Audit retention and storage
Storage cost is the most significant operational cost of auditing. The amount of audit data depends on the site policy for the following major factors: the number of users; how the system is used and how heavily it is loaded (web or application server, timesharing system, workstation); and the degree of traceability and accountability that is required. As you plan for the storage of audit logs, remember the following:
• You must set aside more disk space for the audit trail if auditing is used to monitor system use than if it is used only to detect abnormal events.
• You can reduce storage cost by reducing the amount of audit data generated. Define
• If you expect the audit data volume to be high, configure audit trails on a logical volume consisting of multiple physical disks and multiple physical I/O cards. Use the
• Frequently accessed data, such as production data, must be available
• To keep audit files at a manageable size, you can invoke the audomon daemon, which monitors the capacity of the current audit trail and of the file system on which the audit trail is located. If either capacity limit is reached, audit recording automatically switches to an alternative audit trail and the current audit trail is backed up to secondary storage.
• Deploying a log management solution is better than storing audit data distributed across systems because it facilitates access to logged data collected from across the organization and unifies searching, reporting, alerting, and analysis across any type of enterprise log data.
• Ensure that when the required data retention period has ended, the logs are retired by destroying them according to the organization's data destruction policies.
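The capacity-triggered trail switch and the retention-based retirement described above, written out as a small POSIX shell script. This is an added example, not HP-UX's audomon or any code from the original page: it keeps one active trail at a fixed path, moves it to a backup directory and starts a fresh trail when either the trail size or the file system free space crosses a threshold, and deletes backed-up trails older than a retention period. The paths, thresholds and the use of plain deletion as the destruction step are assumptions for the example.

```shell
#!/bin/sh
# Added example (not audomon): capacity-based audit trail switch plus
# retention-based retirement. All paths and limits are constructed.

# audit_trail_bytes FILE: print the trail size in bytes (0 if it does not exist)
audit_trail_bytes() {
    if [ -f "$1" ]; then
        wc -c < "$1" | tr -d ' '
    else
        echo 0
    fi
}

# fs_free_percent DIR: percent of free space on the file system holding DIR.
# Falls back to 100 if df output cannot be parsed, so a parsing problem
# never forces a spurious switch.
fs_free_percent() {
    free=$(df -P "$1" 2>/dev/null | awk 'NR == 2 { gsub("%", "", $5); print 100 - $5 }')
    echo "${free:-100}"
}

# switch_if_full TRAIL MAX_BYTES BACKUP_DIR MIN_FREE_PCT
# Prints "switched" when the trail reached MAX_BYTES or the file system fell
# below MIN_FREE_PCT free; the old trail is moved into BACKUP_DIR with a
# timestamp suffix (the "backup to secondary storage" step) and an empty,
# owner-only trail takes its place so recording continues. Otherwise prints "ok".
switch_if_full() {
    trail=$1; max=$2; backup=$3; minfree=$4
    size=$(audit_trail_bytes "$trail")
    free=$(fs_free_percent "$(dirname "$trail")")
    if [ "$size" -ge "$max" ] || [ "$free" -lt "$minfree" ]; then
        mkdir -p "$backup"
        stamp=$(date +%Y%m%d%H%M%S)
        mv "$trail" "$backup/$(basename "$trail").$stamp"
        : > "$trail"
        chmod 600 "$trail"
        echo switched
    else
        echo ok
    fi
}

# retire_expired BACKUP_DIR DAYS: remove backed-up trails whose modification
# time is older than DAYS and print how many were removed. rm stands in for
# whatever destruction method the organization's policy requires.
retire_expired() {
    n=$(find "$1" -type f -mtime +"$2" | wc -l | tr -d ' ')
    find "$1" -type f -mtime +"$2" -exec rm -f {} \;
    echo "$n"
}
```

A real monitor runs `switch_if_full` on a timer (audomon polls at a configurable interval) and leaves the retention sweep to a separate scheduled job; the two are kept as plain functions here so each step can be exercised on its own.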
Audit log analysis
The cost of analysis is roughly proportional to the amount of audit data collected. It includes the time it takes to review audit records and the time it takes to archive them and keep them in a safe place. The following best practices address the need to make analysis easier, enabling the organization to extract the wealth of information logs can provide:
• Regular review and analysis helps to identify late-hours logins, login failures, failed access to system files, and failed attempts to perform
• Automation can significantly improve analysis because it takes much less time to perform and produces more valuable results.
• Analyzing logs using a log management solution is better than analyzing logs separately on different systems because attacks usually involve multiple assets.
• You can analyze logs by extracting useful reports from the audit trail by using the following tools:
– Audit Record Display (audisp) in