Quick! When someone mentions "logs" in the same sentence as "compliance," what's your first thought?
If yours is like a lot of companies, says LogLogic's Anton Chuvakin, it's probably something along the lines of "Oh, sure. We have logs. We're fine."
But the truth is, you're probably not fine. In a recent IT Business Edge interview, Chuvakin reminded us that having logs sitting somewhere in cold storage isn't enough to satisfy compliance requirements. Regulations from PCI-DSS to Sarbanes-Oxley to HIPAA require some level of log management, he said:
Most regulations that require logging actually cover three things. They require having logs, which means you have to have systems enabled so that the log will be produced...Second, they cover log retention, which means keeping those logs for a certain period of time...Finally, believe it or not, there is a requirement to review logs...
As for which regulations require what, Chuvakin says the details differ depending on the regulation:
PCI-DSS is specific about retention. You have to keep logs for a year. In the case of HIPAA, it's a little more fuzzy. It's organization-specific and you determine it yourself based on certain considerations ... The same applies for review (monitoring). Some regulations are more specific. They require daily review or automated review or monitoring in real time. Others just say, "Make sure you look at the logs."
Never fear, however. Most log management can be automated:
You can automate just about everything apart from making a decision about what needs to be done as a result of the data from the logs... You can look at the reports and say, "I can't believe this is going on! I need to go do X, Y, Z." And then you do it. But everything up to that point can be automated.
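The three requirements Chuvakin lists (logs produced, logs retained, logs reviewed) and the automation he describes, as an added example that is not from the interview or from LogLogic: a Python script that runs all three checks over a handful of constructed log lines. The one-year retention figure is the PCI-DSS period quoted above; the one-hour silence limit, the five-failed-logins review rule, and the timestamp/host/message line format are assumptions made for the example.

```python
"""Three checks behind "we have logs for compliance": produced, retained, reviewed."""
from collections import Counter
from datetime import datetime, timedelta, timezone
import re

# Constructed sample lines (ISO 8601 UTC timestamp, host, message). Not real data.
SAMPLE_LOGS = """\
2013-05-01T08:00:00Z web1 sshd[1203]: Accepted publickey for deploy from 192.0.2.10 port 50112 ssh2
2014-03-15T12:00:00Z web1 sshd[2210]: Accepted password for alice from 192.0.2.11 port 50200 ssh2
2014-06-01T07:50:01Z web1 sshd[3301]: Failed password for root from 203.0.113.7 port 4123 ssh2
2014-06-01T07:50:03Z web1 sshd[3302]: Failed password for root from 203.0.113.7 port 4124 ssh2
2014-06-01T07:50:05Z web1 sshd[3303]: Failed password for admin from 203.0.113.7 port 4125 ssh2
2014-06-01T07:50:07Z web1 sshd[3304]: Failed password for admin from 203.0.113.7 port 4126 ssh2
2014-06-01T07:50:09Z web1 sshd[3305]: Failed password for oracle from 203.0.113.7 port 4127 ssh2
2014-06-01T07:52:00Z web1 sshd[3310]: Failed password for bob from 198.51.100.2 port 6001 ssh2
2014-06-01T07:55:00Z web1 sshd[3312]: Accepted password for bob from 198.51.100.2 port 6002 ssh2
"""

NOW = datetime(2014, 6, 1, 8, 0, 0, tzinfo=timezone.utc)  # fixed clock so runs are reproducible
RETENTION_DAYS = 365            # the one-year PCI-DSS figure quoted in the article
MAX_SILENCE = timedelta(hours=1)  # assumed: a source quiet longer than this is not "producing logs"
FAILED_LOGIN_THRESHOLD = 5      # assumed review rule: 5+ failures from one source is a finding
FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+) port")


def parse_line(line):
    """Split one 'TIMESTAMP HOST MESSAGE' line into (datetime, host, message)."""
    ts, host, message = line.split(" ", 2)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, host, message


def parse_logs(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def logs_being_produced(entries, now=NOW, max_silence=MAX_SILENCE):
    """Check 1 (having logs): the newest entry is recent. A long silence usually means
    logging was switched off or the collection pipeline broke, not that nothing happened."""
    if not entries:
        return False
    newest = max(when for when, _, _ in entries)
    return now - newest <= max_silence


def retention_covered_days(entries, now=NOW):
    """Check 2 (retention): how many whole days back the retained data reaches."""
    if not entries:
        return 0
    oldest = min(when for when, _, _ in entries)
    return (now - oldest).days


def retention_ok(entries, now=NOW, required_days=RETENTION_DAYS):
    return retention_covered_days(entries, now) >= required_days


def review(entries, threshold=FAILED_LOGIN_THRESHOLD):
    """Check 3 (review): automated pass that counts failed logins per (host, source)
    and returns findings for a human to act on. The decision is not automated."""
    failures = Counter()
    for _, host, message in entries:
        m = FAILED_RE.search(message)
        if m:
            failures[(host, m.group(2))] += 1
    return [
        {"host": host, "source": src, "failed_logins": n}
        for (host, src), n in sorted(failures.items()) if n >= threshold
    ]


def compliance_report(text, now=NOW):
    """Run all three checks over raw log text and return one summary dict."""
    entries = parse_logs(text)
    return {
        "produced": logs_being_produced(entries, now),
        "retention_days": retention_covered_days(entries, now),
        "retention_ok": retention_ok(entries, now),
        "findings": review(entries),
    }


if __name__ == "__main__":
    for key, value in compliance_report(SAMPLE_LOGS).items():
        print(f"{key}: {value}")
```

The `findings` list is where automation stops, as the quote says: the script reports that one source produced five failed logins in under ten seconds, and a person decides what to do about it. Two caveats on the retention check: it only proves coverage back to the oldest entry you still hold (a system younger than a year will fail until the year has passed), and it cannot tell you whether entries inside that window were deleted early, which is why retention also needs to be enforced at the storage layer rather than only measured afterward.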