How can I extend PostgreSQL server log retention beyond 7 days for legal purposes?

Asked By CuriousFrog92 On

I've recently faced a security breach in my company, and I have PostgreSQL server logs that show the IP address of the attacker. We know who it is and plan to take legal action, but the logs will only last for 7 days. I need to find a way to keep them longer, or at least prove that the logs haven't been tampered with if I download them. What are the best methods to retain these logs for a longer period, or to ensure their integrity for use as evidence?

3 Answers

Answered By TechWanderer77 On

A forensic backup is a solid approach here. You should really consider bringing in some experts who specialize in this area. They can give you tailored advice on how to properly retain and protect your logs. Good luck!

LegalEagle42 -

Where would I even look for these forensic experts? Any suggestions on where to start?

Answered By CodeNinja8 On

Honestly, I'm not sure you can automate this without doing something manually. Your best bet may be to download them, but you could also write a script to copy them directly to a storage account. Just keep in mind that whether you download or copy, there could still be concerns about tampering. Check out the log ingestion API documentation if you think that might help, though I doubt it'll help with historical records.

HistoryBuff99 -

Just a heads up, the ingestion only captures new logs going forward, nothing past. So it won’t help you with the evidence you already have.
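
Added example, not part of any answer in this thread: one way to address the tampering concern with downloaded or copied logs is to record a SHA-256 manifest at download time and re-check the copy against it later. The file names, log lines and function names are constructed for illustration; a manifest shows only that the files are unchanged since it was taken, not where they came from, so its digest should be stored separately from the logs.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def sha256_file(path):
    """Stream the file so large log exports do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def _digest(entries):
    """SHA-256 over a canonical JSON encoding of the entry list."""
    blob = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def build_manifest(log_dir):
    """Record name, size and SHA-256 of every file, plus one digest over all entries."""
    files = sorted(p for p in log_dir.rglob("*") if p.is_file())
    entries = [{"name": p.relative_to(log_dir).as_posix(), "size": p.stat().st_size,
                "sha256": sha256_file(p)} for p in files]
    return {"entries": entries, "manifest_sha256": _digest(entries)}

def verify_manifest(log_dir, manifest):
    """Return a list of discrepancies; an empty list means the copy matches."""
    problems = []
    # Detect edits to the manifest itself before trusting its entries.
    if _digest(manifest["entries"]) != manifest["manifest_sha256"]:
        problems.append("manifest entries altered")
    recorded = {e["name"]: e["sha256"] for e in manifest["entries"]}
    present = {p.relative_to(log_dir).as_posix() for p in log_dir.rglob("*") if p.is_file()}
    problems += [f"unexpected file: {n}" for n in sorted(present - set(recorded))]
    for name, digest in sorted(recorded.items()):
        if name not in present:
            problems.append(f"missing file: {name}")
        elif sha256_file(log_dir / name) != digest:
            problems.append(f"hash mismatch: {name}")
    return problems

def demo():
    """Constructed sample: two fake log files, one altered after the manifest is taken."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "postgresql-01.log").write_text("LOG:  connection received: host=203.0.113.7\n")
        (root / "postgresql-02.log").write_text("LOG:  connection authorized: user=app\n")
        manifest = build_manifest(root)
        (root / "postgresql-02.log").write_text("LOG:  connection authorized: user=other\n")
        return verify_manifest(root, manifest)
```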

Answered By CloudGuru101 On

It’s crucial to know if this is an Azure managed PostgreSQL server or a self-hosted VM. If it's Azure, you can set up diagnostic settings to forward logs to a storage account or similar, but you needed to enable that before the incident. If it’s self-hosted, try setting up log forwarding and consider creating a disk image for forensic purposes.

AskForHelp91 -

If I hire a notary, could they verify that the logs were downloaded directly from Azure without any tampering?
