Data Category: Types of Data to Collect

Network performance
  - Total traffic load in and out over time (packet, byte, and connection counts) and by event (such as a new product or service release)
  - Traffic load (percentage of packets, bytes, connections) in and out over time, sorted by protocol, source address, destination address, and other packet header data
  - Error counts on all network interfaces

Other network data
  - Service initiation requests
  - Name of the user or host requesting the service
  - Network traffic (packet headers)
  - Successful connections and connection attempts (protocol, port, source, destination, time)
  - Connection duration
  - Connection flow (sequence of packets from initiation to termination)
  - States associated with network interfaces (up, down)
  - Network sockets currently open
  - Whether a network interface card is in promiscuous mode
  - Network probes and scans
  - Results of administrator probes
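
Several of the "other network data" items above (successful connections and attempts by protocol, port, source and destination; connection duration; probes and scans) can be derived from a stream of connection events. The Python below is an added example, not part of the original table or of any product it describes. The event record layout (time, protocol, source, destination, event kind) and the sample events are constructed for it, and the scan heuristic's thresholds (five distinct ports on one host within sixty seconds) are assumptions to tune for your own network.

```python
"""Summarise connection events into per-protocol/per-service loads, connection
durations and probe activity. Record layout and sample data are constructed for
this example (assumption), not a standard log format."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: one event per line, fields are
#   time proto src_ip src_port dst_ip dst_port event   (event: attempt|open|close)
SAMPLE_EVENTS = """\
2024-05-01T10:00:00 tcp 10.0.0.5 51234 10.0.0.20 22 open
2024-05-01T10:00:01 tcp 10.0.0.7 40001 10.0.0.20 443 open
2024-05-01T10:00:02 udp 10.0.0.7 53001 10.0.0.2 53 open
2024-05-01T10:00:02 udp 10.0.0.7 53001 10.0.0.2 53 close
2024-05-01T10:00:03 tcp 10.0.0.8 40500 10.0.0.20 22 open
2024-05-01T10:00:05 tcp 192.0.2.9 6000 10.0.0.20 21 attempt
2024-05-01T10:00:05 tcp 192.0.2.9 6001 10.0.0.20 23 attempt
2024-05-01T10:00:06 tcp 192.0.2.9 6002 10.0.0.20 25 attempt
2024-05-01T10:00:06 tcp 192.0.2.9 6003 10.0.0.20 80 attempt
2024-05-01T10:00:07 tcp 192.0.2.9 6004 10.0.0.20 110 attempt
2024-05-01T10:00:07 tcp 192.0.2.9 6005 10.0.0.20 139 attempt
2024-05-01T10:00:08 tcp 192.0.2.9 6006 10.0.0.20 445 attempt
2024-05-01T10:01:00 tcp 10.0.0.7 40001 10.0.0.20 443 close
2024-05-01T10:05:30 tcp 10.0.0.5 51234 10.0.0.20 22 close
"""


def parse_events(text):
    """Parse the constructed record format into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proto, sip, sport, dip, dport, ev = line.split()
        events.append({"time": datetime.fromisoformat(ts), "proto": proto,
                       "src": sip, "sport": int(sport), "dst": dip,
                       "dport": int(dport), "event": ev})
    return events


def connection_load(events):
    """Successful connections per protocol and per (destination, port),
    plus connection attempts per source address."""
    by_proto, by_service, attempts = Counter(), Counter(), Counter()
    for e in events:
        if e["event"] == "open":
            by_proto[e["proto"]] += 1
            by_service[(e["dst"], e["dport"])] += 1
        elif e["event"] == "attempt":
            attempts[e["src"]] += 1
    return {"by_proto": dict(by_proto), "by_service": dict(by_service),
            "attempts_by_src": dict(attempts)}


def connection_durations(events):
    """Pair each open with the close on the same 5-tuple. Returns
    (seconds per closed connection, set of 5-tuples never seen closing)."""
    open_at, durations = {}, {}
    for e in events:
        key = (e["proto"], e["src"], e["sport"], e["dst"], e["dport"])
        if e["event"] == "open":
            open_at[key] = e["time"]
        elif e["event"] == "close" and key in open_at:
            durations[key] = (e["time"] - open_at.pop(key)).total_seconds()
    return durations, set(open_at)


def detect_port_scans(events, min_ports=5, window_seconds=60):
    """Report (src, dst, distinct ports) when one source touches at least
    min_ports distinct ports on one host within window_seconds. Thresholds
    are assumptions; real scans may be slower or spread over many hosts."""
    touched = defaultdict(list)  # (src, dst) -> [(time, dport), ...]
    for e in events:
        touched[(e["src"], e["dst"])].append((e["time"], e["dport"]))
    scans = []
    for (src, dst), hits in touched.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            ports = {p for t, p in hits[i:]
                     if (t - t0).total_seconds() <= window_seconds}
            if len(ports) >= min_ports:
                scans.append((src, dst, len(ports)))
                break
    return scans


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print(connection_load(evs))
    print(connection_durations(evs))
    print(detect_port_scans(evs))
```

The still-open set returned by `connection_durations` is worth keeping: a connection with an initiation but no termination in the record is either still live, or the termination was never logged, and both are worth checking against the sockets currently open on the host.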

System performance
  - Total resource use over time (CPU, memory [used, free], disk [used, free])
  - Status and errors reported by systems and hardware devices
  - Changes in system status, including shutdowns and restarts
  - File system status (where mounted, free space by partition, open files, biggest file) over time and at specific times
  - File system warnings (low free space, too many open files, file exceeding allocated size)
  - Disk counters (input/output, queue lengths) over time and at specific times
  - Hardware availability (modems, network interface cards, memory)

Other system data
  - Actions requiring special privileges
  - Successful and failed logins
  - Modem activities
  - Presence of new services and devices
  - Configuration of resources and devices
  - System call data

Process performance
  - Amount of resources used (CPU, memory, disk, time) by specific processes over time; top "x" resource-consuming processes
  - System and user processes and services executing at any given time

Other process data
  - User executing the process
  - Process startup time, arguments, filenames
  - Process exit status, time, duration, resources consumed
  - Means by which each process is normally initiated (administrator, other users, other programs or processes), with what authorization and privileges
  - Devices used by specific processes
  - Files currently open by specific processes

Files and directories
  - List of files, directories, attributes
  - Cryptographic checksums for all files and directories
  - Accesses (open, create, modify, execute, delete), time, date
  - Changes to sizes, contents, protections, types, locations
  - Changes to access control lists on system tools
  - Additions and deletions of files and directories
  - Results of virus scans
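
The file and directory items above (attributes, cryptographic checksums, changes to size, contents and protections, additions and deletions) are what a baseline-and-compare check produces. The Python below is an added example, not the original page's or any tool's code: it snapshots a tree into SHA-256 digest, size and permission bits per regular file, then diffs two snapshots. The tree it walks is built in a temporary directory with constructed contents; the choice to skip symlinks rather than hash their targets is an assumption of the example.

```python
"""Baseline a directory tree (SHA-256, size, permission bits per regular file)
and report additions, deletions, content changes and protection changes.
The demo tree and its tampering are constructed for this example."""
import hashlib
import os
import stat
import tempfile


def sha256_file(path, chunk=65536):
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file under root ('/'-separated relative path) to
    (sha256, size, permission bits). Symlinks are skipped on purpose: hashing
    a link's target would hide a re-pointed link (assumption: track links separately)."""
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (sha256_file(full), st.st_size, stat.S_IMODE(st.st_mode))
    return baseline


def compare(old, new):
    """Diff two snapshots into the change classes the table lists."""
    report = {"added": [], "removed": [], "modified": [], "protection_changed": []}
    for path in sorted(set(old) | set(new)):
        if path not in old:
            report["added"].append(path)
        elif path not in new:
            report["removed"].append(path)
        else:
            o_digest, o_size, o_mode = old[path]
            n_digest, n_size, n_mode = new[path]
            if o_digest != n_digest or o_size != n_size:
                report["modified"].append(path)
            if o_mode != n_mode:
                report["protection_changed"].append(path)
    return report


def _write(path, data, mode=None):
    """Create/overwrite a file; set permission bits only when mode is given."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)
    if mode is not None:
        os.chmod(path, mode)


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, diff it."""
    with tempfile.TemporaryDirectory() as root:
        _write(os.path.join(root, "bin", "ls"), b'#!/bin/sh\nexec /usr/bin/ls "$@"\n', 0o755)
        _write(os.path.join(root, "etc", "passwd"), b"root:x:0:0:root:/root:/bin/sh\n", 0o644)
        _write(os.path.join(root, "etc", "motd"), b"welcome\n", 0o644)
        before = snapshot(root)

        # Tamper: trojaned tool of identical byte length (only the checksum
        # catches it), passwd made world-writable, a new preload file, motd deleted.
        _write(os.path.join(root, "bin", "ls"), b'#!/bin/sh\nexec /tmp/.xx/ls "$@"\n')
        os.chmod(os.path.join(root, "etc", "passwd"), 0o666)
        _write(os.path.join(root, "etc", "ld.so.preload"), b"/tmp/.xx/libhook.so\n", 0o644)
        os.remove(os.path.join(root, "etc", "motd"))
        after = snapshot(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Store the baseline off the host (or on read-only media); a baseline that lives on the monitored system can be rewritten by the same intruder who replaced the tools it describes.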

Users
  - Login/logout information (location, time): successful attempts, failed attempts, attempted logins to privileged accounts
  - Login/logout information on remote access servers that appears in modem logs
  - Changes in user identity
  - Changes in authentication status, such as enabling privileges
  - Failed attempts to access restricted information (such as password files)
  - Keystroke monitoring logs
  - Violations of user quotas
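
Most of the user items above (successful and failed logins with location and time, attempts against privileged accounts, changes in user identity) come out of authentication logs. The Python below is an added example and not the page's own; the log lines are constructed in a common sshd/su/sudo syslog style, the set of accounts treated as privileged is an assumption, and the regular expressions match that constructed format only, so they will need adjusting for other systems.

```python
"""Extract login, privileged-account and identity-change data from
authentication log lines. Sample lines, the privileged-account set and the
line formats are constructed assumptions for this example."""
import re
from collections import defaultdict

SAMPLE_AUTH_LOG = """\
2024-05-01T08:00:01 host1 sshd[2001]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
2024-05-01T08:00:09 host1 sshd[2002]: Failed password for root from 198.51.100.7 port 40100 ssh2
2024-05-01T08:00:11 host1 sshd[2002]: Failed password for root from 198.51.100.7 port 40101 ssh2
2024-05-01T08:00:12 host1 sshd[2003]: Failed password for invalid user admin from 198.51.100.7 port 40102 ssh2
2024-05-01T08:01:00 host1 su[2010]: (to root) alice on pts/0
2024-05-01T08:02:30 host1 sudo:    bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
2024-05-01T08:03:00 host1 sshd[2004]: Accepted password for bob from 10.0.0.9 port 51300 ssh2
"""

# Assumption: which accounts count as privileged on this system.
PRIVILEGED = {"root", "admin"}

LOGIN_RE = re.compile(
    r"^(\S+) (\S+) sshd\[\d+\]: (Accepted|Failed) \S+ for (?:invalid user )?(\S+) from (\S+) port (\d+)")
SU_RE = re.compile(r"^(\S+) (\S+) su\[\d+\]: \(to (\S+)\) (\S+) on (\S+)")
SUDO_RE = re.compile(r"^(\S+) (\S+) sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(.+)$")


def summarize_auth(text):
    """Split auth lines into successful logins, failed logins, attempts on
    privileged accounts (successful or not) and identity changes via su/sudo."""
    out = {"successful": [], "failed": [], "privileged_attempts": [], "identity_changes": []}
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            ts, _host, result, user, src, port = m.groups()
            rec = {"time": ts, "user": user, "src": src, "port": int(port)}
            (out["successful"] if result == "Accepted" else out["failed"]).append(rec)
            if user in PRIVILEGED:
                out["privileged_attempts"].append(rec)
            continue
        m = SU_RE.match(line)
        if m:
            ts, _host, target, user, tty = m.groups()
            out["identity_changes"].append(
                {"time": ts, "from": user, "to": target, "via": "su", "tty": tty})
            continue
        m = SUDO_RE.match(line)
        if m:
            ts, _host, user, target, cmd = m.groups()
            out["identity_changes"].append(
                {"time": ts, "from": user, "to": target, "via": "sudo", "command": cmd})
    return out


def failed_logins_by_source(summary, threshold=3):
    """Sources with at least `threshold` failed logins: the usual password-guessing signal."""
    counts = defaultdict(int)
    for rec in summary["failed"]:
        counts[rec["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    s = summarize_auth(SAMPLE_AUTH_LOG)
    for kind, recs in s.items():
        print(kind, recs)
    print(failed_logins_by_source(s))
```

Note that a successful login to a privileged account lands in both `successful` and `privileged_attempts`; the table asks for attempted logins to privileged accounts regardless of outcome, and a successful one is the more urgent of the two to review.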

Applications
  - Application-specific and service-specific information such as network traffic (packet content), mail logs, FTP logs, web server logs, modem logs, firewall logs, SNMP logs, DNS logs, intrusion-detection system logs, and database management system logs
  - Service-specific information could include FTP requests (files transferred and connection statistics); web requests (pages accessed, credentials of the requestor, connection statistics, user requests over time, which pages are most requested, and who is requesting them); mail requests (sender, receiver, size, and tracing information; for a mail server, number of messages over time and number of queued messages); DNS requests (questions, answers, zone transfers); for a file system server, file transfers over time; for a database server, transactions over time

Log files
  - Results of scanning, filtering, and reducing log file contents
  - Checks for log file consistency (increasing file size over time; use of consecutive, increasing time stamps with no gaps)
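
The log file consistency checks above are simple to mechanise: timestamps should be consecutive and non-decreasing, there should be no unexplained gaps, and the file should only grow between observations. The Python below is an added example rather than the page's own material; its log lines use a syslog-like layout with ISO 8601 timestamps and, like the size samples, are constructed for the example. The 30-minute gap threshold is an assumption and should be set from what the host normally logs.

```python
"""Consistency checks on a log file: timestamps must be non-decreasing with no
gaps beyond a threshold, and the file size must not shrink between checks.
Sample log lines and size observations are constructed for this example."""
import re
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-05-01T10:00:00 host1 sshd[812]: Accepted publickey for alice from 10.0.0.5 port 51234
2024-05-01T10:00:07 host1 sudo: alice : TTY=pts/0 ; COMMAND=/usr/bin/systemctl restart nginx
2024-05-01T10:00:09 host1 cron[99]: (root) CMD (run-parts /etc/cron.hourly)
2024-05-01T09:55:00 host1 sshd[812]: session opened for user alice
2024-05-01T11:30:00 host1 cron[99]: (root) CMD (run-parts /etc/cron.hourly)
2024-05-01T11:30:01 host1 sshd[812]: session closed for user alice
corrupted partial line without a timestamp
"""

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s")


def parse_timestamps(text):
    """Return ([(line_no, datetime)], [line numbers with no parseable stamp]).
    A non-empty line without a timestamp is itself worth flagging: it may be a
    partial write, an inserted line, or a different format spliced in."""
    stamped, unstamped = [], []
    for n, line in enumerate(text.splitlines(), start=1):
        m = TS_RE.match(line)
        if m:
            stamped.append((n, datetime.fromisoformat(m.group(1))))
        elif line.strip():
            unstamped.append(n)
    return stamped, unstamped


def check_timestamps(text, max_gap=timedelta(minutes=30)):
    """Flag lines whose stamp goes backwards (reordering, clock change, or edited
    entries) and gaps longer than max_gap (logging stopped or entries deleted).
    Each gap is reported as (previous line, this line, seconds)."""
    stamped, unstamped = parse_timestamps(text)
    backwards, gaps = [], []
    for (prev_n, prev_t), (n, t) in zip(stamped, stamped[1:]):
        if t < prev_t:
            backwards.append(n)
        elif t - prev_t > max_gap:
            gaps.append((prev_n, n, int((t - prev_t).total_seconds())))
    return {"backwards": backwards, "gaps": gaps, "unstamped": unstamped}


def check_size_history(sizes):
    """sizes: byte counts observed at successive checks. A decrease means the
    file was truncated, rotated, or rewritten; returns the indices where it
    shrank so each can be matched against a known rotation."""
    return [i for i in range(1, len(sizes)) if sizes[i] < sizes[i - 1]]


if __name__ == "__main__":
    print(check_timestamps(SAMPLE_LOG))
    print(check_size_history([1024, 2048, 4096, 1000, 1200]))
```

A shrink that coincides with scheduled log rotation is expected; one that does not, or a backwards timestamp with no matching clock adjustment in the system log, is the kind of inconsistency the table is asking you to look for.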

Vulnerabilities