Deploying LogZilla in a PCI/NIST Environment

  • 25 March 2018

Customer Story: Deploying LogZilla in a PCI/NIST Environment

Note: This case study was submitted by a customer. The opinions and views expressed herein are the opinions of the designated author(s) and may not reflect the opinions or views of LogZilla Corp. or the opinions or views of any other individual.

Over the past several years our IT infrastructure has undergone many PCI-DSS (Payment Card Industry Data Security Standard) driven changes. Mainframe and Mini Computers are being replaced more and more by Linux-based systems. System Logging (syslog) and the procedure of archiving every system/application based transaction log is shifting from a localized diminutive archive process to a centralized global client server topology.

  • Single Host with Individual Services Running
  • All Data Collected On the Local Server
  • Decentralized Management Consoles

The first step for us in centralized logging, was to standardize on a common core of Operating Systems. All Linux systems for Production and Infrastructure have been converted to two standard distributions, Debian and CentOs. All administrative and operational functions have been documented and combined in an Installation Guide.

All System installations follow strict guidelines, including the use of Balabit’s syslog-ng on every system. Logging activity is started on the standard ports udp/514 as well as tcp/514. All local system logs are sent to a centrally located, primary logging server. This central server has a larger storage capacity than the local syslog-ng clients and holds up to 15 months of archived syslog information.

  • All Hosts Running Syslog-ng As A Client
  • All Data Sent To A Remote Server
  • One Centralized Management Console

PCI Compliance requires that these data structures be secured and that all access violations be recorded and reported. As a result of this PCI-DSS requirement, security and the hardening of the centralized syslog-ng server is a must. Security Guidelines are also a central part of the Installation Guidelines and shall be followed to keep the overall setup integrity. Archived syslog data is also the main source for finding problems and forensic investigations. The system and security administrator must have access to this data to ensure adequate and secure data security standards.

The best way to satisfy the need to access this secure data is to setup a secondary syslog-ng server. This method provides a mirrored copy of all data generated from subordinate systems. Syslog-ng has an option in its configuration which allows the mirrored data to appear to come from the originating host allowing analysis on that data to be performed as though it were local to the systems generating the event. Additionally, the filtering tools available in syslog-ng may be used to split or merge this large amount of data (a.k.a. “Big Data”), depending on your needs.

  • All Hosts Running Syslog-ng as A Client
  • All Data Sent to A Central Secure Server
  • Remote Secure Server Forwards Mirrored Copy of All Data to Syslog Analyzer

Summary

LogZilla is slim and fast. By far, the easiest to install, and the simple administration is a huge plus. LogZilla has eased and made this massive undertaking a breeze for us. Menus are easy to understand and quick to find. Administration of LogZilla is integrated within these menus and after a quick how-to using the online documentation, admin is quiet an easy task. Technical support is one of the best we have ever encountered; they are quick to respond to all customer needs. LogZilla requires a License in order to be used beyond the initial testing phase (in large environments), but you can fine tune your needs using a fully-functional demo version free of charge. The cost was far less than every other tool we tested, especially after factoring in the cost of hardware needed to run the other tools vs. LogZilla.