
Page 1: ArcSight SANS 2011 Log Management Survey

Sponsored by ArcSight

SANS Seventh Annual Log Management Survey Report

A SANS Whitepaper – April 2011 Written by Jerry Shenk

Survey Sample

Why Companies Collect Log Data

Users Want Better Log Data (and More of It!)

Top Challenges to Effective Log Management

Advisors:

Dave Shackleford and Barbara Filkins


SANS Analyst Program 1 SANS Seventh Annual Log Management Survey Report

Executive Summary

Every spring since 2005, the SANS Log Management survey has tracked the growth and maturity of the log management industry. This survey has consistently identified areas in which organizations are focusing their log management initiatives and continues to provide a roadmap to the industry for future improvement. Over the years, these surveys have shown growth in the collection and use of logs for security and compliance. Most recently, in the past two years, these surveys have shown that organizations are seeking more uses from their logs, but they have problems getting the value they want from those logs.

When this survey started seven years ago, log collection was only being done by 43 percent of respondents, compared with 89 percent who indicated they collected logs this year, which is consistent with last year’s survey. So, log collection is no longer as much of a problem as it was in the past. Now, they’re also collecting logs for much more than detecting suspicious behavior and troubleshooting, as in the recent past. Over the past two years, more respondents are also collecting logs for use in forensic analysis and correlation and to meet/prove regulatory compliance. In fact, these three uses for logs rank close enough in importance that it is fair to say that for a log management solution to be effective today, it must support all three.

In addition to the above top three uses, organizations are collecting more data from physical plant/operations systems (e.g., HVAC, SCADA), mobile platforms, and point-of-sale (PoS) devices. This means more log types to collect and analyze, each with their own data formats that can vary widely. Even when these log data format differences are slight (such as one date format being MMDDYYYY and another being MM-DD-YYYY), they must be adjusted in order to accurately correlate and report on the data. This has been an ongoing problem for users of log management technologies, particularly as they start to use their logs for more purposes.

In addition to normalization, respondents are also struggling with searching, correlating and reporting functionalities. Figure 1 illustrates the aspects of log management that respondents considered most challenging or moderately challenging.


Figure 1. Log Management Challenges

The mechanics of collecting, storing and archiving the log data are no longer the challenge in today’s world of almost unlimited data storage. The challenge now is extracting the needed information for monitoring, management, compliance and decision-making (often in near real-time) from what respondents say is upwards of 100,000 events recorded per day.

This year, respondents were asked specifically about what was and was not useful in terms of searching and reporting capabilities. They selected real-time alerts as their most useful feature. However, they were less enthusiastic about their log management system’s ability to interface with third-party tools or larger SIEM environments. Users also cited problems with correlation, searching and interfacing with heterogeneous systems, and difficulties locating information within logs.

In particular, Windows systems are still difficult to draw and normalize logs from. This is a primary problem for organizations this year, as in years past, according to responses. Windows, pervasive throughout most industries, is widely criticized for its unfriendliness to log analysis. All vendors of log management applications are making their systems interact better with multiple sources of log data, including from Windows systems. Still, as one commenter wrote, all vendors need to get better at generating useful events.

Despite the shortcomings respondents report, organizations are increasingly dependent on log management to support core business functions including cost management, service level and line-of-business application monitoring, as well as more traditional IT- and security-focused activities, according to responses. The rest of this report details what organizations are doing with their logs today and what they still want from their logs in order to achieve the highest value for their business, security and compliance operations.


Survey Sample

A total of 747 organizations started this year’s survey, with 571 completing the survey all the way through to the end. Organizations represented in this year’s survey (see Figure 2) encompassed a wide range of industries and sizes. The largest industry verticals represented were financial (19 percent) and government (18 percent). Healthcare and education were well represented as well. The additional 23 percent that replied “other” included good representation from software companies, entertainment, managed services and consultants working among these verticals.

Figure 2. Industries Represented in This Year’s Survey


Respondents were nearly equally balanced between large organizations (over 2000 employees) and mid-sized and small organizations, as shown in Figure 3.

Figure 3. Size of Organizations Based on Responses

The vast majority of respondents held staff positions (rather than being consultants). This year, a higher percentage of respondents held a security-oriented role in their organizations, as opposed to a network-oriented role, which there were more of last year. Of the 747 respondents to answer this question, 73 percent had security titles, whereas 35 percent had networking titles. Some respondents, seven percent, also had compliance officer roles. The total exceeds 100 percent because some respondents’ duties overlap among the areas of networking, security and compliance.


Why Companies Collect Log Data

In this year’s survey (as in the 2009 and 2010 surveys), detecting incidents, determining what happened (forensics and analysis), and meeting compliance requirements were the top three reasons for collecting logs. Once again this year, the most important reason for collecting log data was to “Detect/track suspicious behavior and prevent incidents,” as illustrated in Figure 4. Second place went to “Support forensics analysis and correlation,” and third was “Meet/prove compliance with regulatory requirements.”

Figure 4. Why Respondents Collect Logs

While maybe not critical, supporting other IT operations ranked high in level of importance, and more than 50 percent of organizations think that logs can be important in reducing costs and supporting other processes besides security and compliance operations. These options were not provided in last year’s survey, but survey respondents last year (and this year) indicated an increasing desire to derive more business value from their logs.


Most Useful Features

Once they collect their logs, respondents say the most useful feature of log management systems is “real-time alerts,” with 68 percent indicating they are very useful and 25 percent indicating they are somewhat useful. The second and third most useful features were “Intuitive user interface for search” and “Unified interface for all log-related activities.” To be precise, there is no such thing as a real-time alert, due to delays in log event analysis and notifications. What’s important is that many respondents are getting useful alerts from their log management systems in a timely enough manner.

The fourth most useful feature was “Good performance for all log-related activities, whether individual or simultaneous.” In the past, log management system performance received low marks by survey respondents. It is good to see that 55 percent of respondents gave this the highest mark, while 37 percent gave it a mid-range mark. Combined, that’s more than a 90 percent approval rating. “Integration with larger SIEM environment” ranked ninth on the list of usefulness. Some comments indicate that respondents are in the process of installing SIEM systems, so there will likely be stronger responses to this question next year. Figure 5 shows the overall ratings for Very and Somewhat useful features based on responses.

Figure 5. Features Deemed Most Useful by Respondents


Flipping the question around, it’s also interesting to note that the least useful features of log management point to other integration problems. The question was, “How useful do you rate the following features in support of your log analysis and reporting activities?” The choices were Very Useful, Somewhat Useful, and Not Useful. Not Useful was chosen most for “Interface with third-party reporting tools,” with 27 percent of respondents choosing this option. Sharing the bottom of the list, with a 21 percent negative vote, was “Integration with larger SIEM environment.” Figure 6 shows the features deemed least useful by respondents. Overall, these are relatively low negative scores, which suggests that the usefulness of log management systems is improving.

Figure 6. What Respondents Find Least Useful About Their Log Management Systems


Users Want Better Log Data (and More of It!)

The number of sources from which organizations are collecting logs continues to expand. This year’s survey shows that 59 percent of respondents are collecting log data from their line of business applications, and 14 percent of respondents are collecting log data from their physical plant control systems, such as HVAC. These were not considered a major source for log data in previous years. Other new sources included in this year’s survey are log collection from mobile devices (15 percent) and cloud services (14 percent). Point-of-sale (PoS) devices were not on the list but were referenced in comments.

According to this year’s survey, most organizations are collecting logs from more than 50 devices, with only 30 percent collecting from fewer than 50 devices. The vast majority of survey respondents indicate they are collecting logs for compliance purposes, leading with PCI DSS. Figure 7 shows what compliance mandates are driving their log management programs.

Figure 7. PCI DSS is the Leading Compliance Driver for Log Collection


The types of log information respondents consider to be the most valuable are “Source/destination IP address” and “Time/date stamp.” These were nearly tied with “Event information (name, category, type),” followed by “Source/destination TCP/UDP port” and “User information.” This level of detailed log data, correlated as needed and in real-time, helps operators find events on the network with minimal manual searching and better accuracy. This question also had an “other” category, in which respondents indicated they wanted even more information from their log management systems, including “detailed network connection logs,” “complete URL strings,” “full packet capture,” and “payload.” A log manager might not be the best place for some of that data. Instead, IPS, continuous monitoring or SIEM might collect these data types more effectively. However, the comments highlight the point that many analysts want more information correlated against more threat-monitoring devices to help them make decisions about possible events.

“Vendors need to get better at generating events that are useful because it doesn’t matter how good your log management solution is if the events coming into it are garbage,” wrote one commenter, Jim Murray, an information security architect in the insurance sector. Vendors of hardware and software that generate logs should differentiate themselves from their competition by standardizing their log data and its syntax and improving the level of log information they make available.


Top Challenges to Effective Log Management

Year over year, trends uncovered in this survey have directly reflected the maturing of the industry. Initially, the top problem reported was simply collecting logs. A few years ago, collecting logs dropped to the least problematic issue, and now respondents express troubles in the areas of normalization, categorization, searching and reporting. See Figure 8.

Figure 8. Top Challenges Reported by Log Management Users

“Normalizing and categorizing information” was the top issue this year (42 percent claimed this as their most challenging problem, and 37 percent considered it a problem). The second most noted issue was searching (32 percent considered this their most challenging problem, and 48 percent considered it a problem). “Using logs for reporting and analysis” came in third (18 percent considered this their top challenge, with 50 percent considering this a problem). Nearly as high a percentage (49 percent) considered using logs for operations and maintenance to be a problem, with 18 percent considering it their top challenge. These challenges tie closely to results from a related question about the top hindrances in searching and analyzing logs. In order, these top problems were inability to search across different log management systems, lack of correlation capabilities, interfacing with other IT groups, and locating needed information within the logs collected.


Normalization and Multisource Data

Different systems and devices record the same events in different ways, making analysis of logs difficult. For example, a Cisco ASA firewall, an iptables firewall, and a Check Point firewall basically all perform the same function of blocking some packets and allowing others based on preset criteria. Yet, how they express events in their logs is different for every application. In fact, a Cisco PIX firewall and the newer ASA firewall require some changes to log event analysis when upgrading.

One way to compare similar events is through normalization.[1] Normalization should be able to take log events from all devices under management and present them in a common way for searching and reporting. One problem with normalization is that, unless the log management system saves both the original log data and the normalized log data, the original data is lost to the organization. Original log data can be used for verification and make the difference in determining whether an attack failed or was successful and can point out a false alarm. The problem is greatest when collecting data from systems and hardware (e.g., phones or cloud services) that aren’t well supported by the log management vendor.

Most commercial log management systems include storage options for both normalized and original data. These storage systems should be expandable as needs dictate. In the survey, 36 percent of respondents say their organizations store their log data for up to a year, and 33 percent store data for up to five years. Of those respondents who know their log event volume, most see more than 100,000 log events per day—and half of those are seeing more than 1 million events per day.

The bottom line is that each application can log and store different types of data in the formats and for the duration dictated by the organization’s business, security and compliance needs. The keys to having good log data management, then, are consistency in format, collection and storage of enough data to answer the “4-Ws” (who, what, when and where), and good documentation to interpret what the log data means.
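The following is an added example, written for this edit and not code from the report or from any vendor it names. It shows the normalization the text describes, applied to the firewall example in this section and to the date-format example from the Executive Summary (MMDDYYYY versus MM-DD-YYYY): one blocked connection as three constructed firewall dialects would write it is mapped onto a common schema, while the raw line is stored alongside the normalized fields so the original evidence is never lost. The sample lines, the key=value Check Point spelling and the iptables log prefix are assumptions for illustration, not captured device output.

```python
import re
from datetime import datetime

# Constructed sample lines (not real device output): the same blocked connection as
# three firewall dialects would write it, each with its own date style. The first
# uses MMDDYYYY, the second MM-DD-YYYY and the third ISO, mirroring the "slight"
# format differences the report describes.
SAMPLE_LINES = [
    "03152011 10:15:01 fw-asa %ASA-4-106023: Deny tcp src outside:203.0.113.5/44321 dst inside:192.0.2.10/22",
    "03-15-2011 10:15:03 fw-lnx kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=44321 DPT=22",
    "2011-03-15 10:15:05 fw-cp action=drop src=203.0.113.5 dst=192.0.2.10 proto=tcp service=22",
]

DATE_FORMATS = ("%m%d%Y", "%m-%d-%Y", "%Y-%m-%d")


def normalize_date(text):
    """Accept any of the supported date spellings and return ISO 8601 (YYYY-MM-DD)."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(text, fmt).date().isoformat()
        except ValueError:
            continue
    raise ValueError("unrecognised date: %r" % text)


# One parser per dialect. Each yields an action word, src, dst, proto and dst port.
# The iptables "action" is the user-chosen --log-prefix, so it is mapped below.
PARSERS = [
    ("cisco-asa", re.compile(
        r"%ASA-\d-\d+: (?P<action>Deny|Permit) (?P<proto>\w+) "
        r"src \w+:(?P<src>[\d.]+)/\d+ dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)")),
    ("iptables", re.compile(
        r"kernel: (?P<action>[\w-]+): .*SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
        r"PROTO=(?P<proto>\w+) .*DPT=(?P<dport>\d+)")),
    ("checkpoint", re.compile(
        r"action=(?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
        r"proto=(?P<proto>\w+) service=(?P<dport>\d+)")),
]

# Vendor action words collapse onto two values in the common schema.
ACTION_MAP = {"deny": "deny", "drop": "deny", "fw-drop": "deny",
              "permit": "allow", "accept": "allow", "fw-accept": "allow"}


def normalize(line):
    """Map one raw line onto the common schema. The raw line is stored verbatim so
    the original evidence survives, even when no parser understands the line."""
    date_text, time_text, host, rest = line.split(" ", 3)
    record = {
        "raw": line,
        "host": host,
        "timestamp": "%sT%s" % (normalize_date(date_text), time_text),
        "vendor": "unknown",
    }
    for vendor, pattern in PARSERS:
        m = pattern.search(rest)
        if m is None:
            continue
        record.update(
            vendor=vendor,
            action=ACTION_MAP.get(m["action"].lower(), "other"),
            src_ip=m["src"],
            dst_ip=m["dst"],
            proto=m["proto"].lower(),
            dst_port=int(m["dport"]),
        )
        break
    return record


def normalize_all(lines):
    return [normalize(line) for line in lines]


def describe_same_event(records):
    """True when every record reduces to the same (action, src, dst, proto, port)
    tuple, i.e. the dialects have been reconciled well enough to correlate."""
    keys = {(r.get("action"), r.get("src_ip"), r.get("dst_ip"),
             r.get("proto"), r.get("dst_port")) for r in records}
    return len(keys) == 1


if __name__ == "__main__":
    for rec in normalize_all(SAMPLE_LINES):
        print(rec["vendor"], rec["timestamp"], rec.get("action"),
              rec.get("src_ip"), "->", rec.get("dst_ip"), rec.get("dst_port"))
```

A line no parser recognises still produces a record carrying the raw text and a normalized timestamp, which is the behaviour the text asks for when a source is not well supported: the data is stored, not dropped, and can be re-parsed once a parser exists.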

Getting at the Information

Getting to those “4-Ws” is still somewhat daunting for many organizations represented in this survey. Most log management systems have some sort of a web-based front end that can be used for searching. Responses, however, indicate dissatisfaction with their searching and reporting/analysis capabilities. This coincides with respondents to last year’s survey, wherein 64 percent considered searching and reporting to be the first and second most challenging aspects of log management.

When asked new questions about their specific problems with searching and reporting this year, respondents pointed to lack of correlation, inability to search across different log management systems, and integration with other IT systems as their top three hindrances to their searching and reporting capabilities. They also point to problems locating information within the logs.

[1] http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf


Integration with multiple log management tools is becoming a factor because respondents this year, as well as in recent years past, report using a mix of homegrown and third-party tools. Many report using multiple third-party log management tools. Responses also indicate multiple homegrown tools in single environments, with a very small number using log management as a service.

Survey responses also point to the need for stronger graphical and data representation, with only 32 percent of respondents ranking these features as “Very” useful in their log management systems. A well-designed graph or chart can convey a lot of information quickly and can even support non-technical managers when necessary. One commenter pointed out that from a business perspective, sometimes including graphics is an expected part of a presentation, even if the graphic’s value is limited. Responses indicate that people have worked with their log manager’s graphic options and would like to include graphics, but they aren’t able to get what they would like out of the presentation capabilities of current log management systems. This is another area of growth for vendors.

The ability to script routine tasks was also brought up by one respondent. Any serious log analyst knows that the ability to set up scripts to run repetitive tasks can be a huge time saver. Scripts often make it possible to track events and statistics, allowing review that would not be available any other way. Many log analysts set up processes to run in the early morning to give them some quick baselines to review when they get into work. Others run scripts periodically to detect suspicious or overtly hostile activity (the single feature rated most useful). In order to collect and consolidate information that doesn’t neatly fit into a report, the ability to run low-level scripts is often necessary. Many log management systems have some capability to script and run some reports on a schedule and deliver them over e-mail, via web, pager or smartphone; however, based on responses, they need even more ‘scriptability’ than they already offer.
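As an added example of the early-morning baseline script the paragraph above describes (this is not code from the report or from any product it mentions), the block below consolidates one day of constructed log lines into the summary an analyst would want waiting at the start of a shift: volume per host, the sources with the most denied connections, and deviations from yesterday’s per-host counts. The line layout, the sample events and the saved baseline are all assumptions for illustration; the useful part is the comparison, which catches a source that has gone silent (often a collection failure rather than a quiet day) as well as a surge or a host that has never reported before.

```python
import re
from collections import Counter

# Constructed "today" lines in a simple "<timestamp> <host> key=value ..." layout;
# not real device output and not any particular product's format.
TODAY_LINES = [
    "2011-03-16T02:10:00 fw1 action=deny src=203.0.113.5 dst=192.0.2.10 dport=22",
    "2011-03-16T02:10:05 fw1 action=deny src=203.0.113.5 dst=192.0.2.10 dport=23",
    "2011-03-16T02:10:09 fw1 action=deny src=203.0.113.5 dst=192.0.2.10 dport=3389",
    "2011-03-16T02:11:00 fw1 action=allow src=198.51.100.7 dst=192.0.2.20 dport=443",
    "2011-03-16T02:12:00 fw1 action=deny src=198.51.100.9 dst=192.0.2.20 dport=445",
    "2011-03-16T03:00:00 web1 status=200 path=/index.html",
    "2011-03-16T03:00:01 web1 status=200 path=/login",
    "2011-03-16T03:00:02 web1 status=500 path=/login",
    "2011-03-16T04:00:00 vpn1 user=alice result=success",
]

# Constructed per-host counts that yesterday's run of this script would have saved.
YESTERDAY_COUNTS = {"fw1": 2, "web1": 3, "dc1": 2}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<body>.*)$")


def parse(line):
    """Split a line into timestamp, host and a dict of key=value fields."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    fields = dict(kv.split("=", 1) for kv in m["body"].split() if "=" in kv)
    return {"ts": m["ts"], "host": m["host"], "fields": fields}


def summarize(lines):
    """Compute the morning baseline: volume per host and denied connections per
    source address."""
    per_host = Counter()
    denied_by_src = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        per_host[rec["host"]] += 1
        if rec["fields"].get("action") == "deny":
            denied_by_src[rec["fields"].get("src", "?")] += 1
    return {"per_host": per_host, "denied_by_src": denied_by_src}


def compare_to_baseline(per_host, baseline, ratio=2.0):
    """Flag hosts that went quiet, appeared for the first time, or changed
    volume by more than `ratio` times in either direction."""
    findings = []
    for host in sorted(set(per_host) | set(baseline)):
        today, before = per_host.get(host, 0), baseline.get(host, 0)
        if today == 0:
            findings.append((host, today, before, "no events today (source silent?)"))
        elif before == 0:
            findings.append((host, today, before, "new log source"))
        elif today > before * ratio or today * ratio < before:
            findings.append((host, today, before, "volume changed by more than %gx" % ratio))
    return findings


def morning_report(lines, baseline):
    """The text an analyst finds waiting when they get in."""
    summary = summarize(lines)
    out = ["Events per host:"]
    out += ["  %s: %d" % (h, n) for h, n in summary["per_host"].most_common()]
    out.append("Top denied sources:")
    out += ["  %s: %d" % (s, n) for s, n in summary["denied_by_src"].most_common(3)]
    out.append("Baseline deviations:")
    for host, today, before, why in compare_to_baseline(summary["per_host"], baseline):
        out.append("  %s: %d today vs %d yesterday: %s" % (host, today, before, why))
    return "\n".join(out)


if __name__ == "__main__":
    print(morning_report(TODAY_LINES, YESTERDAY_COUNTS))
```

In a real deployment the script would read the previous day’s events from the log repository, persist today’s per-host counts for tomorrow’s comparison, and hand the report to whatever delivery channel the log manager offers (e-mail, web or pager, as the text lists).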

Managing Windows Logs

This is the second year the survey included questions specifically addressing Windows log management. The results are essentially the same for both years: Windows, the most heavily used operating system throughout the world, still gets a bad grade for its logging environment. As one respondent stated simply, “Windows makes it difficult to collect logs.”

Collection and storage of Windows logs received a 40 percent approval score, with about 10 percent reporting they were “Very Satisfied” and about 30 percent reporting they were “Satisfied.” All other categories held dismal satisfaction ratings: Five to seven percent reported being “Very Satisfied” and between 18 and 24 percent were “Satisfied” with their Windows log management capabilities. That leaves approximately 50 to 60 percent of respondents being only “Somewhat Satisfied” or “Dissatisfied” (see Figure 9).


Figure 9. Windows Log Management Still Gets Low Scores from Respondents

Analysis is the top problem that organizations have with Windows log management, closely followed by reporting. There are a number of factors that make Windows log management more difficult than other software (UNIX/Linux) and hardware platforms, such as routers, firewalls and switches. Windows does not natively support syslog in any flavor for log collection. Yet, according to the survey, UDP Syslog is still the most popular log collection method. TCP Syslog is more resilient and can scale better, and 50 percent of respondents also support TCP Syslog. Neither version of Syslog is supported by Windows.

It would be helpful if Microsoft would incorporate some changes in their operating systems to make it easier to collect, normalize, parse and analyze events coming from Windows systems and subsystems. Users often install third-party add-on applications to get this functionality. Those leaving comments listed the Snare agent as the most popular way to send event log data from a Windows server to a syslog server, but there are also other options. Some log management systems pull log data from Windows servers, as well. Today, the burden of analysis rests mostly on the log management software to pull and normalize Windows events into usable information.

Satisfaction with Windows log management has decreased in some categories since last year (monitoring, performance and collection)—with no improvements in reporting and only minor improvements in analysis and storage (see Figure 10). So, vendors have a long way to go to satisfy Windows users.


Figure 10. Windows Log Management Scores Worse This Year in Some Areas

Where to Start? A Primer for Windows Log Management

Dr. Anton Chuvakin, lead author of the SANS Log Management course, says, “One of the first things that people should do to start getting value from their Windows event logs is to actually start centrally collecting them from all the Windows systems. Before you can do analytics and alerts, it makes sense to build a working log repository. It will hugely help you during incident response.”

One popular way to do this is using the Snare[2] agent, although there are other options. It is also possible to pull the information from the event logs using LASSO[3] or one of the other agents that are available. For a full Windows shop, the log server could run on a Windows computer. The Kiwi Syslog Server[4] is a popular option. There are also free log servers that run on Linux, and there are a number of commercial log servers. Once the syslog server is running, you can search through the events for events of interest.

Dr. Chuvakin also recommends learning the normal log patterns right after collection. Stored logs are useful (such as for incident response), but to use logs for incident detection, you need to know what is abnormal—and that begins with knowing what is normal!

On the web page for the SANS course on compliance for managers,[5] there is also a link to the course’s PDF, which contains a checklist for security incidents. In the lower left corner of that file is a list of a few of the most critical Windows events. These can be a good starting point.

When examining the logs, you’ll need a place to look up event IDs to get more information on them. Searching for the specific event ID (e.g., event id 528) on the Microsoft TechNet Support website[6] can be helpful. The site, eventid.net, is also a quick, handy resource for information about specific Windows event IDs. Randy Franklin’s website[7] has an extensive list of Windows event IDs.

[2] www.intersectalliance.com/projects/SnareWindows/
[3] http://sourceforge.net/projects/lassolog/
[4] www.kiwisyslog.com/kiwi-syslog-server-features-and-benefits
[5] www.sans.org/security-training/log-management-in-depth-compliance-security-forensics-troubleshooting-1217-mid
[6] http://technet.microsoft.com/en-us/ms772425.aspx
[7] www.ultimatewindowssecurity.com/securitylog/encyclopedia/Default.aspx
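To make the primer concrete, here is an added example (written for this edit; it is not Snare, LASSO or Kiwi code, nor from the report) of the two halves of central Windows log collection that the primer and the preceding section describe: an agent side that wraps a Windows event in an RFC 3164-style syslog line (PRI is facility times 8 plus severity, the day is space-padded), and a collector side that parses the line back into fields, annotates the event ID from a lookup table, and answers the first “events of interest” search. The sample events, the tab-separated payload layout, the choice of facility local0 and the small ID table are assumptions for illustration; the IDs in the table are well-known Security log IDs, not the course checklist the text refers to. Transport is left out: the same string would be written to a TCP syslog socket, which the survey notes is the more resilient choice.

```python
import re
from datetime import datetime

# Constructed Windows Security events as an agent would read them from the event
# log (field names are our own, not any agent's schema).
SAMPLE_EVENTS = [
    {"host": "DC01", "log": "Security", "event_id": 4624, "user": "alice",
     "message": "An account was successfully logged on."},
    {"host": "DC01", "log": "Security", "event_id": 4625, "user": "bob",
     "message": "An account failed to log on."},
    {"host": "DC01", "log": "Security", "event_id": 1102, "user": "bob",
     "message": "The audit log was cleared."},
    {"host": "FS02", "log": "Security", "event_id": 4720, "user": "admin",
     "message": "A user account was created."},
]
SAMPLE_TIME = datetime(2011, 3, 5, 10, 15, 1)  # constructed collection time

# Starter lookup table: a handful of well-known Security event IDs (a constructed
# subset; build the full table from eventid.net or the encyclopedia cited above).
EVENT_NAMES = {
    528: "Successful logon (pre-Vista ID)",
    4624: "Successful logon",
    4625: "Failed logon",
    4672: "Special privileges assigned to new logon",
    4720: "User account created",
    1102: "Audit log cleared",
}
# IDs the analyst wants surfaced first (assumed starter list).
CRITICAL_IDS = {1102, 4672, 4720}

FACILITY_LOCAL0 = 16           # syslog facility; local0 chosen by assumption
SEV_CRITICAL, SEV_INFO = 2, 6  # RFC 3164 severity codes


def agent_format(event, when):
    """Agent side: wrap a Windows event in an RFC 3164-style syslog line.
    PRI is facility * 8 + severity; the payload is tab-separated (our own layout)."""
    severity = SEV_CRITICAL if event["event_id"] in CRITICAL_IDS else SEV_INFO
    pri = FACILITY_LOCAL0 * 8 + severity
    # RFC 3164 timestamps pad a single-digit day with a space, e.g. "Mar  5".
    stamp = "%s %2d %s" % (when.strftime("%b"), when.day, when.strftime("%H:%M:%S"))
    payload = "\t".join(["WinEvent", event["log"], str(event["event_id"]),
                         event["user"], event["message"]])
    return "<%d>%s %s %s" % (pri, stamp, event["host"], payload)


SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<stamp>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"WinEvent\t(?P<log>[^\t]+)\t(?P<eid>\d+)\t(?P<user>[^\t]*)\t(?P<msg>.*)$")


def collector_parse(line):
    """Collector side: recover facility and severity from PRI, unpack the
    Windows fields and annotate the event ID from the lookup table."""
    m = SYSLOG_RE.match(line)
    if m is None:
        raise ValueError("not a WinEvent syslog line: %r" % line)
    pri, eid = int(m["pri"]), int(m["eid"])
    return {
        "facility": pri // 8, "severity": pri % 8, "stamp": m["stamp"],
        "host": m["host"], "log": m["log"], "event_id": eid, "user": m["user"],
        "message": m["msg"],
        "name": EVENT_NAMES.get(eid, "unknown: look the ID up"),
        "critical": eid in CRITICAL_IDS,
    }


def collect(events, when):
    """Round-trip every event through agent and collector into one central
    repository (a list here; a database behind the log server in practice)."""
    return [collector_parse(agent_format(e, when)) for e in events]


def events_of_interest(repository):
    """The first search an analyst runs against the repository."""
    return [r for r in repository if r["critical"]]


if __name__ == "__main__":
    for rec in events_of_interest(collect(SAMPLE_EVENTS, SAMPLE_TIME)):
        print(rec["host"], rec["event_id"], rec["name"], rec["user"])
```

Once events flow through a path like this, the "learn what is normal" step is a matter of counting which (host, event ID) pairs appear during a quiet period and reviewing anything outside that set; the critical-ID list only covers the events you already know you care about.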


Summary

Organizations are increasingly measuring their security effectiveness based on their ability to improve incident remediation, reduce incidents and meet compliance, according to this year’s survey. They are also measuring effectiveness by how much they reduce overall security and maintenance costs, as well as improve overall system performance.

Measuring effectiveness and making improvements depends, in large part, upon logs. Log analysts want better log data from more devices, and they are looking for better quality log data to be gleaned from their monitored devices. The top reasons organizations collect logs are to detect, track and analyze security incidents and to meet regulatory compliance requirements. The devices they want log data from are extending beyond the traditional sources (e.g., servers, firewalls and routers) to the physical plant (e.g., HVAC, SCADA) and remotely attached devices, with a small percentage already collecting logs from phones and PoS terminals. IT departments are also looking for log management systems that provide quick, accurate and correlated responses to queries. They also want to be able to turn those queries into reports with visuals and graphics, while being able to easily customize queries to support industry-specific applications and devices in use within their organizations.

While satisfaction is improving overall, respondents are having problems with analysis and reporting. Their biggest problem is managing logs from Windows systems—a pretty big problem because Windows operating systems are so pervasive. In both the 2010 and 2011 surveys, users point to Windows log collection problems and messages that are difficult to analyze. It would be nice to see Microsoft include native syslog capabilities for their operating systems and software. Log management vendors need to continue working to solve the problem, and many are already making headway. IT departments also need to develop internal resources to study log data and learn what events mean. This will take commitment, but the rewards will be increased productivity, compliance and security.


About the Author

Jerry Shenk currently serves as a senior analyst for the SANS Institute and is senior security analyst for Windstream Communications in Ephrata, PA. Since 1984, he has consulted with companies and financial and educational institutions on issues of network design, security, forensic analysis and penetration testing. His experience spans small home-office systems to global networks. Along with some vendor-specific certifications, Jerry holds six GIAC certifications, all completed with honors: GCIA, GCIH, GCFW, GSNA, GPEN and GCFA. Five of his certifications are GOLD certifications.


SANS would like to thank its sponsor: