What Is a Security Log?

A security log maintains continuously updated records of security-related events in a computer system or network. Whenever an event that fits the configured parameters occurs, a new entry is written to the log. Such logging can cover operating system events, applications, and network activity. The information is available for review and may feed into a management system that makes it easier to locate events of concern and identify specific issues within the log. Raw log files are also available for technicians to review by hand.

Some examples of entries in a security log might include program updates, changes in permissions, and suspected intrusions. The security log runs continuously to compile information for the benefit of the operator. In the event of a problem, it can be audited to learn more about the nature of the situation and how the computer responded. For example, a technician might note that a firewall blocked an attack while allowing another through. This indicates that a modification may be necessary to prevent similar intrusions in the future.

The compiled data may be stored for varying lengths of time. Maintaining a security log that dates back to when the system was first booted would result in a massive file. Thus, the system periodically purges its logs to remove old data. A technician can determine the most appropriate retention period, balancing the need to conserve storage against the potential need to look through older records to identify patterns.

One issue with security logs is their sheer size, even with regular removal of old records. Manually going through a log can be practically impossible on a complex computer or network because of the large number of entries. Not reviewing the log at all, however, defeats its purpose and may mean that technicians miss important events. A server, for example, could have a trail of events in the log leading up to an attack. If those had been spotted, the intrusion might have been prevented.

Management of security logs may involve a program that scans the log automatically. The program can look for key phrases or specific types of events and generate a report for the operator. Some can trigger automatic warnings; a server, for example, may call an emergency phone number when signs of an immediate threat appear in the security log. This becomes part of the layered security of the system, minimizing the risk of downtime and data loss.
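To make the scanning program described above concrete, here is an added Python example (not code from the original article) that reads constructed sample log lines, counts key-phrase hits per event type, applies a retention window like the purge described earlier, and raises an alert when one source address produces a burst of failed logins. The log layout, the key phrases, and the threshold and window values are assumptions chosen for the illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
# Constructed sample entries in a syslog-like layout; not from any real system.
SAMPLE_LOG = """\
2024-03-01T08:00:01 host1 sshd: Failed password for root from 203.0.113.5
2024-03-01T08:00:03 host1 sshd: Failed password for root from 203.0.113.5
2024-03-01T08:00:04 host1 sshd: Failed password for admin from 203.0.113.5
2024-03-01T08:00:09 host1 sudo: alice changed permissions on /etc/shadow
2024-03-09T09:15:00 host1 yum: Updated: openssl-3.0.7
this line is garbage and must not crash the scanner
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")
# Key phrases the scanner looks for, mapped to the event type used in the report.
KEYPHRASES = {
    "Failed password": "auth_failure",
    "changed permissions": "permission_change",
    "Updated:": "software_update",
}

def parse(log_text):
    """Return (entries, malformed_count); bad lines are counted, not ignored."""
    entries, bad = [], 0
    for line in log_text.splitlines():
        if m := LINE_RE.match(line):
            entries.append({**m.groupdict(), "ts": datetime.fromisoformat(m["ts"])})
        else:
            bad += 1
    return entries, bad

def purge_old(entries, now, retention_days):
    """Retention policy: keep only entries newer than the configured window."""
    cutoff = now - timedelta(days=retention_days)
    return [e for e in entries if e["ts"] >= cutoff]

def scan(entries, fail_threshold=3, window=timedelta(seconds=60)):
    """Count key-phrase hits per type; alert on a burst of auth failures from one source."""
    report, alerts = Counter(), []
    recent = defaultdict(list)  # source address -> failure times still inside the window
    for e in entries:
        for phrase, kind in KEYPHRASES.items():
            if phrase in e["msg"]:
                report[kind] += 1
                if kind == "auth_failure":
                    src = e["msg"].rsplit(" ", 1)[-1]  # last token is the source address
                    recent[src] = [t for t in recent[src] if e["ts"] - t <= window] + [e["ts"]]
                    if len(recent[src]) >= fail_threshold:
                        alerts.append(f"{src}: {len(recent[src])} failed logins in {window}")
                        recent[src] = []  # reset so one burst produces one alert
    return report, alerts
```

Running `scan(*parse(SAMPLE_LOG)[:1])` on the sample yields one alert for the burst from 203.0.113.5 and a report with three failures, one permission change, and one update; the malformed line is counted rather than crashing the scanner.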