
Thread: How often should Admins review their logs? Also logging login attempts...

  1. #1
    Senior Member genXer's Avatar
    Join Date
    Jun 2005
    Posts
    252

    How often should Admins review their logs? Also logging login attempts...

    Hello all,

    Hopefully a couple of quick questions. I am going to be questioning a few MS admins on log monitoring (Event, System, Security via Event Viewer) soon and while I have our policies and standards ruling how often they should do their reviews - I wanted to broker some opinions - don't know if I will get opinions here, but what are your thoughts on how often an admin should review their logs? Once a week, once a day, every second they're awake or other?

    Also, thoughts on having systems log login attempts, successful and unsuccessful? Should it be done or not? I ask because our organization is looking to turn it off in order to save on disk space... I have not had a chance to slap people around with a flounder to ask more questions about it - but I heard some IT people wanted to turn off that logging... thoughts?

    TIA!
    "We're the middle children of history.... no purpose or place. We have no Great War, no Great Depression. Our great war is a spiritual war. Our great depression is our lives. We've all been raised by television to believe that one day we'll all be millionaires and movie gods and rock stars -- but we won't. And we're learning slowly that fact. And we're very, very pissed off." - Tyler (Brad Pitt) Fight Club.

  3. #3
    Senior Member
    Join Date
    Oct 2003
    Posts
    394
    ...hmmm.. my answer may not be correct, but there is some software that can monitor and manage logs, clear all the good and keep the bad and also send/show alerts....

    Could there be some way to use a network drive to store logs on?

    Wait for more answers......
    I don't have much experience yet.....
    // too far away outside of limit

  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    There are Syslog services out there for free, (which may be against your security policy), that will send the event logs to a Syslog server - and therefore in a text format which is a lot less disk intensive. You can then tell the local logs to overwrite themselves at 500k if you like - no big deal, the text file still holds the log entries. I log almost everything and make about 130Mb of text a day weekdays and 60-70Mb a weekend in a 600 user network.... I could cut that down a lot but I like the additional detail.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  7. #7
    Senior Member bAgZ's Avatar
    Join Date
    Jul 2001
    Posts
    206
    I normally check the logs every day on all critical servers. As for the others I look at them once a week. And as Tiger Shark said it's great using a syslog server to centralize all logs, it makes your life easier. I like to log everything that can be logged since I tend to pick up problems before they become a major inconvenience.

  8. #8
    Did someone said Pizza :) FanacooL's Avatar
    Join Date
    Oct 2004
    Location
    Karachi , Pakistan
    Posts
    466
    Well, first thing, logs are the most common way to trace any unusual activity, right? If you don't have them, obviously the chances to see what happened are less. As far as checking is concerned, it depends upon how critical your server is. If it's highly critical then you should check your logs daily. I used to check my servers' logs 3-4 times a week. I had a problem in the past and realized that it's the best thing to have Event Viewer; believe me, before the occurrence of the problem I used to think these logs are dumb but now I have realized their importance.

    So You should keep them and check them regularly.
    One machine can do the work of fifty ordinary men. No machine can do the work of one extraordinary man!

  9. #9
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    There are higher level questions that must be asked first.

    What are the requirements of the system?
    What is your standard logging architecture?
    What has your organization decided is an acceptable level of logging?

    Approaching this from the bottom up instead of the top down is a bad idea. Also, picking arbitrary intervals because they sound good or extra secure is also not a good approach. You can waste a lot of resources which could be used elsewhere. An example of this would be having a 24x7 armed guard watch your garbage cans down by the curb. Sure, you may have placed something in the garbage that is sensitive but you're not going to have an armed guard there to protect against a dumpster diver.

    So, figure out what the higher level requirements are (your security policy isn't where you find this by the way, it should be in your standards or other supporting documentation) and then apply those to this system.

    So in the end, no one here can decide what the proper logging interval is for you. If you are still unsure, you need to do a risk analysis and assessment. This can be performed by a third party and may be beneficial in your case if you're struggling with this issue.


    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  10. #10
    Frustrated Mad Scientist
    Join Date
    Dec 2004
    Posts
    1,152
    We're introducing software to help with this task. It was taking up a lot of time for the apps team to check logs every day. We're putting in software which will collate and compress the logs and allow us to run scheduled reports for them to see every morning, saving the manual sift. The software also alerts in real time for anything they have chosen to be of significance, a service stopping for instance.

    We've got to hold the data for a minimum period to comply with some of our legislation and the software will also facilitate us.

    Best to check what legislation you come under. It may affect what you are logging and the way in which you do it. You might be like us and find that a manual check is not viable in the long term and need a software solution.
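The scheduled morning report and "alert on what matters" approach described in this post, and the logon-attempt logging asked about at the top of the thread, as an added example that is not any poster's code: it reads constructed syslog-style lines of forwarded Windows logon events and produces a daily summary, flagging accounts with repeated failures, so keeping failed-logon records costs little review time. The line layout and the event IDs (4624 = successful logon, 4625 = failed logon) are assumptions for this example, not any forwarder's real output.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of forwarded Windows logon events; the line layout and the
# event IDs (4624 = success, 4625 = failure) are assumptions for this example.
SAMPLE_LOG = """\
Jun 12 08:01:02 dc01 Security: EventID=4624 Account=alice Source=10.0.0.21
Jun 12 08:02:15 dc01 Security: EventID=4625 Account=bob Source=10.0.0.44
Jun 12 08:02:16 dc01 Security: EventID=4625 Account=bob Source=10.0.0.44
Jun 12 08:02:17 dc01 Security: EventID=4625 Account=bob Source=10.0.0.44
Jun 12 08:02:25 dc01 Security: EventID=4624 Account=bob Source=10.0.0.44
Jun 12 08:05:00 dc01 Security: EventID=4625 Account=carol Source=10.0.0.9
Jun 12 08:05:30 dc01 Security: EventID=4624 Account=carol Source=10.0.0.9
Jun 12 08:10:00 dc01 System: Service 'Spooler' entered the stopped state
"""

LOGON_RE = re.compile(r"EventID=(?P<id>4624|4625) Account=(?P<acct>\S+) Source=(?P<src>\S+)")

def parse_logon_events(text):
    """Yield (event_id, account, source) for each logon line; other lines are skipped."""
    for line in text.splitlines():
        m = LOGON_RE.search(line)
        if m:
            yield m.group("id"), m.group("acct"), m.group("src")

def daily_logon_summary(text, fail_threshold=3):
    """Build a morning-report style summary: counts per account plus items to eyeball."""
    successes = Counter()
    failures = Counter()
    failed_sources = defaultdict(set)
    fail_then_success = set()
    for event_id, acct, src in parse_logon_events(text):
        if event_id == "4625":
            failures[acct] += 1
            failed_sources[acct].add(src)
        else:
            successes[acct] += 1
            # a success right after a run of failures deserves a closer look
            if failures[acct] >= fail_threshold:
                fail_then_success.add(acct)
    flagged = sorted(a for a, n in failures.items() if n >= fail_threshold)
    return {"successes": dict(successes), "failures": dict(failures),
            "flagged": flagged, "fail_then_success": sorted(fail_then_success),
            "failed_sources": {a: sorted(s) for a, s in failed_sources.items()}}

if __name__ == "__main__":
    for key, value in daily_logon_summary(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

In the sample, bob fails three times and then succeeds from the same source, so he lands in both the flagged and the fail-then-success lists, while carol's single typo-style failure is counted but not flagged.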
