Tips and Trends on Database Log Management

InfoManagement Direct, December 14, 2007

Anton Chuvakin

Why Database Logs Fall In the Realm of Database Security

 

Buried deep within enterprise IT infrastructures, databases can be said to hold the “crown jewels” of an organization. Unfortunately, database security is often lacking, leaving sensitive, business-critical information such as customer data, financial details and more vulnerable to hackers. Department of VA, TJ Maxx, TD Ameritrade – these are just a few of the many organizations that have driven the media wild over data security breaches in the last year.


Database administrators (DBAs) are commonly assigned the task of database security, but this is an issue that should be of utmost importance to any business that wants to stay in business. TJ Maxx reported at least 45.7 million credit and debit card numbers stolen over a period of several years, costing the company an estimated $168 million.¹ Proper security measures may not have stopped the initial hack-in, but the continued data theft could have been avoided through careful log collection and analysis. This article will not only discuss the importance, challenges and benefits of database logging, but will also offer a few forward-looking trends in managing your database logs.

 

About Logs and Database Logging

 

Databases are now becoming one of the most voluminous log generators in the enterprise – rivaling firewalls for the top spot. Most databases (e.g., Oracle, Microsoft SQL Server, IBM DB2, MySQL) will log system starts, stops and restarts by default, but database logging isn’t merely about keeping the system running, particularly when your databases contain sensitive, private information. Security and compliance requirements must therefore be considered when configuring your database and managing your logs. In fact, regulations such as PCI, HIPAA, and FISMA all mandate log monitoring, with Sarbanes-Oxley strongly recommending it as a best practice.

 

Database logging thereby becomes an essential (and required) component of database security – and it makes sense to not only focus on “keeping the bad guys out,” but also to take a “what’s going on in here?” approach. After all, you may not know who the “bad guys” are. Logs can provide a continuous fingerprint of everything that happens in your IT systems and with your data and will point you to the “who, what, when, where” information of any breach – whether the malicious behavior comes from outside hackers, a disgruntled employee or another source.

 

Database security is a task often assigned to DBAs, not because they’re security experts, but because they know the ins and outs of databases. When logging is configured properly, databases may produce an overwhelming volume of log data, perhaps up to gigabytes per day. Typical database log events may include:

 

  • User logins and logouts;
  • Database system starts, stops and restarts;
  • Various system failures and errors;
  • User privilege changes;
  • Database structure (metadata) changes;
  • Most other DBA actions; and
  • Select or all database data access (if configured to be so).
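
As an added illustration (not part of the original article), the Python below normalizes audit records into the “who, what, when, where” fields, assigns each to one of the event categories listed above, and flags a login that follows repeated failures as well as privilege and structure changes. The key=value record format, the action names, the failure threshold and the sample records are all assumptions constructed for this example; each real database product writes its own audit format.

```python
import re
from collections import Counter
# Hypothetical key=value audit format (assumption); each real database has its own.
CATEGORIES = {a: c for c, acts in {
    "login/logout": "LOGIN LOGOUT", "start/stop": "STARTUP SHUTDOWN RESTART",
    "failure/error": "ERROR", "privilege change": "GRANT REVOKE",
    "structure change": "CREATE ALTER DROP", "data access": "SELECT",
}.items() for a in acts.split()}
# Constructed sample records, not taken from any real system.
SAMPLE_LOG = """\
2007-12-01T02:14:01Z host=db01 user=webapp src=10.0.0.5 action=LOGIN status=FAIL
2007-12-01T02:14:03Z host=db01 user=webapp src=10.0.0.5 action=LOGIN status=FAIL
2007-12-01T02:14:06Z host=db01 user=webapp src=10.0.0.5 action=LOGIN status=FAIL
2007-12-01T02:14:09Z host=db01 user=webapp src=10.0.0.5 action=LOGIN status=OK
2007-12-01T02:15:30Z host=db01 user=webapp src=10.0.0.5 action=GRANT status=OK
2007-12-01T08:00:00Z host=db01 user=dba_kim src=10.0.0.9 action=ALTER status=OK
this line is corrupt and must be skipped
"""
LINE_RE = re.compile(r"^(?P<when>\S+Z)\s+(?P<kv>.+)$")

def parse(text):
    """Normalize each record to who/what/when/where plus a category."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        kv = dict(p.split("=", 1) for p in m["kv"].split() if "=" in p) if m else {}
        if not {"user", "action", "host", "src", "status"} <= kv.keys():
            continue  # malformed record: skip rather than guess
        events.append({"when": m["when"], "who": kv["user"], "what": kv["action"],
                       "where": f'{kv["src"]}->{kv["host"]}', "status": kv["status"],
                       "category": CATEGORIES.get(kv["action"], "other")})
    return events

def review(events, fail_threshold=3):
    """Flag logins that follow repeated failures, and privilege/structure changes."""
    findings, fails = [], Counter()
    for e in events:
        key = (e["who"], e["where"])
        if e["what"] == "LOGIN" and e["status"] == "FAIL":
            fails[key] += 1
        elif e["what"] == "LOGIN":
            if fails[key] >= fail_threshold:
                findings.append(("login after repeated failures", e["who"], e["when"]))
            fails[key] = 0  # a successful login resets the streak
        elif e["category"] in ("privilege change", "structure change"):
            findings.append((e["category"], e["who"], e["when"]))
    return findings

if __name__ == "__main__":
    print(*review(parse(SAMPLE_LOG)), sep="\n")
```
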

As we know, hackers are always looking for new ways to break through security barriers to access your sensitive information, and all preventative security measures fail at some point. Because you cannot guard against every malicious hacker, logs will at least allow you to detect such security breaches and to work out how they were carried out during the incident investigation. At a minimum, logs must be collected and archived, but log analysis makes the data significantly more useful. In more explicit terms, log monitoring and management should include:
