"SNMP is vital. Syslog saves life." -- a networking guy
Hello Thwack, I'm Gideon Tam, one of the Thwack Ambassadors for the month of January. Happy New Year 2014! I'm a network security professional and also a data center network architect.
When you ask the Information Security folks what they think should be logged, they probably give you a simple answer: EVERYTHING. But in reality, things are more complicated than this.
Have you encountered Windows Server admin folks who refuse to install any log connector agent on their servers because of their bad-taste-in-the-mouth experiences with foreign agents? They may not even be willing to give out admin credentials for agentless log pulling. This situation is sometimes resolved when the Information Security Officer tells them that they are making a career decision.
IIS 6.0 provides six different log file formats. IIS 8.5 now provides enhanced logging. What to log and what not to log becomes something that needs to be worked out between the Application and InfoSec groups within an organization.
Detailed logging on firewalls and VPNs is common sense. But what about logging DNS? Do you want to endure the high volume of DNS logs for event correlation? That is a decision. I saw an organization that simply logged DNS on the devices and let the logs roll over due to the volume. That didn't mean it was bad. It just came down to the fact of whether they would use the data.
Networking devices have different levels of logging. What level to log at depends entirely on the need. The lower levels don't give you much information, and the higher levels add to the device's CPU load.
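The trade-off in the two paragraphs above (DNS volume versus usefulness, and the device logging level versus what reaches the collector) can be made concrete by looking at the syslog PRI field. The following is an added example, not code from the original post: it decodes the `<PRI>` prefix into facility and severity, applies a severity threshold the way a device's logging level would, and counts how many constructed sample lines would be forwarded at each threshold. The router name, the message texts and the IP addresses are constructed for the example.

```python
# Added example (not from the original post): decode the syslog PRI field
# and show how the severity threshold a device logs at changes the volume
# that reaches the collector.
import re

# RFC 5424 severity numbers, 0 = most severe, 7 = least severe
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line):
    """Return (facility, severity) from a syslog line, or None if it has no valid PRI.

    PRI = facility * 8 + severity; the largest legal value is 191 (local7.debug).
    """
    m = PRI_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:
        return None
    return pri // 8, pri % 8


def severity_name(line):
    """Human-readable severity of a line, or None if undecodable."""
    decoded = decode_pri(line)
    return None if decoded is None else SEVERITIES[decoded[1]]


def keep(line, threshold):
    """True if the line would be forwarded when logging at 'threshold'.

    A device logging at level N emits everything with severity <= N
    (lower numbers are more severe), so raising the level adds volume.
    """
    decoded = decode_pri(line)
    if decoded is None:
        return False  # constructed policy: drop lines without a valid PRI
    return decoded[1] <= threshold


def volume_by_threshold(lines):
    """Map each logging level 0..7 to the number of lines forwarded at that level."""
    return {t: sum(keep(line, t) for line in lines) for t in range(8)}


# Constructed sample: facility local4 (20), as many routers use, with mixed severities.
SAMPLE = [
    "<164>Jan  5 10:00:01 edge-rtr %LINK-4-UPDOWN: Interface Gi0/1, changed state to down",
    "<165>Jan  5 10:00:02 edge-rtr %LINEPROTO-5-UPDOWN: Line protocol on Gi0/1 changed state to down",
    "<166>Jan  5 10:00:03 edge-rtr %SEC-6-IPACCESSLOGP: list EDGE-IN denied tcp 203.0.113.5(4444) -> 192.0.2.10(22), 1 packet",
    "<167>Jan  5 10:00:04 edge-rtr %SYS-7-USERLOG_DEBUG: debug trace",
    "<162>Jan  5 10:00:05 edge-rtr %SYS-2-MALLOCFAIL: Memory allocation failed",
    "garbage line without a PRI",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(f"{str(severity_name(line)):8} {line[:60]}")
    for level, count in volume_by_threshold(SAMPLE).items():
        print(f"logging level {level} ({SEVERITIES[level]:7}): {count} of {len(SAMPLE)} lines forwarded")
```

Note that the access-list denial, the line a security analyst most wants to see, sits at severity 6 (info), so a device left at the default "warning" level never sends it; the cost of turning the level up is the debug noise and CPU load that come with it, which is exactly the decision the post describes.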
To do it right, logging requires collaboration between different departments within an organization. Sometimes this area is not a high priority in an organization, though it should be. Do you agree? Have you experienced similar situations? Do you have any success story?