Here is a subject that constantly amazes me with the resistance it generates, given that it is likely an organization’s only way to prove it was not at fault for a data breach.

First there is the act of logging itself, which drives everyone nuts.  To system administrators, all it does is eat up processor power and disk space.  To a degree, logging does consume processor time, but not as much as people think.  As for disk space, we’re talking about around 100MB per server, on a server that likely has 100GB or more of total disk space these days.  Cry me a river.

Where log data gets onerous is at your central logging facility.  This is where you can easily have terabytes of log data depending on the extent of your PCI in-scope environment.  However, with 1TB drives at under $100 per drive, stop whining.  Even a cheap NAS with capacity for 4TB can be had for under $1,000, including disks.  Yes, I know times are tough, but it must be done.  Without a centralized logging capability, you will never have a decent chance of recognizing a breach until it’s too late.

Then there’s the cost of a centralized logging system.  Yes, if you have talked to ArcSight or any other centralized logging vendor, they charge a fortune for their solutions.  But for that money they also provide some excellent functionality, particularly real-time analysis, which you would have to develop yourself if you go the open source route.  However, open source solutions are available and work quite well.  If you are adept at Crystal Reports or XML, you can likely generate the reports you need to alert you to problems.  There are also reasonably priced solutions for homogeneous servers and networks in the Windows and Cisco worlds, so a purchased solution can be had for reasonable sums.  And centralized logging solutions do not need the latest and greatest hardware.  I have clients that re-purpose desktops with a NAS and get a perfectly fine solution.

Then there is the question of logging everything.  Are you insane?  This is likely your only method of proving you were compliant with the PCI DSS and you want to skimp on what you log?  Logs are likely to be the focus of any forensic examination should you suffer a breach.  If that’s the case, don’t you want the examiner to have every possible bit of information to analyze?  There could be information in some innocuous log entry that proves you were compliant, and you decided not to include it.  After all, it is just as likely that it’s Cisco’s or Microsoft’s fault you were breached, not your procedures or configuration.  Since you will not know ahead of time which log information will be important and which will not, why would you not include everything you can?  And remember, log everything from every device: not just servers, but also firewalls, routers, switches, SANs, NAS, etc.  Disk is cheap.  Prove your compliance and store as much information as you can.  And remember, you only need 90 days online (i.e., on disk); the rest can be on tape.
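As an added example (not the PCI Guru’s own code or any vendor’s tool), here is a small check a central log collector could run to enforce two points above: every in-scope device must still be sending logs, and daily archives must stay on disk for 90 days before moving to tape. It assumes a syslog-style line format of ISO timestamp, hostname, message, and a constructed device inventory; the hostnames, addresses and log lines are made up.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of syslog-style lines as received by a central collector
# (hostnames, addresses and messages are made up for this example).
SAMPLE_LOG = """\
2009-03-02T10:00:01 fw01 kernel: DROP IN=eth0 SRC=10.1.1.5 DST=10.2.2.9 DPT=445
2009-03-02T10:00:05 web01 sshd[2231]: Accepted publickey for deploy from 10.1.1.20
2009-03-02T10:00:09 rtr01 %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.7(51000) -> 10.2.2.9(23)
2009-03-02T10:02:15 web01 sudo: deploy : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow
2009-03-02T06:30:00 sw01 %LINK-3-UPDOWN: Interface GigabitEthernet0/12, changed state to down
"""

# Every in-scope device that should be forwarding to the collector (assumed inventory).
EXPECTED_SOURCES = {"fw01", "rtr01", "sw01", "web01", "db01", "nas01"}
SILENCE_LIMIT = timedelta(hours=1)     # a source quiet longer than this needs a look
ONLINE_RETENTION = timedelta(days=90)  # the 90 days the post says must stay on disk

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")  # "<iso-timestamp> <host> <message>"

def last_seen(log_text):
    """Return {host: latest timestamp} over all parseable lines."""
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the whole check
        ts = datetime.fromisoformat(m.group(1))
        host = m.group(2)
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen

def silent_sources(log_text, now_iso):
    """Expected devices that never logged, or whose newest entry is older than SILENCE_LIMIT."""
    now = datetime.fromisoformat(now_iso)
    seen = last_seen(log_text)
    return sorted(h for h in EXPECTED_SOURCES
                  if h not in seen or now - seen[h] > SILENCE_LIMIT)

def retention_tier(archive_dates_iso, now_iso):
    """Split daily archive dates into (keep_online, move_to_tape) by the 90-day rule."""
    now = datetime.fromisoformat(now_iso)
    keep, tape = [], []
    for d in archive_dates_iso:
        age = now - datetime.fromisoformat(d)
        (keep if age <= ONLINE_RETENTION else tape).append(d)
    return keep, tape
```

A device that goes quiet (sw01 here, plus db01 and nas01 which never reported) is exactly the gap that makes a breach unrecognizable until it is too late, so the silent-source list is what should page someone.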


March 2009