SlideShare a Scribd company logo

Log management principle and usage

Download as PPTX, PDF
Bikrant Gautam
Bikrant Gautam

Basic log management principle and best practices.

Engineering
1 of 19
Log Management Principle and Usage Bikrant Gautam, MSIA Fall, SCSU
Log Sources: What is log? records of events.
? But why Log Management? ● Numeros computers ● Numerous logs ● Hard to pinpoint a single log
Log Management Operation Log Collecting/Archiving Log Normalization Log Intelligence/Forensics and Monitoring
Log Archiving ● Collect numerous logs in raw from from different sources. ● Includes system event logs, SNMP traps, Flow data etc. ● Different tools deployed to collect logs, fetchers or collectors,
Log Normalization Raw Windows 2003 log <13>Apr 02 10:10:31 LPDC22.logpoint.net MSWinEventLog 1 Security 34796279 Thu Apr 02 10:10:31 2015 4634 Microsoft-Windows-Security-Auditing St.CloudCQ899$ N/A Success Audit scsu.test.net Logoff An account was logged off. Subject: Security ID: S- 1-5-21-1078081533-1303643608-682003330-14083 Account Name: SCSU11$ Account Domain: Husky Logon ID: 0x8764a6ab Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 34790802 Normalized logs LogTime=2015/04/02 10:10:31 object=account Action=logged off | EventLog=Security | User= CQ899$ | Domain=St.Cloud EventCategory=Logoff | EventId=4634 EventSource=Microsoft-Windows-Security EventType=Success
Application Fields ✘Threat protection and discovery ✘Incidence response and forensics ✘Regulatory compliance and audit ✘It system and network troubleshooting ✘System performance and management Ref: Anton Chuvakin ; http://www.slideshare.net/anton_chuvakin/log-management-and-compliance-whats-the-real-story-b dr-anton-chuvakin
Plain old log investigation method ✘ collect logs from all associated computers ( will not be few) ✘ Go through each logs searching for evidence (might take years to complete) ✘ finally give up, as the information was stored in a binary value not readable to human eyes. A curious case of auditing with logs Using log management tool ✘ point all your devices to a central log collection server. ✘ all cryptic logs are normalized to human readable format ✘ Search for particular keyword, or event on a specific time. ✘ Complete the forensic in no time.
Use Case: Monitoring Users logging to eros server ✘user smmsp has logged into eros server for almost 6000 times. ✘user charles.kangas have logged into the system for almost 2500 times
Use case: Continued, Drilling down ✘further investigation for charles.Kangas was done. ✘the originating source ips were searched on arin-whois and the further information were collected
Use case: Continued, User Information ✘The result of whois lookup for user Charles. ✘Origin of request seems fair enough. What if the originating IP was from North Korea?
AdvanceD Operation Lookup Log Correlation Reporting ● 10 logins on last 5 second ● connect to external databases ● present the finding on a neat report that can be send to BOSSes
Advantages of Log Management Tool ✘cool dashboard to visualize queries ✘deployed in your private server so the integrity of data is maintained ✘can be configured to generate alerts and triggers according to your business requirement ✘supports your compliance requirement
Challenges of Log Management ✘Lack of common log format ✘Not all activities generate logs ✘Not all activities are logged ✘Requires user to learn new script for every log management tool ✘High volume of irrelevant data
The future?
Required by Compliances
1.3 billion Projected revenue of Log management softwares in 2015
Conclusion ✘ A versatile tool to approach various challenges. ✘ Provides IT security with forensics and investigative platform ✘ Quicker and faster alternative to plain old auditing system
Questions?

Recommended

Best practises for log management
Best practises for log managementBest practises for log management
Best practises for log managementBrian Honan
 
Splunk for Enterprise Security and User Behavior Analytics
Splunk for Enterprise Security and User Behavior Analytics Splunk for Enterprise Security and User Behavior Analytics
Splunk for Enterprise Security and User Behavior AnalyticsSplunk
 
Democratizing Data Quality Through a Centralized Platform
Democratizing Data Quality Through a Centralized PlatformDemocratizing Data Quality Through a Centralized Platform
Democratizing Data Quality Through a Centralized PlatformDatabricks
 
