GUIDE TO COMPUTER SECURITY LOG MANAGEMENT
2. Introduction to Computer Security Log Management
A log is a record of the events occurring within an organization’s systems and networks. Logs are
composed of log entries; each entry contains information related to a specific event that has occurred
within a system or network. Originally, logs were used primarily for troubleshooting problems, but logs
now serve many functions within most organizations, such as optimizing system and network
performance, recording the actions of users, and providing data useful for investigating malicious activity.
Logs have evolved to contain information related to many different types of events occurring within
networks and systems. Within an organization, many logs contain records related to computer security;
common examples of these computer security logs are audit logs that track user authentication attempts
and security device logs that record possible attacks. This guide addresses only those logs that typically
contain computer security-related information.[1]
Because of the widespread deployment of networked servers, workstations, and other computing devices,
and the ever-increasing number of threats against networks and systems, the number, volume, and variety
of computer security logs has increased greatly. This has created the need for computer security log
management, which is the process for generating, transmitting, storing, analyzing, and disposing of
computer security log data. This section of the document discusses the needs and challenges in computer
security log management. Section 2.1 explains the basics of computer security logs. Section 2.2
discusses the laws, regulations, and operational needs involved with log management. Section 2.3
explains the most common log management challenges, and Section 2.4 offers high-level
recommendations for meeting them.
2.1 The Basics of Computer Security Logs
Logs can contain a wide variety of information on the events occurring within systems and networks.[2]
This section describes the following categories of logs of particular interest:
 Security software logs primarily contain computer security-related information. Section 2.1.1
describes them.
 Operating system logs (described in Section 2.1.2) and application logs (described in Section
2.1.3) typically contain a variety of information, including computer security-related data.
Under different sets of circumstances, many logs created within an organization could have some
relevance to computer security. For example, logs from network devices such as switches and wireless
access points, and from programs such as network monitoring software, might record data that could be of
use in computer security or other information technology (IT) initiatives, such as operations and audits, as
well as in demonstrating compliance with regulations. However, for computer security these logs are
generally used on an as-needed basis as supplementary sources of information. This document focuses on
the types of logs that are most often deemed to be important by organizations in terms of computer
security. Organizations should consider the value of each potential source of computer security log data
when designing and implementing a log management infrastructure.
Most of the sources of the log entries run continuously, so they generate entries on an ongoing basis.
However, some sources run periodically, so they generate entries in batches, often at regular intervals.
[1] For the remainder of this document, the terms “log” and “computer security log” are interchangeable, except where
otherwise noted.
[2] If the logs contain personally identifiable information—information that could be used to identify individuals, such as social
security numbers—the organization should ensure that the privacy of the log information is properly protected. The people
responsible for privacy for an organization should be consulted as part of log management planning.
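One way to act on footnote 2 while keeping log entries useful for investigation, as an added example that is not part of the guide: replace each social security number in an entry with a keyed pseudonym before the entry is stored, so the same person still correlates across entries but the raw number is not kept in the log store. The hyphenated SSN layout, the sample entries, and the key value are assumptions for illustration.

```python
import hashlib
import hmac
import re

# Assumption: SSNs appear in the common hyphenated layout NNN-NN-NNNN.
SSN_PATTERN = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def pseudonymize_ssn(entry: str, key: bytes) -> str:
    """Replace each SSN in one log entry with a keyed pseudonym.

    The pseudonym is a truncated HMAC-SHA256 of the SSN under a key that is
    kept outside the log store. The same SSN therefore maps to the same token
    in every entry (events can still be correlated), while a reader of the
    stored logs who lacks the key cannot recover the original number.
    """
    def _replace(match: re.Match) -> str:
        digest = hmac.new(key, match.group(0).encode(), hashlib.sha256).hexdigest()
        return f"SSN[{digest[:16]}]"
    return SSN_PATTERN.sub(_replace, entry)


def pseudonymize_entries(entries, key: bytes):
    """Apply pseudonymize_ssn to a batch of entries (e.g. one collection interval)."""
    return [pseudonymize_ssn(e, key) for e in entries]


# Constructed sample entries (not real data) in a generic application-log style.
SAMPLE_ENTRIES = [
    "2024-03-01T10:15:02Z app login user=jdoe ssn=123-45-6789 result=success",
    "2024-03-01T10:16:40Z app export user=jdoe ssn=123-45-6789 rows=42",
    "2024-03-01T10:17:05Z app login user=asmith ssn=987-65-4321 result=failure",
]


if __name__ == "__main__":
    # Placeholder key: in practice it comes from a secret store, not the code.
    demo_key = b"placeholder-key-kept-outside-the-log-store"
    for line in pseudonymize_entries(SAMPLE_ENTRIES, demo_key):
        print(line)
```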