Logs – every system has them, but companies don't usually pay much attention to them. At least not until a problem occurs. Log aggregation solutions come in handy in many scenarios – tracing production issues, alerting on service degradation, fixing bugs, forensics, fraud detection.
We've argued, however, that logs have a dual nature. On the one hand they contain data about the functioning of the system, data that is useful for developers to diagnose and fix issues. On the other hand, they are effectively an audit trail of everything that has happened.
Log collection vendors may tell you that you can use the same product for both of these natures of logs. But that has many issues:
- Differentiating events with business meaning from system/application logs. It's hard for an auditor or a business person to look through logs where 80% of the data is "we've initialized service X", "exception in service Y", "database connection pool size is approaching the configured limit", and so on, and only 20% is related to business events – "who did what".
- Investigating behaviour – application logs make it hard to drill down into the behaviour of a particular user, role or department.
- Security – typical logs lack any integrity protection: anyone with admin access to the log store can modify entries, back-date them or delete them, and nothing in the log itself reveals that this happened.
- Compliance – simply having logs is not compliant with standards and laws like ISO 27001, PCI-DSS, HIPAA and PSD2, as we've previously argued.
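To make the security point concrete, here is an added example (not code from the original post or from any of the products compared below) of the minimal integrity mechanism an audit trail needs: each entry is hashed together with the hash of the previous entry, so a verifier can detect modified, back-dated, deleted or reordered entries. The events, timestamps and the `AuditLog`/`verify_chain` names are all constructed for this illustration. It also shows the limit of a hash chain on its own: cutting entries off the end still verifies unless the latest hash has been anchored somewhere the administrator cannot alter.

```python
import copy
import hashlib
import json
from typing import Optional, Tuple

# Hash of the "entry before the first one"; every chain starts here.
GENESIS = "0" * 64


def entry_hash(prev_hash: str, timestamp: str, event: dict) -> str:
    """SHA-256 over a canonical JSON encoding of (previous hash, timestamp, event).

    Binding the previous hash into this one is what makes the chain: changing
    any earlier entry changes every hash after it.
    """
    payload = json.dumps(
        {"prev": prev_hash, "ts": timestamp, "event": event},
        sort_keys=True, separators=(",", ":"),
    )
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only list of hash-chained audit entries (hypothetical helper)."""

    def __init__(self) -> None:
        self.entries = []

    def append(self, event: dict, timestamp: str) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"ts": timestamp, "event": event, "prev": prev,
                 "hash": entry_hash(prev, timestamp, event)}
        self.entries.append(entry)
        return entry


def verify_chain(entries: list, expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (ok, index of the first entry that fails).

    With expected_head (the latest hash, stored out of the admin's reach, e.g. via
    an RFC 3161 timestamp from an independent TSA) truncation is detected too.
    """
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["prev"] != prev or entry_hash(prev, e["ts"], e["event"]) != e["hash"]:
            return False, i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        # Internally consistent, but not the chain that was anchored: truncated or rewritten.
        return False, len(entries)
    return True, None


def build_sample_log() -> AuditLog:
    """Constructed sample events; not real data."""
    log = AuditLog()
    log.append({"user": "alice", "action": "login"}, "2024-01-10T09:00:00+00:00")
    log.append({"user": "alice", "action": "export_report", "report": 42}, "2024-01-10T09:05:00+00:00")
    log.append({"user": "bob", "action": "delete_customer", "customer": 7}, "2024-01-10T09:30:00+00:00")
    return log


def tamper_scenarios() -> dict:
    """Run the verifier against the tampering an admin could attempt on a plain log file."""
    log = build_sample_log()
    head = log.entries[-1]["hash"]  # the value an operator would anchor externally
    results = {"intact": verify_chain(log.entries, head)}

    modified = copy.deepcopy(log.entries)
    modified[2]["event"]["user"] = "alice"          # pin bob's deletion on someone else
    results["modified"] = verify_chain(modified, head)

    backdated = copy.deepcopy(log.entries)
    backdated[2]["ts"] = "2024-01-09T09:30:00+00:00"  # move the event to the previous day
    results["backdated"] = verify_chain(backdated, head)

    deleted_middle = copy.deepcopy(log.entries)
    del deleted_middle[1]                           # remove the report export
    results["deleted_middle"] = verify_chain(deleted_middle, head)

    truncated = copy.deepcopy(log.entries)[:-1]     # drop the newest entry
    results["truncated_no_anchor"] = verify_chain(truncated)        # chain alone cannot see this
    results["truncated_anchored"] = verify_chain(truncated, head)   # the external anchor can
    return results


if __name__ == "__main__":
    for name, outcome in tamper_scenarios().items():
        print(f"{name:22s} ok={outcome[0]} first_bad_index={outcome[1]}")
```

Two caveats follow from the last scenario. A hash chain only makes tampering visible; an administrator who controls the whole file can simply recompute every hash, so the current head (or a periodic digest of it) has to be committed to something outside the administrator's control, such as a trusted timestamp, WORM storage or an independent system. And detection is only useful if someone actually runs the verifier, which is why this belongs in the audit trail product rather than in a script an operator might remember to run.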
Below you can find a feature comparison between LogSentinel and major log collection vendors, as well as vendors of "integrity guarantee" and compliance packages. Obviously there are many dimensions to compare on, but we believe the ones shown here are the most important when it comes to audit logs, security and compliance.
Certainly a simple table cannot represent all the complexity of the market. For example, log collection solutions claim to be PCI-DSS, ISO 27001 and HIPAA compliant, and many certification bodies do consider that acceptable. In our interpretation of the standards that is wrong and gives companies a false sense of security, which is why the table shows "Claimed" (highlighted in yellow on the original page) rather than "Yes" for those vendors.
Furthermore, products like GuardTime and Tierion aren’t necessarily audit log solutions – they can be used as such, but they are more focused on the integrity aspect, which means they lack the analytical features (they don’t usually care about the content of the logs, as long as their integrity is guaranteed).
And finally, the products listed below are not mutually exclusive. The feature comparison below is based on the “secure audit trail” use case, but log collection has a wider scope. As mentioned above, you always have applications and system logs and they are distinct from the audit logs. You can have your log collector deployment and only forward a subset of these logs to LogSentinel, thus getting the best of both worlds – secure and compliant audit trail and rich analytical capabilities for logs.
Real information security is rarely about installing a product, and almost never about the warm feeling that "fact sheets" generate, claiming compliance and endless possibilities. Information security is about a set of measures and tools, properly applied to the problem at hand. And when it comes to audit logs, we believe LogSentinel is the best tool for the job.
| Feature | LogSentinel | Loggly | Splunk | Logz.io | Oracle Audit Vault | Tierion | GuardTime |
|---|---|---|---|---|---|---|---|
| Timestamp (RFC 3161) | Yes | No | No | No | No | No | Yes |
| Easy integration | Yes | Yes | Yes | Yes | Oracle products | No | No |
| Long retention period | Yes | Archiving | Archiving | Archiving | Yes | Yes | Yes |
| Custom log parsing | Yes | Yes | Yes | Yes | No | No | No |
| Rich data analysis | Custom queries | Yes | Yes | Yes | Custom queries | No | No |
| ISO 27001 compliant | Yes | Claimed | Claimed | Claimed | Claimed | Yes | Yes |