II.C.22 Log Management
Network and host activities typically are recorded on the host
and sent across the network to a central logging repository. The
data that arrive at the repository are in the format of the
software that recorded the activity. The logging repository may
process the data, which can enable timely and effective log analysis.
Management should have effective log retention policies that
address the significance of maintaining logs for incident response
and analysis needs.
Log files are critical to the successful investigation and
prosecution of security incidents and can potentially contain
sensitive information. Intruders often attempt to conceal
unauthorized access by editing or deleting log files. Therefore,
institutions should strictly control and monitor access to log
files whether on the host or in a centralized logging repository.
Considerations for securing the integrity of log files include the
Additionally, logging practices should be reviewed periodically
by an independent party to ensure appropriate log management.
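As an added illustration of the integrity concern above (not part of the booklet), the following Python builds a small append-only log whose entries are linked by HMACs, then checks what a verifier reports when an entry is edited, deleted, renumbered to hide the deletion, or chopped off the end. The key, the record contents and the checkpoint scheme are constructed for the example; the point is that the verification key and the chain head (checkpoint) live with the central repository or an independent reviewer, so edits made on the host are detectable.

```python
import copy
import hashlib
import hmac
import json

# Constructed example key. In practice the verification key is held by the
# central repository or an independent reviewer, not by the host that writes
# the log, so whoever edits the host's files cannot simply re-sign them.
KEY = b"example-log-integrity-key"
GENESIS = "0" * 64  # stand-in for the MAC "before" the first entry


def entry_mac(key, prev_mac, seq, record):
    """MAC over the previous MAC, the sequence number and the record, so each
    entry commits to everything that came before it."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    h.update(prev_mac.encode())
    h.update(str(seq).encode())
    h.update(json.dumps(record, sort_keys=True).encode())
    return h.hexdigest()


class ChainedLog:
    """Append-only log whose entries are linked by HMACs."""

    def __init__(self, key):
        self.key = key
        self.entries = []
        self.head = GENESIS

    def append(self, record):
        seq = len(self.entries)
        mac = entry_mac(self.key, self.head, seq, record)
        self.entries.append({"seq": seq, "record": record, "mac": mac})
        self.head = mac  # checkpoint: store this apart from the log itself
        return mac


def verify_chain(key, entries, checkpoint=None):
    """Recompute every MAC in order; return (ok, reason)."""
    prev = GENESIS
    for pos, e in enumerate(entries):
        if e["seq"] != pos:
            return False, f"sequence gap at position {pos}: found seq {e['seq']}"
        expected = entry_mac(key, prev, e["seq"], e["record"])
        if not hmac.compare_digest(expected, e["mac"]):
            return False, f"MAC mismatch at seq {e['seq']}"
        prev = e["mac"]
    if checkpoint is not None and prev != checkpoint:
        return False, "chain head differs from checkpoint: trailing entries missing"
    return True, "ok"


def tamper_scenarios():
    """Build a small log from constructed records, apply the kinds of edits the
    booklet warns about, and report what the verifier says about each."""
    log = ChainedLog(KEY)
    log.append({"event": "login", "user": "jsmith", "src": "192.0.2.10"})
    log.append({"event": "sudo", "user": "jsmith", "cmd": "/usr/bin/vi /etc/shadow"})
    log.append({"event": "logout", "user": "jsmith"})
    clean = log.entries
    results = {"clean": verify_chain(KEY, clean, log.head)}

    edited = copy.deepcopy(clean)
    edited[1]["record"]["cmd"] = "/usr/bin/ls"      # entry rewritten in place
    results["edited"] = verify_chain(KEY, edited, log.head)

    deleted = copy.deepcopy(clean)
    del deleted[1]                                   # entry removed outright
    results["deleted"] = verify_chain(KEY, deleted, log.head)

    renumbered = copy.deepcopy(deleted)
    for pos, e in enumerate(renumbered):             # gap papered over by renumbering
        e["seq"] = pos
    results["renumbered"] = verify_chain(KEY, renumbered, log.head)

    truncated = copy.deepcopy(clean)[:2]             # tail of the log dropped
    results["truncated_no_checkpoint"] = verify_chain(KEY, truncated)
    results["truncated"] = verify_chain(KEY, truncated, log.head)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in tamper_scenarios().items():
        print(f"{name:24s} ok={ok} {reason}")
```

The truncated case without a checkpoint verifies cleanly, which is the reason the chain head has to be recorded somewhere the host cannot reach; with it, every one of the edits is caught.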
Logs are voluminous and challenging to read. They come from a
variety of systems and can be difficult to manage and correlate.
Security information and event management (SIEM) systems can
provide a method for management to collect, aggregate, analyze, and
correlate information from discrete systems and applications.
Management can use SIEM systems to discern trends and identify
potential information security incidents. SIEM systems can be used
to gather information from the following:
Regardless of the method of log management, management should
develop processes to collect, aggregate, analyze, and correlate
security information. Policies should define retention periods for
security and operational logs. Institutions maintain event logs to
understand an incident or cyber event after it occurs. Monitoring
event logs for anomalies and relating that information with other
sources of information broadens the institution's ability to
understand trends, react to threats, and improve reports to
management and the board.
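The collect, aggregate, analyze and correlate process described in the SIEM and retention paragraphs above, as an added Python example that is not part of the booklet: two constructed feeds in different native formats (syslog-style lines from two hosts and JSON lines from an application) are normalized into one schema, a cross-host correlation rule flags a source address that fails logins on several systems within a short window (a pattern no single host's log would reveal), and a per-category retention policy is applied. The sample lines, the field names, the alert thresholds and the retention periods are all assumptions chosen for the example.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample records in two source formats: syslog-style lines from
# two hosts and JSON lines from an application server.
SYSLOG_LINES = [
    "2024-03-01T10:00:01Z host-a sshd[101]: Failed password for admin from 198.51.100.7 port 5001 ssh2",
    "2024-03-01T10:00:05Z host-a sshd[101]: Failed password for root from 198.51.100.7 port 5002 ssh2",
    "2024-03-01T10:00:09Z host-b sshd[202]: Failed password for admin from 198.51.100.7 port 5003 ssh2",
    "2024-03-01T10:00:30Z host-b sshd[202]: Accepted password for jsmith from 192.0.2.10 port 6000 ssh2",
    "2024-03-01T10:01:00Z host-a CRON[303]: (root) CMD (run-parts /etc/cron.hourly)",
]
JSON_LINES = [
    '{"ts": "2024-03-01T10:00:12Z", "host": "app-1", "event": "login_failed", "user": "admin", "src": "198.51.100.7"}',
    '{"ts": "2024-03-01T10:00:40Z", "host": "app-1", "event": "login_ok", "user": "jsmith", "src": "192.0.2.10"}',
]

SYSLOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")
AUTH_RE = re.compile(r"^(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+) port \d+")

# Retention periods in days per log category: illustrative values, since the
# booklet leaves the actual periods to institutional policy.
RETENTION_DAYS = {"security": 365, "operational": 90}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "now" so the run is repeatable


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize_syslog(line):
    """Map a syslog-style line onto the common schema; authentication events
    become 'security', everything else 'operational'."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ev = {"ts": parse_ts(m["ts"]), "host": m["host"], "source": m["prog"],
          "category": "operational", "outcome": None, "user": None, "src": None}
    a = AUTH_RE.match(m["msg"])
    if a:
        ev.update(category="security", user=a["user"], src=a["src"],
                  outcome="failure" if a["outcome"] == "Failed" else "success")
    return ev


def normalize_json(line):
    """Map an application JSON record onto the same schema."""
    d = json.loads(line)
    outcome = {"login_failed": "failure", "login_ok": "success"}.get(d.get("event"))
    return {"ts": parse_ts(d["ts"]), "host": d["host"], "source": "app",
            "category": "security" if outcome else "operational",
            "outcome": outcome, "user": d.get("user"), "src": d.get("src")}


def collect():
    """Aggregate both feeds into one time-ordered list of normalized events."""
    events = [normalize_syslog(l) for l in SYSLOG_LINES] + [normalize_json(l) for l in JSON_LINES]
    return sorted((e for e in events if e), key=lambda e: e["ts"])


def correlate_failed_logins(events, threshold=3, min_hosts=2, window_s=60):
    """Alert when one source address accumulates `threshold` failures across at
    least `min_hosts` distinct hosts inside a sliding time window."""
    by_src = defaultdict(list)
    for e in events:  # events arrive time-ordered from collect()
        if e["outcome"] == "failure" and e["src"]:
            by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                start += 1
            window = evs[start:end + 1]
            hosts = sorted({e["host"] for e in window})
            if len(window) >= threshold and len(hosts) >= min_hosts:
                alerts.append({"src": src, "count": len(window), "hosts": hosts,
                               "first": window[0]["ts"], "last": window[-1]["ts"]})
                break  # one alert per source is enough here
    return alerts


def apply_retention(events, now=NOW):
    """Keep only events still inside their category's retention period."""
    return [e for e in events
            if now - e["ts"] <= timedelta(days=RETENTION_DAYS[e["category"]])]


def run_pipeline():
    events = collect()
    return {"collected": len(events),
            "alerts": correlate_failed_logins(events),
            "retained": len(apply_retention(events))}


if __name__ == "__main__":
    print(json.dumps(run_pipeline(), indent=2, default=str))
```

Each feed keeps its own format only until normalization; the correlation rule and the retention policy then work on the shared schema, which is what lets a rule span host-a, host-b and the application server in one query.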