January 18, 2012

1.2.12 Log analysis

Log analysis is crucial to identifying security-related problems. As an administrator, you have the ability to turn on logging at many different locations and levels. The next step is to properly analyze what has been collected.

Not only do you need to collect and analyze the logs, but you also need to store them for a time in the future when you want to compare what is happening now to then (baselining). They should be stored in a format that you can quickly access and understand without having to convert them to a document each time you want to look at them. As much as possible, automate the collection and archiving of log files.

Log files can be analyzed either in real time or historically (after an event). Real-time analysis allows the administrator to be alerted to an event as quickly as possible. Historical analysis is an aid for post-mortem analysis of an event.
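As an added illustration of baselining (example code, not from the original post or the study guides): a baseline of daily failed logins is computed from an archived log, and a current day is flagged when it deviates from that baseline. The sshd-style log lines, host names and addresses are constructed for the example.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed sample lines in syslog style (not taken from any real system).
ARCHIVED_LOGS = """\
Jan 10 09:01:12 host1 sshd[411]: Failed password for invalid user admin from 10.0.0.5 port 4120 ssh2
Jan 10 10:14:02 host1 sshd[418]: Failed password for root from 10.0.0.9 port 4121 ssh2
Jan 11 09:22:40 host1 sshd[522]: Failed password for invalid user test from 10.0.0.7 port 4200 ssh2
Jan 12 09:05:11 host1 sshd[601]: Accepted publickey for deploy from 10.0.0.3 port 4300 ssh2
Jan 12 11:30:00 host1 sshd[611]: Failed password for root from 10.0.0.9 port 4310 ssh2
"""
CURRENT_LOGS = """\
Jan 18 09:00:01 host1 sshd[900]: Failed password for root from 10.0.0.44 port 5000 ssh2
Jan 18 09:00:02 host1 sshd[901]: Failed password for root from 10.0.0.44 port 5001 ssh2
Jan 18 09:00:03 host1 sshd[902]: Failed password for root from 10.0.0.44 port 5002 ssh2
Jan 18 09:00:04 host1 sshd[903]: Failed password for admin from 10.0.0.44 port 5003 ssh2
Jan 18 09:00:05 host1 sshd[904]: Accepted publickey for deploy from 10.0.0.3 port 5004 ssh2
"""

# Syslog timestamp (day may be space-padded) followed by an sshd failed-password message.
FAILED = re.compile(r"^(?P<mon>\w{3}) (?P<day>\s?\d+) \d{2}:\d{2}:\d{2} \S+ sshd\[\d+\]: Failed password")

def failures_per_day(log_text):
    """Count failed-login lines per calendar day; this is the compact form worth archiving."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            counts[(m["mon"], m["day"].strip())] += 1
    return counts

def baseline(log_text):
    """Historical analysis: mean and population std-dev of daily failures in the archive."""
    daily = list(failures_per_day(log_text).values())
    return mean(daily), pstdev(daily)

def alert(current_text, base_mean, base_sd, k=2.0):
    """Real-time style check: flag any day whose failures exceed mean + k * std-dev."""
    return [day for day, n in failures_per_day(current_text).items()
            if n > base_mean + k * base_sd]

if __name__ == "__main__":
    m, sd = baseline(ARCHIVED_LOGS)
    print("baseline per day: mean=%.2f sd=%.2f" % (m, sd))
    print("days exceeding baseline:", alert(CURRENT_LOGS, m, sd))
```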

References:
  • CompTIA Security+ Study Guide: Exam SY0-301, Fifth Edition by Emmett Dulaney
  • CompTIA Security+ Review Guide: Exam SY0-301, Second Edition by James M. Stewart
