Change events are for administrative and policy types of changes to infrastructure security devices, servers, and endpoint detection and response (EDR) systems. Every operating system (OS) records details of its operating conditions and errors, and these time-stamped logs are the fundamental and authoritative source of system telemetry. Depending on the OS, there may be separate logs for different classes of events, such as routine informational updates, system errors, boot loader records, login attempts, and debug output.
Correlating system log entries is one of the best ways of identifying the root cause of a subtle system failure. System logs include a variety of security information such as attempted logins, file access, and system firewall activity. They can also be used to identify changes in system configurations and commands executed by users or privileged users. Error logs often aggregate records from multiple subsystems and OS services or daemons, and, thus, are a definitive source of troubleshooting information. In the Common Information Model, system log data is typically mapped to the Endpoint data model.