This story goes back years - many, many years. It starts with “SANS Top 5 Log Reports” [PDF] in 2006, and then continues with me volunteering to update it in 2009. I did a lot of work on it in 2009-2010, but never got it to a stage where I was 100% happy with it. Then in 2011, I joined Gartner and therefore was unable to finish it. Only in 2012 did I find a new author who polished it before handing it to SANS for publication.
The document has now been published as “The 6 Categories of Critical Log Information” (with a subtitle of “Top 6 SANS Essential Categories of Log Reports 2013”, v 3.01).
At its center are these top log report categories:
- Authentication and Authorization Reports
- Systems and Data Change Reports
- Network Activity Reports
- Resource Access Reports
- Malware Activity Reports
- Failure and Critical Error Reports
The document can be used to figure out what to log, what to report on and what reports to review for various purposes.
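One way to put the six categories to work is to bucket incoming log events into them and then look for categories that receive no events at all, which is a direct way to "figure out what to log". The script below is an added example written for this post, not code from the SANS document or its authors; the keyword rules and the sample log lines are constructed for illustration (a real deployment would classify on parsed fields such as event ids rather than free-text patterns), and the category names drop the word "Reports" from the list above.

```python
import re
from collections import Counter
from typing import Iterable, List

# The six SANS essential log report categories, in the order the document lists them.
CATEGORIES = (
    "Authentication and Authorization",
    "Systems and Data Change",
    "Network Activity",
    "Resource Access",
    "Malware Activity",
    "Failure and Critical Error",
)
UNCATEGORIZED = "Uncategorized"

# Keyword rules constructed for this example (an assumption, not the SANS document's
# own definitions). Order matters: the first matching rule wins, so the more specific
# signals (malware verdicts, auth events) are checked before the generic ones.
RULES = [
    ("Malware Activity",
     re.compile(r"\b(virus|malware|trojan|quarantin|eicar)\w*", re.I)),
    ("Authentication and Authorization",
     re.compile(r"\b(login|logon|authentication|sudo|password|session opened|privilege)\b", re.I)),
    ("Systems and Data Change",
     re.compile(r"\b(installed|useradd|usermod|config(uration)? changed|policy (changed|modified)|file modified)\b", re.I)),
    ("Network Activity",
     re.compile(r"\b(firewall|DROP|ACCEPT|DENY|connection (from|to))\b|\b(dst|src)=", re.I)),
    ("Failure and Critical Error",
     re.compile(r"\b(crit(ical)?|panic|failed to start|segfault|out of memory|disk full)\b", re.I)),
    ("Resource Access",
     re.compile(r"\b(GET|POST|PUT|DELETE)\s+/|\bopened file\b|\bshare access\b", re.I)),
]


def classify(line: str) -> str:
    """Return the category of a single log line, or UNCATEGORIZED if no rule matches."""
    for category, pattern in RULES:
        if pattern.search(line):
            return category
    return UNCATEGORIZED


def summarize(lines: Iterable[str]) -> Counter:
    """Count events per category; every category is present even with zero hits."""
    counts = Counter({c: 0 for c in CATEGORIES})
    counts.update(classify(line) for line in lines)
    return counts


def coverage_gaps(lines: Iterable[str]) -> List[str]:
    """Categories that received no events: the first place to look for logging gaps."""
    counts = summarize(list(lines))
    return [c for c in CATEGORIES if counts[c] == 0]


# Constructed sample log lines (RFC 5737 documentation addresses), one per category
# plus one routine cron line that no category claims.
SAMPLE_LOGS = [
    "Jan 10 10:01:02 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Jan 10 10:02:15 host sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart nginx",
    "Jan 10 10:03:00 host useradd[2222]: new user: name=deploy, UID=1005, GID=1005, home=/home/deploy",
    "Jan 10 10:04:44 fw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=445",
    'Jan 10 10:05:10 web nginx: 192.0.2.55 - - "GET /admin/config.php HTTP/1.1" 200 512',
    "Jan 10 10:06:30 host clamd: /tmp/upload.exe: Win.Trojan.Agent FOUND",
    "Jan 10 10:07:01 host kernel: Out of memory: Killed process 4321 (java)",
    "Jan 10 10:08:00 host cron[555]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(f"{classify(line):34s} | {line[:70]}")
    print()
    for category, count in summarize(SAMPLE_LOGS).items():
        print(f"{count:3d}  {category}")
    print("\nCategories with no events:", coverage_gaps(SAMPLE_LOGS) or "none")
```

Running it on the sample lines fills all six categories and leaves the cron line uncategorized; run it on only the first three lines and `coverage_gaps` reports four empty categories, which is the kind of result that tells you a log source is missing from the collection pipeline.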
So, enjoy! A lot of work by many smart people went into this. Thanks A LOT to those who contributed to it over the years. Special thanks go to Marcus Ranum, the original logging guru, and the enlightened members of the SANS GIAC Alumni mailing list.
P.S. Those of you who have read our Log Management book have seen an earlier and somewhat more wordy version of it. This one is better!