Log management involves collecting logs from various sources, normalizing the data into a readable format, and using log intelligence and monitoring tools to detect threats, enable incident response and forensic investigations, and ensure regulatory compliance. It provides a centralized way to search logs, correlate events, and generate reports which can help security teams more efficiently investigate issues compared to traditional methods of reviewing raw logs. Challenges include a lack of standard log formats and capturing all activity, but the market for log management software is large and growing due to its importance for compliance needs.

1. Log Management
Principle and Usage
Bikrant Gautam, MSIA Fall, SCSU

2. Log Sources:
What is log?
records of events.

3. ?
But why Log Management?
● Numeros computers
● Numerous logs
● Hard to pinpoint a single log

4. Log Management Operation
Log Collecting/Archiving
Log Normalization
Log Intelligence/Forensics
and Monitoring

5. Log Archiving
● Collect numerous logs in raw from from different
sources.
● Includes system event logs, SNMP traps, Flow data etc.
● Different tools deployed to collect logs, fetchers or
collectors,

6. Log Normalization
Raw Windows 2003 log
<13>Apr 02 10:10:31 LPDC22.logpoint.net MSWinEventLog 1 Security 34796279 Thu Apr
02 10:10:31 2015 4634 Microsoft-Windows-Security-Auditing St.CloudCQ899$ N/A
Success Audit scsu.test.net Logoff An account was logged off. Subject: Security ID: S-
1-5-21-1078081533-1303643608-682003330-14083 Account Name: SCSU11$ Account Domain: Husky
Logon ID: 0x8764a6ab Logon Type: 3 This event is generated when a logon session is destroyed. It
may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between
reboots on the same computer. 34790802
Normalized logs
LogTime=2015/04/02 10:10:31
object=account
Action=logged off |
EventLog=Security |
User= CQ899$ |
Domain=St.Cloud
EventCategory=Logoff |
EventId=4634
EventSource=Microsoft-Windows-Security
EventType=Success

7. Application Fields
✘Threat protection and discovery
✘Incidence response and forensics
✘Regulatory compliance and audit
✘It system and network troubleshooting
✘System performance and management
Ref: Anton Chuvakin ; http://www.slideshare.net/anton_chuvakin/log-management-and-compliance-whats-the-real-story-b
dr-anton-chuvakin

8. Plain old log investigation method
✘ collect logs from all associated
computers ( will not be few)
✘ Go through each logs searching for
evidence (might take years to
complete)
✘ finally give up, as the information was
stored in a binary value not readable
to human eyes.
A curious case of auditing with logs
Using log management tool
✘ point all your devices to a central log
collection server.
✘ all cryptic logs are normalized to
human readable format
✘ Search for particular keyword, or
event on a specific time.
✘ Complete the forensic in no time.

9. Use Case: Monitoring Users logging to eros server
✘user smmsp has
logged into eros
server for almost
6000 times.
✘user charles.kangas
have logged into the
system for almost
2500 times

10. Use case: Continued, Drilling down
✘further investigation
for charles.Kangas
was done.
✘the originating source
ips were searched on
arin-whois and the
further information
were collected

11. Use case: Continued, User Information
✘The result of whois
lookup for user
Charles.
✘Origin of request
seems fair enough.
What if the originating IP was
from North Korea?

12. AdvanceD Operation
Lookup
Log
Correlation
Reporting
● 10 logins on last 5 second ● connect to external
databases
● present the finding on a
neat report that can be
send to BOSSes

13. Advantages of Log Management Tool
✘cool dashboard to visualize queries
✘deployed in your private server so the integrity of data is
maintained
✘can be configured to generate alerts and triggers according to
your business requirement
✘supports your compliance requirement

14. Challenges of Log Management
✘Lack of common log format
✘Not all activities generate logs
✘Not all activities are logged
✘Requires user to learn new script for every log management
tool
✘High volume of irrelevant data

15. The future?

16. Required by Compliances

17. 1.3 billion
Projected revenue of Log management softwares in 2015

18. Conclusion
✘ A versatile tool to approach various challenges.
✘ Provides IT security with forensics and investigative
platform
✘ Quicker and faster alternative to plain old auditing
system

19. Questions?