Linda Musthaler's CIO-level look at the latest networking technologies and their benefits and pitfalls.
Each time I talk to a vendor with a log management (LM) or Security Information and Event Management (SIEM) product, I hear about the wonderful things that can be done with the nuggets of valuable information generated by computing device logs. For example, you could use your correlated log data to alert you when a specific employee uses his lunch break to download vast quantities of data – an activity that doesn’t have a legitimate business need. Or, your year-old log data could be forensically analyzed to help determine the obscure cause of a mysterious data breach you suspect may have occurred seven months ago.
I don’t doubt that those use cases are possible, and certainly they are highly desirable. However, I think it’s a bit ambitious for LM/SIEM vendors to believe that a majority of their customers are at that stage of implementation maturity. I suspect that many users of log management tools are still taking baby steps to figure out their possible use cases for this powerful weapon.
The SANS Institute is currently running a survey designed to help clear up some of those suspicions. For the fifth consecutive year, SANS is running its detailed Log Management Survey during the month of January – and you are encouraged to participate!
With four years of historical data to compare to, this survey has become an authoritative source for understanding the current state of log management needs and uses. It reflects how companies really use their LM systems, as opposed to how they would like them to be used. (Not surprisingly, most companies would like to have the real-time security alerts and the forensics capabilities, but they just haven’t progressed that far on the usage scale.)
The 2008 edition of the survey (read the analysis report) showed that most survey respondents are still in the early stages of realizing the full value of their log data. More than three-fourths of the respondents said their reason for collecting log data was “detection and analysis of security and performance incidents.” However, they also acknowledged that log data could benefit their organizations through information asset protection, system maintenance, regulatory compliance, and – lower on the list – forensics.
Respondents in 2008 expressed some of their pain points with their current log management systems. “Collecting data” ranks as the top issue, followed closely by “searching data” and “reporting.” This shows that issues related to collecting log data are still preventing companies from realizing more benefits from their tools. The amount of data coming in, from various sources and in disparate formats, presents a challenge to collecting and correlating the data. Clearly there is a need for formal standards for log data across all types of devices.
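The two points above, the "lunch-break bulk download" correlation use case and the difficulty of correlating logs that arrive in disparate formats, can be shown together in a small script. This is an added example, not code from the column or from SANS: both log formats are constructed for illustration (a syslog-style proxy line and a CSV file-server audit line), the normalizing parsers and the `lunch_download_alerts` rule are assumptions of this example, and the 500 MiB threshold and the 12:00-13:00 lunch window are arbitrary values a real deployment would tune.

```python
import re
from collections import defaultdict
from datetime import datetime, time

# Format A (constructed): syslog-style line from a web proxy.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \S+ proxy\[\d+\]: "
    r"user=(?P<user>\S+) action=GET bytes=(?P<bytes>\d+) url=(?P<url>\S+)$"
)


def parse_syslog(line):
    """Normalize a proxy line into the common event schema, or None if it does not match."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "user": m["user"],
            "bytes": int(m["bytes"]), "source": "proxy", "object": m["url"]}


def parse_csv(line):
    """Normalize a file-server audit line (constructed CSV: timestamp,user,operation,path,bytes)."""
    parts = line.strip().split(",")
    if len(parts) != 5 or parts[2] != "READ":   # only reads count as downloads
        return None
    ts, user, _, path, size = parts
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "user": user,
            "bytes": int(size), "source": "fileserver", "object": path}


def normalize(lines):
    """Collect events from mixed-format input into one schema; unparseable lines are skipped."""
    events = []
    for line in lines:
        ev = parse_syslog(line) or parse_csv(line)
        if ev is not None:
            events.append(ev)
    return events


# Assumed policy values for the example rule.
LUNCH_START, LUNCH_END = time(12, 0), time(13, 0)
THRESHOLD_BYTES = 500 * 1024 * 1024  # 500 MiB


def lunch_download_alerts(events, threshold=THRESHOLD_BYTES):
    """Correlate per-user download volume across sources during the lunch window.

    Returns a sorted list of (user, date, total_bytes) for users over the threshold.
    """
    totals = defaultdict(int)
    for ev in events:
        if LUNCH_START <= ev["ts"].time() < LUNCH_END:
            totals[(ev["user"], ev["ts"].date())] += ev["bytes"]
    return sorted((user, str(day), total)
                  for (user, day), total in totals.items() if total >= threshold)


# Constructed sample input: alice crosses the threshold only when proxy and
# file-server volumes are combined; bob downloads more but outside the window.
SAMPLE_LINES = [
    "2009-01-14T12:15:03 gw1 proxy[2231]: user=alice action=GET bytes=314572800 url=http://example.com/big.zip",
    "2009-01-14 12:40:10,alice,READ,/share/finance/archive.tar,262144000",
    "2009-01-14T10:02:44 gw1 proxy[2231]: user=bob action=GET bytes=629145600 url=http://example.com/iso.img",
    "2009-01-14 12:20:00,carol,READ,/share/hr/handbook.pdf,104857600",
    "2009-01-14 12:25:00,carol,WRITE,/share/hr/notes.txt,2048",
    "this line is in a format nobody has written a parser for yet",
]

if __name__ == "__main__":
    for user, day, total in lunch_download_alerts(normalize(SAMPLE_LINES)):
        print(f"ALERT {day}: {user} downloaded {total / 2**20:.0f} MiB during lunch")
```

The rule only fires for alice once the proxy and file-server records are reduced to the same schema, which is the practical reason the "collecting data" pain point sits above "searching" and "reporting" in the survey: without normalization there is nothing to correlate, and the final line shows how an unknown format silently drops out of the analysis.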
Linda Musthaler is a principal analyst with Essential Solutions Corporation.