What is log management?

Log management is the management of log records of a computer system. Specifically, it involves the need to manage the chronological recording of activities within an IT infrastructure consisting of various sources such as files, servers, machines, nodes, devices, etc. for inspection, security, and privacy protection purposes.

In the field of computer science, logs (or audit logs) are chronological records of activities relevant to the security of a system. They are generated by properly configured individual systems (operating, application, network devices, databases, etc.). Logs can be of various types (e.g. access logs) and, depending on their content, can allow one to “identify who does what and when.”
Two different activities can be derived from logs:

• – System monitoring consisting of log collection, log monitoring, and log analysis
• – SIEM (Security information and event monitoring).

System monitoring: log collection, log monitoring, and log analysis

System Monitoring is nothing more than the monitoring and control of an organization’s IT infrastructure. It consists of a series of activities such as log collection, log monitoring, and log analysis.

Log collection is the collection and centralization of logs from one or more different sources of origin. In our specific case (Italy), it is necessary for these logs to be collected in a way that they are immutable and viewable at any time, for reasons that we will see later.

Log monitoring is the continuous observation of logs as they are generated. Log monitoring software can trigger alarms if they notice anomalies in the content of logs. Recording and observation alone are not sufficient; it often becomes necessary to analyse logs to understand any irregularities committed in the past or potential dangers on the horizon.

Lon analysis is the part of log management that focuses on giving logs greater significance than regulatory requirements. Log monitoring and analysis interact with each other to ensure that applications work best and to determine how security systems and policies can be improved.

Log analysis also helps identify ways to make IT infrastructure environments more predictable, efficient, and resilient. Finally, it provides continuous value to businesses by providing a window into existing issues, inspection functions on past activities, and forecasting future threats.

SIEM (Security Information and Event Management)

SIEM (Security Information and Event Management) is a cybersecurity solution that helps organizations recognize potential threats and vulnerabilities to their IT infrastructure before they occur. We can see it as a branch that leverages logs produced by various IT systems in a way superior to log management. It uses artificial intelligence to automate many of the manual processes associated with threat recognition, incident response, and user behaviour analysis to predict impending threats to the IT infrastructure.

Why is log management necessary?

It all stems from a regulatory requirement by the Privacy Guarantor. With a 2008 law (yes, it’s been a long time), public and private data controllers are required to comply with a series of organizational and technical-informatic obligations regarding the management of system administrators:

• Identification, written appointment, and keeping an updated list of system administrators;
• Obligation to acquire and retain access logs of system administrators for at least 6 months, with methods that ensure completeness, immutability, and integrity.
• Annual verification of the work of system administrators through log analysis.

All of this is because system administrators, by managing the IT infrastructure, also have access to personal data of users within the network. Hence, the Privacy Guarantor’s desire to monitor their activities to protect people’s privacy.

What are the consequences of improper log management?

Sanctions, both administrative and criminal. Firstly, Article 58 of the GDPR can partially or completely prevent the processing of personal data by the subject to be punished (not being able to perform the processing means you can no longer request personal information from anyone). Subsequently, Article 83 establishes a maximum ceiling of €20,000,000 or 4% of the total annual worldwide turnover of the previous year, in the case of companies.

Criminal liabilities, on the other hand, are linked to cases under Articles 167 (unlawful processing of data), 168 (false statements to the Guarantor), and 169 (failure to comply with Guarantor’s provisions). For these, the material author of the damage is liable, and in some cases, the data controller is also held responsible.

How are the Privacy Guarantor and GDPR related to log management?

We have discussed both the Privacy Guarantor and the GDPR. The Privacy Guarantor was the first to move in the field of personal data protection and to explicitly establish some mandatory rules on system administrators’ access. The GDPR, which originates from European regulations, integrates the Guarantor’s regulations on the subject, requiring greater quality control.

In reality, the GDPR regulations and the Guarantor’s rules are not the only ones, there are many national and international ones related to data security and privacy that require log management: SPID (AGID – 2015), Minimum Measures for PA (AGID – 2017), etc.

Why is log management useful regardless of regulations?

IT security and control of the IT infrastructure. The number of attacks on corporate networks increases every year, and the average costs associated with each attack also increase. Most threats come from within (weak accounts or disgruntled employees). Therefore, it is essential to have prevention and control systems in place. Among the control systems, log management allows you to keep track of internal user activity and prevent external threats in certain cases.

Do you want to learn more about logs and log management? Fill out the form below.