Log Management : Syslog & Windows Event Log
Why log management?
Log Management - Pre-requisite to Ensure Network Security
Logs give you first hand information about your network activities. Log management ensures that the network activity data hidden in the logs is converted to meaningful, actionable security information. Log management is a pre-requisite for Network, Security administrator to keep the network secured.
Log management comprises of log collection, secured storage, normalization, analysis, reports and alerts generation.
- Log collection needs to be unintrusive.
- Logs need to be collected from diverse set of devices, servers and applications available in the network.
- Log collection should be preferably without an agent. In some network environments, log collection using agent should be available optional.
- The log data needs to be stored in archive for forensic analysis and regulatory compliance requirements.
- The log data storage should secured (e.g., encryption)
- Also, the storage should be tamper proof
- The retention duration should be flexible (preferably user configurable)
- The storage location, media also should be flexible (read only media, mass storage system, etc.)
The logs from heterogeneous sources should be normalized to have a common format. This is required to analyze and correlate.
The logs need to be analyzed to get a full picture of the network security events
Report and Alert Generation
The logs are analyzed to generate reports and alerts
- There should be canned, customizable, custom, and scheduled reports in different formats and
- The alerts should be notified in real-time. There should be more notification mechanisms and even other program should be executed to carry out remedial measures
Log management is an integral part of monitoring network security