Conferences

• IFIP International Symposium on Human Aspects of Information Security & Assurance (HAISA 2021); papers due April 26, 2021
• New Security Paradigms Workshop (NSPW 2021); papers due May 21, 2021

---

My Links

• My Home Page
• Books
• Classes
• Papers
• Reports and Notes
• Research
• Security in Programming
• Service
• Students
• Talks
• Miscellaneous
• My Family
• About Me (CV and such)

---

Other Links

• Cybersecurity Club
• Computer Security Lab
• Dept. of Computer Science
• College of Engineering
• University of California, Davis
• City of Davis
• County of Yolo
• State of California
• United States of America

---

Me

• This Quarter’s Classes
• Office Hours for This Quarter
• Contacting Me
• My Personal Blog
  (Last Entry September 4, 2020; “Don’t Vote Twice”)

---

Current Time in Davis, CA, USA

A Standard Audit Trail Format

Citation

• M. Bishop, “A Standard Audit Trail Format,” Proceedings of the Eighteenth National Information Systems Security Conference pp. 136–145 (Oct. 1995).

Paper

• Publisher’s version (entire proceedings free)
• PDF
• PS

Bibliographic Information

• BibTeX
• EndNote

Abstract

The central role of audit trails, or (more properly) logs, in security monitoring needs little description, for it is too well known for any to doubt it. Auditing, or the analysis of logs, is a central part of security not only in computer system security but also in analyzing financial and other non-technical systems. As part of this process, it is often necessary to reconcile logs from different sources.

All this speaks of many needs, such as synchronization of time among hosts, a method for correlation of host-specific information, and a standard logging format. Such a format has several benefits. First, it makes analysis of the logs by a central engine simpler, because that engine need not know the types of systems generating the logs. Secondly, it enables logs generated for very different purposes to be reconciled. Suppose a credit card transaction is made over the Internet. The financial transaction will be logged at the (electronic) bank, and the connection (and presumably information about the transaction) at the purchaser’s system. Should the purchaser claim fraud (e.g., he denies the transaction), the investigators would need to reconcile the system log with that of the financial institution to verify the legitimacy of the transaction. Third, it allows interoperability of audit systems on a very large scale, much the way a standard byte ordering allows interoperation of networked systems.

A standard log format robust enough to meet the needs of heterogeneity, transportability across various network protocols, and flexibility sufficient to meet a variety of needs in very different environments must satisfy two basic properties: extensibility and portability. This paper presents such a format, and contrasts it with other log formats.

Notice

This is not copyrighted. The definitive version was published in the Proceedings of the Eighteenth National Information Systems Security Conference, Oct. 1995, and is available at href="https://csrc.nist.gov/CSRC/media/Publications/conference-paper/1995/10/10/proceedings-of-the-18th-nissc-1995/documents/1995-18th-NISSC-proceedings-vol-1.pdf">.

---

Last updated on Thursday, April 15, 2021 11:20:53 PM PDT