I recently had a perfect example of the value of logging fall right into my lap. While testing out ArcSight Logger (a very cool product for a very reasonable price), I noticed some unusual firewall traffic. My NAS was making connections outbound to an IP address in Taiwan – something that in the security world can get your attention real quick! Fortunately, some quick Googling and a packet capture later, I had documented what was going on and was able to share the info on the product’s user forum.
Without a decent log analysis tool, the sheer volume of data makes manual review impractical. Within a few days of installing Logger, I had over 300k events from my firewall alone. But the power of a good tool was that it allowed me to filter down to things I didn’t expect and easily identify anomalies that needed investigation.
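To show what "filter down to things I didn’t expect" looks like in practice, here is an added example (my own code, not part of the original post and nothing to do with how ArcSight Logger or Splunk work internally). It walks a handful of constructed netfilter-style firewall lines, throws away inbound and LAN-to-LAN events and anything matching a baseline of known-good destinations, and counts what is left per source host. The LAN prefix, the baseline, the host roles and every address (RFC 1918 and RFC 5737 documentation ranges) are assumptions made up for the example; the idea is that a device like a NAS, which only has to serve the LAN, sorts to the top the moment it talks to the internet at all.

```python
"""Triage outbound firewall events: drop the expected, surface the rest."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample events in an iptables/netfilter-style syslog format.
# Addresses are RFC 1918 (LAN) and RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Mar 12 08:01:02 fw kernel: FW-FORWARD IN=br0 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.10 PROTO=UDP SPT=123 DPT=123
Mar 12 08:01:05 fw kernel: FW-FORWARD IN=br0 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.20 PROTO=TCP SPT=51234 DPT=443
Mar 12 08:01:07 fw kernel: FW-FORWARD IN=br0 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.7 PROTO=TCP SPT=49152 DPT=443
Mar 12 08:03:07 fw kernel: FW-FORWARD IN=br0 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.7 PROTO=TCP SPT=49153 DPT=443
Mar 12 08:03:09 fw kernel: FW-FORWARD IN=br0 OUT=br0 SRC=192.168.1.50 DST=192.168.1.20 PROTO=TCP SPT=40000 DPT=445
Mar 12 08:04:00 fw kernel: FW-FORWARD IN=br0 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.10 PROTO=UDP SPT=123 DPT=123
Mar 12 08:05:00 fw kernel: FW-INPUT IN=eth0 OUT= SRC=203.0.113.99 DST=192.0.2.5 PROTO=TCP SPT=4444 DPT=22
this line is not a firewall event and must be skipped
"""

# Assumed inside networks: the firewall's own LAN side.
LAN_NETWORKS = [ip_network("192.168.1.0/24")]

# Assumed baseline of known-good external (destination, port) pairs, e.g. an NTP server.
BASELINE = {("198.51.100.10", 123)}

# Assumed roles. Hosts with a "quiet" role serve the LAN and have no reason to
# initiate connections to the internet, so any outbound hit from them sorts first.
ROLES = {"192.168.1.20": "nas", "192.168.1.50": "workstation"}
QUIET_ROLES = {"nas"}

KV = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_event(line):
    """Return the KEY=VALUE fields of one firewall line, or None if it is not an event."""
    fields = dict(KV.findall(line))
    if not all(k in fields for k in ("SRC", "DST", "PROTO")):
        return None
    fields["DPT"] = int(fields.get("DPT") or 0)  # ICMP and friends carry no port
    return fields


def is_internal(addr):
    """True if the address falls inside one of our configured LAN prefixes."""
    ip = ip_address(addr)
    return any(ip in net for net in LAN_NETWORKS)


def triage(log_text, baseline=BASELINE, roles=ROLES):
    """Count outbound LAN-to-internet flows that are not in the baseline.

    Returns (src, role, dst, proto, dport, count) rows, quiet-role hosts first,
    then by descending count.
    """
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        if not is_internal(ev["SRC"]) or is_internal(ev["DST"]):
            continue  # inbound or LAN-to-LAN: not what we are hunting here
        if (ev["DST"], ev["DPT"]) in baseline:
            continue  # expected destination, suppress
        counts[(ev["SRC"], ev["DST"], ev["PROTO"], ev["DPT"])] += 1
    rows = [(src, roles.get(src, "unknown"), dst, proto, dport, n)
            for (src, dst, proto, dport), n in counts.items()]
    rows.sort(key=lambda r: (r[1] not in QUIET_ROLES, -r[5], r[0], r[2]))
    return rows


if __name__ == "__main__":
    for src, role, dst, proto, dport, n in triage(SAMPLE_LOG):
        flag = "!!" if role in QUIET_ROLES else "  "
        print(f"{flag} {src:15} ({role:11}) -> {dst:15} {proto}/{dport:<5} x{n}")
```

Run as-is it prints two rows: the NAS talking to 203.0.113.7 on 443 twice (flagged) and the workstation's one unbaselined HTTPS connection; the NTP traffic, the SMB session inside the LAN, the inbound SSH probe and the junk line never appear. The baseline is deliberately a set of (destination, port) pairs rather than bare addresses, so a known server suddenly being reached on a new port still shows up.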
If you aren’t using a good log tool, I encourage you to check out ArcSight Logger and Splunk. I haven’t played with Splunk yet, but the interface looks very similar and I’m looking forward to seeing how it matches up. If you’ve used Splunk, feel free to let me know what you think!