Log Management in the Age of Compliance
Dr. Anton Chuvakin
WRITTEN: 2007
DISCLAIMER:
Security is a rapidly changing field of human endeavor. Threats we face literally
change every day; moreover, many security professionals consider the rate of
change to be accelerating. On top of that, to be able to stay in touch with such
ever-changing reality, one has to evolve with the space as well. Thus, even
though I hope that this document will be useful for to my readers, please keep in
mind that is was possibly written years ago. Also, keep in mind that some of the
URL might have gone 404, please Google around.
With each publicized data breach (TJ Maxx, U.S. Department of Agriculture) or new regulation
security emphasis seems to shift away from the traditional “keep bad guys out” mentality and
towards the “what’s going on in here?” layered, in-depth look at IT activity.
As such, organizations are turning to logs to provide a continuous fingerprint of everything that
happens with their IT systems and, more importantly, with their data. Logs of different types are
generated from different sources at an astounding rate, allowing for a detailed –if sometimes
cloudy - picture of IT activity. If a disgruntled employee accesses a database containing
confidential information with the intent to steal the data, there would likely be a log of that
activity that someone could review to determine the who’s, what’s, and when’s. Logs provide
the bread crumbs that organizations can use to follow the paths of all of their users, mal-
intentioned or not.
It follows that managing these logs can benefit an organization in many ways. They offer
situational awareness, help organizations pinpoint new threats as well as allow their effective
investigation. Routine log reviews and more in-depth analysis of stored logs are beneficial for
identifying security incidents, policy violations, fraudulent activity, and operational problems
shortly after they have occurred, and for providing information useful for resolving such
problems.
Given the inherent benefits of log management, it is not surprising that log data collection and
analysis is generally considered a security industry “best practice.” However, a number of
regulations also explicitly call for the collection, storage, maintenance, and review of logs in
order for companies to be compliant, turning log management from a “should do” to a “must
do.” Some of these regulations rely on National Institute of Standards and Technology
Computer Security Special Publications (NIST SP) in order to delineate the detailed logging
requirements.
In my last article (link), I described the way in which 3 regulations (FISMA, HIPAA, and PCI-
DSS) affect incident response processes. This triumvirate also affects log management, as they
call for enabling logging as well as for log review.

The Federal Information Security Management Act of 2002 (FISMA)
While many criticize FISMA for being ‘all documentation and no action’, the law simply
emphasizes the need for each Federal agency to develop, document, and implement an
organization-wide program to secure the information systems that support its operations and
assets. NIST SP 800-53, Recommended Security Controls for Federal Information Systems,
describes log management controls including the generation, review, protection, and
retention of audit records, and steps to take in the event of audit failure. NIST 800-92, Guide
to Computer Security Log Management, also is created to simplify FISMA compliance, is
fully devoted to log management, and describes a broad the need for log management in
federal agencies and ways to establish and maintain successful and efficient log management
infrastructures (including log generation, analysis, storage, and monitoring). NIST 800-92
discusses the importance of analyzing different kinds of logs from different sources and of
clearly defining specific roles and responsibilities of those teams and individuals involved in
log management. Importantly, section 4.2 highlights the need for organization to clearly
define its policy requirements (based on the appropriate regulations) for performing logging
and monitoring logs, including log generation, transmission, storage, and disposal as well as
explicit protections for these logs.
HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) outlines relevant
security standards for health information. NIST SP 800-66, An Introductory Resource Guide
for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security
Rule, details HIPAA-related log management needs in the context of securing electronic
protected health information. Section 4.1 of NIST 800-66 describes the need for regular
review of information system activity, such as audit logs, access reports, and security
incident tracking reports. Also, Section 4.22 specifies that documentation of actions and
activities need to be retained for at least six years. While the debate about whether logs can
be considered documents is not finished, some organizations did choose to store logs for as
long as other business documents. In addition, Appendix A of this document encourages
organizations to ask a variety of log-related questions, including whether or not system
performance monitoring is used t o analyze system performance logs in real time in order to
spot availability problems like active attacks.
PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS), which applies to
organizations that handle credit card transactions, mandates logging specific details and log
review procedures to prevent credit card fraud, hacking, and other related security issues in
companies that store, process, or transmit credit card data. Even though logging is present in
all PCI requirements, PCI DSS also contains Requirement 10, which is dedicated to logging
and log management. Under this requirement, logs for all system components must be
reviewed at least daily, and these log reviews must include servers that perform security
functions (e.g. intrusion detection system and authentication, authorization, and accounting
protocol servers. Further, PCI DSS states that the organization must ensure the integrity of
their logs by implementing file integrity monitoring and change detection software on logs to

insure that existing log data can not be changed without generating alerts. It also prescribes
that logs from in-scope systems are stored for at least one year.
There are also a variety of other regulations that call for log management capabilities,
although less explicitly than the aforementioned three. California Bill 1386 and its upcoming
federal equivalent, for example, requires a state agency, person, or business that owns or
licenses computerized data that includes personal information, to disclose any breach of the
security of the data to any California resident whose unencrypted personal information was
acquired by an unauthorized person. Logs, by nature of allowing for tracking IT
infrastructure activity, are the best way to assess if, how, when, and where a data breach has
occurred, so management of these logs would be the best way to assess what data has been
accessed/stolen and, thus, who needs to be notified.
The major effect the age of compliance has had on log management is to turn it into a
requirement rather than just a recommendation, and this change is certainly to the advantage
of any enterprise subject to one of those regulations. It is easy to see why log collection and
management is important, and the explicit inclusion of log management activities in major
regulations like FISMA, HIPAA, and PCI DSS highlights how key it truly is to enterprise
security as well as broader risk management needs.
ABOUT THE AUTHOR:
This is an updated author bio, added to the paper at the time of reposting in
2009.
Dr. Anton Chuvakin (http://www.chuvakin.org) is a recognized security expert in
the field of log management and PCI DSS compliance. He is an author of books
"Security Warrior" and "PCI Compliance" and a contributor to "Know Your Enemy
II", "Information Security Management Handbook" and others. Anton has
published dozens of papers on log management, correlation, data analysis, PCI
DSS, security management (see list www.info-secure.org) . His blog
http://www.securitywarrior.org is one of the most popular in the industry.
In addition, Anton teaches classes and presents at many security conferences
across the world; he recently addressed audiences in United States, UK,
Singapore, Spain, Russia and other countries. He works on emerging security
standards and serves on the advisory boards of several security start-ups.
Currently, Anton is developing his security consulting practice, focusing on
logging and PCI DSS compliance for security vendors and Fortune 500
organizations. Dr. Anton Chuvakin was formerly a Director of PCI Compliance
Solutions at Qualys. Previously, Anton worked at LogLogic as a Chief Logging
Evangelist, tasked with educating the world about the importance of logging for
security, compliance and operations. Before LogLogic, Anton was employed by a
security vendor in a strategic product management role. Anton earned his Ph.D.
degree from Stony Brook University.