The answers actually depend on what is used and how in your environment.
* You can send logs from a server e.g. using syslog ("push") and thus it would be (near) real-time collection. For Windows, e.g. QRadar supports collection using MSRPC, and that would be a "pull" method, but collection takes place by default every 10s (so, very close to the push method). There could be a case that some systems/apps generate logs in a log file, which could be pulled e.g. every hour - so this would be an example of something according to a set schedule. So, you would need to go through your list of log sources and provide this record to your auditor. Also, info about log sources that were not active for some time could be something you would get additional questions about.
* To be able to generate the log when the logs are cleared on a system, you need to set the auditing properly so this event is also recorded. Your auditor will ask for proof of how auditing is configured on your systems. In the case of Windows you would search for event 1102 (Audit log was cleared), and this event would be logged whenever the Security log is cleared - regardless of the Audit System Events audit policy status.
------------------------------
Dusan VIDOVIC
------------------------------
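As an added illustration of the two points in the reply above (this is example code written for this thread, not code from QRadar or from the original poster), the script below runs two simple checks over a handful of constructed event records in the normalized shape a SIEM holds after collection: it pulls out Windows Security event 1102 (audit log cleared) together with the account that cleared it, and it lists log sources that have gone quiet for longer than a chosen number of days, which is the "inactive log source" record an auditor may ask about. The field names (`host`, `event_id`, `time`, `subject`) and the sample hosts are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real data): the minimal normalized form a SIEM
# might store after collection. Field names are assumptions for this example.
SAMPLE_EVENTS = [
    {"host": "srv-dc01", "event_id": 4624, "time": "2021-04-22T10:00:00",
     "msg": "An account was successfully logged on", "subject": "CONTOSO\\svc-backup"},
    {"host": "srv-dc01", "event_id": 1102, "time": "2021-04-22T10:05:00",
     "msg": "The audit log was cleared", "subject": "CONTOSO\\jdoe"},
    {"host": "srv-app01", "event_id": 4688, "time": "2021-04-21T09:00:00",
     "msg": "A new process has been created", "subject": "CONTOSO\\svc-app"},
    {"host": "srv-file01", "event_id": 4663, "time": "2021-04-10T08:00:00",
     "msg": "An attempt was made to access an object", "subject": "CONTOSO\\alice"},
]

# Event 1102 is written to the Security log whenever that log is cleared, and its
# Subject fields carry the account that cleared it. (Clearing of the other Windows
# event logs is recorded as event 104 in the System log.)
LOG_CLEARED_EVENT_IDS = {1102, 104}


def find_log_cleared(events):
    """Return (host, time, subject) for every 'log cleared' event.

    This is the evidence to show an auditor when asked whether clearing a
    server log is captured by the SIEM.
    """
    return [
        (e["host"], e["time"], e.get("subject", "<unknown>"))
        for e in events
        if e["event_id"] in LOG_CLEARED_EVENT_IDS
    ]


def inactive_sources(events, now_iso, max_silence_days=7):
    """Return hosts whose most recent event is older than max_silence_days.

    A source that stops sending may be a broken collector, a decommissioned
    server, or tampering; either way it needs an explanation in the audit record.
    """
    now = datetime.fromisoformat(now_iso)
    last_seen = {}
    for e in events:
        t = datetime.fromisoformat(e["time"])
        if e["host"] not in last_seen or t > last_seen[e["host"]]:
            last_seen[e["host"]] = t
    limit = timedelta(days=max_silence_days)
    return sorted(h for h, t in last_seen.items() if now - t > limit)


if __name__ == "__main__":
    for host, when, who in find_log_cleared(SAMPLE_EVENTS):
        print(f"log cleared on {host} at {when} by {who}")
    for host in inactive_sources(SAMPLE_EVENTS, "2021-04-22T12:00:00"):
        print(f"no events from {host} in the last 7 days")
```

In a real deployment the list of events would come from the SIEM's search API rather than an inline list, but the two checks stay the same: one search for the "log cleared" event IDs, and one "last event seen per log source" report compared against the collection schedule recorded for that source.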
Original Message:
Sent: Thu April 22, 2021 11:43 AM
From: Asif Siddiqui
Subject: ISO 27001 Auditor Questions
Hi All,
I need answers to the two questions below, asked by the ISO 27001 auditor. I need a detailed understanding first before I send my response to the auditor.
- How are server logs sent to SIEM? Is it a scheduled task or pulled from the system or another format/process?
- If an administrator clears a server log is this information collected and can we demonstrate this?
Could you please assist with the below on an immediate basis.
Regards
Asif Siddiqui
------------------------------
Asif Siddiqui Senior Security Analyst
------------------------------