One of the best ways to detect intrusions is to monitor event logs (sometimes called logs for short).
In general, servers store logs of their activity, and in particular any errors encountered, in files.
Therefore, after a computer attack, it is rare for the hacker to successfully compromise a system on the first try. He/she usually works by trial and error, testing out various requests.
This is why log monitoring can be used to detect suspicious activity. It is particularly important to monitor the logs of security-related software; as well-configured as they may be, they may still be the target of an attack.
Concept of noise
In reality, it is not obvious which alerts are triggered by real attacks by worms and viruses, and which are caused by tools such as vulnerability analyzers.
For this reason, most attacks on servers are attacks which are completely unable to compromise the system (such as Microsoft IIS server attacks used on Linux servers with Apache).
They do, however, trigger false alarms, causing what is known as "noise", which makes it harder to focus on real alarms.
Article written 22 July 2005 by Jean-FranÃ§ois Pillou.