In many industries, such as the financial services and healthcare industries, enterprises are compelled by strict records-retention regulations to archive important data, including emails, documents, patient records, audit information, and other types of data. In some cases, archiving the data is not enough. Some records-retention regulations require that event logs, which include system data about archiving operations, also be retained. If backup data is found to be missing for some unexplained reason, an event log may indicate whether the data was properly archived to begin with. For example, an event log may include data about archiving operations, such as: the date and time an archival backup operation occurred; details about the particular data that was backed up; the location where the backup data was written; the user-id of the person who initiated the backup operation; and whether the backup operation completed successfully. The data in an event log may prove critically important in the case of an internal investigation, or an investigation initiated by a government agency. Therefore, it is necessary to ensure the integrity of logged event data by ensuring that logged event data is complete, accurate, and verifiable.
Many traditional event logging systems have been designed to aid information technology personnel in troubleshooting situations, but these traditional event logging systems do not provide the reliability and security required to meet the requirements of strict records-retention regulations. One of the more common problems with traditional event logging systems is the possibility of losing event data in a log file. For example, in a traditional event logging system, event data may be lost in a number of situations, including when a system administrator inadvertently creates a new log file having the same name as a previous log file, resulting in existing event data being overwritten with new event data.
Another situation in which data may be lost is when a log volume (e.g., a volume storing one or more log files) has insufficient disk space to store new event data. For example, after a backup operation completes, event data is typically generated and appended to a log file on a log volume. If, however, the log volume is full, the event data may not be successfully appended to the log file. Consequently, important event data may be lost.
Another problem with traditional event logging systems is that they are susceptible to tampering. For example, many traditional event logging systems do not adequately protect log files from being modified or deleted by users. In an attempt to thwart an investigation, a user may delete incriminating archived data and then modify or delete the corresponding event data in the log file to make it appear as though the deleted archived data never existed. Alternatively, a user may generate false backup data and then append false event data to a log file, making it appear as though the archived data is the result of a legitimate backup operation.
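A tamper-evident log of the kind the text calls for (complete, accurate, verifiable), as an added example that is not part of the original document: each record carries an HMAC tag that also covers the previous record's tag, so modifying or deleting a record breaks the chain, a record appended without the logging service's key fails verification, and silent truncation (as with an overwritten log file) is caught when the latest tag is also kept in a separate location. The key, field names and sample events are assumptions constructed for this example.

```python
import hashlib
import hmac
import json
# Assumption for this example: the logging service holds a key that ordinary
# users cannot read, so they cannot compute valid tags for forged records.
LOG_KEY = b"example-log-service-key"  # constructed placeholder, not a real key
GENESIS = "0" * 64                     # "previous tag" of the first record

def record_tag(prev_tag, event):
    """Tag covers the event body and the previous record's tag (a chain)."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(LOG_KEY, prev_tag.encode() + body, hashlib.sha256).hexdigest()

def append_event(log, event):
    """Append-only write: each new record is linked to the current head."""
    prev_tag = log[-1]["tag"] if log else GENESIS
    log.append({"event": event, "prev": prev_tag, "tag": record_tag(prev_tag, event)})
    return log

def verify_log(log, expected_head=None):
    """Return (ok, index of first bad record or None). Records dropped from the
    tail are only caught if the last tag was kept elsewhere (expected_head)."""
    prev_tag = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != prev_tag or not hmac.compare_digest(
                record_tag(prev_tag, rec["event"]), rec["tag"]):
            return False, i  # modified, deleted or forged record detected here
        prev_tag = rec["tag"]
    if expected_head is not None and prev_tag != expected_head:
        return False, len(log)  # chain is valid but shorter than it should be
    return True, None

SAMPLE_EVENTS = [  # constructed sample events, with the fields the text lists
    {"time": "2024-01-05T02:00:00Z", "data": "mailstore-2023Q4", "location": "/archive/vol1", "user": "backup-svc", "success": True},
    {"time": "2024-01-06T02:00:00Z", "data": "patient-records-2023", "location": "/archive/vol1", "user": "backup-svc", "success": True},
    {"time": "2024-01-07T02:00:00Z", "data": "audit-2023", "location": "/archive/vol2", "user": "jdoe", "success": False},
]
SAMPLE_LOG = []
for _event in SAMPLE_EVENTS:
    append_event(SAMPLE_LOG, _event)

def tamper(log, index, action):
    """Tamper with a copy: 'modify' flips success without re-tagging; 'delete' drops the record."""
    bad = json.loads(json.dumps(log))  # deep copy, keeps the original intact
    if action == "modify":
        bad[index]["event"]["success"] = not bad[index]["event"]["success"]
    else:
        del bad[index]
    return bad
```

Storing the head tag separately (for instance on write-once media or with a second party) is what turns "someone shortened the log" from undetectable into a verification failure.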