When one of the data sources used for incident decision making is coming from individual or aggregated log files, the management of those sources becomes critical. What are some of the key activities associated with managing logs?

What will be an ideal response?

---

Be prepared to handle the amount of data generated by logging -Some systems may result in literally gigabytes of data that must be stored or otherwise managed.

Rotate logs on a schedule-As indicated, some systems overwrite older log entries with newer entries to comply with the space limitations of the system. Ensure that the rotation of log entries is acceptable, rather than accepting system defaults.

Archive logs-Log systems can copy logs periodically to remote storage locations. There is a debate among security administrators as to how long log files should be maintained. Some argue that log files may be subpoenaed during legal proceedings and thus should be routinely destroyed to prevent unwanted disclosure during this process. Others argue that the information to be gained from analyzing legacy and archival logs outweighs the risk. Still others take the middle ground and aggregate the log information, then destroy the individual entries. Regardless of the method employed, some plan must be in place to handle these files or risk loss.

Encrypt logs -If the organization does decide to archive logs, the logs should be encrypted in storage. Should the log file system be compromised, this prevents unwanted disclosure.

Dispose of logs-Once log files have outlived their usefulness, they should be routinely and securely disposed.