IT infrastructures are becoming more and more complex. Especially in the area of security, more and more different devices are needed to protect against the increasingly professional criminals. Where in the past a simple firewall was sufficient, today you need many specialized gateways and firewalls together with analysis devices.
Analysis of log data: Important for IT security
It is crucial for IT security that the log data of all these devices is collected, correlated and evaluated. This is the only way to quickly take action in the event of an attack and to analyze the incident forensically.
terreActive recommend to collect all available log data in order to get a complete picture of the events. Performance or even licensing reasons should not play a role. With tacLOM, terreActive has been offering a monitoring and log management platform for over 20 years. It specialises in collecting all log data generated in the company centrally and making it available for queries and evaluations.
Different languages
The logs differ considerably depending on the type of device. Every device, every manufacturer speaks a different language. The important information is often hidden in numerous technical details. Therefore people cannot interpret this data efficiently and this causes major problems for companies in terms of security.
Now, we have a solution for this problem. With the eventpacks for tacLOM, terreActive has found a way how companies can easily understand logs.
What is an event?
An event in tacLOM is a log message generated by the system, which is created based on specific log events. With each of these events, the reference to the triggering log lines is also saved. Thus, the raw data can easily be used for a later analysis of the events. A complex set of rules defines when an event is created and what it looks like.
What is an Eventpack?
Eventpacks extend this set of rules by entire collections of rule definitions for a standard product. This ensures that the events of different eventpacks are displayed in the same way. The event for a successful login on the workstation and the login on the SQL database have the same format. They are therefore understandable without in-depth application knowledge and can also be correlated and used for further analyses and statistics.
This offers the user the following advantages:
Better to read and to understand:
Log data often have a lot of detailed information and a complex structure. The data fields are often unclear or not labeled at all.
The eventpacks translate the cryptic logs into a readable form. Event messages start with a category, followed by a short description. The detailed information follows afterwards.
Normalization:
If different devices are affected by the same event, the same ID numbers are assigned to the events. They receive the same category, the same description text and the same field names.
Compression:
The eventpack only creates an event for relevant events. Not all information from the original log is displayed, but only the essential fields. This reduction creates a completely new view of the infrastructure, which can be used as a basis for further reporting or SOC services.
Alerts
If the user wants to be informed proactively via mail or SMS, he can activate an alarm for a specific event with just a few clicks. If required, the alarm can also be linked to other conditions.
Performance:
The application of a complex and comprehensive set of rules for a very large number of incoming log lines is not always a matter of course, even with new hardware. In addition to the content aspects, the development of event packs always focuses on performance aspects. The individual rules are explicitly optimized for fast processing. In addition, they are designed to harmonize optimally with the distributed and multi-level filter process.