Security Structure

Lesson 8: Auditing strategy
Objective: How do I plan an auditing strategy?

Auditing the overall Security Plan

Auditing is an important aspect of an overall security plan. Most modern systems can record all their activity in log files. These logs enable you to determine the effectiveness of your security implementation. Through these activity logs, you can usually determine whether a disallowed activity occurred and how it was able to occur.

Logging activity

Information about who has logged on, when, and for how long should be investigated for:
  1. System access during non-business hours
  2. Long periods of logon time for users with mid- to high-level access rights
  3. Activity at any time when the user would be expected to be logged off, such as when a user is on vacation

Sorting log information

Sort logs in several ways to identify possible problems. Analyze your access logs by:
  1. User: to identify extended logon times, failed logon attempts, and resource utilization
  2. Supervisors, consultants, and administrators: to identify unusual activity
  3. Network address: to identify users and their expected network address
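
The checks from the two lists above, applied to session records, as an added example that is not part of the original lesson. The session records, business hours, session-length limit, vacation calendar, and expected-address table are all constructed assumptions.

```python
from datetime import datetime, date, time, timedelta

FMT = "%Y-%m-%d %H:%M"

# Constructed sample records: (user, role, source address, logon, logoff)
SESSIONS = [
    ("alice", "user",  "10.0.0.21",  "2024-03-04 09:02", "2024-03-04 17:10"),
    ("bob",   "admin", "10.0.0.5",   "2024-03-04 08:30", "2024-03-05 01:45"),
    ("carol", "user",  "10.0.0.33",  "2024-03-06 02:14", "2024-03-06 02:50"),
    ("dave",  "user",  "10.0.0.40",  "2024-03-07 10:00", "2024-03-07 11:00"),
    ("alice", "user",  "192.0.2.77", "2024-03-08 13:00", "2024-03-08 13:20"),
]

# Assumed site policy; adjust to your own environment.
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)
MAX_PRIVILEGED_SESSION = timedelta(hours=10)
PRIVILEGED_ROLES = {"admin", "supervisor", "consultant"}
VACATION = {"dave": (date(2024, 3, 4), date(2024, 3, 8))}
EXPECTED_ADDRESS = {"alice": "10.0.0.21", "bob": "10.0.0.5",
                    "carol": "10.0.0.33", "dave": "10.0.0.40"}

def audit(sessions):
    """Return (user, logon, reasons) for every session that needs review."""
    findings = []
    for user, role, addr, start_s, end_s in sessions:
        start = datetime.strptime(start_s, FMT)
        end = datetime.strptime(end_s, FMT)
        reasons = []
        # 1. Access on a weekend or outside business hours
        if start.weekday() >= 5 or not (BUSINESS_START <= start.time() < BUSINESS_END):
            reasons.append("off-hours")
        # 2. Long session held by an account with elevated rights
        if role in PRIVILEGED_ROLES and end - start > MAX_PRIVILEGED_SESSION:
            reasons.append("long-privileged-session")
        # 3. Logon while the user is expected to be away
        away = VACATION.get(user)
        if away and away[0] <= start.date() <= away[1]:
            reasons.append("logon-while-away")
        # Network address differs from the one expected for this user
        if EXPECTED_ADDRESS.get(user) != addr:
            reasons.append("unexpected-address")
        if reasons:
            findings.append((user, start_s, reasons))
    return sorted(findings)  # sorted by user, then logon time

if __name__ == "__main__":
    for user, logon, reasons in audit(SESSIONS):
        print(f"{user:6} {logon}  {', '.join(reasons)}")
```
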

Log files should be secured to allow only the most privileged accounts of the operating system to access or write to them.
You should also change the default location for log file storage. Log files are hacker targets because they contain the evidence of hacker activities.