Log management is one of the primary requirements for building an enterprise class SOC. In security, Log analysis is often the first step in incident forensics. Operating systems such as windows, Unix, Linux and other network devices such as routers, firewalls etc. offer native log management capabilities but are not sufficient for organizations because of a variety of reasons. First, due to storage constraint older logs are overwritten by the most recent logs. Second, log collection for network devices, OSs are not reliable and are often not in the same format rendering analysis difficult. Another challenge is that the logs are distributed across devices and are not centrally stored or managed.
image courtesy: https://www.flickr.com/photos/purpleslog/2870445260
Some of the benefits of log management are :
- Logs often provide the first hand evidence in cyber forensics and are often invaluable in investigating security incidents and auditing. Log management help make forensics and investigation much easier.
- Logs feeds SIEM solution for continuous security monitoring. A better log management speeds-ups the correlation engine and provide better insights by reducing noise in analysis results.
- Log management helps managing compliance requirements as they require organizations to index log events for easy accessibility and search capability
- Log management can help optimize the storage requirements by discarding unimportant logs
( Read More: Checklist To Evaluate SIEM Vendors )
Below is the list of couple of open-source Log Management tools which provide the capability of reliable log collection, Log normalization and relaying of Log messages to a central location for their log time storage.
1. Syslog-ng
syslog-ng allows you to flexibly collect, parse, classify, and correlate logs from across your infrastructure and store or route them to log analysis tools
2. rsyslog
Rsyslog is an open-source software utility used on UNIX and Unix-like computer systems for forwarding log messages in an IPnetwork. It implements the basic syslog protocol, extends it with content-based filtering, rich filtering capabilities, flexible configuration options and adds features such as using TCP for transport.
3. Log2timeline
Log2timeline is a tool designed to extract timestamps from various files found on a typical computer system(s) and aggregate them. Plaso is a Python-based backend engine for the tool log2timeline.
4.Logalyze
LOGalyze is an open source, centralized log management and network monitoring software. If you would like to handle all of your log data in one place, LOGalyze is the right choice. It supports Linux/Unix servers, network devices, Windows hosts. It provides real-time event detection and extensive search capabilities.
5.Gray Log
Graylog2 collects and aggregates events from a multitude of sources and presents your data in a streamlined, simplified interface where you can drill down to important metrics, identify key relationships, generate powerful data visualizations and derive actionable insights.
6. Fluentd
Fluentd is an open source data collector, which lets you unify the data collection and consumption for a better use and understanding of data.
( Read More: Top 10 'Incident Response & SIEM' talks from RSA Conference 2016 (USA) )
Pre-Register for SACON International 2017. Click on the image below to pre-register
Comments