Logging and Syslog Best Practices

In this post, I will cover a basic set of best practices for managing logs. Depending on your specific objectives, regulatory requirements, and business constraints, there are likely to be a number of additional best practices.

• Forward syslog messages from clients to a secure syslog server.
• Enable NTP clock synchronization on all clients and on the syslog server. It is very important for all systems
  reporting logs to be using the same time server, so that logs are all synchronized. Without doing this, it can be difficult or impossible to accurately determine the sequence of events across systems or applications.
• Group “like sources” into the same log file. (i.e. mail server, MTA, spamassassin and A/V scanner all report to one
  file)
• Use an automated tool to establish a baseline of your logs and escalate exceptions as appropriate.
• Review your records retention policy, if applicable, and determine if anything kept in logs falls under that policy. If so, establish retention periods based on the records policy.  Legal requirements for keeping logs vary by jurisdiction and application.
• The “sweet spot” for log retention appears to be one year.  Shorter than 1 year, and it is likely that key data would be unavailable in the wake of a long running attack, and longer than one year is most likely wasting disk space.
• Include logs and log archives in a standard backup process for disaster recovery.
• Change read/write permissions on logs files so they are not accessible to unprivileged user accounts.

Have more suggestions for logging best practices? Post them in a comment below.

<!-- Widget Area: [Content Item] Below ~~~ -->