Data collection is one of the most important steps when designing an Intrusion Detection System (IDS) and it influences the whole design and implementation process, and also the final detection result. Usually, the attacks target not only one individual computer but also aim for a group of hosts. As a result, some intrusions might show an anomalous behavior at the network layer, while others could exhibit anomawe lous behaviors at the application layer. In order to cover various network intrusions we need to monitor each layer on networks. Although ideally it is possible to design and implement an IDS that can inspect a wide range of data extracted from both network and application layer, it is infeasible in practical due to two main reasons: one is the diversity of the data, and the other one is the time and space resources that the system has to consume for collecting and interpreting the data. Intrusion detection systems collect data from many different sources, such as system log files, network packets or flows, system calls and a running code itself. The place where the data are collected decides the detection capability and scope of IDSs, i.e. a network based IDS can not detect a User-to-Root attack, while an application based IDS is not able to find a port scanning attack. In this chapter, we discuss the data collection in terms of the different locus including host-based, network-based and application-based.