Security Basics mailing list archives

Re: log level settings


From: shannon_oneil_mn () yahoo com
Date: 24 Sep 2007 21:23:00 -0000

R,

  For Windows;  www.ultimatewindowssecuirty.com

Disclaimer:  I do not work for UWS, but I've found their advice valuable.

In my opinion, separate Windows from all other systems when you are defining policy.  PCI sections 10.2 and 10.3 appear 
to have been written with Windows in mind - reading the requirements carefully will lead you to the correct AD policy.  
Domain Controllers and member servers will have varying needs, so there isn't a one-size-fits-all for Windows.  

For unix and network devices, ask yourself "If I could sit in front of this box 24 x 7 x 365 and watch the logs, what 
sort of log entries will give the detail I need?".  That may seem like too much data, but it's a valid starting point.  
Offbox the logs to a syslogger for protection.  These two aspects (log important events && protect them from deletion) 
are critical to detecting actual problems, but if you don't have them AHEAD OF TIME, the game is over.

Use your notes from the "if I had all the time in the world" session mentioned above, and write regular expression 
matches that can identify and alert on patterns in the logs stored @ the syslogger.

Build a script that compresses (and optionally deletes) logs based on organizational or regulatory requirements for 
retention.
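The two steps above (regex matches over the logs collected at the syslogger, and a retention script that compresses or deletes by age), as an added example that is not part of the original post. The rule patterns, syslog lines, hostnames and the 7/90-day retention numbers are all constructed for illustration.

```python
import re

# Detection rules: a name and a regex over one syslog line. The message wording is
# assumed (typical sshd/sudo/useradd/rsyslogd formats), not taken from the post.
RULES = [
    ("ssh_failed_password",
     re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)")),
    ("sudo_command", re.compile(r"sudo:\s+(?P<user>\S+) : .*COMMAND=(?P<cmd>.+)$")),
    ("new_user_added", re.compile(r"useradd\[\d+\]: new user: name=(?P<user>[^,]+)")),
    ("syslog_daemon_stopped", re.compile(r"(?:syslogd|rsyslogd).*(?:exiting|stopped)")),
]

def scan_log(lines):
    """One alert dict per (line, rule) match, carrying the regex's named groups."""
    alerts = []
    for lineno, line in enumerate(lines, 1):
        for name, rx in RULES:
            m = rx.search(line)
            if m:
                alerts.append({"rule": name, "line": lineno, **m.groupdict()})
    return alerts

def brute_force_sources(alerts, threshold=3):
    """Sources with at least `threshold` failed SSH logins: a simple correlation on top of the matches."""
    counts = {}
    for a in alerts:
        if a["rule"] == "ssh_failed_password":
            counts[a["src"]] = counts.get(a["src"], 0) + 1
    return {src: n for src, n in counts.items() if n >= threshold}

def retention_plan(files, compress_after_days=7, delete_after_days=90):
    """files: (name, age_in_days) pairs. Returns (to_compress, to_delete); already
    compressed (.gz) files are left alone until they reach the deletion age."""
    to_compress = [f for f, age in files
                   if compress_after_days <= age < delete_after_days and not f.endswith(".gz")]
    to_delete = [f for f, age in files if age >= delete_after_days]
    return to_compress, to_delete

# Constructed sample input (RFC 5737 documentation addresses, fictitious host "bastion").
SAMPLE_LOG = [
    "Sep 24 21:01:02 bastion sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "Sep 24 21:01:05 bastion sshd[4121]: Failed password for root from 203.0.113.7 port 51030 ssh2",
    "Sep 24 21:01:09 bastion sshd[4121]: Failed password for root from 203.0.113.7 port 51041 ssh2",
    "Sep 24 21:02:14 bastion sshd[4130]: Accepted publickey for ops from 192.0.2.10 port 40012 ssh2",
    "Sep 24 21:03:00 bastion sudo:  ops : TTY=pts/0 ; PWD=/home/ops ; USER=root ; COMMAND=/usr/sbin/useradd svc_backup",
    "Sep 24 21:03:01 bastion useradd[4150]: new user: name=svc_backup, UID=1003, GID=1003, home=/home/svc_backup, shell=/bin/sh",
    'Sep 24 21:05:44 bastion rsyslogd: [origin software="rsyslogd"] exiting on signal 15.',
]
SAMPLE_FILES = [("messages", 0), ("messages.1", 8), ("messages.2.gz", 30), ("messages.9", 120), ("messages.10.gz", 200)]

if __name__ == "__main__":
    alerts = scan_log(SAMPLE_LOG)
    print(*alerts, sep="\n")
    print("repeat failed-login sources:", brute_force_sources(alerts))
    print("retention (compress, delete):", retention_plan(SAMPLE_FILES))
```

The syslog daemon stopping is on the list deliberately: once the logs stop arriving, nothing downstream can alert on anything.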
