February 8, 2018
Device logging is easily overlooked in an environment, but it always proves to be an invaluable tool for troubleshooting, stopping attacks and forensics. There are many log management solutions available (free and paid) that can collect logs from all of your devices.
A common misconception with log management is that once all devices are sending logs to the logging device, no more work needs to be done. However, a little daily log administration can pay big dividends. At a minimum, logs should be reviewed each day for suspicious activity. Log parsing and alerts will expedite this process and take log management to the next level. Once established, admins are alerted to attacks as they are occurring.
Some logging recommendations are below:
- The log collector should be physically separate from the devices it is logging.
- The log collector should use local authentication only.
- Log data should be encrypted while in transit and on disk.
- Logs should be backed up offsite.
- Ensure all devices being logged have their clocks synchronized so that log timestamps are consistent across devices.
- Ensure correct logs are being sent from each device. Sometimes extra configuration is needed to get the correct logs from devices. For more details on setting up Windows audit logging go to https://www.10dsecurity.com/blog9.html.