Maintaining a reliable and secure repository of logs is important for many reasons: establishing a foresnic trail of evidence in the case of fraud or attack, and enabling event correlation across many devices, among others. Particularly in regulated industries, management should enact controls that prevent security, application and system logs from being tampered with.
Many organizations choose to consolidate their logs on to a centralized syslog server. Many devices and just about all UNIX-like operating systems (Linux, free/net/open BSD, Solaris, AIX) support syslog natively. Windows-based systems require a tool to convert event logs to syslog.
Syslog is a simple protocol and is easy to wrap some very effective security around. The goal is remove as many opportunities for the central syslog server to be compromised as practical. There are 3 aspects to hardening a syslog server that we’ll cover:
- The operating system
- The network
- The application
- The users and administrators Read more…
There are a growing number of Managed Security Service Providers (MSSP’s), such as IBM and Symantec, and Verisign, and other companies, such as Savvis, offering an outsourced service to collect and retain system logs, generally called a log management service (LMS). The initial instinct for many would be to reject such a crazy thought as outsourcing log management, but there are some big advantages, and some things to consider. Read more…
RSS Error: A feed could not be found at http://www.syslog.org/forum/.xml/?type=rss. A feed with an invalid mime type may fall victim to this error, or SimplePie was unable to auto-discover it.. Use force_feed() if you are certain this URL is a real feed.