WRITTEN: 2008
Introduction to Logging
A well-worn maxim proclaims that “knowledge is power,” but where do we get our
knowledge about information technology (IT) components such as computers,
networking gear, application frameworks, SOA web infrastructure and the like?
The richest source of such information, one that is always available but often
overlooked, is the logs and audit trails produced by these systems and
applications. Through logs, audit trails and various alerts, information systems
often give signs that something is amiss, or an event recorded in the log files
provides insight into future problems. Logs can also reveal larger weaknesses
that may affect regulatory compliance and even IT governance and, by
extension, corporate governance. However, more often than not, it is difficult to
extract information from log files and distil the data into useful, usable and
actionable information.
To start from the very high level, logs equal accountability. Wikipedia
defines accountability as "a concept in ethics with several meanings…often
used synonymously with such concepts as answerability, enforcement,
responsibility, blameworthiness, liability and other terms associated with the
expectation of account-giving." There are many other mechanisms for
accountability in an organization, but logs are the most prevalent. And if your IT
staff is not accountable, neither is your business. Unless you take logs
seriously, you may be sending out the message that your organization shuns
accountability. Along the same lines, logs are also immensely valuable for
meeting regulatory compliance. Many recent US laws, including HIPAA, GLBA,
Sarbanes-Oxley (SOX) and others, have requirements related to log auditing and
the handling of those logs (see my papers “Log management in the age of
compliance” and “Six Mistakes of Log Management”).
Let’s take a look at virtualization and what it means in terms of log collection
and retention.
Introduction to Virtualization
Server virtualization makes it possible to consolidate multiple diverse systems onto a single
hardware platform, thus shrinking server, storage and networking costs, reducing
power requirements (through a direct decrease in consumed energy and
cooling costs), increasing utilization of existing computing resources and
improving productivity. The impact is significant; Gartner reports savings of up to
25 percent due to server consolidation and decreased hardware purchases.
It all sounds good, but what happens to logs, logging and log management
when IT environments are virtualized?
First, let’s review what stays the same. A virtual server is still a server,
complete with an operating system and applications, and with logs that must be
collected, retained (for security and compliance reasons) and analyzed, just as
in “physical” environments. The rest of the IT infrastructure stays the
same: routers still route network traffic, switches perform switching, firewalls
and other network security devices perform their functions on network traffic,
etc. In other words, an IT infrastructure with virtual platforms, host systems and
guest systems is largely the same as one with all physical elements, with all
the usual logging that needs to be managed. Similarly, networking between
guest systems running on a single virtual platform resembles networking
between physical machines, and needs to be monitored and audited just like on
a physical network.
In short, the advent of virtualization is not a reason to throw away tools that
work for you in physical environments. They will continue to deliver value and
help your IT and business to operate efficiently, be secure and compliant with
relevant regulations, especially given the fact that the future belongs to a mix
of physical and virtual environments.
What changes?
On the other hand, virtualization has brought a lot of new technologies (all with
their own logs) as well as new problems for IT departments to solve. Such
problems might not have any equivalent in the physical world, where “a server”
always meant “a piece of hardware” plus “an operating system” plus “one or
more user applications” running on it—a worldview that virtualization is
making obsolete.
3) Stricter host platform security monitoring will help reduce the risk of
breaches into the virtual infrastructure. Extensive logging, log collection
and analysis will allow thorough incident investigation. Such logs also support
security incident response and forensics activity across virtual farms, as well as
across the massive SAN arrays that house virtual machine images.
At this point it should be clear that the changes IT staff must face as
virtualization becomes a reality in the datacenter are indeed massive. For IT
staff tasked with logging activity across the infrastructure, these changes can
be good, bad or ugly:
2) They’re bad—or partly bad—because there are new logs to collect and
analyze and new activities to track and monitor. Virtual machines must be
closely watched for availability and security issues and to ensure they comply
with policies and regulations.
4) They’re “ugly”—sometimes, because unmanaged virtual machines can pop
up on the organization’s systems or even in the cloud, violating IT policies and
presenting significant enforcement and investigation challenges.
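The "bad" and "ugly" cases above are, in practice, a coverage problem: every powered-on guest the hypervisor knows about should be delivering logs, and every guest should have an owner. The following is an added example, not code from the original paper or from any product it mentions; it reconciles a constructed hypervisor inventory against a constructed "last event seen" table from a log collector and flags silent, ownerless or unknown hosts. The data formats and names are assumptions.

```python
"""Reconcile VM inventory against log-collector coverage (constructed data)."""
from datetime import datetime, timedelta

# Constructed hypervisor inventory: name, power state, owner tag ('' = unclaimed).
VM_INVENTORY = [
    {"name": "web01", "state": "poweredOn", "owner": "ecommerce"},
    {"name": "db01", "state": "poweredOn", "owner": "ecommerce"},
    {"name": "test-vm-7", "state": "poweredOn", "owner": ""},      # nobody owns it
    {"name": "old-build", "state": "poweredOff", "owner": "devtools"},
]

# Constructed collector view: source host -> timestamp of the last event received.
LAST_LOG_SEEN = {
    "web01": datetime(2008, 6, 1, 12, 0),
    "db01": datetime(2008, 5, 30, 9, 15),     # stale: stopped sending days ago
    "lab-box": datetime(2008, 6, 1, 12, 30),  # logging, but not in the inventory
}

# Fixed "current time" so the example is reproducible (assumption).
NOW = datetime(2008, 6, 1, 13, 0)


def reconcile(inventory, last_seen, now, max_silence=timedelta(hours=24)):
    """Return {host: [issues]}; an empty dict means full logging coverage."""
    findings = {}
    for vm in inventory:
        if vm["state"] != "poweredOn":
            continue  # powered-off guests cannot log; their images are a separate concern
        issues = []
        if not vm["owner"]:
            issues.append("no owner tag: unmanaged VM")
        seen = last_seen.get(vm["name"])
        if seen is None:
            issues.append("never reported to log collector")
        elif now - seen > max_silence:
            issues.append(f"silent for {(now - seen).days} days")
        if issues:
            findings[vm["name"]] = issues
    # A host that logs but is absent from the inventory may be rogue or on another platform.
    for name in sorted(set(last_seen) - {vm["name"] for vm in inventory}):
        findings[name] = ["logs received from host not in hypervisor inventory"]
    return findings


def run_report():
    """Run the reconciliation over the constructed data and return the findings."""
    return reconcile(VM_INVENTORY, LAST_LOG_SEEN, NOW)


if __name__ == "__main__":
    for host, issues in run_report().items():
        print(f"{host}: {'; '.join(issues)}")
```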
In addition to being affected by it, logging and log management can also
augment virtualization projects, especially in the areas of security, compliance
and manageability.
Compliance: Recent mandates such as PCI DSS and others require logging, log
collection and retention, log analysis and review, and log protection. For
example, logging is one of the 12 PCI requirements (Requirement 10), whether
the environment is physical or virtual. Hence, logs from virtual machines must
be given at least as much importance as logs from physical environments.
Conclusion
Along with all the promise and benefits of a virtual infrastructure comes
significant change, requiring new ways for organizations to collect and manage
logs. However, existing log management tools such as LogLogic log
management appliances can still be leveraged to address these new logging
challenges, and to optimize, secure and bring into compliance newly virtualized
IT infrastructures.
This is an updated author bio, added to the paper at the time of reposting in
2009.