Problem solve Get help with specific problems with your technologies, process and projects.

Practice effective security log analysis

Collecting security log data is useless if your log isn't properly configured, monitored and analyzed. Get tips for effective data logging in part one of this two-part series.

The following is part one of a two-part series on security log analysis. Part one, below, discusses the importance of log monitoring and analysis. Part two will help you make sense of log data and use it to effectively protect and secure your network.

Log data can offer a treasure trove of valuable information -- or a complete quagmire of useless data. To protect and secure your network, the log data compiled by various operating systems, applications, devices and security products can help you proactively detect and avert disaster, and identify the root cause of a security incident.

Of course, how valuable log data is to your network security efforts depends on two things: First, your systems and devices must be properly configured to log the data you need. Second, you must have the proper tools, training and available resources to analyze the data that is collected.

You can't analyze what you don't have

Before you can analyze log data, you obviously have to collect it. More importantly, the program or device logging the data needs to be configured to collect the data you need. For example, Microsoft Windows operating systems are able to audit a wide variety of activities and log information about them in Event Viewer Security. However, security auditing is not enabled by default in Windows 2000 or Windows XP, and the default settings for security auditing in Windows Server 2003 may not meet your needs.

For security auditing events in Windows, you can choose to log successful or failed attempts. If you only log failed attempts to access a file or directory, log entries won't show when the file was successfully compromised. If you only log successful attempts to access a user account, log entries won't show you the 50 times an attacker incorrectly tried to guess the username and password for the account.

Collecting mountains of security event log data without the training or resources to effectively monitor and analyze it is as useless as not collecting any data at all.
Tony Bradley

Whether you're using Windows operating systems or any other device or program, it is important you put in the time and effort up front to understand the security logging capabilities available to you and configure the logging options appropriately for your needs. While it may seem logical to simply log everything, monitoring and logging security events puts a load on the processor and uses memory and hard drive space. You need to understand the logging options available and choose the best balance between logging everything and logging nothing to collect the data that is valuable to you.

Information overload

Once you have the log data collected, the challenge becomes how to use it effectively. Anton Chuvakin, a security strategist for Edison, N.J.-based netForensics, Inc., notes: "Once technology is in place and logs are collected, there needs to be a process of ongoing monitoring and review that hooks into actions and possible escalation."

Network and security administrators often take time to establish log data collection, but they then have no process or resources in place for monitoring and analyzing that data. Information about network reconnaissance or potential attack may be overlooked until it is too late because nobody watches the log data.

When a security event occurs, the log data may be reviewed to determine what happened, but many times there is simply too much data being reviewed by individuals without the technical training or ability to truly make sense of it.

There are tools available, such as Security Event Management (SEM) applications, that are designed specifically to monitor security events and apply some sort of logic or filter to help administrators make sense of the information. However, these tools still have to be configured and deployed properly to be effective, and someone has to understand and take action on the data that is filtered through.

Collecting mountains of security event log data without the training or resources to effectively monitor and analyze it is as useless as not collecting any data at all. In the next part of this series, I will provide some tips to help you make sense of the log data and use it to effectively protect and secure your network.

About the author: Tony Bradley is a consultant and writer with a focus on network security, antivirus and incident response. He is the Guide for Internet / Network Security, providing a broad range of information security tips, advice, reviews and information. Tony also contributes frequently to other industry publications. For a complete list of his freelance contributions you can visit Essential Computer Security.

More information from

Next Steps

Log analytics helps video streaming service manage 1,000 servers 

Dig Deeper on Enterprise desktop management