Log management and intelligence
From Wikipedia, the free encyclopedia
Log management and intelligence (LMI) comprises an approach to dealing with large volumes of computer-generated log messages (also known as audit records, audit trails, event logs, etc.). LMI covers log collection, centralized aggregation, long-term retention and log analysis (both in real time and in bulk after storage). Syslog messages are the most common example of such logs.
Systems administrators usually perform LMI analysis for reasons of security, of operations (such as system or network administration) or of regulatory compliance.
Effectively analyzing large volumes of diverse logs poses several challenges: sheer volume (hundreds of gigabytes of data per day for a large organization), diversity of log formats, undocumented proprietary formats that resist automated parsing, and the presence of spurious records (false positives) in some types of logs, such as those produced by intrusion-detection systems.
Users and potential users of LMI can build their own log management and intelligence tools, assemble the functionality from various open-source components, or acquire (sub-)systems from commercial vendors.
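As an added example (not part of the article), the following Python script shows the normalization step a central collector performs when it faces the format diversity described above: it parses the two documented syslog wire formats (BSD-style RFC 3164 and RFC 5424) into one common record, decodes the PRI field (facility * 8 + severity), and counts lines in any undocumented format it cannot parse. The sample lines are constructed; the appliance format in the third line is hypothetical.

```python
import re
from collections import Counter

# Constructed sample feed: one RFC 3164 (BSD) line, one RFC 5424 line and
# one hypothetical proprietary appliance line that matches neither format.
SAMPLE_LOGS = [
    "<34>Oct 11 22:14:15 mymachine su: 'su root' failed for lonvick on /dev/pts/8",
    "<165>1 2003-10-11T22:14:15.003Z mymachine.example.com evntslog - ID47 - An application event log entry",
    "2007-06-01 12:00:00 ACME-FW|deny|10.0.0.5|tcp/445",
]

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# RFC 3164: <PRI>TIMESTAMP HOST TAG[pid]: MSG
RFC3164 = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:\[ ]+)(?:\[\d+\])?: ?(.*)$")
# RFC 5424: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG (SD kept simple: '-' or one [...] block)
RFC5424 = re.compile(r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (?:-|\[.*?\]) ?(.*)$")


def parse_syslog(line):
    """Normalize a BSD or RFC 5424 syslog line into one common record.
    Returns None for lines in neither format so the caller can count them."""
    m = RFC5424.match(line)
    if m:
        pri, ts, host, app, _procid, _msgid, msg = m.groups()
        fmt = "rfc5424"
    else:
        m = RFC3164.match(line)
        if not m:
            return None
        pri, ts, host, app, msg = m.groups()
        fmt = "rfc3164"
    pri = int(pri)
    if pri > 191:  # PRI = facility * 8 + severity; facilities run 0..23
        return None
    return {"format": fmt, "facility": pri >> 3, "severity": SEVERITIES[pri & 7],
            "timestamp": ts, "host": host, "app": app, "message": msg}


def summarize(lines):
    """Aggregation step of a central collector: count records per
    (host, severity) and tally the lines no parser recognized."""
    counts = Counter()
    unparsed = 0
    for line in lines:
        rec = parse_syslog(line)
        if rec is None:
            unparsed += 1
        else:
            counts[(rec["host"], rec["severity"])] += 1
    return counts, unparsed
```

Running `summarize(SAMPLE_LOGS)` yields one `crit` record from `mymachine`, one `notice` record from `mymachine.example.com`, and one unparsed line; in a real deployment the unparsed tally is the metric that exposes undocumented formats needing a dedicated parser.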
Deployment life-cycle
One way of assessing the maturity of an organization's deployment of log-management tools uses successive levels such as:
- Level 1: in the initial stages, organizations use separate log analyzers for the logs of devices on the security perimeter. The aim is to identify patterns of attack against the organization's perimeter infrastructure.
- Level 2: with increased use of integrated computing, organizations mandate logging to identify access to and usage of confidential data inside the security perimeter.
- Level 3: at the next level of maturity, the log analyzer tracks and monitors the performance and availability of systems across the enterprise, especially of those information assets whose availability the organization regards as vital.
- Level 4: organizations integrate the logs of their various business applications into an enterprise log manager in order to obtain more value from them.
- Level 5: organizations merge physical-access monitoring and logical-access monitoring into a single view.
List of log management software
- LogRhythm Enterprise Log and Event Management
- EventTracker Enterprise Event Log Management
- BazSyslog
- Kiwi Syslog Daemon
- Logserver
- MonitorWare Products: MonitorWare Agent, WinSyslog
- NetDecision LogVision
- NTsyslog
- Pure PHP syslog client class
- Syslserve
- syslog-ng Agent for Windows
- Syslog Watcher
- Syslog Collector: a syslog server/agent for Windows
- Tftpd32, which includes a syslog server
- TheOne SysLog Manager