Splunk Enterprise Security
Splunk Enterprise SecuritySplunk Enterprise Security
Splunk Enterprise SecuritySplunk
 
Getting Started with IT Service Intelligence
Getting Started with IT Service IntelligenceGetting Started with IT Service Intelligence
Getting Started with IT Service IntelligenceSplunk
 
Splunk for IT Operations
Splunk for IT OperationsSplunk for IT Operations
Splunk for IT OperationsSplunk
 
Splunk-Presentation
Splunk-Presentation Splunk-Presentation
Splunk-Presentation PrasadThorat23
 
OSMC 2021 | Introduction into OpenSearch
OSMC 2021 | Introduction into OpenSearchOSMC 2021 | Introduction into OpenSearch
OSMC 2021 | Introduction into OpenSearchNETWAYS
 

Recommended

Best practises for log management
Best practises for log managementBest practises for log management
Best practises for log managementBrian Honan
 
Splunk for Enterprise Security and User Behavior Analytics
Splunk for Enterprise Security and User Behavior Analytics Splunk for Enterprise Security and User Behavior Analytics
Splunk for Enterprise Security and User Behavior AnalyticsSplunk
 
Democratizing Data Quality Through a Centralized Platform
Democratizing Data Quality Through a Centralized PlatformDemocratizing Data Quality Through a Centralized Platform
Democratizing Data Quality Through a Centralized PlatformDatabricks
 
Splunk Enterprise Security
Splunk Enterprise SecuritySplunk Enterprise Security
Splunk Enterprise SecuritySplunk
 
Getting Started with IT Service Intelligence
Getting Started with IT Service IntelligenceGetting Started with IT Service Intelligence
Getting Started with IT Service IntelligenceSplunk
 
Splunk for IT Operations
Splunk for IT OperationsSplunk for IT Operations
Splunk for IT OperationsSplunk
 
Splunk-Presentation
Splunk-Presentation Splunk-Presentation
Splunk-Presentation PrasadThorat23
 
OSMC 2021 | Introduction into OpenSearch
OSMC 2021 | Introduction into OpenSearchOSMC 2021 | Introduction into OpenSearch
OSMC 2021 | Introduction into OpenSearchNETWAYS
 
Splunk Webinar: Full-Stack End-to-End SAP-Monitoring mit Splunk
Splunk Webinar: Full-Stack End-to-End SAP-Monitoring mit SplunkSplunk Webinar: Full-Stack End-to-End SAP-Monitoring mit Splunk
Splunk Webinar: Full-Stack End-to-End SAP-Monitoring mit SplunkSplunk
 
Centralized Logging System Using ELK Stack
Centralized Logging System Using ELK StackCentralized Logging System Using ELK Stack
Centralized Logging System Using ELK StackRohit Sharma
 
Splunk sales presentation
Splunk sales presentationSplunk sales presentation
Splunk sales presentationjpelletier123
 
Blueprint for omnichannel integration architecture
Blueprint for omnichannel integration architectureBlueprint for omnichannel integration architecture
Blueprint for omnichannel integration architectureEric D. Schabell
 
Best Practices for Configuring Your OSSIM Installation
Best Practices for Configuring Your OSSIM InstallationBest Practices for Configuring Your OSSIM Installation
Best Practices for Configuring Your OSSIM InstallationAlienVault
 
Gtb Dlp Suite Presentation
Gtb Dlp Suite PresentationGtb Dlp Suite Presentation
Gtb Dlp Suite Presentationgtbsalesindia
 
Snowflake Overview
Snowflake OverviewSnowflake Overview
Snowflake OverviewSnowflake Computing
 
Enabling a Data Mesh Architecture with Data Virtualization
Enabling a Data Mesh Architecture with Data VirtualizationEnabling a Data Mesh Architecture with Data Virtualization
Enabling a Data Mesh Architecture with Data VirtualizationDenodo
 
Qlik and Confluent Success Stories with Kafka - How Generali and Skechers Kee...
Qlik and Confluent Success Stories with Kafka - How Generali and Skechers Kee...Qlik and Confluent Success Stories with Kafka - How Generali and Skechers Kee...
Qlik and Confluent Success Stories with Kafka - How Generali and Skechers Kee...HostedbyConfluent
 
