What is Log Management and Which Solution is Best?
In cybersecurity, information is key. The more you know, the quicker you can discover whether something is amiss in your network and systems, or at least whether something has gone on there, and act on it. After all, most of the time threat actors rely on an organisation’s lack of awareness to achieve their goals, aiming to do the heavy lifting before they are pushed out.
Not only this, but post-incident you will likely need to carry out some kind of forensic investigation, and logs act as recorded evidence that provides vital information about what happened, how, who, where and when.
However, this brings us to a really big hurdle in cybersecurity. Where do you get information that indicates a cyber event is occurring? What information do you prioritise? What is important? If there’s more than one event, how do you know what events to deal with first?
With cyber attacks rising to unprecedented levels, it is vital that companies can answer these questions.
What are log files?
The word ‘log’ is thrown around a lot in computing and cybersecurity, but the basic premise is that log files are documents that record and store data about system activity. The information can include all sorts of things, such as the applications run or running on the machine, system errors that have occurred, services and kernel-origin messages.
Logs record events occurring in an organisation’s networks and systems. Log sources are computers, servers, firewalls, applications and other devices. Log files provide information like:
- Computer name.
- System IP address.
- Login data, such as usernames, timestamps of prior logins and current login status.
- Security logs.
Part of the reason logs can do this is that they record data at the same time as the activity occurs.
Why are log files important?
With information coming from a number of different sources, logs are fundamental in allowing you to keep eyes on what is going on in your systems and networks and whether there are any indicators of suspicious activity.
Log files can be useful for:
- Post-error investigations, where the information they provide helps analysts determine why certain errors or security breaches have happened. For example, if an error occurs on a machine, an analyst can use logs to identify the last active user and whether their activities were suspicious.
- Covering a wide variety of bases, including logs for applications, systems, auditing, authentication, intrusion detection systems (IDS) and intrusion prevention systems (IPS).
- Log file analysis is useful for helping you control access to resources by keeping a record of which systems should access which resources. If any of the set security restrictions are breached, it will be shown in the logs.
- Providing information that shows deviations from normal system and network behaviour.
Not only do security logs help system admins detect and identify unauthorised login attempts, they can also help companies decide what security infrastructure best suits their systems and networks.
What is log management?
Log management is the security control that centralises all the log data generated by multiple sources, be it hardware, software, networks and so on, into a single location.
With all log data stored in a central location and optimised for readability, organisations can become more efficient at security monitoring and be able to do more effective audits, facilitating them in establishing more robust cybersecurity functions, practices and procedures.
However, one of the major issues companies have to tackle is how to manage this ocean of data, as machines and applications can generate millions upon millions of diverse log messages per minute, making it difficult to sort through the data.
Some of the major problems companies struggle with when trying to manage their data are:
- Log format differences, where source types often use different formats that do not align with each other and hamper correlation. Formats include comma-separated or tab-separated text files, Syslog, binary files, SNMP, XML and so on.
- Too many sources, where so many services are part of the solution stack that the volume of logs the administrators have to review quickly becomes overwhelming. This happens easily, as even a single log source can generate a great many logs.
- Log data inconsistency, where log sources differ on what aspects of data they consider essential and worth recording, making it difficult at times to bring together data that should otherwise correlate due to missing information.
- Time disparities, where every log source reports events using its internal clock instead of all logs being on a synchronised timestamp, causing more correlation difficulties.
This is why it is essential that your business picks the right log management solution.
Which log management solution is best?
Picking the right log management infrastructure allows a company to better manage and prioritise alerts, focusing its cybersecurity monitoring and risk remediation programme. Establishing a single source of data to review increases efficiency and effectiveness when detecting, mitigating and reporting risks and threats.
Although a range of log management software is available, when building their log management infrastructure organisations typically end up with either Syslog-based software or Security Information and Event Management (SIEM) software.
Syslog is a standard protocol for messaging and logging. It provides a standard mechanism for forwarding logs and their messages from various data sources to a centralised Syslog server, where system management, auditing, forensic investigation and debugging can take place.
Syslog can be broken down into three layers:
- Content, where the syslog messages are contained.
- Application, which allows the syslog message to be routed, analysed and stored.
- Transport, which handles sending the syslog message across the network, involving factors such as the originator, the collector, the transport sender and receiver.
In the Syslog process, the client adds the originator’s process ID, along with the timestamp, hostname and IP address of the device, to the message before sending it. A severity level is also applied to the message.
Syslog has eight severity levels: severity 0 is an emergency, while severity 7 is the least severe and usually means debugging output. It is important to set the syslog severity level on the originator to filter out low-priority messages, ideally so that only mid-to-high severities are sent, since you should be focused on finding actionable anomalies in the data and addressing the most severe problems first.
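To make the severity and time-disparity points concrete, here is a small Python example, added to this article and not taken from any product mentioned in it. It decodes the PRI field of BSD-style (RFC 3164) syslog lines into facility and severity (PRI = facility × 8 + severity), keeps only records at warning level or more severe, and normalises each source’s clock to UTC so events from different hosts line up. The sample lines, hostnames, PIDs and the source clock offset are constructed for the example; a BSD timestamp carries neither year nor time zone, so the caller must supply both.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines in RFC 3164 style; hosts, PIDs and messages are made up.
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 webhost01 sshd[1234]: Failed password for invalid user admin from 10.0.0.5 port 51234 ssh2",
    "<13>Oct 11 22:14:16 webhost01 cron[777]: (root) CMD (run-parts /etc/cron.hourly)",
    "<191>Oct 11 22:14:17 webhost01 app[4321]: debug: cache warm complete",
    "<3>Oct 11 22:14:18 dbhost02 kernel: Out of memory: Kill process 999 (postgres)",
]

# Severity codes 0-7 from RFC 5424 section 6.2.1 (0 = emergency, 7 = debug).
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Facility codes 0-23 from the same section, using short labels for readability.
FACILITY_NAMES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]

# <PRI>Mmm dd HH:MM:SS host tag[pid]: message
RFC3164_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<msg>.*)$"
)


def parse_syslog(line, year=2024, source_utc_offset_hours=0):
    """Parse one RFC 3164-style line into a dict with decoded PRI and a UTC timestamp.

    year and source_utc_offset_hours are assumptions the collector must supply,
    because the BSD timestamp carries neither; knowing each source's clock offset
    is what lets events from different hosts be correlated on one timeline.
    """
    m = RFC3164_LINE.match(line)
    if not m:
        raise ValueError(f"not a recognised syslog line: {line!r}")
    pri = int(m["pri"])
    if pri > 191:  # 23 * 8 + 7 is the highest legal PRI value
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)  # PRI = facility * 8 + severity
    source_tz = timezone(timedelta(hours=source_utc_offset_hours))
    local_ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    local_ts = local_ts.replace(tzinfo=source_tz)
    return {
        "facility": facility,
        "facility_name": FACILITY_NAMES[facility],
        "severity": severity,
        "severity_name": SEVERITY_NAMES[severity],
        "timestamp_utc": local_ts.astimezone(timezone.utc).isoformat(),
        "host": m["host"],
        "tag": m["tag"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "message": m["msg"],
    }


def filter_actionable(lines, max_severity=4, **parse_kwargs):
    """Keep records whose severity number is <= max_severity.

    The default of 4 (warning) drops notice, info and debug, matching the
    article's advice to forward only mid-to-high severity messages.
    """
    kept = []
    for line in lines:
        record = parse_syslog(line, **parse_kwargs)
        if record["severity"] <= max_severity:
            kept.append(record)
    return kept


if __name__ == "__main__":
    # Assume (for the example) that these hosts report local time at UTC-5.
    for r in filter_actionable(SAMPLE_LINES, source_utc_offset_hours=-5):
        print(r["timestamp_utc"], r["host"], r["facility_name"],
              r["severity_name"], r["message"])
```

Run as-is, the script keeps only the critical sshd failure and the kernel out-of-memory error, and prints both with timestamps shifted from the sources’ local clock to UTC. Raising max_severity to 7 would pass everything through, which is the “ocean of data” situation the article warns about.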
The benefits of using Syslog-based software include:
- It’s cost-effective, being an often-free means to collect data across multiple applications, platforms and systems.
- It offers great flexibility.
- Syslog makes it easy to troubleshoot applications without impacting performance due to the details it contains about said applications.
Many companies use Syslog because of these benefits; however, one size does not fit all, and there are disadvantages to Syslog that can make it less than ideal for an organisation. Some of the disadvantages of a Syslog-based software approach are:
- It lacks a standardised format.
- Can easily clutter up the network and even lose messages.
- It can lack sophistication, with no real authentication process for detecting devices using stolen credentials.
Security Information Event Management (SIEM)
Over recent years, many organisations have adopted Security Information and Event Management (SIEM) software rather than relying on Syslog-based software alone.
SIEM is a holistic method that combines Security Event Management (SEM) and Security Information Management (SIM) in one software solution. SEM is the process of analysing cyber events and log data in real time, while SIM is monitoring software that collects data from computer logs and analyses it in a central repository.
SIEM streamlines the log management process by automating correlation and analysis, reducing the data, content and timestamp disparities described above and giving more precise notifications of events and their severity.
With SIEM, data collection can follow either an:
- Agent-based approach, where you have to install the software agent on each host so it can extract, process, and send data to the SIEM server.
- Agentless deployment, where the log-generating host sends the data directly to the SIEM or intermediate logging server.
Securiwiser is an excellent cybersecurity monitoring tool that greatly complements a company’s log management infrastructure.
Securiwiser evaluates your company’s cybersecurity posture and gives you a cubit score, flagging up vulnerabilities and exploits in real-time in an easy-to-read dashboard. Securiwiser can check to see if malware is on your network, if there’s suspicious port activity, your DNS Health and much more.