Monitoring event logs

December 2016

Analysing logs

One of the best ways to detect intrusions is to monitor event logs (sometimes called logs for short).

Servers generally record their activity, and in particular any errors they encounter, in log files.

Moreover, during an attack it is rare for the attacker to compromise a system on the first try. He/she usually works by trial and error, testing out various requests, and each failed attempt leaves a trace in the logs.

This is why log monitoring can be used to detect suspicious activity. It is particularly important to monitor the logs of security-related software (firewalls, intrusion detection systems and the like); however well configured they may be, they may themselves be the target of an attack.

Concept of noise

In practice, it is not obvious which alerts are triggered by real attacks, whether by worms and viruses or by a human attacker, and which are caused by tools such as vulnerability scanners.

In fact, most attacks seen on servers are attacks that cannot possibly compromise the system (for example, attacks aimed at Microsoft IIS that are sent to Linux servers running Apache).

They do, however, trigger false alarms, producing what is known as "noise", which makes it harder to focus on the alarms that matter.
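As an added example (not part of the original article), the following Python script applies both ideas above to Apache access-log lines: it counts failed requests per source address to surface the trial-and-error behaviour described earlier, and it labels requests that only make sense against Microsoft IIS as "noise" on a Linux/Apache host so they do not swamp the real alarms. The log lines, the IIS-only path patterns and the failure threshold are all constructed for illustration and are assumptions, not a vetted signature set.

```python
"""Sort Apache access-log lines into trial-and-error probes and platform-irrelevant noise."""
import re
from collections import Counter, defaultdict

# Apache "combined" log format; the constructed sample lines below follow it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed heuristic: request paths that only make sense against Microsoft IIS.
# On an Apache/Linux host such requests cannot succeed and are classed as noise.
IIS_ONLY_RE = re.compile(r'(\.asp|\.aspx|\.ida|\.idq|/scripts/|cmd\.exe)', re.IGNORECASE)

# Assumed threshold: this many failed (4xx) requests from one source is a probe.
FAILURE_THRESHOLD = 3


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(line, platform="apache"):
    """Label one request.

    'noise'    : an attack that cannot succeed on this platform (IIS-only path on Apache)
    'failure'  : a failed request (4xx) that counts toward trial-and-error detection
    'ok'       : anything else
    'unparsed' : line does not match the expected log format
    """
    rec = parse_line(line)
    if rec is None:
        return "unparsed"
    if platform == "apache" and IIS_ONLY_RE.search(rec["path"]):
        return "noise"
    if 400 <= rec["status"] < 500:
        return "failure"
    return "ok"


def analyse(lines, platform="apache", threshold=FAILURE_THRESHOLD):
    """Summarise a batch of log lines.

    Returns (labels, suspects): per-label counts, and the set of source addresses
    whose relevant failures reached the threshold, i.e. likely trial-and-error probing.
    Noise is counted but deliberately excluded from the per-source failure tally.
    """
    labels = Counter()
    failures = defaultdict(int)
    for line in lines:
        label = classify(line, platform)
        labels[label] += 1
        if label == "failure":
            failures[parse_line(line)["ip"]] += 1
    suspects = {ip for ip, n in failures.items() if n >= threshold}
    return labels, suspects


# Constructed sample log (not real traffic): one source probing several paths on
# the Apache server, one source sending IIS-only requests, and one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Jul/2005:10:00:01 +0200] "GET /admin/ HTTP/1.1" 404 209
203.0.113.7 - - [22/Jul/2005:10:00:02 +0200] "GET /login.php HTTP/1.1" 404 209
203.0.113.7 - - [22/Jul/2005:10:00:03 +0200] "GET /old/ HTTP/1.1" 404 209
203.0.113.7 - - [22/Jul/2005:10:00:04 +0200] "GET /config.bak HTTP/1.1" 403 199
198.51.100.9 - - [22/Jul/2005:10:01:00 +0200] "GET /default.ida?XXXX HTTP/1.0" 404 209
198.51.100.9 - - [22/Jul/2005:10:01:01 +0200] "GET /scripts/cmd.exe HTTP/1.0" 404 209
192.0.2.15 - - [22/Jul/2005:10:02:00 +0200] "GET /index.html HTTP/1.1" 200 5120
192.0.2.15 - - [22/Jul/2005:10:02:01 +0200] "GET /missing.png HTTP/1.1" 404 209
"""

if __name__ == "__main__":
    counts, suspects = analyse(SAMPLE_LOG.splitlines())
    print("label counts:", dict(counts))
    print("sources to investigate:", sorted(suspects))
```

Run against the constructed sample, the script reports five failures, two noise lines and one ordinary request, and names only 203.0.113.7 as a source worth investigating: the single 404 from the ordinary visitor stays under the threshold, and the IIS-only requests are recorded but kept out of the failure tally. The same separation is what an analyst applies when tuning real alert rules, so that platform-irrelevant attack traffic is logged for trend purposes without raising alarms.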

Article written 22 July 2005 by Jean-François Pillou.


This document entitled « Monitoring event logs » from CCM (ccm.net) is made available under the Creative Commons license. You can copy and modify copies of this page, under the conditions stipulated by the license, provided that this note appears clearly.