Ode to Log Management
| Topics: | Business Intelligence, Compliance, IT Search, Operations, Security, Splunk |
|---|---|
| Tags: | Compliance, IT data, IT Search, log, log management, logging, MTTR, PCI, root cause analysis, Security, security attacks, SNMP, virtualization |
I love “log management.” I hate log management.
I love log management because years ago it was the impetus for IT to move beyond simple SNMP monitoring to collecting and trying to understand a much richer set of data about complex environments.
I hate log management because, over the years, it has been co-opted by vendors and analysts who have pigeonholed it into yet another IT management silo. These vendors and analysts have narrowly defined log management as the collection and storage of logs in some locked repository used to generate static reports to satisfy regulators, auditors and IT governance boards.
Why am I so bitter?
First, it turns out logs are critical to many other stakeholders in the enterprise. Operations needs real-time access to logs in order to find and fix problems and improve mean time to recovery (MTTR). Security needs logs to catch bad guys. Business people need logs to understand customer and service behavior and provide service level measurements. So locking up logs in a static repository designed for one constituency severely limits their value and diminishes the return on investment, not only in a log management solution but also in your IT assets overall.
Second, logs alone don’t provide any of the IT stakeholders with a complete picture.
Let’s take a simple example right from the hottest compliance use case today — PCI. The Payment Card Industry (PCI) Security Standards Council founded by American Express, Discover Financial Services, JCB International, Mastercard and Visa has outlined requirements for security management, policies, procedures, network architecture and software design. If you are a merchant accepting credit or debit cards and you process more than 20,000 transactions per year there are twelve specific requirements. Failure to comply with the requirements is not an option. You can be fined heavily and you can lose your ability to accept credit and debit cards.
One of the twelve requirements is the commitment to monitoring and investigating changes to configuration and password files for any application, server or device involved in the processing of cardholder information and transactions. In the case of file content, permission or attribute changes, logs will only tell me part of the story. Yes, a Windows, Linux or Unix log will tell me a file has been changed, but it won’t tell me who changed it. It also won’t tell me whether the change was authorized. To understand who changed a file I need to look at the other user processes running on that server at the time the file was changed. What user processes were running, and who owned them? In Unix or Linux this information is easily viewed with a simple “ps” or “top” command, but it doesn’t exist in any log. To understand whether the change was authorized, I need to compare the log and file change information with the user information and with any tickets from the service desk authorizing this user to make this type of modification.
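The three-way correlation described above (file-change log, process snapshot, service-desk ticket) can be sketched in a few dozen lines. The following is an added example written for this post, not code from the original article or from Splunk; the log line layout, the `ps`-style snapshot tuples, the ticket fields and the two-minute matching window are all assumptions chosen for illustration, and every log line, process row and ticket is constructed sample data.

```python
"""Correlate file-change log events with process snapshots and change tickets.

Added example for this post, not the author's or Splunk's code. The formats
below are assumptions: a syslog-style "filemon" line for file changes, a
ps-style (host, time, pid, user, command) tuple for process snapshots, and a
dict per service-desk ticket. All sample data is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed file-change log lines. Assumed layout:
#   "<ISO time> <host> filemon: CHANGED path=<path>"
FILE_CHANGE_LOGS = [
    "2008-06-25T20:01:10 web01 filemon: CHANGED path=/etc/app/config.xml",
    "2008-06-25T20:30:00 web01 filemon: CHANGED path=/etc/passwd",
]

# Constructed process snapshots, as a periodic 'ps' capture would give them:
# (host, capture time, pid, owning user, command line)
PROCESS_SNAPSHOTS = [
    ("web01", "2008-06-25T20:01:00", 4021, "alice", "vi /etc/app/config.xml"),
    ("web01", "2008-06-25T20:01:00", 1, "root", "init"),
    ("web01", "2008-06-25T20:30:00", 5177, "bob", "bash"),
    ("web01", "2008-06-25T20:30:00", 5180, "bob", "vi /etc/passwd"),
]

# Constructed service-desk tickets: who may change which paths, on which host,
# during which approved window.
TICKETS = [
    {"id": "CHG-1001", "host": "web01", "user": "alice",
     "path_pattern": r"^/etc/app/.*",
     "start": "2008-06-25T19:00:00", "end": "2008-06-25T21:00:00"},
]

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) filemon: CHANGED path=(?P<path>\S+)$")
SYSTEM_USERS = {"root", "daemon"}  # assumption: housekeeping accounts are not suspects


@dataclass
class FileChange:
    when: datetime
    host: str
    path: str


def parse_file_change(line):
    """Parse one constructed filemon line into a FileChange."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised line: {line!r}")
    return FileChange(datetime.fromisoformat(m["ts"]), m["host"], m["path"])


def processes_near(change, snapshots, window=timedelta(minutes=2)):
    """Return (user, pid, command) rows captured on the same host within +/- window."""
    rows = []
    for host, ts, pid, user, cmd in snapshots:
        if host == change.host and abs(datetime.fromisoformat(ts) - change.when) <= window:
            rows.append((user, pid, cmd))
    return rows


def suspect_users(change, snapshots):
    """Users whose processes name the changed file; else every non-system user present."""
    rows = processes_near(change, snapshots)
    direct = sorted({u for u, _, cmd in rows if change.path in cmd and u not in SYSTEM_USERS})
    if direct:
        return direct
    return sorted({u for u, _, _ in rows if u not in SYSTEM_USERS})


def authorizing_ticket(change, user, tickets):
    """Return the id of a ticket covering this user, host, path and time, or None."""
    for t in tickets:
        if t["host"] != change.host or t["user"] != user:
            continue
        if not re.match(t["path_pattern"], change.path):
            continue
        if datetime.fromisoformat(t["start"]) <= change.when <= datetime.fromisoformat(t["end"]):
            return t["id"]
    return None


def triage(log_lines, snapshots=PROCESS_SNAPSHOTS, tickets=TICKETS):
    """Enrich each file-change event with likely users and authorization status."""
    findings = []
    for line in log_lines:
        change = parse_file_change(line)
        suspects = suspect_users(change, snapshots)
        found = {u: authorizing_ticket(change, u, tickets) for u in suspects}
        ticket = next((t for t in found.values() if t), None)
        findings.append({
            "time": change.when.isoformat(), "host": change.host, "path": change.path,
            "suspects": suspects, "ticket": ticket,
            "status": "AUTHORIZED" if ticket else "INVESTIGATE",
        })
    return findings


if __name__ == "__main__":
    for f in triage(FILE_CHANGE_LOGS):
        print(f"{f['time']} {f['host']} {f['path']} suspects={f['suspects']} "
              f"-> {f['status']} {f['ticket'] or ''}")
```

Run as-is, the first change resolves to alice under CHG-1001, while the `/etc/passwd` change resolves to bob with no covering ticket and is flagged for investigation. The point is the shape of the join, not the toy formats: the log alone yields only the path and time, the process snapshot supplies the owner, and the ticket supplies the authorization decision.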
The real reason I believe we need to move on from talking about log management is that log management isn’t a market. It isn’t a solution. It is a feature in a much broader landscape of harnessing all the data being generated by our IT infrastructures. Turning all that data into information for every stakeholder is important to the future of IT as environments grow more complex, dynamic, service oriented, virtualized and mission critical. Not just to report on compliance controls, but to improve our speed of root cause analysis, increase our ability to quickly and comprehensively investigate security attacks, and develop more intimate relationships with our customers by better understanding their behavior and providing a transparent view of the services they are receiving in return.

June 25th, 2008 at 8:02 pm
I declare Log Management is DEAD!
June 28th, 2008 at 5:16 am
Well said.
Companies don’t realize the value that is present in their basic logs. It encompasses all parts of the business: marketing, performance management, event resolution, forensics…
-mike
June 30th, 2008 at 10:11 am
I agree with your point that log management is not a solution. However, it remains in the colloquium because managing logs is still an unsolved or partially solved problem in nearly every environment.
Although Splunk isn’t intended as a log management “solution” (as you correctly point out), many enterprises are discovering that their efforts to make their IT data searchable is having the parallel effect of making their IT data (logs, monitoring, messaging) more manageable.
July 14th, 2008 at 2:08 am
I would also like you to inform me some more about IT Governance and Compliance.
IT governance, risk and compliance (IT GRC) is about striking an appropriate balance between business reward and risk. The maturity of IT GRC practices for managing reward and risk has a direct impact on the organization. IT GRC encompasses the practices for delivering: Greater business value from IT strategy, investment and alignment, Significantly reduced business and financial risk from the use of IT, and Conformance with policies of the organization and its external legal and regulatory compliance mandates. IT GRC energizes the entire organization to imagine what it can achieve, establishes methods for achieving their objectives, and demonstrates the practices that are proven to work for minimizing business and financial risk. Fundamentally, IT GRC is about striking an appropriate balance between business reward and risk, enabling an organization to more effectively anticipate and manage business risk while more effectively delivering value for the organization. IT governance, risk, compliance, IT GRC, White paper, compliance survey report, 2008 compliance report. You can also get more information from http://www.compliancehome.com/symantec/
August 2nd, 2008 at 2:52 pm
Thanks for posting
August 4th, 2008 at 2:10 am
I enjoy pontificating about the nature and concept of security in the modern world. The heart of the most powerful IT security “monitoring” system must be a capacity that allows one to see every facet of structure and activity, flaw and perfection. The IT security expert who understands this knows that logs are an incomplete view of activity, even when well-correlated.
The ability to look at, interpret (and by default, search) any data from an IT infrastructure, be it metadata (e.g. logs, configurations - “data about data”) or content (e.g. documents, images) is where the immediate future of the IT Security expert lies. I agree with the assertion that log management is not a solution - it is simply a mildly useful stepping stone.
Our organisation has recently chosen Splunk as the foundation for its security monitoring solutions. Its search ethos combined with a non-dogmatic/non-prescriptive approach to security allows us to approach each and every customer with an open mind.
August 4th, 2008 at 6:07 am
[...] one administrator commented on the blog of Splunk CEO Michael Baum, “Log file management is DEAD.” It is becoming just one side of the larger task of system [...]