Assuria Log Manager Architecture and Components
Assuria Log Manager (ALM) is designed to meet the requirements of
enterprise-wide management of audit logs generated by systems, devices
and applications.
Assuria Log Manager manages large communities of logs from Windows,
Linux and UNIX servers and workstations, from databases and
applications, and from network devices such as firewalls and routers.
It can also collect logs from almost any other log source, such as
building access control systems.
Assuria Log Manager ensures the integrity and continuity of audit log
data by securely collecting the audit logs from enterprise-wide systems
into a central point, in a secure and forensically sound way, where they
may be used for analysis, reporting or full forensic investigation.
An Agent is installed on each source system. The Agent monitors the
configured audit logs and initiates transfer when the policy criteria
are met. Before logs are transferred to the central store a SHA-256
checksum is calculated and the log is digitally signed at source
(signing is configurable per Agent). The transfer of logs over the
network is encrypted.
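The hash-then-sign step above is what lets the Collector detect a log that was altered in transit or on the source after collection. The following is an added illustration of that flow, not Assuria's code: the Agent side hashes the raw log bytes and signs a manifest describing them, the Collector side checks the signature first and then recomputes the hash over the bytes it actually received. ALM uses a digital signature; because the Python standard library has no asymmetric signing, HMAC-SHA256 with an assumed shared key stands in for it here, and the constructed sample log lines, key and field names are this example's own assumptions. Encryption of the transfer (TLS or similar) is assumed to wrap this exchange and is not shown.

```python
import hashlib
import hmac
import json

# Constructed sample log content (not real data). It is handled as opaque bytes
# end to end, which is what keeps the original format intact for forensic use.
SAMPLE_LOG = (
    b"Mar  3 10:15:01 web01 sshd[2231]: Failed password for invalid user admin "
    b"from 203.0.113.7 port 51122 ssh2\n"
    b"Mar  3 10:16:10 web01 sshd[2240]: Accepted publickey for alice "
    b"from 198.51.100.4 port 40210 ssh2\n"
)

# Assumed shared signing key. A real deployment would hold a per-Agent private key
# and use an asymmetric signature; HMAC-SHA256 is a stdlib stand-in for this example.
AGENT_KEY = b"example-agent-key-do-not-use"


def canonical(manifest: dict) -> bytes:
    """Deterministic encoding so Agent and Collector sign/verify identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def agent_prepare(log_bytes: bytes, source: str, log_name: str,
                  key: bytes, collected_at: str) -> dict:
    """Agent side: hash the raw bytes, then sign a manifest that binds the hash
    to the source, log name, size and collection time. The payload is untouched."""
    manifest = {
        "source": source,
        "log": log_name,
        "size": len(log_bytes),
        "sha256": hashlib.sha256(log_bytes).hexdigest(),
        "collected_at": collected_at,
    }
    signature = hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "signature": signature, "payload": log_bytes}


def collector_verify(bundle: dict, key: bytes) -> tuple:
    """Collector side: verify the manifest signature before trusting any field in
    it, then recompute the hash over the bytes actually received. Returns
    (ok, reason) so the caller can log why a transfer was rejected."""
    manifest = bundle["manifest"]
    expected = hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, bundle["signature"]):
        return (False, "manifest signature mismatch")
    payload = bundle["payload"]
    if len(payload) != manifest["size"]:
        return (False, "size mismatch")
    if not hmac.compare_digest(hashlib.sha256(payload).hexdigest(), manifest["sha256"]):
        return (False, "payload hash mismatch")
    return (True, "ok")


def tampered_payload(bundle: dict, old: bytes, new: bytes) -> dict:
    """Simulate an on-path edit of the log body (manifest and signature untouched)."""
    return dict(bundle, payload=bundle["payload"].replace(old, new))


if __name__ == "__main__":
    bundle = agent_prepare(SAMPLE_LOG, "web01", "/var/log/auth.log",
                           AGENT_KEY, "2024-03-03T10:20:00Z")
    print("clean transfer:", collector_verify(bundle, AGENT_KEY))
    edited = tampered_payload(bundle, b"203.0.113.7", b"203.0.113.8")
    print("edited IP in body:", collector_verify(edited, AGENT_KEY))
    print("wrong key:", collector_verify(bundle, b"not-the-agent-key"))
```

Two design points carry over to any real collector: the signature is checked before any manifest field is used (an unsigned `size` or `sha256` is attacker-controlled), and the stored object is the received bytes exactly, with no re-encoding or line-ending normalisation, or the stored hash will no longer match the evidence.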
Logs can be processed by a rules-based analysis engine, allowing
‘interesting’ events to be tagged and written to a database for further
analysis. Alternatively, the logs can be indexed, allowing fast
unstructured queries and drill-down into the log data.
Logs can be archived to secure long-term storage. All handling of the
logs preserves the original format, so that they remain suitable, if
required, for forensic analysis.
Assuria “Content Packs” are used to define the log format and content,
and the rules for event identification and tagging. A Content Pack is
required for each log type / format.
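To make the relationship between a Content Pack and the analysis engine concrete, here is an added example of the shape such a pack takes and how a rules engine applies it, written for this page and not taken from Assuria's product: a line-format definition for one log type (Linux auth.log style), a set of tagging rules, and an analyser that runs them over constructed sample lines. The pack structure, rule fields, tag names and sample lines are all this example's own assumptions. It goes slightly beyond a single match-and-tag rule by including a threshold rule, which fires once when the same key (here a source IP) has matched enough times.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines in Linux auth.log style (not real data). The last
# line is deliberately malformed to show how a parse failure is surfaced.
SAMPLE_LINES = [
    "Mar  3 10:15:01 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2",
    "Mar  3 10:15:03 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2",
    "Mar  3 10:15:05 web01 sshd[2231]: Failed password for root from 203.0.113.7 port 51124 ssh2",
    "Mar  3 10:16:10 web01 sshd[2240]: Accepted publickey for alice from 198.51.100.4 port 40210 ssh2",
    "Mar  3 10:16:42 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx",
    "Mar  3 10:17:00 web01 CRON[2250]: (root) CMD (run-parts /etc/cron.hourly)",
    "this line is not in the expected format",
]

# Format definition: timestamp, host, process (optional pid), message.
AUTHLOG_FORMAT = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[^\s\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

FAILED_PW = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    tag: str
    threshold: int = 1          # fire after this many matches ...
    key: Optional[str] = None   # ... sharing the same value of this captured field


# A hypothetical Content Pack for one log type: its format plus its tagging rules.
AUTHLOG_PACK = {
    "log_type": "linux-auth",
    "format": AUTHLOG_FORMAT,
    "rules": [
        Rule("ssh_failed_password", FAILED_PW, "auth.failure"),
        Rule("ssh_bruteforce", FAILED_PW, "auth.bruteforce", threshold=3, key="ip"),
        Rule("sudo_command", re.compile(r"(?P<user>\S+) : TTY=.*COMMAND=(?P<cmd>.*)"), "priv.sudo"),
        Rule("ssh_root_login", re.compile(r"Accepted \S+ for root from (?P<ip>\S+)"), "auth.root_login"),
    ],
}


def analyse(lines, pack) -> list:
    """Apply a Content Pack to raw lines. Each tagged event keeps the raw line so the
    database record can always be traced back to the unmodified stored log."""
    tagged = []
    counts = defaultdict(int)
    for lineno, line in enumerate(lines, 1):
        parsed = pack["format"].match(line)
        if parsed is None:
            # A line the pack cannot parse is itself worth tagging: it is either
            # a gap in the pack or something unexpected on the source.
            tagged.append({"line": lineno, "tag": "parse.failure", "raw": line})
            continue
        rec = parsed.groupdict()
        for rule in pack["rules"]:
            m = rule.pattern.search(rec["msg"])
            if not m:
                continue
            fields = m.groupdict()
            if rule.threshold > 1:
                bucket = (rule.name, fields.get(rule.key))
                counts[bucket] += 1
                if counts[bucket] != rule.threshold:
                    continue  # fire exactly once, when the threshold is reached
            tagged.append({"line": lineno, "rule": rule.name, "tag": rule.tag,
                           "host": rec["host"], "ts": rec["ts"], **fields, "raw": line})
    return tagged


def tag_counts(events) -> dict:
    """Summary used for a quick report: how many events carry each tag."""
    summary = defaultdict(int)
    for ev in events:
        summary[ev["tag"]] += 1
    return dict(summary)


if __name__ == "__main__":
    for ev in analyse(SAMPLE_LINES, AUTHLOG_PACK):
        print(ev["line"], ev["tag"], ev.get("rule", "-"))
    print(tag_counts(analyse(SAMPLE_LINES, AUTHLOG_PACK)))
```

On the sample input the pack tags the three failed logins individually, fires the brute-force rule once when the third failure from the same IP arrives, tags the sudo command, flags the unparseable line, and leaves the cron entry and the non-root successful login untagged. Threshold state here is per analysis run and unbounded; a production engine would also window it in time and evict old keys.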

Figure - Assuria Log Manager - Collection Architecture Components.
Agent: Monitors and collects logs and securely transfers them to the
Collector. The Agent can optionally sign each log. A real-time alerter
integrated with the Agent can be configured to generate alerts when
specific events are detected in monitored logs.
Collector(s): Receives logs from Agents and transfers them to the Log
Store. Validates received logs and can optionally sign each log. Logs
are indexed as they are collected and stored.
Log Store: A file structure used to store collected logs, metadata, and
ALM configuration and report data.
Database: Holds information about tagged ‘Interesting Events’, Agents,
Logs and Agent policies.
Analyser: Analyses logs, tagging those with ‘interesting events’, which
are stored in the Database for reporting and display.
Inspector: Indexes collected logs for very fast unstructured queries,
log inspection and reporting.

Figure - Assuria Log Manager - Processing.
Archiver: Manages the archiving of selected sets of logs based on
flexible criteria. Allows tracking of archives on secondary and
removable media.
Reporter: Provides a flexible report generation system based on
Database queries, using XML/XSL technologies to produce reports in
HTML, text or PDF. An easy-to-use custom report generator is part of
the product.
Console: A GUI to manage Agents and policies; provides the interface to
the reporting and archiving functionality.
Resilient configuration
Assuria Log Manager is a modular system and can be configured in a
number of ways to meet user requirements for high availability and/or
resilience of volume and capacity.
Multiple Collectors can be configured, and Agents configured to use
whichever Collector is available, with load balancing between them.
The Log Store and Database can, where required, be replicated using
the replication functionality native to the store or database. If
required, multiple Agents can be installed on a single log source
system, though each Agent must handle its own unique set of logs.