Log Management – Lifeblood of Information Security
by Colm Murphy - Technical Director of Espion - Monday, 29 January 2007.
System Events. System events are operational actions performed by OS components, such as shutting down the system or starting a service. Typically, failed events and the most significant successful events are logged. The details logged for each event also vary widely; each event is usually timestamped, and other supporting information could include event, status, and error codes; service name; and user or system account associated with an event.

Audit Records. Audit records contain security event information such as successful and failed authentication attempts, file accesses, security policy changes, account changes (e.g., account creation and deletion, account privilege assignment), and use of privileges.

Operating systems and security software provide the foundation and protection for applications, which are used to store, access, and manipulate the data used for the organization’s business processes.

Applications

Some applications generate their own log files, while others use the logging capabilities of the OS on which they are installed. Applications vary significantly in the types of information that they log.

  • Account information such as successful and failed authentication attempts, account changes (e.g., account creation and deletion, account privilege assignment), and use of privileges. Beyond identifying security events such as brute-force password guessing and privilege escalation, this information can be used to identify who has used the application and when each person used it.

  • Usage information such as the number of transactions occurring in a certain period (e.g., minute, hour) and the size of transactions (e.g., e-mail message size, file transfer size). This can be useful for certain types of security monitoring (e.g., a ten-fold increase in e-mail activity might indicate a new e-mail-borne malware threat; an unusually large outbound e-mail message might indicate inappropriate release of information).
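As an added illustration, not part of the original article, the following script applies the two monitoring ideas above to a constructed application log: it flags a burst of failed logins on one account (and a success that follows it), and an outbound message far larger than the sender's earlier ones. The key=value line format, field names and thresholds are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample application log (not from the article); key=value format assumed.
SAMPLE_LOG = """\
2007-01-29T08:00:01 auth user=alice result=FAIL src=10.0.0.5
2007-01-29T08:00:03 auth user=alice result=FAIL src=10.0.0.5
2007-01-29T08:00:04 auth user=alice result=FAIL src=10.0.0.5
2007-01-29T08:00:06 auth user=alice result=FAIL src=10.0.0.5
2007-01-29T08:00:07 auth user=alice result=FAIL src=10.0.0.5
2007-01-29T08:00:09 auth user=alice result=OK src=10.0.0.5
2007-01-29T08:05:30 mail user=bob direction=out size=20480
2007-01-29T08:06:00 mail user=bob direction=out size=30720
2007-01-29T08:07:00 mail user=bob direction=out size=52428800
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>\w+) (?P<kv>.*)$")

def parse(text):
    # Turn each log line into a dict with a parsed timestamp and event kind.
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            fields = dict(kv.split("=", 1) for kv in m["kv"].split())
            fields["ts"] = datetime.fromisoformat(m["ts"])
            fields["kind"] = m["kind"]
            events.append(fields)
    return events

def brute_force_alerts(events, threshold=5, window=timedelta(minutes=1)):
    """Flag `threshold` failed logins on one account inside a sliding window, and a success right after."""
    fails, alerts = defaultdict(list), []
    for e in (x for x in events if x["kind"] == "auth"):
        user = e["user"]
        if e["result"] == "FAIL":
            fails[user] = [t for t in fails[user] if e["ts"] - t <= window] + [e["ts"]]
            if len(fails[user]) == threshold:
                alerts.append((user, "burst"))
        elif fails[user]:  # success after recent failures: guessing may have worked
            alerts.append((user, "success_after_failures"))
            fails[user].clear()
    return alerts

def large_outbound_alerts(events, factor=10, min_history=2):
    """Flag an outbound message far larger than the sender's earlier ones."""
    history, alerts = defaultdict(list), []
    for e in (x for x in events if x["kind"] == "mail" and x["direction"] == "out"):
        prior, size = history[e["user"]], int(e["size"])
        if len(prior) >= min_history and size > factor * sum(prior) / len(prior):
            alerts.append((e["user"], size))
        prior.append(size)
    return alerts
```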

In determining which data is sufficient and appropriate to collect, organisations should implement processes that:
  • Identify components and events that warrant logging.
  • Establish the amount of data to be logged.
  • Identify and establish mandated log retention timeframes.
  • Implement policies for securely handling and analysing log files.
The issue of retention has become a difficult one for many organisations. Satisfying the reporting demands of government regulations and corporate security policies requires the retention of vast amounts of security data. Not only must log and event data be collected from security products such as firewalls and identity management systems, but auditors must also be able to go back several years to trace security violations. One effect of government regulations is that security information, including event logs and transaction logs, has now become a legal record that must be produced when requested by legal authorities. This could potentially stretch data retention periods to the duration of the litigation process.

Copyright 1998-2013 by Help Net Security.