Common mistakes made by Admins during log analysis

Umendra Singh by   01.28.2014   Auditing

In today’s modern era of cloud computing organizations are deploying wide range of network security tools to ensure foolproof security of network. The implementation of firewalls, antivirus, Network Intrusion Detection Systems (NIDS) etc. doesn’t mean that the network is fully secured. To keep any network’s security up to date it is must for administrators that they should keep analyzing the user generated, system generated, and security tools generated logs on regular basis. In any network, all the user, system actions and all the deployed security tools generate large amount of logs so there is a need of centralized platform to collect, store, and reconcile security logs collected from various sources and present audit-ready information. The administrators who follow the native auditing process to analyze the event logs face some serious issues related to network security on some occasions. The reason is they make following common mistakes in their approach of log analysis.

Start Audit only when damage is done

Even after designing a comprehensive log collection and storage system, administrators don’t want to analyze the logs as they feel very boring when see huge amount logs to be analyzed, means they don’t act proactively. They start audit only when an untoward incidence has already taken place. This limits their action to corrective measures. Regular analysis of logs helps to prevent security breaches and unwanted incidents from happening altogether maintaining the integrity of the network.

Looking only for critical event’s and security breach’s logs

Most of the times admins want to save themselves from the pain of analyzing piles of log data so they just audit particular type of events logs (that are usually generated by critical events and unwanted incidents). This method certainly reduces the time and resource consumed in doing log analysis but leaves a lot of loopholes as it is not sure what can be always good or bad for a network. So, admins should do full data mining of event logs to get deep insight of system behavior and usage.

Underestimate the importance of old logs

Many a times IT admins fail to understand how old logs can help them in investigating if any security breaches or unwanted incident occur in the network. Consider a case, if an organization keeps only one year old logs but if any incident is traced after two years then organization can’t investigate about that as the logs related to that will not be available for analysis. So, it is important for organizations that they should make necessary arrangements for long term storage of logs. As per the guidelines of regulatory authorities organizations should retain old logs for seven years.

So, while devising comprehensive log analysis strategy ensure that you don’t fall into the trap of making these common mistakes and instead devise a policy that is failsafe and can ensure in totality what log analysis stands for – a safe and secure network environment with near-zero downtime and fully complaint to regulations.


Lepide® is a Registered Trademarks of Lepide Software Private Limited. © Copyright 2018 Lepide Software Private Limited. All Trademarks Acknowledged.