A Solution To The Problem

By: Dimitri McKay

When I started with LogLogic, nearly four years ago, I worked in the support group. Day by day I spoke to new and existing customers about their appliances: how to tailor the software, how to hone the tool to their needs and their networks. The questions were often the same, and one that came up over and over went something like this: “Hi. I’m a new customer. We have the appliances up and running, and all of the log data on our network is being sent to LogLogic. Now what?”

“Now what”, indeed. This new customer had everything up and running but didn’t know what to report on, what to alert on, or what to search for. And this made sense. I work in log management full time, and I’m unable to remember which PIX message is generated when there is a policy update, or what log is created when PIX time server updates fail. I’m not Rain Man. How could I expect the average new customer to know which messages meant what? Each customer would have to re-invent the wheel, working out which events caused which messages on which devices. They would have to go through all of the controls of a compliance requirement and figure out how to map each control back to a set of reports and alerts. What a pain!

Unfortunately, the only answer I could give at that time was “It depends.” I didn’t know why the customer had acquired LogLogic. Was it for Operations? Was it for Forensics? Was it for Compliance? And if so, for which specific requirement? PCI? SOX? ITIL? ISO? HIPAA? COBIT? Each of these compliance mandates carries its own list of controls and required actions. For example, the COBIT framework specifically recommends using log data to review what users do with access rights and privileges, and to monitor log data to detect anomalous activities. For that we’re talking about a specific set of devices. The Payment Card Industry Data Security Standard (PCI DSS) requires log data to be reviewed daily and to be archived online for one year. This is a different scope of devices to monitor and actions to accomplish. The latest version of ITIL, version 3, recommends log data for problem isolation and user activity monitoring in conjunction with identity management. You see where this is going. Not all shoes fit all feet.

Now, however, LogLogic offers an answer to each of these questions. Whether complying with PCI, SOX, ISO or even ITIL, there is a suite to fit the need. As a Field Systems Engineer, when customers have a rock in their shoe, a thorn in their side, or a problem which needs a solution, we have an answer for them. We have a suite of alerts, reports and search filters to help them hit the ground running and find a path to unleashing that log power in as short a time as possible. We have the answer to the question “now what?”.