Menu
Home
People
Places
Arts
History
Plants & Animals
Science
Life & Culture
Technology
Reference.org
Log management
open-in-new
<h2 id="overview">Overview</h2> <p>The primary drivers for log management implementations are concerns about <a href="/facts/Computer_security/7E5dIy7G">security</a>,<a class="footnote-ref" id="fnref:3" href="#fn:3"><sup>3</sup></a> system and network operations (such as <a href="/facts/System_administrator/zNhThrh9">system</a> or <a href="/facts/Network_administrator/UIwK6HTt">network administration</a>) and regulatory compliance. Logs are generated by nearly every computing device, and can often be directed to different locations both on a local <a href="/facts/File_system/FdPm90uc">file system</a> or remote system. </p><p>Effectively analyzing large volumes of diverse logs can pose many challenges, such as: </p> <ul><li>Volume: log data can reach hundreds of gigabytes of data per day for a large <a href="/facts/Organization/CR83f1Rn">organization</a>. Simply collecting, centralizing and storing data at this volume can be challenging.</li> <li>Normalization: logs are produced in multiple formats. The process of <a href="/facts/Normalization_(statistics)/734U3VFY">normalization</a> is designed to provide a common output for analysis from diverse sources.</li> <li>Velocity: The speed at which logs are produced from devices can make collection and aggregation difficult</li> <li>Veracity: Log events may not be accurate. This is especially problematic for systems that perform detection, such as <a href="/facts/Intrusion_detection_system/mAw24Fyo">intrusion detection systems</a>.</li></ul> <p>Users and potential users of log management may purchase complete commercial tools or build their own log-management and intelligence tools, assembling the functionality from various <a href="/facts/Open-source_model/uDWVYJ4V">open-source</a> components, or acquire (sub-)systems from commercial vendors. Log management is a complicated process and organizations often make mistakes while approaching it.<a class="footnote-ref" id="fnref:4" href="#fn:4"><sup>4</sup></a> </p><p>Logging can produce technical information usable for the maintenance of applications or websites. It can serve: </p> <ul><li>to define whether a reported bug is actually a bug</li> <li>to help analyze, reproduce and solve bugs</li> <li>to help test new features in a development stage</li></ul> <h2 id="terminology">Terminology</h2> <p>Suggestions were made[<i>by whom?</i>] to change the definition of logging. This change would keep matters both purer and more easily maintainable: </p> <ul><li>Logging would then be defined as all instantly discardable data on the technical process of an application or website, as it represents and processes data and user input.</li> <li>Auditing, then, would involve data that is not immediately discardable. In other words: data that is assembled in the auditing process, is stored persistently, is protected by authorization schemes and is, always, connected to some end-user functional requirement.</li></ul> <h2 id="deployment-life-cycle">Deployment life-cycle</h2> <p>One view of assessing the maturity of an organization in terms of the deployment of log-management tools might use[<i>original research?</i>] successive levels such as: </p> <ol><li>in the initial stages, organizations use different log-analyzers for analyzing the logs in the devices on the security perimeter. They aim to identify the patterns of attack on the perimeter infrastructure of the organization.</li> <li>with the increased use of integrated computing, organizations mandate logs to identify the access and usage of confidential data within the security perimeter.</li> <li>at the next level of maturity, the log analyzer can track and monitor the performance and availability of systems at the level of the <a href="/facts/Business/For1e8Nh">enterprise</a> — especially of those information assets whose availability organizations regard as vital.