Analytics Driven SIEM Workshop
Analytics Driven SIEM WorkshopAnalytics Driven SIEM Workshop
Analytics Driven SIEM WorkshopSplunk
 
Migrating SSIS to the cloud
Migrating SSIS to the cloudMigrating SSIS to the cloud
Migrating SSIS to the cloudKoenVerbeeck
 
The Elastic Stack as a SIEM
The Elastic Stack as a SIEMThe Elastic Stack as a SIEM
The Elastic Stack as a SIEMJohn Hubbard
 
Snowflake Architecture.pptx
Snowflake Architecture.pptxSnowflake Architecture.pptx
Snowflake Architecture.pptxchennakesava44
 
Log Analytics with AWS
Log Analytics with AWSLog Analytics with AWS
Log Analytics with AWSAmazon Web Services
 
Empower Your Security Practitioners with Elastic SIEM
Empower Your Security Practitioners with Elastic SIEMEmpower Your Security Practitioners with Elastic SIEM
Empower Your Security Practitioners with Elastic SIEMElasticsearch
 
Splunk 101
Splunk 101Splunk 101
Splunk 101Splunk
 
SECURE MEDIA EXCHANGE (SMX) HONEYWELL INDUSTRIAL CYBER SECURITY
SECURE MEDIA EXCHANGE (SMX) HONEYWELL INDUSTRIAL CYBER SECURITYSECURE MEDIA EXCHANGE (SMX) HONEYWELL INDUSTRIAL CYBER SECURITY
SECURE MEDIA EXCHANGE (SMX) HONEYWELL INDUSTRIAL CYBER SECURITYRisman Hatibi
 
Building Modern Data Platform with Microsoft Azure
Building Modern Data Platform with Microsoft AzureBuilding Modern Data Platform with Microsoft Azure
Building Modern Data Platform with Microsoft AzureDmitry Anoshin
 
Keynote: Elastic Observability evolution and vision
Keynote: Elastic Observability evolution and visionKeynote: Elastic Observability evolution and vision
Keynote: Elastic Observability evolution and visionElasticsearch
 
ELK in Security Analytics
ELK in Security Analytics ELK in Security Analytics
ELK in Security Analytics nullowaspmumbai
 
Six Mistakes of Log Management 2008
Six Mistakes of Log Management 2008Six Mistakes of Log Management 2008
Six Mistakes of Log Management 2008Anton Chuvakin
 
Prévention et détection des mouvements latéraux
Prévention et détection des mouvements latérauxPrévention et détection des mouvements latéraux
Prévention et détection des mouvements latérauxColloqueRISQ
 

More Related Content

What's hot

Splunk Webinar: Full-Stack End-to-End SAP-Monitoring mit Splunk
Splunk Webinar: Full-Stack End-to-End SAP-Monitoring mit SplunkSplunk Webinar: Full-Stack End-to-End SAP-Monitoring mit Splunk
Splunk Webinar: Full-Stack End-to-End SAP-Monitoring mit SplunkSplunk
 
Centralized Logging System Using ELK Stack
Centralized Logging System Using ELK StackCentralized Logging System Using ELK Stack
Centralized Logging System Using ELK StackRohit Sharma
 
Splunk sales presentation
Splunk sales presentationSplunk sales presentation
Splunk sales presentationjpelletier123
 
Blueprint for omnichannel integration architecture
Blueprint for omnichannel integration architectureBlueprint for omnichannel integration architecture
Blueprint for omnichannel integration architectureEric D. Schabell
 
Best Practices for Configuring Your OSSIM Installation
Best Practices for Configuring Your OSSIM InstallationBest Practices for Configuring Your OSSIM Installation
Best Practices for Configuring Your OSSIM InstallationAlienVault
 
Gtb Dlp Suite Presentation
Gtb Dlp Suite PresentationGtb Dlp Suite Presentation
Gtb Dlp Suite Presentationgtbsalesindia
 
Enabling a Data Mesh Architecture with Data Virtualization
Enabling a Data Mesh Architecture with Data VirtualizationEnabling a Data Mesh Architecture with Data Virtualization
Enabling a Data Mesh Architecture with Data VirtualizationDenodo
 
