[syslog-ng] filtering vs. keeping all logs

Kevin Kadow kkadow at gmail.com
Fri Apr 29 22:00:04 CEST 2016


In my previous job (where I was much more active on this list), we kept
detailed URL and firewall event logs for just 4 days. Long enough to
address technical issues even on a long weekend, and no longer.

I work with some very large organizations, and even F-100 don't have the
resources to keep everything forever. There is also the concept in
certain organizations that you only retain data for as long as it is useful
and no longer, optimizing the retention policy to discard debug logs
quickly, keep "audit trail" logs for exactly 366 days for regulatory
compliance, etc.

There's also the issue of "Discovery": If you are keeping everything and
then you are sued, you need to put a freeze on the data you have and
preserve it for delivery to your adversary.  Better not to have/keep the
data in the first place if it has limited utility.

As mentioned, licensing costs definitely come into play. Some clients use
syslog-ng as a "prefilter" to discard low-value events before forwarding
(spoofing source) to Splunk or Qradar. This is particularly useful when
you have appliance-like devices with little or no ability to filter what
logs they generate and transmit.

Kevin
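The prefilter arrangement described above, written out as an added syslog-ng configuration example; it is not from the original mail or from the syslog-ng project, and the collector hostname, ports, file path and the specific "low-value" patterns are placeholders chosen for illustration:

```conf
@version: 3.7
# Added example (not from the mailing-list post): syslog-ng as a prefilter that
# drops low-value events from appliance-style senders and forwards everything
# else to a SIEM collector while preserving the original sender's IP address.
# Hostnames, ports and match patterns below are placeholders.

source s_net {
    network(ip("0.0.0.0") port(514) transport("udp"));
    network(ip("0.0.0.0") port(514) transport("tcp"));
};

# Events that consume SIEM licence volume but rarely matter in an investigation.
# Tune these to what the devices actually emit; the patterns are constructed.
filter f_lowvalue {
    level(debug)
    or (program("sshd") and message("Connection closed by"))
    or message("link is (up|down)");
};

# Events that must reach the SIEM and also be kept locally as an audit trail.
filter f_audit {
    facility(authpriv) or program("sudo");
};

# UDP is required for spoof-source(); the original sender's address is placed in
# the outgoing datagram so the SIEM attributes the event to the real device.
destination d_siem {
    network("siem-collector.example.internal" port(514)
            transport("udp") spoof-source(yes));
};

# Local copy of audit events. Retention (for example, 366 days) is enforced by
# the rotation tool, not by syslog-ng.
destination d_audit {
    file("/var/log/audit/forwarded.log");
};

# Log path 1: matched low-value events stop here. No destination and
# flags(final) means they are discarded and never reach later paths.
log {
    source(s_net);
    filter(f_lowvalue);
    flags(final);
};

# Log path 2: everything that survived the prefilter goes to the SIEM.
log {
    source(s_net);
    destination(d_siem);
};

# Log path 3: audit-relevant events additionally land in the local file.
log {
    source(s_net);
    filter(f_audit);
    destination(d_audit);
};
```

Two operational points worth checking before relying on this. spoof-source() only works on UDP destinations and only when the syslog-ng binary was built with libnet (spoofing) support, and the process needs raw-socket privilege to forge the source address; with TCP forwarding the collector sees the relay's address instead, so the SIEM then has to parse the original host out of the message header. The drop path relies on flags(final): without it the low-value events would fall through to the forwarding path, so verify the filter with a few sample events (for example with syslog-ng's `--syntax-only` check followed by a test message) rather than assuming the licence savings.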