Collecting data generated by system, network, application, and user activities is essential for analysing the security of your information assets and detecting signs of suspicious and unexpected behaviour.
Log files contain information about past activities. You should identify the logging mechanisms and types of logs (system, file access, process, network, application-specific, etc.) available for each asset and identify the data recorded within each log.
Different systems provide different types of logging information, and some systems do not collect adequate information in their default configuration. It is important to supplement your logs with additional collection mechanisms that watch for signs of intrusions or intrusion attempts, and that alert the responsible parties when such events occur. Include mechanisms that
Capturing an accurate, reliable, and complete characterisation of your systems when they are first created, and as they evolve, establishes the expected state against which to compare your current systems. The information to be captured includes a known, expected state for all assets, including your network traffic, system and network performance, processes, users, files and directories, and hardware. This includes information that characterises past behaviour derived from system logs and monitoring tools, which is available once you have been operational for some period of time.
This trusted record is periodically compared with your current systems to determine if assets are behaving as expected; in other words, to verify the integrity of your systems and to identify any deviations from expected behaviour.
Characterising your software, hardware, and information assets is a time-consuming, complex, and ongoing task. You need to determine, in advance, the level of resources you can commit to this activity.
Approaches to detecting signs of suspicious or unexpected behaviour are often based on identifying differences between your current operational state and a previously captured and trusted expected state.
You need to know where each asset is located and what information you expect to find in each location. You need to be able to verify the correct or expected state of every asset. Without this information, you cannot adequately determine if anything has been added, deleted, modified, lost, or stolen.
You may not be able to rebuild a critical component that has been compromised without up-to-date, available, trusted characterisations.
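The comparison described above (capturing a trusted characterisation of an asset and later checking the current state against it for anything added, deleted or modified) can be illustrated with a small file-integrity check. This is an added example written for this page, not code from the original document; it assumes a file tree is the asset being characterised, records size, permission bits and SHA-256 per file, and uses a constructed temporary directory as sample input.

```python
import hashlib
import json
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def characterise(root):
    """Build the trusted record of every file under root: path -> attributes.

    Paths are stored relative to root with '/' separators so the record is
    portable and can be kept away from the monitored host."""
    record = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.stat(full)
            record[rel] = {
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o777),
                "sha256": hash_file(full),
            }
    return record


def compare(baseline, current):
    """Return what was added, deleted or modified relative to the trusted record."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "deleted": sorted(base_paths - cur_paths),
        "modified": sorted(
            p for p in base_paths & cur_paths if baseline[p] != current[p]
        ),
    }


def _write(root, rel, data):
    """Helper for the constructed sample: write bytes to root/rel, creating dirs."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Construct a small asset tree, capture its baseline, change it, re-check."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed sample asset; contents are placeholders, not real files.
        _write(root, "bin/service", b"\x7fELF unchanged binary")
        _write(root, "etc/app.conf", b"listen=127.0.0.1\n")
        _write(root, "var/old.log", b"old log\n")

        baseline = characterise(root)
        # The trusted record belongs in protected storage off the monitored
        # system; a JSON round-trip stands in for writing and reading it back.
        stored = json.loads(json.dumps(baseline))

        _write(root, "etc/app.conf", b"listen=0.0.0.0\n")    # modified
        os.remove(os.path.join(root, "var", "old.log"))     # deleted
        _write(root, "etc/dropped.conf", b"unexpected\n")   # added

        return compare(stored, characterise(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the module prints the three deviation lists for the constructed tree. In practice the baseline would be regenerated whenever a change is authorised and stored where a compromise of the monitored host cannot alter it, otherwise the comparison verifies nothing.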
Log files may be the only record of suspicious behaviour. Failure to enable the mechanisms to record this information and use them to initiate alert mechanisms will greatly weaken or eliminate your ability to detect intrusion attempts and to determine whether or not they succeeded.
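As an added example of using log records to initiate alerts, not taken from the original document, the following parses constructed syslog-style SSH authentication lines and raises an alert when one source address produces repeated failures inside a time window, and again if a login from that source then succeeds. The log format, the threshold of five failures in five minutes, and the sample lines are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines in sshd/syslog style; addresses are documentation
# ranges and nothing here comes from a real system.
SAMPLE_LOG = """\
Mar 10 08:00:01 host1 sshd[1201]: Failed password for root from 203.0.113.5 port 50122 ssh2
Mar 10 08:00:03 host1 sshd[1201]: Failed password for root from 203.0.113.5 port 50123 ssh2
Mar 10 08:00:05 host1 sshd[1201]: Failed password for admin from 203.0.113.5 port 50124 ssh2
Mar 10 08:00:07 host1 CRON[999]: (root) CMD (run-parts /etc/cron.hourly)
Mar 10 08:00:08 host1 sshd[1201]: Failed password for admin from 203.0.113.5 port 50125 ssh2
Mar 10 08:00:10 host1 sshd[1201]: Failed password for root from 203.0.113.5 port 50126 ssh2
Mar 10 08:00:12 host1 sshd[1202]: Accepted password for root from 203.0.113.5 port 50127 ssh2
Mar 10 08:15:00 host1 sshd[1300]: Failed password for alice from 198.51.100.7 port 41000 ssh2
Mar 10 08:16:00 host1 sshd[1301]: Accepted publickey for alice from 198.51.100.7 port 41001 ssh2
"""

# Matches only the authentication events we care about; other lines are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line, year=2024):
    """Return a dict for an sshd auth event, or None for any other line.

    Syslog timestamps carry no year, so one is supplied (assumption)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
    return {
        "time": ts,
        "host": m.group("host"),
        "result": m.group("result"),
        "user": m.group("user"),
        "src": m.group("src"),
    }


def detect(lines, threshold=5, window_seconds=300):
    """Sliding-window rule: alert on repeated failures per source, and on a
    success from a source that is currently over the failure threshold."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    already_alerted = set()         # avoid one alert per extra failure
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = failures[ev["src"]]
        # Drop failures that have aged out of the window.
        while q and (ev["time"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["time"])
            if len(q) >= threshold and ev["src"] not in already_alerted:
                already_alerted.add(ev["src"])
                alerts.append({"rule": "repeated_failures", "src": ev["src"],
                               "count": len(q), "time": ev["time"].isoformat()})
        elif len(q) >= threshold:
            alerts.append({"rule": "success_after_failures", "src": ev["src"],
                           "user": ev["user"], "time": ev["time"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The second rule is the one worth routing to a responsible party immediately: repeated failures alone may be noise, but a success from a source that was just failing repeatedly is exactly the record that lets you determine whether an attempt succeeded.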
Similar problems can result from not having the necessary procedures and mechanisms in place to process and analyse your log files. You may need your logs to