One aspect of security configuration I don't see talked about enough is verbosity vs retention.
Do you really want this event of marginal use if it makes you have 20 fewer days before logs turnover?
@SwiftOnSecurity or it makes all your searches run slower because something that's used in 0.01% of your analysis tasks is consuming over 50% of your data volume
@http_error_418 @SwiftOnSecurity it's this vs. getting yelled at by your director when the vendor says they can't figure out your outage because you didn't have the logging enabled
@jasonbraatz @SwiftOnSecurity just because it's enabled at the source doesn't mean you have to collect and index it though...
@http_error_418 @SwiftOnSecurity APT, I love your user name.
@ConsoleWitch @SwiftOnSecurity why thank you 😊
@http_error_418 @SwiftOnSecurity wow, and I just realized that you're not a tea pot. Good to know.
@ConsoleWitch @SwiftOnSecurity but I -am- a teapot. That's why I return an error when you ask for coffee
@http_error_418 @SwiftOnSecurity oh of course, my mistake. I haven't read the RFC lately.
@SwiftOnSecurity Arguing for short and properly managed retention periods is always an uphill battle. People really need to understand that most data doesn't have long-term value.

@SwiftOnSecurity And conversely - are those 2 days on top of the 100 you already have worth not being able to effectively trace an issue?

It is a tightrope for sure

@SwiftOnSecurity Don't most SIEMs have a built-in system for dropping raw logs that are similar enough to an initial one? Just keep the timestamps if the content never changes so you know how many came in and when, problem solved?
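The "keep the count and the timestamps, drop the repeated content" idea above, plus the volume-share question from earlier in the thread, worked through as an added example (not code from anyone in the thread). It assumes a simple `timestamp source: message` line format and uses constructed sample lines.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the thread): ISO timestamp, source, message.
SAMPLE_LOGS = [
    "2024-03-01T10:00:00Z sshd: Accepted publickey for alice from 10.0.0.5",
    "2024-03-01T10:00:01Z healthcheck: GET /status 200 OK from 10.0.0.9",
    "2024-03-01T10:00:02Z healthcheck: GET /status 200 OK from 10.0.0.9",
    "2024-03-01T10:00:03Z healthcheck: GET /status 200 OK from 10.0.0.9",
    "2024-03-01T10:00:04Z sudo: alice : COMMAND=/bin/ls",
    "2024-03-01T10:00:05Z healthcheck: GET /status 200 OK from 10.0.0.9",
]

# Assumed line format: "<timestamp> <source>: <message>".
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>[^:]+):\s*(?P<msg>.*)$")


def volume_by_source(lines):
    """Bytes ingested per source (newline included): shows who eats the budget."""
    totals = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            totals[m["src"]] += len(line.encode()) + 1
    return dict(totals)


def retention_days(lines, budget_bytes, window_days, drop=()):
    """Days a fixed storage budget covers at the observed daily rate,
    optionally after dropping some sources from collection."""
    totals = volume_by_source(lines)
    daily = sum(b for s, b in totals.items() if s not in drop) / window_days
    return budget_bytes / daily if daily else float("inf")


def collapse_repeats(lines):
    """One record per identical (source, message), keeping every timestamp,
    so "how many came in and when" survives even though the text is stored once."""
    groups = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        groups.setdefault((m["src"], m["msg"]), []).append(m["ts"])
    return [{"src": s, "msg": msg, "count": len(ts), "timestamps": ts}
            for (s, msg), ts in groups.items()]
```

Run `volume_by_source` over a day of real input to see which source dominates, then compare `retention_days` with and without it before deciding what to collect.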
@SwiftOnSecurity Try configuring a system to DISA STIG guidelines. They specify logging flipping everything, mostly through auditd.
@SwiftOnSecurity One size doesn't fit all. When I was a Java developer I usually configured two log outputs on Tomcat: a more verbose one with 3-day retention, useful for issue diagnosis, and a less verbose one with long-term retention for security monitoring.
Only the second one went to the log collector.