Logs are a mystery. They come in a variety of formats and are available through several unique means. So in this post, along with the subsequent posts in this series, the SolarWinds geeks are aiming to demystify those little nuggets of IT gold.
So, What are Logs?
Logs are the means by which software keeps track of what's going on "behind the scenes." Everything from the operating systems running on your computers and devices to the databases that support your applications generate logs. Oftentimes, logs are very granular, logging every step the software takes, making them useful in many ways. Most IT professionals know at least this much about logs, but the segment of that population that knows what they're good for, much less how to read them, is significantly smaller.
Logs! What are They Good For? Absolutely...Wait.
Before you finish that statement with "absolutely nothin'!" consider the following scenarios for using the logs generated by your systems, applications, and devices.
Logs for Troubleshooting
Troubleshooting is arguably the most common use case for logs (the next section explains the emphasis here). When something breaks and the cause is not immediately apparent, it's likely the logs related to the broken device, system, etc. contain some kind of indication of what happened before it broke. This is how logs provide invaluable behind-the-scenes information to IT pros: they show you what the end-user doesn't see.
Logs for Compliance
Compliance reporting is probably the main reason most organizations collect logs. The reason troubleshooting is arguably the most common use case for logs, however, is that once these organizations collect their logs for compliance, they don't actually use them for anything. This is a huge gap in most log management strategies. The purpose of the compliance requirements, believe it or not, is to ensure the organization collecting logs actually does something with the information they contain. For example, under PCI compliance, when your logs tell you sensitive files have been accessed by unauthorized users, you are expected to act on it by modifying your policies or coaching the offending users.
Logs for Proactive Detection and Remediation
Examining historical logs once a month or once a quarter to address compliance issues is one thing. Reviewing the logs constantly to address issues more proactively is another. Large enterprises employ security specialists in their IT departments whose sole job is to monitor log files and make recommendations for remediation when necessary. Most other companies, unfortunately, don't enjoy that luxury. A good first step to this end would be to review the logs on your most critical and sensitive devices and systems on a daily or weekly basis, so you don't miss a catastrophic failure or breach you could otherwise have avoided. The best option is to implement an automated log management system that alerts you when something has gone wrong or is likely to.
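To make the compliance and proactive-detection points above concrete, here is a small added example (not SolarWinds code, and not any real product's log format) of the kind of check an automated review would run over file-access logs: it flags successful reads of sensitive paths by users who are not on the authorized list, and repeated access denials from one user, while tolerating lines it cannot parse. The log format, the sensitive-path policy, the user names and the sample lines are all constructed for this example.

```python
"""Toy file-access log review illustrating automated log checks.

Everything here (log format, policy tables, sample lines) is constructed
for illustration; it is not SolarWinds' or any real product's format.
"""
import re
from collections import Counter

# Constructed line format:
# "<timestamp> <host> file_access user=<user> path=<path> result=<ok|denied>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) file_access "
    r"user=(?P<user>\S+) path=(?P<path>\S+) result=(?P<result>ok|denied)$"
)

# Assumed policy: which path prefixes are sensitive, and who may read them.
AUTHORIZED = {
    "/srv/finance/": {"alice", "svc-backup"},
    "/srv/hr/": {"carol", "svc-backup"},
}
# Repeated denials from one user look like probing rather than a single typo.
DENIED_THRESHOLD = 3

# Constructed sample log; the last line is deliberately malformed.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z fs01 file_access user=alice path=/srv/finance/q1.xlsx result=ok
2024-05-01T09:00:05Z fs01 file_access user=bob path=/srv/finance/q1.xlsx result=ok
2024-05-01T09:00:09Z fs01 file_access user=bob path=/srv/hr/salaries.csv result=denied
2024-05-01T09:00:10Z fs01 file_access user=bob path=/srv/hr/salaries.csv result=denied
2024-05-01T09:00:11Z fs01 file_access user=bob path=/srv/hr/salaries.csv result=denied
2024-05-01T09:01:00Z fs01 file_access user=carol path=/srv/hr/salaries.csv result=ok
2024-05-01T09:02:00Z fs01 file_access user=dave path=/home/dave/notes.txt result=ok
this line is garbage and must not crash the review
"""


def parse(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def sensitive_prefix(path):
    """Return the policy prefix covering this path, or None if it is not sensitive."""
    for prefix in AUTHORIZED:
        if path.startswith(prefix):
            return prefix
    return None


def review(text):
    """Scan log text; return (findings, unparsed_line_count).

    Each finding is a dict with a 'kind' of either 'unauthorized_access'
    (a successful read of a sensitive path by a user not on the list) or
    'repeated_denials' (a user reaching DENIED_THRESHOLD denials).
    """
    findings = []
    unparsed = 0
    denials = Counter()
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ev = parse(raw)
        if ev is None:
            unparsed += 1  # count, don't crash: unparsed lines are a finding too
            continue
        prefix = sensitive_prefix(ev["path"])
        if prefix is None:
            continue  # not a sensitive path; nothing to check
        if ev["result"] == "ok" and ev["user"] not in AUTHORIZED[prefix]:
            findings.append({"kind": "unauthorized_access", "user": ev["user"],
                             "path": ev["path"], "ts": ev["ts"]})
        elif ev["result"] == "denied":
            denials[ev["user"]] += 1
            if denials[ev["user"]] == DENIED_THRESHOLD:
                findings.append({"kind": "repeated_denials", "user": ev["user"],
                                 "path": ev["path"], "ts": ev["ts"]})
    return findings, unparsed


if __name__ == "__main__":
    found, bad = review(SAMPLE_LOG)
    for f in found:
        print(f"ALERT {f['kind']}: user={f['user']} path={f['path']} at {f['ts']}")
    print(f"{bad} line(s) could not be parsed")
```

Two design points matter more than the regex: a denied access is not itself an "unauthorized access" (the control worked), but a run of denials is worth a look, and lines the parser does not understand are counted rather than silently dropped, because a sudden jump in unparsed lines usually means the log format changed and your checks have gone blind.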
Now that we have an idea why logs can be so useful, we'll take a deeper look at some of the challenges with accessing and reading them. For that, stay tuned for Logs 101 Part 2 - Logs: So Many Different Types.