Improved event logging for security and forensics: developing audit management infrastructure requirements

The design and implementation of audit configurations is often constrained by the audit management interface, which typically models operating system structures rather than real world behavior. This paper argues for the need for improved audit management technology as part of an overall top-down approach in the establishment of IT eventlogging policies and practices. We propose that audit management technology should be improved to allow security administrators and forensic investigators to set event log configurations that reflect the security and forensic needs of an organization as defined in security policy. This paper outlines some of the necessary functionality that must be supported by audit management infrastructure in order to facilitate the collection and retention of event data appropriate for different types of real world behaviour.