The Logging and Reporting Architecture Design
The Logging and Reporting Architecture Design is the design specifications for the logging, monitoring, and reporting infrastructure
Below is my checklist that I use for my logging and reporting architecture design of the solution architecture
Understand the client’s current logging and reporting architecture.
· Interview the security manager and system administrators to determine what logging and monitoring is currently in place.
· Review current capabilities by examining network diagrams and infrastructure components in the Technical Infrastructure Assessment and Technical Infrastructure Requirements or by touring the site.
· Document all critical servers, including network appliances, routers, switches, and intrusion detection systems, where logging should be enabled. Pay particular attention to critical, externally accessible devices and servers.
2. Develop the business management requirements for logging and reporting.
· Interview the project sponsor or the CIO to determine the business goals of the project.
· From these interviews, determine what servers and infrastructure devices are critical to operations.
3. Interview user groups to determine their logging and reporting requirements, such as bandwidth, performance, reliability, scalability, security, and performance. User groups include telecommunications, applications, network, human resources, accounting, internal audit, and legal.
4. Define system capabilities, dependencies, and assumptions based on the management and user requirements. Use the Security Web Sites tool to include security-related web sites in your research.
5. Develop the system operating environment for the logging and reporting architecture.
· Document the operational policies, operational constraints, existing operational environment, existing support environment, and constraints on design and implementation.
· Verify that attempts to modify this information are logged and trigger an alarm that shows source and destination IP addresses, protocol type, time and date, data (size and packet details), and activity. Keep records for 1 year unless otherwise instructed by legal counsel.
· Verify that these events trigger alerts: unauthorized scanning or probing of networks, malicious code presence, unauthorized attempts to access services (whether in use or not), changes to files without change request approval, large increase of traffic, loss of connection to any of the servers within the production environment, and loss of connectivity.
· Review the architecture with the security manager or system administrator who will have ownership of the reporting system.
6. Document the system users, including personnel profiles, organizational structure, personnel interaction, personnel activities, and documentation. This information is required for selecting triggers and alerts.
7. Work with the project manager, security manager, and system administrators to document the process flow for the logging and reporting infrastructure.
· Define the processes.
· Create process models to illustrate the flow and sequence of operations; for example, a Visio diagram showing servers that have logs, how the logs are transferred to the central server, and how the reporting server transmits alerts and notifications.
8. Document the system definitions for the logging and reporting architecture.
· Include operation modes and states of the architecture, the system functions and their relationships, and configuration allocation for hardware, software, facilities, and system interfaces.
· See vendor hardware and software data to understand the implications of client requirements.
9. Meet with the client to determine the performance requirements of the logging and reporting architecture, such as physical locations, constraints, hardware and software performance, support requirements, safety requirements, the size of the log files, and the frequency of log traffic.
10. Develop quality assurance plans for the design.
· Develop requirements for the testing environment that will be used to verify the design requirements and constraints. Include a network diagram of any testing equipment you will use.
· Document the configuration of your testing environment with an example of each type of log or report, such as checkpoint firewall logs, UNIX syslogs, router and switch logs, and Windows event logs. Describe the architecture of each central logging server that will be used.
· Document the results of your tests. List each criterion and develop a test to confirm it. For example, validate that each device can communicate with the central logging server, validate that the logging server can receive traffic, and ensure that the logging server can communicate to a reporting server or a third-party monitoring system.