An effective security operations center starts with a reliable tool for securely collecting every security-relevant log. However, as the size and complexity of the enterprise IT infrastructure grow, the volume of logs that are relevant and need processing can quickly become overwhelming.
Automate log search
syslog-ng Store Box is a high-performance log management appliance capable of centralizing all security-related log data, and it offers a powerful full-text search capability on the collected data. In its latest feature release, 4F4, syslog-ng Store Box offers a new automatic search functionality. It can significantly improve the efficiency of any security operations team by automatically running searches on the incoming log data and sending an alert when a critical event is detected. Among many other things, this feature can help to:
- Detect that logging on a server has stopped, by alerting when a ‘syslog-ng shutting down’ message is received from that server
- Meet compliance requirements by automatically alerting if an application logs a critical error
- Verify if a credit card number has been accessed
- Verify if a policy violation, such as a root login to a server, has taken place
- Verify if a given user has had a failed login attempt
The new functionality is very easy to use. The following screenshot shows the syslog-ng Store Box search interface, including the new alert definition pane:
Email alerts
When you execute a search, the search expression appears in the alert definition pane. An alert name and an alert target (the recipient of the alert) need to be specified, and then the Create Alert button activates the alert. In the example above, an alert is created to detect when a server is accessed via SSH using root credentials. If incoming log messages match the search expression, an alert e-mail is sent to the specified target. Here is an example of such an e-mail alert:
The e-mail alert contains the name of the alert, the logspace the alert originates from, and a direct link to the SSB search interface showing the logs that caused the alert to be raised. This way a detailed investigation of the corresponding logs can start immediately.
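To make the saved-search-plus-alert idea concrete, here is an added, stand-alone model of it in Python. It is not syslog-ng Store Box code and does not use SSB's search syntax: the rules are plain regular expressions for the three use cases listed above (syslog-ng shutting down, root SSH login, failed login for a given user), the log lines are constructed samples, and the SSB hostname in the link is a hypothetical placeholder.

```python
import re
from dataclasses import dataclass
from urllib.parse import quote_plus

# Hypothetical SSB address, used only to build the "direct link" in the alert.
SSB_BASE_URL = "https://ssb.example.internal/search"

@dataclass(frozen=True)
class AlertRule:
    name: str        # alert name shown in the e-mail
    logspace: str    # logspace the saved search runs over
    pattern: str     # search expression; here a regular expression, not SSB syntax

@dataclass(frozen=True)
class Alert:
    name: str
    logspace: str
    matched: str     # the log line that raised the alert
    link: str        # link back to the search that produced it

# Constructed rules mirroring the use cases named in the text above.
RULES = [
    AlertRule("syslog-ng stopped", "servers", r"syslog-ng shutting down"),
    AlertRule("root SSH login", "servers", r"sshd\[\d+\]: Accepted \S+ for root from"),
    AlertRule("failed login for jdoe", "servers", r"Failed password for (invalid user )?jdoe\b"),
]

def evaluate(rules, log_lines):
    """Run every saved search over the incoming lines; one alert per matching rule."""
    alerts = []
    for line in log_lines:
        for rule in rules:
            if re.search(rule.pattern, line):
                link = (f"{SSB_BASE_URL}?logspace={quote_plus(rule.logspace)}"
                        f"&q={quote_plus(rule.pattern)}")
                alerts.append(Alert(rule.name, rule.logspace, line, link))
    return alerts

# Constructed sample log lines in the usual syslog style (not real data).
SAMPLE_LOGS = [
    "Jan 10 10:00:01 web01 sshd[2301]: Accepted publickey for alice from 10.0.0.5 port 51022 ssh2",
    "Jan 10 10:00:07 web01 sshd[2310]: Accepted password for root from 10.0.0.9 port 51030 ssh2",
    "Jan 10 10:00:12 db01 sshd[844]: Failed password for jdoe from 10.0.0.7 port 40012 ssh2",
    "Jan 10 10:01:00 db01 syslog-ng[512]: syslog-ng shutting down; version='3.5.6'",
]

if __name__ == "__main__":
    for a in evaluate(RULES, SAMPLE_LOGS):
        print(f"[{a.name}] logspace={a.logspace}\n  {a.matched}\n  {a.link}")
```

The first sample line (a non-root key login) matches no rule and produces no alert; each of the other three produces one alert carrying the name, logspace and link that the e-mail described above would contain.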