Log Management - Lifeblood of Information Security
by Colm Murphy - Technical Director of Espion - Monday, 29 January 2007.
The responsibility to protect sensitive private information is now legally mandated and has become a key focus of many regulations across multiple industries. Information security is vital to the success of an organisation's day-to-day operations, and must be managed as a proactive, strategic business process throughout the entire enterprise - not as an intermittent or point-in-time event for technology staff alone.

Love them or loathe them, log files play a central role in this. Logs are the lifeblood. They tell us the Who, the What, the Where, and the When. They give us insight. They give us answers. Very occasionally they might even make us laugh, when the computer jargon points out the very obvious or makes a simple fault sound incredibly serious.

Because of the widespread deployment of networked servers, workstations, and other computing devices, and the ever-increasing number of threats against networks and systems, the number, volume, and variety of computer security logs has increased greatly. This has created the need for computer security log management, which is the process for generating, transmitting, storing, analysing, and disposing of computer security log data.

Log files are critical to the successful investigation and prosecution of security incidents, so best practice recommends logging all events. However, enforcing such a policy can easily overwhelm already overworked system administrators, and the last thing you want is information overload. But it is true to say that logging only a subset of events is a risk. There are emerging solutions that do indeed gather a log entry for every event that takes place on the network, and provide an easy way to retrieve specific information if and when it is required.

Log files generally fall into one of three categories. Security software logs primarily contain computer security-related information, while operating system logs and application logs typically contain a variety of information, including computer security-related data.

Security Software
  • Anti-Virus Software
  • Intrusion Detection & Protection
  • Remote Access Software
  • Web Proxies
  • Vulnerability Management Software
  • Authentication Servers
  • Routers
  • Firewalls
  • Network Devices

Operating Systems

Operating systems (OS) for servers, workstations, and networking devices (e.g., routers, switches) usually log a variety of information related to security. The most common types of security-related OS data are:

System Events. System events are operational actions performed by OS components, such as shutting down the system or starting a service. Typically, failed events and the most significant successful events are logged. The details logged for each event also vary widely; each event is usually timestamped, and other supporting information could include event, status, and error codes; service name; and user or system account associated with an event.

Audit Records. Audit records contain security event information such as successful and failed authentication attempts, file accesses, security policy changes, account changes (e.g., account creation and deletion, account privilege assignment), and use of privileges.
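To make the system event / audit record distinction concrete, the following added example (not part of the original article) parses a handful of constructed syslog-style lines, extracts the supporting fields named above (timestamp, service name, associated account), tags each line as an audit record or a plain system event, and answers one "retrieve specific information" question: failed authentications per account. The sample lines and the rule patterns are illustrative assumptions, not a complete ruleset.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed syslog-style sample lines (not captured from any real system).
SAMPLE_LOG = """\
Jan 29 08:01:12 srv01 systemd[1]: Started OpenSSH server daemon.
Jan 29 08:02:03 srv01 sshd[2211]: Failed password for alice from 192.0.2.10 port 51234 ssh2
Jan 29 08:02:09 srv01 sshd[2211]: Failed password for alice from 192.0.2.10 port 51235 ssh2
Jan 29 08:02:15 srv01 sshd[2213]: Accepted password for alice from 192.0.2.10 port 51236 ssh2
Jan 29 08:05:40 srv01 sudo[2300]: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart rsyslog
Jan 29 08:06:00 srv01 useradd[2310]: new user: name=svc_backup, UID=1005, GID=1005, home=/home/svc_backup
"""
# Every line carries a timestamp, a service name and a free-text message.
SYSLOG = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<svc>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$")
# Audit-record subtypes named in the text: authentication, privilege use, account changes.
AUDIT_RULES = [
    ("auth_failure", re.compile(r"Failed password for (?P<acct>\S+)")),
    ("auth_success", re.compile(r"Accepted \w+ for (?P<acct>\S+)")),
    ("privilege_use", re.compile(r"^(?P<acct>\S+) : TTY=.*COMMAND=")),
    ("account_change", re.compile(r"new user: name=(?P<acct>[^,]+)")),
]

@dataclass
class Record:
    timestamp: str
    service: str
    kind: str     # "audit" (security event) or "system" (operational OS event)
    event: str    # audit subtype, or "system_event"
    account: str  # account associated with the event; empty for pure system events
    message: str

def parse_line(line):
    """Classify one line as an audit record or a system event and extract its fields."""
    m = SYSLOG.match(line)
    if not m:
        return None  # unparseable; a real pipeline would retain the raw line
    for name, rule in AUDIT_RULES:
        hit = rule.search(m["msg"])
        if hit:
            return Record(m["ts"], m["svc"], "audit", name, hit["acct"], m["msg"])
    return Record(m["ts"], m["svc"], "system", "system_event", "", m["msg"])

def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]

def failed_auth_by_account(records):
    """The 'retrieve specific information' case: failed logins counted per account."""
    return Counter(r.account for r in records if r.event == "auth_failure")
```

Running `failed_auth_by_account(parse_log(SAMPLE_LOG))` on the constructed sample yields two failures for `alice`, while the `systemd` lines are kept as system events with no account attached.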

Applications

Operating systems and security software provide the foundation and protection for applications, which are used to store, access, and manipulate the data used for the organisation's business processes.

Some applications generate their own log files, while others use the logging capabilities of the OS on which they are installed. Applications vary significantly in the types of information that they log.