Improving Perspective with Host Logging

Monitoring an enterprise from network devices—namely routers, firewalls, and IDPs—benefits from a broad vantage point. With good network device coverage, an analyst should be able to monitor most if not all of the hosts in the enterprise. However, in addition to the limitations of network-based analysis described previously, there is one further limitation: the network alerts can’t provide insight into how the systems are affected by an attack. Were accounts created or successfully accessed? Were files changed or downloaded? Did key services fail?

The host can contribute perspective on security incidents through logging from three key technologies: operating systems, server applications, and security technologies. In theory, leveraging operating system logs sounds important, but in practice these logs by themselves have somewhat limited value. Most logs on a system are designed to record only a narrow set of activities, expected conditions, and errors. Considering that most vulnerabilities explicitly bypass some control within the operating system, you can reasonably expect their exploitation to be logged only partially, or not at all.

In contrast, some server applications, specifically network-based applications such as databases and web servers, tend to log all requests obtained from the network and host alike. They can capture in detail arguments passed and commands executed, and provide a wealth of contextual ...
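To show the kind of perspective a web server's request log adds to a network alert, here is an added example (not from the book): it parses a constructed sample of Apache-style combined access log lines and, given the source address and time of a hypothetical IDS alert, reports which requests from that address actually succeeded and how much data they fetched. The log lines, addresses, and alert time are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample access log in Apache/nginx "combined" format (not real traffic).
ACCESS_LOG = """\
203.0.113.7 - - [10/Mar/2024:14:02:11 +0000] "GET /login.php?user=admin HTTP/1.1" 200 1532 "-" "curl/8.4"
203.0.113.7 - - [10/Mar/2024:14:02:13 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "curl/8.4"
203.0.113.7 - - [10/Mar/2024:14:02:20 +0000] "GET /admin/export.php?file=users.csv HTTP/1.1" 200 88321 "-" "curl/8.4"
198.51.100.9 - - [10/Mar/2024:14:05:00 +0000] "GET /index.html HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
"""

# Hypothetical network alert: the IDS tells us only source address and time.
SAMPLE_ALERT_IP = "203.0.113.7"
SAMPLE_ALERT_TIME = datetime(2024, 3, 10, 14, 2, 15, tzinfo=timezone.utc)

# Fields of a combined-format line: client IP, timestamp, request line, status, response size.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_access_log(text):
    """Parse combined-format lines into dicts; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
        d["status"] = int(d["status"])
        d["size"] = 0 if d["size"] == "-" else int(d["size"])  # "-" means no body sent
        entries.append(d)
    return entries

def host_context_for_alert(entries, src_ip, alert_time, window_s=60):
    """Host-side view of a network alert: the requests from src_ip within
    window_s seconds of the alert, which of them succeeded, and bytes served.
    This is what the alert alone cannot tell you (paths, arguments, outcomes)."""
    lo, hi = alert_time - timedelta(seconds=window_s), alert_time + timedelta(seconds=window_s)
    hits = [e for e in entries if e["ip"] == src_ip and lo <= e["ts"] <= hi]
    return {
        "requests": [(e["method"], e["path"], e["status"]) for e in hits],
        "succeeded": sum(1 for e in hits if 200 <= e["status"] < 400),
        "bytes_served": sum(e["size"] for e in hits),
    }

if __name__ == "__main__":
    ctx = host_context_for_alert(parse_access_log(ACCESS_LOG), SAMPLE_ALERT_IP, SAMPLE_ALERT_TIME)
    print(ctx)
```

The same correlation applies to database query logs or application logs, as long as each record carries a client identifier and a timestamp that can be lined up with the network alert.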
