You need to balance the importance of recording system, network, and user activities with the resources available to store, process, review, and secure them. Questions that help you determine the usefulness of collected data include

• What is the priority of this asset (hardware, software, information)?
• How important is it to collect data related to this asset?
• How important is it to characterise this asset?
• What is the system's sole or primary purpose? For example, if a host is acting as a web server, you want to capture web logs.
• How many users are assigned to the system and how important is it for you to know who is logged on? This helps you decide how much login/logout information to capture.
• How important is it to be able to use your logs and other data to recover a compromised system? This helps you set the priority for capturing information such as data and file transaction logs.
• What is the range of services that can be performed on this system? Process accounting information is useful to detect unauthorised services and intruder actions.
• What is your organisation's ability and capacity to process and analyse all collected data to obtain useful information when it is needed?

A table of data categories and possible types of data to collect is shown below.
Table 1: Data Categories and Types of Data to Collect

Data Category	Types of data to collect
Network performance	total traffic load in and out over time (packet, byte, and connection counts) and by event (such as new product or service release) traffic load (percentage of packets, bytes, connections) in and out over time sorted by protocol, source address, destination address, other packet header data error counts on all network interfaces
Other network data	service initiation requests name of the user/host requesting the service network traffic (packet headers) successful connections and connection attempts (protocol, port, source, destination, time) connection duration connection flow (sequence of packets from initiation to termination) states associated with network interfaces (up, down) network sockets currently open whether or not network interface card is in promiscuous mode network probes and scans results of administrator probes
System performance	total resource use over time (CPU, memory [used, free], disk [used, free]) status and errors reported by systems and hardware devices changes in system status, including shutdowns and restarts file system status (where mounted, free space by partition, open files, biggest file) over time and at specific times file system warnings (low freespace, too many open files, file exceeding allocated size) disk counters (input/output, queue lengths) over time and at specific times hardware availability (modems, network interface cards, memory)
Other system data	actions requiring special privileges successful and failed logins modem activities presence of new services and devices configuration of resources and devices
Process performance	amount of resources used (CPU, memory, disk, time) by specific processes over time; top "x" resource-consuming processes system and user processes and services executing at any given time
Other process data	user executing the process process start-up time, arguments, file names process exit status, time, duration, resources consumed the means by which each process is normally initiated (administrator, other users, other programs or processes), with what authorisation and privileges devices used by specific processes files currently open by specific processes
Files and directories	list of files, directories, attributes cryptographic checksums for all files and directories accesses (open, create, modify, execute, delete), time, date changes to sizes, contents, protections, types, locations changes to access control lists on system tools additions and deletions of files and directories results of virus scanners
Users	login/logout information (location, time): successful attempts, failed attempts, attempted logins to privileged accounts login/logout information on remote access servers that appears in modem logs changes in user identity changes in authentication status, such as enabling privileges failed attempts to access restricted information (such as password files) keystroke monitoring logs violations of user quotas
Applications	applications- and services-specific information such as network traffic (packet content), mail logs, FTP logs, web server logs, modem logs, firewall logs, SNMP logs, DNS logs, intrusion detection system logs, database management system logs. Services specific information could be for FTP requests: files transferred and connection statistics for web requests: pages accessed, credentials of the requester, connection statistics, user requests over time, which pages are most requested, and who is requesting them for mail requests: sender, receiver, size, and tracing information; for a mail server, number of messages over time, number of queued messages for DNS requests: questions, answers, and zone transfers for a file system server: file transfers over time for a database server: transactions over time
Log files	results of scanning, filtering, and reducing log file contents checks for log file consistency (increasing file size over time, use of consecutive, increasing time stamps with no gaps)
Vulnerabilities	results of vulnerability scanners (presence of known vulnerabilities) vulnerability patch logging

Identify the data to be captured using logging mechanisms.

Identify the

• types of information you can log
• mechanisms used for logging
• locations where the logging is performed
• locations where the log files are stored

For all data categories, capture alerts and any reported errors. If possible, do not log passwords, even incorrect ones. Logging correct passwords creates an enormous potential vulnerability if a non-authorised user or intruder accesses log files. Recording incorrect passwords is also risky as they often differ from valid passwords by only a single character or transposition.

Turning off password logging may require resetting a system default. If you cannot turn off password logging, you need to exercise special care in protecting access to log files that contain this information.
However, you may want to log data about password use, such as the number of failed attempts, accesses to specific accounts, etc.

Determine if the logging mechanisms provided with your systems sufficiently capture the required information.
Determine the logging mechanisms available for the systems at your site. Identify what types of information each logging mechanism can capture. There may be differences in the log file contents provided by different vendors, even for similar types of systems.
Determine where each logging mechanism stores data. Identify how the log files are named and where they are located. The names of these log files can differ even among versions of the same operating system delivered by a single vendor, so it is important that you verify this each time you upgrade your systems.

Identify the data to be captured using additional data collection mechanisms (such as monitoring). Use Table 1 as a guide to the types of information you need to collect beyond that which is available using logging mechanisms. Tailor additional data selections to meet your site's intrusion detection policies and procedures.

Monitoring is the observation of data streams for specific events, whereas logging systematically records specified events in the order that they occur. Monitoring generally connotes more of a "real time" analysis activity, while inspecting log files generally occurs as more of an "off-line" or after-the-fact activity. Monitoring is often preferable where there are large quantities of data, such as network traffic. In most circumstances, it isn't feasible to store every network packet but monitoring the network traffic for specific types of events and connections is very desirable.

Real-time intrusion detection systems, including log file monitoring tools, can detect possible intrusions or access violations as they are occurring and generate alerts in any of the Table 1 data categories. Real-time intrusion detection occurs while an intruder is attempting to break in or is still present on your system. This is contrasted with off-line intrusion detection which is performed after the intrusion has occurred, usually through inspecting various system and network log files and performing data and system integrity tests.

A host- or system-based intrusion detection system (IDS) examines data such as log files, process accounting information, and user behaviour and generates alerts based on specified configuration information. A network IDS examines network traffic, including packet headers and content.

Both types of ID systems can employ one or more analysis approaches to determine whether or not an intrusion has occurred. The two most common analysis approaches are attack signature detection (sometime called "misuse detection") which identifies patterns (signatures) corresponding to known attacks anomaly detection, which identifies any unacceptable deviation from expected behaviour.
Expected behaviour is defined, in advance, by a manually or automatically developed profile of system, network, and user behaviour. It is difficult to provide guidance about additional data selection and collection mechanisms because the selection criteria varies based on organisational policy and security requirements. This is made more complex by a lack of uniformity in the intrusion characterisations used by common collection mechanisms.
In most cases, you will need to perform manual analysis in concert with the automated data collection and reporting performed by any mechanism.