This booklet describes how to build an infrastructure to collect, preserve, and extract useful information from your computer operating system and application logs. We will focus primarily on UNIX syslog, with some discussion of Windows logging and other sources of log data. Logfiles hold a wealth of information, from resource utilization diagnostics to problems with hardware and software, security problems, and forensic traces of intrusions. Unfortunately, there's an awful lot of information in log files, and it's not well organized or codified. Formats of messages, even timestamps, vary between applications, and sometimes even between different versions of the same application; different operating system distributions will use different messages to record the same event; and the information you need may be spread out over several messages.

Many system administrators have been told to "go figure out those logs." It's a daunting task: there's an awful lot of data, little of which seems to be useful or pertinent, at least at first glance. If you did persevere, you probably built a monitoring system based on the relatively random data that showed up early on, without recognizing that the project would get a lot easier if you thought about what you'd really like to know before you started putting the pieces in place.

We're going to change all that. The goal of this book is not to teach you how to interpret log files from any particular system (how would we pick?), how to write Perl scripts, or how to rewrite syslog. It's to provide an overview of the sorts of information your logfiles can give you: how an archetypal UNIX log system (syslog) works, how to consolidate your UNIX and Windows XP/2000 logging, and how to monitor your network for intrusion detection, forensic analysis, and chaos reduction.