Qlik and Confluent Success Stories with Kafka - How Generali and Skechers Kee...
Qlik and Confluent Success Stories with Kafka - How Generali and Skechers Kee...Qlik and Confluent Success Stories with Kafka - How Generali and Skechers Kee...
Qlik and Confluent Success Stories with Kafka - How Generali and Skechers Kee...HostedbyConfluent
 
Analytics Driven SIEM Workshop
Analytics Driven SIEM WorkshopAnalytics Driven SIEM Workshop
Analytics Driven SIEM WorkshopSplunk
 
Migrating SSIS to the cloud
Migrating SSIS to the cloudMigrating SSIS to the cloud
Migrating SSIS to the cloudKoenVerbeeck
 
The Elastic Stack as a SIEM
The Elastic Stack as a SIEMThe Elastic Stack as a SIEM
The Elastic Stack as a SIEMJohn Hubbard
 
Snowflake Architecture.pptx
Snowflake Architecture.pptxSnowflake Architecture.pptx
Snowflake Architecture.pptxchennakesava44
 
Empower Your Security Practitioners with Elastic SIEM
Empower Your Security Practitioners with Elastic SIEMEmpower Your Security Practitioners with Elastic SIEM
Empower Your Security Practitioners with Elastic SIEMElasticsearch
 
Splunk 101
Splunk 101Splunk 101
Splunk 101Splunk
 
SECURE MEDIA EXCHANGE (SMX) HONEYWELL INDUSTRIAL CYBER SECURITY
SECURE MEDIA EXCHANGE (SMX) HONEYWELL INDUSTRIAL CYBER SECURITYSECURE MEDIA EXCHANGE (SMX) HONEYWELL INDUSTRIAL CYBER SECURITY
SECURE MEDIA EXCHANGE (SMX) HONEYWELL INDUSTRIAL CYBER SECURITYRisman Hatibi
 
Building Modern Data Platform with Microsoft Azure
Building Modern Data Platform with Microsoft AzureBuilding Modern Data Platform with Microsoft Azure
Building Modern Data Platform with Microsoft AzureDmitry Anoshin
 
Keynote: Elastic Observability evolution and vision
Keynote: Elastic Observability evolution and visionKeynote: Elastic Observability evolution and vision
Keynote: Elastic Observability evolution and visionElasticsearch
 
ELK in Security Analytics
ELK in Security Analytics ELK in Security Analytics
ELK in Security Analytics nullowaspmumbai
 

What's hot (20)

Splunk Webinar: Full-Stack End-to-End SAP-Monitoring mit Splunk
Splunk Webinar: Full-Stack End-to-End SAP-Monitoring mit SplunkSplunk Webinar: Full-Stack End-to-End SAP-Monitoring mit Splunk
Splunk Webinar: Full-Stack End-to-End SAP-Monitoring mit Splunk
 
Centralized Logging System Using ELK Stack
Centralized Logging System Using ELK StackCentralized Logging System Using ELK Stack
Centralized Logging System Using ELK Stack
 
Splunk sales presentation
Splunk sales presentationSplunk sales presentation
Splunk sales presentation
 
Blueprint for omnichannel integration architecture
Blueprint for omnichannel integration architectureBlueprint for omnichannel integration architecture
Blueprint for omnichannel integration architecture
 
Best Practices for Configuring Your OSSIM Installation
Best Practices for Configuring Your OSSIM InstallationBest Practices for Configuring Your OSSIM Installation
Best Practices for Configuring Your OSSIM Installation
 
Gtb Dlp Suite Presentation
Gtb Dlp Suite PresentationGtb Dlp Suite Presentation
Gtb Dlp Suite Presentation
 
Snowflake Overview
Snowflake OverviewSnowflake Overview
Snowflake Overview
 
Enabling a Data Mesh Architecture with Data Virtualization
Enabling a Data Mesh Architecture with Data VirtualizationEnabling a Data Mesh Architecture with Data Virtualization
Enabling a Data Mesh Architecture with Data Virtualization
 
Qlik and Confluent Success Stories with Kafka - How Generali and Skechers Kee...
Qlik and Confluent Success Stories with Kafka - How Generali and Skechers Kee...Qlik and Confluent Success Stories with Kafka - How Generali and Skechers Kee...
Qlik and Confluent Success Stories with Kafka - How Generali and Skechers Kee...
 
