CompTIA Security+ (SY0-601) — Question 510
A privileged user at a company stole several proprietary documents from a server. The user also went into the log files and deleted all records of the incident. The systems administrator has just informed investigators that other log files are available for review. Which of the following did the administrator most likely configure that will assist the investigators?
Answer options
- A. Memory dumps
- B. The syslog server
- C. The application logs
- D. The log retention policy
Correct answer: B
Explanation
A syslog server collects and stores log data forwarded from multiple sources on a separate host, so it holds copies of the records that the privileged user deleted on the compromised server. That is what makes it invaluable for an investigation like this one. The other options, while related to logging and data retention, do not describe a centralized, off-host copy of the logs: memory dumps capture process state rather than log history, application logs on the same server would have been within the user's reach, and a retention policy governs how long logs are kept but does not by itself preserve them elsewhere.