When formulating a log retrieval policy, carry out the following steps and document the resulting policy.
To make clear what the logs are retrieved for, define the purpose of retrieval.
Examples of the purpose include "to use for investigation in the event of unauthorized access" and "to submit to investigating authorities as evidence if any issues arise".
In order to retrieve the appropriate logs, list the types of logs that the target system can produce, and decide which of them to retrieve.
Examples of log types are "operating system logs", "application run logs", and "database audit logs".
In order to decide which accesses to the log retrieval targets should be recorded, organize the kinds of access that take place.
For example, the following kinds of access can be recorded:
Access related to important information
    Access to personal information, confidential information, and database management information
    Access outside of business hours
    Login
    Specific SQL
Access suspected to be unauthorized
    Large amount of search access
    Access from different locations
    Access outside of business hours
In order to make effective use of the retrieved logs, organize the content that each log record needs to contain, and decide on the content to retrieve.
For example, the following output content is possible:
    When (time)
    Who (database account, application user)
    What (object ID, table name)
    Where from (machine name, IP address)
    How (SQL type, SQL statement)
    Execution result (success/fail)
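As an added illustration (not part of the original guideline), the following Python code shows how records carrying the "when / who / what / where from / how / result" fields above can be checked against the access categories listed earlier (important information, off-hours access, login, bulk search, unusual source location). The record layout, the sensitive-object list, the business hours, the bulk threshold, the per-account usual source addresses and the sample log lines are all assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime

# Record shaped after the page's "when / who / what / where from / how / result" fields.
# The rows field is an assumption: it lets "large amount of search access" be checked.
@dataclass
class AuditRecord:
    when: datetime
    who: str          # database account or application user
    what: str         # table name or object ID
    where_from: str   # client IP address or machine name
    how: str          # SQL type: SELECT, UPDATE, LOGIN, ...
    result: str       # success or fail
    rows: int         # rows returned or affected

# Assumed policy parameters; a real policy sets these per system.
SENSITIVE_OBJECTS = {"customers", "salaries"}
BUSINESS_HOURS = range(9, 18)             # 09:00-17:59 local time
BULK_SEARCH_ROWS = 10_000
USUAL_SOURCES = {"app_user": {"10.0.1.5"}, "dba": {"10.0.9.10"}}

def parse_record(line: str) -> AuditRecord:
    """Parse one pipe-delimited line: when|who|what|from|how|result|rows."""
    when, who, what, where_from, how, result, rows = line.strip().split("|")
    return AuditRecord(datetime.fromisoformat(when), who, what, where_from, how, result, int(rows))

def classify(rec: AuditRecord) -> list[str]:
    """Return the policy categories from the page that this record falls under."""
    tags = []
    if rec.what in SENSITIVE_OBJECTS:
        tags.append("important:sensitive-data")
    if rec.how == "LOGIN":
        tags.append("important:login")
    if rec.when.hour not in BUSINESS_HOURS:
        tags.append("important:off-hours")
    if rec.how == "SELECT" and rec.rows >= BULK_SEARCH_ROWS:
        tags.append("suspicious:bulk-search")
    known = USUAL_SOURCES.get(rec.who)
    if known is not None and rec.where_from not in known:
        tags.append("suspicious:unusual-location")
    return tags

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2024-03-04T10:15:00|app_user|orders|10.0.1.5|SELECT|success|120
2024-03-04T02:40:00|dba|salaries|198.51.100.7|SELECT|success|25000
2024-03-04T09:01:00|dba|-|10.0.9.10|LOGIN|fail|0
"""

def review(log_text: str) -> dict[str, list[str]]:
    """Map each log line to its categories; an empty list means routine access."""
    return {line: classify(parse_record(line)) for line in log_text.splitlines() if line}

if __name__ == "__main__":
    for line, tags in review(SAMPLE_LOG).items():
        print(tags or "routine", line)
```

Records that fall under no category still need to be retrieved and retained under the maintenance policy; the categories only mark which records the review purpose calls for first.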
In order to use the logs for their intended purpose, formulate a log maintenance policy.
For each log, define its storage location, storage medium, retention period, access control, and so on.