What OTHER information is useful in log analysis?


heinbockel
For those of you who do not monitor the
LogAnalysis
mailing list, there has been some discussion about
what information (besides the actual log contents)
is useful for log analysis.

Anton Chuvakin has posted a summary of this on his
blog. It is definitely a worthwhile read, as these
are the important points that CEE must take into
consideration.

http://chuvakin.blogspot.com/2008/06/logging-poll-8-analysis-needed-log.html


For example, the two most important things people
want in order to make sense of their logs (and should
be central issues in any log standard) are:

1. Other logs from around the same time

 - This is contextual information and implies that
   some logs often appear in sequence for certain
   actions. With well-defined events, these specific
   sequences can be better identified and studied.

2. Documentation on the log's meaning

 - This is one of the primary motivations for CEE
   and a real need in log analysis. Why do vendors
   write cryptic log messages that require their
   own translation manual?


William Heinbockel
Infosec Engineer, Sr.
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
[hidden email]
781-271-2615
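The two points above (logs from around the same time as context, and well-defined event meanings) are easier to see in code than in prose. The script below is an added example written for this page; it is not from the original post, the LogAnalysis list, or CEE. It normalizes raw syslog-style lines into a small set of named events (the event names such as auth.login.failure are an assumed taxonomy, not a CEE one), pulls the context window around an anchor event, and then checks for one specific sequence: repeated login failures from one source, a success from the same source, and a privileged command shortly after. All log lines are constructed.

```python
"""Context windows and event sequences over syslog-style lines.

Added example, not code from the original post or from CEE. The event
taxonomy (event_id strings) and the sample log lines are assumptions
constructed for this example.
"""
import re
from datetime import datetime, timedelta

# Constructed sample input (assumption: one host, one year, syslog format).
SAMPLE_LOGS = """\
Jun 12 10:14:01 web1 sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jun 12 10:14:03 web1 sshd[4021]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jun 12 10:14:05 web1 sshd[4021]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jun 12 10:14:09 web1 sshd[4025]: Accepted password for root from 203.0.113.7 port 51030 ssh2
Jun 12 10:14:10 web1 sshd[4025]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jun 12 10:14:20 web1 sudo:     root : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/useradd backup2
Jun 12 10:20:00 web1 cron[5000]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Syslog header: "Mon DD HH:MM:SS host message".
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")

# Vendor message text mapped to well-defined event names (assumed taxonomy).
# This is the "translation manual" the post complains every vendor needs.
EVENT_PATTERNS = [
    ("auth.login.failure", re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")),
    ("auth.login.success", re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")),
    ("auth.session.open", re.compile(r"session opened for user (?P<user>\S+)")),
    ("priv.sudo.exec", re.compile(r"sudo:\s+(?P<user>\S+) : .*COMMAND=(?P<cmd>.*)$")),
]


def parse(lines, year=2008):
    """Turn raw lines into dicts with a timestamp, host, event_id and extracted fields.
    Lines no pattern recognises keep event_id 'unknown' rather than being dropped,
    so they still appear as context around other events."""
    events = []
    for line in lines.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        event_id, fields = "unknown", {}
        for eid, pat in EVENT_PATTERNS:
            pm = pat.search(m["msg"])
            if pm:
                event_id, fields = eid, pm.groupdict()
                break
        events.append({"time": ts, "host": m["host"], "event_id": event_id, "raw": line, **fields})
    return events


def context_window(events, anchor, before=timedelta(seconds=30), after=timedelta(seconds=30)):
    """Point 1 from the post: other logs from around the same time, on the same host."""
    lo, hi = anchor["time"] - before, anchor["time"] + after
    return [e for e in events if e["host"] == anchor["host"] and lo <= e["time"] <= hi]


def find_bruteforce_then_success(events, min_failures=3, window=timedelta(minutes=5)):
    """A specific sequence that is only detectable once events are well defined:
    >= min_failures login failures from one source, then a success from the same
    source within `window`, then any privileged command in the following `window`."""
    findings = []
    for i, e in enumerate(events):
        if e["event_id"] != "auth.login.success":
            continue
        failures = [f for f in events[:i]
                    if f["event_id"] == "auth.login.failure"
                    and f["host"] == e["host"] and f["src"] == e["src"]
                    and e["time"] - f["time"] <= window]
        if len(failures) < min_failures:
            continue
        followups = [x["event_id"]
                     for x in context_window(events, e, before=timedelta(0), after=window)
                     if x["event_id"] == "priv.sudo.exec"]
        findings.append({"host": e["host"], "src": e["src"], "user": e["user"],
                         "failures": len(failures), "success_at": e["time"],
                         "followups": followups})
    return findings


if __name__ == "__main__":
    evs = parse(SAMPLE_LOGS)
    for hit in find_bruteforce_then_success(evs):
        print(hit)
        for ctx in context_window(evs, next(e for e in evs if e["time"] == hit["success_at"])):
            print("   ", ctx["event_id"], "|", ctx["raw"])
```

The cron line is deliberately left in as an unrecognised event: a context window should show everything that happened near the anchor, including entries the taxonomy does not (yet) cover, because those are often the ones an analyst needs to go and read about.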


