Sponsored by ArcSight
SANS Seventh Annual Log Management Survey Report
A SANS Whitepaper – April 2011
Written by Jerry Shenk
Survey Sample
Why Companies Collect Log Data
Users Want Better Log Data (and More of It!)
Top Challenges to Effective Log Management
Advisors:
Dave Shackleford and Barbara Filkins
SANS Analyst Program 1 SANS Seventh Annual Log Management Survey Report
Executive Summary

Every spring since 2005, the SANS Log Management survey has tracked the growth and maturity of the log management industry. This survey has consistently identified areas in which organizations are focusing their log management initiatives and continues to provide a roadmap to the industry for future improvement. Over the years, these surveys have shown growth in the collection and use of logs for security and compliance. Most recently, in the past two years, these surveys have shown that organizations are seeking more uses from their logs, but they have problems getting the value they want from those logs.

When this survey started seven years ago, log collection was only being done by 43 percent of respondents, compared with 89 percent who indicated they collected logs this year, which is consistent with last year's survey. So, log collection is no longer as much of a problem as it was in the past. Now, they're also collecting logs for much more than detecting suspicious behavior and troubleshooting, as in the recent past. Over the past two years, more respondents are also collecting logs for use in forensic analysis and correlation and to meet/prove regulatory compliance. In fact, these three uses for logs rank close enough in importance that it is fair to say that for a log management solution to be effective today, it must support all three.

In addition to the above top three uses, organizations are collecting more data from physical plant/operations systems (e.g., HVAC, SCADA), mobile platforms, and point-of-sale (PoS) devices. This means more log types to collect and analyze, each with their own data formats that can vary widely. Even when these log data format differences are slight (such as one date format being MMDDYYYY and another being MM-DD-YYYY), they must be adjusted in order to accurately correlate and report on the data. This has been an ongoing problem for users of log management technologies, particularly as they start to use their logs for more purposes.

In addition to normalization, respondents are also struggling with searching, correlating and reporting functionalities. Figure 1 illustrates the aspects of log management that respondents considered most challenging or moderately challenging.
Figure 1. Log Management Challenges
The mechanics of collecting, storing and archiving the log data are no longer the challenge in today's world of almost unlimited data storage. The challenge now is extracting the needed information for monitoring, management, compliance and decision-making (often in near real-time) from what respondents say is upwards of 100,000 events recorded per day.

This year, respondents were asked specifically about what was and was not useful in terms of searching and reporting capabilities. They selected real-time alerts as their most useful feature. However, they were less enthusiastic about their log management system's ability to interface with third-party tools or larger SIEM environments. Users also cited problems with correlation, searching and interfacing with heterogeneous systems, and difficulties locating information within logs.

In particular, Windows systems are still difficult to draw and normalize logs from. This is a primary problem for organizations this year, as in years past, according to responses. Windows, pervasive throughout most industries, is widely criticized for its unfriendliness to log analysis. However, all vendors of log management applications are making their systems interact better with multiple sources of log data, including from Windows systems. Still, as one commenter wrote, all vendors need to get better at generating useful events.

Despite the shortcomings respondents report, organizations are increasingly dependent on log management to support core business functions including cost management, service level and line-of-business application monitoring, as well as more traditional IT- and security-focused activities, according to responses. The rest of this report details what organizations are doing with their logs today and what they still want from their logs in order to achieve the highest value for their business, security and compliance operations.
Survey Sample

A total of 747 organizations started this year's survey, with 571 completing the survey all the way through to the end. Organizations represented in this year's survey (see Figure 2) encompassed a wide range of industries and sizes. The largest industry verticals represented were financial (19 percent) and government (18 percent). Healthcare and education were well represented as well. The additional 23 percent that replied "other" included good representation from software companies, entertainment, managed services and consultants working among these verticals.

Figure 2. Industries Represented in This Year's Survey
Respondents were nearly equally balanced between large organizations (over 2000 employees) and mid-sized and small organizations, as shown in Figure 3.

Figure 3. Size of Organizations Based on Responses

The vast majority of respondents held staff positions (rather than being consultants). This year, a higher percentage of respondents held a security-oriented role in their organizations, as opposed to a network-oriented role, which was more common last year. Of the 747 respondents to answer this question, 73 percent had security titles, whereas 35 percent had networking titles. Some respondents, seven percent, also had compliance officer roles. The total exceeds 100 percent because some respondents' duties overlap among the areas of networking, security and compliance.
Why Companies Collect Log Data

In this year's survey (as in the 2009 and 2010 surveys), detecting incidents, determining what happened (forensics and analysis), and meeting compliance requirements were the top three reasons for collecting logs. Once again this year, the most important reason for collecting log data was to "Detect/track suspicious behavior and prevent incidents," as illustrated in Figure 4. Second place went to "Support forensics analysis and correlation," and third was "Meet/prove compliance with regulatory requirements."

Figure 4. Why Respondents Collect Logs

While maybe not critical, supporting other IT operations ranked high in level of importance, and more than 50 percent of organizations think that logs can be important in reducing costs and supporting other processes besides security and compliance operations. These options were not provided in last year's survey, but survey respondents last year (and this year) indicated an increasing desire to derive more business value from their logs.
Most Useful Features
Once they collect their logs, respondents say the most useful feature of log management systems is "real-time alerts," with 68 percent indicating they are very useful and 25 percent indicating they are somewhat useful. The second and third most useful features were "Intuitive user interface for search" and "Unified interface for all log-related activities." To be precise, there is no such thing as a real-time alert, due to delays in log event analysis and notifications. What's important is that many respondents are getting useful alerts from their log management systems in a timely enough manner.

The fourth most useful feature was "Good performance for all log-related activities, whether individual or simultaneous." In the past, log management system performance received low marks by survey respondents. It is good to see that 55 percent of respondents gave this the highest mark, while 37 percent gave it a mid-range mark. Combined, that's more than a 90 percent approval rating. "Integration with larger SIEM environment" ranked ninth on the list of usefulness. Some comments indicate that respondents are in the process of installing SIEM systems, so there will likely be stronger responses to this question next year. Figure 5 shows the overall ratings for Very and Somewhat useful features based on responses.

Figure 5. Features Deemed Most Useful by Respondents
Flipping the question around, it's also interesting to note that the least useful features of log management point to other integration problems. The question was, "How useful do you rate the following features in support of your log analysis and reporting activities?" The choices were Very Useful, Somewhat Useful, and Not Useful. Not Useful was chosen most for "Interface with third-party reporting tools," with 27 percent of respondents choosing this option. Sharing the bottom of the list, with a 21 percent negative vote, was "Integration with larger SIEM environment." Figure 6 shows the features deemed least useful by respondents. Overall, these are relatively low negative scores, which suggests that the usefulness of log management systems is improving.

Figure 6. What Respondents Find Least Useful About Their Log Management Systems
Users Want Better Log Data (and More of It!)
The number of sources from which organizations are collecting logs continues to expand. This year's survey shows that 59 percent of respondents are collecting log data from their line of business applications, and 14 percent of respondents are collecting log data from their physical plant control systems, such as HVAC. These were not considered a major source for log data in previous years. Other new sources included in this year's survey are log collection from mobile devices (15 percent) and cloud services (14 percent). Point-of-sale (PoS) devices were not on the list but were referenced in comments.

According to this year's survey, most organizations are collecting logs from more than 50 devices, with only 30 percent collecting from fewer than 50 devices. The vast majority of survey respondents indicate they are collecting logs for compliance purposes, leading with PCI DSS. Figure 7 shows what compliance mandates are driving their log management programs.

Figure 7. PCI DSS is the Leading Compliance Driver for Log Collection
The types of log information respondents consider to be the most valuable are "Source/destination IP address" and "Time/date stamp." These were nearly tied with "Event information (name, category, type)," followed by "Source/destination TCP/UDP port" and "User information." This level of detailed log data, correlated as needed and in real-time, helps operators find events on the network with minimal manual searching and better accuracy. This question also had an "other" category, in which respondents indicated they wanted even more information from their log management systems, including "detailed network connection logs," "complete URL strings," "full packet capture," and "payload." A log manager might not be the best place for some of that data. Instead, IPS, continuous monitoring or SIEM might collect these data types more effectively. However, the comments highlight the point that many analysts want more information correlated against more threat-monitoring devices to help them make decisions about possible events.

"Vendors need to get better at generating events that are useful because it doesn't matter how good your log management solution is if the events coming into it are garbage," wrote one commenter, Jim Murray, an information security architect in the insurance sector. Vendors of hardware and software that generate logs should differentiate themselves from their competition by standardizing their log data and its syntax and improving the level of log information they make available.
Top Challenges to Effective Log Management
Year over year, trends uncovered in this survey have directly reflected the maturing of the industry. Initially, the top problem reported was simply collecting logs. A few years ago, collecting logs dropped to the least problematic issue, and now respondents express troubles in the areas of normalization, categorization, searching and reporting. See Figure 8.

Figure 8. Top Challenges Reported by Log Management Users

"Normalizing and categorizing information" was the top issue this year (42 percent claimed this as their most challenging problem, and 37 percent considered it a problem). The second most noted issue was searching (32 percent considered this their most challenging problem, and 48 percent considered it a problem). "Using logs for reporting and analysis" came in third (18 percent considered this their top challenge, with 50 percent considering this a problem). Nearly as high a percentage (49 percent) considered using logs for operations and maintenance to be a problem, with 18 percent considering it their top challenge. These challenges tie closely to results from a related question about the top hindrances in searching and analyzing logs. In order, these top problems were inability to search across different log management systems, lack of correlation capabilities, interfacing with other IT groups, and locating needed information within the logs collected.
Normalization and Multisource Data
Different systems and devices record the same events in different ways, making analysis of logs difficult. For example, a Cisco ASA firewall, an iptables firewall, and a Check Point firewall basically all perform the same function of blocking some packets and allowing others based on preset criteria. Yet, how they express events in their logs is different for every application. In fact, a Cisco PIX firewall and the newer ASA firewall require some changes to log event analysis when upgrading.

One way to compare similar events is through normalization.¹ Normalization should be able to take log events from all devices under management and present them in a common way for searching and reporting. One problem with normalization is that, unless the log management system saves both the original log data and the normalized log data, the original data is lost to the organization. Original log data can be used for verification and make the difference in determining whether an attack failed or was successful and can point out a false alarm. The problem is greatest when collecting data from systems and hardware (e.g., phones or cloud services) that aren't well supported by the log management vendor.

Most commercial log management systems include storage options for both normalized and original data. These storage systems should be expandable as needs dictate. In the survey, 36 percent of respondents say their organizations store their log data for up to a year, and 33 percent store data for up to five years. Of those respondents who know their log event volume, most see more than 100,000 log events per day—and half of those are seeing more than 1 million events per day.

The bottom line is that each application can log and store different types of data in the formats and for the duration dictated by the organization's business, security and compliance needs. The keys to having good log data management, then, are consistency in format, collection and storage of enough data to answer the "4-Ws" (who, what, when and where), and good documentation to interpret what the log data means.
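As an added example (not code from the report or from any of the vendors it names), the following Python normalizer takes constructed deny events in three layouts (an iptables kernel line, a Cisco ASA 106023 line, and a hypothetical Check Point-style export that uses the MM-DD-YYYY date the Executive Summary mentions) and maps them to one schema that answers the 4-Ws, while keeping the original line in every record as the paragraph above recommends. The line layouts are simplified from the real products' formats, the year in the syslog-style timestamps is added for the sake of the example, and all hostnames and addresses are constructed.

```python
"""Normalize firewall deny events from three vendor formats into one schema.

Added example, not part of the SANS report. Sample lines are constructed;
the Check Point-style line is a hypothetical export format chosen only to
show the MM-DD-YYYY date difference. Each record keeps the original line.
"""
import re
from datetime import datetime

SAMPLE_LINES = [
    # constructed iptables kernel line (year added to the syslog timestamp)
    "Apr 14 2011 09:15:02 fw1 kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 "
    "DST=192.0.2.10 PROTO=TCP SPT=51515 DPT=22",
    # constructed Cisco ASA 106023 deny line
    "Apr 14 2011 09:15:05 asa1 %ASA-4-106023: Deny tcp src "
    "outside:203.0.113.7/51516 dst inside:192.0.2.10/22 by access-group \"outside_in\"",
    # hypothetical Check Point-style export with an MM-DD-YYYY date
    "04-14-2011 09:15:07 cp1 drop 203.0.113.7 192.0.2.10 tcp 51517 22",
]

# One (regex, strptime format, source name) triple per input format.
FORMATS = [
    (re.compile(
        r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: .*?"
        r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) "
        r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"),
     "%b %d %Y %H:%M:%S", "iptables"),
    (re.compile(
        r"^(?P<ts>\w{3} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
        r"%ASA-\d-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/(?P<spt>\d+) "
        r"dst \w+:(?P<dst>[\d.]+)/(?P<dpt>\d+)"),
     "%b %d %Y %H:%M:%S", "cisco_asa"),
    (re.compile(
        r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}) (?P<host>\S+) drop "
        r"(?P<src>[\d.]+) (?P<dst>[\d.]+) (?P<proto>\w+) (?P<spt>\d+) (?P<dpt>\d+)$"),
     "%m-%d-%Y %H:%M:%S", "checkpoint_style"),
]


def normalize(line):
    """Return a common-schema record for a firewall deny line, or None."""
    for pattern, ts_format, source_type in FORMATS:
        m = pattern.search(line)
        if not m:
            continue
        when = datetime.strptime(m.group("ts"), ts_format)
        return {
            "when": when.isoformat(),           # one timestamp format for all sources
            "where": m.group("host"),
            "what": "firewall_deny",            # common event category
            "who": None,                        # firewalls log no user for a deny
            "source_type": source_type,
            "src_ip": m.group("src"),
            "dst_ip": m.group("dst"),
            "proto": m.group("proto").lower(),  # "TCP" and "tcp" become one value
            "src_port": int(m.group("spt")),
            "dst_port": int(m.group("dpt")),
            "raw": line,                        # original kept for verification
        }
    return None


def normalize_all(lines):
    """Normalize every line; unparsed lines are kept as raw-only records."""
    records = []
    for line in lines:
        rec = normalize(line)
        records.append(rec if rec else {"what": "unparsed", "raw": line})
    return records


def denies_by_source(records):
    """Count normalized deny events per source IP, across all vendors."""
    counts = {}
    for rec in records:
        if rec.get("what") == "firewall_deny":
            counts[rec["src_ip"]] = counts.get(rec["src_ip"], 0) + 1
    return counts


if __name__ == "__main__":
    records = normalize_all(SAMPLE_LINES)
    for rec in records:
        print(rec["when"], rec["where"], rec.get("src_ip"), "->",
              rec.get("dst_ip"), rec.get("dst_port"))
    print(denies_by_source(records))
```

The point of the "raw" field is the one the paragraph makes: once the three lines are collapsed into one schema, only the original text can settle whether the parser got the fields right, and a line no pattern recognizes is retained rather than dropped so that unsupported sources are not silently lost.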
Getting at the Information
Getting to those "4-Ws" is still somewhat daunting for many organizations represented in this survey. Most log management systems have some sort of a web-based front end that can be used for searching. Responses, however, indicate dissatisfaction with their searching and reporting/analysis capabilities. This coincides with respondents to last year's survey, wherein 64 percent considered searching and reporting to be the first and second most challenging aspects of log management.

When asked new questions about their specific problems with searching and reporting this year, respondents pointed to lack of correlation, inability to search across different log management systems, and integration with other IT systems as their top three hindrances to their searching and reporting capabilities. They also point to problems locating information within the logs.

¹ http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf
Integration with multiple log management tools is becoming a factor because respondents this year, as well as in recent years past, report using a mix of homegrown and third party tools. Many report using multiple third party log management tools. Responses also indicate multiple homegrown tools in single environments, with a very small number using log management as a service.

Survey responses also point to the need for stronger graphical and data representation, with only 32 percent of respondents ranking these features as "Very" useful in their log management systems. A well-designed graph or chart can convey a lot of information quickly and can even support non-technical managers when necessary. One commenter pointed out that from a business perspective, sometimes including graphics is an expected part of a presentation, even if the graphic's value is limited. Responses indicate that people have worked with their log manager's graphic options and would like to include graphics, but they aren't able to get what they would like out of the presentation capabilities of current log management systems. This is another area of growth for vendors.

The ability to script routine tasks was also brought up by one respondent. Any serious log analyst knows that the ability to set up scripts to run repetitive tasks can be a huge time saver. Scripts often make it possible to track events and statistics, allowing review that would not be available any other way. Many log analysts set up processes to run in the early morning to give them some quick baselines to review when they get into work. Others run scripts periodically to detect suspicious or overtly hostile activity (the single feature rated most useful). In order to collect and consolidate information that doesn't neatly fit into a report, the ability to run low-level scripts is often necessary. Many log management systems have some capability to script and run some reports on a schedule and deliver them over e-mail, via web, pager or smartphone; however, based on responses, they need even more 'scriptability' than they already offer.
Managing Windows Logs
This is the second year the survey included questions specifically addressing Windows log management. The results are essentially the same for both years: Windows, the most heavily used operating system throughout the world, still gets a bad grade for its logging environment. As one respondent stated simply, "Windows makes it difficult to collect logs."

Collection and storage of Windows logs received a 40 percent approval score, with about 10 percent reporting they were "Very Satisfied" and about 30 percent reporting they were "Satisfied." All other categories held dismal satisfaction ratings: five to seven percent reported being "Very Satisfied" and between 18 and 24 percent were "Satisfied" with their Windows log management capabilities. That leaves approximately 50 to 60 percent of respondents being only "Somewhat Satisfied" or "Dissatisfied" (see Figure 9).
Figure 9. Windows Log Management Still Gets Low Scores from Respondents
Analysis is the top problem that organizations have with Windows log management, closely followed by reporting. There are a number of factors that make Windows log management more difficult than other software (UNIX/Linux) and hardware platforms, such as routers, firewalls and switches. Windows does not natively support syslog in any flavor for log collection. Yet, according to the survey, UDP Syslog is still the most popular log collection method. TCP Syslog is more resilient and can scale better, and 50 percent of respondents also support TCP Syslog. Neither version of Syslog is supported by Windows.

It would be helpful if Microsoft would incorporate some changes in their operating systems to make it easier to collect, normalize, parse and analyze events coming from Windows systems and subsystems. Users often install third-party add-on applications to get this functionality. Those leaving comments listed the Snare agent as the most popular way to send event log data from a Windows server to a syslog server, but there are also other options. Some log management systems pull log data from Windows servers, as well. Today, the burden of analysis rests mostly on the log management software to pull and normalize Windows events into usable information.

Satisfaction with Windows log management has decreased in some categories since last year (monitoring, performance and collection)—with no improvements in reporting and only minor improvements in analysis and storage (see Figure 10). So, vendors have a long way to go to satisfy Windows users.
Figure 10. Windows Log Management Scores Worse This Year in Some Areas
Where to Start? A Primer for Windows Log Management
Dr. Anton Chuvakin, lead author of the SANS Log Management course, says, "One of the first things that people should do to start getting value from their Windows event logs is to actually start centrally collecting them from all the Windows systems. Before you can do analytics and alerts, it makes sense to build a working log repository. It will hugely help you during incident response."

One popular way to do this is using the Snare² agent, although there are other options. It is also possible to pull the information from the event logs using LASSO³ or one of the other agents that are available. For a full Windows shop, the log server could run on a Windows computer. The Kiwi Syslog Server⁴ is a popular option. There are also free log servers that run on Linux, and there are a number of commercial log servers. Once the syslog server is running, you can search through the events for events of interest.

Dr. Chuvakin also recommends learning the normal log patterns right after collection. Stored logs are useful (such as for incident response), but to use logs for incident detection, you need to know what is abnormal—and that begins with knowing what is normal!
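The early-morning baseline scripts described earlier (under Getting at the Information) and Dr. Chuvakin's advice to learn the normal patterns come down to the same routine: summarize event counts per day, then compare the new day against the recent past. As an added example, not from the report or from the SANS course, the following Python script does that over constructed per-host Windows event-ID counts. The only real identifiers are event IDs 528 and 529 (the legacy Windows logon-success and logon-failure IDs; 528 is the one the report cites); the hostnames and counts are invented, and the three-standard-deviation threshold is an arbitrary choice a team would tune for its own environment.

```python
"""Daily baseline of Windows event-ID counts with deviation alerts.

Added example, not from the SANS report. History and today's counts are
constructed; in practice they would come from a nightly summary query
against the central log server.
"""
from statistics import mean, pstdev

# Constructed: seven days of daily counts per (host, event_id).
# 528/529 are the legacy Windows logon-success/logon-failure IDs.
HISTORY = {
    ("dc1", 528): [980, 1010, 995, 1020, 1005, 990, 1000],
    ("dc1", 529): [18, 22, 25, 19, 21, 20, 23],
}

# Constructed counts for the day under review this morning.
TODAY = {
    ("dc1", 528): 1010,   # within the normal band
    ("dc1", 529): 140,    # failed logons far above the baseline
    ("ws7", 528): 35,     # host/ID pair never seen in the history
}


def build_baseline(history):
    """Per (host, event_id): mean and standard deviation of daily counts."""
    baseline = {}
    for key, counts in history.items():
        # floor the deviation at 1.0 so a perfectly flat history still works
        baseline[key] = (mean(counts), max(pstdev(counts), 1.0))
    return baseline


def check_day(baseline, today, threshold=3.0):
    """Return alerts for pairs that deviate from normal or were never seen."""
    alerts = []
    for key, count in sorted(today.items()):
        host, event_id = key
        if key not in baseline:
            alerts.append({"host": host, "event_id": event_id, "count": count,
                           "z": None, "reason": "never seen in baseline"})
            continue
        avg, sd = baseline[key]
        z = (count - avg) / sd
        if abs(z) >= threshold:
            alerts.append({"host": host, "event_id": event_id, "count": count,
                           "z": round(z, 1),
                           "reason": "%.1f standard deviations from mean %.1f" % (z, avg)})
    return alerts


def update_history(history, today, window=7):
    """Roll today's counts into a copy of the history, keeping `window` days."""
    updated = {key: list(counts) for key, counts in history.items()}
    for key, count in today.items():
        updated.setdefault(key, []).append(count)
        updated[key] = updated[key][-window:]
    return updated


def morning_report(history=HISTORY, today=TODAY):
    """One line per alert: what an analyst reads first thing in the morning."""
    return ["%s event %d: %d (%s)" % (a["host"], a["event_id"], a["count"], a["reason"])
            for a in check_day(build_baseline(history), today)]


if __name__ == "__main__":
    for line in morning_report():
        print(line)
```

Two design points matter more than the statistics: a pair that has never appeared in the baseline is reported on its own, because "new" is itself a deviation from normal, and the history is rolled forward each day so that last week's anomaly does not quietly become this week's baseline without someone noticing.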
On the web page for the SANS course on compliance for managers,⁵ there is also a link to the course's PDF, which contains a checklist for security incidents. In the lower left corner of that file is a list of a few of the most critical Windows events. These can be a good starting point.

When examining the logs, you'll need a place to look up event IDs to get more information on them. Searching for the specific event ID (e.g., event id 528) on the Microsoft TechNet Support website⁶ can be helpful. The site, eventid.net, is also a quick, handy resource for information about specific Windows event IDs. Randy Franklin's website⁷ has an extensive list of Windows event IDs.

² www.intersectalliance.com/projects/SnareWindows/
³ http://sourceforge.net/projects/lassolog/
⁴ www.kiwisyslog.com/kiwi-syslog-server-features-and-benefits
⁵ www.sans.org/security-training/log-management-in-depth-compliance-security-forensics-troubleshooting-1217-mid
⁶ http://technet.microsoft.com/en-us/ms772425.aspx
⁷ www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx
Summary

Organizations are increasingly measuring their security effectiveness based on their ability to improve incident remediation, reduce incidents and meet compliance, according to this year's survey. They are also measuring effectiveness by how much they reduce overall security and maintenance costs, as well as improve overall system performance.

Measuring effectiveness and making improvements depends, in large part, upon logs. Log analysts want better log data from more devices, and they are looking for better quality log data to be gleaned from their monitored devices. The top reasons organizations collect logs are to detect, track and analyze security incidents and to meet regulatory compliance requirements. The devices they want log data from are extending beyond the traditional sources (e.g., servers, firewalls and routers) to the physical plant (e.g., HVAC, SCADA) and remotely attached devices, with a small percentage already collecting logs from phones and PoS terminals. IT departments are also looking for log management systems that provide quick, accurate and correlated responses to queries. They also want to be able to turn those queries into reports with visuals and graphics, while being able to easily customize queries to support industry-specific applications and devices in use within their organizations.

While satisfaction is improving overall, respondents are having problems with analysis and reporting. Their biggest problem is managing logs from Windows systems—a pretty big problem because Windows operating systems are so pervasive. In both the 2010 and 2011 surveys, users point to Windows log collection problems and messages that are difficult to analyze. It would be nice to see Microsoft include native syslog capabilities for their operating systems and software. Log management vendors need to continue working to solve the problem, and many are already making headway. IT departments also need to develop internal resources to study log data and learn what events mean. This will take commitment, but the rewards will be increased productivity, compliance and security.
About the Author

Jerry Shenk currently serves as a senior analyst for the SANS Institute and is senior security analyst for Windstream Communications in Ephrata, PA. Since 1984, he has consulted with companies and financial and educational institutions on issues of network design, security, forensic analysis and penetration testing. His experience spans small home-office systems to global networks. Along with some vendor-specific certifications, Jerry holds six GIAC certifications, all completed with honors: GCIA, GCIH, GCFW, GSNA, GPEN and GCFA. Five of his certifications are GOLD certifications.
SANS would like to thank its sponsor: