Security Basics mailing list archives
Re: log level settings
From: shannon_oneil_mn () yahoo com
Date: 24 Sep 2007 21:23:00 -0000
R,

For Windows: www.ultimatewindowssecuirty.com. Disclaimer: I do not work for UWS, but I've found their advice valuable. In my opinion, separate Windows from all other systems when you are defining policy. PCI sections 10.2 and 10.3 appear to have been written with Windows in mind; reading the requirements carefully will lead you to the correct AD policy. Domain Controllers and member servers will have varying needs, so there isn't a one-size-fits-all for Windows.

For unix and network devices, ask yourself "If I could sit in front of this box 24 x 7 x 365 and watch the logs, what sort of log entries will give the detail I need?" That may seem like too much data, but it's a valid starting point. Off-box the logs to a syslogger for protection. These two aspects (log important events && protect them from deletion) are critical to detecting actual problems, but if you don't have them AHEAD OF TIME, the game is over.

Use your notes from the "if I had all the time in the world" session mentioned above, and write regular expression matches that can identify and alert on patterns in the logs stored @ the syslogger. Build a script that compresses (and optionally deletes) logs based on organizational or regulatory requirements for retention.
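The two scripts the post above describes (regex matches that alert on patterns in the logs collected on the syslogger, and a retention script that compresses and then deletes old logs), as an added example that is not part of the original post and not the poster's own code. Everything in it is an assumption for illustration: the alert patterns, the file layout in the spool directory, the 7-day compress / 90-day delete periods, and the syslog lines in the sample, which are constructed rather than taken from any real host.

```shell
#!/bin/sh
# Added example, not from the original post. A minimal version of the two
# things the post asks for on a central syslogger: (1) regex matches that
# identify and alert on patterns in the collected logs, (2) a retention
# script that compresses, then deletes, old log files. Pattern list, file
# names, retention periods and the sample log lines are constructed
# assumptions, not data from any real host.

# Patterns worth an alert (POSIX extended regex). These are the kind of
# entries you would want to see if you could watch the box 24x7; extend
# them with your own notes.
ALERT_PATTERNS='sshd\[[0-9]+\]: Failed password|sudo: .*COMMAND=|su\[[0-9]+\]: FAILED SU|Accepted password for root'

# alert_count FILE: print the number of lines in FILE matching ALERT_PATTERNS.
# grep -c exits 1 when the count is 0, so force a zero exit for callers.
alert_count() {
    grep -E -c "$ALERT_PATTERNS" "$1" || true
}

# alert_lines FILE: print the matching lines themselves, for the alert body.
alert_lines() {
    grep -E "$ALERT_PATTERNS" "$1" || true
}

# ssh_bruteforce FILE THRESHOLD: aggregate failed SSH logins by source
# address and print "COUNT IP" for every source at or above THRESHOLD.
# A single failed password is noise; many from one address is an alert.
ssh_bruteforce() {
    grep -E 'sshd\[[0-9]+\]: Failed password' "$1" \
        | sed -E 's/.* from ([0-9.]+) port .*/\1/' \
        | sort | uniq -c \
        | awk -v t="$2" '$1 >= t { print $1, $2 }'
}

# rotate_logs DIR COMPRESS_DAYS DELETE_DAYS: gzip plain .log files older
# than COMPRESS_DAYS, then remove .log.gz files older than DELETE_DAYS.
# gzip keeps the original mtime on the .gz, so a file's age survives
# compression and the delete pass sees its true age. -mtime +N never
# matches a file written today, so the active file is left alone.
rotate_logs() {
    find "$1" -type f -name '*.log' -mtime +"$2" -exec gzip -9 {} \;
    find "$1" -type f -name '*.log.gz' -mtime +"$3" -exec rm -f {} +
}

# stamp_days_ago N: a touch -t timestamp N days in the past (GNU date
# first, BSD date as fallback); used only to build the constructed sample.
stamp_days_ago() {
    date -d "$1 days ago" +%Y%m%d%H%M 2>/dev/null || date -v-"$1"d +%Y%m%d%H%M
}

# make_sample_dir: create a temp dir holding a constructed syslog extract
# (web1.log, current), a 30-day-old plain log and a 2020-dated .log.gz;
# prints the directory path.
make_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/web1.log" <<'EOF'
Sep 24 21:01:02 web1 sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Sep 24 21:01:05 web1 sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Sep 24 21:02:10 web1 sshd[1301]: Accepted publickey for deploy from 192.0.2.10 port 40000 ssh2
Sep 24 21:03:00 web1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/cat /etc/shadow
Sep 24 21:04:00 web1 cron[1402]: (root) CMD (run-parts /etc/cron.hourly)
Sep 24 21:05:00 web1 su[1450]: FAILED SU (to root) deploy on pts/0
EOF
    : > "$d/old.log"
    touch -t "$(stamp_days_ago 30)" "$d/old.log"
    : > "$d/ancient.log.gz"
    touch -t 202001010000 "$d/ancient.log.gz"
    echo "$d"
}

# Stand-alone demo on the constructed sample. On a real syslogger the
# functions above would be called from cron against the spool directory.
sample=$(make_sample_dir)
echo "alerting lines in web1.log: $(alert_count "$sample/web1.log")"
alert_lines "$sample/web1.log"
echo "ssh sources with >= 2 failures:"
ssh_bruteforce "$sample/web1.log" 2
rotate_logs "$sample" 7 90
echo "after retention pass:"
ls "$sample"
rm -rf "$sample"
```

On the sample, the four alerting lines are the two failed SSH passwords, the sudo command and the failed su; the brute-force aggregation reports 203.0.113.7 with 2 failures; and the retention pass leaves web1.log untouched, turns old.log into old.log.gz and removes ancient.log.gz. The deletion step is the "optionally deletes" part of the post: drop the second find if your retention policy says keep everything.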
Current thread:
- log level settings r a (Sep 21)
- RE: log level settings John Hammond (Sep 25)
- <Possible follow-ups>
- Re: log level settings tomasgermano (Sep 25)
- Re: log level settings shannon_oneil_mn (Sep 25)
- Re: log level settings ahzawng (Sep 25)