Log + Security + Compliance

Log monitoring is a key aspect of security monitoring. The evolving IT security landscape demands that organisations have the infrastructure and expertise in place to recognise and counter threats. As new challenges to IT systems continue to emerge, organisations should have a corresponding plan in place to deal with them. Whatever the nature of present and future security risks, log files will play a fundamental part in the ongoing security effort.

Advantages of a log server

  • Troubleshoot issues faster
  • Faster threat analysis
  • In-depth incident investigations
  • Achieve regulatory compliance

Centralised versus decentralised logging

Let’s keep things simple here. We will look at the importance of a centralised log server.

Centralised

Once you decide to collect your logs, you will very likely have to pull them from multiple sources into a central store.

Centralising logging also means you don’t have to physically go to each machine while investigating an incident. A centralised log server gives you a unified view of every source, and the more sources that feed it, the more useful it becomes and the better the return on the effort of setting it up. It also moves the record off the machine that produced it: if a host is compromised, the attacker can alter or delete its local log files, but entries already forwarded to a server they cannot write to survive. Treat the server as the high-value target it becomes (restrict who can write to or delete from it), and give the forwarders a disk-backed queue so that entries are not lost while the server is briefly unreachable. The result is far easier to operate and manage than a fleet of per-host log locations.
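As an added illustration of what the unified view buys you during an investigation (this is example code written for this page, not a tool the page describes), the block below plays the part of a tiny central store: it parses BSD-style syslog lines forwarded from three hosts, puts them in one time-ordered list, and answers the questions you would otherwise have to ask each box in turn. The host names, IP addresses and log lines are constructed for the example; `bastion` is assumed to sit at 10.0.0.5, and the collection year is assumed because BSD syslog lines carry none.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample: lines as they would arrive at a central syslog
# collector from three hosts (bastion = 10.0.0.5). Not real data.
SAMPLE_LINES = """\
Mar  3 09:14:02 bastion sshd[2114]: Failed password for root from 203.0.113.9 port 51022 ssh2
Mar  3 09:14:05 bastion sshd[2114]: Failed password for root from 203.0.113.9 port 51023 ssh2
Mar  3 09:14:07 bastion sshd[2114]: Accepted password for root from 203.0.113.9 port 51024 ssh2
Mar  3 09:15:31 web01 sshd[881]: Accepted publickey for deploy from 10.0.0.5 port 40012 ssh2
Mar  3 09:16:10 db01 sshd[4410]: Failed password for postgres from 10.0.0.5 port 40020 ssh2
Mar  3 09:16:12 db01 sshd[4410]: Failed password for postgres from 10.0.0.5 port 40021 ssh2
Mar  3 09:20:44 web01 sudo: deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/bash
"""

# BSD-style syslog line: "Mar  3 09:14:02 host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
SRC_IP_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_line(line, year=2024):
    """Parse one forwarded line into a dict, or None if it is not syslog-shaped.
    BSD syslog carries no year, so the caller supplies the collection year."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    ip = SRC_IP_RE.search(m["msg"])
    return {"ts": ts, "host": m["host"], "prog": m["prog"], "msg": m["msg"],
            "src_ip": ip.group(1) if ip else None}


def load(text, year=2024):
    """The unified store: every host's events in one time-ordered list."""
    events = [e for e in (parse_line(l, year) for l in text.splitlines()) if e]
    return sorted(events, key=lambda e: e["ts"])


def failed_logins_by_source(events):
    """Failed SSH logins per source IP, counted across all hosts at once."""
    return Counter(e["src_ip"] for e in events
                   if "Failed password" in e["msg"] and e["src_ip"])


def trace_source(events, ip):
    """Cross-host timeline of everything that mentions one source IP."""
    return [(e["ts"], e["host"], e["msg"]) for e in events if e["src_ip"] == ip]


def silent_hosts(events, max_gap_sec=600, now=None):
    """Hosts whose newest event is older than max_gap_sec. A host that stops
    forwarding is itself a signal: an outage, or someone stopped the agent.
    `now` defaults to the newest event in the store; pass datetime.now() in use."""
    if not events:
        return []
    now = now or max(e["ts"] for e in events)
    last = {}
    for e in events:
        last[e["host"]] = max(last.get(e["host"], e["ts"]), e["ts"])
    return sorted(h for h, t in last.items()
                  if (now - t).total_seconds() > max_gap_sec)


if __name__ == "__main__":
    ev = load(SAMPLE_LINES)
    print("failed logins by source:", dict(failed_logins_by_source(ev)))
    for ts, host, msg in trace_source(ev, "10.0.0.5"):
        print(ts, host, msg)
    print("silent for more than 3 min:", silent_hosts(ev, max_gap_sec=180))
```

Run stand-alone it shows the whole story in one place: the brute force against `bastion` from 203.0.113.9, then the pivot from `bastion` (10.0.0.5) to `web01` and `db01`, which no single host's log reveals on its own. The `silent_hosts` check is the other half of centralisation: once every host is expected to report, a host that goes quiet becomes something you can alert on.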

Decentralised

This is workable for a single server or a couple of servers. Once the number of servers grows, analysing logs becomes steadily more complex, and when an incident happens, hunting for the relevant entries machine by machine becomes a misery.

Regulatory Compliance

PCI DSS: Requires audit trail history to be retained for at least one year, with a minimum of three months immediately available for analysis (for example online, archived, or restorable from backup).

HIPAA: Applies to the US healthcare industry. The Security Rule requires its documentation to be retained for six years, and audit logs are generally kept for the same period.

SOX: Pertains to US public companies. Section 802 requires audit records to be retained for seven years.

NTP on your network

The last element that plays a vital role in log analysis is TIME. Analysing security breaches, network usage, or problems affecting any component in your infrastructure will be nearly impossible if the timestamps in your logs are inaccurate. Time is often the essential factor that allows an event on one network node to be mapped to a corresponding event on another. Synchronise every host and the log server against the same NTP source, log in UTC (or record the zone offset), and have the collector stamp its own receive time on each entry: a drifting clock then shows up as a consistent gap between the two timestamps instead of as an unexplained reordering of events.
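The block below is an added example (not code from the page's author) of why that receive timestamp matters. It models a collector that stores both the timestamp written by the source and its own arrival time, estimates each host's clock offset from the gap, flags hosts that are out of tolerance, and shows how the cross-host timeline changes once the offset is applied. The hosts, messages and timestamps are constructed: `db01` is assumed to be running five minutes slow, so ordered naively by source timestamp its events appear to happen before the login on `bastion` that led to them.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed records as a collector would store them: source_ts is the time
# the sending host wrote into the message, recv_ts the time the collector
# received it, stamped by the collector's own (NTP-synced) clock.
RECORDS = [
    {"host": "bastion", "source_ts": "2024-03-03T09:14:07",
     "recv_ts": "2024-03-03T09:14:07.210",
     "msg": "sshd: Accepted password for root from 203.0.113.9"},
    {"host": "db01", "source_ts": "2024-03-03T09:11:10",      # db01 clock 5 min slow
     "recv_ts": "2024-03-03T09:16:10.305",
     "msg": "sshd: Accepted password for postgres from 10.0.0.5"},
    {"host": "db01", "source_ts": "2024-03-03T09:11:52",
     "recv_ts": "2024-03-03T09:16:52.118",
     "msg": "postgres: COPY customers TO '/tmp/c.csv'"},
    {"host": "web01", "source_ts": "2024-03-03T09:15:31",
     "recv_ts": "2024-03-03T09:15:31.090",
     "msg": "sshd: Accepted publickey for deploy from 10.0.0.5"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def clock_offsets(records):
    """Per-host estimate of (collector clock - source clock) in seconds.
    The median is used so that one delayed delivery does not distort it."""
    deltas = {}
    for r in records:
        gap = (_ts(r["recv_ts"]) - _ts(r["source_ts"])).total_seconds()
        deltas.setdefault(r["host"], []).append(gap)
    return {host: median(gaps) for host, gaps in deltas.items()}


def skewed_hosts(records, tolerance_sec=2.0):
    """Hosts whose clock disagrees with the collector by more than tolerance.
    Transport delay is normally well under a second, so anything larger is
    a clock problem on the host (or on the collector itself)."""
    return sorted(h for h, off in clock_offsets(records).items()
                  if abs(off) > tolerance_sec)


def timeline(records, correct=True):
    """Cross-host event order. With correct=True each source timestamp is
    shifted by its host's estimated offset onto the collector's clock."""
    offsets = clock_offsets(records) if correct else {}
    rows = []
    for r in records:
        t = _ts(r["source_ts"]) + timedelta(seconds=offsets.get(r["host"], 0.0))
        rows.append((t, r["host"], r["msg"]))
    return sorted(rows)


if __name__ == "__main__":
    print("hosts out of tolerance:", skewed_hosts(RECORDS))
    print("naive order (source timestamps):")
    for t, h, m in timeline(RECORDS, correct=False):
        print(" ", t, h, m)
    print("corrected order (collector clock):")
    for t, h, m in timeline(RECORDS):
        print(" ", t, h, m)
```

The naive ordering puts the database export before the bastion login that made it possible; the corrected ordering restores cause before effect. Treat the correction as triage for logs you have already collected, not as a substitute for NTP: the estimate is only as good as the collector's own clock, and the real fix is to verify synchronisation on every host (for example with `chronyc tracking` or `timedatectl timesync-status`) and to alert on the skew the collector measures.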

Storing all the logs on a centralised server eases troubleshooting and incident analysis and satisfies regulatory needs. Planned and executed properly, with accurate time across every source, it paves the way to meeting both your regulatory compliance and your security needs.