![]() During the manual review, you can make sure the endpoints you are collecting logs from match up with what is in your inventory, and configure any new endpoints to generate logs as needed. You should configure log summary reports that are automatically emailed on a periodic basis, and then assign resources to review them monthly. But don’t rely on tools to be the be-all, end-all of your log review. Your logging/alerting/correlation system, for example, can be configured as a first-level triage for alerting on unusual behavior. You need to periodically review logs for unusual behavior, which can come from a combination of automatic and manual efforts. Remember that just collecting the logs is not enough. See our post on Encryption Policies for more information. As a general rule, storage of audit logs should include 90 days “hot” (meaning you can actively search/report on them with your tools) and 365 days “cold” (meaning log data you have backed up or archived for long-term storage). ![]() How long should audit logs be kept?Īs you might imagine, this amount of real-time log data needs to be retained for a period of time to satisfy audit and/or regulatory requirements. You need to be able to search by key fields and indicators, as well as run reports from a specified timeframe, as these are the kinds of operations you will be asked to do during an audit. Whatever tools you use to ingest logs need to have advanced searching capabilities. But if someone had to actually search and parse through those logs, it would be a living nightmare. Some companies just turn “logging up to 11” and what they essentially end up with is a gigantic pile of logs. In addition to collecting the critical logging information, you need the ability to store it in a format that makes sense for auditing purposes.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |