Regulations such as PCI DSS, SOX, HIPAA, and GLBA mandate that event log data be collected, securely archived, and regularly reviewed. Collecting and archiving logs can overwhelm an IT team, given the wide variety of devices, operating systems, and applications in use today and the sheer volume of events that must be analyzed and stored.
The hard part of daily log review is the “daily” part
For PCI DSS compliance (Requirement 10.6), you are required to review event logs at least daily. That means 7 days a week, 365 days a year. To review logs properly, an in-depth understanding of network security, device configurations, and application behavior is a must. To demonstrate compliance, you need an audit trail that proves you are actually reviewing the logs, and auditors need access to historical log data.
Log Manager customers already know the value of our automated log collection and archival service. You know how much time you can save by creating views to quickly sift through and make sense of the large volume of events generated on a daily basis. You’re also able to demonstrate compliance by giving auditors the access they need to view all of your log data history and reports.
But how do you create a repeatable workflow for reviewing logs on a daily basis?
Automated workflow can help
With the release of Log Manager 2.1 on January 15, we’ve improved the case management capabilities so you can create your own daily log review process. Here’s how:
Step 1: Group the views that need to be reviewed daily
You can now create a group of views to make it easy to organize the log data that needs to be reviewed daily. These Groups allow users to manage and categorize Saved Views by technology type, location, or compliance requirements. Simply create a group for “Daily Log Review,” and then add or create the relevant Saved Views.
Step 2: Schedule the views to be executed daily
For each view in the “Daily Log Review” group, schedule it to run at a specific time each day.
Step 3: Automatically create and assign cases
A new feature in Saved View Scheduling allows you to automatically create a case based on a template. You can assign a due date, priority, reviewer (a single user or a group of users), and additional tasks to be performed. When the case is created, the results of the executed view are included in the case for easy reference. A view that returns no data automatically closes its case, saving your team time every day.
Reviewers will receive email notifications when they need to take action.
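To make the three steps concrete, here is an added example (not Log Manager code, and nothing in it is the product's API): a small Python workflow in which a "Daily Log Review" group of saved views is run over one constructed day of events, each view opens a case from its template (priority, reviewers, due date, tasks), a view with no results has its case closed automatically, and every action is appended to a per-case audit trail that records who reviewed what and when. The view names, reviewer names, and log lines are all invented for the illustration.

```python
"""Toy daily log review workflow: run a group of saved views over one day's
events, open a case per view from a template, auto-close empty views and
keep an audit trail. Added illustration, not Log Manager code; all names
and log lines below are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable

# Constructed sample events for one day (not real log data).
SAMPLE_EVENTS = [
    {"ts": "2009-01-15T02:13:07Z", "host": "fw01",
     "msg": "Deny tcp 198.51.100.7:51234 -> 10.0.0.5:3389"},
    {"ts": "2009-01-15T02:13:09Z", "host": "fw01",
     "msg": "Deny tcp 198.51.100.7:51235 -> 10.0.0.5:3389"},
    {"ts": "2009-01-15T03:40:11Z", "host": "db01",
     "msg": "sshd: Failed password for root from 203.0.113.9 port 4022"},
    {"ts": "2009-01-15T08:02:45Z", "host": "web01",
     "msg": "httpd: GET /index.html 200"},
]
NOW = datetime(2009, 1, 15, 9, 0, tzinfo=timezone.utc)   # scheduled run time

@dataclass(frozen=True)
class SavedView:            # a named filter over events
    name: str
    matches: Callable[[dict], bool]

@dataclass(frozen=True)
class CaseTemplate:         # what a scheduled view creates
    priority: str
    reviewers: tuple        # one user or a group of users
    due_in: timedelta
    tasks: tuple = ()

@dataclass
class Case:
    view: str
    priority: str
    reviewers: tuple
    due: datetime
    tasks: tuple
    events: list            # the view's results, kept in the case for reference
    status: str = "open"
    audit: list = field(default_factory=list)   # (when, who, what)

# Step 1: the "Daily Log Review" group (hypothetical view names).
DAILY_LOG_REVIEW = (
    SavedView("Firewall denies to RDP",
              lambda e: e["msg"].startswith("Deny") and ":3389" in e["msg"]),
    SavedView("Failed root logins",
              lambda e: "Failed password for root" in e["msg"]),
    SavedView("Antivirus alerts",      # no AV events today -> empty view
              lambda e: e["host"].startswith("av")),
)
TEMPLATES = {
    "Firewall denies to RDP": CaseTemplate("medium", ("netops",), timedelta(days=1),
                                           ("confirm the source is not an internal scanner",)),
    "Failed root logins": CaseTemplate("high", ("alice", "bob"), timedelta(hours=8),
                                       ("look for a matching successful login",)),
    "Antivirus alerts": CaseTemplate("medium", ("desktop-team",), timedelta(days=1)),
}

def run_daily_review(group, templates, events, now):
    """Steps 2 and 3: execute every view in the group and create its case.
    A view that returns no data has its case closed on the spot."""
    cases = []
    for view in group:
        hits = [e for e in events if view.matches(e)]
        t = templates[view.name]
        case = Case(view.name, t.priority, t.reviewers, now + t.due_in, t.tasks, hits)
        case.audit.append((now, "scheduler", f"created from view with {len(hits)} events"))
        if not hits:
            case.status = "closed"
            case.audit.append((now, "scheduler", "auto-closed: view returned no data"))
        cases.append(case)
    return cases

def pending_notifications(cases):
    """Reviewers to email: everyone assigned to a case that is still open."""
    return sorted({r for c in cases if c.status == "open" for r in c.reviewers})

def review(case, reviewer, note, when):
    """An assigned reviewer records the review and closes the case."""
    if reviewer not in case.reviewers:
        raise PermissionError(f"{reviewer} is not assigned to '{case.view}'")
    if case.status != "open":
        raise ValueError(f"'{case.view}' is already {case.status}")
    case.audit.append((when, reviewer, f"reviewed {len(case.events)} events: {note}"))
    case.status = "closed"

def audit_trail(cases):
    """Auditor-readable history: who reviewed which view's data, and when."""
    return [f"{when.isoformat()} {who} [{c.view}] {what}"
            for c in cases for when, who, what in c.audit]

def demo():
    """Run today's review, then act as a reviewer on the high-priority case."""
    cases = run_daily_review(DAILY_LOG_REVIEW, TEMPLATES, SAMPLE_EVENTS, NOW)
    review(cases[1], "alice", "one attempt, source blocked at the edge", NOW + timedelta(hours=1))
    return cases

if __name__ == "__main__":
    cases = demo()
    print("still to notify:", pending_notifications(cases))
    print("\n".join(audit_trail(cases)))
```

The two guards in review() are what make the resulting trail worth showing an auditor: only an assigned reviewer can close a case, and a case cannot be "reviewed" twice, so each closed case maps to exactly one accountable person and the event set they actually looked at.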
Check out the release notes for more details.
Demonstrating compliance
When you set up your own log review process using Log Manager 2.1, the case history reflects who reviewed the log data as well as what data was reviewed. This audit trail is available online, instantly, making it easier to demonstrate compliance.
What do you think?
Can the enhancements in Log Manager 2.1 help with your daily log review requirements?
Until next time, stay alert!
2 comments
This is, of course, pretty brilliant. If you can somehow induce people to actually do it, everybody wins.
This is a nice addition to the product! The review of the logs is the “gotcha,” but another problem you didn’t mention is that most people are not log experts. Actually, very very few people can look at a log and know what they are looking for. I know the product has some thresholding in it. It would be great to allow the user to set up some basic thresholds of various types of events and, if they are triggered, that creates a case as you describe above. This would be a first step towards providing more intelligence to identify potential anomalies and help to isolate some of the logs that warrant being reviewed.
Anything else you can do to help provide “intelligence in the cloud” to identify abnormal or potentially threatening log events would help a lot.
Oh… “Hello Anton!” … good luck at Alert Logic, Mark!