S 3.89 Training on the administration of the logging function

Initiation responsibility: Supervisor, IT Security Officer

Implementation responsibility: IT Security Officer, Supervisor

To make the best use of all functions and security features of the logging function, it is important to train the administrators accordingly. The training courses should convey information about the configuration and operation of the components of a logging server, as well as knowledge about their administration. This also includes manufacturer-specific aspects of the individual products used in the company for logging purposes.

Along with the general operating system security aspects, as described in S 3.2 Servers in Unix or S 3.8 Windows Server 2003, for example, the following items are important:

Knowledge about possible attack scenarios may also be conveyed so that the log files can be analysed carefully. Additionally, it is advisable to convey the basic principles of intrusion detection / intrusion prevention systems (IDS/IPS). Moreover, this training course should also address topics such as a centralised logging server and data protection aspects (see also S 2.110 Data protection guidelines for logging procedures). When IT components are purchased, a budget should already be planned for the training programmes, and a training concept should be drawn up for administrators.

Review questions: