Here is a subject that constantly amazes me with the resistance it generates, given that it is likely an organization’s only way to prove it was not at fault for a data breach.
First there is the act of logging itself, which drives everyone nuts. To system administrators, all it does is eat up processor cycles and disk space. Logging does consume some processor time, but far less than people think. As for disk, we are talking about roughly 100MB of log data per server, on machines that ship with 100GB or more of disk these days. Cry me a river.
Where log data does get onerous is at your central logging facility, where you can easily accumulate terabytes depending on the size of your PCI in-scope environment. However, with 1TB drives at under $100 each, stop whining. Even a cheap NAS with 4TB of capacity can be had for under $1,000, disks included. Yes, I know times are tough, but it must be done. Without a centralized logging capability you have no realistic chance of recognizing a breach until it is too late, and an attacker who compromises a server can alter or delete the logs sitting on that server; the copy that has already left the box is the one that survives to tell the story.
Then there’s the cost of a centralized logging system. Yes, if you have talked to ArcSight or any other centralized logging vendor, they charge a fortune for their solutions. But for that money they also provide some excellent functionality, particularly real-time analysis and correlation across devices, that you would have to build yourself if you go the open source route. That said, open source solutions are available and work quite well. If you are adept at Crystal Reports or at parsing XML, you can likely generate the reports you need to alert you to problems. There are also reasonably priced solutions for homogeneous Windows or Cisco environments, so a purchased solution need not cost a fortune either. And centralized logging does not need the latest and greatest hardware. I have clients that re-purpose desktops with a NAS and get a perfectly fine solution.
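To make the open source point concrete, here is an added example (my illustration, not code from the original post or from any vendor) of the kind of report a home-grown setup can run over centrally collected syslog. The log lines are constructed samples in the general shape of a Cisco ASA deny, OpenSSH authentication failures and a Windows 4625 logon failure forwarded as syslog text; the hostnames, IP addresses and the three-host threshold are assumptions for the demonstration. The point it shows is the one the vendors sell: each server on its own sees a single failed login and would never alert, but the central copy sees the same source IP failing against four different hosts.

```python
"""Cross-host correlation over centrally collected syslog lines.

Added example: parse mixed-device syslog into a common event shape,
then flag a source address that fails authentication on several
distinct hosts, something no single host's own log can reveal.
"""
import re
from collections import defaultdict

# Constructed sample lines (not real captures); hostnames and IPs are assumed.
SAMPLE_LOGS = """\
Mar 10 02:14:01 fw01 %ASA-6-106015: Deny TCP (no connection) from 203.0.113.7/51812 to 10.1.2.20/22 flags SYN on interface outside
Mar 10 02:14:05 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 51820 ssh2
Mar 10 02:14:09 web02 sshd[1907]: Failed password for admin from 203.0.113.7 port 51833 ssh2
Mar 10 02:14:12 db01 sshd[3410]: Failed password for invalid user oracle from 203.0.113.7 port 51840 ssh2
Mar 10 02:14:20 win01 MSWinEventLog 4625 An account failed to log on. Account Name: Administrator Source Network Address: 203.0.113.7
Mar 10 02:15:02 web01 sshd[2230]: Accepted password for deploy from 10.1.5.44 port 40112 ssh2
Mar 10 02:16:40 web03 sshd[2300]: Failed password for root from 198.51.100.9 port 44110 ssh2
"""

SYSLOG_HEADER = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

# Each pattern maps one device's wording onto a shared event type.
EVENT_PATTERNS = [
    ("auth_fail", re.compile(r"Failed password for (?:invalid user )?\S+ from " + IPV4)),
    ("auth_fail", re.compile(r"\b4625\b.*Source Network Address: " + IPV4)),
    ("fw_deny",   re.compile(r"%ASA-\d-106015: Deny \w+ .*? from " + IPV4 + r"/\d+")),
    ("auth_ok",   re.compile(r"Accepted \w+ for \S+ from " + IPV4)),
]


def parse_line(line):
    """Split a syslog line into timestamp, reporting host and message text."""
    m = SYSLOG_HEADER.match(line)
    return m.groupdict() if m else None


def normalize(record):
    """Classify a parsed line; unrecognized messages are kept as 'other'
    rather than dropped, so nothing silently disappears from the record."""
    for kind, pattern in EVENT_PATTERNS:
        m = pattern.search(record["msg"])
        if m:
            return {"ts": record["ts"], "host": record["host"], "type": kind, "src": m.group(1)}
    return {"ts": record["ts"], "host": record["host"], "type": "other", "src": None}


def load_events(text):
    parsed = (parse_line(line) for line in text.splitlines())
    return [normalize(r) for r in parsed if r]


def per_host_max_failures(events):
    """The view a single server has of itself: failures per (host, source)."""
    counts = defaultdict(int)
    for e in events:
        if e["type"] == "auth_fail":
            counts[(e["host"], e["src"])] += 1
    return max(counts.values(), default=0)


def correlate(events, min_hosts=3):
    """Flag a source IP that fails authentication on min_hosts or more
    distinct hosts, attaching any firewall denies from the same source."""
    hosts_by_src = defaultdict(set)
    denies_by_src = defaultdict(int)
    for e in events:
        if e["type"] == "auth_fail":
            hosts_by_src[e["src"]].add(e["host"])
        elif e["type"] == "fw_deny":
            denies_by_src[e["src"]] += 1
    alerts = []
    for src, hosts in sorted(hosts_by_src.items()):
        if len(hosts) >= min_hosts:
            alerts.append({"src": src, "hosts": sorted(hosts),
                           "fw_denies": denies_by_src.get(src, 0)})
    return alerts


def report(text, min_hosts=3):
    events = load_events(text)
    return {"events": len(events),
            "worst_single_host": per_host_max_failures(events),
            "alerts": correlate(events, min_hosts)}


if __name__ == "__main__":
    out = report(SAMPLE_LOGS)
    print(f"{out['events']} events; most failures any one host saw from one source: {out['worst_single_host']}")
    for a in out["alerts"]:
        print(f"ALERT {a['src']}: failed logins on {len(a['hosts'])} hosts {a['hosts']}, "
              f"{a['fw_denies']} firewall deny(s) from the same address")
```

Run against the sample, the per-host maximum is one failure, which no sane per-server threshold would flag, while the central view produces a single alert for 203.0.113.7 across db01, web01, web02 and win01 with a supporting firewall deny. The parser keeps unrecognized lines as "other" events deliberately; the same discipline applies to the collector itself, which should store whatever it receives rather than only what today's rules know how to read.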
Then there is the question of logging everything. Are you insane? This is likely your only method of proving you were compliant with the PCI DSS, and you want to skimp on what you log? Logs are going to be the focus of any forensic examination should you suffer a breach. If that is the case, don’t you want the examiner to have every possible bit of information to analyze? There could be information in some innocuous log entry that proves you were compliant, and you decided not to record it. After all, it is just as likely that a Cisco or Microsoft flaw is the reason you were breached, not your procedures or configuration, and the logs are how you show which it was. Since you will not know ahead of time which log information will matter and which will not, why would you not capture everything you can?
And remember, log everything from every device, not just servers, but also firewalls, routers, switches, SANs, NAS, etc. Disk is cheap, so store as much as you can and be in a position to prove your case. The one exception to "everything" is cardholder data itself: a log that captures a full PAN is itself cardholder data storage and must be masked or protected like any other. As for retention, remember that the PCI DSS asks for a year of history with only the most recent three months immediately available, so you only need about 90 days online (i.e., on disk); the rest can be on tape.