Standard:
YALE-MSS-13.1: Ensure logging contains information required for incident response
YALE-MSS-13.1.3: Ensure adequate space to log data. Logs should be kept for a minimum of 90 days.
Details
Often, incidents are not detected immediately; detection can lag by hours or days. Having sufficient logs available to investigate the incident allows Yale to properly assess what happened rather than being forced to assume it.
Logs are essential for properly scoping the investigation of an incident.
Measure your log volume and be able to accommodate it.
Do you know where your logs are going to be stored?
Have you done capacity sizing and planning at a storage location?
Is there any monitoring in place to let you know if you are running out of space?
Have you checked after 60 days whether automatic log rotation or pruning is removing logs sooner than the 90-day minimum?
Do you have the volume of logs you were expecting? Too many? Too few?
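The capacity-sizing and retention checks above, as an added example that is not part of the Yale standard: given the size and age of each file in a log directory (constructed sample data below, modelled on daily rotation), it estimates the daily ingest rate, projects the space needed to hold 90 days with an assumed 25% headroom, compares that with free space, and flags the case where rotation or pruning has quietly cut retention short. The LogFile type, the HEADROOM factor and the function names are this example's own assumptions.

```python
"""Log capacity and retention check against a 90-day minimum (added example)."""
from dataclasses import dataclass

RETENTION_DAYS = 90   # minimum required by YALE-MSS-13.1.3
HEADROOM = 1.25       # assumed 25% safety margin for bursts and growth


@dataclass
class LogFile:
    name: str
    size_bytes: int
    age_days: int     # whole days since last modification (0 = today's file)


def days_covered(files):
    """Days of history on disk: the oldest file's age plus today's (day-0) file."""
    return max((f.age_days for f in files), default=-1) + 1


def daily_rate(files):
    """Average bytes written per day over the span the surviving logs cover."""
    covered = days_covered(files)
    return sum(f.size_bytes for f in files) / covered if covered else 0.0


def assess(files, free_bytes, retention_days=RETENTION_DAYS):
    """Return findings: projected need, whether space suffices, and whether
    the history actually on disk reaches the retention target."""
    held = sum(f.size_bytes for f in files)
    rate = daily_rate(files)
    needed = rate * retention_days * HEADROOM
    return {
        "daily_rate_bytes": rate,
        "needed_bytes": needed,
        "space_ok": free_bytes + held >= needed,   # current logs count toward capacity
        "days_covered": days_covered(files),
        "retention_ok": days_covered(files) >= retention_days,
    }


if __name__ == "__main__":
    MiB = 2 ** 20
    # Constructed sample: 100 MiB/day, but an unnoticed pruning policy keeps only 60 days.
    pruned = [LogFile(f"app.log.{i}", 100 * MiB, i) for i in range(60)]
    for key, value in assess(pruned, free_bytes=3000 * MiB).items():
        print(f"{key}: {value}")
```

A failing `retention_ok` with a healthy `space_ok` means logs are being removed by policy rather than by lack of space, which is the condition the 60-day check is meant to catch.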