Log File Management with the Secure Online Desktop service
IT systems produce large quantities of log files, very useful tools for guaranteeing data security and application stability. However, in a complex ecosystem, the quantity of files and their location can become two insurmountable obstacles to overcome, in case it is necessary to consult the data efficiently. This is where log management systems come into play, which thanks to technologies such as Syslog-ng, are able to circumvent the problem. In the article, we see how a log file management solution can be a valuable investment.
What is a log file, what is it for
Any action that is performed on a machine or by it can be recorded in a log file. To understand what it is, let’s imagine that it is a ship’s logbook, in which every single event that happened on the boat is noted. In fact, the name derives from the nautical environment, in which the use of a logbook was common. This was nothing more than a diary in which navigation data were recorded at regular intervals: speed, wind strength and direction, water conditions and so on.
With the concept of recording useful information in a file that can be consulted later, the log file contains any changes, actions, states or modifications for security reasons. In case something goes wrong, it is easy to understand what happened by consulting a log file. This is especially true when we talk about servers and applications, data dissemination, IT security, etc.
Amount of log files
Some companies have up to a few dozen servers, others have hundreds, some thousands, and there are others that manage tens of thousands of servers. These systems produce a huge amount of data in the form of log files.
Complicating things is IT architecture. Very often machines are organized into subsystems, both for reasons of convenience and safety. In the unfortunate event that someone wants to consult the log files following an accident, we should despair. Which server holds the data we are interested in? Which subsystem is it in? These are not questions that can be answered simply, especially if you don’t know the source of the problem.
The management of the log files of a system (or Log Management) is essential in the collection of data, prevention and resolution of problems.
Secure Online Desktop Log Management
SOD offers a log management solution through Syslog-ng Premium Edition agents. These are in charge of the collection, transmission and storage of log files. Not only are they collected and centralized in a single virtual place, but the data are also normalized, ie “translated” into standardized formats so that they can be consulted and compared more easily.
Real-time normalization, reporting and classification
Thanks to normalization, it is possible to carry out cross-sectional full-text searches in a few seconds to all the log files collected. Complex operations are guaranteed by the possibility of using wildcards and Boolean operators. The analysis of the collected data is therefore very simplified, which allows the data to also be used to monitor the efficiency of the system, identify possible future problems and intervene before it is too late.
It is also possible to generate customized reports consisting of graphs and statistics with the aim of certifying compliance with standards and regulations such as PCI-DSS, ISO 27001, SOX and HIPAA.
One of the most interesting features of syslog-ng is the ability to automatically classify messages and sort them into classes. These can then be used to label the type of event described in the log. Examples of possible classes: user login, application crash, file transfer, etc.
Extraction and correlation of messages in log files
The classification of messages opens the door to a further functionality: the extraction and correlation of messages. Once each message contained in the log file has been normalized and classified according to your needs, it is possible to assign different tags, to add an additional filter level.
To give an example: once a user’s login messages have been collected, it is possible to label them as user_login, and then isolate them by extracting them and collecting them in a separate file to perform further processing on these messages.
Syslog-ng also makes it possible to correlate events in real time, to prevent data from a single event being scattered across multiple log files. For example, the access and exit data (log-in and log-out) are often recorded far from each other, even in different log files. Through correlation, the data of a single event can be collected and analyzed in isolation.
The stored log messages and the configuration of the Log Management service can be periodically transferred to a remote server using the following protocols:
– Network File System protocol (NFS)
– Rsync over SSH
– Server Message Block protocol (SMB / CIFS)
The log file collection and management system with syslog-ng PE agents operates on over 50 platforms, including all Linux distributions and commercial versions of Unix and Windows. The service is able to manage huge quantities of messages, up to over 100,000 per second and over 70 GB of raw log files per hour, from 5000 different sources (servers, applications, etc.).
Ask us for more information about our Log Monitoring service to know specifically how it can be implemented in your systems and how it can help you.
- Event Overload? Our SOCaaS can help!
- Business email compromise (BEC) schemes
- XDR as an approach to security
- What is threat intelligence?
