Is it enough to analyse log files, or is an IDS necessary?

The more network data you have to analyse, the better. In this expert response, Peter Wood explains what tools can provide the information you need.

Is it enough to analyse log files, or is it necessary (or beneficial) to have an IDS feed into the SIM/SEM as well? Will correlated logs provide enough information to pinpoint a security issue, or does a signature-based IDS provide an additional view that cannot be replaced with logs alone?
In principle, the more data you have to analyse, the better. A good IDS can give you invaluable information about attack types and help put log entries into context. I recommend visiting the SANS website for some excellent insight into this topic, especially its Top 5 Essential Log Reports document.
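To make the "put log entries into context" point concrete, here is an added example that is not part of the original answer or of any vendor tool. It parses a constructed sshd auth-log excerpt and constructed Snort-style fast alerts (the rule SIDs and messages are placeholders, not real rule IDs), then shows two views a SIM/SEM could present: what the logs say on their own (a failed-login threshold) and what the same logs say once each IDS alert is correlated with the auth events from the alerting source inside a time window. The year constant, the host names and all addresses are assumptions for the sample data.

```python
"""Correlate syslog auth events with IDS alerts by source IP and time window.

All input below is constructed sample data, not captured from any real host.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

YEAR = 2009  # syslog lines carry no year; assumed for the sample data

# Constructed auth.log excerpt (sshd on a Linux host)
AUTH_LOG = """\
Jan 15 10:02:11 web1 sshd[4021]: Failed password for invalid user admin from 203.0.113.5 port 40211 ssh2
Jan 15 10:02:14 web1 sshd[4023]: Failed password for root from 203.0.113.5 port 40213 ssh2
Jan 15 10:02:20 web1 sshd[4025]: Accepted password for deploy from 203.0.113.5 port 40219 ssh2
Jan 15 10:05:01 web1 sshd[4101]: Accepted publickey for alice from 198.51.100.7 port 51000 ssh2
Jan 15 10:07:42 web1 sshd[4133]: Failed password for bob from 198.51.100.9 port 52000 ssh2
"""

# Constructed Snort-style "fast" alerts; SIDs and messages are placeholders, not real rule IDs
IDS_ALERTS = """\
01/15-10:02:09.000000  [**] [1:1000001:1] EXAMPLE SSH brute-force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.5:40211 -> 192.0.2.10:22
01/15-10:07:40.000000  [**] [1:1000002:1] EXAMPLE SSH client version scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.9:52000 -> 192.0.2.10:22
"""

AUTH_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
IDS_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<time>\d\d:\d\d:\d\d)\.\d+ +\[\*\*\] \[[\d:]+\] "
    r"(?P<msg>.+?) \[\*\*\] \[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<prio>\d)\] "
    r"\{\w+\} (?P<ip>[\d.]+):\d+ ->")


def parse_auth(text):
    """Turn sshd auth-log lines into events: timestamp, source IP, user, success flag."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "ip": m["ip"], "user": m["user"], "ok": m["result"] == "Accepted"})
    return events


def parse_ids(text):
    """Turn Snort-style fast alerts into events: timestamp, source IP, message, class, priority."""
    alerts = []
    for line in text.splitlines():
        m = IDS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{YEAR} {m['mon']}/{m['day']} {m['time']}", "%Y %m/%d %H:%M:%S")
        alerts.append({"ts": ts, "ip": m["ip"], "msg": m["msg"], "cls": m["cls"], "prio": int(m["prio"])})
    return alerts


def log_only_findings(events, threshold=3):
    """What the logs say on their own: source IPs whose failed logins reach the threshold."""
    fails = defaultdict(int)
    for e in events:
        if not e["ok"]:
            fails[e["ip"]] += 1
    return {ip: n for ip, n in fails.items() if n >= threshold}


def correlate(alerts, events, window=timedelta(minutes=5)):
    """Attach to each IDS alert the auth events from the same source within the window after it."""
    findings = []
    for a in alerts:
        related = [e for e in events if e["ip"] == a["ip"] and a["ts"] <= e["ts"] <= a["ts"] + window]
        findings.append({
            "ip": a["ip"], "attack": a["msg"], "classification": a["cls"],
            "failed": sum(1 for e in related if not e["ok"]),
            "accepted": [e["user"] for e in related if e["ok"]],
        })
    return findings


def triage(alerts, events):
    """The correlated view: an IDS alert followed by an accepted login from the same source ranks highest."""
    out = []
    for f in correlate(alerts, events):
        if f["accepted"]:
            f["verdict"] = "possible compromise: attack followed by successful login"
        elif f["failed"]:
            f["verdict"] = "attack attempt, no login succeeded"
        else:
            f["verdict"] = "IDS-only signal: nothing in auth log"
        out.append(f)
    return out


if __name__ == "__main__":
    ev, al = parse_auth(AUTH_LOG), parse_ids(IDS_ALERTS)
    print("log-only threshold hits:", log_only_findings(ev))  # {} with the default threshold
    for f in triage(al, ev):
        print(f)
```

On this sample the log-only view is empty: two failures from 203.0.113.5 sit below the threshold, so the later accepted login for "deploy" looks routine. The IDS alert names the attack type and, once correlated, turns the same three auth lines into the top-priority finding; the second alert correlates with a single failure and ranks lower. The design choice to show is the time window anchored on the alert: the IDS supplies the "what" and "when", the logs supply the outcome.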

For more information:

  • A student from Royal Holloway University explains how machine learning can be harnessed to improve many aspects of information security including intrusion detection.
  • This was first published in October 2009
