Nov 30 2006

So many logs, so little time

Published by Martin at 9:16 am under Simple Security

Andy, IT Guy gives a specific example of how monitoring logs would have saved one company he consulted at a lot of time and grief.  The only problem is, in most organizations, log monitoring is an afterthought, if it’s a thought at all.  My last job was as the administrator of the IDS systems for a major state agency, and as such I spent my day monitoring Snort (later Sourcefire) logs for suspicious incidents, but most IT departments don’t have the luxury of dedicating a specific resource to that type of monitoring. 

If you have to monitor logs, find some way of aggregating and filtering your logs.  There are a number of open source and commercial solutions that will allow you to do both with varying degrees of implementation and daily usage pain.  But even a central syslog collector you can review through grep commands is better than having to go to each of the systems individually.  I’m looking at a Cisco Security Monitoring, Analysis and Response System (CS-MARS) implementation early next year, but your needs may be equally well served with a collection of open source tools you put together yourself.
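As an added illustration (not code from the original post or from any product it mentions), here is the sort of filter you could run over a central collector's merged syslog instead of grepping each box: it counts sshd password failures per source across every host at once. The host names, addresses and the BSD-style line format are assumptions, and the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of a central collector's combined syslog (BSD format:
# "Mon DD HH:MM:SS host program[pid]: message"); not real log data.
SAMPLE_LOG = """\
Nov 30 08:01:12 web1 sshd[2201]: Failed password for invalid user admin from 10.0.0.50 port 4411 ssh2
Nov 30 08:01:15 web1 sshd[2201]: Failed password for invalid user admin from 10.0.0.50 port 4412 ssh2
Nov 30 08:01:19 web1 sshd[2203]: Failed password for root from 10.0.0.50 port 4413 ssh2
Nov 30 08:02:02 db1 cron[881]: (root) CMD (run-parts /etc/cron.hourly)
Nov 30 08:03:44 db1 sshd[1010]: Accepted publickey for dba from 10.0.1.7 port 51002 ssh2
Nov 30 08:05:01 web2 sshd[3310]: Failed password for root from 10.0.0.50 port 4420 ssh2
Nov 30 08:07:30 fw1 kernel: IPTABLES DROP IN=eth0 SRC=192.0.2.9 DST=10.0.0.1 PROTO=TCP DPT=23
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w./-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (?P<src>\S+)")

def parse(lines):
    """Yield (host, program, message) for each well-formed line; skip the rest."""
    for line in lines:
        m = SYSLOG_RE.match(line.rstrip("\n"))
        if m:
            yield m.group("host"), m.group("prog"), m.group("msg")

def failed_logins_by_source(lines, threshold=3):
    """Count sshd password failures per source IP across every host at once.

    Looking at web1 alone shows 3 failures and web2 alone only 1; the merged
    view is what reveals one source working through the estate.
    Returns {src: (count, sorted hosts hit)} for sources at or above threshold.
    """
    hits = Counter()
    hosts = defaultdict(set)
    for host, prog, msg in parse(lines):
        if prog != "sshd":
            continue
        m = FAILED_RE.search(msg)
        if m:
            hits[m.group("src")] += 1
            hosts[m.group("src")].add(host)
    return {s: (n, sorted(hosts[s])) for s, n in hits.items() if n >= threshold}

if __name__ == "__main__":
    for src, (n, targets) in failed_logins_by_source(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {n} failed logins across {', '.join(targets)}")
```

The threshold is deliberately low for the tiny sample; on a real collector you would tune it and feed the script the aggregated file rather than the embedded string.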

Anything’s better than not looking at the logs at all.
