U of Tennessee finds 'bonus benefits' in log management
Log management can help with security and compliance
IT Best Practices Alert
By Linda Musthaler, Network World, 01/19/2009
Linda Musthaler's CIO-level look at the latest networking technologies and their benefits and pitfalls.
In last week's newsletter I told you about a survey on log management uses that SANS Institute is running this month. SANS wants to know how organizations
are making use of device logs in order to help vendors shape and improve their solution sets. You still have time to contribute your information to the survey during the month of January. Results will be published in April.
Meanwhile, I recently talked with James Perry, the Information Security Officer at the University of Tennessee, about his use
of log management. His department has been using ArcSight Logger since July 2008, and he’s still finding interesting use cases.
Here’s a look at some of them and how his organization is benefiting from log management.
In many ways, a university environment is much more complex than a corporate environment. Perry’s team has responsibility
for security and operations at five campuses. He says they act almost like an ISP because they can’t dictate what products,
technologies and applications are used by students, professors and campus departments. For a university network manager, there’s
a strong need to balance student freedom with network security.
At the same time, the environment can’t be a free-for-all. The university network serves 159 merchants such as bookstores,
coffee shops and other sales operations. This means there is a requirement for PCI compliance. Two of the campuses work with
medical data. That means HIPAA compliance. There’s financial data, meaning GLBA compliance, and so on. As you can see, the
need to log and monitor all activities for compliance purposes was a big driving factor in the university acquiring a log
management product. What’s more, like most organizations today, the university is experiencing budget cuts, so Perry was forced
to improve security and operations with fewer resources. Log management has helped to achieve the latter objective as well.
Perry’s team selected ArcSight Logger as their tool for two reasons. First of all, they were already using the ArcSight SIEM Platform to collect filtered
security event information. Using the log management product from ArcSight meant that the two tools could easily use the same
data for different purposes. Second, ArcSight Logger allows the university to collect data from many different types and brands
of devices, bring it together in one place and normalize it for detailed reporting and alerting mechanisms. He calls ArcSight
Logger “a Syslog-type tool on steroids.”
Linda Musthaler is a principal analyst with Essential Solutions Corporation.
Comments (2)
Arcsight is really Expensive
By Anonymous on January 23, 2009, 10:01 am
Our RSA Envision cost us 2/3 of what a comparable Arcsight installation would be...
ArcSight expenses
By Anon on January 24, 2009, 7:51 pm
They are hideously expensive compared to other solutions. Logger is still way behind other similar products in functionality. They price so high because Gartner...