Log Analysis and Event Management

Log Identification

While log entries can be extremely interesting and relevant to daily operations (e.g., hard-drive failure, router link down, virus detected), they can also be extremely uninteresting. Most logging systems can be configured to log everything, and in most cases that is exactly what they do. Relevant log data is mixed in with the irrelevant, which makes reviewing logs more difficult: finding the interesting entries becomes a search for the proverbial needle in the haystack.

LogRhythm automates the process of finding interesting log entries via a powerful and customizable log identification engine. When a log is identified, it is "normalized" for analysis and reporting purposes. The log is assigned a "common name" and classified as either security, operations, or audit related. Additional reporting information is parsed from the text of the log such as IP addresses, UDP/TCP port numbers and logins.

Event Forwarding

Identified log entries with the most immediate operational relevance can be forwarded to the Event Manager. This typically includes security events, audit failures, warnings and errors, although what is forwarded can be completely customized. Intelligently forwarding only a subset of logs provides the first layer of data reduction, as depicted in the following diagram.

Log Funneling Diagram

Since only the most important log entries are forwarded as events, users spend their time more efficiently: instead of having to weed through irrelevant log entries, the most important ones are identified for them automatically.

Risk-based Prioritization

The impact of an event varies by business and, within a business, by system. For instance, a router link failure might not be immediately critical for an ISP with redundant routers, but for a branch office with a single router, business is impacted until it is fixed. A server reboot is uninteresting when seen on a user workstation, but extremely interesting when seen on an ERP server with 99.999% uptime requirements.

LogRhythm automatically prioritizes each event based on its impact to your business's operations. LogRhythm's risk-based priority calculates a 100-point priority based on:
  • the type of event
  • the likelihood that the event is a false alarm
  • the threat rating of the host causing the event (e.g., a remote attacker), and
  • the risk rating of the server on which the event occurred
LogRhythm's risk-based priority helps ensure that the most important events are identified and acted upon.
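To make the four-factor idea concrete, here is an added example (not LogRhythm's code, and not its actual weighting, which the page does not give) that scores the page's own scenarios: a server reboot on a workstation versus an ERP server, and a router link failure at an ISP with redundant routers versus a branch office with a single router. The base-severity table, the 4:3:3 weights and the rating scales are assumptions constructed for the illustration.

```python
from dataclasses import dataclass

# Assumed base severity (0..100) per normalized event "common name".
# Constructed for this example; the real tables and weights are not on the page.
BASE_SEVERITY = {
    "Virus Detected": 80,
    "Router Link Down": 60,
    "Audit Failure": 50,
    "Server Reboot": 40,
}

@dataclass(frozen=True)
class Event:
    common_name: str       # normalized event type, e.g. "Server Reboot"
    false_alarm_pct: int   # likelihood (0..100) that the event is a false alarm
    source_threat: int     # threat rating (0..10) of the host causing the event
    target_risk: int       # risk rating (0..10) of the system the event occurred on
    host: str = ""         # label for display only

def priority(ev: Event) -> int:
    """Return a 0..100 priority combining the four factors with assumed weights 4:3:3."""
    base = BASE_SEVERITY.get(ev.common_name, 30)       # unknown types get a low default
    raw = 4 * base + 3 * ev.source_threat * 10 + 3 * ev.target_risk * 10   # range 0..1000
    # Discount by how likely the event is a false alarm, then scale to 0..100.
    return raw * (100 - ev.false_alarm_pct) // 1000

def triage(events, alert_at: int = 70):
    """Order events by priority (highest first) and flag those above the alert threshold."""
    ranked = sorted(events, key=priority, reverse=True)
    return [(ev.host, ev.common_name, priority(ev), priority(ev) >= alert_at) for ev in ranked]

# Constructed sample events mirroring the scenarios described in the text.
SAMPLE_EVENTS = [
    Event("Server Reboot", 20, 0, 1, host="user-workstation"),
    Event("Server Reboot", 20, 0, 10, host="erp-server"),
    Event("Router Link Down", 10, 0, 2, host="isp-core-rtr (redundant)"),
    Event("Router Link Down", 10, 0, 8, host="branch-rtr (single)"),
    Event("Virus Detected", 5, 9, 10, host="erp-server"),
]

if __name__ == "__main__":
    for host, name, score, alert in triage(SAMPLE_EVENTS):
        print(f"{score:3d} {'ALERT' if alert else '     '} {name:<18} {host}")
```

The same normalized event lands at very different points in the ranking depending on where it occurred and who caused it, which is the behaviour the risk-based priority is meant to produce.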

Role-based Alerting

LogRhythm can be easily configured to send alerts on critical events or combinations of events. Alerts can be forwarded based on user role, so the right alerts automatically go to the right individuals.

Personalized dashboards

LogRhythm includes powerful analysis dashboards that allow users to quickly understand what is going on and drill down as appropriate. LogRhythm also makes it easy to tailor dashboards by user. As a result, each user sees and can analyze the information most relevant to them and their role.

Flexible Reporting

With LogRhythm's flexible reporting capability, customers can easily supplement standard reports with thousands of custom reports tailored to their analysis and reporting needs.