Analytics Driven SIEM Workshop
Analytics Driven SIEM WorkshopAnalytics Driven SIEM Workshop
Analytics Driven SIEM Workshop
 
Migrating SSIS to the cloud
Migrating SSIS to the cloudMigrating SSIS to the cloud
Migrating SSIS to the cloud
 
The Elastic Stack as a SIEM
The Elastic Stack as a SIEMThe Elastic Stack as a SIEM
The Elastic Stack as a SIEM
 
Snowflake Architecture.pptx
Snowflake Architecture.pptxSnowflake Architecture.pptx
Snowflake Architecture.pptx
 
Log Analytics with AWS
Log Analytics with AWSLog Analytics with AWS
Log Analytics with AWS
 
Empower Your Security Practitioners with Elastic SIEM
Empower Your Security Practitioners with Elastic SIEMEmpower Your Security Practitioners with Elastic SIEM
Empower Your Security Practitioners with Elastic SIEM
 
Splunk 101
Splunk 101Splunk 101
Splunk 101
 
SECURE MEDIA EXCHANGE (SMX) HONEYWELL INDUSTRIAL CYBER SECURITY
SECURE MEDIA EXCHANGE (SMX) HONEYWELL INDUSTRIAL CYBER SECURITYSECURE MEDIA EXCHANGE (SMX) HONEYWELL INDUSTRIAL CYBER SECURITY
SECURE MEDIA EXCHANGE (SMX) HONEYWELL INDUSTRIAL CYBER SECURITY
 
Building Modern Data Platform with Microsoft Azure
Building Modern Data Platform with Microsoft AzureBuilding Modern Data Platform with Microsoft Azure
Building Modern Data Platform with Microsoft Azure
 
Keynote: Elastic Observability evolution and vision
Keynote: Elastic Observability evolution and visionKeynote: Elastic Observability evolution and vision
Keynote: Elastic Observability evolution and vision
 
ELK in Security Analytics
ELK in Security Analytics ELK in Security Analytics
ELK in Security Analytics
 

Similar to Log management principle and usage

Six Mistakes of Log Management 2008
Six Mistakes of Log Management 2008Six Mistakes of Log Management 2008
Six Mistakes of Log Management 2008Anton Chuvakin
 
Prévention et détection des mouvements latéraux
Prévention et détection des mouvements latérauxPrévention et détection des mouvements latéraux
Prévention et détection des mouvements latérauxColloqueRISQ
 
SplunkApplicationLoggingBestPractices_Template_2.3.pdf
SplunkApplicationLoggingBestPractices_Template_2.3.pdfSplunkApplicationLoggingBestPractices_Template_2.3.pdf
SplunkApplicationLoggingBestPractices_Template_2.3.pdfTuynNguyn819213
 
Logs: Can’t Hate Them, Won’t Love Them: Brief Log Management Class by Anton C...
Logs: Can’t Hate Them, Won’t Love Them: Brief Log Management Class by Anton C...Logs: Can’t Hate Them, Won’t Love Them: Brief Log Management Class by Anton C...
Logs: Can’t Hate Them, Won’t Love Them: Brief Log Management Class by Anton C...Anton Chuvakin
 
Large enterprise SIEM: get ready for oversize
Large enterprise SIEM: get ready for oversizeLarge enterprise SIEM: get ready for oversize
Large enterprise SIEM: get ready for oversizeMona Arkhipova
 
[2.3] Large enterprise SIEM: get ready for oversize - Svetlana (Mona) Arkhipova
[2.3] Large enterprise SIEM: get ready for oversize - Svetlana (Mona) Arkhipova[2.3] Large enterprise SIEM: get ready for oversize - Svetlana (Mona) Arkhipova
[2.3] Large enterprise SIEM: get ready for oversize - Svetlana (Mona) ArkhipovaOWASP Russia
 
Nava SIEM Agent Datasheet
Nava SIEM Agent DatasheetNava SIEM Agent Datasheet
Nava SIEM Agent DatasheetLinkgard
 
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...NoNameCon
 
williams-wwhf-20210617-eventlogs.pdf
williams-wwhf-20210617-eventlogs.pdfwilliams-wwhf-20210617-eventlogs.pdf
williams-wwhf-20210617-eventlogs.pdfVinceVulpes
 
