35. d. Log parsing is extracting data from log entries so that the parsed values can be used as input for another logging process, for example, reading an extensible markup language (XML)-format log and writing its entries out as a plaintext file (log conversion). Parsing underlies other log functions such as log filtering, log aggregation, log normalization, and log correlation, which all operate on the parsed values.
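The parse-then-convert step described above, as an added example that is not part of the original page: the XML element and attribute names and the sample log are constructed assumptions, and the plaintext output escapes embedded newlines so a crafted message cannot forge an extra log line.

```python
# Added example (not from the page): parse an XML-format log and convert the
# parsed entries into a plaintext, one-entry-per-line log.
import xml.etree.ElementTree as ET

# Constructed sample log; the <log>/<entry>/<msg> schema is an assumption.
SAMPLE_XML_LOG = """<?xml version="1.0"?>
<log>
  <entry ts="2024-03-01T10:00:01Z" host="web01" severity="info">
    <msg>GET /index.html 200</msg>
  </entry>
  <entry ts="2024-03-01T10:00:02Z" host="web01" severity="warning">
    <msg>GET /admin 403</msg>
  </entry>
</log>
"""


def parse_xml_log(xml_text):
    """Parse an XML log into a list of dicts (ts, host, severity, msg).

    Parsing only extracts the values; conversion, filtering and viewing are
    separate steps that consume them. For logs from untrusted sources prefer
    a hardened parser such as defusedxml, since stdlib XML parsers have
    historically been exposed to entity-expansion (billion laughs) attacks.
    """
    root = ET.fromstring(xml_text)
    entries = []
    for entry in root.findall("entry"):
        entries.append({
            "ts": entry.get("ts", ""),
            "host": entry.get("host", ""),
            "severity": entry.get("severity", ""),
            "msg": entry.findtext("msg", default="").strip(),
        })
    return entries


def convert_to_plaintext(entries):
    """Convert parsed entries into a plaintext log, one entry per line.

    CR/LF inside a message are escaped so a hostile message cannot inject a
    fake second line into the converted log (log injection).
    """
    lines = []
    for e in entries:
        safe_msg = e["msg"].replace("\r", "\\r").replace("\n", "\\n")
        lines.append(f'{e["ts"]} {e["host"]} {e["severity"]}: {safe_msg}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(convert_to_plaintext(parse_xml_log(SAMPLE_XML_LOG)), end="")
```

The two functions are kept separate on purpose: the parser returns structured values, so the same parsed entries could feed a filter, an aggregator, or a viewer instead of the plaintext converter.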
36. Major categories of log management infrastructures are based on which of the following?
1. Syslog-based centralized logging software
2. Security event management software
3. Network forensic analysis tools
4. Host-based intrusion detection systems
a. 1 and 2
b. 2 and 3
c. 3 and 4
d. 1, 2, 3, and 4
36. a. Log management infrastructures are typically based on one of the two major categories of log management software: syslog-based centralized logging software and security event management (SEM) software. Network forensic analysis tools and host-based intrusion detection systems are examples of additional, supplementary types of log management software rather than a basis for the infrastructure.
37. Regarding log management infrastructure functions, which of the following defines closing a log and opening a new log when the first log is considered to be complete?
a. Log archival
b. Log rotation
c. Log reduction
d. Log clearing
37. b. Log rotation is closing a log and opening a new log when the first log is considered to be complete, typically on a schedule or when the log reaches a given size. Its primary benefits are preserving log entries and keeping the size of logs manageable; the rotated log can then be compressed to save space. Rotation is performed by the logging software itself, by simple scripts, or by utility software. The other three functions do not rotate logs.
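A size-triggered rotation of the kind described above, as an added example that is not part of the original page: the log path, the 400-byte threshold and the sample entries are constructed assumptions. The live file is renamed before it is compressed and only removed afterwards, so no entries are lost, and old archives are pruned to keep total size bounded.

```python
# Added example (not from the page): rotate a log once it is "complete"
# (here: reaches a size threshold), gzip the rotated copy, open a new log.
import glob
import gzip
import os
import shutil
import tempfile
import time


def rotate_log(path, keep=3):
    """Close the current log at `path`, preserve it as a compressed archive
    and open a fresh log. Returns the archive path.

    Order matters for preservation: rename first (atomic on POSIX), then
    compress, then delete the renamed copy. A writer that still holds the old
    file open keeps writing to the renamed inode until it reopens the path,
    which is why real rotation also signals the daemon (e.g. SIGHUP) to reopen.
    """
    rotating = f"{path}.rotating"
    os.replace(path, rotating)
    # New live log with restrictive permissions; O_EXCL refuses to follow a
    # pre-planted file or symlink at that path.
    os.close(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640))
    stamp = time.time_ns()
    archive = f"{path}.{stamp}.gz"
    while os.path.exists(archive):          # never overwrite an earlier archive
        stamp += 1
        archive = f"{path}.{stamp}.gz"
    with open(rotating, "rb") as src, gzip.open(archive, "wb") as dst:
        shutil.copyfileobj(src, dst)
    os.remove(rotating)
    prune_archives(path, keep)
    return archive


def prune_archives(path, keep):
    """Delete the oldest archives so that at most `keep` remain."""
    archives = sorted(glob.glob(f"{glob.escape(path)}.*.gz"))  # names sort by time
    for old in (archives[:-keep] if keep > 0 else archives):
        os.remove(old)


def rotate_if_complete(path, max_bytes, keep=3):
    """Treat the log as complete once it reaches `max_bytes`."""
    if os.path.exists(path) and os.path.getsize(path) >= max_bytes:
        return rotate_log(path, keep)
    return None


def demo():
    """Append constructed entries to a temporary log, rotating at 400 bytes
    and keeping two archives; returns counts a caller can check."""
    workdir = tempfile.mkdtemp()
    live = os.path.join(workdir, "app.log")
    archives = []
    for i in range(50):
        with open(live, "a") as f:
            f.write(f"2024-03-01T10:00:{i:02d}Z web01 info: request {i}\n")
        archive = rotate_if_complete(live, max_bytes=400, keep=2)
        if archive:
            archives.append(archive)
    retained = [a for a in archives if os.path.exists(a)]
    recovered = 0
    for a in retained:
        with gzip.open(a, "rt") as f:
            recovered += sum(1 for _ in f)
    with open(live) as f:
        recovered += sum(1 for _ in f)
    return {"rotations": len(archives), "retained": len(retained),
            "recovered_entries": recovered}


if __name__ == "__main__":
    print(demo())
```

With 43- to 44-byte entries and a 400-byte threshold, every tenth entry triggers a rotation, so 50 entries produce five archives; keeping two means the last twenty entries remain recoverable from the retained archives. A production rotation additionally records the archive in an integrity manifest, which is the subject of question 39.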
38. Regarding log management infrastructure functions, which one of the following is often performed with the other?
1. Log archival
2. Log reduction
3. Log parsing
4. Log viewing
a. 1 and 2
b. 2 and 3
c. 3 and 4
d. 1, 2, 3, and 4
38. a. Log reduction is removing unneeded entries or data fields from a log to create a new log that is smaller in size. Log reduction is often performed with log archival so that only the log entries of interest are placed into long-term storage. Log parsing and log viewing are two separate activities.
39. Which of the following is used to ensure that changes to archival logs are detected?
a. Log file-integrity checking software
b. Network forensic analysis tools
c. Visualization tools
d. Log management utility software
39. a. To ensure that changes to archived logs are detected, log file-integrity checking can be performed with software. This involves calculating a message digest (hash) for each archived file and storing that digest securely, separate from the logs themselves, so that a freshly computed digest can later be compared against it; any mismatch indicates that the file was altered. The other three choices do not calculate a message digest.
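Log reduction followed by archival (question 38) and the integrity check on the archived file (question 39), as one added example that is not part of the original page: the syslog-like sample lines, the file names and the JSON manifest are constructed assumptions. The demo also simulates an attacker trimming the archive and shows that the stored SHA-256 digest exposes the change.

```python
# Added example (not from the page): reduce a log to the entries of interest,
# archive the reduced log, record its SHA-256 in a manifest, verify later.
import hashlib
import hmac
import json
import os
import tempfile

# Constructed sample log lines (single-host, syslog-like plaintext); not real data.
SAMPLE_LOG = [
    "2024-03-01T10:00:01Z web01 sshd: Accepted publickey for alice from 10.0.0.5",
    "2024-03-01T10:00:02Z web01 cron: (root) CMD (run-parts /etc/cron.hourly)",
    "2024-03-01T10:00:03Z web01 sshd: Failed password for root from 203.0.113.9",
    "2024-03-01T10:00:04Z web01 kernel: eth0: link is up",
    "2024-03-01T10:00:05Z web01 sshd: Failed password for root from 203.0.113.9",
]


def reduce_log(lines, programs=("sshd",)):
    """Log reduction: keep only entries from `programs` and drop the host
    field, which is constant for a single-host log, to shrink each entry."""
    kept = []
    for line in lines:
        parts = line.split(" ", 3)          # ts, host, "prog:", message
        if len(parts) < 4:
            continue                        # malformed line: not archived
        ts, _host, prog, msg = parts
        if prog.rstrip(":") in programs:
            kept.append(f"{ts} {prog} {msg}")
    return kept


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def archive_with_digest(lines, archive_path, manifest_path):
    """Write the reduced log and record its digest in the manifest.

    The manifest stands in for "stored securely": in practice it belongs on a
    separate, write-once or tightly access-controlled system, not beside the
    archive, or an attacker simply updates both.
    """
    with open(archive_path, "w") as f:
        f.write("\n".join(lines) + "\n")
    digest = sha256_file(archive_path)
    manifest = {}
    if os.path.exists(manifest_path):
        with open(manifest_path) as f:
            manifest = json.load(f)
    manifest[os.path.basename(archive_path)] = digest
    with open(manifest_path, "w") as f:
        json.dump(manifest, f)
    return digest


def verify_archive(archive_path, manifest_path):
    """True only if the archive still matches its recorded digest."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    expected = manifest.get(os.path.basename(archive_path))
    if expected is None:
        return False                        # unknown archive: treat as untrusted
    return hmac.compare_digest(expected, sha256_file(archive_path))


def demo():
    workdir = tempfile.mkdtemp()
    archive = os.path.join(workdir, "auth-2024-03-01.log")
    manifest = os.path.join(workdir, "manifest.json")
    reduced = reduce_log(SAMPLE_LOG)
    archive_with_digest(reduced, archive, manifest)
    intact = verify_archive(archive, manifest)
    # Simulate an attacker deleting the failed-login entries from the archive.
    with open(archive, "w") as f:
        f.write(reduced[0] + "\n")
    tampered_detected = not verify_archive(archive, manifest)
    return {"reduced_entries": len(reduced), "intact": intact,
            "detected": tampered_detected}


if __name__ == "__main__":
    print(demo())
```

A plain hash only detects modification when the attacker cannot also rewrite the manifest; where that cannot be guaranteed, the same structure works with an HMAC or a signature over the digest using a key the log host does not hold.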
40. Regarding log management infrastructure, which of the following characterizes the syslog-based centralized logging software?
1. Single standard data format
2. Proprietary data formats
3. High resource-intensive for hosts
4. Low resource-intensive for hosts
a. 1 and 3
b. 1 and 4
c. 2 and 3
d. 2 and 4
40. b. Syslog-based centralized logging software provides a single standard data format for log entry generation, storage, and transfer. Because it is simple in operation, it is less resource-intensive for hosts. The trade-off is that traditional syslog transport over UDP offers no delivery guarantee, integrity, or confidentiality protection for entries in transit, so those have to be added separately (for example, syslog over TLS).
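The "single standard data format" is the syslog header, in particular the PRI value that encodes facility and severity as facility*8 + severity. The decoder below is an added example, not part of the original page; it handles both the RFC 5424 and the older RFC 3164 header layout, and the three sample messages are constructed.

```python
# Added example (not from the page): decode the standard syslog header that
# gives syslog-based logging its single data format, then summarise by severity.
import re
from collections import Counter

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"] + \
             [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]
RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|(?:\[[^\]]*\])+)"
    r"(?: (?P<msg>.*))?$")
# RFC 3164 (BSD syslog): <PRI>Mmm dd hh:mm:ss HOSTNAME TAG[PID]: MSG
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<app>[^:\[\s]+)(?:\[(?P<procid>\d+)\])?: ?(?P<msg>.*)$")

# Constructed sample messages (not captured traffic).
SAMPLE_MESSAGES = [
    "<34>1 2024-03-01T10:00:03Z web01 sshd 1234 ID47 - Failed password for root from 203.0.113.9",
    "<13>Mar  1 10:00:04 web01 cron[512]: (root) CMD (run-parts /etc/cron.hourly)",
    '<30>1 2024-03-01T10:00:05Z web01 myapp - - [ex@32473 user="alice"] login ok',
]


def parse_syslog(line):
    """Return a dict with format, facility, severity, host, app, msg,
    or None if the line is not a well-formed syslog message."""
    for fmt, rx in (("rfc5424", RFC5424_RE), ("rfc3164", RFC3164_RE)):
        m = rx.match(line)
        if not m:
            continue
        pri = int(m.group("pri"))
        if pri > 191:                      # facility would exceed 23: malformed
            return None
        return {"format": fmt,
                "facility": FACILITIES[pri >> 3],   # PRI = facility*8 + severity
                "severity": SEVERITIES[pri & 7],
                "host": m.group("host"),
                "app": m.group("app"),
                "msg": m.group("msg") or ""}
    return None


def count_by_severity(lines):
    """Cheap host-side summary: how many parseable messages per severity."""
    return dict(Counter(r["severity"] for r in map(parse_syslog, lines) if r))


if __name__ == "__main__":
    for line in SAMPLE_MESSAGES:
        print(parse_syslog(line))
    print(count_by_severity(SAMPLE_MESSAGES))
```

Because the format is fixed and the decoding is a shift and a mask, this is all a host needs to do before forwarding, which is the low resource cost the answer refers to. Messages the decoder rejects should be counted rather than silently dropped, since a flood of unparseable input is itself worth noticing.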
41. Regarding log management infrastructure, which of the following cannot take the place of others?
1. Network forensic analysis tools
2. Syslog-based centralized logging software
3. Host-based intrusion detection software
4. Security event management software
a. 1 and 2
b. 1 and 3
c. 2 and 3
d. 2 and 4
41. b. The network forensic analysis tools and host-based intrusion detection software are often part of a log management infrastructure, but they cannot take the place of syslog-based centralized logging software and security event management software. Syslog-based centralized logging software and security event management software are used as primary tools whereas network forensic analysis tools and host-based intrusion detection software are used as additional tools.
42. Which of the following are major factors to consider when designing the organizational-level log management processes?
1. Network bandwidth
2. Volume of log data to be processed
3. Configuration log sources
4. Performing log analysis