
CENTRALIZED LOGGING - KNOWING WHEN LESS IS MORE

A lot of firms collect massive amounts of data every day (up to billions of events)
to improve their security efforts, enhance their business intelligence, and refine
their marketing strategies. Their log storage is so large that some of them even
brag about its size, to show the public and their clients how advanced their
technology is. But what is the point of storing petabytes of data when you cannot
measurably make sense of it? Tons of security alerts and incident reports are
pointless when you can't deal with them all quickly enough.

Worse, collecting an enormous amount of data strains your finances, overwhelms
your staff, and bloats your organization with additional and often pointless work.
Centralized logging is critical to getting the most out of your logs and to
filtering for only the most useful and interesting data: drop the noisy sources
and routine messages at ingestion, and keep what you would actually search for
during an incident. Sometimes less is just more.

WHY YOU NEED CENTRALIZED LOGGING

If you're asking yourself whether centralized logging is worth all the effort,
well, the answer is simply "Yes." Log records are a key piece of any robust security
strategy, and placing them all in a single location greatly simplifies log
analysis and correlation. It gives you a much more granular overview of the
current situation, and keeps everything you always need at hand.

But it also improves your business's security by providing a safe place to store
all your log data. Cybersecurity is all about mitigation: even if a network
segment or a single machine is compromised, an attacker who controls that host
cannot reach the copies already forwarded to your central log repository, provided
the repository runs on a separate, properly access-controlled system. Attackers
also have a much harder time erasing their traces, because wiping or editing the
local system logs does nothing to the entries that were already shipped off the
host. The repository itself becomes a high-value target, so it should accept
forwarded messages over an authenticated, encrypted channel and allow deletion
only to a small set of administrators. When logs are centralized, the management
software can take the entire organization's infrastructure into account at once,
including its different units, improving overall visibility and the cyber posture.

Storing data centrally is also a much more efficient solution. Most routers and
firewalls have only a small buffer for logs, and since space is not unlimited, old
records are discarded all the time to make room while the newest ones still eat
up precious disk space on each machine. Central log servers have a much greater
storage capacity, and what's even better, they can identify suspicious patterns
that no single device would notice, because they can evaluate information across
all sources and over much longer time intervals.
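The kind of pattern only the central view reveals, as an added example that is not part of the original article or of Graylog: a source address that fails SSH logins only two or three times per host, which is below any sensible per-host lockout threshold, but hits four different hosts within two minutes. The sshd lines, host names, addresses, the two-minute window, the three-host threshold and the year supplied to the year-less RFC 3164 timestamps are all constructed for this example.

```python
"""Cross-host correlation over syslog lines (added example, not the article's own code)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample: RFC 3164-style lines as they would arrive at a central collector
# from four hosts. Each host sees at most three failures from 203.0.113.7.
SAMPLE_LINES = [
    "Mar  4 10:00:01 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 51122 ssh2",
    "Mar  4 10:00:03 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 51123 ssh2",
    "Mar  4 10:00:05 web2 sshd[1877]: Failed password for admin from 203.0.113.7 port 51130 ssh2",
    "Mar  4 10:00:09 web2 sshd[1877]: Failed password for admin from 203.0.113.7 port 51131 ssh2",
    "Mar  4 10:00:12 db1 sshd[990]: Failed password for postgres from 203.0.113.7 port 51140 ssh2",
    "Mar  4 10:00:15 db1 sshd[990]: Failed password for postgres from 203.0.113.7 port 51141 ssh2",
    "Mar  4 10:00:20 bastion sshd[3101]: Failed password for ubuntu from 203.0.113.7 port 51150 ssh2",
    "Mar  4 10:00:22 bastion sshd[3101]: Accepted publickey for ops from 198.51.100.20 port 40000 ssh2",
    "Mar  4 10:05:00 web1 sshd[2202]: Failed password for alice from 198.51.100.20 port 40010 ssh2",
    "Mar  4 11:30:00 web2 sshd[1900]: Failed password for root from 203.0.113.7 port 52000 ssh2",
]

# Only the OpenSSH "Failed password" message is parsed; everything else is ignored here.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_failed_logins(lines):
    """Return (timestamp, host, user, source_ip) tuples for each failed-login line."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        # RFC 3164 timestamps carry no year; a real collector stamps its own
        # receive time. 2024 is an assumption made for this example.
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S").replace(year=2024)
        events.append((ts, m["host"], m["user"], m["ip"]))
    return events


def failures_per_host(events, ip):
    """What each host sees on its own: failure count for one source address."""
    return dict(Counter(host for _ts, host, _user, e_ip in events if e_ip == ip))


def find_spraying_sources(events, window=timedelta(minutes=2), min_hosts=3):
    """Sources that failed logins on at least min_hosts distinct hosts inside one window.

    Returns {source_ip: sorted list of hosts} using the largest host set seen in any
    sliding window of the given length over that source's failures.
    """
    by_ip = defaultdict(list)
    for ts, host, _user, ip in events:
        by_ip[ip].append((ts, host))
    findings = {}
    for ip, hits in by_ip.items():
        hits.sort()
        best, start = set(), 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window forward
            hosts = {h for _, h in hits[start:end + 1]}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            findings[ip] = sorted(best)
    return findings


if __name__ == "__main__":
    evs = parse_failed_logins(SAMPLE_LINES)
    print("per-host view:", failures_per_host(evs, "203.0.113.7"))
    print("central view:", find_spraying_sources(evs))
```

Per host, 203.0.113.7 never exceeds three failures, so a local fail2ban-style rule stays quiet; across the aggregated stream the same address shows up on web1, web2, db1 and bastion inside twenty seconds, and the later single failure at 11:30 falls outside the window and does not inflate the count.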

BEST PRACTICES FOR CENTRALIZED LOGGING

Many companies with distributed servers need to design a centralized logging
architecture to find a more efficient way to transfer and aggregate logs from
different sources. A central location that stores all aggregated logs allows
real-time access, which significantly improves a firm's ability to troubleshoot
problems, but a solid plan that establishes best practices for centralized logging
is necessary. For example, simply copying your log files to a central location
with a Cron job forces you to follow its schedule: you only ever see what was
copied at the last run, not what is happening right now. Syslog is a better
alternative, because the local syslog daemon receives each entry from the process
that logs it and forwards it to the central collector as it is written. A central
syslog server (rsyslog, syslog-ng, or a Graylog syslog input) is set up on the
network, and the syslog daemon on each client is configured to forward all
messages to it, preferably over TCP with TLS so that entries are neither dropped
nor readable in transit.

Availability of the central repository must be carefully taken into account
beforehand: you don't want to find yourself unable to reach the retained
information just when problems start occurring, and forwarders need a local
buffer so that nothing is lost while the collector is down. At the same time, if
your organization is large enough, chances are you have to deal with multiple
domains, each with different trust relationships, authentication processes, and
security levels. Some applications may have to run unattended, others are accessed
via VPN by remote employees working from home, and some machines may not even be
joined to the domain. If you operate across multiple data centers, repeated
migrations or redeployments of your platform will push you towards an
Infrastructure as Code (IaC) approach, so that any future maintenance of the
logging platform stays clean and traceable. You should take all this into account
before a large-scale log management deployment.
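The two points made above, streaming entries to the collector as they happen rather than on a Cron schedule, and not losing anything while the central repository is unavailable, in one added example that is not Graylog's, rsyslog's or the article's own code. The client ships each line over TCP the moment it is logged; when the collector is unreachable it spools the line to a local file and replays the spool once a collector is back, which is the job rsyslog's disk-assisted queues and syslog-ng's disk buffer do in production. The loopback collector, the spool path, the port handling and the two sshd lines are assumptions made for the demo.

```python
"""Streaming log forwarder with a local spool (added example, not a product's code)."""
import os
import socket
import socketserver
import tempfile
import threading
import time


class _LineHandler(socketserver.StreamRequestHandler):
    def handle(self):
        for raw in self.rfile:  # newline-framed messages, one per line
            with self.server.lock:
                self.server.received.append(raw.decode("utf-8", "replace").rstrip("\r\n"))


class Collector(socketserver.ThreadingTCPServer):
    """Stand-in for the central syslog/Graylog input; remembers every line it receives."""
    allow_reuse_address = True
    daemon_threads = True
    block_on_close = False  # do not join handler threads still blocked on open clients

    def __init__(self, port=0):
        super().__init__(("127.0.0.1", port), _LineHandler)  # port 0: pick a free port
        self.received, self.lock = [], threading.Lock()
        self.port = self.server_address[1]
        threading.Thread(target=self.serve_forever, daemon=True).start()

    def wait_for(self, count, timeout=3.0):
        """Poll until at least `count` lines arrived (or timeout); return a copy of them."""
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            with self.lock:
                if len(self.received) >= count:
                    return list(self.received)
            time.sleep(0.01)
        with self.lock:
            return list(self.received)

    def stop(self):
        self.shutdown()
        self.server_close()


class Forwarder:
    """Client side: ship each line at once; spool it when the collector is down."""

    def __init__(self, host, port, spool_path, timeout=1.0):
        self.host, self.port, self.spool_path, self.timeout = host, port, spool_path, timeout
        self.sock = None

    def _deliver(self, line):
        if self.sock is None:  # (re)connect lazily; raises OSError when refused
            self.sock = socket.create_connection((self.host, self.port), timeout=self.timeout)
        try:
            self.sock.sendall((line + "\n").encode("utf-8"))
        except OSError:
            self.close()
            raise

    def send(self, line):
        """True if delivered now, False if written to the spool for later replay."""
        try:
            self._deliver(line)
            return True
        except OSError:
            with open(self.spool_path, "a", encoding="utf-8") as f:
                f.write(line + "\n")
            return False

    def flush(self):
        """Replay spooled lines in order, stopping at the first failure; returns how many went."""
        if not os.path.exists(self.spool_path):
            return 0
        with open(self.spool_path, encoding="utf-8") as f:
            pending = [l.rstrip("\n") for l in f if l.strip()]
        sent = 0
        for line in pending:
            try:
                self._deliver(line)
                sent += 1
            except OSError:
                break
        with open(self.spool_path, "w", encoding="utf-8") as f:  # keep only the undelivered rest
            f.writelines(l + "\n" for l in pending[sent:])
        return sent

    def close(self):
        if self.sock is not None:
            self.sock.close()
            self.sock = None


# Constructed sample messages (syslog priority 38 = auth.info).
FIRST_LINE = "<38>Mar  4 10:00:01 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 51122 ssh2"
SECOND_LINE = "<38>Mar  4 10:00:03 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 51123 ssh2"


def demo():
    """Collector up: line delivered live. Collector down: line spooled. Back: spool replayed."""
    spool = os.path.join(tempfile.mkdtemp(), "forwarder.spool")  # assumed spool location
    first = Collector()
    fwd = Forwarder("127.0.0.1", first.port, spool)
    live = fwd.send(FIRST_LINE)
    seen_first = first.wait_for(1)
    fwd.close()
    first.stop()  # the central repository goes away
    spooled = fwd.send(SECOND_LINE)  # connection refused, so the line lands in the spool
    second = Collector()  # collector returns; a fresh port here, the same port in real life
    fwd.port = second.port
    replayed = fwd.flush()
    seen_second = second.wait_for(1)
    with open(spool, encoding="utf-8") as f:
        left = sum(1 for l in f if l.strip())
    fwd.close()
    second.stop()
    return {"live": live, "first": seen_first, "spooled": spooled,
            "replayed": replayed, "second": seen_second, "left_in_spool": left}


if __name__ == "__main__":
    print(demo())
```

The spool is append-only while the collector is down and is rewritten only after a replay, so an entry is never dropped between the two; a real deployment would add TLS on the socket and a cap on spool size, which the demo leaves out.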

CENTRALIZE YOUR LOGS WITH GRAYLOG

Graylog can be easily integrated with any part of your infrastructure. Just drive
your first messages into Graylog and then build your extraction pipeline. All
streams can be checked at once (rather than on a per-server basis) to monitor
whether they contain a specific message. The more information contained in that
message, the more value can be generated later on. Graylog offers multiple
installation methods to centralize your logs, and each one of them comes with its
own documentation to help you through each step of the process.

If you're still unsure about the best approach to centralize your logs, we're
here to help you. We can offer you training that covers all the steps needed to
fully implement the most efficient centralizing strategy for your environment.
