NIST - SP800-92 - Log Management.pdf

Nist Sp800 92 Log Management

NIST guidance on computer security log management.

This page contains AI generated content. Errors or omissions may be present. Use human level critical thinking.
  • Q: According to NIST SP 800-92, what are the three distinct tiers of log management?
    A: Log Generation, Log Analysis and Storage, and Log Monitoring.
  • Q: What is the primary operational risk associated with 'Syslog' over UDP?
    A: The lack of guaranteed delivery, meaning critical log messages can be lost during network congestion or attacks without the sender knowing.
  • Q: How does NIST define 'Log Normalization' in the context of disparate sources?
    A: The process of converting each log entry into a standard format with consistent fields (e.g., ensuring all timestamps are UTC and IP addresses are in a standard notation).
  • Q: What specific recommendation is made regarding 'Log Preservation' for legal purposes?
    A: Logs must be stored on write-once media (WORM) or cryptographically signed to ensure integrity and admissibility in court.
  • Q: What is the recommended strategy for 'Log Rotation' on high-volume systems?
    A: Rotate logs based on size (e.g., every 100MB) rather than just time, to prevent file system exhaustion.
  • Q: Why does NIST recommend separating 'Operational' logs from 'Security' logs?
    A: To allow for different retention policies and access controls, as security logs often contain sensitive data and require stricter integrity protection.
  • Q: What is the 'Chain of Custody' requirement for log analysis?
    A: Documenting exactly who accessed the logs, when, and for what purpose to maintain their evidentiary value.
  • Q: Which specific role is responsible for defining the log retention policy?
    A: The Information Security Officer (or equivalent management role), not the system administrator.
  • Q: What is the function of a 'Log Relay' or 'Log Aggregator'?
    A: To collect logs from multiple sources and forward them to a central repository, often adding a layer of buffering and security.
  • Q: What is the NIST recommendation for 'Time Synchronization'?
    A: All log generating hosts must be synchronized via NTP to a trusted time source to enable accurate event correlation.
