Page 1241 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
folders, printers, and so on. For example, they can record when a user
accessed, modified, or deleted a file, as shown earlier in Figure 17.5.
Many systems automatically record access to key system files but
require an administrator to enable auditing on other resources before
logging access. For example, administrators might configure logging
for proprietary data, but not for public data posted on a website.

System Logs: System logs record system events such as when a
system starts or stops, or when services start or stop. If attackers are
able to shut down a system and reboot it with a CD or USB flash drive,
they can steal data from the system without any record of the data
access. Similarly, if attackers are able to stop a service that is
monitoring the system, they may be able to access the system without
the logs recording their actions. Logs that detect when systems reboot,
or when services stop, can help administrators discover potentially
malicious activity.
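
The review described in the System Logs paragraph, as an added example that is not from the study guide: it flags stops of monitoring services, measures how long each was down, and flags boots that were not preceded by a recorded shutdown. The log format, host name, and service list are constructed assumptions, not a real product's schema.

```python
from datetime import datetime

# Constructed sample events in a simplified, made-up format:
# "<UTC timestamp> <host> <EVENT> [service]"
SAMPLE_LOG = """\
2024-05-01T01:00:00Z db01 BOOT
2024-05-01T01:00:05Z db01 SERVICE_START auditd
2024-05-01T09:30:00Z db01 SERVICE_STOP auditd
2024-05-01T09:42:10Z db01 SERVICE_START auditd
2024-05-02T03:15:00Z db01 SERVICE_STOP print-spooler
2024-05-02T23:50:00Z db01 SHUTDOWN
2024-05-03T00:05:00Z db01 BOOT
2024-05-04T02:10:00Z db01 SERVICE_START backup
2024-05-04T04:40:00Z db01 BOOT
"""

# Assumption: services whose stoppage leaves this host unmonitored.
MONITORING_SERVICES = {"auditd", "rsyslog"}

def parse(line):
    ts, host, event, *rest = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when, host, event, rest[0] if rest else None

def review(log_text):
    findings, last, stopped = [], {}, {}  # last: host -> (time, event)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, host, event, service = parse(line)
        if event == "SERVICE_STOP" and service in MONITORING_SERVICES:
            stopped[(host, service)] = when
            findings.append(("monitor_stopped", host, when.isoformat(), service))
        elif event == "SERVICE_START" and (host, service) in stopped:
            secs = int((when - stopped.pop((host, service))).total_seconds())
            findings.append(("monitor_restarted", host, when.isoformat(), f"{service} down {secs}s"))
        elif event == "BOOT" and host in last and last[host][1] != "SHUTDOWN":
            # The previous record was not a shutdown: crash, power loss, or forced restart.
            secs = int((when - last[host][0]).total_seconds())
            findings.append(("boot_without_shutdown", host, when.isoformat(), f"no records for {secs}s before boot"))
        last[host] = (when, event)
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```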

Application Logs: These logs record information for specific
applications. Application developers choose what to record in the
application logs. For example, a database developer can choose to
record when anyone accesses specific data objects such as tables or
views.

Firewall Logs: Firewall logs can record events related to any traffic
that reaches a firewall. This includes traffic that the firewall allows and
traffic that the firewall blocks. These logs commonly record key packet
information such as source and destination IP addresses, and source
and destination ports, but not the actual contents of the packets.

Proxy Logs: Proxy servers improve internet access performance for
users and can control what websites users can visit. Proxy logs can
record details such as what sites specific users visit and
how much time they spend on these sites. They can also record when
users attempt to visit known prohibited sites.

Change Logs: Change logs record change requests, approvals, and
actual changes to a system as a part of an overall change management
process. A change log can be manually created or created from an
internal web page as personnel record activity related to a change.
Change logs are useful to track approved changes. They can also be

