All organizations with information systems need to know what’s happening on, and between those systems. This is where a comprehensive logging setup can be very beneficial. It shows you what has happened and when it happened. Make sure we protect these logs from being altered or destroyed, and that admin access to the logs is monitored should also be considerations.. Finally making sure your time is synchronized across your estate ensures you can build an accurate timeline of events when things go wrong.
On any system that processes information we should ensure we have auditing and logging in place. We must also ensure that it cannot be tampered with by the users of that system.
One way to accomplish this goal is to use rsyslog to store logs remotely, away from the clutches of a compromised local system. This control is important for any event that requires investigating and can help us find the cause of problems quickly and accurately. The level of logging should also be tailored to what is useful and what is useful depends on the type of information and purpose of this server. Too high of a logging level will lead to important log entries being overlooked due to the “noise” of excessive logging or even the servers hard disk filling up causing a crash or for older log entries to be overwritten. Too low of a logging level can lead to important event information not being recorded. Reviews of logs should be regularly carried out and logs should be kept according the retention period decided by what your organization deems necessary for investigations.
Logs are only as useful as they are accurate. Steps should be taken to ensure users cannot alter log entries, either maliciously or accidently. Enough storage space should be available to reduce the risk of excessive log files being generated to overwrite previous, important, entries. In addition, only authorized staff should be able to view logs. Ways to ensure logs have not been tampered with include storing logs remotely and ensuring integrity is maintained using file hashes.
Who watches the watcher? The age-old question can give security teams sleepless nights. The system owners, administrators, often have root or administrator privileges. To protect against abuse any use of these privileges should be recorded and reviewed. Likewise, the audit trail kept should be stored in a way that the administrator cannot tamper with.
As important as logs are they can simply add to the confusion if an organizations logs don’t follow a standardized data/time format and time zone throughout the various time zones the company operates in. While this may not be an issue for organizations based in the one time zone best practice dictates the organization decides on a time zone and format to follow and enforces that on all its assets and logs. This is known as your reference time. In many cases organizations settle on UTC for their reference time