For those of you who do not monitor the LogAnalysis mailing list, there has been some discussion about what information (besides the actual log contents) is useful for log analysis.

Anton Chuvakin has posted a summary of this on his blog. It is definitely a worthwhile read, as these are the important points that CEE must take into consideration.
http://chuvakin.blogspot.com/2008/06/logging-poll-8-analysis-needed-log.html
For example, the two most important things people want to make sense of their logs (and should be central issues in any log standard) are:

1. Other logs from around the same time
   - This is contextual information and implies that some logs often appear in sequence for certain actions. With well-defined events, these specific sequences can be better identified and studied.

2. Documentation on the log's meaning
   - This is one of the primary motivations for CEE and a real need with log analysis. Why do vendors write cryptic log messages that require their own translation manual?
William Heinbockel
Infosec Engineer, Sr.
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel@...
781-271-2615
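The two needs named in the post, shown as an added example that is not part of the original message or of CEE itself: with events that carry well-defined fields (a constructed sample log with assumed field names), the analyst can pull the other events from around the same time and recognise a known sequence, and a documentation table gives each event its meaning.

```python
from datetime import datetime, timedelta

# Constructed sample records; the field names (time, host, user, action,
# status) are an assumption made for this example, not a CEE definition.
EVENTS = [
    {"time": "2008-06-10T09:00:01", "host": "srv1", "user": "alice", "action": "login", "status": "failure"},
    {"time": "2008-06-10T09:00:03", "host": "srv1", "user": "alice", "action": "login", "status": "failure"},
    {"time": "2008-06-10T09:00:05", "host": "srv1", "user": "alice", "action": "login", "status": "success"},
    {"time": "2008-06-10T09:00:07", "host": "srv1", "user": "alice", "action": "sudo", "status": "success"},
    {"time": "2008-06-10T09:30:00", "host": "srv2", "user": "bob", "action": "login", "status": "success"},
]

# Point 2: documentation of meaning kept beside the event definitions,
# so a message never needs a vendor "translation manual".
EVENT_DOCS = {
    ("login", "failure"): "Authentication attempt rejected",
    ("login", "success"): "Interactive session established",
    ("sudo", "success"): "Privilege elevation granted",
}

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def context(events, index, window=timedelta(seconds=30)):
    """Point 1: other events from the same host within +/- window of events[index]."""
    anchor = parse_time(events[index]["time"])
    return [e for i, e in enumerate(events)
            if i != index and e["host"] == events[index]["host"]
            and abs(parse_time(e["time"]) - anchor) <= window]

def find_sequence(events, pattern, window=timedelta(seconds=30)):
    """Return index chains where the ordered (action, status) pattern occurs
    for one host and user within the window, relying on well-defined fields."""
    hits = []
    for i, first in enumerate(events):
        if (first["action"], first["status"]) != pattern[0]:
            continue
        chain, start = [i], parse_time(first["time"])
        for j in range(i + 1, len(events)):
            e = events[j]
            if parse_time(e["time"]) - start > window:
                break  # events are in time order, so nothing later can qualify
            if (e["host"], e["user"]) == (first["host"], first["user"]) \
                    and (e["action"], e["status"]) == pattern[len(chain)]:
                chain.append(j)
                if len(chain) == len(pattern):
                    hits.append(chain)
                    break
    return hits

def describe(events, indices):
    """Map each event in a chain to its documented meaning."""
    return [EVENT_DOCS.get((events[i]["action"], events[i]["status"]), "undocumented")
            for i in indices]
```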