Last week we had a very interesting discussion around logging and its importance and effectiveness in an organization (re: LOGGING; WITHOUT A COMPLETE PICTURE, WHAT’S THE POINT?).
Two common themes emerged from the conversation: being able to see the land through the sea of logging information (let’s call it Lighthousing), and being able to determine what to collect and filter out the ‘fluff’ so you don’t drown in a sea of logs (we’ll call that Drowning :)).
When it comes to troubleshooting, the risk of drowning is all too apparent. We as IT administrators, operations support and troubleshooters gain value from *having* the data there, but we also require the ability to see things from 10,000 feet as well as from within an inch of where they stand. That said, we don’t *always* need to see an inch’s worth of detail while 10,000 feet above. So the ability to index, analyze and correlate that data matters more than ever, as opposed to reading logs in a serial fashion. For example, in that last discussion commenter bspencer63 made note of intelligent, proactive SIEM solutions which help with log filtering, grouping, alerting and more; solutions like these are not only useful, they’re essentially required if we’re going to get anywhere in the vast sea of information we’ll continue to be drowning in.
Why will we be drowning in this information, though? Because as much as there is an inclination to scale back what information and logs we send to a SIEM in an effort to filter out the noise (shrinking the sea of information so we can see land more easily), regulatory compliance is asking us to collect more logs, from even more disparate devices than we collect from today, at an even greater level of detail than we’re used to consuming. Consider going from collecting hundreds of thousands of logs a second today to hundreds of millions of logs a second tomorrow. Consuming and ingesting that information is the responsibility of the SIEMs or other solutions we implement; interpreting and analyzing it falls on us, the practitioners.
Whether we need to collect logs is a given: we have to, whether we want to or not. But the ability to use that information, to filter on what is relevant to the task at hand, and to be proactive and keep ahead of problems before the end users see them has never been more important than it is now.
What kind of tools and methods are you using to wade through the sea of information in your organizations today? What do you find particularly effective and overwhelmingly ineffective?