I have been working on various SIEM (Security Information and Event Management) and log retention policy related projects lately. Through these projects, and others that I did as a security consultant, I have developed a list of log categories (or log types).
Surprisingly, I have found few if any authoritative documents that provide such a list.
I have read through various RFCs, the NIST SP 800-52 Guide to Computer Security Log Management and a large number of other documents, and still have not found a comparable list.
Because of the lack of existing lists, I wanted to post what I have come up with in hopes that it will help others seeking the same information, or at least generate conversation and point out other resources or types that I may have missed.
- Audit Trails: logs that document application or OS changes made and/or specific actions taken by a user. Also includes "object access/change" logs. This would include output from change management systems and system integrity logs like those Tripwire produces
- Event Logs: internal system or application events that are not specific to a user or user generated
- Traffic/Access Logs: web server hit logs; contain the URL accessed, visitor IP, browser, etc.
- Filter Device Logs: allows/denies from firewalls, IPS, ACL-enforcing routers, etc.
- Exception Logs: error logs
- Network Traces: packet captures, flow data, etc.
- Authentication Logs: login/logout/invalid login and session tracking
- Physical Access Logs: visitor log, biometric/badge/token door logs
- Transaction Logs: database generated
- Data Logger: statistical or numeric data. Data center environmental monitors, web hit counters, manufacturing equipment output data, etc.
Obviously some systems lump data from multiple categories into one physical file; this is where a good parser or SIEM product comes into play.
These categories also only include log data that would generally be 'computer generated' and are to be considered top-level categories. Many subcategories may exist under each.
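As a worked illustration of the "one physical file, many categories" problem, here is a small Python classifier that routes lines from a mixed host log into the top-level categories above. This is an added example written for this post, not code from the post's author or from any SIEM product. The sample lines are constructed, and the regex rules are hypothetical starting points: the point is that the category decision is a first-match rule table that a parser or SIEM applies before anything else (retention, alerting) can be done per category. Lines that match no rule fall back to Event Logs; Network Traces and Physical Access Logs are left out because they normally arrive as binary captures or badge-system exports rather than text lines.

```python
import re
from collections import defaultdict

# Short keys for the text-line categories listed in the post.
CATEGORIES = {
    "audit": "Audit Trails",
    "event": "Event Logs",
    "access": "Traffic/Access Logs",
    "filter": "Filter Device Logs",
    "exception": "Exception Logs",
    "auth": "Authentication Logs",
    "transaction": "Transaction Logs",
    "datalogger": "Data Logger",
}

# Ordered rule table: first match wins, so more specific patterns sit above
# the generic "ERROR" catch-all. All patterns are hypothetical examples and
# would be tuned per log source in a real deployment.
RULES = [
    ("auth", re.compile(r"\b(Accepted|Failed) (password|publickey)\b|session (opened|closed)")),
    ("audit", re.compile(r"\bsudo:.*COMMAND=|\btripwire\b.*\b(Added|Modified|Removed)\b")),
    ("filter", re.compile(r"\b(IPTABLES|UFW|FW)[_ -]?(DROP|DENY|BLOCK|ACCEPT)\b")),
    ("access", re.compile(r'"(GET|POST|PUT|DELETE|HEAD) \S+ HTTP/\d\.\d" \d{3}')),
    ("transaction", re.compile(r"\b(BEGIN|COMMIT|ROLLBACK)\b.*\bxid=\d+")),
    ("exception", re.compile(r"\b(ERROR|CRITICAL|Traceback|Exception)\b")),
    ("datalogger", re.compile(r"\b(temp|humidity|rpm|counter)=\d")),
]

# Constructed sample of a single file that mixes several categories.
SAMPLE_LINES = [
    "Mar 10 09:14:01 host1 sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2",
    "Mar 10 09:14:07 host1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx",
    "Mar 10 09:14:09 host1 systemd[1]: Started A high performance web server and a reverse proxy server.",
    "Mar 10 09:14:12 host1 kernel: IPTABLES_DROP IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.7 PROTO=TCP DPT=23",
    '10.0.0.5 - - [10/Mar/2024:09:14:15 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    "Mar 10 09:14:20 host1 app[3310]: ERROR failed to open /var/lib/app/cache: Permission denied",
    "Mar 10 09:14:22 host1 postgres[1187]: LOG: COMMIT xid=48213 duration: 3.2 ms",
    "Mar 10 09:14:30 host1 envmon: rack=A3 temp=24.1 humidity=41",
    "Mar 10 09:14:35 host1 sshd[2240]: Failed password for invalid user admin from 198.51.100.4 port 40112 ssh2",
    "Mar 10 09:14:40 host1 tripwire[4412]: Modified: /etc/passwd",
]


def categorize(line: str) -> str:
    """Return the short key of the first matching category, or 'event' if none match."""
    for key, pattern in RULES:
        if pattern.search(line):
            return key
    return "event"


def split_mixed_log(lines):
    """Route each line of one physical file into a per-category bucket."""
    buckets = defaultdict(list)
    for line in lines:
        buckets[CATEGORIES[categorize(line)]].append(line)
    return dict(buckets)


def category_counts(lines):
    """Number of lines per category name, useful for sanity-checking rule coverage."""
    return {name: len(items) for name, items in split_mixed_log(lines).items()}


if __name__ == "__main__":
    for name, items in split_mixed_log(SAMPLE_LINES).items():
        print(f"{name} ({len(items)})")
        for item in items:
            print("   ", item[:80])
```

Running the module prints each bucket with its lines. The fallback to Event Logs is deliberate: an unclassified line should still land somewhere auditable rather than be dropped, and a growing Event Logs bucket is the signal that the rule table needs another pattern.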