Network Monitoring Basics
Network Monitoring BasicsNetwork Monitoring Basics
Network Monitoring BasicsRob Dunn
 
Protecting the Web at a scale using consul and Elk / Valentin Chernozemski (S...
Protecting the Web at a scale using consul and Elk / Valentin Chernozemski (S...Protecting the Web at a scale using consul and Elk / Valentin Chernozemski (S...
Protecting the Web at a scale using consul and Elk / Valentin Chernozemski (S...Ontico
 
Log aggregation and analysis
Log aggregation and analysisLog aggregation and analysis
Log aggregation and analysisDhaval Mehta
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramBeyondTrust
 
Security Monitoring for big Infrastructures without a Million Dollar budget
Security Monitoring for big Infrastructures without a Million Dollar budgetSecurity Monitoring for big Infrastructures without a Million Dollar budget
Security Monitoring for big Infrastructures without a Million Dollar budgetJuan Berner
 
Operations: Security Crash Course — Best Practices for Securing your Company
Operations: Security Crash Course — Best Practices for Securing your CompanyOperations: Security Crash Course — Best Practices for Securing your Company
Operations: Security Crash Course — Best Practices for Securing your CompanyAmazon Web Services
 

Similar to Log management principle and usage (20)

Six Mistakes of Log Management 2008
Six Mistakes of Log Management 2008Six Mistakes of Log Management 2008
Six Mistakes of Log Management 2008
 
Prévention et détection des mouvements latéraux
Prévention et détection des mouvements latérauxPrévention et détection des mouvements latéraux
Prévention et détection des mouvements latéraux
 
Flipping the script
Flipping the scriptFlipping the script
Flipping the script
 
EventLog Analyzer - Product overview
EventLog Analyzer - Product overviewEventLog Analyzer - Product overview
EventLog Analyzer - Product overview
 
Power of logs: practices for network security
Power of logs: practices for network securityPower of logs: practices for network security
Power of logs: practices for network security
 
SplunkApplicationLoggingBestPractices_Template_2.3.pdf
SplunkApplicationLoggingBestPractices_Template_2.3.pdfSplunkApplicationLoggingBestPractices_Template_2.3.pdf
SplunkApplicationLoggingBestPractices_Template_2.3.pdf
 
Logs: Can’t Hate Them, Won’t Love Them: Brief Log Management Class by Anton C...
Logs: Can’t Hate Them, Won’t Love Them: Brief Log Management Class by Anton C...Logs: Can’t Hate Them, Won’t Love Them: Brief Log Management Class by Anton C...
Logs: Can’t Hate Them, Won’t Love Them: Brief Log Management Class by Anton C...
 
Large enterprise SIEM: get ready for oversize
Large enterprise SIEM: get ready for oversizeLarge enterprise SIEM: get ready for oversize
Large enterprise SIEM: get ready for oversize
 
[2.3] Large enterprise SIEM: get ready for oversize - Svetlana (Mona) Arkhipova
[2.3] Large enterprise SIEM: get ready for oversize - Svetlana (Mona) Arkhipova[2.3] Large enterprise SIEM: get ready for oversize - Svetlana (Mona) Arkhipova
[2.3] Large enterprise SIEM: get ready for oversize - Svetlana (Mona) Arkhipova
 
Nava SIEM Agent Datasheet
Nava SIEM Agent DatasheetNava SIEM Agent Datasheet
Nava SIEM Agent Datasheet
 
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
 
Observability at Spotify
Observability at SpotifyObservability at Spotify
Observability at Spotify
 
williams-wwhf-20210617-eventlogs.pdf
williams-wwhf-20210617-eventlogs.pdfwilliams-wwhf-20210617-eventlogs.pdf
williams-wwhf-20210617-eventlogs.pdf
 
Network Monitoring Basics
Network Monitoring BasicsNetwork Monitoring Basics
Network Monitoring Basics
 
Protecting the Web at a scale using consul and Elk / Valentin Chernozemski (S...
Protecting the Web at a scale using consul and Elk / Valentin Chernozemski (S...Protecting the Web at a scale using consul and Elk / Valentin Chernozemski (S...
Protecting the Web at a scale using consul and Elk / Valentin Chernozemski (S...
 
