Using Lamport’s Logical Clocks to Consolidate Log Files from Different Sources

  • Roberto Gómez
  • Jorge Herrerias
  • Erika Mata
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3908)


Event logging and log files are playing an important role in system and network security. Log files record computer system activities, are used to provide requirements of reliability, security and accountability applications. Information stored in log files can be obtained from different devices, not necessarily clock synchronized, and they do not arrive in the same order they are generated. Nevertheless, log information has to be coherent in time to be useful. To support the events we propose to use Lamport’s logic clocks, originated at different sources, in a causal relationship. As a result the administrator will count all the events involved general idea in a computer incident. A model implementation is also presented.


Intrusion Detection Intrusion Detection System Text Line Internal Clock Network Address Translation 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Lamport, L.: Time, clocks, and the ordering of events in a distributed system. Communications of the ACM 27(7), 558–565 (1978)CrossRefMATHGoogle Scholar
  2. 2.
    Finlayson, R.S., Chcriton, D.K.: Log files: an extended file service exploiting write-once storage. In: Proceedings of the eleventh ACM Symposium on Operating systems principles, Austin, Texas, USA, pp. 139–148 (1987)Google Scholar
  3. 3.
    Pitts, D.: Log Consolidation with syslog December 23, 2000, SANS Institute (2000–2002)Google Scholar
  4. 4.
    Ahmad, A., Ruighaver, A.B.: Design of a Network-Access Audit Log for Security Monitoring and Forensic Investigation. In: Proceedings of the 1st Australian Computer Network, Information & Forensics Conference, Perth November 24 (2003)Google Scholar
  5. 5.
    Internet Draft: draft-ietf-idwg-idmef-xml-12, The Intrusion Detection Message Exchange Format, IETF Intrusion Detection Exchange Format Working Group, July 8 (2004)Google Scholar
  6. 6.
    Gómez, R., Herrerías, J.: An example of communication between security tools: Iptables –Snort. ACM Operating Systems Revies (submitted)Google Scholar
  7. 7.
    Bishop, M.: A Standard Audit Trail Format. In: Proceedings of the Eighteenth National Information Systems Security Conference, October, pp. 136–145 (1995)Google Scholar
  8. 8.
    Allison, J.: Automated Log Processing. login: The Magazine of Usenix & Sage 27(6), 16–20 (2002)Google Scholar
  9. 9.
    Forte, D.V.: Log Correlation Tools and Techniques. The art of Log Correlation. In: Proceedings of ISSA 2004 SouthAfrica, and HTCIA Conference 2004, Washington DC (2004)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Roberto Gómez
    • 1
  • Jorge Herrerias
    • 1
  • Erika Mata
    • 1
  1. 1.ITESM-CEM, Depto. Ciencias ComputacionalesAtizapan Zaragoza, Edo MéxicoMexico

Personalised recommendations