Page 1248 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Log analysis is a detailed and systematic form of monitoring in which
the logged information is analyzed for trends and patterns as well as
abnormal, unauthorized, illegal, and policy-violating activities. Log
analysis is not necessarily performed in response to an incident; it is
often a periodic task that can detect potential issues early.
When manually analyzing logs, administrators simply open the log
files and look for relevant data. This can be very tedious and time
consuming. For example, searching 10 different archived logs for a
specific event or ID code can take some time, even when using built-in
search tools.
In many cases, logs can produce so much information that important
details can get lost in the sheer volume of data, so administrators often
use automated tools to analyze the log data. For example, intrusion
detection systems (IDSs) actively monitor multiple logs to detect and
respond to malicious intrusions in real time. An IDS can help detect
and track attacks from external attackers, send alerts to
administrators, and record attackers’ access to resources.
Multiple vendors sell operations management software that actively
monitors the security, health, and performance of systems throughout
a network. This software automatically looks for suspicious or
abnormal activities that indicate problems such as an attack or
unauthorized access.
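The two modes of analysis described above, the manual search of several archived logs for one event code and the automated scan for abnormal or policy-violating patterns, side by side in a small Python script. This is an added example, not code from the study guide; the log line format, the field names, the event codes (LOGIN_OK, LOGIN_FAIL) and every log line are constructed for illustration.

```python
"""Log analysis over several constructed archived log files.

Added example, not from the study guide. The line format, field names,
event codes and all log content below are constructed sample data.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample archives: file name -> file contents.
ARCHIVED_LOGS = {
    "auth.log.1": """\
2024-03-01T08:00:01 host=web01 event=LOGIN_FAIL user=alice src=10.0.0.5
2024-03-01T08:00:03 host=web01 event=LOGIN_FAIL user=alice src=10.0.0.5
2024-03-01T08:00:04 host=web01 event=LOGIN_FAIL user=alice src=10.0.0.5
2024-03-01T08:00:06 host=web01 event=LOGIN_OK user=alice src=10.0.0.5
""",
    "auth.log.2": """\
2024-03-01T09:15:00 host=web02 event=LOGIN_OK user=bob src=10.0.0.9
2024-03-01T22:30:00 host=web02 event=LOGIN_OK user=svc_backup src=198.51.100.7
""",
    "auth.log.3": """\
2024-03-02T03:10:00 host=db01 event=LOGIN_FAIL user=admin src=203.0.113.4
2024-03-02T03:10:01 host=db01 event=LOGIN_FAIL user=admin src=203.0.113.4
2024-03-02T03:10:02 host=db01 event=LOGIN_FAIL user=admin src=203.0.113.4
2024-03-02T03:10:03 host=db01 event=LOGIN_FAIL user=admin src=203.0.113.4
2024-03-02T03:10:04 host=db01 event=LOGIN_FAIL user=admin src=203.0.113.4
-- rotated by logrotate (this line is deliberately not in the expected format)
""",
}

# One regular expression for the assumed line format; anything else is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_archives(archives):
    """Parse every archive into a flat list of records (archive, line number kept)."""
    records = []
    for name, text in archives.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            m = LINE_RE.match(line)
            if not m:
                continue  # malformed line: skip rather than abort the whole run
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            rec["archive"] = name
            rec["lineno"] = lineno
            records.append(rec)
    return records


def find_event(records, event_code):
    """The manual task: every (archive, line) where one event code appears."""
    return [(r["archive"], r["lineno"]) for r in records if r["event"] == event_code]


def event_trend(records):
    """Trend view: how many of each event code each host produced."""
    return Counter((r["host"], r["event"]) for r in records)


def detect_failed_login_bursts(records, threshold=3, window=timedelta(minutes=5)):
    """Abnormal activity: (user, src) pairs with >= threshold failures in one window."""
    by_key = defaultdict(list)
    for r in records:
        if r["event"] == "LOGIN_FAIL":
            by_key[(r["user"], r["src"])].append(r["ts"])
    findings = []
    for key, times in by_key.items():
        times.sort()
        # Slide a window of `threshold` consecutive failures over the timeline.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                findings.append(key)
                break
    return findings


def detect_off_hours_logins(records, start_hour=7, end_hour=19):
    """Policy violation: successful logins outside the assumed business hours."""
    return [
        (r["user"], r["ts"].isoformat())
        for r in records
        if r["event"] == "LOGIN_OK" and not (start_hour <= r["ts"].hour < end_hour)
    ]


if __name__ == "__main__":
    recs = parse_archives(ARCHIVED_LOGS)
    print("LOGIN_OK found at:", find_event(recs, "LOGIN_OK"))
    print("per-host trend:", event_trend(recs))
    print("failed-login bursts:", detect_failed_login_bursts(recs))
    print("off-hours logins:", detect_off_hours_logins(recs))
```

The parser deliberately skips lines that do not match the expected format instead of raising, because a single rotation banner or truncated line in one archive should not stop the scan of the other nine. The two detectors show the difference between a search (one known event code) and analysis (a pattern that only becomes visible once events are grouped by user and source, or checked against a policy).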
Security Information and Event Management
Many organizations use a centralized application to automate
monitoring of systems on a network. Several terms are used to
describe these tools, including security information and event
management (SIEM), security event management (SEM), and security
information management (SIM). These tools provide real-time
analysis of events occurring on systems throughout an organization.
They include agents installed on remote systems that monitor for
specific events known as alarm triggers. When the trigger occurs, the
agents report the event back to the central monitoring software.
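The agent, alarm-trigger and central-monitor arrangement described above, modelled in Python as an added example (not code from the study guide or from any SIEM product). The trigger names, hosts, event kinds and the event stream are all constructed; the point is that each agent forwards only events matching a trigger, so the central software sees alerts, not raw log volume, and can count them across hosts.

```python
"""Toy SIEM model: remote agents, alarm triggers, central collector.

Added example, not from the study guide. All names and events are constructed.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    host: str
    source: str  # subsystem that logged it, e.g. "mail"
    kind: str    # event kind as logged, e.g. "relay_denied"
    detail: str


@dataclass(frozen=True)
class Trigger:
    """An alarm trigger: a (source, kind) pair the agent watches for."""
    name: str
    source: str
    kind: str
    severity: str


@dataclass(frozen=True)
class Alert:
    trigger: str
    host: str
    severity: str
    detail: str


class Collector:
    """Central monitoring software: receives alerts and summarises them."""

    def __init__(self):
        self.alerts = []

    def receive(self, alert):
        self.alerts.append(alert)

    def count_by_trigger(self):
        return Counter(a.trigger for a in self.alerts)

    def hosts_for(self, trigger_name):
        return {a.host for a in self.alerts if a.trigger == trigger_name}


class Agent:
    """Installed on one remote system; reports only trigger matches upstream."""

    def __init__(self, host, triggers, collector):
        self.host = host
        self.triggers = {(t.source, t.kind): t for t in triggers}
        self.collector = collector
        self.seen = 0       # every event the agent examined
        self.forwarded = 0  # only those that matched a trigger

    def observe(self, event):
        """Examine one logged event; return True if it was reported centrally."""
        self.seen += 1
        trig = self.triggers.get((event.source, event.kind))
        if trig is None:
            return False
        self.forwarded += 1
        self.collector.receive(Alert(trig.name, self.host, trig.severity, event.detail))
        return True


# Constructed triggers for a group of mail servers.
MAIL_TRIGGERS = [
    Trigger("relay-denied", "mail", "relay_denied", "medium"),
    Trigger("auth-failure", "mail", "auth_failure", "low"),
]


def run_mail_group():
    """Simulate three mail servers logging events; return (collector, agents)."""
    collector = Collector()
    agents = {h: Agent(h, MAIL_TRIGGERS, collector) for h in ("mail01", "mail02", "mail03")}
    # Constructed event stream: most events are routine deliveries.
    stream = [
        Event("mail01", "mail", "delivered", "to=alice"),
        Event("mail01", "mail", "relay_denied", "client=192.0.2.10"),
        Event("mail02", "mail", "delivered", "to=bob"),
        Event("mail02", "mail", "auth_failure", "user=carol"),
        Event("mail02", "mail", "delivered", "to=dave"),
        Event("mail03", "mail", "relay_denied", "client=192.0.2.11"),
        Event("mail03", "mail", "queue_stats", "size=12"),
    ]
    for ev in stream:
        agents[ev.host].observe(ev)
    return collector, agents


if __name__ == "__main__":
    col, ags = run_mail_group()
    print(col.count_by_trigger(), col.hosts_for("relay-denied"))
    print({h: (a.seen, a.forwarded) for h, a in ags.items()})
```

Matching on an exact (source, kind) pair keeps the agent cheap; a real agent would evaluate richer rules, but the division of labour is the same: the trigger decides what leaves the host, and correlation across hosts (here, which servers raised the same trigger) happens only at the centre.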
For example, a SIEM can monitor a group of email servers. Each time
one of the email servers logs an event, a SIEM agent examines the