Why Should I Use Security Event Logs?

You Have To Plan Ahead To Catch An Intruder

By Tony Bradley, CISSP-ISSAP, About.com

Because a hacker may very well be using a cracked username and password, they may be able to access files successfully. If you view the logs and see that Bob Smith deleted the company financial statement at 3am on Sunday, it is reasonable to assume that Bob Smith was asleep and that his username and password have been compromised. In any event, you now know what happened to the file and when, which gives you a starting point for investigating how it happened.

Both failure and success logging can provide useful information and clues, but you have to balance your monitoring and logging activities with system performance. Using the human record book example from above, it would help investigators if people kept a log of everyone they came into contact with and what happened during each interaction, but it would certainly slow people down.

If you had to stop and write down who, what and when for every encounter you had all day, it might severely impact your productivity. The same is true of monitoring and logging computer activity. You can enable every possible failure and success logging option, and you will have a very detailed record of everything that goes on in your computer. However, you will severely impact performance, because the processor will be busy recording 100 different entries in the logs every time someone presses a button or clicks their mouse.

You have to weigh the sorts of logging that would be beneficial against the impact on system performance and come up with the balance that works best for you. You should also keep in mind that many hacker tools and Trojan horse programs, such as Sub7, include utilities that let an intruder alter log files to conceal their actions and hide the intrusion, so you can't rely 100% on the log files.

You can avoid some of the performance issues, and possibly the hacker tool concealment issues, by taking certain things into consideration when setting up your logging. You need to gauge how large the log files will get and make sure you have enough disk space in the first place. You also need a policy for whether old logs will be overwritten or deleted, or whether you want to archive the logs daily, weekly or on another periodic basis so that you have older data to look back on as well.

If it's possible to use a dedicated hard drive and/or hard drive controller, you will see less performance impact because the log files can be written to disk without fighting the applications you're trying to run for access to the drive. If you can direct the log files to a separate computer, possibly one dedicated to storing log files and with completely different security settings, you might also be able to block an intruder's ability to alter or delete the log files.
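One concrete way to send logs to a separate computer, as described above, is to have the local syslog daemon forward every message to a dedicated log host while still keeping a local copy. The rsyslog fragment below is an added example, not part of the original article; the hostname is a placeholder and the on-disk queue directives are there so messages are buffered locally rather than dropped if the log host is temporarily unreachable.

```conf
# /etc/rsyslog.d/10-forward.conf  (added example; hostname is a placeholder)
# Buffer forwarded messages on disk if the log host is unreachable,
# and keep retrying instead of discarding them.
$ActionQueueType LinkedList
$ActionQueueFileName fwdq
$ActionQueueSaveOnShutdown on
$ActionResumeRetryCount -1

# Send all facilities/priorities over TCP (@@) to the dedicated log host.
# Local files configured elsewhere in rsyslog.conf are still written.
*.* @@loghost.example.internal:514
```

The security value is that an intruder who gains control of the monitored machine can delete or rewrite the local copy, but the copy already received by the log host is outside their reach unless they also compromise that second system, which should have a different administrator account and a much smaller set of services exposed.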

A final note: you should not wait until it's too late and your system has already crashed or been compromised before viewing the logs. It is best to review the logs periodically so you know what is normal and can establish a baseline. That way, when you do come across anomalous entries you can recognize them as such and take proactive steps to harden your system rather than doing the forensic investigation after it's too late.
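The "Bob Smith at 3am on Sunday" scenario earlier and the baseline advice above are the same idea seen from two sides: first learn what normal looks like for each user, then flag entries that fall outside it. The script below is an added example, not code from the original article. It parses a constructed access log (the line format, user names and paths are assumptions), builds a per-user baseline of working hours and weekdays from a review period, and then reports events after the cutoff that fall outside that baseline or that delete files under a sensitive path.

```python
"""Baseline-and-anomaly review of a file access log (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log, not from any real system. Assumed line format:
# <ISO timestamp> <user> <action> <path>
SAMPLE_LOG = """\
2008-03-03T09:12:44 bsmith READ /finance/q1_statement.xls
2008-03-03T10:47:01 bsmith WRITE /finance/q1_statement.xls
2008-03-04T08:58:30 bsmith READ /finance/budget.xls
2008-03-04T16:02:11 bsmith WRITE /finance/budget.xls
2008-03-05T09:30:05 bsmith READ /finance/q1_statement.xls
2008-03-05T14:15:59 jdoe READ /hr/handbook.doc
2008-03-06T11:05:12 bsmith READ /finance/budget.xls
2008-03-07T09:44:27 bsmith WRITE /finance/q1_statement.xls
2008-03-09T03:02:18 bsmith DELETE /finance/q1_statement.xls
2008-03-09T03:05:40 svc_backup READ /finance/q1_statement.xls
"""


def parse_log(text):
    """Turn raw log lines into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path = line.split(maxsplit=3)
        events.append({"time": datetime.fromisoformat(ts),
                       "user": user, "action": action, "path": path})
    return events


def build_baseline(events):
    """Record, per user, the hours of day and weekdays they were active."""
    baseline = defaultdict(lambda: {"hours": set(), "weekdays": set()})
    for e in events:
        b = baseline[e["user"]]
        b["hours"].add(e["time"].hour)
        b["weekdays"].add(e["time"].weekday())  # Monday=0 ... Sunday=6
    return baseline


def find_anomalies(events, baseline, sensitive_prefixes=("/finance/",)):
    """Return (event, reasons) pairs for events that deserve a closer look."""
    findings = []
    for e in events:
        reasons = []
        b = baseline.get(e["user"])
        if b is None:
            reasons.append("user has no baseline")
        else:
            if e["time"].hour not in b["hours"]:
                reasons.append(f"hour {e['time'].hour:02d} outside baseline")
            if e["time"].weekday() not in b["weekdays"]:
                reasons.append("weekday outside baseline")
        # Deletions of sensitive files are worth a look even inside baseline hours.
        if e["action"] == "DELETE" and e["path"].startswith(sensitive_prefixes):
            reasons.append("deletion of sensitive file")
        if reasons:
            findings.append((e, reasons))
    return findings


def review(text, baseline_until):
    """Learn normal behaviour before the cutoff, then review events after it."""
    events = parse_log(text)
    cutoff = datetime.fromisoformat(baseline_until)
    baseline = build_baseline([e for e in events if e["time"] < cutoff])
    return find_anomalies([e for e in events if e["time"] >= cutoff], baseline)


if __name__ == "__main__":
    for event, reasons in review(SAMPLE_LOG, "2008-03-08T00:00:00"):
        print(event["time"], event["user"], event["action"], event["path"])
        for r in reasons:
            print("   -", r)
```

Run stand-alone it prints the Sunday 3am deletion by bsmith with three reasons (hour and weekday outside his Monday-to-Friday daytime baseline, plus the sensitive-file deletion) and the svc_backup read as an account with no baseline at all. The baseline window is what makes the review useful: the same deletion at 10am on a Tuesday would only be flagged for the path, which is exactly the kind of judgement call the article says you can only make once you know what normal looks like.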

©2008 About.com, a part of The New York Times Company.

All rights reserved.