When it comes to audits of your VDI environment, the best defense is a good offense. If you do your due diligence and plan log file monitoring properly, you'll be able to troubleshoot problems more easily and you'll be fully prepared for an audit.
Proper preparation and planning can turn the task of log file monitoring into an opportunity to satisfy any auditing requests or requirements. If you don't currently have a log file or user activity monitoring tool in place, consider beginning the process of implementing one now so that when audits come -- and they will -- you will be fully prepared to respond to them without any gaps in your data. Your auditor may even thank you. Just make sure to choose log file and user activity monitoring tools that meet all your needs.
Log files are king
Implementing a log file monitoring and consolidation system is a mandatory requirement for audit-proofing your virtual desktop infrastructure (VDI) environment. Look for log monitoring tools that support all of the operating systems and platforms in your environment.
To be fully prepared for any possible audits, you should monitor and consolidate log files residing on servers, storage devices and user desktops on a regular basis. You should also monitor network components so you can get the entire picture of your environment. You can monitor the logs for network devices that run on common OSes such as Linux or Windows via regular log monitoring tools. Additionally, you can monitor network devices running on embedded OSes via syslog, so make sure your log file monitoring system of choice includes a way to receive syslog messages.
The process of planning for and implementing a comprehensive log file monitoring system includes devising a strategy for storing all of the log files in a central, fault-tolerant storage location. If you have hundreds or thousands of servers in your environment, you are looking at a large amount of log data that must be collected and stored in a format that allows for easy retrieval when you need it. Most comprehensive log monitoring tools include a central repository for log file data, but some lower-end systems may only automate the gathering of log file data.
If you purchase a log monitoring tool that does not include centralized data consolidation and retrieval capabilities, you may have to find a way to automate those tasks yourself. Carefully consider whether or not having to create your own data consolidation process is worth the cost savings of lower-end log file monitoring products. A cost-benefit analysis of implementing log file management tools without automatic aggregation and log data storage will likely show it's easier and cheaper to buy a tool that can handle log data aggregation.
Make sure your log monitoring tool of choice can search for common critical error messages. It should also let you watch for and create an alert on custom-defined log file error messages. Examples of top-rated log monitoring tools include ManageEngine's EventLog Analyzer, Paessler's PRTG Network Monitor, Splunk and LogMeister. You may already run computer monitoring tools that support log file monitoring, so be sure to explore that possibility before spending money on another tool to provide the same functionality.
Keyloggers and user activity monitoring
The next step up the ladder of audit preparations for your VDI environment is to consider implementing keyloggers and user activity monitoring on VDI desktops. They are both great tools for keeping track of which users are doing what on company computing resources.
Keyloggers record and store each user's keyboard input in a log file that you can search for critical errors. They also allow you to monitor employees' compliance with corporate or regulatory requirements. This information is vital in responding to requests for user log data as part of IT or regulatory audits.
User activity monitoring takes the keylogging concept one step further by including regular user screenshots, file transfers, periods of activity and inactivity, online searches, and websites visited in the log data it collects. User activity monitoring is the most in-depth way to monitor workers' activity, but the amount of data that user activity monitoring tools produce can be massive compared to standard log file monitoring. Be sure to plan carefully for proper aggregation and storage of your user activity data.
Compliance audits and criminal investigations are typical use cases for user activity monitoring tools. ObserveIT, Dell's Quest One and SpectorSoft's Spector 360 are all comprehensive user activity monitoring tools.
Correlating logs, keyloggers and user activity
The last step in the log file monitoring process is implementing a method for correlating log files on disparate systems and platforms.
Log data correlation lets you automatically link related log messages across all of the platforms you collect data from. For instance, you can correlate a buffer overrun on a network device with event log errors on a server and user desktop log file errors indicating poor performance. Without correlation, you would investigate all three errors separately without knowing that the other errors might be related. With a correlation tool running against a central log data repository, you can easily identify the network buffer overflow as a root cause for all three related error messages.
CorreLog, Logscape and Tenable's Log Correlation Engine are examples of log file correlation tools that can save you time and money while you troubleshoot VDI issues.