the functionality from various open-source components, or acquire (sub-)systems from commercial vendors. Log management is a complicated process and organizations often make mistakes while approaching it.

Logging can produce technical information usable for the maintenance of applications or websites. It can serve:

• to define whether a reported bug is actually a bug
• to help analyze, reproduce and solve bugs
• to help test new features in a development stage

Terminology

Suggestions were made to change the definition of logging. This change would keep matters both purer and more easily maintainable:

• Logging would then be defined as all instantly discardable data on the technical process of an application or website, as it represents and processes data and user input.
• Auditing, then, would involve data that is not immediately discardable. In other words: data that is assembled in the auditing process, is stored persistently, is protected by authorization schemes and is, always, connected to some end-user functional requirement.

Deployment life-cycle

One view of assessing the maturity of an organization in terms of the deployment of log-management tools might use successive levels such as:

1. in the initial stages, organizations use different log-analyzers for analyzing the logs in the devices on the security perimeter. They aim to identify the patterns of attack on the perimeter infrastructure of the organization.
2. with the increased use of integrated computing, organizations mandate logs to identify the access and usage of confidential data within the security perimeter.
3. at the next level of maturity, the log analyzer can track and monitor the performance and availability of systems at the level of the enterprise — especially of those information assets whose availability organizations regard as vital.
4. organizations integrate the logs of various business applications into an enterprise log manager for a better value proposition.
5. organizations merge the physical-access monitoring and the logical-access monitoring into a single view.

Regulatory requirements

Log management is a prerequisite for compliance with numerous regulatory frameworks that mandate audit trails and activity monitoring.

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires covered entities to implement audit controls—hardware, software, and procedural mechanisms that record and examine activity in information systems containing electronic protected health information (45 CFR 164.312(b)). It also requires regular review of information system activity records such as audit logs, access reports, and security incident tracking (45 CFR 164.308(a)(1)(ii)(D)). The December 2024 Notice of proposed rulemaking (NPRM) to modernize the HIPAA Security Rule would strengthen these requirements by mandating centralized collection and review of audit logs across all systems containing ePHI, with the ability to detect and alert on unauthorized activity.

The National Institute of Standards and Technology (NIST) SP 800-92, Guide to Computer Security Log Management, provides detailed guidance on establishing log management infrastructures, including log generation, transmission, storage, analysis, and disposal. The Payment Card Industry Data Security Standard (PCI DSS) requires tracking and monitoring of all access to network resources and cardholder data, with log retention of at least twelve months and a minimum of three months immediately available for analysis (Requirement 10).

See also

• Audit trail
• Common Base Event
• Common Log Format
• DARPA PRODIGAL and Anomaly Detection at Multiple Scales (ADAMS) projects.
• Data logging
• Log analysis
• Log monitor
• Log management knowledge base
• Security information and event management
• Server log
• Syslog
• Web counter
• Web log analysis software

References

• Chris MacKinnon: "LMI In The Enterprise". Processor November 18, 2005, Vol.27 Issue 46, page 33. Online at http://www.processor.com/editorial/article.asp?article=articles%2Fp2746%2F09p46%2F09p46.asp, retrieved 2007-09-10
• MITRE: Common Event Expression (CEE) Proposed Log Standard. Online at http://cee.mitre.org, retrieved 2010-03-03

External links

• InfoWorld review and comparison of commercial Log Management products