The invention relates to the log messages generated by computer applications; and more particularly, to new methods and systems for logging of computer generated log messages.
Computers and computer systems, such as servers, personal computers, web servers, mainframe computers, workstations and the like, and the software applications running on such systems typically generate log messages recording the activity performed by them. For instance, the log messages may include information regarding log-in attempts, user identity, user log-in information, date and time, data accessed, data requested, applications accessed, etc. The log messages are logged (maintained and stored) in a log file which generally includes numerous log messages from the computer. A typical example of logging of computer-generated log messages is web server logging. The logging of a web application will typically include log-in attempts, client log-in information (such as username and IP address), pages requested, bytes served, access and usage of confidential data, among other log data.
The log messages have various purposes, such as security, analyzing application, system and/or network operations and regulatory compliance. For instance, the log messages can be used for security purposes, such as identifying and preventing potential security attacks, unauthorized intrusions and security breaches. For example, a brute force attack attempting to log-in using trial and error usernames and/or passwords may be identified and blocked by managing the log messages from the targeted computer system. The log messages may also be utilized for website administration, managing server and hosting resources, usability analysis, performance analysis, and marketing and organizational planning.
Log management and intelligence tools may be utilized to aggregate, retain and analyze the potentially enormous volumes of logs generated by a busy computer system. The log management tools may determine the type and level of detail to log, how long to retain the logs, and other configuration settings. The log management tools may include log analyzers for analyzing the logs. The log analyzers can be configured to detect security issues, and to perform analysis useful for the other functions of log messages described above.
Current logging methods and systems log at a specified detail level, until a user, such as a network administrator, modifies the detail level for some reason. For instance, under normal conditions, the detail level typically includes only a subset of the full set of logging information accessible for logging by the system. In addition, the amount of logging may be limited by the amount of bandwidth available for logging, such as a number of licenses or computing resources available. Moreover, logging has a real cost in terms of data transmission bandwidth, storage resources, and computing resources. Therefore, maximum logging at all times may be inefficient and costly. This baseline detail level of logging is preferably enough to detect or correlate a potential security event, and to provide sufficient information for analyzing operations and for marketing purposes.
If an event occurs, such as the detection of a potential security breach, or a need for more detailed operational or marketing analysis, the system is manually adjusted to modify the logging configuration to change the detail level of logging. For example, if a potential security breach is detected, an alert, warning or red flag is sent to a network administrator in the form of an email, SMS, pager message, or other notification. Then, the network administrator must modify the logging configuration to modify the logging detail. In the case of a potential security breach, the network administrator will increase the detail level of logging to include enough information to verify whether a security breach has occurred, and to investigate the potential breach. After the event has been resolved, the network administrator will typically configure the logging back to the baseline detail level.
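The cycle described above (a baseline detail level that records only a subset of the available fields, a detector that flags an event such as a brute-force log-in attempt, an increase in detail level while the event is investigated, and a return to baseline once it is resolved) can be modelled in a few dozen lines. The following is an added illustration written for this edit, not code from the patent or any product it describes; the level names (`BASELINE`, `VERBOSE`, `FULL`), the field sets per level, the log line format and the sample log lines are all constructed for the example. Here the "resolved" step is driven by a log line so the whole cycle runs offline; in the manual process the text describes, that step is the administrator's own configuration change.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Ordered detail levels, least to most verbose (assumed names for this example).
LEVELS = ("BASELINE", "VERBOSE", "FULL")

# Which fields each level records; BASELINE deliberately keeps only a subset (assumption).
FIELDS_BY_LEVEL = {
    "BASELINE": ("ts", "event", "ip"),
    "VERBOSE": ("ts", "event", "ip", "user"),
    "FULL": ("ts", "event", "ip", "user", "raw"),
}

# Constructed log line format: "<iso timestamp> <EVENT> [user=<u>] [ip=<addr>]".
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\w+)(?: user=(?P<user>\S+))?(?: ip=(?P<ip>\S+))?")

# Constructed sample log: three failed log-ins from one address inside a minute, then resolution.
SAMPLE_LOG = """\
2024-03-01T10:00:00 LOGIN_OK user=alice ip=192.0.2.10
2024-03-01T10:00:05 LOGIN_FAIL user=admin ip=203.0.113.7
2024-03-01T10:00:09 LOGIN_FAIL user=admin ip=203.0.113.7
2024-03-01T10:00:14 LOGIN_FAIL user=root ip=203.0.113.7
2024-03-01T10:00:20 PAGE_REQUEST user=alice ip=192.0.2.10
2024-03-01T10:03:00 INCIDENT_RESOLVED
"""


class LoggingConfig:
    """Active detail level plus an audit trail of every change and its reason."""

    def __init__(self, baseline="BASELINE"):
        self.baseline = baseline
        self.level = baseline
        self.history = []  # (timestamp, new_level, reason)

    def escalate(self, ts, level, reason):
        # Only ever move to a more detailed level during an event; never drop detail here.
        if LEVELS.index(level) > LEVELS.index(self.level):
            self.level = level
            self.history.append((ts, level, reason))

    def reset(self, ts, reason):
        # Return to the baseline level once the event has been resolved.
        if self.level != self.baseline:
            self.level = self.baseline
            self.history.append((ts, self.baseline, reason))


class BruteForceDetector:
    """Flags an IP address once it has `threshold` failed log-ins inside a sliding window."""

    def __init__(self, threshold=3, window=timedelta(seconds=60)):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures

    def observe(self, ts, ip):
        recent = self.failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()  # drop failures that fell outside the window
        return len(recent) >= self.threshold


def parse(line):
    """Parse one constructed-format log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["raw"] = line
    return rec


def process_log(lines, config=None, detector=None):
    """Replay log lines, escalating detail on a detected event and resetting on resolution.

    Returns (config, written) where `written` holds the record actually stored for each
    line, trimmed to the fields allowed by the detail level in force at that moment.
    """
    config = config or LoggingConfig()
    detector = detector or BruteForceDetector()
    flagged = set()
    written = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if rec["event"] == "LOGIN_FAIL" and rec["ip"]:
            if detector.observe(rec["ts"], rec["ip"]) and rec["ip"] not in flagged:
                flagged.add(rec["ip"])
                config.escalate(rec["ts"], "FULL", f"brute-force suspected from {rec['ip']}")
        elif rec["event"] == "INCIDENT_RESOLVED":
            config.reset(rec["ts"], "incident resolved")
        # Store only the fields the current level permits.
        written.append({k: rec[k] for k in FIELDS_BY_LEVEL[config.level]})
    return config, written


if __name__ == "__main__":
    cfg, out = process_log(SAMPLE_LOG.splitlines())
    for ts, level, reason in cfg.history:
        print(f"{ts.isoformat()} -> {level}: {reason}")
    for rec in out:
        print(rec)
```

Replaying the sample shows the third failed log-in at 10:00:14 switching the level to `FULL`, the subsequent page request being stored with its `user` and `raw` fields, and the resolution line returning the level to `BASELINE`. The `history` list is the piece a practitioner would keep in a real deployment: it records who or what changed the detail level and why, which is itself evidence an investigator will want.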
Accordingly, there is a need for a more efficient method and system for modifying logging of computer generated log messages.