I just read a presentation from Network Intelligence on putting together a SIEM solution. I really don’t know that much about SIEM, but what I do know is when my application breaks, I want to know what happened and have access to the logs as quickly and easily as possible.
I’ve talked about how to implement Logging in an application before, but this presentation sparked a few thoughts.
Don’t Filter Logs at the Source
Log all events to a single place, then use a different tool to pull down the data to sort and filter.
Have a Reporting Time Period
Create a report that will run once a Day, once a week or whenever that shows all the events you are interested in seeing. After the report has ran, you can get rid of the data -or- you can archive it.
Use a centralized, standard Time for every log. Synchronizing time between application logs will help correlate issues between applications.
Protect Sensitive Data
Be cautious of Sensitive information captured in the logs. Often username, machine names, and other sensitive data is captured in the event log. Provide access to the log to only those who need it.
Every application should know what events will be logged during day to day usage. Create a baseline report and look for exceptions to the expected baseline.