Many intrusions involve multiple hosts, and the evidence for many
intrusions may be seen in multiple types of logs. To support fast
retrieval of relevant records, Kerf's logging host stores incoming log
records in a database, indexing on important fields (such as host,
facility, any IP address mentioned in the record, and any user name
mentioned in the record). This approach also serves to isolate the log
collection mechanism from the analysis mechanism, and to limit the
amount of parsing, indexing, and searching that must be done within
our analysis tool. The current implementation uses MySQL.
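A worked sketch of the storage layout described above, added here as an example rather than Kerf's own code. The schema, the toy IP and user-name extractor and the sample records are all assumptions; SQLite stands in for MySQL only so the snippet runs stand-alone, and multi-valued fields (every IP address or user name a record mentions) go into indexed side tables so a single address can be pulled back across hosts and log types with one indexed join.

```python
import re
import sqlite3

# Schema is an assumption: the page names the indexed fields (host, facility, IPs, users), not a layout.
SCHEMA = """
CREATE TABLE records (id INTEGER PRIMARY KEY, ts TEXT, host TEXT, facility TEXT, msg TEXT);
CREATE INDEX idx_records_host ON records(host); CREATE INDEX idx_records_facility ON records(facility);
CREATE TABLE record_ips (record_id INTEGER REFERENCES records(id), ip TEXT); CREATE INDEX idx_ips ON record_ips(ip);
CREATE TABLE record_users (record_id INTEGER REFERENCES records(id), uname TEXT); CREATE INDEX idx_users ON record_users(uname);
"""
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Toy user-name extractor (assumption): "for <user>", "user <user>", "<user> to <user>".
USER_RES = [re.compile(r"\b(?:for|user)\s+([A-Za-z_][\w-]*)"),
            re.compile(r":\s+([A-Za-z_][\w-]*) to ([A-Za-z_][\w-]*)")]
# Constructed sample records (ts, host, facility, message); not real Kerf data.
SAMPLE_RECORDS = [
    ("2005-04-06 10:01:02", "gw1", "authpriv", "sshd[2211]: Accepted password for alice from 10.0.0.5 port 4022"),
    ("2005-04-06 10:01:09", "web1", "daemon", "httpd: connection from 10.0.0.5 to 192.168.1.10"),
    ("2005-04-06 10:02:30", "db1", "authpriv", "su: bob to root on /dev/pts/1"),
]

def open_store(path=":memory:"):
    conn = sqlite3.connect(path)  # SQLite stands in for MySQL so the example runs stand-alone
    conn.executescript(SCHEMA)
    return conn

def extract_fields(msg):
    # Returns (ips, users) mentioned in the message, each de-duplicated and sorted.
    users = set()
    for rx in USER_RES:
        for m in rx.finditer(msg):
            users.update(g for g in m.groups() if g)
    return sorted(set(IP_RE.findall(msg))), sorted(users)

def ingest(conn, ts, host, facility, msg):
    # Store the record plus one side-table row per IP / user it mentions; return its id.
    rid = conn.execute("INSERT INTO records(ts, host, facility, msg) VALUES (?, ?, ?, ?)",
                       (ts, host, facility, msg)).lastrowid
    ips, users = extract_fields(msg)
    conn.executemany("INSERT INTO record_ips VALUES (?, ?)", [(rid, ip) for ip in ips])
    conn.executemany("INSERT INTO record_users VALUES (?, ?)", [(rid, u) for u in users])
    return rid

def records_mentioning(conn, kind, value):
    # Every record, across hosts and log types, that mentions an IP (kind "ip") or user (kind "user").
    table, col = {"ip": ("record_ips", "ip"), "user": ("record_users", "uname")}[kind]
    sql = (f"SELECT r.ts, r.host, r.facility, r.msg FROM records r "
           f"JOIN {table} s ON s.record_id = r.id WHERE s.{col} = ? ORDER BY r.ts")
    return conn.execute(sql, (value,)).fetchall()
```

The analysis tool then asks only indexed questions such as "every record mentioning 10.0.0.5, in time order", without re-parsing raw log files.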
Last modified: 2005-04-06