What OTHER information is useful in log analysis?


For those of you who do not monitor the
mailing list, there has been some discussion about
what information (besides the actual log contents)
is useful for log analysis.

Anton Chuvakin has posted a summary of this on his
blog. It is definitely a worthwhile read, as these
are the important points that CEE must take into


For example, the two most important things people
want to make sense of their logs (and should be
central issues in any log standard) are:

1. Other logs from around the same time

 - This is contextual information and implies that
   some logs often appear in sequence for certain
   actions. With well defined events, these
   sequences can be better identified and studied.

2. Documentation on the log's meaning

 - This is one of the primary motivations for
   and a real need with log analysis. Why do
   write cryptic log messages that require their
   translation manual?

William Heinbockel
Infosec Engineer, Sr.
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
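As an added illustration of the two points above (this is example code written for this page, not part of the original post or of CEE itself): given a constructed syslog-like stream, pull the events that surround an event of interest in time, and attach a human-readable meaning to each one from a documentation table, so that undocumented messages stand out. The log lines, the documentation entries and the 5-second window are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical; not taken from the post).
SAMPLE_LOGS = """\
2009-03-10T10:00:01 sshd[2101]: Accepted password for alice from 10.0.0.5 port 50122 ssh2
2009-03-10T10:00:02 sshd[2101]: pam_unix(sshd:session): session opened for user alice
2009-03-10T10:00:04 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
2009-03-10T10:00:05 kernel: EXT3-fs warning: maximal mount count reached
2009-03-10T10:30:00 cron[2200]: (root) CMD (run-parts /etc/cron.hourly)
""".splitlines()

# Documentation table: (regex over the message, meaning template). Entries are
# hypothetical; the point is that an analyst sees meaning, not just raw text.
EVENT_DOCS = [
    (r"Accepted \w+ for (\S+)", "Successful SSH login for user {0}"),
    (r"USER=(\S+) ; COMMAND=(\S+)", "Privilege escalation to {0} running {1}"),
    (r"session opened for user (\S+)", "PAM session opened for {0}"),
]


def parse(line):
    """Split one line into timestamp, program name and message text."""
    ts, rest = line.split(" ", 1)
    prog, msg = rest.split(": ", 1)
    prog = prog.split("[")[0]  # drop the "[pid]" suffix when present
    return {"time": datetime.fromisoformat(ts), "prog": prog, "msg": msg}


def explain(event):
    """Return the documented meaning of an event, or None if it is undocumented."""
    for pattern, template in EVENT_DOCS:
        m = re.search(pattern, event["msg"])
        if m:
            return template.format(*m.groups())
    return None  # the "cryptic message" case the post complains about


def context(lines, anchor_pattern, window_seconds=5):
    """Return (time, program, meaning) for every event within +/- window of the anchor."""
    events = [parse(l) for l in lines]
    anchor = next(e for e in events if re.search(anchor_pattern, e["msg"]))
    lo = anchor["time"] - timedelta(seconds=window_seconds)
    hi = anchor["time"] + timedelta(seconds=window_seconds)
    out = []
    for e in events:
        if lo <= e["time"] <= hi:
            meaning = explain(e) or "UNDOCUMENTED: " + e["msg"]
            out.append((e["time"].isoformat(), e["prog"], meaning))
    return out


if __name__ == "__main__":
    for row in context(SAMPLE_LOGS, r"COMMAND=/bin/bash"):
        print(*row, sep=" | ")
```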