HIPAAdvisory, Phoenix Health Systems
HIPAA/SECURE: Security Q/A
January 2003


"Security Solutions: Key Technologies and Practices"

>> Monitoring Log Files <<

by Eric Maiwald, CISSP, CTO,
Fortrex Technologies, Inc.

QUESTION: I understand that I should be monitoring the log files on my systems. What is the best way to do this?

ANSWER: Monitoring log files is indeed a good practice. Good information can be found in the event logs of servers, in firewall logs, and in intrusion detection system alerts. Unfortunately, the sheer amount of information from these sources can be overwhelming!

If your organization only has a small number of systems, it may be feasible for a member of the system administration or security staff to examine the log files manually. While this is a tedious job, it is possible when the amount of information is small. If the review is performed daily, the number of log entries that needs to be examined at each sitting stays small.

Unfortunately, it does not take many systems to create log files that will overwhelm someone who is looking at them manually. In this case, an automated tool is required. This tool can be as simple as a home-grown script that searches for certain types of log entries (error messages or denials, for example), or it can be a more complex commercial product.

Generally, what you should be looking for is something unusual. Seeing an internal system with a large number of failed login attempts or denials for file access should prompt an investigation to find out why this is happening. Likewise, a firewall log that shows an internal system trying to make connections to some external system at odd times of day may indicate a virus infection or a Trojan Horse program.

Do not expect the log file to tell you everything about the issue. You will likely have to do some additional investigation to find out exactly what is happening to cause the strange message.
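The following is an added example, not part of the original column, of the kind of home-grown script the answer describes: it scans constructed sample auth and firewall log lines (invented for this illustration; real log formats vary by product) and flags the two indicators named above, repeated failed logins and internal hosts making outbound connections during quiet hours. The thresholds, the internal address prefix and the quiet-hour window are assumptions to be tuned for your environment.

```python
import re
from collections import Counter

# Constructed sample logs (not from the original column): a syslog-style
# auth log and a simple firewall log with "src -> dst" entries.
AUTH_LOG = """\
Jan 14 09:02:11 fileserver login[412]: FAILED LOGIN for jsmith from 10.1.5.20
Jan 14 09:02:15 fileserver login[412]: FAILED LOGIN for jsmith from 10.1.5.20
Jan 14 09:02:19 fileserver login[412]: FAILED LOGIN for jsmith from 10.1.5.20
Jan 14 09:02:24 fileserver login[412]: FAILED LOGIN for jsmith from 10.1.5.20
Jan 14 09:03:02 fileserver login[412]: session opened for user jsmith
Jan 14 09:10:40 fileserver login[418]: FAILED LOGIN for root from 10.1.5.77
Jan 14 09:10:44 fileserver login[418]: FAILED LOGIN for root from 10.1.5.77
Jan 14 09:10:48 fileserver login[418]: FAILED LOGIN for root from 10.1.5.77
"""

FW_LOG = """\
2003-01-14 09:15:01 ALLOW 10.1.5.20:3341 -> 198.51.100.10:80
2003-01-14 12:30:44 DENY 10.1.5.20:3399 -> 198.51.100.10:25
2003-01-14 03:12:09 ALLOW 10.1.5.77:4432 -> 203.0.113.8:6667
2003-01-14 03:14:10 ALLOW 10.1.5.77:4433 -> 203.0.113.8:6667
"""

FAILED_RE = re.compile(r"FAILED LOGIN for \S+ from (\d+\.\d+\.\d+\.\d+)")
FW_RE = re.compile(r"^(\S+) (\d\d):\d\d:\d\d (ALLOW|DENY) "
                   r"(\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):\d+")

def failed_login_sources(log, threshold=3):
    """Return {source_ip: count} for sources with at least `threshold`
    failed logins; the threshold is an assumed, tunable value."""
    counts = Counter(m.group(1) for m in FAILED_RE.finditer(log))
    return {ip: n for ip, n in counts.items() if n >= threshold}

def odd_hour_outbound(log, internal_prefix="10.", quiet_hours=range(0, 6)):
    """Return de-duplicated (src, dst) pairs for allowed connections from
    internal hosts during quiet hours (assumed 00:00-05:59), the pattern the
    column says may indicate a virus or Trojan Horse program."""
    hits = []
    for line in log.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        hour, action, src, dst = int(m.group(2)), m.group(3), m.group(4), m.group(5)
        if action == "ALLOW" and src.startswith(internal_prefix) and hour in quiet_hours:
            if (src, dst) not in hits:
                hits.append((src, dst))
    return hits

if __name__ == "__main__":
    print("Repeated failed logins:", failed_login_sources(AUTH_LOG))
    print("Odd-hour outbound connections:", odd_hour_outbound(FW_LOG))
```

As the column notes, each hit is only a lead: the script tells you which host to look at, not what is happening on it.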


Eric Maiwald, CISSP, is Chief Technology Officer of Fortrex Technologies, which provides information security management, and process and monitoring services for healthcare organizations and other industries. www.fortrex.com