
34. a. Log viewing is displaying log entries in a human-readable format. Some log viewers provide filtering and aggregation capabilities, but they do not provide log normalization or log correlation capabilities.

35. Which one of the following log management functions includes other functions?

a. Log filtering

b. Log aggregation

c. Log correlation

d. Log parsing

35. d. Log parsing is converting log entries into a different format. For example, log parsing can convert an Extensible Markup Language (XML)-format log into a plaintext file. Log parsing sometimes includes actions such as log filtering, log aggregation, log normalization, and log correlation.

36. Major categories of log management infrastructures are based on which of the following?

1. Syslog-based centralized logging software

2. Security event management software

3. Network forensic analysis tools

4. Host-based intrusion detection systems

a. 1 and 2

b. 2 and 3

c. 3 and 4

d. 1, 2, 3, and 4

36. a. Log management infrastructures are typically based on one of the two major categories of log management software: syslog-based centralized logging software and security event management (SEM) software. Network forensic analysis tools and host-based intrusion detection systems are examples of additional types (secondary sources) of log management software.

37. Regarding log management infrastructure functions, which of the following defines closing a log and opening a new log when the first log is considered to be complete?

a. Log archival

b. Log rotation

c. Log reduction

d. Log clearing

37. b. Log rotation is closing a log and opening a new log when the first log is considered to be complete. The primary benefits of log rotation are preserving log entries and keeping the size of logs manageable; the closed log can also be compressed to save space. Logs can be rotated through simple scripts and utility software. The other three choices do not provide rotation functions.

38. Regarding log management infrastructure functions, which of the following are often performed together?

1. Log archival

2. Log reduction

3. Log parsing

4. Log viewing

a. 1 and 2

b. 2 and 3

c. 3 and 4

d. 1, 2, 3, and 4

38. a. Log reduction is removing unneeded entries or data fields from a log to create a new log that is smaller in size. Log reduction is often performed with log archival so that only the log entries of interest are placed into long-term storage. Log parsing and log viewing are two separate activities.

39. Which of the following is used to ensure that changes to archival logs are detected?

a. Log file-integrity checking software

b. Network forensic analysis tools

c. Visualization tools

d. Log management utility software

39. a. To ensure that changes to archived logs are detected, log file-integrity checking can be performed with software. This involves calculating a message digest hash for each file and storing that message digest hash securely. The other three choices do not calculate a message digest.

40. Regarding log management infrastructure, which of the following characterizes the syslog-based centralized logging software?

1. Single standard data format

2. Proprietary data formats

3. Highly resource-intensive for hosts

4. Less resource-intensive for hosts

a. 1 and 3

b. 1 and 4

c. 2 and 3

d. 2 and 4

40. b. Syslog-based centralized logging software provides a single standard data format for log entry generation, storage, and transfer. Because it is simple in operation, it is less resource-intensive for hosts.

41. Regarding log management infrastructure, which of the following cannot take the place of others?

1. Network forensic analysis tools

2. Syslog-based centralized logging software

3. Host-based intrusion detection software

4. Security event management software

a. 1 and 2

b. 1 and 3

c. 2 and 3

d. 2 and 4

41. b. The network forensic analysis tools and host-based intrusion detection software are often part of a log management infrastructure, but they cannot take the place of syslog-based centralized logging software and security event management software. Syslog-based centralized logging software and security event management software are used as primary tools whereas network forensic analysis tools and host-based intrusion detection software are used as additional tools.

42. Which of the following are major factors to consider when designing the organizational-level log management processes?

1. Network bandwidth

2. Volume of log data to be processed

3. Configuring log sources

4. Performing log analysis

a. 1 and 2

b. 2 and 3

c. 1 and 3

d. 3 and 4

42. a. Major factors to consider in the design of organizational-level log management processes include the network bandwidth, the volume of log data to be processed, online and offline data storage, the security needs for the data, and the time and resources needed for staff to analyze the logs. Configuring log sources and performing log analysis are system-level log management processes.

43. Regarding log management, the use of which of the following is not likely to be captured in logs?

a. Data concealment tools

b. Antivirus software

c. Spyware detection and removal utility software

d. Host-based intrusion detection software

43. a. The use of most data concealment tools is unlikely to be captured in logs because their purpose is to hide activity. The other three choices are incorrect because they are examples of security applications; along with content filtering software, their use is usually logged.

44. What is the major reason why computer security incidents go unreported?

a. To avoid negative publicity

b. To fix system problems

c. To learn from system attacks

d. To take legal action against the attacker

44. a. Avoiding negative publicity is the major reason, although there are other, minor reasons. Bad news can cause current or potential clients to worry about their own sensitive information held in the organization's computer systems. Taking legal action is not done regularly because it costs significant amounts of time and money. Fixing system problems and learning from system attacks can be byproducts of a security incident. The other three choices are minor reasons, but the overriding reason is avoiding negative publicity.