</li> <li>organizations integrate the logs of various <a href="/facts/Business/For1e8Nh">business</a> applications into an enterprise log manager for a better <a href="/facts/Value_proposition/z5S8Dynv">value proposition</a>.</li> <li>organizations merge the physical-access monitoring and the logical-access monitoring into a single view.</li></ol> <h2 id="see-also">See also</h2> <ul><li><a href="/facts/Audit_trail/s3nQzrF4">Audit trail</a></li> <li><a href="/facts/Common_Base_Event/BnuozRSz">Common Base Event</a></li> <li><a href="/facts/Common_Log_Format/85wBufAz">Common Log Format</a></li> <li><a href="/facts/DARPA/Uf9sarhT">DARPA</a> <a href="/facts/Proactive_Discovery_of_Insider_Threats_Using_Graph_Analysis_and_Learning/v4ApDLNq">PRODIGAL</a> and <a href="/facts/Anomaly_Detection_at_Multiple_Scales/24e4AulM">Anomaly Detection at Multiple Scales</a> (ADAMS) projects.</li> <li><a href="/facts/Data_logging/U3GglNdc">Data logging</a></li> <li><a href="/facts/Log_analysis/I4t3sE2y">Log analysis</a></li> <li><a href="/facts/Log_monitor/W7837zGS">Log monitor</a></li> <li><a href="/facts/Log_management_knowledge_base/NvzWRxeC">Log management knowledge base</a></li> <li><a href="/facts/Security_information_and_event_management/0jUVIEJ1">Security information and event management</a></li> <li><a href="/facts/Server_log/p7FHf8mA">Server log</a></li> <li><a href="/facts/Syslog/n6a7vIkt">Syslog</a></li> <li><a href="/facts/Web_counter/V7lETkYu">Web counter</a></li> <li><a href="/facts/Web_log_analysis_software/kl2u8P3Q">Web log analysis software</a></li></ul> <ul><li>Chris MacKinnon: "LMI In The Enterprise". <i>Processor</i> November 18, 2005, Vol.27 Issue 46, page 33. Online at <a href="http://www.processor.com/editorial/article.asp?article=articles%2Fp2746%2F09p46%2F09p46.asp">http://www.processor.com/editorial/article.asp?article=articles%2Fp2746%2F09p46%2F09p46.asp</a>, retrieved 2007-09-10</li> <li>MITRE: Common Event Expression (CEE) Proposed Log Standard. Online at <a href="http://cee.mitre.org">http://cee.mitre.org</a>, retrieved 2010-03-03</li></ul> <h2 id="external-links">External links</h2> <ul><li><a href="http://www.infoworld.com/d/data-explosion/infoworld-review-meeting-the-network-security-and-compliance-challenge-658">InfoWorld review and comparison of commercial Log Management products</a></li></ul> <h2 id="references">References</h2> <ol> <li id="fn:1"><p>NIST SP 800-92r1, Cybersecurity Log Management Planning Guide <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-92r1.ipd.pdf" target="_blank">https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-92r1.ipd.pdf</a> <a href="#fnref:1" class="footnote-back-ref">↩</a></p></li> <li id="fn:2"><p>Kent, Karen; Souppaya, Murugiah (September 2006). Guide to Computer Security Log Management (Report). NIST. doi:10.6028/NIST.SP.800-92. S2CID 221183642. NIST SP 800-92. <a href="/wiki/Doi_(identifier)" target="_blank">/wiki/Doi_(identifier)</a> <a href="#fnref:2" class="footnote-back-ref">↩</a></p></li> <li id="fn:3"><p>"Leveraging Log Data for Better Security". EventTracker SIEM, IT Security, Compliance, Log Management. Archived from the original on 28 December 2014. Retrieved 12 August 2015. <a href="https://web.archive.org/web/20141228182418/http://www.prismmicrosys.com/newsletters_august2007.php" target="_blank">https://web.archive.org/web/20141228182418/http://www.prismmicrosys.com/newsletters_august2007.php</a> <a href="#fnref:3" class="footnote-back-ref">↩</a></p></li> <li id="fn:4"><p>"Top 5 Log Mistakes - Second Edition". Docstoc.com. Retrieved 12 August 2015. <a href="http://www.docstoc.com/docs/19680768/Top-5-Log-Mistakes---Second-Edition" target="_blank">http://www.docstoc.com/docs/19680768/Top-5-Log-Mistakes---Second-Edition</a> <a href="#fnref:4" class="footnote-back-ref">↩</a></p></li> </ol>