How to Do Application Logging Right

Monday, August 16, 2010

Anton Chuvakin


Just wanted to highlight another useful resource on logging: “How to Do Application Logging Right” by Gunnar Peterson and myself.

Following on our previous IEEE paper (here [PDF]), we explored application logging from a developer's perspective. As Gunnar already pointed out, “audit logs are one of the quick, dirty and cheap things that can improve enterprise security.”

Here is a fun excerpt:

“Organizations have finally gotten network device logging and—to some extent—server logging under control. However, after getting used to neat Cisco Adaptive Security Appliance or other firewall logs and Linux “password accepted” messages, security incident investigators trying to respond to the next wave of attacks have been thrust into the horrific world of application logging.”

and

“We can start by establishing criteria for good security audit logs (which we just call “logs” from now on). […] On the basis of the six Ws, the following list [see paper] provides a starting point for what to include [in each application log message]”

and

“Software architects and developers must “get” logging; there’s no other way. This is because infrastructure logging from network devices and operating systems won’t cut it for detecting and investigating application-level threats. Security teams will need to guide developers and architects through useful, effective logging.”

Grab the paper here [PDF] and enjoy!

And, Raffy, you owe me another beer for “We thank Raffy Marty of Loggly for his thoughtful review of the draft article.” :-) In fact, I think me using the word “thoughtful” here justifies “beer+2”…

Cross-posted from Security Warrior

Fred Williams: Very good subject, Anton. I'm a developer in the Java, open source world and I recommend the open-sourced Log4j logging - part of the Apache project. It is very easy to download and configure to use in your applications.

Log4j can send logs to a file, but also to SYSLOG, and eventually on to centralized logging facilities like Splunk.

Be mindful that there are pitfalls to logging - such as how much logging to do in production vs. test environments, how many log files to keep for history, the format of each log file, and the different levels of logging: severe, informational, debugging, fatal, etc.

I'm going to use your suggestions on "What to include" and "What to log" sections in my system requirements.

Great paper!
Anton Chuvakin: Thanks a lot for the comment. Indeed, log4j is the way to go in regards to HOW to log, and my paper is more about WHAT to log.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.