- Data Loss Prevention: definition and uses
- Prevent shoulder surfing and theft of corporate credentials
- HTTP / 3, everything you need to know about the latest version protocol
- Machine learning and cybersecurity: UEBA applications and security
- Backup as a Service (2)
- Cloud Conference (3)
- Cloud CRM (1)
- Cloud Server/VPS (20)
- Conferenza Cloud (4)
- ICT Monitoring (4)
- Log Management (2)
- News (17)
- ownCloud (4)
- Privacy (6)
- Secure Online Desktop (14)
- Security (9)
- Web Hosting (15)
- Troy Hunt: Organizations Make Security Choices Tough for Users May 6, 2021The Have I Been Pwned founder took the virtual stage at Black Hat Asia to share stories about his work and industrywide challenges.
- New Techniques Emerge for Abusing Windows Services to Gain System Control May 6, 2021Organizations should apply principles of least privilege to mitigate threats, security researcher says.
- Google Plans to Automatically Enable Two-Factor Authentication May 6, 2021The company plans to automatically enroll users in two-step verification if their accounts are properly configured.
- CISA Publishes Analysis on New 'FiveHands' Ransomware May 6, 2021Attackers used publicly available tools, FiveHands ransomware, and SombRAT to successfully target an organization, officials report.
- Securing the Internet of Things in the Age of Quantum Computing May 6, 2021Internet security, privacy, and authentication aren't new issues, but IoT presents unique security challenges.
- Cloud-Native Businesses Struggle With Security May 6, 2021More companies moved to cloud-native infrastructure in the past year, and security incidents and malware moved right along with them.
- Biden's Supply Chain Initiative Depends on Cybersecurity Insights May 6, 2021Those helming the US supply chain executive order need to leverage standards, measurement, and the lessons cybersecurity leaders have learned.
- How to Move Beyond Passwords and Basic MFA May 6, 2021It's not a question of whether passwordless is coming -- it's simply a question of when. How should your organization prepare? (Part two of a two-part series.)
- Black Hat Asia Speakers Share Secrets About Sandboxes, Smart Doors, and Security May 6, 2021Find video interviews with some of the coolest Black Hat Asia experts right here, as part of the Dark Reading News Desk this week.
- Attackers Seek New Strategies to Improve Macros' Effectiveness May 5, 2021The ubiquity of Microsoft Office document formats means attackers will continue to use them to spread malware and infect systems.
- APPLE-SA-2021-05-03-3 watchOS 7.4.1 May 4, 2021Posted by Apple Product Security via Fulldisclosure on May 04APPLE-SA-2021-05-03-3 watchOS 7.4.1 watchOS 7.4.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT212339. WebKit Available for: Apple Watch Series 3 and later Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report […]
- APPLE-SA-2021-05-03-4 macOS Big Sur 11.3.1 May 4, 2021Posted by Apple Product Security via Fulldisclosure on May 04APPLE-SA-2021-05-03-4 macOS Big Sur 11.3.1 macOS Big Sur 11.3.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT212335. WebKit Available for: macOS Big Sur Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a […]
- APPLE-SA-2021-05-03-1 iOS 14.5.1 and iPadOS 14.5.1 May 4, 2021Posted by Apple Product Security via Fulldisclosure on May 04APPLE-SA-2021-05-03-1 iOS 14.5.1 and iPadOS 14.5.1 iOS 14.5.1 and iPadOS 14.5.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT212336. WebKit Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, […]
- APPLE-SA-2021-05-03-2 iOS 12.5.3 May 4, 2021Posted by Apple Product Security via Fulldisclosure on May 04APPLE-SA-2021-05-03-2 iOS 12.5.3 iOS 12.5.3 addresses the following issues. Information about the security content is also available at https://support.apple.com/HT212341. WebKit Available for: iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation) Impact: Processing maliciously crafted […]