Log aggregation and analysis
Log aggregation and analysisLog aggregation and analysis
Log aggregation and analysis
 
Tips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management ProgramTips to Remediate your Vulnerability Management Program
Tips to Remediate your Vulnerability Management Program
 
Security Monitoring for big Infrastructures without a Million Dollar budget
Security Monitoring for big Infrastructures without a Million Dollar budgetSecurity Monitoring for big Infrastructures without a Million Dollar budget
Security Monitoring for big Infrastructures without a Million Dollar budget
 
Zabbixconf2016(2)
Zabbixconf2016(2)Zabbixconf2016(2)
Zabbixconf2016(2)
 
Operations: Security Crash Course — Best Practices for Securing your Company
Operations: Security Crash Course — Best Practices for Securing your CompanyOperations: Security Crash Course — Best Practices for Securing your Company
Operations: Security Crash Course — Best Practices for Securing your Company
 

Recently uploaded

Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service NashikCall Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service NashikCall Girls in Nagpur High Profile
 
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Christo Ananth
 
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSAPPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSKurinjimalarL3
 
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝soniya singh
 
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
(TARA) Talegaon Dabhade Call Girls Just Call 7001035870 [ Cash on Delivery ] ...
(TARA) Talegaon Dabhade Call Girls Just Call 7001035870 [ Cash on Delivery ] ...(TARA) Talegaon Dabhade Call Girls Just Call 7001035870 [ Cash on Delivery ] ...
(TARA) Talegaon Dabhade Call Girls Just Call 7001035870 [ Cash on Delivery ] ...ranjana rawat
 
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130Suhani Kapoor
 
Introduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxIntroduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxupamatechverse
 
Processing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptxProcessing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptxpranjaldaimarysona
 
Coefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxCoefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxAsutosh Ranjan
 
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
the ladakh protest in leh ladakh 2024 sonam wangchuk.pptx
the ladakh protest in leh ladakh 2024 sonam wangchuk.pptxthe ladakh protest in leh ladakh 2024 sonam wangchuk.pptx
the ladakh protest in leh ladakh 2024 sonam wangchuk.pptxhumanexperienceaaa
 
UNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSISUNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSISrknatarajan
 
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...Dr.Costas Sachpazis
 
High Profile Call Girls Dahisar Arpita 9907093804 Independent Escort Service ...
High Profile Call Girls Dahisar Arpita 9907093804 Independent Escort Service ...High Profile Call Girls Dahisar Arpita 9907093804 Independent Escort Service ...
High Profile Call Girls Dahisar Arpita 9907093804 Independent Escort Service ...Call girls in Ahmedabad High profile
 
SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )Tsuyoshi Horigome
 
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...Call Girls in Nagpur High Profile
 

Recently uploaded (20)

Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service NashikCall Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
 
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
★ CALL US 9953330565 ( HOT Young Call Girls In Badarpur delhi NCR
 
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
9953056974 Call Girls In South Ex, Escorts (Delhi) NCR.pdf
 
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
Call for Papers - African Journal of Biological Sciences, E-ISSN: 2663-2187, ...
 
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSAPPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
 
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
Model Call Girl in Narela Delhi reach out to us at 🔝8264348440🔝
 
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
 
(TARA) Talegaon Dabhade Call Girls Just Call 7001035870 [ Cash on Delivery ] ...
(TARA) Talegaon Dabhade Call Girls Just Call 7001035870 [ Cash on Delivery ] ...(TARA) Talegaon Dabhade Call Girls Just Call 7001035870 [ Cash on Delivery ] ...
(TARA) Talegaon Dabhade Call Girls Just Call 7001035870 [ Cash on Delivery ] ...
 
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
VIP Call Girls Service Kondapur Hyderabad Call +91-8250192130
 
Introduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxIntroduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptx
 
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINEDJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
 
Processing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptxProcessing & Properties of Floor and Wall Tiles.pptx
Processing & Properties of Floor and Wall Tiles.pptx
 
Coefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxCoefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptx
 
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
 
the ladakh protest in leh ladakh 2024 sonam wangchuk.pptx
the ladakh protest in leh ladakh 2024 sonam wangchuk.pptxthe ladakh protest in leh ladakh 2024 sonam wangchuk.pptx
the ladakh protest in leh ladakh 2024 sonam wangchuk.pptx
 
UNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSISUNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSIS
 
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
Structural Analysis and Design of Foundations: A Comprehensive Handbook for S...
 
