Even More Critical Logging Questions - Answered

I recently did this webcast on logging for accountability (slides and recording here) and people asked a lot of good questions. Here are some of the answers for them as well as for our blog readers.

Q1: How do you handle a variety of log sources? There are so many, almost beyond my capability.

A1: Sorry to ponder the meaning of "is" here, but what is meant by "handle"? It is really not that hard to collect logs from a large number of diverse sources, given the right tools (as long as the logs can be delivered via syslog or grabbed as files). Now, there will certainly be challenges when the volume of logs gets large, but if by "handle" you mean "collect + store," it is really not that hard, again, given the right tools. Now, if "handle" means "make sense of what all those logs are trying to tell you," it is a different story altogether. It is indeed pretty hard to extract the meaning of all those logs automatically.

Q2: You talked about the importance of logging; however, for an intermediate or novice admin, what are the starting steps? What are the minimal logs they should start with at once?

A2: Answered in "Log Management - Day 1." If you want a simple list of logging things to "enable today," I cannot really answer it since I know neither your needs nor your environment. Remember, "requirements first - tools second!"

Q3: What regulations, rules or guidance exist regarding sharing or visibility of logs to users?

A3: PCI DSS says in Requirement 10.5: "Secure audit trails so they cannot be altered. 10.5.1 Limit viewing of audit trails to those with a job-related need. 10.5.2 Protect audit trail files from unauthorized modifications." NIST guidance for FISMA also says something similar (for example, look in the NIST 800-92 document). Overall, log protection and security are mentioned in many other regulations as well, all the way to ISO and COBIT.

Q4: How can I learn what exactly I need to log?

A4: Let me answer the "how can I learn" part and not the "what exactly I need to log" part, as the former is actually answerable (also see the discussion on "MUST-DO Logging for PCI?"). To learn what you need to log, first ask "Why?" (and then see this) - basically, establish what you want to accomplish with logs, then catalogue your systems, then figure out how to tweak the logging knobs - and then actually go and tweak them.

Q5: What is "more control" and what is "less control" that you mention in the webcast? Can you give an example?

A5: OK, I did say that "sometimes when you implement more controls, you actually have less control." What do I mean? If you buy a firewall (a network security control) and then - over time, of course - configure it with 7800 rules (!) that are supposed to give you control over who can and cannot access your network, you will not gain control over your environment. You will actually be less in control of who is touching your network, compared to, say, having only 20 rules.

Q6: What about mandated NIST controls for government systems? Auditing is a specific control for Moderate and High risk systems. What list of events do you recommend for auditing?

A6: This is too long to answer here, but the NIST 800-92 Guide is a really good source of such info ("Guide to Computer Security Log Management [PDF]"). Also, see my presentation on the NIST 800-92 Guide in the Real World.

Q7: The issue that many organizations get stuck on is the monitoring process, and defining what exceptions to monitor for. Is there guidance for this? How much of it is system specific and how much is applicable generally to all systems?

A7: I outlined some general ideas back in 2004 via this presentation; it is mostly general, but also has pointers to specific systems. Keep in mind that it is focused on security, not operational monitoring (which is often no less important - in fact, often MORE important).

Enjoy! Sorry for being brief with some of the answers.
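The two PCI DSS 10.5 sub-requirements quoted in A3 (limit viewing, protect from modification) can be checked mechanically; the script below is an added example, not code from the original post, and the file names and sample contents in it are constructed assumptions.

```python
# Added example: checks for PCI DSS 10.5.1 (limit viewing of audit trails) and
# 10.5.2 (protect audit trail files from unauthorized modification).
# File names, contents and the expected permission mode are constructed.
from __future__ import annotations
import hashlib
import stat
from pathlib import Path

def mode_findings(mode: int) -> list[str]:
    """Return 10.5 findings for a POSIX permission mode such as 0o640."""
    findings = []
    if mode & stat.S_IROTH:
        findings.append("world-readable (10.5.1: limit viewing to job-related need)")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group/world-writable (10.5.2: protect from modification)")
    return findings

def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """SHA-256 of each rotated (closed) audit file; keep the result off-box.
    The active log file legitimately grows, so baseline only closed files."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}

def verify_manifest(baseline: dict[str, str], current: dict[str, bytes]) -> dict[str, str]:
    """Map each discrepancy to 'modified', 'missing' or 'unexpected'.
    An empty result means every baselined file is intact and none appeared."""
    now = build_manifest(current)
    result = {}
    for name, digest in baseline.items():
        if name not in now:
            result[name] = "missing"
        elif now[name] != digest:
            result[name] = "modified"
    for name in now:
        if name not in baseline:
            result[name] = "unexpected"
    return result

def scan_directory(log_dir: Path) -> dict[str, list[str]]:
    """Filesystem wrapper: run mode_findings over every file under log_dir."""
    report = {}
    for p in log_dir.rglob("*"):
        if p.is_file():
            f = mode_findings(stat.S_IMODE(p.stat().st_mode))
            if f:
                report[str(p)] = f
    return report

if __name__ == "__main__":
    # Constructed sample: yesterday's baseline versus today's rotated files.
    baseline = build_manifest({"auth.log.1": b"Jan 1 user login ok\n", "secure.1": b"sudo root\n"})
    today = {"auth.log.1": b"Jan 1 user login ok\n", "secure.1": b"sudo root\nsudo root\n"}
    print(verify_manifest(baseline, today))  # secure.1 flagged as modified
    print(mode_findings(0o644))               # world-readable finding
```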
Other questions that I answered in the past: