Top Log FAIL

By Anton Chuvakin
October 29, 2009 | Comments: 1

A recent Wal-Mart intrusion story inspired me to summarize the most egregious, reckless, painful, negligent, sad, idiotic examples of failures with logs and logging - "Top Log FAIL." I am pretty sure that esteemed readers of SysAdmin Blog would never, ever do anything of that sort :-)
Here they are:

  1. Logging disabled: if you got a system which had operational logging enabled by default and then you turned it off before deploying in production - congratulations! You truly earn your title of a Log Idiot! :-)
  2. Logging not enabled: this is more sad than anything else ... and the person who will suffer the most from this is likely the one who has caused it. After all, you'd need those logs at some point yourself. There is nothing sadder than see a person having to explain to management, police, FBI, press, QSA, SEC, whoever: "Well, logging ... was ... never ... enabled!" (check out this motivational horror story)
  3. No log centralization: Windows admins, read this one - logs on the machine that crashed, was 0wned or even stolen will do you absolutely no good. It used to be that only Unix administratory can do this (via the magic of /etc/syslog.conf line ". @loghost.example.com"), but you, on the Windows side, could not. Please notice that the world is different now! (check out this deck on benefits and tips related to log centralization)
  4. Log retention period too short: the picture on the right should make this item (as well as the one above) painfully clear: doing "the right thing" and building the centralized logging infrastructure and then limiting the retention to 30 days is still "log FAIL." Many, many scenarios today require logs from the past - for the juiciest examples check all the recent "compromised in 2006 - discovered in 2008" stories (see some here in this deck)
  5. No logging of "Granted", "Accepted", "Allowed", etc: I don't even know where to start on this one - maybe thus: logging a firewall "connection blocked" events simply means that the firewall was doing its job, logging "connection allowed" shows that somebody is now in your network... The same idea applies to logging "login failed" and missing "login successful" - please make really sure to always log both (read this tip for more examples, instructions and ideas)
  6. Bad logs: if you are in operations, this is truly not your fault. But if you are in development - it probably is. Creating such logging classics as "failed successfully" and "login failed" [with no actual user name recorded] are fine examples of this "log FAIL." Be aware that our work on CEE will fix it eventually, but more hilarity will have to transpire before it happens (see this deck for some ideas on how not to engineer logging and how to do it - and for some examples of hilarity, of course)
  7. No log review or nobody is looking at logs: I am saving this "log FAIL" for last; logs are created to be reviewed, monitored, searched, investigated, etc and NOT - I assure you! - to simply use up disk space (check my famous "Top 11 Reasons to Look at Logs" as well the classic "Top Logging Mistakes" for more info on this one)

Possibly related posts:


You might also be interested in:

1 Comment

All good points you just need to be careful to not overwhelm yourself with data just because it can be logged.

News Topics

Recommended for You

Got a Question?