Audit Trail and Audit Log Reporting Issues and Concerns

Once log files are effectively managed and parsed, they must be analyzed. On a production system, the auditing system can produce gigabytes of data per day—too much data to be effectively analyzed in its raw state. Trying to manually analyze that much raw data would take an excessive amount of time, and it would quickly become difficult to separate the important from the trivial log entries.

To avoid these problems, it is crucial to follow an effective and efficient analysis system that allows systems administrators to manage such large amounts of data. A good analysis system will overcome these issues:

  • Time: Digging through log files looking for signs of malicious activity that may or may not exist is a tedious and time-consuming task. Automated analysis and reporting can help by putting all those data into a more easily understood format. Procedures that dictate a regular log analysis can also help remind systems administrators to spend the necessary time on this task.
  • Normalization: Normalization is the process of translating log files from various systems into a common format. This allows administrators to easily compare and correlate events from a UNIX-based web server and a Windows-based domain controller, for example. Normalization also ensures that system-specific information, such as times and IP addresses, is correlated across multiple log sources.
  • Prioritization: Prioritization is the process of determining which log files and/or entries are important and may require action and which are less important or informational only. Knowing what to look for makes the job of analyzing log files more efficient because it allows administrators to quickly discard log entries that are not of immediate interest. Most of the time, log file analysis is done to answer a specific set of questions:
    • Are we now or have we recently been under attack?
    • Did the attack succeed?
    • How extensive is the damage from the attack?
    • Has this ever happened before?
  • Tunnel vision: The downfall of prioritizing is that some very interesting and important data can be overlooked because they do not directly answer the immediate questions. You might know what a DoS attack looks like in the logs. However, if you are looking specifically for a DoS attack, it is easy to miss the warning signs of a code injection attack.
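The normalization and correlation step described above, as an added example that is not from the book: two constructed log formats (an Apache-style access log from a UNIX web server and a key=value export of Windows domain-controller events; the field names and sample values are assumptions) are translated into one schema with UTC timestamps, then joined on source IP so that activity seen on both systems within a short window stands out.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines; addresses are documentation ranges, not real hosts.
APACHE_LINES = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 -0700] "GET /login HTTP/1.1" 401 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:40 -0700] "POST /login HTTP/1.1" 200 1024',
    '198.51.100.9 - - [10/Oct/2023:14:01:02 -0700] "GET /index.html HTTP/1.1" 200 2048',
]
# Constructed key=value export; assumes the exporter already wrote UTC timestamps.
WINDOWS_LINES = [
    'TimeCreated=2023-10-10T20:55:38Z EventID=4625 SourceAddress=203.0.113.5 Account=admin',
    'TimeCreated=2023-10-10T21:30:00Z EventID=4624 SourceAddress=192.0.2.77 Account=svc',
]

APACHE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})')
WIN_RE = re.compile(r'TimeCreated=(?P<ts>\S+) EventID=(?P<eid>\d+) SourceAddress=(?P<ip>\S+)')

def normalize_apache(line):
    """Web server line -> common record; local offset is converted to UTC."""
    m = APACHE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z').astimezone(timezone.utc)
    return {'ts': ts, 'src_ip': m['ip'], 'source': 'web', 'event': f"http {m['status']} {m['req']}"}

def normalize_windows(line):
    """Domain controller line -> common record with the same field names."""
    m = WIN_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%Y-%m-%dT%H:%M:%SZ').replace(tzinfo=timezone.utc)
    return {'ts': ts, 'src_ip': m['ip'], 'source': 'dc', 'event': f"eventid {m['eid']}"}

def normalize_all(apache_lines, windows_lines):
    """Merge both sources into one timeline ordered by UTC timestamp."""
    events = [e for e in map(normalize_apache, apache_lines) if e]
    events += [e for e in map(normalize_windows, windows_lines) if e]
    return sorted(events, key=lambda e: e['ts'])

def correlate_by_ip(events, window=timedelta(minutes=5)):
    """Return IPs that appear in more than one log source within `window`."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e['src_ip']].append(e)
    hits = {}
    for ip, evs in by_ip.items():
        if len({e['source'] for e in evs}) > 1 and evs[-1]['ts'] - evs[0]['ts'] <= window:
            hits[ip] = [f"{e['ts'].isoformat()} {e['source']} {e['event']}" for e in evs]
    return hits
```

Running `correlate_by_ip(normalize_all(APACHE_LINES, WINDOWS_LINES))` reports only 203.0.113.5, whose failed web login, failed domain logon and successful web login fall within four seconds once both clocks are expressed in UTC.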

Automated log analysis software can help make this task more manageable, but ultimately there is no substitute for time and expertise. Good systems administrators who are not rushed can often find a crucial piece of evidence in the log files that allows them to prevent an attack before it starts.