- KSA-Dev-0012:CVE-2021-25326:Unauthenticated Sensitive information Discloser in Skyworth RN510 Mesh Extender May 4, 2021Posted by Kaustubh Padwad via Fulldisclosure on May 04Overview ======== Title:- UnAuthenticated Sensitive information Discloser in RN510 Mesh Extender. CVE-ID :- CVE-2021-25326 Author: Kaustubh G. Padwad Vendor: Shenzhen Skyworth Digital Technology Company Ltd.(http://www.skyworthdigital.com/products) Products: 1. RN510 with firmware V.18.104.22.168 (Tested and verified) Potential 2.RN620 with respective firmware or below 3.RN410 With Respective […]
- KSA-Dev-0011:CVE-2021-25327: Authenticated XSRF in Skyworth RN510 Mesh Extender May 4, 2021Posted by Kaustubh Padwad via Fulldisclosure on May 04Overview ======== Title:- Authenticated XSRF in RN510 Mesh Extender. CVE-ID :- CVE-2021-25327 Author: Kaustubh G. Padwad Vendor: Shenzhen Skyworth Digital Technology Company Ltd.(http://www.skyworthdigital.com/products) Products: 1. RN510 with firmware V.22.214.171.124 (Tested and verified) Potential 2.RN620 with respective firmware or below 3.RN410 With Respective firmwware or […]
- KSA-Dev-0010:CVE-2021-25328:Authenticated Stack Overflow in Skyworth RN510 mesh Device May 4, 2021Posted by Kaustubh Padwad via Fulldisclosure on May 04itle :- Authenticated Stack Overflow in RN510 mesh Device CVE-ID:- CVE-2021-25328 Author: Kaustubh G. Padwad Vendor: Shenzhen Skyworth Digital Technology Company Ltd.(http://www.skyworthdigital.com/products) Products: 1. RN510 with firmware V.126.96.36.199 (Tested and verified) Potential 2.RN620 with respective firmware or below 3.RN410 With Respective firmwware or below. […]
- Re: Two vulnerabilities found in MikroTik's RouterOS May 4, 2021Posted by Q C on May 04[Update 2021/05/04] Two CVEs have been assigned to these vulnerabilities. CVE-2020-20219: Mikrotik RouterOs 6.44.6 (long-term tree) suffers from a memory corruption vulnerability in the /nova/bin/igmp-proxy process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference). CVE-2020-20262: Mikrotik RouterOs before 6.47 (stable tree) suffers from an […]
- Re: Two vulnerabilities found in MikroTik's RouterOS May 4, 2021Posted by Q C on May 04[Update 2021/05/04] Two CVEs have been assigned to these vulnerabilities. CVE-2020-20221: Mikrotik RouterOs before 6.44.6 (long-term tree) suffers from an uncontrolled resource consumption vulnerability in the /nova/bin/cerm process. An authenticated remote attacker can cause a Denial of Service due to overloading the systems CPU. CVE-2020-20218: Mikrotik RouterOs 6.44.6 (long-term […]
- Re: Two vulnerabilities found in MikroTik's RouterOS May 4, 2021Posted by Q C on May 04[Update 2021/05/04] CVE-2020-20212 and CVE-2020-20211 have been assigned to these two vulnerabilities. CVE-2020-20212: Mikrotik RouterOs 6.44.5 (long-term tree) suffers from a memory corruption vulnerability in the /nova/bin/console process. An authenticated remote attacker can cause a Denial of Service (NULL pointer dereference) CVE-2020-20211: Mikrotik RouterOs 6.44.5 (long-term tree) suffers from […]
Estimated reading time: 7 minutes Ethical hacking means the application for good of hacking techniques. The… https://t.co/JMjvDtbW9p
Tempo di lettura: 4 minMonitoraggioNegli ultimi anni abbiamo assistito ad una rapida evoluzione delle infrastruttur… https://t.co/3EQ6yPJG4g
Tempo di lettura: 6 min WastedLocker e' un software per attacchi ransomware che ha iniziato a colpire imprese e al… https://t.co/yRXHQPoAlG
syslog server - High performance service for collecting logs - Use all the strengths of the syslog-ng Premium Edit… https://t.co/NOmReNicwb
WastedLocker is ransomware attack software that began targeting businesses and other organizations in May 2020. It… https://t.co/8244AWLg8s