75% of data breaches arise from external threats, according to Techbeacon.com. When a breach first occurs, the first step to take as a company is to identify its source, whether internal or external threats, to not only mitigate further data loss but also prevent any future instances of a breach. In such cases, a log management infrastructure can be a valuable tool for your forensics team to track the cause of the issue before it intensifies.
Also, a worthy log management system will help you stay compliant with regulations, anticipate and proactively deal with problems before they arise, and continuously perfect your systems. The valuable insights that monitoring your logs can offer cannot be gainsaid. Luckily, the success of your log monitoring efforts trickles down to the log management infrastructure you opt for.
Here are a few valuable tips for picking the right log monitoring infrastructure:
Log Retention Periods
In case you aim to use the infrastructure for short-term reporting and troubleshooting, then a log retention period of about two to four months will suffice. On the other hand, if the infrastructure is meant for regulatory compliance purposes, then a log retention period of about 12 months will be safe. Anything above this could also be great as long as you can afford the extra cost.
When making a choice based on log retention periods, be sure to factor in how the infrastructure will deal with your logs in terms of storage and rotation. For instance, when tail logging with Papertrail, your old logs should be easily removed and put on tape for future reference. As long as a system can purge/rotate your old logs with minor inconveniences along the way, then you are good to go.
While being one of the most vital aspects of your infrastructure, the log volume will dictate the terms of your retention policy, aggregation performance, correlation performance, and report performance. Although different vendors will have different ways for describing the log volumes, it all trickles down to the calculations that you can derive from the number of logs produced per second. When calculating the log volumes, account for common errors within the system.
For instance, if you produce 2,000 logs per second, you should look for a system that can accommodate 3,000 logs while leaving a 50% room for future spikes that can result from growth or even a virus. Additionally, look for one that can compress your log archives. Since the storage required will increase upon parsing and storing the logs in your database, ask the vendors to calculate the actual requirements for storage, as noted on Mssqltips.com.
There is a diversity of logging methods (such as file, syslog, database, and email) and formats (such as XML, single-line, database records and multiline), and the type of system you choose should offer you services with regard to what you use. While some vendors will sell systems that support log sources in various categories, others will only support certain sources. To be safe, ensure that the logging system can support most of your logging sources, if not all of them.
For the unsupported sources, ensure that there is a way to develop parses to accommodate them. Lastly, ensure that the system can support the native logging methods and input file formats to avoid issues down the line.
Your network topology will dictate the kind of logging infrastructure required. In case the topology is fairly distributed by having multiple remote locations, then the logging system you use should accommodate the retrieval of data from those areas. Similarly, it should be easy to forward the logs to a central location for analysis. As for companies with single topology systems, then a logging system that doesn’t have distribution capacities will suffice.
Log monitoring has a lot of benefits in store for your business. You can only enjoy these perks if you use an infrastructure that completely supports your logging system. Consider the above tips to avoid any issues with your business systems and applications.
Leave a Reply