Assuria Log Manager
Organisations of all sizes, in both the public and private sector, are
required to comply with a growing number of legislative and industry
regulations and standards. These requirements are driving organisations to
seek tools that assist with and automate their log management and
compliance processes.
Operating systems, system software and applications have for many years
had features to write audit logs to record events, data or actions
taken. The benefits of using log data are well known to IT professionals
who have used the information contained in logs for diagnostics and to
verify actions taken by software, often as the first steps in problem
identification.
Today such audit logs have attained a much higher level of importance,
driven by several factors including policy compliance requirements.
Valuable information
Uses for collected logs and log data range from near real-time collection
and in-memory correlation of network traffic, through near real-time
alerting and host-based intrusion detection, regulatory compliance
reporting, and problem identification and resolution, to incident response
and forensic analysis.
Logs have become essential to demonstrate compliance to regulations and
standards.
Uses for log data in addition to regulatory compliance include:
• Incident response and investigation
• Forensic analysis
• Problem identification and resolution
• Network traffic monitoring (near real-time) and anomaly detection
• Operations and service level monitoring
• Marketing analysis
Today’s operating systems, applications and network devices, including
Windows and Linux / UNIX, can produce vast amounts of audit data within
their logs. Assuria Log Manager is a fully scalable solution designed to
manage those logs.
Assuria Log Manager
Assuria Log Manager (ALM) is designed to meet the requirements of
enterprise-wide management of audit logs generated by systems, devices and
applications. ALM is highly scalable, from ten systems to tens of thousands
of systems.
ALM provides:
- a mechanism for the secure transfer of system logs from individual
systems onto a central management system. The transfer is performed so
that the logs may, if required, later be used for forensic analysis
and/or as evidence.
- near real-time alerting against specific events.
- facilities to allow viewing of the centrally held logs.
- facilities for archiving collected logs to long-term storage.
- facilities for analysing the logs using analysis rules, storing
interesting events in a database for further analysis, correlation and
reporting.
Centrally, ALM allows filtering, viewing, analysis, reporting and archiving
of the stored logs.
Key features
- Log management: ALM manages the rotation of logs on the source
systems. ALM interacts with the software writing the log, requesting
that the log be rotated.
- Forensic readiness: ALM retains logs in the original format in which
they are written. The logs are digitally signed so that any unauthorised
tampering can be detected.
- System specific data: the ALM agent collects system specific
information to ensure that the log file can be rendered readable away
from the system on which it was written.
- Secure collection: ALM encrypts all network traffic, and the transfer
of logs is an atomic transaction: logs are only removed from the host
once they have been securely stored by the ALM Collector.
- Secure storage: logs are stored in a standard file / folder structure
protected by the application of appropriate permissions.
- Powerful analysis: ALM has two analysis capabilities: a tagging
approach, in which ‘interesting events’ in the logs are identified and
written to a SQL database where they can be used for structured
querying, and an indexing approach, where the selected logs are indexed
for unstructured ‘drill down’ querying.
- Flexible reporting: once the tags are in the database, the Reporter
queries the database to produce the regular reports.
- Extensible: ALM is designed to be extensible. The extensibility covers
a number of areas including data sources (logs), analysis rules
(tagging) and reports.
- Alerting: the agent can be configured to generate alerts when
specified events or sequences of events are written to the log.
- Log filtering: optionally, ALM can be configured to filter logs as
they are collected.
Assuria Log Manager Architecture
ALM implements a multi-tier architecture. An agent is installed on each
system from which logs are to be collected. Each log is sent to the
Collector via an encrypted and secure store-and-forward mechanism, and the
logs are saved into the Log Store. The Collector provides agent management
and data management for ALM and uses a database for the indexing of
‘interesting events’, the cataloguing of logs and other system
information. The Collector is the middle tier of Assuria Log Manager. One
or more Consoles display management information, log data, reports etc.
for the user / administrator.
ALM is based on an extensible architecture comprising:
- Agents
- Collectors with Log Store and Database
- Analyser
- Inspector
- Archiver
- Reporter
- Consoles
The Agents run on Windows, Linux and Unix based machines; the Collector,
Console and other processing modules currently operate on Windows
machines.
The ALM Agent, where installed on the source system, monitors the logs
against the criteria defined (in the agent policy). If a log reaches a
policy defined threshold/trigger condition the log is transferred to the
ALM Collector on a central management platform using a secure store and
forward mechanism.
Log Collection
ALM collection components consist of the following:
Agent: monitors and collects logs and securely transfers them to the
Collector. The agent can optionally sign each log. An optional near
real-time alerter is integrated in the agent and can be configured to
generate alerts when specific events are detected in the logs.
Collector: receives logs from agents and transfers them to the Log Store.
Validates received logs and can optionally sign each log. Indexes logs as
they are collected.
Store: the file / folder structure used to store logs and ALM
configuration data.
Database: stores information about Agents, Logs, ‘interesting’ events,
Agent policies and Archives.
Console: a GUI to manage agents, policies and collected logs. The ALM
Console also manages the processing components of Assuria Log Manager,
and allows the user to browse analysis results, inspect the collected
data and generate reports.
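The hand-off described above and under Key features (logs signed in their original format, an atomic transfer, the local copy released only once the Collector has stored it, and a permission-protected file store) can be modelled in a few dozen lines. The following is an added example written for this page, not Assuria's code. It assumes an HMAC-SHA256 signature with a pre-shared key, a per-host folder layout in the Log Store and a constructed sample log line; the datasheet does not specify ALM's actual signature scheme, wire format or store layout.

```python
"""Added example: signed, store-and-forward log hand-off from Agent to Collector.

Not Assuria's code. It models the behaviour the datasheet describes: the agent
signs each log as written, the collector verifies the signature and writes the
file atomically into a read-only Log Store, and the agent deletes its copy only
after the collector acknowledges durable storage. HMAC-SHA256, the demo key,
the folder layout and the sample log are all assumptions made for this demo.
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

DEMO_KEY = b"demo-agent-collector-key"  # assumption: a pre-shared per-agent key


def sign_log(data: bytes, key: bytes = DEMO_KEY) -> str:
    """HMAC-SHA256 over the raw log bytes, hex encoded."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_log(data: bytes, signature: str, key: bytes = DEMO_KEY) -> bool:
    """Constant-time comparison so a forged signature cannot be probed byte by byte."""
    return hmac.compare_digest(sign_log(data, key), signature)


class Collector:
    """Stores verified logs in a per-host folder structure (the Log Store)."""

    def __init__(self, store: Path):
        self.store = store
        store.mkdir(parents=True, exist_ok=True)

    def receive(self, meta: dict, data: bytes) -> bool:
        """Return True (the ack) only once the log is verifiably and durably stored."""
        if not verify_log(data, meta["signature"]):
            return False  # altered in transit or wrong key: no ack, agent keeps its copy
        host_dir = self.store / meta["host"]
        host_dir.mkdir(exist_ok=True)
        final = host_dir / meta["name"]
        # Write to a temp file in the same directory, fsync, then rename, so a
        # crash mid-transfer can never leave a truncated file under the final name.
        fd, tmp = tempfile.mkstemp(dir=host_dir, prefix=".incoming-")
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, final)
        final.chmod(0o440)  # the store holds evidence, not a working copy
        (host_dir / (meta["name"] + ".meta")).write_text(json.dumps(meta))
        return True


class Agent:
    """Forwards a rotated log file to the collector, releasing it only on ack."""

    def __init__(self, host: str, collector: Collector, tamper: bool = False):
        self.host, self.collector, self.tamper = host, collector, tamper

    def forward(self, path: Path) -> bool:
        data = path.read_bytes()  # original format, untouched
        meta = {"host": self.host, "name": path.name, "size": len(data),
                "signature": sign_log(data)}
        wire = data + b"X" if self.tamper else data  # simulate in-transit corruption
        if self.collector.receive(meta, wire):
            path.unlink()  # only now is it safe to remove the copy on the host
            return True
        return False  # stays in the spool for the next store-and-forward attempt


def _scenario(root: Path) -> dict:
    """Constructed scenario: one clean transfer and one corrupted transfer."""
    spool, store = root / "spool", root / "logstore"
    spool.mkdir(parents=True)
    sample = b"Mar  3 08:02:44 web1 sshd[2133]: Failed password for root from 198.51.100.7\n"
    (spool / "auth.log.1").write_bytes(sample)
    (spool / "auth.log.2").write_bytes(sample)
    collector = Collector(store)
    clean = Agent("web1", collector).forward(spool / "auth.log.1")
    bad = Agent("web1", collector, tamper=True).forward(spool / "auth.log.2")
    stored_meta = json.loads((store / "web1" / "auth.log.1.meta").read_text())
    return {
        "clean_acked": clean,
        "clean_local_removed": not (spool / "auth.log.1").exists(),
        "stored_verifies": verify_log((store / "web1" / "auth.log.1").read_bytes(),
                                      stored_meta["signature"]),
        "tampered_acked": bad,
        "tampered_local_kept": (spool / "auth.log.2").exists(),
        "tampered_not_stored": not (store / "web1" / "auth.log.2").exists(),
    }


def run_demo(root=None) -> dict:
    if root is not None:
        return _scenario(Path(root))
    with tempfile.TemporaryDirectory() as d:
        return _scenario(Path(d))


if __name__ == "__main__":
    print(run_demo())
```

The clean transfer is acknowledged and the source copy deleted; the deliberately corrupted transfer fails verification, receives no ack, and the agent's copy stays in the spool for a retry, which is the "atomic transaction" property the datasheet claims. The fsync-then-rename step is what makes the store side atomic, and the signature stored beside the file is what lets an analyst later show that the evidence is the file the agent sent.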
Log Processing
ALM processing components consist of the following:
Analyser: analyses the logs once collected and securely stored, ‘tagging’
those records that contain interesting events as defined by the current
analysis rules for the data source.
Inspector: indexes the logs once collected and securely stored. The
indexed log data enables very fast unstructured queries to be made against
the log data.
Archiver: manages the archiving of selected sets of logs based on flexible
criteria, and creates and signs archives for transfer onto secondary level
storage. The Archiver allows for the tracking of archives on secondary and
removable media.
Reporter: produces ALM reports. The Reporter takes the Analyser results
from the Database and renders the data into
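The Analyser, Database and Reporter pipeline, and the tagging approach described under Powerful analysis, can be shown end to end on a handful of log lines. This is an added example, not Assuria's code: the rule format (a tag name mapped to a regular expression), the tags table, the in-memory SQLite database and the OpenSSH-style auth.log sample are all constructed for the demonstration, and the datasheet does not describe ALM's real rule language or schema.

```python
"""Added example: the tagging pipeline (Analyser -> Database -> Reporter).

Not Assuria's code. It models the approach the datasheet describes: run the
analysis rules for a data source over a collected log, write only the
'interesting' records to a SQL database as tags (the full log stays in the
signed Log Store), then let a reporter answer structured queries from the
database. Rules, schema and sample log are all constructed for this demo.
"""
import re
import sqlite3

# Constructed OpenSSH-style auth.log sample (not real data).
SAMPLE_LOG = """\
Mar  3 08:01:10 web1 sshd[2101]: Accepted publickey for deploy from 10.1.1.20 port 50112 ssh2
Mar  3 08:02:44 web1 sshd[2133]: Failed password for root from 198.51.100.7 port 41422 ssh2
Mar  3 08:02:46 web1 sshd[2133]: Failed password for root from 198.51.100.7 port 41422 ssh2
Mar  3 08:02:49 web1 sshd[2133]: Failed password for root from 198.51.100.7 port 41422 ssh2
Mar  3 08:03:01 web1 CRON[2140]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 08:05:12 web1 sshd[2160]: Failed password for invalid user admin from 203.0.113.9 port 6022 ssh2
Mar  3 08:07:30 web1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/systemctl restart nginx
"""

# Assumed analysis rules for the 'auth.log' data source: tag name -> pattern.
# A line may earn more than one tag; lines matching nothing are not stored.
RULES = {
    "ssh_failed_login": re.compile(
        r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<username>\S+) from (?P<src_ip>\S+)"),
    "ssh_root_login_attempt": re.compile(
        r"sshd\[\d+\]: (?:Failed|Accepted) \w+ for root from (?P<src_ip>\S+)"),
    "sudo_command": re.compile(
        r"sudo:\s+(?P<username>\S+) : .*COMMAND="),
}

# Assumed tag table: one row per (line, rule) hit, with the raw line kept
# so a report can cite it without re-reading the log file.
SCHEMA = """
CREATE TABLE IF NOT EXISTS tags (
    id INTEGER PRIMARY KEY, host TEXT, source TEXT, line_no INTEGER,
    tag TEXT, username TEXT, src_ip TEXT, raw TEXT
)"""


def analyse(conn: sqlite3.Connection, host: str, source: str, text: str) -> int:
    """Analyser step: tag interesting lines and write them to the database."""
    rows = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for tag, pattern in RULES.items():
            match = pattern.search(line)
            if match:
                fields = match.groupdict()
                rows.append((host, source, line_no, tag,
                             fields.get("username"), fields.get("src_ip"), line))
    conn.executemany(
        "INSERT INTO tags(host, source, line_no, tag, username, src_ip, raw) "
        "VALUES (?, ?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    return len(rows)


def report_failed_logins_by_source(conn: sqlite3.Connection, threshold: int = 3) -> list:
    """Reporter query: sources with at least `threshold` failed SSH logins.

    This is a structured query over tags, not over the raw log: the sequence
    of events behind a brute-force attempt becomes a single GROUP BY."""
    return conn.execute(
        "SELECT src_ip, COUNT(*) FROM tags WHERE tag = 'ssh_failed_login' "
        "GROUP BY src_ip HAVING COUNT(*) >= ? ORDER BY COUNT(*) DESC",
        (threshold,)).fetchall()


def run_demo() -> dict:
    """Run the whole pipeline over the constructed sample and return the results."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    tagged = analyse(conn, "web1", "auth.log", SAMPLE_LOG)
    by_tag = dict(conn.execute("SELECT tag, COUNT(*) FROM tags GROUP BY tag").fetchall())
    return {
        "tagged": tagged,
        "by_tag": by_tag,
        "brute_force_sources": report_failed_logins_by_source(conn),
    }


if __name__ == "__main__":
    print(run_demo())
```

Of the seven sample lines, two (the successful key login and the cron entry) match no rule and are never copied into the database; the three root failures each earn two tags, and the reporter's GROUP BY turns that sequence into one finding against 198.51.100.7. Keeping only tagged rows in SQL while the full log stays in the signed store is what keeps the database small enough for regular reporting without losing the evidential copy.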