Log analysis is one of the most overlooked aspects of intrusion detection. Nowadays every desktop runs an antivirus, companies deploy multiple firewalls, and even ordinary end users buy the latest security-related tools.
However, who is watching or monitoring all the information these tools generate? Or, even worse, who is watching your web server, mail server or authentication logs? I'm not talking about pretty usage statistics from your web logs (like what Webalizer produces). I'm talking about the crucial security information that only a few of these events carry and that nobody notices. Many attacks would not have succeeded (or would have been stopped much earlier) if administrators had taken the trouble to monitor their logs.
We are not saying that log analysis is easy or that you should be manually reading all your logs on a daily basis. Because logs are complex and generally high in volume, automated log analysis is essential.
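To make the point concrete, here is a small automated analyser for sshd authentication log lines. It is an added example, not code from the original document or from any particular log-analysis tool. The log lines are constructed for the example (not a real capture), the threshold of five failures within sixty seconds is an arbitrary illustrative choice, and the year is assumed because classic syslog timestamps do not carry one. The analyser surfaces exactly the kind of event the text describes: a burst of failed logins from one source followed by a successful login from the same source, which a human skimming thousands of routine lines would almost certainly miss.

```python
"""Minimal automated analysis of sshd authentication log lines.

Added example for this page; the sample log below is constructed, not a
real capture. Thresholds and the assumed year are illustrative choices.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log: one attacker (203.0.113.9) brute-forces root and
# eventually succeeds; bob mistypes his password once; other lines are noise.
SAMPLE_LOG = """\
Mar  3 10:01:02 host sshd[2210]: Accepted publickey for alice from 10.0.0.5 port 51522 ssh2
Mar  3 10:01:07 host sshd[2215]: Failed password for invalid user admin from 203.0.113.9 port 40122 ssh2
Mar  3 10:01:08 host sshd[2216]: Failed password for invalid user oracle from 203.0.113.9 port 40123 ssh2
Mar  3 10:01:09 host sshd[2217]: Failed password for root from 203.0.113.9 port 40124 ssh2
Mar  3 10:01:10 host sshd[2218]: Failed password for root from 203.0.113.9 port 40125 ssh2
Mar  3 10:01:11 host sshd[2219]: Failed password for root from 203.0.113.9 port 40126 ssh2
Mar  3 10:01:15 host sshd[2220]: Accepted password for root from 203.0.113.9 port 40127 ssh2
Mar  3 10:05:30 host sshd[2301]: Failed password for bob from 10.0.0.7 port 51600 ssh2
Mar  3 10:05:41 host sshd[2302]: Accepted password for bob from 10.0.0.7 port 51601 ssh2
Mar  3 10:06:00 host cron[2400]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Matches OpenSSH "Accepted"/"Failed" lines in syslog format. Everything
# else (cron, other daemons) is deliberately ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2024):
    """Return a dict for sshd auth events, None for any other line.

    `year` is an assumption: syslog timestamps carry no year.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    stamp = " ".join(ev["ts"].split())  # collapse the padding in "Mar  3"
    ev["ts"] = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return ev


def analyse(log_text, threshold=5, window_seconds=60):
    """Sliding-window failure counter per source IP.

    Raises a 'brute_force' alert once a source reaches `threshold` failures
    within `window_seconds`, and a 'success_after_brute_force' alert for any
    later successful login from a source that was already flagged.
    """
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["outcome"] == "Failed":
            recent = failures[ip]
            recent.append(ts)
            # Drop failures that fell out of the window.
            while recent and (ts - recent[0]).total_seconds() > window_seconds:
                recent.popleft()
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"rule": "brute_force", "ip": ip,
                               "at": ts, "user": ev["user"]})
        elif ip in flagged:
            # The event nobody notices: the brute force worked.
            alerts.append({"rule": "success_after_brute_force", "ip": ip,
                           "at": ts, "user": ev["user"]})
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(f"{alert['at']}  {alert['rule']:<28} {alert['ip']}  user={alert['user']}")
```

On the constructed sample this yields two alerts for 203.0.113.9: `brute_force` at the fifth failure and `success_after_brute_force` on the later accepted login as root; bob's single typo never reaches the threshold. In production the same logic would be fed by a log forwarder rather than a string, the window and threshold tuned per environment, and the regex extended to cover the other message variants sshd emits.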
The full document is available in PDF format.