Centralize Logging

Posted by Serge Truth on January 6, 2011 at 9:49 AM

Here is another article to keep up with the theme of centralizing information security functionality. The security functions that may be centralized effectively are: input and data validation, auditing and logging, and error handling. These functions should behave similarly throughout the application, which is why it makes sense to put them in one place. Putting them in one place also helps ensure that this functionality is mature and well developed, because it is easier to evaluate when it is distinct from the rest of the code. This article is focused on centralizing logging functions.

Write a dedicated logging library or class and use it whenever log entries have to be generated, because a centralized logging subsystem is simpler to maintain and implement correctly. Perform the following actions to centralize logging:

1.   Identify existing logging functionality. Examine the application architecture to identify logging facilities, such as the logging API and where audit trails are actually stored. Make a list of the APIs used to log events, and document how to use them and where they store logs.

2.   Design the logging subsystem. Design and implement a class or library specifically for logging. When designing the logging subsystem, consider sending logs to a remote log server. Consider the following factors when designing the logging subsystem:

- Log throttling
- Logging important event details
- Logging important security operations
- Logging important business operations
- Monitoring the use of privileged accounts
- Logging user management events
- Avoiding including sensitive information in logs
- Logging unusual activity
- Sending logs to a centralized server

3.   Implement the logging subsystem. Write code that generates log entries according to your design.

4.   Use the logging subsystem. Use the logging class or library whenever logs are generated. If earlier code exists that generates log entries, replace it with calls to the new logging subsystem API.
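The following is an added, constructed example of what such a centralized logging class can look like; it is not code from the post or from Security Innovation. It folds in several of the design factors above (structured event details, a flag for privileged actions, redaction of sensitive fields, and per-actor throttling); the set of sensitive field names and the card-number pattern are assumptions, and the handler for shipping to a central server is left to the logger configuration.

```python
import json
import logging
import re
import time
from collections import defaultdict

# Constructed, illustrative implementation (not from the post): one class that
# every part of the application calls instead of writing log lines itself.
SENSITIVE_KEYS = {"password", "token", "secret", "ssn"}   # assumption: fields to redact
CARD_RE = re.compile(r"\b\d{13,16}\b")                    # assumption: card-number shape

class SecurityLogger:
    """Central audit/security logger: structured JSON records, redaction of
    sensitive fields, and throttling of repeated events per (kind, actor)."""

    def __init__(self, name="app", max_per_window=5, window_s=60.0,
                 clock=time.monotonic):
        # Handlers (e.g. logging.handlers.SysLogHandler) attached to this
        # logger are where shipping to a central log server would be configured.
        self._log = logging.getLogger(name)
        self._max, self._window, self._clock = max_per_window, window_s, clock
        self._recent = defaultdict(list)   # (kind, actor) -> timestamps in window

    def _redact(self, details):
        clean = {}
        for key, value in details.items():
            if key.lower() in SENSITIVE_KEYS:
                clean[key] = "[REDACTED]"
            elif isinstance(value, str):
                clean[key] = CARD_RE.sub("[REDACTED]", value)
            else:
                clean[key] = value
        return clean

    def _throttled(self, key):
        now = self._clock()
        stamps = [t for t in self._recent[key] if now - t < self._window]
        stamps.append(now)
        self._recent[key] = stamps
        return len(stamps) > self._max

    def event(self, kind, actor, outcome, privileged=False, **details):
        """Emit one structured event; returns the record, or None if throttled."""
        if self._throttled((kind, actor)):
            return None
        record = {"ts": time.time(), "event": kind, "actor": actor,
                  "outcome": outcome, "privileged": privileged,
                  "details": self._redact(details)}
        self._log.info(json.dumps(record))
        return record
```

Because `event` returns the record it emitted, callers and tests can check what actually reached the log without parsing output.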

Topics: developer guidance

Written by Serge Truth

Serge is a Content Lead here at Security Innovation. He is an IT and Information Security professional, certified by the Committee on National Security Systems Instruction.