| Subject: | Event log storage regulations/requirements from firewalls? |
|---|---|
| Date: | Thu, 26 Oct 2006 10:55:39 -0700 (PDT) |

Hello Security experts:

I have configured a number of firewalls to send their logs to a central SEMS (security event management system). The data is stored in an Oracle database. A requirement I have to meet is storing the raw events in a log file on a daily basis and making it available to manager/legal if necessary.

There are some firewalls which have been configured to send anything and everything, so a simple query to the database requesting all events for the previous day takes a long time (up to 50 minutes). I saw this query returning about 3079853 records. We do not have a requirement definition that explains what needs to be logged.

So my questions are the following:

1. Are there any regulations that outline what specifically should be logged and what can be ignored from firewalls? I am assuming there are different specifications for federal and commercial environments.
2. If any security admins in this group have been able to define this, could you please share some high-level info? Like what type of events should be stored, what can be ignored, how many days have you stored them for, etc.?

Thanks,
Ravi