High Profile Call Girls Dahisar Arpita 9907093804 Independent Escort Service ...
High Profile Call Girls Dahisar Arpita 9907093804 Independent Escort Service ...High Profile Call Girls Dahisar Arpita 9907093804 Independent Escort Service ...
High Profile Call Girls Dahisar Arpita 9907093804 Independent Escort Service ...
 
SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )
 
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
 

Log management principle and usage

  • 1. Log Management Principle and Usage Bikrant Gautam, MSIA Fall, SCSU
  • 2. Log Sources: What is log? records of events.
  • 3. ? But why Log Management? ● Numeros computers ● Numerous logs ● Hard to pinpoint a single log
  • 4. Log Management Operation Log Collecting/Archiving Log Normalization Log Intelligence/Forensics and Monitoring
  • 5. Log Archiving ● Collect numerous logs in raw from from different sources. ● Includes system event logs, SNMP traps, Flow data etc. ● Different tools deployed to collect logs, fetchers or collectors,
  • 6. Log Normalization Raw Windows 2003 log <13>Apr 02 10:10:31 LPDC22.logpoint.net MSWinEventLog 1 Security 34796279 Thu Apr 02 10:10:31 2015 4634 Microsoft-Windows-Security-Auditing St.CloudCQ899$ N/A Success Audit scsu.test.net Logoff An account was logged off. Subject: Security ID: S- 1-5-21-1078081533-1303643608-682003330-14083 Account Name: SCSU11$ Account Domain: Husky Logon ID: 0x8764a6ab Logon Type: 3 This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. 34790802 Normalized logs LogTime=2015/04/02 10:10:31 object=account Action=logged off | EventLog=Security | User= CQ899$ | Domain=St.Cloud EventCategory=Logoff | EventId=4634 EventSource=Microsoft-Windows-Security EventType=Success
  • 7. Application Fields ✘Threat protection and discovery ✘Incidence response and forensics ✘Regulatory compliance and audit ✘It system and network troubleshooting ✘System performance and management Ref: Anton Chuvakin ; http://www.slideshare.net/anton_chuvakin/log-management-and-compliance-whats-the-real-story-b dr-anton-chuvakin
  • 8. Plain old log investigation method ✘ collect logs from all associated computers ( will not be few) ✘ Go through each logs searching for evidence (might take years to complete) ✘ finally give up, as the information was stored in a binary value not readable to human eyes. A curious case of auditing with logs Using log management tool ✘ point all your devices to a central log collection server. ✘ all cryptic logs are normalized to human readable format ✘ Search for particular keyword, or event on a specific time. ✘ Complete the forensic in no time.
  • 9. Use Case: Monitoring Users logging to eros server ✘user smmsp has logged into eros server for almost 6000 times. ✘user charles.kangas have logged into the system for almost 2500 times
  • 10. Use case: Continued, Drilling down ✘further investigation for charles.Kangas was done. ✘the originating source ips were searched on arin-whois and the further information were collected
  • 11. Use case: Continued, User Information ✘The result of whois lookup for user Charles. ✘Origin of request seems fair enough. What if the originating IP was from North Korea?
  • 12. AdvanceD Operation Lookup Log Correlation Reporting ● 10 logins on last 5 second ● connect to external databases ● present the finding on a neat report that can be send to BOSSes
  • 13. Advantages of Log Management Tool ✘cool dashboard to visualize queries ✘deployed in your private server so the integrity of data is maintained ✘can be configured to generate alerts and triggers according to your business requirement ✘supports your compliance requirement
  • 14. Challenges of Log Management ✘Lack of common log format ✘Not all activities generate logs ✘Not all activities are logged ✘Requires user to learn new script for every log management tool ✘High volume of irrelevant data
  • 17. 1.3 billion Projected revenue of Log management softwares in 2015
  • 18. Conclusion ✘ A versatile tool to approach various challenges. ✘ Provides IT security with forensics and investigative platform ✘ Quicker and faster alternative to plain old auditing system