Creating Rules & Understanding Event Log Correlation

SolarWinds Log & Event Manager (LEM) offers real-time log analysis and event correlation by giving you the control you need to overcome everyday IT challenges. In this presentation, learn how to leverage the built-in and user-defined rules, and how SolarWinds LEM performs correlation. We will cover:

-- Rules in Log & Event Manager
-- Correlation Rule Builder
-- Rule Categories and Tags
-- Real-time Event Correlation
-- How does Event Correlation work?
-- Result of Correlation


  1. Creating Rules and Understanding Event Log Correlation with SolarWinds® Log & Event Manager
     © 2013, SolarWinds Worldwide, LLC. All rights reserved.
  2. Agenda
     » Rules in Log & Event Manager
     » Correlation Rule Builder
     » Rule Categories and Tags
     » Real-time Event Correlation
     » How does Event Correlation work?
     » Result of Correlation
     SOLARWINDS LOG & EVENT MANAGER
  3. SolarWinds Log & Event Manager
     » SolarWinds Log & Event Manager (LEM) offers real-time log analysis and event correlation by giving you the control you need to overcome everyday IT challenges.
     » SolarWinds LEM correlates with the help of built-in and user-defined rules.
     » Learn how to build rules and how SolarWinds LEM performs correlation.
  4. Correlation Rule Builder (screenshot slide)
  5. Rules in Log & Event Manager
     » LEM rules let you use simple and advanced thresholds, such as time/frequency and same/distinct, to add complexity and help you significantly reduce false positives.
     » They track events in real time even when the LEM console is not monitored.
     » LEM rules allow you to:
       • Correlate multiple events from different sources
       • Automatically trigger alerts or email notifications
       • Respond to security events in real time
  6. Correlation Rule Builder
     » SolarWinds LEM has a built-in Rule Builder that helps you to:
       • Build new rules easily
       • Clone existing rules
       • Customize and edit existing rules
     » The rule builder interface incorporates easy-to-use techniques such as drag and drop, an icon-based tool panel, and a graphical object selection panel.
     » The rule builder uses ‘AND’/‘OR’ Boolean logic for rule creation.
     » SolarWinds LEM offers more than 700 pre-built correlation rules that cover critical network infrastructure, change management and network security functions.
  7. Correlation Rule Builder (Contd…)
     » For easy rule creation, there are additional events and fields on the left side of the rule builder window that can be added to the correlation rule.
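To make the rule concepts on slides 5 and 6 concrete (AND/OR Boolean conditions over event fields, a time/frequency threshold, and same/distinct grouping), here is an added example of a minimal rule evaluator. It is illustrative code written for this page, not SolarWinds' rule engine; the event field names, the rule format and the sample events are all constructed assumptions. It shows why a "distinct" threshold produces fewer false positives than a plain count over the same burst of events.

```python
"""Constructed LEM-style correlation rule: Boolean AND/OR conditions over
normalized event fields plus a time/frequency threshold with same/distinct
grouping. Illustrative only; the schema and rule format are assumptions."""
from collections import defaultdict, deque

# Constructed, already-normalized events; "t" is seconds since an arbitrary epoch.
EVENTS = [
    {"t": 0,   "type": "UserLogonFailure", "user": "alice", "src": "10.0.0.5", "host": "dc01"},
    {"t": 5,   "type": "UserLogonFailure", "user": "alice", "src": "10.0.0.6", "host": "dc01"},
    {"t": 9,   "type": "UserLogonFailure", "user": "bob",   "src": "10.0.0.5", "host": "dc01"},
    {"t": 12,  "type": "UserLogonFailure", "user": "alice", "src": "10.0.0.7", "host": "dc01"},
    {"t": 14,  "type": "UserLogonFailure", "user": "alice", "src": "10.0.0.7", "host": "dc01"},  # same src again
    {"t": 20,  "type": "UserLogonFailure", "user": "alice", "src": "10.0.0.8", "host": "dc01"},
    {"t": 400, "type": "UserLogonFailure", "user": "alice", "src": "10.0.0.9", "host": "dc01"},  # outside window
]

# A rule is a Boolean tree ("and"/"or" nodes over (field, op, value) leaves)
# plus a threshold: fire when `count` events sharing the `same` field arrive
# within `window` seconds; if `distinct` is set, count distinct values of that
# field instead of raw events.
RULE = {
    "name": "Logon failures for one user from many sources",
    "where": ("and", [("type", "==", "UserLogonFailure"),
                      ("or", [("host", "==", "dc01"), ("host", "==", "dc02")])]),
    "threshold": {"count": 4, "window": 60, "same": "user", "distinct": "src"},
}


def matches(event, node):
    """Evaluate the Boolean condition tree against one event."""
    if node[0] in ("and", "or"):
        results = [matches(event, child) for child in node[1]]
        return all(results) if node[0] == "and" else any(results)
    field, op, value = node
    actual = event.get(field)
    if op == "==":
        return actual == value
    if op == "!=":
        return actual != value
    if op == "in":
        return actual in value
    raise ValueError(f"unsupported operator {op!r}")


def correlate(events, rule):
    """In-memory sliding-window correlation; returns the alerts that fired."""
    th = rule["threshold"]
    windows = defaultdict(deque)  # value of the `same` field -> deque of (t, distinct value)
    fired = []
    for ev in sorted(events, key=lambda e: e["t"]):
        if not matches(ev, rule["where"]):
            continue
        key = ev.get(th["same"])
        win = windows[key]
        win.append((ev["t"], ev.get(th.get("distinct"))))
        while win and ev["t"] - win[0][0] > th["window"]:
            win.popleft()  # expire events older than the window
        tally = len({v for _, v in win}) if th.get("distinct") else len(win)
        if tally >= th["count"]:
            fired.append({"rule": rule["name"], th["same"]: key, "t": ev["t"],
                          "sources": sorted(v for v in {v for _, v in win} if v)})
            win.clear()  # one burst yields one alert, not one per extra event
    return fired


if __name__ == "__main__":
    for alert in correlate(EVENTS, RULE):
        print(alert)
```

With the `distinct` threshold the rule fires once, at t=20, when alice has failed from four different source addresses; the same rule with a plain count of four would already fire at t=14 on a repeat from the same address, which is the kind of noise the same/distinct option is meant to suppress.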
  8. Rule Categories and Tags
     » LEM rules are organized into pre-built categories like security, IT operations, compliance and change management.
     » SolarWinds LEM also allows you to add tags, making rule search easier.
  9. Real-Time Event Correlation (screenshot slide)
  10. Real-time Event Correlation (screenshot slide)
  11. How does Event Correlation work?
      » SolarWinds Log & Event Manager (LEM) is a full-function SIEM solution that offers an intelligent correlation engine to understand operational, security and policy-driven events.
      » Log Collection: LEM captures real-time event streams from network devices and utilizes agent technology to capture host-based events in real time. Here is a list of data sources from which LEM can receive log data for correlation and analysis.
      » Normalization: This is a key step before events are correlated. LEM parses the raw log data from agent nodes (workstations, servers, VMs, OS, etc.) and maps events from disparate sources to a consistent framework. This structures the data into identified categories and fields.
  12. How does Event Correlation work?
      » In-Memory Correlation: LEM correlates event logs in memory, thus avoiding the performance bottlenecks associated with database insertion and query speeds.
      » Multiple-Event Correlation: LEM has comprehensive support for multiple-device, multiple-event correlation, including the unique ability to set independent thresholds of activity per event, or group of events.
      » Non-Linear Correlation: After mapping events in memory, LEM applies a completely non-linear, multi-vector correlation algorithm. This reduces the number of correlation rules and eliminates the need to build distinct rules for all possible combinations of events.
  13. How does Event Correlation work?
      » Field-Level Comparison: LEM combines field-level data with user-defined groups and variables, making it possible to build rules that minimize false positives and focus your attention where and when it’s needed.
      » Environmental Awareness: LEM’s correlation rules factor in details about the organization, such as critical assets, applications, time of day or day of week, etc., to bring focus on the environmental parameters associated with the events and maximize the value of the data that’s being captured and analyzed.
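Slides 11 to 13 describe a pipeline: raw logs from disparate sources are normalized into consistent fields, correlated in memory, and compared at field level against user-defined groups and environmental context such as time of day. The following added example walks through that pipeline end to end. It is illustrative code written for this page, not SolarWinds' implementation; the two raw log formats, the normalized field names, the "critical assets" group and the business-hours window are constructed assumptions.

```python
"""Constructed collection -> normalization -> field-level correlation pipeline.
Two disparate raw formats (an agent-style key=value record and a syslog-style
sshd line) are mapped to one schema, then a rule compares fields against a
user-defined asset group and a time-of-day window. Illustrative only."""
import re
from datetime import datetime, time

# Constructed raw lines. Timestamps are assumed to be the collector's local time.
RAW = [
    "2013-05-02 02:14:07 AGENT host=fin-db01 EventID=4624 LogonType=10 TargetUserName=svc_backup IpAddress=10.1.1.20",
    "2013-05-02 10:05:44 SYSLOG fin-db01 sshd[2211]: Accepted password for dbadmin from 10.1.1.30 port 51234 ssh2",
    "2013-05-02 03:30:12 SYSLOG build01 sshd[909]: Accepted publickey for jenkins from 10.1.2.9 port 40022 ssh2",
    "2013-05-02 02:20:00 AGENT host=ws-105 EventID=4624 LogonType=2 TargetUserName=alice IpAddress=-",
    "2013-05-02 02:21:00 AGENT host=ws-105 EventID=4634 LogonType=2 TargetUserName=alice IpAddress=-",  # logoff, unmapped
]

AGENT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) AGENT host=(?P<host>\S+) EventID=(?P<id>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<src>\S+)$")
SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) SYSLOG (?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\w+) "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+")

# User-defined groups and variables the rule can reference (constructed).
CONTEXT = {
    "critical_assets": {"fin-db01", "dc01"},
    "business_hours": (time(8, 0), time(18, 0)),
}


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def normalize(line):
    """Map one raw line onto the common schema; None if the line is not handled."""
    m = AGENT_RE.match(line)
    if m:
        if m["id"] != "4624":          # only successful logons are mapped in this toy
            return None
        return {"time": _ts(m["ts"]), "event": "UserLogon", "host": m["host"],
                "user": m["user"], "src": None if m["src"] == "-" else m["src"],
                "method": "remote-interactive" if m["lt"] == "10" else "interactive"}
    m = SYSLOG_RE.match(line)
    if m:
        return {"time": _ts(m["ts"]), "event": "UserLogon", "host": m["host"],
                "user": m["user"], "src": m["src"], "method": m["method"]}
    return None


def in_business_hours(ts, ctx):
    start, end = ctx["business_hours"]
    return start <= ts.time() < end


def evaluate(events, ctx):
    """Field-level rule: remote logon to a critical asset outside business hours."""
    alerts = []
    for ev in events:
        if ev["event"] != "UserLogon" or ev["src"] is None:
            continue                   # local console logons are out of scope
        if ev["host"] in ctx["critical_assets"] and not in_business_hours(ev["time"], ctx):
            alerts.append({"host": ev["host"], "user": ev["user"], "src": ev["src"],
                           "method": ev["method"], "time": ev["time"].isoformat()})
    return alerts


def run(raw_lines=RAW, ctx=CONTEXT):
    """Whole pipeline: normalize every line that maps, then correlate in memory."""
    normalized = [e for e in map(normalize, raw_lines) if e is not None]
    return normalized, evaluate(normalized, ctx)


if __name__ == "__main__":
    _, alerts = run()
    for a in alerts:
        print(a)
```

Because the two sources are reduced to the same `host`, `user`, `src` and `time` fields, a single rule covers both the Windows-style and the sshd-style logon, and the same rule stays quiet for the daytime logon to the same asset and for the off-hours logon to a host that is not in the critical group.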
  14. Result of Event Correlation
      » Using the correlated event data, you can:
        • Set up alerts to trigger when a specific security condition is encountered
        • Program active responses to counter threats, troubleshoot issues and react to policy violations
        • Perform event forensics and root cause analysis to identify suspicious behavior patterns and anomalies
        • Generate compliance reports for network and security audits
  15. SolarWinds Log & Event Manager
      » SolarWinds Log & Event Manager (LEM) is a full-function SIEM solution that extends comprehensive log collection, correlation, analysis, and incident response to both servers and workstations.
      » Watch this short video to learn how to easily create and customize correlation rules using SolarWinds LEM.