Log Management: Principle and Usage
Bikrant Gautam, MSIA Fall, SCSU
Log Sources: What is a log? A log is a record of events.
But why Log Management?
● Numerous computers
● Numerous logs
● Hard to pinpoint a single log
Log Management Operation
Log Collecting/Archiving
Log Normalization
Log Intelligence/Forensics and Monitoring
Log Archiving
● Collect numerous logs in raw form from different sources.
● Includes system event logs, SNMP traps, flow data, etc.
● Different tools are deployed to collect logs: fetchers or collectors.
Log Normalization
Raw Windows 2003 log:
<13>Apr 02 10:10:31 LPDC22.logpoint.net MSWinEventLog 1 Security 34796279 Thu Apr 02 10:10:31 2015 4634 Microsoft-Windows-Security-Auditing St.CloudCQ899$ N/A Success Audit scsu.test.net Logoff An account was logged off. Subject: Security ID: S-1-5-21-1078081533-1303643608-682003330-14083 Account Name: SCSU11$ Account Domain: Husky Logon ID: 0x8764a6ab Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 34790802
Normalized log:
LogTime=2015/04/02 10:10:31
Object=account
Action=logged off
EventLog=Security
User=CQ899$
Domain=St.Cloud
EventCategory=Logoff
EventId=4634
EventSource=Microsoft-Windows-Security
EventType=Success
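As an added example (not from the slides or from any product), here is a normalizer that turns a constructed raw record modelled on the one above into the slide's key/value form; the tab-separated Snare-style layout and the DOMAIN\user form of the user field are assumptions.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the raw Windows 2003 log on the slide, in the
# tab-separated form a Snare-style agent emits (the DOMAIN\user layout of the
# user field is an assumption).
RAW = (
    "<13>Apr 02 10:10:31 LPDC22.logpoint.net MSWinEventLog\t1\tSecurity\t34796279"
    "\tThu Apr 02 10:10:31 2015\t4634\tMicrosoft-Windows-Security-Auditing"
    "\tSt.Cloud\\CQ899$\tN/A\tSuccess Audit\tscsu.test.net\tLogoff"
    "\tAn account was logged off. Subject: Security ID: S-1-5-21-1078081533-"
    "1303643608-682003330-14083 Account Name: SCSU11$ Account Domain: Husky "
    "Logon ID: 0x8764a6ab Logon Type: 3 This event is generated when a logon "
    "session is destroyed.\t34790802"
)
# Windows Security event IDs mapped to the slide's plain-English Action field.
ACTIONS = {"4624": "logged on", "4625": "logon failed", "4634": "logged off"}
SYSLOG_HEADER = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) MSWinEventLog$")
# "Key: value" pairs in the free-text description, e.g. "Logon ID: 0x8764a6ab".
SUBJECT_KV = re.compile(
    r"(Security ID|Account Name|Account Domain|Logon ID|Logon Type): (\S+)")

def normalize(raw):
    """Turn one raw MSWinEventLog record into the flat key/value fields shown
    on the slide; raise ValueError for anything that is not such a record."""
    f = raw.split("\t")
    hdr = SYSLOG_HEADER.match(f[0])
    if len(f) < 13 or hdr is None:
        raise ValueError("not a Snare-style MSWinEventLog record")
    # Snare's own date field carries the year that the syslog header lacks.
    when = datetime.strptime(f[4], "%a %b %d %H:%M:%S %Y")
    domain, _, user = f[7].rpartition("\\")
    subject = dict(SUBJECT_KV.findall(f[12]))
    return {
        "LogTime": when.strftime("%Y/%m/%d %H:%M:%S"),
        "Host": hdr.group("host"),
        "EventLog": f[2],
        "EventId": f[5],
        "EventSource": f[6],
        "EventType": f[9].split()[0],  # "Success Audit" -> "Success"
        "EventCategory": f[11],
        "User": user,
        "Domain": domain,
        "Action": ACTIONS.get(f[5], "unknown"),
        "LogonId": subject.get("Logon ID", ""),
        "LogonType": subject.get("Logon Type", ""),
    }
```

Records that are not in this layout (a plain sshd line, say) are rejected rather than half-parsed, which is what you want before a search index or a correlation rule consumes them.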
Application Fields
✘ Threat protection and discovery
✘ Incident response and forensics
✘ Regulatory compliance and audit
✘ IT system and network troubleshooting
✘ System performance and management
Ref: Anton Chuvakin ; http://www.slideshare.net/anton_chuvakin/log-management-and-compliance-whats-the-real-story-b
dr-anton-chuvakin
A curious case of auditing with logs
Plain old log investigation method:
✘ Collect logs from all associated computers (there will not be few).
✘ Go through each log searching for evidence (might take years to complete).
✘ Finally give up, as the information was stored in a binary value not readable to human eyes.
Using a log management tool:
✘ Point all your devices to a central log collection server.
✘ All cryptic logs are normalized to a human-readable format.
✘ Search for a particular keyword, or an event at a specific time.
✘ Complete the forensics in no time.
Use Case: Monitoring users logging in to the eros server
✘ User smmsp has logged into the eros server almost 6000 times.
✘ User charles.kangas has logged into the system almost 2500 times.
Use case, continued: Drilling down
✘ Further investigation of charles.kangas was done.
✘ The originating source IPs were searched on ARIN whois and further information was collected.
Use case, continued: User information
✘ The result of the whois lookup for user Charles.
✘ The origin of the requests seems fair enough.
What if the originating IP was from North Korea?
Advanced Operations
Lookup
● Connect to external databases
Log Correlation
● 10 logins in the last 5 seconds
Reporting
● Present the findings in a neat report that can be sent to BOSSes
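An added example, not from the slides, covering both the whois-style lookup in the use case above and the "10 logins in the last 5 seconds" correlation rule: a sliding-window detector over constructed normalized events, with a constructed IP-to-country table standing in for the external database.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def ev(t, user, action="logged on", ip="10.0.0.5"):
    return {"LogTime": t, "User": user, "Action": action, "SrcIp": ip}

# Constructed normalized events in the slide's key/value shape: eleven logons
# by smmsp within six seconds, then two logons and a logoff by charles.kangas.
EVENTS = [ev("2015/04/02 10:10:3%d" % s, "smmsp")
          for s in (1, 1, 2, 2, 3, 3, 4, 4, 5, 5, 6)] + [
    ev("2015/04/02 10:11:00", "charles.kangas"),
    ev("2015/04/02 10:11:30", "charles.kangas", action="logged off"),
    ev("2015/04/02 10:12:00", "charles.kangas", ip="203.0.113.7"),
]
# Stand-in for the "external database" lookup: a constructed IP -> country
# table (203.0.113.0/24 is reserved documentation space, not a real host).
GEO = {"10.0.0.5": "US", "203.0.113.7": "KP"}

def parse_time(s):
    return datetime.strptime(s, "%Y/%m/%d %H:%M:%S")

def correlate(events, threshold=10, window=timedelta(seconds=5),
              allowed=frozenset({"US"})):
    """Return (kind, user, detail, value) alerts for two rules: a user with
    `threshold` logons inside a sliding `window`, and any logon whose source
    IP resolves to a country outside `allowed` (unknown IPs also alert)."""
    recent = defaultdict(deque)   # per-user timestamps of logons in the window
    alerts = []
    for e in sorted(events, key=lambda x: parse_time(x["LogTime"])):
        if e["Action"] != "logged on":
            continue                # logoffs and other actions are not counted
        t = parse_time(e["LogTime"])
        q = recent[e["User"]]
        q.append(t)
        while t - q[0] > window:    # drop logons that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append(("burst", e["User"], e["LogTime"], len(q)))
            q.clear()               # fire once per burst, then start over
        country = GEO.get(e["SrcIp"], "unknown")
        if country not in allowed:
            alerts.append(("geo", e["User"], e["SrcIp"], country))
    return alerts
```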
Advantages of a Log Management Tool
✘ Cool dashboard to visualize queries
✘ Deployed on your private server, so the integrity of the data is maintained
✘ Can be configured to generate alerts and triggers according to your business requirements
✘ Supports your compliance requirements
Challenges of Log Management
✘ Lack of a common log format
✘ Not all activities generate logs
✘ Not all activities are logged
✘ Requires the user to learn a new script syntax for every log management tool
✘ High volume of irrelevant data
The future?
Required by compliance regulations.
1.3 billion: projected revenue of log management software in 2015.
Conclusion
✘ A versatile tool to approach various challenges.
✘ Provides IT security with a forensics and investigative platform.
✘ Quicker and faster alternative to the plain old auditing system.
Questions?
