No doubt this is one of the most important aspects of any security system. Nothing can offer 100% protection. Therefore, if an attack succeeds, you usually won't have anything other than your logfiles to find out what exactly happened. An analysis of the logs can tell what has to be done to prevent a similar attack in the future. Moreover, the logfiles constitute evidence in court if it comes to a lawsuit.
The main aim of keeping an audit log is to check compliance with the organization's security policy. This is especially important given that most security breaches originate from inside personnel. For larger companies that are legally bound to have an external audit done, an automated audit trail can also reduce the cost of the audit process. The system in place therefore has to meet certain requirements: if the process that generates the information is organized correctly, the generated output will also comply with the required quality standards and can be used by the external auditors.
Analysis and reporting tools are essential to turn the logged data into usable information. A lot of the analysis, however, is already done by the security management system itself, if it is set up properly. The knowledge-based system would report what triggered its inference system, which rules were applied and what conclusion was subsequently drawn. So the line of reasoning should already be detectable in the logs. To prevent the logging application from being flooded with data, the event information could be filtered at the source. The complete log is then kept locally, while only the filtered data is sent to the remote logging facility. These local logs may also be fed into the system off-line for post-mortem analysis and may originate from other sites or even from another adaptive security management system. Activity logs that are collected from other sites and analysed centrally may extend the amount of information that can be retrieved from attacks. Simultaneous break-in attempts at different locations, for example, indicate that an attack is not accidental but specifically aimed at this organization.
It can be expected that most applications generate logging information in proprietary formats that have to be translated before they can be interpreted centrally. The application that analyses the logs will need to do additional processing of the incoming logfiles to normalize time-zone information and to correct for drifting clocks. A secure clock synchronization service can be implemented as a security service provision application (see next section).
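As an added illustration (not code from the original text), the following Python sketch shows the kind of pre-processing meant here: records in two constructed proprietary formats are translated into one common structure, timestamps are converted to UTC, and a per-host clock offset is applied before the records are ordered. The formats, host names and drift values are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample records in two hypothetical proprietary formats.
# Format A: "<host> <YYYY-MM-DD HH:MM:SS +HHMM> <event>"  (local time with offset)
# Format B: "<epoch-seconds>;<host>;<event>"               (epoch is already UTC)
SAMPLE_LOGS = [
    "fw-paris 2024-03-01 09:15:02 +0100 deny tcp 10.0.0.5 -> 10.0.1.9:22",
    "1709280960;ids-tokyo;alert scan from 10.0.0.5",
    "fw-paris 2024-03-01 09:15:40 +0100 deny tcp 10.0.0.5 -> 10.0.1.9:23",
]

# Clock drift of each host measured against the central reference clock
# (hypothetical values): positive means the host's clock runs ahead.
CLOCK_DRIFT = {
    "fw-paris": timedelta(seconds=0),
    "ids-tokyo": timedelta(seconds=75),
}

FORMAT_A = re.compile(r"^(\S+) (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d [+-]\d{4}) (.*)$")
FORMAT_B = re.compile(r"^(\d+);([^;]+);(.*)$")


def parse_record(line):
    """Translate one line of either format into (host, utc_datetime, event)."""
    m = FORMAT_A.match(line)
    if m:
        host, stamp, event = m.groups()
        # Honour the embedded offset, then express the time in UTC.
        ts = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S %z").astimezone(timezone.utc)
    else:
        m = FORMAT_B.match(line)
        if not m:
            raise ValueError(f"unrecognised log format: {line!r}")
        epoch, host, event = m.groups()
        ts = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
    # Correct for the host's drifting clock relative to the central reference.
    ts -= CLOCK_DRIFT.get(host, timedelta(0))
    return host, ts, event


def normalise(lines):
    """Return all records in the common structure, ordered by corrected UTC time."""
    records = [parse_record(line) for line in lines]
    records.sort(key=lambda r: r[1])
    return records
```

Note that the ids-tokyo record, which appears later than the first fw-paris record in raw time, sorts first once its clock drift is removed.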
The fact that the logs are not solely stored on the systems that are being compromised provides additional safety, because the traces of the intrusion cannot easily be erased. For the same reason, various logs should be kept on WORM storage such as CD-ROM. The workstations that fulfil the logging function should not be accessible over the regular network, to prevent them from being compromised. The location and installation of the logging function are important: under normal circumstances there is no reason to let someone get physical access to the logs.