Yes, you heard that right, the boss said, “We need Log Management!” And he’s right, but what does he mean? Isn’t that the horribly complex software that is only needed by huge corporations? And why is he saying it now? Did something happen?
Okay, breathe, it’s going to be all right. And you’re off on the right foot because you’ve started asking questions. In order to understand log management, let’s first get a definition in place for the data you’ll be managing. Every system, application, network appliance, mobile device, and other piece of machinery that we come in contact with every day generates log data. Splunk refers to this as “machine data.” This data lies at the heart of the log management and SIEM process. In order for devices to perform tasks, or for security events to be identified, we need machine data. Watch the Splunk video below to obtain a further grasp on this concept.
Now that we understand machine data, let’s go over the first steps to getting the log data that you’ll need to satisfy the boss’s requirements.
Before you do anything else in this process, you need definitive answers to some questions.
Getting these questions answered will undoubtedly lead to additional questions. Nonetheless, it’s important that you get this done before all else.
With clear answers to the questions you’ve posed, you’re now prepared to begin the implementation. Here are some things to consider to ensure a solid implementation:
1. Stop! – Wait, the first step to get started is to stop? Yes! It’s easy to get psyched up about the potential of all the data you’ve now learned about. But the reality is that each data source and type brings its own unique challenges. From data collection to interpretation, there is a lot of work to do as each system begins to deliver data. Take on each new system in methodical fashion, ensuring that you’ve got the data you expected and that it’s valid. Once each system has been thoroughly integrated, move on to the next one.
2. Communicate – As you integrate each new system, make sure that you keep the teams and stakeholders in the loop. Provide access to the system as early as possible and make sure that VIPs get the reports they’d want from the system. By keeping everyone up to date with the status, you’ll spend less time playing catch-up.
3. Train – Make sure that the people who are going to be responsible for using the tool have received adequate training. Log management tools have far more capability than most customers ever tap, but that doesn’t mean that you shouldn’t try. Make sure to look out for automation around alerts and reports that will reduce the workload.
4. Connect – Every day you should spend at least some time using the system. The data coming into this system is just as dynamic as the network that it’s monitoring. This means that as new systems get added, they need to be managed. Keep up with updates provided by the vendor to ensure you’re getting maximum value from the investment.
Now, get going – the boss wants Log Management.