Skip to content

Log Analysis, Logging Information and Data Security

Log Analysis is one of the great overlooked aspects of operational computer security. Many organizations spend hundreds of thousands of dollars on intrusion detection systems (IDS) deployments – but still ignore their firewall logs. Why? Because the tools and knowledge to make use of that data are often not there, or the tools that exist are too inconvenient. You should expect that to change. Right now, IDS vendors are up against the wall with the volumes of data they produce; the next wave in security is to try to usefully correlate and process the contents of multiple logs.

We’re dedicated to pulling together a repository of useful information on log analysis for computer security. We hope you find this site to be useful and informative. Please don’t hesitate to contact us if you’ve got suggestions for how we can make it better!

The System Log: Logging News and Information

There’s remarkably little coherent information out there for the system or network administrator who wants to start getting value out of their system logs. The problems seem overwhelming; you’ve got to figure out the what, where and how of logging before you even get started on the real work, the job of making sense out of the information your systems are producing.
Relax. We’re here to help. is designed to help inexperienced folks figure out where and how to start, and to provide obscure information and suggestions to the people who have been doing this for ages.

The meat of the site is in the Library. Links and documentation are arranged into several broad categories: Background Information, which includes specifications & standards as well as advice on logging for developers; Building a Logging Infrastructure, which includes information on syslog servers, log rotation, and client configurations for UNIX and non-UNIX systems;

Data Analysis, which includes data parsing tools, sample data, message dictionaries, intrusion signatures, and articles on writing regular expressions; the Product Space, where we provide links to vendors of log management products and servers, as well as reviews and comments from readers of the LogAnalysis mailing list; and finally Other Resources, where we publish summaries of religious wars from the mailing list, information on other related mailing lists, and links to other sites.

If you have comments about the organization of the site, a link you think should be here, or other questions, please feel free to drop us a line.

Firewall Logging & Monitoring

  • 49 min read

What kinds of events do firewall admins want to monitor? Significant events on firewalls fall into three broad categories: critical system issues (hardware failures and the like), significant authorized administrative events (ruleset changes, administrator account… Read More »Firewall Logging & Monitoring

Log Parsing

  • 4 min read

RESOURCES for Log Parsing Firewalls Firewall Logging — A generic introduction to logging firewall devices, with specifics on ipchains and FireWall-1, compiled by tbird cislog [.tar.gz]: A rudimentary tool for reporting on Cisco-based syslog data,… Read More »Log Parsing