CYSE 300 Discussion Board 7

System monitoring and the use of network traffic log files are extremely important for gauging baseline performance and observing events.  Why does identifying abnormal behavior first require having a baseline?  What can a log file show that lends insight into abnormal behavior?


Having a baseline is important because it gives you a reference point against which to measure abnormal behavior or abnormal network traffic. If the average amount of traffic is, say, 1000 visits to a certain site a week, but that suddenly jumps to 1 million visits, that may be a cause for concern, whether from a security standpoint or from a marketing position. Log files can show not only who visits certain sites, but also how many times they visited them. If a person suddenly has an increase in the number of times they visit a site, especially one with known problems that could be a security concern, it should be addressed. In line with this, logs can also track unauthorized attempts and the actions taken by an individual, so that network admins can trace an unauthorized user, or a compromised user: where they visited, what they did, and when they did it. The logs are basically a play-by-play of what a person does online or in a network.
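The baseline comparison described above, as an added example that is not part of the original post: it builds a per-user, per-site weekly baseline from log lines, flags a week that far exceeds it, and collects denied attempts. The log format, user and site names are constructed, and the "mean plus three standard deviations" threshold is an assumed rule, not one the post specifies.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, pstdev

def sample_log():
    """Constructed log lines in an assumed format: 'YYYY-MM-DD user site result'."""
    start, lines = date(2024, 1, 1), []  # a Monday, ISO week 1
    for week, n_alice in enumerate([5, 4, 6, 5, 40]):  # week 5 is the spike
        monday = start + timedelta(weeks=week)
        lines += [f"{monday + timedelta(days=i % 5)} alice files.example ALLOWED"
                  for i in range(n_alice)]
        lines += [f"{monday + timedelta(days=i)} bob files.example ALLOWED"
                  for i in range(3)]  # bob stays steady at 3 visits a week
    lines.append("2024-01-31 bob admin.example DENIED")
    return lines

def weekly_counts(lines):
    """Return ((user, site) -> ISO week -> visits) and the list of denied attempts."""
    counts = defaultdict(lambda: defaultdict(int))
    denied = []
    for line in lines:
        day, user, site, result = line.split()
        week = tuple(date.fromisoformat(day).isocalendar()[:2])  # (year, week)
        counts[(user, site)][week] += 1
        if result == "DENIED":
            denied.append((day, user, site))
    return counts, denied

def flag_anomalies(counts, current_week, k=3.0):
    """Flag (user, site) pairs whose current week exceeds mean + k * stddev of history."""
    flagged = []
    for key, per_week in counts.items():
        history = [n for wk, n in per_week.items() if wk < current_week]
        if len(history) < 2:
            continue  # without earlier weeks there is no baseline to compare against
        # Floor the deviation at 1 so a perfectly flat history is not hypersensitive.
        threshold = mean(history) + k * max(pstdev(history), 1.0)
        now = per_week.get(current_week, 0)
        if now > threshold:
            flagged.append((key, now, round(threshold, 1)))
    return flagged

if __name__ == "__main__":
    counts, denied = weekly_counts(sample_log())
    print("Above baseline:", flag_anomalies(counts, (2024, 5)))
    print("Denied attempts:", denied)
```

Bob's denied request never appears in the anomaly list because he has no history for that site, which is why the denied attempts are reported separately rather than through the baseline.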
