I see a fair number of people searching around looking for how they should be treating their logs. Below is a list of best practices for log management. Like other best practices, they are not meant to be adopted blindly, but rather evaluated for how each fits into your environment.

  • Forward syslog messages from clients to a secure syslog server
  • Enable NTP clock synchronization on all clients and on the syslog server. It is very important for all clocks reporting logs to be using the same time server.
  • Group “like sources” into the same log file (e.g. mail server, spamassassin and mail A/V scanner all report to one file).
  • Use an automated tool to establish a baseline of your logs and escalate exceptions as appropriate (e.g. Devialog).
  • Review your records retention policy, if applicable, and determine if anything kept in logs falls under that policy. If so, establish retention periods based on the records policy.
  • In the absence of a records retention policy, rotate logs every day, keeping at least the last 30 days for later reference.
  • Include logs and log archives in a standard backup process.
  • Change read/write permissions on log files so they are not generally accessible to unprivileged user accounts.
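The baseline-and-exception step, as an added example that is not part of the original post and is not Devialog's own code: syslog lines from a grouped mail-host log are reduced to (program, message template) pairs by masking variable fields, a baseline is built from a known-good sample, and any new line whose template was never seen is escalated. All log lines are constructed for the example.

```python
import re
from collections import Counter

# One RFC 3164-style syslog line: "Mon DD HH:MM:SS host program[pid]: message".
SYSLOG_RE = re.compile(
    r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# Addresses, PIDs, sizes and timings are masked so they collapse to one template;
# usernames stay literal, so a new account in a known message shape is an exception.
NORMALIZERS = [
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "<ip>"),
    (re.compile(r"\b\d+\b"), "<n>"),
]

def template(line):
    """Return (program, normalized message), or None if the line is not syslog."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    msg = m.group("msg")
    for rx, token in NORMALIZERS:
        msg = rx.sub(token, msg)
    return (m.group("prog").strip(), msg)

def build_baseline(lines):
    """Count how often each template occurs in a known-good log sample."""
    return Counter(t for t in map(template, lines) if t is not None)

def find_exceptions(baseline, lines):
    """Lines whose template never appeared in the baseline (unparsable lines too)."""
    return [line for line in lines if template(line) not in baseline]

# Constructed sample lines (not real logs) from one grouped mail-host log file.
BASELINE_LOGS = [
    "Mar  1 08:00:01 mail1 postfix/smtpd[2231]: connect from relay.example.net[192.0.2.10]",
    "Mar  1 08:00:02 mail1 postfix/smtpd[2231]: disconnect from relay.example.net[192.0.2.10]",
    "Mar  1 08:00:05 mail1 spamd[811]: clean message (1.2/5.0) for alice:1001 in 0.4 seconds, 2048 bytes.",
    "Mar  1 08:01:00 mail1 sshd[3001]: Accepted publickey for backup from 192.0.2.20 port 51000 ssh2",
]
NEW_LOGS = [
    "Mar  2 08:00:01 mail1 postfix/smtpd[2410]: connect from relay.example.net[192.0.2.10]",
    "Mar  2 08:00:03 mail1 spamd[811]: clean message (0.9/5.0) for alice:1001 in 0.3 seconds, 1311 bytes.",
    "Mar  2 08:02:17 mail1 sshd[3190]: Failed password for root from 198.51.100.7 port 40022 ssh2",
    "Mar  2 08:02:19 mail1 sshd[3190]: Accepted publickey for backup from 192.0.2.20 port 51004 ssh2",
]

if __name__ == "__main__":
    for line in find_exceptions(build_baseline(BASELINE_LOGS), NEW_LOGS):
        print("EXCEPTION:", line)
```

Only the failed root login is escalated; the repeated connects, spamd verdicts and backup logins differ solely in masked fields and match the baseline.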