Audit Trail and Audit Log Management and Parsing

Log files contain a wealth of data about system conditions and activity. Turning that data into useful information requires two things:

  • Log file management: A system of storing and rotating log files. The data recorded in log files may be needed as legal evidence if the attacker responsible for a security breach is prosecuted. Because of this, log files should be retained for at least the length of time allowed under the statute of limitations in your jurisdiction. However, keeping several years' worth of log files on a production server is unwieldy. Log files should be backed up regularly and deleted from production servers to conserve space.
  • Log file parsing: Parsing is the process of translating and reformatting raw log files into useful reports. In the middle of an attack, systems administrators do not have time to dig through raw log files. They need specific, actionable information in an easy-to-use format.

An audit trail is a series of events gleaned from parsed log file reports over a period of time. These events generally revolve around a specific user or a larger event such as a security breach. An audit trail is a useful tool in piecing together the events leading up to and including a security breach.
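As an added illustration of the parsing step and of the audit trail described above (example code written for this page, not taken from the book): it turns constructed sshd/sudo-style syslog lines into structured events, produces an actionable failed-login report, and extracts the chronological audit trail for one user. The log format, field names and the failure threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample log lines in a syslog/sshd/sudo style (not from the page).
SAMPLE_LOG = """\
Mar 10 08:01:12 host1 sshd[2101]: Accepted password for alice from 10.0.0.5 port 51022 ssh2
Mar 10 08:03:45 host1 sshd[2130]: Failed password for bob from 203.0.113.7 port 40011 ssh2
Mar 10 08:03:49 host1 sshd[2130]: Failed password for bob from 203.0.113.7 port 40011 ssh2
Mar 10 08:03:53 host1 sshd[2130]: Failed password for bob from 203.0.113.7 port 40011 ssh2
Mar 10 08:04:02 host1 sshd[2141]: Accepted password for bob from 203.0.113.7 port 40015 ssh2
Mar 10 08:10:30 host1 sudo: bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/less /var/log/auth.log
Mar 10 08:15:00 host1 sshd[2101]: Disconnected from user alice 10.0.0.5 port 51022
"""

# Assumed line layout: "<Mon dd HH:MM:SS> <host> <program>[pid]: <message>"
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[\w-]+)(?:\[\d+\])?: (?P<msg>.*)$")
SSH_RE = re.compile(r"^(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
DISC_RE = re.compile(r"^Disconnected from user (?P<user>\S+) (?P<src>\S+)")

def parse_log(text):
    """Parsing step: translate raw lines into structured event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole report
        ts, prog, msg = m.group("ts"), m.group("prog"), m.group("msg")
        if prog == "sshd" and (s := SSH_RE.match(msg)):
            events.append({"ts": ts, "user": s["user"], "src": s["src"],
                           "action": "login_ok" if s["result"] == "Accepted" else "login_failed"})
        elif prog == "sshd" and (d := DISC_RE.match(msg)):
            events.append({"ts": ts, "user": d["user"], "src": d["src"], "action": "logout"})
        elif prog == "sudo" and (u := SUDO_RE.match(msg)):
            events.append({"ts": ts, "user": u["user"], "src": None, "action": "sudo",
                           "detail": f"{u['target']}: {u['cmd']}"})
    return events

def failed_login_report(events, threshold=3):
    """Actionable report: source addresses with at least `threshold` failed logins."""
    counts = Counter(e["src"] for e in events if e["action"] == "login_failed")
    return {src: n for src, n in counts.items() if n >= threshold}

def audit_trail(events, user):
    """Audit trail: the chronological series of parsed events for one user."""
    return [e for e in events if e["user"] == user]

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("Failed-login sources:", failed_login_report(evs))
    for e in audit_trail(evs, "bob"):
        print(e["ts"], e["action"], e.get("src") or e.get("detail"))
```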
