Event data

Event data is a synonym for an audit trail. Modern software applications and IT infrastructure have largely adopted the term event data in place of audit trail. Events are typically recorded in logs, and there is no single standard for the format of event records: each application or device tends to emit its own layout (free-text syslog lines, delimited web-server logs, structured XML or JSON), so collecting and analysing event data usually begins with normalising records into a common schema.

Use of the term to describe audit trails is becoming more common. It appears, for example, in the documentation of the Microsoft Event Viewer, which provides visibility into events recorded in the Application, Security, System, Directory Service, File Replication Service and DNS Server logs.

Definition

Event data records are created whenever some sort of transaction occurs. They are generated at a very granular level by business applications, IT infrastructure and security systems. Almost any record that is created to document a transaction and carries a timestamp meets the definition of event data.

Individual event data records are terse and often meaningless in isolation; they become useful only when correlated with other records, typically on shared attributes such as a timestamp, user name, source address or transaction identifier.

Examples of application sources include enterprise software such as SAP and Oracle, web servers such as IIS, and thousands of others.

Examples of IT infrastructure include servers, internetworking devices manufactured by Cisco and others, telecommunication switches, storage area networks (SANs) and message queues between systems.

Examples of security systems range from authentication and access-control systems such as LDAP directories and RACF to intrusion detection systems (IDS) and other security products.

A typical organization will have hundreds of sources of event records.

A single business transaction, such as withdrawing cash from an automated teller machine (ATM) or a customer placing an order, can generate several hundred event data records spread across dozens of separate log files. It is not uncommon for organizations to generate terabytes of event data every day.

Retaining event data records and being able to inspect them quickly has become a necessity for detecting suspicious activity, insider threats and other security breaches.
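The points above, that records are meaningless in isolation, that one transaction spans many logs, and that retained events must be inspectable quickly to detect suspicious activity, can be illustrated in code. The following Python example is added here and is not part of the original article or of any product named in it. It normalises constructed sample lines from three unrelated log formats (RFC 3164 syslog, W3C extended log as written by web servers such as IIS, and JSON application events) into one schema, correlates them per user, and flags a burst of failed logins followed by a successful one together with what that user then did in the other logs. The log lines, the year and time zone assumed for the syslog entries, and the detection thresholds are all constructed for the example.

```python
"""Normalize three differently formatted logs into one schema, correlate them
per actor and flag a suspicious pattern.  All log lines are constructed for
this example.  The RFC 3164 syslog lines carry no year or time zone, so 2024
and UTC are assumed; detection thresholds are illustrative assumptions."""
import json
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample input: sshd lines via syslog, a W3C extended log as written
# by web servers such as IIS, and a JSON event from an application.
SYSLOG_LINES = [
    "Mar  4 10:15:01 bastion sshd[2210]: Failed password for alice from 203.0.113.7 port 51022 ssh2",
    "Mar  4 10:15:04 bastion sshd[2210]: Failed password for alice from 203.0.113.7 port 51023 ssh2",
    "Mar  4 10:15:07 bastion sshd[2210]: Failed password for alice from 203.0.113.7 port 51024 ssh2",
    "Mar  4 10:15:12 bastion sshd[2210]: Accepted password for alice from 203.0.113.7 port 51025 ssh2",
    "Mar  4 10:15:30 bastion cron[311]: (root) CMD (run-parts /etc/cron.hourly)",  # unrelated noise
]
W3C_LINES = [
    "#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status",
    "2024-03-04 10:16:02 203.0.113.7 alice GET /admin/export 200",
]
JSON_LINES = [
    '{"ts": "2024-03-04T10:16:05Z", "app": "payroll", "user": "alice", '
    '"action": "download_report", "src": "203.0.113.7"}',
]
UTC = timezone.utc


@dataclass
class Event:
    """Common schema every source is normalized into."""
    ts: datetime
    source: str   # which log produced the record
    actor: str    # user the record is about
    src_ip: str   # client address
    action: str
    outcome: str  # "success" or "failure"


SYSLOG_RE = re.compile(r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
                       r"(?P<host>\S+) (?P<prog>\w+)\[\d+\]: (?P<msg>.*)$")
SSH_AUTH_RE = re.compile(r"^(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)")


def parse_syslog(line, year=2024):
    """Parse an sshd authentication line; returns None for any other message."""
    m = SYSLOG_RE.match(line)
    a = SSH_AUTH_RE.match(m["msg"]) if m else None
    if not a:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S").replace(tzinfo=UTC)  # assumed year and zone
    outcome = "success" if a["result"] == "Accepted" else "failure"
    return Event(ts, f"syslog:{m['host']}/{m['prog']}", a["user"], a["ip"], "ssh_login", outcome)


def parse_w3c(lines):
    """Parse W3C extended log lines, taking column names from the #Fields directive."""
    fields, out = None, []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split()))
            ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S").replace(tzinfo=UTC)
            outcome = "success" if int(rec["sc-status"]) < 400 else "failure"
            out.append(Event(ts, "w3c:web", rec["cs-username"], rec["c-ip"],
                             f"{rec['cs-method']} {rec['cs-uri-stem']}", outcome))
    return out


def parse_json(line):
    d = json.loads(line)
    ts = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)
    return Event(ts, f"json:{d['app']}", d["user"], d["src"], d["action"], "success")


def load_all():
    """Normalize every source into one time-ordered list of Events."""
    events = [e for e in map(parse_syslog, SYSLOG_LINES) if e]
    events += parse_w3c(W3C_LINES) + [parse_json(l) for l in JSON_LINES]
    return sorted(events, key=lambda e: e.ts)


def detect_bruteforce_then_activity(events, fail_threshold=3,
                                    window=timedelta(minutes=5), follow=timedelta(minutes=10)):
    """Flag a successful login preceded by >= fail_threshold failures from the same
    address within `window`, and collect what that actor then did in the `follow`
    period across every source.  Thresholds are illustrative assumptions."""
    by_actor = defaultdict(list)
    for e in events:
        by_actor[e.actor].append(e)
    findings = []
    for actor, evs in by_actor.items():
        for i, e in enumerate(evs):
            if (e.action, e.outcome) != ("ssh_login", "success"):
                continue
            fails = [f for f in evs[:i] if f.action == "ssh_login" and f.outcome == "failure"
                     and f.src_ip == e.src_ip and e.ts - f.ts <= window]
            if len(fails) < fail_threshold:
                continue
            followup = [(g.source, g.action) for g in evs[i + 1:] if g.ts - e.ts <= follow]
            findings.append({"actor": actor, "src_ip": e.src_ip, "failures": len(fails),
                             "login_at": e.ts.isoformat(), "followup": followup})
    return findings


if __name__ == "__main__":
    for finding in detect_bruteforce_then_activity(load_all()):
        print(finding)
```

Running the script prints one finding for alice: three failures from 203.0.113.7 within five minutes of the accepted login, followed by an administrative export on the web server and a report download in the payroll application. None of the three logs shows anything alarming on its own; the pattern only appears once the records share a schema and are keyed on the same user and address.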

Regulatory compliance implications

Since the passage of the Sarbanes-Oxley Act of 2002 and other regulatory compliance mandates, retention of event data has become a requirement for passing audits.

EU Data Retention Directive implications

Legislation tied to combating terrorism, such as the EU Data Retention Directive (Directive 2006/24/EC), which the European Union said was necessary to help fight terrorism and organized crime, was adopted by justice ministers in Brussels in 2006. Internet service providers and fixed-line and mobile operators were required to keep details of their customers' communications for up to two years.

Information including the date, destination and duration of communications was to be stored and made available to law enforcement authorities for between six and 24 months, although the content of such communications would not be recorded. Service providers had to bear the costs of the storage themselves.

EU countries had until 15 September 2007 to implement the directive, which was initially proposed after the Madrid train bombings in 2004. The directive was subsequently declared invalid by the Court of Justice of the European Union in April 2014 (Digital Rights Ireland, joined cases C-293/12 and C-594/12) as a disproportionate interference with the rights to privacy and the protection of personal data.